diff --git a/.github/pull_request_template.md b/.github/pull_request_template.md index 4030f6fe7d..1829cee67b 100644 --- a/.github/pull_request_template.md +++ b/.github/pull_request_template.md @@ -1,7 +1,36 @@ -Fixes # +## Before submitting this PR please ensure that you have read the following sections and then completed the template below: -## Proposed Changes +Thank you for your contribution to the Microsoft Sentinel Github repo. - - - - - - +> The code should have been tested in a Microsoft Sentinel environment that does not have any custom parsers, functions or tables, so that you validate no incorrect syntax and execution functions properly. + +> Details of the code changes in your submitted PR. Providing descriptions for pull requests ensures, there is context to changes being made and greatly enhances the code review process. Providing associated Issues that this resolves also easily connects the reason. + + Change(s): + - Updated syntax for XYZ.yaml + + Reason for Change(s): + - New schema used for XYZ.yaml + - Resolves ISSUE #1234 + +## After the submission has been made, please look at the Validation Checks: + +> Check that the validations are passing and address any issues that are present. Let us know if you have tried fixing and need help. + +> References: +> - [Guidance for Detection checks](https://github.com/Azure/Azure-Sentinel#pull-request-detection-template-structure-validation-check) +> - [General contribution guidance](https://github.com/Azure/Azure-Sentinel/wiki#what-can-you-contribute-and-how-can-you-create-contributions) +> - [PR validation troubleshooting](https://github.com/Azure/Azure-Sentinel#pull-request) + +## PR Template + +----------------------------------------------------------------------------------------------------------- + **Description for the PR:** + (Enter the description below) + + +**Testing Completed:** + Yes/ No : + + +----------------------------------------------------------------------------------------------------------- \ No newline at end of file diff --git a/.script/dataConnectorValidator.ts b/.script/dataConnectorValidator.ts index 2635c49243..3e0bd77a81 100644 --- a/.script/dataConnectorValidator.ts +++ b/.script/dataConnectorValidator.ts @@ -11,7 +11,7 @@ import { ConnectorCategory } from "./utils/dataConnector"; export async function IsValidDataConnectorSchema(filePath: string): Promise { if(!filePath.includes('Templates')) - { + { let jsonFile = JSON.parse(fs.readFileSync(filePath, "utf8")); if(isPotentialConnectorJson(jsonFile)) @@ -32,13 +32,13 @@ export async function IsValidDataConnectorSchema(filePath: string): Promise _tableSchemas; + private const int TestFolderDepth = 3; + public CustomTablesSchemasLoader() { _tableSchemas = new List(); - var jsonFiles = Directory.GetFiles(DetectionsYamlFilesTestData.GetCustomTablesPath(), "*.json"); + + var jsonFilePath = Path.Combine(Utils.GetTestDirectory(TestFolderDepth), "CustomTables"); + var jsonFiles = Directory.GetFiles(jsonFilePath, "*.json"); + foreach (var jsonFile in jsonFiles) { var tableSchema = ReadTableSchema(jsonFile); diff --git a/.script/tests/KqlvalidationsTests/DetectionsYamlFilesTestData.cs b/.script/tests/KqlvalidationsTests/DetectionsYamlFilesTestData.cs deleted file mode 100644 index 7b10c963b9..0000000000 --- a/.script/tests/KqlvalidationsTests/DetectionsYamlFilesTestData.cs +++ /dev/null @@ -1,76 +0,0 @@ -using System; -using System.Collections.Generic; -using System.IO; -using System.Linq; -using System.Reflection; -using System.Text; - -namespace Kqlvalidations.Tests -{ - public class DetectionsYamlFilesTestData : TheoryData - { - public DetectionsYamlFilesTestData() - { - List detectionPaths = GetDetectionPaths(); - var files = GetDetectionFiles(detectionPaths); - files.ForEach(f => AddData(Path.GetFileName(f))); - } - - public static List GetDetectionPaths() - { - List dirPaths = new List() { "Detections", "Solutions"}; - var rootDir = Directory.CreateDirectory(GetAssemblyDirectory()); - var testFolderDepth = 6; - List detectionPaths = new List(); - for (int i = 0; i < testFolderDepth; i++) - { - rootDir = rootDir.Parent; - } - foreach (var dirName in dirPaths) - { - detectionPaths.Add(Path.Combine(rootDir.FullName, dirName)); - } - - return detectionPaths; - } - - public static string GetCustomTablesPath() - { - var rootDir = Directory.CreateDirectory(GetAssemblyDirectory()); - var testFolderDepth = 3; - for (int i = 0; i < testFolderDepth; i++) - { - rootDir = rootDir.Parent; - } - var detectionPath = Path.Combine(rootDir.FullName, "CustomTables"); - return detectionPath; - } - - public static string GetSkipTemplatesPath() - { - var rootDir = Directory.CreateDirectory(GetAssemblyDirectory()); - var testFolderDepth = 3; - for (int i = 0; i < testFolderDepth; i++) - { - rootDir = rootDir.Parent; - } - return rootDir.FullName; - } - - private static string GetAssemblyDirectory() - { - string codeBase = Assembly.GetExecutingAssembly().CodeBase; - UriBuilder uri = new UriBuilder(codeBase); - string path = Uri.UnescapeDataString(uri.Path); - return Path.GetDirectoryName(path); - } - - private static List GetDetectionFiles(List detectionPaths) - { - var files = Directory.GetFiles(detectionPaths[0], "*.yaml", SearchOption.AllDirectories).ToList(); - files.AddRange(Directory.GetFiles(detectionPaths[1], "*.yaml", SearchOption.AllDirectories).ToList().Where(s => s.Contains("Analytic Rules"))); - - return files; - } - } -} diff --git a/.script/tests/KqlvalidationsTests/KqlValidationTests.cs b/.script/tests/KqlvalidationsTests/KqlValidationTests.cs index 8d5ed1dd3b..6962cb2111 100644 --- a/.script/tests/KqlvalidationsTests/KqlValidationTests.cs +++ b/.script/tests/KqlvalidationsTests/KqlValidationTests.cs @@ -1,7 +1,5 @@ -using Microsoft.Azure.Sentinel.KustoServices.Contract; -using Newtonsoft.Json; -using System; -using System.Collections.Generic; +using System.Collections.Generic; +using Microsoft.Azure.Sentinel.KustoServices.Contract; using System.IO; using System.Linq; using System.Text.RegularExpressions; @@ -13,7 +11,6 @@ namespace Kqlvalidations.Tests public class KqlValidationTests { private readonly IKqlQueryAnalyzer _queryValidator; - private static readonly List DetectionPaths = DetectionsYamlFilesTestData.GetDetectionPaths(); public KqlValidationTests() { _queryValidator = new KqlQueryAnalyzerBuilder() @@ -22,16 +19,14 @@ namespace Kqlvalidations.Tests .Build(); } + // We pass File name to test because in the result file we want to show an informative name for the test [Theory] [ClassData(typeof(DetectionsYamlFilesTestData))] - public void Validate_DetectionQueries_HaveValidKql(string detectionsYamlFileName) + public void Validate_DetectionQueries_HaveValidKql(string fileName, string encodedFilePath) { - var detectionsYamlFile = getDetectionsYamlFile(detectionsYamlFileName); - var yaml = File.ReadAllText(detectionsYamlFile); - var deserializer = new DeserializerBuilder().Build(); - var res = deserializer.Deserialize(yaml); - string queryStr = res["query"]; - string id = res["id"]; + var res = ReadAndDeserializeYaml(encodedFilePath); + var queryStr = (string) res["query"]; + var id = (string) res["id"]; //we ignore known issues if (ShouldSkipTemplateValidation(id)) @@ -39,41 +34,61 @@ namespace Kqlvalidations.Tests return; } + ValidateKql(id, queryStr); + } + + // We pass File name to test because in the result file we want to show an informative name for the test + [Theory] + [ClassData(typeof(DetectionsYamlFilesTestData))] + public void Validate_DetectionQueries_SkippedTemplatesDoNotHaveValidKql(string fileName, string encodedFilePath) + { + var res = ReadAndDeserializeYaml(encodedFilePath); + var queryStr = (string) res["query"]; + var id = (string) res["id"]; + + //Templates that are in the skipped templates should not pass the validation (if they pass, why skip?) + if (ShouldSkipTemplateValidation(id)) + { + var validationRes = _queryValidator.ValidateSyntax(queryStr); + Assert.False(validationRes.IsValid, $"Template Id:{id} is valid but it is in the skipped validation templates. Please remove it from the templates that are skipped since it is valid."); + } + + } + + // // We pass File name to test because in the result file we want to show an informative name for the test + // [Theory] + // [ClassData(typeof(InsightsYamlFilesTestData))] + // public void Validate_InsightsQueries_HaveValidKqlBaseQuery(string fileName, string encodedFilePath) + // { + // var res = ReadAndDeserializeYaml(encodedFilePath); + // var queryStr = (string) res["BaseQuery"]; + // + // ValidateKql(fileProp.FileName, queryStr); + // } + + private void ValidateKql(string id, string queryStr) + { var validationRes = _queryValidator.ValidateSyntax(queryStr); var firstErrorLocation = (Line: 0, Col: 0); if (!validationRes.IsValid) { firstErrorLocation = GetLocationInQuery(queryStr, validationRes.Diagnostics.First(d => d.Severity == "Error").Start); } - Assert.True(validationRes.IsValid, validationRes.IsValid ? string.Empty : $"Template Id:{id} is not valid in Line:{firstErrorLocation.Line} col:{firstErrorLocation.Col} Errors:{validationRes.Diagnostics.Select(d => d.ToString()).ToList().Aggregate((s1, s2) => s1 + "," + s2)}"); + + Assert.True(validationRes.IsValid, + validationRes.IsValid + ? string.Empty + : @$"Template Id: {id} is not valid in Line: {firstErrorLocation.Line} col: {firstErrorLocation.Col} +Errors: {validationRes.Diagnostics.Select(d => d.ToString()).ToList().Aggregate((s1, s2) => s1 + "," + s2)}"); } - [Theory] - [ClassData(typeof(DetectionsYamlFilesTestData))] - public void Validate_DetectionQueries_SkippedTemplatesDoNotHaveValidKql(string detectionsYamlFileName) + private Dictionary ReadAndDeserializeYaml(string encodedFilePath) { - var detectionsYamlFile = getDetectionsYamlFile(detectionsYamlFileName); - - var yaml = File.ReadAllText(detectionsYamlFile); + + var yaml = File.ReadAllText(Utils.DecodeBase64(encodedFilePath)); var deserializer = new DeserializerBuilder().Build(); - var res = deserializer.Deserialize(yaml); - string queryStr = res["query"]; - string id = res["id"]; - - //Templates that are in the skipped templates should not pass the validateion (if they pass, why skip?) - if (ShouldSkipTemplateValidation(id)) - { - var validationRes = _queryValidator.ValidateSyntax(queryStr); - Assert.False(validationRes.IsValid, $"Template Id:{id} is valid but it is in the skipped validation templates. Please remove it from the templates that are skipped since it is valid."); - } - - else - { - return; - } - + return deserializer.Deserialize(yaml); } - private bool ShouldSkipTemplateValidation(string templateId) { return TemplatesToSkipValidationReader.WhiteListTemplates @@ -97,23 +112,6 @@ namespace Kqlvalidations.Tests var col = (pos - curPos + 1); return (curlineIndex + 1, col); } - - /// - ///Get detection yaml file from Detection or solution analytics rule folder - /// - /// Detections Yaml File Name - /// detections yaml file path - private string getDetectionsYamlFile(string detectionsYamlFileName) - { - try - { - return Directory.GetFiles(DetectionPaths[0], detectionsYamlFileName, SearchOption.AllDirectories).Single(); - } - catch - { - return Directory.GetFiles(DetectionPaths[1], detectionsYamlFileName, SearchOption.AllDirectories).Where(s => s.Contains("Analytic Rules")).Single(); - } - } } } diff --git a/.script/tests/KqlvalidationsTests/SkipValidationsTemplates.json b/.script/tests/KqlvalidationsTests/SkipValidationsTemplates.json index 7cdfe875e4..c90b7cb6c7 100644 --- a/.script/tests/KqlvalidationsTests/SkipValidationsTemplates.json +++ b/.script/tests/KqlvalidationsTests/SkipValidationsTemplates.json @@ -112,7 +112,7 @@ { "id": "4902eddb-34f7-44a8-ac94-8486366e9494", "templateName": "ExcessiveDenyFromSource.yaml", - "validationFailReason": "The name 'imWebSession' does not refer to any known function" + "validationFailReason": "The name 'imNetworkSession' does not refer to any known function" }, { "id": "3f0c20d5-6228-48ef-92f3-9ff7822c1954", @@ -120,10 +120,17 @@ "validationFailReason": "The name 'imWebSession' does not refer to any known function" }, { - "id": "6e575295-a7e6-464c-8192-3e1d8fd6a990", - "templateName": "Log4J_IPIOC_Dec112021.yaml", - "validationFailReason": "The name 'imDns' does not refer to any known function." + "id": "fcb9d75c-c3c1-4910-8697-f136bfef2363", + "templateName": "PossibleBeaconingActivity.yaml", + "validationFailReason": "The name 'imNetworkSession' does not refer to any known function." }, + // Commenting out for now as the imDNS has been commented out in the referenced query since it was causing customer query failures. + // Once ASIM is fully deployed to all customer environments, this will likely solve the overall issues. + //{ + // "id": "6e575295-a7e6-464c-8192-3e1d8fd6a990", + // "templateName": "Log4J_IPIOC_Dec112021.yaml", + // "validationFailReason": "The name 'imDns' does not refer to any known function." + //}, { "id": "b39e6482-ab7e-4817-813d-ec910b64b26e", "templateName": "HighlySensitivePasswordAccessed.yaml", diff --git a/.script/tests/KqlvalidationsTests/TemplatesToSkipValidationReader.cs b/.script/tests/KqlvalidationsTests/TemplatesToSkipValidationReader.cs index 46f5e07a67..2a2a77d8b8 100644 --- a/.script/tests/KqlvalidationsTests/TemplatesToSkipValidationReader.cs +++ b/.script/tests/KqlvalidationsTests/TemplatesToSkipValidationReader.cs @@ -15,10 +15,11 @@ namespace Kqlvalidations.Tests public static class TemplatesToSkipValidationReader { private const string SKipJsonFileName = "SkipValidationsTemplates.json"; + private const int TestFolderDepth = 3; static TemplatesToSkipValidationReader() { - var jsonFilePath = Path.Combine(DetectionsYamlFilesTestData.GetSkipTemplatesPath(), SKipJsonFileName); + var jsonFilePath = Path.Combine(Utils.GetTestDirectory(TestFolderDepth), SKipJsonFileName); using (StreamReader r = new StreamReader(jsonFilePath)) { string json = r.ReadToEnd(); diff --git a/.script/tests/KqlvalidationsTests/Utils.cs b/.script/tests/KqlvalidationsTests/Utils.cs new file mode 100644 index 0000000000..9e7534bc3c --- /dev/null +++ b/.script/tests/KqlvalidationsTests/Utils.cs @@ -0,0 +1,37 @@ +using System; +using System.IO; +using System.Reflection; + +namespace Kqlvalidations.Tests +{ + public static class Utils + { + public static string GetTestDirectory(int testFolderDepth) + { + var rootDir = Directory.CreateDirectory(GetAssemblyDirectory()); + for (int i = 0; i < testFolderDepth; i++) + { + rootDir = rootDir.Parent; + } + return rootDir.FullName; + } + + public static string EncodeToBase64(string plainText) { + var plainTextBytes = System.Text.Encoding.UTF8.GetBytes(plainText); + return Convert.ToBase64String(plainTextBytes); + } + + public static string DecodeBase64(string base64EncodedData) { + var base64EncodedBytes = Convert.FromBase64String(base64EncodedData); + return System.Text.Encoding.UTF8.GetString(base64EncodedBytes); + } + + private static string GetAssemblyDirectory() + { + string codeBase = Assembly.GetExecutingAssembly().CodeBase; + UriBuilder uri = new UriBuilder(codeBase); + string path = Uri.UnescapeDataString(uri.Path); + return Path.GetDirectoryName(path); + } + } +} \ No newline at end of file diff --git a/.script/tests/KqlvalidationsTests/YamlFilesTestData/DetectionsYamlFilesLoader.cs b/.script/tests/KqlvalidationsTests/YamlFilesTestData/DetectionsYamlFilesLoader.cs new file mode 100644 index 0000000000..725bf714be --- /dev/null +++ b/.script/tests/KqlvalidationsTests/YamlFilesTestData/DetectionsYamlFilesLoader.cs @@ -0,0 +1,19 @@ +using System.Collections.Generic; +using System.IO; +using System.Linq; + +namespace Kqlvalidations.Tests +{ + public class DetectionsYamlFilesLoader : YamlFilesLoader + { + protected override List GetDirectoryPaths() + { + var basePath = Utils.GetTestDirectory(TestFolderDepth); + var detectionsDir = new List { Path.Combine(basePath, "Detections")}; + var solutionDirectories = Path.Combine(basePath, "Solutions"); + var analyticsRulesDir = Directory.GetDirectories(solutionDirectories, "Analytic Rules", SearchOption.AllDirectories); + + return analyticsRulesDir.Concat(detectionsDir).ToList(); + } + } +} \ No newline at end of file diff --git a/.script/tests/KqlvalidationsTests/YamlFilesTestData/DetectionsYamlFilesTestData.cs b/.script/tests/KqlvalidationsTests/YamlFilesTestData/DetectionsYamlFilesTestData.cs new file mode 100644 index 0000000000..0603d18667 --- /dev/null +++ b/.script/tests/KqlvalidationsTests/YamlFilesTestData/DetectionsYamlFilesTestData.cs @@ -0,0 +1,9 @@ +namespace Kqlvalidations.Tests +{ + public class DetectionsYamlFilesTestData : YamlFilesTestData + { + public DetectionsYamlFilesTestData() : base(new DetectionsYamlFilesLoader()) + { + } + } +} diff --git a/.script/tests/KqlvalidationsTests/YamlFilesTestData/InsightsYamlFilesLoader.cs b/.script/tests/KqlvalidationsTests/YamlFilesTestData/InsightsYamlFilesLoader.cs new file mode 100644 index 0000000000..0274d76a1a --- /dev/null +++ b/.script/tests/KqlvalidationsTests/YamlFilesTestData/InsightsYamlFilesLoader.cs @@ -0,0 +1,13 @@ +using System.Collections.Generic; +using System.IO; + +namespace Kqlvalidations.Tests +{ + public class InsightsYamlFilesLoader : YamlFilesLoader + { + protected override List GetDirectoryPaths() + { + return new List { Path.Combine(Utils.GetTestDirectory(TestFolderDepth), "Insights")}; + } + } +} \ No newline at end of file diff --git a/.script/tests/KqlvalidationsTests/YamlFilesTestData/InsightsYamlFilesTestData.cs b/.script/tests/KqlvalidationsTests/YamlFilesTestData/InsightsYamlFilesTestData.cs new file mode 100644 index 0000000000..63801a8b67 --- /dev/null +++ b/.script/tests/KqlvalidationsTests/YamlFilesTestData/InsightsYamlFilesTestData.cs @@ -0,0 +1,11 @@ +using System.IO; + +namespace Kqlvalidations.Tests +{ + public class InsightsYamlFilesTestData : YamlFilesTestData + { + public InsightsYamlFilesTestData() : base(new InsightsYamlFilesLoader()) + { + } + } +} \ No newline at end of file diff --git a/.script/tests/KqlvalidationsTests/YamlFilesTestData/YamlFilesLoader.cs b/.script/tests/KqlvalidationsTests/YamlFilesTestData/YamlFilesLoader.cs new file mode 100644 index 0000000000..e8ab976508 --- /dev/null +++ b/.script/tests/KqlvalidationsTests/YamlFilesTestData/YamlFilesLoader.cs @@ -0,0 +1,23 @@ +using System.Collections.Generic; +using System.IO; +using System.Linq; + +namespace Kqlvalidations.Tests +{ + public abstract class YamlFilesLoader + { + protected const int TestFolderDepth = 6; + + protected abstract List GetDirectoryPaths(); + + public List GetFilesNames() + { + var directoryPaths = GetDirectoryPaths(); + return directoryPaths.Aggregate(new List(), (accumulator, directoryPath) => + { + var files = Directory.GetFiles(directoryPath, "*.yaml", SearchOption.AllDirectories).ToList(); + return accumulator.Concat(files).ToList(); + }); + } + } +} \ No newline at end of file diff --git a/.script/tests/KqlvalidationsTests/YamlFilesTestData/YamlFilesTestData.cs b/.script/tests/KqlvalidationsTests/YamlFilesTestData/YamlFilesTestData.cs new file mode 100644 index 0000000000..14f16a8420 --- /dev/null +++ b/.script/tests/KqlvalidationsTests/YamlFilesTestData/YamlFilesTestData.cs @@ -0,0 +1,17 @@ +using System.IO; + +namespace Kqlvalidations.Tests +{ + public class YamlFilesTestData : TheoryData + { + public YamlFilesTestData(YamlFilesLoader yamlFilesLoader) + { + var files = yamlFilesLoader.GetFilesNames(); + files.ForEach(filePath => + { + var fileName = Path.GetFileName(filePath); + Add(fileName, Utils.EncodeToBase64(filePath)); + }); + } + } +} diff --git a/.script/tests/dataConnectorValidatorTest/dataConnectorValidator.test.ts b/.script/tests/dataConnectorValidatorTest/dataConnectorValidator.test.ts index 03b0eddf2c..385711743d 100644 --- a/.script/tests/dataConnectorValidatorTest/dataConnectorValidator.test.ts +++ b/.script/tests/dataConnectorValidatorTest/dataConnectorValidator.test.ts @@ -76,6 +76,14 @@ describe("dataConnectorValidator", () => { await checkInvalid(".script/tests/dataConnectorValidatorTest/testFiles/Agari/invalidAzureFunctionConnectorPermissions.json","DataConnectorValidationError"); }); + it("should pass when validSyslogDataConnector.json is valid", async () => { + await checkValid(".script/tests/dataConnectorValidatorTest/testFiles/validAzureDiagnosticsDataConnector.json"); + }); + + it("should throw an exception when Syslog data connector have Invalid set of permissions", async () => { + await checkInvalid(".script/tests/dataConnectorValidatorTest/testFiles/invalidAzureDiagnosticsDataConnector.json","DataConnectorValidationError"); + }); + async function checkValid(filePath: string): Promise { let result = await IsValidDataConnectorSchema(filePath); expect(result).to.equal(ExitCode.SUCCESS); diff --git a/.script/tests/dataConnectorValidatorTest/testFiles/invalidAzureDiagnosticsDataConnector.json b/.script/tests/dataConnectorValidatorTest/testFiles/invalidAzureDiagnosticsDataConnector.json new file mode 100644 index 0000000000..ca12eeaf78 --- /dev/null +++ b/.script/tests/dataConnectorValidatorTest/testFiles/invalidAzureDiagnosticsDataConnector.json @@ -0,0 +1,58 @@ +{ + "id": "MicrosoftAzurePurview", + "title": "Azure Purview", + "publisher": "Microsoft", + "descriptionMarkdown": "Connect to Azure Purview to enable data sensitivity enrichment of Microsoft Sentinel. Data classification and sensitivity label logs from Azure Purview scans can be ingested and visualized through workbooks, analytical rules, and more.", + "graphQueries": [ + { + "metricName": "Total data received", + "legend": "PurviewDataSensitivityLogs", + "baseQuery": "PurviewDataSensitivityLogs" + } + ], + "sampleQueries": [ + { + "description": "View files that contain a specific classification (example shows Social Security Number)", + "query": "PurviewDataSensitivityLogs\n | where Classification has \"Social Security Number\"" + } + ], + "dataTypes": [ + { + "name": "AzureDiagnostics (PurviewDataSensitivityLogs)", + "lastDataReceivedQuery": "PurviewDataSensitivityLogs\n | summarize Time = max(TimeGenerated)\n | where isnotempty(Time)" + } + ], + "connectivityCriterias": [ + { + "type": "IsConnectedQuery", + "value": [ + "PurviewDataSensitivityLogs\n | summarize LastLogReceived = max(TimeGenerated)\n | project IsConnected = LastLogReceived > ago(30d)" + ] + } + ], + "availability": { + "status": 1, + "isPreview": true + }, + "permissions": { + "resourceProvider": [ + { + "provider": "Microsoft.OperationalInsights/workspaces", + "permissionsDisplayText": "Azure Purview account Owner or Contributor role to set up Diagnostic Settings. Microsoft Contributor role with write permissions to enable data connector, view workbook, and create analytic rules.", + "providerDisplayName": "Workspace", + "scope": "Workspace", + "requiredPermissions": { + "write": true, + "read": true + } + } + ] + }, + "instructionSteps": [ + { + "title": "Connect Azure Purview to Azure Sentinel", + "description": "Within the Azure Portal, navigate to your Purview resource:\n 1. In the search bar, search for **Purview accounts.**\n 2. Select the specific account that you would like to be set up with Sentinel.\n\nInside your Azure Purview resource:\n 3. Select **Diagnostic Settings.**\n 4. Select **+ Add diagnostic setting.**\n 5. In the **Diagnostic setting** blade:\n - Select the Log Category as **DataSensitivityLogEvent**.\n - Select **Send to Log Analytics**.\n - Chose the log destination workspace. This should be the same workspace that is used by **Azure Sentinel.**\n - Click **Save**.", + "instructions": [] + } + ] + } \ No newline at end of file diff --git a/.script/tests/dataConnectorValidatorTest/testFiles/validAzureDiagnosticsDataConnector.json b/.script/tests/dataConnectorValidatorTest/testFiles/validAzureDiagnosticsDataConnector.json new file mode 100644 index 0000000000..a506844652 --- /dev/null +++ b/.script/tests/dataConnectorValidatorTest/testFiles/validAzureDiagnosticsDataConnector.json @@ -0,0 +1,59 @@ +{ + "id": "MicrosoftAzurePurview", + "title": "Azure Purview", + "publisher": "Microsoft", + "descriptionMarkdown": "Connect to Azure Purview to enable data sensitivity enrichment of Microsoft Sentinel. Data classification and sensitivity label logs from Azure Purview scans can be ingested and visualized through workbooks, analytical rules, and more.", + "graphQueries": [ + { + "metricName": "Total data received", + "legend": "PurviewDataSensitivityLogs", + "baseQuery": "PurviewDataSensitivityLogs" + } + ], + "sampleQueries": [ + { + "description": "View files that contain a specific classification (example shows Social Security Number)", + "query": "PurviewDataSensitivityLogs\n | where Classification has \"Social Security Number\"" + } + ], + "dataTypes": [ + { + "name": "AzureDiagnostics (PurviewDataSensitivityLogs)", + "lastDataReceivedQuery": "PurviewDataSensitivityLogs\n | summarize Time = max(TimeGenerated)\n | where isnotempty(Time)" + } + ], + "connectivityCriterias": [ + { + "type": "IsConnectedQuery", + "value": [ + "PurviewDataSensitivityLogs\n | summarize LastLogReceived = max(TimeGenerated)\n | project IsConnected = LastLogReceived > ago(30d)" + ] + } + ], + "availability": { + "status": 1, + "isPreview": true + }, + "permissions": { + "resourceProvider": [ + { + "provider": "Microsoft.OperationalInsights/workspaces", + "permissionsDisplayText": "Azure Purview account Owner or Contributor role to set up Diagnostic Settings. Microsoft Contributor role with write permissions to enable data connector, view workbook, and create analytic rules.", + "providerDisplayName": "Workspace", + "scope": "Workspace", + "requiredPermissions": { + "write": true, + "read": true, + "delete": true + } + } + ] + }, + "instructionSteps": [ + { + "title": "Connect Azure Purview to Azure Sentinel", + "description": "Within the Azure Portal, navigate to your Purview resource:\n 1. In the search bar, search for **Purview accounts.**\n 2. Select the specific account that you would like to be set up with Sentinel.\n\nInside your Azure Purview resource:\n 3. Select **Diagnostic Settings.**\n 4. Select **+ Add diagnostic setting.**\n 5. In the **Diagnostic setting** blade:\n - Select the Log Category as **DataSensitivityLogEvent**.\n - Select **Send to Log Analytics**.\n - Chose the log destination workspace. This should be the same workspace that is used by **Azure Sentinel.**\n - Click **Save**.", + "instructions": [] + } + ] + } \ No newline at end of file diff --git a/.script/tests/detectionTemplateSchemaValidation/Models/AttackTactic.cs b/.script/tests/detectionTemplateSchemaValidation/Models/AttackTactic.cs index fd7ff0f979..33702433f5 100644 --- a/.script/tests/detectionTemplateSchemaValidation/Models/AttackTactic.cs +++ b/.script/tests/detectionTemplateSchemaValidation/Models/AttackTactic.cs @@ -14,6 +14,10 @@ Exfiltration, CommandAndControl, Impact, + Reconnaissance, + ResourceDevelopment, + ImpairProcessControl, + InhibitResponseFunction, PreAttack } } diff --git a/.script/tests/detectionTemplateSchemaValidation/ValidConnectorIds.json b/.script/tests/detectionTemplateSchemaValidation/ValidConnectorIds.json index 4a5db55b23..fd177c1dc1 100644 --- a/.script/tests/detectionTemplateSchemaValidation/ValidConnectorIds.json +++ b/.script/tests/detectionTemplateSchemaValidation/ValidConnectorIds.json @@ -33,12 +33,14 @@ "CEF", "CheckPoint", "CiscoASA", + "CiscoDuoSecurity", "CiscoFirepowerEStreamer", "CiscoISE", "CiscoMeraki", "CiscoSecureEndpoint", "CiscoUCS", "CiscoUmbrellaDataConnector", + "CiscoWSA", "Citrix", "CitrixWAF", "CloudflareDataConnector", @@ -51,6 +53,7 @@ "DDOS", "DNS", "Darktrace", + "DigitalGuardianDLP", "Dynamics365", "ESETEnterpriseInspector", "ESETPROTECT", @@ -64,6 +67,7 @@ "ForgeRock", "Fortinet", "GWorkspaceRAPI", + "ImpervaWAFCloudAPI", "ImpervaWAFGateway", "ImportedConnector", "InfobloxCloudDataConnector", @@ -102,6 +106,7 @@ "SecurityEvents", "SemperisDSP", "SenservaPro", + "SentinelOne", "SlackAuditAPI", "SonicWallFirewall", "SonraiDataConnector", @@ -118,6 +123,7 @@ "ThreatIntelligenceTaxii", "ThycoticSecretServer_CEF", "TrendMicro", + "TrendMicroCAS", "TrendMicroTippingPoint", "TrendMicroXDR", "UbiquitiUnifi", diff --git a/.script/utils/dataConnector.ts b/.script/utils/dataConnector.ts index 91c4f8cb57..0b453798f7 100644 --- a/.script/utils/dataConnector.ts +++ b/.script/utils/dataConnector.ts @@ -194,4 +194,5 @@ export enum ConnectorCategory { Event="Event", RestAPI="REST_API", AzureFunction="Azure_Function", + AzureDiagnostics="AzureDiagnostics" } \ No newline at end of file diff --git a/.script/utils/dataConnectorCheckers/dataTypeChecker.ts b/.script/utils/dataConnectorCheckers/dataTypeChecker.ts index ee1034b7a9..45381c120c 100644 --- a/.script/utils/dataConnectorCheckers/dataTypeChecker.ts +++ b/.script/utils/dataConnectorCheckers/dataTypeChecker.ts @@ -1,12 +1,12 @@ import { DataType } from "../dataConnector"; import { DataConnectorValidationError } from "../validationError"; -export function isValidDataType(dataTypes: Array): boolean { +export function isValidDataType(dataTypes: Array): boolean { dataTypes.forEach((dataType) => { let name = dataType.name; if(name.indexOf(' ') >= 0) { - if ((name.includes("CommonSecurityLog") || name.includes("Syslog") || name.includes("Event"))) + if ((name.includes("CommonSecurityLog") || name.includes("Syslog") || name.includes("Event") || name.includes("AzureDiagnostics"))) { return true; } diff --git a/.script/utils/schemas/AzureDiagnostics_ConnectorSchema.json b/.script/utils/schemas/AzureDiagnostics_ConnectorSchema.json new file mode 100644 index 0000000000..c1f3c70f8d --- /dev/null +++ b/.script/utils/schemas/AzureDiagnostics_ConnectorSchema.json @@ -0,0 +1,201 @@ +{ + "type": "object", + "required": [ + "id", + "title", + "publisher", + "graphQueries", + "sampleQueries", + "dataTypes", + "connectivityCriterias", + "availability", + "permissions", + "instructionSteps" + ], + "properties": { + "id": { + "type": "string" + }, + "title": { + "type": "string" + }, + "publisher": { + "type": "string" + }, + "descriptionMarkdown": { + "type": "string" + }, + "graphQueries": { + "type": "array", + "items": { + "type": "object", + "required": [ + "metricName", + "legend", + "baseQuery" + ], + "properties": { + "metricName": { + "type": "string" + }, + "legend": { + "type": "string" + }, + "baseQuery": { + "type": "string" + } + } + } + }, + "sampleQueries": { + "type": "array", + "items": { + "type": "object", + "required": [ + "description", + "query" + ], + "properties": { + "description": { + "type": "string" + }, + "query": { + "type": "string" + } + } + } + }, + "dataTypes": { + "type": "array", + "items": { + "type": "object", + "required": [ + "name", + "lastDataReceivedQuery" + ], + "properties": { + "name": { + "type": "string" + }, + "lastDataReceivedQuery": { + "type": "string" + } + } + } + }, + "connectivityCriterias": { + "type": "array", + "items": { + "type": "object", + "required": [ + "type", + "value" + ], + "properties": { + "type": { + "type": "string" + }, + "value": { + "type": "array", + "default": [ + ], + "items": { + "type": "string" + } + } + } + } + }, + "availability": { + "type": "object", + "required": [ + "status", + "isPreview" + ], + "properties": { + "status": { + "type": "integer" + }, + "isPreview": { + "type": "boolean" + } + } + }, + "permissions": { + "type": "object", + "required": [ + "resourceProvider" + ], + "properties": { + "resourceProvider": { + "type": "array", + "items": { + "type": "object", + "required": [ + "provider", + "permissionsDisplayText", + "providerDisplayName", + "scope", + "requiredPermissions" + ], + "properties": { + "provider": { + "type": "string" + }, + "permissionsDisplayText": { + "type": "string" + }, + "providerDisplayName": { + "type": "string" + }, + "scope": { + "type": "string" + }, + "requiredPermissions": { + "type": "object", + "required": [ + "write", + "read", + "delete" + ], + "properties": { + "write": { + "type": "boolean" + }, + "read": { + "type": "boolean" + }, + "delete": { + "type": "boolean" + } + } + } + } + } + } + } + }, + "instructionSteps": { + "type": "array", + "items": { + "type": "object", + "required": [ + "title", + "description", + "instructions" + ], + "properties": { + "title": { + "type": "string" + }, + "description": { + "type": "string" + }, + "instructions": { + "type": "array" + } + } + } + } + } +} \ No newline at end of file diff --git a/CODEOWNERS b/CODEOWNERS index c0e0ac754b..00458d6ddb 100644 --- a/CODEOWNERS +++ b/CODEOWNERS @@ -7,7 +7,7 @@ # This is copied from here: https://help.github.com/en/github/creating-cloning-and-archiving-repositories/about-code-owners -/Playbooks/ @dicolanl @Yaniv-Shasha @sarah-yo @sreedharande +/Playbooks/ @dicolanl @Yaniv-Shasha @sarah-yo @sreedharande @lior-tamir /Workbooks/ @Liatlishams /Solutions/HoneyTokens @haneuvir /Solutions/SAP @udidekel @tamirkopitz diff --git a/DataConnectors/MCASActivityFunction/AzureFunctionMCASActivity/.funcignore b/DataConnectors/MCASActivityFunction/AzureFunctionMCASActivity/.funcignore deleted file mode 100644 index 414df2f01a..0000000000 --- a/DataConnectors/MCASActivityFunction/AzureFunctionMCASActivity/.funcignore +++ /dev/null @@ -1,4 +0,0 @@ -.git* -.vscode -local.settings.json -test \ No newline at end of file diff --git a/DataConnectors/MCASActivityFunction/AzureFunctionMCASActivity/.gitignore b/DataConnectors/MCASActivityFunction/AzureFunctionMCASActivity/.gitignore deleted file mode 100644 index 0fd34d4b3f..0000000000 --- a/DataConnectors/MCASActivityFunction/AzureFunctionMCASActivity/.gitignore +++ /dev/null @@ -1,6 +0,0 @@ - -# Azure Functions artifacts -bin -obj -appsettings.json -local.settings.json \ No newline at end of file diff --git a/DataConnectors/MCASActivityFunction/AzureFunctionMCASActivity/MCASActivityTimerTrigger.zip b/DataConnectors/MCASActivityFunction/AzureFunctionMCASActivity/MCASActivityTimerTrigger.zip index a66a782005..5be0f01341 100644 Binary files a/DataConnectors/MCASActivityFunction/AzureFunctionMCASActivity/MCASActivityTimerTrigger.zip and b/DataConnectors/MCASActivityFunction/AzureFunctionMCASActivity/MCASActivityTimerTrigger.zip differ diff --git a/DataConnectors/MCASActivityFunction/AzureFunctionMCASActivity/MCASActivityTimerTrigger/function.json b/DataConnectors/MCASActivityFunction/AzureFunctionMCASActivity/MCASActivityTimerTrigger/function.json index 2170cfa5b4..e14ab16cb5 100644 --- a/DataConnectors/MCASActivityFunction/AzureFunctionMCASActivity/MCASActivityTimerTrigger/function.json +++ b/DataConnectors/MCASActivityFunction/AzureFunctionMCASActivity/MCASActivityTimerTrigger/function.json @@ -4,7 +4,7 @@ "name": "Timer", "type": "timerTrigger", "direction": "in", - "schedule": "0 */5 * * * *" + "schedule": "%Schedule%" } ] } diff --git a/DataConnectors/MCASActivityFunction/AzureFunctionMCASActivity/MCASActivityTimerTrigger/readme.md b/DataConnectors/MCASActivityFunction/AzureFunctionMCASActivity/MCASActivityTimerTrigger/readme.md deleted file mode 100644 index 6f80bfdf0a..0000000000 --- a/DataConnectors/MCASActivityFunction/AzureFunctionMCASActivity/MCASActivityTimerTrigger/readme.md +++ /dev/null @@ -1,11 +0,0 @@ -# TimerTrigger - PowerShell - -The `TimerTrigger` makes it incredibly easy to have your functions executed on a schedule. This sample demonstrates a simple use case of calling your function every 5 minutes. - -## How it works - -For a `TimerTrigger` to work, you provide a schedule in the form of a [cron expression](https://en.wikipedia.org/wiki/Cron#CRON_expression)(See the link for full details). A cron expression is a string with 6 separate expressions which represent a given schedule via patterns. The pattern we use to represent every 5 minutes is `0 */5 * * * *`. This, in plain text, means: "When seconds is equal to 0, minutes is divisible by 5, for any hour, day of the month, month, day of the week, or year". - -## Learn more - - Documentation diff --git a/DataConnectors/MCASActivityFunction/AzureFunctionMCASActivity/MCASActivityTimerTrigger/run.ps1 b/DataConnectors/MCASActivityFunction/AzureFunctionMCASActivity/MCASActivityTimerTrigger/run.ps1 index 8b64129f4c..5a8cec3697 100644 --- a/DataConnectors/MCASActivityFunction/AzureFunctionMCASActivity/MCASActivityTimerTrigger/run.ps1 +++ b/DataConnectors/MCASActivityFunction/AzureFunctionMCASActivity/MCASActivityTimerTrigger/run.ps1 @@ -3,13 +3,15 @@ Language: PowerShell Version: 1.0 Author: Nicholas DiCola - Last Modified: 05/12/2021 + Modified By: Sreedhar Ande + Last Modified: 12/16/2021 DESCRIPTION This Function App calls the MCAS Activity REST API (https://docs.microsoft.com/cloud-app-security/api-activities) to pull the MCAS Activity logs. The response from the MCAS API is recieved in JSON format. This function will build the signature and authorization header needed to post the data to the Log Analytics workspace via the HTTP Data Connector API. The Function App will post the data to MCASActivity_CL. #> + # Input bindings are passed in via param block. param($Timer) @@ -29,8 +31,6 @@ if ($env:MSI_SECRET -and (Get-Module -ListAvailable Az.Accounts)){ Connect-AzAccount -Identity } -#Wait-Debugger - $AzureWebJobsStorage = $env:AzureWebJobsStorage $MCASAPIToken = $env:MCASAPIToken $workspaceId = $env:WorkspaceId @@ -38,8 +38,8 @@ $workspaceKey = $env:WorkspaceKey $Lookback = $env:Lookback $MCASURL = $env:MCASURL $LAURI = $env:LAURI -$storageAccountContainer = "mcasactivity-logs" -$fileName = "lastrun-MCAS.json" +$TblLastRunExecutions = "MCASLastRunLogs" + $StartTime = (get-date).ToUniversalTime() $currentStartTime = $StartTime | get-date -Format yyyy-MM-ddTHH:mm:ss:ffffffZ @@ -202,33 +202,28 @@ $headers = @{ } $EndEpoch = ([int64]((Get-Date -Date $StartTime) - (get-date "1/1/1970")).TotalMilliseconds) - -#check for last run file +# Retrieve Timestamp from last executions +# Check if Table has already been created and if not create it to maintain state between executions of Function $storageAccountContext = New-AzStorageContext -ConnectionString $AzureWebJobsStorage -$checkBlob = Get-AzStorageBlob -Blob $fileName -Container $storageAccountContainer -Context $storageAccountContext -if($checkBlob -ne $null){ - #Blob found get data - Get-AzStorageBlobContent -Blob $fileName -Container $storageAccountContainer -Context $storageAccountContext -Destination "$env:temp\$fileName" -Force - $lastRunContext = Get-Content "$env:temp\$fileName" | ConvertFrom-Json - $StartEpoch = $lastRunContext.lastRunEpoch - $lastRunContext.lastRunEpoch = $EndEpoch - $lastRunContext | ConvertTo-Json | out-file "$env:temp\$fileName" + +$LastExecutionsTable = Get-AzStorageTable -Name $TblLastRunExecutions -Context $storageAccountContext -ErrorAction Ignore +if($null -eq $LastExecutionsTable.Name) { + New-AzStorageTable -Name $TblLastRunExecutions -Context $storageAccountContext + $LastRunExecutionsTable = (Get-AzStorageTable -Name $TblLastRunExecutions -Context $storageAccountContext.Context).cloudTable + Add-AzTableRow -table $LastRunExecutionsTable -PartitionKey "MCASExecutions" -RowKey $workspaceId -property @{"lastRun"="$CurrentStartTime";"lastRunEpoch"="$EndEpoch"} -UpdateExisting +} +Else { + $LastRunExecutionsTable = (Get-AzStorageTable -Name $TblLastRunExecutions -Context $storageAccountContext.Context).cloudTable +} + +# retrieve the row +$LastRunExecutionsTableRow = Get-AzTableRow -table $LastRunExecutionsTable -partitionKey "MCASExecutions" -RowKey $workspaceId -ErrorAction Ignore +if($null -ne $LastRunExecutionsTableRow.lastRunEpoch){ + $StartEpoch = $LastRunExecutionsTableRow.lastRunEpoch } else { - #no blob create the context - #$StartEpoch = ([int64]((Get-Date -Date $StartTime).AddMinutes(-$Lookback) - (get-date "1/1/1970")).TotalMilliseconds) $StartEpoch = ([int64]((Get-Date -Date $StartTime).AddDays(-$Lookback) - (get-date "1/1/1970")).TotalMilliseconds) - $lastRunContent = @" -{ -"lastRun": "$CurrentStartTime", -"lastRunEpoch": $EndEpoch } -"@ - $lastRunContent | Out-File "$env:temp\$fileName" - $lastRunContext = $lastRunContent | ConvertFrom-Json -} - - #Build query $body = @" @@ -246,7 +241,6 @@ $body = @" "@ - #Get the Activities Write-Host "Starting to process Tenant: $MCASURL" $uri = $MCASURL+"/api/v1/activities/" @@ -275,7 +269,7 @@ do { Write-Host "Got some results: "($results.data.Count) $totalRecords += ($results.data.Count) Write-Host $totalRecords - #SendToLogA -Data ($results.data) -customLogName "MCASActivity" + SendToLogA -Data ($results.data) -customLogName "MCASActivity" } else{ Write-Host "No new logs" @@ -285,7 +279,7 @@ do { if($loopAgain -ne $false){ # if there is more data update the query $newBody = $body | ConvertFrom-Json - If($newBody.filters.date.lte -eq $null){ + If($null -eq $newBody.filters.date.lte){ $newBody.filters.date | Add-Member -Name lte -Value ($results.nextQueryFilters.date.lte) -MemberType NoteProperty } else { @@ -295,10 +289,6 @@ do { Write-Host $body } else { - # no more data write last run to az storage - Set-AzStorageBlobContent -Blob $fileName -Container $storageAccountContainer -Context $storageAccountContext -File "$env:temp\$fileName" -Force + Add-AzTableRow -table $LastRunExecutionsTable -PartitionKey "MCASExecutions" -RowKey $workspaceId -property @{"lastRun"="$CurrentStartTime";"lastRunEpoch"="$EndEpoch"} -UpdateExisting } -} until ($loopAgain -eq $false) - -#clear the temp folder -Remove-Item $env:temp\* -Recurse -Force -ErrorAction SilentlyContinue \ No newline at end of file +} until ($loopAgain -eq $false) \ No newline at end of file diff --git a/DataConnectors/MCASActivityFunction/AzureFunctionMCASActivity/MCASActivityTimerTrigger/sample.dat b/DataConnectors/MCASActivityFunction/AzureFunctionMCASActivity/MCASActivityTimerTrigger/sample.dat deleted file mode 100644 index e69de29bb2..0000000000 diff --git a/DataConnectors/MCASActivityFunction/AzureFunctionMCASActivity/host.json b/DataConnectors/MCASActivityFunction/AzureFunctionMCASActivity/host.json index c1437cbc6e..3786482f8d 100644 --- a/DataConnectors/MCASActivityFunction/AzureFunctionMCASActivity/host.json +++ b/DataConnectors/MCASActivityFunction/AzureFunctionMCASActivity/host.json @@ -1,5 +1,6 @@ { "version": "2.0", + "functionTimeout": "00:10:00", "logging": { "applicationInsights": { "samplingSettings": { diff --git a/DataConnectors/MCASActivityFunction/AzureFunctionMCASActivity/proxies.json b/DataConnectors/MCASActivityFunction/AzureFunctionMCASActivity/proxies.json deleted file mode 100644 index b385252f5e..0000000000 --- a/DataConnectors/MCASActivityFunction/AzureFunctionMCASActivity/proxies.json +++ /dev/null @@ -1,4 +0,0 @@ -{ - "$schema": "http://json.schemastore.org/proxies", - "proxies": {} -} diff --git a/DataConnectors/MCASActivityFunction/CHANGELOG.MD b/DataConnectors/MCASActivityFunction/CHANGELOG.MD index 5898157778..1aca4e06d1 100644 --- a/DataConnectors/MCASActivityFunction/CHANGELOG.MD +++ b/DataConnectors/MCASActivityFunction/CHANGELOG.MD @@ -1,3 +1,10 @@ ## 1.0 - Converted MCAS Acitivyt Data connector from Logic Apps to Azure Function -- Splitting the data if it is more than 25MB \ No newline at end of file +- Splitting the data if it is more than 25MB + +## 2.0 +- Function Schedule (CRON Expression) as parameter +- Updated StorageAccountName and KeyVaultName +- Updated Path for Function Package +- Deleted the usage of Storage Account to write last run executions +- Writing Last Run executions to Azure Storage Table \ No newline at end of file diff --git a/DataConnectors/MCASActivityFunction/Function Dependencies/lastrun-MCAS.json b/DataConnectors/MCASActivityFunction/Function Dependencies/lastrun-MCAS.json deleted file mode 100644 index 1a104f3fe4..0000000000 --- a/DataConnectors/MCASActivityFunction/Function Dependencies/lastrun-MCAS.json +++ /dev/null @@ -1,4 +0,0 @@ -{ - "lastRun": "", - "lastRunEpoch": 0 -} \ No newline at end of file diff --git a/DataConnectors/MCASActivityFunction/azuredeploy.json b/DataConnectors/MCASActivityFunction/azuredeploy.json index e110058804..9dc7c0f206 100644 --- a/DataConnectors/MCASActivityFunction/azuredeploy.json +++ b/DataConnectors/MCASActivityFunction/azuredeploy.json @@ -50,8 +50,8 @@ }, "variables": { "FunctionName": "[concat(toLower(parameters('FunctionName')),'-fn', uniqueString(resourceGroup().id, subscription().id))]", - "StorageAccountName": "[concat(substring(variables('FunctionName'), 0, 7), '-sa-', uniqueString(resourceGroup().id, subscription().id))]", - "KeyVaultName": "[concat(substring(variables('FunctionName'), 0, 7), '-kv-', uniqueString(resourceGroup().id, subscription().id))]", + "StorageAccountName": "[substring(concat(substring(variables('FunctionName'), 0, 7), 'sa', uniqueString(resourceGroup().id, subscription().id)), 0, 20)]", + "KeyVaultName": "[substring(concat(substring(variables('FunctionName'), 0, 7), 'kv', uniqueString(resourceGroup().id, subscription().id)), 0, 20)]", "MCASAPIToken": "MCASAPIToken", "LogAnalyticsWorkspaceKey": "LogAnalyticsWorkspaceKey", "StorageContainerName": "mcasactivity-logs", @@ -207,7 +207,7 @@ "Lookback": "[parameters('Lookback')]", "MCASURL": "[parameters('MCASURL')]", "LAURI": "[variables('LogAnaltyicsUri')]", - "WEBSITE_RUN_FROM_PACKAGE": "https://aka.ms/mcasactivityazurefunctionzip" + "WEBSITE_RUN_FROM_PACKAGE": "https://github.com/Azure/Azure-Sentinel/blob/master/DataConnectors/MCASActivityFunction/AzureFunctionMCASActivity/MCASActivityTimerTrigger.zip?raw=true" } } ] diff --git a/DataConnectors/MCASActivityFunction/readme.md b/DataConnectors/MCASActivityFunction/readme.md index f7a43fce62..7856861c3f 100644 --- a/DataConnectors/MCASActivityFunction/readme.md +++ b/DataConnectors/MCASActivityFunction/readme.md @@ -32,9 +32,7 @@ A MCAS API Token is required. See the documentation to learn more about the [API ``` ## Post Deployment Steps -1. There is a json file (lastrun-MCAS.json) in Function Dependencies folder -2. Upload the file to the storage account "mcasactivity-logs" container from -4. API Token and Workspace Key will be placed as "Secrets" in the Azure KeyVault `<><>` with only Azure Function access policy. If you want to see/update these secrets, +1. API Token and Workspace Key will be placed as "Secrets" in the Azure KeyVault `<><>` with only Azure Function access policy. If you want to see/update these secrets, ``` a. Go to Azure KeyVault `<><>` @@ -48,7 +46,7 @@ A MCAS API Token is required. See the documentation to learn more about the [API ``` -6. The `TimerTrigger` makes it incredibly easy to have your functions executed on a schedule. This sample demonstrates a simple use case of calling your function based on your schedule provided while deploying. If you want to change +2. The `TimerTrigger` makes it incredibly easy to have your functions executed on a schedule. This sample demonstrates a simple use case of calling your function based on your schedule provided while deploying. If you want to change the schedule ``` a. Click on Function App "Configuration" under Settings @@ -57,7 +55,7 @@ A MCAS API Token is required. See the documentation to learn more about the [API ``` **Note: For a `TimerTrigger` to work, you provide a schedule in the form of a [cron expression](https://en.wikipedia.org/wiki/Cron#CRON_expression)(See the link for full details). A cron expression is a string with 6 separate expressions which represent a given schedule via patterns. The pattern we use to represent every 5 minutes is `0 */5 * * * *`. This, in plain text, means: "When seconds is equal to 0, minutes is divisible by 5, for any hour, day of the month, month, day of the week, or year".** -7. If you change the TimerTigger you need to configure the Lookback setting to match the number of minutes between runs. If you want to change +3. If you change the TimerTigger you need to configure the Lookback setting to match the number of minutes between runs. If you want to change the Lookback ``` a. Click on Function App "Configuration" under Settings diff --git a/DataConnectors/Netskope/AzureFunctionNetskope.zip b/DataConnectors/Netskope/AzureFunctionNetskope.zip index e4d1f51b58..ed6c91f6e8 100644 Binary files a/DataConnectors/Netskope/AzureFunctionNetskope.zip and b/DataConnectors/Netskope/AzureFunctionNetskope.zip differ diff --git a/DataConnectors/Netskope/AzureFunctionNetskope/run.ps1 b/DataConnectors/Netskope/AzureFunctionNetskope/run.ps1 index b08554a388..8f55375e97 100644 --- a/DataConnectors/Netskope/AzureFunctionNetskope/run.ps1 +++ b/DataConnectors/Netskope/AzureFunctionNetskope/run.ps1 @@ -129,6 +129,41 @@ function Netskope () { Do { $response = GetLogs -Uri $uri -ApiKey $apikey -StartTime $startTime -EndTime $endTime -LogType $logtype -Page $pageLimit -Skip $skip $netskopeevents = $response.data + $netskopeevents | Add-Member -MemberType NoteProperty dlp_incidentid -Value "" + $netskopeevents | Add-Member -MemberType NoteProperty dlp_parentid -Value "" + $netskopeevents | Add-Member -MemberType NoteProperty connectionid -Value "" + $netskopeevents | Add-Member -MemberType NoteProperty app_sessionid -Value "" + $netskopeevents | Add-Member -MemberType NoteProperty transactionid -Value "" + $netskopeevents | Add-Member -MemberType NoteProperty browser_sessionid -Value "" + $netskopeevents | Add-Member -MemberType NoteProperty requestid -Value "" + + if($null -ne $netskopeevents) + { + $netskopeevents | ForEach-Object{ + if($_.dlp_incident_id -ne $NULL){ + $_.dlp_incidentid = [string]$_.dlp_incident_id + } + if($_.dlp_parent_id -ne $NULL){ + $_.dlp_parentid = [string]$_.dlp_parent_id + } + if($_.connection_id -ne $NULL){ + $_.connectionid = [string]$_.connection_id + } + if($_.app_session_id -ne $NULL){ + $_.app_sessionid = [string]$_.app_session_id + } + if($_.transaction_id -ne $NULL){ + $_.transactionid = [string]$_.transaction_id + } + if($_.browser_session_id -ne $NULL){ + $_.browser_sessionid = [string]$_.browser_session_id + } + if($_.request_id -ne $NULL){ + $_.requestid = [string]$_.request_id + } + } + } + $dataLength = $response.data.Length $alleventobjs += $netskopeevents diff --git a/DataConnectors/Templates/Data Connectors Template Guidance.md b/DataConnectors/Templates/Data Connectors Template Guidance.md index fb8d1c309d..8633afdc98 100644 --- a/DataConnectors/Templates/Data Connectors Template Guidance.md +++ b/DataConnectors/Templates/Data Connectors Template Guidance.md @@ -2,7 +2,7 @@ To make it easy to build and validate data connectors user experience, we have data connector json templates available for partners to use, validate and submit. This guide provides information on how to fill out the json templates. -The underlying json structure of any of the data connector template is the same, hence this connector template guidance is generalized for CEF, REST or Syslog data connector types in Azure Sentinel. There will be specific recommendations provided for different types as needed. +The underlying json structure of any of the data connector template is the same, hence this connector template guidance is generalized for CEF, REST or Syslog data connector types in Microsoft Sentinel. There will be specific recommendations provided for different types as needed. # How to use the json template? @@ -13,7 +13,7 @@ Download the json template based on the data connector type and rename it to as The following nomenclatures appear in the json templates. Note these accordingly to represent your data connector and fill these values accordingly in the template. 1. **PROVIDER NAME** – The name of the vendor who is building the data connector. For e.g. Microsoft, Symantec, Barracuda, etc. -2. **APPLIANCE NAME** – The name of the specific product whose logs or data is being sent to Azure Sentinel via this data connector. For e.g. CloudGen Firewall (from Barracuda), Security Analytics (from Citrix), etc. +2. **APPLIANCE NAME** – The name of the specific product whose logs or data is being sent to Microsoft Sentinel via this data connector. For e.g. CloudGen Firewall (from Barracuda), Security Analytics (from Citrix), etc. 3. **DATATYPE\_NAME** – The name of the default table where the data / logs will be sent to. The location changes for each type of data connector. While naming these: 1. Do **not** have spaces in the data type names. 2. Represent both provider, appliance name and type of data [optionally] as a short name in the data type name. The goal is to be able to disambiguate different data types if there's going to be separate data types for different appliances from the same provider for different log types (like alerts, events, raw logs, network logs, etc.) @@ -89,7 +89,7 @@ A data connector can have multiple data types and these can be represented by co 3. **permissions** – Represents the required permissions needed for the data connector to be enabled or connected. For e.g. write permissions to the workspace is needed for connector to be enabled, etc. These appear in the connector UX in the prerequisites section. This property value need **not** be updated and can remain as-is. 4. **instructionSteps** – These are the specific instructions to connect to the data connector. * For CEF and Syslog, leverage the existing text as-is and add anything custom as needed. - * For REST API, either provide a link to your website/documentation that outlines the onboarding guidance to send data to Azure Sentinel **or** provide detailed guidance for customers to send data to Azure Sentinel. + * For REST API, either provide a link to your website/documentation that outlines the onboarding guidance to send data to Microsoft Sentinel **or** provide detailed guidance for customers to send data to Microsoft Sentinel. * If Connector is dependent on Kusto Function (Parser), **additionalRequirementBanner** and **instruction step** about Parser need to be added in Connector.

# What is the format for redirection/Short links? @@ -100,3 +100,13 @@ A data connector can have multiple data types and these can be represented by co Expand and add multiple instructions as needed by adding more title and description elements in this block. + +## Next steps + +Currently in preview, you can also publish your data connector as a Microsoft Sentinel solution. + +Microsoft Sentinel solutions provide an in-product experience for central discoverability, single-step deployment, and enablement of end-to-end product and/or domain and/or vertical scenarios in Microsoft Sentinel. For example, use solutions to deliver your data connector packaged with related analytics rules, workbooks, playbooks, and more. + +**Tip**: If your solution is being published to the content hub, also open a PR to have it listed in our [content hub catalog](https://docs.microsoft.com/azure/sentinel/sentinel-solutions-catalog). On the docs page, click Edit to open your PR. + +For more information, see the [Microsoft Sentinel solution overview](https://docs.microsoft.com/azure/sentinel/sentinel-solutions) and our [Guide to Building Microsoft Sentinel Solutions](https://github.com/Azure/Azure-Sentinel/tree/master/Solutions#readme). diff --git a/DataConnectors/Templates/Doc_Template_CEF_Connector.md b/DataConnectors/Templates/Doc_Template_CEF_Connector.md index a61ea65747..5cda5738e7 100644 --- a/DataConnectors/Templates/Doc_Template_CEF_Connector.md +++ b/DataConnectors/Templates/Doc_Template_CEF_Connector.md @@ -1,21 +1,29 @@ -# Connect your <> to Azure Sentinel +# Connect your <> to Microsoft Sentinel -This article explains how to connect your <> appliance to Azure Sentinel. The <> data connector allows you to easily connect your <> logs with Azure Sentinel, to view dashboards, create custom alerts, and improve investigation. <> +This article explains how to connect your <> appliance to Microsoft Sentinel. The <> data connector allows you to easily connect your <> logs with Microsoft Sentinel, to view dashboards, create custom alerts, and improve investigation. <> - -> [!NOTE] -> Data will be stored in the geographic location of the workspace on which you are running Azure Sentinel. +**Note**: Data will be stored in the geographic location of the workspace on which you are running Microsoft Sentinel. ## Forward <> logs to the Syslog agent Configure <> to forward Syslog messages in CEF format to your Azure workspace via the Syslog agent. -1. +1. 2. To use the relevant schema in Log Analytics for the <>, search for CommonSecurityLog. -3. Continue to [STEP 3: Validate connectivity](connect-cef-verify.md). - +3. Continue with [validating your CEF connectivity](https://docs.microsoft.com/azure/sentinel/troubleshooting-cef-syslog?tabs=rsyslog#validate-cef-connectivity). ## Next steps -In this document, you learned how to connect <> to Azure Sentinel. To learn more about Azure Sentinel, see the following articles: -- Learn how to [get visibility into your data, and potential threats](quickstart-get-visibility.md). -- Get started [detecting threats with Azure Sentinel](tutorial-detect-threats-built-in.md). -- [Use workbooks](tutorial-monitor-your-data.md) to monitor your data. \ No newline at end of file +In this document, you learned how to connect <> to Microsoft Sentinel. To learn more about Microsoft Sentinel, see the following articles: +- Learn how to [get visibility into your data, and potential threats](https://docs.microsoft.com/azure/sentinel/get-visibility). +- Get started [detecting threats with Microsoft Sentinel](https://docs.microsoft.com/azure/sentinel/detect-threats-built-in). +- [Use workbooks](https://docs.microsoft.com/azure/sentinel/monitor-your-data) to monitor your data. + +<### Install as a solution (Preview) + +Include this section if you are planning on publishing your data connector as a Microsoft Sentinel solution. Microsoft Sentinel solutions provide an in-product experience for central discoverability, single-step deployment, and enablement of end-to-end product and/or domain and/or vertical scenarios in Microsoft Sentinel. For example, use solutions to deliver your data connector packaged with related analytics rules, workbooks, playbooks, and more. + +- When relevant, add instructions for installing your solution, either from the Azure Marketplace, or from the Microsoft Sentinel content hub. +- If your solution is being published to the content hub, also open a PR to have it listed in our [content hub catalog](https://docs.microsoft.com/azure/sentinel/sentinel-solutions-catalog). On the docs page, click Edit to open your PR. + +For more information, see the [Microsoft Sentinel solution overview](https://docs.microsoft.com/azure/sentinel/sentinel-solutions) and our [Guide to Building Microsoft Sentinel Solutions](https://github.com/Azure/Azure-Sentinel/tree/master/Solutions#readme).> + + diff --git a/DataConnectors/Templates/Doc_Template_REST_API_Connector.md b/DataConnectors/Templates/Doc_Template_REST_API_Connector.md index 1a9fad26cd..638db12311 100644 --- a/DataConnectors/Templates/Doc_Template_REST_API_Connector.md +++ b/DataConnectors/Templates/Doc_Template_REST_API_Connector.md @@ -1,24 +1,19 @@ -# Connect your <> to Azure Sentinel +# Connect your <> to Microsoft Sentinel -<> connector allows you to easily connect all your <> security solution logs with your Azure Sentinel, to view dashboards, create custom alerts, and improve investigation. <>. Integration between <> and Azure Sentinel makes use of REST API. +<> connector allows you to easily connect all your <> security solution logs with your Microsoft Sentinel, to view dashboards, create custom alerts, and improve investigation. <>. Integration between <> and Microsoft Sentinel makes use of REST API. > [!NOTE] -> Data will be stored in the geographic location of the workspace on which you are running Azure Sentinel. +> Data will be stored in the geographic location of the workspace on which you are running Microsoft Sentinel. ## Configure and connect <> -<> can integrate and export logs directly to Azure Sentinel. -1. In the Azure Sentinel portal, click Data connectors and select <> and then Open connector page. - -2. - -ELSE - -2. +<> can integrate and export logs directly to Microsoft Sentinel. +1. In the Microsoft Sentinel portal, click Data connectors and select <> and then Open connector page. +2. ## Find your data @@ -30,8 +25,17 @@ It may take up to 20 minutes until your logs start to appear in Log Analytics. ## Next steps -In this document, you learned how to connect <> to Azure Sentinel. To learn more about Azure Sentinel, see the following articles: -- Learn how to [get visibility into your data, and potential threats](quickstart-get-visibility.md). -- Get started [detecting threats with Azure Sentinel](tutorial-detect-threats-built-in.md). -- [Use workbooks](tutorial-monitor-your-data.md) to monitor your data. +In this document, you learned how to connect <> to Microsoft Sentinel. To learn more about Microsoft Sentinel, see the following articles: +- Learn how to [get visibility into your data, and potential threats](https://docs.microsoft.com/azure/sentinel/get-visibility). +- Get started [detecting threats with Microsoft Sentinel](https://docs.microsoft.com/azure/sentinel/detect-threats-built-in). +- [Use workbooks](https://docs.microsoft.com/azure/sentinel/monitor-your-data) to monitor your data. + +<### Install as a solution (Preview) + +Include this section if you are planning on publishing your data connector as a Microsoft Sentinel solution. Microsoft Sentinel solutions provide an in-product experience for central discoverability, single-step deployment, and enablement of end-to-end product and/or domain and/or vertical scenarios in Microsoft Sentinel. For example, use solutions to deliver your data connector packaged with related analytics rules, workbooks, playbooks, and more. + +- When relevant, add instructions for installing your solution, either from the Azure Marketplace, or from the Microsoft Sentinel content hub. +- If your solution is being published to the content hub, also open a PR to have it listed in our [content hub catalog](https://docs.microsoft.com/azure/sentinel/sentinel-solutions-catalog). On the docs page, click Edit to open your PR. + +For more information, see the [Microsoft Sentinel solution overview](https://docs.microsoft.com/azure/sentinel/sentinel-solutions) and our [Guide to Building Microsoft Sentinel Solutions](https://github.com/Azure/Azure-Sentinel/tree/master/Solutions#readme).> diff --git a/Detections/ASimNetworkSession/PossibleBeaconingActivity.yaml b/Detections/ASimNetworkSession/PossibleBeaconingActivity.yaml new file mode 100644 index 0000000000..ed1f38ec0a --- /dev/null +++ b/Detections/ASimNetworkSession/PossibleBeaconingActivity.yaml @@ -0,0 +1,75 @@ +id: fcb9d75c-c3c1-4910-8697-f136bfef2363 +name: Potential beaconing activity (ASIM Network Session schema) +description: | + This rule identifies beaconing patterns from Network traffic logs based on recurrent frequency patterns. Such potential outbound beaconing pattern to untrusted public networks should be investigated for any malware callbacks or data exfiltration attempts as discussed in this [Blog](http://www.austintaylor.io/detect/beaconing/intrusion/detection/system/command/control/flare/elastic/stack/2017/06/10/detect-beaconing-with-flare-elasticsearch-and-intrusion-detection-systems/).\

This rule uses the [Advanced SIEM Information Model (ASIM)](https://aka.ms/AboutASIM) and supports any network session source that compiles with ASIM. To use this Analytics Rule, [deploy the Advanced SIEM information Model (ASIM)](https://aka.ms/DeployASIM).'' +severity: Low +requiredDataConnectors: [] +queryFrequency: 1d +queryPeriod: 2d +triggerOperator: gt +triggerThreshold: 0 +tactics: + - CommandAndControl +relevantTechniques: + - T1071 + - T1571 +tags: + - ParentAlert: https://github.com/Azure/Azure-Sentinel/blob/master/Detections/CommonSecurityLog/PaloAlto-NetworkBeaconing.yaml + ParentVersion: 1.0.0 + - Schema: ASIMNetworkSession + SchemaVersion: 0.2.1 + +query: | + let querystarttime = 2d; + let queryendtime = 1d; + let TimeDeltaThreshold = 10; + let TotalEventsThreshold = 15; + let PercentBeaconThreshold = 80; + imNetworkSession(starttime=querystarttime, endtime=queryendtime) + | where not(ipv4_is_private(DstIpAddr)) + | project TimeGenerated, SrcIpAddr, SrcPortNumber, DstIpAddr, DstPortNumber, DstBytes, SrcBytes + | sort by SrcIpAddr asc,TimeGenerated asc, DstIpAddr asc, DstPortNumber asc + | serialize + | extend nextTimeGenerated = next(TimeGenerated, 1), nextSrcIpAddr = next(SrcIpAddr, 1) + | extend TimeDeltainSeconds = datetime_diff('second',nextTimeGenerated,TimeGenerated) + | where SrcIpAddr == nextSrcIpAddr + //Whitelisting criteria/ threshold criteria + | where TimeDeltainSeconds > TimeDeltaThreshold + | project TimeGenerated, TimeDeltainSeconds, SrcIpAddr, SrcPortNumber, DstIpAddr, DstPortNumber, DstBytes, SrcBytes + | summarize count(), sum(DstBytes), sum(SrcBytes), make_list(TimeDeltainSeconds) + by TimeDeltainSeconds, bin(TimeGenerated, 1h), SrcIpAddr, DstIpAddr, DstPortNumber + | summarize (MostFrequentTimeDeltaCount, MostFrequentTimeDeltainSeconds) = arg_max(count_, TimeDeltainSeconds), TotalEvents=sum(count_), TotalSrcBytes = sum(sum_SrcBytes), TotalDstBytes = sum(sum_DstBytes) + by bin(TimeGenerated, 1h), SrcIpAddr, DstIpAddr, DstPortNumber + | where TotalEvents > TotalEventsThreshold + | extend BeaconPercent = MostFrequentTimeDeltaCount/toreal(TotalEvents) * 100 + | where BeaconPercent > PercentBeaconThreshold +entityMappings: + - entityType: Account + fieldMappings: + - identifier: FullName + columnName: AccountCustomEntity + - entityType: Host + fieldMappings: + - identifier: FullName + columnName: HostCustomEntity + - entityType: IP + fieldMappings: + - identifier: Address + columnName: SrcIpAddr + - entityType: IP + fieldMappings: + - identifier: Address + columnName: DstIpAddr + +alertDetailsOverride: + alertDisplayNameFormat: Potential beaconing from {{SrcIpAddr}} to {{DstIpAddr}} over port {{DstPortNumber}} + alertDescriptionFormat: Potential beaconing pattern from a client at address {{SrcIpAddr}} to a server at address {{DstIpAddr}} over port {{DstPortNumber}} identified. The recurring frequency is {{MostFrequentTimeDeltaCount}} and the total transferred volume is {{TotalSrcBytes}} bytes. Such potential outbound beaconing pattern to untrusted public networks should be investigated for any malware callbacks or data exfiltration attempts as discussed in this [Blog](http://www.austintaylor.io/detect/beaconing/intrusion/detection/system/command/control/flare/elastic/stack/2017/06/10/detect-beaconing-with-flare-elasticsearch-and-intrusion-detection-systems/) + +customDetails: + DstPortNumber: DstPortNumber + FrequenceCount: TotalSrcBytes + FrequencyTime: MostFrequentTimeDeltaCount + TotalDstBytes: TotalDstBytes + +version: 1.0.0 +kind: Scheduled \ No newline at end of file diff --git a/Detections/ASimWebSession/PossibleDGAContacts.yaml b/Detections/ASimWebSession/PossibleDGAContacts.yaml new file mode 100644 index 0000000000..6f1b2afdcd --- /dev/null +++ b/Detections/ASimWebSession/PossibleDGAContacts.yaml @@ -0,0 +1,107 @@ +id: 9176b18f-a946-42c6-a2f6-0f6d17cd6a8a +name: Potential communication with a Domain Generation Algorithm (DGA) based hostname (ASIM Network Session schema) +description: | + 'This rule identifies communication with hosts that have a domain name that might have been generated by a Domain Generation Algorithm (DGA). DGAs are used by malware to generate rendezvous points that are difficult to predict in advance. This detection uses the top 1 million domain names to build a model of what normal domains look like nad uses the model to identify domains that may have been randomly generated by an algorithm. You can modify the triThreshold and dgaLengthThreshold query parameters to change Analytic Rule sensitivity. The higher the numbers, the less noisy the rule is.
This rule uses the [Advanced SIEM Information Model (ASIM)](https://aka.ms/AboutASIM) and supports any network session source that compiles with ASIM. To use this Analytics Rule, [deploy the Advanced SIEM information Model (ASIM)](https://aka.ms/DeployASIM).' +severity: Medium +requiredDataConnectors: [] +queryFrequency: 6h +queryPeriod: 6h +triggerOperator: gt +triggerThreshold: 0 +tactics: + - CommandAndControl +tags: + - ParentAlert: https://github.com/Azure/Azure-Sentinel/blob/master/Detections/CommonSecurityLog/MultiVendor-PossibleDGAContacts.yaml + version: 1.0.0 + - Schema: ASIMWebSession + SchemaVersion: 0.2.0 +relevantTechniques: + - T1568 +query: | + let triThreshold = 500; + let querystarttime = 6h; + let dgaLengthThreshold = 8; + // fetch the cisco umbrella top 1M domains + let top1M = (externaldata (Position:int, Domain:string) [@"http://s3-us-west-1.amazonaws.com/umbrella-static/top-1m.csv.zip"] with (format="csv", zipPattern="*.csv")); + // extract tri grams that are above our threshold - i.e. are common + let triBaseline = top1M + | extend Domain = tolower(extract("([^.]*).{0,7}$", 1, Domain)) + | extend AllTriGrams = array_concat(extract_all("(...)", Domain), extract_all("(...)", substring(Domain, 1)), extract_all("(...)", substring(Domain, 2))) + | mvexpand Trigram=AllTriGrams to typeof(string) + | summarize triCount=count() by Trigram + | sort by triCount desc + | where triCount > triThreshold + | distinct Trigram; + // collect domain information from common security log, filter and extract the DGA candidate and its trigrams + let allDataSummarized = imWebSession + | where isnotempty(Url) + | extend Name = tolower(tostring(parse_url(Url)["Host"])) + | summarize NameCount=count() by Name + | where Name has "." + | where Name !endswith ".home" and Name !endswith ".lan" + // extract DGA candidate + | extend DGADomain = extract("([^.]*).{0,7}$", 1, Name) + | where strlen(DGADomain) > dgaLengthThreshold + // throw out domains with number in them + | where DGADomain matches regex "^[A-Za-z]{0,}$" + // extract the tri grams from summarized data + | extend AllTriGrams = array_concat(extract_all("(...)", DGADomain), extract_all("(...)", substring(DGADomain, 1)), extract_all("(...)", substring(DGADomain, 2))); + // throw out domains that have repeating tri's and/or >=3 repeating letters + let nonRepeatingTris = allDataSummarized + | join kind=leftanti + ( + allDataSummarized + | mvexpand AllTriGrams + | summarize count() by tostring(AllTriGrams), DGADomain + | where count_ > 1 + | distinct DGADomain + ) + on DGADomain; + // find domains that do not have a common tri in the baseline + let dataWithRareTris = nonRepeatingTris + | join kind=leftanti + ( + nonRepeatingTris + | mvexpand AllTriGrams + | extend Trigram = tostring(AllTriGrams) + | distinct Trigram, DGADomain + | join kind=inner + ( + triBaseline + ) + on Trigram + | distinct DGADomain + ) + on DGADomain; + dataWithRareTris + // join DGAs back on connection data + | join kind=inner + ( + imWebSession + | where isnotempty(Url) + | extend Url = tolower(Url) + | summarize arg_max(TimeGenerated, EventVendor, SrcIpAddr) by Url + | extend Name=tostring(parse_url(Url)["Host"]) + | summarize StartTime=min(TimeGenerated), EndTime=max(TimeGenerated) by Name, SrcIpAddr, Url + ) + on Name + | project StartTime, EndTime, Name, DGADomain, SrcIpAddr, Url, NameCount + +entityMappings: + - entityType: IP + fieldMappings: + - identifier: Address + columnName: IPCustomEntity + - entityType: Url + fieldMappings: + - identifier: Url + columnName: Url +alertDetailsOverride: + alertDisplayNameFormat: Potential communication from {{SrcIpAddr} with a Domain Generation Algorithm (DGA) based host {{Name}} + alertDescriptionFormat: A client with address {{SrcIpAddr}} communicated with host {{Name}} that have a domain name that might have been generated by a Domain Generation Algorithm (DGA), identified by the pattern {{DGADomain}}. DGAs are used by malware to generate rendezvous points that are difficult to predict in advance. This detection uses the top 1 million domain names to build a model of what normal domains look like and uses the model to identify domains that may have been randomly generated by an algorithm. +customDetails: + DGAPattern: DGADomain + NameCount: NameCount + +version: 1.0.0 +kind: Scheduled \ No newline at end of file diff --git a/Detections/ASimWebSession/UnusualUACryptoMiners.yaml b/Detections/ASimWebSession/UnusualUACryptoMiners.yaml index 10f8ddbffe..f39228c93e 100644 --- a/Detections/ASimWebSession/UnusualUACryptoMiners.yaml +++ b/Detections/ASimWebSession/UnusualUACryptoMiners.yaml @@ -22,7 +22,7 @@ query: | with(format="csv", ignoreFirstRecord=True)); let knownUserAgents=toscalar(knownUserAgentsIndicators | where Category==threatCategory | where isnotempty(UserAgent) | summarize make_list(UserAgent)); let customUserAgents=toscalar(_GetWatchlist("UnusualUserAgents") | where SearchKey==threatCategory | extend UserAgent=column_ifexists("UserAgent","") | where isnotempty(UserAgent) | summarize make_list(UserAgent)); - let fullUAList = array_concat(knownUserAgents,customUserAgents) + let fullUAList = array_concat(knownUserAgents,customUserAgents); imWebSession(httpuseragent_has_any=fullUAList) | project SrcIpAddr, Url, TimeGenerated,HttpUserAgent, SrcUsername @@ -50,5 +50,5 @@ customDetails: eventGroupingSettings: aggregationKind: AlertPerResult -version: 1.0.1 +version: 1.0.2 kind: Scheduled \ No newline at end of file diff --git a/Detections/ASimWebSession/UnusualUAHackTool.yaml b/Detections/ASimWebSession/UnusualUAHackTool.yaml index 56a3267d8d..3d87790583 100644 --- a/Detections/ASimWebSession/UnusualUAHackTool.yaml +++ b/Detections/ASimWebSession/UnusualUAHackTool.yaml @@ -22,7 +22,7 @@ query: | with(format="csv", ignoreFirstRecord=True)); let knownUserAgents=toscalar(knownUserAgentsIndicators | where Category==threatCategory | where isnotempty(UserAgent) | summarize make_list(UserAgent)); let customUserAgents=toscalar(_GetWatchlist("UnusualUserAgents") | where SearchKey==threatCategory | extend UserAgent=column_ifexists("UserAgent","") | where isnotempty(UserAgent) | summarize make_list(UserAgent)); - let fullUAList = array_concat(knownUserAgents,customUserAgents) + let fullUAList = array_concat(knownUserAgents,customUserAgents); imWebSession(httpuseragent_has_any=fullUAList) | project SrcIpAddr, Url, TimeGenerated,HttpUserAgent, SrcUsername entityMappings: @@ -48,5 +48,5 @@ customDetails: eventGroupingSettings: aggregationKind: AlertPerResult -version: 1.0.1 +version: 1.0.2 kind: Scheduled \ No newline at end of file diff --git a/Detections/AzureActivity/RareRunCommandPowerShellScript.yaml b/Detections/AzureActivity/RareRunCommandPowerShellScript.yaml index 8478af874f..4202e7fa24 100644 --- a/Detections/AzureActivity/RareRunCommandPowerShellScript.yaml +++ b/Detections/AzureActivity/RareRunCommandPowerShellScript.yaml @@ -15,7 +15,7 @@ requiredDataConnectors: - DeviceFileEvents - DeviceEvents queryFrequency: 1d -queryPeriod: 7d +queryPeriod: 1d triggerOperator: gt triggerThreshold: 0 tactics: @@ -79,12 +79,12 @@ query: | | join kind=leftouter ( hashTotals ) on ScriptFingerprintHash - // Calculate prevelance, while we don't need this, it may be useful for responders to know how rare this script is in relation to normal activity - | extend Prevelance = toreal(HashCount) / toreal(totals) * 100 + // Calculate prevalence, while we don't need this, it may be useful for responders to know how rare this script is in relation to normal activity + | extend Prevalence = toreal(HashCount) / toreal(totals) * 100 // Where the hash was only ever seen once. | where HashCount == 1 | extend timestamp = StartTime, IPCustomEntity=CallerIpAddress, AccountCustomEntity=Caller, HostCustomEntity=VirtualMachineName - | project timestamp, StartTime, EndTime, PowershellFileName, VirtualMachineName, Caller, CallerIpAddress, PowershellScriptCommands, PowershellFileSize, ScriptFingerprintHash, IPCustomEntity, AccountCustomEntity, HostCustomEntity + | project timestamp, StartTime, EndTime, PowershellFileName, VirtualMachineName, Caller, CallerIpAddress, PowershellScriptCommands, PowershellFileSize, ScriptFingerprintHash, Prevalence, IPCustomEntity, AccountCustomEntity, HostCustomEntity entityMappings: - entityType: Account fieldMappings: @@ -98,5 +98,5 @@ entityMappings: fieldMappings: - identifier: HostName columnName: HostCustomEntity -version: 1.0.0 -kind: scheduled \ No newline at end of file +version: 1.0.1 +kind: Scheduled diff --git a/Detections/AzureDiagnostics/AzureWAFmatching_log4j_vuln.yaml b/Detections/AzureDiagnostics/AzureWAFmatching_log4j_vuln.yaml index 29af521c38..e5172af835 100644 --- a/Detections/AzureDiagnostics/AzureWAFmatching_log4j_vuln.yaml +++ b/Detections/AzureDiagnostics/AzureWAFmatching_log4j_vuln.yaml @@ -3,7 +3,7 @@ name: Azure WAF matching for Log4j vuln(CVE-2021-44228) description: | 'This query will alert on a positive pattern match by Azure WAF for CVE-2021-44228 log4j vulnerability exploitation attempt. If possible, it then decodes the malicious command for further analysis. Refrence: https://www.microsoft.com/security/blog/2021/12/11/guidance-for-preventing-detecting-and-hunting-for-cve-2021-44228-log4j-2-exploitation/' -severity: Medium +severity: High requiredDataConnectors: - connectorId: WAF dataTypes: @@ -36,5 +36,5 @@ entityMappings: fieldMappings: - identifier: Address columnName: IPCustomEntity -version: 1.0.0 +version: 1.0.1 kind: Scheduled diff --git a/Detections/AzureDiagnostics/KeyVaultSensitiveOperations.yaml b/Detections/AzureDiagnostics/KeyVaultSensitiveOperations.yaml index 2a64c8ed2d..558273746d 100644 --- a/Detections/AzureDiagnostics/KeyVaultSensitiveOperations.yaml +++ b/Detections/AzureDiagnostics/KeyVaultSensitiveOperations.yaml @@ -7,7 +7,7 @@ severity: Low requiredDataConnectors: - connectorId: AzureKeyVault dataTypes: - - AzureDiagnostics + - KeyVaultData queryFrequency: 1d queryPeriod: 1d triggerOperator: gt diff --git a/Detections/AzureDiagnostics/KeyvaultMassSecretRetrieval.yaml b/Detections/AzureDiagnostics/KeyvaultMassSecretRetrieval.yaml index b18b7dcda1..b9c5393874 100644 --- a/Detections/AzureDiagnostics/KeyvaultMassSecretRetrieval.yaml +++ b/Detections/AzureDiagnostics/KeyvaultMassSecretRetrieval.yaml @@ -9,7 +9,7 @@ severity: Low requiredDataConnectors: - connectorId: AzureKeyVault dataTypes: - - AzureDiagnostics + - KeyVaultData queryFrequency: 1d queryPeriod: 1d triggerOperator: gt diff --git a/Detections/AzureDiagnostics/TimeSeriesKeyvaultAccessAnomaly.yaml b/Detections/AzureDiagnostics/TimeSeriesKeyvaultAccessAnomaly.yaml index 4f9017c2ae..b1c956b83c 100644 --- a/Detections/AzureDiagnostics/TimeSeriesKeyvaultAccessAnomaly.yaml +++ b/Detections/AzureDiagnostics/TimeSeriesKeyvaultAccessAnomaly.yaml @@ -9,7 +9,7 @@ severity: Low requiredDataConnectors: - connectorId: AzureKeyVault dataTypes: - - AzureDiagnostics + - KeyVaultData queryFrequency: 1d queryPeriod: 14d triggerOperator: gt diff --git a/Detections/CiscoUmbrella/CiscoUmbrellaConnectionNon-CorporatePrivateNetwork.yaml b/Detections/CiscoUmbrella/CiscoUmbrellaConnectionNon-CorporatePrivateNetwork.yaml index d82bd2e980..1be2bd717b 100644 --- a/Detections/CiscoUmbrella/CiscoUmbrellaConnectionNon-CorporatePrivateNetwork.yaml +++ b/Detections/CiscoUmbrella/CiscoUmbrellaConnectionNon-CorporatePrivateNetwork.yaml @@ -1,37 +1,38 @@ -id: c9b6d281-b96b-4763-b728-9a04b9fe1246 -name: Cisco Umbrella - Connection to non-corporate private network -description: | - 'IP addresses of broadband links that usually indicates users attempting to access their home network, for example for a remote session to a home computer.' -severity: Medium -requiredDataConnectors: - - connectorId: CiscoUmbrellaDataConnector - dataTypes: - - Cisco_Umbrella_proxy_CL -queryFrequency: 10m -queryPeriod: 10m -triggerOperator: gt -triggerThreshold: 0 -tactics: - - CommandandControl - - Exfiltration -query: | - let lbtime = 10m; - Cisco_Umbrella - | where TimeGenerated > ago(lbtime) - | where EventType == 'proxylogs' - | where DvcAction =~ 'Allowed' - | where UrlCategory has_any ('Dynamic and Residential', 'Personal VPN') - | project TimeGenerated, SrcIpAddr, Identities - | extend IPCustomEntity = SrcIpAddr - | extend AccountCustomEntity = Identities -entityMappings: - - entityType: Account - fieldMappings: - - identifier: FullName - columnName: AccountCustomEntity - - entityType: IP - fieldMappings: - - identifier: Address - columnName: IPCustomEntity -version: 1.0.0 -kind: Scheduled \ No newline at end of file +id: c9b6d281-b96b-4763-b728-9a04b9fe1246 +name: Cisco Umbrella - Connection to non-corporate private network +description: | + 'IP addresses of broadband links that usually indicates users attempting to access their home network, for example for a remote session to a home computer.' +severity: Medium +requiredDataConnectors: + - connectorId: CiscoUmbrellaDataConnector + dataTypes: + - Cisco_Umbrella_proxy_CL +queryFrequency: 10m +queryPeriod: 10m +triggerOperator: gt +triggerThreshold: 0 +tactics: + - CommandAndControl + - Exfiltration +query: | + let lbtime = 10m; + Cisco_Umbrella + | where TimeGenerated > ago(lbtime) + | where EventType == 'proxylogs' + | where DvcAction =~ 'Allowed' + | where UrlCategory has_any ('Dynamic and Residential', 'Personal VPN') + | project TimeGenerated, SrcIpAddr, Identities + | extend IPCustomEntity = SrcIpAddr + | extend AccountCustomEntity = Identities +entityMappings: + - entityType: Account + fieldMappings: + - identifier: FullName + columnName: AccountCustomEntity + - entityType: IP + fieldMappings: + - identifier: Address + columnName: IPCustomEntity +version: 1.1.0 +kind: Scheduled + diff --git a/Detections/CiscoUmbrella/CiscoUmbrellaConnectionToUnpopularWebsiteDetected.yaml b/Detections/CiscoUmbrella/CiscoUmbrellaConnectionToUnpopularWebsiteDetected.yaml index b946db8324..234bea385e 100644 --- a/Detections/CiscoUmbrella/CiscoUmbrellaConnectionToUnpopularWebsiteDetected.yaml +++ b/Detections/CiscoUmbrella/CiscoUmbrellaConnectionToUnpopularWebsiteDetected.yaml @@ -12,7 +12,7 @@ queryPeriod: 14d triggerOperator: gt triggerThreshold: 0 tactics: - - CommandandControl + - CommandAndControl query: | let domain_lookBack= 14d; let timeframe = 1d; @@ -40,5 +40,5 @@ entityMappings: fieldMappings: - identifier: Address columnName: IPCustomEntity -version: 1.0.0 -kind: Scheduled \ No newline at end of file +version: 1.1.0 +kind: Scheduled diff --git a/Detections/CiscoUmbrella/CiscoUmbrellaCryptoMinerUserAgentDetected.yaml b/Detections/CiscoUmbrella/CiscoUmbrellaCryptoMinerUserAgentDetected.yaml index 6431e51110..d277d83347 100644 --- a/Detections/CiscoUmbrella/CiscoUmbrellaCryptoMinerUserAgentDetected.yaml +++ b/Detections/CiscoUmbrella/CiscoUmbrellaCryptoMinerUserAgentDetected.yaml @@ -12,7 +12,7 @@ queryPeriod: 15m triggerOperator: gt triggerThreshold: 0 tactics: - - CommandandControl + - CommandAndControl query: | let timeframe = 15m; Cisco_Umbrella @@ -31,5 +31,5 @@ entityMappings: fieldMappings: - identifier: Address columnName: IPCustomEntity -version: 1.0.0 -kind: Scheduled \ No newline at end of file +version: 1.1.0 +kind: Scheduled diff --git a/Detections/CiscoUmbrella/CiscoUmbrellaEmptyUserAgentDetected.yaml b/Detections/CiscoUmbrella/CiscoUmbrellaEmptyUserAgentDetected.yaml index 80fbcc2526..3a37a19eef 100644 --- a/Detections/CiscoUmbrella/CiscoUmbrellaEmptyUserAgentDetected.yaml +++ b/Detections/CiscoUmbrella/CiscoUmbrellaEmptyUserAgentDetected.yaml @@ -12,7 +12,7 @@ queryPeriod: 15m triggerOperator: gt triggerThreshold: 0 tactics: - - CommandandControl + - CommandAndControl query: | let timeframe = 15m; Cisco_Umbrella @@ -31,5 +31,5 @@ entityMappings: fieldMappings: - identifier: Address columnName: IPCustomEntity -version: 1.0.0 -kind: Scheduled \ No newline at end of file +version: 1.1.0 +kind: Scheduled diff --git a/Detections/CiscoUmbrella/CiscoUmbrellaHackToolUserAgentDetected.yaml b/Detections/CiscoUmbrella/CiscoUmbrellaHackToolUserAgentDetected.yaml index 196b167667..7ff7f539a7 100644 --- a/Detections/CiscoUmbrella/CiscoUmbrellaHackToolUserAgentDetected.yaml +++ b/Detections/CiscoUmbrella/CiscoUmbrellaHackToolUserAgentDetected.yaml @@ -12,7 +12,7 @@ queryPeriod: 15m triggerOperator: gt triggerThreshold: 0 tactics: - - CommandandControl + - CommandAndControl query: | let timeframe = 15m; let user_agents=dynamic([ @@ -79,5 +79,5 @@ entityMappings: fieldMappings: - identifier: Address columnName: IPCustomEntity -version: 1.0.0 -kind: Scheduled \ No newline at end of file +version: 1.1.0 +kind: Scheduled diff --git a/Detections/CiscoUmbrella/CiscoUmbrellaPowershellUserAgentDetected.yaml b/Detections/CiscoUmbrella/CiscoUmbrellaPowershellUserAgentDetected.yaml index 0d09e7231d..232617190f 100644 --- a/Detections/CiscoUmbrella/CiscoUmbrellaPowershellUserAgentDetected.yaml +++ b/Detections/CiscoUmbrella/CiscoUmbrellaPowershellUserAgentDetected.yaml @@ -12,7 +12,7 @@ queryPeriod: 15m triggerOperator: gt triggerThreshold: 0 tactics: - - CommandandControl + - CommandAndControl - DefenseEvasion query: | let timeframe = 15m; @@ -32,5 +32,5 @@ entityMappings: fieldMappings: - identifier: Address columnName: IPCustomEntity -version: 1.0.0 -kind: Scheduled \ No newline at end of file +version: 1.1.0 +kind: Scheduled diff --git a/Detections/CiscoUmbrella/CiscoUmbrellaRareUserAgentDetected.yaml b/Detections/CiscoUmbrella/CiscoUmbrellaRareUserAgentDetected.yaml index 7727140d62..fb2c39cd90 100644 --- a/Detections/CiscoUmbrella/CiscoUmbrellaRareUserAgentDetected.yaml +++ b/Detections/CiscoUmbrella/CiscoUmbrellaRareUserAgentDetected.yaml @@ -12,7 +12,7 @@ queryPeriod: 14d triggerOperator: gt triggerThreshold: 0 tactics: - - CommandandControl + - CommandAndControl query: | let lookBack = 14d; let timeframe = 1d; @@ -37,5 +37,5 @@ entityMappings: fieldMappings: - identifier: Address columnName: IPCustomEntity -version: 1.0.0 -kind: Scheduled \ No newline at end of file +version: 1.1.0 +kind: Scheduled diff --git a/Detections/CiscoUmbrella/CiscoUmbrellaRequestAllowedHarmfulMaliciousURICategory.yaml b/Detections/CiscoUmbrella/CiscoUmbrellaRequestAllowedHarmfulMaliciousURICategory.yaml index a1815772d9..789faa3de0 100644 --- a/Detections/CiscoUmbrella/CiscoUmbrellaRequestAllowedHarmfulMaliciousURICategory.yaml +++ b/Detections/CiscoUmbrella/CiscoUmbrellaRequestAllowedHarmfulMaliciousURICategory.yaml @@ -12,7 +12,7 @@ queryPeriod: 10m triggerOperator: gt triggerThreshold: 0 tactics: - - CommandandControl + - CommandAndControl - InitialAccess query: | let lbtime = 10m; @@ -50,5 +50,5 @@ entityMappings: fieldMappings: - identifier: Address columnName: IPCustomEntity -version: 1.0.0 -kind: Scheduled \ No newline at end of file +version: 1.1.0 +kind: Scheduled diff --git a/Detections/CiscoUmbrella/CiscoUmbrellaURIContainsIPAddress.yaml b/Detections/CiscoUmbrella/CiscoUmbrellaURIContainsIPAddress.yaml index 9396d0d8b0..44e4bb589e 100644 --- a/Detections/CiscoUmbrella/CiscoUmbrellaURIContainsIPAddress.yaml +++ b/Detections/CiscoUmbrella/CiscoUmbrellaURIContainsIPAddress.yaml @@ -12,7 +12,7 @@ queryPeriod: 10m triggerOperator: gt triggerThreshold: 0 tactics: - - CommandandControl + - CommandAndControl query: | let lbtime = 10m; Cisco_Umbrella @@ -32,5 +32,5 @@ entityMappings: fieldMappings: - identifier: Address columnName: IPCustomEntity -version: 1.0.0 -kind: Scheduled \ No newline at end of file +version: 1.1.0 +kind: Scheduled diff --git a/Detections/Heartbeat/MissingDCHearbeat.yaml b/Detections/Heartbeat/MissingDCHearbeat.yaml new file mode 100644 index 0000000000..32effa4e46 --- /dev/null +++ b/Detections/Heartbeat/MissingDCHearbeat.yaml @@ -0,0 +1,36 @@ +id: b8b8ba09-1e89-45a1-8bd7-691cd23bfa32 +name: Missing Domain Controller Heartbeat +description: | + 'This detection will go over the heartbeats received from the agents of Domain Controllers over the last hour, and will create alerts if the last heartbeats were received an hour ago.' +severity: High +requiredDataConnectors: [] +queryFrequency: 15m +queryPeriod: 2h +triggerOperator: gt +triggerThreshold: 0 +tactics: + - Impact + - DefenseEvasion +query: | + + let query_frequency = 15m; + let missing_period = 1h; + //Enter a reference list of hostnames for your DC servers + let DCServersList = dynamic (["DC01.simulandlabs.com","DC02.simulandlabs.com"]); + //Alternatively, a Watchlist can be used + //let DCServersList = _GetWatchlist('HostName-DomainControllers') | project HostName; + Heartbeat + | summarize arg_max(TimeGenerated, *) by Computer + | where Computer in (DCServersList) + //You may specify the OS type of your Domain Controllers + //| where OSType == 'Windows' + | where TimeGenerated between (ago(query_frequency + missing_period) .. ago(missing_period)) + | project TimeGenerated, Computer, OSType, Version, ComputerEnvironment, Type, Solutions + | sort by TimeGenerated asc +entityMappings: + - entityType: Host + fieldMappings: + - identifier: HostName + columnName: Computer +version: 1.0.0 +kind: Scheduled diff --git a/Detections/MultipleDataSources/AWSConsoleAADCorrelation.yaml b/Detections/MultipleDataSources/AWSConsoleAADCorrelation.yaml index 9b1020b9de..b1b752adbb 100644 --- a/Detections/MultipleDataSources/AWSConsoleAADCorrelation.yaml +++ b/Detections/MultipleDataSources/AWSConsoleAADCorrelation.yaml @@ -34,10 +34,10 @@ query: | | where SourceIpAddress != "127.0.0.1" | summarize count() by SourceIpAddress | where count_ > signin_threshold - | summarize make_list(SourceIpAddress); + | summarize make_set(SourceIpAddress); //See if any of those IPs have sucessfully logged into Azure AD. SigninLogs - | where ResultType !in ("0", "50125", "50140") + | where ResultType in ("0", "50125", "50140") | where IPAddress in (aws_fails) | extend Reason = "Multiple failed AWS Console logins from IP address" | extend timestamp = TimeGenerated, AccountCustomEntity = UserPrincipalName, IPCustomEntity = IPAddress @@ -50,5 +50,5 @@ entityMappings: fieldMappings: - identifier: Address columnName: IPCustomEntity -version: 1.0.0 -kind: Scheduled \ No newline at end of file +version: 1.0.1 +kind: Scheduled diff --git a/Detections/MultipleDataSources/Log4J_IPIOC_Dec112021.yaml b/Detections/MultipleDataSources/Log4J_IPIOC_Dec112021.yaml index 61c8e05340..5063f990fa 100644 --- a/Detections/MultipleDataSources/Log4J_IPIOC_Dec112021.yaml +++ b/Detections/MultipleDataSources/Log4J_IPIOC_Dec112021.yaml @@ -10,6 +10,8 @@ tags: - CVE-2021-44228 - Schema: ASIMDns SchemaVersion: 0.1.1 + - Schema: ASIMNetworkSession + SchemaVersion: 0.2.0 requiredDataConnectors: - connectorId: Office365 dataTypes: @@ -53,8 +55,8 @@ requiredDataConnectors: - connectorId: AzureFirewall dataTypes: - AzureDiagnostics -queryFrequency: 1d -queryPeriod: 1d +queryFrequency: 1h +queryPeriod: 1h triggerOperator: gt triggerThreshold: 0 tactics: @@ -63,112 +65,130 @@ query: | let IPList = externaldata(IPAddress:string)[@"https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Sample%20Data/Feeds/Log4j_IOC_List.csv"] with (format="csv", ignoreFirstRecord=True); let IPRegex = '[0-9]{1,3}\\.[0-9]{1,3}\\.[0-9]{1,3}\\.[0-9]{1,3}'; + //Network logs + let CSlogSourceIP = CommonSecurityLog | summarize by IPAddress = SourceIP, Type; + let CSlogDestIP = CommonSecurityLog | summarize by IPAddress = DestinationIP, Type; + let CSlogMsgIP = CommonSecurityLog | extend MessageIP = extract(IPRegex, 0, Message) | summarize by IPAddress = MessageIP, Type; + let DnsIP = DnsEvents | summarize by IPAddress = IPAddresses, Type; + // If you have enabled the imDNS and/or imNetworkSession normalization in your workspace, you can uncomment one or both below. Reference - https://docs.microsoft.com/azure/sentinel/normalization + //let imDnsIP = imDns (response_has_any_prefix=IPList) | summarize by IPAddress = ResponseName, Type; + //let imNetSessIP = imNetworkSession (dstipaddr_has_any_prefix=IPList) | summarize by IPAddress = DstIpAddr, Type; + //Cloud service logs + let officeIP = OfficeActivity | summarize by IPAddress = ClientIP, Type; + let signinIP = SigninLogs | summarize by IPAddress, Type; + let nonintSigninIP = AADNonInteractiveUserSignInLogs | summarize by IPAddress, Type; + let azureActIP = AzureActivity | summarize by IPAddress = CallerIpAddress, Type; + let awsCtIP = AWSCloudTrail | summarize by IPAddress = SourceIpAddress, Type; + //Device logs + let vmConnSourceIP = VMConnection | summarize by IPAddress = SourceIp, Type; + let vmConnDestIP = VMConnection | summarize by IPAddress = DestinationIp, Type; + let iisLogIP = W3CIISLog | summarize by IPAddress = cIP, Type; + let devNetIP = DeviceNetworkEvents | summarize by IPAddress = RemoteIP, Type; + //need to parse to get IP + let azureDiagIP = AzureDiagnostics | where ResourceType == "AZUREFIREWALLS" | where Category in ("AzureFirewallApplicationRule", "AzureFirewallNetworkRule") + | where msg_s has_any (IPList) | parse msg_s with Protocol 'request from ' SourceHost ':' SourcePort 'to ' DestinationHost ':' DestinationPort '. Action:' Action | summarize by IPAddress = DestinationHost, Type; + let sysEvtIP = Event | where Source == "Microsoft-Windows-Sysmon" | where EventID == 3 | where EventData has_any (IPList) | extend EvData = parse_xml(EventData) + | extend EventDetail = EvData.DataItem.EventData.Data + | extend SourceIP = tostring(EventDetail.[9].["#text"]), DestinationIP = tostring(EventDetail.[14].["#text"]) + | where SourceIP in (IPList) or DestinationIP in (IPList) | extend IPAddress = iff(SourceIP in (IPList), SourceIP, DestinationIP) | summarize by IPAddress, Type; + // If you have enabled the imDNS and/or imNetworkSession normalization in your workdspace, you can uncomment below and include. Reference - https://docs.microsoft.com/azure/sentinel/normalization + //let ipsort = union isfuzzy=true CSlogDestIP, CSlogMsgIP, CSlogSourceIP, DnsIP, officeIP, signinIP, nonintSigninIP, azureActIP, awsCtIP, vmConnDestIP, vmConnSourceIP, azureDiagIP, sysEvtIP, imDnsIP, imNetSessIP + // If you uncomment above, then comment out the line below + let ipsort = union isfuzzy=true CSlogDestIP, CSlogMsgIP, CSlogSourceIP, DnsIP, officeIP, signinIP, nonintSigninIP, azureActIP, awsCtIP, vmConnDestIP, vmConnSourceIP, azureDiagIP, sysEvtIP + | summarize by IPAddress + | where isnotempty(IPAddress) | where not(ipv4_is_private(IPAddress)) and IPAddress !in ('0.0.0.0','127.0.0.1'); + let ipMatch = ipsort | where IPAddress in (IPList); (union isfuzzy=true (CommonSecurityLog - | where SourceIP in (IPList) or DestinationIP in (IPList) or Message has_any (IPList) + | where SourceIP in (ipMatch) or DestinationIP in (ipMatch) or Message has_any (ipMatch) + | project TimeGenerated, SourceIP, DestinationIP, Message, SourceUserID, RequestURL, Type | extend MessageIP = extract(IPRegex, 0, Message) - | extend IPMatch = case(SourceIP in (IPList), "SourceIP", DestinationIP in (IPList), "DestinationIP", MessageIP in (IPList), "Message", "No Match") - | summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated) by SourceIP, DestinationIP, DeviceProduct, DeviceAction, Message, MessageIP, Protocol, SourcePort, DestinationPort, DeviceAddress, DeviceName, IPMatch, LogType = Type - | extend timestamp = StartTime, IPCustomEntity = case(IPMatch == "SourceIP", SourceIP, IPMatch == "DestinationIP", DestinationIP, IPMatch == "Message", MessageIP, "No Match") + | extend IPMatch = case(SourceIP in (ipMatch), "SourceIP", DestinationIP in (ipMatch), "DestinationIP", MessageIP in (ipMatch), "Message", "No Match") + | extend timestamp = TimeGenerated, IPCustomEntity = case(IPMatch == "SourceIP", SourceIP, IPMatch == "DestinationIP", DestinationIP, IPMatch == "Message", MessageIP, "No Match") ), - (OfficeActivity + (OfficeActivity + | where ClientIP in (ipMatch) + | project TimeGenerated, UserAgent, Operation, RecordType, UserId, ClientIP, Type | extend SourceIPAddress = ClientIP, Account = UserId - | where SourceIPAddress in (IPList) - | extend timestamp = TimeGenerated , IPCustomEntity = SourceIPAddress , AccountCustomEntity = Account, LogType = Type + | extend timestamp = TimeGenerated , IPCustomEntity = SourceIPAddress , AccountCustomEntity = Account ), (DnsEvents - | where IPAddresses has_any (IPList) + | where IPAddresses has_any (ipMatch) + | project TimeGenerated, Computer, IPAddresses, Name, ClientIP, Type | extend DestinationIPAddress = IPAddresses, Host = Computer - | extend timestamp = TimeGenerated, IPCustomEntity = DestinationIPAddress, HostCustomEntity = Host, LogType = Type - ), - (imDns (response_has_any_prefix=IPList) - | extend DestinationIPAddress = ResponseName, Host = SrcIpAddr - | extend timestamp = TimeGenerated, IPCustomEntity = DestinationIPAddress, HostCustomEntity = Host, LogType = Type + | extend timestamp = TimeGenerated, IPCustomEntity = DestinationIPAddress, HostCustomEntity = Host ), (VMConnection - | where SourceIp in (IPList) or DestinationIp in (IPList) - | extend IPMatch = case( SourceIp in (IPList), "SourceIP", DestinationIp in (IPList), "DestinationIP", "None") - | extend timestamp = TimeGenerated , IPCustomEntity = case(IPMatch == "SourceIP", SourceIp, IPMatch == "DestinationIP", DestinationIp, "None"), Host = Computer, LogType = Type + | where SourceIp in (ipMatch) or DestinationIp in (ipMatch) + | project TimeGenerated, Computer, SourceIp, DestinationIp, Type + | extend IPMatch = case( SourceIp in (ipMatch), "SourceIP", DestinationIp in (ipMatch), "DestinationIP", "None") + | extend timestamp = TimeGenerated , IPCustomEntity = case(IPMatch == "SourceIP", SourceIp, IPMatch == "DestinationIP", DestinationIp, "None"), Host = Computer ), (Event | where Source == "Microsoft-Windows-Sysmon" | where EventID == 3 + | where EventData has_any (ipMatch) + | project TimeGenerated, EventData, UserName, Computer, Type | extend EvData = parse_xml(EventData) | extend EventDetail = EvData.DataItem.EventData.Data - | extend SourceIP = EventDetail.[9].["#text"], DestinationIP = EventDetail.[14].["#text"] - | where SourceIP in (IPList) or DestinationIP in (IPList) - | extend IPMatch = case( SourceIP in (IPList), "SourceIP", DestinationIP in (IPList), "DestinationIP", "None") - | extend timestamp = TimeGenerated, AccountCustomEntity = UserName, HostCustomEntity = Computer , IPCustomEntity = case(IPMatch == "SourceIP", SourceIP, IPMatch == "DestinationIP", DestinationIP, "None"), LogType = Type - ), - (WireData - | where isnotempty(RemoteIP) - | where RemoteIP in (IPList) - | extend timestamp = TimeGenerated, IPCustomEntity = RemoteIP, HostCustomEntity = Computer, LogType = Type + | extend SourceIP = tostring(EventDetail.[9].["#text"]), DestinationIP = tostring(EventDetail.[14].["#text"]) + | where SourceIP in (ipMatch) or DestinationIP in (ipMatch) + | extend IPMatch = case( SourceIP in (ipMatch), "SourceIP", DestinationIP in (ipMatch), "DestinationIP", "None") + | extend timestamp = TimeGenerated, AccountCustomEntity = UserName, HostCustomEntity = Computer , IPCustomEntity = case(IPMatch == "SourceIP", SourceIP, IPMatch == "DestinationIP", DestinationIP, "None") ), (SigninLogs - | where isnotempty(IPAddress) - | where IPAddress in (IPList) - | extend timestamp = TimeGenerated, AccountCustomEntity = UserPrincipalName, IPCustomEntity = IPAddress, LogType = Type + | where IPAddress in (ipMatch) + | project TimeGenerated, UserPrincipalName, IPAddress, Type + | extend timestamp = TimeGenerated, AccountCustomEntity = UserPrincipalName, IPCustomEntity = IPAddress ), (AADNonInteractiveUserSignInLogs - | where isnotempty(IPAddress) - | where IPAddress in (IPList) - | extend timestamp = TimeGenerated, AccountCustomEntity = UserPrincipalName, IPCustomEntity = IPAddress, LogType = Type + | where IPAddress in (ipMatch) + | project TimeGenerated, UserPrincipalName, IPAddress, Type + | extend timestamp = TimeGenerated, AccountCustomEntity = UserPrincipalName, IPCustomEntity = IPAddress ), (W3CIISLog - | where isnotempty(cIP) - | where cIP in (IPList) - | extend timestamp = TimeGenerated, IPCustomEntity = cIP, HostCustomEntity = Computer, AccountCustomEntity = csUserName, LogType = Type + | where cIP in (ipMatch) + | project TimeGenerated, Computer, cIP, csUserName, Type + | extend timestamp = TimeGenerated, IPCustomEntity = cIP, HostCustomEntity = Computer, AccountCustomEntity = csUserName ), (AzureActivity - | where isnotempty(CallerIpAddress) - | where CallerIpAddress in (IPList) - | extend timestamp = TimeGenerated, IPCustomEntity = CallerIpAddress, AccountCustomEntity = Caller, LogType = Type + | where CallerIpAddress in (ipMatch) + | project TimeGenerated, CallerIpAddress, Caller, Type + | extend timestamp = TimeGenerated, IPCustomEntity = CallerIpAddress, AccountCustomEntity = Caller ), ( AWSCloudTrail - | where isnotempty(SourceIpAddress) - | where SourceIpAddress in (IPList) - | extend timestamp = TimeGenerated, IPCustomEntity = SourceIpAddress, AccountCustomEntity = UserIdentityUserName, LogType = Type + | where SourceIpAddress in (ipMatch) + | project TimeGenerated, SourceIpAddress, UserIdentityUserName, Type + | extend timestamp = TimeGenerated, IPCustomEntity = SourceIpAddress, AccountCustomEntity = UserIdentityUserName ), ( DeviceNetworkEvents - | where isnotempty(RemoteIP) - | where RemoteIP in (IPList) - | extend timestamp = TimeGenerated, IPCustomEntity = RemoteIP, HostCustomEntity = DeviceName, LogType = Type + | where RemoteIP in (ipMatch) + | project TimeGenerated, RemoteIP, DeviceName, Type + | extend timestamp = TimeGenerated, IPCustomEntity = RemoteIP, HostCustomEntity = DeviceName ), ( AzureDiagnostics | where ResourceType == "AZUREFIREWALLS" - | where Category == "AzureFirewallApplicationRule" - | parse msg_s with Protocol 'request from ' SourceHost ':' SourcePort 'to ' DestinationHost ':' DestinationPort '. Action:' Action - | where isnotempty(DestinationHost) - | where DestinationHost has_any (IPList) - | extend DestinationIP = DestinationHost - | extend IPCustomEntity = SourceHost, LogType = Type - ), - ( - AzureDiagnostics - | where ResourceType == "AZUREFIREWALLS" - | where Category == "AzureFirewallNetworkRule" - | parse msg_s with Protocol 'request from ' SourceHost ':' SourcePort 'to ' DestinationHost ':' DestinationPort '. Action:' Action - | where isnotempty(DestinationHost) - | where DestinationHost has_any (IPList) - | extend DestinationIP = DestinationHost - | extend IPCustomEntity = SourceHost, LogType = Type - ), - ( - DeviceProcessEvents - | where InitiatingProcessFileName =~ "java.exe" and ProcessCommandLine has_all ('curl -s','wget') or - ProcessCommandLine has_all ('curl',@'${jndi') or - ProcessCommandLine has_any ("${jndi:ldap://", "${jndi:rmi:/", "${jndi:ldaps:/", "${jndi:dns:/", "${jndi:iiop://","${jndi:",'${web:','${jvmrunargs:') - | extend LogType = Type - ), - ( - DeviceNetworkEvents - | where RemoteIP in(IPList) and ActionType != "ConnectionFailed" - | extend LogType = Type + | where Category in ("AzureFirewallApplicationRule", "AzureFirewallNetworkRule") + | where msg_s has_any (ipMatch) + | project TimeGenerated, msg_s, Type + | parse msg_s with Protocol 'request from ' SourceIP ':' SourcePort 'to ' DestinationIP ':' DestinationPort '. Action:' Action + | where DestinationIP has_any (ipMatch) + | extend timestamp = TimeGenerated, IPCustomEntity = DestinationIP ) + // If you have enabled the imDNS and/or imNetworkSession normalization in your workdspace, you can uncomment below and include. Reference - https://docs.microsoft.com/azure/sentinel/normalization + //, + //(imDns (response_has_any_prefix=IPList) + //| project TimeGenerated, ResponseName, SrcIpAddr, Type + //| extend DestinationIPAddress = ResponseName, Host = SrcIpAddr + //| extend timestamp = TimeGenerated, IPCustomEntity = DestinationIPAddress, HostCustomEntity = Host + //), + //(imNetworkSession (dstipaddr_has_any_prefix=IPList) + //| project TimeGenerated, DstIpAddr, SrcIpAddr, Type + //| extend timestamp = TimeGenerated, IPCustomEntity = DstIpAddr, HostCustomEntity = SrcIpAddr + //) ) entityMappings: - entityType: Account @@ -183,5 +203,5 @@ entityMappings: fieldMappings: - identifier: Address columnName: IPCustomEntity -version: 1.0.2 +version: 2.0.0 kind: Scheduled diff --git a/Detections/MultipleDataSources/MultiplePasswordresetsbyUser.yaml b/Detections/MultipleDataSources/MultiplePasswordresetsbyUser.yaml index 4340037745..06c74652ff 100644 --- a/Detections/MultipleDataSources/MultiplePasswordresetsbyUser.yaml +++ b/Detections/MultipleDataSources/MultiplePasswordresetsbyUser.yaml @@ -71,7 +71,7 @@ query: | | where Total > PerUserThreshold | extend ResetPivot = "PerUserReset"), (pwrmd - | summarize StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated), ComputerList = make_set(Computer, 25), AccountList = make_set(Account, 25), AccountType = make_set(AccountType, 25), Account = arg_max(Account, TimeGenerated), Computer = arg_max(Computer , TimeGenerated), TargetUserList = make_set(TargetUserName, 25), TargetUserName = arg_max(TargetUserName, TimeGenerated), Total=count() by Type + | summarize StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated), ComputerList = make_set(Computer, 25), AccountList = make_set(Account, 25), AccountType = make_set(AccountType, 25), Computer = arg_max(Computer , TimeGenerated), TargetUserList = make_set(TargetUserName, 25), TargetUserName = arg_max(TargetUserName, TimeGenerated), Total=count() by Type | where Total > TotalThreshold | extend ResetPivot = "TotalUserReset") ) diff --git a/Detections/MultipleDataSources/UnusualGuestActivity.yaml b/Detections/MultipleDataSources/UnusualGuestActivity.yaml index 3df4e93f48..e244ad164e 100644 --- a/Detections/MultipleDataSources/UnusualGuestActivity.yaml +++ b/Detections/MultipleDataSources/UnusualGuestActivity.yaml @@ -2,7 +2,7 @@ id: acc4c247-aaf7-494b-b5da-17f18863878a name: External guest invitations by default guest followed by Azure AD powershell signin description: | 'By default guests have capability to invite more external guest user, who can do suspicious Azure AD enumeration. This detection will first look at guests - inviting external guests users who are then logging via Azure AD powershell after accpeting invitation. + inviting external guests users who are then logging via various powershell CLI after accepting invitation. Ref : 'https://danielchronlund.com/2021/11/18/scary-azure-ad-tenant-enumeration-using-regular-b2b-guest-accounts/' severity: Medium requiredDataConnectors: @@ -29,14 +29,28 @@ query: | | where OperationName in ("Invite external user", "Bulk invite users - started (bulk)","Invite external user with reset invitation status") | extend InitiatedByUser = iff(isnotempty(tostring(parse_json(tostring(InitiatedBy.user)).userPrincipalName)), tostring(parse_json(tostring(InitiatedBy.user)).userPrincipalName), tostring(parse_json(tostring(InitiatedBy.app)).displayName)) - | where InitiatedByUser has_any ("live.com#", "#EXT#") - | extend parsedUser = iff(InitiatedByUser has "live.com#", tostring(split(InitiatedByUser, "#")[1]),tostring(split(InitiatedByUser, "#EXT#")[1])) , InvitationTime = TimeGenerated - | join ( - SigninLogs - | where UserType == "Guest" and AppDisplayName == "Microsoft Azure PowerShell" - | extend SigninTime = TimeGenerated + | where InitiatedByUser has_any ("live.com#", "#EXT#") + | extend + parsedUser = iff(InitiatedByUser has "live.com#", tostring(split(InitiatedByUser, "#")[1]),tostring(split(InitiatedByUser, "#EXT#")[1])), + InvitationTime = TimeGenerated + | join ( + SigninLogs + | where UserType == "Guest" + | where AppId has_any + ("1b730954-1685-4b74-9bfd-dac224a7b894",// Azure Active Directory PowerShell + "04b07795-8ddb-461a-bbee-02f9e1bf7b46",// Microsoft Azure CLI + "1950a258-227b-4e31-a9cf-717495945fc2",// Microsoft Azure PowerShell + "a0c73c16-a7e3-4564-9a95-2bdf47383716",// Microsoft Exchange Online Remote PowerShell + "fb78d390-0c51-40cd-8e17-fdbfab77341b",// Microsoft Exchange REST API Based Powershell + "d1ddf0e4-d672-4dae-b554-9d5bdfd93547",// Microsoft Intune PowerShell + "9bc3ab49-b65d-410a-85ad-de819febfddc",// Microsoft SharePoint Online Management Shell + "12128f48-ec9e-42f0-b203-ea49fb6af367",// MS Teams Powershell Cmdlets + "89bee1f7-5e6e-4d8a-9f3d-ecd601259da7",// Office365 Shell WCSS-Client + "23d8f6bd-1eb0-4cc2-a08c-7bf525c67bcd" // Power BI PowerShell + ) + | extend SigninTime = TimeGenerated ) on $left.parsedUser == $right.UserPrincipalName - | project InvitationTime, SigninTime, InitiatedByUser, OperationName, AppDisplayName , IPAddress, UserType + | project InvitationTime, SigninTime, InitiatedByUser, OperationName, AppDisplayName, IPAddress, UserType entityMappings: - entityType: Account fieldMappings: @@ -46,5 +60,5 @@ entityMappings: fieldMappings: - identifier: Address columnName: IPAddress -version: 1.0.0 -kind: scheduled \ No newline at end of file +version: 1.0.1 +kind: Scheduled diff --git a/Detections/MultipleDataSources/UserAgentSearch_log4j.yaml b/Detections/MultipleDataSources/UserAgentSearch_log4j.yaml index 579ff950da..d59e8f29eb 100644 --- a/Detections/MultipleDataSources/UserAgentSearch_log4j.yaml +++ b/Detections/MultipleDataSources/UserAgentSearch_log4j.yaml @@ -42,7 +42,7 @@ tags: - SchemaVersion: 0.2.1 query: | let UserAgentString = dynamic (["${jndi:ldap:/", "${jndi:rmi:/", "${jndi:ldaps:/", "${jndi:dns:/", "${jndi:iiop:/","${jndi:","${jndi:nds:/","${jndi:corba/"]); - let UARegex = @'\\$\\{j\\$\\{::-\\}n\\$\\{::-\\}d\\$\\{::-\\}[a-zA-Z]'; + let UARegex = @'(\\$|%24)(\\{|%7B)([^jJ]*[jJ])([^nN]*[nN])([^dD]*[dD])([^iI]*[iI])(:|%3A|\\$|%24|}|%7D)'; (union isfuzzy=true (OfficeActivity | where UserAgent has_any (UserAgentString) or UserAgent matches regex UARegex @@ -101,5 +101,5 @@ entityMappings: fieldMappings: - identifier: Name columnName: AccountCustomEntity -version: 1.0.0 -kind: Scheduled \ No newline at end of file +version: 1.0.1 +kind: Scheduled diff --git a/Detections/OfficeActivity/External User added to Team and immediately uploads file.yaml b/Detections/OfficeActivity/External User added to Team and immediately uploads file.yaml new file mode 100644 index 0000000000..0032d70878 --- /dev/null +++ b/Detections/OfficeActivity/External User added to Team and immediately uploads file.yaml @@ -0,0 +1,60 @@ +id: bff058b2-500e-4ae5-bb49-a5b1423cbd5b +name: Accessed files shared by temporary external user +description: | + 'This detection identifies an external user is added to a Team or Teams chat + and shares a files which is accessed by many users (>10) and the users is removed within short period of time. This might be + an indicator of suspicious activity.' +severity: Low +requiredDataConnectors: + - connectorId: Office365 + dataTypes: + - OfficeActivity (Teams) +queryFrequency: 1h +queryPeriod: 1h +triggerOperator: gt +triggerThreshold: 0 +tactics: + - InitialAccess +relevantTechniques: + - T1566 +query: | + let fileAccessThrehold = 10; + OfficeActivity + | where OfficeWorkload =~ "MicrosoftTeams" + | where Operation =~ "MemberAdded" + | extend UPN = tostring(parse_json(Members)[0].UPN) + | where UPN contains ("#EXT#") + | project TimeAdded=TimeGenerated, Operation, UPN, UserWhoAdded = UserId, TeamName + | join kind = inner( + OfficeActivity + | where OfficeWorkload =~ "MicrosoftTeams" + | where Operation =~ "MemberRemoved" + | extend UPN = tostring(parse_json(Members)[0].UPN) + | where UPN contains ("#EXT#") + | project TimeDeleted=TimeGenerated, Operation, UPN, UserWhoDeleted = UserId, TeamName + ) on UPN + | where TimeDeleted > TimeAdded + | join kind=inner + ( + OfficeActivity + | where RecordType == "SharePointFileOperation" + | where SourceRelativeUrl has "Microsoft Teams Chat Files" + | where Operation == "FileUploaded" + | join kind = inner + ( + OfficeActivity + | where RecordType == "SharePointFileOperation" + | where Operation == "FileAccessed" + | where SourceRelativeUrl has "Microsoft Teams Chat Files" + | summarize FileAccessCount = count() by OfficeObjectId + | where FileAccessCount > fileAccessThrehold + ) on $left.OfficeObjectId == $right.OfficeObjectId + )on $left.UPN == $right.UserId + | extend timestamp=TimeGenerated, AccountCustomEntity = UserWhoAdded +entityMappings: + - entityType: Account + fieldMappings: + - identifier: FullName + columnName: AccountCustomEntity +version: 1.0.0 +kind: Scheduled diff --git a/Detections/SecurityEvent/AADHealthMonAgentRegKeyAccess.yaml b/Detections/SecurityEvent/AADHealthMonAgentRegKeyAccess.yaml index dccffd640f..68c1d24e00 100644 --- a/Detections/SecurityEvent/AADHealthMonAgentRegKeyAccess.yaml +++ b/Detections/SecurityEvent/AADHealthMonAgentRegKeyAccess.yaml @@ -35,35 +35,37 @@ query: | ( SecurityEvent | where EventID == '4656' + | where EventData has aadHealthMonAgentRegKey | extend EventData = parse_xml(EventData).EventData.Data | mv-expand bagexpansion=array EventData | evaluate bag_unpack(EventData) | extend Key = tostring(column_ifexists('@Name', "")), Value = column_ifexists('#text', "") | evaluate pivot(Key, any(Value), TimeGenerated, Computer, EventID) + | extend ObjectName = column_ifexists("ObjectName", ""), + ObjectType = column_ifexists("ObjectType", "") + | where ObjectType == 'Key' + | where ObjectName == aadHealthMonAgentRegKey | extend SubjectUserName = column_ifexists("SubjectUserName", ""), SubjectDomainName = column_ifexists("SubjectDomainName", ""), - ObjectName = column_ifexists("ObjectName", ""), - ObjectType = column_ifexists("ObjectType", ""), ProcessName = column_ifexists("ProcessName", "") | extend Process = split(ProcessName, '\\', -1)[-1], Account = strcat(SubjectDomainName, "\\", SubjectUserName) - | where ObjectType == 'Key' - | where ObjectName == aadHealthMonAgentRegKey | where Process !in (aadConnectHealthProcs) + | summarize StartTime = max(TimeGenerated), EndTime = min(TimeGenerated), count() by EventID, Account, Computer, Process, SubjectUserName, SubjectDomainName, ObjectName, ObjectType, ProcessName ), ( SecurityEvent | where EventID == '4663' - | extend Process = split(ProcessName, '\\', -1)[-1] | where ObjectType == 'Key' | where ObjectName == aadHealthMonAgentRegKey + | extend Process = tostring(split(ProcessName, '\\', -1)[-1]) | where Process !in (aadConnectHealthProcs) + | summarize StartTime = max(TimeGenerated), EndTime = min(TimeGenerated), count() by EventID, Account, Computer, Process, SubjectUserName, SubjectDomainName, ObjectName, ObjectType, ProcessName ) ) // You can filter out potential machine accounts //| where AccountType != 'Machine' - | extend timestamp = TimeGenerated, AccountCustomEntity = Account, HostCustomEntity = Computer - | summarize count() by ProcessName + | extend timestamp = StartTime, AccountCustomEntity = Account, HostCustomEntity = Computer entityMappings: - entityType: Account fieldMappings: @@ -73,5 +75,5 @@ entityMappings: fieldMappings: - identifier: FullName columnName: HostCustomEntity -version: 1.0.0 -kind: Scheduled \ No newline at end of file +version: 1.0.1 +kind: Scheduled diff --git a/Detections/SecurityEvent/powershell_empire.yaml b/Detections/SecurityEvent/powershell_empire.yaml index 9638bdafa2..2508535b68 100644 --- a/Detections/SecurityEvent/powershell_empire.yaml +++ b/Detections/SecurityEvent/powershell_empire.yaml @@ -10,8 +10,8 @@ requiredDataConnectors: - connectorId: WindowsSecurityEvents dataTypes: - SecurityEvent -queryFrequency: 1d -queryPeriod: 1d +queryFrequency: 12h +queryPeriod: 12h triggerOperator: gt triggerThreshold: 0 tactics: @@ -21,28 +21,20 @@ relevantTechniques: - T1208 query: | - let regexEmpire = @"SetDelay|GetDelay|Set-LostLimit|Get-LostLimit|Set-Killdate|Get-Killdate|Set-WorkingHours|Get-WorkingHours|Get-Sysinfo|Add-Servers|Invoke-ShellCommand|Start-AgentJob|Update-Profile|Get-FilePart|Encrypt-Bytes|Decrypt-Bytes|Encode-Packet|Decode-Packet|Send-Message|Process-Packet|Process-Tasking|Get-Task|Start-Negotiate|Invoke-DllInjection|Invoke-ReflectivePEInjection|Invoke-Shellcode|Invoke-ShellcodeMSIL|Get-ChromeDump|Get-ClipboardContents|Get-IndexedItem|Get-Keystrokes|Invoke-Inveigh|Invoke-NetRipper|local:Invoke-PatchDll|Invoke-NinjaCopy|Get-Win32Types|Get-Win32Constants|Get-Win32Functions|Sub-SignedIntAsUnsigned|Add-SignedIntAsUnsigned|Compare-Val1GreaterThanVal2AsUInt|Convert-UIntToInt|Test-MemoryRangeValid|Write-BytesToMemory|Get-DelegateType|Get-ProcAddress|Enable-SeDebugPrivilege|Invoke-CreateRemoteThread|Get-ImageNtHeaders|Get-PEBasicInfo|Get-PEDetailedInfo|Import-DllInRemoteProcess|Get-RemoteProcAddress|Copy-Sections|Update-MemoryAddresses|Import-DllImports|Get-VirtualProtectValue|Update-MemoryProtectionFlags|Update-ExeFunctions|Copy-ArrayOfMemAddresses|Get-MemoryProcAddress|Invoke-MemoryLoadLibrary|Invoke-MemoryFreeLibrary|Out-Minidump|Get-VaultCredential|Invoke-DCSync|Translate-Name|Get-NetDomain|Get-NetForest|Get-NetForestDomain|Get-DomainSearcher|Get-NetComputer|Get-NetGroupMember|Get-NetUser|Invoke-Mimikatz|Invoke-PowerDump|Invoke-TokenManipulation|Exploit-JMXConsole|Exploit-JBoss|Invoke-Thunderstruck|Invoke-VoiceTroll|Set-WallPaper|Invoke-PsExec|Invoke-SSHCommand|Invoke-PSInject|Invoke-RunAs|Invoke-SendMail|Invoke-Rule|Get-OSVersion|Select-EmailItem|View-Email|Get-OutlookFolder|Get-EmailItems|Invoke-MailSearch|Get-SubFolders|Get-GlobalAddressList|Invoke-SearchGAL|Get-SMTPAddress|Disable-SecuritySettings|Reset-SecuritySettings|Get-OutlookInstance|New-HoneyHash|Set-MacAttribute|Invoke-PatchDll|Get-SecurityPackages|Install-SSP|Invoke-BackdoorLNK|New-ElevatedPersistenceOption|New-UserPersistenceOption|Add-Persistence|Invoke-CallbackIEX|Add-PSFirewallRules|Invoke-EventLoop|Invoke-PortBind|Invoke-DNSLoop|Invoke-PacketKnock|Invoke-CallbackLoop|Invoke-BypassUAC|Get-DecryptedCpassword|Get-GPPInnerFields|Invoke-WScriptBypassUAC|Get-ModifiableFile|Get-ServiceUnquoted|Get-ServiceFilePermission|Get-ServicePermission|Invoke-ServiceUserAdd|Invoke-ServiceCMD|Write-UserAddServiceBinary|Write-CMDServiceBinary|Write-ServiceEXE|Write-ServiceEXECMD|Restore-ServiceEXE|Invoke-ServiceStart|Invoke-ServiceStop|Invoke-ServiceEnable|Invoke-ServiceDisable|Get-ServiceDetail|Find-DLLHijack|Find-PathHijack|Write-HijackDll|Get-RegAlwaysInstallElevated|Get-RegAutoLogon|Get-VulnAutoRun|Get-VulnSchTask|Get-UnattendedInstallFile|Get-Webconfig|Get-ApplicationHost|Write-UserAddMSI|Invoke-AllChecks|Invoke-ThreadedFunction|Test-Login|Get-UserAgent|Test-Password|Get-ComputerDetails|Find-4648Logons|Find-4624Logons|Find-AppLockerLogs|Find-PSScriptsInPSAppLog|Find-RDPClientConnections|Get-SystemDNSServer|Invoke-Paranoia|Invoke-WinEnum{|Get-SPN|Invoke-ARPScan|Invoke-Portscan|Invoke-ReverseDNSLookup|Invoke-SMBScanner|New-InMemoryModule|Add-Win32Type|Export-PowerViewCSV|Get-MacAttribute|Copy-ClonedFile|Get-IPAddress|Convert-NameToSid|Convert-SidToName|Convert-NT4toCanonical|Get-Proxy|Get-PathAcl|Get-NameField|Convert-LDAPProperty|Get-NetDomainController|Add-NetUser|Add-NetGroupUser|Get-UserProperty|Find-UserField|Get-UserEvent|Get-ObjectAcl|Add-ObjectAcl|Invoke-ACLScanner|Get-GUIDMap|Get-ADObject|Set-ADObject|Get-ComputerProperty|Find-ComputerField|Get-NetOU|Get-NetSite|Get-NetSubnet|Get-DomainSID|Get-NetGroup|Get-NetFileServer|SplitPath|Get-DFSshare|Get-DFSshareV1|Get-DFSshareV2|Get-GptTmpl|Get-GroupsXML|Get-NetGPO|Get-NetGPOGroup|Find-GPOLocation|Find-GPOComputerAdmin|Get-DomainPolicy|Get-NetLocalGroup|Get-NetShare|Get-NetLoggedon|Get-NetSession|Get-NetRDPSession|Invoke-CheckLocalAdminAccess|Get-LastLoggedOn|Get-NetProcess|Find-InterestingFile|Invoke-CheckWrite|Invoke-UserHunter|Invoke-StealthUserHunter|Invoke-ProcessHunter|Invoke-EventHunter|Invoke-ShareFinder|Invoke-FileFinder|Find-LocalAdminAccess|Get-ExploitableSystem|Invoke-EnumerateLocalAdmin|Get-NetDomainTrust|Get-NetForestTrust|Find-ForeignUser|Find-ForeignGroup|Invoke-MapDomainTrust|Get-Hex|Create-RemoteThread|Get-FoxDump|Decrypt-CipherText|Get-Screenshot|Start-HTTP-Server|Local:Invoke-CreateRemoteThread|Local:Get-Win32Functions|Local:Inject-NetRipper|GetCommandLine|ElevatePrivs|Get-RegKeyClass|Get-BootKey|Get-HBootKey|Get-UserName|Get-UserHashes|DecryptHashes|DecryptSingleHash|Get-UserKeys|DumpHashes|Enable-SeAssignPrimaryTokenPrivilege|Enable-Privilege|Set-DesktopACLs|Set-DesktopACLToAllowEveryone|Get-PrimaryToken|Get-ThreadToken|Get-TokenInformation|Get-UniqueTokens|Find-GPOLocation|Find-GPOComputerAdmin|Get-DomainPolicy|Get-NetLocalGroup|Get-NetShare|Get-NetLoggedon|Get-NetSession|Get-NetRDPSession|Invoke-CheckLocalAdminAccess|Get-LastLoggedOn|Get-NetProcess|Find-InterestingFile|Invoke-CheckWrite|Invoke-UserHunter|Invoke-StealthUserHunter|Invoke-ProcessHunter|Invoke-EventHunter|Invoke-ShareFinder|Invoke-FileFinder|Find-LocalAdminAccess|Get-ExploitableSystem|Invoke-EnumerateLocalAdmin|Get-NetDomainTrust|Get-NetForestTrust|Find-ForeignUser|Find-ForeignGroup|Invoke-MapDomainTrust|Get-Hex|Create-RemoteThread|Get-FoxDump|Decrypt-CipherText|Get-Screenshot|Start-HTTP-Server|Local:Invoke-CreateRemoteThread|Local:Get-Win32Functions|Local:Inject-NetRipper|GetCommandLine|ElevatePrivs|Get-RegKeyClass|Get-BootKey|Get-HBootKey|Get-UserName|Get-UserHashes|DecryptHashes|DecryptSingleHash|Get-UserKeys|DumpHashes|Enable-SeAssignPrimaryTokenPrivilege|Enable-Privilege|Set-DesktopACLs|Set-DesktopACLToAllowEveryone|Get-PrimaryToken|Get-ThreadToken|Get-TokenInformation|Get-UniqueTokens|Invoke-ImpersonateUser|Create-ProcessWithToken|Free-AllTokens|Enum-AllTokens|Invoke-RevertToSelf|Set-Speaker(\$Volume){\$wshShell|Local:Get-RandomString|Local:Invoke-PsExecCmd|Get-GPPPassword|Local:Inject-BypassStuff|Local:Invoke-CopyFile\(\$sSource,|ind-Fruit|New-IPv4Range|New-IPv4RangeFromCIDR|Parse-Hosts|Parse-ILHosts|Exclude-Hosts|Get-TopPort|Parse-Ports|Parse-IpPorts|Remove-Ports|Write-PortscanOut|Convert-SwitchtoBool|Get-ForeignUser|Get-ForeignGroup"; - let ProcessCreationEvents=() { - let processEvents=SecurityEvent - | where EventID==4688 - | where isnotempty(CommandLine) - | project TimeGenerated, Computer, Account = SubjectUserName, AccountDomain = SubjectDomainName, FileName = Process, CommandLine, ParentProcessName; - processEvents}; - let decodedPS = ProcessCreationEvents - | where CommandLine contains " -encodedCommand" + let regexEmpire = @"SetDelay|GetDelay|Set-LostLimit|Get-LostLimit|Set-Killdate|Get-Killdate|Set-WorkingHours|Get-WorkingHours|Get-Sysinfo|Add-Servers|Invoke-ShellCommand|Start-AgentJob|Update-Profile|Get-FilePart|Encrypt-Bytes|Decrypt-Bytes|Encode-Packet|Decode-Packet|Send-Message|Process-Packet|Process-Tasking|Get-Task|Start-Negotiate|Invoke-DllInjection|Invoke-ReflectivePEInjection|Invoke-Shellcode|Invoke-ShellcodeMSIL|Get-ChromeDump|Get-ClipboardContents|Get-IndexedItem|Get-Keystrokes|Invoke-Inveigh|Invoke-NetRipper|local:Invoke-PatchDll|Invoke-NinjaCopy|Get-Win32Types|Get-Win32Constants|Get-Win32Functions|Sub-SignedIntAsUnsigned|Add-SignedIntAsUnsigned|Compare-Val1GreaterThanVal2AsUInt|Convert-UIntToInt|Test-MemoryRangeValid|Write-BytesToMemory|Get-DelegateType|Get-ProcAddress|Enable-SeDebugPrivilege|Invoke-CreateRemoteThread|Get-ImageNtHeaders|Get-PEBasicInfo|Get-PEDetailedInfo|Import-DllInRemoteProcess|Get-RemoteProcAddress|Copy-Sections|Update-MemoryAddresses|Import-DllImports|Get-VirtualProtectValue|Update-MemoryProtectionFlags|Update-ExeFunctions|Copy-ArrayOfMemAddresses|Get-MemoryProcAddress|Invoke-MemoryLoadLibrary|Invoke-MemoryFreeLibrary|Out-Minidump|Get-VaultCredential|Invoke-DCSync|Translate-Name|Get-NetDomain|Get-NetForest|Get-NetForestDomain|Get-DomainSearcher|Get-NetComputer|Get-NetGroupMember|Get-NetUser|Invoke-Mimikatz|Invoke-PowerDump|Invoke-TokenManipulation|Exploit-JMXConsole|Exploit-JBoss|Invoke-Thunderstruck|Invoke-VoiceTroll|Set-WallPaper|Invoke-PsExec|Invoke-SSHCommand|Invoke-PSInject|Invoke-RunAs|Invoke-SendMail|Invoke-Rule|Get-OSVersion|Select-EmailItem|View-Email|Get-OutlookFolder|Get-EmailItems|Invoke-MailSearch|Get-SubFolders|Get-GlobalAddressList|Invoke-SearchGAL|Get-SMTPAddress|Disable-SecuritySettings|Reset-SecuritySettings|Get-OutlookInstance|New-HoneyHash|Set-MacAttribute|Invoke-PatchDll|Get-SecurityPackages|Install-SSP|Invoke-BackdoorLNK|New-ElevatedPersistenceOption|New-UserPersistenceOption|Add-Persistence|Invoke-CallbackIEX|Add-PSFirewallRules|Invoke-EventLoop|Invoke-PortBind|Invoke-DNSLoop|Invoke-PacketKnock|Invoke-CallbackLoop|Invoke-BypassUAC|Get-DecryptedCpassword|Get-GPPInnerFields|Invoke-WScriptBypassUAC|Get-ModifiableFile|Get-ServiceUnquoted|Get-ServiceFilePermission|Get-ServicePermission|Invoke-ServiceUserAdd|Invoke-ServiceCMD|Write-UserAddServiceBinary|Write-CMDServiceBinary|Write-ServiceEXE|Write-ServiceEXECMD|Restore-ServiceEXE|Invoke-ServiceStart|Invoke-ServiceStop|Invoke-ServiceEnable|Invoke-ServiceDisable|Get-ServiceDetail|Find-DLLHijack|Find-PathHijack|Write-HijackDll|Get-RegAlwaysInstallElevated|Get-RegAutoLogon|Get-VulnAutoRun|Get-VulnSchTask|Get-UnattendedInstallFile|Get-Webconfig|Get-ApplicationHost|Write-UserAddMSI|Invoke-AllChecks|Invoke-ThreadedFunction|Test-Login|Get-UserAgent|Test-Password|Get-ComputerDetails|Find-4648Logons|Find-4624Logons|Find-AppLockerLogs|Find-PSScriptsInPSAppLog|Find-RDPClientConnections|Get-SystemDNSServer|Invoke-Paranoia|Invoke-WinEnum{|Get-SPN|Invoke-ARPScan|Invoke-Portscan|Invoke-ReverseDNSLookup|Invoke-SMBScanner|New-InMemoryModule|Add-Win32Type|Export-PowerViewCSV|Get-MacAttribute|Copy-ClonedFile|Get-IPAddress|Convert-NameToSid|Convert-SidToName|Convert-NT4toCanonical|Get-Proxy|Get-PathAcl|Get-NameField|Convert-LDAPProperty|Get-NetDomainController|Add-NetUser|Add-NetGroupUser|Get-UserProperty|Find-UserField|Get-UserEvent|Get-ObjectAcl|Add-ObjectAcl|Invoke-ACLScanner|Get-GUIDMap|Get-ADObject|Set-ADObject|Get-ComputerProperty|Find-ComputerField|Get-NetOU|Get-NetSite|Get-NetSubnet|Get-DomainSID|Get-NetGroup|Get-NetFileServer|SplitPath|Get-DFSshare|Get-DFSshareV1|Get-DFSshareV2|Get-GptTmpl|Get-GroupsXML|Get-NetGPO|Get-NetGPOGroup|Find-GPOLocation|Find-GPOComputerAdmin|Get-DomainPolicy|Get-NetLocalGroup|Get-NetShare|Get-NetLoggedon|Get-NetSession|Get-NetRDPSession|Invoke-CheckLocalAdminAccess|Get-LastLoggedOn|Get-NetProcess|Find-InterestingFile|Invoke-CheckWrite|Invoke-UserHunter|Invoke-StealthUserHunter|Invoke-ProcessHunter|Invoke-EventHunter|Invoke-ShareFinder|Invoke-FileFinder|Find-LocalAdminAccess|Get-ExploitableSystem|Invoke-EnumerateLocalAdmin|Get-NetDomainTrust|Get-NetForestTrust|Find-ForeignUser|Find-ForeignGroup|Invoke-MapDomainTrust|Get-Hex|Create-RemoteThread|Get-FoxDump|Decrypt-CipherText|Get-Screenshot|Start-HTTP-Server|Local:Invoke-CreateRemoteThread|Local:Get-Win32Functions|Local:Inject-NetRipper|GetCommandLine|ElevatePrivs|Get-RegKeyClass|Get-BootKey|Get-HBootKey|Get-UserName|Get-UserHashes|DecryptHashes|DecryptSingleHash|Get-UserKeys|DumpHashes|Enable-SeAssignPrimaryTokenPrivilege|Enable-Privilege|Set-DesktopACLs|Set-DesktopACLToAllowEveryone|Get-PrimaryToken|Get-ThreadToken|Get-TokenInformation|Get-UniqueTokens|Find-GPOLocation|Find-GPOComputerAdmin|Get-DomainPolicy|Get-NetLocalGroup|Get-NetShare|Get-NetLoggedon|Get-NetSession|Get-NetRDPSession|Invoke-CheckLocalAdminAccess|Get-LastLoggedOn|Get-NetProcess|Find-InterestingFile|Invoke-CheckWrite|Invoke-UserHunter|Invoke-StealthUserHunter|Invoke-ProcessHunter|Invoke-EventHunter|Invoke-ShareFinder|Invoke-FileFinder|Find-LocalAdminAccess|Get-ExploitableSystem|Invoke-EnumerateLocalAdmin|Get-NetDomainTrust|Get-NetForestTrust|Find-ForeignUser|Find-ForeignGroup|Invoke-MapDomainTrust|Get-Hex|Create-RemoteThread|Get-FoxDump|Decrypt-CipherText|Get-Screenshot|Start-HTTP-Server|Local:Invoke-CreateRemoteThread|Local:Get-Win32Functions|Local:Inject-NetRipper|GetCommandLine|ElevatePrivs|Get-RegKeyClass|Get-BootKey|Get-HBootKey|Get-UserName|Get-UserHashes|DecryptHashes|DecryptSingleHash|Get-UserKeys|DumpHashes|Enable-SeAssignPrimaryTokenPrivilege|Enable-Privilege|Set-DesktopACLs|Set-DesktopACLToAllowEveryone|Get-PrimaryToken|Get-ThreadToken|Get-TokenInformation|Get-UniqueTokens|Invoke-ImpersonateUser|Create-ProcessWithToken|Free-AllTokens|Enum-AllTokens|Invoke-RevertToSelf|Set-Speaker\(\$Volume\){\$wshShell|Local:Get-RandomString|Local:Invoke-PsExecCmd|Get-GPPPassword|Local:Inject-BypassStuff|Local:Invoke-CopyFile\(\$sSource,|ind-Fruit|New-IPv4Range|New-IPv4RangeFromCIDR|Parse-Hosts|Parse-ILHosts|Exclude-Hosts|Get-TopPort|Parse-Ports|Parse-IpPorts|Remove-Ports|Write-PortscanOut|Convert-SwitchtoBool|Get-ForeignUser|Get-ForeignGroup"; + SecurityEvent + | where EventID == 4688 + //consider filtering on filename if perf issues occur + //where FileName in~ ("powershell.exe","powershell_ise.exe","pwsh.exe") + | where not(ParentProcessName has_any ('gc_worker.exe', 'gc_service.exe')) + | where CommandLine has "-encodedCommand" | parse kind=regex flags=i CommandLine with * "-EncodedCommand " encodedCommand - | project StartTimeUtc = TimeGenerated, encodedCommand = tostring(split(encodedCommand, ' ')[0]), CommandLine + | extend encodedCommand = iff(encodedCommand has " ", tostring(split(encodedCommand, " ")[0]), encodedCommand) // Note: currently the base64_decode_tostring function is limited to supporting UTF8 - | extend decodedCommand = translate('\0','', base64_decode_tostring(substring(encodedCommand, 0, strlen(encodedCommand) - (strlen(encodedCommand) %8)))), encodedCommand, CommandLine , strlen(encodedCommand); - (decodedPS - | union - (ProcessCreationEvents - | where FileName in~ ("powershell.exe","powershell_ise.exe") - | where CommandLine !contains "-encodedcommand") - | extend StartTimeUtc = TimeGenerated - ) - | where CommandLine matches regex regexEmpire - | extend timestamp = StartTimeUtc, AccountCustomEntity = Account, HostCustomEntity = Computer + | extend decodedCommand = translate('\0','', base64_decode_tostring(substring(encodedCommand, 0, strlen(encodedCommand) - (strlen(encodedCommand) %8)))), encodedCommand, CommandLine , strlen(encodedCommand) + | extend EfectiveCommand = iff(isnotempty(encodedCommand), decodedCommand, CommandLine) + | project TimeGenerated, Computer, Account = SubjectUserName, AccountDomain = SubjectDomainName, FileName = Process, EfectiveCommand, decodedCommand, encodedCommand, CommandLine, ParentProcessName + | extend timestamp = TimeGenerated, AccountCustomEntity = Account, HostCustomEntity = Computer entityMappings: - entityType: Account fieldMappings: @@ -52,5 +44,5 @@ entityMappings: fieldMappings: - identifier: FullName columnName: HostCustomEntity -version: 1.0.0 -kind: Scheduled \ No newline at end of file +version: 1.0.2 +kind: Scheduled diff --git a/Detections/Syslog/ssh_NewlyInternetExposed.yaml b/Detections/Syslog/ssh_NewlyInternetExposed.yaml index a506513b42..fc4382824b 100644 --- a/Detections/Syslog/ssh_NewlyInternetExposed.yaml +++ b/Detections/Syslog/ssh_NewlyInternetExposed.yaml @@ -1,7 +1,7 @@ id: 4915c713-ab38-432e-800b-8e2d46933de6 name: New internet-exposed SSH endpoints description: | - 'Looks for SSH endpoints with a history of sign-ins only from private IP addresses are accessed from a public IP address.' + 'Looks for SSH endpoints that rarely are accessed from a public IP address, in comparison with their history of sign-ins from private IP addresses.' severity: Medium requiredDataConnectors: - connectorId: Syslog @@ -63,5 +63,5 @@ entityMappings: fieldMappings: - identifier: FullName columnName: HostCustomEntity -version: 1.0.0 -kind: Scheduled \ No newline at end of file +version: 1.0.1 +kind: Scheduled diff --git a/Detections/ThreatIntelligenceIndicator/FileHashEntity_SecurityEvent.yaml b/Detections/ThreatIntelligenceIndicator/FileHashEntity_SecurityEvent.yaml index 4d861a4fa3..56b6a82bbf 100644 --- a/Detections/ThreatIntelligenceIndicator/FileHashEntity_SecurityEvent.yaml +++ b/Detections/ThreatIntelligenceIndicator/FileHashEntity_SecurityEvent.yaml @@ -28,12 +28,13 @@ query: | | summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId | where Active == true | where isnotempty(FileHashValue) + | extend FileHashValue = toupper(FileHashValue) // using innerunique to keep perf fast and result set low, we only need one match to indicate potential malicious activity that needs to be investigated | join kind=innerunique ( SecurityEvent | where TimeGenerated >= ago(dt_lookBack) | where EventID in ("8003","8002","8005") | where isnotempty(FileHash) - | extend SecurityEvent_TimeGenerated = TimeGenerated, Event = EventID + | extend SecurityEvent_TimeGenerated = TimeGenerated, Event = EventID, FileHash = toupper(FileHash) ) on $left.FileHashValue == $right.FileHash | where SecurityEvent_TimeGenerated < ExpirationDateTime @@ -54,5 +55,5 @@ entityMappings: fieldMappings: - identifier: Url columnName: URLCustomEntity -version: 1.2.1 -kind: Scheduled \ No newline at end of file +version: 1.2.2 +kind: Scheduled diff --git a/Detections/ThreatIntelligenceIndicator/IPEntity_AppServiceHTTPLogs.yaml b/Detections/ThreatIntelligenceIndicator/IPEntity_AppServiceHTTPLogs.yaml index d0ee62509d..ba8f763a07 100644 --- a/Detections/ThreatIntelligenceIndicator/IPEntity_AppServiceHTTPLogs.yaml +++ b/Detections/ThreatIntelligenceIndicator/IPEntity_AppServiceHTTPLogs.yaml @@ -44,7 +44,7 @@ query: | | summarize AppService_TimeGenerated = arg_max(AppService_TimeGenerated, *) by IndicatorId, CIp | project AppService_TimeGenerated, Description, ActivityGroupNames, IndicatorId, ThreatType, Url, ExpirationDateTime, ConfidenceScore, TI_ipEntity, CsUsername, WebApp = split(_ResourceId, '/')[8], CIp, CsHost, NetworkIP, NetworkDestinationIP, NetworkSourceIP, EmailSourceIpAddress, _ResourceId - | extend timestamp = AppService_TimeGenerated, AccountCustomEntity = CsUsername, IPCustomEntity = CIp, URLCustomEntity = CsHost + | extend timestamp = AppService_TimeGenerated, AccountCustomEntity = CsUsername, IPCustomEntity = CIp, URLCustomEntity = Url, HostCustomEntity = CsHost entityMappings: - entityType: Host fieldMappings: @@ -66,5 +66,5 @@ entityMappings: fieldMappings: - identifier: ResourceId columnName: _ResourceId -version: 1.2.1 -kind: Scheduled \ No newline at end of file +version: 1.2.2 +kind: Scheduled diff --git a/Detections/ThreatIntelligenceIndicator/IPEntity_AzureFirewall.yaml b/Detections/ThreatIntelligenceIndicator/IPEntity_AzureFirewall.yaml index 994faaa9a1..1b019560d3 100644 --- a/Detections/ThreatIntelligenceIndicator/IPEntity_AzureFirewall.yaml +++ b/Detections/ThreatIntelligenceIndicator/IPEntity_AzureFirewall.yaml @@ -39,7 +39,7 @@ query: | AzureDiagnostics | where TimeGenerated >= ago(dt_lookBack) | where OperationName in ("AzureFirewallApplicationRuleLog", "AzureFirewallNetworkRuleLog") - | parse kind=regex flags=U msg_s with Protocol 'request from ' SourceHost 'to ' DestinationHost @'\.? Action: ' Action @'\.' Rest_msg + | parse kind=regex flags=U msg_s with Protocol 'request from ' SourceHost 'to ' DestinationHost @'\.? Action: ' Firewall_Action @'\.' Rest_msg | extend SourceAddress = extract(@'([\.0-9]+)(:[\.0-9]+)?', 1, SourceHost) | extend DestinationAddress = extract(@'([\.0-9]+)(:[\.0-9]+)?', 1, DestinationHost) | extend RemoteIP = case(not(ipv4_is_private(DestinationAddress)), DestinationAddress, not(ipv4_is_private(SourceAddress)), SourceAddress, "") @@ -51,7 +51,7 @@ query: | | where AzureFirewall_TimeGenerated < ExpirationDateTime | summarize AzureFirewall_TimeGenerated = arg_max(AzureFirewall_TimeGenerated, *) by IndicatorId, RemoteIP | project LatestIndicatorTime, Description, ActivityGroupNames, IndicatorId, ThreatType, Url, DomainName, ExpirationDateTime, ConfidenceScore, AzureFirewall_TimeGenerated, - TI_ipEntity, Resource, Category, msg_s, SourceAddress, DestinationAddress, Action, Protocol, NetworkIP, NetworkDestinationIP, NetworkSourceIP, EmailSourceIpAddress + TI_ipEntity, Resource, Category, msg_s, SourceAddress, DestinationAddress, Firewall_Action, Protocol, NetworkIP, NetworkDestinationIP, NetworkSourceIP, EmailSourceIpAddress | extend timestamp = AzureFirewall_TimeGenerated, IPCustomEntity = TI_ipEntity, URLCustomEntity = Url entityMappings: - entityType: IP @@ -62,5 +62,5 @@ entityMappings: fieldMappings: - identifier: Url columnName: URLCustomEntity -version: 1.1.1 +version: 1.1.2 kind: Scheduled diff --git a/Detections/ThreatIntelligenceIndicator/IPEntity_AzureKeyVault.yaml b/Detections/ThreatIntelligenceIndicator/IPEntity_AzureKeyVault.yaml index 5ba207c3a5..ebca7db85d 100644 --- a/Detections/ThreatIntelligenceIndicator/IPEntity_AzureKeyVault.yaml +++ b/Detections/ThreatIntelligenceIndicator/IPEntity_AzureKeyVault.yaml @@ -12,7 +12,7 @@ requiredDataConnectors: - ThreatIntelligenceIndicator - connectorId: AzureKeyVault dataTypes: - - AzureDiagnostics + - KeyVaultData queryFrequency: 1h queryPeriod: 14d triggerOperator: gt diff --git a/Detections/ThreatIntelligenceIndicator/IPEntity_CustomSecurityLog.yaml b/Detections/ThreatIntelligenceIndicator/IPEntity_CustomSecurityLog.yaml new file mode 100644 index 0000000000..bee5791e07 --- /dev/null +++ b/Detections/ThreatIntelligenceIndicator/IPEntity_CustomSecurityLog.yaml @@ -0,0 +1,54 @@ +id: 66c81ae2-1f89-4433-be00-2fbbd9ba5ebe +name: TI map IP entity to CommonSecurityLog +description: | + 'Identifies a match in CommonSecurityLog from any IP IOC from TI' +severity: Medium +requiredDataConnectors: + - connectorId: ThreatIntelligence + dataTypes: + - ThreatIntelligenceIndicator + - connectorId: ThreatIntelligenceTaxii + dataTypes: + - ThreatIntelligenceIndicator +queryFrequency: 1h +queryPeriod: 14d +triggerOperator: gt +triggerThreshold: 0 +tactics: + - Impact +query: | + let IPRegex = '[0-9]{1,3}\\.[0-9]{1,3}\\.[0-9]{1,3}\\.[0-9]{1,3}'; + let dt_lookBack = 1h; + let ioc_lookBack = 14d; + ThreatIntelligenceIndicator + | where TimeGenerated >= ago(ioc_lookBack) and ExpirationDateTime > now() + | summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId + | where Active == true + // Picking up only IOC's that contain the entities we want + | where isnotempty(NetworkIP) or isnotempty(EmailSourceIpAddress) or isnotempty(NetworkDestinationIP) or isnotempty(NetworkSourceIP) + // As there is potentially more than 1 indicator type for matching IP, taking NetworkIP first, then others if that is empty. + // Taking the first non-empty value based on potential IOC match availability + | extend TI_ipEntity = iff(isnotempty(NetworkIP), NetworkIP, NetworkDestinationIP) + | extend TI_ipEntity = iff(isempty(TI_ipEntity) and isnotempty(NetworkSourceIP), NetworkSourceIP, TI_ipEntity) + | extend TI_ipEntity = iff(isempty(TI_ipEntity) and isnotempty(EmailSourceIpAddress), EmailSourceIpAddress, TI_ipEntity) + // using innerunique to keep perf fast and result set low, we only need one match to indicate potential malicious activity that needs to be investigated + | join kind=innerunique ( + CommonSecurityLog + | where TimeGenerated >= ago(dt_lookBack) + | extend MessageIP = extract(IPRegex, 0, Message) + | extend CS_ipEntity = iff(isnotempty(SourceIP), SourceIP, DestinationIP) + | extend CS_ipEntity = iff(isempty(CS_ipEntity) and isnotempty(MessageIP), MessageIP, CS_ipEntity) + | extend CommonSecurityLog_TimeGenerated = TimeGenerated + ) + on $left.TI_ipEntity == $right.CS_ipEntity + | where CommonSecurityLog_TimeGenerated < ExpirationDateTime + | summarize CommonSecurityLog_TimeGenerated = arg_max(CommonSecurityLog_TimeGenerated, *) by IndicatorId, CS_ipEntity + | project CommonSecurityLog_TimeGenerated, SourceIP, DestinationIP, MessageIP, Message, DeviceVendor, DeviceProduct, IndicatorId, ThreatType, ExpirationDateTime, ConfidenceScore, TI_ipEntity, CS_ipEntity, LogSeverity, DeviceAction + | extend timestamp = CommonSecurityLog_TimeGenerated, IPCustomEntity = CS_ipEntity +entityMappings: + - entityType: IP + fieldMappings: + - identifier: Address + columnName: IPCustomEntity +version: 1.0.0 +kind: Scheduled \ No newline at end of file diff --git a/Hunting Queries/ASimProcess/imProcess_Certutil-LOLBins.yaml b/Hunting Queries/ASimProcess/imProcess_Certutil-LOLBins.yaml index b9dec87655..f0383f83c6 100644 --- a/Hunting Queries/ASimProcess/imProcess_Certutil-LOLBins.yaml +++ b/Hunting Queries/ASimProcess/imProcess_Certutil-LOLBins.yaml @@ -4,9 +4,8 @@ description: | 'This detection uses Normalized Process Events to hunt Certutil activities' requiredDataConnectors: [] - tactics: - - Command And Control + - CommandAndControl relevantTechniques: - T1105 @@ -25,4 +24,4 @@ entityMappings: - entityType: Host fieldMappings: - identifier: FullName - columnName: HostCustomEntity \ No newline at end of file + columnName: HostCustomEntity diff --git a/Hunting Queries/ASimProcess/imProcess_ExchangePowerShellSnapin.yaml b/Hunting Queries/ASimProcess/imProcess_ExchangePowerShellSnapin.yaml index dac6e11ae3..d14d449c83 100644 --- a/Hunting Queries/ASimProcess/imProcess_ExchangePowerShellSnapin.yaml +++ b/Hunting Queries/ASimProcess/imProcess_ExchangePowerShellSnapin.yaml @@ -11,11 +11,11 @@ tactics: relevantTechniques: - T1119 query: | - imProcessCreate - | where Process has_any ("cmd.exe", "powershell.exe", "PowerShell_ISE.exe") - | where CommandLine has "Add-PSSnapin Microsoft.Exchange.Management.Powershell.Snapin" - | summarize FirstSeen = min(TimeGenerated), LastSeen = max(TimeGenerated) by Dvc, User, CommandLine, EventVendor, EventProduct - | extend timestamp = FirstSeen, AccountCustomEntity = User, HostCustomEntity = Dvc + imProcessCreate + | where Process has_any ("cmd.exe", "powershell.exe", "PowerShell_ISE.exe") + | where CommandLine has "Add-PSSnapin Microsoft.Exchange.Management.Powershell.Snapin" + | summarize FirstSeen = min(TimeGenerated), LastSeen = max(TimeGenerated) by Dvc, User, CommandLine, EventVendor, EventProduct + | extend timestamp = FirstSeen, AccountCustomEntity = User, HostCustomEntity = Dvc entityMappings: - entityType: Account fieldMappings: @@ -24,4 +24,4 @@ entityMappings: - entityType: Host fieldMappings: - identifier: FullName - columnName: HostCustomEntity \ No newline at end of file + columnName: HostCustomEntity diff --git a/Hunting Queries/ASimProcess/imProcess_HostExportingMailboxAndRemovingExport.yaml b/Hunting Queries/ASimProcess/imProcess_HostExportingMailboxAndRemovingExport.yaml index 42b0c8c6fb..005145182f 100644 --- a/Hunting Queries/ASimProcess/imProcess_HostExportingMailboxAndRemovingExport.yaml +++ b/Hunting Queries/ASimProcess/imProcess_HostExportingMailboxAndRemovingExport.yaml @@ -16,19 +16,19 @@ tags: - NOBELIUM query: | - // Adjust the timeframe to change the window events need to occur within to alert - let timeframe = 1h; - imProcessCreate - | where Process has_any ("powershell.exe", "cmd.exe") - | where CommandLine has 'New-MailboxExportRequest' - | summarize by Dvc, timekey = bin(TimeGenerated, timeframe), CommandLine, ActorUsername, EventVendor, EventProduct - | join kind=inner (imProcessCreate - | where Process has_any ("powershell.exe", "cmd.exe") - | where CommandLine has 'Remove-MailboxExportRequest' - | summarize by Dvc, EventProduct, EventVendor, timekey = bin(TimeGenerated, timeframe), CommandLine, ActorUsername) on Dvc, timekey, ActorUsername - | summarize by timekey, Dvc, CommandLine, ActorUsername - | project-reorder timekey, Dvc, ActorUsername, CommandLine - | extend HostCustomEntity = Dvc, AccountCustomEntity = ActorUsername + // Adjust the timeframe to change the window events need to occur within to alert + let timeframe = 1h; + imProcessCreate + | where Process has_any ("powershell.exe", "cmd.exe") + | where CommandLine has 'New-MailboxExportRequest' + | summarize by Dvc, timekey = bin(TimeGenerated, timeframe), CommandLine, ActorUsername, EventVendor, EventProduct + | join kind=inner (imProcessCreate + | where Process has_any ("powershell.exe", "cmd.exe") + | where CommandLine has 'Remove-MailboxExportRequest' + | summarize by Dvc, EventProduct, EventVendor, timekey = bin(TimeGenerated, timeframe), CommandLine, ActorUsername) on Dvc, timekey, ActorUsername + | summarize by timekey, Dvc, CommandLine, ActorUsername + | project-reorder timekey, Dvc, ActorUsername, CommandLine + | extend HostCustomEntity = Dvc, AccountCustomEntity = ActorUsername entityMappings: - entityType: Account diff --git a/Hunting Queries/ASimProcess/imProcess_Invoke-PowerShellTcpOneLine.yaml b/Hunting Queries/ASimProcess/imProcess_Invoke-PowerShellTcpOneLine.yaml index 1cc7fd64cf..7e7dea3ec4 100644 --- a/Hunting Queries/ASimProcess/imProcess_Invoke-PowerShellTcpOneLine.yaml +++ b/Hunting Queries/ASimProcess/imProcess_Invoke-PowerShellTcpOneLine.yaml @@ -8,10 +8,10 @@ tactics: relevantTechniques: - T1011 query: | - imProcessCreate - | where Process has_any ("powershell.exe", "PowerShell_ISE.exe", "cmd.exe") - | where CommandLine has "$client = New-Object System.Net.Sockets.TCPClient" - | extend timestamp = TimeGenerated, AccountCustomEntity = User, HostCustomEntity = Dvc, IPCustomEntity = DvcIpAddr + imProcessCreate + | where Process has_any ("powershell.exe", "PowerShell_ISE.exe", "cmd.exe") + | where CommandLine has "$client = New-Object System.Net.Sockets.TCPClient" + | extend timestamp = TimeGenerated, AccountCustomEntity = User, HostCustomEntity = Dvc, IPCustomEntity = DvcIpAddr entityMappings: - entityType: Account fieldMappings: @@ -24,4 +24,4 @@ entityMappings: - entityType: IP fieldMappings: - identifier: Address - columnName: IPCustomEntity \ No newline at end of file + columnName: IPCustomEntity diff --git a/Hunting Queries/ASimProcess/imProcess_NishangReverseTCPShellBase64.yaml b/Hunting Queries/ASimProcess/imProcess_NishangReverseTCPShellBase64.yaml index d8bb48c4c5..6d7c8cf616 100644 --- a/Hunting Queries/ASimProcess/imProcess_NishangReverseTCPShellBase64.yaml +++ b/Hunting Queries/ASimProcess/imProcess_NishangReverseTCPShellBase64.yaml @@ -26,4 +26,4 @@ entityMappings: - entityType: Host fieldMappings: - identifier: FullName - columnName: HostCustomEntity \ No newline at end of file + columnName: HostCustomEntity diff --git a/Hunting Queries/ASimProcess/imProcess_ProcessEntropy.yaml b/Hunting Queries/ASimProcess/imProcess_ProcessEntropy.yaml index 1c77474f01..ae836613f7 100644 --- a/Hunting Queries/ASimProcess/imProcess_ProcessEntropy.yaml +++ b/Hunting Queries/ASimProcess/imProcess_ProcessEntropy.yaml @@ -8,8 +8,7 @@ description: | In general, this should identify processes on a Host that are rare and rare for the environment. References: https://medium.com/udacity/shannon-entropy-information-gain-and-picking-balls-from-buckets-5810d35d54b4 https://en.wiktionary.org/wiki/Shannon_entropy' -requiredDataConnectors: - - connectorId: [] +requiredDataConnectors: [] tactics: - Execution query: | @@ -123,5 +122,3 @@ query: | | project-reorder StartTime, EndTime, ResultCount, EventID, EventVendor, EventProduct, DvcHostname, ActorUserId, Account, AccountType, Weight, ProcessEntropy,TargetProcessFileName, TargetProcessFilePath, TargetProcessCommandLine, ActingProcessFileName, AllHostsProcessCount, ProcessCountOnHost, DistinctHostsProcessCount, _ResourceId, DvcId | sort by Weight asc, ProcessEntropy asc, TargetProcessFilePath asc | extend timestamp = StartTime, HostCustomEntity = DvcHostname, AccountCustomEntity = Account - - diff --git a/Hunting Queries/ASimProcess/imProcess_SolarWindsInventory.yaml b/Hunting Queries/ASimProcess/imProcess_SolarWindsInventory.yaml index 69fb8fd333..dbc9863317 100644 --- a/Hunting Queries/ASimProcess/imProcess_SolarWindsInventory.yaml +++ b/Hunting Queries/ASimProcess/imProcess_SolarWindsInventory.yaml @@ -1,4 +1,4 @@ -id: c3f1606e-48eb-464e-a60c-d53af5a5796e +id: c3f1606e-48eb-464e-a60c-d53af5a5796e name: SolarWinds Inventory (Normalized Process Events) description: | 'Beyond your internal software management systems, it is possible you may not have visibility into your entire footprint of SolarWinds installations. This is intended to help use process exection information to discovery any systems that have SolarWinds processes' @@ -15,4 +15,4 @@ query: | | where Process has 'solarwinds' | extend MachineName = DvcHostname , Process = TargetProcessFilePath | summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated), MachineCount = dcount(Dvc), AccountCount = dcount(User), MachineNames = make_set(Dvc), - Accounts = make_set(User) by Process, EventVendor, EventProduct \ No newline at end of file + Accounts = make_set(User) by Process, EventVendor, EventProduct diff --git a/Hunting Queries/ASimProcess/imProcess_Windows System Shutdown-Reboot(T1529).yaml b/Hunting Queries/ASimProcess/imProcess_Windows System Shutdown-Reboot(T1529).yaml index 74eb5ef20e..d3b48e286b 100644 --- a/Hunting Queries/ASimProcess/imProcess_Windows System Shutdown-Reboot(T1529).yaml +++ b/Hunting Queries/ASimProcess/imProcess_Windows System Shutdown-Reboot(T1529).yaml @@ -4,7 +4,7 @@ description: | 'This detection uses Normalized Process Events to detect System Shutdown/Reboot (MITRE Technique: T1529)' requiredDataConnectors: [] - + tactics: - Impact relevantTechniques: @@ -24,4 +24,4 @@ entityMappings: - entityType: Host fieldMappings: - identifier: FullName - columnName: HostCustomEntity \ No newline at end of file + columnName: HostCustomEntity diff --git a/Hunting Queries/ASimProcess/imProcess_cscript_summary.yaml b/Hunting Queries/ASimProcess/imProcess_cscript_summary.yaml index 42077d15bb..a87c644ed7 100644 --- a/Hunting Queries/ASimProcess/imProcess_cscript_summary.yaml +++ b/Hunting Queries/ASimProcess/imProcess_cscript_summary.yaml @@ -6,19 +6,19 @@ requiredDataConnectors: [] tactics: - Execution query: | - imProcessCreate - | where Process has "cscript.exe" - | extend FileName=tostring(split(Process, '\\')[-1]) - | where FileName =~ "cscript.exe" - | extend removeSwitches = replace(@"/+[a-zA-Z0-9:]+", "", CommandLine) - | extend CommandLine = trim(@"[a-zA-Z0-9\\:""]*cscript(.exe)?("")?(\s)+", removeSwitches) - // handle case where script name is enclosed in " characters or is not enclosed in quotes - | extend ScriptName= iff(CommandLine startswith @"""", - extract(@"([:\\a-zA-Z_\-\s0-9\.()]+)(""?)", 0, CommandLine), - extract(@"([:\\a-zA-Z_\-0-9\.()]+)(""?)", 0, CommandLine)) - | extend ScriptName=trim(@"""", ScriptName) , ScriptNameLength=strlen(ScriptName) - // extract remainder of commandline as script parameters: - | extend ScriptParams = iff(ScriptNameLength < strlen(CommandLine), substring(CommandLine, ScriptNameLength +1), "") - | summarize min(TimeGenerated), count() by Dvc, User, ScriptName, ScriptParams, EventVendor, EventProduct - | order by count_ asc nulls last - | extend timestamp = min_TimeGenerated, HostCustomEntity = Dvc, AccountCustomEntity = User \ No newline at end of file + imProcessCreate + | where Process has "cscript.exe" + | extend FileName=tostring(split(Process, '\\')[-1]) + | where FileName =~ "cscript.exe" + | extend removeSwitches = replace(@"/+[a-zA-Z0-9:]+", "", CommandLine) + | extend CommandLine = trim(@"[a-zA-Z0-9\\:""]*cscript(.exe)?("")?(\s)+", removeSwitches) + // handle case where script name is enclosed in " characters or is not enclosed in quotes + | extend ScriptName= iff(CommandLine startswith @"""", + extract(@"([:\\a-zA-Z_\-\s0-9\.()]+)(""?)", 0, CommandLine), + extract(@"([:\\a-zA-Z_\-0-9\.()]+)(""?)", 0, CommandLine)) + | extend ScriptName=trim(@"""", ScriptName) , ScriptNameLength=strlen(ScriptName) + // extract remainder of commandline as script parameters: + | extend ScriptParams = iff(ScriptNameLength < strlen(CommandLine), substring(CommandLine, ScriptNameLength +1), "") + | summarize min(TimeGenerated), count() by Dvc, User, ScriptName, ScriptParams, EventVendor, EventProduct + | order by count_ asc nulls last + | extend timestamp = min_TimeGenerated, HostCustomEntity = Dvc, AccountCustomEntity = User diff --git a/Hunting Queries/ASimProcess/imProcess_enumeration_user_and_group.yaml b/Hunting Queries/ASimProcess/imProcess_enumeration_user_and_group.yaml index c6a585768b..5cede80b7d 100644 --- a/Hunting Queries/ASimProcess/imProcess_enumeration_user_and_group.yaml +++ b/Hunting Queries/ASimProcess/imProcess_enumeration_user_and_group.yaml @@ -7,14 +7,13 @@ tactics: - Discovery query: | - imProcessCreate - | where (CommandLine has ' user ' or CommandLine has ' group ') and (CommandLine hassuffix ' /do' or CommandLine hassuffix ' /domain') - | where Process has 'net.exe' // performance pre-filtering - | extend FileName=tostring(split(Process, '\\')[-1]) - | where FileName == 'net.exe' and ActorUsername != "" and CommandLine !contains '\\' and CommandLine !contains '/add' - | extend Target = extract("(?i)[user|group] (\"*[a-zA-Z0-9-_ ]+\"*)", 1, CommandLine) - | where Target != '' - | summarize minTimeGenerated=min(TimeGenerated), maxTimeGenerated=max(TimeGenerated), count() by ActorUsername, Target, CommandLine, Dvc, EventVendor, EventProduct - | sort by ActorUsername, Target - | extend timestamp = minTimeGenerated, AccountCustomEntity = ActorUsername, HostCustomEntity = Dvc - \ No newline at end of file + imProcessCreate + | where (CommandLine has ' user ' or CommandLine has ' group ') and (CommandLine hassuffix ' /do' or CommandLine hassuffix ' /domain') + | where Process has 'net.exe' // performance pre-filtering + | extend FileName=tostring(split(Process, '\\')[-1]) + | where FileName == 'net.exe' and ActorUsername != "" and CommandLine !contains '\\' and CommandLine !contains '/add' + | extend Target = extract("(?i)[user|group] (\"*[a-zA-Z0-9-_ ]+\"*)", 1, CommandLine) + | where Target != '' + | summarize minTimeGenerated=min(TimeGenerated), maxTimeGenerated=max(TimeGenerated), count() by ActorUsername, Target, CommandLine, Dvc, EventVendor, EventProduct + | sort by ActorUsername, Target + | extend timestamp = minTimeGenerated, AccountCustomEntity = ActorUsername, HostCustomEntity = Dvc diff --git a/Hunting Queries/ASimProcess/imProcess_persistence_create_account.yaml b/Hunting Queries/ASimProcess/imProcess_persistence_create_account.yaml index 399b7a1d02..95361c1f29 100644 --- a/Hunting Queries/ASimProcess/imProcess_persistence_create_account.yaml +++ b/Hunting Queries/ASimProcess/imProcess_persistence_create_account.yaml @@ -14,15 +14,14 @@ tactics: relevantTechniques: - T1110 query: | - imProcessCreate - | where Process has_any ("net.exe", "net1.exe") // preformance pre-filtering - | extend FileName = tostring(split(Process, '\\')[-1]) - | extend ActingProcessFileName= tostring(split(ActingProcessName, '\\')[-1]) - | where FileName in~ ("net.exe", "net1.exe") - | parse kind=regex flags=iU CommandLine with * "user " CreatedUser " " * "/ad" - | where not(FileName =~ "net1.exe" and ActingProcessFileName =~ "net.exe" and replace("net", "net1", ActingProcessCommandLine) =~ CommandLine) - | extend CreatedOnLocalMachine=(CommandLine !has "/do") - | where CommandLine has "/add" or (CreatedOnLocalMachine == 0 and CommandLine !has "/domain") - | summarize StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated), MachineCount=dcount(Dvc) by CreatedUser, CreatedOnLocalMachine, ActingProcessFileName, FileName, CommandLine, ActingProcessCommandLine, EventVendor, EventProduct - | extend timestamp = StartTimeUtc, AccountCustomEntity = CreatedUser - \ No newline at end of file + imProcessCreate + | where Process has_any ("net.exe", "net1.exe") // preformance pre-filtering + | extend FileName = tostring(split(Process, '\\')[-1]) + | extend ActingProcessFileName= tostring(split(ActingProcessName, '\\')[-1]) + | where FileName in~ ("net.exe", "net1.exe") + | parse kind=regex flags=iU CommandLine with * "user " CreatedUser " " * "/ad" + | where not(FileName =~ "net1.exe" and ActingProcessFileName =~ "net.exe" and replace("net", "net1", ActingProcessCommandLine) =~ CommandLine) + | extend CreatedOnLocalMachine=(CommandLine !has "/do") + | where CommandLine has "/add" or (CreatedOnLocalMachine == 0 and CommandLine !has "/domain") + | summarize StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated), MachineCount=dcount(Dvc) by CreatedUser, CreatedOnLocalMachine, ActingProcessFileName, FileName, CommandLine, ActingProcessCommandLine, EventVendor, EventProduct + | extend timestamp = StartTimeUtc, AccountCustomEntity = CreatedUser diff --git a/Hunting Queries/ASimProcess/imProcess_powershell_downloads.yaml b/Hunting Queries/ASimProcess/imProcess_powershell_downloads.yaml index 97e94f87dd..1c2086ffcd 100644 --- a/Hunting Queries/ASimProcess/imProcess_powershell_downloads.yaml +++ b/Hunting Queries/ASimProcess/imProcess_powershell_downloads.yaml @@ -14,4 +14,4 @@ query: | | where CommandLine has_any ("Net.WebClient", "DownloadFile", "Invoke-WebRequest", "Invoke-Shellcode", "http:") | project TimeGenerated, Dvc, User, InitiatingProcessFileName, FileName, CommandLine, EventVendor, EventProduct | top 100 by TimeGenerated - | extend timestamp = TimeGenerated, HostCustomEntity = Dvc, AccountCustomEntity = User \ No newline at end of file + | extend timestamp = TimeGenerated, HostCustomEntity = Dvc, AccountCustomEntity = User diff --git a/Hunting Queries/ASimProcess/imProcess_uncommon_processes.yaml b/Hunting Queries/ASimProcess/imProcess_uncommon_processes.yaml index 4028ed2581..a5b09d0745 100644 --- a/Hunting Queries/ASimProcess/imProcess_uncommon_processes.yaml +++ b/Hunting Queries/ASimProcess/imProcess_uncommon_processes.yaml @@ -5,8 +5,7 @@ description: | These new processes could be benign new programs installed on hosts; However, especially in normally stable environments, these new processes could provide an indication of an unauthorized/malicious binary that has been installed and run. Reviewing the wider context of the logon sessions in which these binaries ran can provide a good starting point for identifying possible attacks.' -requiredDataConnectors: - - connectorId: [] +requiredDataConnectors: [] tactics: - Execution query: | @@ -26,4 +25,4 @@ query: | | project FileName, frequency, precentile_5, Since, LastSeen , EventVendor, EventProduct // restrict results to unusual processes seen in last day | where LastSeen >= ago(1d) - | extend timestamp = LastSeen \ No newline at end of file + | extend timestamp = LastSeen diff --git a/Hunting Queries/ASimProcess/inProcess_SignedBinaryProxyExecutionRundll32.yaml b/Hunting Queries/ASimProcess/inProcess_SignedBinaryProxyExecutionRundll32.yaml index a37a7c20e0..3d2b927b53 100644 --- a/Hunting Queries/ASimProcess/inProcess_SignedBinaryProxyExecutionRundll32.yaml +++ b/Hunting Queries/ASimProcess/inProcess_SignedBinaryProxyExecutionRundll32.yaml @@ -6,7 +6,7 @@ description: | requiredDataConnectors: [] tactics: - - Defense Evasion + - DefenseEvasion relevantTechniques: - T1218.011 query: | @@ -24,4 +24,4 @@ entityMappings: - entityType: Host fieldMappings: - identifier: FullName - columnName: HostCustomEntity \ No newline at end of file + columnName: HostCustomEntity diff --git a/Hunting Queries/AzureDevOpsAuditing/ADONewPackageFeedCreated.yaml b/Hunting Queries/AzureDevOpsAuditing/ADONewPackageFeedCreated.yaml index be94376cbc..e94a4d01f1 100644 --- a/Hunting Queries/AzureDevOpsAuditing/ADONewPackageFeedCreated.yaml +++ b/Hunting Queries/AzureDevOpsAuditing/ADONewPackageFeedCreated.yaml @@ -4,7 +4,7 @@ description: | 'An attacker could look to introduce upstream compromised software packages by creating a new package feed within Azure DevOps. This query looks for new Feeds and includes details on any Azure AD Identity Protection alerts related to the user account creating the feed to assist in triage.' requiredDataConnectors: [] tactics: - - Initial Access + - InitialAccess relevantTechniques: - T1195 query: | diff --git a/Hunting Queries/AzureDiagnostics/WAF_log4j_vulnerability.yaml b/Hunting Queries/AzureDiagnostics/WAF_log4j_vulnerability.yaml index d3d42ce8c3..0957ac8aa8 100644 --- a/Hunting Queries/AzureDiagnostics/WAF_log4j_vulnerability.yaml +++ b/Hunting Queries/AzureDiagnostics/WAF_log4j_vulnerability.yaml @@ -17,10 +17,11 @@ tags: - log4shell query: | let log4jcmdstring = dynamic(["${jndi:ldap","${jndi:dns","${jndi:rmi","${jndi:corba","${jndi:iiop","${jndi:nis","${jndi:nds"]); + let log4jRegex = @'(\\$|%24)(\\{|%7B)([^jJ]*[jJ])([^nN]*[nN])([^dD]*[dD])([^iI]*[iI])(:|%3A|\\$|%24|}|%7D)'; AzureDiagnostics | where Category in ("FrontdoorWebApplicationFirewallLog", "FrontdoorAccessLog", "ApplicationGatewayFirewallLog", "ApplicationGatewayAccessLog") //The regex and the string matching look for the most common attacks. This is not supposed to be comprehensive. - | where originalRequestUriWithArgs_s has_any (log4jcmdstring) or originalRequestUriWithArgs_s matches regex '\\$\\{j\\$\\{::-\\}n\\$\\{::-\\}d\\$\\{::-\\}[a-zA-Z]' or userAgent_s has_any (log4jcmdstring) or userAgent_s matches regex '\\$\\{j\\$\\{::-\\}n\\$\\{::-\\}d\\$\\{::-\\}[a-zA-Z]' + | where originalRequestUriWithArgs_s has_any (log4jcmdstring) or originalRequestUriWithArgs_s matches regex log4jRegex or userAgent_s has_any (log4jcmdstring) or userAgent_s matches regex log4jRegex | extend CmdLine = iff(originalRequestUriWithArgs_s has 'Base64/', split(split(originalRequestUriWithArgs_s, "Base64/",1)[0], "}", 0)[0], split(split(userAgent_s, "Base64/",1)[0], "}", 0)[0]) | extend CmdLine = base64_decode_tostring(tostring(CmdLine)) | where CmdLine has_any ("wget","curl") @@ -31,3 +32,4 @@ entityMappings: fieldMappings: - identifier: Address columnName: IPCustomEntity +version: 1.0.1 diff --git a/Hunting Queries/CommonSecurityLog/NetworkConnectionToNewExternalLDAPServer.yaml b/Hunting Queries/CommonSecurityLog/NetworkConnectionToNewExternalLDAPServer.yaml new file mode 100644 index 0000000000..457283d17d --- /dev/null +++ b/Hunting Queries/CommonSecurityLog/NetworkConnectionToNewExternalLDAPServer.yaml @@ -0,0 +1,58 @@ +id: bf094505-fd2e-484f-b72a-acd79ee00ce8 +name: Network Connection to New External LDAP Server +description: | + 'This hunting query looks for outbound network connections using the LDAP protocol to external IP addresses, where that IP address has not had an LDAP network connection to it in the 14 days preceding the query timeframe. This could indicate someone exploiting a vulnerability such as CVE-2021-44228 to trigger the connection to a malicious LDAP server. + For more details on Apache Log4j Remote Code Execution Vulnerability - https://community.riskiq.com/article/505098fc/description + Find more details on collecting EXECVE data into Microsoft Sentinel - https://techcommunity.microsoft.com/t5/azure-sentinel/hunting-threats-on-linux-with-azure-sentinel/ba-p/1344431' +requiredDataConnectors: + - connectorId: CheckPoint + dataTypes: + - CommonSecurityLog (CheckPoint) + - connectorId: CiscoASA + dataTypes: + - CommonSecurityLog (Cisco) + - connectorId: PaloAltoNetworks + dataTypes: + - CommonSecurityLog (PaloAlto) +tactics: + - InitialAccess +relevantTechniques: + - T1190 +tags: + - CVE-2021-44228 + - Log4j + - Log4Shell +query: | + let starttime = todatetime('{{StartTimeISO}}'); + let endtime = todatetime('{{EndTimeISO}}'); + let lookback = starttime - 14d; + let legacy_ldap = ( + CommonSecurityLog + | where TimeGenerated between(lookback..starttime) + // Filter to LDAP connections only + | where ApplicationProtocol =~ "ldap" + // Check LDAP server is external + | extend private = ipv4_is_private(DestinationIP) + | where private == false + // Filter out events where network connection was blocked - change this to expand hunt + | where DeviceAction has_any ("allow", "accept", "allowed") + | summarize by DestinationIP); + CommonSecurityLog + | where TimeGenerated between(starttime..endtime) + | where ApplicationProtocol =~ "ldap" + | extend private = ipv4_is_private(DestinationIP) + | where private == false + | where DestinationIP !in (legacy_ldap) + | where DeviceAction has_any ("allow", "accept", "allowed") + | extend timestamp = TimeGenerated + | project-reorder TimeGenerated, SourceIP, DestinationIP, ApplicationProtocol, DestinationPort, SentBytes, ReceivedBytes, DeviceAction +entityMappings: + - entityType: IP + fieldMappings: + - identifier: Address + columnName: SourceIP + - entityType: IP + fieldMappings: + - identifier: Address + columnName: DestinationIP +version: 1.0.0 \ No newline at end of file diff --git a/Hunting Queries/MultipleDataSources/NetworkConnectionldap_log4j.yaml b/Hunting Queries/MultipleDataSources/NetworkConnectionldap_log4j.yaml index b53b2676d9..dd23948286 100644 --- a/Hunting Queries/MultipleDataSources/NetworkConnectionldap_log4j.yaml +++ b/Hunting Queries/MultipleDataSources/NetworkConnectionldap_log4j.yaml @@ -1,9 +1,9 @@ id: 19abc034-139e-4e64-a05d-cb07ce8b003b name: Malicious Connection to LDAP port for CVE-2021-44228 vulnerability description: | - 'This hunting query looks for connection to LDAP port to find possible exploitation attempts for CVE-2021-44228 involving log4j vulnerability. - Log4j is an open-source Apache logging library that is used in many Java-based applications. Awarness of normal baseline traffic of an enviornment for java.exe - while using this query will help detrmine normal from anaomalous. + 'This hunting query looks for connection to the default LDAP ports to find possible exploitation attempts for CVE-2021-44228 involving log4j vulnerability. + The attack is not limited only to these ports. Log4j is an open-source Apache logging library that is used in many Java-based applications. + Awareness of normal baseline traffic of an environment for java.exe while using this query will help determine normal from anomalous. Refrence: https://www.microsoft.com/security/blog/2021/12/11/guidance-for-preventing-detecting-and-hunting-for-cve-2021-44228-log4j-2-exploitation/' requiredDataConnectors: - connectorId: MicrosoftThreatProtection diff --git a/Hunting Queries/MultipleDataSources/UnicodeObfuscationInCommandLine.yaml b/Hunting Queries/MultipleDataSources/UnicodeObfuscationInCommandLine.yaml index 1f5d56ba2c..87bc112096 100644 --- a/Hunting Queries/MultipleDataSources/UnicodeObfuscationInCommandLine.yaml +++ b/Hunting Queries/MultipleDataSources/UnicodeObfuscationInCommandLine.yaml @@ -12,7 +12,7 @@ requiredDataConnectors: dataTypes: - DeviceProcessEvents tactics: - - DefenceEvasion + - DefenseEvasion relevantTechniques: - T1027 query: | diff --git a/Hunting Queries/SecurityEvent/Certutil-LOLBins.yaml b/Hunting Queries/SecurityEvent/Certutil-LOLBins.yaml index 889fe91a1f..292c155a1e 100644 --- a/Hunting Queries/SecurityEvent/Certutil-LOLBins.yaml +++ b/Hunting Queries/SecurityEvent/Certutil-LOLBins.yaml @@ -8,7 +8,7 @@ requiredDataConnectors: dataTypes: - SecurityEvent tactics: - - Command And Control + - CommandAndControl relevantTechniques: - T1105 diff --git a/Hunting Queries/SecurityEvent/SignedBinaryProxyExecutionRundll32.yaml b/Hunting Queries/SecurityEvent/SignedBinaryProxyExecutionRundll32.yaml index 8c550687a7..5e3b51b75a 100644 --- a/Hunting Queries/SecurityEvent/SignedBinaryProxyExecutionRundll32.yaml +++ b/Hunting Queries/SecurityEvent/SignedBinaryProxyExecutionRundll32.yaml @@ -8,7 +8,7 @@ requiredDataConnectors: dataTypes: - SecurityEvent tactics: - - Defense Evasion + - DefenseEvasion relevantTechniques: - T1218.011 query: | diff --git a/Hunting Queries/SigninLogs/SuccessfulAccount-SigninAttemptsByIPviaDisabledAccounts.yaml b/Hunting Queries/SigninLogs/SuccessfulAccount-SigninAttemptsByIPviaDisabledAccounts.yaml index 69031d50ae..8cd1a09371 100644 --- a/Hunting Queries/SigninLogs/SuccessfulAccount-SigninAttemptsByIPviaDisabledAccounts.yaml +++ b/Hunting Queries/SigninLogs/SuccessfulAccount-SigninAttemptsByIPviaDisabledAccounts.yaml @@ -1,3 +1,4 @@ +id: 53b6d42e-ff74-46a8-abee-ec72181f66ba name: Sign-ins from IPs that attempt sign-ins to disabled accounts description: | 'Identifies IPs with failed attempts to sign in to one or more disabled accounts signed in successfully to another account. diff --git a/Hunting Queries/Syslog/Container_Miner_Activity.yaml b/Hunting Queries/Syslog/Container_Miner_Activity.yaml new file mode 100644 index 0000000000..5fe885be41 --- /dev/null +++ b/Hunting Queries/Syslog/Container_Miner_Activity.yaml @@ -0,0 +1,42 @@ +id: 6fee32b3-3271-4a3f-9b01-dbd9432a1707 +name: Possible Container Miner related artifacts detected +description: | + 'This query uses syslog data to alert on possible artifacts associated with container running image related to digital cryptocurrency mining. + Attackers may perform such operations post compromise as seen after CVE-2021-44228 log4j vulnerability exploitation to scope and prioritize post-compromise objectives. + For more details on Apache Log4j Remote Code Execution Vulnerability - https://community.riskiq.com/article/505098fc/description + Find more details on collecting EXECVE data into Microsoft Sentinel - https://techcommunity.microsoft.com/t5/azure-sentinel/hunting-threats-on-linux-with-azure-sentinel/ba-p/1344431' +requiredDataConnectors: + - connectorId: Syslog + dataTypes: + - Syslog +tactics: + - Impact + - Execution +relevantTechniques: + - T1496 + - T1203 +tags: + - CVE-2021-44228 + - Log4j + - Log4Shell +query: | + Syslog + | where Facility == 'user' + | where SyslogMessage has "AUOMS_EXECVE" + | parse SyslogMessage with "type=" EventType " audit(" * "): " EventData + | where EventType =~ "AUOMS_EXECVE" + | parse EventData with * "syscall=" syscall " syscall_r=" * " success=" success " exit=" exit " a0" * " ppid=" ppid " pid=" pid " audit_user=" audit_user " auid=" auid " user=" user " uid=" uid " group=" group " gid=" gid "effective_user=" effective_user " euid=" euid " set_user=" set_user " suid=" suid " filesystem_user=" filesystem_user " fsuid=" fsuid " effective_group=" effective_group " egid=" egid " set_group=" set_group " sgid=" sgid " filesystem_group=" filesystem_group " fsgid=" fsgid " tty=" tty " ses=" ses " comm=\"" comm "\" exe=\"" exe "\"" * "cwd=\"" cwd "\"" * "name=\"" name "\"" * "cmdline=\"" cmdline "\" containerid=" containerid + | where (exe has "docker" and cmdline has_any ("monero-miner","minergate-cli","aeon-miner","xmr-miner")) or (exe has_any ("bash","dash") and cmdline has "docker kill" and cmdline has_any ("gakeaws","monero","xmr","pocosow")) + | project TimeGenerated, Computer, audit_user, user, cmdline + | extend AccountCustomEntity = user, HostCustomEntity = Computer, timestamp = TimeGenerated + | sort by TimeGenerated desc +entityMappings: +- entityType: Host + fieldMappings: + - identifier: FullName + columnName: HostCustomEntity +- entityType: Account + fieldMappings: + - identifier: FullName + columnName: AccountCustomEntity +version: 1.0.0 \ No newline at end of file diff --git a/Parsers/ASimDns/ProductParsers/ASimDns.yaml b/Parsers/ASimDns/ProductParsers/ASimDns.yaml index 58205a71d4..fa0da6bfdb 100644 --- a/Parsers/ASimDns/ProductParsers/ASimDns.yaml +++ b/Parsers/ASimDns/ProductParsers/ASimDns.yaml @@ -13,7 +13,7 @@ References: - Title: ASIM Link: https://aka.ms/AboutASIM Description: | - This ASIM parser supports normalizing DNS activity logs from all supported sources to the ASIM DNS activity normalized schema. + Normalize DNS activity logs from all supported sources to the ASIM DNS activity normalized schema. ParserName: ASimDns EquivalentBuiltInParser: _ASim_Dns Parsers: diff --git a/Parsers/ASimDns/ProductParsers/ASimDnsAzureFirewall.yaml b/Parsers/ASimDns/ProductParsers/ASimDnsAzureFirewall.yaml index 488cc424f1..4296d8860b 100644 --- a/Parsers/ASimDns/ProductParsers/ASimDnsAzureFirewall.yaml +++ b/Parsers/ASimDns/ProductParsers/ASimDnsAzureFirewall.yaml @@ -13,7 +13,7 @@ References: - Title: ASIM Link: https://aka.ms/AboutASIM Description: | - This ASIM parser supports normalizing Azure Firewall logs to the ASIM DNS activity normalized schema. + Normalize Azure Firewall logs to the ASIM DNS activity normalized schema. ParserName: ASimDnsAzureFirewall EquivalentBuiltInParser: _ASim_Dns_AzureFirewall ParserParams: diff --git a/Parsers/ASimDns/ProductParsers/ASimDnsCiscoUmbrella.yaml b/Parsers/ASimDns/ProductParsers/ASimDnsCiscoUmbrella.yaml index b27d035abb..ae50eec061 100644 --- a/Parsers/ASimDns/ProductParsers/ASimDnsCiscoUmbrella.yaml +++ b/Parsers/ASimDns/ProductParsers/ASimDnsCiscoUmbrella.yaml @@ -13,7 +13,7 @@ References: - Title: ASIM Link: https://aka.ms/AboutASIM Description: | - This ASIM parser supports normalizing Cisco Umbrella DNS logs to the ASIM DNS activity normalized schema. + Normalize Cisco Umbrella DNS logs to the ASIM DNS activity normalized schema. ParserName: ASimDnsCiscoUmbrella EquivalentBuiltInParser: _ASim_Dns_CiscoUmbrella ParserParams: diff --git a/Parsers/ASimDns/ProductParsers/ASimDnsCorelightZeek.yaml b/Parsers/ASimDns/ProductParsers/ASimDnsCorelightZeek.yaml index 61004b3d9e..e70b4499ef 100644 --- a/Parsers/ASimDns/ProductParsers/ASimDnsCorelightZeek.yaml +++ b/Parsers/ASimDns/ProductParsers/ASimDnsCorelightZeek.yaml @@ -13,7 +13,7 @@ References: - Title: ASIM Link: https://aka.ms/AboutASIM Description: | - This ASIM parser supports normalizing Corelight Zeek DNS logs to the ASIM DNS activity normalized schema. + Normalize Corelight Zeek DNS logs to the ASIM DNS activity normalized schema. ParserName: ASimDnsCorelightZeek EquivalentBuiltInParser: _ASim_Dns_CorelightZeek ParserParams: diff --git a/Parsers/ASimDns/ProductParsers/ASimDnsGcp.yaml b/Parsers/ASimDns/ProductParsers/ASimDnsGcp.yaml index f9b9b3c5df..d7b2dd7a79 100644 --- a/Parsers/ASimDns/ProductParsers/ASimDnsGcp.yaml +++ b/Parsers/ASimDns/ProductParsers/ASimDnsGcp.yaml @@ -13,7 +13,7 @@ References: - Title: ASIM Link: https://aka.ms/AboutASIM Description: | - This ASIM parser supports normalizing Google Cloud Platform (GCP) DNS logs to the ASIM DNS activity normalized schema. + Normalize Google cloud platform (GCP) DNS logs to the ASIM DNS activity normalized schema. ParserName: ASimDnsGcp EquivalentBuiltInParser: _ASim_Dns_Gcp ParserParams: diff --git a/Parsers/ASimDns/ProductParsers/ASimDnsInfobloxNIOS.yaml b/Parsers/ASimDns/ProductParsers/ASimDnsInfobloxNIOS.yaml index 282387b3c6..ce16bcbec9 100644 --- a/Parsers/ASimDns/ProductParsers/ASimDnsInfobloxNIOS.yaml +++ b/Parsers/ASimDns/ProductParsers/ASimDnsInfobloxNIOS.yaml @@ -13,7 +13,7 @@ References: - Title: ASIM Link: https://aka.ms/AboutASIM Description: | - This ASIM parser supports normalizing Infoblox NIOS DNS logs to the ASIM DNS activity normalized schema. + Normalize Infoblox NIOS DNS logs to the ASIM DNS activity normalized schema. ParserName: ASimDnsInfobloxNIOS EquivalentBuiltInParser: _ASim_Dns_InfobloxNIOS ParserParams: diff --git a/Parsers/ASimDns/ProductParsers/ASimDnsMicrosoftNXlog.yaml b/Parsers/ASimDns/ProductParsers/ASimDnsMicrosoftNXlog.yaml index 23db29f1f2..2ce65f6951 100644 --- a/Parsers/ASimDns/ProductParsers/ASimDnsMicrosoftNXlog.yaml +++ b/Parsers/ASimDns/ProductParsers/ASimDnsMicrosoftNXlog.yaml @@ -13,7 +13,7 @@ References: - Title: ASIM Link: https://aka.ms/AboutASIM Description: | - This ASIM parser supports normalizing Windows DNS logs collected using NXlog to the ASIM DNS activity normalized schema. + Normalize Windows DNS logs collected using NXlog to the ASIM DNS activity normalized schema. ParserName: ASimDnsMicrosoftNXlog EquivalentBuiltInParser: _ASim_Dns_MicrosoftNXlog ParserParams: diff --git a/Parsers/ASimDns/ProductParsers/ASimDnsMicrosoftOMS.yaml b/Parsers/ASimDns/ProductParsers/ASimDnsMicrosoftOMS.yaml index 6340f9218d..3f468b9eda 100644 --- a/Parsers/ASimDns/ProductParsers/ASimDnsMicrosoftOMS.yaml +++ b/Parsers/ASimDns/ProductParsers/ASimDnsMicrosoftOMS.yaml @@ -1,5 +1,5 @@ Parser: - Title: DNS activity ASIM parser for Windows DNS Log collected using the Log Analytics Agent + Title: DNS activity ASIM parser for Windows DNS Log collected using the Log Analytics agent Version: '0.2' LastUpdated: Nov 11 2021 Product: @@ -13,7 +13,7 @@ References: - Title: ASIM Link: https://aka.ms/AboutASIM Description: | - This ASIM parser supports normalizing Windows DNS Log collected using the Log Analytics Agent to the ASIM DNS activity normalized schema. + Normalize Windows DNS Log collected using the Log Analytics agent to the ASIM DNS activity normalized schema. ParserName: ASimDnsMicrosoftOMS EquivalentBuiltInParser: _ASim_Dns_MicrosoftOMS ParserParams: diff --git a/Parsers/ASimDns/ProductParsers/ASimDnsMicrosoftSysmon.yaml b/Parsers/ASimDns/ProductParsers/ASimDnsMicrosoftSysmon.yaml index 7465eba71e..b0d63236d0 100644 --- a/Parsers/ASimDns/ProductParsers/ASimDnsMicrosoftSysmon.yaml +++ b/Parsers/ASimDns/ProductParsers/ASimDnsMicrosoftSysmon.yaml @@ -12,7 +12,7 @@ References: Link: https://aka.ms/ASimDnsDoc - Title: ASIM Link: https://aka.ms/AboutASIM -Description: This ASIM parser supports normalizing Sysmon for Windows DNS events (event number 22) collected using the Log Analytic Agent to the ASIM DNS activity normalized schema. The parser supports events collected to both the Event and WindowsEvent tables. +Description: Normalize Sysmon for Windows DNS events (event number 22) collected using the Log Analytics agent to the ASIM DNS activity normalized schema. The parser supports events collected to both the Event and WindowsEvent tables. ParserName: ASimDnsMicrosoftSysmon EquivalentBuiltInParser: _ASim_Dns_MicrosoftSysmon ParserParams: diff --git a/Parsers/ASimDns/ProductParsers/ASimDnsNative.yaml b/Parsers/ASimDns/ProductParsers/ASimDnsNative.yaml new file mode 100644 index 0000000000..3a95c3e40f --- /dev/null +++ b/Parsers/ASimDns/ProductParsers/ASimDnsNative.yaml @@ -0,0 +1,42 @@ +Parser: + Title: DNS activity ASIM parser for Microsoft Sentinel native DNS table + Version: '0.1' + LastUpdated: Jan 3 2022 +Product: + Name: Native +Normalization: + Schema: Dns + Version: '0.1.3' +References: +- Title: ASIM DNS Schema + Link: https://aka.ms/ASimDnsDoc +- Title: ASIM + Link: https://aka.ms/AboutASIM +Description: | + This ASIM parser supports normalizing the native Microsoft Sentinel DNS table (ASimDnsActivityLogs) to the ASIM DNS activity normalized schema. While the native table is ASIM compliant, the parser is needed to add capabiliteis, such as aliases, available only at query time. +ParserName: ASimDnsNative +EquivalentBuiltInParser: _ASim_Dns_Native +ParserParams: + - Name: disabled + Type: bool + Default: false +ParserQuery: | + let parser=(disabled:bool=false) + { + ASimDnsActivityLogs | where not(disabled) + | extend + EventStartTime = TimeGenerated, + EventEndTime = TimeGenerated, + EventSchema = "Dns", + EventSchemaVersion="0.1.3" + // -- Aliases + | extend + Dvc = DvcHostname, + DnsResponseCodeName=EventResultDetails, + Domain=DnsQuery, + IpAddr=SrcIpAddr, + Src=SrcIpAddr, + DvcHostname = SrcIpAddr, + Hostname = SrcIpAddr + }; + parser (disabled) \ No newline at end of file diff --git a/Parsers/ASimDns/ProductParsers/ASimDnszScalerZIA.yaml b/Parsers/ASimDns/ProductParsers/ASimDnszScalerZIA.yaml index 9022ceea7b..72cb0a84c0 100644 --- a/Parsers/ASimDns/ProductParsers/ASimDnszScalerZIA.yaml +++ b/Parsers/ASimDns/ProductParsers/ASimDnszScalerZIA.yaml @@ -13,7 +13,7 @@ References: - Title: ASIM Link: https://aka.ms/AboutASIM Description: | - This ASIM parser supports normalizing zScaler ZIA DNS logs to the ASIM DNS activity normalized schema. + Normalize zScaler ZIA DNS logs to the ASIM DNS activity normalized schema. ParserName: ASimDnszScalerZIA EquivalentBuiltInParser: _ASim_Dns_zScalerZIA ParserParams: diff --git a/Parsers/ASimDns/ProductParsers/VimDnsGcp.yaml b/Parsers/ASimDns/ProductParsers/VimDnsGcp.yaml index 8873f109c3..7d17205aa2 100644 --- a/Parsers/ASimDns/ProductParsers/VimDnsGcp.yaml +++ b/Parsers/ASimDns/ProductParsers/VimDnsGcp.yaml @@ -13,7 +13,7 @@ References: - Title: ASIM Link: https://aka.ms/AboutASIM Description: | - This ASIM parser supports filtering and normalizing Google Cloud Platform (GCP) DNS logs to the ASIM DNS activity normalized schema. + Filter and normalize Google cloud platform (GCP) DNS logs to the ASIM DNS activity normalized schema. ParserName: vimDnsGcp EquivalentBuiltInParser: _Im_Dns_Gcp ParserParams: diff --git a/Parsers/ASimDns/ProductParsers/vimDnsAzureFirewall.yaml b/Parsers/ASimDns/ProductParsers/vimDnsAzureFirewall.yaml index a0150e663f..d711045909 100644 --- a/Parsers/ASimDns/ProductParsers/vimDnsAzureFirewall.yaml +++ b/Parsers/ASimDns/ProductParsers/vimDnsAzureFirewall.yaml @@ -13,7 +13,7 @@ References: - Title: ASIM Link: https://aka.ms/AboutASIM Description: | - This ASIM parser supports filtering and normalizing Azure Firewall logs to the ASIM DNS activity normalized schema. + Filter and normalize Azure Firewall logs to the ASIM DNS activity normalized schema. ParserName: vimDnsAzureFirewall EquivalentBuiltInParser: _Im_Dns_AzureFirewall ParserParams: diff --git a/Parsers/ASimDns/ProductParsers/vimDnsCiscoUmbrella.yaml b/Parsers/ASimDns/ProductParsers/vimDnsCiscoUmbrella.yaml index 30a4e06f15..2a9f83cb9d 100644 --- a/Parsers/ASimDns/ProductParsers/vimDnsCiscoUmbrella.yaml +++ b/Parsers/ASimDns/ProductParsers/vimDnsCiscoUmbrella.yaml @@ -13,7 +13,7 @@ References: - Title: ASIM Link: https://aka.ms/AboutASIM Description: | - This ASIM parser supports filtering and normalizing Cisco Umbrella DNS logs to the ASIM DNS activity normalized schema. + Filter and normalize Cisco Umbrella DNS logs to the ASIM DNS activity normalized schema. ParserName: vimDnsCiscoUmbrella EquivalentBuiltInParser: _Im_Dns_CiscoUmbrella ParserParams: diff --git a/Parsers/ASimDns/ProductParsers/vimDnsCorelightZeek.yaml b/Parsers/ASimDns/ProductParsers/vimDnsCorelightZeek.yaml index 70683710a6..f17edb473b 100644 --- a/Parsers/ASimDns/ProductParsers/vimDnsCorelightZeek.yaml +++ b/Parsers/ASimDns/ProductParsers/vimDnsCorelightZeek.yaml @@ -13,7 +13,7 @@ References: - Title: ASIM Link: https://aka.ms/AboutASIM Description: | - This ASIM parser supports filtering and normalizing Corelight Zeek DNS logs to the ASIM DNS activity normalized schema. + Filter and normalize Corelight Zeek DNS logs to the ASIM DNS activity normalized schema. ParserName: vimDnsCorelightZeek EquivalentBuiltInParser: _Im_Dns_CorelightZeek ParserParams: diff --git a/Parsers/ASimDns/ProductParsers/vimDnsInfobloxNIOS.yaml b/Parsers/ASimDns/ProductParsers/vimDnsInfobloxNIOS.yaml index 7de06cd46d..097019156d 100644 --- a/Parsers/ASimDns/ProductParsers/vimDnsInfobloxNIOS.yaml +++ b/Parsers/ASimDns/ProductParsers/vimDnsInfobloxNIOS.yaml @@ -13,7 +13,7 @@ References: - Title: ASIM Link: https://aka.ms/AboutASIM Description: | - This ASIM parser supports filtering and normalizing Infoblox NIOS DNS logs to the ASIM DNS activity normalized schema. + Filter and normalize Infoblox NIOS DNS logs to the ASIM DNS activity normalized schema. ParserName: vimDnsInfobloxNIOS EquivalentBuiltInParser: _Im_Dns_InfobloxNIOS ParserParams: diff --git a/Parsers/ASimDns/ProductParsers/vimDnsMicrosoftNXlog.yaml b/Parsers/ASimDns/ProductParsers/vimDnsMicrosoftNXlog.yaml index ba8c246832..7c643868d3 100644 --- a/Parsers/ASimDns/ProductParsers/vimDnsMicrosoftNXlog.yaml +++ b/Parsers/ASimDns/ProductParsers/vimDnsMicrosoftNXlog.yaml @@ -13,7 +13,7 @@ References: - Title: ASIM Link: https://aka.ms/AboutASIM Description: | - This ASIM parser supports filtering and normalizing Windows DNS logs collected using NXlog to the ASIM DNS activity normalized schema. + Filter and normalize Windows DNS logs collected using NXlog to the ASIM DNS activity normalized schema. ParserName: vimDnsMicrosoftNXlog EquivalentBuiltInParser: _Im_Dns_MicrosoftNXlog ParserParams: diff --git a/Parsers/ASimDns/ProductParsers/vimDnsMicrosoftOMS.yaml b/Parsers/ASimDns/ProductParsers/vimDnsMicrosoftOMS.yaml index 89d068530e..28e26fbd0b 100644 --- a/Parsers/ASimDns/ProductParsers/vimDnsMicrosoftOMS.yaml +++ b/Parsers/ASimDns/ProductParsers/vimDnsMicrosoftOMS.yaml @@ -1,5 +1,5 @@ Parser: - Title: DNS activity ASIM filtering parser for Windows DNS Log collected using the Log Analytics Agent + Title: DNS activity ASIM filtering parser for Windows DNS Log collected using the Log Analytics agent Version: '0.2' LastUpdated: Nov 11 2021 Product: @@ -13,7 +13,7 @@ References: - Title: ASIM Link: https://aka.ms/AboutASIM Description: | - This ASIM parser supports filtering and normalizing Windows DNS Log collected using the Log Analytics Agent to the ASIM DNS activity normalized schema. + Filter and normalize Windows DNS Log collected using the Log Analytics agent to the ASIM DNS activity normalized schema. ParserName: vimDnsMicrosoftOMS EquivalentBuiltInParser: _Im_Dns_MicrosoftOMS ParserParams: diff --git a/Parsers/ASimDns/ProductParsers/vimDnsMicrosoftSysmon.yaml b/Parsers/ASimDns/ProductParsers/vimDnsMicrosoftSysmon.yaml index f8e5c66f99..4f95560978 100644 --- a/Parsers/ASimDns/ProductParsers/vimDnsMicrosoftSysmon.yaml +++ b/Parsers/ASimDns/ProductParsers/vimDnsMicrosoftSysmon.yaml @@ -12,7 +12,7 @@ References: Link: https://aka.ms/ASimDnsDoc - Title: ASIM Link: https://aka.ms/AboutASIM -Description: This ASIM parser supports filtering and normalizing Sysmon for Windows DNS events (event number 22) collected using the Log Analytic Agent to the ASIM DNS activity normalized schema. The parser supports events collected to both the Event and WindowsEvent tables. +Description: Filter and normalize Sysmon for Windows DNS events (event number 22) collected using the Log Analytics agent to the ASIM DNS activity normalized schema. The parser supports events collected to both the Event and WindowsEvent tables. ParserName: vimDnsMicrosoftSysmon EquivalentBuiltInParser: _Im_Dns_MicrosoftSysmon ParserParams: diff --git a/Parsers/ASimDns/ProductParsers/vimDnsNative.yaml b/Parsers/ASimDns/ProductParsers/vimDnsNative.yaml new file mode 100644 index 0000000000..e5e2ae3a47 --- /dev/null +++ b/Parsers/ASimDns/ProductParsers/vimDnsNative.yaml @@ -0,0 +1,90 @@ +Parser: + Title: DNS activity ASIM filtering parser for Microsoft Sentinel native DNS table + Version: '0.1' + LastUpdated: Jan 3 2022 +Product: + Name: Native +Normalization: + Schema: Dns + Version: '0.1.3' +References: +- Title: ASIM DNS Schema + Link: https://aka.ms/ASimDnsDoc +- Title: ASIM + Link: https://aka.ms/AboutASIM +Description: | + This ASIM parser supports filtering and normalizing the native Microsoft Sentinel DNS table (ASimDnsActivityLogs) to the ASIM DNS activity normalized schema. While the native table is ASIM compliant, the parser is needed to add capabiliteis, such as aliases, available only at query time. +ParserName: vimDnsNative +EquivalentBuiltInParser: _Im_Dns_Native +ParserParams: + - Name: starttime + Type: datetime + Default: datetime(null) + - Name: endtime + Type: datetime + Default: datetime(null) + - Name: srcipaddr + Type: string + Default: '*' + - Name: domain_has_any + Type: dynamic + Default: dynamic([]) + - Name: responsecodename + Type: string + Default: '*' + - Name: response_has_ipv4 + Type: string + Default: '*' + - Name: response_has_any_prefix + Type: dynamic + Default: dynamic([]) + - Name: eventtype + Type: string + Default: 'Query' + - Name: disabled + Type: bool + Default: false + +ParserQuery: | + let parser= + ( + starttime:datetime=datetime(null), + endtime:datetime=datetime(null), + srcipaddr:string='*', + domain_has_any:dynamic=dynamic([]), + responsecodename:string='*', + response_has_ipv4:string='*', + response_has_any_prefix:dynamic=dynamic([]), + eventtype:string='Query', + disabled:bool=false + ) + { + ASimDnsActivityLogs | where not(disabled) + // -- Pre-parsing filtering: + | where + (response_has_ipv4=='*') and (response_has_any_prefix=='*') // -- Check that unsupported filters are set to default + and (isnull(starttime) or TimeGenerated >= starttime) + and (isnull(endtime) or TimeGenerated <= endtime) + and (srcipaddr=='*' or SrcIpAddr==srcipaddr) + and (array_length(domain_has_any) ==0 or DnsQuery has_any (domain_has_any)) + and (responsecodename=='*' or EventResultDetails == responsecodename) + //and (response_has_ipv4=='*' or has_ipv4(IPAddresses,response_has_ipv4) ) + //and (array_length(response_has_any_prefix) ==0 or has_any_ipv4_prefix(IPAddresses, response_has_any_prefix) ) + and (eventtype == "*" or eventtype == EventType or (eventtype == "lookup" and EventType == "Query")) // -- Support "lookup" as value for backward compatibility + // -- + | extend + EventStartTime = TimeGenerated, + EventEndTime = TimeGenerated, + EventSchema = "Dns", + EventSchemaVersion="0.1.3" + // -- Aliases + | extend + Dvc = DvcHostname, + DnsResponseCodeName=EventResultDetails, + Domain=DnsQuery, + IpAddr=SrcIpAddr, + Src=SrcIpAddr, + DvcHostname = SrcIpAddr, + Hostname = SrcIpAddr + }; + parser (starttime, endtime, srcipaddr, domain_has_any, responsecodename, response_has_ipv4, response_has_any_prefix, eventtype, disabled) diff --git a/Parsers/ASimDns/ProductParsers/vimDnszScalerZIA.yaml b/Parsers/ASimDns/ProductParsers/vimDnszScalerZIA.yaml index b7e1feda6c..e7869ed757 100644 --- a/Parsers/ASimDns/ProductParsers/vimDnszScalerZIA.yaml +++ b/Parsers/ASimDns/ProductParsers/vimDnszScalerZIA.yaml @@ -13,7 +13,7 @@ References: - Title: ASIM Link: https://aka.ms/AboutASIM Description: | - This ASIM parser supports filtering and normalizing zScaler ZIA DNS logs to the ASIM DNS activity normalized schema. + Filter and normalize zScaler ZIA DNS logs to the ASIM DNS activity normalized schema. ParserName: vimDnszScalerZIA EquivalentBuiltInParser: _Im_Dns_zScalerZIA ParserParams: diff --git a/Parsers/DSTIM/DSTIMCorrelatedLogs.txt b/Parsers/DSTIM/DSTIMCorrelatedLogs.txt new file mode 100644 index 0000000000..a1bb88bd25 --- /dev/null +++ b/Parsers/DSTIM/DSTIMCorrelatedLogs.txt @@ -0,0 +1,45 @@ +// Usage Instruction : +// Paste below query in log analytics, click on Save button and select as Function from drop down by specifying function name and alias as DSTIMCorrelatedLogs +// Function usually takes 10-15 minutes to activate. You can then use function alias from any other queries (e.g. DSTIMCorrelatedLogs | take 10). +// Reference : Using functions in Azure monitor log queries : https://docs.microsoft.com/azure/azure-monitor/log-query/functions +let DSTIMCorrelatedLogs = (_startDate:datetime, _endDate: datetime, _subscriptions:dynamic = dynamic("*"), _resourceGroups:dynamic = dynamic(["*"]), _userAccounts:dynamic = dynamic(["*"])) +{ +let noClassificationView = datatable(Classification: string, CorrelationId:string, AssetType:string, SensitivityLabelName:string) +['[{"Id":"","Name":"No classification","Count":"0","Confidence":"0","UniqueCount":"0"}]', "", "Unknown", "no label"]; +DSTIMAccess_CL +| project + TimeGenerated = TimeDiscovered_t, + Location = Location_s, + OperationName, + AuthenticationType = AuthenticationType_s, + RequesterAppId = iff(isempty(RequesterAppId_s), 'Anonymous app', RequesterAppId_s), + RequesterUpn = iff(isempty(RequesterUpn_s), 'Anonymous user', RequesterUpn_s), + StatusCode = StatusCode_s, + Uri = Uri_s, + CallerIPAddress, + UserAgentHeader = UserAgentHeader_s, + Category, + AggregationCount = AggregationCount_s, + AggregationLastEventTime = AggregationLastEventTime_t, + ResponseBodySize = ResponseBodySize_s, + ResourceSubscriptionId = ResourceSubscriptionId_g, + ResourceGroup, + StorageAccountName = StorageAccountName_s, + AccessCorrelationId = CorrelationId +| where TimeGenerated between (_startDate .. _endDate) or AggregationLastEventTime between (_startDate .. _endDate) +| where _subscriptions == '*' or _subscriptions has ResourceSubscriptionId +| where '["*"]' == tostring(_resourceGroups) or ResourceGroup in (_resourceGroups) +| where '["*"]' == tostring(_userAccounts) or RequesterUpn in (_userAccounts) or RequesterAppId in (_userAccounts) +| join kind=leftouter(DSTIMClassification_CL + | project + Classification = Classification_s, + ClassificationCorrelationId = CorrelationId + | join kind=leftouter (DSTIMSensitivity_CL + | project + SensitivityLabelName = iff(isempty(SensitivityLabelName_s), 'no label', SensitivityLabelName_s), + SensitivityCorrelationId = CorrelationId) + on $left.ClassificationCorrelationId == $right.SensitivityCorrelationId + | union noClassificationView) + on $left.AccessCorrelationId == $right.ClassificationCorrelationId +| project-away AccessCorrelationId, ClassificationCorrelationId, SensitivityCorrelationId + }; \ No newline at end of file diff --git a/Parsers/DSTIM/GetClassificationList.txt b/Parsers/DSTIM/GetClassificationList.txt new file mode 100644 index 0000000000..10429d3ff4 --- /dev/null +++ b/Parsers/DSTIM/GetClassificationList.txt @@ -0,0 +1,12 @@ +// Usage Instruction : +// Paste below query in log analytics, click on Save button and select as Function from drop down by specifying function name and alias as GetClassificationList. +// Function usually takes 10-15 minutes to activate. You can then use function alias from any other queries (e.g. GetClassificationList | take 10). +// Reference : Using functions in Azure monitor log queries : https://docs.microsoft.com/azure/azure-monitor/log-query/functions +let GetClassificationList = (_startDate:datetime, _endDate: datetime, _subscriptions:dynamic = dynamic("*"), _resourceGroups:dynamic = dynamic(["*"]), _userAccounts:dynamic = dynamic(["*"])) +{ + DSTIMCorrelatedLogs(_startDate, _endDate, _subscriptions, _resourceGroups, _userAccounts) +| mv-expand Classifications = todynamic(Classification) +| where isnotempty( Classifications.['Name']) +| project Classification=tostring(Classifications.['Name']) +| distinct Classification +}; \ No newline at end of file diff --git a/Parsers/Netskope/Netskope.txt b/Parsers/Netskope/Netskope.txt index 2ca0550aff..933d43739a 100644 --- a/Parsers/Netskope/Netskope.txt +++ b/Parsers/Netskope/Netskope.txt @@ -117,6 +117,7 @@ PathId = column_ifexists("path_id_d", ""), PolicyId = column_ifexists("policy_id_d", ""), QuarantineProfileId = column_ifexists("quarantine_profile_id_d", ""), RequestId = column_ifexists("request_id_d", ""), +RequestIdNew = column_ifexists("requestid_s", ""), RiskLevelId = column_ifexists("risk_level_id_d", ""), RunId = column_ifexists("run_id_d", ""), SaProfileId = column_ifexists("sa_profile_id_d", ""), @@ -133,7 +134,9 @@ Threshold = column_ifexists("threshold_d", ""), TotalCollaboratorCount = column_ifexists("total_collaborator_count_d", ""), BinTimestamp = column_ifexists("bin_timestamp_d", ""), BrowserSessionId = column_ifexists("browser_session_id_d", ""), +BrowserSessionIdNew = column_ifexists("browser_sessionid_s", ""), ConnectionId = column_ifexists("connection_id_d", ""), +ConnectionIdNew = column_ifexists("connectionid_s", ""), LastTimestamp = column_ifexists("last_timestamp_d", ""), ScanTime = column_ifexists("scan_time_d", ""), ThresholdTime = column_ifexists("threshold_time_d", ""), @@ -143,7 +146,8 @@ ActUser = column_ifexists("act_user_s", ""), Action = column_ifexists("action_s", ""), ActivityStatus = column_ifexists("activity_status_s", ""), ActivityType = column_ifexists("activity_type_s", ""), -AppSessionId = column_ifexists("app_session_id_s", ""), +AppSessionId = column_ifexists("app_session_id_d", ""), +AppSessionIdNew = column_ifexists("app_sessionid_s", ""), Attachment = column_ifexists("attachment_s", ""), AuditCategory = column_ifexists("audit_category_s", ""), AuditType = column_ifexists("audit_type_s", ""), @@ -158,8 +162,10 @@ DeviceClassification = column_ifexists("device_classification_s", ""), DlpFile = column_ifexists("dlp_file_s", ""), DlpFingerprintClassification = column_ifexists("dlp_fingerprint_classification_s", ""), DlpFingerprintMatch = column_ifexists("dlp_fingerprint_match_s", ""), -DlpIncidentId = column_ifexists("dlp_incident_id_s", ""), -DlpParentId = column_ifexists("dlp_parent_id_s", ""), +DlpIncidentId = column_ifexists("dlp_incident_id_d", ""), +DlpIncidentIdNew = column_ifexists("dlp_incidentid_s", ""), +DlpParentId = column_ifexists("dlp_parent_id_d", ""), +DlpParentIdNew = column_ifexists("dlp_parentid_s", ""), DlpProfile = column_ifexists("dlp_profile_s", ""), DlpRule = column_ifexists("dlp_rule_s", ""), DlpRuleSeverity = column_ifexists("dlp_rule_severity_s", ""), @@ -274,7 +280,8 @@ ThreatMatchField = column_ifexists("threat_match_field_s", ""), Title = column_ifexists("title_s", ""), ToObject = column_ifexists("to_object_s", ""), ToUserCategory = column_ifexists("to_user_category_s", ""), -TransactionId = column_ifexists("transaction_id_s", ""), +TransactionId = column_ifexists("transaction_id_d", ""), +TransactionIdNew = column_ifexists("transactionid_s", ""), TssMode = column_ifexists("tss_mode_s", ""), TunnelId = column_ifexists("tunnel_id_s", ""), Url2Activity = column_ifexists("Url2Activity_s", ""), @@ -290,3 +297,4 @@ Workspace = column_ifexists("workspace_s", ""), WorkspaceId = column_ifexists("workspace_id_s", ""), ZipPassword = column_ifexists("zip_password_s", "") + diff --git a/Parsers/ProofpointPOD/ProofpointPOD b/Parsers/ProofpointPOD/ProofpointPOD index 00b7d7f91b..8f194c1c5d 100644 --- a/Parsers/ProofpointPOD/ProofpointPOD +++ b/Parsers/ProofpointPOD/ProofpointPOD @@ -3,7 +3,7 @@ // Function usually takes 10-15 minutes to activate. You can then use function alias from any other queries (e.g. ProofpointPOD | take 10). // Reference : Using functions in Azure monitor log queries : https://docs.microsoft.com/azure/azure-monitor/log-query/functions let ProofpointPOD_maillog_view = view () { - ProofpointPOD_maillog_CL + union isfuzzy=true ProofpointPOD_maillog_CL, maillog_CL | where isnotempty( pps_cid_s) and event_type_s == "maillog" | extend SmMsgid=column_ifexists('sm_msgid_g', ''), PpsCid=column_ifexists('pps_cid_s', ''), @@ -69,7 +69,7 @@ let ProofpointPOD_maillog_view = view () { NetworkDuration }; let ProofpointPOD_message_view = view () { - ProofpointPOD_message_CL + union isfuzzy=true ProofpointPOD_message_CL, message_CL | where isnotempty( pps_cid_s) and event_type_s == "message" | extend FilterModulesUrldefenseCountsNoRewriteIsLargeMsgPartSize=column_ifexists('filter_modules_urldefense_counts_noRewriteIsLargeMsgPartSize_d', ''), PpsVersion=column_ifexists('pps_version_s', ''), diff --git a/Playbooks/Watchlist-InformSubowner-IncidentTrigger/azuredeploy.json b/Playbooks/Watchlist-InformSubowner-IncidentTrigger/azuredeploy.json index 998e9c73a6..578bacae91 100644 --- a/Playbooks/Watchlist-InformSubowner-IncidentTrigger/azuredeploy.json +++ b/Playbooks/Watchlist-InformSubowner-IncidentTrigger/azuredeploy.json @@ -75,11 +75,6 @@ "apiVersion": "2016-06-01", "name": "[variables('MicrosoftTeamsConnectionName')]", "location": "[resourceGroup().location]", - "tags": { - "LogicAppsCategory": "security", - "hidden-SentinelTemplateName": "PlaybookName", - "hidden-SentinelTemplateVersion": "1.0" - }, "properties": { "displayName": "[variables('MicrosoftTeamsConnectionName')]", "customParameterValues": { @@ -94,6 +89,11 @@ "apiVersion": "2017-07-01", "name": "[parameters('PlaybookName')]", "location": "[resourceGroup().location]", + "tags": { + "LogicAppsCategory": "security", + "hidden-SentinelTemplateName": "Watchlist-InformSubowner", + "hidden-SentinelTemplateVersion": "1.0" + }, "dependsOn": [ "[resourceId('Microsoft.Web/connections', variables('AzureSentinelConnectionName'))]", "[resourceId('Microsoft.Web/connections', variables('Office365ConnectionName'))]", diff --git a/Sample Data/AzurePurview_SampleData.csv b/Sample Data/AzurePurview_SampleData.csv index d9e076f96f..e3413af315 100644 --- a/Sample Data/AzurePurview_SampleData.csv +++ b/Sample Data/AzurePurview_SampleData.csv @@ -1,1359 +1,10 @@ -TenantId,TimeGenerated [UTC],CorrelationId,OperationName,PurviewTenantId,PurviewSubscriptionId,PurviewAccountName,PurviewRegion,SourceName,SourceType,SourcePath,SourceSubscriptionId,SourceRegion,SourceCollectionName,SourceOwner,AssetName,AssetPath,AssetType,AssetCreationTime [UTC],AssetModifiedTime [UTC],AssetOwner,AssetLastScanTime [UTC],FileExtension,FileSize,ActivityType,ActivityTrigger,Classification,ClassificationCount,SensitivityLabelGuid,SensitivityLabelName,UserId,SourceSystem,Type,_ResourceId -d80e74e9-da11-4572-babc-79349f7685cc,"11/1/2021, 4:12:39.946 PM",00000000-0000-0000-0000-000000000000,DataSensitivityLogEvent,72f988bf-86f1-41af-91ab-2d7cd011db47,458b9821-8f00-483f-acf9-ff6ab17332c4,Sentinel-Bug-Bash-EastUS2,eastus2,AzureBlob-Bc2,AzureBlob,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourceGroups/classification-test/providers/Microsoft.Storage/storageAccounts/aipclptest,458b9821-8f00-483f-acf9-ff6ab17332c4,eastus,BugBashTest,,fi-pn.docx,https://aipclptest.blob.core.windows.net/aashishr01/fi-pn.docx,File,"12/11/2020, 8:59:33.000 PM","12/11/2020, 8:59:33.000 PM",,"11/1/2021, 4:09:10.107 PM",docx,25516,Classification,System,"[""Japan Passport Number""]",1,,,,,PurviewDataSensitivityLogs,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourcegroups/purview-sentinel-bug-bash/providers/microsoft.purview/accounts/sentinel-bug-bash-eastus2 -d80e74e9-da11-4572-babc-79349f7685cc,"11/1/2021, 4:12:39.952 PM",00000000-0000-0000-0000-000000000000,DataSensitivityLogEvent,72f988bf-86f1-41af-91ab-2d7cd011db47,458b9821-8f00-483f-acf9-ff6ab17332c4,Sentinel-Bug-Bash-EastUS2,eastus2,AzureBlob-Bc2,AzureBlob,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourceGroups/classification-test/providers/Microsoft.Storage/storageAccounts/aipclptest,458b9821-8f00-483f-acf9-ff6ab17332c4,eastus,BugBashTest,,denmark.txt,https://aipclptest.blob.core.windows.net/test2/denmark.txt,File,"5/13/2021, 6:37:49.000 PM","5/13/2021, 6:37:49.000 PM",,"11/1/2021, 4:09:09.216 PM",txt,128,Classification,System,"[""EU National Identification Number""]",1,,,,,PurviewDataSensitivityLogs,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourcegroups/purview-sentinel-bug-bash/providers/microsoft.purview/accounts/sentinel-bug-bash-eastus2 -d80e74e9-da11-4572-babc-79349f7685cc,"11/1/2021, 4:12:39.958 PM",00000000-0000-0000-0000-000000000000,DataSensitivityLogEvent,72f988bf-86f1-41af-91ab-2d7cd011db47,458b9821-8f00-483f-acf9-ff6ab17332c4,Sentinel-Bug-Bash-EastUS2,eastus2,AzureBlob-Bc2,AzureBlob,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourceGroups/classification-test/providers/Microsoft.Storage/storageAccounts/aipclptest,458b9821-8f00-483f-acf9-ff6ab17332c4,eastus,BugBashTest,,de-pn.docx,https://aipclptest.blob.core.windows.net/aashishr01/de-pn.docx,File,"12/11/2020, 8:59:35.000 PM","12/11/2020, 8:59:35.000 PM",,"11/1/2021, 4:09:09.622 PM",docx,26060,Classification,System,"[""EU Passport Number"",""German Passport Number""]",2,,,,,PurviewDataSensitivityLogs,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourcegroups/purview-sentinel-bug-bash/providers/microsoft.purview/accounts/sentinel-bug-bash-eastus2 -d80e74e9-da11-4572-babc-79349f7685cc,"11/1/2021, 4:12:39.963 PM",00000000-0000-0000-0000-000000000000,DataSensitivityLogEvent,72f988bf-86f1-41af-91ab-2d7cd011db47,458b9821-8f00-483f-acf9-ff6ab17332c4,Sentinel-Bug-Bash-EastUS2,eastus2,AzureBlob-Bc2,AzureBlob,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourceGroups/classification-test/providers/Microsoft.Storage/storageAccounts/aipclptest,458b9821-8f00-483f-acf9-ff6ab17332c4,eastus,BugBashTest,,denmark.txt,https://aipclptest.blob.core.windows.net/aipscan/PII/denmark.txt,File,"2/13/2020, 7:54:22.000 PM","2/13/2020, 7:54:22.000 PM",,"11/1/2021, 4:09:20.473 PM",txt,128,Classification,System,"[""EU National Identification Number""]",1,,,,,PurviewDataSensitivityLogs,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourcegroups/purview-sentinel-bug-bash/providers/microsoft.purview/accounts/sentinel-bug-bash-eastus2 -d80e74e9-da11-4572-babc-79349f7685cc,"11/1/2021, 4:12:39.963 PM",00000000-0000-0000-0000-000000000000,DataSensitivityLogEvent,72f988bf-86f1-41af-91ab-2d7cd011db47,458b9821-8f00-483f-acf9-ff6ab17332c4,Sentinel-Bug-Bash-EastUS2,eastus2,AzureBlob-Bc2,AzureBlob,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourceGroups/classification-test/providers/Microsoft.Storage/storageAccounts/aipclptest,458b9821-8f00-483f-acf9-ff6ab17332c4,eastus,BugBashTest,,Acme Background Check-Katana.doc,https://aipclptest.blob.core.windows.net/aipscan/Acme Background Check-Katana.doc,File,"7/20/2020, 11:17:52.000 PM","8/12/2020, 10:48:18.000 PM",,"11/1/2021, 4:09:09.560 PM",doc,90624,Classification,System,"[""Credit Card Number"",""U.S. Social Security Number (SSN)""]",2,,,,,PurviewDataSensitivityLogs,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourcegroups/purview-sentinel-bug-bash/providers/microsoft.purview/accounts/sentinel-bug-bash-eastus2 -d80e74e9-da11-4572-babc-79349f7685cc,"11/1/2021, 4:12:39.968 PM",00000000-0000-0000-0000-000000000000,DataSensitivityLogEvent,72f988bf-86f1-41af-91ab-2d7cd011db47,458b9821-8f00-483f-acf9-ff6ab17332c4,Sentinel-Bug-Bash-EastUS2,eastus2,AzureBlob-Bc2,AzureBlob,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourceGroups/classification-test/providers/Microsoft.Storage/storageAccounts/aipclptest,458b9821-8f00-483f-acf9-ff6ab17332c4,eastus,BugBashTest,,EL.txt,https://aipclptest.blob.core.windows.net/aashishr01/EL.txt,File,"12/11/2020, 8:59:35.000 PM","12/11/2020, 8:59:35.000 PM",,"11/1/2021, 4:09:09.575 PM",txt,200,Classification,System,"[""EU National Identification Number"",""Greece National ID Card""]",2,,,,,PurviewDataSensitivityLogs,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourcegroups/purview-sentinel-bug-bash/providers/microsoft.purview/accounts/sentinel-bug-bash-eastus2 -d80e74e9-da11-4572-babc-79349f7685cc,"11/1/2021, 4:12:39.969 PM",00000000-0000-0000-0000-000000000000,DataSensitivityLogEvent,72f988bf-86f1-41af-91ab-2d7cd011db47,458b9821-8f00-483f-acf9-ff6ab17332c4,Sentinel-Bug-Bash-EastUS2,eastus2,AzureBlob-Bc2,AzureBlob,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourceGroups/classification-test/providers/Microsoft.Storage/storageAccounts/aipclptest,458b9821-8f00-483f-acf9-ff6ab17332c4,eastus,BugBashTest,,cz-id.docx,https://aipclptest.blob.core.windows.net/aashishr01/cz-id.docx,File,"12/11/2020, 8:59:35.000 PM","12/11/2020, 8:59:35.000 PM",,"11/1/2021, 4:09:09.529 PM",docx,26105,Classification,System,"[""EU National Identification Number"",""EU Social Security Number (SSN) or Equivalent ID""]",2,,,,,PurviewDataSensitivityLogs,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourcegroups/purview-sentinel-bug-bash/providers/microsoft.purview/accounts/sentinel-bug-bash-eastus2 -d80e74e9-da11-4572-babc-79349f7685cc,"11/1/2021, 4:12:39.974 PM",00000000-0000-0000-0000-000000000000,DataSensitivityLogEvent,72f988bf-86f1-41af-91ab-2d7cd011db47,458b9821-8f00-483f-acf9-ff6ab17332c4,Sentinel-Bug-Bash-EastUS2,eastus2,AzureBlob-Bc2,AzureBlob,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourceGroups/classification-test/providers/Microsoft.Storage/storageAccounts/aipclptest,458b9821-8f00-483f-acf9-ff6ab17332c4,eastus,BugBashTest,,de-id.docx,https://aipclptest.blob.core.windows.net/aashishr01/de-id.docx,File,"12/11/2020, 8:59:35.000 PM","12/11/2020, 8:59:35.000 PM",,"11/1/2021, 4:09:09.701 PM",docx,25558,Classification,System,"[""EU National Identification Number"",""Germany Identity Card Number""]",2,,,,,PurviewDataSensitivityLogs,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourcegroups/purview-sentinel-bug-bash/providers/microsoft.purview/accounts/sentinel-bug-bash-eastus2 -d80e74e9-da11-4572-babc-79349f7685cc,"11/1/2021, 4:12:39.975 PM",00000000-0000-0000-0000-000000000000,DataSensitivityLogEvent,72f988bf-86f1-41af-91ab-2d7cd011db47,458b9821-8f00-483f-acf9-ff6ab17332c4,Sentinel-Bug-Bash-EastUS2,eastus2,AzureBlob-Bc2,AzureBlob,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourceGroups/classification-test/providers/Microsoft.Storage/storageAccounts/aipclptest,458b9821-8f00-483f-acf9-ff6ab17332c4,eastus,BugBashTest,,cr-oib.docx,https://aipclptest.blob.core.windows.net/test2/cr-oib.docx,File,"5/13/2021, 6:37:49.000 PM","5/13/2021, 6:37:49.000 PM",,"11/1/2021, 4:09:09.325 PM",docx,26098,Classification,System,"[""EU National Identification Number""]",1,,,,,PurviewDataSensitivityLogs,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourcegroups/purview-sentinel-bug-bash/providers/microsoft.purview/accounts/sentinel-bug-bash-eastus2 -d80e74e9-da11-4572-babc-79349f7685cc,"11/1/2021, 4:12:39.980 PM",00000000-0000-0000-0000-000000000000,DataSensitivityLogEvent,72f988bf-86f1-41af-91ab-2d7cd011db47,458b9821-8f00-483f-acf9-ff6ab17332c4,Sentinel-Bug-Bash-EastUS2,eastus2,AzureBlob-Bc2,AzureBlob,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourceGroups/classification-test/providers/Microsoft.Storage/storageAccounts/aipclptest,458b9821-8f00-483f-acf9-ff6ab17332c4,eastus,BugBashTest,,es-ssn.docx,https://aipclptest.blob.core.windows.net/test2/es-ssn.docx,File,"5/13/2021, 6:37:48.000 PM","5/13/2021, 6:37:48.000 PM",,"11/1/2021, 4:09:09.435 PM",docx,26070,Classification,System,"[""Spain Social Security Number (SSN)""]",1,,,,,PurviewDataSensitivityLogs,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourcegroups/purview-sentinel-bug-bash/providers/microsoft.purview/accounts/sentinel-bug-bash-eastus2 -d80e74e9-da11-4572-babc-79349f7685cc,"11/1/2021, 4:12:39.980 PM",00000000-0000-0000-0000-000000000000,DataSensitivityLogEvent,72f988bf-86f1-41af-91ab-2d7cd011db47,458b9821-8f00-483f-acf9-ff6ab17332c4,Sentinel-Bug-Bash-EastUS2,eastus2,AzureBlob-Bc2,AzureBlob,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourceGroups/classification-test/providers/Microsoft.Storage/storageAccounts/aipclptest,458b9821-8f00-483f-acf9-ff6ab17332c4,eastus,BugBashTest,,EL.txt,https://aipclptest.blob.core.windows.net/test2/EL.txt,File,"5/13/2021, 6:37:48.000 PM","5/13/2021, 6:37:48.000 PM",,"11/1/2021, 4:09:09.279 PM",txt,200,Classification,System,"[""EU National Identification Number"",""Greece National ID Card""]",2,,,,,PurviewDataSensitivityLogs,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourcegroups/purview-sentinel-bug-bash/providers/microsoft.purview/accounts/sentinel-bug-bash-eastus2 -d80e74e9-da11-4572-babc-79349f7685cc,"11/1/2021, 4:12:39.986 PM",00000000-0000-0000-0000-000000000000,DataSensitivityLogEvent,72f988bf-86f1-41af-91ab-2d7cd011db47,458b9821-8f00-483f-acf9-ff6ab17332c4,Sentinel-Bug-Bash-EastUS2,eastus2,AzureBlob-Bc2,AzureBlob,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourceGroups/classification-test/providers/Microsoft.Storage/storageAccounts/aipclptest,458b9821-8f00-483f-acf9-ff6ab17332c4,eastus,BugBashTest,,finland.txt,https://aipclptest.blob.core.windows.net/test2/finland.txt,File,"5/13/2021, 6:37:48.000 PM","5/13/2021, 6:37:48.000 PM",,"11/1/2021, 4:09:09.247 PM",txt,89,Classification,System,"[""EU National Identification Number"",""EU Social Security Number (SSN) or Equivalent ID"",""EU Tax Identification Number (TIN)"",""Finland National ID""]",4,,,,,PurviewDataSensitivityLogs,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourcegroups/purview-sentinel-bug-bash/providers/microsoft.purview/accounts/sentinel-bug-bash-eastus2 -d80e74e9-da11-4572-babc-79349f7685cc,"11/1/2021, 4:12:39.986 PM",00000000-0000-0000-0000-000000000000,DataSensitivityLogEvent,72f988bf-86f1-41af-91ab-2d7cd011db47,458b9821-8f00-483f-acf9-ff6ab17332c4,Sentinel-Bug-Bash-EastUS2,eastus2,AzureBlob-Bc2,AzureBlob,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourceGroups/classification-test/providers/Microsoft.Storage/storageAccounts/aipclptest,458b9821-8f00-483f-acf9-ff6ab17332c4,eastus,BugBashTest,,el-id.docx,https://aipclptest.blob.core.windows.net/aashishr01/el-id.docx,File,"12/11/2020, 8:59:35.000 PM","12/11/2020, 8:59:35.000 PM",,"11/1/2021, 4:09:10.138 PM",docx,26163,Classification,System,"[""EU National Identification Number"",""Greece National ID Card""]",2,,,,,PurviewDataSensitivityLogs,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourcegroups/purview-sentinel-bug-bash/providers/microsoft.purview/accounts/sentinel-bug-bash-eastus2 -d80e74e9-da11-4572-babc-79349f7685cc,"11/1/2021, 4:12:39.991 PM",00000000-0000-0000-0000-000000000000,DataSensitivityLogEvent,72f988bf-86f1-41af-91ab-2d7cd011db47,458b9821-8f00-483f-acf9-ff6ab17332c4,Sentinel-Bug-Bash-EastUS2,eastus2,AzureBlob-Bc2,AzureBlob,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourceGroups/classification-test/providers/Microsoft.Storage/storageAccounts/aipclptest,458b9821-8f00-483f-acf9-ff6ab17332c4,eastus,BugBashTest,,pl-id.docx,https://aipclptest.blob.core.windows.net/aashishr01/pl-id.docx,File,"12/11/2020, 8:59:33.000 PM","12/11/2020, 8:59:33.000 PM",,"11/1/2021, 4:09:10.075 PM",docx,26144,Classification,System,"[""EU National Identification Number"",""Poland Identity Card""]",2,,,,,PurviewDataSensitivityLogs,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourcegroups/purview-sentinel-bug-bash/providers/microsoft.purview/accounts/sentinel-bug-bash-eastus2 -d80e74e9-da11-4572-babc-79349f7685cc,"11/1/2021, 4:12:39.991 PM",00000000-0000-0000-0000-000000000000,DataSensitivityLogEvent,72f988bf-86f1-41af-91ab-2d7cd011db47,458b9821-8f00-483f-acf9-ff6ab17332c4,Sentinel-Bug-Bash-EastUS2,eastus2,AzureBlob-Bc2,AzureBlob,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourceGroups/classification-test/providers/Microsoft.Storage/storageAccounts/aipclptest,458b9821-8f00-483f-acf9-ff6ab17332c4,eastus,BugBashTest,,fr-cni-pdf.pdf,https://aipclptest.blob.core.windows.net/aashishr01/fr-cni-pdf.pdf,File,"12/11/2020, 8:59:35.000 PM","12/11/2020, 8:59:35.000 PM",,"11/1/2021, 4:09:09.779 PM",pdf,327291,Classification,System,"[""EU National Identification Number"",""France National ID Card (CNI)""]",2,,,,,PurviewDataSensitivityLogs,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourcegroups/purview-sentinel-bug-bash/providers/microsoft.purview/accounts/sentinel-bug-bash-eastus2 -d80e74e9-da11-4572-babc-79349f7685cc,"11/1/2021, 4:12:39.996 PM",00000000-0000-0000-0000-000000000000,DataSensitivityLogEvent,72f988bf-86f1-41af-91ab-2d7cd011db47,458b9821-8f00-483f-acf9-ff6ab17332c4,Sentinel-Bug-Bash-EastUS2,eastus2,AzureBlob-Bc2,AzureBlob,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourceGroups/classification-test/providers/Microsoft.Storage/storageAccounts/aipclptest,458b9821-8f00-483f-acf9-ff6ab17332c4,eastus,BugBashTest,,ir-pps.docx,https://aipclptest.blob.core.windows.net/aashishr01/ir-pps.docx,File,"12/11/2020, 8:59:33.000 PM","12/11/2020, 8:59:33.000 PM",,"11/1/2021, 4:09:10.060 PM",docx,25964,Classification,System,"[""EU National Identification Number"",""EU Tax Identification Number (TIN)"",""Ireland Personal Public Service (PPS) Number""]",3,,,,,PurviewDataSensitivityLogs,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourcegroups/purview-sentinel-bug-bash/providers/microsoft.purview/accounts/sentinel-bug-bash-eastus2 -d80e74e9-da11-4572-babc-79349f7685cc,"11/1/2021, 4:12:39.997 PM",00000000-0000-0000-0000-000000000000,DataSensitivityLogEvent,72f988bf-86f1-41af-91ab-2d7cd011db47,458b9821-8f00-483f-acf9-ff6ab17332c4,Sentinel-Bug-Bash-EastUS2,eastus2,AzureBlob-Bc2,AzureBlob,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourceGroups/classification-test/providers/Microsoft.Storage/storageAccounts/aipclptest,458b9821-8f00-483f-acf9-ff6ab17332c4,eastus,BugBashTest,,germany.txt,https://aipclptest.blob.core.windows.net/aashishr01/germany.txt,File,"12/11/2020, 8:59:33.000 PM","12/11/2020, 8:59:33.000 PM",,"11/1/2021, 4:09:09.779 PM",txt,42,Classification,System,"[""EU National Identification Number"",""EU Social Security Number (SSN) or Equivalent ID"",""Germany Identity Card Number""]",3,,,,,PurviewDataSensitivityLogs,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourcegroups/purview-sentinel-bug-bash/providers/microsoft.purview/accounts/sentinel-bug-bash-eastus2 -d80e74e9-da11-4572-babc-79349f7685cc,"11/1/2021, 4:12:40.002 PM",00000000-0000-0000-0000-000000000000,DataSensitivityLogEvent,72f988bf-86f1-41af-91ab-2d7cd011db47,458b9821-8f00-483f-acf9-ff6ab17332c4,Sentinel-Bug-Bash-EastUS2,eastus2,AzureBlob-Bc2,AzureBlob,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourceGroups/classification-test/providers/Microsoft.Storage/storageAccounts/aipclptest,458b9821-8f00-483f-acf9-ff6ab17332c4,eastus,BugBashTest,,uk-drv.docx,https://aipclptest.blob.core.windows.net/aashishr01/uk-drv.docx,File,"12/11/2020, 8:59:35.000 PM","12/11/2020, 8:59:35.000 PM",,"11/1/2021, 4:09:10.013 PM",docx,26212,Classification,System,"[""EU Driver's License Number"",""U.K. Driver's License Number""]",2,,,,,PurviewDataSensitivityLogs,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourcegroups/purview-sentinel-bug-bash/providers/microsoft.purview/accounts/sentinel-bug-bash-eastus2 -d80e74e9-da11-4572-babc-79349f7685cc,"11/1/2021, 4:12:40.003 PM",00000000-0000-0000-0000-000000000000,DataSensitivityLogEvent,72f988bf-86f1-41af-91ab-2d7cd011db47,458b9821-8f00-483f-acf9-ff6ab17332c4,Sentinel-Bug-Bash-EastUS2,eastus2,AzureBlob-Bc2,AzureBlob,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourceGroups/classification-test/providers/Microsoft.Storage/storageAccounts/aipclptest,458b9821-8f00-483f-acf9-ff6ab17332c4,eastus,BugBashTest,,sw-id.docx,https://aipclptest.blob.core.windows.net/aashishr01/sw-id.docx,File,"12/11/2020, 8:59:35.000 PM","12/11/2020, 8:59:35.000 PM",,"11/1/2021, 4:09:10.122 PM",docx,26070,Classification,System,"[""EU Social Security Number (SSN) or Equivalent ID"",""EU Tax Identification Number (TIN)""]",2,,,,,PurviewDataSensitivityLogs,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourcegroups/purview-sentinel-bug-bash/providers/microsoft.purview/accounts/sentinel-bug-bash-eastus2 -d80e74e9-da11-4572-babc-79349f7685cc,"11/1/2021, 4:12:40.008 PM",00000000-0000-0000-0000-000000000000,DataSensitivityLogEvent,72f988bf-86f1-41af-91ab-2d7cd011db47,458b9821-8f00-483f-acf9-ff6ab17332c4,Sentinel-Bug-Bash-EastUS2,eastus2,AzureBlob-Bc2,AzureBlob,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourceGroups/classification-test/providers/Microsoft.Storage/storageAccounts/aipclptest,458b9821-8f00-483f-acf9-ff6ab17332c4,eastus,BugBashTest,,it-drv.docx,https://aipclptest.blob.core.windows.net/test2/it-drv.docx,File,"5/13/2021, 6:37:49.000 PM","5/13/2021, 6:37:49.000 PM",,"11/1/2021, 4:09:09.341 PM",docx,26098,Classification,System,"[""EU Driver's License Number"",""Italy Driver's License Number""]",2,,,,,PurviewDataSensitivityLogs,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourcegroups/purview-sentinel-bug-bash/providers/microsoft.purview/accounts/sentinel-bug-bash-eastus2 -d80e74e9-da11-4572-babc-79349f7685cc,"11/1/2021, 4:12:40.009 PM",00000000-0000-0000-0000-000000000000,DataSensitivityLogEvent,72f988bf-86f1-41af-91ab-2d7cd011db47,458b9821-8f00-483f-acf9-ff6ab17332c4,Sentinel-Bug-Bash-EastUS2,eastus2,AzureBlob-Bc2,AzureBlob,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourceGroups/classification-test/providers/Microsoft.Storage/storageAccounts/aipclptest,458b9821-8f00-483f-acf9-ff6ab17332c4,eastus,BugBashTest,,germany.txt,https://aipclptest.blob.core.windows.net/test2/germany.txt,File,"5/13/2021, 6:37:48.000 PM","5/13/2021, 6:37:48.000 PM",,"11/1/2021, 4:09:09.247 PM",txt,42,Classification,System,"[""EU National Identification Number"",""EU Social Security Number (SSN) or Equivalent ID"",""Germany Identity Card Number""]",3,,,,,PurviewDataSensitivityLogs,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourcegroups/purview-sentinel-bug-bash/providers/microsoft.purview/accounts/sentinel-bug-bash-eastus2 -d80e74e9-da11-4572-babc-79349f7685cc,"11/1/2021, 4:12:40.013 PM",00000000-0000-0000-0000-000000000000,DataSensitivityLogEvent,72f988bf-86f1-41af-91ab-2d7cd011db47,458b9821-8f00-483f-acf9-ff6ab17332c4,Sentinel-Bug-Bash-EastUS2,eastus2,AzureBlob-Bc2,AzureBlob,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourceGroups/classification-test/providers/Microsoft.Storage/storageAccounts/aipclptest,458b9821-8f00-483f-acf9-ff6ab17332c4,eastus,BugBashTest,,fi-id.docx,https://aipclptest.blob.core.windows.net/aashishr01/fi-id.docx,File,"12/11/2020, 8:59:33.000 PM","12/11/2020, 8:59:33.000 PM",,"11/1/2021, 4:09:09.654 PM",docx,26124,Classification,System,"[""EU National Identification Number"",""EU Social Security Number (SSN) or Equivalent ID"",""EU Tax Identification Number (TIN)"",""Finland National ID""]",4,,,,,PurviewDataSensitivityLogs,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourcegroups/purview-sentinel-bug-bash/providers/microsoft.purview/accounts/sentinel-bug-bash-eastus2 -d80e74e9-da11-4572-babc-79349f7685cc,"11/1/2021, 4:12:40.014 PM",00000000-0000-0000-0000-000000000000,DataSensitivityLogEvent,72f988bf-86f1-41af-91ab-2d7cd011db47,458b9821-8f00-483f-acf9-ff6ab17332c4,Sentinel-Bug-Bash-EastUS2,eastus2,AzureBlob-Bc2,AzureBlob,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourceGroups/classification-test/providers/Microsoft.Storage/storageAccounts/aipclptest,458b9821-8f00-483f-acf9-ff6ab17332c4,eastus,BugBashTest,,pr-id.docx,https://aipclptest.blob.core.windows.net/aashishr01/pr-id.docx,File,"12/11/2020, 8:59:33.000 PM","12/11/2020, 8:59:33.000 PM",,"11/1/2021, 4:09:10.107 PM",docx,26111,Classification,System,"[""EU National Identification Number""]",1,,,,,PurviewDataSensitivityLogs,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourcegroups/purview-sentinel-bug-bash/providers/microsoft.purview/accounts/sentinel-bug-bash-eastus2 -d80e74e9-da11-4572-babc-79349f7685cc,"11/1/2021, 4:12:40.018 PM",00000000-0000-0000-0000-000000000000,DataSensitivityLogEvent,72f988bf-86f1-41af-91ab-2d7cd011db47,458b9821-8f00-483f-acf9-ff6ab17332c4,Sentinel-Bug-Bash-EastUS2,eastus2,AzureBlob-Bc2,AzureBlob,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourceGroups/classification-test/providers/Microsoft.Storage/storageAccounts/aipclptest,458b9821-8f00-483f-acf9-ff6ab17332c4,eastus,BugBashTest,,cz.txt,https://aipclptest.blob.core.windows.net/aashishr01/cz.txt,File,"12/11/2020, 8:59:35.000 PM","12/11/2020, 8:59:35.000 PM",,"11/1/2021, 4:09:09.779 PM",txt,124,Classification,System,"[""EU National Identification Number"",""EU Social Security Number (SSN) or Equivalent ID""]",2,,,,,PurviewDataSensitivityLogs,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourcegroups/purview-sentinel-bug-bash/providers/microsoft.purview/accounts/sentinel-bug-bash-eastus2 -d80e74e9-da11-4572-babc-79349f7685cc,"11/1/2021, 4:12:40.020 PM",00000000-0000-0000-0000-000000000000,DataSensitivityLogEvent,72f988bf-86f1-41af-91ab-2d7cd011db47,458b9821-8f00-483f-acf9-ff6ab17332c4,Sentinel-Bug-Bash-EastUS2,eastus2,AzureBlob-Bc2,AzureBlob,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourceGroups/classification-test/providers/Microsoft.Storage/storageAccounts/aipclptest,458b9821-8f00-483f-acf9-ff6ab17332c4,eastus,BugBashTest,,cc.docx,https://aipclptest.blob.core.windows.net/aashishr01/cc.docx,File,"12/11/2020, 8:59:35.000 PM","12/11/2020, 8:59:35.000 PM",,"11/1/2021, 4:09:09.888 PM",docx,26121,Classification,System,"[""Credit Card Number"",""EU Debit Card Number""]",2,,,,,PurviewDataSensitivityLogs,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourcegroups/purview-sentinel-bug-bash/providers/microsoft.purview/accounts/sentinel-bug-bash-eastus2 -d80e74e9-da11-4572-babc-79349f7685cc,"11/1/2021, 4:12:40.024 PM",00000000-0000-0000-0000-000000000000,DataSensitivityLogEvent,72f988bf-86f1-41af-91ab-2d7cd011db47,458b9821-8f00-483f-acf9-ff6ab17332c4,Sentinel-Bug-Bash-EastUS2,eastus2,AzureBlob-Bc2,AzureBlob,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourceGroups/classification-test/providers/Microsoft.Storage/storageAccounts/aipclptest,458b9821-8f00-483f-acf9-ff6ab17332c4,eastus,BugBashTest,,es-ssn.docx,https://aipclptest.blob.core.windows.net/aashishr01/es-ssn.docx,File,"12/11/2020, 8:59:35.000 PM","12/11/2020, 8:59:35.000 PM",,"11/1/2021, 4:09:09.544 PM",docx,26070,Classification,System,"[""Spain Social Security Number (SSN)""]",1,,,,,PurviewDataSensitivityLogs,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourcegroups/purview-sentinel-bug-bash/providers/microsoft.purview/accounts/sentinel-bug-bash-eastus2 -d80e74e9-da11-4572-babc-79349f7685cc,"11/1/2021, 4:12:40.026 PM",00000000-0000-0000-0000-000000000000,DataSensitivityLogEvent,72f988bf-86f1-41af-91ab-2d7cd011db47,458b9821-8f00-483f-acf9-ff6ab17332c4,Sentinel-Bug-Bash-EastUS2,eastus2,AzureBlob-Bc2,AzureBlob,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourceGroups/classification-test/providers/Microsoft.Storage/storageAccounts/aipclptest,458b9821-8f00-483f-acf9-ff6ab17332c4,eastus,BugBashTest,,it-drv.docx,https://aipclptest.blob.core.windows.net/aashishr01/it-drv.docx,File,"12/11/2020, 8:59:33.000 PM","12/11/2020, 8:59:33.000 PM",,"11/1/2021, 4:09:09.857 PM",docx,26098,Classification,System,"[""EU Driver's License Number"",""Italy Driver's License Number""]",2,,,,,PurviewDataSensitivityLogs,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourcegroups/purview-sentinel-bug-bash/providers/microsoft.purview/accounts/sentinel-bug-bash-eastus2 -d80e74e9-da11-4572-babc-79349f7685cc,"11/1/2021, 4:12:40.026 PM",00000000-0000-0000-0000-000000000000,DataSensitivityLogEvent,72f988bf-86f1-41af-91ab-2d7cd011db47,458b9821-8f00-483f-acf9-ff6ab17332c4,Sentinel-Bug-Bash-EastUS2,eastus2,AzureBlob-Bc2,AzureBlob,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourceGroups/classification-test/providers/Microsoft.Storage/storageAccounts/aipclptest,458b9821-8f00-483f-acf9-ff6ab17332c4,eastus,BugBashTest,,uk-drv.docx,https://aipclptest.blob.core.windows.net/aipscan/PII/uk-drv.docx,File,"2/13/2020, 7:54:22.000 PM","2/13/2020, 7:54:22.000 PM",,"11/1/2021, 4:09:20.473 PM",docx,18847,Classification,System,"[""EU Driver's License Number"",""U.K. Driver's License Number""]",2,,,,,PurviewDataSensitivityLogs,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourcegroups/purview-sentinel-bug-bash/providers/microsoft.purview/accounts/sentinel-bug-bash-eastus2 -d80e74e9-da11-4572-babc-79349f7685cc,"11/1/2021, 4:12:40.026 PM",00000000-0000-0000-0000-000000000000,DataSensitivityLogEvent,72f988bf-86f1-41af-91ab-2d7cd011db47,458b9821-8f00-483f-acf9-ff6ab17332c4,Sentinel-Bug-Bash-EastUS2,eastus2,AzureBlob-Bc2,AzureBlob,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourceGroups/classification-test/providers/Microsoft.Storage/storageAccounts/aipclptest,458b9821-8f00-483f-acf9-ff6ab17332c4,eastus,BugBashTest,,uk-drv.docx,https://aipclptest.blob.core.windows.net/aipscan/PII/uk-drv.docx,File,"2/13/2020, 7:54:22.000 PM","2/13/2020, 7:54:22.000 PM",,"11/1/2021, 4:09:20.473 PM",docx,18847,Labeling,External,[],0,f42aa342-8706-4288-bd11-ebb85995028c,General,,,PurviewDataSensitivityLogs,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourcegroups/purview-sentinel-bug-bash/providers/microsoft.purview/accounts/sentinel-bug-bash-eastus2 -d80e74e9-da11-4572-babc-79349f7685cc,"11/1/2021, 4:12:40.026 PM",00000000-0000-0000-0000-000000000000,DataSensitivityLogEvent,72f988bf-86f1-41af-91ab-2d7cd011db47,458b9821-8f00-483f-acf9-ff6ab17332c4,Sentinel-Bug-Bash-EastUS2,eastus2,AzureBlob-Bc2,AzureBlob,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourceGroups/classification-test/providers/Microsoft.Storage/storageAccounts/aipclptest,458b9821-8f00-483f-acf9-ff6ab17332c4,eastus,BugBashTest,,fr-insee.docx,https://aipclptest.blob.core.windows.net/aipscan/PII/fr-insee.docx,File,"2/13/2020, 7:54:22.000 PM","2/13/2020, 7:54:22.000 PM",,"11/1/2021, 4:09:20.520 PM",docx,20294,Classification,System,"[""EU Social Security Number (SSN) or Equivalent ID"",""France Social Security Number (INSEE)""]",2,,,,,PurviewDataSensitivityLogs,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourcegroups/purview-sentinel-bug-bash/providers/microsoft.purview/accounts/sentinel-bug-bash-eastus2 -d80e74e9-da11-4572-babc-79349f7685cc,"11/1/2021, 4:12:40.026 PM",00000000-0000-0000-0000-000000000000,DataSensitivityLogEvent,72f988bf-86f1-41af-91ab-2d7cd011db47,458b9821-8f00-483f-acf9-ff6ab17332c4,Sentinel-Bug-Bash-EastUS2,eastus2,AzureBlob-Bc2,AzureBlob,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourceGroups/classification-test/providers/Microsoft.Storage/storageAccounts/aipclptest,458b9821-8f00-483f-acf9-ff6ab17332c4,eastus,BugBashTest,,fr-insee.docx,https://aipclptest.blob.core.windows.net/aipscan/PII/fr-insee.docx,File,"2/13/2020, 7:54:22.000 PM","2/13/2020, 7:54:22.000 PM",,"11/1/2021, 4:09:20.520 PM",docx,20294,Labeling,External,[],0,f42aa342-8706-4288-bd11-ebb85995028c,General,,,PurviewDataSensitivityLogs,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourcegroups/purview-sentinel-bug-bash/providers/microsoft.purview/accounts/sentinel-bug-bash-eastus2 -d80e74e9-da11-4572-babc-79349f7685cc,"11/1/2021, 4:12:40.027 PM",00000000-0000-0000-0000-000000000000,DataSensitivityLogEvent,72f988bf-86f1-41af-91ab-2d7cd011db47,458b9821-8f00-483f-acf9-ff6ab17332c4,Sentinel-Bug-Bash-EastUS2,eastus2,AzureBlob-Bc2,AzureBlob,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourceGroups/classification-test/providers/Microsoft.Storage/storageAccounts/aipclptest,458b9821-8f00-483f-acf9-ff6ab17332c4,eastus,BugBashTest,,fr-drv.docx,https://aipclptest.blob.core.windows.net/aipscan/PII/fr-drv.docx,File,"2/13/2020, 7:54:22.000 PM","2/13/2020, 7:54:22.000 PM",,"11/1/2021, 4:09:20.442 PM",docx,18796,Classification,System,"[""Cyprus Driver's License Number"",""EU Driver's License Number"",""France Driver's License Number"",""Japan Driver's License Number""]",4,,,,,PurviewDataSensitivityLogs,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourcegroups/purview-sentinel-bug-bash/providers/microsoft.purview/accounts/sentinel-bug-bash-eastus2 -d80e74e9-da11-4572-babc-79349f7685cc,"11/1/2021, 4:12:40.027 PM",00000000-0000-0000-0000-000000000000,DataSensitivityLogEvent,72f988bf-86f1-41af-91ab-2d7cd011db47,458b9821-8f00-483f-acf9-ff6ab17332c4,Sentinel-Bug-Bash-EastUS2,eastus2,AzureBlob-Bc2,AzureBlob,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourceGroups/classification-test/providers/Microsoft.Storage/storageAccounts/aipclptest,458b9821-8f00-483f-acf9-ff6ab17332c4,eastus,BugBashTest,,fr-drv.docx,https://aipclptest.blob.core.windows.net/aipscan/PII/fr-drv.docx,File,"2/13/2020, 7:54:22.000 PM","2/13/2020, 7:54:22.000 PM",,"11/1/2021, 4:09:20.442 PM",docx,18796,Labeling,External,[],0,f42aa342-8706-4288-bd11-ebb85995028c,General,,,PurviewDataSensitivityLogs,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourcegroups/purview-sentinel-bug-bash/providers/microsoft.purview/accounts/sentinel-bug-bash-eastus2 -d80e74e9-da11-4572-babc-79349f7685cc,"11/1/2021, 4:12:40.027 PM",00000000-0000-0000-0000-000000000000,DataSensitivityLogEvent,72f988bf-86f1-41af-91ab-2d7cd011db47,458b9821-8f00-483f-acf9-ff6ab17332c4,Sentinel-Bug-Bash-EastUS2,eastus2,AzureBlob-Bc2,AzureBlob,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourceGroups/classification-test/providers/Microsoft.Storage/storageAccounts/aipclptest,458b9821-8f00-483f-acf9-ff6ab17332c4,eastus,BugBashTest,,pr-id.docx,https://aipclptest.blob.core.windows.net/aipscan/PII/pr-id.docx,File,"2/13/2020, 7:54:22.000 PM","2/13/2020, 7:54:22.000 PM",,"11/1/2021, 4:09:20.426 PM",docx,18769,Classification,System,"[""EU National Identification Number""]",1,,,,,PurviewDataSensitivityLogs,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourcegroups/purview-sentinel-bug-bash/providers/microsoft.purview/accounts/sentinel-bug-bash-eastus2 -d80e74e9-da11-4572-babc-79349f7685cc,"11/1/2021, 4:12:40.027 PM",00000000-0000-0000-0000-000000000000,DataSensitivityLogEvent,72f988bf-86f1-41af-91ab-2d7cd011db47,458b9821-8f00-483f-acf9-ff6ab17332c4,Sentinel-Bug-Bash-EastUS2,eastus2,AzureBlob-Bc2,AzureBlob,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourceGroups/classification-test/providers/Microsoft.Storage/storageAccounts/aipclptest,458b9821-8f00-483f-acf9-ff6ab17332c4,eastus,BugBashTest,,pr-id.docx,https://aipclptest.blob.core.windows.net/aipscan/PII/pr-id.docx,File,"2/13/2020, 7:54:22.000 PM","2/13/2020, 7:54:22.000 PM",,"11/1/2021, 4:09:20.426 PM",docx,18769,Labeling,External,[],0,f42aa342-8706-4288-bd11-ebb85995028c,General,,,PurviewDataSensitivityLogs,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourcegroups/purview-sentinel-bug-bash/providers/microsoft.purview/accounts/sentinel-bug-bash-eastus2 -d80e74e9-da11-4572-babc-79349f7685cc,"11/1/2021, 4:12:40.027 PM",00000000-0000-0000-0000-000000000000,DataSensitivityLogEvent,72f988bf-86f1-41af-91ab-2d7cd011db47,458b9821-8f00-483f-acf9-ff6ab17332c4,Sentinel-Bug-Bash-EastUS2,eastus2,AzureBlob-Bc2,AzureBlob,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourceGroups/classification-test/providers/Microsoft.Storage/storageAccounts/aipclptest,458b9821-8f00-483f-acf9-ff6ab17332c4,eastus,BugBashTest,,it-drv.docx,https://aipclptest.blob.core.windows.net/joselw-test/it-drv.docx,File,"8/16/2021, 8:56:13.000 PM","8/16/2021, 8:56:13.000 PM",,"11/1/2021, 4:09:10.138 PM",docx,19572,Classification,System,"[""EU Driver's License Number"",""Italy Driver's License Number""]",2,,,,,PurviewDataSensitivityLogs,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourcegroups/purview-sentinel-bug-bash/providers/microsoft.purview/accounts/sentinel-bug-bash-eastus2 -d80e74e9-da11-4572-babc-79349f7685cc,"11/1/2021, 4:12:40.029 PM",00000000-0000-0000-0000-000000000000,DataSensitivityLogEvent,72f988bf-86f1-41af-91ab-2d7cd011db47,458b9821-8f00-483f-acf9-ff6ab17332c4,Sentinel-Bug-Bash-EastUS2,eastus2,AzureBlob-Bc2,AzureBlob,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourceGroups/classification-test/providers/Microsoft.Storage/storageAccounts/aipclptest,458b9821-8f00-483f-acf9-ff6ab17332c4,eastus,BugBashTest,,uk-roll.docx,https://aipclptest.blob.core.windows.net/aashishr01/uk-roll.docx,File,"12/11/2020, 8:59:35.000 PM","12/11/2020, 8:59:35.000 PM",,"11/1/2021, 4:09:09.888 PM",docx,25511,Classification,System,"[""U.K. Electoral Roll Number""]",1,,,,,PurviewDataSensitivityLogs,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourcegroups/purview-sentinel-bug-bash/providers/microsoft.purview/accounts/sentinel-bug-bash-eastus2 -d80e74e9-da11-4572-babc-79349f7685cc,"11/1/2021, 4:12:40.032 PM",00000000-0000-0000-0000-000000000000,DataSensitivityLogEvent,72f988bf-86f1-41af-91ab-2d7cd011db47,458b9821-8f00-483f-acf9-ff6ab17332c4,Sentinel-Bug-Bash-EastUS2,eastus2,AzureBlob-Bc2,AzureBlob,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourceGroups/classification-test/providers/Microsoft.Storage/storageAccounts/aipclptest,458b9821-8f00-483f-acf9-ff6ab17332c4,eastus,BugBashTest,,de-pn.docx,https://aipclptest.blob.core.windows.net/aipscan/PII/de-pn.docx,File,"2/13/2020, 7:54:22.000 PM","2/13/2020, 7:54:22.000 PM",,"11/1/2021, 4:09:20.442 PM",docx,18714,Classification,System,"[""EU Passport Number"",""German Passport Number""]",2,,,,,PurviewDataSensitivityLogs,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourcegroups/purview-sentinel-bug-bash/providers/microsoft.purview/accounts/sentinel-bug-bash-eastus2 -d80e74e9-da11-4572-babc-79349f7685cc,"11/1/2021, 4:12:40.032 PM",00000000-0000-0000-0000-000000000000,DataSensitivityLogEvent,72f988bf-86f1-41af-91ab-2d7cd011db47,458b9821-8f00-483f-acf9-ff6ab17332c4,Sentinel-Bug-Bash-EastUS2,eastus2,AzureBlob-Bc2,AzureBlob,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourceGroups/classification-test/providers/Microsoft.Storage/storageAccounts/aipclptest,458b9821-8f00-483f-acf9-ff6ab17332c4,eastus,BugBashTest,,de-pn.docx,https://aipclptest.blob.core.windows.net/aipscan/PII/de-pn.docx,File,"2/13/2020, 7:54:22.000 PM","2/13/2020, 7:54:22.000 PM",,"11/1/2021, 4:09:20.442 PM",docx,18714,Labeling,External,[],0,f42aa342-8706-4288-bd11-ebb85995028c,General,,,PurviewDataSensitivityLogs,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourcegroups/purview-sentinel-bug-bash/providers/microsoft.purview/accounts/sentinel-bug-bash-eastus2 -d80e74e9-da11-4572-babc-79349f7685cc,"11/1/2021, 4:12:40.035 PM",00000000-0000-0000-0000-000000000000,DataSensitivityLogEvent,72f988bf-86f1-41af-91ab-2d7cd011db47,458b9821-8f00-483f-acf9-ff6ab17332c4,Sentinel-Bug-Bash-EastUS2,eastus2,AzureBlob-Bc2,AzureBlob,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourceGroups/classification-test/providers/Microsoft.Storage/storageAccounts/aipclptest,458b9821-8f00-483f-acf9-ff6ab17332c4,eastus,BugBashTest,,multiple.docx,https://aipclptest.blob.core.windows.net/test2/multiple.docx,File,"5/13/2021, 6:37:49.000 PM","5/13/2021, 6:37:49.000 PM",,"11/1/2021, 4:09:09.404 PM",docx,24336,Classification,System,"[""EU National Identification Number"",""EU Social Security Number (SSN) or Equivalent ID"",""EU Tax Identification Number (TIN)"",""Finland National ID"",""Germany Identity Card Number"",""Greece National ID Card"",""Ireland Personal Public Service (PPS) Number""]",7,,,,,PurviewDataSensitivityLogs,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourcegroups/purview-sentinel-bug-bash/providers/microsoft.purview/accounts/sentinel-bug-bash-eastus2 -d80e74e9-da11-4572-babc-79349f7685cc,"11/1/2021, 4:12:40.035 PM",00000000-0000-0000-0000-000000000000,DataSensitivityLogEvent,72f988bf-86f1-41af-91ab-2d7cd011db47,458b9821-8f00-483f-acf9-ff6ab17332c4,Sentinel-Bug-Bash-EastUS2,eastus2,AzureBlob-Bc2,AzureBlob,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourceGroups/classification-test/providers/Microsoft.Storage/storageAccounts/aipclptest,458b9821-8f00-483f-acf9-ff6ab17332c4,eastus,BugBashTest,,finland.txt,https://aipclptest.blob.core.windows.net/aashishr01/finland.txt,File,"12/11/2020, 8:59:33.000 PM","12/11/2020, 8:59:33.000 PM",,"11/1/2021, 4:09:09.701 PM",txt,89,Classification,System,"[""EU National Identification Number"",""EU Social Security Number (SSN) or Equivalent ID"",""EU Tax Identification Number (TIN)"",""Finland National ID""]",4,,,,,PurviewDataSensitivityLogs,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourcegroups/purview-sentinel-bug-bash/providers/microsoft.purview/accounts/sentinel-bug-bash-eastus2 -d80e74e9-da11-4572-babc-79349f7685cc,"11/1/2021, 4:12:40.040 PM",00000000-0000-0000-0000-000000000000,DataSensitivityLogEvent,72f988bf-86f1-41af-91ab-2d7cd011db47,458b9821-8f00-483f-acf9-ff6ab17332c4,Sentinel-Bug-Bash-EastUS2,eastus2,AzureBlob-Bc2,AzureBlob,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourceGroups/classification-test/providers/Microsoft.Storage/storageAccounts/aipclptest,458b9821-8f00-483f-acf9-ff6ab17332c4,eastus,BugBashTest,,Customers data2015.docx,https://aipclptest.blob.core.windows.net/aipscan/CustomerData/Customers data2015.docx,File,"2/13/2020, 7:53:51.000 PM","2/13/2020, 7:53:51.000 PM",,"11/1/2021, 4:09:20.317 PM",docx,11141,Classification,System,"[""Credit Card Number"",""EU Debit Card Number""]",2,,,,,PurviewDataSensitivityLogs,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourcegroups/purview-sentinel-bug-bash/providers/microsoft.purview/accounts/sentinel-bug-bash-eastus2 -d80e74e9-da11-4572-babc-79349f7685cc,"11/1/2021, 4:12:40.041 PM",00000000-0000-0000-0000-000000000000,DataSensitivityLogEvent,72f988bf-86f1-41af-91ab-2d7cd011db47,458b9821-8f00-483f-acf9-ff6ab17332c4,Sentinel-Bug-Bash-EastUS2,eastus2,AzureBlob-Bc2,AzureBlob,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourceGroups/classification-test/providers/Microsoft.Storage/storageAccounts/aipclptest,458b9821-8f00-483f-acf9-ff6ab17332c4,eastus,BugBashTest,,fr-cni.docx,https://aipclptest.blob.core.windows.net/aashishr01/fr-cni.docx,File,"12/11/2020, 8:59:33.000 PM","12/11/2020, 8:59:33.000 PM",,"11/1/2021, 4:09:09.982 PM",docx,26998,Classification,System,"[""EU National Identification Number"",""France National ID Card (CNI)""]",2,,,,,PurviewDataSensitivityLogs,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourcegroups/purview-sentinel-bug-bash/providers/microsoft.purview/accounts/sentinel-bug-bash-eastus2 -d80e74e9-da11-4572-babc-79349f7685cc,"11/1/2021, 4:12:40.041 PM",00000000-0000-0000-0000-000000000000,DataSensitivityLogEvent,72f988bf-86f1-41af-91ab-2d7cd011db47,458b9821-8f00-483f-acf9-ff6ab17332c4,Sentinel-Bug-Bash-EastUS2,eastus2,AzureBlob-Bc2,AzureBlob,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourceGroups/classification-test/providers/Microsoft.Storage/storageAccounts/aipclptest,458b9821-8f00-483f-acf9-ff6ab17332c4,eastus,BugBashTest,,fr-cni.docx,https://aipclptest.blob.core.windows.net/aashishr01/fr-cni.docx,File,"12/11/2020, 8:59:33.000 PM","12/11/2020, 8:59:33.000 PM",,"11/1/2021, 4:09:09.982 PM",docx,26998,Labeling,External,[],0,f42aa342-8706-4288-bd11-ebb85995028c,General,,,PurviewDataSensitivityLogs,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourcegroups/purview-sentinel-bug-bash/providers/microsoft.purview/accounts/sentinel-bug-bash-eastus2 -d80e74e9-da11-4572-babc-79349f7685cc,"11/1/2021, 4:12:40.041 PM",00000000-0000-0000-0000-000000000000,DataSensitivityLogEvent,72f988bf-86f1-41af-91ab-2d7cd011db47,458b9821-8f00-483f-acf9-ff6ab17332c4,Sentinel-Bug-Bash-EastUS2,eastus2,AzureBlob-Bc2,AzureBlob,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourceGroups/classification-test/providers/Microsoft.Storage/storageAccounts/aipclptest,458b9821-8f00-483f-acf9-ff6ab17332c4,eastus,BugBashTest,,uk-pn.docx,https://aipclptest.blob.core.windows.net/aashishr01/uk-pn.docx,File,"12/11/2020, 8:59:35.000 PM","12/11/2020, 8:59:35.000 PM",,"11/1/2021, 4:09:10.044 PM",docx,26383,Classification,System,"[""Bulgaria Passport Number"",""Croatia Passport Number"",""Denmark Passport Number"",""EU Passport Number"",""Ireland Passport Number"",""Italy Passport Number"",""Romania Passport Number"",""Russian Passport Number (International)"",""Taiwan Passport Number"",""U.S. / U.K. Passport Number"",""Ukraine Passport Number (Domestic)""]",11,,,,,PurviewDataSensitivityLogs,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourcegroups/purview-sentinel-bug-bash/providers/microsoft.purview/accounts/sentinel-bug-bash-eastus2 -d80e74e9-da11-4572-babc-79349f7685cc,"11/1/2021, 4:12:40.046 PM",00000000-0000-0000-0000-000000000000,DataSensitivityLogEvent,72f988bf-86f1-41af-91ab-2d7cd011db47,458b9821-8f00-483f-acf9-ff6ab17332c4,Sentinel-Bug-Bash-EastUS2,eastus2,AzureBlob-Bc2,AzureBlob,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourceGroups/classification-test/providers/Microsoft.Storage/storageAccounts/aipclptest,458b9821-8f00-483f-acf9-ff6ab17332c4,eastus,BugBashTest,,Customers data2016.docx,https://aipclptest.blob.core.windows.net/aipscan/CustomerData/Customers data2016.docx,File,"2/13/2020, 7:53:51.000 PM","2/13/2020, 7:53:51.000 PM",,"11/1/2021, 4:09:20.348 PM",docx,11916,Classification,System,"[""Belgium Driver's License Number"",""Credit Card Number"",""EU Debit Card Number"",""EU Driver's License Number"",""EU National Identification Number"",""EU Social Security Number (SSN) or Equivalent ID"",""German Driver's License Number"",""Germany Identity Card Number""]",8,,,,,PurviewDataSensitivityLogs,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourcegroups/purview-sentinel-bug-bash/providers/microsoft.purview/accounts/sentinel-bug-bash-eastus2 -d80e74e9-da11-4572-babc-79349f7685cc,"11/1/2021, 4:12:40.051 PM",00000000-0000-0000-0000-000000000000,DataSensitivityLogEvent,72f988bf-86f1-41af-91ab-2d7cd011db47,458b9821-8f00-483f-acf9-ff6ab17332c4,Sentinel-Bug-Bash-EastUS2,eastus2,AzureBlob-Bc2,AzureBlob,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourceGroups/classification-test/providers/Microsoft.Storage/storageAccounts/aipclptest,458b9821-8f00-483f-acf9-ff6ab17332c4,eastus,BugBashTest,,cc.docx,https://aipclptest.blob.core.windows.net/aipscan/PII/cc.docx,File,"2/13/2020, 7:54:22.000 PM","2/13/2020, 7:54:22.000 PM",,"11/1/2021, 4:09:20.348 PM",docx,18956,Classification,System,"[""Credit Card Number"",""EU Debit Card Number""]",2,,,,,PurviewDataSensitivityLogs,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourcegroups/purview-sentinel-bug-bash/providers/microsoft.purview/accounts/sentinel-bug-bash-eastus2 -d80e74e9-da11-4572-babc-79349f7685cc,"11/1/2021, 4:12:40.051 PM",00000000-0000-0000-0000-000000000000,DataSensitivityLogEvent,72f988bf-86f1-41af-91ab-2d7cd011db47,458b9821-8f00-483f-acf9-ff6ab17332c4,Sentinel-Bug-Bash-EastUS2,eastus2,AzureBlob-Bc2,AzureBlob,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourceGroups/classification-test/providers/Microsoft.Storage/storageAccounts/aipclptest,458b9821-8f00-483f-acf9-ff6ab17332c4,eastus,BugBashTest,,cc.docx,https://aipclptest.blob.core.windows.net/aipscan/PII/cc.docx,File,"2/13/2020, 7:54:22.000 PM","2/13/2020, 7:54:22.000 PM",,"11/1/2021, 4:09:20.348 PM",docx,18956,Labeling,External,[],0,f42aa342-8706-4288-bd11-ebb85995028c,General,,,PurviewDataSensitivityLogs,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourcegroups/purview-sentinel-bug-bash/providers/microsoft.purview/accounts/sentinel-bug-bash-eastus2 -d80e74e9-da11-4572-babc-79349f7685cc,"11/1/2021, 4:12:40.051 PM",00000000-0000-0000-0000-000000000000,DataSensitivityLogEvent,72f988bf-86f1-41af-91ab-2d7cd011db47,458b9821-8f00-483f-acf9-ff6ab17332c4,Sentinel-Bug-Bash-EastUS2,eastus2,AzureBlob-Bc2,AzureBlob,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourceGroups/classification-test/providers/Microsoft.Storage/storageAccounts/aipclptest,458b9821-8f00-483f-acf9-ff6ab17332c4,eastus,BugBashTest,,multiple.docx,https://aipclptest.blob.core.windows.net/aashishr01/multiple.docx,File,"12/11/2020, 8:59:33.000 PM","12/11/2020, 8:59:33.000 PM",,"11/1/2021, 4:09:09.622 PM",docx,24336,Classification,System,"[""EU National Identification Number"",""EU Social Security Number (SSN) or Equivalent ID"",""EU Tax Identification Number (TIN)"",""Finland National ID"",""Germany Identity Card Number"",""Greece National ID Card"",""Ireland Personal Public Service (PPS) Number""]",7,,,,,PurviewDataSensitivityLogs,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourcegroups/purview-sentinel-bug-bash/providers/microsoft.purview/accounts/sentinel-bug-bash-eastus2 -d80e74e9-da11-4572-babc-79349f7685cc,"11/1/2021, 4:12:40.057 PM",00000000-0000-0000-0000-000000000000,DataSensitivityLogEvent,72f988bf-86f1-41af-91ab-2d7cd011db47,458b9821-8f00-483f-acf9-ff6ab17332c4,Sentinel-Bug-Bash-EastUS2,eastus2,AzureBlob-Bc2,AzureBlob,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourceGroups/classification-test/providers/Microsoft.Storage/storageAccounts/aipclptest,458b9821-8f00-483f-acf9-ff6ab17332c4,eastus,BugBashTest,,Doc with credit cards.docx,https://aipclptest.blob.core.windows.net/test2/Doc with credit cards.docx,File,"5/13/2021, 6:37:49.000 PM","5/13/2021, 6:37:49.000 PM",,"11/1/2021, 4:09:09.372 PM",docx,14003,Classification,System,"[""Credit Card Number"",""EU Debit Card Number""]",2,,,,,PurviewDataSensitivityLogs,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourcegroups/purview-sentinel-bug-bash/providers/microsoft.purview/accounts/sentinel-bug-bash-eastus2 -d80e74e9-da11-4572-babc-79349f7685cc,"11/1/2021, 4:12:40.057 PM",00000000-0000-0000-0000-000000000000,DataSensitivityLogEvent,72f988bf-86f1-41af-91ab-2d7cd011db47,458b9821-8f00-483f-acf9-ff6ab17332c4,Sentinel-Bug-Bash-EastUS2,eastus2,AzureBlob-Bc2,AzureBlob,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourceGroups/classification-test/providers/Microsoft.Storage/storageAccounts/aipclptest,458b9821-8f00-483f-acf9-ff6ab17332c4,eastus,BugBashTest,,Doc with credit cards.docx,https://aipclptest.blob.core.windows.net/test2/Doc with credit cards.docx,File,"5/13/2021, 6:37:49.000 PM","5/13/2021, 6:37:49.000 PM",,"11/1/2021, 4:09:09.372 PM",docx,14003,Labeling,External,[],0,f42aa342-8706-4288-bd11-ebb85995028c,General,,,PurviewDataSensitivityLogs,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourcegroups/purview-sentinel-bug-bash/providers/microsoft.purview/accounts/sentinel-bug-bash-eastus2 -d80e74e9-da11-4572-babc-79349f7685cc,"11/1/2021, 4:12:40.057 PM",00000000-0000-0000-0000-000000000000,DataSensitivityLogEvent,72f988bf-86f1-41af-91ab-2d7cd011db47,458b9821-8f00-483f-acf9-ff6ab17332c4,Sentinel-Bug-Bash-EastUS2,eastus2,AzureBlob-Bc2,AzureBlob,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourceGroups/classification-test/providers/Microsoft.Storage/storageAccounts/aipclptest,458b9821-8f00-483f-acf9-ff6ab17332c4,eastus,BugBashTest,,de-id.docx,https://aipclptest.blob.core.windows.net/test2/de-id.docx,File,"5/13/2021, 6:37:48.000 PM","5/13/2021, 6:37:48.000 PM",,"11/1/2021, 4:09:09.372 PM",docx,25558,Classification,System,"[""EU National Identification Number"",""Germany Identity Card Number""]",2,,,,,PurviewDataSensitivityLogs,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourcegroups/purview-sentinel-bug-bash/providers/microsoft.purview/accounts/sentinel-bug-bash-eastus2 -d80e74e9-da11-4572-babc-79349f7685cc,"11/1/2021, 4:12:40.062 PM",00000000-0000-0000-0000-000000000000,DataSensitivityLogEvent,72f988bf-86f1-41af-91ab-2d7cd011db47,458b9821-8f00-483f-acf9-ff6ab17332c4,Sentinel-Bug-Bash-EastUS2,eastus2,AzureBlob-Bc2,AzureBlob,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourceGroups/classification-test/providers/Microsoft.Storage/storageAccounts/aipclptest,458b9821-8f00-483f-acf9-ff6ab17332c4,eastus,BugBashTest,,fr-insee.docx,https://aipclptest.blob.core.windows.net/aashishr01/fr-insee.docx,File,"12/11/2020, 8:59:33.000 PM","12/11/2020, 8:59:33.000 PM",,"11/1/2021, 4:09:09.950 PM",docx,26254,Classification,System,"[""EU Social Security Number (SSN) or Equivalent ID"",""France Social Security Number (INSEE)""]",2,,,,,PurviewDataSensitivityLogs,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourcegroups/purview-sentinel-bug-bash/providers/microsoft.purview/accounts/sentinel-bug-bash-eastus2 -d80e74e9-da11-4572-babc-79349f7685cc,"11/1/2021, 4:12:40.068 PM",00000000-0000-0000-0000-000000000000,DataSensitivityLogEvent,72f988bf-86f1-41af-91ab-2d7cd011db47,458b9821-8f00-483f-acf9-ff6ab17332c4,Sentinel-Bug-Bash-EastUS2,eastus2,AzureBlob-Bc2,AzureBlob,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourceGroups/classification-test/providers/Microsoft.Storage/storageAccounts/aipclptest,458b9821-8f00-483f-acf9-ff6ab17332c4,eastus,BugBashTest,,fr-cni-pdf.pdf,https://aipclptest.blob.core.windows.net/aipscan/PII/fr-cni-pdf.pdf,File,"2/13/2020, 7:54:22.000 PM","2/13/2020, 7:54:22.000 PM",,"11/1/2021, 4:09:21.051 PM",pdf,331074,Classification,System,"[""EU National Identification Number"",""France National ID Card (CNI)""]",2,,,,,PurviewDataSensitivityLogs,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourcegroups/purview-sentinel-bug-bash/providers/microsoft.purview/accounts/sentinel-bug-bash-eastus2 -d80e74e9-da11-4572-babc-79349f7685cc,"11/1/2021, 4:12:40.068 PM",00000000-0000-0000-0000-000000000000,DataSensitivityLogEvent,72f988bf-86f1-41af-91ab-2d7cd011db47,458b9821-8f00-483f-acf9-ff6ab17332c4,Sentinel-Bug-Bash-EastUS2,eastus2,AzureBlob-Bc2,AzureBlob,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourceGroups/classification-test/providers/Microsoft.Storage/storageAccounts/aipclptest,458b9821-8f00-483f-acf9-ff6ab17332c4,eastus,BugBashTest,,fr-cni-pdf.pdf,https://aipclptest.blob.core.windows.net/aipscan/PII/fr-cni-pdf.pdf,File,"2/13/2020, 7:54:22.000 PM","2/13/2020, 7:54:22.000 PM",,"11/1/2021, 4:09:21.051 PM",pdf,331074,Labeling,External,[],0,f42aa342-8706-4288-bd11-ebb85995028c,General,,,PurviewDataSensitivityLogs,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourcegroups/purview-sentinel-bug-bash/providers/microsoft.purview/accounts/sentinel-bug-bash-eastus2 -d80e74e9-da11-4572-babc-79349f7685cc,"11/1/2021, 4:12:40.068 PM",00000000-0000-0000-0000-000000000000,DataSensitivityLogEvent,72f988bf-86f1-41af-91ab-2d7cd011db47,458b9821-8f00-483f-acf9-ff6ab17332c4,Sentinel-Bug-Bash-EastUS2,eastus2,AzureBlob-Bc2,AzureBlob,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourceGroups/classification-test/providers/Microsoft.Storage/storageAccounts/aipclptest,458b9821-8f00-483f-acf9-ff6ab17332c4,eastus,BugBashTest,,IR.txt,https://aipclptest.blob.core.windows.net/aashishr01/IR.txt,File,"12/11/2020, 8:59:33.000 PM","12/11/2020, 8:59:33.000 PM",,"11/1/2021, 4:09:09.638 PM",txt,197,Classification,System,"[""EU National Identification Number"",""EU Tax Identification Number (TIN)"",""Ireland Personal Public Service (PPS) Number""]",3,,,,,PurviewDataSensitivityLogs,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourcegroups/purview-sentinel-bug-bash/providers/microsoft.purview/accounts/sentinel-bug-bash-eastus2 -d80e74e9-da11-4572-babc-79349f7685cc,"11/1/2021, 4:12:40.074 PM",00000000-0000-0000-0000-000000000000,DataSensitivityLogEvent,72f988bf-86f1-41af-91ab-2d7cd011db47,458b9821-8f00-483f-acf9-ff6ab17332c4,Sentinel-Bug-Bash-EastUS2,eastus2,AzureBlob-Bc2,AzureBlob,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourceGroups/classification-test/providers/Microsoft.Storage/storageAccounts/aipclptest,458b9821-8f00-483f-acf9-ff6ab17332c4,eastus,BugBashTest,,de-drv.docx,https://aipclptest.blob.core.windows.net/aashishr01/de-drv.docx,File,"12/11/2020, 8:59:35.000 PM","12/11/2020, 8:59:35.000 PM",,"11/1/2021, 4:09:09.701 PM",docx,26139,Classification,System,"[""EU Driver's License Number"",""German Driver's License Number""]",2,,,,,PurviewDataSensitivityLogs,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourcegroups/purview-sentinel-bug-bash/providers/microsoft.purview/accounts/sentinel-bug-bash-eastus2 -d80e74e9-da11-4572-babc-79349f7685cc,"11/1/2021, 4:12:40.103 PM",00000000-0000-0000-0000-000000000000,DataSensitivityLogEvent,72f988bf-86f1-41af-91ab-2d7cd011db47,458b9821-8f00-483f-acf9-ff6ab17332c4,Sentinel-Bug-Bash-EastUS2,eastus2,AzureBlob-Bc2,AzureBlob,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourceGroups/classification-test/providers/Microsoft.Storage/storageAccounts/aipclptest,458b9821-8f00-483f-acf9-ff6ab17332c4,eastus,BugBashTest,,denmark.txt,https://aipclptest.blob.core.windows.net/aipscan/HR/denmark.txt,File,"2/13/2020, 7:54:12.000 PM","2/13/2020, 7:54:12.000 PM",,"11/1/2021, 4:09:21.223 PM",txt,128,Classification,System,"[""EU National Identification Number""]",1,,,,,PurviewDataSensitivityLogs,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourcegroups/purview-sentinel-bug-bash/providers/microsoft.purview/accounts/sentinel-bug-bash-eastus2 -d80e74e9-da11-4572-babc-79349f7685cc,"11/1/2021, 4:12:40.110 PM",00000000-0000-0000-0000-000000000000,DataSensitivityLogEvent,72f988bf-86f1-41af-91ab-2d7cd011db47,458b9821-8f00-483f-acf9-ff6ab17332c4,Sentinel-Bug-Bash-EastUS2,eastus2,AzureBlob-Bc2,AzureBlob,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourceGroups/classification-test/providers/Microsoft.Storage/storageAccounts/aipclptest,458b9821-8f00-483f-acf9-ff6ab17332c4,eastus,BugBashTest,,cr-oib.docx,https://aipclptest.blob.core.windows.net/aipscan/PII/cr-oib.docx,File,"2/13/2020, 7:54:22.000 PM","2/13/2020, 7:54:22.000 PM",,"11/1/2021, 4:09:20.926 PM",docx,18746,Classification,System,"[""EU National Identification Number""]",1,,,,,PurviewDataSensitivityLogs,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourcegroups/purview-sentinel-bug-bash/providers/microsoft.purview/accounts/sentinel-bug-bash-eastus2 -d80e74e9-da11-4572-babc-79349f7685cc,"11/1/2021, 4:12:40.110 PM",00000000-0000-0000-0000-000000000000,DataSensitivityLogEvent,72f988bf-86f1-41af-91ab-2d7cd011db47,458b9821-8f00-483f-acf9-ff6ab17332c4,Sentinel-Bug-Bash-EastUS2,eastus2,AzureBlob-Bc2,AzureBlob,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourceGroups/classification-test/providers/Microsoft.Storage/storageAccounts/aipclptest,458b9821-8f00-483f-acf9-ff6ab17332c4,eastus,BugBashTest,,cr-oib.docx,https://aipclptest.blob.core.windows.net/aipscan/PII/cr-oib.docx,File,"2/13/2020, 7:54:22.000 PM","2/13/2020, 7:54:22.000 PM",,"11/1/2021, 4:09:20.926 PM",docx,18746,Labeling,External,[],0,f42aa342-8706-4288-bd11-ebb85995028c,General,,,PurviewDataSensitivityLogs,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourcegroups/purview-sentinel-bug-bash/providers/microsoft.purview/accounts/sentinel-bug-bash-eastus2 -d80e74e9-da11-4572-babc-79349f7685cc,"11/1/2021, 4:12:40.111 PM",00000000-0000-0000-0000-000000000000,DataSensitivityLogEvent,72f988bf-86f1-41af-91ab-2d7cd011db47,458b9821-8f00-483f-acf9-ff6ab17332c4,Sentinel-Bug-Bash-EastUS2,eastus2,AzureBlob-Bc2,AzureBlob,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourceGroups/classification-test/providers/Microsoft.Storage/storageAccounts/aipclptest,458b9821-8f00-483f-acf9-ff6ab17332c4,eastus,BugBashTest,,fi-pn.docx,https://aipclptest.blob.core.windows.net/aipscan/PII/fi-pn.docx,File,"2/13/2020, 7:54:22.000 PM","2/13/2020, 7:54:22.000 PM",,"11/1/2021, 4:09:20.926 PM",docx,18734,Classification,System,"[""Japan Passport Number""]",1,,,,,PurviewDataSensitivityLogs,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourcegroups/purview-sentinel-bug-bash/providers/microsoft.purview/accounts/sentinel-bug-bash-eastus2 -d80e74e9-da11-4572-babc-79349f7685cc,"11/1/2021, 4:12:40.111 PM",00000000-0000-0000-0000-000000000000,DataSensitivityLogEvent,72f988bf-86f1-41af-91ab-2d7cd011db47,458b9821-8f00-483f-acf9-ff6ab17332c4,Sentinel-Bug-Bash-EastUS2,eastus2,AzureBlob-Bc2,AzureBlob,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourceGroups/classification-test/providers/Microsoft.Storage/storageAccounts/aipclptest,458b9821-8f00-483f-acf9-ff6ab17332c4,eastus,BugBashTest,,fi-pn.docx,https://aipclptest.blob.core.windows.net/aipscan/PII/fi-pn.docx,File,"2/13/2020, 7:54:22.000 PM","2/13/2020, 7:54:22.000 PM",,"11/1/2021, 4:09:20.926 PM",docx,18734,Labeling,External,[],0,f42aa342-8706-4288-bd11-ebb85995028c,General,,,PurviewDataSensitivityLogs,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourcegroups/purview-sentinel-bug-bash/providers/microsoft.purview/accounts/sentinel-bug-bash-eastus2 -d80e74e9-da11-4572-babc-79349f7685cc,"11/1/2021, 4:12:40.111 PM",00000000-0000-0000-0000-000000000000,DataSensitivityLogEvent,72f988bf-86f1-41af-91ab-2d7cd011db47,458b9821-8f00-483f-acf9-ff6ab17332c4,Sentinel-Bug-Bash-EastUS2,eastus2,AzureBlob-Bc2,AzureBlob,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourceGroups/classification-test/providers/Microsoft.Storage/storageAccounts/aipclptest,458b9821-8f00-483f-acf9-ff6ab17332c4,eastus,BugBashTest,,uk-roll.docx,https://aipclptest.blob.core.windows.net/aipscan/PII/uk-roll.docx,File,"2/13/2020, 7:54:22.000 PM","2/13/2020, 7:54:22.000 PM",,"11/1/2021, 4:09:20.910 PM",docx,18608,Classification,System,"[""U.K. Electoral Roll Number""]",1,,,,,PurviewDataSensitivityLogs,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourcegroups/purview-sentinel-bug-bash/providers/microsoft.purview/accounts/sentinel-bug-bash-eastus2 -d80e74e9-da11-4572-babc-79349f7685cc,"11/1/2021, 4:12:40.111 PM",00000000-0000-0000-0000-000000000000,DataSensitivityLogEvent,72f988bf-86f1-41af-91ab-2d7cd011db47,458b9821-8f00-483f-acf9-ff6ab17332c4,Sentinel-Bug-Bash-EastUS2,eastus2,AzureBlob-Bc2,AzureBlob,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourceGroups/classification-test/providers/Microsoft.Storage/storageAccounts/aipclptest,458b9821-8f00-483f-acf9-ff6ab17332c4,eastus,BugBashTest,,uk-roll.docx,https://aipclptest.blob.core.windows.net/aipscan/PII/uk-roll.docx,File,"2/13/2020, 7:54:22.000 PM","2/13/2020, 7:54:22.000 PM",,"11/1/2021, 4:09:20.910 PM",docx,18608,Labeling,External,[],0,f42aa342-8706-4288-bd11-ebb85995028c,General,,,PurviewDataSensitivityLogs,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourcegroups/purview-sentinel-bug-bash/providers/microsoft.purview/accounts/sentinel-bug-bash-eastus2 -d80e74e9-da11-4572-babc-79349f7685cc,"11/1/2021, 4:12:40.111 PM",00000000-0000-0000-0000-000000000000,DataSensitivityLogEvent,72f988bf-86f1-41af-91ab-2d7cd011db47,458b9821-8f00-483f-acf9-ff6ab17332c4,Sentinel-Bug-Bash-EastUS2,eastus2,AzureBlob-Bc2,AzureBlob,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourceGroups/classification-test/providers/Microsoft.Storage/storageAccounts/aipclptest,458b9821-8f00-483f-acf9-ff6ab17332c4,eastus,BugBashTest,,fi-pn.docx,https://aipclptest.blob.core.windows.net/aipscan/HR/fi-pn.docx,File,"2/13/2020, 7:54:12.000 PM","2/13/2020, 7:54:12.000 PM",,"11/1/2021, 4:09:21.363 PM",docx,19582,Classification,System,"[""Japan Passport Number""]",1,,,,,PurviewDataSensitivityLogs,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourcegroups/purview-sentinel-bug-bash/providers/microsoft.purview/accounts/sentinel-bug-bash-eastus2 -d80e74e9-da11-4572-babc-79349f7685cc,"11/1/2021, 4:12:40.111 PM",00000000-0000-0000-0000-000000000000,DataSensitivityLogEvent,72f988bf-86f1-41af-91ab-2d7cd011db47,458b9821-8f00-483f-acf9-ff6ab17332c4,Sentinel-Bug-Bash-EastUS2,eastus2,AzureBlob-Bc2,AzureBlob,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourceGroups/classification-test/providers/Microsoft.Storage/storageAccounts/aipclptest,458b9821-8f00-483f-acf9-ff6ab17332c4,eastus,BugBashTest,,fi-pn.docx,https://aipclptest.blob.core.windows.net/aipscan/HR/fi-pn.docx,File,"2/13/2020, 7:54:12.000 PM","2/13/2020, 7:54:12.000 PM",,"11/1/2021, 4:09:21.363 PM",docx,19582,Labeling,External,[],0,f42aa342-8706-4288-bd11-ebb85995028c,General,,,PurviewDataSensitivityLogs,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourcegroups/purview-sentinel-bug-bash/providers/microsoft.purview/accounts/sentinel-bug-bash-eastus2 -d80e74e9-da11-4572-babc-79349f7685cc,"11/1/2021, 4:12:40.111 PM",00000000-0000-0000-0000-000000000000,DataSensitivityLogEvent,72f988bf-86f1-41af-91ab-2d7cd011db47,458b9821-8f00-483f-acf9-ff6ab17332c4,Sentinel-Bug-Bash-EastUS2,eastus2,AzureBlob-Bc2,AzureBlob,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourceGroups/classification-test/providers/Microsoft.Storage/storageAccounts/aipclptest,458b9821-8f00-483f-acf9-ff6ab17332c4,eastus,BugBashTest,,cc.docx,https://aipclptest.blob.core.windows.net/aipscan/HR/cc.docx,File,"2/13/2020, 7:54:12.000 PM","2/13/2020, 7:54:12.000 PM",,"11/1/2021, 4:09:21.285 PM",docx,20282,Classification,System,"[""Credit Card Number"",""EU Debit Card Number""]",2,,,,,PurviewDataSensitivityLogs,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourcegroups/purview-sentinel-bug-bash/providers/microsoft.purview/accounts/sentinel-bug-bash-eastus2 -d80e74e9-da11-4572-babc-79349f7685cc,"11/1/2021, 4:12:40.112 PM",00000000-0000-0000-0000-000000000000,DataSensitivityLogEvent,72f988bf-86f1-41af-91ab-2d7cd011db47,458b9821-8f00-483f-acf9-ff6ab17332c4,Sentinel-Bug-Bash-EastUS2,eastus2,AzureBlob-Bc2,AzureBlob,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourceGroups/classification-test/providers/Microsoft.Storage/storageAccounts/aipclptest,458b9821-8f00-483f-acf9-ff6ab17332c4,eastus,BugBashTest,,cc.docx,https://aipclptest.blob.core.windows.net/aipscan/HR/cc.docx,File,"2/13/2020, 7:54:12.000 PM","2/13/2020, 7:54:12.000 PM",,"11/1/2021, 4:09:21.285 PM",docx,20282,Labeling,External,[],0,f42aa342-8706-4288-bd11-ebb85995028c,General,,,PurviewDataSensitivityLogs,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourcegroups/purview-sentinel-bug-bash/providers/microsoft.purview/accounts/sentinel-bug-bash-eastus2 -d80e74e9-da11-4572-babc-79349f7685cc,"11/1/2021, 4:12:40.112 PM",00000000-0000-0000-0000-000000000000,DataSensitivityLogEvent,72f988bf-86f1-41af-91ab-2d7cd011db47,458b9821-8f00-483f-acf9-ff6ab17332c4,Sentinel-Bug-Bash-EastUS2,eastus2,AzureBlob-Bc2,AzureBlob,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourceGroups/classification-test/providers/Microsoft.Storage/storageAccounts/aipclptest,458b9821-8f00-483f-acf9-ff6ab17332c4,eastus,BugBashTest,,fr-insee.docx,https://aipclptest.blob.core.windows.net/aipscan/HR/fr-insee.docx,File,"2/13/2020, 7:54:12.000 PM","2/13/2020, 7:54:12.000 PM",,"11/1/2021, 4:09:21.363 PM",docx,21329,Classification,System,"[""EU Social Security Number (SSN) or Equivalent ID"",""France Social Security Number (INSEE)""]",2,,,,,PurviewDataSensitivityLogs,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourcegroups/purview-sentinel-bug-bash/providers/microsoft.purview/accounts/sentinel-bug-bash-eastus2 -d80e74e9-da11-4572-babc-79349f7685cc,"11/1/2021, 4:12:40.112 PM",00000000-0000-0000-0000-000000000000,DataSensitivityLogEvent,72f988bf-86f1-41af-91ab-2d7cd011db47,458b9821-8f00-483f-acf9-ff6ab17332c4,Sentinel-Bug-Bash-EastUS2,eastus2,AzureBlob-Bc2,AzureBlob,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourceGroups/classification-test/providers/Microsoft.Storage/storageAccounts/aipclptest,458b9821-8f00-483f-acf9-ff6ab17332c4,eastus,BugBashTest,,fr-insee.docx,https://aipclptest.blob.core.windows.net/aipscan/HR/fr-insee.docx,File,"2/13/2020, 7:54:12.000 PM","2/13/2020, 7:54:12.000 PM",,"11/1/2021, 4:09:21.363 PM",docx,21329,Labeling,External,[],0,f42aa342-8706-4288-bd11-ebb85995028c,General,,,PurviewDataSensitivityLogs,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourcegroups/purview-sentinel-bug-bash/providers/microsoft.purview/accounts/sentinel-bug-bash-eastus2 -d80e74e9-da11-4572-babc-79349f7685cc,"11/1/2021, 4:12:40.112 PM",00000000-0000-0000-0000-000000000000,DataSensitivityLogEvent,72f988bf-86f1-41af-91ab-2d7cd011db47,458b9821-8f00-483f-acf9-ff6ab17332c4,Sentinel-Bug-Bash-EastUS2,eastus2,AzureBlob-Bc2,AzureBlob,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourceGroups/classification-test/providers/Microsoft.Storage/storageAccounts/aipclptest,458b9821-8f00-483f-acf9-ff6ab17332c4,eastus,BugBashTest,,uk-roll.docx,https://aipclptest.blob.core.windows.net/aipscan/HR/uk-roll.docx,File,"2/13/2020, 7:54:12.000 PM","2/13/2020, 7:54:12.000 PM",,"11/1/2021, 4:09:21.254 PM",docx,19575,Classification,System,"[""U.K. Electoral Roll Number""]",1,,,,,PurviewDataSensitivityLogs,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourcegroups/purview-sentinel-bug-bash/providers/microsoft.purview/accounts/sentinel-bug-bash-eastus2 -d80e74e9-da11-4572-babc-79349f7685cc,"11/1/2021, 4:12:40.112 PM",00000000-0000-0000-0000-000000000000,DataSensitivityLogEvent,72f988bf-86f1-41af-91ab-2d7cd011db47,458b9821-8f00-483f-acf9-ff6ab17332c4,Sentinel-Bug-Bash-EastUS2,eastus2,AzureBlob-Bc2,AzureBlob,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourceGroups/classification-test/providers/Microsoft.Storage/storageAccounts/aipclptest,458b9821-8f00-483f-acf9-ff6ab17332c4,eastus,BugBashTest,,uk-roll.docx,https://aipclptest.blob.core.windows.net/aipscan/HR/uk-roll.docx,File,"2/13/2020, 7:54:12.000 PM","2/13/2020, 7:54:12.000 PM",,"11/1/2021, 4:09:21.254 PM",docx,19575,Labeling,External,[],0,f42aa342-8706-4288-bd11-ebb85995028c,General,,,PurviewDataSensitivityLogs,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourcegroups/purview-sentinel-bug-bash/providers/microsoft.purview/accounts/sentinel-bug-bash-eastus2 -d80e74e9-da11-4572-babc-79349f7685cc,"11/1/2021, 4:12:40.112 PM",00000000-0000-0000-0000-000000000000,DataSensitivityLogEvent,72f988bf-86f1-41af-91ab-2d7cd011db47,458b9821-8f00-483f-acf9-ff6ab17332c4,Sentinel-Bug-Bash-EastUS2,eastus2,AzureBlob-Bc2,AzureBlob,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourceGroups/classification-test/providers/Microsoft.Storage/storageAccounts/aipclptest,458b9821-8f00-483f-acf9-ff6ab17332c4,eastus,BugBashTest,,germany.txt,https://aipclptest.blob.core.windows.net/aipscan/HR/germany.txt,File,"2/13/2020, 7:54:12.000 PM","2/13/2020, 7:54:12.000 PM",,"11/1/2021, 4:09:21.301 PM",txt,42,Classification,System,"[""EU National Identification Number"",""EU Social Security Number (SSN) or Equivalent ID"",""Germany Identity Card Number""]",3,,,,,PurviewDataSensitivityLogs,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourcegroups/purview-sentinel-bug-bash/providers/microsoft.purview/accounts/sentinel-bug-bash-eastus2 -d80e74e9-da11-4572-babc-79349f7685cc,"11/1/2021, 4:12:40.119 PM",00000000-0000-0000-0000-000000000000,DataSensitivityLogEvent,72f988bf-86f1-41af-91ab-2d7cd011db47,458b9821-8f00-483f-acf9-ff6ab17332c4,Sentinel-Bug-Bash-EastUS2,eastus2,AzureBlob-Bc2,AzureBlob,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourceGroups/classification-test/providers/Microsoft.Storage/storageAccounts/aipclptest,458b9821-8f00-483f-acf9-ff6ab17332c4,eastus,BugBashTest,,sw-id.docx,https://aipclptest.blob.core.windows.net/aipscan/HR/sw-id.docx,File,"2/13/2020, 7:54:12.000 PM","2/13/2020, 7:54:12.000 PM",,"11/1/2021, 4:09:21.348 PM",docx,20135,Classification,System,"[""EU Social Security Number (SSN) or Equivalent ID"",""EU Tax Identification Number (TIN)""]",2,,,,,PurviewDataSensitivityLogs,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourcegroups/purview-sentinel-bug-bash/providers/microsoft.purview/accounts/sentinel-bug-bash-eastus2 -d80e74e9-da11-4572-babc-79349f7685cc,"11/1/2021, 4:12:40.119 PM",00000000-0000-0000-0000-000000000000,DataSensitivityLogEvent,72f988bf-86f1-41af-91ab-2d7cd011db47,458b9821-8f00-483f-acf9-ff6ab17332c4,Sentinel-Bug-Bash-EastUS2,eastus2,AzureBlob-Bc2,AzureBlob,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourceGroups/classification-test/providers/Microsoft.Storage/storageAccounts/aipclptest,458b9821-8f00-483f-acf9-ff6ab17332c4,eastus,BugBashTest,,sw-id.docx,https://aipclptest.blob.core.windows.net/aipscan/HR/sw-id.docx,File,"2/13/2020, 7:54:12.000 PM","2/13/2020, 7:54:12.000 PM",,"11/1/2021, 4:09:21.348 PM",docx,20135,Labeling,External,[],0,f42aa342-8706-4288-bd11-ebb85995028c,General,,,PurviewDataSensitivityLogs,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourcegroups/purview-sentinel-bug-bash/providers/microsoft.purview/accounts/sentinel-bug-bash-eastus2 -d80e74e9-da11-4572-babc-79349f7685cc,"11/1/2021, 4:12:40.120 PM",00000000-0000-0000-0000-000000000000,DataSensitivityLogEvent,72f988bf-86f1-41af-91ab-2d7cd011db47,458b9821-8f00-483f-acf9-ff6ab17332c4,Sentinel-Bug-Bash-EastUS2,eastus2,AzureBlob-Bc2,AzureBlob,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourceGroups/classification-test/providers/Microsoft.Storage/storageAccounts/aipclptest,458b9821-8f00-483f-acf9-ff6ab17332c4,eastus,BugBashTest,,Customers data2018.docx,https://aipclptest.blob.core.windows.net/aipscan/CustomerData/Customers data2018.docx,File,"2/13/2020, 7:53:51.000 PM","2/13/2020, 7:53:51.000 PM",,"11/1/2021, 4:09:20.379 PM",docx,16830,Classification,System,"[""Belgium Driver's License Number"",""Bulgaria Passport Number"",""Credit Card Number"",""Croatia Passport Number"",""Cyprus Driver's License Number"",""Czech Personal Identity Number"",""Denmark Passport Number"",""Denmark Personal Identification Number"",""EU Debit Card Number"",""EU Driver's License Number"",""EU National Identification Number"",""EU Passport Number"",""EU Social Security Number (SSN) or Equivalent ID"",""EU Tax Identification Number (TIN)"",""Finland Driver's License Number"",""Finland National ID"",""France Driver's License Number"",""France National ID Card (CNI)"",""France Social Security Number (INSEE)"",""German Driver's License Number"",""German Passport Number"",""Germany Identity Card Number"",""Greece National ID Card"",""Ireland Passport Number"",""Ireland Personal Public Service (PPS) Number"",""Italy Driver's License Number"",""Italy Passport Number"",""Japan Driver's License Number"",""Japan Passport Number"",""Poland Identity Card"",""Romania Passport Number"",""Russian Passport Number (International)"",""Slovakia Personal Number"",""Sweden Passport Number"",""Taiwan Passport Number"",""U.K. Driver's License Number"",""U.K. Electoral Roll Number"",""U.K. National Health Service Number"",""U.K. National Insurance Number (NINO)"",""U.S. / U.K. Passport Number"",""Ukraine Passport Number (Domestic)""]",41,,,,,PurviewDataSensitivityLogs,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourcegroups/purview-sentinel-bug-bash/providers/microsoft.purview/accounts/sentinel-bug-bash-eastus2 -d80e74e9-da11-4572-babc-79349f7685cc,"11/1/2021, 4:12:40.127 PM",00000000-0000-0000-0000-000000000000,DataSensitivityLogEvent,72f988bf-86f1-41af-91ab-2d7cd011db47,458b9821-8f00-483f-acf9-ff6ab17332c4,Sentinel-Bug-Bash-EastUS2,eastus2,AzureBlob-Bc2,AzureBlob,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourceGroups/classification-test/providers/Microsoft.Storage/storageAccounts/aipclptest,458b9821-8f00-483f-acf9-ff6ab17332c4,eastus,BugBashTest,,EL.txt,https://aipclptest.blob.core.windows.net/aipscan/PII/EL.txt,File,"2/13/2020, 7:54:22.000 PM","2/13/2020, 7:54:22.000 PM",,"11/1/2021, 4:09:20.660 PM",txt,200,Classification,System,"[""EU National Identification Number"",""Greece National ID Card""]",2,,,,,PurviewDataSensitivityLogs,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourcegroups/purview-sentinel-bug-bash/providers/microsoft.purview/accounts/sentinel-bug-bash-eastus2 -d80e74e9-da11-4572-babc-79349f7685cc,"11/1/2021, 4:12:40.134 PM",00000000-0000-0000-0000-000000000000,DataSensitivityLogEvent,72f988bf-86f1-41af-91ab-2d7cd011db47,458b9821-8f00-483f-acf9-ff6ab17332c4,Sentinel-Bug-Bash-EastUS2,eastus2,AzureBlob-Bc2,AzureBlob,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourceGroups/classification-test/providers/Microsoft.Storage/storageAccounts/aipclptest,458b9821-8f00-483f-acf9-ff6ab17332c4,eastus,BugBashTest,,it-drv.docx,https://aipclptest.blob.core.windows.net/aipscan/PII/it-drv.docx,File,"2/13/2020, 7:54:22.000 PM","2/13/2020, 7:54:22.000 PM",,"11/1/2021, 4:09:20.645 PM",docx,18766,Classification,System,"[""EU Driver's License Number"",""Italy Driver's License Number""]",2,,,,,PurviewDataSensitivityLogs,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourcegroups/purview-sentinel-bug-bash/providers/microsoft.purview/accounts/sentinel-bug-bash-eastus2 -d80e74e9-da11-4572-babc-79349f7685cc,"11/1/2021, 4:12:40.134 PM",00000000-0000-0000-0000-000000000000,DataSensitivityLogEvent,72f988bf-86f1-41af-91ab-2d7cd011db47,458b9821-8f00-483f-acf9-ff6ab17332c4,Sentinel-Bug-Bash-EastUS2,eastus2,AzureBlob-Bc2,AzureBlob,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourceGroups/classification-test/providers/Microsoft.Storage/storageAccounts/aipclptest,458b9821-8f00-483f-acf9-ff6ab17332c4,eastus,BugBashTest,,it-drv.docx,https://aipclptest.blob.core.windows.net/aipscan/PII/it-drv.docx,File,"2/13/2020, 7:54:22.000 PM","2/13/2020, 7:54:22.000 PM",,"11/1/2021, 4:09:20.645 PM",docx,18766,Labeling,External,[],0,f42aa342-8706-4288-bd11-ebb85995028c,General,,,PurviewDataSensitivityLogs,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourcegroups/purview-sentinel-bug-bash/providers/microsoft.purview/accounts/sentinel-bug-bash-eastus2 -d80e74e9-da11-4572-babc-79349f7685cc,"11/1/2021, 4:12:40.134 PM",00000000-0000-0000-0000-000000000000,DataSensitivityLogEvent,72f988bf-86f1-41af-91ab-2d7cd011db47,458b9821-8f00-483f-acf9-ff6ab17332c4,Sentinel-Bug-Bash-EastUS2,eastus2,AzureBlob-Bc2,AzureBlob,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourceGroups/classification-test/providers/Microsoft.Storage/storageAccounts/aipclptest,458b9821-8f00-483f-acf9-ff6ab17332c4,eastus,BugBashTest,,finland.txt,https://aipclptest.blob.core.windows.net/joselw-test/finland.txt,File,"8/16/2021, 8:56:14.000 PM","8/16/2021, 8:56:14.000 PM",,"11/1/2021, 4:09:14.423 PM",txt,89,Classification,System,"[""EU National Identification Number"",""EU Social Security Number (SSN) or Equivalent ID"",""EU Tax Identification Number (TIN)"",""Finland National ID""]",4,,,,,PurviewDataSensitivityLogs,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourcegroups/purview-sentinel-bug-bash/providers/microsoft.purview/accounts/sentinel-bug-bash-eastus2 -d80e74e9-da11-4572-babc-79349f7685cc,"11/1/2021, 4:12:40.141 PM",00000000-0000-0000-0000-000000000000,DataSensitivityLogEvent,72f988bf-86f1-41af-91ab-2d7cd011db47,458b9821-8f00-483f-acf9-ff6ab17332c4,Sentinel-Bug-Bash-EastUS2,eastus2,AzureBlob-Bc2,AzureBlob,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourceGroups/classification-test/providers/Microsoft.Storage/storageAccounts/aipclptest,458b9821-8f00-483f-acf9-ff6ab17332c4,eastus,BugBashTest,,pr-id.docx,https://aipclptest.blob.core.windows.net/joselw-test/pr-id.docx,File,"8/16/2021, 8:56:13.000 PM","8/16/2021, 8:56:13.000 PM",,"11/1/2021, 4:09:14.423 PM",docx,19590,Classification,System,"[""EU National Identification Number""]",1,,,,,PurviewDataSensitivityLogs,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourcegroups/purview-sentinel-bug-bash/providers/microsoft.purview/accounts/sentinel-bug-bash-eastus2 -d80e74e9-da11-4572-babc-79349f7685cc,"11/1/2021, 4:12:40.149 PM",00000000-0000-0000-0000-000000000000,DataSensitivityLogEvent,72f988bf-86f1-41af-91ab-2d7cd011db47,458b9821-8f00-483f-acf9-ff6ab17332c4,Sentinel-Bug-Bash-EastUS2,eastus2,AzureBlob-Bc2,AzureBlob,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourceGroups/classification-test/providers/Microsoft.Storage/storageAccounts/aipclptest,458b9821-8f00-483f-acf9-ff6ab17332c4,eastus,BugBashTest,,cr-oib.docx,https://aipclptest.blob.core.windows.net/satintestcontainer/cr-oib.docx,File,"5/12/2021, 6:56:19.000 PM","5/12/2021, 6:56:19.000 PM",,"11/1/2021, 4:09:15.110 PM",docx,26098,Classification,System,"[""EU National Identification Number""]",1,,,,,PurviewDataSensitivityLogs,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourcegroups/purview-sentinel-bug-bash/providers/microsoft.purview/accounts/sentinel-bug-bash-eastus2 -d80e74e9-da11-4572-babc-79349f7685cc,"11/1/2021, 4:12:40.149 PM",00000000-0000-0000-0000-000000000000,DataSensitivityLogEvent,72f988bf-86f1-41af-91ab-2d7cd011db47,458b9821-8f00-483f-acf9-ff6ab17332c4,Sentinel-Bug-Bash-EastUS2,eastus2,AzureBlob-Bc2,AzureBlob,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourceGroups/classification-test/providers/Microsoft.Storage/storageAccounts/aipclptest,458b9821-8f00-483f-acf9-ff6ab17332c4,eastus,BugBashTest,,IR.txt,https://aipclptest.blob.core.windows.net/aipscan/PII/IR.txt,File,"2/13/2020, 7:54:22.000 PM","2/13/2020, 7:54:22.000 PM",,"11/1/2021, 4:09:20.754 PM",txt,197,Classification,System,"[""EU National Identification Number"",""EU Tax Identification Number (TIN)"",""Ireland Personal Public Service (PPS) Number""]",3,,,,,PurviewDataSensitivityLogs,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourcegroups/purview-sentinel-bug-bash/providers/microsoft.purview/accounts/sentinel-bug-bash-eastus2 -d80e74e9-da11-4572-babc-79349f7685cc,"11/1/2021, 4:12:40.156 PM",00000000-0000-0000-0000-000000000000,DataSensitivityLogEvent,72f988bf-86f1-41af-91ab-2d7cd011db47,458b9821-8f00-483f-acf9-ff6ab17332c4,Sentinel-Bug-Bash-EastUS2,eastus2,AzureBlob-Bc2,AzureBlob,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourceGroups/classification-test/providers/Microsoft.Storage/storageAccounts/aipclptest,458b9821-8f00-483f-acf9-ff6ab17332c4,eastus,BugBashTest,,germany.txt,https://aipclptest.blob.core.windows.net/satintestcontainer/germany.txt,File,"5/12/2021, 6:56:19.000 PM","5/12/2021, 6:56:19.000 PM",,"11/1/2021, 4:09:15.141 PM",txt,42,Classification,System,"[""EU National Identification Number"",""EU Social Security Number (SSN) or Equivalent ID"",""Germany Identity Card Number""]",3,,,,,PurviewDataSensitivityLogs,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourcegroups/purview-sentinel-bug-bash/providers/microsoft.purview/accounts/sentinel-bug-bash-eastus2 -d80e74e9-da11-4572-babc-79349f7685cc,"11/1/2021, 4:12:40.163 PM",00000000-0000-0000-0000-000000000000,DataSensitivityLogEvent,72f988bf-86f1-41af-91ab-2d7cd011db47,458b9821-8f00-483f-acf9-ff6ab17332c4,Sentinel-Bug-Bash-EastUS2,eastus2,AzureBlob-Bc2,AzureBlob,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourceGroups/classification-test/providers/Microsoft.Storage/storageAccounts/aipclptest,458b9821-8f00-483f-acf9-ff6ab17332c4,eastus,BugBashTest,,IR.txt,https://aipclptest.blob.core.windows.net/joselw-test/IR.txt,File,"8/16/2021, 8:56:13.000 PM","8/16/2021, 8:56:13.000 PM",,"11/1/2021, 4:09:14.860 PM",txt,197,Classification,System,"[""EU National Identification Number"",""EU Tax Identification Number (TIN)"",""Ireland Personal Public Service (PPS) Number""]",3,,,,,PurviewDataSensitivityLogs,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourcegroups/purview-sentinel-bug-bash/providers/microsoft.purview/accounts/sentinel-bug-bash-eastus2 -d80e74e9-da11-4572-babc-79349f7685cc,"11/1/2021, 4:12:40.170 PM",00000000-0000-0000-0000-000000000000,DataSensitivityLogEvent,72f988bf-86f1-41af-91ab-2d7cd011db47,458b9821-8f00-483f-acf9-ff6ab17332c4,Sentinel-Bug-Bash-EastUS2,eastus2,AzureBlob-Bc2,AzureBlob,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourceGroups/classification-test/providers/Microsoft.Storage/storageAccounts/aipclptest,458b9821-8f00-483f-acf9-ff6ab17332c4,eastus,BugBashTest,,uk-nino.docx,https://aipclptest.blob.core.windows.net/aipscan-open/uk-nino.docx,File,"12/10/2020, 5:58:29.000 PM","12/10/2020, 5:58:29.000 PM",,"11/1/2021, 4:09:15.282 PM",docx,26184,Classification,System,"[""EU National Identification Number"",""U.K. National Insurance Number (NINO)""]",2,,,,,PurviewDataSensitivityLogs,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourcegroups/purview-sentinel-bug-bash/providers/microsoft.purview/accounts/sentinel-bug-bash-eastus2 -d80e74e9-da11-4572-babc-79349f7685cc,"11/1/2021, 4:12:40.171 PM",00000000-0000-0000-0000-000000000000,DataSensitivityLogEvent,72f988bf-86f1-41af-91ab-2d7cd011db47,458b9821-8f00-483f-acf9-ff6ab17332c4,Sentinel-Bug-Bash-EastUS2,eastus2,AzureBlob-Bc2,AzureBlob,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourceGroups/classification-test/providers/Microsoft.Storage/storageAccounts/aipclptest,458b9821-8f00-483f-acf9-ff6ab17332c4,eastus,BugBashTest,,sw-pn.docx,https://aipclptest.blob.core.windows.net/joselw-test/sw-pn.docx,File,"8/16/2021, 8:56:13.000 PM","8/16/2021, 8:56:13.000 PM",,"11/1/2021, 4:09:14.407 PM",docx,19044,Classification,System,"[""EU Passport Number"",""Sweden Passport Number""]",2,,,,,PurviewDataSensitivityLogs,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourcegroups/purview-sentinel-bug-bash/providers/microsoft.purview/accounts/sentinel-bug-bash-eastus2 -d80e74e9-da11-4572-babc-79349f7685cc,"11/1/2021, 4:12:40.177 PM",00000000-0000-0000-0000-000000000000,DataSensitivityLogEvent,72f988bf-86f1-41af-91ab-2d7cd011db47,458b9821-8f00-483f-acf9-ff6ab17332c4,Sentinel-Bug-Bash-EastUS2,eastus2,AzureBlob-Bc2,AzureBlob,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourceGroups/classification-test/providers/Microsoft.Storage/storageAccounts/aipclptest,458b9821-8f00-483f-acf9-ff6ab17332c4,eastus,BugBashTest,,de-id.docx,https://aipclptest.blob.core.windows.net/satintestcontainer/de-id.docx,File,"5/12/2021, 6:56:20.000 PM","5/12/2021, 6:56:20.000 PM",,"11/1/2021, 4:09:15.266 PM",docx,25558,Classification,System,"[""EU National Identification Number"",""Germany Identity Card Number""]",2,,,,,PurviewDataSensitivityLogs,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourcegroups/purview-sentinel-bug-bash/providers/microsoft.purview/accounts/sentinel-bug-bash-eastus2 -d80e74e9-da11-4572-babc-79349f7685cc,"11/1/2021, 4:12:40.177 PM",00000000-0000-0000-0000-000000000000,DataSensitivityLogEvent,72f988bf-86f1-41af-91ab-2d7cd011db47,458b9821-8f00-483f-acf9-ff6ab17332c4,Sentinel-Bug-Bash-EastUS2,eastus2,AzureBlob-Bc2,AzureBlob,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourceGroups/classification-test/providers/Microsoft.Storage/storageAccounts/aipclptest,458b9821-8f00-483f-acf9-ff6ab17332c4,eastus,BugBashTest,,fr-cni.docx,https://aipclptest.blob.core.windows.net/joselw-test/fr-cni.docx,File,"8/16/2021, 8:56:14.000 PM","8/16/2021, 8:56:14.000 PM",,"11/1/2021, 4:09:14.985 PM",docx,20854,Classification,System,"[""EU National Identification Number"",""France National ID Card (CNI)""]",2,,,,,PurviewDataSensitivityLogs,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourcegroups/purview-sentinel-bug-bash/providers/microsoft.purview/accounts/sentinel-bug-bash-eastus2 -d80e74e9-da11-4572-babc-79349f7685cc,"11/1/2021, 4:12:40.177 PM",00000000-0000-0000-0000-000000000000,DataSensitivityLogEvent,72f988bf-86f1-41af-91ab-2d7cd011db47,458b9821-8f00-483f-acf9-ff6ab17332c4,Sentinel-Bug-Bash-EastUS2,eastus2,AzureBlob-Bc2,AzureBlob,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourceGroups/classification-test/providers/Microsoft.Storage/storageAccounts/aipclptest,458b9821-8f00-483f-acf9-ff6ab17332c4,eastus,BugBashTest,,fr-cni.docx,https://aipclptest.blob.core.windows.net/joselw-test/fr-cni.docx,File,"8/16/2021, 8:56:14.000 PM","8/16/2021, 8:56:14.000 PM",,"11/1/2021, 4:09:14.985 PM",docx,20854,Labeling,External,[],0,f42aa342-8706-4288-bd11-ebb85995028c,General,,,PurviewDataSensitivityLogs,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourcegroups/purview-sentinel-bug-bash/providers/microsoft.purview/accounts/sentinel-bug-bash-eastus2 -d80e74e9-da11-4572-babc-79349f7685cc,"11/1/2021, 4:12:40.178 PM",00000000-0000-0000-0000-000000000000,DataSensitivityLogEvent,72f988bf-86f1-41af-91ab-2d7cd011db47,458b9821-8f00-483f-acf9-ff6ab17332c4,Sentinel-Bug-Bash-EastUS2,eastus2,AzureBlob-Bc2,AzureBlob,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourceGroups/classification-test/providers/Microsoft.Storage/storageAccounts/aipclptest,458b9821-8f00-483f-acf9-ff6ab17332c4,eastus,BugBashTest,,uk-drv.docx,https://aipclptest.blob.core.windows.net/joselw-test/uk-drv.docx,File,"8/16/2021, 8:56:13.000 PM","8/16/2021, 8:56:13.000 PM",,"11/1/2021, 4:09:14.985 PM",docx,21051,Classification,System,"[""EU Driver's License Number"",""U.K. Driver's License Number""]",2,,,,,PurviewDataSensitivityLogs,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourcegroups/purview-sentinel-bug-bash/providers/microsoft.purview/accounts/sentinel-bug-bash-eastus2 -d80e74e9-da11-4572-babc-79349f7685cc,"11/1/2021, 4:12:40.178 PM",00000000-0000-0000-0000-000000000000,DataSensitivityLogEvent,72f988bf-86f1-41af-91ab-2d7cd011db47,458b9821-8f00-483f-acf9-ff6ab17332c4,Sentinel-Bug-Bash-EastUS2,eastus2,AzureBlob-Bc2,AzureBlob,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourceGroups/classification-test/providers/Microsoft.Storage/storageAccounts/aipclptest,458b9821-8f00-483f-acf9-ff6ab17332c4,eastus,BugBashTest,,uk-drv.docx,https://aipclptest.blob.core.windows.net/joselw-test/uk-drv.docx,File,"8/16/2021, 8:56:13.000 PM","8/16/2021, 8:56:13.000 PM",,"11/1/2021, 4:09:14.985 PM",docx,21051,Labeling,External,[],0,f42aa342-8706-4288-bd11-ebb85995028c,General,,,PurviewDataSensitivityLogs,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourcegroups/purview-sentinel-bug-bash/providers/microsoft.purview/accounts/sentinel-bug-bash-eastus2 -d80e74e9-da11-4572-babc-79349f7685cc,"11/1/2021, 4:12:40.178 PM",00000000-0000-0000-0000-000000000000,DataSensitivityLogEvent,72f988bf-86f1-41af-91ab-2d7cd011db47,458b9821-8f00-483f-acf9-ff6ab17332c4,Sentinel-Bug-Bash-EastUS2,eastus2,AzureBlob-Bc2,AzureBlob,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourceGroups/classification-test/providers/Microsoft.Storage/storageAccounts/aipclptest,458b9821-8f00-483f-acf9-ff6ab17332c4,eastus,BugBashTest,,es-ssn (1).docx,https://aipclptest.blob.core.windows.net/test2/es-ssn (1).docx,File,"5/13/2021, 6:37:48.000 PM","5/13/2021, 6:37:48.000 PM",,"11/1/2021, 4:09:09.247 PM",docx,26070,Classification,System,"[""Spain Social Security Number (SSN)""]",1,,,,,PurviewDataSensitivityLogs,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourcegroups/purview-sentinel-bug-bash/providers/microsoft.purview/accounts/sentinel-bug-bash-eastus2 -d80e74e9-da11-4572-babc-79349f7685cc,"11/1/2021, 4:12:40.184 PM",00000000-0000-0000-0000-000000000000,DataSensitivityLogEvent,72f988bf-86f1-41af-91ab-2d7cd011db47,458b9821-8f00-483f-acf9-ff6ab17332c4,Sentinel-Bug-Bash-EastUS2,eastus2,AzureBlob-Bc2,AzureBlob,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourceGroups/classification-test/providers/Microsoft.Storage/storageAccounts/aipclptest,458b9821-8f00-483f-acf9-ff6ab17332c4,eastus,BugBashTest,,de-id.docx,https://aipclptest.blob.core.windows.net/aipscan/HR/de-id.docx,File,"2/13/2020, 7:54:12.000 PM","2/13/2020, 7:54:12.000 PM",,"11/1/2021, 4:09:15.594 PM",docx,24898,Classification,System,"[""EU National Identification Number"",""Germany Identity Card Number""]",2,,,,,PurviewDataSensitivityLogs,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourcegroups/purview-sentinel-bug-bash/providers/microsoft.purview/accounts/sentinel-bug-bash-eastus2 -d80e74e9-da11-4572-babc-79349f7685cc,"11/1/2021, 4:12:40.184 PM",00000000-0000-0000-0000-000000000000,DataSensitivityLogEvent,72f988bf-86f1-41af-91ab-2d7cd011db47,458b9821-8f00-483f-acf9-ff6ab17332c4,Sentinel-Bug-Bash-EastUS2,eastus2,AzureBlob-Bc2,AzureBlob,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourceGroups/classification-test/providers/Microsoft.Storage/storageAccounts/aipclptest,458b9821-8f00-483f-acf9-ff6ab17332c4,eastus,BugBashTest,,de-id.docx,https://aipclptest.blob.core.windows.net/aipscan/HR/de-id.docx,File,"2/13/2020, 7:54:12.000 PM","2/13/2020, 7:54:12.000 PM",,"11/1/2021, 4:09:15.594 PM",docx,24898,Labeling,External,[],0,f42aa342-8706-4288-bd11-ebb85995028c,General,,,PurviewDataSensitivityLogs,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourcegroups/purview-sentinel-bug-bash/providers/microsoft.purview/accounts/sentinel-bug-bash-eastus2 -d80e74e9-da11-4572-babc-79349f7685cc,"11/1/2021, 4:12:40.184 PM",00000000-0000-0000-0000-000000000000,DataSensitivityLogEvent,72f988bf-86f1-41af-91ab-2d7cd011db47,458b9821-8f00-483f-acf9-ff6ab17332c4,Sentinel-Bug-Bash-EastUS2,eastus2,AzureBlob-Bc2,AzureBlob,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourceGroups/classification-test/providers/Microsoft.Storage/storageAccounts/aipclptest,458b9821-8f00-483f-acf9-ff6ab17332c4,eastus,BugBashTest,,germany.txt,https://aipclptest.blob.core.windows.net/aipscan-open/germany.txt,File,"12/10/2020, 5:58:29.000 PM","12/10/2020, 5:58:29.000 PM",,"11/1/2021, 4:09:15.266 PM",txt,42,Classification,System,"[""EU National Identification Number"",""EU Social Security Number (SSN) or Equivalent ID"",""Germany Identity Card Number""]",3,,,,,PurviewDataSensitivityLogs,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourcegroups/purview-sentinel-bug-bash/providers/microsoft.purview/accounts/sentinel-bug-bash-eastus2 -d80e74e9-da11-4572-babc-79349f7685cc,"11/1/2021, 4:12:40.186 PM",00000000-0000-0000-0000-000000000000,DataSensitivityLogEvent,72f988bf-86f1-41af-91ab-2d7cd011db47,458b9821-8f00-483f-acf9-ff6ab17332c4,Sentinel-Bug-Bash-EastUS2,eastus2,AzureBlob-Bc2,AzureBlob,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourceGroups/classification-test/providers/Microsoft.Storage/storageAccounts/aipclptest,458b9821-8f00-483f-acf9-ff6ab17332c4,eastus,BugBashTest,,create samples.xlsx,https://aipclptest.blob.core.windows.net/test2/create samples.xlsx,File,"5/13/2021, 6:37:49.000 PM","5/13/2021, 6:37:49.000 PM",,"11/1/2021, 4:09:09.466 PM",xlsx,29140,Classification,System,"[""ABA Routing Number"",""Argentina National Identity (DNI) Number"",""Australia Bank Account Number"",""Australia Driver's License Number"",""Australia Medical Account Number"",""Australia Passport Number"",""Australia Tax File Number"",""Austria Driver's License Number"",""Austria Passport Number"",""Belgium Driver's License Number"",""Belgium Passport Number"",""Brazil CPF Number"",""Brazil Legal Entity Number (CNPJ)"",""Brazil National ID Card (RG)"",""Bulgaria Driver's License Number"",""Bulgaria Passport Number"",""Canada Bank Account Number"",""Canada Driver's License Number"",""Canada Health Service Number"",""Canada Passport Number"",""Canada Personal Health Identification Number (PHIN)"",""Canada Social Insurance Number"",""Chile Identity Card Number"",""China Resident Identity Card (PRC) Number"",""Credit Card Number"",""Croatia Driver's License Number"",""Croatia Passport Number"",""Cyprus Driver's License Number"",""Cyprus Identity Card"",""Czech Personal Identity Number"",""Czech Republic Passport Number"",""Denmark Driver's License Number"",""Denmark Passport Number"",""Denmark Personal Identification Number"",""Estonia Passport Number"",""EU Debit Card Number"",""EU Driver's License Number"",""EU National Identification Number"",""EU Passport Number"",""EU Social Security Number (SSN) or Equivalent ID"",""EU Tax Identification Number (TIN)"",""Finland National ID"",""Finland Passport Number"",""France Driver's License Number"",""France National ID Card (CNI)"",""France Social Security Number (INSEE)"",""German Driver's License Number"",""German Passport Number"",""Germany Identity Card Number"",""Greece Driver's License Number"",""Greece National ID Card"",""Greece Passport Number"",""Hungarian Social Security Number (TAJ)"",""Hungary Passport Number"",""India Permanent Account Number (PAN)"",""India Unique Identification (Aadhaar) Number"",""Indonesia Identity Card (KTP) Number"",""International Banking Account Number (IBAN)"",""IP Address"",""Ireland Passport Number"",""Ireland Personal Public Service (PPS) Number"",""Israel Bank Account Number"",""Israel National ID"",""Italy Driver's License Number"",""Italy Passport Number"",""Japan Bank Account Number"",""Japan Driver's License Number"",""Japan Passport Number"",""Japan Resident Registration Number"",""Japan Social Insurance Number (SIN)"",""Lithuania Driver's License Number"",""Lithuania Passport Number"",""Luxemburg Passport Number"",""Malaysia Identity Card Number"",""Malta Driver's License Number"",""Malta Passport Number"",""Netherlands Driver's License Number"",""Netherlands Passport Number"",""New Zealand Ministry of Health Number"",""Norway Identity Number"",""Philippines Unified Multi-Purpose ID Number"",""Poland Identity Card"",""Romania Driver's License Number"",""Romania Passport Number"",""Russian Passport Number (Domestic)"",""Russian Passport Number (International)"",""Saudi Arabia National ID"",""Singapore National Registration Identity Card (NRIC) Number"",""Slovakia Driver's License Number"",""Slovakia Passport Number"",""Slovakia Personal Number"",""Slovenia Driver's License Number"",""Slovenia Passport Number"",""South Africa Identification Number"",""South Korea Resident Registration Number"",""Spain Social Security Number (SSN)"",""Sweden National ID"",""Sweden Passport Number"",""Sweden Tax Identification Number"",""SWIFT Code"",""Taiwan National ID"",""Taiwan Passport Number"",""Taiwan Resident Certificate (ARC/TARC)"",""U.K. Driver's License Number"",""U.K. Electoral Roll Number"",""U.K. National Health Service Number"",""U.K. National Insurance Number (NINO)"",""U.K. Unique Taxpayer Reference Number"",""U.S. / U.K. Passport Number"",""U.S. Bank Account Number"",""U.S. Individual Taxpayer Identification Number (ITIN)"",""U.S. Social Security Number (SSN)"",""Ukraine Passport Number (Domestic)"",""Ukraine Passport Number (International)""]",114,,,,,PurviewDataSensitivityLogs,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourcegroups/purview-sentinel-bug-bash/providers/microsoft.purview/accounts/sentinel-bug-bash-eastus2 -d80e74e9-da11-4572-babc-79349f7685cc,"11/1/2021, 4:12:40.191 PM",00000000-0000-0000-0000-000000000000,DataSensitivityLogEvent,72f988bf-86f1-41af-91ab-2d7cd011db47,458b9821-8f00-483f-acf9-ff6ab17332c4,Sentinel-Bug-Bash-EastUS2,eastus2,AzureBlob-Bc2,AzureBlob,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourceGroups/classification-test/providers/Microsoft.Storage/storageAccounts/aipclptest,458b9821-8f00-483f-acf9-ff6ab17332c4,eastus,BugBashTest,,uk-roll.docx,https://aipclptest.blob.core.windows.net/aipscan-open/uk-roll.docx,File,"12/10/2020, 5:58:29.000 PM","12/10/2020, 5:58:29.000 PM",,"11/1/2021, 4:09:15.251 PM",docx,25511,Classification,System,"[""U.K. Electoral Roll Number""]",1,,,,,PurviewDataSensitivityLogs,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourcegroups/purview-sentinel-bug-bash/providers/microsoft.purview/accounts/sentinel-bug-bash-eastus2 -d80e74e9-da11-4572-babc-79349f7685cc,"11/1/2021, 4:12:40.195 PM",00000000-0000-0000-0000-000000000000,DataSensitivityLogEvent,72f988bf-86f1-41af-91ab-2d7cd011db47,458b9821-8f00-483f-acf9-ff6ab17332c4,Sentinel-Bug-Bash-EastUS2,eastus2,AzureBlob-Bc2,AzureBlob,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourceGroups/classification-test/providers/Microsoft.Storage/storageAccounts/aipclptest,458b9821-8f00-483f-acf9-ff6ab17332c4,eastus,BugBashTest,,Acme Background Check-Katana.doc,https://aipclptest.blob.core.windows.net/joselw-test/Acme Background Check-Katana.doc,File,"8/16/2021, 8:56:15.000 PM","8/16/2021, 8:56:15.000 PM",,"11/1/2021, 4:09:15.016 PM",doc,90624,Classification,System,"[""Credit Card Number"",""U.S. Social Security Number (SSN)""]",2,,,,,PurviewDataSensitivityLogs,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourcegroups/purview-sentinel-bug-bash/providers/microsoft.purview/accounts/sentinel-bug-bash-eastus2 -d80e74e9-da11-4572-babc-79349f7685cc,"11/1/2021, 4:12:40.197 PM",00000000-0000-0000-0000-000000000000,DataSensitivityLogEvent,72f988bf-86f1-41af-91ab-2d7cd011db47,458b9821-8f00-483f-acf9-ff6ab17332c4,Sentinel-Bug-Bash-EastUS2,eastus2,AzureBlob-Bc2,AzureBlob,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourceGroups/classification-test/providers/Microsoft.Storage/storageAccounts/aipclptest,458b9821-8f00-483f-acf9-ff6ab17332c4,eastus,BugBashTest,,fr-cni-pdf.pdf,https://aipclptest.blob.core.windows.net/aipscan/HR/fr-cni-pdf.pdf,File,"2/13/2020, 7:54:12.000 PM","2/13/2020, 7:54:12.000 PM",,"11/1/2021, 4:09:15.532 PM",pdf,362484,Classification,System,"[""EU National Identification Number"",""France National ID Card (CNI)""]",2,,,,,PurviewDataSensitivityLogs,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourcegroups/purview-sentinel-bug-bash/providers/microsoft.purview/accounts/sentinel-bug-bash-eastus2 -d80e74e9-da11-4572-babc-79349f7685cc,"11/1/2021, 4:12:40.198 PM",00000000-0000-0000-0000-000000000000,DataSensitivityLogEvent,72f988bf-86f1-41af-91ab-2d7cd011db47,458b9821-8f00-483f-acf9-ff6ab17332c4,Sentinel-Bug-Bash-EastUS2,eastus2,AzureBlob-Bc2,AzureBlob,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourceGroups/classification-test/providers/Microsoft.Storage/storageAccounts/aipclptest,458b9821-8f00-483f-acf9-ff6ab17332c4,eastus,BugBashTest,,fr-cni-pdf.pdf,https://aipclptest.blob.core.windows.net/aipscan/HR/fr-cni-pdf.pdf,File,"2/13/2020, 7:54:12.000 PM","2/13/2020, 7:54:12.000 PM",,"11/1/2021, 4:09:15.532 PM",pdf,362484,Labeling,External,[],0,f42aa342-8706-4288-bd11-ebb85995028c,General,,,PurviewDataSensitivityLogs,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourcegroups/purview-sentinel-bug-bash/providers/microsoft.purview/accounts/sentinel-bug-bash-eastus2 -d80e74e9-da11-4572-babc-79349f7685cc,"11/1/2021, 4:12:40.198 PM",00000000-0000-0000-0000-000000000000,DataSensitivityLogEvent,72f988bf-86f1-41af-91ab-2d7cd011db47,458b9821-8f00-483f-acf9-ff6ab17332c4,Sentinel-Bug-Bash-EastUS2,eastus2,AzureBlob-Bc2,AzureBlob,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourceGroups/classification-test/providers/Microsoft.Storage/storageAccounts/aipclptest,458b9821-8f00-483f-acf9-ff6ab17332c4,eastus,BugBashTest,,sw-pn.docx,https://aipclptest.blob.core.windows.net/aipscan/HR/sw-pn.docx,File,"2/13/2020, 7:54:12.000 PM","2/13/2020, 7:54:12.000 PM",,"11/1/2021, 4:09:15.532 PM",docx,19632,Classification,System,"[""EU Passport Number"",""Sweden Passport Number""]",2,,,,,PurviewDataSensitivityLogs,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourcegroups/purview-sentinel-bug-bash/providers/microsoft.purview/accounts/sentinel-bug-bash-eastus2 -d80e74e9-da11-4572-babc-79349f7685cc,"11/1/2021, 4:12:40.198 PM",00000000-0000-0000-0000-000000000000,DataSensitivityLogEvent,72f988bf-86f1-41af-91ab-2d7cd011db47,458b9821-8f00-483f-acf9-ff6ab17332c4,Sentinel-Bug-Bash-EastUS2,eastus2,AzureBlob-Bc2,AzureBlob,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourceGroups/classification-test/providers/Microsoft.Storage/storageAccounts/aipclptest,458b9821-8f00-483f-acf9-ff6ab17332c4,eastus,BugBashTest,,sw-pn.docx,https://aipclptest.blob.core.windows.net/aipscan/HR/sw-pn.docx,File,"2/13/2020, 7:54:12.000 PM","2/13/2020, 7:54:12.000 PM",,"11/1/2021, 4:09:15.532 PM",docx,19632,Labeling,External,[],0,f42aa342-8706-4288-bd11-ebb85995028c,General,,,PurviewDataSensitivityLogs,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourcegroups/purview-sentinel-bug-bash/providers/microsoft.purview/accounts/sentinel-bug-bash-eastus2 -d80e74e9-da11-4572-babc-79349f7685cc,"11/1/2021, 4:12:40.198 PM",00000000-0000-0000-0000-000000000000,DataSensitivityLogEvent,72f988bf-86f1-41af-91ab-2d7cd011db47,458b9821-8f00-483f-acf9-ff6ab17332c4,Sentinel-Bug-Bash-EastUS2,eastus2,AzureBlob-Bc2,AzureBlob,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourceGroups/classification-test/providers/Microsoft.Storage/storageAccounts/aipclptest,458b9821-8f00-483f-acf9-ff6ab17332c4,eastus,BugBashTest,,EL.txt,https://aipclptest.blob.core.windows.net/aipscan/HR/EL.txt,File,"2/13/2020, 7:54:12.000 PM","2/13/2020, 7:54:12.000 PM",,"11/1/2021, 4:09:15.469 PM",txt,200,Classification,System,"[""EU National Identification Number"",""Greece National ID Card""]",2,,,,,PurviewDataSensitivityLogs,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourcegroups/purview-sentinel-bug-bash/providers/microsoft.purview/accounts/sentinel-bug-bash-eastus2 -d80e74e9-da11-4572-babc-79349f7685cc,"11/1/2021, 4:12:40.202 PM",00000000-0000-0000-0000-000000000000,DataSensitivityLogEvent,72f988bf-86f1-41af-91ab-2d7cd011db47,458b9821-8f00-483f-acf9-ff6ab17332c4,Sentinel-Bug-Bash-EastUS2,eastus2,AzureBlob-Bc2,AzureBlob,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourceGroups/classification-test/providers/Microsoft.Storage/storageAccounts/aipclptest,458b9821-8f00-483f-acf9-ff6ab17332c4,eastus,BugBashTest,,cr-oib.docx,https://aipclptest.blob.core.windows.net/aipscan/HR/cr-oib.docx,File,"2/13/2020, 7:54:12.000 PM","2/13/2020, 7:54:12.000 PM",,"11/1/2021, 4:09:15.516 PM",docx,20160,Classification,System,"[""EU National Identification Number""]",1,,,,,PurviewDataSensitivityLogs,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourcegroups/purview-sentinel-bug-bash/providers/microsoft.purview/accounts/sentinel-bug-bash-eastus2 -d80e74e9-da11-4572-babc-79349f7685cc,"11/1/2021, 4:12:40.202 PM",00000000-0000-0000-0000-000000000000,DataSensitivityLogEvent,72f988bf-86f1-41af-91ab-2d7cd011db47,458b9821-8f00-483f-acf9-ff6ab17332c4,Sentinel-Bug-Bash-EastUS2,eastus2,AzureBlob-Bc2,AzureBlob,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourceGroups/classification-test/providers/Microsoft.Storage/storageAccounts/aipclptest,458b9821-8f00-483f-acf9-ff6ab17332c4,eastus,BugBashTest,,cr-oib.docx,https://aipclptest.blob.core.windows.net/aipscan/HR/cr-oib.docx,File,"2/13/2020, 7:54:12.000 PM","2/13/2020, 7:54:12.000 PM",,"11/1/2021, 4:09:15.516 PM",docx,20160,Labeling,External,[],0,f42aa342-8706-4288-bd11-ebb85995028c,General,,,PurviewDataSensitivityLogs,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourcegroups/purview-sentinel-bug-bash/providers/microsoft.purview/accounts/sentinel-bug-bash-eastus2 -d80e74e9-da11-4572-babc-79349f7685cc,"11/1/2021, 4:12:40.203 PM",00000000-0000-0000-0000-000000000000,DataSensitivityLogEvent,72f988bf-86f1-41af-91ab-2d7cd011db47,458b9821-8f00-483f-acf9-ff6ab17332c4,Sentinel-Bug-Bash-EastUS2,eastus2,AzureBlob-Bc2,AzureBlob,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourceGroups/classification-test/providers/Microsoft.Storage/storageAccounts/aipclptest,458b9821-8f00-483f-acf9-ff6ab17332c4,eastus,BugBashTest,,uk-pn.docx,https://aipclptest.blob.core.windows.net/joselw-test/uk-pn.docx,File,"8/16/2021, 8:56:13.000 PM","8/16/2021, 8:56:13.000 PM",,"11/1/2021, 4:09:15.016 PM",docx,19860,Classification,System,"[""Bulgaria Passport Number"",""Croatia Passport Number"",""Denmark Passport Number"",""EU Passport Number"",""Ireland Passport Number"",""Italy Passport Number"",""Romania Passport Number"",""Russian Passport Number (International)"",""Taiwan Passport Number"",""U.S. / U.K. Passport Number"",""Ukraine Passport Number (Domestic)""]",11,,,,,PurviewDataSensitivityLogs,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourcegroups/purview-sentinel-bug-bash/providers/microsoft.purview/accounts/sentinel-bug-bash-eastus2 -d80e74e9-da11-4572-babc-79349f7685cc,"11/1/2021, 4:12:40.203 PM",00000000-0000-0000-0000-000000000000,DataSensitivityLogEvent,72f988bf-86f1-41af-91ab-2d7cd011db47,458b9821-8f00-483f-acf9-ff6ab17332c4,Sentinel-Bug-Bash-EastUS2,eastus2,AzureBlob-Bc2,AzureBlob,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourceGroups/classification-test/providers/Microsoft.Storage/storageAccounts/aipclptest,458b9821-8f00-483f-acf9-ff6ab17332c4,eastus,BugBashTest,,uk-nino.docx,https://aipclptest.blob.core.windows.net/aipscan/HR/uk-nino.docx,File,"2/13/2020, 7:54:12.000 PM","2/13/2020, 7:54:12.000 PM",,"11/1/2021, 4:09:15.501 PM",docx,20246,Classification,System,"[""EU National Identification Number"",""U.K. National Insurance Number (NINO)""]",2,,,,,PurviewDataSensitivityLogs,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourcegroups/purview-sentinel-bug-bash/providers/microsoft.purview/accounts/sentinel-bug-bash-eastus2 -d80e74e9-da11-4572-babc-79349f7685cc,"11/1/2021, 4:12:40.203 PM",00000000-0000-0000-0000-000000000000,DataSensitivityLogEvent,72f988bf-86f1-41af-91ab-2d7cd011db47,458b9821-8f00-483f-acf9-ff6ab17332c4,Sentinel-Bug-Bash-EastUS2,eastus2,AzureBlob-Bc2,AzureBlob,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourceGroups/classification-test/providers/Microsoft.Storage/storageAccounts/aipclptest,458b9821-8f00-483f-acf9-ff6ab17332c4,eastus,BugBashTest,,uk-nino.docx,https://aipclptest.blob.core.windows.net/aipscan/HR/uk-nino.docx,File,"2/13/2020, 7:54:12.000 PM","2/13/2020, 7:54:12.000 PM",,"11/1/2021, 4:09:15.501 PM",docx,20246,Labeling,External,[],0,f42aa342-8706-4288-bd11-ebb85995028c,General,,,PurviewDataSensitivityLogs,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourcegroups/purview-sentinel-bug-bash/providers/microsoft.purview/accounts/sentinel-bug-bash-eastus2 -d80e74e9-da11-4572-babc-79349f7685cc,"11/1/2021, 4:12:40.203 PM",00000000-0000-0000-0000-000000000000,DataSensitivityLogEvent,72f988bf-86f1-41af-91ab-2d7cd011db47,458b9821-8f00-483f-acf9-ff6ab17332c4,Sentinel-Bug-Bash-EastUS2,eastus2,AzureBlob-Bc2,AzureBlob,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourceGroups/classification-test/providers/Microsoft.Storage/storageAccounts/aipclptest,458b9821-8f00-483f-acf9-ff6ab17332c4,eastus,BugBashTest,,el-id.docx,https://aipclptest.blob.core.windows.net/aipscan/HR/el-id.docx,File,"2/13/2020, 7:54:12.000 PM","2/13/2020, 7:54:12.000 PM",,"11/1/2021, 4:09:15.610 PM",docx,20229,Classification,System,"[""EU National Identification Number"",""Greece National ID Card""]",2,,,,,PurviewDataSensitivityLogs,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourcegroups/purview-sentinel-bug-bash/providers/microsoft.purview/accounts/sentinel-bug-bash-eastus2 -d80e74e9-da11-4572-babc-79349f7685cc,"11/1/2021, 4:12:40.203 PM",00000000-0000-0000-0000-000000000000,DataSensitivityLogEvent,72f988bf-86f1-41af-91ab-2d7cd011db47,458b9821-8f00-483f-acf9-ff6ab17332c4,Sentinel-Bug-Bash-EastUS2,eastus2,AzureBlob-Bc2,AzureBlob,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourceGroups/classification-test/providers/Microsoft.Storage/storageAccounts/aipclptest,458b9821-8f00-483f-acf9-ff6ab17332c4,eastus,BugBashTest,,el-id.docx,https://aipclptest.blob.core.windows.net/aipscan/HR/el-id.docx,File,"2/13/2020, 7:54:12.000 PM","2/13/2020, 7:54:12.000 PM",,"11/1/2021, 4:09:15.610 PM",docx,20229,Labeling,External,[],0,f42aa342-8706-4288-bd11-ebb85995028c,General,,,PurviewDataSensitivityLogs,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourcegroups/purview-sentinel-bug-bash/providers/microsoft.purview/accounts/sentinel-bug-bash-eastus2 -d80e74e9-da11-4572-babc-79349f7685cc,"11/1/2021, 4:12:40.203 PM",00000000-0000-0000-0000-000000000000,DataSensitivityLogEvent,72f988bf-86f1-41af-91ab-2d7cd011db47,458b9821-8f00-483f-acf9-ff6ab17332c4,Sentinel-Bug-Bash-EastUS2,eastus2,AzureBlob-Bc2,AzureBlob,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourceGroups/classification-test/providers/Microsoft.Storage/storageAccounts/aipclptest,458b9821-8f00-483f-acf9-ff6ab17332c4,eastus,BugBashTest,,it-drv.docx,https://aipclptest.blob.core.windows.net/aipscan/HR/it-drv.docx,File,"2/13/2020, 7:54:12.000 PM","2/13/2020, 7:54:12.000 PM",,"11/1/2021, 4:09:15.626 PM",docx,20158,Classification,System,"[""EU Driver's License Number"",""Italy Driver's License Number""]",2,,,,,PurviewDataSensitivityLogs,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourcegroups/purview-sentinel-bug-bash/providers/microsoft.purview/accounts/sentinel-bug-bash-eastus2 -d80e74e9-da11-4572-babc-79349f7685cc,"11/1/2021, 4:12:40.203 PM",00000000-0000-0000-0000-000000000000,DataSensitivityLogEvent,72f988bf-86f1-41af-91ab-2d7cd011db47,458b9821-8f00-483f-acf9-ff6ab17332c4,Sentinel-Bug-Bash-EastUS2,eastus2,AzureBlob-Bc2,AzureBlob,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourceGroups/classification-test/providers/Microsoft.Storage/storageAccounts/aipclptest,458b9821-8f00-483f-acf9-ff6ab17332c4,eastus,BugBashTest,,it-drv.docx,https://aipclptest.blob.core.windows.net/aipscan/HR/it-drv.docx,File,"2/13/2020, 7:54:12.000 PM","2/13/2020, 7:54:12.000 PM",,"11/1/2021, 4:09:15.626 PM",docx,20158,Labeling,External,[],0,f42aa342-8706-4288-bd11-ebb85995028c,General,,,PurviewDataSensitivityLogs,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourcegroups/purview-sentinel-bug-bash/providers/microsoft.purview/accounts/sentinel-bug-bash-eastus2 -d80e74e9-da11-4572-babc-79349f7685cc,"11/1/2021, 4:12:40.204 PM",00000000-0000-0000-0000-000000000000,DataSensitivityLogEvent,72f988bf-86f1-41af-91ab-2d7cd011db47,458b9821-8f00-483f-acf9-ff6ab17332c4,Sentinel-Bug-Bash-EastUS2,eastus2,AzureBlob-Bc2,AzureBlob,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourceGroups/classification-test/providers/Microsoft.Storage/storageAccounts/aipclptest,458b9821-8f00-483f-acf9-ff6ab17332c4,eastus,BugBashTest,,fr-drv.docx,https://aipclptest.blob.core.windows.net/aashishr01/fr-drv.docx,File,"12/11/2020, 8:59:33.000 PM","12/11/2020, 8:59:33.000 PM",,"11/1/2021, 4:09:09.529 PM",docx,26094,Classification,System,"[""Cyprus Driver's License Number"",""EU Driver's License Number"",""France Driver's License Number"",""Japan Driver's License Number""]",4,,,,,PurviewDataSensitivityLogs,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourcegroups/purview-sentinel-bug-bash/providers/microsoft.purview/accounts/sentinel-bug-bash-eastus2 -d80e74e9-da11-4572-babc-79349f7685cc,"11/1/2021, 4:12:40.205 PM",00000000-0000-0000-0000-000000000000,DataSensitivityLogEvent,72f988bf-86f1-41af-91ab-2d7cd011db47,458b9821-8f00-483f-acf9-ff6ab17332c4,Sentinel-Bug-Bash-EastUS2,eastus2,AzureBlob-Bc2,AzureBlob,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourceGroups/classification-test/providers/Microsoft.Storage/storageAccounts/aipclptest,458b9821-8f00-483f-acf9-ff6ab17332c4,eastus,BugBashTest,,cz-id.docx,https://aipclptest.blob.core.windows.net/aipscan/HR/cz-id.docx,File,"2/13/2020, 7:54:12.000 PM","2/13/2020, 7:54:12.000 PM",,"11/1/2021, 4:09:15.469 PM",docx,20172,Classification,System,"[""EU National Identification Number"",""EU Social Security Number (SSN) or Equivalent ID""]",2,,,,,PurviewDataSensitivityLogs,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourcegroups/purview-sentinel-bug-bash/providers/microsoft.purview/accounts/sentinel-bug-bash-eastus2 -d80e74e9-da11-4572-babc-79349f7685cc,"11/1/2021, 4:12:40.205 PM",00000000-0000-0000-0000-000000000000,DataSensitivityLogEvent,72f988bf-86f1-41af-91ab-2d7cd011db47,458b9821-8f00-483f-acf9-ff6ab17332c4,Sentinel-Bug-Bash-EastUS2,eastus2,AzureBlob-Bc2,AzureBlob,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourceGroups/classification-test/providers/Microsoft.Storage/storageAccounts/aipclptest,458b9821-8f00-483f-acf9-ff6ab17332c4,eastus,BugBashTest,,cz-id.docx,https://aipclptest.blob.core.windows.net/aipscan/HR/cz-id.docx,File,"2/13/2020, 7:54:12.000 PM","2/13/2020, 7:54:12.000 PM",,"11/1/2021, 4:09:15.469 PM",docx,20172,Labeling,External,[],0,f42aa342-8706-4288-bd11-ebb85995028c,General,,,PurviewDataSensitivityLogs,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourcegroups/purview-sentinel-bug-bash/providers/microsoft.purview/accounts/sentinel-bug-bash-eastus2 -d80e74e9-da11-4572-babc-79349f7685cc,"11/1/2021, 4:12:40.206 PM",00000000-0000-0000-0000-000000000000,DataSensitivityLogEvent,72f988bf-86f1-41af-91ab-2d7cd011db47,458b9821-8f00-483f-acf9-ff6ab17332c4,Sentinel-Bug-Bash-EastUS2,eastus2,AzureBlob-Bc2,AzureBlob,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourceGroups/classification-test/providers/Microsoft.Storage/storageAccounts/aipclptest,458b9821-8f00-483f-acf9-ff6ab17332c4,eastus,BugBashTest,,Customers data2015.docx,https://aipclptest.blob.core.windows.net/satintestcontainer/Customers data2015.docx,File,"6/17/2021, 3:18:46.000 AM","6/17/2021, 3:18:46.000 AM",,"11/1/2021, 4:09:15.188 PM",docx,11141,Classification,System,"[""Credit Card Number"",""EU Debit Card Number""]",2,,,,,PurviewDataSensitivityLogs,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourcegroups/purview-sentinel-bug-bash/providers/microsoft.purview/accounts/sentinel-bug-bash-eastus2 -d80e74e9-da11-4572-babc-79349f7685cc,"11/1/2021, 4:12:40.210 PM",00000000-0000-0000-0000-000000000000,DataSensitivityLogEvent,72f988bf-86f1-41af-91ab-2d7cd011db47,458b9821-8f00-483f-acf9-ff6ab17332c4,Sentinel-Bug-Bash-EastUS2,eastus2,AzureBlob-Bc2,AzureBlob,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourceGroups/classification-test/providers/Microsoft.Storage/storageAccounts/aipclptest,458b9821-8f00-483f-acf9-ff6ab17332c4,eastus,BugBashTest,,ir-pps.docx,https://aipclptest.blob.core.windows.net/joselw-test/ir-pps.docx,File,"8/16/2021, 8:56:13.000 PM","8/16/2021, 8:56:13.000 PM",,"11/1/2021, 4:09:14.579 PM",docx,19439,Classification,System,"[""EU National Identification Number"",""EU Tax Identification Number (TIN)"",""Ireland Personal Public Service (PPS) Number""]",3,,,,,PurviewDataSensitivityLogs,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourcegroups/purview-sentinel-bug-bash/providers/microsoft.purview/accounts/sentinel-bug-bash-eastus2 -d80e74e9-da11-4572-babc-79349f7685cc,"11/1/2021, 4:12:40.211 PM",00000000-0000-0000-0000-000000000000,DataSensitivityLogEvent,72f988bf-86f1-41af-91ab-2d7cd011db47,458b9821-8f00-483f-acf9-ff6ab17332c4,Sentinel-Bug-Bash-EastUS2,eastus2,AzureBlob-Bc2,AzureBlob,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourceGroups/classification-test/providers/Microsoft.Storage/storageAccounts/aipclptest,458b9821-8f00-483f-acf9-ff6ab17332c4,eastus,BugBashTest,,cz-id.docx,https://aipclptest.blob.core.windows.net/aipscan/PII/cz-id.docx,File,"2/13/2020, 7:54:22.000 PM","2/13/2020, 7:54:22.000 PM",,"11/1/2021, 4:09:20.676 PM",docx,18764,Classification,System,"[""EU National Identification Number"",""EU Social Security Number (SSN) or Equivalent ID""]",2,,,,,PurviewDataSensitivityLogs,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourcegroups/purview-sentinel-bug-bash/providers/microsoft.purview/accounts/sentinel-bug-bash-eastus2 -d80e74e9-da11-4572-babc-79349f7685cc,"11/1/2021, 4:12:40.211 PM",00000000-0000-0000-0000-000000000000,DataSensitivityLogEvent,72f988bf-86f1-41af-91ab-2d7cd011db47,458b9821-8f00-483f-acf9-ff6ab17332c4,Sentinel-Bug-Bash-EastUS2,eastus2,AzureBlob-Bc2,AzureBlob,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourceGroups/classification-test/providers/Microsoft.Storage/storageAccounts/aipclptest,458b9821-8f00-483f-acf9-ff6ab17332c4,eastus,BugBashTest,,cz-id.docx,https://aipclptest.blob.core.windows.net/aipscan/PII/cz-id.docx,File,"2/13/2020, 7:54:22.000 PM","2/13/2020, 7:54:22.000 PM",,"11/1/2021, 4:09:20.676 PM",docx,18764,Labeling,External,[],0,f42aa342-8706-4288-bd11-ebb85995028c,General,,,PurviewDataSensitivityLogs,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourcegroups/purview-sentinel-bug-bash/providers/microsoft.purview/accounts/sentinel-bug-bash-eastus2 -d80e74e9-da11-4572-babc-79349f7685cc,"11/1/2021, 4:12:40.211 PM",00000000-0000-0000-0000-000000000000,DataSensitivityLogEvent,72f988bf-86f1-41af-91ab-2d7cd011db47,458b9821-8f00-483f-acf9-ff6ab17332c4,Sentinel-Bug-Bash-EastUS2,eastus2,AzureBlob-Bc2,AzureBlob,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourceGroups/classification-test/providers/Microsoft.Storage/storageAccounts/aipclptest,458b9821-8f00-483f-acf9-ff6ab17332c4,eastus,BugBashTest,,sw-pn.docx,https://aipclptest.blob.core.windows.net/aipscan/PII/sw-pn.docx,File,"2/13/2020, 7:54:22.000 PM","2/13/2020, 7:54:22.000 PM",,"11/1/2021, 4:09:20.660 PM",docx,18784,Classification,System,"[""EU Passport Number"",""Sweden Passport Number""]",2,,,,,PurviewDataSensitivityLogs,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourcegroups/purview-sentinel-bug-bash/providers/microsoft.purview/accounts/sentinel-bug-bash-eastus2 -d80e74e9-da11-4572-babc-79349f7685cc,"11/1/2021, 4:12:40.211 PM",00000000-0000-0000-0000-000000000000,DataSensitivityLogEvent,72f988bf-86f1-41af-91ab-2d7cd011db47,458b9821-8f00-483f-acf9-ff6ab17332c4,Sentinel-Bug-Bash-EastUS2,eastus2,AzureBlob-Bc2,AzureBlob,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourceGroups/classification-test/providers/Microsoft.Storage/storageAccounts/aipclptest,458b9821-8f00-483f-acf9-ff6ab17332c4,eastus,BugBashTest,,sw-pn.docx,https://aipclptest.blob.core.windows.net/aipscan/PII/sw-pn.docx,File,"2/13/2020, 7:54:22.000 PM","2/13/2020, 7:54:22.000 PM",,"11/1/2021, 4:09:20.660 PM",docx,18784,Labeling,External,[],0,f42aa342-8706-4288-bd11-ebb85995028c,General,,,PurviewDataSensitivityLogs,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourcegroups/purview-sentinel-bug-bash/providers/microsoft.purview/accounts/sentinel-bug-bash-eastus2 -d80e74e9-da11-4572-babc-79349f7685cc,"11/1/2021, 4:12:40.212 PM",00000000-0000-0000-0000-000000000000,DataSensitivityLogEvent,72f988bf-86f1-41af-91ab-2d7cd011db47,458b9821-8f00-483f-acf9-ff6ab17332c4,Sentinel-Bug-Bash-EastUS2,eastus2,AzureBlob-Bc2,AzureBlob,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourceGroups/classification-test/providers/Microsoft.Storage/storageAccounts/aipclptest,458b9821-8f00-483f-acf9-ff6ab17332c4,eastus,BugBashTest,,create samples.xlsx,https://aipclptest.blob.core.windows.net/aashishr01/create samples.xlsx,File,"12/11/2020, 8:59:35.000 PM","12/11/2020, 8:59:35.000 PM",,"11/1/2021, 4:09:10.154 PM",xlsx,29140,Classification,System,"[""ABA Routing Number"",""Argentina National Identity (DNI) Number"",""Australia Bank Account Number"",""Australia Driver's License Number"",""Australia Medical Account Number"",""Australia Passport Number"",""Australia Tax File Number"",""Austria Driver's License Number"",""Austria Passport Number"",""Belgium Driver's License Number"",""Belgium Passport Number"",""Brazil CPF Number"",""Brazil Legal Entity Number (CNPJ)"",""Brazil National ID Card (RG)"",""Bulgaria Driver's License Number"",""Bulgaria Passport Number"",""Canada Bank Account Number"",""Canada Driver's License Number"",""Canada Health Service Number"",""Canada Passport Number"",""Canada Personal Health Identification Number (PHIN)"",""Canada Social Insurance Number"",""Chile Identity Card Number"",""China Resident Identity Card (PRC) Number"",""Credit Card Number"",""Croatia Driver's License Number"",""Croatia Passport Number"",""Cyprus Driver's License Number"",""Cyprus Identity Card"",""Czech Personal Identity Number"",""Czech Republic Passport Number"",""Denmark Driver's License Number"",""Denmark Passport Number"",""Denmark Personal Identification Number"",""Estonia Passport Number"",""EU Debit Card Number"",""EU Driver's License Number"",""EU National Identification Number"",""EU Passport Number"",""EU Social Security Number (SSN) or Equivalent ID"",""EU Tax Identification Number (TIN)"",""Finland National ID"",""Finland Passport Number"",""France Driver's License Number"",""France National ID Card (CNI)"",""France Social Security Number (INSEE)"",""German Driver's License Number"",""German Passport Number"",""Germany Identity Card Number"",""Greece Driver's License Number"",""Greece National ID Card"",""Greece Passport Number"",""Hungarian Social Security Number (TAJ)"",""Hungary Passport Number"",""India Permanent Account Number (PAN)"",""India Unique Identification (Aadhaar) Number"",""Indonesia Identity Card (KTP) Number"",""International Banking Account Number (IBAN)"",""IP Address"",""Ireland Passport Number"",""Ireland Personal Public Service (PPS) Number"",""Israel Bank Account Number"",""Israel National ID"",""Italy Driver's License Number"",""Italy Passport Number"",""Japan Bank Account Number"",""Japan Driver's License Number"",""Japan Passport Number"",""Japan Resident Registration Number"",""Japan Social Insurance Number (SIN)"",""Lithuania Driver's License Number"",""Lithuania Passport Number"",""Luxemburg Passport Number"",""Malaysia Identity Card Number"",""Malta Driver's License Number"",""Malta Passport Number"",""Netherlands Driver's License Number"",""Netherlands Passport Number"",""New Zealand Ministry of Health Number"",""Norway Identity Number"",""Philippines Unified Multi-Purpose ID Number"",""Poland Identity Card"",""Romania Driver's License Number"",""Romania Passport Number"",""Russian Passport Number (Domestic)"",""Russian Passport Number (International)"",""Saudi Arabia National ID"",""Singapore National Registration Identity Card (NRIC) Number"",""Slovakia Driver's License Number"",""Slovakia Passport Number"",""Slovakia Personal Number"",""Slovenia Driver's License Number"",""Slovenia Passport Number"",""South Africa Identification Number"",""South Korea Resident Registration Number"",""Spain Social Security Number (SSN)"",""Sweden National ID"",""Sweden Passport Number"",""Sweden Tax Identification Number"",""SWIFT Code"",""Taiwan National ID"",""Taiwan Passport Number"",""Taiwan Resident Certificate (ARC/TARC)"",""U.K. Driver's License Number"",""U.K. Electoral Roll Number"",""U.K. National Health Service Number"",""U.K. National Insurance Number (NINO)"",""U.K. Unique Taxpayer Reference Number"",""U.S. / U.K. Passport Number"",""U.S. Bank Account Number"",""U.S. Individual Taxpayer Identification Number (ITIN)"",""U.S. Social Security Number (SSN)"",""Ukraine Passport Number (Domestic)"",""Ukraine Passport Number (International)""]",114,,,,,PurviewDataSensitivityLogs,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourcegroups/purview-sentinel-bug-bash/providers/microsoft.purview/accounts/sentinel-bug-bash-eastus2 -d80e74e9-da11-4572-babc-79349f7685cc,"11/1/2021, 4:12:40.212 PM",00000000-0000-0000-0000-000000000000,DataSensitivityLogEvent,72f988bf-86f1-41af-91ab-2d7cd011db47,458b9821-8f00-483f-acf9-ff6ab17332c4,Sentinel-Bug-Bash-EastUS2,eastus2,AzureBlob-Bc2,AzureBlob,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourceGroups/classification-test/providers/Microsoft.Storage/storageAccounts/aipclptest,458b9821-8f00-483f-acf9-ff6ab17332c4,eastus,BugBashTest,,es-ssn.docx,https://aipclptest.blob.core.windows.net/satintestcontainer/es-ssn.docx,File,"5/12/2021, 6:56:19.000 PM","5/12/2021, 6:56:19.000 PM",,"11/1/2021, 4:09:15.188 PM",docx,26070,Classification,System,"[""Spain Social Security Number (SSN)""]",1,,,,,PurviewDataSensitivityLogs,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourcegroups/purview-sentinel-bug-bash/providers/microsoft.purview/accounts/sentinel-bug-bash-eastus2 -d80e74e9-da11-4572-babc-79349f7685cc,"11/1/2021, 4:12:40.217 PM",00000000-0000-0000-0000-000000000000,DataSensitivityLogEvent,72f988bf-86f1-41af-91ab-2d7cd011db47,458b9821-8f00-483f-acf9-ff6ab17332c4,Sentinel-Bug-Bash-EastUS2,eastus2,AzureBlob-Bc2,AzureBlob,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourceGroups/classification-test/providers/Microsoft.Storage/storageAccounts/aipclptest,458b9821-8f00-483f-acf9-ff6ab17332c4,eastus,BugBashTest,,fr-cni-pdf.pdf,https://aipclptest.blob.core.windows.net/joselw-test/fr-cni-pdf.pdf,File,"8/16/2021, 8:56:14.000 PM","8/16/2021, 8:56:14.000 PM",,"11/1/2021, 4:09:15.063 PM",pdf,327291,Classification,System,"[""EU National Identification Number"",""France National ID Card (CNI)""]",2,,,,,PurviewDataSensitivityLogs,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourcegroups/purview-sentinel-bug-bash/providers/microsoft.purview/accounts/sentinel-bug-bash-eastus2 -d80e74e9-da11-4572-babc-79349f7685cc,"11/1/2021, 4:12:40.219 PM",00000000-0000-0000-0000-000000000000,DataSensitivityLogEvent,72f988bf-86f1-41af-91ab-2d7cd011db47,458b9821-8f00-483f-acf9-ff6ab17332c4,Sentinel-Bug-Bash-EastUS2,eastus2,AzureBlob-Bc2,AzureBlob,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourceGroups/classification-test/providers/Microsoft.Storage/storageAccounts/aipclptest,458b9821-8f00-483f-acf9-ff6ab17332c4,eastus,BugBashTest,,finland.txt,https://aipclptest.blob.core.windows.net/aipscan/HR/finland.txt,File,"2/13/2020, 7:54:12.000 PM","2/13/2020, 7:54:12.000 PM",,"11/1/2021, 4:09:15.704 PM",txt,89,Classification,System,"[""EU National Identification Number"",""EU Social Security Number (SSN) or Equivalent ID"",""EU Tax Identification Number (TIN)"",""Finland National ID""]",4,,,,,PurviewDataSensitivityLogs,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourcegroups/purview-sentinel-bug-bash/providers/microsoft.purview/accounts/sentinel-bug-bash-eastus2 -d80e74e9-da11-4572-babc-79349f7685cc,"11/1/2021, 4:12:40.219 PM",00000000-0000-0000-0000-000000000000,DataSensitivityLogEvent,72f988bf-86f1-41af-91ab-2d7cd011db47,458b9821-8f00-483f-acf9-ff6ab17332c4,Sentinel-Bug-Bash-EastUS2,eastus2,AzureBlob-Bc2,AzureBlob,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourceGroups/classification-test/providers/Microsoft.Storage/storageAccounts/aipclptest,458b9821-8f00-483f-acf9-ff6ab17332c4,eastus,BugBashTest,,sw-pn.docx,https://aipclptest.blob.core.windows.net/aashishr01/sw-pn.docx,File,"12/11/2020, 8:59:35.000 PM","12/11/2020, 8:59:35.000 PM",,"11/1/2021, 4:09:09.857 PM",docx,25568,Classification,System,"[""EU Passport Number"",""Sweden Passport Number""]",2,,,,,PurviewDataSensitivityLogs,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourcegroups/purview-sentinel-bug-bash/providers/microsoft.purview/accounts/sentinel-bug-bash-eastus2 -d80e74e9-da11-4572-babc-79349f7685cc,"11/1/2021, 4:12:40.225 PM",00000000-0000-0000-0000-000000000000,DataSensitivityLogEvent,72f988bf-86f1-41af-91ab-2d7cd011db47,458b9821-8f00-483f-acf9-ff6ab17332c4,Sentinel-Bug-Bash-EastUS2,eastus2,AzureBlob-Bc2,AzureBlob,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourceGroups/classification-test/providers/Microsoft.Storage/storageAccounts/aipclptest,458b9821-8f00-483f-acf9-ff6ab17332c4,eastus,BugBashTest,,EL.txt,https://aipclptest.blob.core.windows.net/satintestcontainer/EL.txt,File,"5/12/2021, 6:56:19.000 PM","5/12/2021, 6:56:19.000 PM",,"11/1/2021, 4:09:15.079 PM",txt,200,Classification,System,"[""EU National Identification Number"",""Greece National ID Card""]",2,,,,,PurviewDataSensitivityLogs,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourcegroups/purview-sentinel-bug-bash/providers/microsoft.purview/accounts/sentinel-bug-bash-eastus2 -d80e74e9-da11-4572-babc-79349f7685cc,"11/1/2021, 4:12:40.227 PM",00000000-0000-0000-0000-000000000000,DataSensitivityLogEvent,72f988bf-86f1-41af-91ab-2d7cd011db47,458b9821-8f00-483f-acf9-ff6ab17332c4,Sentinel-Bug-Bash-EastUS2,eastus2,AzureBlob-Bc2,AzureBlob,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourceGroups/classification-test/providers/Microsoft.Storage/storageAccounts/aipclptest,458b9821-8f00-483f-acf9-ff6ab17332c4,eastus,BugBashTest,,create samples (1).xlsx,https://aipclptest.blob.core.windows.net/test2/create samples (1).xlsx,File,"5/13/2021, 6:37:49.000 PM","5/13/2021, 6:37:49.000 PM",,"11/1/2021, 4:09:09.310 PM",xlsx,29140,Classification,System,"[""ABA Routing Number"",""Argentina National Identity (DNI) Number"",""Australia Bank Account Number"",""Australia Driver's License Number"",""Australia Medical Account Number"",""Australia Passport Number"",""Australia Tax File Number"",""Austria Driver's License Number"",""Austria Passport Number"",""Belgium Driver's License Number"",""Belgium Passport Number"",""Brazil CPF Number"",""Brazil Legal Entity Number (CNPJ)"",""Brazil National ID Card (RG)"",""Bulgaria Driver's License Number"",""Bulgaria Passport Number"",""Canada Bank Account Number"",""Canada Driver's License Number"",""Canada Health Service Number"",""Canada Passport Number"",""Canada Personal Health Identification Number (PHIN)"",""Canada Social Insurance Number"",""Chile Identity Card Number"",""China Resident Identity Card (PRC) Number"",""Credit Card Number"",""Croatia Driver's License Number"",""Croatia Passport Number"",""Cyprus Driver's License Number"",""Cyprus Identity Card"",""Czech Personal Identity Number"",""Czech Republic Passport Number"",""Denmark Driver's License Number"",""Denmark Passport Number"",""Denmark Personal Identification Number"",""Estonia Passport Number"",""EU Debit Card Number"",""EU Driver's License Number"",""EU National Identification Number"",""EU Passport Number"",""EU Social Security Number (SSN) or Equivalent ID"",""EU Tax Identification Number (TIN)"",""Finland National ID"",""Finland Passport Number"",""France Driver's License Number"",""France National ID Card (CNI)"",""France Social Security Number (INSEE)"",""German Driver's License Number"",""German Passport Number"",""Germany Identity Card Number"",""Greece Driver's License Number"",""Greece National ID Card"",""Greece Passport Number"",""Hungarian Social Security Number (TAJ)"",""Hungary Passport Number"",""India Permanent Account Number (PAN)"",""India Unique Identification (Aadhaar) Number"",""Indonesia Identity Card (KTP) Number"",""International Banking Account Number (IBAN)"",""IP Address"",""Ireland Passport Number"",""Ireland Personal Public Service (PPS) Number"",""Israel Bank Account Number"",""Israel National ID"",""Italy Driver's License Number"",""Italy Passport Number"",""Japan Bank Account Number"",""Japan Driver's License Number"",""Japan Passport Number"",""Japan Resident Registration Number"",""Japan Social Insurance Number (SIN)"",""Lithuania Driver's License Number"",""Lithuania Passport Number"",""Luxemburg Passport Number"",""Malaysia Identity Card Number"",""Malta Driver's License Number"",""Malta Passport Number"",""Netherlands Driver's License Number"",""Netherlands Passport Number"",""New Zealand Ministry of Health Number"",""Norway Identity Number"",""Philippines Unified Multi-Purpose ID Number"",""Poland Identity Card"",""Romania Driver's License Number"",""Romania Passport Number"",""Russian Passport Number (Domestic)"",""Russian Passport Number (International)"",""Saudi Arabia National ID"",""Singapore National Registration Identity Card (NRIC) Number"",""Slovakia Driver's License Number"",""Slovakia Passport Number"",""Slovakia Personal Number"",""Slovenia Driver's License Number"",""Slovenia Passport Number"",""South Africa Identification Number"",""South Korea Resident Registration Number"",""Spain Social Security Number (SSN)"",""Sweden National ID"",""Sweden Passport Number"",""Sweden Tax Identification Number"",""SWIFT Code"",""Taiwan National ID"",""Taiwan Passport Number"",""Taiwan Resident Certificate (ARC/TARC)"",""U.K. Driver's License Number"",""U.K. Electoral Roll Number"",""U.K. National Health Service Number"",""U.K. National Insurance Number (NINO)"",""U.K. Unique Taxpayer Reference Number"",""U.S. / U.K. Passport Number"",""U.S. Bank Account Number"",""U.S. Individual Taxpayer Identification Number (ITIN)"",""U.S. Social Security Number (SSN)"",""Ukraine Passport Number (Domestic)"",""Ukraine Passport Number (International)""]",114,,,,,PurviewDataSensitivityLogs,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourcegroups/purview-sentinel-bug-bash/providers/microsoft.purview/accounts/sentinel-bug-bash-eastus2 -d80e74e9-da11-4572-babc-79349f7685cc,"11/1/2021, 4:12:40.227 PM",00000000-0000-0000-0000-000000000000,DataSensitivityLogEvent,72f988bf-86f1-41af-91ab-2d7cd011db47,458b9821-8f00-483f-acf9-ff6ab17332c4,Sentinel-Bug-Bash-EastUS2,eastus2,AzureBlob-Bc2,AzureBlob,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourceGroups/classification-test/providers/Microsoft.Storage/storageAccounts/aipclptest,458b9821-8f00-483f-acf9-ff6ab17332c4,eastus,BugBashTest,,uk-pn.docx,https://aipclptest.blob.core.windows.net/aipscan/HR/uk-pn.docx,File,"2/13/2020, 7:54:12.000 PM","2/13/2020, 7:54:12.000 PM",,"11/1/2021, 4:09:15.516 PM",docx,20445,Classification,System,"[""Bulgaria Passport Number"",""Croatia Passport Number"",""Denmark Passport Number"",""EU Passport Number"",""Ireland Passport Number"",""Italy Passport Number"",""Romania Passport Number"",""Russian Passport Number (International)"",""Taiwan Passport Number"",""U.S. / U.K. Passport Number"",""Ukraine Passport Number (Domestic)""]",11,,,,,PurviewDataSensitivityLogs,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourcegroups/purview-sentinel-bug-bash/providers/microsoft.purview/accounts/sentinel-bug-bash-eastus2 -d80e74e9-da11-4572-babc-79349f7685cc,"11/1/2021, 4:12:40.227 PM",00000000-0000-0000-0000-000000000000,DataSensitivityLogEvent,72f988bf-86f1-41af-91ab-2d7cd011db47,458b9821-8f00-483f-acf9-ff6ab17332c4,Sentinel-Bug-Bash-EastUS2,eastus2,AzureBlob-Bc2,AzureBlob,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourceGroups/classification-test/providers/Microsoft.Storage/storageAccounts/aipclptest,458b9821-8f00-483f-acf9-ff6ab17332c4,eastus,BugBashTest,,uk-pn.docx,https://aipclptest.blob.core.windows.net/aipscan/HR/uk-pn.docx,File,"2/13/2020, 7:54:12.000 PM","2/13/2020, 7:54:12.000 PM",,"11/1/2021, 4:09:15.516 PM",docx,20445,Labeling,External,[],0,f42aa342-8706-4288-bd11-ebb85995028c,General,,,PurviewDataSensitivityLogs,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourcegroups/purview-sentinel-bug-bash/providers/microsoft.purview/accounts/sentinel-bug-bash-eastus2 -d80e74e9-da11-4572-babc-79349f7685cc,"11/1/2021, 4:12:40.228 PM",00000000-0000-0000-0000-000000000000,DataSensitivityLogEvent,72f988bf-86f1-41af-91ab-2d7cd011db47,458b9821-8f00-483f-acf9-ff6ab17332c4,Sentinel-Bug-Bash-EastUS2,eastus2,AzureBlob-Bc2,AzureBlob,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourceGroups/classification-test/providers/Microsoft.Storage/storageAccounts/aipclptest,458b9821-8f00-483f-acf9-ff6ab17332c4,eastus,BugBashTest,,Billable vendors.pptx,https://aipclptest.blob.core.windows.net/aipscan/Finance/Billable vendors.pptx,File,"2/13/2020, 7:54:02.000 PM","2/13/2020, 7:54:02.000 PM",,"11/1/2021, 4:09:15.891 PM",pptx,32114,Classification,System,"[""Credit Card Number"",""EU Debit Card Number""]",2,,,,,PurviewDataSensitivityLogs,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourcegroups/purview-sentinel-bug-bash/providers/microsoft.purview/accounts/sentinel-bug-bash-eastus2 -d80e74e9-da11-4572-babc-79349f7685cc,"11/1/2021, 4:12:40.232 PM",00000000-0000-0000-0000-000000000000,DataSensitivityLogEvent,72f988bf-86f1-41af-91ab-2d7cd011db47,458b9821-8f00-483f-acf9-ff6ab17332c4,Sentinel-Bug-Bash-EastUS2,eastus2,AzureBlob-Bc2,AzureBlob,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourceGroups/classification-test/providers/Microsoft.Storage/storageAccounts/aipclptest,458b9821-8f00-483f-acf9-ff6ab17332c4,eastus,BugBashTest,,germany.txt,https://aipclptest.blob.core.windows.net/joselw-test/germany.txt,File,"8/16/2021, 8:56:13.000 PM","8/16/2021, 8:56:13.000 PM",,"11/1/2021, 4:09:14.844 PM",txt,42,Classification,System,"[""EU National Identification Number"",""EU Social Security Number (SSN) or Equivalent ID"",""Germany Identity Card Number""]",3,,,,,PurviewDataSensitivityLogs,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourcegroups/purview-sentinel-bug-bash/providers/microsoft.purview/accounts/sentinel-bug-bash-eastus2 -d80e74e9-da11-4572-babc-79349f7685cc,"11/1/2021, 4:12:40.234 PM",00000000-0000-0000-0000-000000000000,DataSensitivityLogEvent,72f988bf-86f1-41af-91ab-2d7cd011db47,458b9821-8f00-483f-acf9-ff6ab17332c4,Sentinel-Bug-Bash-EastUS2,eastus2,AzureBlob-Bc2,AzureBlob,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourceGroups/classification-test/providers/Microsoft.Storage/storageAccounts/aipclptest,458b9821-8f00-483f-acf9-ff6ab17332c4,eastus,BugBashTest,,Lots of CC.docx,https://aipclptest.blob.core.windows.net/aipscan-open/Lots of CC.docx,File,"12/14/2020, 9:56:32.000 PM","12/14/2020, 9:56:32.000 PM",,"11/1/2021, 4:09:15.313 PM",docx,14132,Classification,System,"[""Credit Card Number""]",1,,,,,PurviewDataSensitivityLogs,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourcegroups/purview-sentinel-bug-bash/providers/microsoft.purview/accounts/sentinel-bug-bash-eastus2 -d80e74e9-da11-4572-babc-79349f7685cc,"11/1/2021, 4:12:40.234 PM",00000000-0000-0000-0000-000000000000,DataSensitivityLogEvent,72f988bf-86f1-41af-91ab-2d7cd011db47,458b9821-8f00-483f-acf9-ff6ab17332c4,Sentinel-Bug-Bash-EastUS2,eastus2,AzureBlob-Bc2,AzureBlob,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourceGroups/classification-test/providers/Microsoft.Storage/storageAccounts/aipclptest,458b9821-8f00-483f-acf9-ff6ab17332c4,eastus,BugBashTest,,Lots of CC.docx,https://aipclptest.blob.core.windows.net/aipscan-open/Lots of CC.docx,File,"12/14/2020, 9:56:32.000 PM","12/14/2020, 9:56:32.000 PM",,"11/1/2021, 4:09:15.313 PM",docx,14132,Labeling,External,[],0,f42aa342-8706-4288-bd11-ebb85995028c,General,,,PurviewDataSensitivityLogs,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourcegroups/purview-sentinel-bug-bash/providers/microsoft.purview/accounts/sentinel-bug-bash-eastus2 -d80e74e9-da11-4572-babc-79349f7685cc,"11/1/2021, 4:12:40.234 PM",00000000-0000-0000-0000-000000000000,DataSensitivityLogEvent,72f988bf-86f1-41af-91ab-2d7cd011db47,458b9821-8f00-483f-acf9-ff6ab17332c4,Sentinel-Bug-Bash-EastUS2,eastus2,AzureBlob-Bc2,AzureBlob,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourceGroups/classification-test/providers/Microsoft.Storage/storageAccounts/aipclptest,458b9821-8f00-483f-acf9-ff6ab17332c4,eastus,BugBashTest,,uk-drv.docx,https://aipclptest.blob.core.windows.net/aipscan-open/uk-drv.docx,File,"12/10/2020, 5:58:29.000 PM","12/10/2020, 5:58:29.000 PM",,"11/1/2021, 4:09:15.282 PM",docx,26212,Classification,System,"[""EU Driver's License Number"",""U.K. Driver's License Number""]",2,,,,,PurviewDataSensitivityLogs,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourcegroups/purview-sentinel-bug-bash/providers/microsoft.purview/accounts/sentinel-bug-bash-eastus2 -d80e74e9-da11-4572-babc-79349f7685cc,"11/1/2021, 4:12:40.235 PM",00000000-0000-0000-0000-000000000000,DataSensitivityLogEvent,72f988bf-86f1-41af-91ab-2d7cd011db47,458b9821-8f00-483f-acf9-ff6ab17332c4,Sentinel-Bug-Bash-EastUS2,eastus2,AzureBlob-Bc2,AzureBlob,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourceGroups/classification-test/providers/Microsoft.Storage/storageAccounts/aipclptest,458b9821-8f00-483f-acf9-ff6ab17332c4,eastus,BugBashTest,,Billing 2018.docx,https://aipclptest.blob.core.windows.net/aipscan/Finance/Billing 2018.docx,File,"2/13/2020, 7:54:02.000 PM","2/13/2020, 7:54:02.000 PM",,"11/1/2021, 4:09:15.876 PM",docx,20166,Classification,System,"[""Credit Card Number"",""EU Debit Card Number""]",2,,,,,PurviewDataSensitivityLogs,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourcegroups/purview-sentinel-bug-bash/providers/microsoft.purview/accounts/sentinel-bug-bash-eastus2 -d80e74e9-da11-4572-babc-79349f7685cc,"11/1/2021, 4:12:40.239 PM",00000000-0000-0000-0000-000000000000,DataSensitivityLogEvent,72f988bf-86f1-41af-91ab-2d7cd011db47,458b9821-8f00-483f-acf9-ff6ab17332c4,Sentinel-Bug-Bash-EastUS2,eastus2,AzureBlob-Bc2,AzureBlob,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourceGroups/classification-test/providers/Microsoft.Storage/storageAccounts/aipclptest,458b9821-8f00-483f-acf9-ff6ab17332c4,eastus,BugBashTest,,de-pn.docx,https://aipclptest.blob.core.windows.net/aipscan/HR/de-pn.docx,File,"2/13/2020, 7:54:12.000 PM","2/13/2020, 7:54:12.000 PM",,"11/1/2021, 4:09:15.688 PM",docx,20125,Classification,System,"[""EU Passport Number"",""German Passport Number""]",2,,,,,PurviewDataSensitivityLogs,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourcegroups/purview-sentinel-bug-bash/providers/microsoft.purview/accounts/sentinel-bug-bash-eastus2 -d80e74e9-da11-4572-babc-79349f7685cc,"11/1/2021, 4:12:40.239 PM",00000000-0000-0000-0000-000000000000,DataSensitivityLogEvent,72f988bf-86f1-41af-91ab-2d7cd011db47,458b9821-8f00-483f-acf9-ff6ab17332c4,Sentinel-Bug-Bash-EastUS2,eastus2,AzureBlob-Bc2,AzureBlob,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourceGroups/classification-test/providers/Microsoft.Storage/storageAccounts/aipclptest,458b9821-8f00-483f-acf9-ff6ab17332c4,eastus,BugBashTest,,de-pn.docx,https://aipclptest.blob.core.windows.net/aipscan/HR/de-pn.docx,File,"2/13/2020, 7:54:12.000 PM","2/13/2020, 7:54:12.000 PM",,"11/1/2021, 4:09:15.688 PM",docx,20125,Labeling,External,[],0,f42aa342-8706-4288-bd11-ebb85995028c,General,,,PurviewDataSensitivityLogs,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourcegroups/purview-sentinel-bug-bash/providers/microsoft.purview/accounts/sentinel-bug-bash-eastus2 -d80e74e9-da11-4572-babc-79349f7685cc,"11/1/2021, 4:12:40.239 PM",00000000-0000-0000-0000-000000000000,DataSensitivityLogEvent,72f988bf-86f1-41af-91ab-2d7cd011db47,458b9821-8f00-483f-acf9-ff6ab17332c4,Sentinel-Bug-Bash-EastUS2,eastus2,AzureBlob-Bc2,AzureBlob,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourceGroups/classification-test/providers/Microsoft.Storage/storageAccounts/aipclptest,458b9821-8f00-483f-acf9-ff6ab17332c4,eastus,BugBashTest,,es-ssn.docx,https://aipclptest.blob.core.windows.net/aipscan/HR/es-ssn.docx,File,"2/13/2020, 7:54:12.000 PM","2/13/2020, 7:54:12.000 PM",,"11/1/2021, 4:09:15.688 PM",docx,20135,Classification,System,"[""Spain Social Security Number (SSN)""]",1,,,,,PurviewDataSensitivityLogs,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourcegroups/purview-sentinel-bug-bash/providers/microsoft.purview/accounts/sentinel-bug-bash-eastus2 -d80e74e9-da11-4572-babc-79349f7685cc,"11/1/2021, 4:12:40.240 PM",00000000-0000-0000-0000-000000000000,DataSensitivityLogEvent,72f988bf-86f1-41af-91ab-2d7cd011db47,458b9821-8f00-483f-acf9-ff6ab17332c4,Sentinel-Bug-Bash-EastUS2,eastus2,AzureBlob-Bc2,AzureBlob,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourceGroups/classification-test/providers/Microsoft.Storage/storageAccounts/aipclptest,458b9821-8f00-483f-acf9-ff6ab17332c4,eastus,BugBashTest,,es-ssn.docx,https://aipclptest.blob.core.windows.net/aipscan/HR/es-ssn.docx,File,"2/13/2020, 7:54:12.000 PM","2/13/2020, 7:54:12.000 PM",,"11/1/2021, 4:09:15.688 PM",docx,20135,Labeling,External,[],0,f42aa342-8706-4288-bd11-ebb85995028c,General,,,PurviewDataSensitivityLogs,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourcegroups/purview-sentinel-bug-bash/providers/microsoft.purview/accounts/sentinel-bug-bash-eastus2 -d80e74e9-da11-4572-babc-79349f7685cc,"11/1/2021, 4:12:40.240 PM",00000000-0000-0000-0000-000000000000,DataSensitivityLogEvent,72f988bf-86f1-41af-91ab-2d7cd011db47,458b9821-8f00-483f-acf9-ff6ab17332c4,Sentinel-Bug-Bash-EastUS2,eastus2,AzureBlob-Bc2,AzureBlob,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourceGroups/classification-test/providers/Microsoft.Storage/storageAccounts/aipclptest,458b9821-8f00-483f-acf9-ff6ab17332c4,eastus,BugBashTest,,AMCE Patent Application-Katana.doc,https://aipclptest.blob.core.windows.net/aipscan/CredScan/AMCE Patent Application-Katana.doc,File,"2/13/2020, 7:53:38.000 PM","2/13/2020, 7:53:38.000 PM",,"11/1/2021, 4:09:16.110 PM",doc,42496,Classification,System,"[""Credit Card Number""]",1,,,,,PurviewDataSensitivityLogs,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourcegroups/purview-sentinel-bug-bash/providers/microsoft.purview/accounts/sentinel-bug-bash-eastus2 -d80e74e9-da11-4572-babc-79349f7685cc,"11/1/2021, 4:12:40.242 PM",00000000-0000-0000-0000-000000000000,DataSensitivityLogEvent,72f988bf-86f1-41af-91ab-2d7cd011db47,458b9821-8f00-483f-acf9-ff6ab17332c4,Sentinel-Bug-Bash-EastUS2,eastus2,AzureBlob-Bc2,AzureBlob,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourceGroups/classification-test/providers/Microsoft.Storage/storageAccounts/aipclptest,458b9821-8f00-483f-acf9-ff6ab17332c4,eastus,BugBashTest,,Registration form.docx,https://aipclptest.blob.core.windows.net/aipscan/Finance/Registration form.docx,File,"2/13/2020, 7:54:02.000 PM","2/13/2020, 7:54:02.000 PM",,"11/1/2021, 4:09:15.985 PM",docx,20166,Classification,System,"[""Credit Card Number"",""EU Debit Card Number""]",2,,,,,PurviewDataSensitivityLogs,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourcegroups/purview-sentinel-bug-bash/providers/microsoft.purview/accounts/sentinel-bug-bash-eastus2 -d80e74e9-da11-4572-babc-79349f7685cc,"11/1/2021, 4:12:40.249 PM",00000000-0000-0000-0000-000000000000,DataSensitivityLogEvent,72f988bf-86f1-41af-91ab-2d7cd011db47,458b9821-8f00-483f-acf9-ff6ab17332c4,Sentinel-Bug-Bash-EastUS2,eastus2,AzureBlob-Bc2,AzureBlob,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourceGroups/classification-test/providers/Microsoft.Storage/storageAccounts/aipclptest,458b9821-8f00-483f-acf9-ff6ab17332c4,eastus,BugBashTest,,Customers list.docx,https://aipclptest.blob.core.windows.net/aipscan/Finance/Customers list.docx,File,"2/13/2020, 7:54:02.000 PM","2/13/2020, 7:54:02.000 PM",,"11/1/2021, 4:09:15.985 PM",docx,20166,Classification,System,"[""Credit Card Number"",""EU Debit Card Number""]",2,,,,,PurviewDataSensitivityLogs,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourcegroups/purview-sentinel-bug-bash/providers/microsoft.purview/accounts/sentinel-bug-bash-eastus2 -d80e74e9-da11-4572-babc-79349f7685cc,"11/1/2021, 4:12:40.256 PM",00000000-0000-0000-0000-000000000000,DataSensitivityLogEvent,72f988bf-86f1-41af-91ab-2d7cd011db47,458b9821-8f00-483f-acf9-ff6ab17332c4,Sentinel-Bug-Bash-EastUS2,eastus2,AzureBlob-Bc2,AzureBlob,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourceGroups/classification-test/providers/Microsoft.Storage/storageAccounts/aipclptest,458b9821-8f00-483f-acf9-ff6ab17332c4,eastus,BugBashTest,,Charges.docx,https://aipclptest.blob.core.windows.net/aipscan/Finance/Charges.docx,File,"2/13/2020, 7:54:02.000 PM","2/13/2020, 7:54:02.000 PM",,"11/1/2021, 4:09:15.829 PM",docx,20166,Classification,System,"[""Credit Card Number"",""EU Debit Card Number""]",2,,,,,PurviewDataSensitivityLogs,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourcegroups/purview-sentinel-bug-bash/providers/microsoft.purview/accounts/sentinel-bug-bash-eastus2 -d80e74e9-da11-4572-babc-79349f7685cc,"11/1/2021, 4:12:40.264 PM",00000000-0000-0000-0000-000000000000,DataSensitivityLogEvent,72f988bf-86f1-41af-91ab-2d7cd011db47,458b9821-8f00-483f-acf9-ff6ab17332c4,Sentinel-Bug-Bash-EastUS2,eastus2,AzureBlob-Bc2,AzureBlob,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourceGroups/classification-test/providers/Microsoft.Storage/storageAccounts/aipclptest,458b9821-8f00-483f-acf9-ff6ab17332c4,eastus,BugBashTest,,Doc with credit cards.docx,https://aipclptest.blob.core.windows.net/aipscan/Finance/Doc with credit cards.docx,File,"2/13/2020, 7:54:02.000 PM","2/13/2020, 7:54:02.000 PM",,"11/1/2021, 4:09:15.813 PM",docx,14003,Classification,System,"[""Credit Card Number"",""EU Debit Card Number""]",2,,,,,PurviewDataSensitivityLogs,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourcegroups/purview-sentinel-bug-bash/providers/microsoft.purview/accounts/sentinel-bug-bash-eastus2 -d80e74e9-da11-4572-babc-79349f7685cc,"11/1/2021, 4:12:40.264 PM",00000000-0000-0000-0000-000000000000,DataSensitivityLogEvent,72f988bf-86f1-41af-91ab-2d7cd011db47,458b9821-8f00-483f-acf9-ff6ab17332c4,Sentinel-Bug-Bash-EastUS2,eastus2,AzureBlob-Bc2,AzureBlob,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourceGroups/classification-test/providers/Microsoft.Storage/storageAccounts/aipclptest,458b9821-8f00-483f-acf9-ff6ab17332c4,eastus,BugBashTest,,Doc with credit cards.docx,https://aipclptest.blob.core.windows.net/aipscan/Finance/Doc with credit cards.docx,File,"2/13/2020, 7:54:02.000 PM","2/13/2020, 7:54:02.000 PM",,"11/1/2021, 4:09:15.813 PM",docx,14003,Labeling,External,[],0,f42aa342-8706-4288-bd11-ebb85995028c,General,,,PurviewDataSensitivityLogs,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourcegroups/purview-sentinel-bug-bash/providers/microsoft.purview/accounts/sentinel-bug-bash-eastus2 -d80e74e9-da11-4572-babc-79349f7685cc,"11/1/2021, 4:12:40.289 PM",00000000-0000-0000-0000-000000000000,DataSensitivityLogEvent,72f988bf-86f1-41af-91ab-2d7cd011db47,458b9821-8f00-483f-acf9-ff6ab17332c4,Sentinel-Bug-Bash-EastUS2,eastus2,AzureBlob-Bc2,AzureBlob,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourceGroups/classification-test/providers/Microsoft.Storage/storageAccounts/aipclptest,458b9821-8f00-483f-acf9-ff6ab17332c4,eastus,BugBashTest,,cz.txt,https://aipclptest.blob.core.windows.net/aipscan/HR/cz.txt,File,"2/13/2020, 7:54:12.000 PM","2/13/2020, 7:54:12.000 PM",,"11/1/2021, 4:09:15.641 PM",txt,124,Classification,System,"[""EU National Identification Number"",""EU Social Security Number (SSN) or Equivalent ID""]",2,,,,,PurviewDataSensitivityLogs,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourcegroups/purview-sentinel-bug-bash/providers/microsoft.purview/accounts/sentinel-bug-bash-eastus2 -d80e74e9-da11-4572-babc-79349f7685cc,"11/1/2021, 4:12:40.298 PM",00000000-0000-0000-0000-000000000000,DataSensitivityLogEvent,72f988bf-86f1-41af-91ab-2d7cd011db47,458b9821-8f00-483f-acf9-ff6ab17332c4,Sentinel-Bug-Bash-EastUS2,eastus2,AzureBlob-Bc2,AzureBlob,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourceGroups/classification-test/providers/Microsoft.Storage/storageAccounts/aipclptest,458b9821-8f00-483f-acf9-ff6ab17332c4,eastus,BugBashTest,,de-id.docx,https://aipclptest.blob.core.windows.net/aipscan/PII/de-id.docx,File,"2/13/2020, 7:54:22.000 PM","2/13/2020, 7:54:22.000 PM",,"11/1/2021, 4:09:20.707 PM",docx,23407,Classification,System,"[""EU National Identification Number"",""Germany Identity Card Number""]",2,,,,,PurviewDataSensitivityLogs,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourcegroups/purview-sentinel-bug-bash/providers/microsoft.purview/accounts/sentinel-bug-bash-eastus2 -d80e74e9-da11-4572-babc-79349f7685cc,"11/1/2021, 4:12:40.298 PM",00000000-0000-0000-0000-000000000000,DataSensitivityLogEvent,72f988bf-86f1-41af-91ab-2d7cd011db47,458b9821-8f00-483f-acf9-ff6ab17332c4,Sentinel-Bug-Bash-EastUS2,eastus2,AzureBlob-Bc2,AzureBlob,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourceGroups/classification-test/providers/Microsoft.Storage/storageAccounts/aipclptest,458b9821-8f00-483f-acf9-ff6ab17332c4,eastus,BugBashTest,,de-id.docx,https://aipclptest.blob.core.windows.net/aipscan/PII/de-id.docx,File,"2/13/2020, 7:54:22.000 PM","2/13/2020, 7:54:22.000 PM",,"11/1/2021, 4:09:20.707 PM",docx,23407,Labeling,External,[],0,f42aa342-8706-4288-bd11-ebb85995028c,General,,,PurviewDataSensitivityLogs,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourcegroups/purview-sentinel-bug-bash/providers/microsoft.purview/accounts/sentinel-bug-bash-eastus2 -d80e74e9-da11-4572-babc-79349f7685cc,"11/1/2021, 4:12:40.298 PM",00000000-0000-0000-0000-000000000000,DataSensitivityLogEvent,72f988bf-86f1-41af-91ab-2d7cd011db47,458b9821-8f00-483f-acf9-ff6ab17332c4,Sentinel-Bug-Bash-EastUS2,eastus2,AzureBlob-Bc2,AzureBlob,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourceGroups/classification-test/providers/Microsoft.Storage/storageAccounts/aipclptest,458b9821-8f00-483f-acf9-ff6ab17332c4,eastus,BugBashTest,,es-ssn.docx,https://aipclptest.blob.core.windows.net/aipscan/PII/es-ssn.docx,File,"2/13/2020, 7:54:22.000 PM","2/13/2020, 7:54:22.000 PM",,"11/1/2021, 4:09:20.738 PM",docx,18723,Classification,System,"[""Spain Social Security Number (SSN)""]",1,,,,,PurviewDataSensitivityLogs,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourcegroups/purview-sentinel-bug-bash/providers/microsoft.purview/accounts/sentinel-bug-bash-eastus2 -d80e74e9-da11-4572-babc-79349f7685cc,"11/1/2021, 4:12:40.298 PM",00000000-0000-0000-0000-000000000000,DataSensitivityLogEvent,72f988bf-86f1-41af-91ab-2d7cd011db47,458b9821-8f00-483f-acf9-ff6ab17332c4,Sentinel-Bug-Bash-EastUS2,eastus2,AzureBlob-Bc2,AzureBlob,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourceGroups/classification-test/providers/Microsoft.Storage/storageAccounts/aipclptest,458b9821-8f00-483f-acf9-ff6ab17332c4,eastus,BugBashTest,,es-ssn.docx,https://aipclptest.blob.core.windows.net/aipscan/PII/es-ssn.docx,File,"2/13/2020, 7:54:22.000 PM","2/13/2020, 7:54:22.000 PM",,"11/1/2021, 4:09:20.738 PM",docx,18723,Labeling,External,[],0,f42aa342-8706-4288-bd11-ebb85995028c,General,,,PurviewDataSensitivityLogs,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourcegroups/purview-sentinel-bug-bash/providers/microsoft.purview/accounts/sentinel-bug-bash-eastus2 -d80e74e9-da11-4572-babc-79349f7685cc,"11/1/2021, 4:12:40.298 PM",00000000-0000-0000-0000-000000000000,DataSensitivityLogEvent,72f988bf-86f1-41af-91ab-2d7cd011db47,458b9821-8f00-483f-acf9-ff6ab17332c4,Sentinel-Bug-Bash-EastUS2,eastus2,AzureBlob-Bc2,AzureBlob,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourceGroups/classification-test/providers/Microsoft.Storage/storageAccounts/aipclptest,458b9821-8f00-483f-acf9-ff6ab17332c4,eastus,BugBashTest,,fi-id.docx,https://aipclptest.blob.core.windows.net/aipscan/HR/fi-id.docx,File,"2/13/2020, 7:54:12.000 PM","2/13/2020, 7:54:12.000 PM",,"11/1/2021, 4:09:15.704 PM",docx,20189,Classification,System,"[""EU National Identification Number"",""EU Social Security Number (SSN) or Equivalent ID"",""EU Tax Identification Number (TIN)"",""Finland National ID""]",4,,,,,PurviewDataSensitivityLogs,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourcegroups/purview-sentinel-bug-bash/providers/microsoft.purview/accounts/sentinel-bug-bash-eastus2 -d80e74e9-da11-4572-babc-79349f7685cc,"11/1/2021, 4:12:40.298 PM",00000000-0000-0000-0000-000000000000,DataSensitivityLogEvent,72f988bf-86f1-41af-91ab-2d7cd011db47,458b9821-8f00-483f-acf9-ff6ab17332c4,Sentinel-Bug-Bash-EastUS2,eastus2,AzureBlob-Bc2,AzureBlob,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourceGroups/classification-test/providers/Microsoft.Storage/storageAccounts/aipclptest,458b9821-8f00-483f-acf9-ff6ab17332c4,eastus,BugBashTest,,fi-id.docx,https://aipclptest.blob.core.windows.net/aipscan/HR/fi-id.docx,File,"2/13/2020, 7:54:12.000 PM","2/13/2020, 7:54:12.000 PM",,"11/1/2021, 4:09:15.704 PM",docx,20189,Labeling,External,[],0,f42aa342-8706-4288-bd11-ebb85995028c,General,,,PurviewDataSensitivityLogs,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourcegroups/purview-sentinel-bug-bash/providers/microsoft.purview/accounts/sentinel-bug-bash-eastus2 -d80e74e9-da11-4572-babc-79349f7685cc,"11/1/2021, 4:12:40.299 PM",00000000-0000-0000-0000-000000000000,DataSensitivityLogEvent,72f988bf-86f1-41af-91ab-2d7cd011db47,458b9821-8f00-483f-acf9-ff6ab17332c4,Sentinel-Bug-Bash-EastUS2,eastus2,AzureBlob-Bc2,AzureBlob,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourceGroups/classification-test/providers/Microsoft.Storage/storageAccounts/aipclptest,458b9821-8f00-483f-acf9-ff6ab17332c4,eastus,BugBashTest,,AMCE Patent Application.doc,https://aipclptest.blob.core.windows.net/aipscan/CredScan/AMCE Patent Application.doc,File,"2/13/2020, 7:53:39.000 PM","2/13/2020, 7:53:39.000 PM",,"11/1/2021, 4:09:16.188 PM",doc,42496,Classification,System,"[""Credit Card Number""]",1,,,,,PurviewDataSensitivityLogs,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourcegroups/purview-sentinel-bug-bash/providers/microsoft.purview/accounts/sentinel-bug-bash-eastus2 -d80e74e9-da11-4572-babc-79349f7685cc,"11/1/2021, 4:12:40.349 PM",00000000-0000-0000-0000-000000000000,DataSensitivityLogEvent,72f988bf-86f1-41af-91ab-2d7cd011db47,458b9821-8f00-483f-acf9-ff6ab17332c4,Sentinel-Bug-Bash-EastUS2,eastus2,AzureBlob-Bc2,AzureBlob,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourceGroups/classification-test/providers/Microsoft.Storage/storageAccounts/aipclptest,458b9821-8f00-483f-acf9-ff6ab17332c4,eastus,BugBashTest,,Travel Authorization Form_MY_101706-Katana.doc,https://aipclptest.blob.core.windows.net/aipscan/CredScan/Travel Authorization Form_MY_101706-Katana.doc,File,"2/13/2020, 7:53:39.000 PM","2/13/2020, 7:53:39.000 PM",,"11/1/2021, 4:09:16.173 PM",doc,40960,Classification,System,"[""Credit Card Number""]",1,,,,,PurviewDataSensitivityLogs,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourcegroups/purview-sentinel-bug-bash/providers/microsoft.purview/accounts/sentinel-bug-bash-eastus2 -d80e74e9-da11-4572-babc-79349f7685cc,"11/1/2021, 4:12:40.355 PM",00000000-0000-0000-0000-000000000000,DataSensitivityLogEvent,72f988bf-86f1-41af-91ab-2d7cd011db47,458b9821-8f00-483f-acf9-ff6ab17332c4,Sentinel-Bug-Bash-EastUS2,eastus2,AzureBlob-Bc2,AzureBlob,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourceGroups/classification-test/providers/Microsoft.Storage/storageAccounts/aipclptest,458b9821-8f00-483f-acf9-ff6ab17332c4,eastus,BugBashTest,,2020 forecast.pptx,https://aipclptest.blob.core.windows.net/aipscan/Finance/2020 forecast.pptx,File,"2/13/2020, 7:54:02.000 PM","2/13/2020, 7:54:02.000 PM",,"11/1/2021, 4:09:15.766 PM",pptx,32114,Classification,System,"[""Credit Card Number"",""EU Debit Card Number""]",2,,,,,PurviewDataSensitivityLogs,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourcegroups/purview-sentinel-bug-bash/providers/microsoft.purview/accounts/sentinel-bug-bash-eastus2 -d80e74e9-da11-4572-babc-79349f7685cc,"11/1/2021, 4:12:40.362 PM",00000000-0000-0000-0000-000000000000,DataSensitivityLogEvent,72f988bf-86f1-41af-91ab-2d7cd011db47,458b9821-8f00-483f-acf9-ff6ab17332c4,Sentinel-Bug-Bash-EastUS2,eastus2,AzureBlob-Bc2,AzureBlob,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourceGroups/classification-test/providers/Microsoft.Storage/storageAccounts/aipclptest,458b9821-8f00-483f-acf9-ff6ab17332c4,eastus,BugBashTest,,Test Doc with Creditcard.docx,https://aipclptest.blob.core.windows.net/aipscan/Finance/Test Doc with Creditcard.docx,File,"2/13/2020, 7:54:02.000 PM","2/13/2020, 7:54:02.000 PM",,"11/1/2021, 4:09:15.735 PM",docx,12800,Classification,System,"[""Credit Card Number"",""EU Debit Card Number""]",2,,,,,PurviewDataSensitivityLogs,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourcegroups/purview-sentinel-bug-bash/providers/microsoft.purview/accounts/sentinel-bug-bash-eastus2 -d80e74e9-da11-4572-babc-79349f7685cc,"11/1/2021, 4:12:40.423 PM",00000000-0000-0000-0000-000000000000,DataSensitivityLogEvent,72f988bf-86f1-41af-91ab-2d7cd011db47,458b9821-8f00-483f-acf9-ff6ab17332c4,Sentinel-Bug-Bash-EastUS2,eastus2,AzureBlob-Bc2,AzureBlob,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourceGroups/classification-test/providers/Microsoft.Storage/storageAccounts/aipclptest,458b9821-8f00-483f-acf9-ff6ab17332c4,eastus,BugBashTest,,Acme Direct Deposit Form-Katana.xls,https://aipclptest.blob.core.windows.net/aipscan/CredScan/Acme Direct Deposit Form-Katana.xls,File,"2/13/2020, 7:53:39.000 PM","2/13/2020, 7:53:39.000 PM",,"11/1/2021, 4:09:16.251 PM",xls,119808,Classification,System,"[""U.S. Social Security Number (SSN)""]",1,,,,,PurviewDataSensitivityLogs,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourcegroups/purview-sentinel-bug-bash/providers/microsoft.purview/accounts/sentinel-bug-bash-eastus2 -d80e74e9-da11-4572-babc-79349f7685cc,"11/1/2021, 4:12:40.430 PM",00000000-0000-0000-0000-000000000000,DataSensitivityLogEvent,72f988bf-86f1-41af-91ab-2d7cd011db47,458b9821-8f00-483f-acf9-ff6ab17332c4,Sentinel-Bug-Bash-EastUS2,eastus2,AzureBlob-Bc2,AzureBlob,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourceGroups/classification-test/providers/Microsoft.Storage/storageAccounts/aipclptest,458b9821-8f00-483f-acf9-ff6ab17332c4,eastus,BugBashTest,,Acme Parking Form.doc,https://aipclptest.blob.core.windows.net/aipscan/CredScan/Acme Parking Form.doc,File,"2/13/2020, 7:53:39.000 PM","2/13/2020, 7:53:39.000 PM",,"11/1/2021, 4:09:16.266 PM",doc,61952,Classification,System,"[""EU Driver's License Number"",""Malta Driver's License Number"",""Slovakia Driver's License Number"",""U.S. Social Security Number (SSN)""]",4,,,,,PurviewDataSensitivityLogs,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourcegroups/purview-sentinel-bug-bash/providers/microsoft.purview/accounts/sentinel-bug-bash-eastus2 -d80e74e9-da11-4572-babc-79349f7685cc,"11/1/2021, 4:12:40.489 PM",00000000-0000-0000-0000-000000000000,DataSensitivityLogEvent,72f988bf-86f1-41af-91ab-2d7cd011db47,458b9821-8f00-483f-acf9-ff6ab17332c4,Sentinel-Bug-Bash-EastUS2,eastus2,AzureBlob-Bc2,AzureBlob,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourceGroups/classification-test/providers/Microsoft.Storage/storageAccounts/aipclptest,458b9821-8f00-483f-acf9-ff6ab17332c4,eastus,BugBashTest,,Acme Request for Time Off.doc,https://aipclptest.blob.core.windows.net/aipscan/CredScan/Acme Request for Time Off.doc,File,"2/13/2020, 7:53:39.000 PM","2/13/2020, 7:53:39.000 PM",,"11/1/2021, 4:09:16.048 PM",doc,40960,Classification,System,"[""U.S. Social Security Number (SSN)""]",1,,,,,PurviewDataSensitivityLogs,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourcegroups/purview-sentinel-bug-bash/providers/microsoft.purview/accounts/sentinel-bug-bash-eastus2 -d80e74e9-da11-4572-babc-79349f7685cc,"11/1/2021, 4:12:40.495 PM",00000000-0000-0000-0000-000000000000,DataSensitivityLogEvent,72f988bf-86f1-41af-91ab-2d7cd011db47,458b9821-8f00-483f-acf9-ff6ab17332c4,Sentinel-Bug-Bash-EastUS2,eastus2,AzureBlob-Bc2,AzureBlob,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourceGroups/classification-test/providers/Microsoft.Storage/storageAccounts/aipclptest,458b9821-8f00-483f-acf9-ff6ab17332c4,eastus,BugBashTest,,Credit Card Spreadsheet-Katana.xls,https://aipclptest.blob.core.windows.net/aipscan/CredScan/Credit Card Spreadsheet-Katana.xls,File,"2/13/2020, 7:53:38.000 PM","2/13/2020, 7:53:38.000 PM",,"11/1/2021, 4:09:16.001 PM",xls,30208,Classification,System,"[""Credit Card Number""]",1,,,,,PurviewDataSensitivityLogs,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourcegroups/purview-sentinel-bug-bash/providers/microsoft.purview/accounts/sentinel-bug-bash-eastus2 -d80e74e9-da11-4572-babc-79349f7685cc,"11/1/2021, 4:12:40.961 PM",00000000-0000-0000-0000-000000000000,DataSensitivityLogEvent,72f988bf-86f1-41af-91ab-2d7cd011db47,458b9821-8f00-483f-acf9-ff6ab17332c4,Sentinel-Bug-Bash-EastUS2,eastus2,AzureBlob-Bc2,AzureBlob,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourceGroups/classification-test/providers/Microsoft.Storage/storageAccounts/aipclptest,458b9821-8f00-483f-acf9-ff6ab17332c4,eastus,BugBashTest,,fr-cni-pdf.pdf,https://aipclptest.blob.core.windows.net/aashishr01/fr-cni-pdf.pdf,File,"12/11/2020, 8:59:35.000 PM","12/11/2020, 8:59:35.000 PM",,"11/1/2021, 4:09:09.779 PM",pdf,327291,Labeling,Default,[],0,9fbde396-1a24-4c79-8edf-9254a0f35055,Confidential\Microsoft Extended,,,PurviewDataSensitivityLogs,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourcegroups/purview-sentinel-bug-bash/providers/microsoft.purview/accounts/sentinel-bug-bash-eastus2 -d80e74e9-da11-4572-babc-79349f7685cc,"11/1/2021, 4:12:41.036 PM",00000000-0000-0000-0000-000000000000,DataSensitivityLogEvent,72f988bf-86f1-41af-91ab-2d7cd011db47,458b9821-8f00-483f-acf9-ff6ab17332c4,Sentinel-Bug-Bash-EastUS2,eastus2,AzureBlob-Bc2,AzureBlob,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourceGroups/classification-test/providers/Microsoft.Storage/storageAccounts/aipclptest,458b9821-8f00-483f-acf9-ff6ab17332c4,eastus,BugBashTest,,finland.txt,https://aipclptest.blob.core.windows.net/test2/finland.txt,File,"5/13/2021, 6:37:48.000 PM","5/13/2021, 6:37:48.000 PM",,"11/1/2021, 4:09:09.247 PM",txt,89,Labeling,Default,[],0,9fbde396-1a24-4c79-8edf-9254a0f35055,Confidential\Microsoft Extended,,,PurviewDataSensitivityLogs,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourcegroups/purview-sentinel-bug-bash/providers/microsoft.purview/accounts/sentinel-bug-bash-eastus2 -d80e74e9-da11-4572-babc-79349f7685cc,"11/1/2021, 4:12:41.282 PM",00000000-0000-0000-0000-000000000000,DataSensitivityLogEvent,72f988bf-86f1-41af-91ab-2d7cd011db47,458b9821-8f00-483f-acf9-ff6ab17332c4,Sentinel-Bug-Bash-EastUS2,eastus2,AzureBlob-Bc2,AzureBlob,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourceGroups/classification-test/providers/Microsoft.Storage/storageAccounts/aipclptest,458b9821-8f00-483f-acf9-ff6ab17332c4,eastus,BugBashTest,,cz-id.docx,https://aipclptest.blob.core.windows.net/aashishr01/cz-id.docx,File,"12/11/2020, 8:59:35.000 PM","12/11/2020, 8:59:35.000 PM",,"11/1/2021, 4:09:09.529 PM",docx,26105,Labeling,Default,[],0,9fbde396-1a24-4c79-8edf-9254a0f35055,Confidential\Microsoft Extended,,,PurviewDataSensitivityLogs,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourcegroups/purview-sentinel-bug-bash/providers/microsoft.purview/accounts/sentinel-bug-bash-eastus2 -d80e74e9-da11-4572-babc-79349f7685cc,"11/1/2021, 4:12:41.282 PM",00000000-0000-0000-0000-000000000000,DataSensitivityLogEvent,72f988bf-86f1-41af-91ab-2d7cd011db47,458b9821-8f00-483f-acf9-ff6ab17332c4,Sentinel-Bug-Bash-EastUS2,eastus2,AzureBlob-Bc2,AzureBlob,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourceGroups/classification-test/providers/Microsoft.Storage/storageAccounts/aipclptest,458b9821-8f00-483f-acf9-ff6ab17332c4,eastus,BugBashTest,,finland.txt,https://aipclptest.blob.core.windows.net/aashishr01/finland.txt,File,"12/11/2020, 8:59:33.000 PM","12/11/2020, 8:59:33.000 PM",,"11/1/2021, 4:09:09.701 PM",txt,89,Labeling,Default,[],0,9fbde396-1a24-4c79-8edf-9254a0f35055,Confidential\Microsoft Extended,,,PurviewDataSensitivityLogs,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourcegroups/purview-sentinel-bug-bash/providers/microsoft.purview/accounts/sentinel-bug-bash-eastus2 -d80e74e9-da11-4572-babc-79349f7685cc,"11/1/2021, 4:12:41.320 PM",00000000-0000-0000-0000-000000000000,DataSensitivityLogEvent,72f988bf-86f1-41af-91ab-2d7cd011db47,458b9821-8f00-483f-acf9-ff6ab17332c4,Sentinel-Bug-Bash-EastUS2,eastus2,AzureBlob-Bc2,AzureBlob,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourceGroups/classification-test/providers/Microsoft.Storage/storageAccounts/aipclptest,458b9821-8f00-483f-acf9-ff6ab17332c4,eastus,BugBashTest,,el-id.docx,https://aipclptest.blob.core.windows.net/aashishr01/el-id.docx,File,"12/11/2020, 8:59:35.000 PM","12/11/2020, 8:59:35.000 PM",,"11/1/2021, 4:09:10.138 PM",docx,26163,Labeling,Default,[],0,9fbde396-1a24-4c79-8edf-9254a0f35055,Confidential\Microsoft Extended,,,PurviewDataSensitivityLogs,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourcegroups/purview-sentinel-bug-bash/providers/microsoft.purview/accounts/sentinel-bug-bash-eastus2 -d80e74e9-da11-4572-babc-79349f7685cc,"11/1/2021, 4:12:41.362 PM",00000000-0000-0000-0000-000000000000,DataSensitivityLogEvent,72f988bf-86f1-41af-91ab-2d7cd011db47,458b9821-8f00-483f-acf9-ff6ab17332c4,Sentinel-Bug-Bash-EastUS2,eastus2,AzureBlob-Bc2,AzureBlob,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourceGroups/classification-test/providers/Microsoft.Storage/storageAccounts/aipclptest,458b9821-8f00-483f-acf9-ff6ab17332c4,eastus,BugBashTest,,germany.txt,https://aipclptest.blob.core.windows.net/aashishr01/germany.txt,File,"12/11/2020, 8:59:33.000 PM","12/11/2020, 8:59:33.000 PM",,"11/1/2021, 4:09:09.779 PM",txt,42,Labeling,Default,[],0,9fbde396-1a24-4c79-8edf-9254a0f35055,Confidential\Microsoft Extended,,,PurviewDataSensitivityLogs,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourcegroups/purview-sentinel-bug-bash/providers/microsoft.purview/accounts/sentinel-bug-bash-eastus2 -d80e74e9-da11-4572-babc-79349f7685cc,"11/1/2021, 4:12:42.012 PM",00000000-0000-0000-0000-000000000000,DataSensitivityLogEvent,72f988bf-86f1-41af-91ab-2d7cd011db47,458b9821-8f00-483f-acf9-ff6ab17332c4,Sentinel-Bug-Bash-EastUS2,eastus2,AzureBlob-Bc2,AzureBlob,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourceGroups/classification-test/providers/Microsoft.Storage/storageAccounts/aipclptest,458b9821-8f00-483f-acf9-ff6ab17332c4,eastus,BugBashTest,,de-pn.docx,https://aipclptest.blob.core.windows.net/aashishr01/de-pn.docx,File,"12/11/2020, 8:59:35.000 PM","12/11/2020, 8:59:35.000 PM",,"11/1/2021, 4:09:09.622 PM",docx,26060,Labeling,Default,[],0,9fbde396-1a24-4c79-8edf-9254a0f35055,Confidential\Microsoft Extended,,,PurviewDataSensitivityLogs,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourcegroups/purview-sentinel-bug-bash/providers/microsoft.purview/accounts/sentinel-bug-bash-eastus2 -d80e74e9-da11-4572-babc-79349f7685cc,"11/1/2021, 4:12:42.076 PM",00000000-0000-0000-0000-000000000000,DataSensitivityLogEvent,72f988bf-86f1-41af-91ab-2d7cd011db47,458b9821-8f00-483f-acf9-ff6ab17332c4,Sentinel-Bug-Bash-EastUS2,eastus2,AzureBlob-Bc2,AzureBlob,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourceGroups/classification-test/providers/Microsoft.Storage/storageAccounts/aipclptest,458b9821-8f00-483f-acf9-ff6ab17332c4,eastus,BugBashTest,,denmark.txt,https://aipclptest.blob.core.windows.net/aipscan/PII/denmark.txt,File,"2/13/2020, 7:54:22.000 PM","2/13/2020, 7:54:22.000 PM",,"11/1/2021, 4:09:20.473 PM",txt,128,Labeling,Default,[],0,9fbde396-1a24-4c79-8edf-9254a0f35055,Confidential\Microsoft Extended,,,PurviewDataSensitivityLogs,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourcegroups/purview-sentinel-bug-bash/providers/microsoft.purview/accounts/sentinel-bug-bash-eastus2 -d80e74e9-da11-4572-babc-79349f7685cc,"11/1/2021, 4:12:42.128 PM",00000000-0000-0000-0000-000000000000,DataSensitivityLogEvent,72f988bf-86f1-41af-91ab-2d7cd011db47,458b9821-8f00-483f-acf9-ff6ab17332c4,Sentinel-Bug-Bash-EastUS2,eastus2,AzureBlob-Bc2,AzureBlob,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourceGroups/classification-test/providers/Microsoft.Storage/storageAccounts/aipclptest,458b9821-8f00-483f-acf9-ff6ab17332c4,eastus,BugBashTest,,finland.txt,https://aipclptest.blob.core.windows.net/joselw-test/finland.txt,File,"8/16/2021, 8:56:14.000 PM","8/16/2021, 8:56:14.000 PM",,"11/1/2021, 4:09:14.423 PM",txt,89,Labeling,Default,[],0,9fbde396-1a24-4c79-8edf-9254a0f35055,Confidential\Microsoft Extended,,,PurviewDataSensitivityLogs,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourcegroups/purview-sentinel-bug-bash/providers/microsoft.purview/accounts/sentinel-bug-bash-eastus2 -d80e74e9-da11-4572-babc-79349f7685cc,"11/1/2021, 4:12:42.154 PM",00000000-0000-0000-0000-000000000000,DataSensitivityLogEvent,72f988bf-86f1-41af-91ab-2d7cd011db47,458b9821-8f00-483f-acf9-ff6ab17332c4,Sentinel-Bug-Bash-EastUS2,eastus2,AzureBlob-Bc2,AzureBlob,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourceGroups/classification-test/providers/Microsoft.Storage/storageAccounts/aipclptest,458b9821-8f00-483f-acf9-ff6ab17332c4,eastus,BugBashTest,,de-id.docx,https://aipclptest.blob.core.windows.net/satintestcontainer/de-id.docx,File,"5/12/2021, 6:56:20.000 PM","5/12/2021, 6:56:20.000 PM",,"11/1/2021, 4:09:15.266 PM",docx,25558,Labeling,Default,[],0,9fbde396-1a24-4c79-8edf-9254a0f35055,Confidential\Microsoft Extended,,,PurviewDataSensitivityLogs,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourcegroups/purview-sentinel-bug-bash/providers/microsoft.purview/accounts/sentinel-bug-bash-eastus2 -d80e74e9-da11-4572-babc-79349f7685cc,"11/1/2021, 4:12:42.157 PM",00000000-0000-0000-0000-000000000000,DataSensitivityLogEvent,72f988bf-86f1-41af-91ab-2d7cd011db47,458b9821-8f00-483f-acf9-ff6ab17332c4,Sentinel-Bug-Bash-EastUS2,eastus2,AzureBlob-Bc2,AzureBlob,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourceGroups/classification-test/providers/Microsoft.Storage/storageAccounts/aipclptest,458b9821-8f00-483f-acf9-ff6ab17332c4,eastus,BugBashTest,,Acme Request for Time Off.doc,https://aipclptest.blob.core.windows.net/aipscan/CredScan/Acme Request for Time Off.doc,File,"2/13/2020, 7:53:39.000 PM","2/13/2020, 7:53:39.000 PM",,"11/1/2021, 4:09:16.048 PM",doc,40960,Labeling,Default,[],0,9fbde396-1a24-4c79-8edf-9254a0f35055,Confidential\Microsoft Extended,,,PurviewDataSensitivityLogs,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourcegroups/purview-sentinel-bug-bash/providers/microsoft.purview/accounts/sentinel-bug-bash-eastus2 -d80e74e9-da11-4572-babc-79349f7685cc,"11/1/2021, 4:12:42.372 PM",00000000-0000-0000-0000-000000000000,DataSensitivityLogEvent,72f988bf-86f1-41af-91ab-2d7cd011db47,458b9821-8f00-483f-acf9-ff6ab17332c4,Sentinel-Bug-Bash-EastUS2,eastus2,AzureBlob-Bc2,AzureBlob,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourceGroups/classification-test/providers/Microsoft.Storage/storageAccounts/aipclptest,458b9821-8f00-483f-acf9-ff6ab17332c4,eastus,BugBashTest,,multiple.docx,https://aipclptest.blob.core.windows.net/aashishr01/multiple.docx,File,"12/11/2020, 8:59:33.000 PM","12/11/2020, 8:59:33.000 PM",,"11/1/2021, 4:09:09.622 PM",docx,24336,Labeling,Default,[],0,9fbde396-1a24-4c79-8edf-9254a0f35055,Confidential\Microsoft Extended,,,PurviewDataSensitivityLogs,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourcegroups/purview-sentinel-bug-bash/providers/microsoft.purview/accounts/sentinel-bug-bash-eastus2 -d80e74e9-da11-4572-babc-79349f7685cc,"11/1/2021, 4:12:42.386 PM",00000000-0000-0000-0000-000000000000,DataSensitivityLogEvent,72f988bf-86f1-41af-91ab-2d7cd011db47,458b9821-8f00-483f-acf9-ff6ab17332c4,Sentinel-Bug-Bash-EastUS2,eastus2,AzureBlob-Bc2,AzureBlob,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourceGroups/classification-test/providers/Microsoft.Storage/storageAccounts/aipclptest,458b9821-8f00-483f-acf9-ff6ab17332c4,eastus,BugBashTest,,denmark.txt,https://aipclptest.blob.core.windows.net/aipscan/HR/denmark.txt,File,"2/13/2020, 7:54:12.000 PM","2/13/2020, 7:54:12.000 PM",,"11/1/2021, 4:09:21.223 PM",txt,128,Labeling,Default,[],0,9fbde396-1a24-4c79-8edf-9254a0f35055,Confidential\Microsoft Extended,,,PurviewDataSensitivityLogs,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourcegroups/purview-sentinel-bug-bash/providers/microsoft.purview/accounts/sentinel-bug-bash-eastus2 -d80e74e9-da11-4572-babc-79349f7685cc,"11/1/2021, 4:12:42.422 PM",00000000-0000-0000-0000-000000000000,DataSensitivityLogEvent,72f988bf-86f1-41af-91ab-2d7cd011db47,458b9821-8f00-483f-acf9-ff6ab17332c4,Sentinel-Bug-Bash-EastUS2,eastus2,AzureBlob-Bc2,AzureBlob,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourceGroups/classification-test/providers/Microsoft.Storage/storageAccounts/aipclptest,458b9821-8f00-483f-acf9-ff6ab17332c4,eastus,BugBashTest,,it-drv.docx,https://aipclptest.blob.core.windows.net/joselw-test/it-drv.docx,File,"8/16/2021, 8:56:13.000 PM","8/16/2021, 8:56:13.000 PM",,"11/1/2021, 4:09:10.138 PM",docx,19572,Labeling,Default,[],0,9fbde396-1a24-4c79-8edf-9254a0f35055,Confidential\Microsoft Extended,,,PurviewDataSensitivityLogs,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourcegroups/purview-sentinel-bug-bash/providers/microsoft.purview/accounts/sentinel-bug-bash-eastus2 -d80e74e9-da11-4572-babc-79349f7685cc,"11/1/2021, 4:12:42.424 PM",00000000-0000-0000-0000-000000000000,DataSensitivityLogEvent,72f988bf-86f1-41af-91ab-2d7cd011db47,458b9821-8f00-483f-acf9-ff6ab17332c4,Sentinel-Bug-Bash-EastUS2,eastus2,AzureBlob-Bc2,AzureBlob,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourceGroups/classification-test/providers/Microsoft.Storage/storageAccounts/aipclptest,458b9821-8f00-483f-acf9-ff6ab17332c4,eastus,BugBashTest,,it-drv.docx,https://aipclptest.blob.core.windows.net/aashishr01/it-drv.docx,File,"12/11/2020, 8:59:33.000 PM","12/11/2020, 8:59:33.000 PM",,"11/1/2021, 4:09:09.857 PM",docx,26098,Labeling,Default,[],0,9fbde396-1a24-4c79-8edf-9254a0f35055,Confidential\Microsoft Extended,,,PurviewDataSensitivityLogs,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourcegroups/purview-sentinel-bug-bash/providers/microsoft.purview/accounts/sentinel-bug-bash-eastus2 -d80e74e9-da11-4572-babc-79349f7685cc,"11/1/2021, 4:12:42.470 PM",00000000-0000-0000-0000-000000000000,DataSensitivityLogEvent,72f988bf-86f1-41af-91ab-2d7cd011db47,458b9821-8f00-483f-acf9-ff6ab17332c4,Sentinel-Bug-Bash-EastUS2,eastus2,AzureBlob-Bc2,AzureBlob,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourceGroups/classification-test/providers/Microsoft.Storage/storageAccounts/aipclptest,458b9821-8f00-483f-acf9-ff6ab17332c4,eastus,BugBashTest,,fr-cni.docx,https://aipclptest.blob.core.windows.net/aipscan/HR/fr-cni.docx,File,"2/13/2020, 7:54:12.000 PM","2/13/2020, 7:54:12.000 PM",,"11/1/2021, 4:09:21.223 PM",docx,20795,Classification,System,"[""EU National Identification Number"",""France National ID Card (CNI)""]",2,,,,,PurviewDataSensitivityLogs,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourcegroups/purview-sentinel-bug-bash/providers/microsoft.purview/accounts/sentinel-bug-bash-eastus2 -d80e74e9-da11-4572-babc-79349f7685cc,"11/1/2021, 4:12:42.470 PM",00000000-0000-0000-0000-000000000000,DataSensitivityLogEvent,72f988bf-86f1-41af-91ab-2d7cd011db47,458b9821-8f00-483f-acf9-ff6ab17332c4,Sentinel-Bug-Bash-EastUS2,eastus2,AzureBlob-Bc2,AzureBlob,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourceGroups/classification-test/providers/Microsoft.Storage/storageAccounts/aipclptest,458b9821-8f00-483f-acf9-ff6ab17332c4,eastus,BugBashTest,,fr-cni.docx,https://aipclptest.blob.core.windows.net/aipscan/HR/fr-cni.docx,File,"2/13/2020, 7:54:12.000 PM","2/13/2020, 7:54:12.000 PM",,"11/1/2021, 4:09:21.223 PM",docx,20795,Labeling,External,[],0,f42aa342-8706-4288-bd11-ebb85995028c,General,,,PurviewDataSensitivityLogs,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourcegroups/purview-sentinel-bug-bash/providers/microsoft.purview/accounts/sentinel-bug-bash-eastus2 -d80e74e9-da11-4572-babc-79349f7685cc,"11/1/2021, 4:12:42.471 PM",00000000-0000-0000-0000-000000000000,DataSensitivityLogEvent,72f988bf-86f1-41af-91ab-2d7cd011db47,458b9821-8f00-483f-acf9-ff6ab17332c4,Sentinel-Bug-Bash-EastUS2,eastus2,AzureBlob-Bc2,AzureBlob,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourceGroups/classification-test/providers/Microsoft.Storage/storageAccounts/aipclptest,458b9821-8f00-483f-acf9-ff6ab17332c4,eastus,BugBashTest,,create samples.xlsx,https://aipclptest.blob.core.windows.net/aipscan/PII/create samples.xlsx,File,"2/13/2020, 7:54:22.000 PM","2/13/2020, 7:54:22.000 PM",,"11/1/2021, 4:09:21.254 PM",xlsx,21343,Classification,System,"[""ABA Routing Number"",""Argentina National Identity (DNI) Number"",""Australia Bank Account Number"",""Australia Driver's License Number"",""Australia Medical Account Number"",""Australia Passport Number"",""Australia Tax File Number"",""Austria Driver's License Number"",""Austria Passport Number"",""Belgium Driver's License Number"",""Belgium Passport Number"",""Brazil CPF Number"",""Brazil Legal Entity Number (CNPJ)"",""Brazil National ID Card (RG)"",""Bulgaria Driver's License Number"",""Bulgaria Passport Number"",""Canada Bank Account Number"",""Canada Driver's License Number"",""Canada Health Service Number"",""Canada Passport Number"",""Canada Personal Health Identification Number (PHIN)"",""Canada Social Insurance Number"",""Chile Identity Card Number"",""China Resident Identity Card (PRC) Number"",""Credit Card Number"",""Croatia Driver's License Number"",""Croatia Passport Number"",""Cyprus Driver's License Number"",""Cyprus Identity Card"",""Czech Personal Identity Number"",""Czech Republic Passport Number"",""Denmark Driver's License Number"",""Denmark Passport Number"",""Denmark Personal Identification Number"",""Estonia Passport Number"",""EU Debit Card Number"",""EU Driver's License Number"",""EU National Identification Number"",""EU Passport Number"",""EU Social Security Number (SSN) or Equivalent ID"",""EU Tax Identification Number (TIN)"",""Finland National ID"",""Finland Passport Number"",""France Driver's License Number"",""France National ID Card (CNI)"",""France Social Security Number (INSEE)"",""German Driver's License Number"",""German Passport Number"",""Germany Identity Card Number"",""Greece Driver's License Number"",""Greece National ID Card"",""Greece Passport Number"",""Hungarian Social Security Number (TAJ)"",""Hungary Passport Number"",""India Permanent Account Number (PAN)"",""India Unique Identification (Aadhaar) Number"",""Indonesia Identity Card (KTP) Number"",""International Banking Account Number (IBAN)"",""IP Address"",""Ireland Passport Number"",""Ireland Personal Public Service (PPS) Number"",""Israel Bank Account Number"",""Israel National ID"",""Italy Driver's License Number"",""Italy Passport Number"",""Japan Bank Account Number"",""Japan Driver's License Number"",""Japan Passport Number"",""Japan Resident Registration Number"",""Japan Social Insurance Number (SIN)"",""Lithuania Driver's License Number"",""Lithuania Passport Number"",""Luxemburg Passport Number"",""Malaysia Identity Card Number"",""Malta Driver's License Number"",""Malta Passport Number"",""Netherlands Driver's License Number"",""Netherlands Passport Number"",""New Zealand Ministry of Health Number"",""Norway Identity Number"",""Philippines Unified Multi-Purpose ID Number"",""Poland Identity Card"",""Romania Driver's License Number"",""Romania Passport Number"",""Russian Passport Number (Domestic)"",""Russian Passport Number (International)"",""Saudi Arabia National ID"",""Singapore National Registration Identity Card (NRIC) Number"",""Slovakia Driver's License Number"",""Slovakia Passport Number"",""Slovakia Personal Number"",""Slovenia Driver's License Number"",""Slovenia Passport Number"",""South Africa Identification Number"",""South Korea Resident Registration Number"",""Spain Social Security Number (SSN)"",""Sweden National ID"",""Sweden Passport Number"",""Sweden Tax Identification Number"",""SWIFT Code"",""Taiwan National ID"",""Taiwan Passport Number"",""Taiwan Resident Certificate (ARC/TARC)"",""U.K. Driver's License Number"",""U.K. Electoral Roll Number"",""U.K. National Health Service Number"",""U.K. National Insurance Number (NINO)"",""U.K. Unique Taxpayer Reference Number"",""U.S. / U.K. Passport Number"",""U.S. Bank Account Number"",""U.S. Individual Taxpayer Identification Number (ITIN)"",""U.S. Social Security Number (SSN)"",""Ukraine Passport Number (Domestic)"",""Ukraine Passport Number (International)""]",114,,,,,PurviewDataSensitivityLogs,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourcegroups/purview-sentinel-bug-bash/providers/microsoft.purview/accounts/sentinel-bug-bash-eastus2 -d80e74e9-da11-4572-babc-79349f7685cc,"11/1/2021, 4:12:42.471 PM",00000000-0000-0000-0000-000000000000,DataSensitivityLogEvent,72f988bf-86f1-41af-91ab-2d7cd011db47,458b9821-8f00-483f-acf9-ff6ab17332c4,Sentinel-Bug-Bash-EastUS2,eastus2,AzureBlob-Bc2,AzureBlob,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourceGroups/classification-test/providers/Microsoft.Storage/storageAccounts/aipclptest,458b9821-8f00-483f-acf9-ff6ab17332c4,eastus,BugBashTest,,create samples.xlsx,https://aipclptest.blob.core.windows.net/aipscan/PII/create samples.xlsx,File,"2/13/2020, 7:54:22.000 PM","2/13/2020, 7:54:22.000 PM",,"11/1/2021, 4:09:21.254 PM",xlsx,21343,Labeling,External,[],0,f42aa342-8706-4288-bd11-ebb85995028c,General,,,PurviewDataSensitivityLogs,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourcegroups/purview-sentinel-bug-bash/providers/microsoft.purview/accounts/sentinel-bug-bash-eastus2 -d80e74e9-da11-4572-babc-79349f7685cc,"11/1/2021, 4:12:42.476 PM",00000000-0000-0000-0000-000000000000,DataSensitivityLogEvent,72f988bf-86f1-41af-91ab-2d7cd011db47,458b9821-8f00-483f-acf9-ff6ab17332c4,Sentinel-Bug-Bash-EastUS2,eastus2,AzureBlob-Bc2,AzureBlob,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourceGroups/classification-test/providers/Microsoft.Storage/storageAccounts/aipclptest,458b9821-8f00-483f-acf9-ff6ab17332c4,eastus,BugBashTest,,fr-insee.docx,https://aipclptest.blob.core.windows.net/aashishr01/fr-insee.docx,File,"12/11/2020, 8:59:33.000 PM","12/11/2020, 8:59:33.000 PM",,"11/1/2021, 4:09:09.950 PM",docx,26254,Labeling,Default,[],0,9fbde396-1a24-4c79-8edf-9254a0f35055,Confidential\Microsoft Extended,,,PurviewDataSensitivityLogs,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourcegroups/purview-sentinel-bug-bash/providers/microsoft.purview/accounts/sentinel-bug-bash-eastus2 -d80e74e9-da11-4572-babc-79349f7685cc,"11/1/2021, 4:12:42.476 PM",00000000-0000-0000-0000-000000000000,DataSensitivityLogEvent,72f988bf-86f1-41af-91ab-2d7cd011db47,458b9821-8f00-483f-acf9-ff6ab17332c4,Sentinel-Bug-Bash-EastUS2,eastus2,AzureBlob-Bc2,AzureBlob,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourceGroups/classification-test/providers/Microsoft.Storage/storageAccounts/aipclptest,458b9821-8f00-483f-acf9-ff6ab17332c4,eastus,BugBashTest,,de-id.docx,https://aipclptest.blob.core.windows.net/aashishr01/de-id.docx,File,"12/11/2020, 8:59:35.000 PM","12/11/2020, 8:59:35.000 PM",,"11/1/2021, 4:09:09.701 PM",docx,25558,Labeling,Default,[],0,9fbde396-1a24-4c79-8edf-9254a0f35055,Confidential\Microsoft Extended,,,PurviewDataSensitivityLogs,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourcegroups/purview-sentinel-bug-bash/providers/microsoft.purview/accounts/sentinel-bug-bash-eastus2 -d80e74e9-da11-4572-babc-79349f7685cc,"11/1/2021, 4:12:42.509 PM",00000000-0000-0000-0000-000000000000,DataSensitivityLogEvent,72f988bf-86f1-41af-91ab-2d7cd011db47,458b9821-8f00-483f-acf9-ff6ab17332c4,Sentinel-Bug-Bash-EastUS2,eastus2,AzureBlob-Bc2,AzureBlob,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourceGroups/classification-test/providers/Microsoft.Storage/storageAccounts/aipclptest,458b9821-8f00-483f-acf9-ff6ab17332c4,eastus,BugBashTest,,Customers data2015.docx,https://aipclptest.blob.core.windows.net/satintestcontainer/Customers data2015.docx,File,"6/17/2021, 3:18:46.000 AM","6/17/2021, 3:18:46.000 AM",,"11/1/2021, 4:09:15.188 PM",docx,11141,Labeling,Default,[],0,9fbde396-1a24-4c79-8edf-9254a0f35055,Confidential\Microsoft Extended,,,PurviewDataSensitivityLogs,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourcegroups/purview-sentinel-bug-bash/providers/microsoft.purview/accounts/sentinel-bug-bash-eastus2 -d80e74e9-da11-4572-babc-79349f7685cc,"11/1/2021, 4:12:42.510 PM",00000000-0000-0000-0000-000000000000,DataSensitivityLogEvent,72f988bf-86f1-41af-91ab-2d7cd011db47,458b9821-8f00-483f-acf9-ff6ab17332c4,Sentinel-Bug-Bash-EastUS2,eastus2,AzureBlob-Bc2,AzureBlob,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourceGroups/classification-test/providers/Microsoft.Storage/storageAccounts/aipclptest,458b9821-8f00-483f-acf9-ff6ab17332c4,eastus,BugBashTest,,uk-drv.docx,https://aipclptest.blob.core.windows.net/aashishr01/uk-drv.docx,File,"12/11/2020, 8:59:35.000 PM","12/11/2020, 8:59:35.000 PM",,"11/1/2021, 4:09:10.013 PM",docx,26212,Labeling,Default,[],0,9fbde396-1a24-4c79-8edf-9254a0f35055,Confidential\Microsoft Extended,,,PurviewDataSensitivityLogs,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourcegroups/purview-sentinel-bug-bash/providers/microsoft.purview/accounts/sentinel-bug-bash-eastus2 -d80e74e9-da11-4572-babc-79349f7685cc,"11/1/2021, 4:12:42.513 PM",00000000-0000-0000-0000-000000000000,DataSensitivityLogEvent,72f988bf-86f1-41af-91ab-2d7cd011db47,458b9821-8f00-483f-acf9-ff6ab17332c4,Sentinel-Bug-Bash-EastUS2,eastus2,AzureBlob-Bc2,AzureBlob,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourceGroups/classification-test/providers/Microsoft.Storage/storageAccounts/aipclptest,458b9821-8f00-483f-acf9-ff6ab17332c4,eastus,BugBashTest,,de-id.docx,https://aipclptest.blob.core.windows.net/test2/de-id.docx,File,"5/13/2021, 6:37:48.000 PM","5/13/2021, 6:37:48.000 PM",,"11/1/2021, 4:09:09.372 PM",docx,25558,Labeling,Default,[],0,9fbde396-1a24-4c79-8edf-9254a0f35055,Confidential\Microsoft Extended,,,PurviewDataSensitivityLogs,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourcegroups/purview-sentinel-bug-bash/providers/microsoft.purview/accounts/sentinel-bug-bash-eastus2 -d80e74e9-da11-4572-babc-79349f7685cc,"11/1/2021, 4:12:42.530 PM",00000000-0000-0000-0000-000000000000,DataSensitivityLogEvent,72f988bf-86f1-41af-91ab-2d7cd011db47,458b9821-8f00-483f-acf9-ff6ab17332c4,Sentinel-Bug-Bash-EastUS2,eastus2,AzureBlob-Bc2,AzureBlob,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourceGroups/classification-test/providers/Microsoft.Storage/storageAccounts/aipclptest,458b9821-8f00-483f-acf9-ff6ab17332c4,eastus,BugBashTest,,Acme Parking Form-Katana.doc,https://aipclptest.blob.core.windows.net/aipscan/CredScan/Acme Parking Form-Katana.doc,File,"2/13/2020, 7:53:39.000 PM","2/13/2020, 7:53:39.000 PM",,"11/1/2021, 4:09:16.094 PM",doc,57856,Classification,System,"[""EU Driver's License Number"",""Malta Driver's License Number"",""Slovakia Driver's License Number"",""U.S. Social Security Number (SSN)""]",4,,,,,PurviewDataSensitivityLogs,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourcegroups/purview-sentinel-bug-bash/providers/microsoft.purview/accounts/sentinel-bug-bash-eastus2 -d80e74e9-da11-4572-babc-79349f7685cc,"11/1/2021, 4:12:42.546 PM",00000000-0000-0000-0000-000000000000,DataSensitivityLogEvent,72f988bf-86f1-41af-91ab-2d7cd011db47,458b9821-8f00-483f-acf9-ff6ab17332c4,Sentinel-Bug-Bash-EastUS2,eastus2,AzureBlob-Bc2,AzureBlob,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourceGroups/classification-test/providers/Microsoft.Storage/storageAccounts/aipclptest,458b9821-8f00-483f-acf9-ff6ab17332c4,eastus,BugBashTest,,Acme Background Check-Katana.doc,https://aipclptest.blob.core.windows.net/aipscan/Acme Background Check-Katana.doc,File,"7/20/2020, 11:17:52.000 PM","8/12/2020, 10:48:18.000 PM",,"11/1/2021, 4:09:09.560 PM",doc,90624,Labeling,Default,[],0,9fbde396-1a24-4c79-8edf-9254a0f35055,Confidential\Microsoft Extended,,,PurviewDataSensitivityLogs,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourcegroups/purview-sentinel-bug-bash/providers/microsoft.purview/accounts/sentinel-bug-bash-eastus2 -d80e74e9-da11-4572-babc-79349f7685cc,"11/1/2021, 4:12:42.566 PM",00000000-0000-0000-0000-000000000000,DataSensitivityLogEvent,72f988bf-86f1-41af-91ab-2d7cd011db47,458b9821-8f00-483f-acf9-ff6ab17332c4,Sentinel-Bug-Bash-EastUS2,eastus2,AzureBlob-Bc2,AzureBlob,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourceGroups/classification-test/providers/Microsoft.Storage/storageAccounts/aipclptest,458b9821-8f00-483f-acf9-ff6ab17332c4,eastus,BugBashTest,,finland.txt,https://aipclptest.blob.core.windows.net/aipscan/HR/finland.txt,File,"2/13/2020, 7:54:12.000 PM","2/13/2020, 7:54:12.000 PM",,"11/1/2021, 4:09:15.704 PM",txt,89,Labeling,Default,[],0,9fbde396-1a24-4c79-8edf-9254a0f35055,Confidential\Microsoft Extended,,,PurviewDataSensitivityLogs,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourcegroups/purview-sentinel-bug-bash/providers/microsoft.purview/accounts/sentinel-bug-bash-eastus2 -d80e74e9-da11-4572-babc-79349f7685cc,"11/1/2021, 4:12:42.599 PM",00000000-0000-0000-0000-000000000000,DataSensitivityLogEvent,72f988bf-86f1-41af-91ab-2d7cd011db47,458b9821-8f00-483f-acf9-ff6ab17332c4,Sentinel-Bug-Bash-EastUS2,eastus2,AzureBlob-Bc2,AzureBlob,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourceGroups/classification-test/providers/Microsoft.Storage/storageAccounts/aipclptest,458b9821-8f00-483f-acf9-ff6ab17332c4,eastus,BugBashTest,,de-drv.docx,https://aipclptest.blob.core.windows.net/joselw-test/de-drv.docx,File,"8/16/2021, 8:56:14.000 PM","8/16/2021, 8:56:14.000 PM",,"11/1/2021, 4:09:14.579 PM",docx,18787,Classification,System,"[""EU Driver's License Number"",""German Driver's License Number""]",2,,,,,PurviewDataSensitivityLogs,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourcegroups/purview-sentinel-bug-bash/providers/microsoft.purview/accounts/sentinel-bug-bash-eastus2 -d80e74e9-da11-4572-babc-79349f7685cc,"11/1/2021, 4:12:42.599 PM",00000000-0000-0000-0000-000000000000,DataSensitivityLogEvent,72f988bf-86f1-41af-91ab-2d7cd011db47,458b9821-8f00-483f-acf9-ff6ab17332c4,Sentinel-Bug-Bash-EastUS2,eastus2,AzureBlob-Bc2,AzureBlob,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourceGroups/classification-test/providers/Microsoft.Storage/storageAccounts/aipclptest,458b9821-8f00-483f-acf9-ff6ab17332c4,eastus,BugBashTest,,cr-oib.docx,https://aipclptest.blob.core.windows.net/satintestcontainer/cr-oib.docx,File,"5/12/2021, 6:56:19.000 PM","5/12/2021, 6:56:19.000 PM",,"11/1/2021, 4:09:15.110 PM",docx,26098,Labeling,Default,[],0,9fbde396-1a24-4c79-8edf-9254a0f35055,Confidential\Microsoft Extended,,,PurviewDataSensitivityLogs,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourcegroups/purview-sentinel-bug-bash/providers/microsoft.purview/accounts/sentinel-bug-bash-eastus2 -d80e74e9-da11-4572-babc-79349f7685cc,"11/1/2021, 4:12:42.599 PM",00000000-0000-0000-0000-000000000000,DataSensitivityLogEvent,72f988bf-86f1-41af-91ab-2d7cd011db47,458b9821-8f00-483f-acf9-ff6ab17332c4,Sentinel-Bug-Bash-EastUS2,eastus2,AzureBlob-Bc2,AzureBlob,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourceGroups/classification-test/providers/Microsoft.Storage/storageAccounts/aipclptest,458b9821-8f00-483f-acf9-ff6ab17332c4,eastus,BugBashTest,,de-drv.docx,https://aipclptest.blob.core.windows.net/joselw-test/de-drv.docx,File,"8/16/2021, 8:56:14.000 PM","8/16/2021, 8:56:14.000 PM",,"11/1/2021, 4:09:14.579 PM",docx,18787,Labeling,External,[],0,f42aa342-8706-4288-bd11-ebb85995028c,General,,,PurviewDataSensitivityLogs,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourcegroups/purview-sentinel-bug-bash/providers/microsoft.purview/accounts/sentinel-bug-bash-eastus2 -d80e74e9-da11-4572-babc-79349f7685cc,"11/1/2021, 4:12:42.600 PM",00000000-0000-0000-0000-000000000000,DataSensitivityLogEvent,72f988bf-86f1-41af-91ab-2d7cd011db47,458b9821-8f00-483f-acf9-ff6ab17332c4,Sentinel-Bug-Bash-EastUS2,eastus2,AzureBlob-Bc2,AzureBlob,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourceGroups/classification-test/providers/Microsoft.Storage/storageAccounts/aipclptest,458b9821-8f00-483f-acf9-ff6ab17332c4,eastus,BugBashTest,,uk-roll.docx,https://aipclptest.blob.core.windows.net/joselw-test/uk-roll.docx,File,"8/16/2021, 8:56:13.000 PM","8/16/2021, 8:56:13.000 PM",,"11/1/2021, 4:09:14.579 PM",docx,18989,Classification,System,"[""U.K. Electoral Roll Number""]",1,,,,,PurviewDataSensitivityLogs,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourcegroups/purview-sentinel-bug-bash/providers/microsoft.purview/accounts/sentinel-bug-bash-eastus2 -d80e74e9-da11-4572-babc-79349f7685cc,"11/1/2021, 4:12:42.635 PM",00000000-0000-0000-0000-000000000000,DataSensitivityLogEvent,72f988bf-86f1-41af-91ab-2d7cd011db47,458b9821-8f00-483f-acf9-ff6ab17332c4,Sentinel-Bug-Bash-EastUS2,eastus2,AzureBlob-Bc2,AzureBlob,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourceGroups/classification-test/providers/Microsoft.Storage/storageAccounts/aipclptest,458b9821-8f00-483f-acf9-ff6ab17332c4,eastus,BugBashTest,,IR.txt,https://aipclptest.blob.core.windows.net/aipscan/PII/IR.txt,File,"2/13/2020, 7:54:22.000 PM","2/13/2020, 7:54:22.000 PM",,"11/1/2021, 4:09:20.754 PM",txt,197,Labeling,Default,[],0,9fbde396-1a24-4c79-8edf-9254a0f35055,Confidential\Microsoft Extended,,,PurviewDataSensitivityLogs,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourcegroups/purview-sentinel-bug-bash/providers/microsoft.purview/accounts/sentinel-bug-bash-eastus2 -d80e74e9-da11-4572-babc-79349f7685cc,"11/1/2021, 4:12:42.636 PM",00000000-0000-0000-0000-000000000000,DataSensitivityLogEvent,72f988bf-86f1-41af-91ab-2d7cd011db47,458b9821-8f00-483f-acf9-ff6ab17332c4,Sentinel-Bug-Bash-EastUS2,eastus2,AzureBlob-Bc2,AzureBlob,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourceGroups/classification-test/providers/Microsoft.Storage/storageAccounts/aipclptest,458b9821-8f00-483f-acf9-ff6ab17332c4,eastus,BugBashTest,,germany.txt,https://aipclptest.blob.core.windows.net/satintestcontainer/germany.txt,File,"5/12/2021, 6:56:19.000 PM","5/12/2021, 6:56:19.000 PM",,"11/1/2021, 4:09:15.141 PM",txt,42,Labeling,Default,[],0,9fbde396-1a24-4c79-8edf-9254a0f35055,Confidential\Microsoft Extended,,,PurviewDataSensitivityLogs,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourcegroups/purview-sentinel-bug-bash/providers/microsoft.purview/accounts/sentinel-bug-bash-eastus2 -d80e74e9-da11-4572-babc-79349f7685cc,"11/1/2021, 4:12:42.637 PM",00000000-0000-0000-0000-000000000000,DataSensitivityLogEvent,72f988bf-86f1-41af-91ab-2d7cd011db47,458b9821-8f00-483f-acf9-ff6ab17332c4,Sentinel-Bug-Bash-EastUS2,eastus2,AzureBlob-Bc2,AzureBlob,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourceGroups/classification-test/providers/Microsoft.Storage/storageAccounts/aipclptest,458b9821-8f00-483f-acf9-ff6ab17332c4,eastus,BugBashTest,,fi-id.docx,https://aipclptest.blob.core.windows.net/aashishr01/fi-id.docx,File,"12/11/2020, 8:59:33.000 PM","12/11/2020, 8:59:33.000 PM",,"11/1/2021, 4:09:09.654 PM",docx,26124,Labeling,Default,[],0,9fbde396-1a24-4c79-8edf-9254a0f35055,Confidential\Microsoft Extended,,,PurviewDataSensitivityLogs,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourcegroups/purview-sentinel-bug-bash/providers/microsoft.purview/accounts/sentinel-bug-bash-eastus2 -d80e74e9-da11-4572-babc-79349f7685cc,"11/1/2021, 4:12:42.638 PM",00000000-0000-0000-0000-000000000000,DataSensitivityLogEvent,72f988bf-86f1-41af-91ab-2d7cd011db47,458b9821-8f00-483f-acf9-ff6ab17332c4,Sentinel-Bug-Bash-EastUS2,eastus2,AzureBlob-Bc2,AzureBlob,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourceGroups/classification-test/providers/Microsoft.Storage/storageAccounts/aipclptest,458b9821-8f00-483f-acf9-ff6ab17332c4,eastus,BugBashTest,,IR.txt,https://aipclptest.blob.core.windows.net/joselw-test/IR.txt,File,"8/16/2021, 8:56:13.000 PM","8/16/2021, 8:56:13.000 PM",,"11/1/2021, 4:09:14.860 PM",txt,197,Labeling,Default,[],0,9fbde396-1a24-4c79-8edf-9254a0f35055,Confidential\Microsoft Extended,,,PurviewDataSensitivityLogs,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourcegroups/purview-sentinel-bug-bash/providers/microsoft.purview/accounts/sentinel-bug-bash-eastus2 -d80e74e9-da11-4572-babc-79349f7685cc,"11/1/2021, 4:12:42.645 PM",00000000-0000-0000-0000-000000000000,DataSensitivityLogEvent,72f988bf-86f1-41af-91ab-2d7cd011db47,458b9821-8f00-483f-acf9-ff6ab17332c4,Sentinel-Bug-Bash-EastUS2,eastus2,AzureBlob-Bc2,AzureBlob,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourceGroups/classification-test/providers/Microsoft.Storage/storageAccounts/aipclptest,458b9821-8f00-483f-acf9-ff6ab17332c4,eastus,BugBashTest,,cc.docx,https://aipclptest.blob.core.windows.net/aashishr01/cc.docx,File,"12/11/2020, 8:59:35.000 PM","12/11/2020, 8:59:35.000 PM",,"11/1/2021, 4:09:09.888 PM",docx,26121,Labeling,Default,[],0,9fbde396-1a24-4c79-8edf-9254a0f35055,Confidential\Microsoft Extended,,,PurviewDataSensitivityLogs,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourcegroups/purview-sentinel-bug-bash/providers/microsoft.purview/accounts/sentinel-bug-bash-eastus2 -d80e74e9-da11-4572-babc-79349f7685cc,"11/1/2021, 4:12:42.649 PM",00000000-0000-0000-0000-000000000000,DataSensitivityLogEvent,72f988bf-86f1-41af-91ab-2d7cd011db47,458b9821-8f00-483f-acf9-ff6ab17332c4,Sentinel-Bug-Bash-EastUS2,eastus2,AzureBlob-Bc2,AzureBlob,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourceGroups/classification-test/providers/Microsoft.Storage/storageAccounts/aipclptest,458b9821-8f00-483f-acf9-ff6ab17332c4,eastus,BugBashTest,,ir-pps.docx,https://aipclptest.blob.core.windows.net/joselw-test/ir-pps.docx,File,"8/16/2021, 8:56:13.000 PM","8/16/2021, 8:56:13.000 PM",,"11/1/2021, 4:09:14.579 PM",docx,19439,Labeling,Default,[],0,9fbde396-1a24-4c79-8edf-9254a0f35055,Confidential\Microsoft Extended,,,PurviewDataSensitivityLogs,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourcegroups/purview-sentinel-bug-bash/providers/microsoft.purview/accounts/sentinel-bug-bash-eastus2 -d80e74e9-da11-4572-babc-79349f7685cc,"11/1/2021, 4:12:42.655 PM",00000000-0000-0000-0000-000000000000,DataSensitivityLogEvent,72f988bf-86f1-41af-91ab-2d7cd011db47,458b9821-8f00-483f-acf9-ff6ab17332c4,Sentinel-Bug-Bash-EastUS2,eastus2,AzureBlob-Bc2,AzureBlob,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourceGroups/classification-test/providers/Microsoft.Storage/storageAccounts/aipclptest,458b9821-8f00-483f-acf9-ff6ab17332c4,eastus,BugBashTest,,cr-oib.docx,https://aipclptest.blob.core.windows.net/test2/cr-oib.docx,File,"5/13/2021, 6:37:49.000 PM","5/13/2021, 6:37:49.000 PM",,"11/1/2021, 4:09:09.325 PM",docx,26098,Labeling,Default,[],0,9fbde396-1a24-4c79-8edf-9254a0f35055,Confidential\Microsoft Extended,,,PurviewDataSensitivityLogs,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourcegroups/purview-sentinel-bug-bash/providers/microsoft.purview/accounts/sentinel-bug-bash-eastus2 -d80e74e9-da11-4572-babc-79349f7685cc,"11/1/2021, 4:12:42.697 PM",00000000-0000-0000-0000-000000000000,DataSensitivityLogEvent,72f988bf-86f1-41af-91ab-2d7cd011db47,458b9821-8f00-483f-acf9-ff6ab17332c4,Sentinel-Bug-Bash-EastUS2,eastus2,AzureBlob-Bc2,AzureBlob,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourceGroups/classification-test/providers/Microsoft.Storage/storageAccounts/aipclptest,458b9821-8f00-483f-acf9-ff6ab17332c4,eastus,BugBashTest,,uk-pn.docx,https://aipclptest.blob.core.windows.net/aashishr01/uk-pn.docx,File,"12/11/2020, 8:59:35.000 PM","12/11/2020, 8:59:35.000 PM",,"11/1/2021, 4:09:10.044 PM",docx,26383,Labeling,Default,[],0,9fbde396-1a24-4c79-8edf-9254a0f35055,Confidential\Microsoft Extended,,,PurviewDataSensitivityLogs,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourcegroups/purview-sentinel-bug-bash/providers/microsoft.purview/accounts/sentinel-bug-bash-eastus2 -d80e74e9-da11-4572-babc-79349f7685cc,"11/1/2021, 4:12:42.712 PM",00000000-0000-0000-0000-000000000000,DataSensitivityLogEvent,72f988bf-86f1-41af-91ab-2d7cd011db47,458b9821-8f00-483f-acf9-ff6ab17332c4,Sentinel-Bug-Bash-EastUS2,eastus2,AzureBlob-Bc2,AzureBlob,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourceGroups/classification-test/providers/Microsoft.Storage/storageAccounts/aipclptest,458b9821-8f00-483f-acf9-ff6ab17332c4,eastus,BugBashTest,,es-ssn.docx,https://aipclptest.blob.core.windows.net/aashishr01/es-ssn.docx,File,"12/11/2020, 8:59:35.000 PM","12/11/2020, 8:59:35.000 PM",,"11/1/2021, 4:09:09.544 PM",docx,26070,Labeling,Default,[],0,9fbde396-1a24-4c79-8edf-9254a0f35055,Confidential\Microsoft Extended,,,PurviewDataSensitivityLogs,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourcegroups/purview-sentinel-bug-bash/providers/microsoft.purview/accounts/sentinel-bug-bash-eastus2 -d80e74e9-da11-4572-babc-79349f7685cc,"11/1/2021, 4:12:42.713 PM",00000000-0000-0000-0000-000000000000,DataSensitivityLogEvent,72f988bf-86f1-41af-91ab-2d7cd011db47,458b9821-8f00-483f-acf9-ff6ab17332c4,Sentinel-Bug-Bash-EastUS2,eastus2,AzureBlob-Bc2,AzureBlob,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourceGroups/classification-test/providers/Microsoft.Storage/storageAccounts/aipclptest,458b9821-8f00-483f-acf9-ff6ab17332c4,eastus,BugBashTest,,create samples.xlsx,https://aipclptest.blob.core.windows.net/test2/create samples.xlsx,File,"5/13/2021, 6:37:49.000 PM","5/13/2021, 6:37:49.000 PM",,"11/1/2021, 4:09:09.466 PM",xlsx,29140,Labeling,Default,[],0,9fbde396-1a24-4c79-8edf-9254a0f35055,Confidential\Microsoft Extended,,,PurviewDataSensitivityLogs,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourcegroups/purview-sentinel-bug-bash/providers/microsoft.purview/accounts/sentinel-bug-bash-eastus2 -d80e74e9-da11-4572-babc-79349f7685cc,"11/1/2021, 4:12:42.723 PM",00000000-0000-0000-0000-000000000000,DataSensitivityLogEvent,72f988bf-86f1-41af-91ab-2d7cd011db47,458b9821-8f00-483f-acf9-ff6ab17332c4,Sentinel-Bug-Bash-EastUS2,eastus2,AzureBlob-Bc2,AzureBlob,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourceGroups/classification-test/providers/Microsoft.Storage/storageAccounts/aipclptest,458b9821-8f00-483f-acf9-ff6ab17332c4,eastus,BugBashTest,,Acme Background Check-Katana.doc,https://aipclptest.blob.core.windows.net/satintestcontainer/test2/Acme Background Check-Katana.doc,File,"2/16/2021, 9:34:47.000 AM","2/16/2021, 9:34:47.000 AM",,"11/1/2021, 4:09:39.895 PM",doc,90624,Classification,System,"[""Credit Card Number"",""U.S. Social Security Number (SSN)""]",2,,,,,PurviewDataSensitivityLogs,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourcegroups/purview-sentinel-bug-bash/providers/microsoft.purview/accounts/sentinel-bug-bash-eastus2 -d80e74e9-da11-4572-babc-79349f7685cc,"11/1/2021, 4:12:42.728 PM",00000000-0000-0000-0000-000000000000,DataSensitivityLogEvent,72f988bf-86f1-41af-91ab-2d7cd011db47,458b9821-8f00-483f-acf9-ff6ab17332c4,Sentinel-Bug-Bash-EastUS2,eastus2,AzureBlob-Bc2,AzureBlob,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourceGroups/classification-test/providers/Microsoft.Storage/storageAccounts/aipclptest,458b9821-8f00-483f-acf9-ff6ab17332c4,eastus,BugBashTest,,germany.txt,https://aipclptest.blob.core.windows.net/aipscan-open/germany.txt,File,"12/10/2020, 5:58:29.000 PM","12/10/2020, 5:58:29.000 PM",,"11/1/2021, 4:09:15.266 PM",txt,42,Labeling,Default,[],0,9fbde396-1a24-4c79-8edf-9254a0f35055,Confidential\Microsoft Extended,,,PurviewDataSensitivityLogs,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourcegroups/purview-sentinel-bug-bash/providers/microsoft.purview/accounts/sentinel-bug-bash-eastus2 -d80e74e9-da11-4572-babc-79349f7685cc,"11/1/2021, 4:12:42.729 PM",00000000-0000-0000-0000-000000000000,DataSensitivityLogEvent,72f988bf-86f1-41af-91ab-2d7cd011db47,458b9821-8f00-483f-acf9-ff6ab17332c4,Sentinel-Bug-Bash-EastUS2,eastus2,AzureBlob-Bc2,AzureBlob,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourceGroups/classification-test/providers/Microsoft.Storage/storageAccounts/aipclptest,458b9821-8f00-483f-acf9-ff6ab17332c4,eastus,BugBashTest,,pr-id.docx,https://aipclptest.blob.core.windows.net/aashishr01/pr-id.docx,File,"12/11/2020, 8:59:33.000 PM","12/11/2020, 8:59:33.000 PM",,"11/1/2021, 4:09:10.107 PM",docx,26111,Labeling,Default,[],0,9fbde396-1a24-4c79-8edf-9254a0f35055,Confidential\Microsoft Extended,,,PurviewDataSensitivityLogs,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourcegroups/purview-sentinel-bug-bash/providers/microsoft.purview/accounts/sentinel-bug-bash-eastus2 -d80e74e9-da11-4572-babc-79349f7685cc,"11/1/2021, 4:12:42.739 PM",00000000-0000-0000-0000-000000000000,DataSensitivityLogEvent,72f988bf-86f1-41af-91ab-2d7cd011db47,458b9821-8f00-483f-acf9-ff6ab17332c4,Sentinel-Bug-Bash-EastUS2,eastus2,AzureBlob-Bc2,AzureBlob,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourceGroups/classification-test/providers/Microsoft.Storage/storageAccounts/aipclptest,458b9821-8f00-483f-acf9-ff6ab17332c4,eastus,BugBashTest,,Customers data2018.docx,https://aipclptest.blob.core.windows.net/aipscan/CustomerData/Customers data2018.docx,File,"2/13/2020, 7:53:51.000 PM","2/13/2020, 7:53:51.000 PM",,"11/1/2021, 4:09:20.379 PM",docx,16830,Labeling,Default,[],0,9fbde396-1a24-4c79-8edf-9254a0f35055,Confidential\Microsoft Extended,,,PurviewDataSensitivityLogs,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourcegroups/purview-sentinel-bug-bash/providers/microsoft.purview/accounts/sentinel-bug-bash-eastus2 -d80e74e9-da11-4572-babc-79349f7685cc,"11/1/2021, 4:12:42.748 PM",00000000-0000-0000-0000-000000000000,DataSensitivityLogEvent,72f988bf-86f1-41af-91ab-2d7cd011db47,458b9821-8f00-483f-acf9-ff6ab17332c4,Sentinel-Bug-Bash-EastUS2,eastus2,AzureBlob-Bc2,AzureBlob,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourceGroups/classification-test/providers/Microsoft.Storage/storageAccounts/aipclptest,458b9821-8f00-483f-acf9-ff6ab17332c4,eastus,BugBashTest,,es-ssn (1).docx,https://aipclptest.blob.core.windows.net/test2/es-ssn (1).docx,File,"5/13/2021, 6:37:48.000 PM","5/13/2021, 6:37:48.000 PM",,"11/1/2021, 4:09:09.247 PM",docx,26070,Labeling,Default,[],0,9fbde396-1a24-4c79-8edf-9254a0f35055,Confidential\Microsoft Extended,,,PurviewDataSensitivityLogs,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourcegroups/purview-sentinel-bug-bash/providers/microsoft.purview/accounts/sentinel-bug-bash-eastus2 -d80e74e9-da11-4572-babc-79349f7685cc,"11/1/2021, 4:12:42.749 PM",00000000-0000-0000-0000-000000000000,DataSensitivityLogEvent,72f988bf-86f1-41af-91ab-2d7cd011db47,458b9821-8f00-483f-acf9-ff6ab17332c4,Sentinel-Bug-Bash-EastUS2,eastus2,AzureBlob-Bc2,AzureBlob,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourceGroups/classification-test/providers/Microsoft.Storage/storageAccounts/aipclptest,458b9821-8f00-483f-acf9-ff6ab17332c4,eastus,BugBashTest,,Customers list.docx,https://aipclptest.blob.core.windows.net/aipscan/Finance/Customers list.docx,File,"2/13/2020, 7:54:02.000 PM","2/13/2020, 7:54:02.000 PM",,"11/1/2021, 4:09:15.985 PM",docx,20166,Labeling,Default,[],0,9fbde396-1a24-4c79-8edf-9254a0f35055,Confidential\Microsoft Extended,,,PurviewDataSensitivityLogs,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourcegroups/purview-sentinel-bug-bash/providers/microsoft.purview/accounts/sentinel-bug-bash-eastus2 -d80e74e9-da11-4572-babc-79349f7685cc,"11/1/2021, 4:12:42.764 PM",00000000-0000-0000-0000-000000000000,DataSensitivityLogEvent,72f988bf-86f1-41af-91ab-2d7cd011db47,458b9821-8f00-483f-acf9-ff6ab17332c4,Sentinel-Bug-Bash-EastUS2,eastus2,AzureBlob-Bc2,AzureBlob,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourceGroups/classification-test/providers/Microsoft.Storage/storageAccounts/aipclptest,458b9821-8f00-483f-acf9-ff6ab17332c4,eastus,BugBashTest,,EL.txt,https://aipclptest.blob.core.windows.net/aipscan/HR/EL.txt,File,"2/13/2020, 7:54:12.000 PM","2/13/2020, 7:54:12.000 PM",,"11/1/2021, 4:09:15.469 PM",txt,200,Labeling,Default,[],0,9fbde396-1a24-4c79-8edf-9254a0f35055,Confidential\Microsoft Extended,,,PurviewDataSensitivityLogs,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourcegroups/purview-sentinel-bug-bash/providers/microsoft.purview/accounts/sentinel-bug-bash-eastus2 -d80e74e9-da11-4572-babc-79349f7685cc,"11/1/2021, 4:12:42.775 PM",00000000-0000-0000-0000-000000000000,DataSensitivityLogEvent,72f988bf-86f1-41af-91ab-2d7cd011db47,458b9821-8f00-483f-acf9-ff6ab17332c4,Sentinel-Bug-Bash-EastUS2,eastus2,AzureBlob-Bc2,AzureBlob,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourceGroups/classification-test/providers/Microsoft.Storage/storageAccounts/aipclptest,458b9821-8f00-483f-acf9-ff6ab17332c4,eastus,BugBashTest,,create samples.xlsx,https://aipclptest.blob.core.windows.net/aashishr01/create samples.xlsx,File,"12/11/2020, 8:59:35.000 PM","12/11/2020, 8:59:35.000 PM",,"11/1/2021, 4:09:10.154 PM",xlsx,29140,Labeling,Default,[],0,9fbde396-1a24-4c79-8edf-9254a0f35055,Confidential\Microsoft Extended,,,PurviewDataSensitivityLogs,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourcegroups/purview-sentinel-bug-bash/providers/microsoft.purview/accounts/sentinel-bug-bash-eastus2 -d80e74e9-da11-4572-babc-79349f7685cc,"11/1/2021, 4:12:42.776 PM",00000000-0000-0000-0000-000000000000,DataSensitivityLogEvent,72f988bf-86f1-41af-91ab-2d7cd011db47,458b9821-8f00-483f-acf9-ff6ab17332c4,Sentinel-Bug-Bash-EastUS2,eastus2,AzureBlob-Bc2,AzureBlob,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourceGroups/classification-test/providers/Microsoft.Storage/storageAccounts/aipclptest,458b9821-8f00-483f-acf9-ff6ab17332c4,eastus,BugBashTest,,sw-pn.docx,https://aipclptest.blob.core.windows.net/joselw-test/sw-pn.docx,File,"8/16/2021, 8:56:13.000 PM","8/16/2021, 8:56:13.000 PM",,"11/1/2021, 4:09:14.407 PM",docx,19044,Labeling,Default,[],0,9fbde396-1a24-4c79-8edf-9254a0f35055,Confidential\Microsoft Extended,,,PurviewDataSensitivityLogs,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourcegroups/purview-sentinel-bug-bash/providers/microsoft.purview/accounts/sentinel-bug-bash-eastus2 -d80e74e9-da11-4572-babc-79349f7685cc,"11/1/2021, 4:12:42.783 PM",00000000-0000-0000-0000-000000000000,DataSensitivityLogEvent,72f988bf-86f1-41af-91ab-2d7cd011db47,458b9821-8f00-483f-acf9-ff6ab17332c4,Sentinel-Bug-Bash-EastUS2,eastus2,AzureBlob-Bc2,AzureBlob,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourceGroups/classification-test/providers/Microsoft.Storage/storageAccounts/aipclptest,458b9821-8f00-483f-acf9-ff6ab17332c4,eastus,BugBashTest,,Credit Card Spreadsheet-Katana.xls,https://aipclptest.blob.core.windows.net/aipscan/CredScan/Credit Card Spreadsheet-Katana.xls,File,"2/13/2020, 7:53:38.000 PM","2/13/2020, 7:53:38.000 PM",,"11/1/2021, 4:09:16.001 PM",xls,30208,Labeling,Default,[],0,9fbde396-1a24-4c79-8edf-9254a0f35055,Confidential\Microsoft Extended,,,PurviewDataSensitivityLogs,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourcegroups/purview-sentinel-bug-bash/providers/microsoft.purview/accounts/sentinel-bug-bash-eastus2 -d80e74e9-da11-4572-babc-79349f7685cc,"11/1/2021, 4:12:42.787 PM",00000000-0000-0000-0000-000000000000,DataSensitivityLogEvent,72f988bf-86f1-41af-91ab-2d7cd011db47,458b9821-8f00-483f-acf9-ff6ab17332c4,Sentinel-Bug-Bash-EastUS2,eastus2,AzureBlob-Bc2,AzureBlob,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourceGroups/classification-test/providers/Microsoft.Storage/storageAccounts/aipclptest,458b9821-8f00-483f-acf9-ff6ab17332c4,eastus,BugBashTest,,Customers data2015.docx,https://aipclptest.blob.core.windows.net/aipscan/CustomerData/Customers data2015.docx,File,"2/13/2020, 7:53:51.000 PM","2/13/2020, 7:53:51.000 PM",,"11/1/2021, 4:09:20.317 PM",docx,11141,Labeling,Default,[],0,9fbde396-1a24-4c79-8edf-9254a0f35055,Confidential\Microsoft Extended,,,PurviewDataSensitivityLogs,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourcegroups/purview-sentinel-bug-bash/providers/microsoft.purview/accounts/sentinel-bug-bash-eastus2 -d80e74e9-da11-4572-babc-79349f7685cc,"11/1/2021, 4:12:42.787 PM",00000000-0000-0000-0000-000000000000,DataSensitivityLogEvent,72f988bf-86f1-41af-91ab-2d7cd011db47,458b9821-8f00-483f-acf9-ff6ab17332c4,Sentinel-Bug-Bash-EastUS2,eastus2,AzureBlob-Bc2,AzureBlob,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourceGroups/classification-test/providers/Microsoft.Storage/storageAccounts/aipclptest,458b9821-8f00-483f-acf9-ff6ab17332c4,eastus,BugBashTest,,ir-pps.docx,https://aipclptest.blob.core.windows.net/aashishr01/ir-pps.docx,File,"12/11/2020, 8:59:33.000 PM","12/11/2020, 8:59:33.000 PM",,"11/1/2021, 4:09:10.060 PM",docx,25964,Labeling,Default,[],0,9fbde396-1a24-4c79-8edf-9254a0f35055,Confidential\Microsoft Extended,,,PurviewDataSensitivityLogs,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourcegroups/purview-sentinel-bug-bash/providers/microsoft.purview/accounts/sentinel-bug-bash-eastus2 -d80e74e9-da11-4572-babc-79349f7685cc,"11/1/2021, 4:12:42.803 PM",00000000-0000-0000-0000-000000000000,DataSensitivityLogEvent,72f988bf-86f1-41af-91ab-2d7cd011db47,458b9821-8f00-483f-acf9-ff6ab17332c4,Sentinel-Bug-Bash-EastUS2,eastus2,AzureBlob-Bc2,AzureBlob,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourceGroups/classification-test/providers/Microsoft.Storage/storageAccounts/aipclptest,458b9821-8f00-483f-acf9-ff6ab17332c4,eastus,BugBashTest,,sw-pn.docx,https://aipclptest.blob.core.windows.net/aashishr01/sw-pn.docx,File,"12/11/2020, 8:59:35.000 PM","12/11/2020, 8:59:35.000 PM",,"11/1/2021, 4:09:09.857 PM",docx,25568,Labeling,Default,[],0,9fbde396-1a24-4c79-8edf-9254a0f35055,Confidential\Microsoft Extended,,,PurviewDataSensitivityLogs,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourcegroups/purview-sentinel-bug-bash/providers/microsoft.purview/accounts/sentinel-bug-bash-eastus2 -d80e74e9-da11-4572-babc-79349f7685cc,"11/1/2021, 4:12:42.804 PM",00000000-0000-0000-0000-000000000000,DataSensitivityLogEvent,72f988bf-86f1-41af-91ab-2d7cd011db47,458b9821-8f00-483f-acf9-ff6ab17332c4,Sentinel-Bug-Bash-EastUS2,eastus2,AzureBlob-Bc2,AzureBlob,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourceGroups/classification-test/providers/Microsoft.Storage/storageAccounts/aipclptest,458b9821-8f00-483f-acf9-ff6ab17332c4,eastus,BugBashTest,,uk-drv.docx,https://aipclptest.blob.core.windows.net/aipscan-open/uk-drv.docx,File,"12/10/2020, 5:58:29.000 PM","12/10/2020, 5:58:29.000 PM",,"11/1/2021, 4:09:15.282 PM",docx,26212,Labeling,Default,[],0,9fbde396-1a24-4c79-8edf-9254a0f35055,Confidential\Microsoft Extended,,,PurviewDataSensitivityLogs,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourcegroups/purview-sentinel-bug-bash/providers/microsoft.purview/accounts/sentinel-bug-bash-eastus2 -d80e74e9-da11-4572-babc-79349f7685cc,"11/1/2021, 4:12:42.805 PM",00000000-0000-0000-0000-000000000000,DataSensitivityLogEvent,72f988bf-86f1-41af-91ab-2d7cd011db47,458b9821-8f00-483f-acf9-ff6ab17332c4,Sentinel-Bug-Bash-EastUS2,eastus2,AzureBlob-Bc2,AzureBlob,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourceGroups/classification-test/providers/Microsoft.Storage/storageAccounts/aipclptest,458b9821-8f00-483f-acf9-ff6ab17332c4,eastus,BugBashTest,,Acme Background Check-Katana.doc,https://aipclptest.blob.core.windows.net/joselw-test/Acme Background Check-Katana.doc,File,"8/16/2021, 8:56:15.000 PM","8/16/2021, 8:56:15.000 PM",,"11/1/2021, 4:09:15.016 PM",doc,90624,Labeling,Default,[],0,9fbde396-1a24-4c79-8edf-9254a0f35055,Confidential\Microsoft Extended,,,PurviewDataSensitivityLogs,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourcegroups/purview-sentinel-bug-bash/providers/microsoft.purview/accounts/sentinel-bug-bash-eastus2 -d80e74e9-da11-4572-babc-79349f7685cc,"11/1/2021, 4:12:42.806 PM",00000000-0000-0000-0000-000000000000,DataSensitivityLogEvent,72f988bf-86f1-41af-91ab-2d7cd011db47,458b9821-8f00-483f-acf9-ff6ab17332c4,Sentinel-Bug-Bash-EastUS2,eastus2,AzureBlob-Bc2,AzureBlob,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourceGroups/classification-test/providers/Microsoft.Storage/storageAccounts/aipclptest,458b9821-8f00-483f-acf9-ff6ab17332c4,eastus,BugBashTest,,Customers data2016.docx,https://aipclptest.blob.core.windows.net/aipscan/CustomerData/Customers data2016.docx,File,"2/13/2020, 7:53:51.000 PM","2/13/2020, 7:53:51.000 PM",,"11/1/2021, 4:09:20.348 PM",docx,11916,Labeling,Default,[],0,9fbde396-1a24-4c79-8edf-9254a0f35055,Confidential\Microsoft Extended,,,PurviewDataSensitivityLogs,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourcegroups/purview-sentinel-bug-bash/providers/microsoft.purview/accounts/sentinel-bug-bash-eastus2 -d80e74e9-da11-4572-babc-79349f7685cc,"11/1/2021, 4:12:42.810 PM",00000000-0000-0000-0000-000000000000,DataSensitivityLogEvent,72f988bf-86f1-41af-91ab-2d7cd011db47,458b9821-8f00-483f-acf9-ff6ab17332c4,Sentinel-Bug-Bash-EastUS2,eastus2,AzureBlob-Bc2,AzureBlob,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourceGroups/classification-test/providers/Microsoft.Storage/storageAccounts/aipclptest,458b9821-8f00-483f-acf9-ff6ab17332c4,eastus,BugBashTest,,uk-roll.docx,https://aipclptest.blob.core.windows.net/aashishr01/uk-roll.docx,File,"12/11/2020, 8:59:35.000 PM","12/11/2020, 8:59:35.000 PM",,"11/1/2021, 4:09:09.888 PM",docx,25511,Labeling,Default,[],0,9fbde396-1a24-4c79-8edf-9254a0f35055,Confidential\Microsoft Extended,,,PurviewDataSensitivityLogs,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourcegroups/purview-sentinel-bug-bash/providers/microsoft.purview/accounts/sentinel-bug-bash-eastus2 -d80e74e9-da11-4572-babc-79349f7685cc,"11/1/2021, 4:12:42.812 PM",00000000-0000-0000-0000-000000000000,DataSensitivityLogEvent,72f988bf-86f1-41af-91ab-2d7cd011db47,458b9821-8f00-483f-acf9-ff6ab17332c4,Sentinel-Bug-Bash-EastUS2,eastus2,AzureBlob-Bc2,AzureBlob,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourceGroups/classification-test/providers/Microsoft.Storage/storageAccounts/aipclptest,458b9821-8f00-483f-acf9-ff6ab17332c4,eastus,BugBashTest,,it-drv.docx,https://aipclptest.blob.core.windows.net/test2/it-drv.docx,File,"5/13/2021, 6:37:49.000 PM","5/13/2021, 6:37:49.000 PM",,"11/1/2021, 4:09:09.341 PM",docx,26098,Labeling,Default,[],0,9fbde396-1a24-4c79-8edf-9254a0f35055,Confidential\Microsoft Extended,,,PurviewDataSensitivityLogs,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourcegroups/purview-sentinel-bug-bash/providers/microsoft.purview/accounts/sentinel-bug-bash-eastus2 -d80e74e9-da11-4572-babc-79349f7685cc,"11/1/2021, 4:12:42.819 PM",00000000-0000-0000-0000-000000000000,DataSensitivityLogEvent,72f988bf-86f1-41af-91ab-2d7cd011db47,458b9821-8f00-483f-acf9-ff6ab17332c4,Sentinel-Bug-Bash-EastUS2,eastus2,AzureBlob-Bc2,AzureBlob,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourceGroups/classification-test/providers/Microsoft.Storage/storageAccounts/aipclptest,458b9821-8f00-483f-acf9-ff6ab17332c4,eastus,BugBashTest,,Charges.docx,https://aipclptest.blob.core.windows.net/aipscan/Finance/Charges.docx,File,"2/13/2020, 7:54:02.000 PM","2/13/2020, 7:54:02.000 PM",,"11/1/2021, 4:09:15.829 PM",docx,20166,Labeling,Default,[],0,9fbde396-1a24-4c79-8edf-9254a0f35055,Confidential\Microsoft Extended,,,PurviewDataSensitivityLogs,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourcegroups/purview-sentinel-bug-bash/providers/microsoft.purview/accounts/sentinel-bug-bash-eastus2 -d80e74e9-da11-4572-babc-79349f7685cc,"11/1/2021, 4:12:42.820 PM",00000000-0000-0000-0000-000000000000,DataSensitivityLogEvent,72f988bf-86f1-41af-91ab-2d7cd011db47,458b9821-8f00-483f-acf9-ff6ab17332c4,Sentinel-Bug-Bash-EastUS2,eastus2,AzureBlob-Bc2,AzureBlob,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourceGroups/classification-test/providers/Microsoft.Storage/storageAccounts/aipclptest,458b9821-8f00-483f-acf9-ff6ab17332c4,eastus,BugBashTest,,EL.txt,https://aipclptest.blob.core.windows.net/test2/EL.txt,File,"5/13/2021, 6:37:48.000 PM","5/13/2021, 6:37:48.000 PM",,"11/1/2021, 4:09:09.279 PM",txt,200,Labeling,Default,[],0,9fbde396-1a24-4c79-8edf-9254a0f35055,Confidential\Microsoft Extended,,,PurviewDataSensitivityLogs,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourcegroups/purview-sentinel-bug-bash/providers/microsoft.purview/accounts/sentinel-bug-bash-eastus2 -d80e74e9-da11-4572-babc-79349f7685cc,"11/1/2021, 4:12:42.834 PM",00000000-0000-0000-0000-000000000000,DataSensitivityLogEvent,72f988bf-86f1-41af-91ab-2d7cd011db47,458b9821-8f00-483f-acf9-ff6ab17332c4,Sentinel-Bug-Bash-EastUS2,eastus2,AzureBlob-Bc2,AzureBlob,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourceGroups/classification-test/providers/Microsoft.Storage/storageAccounts/aipclptest,458b9821-8f00-483f-acf9-ff6ab17332c4,eastus,BugBashTest,,es-ssn.docx,https://aipclptest.blob.core.windows.net/test2/es-ssn.docx,File,"5/13/2021, 6:37:48.000 PM","5/13/2021, 6:37:48.000 PM",,"11/1/2021, 4:09:09.435 PM",docx,26070,Labeling,Default,[],0,9fbde396-1a24-4c79-8edf-9254a0f35055,Confidential\Microsoft Extended,,,PurviewDataSensitivityLogs,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourcegroups/purview-sentinel-bug-bash/providers/microsoft.purview/accounts/sentinel-bug-bash-eastus2 -d80e74e9-da11-4572-babc-79349f7685cc,"11/1/2021, 4:12:42.846 PM",00000000-0000-0000-0000-000000000000,DataSensitivityLogEvent,72f988bf-86f1-41af-91ab-2d7cd011db47,458b9821-8f00-483f-acf9-ff6ab17332c4,Sentinel-Bug-Bash-EastUS2,eastus2,AzureBlob-Bc2,AzureBlob,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourceGroups/classification-test/providers/Microsoft.Storage/storageAccounts/aipclptest,458b9821-8f00-483f-acf9-ff6ab17332c4,eastus,BugBashTest,,sw-id.docx,https://aipclptest.blob.core.windows.net/aashishr01/sw-id.docx,File,"12/11/2020, 8:59:35.000 PM","12/11/2020, 8:59:35.000 PM",,"11/1/2021, 4:09:10.122 PM",docx,26070,Labeling,Default,[],0,9fbde396-1a24-4c79-8edf-9254a0f35055,Confidential\Microsoft Extended,,,PurviewDataSensitivityLogs,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourcegroups/purview-sentinel-bug-bash/providers/microsoft.purview/accounts/sentinel-bug-bash-eastus2 -d80e74e9-da11-4572-babc-79349f7685cc,"11/1/2021, 4:12:42.848 PM",00000000-0000-0000-0000-000000000000,DataSensitivityLogEvent,72f988bf-86f1-41af-91ab-2d7cd011db47,458b9821-8f00-483f-acf9-ff6ab17332c4,Sentinel-Bug-Bash-EastUS2,eastus2,AzureBlob-Bc2,AzureBlob,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourceGroups/classification-test/providers/Microsoft.Storage/storageAccounts/aipclptest,458b9821-8f00-483f-acf9-ff6ab17332c4,eastus,BugBashTest,,Acme Background Check-Katana.doc,https://aipclptest.blob.core.windows.net/satintestcontainer/test4/Acme Background Check-Katana.doc,File,"2/16/2021, 9:35:05.000 AM","2/16/2021, 9:35:05.000 AM",,"11/1/2021, 4:09:39.848 PM",doc,90624,Classification,System,"[""Credit Card Number"",""U.S. Social Security Number (SSN)""]",2,,,,,PurviewDataSensitivityLogs,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourcegroups/purview-sentinel-bug-bash/providers/microsoft.purview/accounts/sentinel-bug-bash-eastus2 -d80e74e9-da11-4572-babc-79349f7685cc,"11/1/2021, 4:12:42.852 PM",00000000-0000-0000-0000-000000000000,DataSensitivityLogEvent,72f988bf-86f1-41af-91ab-2d7cd011db47,458b9821-8f00-483f-acf9-ff6ab17332c4,Sentinel-Bug-Bash-EastUS2,eastus2,AzureBlob-Bc2,AzureBlob,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourceGroups/classification-test/providers/Microsoft.Storage/storageAccounts/aipclptest,458b9821-8f00-483f-acf9-ff6ab17332c4,eastus,BugBashTest,,cz.txt,https://aipclptest.blob.core.windows.net/aashishr01/cz.txt,File,"12/11/2020, 8:59:35.000 PM","12/11/2020, 8:59:35.000 PM",,"11/1/2021, 4:09:09.779 PM",txt,124,Labeling,Default,[],0,9fbde396-1a24-4c79-8edf-9254a0f35055,Confidential\Microsoft Extended,,,PurviewDataSensitivityLogs,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourcegroups/purview-sentinel-bug-bash/providers/microsoft.purview/accounts/sentinel-bug-bash-eastus2 -d80e74e9-da11-4572-babc-79349f7685cc,"11/1/2021, 4:12:42.858 PM",00000000-0000-0000-0000-000000000000,DataSensitivityLogEvent,72f988bf-86f1-41af-91ab-2d7cd011db47,458b9821-8f00-483f-acf9-ff6ab17332c4,Sentinel-Bug-Bash-EastUS2,eastus2,AzureBlob-Bc2,AzureBlob,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourceGroups/classification-test/providers/Microsoft.Storage/storageAccounts/aipclptest,458b9821-8f00-483f-acf9-ff6ab17332c4,eastus,BugBashTest,,2020 forecast.pptx,https://aipclptest.blob.core.windows.net/aipscan/Finance/2020 forecast.pptx,File,"2/13/2020, 7:54:02.000 PM","2/13/2020, 7:54:02.000 PM",,"11/1/2021, 4:09:15.766 PM",pptx,32114,Labeling,Default,[],0,9fbde396-1a24-4c79-8edf-9254a0f35055,Confidential\Microsoft Extended,,,PurviewDataSensitivityLogs,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourcegroups/purview-sentinel-bug-bash/providers/microsoft.purview/accounts/sentinel-bug-bash-eastus2 -d80e74e9-da11-4572-babc-79349f7685cc,"11/1/2021, 4:12:42.863 PM",00000000-0000-0000-0000-000000000000,DataSensitivityLogEvent,72f988bf-86f1-41af-91ab-2d7cd011db47,458b9821-8f00-483f-acf9-ff6ab17332c4,Sentinel-Bug-Bash-EastUS2,eastus2,AzureBlob-Bc2,AzureBlob,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourceGroups/classification-test/providers/Microsoft.Storage/storageAccounts/aipclptest,458b9821-8f00-483f-acf9-ff6ab17332c4,eastus,BugBashTest,,EL.txt,https://aipclptest.blob.core.windows.net/aipscan/PII/EL.txt,File,"2/13/2020, 7:54:22.000 PM","2/13/2020, 7:54:22.000 PM",,"11/1/2021, 4:09:20.660 PM",txt,200,Labeling,Default,[],0,9fbde396-1a24-4c79-8edf-9254a0f35055,Confidential\Microsoft Extended,,,PurviewDataSensitivityLogs,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourcegroups/purview-sentinel-bug-bash/providers/microsoft.purview/accounts/sentinel-bug-bash-eastus2 -d80e74e9-da11-4572-babc-79349f7685cc,"11/1/2021, 4:12:42.867 PM",00000000-0000-0000-0000-000000000000,DataSensitivityLogEvent,72f988bf-86f1-41af-91ab-2d7cd011db47,458b9821-8f00-483f-acf9-ff6ab17332c4,Sentinel-Bug-Bash-EastUS2,eastus2,AzureBlob-Bc2,AzureBlob,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourceGroups/classification-test/providers/Microsoft.Storage/storageAccounts/aipclptest,458b9821-8f00-483f-acf9-ff6ab17332c4,eastus,BugBashTest,,pl-id.docx,https://aipclptest.blob.core.windows.net/aashishr01/pl-id.docx,File,"12/11/2020, 8:59:33.000 PM","12/11/2020, 8:59:33.000 PM",,"11/1/2021, 4:09:10.075 PM",docx,26144,Labeling,Default,[],0,9fbde396-1a24-4c79-8edf-9254a0f35055,Confidential\Microsoft Extended,,,PurviewDataSensitivityLogs,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourcegroups/purview-sentinel-bug-bash/providers/microsoft.purview/accounts/sentinel-bug-bash-eastus2 -d80e74e9-da11-4572-babc-79349f7685cc,"11/1/2021, 4:12:42.872 PM",00000000-0000-0000-0000-000000000000,DataSensitivityLogEvent,72f988bf-86f1-41af-91ab-2d7cd011db47,458b9821-8f00-483f-acf9-ff6ab17332c4,Sentinel-Bug-Bash-EastUS2,eastus2,AzureBlob-Bc2,AzureBlob,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourceGroups/classification-test/providers/Microsoft.Storage/storageAccounts/aipclptest,458b9821-8f00-483f-acf9-ff6ab17332c4,eastus,BugBashTest,,Test Doc with Creditcard.docx,https://aipclptest.blob.core.windows.net/aipscan/Finance/Test Doc with Creditcard.docx,File,"2/13/2020, 7:54:02.000 PM","2/13/2020, 7:54:02.000 PM",,"11/1/2021, 4:09:15.735 PM",docx,12800,Labeling,Default,[],0,9fbde396-1a24-4c79-8edf-9254a0f35055,Confidential\Microsoft Extended,,,PurviewDataSensitivityLogs,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourcegroups/purview-sentinel-bug-bash/providers/microsoft.purview/accounts/sentinel-bug-bash-eastus2 -d80e74e9-da11-4572-babc-79349f7685cc,"11/1/2021, 4:12:42.878 PM",00000000-0000-0000-0000-000000000000,DataSensitivityLogEvent,72f988bf-86f1-41af-91ab-2d7cd011db47,458b9821-8f00-483f-acf9-ff6ab17332c4,Sentinel-Bug-Bash-EastUS2,eastus2,AzureBlob-Bc2,AzureBlob,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourceGroups/classification-test/providers/Microsoft.Storage/storageAccounts/aipclptest,458b9821-8f00-483f-acf9-ff6ab17332c4,eastus,BugBashTest,,uk-nino.docx,https://aipclptest.blob.core.windows.net/aipscan-open/uk-nino.docx,File,"12/10/2020, 5:58:29.000 PM","12/10/2020, 5:58:29.000 PM",,"11/1/2021, 4:09:15.282 PM",docx,26184,Labeling,Default,[],0,9fbde396-1a24-4c79-8edf-9254a0f35055,Confidential\Microsoft Extended,,,PurviewDataSensitivityLogs,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourcegroups/purview-sentinel-bug-bash/providers/microsoft.purview/accounts/sentinel-bug-bash-eastus2 -d80e74e9-da11-4572-babc-79349f7685cc,"11/1/2021, 4:12:42.883 PM",00000000-0000-0000-0000-000000000000,DataSensitivityLogEvent,72f988bf-86f1-41af-91ab-2d7cd011db47,458b9821-8f00-483f-acf9-ff6ab17332c4,Sentinel-Bug-Bash-EastUS2,eastus2,AzureBlob-Bc2,AzureBlob,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourceGroups/classification-test/providers/Microsoft.Storage/storageAccounts/aipclptest,458b9821-8f00-483f-acf9-ff6ab17332c4,eastus,BugBashTest,,AMCE Patent Application-Katana.doc,https://aipclptest.blob.core.windows.net/aipscan/CredScan/AMCE Patent Application-Katana.doc,File,"2/13/2020, 7:53:38.000 PM","2/13/2020, 7:53:38.000 PM",,"11/1/2021, 4:09:16.110 PM",doc,42496,Labeling,Default,[],0,9fbde396-1a24-4c79-8edf-9254a0f35055,Confidential\Microsoft Extended,,,PurviewDataSensitivityLogs,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourcegroups/purview-sentinel-bug-bash/providers/microsoft.purview/accounts/sentinel-bug-bash-eastus2 -d80e74e9-da11-4572-babc-79349f7685cc,"11/1/2021, 4:12:42.898 PM",00000000-0000-0000-0000-000000000000,DataSensitivityLogEvent,72f988bf-86f1-41af-91ab-2d7cd011db47,458b9821-8f00-483f-acf9-ff6ab17332c4,Sentinel-Bug-Bash-EastUS2,eastus2,AzureBlob-Bc2,AzureBlob,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourceGroups/classification-test/providers/Microsoft.Storage/storageAccounts/aipclptest,458b9821-8f00-483f-acf9-ff6ab17332c4,eastus,BugBashTest,,multiple.docx,https://aipclptest.blob.core.windows.net/test2/multiple.docx,File,"5/13/2021, 6:37:49.000 PM","5/13/2021, 6:37:49.000 PM",,"11/1/2021, 4:09:09.404 PM",docx,24336,Labeling,Default,[],0,9fbde396-1a24-4c79-8edf-9254a0f35055,Confidential\Microsoft Extended,,,PurviewDataSensitivityLogs,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourcegroups/purview-sentinel-bug-bash/providers/microsoft.purview/accounts/sentinel-bug-bash-eastus2 -d80e74e9-da11-4572-babc-79349f7685cc,"11/1/2021, 4:12:42.899 PM",00000000-0000-0000-0000-000000000000,DataSensitivityLogEvent,72f988bf-86f1-41af-91ab-2d7cd011db47,458b9821-8f00-483f-acf9-ff6ab17332c4,Sentinel-Bug-Bash-EastUS2,eastus2,AzureBlob-Bc2,AzureBlob,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourceGroups/classification-test/providers/Microsoft.Storage/storageAccounts/aipclptest,458b9821-8f00-483f-acf9-ff6ab17332c4,eastus,BugBashTest,,pr-id.docx,https://aipclptest.blob.core.windows.net/joselw-test/pr-id.docx,File,"8/16/2021, 8:56:13.000 PM","8/16/2021, 8:56:13.000 PM",,"11/1/2021, 4:09:14.423 PM",docx,19590,Labeling,Default,[],0,9fbde396-1a24-4c79-8edf-9254a0f35055,Confidential\Microsoft Extended,,,PurviewDataSensitivityLogs,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourcegroups/purview-sentinel-bug-bash/providers/microsoft.purview/accounts/sentinel-bug-bash-eastus2 -d80e74e9-da11-4572-babc-79349f7685cc,"11/1/2021, 4:12:42.902 PM",00000000-0000-0000-0000-000000000000,DataSensitivityLogEvent,72f988bf-86f1-41af-91ab-2d7cd011db47,458b9821-8f00-483f-acf9-ff6ab17332c4,Sentinel-Bug-Bash-EastUS2,eastus2,AzureBlob-Bc2,AzureBlob,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourceGroups/classification-test/providers/Microsoft.Storage/storageAccounts/aipclptest,458b9821-8f00-483f-acf9-ff6ab17332c4,eastus,BugBashTest,,Acme Direct Deposit Form-Katana.xls,https://aipclptest.blob.core.windows.net/aipscan/CredScan/Acme Direct Deposit Form-Katana.xls,File,"2/13/2020, 7:53:39.000 PM","2/13/2020, 7:53:39.000 PM",,"11/1/2021, 4:09:16.251 PM",xls,119808,Labeling,Default,[],0,9fbde396-1a24-4c79-8edf-9254a0f35055,Confidential\Microsoft Extended,,,PurviewDataSensitivityLogs,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourcegroups/purview-sentinel-bug-bash/providers/microsoft.purview/accounts/sentinel-bug-bash-eastus2 -d80e74e9-da11-4572-babc-79349f7685cc,"11/1/2021, 4:12:42.903 PM",00000000-0000-0000-0000-000000000000,DataSensitivityLogEvent,72f988bf-86f1-41af-91ab-2d7cd011db47,458b9821-8f00-483f-acf9-ff6ab17332c4,Sentinel-Bug-Bash-EastUS2,eastus2,AzureBlob-Bc2,AzureBlob,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourceGroups/classification-test/providers/Microsoft.Storage/storageAccounts/aipclptest,458b9821-8f00-483f-acf9-ff6ab17332c4,eastus,BugBashTest,,fi-pn.docx,https://aipclptest.blob.core.windows.net/aashishr01/fi-pn.docx,File,"12/11/2020, 8:59:33.000 PM","12/11/2020, 8:59:33.000 PM",,"11/1/2021, 4:09:10.107 PM",docx,25516,Labeling,Default,[],0,9fbde396-1a24-4c79-8edf-9254a0f35055,Confidential\Microsoft Extended,,,PurviewDataSensitivityLogs,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourcegroups/purview-sentinel-bug-bash/providers/microsoft.purview/accounts/sentinel-bug-bash-eastus2 -d80e74e9-da11-4572-babc-79349f7685cc,"11/1/2021, 4:12:42.916 PM",00000000-0000-0000-0000-000000000000,DataSensitivityLogEvent,72f988bf-86f1-41af-91ab-2d7cd011db47,458b9821-8f00-483f-acf9-ff6ab17332c4,Sentinel-Bug-Bash-EastUS2,eastus2,AzureBlob-Bc2,AzureBlob,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourceGroups/classification-test/providers/Microsoft.Storage/storageAccounts/aipclptest,458b9821-8f00-483f-acf9-ff6ab17332c4,eastus,BugBashTest,,germany.txt,https://aipclptest.blob.core.windows.net/aipscan/HR/germany.txt,File,"2/13/2020, 7:54:12.000 PM","2/13/2020, 7:54:12.000 PM",,"11/1/2021, 4:09:21.301 PM",txt,42,Labeling,Default,[],0,9fbde396-1a24-4c79-8edf-9254a0f35055,Confidential\Microsoft Extended,,,PurviewDataSensitivityLogs,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourcegroups/purview-sentinel-bug-bash/providers/microsoft.purview/accounts/sentinel-bug-bash-eastus2 -d80e74e9-da11-4572-babc-79349f7685cc,"11/1/2021, 4:12:42.920 PM",00000000-0000-0000-0000-000000000000,DataSensitivityLogEvent,72f988bf-86f1-41af-91ab-2d7cd011db47,458b9821-8f00-483f-acf9-ff6ab17332c4,Sentinel-Bug-Bash-EastUS2,eastus2,AzureBlob-Bc2,AzureBlob,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourceGroups/classification-test/providers/Microsoft.Storage/storageAccounts/aipclptest,458b9821-8f00-483f-acf9-ff6ab17332c4,eastus,BugBashTest,,denmark.txt,https://aipclptest.blob.core.windows.net/test2/denmark.txt,File,"5/13/2021, 6:37:49.000 PM","5/13/2021, 6:37:49.000 PM",,"11/1/2021, 4:09:09.216 PM",txt,128,Labeling,Default,[],0,9fbde396-1a24-4c79-8edf-9254a0f35055,Confidential\Microsoft Extended,,,PurviewDataSensitivityLogs,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourcegroups/purview-sentinel-bug-bash/providers/microsoft.purview/accounts/sentinel-bug-bash-eastus2 -d80e74e9-da11-4572-babc-79349f7685cc,"11/1/2021, 4:12:42.920 PM",00000000-0000-0000-0000-000000000000,DataSensitivityLogEvent,72f988bf-86f1-41af-91ab-2d7cd011db47,458b9821-8f00-483f-acf9-ff6ab17332c4,Sentinel-Bug-Bash-EastUS2,eastus2,AzureBlob-Bc2,AzureBlob,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourceGroups/classification-test/providers/Microsoft.Storage/storageAccounts/aipclptest,458b9821-8f00-483f-acf9-ff6ab17332c4,eastus,BugBashTest,,uk-roll.docx,https://aipclptest.blob.core.windows.net/aipscan-open/uk-roll.docx,File,"12/10/2020, 5:58:29.000 PM","12/10/2020, 5:58:29.000 PM",,"11/1/2021, 4:09:15.251 PM",docx,25511,Labeling,Default,[],0,9fbde396-1a24-4c79-8edf-9254a0f35055,Confidential\Microsoft Extended,,,PurviewDataSensitivityLogs,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourcegroups/purview-sentinel-bug-bash/providers/microsoft.purview/accounts/sentinel-bug-bash-eastus2 -d80e74e9-da11-4572-babc-79349f7685cc,"11/1/2021, 4:12:42.928 PM",00000000-0000-0000-0000-000000000000,DataSensitivityLogEvent,72f988bf-86f1-41af-91ab-2d7cd011db47,458b9821-8f00-483f-acf9-ff6ab17332c4,Sentinel-Bug-Bash-EastUS2,eastus2,AzureBlob-Bc2,AzureBlob,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourceGroups/classification-test/providers/Microsoft.Storage/storageAccounts/aipclptest,458b9821-8f00-483f-acf9-ff6ab17332c4,eastus,BugBashTest,,EL.txt,https://aipclptest.blob.core.windows.net/satintestcontainer/EL.txt,File,"5/12/2021, 6:56:19.000 PM","5/12/2021, 6:56:19.000 PM",,"11/1/2021, 4:09:15.079 PM",txt,200,Labeling,Default,[],0,9fbde396-1a24-4c79-8edf-9254a0f35055,Confidential\Microsoft Extended,,,PurviewDataSensitivityLogs,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourcegroups/purview-sentinel-bug-bash/providers/microsoft.purview/accounts/sentinel-bug-bash-eastus2 -d80e74e9-da11-4572-babc-79349f7685cc,"11/1/2021, 4:12:42.950 PM",00000000-0000-0000-0000-000000000000,DataSensitivityLogEvent,72f988bf-86f1-41af-91ab-2d7cd011db47,458b9821-8f00-483f-acf9-ff6ab17332c4,Sentinel-Bug-Bash-EastUS2,eastus2,AzureBlob-Bc2,AzureBlob,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourceGroups/classification-test/providers/Microsoft.Storage/storageAccounts/aipclptest,458b9821-8f00-483f-acf9-ff6ab17332c4,eastus,BugBashTest,,fr-cni-pdf.pdf,https://aipclptest.blob.core.windows.net/joselw-test/fr-cni-pdf.pdf,File,"8/16/2021, 8:56:14.000 PM","8/16/2021, 8:56:14.000 PM",,"11/1/2021, 4:09:15.063 PM",pdf,327291,Labeling,Default,[],0,9fbde396-1a24-4c79-8edf-9254a0f35055,Confidential\Microsoft Extended,,,PurviewDataSensitivityLogs,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourcegroups/purview-sentinel-bug-bash/providers/microsoft.purview/accounts/sentinel-bug-bash-eastus2 -d80e74e9-da11-4572-babc-79349f7685cc,"11/1/2021, 4:12:42.971 PM",00000000-0000-0000-0000-000000000000,DataSensitivityLogEvent,72f988bf-86f1-41af-91ab-2d7cd011db47,458b9821-8f00-483f-acf9-ff6ab17332c4,Sentinel-Bug-Bash-EastUS2,eastus2,AzureBlob-Bc2,AzureBlob,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourceGroups/classification-test/providers/Microsoft.Storage/storageAccounts/aipclptest,458b9821-8f00-483f-acf9-ff6ab17332c4,eastus,BugBashTest,,de-drv.docx,https://aipclptest.blob.core.windows.net/aashishr01/de-drv.docx,File,"12/11/2020, 8:59:35.000 PM","12/11/2020, 8:59:35.000 PM",,"11/1/2021, 4:09:09.701 PM",docx,26139,Labeling,Default,[],0,9fbde396-1a24-4c79-8edf-9254a0f35055,Confidential\Microsoft Extended,,,PurviewDataSensitivityLogs,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourcegroups/purview-sentinel-bug-bash/providers/microsoft.purview/accounts/sentinel-bug-bash-eastus2 -d80e74e9-da11-4572-babc-79349f7685cc,"11/1/2021, 4:12:42.975 PM",00000000-0000-0000-0000-000000000000,DataSensitivityLogEvent,72f988bf-86f1-41af-91ab-2d7cd011db47,458b9821-8f00-483f-acf9-ff6ab17332c4,Sentinel-Bug-Bash-EastUS2,eastus2,AzureBlob-Bc2,AzureBlob,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourceGroups/classification-test/providers/Microsoft.Storage/storageAccounts/aipclptest,458b9821-8f00-483f-acf9-ff6ab17332c4,eastus,BugBashTest,,Travel Authorization Form_MY_101706-Katana.doc,https://aipclptest.blob.core.windows.net/aipscan/CredScan/Travel Authorization Form_MY_101706-Katana.doc,File,"2/13/2020, 7:53:39.000 PM","2/13/2020, 7:53:39.000 PM",,"11/1/2021, 4:09:16.173 PM",doc,40960,Labeling,Default,[],0,9fbde396-1a24-4c79-8edf-9254a0f35055,Confidential\Microsoft Extended,,,PurviewDataSensitivityLogs,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourcegroups/purview-sentinel-bug-bash/providers/microsoft.purview/accounts/sentinel-bug-bash-eastus2 -d80e74e9-da11-4572-babc-79349f7685cc,"11/1/2021, 4:12:42.977 PM",00000000-0000-0000-0000-000000000000,DataSensitivityLogEvent,72f988bf-86f1-41af-91ab-2d7cd011db47,458b9821-8f00-483f-acf9-ff6ab17332c4,Sentinel-Bug-Bash-EastUS2,eastus2,AzureBlob-Bc2,AzureBlob,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourceGroups/classification-test/providers/Microsoft.Storage/storageAccounts/aipclptest,458b9821-8f00-483f-acf9-ff6ab17332c4,eastus,BugBashTest,,germany.txt,https://aipclptest.blob.core.windows.net/joselw-test/germany.txt,File,"8/16/2021, 8:56:13.000 PM","8/16/2021, 8:56:13.000 PM",,"11/1/2021, 4:09:14.844 PM",txt,42,Labeling,Default,[],0,9fbde396-1a24-4c79-8edf-9254a0f35055,Confidential\Microsoft Extended,,,PurviewDataSensitivityLogs,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourcegroups/purview-sentinel-bug-bash/providers/microsoft.purview/accounts/sentinel-bug-bash-eastus2 -d80e74e9-da11-4572-babc-79349f7685cc,"11/1/2021, 4:12:42.988 PM",00000000-0000-0000-0000-000000000000,DataSensitivityLogEvent,72f988bf-86f1-41af-91ab-2d7cd011db47,458b9821-8f00-483f-acf9-ff6ab17332c4,Sentinel-Bug-Bash-EastUS2,eastus2,AzureBlob-Bc2,AzureBlob,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourceGroups/classification-test/providers/Microsoft.Storage/storageAccounts/aipclptest,458b9821-8f00-483f-acf9-ff6ab17332c4,eastus,BugBashTest,,Billing 2018.docx,https://aipclptest.blob.core.windows.net/aipscan/Finance/Billing 2018.docx,File,"2/13/2020, 7:54:02.000 PM","2/13/2020, 7:54:02.000 PM",,"11/1/2021, 4:09:15.876 PM",docx,20166,Labeling,Default,[],0,9fbde396-1a24-4c79-8edf-9254a0f35055,Confidential\Microsoft Extended,,,PurviewDataSensitivityLogs,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourcegroups/purview-sentinel-bug-bash/providers/microsoft.purview/accounts/sentinel-bug-bash-eastus2 -d80e74e9-da11-4572-babc-79349f7685cc,"11/1/2021, 4:12:42.992 PM",00000000-0000-0000-0000-000000000000,DataSensitivityLogEvent,72f988bf-86f1-41af-91ab-2d7cd011db47,458b9821-8f00-483f-acf9-ff6ab17332c4,Sentinel-Bug-Bash-EastUS2,eastus2,AzureBlob-Bc2,AzureBlob,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourceGroups/classification-test/providers/Microsoft.Storage/storageAccounts/aipclptest,458b9821-8f00-483f-acf9-ff6ab17332c4,eastus,BugBashTest,,Registration form.docx,https://aipclptest.blob.core.windows.net/aipscan/Finance/Registration form.docx,File,"2/13/2020, 7:54:02.000 PM","2/13/2020, 7:54:02.000 PM",,"11/1/2021, 4:09:15.985 PM",docx,20166,Labeling,Default,[],0,9fbde396-1a24-4c79-8edf-9254a0f35055,Confidential\Microsoft Extended,,,PurviewDataSensitivityLogs,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourcegroups/purview-sentinel-bug-bash/providers/microsoft.purview/accounts/sentinel-bug-bash-eastus2 -d80e74e9-da11-4572-babc-79349f7685cc,"11/1/2021, 4:12:42.994 PM",00000000-0000-0000-0000-000000000000,DataSensitivityLogEvent,72f988bf-86f1-41af-91ab-2d7cd011db47,458b9821-8f00-483f-acf9-ff6ab17332c4,Sentinel-Bug-Bash-EastUS2,eastus2,AzureBlob-Bc2,AzureBlob,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourceGroups/classification-test/providers/Microsoft.Storage/storageAccounts/aipclptest,458b9821-8f00-483f-acf9-ff6ab17332c4,eastus,BugBashTest,,AMCE Patent Application.doc,https://aipclptest.blob.core.windows.net/aipscan/CredScan/AMCE Patent Application.doc,File,"2/13/2020, 7:53:39.000 PM","2/13/2020, 7:53:39.000 PM",,"11/1/2021, 4:09:16.188 PM",doc,42496,Labeling,Default,[],0,9fbde396-1a24-4c79-8edf-9254a0f35055,Confidential\Microsoft Extended,,,PurviewDataSensitivityLogs,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourcegroups/purview-sentinel-bug-bash/providers/microsoft.purview/accounts/sentinel-bug-bash-eastus2 -d80e74e9-da11-4572-babc-79349f7685cc,"11/1/2021, 4:12:42.998 PM",00000000-0000-0000-0000-000000000000,DataSensitivityLogEvent,72f988bf-86f1-41af-91ab-2d7cd011db47,458b9821-8f00-483f-acf9-ff6ab17332c4,Sentinel-Bug-Bash-EastUS2,eastus2,AzureBlob-Bc2,AzureBlob,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourceGroups/classification-test/providers/Microsoft.Storage/storageAccounts/aipclptest,458b9821-8f00-483f-acf9-ff6ab17332c4,eastus,BugBashTest,,cz.txt,https://aipclptest.blob.core.windows.net/aipscan/HR/cz.txt,File,"2/13/2020, 7:54:12.000 PM","2/13/2020, 7:54:12.000 PM",,"11/1/2021, 4:09:15.641 PM",txt,124,Labeling,Default,[],0,9fbde396-1a24-4c79-8edf-9254a0f35055,Confidential\Microsoft Extended,,,PurviewDataSensitivityLogs,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourcegroups/purview-sentinel-bug-bash/providers/microsoft.purview/accounts/sentinel-bug-bash-eastus2 -d80e74e9-da11-4572-babc-79349f7685cc,"11/1/2021, 4:12:42.999 PM",00000000-0000-0000-0000-000000000000,DataSensitivityLogEvent,72f988bf-86f1-41af-91ab-2d7cd011db47,458b9821-8f00-483f-acf9-ff6ab17332c4,Sentinel-Bug-Bash-EastUS2,eastus2,AzureBlob-Bc2,AzureBlob,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourceGroups/classification-test/providers/Microsoft.Storage/storageAccounts/aipclptest,458b9821-8f00-483f-acf9-ff6ab17332c4,eastus,BugBashTest,,germany.txt,https://aipclptest.blob.core.windows.net/test2/germany.txt,File,"5/13/2021, 6:37:48.000 PM","5/13/2021, 6:37:48.000 PM",,"11/1/2021, 4:09:09.247 PM",txt,42,Labeling,Default,[],0,9fbde396-1a24-4c79-8edf-9254a0f35055,Confidential\Microsoft Extended,,,PurviewDataSensitivityLogs,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourcegroups/purview-sentinel-bug-bash/providers/microsoft.purview/accounts/sentinel-bug-bash-eastus2 -d80e74e9-da11-4572-babc-79349f7685cc,"11/1/2021, 4:12:43.004 PM",00000000-0000-0000-0000-000000000000,DataSensitivityLogEvent,72f988bf-86f1-41af-91ab-2d7cd011db47,458b9821-8f00-483f-acf9-ff6ab17332c4,Sentinel-Bug-Bash-EastUS2,eastus2,AzureBlob-Bc2,AzureBlob,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourceGroups/classification-test/providers/Microsoft.Storage/storageAccounts/aipclptest,458b9821-8f00-483f-acf9-ff6ab17332c4,eastus,BugBashTest,,uk-pn.docx,https://aipclptest.blob.core.windows.net/joselw-test/uk-pn.docx,File,"8/16/2021, 8:56:13.000 PM","8/16/2021, 8:56:13.000 PM",,"11/1/2021, 4:09:15.016 PM",docx,19860,Labeling,Default,[],0,9fbde396-1a24-4c79-8edf-9254a0f35055,Confidential\Microsoft Extended,,,PurviewDataSensitivityLogs,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourcegroups/purview-sentinel-bug-bash/providers/microsoft.purview/accounts/sentinel-bug-bash-eastus2 -d80e74e9-da11-4572-babc-79349f7685cc,"11/1/2021, 4:12:43.007 PM",00000000-0000-0000-0000-000000000000,DataSensitivityLogEvent,72f988bf-86f1-41af-91ab-2d7cd011db47,458b9821-8f00-483f-acf9-ff6ab17332c4,Sentinel-Bug-Bash-EastUS2,eastus2,AzureBlob-Bc2,AzureBlob,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourceGroups/classification-test/providers/Microsoft.Storage/storageAccounts/aipclptest,458b9821-8f00-483f-acf9-ff6ab17332c4,eastus,BugBashTest,,EL.txt,https://aipclptest.blob.core.windows.net/aashishr01/EL.txt,File,"12/11/2020, 8:59:35.000 PM","12/11/2020, 8:59:35.000 PM",,"11/1/2021, 4:09:09.575 PM",txt,200,Labeling,Default,[],0,9fbde396-1a24-4c79-8edf-9254a0f35055,Confidential\Microsoft Extended,,,PurviewDataSensitivityLogs,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourcegroups/purview-sentinel-bug-bash/providers/microsoft.purview/accounts/sentinel-bug-bash-eastus2 -d80e74e9-da11-4572-babc-79349f7685cc,"11/1/2021, 4:12:43.024 PM",00000000-0000-0000-0000-000000000000,DataSensitivityLogEvent,72f988bf-86f1-41af-91ab-2d7cd011db47,458b9821-8f00-483f-acf9-ff6ab17332c4,Sentinel-Bug-Bash-EastUS2,eastus2,AzureBlob-Bc2,AzureBlob,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourceGroups/classification-test/providers/Microsoft.Storage/storageAccounts/aipclptest,458b9821-8f00-483f-acf9-ff6ab17332c4,eastus,BugBashTest,,fr-drv.docx,https://aipclptest.blob.core.windows.net/aashishr01/fr-drv.docx,File,"12/11/2020, 8:59:33.000 PM","12/11/2020, 8:59:33.000 PM",,"11/1/2021, 4:09:09.529 PM",docx,26094,Labeling,Default,[],0,9fbde396-1a24-4c79-8edf-9254a0f35055,Confidential\Microsoft Extended,,,PurviewDataSensitivityLogs,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourcegroups/purview-sentinel-bug-bash/providers/microsoft.purview/accounts/sentinel-bug-bash-eastus2 -d80e74e9-da11-4572-babc-79349f7685cc,"11/1/2021, 4:12:43.026 PM",00000000-0000-0000-0000-000000000000,DataSensitivityLogEvent,72f988bf-86f1-41af-91ab-2d7cd011db47,458b9821-8f00-483f-acf9-ff6ab17332c4,Sentinel-Bug-Bash-EastUS2,eastus2,AzureBlob-Bc2,AzureBlob,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourceGroups/classification-test/providers/Microsoft.Storage/storageAccounts/aipclptest,458b9821-8f00-483f-acf9-ff6ab17332c4,eastus,BugBashTest,,Billable vendors.pptx,https://aipclptest.blob.core.windows.net/aipscan/Finance/Billable vendors.pptx,File,"2/13/2020, 7:54:02.000 PM","2/13/2020, 7:54:02.000 PM",,"11/1/2021, 4:09:15.891 PM",pptx,32114,Labeling,Default,[],0,9fbde396-1a24-4c79-8edf-9254a0f35055,Confidential\Microsoft Extended,,,PurviewDataSensitivityLogs,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourcegroups/purview-sentinel-bug-bash/providers/microsoft.purview/accounts/sentinel-bug-bash-eastus2 -d80e74e9-da11-4572-babc-79349f7685cc,"11/1/2021, 4:12:43.034 PM",00000000-0000-0000-0000-000000000000,DataSensitivityLogEvent,72f988bf-86f1-41af-91ab-2d7cd011db47,458b9821-8f00-483f-acf9-ff6ab17332c4,Sentinel-Bug-Bash-EastUS2,eastus2,AzureBlob-Bc2,AzureBlob,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourceGroups/classification-test/providers/Microsoft.Storage/storageAccounts/aipclptest,458b9821-8f00-483f-acf9-ff6ab17332c4,eastus,BugBashTest,,es-ssn.docx,https://aipclptest.blob.core.windows.net/satintestcontainer/es-ssn.docx,File,"5/12/2021, 6:56:19.000 PM","5/12/2021, 6:56:19.000 PM",,"11/1/2021, 4:09:15.188 PM",docx,26070,Labeling,Default,[],0,9fbde396-1a24-4c79-8edf-9254a0f35055,Confidential\Microsoft Extended,,,PurviewDataSensitivityLogs,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourcegroups/purview-sentinel-bug-bash/providers/microsoft.purview/accounts/sentinel-bug-bash-eastus2 -d80e74e9-da11-4572-babc-79349f7685cc,"11/1/2021, 4:12:43.090 PM",00000000-0000-0000-0000-000000000000,DataSensitivityLogEvent,72f988bf-86f1-41af-91ab-2d7cd011db47,458b9821-8f00-483f-acf9-ff6ab17332c4,Sentinel-Bug-Bash-EastUS2,eastus2,AzureBlob-Bc2,AzureBlob,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourceGroups/classification-test/providers/Microsoft.Storage/storageAccounts/aipclptest,458b9821-8f00-483f-acf9-ff6ab17332c4,eastus,BugBashTest,,IR.txt,https://aipclptest.blob.core.windows.net/aashishr01/IR.txt,File,"12/11/2020, 8:59:33.000 PM","12/11/2020, 8:59:33.000 PM",,"11/1/2021, 4:09:09.638 PM",txt,197,Labeling,Default,[],0,9fbde396-1a24-4c79-8edf-9254a0f35055,Confidential\Microsoft Extended,,,PurviewDataSensitivityLogs,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourcegroups/purview-sentinel-bug-bash/providers/microsoft.purview/accounts/sentinel-bug-bash-eastus2 -d80e74e9-da11-4572-babc-79349f7685cc,"11/1/2021, 4:12:43.105 PM",00000000-0000-0000-0000-000000000000,DataSensitivityLogEvent,72f988bf-86f1-41af-91ab-2d7cd011db47,458b9821-8f00-483f-acf9-ff6ab17332c4,Sentinel-Bug-Bash-EastUS2,eastus2,AzureBlob-Bc2,AzureBlob,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourceGroups/classification-test/providers/Microsoft.Storage/storageAccounts/aipclptest,458b9821-8f00-483f-acf9-ff6ab17332c4,eastus,BugBashTest,,Acme Parking Form.doc,https://aipclptest.blob.core.windows.net/aipscan/CredScan/Acme Parking Form.doc,File,"2/13/2020, 7:53:39.000 PM","2/13/2020, 7:53:39.000 PM",,"11/1/2021, 4:09:16.266 PM",doc,61952,Labeling,Default,[],0,9fbde396-1a24-4c79-8edf-9254a0f35055,Confidential\Microsoft Extended,,,PurviewDataSensitivityLogs,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourcegroups/purview-sentinel-bug-bash/providers/microsoft.purview/accounts/sentinel-bug-bash-eastus2 -d80e74e9-da11-4572-babc-79349f7685cc,"11/1/2021, 4:12:43.111 PM",00000000-0000-0000-0000-000000000000,DataSensitivityLogEvent,72f988bf-86f1-41af-91ab-2d7cd011db47,458b9821-8f00-483f-acf9-ff6ab17332c4,Sentinel-Bug-Bash-EastUS2,eastus2,AzureBlob-Bc2,AzureBlob,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourceGroups/classification-test/providers/Microsoft.Storage/storageAccounts/aipclptest,458b9821-8f00-483f-acf9-ff6ab17332c4,eastus,BugBashTest,,create samples (1).xlsx,https://aipclptest.blob.core.windows.net/test2/create samples (1).xlsx,File,"5/13/2021, 6:37:49.000 PM","5/13/2021, 6:37:49.000 PM",,"11/1/2021, 4:09:09.310 PM",xlsx,29140,Labeling,Default,[],0,9fbde396-1a24-4c79-8edf-9254a0f35055,Confidential\Microsoft Extended,,,PurviewDataSensitivityLogs,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourcegroups/purview-sentinel-bug-bash/providers/microsoft.purview/accounts/sentinel-bug-bash-eastus2 -d80e74e9-da11-4572-babc-79349f7685cc,"11/1/2021, 4:12:43.316 PM",00000000-0000-0000-0000-000000000000,DataSensitivityLogEvent,72f988bf-86f1-41af-91ab-2d7cd011db47,458b9821-8f00-483f-acf9-ff6ab17332c4,Sentinel-Bug-Bash-EastUS2,eastus2,AzureBlob-Bc2,AzureBlob,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourceGroups/classification-test/providers/Microsoft.Storage/storageAccounts/aipclptest,458b9821-8f00-483f-acf9-ff6ab17332c4,eastus,BugBashTest,,Acme Parking Form-Katana.doc,https://aipclptest.blob.core.windows.net/aipscan/CredScan/Acme Parking Form-Katana.doc,File,"2/13/2020, 7:53:39.000 PM","2/13/2020, 7:53:39.000 PM",,"11/1/2021, 4:09:16.094 PM",doc,57856,Labeling,Default,[],0,9fbde396-1a24-4c79-8edf-9254a0f35055,Confidential\Microsoft Extended,,,PurviewDataSensitivityLogs,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourcegroups/purview-sentinel-bug-bash/providers/microsoft.purview/accounts/sentinel-bug-bash-eastus2 -d80e74e9-da11-4572-babc-79349f7685cc,"11/1/2021, 4:12:43.560 PM",00000000-0000-0000-0000-000000000000,DataSensitivityLogEvent,72f988bf-86f1-41af-91ab-2d7cd011db47,458b9821-8f00-483f-acf9-ff6ab17332c4,Sentinel-Bug-Bash-EastUS2,eastus2,AzureBlob-Bc2,AzureBlob,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourceGroups/classification-test/providers/Microsoft.Storage/storageAccounts/aipclptest,458b9821-8f00-483f-acf9-ff6ab17332c4,eastus,BugBashTest,,uk-roll.docx,https://aipclptest.blob.core.windows.net/joselw-test/uk-roll.docx,File,"8/16/2021, 8:56:13.000 PM","8/16/2021, 8:56:13.000 PM",,"11/1/2021, 4:09:14.579 PM",docx,18989,Labeling,Default,[],0,9fbde396-1a24-4c79-8edf-9254a0f35055,Confidential\Microsoft Extended,,,PurviewDataSensitivityLogs,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourcegroups/purview-sentinel-bug-bash/providers/microsoft.purview/accounts/sentinel-bug-bash-eastus2 -d80e74e9-da11-4572-babc-79349f7685cc,"11/1/2021, 4:12:44.629 PM",00000000-0000-0000-0000-000000000000,DataSensitivityLogEvent,72f988bf-86f1-41af-91ab-2d7cd011db47,458b9821-8f00-483f-acf9-ff6ab17332c4,Sentinel-Bug-Bash-EastUS2,eastus2,AzureBlob-Bc2,AzureBlob,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourceGroups/classification-test/providers/Microsoft.Storage/storageAccounts/aipclptest,458b9821-8f00-483f-acf9-ff6ab17332c4,eastus,BugBashTest,,Acme Background Check-Katana.doc,https://aipclptest.blob.core.windows.net/satintestcontainer/test2/Acme Background Check-Katana.doc,File,"2/16/2021, 9:34:47.000 AM","2/16/2021, 9:34:47.000 AM",,"11/1/2021, 4:09:39.895 PM",doc,90624,Labeling,Default,[],0,9fbde396-1a24-4c79-8edf-9254a0f35055,Confidential\Microsoft Extended,,,PurviewDataSensitivityLogs,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourcegroups/purview-sentinel-bug-bash/providers/microsoft.purview/accounts/sentinel-bug-bash-eastus2 -d80e74e9-da11-4572-babc-79349f7685cc,"11/1/2021, 4:12:44.810 PM",00000000-0000-0000-0000-000000000000,DataSensitivityLogEvent,72f988bf-86f1-41af-91ab-2d7cd011db47,458b9821-8f00-483f-acf9-ff6ab17332c4,Sentinel-Bug-Bash-EastUS2,eastus2,AzureBlob-Bc2,AzureBlob,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourceGroups/classification-test/providers/Microsoft.Storage/storageAccounts/aipclptest,458b9821-8f00-483f-acf9-ff6ab17332c4,eastus,BugBashTest,,create samples.xlsx,https://aipclptest.blob.core.windows.net/joselw-test/create samples.xlsx,File,"8/16/2021, 8:56:14.000 PM","8/16/2021, 8:56:14.000 PM",,"11/1/2021, 4:09:14.782 PM",xlsx,21343,Classification,System,"[""ABA Routing Number"",""Argentina National Identity (DNI) Number"",""Australia Bank Account Number"",""Australia Driver's License Number"",""Australia Medical Account Number"",""Australia Passport Number"",""Australia Tax File Number"",""Austria Driver's License Number"",""Austria Passport Number"",""Belgium Driver's License Number"",""Belgium Passport Number"",""Brazil CPF Number"",""Brazil Legal Entity Number (CNPJ)"",""Brazil National ID Card (RG)"",""Bulgaria Driver's License Number"",""Bulgaria Passport Number"",""Canada Bank Account Number"",""Canada Driver's License Number"",""Canada Health Service Number"",""Canada Passport Number"",""Canada Personal Health Identification Number (PHIN)"",""Canada Social Insurance Number"",""Chile Identity Card Number"",""China Resident Identity Card (PRC) Number"",""Credit Card Number"",""Croatia Driver's License Number"",""Croatia Passport Number"",""Cyprus Driver's License Number"",""Cyprus Identity Card"",""Czech Personal Identity Number"",""Czech Republic Passport Number"",""Denmark Driver's License Number"",""Denmark Passport Number"",""Denmark Personal Identification Number"",""Estonia Passport Number"",""EU Debit Card Number"",""EU Driver's License Number"",""EU National Identification Number"",""EU Passport Number"",""EU Social Security Number (SSN) or Equivalent ID"",""EU Tax Identification Number (TIN)"",""Finland National ID"",""Finland Passport Number"",""France Driver's License Number"",""France National ID Card (CNI)"",""France Social Security Number (INSEE)"",""German Driver's License Number"",""German Passport Number"",""Germany Identity Card Number"",""Greece Driver's License Number"",""Greece National ID Card"",""Greece Passport Number"",""Hungarian Social Security Number (TAJ)"",""Hungary Passport Number"",""India Permanent Account Number (PAN)"",""India Unique Identification (Aadhaar) Number"",""Indonesia Identity Card (KTP) Number"",""International Banking Account Number (IBAN)"",""IP Address"",""Ireland Passport Number"",""Ireland Personal Public Service (PPS) Number"",""Israel Bank Account Number"",""Israel National ID"",""Italy Driver's License Number"",""Italy Passport Number"",""Japan Bank Account Number"",""Japan Driver's License Number"",""Japan Passport Number"",""Japan Resident Registration Number"",""Japan Social Insurance Number (SIN)"",""Lithuania Driver's License Number"",""Lithuania Passport Number"",""Luxemburg Passport Number"",""Malaysia Identity Card Number"",""Malta Driver's License Number"",""Malta Passport Number"",""Netherlands Driver's License Number"",""Netherlands Passport Number"",""New Zealand Ministry of Health Number"",""Norway Identity Number"",""Philippines Unified Multi-Purpose ID Number"",""Poland Identity Card"",""Romania Driver's License Number"",""Romania Passport Number"",""Russian Passport Number (Domestic)"",""Russian Passport Number (International)"",""Saudi Arabia National ID"",""Singapore National Registration Identity Card (NRIC) Number"",""Slovakia Driver's License Number"",""Slovakia Passport Number"",""Slovakia Personal Number"",""Slovenia Driver's License Number"",""Slovenia Passport Number"",""South Africa Identification Number"",""South Korea Resident Registration Number"",""Spain Social Security Number (SSN)"",""Sweden National ID"",""Sweden Passport Number"",""Sweden Tax Identification Number"",""SWIFT Code"",""Taiwan National ID"",""Taiwan Passport Number"",""Taiwan Resident Certificate (ARC/TARC)"",""U.K. Driver's License Number"",""U.K. Electoral Roll Number"",""U.K. National Health Service Number"",""U.K. National Insurance Number (NINO)"",""U.K. Unique Taxpayer Reference Number"",""U.S. / U.K. Passport Number"",""U.S. Bank Account Number"",""U.S. Individual Taxpayer Identification Number (ITIN)"",""U.S. Social Security Number (SSN)"",""Ukraine Passport Number (Domestic)"",""Ukraine Passport Number (International)""]",114,,,,,PurviewDataSensitivityLogs,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourcegroups/purview-sentinel-bug-bash/providers/microsoft.purview/accounts/sentinel-bug-bash-eastus2 -d80e74e9-da11-4572-babc-79349f7685cc,"11/1/2021, 4:12:44.810 PM",00000000-0000-0000-0000-000000000000,DataSensitivityLogEvent,72f988bf-86f1-41af-91ab-2d7cd011db47,458b9821-8f00-483f-acf9-ff6ab17332c4,Sentinel-Bug-Bash-EastUS2,eastus2,AzureBlob-Bc2,AzureBlob,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourceGroups/classification-test/providers/Microsoft.Storage/storageAccounts/aipclptest,458b9821-8f00-483f-acf9-ff6ab17332c4,eastus,BugBashTest,,create samples.xlsx,https://aipclptest.blob.core.windows.net/joselw-test/create samples.xlsx,File,"8/16/2021, 8:56:14.000 PM","8/16/2021, 8:56:14.000 PM",,"11/1/2021, 4:09:14.782 PM",xlsx,21343,Labeling,External,[],0,f42aa342-8706-4288-bd11-ebb85995028c,General,,,PurviewDataSensitivityLogs,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourcegroups/purview-sentinel-bug-bash/providers/microsoft.purview/accounts/sentinel-bug-bash-eastus2 -d80e74e9-da11-4572-babc-79349f7685cc,"11/1/2021, 4:12:44.812 PM",00000000-0000-0000-0000-000000000000,DataSensitivityLogEvent,72f988bf-86f1-41af-91ab-2d7cd011db47,458b9821-8f00-483f-acf9-ff6ab17332c4,Sentinel-Bug-Bash-EastUS2,eastus2,AzureBlob-Bc2,AzureBlob,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourceGroups/classification-test/providers/Microsoft.Storage/storageAccounts/aipclptest,458b9821-8f00-483f-acf9-ff6ab17332c4,eastus,BugBashTest,,fi-pn.docx,https://aipclptest.blob.core.windows.net/joselw-test/fi-pn.docx,File,"8/16/2021, 8:56:14.000 PM","8/16/2021, 8:56:14.000 PM",,"11/1/2021, 4:09:14.735 PM",docx,18996,Classification,System,"[""Japan Passport Number""]",1,,,,,PurviewDataSensitivityLogs,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourcegroups/purview-sentinel-bug-bash/providers/microsoft.purview/accounts/sentinel-bug-bash-eastus2 -d80e74e9-da11-4572-babc-79349f7685cc,"11/1/2021, 4:12:44.818 PM",00000000-0000-0000-0000-000000000000,DataSensitivityLogEvent,72f988bf-86f1-41af-91ab-2d7cd011db47,458b9821-8f00-483f-acf9-ff6ab17332c4,Sentinel-Bug-Bash-EastUS2,eastus2,AzureBlob-Bc2,AzureBlob,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourceGroups/classification-test/providers/Microsoft.Storage/storageAccounts/aipclptest,458b9821-8f00-483f-acf9-ff6ab17332c4,eastus,BugBashTest,,Acme Background Check-Katana.doc,https://aipclptest.blob.core.windows.net/aipscan/Change Test/Acme Background Check-Katana.doc,File,"11/4/2020, 2:11:47.000 AM","11/4/2020, 2:11:47.000 AM",,"11/1/2021, 4:09:39.833 PM",doc,90624,Classification,System,"[""Credit Card Number"",""U.S. Social Security Number (SSN)""]",2,,,,,PurviewDataSensitivityLogs,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourcegroups/purview-sentinel-bug-bash/providers/microsoft.purview/accounts/sentinel-bug-bash-eastus2 -d80e74e9-da11-4572-babc-79349f7685cc,"11/1/2021, 4:12:44.825 PM",00000000-0000-0000-0000-000000000000,DataSensitivityLogEvent,72f988bf-86f1-41af-91ab-2d7cd011db47,458b9821-8f00-483f-acf9-ff6ab17332c4,Sentinel-Bug-Bash-EastUS2,eastus2,AzureBlob-Bc2,AzureBlob,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourceGroups/classification-test/providers/Microsoft.Storage/storageAccounts/aipclptest,458b9821-8f00-483f-acf9-ff6ab17332c4,eastus,BugBashTest,,Acme Request for Time Off-Katana.doc,https://aipclptest.blob.core.windows.net/aipscan/CredScan/Acme Request for Time Off-Katana.doc,File,"2/13/2020, 7:53:38.000 PM","2/13/2020, 7:53:38.000 PM",,"11/1/2021, 4:09:39.723 PM",doc,39936,Classification,System,"[""U.S. Social Security Number (SSN)""]",1,,,,,PurviewDataSensitivityLogs,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourcegroups/purview-sentinel-bug-bash/providers/microsoft.purview/accounts/sentinel-bug-bash-eastus2 -d80e74e9-da11-4572-babc-79349f7685cc,"11/1/2021, 4:12:44.828 PM",00000000-0000-0000-0000-000000000000,DataSensitivityLogEvent,72f988bf-86f1-41af-91ab-2d7cd011db47,458b9821-8f00-483f-acf9-ff6ab17332c4,Sentinel-Bug-Bash-EastUS2,eastus2,AzureBlob-Bc2,AzureBlob,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourceGroups/classification-test/providers/Microsoft.Storage/storageAccounts/aipclptest,458b9821-8f00-483f-acf9-ff6ab17332c4,eastus,BugBashTest,,Credit Card Spreadsheet.xls,https://aipclptest.blob.core.windows.net/aipscan/CredScan/Credit Card Spreadsheet.xls,File,"2/13/2020, 7:53:39.000 PM","2/13/2020, 7:53:39.000 PM",,"11/1/2021, 4:09:39.692 PM",xls,30208,Classification,System,"[""Credit Card Number""]",1,,,,,PurviewDataSensitivityLogs,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourcegroups/purview-sentinel-bug-bash/providers/microsoft.purview/accounts/sentinel-bug-bash-eastus2 -d80e74e9-da11-4572-babc-79349f7685cc,"11/1/2021, 4:12:44.831 PM",00000000-0000-0000-0000-000000000000,DataSensitivityLogEvent,72f988bf-86f1-41af-91ab-2d7cd011db47,458b9821-8f00-483f-acf9-ff6ab17332c4,Sentinel-Bug-Bash-EastUS2,eastus2,AzureBlob-Bc2,AzureBlob,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourceGroups/classification-test/providers/Microsoft.Storage/storageAccounts/aipclptest,458b9821-8f00-483f-acf9-ff6ab17332c4,eastus,BugBashTest,,Acme Background Check-Katana.doc,https://aipclptest.blob.core.windows.net/aipscan/CredScan/Acme Background Check-Katana.doc,File,"2/13/2020, 7:53:39.000 PM","2/13/2020, 7:53:39.000 PM",,"11/1/2021, 4:09:39.848 PM",doc,95232,Classification,System,"[""Credit Card Number"",""U.S. Social Security Number (SSN)""]",2,,,,,PurviewDataSensitivityLogs,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourcegroups/purview-sentinel-bug-bash/providers/microsoft.purview/accounts/sentinel-bug-bash-eastus2 -d80e74e9-da11-4572-babc-79349f7685cc,"11/1/2021, 4:12:44.837 PM",00000000-0000-0000-0000-000000000000,DataSensitivityLogEvent,72f988bf-86f1-41af-91ab-2d7cd011db47,458b9821-8f00-483f-acf9-ff6ab17332c4,Sentinel-Bug-Bash-EastUS2,eastus2,AzureBlob-Bc2,AzureBlob,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourceGroups/classification-test/providers/Microsoft.Storage/storageAccounts/aipclptest,458b9821-8f00-483f-acf9-ff6ab17332c4,eastus,BugBashTest,,Acme Background Check-Katana.doc,https://aipclptest.blob.core.windows.net/satintestcontainer/test5/Acme Background Check-Katana.doc,File,"2/16/2021, 9:35:29.000 AM","2/16/2021, 9:35:29.000 AM",,"11/1/2021, 4:09:39.848 PM",doc,90624,Classification,System,"[""Credit Card Number"",""U.S. Social Security Number (SSN)""]",2,,,,,PurviewDataSensitivityLogs,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourcegroups/purview-sentinel-bug-bash/providers/microsoft.purview/accounts/sentinel-bug-bash-eastus2 -d80e74e9-da11-4572-babc-79349f7685cc,"11/1/2021, 4:12:44.844 PM",00000000-0000-0000-0000-000000000000,DataSensitivityLogEvent,72f988bf-86f1-41af-91ab-2d7cd011db47,458b9821-8f00-483f-acf9-ff6ab17332c4,Sentinel-Bug-Bash-EastUS2,eastus2,AzureBlob-Bc2,AzureBlob,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourceGroups/classification-test/providers/Microsoft.Storage/storageAccounts/aipclptest,458b9821-8f00-483f-acf9-ff6ab17332c4,eastus,BugBashTest,,Payments.docx,https://aipclptest.blob.core.windows.net/aipscan/Finance/Payments.docx,File,"2/13/2020, 7:54:02.000 PM","2/13/2020, 7:54:02.000 PM",,"11/1/2021, 4:09:15.782 PM",docx,20166,Classification,System,"[""Credit Card Number"",""EU Debit Card Number""]",2,,,,,PurviewDataSensitivityLogs,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourcegroups/purview-sentinel-bug-bash/providers/microsoft.purview/accounts/sentinel-bug-bash-eastus2 -d80e74e9-da11-4572-babc-79349f7685cc,"11/1/2021, 4:12:44.852 PM",00000000-0000-0000-0000-000000000000,DataSensitivityLogEvent,72f988bf-86f1-41af-91ab-2d7cd011db47,458b9821-8f00-483f-acf9-ff6ab17332c4,Sentinel-Bug-Bash-EastUS2,eastus2,AzureBlob-Bc2,AzureBlob,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourceGroups/classification-test/providers/Microsoft.Storage/storageAccounts/aipclptest,458b9821-8f00-483f-acf9-ff6ab17332c4,eastus,BugBashTest,,ir-pps.docx,https://aipclptest.blob.core.windows.net/aipscan/HR/ir-pps.docx,File,"2/13/2020, 7:54:12.000 PM","2/13/2020, 7:54:12.000 PM",,"11/1/2021, 4:09:15.563 PM",docx,20027,Classification,System,"[""EU National Identification Number"",""EU Tax Identification Number (TIN)"",""Ireland Personal Public Service (PPS) Number""]",3,,,,,PurviewDataSensitivityLogs,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourcegroups/purview-sentinel-bug-bash/providers/microsoft.purview/accounts/sentinel-bug-bash-eastus2 -d80e74e9-da11-4572-babc-79349f7685cc,"11/1/2021, 4:12:44.852 PM",00000000-0000-0000-0000-000000000000,DataSensitivityLogEvent,72f988bf-86f1-41af-91ab-2d7cd011db47,458b9821-8f00-483f-acf9-ff6ab17332c4,Sentinel-Bug-Bash-EastUS2,eastus2,AzureBlob-Bc2,AzureBlob,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourceGroups/classification-test/providers/Microsoft.Storage/storageAccounts/aipclptest,458b9821-8f00-483f-acf9-ff6ab17332c4,eastus,BugBashTest,,ir-pps.docx,https://aipclptest.blob.core.windows.net/aipscan/HR/ir-pps.docx,File,"2/13/2020, 7:54:12.000 PM","2/13/2020, 7:54:12.000 PM",,"11/1/2021, 4:09:15.563 PM",docx,20027,Labeling,External,[],0,f42aa342-8706-4288-bd11-ebb85995028c,General,,,PurviewDataSensitivityLogs,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourcegroups/purview-sentinel-bug-bash/providers/microsoft.purview/accounts/sentinel-bug-bash-eastus2 -d80e74e9-da11-4572-babc-79349f7685cc,"11/1/2021, 4:12:44.852 PM",00000000-0000-0000-0000-000000000000,DataSensitivityLogEvent,72f988bf-86f1-41af-91ab-2d7cd011db47,458b9821-8f00-483f-acf9-ff6ab17332c4,Sentinel-Bug-Bash-EastUS2,eastus2,AzureBlob-Bc2,AzureBlob,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourceGroups/classification-test/providers/Microsoft.Storage/storageAccounts/aipclptest,458b9821-8f00-483f-acf9-ff6ab17332c4,eastus,BugBashTest,,pl-id.docx,https://aipclptest.blob.core.windows.net/aipscan/HR/pl-id.docx,File,"2/13/2020, 7:54:12.000 PM","2/13/2020, 7:54:12.000 PM",,"11/1/2021, 4:09:15.563 PM",docx,20206,Classification,System,"[""EU National Identification Number"",""Poland Identity Card""]",2,,,,,PurviewDataSensitivityLogs,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourcegroups/purview-sentinel-bug-bash/providers/microsoft.purview/accounts/sentinel-bug-bash-eastus2 -d80e74e9-da11-4572-babc-79349f7685cc,"11/1/2021, 4:12:44.852 PM",00000000-0000-0000-0000-000000000000,DataSensitivityLogEvent,72f988bf-86f1-41af-91ab-2d7cd011db47,458b9821-8f00-483f-acf9-ff6ab17332c4,Sentinel-Bug-Bash-EastUS2,eastus2,AzureBlob-Bc2,AzureBlob,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourceGroups/classification-test/providers/Microsoft.Storage/storageAccounts/aipclptest,458b9821-8f00-483f-acf9-ff6ab17332c4,eastus,BugBashTest,,pl-id.docx,https://aipclptest.blob.core.windows.net/aipscan/HR/pl-id.docx,File,"2/13/2020, 7:54:12.000 PM","2/13/2020, 7:54:12.000 PM",,"11/1/2021, 4:09:15.563 PM",docx,20206,Labeling,External,[],0,f42aa342-8706-4288-bd11-ebb85995028c,General,,,PurviewDataSensitivityLogs,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourcegroups/purview-sentinel-bug-bash/providers/microsoft.purview/accounts/sentinel-bug-bash-eastus2 -d80e74e9-da11-4572-babc-79349f7685cc,"11/1/2021, 4:12:44.853 PM",00000000-0000-0000-0000-000000000000,DataSensitivityLogEvent,72f988bf-86f1-41af-91ab-2d7cd011db47,458b9821-8f00-483f-acf9-ff6ab17332c4,Sentinel-Bug-Bash-EastUS2,eastus2,AzureBlob-Bc2,AzureBlob,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourceGroups/classification-test/providers/Microsoft.Storage/storageAccounts/aipclptest,458b9821-8f00-483f-acf9-ff6ab17332c4,eastus,BugBashTest,,create samples.xlsx,https://aipclptest.blob.core.windows.net/aipscan/HR/create samples.xlsx,File,"2/13/2020, 7:54:12.000 PM","2/13/2020, 7:54:12.000 PM",,"11/1/2021, 4:09:15.798 PM",xlsx,23208,Classification,System,"[""ABA Routing Number"",""Argentina National Identity (DNI) Number"",""Australia Bank Account Number"",""Australia Driver's License Number"",""Australia Medical Account Number"",""Australia Passport Number"",""Australia Tax File Number"",""Austria Driver's License Number"",""Austria Passport Number"",""Belgium Driver's License Number"",""Belgium Passport Number"",""Brazil CPF Number"",""Brazil Legal Entity Number (CNPJ)"",""Brazil National ID Card (RG)"",""Bulgaria Driver's License Number"",""Bulgaria Passport Number"",""Canada Bank Account Number"",""Canada Driver's License Number"",""Canada Health Service Number"",""Canada Passport Number"",""Canada Personal Health Identification Number (PHIN)"",""Canada Social Insurance Number"",""Chile Identity Card Number"",""China Resident Identity Card (PRC) Number"",""Credit Card Number"",""Croatia Driver's License Number"",""Croatia Passport Number"",""Cyprus Driver's License Number"",""Cyprus Identity Card"",""Czech Personal Identity Number"",""Czech Republic Passport Number"",""Denmark Driver's License Number"",""Denmark Passport Number"",""Denmark Personal Identification Number"",""Estonia Passport Number"",""EU Debit Card Number"",""EU Driver's License Number"",""EU National Identification Number"",""EU Passport Number"",""EU Social Security Number (SSN) or Equivalent ID"",""EU Tax Identification Number (TIN)"",""Finland National ID"",""Finland Passport Number"",""France Driver's License Number"",""France National ID Card (CNI)"",""France Social Security Number (INSEE)"",""German Driver's License Number"",""German Passport Number"",""Germany Identity Card Number"",""Greece Driver's License Number"",""Greece National ID Card"",""Greece Passport Number"",""Hungarian Social Security Number (TAJ)"",""Hungary Passport Number"",""India Permanent Account Number (PAN)"",""India Unique Identification (Aadhaar) Number"",""Indonesia Identity Card (KTP) Number"",""International Banking Account Number (IBAN)"",""IP Address"",""Ireland Passport Number"",""Ireland Personal Public Service (PPS) Number"",""Israel Bank Account Number"",""Israel National ID"",""Italy Driver's License Number"",""Italy Passport Number"",""Japan Bank Account Number"",""Japan Driver's License Number"",""Japan Passport Number"",""Japan Resident Registration Number"",""Japan Social Insurance Number (SIN)"",""Lithuania Driver's License Number"",""Lithuania Passport Number"",""Luxemburg Passport Number"",""Malaysia Identity Card Number"",""Malta Driver's License Number"",""Malta Passport Number"",""Netherlands Driver's License Number"",""Netherlands Passport Number"",""New Zealand Ministry of Health Number"",""Norway Identity Number"",""Philippines Unified Multi-Purpose ID Number"",""Poland Identity Card"",""Romania Driver's License Number"",""Romania Passport Number"",""Russian Passport Number (Domestic)"",""Russian Passport Number (International)"",""Saudi Arabia National ID"",""Singapore National Registration Identity Card (NRIC) Number"",""Slovakia Driver's License Number"",""Slovakia Passport Number"",""Slovakia Personal Number"",""Slovenia Driver's License Number"",""Slovenia Passport Number"",""South Africa Identification Number"",""South Korea Resident Registration Number"",""Spain Social Security Number (SSN)"",""Sweden National ID"",""Sweden Passport Number"",""Sweden Tax Identification Number"",""SWIFT Code"",""Taiwan National ID"",""Taiwan Passport Number"",""Taiwan Resident Certificate (ARC/TARC)"",""U.K. Driver's License Number"",""U.K. Electoral Roll Number"",""U.K. National Health Service Number"",""U.K. National Insurance Number (NINO)"",""U.K. Unique Taxpayer Reference Number"",""U.S. / U.K. Passport Number"",""U.S. Bank Account Number"",""U.S. Individual Taxpayer Identification Number (ITIN)"",""U.S. Social Security Number (SSN)"",""Ukraine Passport Number (Domestic)"",""Ukraine Passport Number (International)""]",114,,,,,PurviewDataSensitivityLogs,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourcegroups/purview-sentinel-bug-bash/providers/microsoft.purview/accounts/sentinel-bug-bash-eastus2 -d80e74e9-da11-4572-babc-79349f7685cc,"11/1/2021, 4:12:44.853 PM",00000000-0000-0000-0000-000000000000,DataSensitivityLogEvent,72f988bf-86f1-41af-91ab-2d7cd011db47,458b9821-8f00-483f-acf9-ff6ab17332c4,Sentinel-Bug-Bash-EastUS2,eastus2,AzureBlob-Bc2,AzureBlob,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourceGroups/classification-test/providers/Microsoft.Storage/storageAccounts/aipclptest,458b9821-8f00-483f-acf9-ff6ab17332c4,eastus,BugBashTest,,create samples.xlsx,https://aipclptest.blob.core.windows.net/aipscan/HR/create samples.xlsx,File,"2/13/2020, 7:54:12.000 PM","2/13/2020, 7:54:12.000 PM",,"11/1/2021, 4:09:15.798 PM",xlsx,23208,Labeling,External,[],0,f42aa342-8706-4288-bd11-ebb85995028c,General,,,PurviewDataSensitivityLogs,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourcegroups/purview-sentinel-bug-bash/providers/microsoft.purview/accounts/sentinel-bug-bash-eastus2 -d80e74e9-da11-4572-babc-79349f7685cc,"11/1/2021, 4:12:44.855 PM",00000000-0000-0000-0000-000000000000,DataSensitivityLogEvent,72f988bf-86f1-41af-91ab-2d7cd011db47,458b9821-8f00-483f-acf9-ff6ab17332c4,Sentinel-Bug-Bash-EastUS2,eastus2,AzureBlob-Bc2,AzureBlob,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourceGroups/classification-test/providers/Microsoft.Storage/storageAccounts/aipclptest,458b9821-8f00-483f-acf9-ff6ab17332c4,eastus,BugBashTest,,Acme Background Check.doc,https://aipclptest.blob.core.windows.net/aipscan/CredScan/Acme Background Check.doc,File,"2/13/2020, 7:53:39.000 PM","2/13/2020, 7:53:39.000 PM",,"11/1/2021, 4:09:39.708 PM",doc,95232,Classification,System,"[""Credit Card Number"",""U.S. Social Security Number (SSN)""]",2,,,,,PurviewDataSensitivityLogs,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourcegroups/purview-sentinel-bug-bash/providers/microsoft.purview/accounts/sentinel-bug-bash-eastus2 -d80e74e9-da11-4572-babc-79349f7685cc,"11/1/2021, 4:12:44.862 PM",00000000-0000-0000-0000-000000000000,DataSensitivityLogEvent,72f988bf-86f1-41af-91ab-2d7cd011db47,458b9821-8f00-483f-acf9-ff6ab17332c4,Sentinel-Bug-Bash-EastUS2,eastus2,AzureBlob-Bc2,AzureBlob,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourceGroups/classification-test/providers/Microsoft.Storage/storageAccounts/aipclptest,458b9821-8f00-483f-acf9-ff6ab17332c4,eastus,BugBashTest,,Doc with credit cards.docx,https://aipclptest.blob.core.windows.net/aipscan-open/Doc with credit cards.docx,File,"11/18/2020, 12:26:00.000 AM","11/18/2020, 12:26:00.000 AM",,"11/1/2021, 4:09:15.329 PM",docx,14003,Classification,System,"[""Credit Card Number"",""EU Debit Card Number""]",2,,,,,PurviewDataSensitivityLogs,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourcegroups/purview-sentinel-bug-bash/providers/microsoft.purview/accounts/sentinel-bug-bash-eastus2 -d80e74e9-da11-4572-babc-79349f7685cc,"11/1/2021, 4:12:44.862 PM",00000000-0000-0000-0000-000000000000,DataSensitivityLogEvent,72f988bf-86f1-41af-91ab-2d7cd011db47,458b9821-8f00-483f-acf9-ff6ab17332c4,Sentinel-Bug-Bash-EastUS2,eastus2,AzureBlob-Bc2,AzureBlob,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourceGroups/classification-test/providers/Microsoft.Storage/storageAccounts/aipclptest,458b9821-8f00-483f-acf9-ff6ab17332c4,eastus,BugBashTest,,Doc with credit cards.docx,https://aipclptest.blob.core.windows.net/aipscan-open/Doc with credit cards.docx,File,"11/18/2020, 12:26:00.000 AM","11/18/2020, 12:26:00.000 AM",,"11/1/2021, 4:09:15.329 PM",docx,14003,Labeling,External,[],0,f42aa342-8706-4288-bd11-ebb85995028c,General,,,PurviewDataSensitivityLogs,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourcegroups/purview-sentinel-bug-bash/providers/microsoft.purview/accounts/sentinel-bug-bash-eastus2 -d80e74e9-da11-4572-babc-79349f7685cc,"11/1/2021, 4:12:44.863 PM",00000000-0000-0000-0000-000000000000,DataSensitivityLogEvent,72f988bf-86f1-41af-91ab-2d7cd011db47,458b9821-8f00-483f-acf9-ff6ab17332c4,Sentinel-Bug-Bash-EastUS2,eastus2,AzureBlob-Bc2,AzureBlob,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourceGroups/classification-test/providers/Microsoft.Storage/storageAccounts/aipclptest,458b9821-8f00-483f-acf9-ff6ab17332c4,eastus,BugBashTest,,create samples.xlsx,https://aipclptest.blob.core.windows.net/satintestcontainer/create samples.xlsx,File,"5/12/2021, 6:56:20.000 PM","5/12/2021, 6:56:20.000 PM",,"11/1/2021, 4:09:15.360 PM",xlsx,29140,Classification,System,"[""ABA Routing Number"",""Argentina National Identity (DNI) Number"",""Australia Bank Account Number"",""Australia Driver's License Number"",""Australia Medical Account Number"",""Australia Passport Number"",""Australia Tax File Number"",""Austria Driver's License Number"",""Austria Passport Number"",""Belgium Driver's License Number"",""Belgium Passport Number"",""Brazil CPF Number"",""Brazil Legal Entity Number (CNPJ)"",""Brazil National ID Card (RG)"",""Bulgaria Driver's License Number"",""Bulgaria Passport Number"",""Canada Bank Account Number"",""Canada Driver's License Number"",""Canada Health Service Number"",""Canada Passport Number"",""Canada Personal Health Identification Number (PHIN)"",""Canada Social Insurance Number"",""Chile Identity Card Number"",""China Resident Identity Card (PRC) Number"",""Credit Card Number"",""Croatia Driver's License Number"",""Croatia Passport Number"",""Cyprus Driver's License Number"",""Cyprus Identity Card"",""Czech Personal Identity Number"",""Czech Republic Passport Number"",""Denmark Driver's License Number"",""Denmark Passport Number"",""Denmark Personal Identification Number"",""Estonia Passport Number"",""EU Debit Card Number"",""EU Driver's License Number"",""EU National Identification Number"",""EU Passport Number"",""EU Social Security Number (SSN) or Equivalent ID"",""EU Tax Identification Number (TIN)"",""Finland National ID"",""Finland Passport Number"",""France Driver's License Number"",""France National ID Card (CNI)"",""France Social Security Number (INSEE)"",""German Driver's License Number"",""German Passport Number"",""Germany Identity Card Number"",""Greece Driver's License Number"",""Greece National ID Card"",""Greece Passport Number"",""Hungarian Social Security Number (TAJ)"",""Hungary Passport Number"",""India Permanent Account Number (PAN)"",""India Unique Identification (Aadhaar) Number"",""Indonesia Identity Card (KTP) Number"",""International Banking Account Number (IBAN)"",""IP Address"",""Ireland Passport Number"",""Ireland Personal Public Service (PPS) Number"",""Israel Bank Account Number"",""Israel National ID"",""Italy Driver's License Number"",""Italy Passport Number"",""Japan Bank Account Number"",""Japan Driver's License Number"",""Japan Passport Number"",""Japan Resident Registration Number"",""Japan Social Insurance Number (SIN)"",""Lithuania Driver's License Number"",""Lithuania Passport Number"",""Luxemburg Passport Number"",""Malaysia Identity Card Number"",""Malta Driver's License Number"",""Malta Passport Number"",""Netherlands Driver's License Number"",""Netherlands Passport Number"",""New Zealand Ministry of Health Number"",""Norway Identity Number"",""Philippines Unified Multi-Purpose ID Number"",""Poland Identity Card"",""Romania Driver's License Number"",""Romania Passport Number"",""Russian Passport Number (Domestic)"",""Russian Passport Number (International)"",""Saudi Arabia National ID"",""Singapore National Registration Identity Card (NRIC) Number"",""Slovakia Driver's License Number"",""Slovakia Passport Number"",""Slovakia Personal Number"",""Slovenia Driver's License Number"",""Slovenia Passport Number"",""South Africa Identification Number"",""South Korea Resident Registration Number"",""Spain Social Security Number (SSN)"",""Sweden National ID"",""Sweden Passport Number"",""Sweden Tax Identification Number"",""SWIFT Code"",""Taiwan National ID"",""Taiwan Passport Number"",""Taiwan Resident Certificate (ARC/TARC)"",""U.K. Driver's License Number"",""U.K. Electoral Roll Number"",""U.K. National Health Service Number"",""U.K. National Insurance Number (NINO)"",""U.K. Unique Taxpayer Reference Number"",""U.S. / U.K. Passport Number"",""U.S. Bank Account Number"",""U.S. Individual Taxpayer Identification Number (ITIN)"",""U.S. Social Security Number (SSN)"",""Ukraine Passport Number (Domestic)"",""Ukraine Passport Number (International)""]",114,,,,,PurviewDataSensitivityLogs,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourcegroups/purview-sentinel-bug-bash/providers/microsoft.purview/accounts/sentinel-bug-bash-eastus2 -d80e74e9-da11-4572-babc-79349f7685cc,"11/1/2021, 4:12:44.871 PM",00000000-0000-0000-0000-000000000000,DataSensitivityLogEvent,72f988bf-86f1-41af-91ab-2d7cd011db47,458b9821-8f00-483f-acf9-ff6ab17332c4,Sentinel-Bug-Bash-EastUS2,eastus2,AzureBlob-Bc2,AzureBlob,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourceGroups/classification-test/providers/Microsoft.Storage/storageAccounts/aipclptest,458b9821-8f00-483f-acf9-ff6ab17332c4,eastus,BugBashTest,,Acme Background Check-Katana.doc,https://aipclptest.blob.core.windows.net/satintestcontainer/test1/Acme Background Check-Katana.doc,File,"2/16/2021, 9:12:17.000 AM","2/16/2021, 9:12:17.000 AM",,"11/1/2021, 4:09:39.911 PM",doc,90624,Classification,System,"[""Credit Card Number"",""U.S. Social Security Number (SSN)""]",2,,,,,PurviewDataSensitivityLogs,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourcegroups/purview-sentinel-bug-bash/providers/microsoft.purview/accounts/sentinel-bug-bash-eastus2 -d80e74e9-da11-4572-babc-79349f7685cc,"11/1/2021, 4:12:44.878 PM",00000000-0000-0000-0000-000000000000,DataSensitivityLogEvent,72f988bf-86f1-41af-91ab-2d7cd011db47,458b9821-8f00-483f-acf9-ff6ab17332c4,Sentinel-Bug-Bash-EastUS2,eastus2,AzureBlob-Bc2,AzureBlob,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourceGroups/classification-test/providers/Microsoft.Storage/storageAccounts/aipclptest,458b9821-8f00-483f-acf9-ff6ab17332c4,eastus,BugBashTest,,Acme Background Check-Katana.doc,https://aipclptest.blob.core.windows.net/satintestcontainer/test3/Acme Background Check-Katana.doc,File,"2/16/2021, 9:34:57.000 AM","2/16/2021, 9:34:57.000 AM",,"11/1/2021, 4:09:39.926 PM",doc,90624,Classification,System,"[""Credit Card Number"",""U.S. Social Security Number (SSN)""]",2,,,,,PurviewDataSensitivityLogs,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourcegroups/purview-sentinel-bug-bash/providers/microsoft.purview/accounts/sentinel-bug-bash-eastus2 -d80e74e9-da11-4572-babc-79349f7685cc,"11/1/2021, 4:12:44.885 PM",00000000-0000-0000-0000-000000000000,DataSensitivityLogEvent,72f988bf-86f1-41af-91ab-2d7cd011db47,458b9821-8f00-483f-acf9-ff6ab17332c4,Sentinel-Bug-Bash-EastUS2,eastus2,AzureBlob-Bc2,AzureBlob,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourceGroups/classification-test/providers/Microsoft.Storage/storageAccounts/aipclptest,458b9821-8f00-483f-acf9-ff6ab17332c4,eastus,BugBashTest,,Travel Authorization Form_MY_101706.doc,https://aipclptest.blob.core.windows.net/aipscan/CredScan/Travel Authorization Form_MY_101706.doc,File,"2/13/2020, 7:53:38.000 PM","2/13/2020, 7:53:38.000 PM",,"11/1/2021, 4:09:39.676 PM",doc,40960,Classification,System,"[""Credit Card Number""]",1,,,,,PurviewDataSensitivityLogs,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourcegroups/purview-sentinel-bug-bash/providers/microsoft.purview/accounts/sentinel-bug-bash-eastus2 -d80e74e9-da11-4572-babc-79349f7685cc,"11/1/2021, 4:12:45.171 PM",00000000-0000-0000-0000-000000000000,DataSensitivityLogEvent,72f988bf-86f1-41af-91ab-2d7cd011db47,458b9821-8f00-483f-acf9-ff6ab17332c4,Sentinel-Bug-Bash-EastUS2,eastus2,AzureBlob-Bc2,AzureBlob,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourceGroups/classification-test/providers/Microsoft.Storage/storageAccounts/aipclptest,458b9821-8f00-483f-acf9-ff6ab17332c4,eastus,BugBashTest,,Acme Background Check-Katana.doc,https://aipclptest.blob.core.windows.net/satintestcontainer/test4/Acme Background Check-Katana.doc,File,"2/16/2021, 9:35:05.000 AM","2/16/2021, 9:35:05.000 AM",,"11/1/2021, 4:09:39.848 PM",doc,90624,Labeling,Default,[],0,9fbde396-1a24-4c79-8edf-9254a0f35055,Confidential\Microsoft Extended,,,PurviewDataSensitivityLogs,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourcegroups/purview-sentinel-bug-bash/providers/microsoft.purview/accounts/sentinel-bug-bash-eastus2 -d80e74e9-da11-4572-babc-79349f7685cc,"11/1/2021, 4:12:45.352 PM",00000000-0000-0000-0000-000000000000,DataSensitivityLogEvent,72f988bf-86f1-41af-91ab-2d7cd011db47,458b9821-8f00-483f-acf9-ff6ab17332c4,Sentinel-Bug-Bash-EastUS2,eastus2,AzureBlob-Bc2,AzureBlob,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourceGroups/classification-test/providers/Microsoft.Storage/storageAccounts/aipclptest,458b9821-8f00-483f-acf9-ff6ab17332c4,eastus,BugBashTest,,fi-pn.docx,https://aipclptest.blob.core.windows.net/joselw-test/fi-pn.docx,File,"8/16/2021, 8:56:14.000 PM","8/16/2021, 8:56:14.000 PM",,"11/1/2021, 4:09:14.735 PM",docx,18996,Labeling,Default,[],0,9fbde396-1a24-4c79-8edf-9254a0f35055,Confidential\Microsoft Extended,,,PurviewDataSensitivityLogs,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourcegroups/purview-sentinel-bug-bash/providers/microsoft.purview/accounts/sentinel-bug-bash-eastus2 -d80e74e9-da11-4572-babc-79349f7685cc,"11/1/2021, 4:12:45.375 PM",00000000-0000-0000-0000-000000000000,DataSensitivityLogEvent,72f988bf-86f1-41af-91ab-2d7cd011db47,458b9821-8f00-483f-acf9-ff6ab17332c4,Sentinel-Bug-Bash-EastUS2,eastus2,AzureBlob-Bc2,AzureBlob,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourceGroups/classification-test/providers/Microsoft.Storage/storageAccounts/aipclptest,458b9821-8f00-483f-acf9-ff6ab17332c4,eastus,BugBashTest,,vendors data.xlsx,https://aipclptest.blob.core.windows.net/aipscan/Finance/vendors data.xlsx,File,"2/13/2020, 7:54:02.000 PM","2/13/2020, 7:54:02.000 PM",,"11/1/2021, 4:09:15.907 PM",xlsx,23326,Classification,System,"[""ABA Routing Number"",""Argentina National Identity (DNI) Number"",""Australia Bank Account Number"",""Australia Driver's License Number"",""Australia Medical Account Number"",""Australia Passport Number"",""Australia Tax File Number"",""Austria Driver's License Number"",""Austria Passport Number"",""Belgium Driver's License Number"",""Belgium Passport Number"",""Brazil CPF Number"",""Brazil Legal Entity Number (CNPJ)"",""Brazil National ID Card (RG)"",""Bulgaria Driver's License Number"",""Bulgaria Passport Number"",""Canada Bank Account Number"",""Canada Driver's License Number"",""Canada Health Service Number"",""Canada Passport Number"",""Canada Personal Health Identification Number (PHIN)"",""Canada Social Insurance Number"",""Chile Identity Card Number"",""China Resident Identity Card (PRC) Number"",""Credit Card Number"",""Croatia Driver's License Number"",""Croatia Passport Number"",""Cyprus Driver's License Number"",""Cyprus Identity Card"",""Czech Personal Identity Number"",""Czech Republic Passport Number"",""Denmark Driver's License Number"",""Denmark Passport Number"",""Denmark Personal Identification Number"",""Estonia Passport Number"",""EU Debit Card Number"",""EU Driver's License Number"",""EU National Identification Number"",""EU Passport Number"",""EU Social Security Number (SSN) or Equivalent ID"",""EU Tax Identification Number (TIN)"",""Finland National ID"",""Finland Passport Number"",""France Driver's License Number"",""France National ID Card (CNI)"",""France Social Security Number (INSEE)"",""German Driver's License Number"",""German Passport Number"",""Germany Identity Card Number"",""Greece Driver's License Number"",""Greece National ID Card"",""Greece Passport Number"",""Hungarian Social Security Number (TAJ)"",""Hungary Passport Number"",""India Permanent Account Number (PAN)"",""India Unique Identification (Aadhaar) Number"",""Indonesia Identity Card (KTP) Number"",""International Banking Account Number (IBAN)"",""IP Address"",""Ireland Passport Number"",""Ireland Personal Public Service (PPS) Number"",""Israel Bank Account Number"",""Israel National ID"",""Italy Driver's License Number"",""Italy Passport Number"",""Japan Bank Account Number"",""Japan Driver's License Number"",""Japan Passport Number"",""Japan Resident Registration Number"",""Japan Social Insurance Number (SIN)"",""Lithuania Driver's License Number"",""Lithuania Passport Number"",""Luxemburg Passport Number"",""Malaysia Identity Card Number"",""Malta Driver's License Number"",""Malta Passport Number"",""Netherlands Driver's License Number"",""Netherlands Passport Number"",""New Zealand Ministry of Health Number"",""Norway Identity Number"",""Philippines Unified Multi-Purpose ID Number"",""Poland Identity Card"",""Romania Driver's License Number"",""Romania Passport Number"",""Russian Passport Number (Domestic)"",""Russian Passport Number (International)"",""Saudi Arabia National ID"",""Singapore National Registration Identity Card (NRIC) Number"",""Slovakia Driver's License Number"",""Slovakia Passport Number"",""Slovakia Personal Number"",""Slovenia Driver's License Number"",""Slovenia Passport Number"",""South Africa Identification Number"",""South Korea Resident Registration Number"",""Spain Social Security Number (SSN)"",""Sweden National ID"",""Sweden Passport Number"",""Sweden Tax Identification Number"",""SWIFT Code"",""Taiwan National ID"",""Taiwan Passport Number"",""Taiwan Resident Certificate (ARC/TARC)"",""U.K. Driver's License Number"",""U.K. Electoral Roll Number"",""U.K. National Health Service Number"",""U.K. National Insurance Number (NINO)"",""U.K. Unique Taxpayer Reference Number"",""U.S. / U.K. Passport Number"",""U.S. Bank Account Number"",""U.S. Individual Taxpayer Identification Number (ITIN)"",""U.S. Social Security Number (SSN)"",""Ukraine Passport Number (Domestic)"",""Ukraine Passport Number (International)""]",114,,,,,PurviewDataSensitivityLogs,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourcegroups/purview-sentinel-bug-bash/providers/microsoft.purview/accounts/sentinel-bug-bash-eastus2 -d80e74e9-da11-4572-babc-79349f7685cc,"11/1/2021, 4:12:45.502 PM",00000000-0000-0000-0000-000000000000,DataSensitivityLogEvent,72f988bf-86f1-41af-91ab-2d7cd011db47,458b9821-8f00-483f-acf9-ff6ab17332c4,Sentinel-Bug-Bash-EastUS2,eastus2,AzureBlob-Bc2,AzureBlob,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourceGroups/classification-test/providers/Microsoft.Storage/storageAccounts/aipclptest,458b9821-8f00-483f-acf9-ff6ab17332c4,eastus,BugBashTest,,Payments.docx,https://aipclptest.blob.core.windows.net/aipscan/Finance/Payments.docx,File,"2/13/2020, 7:54:02.000 PM","2/13/2020, 7:54:02.000 PM",,"11/1/2021, 4:09:15.782 PM",docx,20166,Labeling,Default,[],0,9fbde396-1a24-4c79-8edf-9254a0f35055,Confidential\Microsoft Extended,,,PurviewDataSensitivityLogs,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourcegroups/purview-sentinel-bug-bash/providers/microsoft.purview/accounts/sentinel-bug-bash-eastus2 -d80e74e9-da11-4572-babc-79349f7685cc,"11/1/2021, 4:12:45.521 PM",00000000-0000-0000-0000-000000000000,DataSensitivityLogEvent,72f988bf-86f1-41af-91ab-2d7cd011db47,458b9821-8f00-483f-acf9-ff6ab17332c4,Sentinel-Bug-Bash-EastUS2,eastus2,AzureBlob-Bc2,AzureBlob,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourceGroups/classification-test/providers/Microsoft.Storage/storageAccounts/aipclptest,458b9821-8f00-483f-acf9-ff6ab17332c4,eastus,BugBashTest,,Acme Background Check-Katana.doc,https://aipclptest.blob.core.windows.net/aipscan/Change Test/Acme Background Check-Katana.doc,File,"11/4/2020, 2:11:47.000 AM","11/4/2020, 2:11:47.000 AM",,"11/1/2021, 4:09:39.833 PM",doc,90624,Labeling,Default,[],0,9fbde396-1a24-4c79-8edf-9254a0f35055,Confidential\Microsoft Extended,,,PurviewDataSensitivityLogs,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourcegroups/purview-sentinel-bug-bash/providers/microsoft.purview/accounts/sentinel-bug-bash-eastus2 -d80e74e9-da11-4572-babc-79349f7685cc,"11/1/2021, 4:12:45.531 PM",00000000-0000-0000-0000-000000000000,DataSensitivityLogEvent,72f988bf-86f1-41af-91ab-2d7cd011db47,458b9821-8f00-483f-acf9-ff6ab17332c4,Sentinel-Bug-Bash-EastUS2,eastus2,AzureBlob-Bc2,AzureBlob,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourceGroups/classification-test/providers/Microsoft.Storage/storageAccounts/aipclptest,458b9821-8f00-483f-acf9-ff6ab17332c4,eastus,BugBashTest,,Acme Request for Time Off-Katana.doc,https://aipclptest.blob.core.windows.net/aipscan/CredScan/Acme Request for Time Off-Katana.doc,File,"2/13/2020, 7:53:38.000 PM","2/13/2020, 7:53:38.000 PM",,"11/1/2021, 4:09:39.723 PM",doc,39936,Labeling,Default,[],0,9fbde396-1a24-4c79-8edf-9254a0f35055,Confidential\Microsoft Extended,,,PurviewDataSensitivityLogs,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourcegroups/purview-sentinel-bug-bash/providers/microsoft.purview/accounts/sentinel-bug-bash-eastus2 -d80e74e9-da11-4572-babc-79349f7685cc,"11/1/2021, 4:12:45.594 PM",00000000-0000-0000-0000-000000000000,DataSensitivityLogEvent,72f988bf-86f1-41af-91ab-2d7cd011db47,458b9821-8f00-483f-acf9-ff6ab17332c4,Sentinel-Bug-Bash-EastUS2,eastus2,AzureBlob-Bc2,AzureBlob,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourceGroups/classification-test/providers/Microsoft.Storage/storageAccounts/aipclptest,458b9821-8f00-483f-acf9-ff6ab17332c4,eastus,BugBashTest,,Acme Background Check-Katana.doc,https://aipclptest.blob.core.windows.net/satintestcontainer/test5/Acme Background Check-Katana.doc,File,"2/16/2021, 9:35:29.000 AM","2/16/2021, 9:35:29.000 AM",,"11/1/2021, 4:09:39.848 PM",doc,90624,Labeling,Default,[],0,9fbde396-1a24-4c79-8edf-9254a0f35055,Confidential\Microsoft Extended,,,PurviewDataSensitivityLogs,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourcegroups/purview-sentinel-bug-bash/providers/microsoft.purview/accounts/sentinel-bug-bash-eastus2 -d80e74e9-da11-4572-babc-79349f7685cc,"11/1/2021, 4:12:45.607 PM",00000000-0000-0000-0000-000000000000,DataSensitivityLogEvent,72f988bf-86f1-41af-91ab-2d7cd011db47,458b9821-8f00-483f-acf9-ff6ab17332c4,Sentinel-Bug-Bash-EastUS2,eastus2,AzureBlob-Bc2,AzureBlob,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourceGroups/classification-test/providers/Microsoft.Storage/storageAccounts/aipclptest,458b9821-8f00-483f-acf9-ff6ab17332c4,eastus,BugBashTest,,Acme Background Check-Katana.doc,https://aipclptest.blob.core.windows.net/aipscan/CredScan/Acme Background Check-Katana.doc,File,"2/13/2020, 7:53:39.000 PM","2/13/2020, 7:53:39.000 PM",,"11/1/2021, 4:09:39.848 PM",doc,95232,Labeling,Default,[],0,9fbde396-1a24-4c79-8edf-9254a0f35055,Confidential\Microsoft Extended,,,PurviewDataSensitivityLogs,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourcegroups/purview-sentinel-bug-bash/providers/microsoft.purview/accounts/sentinel-bug-bash-eastus2 -d80e74e9-da11-4572-babc-79349f7685cc,"11/1/2021, 4:12:45.607 PM",00000000-0000-0000-0000-000000000000,DataSensitivityLogEvent,72f988bf-86f1-41af-91ab-2d7cd011db47,458b9821-8f00-483f-acf9-ff6ab17332c4,Sentinel-Bug-Bash-EastUS2,eastus2,AzureBlob-Bc2,AzureBlob,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourceGroups/classification-test/providers/Microsoft.Storage/storageAccounts/aipclptest,458b9821-8f00-483f-acf9-ff6ab17332c4,eastus,BugBashTest,,Acme Background Check-Katana.doc,https://aipclptest.blob.core.windows.net/satintestcontainer/test3/Acme Background Check-Katana.doc,File,"2/16/2021, 9:34:57.000 AM","2/16/2021, 9:34:57.000 AM",,"11/1/2021, 4:09:39.926 PM",doc,90624,Labeling,Default,[],0,9fbde396-1a24-4c79-8edf-9254a0f35055,Confidential\Microsoft Extended,,,PurviewDataSensitivityLogs,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourcegroups/purview-sentinel-bug-bash/providers/microsoft.purview/accounts/sentinel-bug-bash-eastus2 -d80e74e9-da11-4572-babc-79349f7685cc,"11/1/2021, 4:12:45.617 PM",00000000-0000-0000-0000-000000000000,DataSensitivityLogEvent,72f988bf-86f1-41af-91ab-2d7cd011db47,458b9821-8f00-483f-acf9-ff6ab17332c4,Sentinel-Bug-Bash-EastUS2,eastus2,AzureBlob-Bc2,AzureBlob,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourceGroups/classification-test/providers/Microsoft.Storage/storageAccounts/aipclptest,458b9821-8f00-483f-acf9-ff6ab17332c4,eastus,BugBashTest,,create samples.xlsx,https://aipclptest.blob.core.windows.net/satintestcontainer/create samples.xlsx,File,"5/12/2021, 6:56:20.000 PM","5/12/2021, 6:56:20.000 PM",,"11/1/2021, 4:09:15.360 PM",xlsx,29140,Labeling,Default,[],0,9fbde396-1a24-4c79-8edf-9254a0f35055,Confidential\Microsoft Extended,,,PurviewDataSensitivityLogs,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourcegroups/purview-sentinel-bug-bash/providers/microsoft.purview/accounts/sentinel-bug-bash-eastus2 -d80e74e9-da11-4572-babc-79349f7685cc,"11/1/2021, 4:12:45.665 PM",00000000-0000-0000-0000-000000000000,DataSensitivityLogEvent,72f988bf-86f1-41af-91ab-2d7cd011db47,458b9821-8f00-483f-acf9-ff6ab17332c4,Sentinel-Bug-Bash-EastUS2,eastus2,AzureBlob-Bc2,AzureBlob,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourceGroups/classification-test/providers/Microsoft.Storage/storageAccounts/aipclptest,458b9821-8f00-483f-acf9-ff6ab17332c4,eastus,BugBashTest,,Credit Card Spreadsheet.xls,https://aipclptest.blob.core.windows.net/aipscan/CredScan/Credit Card Spreadsheet.xls,File,"2/13/2020, 7:53:39.000 PM","2/13/2020, 7:53:39.000 PM",,"11/1/2021, 4:09:39.692 PM",xls,30208,Labeling,Default,[],0,9fbde396-1a24-4c79-8edf-9254a0f35055,Confidential\Microsoft Extended,,,PurviewDataSensitivityLogs,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourcegroups/purview-sentinel-bug-bash/providers/microsoft.purview/accounts/sentinel-bug-bash-eastus2 -d80e74e9-da11-4572-babc-79349f7685cc,"11/1/2021, 4:12:45.670 PM",00000000-0000-0000-0000-000000000000,DataSensitivityLogEvent,72f988bf-86f1-41af-91ab-2d7cd011db47,458b9821-8f00-483f-acf9-ff6ab17332c4,Sentinel-Bug-Bash-EastUS2,eastus2,AzureBlob-Bc2,AzureBlob,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourceGroups/classification-test/providers/Microsoft.Storage/storageAccounts/aipclptest,458b9821-8f00-483f-acf9-ff6ab17332c4,eastus,BugBashTest,,Acme Background Check-Katana.doc,https://aipclptest.blob.core.windows.net/satintestcontainer/test1/Acme Background Check-Katana.doc,File,"2/16/2021, 9:12:17.000 AM","2/16/2021, 9:12:17.000 AM",,"11/1/2021, 4:09:39.911 PM",doc,90624,Labeling,Default,[],0,9fbde396-1a24-4c79-8edf-9254a0f35055,Confidential\Microsoft Extended,,,PurviewDataSensitivityLogs,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourcegroups/purview-sentinel-bug-bash/providers/microsoft.purview/accounts/sentinel-bug-bash-eastus2 -d80e74e9-da11-4572-babc-79349f7685cc,"11/1/2021, 4:12:45.681 PM",00000000-0000-0000-0000-000000000000,DataSensitivityLogEvent,72f988bf-86f1-41af-91ab-2d7cd011db47,458b9821-8f00-483f-acf9-ff6ab17332c4,Sentinel-Bug-Bash-EastUS2,eastus2,AzureBlob-Bc2,AzureBlob,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourceGroups/classification-test/providers/Microsoft.Storage/storageAccounts/aipclptest,458b9821-8f00-483f-acf9-ff6ab17332c4,eastus,BugBashTest,,Acme Background Check.doc,https://aipclptest.blob.core.windows.net/aipscan/CredScan/Acme Background Check.doc,File,"2/13/2020, 7:53:39.000 PM","2/13/2020, 7:53:39.000 PM",,"11/1/2021, 4:09:39.708 PM",doc,95232,Labeling,Default,[],0,9fbde396-1a24-4c79-8edf-9254a0f35055,Confidential\Microsoft Extended,,,PurviewDataSensitivityLogs,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourcegroups/purview-sentinel-bug-bash/providers/microsoft.purview/accounts/sentinel-bug-bash-eastus2 -d80e74e9-da11-4572-babc-79349f7685cc,"11/1/2021, 4:12:45.764 PM",00000000-0000-0000-0000-000000000000,DataSensitivityLogEvent,72f988bf-86f1-41af-91ab-2d7cd011db47,458b9821-8f00-483f-acf9-ff6ab17332c4,Sentinel-Bug-Bash-EastUS2,eastus2,AzureBlob-Bc2,AzureBlob,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourceGroups/classification-test/providers/Microsoft.Storage/storageAccounts/aipclptest,458b9821-8f00-483f-acf9-ff6ab17332c4,eastus,BugBashTest,,Travel Authorization Form_MY_101706.doc,https://aipclptest.blob.core.windows.net/aipscan/CredScan/Travel Authorization Form_MY_101706.doc,File,"2/13/2020, 7:53:38.000 PM","2/13/2020, 7:53:38.000 PM",,"11/1/2021, 4:09:39.676 PM",doc,40960,Labeling,Default,[],0,9fbde396-1a24-4c79-8edf-9254a0f35055,Confidential\Microsoft Extended,,,PurviewDataSensitivityLogs,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourcegroups/purview-sentinel-bug-bash/providers/microsoft.purview/accounts/sentinel-bug-bash-eastus2 -d80e74e9-da11-4572-babc-79349f7685cc,"11/1/2021, 4:12:46.037 PM",00000000-0000-0000-0000-000000000000,DataSensitivityLogEvent,72f988bf-86f1-41af-91ab-2d7cd011db47,458b9821-8f00-483f-acf9-ff6ab17332c4,Sentinel-Bug-Bash-EastUS2,eastus2,AzureBlob-Bc2,AzureBlob,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourceGroups/classification-test/providers/Microsoft.Storage/storageAccounts/aipclptest,458b9821-8f00-483f-acf9-ff6ab17332c4,eastus,BugBashTest,,vendors data.xlsx,https://aipclptest.blob.core.windows.net/aipscan/Finance/vendors data.xlsx,File,"2/13/2020, 7:54:02.000 PM","2/13/2020, 7:54:02.000 PM",,"11/1/2021, 4:09:15.907 PM",xlsx,23326,Labeling,Default,[],0,9fbde396-1a24-4c79-8edf-9254a0f35055,Confidential\Microsoft Extended,,,PurviewDataSensitivityLogs,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourcegroups/purview-sentinel-bug-bash/providers/microsoft.purview/accounts/sentinel-bug-bash-eastus2 -d80e74e9-da11-4572-babc-79349f7685cc,"11/1/2021, 4:12:55.157 PM",00000000-0000-0000-0000-000000000000,DataSensitivityLogEvent,72f988bf-86f1-41af-91ab-2d7cd011db47,458b9821-8f00-483f-acf9-ff6ab17332c4,Sentinel-Bug-Bash-EastUS2,eastus2,AzureFileStorage-iIy,AzureFile,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourceGroups/classification-test/providers/Microsoft.Storage/storageAccounts/aipclptest,458b9821-8f00-483f-acf9-ff6ab17332c4,eastus,BugBashTest,,Acme Background Check-Katana.doc,https://aipclptest.file.core.windows.net/testfiles/testdirectory/Acme Background Check-Katana.doc,File,,"7/17/2020, 10:14:40.000 PM",,"11/1/2021, 4:09:26.044 PM",doc,95232,Classification,System,"[""Credit Card Number"",""U.S. Social Security Number (SSN)""]",2,,,,,PurviewDataSensitivityLogs,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourcegroups/purview-sentinel-bug-bash/providers/microsoft.purview/accounts/sentinel-bug-bash-eastus2 -d80e74e9-da11-4572-babc-79349f7685cc,"11/1/2021, 4:12:55.872 PM",00000000-0000-0000-0000-000000000000,DataSensitivityLogEvent,72f988bf-86f1-41af-91ab-2d7cd011db47,458b9821-8f00-483f-acf9-ff6ab17332c4,Sentinel-Bug-Bash-EastUS2,eastus2,AzureFileStorage-iIy,AzureFile,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourceGroups/classification-test/providers/Microsoft.Storage/storageAccounts/aipclptest,458b9821-8f00-483f-acf9-ff6ab17332c4,eastus,BugBashTest,,Acme Background Check-Katana.doc,https://aipclptest.file.core.windows.net/testfiles/testdirectory/Acme Background Check-Katana.doc,File,,"7/17/2020, 10:14:40.000 PM",,"11/1/2021, 4:09:26.044 PM",doc,95232,Labeling,Default,[],0,9fbde396-1a24-4c79-8edf-9254a0f35055,Confidential\Microsoft Extended,,,PurviewDataSensitivityLogs,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourcegroups/purview-sentinel-bug-bash/providers/microsoft.purview/accounts/sentinel-bug-bash-eastus2 -d80e74e9-da11-4572-babc-79349f7685cc,"11/1/2021, 4:13:09.912 PM",00000000-0000-0000-0000-000000000000,DataSensitivityLogEvent,72f988bf-86f1-41af-91ab-2d7cd011db47,458b9821-8f00-483f-acf9-ff6ab17332c4,Sentinel-Bug-Bash-EastUS2,eastus2,AzureFileStorage-iIy,AzureFile,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourceGroups/classification-test/providers/Microsoft.Storage/storageAccounts/aipclptest,458b9821-8f00-483f-acf9-ff6ab17332c4,eastus,BugBashTest,,YiChenTest-Acme Background Check-Katana.doc,https://aipclptest.file.core.windows.net/testfiles/YichenTest/YiChenTest-Acme Background Check-Katana.doc,File,,"8/5/2021, 6:40:07.000 PM",,"11/1/2021, 4:09:42.905 PM",doc,90624,Classification,System,"[""Credit Card Number"",""U.S. Social Security Number (SSN)""]",2,,,,,PurviewDataSensitivityLogs,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourcegroups/purview-sentinel-bug-bash/providers/microsoft.purview/accounts/sentinel-bug-bash-eastus2 -d80e74e9-da11-4572-babc-79349f7685cc,"11/1/2021, 4:13:09.918 PM",00000000-0000-0000-0000-000000000000,DataSensitivityLogEvent,72f988bf-86f1-41af-91ab-2d7cd011db47,458b9821-8f00-483f-acf9-ff6ab17332c4,Sentinel-Bug-Bash-EastUS2,eastus2,AzureFileStorage-iIy,AzureFile,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourceGroups/classification-test/providers/Microsoft.Storage/storageAccounts/aipclptest,458b9821-8f00-483f-acf9-ff6ab17332c4,eastus,BugBashTest,,Acme Background Check-Katana.doc,https://aipclptest.file.core.windows.net/testfiles/YichenTest/Acme Background Check-Katana.doc,File,,"8/5/2021, 6:28:20.000 PM",,"11/1/2021, 4:09:42.546 PM",doc,90624,Classification,System,"[""Credit Card Number"",""U.S. Social Security Number (SSN)""]",2,,,,,PurviewDataSensitivityLogs,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourcegroups/purview-sentinel-bug-bash/providers/microsoft.purview/accounts/sentinel-bug-bash-eastus2 -d80e74e9-da11-4572-babc-79349f7685cc,"11/1/2021, 4:13:09.925 PM",00000000-0000-0000-0000-000000000000,DataSensitivityLogEvent,72f988bf-86f1-41af-91ab-2d7cd011db47,458b9821-8f00-483f-acf9-ff6ab17332c4,Sentinel-Bug-Bash-EastUS2,eastus2,AzureFileStorage-iIy,AzureFile,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourceGroups/classification-test/providers/Microsoft.Storage/storageAccounts/aipclptest,458b9821-8f00-483f-acf9-ff6ab17332c4,eastus,BugBashTest,,Acme Background Check-Katana.doc,https://aipclptest.file.core.windows.net/testfiles/testdirectory2/Acme Background Check-Katana.doc,File,,"7/20/2020, 11:20:10.000 PM",,"11/1/2021, 4:09:26.044 PM",doc,95232,Classification,System,"[""Credit Card Number"",""U.S. Social Security Number (SSN)""]",2,,,,,PurviewDataSensitivityLogs,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourcegroups/purview-sentinel-bug-bash/providers/microsoft.purview/accounts/sentinel-bug-bash-eastus2 -d80e74e9-da11-4572-babc-79349f7685cc,"11/1/2021, 4:13:10.562 PM",00000000-0000-0000-0000-000000000000,DataSensitivityLogEvent,72f988bf-86f1-41af-91ab-2d7cd011db47,458b9821-8f00-483f-acf9-ff6ab17332c4,Sentinel-Bug-Bash-EastUS2,eastus2,AzureFileStorage-iIy,AzureFile,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourceGroups/classification-test/providers/Microsoft.Storage/storageAccounts/aipclptest,458b9821-8f00-483f-acf9-ff6ab17332c4,eastus,BugBashTest,,Acme Background Check-Katana.doc,https://aipclptest.file.core.windows.net/testfiles/YichenTest/Acme Background Check-Katana.doc,File,,"8/5/2021, 6:28:20.000 PM",,"11/1/2021, 4:09:42.546 PM",doc,90624,Labeling,Default,[],0,9fbde396-1a24-4c79-8edf-9254a0f35055,Confidential\Microsoft Extended,,,PurviewDataSensitivityLogs,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourcegroups/purview-sentinel-bug-bash/providers/microsoft.purview/accounts/sentinel-bug-bash-eastus2 -d80e74e9-da11-4572-babc-79349f7685cc,"11/1/2021, 4:13:10.592 PM",00000000-0000-0000-0000-000000000000,DataSensitivityLogEvent,72f988bf-86f1-41af-91ab-2d7cd011db47,458b9821-8f00-483f-acf9-ff6ab17332c4,Sentinel-Bug-Bash-EastUS2,eastus2,AzureFileStorage-iIy,AzureFile,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourceGroups/classification-test/providers/Microsoft.Storage/storageAccounts/aipclptest,458b9821-8f00-483f-acf9-ff6ab17332c4,eastus,BugBashTest,,YiChenTest-Acme Background Check-Katana.doc,https://aipclptest.file.core.windows.net/testfiles/YichenTest/YiChenTest-Acme Background Check-Katana.doc,File,,"8/5/2021, 6:40:07.000 PM",,"11/1/2021, 4:09:42.905 PM",doc,90624,Labeling,Default,[],0,9fbde396-1a24-4c79-8edf-9254a0f35055,Confidential\Microsoft Extended,,,PurviewDataSensitivityLogs,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourcegroups/purview-sentinel-bug-bash/providers/microsoft.purview/accounts/sentinel-bug-bash-eastus2 -d80e74e9-da11-4572-babc-79349f7685cc,"11/1/2021, 4:13:10.647 PM",00000000-0000-0000-0000-000000000000,DataSensitivityLogEvent,72f988bf-86f1-41af-91ab-2d7cd011db47,458b9821-8f00-483f-acf9-ff6ab17332c4,Sentinel-Bug-Bash-EastUS2,eastus2,AzureFileStorage-iIy,AzureFile,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourceGroups/classification-test/providers/Microsoft.Storage/storageAccounts/aipclptest,458b9821-8f00-483f-acf9-ff6ab17332c4,eastus,BugBashTest,,Acme Background Check-Katana.doc,https://aipclptest.file.core.windows.net/testfiles/testdirectory2/Acme Background Check-Katana.doc,File,,"7/20/2020, 11:20:10.000 PM",,"11/1/2021, 4:09:26.044 PM",doc,95232,Labeling,Default,[],0,9fbde396-1a24-4c79-8edf-9254a0f35055,Confidential\Microsoft Extended,,,PurviewDataSensitivityLogs,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourcegroups/purview-sentinel-bug-bash/providers/microsoft.purview/accounts/sentinel-bug-bash-eastus2 -d80e74e9-da11-4572-babc-79349f7685cc,"11/1/2021, 4:13:46.349 PM",00000000-0000-0000-0000-000000000000,DataSensitivityLogEvent,72f988bf-86f1-41af-91ab-2d7cd011db47,458b9821-8f00-483f-acf9-ff6ab17332c4,Sentinel-Bug-Bash-WestEurope,westeurope,AzureBlob-6Pi,AzureBlob,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourceGroups/classification-test/providers/Microsoft.Storage/storageAccounts/aipclptest,458b9821-8f00-483f-acf9-ff6ab17332c4,eastus,BugBashTest,,create samples.xlsx,https://aipclptest.blob.core.windows.net/joselw-test/create samples.xlsx,File,"8/16/2021, 8:56:14.000 PM","8/16/2021, 8:56:14.000 PM",,"11/1/2021, 4:09:56.499 PM",xlsx,21343,Classification,System,"[""ABA Routing Number"",""Argentina National Identity (DNI) Number"",""Australia Bank Account Number"",""Australia Driver's License Number"",""Australia Medical Account Number"",""Australia Passport Number"",""Australia Tax File Number"",""Austria Driver's License Number"",""Austria Passport Number"",""Belgium Driver's License Number"",""Belgium Passport Number"",""Brazil CPF Number"",""Brazil Legal Entity Number (CNPJ)"",""Brazil National ID Card (RG)"",""Bulgaria Driver's License Number"",""Bulgaria Passport Number"",""Canada Bank Account Number"",""Canada Driver's License Number"",""Canada Health Service Number"",""Canada Passport Number"",""Canada Personal Health Identification Number (PHIN)"",""Canada Social Insurance Number"",""Chile Identity Card Number"",""China Resident Identity Card (PRC) Number"",""Credit Card Number"",""Croatia Driver's License Number"",""Croatia Passport Number"",""Cyprus Driver's License Number"",""Cyprus Identity Card"",""Czech Personal Identity Number"",""Czech Republic Passport Number"",""Denmark Driver's License Number"",""Denmark Passport Number"",""Denmark Personal Identification Number"",""Estonia Passport Number"",""EU Debit Card Number"",""EU Driver's License Number"",""EU National Identification Number"",""EU Passport Number"",""EU Social Security Number (SSN) or Equivalent ID"",""EU Tax Identification Number (TIN)"",""Finland National ID"",""Finland Passport Number"",""France Driver's License Number"",""France National ID Card (CNI)"",""France Social Security Number (INSEE)"",""German Driver's License Number"",""German Passport Number"",""Germany Identity Card Number"",""Greece Driver's License Number"",""Greece National ID Card"",""Greece Passport Number"",""Hungarian Social Security Number (TAJ)"",""Hungary Passport Number"",""India Permanent Account Number (PAN)"",""India Unique Identification (Aadhaar) Number"",""Indonesia Identity Card (KTP) Number"",""International Banking Account Number (IBAN)"",""IP Address"",""Ireland Passport Number"",""Ireland Personal Public Service (PPS) Number"",""Israel Bank Account Number"",""Israel National ID"",""Italy Driver's License Number"",""Italy Passport Number"",""Japan Bank Account Number"",""Japan Driver's License Number"",""Japan Passport Number"",""Japan Resident Registration Number"",""Japan Social Insurance Number (SIN)"",""Lithuania Driver's License Number"",""Lithuania Passport Number"",""Luxemburg Passport Number"",""Malaysia Identity Card Number"",""Malta Driver's License Number"",""Malta Passport Number"",""Netherlands Driver's License Number"",""Netherlands Passport Number"",""New Zealand Ministry of Health Number"",""Norway Identity Number"",""Philippines Unified Multi-Purpose ID Number"",""Poland Identity Card"",""Romania Driver's License Number"",""Romania Passport Number"",""Russian Passport Number (Domestic)"",""Russian Passport Number (International)"",""Saudi Arabia National ID"",""Singapore National Registration Identity Card (NRIC) Number"",""Slovakia Driver's License Number"",""Slovakia Passport Number"",""Slovakia Personal Number"",""Slovenia Driver's License Number"",""Slovenia Passport Number"",""South Africa Identification Number"",""South Korea Resident Registration Number"",""Spain Social Security Number (SSN)"",""Sweden National ID"",""Sweden Passport Number"",""Sweden Tax Identification Number"",""SWIFT Code"",""Taiwan National ID"",""Taiwan Passport Number"",""Taiwan Resident Certificate (ARC/TARC)"",""U.K. Driver's License Number"",""U.K. Electoral Roll Number"",""U.K. National Health Service Number"",""U.K. National Insurance Number (NINO)"",""U.K. Unique Taxpayer Reference Number"",""U.S. / U.K. Passport Number"",""U.S. Bank Account Number"",""U.S. Individual Taxpayer Identification Number (ITIN)"",""U.S. Social Security Number (SSN)"",""Ukraine Passport Number (Domestic)"",""Ukraine Passport Number (International)""]",114,,,,,PurviewDataSensitivityLogs,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourcegroups/purview-sentinel-bug-bash/providers/microsoft.purview/accounts/sentinel-bug-bash-westeurope -d80e74e9-da11-4572-babc-79349f7685cc,"11/1/2021, 4:13:47.024 PM",00000000-0000-0000-0000-000000000000,DataSensitivityLogEvent,72f988bf-86f1-41af-91ab-2d7cd011db47,458b9821-8f00-483f-acf9-ff6ab17332c4,Sentinel-Bug-Bash-WestEurope,westeurope,AzureFileStorage-5DE,AzureFile,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourceGroups/classification-test/providers/Microsoft.Storage/storageAccounts/aipclptest,458b9821-8f00-483f-acf9-ff6ab17332c4,eastus,BugBashTest,,Acme Background Check-Katana.doc,https://aipclptest.file.core.windows.net/testfiles/testdirectory/Acme Background Check-Katana.doc,File,,"7/17/2020, 10:14:40.000 PM",,"11/1/2021, 4:10:37.729 PM",doc,95232,Classification,System,"[""Credit Card Number"",""U.S. Social Security Number (SSN)""]",2,,,,,PurviewDataSensitivityLogs,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourcegroups/purview-sentinel-bug-bash/providers/microsoft.purview/accounts/sentinel-bug-bash-westeurope -d80e74e9-da11-4572-babc-79349f7685cc,"11/1/2021, 4:13:47.153 PM",00000000-0000-0000-0000-000000000000,DataSensitivityLogEvent,72f988bf-86f1-41af-91ab-2d7cd011db47,458b9821-8f00-483f-acf9-ff6ab17332c4,Sentinel-Bug-Bash-WestEurope,westeurope,AzureFileStorage-5DE,AzureFile,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourceGroups/classification-test/providers/Microsoft.Storage/storageAccounts/aipclptest,458b9821-8f00-483f-acf9-ff6ab17332c4,eastus,BugBashTest,,Acme Background Check-Katana.doc,https://aipclptest.file.core.windows.net/testfiles/YichenTest/Acme Background Check-Katana.doc,File,,"8/5/2021, 6:28:20.000 PM",,"11/1/2021, 4:10:28.387 PM",doc,90624,Classification,System,"[""Credit Card Number"",""U.S. Social Security Number (SSN)""]",2,,,,,PurviewDataSensitivityLogs,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourcegroups/purview-sentinel-bug-bash/providers/microsoft.purview/accounts/sentinel-bug-bash-westeurope -d80e74e9-da11-4572-babc-79349f7685cc,"11/1/2021, 4:13:47.159 PM",00000000-0000-0000-0000-000000000000,DataSensitivityLogEvent,72f988bf-86f1-41af-91ab-2d7cd011db47,458b9821-8f00-483f-acf9-ff6ab17332c4,Sentinel-Bug-Bash-WestEurope,westeurope,AzureFileStorage-5DE,AzureFile,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourceGroups/classification-test/providers/Microsoft.Storage/storageAccounts/aipclptest,458b9821-8f00-483f-acf9-ff6ab17332c4,eastus,BugBashTest,,YiChenTest-Acme Background Check-Katana.doc,https://aipclptest.file.core.windows.net/testfiles/YichenTest/YiChenTest-Acme Background Check-Katana.doc,File,,"8/5/2021, 6:40:07.000 PM",,"11/1/2021, 4:10:27.856 PM",doc,90624,Classification,System,"[""Credit Card Number"",""U.S. Social Security Number (SSN)""]",2,,,,,PurviewDataSensitivityLogs,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourcegroups/purview-sentinel-bug-bash/providers/microsoft.purview/accounts/sentinel-bug-bash-westeurope -d80e74e9-da11-4572-babc-79349f7685cc,"11/1/2021, 4:13:47.165 PM",00000000-0000-0000-0000-000000000000,DataSensitivityLogEvent,72f988bf-86f1-41af-91ab-2d7cd011db47,458b9821-8f00-483f-acf9-ff6ab17332c4,Sentinel-Bug-Bash-WestEurope,westeurope,AzureBlob-6Pi,AzureBlob,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourceGroups/classification-test/providers/Microsoft.Storage/storageAccounts/aipclptest,458b9821-8f00-483f-acf9-ff6ab17332c4,eastus,BugBashTest,,fr-insee.docx,https://aipclptest.blob.core.windows.net/joselw-test/fr-insee.docx,File,"8/16/2021, 8:56:13.000 PM","8/16/2021, 8:56:13.000 PM",,"11/1/2021, 4:09:59.374 PM",docx,19735,Classification,System,"[""EU Social Security Number (SSN) or Equivalent ID"",""France Social Security Number (INSEE)""]",2,,,,,PurviewDataSensitivityLogs,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourcegroups/purview-sentinel-bug-bash/providers/microsoft.purview/accounts/sentinel-bug-bash-westeurope -d80e74e9-da11-4572-babc-79349f7685cc,"11/1/2021, 4:13:47.171 PM",00000000-0000-0000-0000-000000000000,DataSensitivityLogEvent,72f988bf-86f1-41af-91ab-2d7cd011db47,458b9821-8f00-483f-acf9-ff6ab17332c4,Sentinel-Bug-Bash-WestEurope,westeurope,AzureBlob-6Pi,AzureBlob,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourceGroups/classification-test/providers/Microsoft.Storage/storageAccounts/aipclptest,458b9821-8f00-483f-acf9-ff6ab17332c4,eastus,BugBashTest,,fi-pn.docx,https://aipclptest.blob.core.windows.net/joselw-test/fi-pn.docx,File,"8/16/2021, 8:56:14.000 PM","8/16/2021, 8:56:14.000 PM",,"11/1/2021, 4:09:58.046 PM",docx,18996,Classification,System,"[""Japan Passport Number""]",1,,,,,PurviewDataSensitivityLogs,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourcegroups/purview-sentinel-bug-bash/providers/microsoft.purview/accounts/sentinel-bug-bash-westeurope -d80e74e9-da11-4572-babc-79349f7685cc,"11/1/2021, 4:13:47.425 PM",00000000-0000-0000-0000-000000000000,DataSensitivityLogEvent,72f988bf-86f1-41af-91ab-2d7cd011db47,458b9821-8f00-483f-acf9-ff6ab17332c4,Sentinel-Bug-Bash-WestEurope,westeurope,AzureBlob-6Pi,AzureBlob,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourceGroups/classification-test/providers/Microsoft.Storage/storageAccounts/aipclptest,458b9821-8f00-483f-acf9-ff6ab17332c4,eastus,BugBashTest,,create samples.xlsx,https://aipclptest.blob.core.windows.net/joselw-test/create samples.xlsx,File,"8/16/2021, 8:56:14.000 PM","8/16/2021, 8:56:14.000 PM",,"11/1/2021, 4:09:56.499 PM",xlsx,21343,Labeling,External,[],0,f42aa342-8706-4288-bd11-ebb85995028c,General,,,PurviewDataSensitivityLogs,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourcegroups/purview-sentinel-bug-bash/providers/microsoft.purview/accounts/sentinel-bug-bash-westeurope -d80e74e9-da11-4572-babc-79349f7685cc,"11/1/2021, 4:13:47.426 PM",00000000-0000-0000-0000-000000000000,DataSensitivityLogEvent,72f988bf-86f1-41af-91ab-2d7cd011db47,458b9821-8f00-483f-acf9-ff6ab17332c4,Sentinel-Bug-Bash-WestEurope,westeurope,AzureBlob-6Pi,AzureBlob,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourceGroups/classification-test/providers/Microsoft.Storage/storageAccounts/aipclptest,458b9821-8f00-483f-acf9-ff6ab17332c4,eastus,BugBashTest,,es-ssn.docx,https://aipclptest.blob.core.windows.net/joselw-test/es-ssn.docx,File,"8/16/2021, 8:56:14.000 PM","8/16/2021, 8:56:14.000 PM",,"11/1/2021, 4:09:58.046 PM",docx,19548,Classification,System,"[""Spain Social Security Number (SSN)""]",1,,,,,PurviewDataSensitivityLogs,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourcegroups/purview-sentinel-bug-bash/providers/microsoft.purview/accounts/sentinel-bug-bash-westeurope -d80e74e9-da11-4572-babc-79349f7685cc,"11/1/2021, 4:13:47.432 PM",00000000-0000-0000-0000-000000000000,DataSensitivityLogEvent,72f988bf-86f1-41af-91ab-2d7cd011db47,458b9821-8f00-483f-acf9-ff6ab17332c4,Sentinel-Bug-Bash-WestEurope,westeurope,AzureBlob-6Pi,AzureBlob,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourceGroups/classification-test/providers/Microsoft.Storage/storageAccounts/aipclptest,458b9821-8f00-483f-acf9-ff6ab17332c4,eastus,BugBashTest,,ir-pps.docx,https://aipclptest.blob.core.windows.net/joselw-test/ir-pps.docx,File,"8/16/2021, 8:56:13.000 PM","8/16/2021, 8:56:13.000 PM",,"11/1/2021, 4:09:57.109 PM",docx,19439,Classification,System,"[""EU National Identification Number"",""EU Tax Identification Number (TIN)"",""Ireland Personal Public Service (PPS) Number""]",3,,,,,PurviewDataSensitivityLogs,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourcegroups/purview-sentinel-bug-bash/providers/microsoft.purview/accounts/sentinel-bug-bash-westeurope -d80e74e9-da11-4572-babc-79349f7685cc,"11/1/2021, 4:13:47.439 PM",00000000-0000-0000-0000-000000000000,DataSensitivityLogEvent,72f988bf-86f1-41af-91ab-2d7cd011db47,458b9821-8f00-483f-acf9-ff6ab17332c4,Sentinel-Bug-Bash-WestEurope,westeurope,AzureBlob-6Pi,AzureBlob,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourceGroups/classification-test/providers/Microsoft.Storage/storageAccounts/aipclptest,458b9821-8f00-483f-acf9-ff6ab17332c4,eastus,BugBashTest,,cz-id.docx,https://aipclptest.blob.core.windows.net/joselw-test/cz-id.docx,File,"8/16/2021, 8:56:14.000 PM","8/16/2021, 8:56:14.000 PM",,"11/1/2021, 4:09:58.359 PM",docx,18764,Classification,System,"[""EU National Identification Number"",""EU Social Security Number (SSN) or Equivalent ID""]",2,,,,,PurviewDataSensitivityLogs,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourcegroups/purview-sentinel-bug-bash/providers/microsoft.purview/accounts/sentinel-bug-bash-westeurope -d80e74e9-da11-4572-babc-79349f7685cc,"11/1/2021, 4:13:47.439 PM",00000000-0000-0000-0000-000000000000,DataSensitivityLogEvent,72f988bf-86f1-41af-91ab-2d7cd011db47,458b9821-8f00-483f-acf9-ff6ab17332c4,Sentinel-Bug-Bash-WestEurope,westeurope,AzureBlob-6Pi,AzureBlob,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourceGroups/classification-test/providers/Microsoft.Storage/storageAccounts/aipclptest,458b9821-8f00-483f-acf9-ff6ab17332c4,eastus,BugBashTest,,cz-id.docx,https://aipclptest.blob.core.windows.net/joselw-test/cz-id.docx,File,"8/16/2021, 8:56:14.000 PM","8/16/2021, 8:56:14.000 PM",,"11/1/2021, 4:09:58.359 PM",docx,18764,Labeling,External,[],0,f42aa342-8706-4288-bd11-ebb85995028c,General,,,PurviewDataSensitivityLogs,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourcegroups/purview-sentinel-bug-bash/providers/microsoft.purview/accounts/sentinel-bug-bash-westeurope -d80e74e9-da11-4572-babc-79349f7685cc,"11/1/2021, 4:13:47.440 PM",00000000-0000-0000-0000-000000000000,DataSensitivityLogEvent,72f988bf-86f1-41af-91ab-2d7cd011db47,458b9821-8f00-483f-acf9-ff6ab17332c4,Sentinel-Bug-Bash-WestEurope,westeurope,AzureBlob-6Pi,AzureBlob,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourceGroups/classification-test/providers/Microsoft.Storage/storageAccounts/aipclptest,458b9821-8f00-483f-acf9-ff6ab17332c4,eastus,BugBashTest,,pr-id.docx,https://aipclptest.blob.core.windows.net/joselw-test/pr-id.docx,File,"8/16/2021, 8:56:13.000 PM","8/16/2021, 8:56:13.000 PM",,"11/1/2021, 4:09:56.358 PM",docx,19590,Classification,System,"[""EU National Identification Number""]",1,,,,,PurviewDataSensitivityLogs,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourcegroups/purview-sentinel-bug-bash/providers/microsoft.purview/accounts/sentinel-bug-bash-westeurope -d80e74e9-da11-4572-babc-79349f7685cc,"11/1/2021, 4:13:47.594 PM",00000000-0000-0000-0000-000000000000,DataSensitivityLogEvent,72f988bf-86f1-41af-91ab-2d7cd011db47,458b9821-8f00-483f-acf9-ff6ab17332c4,Sentinel-Bug-Bash-WestEurope,westeurope,AzureFileStorage-5DE,AzureFile,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourceGroups/classification-test/providers/Microsoft.Storage/storageAccounts/aipclptest,458b9821-8f00-483f-acf9-ff6ab17332c4,eastus,BugBashTest,,Acme Background Check-Katana.doc,https://aipclptest.file.core.windows.net/testfiles/testdirectory2/Acme Background Check-Katana.doc,File,,"7/20/2020, 11:20:10.000 PM",,"11/1/2021, 4:10:31.196 PM",doc,95232,Classification,System,"[""Credit Card Number"",""U.S. Social Security Number (SSN)""]",2,,,,,PurviewDataSensitivityLogs,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourcegroups/purview-sentinel-bug-bash/providers/microsoft.purview/accounts/sentinel-bug-bash-westeurope -d80e74e9-da11-4572-babc-79349f7685cc,"11/1/2021, 4:13:48.066 PM",00000000-0000-0000-0000-000000000000,DataSensitivityLogEvent,72f988bf-86f1-41af-91ab-2d7cd011db47,458b9821-8f00-483f-acf9-ff6ab17332c4,Sentinel-Bug-Bash-WestEurope,westeurope,AzureFileStorage-5DE,AzureFile,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourceGroups/classification-test/providers/Microsoft.Storage/storageAccounts/aipclptest,458b9821-8f00-483f-acf9-ff6ab17332c4,eastus,BugBashTest,,Acme Background Check-Katana.doc,https://aipclptest.file.core.windows.net/testfiles/testdirectory/Acme Background Check-Katana.doc,File,,"7/17/2020, 10:14:40.000 PM",,"11/1/2021, 4:10:37.729 PM",doc,95232,Labeling,Default,[],0,9fbde396-1a24-4c79-8edf-9254a0f35055,Confidential\Microsoft Extended,,,PurviewDataSensitivityLogs,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourcegroups/purview-sentinel-bug-bash/providers/microsoft.purview/accounts/sentinel-bug-bash-westeurope -d80e74e9-da11-4572-babc-79349f7685cc,"11/1/2021, 4:13:48.136 PM",00000000-0000-0000-0000-000000000000,DataSensitivityLogEvent,72f988bf-86f1-41af-91ab-2d7cd011db47,458b9821-8f00-483f-acf9-ff6ab17332c4,Sentinel-Bug-Bash-WestEurope,westeurope,AzureBlob-6Pi,AzureBlob,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourceGroups/classification-test/providers/Microsoft.Storage/storageAccounts/aipclptest,458b9821-8f00-483f-acf9-ff6ab17332c4,eastus,BugBashTest,,es-ssn.docx,https://aipclptest.blob.core.windows.net/joselw-test/es-ssn.docx,File,"8/16/2021, 8:56:14.000 PM","8/16/2021, 8:56:14.000 PM",,"11/1/2021, 4:09:58.046 PM",docx,19548,Labeling,Default,[],0,9fbde396-1a24-4c79-8edf-9254a0f35055,Confidential\Microsoft Extended,,,PurviewDataSensitivityLogs,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourcegroups/purview-sentinel-bug-bash/providers/microsoft.purview/accounts/sentinel-bug-bash-westeurope -d80e74e9-da11-4572-babc-79349f7685cc,"11/1/2021, 4:13:48.167 PM",00000000-0000-0000-0000-000000000000,DataSensitivityLogEvent,72f988bf-86f1-41af-91ab-2d7cd011db47,458b9821-8f00-483f-acf9-ff6ab17332c4,Sentinel-Bug-Bash-WestEurope,westeurope,AzureBlob-6Pi,AzureBlob,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourceGroups/classification-test/providers/Microsoft.Storage/storageAccounts/aipclptest,458b9821-8f00-483f-acf9-ff6ab17332c4,eastus,BugBashTest,,fi-pn.docx,https://aipclptest.blob.core.windows.net/joselw-test/fi-pn.docx,File,"8/16/2021, 8:56:14.000 PM","8/16/2021, 8:56:14.000 PM",,"11/1/2021, 4:09:58.046 PM",docx,18996,Labeling,Default,[],0,9fbde396-1a24-4c79-8edf-9254a0f35055,Confidential\Microsoft Extended,,,PurviewDataSensitivityLogs,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourcegroups/purview-sentinel-bug-bash/providers/microsoft.purview/accounts/sentinel-bug-bash-westeurope -d80e74e9-da11-4572-babc-79349f7685cc,"11/1/2021, 4:13:48.190 PM",00000000-0000-0000-0000-000000000000,DataSensitivityLogEvent,72f988bf-86f1-41af-91ab-2d7cd011db47,458b9821-8f00-483f-acf9-ff6ab17332c4,Sentinel-Bug-Bash-WestEurope,westeurope,AzureFileStorage-5DE,AzureFile,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourceGroups/classification-test/providers/Microsoft.Storage/storageAccounts/aipclptest,458b9821-8f00-483f-acf9-ff6ab17332c4,eastus,BugBashTest,,YiChenTest-Acme Background Check-Katana.doc,https://aipclptest.file.core.windows.net/testfiles/YichenTest/YiChenTest-Acme Background Check-Katana.doc,File,,"8/5/2021, 6:40:07.000 PM",,"11/1/2021, 4:10:27.856 PM",doc,90624,Labeling,Default,[],0,9fbde396-1a24-4c79-8edf-9254a0f35055,Confidential\Microsoft Extended,,,PurviewDataSensitivityLogs,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourcegroups/purview-sentinel-bug-bash/providers/microsoft.purview/accounts/sentinel-bug-bash-westeurope -d80e74e9-da11-4572-babc-79349f7685cc,"11/1/2021, 4:13:48.190 PM",00000000-0000-0000-0000-000000000000,DataSensitivityLogEvent,72f988bf-86f1-41af-91ab-2d7cd011db47,458b9821-8f00-483f-acf9-ff6ab17332c4,Sentinel-Bug-Bash-WestEurope,westeurope,AzureFileStorage-5DE,AzureFile,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourceGroups/classification-test/providers/Microsoft.Storage/storageAccounts/aipclptest,458b9821-8f00-483f-acf9-ff6ab17332c4,eastus,BugBashTest,,Acme Background Check-Katana.doc,https://aipclptest.file.core.windows.net/testfiles/YichenTest/Acme Background Check-Katana.doc,File,,"8/5/2021, 6:28:20.000 PM",,"11/1/2021, 4:10:28.387 PM",doc,90624,Labeling,Default,[],0,9fbde396-1a24-4c79-8edf-9254a0f35055,Confidential\Microsoft Extended,,,PurviewDataSensitivityLogs,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourcegroups/purview-sentinel-bug-bash/providers/microsoft.purview/accounts/sentinel-bug-bash-westeurope -d80e74e9-da11-4572-babc-79349f7685cc,"11/1/2021, 4:13:48.253 PM",00000000-0000-0000-0000-000000000000,DataSensitivityLogEvent,72f988bf-86f1-41af-91ab-2d7cd011db47,458b9821-8f00-483f-acf9-ff6ab17332c4,Sentinel-Bug-Bash-WestEurope,westeurope,AzureBlob-6Pi,AzureBlob,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourceGroups/classification-test/providers/Microsoft.Storage/storageAccounts/aipclptest,458b9821-8f00-483f-acf9-ff6ab17332c4,eastus,BugBashTest,,fr-insee.docx,https://aipclptest.blob.core.windows.net/joselw-test/fr-insee.docx,File,"8/16/2021, 8:56:13.000 PM","8/16/2021, 8:56:13.000 PM",,"11/1/2021, 4:09:59.374 PM",docx,19735,Labeling,Default,[],0,9fbde396-1a24-4c79-8edf-9254a0f35055,Confidential\Microsoft Extended,,,PurviewDataSensitivityLogs,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourcegroups/purview-sentinel-bug-bash/providers/microsoft.purview/accounts/sentinel-bug-bash-westeurope -d80e74e9-da11-4572-babc-79349f7685cc,"11/1/2021, 4:13:48.440 PM",00000000-0000-0000-0000-000000000000,DataSensitivityLogEvent,72f988bf-86f1-41af-91ab-2d7cd011db47,458b9821-8f00-483f-acf9-ff6ab17332c4,Sentinel-Bug-Bash-WestEurope,westeurope,AzureBlob-6Pi,AzureBlob,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourceGroups/classification-test/providers/Microsoft.Storage/storageAccounts/aipclptest,458b9821-8f00-483f-acf9-ff6ab17332c4,eastus,BugBashTest,,ir-pps.docx,https://aipclptest.blob.core.windows.net/joselw-test/ir-pps.docx,File,"8/16/2021, 8:56:13.000 PM","8/16/2021, 8:56:13.000 PM",,"11/1/2021, 4:09:57.109 PM",docx,19439,Labeling,Default,[],0,9fbde396-1a24-4c79-8edf-9254a0f35055,Confidential\Microsoft Extended,,,PurviewDataSensitivityLogs,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourcegroups/purview-sentinel-bug-bash/providers/microsoft.purview/accounts/sentinel-bug-bash-westeurope -d80e74e9-da11-4572-babc-79349f7685cc,"11/1/2021, 4:13:48.532 PM",00000000-0000-0000-0000-000000000000,DataSensitivityLogEvent,72f988bf-86f1-41af-91ab-2d7cd011db47,458b9821-8f00-483f-acf9-ff6ab17332c4,Sentinel-Bug-Bash-WestEurope,westeurope,AzureBlob-6Pi,AzureBlob,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourceGroups/classification-test/providers/Microsoft.Storage/storageAccounts/aipclptest,458b9821-8f00-483f-acf9-ff6ab17332c4,eastus,BugBashTest,,pr-id.docx,https://aipclptest.blob.core.windows.net/joselw-test/pr-id.docx,File,"8/16/2021, 8:56:13.000 PM","8/16/2021, 8:56:13.000 PM",,"11/1/2021, 4:09:56.358 PM",docx,19590,Labeling,Default,[],0,9fbde396-1a24-4c79-8edf-9254a0f35055,Confidential\Microsoft Extended,,,PurviewDataSensitivityLogs,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourcegroups/purview-sentinel-bug-bash/providers/microsoft.purview/accounts/sentinel-bug-bash-westeurope -d80e74e9-da11-4572-babc-79349f7685cc,"11/1/2021, 4:13:48.690 PM",00000000-0000-0000-0000-000000000000,DataSensitivityLogEvent,72f988bf-86f1-41af-91ab-2d7cd011db47,458b9821-8f00-483f-acf9-ff6ab17332c4,Sentinel-Bug-Bash-WestEurope,westeurope,AzureFileStorage-5DE,AzureFile,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourceGroups/classification-test/providers/Microsoft.Storage/storageAccounts/aipclptest,458b9821-8f00-483f-acf9-ff6ab17332c4,eastus,BugBashTest,,Acme Background Check-Katana.doc,https://aipclptest.file.core.windows.net/testfiles/testdirectory2/Acme Background Check-Katana.doc,File,,"7/20/2020, 11:20:10.000 PM",,"11/1/2021, 4:10:31.196 PM",doc,95232,Labeling,Default,[],0,9fbde396-1a24-4c79-8edf-9254a0f35055,Confidential\Microsoft Extended,,,PurviewDataSensitivityLogs,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourcegroups/purview-sentinel-bug-bash/providers/microsoft.purview/accounts/sentinel-bug-bash-westeurope -d80e74e9-da11-4572-babc-79349f7685cc,"11/1/2021, 4:13:48.846 PM",00000000-0000-0000-0000-000000000000,DataSensitivityLogEvent,72f988bf-86f1-41af-91ab-2d7cd011db47,458b9821-8f00-483f-acf9-ff6ab17332c4,Sentinel-Bug-Bash-WestEurope,westeurope,AzureBlob-6Pi,AzureBlob,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourceGroups/classification-test/providers/Microsoft.Storage/storageAccounts/aipclptest,458b9821-8f00-483f-acf9-ff6ab17332c4,eastus,BugBashTest,,multiple.docx,https://aipclptest.blob.core.windows.net/joselw-test/multiple.docx,File,"8/16/2021, 8:56:13.000 PM","8/16/2021, 8:56:13.000 PM",,"11/1/2021, 4:09:56.327 PM",docx,17817,Classification,System,"[""EU National Identification Number"",""EU Social Security Number (SSN) or Equivalent ID"",""EU Tax Identification Number (TIN)"",""Finland National ID"",""Germany Identity Card Number"",""Greece National ID Card"",""Ireland Personal Public Service (PPS) Number""]",7,,,,,PurviewDataSensitivityLogs,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourcegroups/purview-sentinel-bug-bash/providers/microsoft.purview/accounts/sentinel-bug-bash-westeurope -d80e74e9-da11-4572-babc-79349f7685cc,"11/1/2021, 4:13:48.852 PM",00000000-0000-0000-0000-000000000000,DataSensitivityLogEvent,72f988bf-86f1-41af-91ab-2d7cd011db47,458b9821-8f00-483f-acf9-ff6ab17332c4,Sentinel-Bug-Bash-WestEurope,westeurope,AzureFileStorage-5DE,AzureFile,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourceGroups/classification-test/providers/Microsoft.Storage/storageAccounts/aipclptest,458b9821-8f00-483f-acf9-ff6ab17332c4,eastus,BugBashTest,,Doc with credit cards.docx,https://aipclptest.file.core.windows.net/testfiles/testdirectory/Doc with credit cards.docx,File,,"5/27/2020, 1:36:01.000 AM",,"11/1/2021, 4:10:37.713 PM",docx,14003,Classification,System,"[""Credit Card Number"",""EU Debit Card Number""]",2,,,,,PurviewDataSensitivityLogs,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourcegroups/purview-sentinel-bug-bash/providers/microsoft.purview/accounts/sentinel-bug-bash-westeurope -d80e74e9-da11-4572-babc-79349f7685cc,"11/1/2021, 4:13:49.907 PM",00000000-0000-0000-0000-000000000000,DataSensitivityLogEvent,72f988bf-86f1-41af-91ab-2d7cd011db47,458b9821-8f00-483f-acf9-ff6ab17332c4,Sentinel-Bug-Bash-WestEurope,westeurope,AzureBlob-6Pi,AzureBlob,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourceGroups/classification-test/providers/Microsoft.Storage/storageAccounts/aipclptest,458b9821-8f00-483f-acf9-ff6ab17332c4,eastus,BugBashTest,,multiple.docx,https://aipclptest.blob.core.windows.net/joselw-test/multiple.docx,File,"8/16/2021, 8:56:13.000 PM","8/16/2021, 8:56:13.000 PM",,"11/1/2021, 4:09:56.327 PM",docx,17817,Labeling,Default,[],0,9fbde396-1a24-4c79-8edf-9254a0f35055,Confidential\Microsoft Extended,,,PurviewDataSensitivityLogs,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourcegroups/purview-sentinel-bug-bash/providers/microsoft.purview/accounts/sentinel-bug-bash-westeurope -d80e74e9-da11-4572-babc-79349f7685cc,"11/1/2021, 4:13:49.937 PM",00000000-0000-0000-0000-000000000000,DataSensitivityLogEvent,72f988bf-86f1-41af-91ab-2d7cd011db47,458b9821-8f00-483f-acf9-ff6ab17332c4,Sentinel-Bug-Bash-WestEurope,westeurope,AzureFileStorage-5DE,AzureFile,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourceGroups/classification-test/providers/Microsoft.Storage/storageAccounts/aipclptest,458b9821-8f00-483f-acf9-ff6ab17332c4,eastus,BugBashTest,,Doc with credit cards.docx,https://aipclptest.file.core.windows.net/testfiles/testdirectory/Doc with credit cards.docx,File,,"5/27/2020, 1:36:01.000 AM",,"11/1/2021, 4:10:37.713 PM",docx,14003,Labeling,External,[],0,f42aa342-8706-4288-bd11-ebb85995028c,General,,,PurviewDataSensitivityLogs,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourcegroups/purview-sentinel-bug-bash/providers/microsoft.purview/accounts/sentinel-bug-bash-westeurope -d80e74e9-da11-4572-babc-79349f7685cc,"11/1/2021, 4:13:52.215 PM",00000000-0000-0000-0000-000000000000,DataSensitivityLogEvent,72f988bf-86f1-41af-91ab-2d7cd011db47,458b9821-8f00-483f-acf9-ff6ab17332c4,Sentinel-Bug-Bash-WestEurope,westeurope,AzureBlob-6Pi,AzureBlob,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourceGroups/classification-test/providers/Microsoft.Storage/storageAccounts/aipclptest,458b9821-8f00-483f-acf9-ff6ab17332c4,eastus,BugBashTest,,uk-nino.docx,https://aipclptest.blob.core.windows.net/aipscan-open/uk-nino.docx,File,"12/10/2020, 5:58:29.000 PM","12/10/2020, 5:58:29.000 PM",,"11/1/2021, 4:09:59.984 PM",docx,26184,Classification,System,"[""EU National Identification Number"",""U.K. National Insurance Number (NINO)""]",2,,,,,PurviewDataSensitivityLogs,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourcegroups/purview-sentinel-bug-bash/providers/microsoft.purview/accounts/sentinel-bug-bash-westeurope -d80e74e9-da11-4572-babc-79349f7685cc,"11/1/2021, 4:13:52.221 PM",00000000-0000-0000-0000-000000000000,DataSensitivityLogEvent,72f988bf-86f1-41af-91ab-2d7cd011db47,458b9821-8f00-483f-acf9-ff6ab17332c4,Sentinel-Bug-Bash-WestEurope,westeurope,AzureBlob-6Pi,AzureBlob,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourceGroups/classification-test/providers/Microsoft.Storage/storageAccounts/aipclptest,458b9821-8f00-483f-acf9-ff6ab17332c4,eastus,BugBashTest,,cr-oib.docx,https://aipclptest.blob.core.windows.net/joselw-test/cr-oib.docx,File,"8/16/2021, 8:56:14.000 PM","8/16/2021, 8:56:14.000 PM",,"11/1/2021, 4:09:57.421 PM",docx,18746,Classification,System,"[""EU National Identification Number""]",1,,,,,PurviewDataSensitivityLogs,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourcegroups/purview-sentinel-bug-bash/providers/microsoft.purview/accounts/sentinel-bug-bash-westeurope -d80e74e9-da11-4572-babc-79349f7685cc,"11/1/2021, 4:13:52.221 PM",00000000-0000-0000-0000-000000000000,DataSensitivityLogEvent,72f988bf-86f1-41af-91ab-2d7cd011db47,458b9821-8f00-483f-acf9-ff6ab17332c4,Sentinel-Bug-Bash-WestEurope,westeurope,AzureBlob-6Pi,AzureBlob,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourceGroups/classification-test/providers/Microsoft.Storage/storageAccounts/aipclptest,458b9821-8f00-483f-acf9-ff6ab17332c4,eastus,BugBashTest,,cr-oib.docx,https://aipclptest.blob.core.windows.net/joselw-test/cr-oib.docx,File,"8/16/2021, 8:56:14.000 PM","8/16/2021, 8:56:14.000 PM",,"11/1/2021, 4:09:57.421 PM",docx,18746,Labeling,External,[],0,f42aa342-8706-4288-bd11-ebb85995028c,General,,,PurviewDataSensitivityLogs,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourcegroups/purview-sentinel-bug-bash/providers/microsoft.purview/accounts/sentinel-bug-bash-westeurope -d80e74e9-da11-4572-babc-79349f7685cc,"11/1/2021, 4:13:52.221 PM",00000000-0000-0000-0000-000000000000,DataSensitivityLogEvent,72f988bf-86f1-41af-91ab-2d7cd011db47,458b9821-8f00-483f-acf9-ff6ab17332c4,Sentinel-Bug-Bash-WestEurope,westeurope,AzureBlob-6Pi,AzureBlob,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourceGroups/classification-test/providers/Microsoft.Storage/storageAccounts/aipclptest,458b9821-8f00-483f-acf9-ff6ab17332c4,eastus,BugBashTest,,IR.txt,https://aipclptest.blob.core.windows.net/joselw-test/IR.txt,File,"8/16/2021, 8:56:13.000 PM","8/16/2021, 8:56:13.000 PM",,"11/1/2021, 4:09:58.890 PM",txt,197,Classification,System,"[""EU National Identification Number"",""EU Tax Identification Number (TIN)"",""Ireland Personal Public Service (PPS) Number""]",3,,,,,PurviewDataSensitivityLogs,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourcegroups/purview-sentinel-bug-bash/providers/microsoft.purview/accounts/sentinel-bug-bash-westeurope -d80e74e9-da11-4572-babc-79349f7685cc,"11/1/2021, 4:13:52.228 PM",00000000-0000-0000-0000-000000000000,DataSensitivityLogEvent,72f988bf-86f1-41af-91ab-2d7cd011db47,458b9821-8f00-483f-acf9-ff6ab17332c4,Sentinel-Bug-Bash-WestEurope,westeurope,AzureBlob-6Pi,AzureBlob,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourceGroups/classification-test/providers/Microsoft.Storage/storageAccounts/aipclptest,458b9821-8f00-483f-acf9-ff6ab17332c4,eastus,BugBashTest,,de-drv.docx,https://aipclptest.blob.core.windows.net/joselw-test/de-drv.docx,File,"8/16/2021, 8:56:14.000 PM","8/16/2021, 8:56:14.000 PM",,"11/1/2021, 4:09:57.718 PM",docx,18787,Classification,System,"[""EU Driver's License Number"",""German Driver's License Number""]",2,,,,,PurviewDataSensitivityLogs,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourcegroups/purview-sentinel-bug-bash/providers/microsoft.purview/accounts/sentinel-bug-bash-westeurope -d80e74e9-da11-4572-babc-79349f7685cc,"11/1/2021, 4:13:52.228 PM",00000000-0000-0000-0000-000000000000,DataSensitivityLogEvent,72f988bf-86f1-41af-91ab-2d7cd011db47,458b9821-8f00-483f-acf9-ff6ab17332c4,Sentinel-Bug-Bash-WestEurope,westeurope,AzureBlob-6Pi,AzureBlob,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourceGroups/classification-test/providers/Microsoft.Storage/storageAccounts/aipclptest,458b9821-8f00-483f-acf9-ff6ab17332c4,eastus,BugBashTest,,de-drv.docx,https://aipclptest.blob.core.windows.net/joselw-test/de-drv.docx,File,"8/16/2021, 8:56:14.000 PM","8/16/2021, 8:56:14.000 PM",,"11/1/2021, 4:09:57.718 PM",docx,18787,Labeling,External,[],0,f42aa342-8706-4288-bd11-ebb85995028c,General,,,PurviewDataSensitivityLogs,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourcegroups/purview-sentinel-bug-bash/providers/microsoft.purview/accounts/sentinel-bug-bash-westeurope -d80e74e9-da11-4572-babc-79349f7685cc,"11/1/2021, 4:13:52.228 PM",00000000-0000-0000-0000-000000000000,DataSensitivityLogEvent,72f988bf-86f1-41af-91ab-2d7cd011db47,458b9821-8f00-483f-acf9-ff6ab17332c4,Sentinel-Bug-Bash-WestEurope,westeurope,AzureBlob-6Pi,AzureBlob,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourceGroups/classification-test/providers/Microsoft.Storage/storageAccounts/aipclptest,458b9821-8f00-483f-acf9-ff6ab17332c4,eastus,BugBashTest,,Doc with credit cards.docx,https://aipclptest.blob.core.windows.net/aipscan-open/Doc with credit cards.docx,File,"11/18/2020, 12:26:00.000 AM","11/18/2020, 12:26:00.000 AM",,"11/1/2021, 4:10:00.812 PM",docx,14003,Classification,System,"[""Credit Card Number"",""EU Debit Card Number""]",2,,,,,PurviewDataSensitivityLogs,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourcegroups/purview-sentinel-bug-bash/providers/microsoft.purview/accounts/sentinel-bug-bash-westeurope -d80e74e9-da11-4572-babc-79349f7685cc,"11/1/2021, 4:13:52.228 PM",00000000-0000-0000-0000-000000000000,DataSensitivityLogEvent,72f988bf-86f1-41af-91ab-2d7cd011db47,458b9821-8f00-483f-acf9-ff6ab17332c4,Sentinel-Bug-Bash-WestEurope,westeurope,AzureBlob-6Pi,AzureBlob,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourceGroups/classification-test/providers/Microsoft.Storage/storageAccounts/aipclptest,458b9821-8f00-483f-acf9-ff6ab17332c4,eastus,BugBashTest,,Doc with credit cards.docx,https://aipclptest.blob.core.windows.net/aipscan-open/Doc with credit cards.docx,File,"11/18/2020, 12:26:00.000 AM","11/18/2020, 12:26:00.000 AM",,"11/1/2021, 4:10:00.812 PM",docx,14003,Labeling,External,[],0,f42aa342-8706-4288-bd11-ebb85995028c,General,,,PurviewDataSensitivityLogs,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourcegroups/purview-sentinel-bug-bash/providers/microsoft.purview/accounts/sentinel-bug-bash-westeurope -d80e74e9-da11-4572-babc-79349f7685cc,"11/1/2021, 4:13:52.228 PM",00000000-0000-0000-0000-000000000000,DataSensitivityLogEvent,72f988bf-86f1-41af-91ab-2d7cd011db47,458b9821-8f00-483f-acf9-ff6ab17332c4,Sentinel-Bug-Bash-WestEurope,westeurope,AzureBlob-6Pi,AzureBlob,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourceGroups/classification-test/providers/Microsoft.Storage/storageAccounts/aipclptest,458b9821-8f00-483f-acf9-ff6ab17332c4,eastus,BugBashTest,,it-drv.docx,https://aipclptest.blob.core.windows.net/test2/it-drv.docx,File,"5/13/2021, 6:37:49.000 PM","5/13/2021, 6:37:49.000 PM",,"11/1/2021, 4:10:06.399 PM",docx,26098,Classification,System,"[""EU Driver's License Number"",""Italy Driver's License Number""]",2,,,,,PurviewDataSensitivityLogs,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourcegroups/purview-sentinel-bug-bash/providers/microsoft.purview/accounts/sentinel-bug-bash-westeurope -d80e74e9-da11-4572-babc-79349f7685cc,"11/1/2021, 4:13:52.234 PM",00000000-0000-0000-0000-000000000000,DataSensitivityLogEvent,72f988bf-86f1-41af-91ab-2d7cd011db47,458b9821-8f00-483f-acf9-ff6ab17332c4,Sentinel-Bug-Bash-WestEurope,westeurope,AzureBlob-6Pi,AzureBlob,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourceGroups/classification-test/providers/Microsoft.Storage/storageAccounts/aipclptest,458b9821-8f00-483f-acf9-ff6ab17332c4,eastus,BugBashTest,,fi-id.docx,https://aipclptest.blob.core.windows.net/joselw-test/fi-id.docx,File,"8/16/2021, 8:56:14.000 PM","8/16/2021, 8:56:14.000 PM",,"11/1/2021, 4:09:57.812 PM",docx,19603,Classification,System,"[""EU National Identification Number"",""EU Social Security Number (SSN) or Equivalent ID"",""EU Tax Identification Number (TIN)"",""Finland National ID""]",4,,,,,PurviewDataSensitivityLogs,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourcegroups/purview-sentinel-bug-bash/providers/microsoft.purview/accounts/sentinel-bug-bash-westeurope -d80e74e9-da11-4572-babc-79349f7685cc,"11/1/2021, 4:13:52.523 PM",00000000-0000-0000-0000-000000000000,DataSensitivityLogEvent,72f988bf-86f1-41af-91ab-2d7cd011db47,458b9821-8f00-483f-acf9-ff6ab17332c4,Sentinel-Bug-Bash-WestEurope,westeurope,AzureBlob-6Pi,AzureBlob,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourceGroups/classification-test/providers/Microsoft.Storage/storageAccounts/aipclptest,458b9821-8f00-483f-acf9-ff6ab17332c4,eastus,BugBashTest,,de-pn.docx,https://aipclptest.blob.core.windows.net/joselw-test/de-pn.docx,File,"8/16/2021, 8:56:14.000 PM","8/16/2021, 8:56:14.000 PM",,"11/1/2021, 4:09:58.359 PM",docx,19539,Classification,System,"[""EU Passport Number"",""German Passport Number""]",2,,,,,PurviewDataSensitivityLogs,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourcegroups/purview-sentinel-bug-bash/providers/microsoft.purview/accounts/sentinel-bug-bash-westeurope -d80e74e9-da11-4572-babc-79349f7685cc,"11/1/2021, 4:13:52.529 PM",00000000-0000-0000-0000-000000000000,DataSensitivityLogEvent,72f988bf-86f1-41af-91ab-2d7cd011db47,458b9821-8f00-483f-acf9-ff6ab17332c4,Sentinel-Bug-Bash-WestEurope,westeurope,AzureBlob-6Pi,AzureBlob,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourceGroups/classification-test/providers/Microsoft.Storage/storageAccounts/aipclptest,458b9821-8f00-483f-acf9-ff6ab17332c4,eastus,BugBashTest,,pl-id.docx,https://aipclptest.blob.core.windows.net/joselw-test/pl-id.docx,File,"8/16/2021, 8:56:13.000 PM","8/16/2021, 8:56:13.000 PM",,"11/1/2021, 4:09:57.812 PM",docx,19618,Classification,System,"[""EU National Identification Number"",""Poland Identity Card""]",2,,,,,PurviewDataSensitivityLogs,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourcegroups/purview-sentinel-bug-bash/providers/microsoft.purview/accounts/sentinel-bug-bash-westeurope -d80e74e9-da11-4572-babc-79349f7685cc,"11/1/2021, 4:13:52.536 PM",00000000-0000-0000-0000-000000000000,DataSensitivityLogEvent,72f988bf-86f1-41af-91ab-2d7cd011db47,458b9821-8f00-483f-acf9-ff6ab17332c4,Sentinel-Bug-Bash-WestEurope,westeurope,AzureBlob-6Pi,AzureBlob,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourceGroups/classification-test/providers/Microsoft.Storage/storageAccounts/aipclptest,458b9821-8f00-483f-acf9-ff6ab17332c4,eastus,BugBashTest,,fr-drv.docx,https://aipclptest.blob.core.windows.net/joselw-test/fr-drv.docx,File,"8/16/2021, 8:56:13.000 PM","8/16/2021, 8:56:13.000 PM",,"11/1/2021, 4:09:56.343 PM",docx,19568,Classification,System,"[""Cyprus Driver's License Number"",""EU Driver's License Number"",""France Driver's License Number"",""Japan Driver's License Number""]",4,,,,,PurviewDataSensitivityLogs,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourcegroups/purview-sentinel-bug-bash/providers/microsoft.purview/accounts/sentinel-bug-bash-westeurope -d80e74e9-da11-4572-babc-79349f7685cc,"11/1/2021, 4:13:52.663 PM",00000000-0000-0000-0000-000000000000,DataSensitivityLogEvent,72f988bf-86f1-41af-91ab-2d7cd011db47,458b9821-8f00-483f-acf9-ff6ab17332c4,Sentinel-Bug-Bash-WestEurope,westeurope,AzureBlob-6Pi,AzureBlob,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourceGroups/classification-test/providers/Microsoft.Storage/storageAccounts/aipclptest,458b9821-8f00-483f-acf9-ff6ab17332c4,eastus,BugBashTest,,uk-nino.docx,https://aipclptest.blob.core.windows.net/joselw-test/uk-nino.docx,File,"8/16/2021, 8:56:13.000 PM","8/16/2021, 8:56:13.000 PM",,"11/1/2021, 4:09:57.109 PM",docx,19659,Classification,System,"[""EU National Identification Number"",""U.K. National Insurance Number (NINO)""]",2,,,,,PurviewDataSensitivityLogs,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourcegroups/purview-sentinel-bug-bash/providers/microsoft.purview/accounts/sentinel-bug-bash-westeurope -d80e74e9-da11-4572-babc-79349f7685cc,"11/1/2021, 4:13:52.669 PM",00000000-0000-0000-0000-000000000000,DataSensitivityLogEvent,72f988bf-86f1-41af-91ab-2d7cd011db47,458b9821-8f00-483f-acf9-ff6ab17332c4,Sentinel-Bug-Bash-WestEurope,westeurope,AzureBlob-6Pi,AzureBlob,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourceGroups/classification-test/providers/Microsoft.Storage/storageAccounts/aipclptest,458b9821-8f00-483f-acf9-ff6ab17332c4,eastus,BugBashTest,,cz-id.docx,https://aipclptest.blob.core.windows.net/aashishr01/cz-id.docx,File,"12/11/2020, 8:59:35.000 PM","12/11/2020, 8:59:35.000 PM",,"11/1/2021, 4:10:08.244 PM",docx,26105,Classification,System,"[""EU National Identification Number"",""EU Social Security Number (SSN) or Equivalent ID""]",2,,,,,PurviewDataSensitivityLogs,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourcegroups/purview-sentinel-bug-bash/providers/microsoft.purview/accounts/sentinel-bug-bash-westeurope -d80e74e9-da11-4572-babc-79349f7685cc,"11/1/2021, 4:13:52.674 PM",00000000-0000-0000-0000-000000000000,DataSensitivityLogEvent,72f988bf-86f1-41af-91ab-2d7cd011db47,458b9821-8f00-483f-acf9-ff6ab17332c4,Sentinel-Bug-Bash-WestEurope,westeurope,AzureBlob-6Pi,AzureBlob,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourceGroups/classification-test/providers/Microsoft.Storage/storageAccounts/aipclptest,458b9821-8f00-483f-acf9-ff6ab17332c4,eastus,BugBashTest,,finland.txt,https://aipclptest.blob.core.windows.net/joselw-test/finland.txt,File,"8/16/2021, 8:56:14.000 PM","8/16/2021, 8:56:14.000 PM",,"11/1/2021, 4:09:56.374 PM",txt,89,Classification,System,"[""EU National Identification Number"",""EU Social Security Number (SSN) or Equivalent ID"",""EU Tax Identification Number (TIN)"",""Finland National ID""]",4,,,,,PurviewDataSensitivityLogs,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourcegroups/purview-sentinel-bug-bash/providers/microsoft.purview/accounts/sentinel-bug-bash-westeurope -d80e74e9-da11-4572-babc-79349f7685cc,"11/1/2021, 4:13:52.679 PM",00000000-0000-0000-0000-000000000000,DataSensitivityLogEvent,72f988bf-86f1-41af-91ab-2d7cd011db47,458b9821-8f00-483f-acf9-ff6ab17332c4,Sentinel-Bug-Bash-WestEurope,westeurope,AzureBlob-6Pi,AzureBlob,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourceGroups/classification-test/providers/Microsoft.Storage/storageAccounts/aipclptest,458b9821-8f00-483f-acf9-ff6ab17332c4,eastus,BugBashTest,,uk-drv.docx,https://aipclptest.blob.core.windows.net/aipscan-open/uk-drv.docx,File,"12/10/2020, 5:58:29.000 PM","12/10/2020, 5:58:29.000 PM",,"11/1/2021, 4:09:59.796 PM",docx,26212,Classification,System,"[""EU Driver's License Number"",""U.K. Driver's License Number""]",2,,,,,PurviewDataSensitivityLogs,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourcegroups/purview-sentinel-bug-bash/providers/microsoft.purview/accounts/sentinel-bug-bash-westeurope -d80e74e9-da11-4572-babc-79349f7685cc,"11/1/2021, 4:13:52.685 PM",00000000-0000-0000-0000-000000000000,DataSensitivityLogEvent,72f988bf-86f1-41af-91ab-2d7cd011db47,458b9821-8f00-483f-acf9-ff6ab17332c4,Sentinel-Bug-Bash-WestEurope,westeurope,AzureBlob-6Pi,AzureBlob,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourceGroups/classification-test/providers/Microsoft.Storage/storageAccounts/aipclptest,458b9821-8f00-483f-acf9-ff6ab17332c4,eastus,BugBashTest,,de-pn.docx,https://aipclptest.blob.core.windows.net/aashishr01/de-pn.docx,File,"12/11/2020, 8:59:35.000 PM","12/11/2020, 8:59:35.000 PM",,"11/1/2021, 4:10:08.244 PM",docx,26060,Classification,System,"[""EU Passport Number"",""German Passport Number""]",2,,,,,PurviewDataSensitivityLogs,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourcegroups/purview-sentinel-bug-bash/providers/microsoft.purview/accounts/sentinel-bug-bash-westeurope -d80e74e9-da11-4572-babc-79349f7685cc,"11/1/2021, 4:13:52.692 PM",00000000-0000-0000-0000-000000000000,DataSensitivityLogEvent,72f988bf-86f1-41af-91ab-2d7cd011db47,458b9821-8f00-483f-acf9-ff6ab17332c4,Sentinel-Bug-Bash-WestEurope,westeurope,AzureBlob-6Pi,AzureBlob,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourceGroups/classification-test/providers/Microsoft.Storage/storageAccounts/aipclptest,458b9821-8f00-483f-acf9-ff6ab17332c4,eastus,BugBashTest,,Lots of CC.docx,https://aipclptest.blob.core.windows.net/aipscan-open/Lots of CC.docx,File,"12/14/2020, 9:56:32.000 PM","12/14/2020, 9:56:32.000 PM",,"11/1/2021, 4:10:00.046 PM",docx,14132,Classification,System,"[""Credit Card Number""]",1,,,,,PurviewDataSensitivityLogs,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourcegroups/purview-sentinel-bug-bash/providers/microsoft.purview/accounts/sentinel-bug-bash-westeurope -d80e74e9-da11-4572-babc-79349f7685cc,"11/1/2021, 4:13:52.922 PM",00000000-0000-0000-0000-000000000000,DataSensitivityLogEvent,72f988bf-86f1-41af-91ab-2d7cd011db47,458b9821-8f00-483f-acf9-ff6ab17332c4,Sentinel-Bug-Bash-WestEurope,westeurope,AzureBlob-6Pi,AzureBlob,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourceGroups/classification-test/providers/Microsoft.Storage/storageAccounts/aipclptest,458b9821-8f00-483f-acf9-ff6ab17332c4,eastus,BugBashTest,,uk-nino.docx,https://aipclptest.blob.core.windows.net/aipscan-open/uk-nino.docx,File,"12/10/2020, 5:58:29.000 PM","12/10/2020, 5:58:29.000 PM",,"11/1/2021, 4:09:59.984 PM",docx,26184,Labeling,Default,[],0,9fbde396-1a24-4c79-8edf-9254a0f35055,Confidential\Microsoft Extended,,,PurviewDataSensitivityLogs,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourcegroups/purview-sentinel-bug-bash/providers/microsoft.purview/accounts/sentinel-bug-bash-westeurope -d80e74e9-da11-4572-babc-79349f7685cc,"11/1/2021, 4:13:52.926 PM",00000000-0000-0000-0000-000000000000,DataSensitivityLogEvent,72f988bf-86f1-41af-91ab-2d7cd011db47,458b9821-8f00-483f-acf9-ff6ab17332c4,Sentinel-Bug-Bash-WestEurope,westeurope,AzureBlob-6Pi,AzureBlob,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourceGroups/classification-test/providers/Microsoft.Storage/storageAccounts/aipclptest,458b9821-8f00-483f-acf9-ff6ab17332c4,eastus,BugBashTest,,IR.txt,https://aipclptest.blob.core.windows.net/joselw-test/IR.txt,File,"8/16/2021, 8:56:13.000 PM","8/16/2021, 8:56:13.000 PM",,"11/1/2021, 4:09:58.890 PM",txt,197,Labeling,Default,[],0,9fbde396-1a24-4c79-8edf-9254a0f35055,Confidential\Microsoft Extended,,,PurviewDataSensitivityLogs,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourcegroups/purview-sentinel-bug-bash/providers/microsoft.purview/accounts/sentinel-bug-bash-westeurope -d80e74e9-da11-4572-babc-79349f7685cc,"11/1/2021, 4:13:53.182 PM",00000000-0000-0000-0000-000000000000,DataSensitivityLogEvent,72f988bf-86f1-41af-91ab-2d7cd011db47,458b9821-8f00-483f-acf9-ff6ab17332c4,Sentinel-Bug-Bash-WestEurope,westeurope,AzureBlob-6Pi,AzureBlob,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourceGroups/classification-test/providers/Microsoft.Storage/storageAccounts/aipclptest,458b9821-8f00-483f-acf9-ff6ab17332c4,eastus,BugBashTest,,fi-id.docx,https://aipclptest.blob.core.windows.net/joselw-test/fi-id.docx,File,"8/16/2021, 8:56:14.000 PM","8/16/2021, 8:56:14.000 PM",,"11/1/2021, 4:09:57.812 PM",docx,19603,Labeling,Default,[],0,9fbde396-1a24-4c79-8edf-9254a0f35055,Confidential\Microsoft Extended,,,PurviewDataSensitivityLogs,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourcegroups/purview-sentinel-bug-bash/providers/microsoft.purview/accounts/sentinel-bug-bash-westeurope -d80e74e9-da11-4572-babc-79349f7685cc,"11/1/2021, 4:13:53.254 PM",00000000-0000-0000-0000-000000000000,DataSensitivityLogEvent,72f988bf-86f1-41af-91ab-2d7cd011db47,458b9821-8f00-483f-acf9-ff6ab17332c4,Sentinel-Bug-Bash-WestEurope,westeurope,AzureBlob-6Pi,AzureBlob,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourceGroups/classification-test/providers/Microsoft.Storage/storageAccounts/aipclptest,458b9821-8f00-483f-acf9-ff6ab17332c4,eastus,BugBashTest,,it-drv.docx,https://aipclptest.blob.core.windows.net/test2/it-drv.docx,File,"5/13/2021, 6:37:49.000 PM","5/13/2021, 6:37:49.000 PM",,"11/1/2021, 4:10:06.399 PM",docx,26098,Labeling,Default,[],0,9fbde396-1a24-4c79-8edf-9254a0f35055,Confidential\Microsoft Extended,,,PurviewDataSensitivityLogs,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourcegroups/purview-sentinel-bug-bash/providers/microsoft.purview/accounts/sentinel-bug-bash-westeurope -d80e74e9-da11-4572-babc-79349f7685cc,"11/1/2021, 4:13:53.510 PM",00000000-0000-0000-0000-000000000000,DataSensitivityLogEvent,72f988bf-86f1-41af-91ab-2d7cd011db47,458b9821-8f00-483f-acf9-ff6ab17332c4,Sentinel-Bug-Bash-WestEurope,westeurope,AzureBlob-6Pi,AzureBlob,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourceGroups/classification-test/providers/Microsoft.Storage/storageAccounts/aipclptest,458b9821-8f00-483f-acf9-ff6ab17332c4,eastus,BugBashTest,,de-pn.docx,https://aipclptest.blob.core.windows.net/joselw-test/de-pn.docx,File,"8/16/2021, 8:56:14.000 PM","8/16/2021, 8:56:14.000 PM",,"11/1/2021, 4:09:58.359 PM",docx,19539,Labeling,Default,[],0,9fbde396-1a24-4c79-8edf-9254a0f35055,Confidential\Microsoft Extended,,,PurviewDataSensitivityLogs,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourcegroups/purview-sentinel-bug-bash/providers/microsoft.purview/accounts/sentinel-bug-bash-westeurope -d80e74e9-da11-4572-babc-79349f7685cc,"11/1/2021, 4:13:53.544 PM",00000000-0000-0000-0000-000000000000,DataSensitivityLogEvent,72f988bf-86f1-41af-91ab-2d7cd011db47,458b9821-8f00-483f-acf9-ff6ab17332c4,Sentinel-Bug-Bash-WestEurope,westeurope,AzureBlob-6Pi,AzureBlob,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourceGroups/classification-test/providers/Microsoft.Storage/storageAccounts/aipclptest,458b9821-8f00-483f-acf9-ff6ab17332c4,eastus,BugBashTest,,fr-drv.docx,https://aipclptest.blob.core.windows.net/joselw-test/fr-drv.docx,File,"8/16/2021, 8:56:13.000 PM","8/16/2021, 8:56:13.000 PM",,"11/1/2021, 4:09:56.343 PM",docx,19568,Labeling,Default,[],0,9fbde396-1a24-4c79-8edf-9254a0f35055,Confidential\Microsoft Extended,,,PurviewDataSensitivityLogs,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourcegroups/purview-sentinel-bug-bash/providers/microsoft.purview/accounts/sentinel-bug-bash-westeurope -d80e74e9-da11-4572-babc-79349f7685cc,"11/1/2021, 4:13:53.600 PM",00000000-0000-0000-0000-000000000000,DataSensitivityLogEvent,72f988bf-86f1-41af-91ab-2d7cd011db47,458b9821-8f00-483f-acf9-ff6ab17332c4,Sentinel-Bug-Bash-WestEurope,westeurope,AzureBlob-6Pi,AzureBlob,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourceGroups/classification-test/providers/Microsoft.Storage/storageAccounts/aipclptest,458b9821-8f00-483f-acf9-ff6ab17332c4,eastus,BugBashTest,,pl-id.docx,https://aipclptest.blob.core.windows.net/joselw-test/pl-id.docx,File,"8/16/2021, 8:56:13.000 PM","8/16/2021, 8:56:13.000 PM",,"11/1/2021, 4:09:57.812 PM",docx,19618,Labeling,Default,[],0,9fbde396-1a24-4c79-8edf-9254a0f35055,Confidential\Microsoft Extended,,,PurviewDataSensitivityLogs,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourcegroups/purview-sentinel-bug-bash/providers/microsoft.purview/accounts/sentinel-bug-bash-westeurope -d80e74e9-da11-4572-babc-79349f7685cc,"11/1/2021, 4:13:53.618 PM",00000000-0000-0000-0000-000000000000,DataSensitivityLogEvent,72f988bf-86f1-41af-91ab-2d7cd011db47,458b9821-8f00-483f-acf9-ff6ab17332c4,Sentinel-Bug-Bash-WestEurope,westeurope,AzureBlob-6Pi,AzureBlob,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourceGroups/classification-test/providers/Microsoft.Storage/storageAccounts/aipclptest,458b9821-8f00-483f-acf9-ff6ab17332c4,eastus,BugBashTest,,sw-pn.docx,https://aipclptest.blob.core.windows.net/joselw-test/sw-pn.docx,File,"8/16/2021, 8:56:13.000 PM","8/16/2021, 8:56:13.000 PM",,"11/1/2021, 4:09:56.358 PM",docx,19044,Classification,System,"[""EU Passport Number"",""Sweden Passport Number""]",2,,,,,PurviewDataSensitivityLogs,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourcegroups/purview-sentinel-bug-bash/providers/microsoft.purview/accounts/sentinel-bug-bash-westeurope -d80e74e9-da11-4572-babc-79349f7685cc,"11/1/2021, 4:13:53.624 PM",00000000-0000-0000-0000-000000000000,DataSensitivityLogEvent,72f988bf-86f1-41af-91ab-2d7cd011db47,458b9821-8f00-483f-acf9-ff6ab17332c4,Sentinel-Bug-Bash-WestEurope,westeurope,AzureBlob-6Pi,AzureBlob,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourceGroups/classification-test/providers/Microsoft.Storage/storageAccounts/aipclptest,458b9821-8f00-483f-acf9-ff6ab17332c4,eastus,BugBashTest,,uk-drv.docx,https://aipclptest.blob.core.windows.net/joselw-test/uk-drv.docx,File,"8/16/2021, 8:56:13.000 PM","8/16/2021, 8:56:13.000 PM",,"11/1/2021, 4:09:59.687 PM",docx,21051,Classification,System,"[""EU Driver's License Number"",""U.K. Driver's License Number""]",2,,,,,PurviewDataSensitivityLogs,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourcegroups/purview-sentinel-bug-bash/providers/microsoft.purview/accounts/sentinel-bug-bash-westeurope -d80e74e9-da11-4572-babc-79349f7685cc,"11/1/2021, 4:13:53.632 PM",00000000-0000-0000-0000-000000000000,DataSensitivityLogEvent,72f988bf-86f1-41af-91ab-2d7cd011db47,458b9821-8f00-483f-acf9-ff6ab17332c4,Sentinel-Bug-Bash-WestEurope,westeurope,AzureBlob-6Pi,AzureBlob,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourceGroups/classification-test/providers/Microsoft.Storage/storageAccounts/aipclptest,458b9821-8f00-483f-acf9-ff6ab17332c4,eastus,BugBashTest,,uk-drv.docx,https://aipclptest.blob.core.windows.net/aipscan-open/uk-drv.docx,File,"12/10/2020, 5:58:29.000 PM","12/10/2020, 5:58:29.000 PM",,"11/1/2021, 4:09:59.796 PM",docx,26212,Labeling,Default,[],0,9fbde396-1a24-4c79-8edf-9254a0f35055,Confidential\Microsoft Extended,,,PurviewDataSensitivityLogs,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourcegroups/purview-sentinel-bug-bash/providers/microsoft.purview/accounts/sentinel-bug-bash-westeurope -d80e74e9-da11-4572-babc-79349f7685cc,"11/1/2021, 4:13:53.670 PM",00000000-0000-0000-0000-000000000000,DataSensitivityLogEvent,72f988bf-86f1-41af-91ab-2d7cd011db47,458b9821-8f00-483f-acf9-ff6ab17332c4,Sentinel-Bug-Bash-WestEurope,westeurope,AzureBlob-6Pi,AzureBlob,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourceGroups/classification-test/providers/Microsoft.Storage/storageAccounts/aipclptest,458b9821-8f00-483f-acf9-ff6ab17332c4,eastus,BugBashTest,,finland.txt,https://aipclptest.blob.core.windows.net/joselw-test/finland.txt,File,"8/16/2021, 8:56:14.000 PM","8/16/2021, 8:56:14.000 PM",,"11/1/2021, 4:09:56.374 PM",txt,89,Labeling,Default,[],0,9fbde396-1a24-4c79-8edf-9254a0f35055,Confidential\Microsoft Extended,,,PurviewDataSensitivityLogs,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourcegroups/purview-sentinel-bug-bash/providers/microsoft.purview/accounts/sentinel-bug-bash-westeurope -d80e74e9-da11-4572-babc-79349f7685cc,"11/1/2021, 4:13:53.677 PM",00000000-0000-0000-0000-000000000000,DataSensitivityLogEvent,72f988bf-86f1-41af-91ab-2d7cd011db47,458b9821-8f00-483f-acf9-ff6ab17332c4,Sentinel-Bug-Bash-WestEurope,westeurope,AzureBlob-6Pi,AzureBlob,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourceGroups/classification-test/providers/Microsoft.Storage/storageAccounts/aipclptest,458b9821-8f00-483f-acf9-ff6ab17332c4,eastus,BugBashTest,,Lots of CC.docx,https://aipclptest.blob.core.windows.net/aipscan-open/Lots of CC.docx,File,"12/14/2020, 9:56:32.000 PM","12/14/2020, 9:56:32.000 PM",,"11/1/2021, 4:10:00.046 PM",docx,14132,Labeling,External,[],0,f42aa342-8706-4288-bd11-ebb85995028c,General,,,PurviewDataSensitivityLogs,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourcegroups/purview-sentinel-bug-bash/providers/microsoft.purview/accounts/sentinel-bug-bash-westeurope -d80e74e9-da11-4572-babc-79349f7685cc,"11/1/2021, 4:13:53.677 PM",00000000-0000-0000-0000-000000000000,DataSensitivityLogEvent,72f988bf-86f1-41af-91ab-2d7cd011db47,458b9821-8f00-483f-acf9-ff6ab17332c4,Sentinel-Bug-Bash-WestEurope,westeurope,AzureBlob-6Pi,AzureBlob,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourceGroups/classification-test/providers/Microsoft.Storage/storageAccounts/aipclptest,458b9821-8f00-483f-acf9-ff6ab17332c4,eastus,BugBashTest,,multiple.docx,https://aipclptest.blob.core.windows.net/test2/multiple.docx,File,"5/13/2021, 6:37:49.000 PM","5/13/2021, 6:37:49.000 PM",,"11/1/2021, 4:10:06.399 PM",docx,24336,Classification,System,"[""EU National Identification Number"",""EU Social Security Number (SSN) or Equivalent ID"",""EU Tax Identification Number (TIN)"",""Finland National ID"",""Germany Identity Card Number"",""Greece National ID Card"",""Ireland Personal Public Service (PPS) Number""]",7,,,,,PurviewDataSensitivityLogs,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourcegroups/purview-sentinel-bug-bash/providers/microsoft.purview/accounts/sentinel-bug-bash-westeurope -d80e74e9-da11-4572-babc-79349f7685cc,"11/1/2021, 4:13:53.683 PM",00000000-0000-0000-0000-000000000000,DataSensitivityLogEvent,72f988bf-86f1-41af-91ab-2d7cd011db47,458b9821-8f00-483f-acf9-ff6ab17332c4,Sentinel-Bug-Bash-WestEurope,westeurope,AzureBlob-6Pi,AzureBlob,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourceGroups/classification-test/providers/Microsoft.Storage/storageAccounts/aipclptest,458b9821-8f00-483f-acf9-ff6ab17332c4,eastus,BugBashTest,,uk-nino.docx,https://aipclptest.blob.core.windows.net/joselw-test/uk-nino.docx,File,"8/16/2021, 8:56:13.000 PM","8/16/2021, 8:56:13.000 PM",,"11/1/2021, 4:09:57.109 PM",docx,19659,Labeling,Default,[],0,9fbde396-1a24-4c79-8edf-9254a0f35055,Confidential\Microsoft Extended,,,PurviewDataSensitivityLogs,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourcegroups/purview-sentinel-bug-bash/providers/microsoft.purview/accounts/sentinel-bug-bash-westeurope -d80e74e9-da11-4572-babc-79349f7685cc,"11/1/2021, 4:13:53.683 PM",00000000-0000-0000-0000-000000000000,DataSensitivityLogEvent,72f988bf-86f1-41af-91ab-2d7cd011db47,458b9821-8f00-483f-acf9-ff6ab17332c4,Sentinel-Bug-Bash-WestEurope,westeurope,AzureBlob-6Pi,AzureBlob,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourceGroups/classification-test/providers/Microsoft.Storage/storageAccounts/aipclptest,458b9821-8f00-483f-acf9-ff6ab17332c4,eastus,BugBashTest,,cz.txt,https://aipclptest.blob.core.windows.net/joselw-test/cz.txt,File,"8/16/2021, 8:56:14.000 PM","8/16/2021, 8:56:14.000 PM",,"11/1/2021, 4:09:56.343 PM",txt,124,Classification,System,"[""EU National Identification Number"",""EU Social Security Number (SSN) or Equivalent ID""]",2,,,,,PurviewDataSensitivityLogs,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourcegroups/purview-sentinel-bug-bash/providers/microsoft.purview/accounts/sentinel-bug-bash-westeurope -d80e74e9-da11-4572-babc-79349f7685cc,"11/1/2021, 4:13:53.689 PM",00000000-0000-0000-0000-000000000000,DataSensitivityLogEvent,72f988bf-86f1-41af-91ab-2d7cd011db47,458b9821-8f00-483f-acf9-ff6ab17332c4,Sentinel-Bug-Bash-WestEurope,westeurope,AzureBlob-6Pi,AzureBlob,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourceGroups/classification-test/providers/Microsoft.Storage/storageAccounts/aipclptest,458b9821-8f00-483f-acf9-ff6ab17332c4,eastus,BugBashTest,,uk-roll.docx,https://aipclptest.blob.core.windows.net/joselw-test/uk-roll.docx,File,"8/16/2021, 8:56:13.000 PM","8/16/2021, 8:56:13.000 PM",,"11/1/2021, 4:09:57.093 PM",docx,18989,Classification,System,"[""U.K. Electoral Roll Number""]",1,,,,,PurviewDataSensitivityLogs,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourcegroups/purview-sentinel-bug-bash/providers/microsoft.purview/accounts/sentinel-bug-bash-westeurope -d80e74e9-da11-4572-babc-79349f7685cc,"11/1/2021, 4:13:53.694 PM",00000000-0000-0000-0000-000000000000,DataSensitivityLogEvent,72f988bf-86f1-41af-91ab-2d7cd011db47,458b9821-8f00-483f-acf9-ff6ab17332c4,Sentinel-Bug-Bash-WestEurope,westeurope,AzureBlob-6Pi,AzureBlob,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourceGroups/classification-test/providers/Microsoft.Storage/storageAccounts/aipclptest,458b9821-8f00-483f-acf9-ff6ab17332c4,eastus,BugBashTest,,Doc with credit cards.docx,https://aipclptest.blob.core.windows.net/test2/Doc with credit cards.docx,File,"5/13/2021, 6:37:49.000 PM","5/13/2021, 6:37:49.000 PM",,"11/1/2021, 4:10:07.057 PM",docx,14003,Classification,System,"[""Credit Card Number"",""EU Debit Card Number""]",2,,,,,PurviewDataSensitivityLogs,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourcegroups/purview-sentinel-bug-bash/providers/microsoft.purview/accounts/sentinel-bug-bash-westeurope -d80e74e9-da11-4572-babc-79349f7685cc,"11/1/2021, 4:13:53.694 PM",00000000-0000-0000-0000-000000000000,DataSensitivityLogEvent,72f988bf-86f1-41af-91ab-2d7cd011db47,458b9821-8f00-483f-acf9-ff6ab17332c4,Sentinel-Bug-Bash-WestEurope,westeurope,AzureBlob-6Pi,AzureBlob,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourceGroups/classification-test/providers/Microsoft.Storage/storageAccounts/aipclptest,458b9821-8f00-483f-acf9-ff6ab17332c4,eastus,BugBashTest,,Doc with credit cards.docx,https://aipclptest.blob.core.windows.net/test2/Doc with credit cards.docx,File,"5/13/2021, 6:37:49.000 PM","5/13/2021, 6:37:49.000 PM",,"11/1/2021, 4:10:07.057 PM",docx,14003,Labeling,External,[],0,f42aa342-8706-4288-bd11-ebb85995028c,General,,,PurviewDataSensitivityLogs,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourcegroups/purview-sentinel-bug-bash/providers/microsoft.purview/accounts/sentinel-bug-bash-westeurope -d80e74e9-da11-4572-babc-79349f7685cc,"11/1/2021, 4:13:53.706 PM",00000000-0000-0000-0000-000000000000,DataSensitivityLogEvent,72f988bf-86f1-41af-91ab-2d7cd011db47,458b9821-8f00-483f-acf9-ff6ab17332c4,Sentinel-Bug-Bash-WestEurope,westeurope,AzureBlob-6Pi,AzureBlob,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourceGroups/classification-test/providers/Microsoft.Storage/storageAccounts/aipclptest,458b9821-8f00-483f-acf9-ff6ab17332c4,eastus,BugBashTest,,de-pn.docx,https://aipclptest.blob.core.windows.net/aashishr01/de-pn.docx,File,"12/11/2020, 8:59:35.000 PM","12/11/2020, 8:59:35.000 PM",,"11/1/2021, 4:10:08.244 PM",docx,26060,Labeling,Default,[],0,9fbde396-1a24-4c79-8edf-9254a0f35055,Confidential\Microsoft Extended,,,PurviewDataSensitivityLogs,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourcegroups/purview-sentinel-bug-bash/providers/microsoft.purview/accounts/sentinel-bug-bash-westeurope -d80e74e9-da11-4572-babc-79349f7685cc,"11/1/2021, 4:13:53.731 PM",00000000-0000-0000-0000-000000000000,DataSensitivityLogEvent,72f988bf-86f1-41af-91ab-2d7cd011db47,458b9821-8f00-483f-acf9-ff6ab17332c4,Sentinel-Bug-Bash-WestEurope,westeurope,AzureBlob-6Pi,AzureBlob,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourceGroups/classification-test/providers/Microsoft.Storage/storageAccounts/aipclptest,458b9821-8f00-483f-acf9-ff6ab17332c4,eastus,BugBashTest,,cz-id.docx,https://aipclptest.blob.core.windows.net/aashishr01/cz-id.docx,File,"12/11/2020, 8:59:35.000 PM","12/11/2020, 8:59:35.000 PM",,"11/1/2021, 4:10:08.244 PM",docx,26105,Labeling,Default,[],0,9fbde396-1a24-4c79-8edf-9254a0f35055,Confidential\Microsoft Extended,,,PurviewDataSensitivityLogs,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourcegroups/purview-sentinel-bug-bash/providers/microsoft.purview/accounts/sentinel-bug-bash-westeurope -d80e74e9-da11-4572-babc-79349f7685cc,"11/1/2021, 4:13:53.846 PM",00000000-0000-0000-0000-000000000000,DataSensitivityLogEvent,72f988bf-86f1-41af-91ab-2d7cd011db47,458b9821-8f00-483f-acf9-ff6ab17332c4,Sentinel-Bug-Bash-WestEurope,westeurope,AzureBlob-6Pi,AzureBlob,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourceGroups/classification-test/providers/Microsoft.Storage/storageAccounts/aipclptest,458b9821-8f00-483f-acf9-ff6ab17332c4,eastus,BugBashTest,,Acme Background Check-Katana.doc,https://aipclptest.blob.core.windows.net/joselw-test/Acme Background Check-Katana.doc,File,"8/16/2021, 8:56:15.000 PM","8/16/2021, 8:56:15.000 PM",,"11/1/2021, 4:09:59.562 PM",doc,90624,Classification,System,"[""Credit Card Number"",""U.S. Social Security Number (SSN)""]",2,,,,,PurviewDataSensitivityLogs,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourcegroups/purview-sentinel-bug-bash/providers/microsoft.purview/accounts/sentinel-bug-bash-westeurope -d80e74e9-da11-4572-babc-79349f7685cc,"11/1/2021, 4:13:53.852 PM",00000000-0000-0000-0000-000000000000,DataSensitivityLogEvent,72f988bf-86f1-41af-91ab-2d7cd011db47,458b9821-8f00-483f-acf9-ff6ab17332c4,Sentinel-Bug-Bash-WestEurope,westeurope,AzureBlob-6Pi,AzureBlob,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourceGroups/classification-test/providers/Microsoft.Storage/storageAccounts/aipclptest,458b9821-8f00-483f-acf9-ff6ab17332c4,eastus,BugBashTest,,fr-drv.docx,https://aipclptest.blob.core.windows.net/aashishr01/fr-drv.docx,File,"12/11/2020, 8:59:33.000 PM","12/11/2020, 8:59:33.000 PM",,"11/1/2021, 4:10:07.588 PM",docx,26094,Classification,System,"[""Cyprus Driver's License Number"",""EU Driver's License Number"",""France Driver's License Number"",""Japan Driver's License Number""]",4,,,,,PurviewDataSensitivityLogs,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourcegroups/purview-sentinel-bug-bash/providers/microsoft.purview/accounts/sentinel-bug-bash-westeurope -d80e74e9-da11-4572-babc-79349f7685cc,"11/1/2021, 4:13:53.857 PM",00000000-0000-0000-0000-000000000000,DataSensitivityLogEvent,72f988bf-86f1-41af-91ab-2d7cd011db47,458b9821-8f00-483f-acf9-ff6ab17332c4,Sentinel-Bug-Bash-WestEurope,westeurope,AzureBlob-6Pi,AzureBlob,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourceGroups/classification-test/providers/Microsoft.Storage/storageAccounts/aipclptest,458b9821-8f00-483f-acf9-ff6ab17332c4,eastus,BugBashTest,,Acme Background Check-Katana.doc,https://aipclptest.blob.core.windows.net/satintestcontainer/test1/Acme Background Check-Katana.doc,File,"2/16/2021, 9:12:17.000 AM","2/16/2021, 9:12:17.000 AM",,"11/1/2021, 4:10:36.889 PM",doc,90624,Classification,System,"[""Credit Card Number"",""U.S. Social Security Number (SSN)""]",2,,,,,PurviewDataSensitivityLogs,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourcegroups/purview-sentinel-bug-bash/providers/microsoft.purview/accounts/sentinel-bug-bash-westeurope -d80e74e9-da11-4572-babc-79349f7685cc,"11/1/2021, 4:13:53.862 PM",00000000-0000-0000-0000-000000000000,DataSensitivityLogEvent,72f988bf-86f1-41af-91ab-2d7cd011db47,458b9821-8f00-483f-acf9-ff6ab17332c4,Sentinel-Bug-Bash-WestEurope,westeurope,AzureBlob-6Pi,AzureBlob,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourceGroups/classification-test/providers/Microsoft.Storage/storageAccounts/aipclptest,458b9821-8f00-483f-acf9-ff6ab17332c4,eastus,BugBashTest,,uk-pn.docx,https://aipclptest.blob.core.windows.net/aipscan-open/uk-pn.docx,File,"12/10/2020, 5:58:29.000 PM","12/10/2020, 5:58:29.000 PM",,"11/1/2021, 4:10:00.077 PM",docx,26383,Classification,System,"[""Bulgaria Passport Number"",""Croatia Passport Number"",""Denmark Passport Number"",""EU Passport Number"",""Ireland Passport Number"",""Italy Passport Number"",""Romania Passport Number"",""Russian Passport Number (International)"",""Taiwan Passport Number"",""U.S. / U.K. Passport Number"",""Ukraine Passport Number (Domestic)""]",11,,,,,PurviewDataSensitivityLogs,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourcegroups/purview-sentinel-bug-bash/providers/microsoft.purview/accounts/sentinel-bug-bash-westeurope -d80e74e9-da11-4572-babc-79349f7685cc,"11/1/2021, 4:13:53.868 PM",00000000-0000-0000-0000-000000000000,DataSensitivityLogEvent,72f988bf-86f1-41af-91ab-2d7cd011db47,458b9821-8f00-483f-acf9-ff6ab17332c4,Sentinel-Bug-Bash-WestEurope,westeurope,AzureBlob-6Pi,AzureBlob,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourceGroups/classification-test/providers/Microsoft.Storage/storageAccounts/aipclptest,458b9821-8f00-483f-acf9-ff6ab17332c4,eastus,BugBashTest,,cc.docx,https://aipclptest.blob.core.windows.net/joselw-test/cc.docx,File,"8/16/2021, 8:56:14.000 PM","8/16/2021, 8:56:14.000 PM",,"11/1/2021, 4:09:59.577 PM",docx,18956,Classification,System,"[""Credit Card Number"",""EU Debit Card Number""]",2,,,,,PurviewDataSensitivityLogs,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourcegroups/purview-sentinel-bug-bash/providers/microsoft.purview/accounts/sentinel-bug-bash-westeurope -d80e74e9-da11-4572-babc-79349f7685cc,"11/1/2021, 4:13:53.868 PM",00000000-0000-0000-0000-000000000000,DataSensitivityLogEvent,72f988bf-86f1-41af-91ab-2d7cd011db47,458b9821-8f00-483f-acf9-ff6ab17332c4,Sentinel-Bug-Bash-WestEurope,westeurope,AzureBlob-6Pi,AzureBlob,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourceGroups/classification-test/providers/Microsoft.Storage/storageAccounts/aipclptest,458b9821-8f00-483f-acf9-ff6ab17332c4,eastus,BugBashTest,,cc.docx,https://aipclptest.blob.core.windows.net/joselw-test/cc.docx,File,"8/16/2021, 8:56:14.000 PM","8/16/2021, 8:56:14.000 PM",,"11/1/2021, 4:09:59.577 PM",docx,18956,Labeling,External,[],0,f42aa342-8706-4288-bd11-ebb85995028c,General,,,PurviewDataSensitivityLogs,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourcegroups/purview-sentinel-bug-bash/providers/microsoft.purview/accounts/sentinel-bug-bash-westeurope -d80e74e9-da11-4572-babc-79349f7685cc,"11/1/2021, 4:13:53.868 PM",00000000-0000-0000-0000-000000000000,DataSensitivityLogEvent,72f988bf-86f1-41af-91ab-2d7cd011db47,458b9821-8f00-483f-acf9-ff6ab17332c4,Sentinel-Bug-Bash-WestEurope,westeurope,AzureBlob-6Pi,AzureBlob,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourceGroups/classification-test/providers/Microsoft.Storage/storageAccounts/aipclptest,458b9821-8f00-483f-acf9-ff6ab17332c4,eastus,BugBashTest,,fr-cni-pdf.pdf,https://aipclptest.blob.core.windows.net/aashishr01/fr-cni-pdf.pdf,File,"12/11/2020, 8:59:35.000 PM","12/11/2020, 8:59:35.000 PM",,"11/1/2021, 4:10:08.760 PM",pdf,327291,Classification,System,"[""EU National Identification Number"",""France National ID Card (CNI)""]",2,,,,,PurviewDataSensitivityLogs,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourcegroups/purview-sentinel-bug-bash/providers/microsoft.purview/accounts/sentinel-bug-bash-westeurope -d80e74e9-da11-4572-babc-79349f7685cc,"11/1/2021, 4:13:53.873 PM",00000000-0000-0000-0000-000000000000,DataSensitivityLogEvent,72f988bf-86f1-41af-91ab-2d7cd011db47,458b9821-8f00-483f-acf9-ff6ab17332c4,Sentinel-Bug-Bash-WestEurope,westeurope,AzureBlob-6Pi,AzureBlob,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourceGroups/classification-test/providers/Microsoft.Storage/storageAccounts/aipclptest,458b9821-8f00-483f-acf9-ff6ab17332c4,eastus,BugBashTest,,fr-cni.docx,https://aipclptest.blob.core.windows.net/joselw-test/fr-cni.docx,File,"8/16/2021, 8:56:14.000 PM","8/16/2021, 8:56:14.000 PM",,"11/1/2021, 4:09:59.468 PM",docx,20854,Classification,System,"[""EU National Identification Number"",""France National ID Card (CNI)""]",2,,,,,PurviewDataSensitivityLogs,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourcegroups/purview-sentinel-bug-bash/providers/microsoft.purview/accounts/sentinel-bug-bash-westeurope -d80e74e9-da11-4572-babc-79349f7685cc,"11/1/2021, 4:13:53.873 PM",00000000-0000-0000-0000-000000000000,DataSensitivityLogEvent,72f988bf-86f1-41af-91ab-2d7cd011db47,458b9821-8f00-483f-acf9-ff6ab17332c4,Sentinel-Bug-Bash-WestEurope,westeurope,AzureBlob-6Pi,AzureBlob,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourceGroups/classification-test/providers/Microsoft.Storage/storageAccounts/aipclptest,458b9821-8f00-483f-acf9-ff6ab17332c4,eastus,BugBashTest,,fr-cni.docx,https://aipclptest.blob.core.windows.net/joselw-test/fr-cni.docx,File,"8/16/2021, 8:56:14.000 PM","8/16/2021, 8:56:14.000 PM",,"11/1/2021, 4:09:59.468 PM",docx,20854,Labeling,External,[],0,f42aa342-8706-4288-bd11-ebb85995028c,General,,,PurviewDataSensitivityLogs,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourcegroups/purview-sentinel-bug-bash/providers/microsoft.purview/accounts/sentinel-bug-bash-westeurope -d80e74e9-da11-4572-babc-79349f7685cc,"11/1/2021, 4:13:53.874 PM",00000000-0000-0000-0000-000000000000,DataSensitivityLogEvent,72f988bf-86f1-41af-91ab-2d7cd011db47,458b9821-8f00-483f-acf9-ff6ab17332c4,Sentinel-Bug-Bash-WestEurope,westeurope,AzureBlob-6Pi,AzureBlob,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourceGroups/classification-test/providers/Microsoft.Storage/storageAccounts/aipclptest,458b9821-8f00-483f-acf9-ff6ab17332c4,eastus,BugBashTest,,uk-nino.docx,https://aipclptest.blob.core.windows.net/aashishr01/uk-nino.docx,File,"12/11/2020, 8:59:35.000 PM","12/11/2020, 8:59:35.000 PM",,"11/1/2021, 4:10:08.979 PM",docx,26184,Classification,System,"[""EU National Identification Number"",""U.K. National Insurance Number (NINO)""]",2,,,,,PurviewDataSensitivityLogs,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourcegroups/purview-sentinel-bug-bash/providers/microsoft.purview/accounts/sentinel-bug-bash-westeurope -d80e74e9-da11-4572-babc-79349f7685cc,"11/1/2021, 4:13:53.879 PM",00000000-0000-0000-0000-000000000000,DataSensitivityLogEvent,72f988bf-86f1-41af-91ab-2d7cd011db47,458b9821-8f00-483f-acf9-ff6ab17332c4,Sentinel-Bug-Bash-WestEurope,westeurope,AzureBlob-6Pi,AzureBlob,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourceGroups/classification-test/providers/Microsoft.Storage/storageAccounts/aipclptest,458b9821-8f00-483f-acf9-ff6ab17332c4,eastus,BugBashTest,,es-ssn (1).docx,https://aipclptest.blob.core.windows.net/test2/es-ssn (1).docx,File,"5/13/2021, 6:37:48.000 PM","5/13/2021, 6:37:48.000 PM",,"11/1/2021, 4:10:05.540 PM",docx,26070,Classification,System,"[""Spain Social Security Number (SSN)""]",1,,,,,PurviewDataSensitivityLogs,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourcegroups/purview-sentinel-bug-bash/providers/microsoft.purview/accounts/sentinel-bug-bash-westeurope -d80e74e9-da11-4572-babc-79349f7685cc,"11/1/2021, 4:13:53.884 PM",00000000-0000-0000-0000-000000000000,DataSensitivityLogEvent,72f988bf-86f1-41af-91ab-2d7cd011db47,458b9821-8f00-483f-acf9-ff6ab17332c4,Sentinel-Bug-Bash-WestEurope,westeurope,AzureBlob-6Pi,AzureBlob,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourceGroups/classification-test/providers/Microsoft.Storage/storageAccounts/aipclptest,458b9821-8f00-483f-acf9-ff6ab17332c4,eastus,BugBashTest,,cr-oib.docx,https://aipclptest.blob.core.windows.net/aashishr01/cr-oib.docx,File,"12/11/2020, 8:59:35.000 PM","12/11/2020, 8:59:35.000 PM",,"11/1/2021, 4:10:10.072 PM",docx,26098,Classification,System,"[""EU National Identification Number""]",1,,,,,PurviewDataSensitivityLogs,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourcegroups/purview-sentinel-bug-bash/providers/microsoft.purview/accounts/sentinel-bug-bash-westeurope -d80e74e9-da11-4572-babc-79349f7685cc,"11/1/2021, 4:13:53.892 PM",00000000-0000-0000-0000-000000000000,DataSensitivityLogEvent,72f988bf-86f1-41af-91ab-2d7cd011db47,458b9821-8f00-483f-acf9-ff6ab17332c4,Sentinel-Bug-Bash-WestEurope,westeurope,AzureBlob-6Pi,AzureBlob,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourceGroups/classification-test/providers/Microsoft.Storage/storageAccounts/aipclptest,458b9821-8f00-483f-acf9-ff6ab17332c4,eastus,BugBashTest,,it-drv.docx,https://aipclptest.blob.core.windows.net/aashishr01/it-drv.docx,File,"12/11/2020, 8:59:33.000 PM","12/11/2020, 8:59:33.000 PM",,"11/1/2021, 4:10:10.072 PM",docx,26098,Classification,System,"[""EU Driver's License Number"",""Italy Driver's License Number""]",2,,,,,PurviewDataSensitivityLogs,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourcegroups/purview-sentinel-bug-bash/providers/microsoft.purview/accounts/sentinel-bug-bash-westeurope -d80e74e9-da11-4572-babc-79349f7685cc,"11/1/2021, 4:13:53.898 PM",00000000-0000-0000-0000-000000000000,DataSensitivityLogEvent,72f988bf-86f1-41af-91ab-2d7cd011db47,458b9821-8f00-483f-acf9-ff6ab17332c4,Sentinel-Bug-Bash-WestEurope,westeurope,AzureBlob-6Pi,AzureBlob,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourceGroups/classification-test/providers/Microsoft.Storage/storageAccounts/aipclptest,458b9821-8f00-483f-acf9-ff6ab17332c4,eastus,BugBashTest,,denmark.txt,https://aipclptest.blob.core.windows.net/test2/denmark.txt,File,"5/13/2021, 6:37:49.000 PM","5/13/2021, 6:37:49.000 PM",,"11/1/2021, 4:10:05.524 PM",txt,128,Classification,System,"[""EU National Identification Number""]",1,,,,,PurviewDataSensitivityLogs,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourcegroups/purview-sentinel-bug-bash/providers/microsoft.purview/accounts/sentinel-bug-bash-westeurope -d80e74e9-da11-4572-babc-79349f7685cc,"11/1/2021, 4:13:53.905 PM",00000000-0000-0000-0000-000000000000,DataSensitivityLogEvent,72f988bf-86f1-41af-91ab-2d7cd011db47,458b9821-8f00-483f-acf9-ff6ab17332c4,Sentinel-Bug-Bash-WestEurope,westeurope,AzureBlob-6Pi,AzureBlob,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourceGroups/classification-test/providers/Microsoft.Storage/storageAccounts/aipclptest,458b9821-8f00-483f-acf9-ff6ab17332c4,eastus,BugBashTest,,es-ssn.docx,https://aipclptest.blob.core.windows.net/test2/es-ssn.docx,File,"5/13/2021, 6:37:48.000 PM","5/13/2021, 6:37:48.000 PM",,"11/1/2021, 4:10:06.399 PM",docx,26070,Classification,System,"[""Spain Social Security Number (SSN)""]",1,,,,,PurviewDataSensitivityLogs,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourcegroups/purview-sentinel-bug-bash/providers/microsoft.purview/accounts/sentinel-bug-bash-westeurope -d80e74e9-da11-4572-babc-79349f7685cc,"11/1/2021, 4:13:53.911 PM",00000000-0000-0000-0000-000000000000,DataSensitivityLogEvent,72f988bf-86f1-41af-91ab-2d7cd011db47,458b9821-8f00-483f-acf9-ff6ab17332c4,Sentinel-Bug-Bash-WestEurope,westeurope,AzureBlob-6Pi,AzureBlob,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourceGroups/classification-test/providers/Microsoft.Storage/storageAccounts/aipclptest,458b9821-8f00-483f-acf9-ff6ab17332c4,eastus,BugBashTest,,germany.txt,https://aipclptest.blob.core.windows.net/test2/germany.txt,File,"5/13/2021, 6:37:48.000 PM","5/13/2021, 6:37:48.000 PM",,"11/1/2021, 4:10:05.540 PM",txt,42,Classification,System,"[""EU National Identification Number"",""EU Social Security Number (SSN) or Equivalent ID"",""Germany Identity Card Number""]",3,,,,,PurviewDataSensitivityLogs,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourcegroups/purview-sentinel-bug-bash/providers/microsoft.purview/accounts/sentinel-bug-bash-westeurope -d80e74e9-da11-4572-babc-79349f7685cc,"11/1/2021, 4:13:54.038 PM",00000000-0000-0000-0000-000000000000,DataSensitivityLogEvent,72f988bf-86f1-41af-91ab-2d7cd011db47,458b9821-8f00-483f-acf9-ff6ab17332c4,Sentinel-Bug-Bash-WestEurope,westeurope,AzureBlob-6Pi,AzureBlob,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourceGroups/classification-test/providers/Microsoft.Storage/storageAccounts/aipclptest,458b9821-8f00-483f-acf9-ff6ab17332c4,eastus,BugBashTest,,cz.txt,https://aipclptest.blob.core.windows.net/aashishr01/cz.txt,File,"12/11/2020, 8:59:35.000 PM","12/11/2020, 8:59:35.000 PM",,"11/1/2021, 4:10:09.697 PM",txt,124,Classification,System,"[""EU National Identification Number"",""EU Social Security Number (SSN) or Equivalent ID""]",2,,,,,PurviewDataSensitivityLogs,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourcegroups/purview-sentinel-bug-bash/providers/microsoft.purview/accounts/sentinel-bug-bash-westeurope -d80e74e9-da11-4572-babc-79349f7685cc,"11/1/2021, 4:13:54.044 PM",00000000-0000-0000-0000-000000000000,DataSensitivityLogEvent,72f988bf-86f1-41af-91ab-2d7cd011db47,458b9821-8f00-483f-acf9-ff6ab17332c4,Sentinel-Bug-Bash-WestEurope,westeurope,AzureBlob-6Pi,AzureBlob,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourceGroups/classification-test/providers/Microsoft.Storage/storageAccounts/aipclptest,458b9821-8f00-483f-acf9-ff6ab17332c4,eastus,BugBashTest,,germany.txt,https://aipclptest.blob.core.windows.net/aashishr01/germany.txt,File,"12/11/2020, 8:59:33.000 PM","12/11/2020, 8:59:33.000 PM",,"11/1/2021, 4:10:09.697 PM",txt,42,Classification,System,"[""EU National Identification Number"",""EU Social Security Number (SSN) or Equivalent ID"",""Germany Identity Card Number""]",3,,,,,PurviewDataSensitivityLogs,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourcegroups/purview-sentinel-bug-bash/providers/microsoft.purview/accounts/sentinel-bug-bash-westeurope -d80e74e9-da11-4572-babc-79349f7685cc,"11/1/2021, 4:13:54.049 PM",00000000-0000-0000-0000-000000000000,DataSensitivityLogEvent,72f988bf-86f1-41af-91ab-2d7cd011db47,458b9821-8f00-483f-acf9-ff6ab17332c4,Sentinel-Bug-Bash-WestEurope,westeurope,AzureBlob-6Pi,AzureBlob,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourceGroups/classification-test/providers/Microsoft.Storage/storageAccounts/aipclptest,458b9821-8f00-483f-acf9-ff6ab17332c4,eastus,BugBashTest,,IR.txt,https://aipclptest.blob.core.windows.net/aashishr01/IR.txt,File,"12/11/2020, 8:59:33.000 PM","12/11/2020, 8:59:33.000 PM",,"11/1/2021, 4:10:08.635 PM",txt,197,Classification,System,"[""EU National Identification Number"",""EU Tax Identification Number (TIN)"",""Ireland Personal Public Service (PPS) Number""]",3,,,,,PurviewDataSensitivityLogs,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourcegroups/purview-sentinel-bug-bash/providers/microsoft.purview/accounts/sentinel-bug-bash-westeurope -d80e74e9-da11-4572-babc-79349f7685cc,"11/1/2021, 4:13:54.055 PM",00000000-0000-0000-0000-000000000000,DataSensitivityLogEvent,72f988bf-86f1-41af-91ab-2d7cd011db47,458b9821-8f00-483f-acf9-ff6ab17332c4,Sentinel-Bug-Bash-WestEurope,westeurope,AzureBlob-6Pi,AzureBlob,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourceGroups/classification-test/providers/Microsoft.Storage/storageAccounts/aipclptest,458b9821-8f00-483f-acf9-ff6ab17332c4,eastus,BugBashTest,,de-id.docx,https://aipclptest.blob.core.windows.net/aashishr01/de-id.docx,File,"12/11/2020, 8:59:35.000 PM","12/11/2020, 8:59:35.000 PM",,"11/1/2021, 4:10:08.244 PM",docx,25558,Classification,System,"[""EU National Identification Number"",""Germany Identity Card Number""]",2,,,,,PurviewDataSensitivityLogs,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourcegroups/purview-sentinel-bug-bash/providers/microsoft.purview/accounts/sentinel-bug-bash-westeurope -d80e74e9-da11-4572-babc-79349f7685cc,"11/1/2021, 4:13:54.328 PM",00000000-0000-0000-0000-000000000000,DataSensitivityLogEvent,72f988bf-86f1-41af-91ab-2d7cd011db47,458b9821-8f00-483f-acf9-ff6ab17332c4,Sentinel-Bug-Bash-WestEurope,westeurope,AzureBlob-6Pi,AzureBlob,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourceGroups/classification-test/providers/Microsoft.Storage/storageAccounts/aipclptest,458b9821-8f00-483f-acf9-ff6ab17332c4,eastus,BugBashTest,,sw-pn.docx,https://aipclptest.blob.core.windows.net/joselw-test/sw-pn.docx,File,"8/16/2021, 8:56:13.000 PM","8/16/2021, 8:56:13.000 PM",,"11/1/2021, 4:09:56.358 PM",docx,19044,Labeling,Default,[],0,9fbde396-1a24-4c79-8edf-9254a0f35055,Confidential\Microsoft Extended,,,PurviewDataSensitivityLogs,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourcegroups/purview-sentinel-bug-bash/providers/microsoft.purview/accounts/sentinel-bug-bash-westeurope -d80e74e9-da11-4572-babc-79349f7685cc,"11/1/2021, 4:13:54.339 PM",00000000-0000-0000-0000-000000000000,DataSensitivityLogEvent,72f988bf-86f1-41af-91ab-2d7cd011db47,458b9821-8f00-483f-acf9-ff6ab17332c4,Sentinel-Bug-Bash-WestEurope,westeurope,AzureBlob-6Pi,AzureBlob,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourceGroups/classification-test/providers/Microsoft.Storage/storageAccounts/aipclptest,458b9821-8f00-483f-acf9-ff6ab17332c4,eastus,BugBashTest,,multiple.docx,https://aipclptest.blob.core.windows.net/test2/multiple.docx,File,"5/13/2021, 6:37:49.000 PM","5/13/2021, 6:37:49.000 PM",,"11/1/2021, 4:10:06.399 PM",docx,24336,Labeling,Default,[],0,9fbde396-1a24-4c79-8edf-9254a0f35055,Confidential\Microsoft Extended,,,PurviewDataSensitivityLogs,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourcegroups/purview-sentinel-bug-bash/providers/microsoft.purview/accounts/sentinel-bug-bash-westeurope -d80e74e9-da11-4572-babc-79349f7685cc,"11/1/2021, 4:13:54.426 PM",00000000-0000-0000-0000-000000000000,DataSensitivityLogEvent,72f988bf-86f1-41af-91ab-2d7cd011db47,458b9821-8f00-483f-acf9-ff6ab17332c4,Sentinel-Bug-Bash-WestEurope,westeurope,AzureBlob-6Pi,AzureBlob,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourceGroups/classification-test/providers/Microsoft.Storage/storageAccounts/aipclptest,458b9821-8f00-483f-acf9-ff6ab17332c4,eastus,BugBashTest,,cz.txt,https://aipclptest.blob.core.windows.net/joselw-test/cz.txt,File,"8/16/2021, 8:56:14.000 PM","8/16/2021, 8:56:14.000 PM",,"11/1/2021, 4:09:56.343 PM",txt,124,Labeling,Default,[],0,9fbde396-1a24-4c79-8edf-9254a0f35055,Confidential\Microsoft Extended,,,PurviewDataSensitivityLogs,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourcegroups/purview-sentinel-bug-bash/providers/microsoft.purview/accounts/sentinel-bug-bash-westeurope -d80e74e9-da11-4572-babc-79349f7685cc,"11/1/2021, 4:13:54.437 PM",00000000-0000-0000-0000-000000000000,DataSensitivityLogEvent,72f988bf-86f1-41af-91ab-2d7cd011db47,458b9821-8f00-483f-acf9-ff6ab17332c4,Sentinel-Bug-Bash-WestEurope,westeurope,AzureBlob-6Pi,AzureBlob,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourceGroups/classification-test/providers/Microsoft.Storage/storageAccounts/aipclptest,458b9821-8f00-483f-acf9-ff6ab17332c4,eastus,BugBashTest,,uk-drv.docx,https://aipclptest.blob.core.windows.net/joselw-test/uk-drv.docx,File,"8/16/2021, 8:56:13.000 PM","8/16/2021, 8:56:13.000 PM",,"11/1/2021, 4:09:59.687 PM",docx,21051,Labeling,External,[],0,f42aa342-8706-4288-bd11-ebb85995028c,General,,,PurviewDataSensitivityLogs,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourcegroups/purview-sentinel-bug-bash/providers/microsoft.purview/accounts/sentinel-bug-bash-westeurope -d80e74e9-da11-4572-babc-79349f7685cc,"11/1/2021, 4:13:54.438 PM",00000000-0000-0000-0000-000000000000,DataSensitivityLogEvent,72f988bf-86f1-41af-91ab-2d7cd011db47,458b9821-8f00-483f-acf9-ff6ab17332c4,Sentinel-Bug-Bash-WestEurope,westeurope,AzureBlob-6Pi,AzureBlob,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourceGroups/classification-test/providers/Microsoft.Storage/storageAccounts/aipclptest,458b9821-8f00-483f-acf9-ff6ab17332c4,eastus,BugBashTest,,EL.txt,https://aipclptest.blob.core.windows.net/joselw-test/EL.txt,File,"8/16/2021, 8:56:14.000 PM","8/16/2021, 8:56:14.000 PM",,"11/1/2021, 4:09:58.015 PM",txt,200,Classification,System,"[""EU National Identification Number"",""Greece National ID Card""]",2,,,,,PurviewDataSensitivityLogs,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourcegroups/purview-sentinel-bug-bash/providers/microsoft.purview/accounts/sentinel-bug-bash-westeurope -d80e74e9-da11-4572-babc-79349f7685cc,"11/1/2021, 4:13:54.444 PM",00000000-0000-0000-0000-000000000000,DataSensitivityLogEvent,72f988bf-86f1-41af-91ab-2d7cd011db47,458b9821-8f00-483f-acf9-ff6ab17332c4,Sentinel-Bug-Bash-WestEurope,westeurope,AzureBlob-6Pi,AzureBlob,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourceGroups/classification-test/providers/Microsoft.Storage/storageAccounts/aipclptest,458b9821-8f00-483f-acf9-ff6ab17332c4,eastus,BugBashTest,,multiple.docx,https://aipclptest.blob.core.windows.net/aashishr01/multiple.docx,File,"12/11/2020, 8:59:33.000 PM","12/11/2020, 8:59:33.000 PM",,"11/1/2021, 4:10:08.229 PM",docx,24336,Classification,System,"[""EU National Identification Number"",""EU Social Security Number (SSN) or Equivalent ID"",""EU Tax Identification Number (TIN)"",""Finland National ID"",""Germany Identity Card Number"",""Greece National ID Card"",""Ireland Personal Public Service (PPS) Number""]",7,,,,,PurviewDataSensitivityLogs,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourcegroups/purview-sentinel-bug-bash/providers/microsoft.purview/accounts/sentinel-bug-bash-westeurope -d80e74e9-da11-4572-babc-79349f7685cc,"11/1/2021, 4:13:54.448 PM",00000000-0000-0000-0000-000000000000,DataSensitivityLogEvent,72f988bf-86f1-41af-91ab-2d7cd011db47,458b9821-8f00-483f-acf9-ff6ab17332c4,Sentinel-Bug-Bash-WestEurope,westeurope,AzureBlob-6Pi,AzureBlob,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourceGroups/classification-test/providers/Microsoft.Storage/storageAccounts/aipclptest,458b9821-8f00-483f-acf9-ff6ab17332c4,eastus,BugBashTest,,uk-roll.docx,https://aipclptest.blob.core.windows.net/joselw-test/uk-roll.docx,File,"8/16/2021, 8:56:13.000 PM","8/16/2021, 8:56:13.000 PM",,"11/1/2021, 4:09:57.093 PM",docx,18989,Labeling,Default,[],0,9fbde396-1a24-4c79-8edf-9254a0f35055,Confidential\Microsoft Extended,,,PurviewDataSensitivityLogs,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourcegroups/purview-sentinel-bug-bash/providers/microsoft.purview/accounts/sentinel-bug-bash-westeurope -d80e74e9-da11-4572-babc-79349f7685cc,"11/1/2021, 4:13:54.450 PM",00000000-0000-0000-0000-000000000000,DataSensitivityLogEvent,72f988bf-86f1-41af-91ab-2d7cd011db47,458b9821-8f00-483f-acf9-ff6ab17332c4,Sentinel-Bug-Bash-WestEurope,westeurope,AzureBlob-6Pi,AzureBlob,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourceGroups/classification-test/providers/Microsoft.Storage/storageAccounts/aipclptest,458b9821-8f00-483f-acf9-ff6ab17332c4,eastus,BugBashTest,,dk-id.docx,https://aipclptest.blob.core.windows.net/joselw-test/dk-id.docx,File,"8/16/2021, 8:56:14.000 PM","8/16/2021, 8:56:14.000 PM",,"11/1/2021, 4:09:59.062 PM",docx,19576,Classification,System,"[""Denmark Personal Identification Number"",""EU National Identification Number"",""EU Social Security Number (SSN) or Equivalent ID"",""EU Tax Identification Number (TIN)""]",4,,,,,PurviewDataSensitivityLogs,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourcegroups/purview-sentinel-bug-bash/providers/microsoft.purview/accounts/sentinel-bug-bash-westeurope -d80e74e9-da11-4572-babc-79349f7685cc,"11/1/2021, 4:13:54.456 PM",00000000-0000-0000-0000-000000000000,DataSensitivityLogEvent,72f988bf-86f1-41af-91ab-2d7cd011db47,458b9821-8f00-483f-acf9-ff6ab17332c4,Sentinel-Bug-Bash-WestEurope,westeurope,AzureBlob-6Pi,AzureBlob,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourceGroups/classification-test/providers/Microsoft.Storage/storageAccounts/aipclptest,458b9821-8f00-483f-acf9-ff6ab17332c4,eastus,BugBashTest,,Acme Background Check-Katana.doc,https://aipclptest.blob.core.windows.net/satintestcontainer/test2/Acme Background Check-Katana.doc,File,"2/16/2021, 9:34:47.000 AM","2/16/2021, 9:34:47.000 AM",,"11/1/2021, 4:10:36.858 PM",doc,90624,Classification,System,"[""Credit Card Number"",""U.S. Social Security Number (SSN)""]",2,,,,,PurviewDataSensitivityLogs,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourcegroups/purview-sentinel-bug-bash/providers/microsoft.purview/accounts/sentinel-bug-bash-westeurope -d80e74e9-da11-4572-babc-79349f7685cc,"11/1/2021, 4:13:54.461 PM",00000000-0000-0000-0000-000000000000,DataSensitivityLogEvent,72f988bf-86f1-41af-91ab-2d7cd011db47,458b9821-8f00-483f-acf9-ff6ab17332c4,Sentinel-Bug-Bash-WestEurope,westeurope,AzureBlob-6Pi,AzureBlob,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourceGroups/classification-test/providers/Microsoft.Storage/storageAccounts/aipclptest,458b9821-8f00-483f-acf9-ff6ab17332c4,eastus,BugBashTest,,denmark.txt,https://aipclptest.blob.core.windows.net/joselw-test/denmark.txt,File,"8/16/2021, 8:56:14.000 PM","8/16/2021, 8:56:14.000 PM",,"11/1/2021, 4:09:57.405 PM",txt,128,Classification,System,"[""EU National Identification Number""]",1,,,,,PurviewDataSensitivityLogs,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourcegroups/purview-sentinel-bug-bash/providers/microsoft.purview/accounts/sentinel-bug-bash-westeurope -d80e74e9-da11-4572-babc-79349f7685cc,"11/1/2021, 4:13:54.467 PM",00000000-0000-0000-0000-000000000000,DataSensitivityLogEvent,72f988bf-86f1-41af-91ab-2d7cd011db47,458b9821-8f00-483f-acf9-ff6ab17332c4,Sentinel-Bug-Bash-WestEurope,westeurope,AzureBlob-6Pi,AzureBlob,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourceGroups/classification-test/providers/Microsoft.Storage/storageAccounts/aipclptest,458b9821-8f00-483f-acf9-ff6ab17332c4,eastus,BugBashTest,,fr-cni-pdf.pdf,https://aipclptest.blob.core.windows.net/joselw-test/fr-cni-pdf.pdf,File,"8/16/2021, 8:56:14.000 PM","8/16/2021, 8:56:14.000 PM",,"11/1/2021, 4:09:59.187 PM",pdf,327291,Classification,System,"[""EU National Identification Number"",""France National ID Card (CNI)""]",2,,,,,PurviewDataSensitivityLogs,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourcegroups/purview-sentinel-bug-bash/providers/microsoft.purview/accounts/sentinel-bug-bash-westeurope -d80e74e9-da11-4572-babc-79349f7685cc,"11/1/2021, 4:13:54.471 PM",00000000-0000-0000-0000-000000000000,DataSensitivityLogEvent,72f988bf-86f1-41af-91ab-2d7cd011db47,458b9821-8f00-483f-acf9-ff6ab17332c4,Sentinel-Bug-Bash-WestEurope,westeurope,AzureBlob-6Pi,AzureBlob,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourceGroups/classification-test/providers/Microsoft.Storage/storageAccounts/aipclptest,458b9821-8f00-483f-acf9-ff6ab17332c4,eastus,BugBashTest,,dk-id.docx,https://aipclptest.blob.core.windows.net/aashishr01/dk-id.docx,File,"12/11/2020, 8:59:35.000 PM","12/11/2020, 8:59:35.000 PM",,"11/1/2021, 4:10:10.510 PM",docx,26098,Classification,System,"[""Denmark Personal Identification Number"",""EU National Identification Number"",""EU Social Security Number (SSN) or Equivalent ID"",""EU Tax Identification Number (TIN)""]",4,,,,,PurviewDataSensitivityLogs,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourcegroups/purview-sentinel-bug-bash/providers/microsoft.purview/accounts/sentinel-bug-bash-westeurope -d80e74e9-da11-4572-babc-79349f7685cc,"11/1/2021, 4:13:54.473 PM",00000000-0000-0000-0000-000000000000,DataSensitivityLogEvent,72f988bf-86f1-41af-91ab-2d7cd011db47,458b9821-8f00-483f-acf9-ff6ab17332c4,Sentinel-Bug-Bash-WestEurope,westeurope,AzureBlob-6Pi,AzureBlob,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourceGroups/classification-test/providers/Microsoft.Storage/storageAccounts/aipclptest,458b9821-8f00-483f-acf9-ff6ab17332c4,eastus,BugBashTest,,germany.txt,https://aipclptest.blob.core.windows.net/aipscan-open/germany.txt,File,"12/10/2020, 5:58:29.000 PM","12/10/2020, 5:58:29.000 PM",,"11/1/2021, 4:09:59.937 PM",txt,42,Classification,System,"[""EU National Identification Number"",""EU Social Security Number (SSN) or Equivalent ID"",""Germany Identity Card Number""]",3,,,,,PurviewDataSensitivityLogs,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourcegroups/purview-sentinel-bug-bash/providers/microsoft.purview/accounts/sentinel-bug-bash-westeurope -d80e74e9-da11-4572-babc-79349f7685cc,"11/1/2021, 4:13:54.477 PM",00000000-0000-0000-0000-000000000000,DataSensitivityLogEvent,72f988bf-86f1-41af-91ab-2d7cd011db47,458b9821-8f00-483f-acf9-ff6ab17332c4,Sentinel-Bug-Bash-WestEurope,westeurope,AzureBlob-6Pi,AzureBlob,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourceGroups/classification-test/providers/Microsoft.Storage/storageAccounts/aipclptest,458b9821-8f00-483f-acf9-ff6ab17332c4,eastus,BugBashTest,,fr-drv.docx,https://aipclptest.blob.core.windows.net/aipscan/PII/fr-drv.docx,File,"2/13/2020, 7:54:22.000 PM","2/13/2020, 7:54:22.000 PM",,"11/1/2021, 4:10:27.058 PM",docx,18796,Classification,System,"[""Cyprus Driver's License Number"",""EU Driver's License Number"",""France Driver's License Number"",""Japan Driver's License Number""]",4,,,,,PurviewDataSensitivityLogs,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourcegroups/purview-sentinel-bug-bash/providers/microsoft.purview/accounts/sentinel-bug-bash-westeurope -d80e74e9-da11-4572-babc-79349f7685cc,"11/1/2021, 4:13:54.477 PM",00000000-0000-0000-0000-000000000000,DataSensitivityLogEvent,72f988bf-86f1-41af-91ab-2d7cd011db47,458b9821-8f00-483f-acf9-ff6ab17332c4,Sentinel-Bug-Bash-WestEurope,westeurope,AzureBlob-6Pi,AzureBlob,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourceGroups/classification-test/providers/Microsoft.Storage/storageAccounts/aipclptest,458b9821-8f00-483f-acf9-ff6ab17332c4,eastus,BugBashTest,,fr-drv.docx,https://aipclptest.blob.core.windows.net/aipscan/PII/fr-drv.docx,File,"2/13/2020, 7:54:22.000 PM","2/13/2020, 7:54:22.000 PM",,"11/1/2021, 4:10:27.058 PM",docx,18796,Labeling,External,[],0,f42aa342-8706-4288-bd11-ebb85995028c,General,,,PurviewDataSensitivityLogs,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourcegroups/purview-sentinel-bug-bash/providers/microsoft.purview/accounts/sentinel-bug-bash-westeurope -d80e74e9-da11-4572-babc-79349f7685cc,"11/1/2021, 4:13:54.477 PM",00000000-0000-0000-0000-000000000000,DataSensitivityLogEvent,72f988bf-86f1-41af-91ab-2d7cd011db47,458b9821-8f00-483f-acf9-ff6ab17332c4,Sentinel-Bug-Bash-WestEurope,westeurope,AzureBlob-6Pi,AzureBlob,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourceGroups/classification-test/providers/Microsoft.Storage/storageAccounts/aipclptest,458b9821-8f00-483f-acf9-ff6ab17332c4,eastus,BugBashTest,,de-id.docx,https://aipclptest.blob.core.windows.net/test2/de-id.docx,File,"5/13/2021, 6:37:48.000 PM","5/13/2021, 6:37:48.000 PM",,"11/1/2021, 4:10:07.088 PM",docx,25558,Classification,System,"[""EU National Identification Number"",""Germany Identity Card Number""]",2,,,,,PurviewDataSensitivityLogs,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourcegroups/purview-sentinel-bug-bash/providers/microsoft.purview/accounts/sentinel-bug-bash-westeurope -d80e74e9-da11-4572-babc-79349f7685cc,"11/1/2021, 4:13:54.479 PM",00000000-0000-0000-0000-000000000000,DataSensitivityLogEvent,72f988bf-86f1-41af-91ab-2d7cd011db47,458b9821-8f00-483f-acf9-ff6ab17332c4,Sentinel-Bug-Bash-WestEurope,westeurope,AzureBlob-6Pi,AzureBlob,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourceGroups/classification-test/providers/Microsoft.Storage/storageAccounts/aipclptest,458b9821-8f00-483f-acf9-ff6ab17332c4,eastus,BugBashTest,,EL.txt,https://aipclptest.blob.core.windows.net/test2/EL.txt,File,"5/13/2021, 6:37:48.000 PM","5/13/2021, 6:37:48.000 PM",,"11/1/2021, 4:10:06.446 PM",txt,200,Classification,System,"[""EU National Identification Number"",""Greece National ID Card""]",2,,,,,PurviewDataSensitivityLogs,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourcegroups/purview-sentinel-bug-bash/providers/microsoft.purview/accounts/sentinel-bug-bash-westeurope -d80e74e9-da11-4572-babc-79349f7685cc,"11/1/2021, 4:13:54.485 PM",00000000-0000-0000-0000-000000000000,DataSensitivityLogEvent,72f988bf-86f1-41af-91ab-2d7cd011db47,458b9821-8f00-483f-acf9-ff6ab17332c4,Sentinel-Bug-Bash-WestEurope,westeurope,AzureBlob-6Pi,AzureBlob,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourceGroups/classification-test/providers/Microsoft.Storage/storageAccounts/aipclptest,458b9821-8f00-483f-acf9-ff6ab17332c4,eastus,BugBashTest,,germany.txt,https://aipclptest.blob.core.windows.net/joselw-test/germany.txt,File,"8/16/2021, 8:56:13.000 PM","8/16/2021, 8:56:13.000 PM",,"11/1/2021, 4:09:58.874 PM",txt,42,Classification,System,"[""EU National Identification Number"",""EU Social Security Number (SSN) or Equivalent ID"",""Germany Identity Card Number""]",3,,,,,PurviewDataSensitivityLogs,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourcegroups/purview-sentinel-bug-bash/providers/microsoft.purview/accounts/sentinel-bug-bash-westeurope -d80e74e9-da11-4572-babc-79349f7685cc,"11/1/2021, 4:13:54.491 PM",00000000-0000-0000-0000-000000000000,DataSensitivityLogEvent,72f988bf-86f1-41af-91ab-2d7cd011db47,458b9821-8f00-483f-acf9-ff6ab17332c4,Sentinel-Bug-Bash-WestEurope,westeurope,AzureBlob-6Pi,AzureBlob,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourceGroups/classification-test/providers/Microsoft.Storage/storageAccounts/aipclptest,458b9821-8f00-483f-acf9-ff6ab17332c4,eastus,BugBashTest,,Acme Background Check-Katana.doc,https://aipclptest.blob.core.windows.net/aipscan/Acme Background Check-Katana.doc,File,"7/20/2020, 11:17:52.000 PM","8/12/2020, 10:48:18.000 PM",,"11/1/2021, 4:10:07.947 PM",doc,90624,Classification,System,"[""Credit Card Number"",""U.S. Social Security Number (SSN)""]",2,,,,,PurviewDataSensitivityLogs,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourcegroups/purview-sentinel-bug-bash/providers/microsoft.purview/accounts/sentinel-bug-bash-westeurope -d80e74e9-da11-4572-babc-79349f7685cc,"11/1/2021, 4:13:54.497 PM",00000000-0000-0000-0000-000000000000,DataSensitivityLogEvent,72f988bf-86f1-41af-91ab-2d7cd011db47,458b9821-8f00-483f-acf9-ff6ab17332c4,Sentinel-Bug-Bash-WestEurope,westeurope,AzureBlob-6Pi,AzureBlob,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourceGroups/classification-test/providers/Microsoft.Storage/storageAccounts/aipclptest,458b9821-8f00-483f-acf9-ff6ab17332c4,eastus,BugBashTest,,Acme Background Check-Katana.doc,https://aipclptest.blob.core.windows.net/satintestcontainer/test4/Acme Background Check-Katana.doc,File,"2/16/2021, 9:35:05.000 AM","2/16/2021, 9:35:05.000 AM",,"11/1/2021, 4:10:36.889 PM",doc,90624,Classification,System,"[""Credit Card Number"",""U.S. Social Security Number (SSN)""]",2,,,,,PurviewDataSensitivityLogs,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourcegroups/purview-sentinel-bug-bash/providers/microsoft.purview/accounts/sentinel-bug-bash-westeurope -d80e74e9-da11-4572-babc-79349f7685cc,"11/1/2021, 4:13:54.504 PM",00000000-0000-0000-0000-000000000000,DataSensitivityLogEvent,72f988bf-86f1-41af-91ab-2d7cd011db47,458b9821-8f00-483f-acf9-ff6ab17332c4,Sentinel-Bug-Bash-WestEurope,westeurope,AzureBlob-6Pi,AzureBlob,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourceGroups/classification-test/providers/Microsoft.Storage/storageAccounts/aipclptest,458b9821-8f00-483f-acf9-ff6ab17332c4,eastus,BugBashTest,,es-ssn.docx,https://aipclptest.blob.core.windows.net/aashishr01/es-ssn.docx,File,"12/11/2020, 8:59:35.000 PM","12/11/2020, 8:59:35.000 PM",,"11/1/2021, 4:10:08.010 PM",docx,26070,Classification,System,"[""Spain Social Security Number (SSN)""]",1,,,,,PurviewDataSensitivityLogs,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourcegroups/purview-sentinel-bug-bash/providers/microsoft.purview/accounts/sentinel-bug-bash-westeurope -d80e74e9-da11-4572-babc-79349f7685cc,"11/1/2021, 4:13:54.512 PM",00000000-0000-0000-0000-000000000000,DataSensitivityLogEvent,72f988bf-86f1-41af-91ab-2d7cd011db47,458b9821-8f00-483f-acf9-ff6ab17332c4,Sentinel-Bug-Bash-WestEurope,westeurope,AzureBlob-6Pi,AzureBlob,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourceGroups/classification-test/providers/Microsoft.Storage/storageAccounts/aipclptest,458b9821-8f00-483f-acf9-ff6ab17332c4,eastus,BugBashTest,,Acme Background Check-Katana.doc,https://aipclptest.blob.core.windows.net/satintestcontainer/test3/Acme Background Check-Katana.doc,File,"2/16/2021, 9:34:57.000 AM","2/16/2021, 9:34:57.000 AM",,"11/1/2021, 4:10:36.874 PM",doc,90624,Classification,System,"[""Credit Card Number"",""U.S. Social Security Number (SSN)""]",2,,,,,PurviewDataSensitivityLogs,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourcegroups/purview-sentinel-bug-bash/providers/microsoft.purview/accounts/sentinel-bug-bash-westeurope -d80e74e9-da11-4572-babc-79349f7685cc,"11/1/2021, 4:13:54.519 PM",00000000-0000-0000-0000-000000000000,DataSensitivityLogEvent,72f988bf-86f1-41af-91ab-2d7cd011db47,458b9821-8f00-483f-acf9-ff6ab17332c4,Sentinel-Bug-Bash-WestEurope,westeurope,AzureBlob-6Pi,AzureBlob,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourceGroups/classification-test/providers/Microsoft.Storage/storageAccounts/aipclptest,458b9821-8f00-483f-acf9-ff6ab17332c4,eastus,BugBashTest,,uk-pn.docx,https://aipclptest.blob.core.windows.net/joselw-test/uk-pn.docx,File,"8/16/2021, 8:56:13.000 PM","8/16/2021, 8:56:13.000 PM",,"11/1/2021, 4:09:59.640 PM",docx,19860,Classification,System,"[""Bulgaria Passport Number"",""Croatia Passport Number"",""Denmark Passport Number"",""EU Passport Number"",""Ireland Passport Number"",""Italy Passport Number"",""Romania Passport Number"",""Russian Passport Number (International)"",""Taiwan Passport Number"",""U.S. / U.K. Passport Number"",""Ukraine Passport Number (Domestic)""]",11,,,,,PurviewDataSensitivityLogs,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourcegroups/purview-sentinel-bug-bash/providers/microsoft.purview/accounts/sentinel-bug-bash-westeurope -d80e74e9-da11-4572-babc-79349f7685cc,"11/1/2021, 4:13:54.520 PM",00000000-0000-0000-0000-000000000000,DataSensitivityLogEvent,72f988bf-86f1-41af-91ab-2d7cd011db47,458b9821-8f00-483f-acf9-ff6ab17332c4,Sentinel-Bug-Bash-WestEurope,westeurope,AzureBlob-6Pi,AzureBlob,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourceGroups/classification-test/providers/Microsoft.Storage/storageAccounts/aipclptest,458b9821-8f00-483f-acf9-ff6ab17332c4,eastus,BugBashTest,,fr-drv.docx,https://aipclptest.blob.core.windows.net/aashishr01/fr-drv.docx,File,"12/11/2020, 8:59:33.000 PM","12/11/2020, 8:59:33.000 PM",,"11/1/2021, 4:10:07.588 PM",docx,26094,Labeling,Default,[],0,9fbde396-1a24-4c79-8edf-9254a0f35055,Confidential\Microsoft Extended,,,PurviewDataSensitivityLogs,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourcegroups/purview-sentinel-bug-bash/providers/microsoft.purview/accounts/sentinel-bug-bash-westeurope -d80e74e9-da11-4572-babc-79349f7685cc,"11/1/2021, 4:13:54.569 PM",00000000-0000-0000-0000-000000000000,DataSensitivityLogEvent,72f988bf-86f1-41af-91ab-2d7cd011db47,458b9821-8f00-483f-acf9-ff6ab17332c4,Sentinel-Bug-Bash-WestEurope,westeurope,AzureBlob-6Pi,AzureBlob,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourceGroups/classification-test/providers/Microsoft.Storage/storageAccounts/aipclptest,458b9821-8f00-483f-acf9-ff6ab17332c4,eastus,BugBashTest,,Acme Background Check-Katana.doc,https://aipclptest.blob.core.windows.net/satintestcontainer/test1/Acme Background Check-Katana.doc,File,"2/16/2021, 9:12:17.000 AM","2/16/2021, 9:12:17.000 AM",,"11/1/2021, 4:10:36.889 PM",doc,90624,Labeling,Default,[],0,9fbde396-1a24-4c79-8edf-9254a0f35055,Confidential\Microsoft Extended,,,PurviewDataSensitivityLogs,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourcegroups/purview-sentinel-bug-bash/providers/microsoft.purview/accounts/sentinel-bug-bash-westeurope -d80e74e9-da11-4572-babc-79349f7685cc,"11/1/2021, 4:13:54.594 PM",00000000-0000-0000-0000-000000000000,DataSensitivityLogEvent,72f988bf-86f1-41af-91ab-2d7cd011db47,458b9821-8f00-483f-acf9-ff6ab17332c4,Sentinel-Bug-Bash-WestEurope,westeurope,AzureBlob-6Pi,AzureBlob,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourceGroups/classification-test/providers/Microsoft.Storage/storageAccounts/aipclptest,458b9821-8f00-483f-acf9-ff6ab17332c4,eastus,BugBashTest,,Acme Background Check-Katana.doc,https://aipclptest.blob.core.windows.net/joselw-test/Acme Background Check-Katana.doc,File,"8/16/2021, 8:56:15.000 PM","8/16/2021, 8:56:15.000 PM",,"11/1/2021, 4:09:59.562 PM",doc,90624,Labeling,Default,[],0,9fbde396-1a24-4c79-8edf-9254a0f35055,Confidential\Microsoft Extended,,,PurviewDataSensitivityLogs,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourcegroups/purview-sentinel-bug-bash/providers/microsoft.purview/accounts/sentinel-bug-bash-westeurope -d80e74e9-da11-4572-babc-79349f7685cc,"11/1/2021, 4:13:54.595 PM",00000000-0000-0000-0000-000000000000,DataSensitivityLogEvent,72f988bf-86f1-41af-91ab-2d7cd011db47,458b9821-8f00-483f-acf9-ff6ab17332c4,Sentinel-Bug-Bash-WestEurope,westeurope,AzureBlob-6Pi,AzureBlob,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourceGroups/classification-test/providers/Microsoft.Storage/storageAccounts/aipclptest,458b9821-8f00-483f-acf9-ff6ab17332c4,eastus,BugBashTest,,fr-cni-pdf.pdf,https://aipclptest.blob.core.windows.net/aashishr01/fr-cni-pdf.pdf,File,"12/11/2020, 8:59:35.000 PM","12/11/2020, 8:59:35.000 PM",,"11/1/2021, 4:10:08.760 PM",pdf,327291,Labeling,Default,[],0,9fbde396-1a24-4c79-8edf-9254a0f35055,Confidential\Microsoft Extended,,,PurviewDataSensitivityLogs,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourcegroups/purview-sentinel-bug-bash/providers/microsoft.purview/accounts/sentinel-bug-bash-westeurope -d80e74e9-da11-4572-babc-79349f7685cc,"11/1/2021, 4:13:54.603 PM",00000000-0000-0000-0000-000000000000,DataSensitivityLogEvent,72f988bf-86f1-41af-91ab-2d7cd011db47,458b9821-8f00-483f-acf9-ff6ab17332c4,Sentinel-Bug-Bash-WestEurope,westeurope,AzureBlob-6Pi,AzureBlob,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourceGroups/classification-test/providers/Microsoft.Storage/storageAccounts/aipclptest,458b9821-8f00-483f-acf9-ff6ab17332c4,eastus,BugBashTest,,el-id.docx,https://aipclptest.blob.core.windows.net/joselw-test/el-id.docx,File,"8/16/2021, 8:56:14.000 PM","8/16/2021, 8:56:14.000 PM",,"11/1/2021, 4:10:11.385 PM",docx,19644,Classification,System,"[""EU National Identification Number"",""Greece National ID Card""]",2,,,,,PurviewDataSensitivityLogs,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourcegroups/purview-sentinel-bug-bash/providers/microsoft.purview/accounts/sentinel-bug-bash-westeurope -d80e74e9-da11-4572-babc-79349f7685cc,"11/1/2021, 4:13:54.609 PM",00000000-0000-0000-0000-000000000000,DataSensitivityLogEvent,72f988bf-86f1-41af-91ab-2d7cd011db47,458b9821-8f00-483f-acf9-ff6ab17332c4,Sentinel-Bug-Bash-WestEurope,westeurope,AzureBlob-6Pi,AzureBlob,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourceGroups/classification-test/providers/Microsoft.Storage/storageAccounts/aipclptest,458b9821-8f00-483f-acf9-ff6ab17332c4,eastus,BugBashTest,,sw-id.docx,https://aipclptest.blob.core.windows.net/joselw-test/sw-id.docx,File,"8/16/2021, 8:56:13.000 PM","8/16/2021, 8:56:13.000 PM",,"11/1/2021, 4:10:11.166 PM",docx,19549,Classification,System,"[""EU Social Security Number (SSN) or Equivalent ID"",""EU Tax Identification Number (TIN)""]",2,,,,,PurviewDataSensitivityLogs,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourcegroups/purview-sentinel-bug-bash/providers/microsoft.purview/accounts/sentinel-bug-bash-westeurope -d80e74e9-da11-4572-babc-79349f7685cc,"11/1/2021, 4:13:54.614 PM",00000000-0000-0000-0000-000000000000,DataSensitivityLogEvent,72f988bf-86f1-41af-91ab-2d7cd011db47,458b9821-8f00-483f-acf9-ff6ab17332c4,Sentinel-Bug-Bash-WestEurope,westeurope,AzureBlob-6Pi,AzureBlob,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourceGroups/classification-test/providers/Microsoft.Storage/storageAccounts/aipclptest,458b9821-8f00-483f-acf9-ff6ab17332c4,eastus,BugBashTest,,uk-roll.docx,https://aipclptest.blob.core.windows.net/aipscan-open/uk-roll.docx,File,"12/10/2020, 5:58:29.000 PM","12/10/2020, 5:58:29.000 PM",,"11/1/2021, 4:09:59.780 PM",docx,25511,Classification,System,"[""U.K. Electoral Roll Number""]",1,,,,,PurviewDataSensitivityLogs,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourcegroups/purview-sentinel-bug-bash/providers/microsoft.purview/accounts/sentinel-bug-bash-westeurope -d80e74e9-da11-4572-babc-79349f7685cc,"11/1/2021, 4:13:54.619 PM",00000000-0000-0000-0000-000000000000,DataSensitivityLogEvent,72f988bf-86f1-41af-91ab-2d7cd011db47,458b9821-8f00-483f-acf9-ff6ab17332c4,Sentinel-Bug-Bash-WestEurope,westeurope,AzureBlob-6Pi,AzureBlob,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourceGroups/classification-test/providers/Microsoft.Storage/storageAccounts/aipclptest,458b9821-8f00-483f-acf9-ff6ab17332c4,eastus,BugBashTest,,finland.txt,https://aipclptest.blob.core.windows.net/test2/finland.txt,File,"5/13/2021, 6:37:48.000 PM","5/13/2021, 6:37:48.000 PM",,"11/1/2021, 4:10:05.540 PM",txt,89,Classification,System,"[""EU National Identification Number"",""EU Social Security Number (SSN) or Equivalent ID"",""EU Tax Identification Number (TIN)"",""Finland National ID""]",4,,,,,PurviewDataSensitivityLogs,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourcegroups/purview-sentinel-bug-bash/providers/microsoft.purview/accounts/sentinel-bug-bash-westeurope -d80e74e9-da11-4572-babc-79349f7685cc,"11/1/2021, 4:13:54.624 PM",00000000-0000-0000-0000-000000000000,DataSensitivityLogEvent,72f988bf-86f1-41af-91ab-2d7cd011db47,458b9821-8f00-483f-acf9-ff6ab17332c4,Sentinel-Bug-Bash-WestEurope,westeurope,AzureBlob-6Pi,AzureBlob,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourceGroups/classification-test/providers/Microsoft.Storage/storageAccounts/aipclptest,458b9821-8f00-483f-acf9-ff6ab17332c4,eastus,BugBashTest,,el-id.docx,https://aipclptest.blob.core.windows.net/aashishr01/el-id.docx,File,"12/11/2020, 8:59:35.000 PM","12/11/2020, 8:59:35.000 PM",,"11/1/2021, 4:10:11.057 PM",docx,26163,Classification,System,"[""EU National Identification Number"",""Greece National ID Card""]",2,,,,,PurviewDataSensitivityLogs,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourcegroups/purview-sentinel-bug-bash/providers/microsoft.purview/accounts/sentinel-bug-bash-westeurope -d80e74e9-da11-4572-babc-79349f7685cc,"11/1/2021, 4:13:54.624 PM",00000000-0000-0000-0000-000000000000,DataSensitivityLogEvent,72f988bf-86f1-41af-91ab-2d7cd011db47,458b9821-8f00-483f-acf9-ff6ab17332c4,Sentinel-Bug-Bash-WestEurope,westeurope,AzureBlob-6Pi,AzureBlob,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourceGroups/classification-test/providers/Microsoft.Storage/storageAccounts/aipclptest,458b9821-8f00-483f-acf9-ff6ab17332c4,eastus,BugBashTest,,cr-oib.docx,https://aipclptest.blob.core.windows.net/aashishr01/cr-oib.docx,File,"12/11/2020, 8:59:35.000 PM","12/11/2020, 8:59:35.000 PM",,"11/1/2021, 4:10:10.072 PM",docx,26098,Labeling,Default,[],0,9fbde396-1a24-4c79-8edf-9254a0f35055,Confidential\Microsoft Extended,,,PurviewDataSensitivityLogs,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourcegroups/purview-sentinel-bug-bash/providers/microsoft.purview/accounts/sentinel-bug-bash-westeurope -d80e74e9-da11-4572-babc-79349f7685cc,"11/1/2021, 4:13:54.629 PM",00000000-0000-0000-0000-000000000000,DataSensitivityLogEvent,72f988bf-86f1-41af-91ab-2d7cd011db47,458b9821-8f00-483f-acf9-ff6ab17332c4,Sentinel-Bug-Bash-WestEurope,westeurope,AzureBlob-6Pi,AzureBlob,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourceGroups/classification-test/providers/Microsoft.Storage/storageAccounts/aipclptest,458b9821-8f00-483f-acf9-ff6ab17332c4,eastus,BugBashTest,,ir-pps.docx,https://aipclptest.blob.core.windows.net/aashishr01/ir-pps.docx,File,"12/11/2020, 8:59:33.000 PM","12/11/2020, 8:59:33.000 PM",,"11/1/2021, 4:10:10.947 PM",docx,25964,Classification,System,"[""EU National Identification Number"",""EU Tax Identification Number (TIN)"",""Ireland Personal Public Service (PPS) Number""]",3,,,,,PurviewDataSensitivityLogs,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourcegroups/purview-sentinel-bug-bash/providers/microsoft.purview/accounts/sentinel-bug-bash-westeurope -d80e74e9-da11-4572-babc-79349f7685cc,"11/1/2021, 4:13:54.634 PM",00000000-0000-0000-0000-000000000000,DataSensitivityLogEvent,72f988bf-86f1-41af-91ab-2d7cd011db47,458b9821-8f00-483f-acf9-ff6ab17332c4,Sentinel-Bug-Bash-WestEurope,westeurope,AzureBlob-6Pi,AzureBlob,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourceGroups/classification-test/providers/Microsoft.Storage/storageAccounts/aipclptest,458b9821-8f00-483f-acf9-ff6ab17332c4,eastus,BugBashTest,,uk-pn.docx,https://aipclptest.blob.core.windows.net/aipscan-open/uk-pn.docx,File,"12/10/2020, 5:58:29.000 PM","12/10/2020, 5:58:29.000 PM",,"11/1/2021, 4:10:00.077 PM",docx,26383,Labeling,Default,[],0,9fbde396-1a24-4c79-8edf-9254a0f35055,Confidential\Microsoft Extended,,,PurviewDataSensitivityLogs,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourcegroups/purview-sentinel-bug-bash/providers/microsoft.purview/accounts/sentinel-bug-bash-westeurope -d80e74e9-da11-4572-babc-79349f7685cc,"11/1/2021, 4:13:54.635 PM",00000000-0000-0000-0000-000000000000,DataSensitivityLogEvent,72f988bf-86f1-41af-91ab-2d7cd011db47,458b9821-8f00-483f-acf9-ff6ab17332c4,Sentinel-Bug-Bash-WestEurope,westeurope,AzureBlob-6Pi,AzureBlob,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourceGroups/classification-test/providers/Microsoft.Storage/storageAccounts/aipclptest,458b9821-8f00-483f-acf9-ff6ab17332c4,eastus,BugBashTest,,pr-id.docx,https://aipclptest.blob.core.windows.net/aashishr01/pr-id.docx,File,"12/11/2020, 8:59:33.000 PM","12/11/2020, 8:59:33.000 PM",,"11/1/2021, 4:10:10.963 PM",docx,26111,Classification,System,"[""EU National Identification Number""]",1,,,,,PurviewDataSensitivityLogs,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourcegroups/purview-sentinel-bug-bash/providers/microsoft.purview/accounts/sentinel-bug-bash-westeurope -d80e74e9-da11-4572-babc-79349f7685cc,"11/1/2021, 4:13:54.642 PM",00000000-0000-0000-0000-000000000000,DataSensitivityLogEvent,72f988bf-86f1-41af-91ab-2d7cd011db47,458b9821-8f00-483f-acf9-ff6ab17332c4,Sentinel-Bug-Bash-WestEurope,westeurope,AzureBlob-6Pi,AzureBlob,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourceGroups/classification-test/providers/Microsoft.Storage/storageAccounts/aipclptest,458b9821-8f00-483f-acf9-ff6ab17332c4,eastus,BugBashTest,,sw-id.docx,https://aipclptest.blob.core.windows.net/aashishr01/sw-id.docx,File,"12/11/2020, 8:59:35.000 PM","12/11/2020, 8:59:35.000 PM",,"11/1/2021, 4:10:11.041 PM",docx,26070,Classification,System,"[""EU Social Security Number (SSN) or Equivalent ID"",""EU Tax Identification Number (TIN)""]",2,,,,,PurviewDataSensitivityLogs,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourcegroups/purview-sentinel-bug-bash/providers/microsoft.purview/accounts/sentinel-bug-bash-westeurope -d80e74e9-da11-4572-babc-79349f7685cc,"11/1/2021, 4:13:54.649 PM",00000000-0000-0000-0000-000000000000,DataSensitivityLogEvent,72f988bf-86f1-41af-91ab-2d7cd011db47,458b9821-8f00-483f-acf9-ff6ab17332c4,Sentinel-Bug-Bash-WestEurope,westeurope,AzureBlob-6Pi,AzureBlob,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourceGroups/classification-test/providers/Microsoft.Storage/storageAccounts/aipclptest,458b9821-8f00-483f-acf9-ff6ab17332c4,eastus,BugBashTest,,fi-pn.docx,https://aipclptest.blob.core.windows.net/aashishr01/fi-pn.docx,File,"12/11/2020, 8:59:33.000 PM","12/11/2020, 8:59:33.000 PM",,"11/1/2021, 4:10:11.010 PM",docx,25516,Classification,System,"[""Japan Passport Number""]",1,,,,,PurviewDataSensitivityLogs,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourcegroups/purview-sentinel-bug-bash/providers/microsoft.purview/accounts/sentinel-bug-bash-westeurope -d80e74e9-da11-4572-babc-79349f7685cc,"11/1/2021, 4:13:54.656 PM",00000000-0000-0000-0000-000000000000,DataSensitivityLogEvent,72f988bf-86f1-41af-91ab-2d7cd011db47,458b9821-8f00-483f-acf9-ff6ab17332c4,Sentinel-Bug-Bash-WestEurope,westeurope,AzureBlob-6Pi,AzureBlob,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourceGroups/classification-test/providers/Microsoft.Storage/storageAccounts/aipclptest,458b9821-8f00-483f-acf9-ff6ab17332c4,eastus,BugBashTest,,it-drv.docx,https://aipclptest.blob.core.windows.net/joselw-test/it-drv.docx,File,"8/16/2021, 8:56:13.000 PM","8/16/2021, 8:56:13.000 PM",,"11/1/2021, 4:10:11.072 PM",docx,19572,Classification,System,"[""EU Driver's License Number"",""Italy Driver's License Number""]",2,,,,,PurviewDataSensitivityLogs,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourcegroups/purview-sentinel-bug-bash/providers/microsoft.purview/accounts/sentinel-bug-bash-westeurope -d80e74e9-da11-4572-babc-79349f7685cc,"11/1/2021, 4:13:54.824 PM",00000000-0000-0000-0000-000000000000,DataSensitivityLogEvent,72f988bf-86f1-41af-91ab-2d7cd011db47,458b9821-8f00-483f-acf9-ff6ab17332c4,Sentinel-Bug-Bash-WestEurope,westeurope,AzureBlob-6Pi,AzureBlob,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourceGroups/classification-test/providers/Microsoft.Storage/storageAccounts/aipclptest,458b9821-8f00-483f-acf9-ff6ab17332c4,eastus,BugBashTest,,es-ssn (1).docx,https://aipclptest.blob.core.windows.net/test2/es-ssn (1).docx,File,"5/13/2021, 6:37:48.000 PM","5/13/2021, 6:37:48.000 PM",,"11/1/2021, 4:10:05.540 PM",docx,26070,Labeling,Default,[],0,9fbde396-1a24-4c79-8edf-9254a0f35055,Confidential\Microsoft Extended,,,PurviewDataSensitivityLogs,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourcegroups/purview-sentinel-bug-bash/providers/microsoft.purview/accounts/sentinel-bug-bash-westeurope -d80e74e9-da11-4572-babc-79349f7685cc,"11/1/2021, 4:13:54.828 PM",00000000-0000-0000-0000-000000000000,DataSensitivityLogEvent,72f988bf-86f1-41af-91ab-2d7cd011db47,458b9821-8f00-483f-acf9-ff6ab17332c4,Sentinel-Bug-Bash-WestEurope,westeurope,AzureBlob-6Pi,AzureBlob,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourceGroups/classification-test/providers/Microsoft.Storage/storageAccounts/aipclptest,458b9821-8f00-483f-acf9-ff6ab17332c4,eastus,BugBashTest,,uk-nino.docx,https://aipclptest.blob.core.windows.net/aashishr01/uk-nino.docx,File,"12/11/2020, 8:59:35.000 PM","12/11/2020, 8:59:35.000 PM",,"11/1/2021, 4:10:08.979 PM",docx,26184,Labeling,Default,[],0,9fbde396-1a24-4c79-8edf-9254a0f35055,Confidential\Microsoft Extended,,,PurviewDataSensitivityLogs,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourcegroups/purview-sentinel-bug-bash/providers/microsoft.purview/accounts/sentinel-bug-bash-westeurope -d80e74e9-da11-4572-babc-79349f7685cc,"11/1/2021, 4:13:54.868 PM",00000000-0000-0000-0000-000000000000,DataSensitivityLogEvent,72f988bf-86f1-41af-91ab-2d7cd011db47,458b9821-8f00-483f-acf9-ff6ab17332c4,Sentinel-Bug-Bash-WestEurope,westeurope,AzureBlob-6Pi,AzureBlob,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourceGroups/classification-test/providers/Microsoft.Storage/storageAccounts/aipclptest,458b9821-8f00-483f-acf9-ff6ab17332c4,eastus,BugBashTest,,it-drv.docx,https://aipclptest.blob.core.windows.net/aashishr01/it-drv.docx,File,"12/11/2020, 8:59:33.000 PM","12/11/2020, 8:59:33.000 PM",,"11/1/2021, 4:10:10.072 PM",docx,26098,Labeling,Default,[],0,9fbde396-1a24-4c79-8edf-9254a0f35055,Confidential\Microsoft Extended,,,PurviewDataSensitivityLogs,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourcegroups/purview-sentinel-bug-bash/providers/microsoft.purview/accounts/sentinel-bug-bash-westeurope -d80e74e9-da11-4572-babc-79349f7685cc,"11/1/2021, 4:13:54.900 PM",00000000-0000-0000-0000-000000000000,DataSensitivityLogEvent,72f988bf-86f1-41af-91ab-2d7cd011db47,458b9821-8f00-483f-acf9-ff6ab17332c4,Sentinel-Bug-Bash-WestEurope,westeurope,AzureBlob-6Pi,AzureBlob,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourceGroups/classification-test/providers/Microsoft.Storage/storageAccounts/aipclptest,458b9821-8f00-483f-acf9-ff6ab17332c4,eastus,BugBashTest,,denmark.txt,https://aipclptest.blob.core.windows.net/test2/denmark.txt,File,"5/13/2021, 6:37:49.000 PM","5/13/2021, 6:37:49.000 PM",,"11/1/2021, 4:10:05.524 PM",txt,128,Labeling,Default,[],0,9fbde396-1a24-4c79-8edf-9254a0f35055,Confidential\Microsoft Extended,,,PurviewDataSensitivityLogs,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourcegroups/purview-sentinel-bug-bash/providers/microsoft.purview/accounts/sentinel-bug-bash-westeurope -d80e74e9-da11-4572-babc-79349f7685cc,"11/1/2021, 4:13:54.911 PM",00000000-0000-0000-0000-000000000000,DataSensitivityLogEvent,72f988bf-86f1-41af-91ab-2d7cd011db47,458b9821-8f00-483f-acf9-ff6ab17332c4,Sentinel-Bug-Bash-WestEurope,westeurope,AzureBlob-6Pi,AzureBlob,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourceGroups/classification-test/providers/Microsoft.Storage/storageAccounts/aipclptest,458b9821-8f00-483f-acf9-ff6ab17332c4,eastus,BugBashTest,,germany.txt,https://aipclptest.blob.core.windows.net/test2/germany.txt,File,"5/13/2021, 6:37:48.000 PM","5/13/2021, 6:37:48.000 PM",,"11/1/2021, 4:10:05.540 PM",txt,42,Labeling,Default,[],0,9fbde396-1a24-4c79-8edf-9254a0f35055,Confidential\Microsoft Extended,,,PurviewDataSensitivityLogs,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourcegroups/purview-sentinel-bug-bash/providers/microsoft.purview/accounts/sentinel-bug-bash-westeurope -d80e74e9-da11-4572-babc-79349f7685cc,"11/1/2021, 4:13:54.940 PM",00000000-0000-0000-0000-000000000000,DataSensitivityLogEvent,72f988bf-86f1-41af-91ab-2d7cd011db47,458b9821-8f00-483f-acf9-ff6ab17332c4,Sentinel-Bug-Bash-WestEurope,westeurope,AzureBlob-6Pi,AzureBlob,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourceGroups/classification-test/providers/Microsoft.Storage/storageAccounts/aipclptest,458b9821-8f00-483f-acf9-ff6ab17332c4,eastus,BugBashTest,,es-ssn.docx,https://aipclptest.blob.core.windows.net/test2/es-ssn.docx,File,"5/13/2021, 6:37:48.000 PM","5/13/2021, 6:37:48.000 PM",,"11/1/2021, 4:10:06.399 PM",docx,26070,Labeling,Default,[],0,9fbde396-1a24-4c79-8edf-9254a0f35055,Confidential\Microsoft Extended,,,PurviewDataSensitivityLogs,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourcegroups/purview-sentinel-bug-bash/providers/microsoft.purview/accounts/sentinel-bug-bash-westeurope -d80e74e9-da11-4572-babc-79349f7685cc,"11/1/2021, 4:13:54.964 PM",00000000-0000-0000-0000-000000000000,DataSensitivityLogEvent,72f988bf-86f1-41af-91ab-2d7cd011db47,458b9821-8f00-483f-acf9-ff6ab17332c4,Sentinel-Bug-Bash-WestEurope,westeurope,AzureBlob-6Pi,AzureBlob,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourceGroups/classification-test/providers/Microsoft.Storage/storageAccounts/aipclptest,458b9821-8f00-483f-acf9-ff6ab17332c4,eastus,BugBashTest,,IR.txt,https://aipclptest.blob.core.windows.net/aashishr01/IR.txt,File,"12/11/2020, 8:59:33.000 PM","12/11/2020, 8:59:33.000 PM",,"11/1/2021, 4:10:08.635 PM",txt,197,Labeling,Default,[],0,9fbde396-1a24-4c79-8edf-9254a0f35055,Confidential\Microsoft Extended,,,PurviewDataSensitivityLogs,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourcegroups/purview-sentinel-bug-bash/providers/microsoft.purview/accounts/sentinel-bug-bash-westeurope -d80e74e9-da11-4572-babc-79349f7685cc,"11/1/2021, 4:13:55.012 PM",00000000-0000-0000-0000-000000000000,DataSensitivityLogEvent,72f988bf-86f1-41af-91ab-2d7cd011db47,458b9821-8f00-483f-acf9-ff6ab17332c4,Sentinel-Bug-Bash-WestEurope,westeurope,AzureBlob-6Pi,AzureBlob,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourceGroups/classification-test/providers/Microsoft.Storage/storageAccounts/aipclptest,458b9821-8f00-483f-acf9-ff6ab17332c4,eastus,BugBashTest,,cz.txt,https://aipclptest.blob.core.windows.net/aashishr01/cz.txt,File,"12/11/2020, 8:59:35.000 PM","12/11/2020, 8:59:35.000 PM",,"11/1/2021, 4:10:09.697 PM",txt,124,Labeling,Default,[],0,9fbde396-1a24-4c79-8edf-9254a0f35055,Confidential\Microsoft Extended,,,PurviewDataSensitivityLogs,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourcegroups/purview-sentinel-bug-bash/providers/microsoft.purview/accounts/sentinel-bug-bash-westeurope -d80e74e9-da11-4572-babc-79349f7685cc,"11/1/2021, 4:13:55.098 PM",00000000-0000-0000-0000-000000000000,DataSensitivityLogEvent,72f988bf-86f1-41af-91ab-2d7cd011db47,458b9821-8f00-483f-acf9-ff6ab17332c4,Sentinel-Bug-Bash-WestEurope,westeurope,AzureBlob-6Pi,AzureBlob,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourceGroups/classification-test/providers/Microsoft.Storage/storageAccounts/aipclptest,458b9821-8f00-483f-acf9-ff6ab17332c4,eastus,BugBashTest,,de-id.docx,https://aipclptest.blob.core.windows.net/aashishr01/de-id.docx,File,"12/11/2020, 8:59:35.000 PM","12/11/2020, 8:59:35.000 PM",,"11/1/2021, 4:10:08.244 PM",docx,25558,Labeling,Default,[],0,9fbde396-1a24-4c79-8edf-9254a0f35055,Confidential\Microsoft Extended,,,PurviewDataSensitivityLogs,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourcegroups/purview-sentinel-bug-bash/providers/microsoft.purview/accounts/sentinel-bug-bash-westeurope -d80e74e9-da11-4572-babc-79349f7685cc,"11/1/2021, 4:13:55.136 PM",00000000-0000-0000-0000-000000000000,DataSensitivityLogEvent,72f988bf-86f1-41af-91ab-2d7cd011db47,458b9821-8f00-483f-acf9-ff6ab17332c4,Sentinel-Bug-Bash-WestEurope,westeurope,AzureBlob-6Pi,AzureBlob,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourceGroups/classification-test/providers/Microsoft.Storage/storageAccounts/aipclptest,458b9821-8f00-483f-acf9-ff6ab17332c4,eastus,BugBashTest,,germany.txt,https://aipclptest.blob.core.windows.net/aashishr01/germany.txt,File,"12/11/2020, 8:59:33.000 PM","12/11/2020, 8:59:33.000 PM",,"11/1/2021, 4:10:09.697 PM",txt,42,Labeling,Default,[],0,9fbde396-1a24-4c79-8edf-9254a0f35055,Confidential\Microsoft Extended,,,PurviewDataSensitivityLogs,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourcegroups/purview-sentinel-bug-bash/providers/microsoft.purview/accounts/sentinel-bug-bash-westeurope -d80e74e9-da11-4572-babc-79349f7685cc,"11/1/2021, 4:13:55.217 PM",00000000-0000-0000-0000-000000000000,DataSensitivityLogEvent,72f988bf-86f1-41af-91ab-2d7cd011db47,458b9821-8f00-483f-acf9-ff6ab17332c4,Sentinel-Bug-Bash-WestEurope,westeurope,AzureBlob-6Pi,AzureBlob,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourceGroups/classification-test/providers/Microsoft.Storage/storageAccounts/aipclptest,458b9821-8f00-483f-acf9-ff6ab17332c4,eastus,BugBashTest,,multiple.docx,https://aipclptest.blob.core.windows.net/aashishr01/multiple.docx,File,"12/11/2020, 8:59:33.000 PM","12/11/2020, 8:59:33.000 PM",,"11/1/2021, 4:10:08.229 PM",docx,24336,Labeling,Default,[],0,9fbde396-1a24-4c79-8edf-9254a0f35055,Confidential\Microsoft Extended,,,PurviewDataSensitivityLogs,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourcegroups/purview-sentinel-bug-bash/providers/microsoft.purview/accounts/sentinel-bug-bash-westeurope -d80e74e9-da11-4572-babc-79349f7685cc,"11/1/2021, 4:13:55.242 PM",00000000-0000-0000-0000-000000000000,DataSensitivityLogEvent,72f988bf-86f1-41af-91ab-2d7cd011db47,458b9821-8f00-483f-acf9-ff6ab17332c4,Sentinel-Bug-Bash-WestEurope,westeurope,AzureBlob-6Pi,AzureBlob,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourceGroups/classification-test/providers/Microsoft.Storage/storageAccounts/aipclptest,458b9821-8f00-483f-acf9-ff6ab17332c4,eastus,BugBashTest,,EL.txt,https://aipclptest.blob.core.windows.net/joselw-test/EL.txt,File,"8/16/2021, 8:56:14.000 PM","8/16/2021, 8:56:14.000 PM",,"11/1/2021, 4:09:58.015 PM",txt,200,Labeling,Default,[],0,9fbde396-1a24-4c79-8edf-9254a0f35055,Confidential\Microsoft Extended,,,PurviewDataSensitivityLogs,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourcegroups/purview-sentinel-bug-bash/providers/microsoft.purview/accounts/sentinel-bug-bash-westeurope -d80e74e9-da11-4572-babc-79349f7685cc,"11/1/2021, 4:13:55.276 PM",00000000-0000-0000-0000-000000000000,DataSensitivityLogEvent,72f988bf-86f1-41af-91ab-2d7cd011db47,458b9821-8f00-483f-acf9-ff6ab17332c4,Sentinel-Bug-Bash-WestEurope,westeurope,AzureBlob-6Pi,AzureBlob,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourceGroups/classification-test/providers/Microsoft.Storage/storageAccounts/aipclptest,458b9821-8f00-483f-acf9-ff6ab17332c4,eastus,BugBashTest,,germany.txt,https://aipclptest.blob.core.windows.net/aipscan-open/germany.txt,File,"12/10/2020, 5:58:29.000 PM","12/10/2020, 5:58:29.000 PM",,"11/1/2021, 4:09:59.937 PM",txt,42,Labeling,Default,[],0,9fbde396-1a24-4c79-8edf-9254a0f35055,Confidential\Microsoft Extended,,,PurviewDataSensitivityLogs,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourcegroups/purview-sentinel-bug-bash/providers/microsoft.purview/accounts/sentinel-bug-bash-westeurope -d80e74e9-da11-4572-babc-79349f7685cc,"11/1/2021, 4:13:55.290 PM",00000000-0000-0000-0000-000000000000,DataSensitivityLogEvent,72f988bf-86f1-41af-91ab-2d7cd011db47,458b9821-8f00-483f-acf9-ff6ab17332c4,Sentinel-Bug-Bash-WestEurope,westeurope,AzureBlob-6Pi,AzureBlob,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourceGroups/classification-test/providers/Microsoft.Storage/storageAccounts/aipclptest,458b9821-8f00-483f-acf9-ff6ab17332c4,eastus,BugBashTest,,dk-id.docx,https://aipclptest.blob.core.windows.net/joselw-test/dk-id.docx,File,"8/16/2021, 8:56:14.000 PM","8/16/2021, 8:56:14.000 PM",,"11/1/2021, 4:09:59.062 PM",docx,19576,Labeling,Default,[],0,9fbde396-1a24-4c79-8edf-9254a0f35055,Confidential\Microsoft Extended,,,PurviewDataSensitivityLogs,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourcegroups/purview-sentinel-bug-bash/providers/microsoft.purview/accounts/sentinel-bug-bash-westeurope -d80e74e9-da11-4572-babc-79349f7685cc,"11/1/2021, 4:13:55.367 PM",00000000-0000-0000-0000-000000000000,DataSensitivityLogEvent,72f988bf-86f1-41af-91ab-2d7cd011db47,458b9821-8f00-483f-acf9-ff6ab17332c4,Sentinel-Bug-Bash-WestEurope,westeurope,AzureBlob-6Pi,AzureBlob,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourceGroups/classification-test/providers/Microsoft.Storage/storageAccounts/aipclptest,458b9821-8f00-483f-acf9-ff6ab17332c4,eastus,BugBashTest,,sw-id.docx,https://aipclptest.blob.core.windows.net/joselw-test/sw-id.docx,File,"8/16/2021, 8:56:13.000 PM","8/16/2021, 8:56:13.000 PM",,"11/1/2021, 4:10:11.166 PM",docx,19549,Labeling,Default,[],0,9fbde396-1a24-4c79-8edf-9254a0f35055,Confidential\Microsoft Extended,,,PurviewDataSensitivityLogs,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourcegroups/purview-sentinel-bug-bash/providers/microsoft.purview/accounts/sentinel-bug-bash-westeurope -d80e74e9-da11-4572-babc-79349f7685cc,"11/1/2021, 4:13:55.506 PM",00000000-0000-0000-0000-000000000000,DataSensitivityLogEvent,72f988bf-86f1-41af-91ab-2d7cd011db47,458b9821-8f00-483f-acf9-ff6ab17332c4,Sentinel-Bug-Bash-WestEurope,westeurope,AzureBlob-6Pi,AzureBlob,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourceGroups/classification-test/providers/Microsoft.Storage/storageAccounts/aipclptest,458b9821-8f00-483f-acf9-ff6ab17332c4,eastus,BugBashTest,,Acme Background Check-Katana.doc,https://aipclptest.blob.core.windows.net/satintestcontainer/test2/Acme Background Check-Katana.doc,File,"2/16/2021, 9:34:47.000 AM","2/16/2021, 9:34:47.000 AM",,"11/1/2021, 4:10:36.858 PM",doc,90624,Labeling,Default,[],0,9fbde396-1a24-4c79-8edf-9254a0f35055,Confidential\Microsoft Extended,,,PurviewDataSensitivityLogs,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourcegroups/purview-sentinel-bug-bash/providers/microsoft.purview/accounts/sentinel-bug-bash-westeurope -d80e74e9-da11-4572-babc-79349f7685cc,"11/1/2021, 4:13:55.519 PM",00000000-0000-0000-0000-000000000000,DataSensitivityLogEvent,72f988bf-86f1-41af-91ab-2d7cd011db47,458b9821-8f00-483f-acf9-ff6ab17332c4,Sentinel-Bug-Bash-WestEurope,westeurope,AzureBlob-6Pi,AzureBlob,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourceGroups/classification-test/providers/Microsoft.Storage/storageAccounts/aipclptest,458b9821-8f00-483f-acf9-ff6ab17332c4,eastus,BugBashTest,,Acme Background Check-Katana.doc,https://aipclptest.blob.core.windows.net/aipscan/Acme Background Check-Katana.doc,File,"7/20/2020, 11:17:52.000 PM","8/12/2020, 10:48:18.000 PM",,"11/1/2021, 4:10:07.947 PM",doc,90624,Labeling,Default,[],0,9fbde396-1a24-4c79-8edf-9254a0f35055,Confidential\Microsoft Extended,,,PurviewDataSensitivityLogs,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourcegroups/purview-sentinel-bug-bash/providers/microsoft.purview/accounts/sentinel-bug-bash-westeurope -d80e74e9-da11-4572-babc-79349f7685cc,"11/1/2021, 4:13:55.537 PM",00000000-0000-0000-0000-000000000000,DataSensitivityLogEvent,72f988bf-86f1-41af-91ab-2d7cd011db47,458b9821-8f00-483f-acf9-ff6ab17332c4,Sentinel-Bug-Bash-WestEurope,westeurope,AzureBlob-6Pi,AzureBlob,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourceGroups/classification-test/providers/Microsoft.Storage/storageAccounts/aipclptest,458b9821-8f00-483f-acf9-ff6ab17332c4,eastus,BugBashTest,,fr-cni-pdf.pdf,https://aipclptest.blob.core.windows.net/joselw-test/fr-cni-pdf.pdf,File,"8/16/2021, 8:56:14.000 PM","8/16/2021, 8:56:14.000 PM",,"11/1/2021, 4:09:59.187 PM",pdf,327291,Labeling,Default,[],0,9fbde396-1a24-4c79-8edf-9254a0f35055,Confidential\Microsoft Extended,,,PurviewDataSensitivityLogs,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourcegroups/purview-sentinel-bug-bash/providers/microsoft.purview/accounts/sentinel-bug-bash-westeurope -d80e74e9-da11-4572-babc-79349f7685cc,"11/1/2021, 4:13:55.576 PM",00000000-0000-0000-0000-000000000000,DataSensitivityLogEvent,72f988bf-86f1-41af-91ab-2d7cd011db47,458b9821-8f00-483f-acf9-ff6ab17332c4,Sentinel-Bug-Bash-WestEurope,westeurope,AzureBlob-6Pi,AzureBlob,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourceGroups/classification-test/providers/Microsoft.Storage/storageAccounts/aipclptest,458b9821-8f00-483f-acf9-ff6ab17332c4,eastus,BugBashTest,,EL.txt,https://aipclptest.blob.core.windows.net/test2/EL.txt,File,"5/13/2021, 6:37:48.000 PM","5/13/2021, 6:37:48.000 PM",,"11/1/2021, 4:10:06.446 PM",txt,200,Labeling,Default,[],0,9fbde396-1a24-4c79-8edf-9254a0f35055,Confidential\Microsoft Extended,,,PurviewDataSensitivityLogs,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourcegroups/purview-sentinel-bug-bash/providers/microsoft.purview/accounts/sentinel-bug-bash-westeurope -d80e74e9-da11-4572-babc-79349f7685cc,"11/1/2021, 4:13:55.588 PM",00000000-0000-0000-0000-000000000000,DataSensitivityLogEvent,72f988bf-86f1-41af-91ab-2d7cd011db47,458b9821-8f00-483f-acf9-ff6ab17332c4,Sentinel-Bug-Bash-WestEurope,westeurope,AzureBlob-6Pi,AzureBlob,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourceGroups/classification-test/providers/Microsoft.Storage/storageAccounts/aipclptest,458b9821-8f00-483f-acf9-ff6ab17332c4,eastus,BugBashTest,,dk-id.docx,https://aipclptest.blob.core.windows.net/aashishr01/dk-id.docx,File,"12/11/2020, 8:59:35.000 PM","12/11/2020, 8:59:35.000 PM",,"11/1/2021, 4:10:10.510 PM",docx,26098,Labeling,Default,[],0,9fbde396-1a24-4c79-8edf-9254a0f35055,Confidential\Microsoft Extended,,,PurviewDataSensitivityLogs,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourcegroups/purview-sentinel-bug-bash/providers/microsoft.purview/accounts/sentinel-bug-bash-westeurope -d80e74e9-da11-4572-babc-79349f7685cc,"11/1/2021, 4:13:55.607 PM",00000000-0000-0000-0000-000000000000,DataSensitivityLogEvent,72f988bf-86f1-41af-91ab-2d7cd011db47,458b9821-8f00-483f-acf9-ff6ab17332c4,Sentinel-Bug-Bash-WestEurope,westeurope,AzureBlob-6Pi,AzureBlob,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourceGroups/classification-test/providers/Microsoft.Storage/storageAccounts/aipclptest,458b9821-8f00-483f-acf9-ff6ab17332c4,eastus,BugBashTest,,el-id.docx,https://aipclptest.blob.core.windows.net/joselw-test/el-id.docx,File,"8/16/2021, 8:56:14.000 PM","8/16/2021, 8:56:14.000 PM",,"11/1/2021, 4:10:11.385 PM",docx,19644,Labeling,Default,[],0,9fbde396-1a24-4c79-8edf-9254a0f35055,Confidential\Microsoft Extended,,,PurviewDataSensitivityLogs,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourcegroups/purview-sentinel-bug-bash/providers/microsoft.purview/accounts/sentinel-bug-bash-westeurope -d80e74e9-da11-4572-babc-79349f7685cc,"11/1/2021, 4:13:55.624 PM",00000000-0000-0000-0000-000000000000,DataSensitivityLogEvent,72f988bf-86f1-41af-91ab-2d7cd011db47,458b9821-8f00-483f-acf9-ff6ab17332c4,Sentinel-Bug-Bash-WestEurope,westeurope,AzureBlob-6Pi,AzureBlob,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourceGroups/classification-test/providers/Microsoft.Storage/storageAccounts/aipclptest,458b9821-8f00-483f-acf9-ff6ab17332c4,eastus,BugBashTest,,germany.txt,https://aipclptest.blob.core.windows.net/joselw-test/germany.txt,File,"8/16/2021, 8:56:13.000 PM","8/16/2021, 8:56:13.000 PM",,"11/1/2021, 4:09:58.874 PM",txt,42,Labeling,Default,[],0,9fbde396-1a24-4c79-8edf-9254a0f35055,Confidential\Microsoft Extended,,,PurviewDataSensitivityLogs,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourcegroups/purview-sentinel-bug-bash/providers/microsoft.purview/accounts/sentinel-bug-bash-westeurope -d80e74e9-da11-4572-babc-79349f7685cc,"11/1/2021, 4:13:55.657 PM",00000000-0000-0000-0000-000000000000,DataSensitivityLogEvent,72f988bf-86f1-41af-91ab-2d7cd011db47,458b9821-8f00-483f-acf9-ff6ab17332c4,Sentinel-Bug-Bash-WestEurope,westeurope,AzureBlob-6Pi,AzureBlob,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourceGroups/classification-test/providers/Microsoft.Storage/storageAccounts/aipclptest,458b9821-8f00-483f-acf9-ff6ab17332c4,eastus,BugBashTest,,denmark.txt,https://aipclptest.blob.core.windows.net/joselw-test/denmark.txt,File,"8/16/2021, 8:56:14.000 PM","8/16/2021, 8:56:14.000 PM",,"11/1/2021, 4:09:57.405 PM",txt,128,Labeling,Default,[],0,9fbde396-1a24-4c79-8edf-9254a0f35055,Confidential\Microsoft Extended,,,PurviewDataSensitivityLogs,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourcegroups/purview-sentinel-bug-bash/providers/microsoft.purview/accounts/sentinel-bug-bash-westeurope -d80e74e9-da11-4572-babc-79349f7685cc,"11/1/2021, 4:13:55.669 PM",00000000-0000-0000-0000-000000000000,DataSensitivityLogEvent,72f988bf-86f1-41af-91ab-2d7cd011db47,458b9821-8f00-483f-acf9-ff6ab17332c4,Sentinel-Bug-Bash-WestEurope,westeurope,AzureBlob-6Pi,AzureBlob,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourceGroups/classification-test/providers/Microsoft.Storage/storageAccounts/aipclptest,458b9821-8f00-483f-acf9-ff6ab17332c4,eastus,BugBashTest,,de-id.docx,https://aipclptest.blob.core.windows.net/test2/de-id.docx,File,"5/13/2021, 6:37:48.000 PM","5/13/2021, 6:37:48.000 PM",,"11/1/2021, 4:10:07.088 PM",docx,25558,Labeling,Default,[],0,9fbde396-1a24-4c79-8edf-9254a0f35055,Confidential\Microsoft Extended,,,PurviewDataSensitivityLogs,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourcegroups/purview-sentinel-bug-bash/providers/microsoft.purview/accounts/sentinel-bug-bash-westeurope -d80e74e9-da11-4572-babc-79349f7685cc,"11/1/2021, 4:13:55.705 PM",00000000-0000-0000-0000-000000000000,DataSensitivityLogEvent,72f988bf-86f1-41af-91ab-2d7cd011db47,458b9821-8f00-483f-acf9-ff6ab17332c4,Sentinel-Bug-Bash-WestEurope,westeurope,AzureBlob-6Pi,AzureBlob,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourceGroups/classification-test/providers/Microsoft.Storage/storageAccounts/aipclptest,458b9821-8f00-483f-acf9-ff6ab17332c4,eastus,BugBashTest,,es-ssn.docx,https://aipclptest.blob.core.windows.net/aashishr01/es-ssn.docx,File,"12/11/2020, 8:59:35.000 PM","12/11/2020, 8:59:35.000 PM",,"11/1/2021, 4:10:08.010 PM",docx,26070,Labeling,Default,[],0,9fbde396-1a24-4c79-8edf-9254a0f35055,Confidential\Microsoft Extended,,,PurviewDataSensitivityLogs,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourcegroups/purview-sentinel-bug-bash/providers/microsoft.purview/accounts/sentinel-bug-bash-westeurope -d80e74e9-da11-4572-babc-79349f7685cc,"11/1/2021, 4:13:55.711 PM",00000000-0000-0000-0000-000000000000,DataSensitivityLogEvent,72f988bf-86f1-41af-91ab-2d7cd011db47,458b9821-8f00-483f-acf9-ff6ab17332c4,Sentinel-Bug-Bash-WestEurope,westeurope,AzureBlob-6Pi,AzureBlob,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourceGroups/classification-test/providers/Microsoft.Storage/storageAccounts/aipclptest,458b9821-8f00-483f-acf9-ff6ab17332c4,eastus,BugBashTest,,el-id.docx,https://aipclptest.blob.core.windows.net/aashishr01/el-id.docx,File,"12/11/2020, 8:59:35.000 PM","12/11/2020, 8:59:35.000 PM",,"11/1/2021, 4:10:11.057 PM",docx,26163,Labeling,Default,[],0,9fbde396-1a24-4c79-8edf-9254a0f35055,Confidential\Microsoft Extended,,,PurviewDataSensitivityLogs,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourcegroups/purview-sentinel-bug-bash/providers/microsoft.purview/accounts/sentinel-bug-bash-westeurope -d80e74e9-da11-4572-babc-79349f7685cc,"11/1/2021, 4:13:55.722 PM",00000000-0000-0000-0000-000000000000,DataSensitivityLogEvent,72f988bf-86f1-41af-91ab-2d7cd011db47,458b9821-8f00-483f-acf9-ff6ab17332c4,Sentinel-Bug-Bash-WestEurope,westeurope,AzureBlob-6Pi,AzureBlob,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourceGroups/classification-test/providers/Microsoft.Storage/storageAccounts/aipclptest,458b9821-8f00-483f-acf9-ff6ab17332c4,eastus,BugBashTest,,it-drv.docx,https://aipclptest.blob.core.windows.net/joselw-test/it-drv.docx,File,"8/16/2021, 8:56:13.000 PM","8/16/2021, 8:56:13.000 PM",,"11/1/2021, 4:10:11.072 PM",docx,19572,Labeling,Default,[],0,9fbde396-1a24-4c79-8edf-9254a0f35055,Confidential\Microsoft Extended,,,PurviewDataSensitivityLogs,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourcegroups/purview-sentinel-bug-bash/providers/microsoft.purview/accounts/sentinel-bug-bash-westeurope -d80e74e9-da11-4572-babc-79349f7685cc,"11/1/2021, 4:13:55.725 PM",00000000-0000-0000-0000-000000000000,DataSensitivityLogEvent,72f988bf-86f1-41af-91ab-2d7cd011db47,458b9821-8f00-483f-acf9-ff6ab17332c4,Sentinel-Bug-Bash-WestEurope,westeurope,AzureBlob-6Pi,AzureBlob,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourceGroups/classification-test/providers/Microsoft.Storage/storageAccounts/aipclptest,458b9821-8f00-483f-acf9-ff6ab17332c4,eastus,BugBashTest,,uk-pn.docx,https://aipclptest.blob.core.windows.net/joselw-test/uk-pn.docx,File,"8/16/2021, 8:56:13.000 PM","8/16/2021, 8:56:13.000 PM",,"11/1/2021, 4:09:59.640 PM",docx,19860,Labeling,Default,[],0,9fbde396-1a24-4c79-8edf-9254a0f35055,Confidential\Microsoft Extended,,,PurviewDataSensitivityLogs,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourcegroups/purview-sentinel-bug-bash/providers/microsoft.purview/accounts/sentinel-bug-bash-westeurope -d80e74e9-da11-4572-babc-79349f7685cc,"11/1/2021, 4:13:55.748 PM",00000000-0000-0000-0000-000000000000,DataSensitivityLogEvent,72f988bf-86f1-41af-91ab-2d7cd011db47,458b9821-8f00-483f-acf9-ff6ab17332c4,Sentinel-Bug-Bash-WestEurope,westeurope,AzureBlob-6Pi,AzureBlob,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourceGroups/classification-test/providers/Microsoft.Storage/storageAccounts/aipclptest,458b9821-8f00-483f-acf9-ff6ab17332c4,eastus,BugBashTest,,Acme Background Check-Katana.doc,https://aipclptest.blob.core.windows.net/satintestcontainer/test4/Acme Background Check-Katana.doc,File,"2/16/2021, 9:35:05.000 AM","2/16/2021, 9:35:05.000 AM",,"11/1/2021, 4:10:36.889 PM",doc,90624,Labeling,Default,[],0,9fbde396-1a24-4c79-8edf-9254a0f35055,Confidential\Microsoft Extended,,,PurviewDataSensitivityLogs,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourcegroups/purview-sentinel-bug-bash/providers/microsoft.purview/accounts/sentinel-bug-bash-westeurope -d80e74e9-da11-4572-babc-79349f7685cc,"11/1/2021, 4:13:55.759 PM",00000000-0000-0000-0000-000000000000,DataSensitivityLogEvent,72f988bf-86f1-41af-91ab-2d7cd011db47,458b9821-8f00-483f-acf9-ff6ab17332c4,Sentinel-Bug-Bash-WestEurope,westeurope,AzureBlob-6Pi,AzureBlob,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourceGroups/classification-test/providers/Microsoft.Storage/storageAccounts/aipclptest,458b9821-8f00-483f-acf9-ff6ab17332c4,eastus,BugBashTest,,finland.txt,https://aipclptest.blob.core.windows.net/test2/finland.txt,File,"5/13/2021, 6:37:48.000 PM","5/13/2021, 6:37:48.000 PM",,"11/1/2021, 4:10:05.540 PM",txt,89,Labeling,Default,[],0,9fbde396-1a24-4c79-8edf-9254a0f35055,Confidential\Microsoft Extended,,,PurviewDataSensitivityLogs,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourcegroups/purview-sentinel-bug-bash/providers/microsoft.purview/accounts/sentinel-bug-bash-westeurope -d80e74e9-da11-4572-babc-79349f7685cc,"11/1/2021, 4:13:55.800 PM",00000000-0000-0000-0000-000000000000,DataSensitivityLogEvent,72f988bf-86f1-41af-91ab-2d7cd011db47,458b9821-8f00-483f-acf9-ff6ab17332c4,Sentinel-Bug-Bash-WestEurope,westeurope,AzureBlob-6Pi,AzureBlob,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourceGroups/classification-test/providers/Microsoft.Storage/storageAccounts/aipclptest,458b9821-8f00-483f-acf9-ff6ab17332c4,eastus,BugBashTest,,Acme Background Check-Katana.doc,https://aipclptest.blob.core.windows.net/satintestcontainer/test3/Acme Background Check-Katana.doc,File,"2/16/2021, 9:34:57.000 AM","2/16/2021, 9:34:57.000 AM",,"11/1/2021, 4:10:36.874 PM",doc,90624,Labeling,Default,[],0,9fbde396-1a24-4c79-8edf-9254a0f35055,Confidential\Microsoft Extended,,,PurviewDataSensitivityLogs,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourcegroups/purview-sentinel-bug-bash/providers/microsoft.purview/accounts/sentinel-bug-bash-westeurope -d80e74e9-da11-4572-babc-79349f7685cc,"11/1/2021, 4:13:55.809 PM",00000000-0000-0000-0000-000000000000,DataSensitivityLogEvent,72f988bf-86f1-41af-91ab-2d7cd011db47,458b9821-8f00-483f-acf9-ff6ab17332c4,Sentinel-Bug-Bash-WestEurope,westeurope,AzureBlob-6Pi,AzureBlob,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourceGroups/classification-test/providers/Microsoft.Storage/storageAccounts/aipclptest,458b9821-8f00-483f-acf9-ff6ab17332c4,eastus,BugBashTest,,sw-id.docx,https://aipclptest.blob.core.windows.net/aashishr01/sw-id.docx,File,"12/11/2020, 8:59:35.000 PM","12/11/2020, 8:59:35.000 PM",,"11/1/2021, 4:10:11.041 PM",docx,26070,Labeling,Default,[],0,9fbde396-1a24-4c79-8edf-9254a0f35055,Confidential\Microsoft Extended,,,PurviewDataSensitivityLogs,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourcegroups/purview-sentinel-bug-bash/providers/microsoft.purview/accounts/sentinel-bug-bash-westeurope -d80e74e9-da11-4572-babc-79349f7685cc,"11/1/2021, 4:13:55.865 PM",00000000-0000-0000-0000-000000000000,DataSensitivityLogEvent,72f988bf-86f1-41af-91ab-2d7cd011db47,458b9821-8f00-483f-acf9-ff6ab17332c4,Sentinel-Bug-Bash-WestEurope,westeurope,AzureBlob-6Pi,AzureBlob,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourceGroups/classification-test/providers/Microsoft.Storage/storageAccounts/aipclptest,458b9821-8f00-483f-acf9-ff6ab17332c4,eastus,BugBashTest,,pr-id.docx,https://aipclptest.blob.core.windows.net/aashishr01/pr-id.docx,File,"12/11/2020, 8:59:33.000 PM","12/11/2020, 8:59:33.000 PM",,"11/1/2021, 4:10:10.963 PM",docx,26111,Labeling,Default,[],0,9fbde396-1a24-4c79-8edf-9254a0f35055,Confidential\Microsoft Extended,,,PurviewDataSensitivityLogs,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourcegroups/purview-sentinel-bug-bash/providers/microsoft.purview/accounts/sentinel-bug-bash-westeurope -d80e74e9-da11-4572-babc-79349f7685cc,"11/1/2021, 4:13:55.874 PM",00000000-0000-0000-0000-000000000000,DataSensitivityLogEvent,72f988bf-86f1-41af-91ab-2d7cd011db47,458b9821-8f00-483f-acf9-ff6ab17332c4,Sentinel-Bug-Bash-WestEurope,westeurope,AzureBlob-6Pi,AzureBlob,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourceGroups/classification-test/providers/Microsoft.Storage/storageAccounts/aipclptest,458b9821-8f00-483f-acf9-ff6ab17332c4,eastus,BugBashTest,,uk-roll.docx,https://aipclptest.blob.core.windows.net/aipscan-open/uk-roll.docx,File,"12/10/2020, 5:58:29.000 PM","12/10/2020, 5:58:29.000 PM",,"11/1/2021, 4:09:59.780 PM",docx,25511,Labeling,Default,[],0,9fbde396-1a24-4c79-8edf-9254a0f35055,Confidential\Microsoft Extended,,,PurviewDataSensitivityLogs,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourcegroups/purview-sentinel-bug-bash/providers/microsoft.purview/accounts/sentinel-bug-bash-westeurope -d80e74e9-da11-4572-babc-79349f7685cc,"11/1/2021, 4:13:55.946 PM",00000000-0000-0000-0000-000000000000,DataSensitivityLogEvent,72f988bf-86f1-41af-91ab-2d7cd011db47,458b9821-8f00-483f-acf9-ff6ab17332c4,Sentinel-Bug-Bash-WestEurope,westeurope,AzureBlob-6Pi,AzureBlob,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourceGroups/classification-test/providers/Microsoft.Storage/storageAccounts/aipclptest,458b9821-8f00-483f-acf9-ff6ab17332c4,eastus,BugBashTest,,de-pn.docx,https://aipclptest.blob.core.windows.net/aipscan/PII/de-pn.docx,File,"2/13/2020, 7:54:22.000 PM","2/13/2020, 7:54:22.000 PM",,"11/1/2021, 4:10:27.386 PM",docx,18714,Classification,System,"[""EU Passport Number"",""German Passport Number""]",2,,,,,PurviewDataSensitivityLogs,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourcegroups/purview-sentinel-bug-bash/providers/microsoft.purview/accounts/sentinel-bug-bash-westeurope -d80e74e9-da11-4572-babc-79349f7685cc,"11/1/2021, 4:13:55.978 PM",00000000-0000-0000-0000-000000000000,DataSensitivityLogEvent,72f988bf-86f1-41af-91ab-2d7cd011db47,458b9821-8f00-483f-acf9-ff6ab17332c4,Sentinel-Bug-Bash-WestEurope,westeurope,AzureBlob-6Pi,AzureBlob,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourceGroups/classification-test/providers/Microsoft.Storage/storageAccounts/aipclptest,458b9821-8f00-483f-acf9-ff6ab17332c4,eastus,BugBashTest,,fi-pn.docx,https://aipclptest.blob.core.windows.net/aashishr01/fi-pn.docx,File,"12/11/2020, 8:59:33.000 PM","12/11/2020, 8:59:33.000 PM",,"11/1/2021, 4:10:11.010 PM",docx,25516,Labeling,Default,[],0,9fbde396-1a24-4c79-8edf-9254a0f35055,Confidential\Microsoft Extended,,,PurviewDataSensitivityLogs,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourcegroups/purview-sentinel-bug-bash/providers/microsoft.purview/accounts/sentinel-bug-bash-westeurope -d80e74e9-da11-4572-babc-79349f7685cc,"11/1/2021, 4:13:56.293 PM",00000000-0000-0000-0000-000000000000,DataSensitivityLogEvent,72f988bf-86f1-41af-91ab-2d7cd011db47,458b9821-8f00-483f-acf9-ff6ab17332c4,Sentinel-Bug-Bash-WestEurope,westeurope,AzureBlob-6Pi,AzureBlob,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourceGroups/classification-test/providers/Microsoft.Storage/storageAccounts/aipclptest,458b9821-8f00-483f-acf9-ff6ab17332c4,eastus,BugBashTest,,uk-pn.docx,https://aipclptest.blob.core.windows.net/aashishr01/uk-pn.docx,File,"12/11/2020, 8:59:35.000 PM","12/11/2020, 8:59:35.000 PM",,"11/1/2021, 4:10:10.572 PM",docx,26383,Classification,System,"[""Bulgaria Passport Number"",""Croatia Passport Number"",""Denmark Passport Number"",""EU Passport Number"",""Ireland Passport Number"",""Italy Passport Number"",""Romania Passport Number"",""Russian Passport Number (International)"",""Taiwan Passport Number"",""U.S. / U.K. Passport Number"",""Ukraine Passport Number (Domestic)""]",11,,,,,PurviewDataSensitivityLogs,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourcegroups/purview-sentinel-bug-bash/providers/microsoft.purview/accounts/sentinel-bug-bash-westeurope -d80e74e9-da11-4572-babc-79349f7685cc,"11/1/2021, 4:13:56.299 PM",00000000-0000-0000-0000-000000000000,DataSensitivityLogEvent,72f988bf-86f1-41af-91ab-2d7cd011db47,458b9821-8f00-483f-acf9-ff6ab17332c4,Sentinel-Bug-Bash-WestEurope,westeurope,AzureBlob-6Pi,AzureBlob,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourceGroups/classification-test/providers/Microsoft.Storage/storageAccounts/aipclptest,458b9821-8f00-483f-acf9-ff6ab17332c4,eastus,BugBashTest,,Customers data2016.docx,https://aipclptest.blob.core.windows.net/aipscan/CustomerData/Customers data2016.docx,File,"2/13/2020, 7:53:51.000 PM","2/13/2020, 7:53:51.000 PM",,"11/1/2021, 4:10:26.230 PM",docx,11916,Classification,System,"[""Belgium Driver's License Number"",""Credit Card Number"",""EU Debit Card Number"",""EU Driver's License Number"",""EU National Identification Number"",""EU Social Security Number (SSN) or Equivalent ID"",""German Driver's License Number"",""Germany Identity Card Number""]",8,,,,,PurviewDataSensitivityLogs,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourcegroups/purview-sentinel-bug-bash/providers/microsoft.purview/accounts/sentinel-bug-bash-westeurope -d80e74e9-da11-4572-babc-79349f7685cc,"11/1/2021, 4:13:56.304 PM",00000000-0000-0000-0000-000000000000,DataSensitivityLogEvent,72f988bf-86f1-41af-91ab-2d7cd011db47,458b9821-8f00-483f-acf9-ff6ab17332c4,Sentinel-Bug-Bash-WestEurope,westeurope,AzureBlob-6Pi,AzureBlob,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourceGroups/classification-test/providers/Microsoft.Storage/storageAccounts/aipclptest,458b9821-8f00-483f-acf9-ff6ab17332c4,eastus,BugBashTest,,Customers data2017.docx,https://aipclptest.blob.core.windows.net/aipscan/CustomerData/Customers data2017.docx,File,"2/13/2020, 7:53:51.000 PM","2/13/2020, 7:53:51.000 PM",,"11/1/2021, 4:10:26.261 PM",docx,12295,Classification,System,"[""Belgium Driver's License Number"",""Credit Card Number"",""EU Debit Card Number"",""EU Driver's License Number"",""EU National Identification Number"",""EU Social Security Number (SSN) or Equivalent ID"",""German Driver's License Number"",""Germany Identity Card Number"",""Greece National ID Card""]",9,,,,,PurviewDataSensitivityLogs,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourcegroups/purview-sentinel-bug-bash/providers/microsoft.purview/accounts/sentinel-bug-bash-westeurope -d80e74e9-da11-4572-babc-79349f7685cc,"11/1/2021, 4:13:56.309 PM",00000000-0000-0000-0000-000000000000,DataSensitivityLogEvent,72f988bf-86f1-41af-91ab-2d7cd011db47,458b9821-8f00-483f-acf9-ff6ab17332c4,Sentinel-Bug-Bash-WestEurope,westeurope,AzureBlob-6Pi,AzureBlob,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourceGroups/classification-test/providers/Microsoft.Storage/storageAccounts/aipclptest,458b9821-8f00-483f-acf9-ff6ab17332c4,eastus,BugBashTest,,cc.docx,https://aipclptest.blob.core.windows.net/aipscan/PII/cc.docx,File,"2/13/2020, 7:54:22.000 PM","2/13/2020, 7:54:22.000 PM",,"11/1/2021, 4:10:26.245 PM",docx,18956,Classification,System,"[""Credit Card Number"",""EU Debit Card Number""]",2,,,,,PurviewDataSensitivityLogs,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourcegroups/purview-sentinel-bug-bash/providers/microsoft.purview/accounts/sentinel-bug-bash-westeurope -d80e74e9-da11-4572-babc-79349f7685cc,"11/1/2021, 4:13:56.309 PM",00000000-0000-0000-0000-000000000000,DataSensitivityLogEvent,72f988bf-86f1-41af-91ab-2d7cd011db47,458b9821-8f00-483f-acf9-ff6ab17332c4,Sentinel-Bug-Bash-WestEurope,westeurope,AzureBlob-6Pi,AzureBlob,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourceGroups/classification-test/providers/Microsoft.Storage/storageAccounts/aipclptest,458b9821-8f00-483f-acf9-ff6ab17332c4,eastus,BugBashTest,,cc.docx,https://aipclptest.blob.core.windows.net/aipscan/PII/cc.docx,File,"2/13/2020, 7:54:22.000 PM","2/13/2020, 7:54:22.000 PM",,"11/1/2021, 4:10:26.245 PM",docx,18956,Labeling,External,[],0,f42aa342-8706-4288-bd11-ebb85995028c,General,,,PurviewDataSensitivityLogs,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourcegroups/purview-sentinel-bug-bash/providers/microsoft.purview/accounts/sentinel-bug-bash-westeurope -d80e74e9-da11-4572-babc-79349f7685cc,"11/1/2021, 4:13:56.310 PM",00000000-0000-0000-0000-000000000000,DataSensitivityLogEvent,72f988bf-86f1-41af-91ab-2d7cd011db47,458b9821-8f00-483f-acf9-ff6ab17332c4,Sentinel-Bug-Bash-WestEurope,westeurope,AzureBlob-6Pi,AzureBlob,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourceGroups/classification-test/providers/Microsoft.Storage/storageAccounts/aipclptest,458b9821-8f00-483f-acf9-ff6ab17332c4,eastus,BugBashTest,,denmark.txt,https://aipclptest.blob.core.windows.net/aipscan/PII/denmark.txt,File,"2/13/2020, 7:54:22.000 PM","2/13/2020, 7:54:22.000 PM",,"11/1/2021, 4:10:27.402 PM",txt,128,Classification,System,"[""EU National Identification Number""]",1,,,,,PurviewDataSensitivityLogs,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourcegroups/purview-sentinel-bug-bash/providers/microsoft.purview/accounts/sentinel-bug-bash-westeurope -d80e74e9-da11-4572-babc-79349f7685cc,"11/1/2021, 4:13:56.315 PM",00000000-0000-0000-0000-000000000000,DataSensitivityLogEvent,72f988bf-86f1-41af-91ab-2d7cd011db47,458b9821-8f00-483f-acf9-ff6ab17332c4,Sentinel-Bug-Bash-WestEurope,westeurope,AzureBlob-6Pi,AzureBlob,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourceGroups/classification-test/providers/Microsoft.Storage/storageAccounts/aipclptest,458b9821-8f00-483f-acf9-ff6ab17332c4,eastus,BugBashTest,,pl-id.docx,https://aipclptest.blob.core.windows.net/aipscan/PII/pl-id.docx,File,"2/13/2020, 7:54:22.000 PM","2/13/2020, 7:54:22.000 PM",,"11/1/2021, 4:10:28.198 PM",docx,18804,Classification,System,"[""EU National Identification Number"",""Poland Identity Card""]",2,,,,,PurviewDataSensitivityLogs,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourcegroups/purview-sentinel-bug-bash/providers/microsoft.purview/accounts/sentinel-bug-bash-westeurope -d80e74e9-da11-4572-babc-79349f7685cc,"11/1/2021, 4:13:56.315 PM",00000000-0000-0000-0000-000000000000,DataSensitivityLogEvent,72f988bf-86f1-41af-91ab-2d7cd011db47,458b9821-8f00-483f-acf9-ff6ab17332c4,Sentinel-Bug-Bash-WestEurope,westeurope,AzureBlob-6Pi,AzureBlob,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourceGroups/classification-test/providers/Microsoft.Storage/storageAccounts/aipclptest,458b9821-8f00-483f-acf9-ff6ab17332c4,eastus,BugBashTest,,pl-id.docx,https://aipclptest.blob.core.windows.net/aipscan/PII/pl-id.docx,File,"2/13/2020, 7:54:22.000 PM","2/13/2020, 7:54:22.000 PM",,"11/1/2021, 4:10:28.198 PM",docx,18804,Labeling,External,[],0,f42aa342-8706-4288-bd11-ebb85995028c,General,,,PurviewDataSensitivityLogs,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourcegroups/purview-sentinel-bug-bash/providers/microsoft.purview/accounts/sentinel-bug-bash-westeurope -d80e74e9-da11-4572-babc-79349f7685cc,"11/1/2021, 4:13:56.315 PM",00000000-0000-0000-0000-000000000000,DataSensitivityLogEvent,72f988bf-86f1-41af-91ab-2d7cd011db47,458b9821-8f00-483f-acf9-ff6ab17332c4,Sentinel-Bug-Bash-WestEurope,westeurope,AzureBlob-6Pi,AzureBlob,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourceGroups/classification-test/providers/Microsoft.Storage/storageAccounts/aipclptest,458b9821-8f00-483f-acf9-ff6ab17332c4,eastus,BugBashTest,,fr-insee.docx,https://aipclptest.blob.core.windows.net/aipscan/HR/fr-insee.docx,File,"2/13/2020, 7:54:12.000 PM","2/13/2020, 7:54:12.000 PM",,"11/1/2021, 4:10:31.777 PM",docx,21329,Classification,System,"[""EU Social Security Number (SSN) or Equivalent ID"",""France Social Security Number (INSEE)""]",2,,,,,PurviewDataSensitivityLogs,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourcegroups/purview-sentinel-bug-bash/providers/microsoft.purview/accounts/sentinel-bug-bash-westeurope -d80e74e9-da11-4572-babc-79349f7685cc,"11/1/2021, 4:13:56.315 PM",00000000-0000-0000-0000-000000000000,DataSensitivityLogEvent,72f988bf-86f1-41af-91ab-2d7cd011db47,458b9821-8f00-483f-acf9-ff6ab17332c4,Sentinel-Bug-Bash-WestEurope,westeurope,AzureBlob-6Pi,AzureBlob,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourceGroups/classification-test/providers/Microsoft.Storage/storageAccounts/aipclptest,458b9821-8f00-483f-acf9-ff6ab17332c4,eastus,BugBashTest,,fr-insee.docx,https://aipclptest.blob.core.windows.net/aipscan/HR/fr-insee.docx,File,"2/13/2020, 7:54:12.000 PM","2/13/2020, 7:54:12.000 PM",,"11/1/2021, 4:10:31.777 PM",docx,21329,Labeling,External,[],0,f42aa342-8706-4288-bd11-ebb85995028c,General,,,PurviewDataSensitivityLogs,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourcegroups/purview-sentinel-bug-bash/providers/microsoft.purview/accounts/sentinel-bug-bash-westeurope -d80e74e9-da11-4572-babc-79349f7685cc,"11/1/2021, 4:13:56.315 PM",00000000-0000-0000-0000-000000000000,DataSensitivityLogEvent,72f988bf-86f1-41af-91ab-2d7cd011db47,458b9821-8f00-483f-acf9-ff6ab17332c4,Sentinel-Bug-Bash-WestEurope,westeurope,AzureBlob-6Pi,AzureBlob,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourceGroups/classification-test/providers/Microsoft.Storage/storageAccounts/aipclptest,458b9821-8f00-483f-acf9-ff6ab17332c4,eastus,BugBashTest,,uk-roll.docx,https://aipclptest.blob.core.windows.net/aipscan/HR/uk-roll.docx,File,"2/13/2020, 7:54:12.000 PM","2/13/2020, 7:54:12.000 PM",,"11/1/2021, 4:10:31.824 PM",docx,19575,Classification,System,"[""U.K. Electoral Roll Number""]",1,,,,,PurviewDataSensitivityLogs,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourcegroups/purview-sentinel-bug-bash/providers/microsoft.purview/accounts/sentinel-bug-bash-westeurope -d80e74e9-da11-4572-babc-79349f7685cc,"11/1/2021, 4:13:56.315 PM",00000000-0000-0000-0000-000000000000,DataSensitivityLogEvent,72f988bf-86f1-41af-91ab-2d7cd011db47,458b9821-8f00-483f-acf9-ff6ab17332c4,Sentinel-Bug-Bash-WestEurope,westeurope,AzureBlob-6Pi,AzureBlob,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourceGroups/classification-test/providers/Microsoft.Storage/storageAccounts/aipclptest,458b9821-8f00-483f-acf9-ff6ab17332c4,eastus,BugBashTest,,uk-roll.docx,https://aipclptest.blob.core.windows.net/aipscan/HR/uk-roll.docx,File,"2/13/2020, 7:54:12.000 PM","2/13/2020, 7:54:12.000 PM",,"11/1/2021, 4:10:31.824 PM",docx,19575,Labeling,External,[],0,f42aa342-8706-4288-bd11-ebb85995028c,General,,,PurviewDataSensitivityLogs,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourcegroups/purview-sentinel-bug-bash/providers/microsoft.purview/accounts/sentinel-bug-bash-westeurope -d80e74e9-da11-4572-babc-79349f7685cc,"11/1/2021, 4:13:56.315 PM",00000000-0000-0000-0000-000000000000,DataSensitivityLogEvent,72f988bf-86f1-41af-91ab-2d7cd011db47,458b9821-8f00-483f-acf9-ff6ab17332c4,Sentinel-Bug-Bash-WestEurope,westeurope,AzureBlob-6Pi,AzureBlob,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourceGroups/classification-test/providers/Microsoft.Storage/storageAccounts/aipclptest,458b9821-8f00-483f-acf9-ff6ab17332c4,eastus,BugBashTest,,uk-pn.docx,https://aipclptest.blob.core.windows.net/aipscan/PII/uk-pn.docx,File,"2/13/2020, 7:54:22.000 PM","2/13/2020, 7:54:22.000 PM",,"11/1/2021, 4:10:26.323 PM",docx,19004,Classification,System,"[""Bulgaria Passport Number"",""Croatia Passport Number"",""Denmark Passport Number"",""EU Passport Number"",""Ireland Passport Number"",""Italy Passport Number"",""Romania Passport Number"",""Russian Passport Number (International)"",""Taiwan Passport Number"",""U.S. / U.K. Passport Number"",""Ukraine Passport Number (Domestic)""]",11,,,,,PurviewDataSensitivityLogs,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourcegroups/purview-sentinel-bug-bash/providers/microsoft.purview/accounts/sentinel-bug-bash-westeurope -d80e74e9-da11-4572-babc-79349f7685cc,"11/1/2021, 4:13:56.316 PM",00000000-0000-0000-0000-000000000000,DataSensitivityLogEvent,72f988bf-86f1-41af-91ab-2d7cd011db47,458b9821-8f00-483f-acf9-ff6ab17332c4,Sentinel-Bug-Bash-WestEurope,westeurope,AzureBlob-6Pi,AzureBlob,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourceGroups/classification-test/providers/Microsoft.Storage/storageAccounts/aipclptest,458b9821-8f00-483f-acf9-ff6ab17332c4,eastus,BugBashTest,,uk-pn.docx,https://aipclptest.blob.core.windows.net/aipscan/PII/uk-pn.docx,File,"2/13/2020, 7:54:22.000 PM","2/13/2020, 7:54:22.000 PM",,"11/1/2021, 4:10:26.323 PM",docx,19004,Labeling,External,[],0,f42aa342-8706-4288-bd11-ebb85995028c,General,,,PurviewDataSensitivityLogs,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourcegroups/purview-sentinel-bug-bash/providers/microsoft.purview/accounts/sentinel-bug-bash-westeurope -d80e74e9-da11-4572-babc-79349f7685cc,"11/1/2021, 4:13:56.316 PM",00000000-0000-0000-0000-000000000000,DataSensitivityLogEvent,72f988bf-86f1-41af-91ab-2d7cd011db47,458b9821-8f00-483f-acf9-ff6ab17332c4,Sentinel-Bug-Bash-WestEurope,westeurope,AzureBlob-6Pi,AzureBlob,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourceGroups/classification-test/providers/Microsoft.Storage/storageAccounts/aipclptest,458b9821-8f00-483f-acf9-ff6ab17332c4,eastus,BugBashTest,,de-drv.docx,https://aipclptest.blob.core.windows.net/aipscan/HR/de-drv.docx,File,"2/13/2020, 7:54:12.000 PM","2/13/2020, 7:54:12.000 PM",,"11/1/2021, 4:10:31.152 PM",docx,20201,Classification,System,"[""EU Driver's License Number"",""German Driver's License Number""]",2,,,,,PurviewDataSensitivityLogs,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourcegroups/purview-sentinel-bug-bash/providers/microsoft.purview/accounts/sentinel-bug-bash-westeurope -d80e74e9-da11-4572-babc-79349f7685cc,"11/1/2021, 4:13:56.316 PM",00000000-0000-0000-0000-000000000000,DataSensitivityLogEvent,72f988bf-86f1-41af-91ab-2d7cd011db47,458b9821-8f00-483f-acf9-ff6ab17332c4,Sentinel-Bug-Bash-WestEurope,westeurope,AzureBlob-6Pi,AzureBlob,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourceGroups/classification-test/providers/Microsoft.Storage/storageAccounts/aipclptest,458b9821-8f00-483f-acf9-ff6ab17332c4,eastus,BugBashTest,,de-drv.docx,https://aipclptest.blob.core.windows.net/aipscan/HR/de-drv.docx,File,"2/13/2020, 7:54:12.000 PM","2/13/2020, 7:54:12.000 PM",,"11/1/2021, 4:10:31.152 PM",docx,20201,Labeling,External,[],0,f42aa342-8706-4288-bd11-ebb85995028c,General,,,PurviewDataSensitivityLogs,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourcegroups/purview-sentinel-bug-bash/providers/microsoft.purview/accounts/sentinel-bug-bash-westeurope -d80e74e9-da11-4572-babc-79349f7685cc,"11/1/2021, 4:13:56.316 PM",00000000-0000-0000-0000-000000000000,DataSensitivityLogEvent,72f988bf-86f1-41af-91ab-2d7cd011db47,458b9821-8f00-483f-acf9-ff6ab17332c4,Sentinel-Bug-Bash-WestEurope,westeurope,AzureBlob-6Pi,AzureBlob,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourceGroups/classification-test/providers/Microsoft.Storage/storageAccounts/aipclptest,458b9821-8f00-483f-acf9-ff6ab17332c4,eastus,BugBashTest,,pr-id.docx,https://aipclptest.blob.core.windows.net/aipscan/HR/pr-id.docx,File,"2/13/2020, 7:54:12.000 PM","2/13/2020, 7:54:12.000 PM",,"11/1/2021, 4:10:31.277 PM",docx,20175,Classification,System,"[""EU National Identification Number""]",1,,,,,PurviewDataSensitivityLogs,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourcegroups/purview-sentinel-bug-bash/providers/microsoft.purview/accounts/sentinel-bug-bash-westeurope -d80e74e9-da11-4572-babc-79349f7685cc,"11/1/2021, 4:13:56.316 PM",00000000-0000-0000-0000-000000000000,DataSensitivityLogEvent,72f988bf-86f1-41af-91ab-2d7cd011db47,458b9821-8f00-483f-acf9-ff6ab17332c4,Sentinel-Bug-Bash-WestEurope,westeurope,AzureBlob-6Pi,AzureBlob,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourceGroups/classification-test/providers/Microsoft.Storage/storageAccounts/aipclptest,458b9821-8f00-483f-acf9-ff6ab17332c4,eastus,BugBashTest,,pr-id.docx,https://aipclptest.blob.core.windows.net/aipscan/HR/pr-id.docx,File,"2/13/2020, 7:54:12.000 PM","2/13/2020, 7:54:12.000 PM",,"11/1/2021, 4:10:31.277 PM",docx,20175,Labeling,External,[],0,f42aa342-8706-4288-bd11-ebb85995028c,General,,,PurviewDataSensitivityLogs,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourcegroups/purview-sentinel-bug-bash/providers/microsoft.purview/accounts/sentinel-bug-bash-westeurope -d80e74e9-da11-4572-babc-79349f7685cc,"11/1/2021, 4:13:56.316 PM",00000000-0000-0000-0000-000000000000,DataSensitivityLogEvent,72f988bf-86f1-41af-91ab-2d7cd011db47,458b9821-8f00-483f-acf9-ff6ab17332c4,Sentinel-Bug-Bash-WestEurope,westeurope,AzureBlob-6Pi,AzureBlob,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourceGroups/classification-test/providers/Microsoft.Storage/storageAccounts/aipclptest,458b9821-8f00-483f-acf9-ff6ab17332c4,eastus,BugBashTest,,fr-cni.docx,https://aipclptest.blob.core.windows.net/aipscan/HR/fr-cni.docx,File,"2/13/2020, 7:54:12.000 PM","2/13/2020, 7:54:12.000 PM",,"11/1/2021, 4:10:31.308 PM",docx,20795,Classification,System,"[""EU National Identification Number"",""France National ID Card (CNI)""]",2,,,,,PurviewDataSensitivityLogs,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourcegroups/purview-sentinel-bug-bash/providers/microsoft.purview/accounts/sentinel-bug-bash-westeurope -d80e74e9-da11-4572-babc-79349f7685cc,"11/1/2021, 4:13:56.316 PM",00000000-0000-0000-0000-000000000000,DataSensitivityLogEvent,72f988bf-86f1-41af-91ab-2d7cd011db47,458b9821-8f00-483f-acf9-ff6ab17332c4,Sentinel-Bug-Bash-WestEurope,westeurope,AzureBlob-6Pi,AzureBlob,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourceGroups/classification-test/providers/Microsoft.Storage/storageAccounts/aipclptest,458b9821-8f00-483f-acf9-ff6ab17332c4,eastus,BugBashTest,,fr-cni.docx,https://aipclptest.blob.core.windows.net/aipscan/HR/fr-cni.docx,File,"2/13/2020, 7:54:12.000 PM","2/13/2020, 7:54:12.000 PM",,"11/1/2021, 4:10:31.308 PM",docx,20795,Labeling,External,[],0,f42aa342-8706-4288-bd11-ebb85995028c,General,,,PurviewDataSensitivityLogs,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourcegroups/purview-sentinel-bug-bash/providers/microsoft.purview/accounts/sentinel-bug-bash-westeurope -d80e74e9-da11-4572-babc-79349f7685cc,"11/1/2021, 4:13:56.317 PM",00000000-0000-0000-0000-000000000000,DataSensitivityLogEvent,72f988bf-86f1-41af-91ab-2d7cd011db47,458b9821-8f00-483f-acf9-ff6ab17332c4,Sentinel-Bug-Bash-WestEurope,westeurope,AzureBlob-6Pi,AzureBlob,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourceGroups/classification-test/providers/Microsoft.Storage/storageAccounts/aipclptest,458b9821-8f00-483f-acf9-ff6ab17332c4,eastus,BugBashTest,,multiple.docx,https://aipclptest.blob.core.windows.net/aipscan/HR/multiple.docx,File,"2/13/2020, 7:54:12.000 PM","2/13/2020, 7:54:12.000 PM",,"11/1/2021, 4:10:31.355 PM",docx,18405,Classification,System,"[""EU National Identification Number"",""EU Social Security Number (SSN) or Equivalent ID"",""EU Tax Identification Number (TIN)"",""Finland National ID"",""Germany Identity Card Number"",""Greece National ID Card"",""Ireland Personal Public Service (PPS) Number""]",7,,,,,PurviewDataSensitivityLogs,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourcegroups/purview-sentinel-bug-bash/providers/microsoft.purview/accounts/sentinel-bug-bash-westeurope -d80e74e9-da11-4572-babc-79349f7685cc,"11/1/2021, 4:13:56.317 PM",00000000-0000-0000-0000-000000000000,DataSensitivityLogEvent,72f988bf-86f1-41af-91ab-2d7cd011db47,458b9821-8f00-483f-acf9-ff6ab17332c4,Sentinel-Bug-Bash-WestEurope,westeurope,AzureBlob-6Pi,AzureBlob,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourceGroups/classification-test/providers/Microsoft.Storage/storageAccounts/aipclptest,458b9821-8f00-483f-acf9-ff6ab17332c4,eastus,BugBashTest,,multiple.docx,https://aipclptest.blob.core.windows.net/aipscan/HR/multiple.docx,File,"2/13/2020, 7:54:12.000 PM","2/13/2020, 7:54:12.000 PM",,"11/1/2021, 4:10:31.355 PM",docx,18405,Labeling,External,[],0,f42aa342-8706-4288-bd11-ebb85995028c,General,,,PurviewDataSensitivityLogs,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourcegroups/purview-sentinel-bug-bash/providers/microsoft.purview/accounts/sentinel-bug-bash-westeurope -d80e74e9-da11-4572-babc-79349f7685cc,"11/1/2021, 4:13:56.449 PM",00000000-0000-0000-0000-000000000000,DataSensitivityLogEvent,72f988bf-86f1-41af-91ab-2d7cd011db47,458b9821-8f00-483f-acf9-ff6ab17332c4,Sentinel-Bug-Bash-WestEurope,westeurope,AzureBlob-6Pi,AzureBlob,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourceGroups/classification-test/providers/Microsoft.Storage/storageAccounts/aipclptest,458b9821-8f00-483f-acf9-ff6ab17332c4,eastus,BugBashTest,,cr-oib.docx,https://aipclptest.blob.core.windows.net/satintestcontainer/cr-oib.docx,File,"5/12/2021, 6:56:19.000 PM","5/12/2021, 6:56:19.000 PM",,"11/1/2021, 4:10:29.574 PM",docx,26098,Classification,System,"[""EU National Identification Number""]",1,,,,,PurviewDataSensitivityLogs,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourcegroups/purview-sentinel-bug-bash/providers/microsoft.purview/accounts/sentinel-bug-bash-westeurope -d80e74e9-da11-4572-babc-79349f7685cc,"11/1/2021, 4:13:56.455 PM",00000000-0000-0000-0000-000000000000,DataSensitivityLogEvent,72f988bf-86f1-41af-91ab-2d7cd011db47,458b9821-8f00-483f-acf9-ff6ab17332c4,Sentinel-Bug-Bash-WestEurope,westeurope,AzureBlob-6Pi,AzureBlob,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourceGroups/classification-test/providers/Microsoft.Storage/storageAccounts/aipclptest,458b9821-8f00-483f-acf9-ff6ab17332c4,eastus,BugBashTest,,it-drv.docx,https://aipclptest.blob.core.windows.net/satintestcontainer/it-drv.docx,File,"5/12/2021, 6:56:19.000 PM","5/12/2021, 6:56:19.000 PM",,"11/1/2021, 4:10:29.590 PM",docx,26098,Classification,System,"[""EU Driver's License Number"",""Italy Driver's License Number""]",2,,,,,PurviewDataSensitivityLogs,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourcegroups/purview-sentinel-bug-bash/providers/microsoft.purview/accounts/sentinel-bug-bash-westeurope -d80e74e9-da11-4572-babc-79349f7685cc,"11/1/2021, 4:13:56.460 PM",00000000-0000-0000-0000-000000000000,DataSensitivityLogEvent,72f988bf-86f1-41af-91ab-2d7cd011db47,458b9821-8f00-483f-acf9-ff6ab17332c4,Sentinel-Bug-Bash-WestEurope,westeurope,AzureBlob-6Pi,AzureBlob,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourceGroups/classification-test/providers/Microsoft.Storage/storageAccounts/aipclptest,458b9821-8f00-483f-acf9-ff6ab17332c4,eastus,BugBashTest,,fr-cni-pdf.pdf,https://aipclptest.blob.core.windows.net/aipscan/PII/fr-cni-pdf.pdf,File,"2/13/2020, 7:54:22.000 PM","2/13/2020, 7:54:22.000 PM",,"11/1/2021, 4:10:30.667 PM",pdf,331074,Classification,System,"[""EU National Identification Number"",""France National ID Card (CNI)""]",2,,,,,PurviewDataSensitivityLogs,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourcegroups/purview-sentinel-bug-bash/providers/microsoft.purview/accounts/sentinel-bug-bash-westeurope -d80e74e9-da11-4572-babc-79349f7685cc,"11/1/2021, 4:13:56.460 PM",00000000-0000-0000-0000-000000000000,DataSensitivityLogEvent,72f988bf-86f1-41af-91ab-2d7cd011db47,458b9821-8f00-483f-acf9-ff6ab17332c4,Sentinel-Bug-Bash-WestEurope,westeurope,AzureBlob-6Pi,AzureBlob,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourceGroups/classification-test/providers/Microsoft.Storage/storageAccounts/aipclptest,458b9821-8f00-483f-acf9-ff6ab17332c4,eastus,BugBashTest,,fr-cni-pdf.pdf,https://aipclptest.blob.core.windows.net/aipscan/PII/fr-cni-pdf.pdf,File,"2/13/2020, 7:54:22.000 PM","2/13/2020, 7:54:22.000 PM",,"11/1/2021, 4:10:30.667 PM",pdf,331074,Labeling,External,[],0,f42aa342-8706-4288-bd11-ebb85995028c,General,,,PurviewDataSensitivityLogs,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourcegroups/purview-sentinel-bug-bash/providers/microsoft.purview/accounts/sentinel-bug-bash-westeurope -d80e74e9-da11-4572-babc-79349f7685cc,"11/1/2021, 4:13:56.461 PM",00000000-0000-0000-0000-000000000000,DataSensitivityLogEvent,72f988bf-86f1-41af-91ab-2d7cd011db47,458b9821-8f00-483f-acf9-ff6ab17332c4,Sentinel-Bug-Bash-WestEurope,westeurope,AzureBlob-6Pi,AzureBlob,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourceGroups/classification-test/providers/Microsoft.Storage/storageAccounts/aipclptest,458b9821-8f00-483f-acf9-ff6ab17332c4,eastus,BugBashTest,,multiple.docx,https://aipclptest.blob.core.windows.net/aipscan/PII/multiple.docx,File,"2/13/2020, 7:54:22.000 PM","2/13/2020, 7:54:22.000 PM",,"11/1/2021, 4:10:30.699 PM",docx,17475,Classification,System,"[""EU National Identification Number"",""EU Social Security Number (SSN) or Equivalent ID"",""EU Tax Identification Number (TIN)"",""Finland National ID"",""Germany Identity Card Number"",""Greece National ID Card"",""Ireland Personal Public Service (PPS) Number""]",7,,,,,PurviewDataSensitivityLogs,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourcegroups/purview-sentinel-bug-bash/providers/microsoft.purview/accounts/sentinel-bug-bash-westeurope -d80e74e9-da11-4572-babc-79349f7685cc,"11/1/2021, 4:13:56.461 PM",00000000-0000-0000-0000-000000000000,DataSensitivityLogEvent,72f988bf-86f1-41af-91ab-2d7cd011db47,458b9821-8f00-483f-acf9-ff6ab17332c4,Sentinel-Bug-Bash-WestEurope,westeurope,AzureBlob-6Pi,AzureBlob,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourceGroups/classification-test/providers/Microsoft.Storage/storageAccounts/aipclptest,458b9821-8f00-483f-acf9-ff6ab17332c4,eastus,BugBashTest,,multiple.docx,https://aipclptest.blob.core.windows.net/aipscan/PII/multiple.docx,File,"2/13/2020, 7:54:22.000 PM","2/13/2020, 7:54:22.000 PM",,"11/1/2021, 4:10:30.699 PM",docx,17475,Labeling,External,[],0,f42aa342-8706-4288-bd11-ebb85995028c,General,,,PurviewDataSensitivityLogs,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourcegroups/purview-sentinel-bug-bash/providers/microsoft.purview/accounts/sentinel-bug-bash-westeurope -d80e74e9-da11-4572-babc-79349f7685cc,"11/1/2021, 4:13:56.461 PM",00000000-0000-0000-0000-000000000000,DataSensitivityLogEvent,72f988bf-86f1-41af-91ab-2d7cd011db47,458b9821-8f00-483f-acf9-ff6ab17332c4,Sentinel-Bug-Bash-WestEurope,westeurope,AzureBlob-6Pi,AzureBlob,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourceGroups/classification-test/providers/Microsoft.Storage/storageAccounts/aipclptest,458b9821-8f00-483f-acf9-ff6ab17332c4,eastus,BugBashTest,,de-id.docx,https://aipclptest.blob.core.windows.net/aipscan/PII/de-id.docx,File,"2/13/2020, 7:54:22.000 PM","2/13/2020, 7:54:22.000 PM",,"11/1/2021, 4:10:29.292 PM",docx,23407,Classification,System,"[""EU National Identification Number"",""Germany Identity Card Number""]",2,,,,,PurviewDataSensitivityLogs,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourcegroups/purview-sentinel-bug-bash/providers/microsoft.purview/accounts/sentinel-bug-bash-westeurope -d80e74e9-da11-4572-babc-79349f7685cc,"11/1/2021, 4:13:56.461 PM",00000000-0000-0000-0000-000000000000,DataSensitivityLogEvent,72f988bf-86f1-41af-91ab-2d7cd011db47,458b9821-8f00-483f-acf9-ff6ab17332c4,Sentinel-Bug-Bash-WestEurope,westeurope,AzureBlob-6Pi,AzureBlob,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourceGroups/classification-test/providers/Microsoft.Storage/storageAccounts/aipclptest,458b9821-8f00-483f-acf9-ff6ab17332c4,eastus,BugBashTest,,de-id.docx,https://aipclptest.blob.core.windows.net/aipscan/PII/de-id.docx,File,"2/13/2020, 7:54:22.000 PM","2/13/2020, 7:54:22.000 PM",,"11/1/2021, 4:10:29.292 PM",docx,23407,Labeling,External,[],0,f42aa342-8706-4288-bd11-ebb85995028c,General,,,PurviewDataSensitivityLogs,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourcegroups/purview-sentinel-bug-bash/providers/microsoft.purview/accounts/sentinel-bug-bash-westeurope -d80e74e9-da11-4572-babc-79349f7685cc,"11/1/2021, 4:13:56.461 PM",00000000-0000-0000-0000-000000000000,DataSensitivityLogEvent,72f988bf-86f1-41af-91ab-2d7cd011db47,458b9821-8f00-483f-acf9-ff6ab17332c4,Sentinel-Bug-Bash-WestEurope,westeurope,AzureBlob-6Pi,AzureBlob,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourceGroups/classification-test/providers/Microsoft.Storage/storageAccounts/aipclptest,458b9821-8f00-483f-acf9-ff6ab17332c4,eastus,BugBashTest,,germany.txt,https://aipclptest.blob.core.windows.net/aipscan/PII/germany.txt,File,"2/13/2020, 7:54:22.000 PM","2/13/2020, 7:54:22.000 PM",,"11/1/2021, 4:10:29.589 PM",txt,42,Classification,System,"[""EU National Identification Number"",""EU Social Security Number (SSN) or Equivalent ID"",""Germany Identity Card Number""]",3,,,,,PurviewDataSensitivityLogs,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourcegroups/purview-sentinel-bug-bash/providers/microsoft.purview/accounts/sentinel-bug-bash-westeurope -d80e74e9-da11-4572-babc-79349f7685cc,"11/1/2021, 4:13:56.466 PM",00000000-0000-0000-0000-000000000000,DataSensitivityLogEvent,72f988bf-86f1-41af-91ab-2d7cd011db47,458b9821-8f00-483f-acf9-ff6ab17332c4,Sentinel-Bug-Bash-WestEurope,westeurope,AzureBlob-6Pi,AzureBlob,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourceGroups/classification-test/providers/Microsoft.Storage/storageAccounts/aipclptest,458b9821-8f00-483f-acf9-ff6ab17332c4,eastus,BugBashTest,,cz.txt,https://aipclptest.blob.core.windows.net/aipscan/PII/cz.txt,File,"2/13/2020, 7:54:22.000 PM","2/13/2020, 7:54:22.000 PM",,"11/1/2021, 4:10:30.589 PM",txt,124,Classification,System,"[""EU National Identification Number"",""EU Social Security Number (SSN) or Equivalent ID""]",2,,,,,PurviewDataSensitivityLogs,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourcegroups/purview-sentinel-bug-bash/providers/microsoft.purview/accounts/sentinel-bug-bash-westeurope -d80e74e9-da11-4572-babc-79349f7685cc,"11/1/2021, 4:13:56.472 PM",00000000-0000-0000-0000-000000000000,DataSensitivityLogEvent,72f988bf-86f1-41af-91ab-2d7cd011db47,458b9821-8f00-483f-acf9-ff6ab17332c4,Sentinel-Bug-Bash-WestEurope,westeurope,AzureBlob-6Pi,AzureBlob,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourceGroups/classification-test/providers/Microsoft.Storage/storageAccounts/aipclptest,458b9821-8f00-483f-acf9-ff6ab17332c4,eastus,BugBashTest,,ir-pps.docx,https://aipclptest.blob.core.windows.net/aipscan/PII/ir-pps.docx,File,"2/13/2020, 7:54:22.000 PM","2/13/2020, 7:54:22.000 PM",,"11/1/2021, 4:10:30.511 PM",docx,18806,Classification,System,"[""EU National Identification Number"",""EU Tax Identification Number (TIN)"",""Ireland Personal Public Service (PPS) Number""]",3,,,,,PurviewDataSensitivityLogs,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourcegroups/purview-sentinel-bug-bash/providers/microsoft.purview/accounts/sentinel-bug-bash-westeurope -d80e74e9-da11-4572-babc-79349f7685cc,"11/1/2021, 4:13:56.472 PM",00000000-0000-0000-0000-000000000000,DataSensitivityLogEvent,72f988bf-86f1-41af-91ab-2d7cd011db47,458b9821-8f00-483f-acf9-ff6ab17332c4,Sentinel-Bug-Bash-WestEurope,westeurope,AzureBlob-6Pi,AzureBlob,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourceGroups/classification-test/providers/Microsoft.Storage/storageAccounts/aipclptest,458b9821-8f00-483f-acf9-ff6ab17332c4,eastus,BugBashTest,,ir-pps.docx,https://aipclptest.blob.core.windows.net/aipscan/PII/ir-pps.docx,File,"2/13/2020, 7:54:22.000 PM","2/13/2020, 7:54:22.000 PM",,"11/1/2021, 4:10:30.511 PM",docx,18806,Labeling,External,[],0,f42aa342-8706-4288-bd11-ebb85995028c,General,,,PurviewDataSensitivityLogs,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourcegroups/purview-sentinel-bug-bash/providers/microsoft.purview/accounts/sentinel-bug-bash-westeurope -d80e74e9-da11-4572-babc-79349f7685cc,"11/1/2021, 4:13:56.472 PM",00000000-0000-0000-0000-000000000000,DataSensitivityLogEvent,72f988bf-86f1-41af-91ab-2d7cd011db47,458b9821-8f00-483f-acf9-ff6ab17332c4,Sentinel-Bug-Bash-WestEurope,westeurope,AzureBlob-6Pi,AzureBlob,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourceGroups/classification-test/providers/Microsoft.Storage/storageAccounts/aipclptest,458b9821-8f00-483f-acf9-ff6ab17332c4,eastus,BugBashTest,,de-id.docx,https://aipclptest.blob.core.windows.net/satintestcontainer/de-id.docx,File,"5/12/2021, 6:56:20.000 PM","5/12/2021, 6:56:20.000 PM",,"11/1/2021, 4:10:30.043 PM",docx,25558,Classification,System,"[""EU National Identification Number"",""Germany Identity Card Number""]",2,,,,,PurviewDataSensitivityLogs,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourcegroups/purview-sentinel-bug-bash/providers/microsoft.purview/accounts/sentinel-bug-bash-westeurope -d80e74e9-da11-4572-babc-79349f7685cc,"11/1/2021, 4:13:56.477 PM",00000000-0000-0000-0000-000000000000,DataSensitivityLogEvent,72f988bf-86f1-41af-91ab-2d7cd011db47,458b9821-8f00-483f-acf9-ff6ab17332c4,Sentinel-Bug-Bash-WestEurope,westeurope,AzureBlob-6Pi,AzureBlob,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourceGroups/classification-test/providers/Microsoft.Storage/storageAccounts/aipclptest,458b9821-8f00-483f-acf9-ff6ab17332c4,eastus,BugBashTest,,es-ssn.docx,https://aipclptest.blob.core.windows.net/satintestcontainer/es-ssn.docx,File,"5/12/2021, 6:56:19.000 PM","5/12/2021, 6:56:19.000 PM",,"11/1/2021, 4:10:30.043 PM",docx,26070,Classification,System,"[""Spain Social Security Number (SSN)""]",1,,,,,PurviewDataSensitivityLogs,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourcegroups/purview-sentinel-bug-bash/providers/microsoft.purview/accounts/sentinel-bug-bash-westeurope -d80e74e9-da11-4572-babc-79349f7685cc,"11/1/2021, 4:13:56.483 PM",00000000-0000-0000-0000-000000000000,DataSensitivityLogEvent,72f988bf-86f1-41af-91ab-2d7cd011db47,458b9821-8f00-483f-acf9-ff6ab17332c4,Sentinel-Bug-Bash-WestEurope,westeurope,AzureBlob-6Pi,AzureBlob,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourceGroups/classification-test/providers/Microsoft.Storage/storageAccounts/aipclptest,458b9821-8f00-483f-acf9-ff6ab17332c4,eastus,BugBashTest,,de-drv.docx,https://aipclptest.blob.core.windows.net/aipscan/PII/de-drv.docx,File,"2/13/2020, 7:54:22.000 PM","2/13/2020, 7:54:22.000 PM",,"11/1/2021, 4:10:30.933 PM",docx,18787,Classification,System,"[""EU Driver's License Number"",""German Driver's License Number""]",2,,,,,PurviewDataSensitivityLogs,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourcegroups/purview-sentinel-bug-bash/providers/microsoft.purview/accounts/sentinel-bug-bash-westeurope -d80e74e9-da11-4572-babc-79349f7685cc,"11/1/2021, 4:13:56.483 PM",00000000-0000-0000-0000-000000000000,DataSensitivityLogEvent,72f988bf-86f1-41af-91ab-2d7cd011db47,458b9821-8f00-483f-acf9-ff6ab17332c4,Sentinel-Bug-Bash-WestEurope,westeurope,AzureBlob-6Pi,AzureBlob,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourceGroups/classification-test/providers/Microsoft.Storage/storageAccounts/aipclptest,458b9821-8f00-483f-acf9-ff6ab17332c4,eastus,BugBashTest,,de-drv.docx,https://aipclptest.blob.core.windows.net/aipscan/PII/de-drv.docx,File,"2/13/2020, 7:54:22.000 PM","2/13/2020, 7:54:22.000 PM",,"11/1/2021, 4:10:30.933 PM",docx,18787,Labeling,External,[],0,f42aa342-8706-4288-bd11-ebb85995028c,General,,,PurviewDataSensitivityLogs,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourcegroups/purview-sentinel-bug-bash/providers/microsoft.purview/accounts/sentinel-bug-bash-westeurope -d80e74e9-da11-4572-babc-79349f7685cc,"11/1/2021, 4:13:56.483 PM",00000000-0000-0000-0000-000000000000,DataSensitivityLogEvent,72f988bf-86f1-41af-91ab-2d7cd011db47,458b9821-8f00-483f-acf9-ff6ab17332c4,Sentinel-Bug-Bash-WestEurope,westeurope,AzureBlob-6Pi,AzureBlob,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourceGroups/classification-test/providers/Microsoft.Storage/storageAccounts/aipclptest,458b9821-8f00-483f-acf9-ff6ab17332c4,eastus,BugBashTest,,Customers DB.xlsx,https://aipclptest.blob.core.windows.net/aipscan/CustomerData/Customers DB.xlsx,File,"2/13/2020, 7:53:51.000 PM","2/13/2020, 7:53:51.000 PM",,"11/1/2021, 4:10:26.276 PM",xlsx,14058,Classification,System,"[""Austria Driver's License Number"",""Belgium Driver's License Number"",""Bulgaria Passport Number"",""Credit Card Number"",""Croatia Driver's License Number"",""Croatia Passport Number"",""Cyprus Driver's License Number"",""Cyprus Identity Card"",""Czech Personal Identity Number"",""Czech Republic Passport Number"",""Denmark Driver's License Number"",""Denmark Passport Number"",""Denmark Personal Identification Number"",""EU Debit Card Number"",""EU Driver's License Number"",""EU National Identification Number"",""EU Passport Number"",""EU Social Security Number (SSN) or Equivalent ID"",""EU Tax Identification Number (TIN)"",""Finland Driver's License Number"",""Finland National ID"",""Finland Passport Number"",""France Driver's License Number"",""France National ID Card (CNI)"",""France Social Security Number (INSEE)"",""German Driver's License Number"",""German Passport Number"",""Germany Identity Card Number"",""Greece National ID Card"",""Greece Passport Number"",""Hungary Passport Number"",""IP Address"",""Ireland Passport Number"",""Ireland Personal Public Service (PPS) Number"",""Italy Driver's License Number"",""Italy Passport Number"",""Japan Driver's License Number"",""Japan Passport Number"",""Lithuania Driver's License Number"",""Lithuania Passport Number"",""Malaysia Identity Card Number"",""Malta Driver's License Number"",""Netherlands Passport Number"",""Poland Identity Card"",""Romania Passport Number"",""Russian Passport Number (Domestic)"",""Russian Passport Number (International)"",""Slovakia Driver's License Number"",""Slovakia Passport Number"",""Slovakia Personal Number"",""Slovenia Passport Number"",""Spain Social Security Number (SSN)"",""Sweden Driver's License Number"",""Sweden Passport Number"",""Taiwan Passport Number"",""U.K. Driver's License Number"",""U.K. Electoral Roll Number"",""U.K. National Health Service Number"",""U.K. National Insurance Number (NINO)"",""U.S. / U.K. Passport Number"",""Ukraine Passport Number (Domestic)""]",61,,,,,PurviewDataSensitivityLogs,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourcegroups/purview-sentinel-bug-bash/providers/microsoft.purview/accounts/sentinel-bug-bash-westeurope -d80e74e9-da11-4572-babc-79349f7685cc,"11/1/2021, 4:13:56.483 PM",00000000-0000-0000-0000-000000000000,DataSensitivityLogEvent,72f988bf-86f1-41af-91ab-2d7cd011db47,458b9821-8f00-483f-acf9-ff6ab17332c4,Sentinel-Bug-Bash-WestEurope,westeurope,AzureBlob-6Pi,AzureBlob,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourceGroups/classification-test/providers/Microsoft.Storage/storageAccounts/aipclptest,458b9821-8f00-483f-acf9-ff6ab17332c4,eastus,BugBashTest,,Customers DB.xlsx,https://aipclptest.blob.core.windows.net/aipscan/CustomerData/Customers DB.xlsx,File,"2/13/2020, 7:53:51.000 PM","2/13/2020, 7:53:51.000 PM",,"11/1/2021, 4:10:26.276 PM",xlsx,14058,Labeling,External,[],0,f42aa342-8706-4288-bd11-ebb85995028c,General,,,PurviewDataSensitivityLogs,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourcegroups/purview-sentinel-bug-bash/providers/microsoft.purview/accounts/sentinel-bug-bash-westeurope -d80e74e9-da11-4572-babc-79349f7685cc,"11/1/2021, 4:13:56.484 PM",00000000-0000-0000-0000-000000000000,DataSensitivityLogEvent,72f988bf-86f1-41af-91ab-2d7cd011db47,458b9821-8f00-483f-acf9-ff6ab17332c4,Sentinel-Bug-Bash-WestEurope,westeurope,AzureBlob-6Pi,AzureBlob,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourceGroups/classification-test/providers/Microsoft.Storage/storageAccounts/aipclptest,458b9821-8f00-483f-acf9-ff6ab17332c4,eastus,BugBashTest,,Customers data2015.docx,https://aipclptest.blob.core.windows.net/aipscan/CustomerData/Customers data2015.docx,File,"2/13/2020, 7:53:51.000 PM","2/13/2020, 7:53:51.000 PM",,"11/1/2021, 4:10:26.261 PM",docx,11141,Classification,System,"[""Credit Card Number"",""EU Debit Card Number""]",2,,,,,PurviewDataSensitivityLogs,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourcegroups/purview-sentinel-bug-bash/providers/microsoft.purview/accounts/sentinel-bug-bash-westeurope -d80e74e9-da11-4572-babc-79349f7685cc,"11/1/2021, 4:13:56.490 PM",00000000-0000-0000-0000-000000000000,DataSensitivityLogEvent,72f988bf-86f1-41af-91ab-2d7cd011db47,458b9821-8f00-483f-acf9-ff6ab17332c4,Sentinel-Bug-Bash-WestEurope,westeurope,AzureBlob-6Pi,AzureBlob,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourceGroups/classification-test/providers/Microsoft.Storage/storageAccounts/aipclptest,458b9821-8f00-483f-acf9-ff6ab17332c4,eastus,BugBashTest,,cr-oib.docx,https://aipclptest.blob.core.windows.net/aipscan/HR/cr-oib.docx,File,"2/13/2020, 7:54:12.000 PM","2/13/2020, 7:54:12.000 PM",,"11/1/2021, 4:10:26.690 PM",docx,20160,Classification,System,"[""EU National Identification Number""]",1,,,,,PurviewDataSensitivityLogs,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourcegroups/purview-sentinel-bug-bash/providers/microsoft.purview/accounts/sentinel-bug-bash-westeurope -d80e74e9-da11-4572-babc-79349f7685cc,"11/1/2021, 4:13:56.490 PM",00000000-0000-0000-0000-000000000000,DataSensitivityLogEvent,72f988bf-86f1-41af-91ab-2d7cd011db47,458b9821-8f00-483f-acf9-ff6ab17332c4,Sentinel-Bug-Bash-WestEurope,westeurope,AzureBlob-6Pi,AzureBlob,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourceGroups/classification-test/providers/Microsoft.Storage/storageAccounts/aipclptest,458b9821-8f00-483f-acf9-ff6ab17332c4,eastus,BugBashTest,,cr-oib.docx,https://aipclptest.blob.core.windows.net/aipscan/HR/cr-oib.docx,File,"2/13/2020, 7:54:12.000 PM","2/13/2020, 7:54:12.000 PM",,"11/1/2021, 4:10:26.690 PM",docx,20160,Labeling,External,[],0,f42aa342-8706-4288-bd11-ebb85995028c,General,,,PurviewDataSensitivityLogs,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourcegroups/purview-sentinel-bug-bash/providers/microsoft.purview/accounts/sentinel-bug-bash-westeurope -d80e74e9-da11-4572-babc-79349f7685cc,"11/1/2021, 4:13:56.490 PM",00000000-0000-0000-0000-000000000000,DataSensitivityLogEvent,72f988bf-86f1-41af-91ab-2d7cd011db47,458b9821-8f00-483f-acf9-ff6ab17332c4,Sentinel-Bug-Bash-WestEurope,westeurope,AzureBlob-6Pi,AzureBlob,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourceGroups/classification-test/providers/Microsoft.Storage/storageAccounts/aipclptest,458b9821-8f00-483f-acf9-ff6ab17332c4,eastus,BugBashTest,,fr-cni-pdf.pdf,https://aipclptest.blob.core.windows.net/aipscan/HR/fr-cni-pdf.pdf,File,"2/13/2020, 7:54:12.000 PM","2/13/2020, 7:54:12.000 PM",,"11/1/2021, 4:10:26.705 PM",pdf,362484,Classification,System,"[""EU National Identification Number"",""France National ID Card (CNI)""]",2,,,,,PurviewDataSensitivityLogs,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourcegroups/purview-sentinel-bug-bash/providers/microsoft.purview/accounts/sentinel-bug-bash-westeurope -d80e74e9-da11-4572-babc-79349f7685cc,"11/1/2021, 4:13:56.490 PM",00000000-0000-0000-0000-000000000000,DataSensitivityLogEvent,72f988bf-86f1-41af-91ab-2d7cd011db47,458b9821-8f00-483f-acf9-ff6ab17332c4,Sentinel-Bug-Bash-WestEurope,westeurope,AzureBlob-6Pi,AzureBlob,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourceGroups/classification-test/providers/Microsoft.Storage/storageAccounts/aipclptest,458b9821-8f00-483f-acf9-ff6ab17332c4,eastus,BugBashTest,,fr-cni-pdf.pdf,https://aipclptest.blob.core.windows.net/aipscan/HR/fr-cni-pdf.pdf,File,"2/13/2020, 7:54:12.000 PM","2/13/2020, 7:54:12.000 PM",,"11/1/2021, 4:10:26.705 PM",pdf,362484,Labeling,External,[],0,f42aa342-8706-4288-bd11-ebb85995028c,General,,,PurviewDataSensitivityLogs,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourcegroups/purview-sentinel-bug-bash/providers/microsoft.purview/accounts/sentinel-bug-bash-westeurope -d80e74e9-da11-4572-babc-79349f7685cc,"11/1/2021, 4:13:56.695 PM",00000000-0000-0000-0000-000000000000,DataSensitivityLogEvent,72f988bf-86f1-41af-91ab-2d7cd011db47,458b9821-8f00-483f-acf9-ff6ab17332c4,Sentinel-Bug-Bash-WestEurope,westeurope,AzureBlob-6Pi,AzureBlob,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourceGroups/classification-test/providers/Microsoft.Storage/storageAccounts/aipclptest,458b9821-8f00-483f-acf9-ff6ab17332c4,eastus,BugBashTest,,ir-pps.docx,https://aipclptest.blob.core.windows.net/aashishr01/ir-pps.docx,File,"12/11/2020, 8:59:33.000 PM","12/11/2020, 8:59:33.000 PM",,"11/1/2021, 4:10:10.947 PM",docx,25964,Labeling,Default,[],0,9fbde396-1a24-4c79-8edf-9254a0f35055,Confidential\Microsoft Extended,,,PurviewDataSensitivityLogs,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourcegroups/purview-sentinel-bug-bash/providers/microsoft.purview/accounts/sentinel-bug-bash-westeurope -d80e74e9-da11-4572-babc-79349f7685cc,"11/1/2021, 4:13:56.967 PM",00000000-0000-0000-0000-000000000000,DataSensitivityLogEvent,72f988bf-86f1-41af-91ab-2d7cd011db47,458b9821-8f00-483f-acf9-ff6ab17332c4,Sentinel-Bug-Bash-WestEurope,westeurope,AzureBlob-6Pi,AzureBlob,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourceGroups/classification-test/providers/Microsoft.Storage/storageAccounts/aipclptest,458b9821-8f00-483f-acf9-ff6ab17332c4,eastus,BugBashTest,,uk-pn.docx,https://aipclptest.blob.core.windows.net/aashishr01/uk-pn.docx,File,"12/11/2020, 8:59:35.000 PM","12/11/2020, 8:59:35.000 PM",,"11/1/2021, 4:10:10.572 PM",docx,26383,Labeling,Default,[],0,9fbde396-1a24-4c79-8edf-9254a0f35055,Confidential\Microsoft Extended,,,PurviewDataSensitivityLogs,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourcegroups/purview-sentinel-bug-bash/providers/microsoft.purview/accounts/sentinel-bug-bash-westeurope -d80e74e9-da11-4572-babc-79349f7685cc,"11/1/2021, 4:13:56.969 PM",00000000-0000-0000-0000-000000000000,DataSensitivityLogEvent,72f988bf-86f1-41af-91ab-2d7cd011db47,458b9821-8f00-483f-acf9-ff6ab17332c4,Sentinel-Bug-Bash-WestEurope,westeurope,AzureBlob-6Pi,AzureBlob,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourceGroups/classification-test/providers/Microsoft.Storage/storageAccounts/aipclptest,458b9821-8f00-483f-acf9-ff6ab17332c4,eastus,BugBashTest,,Customers data2016.docx,https://aipclptest.blob.core.windows.net/aipscan/CustomerData/Customers data2016.docx,File,"2/13/2020, 7:53:51.000 PM","2/13/2020, 7:53:51.000 PM",,"11/1/2021, 4:10:26.230 PM",docx,11916,Labeling,Default,[],0,9fbde396-1a24-4c79-8edf-9254a0f35055,Confidential\Microsoft Extended,,,PurviewDataSensitivityLogs,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourcegroups/purview-sentinel-bug-bash/providers/microsoft.purview/accounts/sentinel-bug-bash-westeurope -d80e74e9-da11-4572-babc-79349f7685cc,"11/1/2021, 4:13:56.997 PM",00000000-0000-0000-0000-000000000000,DataSensitivityLogEvent,72f988bf-86f1-41af-91ab-2d7cd011db47,458b9821-8f00-483f-acf9-ff6ab17332c4,Sentinel-Bug-Bash-WestEurope,westeurope,AzureBlob-6Pi,AzureBlob,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourceGroups/classification-test/providers/Microsoft.Storage/storageAccounts/aipclptest,458b9821-8f00-483f-acf9-ff6ab17332c4,eastus,BugBashTest,,denmark.txt,https://aipclptest.blob.core.windows.net/aipscan/PII/denmark.txt,File,"2/13/2020, 7:54:22.000 PM","2/13/2020, 7:54:22.000 PM",,"11/1/2021, 4:10:27.402 PM",txt,128,Labeling,Default,[],0,9fbde396-1a24-4c79-8edf-9254a0f35055,Confidential\Microsoft Extended,,,PurviewDataSensitivityLogs,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourcegroups/purview-sentinel-bug-bash/providers/microsoft.purview/accounts/sentinel-bug-bash-westeurope -d80e74e9-da11-4572-babc-79349f7685cc,"11/1/2021, 4:13:57.015 PM",00000000-0000-0000-0000-000000000000,DataSensitivityLogEvent,72f988bf-86f1-41af-91ab-2d7cd011db47,458b9821-8f00-483f-acf9-ff6ab17332c4,Sentinel-Bug-Bash-WestEurope,westeurope,AzureBlob-6Pi,AzureBlob,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourceGroups/classification-test/providers/Microsoft.Storage/storageAccounts/aipclptest,458b9821-8f00-483f-acf9-ff6ab17332c4,eastus,BugBashTest,,de-pn.docx,https://aipclptest.blob.core.windows.net/aipscan/PII/de-pn.docx,File,"2/13/2020, 7:54:22.000 PM","2/13/2020, 7:54:22.000 PM",,"11/1/2021, 4:10:27.386 PM",docx,18714,Labeling,External,[],0,f42aa342-8706-4288-bd11-ebb85995028c,General,,,PurviewDataSensitivityLogs,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourcegroups/purview-sentinel-bug-bash/providers/microsoft.purview/accounts/sentinel-bug-bash-westeurope -d80e74e9-da11-4572-babc-79349f7685cc,"11/1/2021, 4:13:57.016 PM",00000000-0000-0000-0000-000000000000,DataSensitivityLogEvent,72f988bf-86f1-41af-91ab-2d7cd011db47,458b9821-8f00-483f-acf9-ff6ab17332c4,Sentinel-Bug-Bash-WestEurope,westeurope,AzureBlob-6Pi,AzureBlob,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourceGroups/classification-test/providers/Microsoft.Storage/storageAccounts/aipclptest,458b9821-8f00-483f-acf9-ff6ab17332c4,eastus,BugBashTest,,uk-drv.docx,https://aipclptest.blob.core.windows.net/aipscan/PII/uk-drv.docx,File,"2/13/2020, 7:54:22.000 PM","2/13/2020, 7:54:22.000 PM",,"11/1/2021, 4:10:27.073 PM",docx,18847,Classification,System,"[""EU Driver's License Number"",""U.K. Driver's License Number""]",2,,,,,PurviewDataSensitivityLogs,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourcegroups/purview-sentinel-bug-bash/providers/microsoft.purview/accounts/sentinel-bug-bash-westeurope -d80e74e9-da11-4572-babc-79349f7685cc,"11/1/2021, 4:13:57.016 PM",00000000-0000-0000-0000-000000000000,DataSensitivityLogEvent,72f988bf-86f1-41af-91ab-2d7cd011db47,458b9821-8f00-483f-acf9-ff6ab17332c4,Sentinel-Bug-Bash-WestEurope,westeurope,AzureBlob-6Pi,AzureBlob,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourceGroups/classification-test/providers/Microsoft.Storage/storageAccounts/aipclptest,458b9821-8f00-483f-acf9-ff6ab17332c4,eastus,BugBashTest,,uk-drv.docx,https://aipclptest.blob.core.windows.net/aipscan/PII/uk-drv.docx,File,"2/13/2020, 7:54:22.000 PM","2/13/2020, 7:54:22.000 PM",,"11/1/2021, 4:10:27.073 PM",docx,18847,Labeling,External,[],0,f42aa342-8706-4288-bd11-ebb85995028c,General,,,PurviewDataSensitivityLogs,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourcegroups/purview-sentinel-bug-bash/providers/microsoft.purview/accounts/sentinel-bug-bash-westeurope -d80e74e9-da11-4572-babc-79349f7685cc,"11/1/2021, 4:13:57.016 PM",00000000-0000-0000-0000-000000000000,DataSensitivityLogEvent,72f988bf-86f1-41af-91ab-2d7cd011db47,458b9821-8f00-483f-acf9-ff6ab17332c4,Sentinel-Bug-Bash-WestEurope,westeurope,AzureBlob-6Pi,AzureBlob,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourceGroups/classification-test/providers/Microsoft.Storage/storageAccounts/aipclptest,458b9821-8f00-483f-acf9-ff6ab17332c4,eastus,BugBashTest,,EL.txt,https://aipclptest.blob.core.windows.net/aashishr01/EL.txt,File,"12/11/2020, 8:59:35.000 PM","12/11/2020, 8:59:35.000 PM",,"11/1/2021, 4:10:08.213 PM",txt,200,Classification,System,"[""EU National Identification Number"",""Greece National ID Card""]",2,,,,,PurviewDataSensitivityLogs,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourcegroups/purview-sentinel-bug-bash/providers/microsoft.purview/accounts/sentinel-bug-bash-westeurope -d80e74e9-da11-4572-babc-79349f7685cc,"11/1/2021, 4:13:57.022 PM",00000000-0000-0000-0000-000000000000,DataSensitivityLogEvent,72f988bf-86f1-41af-91ab-2d7cd011db47,458b9821-8f00-483f-acf9-ff6ab17332c4,Sentinel-Bug-Bash-WestEurope,westeurope,AzureBlob-6Pi,AzureBlob,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourceGroups/classification-test/providers/Microsoft.Storage/storageAccounts/aipclptest,458b9821-8f00-483f-acf9-ff6ab17332c4,eastus,BugBashTest,,Acme Background Check-Katana.doc,https://aipclptest.blob.core.windows.net/satintestcontainer/test5/Acme Background Check-Katana.doc,File,"2/16/2021, 9:35:29.000 AM","2/16/2021, 9:35:29.000 AM",,"11/1/2021, 4:10:36.874 PM",doc,90624,Classification,System,"[""Credit Card Number"",""U.S. Social Security Number (SSN)""]",2,,,,,PurviewDataSensitivityLogs,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourcegroups/purview-sentinel-bug-bash/providers/microsoft.purview/accounts/sentinel-bug-bash-westeurope -d80e74e9-da11-4572-babc-79349f7685cc,"11/1/2021, 4:13:57.028 PM",00000000-0000-0000-0000-000000000000,DataSensitivityLogEvent,72f988bf-86f1-41af-91ab-2d7cd011db47,458b9821-8f00-483f-acf9-ff6ab17332c4,Sentinel-Bug-Bash-WestEurope,westeurope,AzureBlob-6Pi,AzureBlob,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourceGroups/classification-test/providers/Microsoft.Storage/storageAccounts/aipclptest,458b9821-8f00-483f-acf9-ff6ab17332c4,eastus,BugBashTest,,finland.txt,https://aipclptest.blob.core.windows.net/aipscan/PII/finland.txt,File,"2/13/2020, 7:54:22.000 PM","2/13/2020, 7:54:22.000 PM",,"11/1/2021, 4:10:28.230 PM",txt,89,Classification,System,"[""EU National Identification Number"",""EU Social Security Number (SSN) or Equivalent ID"",""EU Tax Identification Number (TIN)"",""Finland National ID""]",4,,,,,PurviewDataSensitivityLogs,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourcegroups/purview-sentinel-bug-bash/providers/microsoft.purview/accounts/sentinel-bug-bash-westeurope -d80e74e9-da11-4572-babc-79349f7685cc,"11/1/2021, 4:13:57.035 PM",00000000-0000-0000-0000-000000000000,DataSensitivityLogEvent,72f988bf-86f1-41af-91ab-2d7cd011db47,458b9821-8f00-483f-acf9-ff6ab17332c4,Sentinel-Bug-Bash-WestEurope,westeurope,AzureBlob-6Pi,AzureBlob,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourceGroups/classification-test/providers/Microsoft.Storage/storageAccounts/aipclptest,458b9821-8f00-483f-acf9-ff6ab17332c4,eastus,BugBashTest,,es-ssn.docx,https://aipclptest.blob.core.windows.net/aipscan/PII/es-ssn.docx,File,"2/13/2020, 7:54:22.000 PM","2/13/2020, 7:54:22.000 PM",,"11/1/2021, 4:10:28.230 PM",docx,18723,Classification,System,"[""Spain Social Security Number (SSN)""]",1,,,,,PurviewDataSensitivityLogs,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourcegroups/purview-sentinel-bug-bash/providers/microsoft.purview/accounts/sentinel-bug-bash-westeurope -d80e74e9-da11-4572-babc-79349f7685cc,"11/1/2021, 4:13:57.035 PM",00000000-0000-0000-0000-000000000000,DataSensitivityLogEvent,72f988bf-86f1-41af-91ab-2d7cd011db47,458b9821-8f00-483f-acf9-ff6ab17332c4,Sentinel-Bug-Bash-WestEurope,westeurope,AzureBlob-6Pi,AzureBlob,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourceGroups/classification-test/providers/Microsoft.Storage/storageAccounts/aipclptest,458b9821-8f00-483f-acf9-ff6ab17332c4,eastus,BugBashTest,,es-ssn.docx,https://aipclptest.blob.core.windows.net/aipscan/PII/es-ssn.docx,File,"2/13/2020, 7:54:22.000 PM","2/13/2020, 7:54:22.000 PM",,"11/1/2021, 4:10:28.230 PM",docx,18723,Labeling,External,[],0,f42aa342-8706-4288-bd11-ebb85995028c,General,,,PurviewDataSensitivityLogs,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourcegroups/purview-sentinel-bug-bash/providers/microsoft.purview/accounts/sentinel-bug-bash-westeurope -d80e74e9-da11-4572-babc-79349f7685cc,"11/1/2021, 4:13:57.035 PM",00000000-0000-0000-0000-000000000000,DataSensitivityLogEvent,72f988bf-86f1-41af-91ab-2d7cd011db47,458b9821-8f00-483f-acf9-ff6ab17332c4,Sentinel-Bug-Bash-WestEurope,westeurope,AzureBlob-6Pi,AzureBlob,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourceGroups/classification-test/providers/Microsoft.Storage/storageAccounts/aipclptest,458b9821-8f00-483f-acf9-ff6ab17332c4,eastus,BugBashTest,,dk-id.docx,https://aipclptest.blob.core.windows.net/aipscan/PII/dk-id.docx,File,"2/13/2020, 7:54:22.000 PM","2/13/2020, 7:54:22.000 PM",,"11/1/2021, 4:10:28.261 PM",docx,18756,Classification,System,"[""Denmark Personal Identification Number"",""EU National Identification Number"",""EU Social Security Number (SSN) or Equivalent ID"",""EU Tax Identification Number (TIN)""]",4,,,,,PurviewDataSensitivityLogs,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourcegroups/purview-sentinel-bug-bash/providers/microsoft.purview/accounts/sentinel-bug-bash-westeurope -d80e74e9-da11-4572-babc-79349f7685cc,"11/1/2021, 4:13:57.035 PM",00000000-0000-0000-0000-000000000000,DataSensitivityLogEvent,72f988bf-86f1-41af-91ab-2d7cd011db47,458b9821-8f00-483f-acf9-ff6ab17332c4,Sentinel-Bug-Bash-WestEurope,westeurope,AzureBlob-6Pi,AzureBlob,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourceGroups/classification-test/providers/Microsoft.Storage/storageAccounts/aipclptest,458b9821-8f00-483f-acf9-ff6ab17332c4,eastus,BugBashTest,,dk-id.docx,https://aipclptest.blob.core.windows.net/aipscan/PII/dk-id.docx,File,"2/13/2020, 7:54:22.000 PM","2/13/2020, 7:54:22.000 PM",,"11/1/2021, 4:10:28.261 PM",docx,18756,Labeling,External,[],0,f42aa342-8706-4288-bd11-ebb85995028c,General,,,PurviewDataSensitivityLogs,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourcegroups/purview-sentinel-bug-bash/providers/microsoft.purview/accounts/sentinel-bug-bash-westeurope -d80e74e9-da11-4572-babc-79349f7685cc,"11/1/2021, 4:13:57.035 PM",00000000-0000-0000-0000-000000000000,DataSensitivityLogEvent,72f988bf-86f1-41af-91ab-2d7cd011db47,458b9821-8f00-483f-acf9-ff6ab17332c4,Sentinel-Bug-Bash-WestEurope,westeurope,AzureBlob-6Pi,AzureBlob,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourceGroups/classification-test/providers/Microsoft.Storage/storageAccounts/aipclptest,458b9821-8f00-483f-acf9-ff6ab17332c4,eastus,BugBashTest,,fi-pn.docx,https://aipclptest.blob.core.windows.net/aipscan/PII/fi-pn.docx,File,"2/13/2020, 7:54:22.000 PM","2/13/2020, 7:54:22.000 PM",,"11/1/2021, 4:10:30.183 PM",docx,18734,Classification,System,"[""Japan Passport Number""]",1,,,,,PurviewDataSensitivityLogs,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourcegroups/purview-sentinel-bug-bash/providers/microsoft.purview/accounts/sentinel-bug-bash-westeurope -d80e74e9-da11-4572-babc-79349f7685cc,"11/1/2021, 4:13:57.036 PM",00000000-0000-0000-0000-000000000000,DataSensitivityLogEvent,72f988bf-86f1-41af-91ab-2d7cd011db47,458b9821-8f00-483f-acf9-ff6ab17332c4,Sentinel-Bug-Bash-WestEurope,westeurope,AzureBlob-6Pi,AzureBlob,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourceGroups/classification-test/providers/Microsoft.Storage/storageAccounts/aipclptest,458b9821-8f00-483f-acf9-ff6ab17332c4,eastus,BugBashTest,,fi-pn.docx,https://aipclptest.blob.core.windows.net/aipscan/PII/fi-pn.docx,File,"2/13/2020, 7:54:22.000 PM","2/13/2020, 7:54:22.000 PM",,"11/1/2021, 4:10:30.183 PM",docx,18734,Labeling,External,[],0,f42aa342-8706-4288-bd11-ebb85995028c,General,,,PurviewDataSensitivityLogs,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourcegroups/purview-sentinel-bug-bash/providers/microsoft.purview/accounts/sentinel-bug-bash-westeurope -d80e74e9-da11-4572-babc-79349f7685cc,"11/1/2021, 4:13:57.036 PM",00000000-0000-0000-0000-000000000000,DataSensitivityLogEvent,72f988bf-86f1-41af-91ab-2d7cd011db47,458b9821-8f00-483f-acf9-ff6ab17332c4,Sentinel-Bug-Bash-WestEurope,westeurope,AzureBlob-6Pi,AzureBlob,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourceGroups/classification-test/providers/Microsoft.Storage/storageAccounts/aipclptest,458b9821-8f00-483f-acf9-ff6ab17332c4,eastus,BugBashTest,,fr-insee.docx,https://aipclptest.blob.core.windows.net/aipscan/PII/fr-insee.docx,File,"2/13/2020, 7:54:22.000 PM","2/13/2020, 7:54:22.000 PM",,"11/1/2021, 4:10:28.198 PM",docx,20294,Classification,System,"[""EU Social Security Number (SSN) or Equivalent ID"",""France Social Security Number (INSEE)""]",2,,,,,PurviewDataSensitivityLogs,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourcegroups/purview-sentinel-bug-bash/providers/microsoft.purview/accounts/sentinel-bug-bash-westeurope -d80e74e9-da11-4572-babc-79349f7685cc,"11/1/2021, 4:13:57.036 PM",00000000-0000-0000-0000-000000000000,DataSensitivityLogEvent,72f988bf-86f1-41af-91ab-2d7cd011db47,458b9821-8f00-483f-acf9-ff6ab17332c4,Sentinel-Bug-Bash-WestEurope,westeurope,AzureBlob-6Pi,AzureBlob,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourceGroups/classification-test/providers/Microsoft.Storage/storageAccounts/aipclptest,458b9821-8f00-483f-acf9-ff6ab17332c4,eastus,BugBashTest,,fr-insee.docx,https://aipclptest.blob.core.windows.net/aipscan/PII/fr-insee.docx,File,"2/13/2020, 7:54:22.000 PM","2/13/2020, 7:54:22.000 PM",,"11/1/2021, 4:10:28.198 PM",docx,20294,Labeling,External,[],0,f42aa342-8706-4288-bd11-ebb85995028c,General,,,PurviewDataSensitivityLogs,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourcegroups/purview-sentinel-bug-bash/providers/microsoft.purview/accounts/sentinel-bug-bash-westeurope -d80e74e9-da11-4572-babc-79349f7685cc,"11/1/2021, 4:13:57.036 PM",00000000-0000-0000-0000-000000000000,DataSensitivityLogEvent,72f988bf-86f1-41af-91ab-2d7cd011db47,458b9821-8f00-483f-acf9-ff6ab17332c4,Sentinel-Bug-Bash-WestEurope,westeurope,AzureBlob-6Pi,AzureBlob,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourceGroups/classification-test/providers/Microsoft.Storage/storageAccounts/aipclptest,458b9821-8f00-483f-acf9-ff6ab17332c4,eastus,BugBashTest,,uk-nino.docx,https://aipclptest.blob.core.windows.net/aipscan/PII/uk-nino.docx,File,"2/13/2020, 7:54:22.000 PM","2/13/2020, 7:54:22.000 PM",,"11/1/2021, 4:10:30.511 PM",docx,18847,Classification,System,"[""EU National Identification Number"",""U.K. National Insurance Number (NINO)""]",2,,,,,PurviewDataSensitivityLogs,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourcegroups/purview-sentinel-bug-bash/providers/microsoft.purview/accounts/sentinel-bug-bash-westeurope -d80e74e9-da11-4572-babc-79349f7685cc,"11/1/2021, 4:13:57.036 PM",00000000-0000-0000-0000-000000000000,DataSensitivityLogEvent,72f988bf-86f1-41af-91ab-2d7cd011db47,458b9821-8f00-483f-acf9-ff6ab17332c4,Sentinel-Bug-Bash-WestEurope,westeurope,AzureBlob-6Pi,AzureBlob,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourceGroups/classification-test/providers/Microsoft.Storage/storageAccounts/aipclptest,458b9821-8f00-483f-acf9-ff6ab17332c4,eastus,BugBashTest,,uk-nino.docx,https://aipclptest.blob.core.windows.net/aipscan/PII/uk-nino.docx,File,"2/13/2020, 7:54:22.000 PM","2/13/2020, 7:54:22.000 PM",,"11/1/2021, 4:10:30.511 PM",docx,18847,Labeling,External,[],0,f42aa342-8706-4288-bd11-ebb85995028c,General,,,PurviewDataSensitivityLogs,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourcegroups/purview-sentinel-bug-bash/providers/microsoft.purview/accounts/sentinel-bug-bash-westeurope -d80e74e9-da11-4572-babc-79349f7685cc,"11/1/2021, 4:13:57.036 PM",00000000-0000-0000-0000-000000000000,DataSensitivityLogEvent,72f988bf-86f1-41af-91ab-2d7cd011db47,458b9821-8f00-483f-acf9-ff6ab17332c4,Sentinel-Bug-Bash-WestEurope,westeurope,AzureBlob-6Pi,AzureBlob,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourceGroups/classification-test/providers/Microsoft.Storage/storageAccounts/aipclptest,458b9821-8f00-483f-acf9-ff6ab17332c4,eastus,BugBashTest,,cr-oib.docx,https://aipclptest.blob.core.windows.net/aipscan/PII/cr-oib.docx,File,"2/13/2020, 7:54:22.000 PM","2/13/2020, 7:54:22.000 PM",,"11/1/2021, 4:10:30.089 PM",docx,18746,Classification,System,"[""EU National Identification Number""]",1,,,,,PurviewDataSensitivityLogs,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourcegroups/purview-sentinel-bug-bash/providers/microsoft.purview/accounts/sentinel-bug-bash-westeurope -d80e74e9-da11-4572-babc-79349f7685cc,"11/1/2021, 4:13:57.036 PM",00000000-0000-0000-0000-000000000000,DataSensitivityLogEvent,72f988bf-86f1-41af-91ab-2d7cd011db47,458b9821-8f00-483f-acf9-ff6ab17332c4,Sentinel-Bug-Bash-WestEurope,westeurope,AzureBlob-6Pi,AzureBlob,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourceGroups/classification-test/providers/Microsoft.Storage/storageAccounts/aipclptest,458b9821-8f00-483f-acf9-ff6ab17332c4,eastus,BugBashTest,,cr-oib.docx,https://aipclptest.blob.core.windows.net/aipscan/PII/cr-oib.docx,File,"2/13/2020, 7:54:22.000 PM","2/13/2020, 7:54:22.000 PM",,"11/1/2021, 4:10:30.089 PM",docx,18746,Labeling,External,[],0,f42aa342-8706-4288-bd11-ebb85995028c,General,,,PurviewDataSensitivityLogs,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourcegroups/purview-sentinel-bug-bash/providers/microsoft.purview/accounts/sentinel-bug-bash-westeurope -d80e74e9-da11-4572-babc-79349f7685cc,"11/1/2021, 4:13:57.037 PM",00000000-0000-0000-0000-000000000000,DataSensitivityLogEvent,72f988bf-86f1-41af-91ab-2d7cd011db47,458b9821-8f00-483f-acf9-ff6ab17332c4,Sentinel-Bug-Bash-WestEurope,westeurope,AzureBlob-6Pi,AzureBlob,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourceGroups/classification-test/providers/Microsoft.Storage/storageAccounts/aipclptest,458b9821-8f00-483f-acf9-ff6ab17332c4,eastus,BugBashTest,,uk-roll.docx,https://aipclptest.blob.core.windows.net/aipscan/PII/uk-roll.docx,File,"2/13/2020, 7:54:22.000 PM","2/13/2020, 7:54:22.000 PM",,"11/1/2021, 4:10:30.183 PM",docx,18608,Classification,System,"[""U.K. Electoral Roll Number""]",1,,,,,PurviewDataSensitivityLogs,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourcegroups/purview-sentinel-bug-bash/providers/microsoft.purview/accounts/sentinel-bug-bash-westeurope -d80e74e9-da11-4572-babc-79349f7685cc,"11/1/2021, 4:13:57.037 PM",00000000-0000-0000-0000-000000000000,DataSensitivityLogEvent,72f988bf-86f1-41af-91ab-2d7cd011db47,458b9821-8f00-483f-acf9-ff6ab17332c4,Sentinel-Bug-Bash-WestEurope,westeurope,AzureBlob-6Pi,AzureBlob,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourceGroups/classification-test/providers/Microsoft.Storage/storageAccounts/aipclptest,458b9821-8f00-483f-acf9-ff6ab17332c4,eastus,BugBashTest,,uk-roll.docx,https://aipclptest.blob.core.windows.net/aipscan/PII/uk-roll.docx,File,"2/13/2020, 7:54:22.000 PM","2/13/2020, 7:54:22.000 PM",,"11/1/2021, 4:10:30.183 PM",docx,18608,Labeling,External,[],0,f42aa342-8706-4288-bd11-ebb85995028c,General,,,PurviewDataSensitivityLogs,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourcegroups/purview-sentinel-bug-bash/providers/microsoft.purview/accounts/sentinel-bug-bash-westeurope -d80e74e9-da11-4572-babc-79349f7685cc,"11/1/2021, 4:13:57.037 PM",00000000-0000-0000-0000-000000000000,DataSensitivityLogEvent,72f988bf-86f1-41af-91ab-2d7cd011db47,458b9821-8f00-483f-acf9-ff6ab17332c4,Sentinel-Bug-Bash-WestEurope,westeurope,AzureBlob-6Pi,AzureBlob,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourceGroups/classification-test/providers/Microsoft.Storage/storageAccounts/aipclptest,458b9821-8f00-483f-acf9-ff6ab17332c4,eastus,BugBashTest,,el-id.docx,https://aipclptest.blob.core.windows.net/aipscan/PII/el-id.docx,File,"2/13/2020, 7:54:22.000 PM","2/13/2020, 7:54:22.000 PM",,"11/1/2021, 4:10:29.605 PM",docx,18834,Classification,System,"[""EU National Identification Number"",""Greece National ID Card""]",2,,,,,PurviewDataSensitivityLogs,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourcegroups/purview-sentinel-bug-bash/providers/microsoft.purview/accounts/sentinel-bug-bash-westeurope -d80e74e9-da11-4572-babc-79349f7685cc,"11/1/2021, 4:13:57.037 PM",00000000-0000-0000-0000-000000000000,DataSensitivityLogEvent,72f988bf-86f1-41af-91ab-2d7cd011db47,458b9821-8f00-483f-acf9-ff6ab17332c4,Sentinel-Bug-Bash-WestEurope,westeurope,AzureBlob-6Pi,AzureBlob,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourceGroups/classification-test/providers/Microsoft.Storage/storageAccounts/aipclptest,458b9821-8f00-483f-acf9-ff6ab17332c4,eastus,BugBashTest,,el-id.docx,https://aipclptest.blob.core.windows.net/aipscan/PII/el-id.docx,File,"2/13/2020, 7:54:22.000 PM","2/13/2020, 7:54:22.000 PM",,"11/1/2021, 4:10:29.605 PM",docx,18834,Labeling,External,[],0,f42aa342-8706-4288-bd11-ebb85995028c,General,,,PurviewDataSensitivityLogs,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourcegroups/purview-sentinel-bug-bash/providers/microsoft.purview/accounts/sentinel-bug-bash-westeurope -d80e74e9-da11-4572-babc-79349f7685cc,"11/1/2021, 4:13:57.037 PM",00000000-0000-0000-0000-000000000000,DataSensitivityLogEvent,72f988bf-86f1-41af-91ab-2d7cd011db47,458b9821-8f00-483f-acf9-ff6ab17332c4,Sentinel-Bug-Bash-WestEurope,westeurope,AzureBlob-6Pi,AzureBlob,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourceGroups/classification-test/providers/Microsoft.Storage/storageAccounts/aipclptest,458b9821-8f00-483f-acf9-ff6ab17332c4,eastus,BugBashTest,,fi-id.docx,https://aipclptest.blob.core.windows.net/aipscan/PII/fi-id.docx,File,"2/13/2020, 7:54:22.000 PM","2/13/2020, 7:54:22.000 PM",,"11/1/2021, 4:10:29.995 PM",docx,18792,Classification,System,"[""EU National Identification Number"",""EU Social Security Number (SSN) or Equivalent ID"",""EU Tax Identification Number (TIN)"",""Finland National ID""]",4,,,,,PurviewDataSensitivityLogs,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourcegroups/purview-sentinel-bug-bash/providers/microsoft.purview/accounts/sentinel-bug-bash-westeurope -d80e74e9-da11-4572-babc-79349f7685cc,"11/1/2021, 4:13:57.037 PM",00000000-0000-0000-0000-000000000000,DataSensitivityLogEvent,72f988bf-86f1-41af-91ab-2d7cd011db47,458b9821-8f00-483f-acf9-ff6ab17332c4,Sentinel-Bug-Bash-WestEurope,westeurope,AzureBlob-6Pi,AzureBlob,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourceGroups/classification-test/providers/Microsoft.Storage/storageAccounts/aipclptest,458b9821-8f00-483f-acf9-ff6ab17332c4,eastus,BugBashTest,,fi-id.docx,https://aipclptest.blob.core.windows.net/aipscan/PII/fi-id.docx,File,"2/13/2020, 7:54:22.000 PM","2/13/2020, 7:54:22.000 PM",,"11/1/2021, 4:10:29.995 PM",docx,18792,Labeling,External,[],0,f42aa342-8706-4288-bd11-ebb85995028c,General,,,PurviewDataSensitivityLogs,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourcegroups/purview-sentinel-bug-bash/providers/microsoft.purview/accounts/sentinel-bug-bash-westeurope -d80e74e9-da11-4572-babc-79349f7685cc,"11/1/2021, 4:13:57.037 PM",00000000-0000-0000-0000-000000000000,DataSensitivityLogEvent,72f988bf-86f1-41af-91ab-2d7cd011db47,458b9821-8f00-483f-acf9-ff6ab17332c4,Sentinel-Bug-Bash-WestEurope,westeurope,AzureBlob-6Pi,AzureBlob,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourceGroups/classification-test/providers/Microsoft.Storage/storageAccounts/aipclptest,458b9821-8f00-483f-acf9-ff6ab17332c4,eastus,BugBashTest,,cz-id.docx,https://aipclptest.blob.core.windows.net/aipscan/PII/cz-id.docx,File,"2/13/2020, 7:54:22.000 PM","2/13/2020, 7:54:22.000 PM",,"11/1/2021, 4:10:29.277 PM",docx,18764,Classification,System,"[""EU National Identification Number"",""EU Social Security Number (SSN) or Equivalent ID""]",2,,,,,PurviewDataSensitivityLogs,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourcegroups/purview-sentinel-bug-bash/providers/microsoft.purview/accounts/sentinel-bug-bash-westeurope -d80e74e9-da11-4572-babc-79349f7685cc,"11/1/2021, 4:13:57.037 PM",00000000-0000-0000-0000-000000000000,DataSensitivityLogEvent,72f988bf-86f1-41af-91ab-2d7cd011db47,458b9821-8f00-483f-acf9-ff6ab17332c4,Sentinel-Bug-Bash-WestEurope,westeurope,AzureBlob-6Pi,AzureBlob,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourceGroups/classification-test/providers/Microsoft.Storage/storageAccounts/aipclptest,458b9821-8f00-483f-acf9-ff6ab17332c4,eastus,BugBashTest,,cz-id.docx,https://aipclptest.blob.core.windows.net/aipscan/PII/cz-id.docx,File,"2/13/2020, 7:54:22.000 PM","2/13/2020, 7:54:22.000 PM",,"11/1/2021, 4:10:29.277 PM",docx,18764,Labeling,External,[],0,f42aa342-8706-4288-bd11-ebb85995028c,General,,,PurviewDataSensitivityLogs,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourcegroups/purview-sentinel-bug-bash/providers/microsoft.purview/accounts/sentinel-bug-bash-westeurope -d80e74e9-da11-4572-babc-79349f7685cc,"11/1/2021, 4:13:57.037 PM",00000000-0000-0000-0000-000000000000,DataSensitivityLogEvent,72f988bf-86f1-41af-91ab-2d7cd011db47,458b9821-8f00-483f-acf9-ff6ab17332c4,Sentinel-Bug-Bash-WestEurope,westeurope,AzureBlob-6Pi,AzureBlob,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourceGroups/classification-test/providers/Microsoft.Storage/storageAccounts/aipclptest,458b9821-8f00-483f-acf9-ff6ab17332c4,eastus,BugBashTest,,sw-id.docx,https://aipclptest.blob.core.windows.net/aipscan/PII/sw-id.docx,File,"2/13/2020, 7:54:22.000 PM","2/13/2020, 7:54:22.000 PM",,"11/1/2021, 4:10:28.261 PM",docx,18718,Classification,System,"[""EU Social Security Number (SSN) or Equivalent ID"",""EU Tax Identification Number (TIN)""]",2,,,,,PurviewDataSensitivityLogs,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourcegroups/purview-sentinel-bug-bash/providers/microsoft.purview/accounts/sentinel-bug-bash-westeurope -d80e74e9-da11-4572-babc-79349f7685cc,"11/1/2021, 4:13:57.037 PM",00000000-0000-0000-0000-000000000000,DataSensitivityLogEvent,72f988bf-86f1-41af-91ab-2d7cd011db47,458b9821-8f00-483f-acf9-ff6ab17332c4,Sentinel-Bug-Bash-WestEurope,westeurope,AzureBlob-6Pi,AzureBlob,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourceGroups/classification-test/providers/Microsoft.Storage/storageAccounts/aipclptest,458b9821-8f00-483f-acf9-ff6ab17332c4,eastus,BugBashTest,,sw-id.docx,https://aipclptest.blob.core.windows.net/aipscan/PII/sw-id.docx,File,"2/13/2020, 7:54:22.000 PM","2/13/2020, 7:54:22.000 PM",,"11/1/2021, 4:10:28.261 PM",docx,18718,Labeling,External,[],0,f42aa342-8706-4288-bd11-ebb85995028c,General,,,PurviewDataSensitivityLogs,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourcegroups/purview-sentinel-bug-bash/providers/microsoft.purview/accounts/sentinel-bug-bash-westeurope -d80e74e9-da11-4572-babc-79349f7685cc,"11/1/2021, 4:13:57.174 PM",00000000-0000-0000-0000-000000000000,DataSensitivityLogEvent,72f988bf-86f1-41af-91ab-2d7cd011db47,458b9821-8f00-483f-acf9-ff6ab17332c4,Sentinel-Bug-Bash-WestEurope,westeurope,AzureBlob-6Pi,AzureBlob,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourceGroups/classification-test/providers/Microsoft.Storage/storageAccounts/aipclptest,458b9821-8f00-483f-acf9-ff6ab17332c4,eastus,BugBashTest,,fr-drv.docx,https://aipclptest.blob.core.windows.net/aipscan/HR/fr-drv.docx,File,"2/13/2020, 7:54:12.000 PM","2/13/2020, 7:54:12.000 PM",,"11/1/2021, 4:10:31.855 PM",docx,20154,Classification,System,"[""Cyprus Driver's License Number"",""EU Driver's License Number"",""France Driver's License Number"",""Japan Driver's License Number""]",4,,,,,PurviewDataSensitivityLogs,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourcegroups/purview-sentinel-bug-bash/providers/microsoft.purview/accounts/sentinel-bug-bash-westeurope -d80e74e9-da11-4572-babc-79349f7685cc,"11/1/2021, 4:13:57.174 PM",00000000-0000-0000-0000-000000000000,DataSensitivityLogEvent,72f988bf-86f1-41af-91ab-2d7cd011db47,458b9821-8f00-483f-acf9-ff6ab17332c4,Sentinel-Bug-Bash-WestEurope,westeurope,AzureBlob-6Pi,AzureBlob,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourceGroups/classification-test/providers/Microsoft.Storage/storageAccounts/aipclptest,458b9821-8f00-483f-acf9-ff6ab17332c4,eastus,BugBashTest,,fr-drv.docx,https://aipclptest.blob.core.windows.net/aipscan/HR/fr-drv.docx,File,"2/13/2020, 7:54:12.000 PM","2/13/2020, 7:54:12.000 PM",,"11/1/2021, 4:10:31.855 PM",docx,20154,Labeling,External,[],0,f42aa342-8706-4288-bd11-ebb85995028c,General,,,PurviewDataSensitivityLogs,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourcegroups/purview-sentinel-bug-bash/providers/microsoft.purview/accounts/sentinel-bug-bash-westeurope -d80e74e9-da11-4572-babc-79349f7685cc,"11/1/2021, 4:13:57.175 PM",00000000-0000-0000-0000-000000000000,DataSensitivityLogEvent,72f988bf-86f1-41af-91ab-2d7cd011db47,458b9821-8f00-483f-acf9-ff6ab17332c4,Sentinel-Bug-Bash-WestEurope,westeurope,AzureBlob-6Pi,AzureBlob,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourceGroups/classification-test/providers/Microsoft.Storage/storageAccounts/aipclptest,458b9821-8f00-483f-acf9-ff6ab17332c4,eastus,BugBashTest,,it-drv.docx,https://aipclptest.blob.core.windows.net/aipscan/PII/it-drv.docx,File,"2/13/2020, 7:54:22.000 PM","2/13/2020, 7:54:22.000 PM",,"11/1/2021, 4:10:29.277 PM",docx,18766,Classification,System,"[""EU Driver's License Number"",""Italy Driver's License Number""]",2,,,,,PurviewDataSensitivityLogs,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourcegroups/purview-sentinel-bug-bash/providers/microsoft.purview/accounts/sentinel-bug-bash-westeurope -d80e74e9-da11-4572-babc-79349f7685cc,"11/1/2021, 4:13:57.175 PM",00000000-0000-0000-0000-000000000000,DataSensitivityLogEvent,72f988bf-86f1-41af-91ab-2d7cd011db47,458b9821-8f00-483f-acf9-ff6ab17332c4,Sentinel-Bug-Bash-WestEurope,westeurope,AzureBlob-6Pi,AzureBlob,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourceGroups/classification-test/providers/Microsoft.Storage/storageAccounts/aipclptest,458b9821-8f00-483f-acf9-ff6ab17332c4,eastus,BugBashTest,,it-drv.docx,https://aipclptest.blob.core.windows.net/aipscan/PII/it-drv.docx,File,"2/13/2020, 7:54:22.000 PM","2/13/2020, 7:54:22.000 PM",,"11/1/2021, 4:10:29.277 PM",docx,18766,Labeling,External,[],0,f42aa342-8706-4288-bd11-ebb85995028c,General,,,PurviewDataSensitivityLogs,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourcegroups/purview-sentinel-bug-bash/providers/microsoft.purview/accounts/sentinel-bug-bash-westeurope -d80e74e9-da11-4572-babc-79349f7685cc,"11/1/2021, 4:13:57.175 PM",00000000-0000-0000-0000-000000000000,DataSensitivityLogEvent,72f988bf-86f1-41af-91ab-2d7cd011db47,458b9821-8f00-483f-acf9-ff6ab17332c4,Sentinel-Bug-Bash-WestEurope,westeurope,AzureBlob-6Pi,AzureBlob,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourceGroups/classification-test/providers/Microsoft.Storage/storageAccounts/aipclptest,458b9821-8f00-483f-acf9-ff6ab17332c4,eastus,BugBashTest,,sw-pn.docx,https://aipclptest.blob.core.windows.net/aipscan/PII/sw-pn.docx,File,"2/13/2020, 7:54:22.000 PM","2/13/2020, 7:54:22.000 PM",,"11/1/2021, 4:10:29.292 PM",docx,18784,Classification,System,"[""EU Passport Number"",""Sweden Passport Number""]",2,,,,,PurviewDataSensitivityLogs,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourcegroups/purview-sentinel-bug-bash/providers/microsoft.purview/accounts/sentinel-bug-bash-westeurope -d80e74e9-da11-4572-babc-79349f7685cc,"11/1/2021, 4:13:57.175 PM",00000000-0000-0000-0000-000000000000,DataSensitivityLogEvent,72f988bf-86f1-41af-91ab-2d7cd011db47,458b9821-8f00-483f-acf9-ff6ab17332c4,Sentinel-Bug-Bash-WestEurope,westeurope,AzureBlob-6Pi,AzureBlob,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourceGroups/classification-test/providers/Microsoft.Storage/storageAccounts/aipclptest,458b9821-8f00-483f-acf9-ff6ab17332c4,eastus,BugBashTest,,sw-pn.docx,https://aipclptest.blob.core.windows.net/aipscan/PII/sw-pn.docx,File,"2/13/2020, 7:54:22.000 PM","2/13/2020, 7:54:22.000 PM",,"11/1/2021, 4:10:29.292 PM",docx,18784,Labeling,External,[],0,f42aa342-8706-4288-bd11-ebb85995028c,General,,,PurviewDataSensitivityLogs,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourcegroups/purview-sentinel-bug-bash/providers/microsoft.purview/accounts/sentinel-bug-bash-westeurope -d80e74e9-da11-4572-babc-79349f7685cc,"11/1/2021, 4:13:57.196 PM",00000000-0000-0000-0000-000000000000,DataSensitivityLogEvent,72f988bf-86f1-41af-91ab-2d7cd011db47,458b9821-8f00-483f-acf9-ff6ab17332c4,Sentinel-Bug-Bash-WestEurope,westeurope,AzureBlob-6Pi,AzureBlob,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourceGroups/classification-test/providers/Microsoft.Storage/storageAccounts/aipclptest,458b9821-8f00-483f-acf9-ff6ab17332c4,eastus,BugBashTest,,cr-oib.docx,https://aipclptest.blob.core.windows.net/satintestcontainer/cr-oib.docx,File,"5/12/2021, 6:56:19.000 PM","5/12/2021, 6:56:19.000 PM",,"11/1/2021, 4:10:29.574 PM",docx,26098,Labeling,Default,[],0,9fbde396-1a24-4c79-8edf-9254a0f35055,Confidential\Microsoft Extended,,,PurviewDataSensitivityLogs,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourcegroups/purview-sentinel-bug-bash/providers/microsoft.purview/accounts/sentinel-bug-bash-westeurope -d80e74e9-da11-4572-babc-79349f7685cc,"11/1/2021, 4:13:57.197 PM",00000000-0000-0000-0000-000000000000,DataSensitivityLogEvent,72f988bf-86f1-41af-91ab-2d7cd011db47,458b9821-8f00-483f-acf9-ff6ab17332c4,Sentinel-Bug-Bash-WestEurope,westeurope,AzureBlob-6Pi,AzureBlob,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourceGroups/classification-test/providers/Microsoft.Storage/storageAccounts/aipclptest,458b9821-8f00-483f-acf9-ff6ab17332c4,eastus,BugBashTest,,germany.txt,https://aipclptest.blob.core.windows.net/aipscan/PII/germany.txt,File,"2/13/2020, 7:54:22.000 PM","2/13/2020, 7:54:22.000 PM",,"11/1/2021, 4:10:29.589 PM",txt,42,Labeling,Default,[],0,9fbde396-1a24-4c79-8edf-9254a0f35055,Confidential\Microsoft Extended,,,PurviewDataSensitivityLogs,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourcegroups/purview-sentinel-bug-bash/providers/microsoft.purview/accounts/sentinel-bug-bash-westeurope -d80e74e9-da11-4572-babc-79349f7685cc,"11/1/2021, 4:13:57.204 PM",00000000-0000-0000-0000-000000000000,DataSensitivityLogEvent,72f988bf-86f1-41af-91ab-2d7cd011db47,458b9821-8f00-483f-acf9-ff6ab17332c4,Sentinel-Bug-Bash-WestEurope,westeurope,AzureBlob-6Pi,AzureBlob,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourceGroups/classification-test/providers/Microsoft.Storage/storageAccounts/aipclptest,458b9821-8f00-483f-acf9-ff6ab17332c4,eastus,BugBashTest,,it-drv.docx,https://aipclptest.blob.core.windows.net/satintestcontainer/it-drv.docx,File,"5/12/2021, 6:56:19.000 PM","5/12/2021, 6:56:19.000 PM",,"11/1/2021, 4:10:29.590 PM",docx,26098,Labeling,Default,[],0,9fbde396-1a24-4c79-8edf-9254a0f35055,Confidential\Microsoft Extended,,,PurviewDataSensitivityLogs,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourcegroups/purview-sentinel-bug-bash/providers/microsoft.purview/accounts/sentinel-bug-bash-westeurope -d80e74e9-da11-4572-babc-79349f7685cc,"11/1/2021, 4:13:57.237 PM",00000000-0000-0000-0000-000000000000,DataSensitivityLogEvent,72f988bf-86f1-41af-91ab-2d7cd011db47,458b9821-8f00-483f-acf9-ff6ab17332c4,Sentinel-Bug-Bash-WestEurope,westeurope,AzureBlob-6Pi,AzureBlob,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourceGroups/classification-test/providers/Microsoft.Storage/storageAccounts/aipclptest,458b9821-8f00-483f-acf9-ff6ab17332c4,eastus,BugBashTest,,Customers data2015.docx,https://aipclptest.blob.core.windows.net/aipscan/CustomerData/Customers data2015.docx,File,"2/13/2020, 7:53:51.000 PM","2/13/2020, 7:53:51.000 PM",,"11/1/2021, 4:10:26.261 PM",docx,11141,Labeling,Default,[],0,9fbde396-1a24-4c79-8edf-9254a0f35055,Confidential\Microsoft Extended,,,PurviewDataSensitivityLogs,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourcegroups/purview-sentinel-bug-bash/providers/microsoft.purview/accounts/sentinel-bug-bash-westeurope -d80e74e9-da11-4572-babc-79349f7685cc,"11/1/2021, 4:13:57.313 PM",00000000-0000-0000-0000-000000000000,DataSensitivityLogEvent,72f988bf-86f1-41af-91ab-2d7cd011db47,458b9821-8f00-483f-acf9-ff6ab17332c4,Sentinel-Bug-Bash-WestEurope,westeurope,AzureBlob-6Pi,AzureBlob,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourceGroups/classification-test/providers/Microsoft.Storage/storageAccounts/aipclptest,458b9821-8f00-483f-acf9-ff6ab17332c4,eastus,BugBashTest,,es-ssn.docx,https://aipclptest.blob.core.windows.net/satintestcontainer/es-ssn.docx,File,"5/12/2021, 6:56:19.000 PM","5/12/2021, 6:56:19.000 PM",,"11/1/2021, 4:10:30.043 PM",docx,26070,Labeling,Default,[],0,9fbde396-1a24-4c79-8edf-9254a0f35055,Confidential\Microsoft Extended,,,PurviewDataSensitivityLogs,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourcegroups/purview-sentinel-bug-bash/providers/microsoft.purview/accounts/sentinel-bug-bash-westeurope -d80e74e9-da11-4572-babc-79349f7685cc,"11/1/2021, 4:13:57.315 PM",00000000-0000-0000-0000-000000000000,DataSensitivityLogEvent,72f988bf-86f1-41af-91ab-2d7cd011db47,458b9821-8f00-483f-acf9-ff6ab17332c4,Sentinel-Bug-Bash-WestEurope,westeurope,AzureBlob-6Pi,AzureBlob,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourceGroups/classification-test/providers/Microsoft.Storage/storageAccounts/aipclptest,458b9821-8f00-483f-acf9-ff6ab17332c4,eastus,BugBashTest,,Customers data2017.docx,https://aipclptest.blob.core.windows.net/aipscan/CustomerData/Customers data2017.docx,File,"2/13/2020, 7:53:51.000 PM","2/13/2020, 7:53:51.000 PM",,"11/1/2021, 4:10:26.261 PM",docx,12295,Labeling,Default,[],0,9fbde396-1a24-4c79-8edf-9254a0f35055,Confidential\Microsoft Extended,,,PurviewDataSensitivityLogs,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourcegroups/purview-sentinel-bug-bash/providers/microsoft.purview/accounts/sentinel-bug-bash-westeurope -d80e74e9-da11-4572-babc-79349f7685cc,"11/1/2021, 4:13:57.320 PM",00000000-0000-0000-0000-000000000000,DataSensitivityLogEvent,72f988bf-86f1-41af-91ab-2d7cd011db47,458b9821-8f00-483f-acf9-ff6ab17332c4,Sentinel-Bug-Bash-WestEurope,westeurope,AzureBlob-6Pi,AzureBlob,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourceGroups/classification-test/providers/Microsoft.Storage/storageAccounts/aipclptest,458b9821-8f00-483f-acf9-ff6ab17332c4,eastus,BugBashTest,,Acme Background Check-Katana.doc,https://aipclptest.blob.core.windows.net/aipscan/CredScan/Acme Background Check-Katana.doc,File,"2/13/2020, 7:53:39.000 PM","2/13/2020, 7:53:39.000 PM",,"11/1/2021, 4:10:19.214 PM",doc,95232,Classification,System,"[""Credit Card Number"",""U.S. Social Security Number (SSN)""]",2,,,,,PurviewDataSensitivityLogs,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourcegroups/purview-sentinel-bug-bash/providers/microsoft.purview/accounts/sentinel-bug-bash-westeurope -d80e74e9-da11-4572-babc-79349f7685cc,"11/1/2021, 4:13:57.326 PM",00000000-0000-0000-0000-000000000000,DataSensitivityLogEvent,72f988bf-86f1-41af-91ab-2d7cd011db47,458b9821-8f00-483f-acf9-ff6ab17332c4,Sentinel-Bug-Bash-WestEurope,westeurope,AzureBlob-6Pi,AzureBlob,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourceGroups/classification-test/providers/Microsoft.Storage/storageAccounts/aipclptest,458b9821-8f00-483f-acf9-ff6ab17332c4,eastus,BugBashTest,,cz-id.docx,https://aipclptest.blob.core.windows.net/aipscan/HR/cz-id.docx,File,"2/13/2020, 7:54:12.000 PM","2/13/2020, 7:54:12.000 PM",,"11/1/2021, 4:10:26.643 PM",docx,20172,Classification,System,"[""EU National Identification Number"",""EU Social Security Number (SSN) or Equivalent ID""]",2,,,,,PurviewDataSensitivityLogs,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourcegroups/purview-sentinel-bug-bash/providers/microsoft.purview/accounts/sentinel-bug-bash-westeurope -d80e74e9-da11-4572-babc-79349f7685cc,"11/1/2021, 4:13:57.326 PM",00000000-0000-0000-0000-000000000000,DataSensitivityLogEvent,72f988bf-86f1-41af-91ab-2d7cd011db47,458b9821-8f00-483f-acf9-ff6ab17332c4,Sentinel-Bug-Bash-WestEurope,westeurope,AzureBlob-6Pi,AzureBlob,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourceGroups/classification-test/providers/Microsoft.Storage/storageAccounts/aipclptest,458b9821-8f00-483f-acf9-ff6ab17332c4,eastus,BugBashTest,,cz-id.docx,https://aipclptest.blob.core.windows.net/aipscan/HR/cz-id.docx,File,"2/13/2020, 7:54:12.000 PM","2/13/2020, 7:54:12.000 PM",,"11/1/2021, 4:10:26.643 PM",docx,20172,Labeling,External,[],0,f42aa342-8706-4288-bd11-ebb85995028c,General,,,PurviewDataSensitivityLogs,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourcegroups/purview-sentinel-bug-bash/providers/microsoft.purview/accounts/sentinel-bug-bash-westeurope -d80e74e9-da11-4572-babc-79349f7685cc,"11/1/2021, 4:13:57.327 PM",00000000-0000-0000-0000-000000000000,DataSensitivityLogEvent,72f988bf-86f1-41af-91ab-2d7cd011db47,458b9821-8f00-483f-acf9-ff6ab17332c4,Sentinel-Bug-Bash-WestEurope,westeurope,AzureBlob-6Pi,AzureBlob,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourceGroups/classification-test/providers/Microsoft.Storage/storageAccounts/aipclptest,458b9821-8f00-483f-acf9-ff6ab17332c4,eastus,BugBashTest,,EL.txt,https://aipclptest.blob.core.windows.net/satintestcontainer/EL.txt,File,"5/12/2021, 6:56:19.000 PM","5/12/2021, 6:56:19.000 PM",,"11/1/2021, 4:10:29.605 PM",txt,200,Classification,System,"[""EU National Identification Number"",""Greece National ID Card""]",2,,,,,PurviewDataSensitivityLogs,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourcegroups/purview-sentinel-bug-bash/providers/microsoft.purview/accounts/sentinel-bug-bash-westeurope -d80e74e9-da11-4572-babc-79349f7685cc,"11/1/2021, 4:13:57.332 PM",00000000-0000-0000-0000-000000000000,DataSensitivityLogEvent,72f988bf-86f1-41af-91ab-2d7cd011db47,458b9821-8f00-483f-acf9-ff6ab17332c4,Sentinel-Bug-Bash-WestEurope,westeurope,AzureBlob-6Pi,AzureBlob,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourceGroups/classification-test/providers/Microsoft.Storage/storageAccounts/aipclptest,458b9821-8f00-483f-acf9-ff6ab17332c4,eastus,BugBashTest,,Acme Request for Time Off-Katana.doc,https://aipclptest.blob.core.windows.net/aipscan/CredScan/Acme Request for Time Off-Katana.doc,File,"2/13/2020, 7:53:38.000 PM","2/13/2020, 7:53:38.000 PM",,"11/1/2021, 4:10:19.151 PM",doc,39936,Classification,System,"[""U.S. Social Security Number (SSN)""]",1,,,,,PurviewDataSensitivityLogs,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourcegroups/purview-sentinel-bug-bash/providers/microsoft.purview/accounts/sentinel-bug-bash-westeurope -d80e74e9-da11-4572-babc-79349f7685cc,"11/1/2021, 4:13:57.338 PM",00000000-0000-0000-0000-000000000000,DataSensitivityLogEvent,72f988bf-86f1-41af-91ab-2d7cd011db47,458b9821-8f00-483f-acf9-ff6ab17332c4,Sentinel-Bug-Bash-WestEurope,westeurope,AzureBlob-6Pi,AzureBlob,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourceGroups/classification-test/providers/Microsoft.Storage/storageAccounts/aipclptest,458b9821-8f00-483f-acf9-ff6ab17332c4,eastus,BugBashTest,,germany.txt,https://aipclptest.blob.core.windows.net/satintestcontainer/germany.txt,File,"5/12/2021, 6:56:19.000 PM","5/12/2021, 6:56:19.000 PM",,"11/1/2021, 4:10:29.605 PM",txt,42,Classification,System,"[""EU National Identification Number"",""EU Social Security Number (SSN) or Equivalent ID"",""Germany Identity Card Number""]",3,,,,,PurviewDataSensitivityLogs,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourcegroups/purview-sentinel-bug-bash/providers/microsoft.purview/accounts/sentinel-bug-bash-westeurope -d80e74e9-da11-4572-babc-79349f7685cc,"11/1/2021, 4:13:57.343 PM",00000000-0000-0000-0000-000000000000,DataSensitivityLogEvent,72f988bf-86f1-41af-91ab-2d7cd011db47,458b9821-8f00-483f-acf9-ff6ab17332c4,Sentinel-Bug-Bash-WestEurope,westeurope,AzureBlob-6Pi,AzureBlob,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourceGroups/classification-test/providers/Microsoft.Storage/storageAccounts/aipclptest,458b9821-8f00-483f-acf9-ff6ab17332c4,eastus,BugBashTest,,de-id.docx,https://aipclptest.blob.core.windows.net/aipscan/HR/de-id.docx,File,"2/13/2020, 7:54:12.000 PM","2/13/2020, 7:54:12.000 PM",,"11/1/2021, 4:10:27.877 PM",docx,24898,Classification,System,"[""EU National Identification Number"",""Germany Identity Card Number""]",2,,,,,PurviewDataSensitivityLogs,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourcegroups/purview-sentinel-bug-bash/providers/microsoft.purview/accounts/sentinel-bug-bash-westeurope -d80e74e9-da11-4572-babc-79349f7685cc,"11/1/2021, 4:13:57.343 PM",00000000-0000-0000-0000-000000000000,DataSensitivityLogEvent,72f988bf-86f1-41af-91ab-2d7cd011db47,458b9821-8f00-483f-acf9-ff6ab17332c4,Sentinel-Bug-Bash-WestEurope,westeurope,AzureBlob-6Pi,AzureBlob,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourceGroups/classification-test/providers/Microsoft.Storage/storageAccounts/aipclptest,458b9821-8f00-483f-acf9-ff6ab17332c4,eastus,BugBashTest,,de-id.docx,https://aipclptest.blob.core.windows.net/aipscan/HR/de-id.docx,File,"2/13/2020, 7:54:12.000 PM","2/13/2020, 7:54:12.000 PM",,"11/1/2021, 4:10:27.877 PM",docx,24898,Labeling,External,[],0,f42aa342-8706-4288-bd11-ebb85995028c,General,,,PurviewDataSensitivityLogs,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourcegroups/purview-sentinel-bug-bash/providers/microsoft.purview/accounts/sentinel-bug-bash-westeurope -d80e74e9-da11-4572-babc-79349f7685cc,"11/1/2021, 4:13:57.344 PM",00000000-0000-0000-0000-000000000000,DataSensitivityLogEvent,72f988bf-86f1-41af-91ab-2d7cd011db47,458b9821-8f00-483f-acf9-ff6ab17332c4,Sentinel-Bug-Bash-WestEurope,westeurope,AzureBlob-6Pi,AzureBlob,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourceGroups/classification-test/providers/Microsoft.Storage/storageAccounts/aipclptest,458b9821-8f00-483f-acf9-ff6ab17332c4,eastus,BugBashTest,,uk-drv.docx,https://aipclptest.blob.core.windows.net/aipscan/HR/uk-drv.docx,File,"2/13/2020, 7:54:12.000 PM","2/13/2020, 7:54:12.000 PM",,"11/1/2021, 4:10:27.877 PM",docx,20274,Classification,System,"[""EU Driver's License Number"",""U.K. Driver's License Number""]",2,,,,,PurviewDataSensitivityLogs,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourcegroups/purview-sentinel-bug-bash/providers/microsoft.purview/accounts/sentinel-bug-bash-westeurope -d80e74e9-da11-4572-babc-79349f7685cc,"11/1/2021, 4:13:57.344 PM",00000000-0000-0000-0000-000000000000,DataSensitivityLogEvent,72f988bf-86f1-41af-91ab-2d7cd011db47,458b9821-8f00-483f-acf9-ff6ab17332c4,Sentinel-Bug-Bash-WestEurope,westeurope,AzureBlob-6Pi,AzureBlob,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourceGroups/classification-test/providers/Microsoft.Storage/storageAccounts/aipclptest,458b9821-8f00-483f-acf9-ff6ab17332c4,eastus,BugBashTest,,uk-drv.docx,https://aipclptest.blob.core.windows.net/aipscan/HR/uk-drv.docx,File,"2/13/2020, 7:54:12.000 PM","2/13/2020, 7:54:12.000 PM",,"11/1/2021, 4:10:27.877 PM",docx,20274,Labeling,External,[],0,f42aa342-8706-4288-bd11-ebb85995028c,General,,,PurviewDataSensitivityLogs,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourcegroups/purview-sentinel-bug-bash/providers/microsoft.purview/accounts/sentinel-bug-bash-westeurope -d80e74e9-da11-4572-babc-79349f7685cc,"11/1/2021, 4:13:57.344 PM",00000000-0000-0000-0000-000000000000,DataSensitivityLogEvent,72f988bf-86f1-41af-91ab-2d7cd011db47,458b9821-8f00-483f-acf9-ff6ab17332c4,Sentinel-Bug-Bash-WestEurope,westeurope,AzureBlob-6Pi,AzureBlob,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourceGroups/classification-test/providers/Microsoft.Storage/storageAccounts/aipclptest,458b9821-8f00-483f-acf9-ff6ab17332c4,eastus,BugBashTest,,Acme Background Check.doc,https://aipclptest.blob.core.windows.net/aipscan/CredScan/Acme Background Check.doc,File,"2/13/2020, 7:53:39.000 PM","2/13/2020, 7:53:39.000 PM",,"11/1/2021, 4:10:18.714 PM",doc,95232,Classification,System,"[""Credit Card Number"",""U.S. Social Security Number (SSN)""]",2,,,,,PurviewDataSensitivityLogs,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourcegroups/purview-sentinel-bug-bash/providers/microsoft.purview/accounts/sentinel-bug-bash-westeurope -d80e74e9-da11-4572-babc-79349f7685cc,"11/1/2021, 4:13:57.464 PM",00000000-0000-0000-0000-000000000000,DataSensitivityLogEvent,72f988bf-86f1-41af-91ab-2d7cd011db47,458b9821-8f00-483f-acf9-ff6ab17332c4,Sentinel-Bug-Bash-WestEurope,westeurope,AzureBlob-6Pi,AzureBlob,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourceGroups/classification-test/providers/Microsoft.Storage/storageAccounts/aipclptest,458b9821-8f00-483f-acf9-ff6ab17332c4,eastus,BugBashTest,,de-id.docx,https://aipclptest.blob.core.windows.net/satintestcontainer/de-id.docx,File,"5/12/2021, 6:56:20.000 PM","5/12/2021, 6:56:20.000 PM",,"11/1/2021, 4:10:30.043 PM",docx,25558,Labeling,Default,[],0,9fbde396-1a24-4c79-8edf-9254a0f35055,Confidential\Microsoft Extended,,,PurviewDataSensitivityLogs,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourcegroups/purview-sentinel-bug-bash/providers/microsoft.purview/accounts/sentinel-bug-bash-westeurope -d80e74e9-da11-4572-babc-79349f7685cc,"11/1/2021, 4:13:57.517 PM",00000000-0000-0000-0000-000000000000,DataSensitivityLogEvent,72f988bf-86f1-41af-91ab-2d7cd011db47,458b9821-8f00-483f-acf9-ff6ab17332c4,Sentinel-Bug-Bash-WestEurope,westeurope,AzureBlob-6Pi,AzureBlob,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourceGroups/classification-test/providers/Microsoft.Storage/storageAccounts/aipclptest,458b9821-8f00-483f-acf9-ff6ab17332c4,eastus,BugBashTest,,Customers registration form.docx,https://aipclptest.blob.core.windows.net/aipscan/CustomerData/Customers registration form.docx,File,"2/13/2020, 7:53:51.000 PM","2/13/2020, 7:53:51.000 PM",,"11/1/2021, 4:10:26.292 PM",docx,17409,Classification,System,"[""Austria Driver's License Number"",""Belgium Driver's License Number"",""Bulgaria Passport Number"",""Credit Card Number"",""Croatia Driver's License Number"",""Croatia Passport Number"",""Cyprus Driver's License Number"",""Cyprus Identity Card"",""Czech Personal Identity Number"",""Czech Republic Passport Number"",""Denmark Driver's License Number"",""Denmark Passport Number"",""Denmark Personal Identification Number"",""EU Debit Card Number"",""EU Driver's License Number"",""EU National Identification Number"",""EU Passport Number"",""EU Social Security Number (SSN) or Equivalent ID"",""EU Tax Identification Number (TIN)"",""Finland Driver's License Number"",""Finland National ID"",""Finland Passport Number"",""France Driver's License Number"",""France National ID Card (CNI)"",""France Social Security Number (INSEE)"",""German Driver's License Number"",""German Passport Number"",""Germany Identity Card Number"",""Greece National ID Card"",""Greece Passport Number"",""Hungary Passport Number"",""IP Address"",""Ireland Passport Number"",""Ireland Personal Public Service (PPS) Number"",""Italy Driver's License Number"",""Italy Passport Number"",""Japan Driver's License Number"",""Japan Passport Number"",""Lithuania Driver's License Number"",""Lithuania Passport Number"",""Malaysia Identity Card Number"",""Malta Driver's License Number"",""Netherlands Passport Number"",""Poland Identity Card"",""Romania Passport Number"",""Russian Passport Number (Domestic)"",""Russian Passport Number (International)"",""Slovakia Driver's License Number"",""Slovakia Passport Number"",""Slovakia Personal Number"",""Slovenia Passport Number"",""Spain Social Security Number (SSN)"",""Sweden Driver's License Number"",""Sweden Passport Number"",""Taiwan Passport Number"",""U.K. Driver's License Number"",""U.K. National Health Service Number"",""U.K. National Insurance Number (NINO)"",""U.S. / U.K. Passport Number"",""Ukraine Passport Number (Domestic)""]",60,,,,,PurviewDataSensitivityLogs,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourcegroups/purview-sentinel-bug-bash/providers/microsoft.purview/accounts/sentinel-bug-bash-westeurope -d80e74e9-da11-4572-babc-79349f7685cc,"11/1/2021, 4:13:57.523 PM",00000000-0000-0000-0000-000000000000,DataSensitivityLogEvent,72f988bf-86f1-41af-91ab-2d7cd011db47,458b9821-8f00-483f-acf9-ff6ab17332c4,Sentinel-Bug-Bash-WestEurope,westeurope,AzureBlob-6Pi,AzureBlob,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourceGroups/classification-test/providers/Microsoft.Storage/storageAccounts/aipclptest,458b9821-8f00-483f-acf9-ff6ab17332c4,eastus,BugBashTest,,dk-id.docx,https://aipclptest.blob.core.windows.net/aipscan/HR/dk-id.docx,File,"2/13/2020, 7:54:12.000 PM","2/13/2020, 7:54:12.000 PM",,"11/1/2021, 4:10:30.948 PM",docx,20162,Classification,System,"[""Denmark Personal Identification Number"",""EU National Identification Number"",""EU Social Security Number (SSN) or Equivalent ID"",""EU Tax Identification Number (TIN)""]",4,,,,,PurviewDataSensitivityLogs,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourcegroups/purview-sentinel-bug-bash/providers/microsoft.purview/accounts/sentinel-bug-bash-westeurope -d80e74e9-da11-4572-babc-79349f7685cc,"11/1/2021, 4:13:57.523 PM",00000000-0000-0000-0000-000000000000,DataSensitivityLogEvent,72f988bf-86f1-41af-91ab-2d7cd011db47,458b9821-8f00-483f-acf9-ff6ab17332c4,Sentinel-Bug-Bash-WestEurope,westeurope,AzureBlob-6Pi,AzureBlob,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourceGroups/classification-test/providers/Microsoft.Storage/storageAccounts/aipclptest,458b9821-8f00-483f-acf9-ff6ab17332c4,eastus,BugBashTest,,dk-id.docx,https://aipclptest.blob.core.windows.net/aipscan/HR/dk-id.docx,File,"2/13/2020, 7:54:12.000 PM","2/13/2020, 7:54:12.000 PM",,"11/1/2021, 4:10:30.948 PM",docx,20162,Labeling,External,[],0,f42aa342-8706-4288-bd11-ebb85995028c,General,,,PurviewDataSensitivityLogs,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourcegroups/purview-sentinel-bug-bash/providers/microsoft.purview/accounts/sentinel-bug-bash-westeurope -d80e74e9-da11-4572-babc-79349f7685cc,"11/1/2021, 4:13:57.524 PM",00000000-0000-0000-0000-000000000000,DataSensitivityLogEvent,72f988bf-86f1-41af-91ab-2d7cd011db47,458b9821-8f00-483f-acf9-ff6ab17332c4,Sentinel-Bug-Bash-WestEurope,westeurope,AzureBlob-6Pi,AzureBlob,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourceGroups/classification-test/providers/Microsoft.Storage/storageAccounts/aipclptest,458b9821-8f00-483f-acf9-ff6ab17332c4,eastus,BugBashTest,,cz.txt,https://aipclptest.blob.core.windows.net/aipscan/PII/cz.txt,File,"2/13/2020, 7:54:22.000 PM","2/13/2020, 7:54:22.000 PM",,"11/1/2021, 4:10:30.589 PM",txt,124,Labeling,Default,[],0,9fbde396-1a24-4c79-8edf-9254a0f35055,Confidential\Microsoft Extended,,,PurviewDataSensitivityLogs,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourcegroups/purview-sentinel-bug-bash/providers/microsoft.purview/accounts/sentinel-bug-bash-westeurope -d80e74e9-da11-4572-babc-79349f7685cc,"11/1/2021, 4:13:57.677 PM",00000000-0000-0000-0000-000000000000,DataSensitivityLogEvent,72f988bf-86f1-41af-91ab-2d7cd011db47,458b9821-8f00-483f-acf9-ff6ab17332c4,Sentinel-Bug-Bash-WestEurope,westeurope,AzureBlob-6Pi,AzureBlob,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourceGroups/classification-test/providers/Microsoft.Storage/storageAccounts/aipclptest,458b9821-8f00-483f-acf9-ff6ab17332c4,eastus,BugBashTest,,de-pn.docx,https://aipclptest.blob.core.windows.net/aipscan/HR/de-pn.docx,File,"2/13/2020, 7:54:12.000 PM","2/13/2020, 7:54:12.000 PM",,"11/1/2021, 4:10:28.658 PM",docx,20125,Classification,System,"[""EU Passport Number"",""German Passport Number""]",2,,,,,PurviewDataSensitivityLogs,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourcegroups/purview-sentinel-bug-bash/providers/microsoft.purview/accounts/sentinel-bug-bash-westeurope -d80e74e9-da11-4572-babc-79349f7685cc,"11/1/2021, 4:13:57.677 PM",00000000-0000-0000-0000-000000000000,DataSensitivityLogEvent,72f988bf-86f1-41af-91ab-2d7cd011db47,458b9821-8f00-483f-acf9-ff6ab17332c4,Sentinel-Bug-Bash-WestEurope,westeurope,AzureBlob-6Pi,AzureBlob,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourceGroups/classification-test/providers/Microsoft.Storage/storageAccounts/aipclptest,458b9821-8f00-483f-acf9-ff6ab17332c4,eastus,BugBashTest,,de-pn.docx,https://aipclptest.blob.core.windows.net/aipscan/HR/de-pn.docx,File,"2/13/2020, 7:54:12.000 PM","2/13/2020, 7:54:12.000 PM",,"11/1/2021, 4:10:28.658 PM",docx,20125,Labeling,External,[],0,f42aa342-8706-4288-bd11-ebb85995028c,General,,,PurviewDataSensitivityLogs,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourcegroups/purview-sentinel-bug-bash/providers/microsoft.purview/accounts/sentinel-bug-bash-westeurope -d80e74e9-da11-4572-babc-79349f7685cc,"11/1/2021, 4:13:57.677 PM",00000000-0000-0000-0000-000000000000,DataSensitivityLogEvent,72f988bf-86f1-41af-91ab-2d7cd011db47,458b9821-8f00-483f-acf9-ff6ab17332c4,Sentinel-Bug-Bash-WestEurope,westeurope,AzureBlob-6Pi,AzureBlob,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourceGroups/classification-test/providers/Microsoft.Storage/storageAccounts/aipclptest,458b9821-8f00-483f-acf9-ff6ab17332c4,eastus,BugBashTest,,es-ssn.docx,https://aipclptest.blob.core.windows.net/aipscan/HR/es-ssn.docx,File,"2/13/2020, 7:54:12.000 PM","2/13/2020, 7:54:12.000 PM",,"11/1/2021, 4:10:28.658 PM",docx,20135,Classification,System,"[""Spain Social Security Number (SSN)""]",1,,,,,PurviewDataSensitivityLogs,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourcegroups/purview-sentinel-bug-bash/providers/microsoft.purview/accounts/sentinel-bug-bash-westeurope -d80e74e9-da11-4572-babc-79349f7685cc,"11/1/2021, 4:13:57.677 PM",00000000-0000-0000-0000-000000000000,DataSensitivityLogEvent,72f988bf-86f1-41af-91ab-2d7cd011db47,458b9821-8f00-483f-acf9-ff6ab17332c4,Sentinel-Bug-Bash-WestEurope,westeurope,AzureBlob-6Pi,AzureBlob,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourceGroups/classification-test/providers/Microsoft.Storage/storageAccounts/aipclptest,458b9821-8f00-483f-acf9-ff6ab17332c4,eastus,BugBashTest,,es-ssn.docx,https://aipclptest.blob.core.windows.net/aipscan/HR/es-ssn.docx,File,"2/13/2020, 7:54:12.000 PM","2/13/2020, 7:54:12.000 PM",,"11/1/2021, 4:10:28.658 PM",docx,20135,Labeling,External,[],0,f42aa342-8706-4288-bd11-ebb85995028c,General,,,PurviewDataSensitivityLogs,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourcegroups/purview-sentinel-bug-bash/providers/microsoft.purview/accounts/sentinel-bug-bash-westeurope -d80e74e9-da11-4572-babc-79349f7685cc,"11/1/2021, 4:13:57.678 PM",00000000-0000-0000-0000-000000000000,DataSensitivityLogEvent,72f988bf-86f1-41af-91ab-2d7cd011db47,458b9821-8f00-483f-acf9-ff6ab17332c4,Sentinel-Bug-Bash-WestEurope,westeurope,AzureBlob-6Pi,AzureBlob,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourceGroups/classification-test/providers/Microsoft.Storage/storageAccounts/aipclptest,458b9821-8f00-483f-acf9-ff6ab17332c4,eastus,BugBashTest,,fi-id.docx,https://aipclptest.blob.core.windows.net/aipscan/HR/fi-id.docx,File,"2/13/2020, 7:54:12.000 PM","2/13/2020, 7:54:12.000 PM",,"11/1/2021, 4:10:28.658 PM",docx,20189,Classification,System,"[""EU National Identification Number"",""EU Social Security Number (SSN) or Equivalent ID"",""EU Tax Identification Number (TIN)"",""Finland National ID""]",4,,,,,PurviewDataSensitivityLogs,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourcegroups/purview-sentinel-bug-bash/providers/microsoft.purview/accounts/sentinel-bug-bash-westeurope -d80e74e9-da11-4572-babc-79349f7685cc,"11/1/2021, 4:13:57.678 PM",00000000-0000-0000-0000-000000000000,DataSensitivityLogEvent,72f988bf-86f1-41af-91ab-2d7cd011db47,458b9821-8f00-483f-acf9-ff6ab17332c4,Sentinel-Bug-Bash-WestEurope,westeurope,AzureBlob-6Pi,AzureBlob,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourceGroups/classification-test/providers/Microsoft.Storage/storageAccounts/aipclptest,458b9821-8f00-483f-acf9-ff6ab17332c4,eastus,BugBashTest,,fi-id.docx,https://aipclptest.blob.core.windows.net/aipscan/HR/fi-id.docx,File,"2/13/2020, 7:54:12.000 PM","2/13/2020, 7:54:12.000 PM",,"11/1/2021, 4:10:28.658 PM",docx,20189,Labeling,External,[],0,f42aa342-8706-4288-bd11-ebb85995028c,General,,,PurviewDataSensitivityLogs,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourcegroups/purview-sentinel-bug-bash/providers/microsoft.purview/accounts/sentinel-bug-bash-westeurope -d80e74e9-da11-4572-babc-79349f7685cc,"11/1/2021, 4:13:57.678 PM",00000000-0000-0000-0000-000000000000,DataSensitivityLogEvent,72f988bf-86f1-41af-91ab-2d7cd011db47,458b9821-8f00-483f-acf9-ff6ab17332c4,Sentinel-Bug-Bash-WestEurope,westeurope,AzureBlob-6Pi,AzureBlob,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourceGroups/classification-test/providers/Microsoft.Storage/storageAccounts/aipclptest,458b9821-8f00-483f-acf9-ff6ab17332c4,eastus,BugBashTest,,cz.txt,https://aipclptest.blob.core.windows.net/aipscan/HR/cz.txt,File,"2/13/2020, 7:54:12.000 PM","2/13/2020, 7:54:12.000 PM",,"11/1/2021, 4:10:28.533 PM",txt,124,Classification,System,"[""EU National Identification Number"",""EU Social Security Number (SSN) or Equivalent ID""]",2,,,,,PurviewDataSensitivityLogs,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourcegroups/purview-sentinel-bug-bash/providers/microsoft.purview/accounts/sentinel-bug-bash-westeurope -d80e74e9-da11-4572-babc-79349f7685cc,"11/1/2021, 4:13:57.766 PM",00000000-0000-0000-0000-000000000000,DataSensitivityLogEvent,72f988bf-86f1-41af-91ab-2d7cd011db47,458b9821-8f00-483f-acf9-ff6ab17332c4,Sentinel-Bug-Bash-WestEurope,westeurope,AzureBlob-6Pi,AzureBlob,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourceGroups/classification-test/providers/Microsoft.Storage/storageAccounts/aipclptest,458b9821-8f00-483f-acf9-ff6ab17332c4,eastus,BugBashTest,,EL.txt,https://aipclptest.blob.core.windows.net/aashishr01/EL.txt,File,"12/11/2020, 8:59:35.000 PM","12/11/2020, 8:59:35.000 PM",,"11/1/2021, 4:10:08.213 PM",txt,200,Labeling,Default,[],0,9fbde396-1a24-4c79-8edf-9254a0f35055,Confidential\Microsoft Extended,,,PurviewDataSensitivityLogs,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourcegroups/purview-sentinel-bug-bash/providers/microsoft.purview/accounts/sentinel-bug-bash-westeurope -d80e74e9-da11-4572-babc-79349f7685cc,"11/1/2021, 4:13:57.805 PM",00000000-0000-0000-0000-000000000000,DataSensitivityLogEvent,72f988bf-86f1-41af-91ab-2d7cd011db47,458b9821-8f00-483f-acf9-ff6ab17332c4,Sentinel-Bug-Bash-WestEurope,westeurope,AzureBlob-6Pi,AzureBlob,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourceGroups/classification-test/providers/Microsoft.Storage/storageAccounts/aipclptest,458b9821-8f00-483f-acf9-ff6ab17332c4,eastus,BugBashTest,,create samples (1).xlsx,https://aipclptest.blob.core.windows.net/test2/create samples (1).xlsx,File,"5/13/2021, 6:37:49.000 PM","5/13/2021, 6:37:49.000 PM",,"11/1/2021, 4:10:05.727 PM",xlsx,29140,Classification,System,"[""ABA Routing Number"",""Argentina National Identity (DNI) Number"",""Australia Bank Account Number"",""Australia Driver's License Number"",""Australia Medical Account Number"",""Australia Passport Number"",""Australia Tax File Number"",""Austria Driver's License Number"",""Austria Passport Number"",""Belgium Driver's License Number"",""Belgium Passport Number"",""Brazil CPF Number"",""Brazil Legal Entity Number (CNPJ)"",""Brazil National ID Card (RG)"",""Bulgaria Driver's License Number"",""Bulgaria Passport Number"",""Canada Bank Account Number"",""Canada Driver's License Number"",""Canada Health Service Number"",""Canada Passport Number"",""Canada Personal Health Identification Number (PHIN)"",""Canada Social Insurance Number"",""Chile Identity Card Number"",""China Resident Identity Card (PRC) Number"",""Credit Card Number"",""Croatia Driver's License Number"",""Croatia Passport Number"",""Cyprus Driver's License Number"",""Cyprus Identity Card"",""Czech Personal Identity Number"",""Czech Republic Passport Number"",""Denmark Driver's License Number"",""Denmark Passport Number"",""Denmark Personal Identification Number"",""Estonia Passport Number"",""EU Debit Card Number"",""EU Driver's License Number"",""EU National Identification Number"",""EU Passport Number"",""EU Social Security Number (SSN) or Equivalent ID"",""EU Tax Identification Number (TIN)"",""Finland National ID"",""Finland Passport Number"",""France Driver's License Number"",""France National ID Card (CNI)"",""France Social Security Number (INSEE)"",""German Driver's License Number"",""German Passport Number"",""Germany Identity Card Number"",""Greece Driver's License Number"",""Greece National ID Card"",""Greece Passport Number"",""Hungarian Social Security Number (TAJ)"",""Hungary Passport Number"",""India Permanent Account Number (PAN)"",""India Unique Identification (Aadhaar) Number"",""Indonesia Identity Card (KTP) Number"",""International Banking Account Number (IBAN)"",""IP Address"",""Ireland Passport Number"",""Ireland Personal Public Service (PPS) Number"",""Israel Bank Account Number"",""Israel National ID"",""Italy Driver's License Number"",""Italy Passport Number"",""Japan Bank Account Number"",""Japan Driver's License Number"",""Japan Passport Number"",""Japan Resident Registration Number"",""Japan Social Insurance Number (SIN)"",""Lithuania Driver's License Number"",""Lithuania Passport Number"",""Luxemburg Passport Number"",""Malaysia Identity Card Number"",""Malta Driver's License Number"",""Malta Passport Number"",""Netherlands Driver's License Number"",""Netherlands Passport Number"",""New Zealand Ministry of Health Number"",""Norway Identity Number"",""Philippines Unified Multi-Purpose ID Number"",""Poland Identity Card"",""Romania Driver's License Number"",""Romania Passport Number"",""Russian Passport Number (Domestic)"",""Russian Passport Number (International)"",""Saudi Arabia National ID"",""Singapore National Registration Identity Card (NRIC) Number"",""Slovakia Driver's License Number"",""Slovakia Passport Number"",""Slovakia Personal Number"",""Slovenia Driver's License Number"",""Slovenia Passport Number"",""South Africa Identification Number"",""South Korea Resident Registration Number"",""Spain Social Security Number (SSN)"",""Sweden National ID"",""Sweden Passport Number"",""Sweden Tax Identification Number"",""SWIFT Code"",""Taiwan National ID"",""Taiwan Passport Number"",""Taiwan Resident Certificate (ARC/TARC)"",""U.K. Driver's License Number"",""U.K. Electoral Roll Number"",""U.K. National Health Service Number"",""U.K. National Insurance Number (NINO)"",""U.K. Unique Taxpayer Reference Number"",""U.S. / U.K. Passport Number"",""U.S. Bank Account Number"",""U.S. Individual Taxpayer Identification Number (ITIN)"",""U.S. Social Security Number (SSN)"",""Ukraine Passport Number (Domestic)"",""Ukraine Passport Number (International)""]",114,,,,,PurviewDataSensitivityLogs,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourcegroups/purview-sentinel-bug-bash/providers/microsoft.purview/accounts/sentinel-bug-bash-westeurope -d80e74e9-da11-4572-babc-79349f7685cc,"11/1/2021, 4:13:57.811 PM",00000000-0000-0000-0000-000000000000,DataSensitivityLogEvent,72f988bf-86f1-41af-91ab-2d7cd011db47,458b9821-8f00-483f-acf9-ff6ab17332c4,Sentinel-Bug-Bash-WestEurope,westeurope,AzureBlob-6Pi,AzureBlob,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourceGroups/classification-test/providers/Microsoft.Storage/storageAccounts/aipclptest,458b9821-8f00-483f-acf9-ff6ab17332c4,eastus,BugBashTest,,finland.txt,https://aipclptest.blob.core.windows.net/aipscan/HR/finland.txt,File,"2/13/2020, 7:54:12.000 PM","2/13/2020, 7:54:12.000 PM",,"11/1/2021, 4:10:28.955 PM",txt,89,Classification,System,"[""EU National Identification Number"",""EU Social Security Number (SSN) or Equivalent ID"",""EU Tax Identification Number (TIN)"",""Finland National ID""]",4,,,,,PurviewDataSensitivityLogs,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourcegroups/purview-sentinel-bug-bash/providers/microsoft.purview/accounts/sentinel-bug-bash-westeurope -d80e74e9-da11-4572-babc-79349f7685cc,"11/1/2021, 4:13:57.816 PM",00000000-0000-0000-0000-000000000000,DataSensitivityLogEvent,72f988bf-86f1-41af-91ab-2d7cd011db47,458b9821-8f00-483f-acf9-ff6ab17332c4,Sentinel-Bug-Bash-WestEurope,westeurope,AzureBlob-6Pi,AzureBlob,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourceGroups/classification-test/providers/Microsoft.Storage/storageAccounts/aipclptest,458b9821-8f00-483f-acf9-ff6ab17332c4,eastus,BugBashTest,,2020 forecast.pptx,https://aipclptest.blob.core.windows.net/aipscan/Finance/2020 forecast.pptx,File,"2/13/2020, 7:54:02.000 PM","2/13/2020, 7:54:02.000 PM",,"11/1/2021, 4:10:29.158 PM",pptx,32114,Classification,System,"[""Credit Card Number"",""EU Debit Card Number""]",2,,,,,PurviewDataSensitivityLogs,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourcegroups/purview-sentinel-bug-bash/providers/microsoft.purview/accounts/sentinel-bug-bash-westeurope -d80e74e9-da11-4572-babc-79349f7685cc,"11/1/2021, 4:13:57.821 PM",00000000-0000-0000-0000-000000000000,DataSensitivityLogEvent,72f988bf-86f1-41af-91ab-2d7cd011db47,458b9821-8f00-483f-acf9-ff6ab17332c4,Sentinel-Bug-Bash-WestEurope,westeurope,AzureBlob-6Pi,AzureBlob,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourceGroups/classification-test/providers/Microsoft.Storage/storageAccounts/aipclptest,458b9821-8f00-483f-acf9-ff6ab17332c4,eastus,BugBashTest,,Doc with credit cards.docx,https://aipclptest.blob.core.windows.net/aipscan/Finance/Doc with credit cards.docx,File,"2/13/2020, 7:54:02.000 PM","2/13/2020, 7:54:02.000 PM",,"11/1/2021, 4:10:29.283 PM",docx,14003,Classification,System,"[""Credit Card Number"",""EU Debit Card Number""]",2,,,,,PurviewDataSensitivityLogs,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourcegroups/purview-sentinel-bug-bash/providers/microsoft.purview/accounts/sentinel-bug-bash-westeurope -d80e74e9-da11-4572-babc-79349f7685cc,"11/1/2021, 4:13:57.821 PM",00000000-0000-0000-0000-000000000000,DataSensitivityLogEvent,72f988bf-86f1-41af-91ab-2d7cd011db47,458b9821-8f00-483f-acf9-ff6ab17332c4,Sentinel-Bug-Bash-WestEurope,westeurope,AzureBlob-6Pi,AzureBlob,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourceGroups/classification-test/providers/Microsoft.Storage/storageAccounts/aipclptest,458b9821-8f00-483f-acf9-ff6ab17332c4,eastus,BugBashTest,,Doc with credit cards.docx,https://aipclptest.blob.core.windows.net/aipscan/Finance/Doc with credit cards.docx,File,"2/13/2020, 7:54:02.000 PM","2/13/2020, 7:54:02.000 PM",,"11/1/2021, 4:10:29.283 PM",docx,14003,Labeling,External,[],0,f42aa342-8706-4288-bd11-ebb85995028c,General,,,PurviewDataSensitivityLogs,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourcegroups/purview-sentinel-bug-bash/providers/microsoft.purview/accounts/sentinel-bug-bash-westeurope -d80e74e9-da11-4572-babc-79349f7685cc,"11/1/2021, 4:13:57.928 PM",00000000-0000-0000-0000-000000000000,DataSensitivityLogEvent,72f988bf-86f1-41af-91ab-2d7cd011db47,458b9821-8f00-483f-acf9-ff6ab17332c4,Sentinel-Bug-Bash-WestEurope,westeurope,AzureBlob-6Pi,AzureBlob,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourceGroups/classification-test/providers/Microsoft.Storage/storageAccounts/aipclptest,458b9821-8f00-483f-acf9-ff6ab17332c4,eastus,BugBashTest,,EL.txt,https://aipclptest.blob.core.windows.net/aipscan/HR/EL.txt,File,"2/13/2020, 7:54:12.000 PM","2/13/2020, 7:54:12.000 PM",,"11/1/2021, 4:10:26.690 PM",txt,200,Classification,System,"[""EU National Identification Number"",""Greece National ID Card""]",2,,,,,PurviewDataSensitivityLogs,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourcegroups/purview-sentinel-bug-bash/providers/microsoft.purview/accounts/sentinel-bug-bash-westeurope -d80e74e9-da11-4572-babc-79349f7685cc,"11/1/2021, 4:13:57.934 PM",00000000-0000-0000-0000-000000000000,DataSensitivityLogEvent,72f988bf-86f1-41af-91ab-2d7cd011db47,458b9821-8f00-483f-acf9-ff6ab17332c4,Sentinel-Bug-Bash-WestEurope,westeurope,AzureBlob-6Pi,AzureBlob,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourceGroups/classification-test/providers/Microsoft.Storage/storageAccounts/aipclptest,458b9821-8f00-483f-acf9-ff6ab17332c4,eastus,BugBashTest,,uk-nino.docx,https://aipclptest.blob.core.windows.net/aipscan/HR/uk-nino.docx,File,"2/13/2020, 7:54:12.000 PM","2/13/2020, 7:54:12.000 PM",,"11/1/2021, 4:10:26.690 PM",docx,20246,Classification,System,"[""EU National Identification Number"",""U.K. National Insurance Number (NINO)""]",2,,,,,PurviewDataSensitivityLogs,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourcegroups/purview-sentinel-bug-bash/providers/microsoft.purview/accounts/sentinel-bug-bash-westeurope -d80e74e9-da11-4572-babc-79349f7685cc,"11/1/2021, 4:13:57.934 PM",00000000-0000-0000-0000-000000000000,DataSensitivityLogEvent,72f988bf-86f1-41af-91ab-2d7cd011db47,458b9821-8f00-483f-acf9-ff6ab17332c4,Sentinel-Bug-Bash-WestEurope,westeurope,AzureBlob-6Pi,AzureBlob,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourceGroups/classification-test/providers/Microsoft.Storage/storageAccounts/aipclptest,458b9821-8f00-483f-acf9-ff6ab17332c4,eastus,BugBashTest,,uk-nino.docx,https://aipclptest.blob.core.windows.net/aipscan/HR/uk-nino.docx,File,"2/13/2020, 7:54:12.000 PM","2/13/2020, 7:54:12.000 PM",,"11/1/2021, 4:10:26.690 PM",docx,20246,Labeling,External,[],0,f42aa342-8706-4288-bd11-ebb85995028c,General,,,PurviewDataSensitivityLogs,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourcegroups/purview-sentinel-bug-bash/providers/microsoft.purview/accounts/sentinel-bug-bash-westeurope -d80e74e9-da11-4572-babc-79349f7685cc,"11/1/2021, 4:13:57.970 PM",00000000-0000-0000-0000-000000000000,DataSensitivityLogEvent,72f988bf-86f1-41af-91ab-2d7cd011db47,458b9821-8f00-483f-acf9-ff6ab17332c4,Sentinel-Bug-Bash-WestEurope,westeurope,AzureBlob-6Pi,AzureBlob,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourceGroups/classification-test/providers/Microsoft.Storage/storageAccounts/aipclptest,458b9821-8f00-483f-acf9-ff6ab17332c4,eastus,BugBashTest,,Acme Background Check-Katana.doc,https://aipclptest.blob.core.windows.net/satintestcontainer/test5/Acme Background Check-Katana.doc,File,"2/16/2021, 9:35:29.000 AM","2/16/2021, 9:35:29.000 AM",,"11/1/2021, 4:10:36.874 PM",doc,90624,Labeling,Default,[],0,9fbde396-1a24-4c79-8edf-9254a0f35055,Confidential\Microsoft Extended,,,PurviewDataSensitivityLogs,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourcegroups/purview-sentinel-bug-bash/providers/microsoft.purview/accounts/sentinel-bug-bash-westeurope -d80e74e9-da11-4572-babc-79349f7685cc,"11/1/2021, 4:13:58.013 PM",00000000-0000-0000-0000-000000000000,DataSensitivityLogEvent,72f988bf-86f1-41af-91ab-2d7cd011db47,458b9821-8f00-483f-acf9-ff6ab17332c4,Sentinel-Bug-Bash-WestEurope,westeurope,AzureBlob-6Pi,AzureBlob,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourceGroups/classification-test/providers/Microsoft.Storage/storageAccounts/aipclptest,458b9821-8f00-483f-acf9-ff6ab17332c4,eastus,BugBashTest,,finland.txt,https://aipclptest.blob.core.windows.net/aipscan/PII/finland.txt,File,"2/13/2020, 7:54:22.000 PM","2/13/2020, 7:54:22.000 PM",,"11/1/2021, 4:10:28.230 PM",txt,89,Labeling,Default,[],0,9fbde396-1a24-4c79-8edf-9254a0f35055,Confidential\Microsoft Extended,,,PurviewDataSensitivityLogs,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourcegroups/purview-sentinel-bug-bash/providers/microsoft.purview/accounts/sentinel-bug-bash-westeurope -d80e74e9-da11-4572-babc-79349f7685cc,"11/1/2021, 4:13:58.053 PM",00000000-0000-0000-0000-000000000000,DataSensitivityLogEvent,72f988bf-86f1-41af-91ab-2d7cd011db47,458b9821-8f00-483f-acf9-ff6ab17332c4,Sentinel-Bug-Bash-WestEurope,westeurope,AzureBlob-6Pi,AzureBlob,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourceGroups/classification-test/providers/Microsoft.Storage/storageAccounts/aipclptest,458b9821-8f00-483f-acf9-ff6ab17332c4,eastus,BugBashTest,,Acme Request for Time Off.doc,https://aipclptest.blob.core.windows.net/aipscan/CredScan/Acme Request for Time Off.doc,File,"2/13/2020, 7:53:39.000 PM","2/13/2020, 7:53:39.000 PM",,"11/1/2021, 4:10:30.518 PM",doc,40960,Classification,System,"[""U.S. Social Security Number (SSN)""]",1,,,,,PurviewDataSensitivityLogs,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourcegroups/purview-sentinel-bug-bash/providers/microsoft.purview/accounts/sentinel-bug-bash-westeurope -d80e74e9-da11-4572-babc-79349f7685cc,"11/1/2021, 4:13:58.061 PM",00000000-0000-0000-0000-000000000000,DataSensitivityLogEvent,72f988bf-86f1-41af-91ab-2d7cd011db47,458b9821-8f00-483f-acf9-ff6ab17332c4,Sentinel-Bug-Bash-WestEurope,westeurope,AzureBlob-6Pi,AzureBlob,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourceGroups/classification-test/providers/Microsoft.Storage/storageAccounts/aipclptest,458b9821-8f00-483f-acf9-ff6ab17332c4,eastus,BugBashTest,,Credit Card Spreadsheet-Katana.xls,https://aipclptest.blob.core.windows.net/aipscan/CredScan/Credit Card Spreadsheet-Katana.xls,File,"2/13/2020, 7:53:38.000 PM","2/13/2020, 7:53:38.000 PM",,"11/1/2021, 4:10:30.299 PM",xls,30208,Classification,System,"[""Credit Card Number""]",1,,,,,PurviewDataSensitivityLogs,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourcegroups/purview-sentinel-bug-bash/providers/microsoft.purview/accounts/sentinel-bug-bash-westeurope -d80e74e9-da11-4572-babc-79349f7685cc,"11/1/2021, 4:13:58.179 PM",00000000-0000-0000-0000-000000000000,DataSensitivityLogEvent,72f988bf-86f1-41af-91ab-2d7cd011db47,458b9821-8f00-483f-acf9-ff6ab17332c4,Sentinel-Bug-Bash-WestEurope,westeurope,AzureBlob-6Pi,AzureBlob,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourceGroups/classification-test/providers/Microsoft.Storage/storageAccounts/aipclptest,458b9821-8f00-483f-acf9-ff6ab17332c4,eastus,BugBashTest,,Customer details.pptx,https://aipclptest.blob.core.windows.net/aipscan/Finance/Customer details.pptx,File,"2/13/2020, 7:54:02.000 PM","2/13/2020, 7:54:02.000 PM",,"11/1/2021, 4:10:29.783 PM",pptx,32114,Classification,System,"[""Credit Card Number"",""EU Debit Card Number""]",2,,,,,PurviewDataSensitivityLogs,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourcegroups/purview-sentinel-bug-bash/providers/microsoft.purview/accounts/sentinel-bug-bash-westeurope -d80e74e9-da11-4572-babc-79349f7685cc,"11/1/2021, 4:13:58.185 PM",00000000-0000-0000-0000-000000000000,DataSensitivityLogEvent,72f988bf-86f1-41af-91ab-2d7cd011db47,458b9821-8f00-483f-acf9-ff6ab17332c4,Sentinel-Bug-Bash-WestEurope,westeurope,AzureBlob-6Pi,AzureBlob,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourceGroups/classification-test/providers/Microsoft.Storage/storageAccounts/aipclptest,458b9821-8f00-483f-acf9-ff6ab17332c4,eastus,BugBashTest,,2019 forecast.pptx,https://aipclptest.blob.core.windows.net/aipscan/Finance/2019 forecast.pptx,File,"2/13/2020, 7:54:02.000 PM","2/13/2020, 7:54:02.000 PM",,"11/1/2021, 4:10:29.783 PM",pptx,32114,Classification,System,"[""Credit Card Number"",""EU Debit Card Number""]",2,,,,,PurviewDataSensitivityLogs,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourcegroups/purview-sentinel-bug-bash/providers/microsoft.purview/accounts/sentinel-bug-bash-westeurope -d80e74e9-da11-4572-babc-79349f7685cc,"11/1/2021, 4:13:58.190 PM",00000000-0000-0000-0000-000000000000,DataSensitivityLogEvent,72f988bf-86f1-41af-91ab-2d7cd011db47,458b9821-8f00-483f-acf9-ff6ab17332c4,Sentinel-Bug-Bash-WestEurope,westeurope,AzureBlob-6Pi,AzureBlob,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourceGroups/classification-test/providers/Microsoft.Storage/storageAccounts/aipclptest,458b9821-8f00-483f-acf9-ff6ab17332c4,eastus,BugBashTest,,pl-id.docx,https://aipclptest.blob.core.windows.net/aipscan/HR/pl-id.docx,File,"2/13/2020, 7:54:12.000 PM","2/13/2020, 7:54:12.000 PM",,"11/1/2021, 4:10:26.721 PM",docx,20206,Classification,System,"[""EU National Identification Number"",""Poland Identity Card""]",2,,,,,PurviewDataSensitivityLogs,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourcegroups/purview-sentinel-bug-bash/providers/microsoft.purview/accounts/sentinel-bug-bash-westeurope -d80e74e9-da11-4572-babc-79349f7685cc,"11/1/2021, 4:13:58.190 PM",00000000-0000-0000-0000-000000000000,DataSensitivityLogEvent,72f988bf-86f1-41af-91ab-2d7cd011db47,458b9821-8f00-483f-acf9-ff6ab17332c4,Sentinel-Bug-Bash-WestEurope,westeurope,AzureBlob-6Pi,AzureBlob,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourceGroups/classification-test/providers/Microsoft.Storage/storageAccounts/aipclptest,458b9821-8f00-483f-acf9-ff6ab17332c4,eastus,BugBashTest,,pl-id.docx,https://aipclptest.blob.core.windows.net/aipscan/HR/pl-id.docx,File,"2/13/2020, 7:54:12.000 PM","2/13/2020, 7:54:12.000 PM",,"11/1/2021, 4:10:26.721 PM",docx,20206,Labeling,External,[],0,f42aa342-8706-4288-bd11-ebb85995028c,General,,,PurviewDataSensitivityLogs,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourcegroups/purview-sentinel-bug-bash/providers/microsoft.purview/accounts/sentinel-bug-bash-westeurope -d80e74e9-da11-4572-babc-79349f7685cc,"11/1/2021, 4:13:58.246 PM",00000000-0000-0000-0000-000000000000,DataSensitivityLogEvent,72f988bf-86f1-41af-91ab-2d7cd011db47,458b9821-8f00-483f-acf9-ff6ab17332c4,Sentinel-Bug-Bash-WestEurope,westeurope,AzureBlob-6Pi,AzureBlob,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourceGroups/classification-test/providers/Microsoft.Storage/storageAccounts/aipclptest,458b9821-8f00-483f-acf9-ff6ab17332c4,eastus,BugBashTest,,Acme Request for Time Off-Katana.doc,https://aipclptest.blob.core.windows.net/aipscan/CredScan/Acme Request for Time Off-Katana.doc,File,"2/13/2020, 7:53:38.000 PM","2/13/2020, 7:53:38.000 PM",,"11/1/2021, 4:10:19.151 PM",doc,39936,Labeling,Default,[],0,9fbde396-1a24-4c79-8edf-9254a0f35055,Confidential\Microsoft Extended,,,PurviewDataSensitivityLogs,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourcegroups/purview-sentinel-bug-bash/providers/microsoft.purview/accounts/sentinel-bug-bash-westeurope -d80e74e9-da11-4572-babc-79349f7685cc,"11/1/2021, 4:13:58.247 PM",00000000-0000-0000-0000-000000000000,DataSensitivityLogEvent,72f988bf-86f1-41af-91ab-2d7cd011db47,458b9821-8f00-483f-acf9-ff6ab17332c4,Sentinel-Bug-Bash-WestEurope,westeurope,AzureBlob-6Pi,AzureBlob,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourceGroups/classification-test/providers/Microsoft.Storage/storageAccounts/aipclptest,458b9821-8f00-483f-acf9-ff6ab17332c4,eastus,BugBashTest,,Acme Background Check-Katana.doc,https://aipclptest.blob.core.windows.net/aipscan/CredScan/Acme Background Check-Katana.doc,File,"2/13/2020, 7:53:39.000 PM","2/13/2020, 7:53:39.000 PM",,"11/1/2021, 4:10:19.214 PM",doc,95232,Labeling,Default,[],0,9fbde396-1a24-4c79-8edf-9254a0f35055,Confidential\Microsoft Extended,,,PurviewDataSensitivityLogs,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourcegroups/purview-sentinel-bug-bash/providers/microsoft.purview/accounts/sentinel-bug-bash-westeurope -d80e74e9-da11-4572-babc-79349f7685cc,"11/1/2021, 4:13:58.286 PM",00000000-0000-0000-0000-000000000000,DataSensitivityLogEvent,72f988bf-86f1-41af-91ab-2d7cd011db47,458b9821-8f00-483f-acf9-ff6ab17332c4,Sentinel-Bug-Bash-WestEurope,westeurope,AzureBlob-6Pi,AzureBlob,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourceGroups/classification-test/providers/Microsoft.Storage/storageAccounts/aipclptest,458b9821-8f00-483f-acf9-ff6ab17332c4,eastus,BugBashTest,,EL.txt,https://aipclptest.blob.core.windows.net/satintestcontainer/EL.txt,File,"5/12/2021, 6:56:19.000 PM","5/12/2021, 6:56:19.000 PM",,"11/1/2021, 4:10:29.605 PM",txt,200,Labeling,Default,[],0,9fbde396-1a24-4c79-8edf-9254a0f35055,Confidential\Microsoft Extended,,,PurviewDataSensitivityLogs,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourcegroups/purview-sentinel-bug-bash/providers/microsoft.purview/accounts/sentinel-bug-bash-westeurope -d80e74e9-da11-4572-babc-79349f7685cc,"11/1/2021, 4:13:58.305 PM",00000000-0000-0000-0000-000000000000,DataSensitivityLogEvent,72f988bf-86f1-41af-91ab-2d7cd011db47,458b9821-8f00-483f-acf9-ff6ab17332c4,Sentinel-Bug-Bash-WestEurope,westeurope,AzureBlob-6Pi,AzureBlob,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourceGroups/classification-test/providers/Microsoft.Storage/storageAccounts/aipclptest,458b9821-8f00-483f-acf9-ff6ab17332c4,eastus,BugBashTest,,sw-pn.docx,https://aipclptest.blob.core.windows.net/aipscan/HR/sw-pn.docx,File,"2/13/2020, 7:54:12.000 PM","2/13/2020, 7:54:12.000 PM",,"11/1/2021, 4:10:26.705 PM",docx,19632,Classification,System,"[""EU Passport Number"",""Sweden Passport Number""]",2,,,,,PurviewDataSensitivityLogs,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourcegroups/purview-sentinel-bug-bash/providers/microsoft.purview/accounts/sentinel-bug-bash-westeurope -d80e74e9-da11-4572-babc-79349f7685cc,"11/1/2021, 4:13:58.305 PM",00000000-0000-0000-0000-000000000000,DataSensitivityLogEvent,72f988bf-86f1-41af-91ab-2d7cd011db47,458b9821-8f00-483f-acf9-ff6ab17332c4,Sentinel-Bug-Bash-WestEurope,westeurope,AzureBlob-6Pi,AzureBlob,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourceGroups/classification-test/providers/Microsoft.Storage/storageAccounts/aipclptest,458b9821-8f00-483f-acf9-ff6ab17332c4,eastus,BugBashTest,,sw-pn.docx,https://aipclptest.blob.core.windows.net/aipscan/HR/sw-pn.docx,File,"2/13/2020, 7:54:12.000 PM","2/13/2020, 7:54:12.000 PM",,"11/1/2021, 4:10:26.705 PM",docx,19632,Labeling,External,[],0,f42aa342-8706-4288-bd11-ebb85995028c,General,,,PurviewDataSensitivityLogs,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourcegroups/purview-sentinel-bug-bash/providers/microsoft.purview/accounts/sentinel-bug-bash-westeurope -d80e74e9-da11-4572-babc-79349f7685cc,"11/1/2021, 4:13:58.305 PM",00000000-0000-0000-0000-000000000000,DataSensitivityLogEvent,72f988bf-86f1-41af-91ab-2d7cd011db47,458b9821-8f00-483f-acf9-ff6ab17332c4,Sentinel-Bug-Bash-WestEurope,westeurope,AzureBlob-6Pi,AzureBlob,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourceGroups/classification-test/providers/Microsoft.Storage/storageAccounts/aipclptest,458b9821-8f00-483f-acf9-ff6ab17332c4,eastus,BugBashTest,,cr-oib.docx,https://aipclptest.blob.core.windows.net/test2/cr-oib.docx,File,"5/13/2021, 6:37:49.000 PM","5/13/2021, 6:37:49.000 PM",,"11/1/2021, 4:10:06.446 PM",docx,26098,Classification,System,"[""EU National Identification Number""]",1,,,,,PurviewDataSensitivityLogs,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourcegroups/purview-sentinel-bug-bash/providers/microsoft.purview/accounts/sentinel-bug-bash-westeurope -d80e74e9-da11-4572-babc-79349f7685cc,"11/1/2021, 4:13:58.311 PM",00000000-0000-0000-0000-000000000000,DataSensitivityLogEvent,72f988bf-86f1-41af-91ab-2d7cd011db47,458b9821-8f00-483f-acf9-ff6ab17332c4,Sentinel-Bug-Bash-WestEurope,westeurope,AzureBlob-6Pi,AzureBlob,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourceGroups/classification-test/providers/Microsoft.Storage/storageAccounts/aipclptest,458b9821-8f00-483f-acf9-ff6ab17332c4,eastus,BugBashTest,,create samples.xlsx,https://aipclptest.blob.core.windows.net/test2/create samples.xlsx,File,"5/13/2021, 6:37:49.000 PM","5/13/2021, 6:37:49.000 PM",,"11/1/2021, 4:10:06.916 PM",xlsx,29140,Classification,System,"[""ABA Routing Number"",""Argentina National Identity (DNI) Number"",""Australia Bank Account Number"",""Australia Driver's License Number"",""Australia Medical Account Number"",""Australia Passport Number"",""Australia Tax File Number"",""Austria Driver's License Number"",""Austria Passport Number"",""Belgium Driver's License Number"",""Belgium Passport Number"",""Brazil CPF Number"",""Brazil Legal Entity Number (CNPJ)"",""Brazil National ID Card (RG)"",""Bulgaria Driver's License Number"",""Bulgaria Passport Number"",""Canada Bank Account Number"",""Canada Driver's License Number"",""Canada Health Service Number"",""Canada Passport Number"",""Canada Personal Health Identification Number (PHIN)"",""Canada Social Insurance Number"",""Chile Identity Card Number"",""China Resident Identity Card (PRC) Number"",""Credit Card Number"",""Croatia Driver's License Number"",""Croatia Passport Number"",""Cyprus Driver's License Number"",""Cyprus Identity Card"",""Czech Personal Identity Number"",""Czech Republic Passport Number"",""Denmark Driver's License Number"",""Denmark Passport Number"",""Denmark Personal Identification Number"",""Estonia Passport Number"",""EU Debit Card Number"",""EU Driver's License Number"",""EU National Identification Number"",""EU Passport Number"",""EU Social Security Number (SSN) or Equivalent ID"",""EU Tax Identification Number (TIN)"",""Finland National ID"",""Finland Passport Number"",""France Driver's License Number"",""France National ID Card (CNI)"",""France Social Security Number (INSEE)"",""German Driver's License Number"",""German Passport Number"",""Germany Identity Card Number"",""Greece Driver's License Number"",""Greece National ID Card"",""Greece Passport Number"",""Hungarian Social Security Number (TAJ)"",""Hungary Passport Number"",""India Permanent Account Number (PAN)"",""India Unique Identification (Aadhaar) Number"",""Indonesia Identity Card (KTP) Number"",""International Banking Account Number (IBAN)"",""IP Address"",""Ireland Passport Number"",""Ireland Personal Public Service (PPS) Number"",""Israel Bank Account Number"",""Israel National ID"",""Italy Driver's License Number"",""Italy Passport Number"",""Japan Bank Account Number"",""Japan Driver's License Number"",""Japan Passport Number"",""Japan Resident Registration Number"",""Japan Social Insurance Number (SIN)"",""Lithuania Driver's License Number"",""Lithuania Passport Number"",""Luxemburg Passport Number"",""Malaysia Identity Card Number"",""Malta Driver's License Number"",""Malta Passport Number"",""Netherlands Driver's License Number"",""Netherlands Passport Number"",""New Zealand Ministry of Health Number"",""Norway Identity Number"",""Philippines Unified Multi-Purpose ID Number"",""Poland Identity Card"",""Romania Driver's License Number"",""Romania Passport Number"",""Russian Passport Number (Domestic)"",""Russian Passport Number (International)"",""Saudi Arabia National ID"",""Singapore National Registration Identity Card (NRIC) Number"",""Slovakia Driver's License Number"",""Slovakia Passport Number"",""Slovakia Personal Number"",""Slovenia Driver's License Number"",""Slovenia Passport Number"",""South Africa Identification Number"",""South Korea Resident Registration Number"",""Spain Social Security Number (SSN)"",""Sweden National ID"",""Sweden Passport Number"",""Sweden Tax Identification Number"",""SWIFT Code"",""Taiwan National ID"",""Taiwan Passport Number"",""Taiwan Resident Certificate (ARC/TARC)"",""U.K. Driver's License Number"",""U.K. Electoral Roll Number"",""U.K. National Health Service Number"",""U.K. National Insurance Number (NINO)"",""U.K. Unique Taxpayer Reference Number"",""U.S. / U.K. Passport Number"",""U.S. Bank Account Number"",""U.S. Individual Taxpayer Identification Number (ITIN)"",""U.S. Social Security Number (SSN)"",""Ukraine Passport Number (Domestic)"",""Ukraine Passport Number (International)""]",114,,,,,PurviewDataSensitivityLogs,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourcegroups/purview-sentinel-bug-bash/providers/microsoft.purview/accounts/sentinel-bug-bash-westeurope -d80e74e9-da11-4572-babc-79349f7685cc,"11/1/2021, 4:13:58.331 PM",00000000-0000-0000-0000-000000000000,DataSensitivityLogEvent,72f988bf-86f1-41af-91ab-2d7cd011db47,458b9821-8f00-483f-acf9-ff6ab17332c4,Sentinel-Bug-Bash-WestEurope,westeurope,AzureBlob-6Pi,AzureBlob,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourceGroups/classification-test/providers/Microsoft.Storage/storageAccounts/aipclptest,458b9821-8f00-483f-acf9-ff6ab17332c4,eastus,BugBashTest,,Acme Background Check.doc,https://aipclptest.blob.core.windows.net/aipscan/CredScan/Acme Background Check.doc,File,"2/13/2020, 7:53:39.000 PM","2/13/2020, 7:53:39.000 PM",,"11/1/2021, 4:10:18.714 PM",doc,95232,Labeling,Default,[],0,9fbde396-1a24-4c79-8edf-9254a0f35055,Confidential\Microsoft Extended,,,PurviewDataSensitivityLogs,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourcegroups/purview-sentinel-bug-bash/providers/microsoft.purview/accounts/sentinel-bug-bash-westeurope -d80e74e9-da11-4572-babc-79349f7685cc,"11/1/2021, 4:13:58.431 PM",00000000-0000-0000-0000-000000000000,DataSensitivityLogEvent,72f988bf-86f1-41af-91ab-2d7cd011db47,458b9821-8f00-483f-acf9-ff6ab17332c4,Sentinel-Bug-Bash-WestEurope,westeurope,AzureBlob-6Pi,AzureBlob,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourceGroups/classification-test/providers/Microsoft.Storage/storageAccounts/aipclptest,458b9821-8f00-483f-acf9-ff6ab17332c4,eastus,BugBashTest,,el-id.docx,https://aipclptest.blob.core.windows.net/aipscan/HR/el-id.docx,File,"2/13/2020, 7:54:12.000 PM","2/13/2020, 7:54:12.000 PM",,"11/1/2021, 4:10:27.861 PM",docx,20229,Classification,System,"[""EU National Identification Number"",""Greece National ID Card""]",2,,,,,PurviewDataSensitivityLogs,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourcegroups/purview-sentinel-bug-bash/providers/microsoft.purview/accounts/sentinel-bug-bash-westeurope -d80e74e9-da11-4572-babc-79349f7685cc,"11/1/2021, 4:13:58.431 PM",00000000-0000-0000-0000-000000000000,DataSensitivityLogEvent,72f988bf-86f1-41af-91ab-2d7cd011db47,458b9821-8f00-483f-acf9-ff6ab17332c4,Sentinel-Bug-Bash-WestEurope,westeurope,AzureBlob-6Pi,AzureBlob,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourceGroups/classification-test/providers/Microsoft.Storage/storageAccounts/aipclptest,458b9821-8f00-483f-acf9-ff6ab17332c4,eastus,BugBashTest,,el-id.docx,https://aipclptest.blob.core.windows.net/aipscan/HR/el-id.docx,File,"2/13/2020, 7:54:12.000 PM","2/13/2020, 7:54:12.000 PM",,"11/1/2021, 4:10:27.861 PM",docx,20229,Labeling,External,[],0,f42aa342-8706-4288-bd11-ebb85995028c,General,,,PurviewDataSensitivityLogs,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourcegroups/purview-sentinel-bug-bash/providers/microsoft.purview/accounts/sentinel-bug-bash-westeurope -d80e74e9-da11-4572-babc-79349f7685cc,"11/1/2021, 4:13:58.432 PM",00000000-0000-0000-0000-000000000000,DataSensitivityLogEvent,72f988bf-86f1-41af-91ab-2d7cd011db47,458b9821-8f00-483f-acf9-ff6ab17332c4,Sentinel-Bug-Bash-WestEurope,westeurope,AzureBlob-6Pi,AzureBlob,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourceGroups/classification-test/providers/Microsoft.Storage/storageAccounts/aipclptest,458b9821-8f00-483f-acf9-ff6ab17332c4,eastus,BugBashTest,,it-drv.docx,https://aipclptest.blob.core.windows.net/aipscan/HR/it-drv.docx,File,"2/13/2020, 7:54:12.000 PM","2/13/2020, 7:54:12.000 PM",,"11/1/2021, 4:10:27.861 PM",docx,20158,Classification,System,"[""EU Driver's License Number"",""Italy Driver's License Number""]",2,,,,,PurviewDataSensitivityLogs,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourcegroups/purview-sentinel-bug-bash/providers/microsoft.purview/accounts/sentinel-bug-bash-westeurope -d80e74e9-da11-4572-babc-79349f7685cc,"11/1/2021, 4:13:58.432 PM",00000000-0000-0000-0000-000000000000,DataSensitivityLogEvent,72f988bf-86f1-41af-91ab-2d7cd011db47,458b9821-8f00-483f-acf9-ff6ab17332c4,Sentinel-Bug-Bash-WestEurope,westeurope,AzureBlob-6Pi,AzureBlob,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourceGroups/classification-test/providers/Microsoft.Storage/storageAccounts/aipclptest,458b9821-8f00-483f-acf9-ff6ab17332c4,eastus,BugBashTest,,it-drv.docx,https://aipclptest.blob.core.windows.net/aipscan/HR/it-drv.docx,File,"2/13/2020, 7:54:12.000 PM","2/13/2020, 7:54:12.000 PM",,"11/1/2021, 4:10:27.861 PM",docx,20158,Labeling,External,[],0,f42aa342-8706-4288-bd11-ebb85995028c,General,,,PurviewDataSensitivityLogs,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourcegroups/purview-sentinel-bug-bash/providers/microsoft.purview/accounts/sentinel-bug-bash-westeurope -d80e74e9-da11-4572-babc-79349f7685cc,"11/1/2021, 4:13:58.432 PM",00000000-0000-0000-0000-000000000000,DataSensitivityLogEvent,72f988bf-86f1-41af-91ab-2d7cd011db47,458b9821-8f00-483f-acf9-ff6ab17332c4,Sentinel-Bug-Bash-WestEurope,westeurope,AzureBlob-6Pi,AzureBlob,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourceGroups/classification-test/providers/Microsoft.Storage/storageAccounts/aipclptest,458b9821-8f00-483f-acf9-ff6ab17332c4,eastus,BugBashTest,,uk-pn.docx,https://aipclptest.blob.core.windows.net/aipscan/HR/uk-pn.docx,File,"2/13/2020, 7:54:12.000 PM","2/13/2020, 7:54:12.000 PM",,"11/1/2021, 4:10:26.690 PM",docx,20445,Classification,System,"[""Bulgaria Passport Number"",""Croatia Passport Number"",""Denmark Passport Number"",""EU Passport Number"",""Ireland Passport Number"",""Italy Passport Number"",""Romania Passport Number"",""Russian Passport Number (International)"",""Taiwan Passport Number"",""U.S. / U.K. Passport Number"",""Ukraine Passport Number (Domestic)""]",11,,,,,PurviewDataSensitivityLogs,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourcegroups/purview-sentinel-bug-bash/providers/microsoft.purview/accounts/sentinel-bug-bash-westeurope -d80e74e9-da11-4572-babc-79349f7685cc,"11/1/2021, 4:13:58.432 PM",00000000-0000-0000-0000-000000000000,DataSensitivityLogEvent,72f988bf-86f1-41af-91ab-2d7cd011db47,458b9821-8f00-483f-acf9-ff6ab17332c4,Sentinel-Bug-Bash-WestEurope,westeurope,AzureBlob-6Pi,AzureBlob,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourceGroups/classification-test/providers/Microsoft.Storage/storageAccounts/aipclptest,458b9821-8f00-483f-acf9-ff6ab17332c4,eastus,BugBashTest,,uk-pn.docx,https://aipclptest.blob.core.windows.net/aipscan/HR/uk-pn.docx,File,"2/13/2020, 7:54:12.000 PM","2/13/2020, 7:54:12.000 PM",,"11/1/2021, 4:10:26.690 PM",docx,20445,Labeling,External,[],0,f42aa342-8706-4288-bd11-ebb85995028c,General,,,PurviewDataSensitivityLogs,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourcegroups/purview-sentinel-bug-bash/providers/microsoft.purview/accounts/sentinel-bug-bash-westeurope -d80e74e9-da11-4572-babc-79349f7685cc,"11/1/2021, 4:13:58.432 PM",00000000-0000-0000-0000-000000000000,DataSensitivityLogEvent,72f988bf-86f1-41af-91ab-2d7cd011db47,458b9821-8f00-483f-acf9-ff6ab17332c4,Sentinel-Bug-Bash-WestEurope,westeurope,AzureBlob-6Pi,AzureBlob,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourceGroups/classification-test/providers/Microsoft.Storage/storageAccounts/aipclptest,458b9821-8f00-483f-acf9-ff6ab17332c4,eastus,BugBashTest,,AMCE Patent Application-Katana.doc,https://aipclptest.blob.core.windows.net/aipscan/CredScan/AMCE Patent Application-Katana.doc,File,"2/13/2020, 7:53:38.000 PM","2/13/2020, 7:53:38.000 PM",,"11/1/2021, 4:10:30.721 PM",doc,42496,Classification,System,"[""Credit Card Number""]",1,,,,,PurviewDataSensitivityLogs,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourcegroups/purview-sentinel-bug-bash/providers/microsoft.purview/accounts/sentinel-bug-bash-westeurope -d80e74e9-da11-4572-babc-79349f7685cc,"11/1/2021, 4:13:58.438 PM",00000000-0000-0000-0000-000000000000,DataSensitivityLogEvent,72f988bf-86f1-41af-91ab-2d7cd011db47,458b9821-8f00-483f-acf9-ff6ab17332c4,Sentinel-Bug-Bash-WestEurope,westeurope,AzureBlob-6Pi,AzureBlob,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourceGroups/classification-test/providers/Microsoft.Storage/storageAccounts/aipclptest,458b9821-8f00-483f-acf9-ff6ab17332c4,eastus,BugBashTest,,Acme Direct Deposit Form-Katana.xls,https://aipclptest.blob.core.windows.net/aipscan/CredScan/Acme Direct Deposit Form-Katana.xls,File,"2/13/2020, 7:53:39.000 PM","2/13/2020, 7:53:39.000 PM",,"11/1/2021, 4:10:30.658 PM",xls,119808,Classification,System,"[""U.S. Social Security Number (SSN)""]",1,,,,,PurviewDataSensitivityLogs,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourcegroups/purview-sentinel-bug-bash/providers/microsoft.purview/accounts/sentinel-bug-bash-westeurope -d80e74e9-da11-4572-babc-79349f7685cc,"11/1/2021, 4:13:58.443 PM",00000000-0000-0000-0000-000000000000,DataSensitivityLogEvent,72f988bf-86f1-41af-91ab-2d7cd011db47,458b9821-8f00-483f-acf9-ff6ab17332c4,Sentinel-Bug-Bash-WestEurope,westeurope,AzureBlob-6Pi,AzureBlob,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourceGroups/classification-test/providers/Microsoft.Storage/storageAccounts/aipclptest,458b9821-8f00-483f-acf9-ff6ab17332c4,eastus,BugBashTest,,EL.txt,https://aipclptest.blob.core.windows.net/aipscan/PII/EL.txt,File,"2/13/2020, 7:54:22.000 PM","2/13/2020, 7:54:22.000 PM",,"11/1/2021, 4:10:29.589 PM",txt,200,Classification,System,"[""EU National Identification Number"",""Greece National ID Card""]",2,,,,,PurviewDataSensitivityLogs,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourcegroups/purview-sentinel-bug-bash/providers/microsoft.purview/accounts/sentinel-bug-bash-westeurope -d80e74e9-da11-4572-babc-79349f7685cc,"11/1/2021, 4:13:58.448 PM",00000000-0000-0000-0000-000000000000,DataSensitivityLogEvent,72f988bf-86f1-41af-91ab-2d7cd011db47,458b9821-8f00-483f-acf9-ff6ab17332c4,Sentinel-Bug-Bash-WestEurope,westeurope,AzureBlob-6Pi,AzureBlob,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourceGroups/classification-test/providers/Microsoft.Storage/storageAccounts/aipclptest,458b9821-8f00-483f-acf9-ff6ab17332c4,eastus,BugBashTest,,IR.txt,https://aipclptest.blob.core.windows.net/aipscan/PII/IR.txt,File,"2/13/2020, 7:54:22.000 PM","2/13/2020, 7:54:22.000 PM",,"11/1/2021, 4:10:29.589 PM",txt,197,Classification,System,"[""EU National Identification Number"",""EU Tax Identification Number (TIN)"",""Ireland Personal Public Service (PPS) Number""]",3,,,,,PurviewDataSensitivityLogs,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourcegroups/purview-sentinel-bug-bash/providers/microsoft.purview/accounts/sentinel-bug-bash-westeurope -d80e74e9-da11-4572-babc-79349f7685cc,"11/1/2021, 4:13:58.454 PM",00000000-0000-0000-0000-000000000000,DataSensitivityLogEvent,72f988bf-86f1-41af-91ab-2d7cd011db47,458b9821-8f00-483f-acf9-ff6ab17332c4,Sentinel-Bug-Bash-WestEurope,westeurope,AzureBlob-6Pi,AzureBlob,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourceGroups/classification-test/providers/Microsoft.Storage/storageAccounts/aipclptest,458b9821-8f00-483f-acf9-ff6ab17332c4,eastus,BugBashTest,,AMCE Patent Application.doc,https://aipclptest.blob.core.windows.net/aipscan/CredScan/AMCE Patent Application.doc,File,"2/13/2020, 7:53:39.000 PM","2/13/2020, 7:53:39.000 PM",,"11/1/2021, 4:10:31.143 PM",doc,42496,Classification,System,"[""Credit Card Number""]",1,,,,,PurviewDataSensitivityLogs,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourcegroups/purview-sentinel-bug-bash/providers/microsoft.purview/accounts/sentinel-bug-bash-westeurope -d80e74e9-da11-4572-babc-79349f7685cc,"11/1/2021, 4:13:58.459 PM",00000000-0000-0000-0000-000000000000,DataSensitivityLogEvent,72f988bf-86f1-41af-91ab-2d7cd011db47,458b9821-8f00-483f-acf9-ff6ab17332c4,Sentinel-Bug-Bash-WestEurope,westeurope,AzureBlob-6Pi,AzureBlob,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourceGroups/classification-test/providers/Microsoft.Storage/storageAccounts/aipclptest,458b9821-8f00-483f-acf9-ff6ab17332c4,eastus,BugBashTest,,Acme Parking Form.doc,https://aipclptest.blob.core.windows.net/aipscan/CredScan/Acme Parking Form.doc,File,"2/13/2020, 7:53:39.000 PM","2/13/2020, 7:53:39.000 PM",,"11/1/2021, 4:10:31.393 PM",doc,61952,Classification,System,"[""EU Driver's License Number"",""Malta Driver's License Number"",""Slovakia Driver's License Number"",""U.S. Social Security Number (SSN)""]",4,,,,,PurviewDataSensitivityLogs,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourcegroups/purview-sentinel-bug-bash/providers/microsoft.purview/accounts/sentinel-bug-bash-westeurope -d80e74e9-da11-4572-babc-79349f7685cc,"11/1/2021, 4:13:58.518 PM",00000000-0000-0000-0000-000000000000,DataSensitivityLogEvent,72f988bf-86f1-41af-91ab-2d7cd011db47,458b9821-8f00-483f-acf9-ff6ab17332c4,Sentinel-Bug-Bash-WestEurope,westeurope,AzureBlob-6Pi,AzureBlob,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourceGroups/classification-test/providers/Microsoft.Storage/storageAccounts/aipclptest,458b9821-8f00-483f-acf9-ff6ab17332c4,eastus,BugBashTest,,Customers registration form.docx,https://aipclptest.blob.core.windows.net/aipscan/CustomerData/Customers registration form.docx,File,"2/13/2020, 7:53:51.000 PM","2/13/2020, 7:53:51.000 PM",,"11/1/2021, 4:10:26.292 PM",docx,17409,Labeling,Default,[],0,9fbde396-1a24-4c79-8edf-9254a0f35055,Confidential\Microsoft Extended,,,PurviewDataSensitivityLogs,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourcegroups/purview-sentinel-bug-bash/providers/microsoft.purview/accounts/sentinel-bug-bash-westeurope -d80e74e9-da11-4572-babc-79349f7685cc,"11/1/2021, 4:13:58.521 PM",00000000-0000-0000-0000-000000000000,DataSensitivityLogEvent,72f988bf-86f1-41af-91ab-2d7cd011db47,458b9821-8f00-483f-acf9-ff6ab17332c4,Sentinel-Bug-Bash-WestEurope,westeurope,AzureBlob-6Pi,AzureBlob,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourceGroups/classification-test/providers/Microsoft.Storage/storageAccounts/aipclptest,458b9821-8f00-483f-acf9-ff6ab17332c4,eastus,BugBashTest,,create samples (1).xlsx,https://aipclptest.blob.core.windows.net/test2/create samples (1).xlsx,File,"5/13/2021, 6:37:49.000 PM","5/13/2021, 6:37:49.000 PM",,"11/1/2021, 4:10:05.727 PM",xlsx,29140,Labeling,Default,[],0,9fbde396-1a24-4c79-8edf-9254a0f35055,Confidential\Microsoft Extended,,,PurviewDataSensitivityLogs,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourcegroups/purview-sentinel-bug-bash/providers/microsoft.purview/accounts/sentinel-bug-bash-westeurope -d80e74e9-da11-4572-babc-79349f7685cc,"11/1/2021, 4:13:58.585 PM",00000000-0000-0000-0000-000000000000,DataSensitivityLogEvent,72f988bf-86f1-41af-91ab-2d7cd011db47,458b9821-8f00-483f-acf9-ff6ab17332c4,Sentinel-Bug-Bash-WestEurope,westeurope,AzureBlob-6Pi,AzureBlob,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourceGroups/classification-test/providers/Microsoft.Storage/storageAccounts/aipclptest,458b9821-8f00-483f-acf9-ff6ab17332c4,eastus,BugBashTest,,de-drv.docx,https://aipclptest.blob.core.windows.net/aashishr01/de-drv.docx,File,"12/11/2020, 8:59:35.000 PM","12/11/2020, 8:59:35.000 PM",,"11/1/2021, 4:10:08.994 PM",docx,26139,Classification,System,"[""EU Driver's License Number"",""German Driver's License Number""]",2,,,,,PurviewDataSensitivityLogs,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourcegroups/purview-sentinel-bug-bash/providers/microsoft.purview/accounts/sentinel-bug-bash-westeurope -d80e74e9-da11-4572-babc-79349f7685cc,"11/1/2021, 4:13:58.591 PM",00000000-0000-0000-0000-000000000000,DataSensitivityLogEvent,72f988bf-86f1-41af-91ab-2d7cd011db47,458b9821-8f00-483f-acf9-ff6ab17332c4,Sentinel-Bug-Bash-WestEurope,westeurope,AzureBlob-6Pi,AzureBlob,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourceGroups/classification-test/providers/Microsoft.Storage/storageAccounts/aipclptest,458b9821-8f00-483f-acf9-ff6ab17332c4,eastus,BugBashTest,,fi-id.docx,https://aipclptest.blob.core.windows.net/aashishr01/fi-id.docx,File,"12/11/2020, 8:59:33.000 PM","12/11/2020, 8:59:33.000 PM",,"11/1/2021, 4:10:08.994 PM",docx,26124,Classification,System,"[""EU National Identification Number"",""EU Social Security Number (SSN) or Equivalent ID"",""EU Tax Identification Number (TIN)"",""Finland National ID""]",4,,,,,PurviewDataSensitivityLogs,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourcegroups/purview-sentinel-bug-bash/providers/microsoft.purview/accounts/sentinel-bug-bash-westeurope -d80e74e9-da11-4572-babc-79349f7685cc,"11/1/2021, 4:13:58.596 PM",00000000-0000-0000-0000-000000000000,DataSensitivityLogEvent,72f988bf-86f1-41af-91ab-2d7cd011db47,458b9821-8f00-483f-acf9-ff6ab17332c4,Sentinel-Bug-Bash-WestEurope,westeurope,AzureBlob-6Pi,AzureBlob,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourceGroups/classification-test/providers/Microsoft.Storage/storageAccounts/aipclptest,458b9821-8f00-483f-acf9-ff6ab17332c4,eastus,BugBashTest,,Acme Parking Form-Katana.doc,https://aipclptest.blob.core.windows.net/aipscan/CredScan/Acme Parking Form-Katana.doc,File,"2/13/2020, 7:53:39.000 PM","2/13/2020, 7:53:39.000 PM",,"11/1/2021, 4:10:30.596 PM",doc,57856,Classification,System,"[""EU Driver's License Number"",""Malta Driver's License Number"",""Slovakia Driver's License Number"",""U.S. Social Security Number (SSN)""]",4,,,,,PurviewDataSensitivityLogs,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourcegroups/purview-sentinel-bug-bash/providers/microsoft.purview/accounts/sentinel-bug-bash-westeurope -d80e74e9-da11-4572-babc-79349f7685cc,"11/1/2021, 4:13:58.601 PM",00000000-0000-0000-0000-000000000000,DataSensitivityLogEvent,72f988bf-86f1-41af-91ab-2d7cd011db47,458b9821-8f00-483f-acf9-ff6ab17332c4,Sentinel-Bug-Bash-WestEurope,westeurope,AzureBlob-6Pi,AzureBlob,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourceGroups/classification-test/providers/Microsoft.Storage/storageAccounts/aipclptest,458b9821-8f00-483f-acf9-ff6ab17332c4,eastus,BugBashTest,,cz.txt,https://aipclptest.blob.core.windows.net/aipscan/HR/cz.txt,File,"2/13/2020, 7:54:12.000 PM","2/13/2020, 7:54:12.000 PM",,"11/1/2021, 4:10:28.533 PM",txt,124,Labeling,Default,[],0,9fbde396-1a24-4c79-8edf-9254a0f35055,Confidential\Microsoft Extended,,,PurviewDataSensitivityLogs,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourcegroups/purview-sentinel-bug-bash/providers/microsoft.purview/accounts/sentinel-bug-bash-westeurope -d80e74e9-da11-4572-babc-79349f7685cc,"11/1/2021, 4:13:58.611 PM",00000000-0000-0000-0000-000000000000,DataSensitivityLogEvent,72f988bf-86f1-41af-91ab-2d7cd011db47,458b9821-8f00-483f-acf9-ff6ab17332c4,Sentinel-Bug-Bash-WestEurope,westeurope,AzureBlob-6Pi,AzureBlob,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourceGroups/classification-test/providers/Microsoft.Storage/storageAccounts/aipclptest,458b9821-8f00-483f-acf9-ff6ab17332c4,eastus,BugBashTest,,germany.txt,https://aipclptest.blob.core.windows.net/satintestcontainer/germany.txt,File,"5/12/2021, 6:56:19.000 PM","5/12/2021, 6:56:19.000 PM",,"11/1/2021, 4:10:29.605 PM",txt,42,Labeling,Default,[],0,9fbde396-1a24-4c79-8edf-9254a0f35055,Confidential\Microsoft Extended,,,PurviewDataSensitivityLogs,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourcegroups/purview-sentinel-bug-bash/providers/microsoft.purview/accounts/sentinel-bug-bash-westeurope -d80e74e9-da11-4572-babc-79349f7685cc,"11/1/2021, 4:13:58.705 PM",00000000-0000-0000-0000-000000000000,DataSensitivityLogEvent,72f988bf-86f1-41af-91ab-2d7cd011db47,458b9821-8f00-483f-acf9-ff6ab17332c4,Sentinel-Bug-Bash-WestEurope,westeurope,AzureBlob-6Pi,AzureBlob,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourceGroups/classification-test/providers/Microsoft.Storage/storageAccounts/aipclptest,458b9821-8f00-483f-acf9-ff6ab17332c4,eastus,BugBashTest,,Credit Card Spreadsheet-Katana.xls,https://aipclptest.blob.core.windows.net/aipscan/CredScan/Credit Card Spreadsheet-Katana.xls,File,"2/13/2020, 7:53:38.000 PM","2/13/2020, 7:53:38.000 PM",,"11/1/2021, 4:10:30.299 PM",xls,30208,Labeling,Default,[],0,9fbde396-1a24-4c79-8edf-9254a0f35055,Confidential\Microsoft Extended,,,PurviewDataSensitivityLogs,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourcegroups/purview-sentinel-bug-bash/providers/microsoft.purview/accounts/sentinel-bug-bash-westeurope -d80e74e9-da11-4572-babc-79349f7685cc,"11/1/2021, 4:13:58.716 PM",00000000-0000-0000-0000-000000000000,DataSensitivityLogEvent,72f988bf-86f1-41af-91ab-2d7cd011db47,458b9821-8f00-483f-acf9-ff6ab17332c4,Sentinel-Bug-Bash-WestEurope,westeurope,AzureBlob-6Pi,AzureBlob,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourceGroups/classification-test/providers/Microsoft.Storage/storageAccounts/aipclptest,458b9821-8f00-483f-acf9-ff6ab17332c4,eastus,BugBashTest,,finland.txt,https://aipclptest.blob.core.windows.net/aipscan/HR/finland.txt,File,"2/13/2020, 7:54:12.000 PM","2/13/2020, 7:54:12.000 PM",,"11/1/2021, 4:10:28.955 PM",txt,89,Labeling,Default,[],0,9fbde396-1a24-4c79-8edf-9254a0f35055,Confidential\Microsoft Extended,,,PurviewDataSensitivityLogs,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourcegroups/purview-sentinel-bug-bash/providers/microsoft.purview/accounts/sentinel-bug-bash-westeurope -d80e74e9-da11-4572-babc-79349f7685cc,"11/1/2021, 4:13:58.772 PM",00000000-0000-0000-0000-000000000000,DataSensitivityLogEvent,72f988bf-86f1-41af-91ab-2d7cd011db47,458b9821-8f00-483f-acf9-ff6ab17332c4,Sentinel-Bug-Bash-WestEurope,westeurope,AzureBlob-6Pi,AzureBlob,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourceGroups/classification-test/providers/Microsoft.Storage/storageAccounts/aipclptest,458b9821-8f00-483f-acf9-ff6ab17332c4,eastus,BugBashTest,,EL.txt,https://aipclptest.blob.core.windows.net/aipscan/HR/EL.txt,File,"2/13/2020, 7:54:12.000 PM","2/13/2020, 7:54:12.000 PM",,"11/1/2021, 4:10:26.690 PM",txt,200,Labeling,Default,[],0,9fbde396-1a24-4c79-8edf-9254a0f35055,Confidential\Microsoft Extended,,,PurviewDataSensitivityLogs,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourcegroups/purview-sentinel-bug-bash/providers/microsoft.purview/accounts/sentinel-bug-bash-westeurope -d80e74e9-da11-4572-babc-79349f7685cc,"11/1/2021, 4:13:58.774 PM",00000000-0000-0000-0000-000000000000,DataSensitivityLogEvent,72f988bf-86f1-41af-91ab-2d7cd011db47,458b9821-8f00-483f-acf9-ff6ab17332c4,Sentinel-Bug-Bash-WestEurope,westeurope,AzureBlob-6Pi,AzureBlob,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourceGroups/classification-test/providers/Microsoft.Storage/storageAccounts/aipclptest,458b9821-8f00-483f-acf9-ff6ab17332c4,eastus,BugBashTest,,Acme Request for Time Off.doc,https://aipclptest.blob.core.windows.net/aipscan/CredScan/Acme Request for Time Off.doc,File,"2/13/2020, 7:53:39.000 PM","2/13/2020, 7:53:39.000 PM",,"11/1/2021, 4:10:30.518 PM",doc,40960,Labeling,Default,[],0,9fbde396-1a24-4c79-8edf-9254a0f35055,Confidential\Microsoft Extended,,,PurviewDataSensitivityLogs,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourcegroups/purview-sentinel-bug-bash/providers/microsoft.purview/accounts/sentinel-bug-bash-westeurope -d80e74e9-da11-4572-babc-79349f7685cc,"11/1/2021, 4:13:58.808 PM",00000000-0000-0000-0000-000000000000,DataSensitivityLogEvent,72f988bf-86f1-41af-91ab-2d7cd011db47,458b9821-8f00-483f-acf9-ff6ab17332c4,Sentinel-Bug-Bash-WestEurope,westeurope,AzureBlob-6Pi,AzureBlob,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourceGroups/classification-test/providers/Microsoft.Storage/storageAccounts/aipclptest,458b9821-8f00-483f-acf9-ff6ab17332c4,eastus,BugBashTest,,2020 forecast.pptx,https://aipclptest.blob.core.windows.net/aipscan/Finance/2020 forecast.pptx,File,"2/13/2020, 7:54:02.000 PM","2/13/2020, 7:54:02.000 PM",,"11/1/2021, 4:10:29.158 PM",pptx,32114,Labeling,Default,[],0,9fbde396-1a24-4c79-8edf-9254a0f35055,Confidential\Microsoft Extended,,,PurviewDataSensitivityLogs,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourcegroups/purview-sentinel-bug-bash/providers/microsoft.purview/accounts/sentinel-bug-bash-westeurope -d80e74e9-da11-4572-babc-79349f7685cc,"11/1/2021, 4:13:58.952 PM",00000000-0000-0000-0000-000000000000,DataSensitivityLogEvent,72f988bf-86f1-41af-91ab-2d7cd011db47,458b9821-8f00-483f-acf9-ff6ab17332c4,Sentinel-Bug-Bash-WestEurope,westeurope,AzureBlob-6Pi,AzureBlob,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourceGroups/classification-test/providers/Microsoft.Storage/storageAccounts/aipclptest,458b9821-8f00-483f-acf9-ff6ab17332c4,eastus,BugBashTest,,Customer details.pptx,https://aipclptest.blob.core.windows.net/aipscan/Finance/Customer details.pptx,File,"2/13/2020, 7:54:02.000 PM","2/13/2020, 7:54:02.000 PM",,"11/1/2021, 4:10:29.783 PM",pptx,32114,Labeling,Default,[],0,9fbde396-1a24-4c79-8edf-9254a0f35055,Confidential\Microsoft Extended,,,PurviewDataSensitivityLogs,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourcegroups/purview-sentinel-bug-bash/providers/microsoft.purview/accounts/sentinel-bug-bash-westeurope -d80e74e9-da11-4572-babc-79349f7685cc,"11/1/2021, 4:13:58.976 PM",00000000-0000-0000-0000-000000000000,DataSensitivityLogEvent,72f988bf-86f1-41af-91ab-2d7cd011db47,458b9821-8f00-483f-acf9-ff6ab17332c4,Sentinel-Bug-Bash-WestEurope,westeurope,AzureBlob-6Pi,AzureBlob,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourceGroups/classification-test/providers/Microsoft.Storage/storageAccounts/aipclptest,458b9821-8f00-483f-acf9-ff6ab17332c4,eastus,BugBashTest,,cr-oib.docx,https://aipclptest.blob.core.windows.net/test2/cr-oib.docx,File,"5/13/2021, 6:37:49.000 PM","5/13/2021, 6:37:49.000 PM",,"11/1/2021, 4:10:06.446 PM",docx,26098,Labeling,Default,[],0,9fbde396-1a24-4c79-8edf-9254a0f35055,Confidential\Microsoft Extended,,,PurviewDataSensitivityLogs,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourcegroups/purview-sentinel-bug-bash/providers/microsoft.purview/accounts/sentinel-bug-bash-westeurope -d80e74e9-da11-4572-babc-79349f7685cc,"11/1/2021, 4:13:59.017 PM",00000000-0000-0000-0000-000000000000,DataSensitivityLogEvent,72f988bf-86f1-41af-91ab-2d7cd011db47,458b9821-8f00-483f-acf9-ff6ab17332c4,Sentinel-Bug-Bash-WestEurope,westeurope,AzureBlob-6Pi,AzureBlob,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourceGroups/classification-test/providers/Microsoft.Storage/storageAccounts/aipclptest,458b9821-8f00-483f-acf9-ff6ab17332c4,eastus,BugBashTest,,create samples.xlsx,https://aipclptest.blob.core.windows.net/test2/create samples.xlsx,File,"5/13/2021, 6:37:49.000 PM","5/13/2021, 6:37:49.000 PM",,"11/1/2021, 4:10:06.916 PM",xlsx,29140,Labeling,Default,[],0,9fbde396-1a24-4c79-8edf-9254a0f35055,Confidential\Microsoft Extended,,,PurviewDataSensitivityLogs,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourcegroups/purview-sentinel-bug-bash/providers/microsoft.purview/accounts/sentinel-bug-bash-westeurope -d80e74e9-da11-4572-babc-79349f7685cc,"11/1/2021, 4:13:59.049 PM",00000000-0000-0000-0000-000000000000,DataSensitivityLogEvent,72f988bf-86f1-41af-91ab-2d7cd011db47,458b9821-8f00-483f-acf9-ff6ab17332c4,Sentinel-Bug-Bash-WestEurope,westeurope,AzureBlob-6Pi,AzureBlob,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourceGroups/classification-test/providers/Microsoft.Storage/storageAccounts/aipclptest,458b9821-8f00-483f-acf9-ff6ab17332c4,eastus,BugBashTest,,2019 forecast.pptx,https://aipclptest.blob.core.windows.net/aipscan/Finance/2019 forecast.pptx,File,"2/13/2020, 7:54:02.000 PM","2/13/2020, 7:54:02.000 PM",,"11/1/2021, 4:10:29.783 PM",pptx,32114,Labeling,Default,[],0,9fbde396-1a24-4c79-8edf-9254a0f35055,Confidential\Microsoft Extended,,,PurviewDataSensitivityLogs,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourcegroups/purview-sentinel-bug-bash/providers/microsoft.purview/accounts/sentinel-bug-bash-westeurope -d80e74e9-da11-4572-babc-79349f7685cc,"11/1/2021, 4:13:59.075 PM",00000000-0000-0000-0000-000000000000,DataSensitivityLogEvent,72f988bf-86f1-41af-91ab-2d7cd011db47,458b9821-8f00-483f-acf9-ff6ab17332c4,Sentinel-Bug-Bash-WestEurope,westeurope,AzureBlob-6Pi,AzureBlob,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourceGroups/classification-test/providers/Microsoft.Storage/storageAccounts/aipclptest,458b9821-8f00-483f-acf9-ff6ab17332c4,eastus,BugBashTest,,Acme Direct Deposit Form-Katana.xls,https://aipclptest.blob.core.windows.net/aipscan/CredScan/Acme Direct Deposit Form-Katana.xls,File,"2/13/2020, 7:53:39.000 PM","2/13/2020, 7:53:39.000 PM",,"11/1/2021, 4:10:30.658 PM",xls,119808,Labeling,Default,[],0,9fbde396-1a24-4c79-8edf-9254a0f35055,Confidential\Microsoft Extended,,,PurviewDataSensitivityLogs,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourcegroups/purview-sentinel-bug-bash/providers/microsoft.purview/accounts/sentinel-bug-bash-westeurope -d80e74e9-da11-4572-babc-79349f7685cc,"11/1/2021, 4:13:59.167 PM",00000000-0000-0000-0000-000000000000,DataSensitivityLogEvent,72f988bf-86f1-41af-91ab-2d7cd011db47,458b9821-8f00-483f-acf9-ff6ab17332c4,Sentinel-Bug-Bash-WestEurope,westeurope,AzureBlob-6Pi,AzureBlob,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourceGroups/classification-test/providers/Microsoft.Storage/storageAccounts/aipclptest,458b9821-8f00-483f-acf9-ff6ab17332c4,eastus,BugBashTest,,AMCE Patent Application.doc,https://aipclptest.blob.core.windows.net/aipscan/CredScan/AMCE Patent Application.doc,File,"2/13/2020, 7:53:39.000 PM","2/13/2020, 7:53:39.000 PM",,"11/1/2021, 4:10:31.143 PM",doc,42496,Labeling,Default,[],0,9fbde396-1a24-4c79-8edf-9254a0f35055,Confidential\Microsoft Extended,,,PurviewDataSensitivityLogs,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourcegroups/purview-sentinel-bug-bash/providers/microsoft.purview/accounts/sentinel-bug-bash-westeurope -d80e74e9-da11-4572-babc-79349f7685cc,"11/1/2021, 4:13:59.202 PM",00000000-0000-0000-0000-000000000000,DataSensitivityLogEvent,72f988bf-86f1-41af-91ab-2d7cd011db47,458b9821-8f00-483f-acf9-ff6ab17332c4,Sentinel-Bug-Bash-WestEurope,westeurope,AzureBlob-6Pi,AzureBlob,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourceGroups/classification-test/providers/Microsoft.Storage/storageAccounts/aipclptest,458b9821-8f00-483f-acf9-ff6ab17332c4,eastus,BugBashTest,,EL.txt,https://aipclptest.blob.core.windows.net/aipscan/PII/EL.txt,File,"2/13/2020, 7:54:22.000 PM","2/13/2020, 7:54:22.000 PM",,"11/1/2021, 4:10:29.589 PM",txt,200,Labeling,Default,[],0,9fbde396-1a24-4c79-8edf-9254a0f35055,Confidential\Microsoft Extended,,,PurviewDataSensitivityLogs,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourcegroups/purview-sentinel-bug-bash/providers/microsoft.purview/accounts/sentinel-bug-bash-westeurope -d80e74e9-da11-4572-babc-79349f7685cc,"11/1/2021, 4:13:59.302 PM",00000000-0000-0000-0000-000000000000,DataSensitivityLogEvent,72f988bf-86f1-41af-91ab-2d7cd011db47,458b9821-8f00-483f-acf9-ff6ab17332c4,Sentinel-Bug-Bash-WestEurope,westeurope,AzureBlob-6Pi,AzureBlob,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourceGroups/classification-test/providers/Microsoft.Storage/storageAccounts/aipclptest,458b9821-8f00-483f-acf9-ff6ab17332c4,eastus,BugBashTest,,Acme Parking Form-Katana.doc,https://aipclptest.blob.core.windows.net/aipscan/CredScan/Acme Parking Form-Katana.doc,File,"2/13/2020, 7:53:39.000 PM","2/13/2020, 7:53:39.000 PM",,"11/1/2021, 4:10:30.596 PM",doc,57856,Labeling,Default,[],0,9fbde396-1a24-4c79-8edf-9254a0f35055,Confidential\Microsoft Extended,,,PurviewDataSensitivityLogs,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourcegroups/purview-sentinel-bug-bash/providers/microsoft.purview/accounts/sentinel-bug-bash-westeurope -d80e74e9-da11-4572-babc-79349f7685cc,"11/1/2021, 4:13:59.320 PM",00000000-0000-0000-0000-000000000000,DataSensitivityLogEvent,72f988bf-86f1-41af-91ab-2d7cd011db47,458b9821-8f00-483f-acf9-ff6ab17332c4,Sentinel-Bug-Bash-WestEurope,westeurope,AzureBlob-6Pi,AzureBlob,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourceGroups/classification-test/providers/Microsoft.Storage/storageAccounts/aipclptest,458b9821-8f00-483f-acf9-ff6ab17332c4,eastus,BugBashTest,,AMCE Patent Application-Katana.doc,https://aipclptest.blob.core.windows.net/aipscan/CredScan/AMCE Patent Application-Katana.doc,File,"2/13/2020, 7:53:38.000 PM","2/13/2020, 7:53:38.000 PM",,"11/1/2021, 4:10:30.721 PM",doc,42496,Labeling,Default,[],0,9fbde396-1a24-4c79-8edf-9254a0f35055,Confidential\Microsoft Extended,,,PurviewDataSensitivityLogs,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourcegroups/purview-sentinel-bug-bash/providers/microsoft.purview/accounts/sentinel-bug-bash-westeurope -d80e74e9-da11-4572-babc-79349f7685cc,"11/1/2021, 4:13:59.322 PM",00000000-0000-0000-0000-000000000000,DataSensitivityLogEvent,72f988bf-86f1-41af-91ab-2d7cd011db47,458b9821-8f00-483f-acf9-ff6ab17332c4,Sentinel-Bug-Bash-WestEurope,westeurope,AzureBlob-6Pi,AzureBlob,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourceGroups/classification-test/providers/Microsoft.Storage/storageAccounts/aipclptest,458b9821-8f00-483f-acf9-ff6ab17332c4,eastus,BugBashTest,,de-drv.docx,https://aipclptest.blob.core.windows.net/aashishr01/de-drv.docx,File,"12/11/2020, 8:59:35.000 PM","12/11/2020, 8:59:35.000 PM",,"11/1/2021, 4:10:08.994 PM",docx,26139,Labeling,Default,[],0,9fbde396-1a24-4c79-8edf-9254a0f35055,Confidential\Microsoft Extended,,,PurviewDataSensitivityLogs,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourcegroups/purview-sentinel-bug-bash/providers/microsoft.purview/accounts/sentinel-bug-bash-westeurope -d80e74e9-da11-4572-babc-79349f7685cc,"11/1/2021, 4:13:59.386 PM",00000000-0000-0000-0000-000000000000,DataSensitivityLogEvent,72f988bf-86f1-41af-91ab-2d7cd011db47,458b9821-8f00-483f-acf9-ff6ab17332c4,Sentinel-Bug-Bash-WestEurope,westeurope,AzureBlob-6Pi,AzureBlob,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourceGroups/classification-test/providers/Microsoft.Storage/storageAccounts/aipclptest,458b9821-8f00-483f-acf9-ff6ab17332c4,eastus,BugBashTest,,IR.txt,https://aipclptest.blob.core.windows.net/aipscan/PII/IR.txt,File,"2/13/2020, 7:54:22.000 PM","2/13/2020, 7:54:22.000 PM",,"11/1/2021, 4:10:29.589 PM",txt,197,Labeling,Default,[],0,9fbde396-1a24-4c79-8edf-9254a0f35055,Confidential\Microsoft Extended,,,PurviewDataSensitivityLogs,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourcegroups/purview-sentinel-bug-bash/providers/microsoft.purview/accounts/sentinel-bug-bash-westeurope -d80e74e9-da11-4572-babc-79349f7685cc,"11/1/2021, 4:13:59.408 PM",00000000-0000-0000-0000-000000000000,DataSensitivityLogEvent,72f988bf-86f1-41af-91ab-2d7cd011db47,458b9821-8f00-483f-acf9-ff6ab17332c4,Sentinel-Bug-Bash-WestEurope,westeurope,AzureBlob-6Pi,AzureBlob,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourceGroups/classification-test/providers/Microsoft.Storage/storageAccounts/aipclptest,458b9821-8f00-483f-acf9-ff6ab17332c4,eastus,BugBashTest,,Acme Parking Form.doc,https://aipclptest.blob.core.windows.net/aipscan/CredScan/Acme Parking Form.doc,File,"2/13/2020, 7:53:39.000 PM","2/13/2020, 7:53:39.000 PM",,"11/1/2021, 4:10:31.393 PM",doc,61952,Labeling,Default,[],0,9fbde396-1a24-4c79-8edf-9254a0f35055,Confidential\Microsoft Extended,,,PurviewDataSensitivityLogs,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourcegroups/purview-sentinel-bug-bash/providers/microsoft.purview/accounts/sentinel-bug-bash-westeurope -d80e74e9-da11-4572-babc-79349f7685cc,"11/1/2021, 4:13:59.625 PM",00000000-0000-0000-0000-000000000000,DataSensitivityLogEvent,72f988bf-86f1-41af-91ab-2d7cd011db47,458b9821-8f00-483f-acf9-ff6ab17332c4,Sentinel-Bug-Bash-WestEurope,westeurope,AzureBlob-6Pi,AzureBlob,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourceGroups/classification-test/providers/Microsoft.Storage/storageAccounts/aipclptest,458b9821-8f00-483f-acf9-ff6ab17332c4,eastus,BugBashTest,,fi-id.docx,https://aipclptest.blob.core.windows.net/aashishr01/fi-id.docx,File,"12/11/2020, 8:59:33.000 PM","12/11/2020, 8:59:33.000 PM",,"11/1/2021, 4:10:08.994 PM",docx,26124,Labeling,Default,[],0,9fbde396-1a24-4c79-8edf-9254a0f35055,Confidential\Microsoft Extended,,,PurviewDataSensitivityLogs,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourcegroups/purview-sentinel-bug-bash/providers/microsoft.purview/accounts/sentinel-bug-bash-westeurope -d80e74e9-da11-4572-babc-79349f7685cc,"11/1/2021, 4:14:00.034 PM",00000000-0000-0000-0000-000000000000,DataSensitivityLogEvent,72f988bf-86f1-41af-91ab-2d7cd011db47,458b9821-8f00-483f-acf9-ff6ab17332c4,Sentinel-Bug-Bash-WestEurope,westeurope,AzureBlob-6Pi,AzureBlob,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourceGroups/classification-test/providers/Microsoft.Storage/storageAccounts/aipclptest,458b9821-8f00-483f-acf9-ff6ab17332c4,eastus,BugBashTest,,Customers list.docx,https://aipclptest.blob.core.windows.net/aipscan/Finance/Customers list.docx,File,"2/13/2020, 7:54:02.000 PM","2/13/2020, 7:54:02.000 PM",,"11/1/2021, 4:10:30.033 PM",docx,20166,Labeling,Default,[],0,9fbde396-1a24-4c79-8edf-9254a0f35055,Confidential\Microsoft Extended,,,PurviewDataSensitivityLogs,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourcegroups/purview-sentinel-bug-bash/providers/microsoft.purview/accounts/sentinel-bug-bash-westeurope -d80e74e9-da11-4572-babc-79349f7685cc,"11/1/2021, 4:14:00.080 PM",00000000-0000-0000-0000-000000000000,DataSensitivityLogEvent,72f988bf-86f1-41af-91ab-2d7cd011db47,458b9821-8f00-483f-acf9-ff6ab17332c4,Sentinel-Bug-Bash-WestEurope,westeurope,AzureBlob-6Pi,AzureBlob,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourceGroups/classification-test/providers/Microsoft.Storage/storageAccounts/aipclptest,458b9821-8f00-483f-acf9-ff6ab17332c4,eastus,BugBashTest,,Registration form.docx,https://aipclptest.blob.core.windows.net/aipscan/Finance/Registration form.docx,File,"2/13/2020, 7:54:02.000 PM","2/13/2020, 7:54:02.000 PM",,"11/1/2021, 4:10:30.002 PM",docx,20166,Labeling,Default,[],0,9fbde396-1a24-4c79-8edf-9254a0f35055,Confidential\Microsoft Extended,,,PurviewDataSensitivityLogs,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourcegroups/purview-sentinel-bug-bash/providers/microsoft.purview/accounts/sentinel-bug-bash-westeurope -d80e74e9-da11-4572-babc-79349f7685cc,"11/1/2021, 4:14:00.825 PM",00000000-0000-0000-0000-000000000000,DataSensitivityLogEvent,72f988bf-86f1-41af-91ab-2d7cd011db47,458b9821-8f00-483f-acf9-ff6ab17332c4,Sentinel-Bug-Bash-WestEurope,westeurope,AzureBlob-6Pi,AzureBlob,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourceGroups/classification-test/providers/Microsoft.Storage/storageAccounts/aipclptest,458b9821-8f00-483f-acf9-ff6ab17332c4,eastus,BugBashTest,,fr-cni.docx,https://aipclptest.blob.core.windows.net/aashishr01/fr-cni.docx,File,"12/11/2020, 8:59:33.000 PM","12/11/2020, 8:59:33.000 PM",,"11/1/2021, 4:10:10.635 PM",docx,26998,Classification,System,"[""EU National Identification Number"",""France National ID Card (CNI)""]",2,,,,,PurviewDataSensitivityLogs,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourcegroups/purview-sentinel-bug-bash/providers/microsoft.purview/accounts/sentinel-bug-bash-westeurope -d80e74e9-da11-4572-babc-79349f7685cc,"11/1/2021, 4:14:00.825 PM",00000000-0000-0000-0000-000000000000,DataSensitivityLogEvent,72f988bf-86f1-41af-91ab-2d7cd011db47,458b9821-8f00-483f-acf9-ff6ab17332c4,Sentinel-Bug-Bash-WestEurope,westeurope,AzureBlob-6Pi,AzureBlob,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourceGroups/classification-test/providers/Microsoft.Storage/storageAccounts/aipclptest,458b9821-8f00-483f-acf9-ff6ab17332c4,eastus,BugBashTest,,fr-cni.docx,https://aipclptest.blob.core.windows.net/aashishr01/fr-cni.docx,File,"12/11/2020, 8:59:33.000 PM","12/11/2020, 8:59:33.000 PM",,"11/1/2021, 4:10:10.635 PM",docx,26998,Labeling,External,[],0,f42aa342-8706-4288-bd11-ebb85995028c,General,,,PurviewDataSensitivityLogs,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourcegroups/purview-sentinel-bug-bash/providers/microsoft.purview/accounts/sentinel-bug-bash-westeurope -d80e74e9-da11-4572-babc-79349f7685cc,"11/1/2021, 4:14:00.825 PM",00000000-0000-0000-0000-000000000000,DataSensitivityLogEvent,72f988bf-86f1-41af-91ab-2d7cd011db47,458b9821-8f00-483f-acf9-ff6ab17332c4,Sentinel-Bug-Bash-WestEurope,westeurope,AzureBlob-6Pi,AzureBlob,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourceGroups/classification-test/providers/Microsoft.Storage/storageAccounts/aipclptest,458b9821-8f00-483f-acf9-ff6ab17332c4,eastus,BugBashTest,,uk-drv.docx,https://aipclptest.blob.core.windows.net/aashishr01/uk-drv.docx,File,"12/11/2020, 8:59:35.000 PM","12/11/2020, 8:59:35.000 PM",,"11/1/2021, 4:10:10.635 PM",docx,26212,Classification,System,"[""EU Driver's License Number"",""U.K. Driver's License Number""]",2,,,,,PurviewDataSensitivityLogs,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourcegroups/purview-sentinel-bug-bash/providers/microsoft.purview/accounts/sentinel-bug-bash-westeurope -d80e74e9-da11-4572-babc-79349f7685cc,"11/1/2021, 4:14:00.831 PM",00000000-0000-0000-0000-000000000000,DataSensitivityLogEvent,72f988bf-86f1-41af-91ab-2d7cd011db47,458b9821-8f00-483f-acf9-ff6ab17332c4,Sentinel-Bug-Bash-WestEurope,westeurope,AzureBlob-6Pi,AzureBlob,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourceGroups/classification-test/providers/Microsoft.Storage/storageAccounts/aipclptest,458b9821-8f00-483f-acf9-ff6ab17332c4,eastus,BugBashTest,,create samples.xlsx,https://aipclptest.blob.core.windows.net/aashishr01/create samples.xlsx,File,"12/11/2020, 8:59:35.000 PM","12/11/2020, 8:59:35.000 PM",,"11/1/2021, 4:10:10.619 PM",xlsx,29140,Classification,System,"[""ABA Routing Number"",""Argentina National Identity (DNI) Number"",""Australia Bank Account Number"",""Australia Driver's License Number"",""Australia Medical Account Number"",""Australia Passport Number"",""Australia Tax File Number"",""Austria Driver's License Number"",""Austria Passport Number"",""Belgium Driver's License Number"",""Belgium Passport Number"",""Brazil CPF Number"",""Brazil Legal Entity Number (CNPJ)"",""Brazil National ID Card (RG)"",""Bulgaria Driver's License Number"",""Bulgaria Passport Number"",""Canada Bank Account Number"",""Canada Driver's License Number"",""Canada Health Service Number"",""Canada Passport Number"",""Canada Personal Health Identification Number (PHIN)"",""Canada Social Insurance Number"",""Chile Identity Card Number"",""China Resident Identity Card (PRC) Number"",""Credit Card Number"",""Croatia Driver's License Number"",""Croatia Passport Number"",""Cyprus Driver's License Number"",""Cyprus Identity Card"",""Czech Personal Identity Number"",""Czech Republic Passport Number"",""Denmark Driver's License Number"",""Denmark Passport Number"",""Denmark Personal Identification Number"",""Estonia Passport Number"",""EU Debit Card Number"",""EU Driver's License Number"",""EU National Identification Number"",""EU Passport Number"",""EU Social Security Number (SSN) or Equivalent ID"",""EU Tax Identification Number (TIN)"",""Finland National ID"",""Finland Passport Number"",""France Driver's License Number"",""France National ID Card (CNI)"",""France Social Security Number (INSEE)"",""German Driver's License Number"",""German Passport Number"",""Germany Identity Card Number"",""Greece Driver's License Number"",""Greece National ID Card"",""Greece Passport Number"",""Hungarian Social Security Number (TAJ)"",""Hungary Passport Number"",""India Permanent Account Number (PAN)"",""India Unique Identification (Aadhaar) Number"",""Indonesia Identity Card (KTP) Number"",""International Banking Account Number (IBAN)"",""IP Address"",""Ireland Passport Number"",""Ireland Personal Public Service (PPS) Number"",""Israel Bank Account Number"",""Israel National ID"",""Italy Driver's License Number"",""Italy Passport Number"",""Japan Bank Account Number"",""Japan Driver's License Number"",""Japan Passport Number"",""Japan Resident Registration Number"",""Japan Social Insurance Number (SIN)"",""Lithuania Driver's License Number"",""Lithuania Passport Number"",""Luxemburg Passport Number"",""Malaysia Identity Card Number"",""Malta Driver's License Number"",""Malta Passport Number"",""Netherlands Driver's License Number"",""Netherlands Passport Number"",""New Zealand Ministry of Health Number"",""Norway Identity Number"",""Philippines Unified Multi-Purpose ID Number"",""Poland Identity Card"",""Romania Driver's License Number"",""Romania Passport Number"",""Russian Passport Number (Domestic)"",""Russian Passport Number (International)"",""Saudi Arabia National ID"",""Singapore National Registration Identity Card (NRIC) Number"",""Slovakia Driver's License Number"",""Slovakia Passport Number"",""Slovakia Personal Number"",""Slovenia Driver's License Number"",""Slovenia Passport Number"",""South Africa Identification Number"",""South Korea Resident Registration Number"",""Spain Social Security Number (SSN)"",""Sweden National ID"",""Sweden Passport Number"",""Sweden Tax Identification Number"",""SWIFT Code"",""Taiwan National ID"",""Taiwan Passport Number"",""Taiwan Resident Certificate (ARC/TARC)"",""U.K. Driver's License Number"",""U.K. Electoral Roll Number"",""U.K. National Health Service Number"",""U.K. National Insurance Number (NINO)"",""U.K. Unique Taxpayer Reference Number"",""U.S. / U.K. Passport Number"",""U.S. Bank Account Number"",""U.S. Individual Taxpayer Identification Number (ITIN)"",""U.S. Social Security Number (SSN)"",""Ukraine Passport Number (Domestic)"",""Ukraine Passport Number (International)""]",114,,,,,PurviewDataSensitivityLogs,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourcegroups/purview-sentinel-bug-bash/providers/microsoft.purview/accounts/sentinel-bug-bash-westeurope -d80e74e9-da11-4572-babc-79349f7685cc,"11/1/2021, 4:14:00.836 PM",00000000-0000-0000-0000-000000000000,DataSensitivityLogEvent,72f988bf-86f1-41af-91ab-2d7cd011db47,458b9821-8f00-483f-acf9-ff6ab17332c4,Sentinel-Bug-Bash-WestEurope,westeurope,AzureBlob-6Pi,AzureBlob,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourceGroups/classification-test/providers/Microsoft.Storage/storageAccounts/aipclptest,458b9821-8f00-483f-acf9-ff6ab17332c4,eastus,BugBashTest,,Charges.docx,https://aipclptest.blob.core.windows.net/aipscan/Finance/Charges.docx,File,"2/13/2020, 7:54:02.000 PM","2/13/2020, 7:54:02.000 PM",,"11/1/2021, 4:10:29.471 PM",docx,20166,Classification,System,"[""Credit Card Number"",""EU Debit Card Number""]",2,,,,,PurviewDataSensitivityLogs,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourcegroups/purview-sentinel-bug-bash/providers/microsoft.purview/accounts/sentinel-bug-bash-westeurope -d80e74e9-da11-4572-babc-79349f7685cc,"11/1/2021, 4:14:00.842 PM",00000000-0000-0000-0000-000000000000,DataSensitivityLogEvent,72f988bf-86f1-41af-91ab-2d7cd011db47,458b9821-8f00-483f-acf9-ff6ab17332c4,Sentinel-Bug-Bash-WestEurope,westeurope,AzureBlob-6Pi,AzureBlob,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourceGroups/classification-test/providers/Microsoft.Storage/storageAccounts/aipclptest,458b9821-8f00-483f-acf9-ff6ab17332c4,eastus,BugBashTest,,es-ssn.docx,https://aipclptest.blob.core.windows.net/aipscan/Finance/es-ssn.docx,File,"2/13/2020, 7:54:02.000 PM","2/13/2020, 7:54:02.000 PM",,"11/1/2021, 4:10:29.471 PM",docx,20018,Classification,System,"[""Spain Social Security Number (SSN)""]",1,,,,,PurviewDataSensitivityLogs,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourcegroups/purview-sentinel-bug-bash/providers/microsoft.purview/accounts/sentinel-bug-bash-westeurope -d80e74e9-da11-4572-babc-79349f7685cc,"11/1/2021, 4:14:00.847 PM",00000000-0000-0000-0000-000000000000,DataSensitivityLogEvent,72f988bf-86f1-41af-91ab-2d7cd011db47,458b9821-8f00-483f-acf9-ff6ab17332c4,Sentinel-Bug-Bash-WestEurope,westeurope,AzureBlob-6Pi,AzureBlob,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourceGroups/classification-test/providers/Microsoft.Storage/storageAccounts/aipclptest,458b9821-8f00-483f-acf9-ff6ab17332c4,eastus,BugBashTest,,fr-cni.docx,https://aipclptest.blob.core.windows.net/aipscan/PII/fr-cni.docx,File,"2/13/2020, 7:54:22.000 PM","2/13/2020, 7:54:22.000 PM",,"11/1/2021, 4:10:28.198 PM",docx,19249,Classification,System,"[""EU National Identification Number"",""France National ID Card (CNI)""]",2,,,,,PurviewDataSensitivityLogs,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourcegroups/purview-sentinel-bug-bash/providers/microsoft.purview/accounts/sentinel-bug-bash-westeurope -d80e74e9-da11-4572-babc-79349f7685cc,"11/1/2021, 4:14:00.847 PM",00000000-0000-0000-0000-000000000000,DataSensitivityLogEvent,72f988bf-86f1-41af-91ab-2d7cd011db47,458b9821-8f00-483f-acf9-ff6ab17332c4,Sentinel-Bug-Bash-WestEurope,westeurope,AzureBlob-6Pi,AzureBlob,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourceGroups/classification-test/providers/Microsoft.Storage/storageAccounts/aipclptest,458b9821-8f00-483f-acf9-ff6ab17332c4,eastus,BugBashTest,,fr-cni.docx,https://aipclptest.blob.core.windows.net/aipscan/PII/fr-cni.docx,File,"2/13/2020, 7:54:22.000 PM","2/13/2020, 7:54:22.000 PM",,"11/1/2021, 4:10:28.198 PM",docx,19249,Labeling,External,[],0,f42aa342-8706-4288-bd11-ebb85995028c,General,,,PurviewDataSensitivityLogs,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourcegroups/purview-sentinel-bug-bash/providers/microsoft.purview/accounts/sentinel-bug-bash-westeurope -d80e74e9-da11-4572-babc-79349f7685cc,"11/1/2021, 4:14:00.847 PM",00000000-0000-0000-0000-000000000000,DataSensitivityLogEvent,72f988bf-86f1-41af-91ab-2d7cd011db47,458b9821-8f00-483f-acf9-ff6ab17332c4,Sentinel-Bug-Bash-WestEurope,westeurope,AzureBlob-6Pi,AzureBlob,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourceGroups/classification-test/providers/Microsoft.Storage/storageAccounts/aipclptest,458b9821-8f00-483f-acf9-ff6ab17332c4,eastus,BugBashTest,,pr-id.docx,https://aipclptest.blob.core.windows.net/aipscan/PII/pr-id.docx,File,"2/13/2020, 7:54:22.000 PM","2/13/2020, 7:54:22.000 PM",,"11/1/2021, 4:10:28.198 PM",docx,18769,Classification,System,"[""EU National Identification Number""]",1,,,,,PurviewDataSensitivityLogs,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourcegroups/purview-sentinel-bug-bash/providers/microsoft.purview/accounts/sentinel-bug-bash-westeurope -d80e74e9-da11-4572-babc-79349f7685cc,"11/1/2021, 4:14:00.847 PM",00000000-0000-0000-0000-000000000000,DataSensitivityLogEvent,72f988bf-86f1-41af-91ab-2d7cd011db47,458b9821-8f00-483f-acf9-ff6ab17332c4,Sentinel-Bug-Bash-WestEurope,westeurope,AzureBlob-6Pi,AzureBlob,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourceGroups/classification-test/providers/Microsoft.Storage/storageAccounts/aipclptest,458b9821-8f00-483f-acf9-ff6ab17332c4,eastus,BugBashTest,,pr-id.docx,https://aipclptest.blob.core.windows.net/aipscan/PII/pr-id.docx,File,"2/13/2020, 7:54:22.000 PM","2/13/2020, 7:54:22.000 PM",,"11/1/2021, 4:10:28.198 PM",docx,18769,Labeling,External,[],0,f42aa342-8706-4288-bd11-ebb85995028c,General,,,PurviewDataSensitivityLogs,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourcegroups/purview-sentinel-bug-bash/providers/microsoft.purview/accounts/sentinel-bug-bash-westeurope -d80e74e9-da11-4572-babc-79349f7685cc,"11/1/2021, 4:14:01.456 PM",00000000-0000-0000-0000-000000000000,DataSensitivityLogEvent,72f988bf-86f1-41af-91ab-2d7cd011db47,458b9821-8f00-483f-acf9-ff6ab17332c4,Sentinel-Bug-Bash-WestEurope,westeurope,AzureBlob-6Pi,AzureBlob,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourceGroups/classification-test/providers/Microsoft.Storage/storageAccounts/aipclptest,458b9821-8f00-483f-acf9-ff6ab17332c4,eastus,BugBashTest,,uk-drv.docx,https://aipclptest.blob.core.windows.net/aashishr01/uk-drv.docx,File,"12/11/2020, 8:59:35.000 PM","12/11/2020, 8:59:35.000 PM",,"11/1/2021, 4:10:10.635 PM",docx,26212,Labeling,Default,[],0,9fbde396-1a24-4c79-8edf-9254a0f35055,Confidential\Microsoft Extended,,,PurviewDataSensitivityLogs,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourcegroups/purview-sentinel-bug-bash/providers/microsoft.purview/accounts/sentinel-bug-bash-westeurope -d80e74e9-da11-4572-babc-79349f7685cc,"11/1/2021, 4:14:01.507 PM",00000000-0000-0000-0000-000000000000,DataSensitivityLogEvent,72f988bf-86f1-41af-91ab-2d7cd011db47,458b9821-8f00-483f-acf9-ff6ab17332c4,Sentinel-Bug-Bash-WestEurope,westeurope,AzureBlob-6Pi,AzureBlob,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourceGroups/classification-test/providers/Microsoft.Storage/storageAccounts/aipclptest,458b9821-8f00-483f-acf9-ff6ab17332c4,eastus,BugBashTest,,Charges.docx,https://aipclptest.blob.core.windows.net/aipscan/Finance/Charges.docx,File,"2/13/2020, 7:54:02.000 PM","2/13/2020, 7:54:02.000 PM",,"11/1/2021, 4:10:29.471 PM",docx,20166,Labeling,Default,[],0,9fbde396-1a24-4c79-8edf-9254a0f35055,Confidential\Microsoft Extended,,,PurviewDataSensitivityLogs,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourcegroups/purview-sentinel-bug-bash/providers/microsoft.purview/accounts/sentinel-bug-bash-westeurope -d80e74e9-da11-4572-babc-79349f7685cc,"11/1/2021, 4:14:01.556 PM",00000000-0000-0000-0000-000000000000,DataSensitivityLogEvent,72f988bf-86f1-41af-91ab-2d7cd011db47,458b9821-8f00-483f-acf9-ff6ab17332c4,Sentinel-Bug-Bash-WestEurope,westeurope,AzureBlob-6Pi,AzureBlob,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourceGroups/classification-test/providers/Microsoft.Storage/storageAccounts/aipclptest,458b9821-8f00-483f-acf9-ff6ab17332c4,eastus,BugBashTest,,es-ssn.docx,https://aipclptest.blob.core.windows.net/aipscan/Finance/es-ssn.docx,File,"2/13/2020, 7:54:02.000 PM","2/13/2020, 7:54:02.000 PM",,"11/1/2021, 4:10:29.471 PM",docx,20018,Labeling,Default,[],0,9fbde396-1a24-4c79-8edf-9254a0f35055,Confidential\Microsoft Extended,,,PurviewDataSensitivityLogs,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourcegroups/purview-sentinel-bug-bash/providers/microsoft.purview/accounts/sentinel-bug-bash-westeurope -d80e74e9-da11-4572-babc-79349f7685cc,"11/1/2021, 4:14:01.611 PM",00000000-0000-0000-0000-000000000000,DataSensitivityLogEvent,72f988bf-86f1-41af-91ab-2d7cd011db47,458b9821-8f00-483f-acf9-ff6ab17332c4,Sentinel-Bug-Bash-WestEurope,westeurope,AzureBlob-6Pi,AzureBlob,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourceGroups/classification-test/providers/Microsoft.Storage/storageAccounts/aipclptest,458b9821-8f00-483f-acf9-ff6ab17332c4,eastus,BugBashTest,,create samples.xlsx,https://aipclptest.blob.core.windows.net/aashishr01/create samples.xlsx,File,"12/11/2020, 8:59:35.000 PM","12/11/2020, 8:59:35.000 PM",,"11/1/2021, 4:10:10.619 PM",xlsx,29140,Labeling,Default,[],0,9fbde396-1a24-4c79-8edf-9254a0f35055,Confidential\Microsoft Extended,,,PurviewDataSensitivityLogs,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourcegroups/purview-sentinel-bug-bash/providers/microsoft.purview/accounts/sentinel-bug-bash-westeurope -d80e74e9-da11-4572-babc-79349f7685cc,"11/1/2021, 4:14:01.645 PM",00000000-0000-0000-0000-000000000000,DataSensitivityLogEvent,72f988bf-86f1-41af-91ab-2d7cd011db47,458b9821-8f00-483f-acf9-ff6ab17332c4,Sentinel-Bug-Bash-WestEurope,westeurope,AzureBlob-6Pi,AzureBlob,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourceGroups/classification-test/providers/Microsoft.Storage/storageAccounts/aipclptest,458b9821-8f00-483f-acf9-ff6ab17332c4,eastus,BugBashTest,,create samples.xlsx,https://aipclptest.blob.core.windows.net/satintestcontainer/create samples.xlsx,File,"5/12/2021, 6:56:20.000 PM","5/12/2021, 6:56:20.000 PM",,"11/1/2021, 4:10:29.793 PM",xlsx,29140,Classification,System,"[""ABA Routing Number"",""Argentina National Identity (DNI) Number"",""Australia Bank Account Number"",""Australia Driver's License Number"",""Australia Medical Account Number"",""Australia Passport Number"",""Australia Tax File Number"",""Austria Driver's License Number"",""Austria Passport Number"",""Belgium Driver's License Number"",""Belgium Passport Number"",""Brazil CPF Number"",""Brazil Legal Entity Number (CNPJ)"",""Brazil National ID Card (RG)"",""Bulgaria Driver's License Number"",""Bulgaria Passport Number"",""Canada Bank Account Number"",""Canada Driver's License Number"",""Canada Health Service Number"",""Canada Passport Number"",""Canada Personal Health Identification Number (PHIN)"",""Canada Social Insurance Number"",""Chile Identity Card Number"",""China Resident Identity Card (PRC) Number"",""Credit Card Number"",""Croatia Driver's License Number"",""Croatia Passport Number"",""Cyprus Driver's License Number"",""Cyprus Identity Card"",""Czech Personal Identity Number"",""Czech Republic Passport Number"",""Denmark Driver's License Number"",""Denmark Passport Number"",""Denmark Personal Identification Number"",""Estonia Passport Number"",""EU Debit Card Number"",""EU Driver's License Number"",""EU National Identification Number"",""EU Passport Number"",""EU Social Security Number (SSN) or Equivalent ID"",""EU Tax Identification Number (TIN)"",""Finland National ID"",""Finland Passport Number"",""France Driver's License Number"",""France National ID Card (CNI)"",""France Social Security Number (INSEE)"",""German Driver's License Number"",""German Passport Number"",""Germany Identity Card Number"",""Greece Driver's License Number"",""Greece National ID Card"",""Greece Passport Number"",""Hungarian Social Security Number (TAJ)"",""Hungary Passport Number"",""India Permanent Account Number (PAN)"",""India Unique Identification (Aadhaar) Number"",""Indonesia Identity Card (KTP) Number"",""International Banking Account Number (IBAN)"",""IP Address"",""Ireland Passport Number"",""Ireland Personal Public Service (PPS) Number"",""Israel Bank Account Number"",""Israel National ID"",""Italy Driver's License Number"",""Italy Passport Number"",""Japan Bank Account Number"",""Japan Driver's License Number"",""Japan Passport Number"",""Japan Resident Registration Number"",""Japan Social Insurance Number (SIN)"",""Lithuania Driver's License Number"",""Lithuania Passport Number"",""Luxemburg Passport Number"",""Malaysia Identity Card Number"",""Malta Driver's License Number"",""Malta Passport Number"",""Netherlands Driver's License Number"",""Netherlands Passport Number"",""New Zealand Ministry of Health Number"",""Norway Identity Number"",""Philippines Unified Multi-Purpose ID Number"",""Poland Identity Card"",""Romania Driver's License Number"",""Romania Passport Number"",""Russian Passport Number (Domestic)"",""Russian Passport Number (International)"",""Saudi Arabia National ID"",""Singapore National Registration Identity Card (NRIC) Number"",""Slovakia Driver's License Number"",""Slovakia Passport Number"",""Slovakia Personal Number"",""Slovenia Driver's License Number"",""Slovenia Passport Number"",""South Africa Identification Number"",""South Korea Resident Registration Number"",""Spain Social Security Number (SSN)"",""Sweden National ID"",""Sweden Passport Number"",""Sweden Tax Identification Number"",""SWIFT Code"",""Taiwan National ID"",""Taiwan Passport Number"",""Taiwan Resident Certificate (ARC/TARC)"",""U.K. Driver's License Number"",""U.K. Electoral Roll Number"",""U.K. National Health Service Number"",""U.K. National Insurance Number (NINO)"",""U.K. Unique Taxpayer Reference Number"",""U.S. / U.K. Passport Number"",""U.S. Bank Account Number"",""U.S. Individual Taxpayer Identification Number (ITIN)"",""U.S. Social Security Number (SSN)"",""Ukraine Passport Number (Domestic)"",""Ukraine Passport Number (International)""]",114,,,,,PurviewDataSensitivityLogs,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourcegroups/purview-sentinel-bug-bash/providers/microsoft.purview/accounts/sentinel-bug-bash-westeurope -d80e74e9-da11-4572-babc-79349f7685cc,"11/1/2021, 4:14:01.770 PM",00000000-0000-0000-0000-000000000000,DataSensitivityLogEvent,72f988bf-86f1-41af-91ab-2d7cd011db47,458b9821-8f00-483f-acf9-ff6ab17332c4,Sentinel-Bug-Bash-WestEurope,westeurope,AzureBlob-6Pi,AzureBlob,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourceGroups/classification-test/providers/Microsoft.Storage/storageAccounts/aipclptest,458b9821-8f00-483f-acf9-ff6ab17332c4,eastus,BugBashTest,,create samples.xlsx,https://aipclptest.blob.core.windows.net/aipscan/PII/create samples.xlsx,File,"2/13/2020, 7:54:22.000 PM","2/13/2020, 7:54:22.000 PM",,"11/1/2021, 4:10:31.073 PM",xlsx,21343,Classification,System,"[""ABA Routing Number"",""Argentina National Identity (DNI) Number"",""Australia Bank Account Number"",""Australia Driver's License Number"",""Australia Medical Account Number"",""Australia Passport Number"",""Australia Tax File Number"",""Austria Driver's License Number"",""Austria Passport Number"",""Belgium Driver's License Number"",""Belgium Passport Number"",""Brazil CPF Number"",""Brazil Legal Entity Number (CNPJ)"",""Brazil National ID Card (RG)"",""Bulgaria Driver's License Number"",""Bulgaria Passport Number"",""Canada Bank Account Number"",""Canada Driver's License Number"",""Canada Health Service Number"",""Canada Passport Number"",""Canada Personal Health Identification Number (PHIN)"",""Canada Social Insurance Number"",""Chile Identity Card Number"",""China Resident Identity Card (PRC) Number"",""Credit Card Number"",""Croatia Driver's License Number"",""Croatia Passport Number"",""Cyprus Driver's License Number"",""Cyprus Identity Card"",""Czech Personal Identity Number"",""Czech Republic Passport Number"",""Denmark Driver's License Number"",""Denmark Passport Number"",""Denmark Personal Identification Number"",""Estonia Passport Number"",""EU Debit Card Number"",""EU Driver's License Number"",""EU National Identification Number"",""EU Passport Number"",""EU Social Security Number (SSN) or Equivalent ID"",""EU Tax Identification Number (TIN)"",""Finland National ID"",""Finland Passport Number"",""France Driver's License Number"",""France National ID Card (CNI)"",""France Social Security Number (INSEE)"",""German Driver's License Number"",""German Passport Number"",""Germany Identity Card Number"",""Greece Driver's License Number"",""Greece National ID Card"",""Greece Passport Number"",""Hungarian Social Security Number (TAJ)"",""Hungary Passport Number"",""India Permanent Account Number (PAN)"",""India Unique Identification (Aadhaar) Number"",""Indonesia Identity Card (KTP) Number"",""International Banking Account Number (IBAN)"",""IP Address"",""Ireland Passport Number"",""Ireland Personal Public Service (PPS) Number"",""Israel Bank Account Number"",""Israel National ID"",""Italy Driver's License Number"",""Italy Passport Number"",""Japan Bank Account Number"",""Japan Driver's License Number"",""Japan Passport Number"",""Japan Resident Registration Number"",""Japan Social Insurance Number (SIN)"",""Lithuania Driver's License Number"",""Lithuania Passport Number"",""Luxemburg Passport Number"",""Malaysia Identity Card Number"",""Malta Driver's License Number"",""Malta Passport Number"",""Netherlands Driver's License Number"",""Netherlands Passport Number"",""New Zealand Ministry of Health Number"",""Norway Identity Number"",""Philippines Unified Multi-Purpose ID Number"",""Poland Identity Card"",""Romania Driver's License Number"",""Romania Passport Number"",""Russian Passport Number (Domestic)"",""Russian Passport Number (International)"",""Saudi Arabia National ID"",""Singapore National Registration Identity Card (NRIC) Number"",""Slovakia Driver's License Number"",""Slovakia Passport Number"",""Slovakia Personal Number"",""Slovenia Driver's License Number"",""Slovenia Passport Number"",""South Africa Identification Number"",""South Korea Resident Registration Number"",""Spain Social Security Number (SSN)"",""Sweden National ID"",""Sweden Passport Number"",""Sweden Tax Identification Number"",""SWIFT Code"",""Taiwan National ID"",""Taiwan Passport Number"",""Taiwan Resident Certificate (ARC/TARC)"",""U.K. Driver's License Number"",""U.K. Electoral Roll Number"",""U.K. National Health Service Number"",""U.K. National Insurance Number (NINO)"",""U.K. Unique Taxpayer Reference Number"",""U.S. / U.K. Passport Number"",""U.S. Bank Account Number"",""U.S. Individual Taxpayer Identification Number (ITIN)"",""U.S. Social Security Number (SSN)"",""Ukraine Passport Number (Domestic)"",""Ukraine Passport Number (International)""]",114,,,,,PurviewDataSensitivityLogs,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourcegroups/purview-sentinel-bug-bash/providers/microsoft.purview/accounts/sentinel-bug-bash-westeurope -d80e74e9-da11-4572-babc-79349f7685cc,"11/1/2021, 4:14:01.771 PM",00000000-0000-0000-0000-000000000000,DataSensitivityLogEvent,72f988bf-86f1-41af-91ab-2d7cd011db47,458b9821-8f00-483f-acf9-ff6ab17332c4,Sentinel-Bug-Bash-WestEurope,westeurope,AzureBlob-6Pi,AzureBlob,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourceGroups/classification-test/providers/Microsoft.Storage/storageAccounts/aipclptest,458b9821-8f00-483f-acf9-ff6ab17332c4,eastus,BugBashTest,,create samples.xlsx,https://aipclptest.blob.core.windows.net/aipscan/PII/create samples.xlsx,File,"2/13/2020, 7:54:22.000 PM","2/13/2020, 7:54:22.000 PM",,"11/1/2021, 4:10:31.073 PM",xlsx,21343,Labeling,External,[],0,f42aa342-8706-4288-bd11-ebb85995028c,General,,,PurviewDataSensitivityLogs,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourcegroups/purview-sentinel-bug-bash/providers/microsoft.purview/accounts/sentinel-bug-bash-westeurope -d80e74e9-da11-4572-babc-79349f7685cc,"11/1/2021, 4:14:02.129 PM",00000000-0000-0000-0000-000000000000,DataSensitivityLogEvent,72f988bf-86f1-41af-91ab-2d7cd011db47,458b9821-8f00-483f-acf9-ff6ab17332c4,Sentinel-Bug-Bash-WestEurope,westeurope,AzureBlob-6Pi,AzureBlob,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourceGroups/classification-test/providers/Microsoft.Storage/storageAccounts/aipclptest,458b9821-8f00-483f-acf9-ff6ab17332c4,eastus,BugBashTest,,ir-pps.docx,https://aipclptest.blob.core.windows.net/aipscan/HR/ir-pps.docx,File,"2/13/2020, 7:54:12.000 PM","2/13/2020, 7:54:12.000 PM",,"11/1/2021, 4:10:26.721 PM",docx,20027,Classification,System,"[""EU National Identification Number"",""EU Tax Identification Number (TIN)"",""Ireland Personal Public Service (PPS) Number""]",3,,,,,PurviewDataSensitivityLogs,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourcegroups/purview-sentinel-bug-bash/providers/microsoft.purview/accounts/sentinel-bug-bash-westeurope -d80e74e9-da11-4572-babc-79349f7685cc,"11/1/2021, 4:14:02.129 PM",00000000-0000-0000-0000-000000000000,DataSensitivityLogEvent,72f988bf-86f1-41af-91ab-2d7cd011db47,458b9821-8f00-483f-acf9-ff6ab17332c4,Sentinel-Bug-Bash-WestEurope,westeurope,AzureBlob-6Pi,AzureBlob,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourceGroups/classification-test/providers/Microsoft.Storage/storageAccounts/aipclptest,458b9821-8f00-483f-acf9-ff6ab17332c4,eastus,BugBashTest,,ir-pps.docx,https://aipclptest.blob.core.windows.net/aipscan/HR/ir-pps.docx,File,"2/13/2020, 7:54:12.000 PM","2/13/2020, 7:54:12.000 PM",,"11/1/2021, 4:10:26.721 PM",docx,20027,Labeling,External,[],0,f42aa342-8706-4288-bd11-ebb85995028c,General,,,PurviewDataSensitivityLogs,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourcegroups/purview-sentinel-bug-bash/providers/microsoft.purview/accounts/sentinel-bug-bash-westeurope -d80e74e9-da11-4572-babc-79349f7685cc,"11/1/2021, 4:14:02.346 PM",00000000-0000-0000-0000-000000000000,DataSensitivityLogEvent,72f988bf-86f1-41af-91ab-2d7cd011db47,458b9821-8f00-483f-acf9-ff6ab17332c4,Sentinel-Bug-Bash-WestEurope,westeurope,AzureBlob-6Pi,AzureBlob,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourceGroups/classification-test/providers/Microsoft.Storage/storageAccounts/aipclptest,458b9821-8f00-483f-acf9-ff6ab17332c4,eastus,BugBashTest,,create samples.xlsx,https://aipclptest.blob.core.windows.net/satintestcontainer/create samples.xlsx,File,"5/12/2021, 6:56:20.000 PM","5/12/2021, 6:56:20.000 PM",,"11/1/2021, 4:10:29.793 PM",xlsx,29140,Labeling,Default,[],0,9fbde396-1a24-4c79-8edf-9254a0f35055,Confidential\Microsoft Extended,,,PurviewDataSensitivityLogs,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourcegroups/purview-sentinel-bug-bash/providers/microsoft.purview/accounts/sentinel-bug-bash-westeurope -d80e74e9-da11-4572-babc-79349f7685cc,"11/1/2021, 4:14:02.380 PM",00000000-0000-0000-0000-000000000000,DataSensitivityLogEvent,72f988bf-86f1-41af-91ab-2d7cd011db47,458b9821-8f00-483f-acf9-ff6ab17332c4,Sentinel-Bug-Bash-WestEurope,westeurope,AzureBlob-6Pi,AzureBlob,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourceGroups/classification-test/providers/Microsoft.Storage/storageAccounts/aipclptest,458b9821-8f00-483f-acf9-ff6ab17332c4,eastus,BugBashTest,,create samples.xlsx,https://aipclptest.blob.core.windows.net/aipscan/HR/create samples.xlsx,File,"2/13/2020, 7:54:12.000 PM","2/13/2020, 7:54:12.000 PM",,"11/1/2021, 4:10:27.752 PM",xlsx,23208,Classification,System,"[""ABA Routing Number"",""Argentina National Identity (DNI) Number"",""Australia Bank Account Number"",""Australia Driver's License Number"",""Australia Medical Account Number"",""Australia Passport Number"",""Australia Tax File Number"",""Austria Driver's License Number"",""Austria Passport Number"",""Belgium Driver's License Number"",""Belgium Passport Number"",""Brazil CPF Number"",""Brazil Legal Entity Number (CNPJ)"",""Brazil National ID Card (RG)"",""Bulgaria Driver's License Number"",""Bulgaria Passport Number"",""Canada Bank Account Number"",""Canada Driver's License Number"",""Canada Health Service Number"",""Canada Passport Number"",""Canada Personal Health Identification Number (PHIN)"",""Canada Social Insurance Number"",""Chile Identity Card Number"",""China Resident Identity Card (PRC) Number"",""Credit Card Number"",""Croatia Driver's License Number"",""Croatia Passport Number"",""Cyprus Driver's License Number"",""Cyprus Identity Card"",""Czech Personal Identity Number"",""Czech Republic Passport Number"",""Denmark Driver's License Number"",""Denmark Passport Number"",""Denmark Personal Identification Number"",""Estonia Passport Number"",""EU Debit Card Number"",""EU Driver's License Number"",""EU National Identification Number"",""EU Passport Number"",""EU Social Security Number (SSN) or Equivalent ID"",""EU Tax Identification Number (TIN)"",""Finland National ID"",""Finland Passport Number"",""France Driver's License Number"",""France National ID Card (CNI)"",""France Social Security Number (INSEE)"",""German Driver's License Number"",""German Passport Number"",""Germany Identity Card Number"",""Greece Driver's License Number"",""Greece National ID Card"",""Greece Passport Number"",""Hungarian Social Security Number (TAJ)"",""Hungary Passport Number"",""India Permanent Account Number (PAN)"",""India Unique Identification (Aadhaar) Number"",""Indonesia Identity Card (KTP) Number"",""International Banking Account Number (IBAN)"",""IP Address"",""Ireland Passport Number"",""Ireland Personal Public Service (PPS) Number"",""Israel Bank Account Number"",""Israel National ID"",""Italy Driver's License Number"",""Italy Passport Number"",""Japan Bank Account Number"",""Japan Driver's License Number"",""Japan Passport Number"",""Japan Resident Registration Number"",""Japan Social Insurance Number (SIN)"",""Lithuania Driver's License Number"",""Lithuania Passport Number"",""Luxemburg Passport Number"",""Malaysia Identity Card Number"",""Malta Driver's License Number"",""Malta Passport Number"",""Netherlands Driver's License Number"",""Netherlands Passport Number"",""New Zealand Ministry of Health Number"",""Norway Identity Number"",""Philippines Unified Multi-Purpose ID Number"",""Poland Identity Card"",""Romania Driver's License Number"",""Romania Passport Number"",""Russian Passport Number (Domestic)"",""Russian Passport Number (International)"",""Saudi Arabia National ID"",""Singapore National Registration Identity Card (NRIC) Number"",""Slovakia Driver's License Number"",""Slovakia Passport Number"",""Slovakia Personal Number"",""Slovenia Driver's License Number"",""Slovenia Passport Number"",""South Africa Identification Number"",""South Korea Resident Registration Number"",""Spain Social Security Number (SSN)"",""Sweden National ID"",""Sweden Passport Number"",""Sweden Tax Identification Number"",""SWIFT Code"",""Taiwan National ID"",""Taiwan Passport Number"",""Taiwan Resident Certificate (ARC/TARC)"",""U.K. Driver's License Number"",""U.K. Electoral Roll Number"",""U.K. National Health Service Number"",""U.K. National Insurance Number (NINO)"",""U.K. Unique Taxpayer Reference Number"",""U.S. / U.K. Passport Number"",""U.S. Bank Account Number"",""U.S. Individual Taxpayer Identification Number (ITIN)"",""U.S. Social Security Number (SSN)"",""Ukraine Passport Number (Domestic)"",""Ukraine Passport Number (International)""]",114,,,,,PurviewDataSensitivityLogs,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourcegroups/purview-sentinel-bug-bash/providers/microsoft.purview/accounts/sentinel-bug-bash-westeurope -d80e74e9-da11-4572-babc-79349f7685cc,"11/1/2021, 4:14:02.900 PM",00000000-0000-0000-0000-000000000000,DataSensitivityLogEvent,72f988bf-86f1-41af-91ab-2d7cd011db47,458b9821-8f00-483f-acf9-ff6ab17332c4,Sentinel-Bug-Bash-WestEurope,westeurope,AzureBlob-6Pi,AzureBlob,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourceGroups/classification-test/providers/Microsoft.Storage/storageAccounts/aipclptest,458b9821-8f00-483f-acf9-ff6ab17332c4,eastus,BugBashTest,,Billable vendors.pptx,https://aipclptest.blob.core.windows.net/aipscan/Finance/Billable vendors.pptx,File,"2/13/2020, 7:54:02.000 PM","2/13/2020, 7:54:02.000 PM",,"11/1/2021, 4:10:29.658 PM",pptx,32114,Classification,System,"[""Credit Card Number"",""EU Debit Card Number""]",2,,,,,PurviewDataSensitivityLogs,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourcegroups/purview-sentinel-bug-bash/providers/microsoft.purview/accounts/sentinel-bug-bash-westeurope -d80e74e9-da11-4572-babc-79349f7685cc,"11/1/2021, 4:14:02.906 PM",00000000-0000-0000-0000-000000000000,DataSensitivityLogEvent,72f988bf-86f1-41af-91ab-2d7cd011db47,458b9821-8f00-483f-acf9-ff6ab17332c4,Sentinel-Bug-Bash-WestEurope,westeurope,AzureBlob-6Pi,AzureBlob,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourceGroups/classification-test/providers/Microsoft.Storage/storageAccounts/aipclptest,458b9821-8f00-483f-acf9-ff6ab17332c4,eastus,BugBashTest,,Billing 2018.docx,https://aipclptest.blob.core.windows.net/aipscan/Finance/Billing 2018.docx,File,"2/13/2020, 7:54:02.000 PM","2/13/2020, 7:54:02.000 PM",,"11/1/2021, 4:10:29.674 PM",docx,20166,Classification,System,"[""Credit Card Number"",""EU Debit Card Number""]",2,,,,,PurviewDataSensitivityLogs,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourcegroups/purview-sentinel-bug-bash/providers/microsoft.purview/accounts/sentinel-bug-bash-westeurope -d80e74e9-da11-4572-babc-79349f7685cc,"11/1/2021, 4:14:03.017 PM",00000000-0000-0000-0000-000000000000,DataSensitivityLogEvent,72f988bf-86f1-41af-91ab-2d7cd011db47,458b9821-8f00-483f-acf9-ff6ab17332c4,Sentinel-Bug-Bash-WestEurope,westeurope,AzureBlob-6Pi,AzureBlob,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourceGroups/classification-test/providers/Microsoft.Storage/storageAccounts/aipclptest,458b9821-8f00-483f-acf9-ff6ab17332c4,eastus,BugBashTest,,create samples.xlsx,https://aipclptest.blob.core.windows.net/aipscan/HR/create samples.xlsx,File,"2/13/2020, 7:54:12.000 PM","2/13/2020, 7:54:12.000 PM",,"11/1/2021, 4:10:27.752 PM",xlsx,23208,Labeling,External,[],0,f42aa342-8706-4288-bd11-ebb85995028c,General,,,PurviewDataSensitivityLogs,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourcegroups/purview-sentinel-bug-bash/providers/microsoft.purview/accounts/sentinel-bug-bash-westeurope -d80e74e9-da11-4572-babc-79349f7685cc,"11/1/2021, 4:14:03.510 PM",00000000-0000-0000-0000-000000000000,DataSensitivityLogEvent,72f988bf-86f1-41af-91ab-2d7cd011db47,458b9821-8f00-483f-acf9-ff6ab17332c4,Sentinel-Bug-Bash-WestEurope,westeurope,AzureBlob-6Pi,AzureBlob,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourceGroups/classification-test/providers/Microsoft.Storage/storageAccounts/aipclptest,458b9821-8f00-483f-acf9-ff6ab17332c4,eastus,BugBashTest,,Billing 2018.docx,https://aipclptest.blob.core.windows.net/aipscan/Finance/Billing 2018.docx,File,"2/13/2020, 7:54:02.000 PM","2/13/2020, 7:54:02.000 PM",,"11/1/2021, 4:10:29.674 PM",docx,20166,Labeling,Default,[],0,9fbde396-1a24-4c79-8edf-9254a0f35055,Confidential\Microsoft Extended,,,PurviewDataSensitivityLogs,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourcegroups/purview-sentinel-bug-bash/providers/microsoft.purview/accounts/sentinel-bug-bash-westeurope -d80e74e9-da11-4572-babc-79349f7685cc,"11/1/2021, 4:14:03.551 PM",00000000-0000-0000-0000-000000000000,DataSensitivityLogEvent,72f988bf-86f1-41af-91ab-2d7cd011db47,458b9821-8f00-483f-acf9-ff6ab17332c4,Sentinel-Bug-Bash-WestEurope,westeurope,AzureBlob-6Pi,AzureBlob,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourceGroups/classification-test/providers/Microsoft.Storage/storageAccounts/aipclptest,458b9821-8f00-483f-acf9-ff6ab17332c4,eastus,BugBashTest,,Billable vendors.pptx,https://aipclptest.blob.core.windows.net/aipscan/Finance/Billable vendors.pptx,File,"2/13/2020, 7:54:02.000 PM","2/13/2020, 7:54:02.000 PM",,"11/1/2021, 4:10:29.658 PM",pptx,32114,Labeling,Default,[],0,9fbde396-1a24-4c79-8edf-9254a0f35055,Confidential\Microsoft Extended,,,PurviewDataSensitivityLogs,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourcegroups/purview-sentinel-bug-bash/providers/microsoft.purview/accounts/sentinel-bug-bash-westeurope -d80e74e9-da11-4572-babc-79349f7685cc,"11/1/2021, 4:14:04.005 PM",00000000-0000-0000-0000-000000000000,DataSensitivityLogEvent,72f988bf-86f1-41af-91ab-2d7cd011db47,458b9821-8f00-483f-acf9-ff6ab17332c4,Sentinel-Bug-Bash-WestEurope,westeurope,AzureBlob-6Pi,AzureBlob,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourceGroups/classification-test/providers/Microsoft.Storage/storageAccounts/aipclptest,458b9821-8f00-483f-acf9-ff6ab17332c4,eastus,BugBashTest,,customers data v2.xlsx,https://aipclptest.blob.core.windows.net/aipscan/Finance/customers data v2.xlsx,File,"2/13/2020, 7:54:02.000 PM","2/13/2020, 7:54:02.000 PM",,"11/1/2021, 4:10:29.986 PM",xlsx,23326,Classification,System,"[""ABA Routing Number"",""Argentina National Identity (DNI) Number"",""Australia Bank Account Number"",""Australia Driver's License Number"",""Australia Medical Account Number"",""Australia Passport Number"",""Australia Tax File Number"",""Austria Driver's License Number"",""Austria Passport Number"",""Belgium Driver's License Number"",""Belgium Passport Number"",""Brazil CPF Number"",""Brazil Legal Entity Number (CNPJ)"",""Brazil National ID Card (RG)"",""Bulgaria Driver's License Number"",""Bulgaria Passport Number"",""Canada Bank Account Number"",""Canada Driver's License Number"",""Canada Health Service Number"",""Canada Passport Number"",""Canada Personal Health Identification Number (PHIN)"",""Canada Social Insurance Number"",""Chile Identity Card Number"",""China Resident Identity Card (PRC) Number"",""Credit Card Number"",""Croatia Driver's License Number"",""Croatia Passport Number"",""Cyprus Driver's License Number"",""Cyprus Identity Card"",""Czech Personal Identity Number"",""Czech Republic Passport Number"",""Denmark Driver's License Number"",""Denmark Passport Number"",""Denmark Personal Identification Number"",""Estonia Passport Number"",""EU Debit Card Number"",""EU Driver's License Number"",""EU National Identification Number"",""EU Passport Number"",""EU Social Security Number (SSN) or Equivalent ID"",""EU Tax Identification Number (TIN)"",""Finland National ID"",""Finland Passport Number"",""France Driver's License Number"",""France National ID Card (CNI)"",""France Social Security Number (INSEE)"",""German Driver's License Number"",""German Passport Number"",""Germany Identity Card Number"",""Greece Driver's License Number"",""Greece National ID Card"",""Greece Passport Number"",""Hungarian Social Security Number (TAJ)"",""Hungary Passport Number"",""India Permanent Account Number (PAN)"",""India Unique Identification (Aadhaar) Number"",""Indonesia Identity Card (KTP) Number"",""International Banking Account Number (IBAN)"",""IP Address"",""Ireland Passport Number"",""Ireland Personal Public Service (PPS) Number"",""Israel Bank Account Number"",""Israel National ID"",""Italy Driver's License Number"",""Italy Passport Number"",""Japan Bank Account Number"",""Japan Driver's License Number"",""Japan Passport Number"",""Japan Resident Registration Number"",""Japan Social Insurance Number (SIN)"",""Lithuania Driver's License Number"",""Lithuania Passport Number"",""Luxemburg Passport Number"",""Malaysia Identity Card Number"",""Malta Driver's License Number"",""Malta Passport Number"",""Netherlands Driver's License Number"",""Netherlands Passport Number"",""New Zealand Ministry of Health Number"",""Norway Identity Number"",""Philippines Unified Multi-Purpose ID Number"",""Poland Identity Card"",""Romania Driver's License Number"",""Romania Passport Number"",""Russian Passport Number (Domestic)"",""Russian Passport Number (International)"",""Saudi Arabia National ID"",""Singapore National Registration Identity Card (NRIC) Number"",""Slovakia Driver's License Number"",""Slovakia Passport Number"",""Slovakia Personal Number"",""Slovenia Driver's License Number"",""Slovenia Passport Number"",""South Africa Identification Number"",""South Korea Resident Registration Number"",""Spain Social Security Number (SSN)"",""Sweden National ID"",""Sweden Passport Number"",""Sweden Tax Identification Number"",""SWIFT Code"",""Taiwan National ID"",""Taiwan Passport Number"",""Taiwan Resident Certificate (ARC/TARC)"",""U.K. Driver's License Number"",""U.K. Electoral Roll Number"",""U.K. National Health Service Number"",""U.K. National Insurance Number (NINO)"",""U.K. Unique Taxpayer Reference Number"",""U.S. / U.K. Passport Number"",""U.S. Bank Account Number"",""U.S. Individual Taxpayer Identification Number (ITIN)"",""U.S. Social Security Number (SSN)"",""Ukraine Passport Number (Domestic)"",""Ukraine Passport Number (International)""]",114,,,,,PurviewDataSensitivityLogs,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourcegroups/purview-sentinel-bug-bash/providers/microsoft.purview/accounts/sentinel-bug-bash-westeurope -d80e74e9-da11-4572-babc-79349f7685cc,"11/1/2021, 4:14:04.355 PM",00000000-0000-0000-0000-000000000000,DataSensitivityLogEvent,72f988bf-86f1-41af-91ab-2d7cd011db47,458b9821-8f00-483f-acf9-ff6ab17332c4,Sentinel-Bug-Bash-WestEurope,westeurope,AzureBlob-6Pi,AzureBlob,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourceGroups/classification-test/providers/Microsoft.Storage/storageAccounts/aipclptest,458b9821-8f00-483f-acf9-ff6ab17332c4,eastus,BugBashTest,,vendors data.xlsx,https://aipclptest.blob.core.windows.net/aipscan/Finance/vendors data.xlsx,File,"2/13/2020, 7:54:02.000 PM","2/13/2020, 7:54:02.000 PM",,"11/1/2021, 4:10:29.158 PM",xlsx,23326,Classification,System,"[""ABA Routing Number"",""Argentina National Identity (DNI) Number"",""Australia Bank Account Number"",""Australia Driver's License Number"",""Australia Medical Account Number"",""Australia Passport Number"",""Australia Tax File Number"",""Austria Driver's License Number"",""Austria Passport Number"",""Belgium Driver's License Number"",""Belgium Passport Number"",""Brazil CPF Number"",""Brazil Legal Entity Number (CNPJ)"",""Brazil National ID Card (RG)"",""Bulgaria Driver's License Number"",""Bulgaria Passport Number"",""Canada Bank Account Number"",""Canada Driver's License Number"",""Canada Health Service Number"",""Canada Passport Number"",""Canada Personal Health Identification Number (PHIN)"",""Canada Social Insurance Number"",""Chile Identity Card Number"",""China Resident Identity Card (PRC) Number"",""Credit Card Number"",""Croatia Driver's License Number"",""Croatia Passport Number"",""Cyprus Driver's License Number"",""Cyprus Identity Card"",""Czech Personal Identity Number"",""Czech Republic Passport Number"",""Denmark Driver's License Number"",""Denmark Passport Number"",""Denmark Personal Identification Number"",""Estonia Passport Number"",""EU Debit Card Number"",""EU Driver's License Number"",""EU National Identification Number"",""EU Passport Number"",""EU Social Security Number (SSN) or Equivalent ID"",""EU Tax Identification Number (TIN)"",""Finland National ID"",""Finland Passport Number"",""France Driver's License Number"",""France National ID Card (CNI)"",""France Social Security Number (INSEE)"",""German Driver's License Number"",""German Passport Number"",""Germany Identity Card Number"",""Greece Driver's License Number"",""Greece National ID Card"",""Greece Passport Number"",""Hungarian Social Security Number (TAJ)"",""Hungary Passport Number"",""India Permanent Account Number (PAN)"",""India Unique Identification (Aadhaar) Number"",""Indonesia Identity Card (KTP) Number"",""International Banking Account Number (IBAN)"",""IP Address"",""Ireland Passport Number"",""Ireland Personal Public Service (PPS) Number"",""Israel Bank Account Number"",""Israel National ID"",""Italy Driver's License Number"",""Italy Passport Number"",""Japan Bank Account Number"",""Japan Driver's License Number"",""Japan Passport Number"",""Japan Resident Registration Number"",""Japan Social Insurance Number (SIN)"",""Lithuania Driver's License Number"",""Lithuania Passport Number"",""Luxemburg Passport Number"",""Malaysia Identity Card Number"",""Malta Driver's License Number"",""Malta Passport Number"",""Netherlands Driver's License Number"",""Netherlands Passport Number"",""New Zealand Ministry of Health Number"",""Norway Identity Number"",""Philippines Unified Multi-Purpose ID Number"",""Poland Identity Card"",""Romania Driver's License Number"",""Romania Passport Number"",""Russian Passport Number (Domestic)"",""Russian Passport Number (International)"",""Saudi Arabia National ID"",""Singapore National Registration Identity Card (NRIC) Number"",""Slovakia Driver's License Number"",""Slovakia Passport Number"",""Slovakia Personal Number"",""Slovenia Driver's License Number"",""Slovenia Passport Number"",""South Africa Identification Number"",""South Korea Resident Registration Number"",""Spain Social Security Number (SSN)"",""Sweden National ID"",""Sweden Passport Number"",""Sweden Tax Identification Number"",""SWIFT Code"",""Taiwan National ID"",""Taiwan Passport Number"",""Taiwan Resident Certificate (ARC/TARC)"",""U.K. Driver's License Number"",""U.K. Electoral Roll Number"",""U.K. National Health Service Number"",""U.K. National Insurance Number (NINO)"",""U.K. Unique Taxpayer Reference Number"",""U.S. / U.K. Passport Number"",""U.S. Bank Account Number"",""U.S. Individual Taxpayer Identification Number (ITIN)"",""U.S. Social Security Number (SSN)"",""Ukraine Passport Number (Domestic)"",""Ukraine Passport Number (International)""]",114,,,,,PurviewDataSensitivityLogs,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourcegroups/purview-sentinel-bug-bash/providers/microsoft.purview/accounts/sentinel-bug-bash-westeurope -d80e74e9-da11-4572-babc-79349f7685cc,"11/1/2021, 4:14:04.478 PM",00000000-0000-0000-0000-000000000000,DataSensitivityLogEvent,72f988bf-86f1-41af-91ab-2d7cd011db47,458b9821-8f00-483f-acf9-ff6ab17332c4,Sentinel-Bug-Bash-WestEurope,westeurope,AzureBlob-6Pi,AzureBlob,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourceGroups/classification-test/providers/Microsoft.Storage/storageAccounts/aipclptest,458b9821-8f00-483f-acf9-ff6ab17332c4,eastus,BugBashTest,,customers data.xlsx,https://aipclptest.blob.core.windows.net/aipscan/Finance/customers data.xlsx,File,"2/13/2020, 7:54:02.000 PM","2/13/2020, 7:54:02.000 PM",,"11/1/2021, 4:10:29.502 PM",xlsx,23325,Classification,System,"[""ABA Routing Number"",""Argentina National Identity (DNI) Number"",""Australia Bank Account Number"",""Australia Driver's License Number"",""Australia Medical Account Number"",""Australia Passport Number"",""Australia Tax File Number"",""Austria Driver's License Number"",""Austria Passport Number"",""Belgium Driver's License Number"",""Belgium Passport Number"",""Brazil CPF Number"",""Brazil Legal Entity Number (CNPJ)"",""Brazil National ID Card (RG)"",""Bulgaria Driver's License Number"",""Bulgaria Passport Number"",""Canada Bank Account Number"",""Canada Driver's License Number"",""Canada Health Service Number"",""Canada Passport Number"",""Canada Personal Health Identification Number (PHIN)"",""Canada Social Insurance Number"",""Chile Identity Card Number"",""China Resident Identity Card (PRC) Number"",""Credit Card Number"",""Croatia Driver's License Number"",""Croatia Passport Number"",""Cyprus Driver's License Number"",""Cyprus Identity Card"",""Czech Personal Identity Number"",""Czech Republic Passport Number"",""Denmark Driver's License Number"",""Denmark Passport Number"",""Denmark Personal Identification Number"",""Estonia Passport Number"",""EU Debit Card Number"",""EU Driver's License Number"",""EU National Identification Number"",""EU Passport Number"",""EU Social Security Number (SSN) or Equivalent ID"",""EU Tax Identification Number (TIN)"",""Finland National ID"",""Finland Passport Number"",""France Driver's License Number"",""France National ID Card (CNI)"",""France Social Security Number (INSEE)"",""German Driver's License Number"",""German Passport Number"",""Germany Identity Card Number"",""Greece Driver's License Number"",""Greece National ID Card"",""Greece Passport Number"",""Hungarian Social Security Number (TAJ)"",""Hungary Passport Number"",""India Permanent Account Number (PAN)"",""India Unique Identification (Aadhaar) Number"",""Indonesia Identity Card (KTP) Number"",""International Banking Account Number (IBAN)"",""IP Address"",""Ireland Passport Number"",""Ireland Personal Public Service (PPS) Number"",""Israel Bank Account Number"",""Israel National ID"",""Italy Driver's License Number"",""Italy Passport Number"",""Japan Bank Account Number"",""Japan Driver's License Number"",""Japan Passport Number"",""Japan Resident Registration Number"",""Japan Social Insurance Number (SIN)"",""Lithuania Driver's License Number"",""Lithuania Passport Number"",""Luxemburg Passport Number"",""Malaysia Identity Card Number"",""Malta Driver's License Number"",""Malta Passport Number"",""Netherlands Driver's License Number"",""Netherlands Passport Number"",""New Zealand Ministry of Health Number"",""Norway Identity Number"",""Philippines Unified Multi-Purpose ID Number"",""Poland Identity Card"",""Romania Driver's License Number"",""Romania Passport Number"",""Russian Passport Number (Domestic)"",""Russian Passport Number (International)"",""Saudi Arabia National ID"",""Singapore National Registration Identity Card (NRIC) Number"",""Slovakia Driver's License Number"",""Slovakia Passport Number"",""Slovakia Personal Number"",""Slovenia Driver's License Number"",""Slovenia Passport Number"",""South Africa Identification Number"",""South Korea Resident Registration Number"",""Spain Social Security Number (SSN)"",""Sweden National ID"",""Sweden Passport Number"",""Sweden Tax Identification Number"",""SWIFT Code"",""Taiwan National ID"",""Taiwan Passport Number"",""Taiwan Resident Certificate (ARC/TARC)"",""U.K. Driver's License Number"",""U.K. Electoral Roll Number"",""U.K. National Health Service Number"",""U.K. National Insurance Number (NINO)"",""U.K. Unique Taxpayer Reference Number"",""U.S. / U.K. Passport Number"",""U.S. Bank Account Number"",""U.S. Individual Taxpayer Identification Number (ITIN)"",""U.S. Social Security Number (SSN)"",""Ukraine Passport Number (Domestic)"",""Ukraine Passport Number (International)""]",114,,,,,PurviewDataSensitivityLogs,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourcegroups/purview-sentinel-bug-bash/providers/microsoft.purview/accounts/sentinel-bug-bash-westeurope -d80e74e9-da11-4572-babc-79349f7685cc,"11/1/2021, 4:14:04.717 PM",00000000-0000-0000-0000-000000000000,DataSensitivityLogEvent,72f988bf-86f1-41af-91ab-2d7cd011db47,458b9821-8f00-483f-acf9-ff6ab17332c4,Sentinel-Bug-Bash-WestEurope,westeurope,AzureBlob-6Pi,AzureBlob,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourceGroups/classification-test/providers/Microsoft.Storage/storageAccounts/aipclptest,458b9821-8f00-483f-acf9-ff6ab17332c4,eastus,BugBashTest,,customers data v2.xlsx,https://aipclptest.blob.core.windows.net/aipscan/Finance/customers data v2.xlsx,File,"2/13/2020, 7:54:02.000 PM","2/13/2020, 7:54:02.000 PM",,"11/1/2021, 4:10:29.986 PM",xlsx,23326,Labeling,Default,[],0,9fbde396-1a24-4c79-8edf-9254a0f35055,Confidential\Microsoft Extended,,,PurviewDataSensitivityLogs,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourcegroups/purview-sentinel-bug-bash/providers/microsoft.purview/accounts/sentinel-bug-bash-westeurope -d80e74e9-da11-4572-babc-79349f7685cc,"11/1/2021, 4:14:05.116 PM",00000000-0000-0000-0000-000000000000,DataSensitivityLogEvent,72f988bf-86f1-41af-91ab-2d7cd011db47,458b9821-8f00-483f-acf9-ff6ab17332c4,Sentinel-Bug-Bash-WestEurope,westeurope,AzureBlob-6Pi,AzureBlob,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourceGroups/classification-test/providers/Microsoft.Storage/storageAccounts/aipclptest,458b9821-8f00-483f-acf9-ff6ab17332c4,eastus,BugBashTest,,Acme Direct Deposit Form.xls,https://aipclptest.blob.core.windows.net/aipscan/CredScan/Acme Direct Deposit Form.xls,File,"2/13/2020, 7:53:39.000 PM","2/13/2020, 7:53:39.000 PM",,"11/1/2021, 4:10:31.533 PM",xls,123904,Classification,System,"[""U.S. Social Security Number (SSN)""]",1,,,,,PurviewDataSensitivityLogs,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourcegroups/purview-sentinel-bug-bash/providers/microsoft.purview/accounts/sentinel-bug-bash-westeurope -d80e74e9-da11-4572-babc-79349f7685cc,"11/1/2021, 4:14:05.157 PM",00000000-0000-0000-0000-000000000000,DataSensitivityLogEvent,72f988bf-86f1-41af-91ab-2d7cd011db47,458b9821-8f00-483f-acf9-ff6ab17332c4,Sentinel-Bug-Bash-WestEurope,westeurope,AzureBlob-6Pi,AzureBlob,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourceGroups/classification-test/providers/Microsoft.Storage/storageAccounts/aipclptest,458b9821-8f00-483f-acf9-ff6ab17332c4,eastus,BugBashTest,,customers data.xlsx,https://aipclptest.blob.core.windows.net/aipscan/Finance/customers data.xlsx,File,"2/13/2020, 7:54:02.000 PM","2/13/2020, 7:54:02.000 PM",,"11/1/2021, 4:10:29.502 PM",xlsx,23325,Labeling,Default,[],0,9fbde396-1a24-4c79-8edf-9254a0f35055,Confidential\Microsoft Extended,,,PurviewDataSensitivityLogs,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourcegroups/purview-sentinel-bug-bash/providers/microsoft.purview/accounts/sentinel-bug-bash-westeurope -d80e74e9-da11-4572-babc-79349f7685cc,"11/1/2021, 4:14:05.235 PM",00000000-0000-0000-0000-000000000000,DataSensitivityLogEvent,72f988bf-86f1-41af-91ab-2d7cd011db47,458b9821-8f00-483f-acf9-ff6ab17332c4,Sentinel-Bug-Bash-WestEurope,westeurope,AzureBlob-6Pi,AzureBlob,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourceGroups/classification-test/providers/Microsoft.Storage/storageAccounts/aipclptest,458b9821-8f00-483f-acf9-ff6ab17332c4,eastus,BugBashTest,,vendors data.xlsx,https://aipclptest.blob.core.windows.net/aipscan/Finance/vendors data.xlsx,File,"2/13/2020, 7:54:02.000 PM","2/13/2020, 7:54:02.000 PM",,"11/1/2021, 4:10:29.158 PM",xlsx,23326,Labeling,Default,[],0,9fbde396-1a24-4c79-8edf-9254a0f35055,Confidential\Microsoft Extended,,,PurviewDataSensitivityLogs,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourcegroups/purview-sentinel-bug-bash/providers/microsoft.purview/accounts/sentinel-bug-bash-westeurope -d80e74e9-da11-4572-babc-79349f7685cc,"11/1/2021, 4:14:06.451 PM",00000000-0000-0000-0000-000000000000,DataSensitivityLogEvent,72f988bf-86f1-41af-91ab-2d7cd011db47,458b9821-8f00-483f-acf9-ff6ab17332c4,Sentinel-Bug-Bash-WestEurope,westeurope,AzureBlob-6Pi,AzureBlob,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourceGroups/classification-test/providers/Microsoft.Storage/storageAccounts/aipclptest,458b9821-8f00-483f-acf9-ff6ab17332c4,eastus,BugBashTest,,Acme Direct Deposit Form.xls,https://aipclptest.blob.core.windows.net/aipscan/CredScan/Acme Direct Deposit Form.xls,File,"2/13/2020, 7:53:39.000 PM","2/13/2020, 7:53:39.000 PM",,"11/1/2021, 4:10:31.533 PM",xls,123904,Labeling,Default,[],0,9fbde396-1a24-4c79-8edf-9254a0f35055,Confidential\Microsoft Extended,,,PurviewDataSensitivityLogs,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourcegroups/purview-sentinel-bug-bash/providers/microsoft.purview/accounts/sentinel-bug-bash-westeurope -d80e74e9-da11-4572-babc-79349f7685cc,"11/1/2021, 4:14:09.190 PM",00000000-0000-0000-0000-000000000000,DataSensitivityLogEvent,72f988bf-86f1-41af-91ab-2d7cd011db47,458b9821-8f00-483f-acf9-ff6ab17332c4,Sentinel-Bug-Bash-WestEurope,westeurope,AzureBlob-6Pi,AzureBlob,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourceGroups/classification-test/providers/Microsoft.Storage/storageAccounts/aipclptest,458b9821-8f00-483f-acf9-ff6ab17332c4,eastus,BugBashTest,,customers data.xlsx,https://aipclptest.blob.core.windows.net/aipscan/Change Test/customers data.xlsx,File,"9/1/2020, 8:58:50.000 PM","9/1/2020, 8:58:50.000 PM",,"11/1/2021, 4:10:19.370 PM",xlsx,23325,Classification,System,"[""ABA Routing Number"",""Argentina National Identity (DNI) Number"",""Australia Bank Account Number"",""Australia Driver's License Number"",""Australia Medical Account Number"",""Australia Passport Number"",""Australia Tax File Number"",""Austria Driver's License Number"",""Austria Passport Number"",""Belgium Driver's License Number"",""Belgium Passport Number"",""Brazil CPF Number"",""Brazil Legal Entity Number (CNPJ)"",""Brazil National ID Card (RG)"",""Bulgaria Driver's License Number"",""Bulgaria Passport Number"",""Canada Bank Account Number"",""Canada Driver's License Number"",""Canada Health Service Number"",""Canada Passport Number"",""Canada Personal Health Identification Number (PHIN)"",""Canada Social Insurance Number"",""Chile Identity Card Number"",""China Resident Identity Card (PRC) Number"",""Credit Card Number"",""Croatia Driver's License Number"",""Croatia Passport Number"",""Cyprus Driver's License Number"",""Cyprus Identity Card"",""Czech Personal Identity Number"",""Czech Republic Passport Number"",""Denmark Driver's License Number"",""Denmark Passport Number"",""Denmark Personal Identification Number"",""Estonia Passport Number"",""EU Debit Card Number"",""EU Driver's License Number"",""EU National Identification Number"",""EU Passport Number"",""EU Social Security Number (SSN) or Equivalent ID"",""EU Tax Identification Number (TIN)"",""Finland National ID"",""Finland Passport Number"",""France Driver's License Number"",""France National ID Card (CNI)"",""France Social Security Number (INSEE)"",""German Driver's License Number"",""German Passport Number"",""Germany Identity Card Number"",""Greece Driver's License Number"",""Greece National ID Card"",""Greece Passport Number"",""Hungarian Social Security Number (TAJ)"",""Hungary Passport Number"",""India Permanent Account Number (PAN)"",""India Unique Identification (Aadhaar) Number"",""Indonesia Identity Card (KTP) Number"",""International Banking Account Number (IBAN)"",""IP Address"",""Ireland Passport Number"",""Ireland Personal Public Service (PPS) Number"",""Israel Bank Account Number"",""Israel National ID"",""Italy Driver's License Number"",""Italy Passport Number"",""Japan Bank Account Number"",""Japan Driver's License Number"",""Japan Passport Number"",""Japan Resident Registration Number"",""Japan Social Insurance Number (SIN)"",""Lithuania Driver's License Number"",""Lithuania Passport Number"",""Luxemburg Passport Number"",""Malaysia Identity Card Number"",""Malta Driver's License Number"",""Malta Passport Number"",""Netherlands Driver's License Number"",""Netherlands Passport Number"",""New Zealand Ministry of Health Number"",""Norway Identity Number"",""Philippines Unified Multi-Purpose ID Number"",""Poland Identity Card"",""Romania Driver's License Number"",""Romania Passport Number"",""Russian Passport Number (Domestic)"",""Russian Passport Number (International)"",""Saudi Arabia National ID"",""Singapore National Registration Identity Card (NRIC) Number"",""Slovakia Driver's License Number"",""Slovakia Passport Number"",""Slovakia Personal Number"",""Slovenia Driver's License Number"",""Slovenia Passport Number"",""South Africa Identification Number"",""South Korea Resident Registration Number"",""Spain Social Security Number (SSN)"",""Sweden National ID"",""Sweden Passport Number"",""Sweden Tax Identification Number"",""SWIFT Code"",""Taiwan National ID"",""Taiwan Passport Number"",""Taiwan Resident Certificate (ARC/TARC)"",""U.K. Driver's License Number"",""U.K. Electoral Roll Number"",""U.K. National Health Service Number"",""U.K. National Insurance Number (NINO)"",""U.K. Unique Taxpayer Reference Number"",""U.S. / U.K. Passport Number"",""U.S. Bank Account Number"",""U.S. Individual Taxpayer Identification Number (ITIN)"",""U.S. Social Security Number (SSN)"",""Ukraine Passport Number (Domestic)"",""Ukraine Passport Number (International)""]",114,,,,,PurviewDataSensitivityLogs,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourcegroups/purview-sentinel-bug-bash/providers/microsoft.purview/accounts/sentinel-bug-bash-westeurope -d80e74e9-da11-4572-babc-79349f7685cc,"11/1/2021, 4:14:09.197 PM",00000000-0000-0000-0000-000000000000,DataSensitivityLogEvent,72f988bf-86f1-41af-91ab-2d7cd011db47,458b9821-8f00-483f-acf9-ff6ab17332c4,Sentinel-Bug-Bash-WestEurope,westeurope,AzureBlob-6Pi,AzureBlob,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourceGroups/classification-test/providers/Microsoft.Storage/storageAccounts/aipclptest,458b9821-8f00-483f-acf9-ff6ab17332c4,eastus,BugBashTest,,Acme Background Check-Katana.doc,https://aipclptest.blob.core.windows.net/aipscan/Change Test/Acme Background Check-Katana.doc,File,"11/4/2020, 2:11:47.000 AM","11/4/2020, 2:11:47.000 AM",,"11/1/2021, 4:10:19.276 PM",doc,90624,Classification,System,"[""Credit Card Number"",""U.S. Social Security Number (SSN)""]",2,,,,,PurviewDataSensitivityLogs,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourcegroups/purview-sentinel-bug-bash/providers/microsoft.purview/accounts/sentinel-bug-bash-westeurope -d80e74e9-da11-4572-babc-79349f7685cc,"11/1/2021, 4:14:09.896 PM",00000000-0000-0000-0000-000000000000,DataSensitivityLogEvent,72f988bf-86f1-41af-91ab-2d7cd011db47,458b9821-8f00-483f-acf9-ff6ab17332c4,Sentinel-Bug-Bash-WestEurope,westeurope,AzureBlob-6Pi,AzureBlob,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourceGroups/classification-test/providers/Microsoft.Storage/storageAccounts/aipclptest,458b9821-8f00-483f-acf9-ff6ab17332c4,eastus,BugBashTest,,customers data.xlsx,https://aipclptest.blob.core.windows.net/aipscan/Change Test/customers data.xlsx,File,"9/1/2020, 8:58:50.000 PM","9/1/2020, 8:58:50.000 PM",,"11/1/2021, 4:10:19.370 PM",xlsx,23325,Labeling,Default,[],0,9fbde396-1a24-4c79-8edf-9254a0f35055,Confidential\Microsoft Extended,,,PurviewDataSensitivityLogs,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourcegroups/purview-sentinel-bug-bash/providers/microsoft.purview/accounts/sentinel-bug-bash-westeurope -d80e74e9-da11-4572-babc-79349f7685cc,"11/1/2021, 4:14:09.897 PM",00000000-0000-0000-0000-000000000000,DataSensitivityLogEvent,72f988bf-86f1-41af-91ab-2d7cd011db47,458b9821-8f00-483f-acf9-ff6ab17332c4,Sentinel-Bug-Bash-WestEurope,westeurope,AzureBlob-6Pi,AzureBlob,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourceGroups/classification-test/providers/Microsoft.Storage/storageAccounts/aipclptest,458b9821-8f00-483f-acf9-ff6ab17332c4,eastus,BugBashTest,,Acme Background Check-Katana.doc,https://aipclptest.blob.core.windows.net/aipscan/Change Test/Acme Background Check-Katana.doc,File,"11/4/2020, 2:11:47.000 AM","11/4/2020, 2:11:47.000 AM",,"11/1/2021, 4:10:19.276 PM",doc,90624,Labeling,Default,[],0,9fbde396-1a24-4c79-8edf-9254a0f35055,Confidential\Microsoft Extended,,,PurviewDataSensitivityLogs,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourcegroups/purview-sentinel-bug-bash/providers/microsoft.purview/accounts/sentinel-bug-bash-westeurope -d80e74e9-da11-4572-babc-79349f7685cc,"11/1/2021, 4:15:56.569 PM",00000000-0000-0000-0000-000000000000,DataSensitivityLogEvent,72f988bf-86f1-41af-91ab-2d7cd011db47,458b9821-8f00-483f-acf9-ff6ab17332c4,Sentinel-Bug-Bash-SoutheastAsia,southeastasia,AzureBlob-eXR,AzureBlob,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourceGroups/classification-test/providers/Microsoft.Storage/storageAccounts/aipclptest,458b9821-8f00-483f-acf9-ff6ab17332c4,eastus,BugBashTest,,uk-drv.docx,https://aipclptest.blob.core.windows.net/aipscan-open/uk-drv.docx,File,"12/10/2020, 5:58:29.000 PM","12/10/2020, 5:58:29.000 PM",,"11/1/2021, 4:12:25.776 PM",docx,26212,Classification,System,"[""EU Driver's License Number"",""U.K. Driver's License Number""]",2,,,,,PurviewDataSensitivityLogs,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourcegroups/purview-sentinel-bug-bash/providers/microsoft.purview/accounts/sentinel-bug-bash-southeastasia -d80e74e9-da11-4572-babc-79349f7685cc,"11/1/2021, 4:15:56.576 PM",00000000-0000-0000-0000-000000000000,DataSensitivityLogEvent,72f988bf-86f1-41af-91ab-2d7cd011db47,458b9821-8f00-483f-acf9-ff6ab17332c4,Sentinel-Bug-Bash-SoutheastAsia,southeastasia,AzureBlob-eXR,AzureBlob,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourceGroups/classification-test/providers/Microsoft.Storage/storageAccounts/aipclptest,458b9821-8f00-483f-acf9-ff6ab17332c4,eastus,BugBashTest,,uk-roll.docx,https://aipclptest.blob.core.windows.net/aipscan-open/uk-roll.docx,File,"12/10/2020, 5:58:29.000 PM","12/10/2020, 5:58:29.000 PM",,"11/1/2021, 4:12:25.745 PM",docx,25511,Classification,System,"[""U.K. Electoral Roll Number""]",1,,,,,PurviewDataSensitivityLogs,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourcegroups/purview-sentinel-bug-bash/providers/microsoft.purview/accounts/sentinel-bug-bash-southeastasia -d80e74e9-da11-4572-babc-79349f7685cc,"11/1/2021, 4:15:56.582 PM",00000000-0000-0000-0000-000000000000,DataSensitivityLogEvent,72f988bf-86f1-41af-91ab-2d7cd011db47,458b9821-8f00-483f-acf9-ff6ab17332c4,Sentinel-Bug-Bash-SoutheastAsia,southeastasia,AzureBlob-eXR,AzureBlob,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourceGroups/classification-test/providers/Microsoft.Storage/storageAccounts/aipclptest,458b9821-8f00-483f-acf9-ff6ab17332c4,eastus,BugBashTest,,cr-oib.docx,https://aipclptest.blob.core.windows.net/aipscan/PII/cr-oib.docx,File,"2/13/2020, 7:54:22.000 PM","2/13/2020, 7:54:22.000 PM",,"11/1/2021, 4:12:31.844 PM",docx,18746,Classification,System,"[""EU National Identification Number""]",1,,,,,PurviewDataSensitivityLogs,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourcegroups/purview-sentinel-bug-bash/providers/microsoft.purview/accounts/sentinel-bug-bash-southeastasia -d80e74e9-da11-4572-babc-79349f7685cc,"11/1/2021, 4:15:58.102 PM",00000000-0000-0000-0000-000000000000,DataSensitivityLogEvent,72f988bf-86f1-41af-91ab-2d7cd011db47,458b9821-8f00-483f-acf9-ff6ab17332c4,Sentinel-Bug-Bash-SoutheastAsia,southeastasia,AzureBlob-eXR,AzureBlob,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourceGroups/classification-test/providers/Microsoft.Storage/storageAccounts/aipclptest,458b9821-8f00-483f-acf9-ff6ab17332c4,eastus,BugBashTest,,uk-drv.docx,https://aipclptest.blob.core.windows.net/aipscan-open/uk-drv.docx,File,"12/10/2020, 5:58:29.000 PM","12/10/2020, 5:58:29.000 PM",,"11/1/2021, 4:12:25.776 PM",docx,26212,Labeling,Default,[],0,9fbde396-1a24-4c79-8edf-9254a0f35055,Confidential\Microsoft Extended,,,PurviewDataSensitivityLogs,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourcegroups/purview-sentinel-bug-bash/providers/microsoft.purview/accounts/sentinel-bug-bash-southeastasia -d80e74e9-da11-4572-babc-79349f7685cc,"11/1/2021, 4:15:58.133 PM",00000000-0000-0000-0000-000000000000,DataSensitivityLogEvent,72f988bf-86f1-41af-91ab-2d7cd011db47,458b9821-8f00-483f-acf9-ff6ab17332c4,Sentinel-Bug-Bash-SoutheastAsia,southeastasia,AzureBlob-eXR,AzureBlob,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourceGroups/classification-test/providers/Microsoft.Storage/storageAccounts/aipclptest,458b9821-8f00-483f-acf9-ff6ab17332c4,eastus,BugBashTest,,uk-roll.docx,https://aipclptest.blob.core.windows.net/aipscan-open/uk-roll.docx,File,"12/10/2020, 5:58:29.000 PM","12/10/2020, 5:58:29.000 PM",,"11/1/2021, 4:12:25.745 PM",docx,25511,Labeling,Default,[],0,9fbde396-1a24-4c79-8edf-9254a0f35055,Confidential\Microsoft Extended,,,PurviewDataSensitivityLogs,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourcegroups/purview-sentinel-bug-bash/providers/microsoft.purview/accounts/sentinel-bug-bash-southeastasia -d80e74e9-da11-4572-babc-79349f7685cc,"11/1/2021, 4:15:58.142 PM",00000000-0000-0000-0000-000000000000,DataSensitivityLogEvent,72f988bf-86f1-41af-91ab-2d7cd011db47,458b9821-8f00-483f-acf9-ff6ab17332c4,Sentinel-Bug-Bash-SoutheastAsia,southeastasia,AzureBlob-eXR,AzureBlob,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourceGroups/classification-test/providers/Microsoft.Storage/storageAccounts/aipclptest,458b9821-8f00-483f-acf9-ff6ab17332c4,eastus,BugBashTest,,cr-oib.docx,https://aipclptest.blob.core.windows.net/aipscan/PII/cr-oib.docx,File,"2/13/2020, 7:54:22.000 PM","2/13/2020, 7:54:22.000 PM",,"11/1/2021, 4:12:31.844 PM",docx,18746,Labeling,External,[],0,f42aa342-8706-4288-bd11-ebb85995028c,General,,,PurviewDataSensitivityLogs,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourcegroups/purview-sentinel-bug-bash/providers/microsoft.purview/accounts/sentinel-bug-bash-southeastasia -d80e74e9-da11-4572-babc-79349f7685cc,"11/1/2021, 4:15:58.142 PM",00000000-0000-0000-0000-000000000000,DataSensitivityLogEvent,72f988bf-86f1-41af-91ab-2d7cd011db47,458b9821-8f00-483f-acf9-ff6ab17332c4,Sentinel-Bug-Bash-SoutheastAsia,southeastasia,AzureBlob-eXR,AzureBlob,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourceGroups/classification-test/providers/Microsoft.Storage/storageAccounts/aipclptest,458b9821-8f00-483f-acf9-ff6ab17332c4,eastus,BugBashTest,,Customers data2015.docx,https://aipclptest.blob.core.windows.net/satintestcontainer/Customers data2015.docx,File,"6/17/2021, 3:18:46.000 AM","6/17/2021, 3:18:46.000 AM",,"11/1/2021, 4:12:23.870 PM",docx,11141,Classification,System,"[""Credit Card Number"",""EU Debit Card Number""]",2,,,,,PurviewDataSensitivityLogs,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourcegroups/purview-sentinel-bug-bash/providers/microsoft.purview/accounts/sentinel-bug-bash-southeastasia -d80e74e9-da11-4572-babc-79349f7685cc,"11/1/2021, 4:15:58.149 PM",00000000-0000-0000-0000-000000000000,DataSensitivityLogEvent,72f988bf-86f1-41af-91ab-2d7cd011db47,458b9821-8f00-483f-acf9-ff6ab17332c4,Sentinel-Bug-Bash-SoutheastAsia,southeastasia,AzureBlob-eXR,AzureBlob,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourceGroups/classification-test/providers/Microsoft.Storage/storageAccounts/aipclptest,458b9821-8f00-483f-acf9-ff6ab17332c4,eastus,BugBashTest,,EL.txt,https://aipclptest.blob.core.windows.net/satintestcontainer/EL.txt,File,"5/12/2021, 6:56:19.000 PM","5/12/2021, 6:56:19.000 PM",,"11/1/2021, 4:12:23.854 PM",txt,200,Classification,System,"[""EU National Identification Number"",""Greece National ID Card""]",2,,,,,PurviewDataSensitivityLogs,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourcegroups/purview-sentinel-bug-bash/providers/microsoft.purview/accounts/sentinel-bug-bash-southeastasia -d80e74e9-da11-4572-babc-79349f7685cc,"11/1/2021, 4:15:58.155 PM",00000000-0000-0000-0000-000000000000,DataSensitivityLogEvent,72f988bf-86f1-41af-91ab-2d7cd011db47,458b9821-8f00-483f-acf9-ff6ab17332c4,Sentinel-Bug-Bash-SoutheastAsia,southeastasia,AzureBlob-eXR,AzureBlob,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourceGroups/classification-test/providers/Microsoft.Storage/storageAccounts/aipclptest,458b9821-8f00-483f-acf9-ff6ab17332c4,eastus,BugBashTest,,germany.txt,https://aipclptest.blob.core.windows.net/aipscan-open/germany.txt,File,"12/10/2020, 5:58:29.000 PM","12/10/2020, 5:58:29.000 PM",,"11/1/2021, 4:12:25.729 PM",txt,42,Classification,System,"[""EU National Identification Number"",""EU Social Security Number (SSN) or Equivalent ID"",""Germany Identity Card Number""]",3,,,,,PurviewDataSensitivityLogs,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourcegroups/purview-sentinel-bug-bash/providers/microsoft.purview/accounts/sentinel-bug-bash-southeastasia -d80e74e9-da11-4572-babc-79349f7685cc,"11/1/2021, 4:15:58.161 PM",00000000-0000-0000-0000-000000000000,DataSensitivityLogEvent,72f988bf-86f1-41af-91ab-2d7cd011db47,458b9821-8f00-483f-acf9-ff6ab17332c4,Sentinel-Bug-Bash-SoutheastAsia,southeastasia,AzureBlob-eXR,AzureBlob,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourceGroups/classification-test/providers/Microsoft.Storage/storageAccounts/aipclptest,458b9821-8f00-483f-acf9-ff6ab17332c4,eastus,BugBashTest,,uk-pn.docx,https://aipclptest.blob.core.windows.net/aipscan-open/uk-pn.docx,File,"12/10/2020, 5:58:29.000 PM","12/10/2020, 5:58:29.000 PM",,"11/1/2021, 4:12:25.760 PM",docx,26383,Classification,System,"[""Bulgaria Passport Number"",""Croatia Passport Number"",""Denmark Passport Number"",""EU Passport Number"",""Ireland Passport Number"",""Italy Passport Number"",""Romania Passport Number"",""Russian Passport Number (International)"",""Taiwan Passport Number"",""U.S. / U.K. Passport Number"",""Ukraine Passport Number (Domestic)""]",11,,,,,PurviewDataSensitivityLogs,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourcegroups/purview-sentinel-bug-bash/providers/microsoft.purview/accounts/sentinel-bug-bash-southeastasia -d80e74e9-da11-4572-babc-79349f7685cc,"11/1/2021, 4:15:58.167 PM",00000000-0000-0000-0000-000000000000,DataSensitivityLogEvent,72f988bf-86f1-41af-91ab-2d7cd011db47,458b9821-8f00-483f-acf9-ff6ab17332c4,Sentinel-Bug-Bash-SoutheastAsia,southeastasia,AzureBlob-eXR,AzureBlob,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourceGroups/classification-test/providers/Microsoft.Storage/storageAccounts/aipclptest,458b9821-8f00-483f-acf9-ff6ab17332c4,eastus,BugBashTest,,multiple.docx,https://aipclptest.blob.core.windows.net/satintestcontainer/multiple.docx,File,"5/12/2021, 6:56:20.000 PM","5/12/2021, 6:56:20.000 PM",,"11/1/2021, 4:12:24.588 PM",docx,24336,Classification,System,"[""EU National Identification Number"",""EU Social Security Number (SSN) or Equivalent ID"",""EU Tax Identification Number (TIN)"",""Finland National ID"",""Germany Identity Card Number"",""Greece National ID Card"",""Ireland Personal Public Service (PPS) Number""]",7,,,,,PurviewDataSensitivityLogs,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourcegroups/purview-sentinel-bug-bash/providers/microsoft.purview/accounts/sentinel-bug-bash-southeastasia -d80e74e9-da11-4572-babc-79349f7685cc,"11/1/2021, 4:15:58.173 PM",00000000-0000-0000-0000-000000000000,DataSensitivityLogEvent,72f988bf-86f1-41af-91ab-2d7cd011db47,458b9821-8f00-483f-acf9-ff6ab17332c4,Sentinel-Bug-Bash-SoutheastAsia,southeastasia,AzureBlob-eXR,AzureBlob,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourceGroups/classification-test/providers/Microsoft.Storage/storageAccounts/aipclptest,458b9821-8f00-483f-acf9-ff6ab17332c4,eastus,BugBashTest,,Acme Background Check-Katana.doc,https://aipclptest.blob.core.windows.net/aipscan/Acme Background Check-Katana.doc,File,"7/20/2020, 11:17:52.000 PM","8/12/2020, 10:48:18.000 PM",,"11/1/2021, 4:12:18.151 PM",doc,90624,Classification,System,"[""Credit Card Number"",""U.S. Social Security Number (SSN)""]",2,,,,,PurviewDataSensitivityLogs,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourcegroups/purview-sentinel-bug-bash/providers/microsoft.purview/accounts/sentinel-bug-bash-southeastasia -d80e74e9-da11-4572-babc-79349f7685cc,"11/1/2021, 4:15:58.181 PM",00000000-0000-0000-0000-000000000000,DataSensitivityLogEvent,72f988bf-86f1-41af-91ab-2d7cd011db47,458b9821-8f00-483f-acf9-ff6ab17332c4,Sentinel-Bug-Bash-SoutheastAsia,southeastasia,AzureBlob-eXR,AzureBlob,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourceGroups/classification-test/providers/Microsoft.Storage/storageAccounts/aipclptest,458b9821-8f00-483f-acf9-ff6ab17332c4,eastus,BugBashTest,,dk-id.docx,https://aipclptest.blob.core.windows.net/aipscan/PII/dk-id.docx,File,"2/13/2020, 7:54:22.000 PM","2/13/2020, 7:54:22.000 PM",,"11/1/2021, 4:12:29.839 PM",docx,18756,Classification,System,"[""Denmark Personal Identification Number"",""EU National Identification Number"",""EU Social Security Number (SSN) or Equivalent ID"",""EU Tax Identification Number (TIN)""]",4,,,,,PurviewDataSensitivityLogs,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourcegroups/purview-sentinel-bug-bash/providers/microsoft.purview/accounts/sentinel-bug-bash-southeastasia -d80e74e9-da11-4572-babc-79349f7685cc,"11/1/2021, 4:15:58.181 PM",00000000-0000-0000-0000-000000000000,DataSensitivityLogEvent,72f988bf-86f1-41af-91ab-2d7cd011db47,458b9821-8f00-483f-acf9-ff6ab17332c4,Sentinel-Bug-Bash-SoutheastAsia,southeastasia,AzureBlob-eXR,AzureBlob,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourceGroups/classification-test/providers/Microsoft.Storage/storageAccounts/aipclptest,458b9821-8f00-483f-acf9-ff6ab17332c4,eastus,BugBashTest,,dk-id.docx,https://aipclptest.blob.core.windows.net/aipscan/PII/dk-id.docx,File,"2/13/2020, 7:54:22.000 PM","2/13/2020, 7:54:22.000 PM",,"11/1/2021, 4:12:29.839 PM",docx,18756,Labeling,External,[],0,f42aa342-8706-4288-bd11-ebb85995028c,General,,,PurviewDataSensitivityLogs,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourcegroups/purview-sentinel-bug-bash/providers/microsoft.purview/accounts/sentinel-bug-bash-southeastasia -d80e74e9-da11-4572-babc-79349f7685cc,"11/1/2021, 4:15:58.182 PM",00000000-0000-0000-0000-000000000000,DataSensitivityLogEvent,72f988bf-86f1-41af-91ab-2d7cd011db47,458b9821-8f00-483f-acf9-ff6ab17332c4,Sentinel-Bug-Bash-SoutheastAsia,southeastasia,AzureBlob-eXR,AzureBlob,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourceGroups/classification-test/providers/Microsoft.Storage/storageAccounts/aipclptest,458b9821-8f00-483f-acf9-ff6ab17332c4,eastus,BugBashTest,,es-ssn.docx,https://aipclptest.blob.core.windows.net/aipscan/PII/es-ssn.docx,File,"2/13/2020, 7:54:22.000 PM","2/13/2020, 7:54:22.000 PM",,"11/1/2021, 4:12:29.839 PM",docx,18723,Classification,System,"[""Spain Social Security Number (SSN)""]",1,,,,,PurviewDataSensitivityLogs,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourcegroups/purview-sentinel-bug-bash/providers/microsoft.purview/accounts/sentinel-bug-bash-southeastasia -d80e74e9-da11-4572-babc-79349f7685cc,"11/1/2021, 4:15:58.182 PM",00000000-0000-0000-0000-000000000000,DataSensitivityLogEvent,72f988bf-86f1-41af-91ab-2d7cd011db47,458b9821-8f00-483f-acf9-ff6ab17332c4,Sentinel-Bug-Bash-SoutheastAsia,southeastasia,AzureBlob-eXR,AzureBlob,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourceGroups/classification-test/providers/Microsoft.Storage/storageAccounts/aipclptest,458b9821-8f00-483f-acf9-ff6ab17332c4,eastus,BugBashTest,,es-ssn.docx,https://aipclptest.blob.core.windows.net/aipscan/PII/es-ssn.docx,File,"2/13/2020, 7:54:22.000 PM","2/13/2020, 7:54:22.000 PM",,"11/1/2021, 4:12:29.839 PM",docx,18723,Labeling,External,[],0,f42aa342-8706-4288-bd11-ebb85995028c,General,,,PurviewDataSensitivityLogs,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourcegroups/purview-sentinel-bug-bash/providers/microsoft.purview/accounts/sentinel-bug-bash-southeastasia -d80e74e9-da11-4572-babc-79349f7685cc,"11/1/2021, 4:15:58.182 PM",00000000-0000-0000-0000-000000000000,DataSensitivityLogEvent,72f988bf-86f1-41af-91ab-2d7cd011db47,458b9821-8f00-483f-acf9-ff6ab17332c4,Sentinel-Bug-Bash-SoutheastAsia,southeastasia,AzureBlob-eXR,AzureBlob,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourceGroups/classification-test/providers/Microsoft.Storage/storageAccounts/aipclptest,458b9821-8f00-483f-acf9-ff6ab17332c4,eastus,BugBashTest,,de-id.docx,https://aipclptest.blob.core.windows.net/satintestcontainer/de-id.docx,File,"5/12/2021, 6:56:20.000 PM","5/12/2021, 6:56:20.000 PM",,"11/1/2021, 4:12:25.073 PM",docx,25558,Classification,System,"[""EU National Identification Number"",""Germany Identity Card Number""]",2,,,,,PurviewDataSensitivityLogs,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourcegroups/purview-sentinel-bug-bash/providers/microsoft.purview/accounts/sentinel-bug-bash-southeastasia -d80e74e9-da11-4572-babc-79349f7685cc,"11/1/2021, 4:15:58.190 PM",00000000-0000-0000-0000-000000000000,DataSensitivityLogEvent,72f988bf-86f1-41af-91ab-2d7cd011db47,458b9821-8f00-483f-acf9-ff6ab17332c4,Sentinel-Bug-Bash-SoutheastAsia,southeastasia,AzureBlob-eXR,AzureBlob,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourceGroups/classification-test/providers/Microsoft.Storage/storageAccounts/aipclptest,458b9821-8f00-483f-acf9-ff6ab17332c4,eastus,BugBashTest,,EL.txt,https://aipclptest.blob.core.windows.net/aipscan/PII/EL.txt,File,"2/13/2020, 7:54:22.000 PM","2/13/2020, 7:54:22.000 PM",,"11/1/2021, 4:12:30.573 PM",txt,200,Classification,System,"[""EU National Identification Number"",""Greece National ID Card""]",2,,,,,PurviewDataSensitivityLogs,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourcegroups/purview-sentinel-bug-bash/providers/microsoft.purview/accounts/sentinel-bug-bash-southeastasia -d80e74e9-da11-4572-babc-79349f7685cc,"11/1/2021, 4:15:58.198 PM",00000000-0000-0000-0000-000000000000,DataSensitivityLogEvent,72f988bf-86f1-41af-91ab-2d7cd011db47,458b9821-8f00-483f-acf9-ff6ab17332c4,Sentinel-Bug-Bash-SoutheastAsia,southeastasia,AzureBlob-eXR,AzureBlob,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourceGroups/classification-test/providers/Microsoft.Storage/storageAccounts/aipclptest,458b9821-8f00-483f-acf9-ff6ab17332c4,eastus,BugBashTest,,germany.txt,https://aipclptest.blob.core.windows.net/satintestcontainer/germany.txt,File,"5/12/2021, 6:56:19.000 PM","5/12/2021, 6:56:19.000 PM",,"11/1/2021, 4:12:23.885 PM",txt,42,Classification,System,"[""EU National Identification Number"",""EU Social Security Number (SSN) or Equivalent ID"",""Germany Identity Card Number""]",3,,,,,PurviewDataSensitivityLogs,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourcegroups/purview-sentinel-bug-bash/providers/microsoft.purview/accounts/sentinel-bug-bash-southeastasia -d80e74e9-da11-4572-babc-79349f7685cc,"11/1/2021, 4:15:58.206 PM",00000000-0000-0000-0000-000000000000,DataSensitivityLogEvent,72f988bf-86f1-41af-91ab-2d7cd011db47,458b9821-8f00-483f-acf9-ff6ab17332c4,Sentinel-Bug-Bash-SoutheastAsia,southeastasia,AzureBlob-eXR,AzureBlob,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourceGroups/classification-test/providers/Microsoft.Storage/storageAccounts/aipclptest,458b9821-8f00-483f-acf9-ff6ab17332c4,eastus,BugBashTest,,denmark.txt,https://aipclptest.blob.core.windows.net/aipscan/PII/denmark.txt,File,"2/13/2020, 7:54:22.000 PM","2/13/2020, 7:54:22.000 PM",,"11/1/2021, 4:12:28.807 PM",txt,128,Classification,System,"[""EU National Identification Number""]",1,,,,,PurviewDataSensitivityLogs,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourcegroups/purview-sentinel-bug-bash/providers/microsoft.purview/accounts/sentinel-bug-bash-southeastasia -d80e74e9-da11-4572-babc-79349f7685cc,"11/1/2021, 4:15:58.215 PM",00000000-0000-0000-0000-000000000000,DataSensitivityLogEvent,72f988bf-86f1-41af-91ab-2d7cd011db47,458b9821-8f00-483f-acf9-ff6ab17332c4,Sentinel-Bug-Bash-SoutheastAsia,southeastasia,AzureBlob-eXR,AzureBlob,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourceGroups/classification-test/providers/Microsoft.Storage/storageAccounts/aipclptest,458b9821-8f00-483f-acf9-ff6ab17332c4,eastus,BugBashTest,,germany.txt,https://aipclptest.blob.core.windows.net/aipscan/PII/germany.txt,File,"2/13/2020, 7:54:22.000 PM","2/13/2020, 7:54:22.000 PM",,"11/1/2021, 4:12:31.110 PM",txt,42,Classification,System,"[""EU National Identification Number"",""EU Social Security Number (SSN) or Equivalent ID"",""Germany Identity Card Number""]",3,,,,,PurviewDataSensitivityLogs,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourcegroups/purview-sentinel-bug-bash/providers/microsoft.purview/accounts/sentinel-bug-bash-southeastasia -d80e74e9-da11-4572-babc-79349f7685cc,"11/1/2021, 4:15:58.347 PM",00000000-0000-0000-0000-000000000000,DataSensitivityLogEvent,72f988bf-86f1-41af-91ab-2d7cd011db47,458b9821-8f00-483f-acf9-ff6ab17332c4,Sentinel-Bug-Bash-SoutheastAsia,southeastasia,AzureBlob-eXR,AzureBlob,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourceGroups/classification-test/providers/Microsoft.Storage/storageAccounts/aipclptest,458b9821-8f00-483f-acf9-ff6ab17332c4,eastus,BugBashTest,,multiple.docx,https://aipclptest.blob.core.windows.net/aipscan/PII/multiple.docx,File,"2/13/2020, 7:54:22.000 PM","2/13/2020, 7:54:22.000 PM",,"11/1/2021, 4:12:33.344 PM",docx,17475,Classification,System,"[""EU National Identification Number"",""EU Social Security Number (SSN) or Equivalent ID"",""EU Tax Identification Number (TIN)"",""Finland National ID"",""Germany Identity Card Number"",""Greece National ID Card"",""Ireland Personal Public Service (PPS) Number""]",7,,,,,PurviewDataSensitivityLogs,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourcegroups/purview-sentinel-bug-bash/providers/microsoft.purview/accounts/sentinel-bug-bash-southeastasia -d80e74e9-da11-4572-babc-79349f7685cc,"11/1/2021, 4:15:58.348 PM",00000000-0000-0000-0000-000000000000,DataSensitivityLogEvent,72f988bf-86f1-41af-91ab-2d7cd011db47,458b9821-8f00-483f-acf9-ff6ab17332c4,Sentinel-Bug-Bash-SoutheastAsia,southeastasia,AzureBlob-eXR,AzureBlob,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourceGroups/classification-test/providers/Microsoft.Storage/storageAccounts/aipclptest,458b9821-8f00-483f-acf9-ff6ab17332c4,eastus,BugBashTest,,multiple.docx,https://aipclptest.blob.core.windows.net/aipscan/PII/multiple.docx,File,"2/13/2020, 7:54:22.000 PM","2/13/2020, 7:54:22.000 PM",,"11/1/2021, 4:12:33.344 PM",docx,17475,Labeling,External,[],0,f42aa342-8706-4288-bd11-ebb85995028c,General,,,PurviewDataSensitivityLogs,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourcegroups/purview-sentinel-bug-bash/providers/microsoft.purview/accounts/sentinel-bug-bash-southeastasia -d80e74e9-da11-4572-babc-79349f7685cc,"11/1/2021, 4:15:58.348 PM",00000000-0000-0000-0000-000000000000,DataSensitivityLogEvent,72f988bf-86f1-41af-91ab-2d7cd011db47,458b9821-8f00-483f-acf9-ff6ab17332c4,Sentinel-Bug-Bash-SoutheastAsia,southeastasia,AzureBlob-eXR,AzureBlob,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourceGroups/classification-test/providers/Microsoft.Storage/storageAccounts/aipclptest,458b9821-8f00-483f-acf9-ff6ab17332c4,eastus,BugBashTest,,uk-nino.docx,https://aipclptest.blob.core.windows.net/aipscan-open/uk-nino.docx,File,"12/10/2020, 5:58:29.000 PM","12/10/2020, 5:58:29.000 PM",,"11/1/2021, 4:12:25.948 PM",docx,26184,Classification,System,"[""EU National Identification Number"",""U.K. National Insurance Number (NINO)""]",2,,,,,PurviewDataSensitivityLogs,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourcegroups/purview-sentinel-bug-bash/providers/microsoft.purview/accounts/sentinel-bug-bash-southeastasia -d80e74e9-da11-4572-babc-79349f7685cc,"11/1/2021, 4:15:58.355 PM",00000000-0000-0000-0000-000000000000,DataSensitivityLogEvent,72f988bf-86f1-41af-91ab-2d7cd011db47,458b9821-8f00-483f-acf9-ff6ab17332c4,Sentinel-Bug-Bash-SoutheastAsia,southeastasia,AzureBlob-eXR,AzureBlob,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourceGroups/classification-test/providers/Microsoft.Storage/storageAccounts/aipclptest,458b9821-8f00-483f-acf9-ff6ab17332c4,eastus,BugBashTest,,cc.docx,https://aipclptest.blob.core.windows.net/aipscan/PII/cc.docx,File,"2/13/2020, 7:54:22.000 PM","2/13/2020, 7:54:22.000 PM",,"11/1/2021, 4:12:26.276 PM",docx,18956,Classification,System,"[""Credit Card Number"",""EU Debit Card Number""]",2,,,,,PurviewDataSensitivityLogs,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourcegroups/purview-sentinel-bug-bash/providers/microsoft.purview/accounts/sentinel-bug-bash-southeastasia -d80e74e9-da11-4572-babc-79349f7685cc,"11/1/2021, 4:15:58.355 PM",00000000-0000-0000-0000-000000000000,DataSensitivityLogEvent,72f988bf-86f1-41af-91ab-2d7cd011db47,458b9821-8f00-483f-acf9-ff6ab17332c4,Sentinel-Bug-Bash-SoutheastAsia,southeastasia,AzureBlob-eXR,AzureBlob,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourceGroups/classification-test/providers/Microsoft.Storage/storageAccounts/aipclptest,458b9821-8f00-483f-acf9-ff6ab17332c4,eastus,BugBashTest,,cc.docx,https://aipclptest.blob.core.windows.net/aipscan/PII/cc.docx,File,"2/13/2020, 7:54:22.000 PM","2/13/2020, 7:54:22.000 PM",,"11/1/2021, 4:12:26.276 PM",docx,18956,Labeling,External,[],0,f42aa342-8706-4288-bd11-ebb85995028c,General,,,PurviewDataSensitivityLogs,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourcegroups/purview-sentinel-bug-bash/providers/microsoft.purview/accounts/sentinel-bug-bash-southeastasia -d80e74e9-da11-4572-babc-79349f7685cc,"11/1/2021, 4:15:58.355 PM",00000000-0000-0000-0000-000000000000,DataSensitivityLogEvent,72f988bf-86f1-41af-91ab-2d7cd011db47,458b9821-8f00-483f-acf9-ff6ab17332c4,Sentinel-Bug-Bash-SoutheastAsia,southeastasia,AzureBlob-eXR,AzureBlob,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourceGroups/classification-test/providers/Microsoft.Storage/storageAccounts/aipclptest,458b9821-8f00-483f-acf9-ff6ab17332c4,eastus,BugBashTest,,cz-id.docx,https://aipclptest.blob.core.windows.net/aipscan/PII/cz-id.docx,File,"2/13/2020, 7:54:22.000 PM","2/13/2020, 7:54:22.000 PM",,"11/1/2021, 4:12:30.370 PM",docx,18764,Classification,System,"[""EU National Identification Number"",""EU Social Security Number (SSN) or Equivalent ID""]",2,,,,,PurviewDataSensitivityLogs,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourcegroups/purview-sentinel-bug-bash/providers/microsoft.purview/accounts/sentinel-bug-bash-southeastasia -d80e74e9-da11-4572-babc-79349f7685cc,"11/1/2021, 4:15:58.355 PM",00000000-0000-0000-0000-000000000000,DataSensitivityLogEvent,72f988bf-86f1-41af-91ab-2d7cd011db47,458b9821-8f00-483f-acf9-ff6ab17332c4,Sentinel-Bug-Bash-SoutheastAsia,southeastasia,AzureBlob-eXR,AzureBlob,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourceGroups/classification-test/providers/Microsoft.Storage/storageAccounts/aipclptest,458b9821-8f00-483f-acf9-ff6ab17332c4,eastus,BugBashTest,,cz-id.docx,https://aipclptest.blob.core.windows.net/aipscan/PII/cz-id.docx,File,"2/13/2020, 7:54:22.000 PM","2/13/2020, 7:54:22.000 PM",,"11/1/2021, 4:12:30.370 PM",docx,18764,Labeling,External,[],0,f42aa342-8706-4288-bd11-ebb85995028c,General,,,PurviewDataSensitivityLogs,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourcegroups/purview-sentinel-bug-bash/providers/microsoft.purview/accounts/sentinel-bug-bash-southeastasia -d80e74e9-da11-4572-babc-79349f7685cc,"11/1/2021, 4:15:58.355 PM",00000000-0000-0000-0000-000000000000,DataSensitivityLogEvent,72f988bf-86f1-41af-91ab-2d7cd011db47,458b9821-8f00-483f-acf9-ff6ab17332c4,Sentinel-Bug-Bash-SoutheastAsia,southeastasia,AzureBlob-eXR,AzureBlob,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourceGroups/classification-test/providers/Microsoft.Storage/storageAccounts/aipclptest,458b9821-8f00-483f-acf9-ff6ab17332c4,eastus,BugBashTest,,Customers data2015.docx,https://aipclptest.blob.core.windows.net/aipscan/CustomerData/Customers data2015.docx,File,"2/13/2020, 7:53:51.000 PM","2/13/2020, 7:53:51.000 PM",,"11/1/2021, 4:12:26.198 PM",docx,11141,Classification,System,"[""Credit Card Number"",""EU Debit Card Number""]",2,,,,,PurviewDataSensitivityLogs,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourcegroups/purview-sentinel-bug-bash/providers/microsoft.purview/accounts/sentinel-bug-bash-southeastasia -d80e74e9-da11-4572-babc-79349f7685cc,"11/1/2021, 4:15:58.361 PM",00000000-0000-0000-0000-000000000000,DataSensitivityLogEvent,72f988bf-86f1-41af-91ab-2d7cd011db47,458b9821-8f00-483f-acf9-ff6ab17332c4,Sentinel-Bug-Bash-SoutheastAsia,southeastasia,AzureBlob-eXR,AzureBlob,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourceGroups/classification-test/providers/Microsoft.Storage/storageAccounts/aipclptest,458b9821-8f00-483f-acf9-ff6ab17332c4,eastus,BugBashTest,,sw-id.docx,https://aipclptest.blob.core.windows.net/aipscan/PII/sw-id.docx,File,"2/13/2020, 7:54:22.000 PM","2/13/2020, 7:54:22.000 PM",,"11/1/2021, 4:12:29.839 PM",docx,18718,Classification,System,"[""EU Social Security Number (SSN) or Equivalent ID"",""EU Tax Identification Number (TIN)""]",2,,,,,PurviewDataSensitivityLogs,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourcegroups/purview-sentinel-bug-bash/providers/microsoft.purview/accounts/sentinel-bug-bash-southeastasia -d80e74e9-da11-4572-babc-79349f7685cc,"11/1/2021, 4:15:58.361 PM",00000000-0000-0000-0000-000000000000,DataSensitivityLogEvent,72f988bf-86f1-41af-91ab-2d7cd011db47,458b9821-8f00-483f-acf9-ff6ab17332c4,Sentinel-Bug-Bash-SoutheastAsia,southeastasia,AzureBlob-eXR,AzureBlob,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourceGroups/classification-test/providers/Microsoft.Storage/storageAccounts/aipclptest,458b9821-8f00-483f-acf9-ff6ab17332c4,eastus,BugBashTest,,sw-id.docx,https://aipclptest.blob.core.windows.net/aipscan/PII/sw-id.docx,File,"2/13/2020, 7:54:22.000 PM","2/13/2020, 7:54:22.000 PM",,"11/1/2021, 4:12:29.839 PM",docx,18718,Labeling,External,[],0,f42aa342-8706-4288-bd11-ebb85995028c,General,,,PurviewDataSensitivityLogs,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourcegroups/purview-sentinel-bug-bash/providers/microsoft.purview/accounts/sentinel-bug-bash-southeastasia -d80e74e9-da11-4572-babc-79349f7685cc,"11/1/2021, 4:15:58.361 PM",00000000-0000-0000-0000-000000000000,DataSensitivityLogEvent,72f988bf-86f1-41af-91ab-2d7cd011db47,458b9821-8f00-483f-acf9-ff6ab17332c4,Sentinel-Bug-Bash-SoutheastAsia,southeastasia,AzureBlob-eXR,AzureBlob,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourceGroups/classification-test/providers/Microsoft.Storage/storageAccounts/aipclptest,458b9821-8f00-483f-acf9-ff6ab17332c4,eastus,BugBashTest,,Customers data2016.docx,https://aipclptest.blob.core.windows.net/aipscan/CustomerData/Customers data2016.docx,File,"2/13/2020, 7:53:51.000 PM","2/13/2020, 7:53:51.000 PM",,"11/1/2021, 4:12:26.229 PM",docx,11916,Classification,System,"[""Belgium Driver's License Number"",""Credit Card Number"",""EU Debit Card Number"",""EU Driver's License Number"",""EU National Identification Number"",""EU Social Security Number (SSN) or Equivalent ID"",""German Driver's License Number"",""Germany Identity Card Number""]",8,,,,,PurviewDataSensitivityLogs,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourcegroups/purview-sentinel-bug-bash/providers/microsoft.purview/accounts/sentinel-bug-bash-southeastasia -d80e74e9-da11-4572-babc-79349f7685cc,"11/1/2021, 4:15:58.367 PM",00000000-0000-0000-0000-000000000000,DataSensitivityLogEvent,72f988bf-86f1-41af-91ab-2d7cd011db47,458b9821-8f00-483f-acf9-ff6ab17332c4,Sentinel-Bug-Bash-SoutheastAsia,southeastasia,AzureBlob-eXR,AzureBlob,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourceGroups/classification-test/providers/Microsoft.Storage/storageAccounts/aipclptest,458b9821-8f00-483f-acf9-ff6ab17332c4,eastus,BugBashTest,,de-drv.docx,https://aipclptest.blob.core.windows.net/aipscan/HR/de-drv.docx,File,"2/13/2020, 7:54:12.000 PM","2/13/2020, 7:54:12.000 PM",,"11/1/2021, 4:12:34.407 PM",docx,20201,Classification,System,"[""EU Driver's License Number"",""German Driver's License Number""]",2,,,,,PurviewDataSensitivityLogs,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourcegroups/purview-sentinel-bug-bash/providers/microsoft.purview/accounts/sentinel-bug-bash-southeastasia -d80e74e9-da11-4572-babc-79349f7685cc,"11/1/2021, 4:15:58.367 PM",00000000-0000-0000-0000-000000000000,DataSensitivityLogEvent,72f988bf-86f1-41af-91ab-2d7cd011db47,458b9821-8f00-483f-acf9-ff6ab17332c4,Sentinel-Bug-Bash-SoutheastAsia,southeastasia,AzureBlob-eXR,AzureBlob,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourceGroups/classification-test/providers/Microsoft.Storage/storageAccounts/aipclptest,458b9821-8f00-483f-acf9-ff6ab17332c4,eastus,BugBashTest,,de-drv.docx,https://aipclptest.blob.core.windows.net/aipscan/HR/de-drv.docx,File,"2/13/2020, 7:54:12.000 PM","2/13/2020, 7:54:12.000 PM",,"11/1/2021, 4:12:34.407 PM",docx,20201,Labeling,External,[],0,f42aa342-8706-4288-bd11-ebb85995028c,General,,,PurviewDataSensitivityLogs,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourcegroups/purview-sentinel-bug-bash/providers/microsoft.purview/accounts/sentinel-bug-bash-southeastasia -d80e74e9-da11-4572-babc-79349f7685cc,"11/1/2021, 4:15:58.367 PM",00000000-0000-0000-0000-000000000000,DataSensitivityLogEvent,72f988bf-86f1-41af-91ab-2d7cd011db47,458b9821-8f00-483f-acf9-ff6ab17332c4,Sentinel-Bug-Bash-SoutheastAsia,southeastasia,AzureBlob-eXR,AzureBlob,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourceGroups/classification-test/providers/Microsoft.Storage/storageAccounts/aipclptest,458b9821-8f00-483f-acf9-ff6ab17332c4,eastus,BugBashTest,,uk-nino.docx,https://aipclptest.blob.core.windows.net/aipscan/PII/uk-nino.docx,File,"2/13/2020, 7:54:22.000 PM","2/13/2020, 7:54:22.000 PM",,"11/1/2021, 4:12:32.594 PM",docx,18847,Classification,System,"[""EU National Identification Number"",""U.K. National Insurance Number (NINO)""]",2,,,,,PurviewDataSensitivityLogs,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourcegroups/purview-sentinel-bug-bash/providers/microsoft.purview/accounts/sentinel-bug-bash-southeastasia -d80e74e9-da11-4572-babc-79349f7685cc,"11/1/2021, 4:15:58.367 PM",00000000-0000-0000-0000-000000000000,DataSensitivityLogEvent,72f988bf-86f1-41af-91ab-2d7cd011db47,458b9821-8f00-483f-acf9-ff6ab17332c4,Sentinel-Bug-Bash-SoutheastAsia,southeastasia,AzureBlob-eXR,AzureBlob,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourceGroups/classification-test/providers/Microsoft.Storage/storageAccounts/aipclptest,458b9821-8f00-483f-acf9-ff6ab17332c4,eastus,BugBashTest,,uk-nino.docx,https://aipclptest.blob.core.windows.net/aipscan/PII/uk-nino.docx,File,"2/13/2020, 7:54:22.000 PM","2/13/2020, 7:54:22.000 PM",,"11/1/2021, 4:12:32.594 PM",docx,18847,Labeling,External,[],0,f42aa342-8706-4288-bd11-ebb85995028c,General,,,PurviewDataSensitivityLogs,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourcegroups/purview-sentinel-bug-bash/providers/microsoft.purview/accounts/sentinel-bug-bash-southeastasia -d80e74e9-da11-4572-babc-79349f7685cc,"11/1/2021, 4:15:58.367 PM",00000000-0000-0000-0000-000000000000,DataSensitivityLogEvent,72f988bf-86f1-41af-91ab-2d7cd011db47,458b9821-8f00-483f-acf9-ff6ab17332c4,Sentinel-Bug-Bash-SoutheastAsia,southeastasia,AzureBlob-eXR,AzureBlob,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourceGroups/classification-test/providers/Microsoft.Storage/storageAccounts/aipclptest,458b9821-8f00-483f-acf9-ff6ab17332c4,eastus,BugBashTest,,fi-pn.docx,https://aipclptest.blob.core.windows.net/aipscan/PII/fi-pn.docx,File,"2/13/2020, 7:54:22.000 PM","2/13/2020, 7:54:22.000 PM",,"11/1/2021, 4:12:32.516 PM",docx,18734,Classification,System,"[""Japan Passport Number""]",1,,,,,PurviewDataSensitivityLogs,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourcegroups/purview-sentinel-bug-bash/providers/microsoft.purview/accounts/sentinel-bug-bash-southeastasia -d80e74e9-da11-4572-babc-79349f7685cc,"11/1/2021, 4:15:58.367 PM",00000000-0000-0000-0000-000000000000,DataSensitivityLogEvent,72f988bf-86f1-41af-91ab-2d7cd011db47,458b9821-8f00-483f-acf9-ff6ab17332c4,Sentinel-Bug-Bash-SoutheastAsia,southeastasia,AzureBlob-eXR,AzureBlob,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourceGroups/classification-test/providers/Microsoft.Storage/storageAccounts/aipclptest,458b9821-8f00-483f-acf9-ff6ab17332c4,eastus,BugBashTest,,fi-pn.docx,https://aipclptest.blob.core.windows.net/aipscan/PII/fi-pn.docx,File,"2/13/2020, 7:54:22.000 PM","2/13/2020, 7:54:22.000 PM",,"11/1/2021, 4:12:32.516 PM",docx,18734,Labeling,External,[],0,f42aa342-8706-4288-bd11-ebb85995028c,General,,,PurviewDataSensitivityLogs,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourcegroups/purview-sentinel-bug-bash/providers/microsoft.purview/accounts/sentinel-bug-bash-southeastasia -d80e74e9-da11-4572-babc-79349f7685cc,"11/1/2021, 4:15:58.367 PM",00000000-0000-0000-0000-000000000000,DataSensitivityLogEvent,72f988bf-86f1-41af-91ab-2d7cd011db47,458b9821-8f00-483f-acf9-ff6ab17332c4,Sentinel-Bug-Bash-SoutheastAsia,southeastasia,AzureBlob-eXR,AzureBlob,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourceGroups/classification-test/providers/Microsoft.Storage/storageAccounts/aipclptest,458b9821-8f00-483f-acf9-ff6ab17332c4,eastus,BugBashTest,,ir-pps.docx,https://aipclptest.blob.core.windows.net/aipscan/PII/ir-pps.docx,File,"2/13/2020, 7:54:22.000 PM","2/13/2020, 7:54:22.000 PM",,"11/1/2021, 4:12:32.610 PM",docx,18806,Classification,System,"[""EU National Identification Number"",""EU Tax Identification Number (TIN)"",""Ireland Personal Public Service (PPS) Number""]",3,,,,,PurviewDataSensitivityLogs,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourcegroups/purview-sentinel-bug-bash/providers/microsoft.purview/accounts/sentinel-bug-bash-southeastasia -d80e74e9-da11-4572-babc-79349f7685cc,"11/1/2021, 4:15:58.368 PM",00000000-0000-0000-0000-000000000000,DataSensitivityLogEvent,72f988bf-86f1-41af-91ab-2d7cd011db47,458b9821-8f00-483f-acf9-ff6ab17332c4,Sentinel-Bug-Bash-SoutheastAsia,southeastasia,AzureBlob-eXR,AzureBlob,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourceGroups/classification-test/providers/Microsoft.Storage/storageAccounts/aipclptest,458b9821-8f00-483f-acf9-ff6ab17332c4,eastus,BugBashTest,,ir-pps.docx,https://aipclptest.blob.core.windows.net/aipscan/PII/ir-pps.docx,File,"2/13/2020, 7:54:22.000 PM","2/13/2020, 7:54:22.000 PM",,"11/1/2021, 4:12:32.610 PM",docx,18806,Labeling,External,[],0,f42aa342-8706-4288-bd11-ebb85995028c,General,,,PurviewDataSensitivityLogs,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourcegroups/purview-sentinel-bug-bash/providers/microsoft.purview/accounts/sentinel-bug-bash-southeastasia -d80e74e9-da11-4572-babc-79349f7685cc,"11/1/2021, 4:15:58.368 PM",00000000-0000-0000-0000-000000000000,DataSensitivityLogEvent,72f988bf-86f1-41af-91ab-2d7cd011db47,458b9821-8f00-483f-acf9-ff6ab17332c4,Sentinel-Bug-Bash-SoutheastAsia,southeastasia,AzureBlob-eXR,AzureBlob,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourceGroups/classification-test/providers/Microsoft.Storage/storageAccounts/aipclptest,458b9821-8f00-483f-acf9-ff6ab17332c4,eastus,BugBashTest,,fr-cni.docx,https://aipclptest.blob.core.windows.net/aipscan/PII/fr-cni.docx,File,"2/13/2020, 7:54:22.000 PM","2/13/2020, 7:54:22.000 PM",,"11/1/2021, 4:12:28.839 PM",docx,19249,Classification,System,"[""EU National Identification Number"",""France National ID Card (CNI)""]",2,,,,,PurviewDataSensitivityLogs,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourcegroups/purview-sentinel-bug-bash/providers/microsoft.purview/accounts/sentinel-bug-bash-southeastasia -d80e74e9-da11-4572-babc-79349f7685cc,"11/1/2021, 4:15:58.368 PM",00000000-0000-0000-0000-000000000000,DataSensitivityLogEvent,72f988bf-86f1-41af-91ab-2d7cd011db47,458b9821-8f00-483f-acf9-ff6ab17332c4,Sentinel-Bug-Bash-SoutheastAsia,southeastasia,AzureBlob-eXR,AzureBlob,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourceGroups/classification-test/providers/Microsoft.Storage/storageAccounts/aipclptest,458b9821-8f00-483f-acf9-ff6ab17332c4,eastus,BugBashTest,,fr-cni.docx,https://aipclptest.blob.core.windows.net/aipscan/PII/fr-cni.docx,File,"2/13/2020, 7:54:22.000 PM","2/13/2020, 7:54:22.000 PM",,"11/1/2021, 4:12:28.839 PM",docx,19249,Labeling,External,[],0,f42aa342-8706-4288-bd11-ebb85995028c,General,,,PurviewDataSensitivityLogs,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourcegroups/purview-sentinel-bug-bash/providers/microsoft.purview/accounts/sentinel-bug-bash-southeastasia -d80e74e9-da11-4572-babc-79349f7685cc,"11/1/2021, 4:15:58.368 PM",00000000-0000-0000-0000-000000000000,DataSensitivityLogEvent,72f988bf-86f1-41af-91ab-2d7cd011db47,458b9821-8f00-483f-acf9-ff6ab17332c4,Sentinel-Bug-Bash-SoutheastAsia,southeastasia,AzureBlob-eXR,AzureBlob,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourceGroups/classification-test/providers/Microsoft.Storage/storageAccounts/aipclptest,458b9821-8f00-483f-acf9-ff6ab17332c4,eastus,BugBashTest,,uk-roll.docx,https://aipclptest.blob.core.windows.net/aipscan/PII/uk-roll.docx,File,"2/13/2020, 7:54:22.000 PM","2/13/2020, 7:54:22.000 PM",,"11/1/2021, 4:12:32.079 PM",docx,18608,Classification,System,"[""U.K. Electoral Roll Number""]",1,,,,,PurviewDataSensitivityLogs,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourcegroups/purview-sentinel-bug-bash/providers/microsoft.purview/accounts/sentinel-bug-bash-southeastasia -d80e74e9-da11-4572-babc-79349f7685cc,"11/1/2021, 4:15:58.368 PM",00000000-0000-0000-0000-000000000000,DataSensitivityLogEvent,72f988bf-86f1-41af-91ab-2d7cd011db47,458b9821-8f00-483f-acf9-ff6ab17332c4,Sentinel-Bug-Bash-SoutheastAsia,southeastasia,AzureBlob-eXR,AzureBlob,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourceGroups/classification-test/providers/Microsoft.Storage/storageAccounts/aipclptest,458b9821-8f00-483f-acf9-ff6ab17332c4,eastus,BugBashTest,,uk-roll.docx,https://aipclptest.blob.core.windows.net/aipscan/PII/uk-roll.docx,File,"2/13/2020, 7:54:22.000 PM","2/13/2020, 7:54:22.000 PM",,"11/1/2021, 4:12:32.079 PM",docx,18608,Labeling,External,[],0,f42aa342-8706-4288-bd11-ebb85995028c,General,,,PurviewDataSensitivityLogs,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourcegroups/purview-sentinel-bug-bash/providers/microsoft.purview/accounts/sentinel-bug-bash-southeastasia -d80e74e9-da11-4572-babc-79349f7685cc,"11/1/2021, 4:15:58.368 PM",00000000-0000-0000-0000-000000000000,DataSensitivityLogEvent,72f988bf-86f1-41af-91ab-2d7cd011db47,458b9821-8f00-483f-acf9-ff6ab17332c4,Sentinel-Bug-Bash-SoutheastAsia,southeastasia,AzureBlob-eXR,AzureBlob,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourceGroups/classification-test/providers/Microsoft.Storage/storageAccounts/aipclptest,458b9821-8f00-483f-acf9-ff6ab17332c4,eastus,BugBashTest,,fr-drv.docx,https://aipclptest.blob.core.windows.net/aipscan/PII/fr-drv.docx,File,"2/13/2020, 7:54:22.000 PM","2/13/2020, 7:54:22.000 PM",,"11/1/2021, 4:12:28.104 PM",docx,18796,Classification,System,"[""Cyprus Driver's License Number"",""EU Driver's License Number"",""France Driver's License Number"",""Japan Driver's License Number""]",4,,,,,PurviewDataSensitivityLogs,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourcegroups/purview-sentinel-bug-bash/providers/microsoft.purview/accounts/sentinel-bug-bash-southeastasia -d80e74e9-da11-4572-babc-79349f7685cc,"11/1/2021, 4:15:58.368 PM",00000000-0000-0000-0000-000000000000,DataSensitivityLogEvent,72f988bf-86f1-41af-91ab-2d7cd011db47,458b9821-8f00-483f-acf9-ff6ab17332c4,Sentinel-Bug-Bash-SoutheastAsia,southeastasia,AzureBlob-eXR,AzureBlob,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourceGroups/classification-test/providers/Microsoft.Storage/storageAccounts/aipclptest,458b9821-8f00-483f-acf9-ff6ab17332c4,eastus,BugBashTest,,fr-drv.docx,https://aipclptest.blob.core.windows.net/aipscan/PII/fr-drv.docx,File,"2/13/2020, 7:54:22.000 PM","2/13/2020, 7:54:22.000 PM",,"11/1/2021, 4:12:28.104 PM",docx,18796,Labeling,External,[],0,f42aa342-8706-4288-bd11-ebb85995028c,General,,,PurviewDataSensitivityLogs,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourcegroups/purview-sentinel-bug-bash/providers/microsoft.purview/accounts/sentinel-bug-bash-southeastasia -d80e74e9-da11-4572-babc-79349f7685cc,"11/1/2021, 4:15:58.369 PM",00000000-0000-0000-0000-000000000000,DataSensitivityLogEvent,72f988bf-86f1-41af-91ab-2d7cd011db47,458b9821-8f00-483f-acf9-ff6ab17332c4,Sentinel-Bug-Bash-SoutheastAsia,southeastasia,AzureBlob-eXR,AzureBlob,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourceGroups/classification-test/providers/Microsoft.Storage/storageAccounts/aipclptest,458b9821-8f00-483f-acf9-ff6ab17332c4,eastus,BugBashTest,,el-id.docx,https://aipclptest.blob.core.windows.net/aipscan/PII/el-id.docx,File,"2/13/2020, 7:54:22.000 PM","2/13/2020, 7:54:22.000 PM",,"11/1/2021, 4:12:31.610 PM",docx,18834,Classification,System,"[""EU National Identification Number"",""Greece National ID Card""]",2,,,,,PurviewDataSensitivityLogs,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourcegroups/purview-sentinel-bug-bash/providers/microsoft.purview/accounts/sentinel-bug-bash-southeastasia -d80e74e9-da11-4572-babc-79349f7685cc,"11/1/2021, 4:15:58.369 PM",00000000-0000-0000-0000-000000000000,DataSensitivityLogEvent,72f988bf-86f1-41af-91ab-2d7cd011db47,458b9821-8f00-483f-acf9-ff6ab17332c4,Sentinel-Bug-Bash-SoutheastAsia,southeastasia,AzureBlob-eXR,AzureBlob,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourceGroups/classification-test/providers/Microsoft.Storage/storageAccounts/aipclptest,458b9821-8f00-483f-acf9-ff6ab17332c4,eastus,BugBashTest,,el-id.docx,https://aipclptest.blob.core.windows.net/aipscan/PII/el-id.docx,File,"2/13/2020, 7:54:22.000 PM","2/13/2020, 7:54:22.000 PM",,"11/1/2021, 4:12:31.610 PM",docx,18834,Labeling,External,[],0,f42aa342-8706-4288-bd11-ebb85995028c,General,,,PurviewDataSensitivityLogs,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourcegroups/purview-sentinel-bug-bash/providers/microsoft.purview/accounts/sentinel-bug-bash-southeastasia -d80e74e9-da11-4572-babc-79349f7685cc,"11/1/2021, 4:15:58.369 PM",00000000-0000-0000-0000-000000000000,DataSensitivityLogEvent,72f988bf-86f1-41af-91ab-2d7cd011db47,458b9821-8f00-483f-acf9-ff6ab17332c4,Sentinel-Bug-Bash-SoutheastAsia,southeastasia,AzureBlob-eXR,AzureBlob,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourceGroups/classification-test/providers/Microsoft.Storage/storageAccounts/aipclptest,458b9821-8f00-483f-acf9-ff6ab17332c4,eastus,BugBashTest,,IR.txt,https://aipclptest.blob.core.windows.net/aipscan/PII/IR.txt,File,"2/13/2020, 7:54:22.000 PM","2/13/2020, 7:54:22.000 PM",,"11/1/2021, 4:12:31.110 PM",txt,197,Classification,System,"[""EU National Identification Number"",""EU Tax Identification Number (TIN)"",""Ireland Personal Public Service (PPS) Number""]",3,,,,,PurviewDataSensitivityLogs,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourcegroups/purview-sentinel-bug-bash/providers/microsoft.purview/accounts/sentinel-bug-bash-southeastasia -d80e74e9-da11-4572-babc-79349f7685cc,"11/1/2021, 4:15:58.510 PM",00000000-0000-0000-0000-000000000000,DataSensitivityLogEvent,72f988bf-86f1-41af-91ab-2d7cd011db47,458b9821-8f00-483f-acf9-ff6ab17332c4,Sentinel-Bug-Bash-SoutheastAsia,southeastasia,AzureBlob-eXR,AzureBlob,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourceGroups/classification-test/providers/Microsoft.Storage/storageAccounts/aipclptest,458b9821-8f00-483f-acf9-ff6ab17332c4,eastus,BugBashTest,,finland.txt,https://aipclptest.blob.core.windows.net/aipscan/PII/finland.txt,File,"2/13/2020, 7:54:22.000 PM","2/13/2020, 7:54:22.000 PM",,"11/1/2021, 4:12:29.292 PM",txt,89,Classification,System,"[""EU National Identification Number"",""EU Social Security Number (SSN) or Equivalent ID"",""EU Tax Identification Number (TIN)"",""Finland National ID""]",4,,,,,PurviewDataSensitivityLogs,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourcegroups/purview-sentinel-bug-bash/providers/microsoft.purview/accounts/sentinel-bug-bash-southeastasia -d80e74e9-da11-4572-babc-79349f7685cc,"11/1/2021, 4:15:58.516 PM",00000000-0000-0000-0000-000000000000,DataSensitivityLogEvent,72f988bf-86f1-41af-91ab-2d7cd011db47,458b9821-8f00-483f-acf9-ff6ab17332c4,Sentinel-Bug-Bash-SoutheastAsia,southeastasia,AzureBlob-eXR,AzureBlob,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourceGroups/classification-test/providers/Microsoft.Storage/storageAccounts/aipclptest,458b9821-8f00-483f-acf9-ff6ab17332c4,eastus,BugBashTest,,de-pn.docx,https://aipclptest.blob.core.windows.net/aipscan/PII/de-pn.docx,File,"2/13/2020, 7:54:22.000 PM","2/13/2020, 7:54:22.000 PM",,"11/1/2021, 4:12:28.089 PM",docx,18714,Classification,System,"[""EU Passport Number"",""German Passport Number""]",2,,,,,PurviewDataSensitivityLogs,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourcegroups/purview-sentinel-bug-bash/providers/microsoft.purview/accounts/sentinel-bug-bash-southeastasia -d80e74e9-da11-4572-babc-79349f7685cc,"11/1/2021, 4:15:58.516 PM",00000000-0000-0000-0000-000000000000,DataSensitivityLogEvent,72f988bf-86f1-41af-91ab-2d7cd011db47,458b9821-8f00-483f-acf9-ff6ab17332c4,Sentinel-Bug-Bash-SoutheastAsia,southeastasia,AzureBlob-eXR,AzureBlob,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourceGroups/classification-test/providers/Microsoft.Storage/storageAccounts/aipclptest,458b9821-8f00-483f-acf9-ff6ab17332c4,eastus,BugBashTest,,de-pn.docx,https://aipclptest.blob.core.windows.net/aipscan/PII/de-pn.docx,File,"2/13/2020, 7:54:22.000 PM","2/13/2020, 7:54:22.000 PM",,"11/1/2021, 4:12:28.089 PM",docx,18714,Labeling,External,[],0,f42aa342-8706-4288-bd11-ebb85995028c,General,,,PurviewDataSensitivityLogs,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourcegroups/purview-sentinel-bug-bash/providers/microsoft.purview/accounts/sentinel-bug-bash-southeastasia -d80e74e9-da11-4572-babc-79349f7685cc,"11/1/2021, 4:15:58.516 PM",00000000-0000-0000-0000-000000000000,DataSensitivityLogEvent,72f988bf-86f1-41af-91ab-2d7cd011db47,458b9821-8f00-483f-acf9-ff6ab17332c4,Sentinel-Bug-Bash-SoutheastAsia,southeastasia,AzureBlob-eXR,AzureBlob,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourceGroups/classification-test/providers/Microsoft.Storage/storageAccounts/aipclptest,458b9821-8f00-483f-acf9-ff6ab17332c4,eastus,BugBashTest,,Doc with credit cards.docx,https://aipclptest.blob.core.windows.net/aipscan-open/Doc with credit cards.docx,File,"11/18/2020, 12:26:00.000 AM","11/18/2020, 12:26:00.000 AM",,"11/1/2021, 4:12:25.745 PM",docx,14003,Classification,System,"[""Credit Card Number"",""EU Debit Card Number""]",2,,,,,PurviewDataSensitivityLogs,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourcegroups/purview-sentinel-bug-bash/providers/microsoft.purview/accounts/sentinel-bug-bash-southeastasia -d80e74e9-da11-4572-babc-79349f7685cc,"11/1/2021, 4:15:58.517 PM",00000000-0000-0000-0000-000000000000,DataSensitivityLogEvent,72f988bf-86f1-41af-91ab-2d7cd011db47,458b9821-8f00-483f-acf9-ff6ab17332c4,Sentinel-Bug-Bash-SoutheastAsia,southeastasia,AzureBlob-eXR,AzureBlob,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourceGroups/classification-test/providers/Microsoft.Storage/storageAccounts/aipclptest,458b9821-8f00-483f-acf9-ff6ab17332c4,eastus,BugBashTest,,Doc with credit cards.docx,https://aipclptest.blob.core.windows.net/aipscan-open/Doc with credit cards.docx,File,"11/18/2020, 12:26:00.000 AM","11/18/2020, 12:26:00.000 AM",,"11/1/2021, 4:12:25.745 PM",docx,14003,Labeling,External,[],0,f42aa342-8706-4288-bd11-ebb85995028c,General,,,PurviewDataSensitivityLogs,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourcegroups/purview-sentinel-bug-bash/providers/microsoft.purview/accounts/sentinel-bug-bash-southeastasia -d80e74e9-da11-4572-babc-79349f7685cc,"11/1/2021, 4:15:58.517 PM",00000000-0000-0000-0000-000000000000,DataSensitivityLogEvent,72f988bf-86f1-41af-91ab-2d7cd011db47,458b9821-8f00-483f-acf9-ff6ab17332c4,Sentinel-Bug-Bash-SoutheastAsia,southeastasia,AzureBlob-eXR,AzureBlob,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourceGroups/classification-test/providers/Microsoft.Storage/storageAccounts/aipclptest,458b9821-8f00-483f-acf9-ff6ab17332c4,eastus,BugBashTest,,pr-id.docx,https://aipclptest.blob.core.windows.net/aipscan/PII/pr-id.docx,File,"2/13/2020, 7:54:22.000 PM","2/13/2020, 7:54:22.000 PM",,"11/1/2021, 4:12:28.089 PM",docx,18769,Classification,System,"[""EU National Identification Number""]",1,,,,,PurviewDataSensitivityLogs,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourcegroups/purview-sentinel-bug-bash/providers/microsoft.purview/accounts/sentinel-bug-bash-southeastasia -d80e74e9-da11-4572-babc-79349f7685cc,"11/1/2021, 4:15:58.517 PM",00000000-0000-0000-0000-000000000000,DataSensitivityLogEvent,72f988bf-86f1-41af-91ab-2d7cd011db47,458b9821-8f00-483f-acf9-ff6ab17332c4,Sentinel-Bug-Bash-SoutheastAsia,southeastasia,AzureBlob-eXR,AzureBlob,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourceGroups/classification-test/providers/Microsoft.Storage/storageAccounts/aipclptest,458b9821-8f00-483f-acf9-ff6ab17332c4,eastus,BugBashTest,,pr-id.docx,https://aipclptest.blob.core.windows.net/aipscan/PII/pr-id.docx,File,"2/13/2020, 7:54:22.000 PM","2/13/2020, 7:54:22.000 PM",,"11/1/2021, 4:12:28.089 PM",docx,18769,Labeling,External,[],0,f42aa342-8706-4288-bd11-ebb85995028c,General,,,PurviewDataSensitivityLogs,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourcegroups/purview-sentinel-bug-bash/providers/microsoft.purview/accounts/sentinel-bug-bash-southeastasia -d80e74e9-da11-4572-babc-79349f7685cc,"11/1/2021, 4:15:58.517 PM",00000000-0000-0000-0000-000000000000,DataSensitivityLogEvent,72f988bf-86f1-41af-91ab-2d7cd011db47,458b9821-8f00-483f-acf9-ff6ab17332c4,Sentinel-Bug-Bash-SoutheastAsia,southeastasia,AzureBlob-eXR,AzureBlob,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourceGroups/classification-test/providers/Microsoft.Storage/storageAccounts/aipclptest,458b9821-8f00-483f-acf9-ff6ab17332c4,eastus,BugBashTest,,cc.docx,https://aipclptest.blob.core.windows.net/aipscan/HR/cc.docx,File,"2/13/2020, 7:54:12.000 PM","2/13/2020, 7:54:12.000 PM",,"11/1/2021, 4:12:35.438 PM",docx,20282,Classification,System,"[""Credit Card Number"",""EU Debit Card Number""]",2,,,,,PurviewDataSensitivityLogs,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourcegroups/purview-sentinel-bug-bash/providers/microsoft.purview/accounts/sentinel-bug-bash-southeastasia -d80e74e9-da11-4572-babc-79349f7685cc,"11/1/2021, 4:15:58.517 PM",00000000-0000-0000-0000-000000000000,DataSensitivityLogEvent,72f988bf-86f1-41af-91ab-2d7cd011db47,458b9821-8f00-483f-acf9-ff6ab17332c4,Sentinel-Bug-Bash-SoutheastAsia,southeastasia,AzureBlob-eXR,AzureBlob,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourceGroups/classification-test/providers/Microsoft.Storage/storageAccounts/aipclptest,458b9821-8f00-483f-acf9-ff6ab17332c4,eastus,BugBashTest,,cc.docx,https://aipclptest.blob.core.windows.net/aipscan/HR/cc.docx,File,"2/13/2020, 7:54:12.000 PM","2/13/2020, 7:54:12.000 PM",,"11/1/2021, 4:12:35.438 PM",docx,20282,Labeling,External,[],0,f42aa342-8706-4288-bd11-ebb85995028c,General,,,PurviewDataSensitivityLogs,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourcegroups/purview-sentinel-bug-bash/providers/microsoft.purview/accounts/sentinel-bug-bash-southeastasia -d80e74e9-da11-4572-babc-79349f7685cc,"11/1/2021, 4:15:58.517 PM",00000000-0000-0000-0000-000000000000,DataSensitivityLogEvent,72f988bf-86f1-41af-91ab-2d7cd011db47,458b9821-8f00-483f-acf9-ff6ab17332c4,Sentinel-Bug-Bash-SoutheastAsia,southeastasia,AzureBlob-eXR,AzureBlob,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourceGroups/classification-test/providers/Microsoft.Storage/storageAccounts/aipclptest,458b9821-8f00-483f-acf9-ff6ab17332c4,eastus,BugBashTest,,uk-roll.docx,https://aipclptest.blob.core.windows.net/aipscan/HR/uk-roll.docx,File,"2/13/2020, 7:54:12.000 PM","2/13/2020, 7:54:12.000 PM",,"11/1/2021, 4:12:35.360 PM",docx,19575,Classification,System,"[""U.K. Electoral Roll Number""]",1,,,,,PurviewDataSensitivityLogs,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourcegroups/purview-sentinel-bug-bash/providers/microsoft.purview/accounts/sentinel-bug-bash-southeastasia -d80e74e9-da11-4572-babc-79349f7685cc,"11/1/2021, 4:15:58.517 PM",00000000-0000-0000-0000-000000000000,DataSensitivityLogEvent,72f988bf-86f1-41af-91ab-2d7cd011db47,458b9821-8f00-483f-acf9-ff6ab17332c4,Sentinel-Bug-Bash-SoutheastAsia,southeastasia,AzureBlob-eXR,AzureBlob,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourceGroups/classification-test/providers/Microsoft.Storage/storageAccounts/aipclptest,458b9821-8f00-483f-acf9-ff6ab17332c4,eastus,BugBashTest,,uk-roll.docx,https://aipclptest.blob.core.windows.net/aipscan/HR/uk-roll.docx,File,"2/13/2020, 7:54:12.000 PM","2/13/2020, 7:54:12.000 PM",,"11/1/2021, 4:12:35.360 PM",docx,19575,Labeling,External,[],0,f42aa342-8706-4288-bd11-ebb85995028c,General,,,PurviewDataSensitivityLogs,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourcegroups/purview-sentinel-bug-bash/providers/microsoft.purview/accounts/sentinel-bug-bash-southeastasia -d80e74e9-da11-4572-babc-79349f7685cc,"11/1/2021, 4:15:58.518 PM",00000000-0000-0000-0000-000000000000,DataSensitivityLogEvent,72f988bf-86f1-41af-91ab-2d7cd011db47,458b9821-8f00-483f-acf9-ff6ab17332c4,Sentinel-Bug-Bash-SoutheastAsia,southeastasia,AzureBlob-eXR,AzureBlob,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourceGroups/classification-test/providers/Microsoft.Storage/storageAccounts/aipclptest,458b9821-8f00-483f-acf9-ff6ab17332c4,eastus,BugBashTest,,germany.txt,https://aipclptest.blob.core.windows.net/aipscan/HR/germany.txt,File,"2/13/2020, 7:54:12.000 PM","2/13/2020, 7:54:12.000 PM",,"11/1/2021, 4:12:35.704 PM",txt,42,Classification,System,"[""EU National Identification Number"",""EU Social Security Number (SSN) or Equivalent ID"",""Germany Identity Card Number""]",3,,,,,PurviewDataSensitivityLogs,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourcegroups/purview-sentinel-bug-bash/providers/microsoft.purview/accounts/sentinel-bug-bash-southeastasia -d80e74e9-da11-4572-babc-79349f7685cc,"11/1/2021, 4:15:58.523 PM",00000000-0000-0000-0000-000000000000,DataSensitivityLogEvent,72f988bf-86f1-41af-91ab-2d7cd011db47,458b9821-8f00-483f-acf9-ff6ab17332c4,Sentinel-Bug-Bash-SoutheastAsia,southeastasia,AzureBlob-eXR,AzureBlob,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourceGroups/classification-test/providers/Microsoft.Storage/storageAccounts/aipclptest,458b9821-8f00-483f-acf9-ff6ab17332c4,eastus,BugBashTest,,fr-cni.docx,https://aipclptest.blob.core.windows.net/aipscan/HR/fr-cni.docx,File,"2/13/2020, 7:54:12.000 PM","2/13/2020, 7:54:12.000 PM",,"11/1/2021, 4:12:34.922 PM",docx,20795,Classification,System,"[""EU National Identification Number"",""France National ID Card (CNI)""]",2,,,,,PurviewDataSensitivityLogs,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourcegroups/purview-sentinel-bug-bash/providers/microsoft.purview/accounts/sentinel-bug-bash-southeastasia -d80e74e9-da11-4572-babc-79349f7685cc,"11/1/2021, 4:15:58.523 PM",00000000-0000-0000-0000-000000000000,DataSensitivityLogEvent,72f988bf-86f1-41af-91ab-2d7cd011db47,458b9821-8f00-483f-acf9-ff6ab17332c4,Sentinel-Bug-Bash-SoutheastAsia,southeastasia,AzureBlob-eXR,AzureBlob,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourceGroups/classification-test/providers/Microsoft.Storage/storageAccounts/aipclptest,458b9821-8f00-483f-acf9-ff6ab17332c4,eastus,BugBashTest,,fr-cni.docx,https://aipclptest.blob.core.windows.net/aipscan/HR/fr-cni.docx,File,"2/13/2020, 7:54:12.000 PM","2/13/2020, 7:54:12.000 PM",,"11/1/2021, 4:12:34.922 PM",docx,20795,Labeling,External,[],0,f42aa342-8706-4288-bd11-ebb85995028c,General,,,PurviewDataSensitivityLogs,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourcegroups/purview-sentinel-bug-bash/providers/microsoft.purview/accounts/sentinel-bug-bash-southeastasia -d80e74e9-da11-4572-babc-79349f7685cc,"11/1/2021, 4:15:58.524 PM",00000000-0000-0000-0000-000000000000,DataSensitivityLogEvent,72f988bf-86f1-41af-91ab-2d7cd011db47,458b9821-8f00-483f-acf9-ff6ab17332c4,Sentinel-Bug-Bash-SoutheastAsia,southeastasia,AzureBlob-eXR,AzureBlob,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourceGroups/classification-test/providers/Microsoft.Storage/storageAccounts/aipclptest,458b9821-8f00-483f-acf9-ff6ab17332c4,eastus,BugBashTest,,IR.txt,https://aipclptest.blob.core.windows.net/aipscan/HR/IR.txt,File,"2/13/2020, 7:54:12.000 PM","2/13/2020, 7:54:12.000 PM",,"11/1/2021, 4:12:35.110 PM",txt,197,Classification,System,"[""EU National Identification Number"",""EU Tax Identification Number (TIN)"",""Ireland Personal Public Service (PPS) Number""]",3,,,,,PurviewDataSensitivityLogs,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourcegroups/purview-sentinel-bug-bash/providers/microsoft.purview/accounts/sentinel-bug-bash-southeastasia -d80e74e9-da11-4572-babc-79349f7685cc,"11/1/2021, 4:15:58.530 PM",00000000-0000-0000-0000-000000000000,DataSensitivityLogEvent,72f988bf-86f1-41af-91ab-2d7cd011db47,458b9821-8f00-483f-acf9-ff6ab17332c4,Sentinel-Bug-Bash-SoutheastAsia,southeastasia,AzureBlob-eXR,AzureBlob,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourceGroups/classification-test/providers/Microsoft.Storage/storageAccounts/aipclptest,458b9821-8f00-483f-acf9-ff6ab17332c4,eastus,BugBashTest,,fi-pn.docx,https://aipclptest.blob.core.windows.net/aipscan/HR/fi-pn.docx,File,"2/13/2020, 7:54:12.000 PM","2/13/2020, 7:54:12.000 PM",,"11/1/2021, 4:12:36.079 PM",docx,19582,Classification,System,"[""Japan Passport Number""]",1,,,,,PurviewDataSensitivityLogs,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourcegroups/purview-sentinel-bug-bash/providers/microsoft.purview/accounts/sentinel-bug-bash-southeastasia -d80e74e9-da11-4572-babc-79349f7685cc,"11/1/2021, 4:15:58.530 PM",00000000-0000-0000-0000-000000000000,DataSensitivityLogEvent,72f988bf-86f1-41af-91ab-2d7cd011db47,458b9821-8f00-483f-acf9-ff6ab17332c4,Sentinel-Bug-Bash-SoutheastAsia,southeastasia,AzureBlob-eXR,AzureBlob,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourceGroups/classification-test/providers/Microsoft.Storage/storageAccounts/aipclptest,458b9821-8f00-483f-acf9-ff6ab17332c4,eastus,BugBashTest,,fi-pn.docx,https://aipclptest.blob.core.windows.net/aipscan/HR/fi-pn.docx,File,"2/13/2020, 7:54:12.000 PM","2/13/2020, 7:54:12.000 PM",,"11/1/2021, 4:12:36.079 PM",docx,19582,Labeling,External,[],0,f42aa342-8706-4288-bd11-ebb85995028c,General,,,PurviewDataSensitivityLogs,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourcegroups/purview-sentinel-bug-bash/providers/microsoft.purview/accounts/sentinel-bug-bash-southeastasia -d80e74e9-da11-4572-babc-79349f7685cc,"11/1/2021, 4:15:58.530 PM",00000000-0000-0000-0000-000000000000,DataSensitivityLogEvent,72f988bf-86f1-41af-91ab-2d7cd011db47,458b9821-8f00-483f-acf9-ff6ab17332c4,Sentinel-Bug-Bash-SoutheastAsia,southeastasia,AzureBlob-eXR,AzureBlob,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourceGroups/classification-test/providers/Microsoft.Storage/storageAccounts/aipclptest,458b9821-8f00-483f-acf9-ff6ab17332c4,eastus,BugBashTest,,sw-id.docx,https://aipclptest.blob.core.windows.net/aipscan/HR/sw-id.docx,File,"2/13/2020, 7:54:12.000 PM","2/13/2020, 7:54:12.000 PM",,"11/1/2021, 4:12:36.422 PM",docx,20135,Classification,System,"[""EU Social Security Number (SSN) or Equivalent ID"",""EU Tax Identification Number (TIN)""]",2,,,,,PurviewDataSensitivityLogs,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourcegroups/purview-sentinel-bug-bash/providers/microsoft.purview/accounts/sentinel-bug-bash-southeastasia -d80e74e9-da11-4572-babc-79349f7685cc,"11/1/2021, 4:15:58.530 PM",00000000-0000-0000-0000-000000000000,DataSensitivityLogEvent,72f988bf-86f1-41af-91ab-2d7cd011db47,458b9821-8f00-483f-acf9-ff6ab17332c4,Sentinel-Bug-Bash-SoutheastAsia,southeastasia,AzureBlob-eXR,AzureBlob,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourceGroups/classification-test/providers/Microsoft.Storage/storageAccounts/aipclptest,458b9821-8f00-483f-acf9-ff6ab17332c4,eastus,BugBashTest,,sw-id.docx,https://aipclptest.blob.core.windows.net/aipscan/HR/sw-id.docx,File,"2/13/2020, 7:54:12.000 PM","2/13/2020, 7:54:12.000 PM",,"11/1/2021, 4:12:36.422 PM",docx,20135,Labeling,External,[],0,f42aa342-8706-4288-bd11-ebb85995028c,General,,,PurviewDataSensitivityLogs,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourcegroups/purview-sentinel-bug-bash/providers/microsoft.purview/accounts/sentinel-bug-bash-southeastasia -d80e74e9-da11-4572-babc-79349f7685cc,"11/1/2021, 4:15:58.530 PM",00000000-0000-0000-0000-000000000000,DataSensitivityLogEvent,72f988bf-86f1-41af-91ab-2d7cd011db47,458b9821-8f00-483f-acf9-ff6ab17332c4,Sentinel-Bug-Bash-SoutheastAsia,southeastasia,AzureBlob-eXR,AzureBlob,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourceGroups/classification-test/providers/Microsoft.Storage/storageAccounts/aipclptest,458b9821-8f00-483f-acf9-ff6ab17332c4,eastus,BugBashTest,,cr-oib.docx,https://aipclptest.blob.core.windows.net/satintestcontainer/cr-oib.docx,File,"5/12/2021, 6:56:19.000 PM","5/12/2021, 6:56:19.000 PM",,"11/1/2021, 4:12:23.901 PM",docx,26098,Classification,System,"[""EU National Identification Number""]",1,,,,,PurviewDataSensitivityLogs,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourcegroups/purview-sentinel-bug-bash/providers/microsoft.purview/accounts/sentinel-bug-bash-southeastasia -d80e74e9-da11-4572-babc-79349f7685cc,"11/1/2021, 4:15:58.536 PM",00000000-0000-0000-0000-000000000000,DataSensitivityLogEvent,72f988bf-86f1-41af-91ab-2d7cd011db47,458b9821-8f00-483f-acf9-ff6ab17332c4,Sentinel-Bug-Bash-SoutheastAsia,southeastasia,AzureBlob-eXR,AzureBlob,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourceGroups/classification-test/providers/Microsoft.Storage/storageAccounts/aipclptest,458b9821-8f00-483f-acf9-ff6ab17332c4,eastus,BugBashTest,,it-drv.docx,https://aipclptest.blob.core.windows.net/satintestcontainer/it-drv.docx,File,"5/12/2021, 6:56:19.000 PM","5/12/2021, 6:56:19.000 PM",,"11/1/2021, 4:12:23.901 PM",docx,26098,Classification,System,"[""EU Driver's License Number"",""Italy Driver's License Number""]",2,,,,,PurviewDataSensitivityLogs,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourcegroups/purview-sentinel-bug-bash/providers/microsoft.purview/accounts/sentinel-bug-bash-southeastasia -d80e74e9-da11-4572-babc-79349f7685cc,"11/1/2021, 4:15:58.542 PM",00000000-0000-0000-0000-000000000000,DataSensitivityLogEvent,72f988bf-86f1-41af-91ab-2d7cd011db47,458b9821-8f00-483f-acf9-ff6ab17332c4,Sentinel-Bug-Bash-SoutheastAsia,southeastasia,AzureBlob-eXR,AzureBlob,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourceGroups/classification-test/providers/Microsoft.Storage/storageAccounts/aipclptest,458b9821-8f00-483f-acf9-ff6ab17332c4,eastus,BugBashTest,,finland.txt,https://aipclptest.blob.core.windows.net/satintestcontainer/finland.txt,File,"5/12/2021, 6:56:19.000 PM","5/12/2021, 6:56:19.000 PM",,"11/1/2021, 4:12:25.276 PM",txt,89,Classification,System,"[""EU National Identification Number"",""EU Social Security Number (SSN) or Equivalent ID"",""EU Tax Identification Number (TIN)"",""Finland National ID""]",4,,,,,PurviewDataSensitivityLogs,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourcegroups/purview-sentinel-bug-bash/providers/microsoft.purview/accounts/sentinel-bug-bash-southeastasia -d80e74e9-da11-4572-babc-79349f7685cc,"11/1/2021, 4:15:58.549 PM",00000000-0000-0000-0000-000000000000,DataSensitivityLogEvent,72f988bf-86f1-41af-91ab-2d7cd011db47,458b9821-8f00-483f-acf9-ff6ab17332c4,Sentinel-Bug-Bash-SoutheastAsia,southeastasia,AzureBlob-eXR,AzureBlob,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourceGroups/classification-test/providers/Microsoft.Storage/storageAccounts/aipclptest,458b9821-8f00-483f-acf9-ff6ab17332c4,eastus,BugBashTest,,pl-id.docx,https://aipclptest.blob.core.windows.net/aipscan/PII/pl-id.docx,File,"2/13/2020, 7:54:22.000 PM","2/13/2020, 7:54:22.000 PM",,"11/1/2021, 4:12:29.323 PM",docx,18804,Classification,System,"[""EU National Identification Number"",""Poland Identity Card""]",2,,,,,PurviewDataSensitivityLogs,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourcegroups/purview-sentinel-bug-bash/providers/microsoft.purview/accounts/sentinel-bug-bash-southeastasia -d80e74e9-da11-4572-babc-79349f7685cc,"11/1/2021, 4:15:58.549 PM",00000000-0000-0000-0000-000000000000,DataSensitivityLogEvent,72f988bf-86f1-41af-91ab-2d7cd011db47,458b9821-8f00-483f-acf9-ff6ab17332c4,Sentinel-Bug-Bash-SoutheastAsia,southeastasia,AzureBlob-eXR,AzureBlob,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourceGroups/classification-test/providers/Microsoft.Storage/storageAccounts/aipclptest,458b9821-8f00-483f-acf9-ff6ab17332c4,eastus,BugBashTest,,pl-id.docx,https://aipclptest.blob.core.windows.net/aipscan/PII/pl-id.docx,File,"2/13/2020, 7:54:22.000 PM","2/13/2020, 7:54:22.000 PM",,"11/1/2021, 4:12:29.323 PM",docx,18804,Labeling,External,[],0,f42aa342-8706-4288-bd11-ebb85995028c,General,,,PurviewDataSensitivityLogs,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourcegroups/purview-sentinel-bug-bash/providers/microsoft.purview/accounts/sentinel-bug-bash-southeastasia -d80e74e9-da11-4572-babc-79349f7685cc,"11/1/2021, 4:15:58.550 PM",00000000-0000-0000-0000-000000000000,DataSensitivityLogEvent,72f988bf-86f1-41af-91ab-2d7cd011db47,458b9821-8f00-483f-acf9-ff6ab17332c4,Sentinel-Bug-Bash-SoutheastAsia,southeastasia,AzureBlob-eXR,AzureBlob,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourceGroups/classification-test/providers/Microsoft.Storage/storageAccounts/aipclptest,458b9821-8f00-483f-acf9-ff6ab17332c4,eastus,BugBashTest,,Lots of CC.docx,https://aipclptest.blob.core.windows.net/aipscan-open/Lots of CC.docx,File,"12/14/2020, 9:56:32.000 PM","12/14/2020, 9:56:32.000 PM",,"11/1/2021, 4:12:25.760 PM",docx,14132,Classification,System,"[""Credit Card Number""]",1,,,,,PurviewDataSensitivityLogs,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourcegroups/purview-sentinel-bug-bash/providers/microsoft.purview/accounts/sentinel-bug-bash-southeastasia -d80e74e9-da11-4572-babc-79349f7685cc,"11/1/2021, 4:15:58.550 PM",00000000-0000-0000-0000-000000000000,DataSensitivityLogEvent,72f988bf-86f1-41af-91ab-2d7cd011db47,458b9821-8f00-483f-acf9-ff6ab17332c4,Sentinel-Bug-Bash-SoutheastAsia,southeastasia,AzureBlob-eXR,AzureBlob,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourceGroups/classification-test/providers/Microsoft.Storage/storageAccounts/aipclptest,458b9821-8f00-483f-acf9-ff6ab17332c4,eastus,BugBashTest,,Lots of CC.docx,https://aipclptest.blob.core.windows.net/aipscan-open/Lots of CC.docx,File,"12/14/2020, 9:56:32.000 PM","12/14/2020, 9:56:32.000 PM",,"11/1/2021, 4:12:25.760 PM",docx,14132,Labeling,External,[],0,f42aa342-8706-4288-bd11-ebb85995028c,General,,,PurviewDataSensitivityLogs,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourcegroups/purview-sentinel-bug-bash/providers/microsoft.purview/accounts/sentinel-bug-bash-southeastasia -d80e74e9-da11-4572-babc-79349f7685cc,"11/1/2021, 4:15:58.673 PM",00000000-0000-0000-0000-000000000000,DataSensitivityLogEvent,72f988bf-86f1-41af-91ab-2d7cd011db47,458b9821-8f00-483f-acf9-ff6ab17332c4,Sentinel-Bug-Bash-SoutheastAsia,southeastasia,AzureBlob-eXR,AzureBlob,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourceGroups/classification-test/providers/Microsoft.Storage/storageAccounts/aipclptest,458b9821-8f00-483f-acf9-ff6ab17332c4,eastus,BugBashTest,,fr-drv.docx,https://aipclptest.blob.core.windows.net/joselw-test/fr-drv.docx,File,"8/16/2021, 8:56:13.000 PM","8/16/2021, 8:56:13.000 PM",,"11/1/2021, 4:12:25.626 PM",docx,19568,Classification,System,"[""Cyprus Driver's License Number"",""EU Driver's License Number"",""France Driver's License Number"",""Japan Driver's License Number""]",4,,,,,PurviewDataSensitivityLogs,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourcegroups/purview-sentinel-bug-bash/providers/microsoft.purview/accounts/sentinel-bug-bash-southeastasia -d80e74e9-da11-4572-babc-79349f7685cc,"11/1/2021, 4:15:58.680 PM",00000000-0000-0000-0000-000000000000,DataSensitivityLogEvent,72f988bf-86f1-41af-91ab-2d7cd011db47,458b9821-8f00-483f-acf9-ff6ab17332c4,Sentinel-Bug-Bash-SoutheastAsia,southeastasia,AzureBlob-eXR,AzureBlob,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourceGroups/classification-test/providers/Microsoft.Storage/storageAccounts/aipclptest,458b9821-8f00-483f-acf9-ff6ab17332c4,eastus,BugBashTest,,multiple.docx,https://aipclptest.blob.core.windows.net/aipscan/HR/multiple.docx,File,"2/13/2020, 7:54:12.000 PM","2/13/2020, 7:54:12.000 PM",,"11/1/2021, 4:12:34.922 PM",docx,18405,Classification,System,"[""EU National Identification Number"",""EU Social Security Number (SSN) or Equivalent ID"",""EU Tax Identification Number (TIN)"",""Finland National ID"",""Germany Identity Card Number"",""Greece National ID Card"",""Ireland Personal Public Service (PPS) Number""]",7,,,,,PurviewDataSensitivityLogs,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourcegroups/purview-sentinel-bug-bash/providers/microsoft.purview/accounts/sentinel-bug-bash-southeastasia -d80e74e9-da11-4572-babc-79349f7685cc,"11/1/2021, 4:15:58.680 PM",00000000-0000-0000-0000-000000000000,DataSensitivityLogEvent,72f988bf-86f1-41af-91ab-2d7cd011db47,458b9821-8f00-483f-acf9-ff6ab17332c4,Sentinel-Bug-Bash-SoutheastAsia,southeastasia,AzureBlob-eXR,AzureBlob,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourceGroups/classification-test/providers/Microsoft.Storage/storageAccounts/aipclptest,458b9821-8f00-483f-acf9-ff6ab17332c4,eastus,BugBashTest,,multiple.docx,https://aipclptest.blob.core.windows.net/aipscan/HR/multiple.docx,File,"2/13/2020, 7:54:12.000 PM","2/13/2020, 7:54:12.000 PM",,"11/1/2021, 4:12:34.922 PM",docx,18405,Labeling,External,[],0,f42aa342-8706-4288-bd11-ebb85995028c,General,,,PurviewDataSensitivityLogs,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourcegroups/purview-sentinel-bug-bash/providers/microsoft.purview/accounts/sentinel-bug-bash-southeastasia -d80e74e9-da11-4572-babc-79349f7685cc,"11/1/2021, 4:15:58.681 PM",00000000-0000-0000-0000-000000000000,DataSensitivityLogEvent,72f988bf-86f1-41af-91ab-2d7cd011db47,458b9821-8f00-483f-acf9-ff6ab17332c4,Sentinel-Bug-Bash-SoutheastAsia,southeastasia,AzureBlob-eXR,AzureBlob,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourceGroups/classification-test/providers/Microsoft.Storage/storageAccounts/aipclptest,458b9821-8f00-483f-acf9-ff6ab17332c4,eastus,BugBashTest,,fi-id.docx,https://aipclptest.blob.core.windows.net/aipscan/PII/fi-id.docx,File,"2/13/2020, 7:54:22.000 PM","2/13/2020, 7:54:22.000 PM",,"11/1/2021, 4:12:31.625 PM",docx,18792,Classification,System,"[""EU National Identification Number"",""EU Social Security Number (SSN) or Equivalent ID"",""EU Tax Identification Number (TIN)"",""Finland National ID""]",4,,,,,PurviewDataSensitivityLogs,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourcegroups/purview-sentinel-bug-bash/providers/microsoft.purview/accounts/sentinel-bug-bash-southeastasia -d80e74e9-da11-4572-babc-79349f7685cc,"11/1/2021, 4:15:58.681 PM",00000000-0000-0000-0000-000000000000,DataSensitivityLogEvent,72f988bf-86f1-41af-91ab-2d7cd011db47,458b9821-8f00-483f-acf9-ff6ab17332c4,Sentinel-Bug-Bash-SoutheastAsia,southeastasia,AzureBlob-eXR,AzureBlob,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourceGroups/classification-test/providers/Microsoft.Storage/storageAccounts/aipclptest,458b9821-8f00-483f-acf9-ff6ab17332c4,eastus,BugBashTest,,fi-id.docx,https://aipclptest.blob.core.windows.net/aipscan/PII/fi-id.docx,File,"2/13/2020, 7:54:22.000 PM","2/13/2020, 7:54:22.000 PM",,"11/1/2021, 4:12:31.625 PM",docx,18792,Labeling,External,[],0,f42aa342-8706-4288-bd11-ebb85995028c,General,,,PurviewDataSensitivityLogs,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourcegroups/purview-sentinel-bug-bash/providers/microsoft.purview/accounts/sentinel-bug-bash-southeastasia -d80e74e9-da11-4572-babc-79349f7685cc,"11/1/2021, 4:15:58.681 PM",00000000-0000-0000-0000-000000000000,DataSensitivityLogEvent,72f988bf-86f1-41af-91ab-2d7cd011db47,458b9821-8f00-483f-acf9-ff6ab17332c4,Sentinel-Bug-Bash-SoutheastAsia,southeastasia,AzureBlob-eXR,AzureBlob,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourceGroups/classification-test/providers/Microsoft.Storage/storageAccounts/aipclptest,458b9821-8f00-483f-acf9-ff6ab17332c4,eastus,BugBashTest,,Customers data2017.docx,https://aipclptest.blob.core.windows.net/aipscan/CustomerData/Customers data2017.docx,File,"2/13/2020, 7:53:51.000 PM","2/13/2020, 7:53:51.000 PM",,"11/1/2021, 4:12:26.276 PM",docx,12295,Classification,System,"[""Belgium Driver's License Number"",""Credit Card Number"",""EU Debit Card Number"",""EU Driver's License Number"",""EU National Identification Number"",""EU Social Security Number (SSN) or Equivalent ID"",""German Driver's License Number"",""Germany Identity Card Number"",""Greece National ID Card""]",9,,,,,PurviewDataSensitivityLogs,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourcegroups/purview-sentinel-bug-bash/providers/microsoft.purview/accounts/sentinel-bug-bash-southeastasia -d80e74e9-da11-4572-babc-79349f7685cc,"11/1/2021, 4:15:58.689 PM",00000000-0000-0000-0000-000000000000,DataSensitivityLogEvent,72f988bf-86f1-41af-91ab-2d7cd011db47,458b9821-8f00-483f-acf9-ff6ab17332c4,Sentinel-Bug-Bash-SoutheastAsia,southeastasia,AzureBlob-eXR,AzureBlob,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourceGroups/classification-test/providers/Microsoft.Storage/storageAccounts/aipclptest,458b9821-8f00-483f-acf9-ff6ab17332c4,eastus,BugBashTest,,pr-id.docx,https://aipclptest.blob.core.windows.net/joselw-test/pr-id.docx,File,"8/16/2021, 8:56:13.000 PM","8/16/2021, 8:56:13.000 PM",,"11/1/2021, 4:12:25.626 PM",docx,19590,Classification,System,"[""EU National Identification Number""]",1,,,,,PurviewDataSensitivityLogs,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourcegroups/purview-sentinel-bug-bash/providers/microsoft.purview/accounts/sentinel-bug-bash-southeastasia -d80e74e9-da11-4572-babc-79349f7685cc,"11/1/2021, 4:15:58.697 PM",00000000-0000-0000-0000-000000000000,DataSensitivityLogEvent,72f988bf-86f1-41af-91ab-2d7cd011db47,458b9821-8f00-483f-acf9-ff6ab17332c4,Sentinel-Bug-Bash-SoutheastAsia,southeastasia,AzureBlob-eXR,AzureBlob,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourceGroups/classification-test/providers/Microsoft.Storage/storageAccounts/aipclptest,458b9821-8f00-483f-acf9-ff6ab17332c4,eastus,BugBashTest,,de-id.docx,https://aipclptest.blob.core.windows.net/aipscan/PII/de-id.docx,File,"2/13/2020, 7:54:22.000 PM","2/13/2020, 7:54:22.000 PM",,"11/1/2021, 4:12:30.604 PM",docx,23407,Classification,System,"[""EU National Identification Number"",""Germany Identity Card Number""]",2,,,,,PurviewDataSensitivityLogs,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourcegroups/purview-sentinel-bug-bash/providers/microsoft.purview/accounts/sentinel-bug-bash-southeastasia -d80e74e9-da11-4572-babc-79349f7685cc,"11/1/2021, 4:15:58.698 PM",00000000-0000-0000-0000-000000000000,DataSensitivityLogEvent,72f988bf-86f1-41af-91ab-2d7cd011db47,458b9821-8f00-483f-acf9-ff6ab17332c4,Sentinel-Bug-Bash-SoutheastAsia,southeastasia,AzureBlob-eXR,AzureBlob,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourceGroups/classification-test/providers/Microsoft.Storage/storageAccounts/aipclptest,458b9821-8f00-483f-acf9-ff6ab17332c4,eastus,BugBashTest,,de-id.docx,https://aipclptest.blob.core.windows.net/aipscan/PII/de-id.docx,File,"2/13/2020, 7:54:22.000 PM","2/13/2020, 7:54:22.000 PM",,"11/1/2021, 4:12:30.604 PM",docx,23407,Labeling,External,[],0,f42aa342-8706-4288-bd11-ebb85995028c,General,,,PurviewDataSensitivityLogs,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourcegroups/purview-sentinel-bug-bash/providers/microsoft.purview/accounts/sentinel-bug-bash-southeastasia -d80e74e9-da11-4572-babc-79349f7685cc,"11/1/2021, 4:15:58.698 PM",00000000-0000-0000-0000-000000000000,DataSensitivityLogEvent,72f988bf-86f1-41af-91ab-2d7cd011db47,458b9821-8f00-483f-acf9-ff6ab17332c4,Sentinel-Bug-Bash-SoutheastAsia,southeastasia,AzureBlob-eXR,AzureBlob,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourceGroups/classification-test/providers/Microsoft.Storage/storageAccounts/aipclptest,458b9821-8f00-483f-acf9-ff6ab17332c4,eastus,BugBashTest,,sw-pn.docx,https://aipclptest.blob.core.windows.net/aipscan/PII/sw-pn.docx,File,"2/13/2020, 7:54:22.000 PM","2/13/2020, 7:54:22.000 PM",,"11/1/2021, 4:12:30.370 PM",docx,18784,Classification,System,"[""EU Passport Number"",""Sweden Passport Number""]",2,,,,,PurviewDataSensitivityLogs,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourcegroups/purview-sentinel-bug-bash/providers/microsoft.purview/accounts/sentinel-bug-bash-southeastasia -d80e74e9-da11-4572-babc-79349f7685cc,"11/1/2021, 4:15:58.698 PM",00000000-0000-0000-0000-000000000000,DataSensitivityLogEvent,72f988bf-86f1-41af-91ab-2d7cd011db47,458b9821-8f00-483f-acf9-ff6ab17332c4,Sentinel-Bug-Bash-SoutheastAsia,southeastasia,AzureBlob-eXR,AzureBlob,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourceGroups/classification-test/providers/Microsoft.Storage/storageAccounts/aipclptest,458b9821-8f00-483f-acf9-ff6ab17332c4,eastus,BugBashTest,,sw-pn.docx,https://aipclptest.blob.core.windows.net/aipscan/PII/sw-pn.docx,File,"2/13/2020, 7:54:22.000 PM","2/13/2020, 7:54:22.000 PM",,"11/1/2021, 4:12:30.370 PM",docx,18784,Labeling,External,[],0,f42aa342-8706-4288-bd11-ebb85995028c,General,,,PurviewDataSensitivityLogs,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourcegroups/purview-sentinel-bug-bash/providers/microsoft.purview/accounts/sentinel-bug-bash-southeastasia -d80e74e9-da11-4572-babc-79349f7685cc,"11/1/2021, 4:15:58.698 PM",00000000-0000-0000-0000-000000000000,DataSensitivityLogEvent,72f988bf-86f1-41af-91ab-2d7cd011db47,458b9821-8f00-483f-acf9-ff6ab17332c4,Sentinel-Bug-Bash-SoutheastAsia,southeastasia,AzureBlob-eXR,AzureBlob,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourceGroups/classification-test/providers/Microsoft.Storage/storageAccounts/aipclptest,458b9821-8f00-483f-acf9-ff6ab17332c4,eastus,BugBashTest,,germany.txt,https://aipclptest.blob.core.windows.net/joselw-test/germany.txt,File,"8/16/2021, 8:56:13.000 PM","8/16/2021, 8:56:13.000 PM",,"11/1/2021, 4:12:30.006 PM",txt,42,Classification,System,"[""EU National Identification Number"",""EU Social Security Number (SSN) or Equivalent ID"",""Germany Identity Card Number""]",3,,,,,PurviewDataSensitivityLogs,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourcegroups/purview-sentinel-bug-bash/providers/microsoft.purview/accounts/sentinel-bug-bash-southeastasia -d80e74e9-da11-4572-babc-79349f7685cc,"11/1/2021, 4:15:58.704 PM",00000000-0000-0000-0000-000000000000,DataSensitivityLogEvent,72f988bf-86f1-41af-91ab-2d7cd011db47,458b9821-8f00-483f-acf9-ff6ab17332c4,Sentinel-Bug-Bash-SoutheastAsia,southeastasia,AzureBlob-eXR,AzureBlob,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourceGroups/classification-test/providers/Microsoft.Storage/storageAccounts/aipclptest,458b9821-8f00-483f-acf9-ff6ab17332c4,eastus,BugBashTest,,el-id.docx,https://aipclptest.blob.core.windows.net/joselw-test/el-id.docx,File,"8/16/2021, 8:56:14.000 PM","8/16/2021, 8:56:14.000 PM",,"11/1/2021, 4:12:25.626 PM",docx,19644,Classification,System,"[""EU National Identification Number"",""Greece National ID Card""]",2,,,,,PurviewDataSensitivityLogs,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourcegroups/purview-sentinel-bug-bash/providers/microsoft.purview/accounts/sentinel-bug-bash-southeastasia -d80e74e9-da11-4572-babc-79349f7685cc,"11/1/2021, 4:15:58.711 PM",00000000-0000-0000-0000-000000000000,DataSensitivityLogEvent,72f988bf-86f1-41af-91ab-2d7cd011db47,458b9821-8f00-483f-acf9-ff6ab17332c4,Sentinel-Bug-Bash-SoutheastAsia,southeastasia,AzureBlob-eXR,AzureBlob,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourceGroups/classification-test/providers/Microsoft.Storage/storageAccounts/aipclptest,458b9821-8f00-483f-acf9-ff6ab17332c4,eastus,BugBashTest,,fr-drv.docx,https://aipclptest.blob.core.windows.net/aipscan/HR/fr-drv.docx,File,"2/13/2020, 7:54:12.000 PM","2/13/2020, 7:54:12.000 PM",,"11/1/2021, 4:12:35.907 PM",docx,20154,Classification,System,"[""Cyprus Driver's License Number"",""EU Driver's License Number"",""France Driver's License Number"",""Japan Driver's License Number""]",4,,,,,PurviewDataSensitivityLogs,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourcegroups/purview-sentinel-bug-bash/providers/microsoft.purview/accounts/sentinel-bug-bash-southeastasia -d80e74e9-da11-4572-babc-79349f7685cc,"11/1/2021, 4:15:58.712 PM",00000000-0000-0000-0000-000000000000,DataSensitivityLogEvent,72f988bf-86f1-41af-91ab-2d7cd011db47,458b9821-8f00-483f-acf9-ff6ab17332c4,Sentinel-Bug-Bash-SoutheastAsia,southeastasia,AzureBlob-eXR,AzureBlob,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourceGroups/classification-test/providers/Microsoft.Storage/storageAccounts/aipclptest,458b9821-8f00-483f-acf9-ff6ab17332c4,eastus,BugBashTest,,fr-drv.docx,https://aipclptest.blob.core.windows.net/aipscan/HR/fr-drv.docx,File,"2/13/2020, 7:54:12.000 PM","2/13/2020, 7:54:12.000 PM",,"11/1/2021, 4:12:35.907 PM",docx,20154,Labeling,External,[],0,f42aa342-8706-4288-bd11-ebb85995028c,General,,,PurviewDataSensitivityLogs,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourcegroups/purview-sentinel-bug-bash/providers/microsoft.purview/accounts/sentinel-bug-bash-southeastasia -d80e74e9-da11-4572-babc-79349f7685cc,"11/1/2021, 4:15:58.712 PM",00000000-0000-0000-0000-000000000000,DataSensitivityLogEvent,72f988bf-86f1-41af-91ab-2d7cd011db47,458b9821-8f00-483f-acf9-ff6ab17332c4,Sentinel-Bug-Bash-SoutheastAsia,southeastasia,AzureBlob-eXR,AzureBlob,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourceGroups/classification-test/providers/Microsoft.Storage/storageAccounts/aipclptest,458b9821-8f00-483f-acf9-ff6ab17332c4,eastus,BugBashTest,,finland.txt,https://aipclptest.blob.core.windows.net/joselw-test/finland.txt,File,"8/16/2021, 8:56:14.000 PM","8/16/2021, 8:56:14.000 PM",,"11/1/2021, 4:12:25.626 PM",txt,89,Classification,System,"[""EU National Identification Number"",""EU Social Security Number (SSN) or Equivalent ID"",""EU Tax Identification Number (TIN)"",""Finland National ID""]",4,,,,,PurviewDataSensitivityLogs,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourcegroups/purview-sentinel-bug-bash/providers/microsoft.purview/accounts/sentinel-bug-bash-southeastasia -d80e74e9-da11-4572-babc-79349f7685cc,"11/1/2021, 4:15:58.863 PM",00000000-0000-0000-0000-000000000000,DataSensitivityLogEvent,72f988bf-86f1-41af-91ab-2d7cd011db47,458b9821-8f00-483f-acf9-ff6ab17332c4,Sentinel-Bug-Bash-SoutheastAsia,southeastasia,AzureBlob-eXR,AzureBlob,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourceGroups/classification-test/providers/Microsoft.Storage/storageAccounts/aipclptest,458b9821-8f00-483f-acf9-ff6ab17332c4,eastus,BugBashTest,,fi-id.docx,https://aipclptest.blob.core.windows.net/joselw-test/fi-id.docx,File,"8/16/2021, 8:56:14.000 PM","8/16/2021, 8:56:14.000 PM",,"11/1/2021, 4:12:28.814 PM",docx,19603,Classification,System,"[""EU National Identification Number"",""EU Social Security Number (SSN) or Equivalent ID"",""EU Tax Identification Number (TIN)"",""Finland National ID""]",4,,,,,PurviewDataSensitivityLogs,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourcegroups/purview-sentinel-bug-bash/providers/microsoft.purview/accounts/sentinel-bug-bash-southeastasia -d80e74e9-da11-4572-babc-79349f7685cc,"11/1/2021, 4:15:58.871 PM",00000000-0000-0000-0000-000000000000,DataSensitivityLogEvent,72f988bf-86f1-41af-91ab-2d7cd011db47,458b9821-8f00-483f-acf9-ff6ab17332c4,Sentinel-Bug-Bash-SoutheastAsia,southeastasia,AzureBlob-eXR,AzureBlob,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourceGroups/classification-test/providers/Microsoft.Storage/storageAccounts/aipclptest,458b9821-8f00-483f-acf9-ff6ab17332c4,eastus,BugBashTest,,EL.txt,https://aipclptest.blob.core.windows.net/joselw-test/EL.txt,File,"8/16/2021, 8:56:14.000 PM","8/16/2021, 8:56:14.000 PM",,"11/1/2021, 4:12:28.298 PM",txt,200,Classification,System,"[""EU National Identification Number"",""Greece National ID Card""]",2,,,,,PurviewDataSensitivityLogs,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourcegroups/purview-sentinel-bug-bash/providers/microsoft.purview/accounts/sentinel-bug-bash-southeastasia -d80e74e9-da11-4572-babc-79349f7685cc,"11/1/2021, 4:15:58.878 PM",00000000-0000-0000-0000-000000000000,DataSensitivityLogEvent,72f988bf-86f1-41af-91ab-2d7cd011db47,458b9821-8f00-483f-acf9-ff6ab17332c4,Sentinel-Bug-Bash-SoutheastAsia,southeastasia,AzureBlob-eXR,AzureBlob,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourceGroups/classification-test/providers/Microsoft.Storage/storageAccounts/aipclptest,458b9821-8f00-483f-acf9-ff6ab17332c4,eastus,BugBashTest,,fr-insee.docx,https://aipclptest.blob.core.windows.net/aipscan/HR/fr-insee.docx,File,"2/13/2020, 7:54:12.000 PM","2/13/2020, 7:54:12.000 PM",,"11/1/2021, 4:12:35.876 PM",docx,21329,Classification,System,"[""EU Social Security Number (SSN) or Equivalent ID"",""France Social Security Number (INSEE)""]",2,,,,,PurviewDataSensitivityLogs,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourcegroups/purview-sentinel-bug-bash/providers/microsoft.purview/accounts/sentinel-bug-bash-southeastasia -d80e74e9-da11-4572-babc-79349f7685cc,"11/1/2021, 4:15:58.878 PM",00000000-0000-0000-0000-000000000000,DataSensitivityLogEvent,72f988bf-86f1-41af-91ab-2d7cd011db47,458b9821-8f00-483f-acf9-ff6ab17332c4,Sentinel-Bug-Bash-SoutheastAsia,southeastasia,AzureBlob-eXR,AzureBlob,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourceGroups/classification-test/providers/Microsoft.Storage/storageAccounts/aipclptest,458b9821-8f00-483f-acf9-ff6ab17332c4,eastus,BugBashTest,,fr-insee.docx,https://aipclptest.blob.core.windows.net/aipscan/HR/fr-insee.docx,File,"2/13/2020, 7:54:12.000 PM","2/13/2020, 7:54:12.000 PM",,"11/1/2021, 4:12:35.876 PM",docx,21329,Labeling,External,[],0,f42aa342-8706-4288-bd11-ebb85995028c,General,,,PurviewDataSensitivityLogs,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourcegroups/purview-sentinel-bug-bash/providers/microsoft.purview/accounts/sentinel-bug-bash-southeastasia -d80e74e9-da11-4572-babc-79349f7685cc,"11/1/2021, 4:15:58.878 PM",00000000-0000-0000-0000-000000000000,DataSensitivityLogEvent,72f988bf-86f1-41af-91ab-2d7cd011db47,458b9821-8f00-483f-acf9-ff6ab17332c4,Sentinel-Bug-Bash-SoutheastAsia,southeastasia,AzureBlob-eXR,AzureBlob,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourceGroups/classification-test/providers/Microsoft.Storage/storageAccounts/aipclptest,458b9821-8f00-483f-acf9-ff6ab17332c4,eastus,BugBashTest,,de-drv.docx,https://aipclptest.blob.core.windows.net/joselw-test/de-drv.docx,File,"8/16/2021, 8:56:14.000 PM","8/16/2021, 8:56:14.000 PM",,"11/1/2021, 4:12:27.048 PM",docx,18787,Classification,System,"[""EU Driver's License Number"",""German Driver's License Number""]",2,,,,,PurviewDataSensitivityLogs,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourcegroups/purview-sentinel-bug-bash/providers/microsoft.purview/accounts/sentinel-bug-bash-southeastasia -d80e74e9-da11-4572-babc-79349f7685cc,"11/1/2021, 4:15:58.878 PM",00000000-0000-0000-0000-000000000000,DataSensitivityLogEvent,72f988bf-86f1-41af-91ab-2d7cd011db47,458b9821-8f00-483f-acf9-ff6ab17332c4,Sentinel-Bug-Bash-SoutheastAsia,southeastasia,AzureBlob-eXR,AzureBlob,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourceGroups/classification-test/providers/Microsoft.Storage/storageAccounts/aipclptest,458b9821-8f00-483f-acf9-ff6ab17332c4,eastus,BugBashTest,,de-drv.docx,https://aipclptest.blob.core.windows.net/joselw-test/de-drv.docx,File,"8/16/2021, 8:56:14.000 PM","8/16/2021, 8:56:14.000 PM",,"11/1/2021, 4:12:27.048 PM",docx,18787,Labeling,External,[],0,f42aa342-8706-4288-bd11-ebb85995028c,General,,,PurviewDataSensitivityLogs,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourcegroups/purview-sentinel-bug-bash/providers/microsoft.purview/accounts/sentinel-bug-bash-southeastasia -d80e74e9-da11-4572-babc-79349f7685cc,"11/1/2021, 4:15:58.878 PM",00000000-0000-0000-0000-000000000000,DataSensitivityLogEvent,72f988bf-86f1-41af-91ab-2d7cd011db47,458b9821-8f00-483f-acf9-ff6ab17332c4,Sentinel-Bug-Bash-SoutheastAsia,southeastasia,AzureBlob-eXR,AzureBlob,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourceGroups/classification-test/providers/Microsoft.Storage/storageAccounts/aipclptest,458b9821-8f00-483f-acf9-ff6ab17332c4,eastus,BugBashTest,,de-id.docx,https://aipclptest.blob.core.windows.net/joselw-test/de-id.docx,File,"8/16/2021, 8:56:14.000 PM","8/16/2021, 8:56:14.000 PM",,"11/1/2021, 4:12:28.079 PM",docx,23407,Classification,System,"[""EU National Identification Number"",""Germany Identity Card Number""]",2,,,,,PurviewDataSensitivityLogs,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourcegroups/purview-sentinel-bug-bash/providers/microsoft.purview/accounts/sentinel-bug-bash-southeastasia -d80e74e9-da11-4572-babc-79349f7685cc,"11/1/2021, 4:15:58.879 PM",00000000-0000-0000-0000-000000000000,DataSensitivityLogEvent,72f988bf-86f1-41af-91ab-2d7cd011db47,458b9821-8f00-483f-acf9-ff6ab17332c4,Sentinel-Bug-Bash-SoutheastAsia,southeastasia,AzureBlob-eXR,AzureBlob,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourceGroups/classification-test/providers/Microsoft.Storage/storageAccounts/aipclptest,458b9821-8f00-483f-acf9-ff6ab17332c4,eastus,BugBashTest,,de-id.docx,https://aipclptest.blob.core.windows.net/joselw-test/de-id.docx,File,"8/16/2021, 8:56:14.000 PM","8/16/2021, 8:56:14.000 PM",,"11/1/2021, 4:12:28.079 PM",docx,23407,Labeling,External,[],0,f42aa342-8706-4288-bd11-ebb85995028c,General,,,PurviewDataSensitivityLogs,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourcegroups/purview-sentinel-bug-bash/providers/microsoft.purview/accounts/sentinel-bug-bash-southeastasia -d80e74e9-da11-4572-babc-79349f7685cc,"11/1/2021, 4:15:58.959 PM",00000000-0000-0000-0000-000000000000,DataSensitivityLogEvent,72f988bf-86f1-41af-91ab-2d7cd011db47,458b9821-8f00-483f-acf9-ff6ab17332c4,Sentinel-Bug-Bash-SoutheastAsia,southeastasia,AzureBlob-eXR,AzureBlob,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourceGroups/classification-test/providers/Microsoft.Storage/storageAccounts/aipclptest,458b9821-8f00-483f-acf9-ff6ab17332c4,eastus,BugBashTest,,uk-pn.docx,https://aipclptest.blob.core.windows.net/aipscan-open/uk-pn.docx,File,"12/10/2020, 5:58:29.000 PM","12/10/2020, 5:58:29.000 PM",,"11/1/2021, 4:12:25.760 PM",docx,26383,Labeling,Default,[],0,9fbde396-1a24-4c79-8edf-9254a0f35055,Confidential\Microsoft Extended,,,PurviewDataSensitivityLogs,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourcegroups/purview-sentinel-bug-bash/providers/microsoft.purview/accounts/sentinel-bug-bash-southeastasia -d80e74e9-da11-4572-babc-79349f7685cc,"11/1/2021, 4:15:58.980 PM",00000000-0000-0000-0000-000000000000,DataSensitivityLogEvent,72f988bf-86f1-41af-91ab-2d7cd011db47,458b9821-8f00-483f-acf9-ff6ab17332c4,Sentinel-Bug-Bash-SoutheastAsia,southeastasia,AzureBlob-eXR,AzureBlob,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourceGroups/classification-test/providers/Microsoft.Storage/storageAccounts/aipclptest,458b9821-8f00-483f-acf9-ff6ab17332c4,eastus,BugBashTest,,Customers data2015.docx,https://aipclptest.blob.core.windows.net/satintestcontainer/Customers data2015.docx,File,"6/17/2021, 3:18:46.000 AM","6/17/2021, 3:18:46.000 AM",,"11/1/2021, 4:12:23.870 PM",docx,11141,Labeling,Default,[],0,9fbde396-1a24-4c79-8edf-9254a0f35055,Confidential\Microsoft Extended,,,PurviewDataSensitivityLogs,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourcegroups/purview-sentinel-bug-bash/providers/microsoft.purview/accounts/sentinel-bug-bash-southeastasia -d80e74e9-da11-4572-babc-79349f7685cc,"11/1/2021, 4:15:58.999 PM",00000000-0000-0000-0000-000000000000,DataSensitivityLogEvent,72f988bf-86f1-41af-91ab-2d7cd011db47,458b9821-8f00-483f-acf9-ff6ab17332c4,Sentinel-Bug-Bash-SoutheastAsia,southeastasia,AzureBlob-eXR,AzureBlob,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourceGroups/classification-test/providers/Microsoft.Storage/storageAccounts/aipclptest,458b9821-8f00-483f-acf9-ff6ab17332c4,eastus,BugBashTest,,it-drv.docx,https://aipclptest.blob.core.windows.net/joselw-test/it-drv.docx,File,"8/16/2021, 8:56:13.000 PM","8/16/2021, 8:56:13.000 PM",,"11/1/2021, 4:12:25.626 PM",docx,19572,Classification,System,"[""EU Driver's License Number"",""Italy Driver's License Number""]",2,,,,,PurviewDataSensitivityLogs,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourcegroups/purview-sentinel-bug-bash/providers/microsoft.purview/accounts/sentinel-bug-bash-southeastasia -d80e74e9-da11-4572-babc-79349f7685cc,"11/1/2021, 4:15:59.000 PM",00000000-0000-0000-0000-000000000000,DataSensitivityLogEvent,72f988bf-86f1-41af-91ab-2d7cd011db47,458b9821-8f00-483f-acf9-ff6ab17332c4,Sentinel-Bug-Bash-SoutheastAsia,southeastasia,AzureBlob-eXR,AzureBlob,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourceGroups/classification-test/providers/Microsoft.Storage/storageAccounts/aipclptest,458b9821-8f00-483f-acf9-ff6ab17332c4,eastus,BugBashTest,,Acme Background Check-Katana.doc,https://aipclptest.blob.core.windows.net/aipscan/Acme Background Check-Katana.doc,File,"7/20/2020, 11:17:52.000 PM","8/12/2020, 10:48:18.000 PM",,"11/1/2021, 4:12:18.151 PM",doc,90624,Labeling,Default,[],0,9fbde396-1a24-4c79-8edf-9254a0f35055,Confidential\Microsoft Extended,,,PurviewDataSensitivityLogs,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourcegroups/purview-sentinel-bug-bash/providers/microsoft.purview/accounts/sentinel-bug-bash-southeastasia -d80e74e9-da11-4572-babc-79349f7685cc,"11/1/2021, 4:15:59.008 PM",00000000-0000-0000-0000-000000000000,DataSensitivityLogEvent,72f988bf-86f1-41af-91ab-2d7cd011db47,458b9821-8f00-483f-acf9-ff6ab17332c4,Sentinel-Bug-Bash-SoutheastAsia,southeastasia,AzureBlob-eXR,AzureBlob,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourceGroups/classification-test/providers/Microsoft.Storage/storageAccounts/aipclptest,458b9821-8f00-483f-acf9-ff6ab17332c4,eastus,BugBashTest,,ir-pps.docx,https://aipclptest.blob.core.windows.net/joselw-test/ir-pps.docx,File,"8/16/2021, 8:56:13.000 PM","8/16/2021, 8:56:13.000 PM",,"11/1/2021, 4:12:26.876 PM",docx,19439,Classification,System,"[""EU National Identification Number"",""EU Tax Identification Number (TIN)"",""Ireland Personal Public Service (PPS) Number""]",3,,,,,PurviewDataSensitivityLogs,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourcegroups/purview-sentinel-bug-bash/providers/microsoft.purview/accounts/sentinel-bug-bash-southeastasia -d80e74e9-da11-4572-babc-79349f7685cc,"11/1/2021, 4:15:59.015 PM",00000000-0000-0000-0000-000000000000,DataSensitivityLogEvent,72f988bf-86f1-41af-91ab-2d7cd011db47,458b9821-8f00-483f-acf9-ff6ab17332c4,Sentinel-Bug-Bash-SoutheastAsia,southeastasia,AzureBlob-eXR,AzureBlob,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourceGroups/classification-test/providers/Microsoft.Storage/storageAccounts/aipclptest,458b9821-8f00-483f-acf9-ff6ab17332c4,eastus,BugBashTest,,cz.txt,https://aipclptest.blob.core.windows.net/aipscan/PII/cz.txt,File,"2/13/2020, 7:54:22.000 PM","2/13/2020, 7:54:22.000 PM",,"11/1/2021, 4:12:32.610 PM",txt,124,Classification,System,"[""EU National Identification Number"",""EU Social Security Number (SSN) or Equivalent ID""]",2,,,,,PurviewDataSensitivityLogs,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourcegroups/purview-sentinel-bug-bash/providers/microsoft.purview/accounts/sentinel-bug-bash-southeastasia -d80e74e9-da11-4572-babc-79349f7685cc,"11/1/2021, 4:15:59.021 PM",00000000-0000-0000-0000-000000000000,DataSensitivityLogEvent,72f988bf-86f1-41af-91ab-2d7cd011db47,458b9821-8f00-483f-acf9-ff6ab17332c4,Sentinel-Bug-Bash-SoutheastAsia,southeastasia,AzureBlob-eXR,AzureBlob,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourceGroups/classification-test/providers/Microsoft.Storage/storageAccounts/aipclptest,458b9821-8f00-483f-acf9-ff6ab17332c4,eastus,BugBashTest,,dk-id.docx,https://aipclptest.blob.core.windows.net/aipscan/HR/dk-id.docx,File,"2/13/2020, 7:54:12.000 PM","2/13/2020, 7:54:12.000 PM",,"11/1/2021, 4:12:33.829 PM",docx,20162,Classification,System,"[""Denmark Personal Identification Number"",""EU National Identification Number"",""EU Social Security Number (SSN) or Equivalent ID"",""EU Tax Identification Number (TIN)""]",4,,,,,PurviewDataSensitivityLogs,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourcegroups/purview-sentinel-bug-bash/providers/microsoft.purview/accounts/sentinel-bug-bash-southeastasia -d80e74e9-da11-4572-babc-79349f7685cc,"11/1/2021, 4:15:59.021 PM",00000000-0000-0000-0000-000000000000,DataSensitivityLogEvent,72f988bf-86f1-41af-91ab-2d7cd011db47,458b9821-8f00-483f-acf9-ff6ab17332c4,Sentinel-Bug-Bash-SoutheastAsia,southeastasia,AzureBlob-eXR,AzureBlob,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourceGroups/classification-test/providers/Microsoft.Storage/storageAccounts/aipclptest,458b9821-8f00-483f-acf9-ff6ab17332c4,eastus,BugBashTest,,dk-id.docx,https://aipclptest.blob.core.windows.net/aipscan/HR/dk-id.docx,File,"2/13/2020, 7:54:12.000 PM","2/13/2020, 7:54:12.000 PM",,"11/1/2021, 4:12:33.829 PM",docx,20162,Labeling,External,[],0,f42aa342-8706-4288-bd11-ebb85995028c,General,,,PurviewDataSensitivityLogs,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourcegroups/purview-sentinel-bug-bash/providers/microsoft.purview/accounts/sentinel-bug-bash-southeastasia -d80e74e9-da11-4572-babc-79349f7685cc,"11/1/2021, 4:15:59.138 PM",00000000-0000-0000-0000-000000000000,DataSensitivityLogEvent,72f988bf-86f1-41af-91ab-2d7cd011db47,458b9821-8f00-483f-acf9-ff6ab17332c4,Sentinel-Bug-Bash-SoutheastAsia,southeastasia,AzureBlob-eXR,AzureBlob,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourceGroups/classification-test/providers/Microsoft.Storage/storageAccounts/aipclptest,458b9821-8f00-483f-acf9-ff6ab17332c4,eastus,BugBashTest,,cz.txt,https://aipclptest.blob.core.windows.net/joselw-test/cz.txt,File,"8/16/2021, 8:56:14.000 PM","8/16/2021, 8:56:14.000 PM",,"11/1/2021, 4:12:25.579 PM",txt,124,Classification,System,"[""EU National Identification Number"",""EU Social Security Number (SSN) or Equivalent ID""]",2,,,,,PurviewDataSensitivityLogs,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourcegroups/purview-sentinel-bug-bash/providers/microsoft.purview/accounts/sentinel-bug-bash-southeastasia -d80e74e9-da11-4572-babc-79349f7685cc,"11/1/2021, 4:15:59.147 PM",00000000-0000-0000-0000-000000000000,DataSensitivityLogEvent,72f988bf-86f1-41af-91ab-2d7cd011db47,458b9821-8f00-483f-acf9-ff6ab17332c4,Sentinel-Bug-Bash-SoutheastAsia,southeastasia,AzureBlob-eXR,AzureBlob,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourceGroups/classification-test/providers/Microsoft.Storage/storageAccounts/aipclptest,458b9821-8f00-483f-acf9-ff6ab17332c4,eastus,BugBashTest,,sw-id.docx,https://aipclptest.blob.core.windows.net/joselw-test/sw-id.docx,File,"8/16/2021, 8:56:13.000 PM","8/16/2021, 8:56:13.000 PM",,"11/1/2021, 4:12:25.610 PM",docx,19549,Classification,System,"[""EU Social Security Number (SSN) or Equivalent ID"",""EU Tax Identification Number (TIN)""]",2,,,,,PurviewDataSensitivityLogs,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourcegroups/purview-sentinel-bug-bash/providers/microsoft.purview/accounts/sentinel-bug-bash-southeastasia -d80e74e9-da11-4572-babc-79349f7685cc,"11/1/2021, 4:15:59.154 PM",00000000-0000-0000-0000-000000000000,DataSensitivityLogEvent,72f988bf-86f1-41af-91ab-2d7cd011db47,458b9821-8f00-483f-acf9-ff6ab17332c4,Sentinel-Bug-Bash-SoutheastAsia,southeastasia,AzureBlob-eXR,AzureBlob,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourceGroups/classification-test/providers/Microsoft.Storage/storageAccounts/aipclptest,458b9821-8f00-483f-acf9-ff6ab17332c4,eastus,BugBashTest,,sw-pn.docx,https://aipclptest.blob.core.windows.net/joselw-test/sw-pn.docx,File,"8/16/2021, 8:56:13.000 PM","8/16/2021, 8:56:13.000 PM",,"11/1/2021, 4:12:25.626 PM",docx,19044,Classification,System,"[""EU Passport Number"",""Sweden Passport Number""]",2,,,,,PurviewDataSensitivityLogs,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourcegroups/purview-sentinel-bug-bash/providers/microsoft.purview/accounts/sentinel-bug-bash-southeastasia -d80e74e9-da11-4572-babc-79349f7685cc,"11/1/2021, 4:15:59.638 PM",00000000-0000-0000-0000-000000000000,DataSensitivityLogEvent,72f988bf-86f1-41af-91ab-2d7cd011db47,458b9821-8f00-483f-acf9-ff6ab17332c4,Sentinel-Bug-Bash-SoutheastAsia,southeastasia,AzureBlob-eXR,AzureBlob,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourceGroups/classification-test/providers/Microsoft.Storage/storageAccounts/aipclptest,458b9821-8f00-483f-acf9-ff6ab17332c4,eastus,BugBashTest,,denmark.txt,https://aipclptest.blob.core.windows.net/aipscan/PII/denmark.txt,File,"2/13/2020, 7:54:22.000 PM","2/13/2020, 7:54:22.000 PM",,"11/1/2021, 4:12:28.807 PM",txt,128,Labeling,Default,[],0,9fbde396-1a24-4c79-8edf-9254a0f35055,Confidential\Microsoft Extended,,,PurviewDataSensitivityLogs,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourcegroups/purview-sentinel-bug-bash/providers/microsoft.purview/accounts/sentinel-bug-bash-southeastasia -d80e74e9-da11-4572-babc-79349f7685cc,"11/1/2021, 4:15:59.703 PM",00000000-0000-0000-0000-000000000000,DataSensitivityLogEvent,72f988bf-86f1-41af-91ab-2d7cd011db47,458b9821-8f00-483f-acf9-ff6ab17332c4,Sentinel-Bug-Bash-SoutheastAsia,southeastasia,AzureBlob-eXR,AzureBlob,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourceGroups/classification-test/providers/Microsoft.Storage/storageAccounts/aipclptest,458b9821-8f00-483f-acf9-ff6ab17332c4,eastus,BugBashTest,,EL.txt,https://aipclptest.blob.core.windows.net/aipscan/PII/EL.txt,File,"2/13/2020, 7:54:22.000 PM","2/13/2020, 7:54:22.000 PM",,"11/1/2021, 4:12:30.573 PM",txt,200,Labeling,Default,[],0,9fbde396-1a24-4c79-8edf-9254a0f35055,Confidential\Microsoft Extended,,,PurviewDataSensitivityLogs,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourcegroups/purview-sentinel-bug-bash/providers/microsoft.purview/accounts/sentinel-bug-bash-southeastasia -d80e74e9-da11-4572-babc-79349f7685cc,"11/1/2021, 4:15:59.716 PM",00000000-0000-0000-0000-000000000000,DataSensitivityLogEvent,72f988bf-86f1-41af-91ab-2d7cd011db47,458b9821-8f00-483f-acf9-ff6ab17332c4,Sentinel-Bug-Bash-SoutheastAsia,southeastasia,AzureBlob-eXR,AzureBlob,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourceGroups/classification-test/providers/Microsoft.Storage/storageAccounts/aipclptest,458b9821-8f00-483f-acf9-ff6ab17332c4,eastus,BugBashTest,,fr-insee.docx,https://aipclptest.blob.core.windows.net/aipscan/PII/fr-insee.docx,File,"2/13/2020, 7:54:22.000 PM","2/13/2020, 7:54:22.000 PM",,"11/1/2021, 4:12:28.839 PM",docx,20294,Classification,System,"[""EU Social Security Number (SSN) or Equivalent ID"",""France Social Security Number (INSEE)""]",2,,,,,PurviewDataSensitivityLogs,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourcegroups/purview-sentinel-bug-bash/providers/microsoft.purview/accounts/sentinel-bug-bash-southeastasia -d80e74e9-da11-4572-babc-79349f7685cc,"11/1/2021, 4:15:59.716 PM",00000000-0000-0000-0000-000000000000,DataSensitivityLogEvent,72f988bf-86f1-41af-91ab-2d7cd011db47,458b9821-8f00-483f-acf9-ff6ab17332c4,Sentinel-Bug-Bash-SoutheastAsia,southeastasia,AzureBlob-eXR,AzureBlob,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourceGroups/classification-test/providers/Microsoft.Storage/storageAccounts/aipclptest,458b9821-8f00-483f-acf9-ff6ab17332c4,eastus,BugBashTest,,fr-insee.docx,https://aipclptest.blob.core.windows.net/aipscan/PII/fr-insee.docx,File,"2/13/2020, 7:54:22.000 PM","2/13/2020, 7:54:22.000 PM",,"11/1/2021, 4:12:28.839 PM",docx,20294,Labeling,External,[],0,f42aa342-8706-4288-bd11-ebb85995028c,General,,,PurviewDataSensitivityLogs,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourcegroups/purview-sentinel-bug-bash/providers/microsoft.purview/accounts/sentinel-bug-bash-southeastasia -d80e74e9-da11-4572-babc-79349f7685cc,"11/1/2021, 4:15:59.739 PM",00000000-0000-0000-0000-000000000000,DataSensitivityLogEvent,72f988bf-86f1-41af-91ab-2d7cd011db47,458b9821-8f00-483f-acf9-ff6ab17332c4,Sentinel-Bug-Bash-SoutheastAsia,southeastasia,AzureBlob-eXR,AzureBlob,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourceGroups/classification-test/providers/Microsoft.Storage/storageAccounts/aipclptest,458b9821-8f00-483f-acf9-ff6ab17332c4,eastus,BugBashTest,,EL.txt,https://aipclptest.blob.core.windows.net/satintestcontainer/EL.txt,File,"5/12/2021, 6:56:19.000 PM","5/12/2021, 6:56:19.000 PM",,"11/1/2021, 4:12:23.854 PM",txt,200,Labeling,Default,[],0,9fbde396-1a24-4c79-8edf-9254a0f35055,Confidential\Microsoft Extended,,,PurviewDataSensitivityLogs,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourcegroups/purview-sentinel-bug-bash/providers/microsoft.purview/accounts/sentinel-bug-bash-southeastasia -d80e74e9-da11-4572-babc-79349f7685cc,"11/1/2021, 4:15:59.740 PM",00000000-0000-0000-0000-000000000000,DataSensitivityLogEvent,72f988bf-86f1-41af-91ab-2d7cd011db47,458b9821-8f00-483f-acf9-ff6ab17332c4,Sentinel-Bug-Bash-SoutheastAsia,southeastasia,AzureBlob-eXR,AzureBlob,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourceGroups/classification-test/providers/Microsoft.Storage/storageAccounts/aipclptest,458b9821-8f00-483f-acf9-ff6ab17332c4,eastus,BugBashTest,,germany.txt,https://aipclptest.blob.core.windows.net/satintestcontainer/germany.txt,File,"5/12/2021, 6:56:19.000 PM","5/12/2021, 6:56:19.000 PM",,"11/1/2021, 4:12:23.885 PM",txt,42,Labeling,Default,[],0,9fbde396-1a24-4c79-8edf-9254a0f35055,Confidential\Microsoft Extended,,,PurviewDataSensitivityLogs,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourcegroups/purview-sentinel-bug-bash/providers/microsoft.purview/accounts/sentinel-bug-bash-southeastasia -d80e74e9-da11-4572-babc-79349f7685cc,"11/1/2021, 4:15:59.761 PM",00000000-0000-0000-0000-000000000000,DataSensitivityLogEvent,72f988bf-86f1-41af-91ab-2d7cd011db47,458b9821-8f00-483f-acf9-ff6ab17332c4,Sentinel-Bug-Bash-SoutheastAsia,southeastasia,AzureBlob-eXR,AzureBlob,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourceGroups/classification-test/providers/Microsoft.Storage/storageAccounts/aipclptest,458b9821-8f00-483f-acf9-ff6ab17332c4,eastus,BugBashTest,,de-id.docx,https://aipclptest.blob.core.windows.net/satintestcontainer/de-id.docx,File,"5/12/2021, 6:56:20.000 PM","5/12/2021, 6:56:20.000 PM",,"11/1/2021, 4:12:25.073 PM",docx,25558,Labeling,Default,[],0,9fbde396-1a24-4c79-8edf-9254a0f35055,Confidential\Microsoft Extended,,,PurviewDataSensitivityLogs,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourcegroups/purview-sentinel-bug-bash/providers/microsoft.purview/accounts/sentinel-bug-bash-southeastasia -d80e74e9-da11-4572-babc-79349f7685cc,"11/1/2021, 4:15:59.784 PM",00000000-0000-0000-0000-000000000000,DataSensitivityLogEvent,72f988bf-86f1-41af-91ab-2d7cd011db47,458b9821-8f00-483f-acf9-ff6ab17332c4,Sentinel-Bug-Bash-SoutheastAsia,southeastasia,AzureBlob-eXR,AzureBlob,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourceGroups/classification-test/providers/Microsoft.Storage/storageAccounts/aipclptest,458b9821-8f00-483f-acf9-ff6ab17332c4,eastus,BugBashTest,,germany.txt,https://aipclptest.blob.core.windows.net/aipscan-open/germany.txt,File,"12/10/2020, 5:58:29.000 PM","12/10/2020, 5:58:29.000 PM",,"11/1/2021, 4:12:25.729 PM",txt,42,Labeling,Default,[],0,9fbde396-1a24-4c79-8edf-9254a0f35055,Confidential\Microsoft Extended,,,PurviewDataSensitivityLogs,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourcegroups/purview-sentinel-bug-bash/providers/microsoft.purview/accounts/sentinel-bug-bash-southeastasia -d80e74e9-da11-4572-babc-79349f7685cc,"11/1/2021, 4:15:59.785 PM",00000000-0000-0000-0000-000000000000,DataSensitivityLogEvent,72f988bf-86f1-41af-91ab-2d7cd011db47,458b9821-8f00-483f-acf9-ff6ab17332c4,Sentinel-Bug-Bash-SoutheastAsia,southeastasia,AzureBlob-eXR,AzureBlob,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourceGroups/classification-test/providers/Microsoft.Storage/storageAccounts/aipclptest,458b9821-8f00-483f-acf9-ff6ab17332c4,eastus,BugBashTest,,multiple.docx,https://aipclptest.blob.core.windows.net/satintestcontainer/multiple.docx,File,"5/12/2021, 6:56:20.000 PM","5/12/2021, 6:56:20.000 PM",,"11/1/2021, 4:12:24.588 PM",docx,24336,Labeling,Default,[],0,9fbde396-1a24-4c79-8edf-9254a0f35055,Confidential\Microsoft Extended,,,PurviewDataSensitivityLogs,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourcegroups/purview-sentinel-bug-bash/providers/microsoft.purview/accounts/sentinel-bug-bash-southeastasia -d80e74e9-da11-4572-babc-79349f7685cc,"11/1/2021, 4:15:59.833 PM",00000000-0000-0000-0000-000000000000,DataSensitivityLogEvent,72f988bf-86f1-41af-91ab-2d7cd011db47,458b9821-8f00-483f-acf9-ff6ab17332c4,Sentinel-Bug-Bash-SoutheastAsia,southeastasia,AzureBlob-eXR,AzureBlob,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourceGroups/classification-test/providers/Microsoft.Storage/storageAccounts/aipclptest,458b9821-8f00-483f-acf9-ff6ab17332c4,eastus,BugBashTest,,EL.txt,https://aipclptest.blob.core.windows.net/joselw-test/EL.txt,File,"8/16/2021, 8:56:14.000 PM","8/16/2021, 8:56:14.000 PM",,"11/1/2021, 4:12:28.298 PM",txt,200,Labeling,Default,[],0,9fbde396-1a24-4c79-8edf-9254a0f35055,Confidential\Microsoft Extended,,,PurviewDataSensitivityLogs,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourcegroups/purview-sentinel-bug-bash/providers/microsoft.purview/accounts/sentinel-bug-bash-southeastasia -d80e74e9-da11-4572-babc-79349f7685cc,"11/1/2021, 4:15:59.844 PM",00000000-0000-0000-0000-000000000000,DataSensitivityLogEvent,72f988bf-86f1-41af-91ab-2d7cd011db47,458b9821-8f00-483f-acf9-ff6ab17332c4,Sentinel-Bug-Bash-SoutheastAsia,southeastasia,AzureBlob-eXR,AzureBlob,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourceGroups/classification-test/providers/Microsoft.Storage/storageAccounts/aipclptest,458b9821-8f00-483f-acf9-ff6ab17332c4,eastus,BugBashTest,,fr-cni-pdf.pdf,https://aipclptest.blob.core.windows.net/aipscan/PII/fr-cni-pdf.pdf,File,"2/13/2020, 7:54:22.000 PM","2/13/2020, 7:54:22.000 PM",,"11/1/2021, 4:12:32.625 PM",pdf,331074,Classification,System,"[""EU National Identification Number"",""France National ID Card (CNI)""]",2,,,,,PurviewDataSensitivityLogs,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourcegroups/purview-sentinel-bug-bash/providers/microsoft.purview/accounts/sentinel-bug-bash-southeastasia -d80e74e9-da11-4572-babc-79349f7685cc,"11/1/2021, 4:15:59.844 PM",00000000-0000-0000-0000-000000000000,DataSensitivityLogEvent,72f988bf-86f1-41af-91ab-2d7cd011db47,458b9821-8f00-483f-acf9-ff6ab17332c4,Sentinel-Bug-Bash-SoutheastAsia,southeastasia,AzureBlob-eXR,AzureBlob,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourceGroups/classification-test/providers/Microsoft.Storage/storageAccounts/aipclptest,458b9821-8f00-483f-acf9-ff6ab17332c4,eastus,BugBashTest,,fr-cni-pdf.pdf,https://aipclptest.blob.core.windows.net/aipscan/PII/fr-cni-pdf.pdf,File,"2/13/2020, 7:54:22.000 PM","2/13/2020, 7:54:22.000 PM",,"11/1/2021, 4:12:32.625 PM",pdf,331074,Labeling,External,[],0,f42aa342-8706-4288-bd11-ebb85995028c,General,,,PurviewDataSensitivityLogs,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourcegroups/purview-sentinel-bug-bash/providers/microsoft.purview/accounts/sentinel-bug-bash-southeastasia -d80e74e9-da11-4572-babc-79349f7685cc,"11/1/2021, 4:15:59.845 PM",00000000-0000-0000-0000-000000000000,DataSensitivityLogEvent,72f988bf-86f1-41af-91ab-2d7cd011db47,458b9821-8f00-483f-acf9-ff6ab17332c4,Sentinel-Bug-Bash-SoutheastAsia,southeastasia,AzureBlob-eXR,AzureBlob,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourceGroups/classification-test/providers/Microsoft.Storage/storageAccounts/aipclptest,458b9821-8f00-483f-acf9-ff6ab17332c4,eastus,BugBashTest,,fr-cni.docx,https://aipclptest.blob.core.windows.net/joselw-test/fr-cni.docx,File,"8/16/2021, 8:56:14.000 PM","8/16/2021, 8:56:14.000 PM",,"11/1/2021, 4:12:30.771 PM",docx,20854,Classification,System,"[""EU National Identification Number"",""France National ID Card (CNI)""]",2,,,,,PurviewDataSensitivityLogs,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourcegroups/purview-sentinel-bug-bash/providers/microsoft.purview/accounts/sentinel-bug-bash-southeastasia -d80e74e9-da11-4572-babc-79349f7685cc,"11/1/2021, 4:15:59.845 PM",00000000-0000-0000-0000-000000000000,DataSensitivityLogEvent,72f988bf-86f1-41af-91ab-2d7cd011db47,458b9821-8f00-483f-acf9-ff6ab17332c4,Sentinel-Bug-Bash-SoutheastAsia,southeastasia,AzureBlob-eXR,AzureBlob,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourceGroups/classification-test/providers/Microsoft.Storage/storageAccounts/aipclptest,458b9821-8f00-483f-acf9-ff6ab17332c4,eastus,BugBashTest,,fr-cni.docx,https://aipclptest.blob.core.windows.net/joselw-test/fr-cni.docx,File,"8/16/2021, 8:56:14.000 PM","8/16/2021, 8:56:14.000 PM",,"11/1/2021, 4:12:30.771 PM",docx,20854,Labeling,External,[],0,f42aa342-8706-4288-bd11-ebb85995028c,General,,,PurviewDataSensitivityLogs,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourcegroups/purview-sentinel-bug-bash/providers/microsoft.purview/accounts/sentinel-bug-bash-southeastasia -d80e74e9-da11-4572-babc-79349f7685cc,"11/1/2021, 4:15:59.845 PM",00000000-0000-0000-0000-000000000000,DataSensitivityLogEvent,72f988bf-86f1-41af-91ab-2d7cd011db47,458b9821-8f00-483f-acf9-ff6ab17332c4,Sentinel-Bug-Bash-SoutheastAsia,southeastasia,AzureBlob-eXR,AzureBlob,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourceGroups/classification-test/providers/Microsoft.Storage/storageAccounts/aipclptest,458b9821-8f00-483f-acf9-ff6ab17332c4,eastus,BugBashTest,,fr-insee.docx,https://aipclptest.blob.core.windows.net/joselw-test/fr-insee.docx,File,"8/16/2021, 8:56:13.000 PM","8/16/2021, 8:56:13.000 PM",,"11/1/2021, 4:12:30.787 PM",docx,19735,Classification,System,"[""EU Social Security Number (SSN) or Equivalent ID"",""France Social Security Number (INSEE)""]",2,,,,,PurviewDataSensitivityLogs,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourcegroups/purview-sentinel-bug-bash/providers/microsoft.purview/accounts/sentinel-bug-bash-southeastasia -d80e74e9-da11-4572-babc-79349f7685cc,"11/1/2021, 4:15:59.853 PM",00000000-0000-0000-0000-000000000000,DataSensitivityLogEvent,72f988bf-86f1-41af-91ab-2d7cd011db47,458b9821-8f00-483f-acf9-ff6ab17332c4,Sentinel-Bug-Bash-SoutheastAsia,southeastasia,AzureBlob-eXR,AzureBlob,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourceGroups/classification-test/providers/Microsoft.Storage/storageAccounts/aipclptest,458b9821-8f00-483f-acf9-ff6ab17332c4,eastus,BugBashTest,,cr-oib.docx,https://aipclptest.blob.core.windows.net/joselw-test/cr-oib.docx,File,"8/16/2021, 8:56:14.000 PM","8/16/2021, 8:56:14.000 PM",,"11/1/2021, 4:12:28.017 PM",docx,18746,Classification,System,"[""EU National Identification Number""]",1,,,,,PurviewDataSensitivityLogs,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourcegroups/purview-sentinel-bug-bash/providers/microsoft.purview/accounts/sentinel-bug-bash-southeastasia -d80e74e9-da11-4572-babc-79349f7685cc,"11/1/2021, 4:15:59.853 PM",00000000-0000-0000-0000-000000000000,DataSensitivityLogEvent,72f988bf-86f1-41af-91ab-2d7cd011db47,458b9821-8f00-483f-acf9-ff6ab17332c4,Sentinel-Bug-Bash-SoutheastAsia,southeastasia,AzureBlob-eXR,AzureBlob,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourceGroups/classification-test/providers/Microsoft.Storage/storageAccounts/aipclptest,458b9821-8f00-483f-acf9-ff6ab17332c4,eastus,BugBashTest,,cr-oib.docx,https://aipclptest.blob.core.windows.net/joselw-test/cr-oib.docx,File,"8/16/2021, 8:56:14.000 PM","8/16/2021, 8:56:14.000 PM",,"11/1/2021, 4:12:28.017 PM",docx,18746,Labeling,External,[],0,f42aa342-8706-4288-bd11-ebb85995028c,General,,,PurviewDataSensitivityLogs,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourcegroups/purview-sentinel-bug-bash/providers/microsoft.purview/accounts/sentinel-bug-bash-southeastasia -d80e74e9-da11-4572-babc-79349f7685cc,"11/1/2021, 4:15:59.853 PM",00000000-0000-0000-0000-000000000000,DataSensitivityLogEvent,72f988bf-86f1-41af-91ab-2d7cd011db47,458b9821-8f00-483f-acf9-ff6ab17332c4,Sentinel-Bug-Bash-SoutheastAsia,southeastasia,AzureBlob-eXR,AzureBlob,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourceGroups/classification-test/providers/Microsoft.Storage/storageAccounts/aipclptest,458b9821-8f00-483f-acf9-ff6ab17332c4,eastus,BugBashTest,,denmark.txt,https://aipclptest.blob.core.windows.net/joselw-test/denmark.txt,File,"8/16/2021, 8:56:14.000 PM","8/16/2021, 8:56:14.000 PM",,"11/1/2021, 4:12:28.001 PM",txt,128,Classification,System,"[""EU National Identification Number""]",1,,,,,PurviewDataSensitivityLogs,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourcegroups/purview-sentinel-bug-bash/providers/microsoft.purview/accounts/sentinel-bug-bash-southeastasia -d80e74e9-da11-4572-babc-79349f7685cc,"11/1/2021, 4:15:59.859 PM",00000000-0000-0000-0000-000000000000,DataSensitivityLogEvent,72f988bf-86f1-41af-91ab-2d7cd011db47,458b9821-8f00-483f-acf9-ff6ab17332c4,Sentinel-Bug-Bash-SoutheastAsia,southeastasia,AzureBlob-eXR,AzureBlob,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourceGroups/classification-test/providers/Microsoft.Storage/storageAccounts/aipclptest,458b9821-8f00-483f-acf9-ff6ab17332c4,eastus,BugBashTest,,it-drv.docx,https://aipclptest.blob.core.windows.net/aipscan/PII/it-drv.docx,File,"2/13/2020, 7:54:22.000 PM","2/13/2020, 7:54:22.000 PM",,"11/1/2021, 4:12:30.370 PM",docx,18766,Classification,System,"[""EU Driver's License Number"",""Italy Driver's License Number""]",2,,,,,PurviewDataSensitivityLogs,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourcegroups/purview-sentinel-bug-bash/providers/microsoft.purview/accounts/sentinel-bug-bash-southeastasia -d80e74e9-da11-4572-babc-79349f7685cc,"11/1/2021, 4:15:59.859 PM",00000000-0000-0000-0000-000000000000,DataSensitivityLogEvent,72f988bf-86f1-41af-91ab-2d7cd011db47,458b9821-8f00-483f-acf9-ff6ab17332c4,Sentinel-Bug-Bash-SoutheastAsia,southeastasia,AzureBlob-eXR,AzureBlob,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourceGroups/classification-test/providers/Microsoft.Storage/storageAccounts/aipclptest,458b9821-8f00-483f-acf9-ff6ab17332c4,eastus,BugBashTest,,it-drv.docx,https://aipclptest.blob.core.windows.net/aipscan/PII/it-drv.docx,File,"2/13/2020, 7:54:22.000 PM","2/13/2020, 7:54:22.000 PM",,"11/1/2021, 4:12:30.370 PM",docx,18766,Labeling,External,[],0,f42aa342-8706-4288-bd11-ebb85995028c,General,,,PurviewDataSensitivityLogs,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourcegroups/purview-sentinel-bug-bash/providers/microsoft.purview/accounts/sentinel-bug-bash-southeastasia -d80e74e9-da11-4572-babc-79349f7685cc,"11/1/2021, 4:15:59.859 PM",00000000-0000-0000-0000-000000000000,DataSensitivityLogEvent,72f988bf-86f1-41af-91ab-2d7cd011db47,458b9821-8f00-483f-acf9-ff6ab17332c4,Sentinel-Bug-Bash-SoutheastAsia,southeastasia,AzureBlob-eXR,AzureBlob,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourceGroups/classification-test/providers/Microsoft.Storage/storageAccounts/aipclptest,458b9821-8f00-483f-acf9-ff6ab17332c4,eastus,BugBashTest,,uk-roll.docx,https://aipclptest.blob.core.windows.net/joselw-test/uk-roll.docx,File,"8/16/2021, 8:56:13.000 PM","8/16/2021, 8:56:13.000 PM",,"11/1/2021, 4:12:27.329 PM",docx,18989,Classification,System,"[""U.K. Electoral Roll Number""]",1,,,,,PurviewDataSensitivityLogs,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourcegroups/purview-sentinel-bug-bash/providers/microsoft.purview/accounts/sentinel-bug-bash-southeastasia -d80e74e9-da11-4572-babc-79349f7685cc,"11/1/2021, 4:15:59.862 PM",00000000-0000-0000-0000-000000000000,DataSensitivityLogEvent,72f988bf-86f1-41af-91ab-2d7cd011db47,458b9821-8f00-483f-acf9-ff6ab17332c4,Sentinel-Bug-Bash-SoutheastAsia,southeastasia,AzureBlob-eXR,AzureBlob,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourceGroups/classification-test/providers/Microsoft.Storage/storageAccounts/aipclptest,458b9821-8f00-483f-acf9-ff6ab17332c4,eastus,BugBashTest,,Customers data2016.docx,https://aipclptest.blob.core.windows.net/aipscan/CustomerData/Customers data2016.docx,File,"2/13/2020, 7:53:51.000 PM","2/13/2020, 7:53:51.000 PM",,"11/1/2021, 4:12:26.229 PM",docx,11916,Labeling,Default,[],0,9fbde396-1a24-4c79-8edf-9254a0f35055,Confidential\Microsoft Extended,,,PurviewDataSensitivityLogs,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourcegroups/purview-sentinel-bug-bash/providers/microsoft.purview/accounts/sentinel-bug-bash-southeastasia -d80e74e9-da11-4572-babc-79349f7685cc,"11/1/2021, 4:15:59.864 PM",00000000-0000-0000-0000-000000000000,DataSensitivityLogEvent,72f988bf-86f1-41af-91ab-2d7cd011db47,458b9821-8f00-483f-acf9-ff6ab17332c4,Sentinel-Bug-Bash-SoutheastAsia,southeastasia,AzureBlob-eXR,AzureBlob,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourceGroups/classification-test/providers/Microsoft.Storage/storageAccounts/aipclptest,458b9821-8f00-483f-acf9-ff6ab17332c4,eastus,BugBashTest,,cz.txt,https://aipclptest.blob.core.windows.net/aipscan/PII/cz.txt,File,"2/13/2020, 7:54:22.000 PM","2/13/2020, 7:54:22.000 PM",,"11/1/2021, 4:12:32.610 PM",txt,124,Labeling,Default,[],0,9fbde396-1a24-4c79-8edf-9254a0f35055,Confidential\Microsoft Extended,,,PurviewDataSensitivityLogs,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourcegroups/purview-sentinel-bug-bash/providers/microsoft.purview/accounts/sentinel-bug-bash-southeastasia -d80e74e9-da11-4572-babc-79349f7685cc,"11/1/2021, 4:15:59.865 PM",00000000-0000-0000-0000-000000000000,DataSensitivityLogEvent,72f988bf-86f1-41af-91ab-2d7cd011db47,458b9821-8f00-483f-acf9-ff6ab17332c4,Sentinel-Bug-Bash-SoutheastAsia,southeastasia,AzureBlob-eXR,AzureBlob,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourceGroups/classification-test/providers/Microsoft.Storage/storageAccounts/aipclptest,458b9821-8f00-483f-acf9-ff6ab17332c4,eastus,BugBashTest,,germany.txt,https://aipclptest.blob.core.windows.net/aipscan/PII/germany.txt,File,"2/13/2020, 7:54:22.000 PM","2/13/2020, 7:54:22.000 PM",,"11/1/2021, 4:12:31.110 PM",txt,42,Labeling,Default,[],0,9fbde396-1a24-4c79-8edf-9254a0f35055,Confidential\Microsoft Extended,,,PurviewDataSensitivityLogs,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourcegroups/purview-sentinel-bug-bash/providers/microsoft.purview/accounts/sentinel-bug-bash-southeastasia -d80e74e9-da11-4572-babc-79349f7685cc,"11/1/2021, 4:15:59.876 PM",00000000-0000-0000-0000-000000000000,DataSensitivityLogEvent,72f988bf-86f1-41af-91ab-2d7cd011db47,458b9821-8f00-483f-acf9-ff6ab17332c4,Sentinel-Bug-Bash-SoutheastAsia,southeastasia,AzureBlob-eXR,AzureBlob,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourceGroups/classification-test/providers/Microsoft.Storage/storageAccounts/aipclptest,458b9821-8f00-483f-acf9-ff6ab17332c4,eastus,BugBashTest,,IR.txt,https://aipclptest.blob.core.windows.net/aipscan/PII/IR.txt,File,"2/13/2020, 7:54:22.000 PM","2/13/2020, 7:54:22.000 PM",,"11/1/2021, 4:12:31.110 PM",txt,197,Labeling,Default,[],0,9fbde396-1a24-4c79-8edf-9254a0f35055,Confidential\Microsoft Extended,,,PurviewDataSensitivityLogs,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourcegroups/purview-sentinel-bug-bash/providers/microsoft.purview/accounts/sentinel-bug-bash-southeastasia -d80e74e9-da11-4572-babc-79349f7685cc,"11/1/2021, 4:15:59.883 PM",00000000-0000-0000-0000-000000000000,DataSensitivityLogEvent,72f988bf-86f1-41af-91ab-2d7cd011db47,458b9821-8f00-483f-acf9-ff6ab17332c4,Sentinel-Bug-Bash-SoutheastAsia,southeastasia,AzureBlob-eXR,AzureBlob,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourceGroups/classification-test/providers/Microsoft.Storage/storageAccounts/aipclptest,458b9821-8f00-483f-acf9-ff6ab17332c4,eastus,BugBashTest,,uk-nino.docx,https://aipclptest.blob.core.windows.net/aipscan-open/uk-nino.docx,File,"12/10/2020, 5:58:29.000 PM","12/10/2020, 5:58:29.000 PM",,"11/1/2021, 4:12:25.948 PM",docx,26184,Labeling,Default,[],0,9fbde396-1a24-4c79-8edf-9254a0f35055,Confidential\Microsoft Extended,,,PurviewDataSensitivityLogs,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourcegroups/purview-sentinel-bug-bash/providers/microsoft.purview/accounts/sentinel-bug-bash-southeastasia -d80e74e9-da11-4572-babc-79349f7685cc,"11/1/2021, 4:15:59.892 PM",00000000-0000-0000-0000-000000000000,DataSensitivityLogEvent,72f988bf-86f1-41af-91ab-2d7cd011db47,458b9821-8f00-483f-acf9-ff6ab17332c4,Sentinel-Bug-Bash-SoutheastAsia,southeastasia,AzureBlob-eXR,AzureBlob,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourceGroups/classification-test/providers/Microsoft.Storage/storageAccounts/aipclptest,458b9821-8f00-483f-acf9-ff6ab17332c4,eastus,BugBashTest,,it-drv.docx,https://aipclptest.blob.core.windows.net/joselw-test/it-drv.docx,File,"8/16/2021, 8:56:13.000 PM","8/16/2021, 8:56:13.000 PM",,"11/1/2021, 4:12:25.626 PM",docx,19572,Labeling,Default,[],0,9fbde396-1a24-4c79-8edf-9254a0f35055,Confidential\Microsoft Extended,,,PurviewDataSensitivityLogs,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourcegroups/purview-sentinel-bug-bash/providers/microsoft.purview/accounts/sentinel-bug-bash-southeastasia -d80e74e9-da11-4572-babc-79349f7685cc,"11/1/2021, 4:15:59.948 PM",00000000-0000-0000-0000-000000000000,DataSensitivityLogEvent,72f988bf-86f1-41af-91ab-2d7cd011db47,458b9821-8f00-483f-acf9-ff6ab17332c4,Sentinel-Bug-Bash-SoutheastAsia,southeastasia,AzureBlob-eXR,AzureBlob,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourceGroups/classification-test/providers/Microsoft.Storage/storageAccounts/aipclptest,458b9821-8f00-483f-acf9-ff6ab17332c4,eastus,BugBashTest,,germany.txt,https://aipclptest.blob.core.windows.net/aipscan/HR/germany.txt,File,"2/13/2020, 7:54:12.000 PM","2/13/2020, 7:54:12.000 PM",,"11/1/2021, 4:12:35.704 PM",txt,42,Labeling,Default,[],0,9fbde396-1a24-4c79-8edf-9254a0f35055,Confidential\Microsoft Extended,,,PurviewDataSensitivityLogs,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourcegroups/purview-sentinel-bug-bash/providers/microsoft.purview/accounts/sentinel-bug-bash-southeastasia -d80e74e9-da11-4572-babc-79349f7685cc,"11/1/2021, 4:15:59.953 PM",00000000-0000-0000-0000-000000000000,DataSensitivityLogEvent,72f988bf-86f1-41af-91ab-2d7cd011db47,458b9821-8f00-483f-acf9-ff6ab17332c4,Sentinel-Bug-Bash-SoutheastAsia,southeastasia,AzureBlob-eXR,AzureBlob,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourceGroups/classification-test/providers/Microsoft.Storage/storageAccounts/aipclptest,458b9821-8f00-483f-acf9-ff6ab17332c4,eastus,BugBashTest,,Customers data2015.docx,https://aipclptest.blob.core.windows.net/aipscan/CustomerData/Customers data2015.docx,File,"2/13/2020, 7:53:51.000 PM","2/13/2020, 7:53:51.000 PM",,"11/1/2021, 4:12:26.198 PM",docx,11141,Labeling,Default,[],0,9fbde396-1a24-4c79-8edf-9254a0f35055,Confidential\Microsoft Extended,,,PurviewDataSensitivityLogs,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourcegroups/purview-sentinel-bug-bash/providers/microsoft.purview/accounts/sentinel-bug-bash-southeastasia -d80e74e9-da11-4572-babc-79349f7685cc,"11/1/2021, 4:15:59.988 PM",00000000-0000-0000-0000-000000000000,DataSensitivityLogEvent,72f988bf-86f1-41af-91ab-2d7cd011db47,458b9821-8f00-483f-acf9-ff6ab17332c4,Sentinel-Bug-Bash-SoutheastAsia,southeastasia,AzureBlob-eXR,AzureBlob,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourceGroups/classification-test/providers/Microsoft.Storage/storageAccounts/aipclptest,458b9821-8f00-483f-acf9-ff6ab17332c4,eastus,BugBashTest,,multiple.docx,https://aipclptest.blob.core.windows.net/joselw-test/multiple.docx,File,"8/16/2021, 8:56:13.000 PM","8/16/2021, 8:56:13.000 PM",,"11/1/2021, 4:12:26.860 PM",docx,17817,Classification,System,"[""EU National Identification Number"",""EU Social Security Number (SSN) or Equivalent ID"",""EU Tax Identification Number (TIN)"",""Finland National ID"",""Germany Identity Card Number"",""Greece National ID Card"",""Ireland Personal Public Service (PPS) Number""]",7,,,,,PurviewDataSensitivityLogs,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourcegroups/purview-sentinel-bug-bash/providers/microsoft.purview/accounts/sentinel-bug-bash-southeastasia -d80e74e9-da11-4572-babc-79349f7685cc,"11/1/2021, 4:15:59.994 PM",00000000-0000-0000-0000-000000000000,DataSensitivityLogEvent,72f988bf-86f1-41af-91ab-2d7cd011db47,458b9821-8f00-483f-acf9-ff6ab17332c4,Sentinel-Bug-Bash-SoutheastAsia,southeastasia,AzureBlob-eXR,AzureBlob,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourceGroups/classification-test/providers/Microsoft.Storage/storageAccounts/aipclptest,458b9821-8f00-483f-acf9-ff6ab17332c4,eastus,BugBashTest,,Acme Request for Time Off-Katana.doc,https://aipclptest.blob.core.windows.net/aipscan/CredScan/Acme Request for Time Off-Katana.doc,File,"2/13/2020, 7:53:38.000 PM","2/13/2020, 7:53:38.000 PM",,"11/1/2021, 4:12:46.857 PM",doc,39936,Classification,System,"[""U.S. Social Security Number (SSN)""]",1,,,,,PurviewDataSensitivityLogs,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourcegroups/purview-sentinel-bug-bash/providers/microsoft.purview/accounts/sentinel-bug-bash-southeastasia -d80e74e9-da11-4572-babc-79349f7685cc,"11/1/2021, 4:15:59.995 PM",00000000-0000-0000-0000-000000000000,DataSensitivityLogEvent,72f988bf-86f1-41af-91ab-2d7cd011db47,458b9821-8f00-483f-acf9-ff6ab17332c4,Sentinel-Bug-Bash-SoutheastAsia,southeastasia,AzureBlob-eXR,AzureBlob,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourceGroups/classification-test/providers/Microsoft.Storage/storageAccounts/aipclptest,458b9821-8f00-483f-acf9-ff6ab17332c4,eastus,BugBashTest,,finland.txt,https://aipclptest.blob.core.windows.net/aipscan/PII/finland.txt,File,"2/13/2020, 7:54:22.000 PM","2/13/2020, 7:54:22.000 PM",,"11/1/2021, 4:12:29.292 PM",txt,89,Labeling,Default,[],0,9fbde396-1a24-4c79-8edf-9254a0f35055,Confidential\Microsoft Extended,,,PurviewDataSensitivityLogs,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourcegroups/purview-sentinel-bug-bash/providers/microsoft.purview/accounts/sentinel-bug-bash-southeastasia -d80e74e9-da11-4572-babc-79349f7685cc,"11/1/2021, 4:16:00.000 PM",00000000-0000-0000-0000-000000000000,DataSensitivityLogEvent,72f988bf-86f1-41af-91ab-2d7cd011db47,458b9821-8f00-483f-acf9-ff6ab17332c4,Sentinel-Bug-Bash-SoutheastAsia,southeastasia,AzureBlob-eXR,AzureBlob,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourceGroups/classification-test/providers/Microsoft.Storage/storageAccounts/aipclptest,458b9821-8f00-483f-acf9-ff6ab17332c4,eastus,BugBashTest,,Travel Authorization Form_MY_101706.doc,https://aipclptest.blob.core.windows.net/aipscan/CredScan/Travel Authorization Form_MY_101706.doc,File,"2/13/2020, 7:53:38.000 PM","2/13/2020, 7:53:38.000 PM",,"11/1/2021, 4:12:45.278 PM",doc,40960,Classification,System,"[""Credit Card Number""]",1,,,,,PurviewDataSensitivityLogs,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourcegroups/purview-sentinel-bug-bash/providers/microsoft.purview/accounts/sentinel-bug-bash-southeastasia -d80e74e9-da11-4572-babc-79349f7685cc,"11/1/2021, 4:16:00.006 PM",00000000-0000-0000-0000-000000000000,DataSensitivityLogEvent,72f988bf-86f1-41af-91ab-2d7cd011db47,458b9821-8f00-483f-acf9-ff6ab17332c4,Sentinel-Bug-Bash-SoutheastAsia,southeastasia,AzureBlob-eXR,AzureBlob,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourceGroups/classification-test/providers/Microsoft.Storage/storageAccounts/aipclptest,458b9821-8f00-483f-acf9-ff6ab17332c4,eastus,BugBashTest,,Acme Background Check.doc,https://aipclptest.blob.core.windows.net/aipscan/CredScan/Acme Background Check.doc,File,"2/13/2020, 7:53:39.000 PM","2/13/2020, 7:53:39.000 PM",,"11/1/2021, 4:12:45.310 PM",doc,95232,Classification,System,"[""Credit Card Number"",""U.S. Social Security Number (SSN)""]",2,,,,,PurviewDataSensitivityLogs,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourcegroups/purview-sentinel-bug-bash/providers/microsoft.purview/accounts/sentinel-bug-bash-southeastasia -d80e74e9-da11-4572-babc-79349f7685cc,"11/1/2021, 4:16:00.014 PM",00000000-0000-0000-0000-000000000000,DataSensitivityLogEvent,72f988bf-86f1-41af-91ab-2d7cd011db47,458b9821-8f00-483f-acf9-ff6ab17332c4,Sentinel-Bug-Bash-SoutheastAsia,southeastasia,AzureBlob-eXR,AzureBlob,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourceGroups/classification-test/providers/Microsoft.Storage/storageAccounts/aipclptest,458b9821-8f00-483f-acf9-ff6ab17332c4,eastus,BugBashTest,,Credit Card Spreadsheet.xls,https://aipclptest.blob.core.windows.net/aipscan/CredScan/Credit Card Spreadsheet.xls,File,"2/13/2020, 7:53:39.000 PM","2/13/2020, 7:53:39.000 PM",,"11/1/2021, 4:12:45.310 PM",xls,30208,Classification,System,"[""Credit Card Number""]",1,,,,,PurviewDataSensitivityLogs,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourcegroups/purview-sentinel-bug-bash/providers/microsoft.purview/accounts/sentinel-bug-bash-southeastasia -d80e74e9-da11-4572-babc-79349f7685cc,"11/1/2021, 4:16:00.017 PM",00000000-0000-0000-0000-000000000000,DataSensitivityLogEvent,72f988bf-86f1-41af-91ab-2d7cd011db47,458b9821-8f00-483f-acf9-ff6ab17332c4,Sentinel-Bug-Bash-SoutheastAsia,southeastasia,AzureBlob-eXR,AzureBlob,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourceGroups/classification-test/providers/Microsoft.Storage/storageAccounts/aipclptest,458b9821-8f00-483f-acf9-ff6ab17332c4,eastus,BugBashTest,,IR.txt,https://aipclptest.blob.core.windows.net/aipscan/HR/IR.txt,File,"2/13/2020, 7:54:12.000 PM","2/13/2020, 7:54:12.000 PM",,"11/1/2021, 4:12:35.110 PM",txt,197,Labeling,Default,[],0,9fbde396-1a24-4c79-8edf-9254a0f35055,Confidential\Microsoft Extended,,,PurviewDataSensitivityLogs,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourcegroups/purview-sentinel-bug-bash/providers/microsoft.purview/accounts/sentinel-bug-bash-southeastasia -d80e74e9-da11-4572-babc-79349f7685cc,"11/1/2021, 4:16:00.021 PM",00000000-0000-0000-0000-000000000000,DataSensitivityLogEvent,72f988bf-86f1-41af-91ab-2d7cd011db47,458b9821-8f00-483f-acf9-ff6ab17332c4,Sentinel-Bug-Bash-SoutheastAsia,southeastasia,AzureBlob-eXR,AzureBlob,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourceGroups/classification-test/providers/Microsoft.Storage/storageAccounts/aipclptest,458b9821-8f00-483f-acf9-ff6ab17332c4,eastus,BugBashTest,,uk-drv.docx,https://aipclptest.blob.core.windows.net/aipscan/PII/uk-drv.docx,File,"2/13/2020, 7:54:22.000 PM","2/13/2020, 7:54:22.000 PM",,"11/1/2021, 4:12:28.089 PM",docx,18847,Classification,System,"[""EU Driver's License Number"",""U.K. Driver's License Number""]",2,,,,,PurviewDataSensitivityLogs,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourcegroups/purview-sentinel-bug-bash/providers/microsoft.purview/accounts/sentinel-bug-bash-southeastasia -d80e74e9-da11-4572-babc-79349f7685cc,"11/1/2021, 4:16:00.021 PM",00000000-0000-0000-0000-000000000000,DataSensitivityLogEvent,72f988bf-86f1-41af-91ab-2d7cd011db47,458b9821-8f00-483f-acf9-ff6ab17332c4,Sentinel-Bug-Bash-SoutheastAsia,southeastasia,AzureBlob-eXR,AzureBlob,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourceGroups/classification-test/providers/Microsoft.Storage/storageAccounts/aipclptest,458b9821-8f00-483f-acf9-ff6ab17332c4,eastus,BugBashTest,,uk-drv.docx,https://aipclptest.blob.core.windows.net/aipscan/PII/uk-drv.docx,File,"2/13/2020, 7:54:22.000 PM","2/13/2020, 7:54:22.000 PM",,"11/1/2021, 4:12:28.089 PM",docx,18847,Labeling,External,[],0,f42aa342-8706-4288-bd11-ebb85995028c,General,,,PurviewDataSensitivityLogs,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourcegroups/purview-sentinel-bug-bash/providers/microsoft.purview/accounts/sentinel-bug-bash-southeastasia -d80e74e9-da11-4572-babc-79349f7685cc,"11/1/2021, 4:16:00.021 PM",00000000-0000-0000-0000-000000000000,DataSensitivityLogEvent,72f988bf-86f1-41af-91ab-2d7cd011db47,458b9821-8f00-483f-acf9-ff6ab17332c4,Sentinel-Bug-Bash-SoutheastAsia,southeastasia,AzureBlob-eXR,AzureBlob,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourceGroups/classification-test/providers/Microsoft.Storage/storageAccounts/aipclptest,458b9821-8f00-483f-acf9-ff6ab17332c4,eastus,BugBashTest,,cc.docx,https://aipclptest.blob.core.windows.net/joselw-test/cc.docx,File,"8/16/2021, 8:56:14.000 PM","8/16/2021, 8:56:14.000 PM",,"11/1/2021, 4:12:31.021 PM",docx,18956,Classification,System,"[""Credit Card Number"",""EU Debit Card Number""]",2,,,,,PurviewDataSensitivityLogs,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourcegroups/purview-sentinel-bug-bash/providers/microsoft.purview/accounts/sentinel-bug-bash-southeastasia -d80e74e9-da11-4572-babc-79349f7685cc,"11/1/2021, 4:16:00.021 PM",00000000-0000-0000-0000-000000000000,DataSensitivityLogEvent,72f988bf-86f1-41af-91ab-2d7cd011db47,458b9821-8f00-483f-acf9-ff6ab17332c4,Sentinel-Bug-Bash-SoutheastAsia,southeastasia,AzureBlob-eXR,AzureBlob,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourceGroups/classification-test/providers/Microsoft.Storage/storageAccounts/aipclptest,458b9821-8f00-483f-acf9-ff6ab17332c4,eastus,BugBashTest,,cc.docx,https://aipclptest.blob.core.windows.net/joselw-test/cc.docx,File,"8/16/2021, 8:56:14.000 PM","8/16/2021, 8:56:14.000 PM",,"11/1/2021, 4:12:31.021 PM",docx,18956,Labeling,External,[],0,f42aa342-8706-4288-bd11-ebb85995028c,General,,,PurviewDataSensitivityLogs,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourcegroups/purview-sentinel-bug-bash/providers/microsoft.purview/accounts/sentinel-bug-bash-southeastasia -d80e74e9-da11-4572-babc-79349f7685cc,"11/1/2021, 4:16:00.021 PM",00000000-0000-0000-0000-000000000000,DataSensitivityLogEvent,72f988bf-86f1-41af-91ab-2d7cd011db47,458b9821-8f00-483f-acf9-ff6ab17332c4,Sentinel-Bug-Bash-SoutheastAsia,southeastasia,AzureBlob-eXR,AzureBlob,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourceGroups/classification-test/providers/Microsoft.Storage/storageAccounts/aipclptest,458b9821-8f00-483f-acf9-ff6ab17332c4,eastus,BugBashTest,,fr-cni-pdf.pdf,https://aipclptest.blob.core.windows.net/joselw-test/fr-cni-pdf.pdf,File,"8/16/2021, 8:56:14.000 PM","8/16/2021, 8:56:14.000 PM",,"11/1/2021, 4:12:30.881 PM",pdf,327291,Classification,System,"[""EU National Identification Number"",""France National ID Card (CNI)""]",2,,,,,PurviewDataSensitivityLogs,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourcegroups/purview-sentinel-bug-bash/providers/microsoft.purview/accounts/sentinel-bug-bash-southeastasia -d80e74e9-da11-4572-babc-79349f7685cc,"11/1/2021, 4:16:00.027 PM",00000000-0000-0000-0000-000000000000,DataSensitivityLogEvent,72f988bf-86f1-41af-91ab-2d7cd011db47,458b9821-8f00-483f-acf9-ff6ab17332c4,Sentinel-Bug-Bash-SoutheastAsia,southeastasia,AzureBlob-eXR,AzureBlob,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourceGroups/classification-test/providers/Microsoft.Storage/storageAccounts/aipclptest,458b9821-8f00-483f-acf9-ff6ab17332c4,eastus,BugBashTest,,uk-pn.docx,https://aipclptest.blob.core.windows.net/aipscan/PII/uk-pn.docx,File,"2/13/2020, 7:54:22.000 PM","2/13/2020, 7:54:22.000 PM",,"11/1/2021, 4:12:28.120 PM",docx,19004,Classification,System,"[""Bulgaria Passport Number"",""Croatia Passport Number"",""Denmark Passport Number"",""EU Passport Number"",""Ireland Passport Number"",""Italy Passport Number"",""Romania Passport Number"",""Russian Passport Number (International)"",""Taiwan Passport Number"",""U.S. / U.K. Passport Number"",""Ukraine Passport Number (Domestic)""]",11,,,,,PurviewDataSensitivityLogs,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourcegroups/purview-sentinel-bug-bash/providers/microsoft.purview/accounts/sentinel-bug-bash-southeastasia -d80e74e9-da11-4572-babc-79349f7685cc,"11/1/2021, 4:16:00.027 PM",00000000-0000-0000-0000-000000000000,DataSensitivityLogEvent,72f988bf-86f1-41af-91ab-2d7cd011db47,458b9821-8f00-483f-acf9-ff6ab17332c4,Sentinel-Bug-Bash-SoutheastAsia,southeastasia,AzureBlob-eXR,AzureBlob,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourceGroups/classification-test/providers/Microsoft.Storage/storageAccounts/aipclptest,458b9821-8f00-483f-acf9-ff6ab17332c4,eastus,BugBashTest,,uk-pn.docx,https://aipclptest.blob.core.windows.net/aipscan/PII/uk-pn.docx,File,"2/13/2020, 7:54:22.000 PM","2/13/2020, 7:54:22.000 PM",,"11/1/2021, 4:12:28.120 PM",docx,19004,Labeling,External,[],0,f42aa342-8706-4288-bd11-ebb85995028c,General,,,PurviewDataSensitivityLogs,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourcegroups/purview-sentinel-bug-bash/providers/microsoft.purview/accounts/sentinel-bug-bash-southeastasia -d80e74e9-da11-4572-babc-79349f7685cc,"11/1/2021, 4:16:00.027 PM",00000000-0000-0000-0000-000000000000,DataSensitivityLogEvent,72f988bf-86f1-41af-91ab-2d7cd011db47,458b9821-8f00-483f-acf9-ff6ab17332c4,Sentinel-Bug-Bash-SoutheastAsia,southeastasia,AzureBlob-eXR,AzureBlob,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourceGroups/classification-test/providers/Microsoft.Storage/storageAccounts/aipclptest,458b9821-8f00-483f-acf9-ff6ab17332c4,eastus,BugBashTest,,de-pn.docx,https://aipclptest.blob.core.windows.net/joselw-test/de-pn.docx,File,"8/16/2021, 8:56:14.000 PM","8/16/2021, 8:56:14.000 PM",,"11/1/2021, 4:12:28.954 PM",docx,19539,Classification,System,"[""EU Passport Number"",""German Passport Number""]",2,,,,,PurviewDataSensitivityLogs,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourcegroups/purview-sentinel-bug-bash/providers/microsoft.purview/accounts/sentinel-bug-bash-southeastasia -d80e74e9-da11-4572-babc-79349f7685cc,"11/1/2021, 4:16:00.033 PM",00000000-0000-0000-0000-000000000000,DataSensitivityLogEvent,72f988bf-86f1-41af-91ab-2d7cd011db47,458b9821-8f00-483f-acf9-ff6ab17332c4,Sentinel-Bug-Bash-SoutheastAsia,southeastasia,AzureBlob-eXR,AzureBlob,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourceGroups/classification-test/providers/Microsoft.Storage/storageAccounts/aipclptest,458b9821-8f00-483f-acf9-ff6ab17332c4,eastus,BugBashTest,,es-ssn.docx,https://aipclptest.blob.core.windows.net/joselw-test/es-ssn.docx,File,"8/16/2021, 8:56:14.000 PM","8/16/2021, 8:56:14.000 PM",,"11/1/2021, 4:12:29.032 PM",docx,19548,Classification,System,"[""Spain Social Security Number (SSN)""]",1,,,,,PurviewDataSensitivityLogs,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourcegroups/purview-sentinel-bug-bash/providers/microsoft.purview/accounts/sentinel-bug-bash-southeastasia -d80e74e9-da11-4572-babc-79349f7685cc,"11/1/2021, 4:16:00.040 PM",00000000-0000-0000-0000-000000000000,DataSensitivityLogEvent,72f988bf-86f1-41af-91ab-2d7cd011db47,458b9821-8f00-483f-acf9-ff6ab17332c4,Sentinel-Bug-Bash-SoutheastAsia,southeastasia,AzureBlob-eXR,AzureBlob,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourceGroups/classification-test/providers/Microsoft.Storage/storageAccounts/aipclptest,458b9821-8f00-483f-acf9-ff6ab17332c4,eastus,BugBashTest,,dk-id.docx,https://aipclptest.blob.core.windows.net/joselw-test/dk-id.docx,File,"8/16/2021, 8:56:14.000 PM","8/16/2021, 8:56:14.000 PM",,"11/1/2021, 4:12:30.568 PM",docx,19576,Classification,System,"[""Denmark Personal Identification Number"",""EU National Identification Number"",""EU Social Security Number (SSN) or Equivalent ID"",""EU Tax Identification Number (TIN)""]",4,,,,,PurviewDataSensitivityLogs,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourcegroups/purview-sentinel-bug-bash/providers/microsoft.purview/accounts/sentinel-bug-bash-southeastasia -d80e74e9-da11-4572-babc-79349f7685cc,"11/1/2021, 4:16:00.046 PM",00000000-0000-0000-0000-000000000000,DataSensitivityLogEvent,72f988bf-86f1-41af-91ab-2d7cd011db47,458b9821-8f00-483f-acf9-ff6ab17332c4,Sentinel-Bug-Bash-SoutheastAsia,southeastasia,AzureBlob-eXR,AzureBlob,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourceGroups/classification-test/providers/Microsoft.Storage/storageAccounts/aipclptest,458b9821-8f00-483f-acf9-ff6ab17332c4,eastus,BugBashTest,,cz-id.docx,https://aipclptest.blob.core.windows.net/joselw-test/cz-id.docx,File,"8/16/2021, 8:56:14.000 PM","8/16/2021, 8:56:14.000 PM",,"11/1/2021, 4:12:29.552 PM",docx,18764,Classification,System,"[""EU National Identification Number"",""EU Social Security Number (SSN) or Equivalent ID""]",2,,,,,PurviewDataSensitivityLogs,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourcegroups/purview-sentinel-bug-bash/providers/microsoft.purview/accounts/sentinel-bug-bash-southeastasia -d80e74e9-da11-4572-babc-79349f7685cc,"11/1/2021, 4:16:00.046 PM",00000000-0000-0000-0000-000000000000,DataSensitivityLogEvent,72f988bf-86f1-41af-91ab-2d7cd011db47,458b9821-8f00-483f-acf9-ff6ab17332c4,Sentinel-Bug-Bash-SoutheastAsia,southeastasia,AzureBlob-eXR,AzureBlob,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourceGroups/classification-test/providers/Microsoft.Storage/storageAccounts/aipclptest,458b9821-8f00-483f-acf9-ff6ab17332c4,eastus,BugBashTest,,cz-id.docx,https://aipclptest.blob.core.windows.net/joselw-test/cz-id.docx,File,"8/16/2021, 8:56:14.000 PM","8/16/2021, 8:56:14.000 PM",,"11/1/2021, 4:12:29.552 PM",docx,18764,Labeling,External,[],0,f42aa342-8706-4288-bd11-ebb85995028c,General,,,PurviewDataSensitivityLogs,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourcegroups/purview-sentinel-bug-bash/providers/microsoft.purview/accounts/sentinel-bug-bash-southeastasia -d80e74e9-da11-4572-babc-79349f7685cc,"11/1/2021, 4:16:00.081 PM",00000000-0000-0000-0000-000000000000,DataSensitivityLogEvent,72f988bf-86f1-41af-91ab-2d7cd011db47,458b9821-8f00-483f-acf9-ff6ab17332c4,Sentinel-Bug-Bash-SoutheastAsia,southeastasia,AzureBlob-eXR,AzureBlob,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourceGroups/classification-test/providers/Microsoft.Storage/storageAccounts/aipclptest,458b9821-8f00-483f-acf9-ff6ab17332c4,eastus,BugBashTest,,fr-drv.docx,https://aipclptest.blob.core.windows.net/joselw-test/fr-drv.docx,File,"8/16/2021, 8:56:13.000 PM","8/16/2021, 8:56:13.000 PM",,"11/1/2021, 4:12:25.626 PM",docx,19568,Labeling,Default,[],0,9fbde396-1a24-4c79-8edf-9254a0f35055,Confidential\Microsoft Extended,,,PurviewDataSensitivityLogs,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourcegroups/purview-sentinel-bug-bash/providers/microsoft.purview/accounts/sentinel-bug-bash-southeastasia -d80e74e9-da11-4572-babc-79349f7685cc,"11/1/2021, 4:16:00.166 PM",00000000-0000-0000-0000-000000000000,DataSensitivityLogEvent,72f988bf-86f1-41af-91ab-2d7cd011db47,458b9821-8f00-483f-acf9-ff6ab17332c4,Sentinel-Bug-Bash-SoutheastAsia,southeastasia,AzureBlob-eXR,AzureBlob,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourceGroups/classification-test/providers/Microsoft.Storage/storageAccounts/aipclptest,458b9821-8f00-483f-acf9-ff6ab17332c4,eastus,BugBashTest,,it-drv.docx,https://aipclptest.blob.core.windows.net/satintestcontainer/it-drv.docx,File,"5/12/2021, 6:56:19.000 PM","5/12/2021, 6:56:19.000 PM",,"11/1/2021, 4:12:23.901 PM",docx,26098,Labeling,Default,[],0,9fbde396-1a24-4c79-8edf-9254a0f35055,Confidential\Microsoft Extended,,,PurviewDataSensitivityLogs,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourcegroups/purview-sentinel-bug-bash/providers/microsoft.purview/accounts/sentinel-bug-bash-southeastasia -d80e74e9-da11-4572-babc-79349f7685cc,"11/1/2021, 4:16:00.171 PM",00000000-0000-0000-0000-000000000000,DataSensitivityLogEvent,72f988bf-86f1-41af-91ab-2d7cd011db47,458b9821-8f00-483f-acf9-ff6ab17332c4,Sentinel-Bug-Bash-SoutheastAsia,southeastasia,AzureBlob-eXR,AzureBlob,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourceGroups/classification-test/providers/Microsoft.Storage/storageAccounts/aipclptest,458b9821-8f00-483f-acf9-ff6ab17332c4,eastus,BugBashTest,,uk-nino.docx,https://aipclptest.blob.core.windows.net/joselw-test/uk-nino.docx,File,"8/16/2021, 8:56:13.000 PM","8/16/2021, 8:56:13.000 PM",,"11/1/2021, 4:12:27.251 PM",docx,19659,Classification,System,"[""EU National Identification Number"",""U.K. National Insurance Number (NINO)""]",2,,,,,PurviewDataSensitivityLogs,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourcegroups/purview-sentinel-bug-bash/providers/microsoft.purview/accounts/sentinel-bug-bash-southeastasia -d80e74e9-da11-4572-babc-79349f7685cc,"11/1/2021, 4:16:00.177 PM",00000000-0000-0000-0000-000000000000,DataSensitivityLogEvent,72f988bf-86f1-41af-91ab-2d7cd011db47,458b9821-8f00-483f-acf9-ff6ab17332c4,Sentinel-Bug-Bash-SoutheastAsia,southeastasia,AzureBlob-eXR,AzureBlob,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourceGroups/classification-test/providers/Microsoft.Storage/storageAccounts/aipclptest,458b9821-8f00-483f-acf9-ff6ab17332c4,eastus,BugBashTest,,finland.txt,https://aipclptest.blob.core.windows.net/satintestcontainer/finland.txt,File,"5/12/2021, 6:56:19.000 PM","5/12/2021, 6:56:19.000 PM",,"11/1/2021, 4:12:25.276 PM",txt,89,Labeling,Default,[],0,9fbde396-1a24-4c79-8edf-9254a0f35055,Confidential\Microsoft Extended,,,PurviewDataSensitivityLogs,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourcegroups/purview-sentinel-bug-bash/providers/microsoft.purview/accounts/sentinel-bug-bash-southeastasia -d80e74e9-da11-4572-babc-79349f7685cc,"11/1/2021, 4:16:00.178 PM",00000000-0000-0000-0000-000000000000,DataSensitivityLogEvent,72f988bf-86f1-41af-91ab-2d7cd011db47,458b9821-8f00-483f-acf9-ff6ab17332c4,Sentinel-Bug-Bash-SoutheastAsia,southeastasia,AzureBlob-eXR,AzureBlob,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourceGroups/classification-test/providers/Microsoft.Storage/storageAccounts/aipclptest,458b9821-8f00-483f-acf9-ff6ab17332c4,eastus,BugBashTest,,fi-pn.docx,https://aipclptest.blob.core.windows.net/joselw-test/fi-pn.docx,File,"8/16/2021, 8:56:14.000 PM","8/16/2021, 8:56:14.000 PM",,"11/1/2021, 4:12:28.532 PM",docx,18996,Classification,System,"[""Japan Passport Number""]",1,,,,,PurviewDataSensitivityLogs,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourcegroups/purview-sentinel-bug-bash/providers/microsoft.purview/accounts/sentinel-bug-bash-southeastasia -d80e74e9-da11-4572-babc-79349f7685cc,"11/1/2021, 4:16:00.184 PM",00000000-0000-0000-0000-000000000000,DataSensitivityLogEvent,72f988bf-86f1-41af-91ab-2d7cd011db47,458b9821-8f00-483f-acf9-ff6ab17332c4,Sentinel-Bug-Bash-SoutheastAsia,southeastasia,AzureBlob-eXR,AzureBlob,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourceGroups/classification-test/providers/Microsoft.Storage/storageAccounts/aipclptest,458b9821-8f00-483f-acf9-ff6ab17332c4,eastus,BugBashTest,,pl-id.docx,https://aipclptest.blob.core.windows.net/joselw-test/pl-id.docx,File,"8/16/2021, 8:56:13.000 PM","8/16/2021, 8:56:13.000 PM",,"11/1/2021, 4:12:28.314 PM",docx,19618,Classification,System,"[""EU National Identification Number"",""Poland Identity Card""]",2,,,,,PurviewDataSensitivityLogs,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourcegroups/purview-sentinel-bug-bash/providers/microsoft.purview/accounts/sentinel-bug-bash-southeastasia -d80e74e9-da11-4572-babc-79349f7685cc,"11/1/2021, 4:16:00.189 PM",00000000-0000-0000-0000-000000000000,DataSensitivityLogEvent,72f988bf-86f1-41af-91ab-2d7cd011db47,458b9821-8f00-483f-acf9-ff6ab17332c4,Sentinel-Bug-Bash-SoutheastAsia,southeastasia,AzureBlob-eXR,AzureBlob,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourceGroups/classification-test/providers/Microsoft.Storage/storageAccounts/aipclptest,458b9821-8f00-483f-acf9-ff6ab17332c4,eastus,BugBashTest,,finland.txt,https://aipclptest.blob.core.windows.net/joselw-test/finland.txt,File,"8/16/2021, 8:56:14.000 PM","8/16/2021, 8:56:14.000 PM",,"11/1/2021, 4:12:25.626 PM",txt,89,Labeling,Default,[],0,9fbde396-1a24-4c79-8edf-9254a0f35055,Confidential\Microsoft Extended,,,PurviewDataSensitivityLogs,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourcegroups/purview-sentinel-bug-bash/providers/microsoft.purview/accounts/sentinel-bug-bash-southeastasia -d80e74e9-da11-4572-babc-79349f7685cc,"11/1/2021, 4:16:00.190 PM",00000000-0000-0000-0000-000000000000,DataSensitivityLogEvent,72f988bf-86f1-41af-91ab-2d7cd011db47,458b9821-8f00-483f-acf9-ff6ab17332c4,Sentinel-Bug-Bash-SoutheastAsia,southeastasia,AzureBlob-eXR,AzureBlob,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourceGroups/classification-test/providers/Microsoft.Storage/storageAccounts/aipclptest,458b9821-8f00-483f-acf9-ff6ab17332c4,eastus,BugBashTest,,IR.txt,https://aipclptest.blob.core.windows.net/joselw-test/IR.txt,File,"8/16/2021, 8:56:13.000 PM","8/16/2021, 8:56:13.000 PM",,"11/1/2021, 4:12:30.021 PM",txt,197,Classification,System,"[""EU National Identification Number"",""EU Tax Identification Number (TIN)"",""Ireland Personal Public Service (PPS) Number""]",3,,,,,PurviewDataSensitivityLogs,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourcegroups/purview-sentinel-bug-bash/providers/microsoft.purview/accounts/sentinel-bug-bash-southeastasia -d80e74e9-da11-4572-babc-79349f7685cc,"11/1/2021, 4:16:00.191 PM",00000000-0000-0000-0000-000000000000,DataSensitivityLogEvent,72f988bf-86f1-41af-91ab-2d7cd011db47,458b9821-8f00-483f-acf9-ff6ab17332c4,Sentinel-Bug-Bash-SoutheastAsia,southeastasia,AzureBlob-eXR,AzureBlob,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourceGroups/classification-test/providers/Microsoft.Storage/storageAccounts/aipclptest,458b9821-8f00-483f-acf9-ff6ab17332c4,eastus,BugBashTest,,pr-id.docx,https://aipclptest.blob.core.windows.net/joselw-test/pr-id.docx,File,"8/16/2021, 8:56:13.000 PM","8/16/2021, 8:56:13.000 PM",,"11/1/2021, 4:12:25.626 PM",docx,19590,Labeling,Default,[],0,9fbde396-1a24-4c79-8edf-9254a0f35055,Confidential\Microsoft Extended,,,PurviewDataSensitivityLogs,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourcegroups/purview-sentinel-bug-bash/providers/microsoft.purview/accounts/sentinel-bug-bash-southeastasia -d80e74e9-da11-4572-babc-79349f7685cc,"11/1/2021, 4:16:00.195 PM",00000000-0000-0000-0000-000000000000,DataSensitivityLogEvent,72f988bf-86f1-41af-91ab-2d7cd011db47,458b9821-8f00-483f-acf9-ff6ab17332c4,Sentinel-Bug-Bash-SoutheastAsia,southeastasia,AzureBlob-eXR,AzureBlob,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourceGroups/classification-test/providers/Microsoft.Storage/storageAccounts/aipclptest,458b9821-8f00-483f-acf9-ff6ab17332c4,eastus,BugBashTest,,Acme Background Check-Katana.doc,https://aipclptest.blob.core.windows.net/aipscan/Change Test/Acme Background Check-Katana.doc,File,"11/4/2020, 2:11:47.000 AM","11/4/2020, 2:11:47.000 AM",,"11/1/2021, 4:12:47.653 PM",doc,90624,Classification,System,"[""Credit Card Number"",""U.S. Social Security Number (SSN)""]",2,,,,,PurviewDataSensitivityLogs,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourcegroups/purview-sentinel-bug-bash/providers/microsoft.purview/accounts/sentinel-bug-bash-southeastasia -d80e74e9-da11-4572-babc-79349f7685cc,"11/1/2021, 4:16:00.201 PM",00000000-0000-0000-0000-000000000000,DataSensitivityLogEvent,72f988bf-86f1-41af-91ab-2d7cd011db47,458b9821-8f00-483f-acf9-ff6ab17332c4,Sentinel-Bug-Bash-SoutheastAsia,southeastasia,AzureBlob-eXR,AzureBlob,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourceGroups/classification-test/providers/Microsoft.Storage/storageAccounts/aipclptest,458b9821-8f00-483f-acf9-ff6ab17332c4,eastus,BugBashTest,,Acme Background Check-Katana.doc,https://aipclptest.blob.core.windows.net/satintestcontainer/test4/Acme Background Check-Katana.doc,File,"2/16/2021, 9:35:05.000 AM","2/16/2021, 9:35:05.000 AM",,"11/1/2021, 4:12:47.638 PM",doc,90624,Classification,System,"[""Credit Card Number"",""U.S. Social Security Number (SSN)""]",2,,,,,PurviewDataSensitivityLogs,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourcegroups/purview-sentinel-bug-bash/providers/microsoft.purview/accounts/sentinel-bug-bash-southeastasia -d80e74e9-da11-4572-babc-79349f7685cc,"11/1/2021, 4:16:00.207 PM",00000000-0000-0000-0000-000000000000,DataSensitivityLogEvent,72f988bf-86f1-41af-91ab-2d7cd011db47,458b9821-8f00-483f-acf9-ff6ab17332c4,Sentinel-Bug-Bash-SoutheastAsia,southeastasia,AzureBlob-eXR,AzureBlob,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourceGroups/classification-test/providers/Microsoft.Storage/storageAccounts/aipclptest,458b9821-8f00-483f-acf9-ff6ab17332c4,eastus,BugBashTest,,Acme Background Check-Katana.doc,https://aipclptest.blob.core.windows.net/satintestcontainer/test3/Acme Background Check-Katana.doc,File,"2/16/2021, 9:34:57.000 AM","2/16/2021, 9:34:57.000 AM",,"11/1/2021, 4:12:49.107 PM",doc,90624,Classification,System,"[""Credit Card Number"",""U.S. Social Security Number (SSN)""]",2,,,,,PurviewDataSensitivityLogs,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourcegroups/purview-sentinel-bug-bash/providers/microsoft.purview/accounts/sentinel-bug-bash-southeastasia -d80e74e9-da11-4572-babc-79349f7685cc,"11/1/2021, 4:16:00.227 PM",00000000-0000-0000-0000-000000000000,DataSensitivityLogEvent,72f988bf-86f1-41af-91ab-2d7cd011db47,458b9821-8f00-483f-acf9-ff6ab17332c4,Sentinel-Bug-Bash-SoutheastAsia,southeastasia,AzureBlob-eXR,AzureBlob,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourceGroups/classification-test/providers/Microsoft.Storage/storageAccounts/aipclptest,458b9821-8f00-483f-acf9-ff6ab17332c4,eastus,BugBashTest,,cr-oib.docx,https://aipclptest.blob.core.windows.net/satintestcontainer/cr-oib.docx,File,"5/12/2021, 6:56:19.000 PM","5/12/2021, 6:56:19.000 PM",,"11/1/2021, 4:12:23.901 PM",docx,26098,Labeling,Default,[],0,9fbde396-1a24-4c79-8edf-9254a0f35055,Confidential\Microsoft Extended,,,PurviewDataSensitivityLogs,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourcegroups/purview-sentinel-bug-bash/providers/microsoft.purview/accounts/sentinel-bug-bash-southeastasia -d80e74e9-da11-4572-babc-79349f7685cc,"11/1/2021, 4:16:00.250 PM",00000000-0000-0000-0000-000000000000,DataSensitivityLogEvent,72f988bf-86f1-41af-91ab-2d7cd011db47,458b9821-8f00-483f-acf9-ff6ab17332c4,Sentinel-Bug-Bash-SoutheastAsia,southeastasia,AzureBlob-eXR,AzureBlob,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourceGroups/classification-test/providers/Microsoft.Storage/storageAccounts/aipclptest,458b9821-8f00-483f-acf9-ff6ab17332c4,eastus,BugBashTest,,Customers data2017.docx,https://aipclptest.blob.core.windows.net/aipscan/CustomerData/Customers data2017.docx,File,"2/13/2020, 7:53:51.000 PM","2/13/2020, 7:53:51.000 PM",,"11/1/2021, 4:12:26.276 PM",docx,12295,Labeling,Default,[],0,9fbde396-1a24-4c79-8edf-9254a0f35055,Confidential\Microsoft Extended,,,PurviewDataSensitivityLogs,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourcegroups/purview-sentinel-bug-bash/providers/microsoft.purview/accounts/sentinel-bug-bash-southeastasia -d80e74e9-da11-4572-babc-79349f7685cc,"11/1/2021, 4:16:00.254 PM",00000000-0000-0000-0000-000000000000,DataSensitivityLogEvent,72f988bf-86f1-41af-91ab-2d7cd011db47,458b9821-8f00-483f-acf9-ff6ab17332c4,Sentinel-Bug-Bash-SoutheastAsia,southeastasia,AzureBlob-eXR,AzureBlob,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourceGroups/classification-test/providers/Microsoft.Storage/storageAccounts/aipclptest,458b9821-8f00-483f-acf9-ff6ab17332c4,eastus,BugBashTest,,germany.txt,https://aipclptest.blob.core.windows.net/joselw-test/germany.txt,File,"8/16/2021, 8:56:13.000 PM","8/16/2021, 8:56:13.000 PM",,"11/1/2021, 4:12:30.006 PM",txt,42,Labeling,Default,[],0,9fbde396-1a24-4c79-8edf-9254a0f35055,Confidential\Microsoft Extended,,,PurviewDataSensitivityLogs,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourcegroups/purview-sentinel-bug-bash/providers/microsoft.purview/accounts/sentinel-bug-bash-southeastasia -d80e74e9-da11-4572-babc-79349f7685cc,"11/1/2021, 4:16:00.335 PM",00000000-0000-0000-0000-000000000000,DataSensitivityLogEvent,72f988bf-86f1-41af-91ab-2d7cd011db47,458b9821-8f00-483f-acf9-ff6ab17332c4,Sentinel-Bug-Bash-SoutheastAsia,southeastasia,AzureBlob-eXR,AzureBlob,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourceGroups/classification-test/providers/Microsoft.Storage/storageAccounts/aipclptest,458b9821-8f00-483f-acf9-ff6ab17332c4,eastus,BugBashTest,,de-id.docx,https://aipclptest.blob.core.windows.net/test2/de-id.docx,File,"5/13/2021, 6:37:48.000 PM","5/13/2021, 6:37:48.000 PM",,"11/1/2021, 4:12:16.816 PM",docx,25558,Classification,System,"[""EU National Identification Number"",""Germany Identity Card Number""]",2,,,,,PurviewDataSensitivityLogs,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourcegroups/purview-sentinel-bug-bash/providers/microsoft.purview/accounts/sentinel-bug-bash-southeastasia -d80e74e9-da11-4572-babc-79349f7685cc,"11/1/2021, 4:16:00.342 PM",00000000-0000-0000-0000-000000000000,DataSensitivityLogEvent,72f988bf-86f1-41af-91ab-2d7cd011db47,458b9821-8f00-483f-acf9-ff6ab17332c4,Sentinel-Bug-Bash-SoutheastAsia,southeastasia,AzureBlob-eXR,AzureBlob,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourceGroups/classification-test/providers/Microsoft.Storage/storageAccounts/aipclptest,458b9821-8f00-483f-acf9-ff6ab17332c4,eastus,BugBashTest,,multiple.docx,https://aipclptest.blob.core.windows.net/test2/multiple.docx,File,"5/13/2021, 6:37:49.000 PM","5/13/2021, 6:37:49.000 PM",,"11/1/2021, 4:12:16.941 PM",docx,24336,Classification,System,"[""EU National Identification Number"",""EU Social Security Number (SSN) or Equivalent ID"",""EU Tax Identification Number (TIN)"",""Finland National ID"",""Germany Identity Card Number"",""Greece National ID Card"",""Ireland Personal Public Service (PPS) Number""]",7,,,,,PurviewDataSensitivityLogs,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourcegroups/purview-sentinel-bug-bash/providers/microsoft.purview/accounts/sentinel-bug-bash-southeastasia -d80e74e9-da11-4572-babc-79349f7685cc,"11/1/2021, 4:16:00.347 PM",00000000-0000-0000-0000-000000000000,DataSensitivityLogEvent,72f988bf-86f1-41af-91ab-2d7cd011db47,458b9821-8f00-483f-acf9-ff6ab17332c4,Sentinel-Bug-Bash-SoutheastAsia,southeastasia,AzureBlob-eXR,AzureBlob,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourceGroups/classification-test/providers/Microsoft.Storage/storageAccounts/aipclptest,458b9821-8f00-483f-acf9-ff6ab17332c4,eastus,BugBashTest,,Acme Background Check-Katana.doc,https://aipclptest.blob.core.windows.net/aipscan/CredScan/Acme Background Check-Katana.doc,File,"2/13/2020, 7:53:39.000 PM","2/13/2020, 7:53:39.000 PM",,"11/1/2021, 4:12:47.919 PM",doc,95232,Classification,System,"[""Credit Card Number"",""U.S. Social Security Number (SSN)""]",2,,,,,PurviewDataSensitivityLogs,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourcegroups/purview-sentinel-bug-bash/providers/microsoft.purview/accounts/sentinel-bug-bash-southeastasia -d80e74e9-da11-4572-babc-79349f7685cc,"11/1/2021, 4:16:00.353 PM",00000000-0000-0000-0000-000000000000,DataSensitivityLogEvent,72f988bf-86f1-41af-91ab-2d7cd011db47,458b9821-8f00-483f-acf9-ff6ab17332c4,Sentinel-Bug-Bash-SoutheastAsia,southeastasia,AzureBlob-eXR,AzureBlob,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourceGroups/classification-test/providers/Microsoft.Storage/storageAccounts/aipclptest,458b9821-8f00-483f-acf9-ff6ab17332c4,eastus,BugBashTest,,finland.txt,https://aipclptest.blob.core.windows.net/test2/finland.txt,File,"5/13/2021, 6:37:48.000 PM","5/13/2021, 6:37:48.000 PM",,"11/1/2021, 4:12:14.941 PM",txt,89,Classification,System,"[""EU National Identification Number"",""EU Social Security Number (SSN) or Equivalent ID"",""EU Tax Identification Number (TIN)"",""Finland National ID""]",4,,,,,PurviewDataSensitivityLogs,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourcegroups/purview-sentinel-bug-bash/providers/microsoft.purview/accounts/sentinel-bug-bash-southeastasia -d80e74e9-da11-4572-babc-79349f7685cc,"11/1/2021, 4:16:00.359 PM",00000000-0000-0000-0000-000000000000,DataSensitivityLogEvent,72f988bf-86f1-41af-91ab-2d7cd011db47,458b9821-8f00-483f-acf9-ff6ab17332c4,Sentinel-Bug-Bash-SoutheastAsia,southeastasia,AzureBlob-eXR,AzureBlob,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourceGroups/classification-test/providers/Microsoft.Storage/storageAccounts/aipclptest,458b9821-8f00-483f-acf9-ff6ab17332c4,eastus,BugBashTest,,Acme Background Check-Katana.doc,https://aipclptest.blob.core.windows.net/satintestcontainer/test5/Acme Background Check-Katana.doc,File,"2/16/2021, 9:35:29.000 AM","2/16/2021, 9:35:29.000 AM",,"11/1/2021, 4:12:47.903 PM",doc,90624,Classification,System,"[""Credit Card Number"",""U.S. Social Security Number (SSN)""]",2,,,,,PurviewDataSensitivityLogs,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourcegroups/purview-sentinel-bug-bash/providers/microsoft.purview/accounts/sentinel-bug-bash-southeastasia -d80e74e9-da11-4572-babc-79349f7685cc,"11/1/2021, 4:16:00.365 PM",00000000-0000-0000-0000-000000000000,DataSensitivityLogEvent,72f988bf-86f1-41af-91ab-2d7cd011db47,458b9821-8f00-483f-acf9-ff6ab17332c4,Sentinel-Bug-Bash-SoutheastAsia,southeastasia,AzureBlob-eXR,AzureBlob,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourceGroups/classification-test/providers/Microsoft.Storage/storageAccounts/aipclptest,458b9821-8f00-483f-acf9-ff6ab17332c4,eastus,BugBashTest,,Customers DB.xlsx,https://aipclptest.blob.core.windows.net/aipscan/CustomerData/Customers DB.xlsx,File,"2/13/2020, 7:53:51.000 PM","2/13/2020, 7:53:51.000 PM",,"11/1/2021, 4:12:26.245 PM",xlsx,14058,Classification,System,"[""Austria Driver's License Number"",""Belgium Driver's License Number"",""Bulgaria Passport Number"",""Credit Card Number"",""Croatia Driver's License Number"",""Croatia Passport Number"",""Cyprus Driver's License Number"",""Cyprus Identity Card"",""Czech Personal Identity Number"",""Czech Republic Passport Number"",""Denmark Driver's License Number"",""Denmark Passport Number"",""Denmark Personal Identification Number"",""EU Debit Card Number"",""EU Driver's License Number"",""EU National Identification Number"",""EU Passport Number"",""EU Social Security Number (SSN) or Equivalent ID"",""EU Tax Identification Number (TIN)"",""Finland Driver's License Number"",""Finland National ID"",""Finland Passport Number"",""France Driver's License Number"",""France National ID Card (CNI)"",""France Social Security Number (INSEE)"",""German Driver's License Number"",""German Passport Number"",""Germany Identity Card Number"",""Greece National ID Card"",""Greece Passport Number"",""Hungary Passport Number"",""IP Address"",""Ireland Passport Number"",""Ireland Personal Public Service (PPS) Number"",""Italy Driver's License Number"",""Italy Passport Number"",""Japan Driver's License Number"",""Japan Passport Number"",""Lithuania Driver's License Number"",""Lithuania Passport Number"",""Malaysia Identity Card Number"",""Malta Driver's License Number"",""Netherlands Passport Number"",""Poland Identity Card"",""Romania Passport Number"",""Russian Passport Number (Domestic)"",""Russian Passport Number (International)"",""Slovakia Driver's License Number"",""Slovakia Passport Number"",""Slovakia Personal Number"",""Slovenia Passport Number"",""Spain Social Security Number (SSN)"",""Sweden Driver's License Number"",""Sweden Passport Number"",""Taiwan Passport Number"",""U.K. Driver's License Number"",""U.K. Electoral Roll Number"",""U.K. National Health Service Number"",""U.K. National Insurance Number (NINO)"",""U.S. / U.K. Passport Number"",""Ukraine Passport Number (Domestic)""]",61,,,,,PurviewDataSensitivityLogs,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourcegroups/purview-sentinel-bug-bash/providers/microsoft.purview/accounts/sentinel-bug-bash-southeastasia -d80e74e9-da11-4572-babc-79349f7685cc,"11/1/2021, 4:16:00.365 PM",00000000-0000-0000-0000-000000000000,DataSensitivityLogEvent,72f988bf-86f1-41af-91ab-2d7cd011db47,458b9821-8f00-483f-acf9-ff6ab17332c4,Sentinel-Bug-Bash-SoutheastAsia,southeastasia,AzureBlob-eXR,AzureBlob,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourceGroups/classification-test/providers/Microsoft.Storage/storageAccounts/aipclptest,458b9821-8f00-483f-acf9-ff6ab17332c4,eastus,BugBashTest,,Customers DB.xlsx,https://aipclptest.blob.core.windows.net/aipscan/CustomerData/Customers DB.xlsx,File,"2/13/2020, 7:53:51.000 PM","2/13/2020, 7:53:51.000 PM",,"11/1/2021, 4:12:26.245 PM",xlsx,14058,Labeling,External,[],0,f42aa342-8706-4288-bd11-ebb85995028c,General,,,PurviewDataSensitivityLogs,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourcegroups/purview-sentinel-bug-bash/providers/microsoft.purview/accounts/sentinel-bug-bash-southeastasia -d80e74e9-da11-4572-babc-79349f7685cc,"11/1/2021, 4:16:00.366 PM",00000000-0000-0000-0000-000000000000,DataSensitivityLogEvent,72f988bf-86f1-41af-91ab-2d7cd011db47,458b9821-8f00-483f-acf9-ff6ab17332c4,Sentinel-Bug-Bash-SoutheastAsia,southeastasia,AzureBlob-eXR,AzureBlob,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourceGroups/classification-test/providers/Microsoft.Storage/storageAccounts/aipclptest,458b9821-8f00-483f-acf9-ff6ab17332c4,eastus,BugBashTest,,fr-cni-pdf.pdf,https://aipclptest.blob.core.windows.net/aashishr01/fr-cni-pdf.pdf,File,"12/11/2020, 8:59:35.000 PM","12/11/2020, 8:59:35.000 PM",,"11/1/2021, 4:12:18.894 PM",pdf,327291,Classification,System,"[""EU National Identification Number"",""France National ID Card (CNI)""]",2,,,,,PurviewDataSensitivityLogs,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourcegroups/purview-sentinel-bug-bash/providers/microsoft.purview/accounts/sentinel-bug-bash-southeastasia -d80e74e9-da11-4572-babc-79349f7685cc,"11/1/2021, 4:16:00.377 PM",00000000-0000-0000-0000-000000000000,DataSensitivityLogEvent,72f988bf-86f1-41af-91ab-2d7cd011db47,458b9821-8f00-483f-acf9-ff6ab17332c4,Sentinel-Bug-Bash-SoutheastAsia,southeastasia,AzureBlob-eXR,AzureBlob,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourceGroups/classification-test/providers/Microsoft.Storage/storageAccounts/aipclptest,458b9821-8f00-483f-acf9-ff6ab17332c4,eastus,BugBashTest,,fi-id.docx,https://aipclptest.blob.core.windows.net/joselw-test/fi-id.docx,File,"8/16/2021, 8:56:14.000 PM","8/16/2021, 8:56:14.000 PM",,"11/1/2021, 4:12:28.814 PM",docx,19603,Labeling,Default,[],0,9fbde396-1a24-4c79-8edf-9254a0f35055,Confidential\Microsoft Extended,,,PurviewDataSensitivityLogs,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourcegroups/purview-sentinel-bug-bash/providers/microsoft.purview/accounts/sentinel-bug-bash-southeastasia -d80e74e9-da11-4572-babc-79349f7685cc,"11/1/2021, 4:16:00.482 PM",00000000-0000-0000-0000-000000000000,DataSensitivityLogEvent,72f988bf-86f1-41af-91ab-2d7cd011db47,458b9821-8f00-483f-acf9-ff6ab17332c4,Sentinel-Bug-Bash-SoutheastAsia,southeastasia,AzureBlob-eXR,AzureBlob,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourceGroups/classification-test/providers/Microsoft.Storage/storageAccounts/aipclptest,458b9821-8f00-483f-acf9-ff6ab17332c4,eastus,BugBashTest,,de-drv.docx,https://aipclptest.blob.core.windows.net/aashishr01/de-drv.docx,File,"12/11/2020, 8:59:35.000 PM","12/11/2020, 8:59:35.000 PM",,"11/1/2021, 4:12:18.754 PM",docx,26139,Classification,System,"[""EU Driver's License Number"",""German Driver's License Number""]",2,,,,,PurviewDataSensitivityLogs,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourcegroups/purview-sentinel-bug-bash/providers/microsoft.purview/accounts/sentinel-bug-bash-southeastasia -d80e74e9-da11-4572-babc-79349f7685cc,"11/1/2021, 4:16:00.488 PM",00000000-0000-0000-0000-000000000000,DataSensitivityLogEvent,72f988bf-86f1-41af-91ab-2d7cd011db47,458b9821-8f00-483f-acf9-ff6ab17332c4,Sentinel-Bug-Bash-SoutheastAsia,southeastasia,AzureBlob-eXR,AzureBlob,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourceGroups/classification-test/providers/Microsoft.Storage/storageAccounts/aipclptest,458b9821-8f00-483f-acf9-ff6ab17332c4,eastus,BugBashTest,,uk-nino.docx,https://aipclptest.blob.core.windows.net/aashishr01/uk-nino.docx,File,"12/11/2020, 8:59:35.000 PM","12/11/2020, 8:59:35.000 PM",,"11/1/2021, 4:12:18.894 PM",docx,26184,Classification,System,"[""EU National Identification Number"",""U.K. National Insurance Number (NINO)""]",2,,,,,PurviewDataSensitivityLogs,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourcegroups/purview-sentinel-bug-bash/providers/microsoft.purview/accounts/sentinel-bug-bash-southeastasia -d80e74e9-da11-4572-babc-79349f7685cc,"11/1/2021, 4:16:00.546 PM",00000000-0000-0000-0000-000000000000,DataSensitivityLogEvent,72f988bf-86f1-41af-91ab-2d7cd011db47,458b9821-8f00-483f-acf9-ff6ab17332c4,Sentinel-Bug-Bash-SoutheastAsia,southeastasia,AzureBlob-eXR,AzureBlob,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourceGroups/classification-test/providers/Microsoft.Storage/storageAccounts/aipclptest,458b9821-8f00-483f-acf9-ff6ab17332c4,eastus,BugBashTest,,ir-pps.docx,https://aipclptest.blob.core.windows.net/joselw-test/ir-pps.docx,File,"8/16/2021, 8:56:13.000 PM","8/16/2021, 8:56:13.000 PM",,"11/1/2021, 4:12:26.876 PM",docx,19439,Labeling,Default,[],0,9fbde396-1a24-4c79-8edf-9254a0f35055,Confidential\Microsoft Extended,,,PurviewDataSensitivityLogs,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourcegroups/purview-sentinel-bug-bash/providers/microsoft.purview/accounts/sentinel-bug-bash-southeastasia -d80e74e9-da11-4572-babc-79349f7685cc,"11/1/2021, 4:16:00.571 PM",00000000-0000-0000-0000-000000000000,DataSensitivityLogEvent,72f988bf-86f1-41af-91ab-2d7cd011db47,458b9821-8f00-483f-acf9-ff6ab17332c4,Sentinel-Bug-Bash-SoutheastAsia,southeastasia,AzureBlob-eXR,AzureBlob,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourceGroups/classification-test/providers/Microsoft.Storage/storageAccounts/aipclptest,458b9821-8f00-483f-acf9-ff6ab17332c4,eastus,BugBashTest,,el-id.docx,https://aipclptest.blob.core.windows.net/joselw-test/el-id.docx,File,"8/16/2021, 8:56:14.000 PM","8/16/2021, 8:56:14.000 PM",,"11/1/2021, 4:12:25.626 PM",docx,19644,Labeling,Default,[],0,9fbde396-1a24-4c79-8edf-9254a0f35055,Confidential\Microsoft Extended,,,PurviewDataSensitivityLogs,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourcegroups/purview-sentinel-bug-bash/providers/microsoft.purview/accounts/sentinel-bug-bash-southeastasia -d80e74e9-da11-4572-babc-79349f7685cc,"11/1/2021, 4:16:00.586 PM",00000000-0000-0000-0000-000000000000,DataSensitivityLogEvent,72f988bf-86f1-41af-91ab-2d7cd011db47,458b9821-8f00-483f-acf9-ff6ab17332c4,Sentinel-Bug-Bash-SoutheastAsia,southeastasia,AzureBlob-eXR,AzureBlob,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourceGroups/classification-test/providers/Microsoft.Storage/storageAccounts/aipclptest,458b9821-8f00-483f-acf9-ff6ab17332c4,eastus,BugBashTest,,uk-pn.docx,https://aipclptest.blob.core.windows.net/joselw-test/uk-pn.docx,File,"8/16/2021, 8:56:13.000 PM","8/16/2021, 8:56:13.000 PM",,"11/1/2021, 4:12:31.553 PM",docx,19860,Classification,System,"[""Bulgaria Passport Number"",""Croatia Passport Number"",""Denmark Passport Number"",""EU Passport Number"",""Ireland Passport Number"",""Italy Passport Number"",""Romania Passport Number"",""Russian Passport Number (International)"",""Taiwan Passport Number"",""U.S. / U.K. Passport Number"",""Ukraine Passport Number (Domestic)""]",11,,,,,PurviewDataSensitivityLogs,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourcegroups/purview-sentinel-bug-bash/providers/microsoft.purview/accounts/sentinel-bug-bash-southeastasia -d80e74e9-da11-4572-babc-79349f7685cc,"11/1/2021, 4:16:00.595 PM",00000000-0000-0000-0000-000000000000,DataSensitivityLogEvent,72f988bf-86f1-41af-91ab-2d7cd011db47,458b9821-8f00-483f-acf9-ff6ab17332c4,Sentinel-Bug-Bash-SoutheastAsia,southeastasia,AzureBlob-eXR,AzureBlob,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourceGroups/classification-test/providers/Microsoft.Storage/storageAccounts/aipclptest,458b9821-8f00-483f-acf9-ff6ab17332c4,eastus,BugBashTest,,Acme Background Check-Katana.doc,https://aipclptest.blob.core.windows.net/joselw-test/Acme Background Check-Katana.doc,File,"8/16/2021, 8:56:15.000 PM","8/16/2021, 8:56:15.000 PM",,"11/1/2021, 4:12:31.021 PM",doc,90624,Classification,System,"[""Credit Card Number"",""U.S. Social Security Number (SSN)""]",2,,,,,PurviewDataSensitivityLogs,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourcegroups/purview-sentinel-bug-bash/providers/microsoft.purview/accounts/sentinel-bug-bash-southeastasia -d80e74e9-da11-4572-babc-79349f7685cc,"11/1/2021, 4:16:00.600 PM",00000000-0000-0000-0000-000000000000,DataSensitivityLogEvent,72f988bf-86f1-41af-91ab-2d7cd011db47,458b9821-8f00-483f-acf9-ff6ab17332c4,Sentinel-Bug-Bash-SoutheastAsia,southeastasia,AzureBlob-eXR,AzureBlob,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourceGroups/classification-test/providers/Microsoft.Storage/storageAccounts/aipclptest,458b9821-8f00-483f-acf9-ff6ab17332c4,eastus,BugBashTest,,denmark.txt,https://aipclptest.blob.core.windows.net/test2/denmark.txt,File,"5/13/2021, 6:37:49.000 PM","5/13/2021, 6:37:49.000 PM",,"11/1/2021, 4:12:15.300 PM",txt,128,Classification,System,"[""EU National Identification Number""]",1,,,,,PurviewDataSensitivityLogs,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourcegroups/purview-sentinel-bug-bash/providers/microsoft.purview/accounts/sentinel-bug-bash-southeastasia -d80e74e9-da11-4572-babc-79349f7685cc,"11/1/2021, 4:16:00.606 PM",00000000-0000-0000-0000-000000000000,DataSensitivityLogEvent,72f988bf-86f1-41af-91ab-2d7cd011db47,458b9821-8f00-483f-acf9-ff6ab17332c4,Sentinel-Bug-Bash-SoutheastAsia,southeastasia,AzureBlob-eXR,AzureBlob,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourceGroups/classification-test/providers/Microsoft.Storage/storageAccounts/aipclptest,458b9821-8f00-483f-acf9-ff6ab17332c4,eastus,BugBashTest,,germany.txt,https://aipclptest.blob.core.windows.net/test2/germany.txt,File,"5/13/2021, 6:37:48.000 PM","5/13/2021, 6:37:48.000 PM",,"11/1/2021, 4:12:15.238 PM",txt,42,Classification,System,"[""EU National Identification Number"",""EU Social Security Number (SSN) or Equivalent ID"",""Germany Identity Card Number""]",3,,,,,PurviewDataSensitivityLogs,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourcegroups/purview-sentinel-bug-bash/providers/microsoft.purview/accounts/sentinel-bug-bash-southeastasia -d80e74e9-da11-4572-babc-79349f7685cc,"11/1/2021, 4:16:00.606 PM",00000000-0000-0000-0000-000000000000,DataSensitivityLogEvent,72f988bf-86f1-41af-91ab-2d7cd011db47,458b9821-8f00-483f-acf9-ff6ab17332c4,Sentinel-Bug-Bash-SoutheastAsia,southeastasia,AzureBlob-eXR,AzureBlob,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourceGroups/classification-test/providers/Microsoft.Storage/storageAccounts/aipclptest,458b9821-8f00-483f-acf9-ff6ab17332c4,eastus,BugBashTest,,cr-oib.docx,https://aipclptest.blob.core.windows.net/aipscan/HR/cr-oib.docx,File,"2/13/2020, 7:54:12.000 PM","2/13/2020, 7:54:12.000 PM",,"11/1/2021, 4:12:23.225 PM",docx,20160,Classification,System,"[""EU National Identification Number""]",1,,,,,PurviewDataSensitivityLogs,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourcegroups/purview-sentinel-bug-bash/providers/microsoft.purview/accounts/sentinel-bug-bash-southeastasia -d80e74e9-da11-4572-babc-79349f7685cc,"11/1/2021, 4:16:00.606 PM",00000000-0000-0000-0000-000000000000,DataSensitivityLogEvent,72f988bf-86f1-41af-91ab-2d7cd011db47,458b9821-8f00-483f-acf9-ff6ab17332c4,Sentinel-Bug-Bash-SoutheastAsia,southeastasia,AzureBlob-eXR,AzureBlob,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourceGroups/classification-test/providers/Microsoft.Storage/storageAccounts/aipclptest,458b9821-8f00-483f-acf9-ff6ab17332c4,eastus,BugBashTest,,cr-oib.docx,https://aipclptest.blob.core.windows.net/aipscan/HR/cr-oib.docx,File,"2/13/2020, 7:54:12.000 PM","2/13/2020, 7:54:12.000 PM",,"11/1/2021, 4:12:23.225 PM",docx,20160,Labeling,External,[],0,f42aa342-8706-4288-bd11-ebb85995028c,General,,,PurviewDataSensitivityLogs,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourcegroups/purview-sentinel-bug-bash/providers/microsoft.purview/accounts/sentinel-bug-bash-southeastasia -d80e74e9-da11-4572-babc-79349f7685cc,"11/1/2021, 4:16:00.607 PM",00000000-0000-0000-0000-000000000000,DataSensitivityLogEvent,72f988bf-86f1-41af-91ab-2d7cd011db47,458b9821-8f00-483f-acf9-ff6ab17332c4,Sentinel-Bug-Bash-SoutheastAsia,southeastasia,AzureBlob-eXR,AzureBlob,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourceGroups/classification-test/providers/Microsoft.Storage/storageAccounts/aipclptest,458b9821-8f00-483f-acf9-ff6ab17332c4,eastus,BugBashTest,,uk-nino.docx,https://aipclptest.blob.core.windows.net/aipscan/HR/uk-nino.docx,File,"2/13/2020, 7:54:12.000 PM","2/13/2020, 7:54:12.000 PM",,"11/1/2021, 4:12:23.460 PM",docx,20246,Classification,System,"[""EU National Identification Number"",""U.K. National Insurance Number (NINO)""]",2,,,,,PurviewDataSensitivityLogs,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourcegroups/purview-sentinel-bug-bash/providers/microsoft.purview/accounts/sentinel-bug-bash-southeastasia -d80e74e9-da11-4572-babc-79349f7685cc,"11/1/2021, 4:16:00.607 PM",00000000-0000-0000-0000-000000000000,DataSensitivityLogEvent,72f988bf-86f1-41af-91ab-2d7cd011db47,458b9821-8f00-483f-acf9-ff6ab17332c4,Sentinel-Bug-Bash-SoutheastAsia,southeastasia,AzureBlob-eXR,AzureBlob,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourceGroups/classification-test/providers/Microsoft.Storage/storageAccounts/aipclptest,458b9821-8f00-483f-acf9-ff6ab17332c4,eastus,BugBashTest,,uk-nino.docx,https://aipclptest.blob.core.windows.net/aipscan/HR/uk-nino.docx,File,"2/13/2020, 7:54:12.000 PM","2/13/2020, 7:54:12.000 PM",,"11/1/2021, 4:12:23.460 PM",docx,20246,Labeling,External,[],0,f42aa342-8706-4288-bd11-ebb85995028c,General,,,PurviewDataSensitivityLogs,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourcegroups/purview-sentinel-bug-bash/providers/microsoft.purview/accounts/sentinel-bug-bash-southeastasia -d80e74e9-da11-4572-babc-79349f7685cc,"11/1/2021, 4:16:00.612 PM",00000000-0000-0000-0000-000000000000,DataSensitivityLogEvent,72f988bf-86f1-41af-91ab-2d7cd011db47,458b9821-8f00-483f-acf9-ff6ab17332c4,Sentinel-Bug-Bash-SoutheastAsia,southeastasia,AzureBlob-eXR,AzureBlob,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourceGroups/classification-test/providers/Microsoft.Storage/storageAccounts/aipclptest,458b9821-8f00-483f-acf9-ff6ab17332c4,eastus,BugBashTest,,Customers data2018.docx,https://aipclptest.blob.core.windows.net/aipscan/CustomerData/Customers data2018.docx,File,"2/13/2020, 7:53:51.000 PM","2/13/2020, 7:53:51.000 PM",,"11/1/2021, 4:12:26.245 PM",docx,16830,Classification,System,"[""Belgium Driver's License Number"",""Bulgaria Passport Number"",""Credit Card Number"",""Croatia Passport Number"",""Cyprus Driver's License Number"",""Czech Personal Identity Number"",""Denmark Passport Number"",""Denmark Personal Identification Number"",""EU Debit Card Number"",""EU Driver's License Number"",""EU National Identification Number"",""EU Passport Number"",""EU Social Security Number (SSN) or Equivalent ID"",""EU Tax Identification Number (TIN)"",""Finland Driver's License Number"",""Finland National ID"",""France Driver's License Number"",""France National ID Card (CNI)"",""France Social Security Number (INSEE)"",""German Driver's License Number"",""German Passport Number"",""Germany Identity Card Number"",""Greece National ID Card"",""Ireland Passport Number"",""Ireland Personal Public Service (PPS) Number"",""Italy Driver's License Number"",""Italy Passport Number"",""Japan Driver's License Number"",""Japan Passport Number"",""Poland Identity Card"",""Romania Passport Number"",""Russian Passport Number (International)"",""Slovakia Personal Number"",""Sweden Passport Number"",""Taiwan Passport Number"",""U.K. Driver's License Number"",""U.K. Electoral Roll Number"",""U.K. National Health Service Number"",""U.K. National Insurance Number (NINO)"",""U.S. / U.K. Passport Number"",""Ukraine Passport Number (Domestic)""]",41,,,,,PurviewDataSensitivityLogs,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourcegroups/purview-sentinel-bug-bash/providers/microsoft.purview/accounts/sentinel-bug-bash-southeastasia -d80e74e9-da11-4572-babc-79349f7685cc,"11/1/2021, 4:16:00.617 PM",00000000-0000-0000-0000-000000000000,DataSensitivityLogEvent,72f988bf-86f1-41af-91ab-2d7cd011db47,458b9821-8f00-483f-acf9-ff6ab17332c4,Sentinel-Bug-Bash-SoutheastAsia,southeastasia,AzureBlob-eXR,AzureBlob,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourceGroups/classification-test/providers/Microsoft.Storage/storageAccounts/aipclptest,458b9821-8f00-483f-acf9-ff6ab17332c4,eastus,BugBashTest,,uk-drv.docx,https://aipclptest.blob.core.windows.net/joselw-test/uk-drv.docx,File,"8/16/2021, 8:56:13.000 PM","8/16/2021, 8:56:13.000 PM",,"11/1/2021, 4:12:31.490 PM",docx,21051,Classification,System,"[""EU Driver's License Number"",""U.K. Driver's License Number""]",2,,,,,PurviewDataSensitivityLogs,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourcegroups/purview-sentinel-bug-bash/providers/microsoft.purview/accounts/sentinel-bug-bash-southeastasia -d80e74e9-da11-4572-babc-79349f7685cc,"11/1/2021, 4:16:00.629 PM",00000000-0000-0000-0000-000000000000,DataSensitivityLogEvent,72f988bf-86f1-41af-91ab-2d7cd011db47,458b9821-8f00-483f-acf9-ff6ab17332c4,Sentinel-Bug-Bash-SoutheastAsia,southeastasia,AzureBlob-eXR,AzureBlob,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourceGroups/classification-test/providers/Microsoft.Storage/storageAccounts/aipclptest,458b9821-8f00-483f-acf9-ff6ab17332c4,eastus,BugBashTest,,sw-id.docx,https://aipclptest.blob.core.windows.net/joselw-test/sw-id.docx,File,"8/16/2021, 8:56:13.000 PM","8/16/2021, 8:56:13.000 PM",,"11/1/2021, 4:12:25.610 PM",docx,19549,Labeling,Default,[],0,9fbde396-1a24-4c79-8edf-9254a0f35055,Confidential\Microsoft Extended,,,PurviewDataSensitivityLogs,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourcegroups/purview-sentinel-bug-bash/providers/microsoft.purview/accounts/sentinel-bug-bash-southeastasia -d80e74e9-da11-4572-babc-79349f7685cc,"11/1/2021, 4:16:00.698 PM",00000000-0000-0000-0000-000000000000,DataSensitivityLogEvent,72f988bf-86f1-41af-91ab-2d7cd011db47,458b9821-8f00-483f-acf9-ff6ab17332c4,Sentinel-Bug-Bash-SoutheastAsia,southeastasia,AzureBlob-eXR,AzureBlob,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourceGroups/classification-test/providers/Microsoft.Storage/storageAccounts/aipclptest,458b9821-8f00-483f-acf9-ff6ab17332c4,eastus,BugBashTest,,cz.txt,https://aipclptest.blob.core.windows.net/joselw-test/cz.txt,File,"8/16/2021, 8:56:14.000 PM","8/16/2021, 8:56:14.000 PM",,"11/1/2021, 4:12:25.579 PM",txt,124,Labeling,Default,[],0,9fbde396-1a24-4c79-8edf-9254a0f35055,Confidential\Microsoft Extended,,,PurviewDataSensitivityLogs,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourcegroups/purview-sentinel-bug-bash/providers/microsoft.purview/accounts/sentinel-bug-bash-southeastasia -d80e74e9-da11-4572-babc-79349f7685cc,"11/1/2021, 4:16:00.741 PM",00000000-0000-0000-0000-000000000000,DataSensitivityLogEvent,72f988bf-86f1-41af-91ab-2d7cd011db47,458b9821-8f00-483f-acf9-ff6ab17332c4,Sentinel-Bug-Bash-SoutheastAsia,southeastasia,AzureBlob-eXR,AzureBlob,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourceGroups/classification-test/providers/Microsoft.Storage/storageAccounts/aipclptest,458b9821-8f00-483f-acf9-ff6ab17332c4,eastus,BugBashTest,,uk-roll.docx,https://aipclptest.blob.core.windows.net/joselw-test/uk-roll.docx,File,"8/16/2021, 8:56:13.000 PM","8/16/2021, 8:56:13.000 PM",,"11/1/2021, 4:12:27.329 PM",docx,18989,Labeling,Default,[],0,9fbde396-1a24-4c79-8edf-9254a0f35055,Confidential\Microsoft Extended,,,PurviewDataSensitivityLogs,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourcegroups/purview-sentinel-bug-bash/providers/microsoft.purview/accounts/sentinel-bug-bash-southeastasia -d80e74e9-da11-4572-babc-79349f7685cc,"11/1/2021, 4:16:00.761 PM",00000000-0000-0000-0000-000000000000,DataSensitivityLogEvent,72f988bf-86f1-41af-91ab-2d7cd011db47,458b9821-8f00-483f-acf9-ff6ab17332c4,Sentinel-Bug-Bash-SoutheastAsia,southeastasia,AzureBlob-eXR,AzureBlob,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourceGroups/classification-test/providers/Microsoft.Storage/storageAccounts/aipclptest,458b9821-8f00-483f-acf9-ff6ab17332c4,eastus,BugBashTest,,sw-pn.docx,https://aipclptest.blob.core.windows.net/joselw-test/sw-pn.docx,File,"8/16/2021, 8:56:13.000 PM","8/16/2021, 8:56:13.000 PM",,"11/1/2021, 4:12:25.626 PM",docx,19044,Labeling,Default,[],0,9fbde396-1a24-4c79-8edf-9254a0f35055,Confidential\Microsoft Extended,,,PurviewDataSensitivityLogs,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourcegroups/purview-sentinel-bug-bash/providers/microsoft.purview/accounts/sentinel-bug-bash-southeastasia -d80e74e9-da11-4572-babc-79349f7685cc,"11/1/2021, 4:16:00.789 PM",00000000-0000-0000-0000-000000000000,DataSensitivityLogEvent,72f988bf-86f1-41af-91ab-2d7cd011db47,458b9821-8f00-483f-acf9-ff6ab17332c4,Sentinel-Bug-Bash-SoutheastAsia,southeastasia,AzureBlob-eXR,AzureBlob,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourceGroups/classification-test/providers/Microsoft.Storage/storageAccounts/aipclptest,458b9821-8f00-483f-acf9-ff6ab17332c4,eastus,BugBashTest,,cz.txt,https://aipclptest.blob.core.windows.net/aipscan/HR/cz.txt,File,"2/13/2020, 7:54:12.000 PM","2/13/2020, 7:54:12.000 PM",,"11/1/2021, 4:12:25.448 PM",txt,124,Classification,System,"[""EU National Identification Number"",""EU Social Security Number (SSN) or Equivalent ID""]",2,,,,,PurviewDataSensitivityLogs,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourcegroups/purview-sentinel-bug-bash/providers/microsoft.purview/accounts/sentinel-bug-bash-southeastasia -d80e74e9-da11-4572-babc-79349f7685cc,"11/1/2021, 4:16:00.795 PM",00000000-0000-0000-0000-000000000000,DataSensitivityLogEvent,72f988bf-86f1-41af-91ab-2d7cd011db47,458b9821-8f00-483f-acf9-ff6ab17332c4,Sentinel-Bug-Bash-SoutheastAsia,southeastasia,AzureBlob-eXR,AzureBlob,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourceGroups/classification-test/providers/Microsoft.Storage/storageAccounts/aipclptest,458b9821-8f00-483f-acf9-ff6ab17332c4,eastus,BugBashTest,,it-drv.docx,https://aipclptest.blob.core.windows.net/aipscan/HR/it-drv.docx,File,"2/13/2020, 7:54:12.000 PM","2/13/2020, 7:54:12.000 PM",,"11/1/2021, 4:12:25.038 PM",docx,20158,Classification,System,"[""EU Driver's License Number"",""Italy Driver's License Number""]",2,,,,,PurviewDataSensitivityLogs,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourcegroups/purview-sentinel-bug-bash/providers/microsoft.purview/accounts/sentinel-bug-bash-southeastasia -d80e74e9-da11-4572-babc-79349f7685cc,"11/1/2021, 4:16:00.795 PM",00000000-0000-0000-0000-000000000000,DataSensitivityLogEvent,72f988bf-86f1-41af-91ab-2d7cd011db47,458b9821-8f00-483f-acf9-ff6ab17332c4,Sentinel-Bug-Bash-SoutheastAsia,southeastasia,AzureBlob-eXR,AzureBlob,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourceGroups/classification-test/providers/Microsoft.Storage/storageAccounts/aipclptest,458b9821-8f00-483f-acf9-ff6ab17332c4,eastus,BugBashTest,,it-drv.docx,https://aipclptest.blob.core.windows.net/aipscan/HR/it-drv.docx,File,"2/13/2020, 7:54:12.000 PM","2/13/2020, 7:54:12.000 PM",,"11/1/2021, 4:12:25.038 PM",docx,20158,Labeling,External,[],0,f42aa342-8706-4288-bd11-ebb85995028c,General,,,PurviewDataSensitivityLogs,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourcegroups/purview-sentinel-bug-bash/providers/microsoft.purview/accounts/sentinel-bug-bash-southeastasia -d80e74e9-da11-4572-babc-79349f7685cc,"11/1/2021, 4:16:00.796 PM",00000000-0000-0000-0000-000000000000,DataSensitivityLogEvent,72f988bf-86f1-41af-91ab-2d7cd011db47,458b9821-8f00-483f-acf9-ff6ab17332c4,Sentinel-Bug-Bash-SoutheastAsia,southeastasia,AzureBlob-eXR,AzureBlob,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourceGroups/classification-test/providers/Microsoft.Storage/storageAccounts/aipclptest,458b9821-8f00-483f-acf9-ff6ab17332c4,eastus,BugBashTest,,es-ssn.docx,https://aipclptest.blob.core.windows.net/aipscan/HR/es-ssn.docx,File,"2/13/2020, 7:54:12.000 PM","2/13/2020, 7:54:12.000 PM",,"11/1/2021, 4:12:25.510 PM",docx,20135,Classification,System,"[""Spain Social Security Number (SSN)""]",1,,,,,PurviewDataSensitivityLogs,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourcegroups/purview-sentinel-bug-bash/providers/microsoft.purview/accounts/sentinel-bug-bash-southeastasia -d80e74e9-da11-4572-babc-79349f7685cc,"11/1/2021, 4:16:00.796 PM",00000000-0000-0000-0000-000000000000,DataSensitivityLogEvent,72f988bf-86f1-41af-91ab-2d7cd011db47,458b9821-8f00-483f-acf9-ff6ab17332c4,Sentinel-Bug-Bash-SoutheastAsia,southeastasia,AzureBlob-eXR,AzureBlob,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourceGroups/classification-test/providers/Microsoft.Storage/storageAccounts/aipclptest,458b9821-8f00-483f-acf9-ff6ab17332c4,eastus,BugBashTest,,es-ssn.docx,https://aipclptest.blob.core.windows.net/aipscan/HR/es-ssn.docx,File,"2/13/2020, 7:54:12.000 PM","2/13/2020, 7:54:12.000 PM",,"11/1/2021, 4:12:25.510 PM",docx,20135,Labeling,External,[],0,f42aa342-8706-4288-bd11-ebb85995028c,General,,,PurviewDataSensitivityLogs,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourcegroups/purview-sentinel-bug-bash/providers/microsoft.purview/accounts/sentinel-bug-bash-southeastasia -d80e74e9-da11-4572-babc-79349f7685cc,"11/1/2021, 4:16:00.796 PM",00000000-0000-0000-0000-000000000000,DataSensitivityLogEvent,72f988bf-86f1-41af-91ab-2d7cd011db47,458b9821-8f00-483f-acf9-ff6ab17332c4,Sentinel-Bug-Bash-SoutheastAsia,southeastasia,AzureBlob-eXR,AzureBlob,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourceGroups/classification-test/providers/Microsoft.Storage/storageAccounts/aipclptest,458b9821-8f00-483f-acf9-ff6ab17332c4,eastus,BugBashTest,,uk-drv.docx,https://aipclptest.blob.core.windows.net/aipscan/HR/uk-drv.docx,File,"2/13/2020, 7:54:12.000 PM","2/13/2020, 7:54:12.000 PM",,"11/1/2021, 4:12:25.464 PM",docx,20274,Classification,System,"[""EU Driver's License Number"",""U.K. Driver's License Number""]",2,,,,,PurviewDataSensitivityLogs,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourcegroups/purview-sentinel-bug-bash/providers/microsoft.purview/accounts/sentinel-bug-bash-southeastasia -d80e74e9-da11-4572-babc-79349f7685cc,"11/1/2021, 4:16:00.796 PM",00000000-0000-0000-0000-000000000000,DataSensitivityLogEvent,72f988bf-86f1-41af-91ab-2d7cd011db47,458b9821-8f00-483f-acf9-ff6ab17332c4,Sentinel-Bug-Bash-SoutheastAsia,southeastasia,AzureBlob-eXR,AzureBlob,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourceGroups/classification-test/providers/Microsoft.Storage/storageAccounts/aipclptest,458b9821-8f00-483f-acf9-ff6ab17332c4,eastus,BugBashTest,,uk-drv.docx,https://aipclptest.blob.core.windows.net/aipscan/HR/uk-drv.docx,File,"2/13/2020, 7:54:12.000 PM","2/13/2020, 7:54:12.000 PM",,"11/1/2021, 4:12:25.464 PM",docx,20274,Labeling,External,[],0,f42aa342-8706-4288-bd11-ebb85995028c,General,,,PurviewDataSensitivityLogs,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourcegroups/purview-sentinel-bug-bash/providers/microsoft.purview/accounts/sentinel-bug-bash-southeastasia -d80e74e9-da11-4572-babc-79349f7685cc,"11/1/2021, 4:16:00.807 PM",00000000-0000-0000-0000-000000000000,DataSensitivityLogEvent,72f988bf-86f1-41af-91ab-2d7cd011db47,458b9821-8f00-483f-acf9-ff6ab17332c4,Sentinel-Bug-Bash-SoutheastAsia,southeastasia,AzureBlob-eXR,AzureBlob,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourceGroups/classification-test/providers/Microsoft.Storage/storageAccounts/aipclptest,458b9821-8f00-483f-acf9-ff6ab17332c4,eastus,BugBashTest,,fr-insee.docx,https://aipclptest.blob.core.windows.net/joselw-test/fr-insee.docx,File,"8/16/2021, 8:56:13.000 PM","8/16/2021, 8:56:13.000 PM",,"11/1/2021, 4:12:30.787 PM",docx,19735,Labeling,Default,[],0,9fbde396-1a24-4c79-8edf-9254a0f35055,Confidential\Microsoft Extended,,,PurviewDataSensitivityLogs,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourcegroups/purview-sentinel-bug-bash/providers/microsoft.purview/accounts/sentinel-bug-bash-southeastasia -d80e74e9-da11-4572-babc-79349f7685cc,"11/1/2021, 4:16:00.818 PM",00000000-0000-0000-0000-000000000000,DataSensitivityLogEvent,72f988bf-86f1-41af-91ab-2d7cd011db47,458b9821-8f00-483f-acf9-ff6ab17332c4,Sentinel-Bug-Bash-SoutheastAsia,southeastasia,AzureBlob-eXR,AzureBlob,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourceGroups/classification-test/providers/Microsoft.Storage/storageAccounts/aipclptest,458b9821-8f00-483f-acf9-ff6ab17332c4,eastus,BugBashTest,,denmark.txt,https://aipclptest.blob.core.windows.net/joselw-test/denmark.txt,File,"8/16/2021, 8:56:14.000 PM","8/16/2021, 8:56:14.000 PM",,"11/1/2021, 4:12:28.001 PM",txt,128,Labeling,Default,[],0,9fbde396-1a24-4c79-8edf-9254a0f35055,Confidential\Microsoft Extended,,,PurviewDataSensitivityLogs,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourcegroups/purview-sentinel-bug-bash/providers/microsoft.purview/accounts/sentinel-bug-bash-southeastasia -d80e74e9-da11-4572-babc-79349f7685cc,"11/1/2021, 4:16:00.849 PM",00000000-0000-0000-0000-000000000000,DataSensitivityLogEvent,72f988bf-86f1-41af-91ab-2d7cd011db47,458b9821-8f00-483f-acf9-ff6ab17332c4,Sentinel-Bug-Bash-SoutheastAsia,southeastasia,AzureBlob-eXR,AzureBlob,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourceGroups/classification-test/providers/Microsoft.Storage/storageAccounts/aipclptest,458b9821-8f00-483f-acf9-ff6ab17332c4,eastus,BugBashTest,,multiple.docx,https://aipclptest.blob.core.windows.net/joselw-test/multiple.docx,File,"8/16/2021, 8:56:13.000 PM","8/16/2021, 8:56:13.000 PM",,"11/1/2021, 4:12:26.860 PM",docx,17817,Labeling,Default,[],0,9fbde396-1a24-4c79-8edf-9254a0f35055,Confidential\Microsoft Extended,,,PurviewDataSensitivityLogs,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourcegroups/purview-sentinel-bug-bash/providers/microsoft.purview/accounts/sentinel-bug-bash-southeastasia -d80e74e9-da11-4572-babc-79349f7685cc,"11/1/2021, 4:16:00.855 PM",00000000-0000-0000-0000-000000000000,DataSensitivityLogEvent,72f988bf-86f1-41af-91ab-2d7cd011db47,458b9821-8f00-483f-acf9-ff6ab17332c4,Sentinel-Bug-Bash-SoutheastAsia,southeastasia,AzureBlob-eXR,AzureBlob,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourceGroups/classification-test/providers/Microsoft.Storage/storageAccounts/aipclptest,458b9821-8f00-483f-acf9-ff6ab17332c4,eastus,BugBashTest,,Acme Background Check.doc,https://aipclptest.blob.core.windows.net/aipscan/CredScan/Acme Background Check.doc,File,"2/13/2020, 7:53:39.000 PM","2/13/2020, 7:53:39.000 PM",,"11/1/2021, 4:12:45.310 PM",doc,95232,Labeling,Default,[],0,9fbde396-1a24-4c79-8edf-9254a0f35055,Confidential\Microsoft Extended,,,PurviewDataSensitivityLogs,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourcegroups/purview-sentinel-bug-bash/providers/microsoft.purview/accounts/sentinel-bug-bash-southeastasia -d80e74e9-da11-4572-babc-79349f7685cc,"11/1/2021, 4:16:00.891 PM",00000000-0000-0000-0000-000000000000,DataSensitivityLogEvent,72f988bf-86f1-41af-91ab-2d7cd011db47,458b9821-8f00-483f-acf9-ff6ab17332c4,Sentinel-Bug-Bash-SoutheastAsia,southeastasia,AzureBlob-eXR,AzureBlob,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourceGroups/classification-test/providers/Microsoft.Storage/storageAccounts/aipclptest,458b9821-8f00-483f-acf9-ff6ab17332c4,eastus,BugBashTest,,Acme Request for Time Off-Katana.doc,https://aipclptest.blob.core.windows.net/aipscan/CredScan/Acme Request for Time Off-Katana.doc,File,"2/13/2020, 7:53:38.000 PM","2/13/2020, 7:53:38.000 PM",,"11/1/2021, 4:12:46.857 PM",doc,39936,Labeling,Default,[],0,9fbde396-1a24-4c79-8edf-9254a0f35055,Confidential\Microsoft Extended,,,PurviewDataSensitivityLogs,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourcegroups/purview-sentinel-bug-bash/providers/microsoft.purview/accounts/sentinel-bug-bash-southeastasia -d80e74e9-da11-4572-babc-79349f7685cc,"11/1/2021, 4:16:00.896 PM",00000000-0000-0000-0000-000000000000,DataSensitivityLogEvent,72f988bf-86f1-41af-91ab-2d7cd011db47,458b9821-8f00-483f-acf9-ff6ab17332c4,Sentinel-Bug-Bash-SoutheastAsia,southeastasia,AzureBlob-eXR,AzureBlob,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourceGroups/classification-test/providers/Microsoft.Storage/storageAccounts/aipclptest,458b9821-8f00-483f-acf9-ff6ab17332c4,eastus,BugBashTest,,fr-cni-pdf.pdf,https://aipclptest.blob.core.windows.net/joselw-test/fr-cni-pdf.pdf,File,"8/16/2021, 8:56:14.000 PM","8/16/2021, 8:56:14.000 PM",,"11/1/2021, 4:12:30.881 PM",pdf,327291,Labeling,Default,[],0,9fbde396-1a24-4c79-8edf-9254a0f35055,Confidential\Microsoft Extended,,,PurviewDataSensitivityLogs,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourcegroups/purview-sentinel-bug-bash/providers/microsoft.purview/accounts/sentinel-bug-bash-southeastasia -d80e74e9-da11-4572-babc-79349f7685cc,"11/1/2021, 4:16:00.898 PM",00000000-0000-0000-0000-000000000000,DataSensitivityLogEvent,72f988bf-86f1-41af-91ab-2d7cd011db47,458b9821-8f00-483f-acf9-ff6ab17332c4,Sentinel-Bug-Bash-SoutheastAsia,southeastasia,AzureBlob-eXR,AzureBlob,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourceGroups/classification-test/providers/Microsoft.Storage/storageAccounts/aipclptest,458b9821-8f00-483f-acf9-ff6ab17332c4,eastus,BugBashTest,,Credit Card Spreadsheet.xls,https://aipclptest.blob.core.windows.net/aipscan/CredScan/Credit Card Spreadsheet.xls,File,"2/13/2020, 7:53:39.000 PM","2/13/2020, 7:53:39.000 PM",,"11/1/2021, 4:12:45.310 PM",xls,30208,Labeling,Default,[],0,9fbde396-1a24-4c79-8edf-9254a0f35055,Confidential\Microsoft Extended,,,PurviewDataSensitivityLogs,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourcegroups/purview-sentinel-bug-bash/providers/microsoft.purview/accounts/sentinel-bug-bash-southeastasia -d80e74e9-da11-4572-babc-79349f7685cc,"11/1/2021, 4:16:00.898 PM",00000000-0000-0000-0000-000000000000,DataSensitivityLogEvent,72f988bf-86f1-41af-91ab-2d7cd011db47,458b9821-8f00-483f-acf9-ff6ab17332c4,Sentinel-Bug-Bash-SoutheastAsia,southeastasia,AzureBlob-eXR,AzureBlob,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourceGroups/classification-test/providers/Microsoft.Storage/storageAccounts/aipclptest,458b9821-8f00-483f-acf9-ff6ab17332c4,eastus,BugBashTest,,es-ssn.docx,https://aipclptest.blob.core.windows.net/joselw-test/es-ssn.docx,File,"8/16/2021, 8:56:14.000 PM","8/16/2021, 8:56:14.000 PM",,"11/1/2021, 4:12:29.032 PM",docx,19548,Labeling,Default,[],0,9fbde396-1a24-4c79-8edf-9254a0f35055,Confidential\Microsoft Extended,,,PurviewDataSensitivityLogs,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourcegroups/purview-sentinel-bug-bash/providers/microsoft.purview/accounts/sentinel-bug-bash-southeastasia -d80e74e9-da11-4572-babc-79349f7685cc,"11/1/2021, 4:16:00.936 PM",00000000-0000-0000-0000-000000000000,DataSensitivityLogEvent,72f988bf-86f1-41af-91ab-2d7cd011db47,458b9821-8f00-483f-acf9-ff6ab17332c4,Sentinel-Bug-Bash-SoutheastAsia,southeastasia,AzureBlob-eXR,AzureBlob,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourceGroups/classification-test/providers/Microsoft.Storage/storageAccounts/aipclptest,458b9821-8f00-483f-acf9-ff6ab17332c4,eastus,BugBashTest,,dk-id.docx,https://aipclptest.blob.core.windows.net/joselw-test/dk-id.docx,File,"8/16/2021, 8:56:14.000 PM","8/16/2021, 8:56:14.000 PM",,"11/1/2021, 4:12:30.568 PM",docx,19576,Labeling,Default,[],0,9fbde396-1a24-4c79-8edf-9254a0f35055,Confidential\Microsoft Extended,,,PurviewDataSensitivityLogs,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourcegroups/purview-sentinel-bug-bash/providers/microsoft.purview/accounts/sentinel-bug-bash-southeastasia -d80e74e9-da11-4572-babc-79349f7685cc,"11/1/2021, 4:16:00.938 PM",00000000-0000-0000-0000-000000000000,DataSensitivityLogEvent,72f988bf-86f1-41af-91ab-2d7cd011db47,458b9821-8f00-483f-acf9-ff6ab17332c4,Sentinel-Bug-Bash-SoutheastAsia,southeastasia,AzureBlob-eXR,AzureBlob,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourceGroups/classification-test/providers/Microsoft.Storage/storageAccounts/aipclptest,458b9821-8f00-483f-acf9-ff6ab17332c4,eastus,BugBashTest,,Travel Authorization Form_MY_101706.doc,https://aipclptest.blob.core.windows.net/aipscan/CredScan/Travel Authorization Form_MY_101706.doc,File,"2/13/2020, 7:53:38.000 PM","2/13/2020, 7:53:38.000 PM",,"11/1/2021, 4:12:45.278 PM",doc,40960,Labeling,Default,[],0,9fbde396-1a24-4c79-8edf-9254a0f35055,Confidential\Microsoft Extended,,,PurviewDataSensitivityLogs,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourcegroups/purview-sentinel-bug-bash/providers/microsoft.purview/accounts/sentinel-bug-bash-southeastasia -d80e74e9-da11-4572-babc-79349f7685cc,"11/1/2021, 4:16:00.944 PM",00000000-0000-0000-0000-000000000000,DataSensitivityLogEvent,72f988bf-86f1-41af-91ab-2d7cd011db47,458b9821-8f00-483f-acf9-ff6ab17332c4,Sentinel-Bug-Bash-SoutheastAsia,southeastasia,AzureBlob-eXR,AzureBlob,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourceGroups/classification-test/providers/Microsoft.Storage/storageAccounts/aipclptest,458b9821-8f00-483f-acf9-ff6ab17332c4,eastus,BugBashTest,,EL.txt,https://aipclptest.blob.core.windows.net/aashishr01/EL.txt,File,"12/11/2020, 8:59:35.000 PM","12/11/2020, 8:59:35.000 PM",,"11/1/2021, 4:12:17.769 PM",txt,200,Classification,System,"[""EU National Identification Number"",""Greece National ID Card""]",2,,,,,PurviewDataSensitivityLogs,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourcegroups/purview-sentinel-bug-bash/providers/microsoft.purview/accounts/sentinel-bug-bash-southeastasia -d80e74e9-da11-4572-babc-79349f7685cc,"11/1/2021, 4:16:00.951 PM",00000000-0000-0000-0000-000000000000,DataSensitivityLogEvent,72f988bf-86f1-41af-91ab-2d7cd011db47,458b9821-8f00-483f-acf9-ff6ab17332c4,Sentinel-Bug-Bash-SoutheastAsia,southeastasia,AzureBlob-eXR,AzureBlob,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourceGroups/classification-test/providers/Microsoft.Storage/storageAccounts/aipclptest,458b9821-8f00-483f-acf9-ff6ab17332c4,eastus,BugBashTest,,de-id.docx,https://aipclptest.blob.core.windows.net/aashishr01/de-id.docx,File,"12/11/2020, 8:59:35.000 PM","12/11/2020, 8:59:35.000 PM",,"11/1/2021, 4:12:17.925 PM",docx,25558,Classification,System,"[""EU National Identification Number"",""Germany Identity Card Number""]",2,,,,,PurviewDataSensitivityLogs,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourcegroups/purview-sentinel-bug-bash/providers/microsoft.purview/accounts/sentinel-bug-bash-southeastasia -d80e74e9-da11-4572-babc-79349f7685cc,"11/1/2021, 4:16:00.957 PM",00000000-0000-0000-0000-000000000000,DataSensitivityLogEvent,72f988bf-86f1-41af-91ab-2d7cd011db47,458b9821-8f00-483f-acf9-ff6ab17332c4,Sentinel-Bug-Bash-SoutheastAsia,southeastasia,AzureBlob-eXR,AzureBlob,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourceGroups/classification-test/providers/Microsoft.Storage/storageAccounts/aipclptest,458b9821-8f00-483f-acf9-ff6ab17332c4,eastus,BugBashTest,,de-pn.docx,https://aipclptest.blob.core.windows.net/aashishr01/de-pn.docx,File,"12/11/2020, 8:59:35.000 PM","12/11/2020, 8:59:35.000 PM",,"11/1/2021, 4:12:17.925 PM",docx,26060,Classification,System,"[""EU Passport Number"",""German Passport Number""]",2,,,,,PurviewDataSensitivityLogs,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourcegroups/purview-sentinel-bug-bash/providers/microsoft.purview/accounts/sentinel-bug-bash-southeastasia -d80e74e9-da11-4572-babc-79349f7685cc,"11/1/2021, 4:16:00.963 PM",00000000-0000-0000-0000-000000000000,DataSensitivityLogEvent,72f988bf-86f1-41af-91ab-2d7cd011db47,458b9821-8f00-483f-acf9-ff6ab17332c4,Sentinel-Bug-Bash-SoutheastAsia,southeastasia,AzureBlob-eXR,AzureBlob,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourceGroups/classification-test/providers/Microsoft.Storage/storageAccounts/aipclptest,458b9821-8f00-483f-acf9-ff6ab17332c4,eastus,BugBashTest,,multiple.docx,https://aipclptest.blob.core.windows.net/aashishr01/multiple.docx,File,"12/11/2020, 8:59:33.000 PM","12/11/2020, 8:59:33.000 PM",,"11/1/2021, 4:12:17.925 PM",docx,24336,Classification,System,"[""EU National Identification Number"",""EU Social Security Number (SSN) or Equivalent ID"",""EU Tax Identification Number (TIN)"",""Finland National ID"",""Germany Identity Card Number"",""Greece National ID Card"",""Ireland Personal Public Service (PPS) Number""]",7,,,,,PurviewDataSensitivityLogs,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourcegroups/purview-sentinel-bug-bash/providers/microsoft.purview/accounts/sentinel-bug-bash-southeastasia -d80e74e9-da11-4572-babc-79349f7685cc,"11/1/2021, 4:16:00.968 PM",00000000-0000-0000-0000-000000000000,DataSensitivityLogEvent,72f988bf-86f1-41af-91ab-2d7cd011db47,458b9821-8f00-483f-acf9-ff6ab17332c4,Sentinel-Bug-Bash-SoutheastAsia,southeastasia,AzureBlob-eXR,AzureBlob,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourceGroups/classification-test/providers/Microsoft.Storage/storageAccounts/aipclptest,458b9821-8f00-483f-acf9-ff6ab17332c4,eastus,BugBashTest,,2020 forecast.pptx,https://aipclptest.blob.core.windows.net/aipscan/Finance/2020 forecast.pptx,File,"2/13/2020, 7:54:02.000 PM","2/13/2020, 7:54:02.000 PM",,"11/1/2021, 4:12:27.135 PM",pptx,32114,Classification,System,"[""Credit Card Number"",""EU Debit Card Number""]",2,,,,,PurviewDataSensitivityLogs,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourcegroups/purview-sentinel-bug-bash/providers/microsoft.purview/accounts/sentinel-bug-bash-southeastasia -d80e74e9-da11-4572-babc-79349f7685cc,"11/1/2021, 4:16:00.975 PM",00000000-0000-0000-0000-000000000000,DataSensitivityLogEvent,72f988bf-86f1-41af-91ab-2d7cd011db47,458b9821-8f00-483f-acf9-ff6ab17332c4,Sentinel-Bug-Bash-SoutheastAsia,southeastasia,AzureBlob-eXR,AzureBlob,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourceGroups/classification-test/providers/Microsoft.Storage/storageAccounts/aipclptest,458b9821-8f00-483f-acf9-ff6ab17332c4,eastus,BugBashTest,,Test Doc with Creditcard.docx,https://aipclptest.blob.core.windows.net/aipscan/Finance/Test Doc with Creditcard.docx,File,"2/13/2020, 7:54:02.000 PM","2/13/2020, 7:54:02.000 PM",,"11/1/2021, 4:12:27.151 PM",docx,12800,Classification,System,"[""Credit Card Number"",""EU Debit Card Number""]",2,,,,,PurviewDataSensitivityLogs,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourcegroups/purview-sentinel-bug-bash/providers/microsoft.purview/accounts/sentinel-bug-bash-southeastasia -d80e74e9-da11-4572-babc-79349f7685cc,"11/1/2021, 4:16:00.981 PM",00000000-0000-0000-0000-000000000000,DataSensitivityLogEvent,72f988bf-86f1-41af-91ab-2d7cd011db47,458b9821-8f00-483f-acf9-ff6ab17332c4,Sentinel-Bug-Bash-SoutheastAsia,southeastasia,AzureBlob-eXR,AzureBlob,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourceGroups/classification-test/providers/Microsoft.Storage/storageAccounts/aipclptest,458b9821-8f00-483f-acf9-ff6ab17332c4,eastus,BugBashTest,,de-pn.docx,https://aipclptest.blob.core.windows.net/aipscan/HR/de-pn.docx,File,"2/13/2020, 7:54:12.000 PM","2/13/2020, 7:54:12.000 PM",,"11/1/2021, 4:12:25.635 PM",docx,20125,Classification,System,"[""EU Passport Number"",""German Passport Number""]",2,,,,,PurviewDataSensitivityLogs,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourcegroups/purview-sentinel-bug-bash/providers/microsoft.purview/accounts/sentinel-bug-bash-southeastasia -d80e74e9-da11-4572-babc-79349f7685cc,"11/1/2021, 4:16:00.981 PM",00000000-0000-0000-0000-000000000000,DataSensitivityLogEvent,72f988bf-86f1-41af-91ab-2d7cd011db47,458b9821-8f00-483f-acf9-ff6ab17332c4,Sentinel-Bug-Bash-SoutheastAsia,southeastasia,AzureBlob-eXR,AzureBlob,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourceGroups/classification-test/providers/Microsoft.Storage/storageAccounts/aipclptest,458b9821-8f00-483f-acf9-ff6ab17332c4,eastus,BugBashTest,,de-pn.docx,https://aipclptest.blob.core.windows.net/aipscan/HR/de-pn.docx,File,"2/13/2020, 7:54:12.000 PM","2/13/2020, 7:54:12.000 PM",,"11/1/2021, 4:12:25.635 PM",docx,20125,Labeling,External,[],0,f42aa342-8706-4288-bd11-ebb85995028c,General,,,PurviewDataSensitivityLogs,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourcegroups/purview-sentinel-bug-bash/providers/microsoft.purview/accounts/sentinel-bug-bash-southeastasia -d80e74e9-da11-4572-babc-79349f7685cc,"11/1/2021, 4:16:00.982 PM",00000000-0000-0000-0000-000000000000,DataSensitivityLogEvent,72f988bf-86f1-41af-91ab-2d7cd011db47,458b9821-8f00-483f-acf9-ff6ab17332c4,Sentinel-Bug-Bash-SoutheastAsia,southeastasia,AzureBlob-eXR,AzureBlob,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourceGroups/classification-test/providers/Microsoft.Storage/storageAccounts/aipclptest,458b9821-8f00-483f-acf9-ff6ab17332c4,eastus,BugBashTest,,fi-id.docx,https://aipclptest.blob.core.windows.net/aipscan/HR/fi-id.docx,File,"2/13/2020, 7:54:12.000 PM","2/13/2020, 7:54:12.000 PM",,"11/1/2021, 4:12:26.417 PM",docx,20189,Classification,System,"[""EU National Identification Number"",""EU Social Security Number (SSN) or Equivalent ID"",""EU Tax Identification Number (TIN)"",""Finland National ID""]",4,,,,,PurviewDataSensitivityLogs,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourcegroups/purview-sentinel-bug-bash/providers/microsoft.purview/accounts/sentinel-bug-bash-southeastasia -d80e74e9-da11-4572-babc-79349f7685cc,"11/1/2021, 4:16:00.982 PM",00000000-0000-0000-0000-000000000000,DataSensitivityLogEvent,72f988bf-86f1-41af-91ab-2d7cd011db47,458b9821-8f00-483f-acf9-ff6ab17332c4,Sentinel-Bug-Bash-SoutheastAsia,southeastasia,AzureBlob-eXR,AzureBlob,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourceGroups/classification-test/providers/Microsoft.Storage/storageAccounts/aipclptest,458b9821-8f00-483f-acf9-ff6ab17332c4,eastus,BugBashTest,,fi-id.docx,https://aipclptest.blob.core.windows.net/aipscan/HR/fi-id.docx,File,"2/13/2020, 7:54:12.000 PM","2/13/2020, 7:54:12.000 PM",,"11/1/2021, 4:12:26.417 PM",docx,20189,Labeling,External,[],0,f42aa342-8706-4288-bd11-ebb85995028c,General,,,PurviewDataSensitivityLogs,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourcegroups/purview-sentinel-bug-bash/providers/microsoft.purview/accounts/sentinel-bug-bash-southeastasia -d80e74e9-da11-4572-babc-79349f7685cc,"11/1/2021, 4:16:00.982 PM",00000000-0000-0000-0000-000000000000,DataSensitivityLogEvent,72f988bf-86f1-41af-91ab-2d7cd011db47,458b9821-8f00-483f-acf9-ff6ab17332c4,Sentinel-Bug-Bash-SoutheastAsia,southeastasia,AzureBlob-eXR,AzureBlob,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourceGroups/classification-test/providers/Microsoft.Storage/storageAccounts/aipclptest,458b9821-8f00-483f-acf9-ff6ab17332c4,eastus,BugBashTest,,2019 forecast.pptx,https://aipclptest.blob.core.windows.net/aipscan/Finance/2019 forecast.pptx,File,"2/13/2020, 7:54:02.000 PM","2/13/2020, 7:54:02.000 PM",,"11/1/2021, 4:12:28.339 PM",pptx,32114,Classification,System,"[""Credit Card Number"",""EU Debit Card Number""]",2,,,,,PurviewDataSensitivityLogs,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourcegroups/purview-sentinel-bug-bash/providers/microsoft.purview/accounts/sentinel-bug-bash-southeastasia -d80e74e9-da11-4572-babc-79349f7685cc,"11/1/2021, 4:16:00.987 PM",00000000-0000-0000-0000-000000000000,DataSensitivityLogEvent,72f988bf-86f1-41af-91ab-2d7cd011db47,458b9821-8f00-483f-acf9-ff6ab17332c4,Sentinel-Bug-Bash-SoutheastAsia,southeastasia,AzureBlob-eXR,AzureBlob,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourceGroups/classification-test/providers/Microsoft.Storage/storageAccounts/aipclptest,458b9821-8f00-483f-acf9-ff6ab17332c4,eastus,BugBashTest,,Billable vendors.pptx,https://aipclptest.blob.core.windows.net/aipscan/Finance/Billable vendors.pptx,File,"2/13/2020, 7:54:02.000 PM","2/13/2020, 7:54:02.000 PM",,"11/1/2021, 4:12:28.339 PM",pptx,32114,Classification,System,"[""Credit Card Number"",""EU Debit Card Number""]",2,,,,,PurviewDataSensitivityLogs,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourcegroups/purview-sentinel-bug-bash/providers/microsoft.purview/accounts/sentinel-bug-bash-southeastasia -d80e74e9-da11-4572-babc-79349f7685cc,"11/1/2021, 4:16:01.001 PM",00000000-0000-0000-0000-000000000000,DataSensitivityLogEvent,72f988bf-86f1-41af-91ab-2d7cd011db47,458b9821-8f00-483f-acf9-ff6ab17332c4,Sentinel-Bug-Bash-SoutheastAsia,southeastasia,AzureBlob-eXR,AzureBlob,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourceGroups/classification-test/providers/Microsoft.Storage/storageAccounts/aipclptest,458b9821-8f00-483f-acf9-ff6ab17332c4,eastus,BugBashTest,,finland.txt,https://aipclptest.blob.core.windows.net/aashishr01/finland.txt,File,"12/11/2020, 8:59:33.000 PM","12/11/2020, 8:59:33.000 PM",,"11/1/2021, 4:12:18.879 PM",txt,89,Classification,System,"[""EU National Identification Number"",""EU Social Security Number (SSN) or Equivalent ID"",""EU Tax Identification Number (TIN)"",""Finland National ID""]",4,,,,,PurviewDataSensitivityLogs,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourcegroups/purview-sentinel-bug-bash/providers/microsoft.purview/accounts/sentinel-bug-bash-southeastasia -d80e74e9-da11-4572-babc-79349f7685cc,"11/1/2021, 4:16:01.008 PM",00000000-0000-0000-0000-000000000000,DataSensitivityLogEvent,72f988bf-86f1-41af-91ab-2d7cd011db47,458b9821-8f00-483f-acf9-ff6ab17332c4,Sentinel-Bug-Bash-SoutheastAsia,southeastasia,AzureBlob-eXR,AzureBlob,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourceGroups/classification-test/providers/Microsoft.Storage/storageAccounts/aipclptest,458b9821-8f00-483f-acf9-ff6ab17332c4,eastus,BugBashTest,,IR.txt,https://aipclptest.blob.core.windows.net/aashishr01/IR.txt,File,"12/11/2020, 8:59:33.000 PM","12/11/2020, 8:59:33.000 PM",,"11/1/2021, 4:12:18.379 PM",txt,197,Classification,System,"[""EU National Identification Number"",""EU Tax Identification Number (TIN)"",""Ireland Personal Public Service (PPS) Number""]",3,,,,,PurviewDataSensitivityLogs,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourcegroups/purview-sentinel-bug-bash/providers/microsoft.purview/accounts/sentinel-bug-bash-southeastasia -d80e74e9-da11-4572-babc-79349f7685cc,"11/1/2021, 4:16:01.015 PM",00000000-0000-0000-0000-000000000000,DataSensitivityLogEvent,72f988bf-86f1-41af-91ab-2d7cd011db47,458b9821-8f00-483f-acf9-ff6ab17332c4,Sentinel-Bug-Bash-SoutheastAsia,southeastasia,AzureBlob-eXR,AzureBlob,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourceGroups/classification-test/providers/Microsoft.Storage/storageAccounts/aipclptest,458b9821-8f00-483f-acf9-ff6ab17332c4,eastus,BugBashTest,,fi-id.docx,https://aipclptest.blob.core.windows.net/aashishr01/fi-id.docx,File,"12/11/2020, 8:59:33.000 PM","12/11/2020, 8:59:33.000 PM",,"11/1/2021, 4:12:18.394 PM",docx,26124,Classification,System,"[""EU National Identification Number"",""EU Social Security Number (SSN) or Equivalent ID"",""EU Tax Identification Number (TIN)"",""Finland National ID""]",4,,,,,PurviewDataSensitivityLogs,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourcegroups/purview-sentinel-bug-bash/providers/microsoft.purview/accounts/sentinel-bug-bash-southeastasia -d80e74e9-da11-4572-babc-79349f7685cc,"11/1/2021, 4:16:01.024 PM",00000000-0000-0000-0000-000000000000,DataSensitivityLogEvent,72f988bf-86f1-41af-91ab-2d7cd011db47,458b9821-8f00-483f-acf9-ff6ab17332c4,Sentinel-Bug-Bash-SoutheastAsia,southeastasia,AzureBlob-eXR,AzureBlob,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourceGroups/classification-test/providers/Microsoft.Storage/storageAccounts/aipclptest,458b9821-8f00-483f-acf9-ff6ab17332c4,eastus,BugBashTest,,uk-drv.docx,https://aipclptest.blob.core.windows.net/aashishr01/uk-drv.docx,File,"12/11/2020, 8:59:35.000 PM","12/11/2020, 8:59:35.000 PM",,"11/1/2021, 4:12:22.225 PM",docx,26212,Classification,System,"[""EU Driver's License Number"",""U.K. Driver's License Number""]",2,,,,,PurviewDataSensitivityLogs,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourcegroups/purview-sentinel-bug-bash/providers/microsoft.purview/accounts/sentinel-bug-bash-southeastasia -d80e74e9-da11-4572-babc-79349f7685cc,"11/1/2021, 4:16:01.027 PM",00000000-0000-0000-0000-000000000000,DataSensitivityLogEvent,72f988bf-86f1-41af-91ab-2d7cd011db47,458b9821-8f00-483f-acf9-ff6ab17332c4,Sentinel-Bug-Bash-SoutheastAsia,southeastasia,AzureBlob-eXR,AzureBlob,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourceGroups/classification-test/providers/Microsoft.Storage/storageAccounts/aipclptest,458b9821-8f00-483f-acf9-ff6ab17332c4,eastus,BugBashTest,,uk-nino.docx,https://aipclptest.blob.core.windows.net/joselw-test/uk-nino.docx,File,"8/16/2021, 8:56:13.000 PM","8/16/2021, 8:56:13.000 PM",,"11/1/2021, 4:12:27.251 PM",docx,19659,Labeling,Default,[],0,9fbde396-1a24-4c79-8edf-9254a0f35055,Confidential\Microsoft Extended,,,PurviewDataSensitivityLogs,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourcegroups/purview-sentinel-bug-bash/providers/microsoft.purview/accounts/sentinel-bug-bash-southeastasia -d80e74e9-da11-4572-babc-79349f7685cc,"11/1/2021, 4:16:01.030 PM",00000000-0000-0000-0000-000000000000,DataSensitivityLogEvent,72f988bf-86f1-41af-91ab-2d7cd011db47,458b9821-8f00-483f-acf9-ff6ab17332c4,Sentinel-Bug-Bash-SoutheastAsia,southeastasia,AzureBlob-eXR,AzureBlob,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourceGroups/classification-test/providers/Microsoft.Storage/storageAccounts/aipclptest,458b9821-8f00-483f-acf9-ff6ab17332c4,eastus,BugBashTest,,ir-pps.docx,https://aipclptest.blob.core.windows.net/aashishr01/ir-pps.docx,File,"12/11/2020, 8:59:33.000 PM","12/11/2020, 8:59:33.000 PM",,"11/1/2021, 4:12:22.491 PM",docx,25964,Classification,System,"[""EU National Identification Number"",""EU Tax Identification Number (TIN)"",""Ireland Personal Public Service (PPS) Number""]",3,,,,,PurviewDataSensitivityLogs,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourcegroups/purview-sentinel-bug-bash/providers/microsoft.purview/accounts/sentinel-bug-bash-southeastasia -d80e74e9-da11-4572-babc-79349f7685cc,"11/1/2021, 4:16:01.037 PM",00000000-0000-0000-0000-000000000000,DataSensitivityLogEvent,72f988bf-86f1-41af-91ab-2d7cd011db47,458b9821-8f00-483f-acf9-ff6ab17332c4,Sentinel-Bug-Bash-SoutheastAsia,southeastasia,AzureBlob-eXR,AzureBlob,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourceGroups/classification-test/providers/Microsoft.Storage/storageAccounts/aipclptest,458b9821-8f00-483f-acf9-ff6ab17332c4,eastus,BugBashTest,,pl-id.docx,https://aipclptest.blob.core.windows.net/aashishr01/pl-id.docx,File,"12/11/2020, 8:59:33.000 PM","12/11/2020, 8:59:33.000 PM",,"11/1/2021, 4:12:22.491 PM",docx,26144,Classification,System,"[""EU National Identification Number"",""Poland Identity Card""]",2,,,,,PurviewDataSensitivityLogs,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourcegroups/purview-sentinel-bug-bash/providers/microsoft.purview/accounts/sentinel-bug-bash-southeastasia -d80e74e9-da11-4572-babc-79349f7685cc,"11/1/2021, 4:16:01.043 PM",00000000-0000-0000-0000-000000000000,DataSensitivityLogEvent,72f988bf-86f1-41af-91ab-2d7cd011db47,458b9821-8f00-483f-acf9-ff6ab17332c4,Sentinel-Bug-Bash-SoutheastAsia,southeastasia,AzureBlob-eXR,AzureBlob,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourceGroups/classification-test/providers/Microsoft.Storage/storageAccounts/aipclptest,458b9821-8f00-483f-acf9-ff6ab17332c4,eastus,BugBashTest,,cz.txt,https://aipclptest.blob.core.windows.net/aashishr01/cz.txt,File,"12/11/2020, 8:59:35.000 PM","12/11/2020, 8:59:35.000 PM",,"11/1/2021, 4:12:19.803 PM",txt,124,Classification,System,"[""EU National Identification Number"",""EU Social Security Number (SSN) or Equivalent ID""]",2,,,,,PurviewDataSensitivityLogs,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourcegroups/purview-sentinel-bug-bash/providers/microsoft.purview/accounts/sentinel-bug-bash-southeastasia -d80e74e9-da11-4572-babc-79349f7685cc,"11/1/2021, 4:16:01.049 PM",00000000-0000-0000-0000-000000000000,DataSensitivityLogEvent,72f988bf-86f1-41af-91ab-2d7cd011db47,458b9821-8f00-483f-acf9-ff6ab17332c4,Sentinel-Bug-Bash-SoutheastAsia,southeastasia,AzureBlob-eXR,AzureBlob,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourceGroups/classification-test/providers/Microsoft.Storage/storageAccounts/aipclptest,458b9821-8f00-483f-acf9-ff6ab17332c4,eastus,BugBashTest,,it-drv.docx,https://aipclptest.blob.core.windows.net/aashishr01/it-drv.docx,File,"12/11/2020, 8:59:33.000 PM","12/11/2020, 8:59:33.000 PM",,"11/1/2021, 4:12:19.850 PM",docx,26098,Classification,System,"[""EU Driver's License Number"",""Italy Driver's License Number""]",2,,,,,PurviewDataSensitivityLogs,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourcegroups/purview-sentinel-bug-bash/providers/microsoft.purview/accounts/sentinel-bug-bash-southeastasia -d80e74e9-da11-4572-babc-79349f7685cc,"11/1/2021, 4:16:01.051 PM",00000000-0000-0000-0000-000000000000,DataSensitivityLogEvent,72f988bf-86f1-41af-91ab-2d7cd011db47,458b9821-8f00-483f-acf9-ff6ab17332c4,Sentinel-Bug-Bash-SoutheastAsia,southeastasia,AzureBlob-eXR,AzureBlob,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourceGroups/classification-test/providers/Microsoft.Storage/storageAccounts/aipclptest,458b9821-8f00-483f-acf9-ff6ab17332c4,eastus,BugBashTest,,fi-pn.docx,https://aipclptest.blob.core.windows.net/joselw-test/fi-pn.docx,File,"8/16/2021, 8:56:14.000 PM","8/16/2021, 8:56:14.000 PM",,"11/1/2021, 4:12:28.532 PM",docx,18996,Labeling,Default,[],0,9fbde396-1a24-4c79-8edf-9254a0f35055,Confidential\Microsoft Extended,,,PurviewDataSensitivityLogs,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourcegroups/purview-sentinel-bug-bash/providers/microsoft.purview/accounts/sentinel-bug-bash-southeastasia -d80e74e9-da11-4572-babc-79349f7685cc,"11/1/2021, 4:16:01.053 PM",00000000-0000-0000-0000-000000000000,DataSensitivityLogEvent,72f988bf-86f1-41af-91ab-2d7cd011db47,458b9821-8f00-483f-acf9-ff6ab17332c4,Sentinel-Bug-Bash-SoutheastAsia,southeastasia,AzureBlob-eXR,AzureBlob,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourceGroups/classification-test/providers/Microsoft.Storage/storageAccounts/aipclptest,458b9821-8f00-483f-acf9-ff6ab17332c4,eastus,BugBashTest,,de-pn.docx,https://aipclptest.blob.core.windows.net/joselw-test/de-pn.docx,File,"8/16/2021, 8:56:14.000 PM","8/16/2021, 8:56:14.000 PM",,"11/1/2021, 4:12:28.954 PM",docx,19539,Labeling,Default,[],0,9fbde396-1a24-4c79-8edf-9254a0f35055,Confidential\Microsoft Extended,,,PurviewDataSensitivityLogs,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourcegroups/purview-sentinel-bug-bash/providers/microsoft.purview/accounts/sentinel-bug-bash-southeastasia -d80e74e9-da11-4572-babc-79349f7685cc,"11/1/2021, 4:16:01.055 PM",00000000-0000-0000-0000-000000000000,DataSensitivityLogEvent,72f988bf-86f1-41af-91ab-2d7cd011db47,458b9821-8f00-483f-acf9-ff6ab17332c4,Sentinel-Bug-Bash-SoutheastAsia,southeastasia,AzureBlob-eXR,AzureBlob,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourceGroups/classification-test/providers/Microsoft.Storage/storageAccounts/aipclptest,458b9821-8f00-483f-acf9-ff6ab17332c4,eastus,BugBashTest,,dk-id.docx,https://aipclptest.blob.core.windows.net/aashishr01/dk-id.docx,File,"12/11/2020, 8:59:35.000 PM","12/11/2020, 8:59:35.000 PM",,"11/1/2021, 4:12:21.756 PM",docx,26098,Classification,System,"[""Denmark Personal Identification Number"",""EU National Identification Number"",""EU Social Security Number (SSN) or Equivalent ID"",""EU Tax Identification Number (TIN)""]",4,,,,,PurviewDataSensitivityLogs,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourcegroups/purview-sentinel-bug-bash/providers/microsoft.purview/accounts/sentinel-bug-bash-southeastasia -d80e74e9-da11-4572-babc-79349f7685cc,"11/1/2021, 4:16:01.061 PM",00000000-0000-0000-0000-000000000000,DataSensitivityLogEvent,72f988bf-86f1-41af-91ab-2d7cd011db47,458b9821-8f00-483f-acf9-ff6ab17332c4,Sentinel-Bug-Bash-SoutheastAsia,southeastasia,AzureBlob-eXR,AzureBlob,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourceGroups/classification-test/providers/Microsoft.Storage/storageAccounts/aipclptest,458b9821-8f00-483f-acf9-ff6ab17332c4,eastus,BugBashTest,,fr-cni.docx,https://aipclptest.blob.core.windows.net/aashishr01/fr-cni.docx,File,"12/11/2020, 8:59:33.000 PM","12/11/2020, 8:59:33.000 PM",,"11/1/2021, 4:12:21.756 PM",docx,26998,Classification,System,"[""EU National Identification Number"",""France National ID Card (CNI)""]",2,,,,,PurviewDataSensitivityLogs,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourcegroups/purview-sentinel-bug-bash/providers/microsoft.purview/accounts/sentinel-bug-bash-southeastasia -d80e74e9-da11-4572-babc-79349f7685cc,"11/1/2021, 4:16:01.070 PM",00000000-0000-0000-0000-000000000000,DataSensitivityLogEvent,72f988bf-86f1-41af-91ab-2d7cd011db47,458b9821-8f00-483f-acf9-ff6ab17332c4,Sentinel-Bug-Bash-SoutheastAsia,southeastasia,AzureBlob-eXR,AzureBlob,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourceGroups/classification-test/providers/Microsoft.Storage/storageAccounts/aipclptest,458b9821-8f00-483f-acf9-ff6ab17332c4,eastus,BugBashTest,,pl-id.docx,https://aipclptest.blob.core.windows.net/joselw-test/pl-id.docx,File,"8/16/2021, 8:56:13.000 PM","8/16/2021, 8:56:13.000 PM",,"11/1/2021, 4:12:28.314 PM",docx,19618,Labeling,Default,[],0,9fbde396-1a24-4c79-8edf-9254a0f35055,Confidential\Microsoft Extended,,,PurviewDataSensitivityLogs,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourcegroups/purview-sentinel-bug-bash/providers/microsoft.purview/accounts/sentinel-bug-bash-southeastasia -d80e74e9-da11-4572-babc-79349f7685cc,"11/1/2021, 4:16:01.111 PM",00000000-0000-0000-0000-000000000000,DataSensitivityLogEvent,72f988bf-86f1-41af-91ab-2d7cd011db47,458b9821-8f00-483f-acf9-ff6ab17332c4,Sentinel-Bug-Bash-SoutheastAsia,southeastasia,AzureBlob-eXR,AzureBlob,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourceGroups/classification-test/providers/Microsoft.Storage/storageAccounts/aipclptest,458b9821-8f00-483f-acf9-ff6ab17332c4,eastus,BugBashTest,,finland.txt,https://aipclptest.blob.core.windows.net/aipscan/HR/finland.txt,File,"2/13/2020, 7:54:12.000 PM","2/13/2020, 7:54:12.000 PM",,"11/1/2021, 4:12:26.401 PM",txt,89,Classification,System,"[""EU National Identification Number"",""EU Social Security Number (SSN) or Equivalent ID"",""EU Tax Identification Number (TIN)"",""Finland National ID""]",4,,,,,PurviewDataSensitivityLogs,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourcegroups/purview-sentinel-bug-bash/providers/microsoft.purview/accounts/sentinel-bug-bash-southeastasia -d80e74e9-da11-4572-babc-79349f7685cc,"11/1/2021, 4:16:01.117 PM",00000000-0000-0000-0000-000000000000,DataSensitivityLogEvent,72f988bf-86f1-41af-91ab-2d7cd011db47,458b9821-8f00-483f-acf9-ff6ab17332c4,Sentinel-Bug-Bash-SoutheastAsia,southeastasia,AzureBlob-eXR,AzureBlob,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourceGroups/classification-test/providers/Microsoft.Storage/storageAccounts/aipclptest,458b9821-8f00-483f-acf9-ff6ab17332c4,eastus,BugBashTest,,Billing 2018.docx,https://aipclptest.blob.core.windows.net/aipscan/Finance/Billing 2018.docx,File,"2/13/2020, 7:54:02.000 PM","2/13/2020, 7:54:02.000 PM",,"11/1/2021, 4:12:28.370 PM",docx,20166,Classification,System,"[""Credit Card Number"",""EU Debit Card Number""]",2,,,,,PurviewDataSensitivityLogs,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourcegroups/purview-sentinel-bug-bash/providers/microsoft.purview/accounts/sentinel-bug-bash-southeastasia -d80e74e9-da11-4572-babc-79349f7685cc,"11/1/2021, 4:16:01.122 PM",00000000-0000-0000-0000-000000000000,DataSensitivityLogEvent,72f988bf-86f1-41af-91ab-2d7cd011db47,458b9821-8f00-483f-acf9-ff6ab17332c4,Sentinel-Bug-Bash-SoutheastAsia,southeastasia,AzureBlob-eXR,AzureBlob,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourceGroups/classification-test/providers/Microsoft.Storage/storageAccounts/aipclptest,458b9821-8f00-483f-acf9-ff6ab17332c4,eastus,BugBashTest,,es-ssn.docx,https://aipclptest.blob.core.windows.net/aipscan/Finance/es-ssn.docx,File,"2/13/2020, 7:54:02.000 PM","2/13/2020, 7:54:02.000 PM",,"11/1/2021, 4:12:28.354 PM",docx,20018,Classification,System,"[""Spain Social Security Number (SSN)""]",1,,,,,PurviewDataSensitivityLogs,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourcegroups/purview-sentinel-bug-bash/providers/microsoft.purview/accounts/sentinel-bug-bash-southeastasia -d80e74e9-da11-4572-babc-79349f7685cc,"11/1/2021, 4:16:01.128 PM",00000000-0000-0000-0000-000000000000,DataSensitivityLogEvent,72f988bf-86f1-41af-91ab-2d7cd011db47,458b9821-8f00-483f-acf9-ff6ab17332c4,Sentinel-Bug-Bash-SoutheastAsia,southeastasia,AzureBlob-eXR,AzureBlob,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourceGroups/classification-test/providers/Microsoft.Storage/storageAccounts/aipclptest,458b9821-8f00-483f-acf9-ff6ab17332c4,eastus,BugBashTest,,sw-pn.docx,https://aipclptest.blob.core.windows.net/aipscan/HR/sw-pn.docx,File,"2/13/2020, 7:54:12.000 PM","2/13/2020, 7:54:12.000 PM",,"11/1/2021, 4:12:23.694 PM",docx,19632,Classification,System,"[""EU Passport Number"",""Sweden Passport Number""]",2,,,,,PurviewDataSensitivityLogs,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourcegroups/purview-sentinel-bug-bash/providers/microsoft.purview/accounts/sentinel-bug-bash-southeastasia -d80e74e9-da11-4572-babc-79349f7685cc,"11/1/2021, 4:16:01.128 PM",00000000-0000-0000-0000-000000000000,DataSensitivityLogEvent,72f988bf-86f1-41af-91ab-2d7cd011db47,458b9821-8f00-483f-acf9-ff6ab17332c4,Sentinel-Bug-Bash-SoutheastAsia,southeastasia,AzureBlob-eXR,AzureBlob,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourceGroups/classification-test/providers/Microsoft.Storage/storageAccounts/aipclptest,458b9821-8f00-483f-acf9-ff6ab17332c4,eastus,BugBashTest,,sw-pn.docx,https://aipclptest.blob.core.windows.net/aipscan/HR/sw-pn.docx,File,"2/13/2020, 7:54:12.000 PM","2/13/2020, 7:54:12.000 PM",,"11/1/2021, 4:12:23.694 PM",docx,19632,Labeling,External,[],0,f42aa342-8706-4288-bd11-ebb85995028c,General,,,PurviewDataSensitivityLogs,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourcegroups/purview-sentinel-bug-bash/providers/microsoft.purview/accounts/sentinel-bug-bash-southeastasia -d80e74e9-da11-4572-babc-79349f7685cc,"11/1/2021, 4:16:01.128 PM",00000000-0000-0000-0000-000000000000,DataSensitivityLogEvent,72f988bf-86f1-41af-91ab-2d7cd011db47,458b9821-8f00-483f-acf9-ff6ab17332c4,Sentinel-Bug-Bash-SoutheastAsia,southeastasia,AzureBlob-eXR,AzureBlob,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourceGroups/classification-test/providers/Microsoft.Storage/storageAccounts/aipclptest,458b9821-8f00-483f-acf9-ff6ab17332c4,eastus,BugBashTest,,Credit Card Spreadsheet-Katana.xls,https://aipclptest.blob.core.windows.net/aipscan/CredScan/Credit Card Spreadsheet-Katana.xls,File,"2/13/2020, 7:53:38.000 PM","2/13/2020, 7:53:38.000 PM",,"11/1/2021, 4:12:29.292 PM",xls,30208,Classification,System,"[""Credit Card Number""]",1,,,,,PurviewDataSensitivityLogs,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourcegroups/purview-sentinel-bug-bash/providers/microsoft.purview/accounts/sentinel-bug-bash-southeastasia -d80e74e9-da11-4572-babc-79349f7685cc,"11/1/2021, 4:16:01.134 PM",00000000-0000-0000-0000-000000000000,DataSensitivityLogEvent,72f988bf-86f1-41af-91ab-2d7cd011db47,458b9821-8f00-483f-acf9-ff6ab17332c4,Sentinel-Bug-Bash-SoutheastAsia,southeastasia,AzureBlob-eXR,AzureBlob,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourceGroups/classification-test/providers/Microsoft.Storage/storageAccounts/aipclptest,458b9821-8f00-483f-acf9-ff6ab17332c4,eastus,BugBashTest,,Customers list.docx,https://aipclptest.blob.core.windows.net/aipscan/Finance/Customers list.docx,File,"2/13/2020, 7:54:02.000 PM","2/13/2020, 7:54:02.000 PM",,"11/1/2021, 4:12:29.057 PM",docx,20166,Classification,System,"[""Credit Card Number"",""EU Debit Card Number""]",2,,,,,PurviewDataSensitivityLogs,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourcegroups/purview-sentinel-bug-bash/providers/microsoft.purview/accounts/sentinel-bug-bash-southeastasia -d80e74e9-da11-4572-babc-79349f7685cc,"11/1/2021, 4:16:01.139 PM",00000000-0000-0000-0000-000000000000,DataSensitivityLogEvent,72f988bf-86f1-41af-91ab-2d7cd011db47,458b9821-8f00-483f-acf9-ff6ab17332c4,Sentinel-Bug-Bash-SoutheastAsia,southeastasia,AzureBlob-eXR,AzureBlob,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourceGroups/classification-test/providers/Microsoft.Storage/storageAccounts/aipclptest,458b9821-8f00-483f-acf9-ff6ab17332c4,eastus,BugBashTest,,uk-pn.docx,https://aipclptest.blob.core.windows.net/aipscan/HR/uk-pn.docx,File,"2/13/2020, 7:54:12.000 PM","2/13/2020, 7:54:12.000 PM",,"11/1/2021, 4:12:23.803 PM",docx,20445,Classification,System,"[""Bulgaria Passport Number"",""Croatia Passport Number"",""Denmark Passport Number"",""EU Passport Number"",""Ireland Passport Number"",""Italy Passport Number"",""Romania Passport Number"",""Russian Passport Number (International)"",""Taiwan Passport Number"",""U.S. / U.K. Passport Number"",""Ukraine Passport Number (Domestic)""]",11,,,,,PurviewDataSensitivityLogs,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourcegroups/purview-sentinel-bug-bash/providers/microsoft.purview/accounts/sentinel-bug-bash-southeastasia -d80e74e9-da11-4572-babc-79349f7685cc,"11/1/2021, 4:16:01.139 PM",00000000-0000-0000-0000-000000000000,DataSensitivityLogEvent,72f988bf-86f1-41af-91ab-2d7cd011db47,458b9821-8f00-483f-acf9-ff6ab17332c4,Sentinel-Bug-Bash-SoutheastAsia,southeastasia,AzureBlob-eXR,AzureBlob,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourceGroups/classification-test/providers/Microsoft.Storage/storageAccounts/aipclptest,458b9821-8f00-483f-acf9-ff6ab17332c4,eastus,BugBashTest,,uk-pn.docx,https://aipclptest.blob.core.windows.net/aipscan/HR/uk-pn.docx,File,"2/13/2020, 7:54:12.000 PM","2/13/2020, 7:54:12.000 PM",,"11/1/2021, 4:12:23.803 PM",docx,20445,Labeling,External,[],0,f42aa342-8706-4288-bd11-ebb85995028c,General,,,PurviewDataSensitivityLogs,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourcegroups/purview-sentinel-bug-bash/providers/microsoft.purview/accounts/sentinel-bug-bash-southeastasia -d80e74e9-da11-4572-babc-79349f7685cc,"11/1/2021, 4:16:01.139 PM",00000000-0000-0000-0000-000000000000,DataSensitivityLogEvent,72f988bf-86f1-41af-91ab-2d7cd011db47,458b9821-8f00-483f-acf9-ff6ab17332c4,Sentinel-Bug-Bash-SoutheastAsia,southeastasia,AzureBlob-eXR,AzureBlob,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourceGroups/classification-test/providers/Microsoft.Storage/storageAccounts/aipclptest,458b9821-8f00-483f-acf9-ff6ab17332c4,eastus,BugBashTest,,Customer details.pptx,https://aipclptest.blob.core.windows.net/aipscan/Finance/Customer details.pptx,File,"2/13/2020, 7:54:02.000 PM","2/13/2020, 7:54:02.000 PM",,"11/1/2021, 4:12:28.557 PM",pptx,32114,Classification,System,"[""Credit Card Number"",""EU Debit Card Number""]",2,,,,,PurviewDataSensitivityLogs,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourcegroups/purview-sentinel-bug-bash/providers/microsoft.purview/accounts/sentinel-bug-bash-southeastasia -d80e74e9-da11-4572-babc-79349f7685cc,"11/1/2021, 4:16:01.145 PM",00000000-0000-0000-0000-000000000000,DataSensitivityLogEvent,72f988bf-86f1-41af-91ab-2d7cd011db47,458b9821-8f00-483f-acf9-ff6ab17332c4,Sentinel-Bug-Bash-SoutheastAsia,southeastasia,AzureBlob-eXR,AzureBlob,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourceGroups/classification-test/providers/Microsoft.Storage/storageAccounts/aipclptest,458b9821-8f00-483f-acf9-ff6ab17332c4,eastus,BugBashTest,,Registration form.docx,https://aipclptest.blob.core.windows.net/aipscan/Finance/Registration form.docx,File,"2/13/2020, 7:54:02.000 PM","2/13/2020, 7:54:02.000 PM",,"11/1/2021, 4:12:28.854 PM",docx,20166,Classification,System,"[""Credit Card Number"",""EU Debit Card Number""]",2,,,,,PurviewDataSensitivityLogs,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourcegroups/purview-sentinel-bug-bash/providers/microsoft.purview/accounts/sentinel-bug-bash-southeastasia -d80e74e9-da11-4572-babc-79349f7685cc,"11/1/2021, 4:16:01.150 PM",00000000-0000-0000-0000-000000000000,DataSensitivityLogEvent,72f988bf-86f1-41af-91ab-2d7cd011db47,458b9821-8f00-483f-acf9-ff6ab17332c4,Sentinel-Bug-Bash-SoutheastAsia,southeastasia,AzureBlob-eXR,AzureBlob,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourceGroups/classification-test/providers/Microsoft.Storage/storageAccounts/aipclptest,458b9821-8f00-483f-acf9-ff6ab17332c4,eastus,BugBashTest,,el-id.docx,https://aipclptest.blob.core.windows.net/aashishr01/el-id.docx,File,"12/11/2020, 8:59:35.000 PM","12/11/2020, 8:59:35.000 PM",,"11/1/2021, 4:12:23.147 PM",docx,26163,Classification,System,"[""EU National Identification Number"",""Greece National ID Card""]",2,,,,,PurviewDataSensitivityLogs,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourcegroups/purview-sentinel-bug-bash/providers/microsoft.purview/accounts/sentinel-bug-bash-southeastasia -d80e74e9-da11-4572-babc-79349f7685cc,"11/1/2021, 4:16:01.155 PM",00000000-0000-0000-0000-000000000000,DataSensitivityLogEvent,72f988bf-86f1-41af-91ab-2d7cd011db47,458b9821-8f00-483f-acf9-ff6ab17332c4,Sentinel-Bug-Bash-SoutheastAsia,southeastasia,AzureBlob-eXR,AzureBlob,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourceGroups/classification-test/providers/Microsoft.Storage/storageAccounts/aipclptest,458b9821-8f00-483f-acf9-ff6ab17332c4,eastus,BugBashTest,,fi-pn.docx,https://aipclptest.blob.core.windows.net/aashishr01/fi-pn.docx,File,"12/11/2020, 8:59:33.000 PM","12/11/2020, 8:59:33.000 PM",,"11/1/2021, 4:12:22.975 PM",docx,25516,Classification,System,"[""Japan Passport Number""]",1,,,,,PurviewDataSensitivityLogs,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourcegroups/purview-sentinel-bug-bash/providers/microsoft.purview/accounts/sentinel-bug-bash-southeastasia -d80e74e9-da11-4572-babc-79349f7685cc,"11/1/2021, 4:16:01.185 PM",00000000-0000-0000-0000-000000000000,DataSensitivityLogEvent,72f988bf-86f1-41af-91ab-2d7cd011db47,458b9821-8f00-483f-acf9-ff6ab17332c4,Sentinel-Bug-Bash-SoutheastAsia,southeastasia,AzureBlob-eXR,AzureBlob,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourceGroups/classification-test/providers/Microsoft.Storage/storageAccounts/aipclptest,458b9821-8f00-483f-acf9-ff6ab17332c4,eastus,BugBashTest,,de-id.docx,https://aipclptest.blob.core.windows.net/test2/de-id.docx,File,"5/13/2021, 6:37:48.000 PM","5/13/2021, 6:37:48.000 PM",,"11/1/2021, 4:12:16.816 PM",docx,25558,Labeling,Default,[],0,9fbde396-1a24-4c79-8edf-9254a0f35055,Confidential\Microsoft Extended,,,PurviewDataSensitivityLogs,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourcegroups/purview-sentinel-bug-bash/providers/microsoft.purview/accounts/sentinel-bug-bash-southeastasia -d80e74e9-da11-4572-babc-79349f7685cc,"11/1/2021, 4:16:01.202 PM",00000000-0000-0000-0000-000000000000,DataSensitivityLogEvent,72f988bf-86f1-41af-91ab-2d7cd011db47,458b9821-8f00-483f-acf9-ff6ab17332c4,Sentinel-Bug-Bash-SoutheastAsia,southeastasia,AzureBlob-eXR,AzureBlob,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourceGroups/classification-test/providers/Microsoft.Storage/storageAccounts/aipclptest,458b9821-8f00-483f-acf9-ff6ab17332c4,eastus,BugBashTest,,Acme Background Check-Katana.doc,https://aipclptest.blob.core.windows.net/satintestcontainer/test4/Acme Background Check-Katana.doc,File,"2/16/2021, 9:35:05.000 AM","2/16/2021, 9:35:05.000 AM",,"11/1/2021, 4:12:47.638 PM",doc,90624,Labeling,Default,[],0,9fbde396-1a24-4c79-8edf-9254a0f35055,Confidential\Microsoft Extended,,,PurviewDataSensitivityLogs,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourcegroups/purview-sentinel-bug-bash/providers/microsoft.purview/accounts/sentinel-bug-bash-southeastasia -d80e74e9-da11-4572-babc-79349f7685cc,"11/1/2021, 4:16:01.267 PM",00000000-0000-0000-0000-000000000000,DataSensitivityLogEvent,72f988bf-86f1-41af-91ab-2d7cd011db47,458b9821-8f00-483f-acf9-ff6ab17332c4,Sentinel-Bug-Bash-SoutheastAsia,southeastasia,AzureBlob-eXR,AzureBlob,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourceGroups/classification-test/providers/Microsoft.Storage/storageAccounts/aipclptest,458b9821-8f00-483f-acf9-ff6ab17332c4,eastus,BugBashTest,,finland.txt,https://aipclptest.blob.core.windows.net/test2/finland.txt,File,"5/13/2021, 6:37:48.000 PM","5/13/2021, 6:37:48.000 PM",,"11/1/2021, 4:12:14.941 PM",txt,89,Labeling,Default,[],0,9fbde396-1a24-4c79-8edf-9254a0f35055,Confidential\Microsoft Extended,,,PurviewDataSensitivityLogs,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourcegroups/purview-sentinel-bug-bash/providers/microsoft.purview/accounts/sentinel-bug-bash-southeastasia -d80e74e9-da11-4572-babc-79349f7685cc,"11/1/2021, 4:16:01.281 PM",00000000-0000-0000-0000-000000000000,DataSensitivityLogEvent,72f988bf-86f1-41af-91ab-2d7cd011db47,458b9821-8f00-483f-acf9-ff6ab17332c4,Sentinel-Bug-Bash-SoutheastAsia,southeastasia,AzureBlob-eXR,AzureBlob,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourceGroups/classification-test/providers/Microsoft.Storage/storageAccounts/aipclptest,458b9821-8f00-483f-acf9-ff6ab17332c4,eastus,BugBashTest,,AMCE Patent Application-Katana.doc,https://aipclptest.blob.core.windows.net/aipscan/CredScan/AMCE Patent Application-Katana.doc,File,"2/13/2020, 7:53:38.000 PM","2/13/2020, 7:53:38.000 PM",,"11/1/2021, 4:12:30.229 PM",doc,42496,Classification,System,"[""Credit Card Number""]",1,,,,,PurviewDataSensitivityLogs,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourcegroups/purview-sentinel-bug-bash/providers/microsoft.purview/accounts/sentinel-bug-bash-southeastasia -d80e74e9-da11-4572-babc-79349f7685cc,"11/1/2021, 4:16:01.287 PM",00000000-0000-0000-0000-000000000000,DataSensitivityLogEvent,72f988bf-86f1-41af-91ab-2d7cd011db47,458b9821-8f00-483f-acf9-ff6ab17332c4,Sentinel-Bug-Bash-SoutheastAsia,southeastasia,AzureBlob-eXR,AzureBlob,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourceGroups/classification-test/providers/Microsoft.Storage/storageAccounts/aipclptest,458b9821-8f00-483f-acf9-ff6ab17332c4,eastus,BugBashTest,,fr-cni-pdf.pdf,https://aipclptest.blob.core.windows.net/aashishr01/fr-cni-pdf.pdf,File,"12/11/2020, 8:59:35.000 PM","12/11/2020, 8:59:35.000 PM",,"11/1/2021, 4:12:18.894 PM",pdf,327291,Labeling,Default,[],0,9fbde396-1a24-4c79-8edf-9254a0f35055,Confidential\Microsoft Extended,,,PurviewDataSensitivityLogs,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourcegroups/purview-sentinel-bug-bash/providers/microsoft.purview/accounts/sentinel-bug-bash-southeastasia -d80e74e9-da11-4572-babc-79349f7685cc,"11/1/2021, 4:16:01.288 PM",00000000-0000-0000-0000-000000000000,DataSensitivityLogEvent,72f988bf-86f1-41af-91ab-2d7cd011db47,458b9821-8f00-483f-acf9-ff6ab17332c4,Sentinel-Bug-Bash-SoutheastAsia,southeastasia,AzureBlob-eXR,AzureBlob,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourceGroups/classification-test/providers/Microsoft.Storage/storageAccounts/aipclptest,458b9821-8f00-483f-acf9-ff6ab17332c4,eastus,BugBashTest,,Acme Parking Form-Katana.doc,https://aipclptest.blob.core.windows.net/aipscan/CredScan/Acme Parking Form-Katana.doc,File,"2/13/2020, 7:53:39.000 PM","2/13/2020, 7:53:39.000 PM",,"11/1/2021, 4:12:30.276 PM",doc,57856,Classification,System,"[""EU Driver's License Number"",""Malta Driver's License Number"",""Slovakia Driver's License Number"",""U.S. Social Security Number (SSN)""]",4,,,,,PurviewDataSensitivityLogs,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourcegroups/purview-sentinel-bug-bash/providers/microsoft.purview/accounts/sentinel-bug-bash-southeastasia -d80e74e9-da11-4572-babc-79349f7685cc,"11/1/2021, 4:16:01.290 PM",00000000-0000-0000-0000-000000000000,DataSensitivityLogEvent,72f988bf-86f1-41af-91ab-2d7cd011db47,458b9821-8f00-483f-acf9-ff6ab17332c4,Sentinel-Bug-Bash-SoutheastAsia,southeastasia,AzureBlob-eXR,AzureBlob,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourceGroups/classification-test/providers/Microsoft.Storage/storageAccounts/aipclptest,458b9821-8f00-483f-acf9-ff6ab17332c4,eastus,BugBashTest,,Acme Background Check-Katana.doc,https://aipclptest.blob.core.windows.net/aipscan/CredScan/Acme Background Check-Katana.doc,File,"2/13/2020, 7:53:39.000 PM","2/13/2020, 7:53:39.000 PM",,"11/1/2021, 4:12:47.919 PM",doc,95232,Labeling,Default,[],0,9fbde396-1a24-4c79-8edf-9254a0f35055,Confidential\Microsoft Extended,,,PurviewDataSensitivityLogs,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourcegroups/purview-sentinel-bug-bash/providers/microsoft.purview/accounts/sentinel-bug-bash-southeastasia -d80e74e9-da11-4572-babc-79349f7685cc,"11/1/2021, 4:16:01.294 PM",00000000-0000-0000-0000-000000000000,DataSensitivityLogEvent,72f988bf-86f1-41af-91ab-2d7cd011db47,458b9821-8f00-483f-acf9-ff6ab17332c4,Sentinel-Bug-Bash-SoutheastAsia,southeastasia,AzureBlob-eXR,AzureBlob,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourceGroups/classification-test/providers/Microsoft.Storage/storageAccounts/aipclptest,458b9821-8f00-483f-acf9-ff6ab17332c4,eastus,BugBashTest,,Acme Direct Deposit Form.xls,https://aipclptest.blob.core.windows.net/aipscan/CredScan/Acme Direct Deposit Form.xls,File,"2/13/2020, 7:53:39.000 PM","2/13/2020, 7:53:39.000 PM",,"11/1/2021, 4:12:32.157 PM",xls,123904,Classification,System,"[""U.S. Social Security Number (SSN)""]",1,,,,,PurviewDataSensitivityLogs,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourcegroups/purview-sentinel-bug-bash/providers/microsoft.purview/accounts/sentinel-bug-bash-southeastasia -d80e74e9-da11-4572-babc-79349f7685cc,"11/1/2021, 4:16:01.300 PM",00000000-0000-0000-0000-000000000000,DataSensitivityLogEvent,72f988bf-86f1-41af-91ab-2d7cd011db47,458b9821-8f00-483f-acf9-ff6ab17332c4,Sentinel-Bug-Bash-SoutheastAsia,southeastasia,AzureBlob-eXR,AzureBlob,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourceGroups/classification-test/providers/Microsoft.Storage/storageAccounts/aipclptest,458b9821-8f00-483f-acf9-ff6ab17332c4,eastus,BugBashTest,,AMCE Patent Application.doc,https://aipclptest.blob.core.windows.net/aipscan/CredScan/AMCE Patent Application.doc,File,"2/13/2020, 7:53:39.000 PM","2/13/2020, 7:53:39.000 PM",,"11/1/2021, 4:12:31.219 PM",doc,42496,Classification,System,"[""Credit Card Number""]",1,,,,,PurviewDataSensitivityLogs,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourcegroups/purview-sentinel-bug-bash/providers/microsoft.purview/accounts/sentinel-bug-bash-southeastasia -d80e74e9-da11-4572-babc-79349f7685cc,"11/1/2021, 4:16:01.309 PM",00000000-0000-0000-0000-000000000000,DataSensitivityLogEvent,72f988bf-86f1-41af-91ab-2d7cd011db47,458b9821-8f00-483f-acf9-ff6ab17332c4,Sentinel-Bug-Bash-SoutheastAsia,southeastasia,AzureBlob-eXR,AzureBlob,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourceGroups/classification-test/providers/Microsoft.Storage/storageAccounts/aipclptest,458b9821-8f00-483f-acf9-ff6ab17332c4,eastus,BugBashTest,,multiple.docx,https://aipclptest.blob.core.windows.net/test2/multiple.docx,File,"5/13/2021, 6:37:49.000 PM","5/13/2021, 6:37:49.000 PM",,"11/1/2021, 4:12:16.941 PM",docx,24336,Labeling,Default,[],0,9fbde396-1a24-4c79-8edf-9254a0f35055,Confidential\Microsoft Extended,,,PurviewDataSensitivityLogs,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourcegroups/purview-sentinel-bug-bash/providers/microsoft.purview/accounts/sentinel-bug-bash-southeastasia -d80e74e9-da11-4572-babc-79349f7685cc,"11/1/2021, 4:16:01.315 PM",00000000-0000-0000-0000-000000000000,DataSensitivityLogEvent,72f988bf-86f1-41af-91ab-2d7cd011db47,458b9821-8f00-483f-acf9-ff6ab17332c4,Sentinel-Bug-Bash-SoutheastAsia,southeastasia,AzureBlob-eXR,AzureBlob,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourceGroups/classification-test/providers/Microsoft.Storage/storageAccounts/aipclptest,458b9821-8f00-483f-acf9-ff6ab17332c4,eastus,BugBashTest,,uk-nino.docx,https://aipclptest.blob.core.windows.net/aashishr01/uk-nino.docx,File,"12/11/2020, 8:59:35.000 PM","12/11/2020, 8:59:35.000 PM",,"11/1/2021, 4:12:18.894 PM",docx,26184,Labeling,Default,[],0,9fbde396-1a24-4c79-8edf-9254a0f35055,Confidential\Microsoft Extended,,,PurviewDataSensitivityLogs,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourcegroups/purview-sentinel-bug-bash/providers/microsoft.purview/accounts/sentinel-bug-bash-southeastasia -d80e74e9-da11-4572-babc-79349f7685cc,"11/1/2021, 4:16:01.341 PM",00000000-0000-0000-0000-000000000000,DataSensitivityLogEvent,72f988bf-86f1-41af-91ab-2d7cd011db47,458b9821-8f00-483f-acf9-ff6ab17332c4,Sentinel-Bug-Bash-SoutheastAsia,southeastasia,AzureBlob-eXR,AzureBlob,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourceGroups/classification-test/providers/Microsoft.Storage/storageAccounts/aipclptest,458b9821-8f00-483f-acf9-ff6ab17332c4,eastus,BugBashTest,,Acme Background Check-Katana.doc,https://aipclptest.blob.core.windows.net/satintestcontainer/test5/Acme Background Check-Katana.doc,File,"2/16/2021, 9:35:29.000 AM","2/16/2021, 9:35:29.000 AM",,"11/1/2021, 4:12:47.903 PM",doc,90624,Labeling,Default,[],0,9fbde396-1a24-4c79-8edf-9254a0f35055,Confidential\Microsoft Extended,,,PurviewDataSensitivityLogs,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourcegroups/purview-sentinel-bug-bash/providers/microsoft.purview/accounts/sentinel-bug-bash-southeastasia -d80e74e9-da11-4572-babc-79349f7685cc,"11/1/2021, 4:16:01.343 PM",00000000-0000-0000-0000-000000000000,DataSensitivityLogEvent,72f988bf-86f1-41af-91ab-2d7cd011db47,458b9821-8f00-483f-acf9-ff6ab17332c4,Sentinel-Bug-Bash-SoutheastAsia,southeastasia,AzureBlob-eXR,AzureBlob,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourceGroups/classification-test/providers/Microsoft.Storage/storageAccounts/aipclptest,458b9821-8f00-483f-acf9-ff6ab17332c4,eastus,BugBashTest,,de-drv.docx,https://aipclptest.blob.core.windows.net/aashishr01/de-drv.docx,File,"12/11/2020, 8:59:35.000 PM","12/11/2020, 8:59:35.000 PM",,"11/1/2021, 4:12:18.754 PM",docx,26139,Labeling,Default,[],0,9fbde396-1a24-4c79-8edf-9254a0f35055,Confidential\Microsoft Extended,,,PurviewDataSensitivityLogs,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourcegroups/purview-sentinel-bug-bash/providers/microsoft.purview/accounts/sentinel-bug-bash-southeastasia -d80e74e9-da11-4572-babc-79349f7685cc,"11/1/2021, 4:16:01.359 PM",00000000-0000-0000-0000-000000000000,DataSensitivityLogEvent,72f988bf-86f1-41af-91ab-2d7cd011db47,458b9821-8f00-483f-acf9-ff6ab17332c4,Sentinel-Bug-Bash-SoutheastAsia,southeastasia,AzureBlob-eXR,AzureBlob,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourceGroups/classification-test/providers/Microsoft.Storage/storageAccounts/aipclptest,458b9821-8f00-483f-acf9-ff6ab17332c4,eastus,BugBashTest,,Acme Background Check-Katana.doc,https://aipclptest.blob.core.windows.net/satintestcontainer/test3/Acme Background Check-Katana.doc,File,"2/16/2021, 9:34:57.000 AM","2/16/2021, 9:34:57.000 AM",,"11/1/2021, 4:12:49.107 PM",doc,90624,Labeling,Default,[],0,9fbde396-1a24-4c79-8edf-9254a0f35055,Confidential\Microsoft Extended,,,PurviewDataSensitivityLogs,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourcegroups/purview-sentinel-bug-bash/providers/microsoft.purview/accounts/sentinel-bug-bash-southeastasia -d80e74e9-da11-4572-babc-79349f7685cc,"11/1/2021, 4:16:01.380 PM",00000000-0000-0000-0000-000000000000,DataSensitivityLogEvent,72f988bf-86f1-41af-91ab-2d7cd011db47,458b9821-8f00-483f-acf9-ff6ab17332c4,Sentinel-Bug-Bash-SoutheastAsia,southeastasia,AzureBlob-eXR,AzureBlob,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourceGroups/classification-test/providers/Microsoft.Storage/storageAccounts/aipclptest,458b9821-8f00-483f-acf9-ff6ab17332c4,eastus,BugBashTest,,IR.txt,https://aipclptest.blob.core.windows.net/joselw-test/IR.txt,File,"8/16/2021, 8:56:13.000 PM","8/16/2021, 8:56:13.000 PM",,"11/1/2021, 4:12:30.021 PM",txt,197,Labeling,Default,[],0,9fbde396-1a24-4c79-8edf-9254a0f35055,Confidential\Microsoft Extended,,,PurviewDataSensitivityLogs,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourcegroups/purview-sentinel-bug-bash/providers/microsoft.purview/accounts/sentinel-bug-bash-southeastasia -d80e74e9-da11-4572-babc-79349f7685cc,"11/1/2021, 4:16:01.429 PM",00000000-0000-0000-0000-000000000000,DataSensitivityLogEvent,72f988bf-86f1-41af-91ab-2d7cd011db47,458b9821-8f00-483f-acf9-ff6ab17332c4,Sentinel-Bug-Bash-SoutheastAsia,southeastasia,AzureBlob-eXR,AzureBlob,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourceGroups/classification-test/providers/Microsoft.Storage/storageAccounts/aipclptest,458b9821-8f00-483f-acf9-ff6ab17332c4,eastus,BugBashTest,,Acme Parking Form.doc,https://aipclptest.blob.core.windows.net/aipscan/CredScan/Acme Parking Form.doc,File,"2/13/2020, 7:53:39.000 PM","2/13/2020, 7:53:39.000 PM",,"11/1/2021, 4:12:31.813 PM",doc,61952,Classification,System,"[""EU Driver's License Number"",""Malta Driver's License Number"",""Slovakia Driver's License Number"",""U.S. Social Security Number (SSN)""]",4,,,,,PurviewDataSensitivityLogs,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourcegroups/purview-sentinel-bug-bash/providers/microsoft.purview/accounts/sentinel-bug-bash-southeastasia -d80e74e9-da11-4572-babc-79349f7685cc,"11/1/2021, 4:16:01.436 PM",00000000-0000-0000-0000-000000000000,DataSensitivityLogEvent,72f988bf-86f1-41af-91ab-2d7cd011db47,458b9821-8f00-483f-acf9-ff6ab17332c4,Sentinel-Bug-Bash-SoutheastAsia,southeastasia,AzureBlob-eXR,AzureBlob,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourceGroups/classification-test/providers/Microsoft.Storage/storageAccounts/aipclptest,458b9821-8f00-483f-acf9-ff6ab17332c4,eastus,BugBashTest,,create samples.xlsx,https://aipclptest.blob.core.windows.net/aipscan/PII/create samples.xlsx,File,"2/13/2020, 7:54:22.000 PM","2/13/2020, 7:54:22.000 PM",,"11/1/2021, 4:12:33.985 PM",xlsx,21343,Classification,System,"[""ABA Routing Number"",""Argentina National Identity (DNI) Number"",""Australia Bank Account Number"",""Australia Driver's License Number"",""Australia Medical Account Number"",""Australia Passport Number"",""Australia Tax File Number"",""Austria Driver's License Number"",""Austria Passport Number"",""Belgium Driver's License Number"",""Belgium Passport Number"",""Brazil CPF Number"",""Brazil Legal Entity Number (CNPJ)"",""Brazil National ID Card (RG)"",""Bulgaria Driver's License Number"",""Bulgaria Passport Number"",""Canada Bank Account Number"",""Canada Driver's License Number"",""Canada Health Service Number"",""Canada Passport Number"",""Canada Personal Health Identification Number (PHIN)"",""Canada Social Insurance Number"",""Chile Identity Card Number"",""China Resident Identity Card (PRC) Number"",""Credit Card Number"",""Croatia Driver's License Number"",""Croatia Passport Number"",""Cyprus Driver's License Number"",""Cyprus Identity Card"",""Czech Personal Identity Number"",""Czech Republic Passport Number"",""Denmark Driver's License Number"",""Denmark Passport Number"",""Denmark Personal Identification Number"",""Estonia Passport Number"",""EU Debit Card Number"",""EU Driver's License Number"",""EU National Identification Number"",""EU Passport Number"",""EU Social Security Number (SSN) or Equivalent ID"",""EU Tax Identification Number (TIN)"",""Finland National ID"",""Finland Passport Number"",""France Driver's License Number"",""France National ID Card (CNI)"",""France Social Security Number (INSEE)"",""German Driver's License Number"",""German Passport Number"",""Germany Identity Card Number"",""Greece Driver's License Number"",""Greece National ID Card"",""Greece Passport Number"",""Hungarian Social Security Number (TAJ)"",""Hungary Passport Number"",""India Permanent Account Number (PAN)"",""India Unique Identification (Aadhaar) Number"",""Indonesia Identity Card (KTP) Number"",""International Banking Account Number (IBAN)"",""IP Address"",""Ireland Passport Number"",""Ireland Personal Public Service (PPS) Number"",""Israel Bank Account Number"",""Israel National ID"",""Italy Driver's License Number"",""Italy Passport Number"",""Japan Bank Account Number"",""Japan Driver's License Number"",""Japan Passport Number"",""Japan Resident Registration Number"",""Japan Social Insurance Number (SIN)"",""Lithuania Driver's License Number"",""Lithuania Passport Number"",""Luxemburg Passport Number"",""Malaysia Identity Card Number"",""Malta Driver's License Number"",""Malta Passport Number"",""Netherlands Driver's License Number"",""Netherlands Passport Number"",""New Zealand Ministry of Health Number"",""Norway Identity Number"",""Philippines Unified Multi-Purpose ID Number"",""Poland Identity Card"",""Romania Driver's License Number"",""Romania Passport Number"",""Russian Passport Number (Domestic)"",""Russian Passport Number (International)"",""Saudi Arabia National ID"",""Singapore National Registration Identity Card (NRIC) Number"",""Slovakia Driver's License Number"",""Slovakia Passport Number"",""Slovakia Personal Number"",""Slovenia Driver's License Number"",""Slovenia Passport Number"",""South Africa Identification Number"",""South Korea Resident Registration Number"",""Spain Social Security Number (SSN)"",""Sweden National ID"",""Sweden Passport Number"",""Sweden Tax Identification Number"",""SWIFT Code"",""Taiwan National ID"",""Taiwan Passport Number"",""Taiwan Resident Certificate (ARC/TARC)"",""U.K. Driver's License Number"",""U.K. Electoral Roll Number"",""U.K. National Health Service Number"",""U.K. National Insurance Number (NINO)"",""U.K. Unique Taxpayer Reference Number"",""U.S. / U.K. Passport Number"",""U.S. Bank Account Number"",""U.S. Individual Taxpayer Identification Number (ITIN)"",""U.S. Social Security Number (SSN)"",""Ukraine Passport Number (Domestic)"",""Ukraine Passport Number (International)""]",114,,,,,PurviewDataSensitivityLogs,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourcegroups/purview-sentinel-bug-bash/providers/microsoft.purview/accounts/sentinel-bug-bash-southeastasia -d80e74e9-da11-4572-babc-79349f7685cc,"11/1/2021, 4:16:01.436 PM",00000000-0000-0000-0000-000000000000,DataSensitivityLogEvent,72f988bf-86f1-41af-91ab-2d7cd011db47,458b9821-8f00-483f-acf9-ff6ab17332c4,Sentinel-Bug-Bash-SoutheastAsia,southeastasia,AzureBlob-eXR,AzureBlob,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourceGroups/classification-test/providers/Microsoft.Storage/storageAccounts/aipclptest,458b9821-8f00-483f-acf9-ff6ab17332c4,eastus,BugBashTest,,create samples.xlsx,https://aipclptest.blob.core.windows.net/aipscan/PII/create samples.xlsx,File,"2/13/2020, 7:54:22.000 PM","2/13/2020, 7:54:22.000 PM",,"11/1/2021, 4:12:33.985 PM",xlsx,21343,Labeling,External,[],0,f42aa342-8706-4288-bd11-ebb85995028c,General,,,PurviewDataSensitivityLogs,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourcegroups/purview-sentinel-bug-bash/providers/microsoft.purview/accounts/sentinel-bug-bash-southeastasia -d80e74e9-da11-4572-babc-79349f7685cc,"11/1/2021, 4:16:01.437 PM",00000000-0000-0000-0000-000000000000,DataSensitivityLogEvent,72f988bf-86f1-41af-91ab-2d7cd011db47,458b9821-8f00-483f-acf9-ff6ab17332c4,Sentinel-Bug-Bash-SoutheastAsia,southeastasia,AzureBlob-eXR,AzureBlob,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourceGroups/classification-test/providers/Microsoft.Storage/storageAccounts/aipclptest,458b9821-8f00-483f-acf9-ff6ab17332c4,eastus,BugBashTest,,Customers registration form.docx,https://aipclptest.blob.core.windows.net/aipscan/CustomerData/Customers registration form.docx,File,"2/13/2020, 7:53:51.000 PM","2/13/2020, 7:53:51.000 PM",,"11/1/2021, 4:12:26.260 PM",docx,17409,Classification,System,"[""Austria Driver's License Number"",""Belgium Driver's License Number"",""Bulgaria Passport Number"",""Credit Card Number"",""Croatia Driver's License Number"",""Croatia Passport Number"",""Cyprus Driver's License Number"",""Cyprus Identity Card"",""Czech Personal Identity Number"",""Czech Republic Passport Number"",""Denmark Driver's License Number"",""Denmark Passport Number"",""Denmark Personal Identification Number"",""EU Debit Card Number"",""EU Driver's License Number"",""EU National Identification Number"",""EU Passport Number"",""EU Social Security Number (SSN) or Equivalent ID"",""EU Tax Identification Number (TIN)"",""Finland Driver's License Number"",""Finland National ID"",""Finland Passport Number"",""France Driver's License Number"",""France National ID Card (CNI)"",""France Social Security Number (INSEE)"",""German Driver's License Number"",""German Passport Number"",""Germany Identity Card Number"",""Greece National ID Card"",""Greece Passport Number"",""Hungary Passport Number"",""IP Address"",""Ireland Passport Number"",""Ireland Personal Public Service (PPS) Number"",""Italy Driver's License Number"",""Italy Passport Number"",""Japan Driver's License Number"",""Japan Passport Number"",""Lithuania Driver's License Number"",""Lithuania Passport Number"",""Malaysia Identity Card Number"",""Malta Driver's License Number"",""Netherlands Passport Number"",""Poland Identity Card"",""Romania Passport Number"",""Russian Passport Number (Domestic)"",""Russian Passport Number (International)"",""Slovakia Driver's License Number"",""Slovakia Passport Number"",""Slovakia Personal Number"",""Slovenia Passport Number"",""Spain Social Security Number (SSN)"",""Sweden Driver's License Number"",""Sweden Passport Number"",""Taiwan Passport Number"",""U.K. Driver's License Number"",""U.K. National Health Service Number"",""U.K. National Insurance Number (NINO)"",""U.S. / U.K. Passport Number"",""Ukraine Passport Number (Domestic)""]",60,,,,,PurviewDataSensitivityLogs,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourcegroups/purview-sentinel-bug-bash/providers/microsoft.purview/accounts/sentinel-bug-bash-southeastasia -d80e74e9-da11-4572-babc-79349f7685cc,"11/1/2021, 4:16:01.438 PM",00000000-0000-0000-0000-000000000000,DataSensitivityLogEvent,72f988bf-86f1-41af-91ab-2d7cd011db47,458b9821-8f00-483f-acf9-ff6ab17332c4,Sentinel-Bug-Bash-SoutheastAsia,southeastasia,AzureBlob-eXR,AzureBlob,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourceGroups/classification-test/providers/Microsoft.Storage/storageAccounts/aipclptest,458b9821-8f00-483f-acf9-ff6ab17332c4,eastus,BugBashTest,,Acme Background Check-Katana.doc,https://aipclptest.blob.core.windows.net/aipscan/Change Test/Acme Background Check-Katana.doc,File,"11/4/2020, 2:11:47.000 AM","11/4/2020, 2:11:47.000 AM",,"11/1/2021, 4:12:47.653 PM",doc,90624,Labeling,Default,[],0,9fbde396-1a24-4c79-8edf-9254a0f35055,Confidential\Microsoft Extended,,,PurviewDataSensitivityLogs,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourcegroups/purview-sentinel-bug-bash/providers/microsoft.purview/accounts/sentinel-bug-bash-southeastasia -d80e74e9-da11-4572-babc-79349f7685cc,"11/1/2021, 4:16:01.444 PM",00000000-0000-0000-0000-000000000000,DataSensitivityLogEvent,72f988bf-86f1-41af-91ab-2d7cd011db47,458b9821-8f00-483f-acf9-ff6ab17332c4,Sentinel-Bug-Bash-SoutheastAsia,southeastasia,AzureBlob-eXR,AzureBlob,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourceGroups/classification-test/providers/Microsoft.Storage/storageAccounts/aipclptest,458b9821-8f00-483f-acf9-ff6ab17332c4,eastus,BugBashTest,,create samples.xlsx,https://aipclptest.blob.core.windows.net/satintestcontainer/create samples.xlsx,File,"5/12/2021, 6:56:20.000 PM","5/12/2021, 6:56:20.000 PM",,"11/1/2021, 4:12:24.057 PM",xlsx,29140,Classification,System,"[""ABA Routing Number"",""Argentina National Identity (DNI) Number"",""Australia Bank Account Number"",""Australia Driver's License Number"",""Australia Medical Account Number"",""Australia Passport Number"",""Australia Tax File Number"",""Austria Driver's License Number"",""Austria Passport Number"",""Belgium Driver's License Number"",""Belgium Passport Number"",""Brazil CPF Number"",""Brazil Legal Entity Number (CNPJ)"",""Brazil National ID Card (RG)"",""Bulgaria Driver's License Number"",""Bulgaria Passport Number"",""Canada Bank Account Number"",""Canada Driver's License Number"",""Canada Health Service Number"",""Canada Passport Number"",""Canada Personal Health Identification Number (PHIN)"",""Canada Social Insurance Number"",""Chile Identity Card Number"",""China Resident Identity Card (PRC) Number"",""Credit Card Number"",""Croatia Driver's License Number"",""Croatia Passport Number"",""Cyprus Driver's License Number"",""Cyprus Identity Card"",""Czech Personal Identity Number"",""Czech Republic Passport Number"",""Denmark Driver's License Number"",""Denmark Passport Number"",""Denmark Personal Identification Number"",""Estonia Passport Number"",""EU Debit Card Number"",""EU Driver's License Number"",""EU National Identification Number"",""EU Passport Number"",""EU Social Security Number (SSN) or Equivalent ID"",""EU Tax Identification Number (TIN)"",""Finland National ID"",""Finland Passport Number"",""France Driver's License Number"",""France National ID Card (CNI)"",""France Social Security Number (INSEE)"",""German Driver's License Number"",""German Passport Number"",""Germany Identity Card Number"",""Greece Driver's License Number"",""Greece National ID Card"",""Greece Passport Number"",""Hungarian Social Security Number (TAJ)"",""Hungary Passport Number"",""India Permanent Account Number (PAN)"",""India Unique Identification (Aadhaar) Number"",""Indonesia Identity Card (KTP) Number"",""International Banking Account Number (IBAN)"",""IP Address"",""Ireland Passport Number"",""Ireland Personal Public Service (PPS) Number"",""Israel Bank Account Number"",""Israel National ID"",""Italy Driver's License Number"",""Italy Passport Number"",""Japan Bank Account Number"",""Japan Driver's License Number"",""Japan Passport Number"",""Japan Resident Registration Number"",""Japan Social Insurance Number (SIN)"",""Lithuania Driver's License Number"",""Lithuania Passport Number"",""Luxemburg Passport Number"",""Malaysia Identity Card Number"",""Malta Driver's License Number"",""Malta Passport Number"",""Netherlands Driver's License Number"",""Netherlands Passport Number"",""New Zealand Ministry of Health Number"",""Norway Identity Number"",""Philippines Unified Multi-Purpose ID Number"",""Poland Identity Card"",""Romania Driver's License Number"",""Romania Passport Number"",""Russian Passport Number (Domestic)"",""Russian Passport Number (International)"",""Saudi Arabia National ID"",""Singapore National Registration Identity Card (NRIC) Number"",""Slovakia Driver's License Number"",""Slovakia Passport Number"",""Slovakia Personal Number"",""Slovenia Driver's License Number"",""Slovenia Passport Number"",""South Africa Identification Number"",""South Korea Resident Registration Number"",""Spain Social Security Number (SSN)"",""Sweden National ID"",""Sweden Passport Number"",""Sweden Tax Identification Number"",""SWIFT Code"",""Taiwan National ID"",""Taiwan Passport Number"",""Taiwan Resident Certificate (ARC/TARC)"",""U.K. Driver's License Number"",""U.K. Electoral Roll Number"",""U.K. National Health Service Number"",""U.K. National Insurance Number (NINO)"",""U.K. Unique Taxpayer Reference Number"",""U.S. / U.K. Passport Number"",""U.S. Bank Account Number"",""U.S. Individual Taxpayer Identification Number (ITIN)"",""U.S. Social Security Number (SSN)"",""Ukraine Passport Number (Domestic)"",""Ukraine Passport Number (International)""]",114,,,,,PurviewDataSensitivityLogs,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourcegroups/purview-sentinel-bug-bash/providers/microsoft.purview/accounts/sentinel-bug-bash-southeastasia -d80e74e9-da11-4572-babc-79349f7685cc,"11/1/2021, 4:16:01.450 PM",00000000-0000-0000-0000-000000000000,DataSensitivityLogEvent,72f988bf-86f1-41af-91ab-2d7cd011db47,458b9821-8f00-483f-acf9-ff6ab17332c4,Sentinel-Bug-Bash-SoutheastAsia,southeastasia,AzureBlob-eXR,AzureBlob,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourceGroups/classification-test/providers/Microsoft.Storage/storageAccounts/aipclptest,458b9821-8f00-483f-acf9-ff6ab17332c4,eastus,BugBashTest,,denmark.txt,https://aipclptest.blob.core.windows.net/aipscan/HR/denmark.txt,File,"2/13/2020, 7:54:12.000 PM","2/13/2020, 7:54:12.000 PM",,"11/1/2021, 4:12:34.875 PM",txt,128,Classification,System,"[""EU National Identification Number""]",1,,,,,PurviewDataSensitivityLogs,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourcegroups/purview-sentinel-bug-bash/providers/microsoft.purview/accounts/sentinel-bug-bash-southeastasia -d80e74e9-da11-4572-babc-79349f7685cc,"11/1/2021, 4:16:01.456 PM",00000000-0000-0000-0000-000000000000,DataSensitivityLogEvent,72f988bf-86f1-41af-91ab-2d7cd011db47,458b9821-8f00-483f-acf9-ff6ab17332c4,Sentinel-Bug-Bash-SoutheastAsia,southeastasia,AzureBlob-eXR,AzureBlob,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourceGroups/classification-test/providers/Microsoft.Storage/storageAccounts/aipclptest,458b9821-8f00-483f-acf9-ff6ab17332c4,eastus,BugBashTest,,pr-id.docx,https://aipclptest.blob.core.windows.net/aipscan/HR/pr-id.docx,File,"2/13/2020, 7:54:12.000 PM","2/13/2020, 7:54:12.000 PM",,"11/1/2021, 4:12:34.672 PM",docx,20175,Classification,System,"[""EU National Identification Number""]",1,,,,,PurviewDataSensitivityLogs,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourcegroups/purview-sentinel-bug-bash/providers/microsoft.purview/accounts/sentinel-bug-bash-southeastasia -d80e74e9-da11-4572-babc-79349f7685cc,"11/1/2021, 4:16:01.456 PM",00000000-0000-0000-0000-000000000000,DataSensitivityLogEvent,72f988bf-86f1-41af-91ab-2d7cd011db47,458b9821-8f00-483f-acf9-ff6ab17332c4,Sentinel-Bug-Bash-SoutheastAsia,southeastasia,AzureBlob-eXR,AzureBlob,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourceGroups/classification-test/providers/Microsoft.Storage/storageAccounts/aipclptest,458b9821-8f00-483f-acf9-ff6ab17332c4,eastus,BugBashTest,,pr-id.docx,https://aipclptest.blob.core.windows.net/aipscan/HR/pr-id.docx,File,"2/13/2020, 7:54:12.000 PM","2/13/2020, 7:54:12.000 PM",,"11/1/2021, 4:12:34.672 PM",docx,20175,Labeling,External,[],0,f42aa342-8706-4288-bd11-ebb85995028c,General,,,PurviewDataSensitivityLogs,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourcegroups/purview-sentinel-bug-bash/providers/microsoft.purview/accounts/sentinel-bug-bash-southeastasia -d80e74e9-da11-4572-babc-79349f7685cc,"11/1/2021, 4:16:01.456 PM",00000000-0000-0000-0000-000000000000,DataSensitivityLogEvent,72f988bf-86f1-41af-91ab-2d7cd011db47,458b9821-8f00-483f-acf9-ff6ab17332c4,Sentinel-Bug-Bash-SoutheastAsia,southeastasia,AzureFileStorage-uQc,AzureFile,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourceGroups/classification-test/providers/Microsoft.Storage/storageAccounts/aipclptest,458b9821-8f00-483f-acf9-ff6ab17332c4,eastus,BugBashTest,,Acme Background Check-Katana.doc,https://aipclptest.file.core.windows.net/testfiles/testdirectory/Acme Background Check-Katana.doc,File,,"7/17/2020, 10:14:40.000 PM",,"11/1/2021, 4:12:36.920 PM",doc,95232,Classification,System,"[""Credit Card Number"",""U.S. Social Security Number (SSN)""]",2,,,,,PurviewDataSensitivityLogs,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourcegroups/purview-sentinel-bug-bash/providers/microsoft.purview/accounts/sentinel-bug-bash-southeastasia -d80e74e9-da11-4572-babc-79349f7685cc,"11/1/2021, 4:16:01.462 PM",00000000-0000-0000-0000-000000000000,DataSensitivityLogEvent,72f988bf-86f1-41af-91ab-2d7cd011db47,458b9821-8f00-483f-acf9-ff6ab17332c4,Sentinel-Bug-Bash-SoutheastAsia,southeastasia,AzureBlob-eXR,AzureBlob,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourceGroups/classification-test/providers/Microsoft.Storage/storageAccounts/aipclptest,458b9821-8f00-483f-acf9-ff6ab17332c4,eastus,BugBashTest,,de-drv.docx,https://aipclptest.blob.core.windows.net/aipscan/PII/de-drv.docx,File,"2/13/2020, 7:54:22.000 PM","2/13/2020, 7:54:22.000 PM",,"11/1/2021, 4:12:33.829 PM",docx,18787,Classification,System,"[""EU Driver's License Number"",""German Driver's License Number""]",2,,,,,PurviewDataSensitivityLogs,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourcegroups/purview-sentinel-bug-bash/providers/microsoft.purview/accounts/sentinel-bug-bash-southeastasia -d80e74e9-da11-4572-babc-79349f7685cc,"11/1/2021, 4:16:01.462 PM",00000000-0000-0000-0000-000000000000,DataSensitivityLogEvent,72f988bf-86f1-41af-91ab-2d7cd011db47,458b9821-8f00-483f-acf9-ff6ab17332c4,Sentinel-Bug-Bash-SoutheastAsia,southeastasia,AzureBlob-eXR,AzureBlob,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourceGroups/classification-test/providers/Microsoft.Storage/storageAccounts/aipclptest,458b9821-8f00-483f-acf9-ff6ab17332c4,eastus,BugBashTest,,de-drv.docx,https://aipclptest.blob.core.windows.net/aipscan/PII/de-drv.docx,File,"2/13/2020, 7:54:22.000 PM","2/13/2020, 7:54:22.000 PM",,"11/1/2021, 4:12:33.829 PM",docx,18787,Labeling,External,[],0,f42aa342-8706-4288-bd11-ebb85995028c,General,,,PurviewDataSensitivityLogs,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourcegroups/purview-sentinel-bug-bash/providers/microsoft.purview/accounts/sentinel-bug-bash-southeastasia -d80e74e9-da11-4572-babc-79349f7685cc,"11/1/2021, 4:16:01.462 PM",00000000-0000-0000-0000-000000000000,DataSensitivityLogEvent,72f988bf-86f1-41af-91ab-2d7cd011db47,458b9821-8f00-483f-acf9-ff6ab17332c4,Sentinel-Bug-Bash-SoutheastAsia,southeastasia,AzureFileStorage-uQc,AzureFile,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourceGroups/classification-test/providers/Microsoft.Storage/storageAccounts/aipclptest,458b9821-8f00-483f-acf9-ff6ab17332c4,eastus,BugBashTest,,Doc with credit cards.docx,https://aipclptest.file.core.windows.net/testfiles/testdirectory/Doc with credit cards.docx,File,,"5/27/2020, 1:36:01.000 AM",,"11/1/2021, 4:12:36.670 PM",docx,14003,Classification,System,"[""Credit Card Number"",""EU Debit Card Number""]",2,,,,,PurviewDataSensitivityLogs,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourcegroups/purview-sentinel-bug-bash/providers/microsoft.purview/accounts/sentinel-bug-bash-southeastasia -d80e74e9-da11-4572-babc-79349f7685cc,"11/1/2021, 4:16:01.462 PM",00000000-0000-0000-0000-000000000000,DataSensitivityLogEvent,72f988bf-86f1-41af-91ab-2d7cd011db47,458b9821-8f00-483f-acf9-ff6ab17332c4,Sentinel-Bug-Bash-SoutheastAsia,southeastasia,AzureFileStorage-uQc,AzureFile,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourceGroups/classification-test/providers/Microsoft.Storage/storageAccounts/aipclptest,458b9821-8f00-483f-acf9-ff6ab17332c4,eastus,BugBashTest,,Doc with credit cards.docx,https://aipclptest.file.core.windows.net/testfiles/testdirectory/Doc with credit cards.docx,File,,"5/27/2020, 1:36:01.000 AM",,"11/1/2021, 4:12:36.670 PM",docx,14003,Labeling,External,[],0,f42aa342-8706-4288-bd11-ebb85995028c,General,,,PurviewDataSensitivityLogs,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourcegroups/purview-sentinel-bug-bash/providers/microsoft.purview/accounts/sentinel-bug-bash-southeastasia -d80e74e9-da11-4572-babc-79349f7685cc,"11/1/2021, 4:16:01.577 PM",00000000-0000-0000-0000-000000000000,DataSensitivityLogEvent,72f988bf-86f1-41af-91ab-2d7cd011db47,458b9821-8f00-483f-acf9-ff6ab17332c4,Sentinel-Bug-Bash-SoutheastAsia,southeastasia,AzureBlob-eXR,AzureBlob,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourceGroups/classification-test/providers/Microsoft.Storage/storageAccounts/aipclptest,458b9821-8f00-483f-acf9-ff6ab17332c4,eastus,BugBashTest,,es-ssn.docx,https://aipclptest.blob.core.windows.net/satintestcontainer/es-ssn.docx,File,"5/12/2021, 6:56:19.000 PM","5/12/2021, 6:56:19.000 PM",,"11/1/2021, 4:12:25.089 PM",docx,26070,Classification,System,"[""Spain Social Security Number (SSN)""]",1,,,,,PurviewDataSensitivityLogs,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourcegroups/purview-sentinel-bug-bash/providers/microsoft.purview/accounts/sentinel-bug-bash-southeastasia -d80e74e9-da11-4572-babc-79349f7685cc,"11/1/2021, 4:16:01.584 PM",00000000-0000-0000-0000-000000000000,DataSensitivityLogEvent,72f988bf-86f1-41af-91ab-2d7cd011db47,458b9821-8f00-483f-acf9-ff6ab17332c4,Sentinel-Bug-Bash-SoutheastAsia,southeastasia,AzureBlob-eXR,AzureBlob,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourceGroups/classification-test/providers/Microsoft.Storage/storageAccounts/aipclptest,458b9821-8f00-483f-acf9-ff6ab17332c4,eastus,BugBashTest,,Charges.docx,https://aipclptest.blob.core.windows.net/aipscan/Finance/Charges.docx,File,"2/13/2020, 7:54:02.000 PM","2/13/2020, 7:54:02.000 PM",,"11/1/2021, 4:12:27.885 PM",docx,20166,Classification,System,"[""Credit Card Number"",""EU Debit Card Number""]",2,,,,,PurviewDataSensitivityLogs,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourcegroups/purview-sentinel-bug-bash/providers/microsoft.purview/accounts/sentinel-bug-bash-southeastasia -d80e74e9-da11-4572-babc-79349f7685cc,"11/1/2021, 4:16:01.590 PM",00000000-0000-0000-0000-000000000000,DataSensitivityLogEvent,72f988bf-86f1-41af-91ab-2d7cd011db47,458b9821-8f00-483f-acf9-ff6ab17332c4,Sentinel-Bug-Bash-SoutheastAsia,southeastasia,AzureBlob-eXR,AzureBlob,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourceGroups/classification-test/providers/Microsoft.Storage/storageAccounts/aipclptest,458b9821-8f00-483f-acf9-ff6ab17332c4,eastus,BugBashTest,,Doc with credit cards.docx,https://aipclptest.blob.core.windows.net/aipscan/Finance/Doc with credit cards.docx,File,"2/13/2020, 7:54:02.000 PM","2/13/2020, 7:54:02.000 PM",,"11/1/2021, 4:12:28.089 PM",docx,14003,Classification,System,"[""Credit Card Number"",""EU Debit Card Number""]",2,,,,,PurviewDataSensitivityLogs,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourcegroups/purview-sentinel-bug-bash/providers/microsoft.purview/accounts/sentinel-bug-bash-southeastasia -d80e74e9-da11-4572-babc-79349f7685cc,"11/1/2021, 4:16:01.590 PM",00000000-0000-0000-0000-000000000000,DataSensitivityLogEvent,72f988bf-86f1-41af-91ab-2d7cd011db47,458b9821-8f00-483f-acf9-ff6ab17332c4,Sentinel-Bug-Bash-SoutheastAsia,southeastasia,AzureBlob-eXR,AzureBlob,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourceGroups/classification-test/providers/Microsoft.Storage/storageAccounts/aipclptest,458b9821-8f00-483f-acf9-ff6ab17332c4,eastus,BugBashTest,,Doc with credit cards.docx,https://aipclptest.blob.core.windows.net/aipscan/Finance/Doc with credit cards.docx,File,"2/13/2020, 7:54:02.000 PM","2/13/2020, 7:54:02.000 PM",,"11/1/2021, 4:12:28.089 PM",docx,14003,Labeling,External,[],0,f42aa342-8706-4288-bd11-ebb85995028c,General,,,PurviewDataSensitivityLogs,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourcegroups/purview-sentinel-bug-bash/providers/microsoft.purview/accounts/sentinel-bug-bash-southeastasia -d80e74e9-da11-4572-babc-79349f7685cc,"11/1/2021, 4:16:01.591 PM",00000000-0000-0000-0000-000000000000,DataSensitivityLogEvent,72f988bf-86f1-41af-91ab-2d7cd011db47,458b9821-8f00-483f-acf9-ff6ab17332c4,Sentinel-Bug-Bash-SoutheastAsia,southeastasia,AzureFileStorage-uQc,AzureFile,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourceGroups/classification-test/providers/Microsoft.Storage/storageAccounts/aipclptest,458b9821-8f00-483f-acf9-ff6ab17332c4,eastus,BugBashTest,,YiChenTest-Acme Background Check-Katana.doc,https://aipclptest.file.core.windows.net/testfiles/YichenTest/YiChenTest-Acme Background Check-Katana.doc,File,,"8/5/2021, 6:40:07.000 PM",,"11/1/2021, 4:12:50.379 PM",doc,90624,Classification,System,"[""Credit Card Number"",""U.S. Social Security Number (SSN)""]",2,,,,,PurviewDataSensitivityLogs,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourcegroups/purview-sentinel-bug-bash/providers/microsoft.purview/accounts/sentinel-bug-bash-southeastasia -d80e74e9-da11-4572-babc-79349f7685cc,"11/1/2021, 4:16:01.596 PM",00000000-0000-0000-0000-000000000000,DataSensitivityLogEvent,72f988bf-86f1-41af-91ab-2d7cd011db47,458b9821-8f00-483f-acf9-ff6ab17332c4,Sentinel-Bug-Bash-SoutheastAsia,southeastasia,AzureFileStorage-uQc,AzureFile,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourceGroups/classification-test/providers/Microsoft.Storage/storageAccounts/aipclptest,458b9821-8f00-483f-acf9-ff6ab17332c4,eastus,BugBashTest,,Acme Background Check-Katana.doc,https://aipclptest.file.core.windows.net/testfiles/testdirectory2/Acme Background Check-Katana.doc,File,,"7/20/2020, 11:20:10.000 PM",,"11/1/2021, 4:12:50.395 PM",doc,95232,Classification,System,"[""Credit Card Number"",""U.S. Social Security Number (SSN)""]",2,,,,,PurviewDataSensitivityLogs,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourcegroups/purview-sentinel-bug-bash/providers/microsoft.purview/accounts/sentinel-bug-bash-southeastasia -d80e74e9-da11-4572-babc-79349f7685cc,"11/1/2021, 4:16:01.656 PM",00000000-0000-0000-0000-000000000000,DataSensitivityLogEvent,72f988bf-86f1-41af-91ab-2d7cd011db47,458b9821-8f00-483f-acf9-ff6ab17332c4,Sentinel-Bug-Bash-SoutheastAsia,southeastasia,AzureBlob-eXR,AzureBlob,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourceGroups/classification-test/providers/Microsoft.Storage/storageAccounts/aipclptest,458b9821-8f00-483f-acf9-ff6ab17332c4,eastus,BugBashTest,,cz.txt,https://aipclptest.blob.core.windows.net/aipscan/HR/cz.txt,File,"2/13/2020, 7:54:12.000 PM","2/13/2020, 7:54:12.000 PM",,"11/1/2021, 4:12:25.448 PM",txt,124,Labeling,Default,[],0,9fbde396-1a24-4c79-8edf-9254a0f35055,Confidential\Microsoft Extended,,,PurviewDataSensitivityLogs,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourcegroups/purview-sentinel-bug-bash/providers/microsoft.purview/accounts/sentinel-bug-bash-southeastasia -d80e74e9-da11-4572-babc-79349f7685cc,"11/1/2021, 4:16:01.717 PM",00000000-0000-0000-0000-000000000000,DataSensitivityLogEvent,72f988bf-86f1-41af-91ab-2d7cd011db47,458b9821-8f00-483f-acf9-ff6ab17332c4,Sentinel-Bug-Bash-SoutheastAsia,southeastasia,AzureFileStorage-uQc,AzureFile,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourceGroups/classification-test/providers/Microsoft.Storage/storageAccounts/aipclptest,458b9821-8f00-483f-acf9-ff6ab17332c4,eastus,BugBashTest,,Acme Background Check-Katana.doc,https://aipclptest.file.core.windows.net/testfiles/YichenTest/Acme Background Check-Katana.doc,File,,"8/5/2021, 6:28:20.000 PM",,"11/1/2021, 4:12:50.395 PM",doc,90624,Classification,System,"[""Credit Card Number"",""U.S. Social Security Number (SSN)""]",2,,,,,PurviewDataSensitivityLogs,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourcegroups/purview-sentinel-bug-bash/providers/microsoft.purview/accounts/sentinel-bug-bash-southeastasia -d80e74e9-da11-4572-babc-79349f7685cc,"11/1/2021, 4:16:01.781 PM",00000000-0000-0000-0000-000000000000,DataSensitivityLogEvent,72f988bf-86f1-41af-91ab-2d7cd011db47,458b9821-8f00-483f-acf9-ff6ab17332c4,Sentinel-Bug-Bash-SoutheastAsia,southeastasia,AzureBlob-eXR,AzureBlob,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourceGroups/classification-test/providers/Microsoft.Storage/storageAccounts/aipclptest,458b9821-8f00-483f-acf9-ff6ab17332c4,eastus,BugBashTest,,de-id.docx,https://aipclptest.blob.core.windows.net/aashishr01/de-id.docx,File,"12/11/2020, 8:59:35.000 PM","12/11/2020, 8:59:35.000 PM",,"11/1/2021, 4:12:17.925 PM",docx,25558,Labeling,Default,[],0,9fbde396-1a24-4c79-8edf-9254a0f35055,Confidential\Microsoft Extended,,,PurviewDataSensitivityLogs,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourcegroups/purview-sentinel-bug-bash/providers/microsoft.purview/accounts/sentinel-bug-bash-southeastasia -d80e74e9-da11-4572-babc-79349f7685cc,"11/1/2021, 4:16:01.834 PM",00000000-0000-0000-0000-000000000000,DataSensitivityLogEvent,72f988bf-86f1-41af-91ab-2d7cd011db47,458b9821-8f00-483f-acf9-ff6ab17332c4,Sentinel-Bug-Bash-SoutheastAsia,southeastasia,AzureBlob-eXR,AzureBlob,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourceGroups/classification-test/providers/Microsoft.Storage/storageAccounts/aipclptest,458b9821-8f00-483f-acf9-ff6ab17332c4,eastus,BugBashTest,,de-pn.docx,https://aipclptest.blob.core.windows.net/aashishr01/de-pn.docx,File,"12/11/2020, 8:59:35.000 PM","12/11/2020, 8:59:35.000 PM",,"11/1/2021, 4:12:17.925 PM",docx,26060,Labeling,Default,[],0,9fbde396-1a24-4c79-8edf-9254a0f35055,Confidential\Microsoft Extended,,,PurviewDataSensitivityLogs,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourcegroups/purview-sentinel-bug-bash/providers/microsoft.purview/accounts/sentinel-bug-bash-southeastasia -d80e74e9-da11-4572-babc-79349f7685cc,"11/1/2021, 4:16:01.844 PM",00000000-0000-0000-0000-000000000000,DataSensitivityLogEvent,72f988bf-86f1-41af-91ab-2d7cd011db47,458b9821-8f00-483f-acf9-ff6ab17332c4,Sentinel-Bug-Bash-SoutheastAsia,southeastasia,AzureBlob-eXR,AzureBlob,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourceGroups/classification-test/providers/Microsoft.Storage/storageAccounts/aipclptest,458b9821-8f00-483f-acf9-ff6ab17332c4,eastus,BugBashTest,,create samples.xlsx,https://aipclptest.blob.core.windows.net/test2/create samples.xlsx,File,"5/13/2021, 6:37:49.000 PM","5/13/2021, 6:37:49.000 PM",,"11/1/2021, 4:12:15.863 PM",xlsx,29140,Classification,System,"[""ABA Routing Number"",""Argentina National Identity (DNI) Number"",""Australia Bank Account Number"",""Australia Driver's License Number"",""Australia Medical Account Number"",""Australia Passport Number"",""Australia Tax File Number"",""Austria Driver's License Number"",""Austria Passport Number"",""Belgium Driver's License Number"",""Belgium Passport Number"",""Brazil CPF Number"",""Brazil Legal Entity Number (CNPJ)"",""Brazil National ID Card (RG)"",""Bulgaria Driver's License Number"",""Bulgaria Passport Number"",""Canada Bank Account Number"",""Canada Driver's License Number"",""Canada Health Service Number"",""Canada Passport Number"",""Canada Personal Health Identification Number (PHIN)"",""Canada Social Insurance Number"",""Chile Identity Card Number"",""China Resident Identity Card (PRC) Number"",""Credit Card Number"",""Croatia Driver's License Number"",""Croatia Passport Number"",""Cyprus Driver's License Number"",""Cyprus Identity Card"",""Czech Personal Identity Number"",""Czech Republic Passport Number"",""Denmark Driver's License Number"",""Denmark Passport Number"",""Denmark Personal Identification Number"",""Estonia Passport Number"",""EU Debit Card Number"",""EU Driver's License Number"",""EU National Identification Number"",""EU Passport Number"",""EU Social Security Number (SSN) or Equivalent ID"",""EU Tax Identification Number (TIN)"",""Finland National ID"",""Finland Passport Number"",""France Driver's License Number"",""France National ID Card (CNI)"",""France Social Security Number (INSEE)"",""German Driver's License Number"",""German Passport Number"",""Germany Identity Card Number"",""Greece Driver's License Number"",""Greece National ID Card"",""Greece Passport Number"",""Hungarian Social Security Number (TAJ)"",""Hungary Passport Number"",""India Permanent Account Number (PAN)"",""India Unique Identification (Aadhaar) Number"",""Indonesia Identity Card (KTP) Number"",""International Banking Account Number (IBAN)"",""IP Address"",""Ireland Passport Number"",""Ireland Personal Public Service (PPS) Number"",""Israel Bank Account Number"",""Israel National ID"",""Italy Driver's License Number"",""Italy Passport Number"",""Japan Bank Account Number"",""Japan Driver's License Number"",""Japan Passport Number"",""Japan Resident Registration Number"",""Japan Social Insurance Number (SIN)"",""Lithuania Driver's License Number"",""Lithuania Passport Number"",""Luxemburg Passport Number"",""Malaysia Identity Card Number"",""Malta Driver's License Number"",""Malta Passport Number"",""Netherlands Driver's License Number"",""Netherlands Passport Number"",""New Zealand Ministry of Health Number"",""Norway Identity Number"",""Philippines Unified Multi-Purpose ID Number"",""Poland Identity Card"",""Romania Driver's License Number"",""Romania Passport Number"",""Russian Passport Number (Domestic)"",""Russian Passport Number (International)"",""Saudi Arabia National ID"",""Singapore National Registration Identity Card (NRIC) Number"",""Slovakia Driver's License Number"",""Slovakia Passport Number"",""Slovakia Personal Number"",""Slovenia Driver's License Number"",""Slovenia Passport Number"",""South Africa Identification Number"",""South Korea Resident Registration Number"",""Spain Social Security Number (SSN)"",""Sweden National ID"",""Sweden Passport Number"",""Sweden Tax Identification Number"",""SWIFT Code"",""Taiwan National ID"",""Taiwan Passport Number"",""Taiwan Resident Certificate (ARC/TARC)"",""U.K. Driver's License Number"",""U.K. Electoral Roll Number"",""U.K. National Health Service Number"",""U.K. National Insurance Number (NINO)"",""U.K. Unique Taxpayer Reference Number"",""U.S. / U.K. Passport Number"",""U.S. Bank Account Number"",""U.S. Individual Taxpayer Identification Number (ITIN)"",""U.S. Social Security Number (SSN)"",""Ukraine Passport Number (Domestic)"",""Ukraine Passport Number (International)""]",114,,,,,PurviewDataSensitivityLogs,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourcegroups/purview-sentinel-bug-bash/providers/microsoft.purview/accounts/sentinel-bug-bash-southeastasia -d80e74e9-da11-4572-babc-79349f7685cc,"11/1/2021, 4:16:01.849 PM",00000000-0000-0000-0000-000000000000,DataSensitivityLogEvent,72f988bf-86f1-41af-91ab-2d7cd011db47,458b9821-8f00-483f-acf9-ff6ab17332c4,Sentinel-Bug-Bash-SoutheastAsia,southeastasia,AzureBlob-eXR,AzureBlob,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourceGroups/classification-test/providers/Microsoft.Storage/storageAccounts/aipclptest,458b9821-8f00-483f-acf9-ff6ab17332c4,eastus,BugBashTest,,EL.txt,https://aipclptest.blob.core.windows.net/aashishr01/EL.txt,File,"12/11/2020, 8:59:35.000 PM","12/11/2020, 8:59:35.000 PM",,"11/1/2021, 4:12:17.769 PM",txt,200,Labeling,Default,[],0,9fbde396-1a24-4c79-8edf-9254a0f35055,Confidential\Microsoft Extended,,,PurviewDataSensitivityLogs,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourcegroups/purview-sentinel-bug-bash/providers/microsoft.purview/accounts/sentinel-bug-bash-southeastasia -d80e74e9-da11-4572-babc-79349f7685cc,"11/1/2021, 4:16:01.857 PM",00000000-0000-0000-0000-000000000000,DataSensitivityLogEvent,72f988bf-86f1-41af-91ab-2d7cd011db47,458b9821-8f00-483f-acf9-ff6ab17332c4,Sentinel-Bug-Bash-SoutheastAsia,southeastasia,AzureBlob-eXR,AzureBlob,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourceGroups/classification-test/providers/Microsoft.Storage/storageAccounts/aipclptest,458b9821-8f00-483f-acf9-ff6ab17332c4,eastus,BugBashTest,,2020 forecast.pptx,https://aipclptest.blob.core.windows.net/aipscan/Finance/2020 forecast.pptx,File,"2/13/2020, 7:54:02.000 PM","2/13/2020, 7:54:02.000 PM",,"11/1/2021, 4:12:27.135 PM",pptx,32114,Labeling,Default,[],0,9fbde396-1a24-4c79-8edf-9254a0f35055,Confidential\Microsoft Extended,,,PurviewDataSensitivityLogs,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourcegroups/purview-sentinel-bug-bash/providers/microsoft.purview/accounts/sentinel-bug-bash-southeastasia -d80e74e9-da11-4572-babc-79349f7685cc,"11/1/2021, 4:16:01.868 PM",00000000-0000-0000-0000-000000000000,DataSensitivityLogEvent,72f988bf-86f1-41af-91ab-2d7cd011db47,458b9821-8f00-483f-acf9-ff6ab17332c4,Sentinel-Bug-Bash-SoutheastAsia,southeastasia,AzureBlob-eXR,AzureBlob,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourceGroups/classification-test/providers/Microsoft.Storage/storageAccounts/aipclptest,458b9821-8f00-483f-acf9-ff6ab17332c4,eastus,BugBashTest,,2019 forecast.pptx,https://aipclptest.blob.core.windows.net/aipscan/Finance/2019 forecast.pptx,File,"2/13/2020, 7:54:02.000 PM","2/13/2020, 7:54:02.000 PM",,"11/1/2021, 4:12:28.339 PM",pptx,32114,Labeling,Default,[],0,9fbde396-1a24-4c79-8edf-9254a0f35055,Confidential\Microsoft Extended,,,PurviewDataSensitivityLogs,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourcegroups/purview-sentinel-bug-bash/providers/microsoft.purview/accounts/sentinel-bug-bash-southeastasia -d80e74e9-da11-4572-babc-79349f7685cc,"11/1/2021, 4:16:01.878 PM",00000000-0000-0000-0000-000000000000,DataSensitivityLogEvent,72f988bf-86f1-41af-91ab-2d7cd011db47,458b9821-8f00-483f-acf9-ff6ab17332c4,Sentinel-Bug-Bash-SoutheastAsia,southeastasia,AzureBlob-eXR,AzureBlob,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourceGroups/classification-test/providers/Microsoft.Storage/storageAccounts/aipclptest,458b9821-8f00-483f-acf9-ff6ab17332c4,eastus,BugBashTest,,multiple.docx,https://aipclptest.blob.core.windows.net/aashishr01/multiple.docx,File,"12/11/2020, 8:59:33.000 PM","12/11/2020, 8:59:33.000 PM",,"11/1/2021, 4:12:17.925 PM",docx,24336,Labeling,Default,[],0,9fbde396-1a24-4c79-8edf-9254a0f35055,Confidential\Microsoft Extended,,,PurviewDataSensitivityLogs,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourcegroups/purview-sentinel-bug-bash/providers/microsoft.purview/accounts/sentinel-bug-bash-southeastasia -d80e74e9-da11-4572-babc-79349f7685cc,"11/1/2021, 4:16:01.942 PM",00000000-0000-0000-0000-000000000000,DataSensitivityLogEvent,72f988bf-86f1-41af-91ab-2d7cd011db47,458b9821-8f00-483f-acf9-ff6ab17332c4,Sentinel-Bug-Bash-SoutheastAsia,southeastasia,AzureBlob-eXR,AzureBlob,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourceGroups/classification-test/providers/Microsoft.Storage/storageAccounts/aipclptest,458b9821-8f00-483f-acf9-ff6ab17332c4,eastus,BugBashTest,,Billable vendors.pptx,https://aipclptest.blob.core.windows.net/aipscan/Finance/Billable vendors.pptx,File,"2/13/2020, 7:54:02.000 PM","2/13/2020, 7:54:02.000 PM",,"11/1/2021, 4:12:28.339 PM",pptx,32114,Labeling,Default,[],0,9fbde396-1a24-4c79-8edf-9254a0f35055,Confidential\Microsoft Extended,,,PurviewDataSensitivityLogs,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourcegroups/purview-sentinel-bug-bash/providers/microsoft.purview/accounts/sentinel-bug-bash-southeastasia -d80e74e9-da11-4572-babc-79349f7685cc,"11/1/2021, 4:16:01.949 PM",00000000-0000-0000-0000-000000000000,DataSensitivityLogEvent,72f988bf-86f1-41af-91ab-2d7cd011db47,458b9821-8f00-483f-acf9-ff6ab17332c4,Sentinel-Bug-Bash-SoutheastAsia,southeastasia,AzureBlob-eXR,AzureBlob,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourceGroups/classification-test/providers/Microsoft.Storage/storageAccounts/aipclptest,458b9821-8f00-483f-acf9-ff6ab17332c4,eastus,BugBashTest,,Test Doc with Creditcard.docx,https://aipclptest.blob.core.windows.net/aipscan/Finance/Test Doc with Creditcard.docx,File,"2/13/2020, 7:54:02.000 PM","2/13/2020, 7:54:02.000 PM",,"11/1/2021, 4:12:27.151 PM",docx,12800,Labeling,Default,[],0,9fbde396-1a24-4c79-8edf-9254a0f35055,Confidential\Microsoft Extended,,,PurviewDataSensitivityLogs,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourcegroups/purview-sentinel-bug-bash/providers/microsoft.purview/accounts/sentinel-bug-bash-southeastasia -d80e74e9-da11-4572-babc-79349f7685cc,"11/1/2021, 4:16:02.004 PM",00000000-0000-0000-0000-000000000000,DataSensitivityLogEvent,72f988bf-86f1-41af-91ab-2d7cd011db47,458b9821-8f00-483f-acf9-ff6ab17332c4,Sentinel-Bug-Bash-SoutheastAsia,southeastasia,AzureBlob-eXR,AzureBlob,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourceGroups/classification-test/providers/Microsoft.Storage/storageAccounts/aipclptest,458b9821-8f00-483f-acf9-ff6ab17332c4,eastus,BugBashTest,,Billing 2018.docx,https://aipclptest.blob.core.windows.net/aipscan/Finance/Billing 2018.docx,File,"2/13/2020, 7:54:02.000 PM","2/13/2020, 7:54:02.000 PM",,"11/1/2021, 4:12:28.370 PM",docx,20166,Labeling,Default,[],0,9fbde396-1a24-4c79-8edf-9254a0f35055,Confidential\Microsoft Extended,,,PurviewDataSensitivityLogs,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourcegroups/purview-sentinel-bug-bash/providers/microsoft.purview/accounts/sentinel-bug-bash-southeastasia -d80e74e9-da11-4572-babc-79349f7685cc,"11/1/2021, 4:16:02.013 PM",00000000-0000-0000-0000-000000000000,DataSensitivityLogEvent,72f988bf-86f1-41af-91ab-2d7cd011db47,458b9821-8f00-483f-acf9-ff6ab17332c4,Sentinel-Bug-Bash-SoutheastAsia,southeastasia,AzureBlob-eXR,AzureBlob,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourceGroups/classification-test/providers/Microsoft.Storage/storageAccounts/aipclptest,458b9821-8f00-483f-acf9-ff6ab17332c4,eastus,BugBashTest,,es-ssn.docx,https://aipclptest.blob.core.windows.net/aipscan/Finance/es-ssn.docx,File,"2/13/2020, 7:54:02.000 PM","2/13/2020, 7:54:02.000 PM",,"11/1/2021, 4:12:28.354 PM",docx,20018,Labeling,Default,[],0,9fbde396-1a24-4c79-8edf-9254a0f35055,Confidential\Microsoft Extended,,,PurviewDataSensitivityLogs,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourcegroups/purview-sentinel-bug-bash/providers/microsoft.purview/accounts/sentinel-bug-bash-southeastasia -d80e74e9-da11-4572-babc-79349f7685cc,"11/1/2021, 4:16:02.023 PM",00000000-0000-0000-0000-000000000000,DataSensitivityLogEvent,72f988bf-86f1-41af-91ab-2d7cd011db47,458b9821-8f00-483f-acf9-ff6ab17332c4,Sentinel-Bug-Bash-SoutheastAsia,southeastasia,AzureBlob-eXR,AzureBlob,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourceGroups/classification-test/providers/Microsoft.Storage/storageAccounts/aipclptest,458b9821-8f00-483f-acf9-ff6ab17332c4,eastus,BugBashTest,,Registration form.docx,https://aipclptest.blob.core.windows.net/aipscan/Finance/Registration form.docx,File,"2/13/2020, 7:54:02.000 PM","2/13/2020, 7:54:02.000 PM",,"11/1/2021, 4:12:28.854 PM",docx,20166,Labeling,Default,[],0,9fbde396-1a24-4c79-8edf-9254a0f35055,Confidential\Microsoft Extended,,,PurviewDataSensitivityLogs,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourcegroups/purview-sentinel-bug-bash/providers/microsoft.purview/accounts/sentinel-bug-bash-southeastasia -d80e74e9-da11-4572-babc-79349f7685cc,"11/1/2021, 4:16:02.041 PM",00000000-0000-0000-0000-000000000000,DataSensitivityLogEvent,72f988bf-86f1-41af-91ab-2d7cd011db47,458b9821-8f00-483f-acf9-ff6ab17332c4,Sentinel-Bug-Bash-SoutheastAsia,southeastasia,AzureBlob-eXR,AzureBlob,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourceGroups/classification-test/providers/Microsoft.Storage/storageAccounts/aipclptest,458b9821-8f00-483f-acf9-ff6ab17332c4,eastus,BugBashTest,,Credit Card Spreadsheet-Katana.xls,https://aipclptest.blob.core.windows.net/aipscan/CredScan/Credit Card Spreadsheet-Katana.xls,File,"2/13/2020, 7:53:38.000 PM","2/13/2020, 7:53:38.000 PM",,"11/1/2021, 4:12:29.292 PM",xls,30208,Labeling,Default,[],0,9fbde396-1a24-4c79-8edf-9254a0f35055,Confidential\Microsoft Extended,,,PurviewDataSensitivityLogs,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourcegroups/purview-sentinel-bug-bash/providers/microsoft.purview/accounts/sentinel-bug-bash-southeastasia -d80e74e9-da11-4572-babc-79349f7685cc,"11/1/2021, 4:16:02.057 PM",00000000-0000-0000-0000-000000000000,DataSensitivityLogEvent,72f988bf-86f1-41af-91ab-2d7cd011db47,458b9821-8f00-483f-acf9-ff6ab17332c4,Sentinel-Bug-Bash-SoutheastAsia,southeastasia,AzureBlob-eXR,AzureBlob,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourceGroups/classification-test/providers/Microsoft.Storage/storageAccounts/aipclptest,458b9821-8f00-483f-acf9-ff6ab17332c4,eastus,BugBashTest,,finland.txt,https://aipclptest.blob.core.windows.net/aipscan/HR/finland.txt,File,"2/13/2020, 7:54:12.000 PM","2/13/2020, 7:54:12.000 PM",,"11/1/2021, 4:12:26.401 PM",txt,89,Labeling,Default,[],0,9fbde396-1a24-4c79-8edf-9254a0f35055,Confidential\Microsoft Extended,,,PurviewDataSensitivityLogs,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourcegroups/purview-sentinel-bug-bash/providers/microsoft.purview/accounts/sentinel-bug-bash-southeastasia -d80e74e9-da11-4572-babc-79349f7685cc,"11/1/2021, 4:16:02.063 PM",00000000-0000-0000-0000-000000000000,DataSensitivityLogEvent,72f988bf-86f1-41af-91ab-2d7cd011db47,458b9821-8f00-483f-acf9-ff6ab17332c4,Sentinel-Bug-Bash-SoutheastAsia,southeastasia,AzureBlob-eXR,AzureBlob,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourceGroups/classification-test/providers/Microsoft.Storage/storageAccounts/aipclptest,458b9821-8f00-483f-acf9-ff6ab17332c4,eastus,BugBashTest,,Customer details.pptx,https://aipclptest.blob.core.windows.net/aipscan/Finance/Customer details.pptx,File,"2/13/2020, 7:54:02.000 PM","2/13/2020, 7:54:02.000 PM",,"11/1/2021, 4:12:28.557 PM",pptx,32114,Labeling,Default,[],0,9fbde396-1a24-4c79-8edf-9254a0f35055,Confidential\Microsoft Extended,,,PurviewDataSensitivityLogs,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourcegroups/purview-sentinel-bug-bash/providers/microsoft.purview/accounts/sentinel-bug-bash-southeastasia -d80e74e9-da11-4572-babc-79349f7685cc,"11/1/2021, 4:16:02.080 PM",00000000-0000-0000-0000-000000000000,DataSensitivityLogEvent,72f988bf-86f1-41af-91ab-2d7cd011db47,458b9821-8f00-483f-acf9-ff6ab17332c4,Sentinel-Bug-Bash-SoutheastAsia,southeastasia,AzureBlob-eXR,AzureBlob,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourceGroups/classification-test/providers/Microsoft.Storage/storageAccounts/aipclptest,458b9821-8f00-483f-acf9-ff6ab17332c4,eastus,BugBashTest,,Acme Parking Form-Katana.doc,https://aipclptest.blob.core.windows.net/aipscan/CredScan/Acme Parking Form-Katana.doc,File,"2/13/2020, 7:53:39.000 PM","2/13/2020, 7:53:39.000 PM",,"11/1/2021, 4:12:30.276 PM",doc,57856,Labeling,Default,[],0,9fbde396-1a24-4c79-8edf-9254a0f35055,Confidential\Microsoft Extended,,,PurviewDataSensitivityLogs,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourcegroups/purview-sentinel-bug-bash/providers/microsoft.purview/accounts/sentinel-bug-bash-southeastasia -d80e74e9-da11-4572-babc-79349f7685cc,"11/1/2021, 4:16:02.091 PM",00000000-0000-0000-0000-000000000000,DataSensitivityLogEvent,72f988bf-86f1-41af-91ab-2d7cd011db47,458b9821-8f00-483f-acf9-ff6ab17332c4,Sentinel-Bug-Bash-SoutheastAsia,southeastasia,AzureBlob-eXR,AzureBlob,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourceGroups/classification-test/providers/Microsoft.Storage/storageAccounts/aipclptest,458b9821-8f00-483f-acf9-ff6ab17332c4,eastus,BugBashTest,,el-id.docx,https://aipclptest.blob.core.windows.net/aashishr01/el-id.docx,File,"12/11/2020, 8:59:35.000 PM","12/11/2020, 8:59:35.000 PM",,"11/1/2021, 4:12:23.147 PM",docx,26163,Labeling,Default,[],0,9fbde396-1a24-4c79-8edf-9254a0f35055,Confidential\Microsoft Extended,,,PurviewDataSensitivityLogs,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourcegroups/purview-sentinel-bug-bash/providers/microsoft.purview/accounts/sentinel-bug-bash-southeastasia -d80e74e9-da11-4572-babc-79349f7685cc,"11/1/2021, 4:16:02.105 PM",00000000-0000-0000-0000-000000000000,DataSensitivityLogEvent,72f988bf-86f1-41af-91ab-2d7cd011db47,458b9821-8f00-483f-acf9-ff6ab17332c4,Sentinel-Bug-Bash-SoutheastAsia,southeastasia,AzureBlob-eXR,AzureBlob,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourceGroups/classification-test/providers/Microsoft.Storage/storageAccounts/aipclptest,458b9821-8f00-483f-acf9-ff6ab17332c4,eastus,BugBashTest,,AMCE Patent Application-Katana.doc,https://aipclptest.blob.core.windows.net/aipscan/CredScan/AMCE Patent Application-Katana.doc,File,"2/13/2020, 7:53:38.000 PM","2/13/2020, 7:53:38.000 PM",,"11/1/2021, 4:12:30.229 PM",doc,42496,Labeling,Default,[],0,9fbde396-1a24-4c79-8edf-9254a0f35055,Confidential\Microsoft Extended,,,PurviewDataSensitivityLogs,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourcegroups/purview-sentinel-bug-bash/providers/microsoft.purview/accounts/sentinel-bug-bash-southeastasia -d80e74e9-da11-4572-babc-79349f7685cc,"11/1/2021, 4:16:02.112 PM",00000000-0000-0000-0000-000000000000,DataSensitivityLogEvent,72f988bf-86f1-41af-91ab-2d7cd011db47,458b9821-8f00-483f-acf9-ff6ab17332c4,Sentinel-Bug-Bash-SoutheastAsia,southeastasia,AzureBlob-eXR,AzureBlob,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourceGroups/classification-test/providers/Microsoft.Storage/storageAccounts/aipclptest,458b9821-8f00-483f-acf9-ff6ab17332c4,eastus,BugBashTest,,fi-pn.docx,https://aipclptest.blob.core.windows.net/aashishr01/fi-pn.docx,File,"12/11/2020, 8:59:33.000 PM","12/11/2020, 8:59:33.000 PM",,"11/1/2021, 4:12:22.975 PM",docx,25516,Labeling,Default,[],0,9fbde396-1a24-4c79-8edf-9254a0f35055,Confidential\Microsoft Extended,,,PurviewDataSensitivityLogs,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourcegroups/purview-sentinel-bug-bash/providers/microsoft.purview/accounts/sentinel-bug-bash-southeastasia -d80e74e9-da11-4572-babc-79349f7685cc,"11/1/2021, 4:16:02.157 PM",00000000-0000-0000-0000-000000000000,DataSensitivityLogEvent,72f988bf-86f1-41af-91ab-2d7cd011db47,458b9821-8f00-483f-acf9-ff6ab17332c4,Sentinel-Bug-Bash-SoutheastAsia,southeastasia,AzureBlob-eXR,AzureBlob,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourceGroups/classification-test/providers/Microsoft.Storage/storageAccounts/aipclptest,458b9821-8f00-483f-acf9-ff6ab17332c4,eastus,BugBashTest,,Acme Direct Deposit Form.xls,https://aipclptest.blob.core.windows.net/aipscan/CredScan/Acme Direct Deposit Form.xls,File,"2/13/2020, 7:53:39.000 PM","2/13/2020, 7:53:39.000 PM",,"11/1/2021, 4:12:32.157 PM",xls,123904,Labeling,Default,[],0,9fbde396-1a24-4c79-8edf-9254a0f35055,Confidential\Microsoft Extended,,,PurviewDataSensitivityLogs,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourcegroups/purview-sentinel-bug-bash/providers/microsoft.purview/accounts/sentinel-bug-bash-southeastasia -d80e74e9-da11-4572-babc-79349f7685cc,"11/1/2021, 4:16:02.219 PM",00000000-0000-0000-0000-000000000000,DataSensitivityLogEvent,72f988bf-86f1-41af-91ab-2d7cd011db47,458b9821-8f00-483f-acf9-ff6ab17332c4,Sentinel-Bug-Bash-SoutheastAsia,southeastasia,AzureBlob-eXR,AzureBlob,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourceGroups/classification-test/providers/Microsoft.Storage/storageAccounts/aipclptest,458b9821-8f00-483f-acf9-ff6ab17332c4,eastus,BugBashTest,,Customers list.docx,https://aipclptest.blob.core.windows.net/aipscan/Finance/Customers list.docx,File,"2/13/2020, 7:54:02.000 PM","2/13/2020, 7:54:02.000 PM",,"11/1/2021, 4:12:29.057 PM",docx,20166,Labeling,Default,[],0,9fbde396-1a24-4c79-8edf-9254a0f35055,Confidential\Microsoft Extended,,,PurviewDataSensitivityLogs,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourcegroups/purview-sentinel-bug-bash/providers/microsoft.purview/accounts/sentinel-bug-bash-southeastasia -d80e74e9-da11-4572-babc-79349f7685cc,"11/1/2021, 4:16:02.246 PM",00000000-0000-0000-0000-000000000000,DataSensitivityLogEvent,72f988bf-86f1-41af-91ab-2d7cd011db47,458b9821-8f00-483f-acf9-ff6ab17332c4,Sentinel-Bug-Bash-SoutheastAsia,southeastasia,AzureBlob-eXR,AzureBlob,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourceGroups/classification-test/providers/Microsoft.Storage/storageAccounts/aipclptest,458b9821-8f00-483f-acf9-ff6ab17332c4,eastus,BugBashTest,,AMCE Patent Application.doc,https://aipclptest.blob.core.windows.net/aipscan/CredScan/AMCE Patent Application.doc,File,"2/13/2020, 7:53:39.000 PM","2/13/2020, 7:53:39.000 PM",,"11/1/2021, 4:12:31.219 PM",doc,42496,Labeling,Default,[],0,9fbde396-1a24-4c79-8edf-9254a0f35055,Confidential\Microsoft Extended,,,PurviewDataSensitivityLogs,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourcegroups/purview-sentinel-bug-bash/providers/microsoft.purview/accounts/sentinel-bug-bash-southeastasia -d80e74e9-da11-4572-babc-79349f7685cc,"11/1/2021, 4:16:02.253 PM",00000000-0000-0000-0000-000000000000,DataSensitivityLogEvent,72f988bf-86f1-41af-91ab-2d7cd011db47,458b9821-8f00-483f-acf9-ff6ab17332c4,Sentinel-Bug-Bash-SoutheastAsia,southeastasia,AzureFileStorage-uQc,AzureFile,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourceGroups/classification-test/providers/Microsoft.Storage/storageAccounts/aipclptest,458b9821-8f00-483f-acf9-ff6ab17332c4,eastus,BugBashTest,,Acme Background Check-Katana.doc,https://aipclptest.file.core.windows.net/testfiles/testdirectory/Acme Background Check-Katana.doc,File,,"7/17/2020, 10:14:40.000 PM",,"11/1/2021, 4:12:36.920 PM",doc,95232,Labeling,Default,[],0,9fbde396-1a24-4c79-8edf-9254a0f35055,Confidential\Microsoft Extended,,,PurviewDataSensitivityLogs,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourcegroups/purview-sentinel-bug-bash/providers/microsoft.purview/accounts/sentinel-bug-bash-southeastasia -d80e74e9-da11-4572-babc-79349f7685cc,"11/1/2021, 4:16:02.290 PM",00000000-0000-0000-0000-000000000000,DataSensitivityLogEvent,72f988bf-86f1-41af-91ab-2d7cd011db47,458b9821-8f00-483f-acf9-ff6ab17332c4,Sentinel-Bug-Bash-SoutheastAsia,southeastasia,AzureBlob-eXR,AzureBlob,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourceGroups/classification-test/providers/Microsoft.Storage/storageAccounts/aipclptest,458b9821-8f00-483f-acf9-ff6ab17332c4,eastus,BugBashTest,,create samples.xlsx,https://aipclptest.blob.core.windows.net/satintestcontainer/create samples.xlsx,File,"5/12/2021, 6:56:20.000 PM","5/12/2021, 6:56:20.000 PM",,"11/1/2021, 4:12:24.057 PM",xlsx,29140,Labeling,Default,[],0,9fbde396-1a24-4c79-8edf-9254a0f35055,Confidential\Microsoft Extended,,,PurviewDataSensitivityLogs,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourcegroups/purview-sentinel-bug-bash/providers/microsoft.purview/accounts/sentinel-bug-bash-southeastasia -d80e74e9-da11-4572-babc-79349f7685cc,"11/1/2021, 4:16:02.352 PM",00000000-0000-0000-0000-000000000000,DataSensitivityLogEvent,72f988bf-86f1-41af-91ab-2d7cd011db47,458b9821-8f00-483f-acf9-ff6ab17332c4,Sentinel-Bug-Bash-SoutheastAsia,southeastasia,AzureBlob-eXR,AzureBlob,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourceGroups/classification-test/providers/Microsoft.Storage/storageAccounts/aipclptest,458b9821-8f00-483f-acf9-ff6ab17332c4,eastus,BugBashTest,,Customers registration form.docx,https://aipclptest.blob.core.windows.net/aipscan/CustomerData/Customers registration form.docx,File,"2/13/2020, 7:53:51.000 PM","2/13/2020, 7:53:51.000 PM",,"11/1/2021, 4:12:26.260 PM",docx,17409,Labeling,Default,[],0,9fbde396-1a24-4c79-8edf-9254a0f35055,Confidential\Microsoft Extended,,,PurviewDataSensitivityLogs,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourcegroups/purview-sentinel-bug-bash/providers/microsoft.purview/accounts/sentinel-bug-bash-southeastasia -d80e74e9-da11-4572-babc-79349f7685cc,"11/1/2021, 4:16:02.416 PM",00000000-0000-0000-0000-000000000000,DataSensitivityLogEvent,72f988bf-86f1-41af-91ab-2d7cd011db47,458b9821-8f00-483f-acf9-ff6ab17332c4,Sentinel-Bug-Bash-SoutheastAsia,southeastasia,AzureBlob-eXR,AzureBlob,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourceGroups/classification-test/providers/Microsoft.Storage/storageAccounts/aipclptest,458b9821-8f00-483f-acf9-ff6ab17332c4,eastus,BugBashTest,,germany.txt,https://aipclptest.blob.core.windows.net/test2/germany.txt,File,"5/13/2021, 6:37:48.000 PM","5/13/2021, 6:37:48.000 PM",,"11/1/2021, 4:12:15.238 PM",txt,42,Labeling,Default,[],0,9fbde396-1a24-4c79-8edf-9254a0f35055,Confidential\Microsoft Extended,,,PurviewDataSensitivityLogs,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourcegroups/purview-sentinel-bug-bash/providers/microsoft.purview/accounts/sentinel-bug-bash-southeastasia -d80e74e9-da11-4572-babc-79349f7685cc,"11/1/2021, 4:16:02.431 PM",00000000-0000-0000-0000-000000000000,DataSensitivityLogEvent,72f988bf-86f1-41af-91ab-2d7cd011db47,458b9821-8f00-483f-acf9-ff6ab17332c4,Sentinel-Bug-Bash-SoutheastAsia,southeastasia,AzureBlob-eXR,AzureBlob,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourceGroups/classification-test/providers/Microsoft.Storage/storageAccounts/aipclptest,458b9821-8f00-483f-acf9-ff6ab17332c4,eastus,BugBashTest,,Acme Parking Form.doc,https://aipclptest.blob.core.windows.net/aipscan/CredScan/Acme Parking Form.doc,File,"2/13/2020, 7:53:39.000 PM","2/13/2020, 7:53:39.000 PM",,"11/1/2021, 4:12:31.813 PM",doc,61952,Labeling,Default,[],0,9fbde396-1a24-4c79-8edf-9254a0f35055,Confidential\Microsoft Extended,,,PurviewDataSensitivityLogs,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourcegroups/purview-sentinel-bug-bash/providers/microsoft.purview/accounts/sentinel-bug-bash-southeastasia -d80e74e9-da11-4572-babc-79349f7685cc,"11/1/2021, 4:16:02.437 PM",00000000-0000-0000-0000-000000000000,DataSensitivityLogEvent,72f988bf-86f1-41af-91ab-2d7cd011db47,458b9821-8f00-483f-acf9-ff6ab17332c4,Sentinel-Bug-Bash-SoutheastAsia,southeastasia,AzureBlob-eXR,AzureBlob,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourceGroups/classification-test/providers/Microsoft.Storage/storageAccounts/aipclptest,458b9821-8f00-483f-acf9-ff6ab17332c4,eastus,BugBashTest,,denmark.txt,https://aipclptest.blob.core.windows.net/aipscan/HR/denmark.txt,File,"2/13/2020, 7:54:12.000 PM","2/13/2020, 7:54:12.000 PM",,"11/1/2021, 4:12:34.875 PM",txt,128,Labeling,Default,[],0,9fbde396-1a24-4c79-8edf-9254a0f35055,Confidential\Microsoft Extended,,,PurviewDataSensitivityLogs,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourcegroups/purview-sentinel-bug-bash/providers/microsoft.purview/accounts/sentinel-bug-bash-southeastasia -d80e74e9-da11-4572-babc-79349f7685cc,"11/1/2021, 4:16:02.452 PM",00000000-0000-0000-0000-000000000000,DataSensitivityLogEvent,72f988bf-86f1-41af-91ab-2d7cd011db47,458b9821-8f00-483f-acf9-ff6ab17332c4,Sentinel-Bug-Bash-SoutheastAsia,southeastasia,AzureFileStorage-uQc,AzureFile,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourceGroups/classification-test/providers/Microsoft.Storage/storageAccounts/aipclptest,458b9821-8f00-483f-acf9-ff6ab17332c4,eastus,BugBashTest,,Acme Background Check-Katana.doc,https://aipclptest.file.core.windows.net/testfiles/testdirectory2/Acme Background Check-Katana.doc,File,,"7/20/2020, 11:20:10.000 PM",,"11/1/2021, 4:12:50.395 PM",doc,95232,Labeling,Default,[],0,9fbde396-1a24-4c79-8edf-9254a0f35055,Confidential\Microsoft Extended,,,PurviewDataSensitivityLogs,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourcegroups/purview-sentinel-bug-bash/providers/microsoft.purview/accounts/sentinel-bug-bash-southeastasia -d80e74e9-da11-4572-babc-79349f7685cc,"11/1/2021, 4:16:02.461 PM",00000000-0000-0000-0000-000000000000,DataSensitivityLogEvent,72f988bf-86f1-41af-91ab-2d7cd011db47,458b9821-8f00-483f-acf9-ff6ab17332c4,Sentinel-Bug-Bash-SoutheastAsia,southeastasia,AzureBlob-eXR,AzureBlob,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourceGroups/classification-test/providers/Microsoft.Storage/storageAccounts/aipclptest,458b9821-8f00-483f-acf9-ff6ab17332c4,eastus,BugBashTest,,es-ssn.docx,https://aipclptest.blob.core.windows.net/satintestcontainer/es-ssn.docx,File,"5/12/2021, 6:56:19.000 PM","5/12/2021, 6:56:19.000 PM",,"11/1/2021, 4:12:25.089 PM",docx,26070,Labeling,Default,[],0,9fbde396-1a24-4c79-8edf-9254a0f35055,Confidential\Microsoft Extended,,,PurviewDataSensitivityLogs,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourcegroups/purview-sentinel-bug-bash/providers/microsoft.purview/accounts/sentinel-bug-bash-southeastasia -d80e74e9-da11-4572-babc-79349f7685cc,"11/1/2021, 4:16:02.464 PM",00000000-0000-0000-0000-000000000000,DataSensitivityLogEvent,72f988bf-86f1-41af-91ab-2d7cd011db47,458b9821-8f00-483f-acf9-ff6ab17332c4,Sentinel-Bug-Bash-SoutheastAsia,southeastasia,AzureBlob-eXR,AzureBlob,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourceGroups/classification-test/providers/Microsoft.Storage/storageAccounts/aipclptest,458b9821-8f00-483f-acf9-ff6ab17332c4,eastus,BugBashTest,,uk-pn.docx,https://aipclptest.blob.core.windows.net/joselw-test/uk-pn.docx,File,"8/16/2021, 8:56:13.000 PM","8/16/2021, 8:56:13.000 PM",,"11/1/2021, 4:12:31.553 PM",docx,19860,Labeling,Default,[],0,9fbde396-1a24-4c79-8edf-9254a0f35055,Confidential\Microsoft Extended,,,PurviewDataSensitivityLogs,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourcegroups/purview-sentinel-bug-bash/providers/microsoft.purview/accounts/sentinel-bug-bash-southeastasia -d80e74e9-da11-4572-babc-79349f7685cc,"11/1/2021, 4:16:02.479 PM",00000000-0000-0000-0000-000000000000,DataSensitivityLogEvent,72f988bf-86f1-41af-91ab-2d7cd011db47,458b9821-8f00-483f-acf9-ff6ab17332c4,Sentinel-Bug-Bash-SoutheastAsia,southeastasia,AzureBlob-eXR,AzureBlob,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourceGroups/classification-test/providers/Microsoft.Storage/storageAccounts/aipclptest,458b9821-8f00-483f-acf9-ff6ab17332c4,eastus,BugBashTest,,uk-drv.docx,https://aipclptest.blob.core.windows.net/joselw-test/uk-drv.docx,File,"8/16/2021, 8:56:13.000 PM","8/16/2021, 8:56:13.000 PM",,"11/1/2021, 4:12:31.490 PM",docx,21051,Labeling,External,[],0,f42aa342-8706-4288-bd11-ebb85995028c,General,,,PurviewDataSensitivityLogs,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourcegroups/purview-sentinel-bug-bash/providers/microsoft.purview/accounts/sentinel-bug-bash-southeastasia -d80e74e9-da11-4572-babc-79349f7685cc,"11/1/2021, 4:16:02.480 PM",00000000-0000-0000-0000-000000000000,DataSensitivityLogEvent,72f988bf-86f1-41af-91ab-2d7cd011db47,458b9821-8f00-483f-acf9-ff6ab17332c4,Sentinel-Bug-Bash-SoutheastAsia,southeastasia,AzureBlob-eXR,AzureBlob,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourceGroups/classification-test/providers/Microsoft.Storage/storageAccounts/aipclptest,458b9821-8f00-483f-acf9-ff6ab17332c4,eastus,BugBashTest,,EL.txt,https://aipclptest.blob.core.windows.net/test2/EL.txt,File,"5/13/2021, 6:37:48.000 PM","5/13/2021, 6:37:48.000 PM",,"11/1/2021, 4:12:15.957 PM",txt,200,Classification,System,"[""EU National Identification Number"",""Greece National ID Card""]",2,,,,,PurviewDataSensitivityLogs,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourcegroups/purview-sentinel-bug-bash/providers/microsoft.purview/accounts/sentinel-bug-bash-southeastasia -d80e74e9-da11-4572-babc-79349f7685cc,"11/1/2021, 4:16:02.487 PM",00000000-0000-0000-0000-000000000000,DataSensitivityLogEvent,72f988bf-86f1-41af-91ab-2d7cd011db47,458b9821-8f00-483f-acf9-ff6ab17332c4,Sentinel-Bug-Bash-SoutheastAsia,southeastasia,AzureBlob-eXR,AzureBlob,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourceGroups/classification-test/providers/Microsoft.Storage/storageAccounts/aipclptest,458b9821-8f00-483f-acf9-ff6ab17332c4,eastus,BugBashTest,,es-ssn.docx,https://aipclptest.blob.core.windows.net/test2/es-ssn.docx,File,"5/13/2021, 6:37:48.000 PM","5/13/2021, 6:37:48.000 PM",,"11/1/2021, 4:12:16.457 PM",docx,26070,Classification,System,"[""Spain Social Security Number (SSN)""]",1,,,,,PurviewDataSensitivityLogs,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourcegroups/purview-sentinel-bug-bash/providers/microsoft.purview/accounts/sentinel-bug-bash-southeastasia -d80e74e9-da11-4572-babc-79349f7685cc,"11/1/2021, 4:16:02.493 PM",00000000-0000-0000-0000-000000000000,DataSensitivityLogEvent,72f988bf-86f1-41af-91ab-2d7cd011db47,458b9821-8f00-483f-acf9-ff6ab17332c4,Sentinel-Bug-Bash-SoutheastAsia,southeastasia,AzureBlob-eXR,AzureBlob,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourceGroups/classification-test/providers/Microsoft.Storage/storageAccounts/aipclptest,458b9821-8f00-483f-acf9-ff6ab17332c4,eastus,BugBashTest,,it-drv.docx,https://aipclptest.blob.core.windows.net/test2/it-drv.docx,File,"5/13/2021, 6:37:49.000 PM","5/13/2021, 6:37:49.000 PM",,"11/1/2021, 4:12:16.472 PM",docx,26098,Classification,System,"[""EU Driver's License Number"",""Italy Driver's License Number""]",2,,,,,PurviewDataSensitivityLogs,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourcegroups/purview-sentinel-bug-bash/providers/microsoft.purview/accounts/sentinel-bug-bash-southeastasia -d80e74e9-da11-4572-babc-79349f7685cc,"11/1/2021, 4:16:02.499 PM",00000000-0000-0000-0000-000000000000,DataSensitivityLogEvent,72f988bf-86f1-41af-91ab-2d7cd011db47,458b9821-8f00-483f-acf9-ff6ab17332c4,Sentinel-Bug-Bash-SoutheastAsia,southeastasia,AzureBlob-eXR,AzureBlob,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourceGroups/classification-test/providers/Microsoft.Storage/storageAccounts/aipclptest,458b9821-8f00-483f-acf9-ff6ab17332c4,eastus,BugBashTest,,cr-oib.docx,https://aipclptest.blob.core.windows.net/test2/cr-oib.docx,File,"5/13/2021, 6:37:49.000 PM","5/13/2021, 6:37:49.000 PM",,"11/1/2021, 4:12:15.972 PM",docx,26098,Classification,System,"[""EU National Identification Number""]",1,,,,,PurviewDataSensitivityLogs,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourcegroups/purview-sentinel-bug-bash/providers/microsoft.purview/accounts/sentinel-bug-bash-southeastasia -d80e74e9-da11-4572-babc-79349f7685cc,"11/1/2021, 4:16:02.504 PM",00000000-0000-0000-0000-000000000000,DataSensitivityLogEvent,72f988bf-86f1-41af-91ab-2d7cd011db47,458b9821-8f00-483f-acf9-ff6ab17332c4,Sentinel-Bug-Bash-SoutheastAsia,southeastasia,AzureBlob-eXR,AzureBlob,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourceGroups/classification-test/providers/Microsoft.Storage/storageAccounts/aipclptest,458b9821-8f00-483f-acf9-ff6ab17332c4,eastus,BugBashTest,,cz-id.docx,https://aipclptest.blob.core.windows.net/aashishr01/cz-id.docx,File,"12/11/2020, 8:59:35.000 PM","12/11/2020, 8:59:35.000 PM",,"11/1/2021, 4:12:17.425 PM",docx,26105,Classification,System,"[""EU National Identification Number"",""EU Social Security Number (SSN) or Equivalent ID""]",2,,,,,PurviewDataSensitivityLogs,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourcegroups/purview-sentinel-bug-bash/providers/microsoft.purview/accounts/sentinel-bug-bash-southeastasia -d80e74e9-da11-4572-babc-79349f7685cc,"11/1/2021, 4:16:02.508 PM",00000000-0000-0000-0000-000000000000,DataSensitivityLogEvent,72f988bf-86f1-41af-91ab-2d7cd011db47,458b9821-8f00-483f-acf9-ff6ab17332c4,Sentinel-Bug-Bash-SoutheastAsia,southeastasia,AzureFileStorage-uQc,AzureFile,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourceGroups/classification-test/providers/Microsoft.Storage/storageAccounts/aipclptest,458b9821-8f00-483f-acf9-ff6ab17332c4,eastus,BugBashTest,,YiChenTest-Acme Background Check-Katana.doc,https://aipclptest.file.core.windows.net/testfiles/YichenTest/YiChenTest-Acme Background Check-Katana.doc,File,,"8/5/2021, 6:40:07.000 PM",,"11/1/2021, 4:12:50.379 PM",doc,90624,Labeling,Default,[],0,9fbde396-1a24-4c79-8edf-9254a0f35055,Confidential\Microsoft Extended,,,PurviewDataSensitivityLogs,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourcegroups/purview-sentinel-bug-bash/providers/microsoft.purview/accounts/sentinel-bug-bash-southeastasia -d80e74e9-da11-4572-babc-79349f7685cc,"11/1/2021, 4:16:02.510 PM",00000000-0000-0000-0000-000000000000,DataSensitivityLogEvent,72f988bf-86f1-41af-91ab-2d7cd011db47,458b9821-8f00-483f-acf9-ff6ab17332c4,Sentinel-Bug-Bash-SoutheastAsia,southeastasia,AzureBlob-eXR,AzureBlob,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourceGroups/classification-test/providers/Microsoft.Storage/storageAccounts/aipclptest,458b9821-8f00-483f-acf9-ff6ab17332c4,eastus,BugBashTest,,es-ssn.docx,https://aipclptest.blob.core.windows.net/aashishr01/es-ssn.docx,File,"12/11/2020, 8:59:35.000 PM","12/11/2020, 8:59:35.000 PM",,"11/1/2021, 4:12:17.425 PM",docx,26070,Classification,System,"[""Spain Social Security Number (SSN)""]",1,,,,,PurviewDataSensitivityLogs,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourcegroups/purview-sentinel-bug-bash/providers/microsoft.purview/accounts/sentinel-bug-bash-southeastasia -d80e74e9-da11-4572-babc-79349f7685cc,"11/1/2021, 4:16:02.511 PM",00000000-0000-0000-0000-000000000000,DataSensitivityLogEvent,72f988bf-86f1-41af-91ab-2d7cd011db47,458b9821-8f00-483f-acf9-ff6ab17332c4,Sentinel-Bug-Bash-SoutheastAsia,southeastasia,AzureFileStorage-uQc,AzureFile,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourceGroups/classification-test/providers/Microsoft.Storage/storageAccounts/aipclptest,458b9821-8f00-483f-acf9-ff6ab17332c4,eastus,BugBashTest,,Acme Background Check-Katana.doc,https://aipclptest.file.core.windows.net/testfiles/YichenTest/Acme Background Check-Katana.doc,File,,"8/5/2021, 6:28:20.000 PM",,"11/1/2021, 4:12:50.395 PM",doc,90624,Labeling,Default,[],0,9fbde396-1a24-4c79-8edf-9254a0f35055,Confidential\Microsoft Extended,,,PurviewDataSensitivityLogs,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourcegroups/purview-sentinel-bug-bash/providers/microsoft.purview/accounts/sentinel-bug-bash-southeastasia -d80e74e9-da11-4572-babc-79349f7685cc,"11/1/2021, 4:16:02.515 PM",00000000-0000-0000-0000-000000000000,DataSensitivityLogEvent,72f988bf-86f1-41af-91ab-2d7cd011db47,458b9821-8f00-483f-acf9-ff6ab17332c4,Sentinel-Bug-Bash-SoutheastAsia,southeastasia,AzureBlob-eXR,AzureBlob,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourceGroups/classification-test/providers/Microsoft.Storage/storageAccounts/aipclptest,458b9821-8f00-483f-acf9-ff6ab17332c4,eastus,BugBashTest,,Acme Background Check-Katana.doc,https://aipclptest.blob.core.windows.net/satintestcontainer/test1/Acme Background Check-Katana.doc,File,"2/16/2021, 9:12:17.000 AM","2/16/2021, 9:12:17.000 AM",,"11/1/2021, 4:12:48.825 PM",doc,90624,Classification,System,"[""Credit Card Number"",""U.S. Social Security Number (SSN)""]",2,,,,,PurviewDataSensitivityLogs,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourcegroups/purview-sentinel-bug-bash/providers/microsoft.purview/accounts/sentinel-bug-bash-southeastasia -d80e74e9-da11-4572-babc-79349f7685cc,"11/1/2021, 4:16:02.521 PM",00000000-0000-0000-0000-000000000000,DataSensitivityLogEvent,72f988bf-86f1-41af-91ab-2d7cd011db47,458b9821-8f00-483f-acf9-ff6ab17332c4,Sentinel-Bug-Bash-SoutheastAsia,southeastasia,AzureBlob-eXR,AzureBlob,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourceGroups/classification-test/providers/Microsoft.Storage/storageAccounts/aipclptest,458b9821-8f00-483f-acf9-ff6ab17332c4,eastus,BugBashTest,,Acme Background Check-Katana.doc,https://aipclptest.blob.core.windows.net/satintestcontainer/test2/Acme Background Check-Katana.doc,File,"2/16/2021, 9:34:47.000 AM","2/16/2021, 9:34:47.000 AM",,"11/1/2021, 4:12:48.591 PM",doc,90624,Classification,System,"[""Credit Card Number"",""U.S. Social Security Number (SSN)""]",2,,,,,PurviewDataSensitivityLogs,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourcegroups/purview-sentinel-bug-bash/providers/microsoft.purview/accounts/sentinel-bug-bash-southeastasia -d80e74e9-da11-4572-babc-79349f7685cc,"11/1/2021, 4:16:02.527 PM",00000000-0000-0000-0000-000000000000,DataSensitivityLogEvent,72f988bf-86f1-41af-91ab-2d7cd011db47,458b9821-8f00-483f-acf9-ff6ab17332c4,Sentinel-Bug-Bash-SoutheastAsia,southeastasia,AzureBlob-eXR,AzureBlob,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourceGroups/classification-test/providers/Microsoft.Storage/storageAccounts/aipclptest,458b9821-8f00-483f-acf9-ff6ab17332c4,eastus,BugBashTest,,Doc with credit cards.docx,https://aipclptest.blob.core.windows.net/test2/Doc with credit cards.docx,File,"5/13/2021, 6:37:49.000 PM","5/13/2021, 6:37:49.000 PM",,"11/1/2021, 4:12:16.722 PM",docx,14003,Classification,System,"[""Credit Card Number"",""EU Debit Card Number""]",2,,,,,PurviewDataSensitivityLogs,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourcegroups/purview-sentinel-bug-bash/providers/microsoft.purview/accounts/sentinel-bug-bash-southeastasia -d80e74e9-da11-4572-babc-79349f7685cc,"11/1/2021, 4:16:02.527 PM",00000000-0000-0000-0000-000000000000,DataSensitivityLogEvent,72f988bf-86f1-41af-91ab-2d7cd011db47,458b9821-8f00-483f-acf9-ff6ab17332c4,Sentinel-Bug-Bash-SoutheastAsia,southeastasia,AzureBlob-eXR,AzureBlob,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourceGroups/classification-test/providers/Microsoft.Storage/storageAccounts/aipclptest,458b9821-8f00-483f-acf9-ff6ab17332c4,eastus,BugBashTest,,Doc with credit cards.docx,https://aipclptest.blob.core.windows.net/test2/Doc with credit cards.docx,File,"5/13/2021, 6:37:49.000 PM","5/13/2021, 6:37:49.000 PM",,"11/1/2021, 4:12:16.722 PM",docx,14003,Labeling,External,[],0,f42aa342-8706-4288-bd11-ebb85995028c,General,,,PurviewDataSensitivityLogs,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourcegroups/purview-sentinel-bug-bash/providers/microsoft.purview/accounts/sentinel-bug-bash-southeastasia -d80e74e9-da11-4572-babc-79349f7685cc,"11/1/2021, 4:16:02.527 PM",00000000-0000-0000-0000-000000000000,DataSensitivityLogEvent,72f988bf-86f1-41af-91ab-2d7cd011db47,458b9821-8f00-483f-acf9-ff6ab17332c4,Sentinel-Bug-Bash-SoutheastAsia,southeastasia,AzureBlob-eXR,AzureBlob,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourceGroups/classification-test/providers/Microsoft.Storage/storageAccounts/aipclptest,458b9821-8f00-483f-acf9-ff6ab17332c4,eastus,BugBashTest,,fr-drv.docx,https://aipclptest.blob.core.windows.net/aashishr01/fr-drv.docx,File,"12/11/2020, 8:59:33.000 PM","12/11/2020, 8:59:33.000 PM",,"11/1/2021, 4:12:16.941 PM",docx,26094,Classification,System,"[""Cyprus Driver's License Number"",""EU Driver's License Number"",""France Driver's License Number"",""Japan Driver's License Number""]",4,,,,,PurviewDataSensitivityLogs,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourcegroups/purview-sentinel-bug-bash/providers/microsoft.purview/accounts/sentinel-bug-bash-southeastasia -d80e74e9-da11-4572-babc-79349f7685cc,"11/1/2021, 4:16:02.538 PM",00000000-0000-0000-0000-000000000000,DataSensitivityLogEvent,72f988bf-86f1-41af-91ab-2d7cd011db47,458b9821-8f00-483f-acf9-ff6ab17332c4,Sentinel-Bug-Bash-SoutheastAsia,southeastasia,AzureBlob-eXR,AzureBlob,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourceGroups/classification-test/providers/Microsoft.Storage/storageAccounts/aipclptest,458b9821-8f00-483f-acf9-ff6ab17332c4,eastus,BugBashTest,,Acme Background Check-Katana.doc,https://aipclptest.blob.core.windows.net/joselw-test/Acme Background Check-Katana.doc,File,"8/16/2021, 8:56:15.000 PM","8/16/2021, 8:56:15.000 PM",,"11/1/2021, 4:12:31.021 PM",doc,90624,Labeling,Default,[],0,9fbde396-1a24-4c79-8edf-9254a0f35055,Confidential\Microsoft Extended,,,PurviewDataSensitivityLogs,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourcegroups/purview-sentinel-bug-bash/providers/microsoft.purview/accounts/sentinel-bug-bash-southeastasia -d80e74e9-da11-4572-babc-79349f7685cc,"11/1/2021, 4:16:02.622 PM",00000000-0000-0000-0000-000000000000,DataSensitivityLogEvent,72f988bf-86f1-41af-91ab-2d7cd011db47,458b9821-8f00-483f-acf9-ff6ab17332c4,Sentinel-Bug-Bash-SoutheastAsia,southeastasia,AzureBlob-eXR,AzureBlob,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourceGroups/classification-test/providers/Microsoft.Storage/storageAccounts/aipclptest,458b9821-8f00-483f-acf9-ff6ab17332c4,eastus,BugBashTest,,Customers data2018.docx,https://aipclptest.blob.core.windows.net/aipscan/CustomerData/Customers data2018.docx,File,"2/13/2020, 7:53:51.000 PM","2/13/2020, 7:53:51.000 PM",,"11/1/2021, 4:12:26.245 PM",docx,16830,Labeling,Default,[],0,9fbde396-1a24-4c79-8edf-9254a0f35055,Confidential\Microsoft Extended,,,PurviewDataSensitivityLogs,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourcegroups/purview-sentinel-bug-bash/providers/microsoft.purview/accounts/sentinel-bug-bash-southeastasia -d80e74e9-da11-4572-babc-79349f7685cc,"11/1/2021, 4:16:02.663 PM",00000000-0000-0000-0000-000000000000,DataSensitivityLogEvent,72f988bf-86f1-41af-91ab-2d7cd011db47,458b9821-8f00-483f-acf9-ff6ab17332c4,Sentinel-Bug-Bash-SoutheastAsia,southeastasia,AzureBlob-eXR,AzureBlob,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourceGroups/classification-test/providers/Microsoft.Storage/storageAccounts/aipclptest,458b9821-8f00-483f-acf9-ff6ab17332c4,eastus,BugBashTest,,denmark.txt,https://aipclptest.blob.core.windows.net/test2/denmark.txt,File,"5/13/2021, 6:37:49.000 PM","5/13/2021, 6:37:49.000 PM",,"11/1/2021, 4:12:15.300 PM",txt,128,Labeling,Default,[],0,9fbde396-1a24-4c79-8edf-9254a0f35055,Confidential\Microsoft Extended,,,PurviewDataSensitivityLogs,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourcegroups/purview-sentinel-bug-bash/providers/microsoft.purview/accounts/sentinel-bug-bash-southeastasia -d80e74e9-da11-4572-babc-79349f7685cc,"11/1/2021, 4:16:02.759 PM",00000000-0000-0000-0000-000000000000,DataSensitivityLogEvent,72f988bf-86f1-41af-91ab-2d7cd011db47,458b9821-8f00-483f-acf9-ff6ab17332c4,Sentinel-Bug-Bash-SoutheastAsia,southeastasia,AzureBlob-eXR,AzureBlob,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourceGroups/classification-test/providers/Microsoft.Storage/storageAccounts/aipclptest,458b9821-8f00-483f-acf9-ff6ab17332c4,eastus,BugBashTest,,Charges.docx,https://aipclptest.blob.core.windows.net/aipscan/Finance/Charges.docx,File,"2/13/2020, 7:54:02.000 PM","2/13/2020, 7:54:02.000 PM",,"11/1/2021, 4:12:27.885 PM",docx,20166,Labeling,Default,[],0,9fbde396-1a24-4c79-8edf-9254a0f35055,Confidential\Microsoft Extended,,,PurviewDataSensitivityLogs,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourcegroups/purview-sentinel-bug-bash/providers/microsoft.purview/accounts/sentinel-bug-bash-southeastasia -d80e74e9-da11-4572-babc-79349f7685cc,"11/1/2021, 4:16:02.791 PM",00000000-0000-0000-0000-000000000000,DataSensitivityLogEvent,72f988bf-86f1-41af-91ab-2d7cd011db47,458b9821-8f00-483f-acf9-ff6ab17332c4,Sentinel-Bug-Bash-SoutheastAsia,southeastasia,AzureBlob-eXR,AzureBlob,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourceGroups/classification-test/providers/Microsoft.Storage/storageAccounts/aipclptest,458b9821-8f00-483f-acf9-ff6ab17332c4,eastus,BugBashTest,,create samples.xlsx,https://aipclptest.blob.core.windows.net/test2/create samples.xlsx,File,"5/13/2021, 6:37:49.000 PM","5/13/2021, 6:37:49.000 PM",,"11/1/2021, 4:12:15.863 PM",xlsx,29140,Labeling,Default,[],0,9fbde396-1a24-4c79-8edf-9254a0f35055,Confidential\Microsoft Extended,,,PurviewDataSensitivityLogs,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourcegroups/purview-sentinel-bug-bash/providers/microsoft.purview/accounts/sentinel-bug-bash-southeastasia -d80e74e9-da11-4572-babc-79349f7685cc,"11/1/2021, 4:16:02.923 PM",00000000-0000-0000-0000-000000000000,DataSensitivityLogEvent,72f988bf-86f1-41af-91ab-2d7cd011db47,458b9821-8f00-483f-acf9-ff6ab17332c4,Sentinel-Bug-Bash-SoutheastAsia,southeastasia,AzureBlob-eXR,AzureBlob,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourceGroups/classification-test/providers/Microsoft.Storage/storageAccounts/aipclptest,458b9821-8f00-483f-acf9-ff6ab17332c4,eastus,BugBashTest,,uk-drv.docx,https://aipclptest.blob.core.windows.net/aashishr01/uk-drv.docx,File,"12/11/2020, 8:59:35.000 PM","12/11/2020, 8:59:35.000 PM",,"11/1/2021, 4:12:22.225 PM",docx,26212,Labeling,Default,[],0,9fbde396-1a24-4c79-8edf-9254a0f35055,Confidential\Microsoft Extended,,,PurviewDataSensitivityLogs,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourcegroups/purview-sentinel-bug-bash/providers/microsoft.purview/accounts/sentinel-bug-bash-southeastasia -d80e74e9-da11-4572-babc-79349f7685cc,"11/1/2021, 4:16:02.928 PM",00000000-0000-0000-0000-000000000000,DataSensitivityLogEvent,72f988bf-86f1-41af-91ab-2d7cd011db47,458b9821-8f00-483f-acf9-ff6ab17332c4,Sentinel-Bug-Bash-SoutheastAsia,southeastasia,AzureBlob-eXR,AzureBlob,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourceGroups/classification-test/providers/Microsoft.Storage/storageAccounts/aipclptest,458b9821-8f00-483f-acf9-ff6ab17332c4,eastus,BugBashTest,,fr-cni.docx,https://aipclptest.blob.core.windows.net/aashishr01/fr-cni.docx,File,"12/11/2020, 8:59:33.000 PM","12/11/2020, 8:59:33.000 PM",,"11/1/2021, 4:12:21.756 PM",docx,26998,Labeling,External,[],0,f42aa342-8706-4288-bd11-ebb85995028c,General,,,PurviewDataSensitivityLogs,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourcegroups/purview-sentinel-bug-bash/providers/microsoft.purview/accounts/sentinel-bug-bash-southeastasia -d80e74e9-da11-4572-babc-79349f7685cc,"11/1/2021, 4:16:02.929 PM",00000000-0000-0000-0000-000000000000,DataSensitivityLogEvent,72f988bf-86f1-41af-91ab-2d7cd011db47,458b9821-8f00-483f-acf9-ff6ab17332c4,Sentinel-Bug-Bash-SoutheastAsia,southeastasia,AzureBlob-eXR,AzureBlob,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourceGroups/classification-test/providers/Microsoft.Storage/storageAccounts/aipclptest,458b9821-8f00-483f-acf9-ff6ab17332c4,eastus,BugBashTest,,pr-id.docx,https://aipclptest.blob.core.windows.net/aashishr01/pr-id.docx,File,"12/11/2020, 8:59:33.000 PM","12/11/2020, 8:59:33.000 PM",,"11/1/2021, 4:12:22.725 PM",docx,26111,Classification,System,"[""EU National Identification Number""]",1,,,,,PurviewDataSensitivityLogs,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourcegroups/purview-sentinel-bug-bash/providers/microsoft.purview/accounts/sentinel-bug-bash-southeastasia -d80e74e9-da11-4572-babc-79349f7685cc,"11/1/2021, 4:16:02.935 PM",00000000-0000-0000-0000-000000000000,DataSensitivityLogEvent,72f988bf-86f1-41af-91ab-2d7cd011db47,458b9821-8f00-483f-acf9-ff6ab17332c4,Sentinel-Bug-Bash-SoutheastAsia,southeastasia,AzureBlob-eXR,AzureBlob,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourceGroups/classification-test/providers/Microsoft.Storage/storageAccounts/aipclptest,458b9821-8f00-483f-acf9-ff6ab17332c4,eastus,BugBashTest,,sw-id.docx,https://aipclptest.blob.core.windows.net/aashishr01/sw-id.docx,File,"12/11/2020, 8:59:35.000 PM","12/11/2020, 8:59:35.000 PM",,"11/1/2021, 4:12:22.772 PM",docx,26070,Classification,System,"[""EU Social Security Number (SSN) or Equivalent ID"",""EU Tax Identification Number (TIN)""]",2,,,,,PurviewDataSensitivityLogs,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourcegroups/purview-sentinel-bug-bash/providers/microsoft.purview/accounts/sentinel-bug-bash-southeastasia -d80e74e9-da11-4572-babc-79349f7685cc,"11/1/2021, 4:16:02.937 PM",00000000-0000-0000-0000-000000000000,DataSensitivityLogEvent,72f988bf-86f1-41af-91ab-2d7cd011db47,458b9821-8f00-483f-acf9-ff6ab17332c4,Sentinel-Bug-Bash-SoutheastAsia,southeastasia,AzureBlob-eXR,AzureBlob,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourceGroups/classification-test/providers/Microsoft.Storage/storageAccounts/aipclptest,458b9821-8f00-483f-acf9-ff6ab17332c4,eastus,BugBashTest,,dk-id.docx,https://aipclptest.blob.core.windows.net/aashishr01/dk-id.docx,File,"12/11/2020, 8:59:35.000 PM","12/11/2020, 8:59:35.000 PM",,"11/1/2021, 4:12:21.756 PM",docx,26098,Labeling,Default,[],0,9fbde396-1a24-4c79-8edf-9254a0f35055,Confidential\Microsoft Extended,,,PurviewDataSensitivityLogs,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourcegroups/purview-sentinel-bug-bash/providers/microsoft.purview/accounts/sentinel-bug-bash-southeastasia -d80e74e9-da11-4572-babc-79349f7685cc,"11/1/2021, 4:16:02.941 PM",00000000-0000-0000-0000-000000000000,DataSensitivityLogEvent,72f988bf-86f1-41af-91ab-2d7cd011db47,458b9821-8f00-483f-acf9-ff6ab17332c4,Sentinel-Bug-Bash-SoutheastAsia,southeastasia,AzureBlob-eXR,AzureBlob,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourceGroups/classification-test/providers/Microsoft.Storage/storageAccounts/aipclptest,458b9821-8f00-483f-acf9-ff6ab17332c4,eastus,BugBashTest,,cr-oib.docx,https://aipclptest.blob.core.windows.net/aashishr01/cr-oib.docx,File,"12/11/2020, 8:59:35.000 PM","12/11/2020, 8:59:35.000 PM",,"11/1/2021, 4:12:20.772 PM",docx,26098,Classification,System,"[""EU National Identification Number""]",1,,,,,PurviewDataSensitivityLogs,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourcegroups/purview-sentinel-bug-bash/providers/microsoft.purview/accounts/sentinel-bug-bash-southeastasia -d80e74e9-da11-4572-babc-79349f7685cc,"11/1/2021, 4:16:02.948 PM",00000000-0000-0000-0000-000000000000,DataSensitivityLogEvent,72f988bf-86f1-41af-91ab-2d7cd011db47,458b9821-8f00-483f-acf9-ff6ab17332c4,Sentinel-Bug-Bash-SoutheastAsia,southeastasia,AzureBlob-eXR,AzureBlob,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourceGroups/classification-test/providers/Microsoft.Storage/storageAccounts/aipclptest,458b9821-8f00-483f-acf9-ff6ab17332c4,eastus,BugBashTest,,uk-roll.docx,https://aipclptest.blob.core.windows.net/aashishr01/uk-roll.docx,File,"12/11/2020, 8:59:35.000 PM","12/11/2020, 8:59:35.000 PM",,"11/1/2021, 4:12:21.006 PM",docx,25511,Classification,System,"[""U.K. Electoral Roll Number""]",1,,,,,PurviewDataSensitivityLogs,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourcegroups/purview-sentinel-bug-bash/providers/microsoft.purview/accounts/sentinel-bug-bash-southeastasia -d80e74e9-da11-4572-babc-79349f7685cc,"11/1/2021, 4:16:02.948 PM",00000000-0000-0000-0000-000000000000,DataSensitivityLogEvent,72f988bf-86f1-41af-91ab-2d7cd011db47,458b9821-8f00-483f-acf9-ff6ab17332c4,Sentinel-Bug-Bash-SoutheastAsia,southeastasia,AzureBlob-eXR,AzureBlob,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourceGroups/classification-test/providers/Microsoft.Storage/storageAccounts/aipclptest,458b9821-8f00-483f-acf9-ff6ab17332c4,eastus,BugBashTest,,pl-id.docx,https://aipclptest.blob.core.windows.net/aashishr01/pl-id.docx,File,"12/11/2020, 8:59:33.000 PM","12/11/2020, 8:59:33.000 PM",,"11/1/2021, 4:12:22.491 PM",docx,26144,Labeling,Default,[],0,9fbde396-1a24-4c79-8edf-9254a0f35055,Confidential\Microsoft Extended,,,PurviewDataSensitivityLogs,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourcegroups/purview-sentinel-bug-bash/providers/microsoft.purview/accounts/sentinel-bug-bash-southeastasia -d80e74e9-da11-4572-babc-79349f7685cc,"11/1/2021, 4:16:02.953 PM",00000000-0000-0000-0000-000000000000,DataSensitivityLogEvent,72f988bf-86f1-41af-91ab-2d7cd011db47,458b9821-8f00-483f-acf9-ff6ab17332c4,Sentinel-Bug-Bash-SoutheastAsia,southeastasia,AzureBlob-eXR,AzureBlob,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourceGroups/classification-test/providers/Microsoft.Storage/storageAccounts/aipclptest,458b9821-8f00-483f-acf9-ff6ab17332c4,eastus,BugBashTest,,customers data.xlsx,https://aipclptest.blob.core.windows.net/aipscan/Change Test/customers data.xlsx,File,"9/1/2020, 8:58:50.000 PM","9/1/2020, 8:58:50.000 PM",,"11/1/2021, 4:12:47.544 PM",xlsx,23325,Classification,System,"[""ABA Routing Number"",""Argentina National Identity (DNI) Number"",""Australia Bank Account Number"",""Australia Driver's License Number"",""Australia Medical Account Number"",""Australia Passport Number"",""Australia Tax File Number"",""Austria Driver's License Number"",""Austria Passport Number"",""Belgium Driver's License Number"",""Belgium Passport Number"",""Brazil CPF Number"",""Brazil Legal Entity Number (CNPJ)"",""Brazil National ID Card (RG)"",""Bulgaria Driver's License Number"",""Bulgaria Passport Number"",""Canada Bank Account Number"",""Canada Driver's License Number"",""Canada Health Service Number"",""Canada Passport Number"",""Canada Personal Health Identification Number (PHIN)"",""Canada Social Insurance Number"",""Chile Identity Card Number"",""China Resident Identity Card (PRC) Number"",""Credit Card Number"",""Croatia Driver's License Number"",""Croatia Passport Number"",""Cyprus Driver's License Number"",""Cyprus Identity Card"",""Czech Personal Identity Number"",""Czech Republic Passport Number"",""Denmark Driver's License Number"",""Denmark Passport Number"",""Denmark Personal Identification Number"",""Estonia Passport Number"",""EU Debit Card Number"",""EU Driver's License Number"",""EU National Identification Number"",""EU Passport Number"",""EU Social Security Number (SSN) or Equivalent ID"",""EU Tax Identification Number (TIN)"",""Finland National ID"",""Finland Passport Number"",""France Driver's License Number"",""France National ID Card (CNI)"",""France Social Security Number (INSEE)"",""German Driver's License Number"",""German Passport Number"",""Germany Identity Card Number"",""Greece Driver's License Number"",""Greece National ID Card"",""Greece Passport Number"",""Hungarian Social Security Number (TAJ)"",""Hungary Passport Number"",""India Permanent Account Number (PAN)"",""India Unique Identification (Aadhaar) Number"",""Indonesia Identity Card (KTP) Number"",""International Banking Account Number (IBAN)"",""IP Address"",""Ireland Passport Number"",""Ireland Personal Public Service (PPS) Number"",""Israel Bank Account Number"",""Israel National ID"",""Italy Driver's License Number"",""Italy Passport Number"",""Japan Bank Account Number"",""Japan Driver's License Number"",""Japan Passport Number"",""Japan Resident Registration Number"",""Japan Social Insurance Number (SIN)"",""Lithuania Driver's License Number"",""Lithuania Passport Number"",""Luxemburg Passport Number"",""Malaysia Identity Card Number"",""Malta Driver's License Number"",""Malta Passport Number"",""Netherlands Driver's License Number"",""Netherlands Passport Number"",""New Zealand Ministry of Health Number"",""Norway Identity Number"",""Philippines Unified Multi-Purpose ID Number"",""Poland Identity Card"",""Romania Driver's License Number"",""Romania Passport Number"",""Russian Passport Number (Domestic)"",""Russian Passport Number (International)"",""Saudi Arabia National ID"",""Singapore National Registration Identity Card (NRIC) Number"",""Slovakia Driver's License Number"",""Slovakia Passport Number"",""Slovakia Personal Number"",""Slovenia Driver's License Number"",""Slovenia Passport Number"",""South Africa Identification Number"",""South Korea Resident Registration Number"",""Spain Social Security Number (SSN)"",""Sweden National ID"",""Sweden Passport Number"",""Sweden Tax Identification Number"",""SWIFT Code"",""Taiwan National ID"",""Taiwan Passport Number"",""Taiwan Resident Certificate (ARC/TARC)"",""U.K. Driver's License Number"",""U.K. Electoral Roll Number"",""U.K. National Health Service Number"",""U.K. National Insurance Number (NINO)"",""U.K. Unique Taxpayer Reference Number"",""U.S. / U.K. Passport Number"",""U.S. Bank Account Number"",""U.S. Individual Taxpayer Identification Number (ITIN)"",""U.S. Social Security Number (SSN)"",""Ukraine Passport Number (Domestic)"",""Ukraine Passport Number (International)""]",114,,,,,PurviewDataSensitivityLogs,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourcegroups/purview-sentinel-bug-bash/providers/microsoft.purview/accounts/sentinel-bug-bash-southeastasia -d80e74e9-da11-4572-babc-79349f7685cc,"11/1/2021, 4:16:02.954 PM",00000000-0000-0000-0000-000000000000,DataSensitivityLogEvent,72f988bf-86f1-41af-91ab-2d7cd011db47,458b9821-8f00-483f-acf9-ff6ab17332c4,Sentinel-Bug-Bash-SoutheastAsia,southeastasia,AzureBlob-eXR,AzureBlob,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourceGroups/classification-test/providers/Microsoft.Storage/storageAccounts/aipclptest,458b9821-8f00-483f-acf9-ff6ab17332c4,eastus,BugBashTest,,uk-pn.docx,https://aipclptest.blob.core.windows.net/aashishr01/uk-pn.docx,File,"12/11/2020, 8:59:35.000 PM","12/11/2020, 8:59:35.000 PM",,"11/1/2021, 4:12:21.991 PM",docx,26383,Classification,System,"[""Bulgaria Passport Number"",""Croatia Passport Number"",""Denmark Passport Number"",""EU Passport Number"",""Ireland Passport Number"",""Italy Passport Number"",""Romania Passport Number"",""Russian Passport Number (International)"",""Taiwan Passport Number"",""U.S. / U.K. Passport Number"",""Ukraine Passport Number (Domestic)""]",11,,,,,PurviewDataSensitivityLogs,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourcegroups/purview-sentinel-bug-bash/providers/microsoft.purview/accounts/sentinel-bug-bash-southeastasia -d80e74e9-da11-4572-babc-79349f7685cc,"11/1/2021, 4:16:02.960 PM",00000000-0000-0000-0000-000000000000,DataSensitivityLogEvent,72f988bf-86f1-41af-91ab-2d7cd011db47,458b9821-8f00-483f-acf9-ff6ab17332c4,Sentinel-Bug-Bash-SoutheastAsia,southeastasia,AzureBlob-eXR,AzureBlob,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourceGroups/classification-test/providers/Microsoft.Storage/storageAccounts/aipclptest,458b9821-8f00-483f-acf9-ff6ab17332c4,eastus,BugBashTest,,pl-id.docx,https://aipclptest.blob.core.windows.net/aipscan/HR/pl-id.docx,File,"2/13/2020, 7:54:12.000 PM","2/13/2020, 7:54:12.000 PM",,"11/1/2021, 4:12:24.475 PM",docx,20206,Classification,System,"[""EU National Identification Number"",""Poland Identity Card""]",2,,,,,PurviewDataSensitivityLogs,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourcegroups/purview-sentinel-bug-bash/providers/microsoft.purview/accounts/sentinel-bug-bash-southeastasia -d80e74e9-da11-4572-babc-79349f7685cc,"11/1/2021, 4:16:02.960 PM",00000000-0000-0000-0000-000000000000,DataSensitivityLogEvent,72f988bf-86f1-41af-91ab-2d7cd011db47,458b9821-8f00-483f-acf9-ff6ab17332c4,Sentinel-Bug-Bash-SoutheastAsia,southeastasia,AzureBlob-eXR,AzureBlob,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourceGroups/classification-test/providers/Microsoft.Storage/storageAccounts/aipclptest,458b9821-8f00-483f-acf9-ff6ab17332c4,eastus,BugBashTest,,pl-id.docx,https://aipclptest.blob.core.windows.net/aipscan/HR/pl-id.docx,File,"2/13/2020, 7:54:12.000 PM","2/13/2020, 7:54:12.000 PM",,"11/1/2021, 4:12:24.475 PM",docx,20206,Labeling,External,[],0,f42aa342-8706-4288-bd11-ebb85995028c,General,,,PurviewDataSensitivityLogs,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourcegroups/purview-sentinel-bug-bash/providers/microsoft.purview/accounts/sentinel-bug-bash-southeastasia -d80e74e9-da11-4572-babc-79349f7685cc,"11/1/2021, 4:16:02.969 PM",00000000-0000-0000-0000-000000000000,DataSensitivityLogEvent,72f988bf-86f1-41af-91ab-2d7cd011db47,458b9821-8f00-483f-acf9-ff6ab17332c4,Sentinel-Bug-Bash-SoutheastAsia,southeastasia,AzureBlob-eXR,AzureBlob,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourceGroups/classification-test/providers/Microsoft.Storage/storageAccounts/aipclptest,458b9821-8f00-483f-acf9-ff6ab17332c4,eastus,BugBashTest,,fi-id.docx,https://aipclptest.blob.core.windows.net/aashishr01/fi-id.docx,File,"12/11/2020, 8:59:33.000 PM","12/11/2020, 8:59:33.000 PM",,"11/1/2021, 4:12:18.394 PM",docx,26124,Labeling,Default,[],0,9fbde396-1a24-4c79-8edf-9254a0f35055,Confidential\Microsoft Extended,,,PurviewDataSensitivityLogs,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourcegroups/purview-sentinel-bug-bash/providers/microsoft.purview/accounts/sentinel-bug-bash-southeastasia -d80e74e9-da11-4572-babc-79349f7685cc,"11/1/2021, 4:16:02.974 PM",00000000-0000-0000-0000-000000000000,DataSensitivityLogEvent,72f988bf-86f1-41af-91ab-2d7cd011db47,458b9821-8f00-483f-acf9-ff6ab17332c4,Sentinel-Bug-Bash-SoutheastAsia,southeastasia,AzureBlob-eXR,AzureBlob,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourceGroups/classification-test/providers/Microsoft.Storage/storageAccounts/aipclptest,458b9821-8f00-483f-acf9-ff6ab17332c4,eastus,BugBashTest,,finland.txt,https://aipclptest.blob.core.windows.net/aashishr01/finland.txt,File,"12/11/2020, 8:59:33.000 PM","12/11/2020, 8:59:33.000 PM",,"11/1/2021, 4:12:18.879 PM",txt,89,Labeling,Default,[],0,9fbde396-1a24-4c79-8edf-9254a0f35055,Confidential\Microsoft Extended,,,PurviewDataSensitivityLogs,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourcegroups/purview-sentinel-bug-bash/providers/microsoft.purview/accounts/sentinel-bug-bash-southeastasia -d80e74e9-da11-4572-babc-79349f7685cc,"11/1/2021, 4:16:02.979 PM",00000000-0000-0000-0000-000000000000,DataSensitivityLogEvent,72f988bf-86f1-41af-91ab-2d7cd011db47,458b9821-8f00-483f-acf9-ff6ab17332c4,Sentinel-Bug-Bash-SoutheastAsia,southeastasia,AzureBlob-eXR,AzureBlob,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourceGroups/classification-test/providers/Microsoft.Storage/storageAccounts/aipclptest,458b9821-8f00-483f-acf9-ff6ab17332c4,eastus,BugBashTest,,es-ssn (1).docx,https://aipclptest.blob.core.windows.net/test2/es-ssn (1).docx,File,"5/13/2021, 6:37:48.000 PM","5/13/2021, 6:37:48.000 PM",,"11/1/2021, 4:12:15.003 PM",docx,26070,Classification,System,"[""Spain Social Security Number (SSN)""]",1,,,,,PurviewDataSensitivityLogs,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourcegroups/purview-sentinel-bug-bash/providers/microsoft.purview/accounts/sentinel-bug-bash-southeastasia -d80e74e9-da11-4572-babc-79349f7685cc,"11/1/2021, 4:16:02.982 PM",00000000-0000-0000-0000-000000000000,DataSensitivityLogEvent,72f988bf-86f1-41af-91ab-2d7cd011db47,458b9821-8f00-483f-acf9-ff6ab17332c4,Sentinel-Bug-Bash-SoutheastAsia,southeastasia,AzureBlob-eXR,AzureBlob,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourceGroups/classification-test/providers/Microsoft.Storage/storageAccounts/aipclptest,458b9821-8f00-483f-acf9-ff6ab17332c4,eastus,BugBashTest,,cz.txt,https://aipclptest.blob.core.windows.net/aashishr01/cz.txt,File,"12/11/2020, 8:59:35.000 PM","12/11/2020, 8:59:35.000 PM",,"11/1/2021, 4:12:19.803 PM",txt,124,Labeling,Default,[],0,9fbde396-1a24-4c79-8edf-9254a0f35055,Confidential\Microsoft Extended,,,PurviewDataSensitivityLogs,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourcegroups/purview-sentinel-bug-bash/providers/microsoft.purview/accounts/sentinel-bug-bash-southeastasia -d80e74e9-da11-4572-babc-79349f7685cc,"11/1/2021, 4:16:02.985 PM",00000000-0000-0000-0000-000000000000,DataSensitivityLogEvent,72f988bf-86f1-41af-91ab-2d7cd011db47,458b9821-8f00-483f-acf9-ff6ab17332c4,Sentinel-Bug-Bash-SoutheastAsia,southeastasia,AzureBlob-eXR,AzureBlob,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourceGroups/classification-test/providers/Microsoft.Storage/storageAccounts/aipclptest,458b9821-8f00-483f-acf9-ff6ab17332c4,eastus,BugBashTest,,create samples (1).xlsx,https://aipclptest.blob.core.windows.net/test2/create samples (1).xlsx,File,"5/13/2021, 6:37:49.000 PM","5/13/2021, 6:37:49.000 PM",,"11/1/2021, 4:12:15.191 PM",xlsx,29140,Classification,System,"[""ABA Routing Number"",""Argentina National Identity (DNI) Number"",""Australia Bank Account Number"",""Australia Driver's License Number"",""Australia Medical Account Number"",""Australia Passport Number"",""Australia Tax File Number"",""Austria Driver's License Number"",""Austria Passport Number"",""Belgium Driver's License Number"",""Belgium Passport Number"",""Brazil CPF Number"",""Brazil Legal Entity Number (CNPJ)"",""Brazil National ID Card (RG)"",""Bulgaria Driver's License Number"",""Bulgaria Passport Number"",""Canada Bank Account Number"",""Canada Driver's License Number"",""Canada Health Service Number"",""Canada Passport Number"",""Canada Personal Health Identification Number (PHIN)"",""Canada Social Insurance Number"",""Chile Identity Card Number"",""China Resident Identity Card (PRC) Number"",""Credit Card Number"",""Croatia Driver's License Number"",""Croatia Passport Number"",""Cyprus Driver's License Number"",""Cyprus Identity Card"",""Czech Personal Identity Number"",""Czech Republic Passport Number"",""Denmark Driver's License Number"",""Denmark Passport Number"",""Denmark Personal Identification Number"",""Estonia Passport Number"",""EU Debit Card Number"",""EU Driver's License Number"",""EU National Identification Number"",""EU Passport Number"",""EU Social Security Number (SSN) or Equivalent ID"",""EU Tax Identification Number (TIN)"",""Finland National ID"",""Finland Passport Number"",""France Driver's License Number"",""France National ID Card (CNI)"",""France Social Security Number (INSEE)"",""German Driver's License Number"",""German Passport Number"",""Germany Identity Card Number"",""Greece Driver's License Number"",""Greece National ID Card"",""Greece Passport Number"",""Hungarian Social Security Number (TAJ)"",""Hungary Passport Number"",""India Permanent Account Number (PAN)"",""India Unique Identification (Aadhaar) Number"",""Indonesia Identity Card (KTP) Number"",""International Banking Account Number (IBAN)"",""IP Address"",""Ireland Passport Number"",""Ireland Personal Public Service (PPS) Number"",""Israel Bank Account Number"",""Israel National ID"",""Italy Driver's License Number"",""Italy Passport Number"",""Japan Bank Account Number"",""Japan Driver's License Number"",""Japan Passport Number"",""Japan Resident Registration Number"",""Japan Social Insurance Number (SIN)"",""Lithuania Driver's License Number"",""Lithuania Passport Number"",""Luxemburg Passport Number"",""Malaysia Identity Card Number"",""Malta Driver's License Number"",""Malta Passport Number"",""Netherlands Driver's License Number"",""Netherlands Passport Number"",""New Zealand Ministry of Health Number"",""Norway Identity Number"",""Philippines Unified Multi-Purpose ID Number"",""Poland Identity Card"",""Romania Driver's License Number"",""Romania Passport Number"",""Russian Passport Number (Domestic)"",""Russian Passport Number (International)"",""Saudi Arabia National ID"",""Singapore National Registration Identity Card (NRIC) Number"",""Slovakia Driver's License Number"",""Slovakia Passport Number"",""Slovakia Personal Number"",""Slovenia Driver's License Number"",""Slovenia Passport Number"",""South Africa Identification Number"",""South Korea Resident Registration Number"",""Spain Social Security Number (SSN)"",""Sweden National ID"",""Sweden Passport Number"",""Sweden Tax Identification Number"",""SWIFT Code"",""Taiwan National ID"",""Taiwan Passport Number"",""Taiwan Resident Certificate (ARC/TARC)"",""U.K. Driver's License Number"",""U.K. Electoral Roll Number"",""U.K. National Health Service Number"",""U.K. National Insurance Number (NINO)"",""U.K. Unique Taxpayer Reference Number"",""U.S. / U.K. Passport Number"",""U.S. Bank Account Number"",""U.S. Individual Taxpayer Identification Number (ITIN)"",""U.S. Social Security Number (SSN)"",""Ukraine Passport Number (Domestic)"",""Ukraine Passport Number (International)""]",114,,,,,PurviewDataSensitivityLogs,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourcegroups/purview-sentinel-bug-bash/providers/microsoft.purview/accounts/sentinel-bug-bash-southeastasia -d80e74e9-da11-4572-babc-79349f7685cc,"11/1/2021, 4:16:02.991 PM",00000000-0000-0000-0000-000000000000,DataSensitivityLogEvent,72f988bf-86f1-41af-91ab-2d7cd011db47,458b9821-8f00-483f-acf9-ff6ab17332c4,Sentinel-Bug-Bash-SoutheastAsia,southeastasia,AzureBlob-eXR,AzureBlob,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourceGroups/classification-test/providers/Microsoft.Storage/storageAccounts/aipclptest,458b9821-8f00-483f-acf9-ff6ab17332c4,eastus,BugBashTest,,cz-id.docx,https://aipclptest.blob.core.windows.net/aipscan/HR/cz-id.docx,File,"2/13/2020, 7:54:12.000 PM","2/13/2020, 7:54:12.000 PM",,"11/1/2021, 4:12:23.475 PM",docx,20172,Classification,System,"[""EU National Identification Number"",""EU Social Security Number (SSN) or Equivalent ID""]",2,,,,,PurviewDataSensitivityLogs,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourcegroups/purview-sentinel-bug-bash/providers/microsoft.purview/accounts/sentinel-bug-bash-southeastasia -d80e74e9-da11-4572-babc-79349f7685cc,"11/1/2021, 4:16:03.005 PM",00000000-0000-0000-0000-000000000000,DataSensitivityLogEvent,72f988bf-86f1-41af-91ab-2d7cd011db47,458b9821-8f00-483f-acf9-ff6ab17332c4,Sentinel-Bug-Bash-SoutheastAsia,southeastasia,AzureBlob-eXR,AzureBlob,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourceGroups/classification-test/providers/Microsoft.Storage/storageAccounts/aipclptest,458b9821-8f00-483f-acf9-ff6ab17332c4,eastus,BugBashTest,,ir-pps.docx,https://aipclptest.blob.core.windows.net/aashishr01/ir-pps.docx,File,"12/11/2020, 8:59:33.000 PM","12/11/2020, 8:59:33.000 PM",,"11/1/2021, 4:12:22.491 PM",docx,25964,Labeling,Default,[],0,9fbde396-1a24-4c79-8edf-9254a0f35055,Confidential\Microsoft Extended,,,PurviewDataSensitivityLogs,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourcegroups/purview-sentinel-bug-bash/providers/microsoft.purview/accounts/sentinel-bug-bash-southeastasia -d80e74e9-da11-4572-babc-79349f7685cc,"11/1/2021, 4:16:03.027 PM",00000000-0000-0000-0000-000000000000,DataSensitivityLogEvent,72f988bf-86f1-41af-91ab-2d7cd011db47,458b9821-8f00-483f-acf9-ff6ab17332c4,Sentinel-Bug-Bash-SoutheastAsia,southeastasia,AzureBlob-eXR,AzureBlob,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourceGroups/classification-test/providers/Microsoft.Storage/storageAccounts/aipclptest,458b9821-8f00-483f-acf9-ff6ab17332c4,eastus,BugBashTest,,it-drv.docx,https://aipclptest.blob.core.windows.net/aashishr01/it-drv.docx,File,"12/11/2020, 8:59:33.000 PM","12/11/2020, 8:59:33.000 PM",,"11/1/2021, 4:12:19.850 PM",docx,26098,Labeling,Default,[],0,9fbde396-1a24-4c79-8edf-9254a0f35055,Confidential\Microsoft Extended,,,PurviewDataSensitivityLogs,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourcegroups/purview-sentinel-bug-bash/providers/microsoft.purview/accounts/sentinel-bug-bash-southeastasia -d80e74e9-da11-4572-babc-79349f7685cc,"11/1/2021, 4:16:03.095 PM",00000000-0000-0000-0000-000000000000,DataSensitivityLogEvent,72f988bf-86f1-41af-91ab-2d7cd011db47,458b9821-8f00-483f-acf9-ff6ab17332c4,Sentinel-Bug-Bash-SoutheastAsia,southeastasia,AzureBlob-eXR,AzureBlob,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourceGroups/classification-test/providers/Microsoft.Storage/storageAccounts/aipclptest,458b9821-8f00-483f-acf9-ff6ab17332c4,eastus,BugBashTest,,ir-pps.docx,https://aipclptest.blob.core.windows.net/aipscan/HR/ir-pps.docx,File,"2/13/2020, 7:54:12.000 PM","2/13/2020, 7:54:12.000 PM",,"11/1/2021, 4:12:24.194 PM",docx,20027,Classification,System,"[""EU National Identification Number"",""EU Tax Identification Number (TIN)"",""Ireland Personal Public Service (PPS) Number""]",3,,,,,PurviewDataSensitivityLogs,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourcegroups/purview-sentinel-bug-bash/providers/microsoft.purview/accounts/sentinel-bug-bash-southeastasia -d80e74e9-da11-4572-babc-79349f7685cc,"11/1/2021, 4:16:03.245 PM",00000000-0000-0000-0000-000000000000,DataSensitivityLogEvent,72f988bf-86f1-41af-91ab-2d7cd011db47,458b9821-8f00-483f-acf9-ff6ab17332c4,Sentinel-Bug-Bash-SoutheastAsia,southeastasia,AzureBlob-eXR,AzureBlob,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourceGroups/classification-test/providers/Microsoft.Storage/storageAccounts/aipclptest,458b9821-8f00-483f-acf9-ff6ab17332c4,eastus,BugBashTest,,IR.txt,https://aipclptest.blob.core.windows.net/aashishr01/IR.txt,File,"12/11/2020, 8:59:33.000 PM","12/11/2020, 8:59:33.000 PM",,"11/1/2021, 4:12:18.379 PM",txt,197,Labeling,Default,[],0,9fbde396-1a24-4c79-8edf-9254a0f35055,Confidential\Microsoft Extended,,,PurviewDataSensitivityLogs,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourcegroups/purview-sentinel-bug-bash/providers/microsoft.purview/accounts/sentinel-bug-bash-southeastasia -d80e74e9-da11-4572-babc-79349f7685cc,"11/1/2021, 4:16:03.364 PM",00000000-0000-0000-0000-000000000000,DataSensitivityLogEvent,72f988bf-86f1-41af-91ab-2d7cd011db47,458b9821-8f00-483f-acf9-ff6ab17332c4,Sentinel-Bug-Bash-SoutheastAsia,southeastasia,AzureBlob-eXR,AzureBlob,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourceGroups/classification-test/providers/Microsoft.Storage/storageAccounts/aipclptest,458b9821-8f00-483f-acf9-ff6ab17332c4,eastus,BugBashTest,,EL.txt,https://aipclptest.blob.core.windows.net/test2/EL.txt,File,"5/13/2021, 6:37:48.000 PM","5/13/2021, 6:37:48.000 PM",,"11/1/2021, 4:12:15.957 PM",txt,200,Labeling,Default,[],0,9fbde396-1a24-4c79-8edf-9254a0f35055,Confidential\Microsoft Extended,,,PurviewDataSensitivityLogs,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourcegroups/purview-sentinel-bug-bash/providers/microsoft.purview/accounts/sentinel-bug-bash-southeastasia -d80e74e9-da11-4572-babc-79349f7685cc,"11/1/2021, 4:16:03.405 PM",00000000-0000-0000-0000-000000000000,DataSensitivityLogEvent,72f988bf-86f1-41af-91ab-2d7cd011db47,458b9821-8f00-483f-acf9-ff6ab17332c4,Sentinel-Bug-Bash-SoutheastAsia,southeastasia,AzureBlob-eXR,AzureBlob,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourceGroups/classification-test/providers/Microsoft.Storage/storageAccounts/aipclptest,458b9821-8f00-483f-acf9-ff6ab17332c4,eastus,BugBashTest,,it-drv.docx,https://aipclptest.blob.core.windows.net/test2/it-drv.docx,File,"5/13/2021, 6:37:49.000 PM","5/13/2021, 6:37:49.000 PM",,"11/1/2021, 4:12:16.472 PM",docx,26098,Labeling,Default,[],0,9fbde396-1a24-4c79-8edf-9254a0f35055,Confidential\Microsoft Extended,,,PurviewDataSensitivityLogs,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourcegroups/purview-sentinel-bug-bash/providers/microsoft.purview/accounts/sentinel-bug-bash-southeastasia -d80e74e9-da11-4572-babc-79349f7685cc,"11/1/2021, 4:16:03.419 PM",00000000-0000-0000-0000-000000000000,DataSensitivityLogEvent,72f988bf-86f1-41af-91ab-2d7cd011db47,458b9821-8f00-483f-acf9-ff6ab17332c4,Sentinel-Bug-Bash-SoutheastAsia,southeastasia,AzureBlob-eXR,AzureBlob,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourceGroups/classification-test/providers/Microsoft.Storage/storageAccounts/aipclptest,458b9821-8f00-483f-acf9-ff6ab17332c4,eastus,BugBashTest,,cr-oib.docx,https://aipclptest.blob.core.windows.net/test2/cr-oib.docx,File,"5/13/2021, 6:37:49.000 PM","5/13/2021, 6:37:49.000 PM",,"11/1/2021, 4:12:15.972 PM",docx,26098,Labeling,Default,[],0,9fbde396-1a24-4c79-8edf-9254a0f35055,Confidential\Microsoft Extended,,,PurviewDataSensitivityLogs,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourcegroups/purview-sentinel-bug-bash/providers/microsoft.purview/accounts/sentinel-bug-bash-southeastasia -d80e74e9-da11-4572-babc-79349f7685cc,"11/1/2021, 4:16:03.420 PM",00000000-0000-0000-0000-000000000000,DataSensitivityLogEvent,72f988bf-86f1-41af-91ab-2d7cd011db47,458b9821-8f00-483f-acf9-ff6ab17332c4,Sentinel-Bug-Bash-SoutheastAsia,southeastasia,AzureBlob-eXR,AzureBlob,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourceGroups/classification-test/providers/Microsoft.Storage/storageAccounts/aipclptest,458b9821-8f00-483f-acf9-ff6ab17332c4,eastus,BugBashTest,,de-id.docx,https://aipclptest.blob.core.windows.net/aipscan/HR/de-id.docx,File,"2/13/2020, 7:54:12.000 PM","2/13/2020, 7:54:12.000 PM",,"11/1/2021, 4:12:24.678 PM",docx,24898,Classification,System,"[""EU National Identification Number"",""Germany Identity Card Number""]",2,,,,,PurviewDataSensitivityLogs,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourcegroups/purview-sentinel-bug-bash/providers/microsoft.purview/accounts/sentinel-bug-bash-southeastasia -d80e74e9-da11-4572-babc-79349f7685cc,"11/1/2021, 4:16:03.467 PM",00000000-0000-0000-0000-000000000000,DataSensitivityLogEvent,72f988bf-86f1-41af-91ab-2d7cd011db47,458b9821-8f00-483f-acf9-ff6ab17332c4,Sentinel-Bug-Bash-SoutheastAsia,southeastasia,AzureBlob-eXR,AzureBlob,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourceGroups/classification-test/providers/Microsoft.Storage/storageAccounts/aipclptest,458b9821-8f00-483f-acf9-ff6ab17332c4,eastus,BugBashTest,,cz-id.docx,https://aipclptest.blob.core.windows.net/aashishr01/cz-id.docx,File,"12/11/2020, 8:59:35.000 PM","12/11/2020, 8:59:35.000 PM",,"11/1/2021, 4:12:17.425 PM",docx,26105,Labeling,Default,[],0,9fbde396-1a24-4c79-8edf-9254a0f35055,Confidential\Microsoft Extended,,,PurviewDataSensitivityLogs,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourcegroups/purview-sentinel-bug-bash/providers/microsoft.purview/accounts/sentinel-bug-bash-southeastasia -d80e74e9-da11-4572-babc-79349f7685cc,"11/1/2021, 4:16:03.533 PM",00000000-0000-0000-0000-000000000000,DataSensitivityLogEvent,72f988bf-86f1-41af-91ab-2d7cd011db47,458b9821-8f00-483f-acf9-ff6ab17332c4,Sentinel-Bug-Bash-SoutheastAsia,southeastasia,AzureBlob-eXR,AzureBlob,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourceGroups/classification-test/providers/Microsoft.Storage/storageAccounts/aipclptest,458b9821-8f00-483f-acf9-ff6ab17332c4,eastus,BugBashTest,,es-ssn.docx,https://aipclptest.blob.core.windows.net/test2/es-ssn.docx,File,"5/13/2021, 6:37:48.000 PM","5/13/2021, 6:37:48.000 PM",,"11/1/2021, 4:12:16.457 PM",docx,26070,Labeling,Default,[],0,9fbde396-1a24-4c79-8edf-9254a0f35055,Confidential\Microsoft Extended,,,PurviewDataSensitivityLogs,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourcegroups/purview-sentinel-bug-bash/providers/microsoft.purview/accounts/sentinel-bug-bash-southeastasia -d80e74e9-da11-4572-babc-79349f7685cc,"11/1/2021, 4:16:03.556 PM",00000000-0000-0000-0000-000000000000,DataSensitivityLogEvent,72f988bf-86f1-41af-91ab-2d7cd011db47,458b9821-8f00-483f-acf9-ff6ab17332c4,Sentinel-Bug-Bash-SoutheastAsia,southeastasia,AzureBlob-eXR,AzureBlob,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourceGroups/classification-test/providers/Microsoft.Storage/storageAccounts/aipclptest,458b9821-8f00-483f-acf9-ff6ab17332c4,eastus,BugBashTest,,Payments.docx,https://aipclptest.blob.core.windows.net/aipscan/Finance/Payments.docx,File,"2/13/2020, 7:54:02.000 PM","2/13/2020, 7:54:02.000 PM",,"11/1/2021, 4:12:27.151 PM",docx,20166,Classification,System,"[""Credit Card Number"",""EU Debit Card Number""]",2,,,,,PurviewDataSensitivityLogs,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourcegroups/purview-sentinel-bug-bash/providers/microsoft.purview/accounts/sentinel-bug-bash-southeastasia -d80e74e9-da11-4572-babc-79349f7685cc,"11/1/2021, 4:16:03.563 PM",00000000-0000-0000-0000-000000000000,DataSensitivityLogEvent,72f988bf-86f1-41af-91ab-2d7cd011db47,458b9821-8f00-483f-acf9-ff6ab17332c4,Sentinel-Bug-Bash-SoutheastAsia,southeastasia,AzureBlob-eXR,AzureBlob,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourceGroups/classification-test/providers/Microsoft.Storage/storageAccounts/aipclptest,458b9821-8f00-483f-acf9-ff6ab17332c4,eastus,BugBashTest,,vendors data.xlsx,https://aipclptest.blob.core.windows.net/aipscan/Finance/vendors data.xlsx,File,"2/13/2020, 7:54:02.000 PM","2/13/2020, 7:54:02.000 PM",,"11/1/2021, 4:12:26.604 PM",xlsx,23326,Classification,System,"[""ABA Routing Number"",""Argentina National Identity (DNI) Number"",""Australia Bank Account Number"",""Australia Driver's License Number"",""Australia Medical Account Number"",""Australia Passport Number"",""Australia Tax File Number"",""Austria Driver's License Number"",""Austria Passport Number"",""Belgium Driver's License Number"",""Belgium Passport Number"",""Brazil CPF Number"",""Brazil Legal Entity Number (CNPJ)"",""Brazil National ID Card (RG)"",""Bulgaria Driver's License Number"",""Bulgaria Passport Number"",""Canada Bank Account Number"",""Canada Driver's License Number"",""Canada Health Service Number"",""Canada Passport Number"",""Canada Personal Health Identification Number (PHIN)"",""Canada Social Insurance Number"",""Chile Identity Card Number"",""China Resident Identity Card (PRC) Number"",""Credit Card Number"",""Croatia Driver's License Number"",""Croatia Passport Number"",""Cyprus Driver's License Number"",""Cyprus Identity Card"",""Czech Personal Identity Number"",""Czech Republic Passport Number"",""Denmark Driver's License Number"",""Denmark Passport Number"",""Denmark Personal Identification Number"",""Estonia Passport Number"",""EU Debit Card Number"",""EU Driver's License Number"",""EU National Identification Number"",""EU Passport Number"",""EU Social Security Number (SSN) or Equivalent ID"",""EU Tax Identification Number (TIN)"",""Finland National ID"",""Finland Passport Number"",""France Driver's License Number"",""France National ID Card (CNI)"",""France Social Security Number (INSEE)"",""German Driver's License Number"",""German Passport Number"",""Germany Identity Card Number"",""Greece Driver's License Number"",""Greece National ID Card"",""Greece Passport Number"",""Hungarian Social Security Number (TAJ)"",""Hungary Passport Number"",""India Permanent Account Number (PAN)"",""India Unique Identification (Aadhaar) Number"",""Indonesia Identity Card (KTP) Number"",""International Banking Account Number (IBAN)"",""IP Address"",""Ireland Passport Number"",""Ireland Personal Public Service (PPS) Number"",""Israel Bank Account Number"",""Israel National ID"",""Italy Driver's License Number"",""Italy Passport Number"",""Japan Bank Account Number"",""Japan Driver's License Number"",""Japan Passport Number"",""Japan Resident Registration Number"",""Japan Social Insurance Number (SIN)"",""Lithuania Driver's License Number"",""Lithuania Passport Number"",""Luxemburg Passport Number"",""Malaysia Identity Card Number"",""Malta Driver's License Number"",""Malta Passport Number"",""Netherlands Driver's License Number"",""Netherlands Passport Number"",""New Zealand Ministry of Health Number"",""Norway Identity Number"",""Philippines Unified Multi-Purpose ID Number"",""Poland Identity Card"",""Romania Driver's License Number"",""Romania Passport Number"",""Russian Passport Number (Domestic)"",""Russian Passport Number (International)"",""Saudi Arabia National ID"",""Singapore National Registration Identity Card (NRIC) Number"",""Slovakia Driver's License Number"",""Slovakia Passport Number"",""Slovakia Personal Number"",""Slovenia Driver's License Number"",""Slovenia Passport Number"",""South Africa Identification Number"",""South Korea Resident Registration Number"",""Spain Social Security Number (SSN)"",""Sweden National ID"",""Sweden Passport Number"",""Sweden Tax Identification Number"",""SWIFT Code"",""Taiwan National ID"",""Taiwan Passport Number"",""Taiwan Resident Certificate (ARC/TARC)"",""U.K. Driver's License Number"",""U.K. Electoral Roll Number"",""U.K. National Health Service Number"",""U.K. National Insurance Number (NINO)"",""U.K. Unique Taxpayer Reference Number"",""U.S. / U.K. Passport Number"",""U.S. Bank Account Number"",""U.S. Individual Taxpayer Identification Number (ITIN)"",""U.S. Social Security Number (SSN)"",""Ukraine Passport Number (Domestic)"",""Ukraine Passport Number (International)""]",114,,,,,PurviewDataSensitivityLogs,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourcegroups/purview-sentinel-bug-bash/providers/microsoft.purview/accounts/sentinel-bug-bash-southeastasia -d80e74e9-da11-4572-babc-79349f7685cc,"11/1/2021, 4:16:03.570 PM",00000000-0000-0000-0000-000000000000,DataSensitivityLogEvent,72f988bf-86f1-41af-91ab-2d7cd011db47,458b9821-8f00-483f-acf9-ff6ab17332c4,Sentinel-Bug-Bash-SoutheastAsia,southeastasia,AzureBlob-eXR,AzureBlob,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourceGroups/classification-test/providers/Microsoft.Storage/storageAccounts/aipclptest,458b9821-8f00-483f-acf9-ff6ab17332c4,eastus,BugBashTest,,customers data.xlsx,https://aipclptest.blob.core.windows.net/aipscan/Finance/customers data.xlsx,File,"2/13/2020, 7:54:02.000 PM","2/13/2020, 7:54:02.000 PM",,"11/1/2021, 4:12:27.323 PM",xlsx,23325,Classification,System,"[""ABA Routing Number"",""Argentina National Identity (DNI) Number"",""Australia Bank Account Number"",""Australia Driver's License Number"",""Australia Medical Account Number"",""Australia Passport Number"",""Australia Tax File Number"",""Austria Driver's License Number"",""Austria Passport Number"",""Belgium Driver's License Number"",""Belgium Passport Number"",""Brazil CPF Number"",""Brazil Legal Entity Number (CNPJ)"",""Brazil National ID Card (RG)"",""Bulgaria Driver's License Number"",""Bulgaria Passport Number"",""Canada Bank Account Number"",""Canada Driver's License Number"",""Canada Health Service Number"",""Canada Passport Number"",""Canada Personal Health Identification Number (PHIN)"",""Canada Social Insurance Number"",""Chile Identity Card Number"",""China Resident Identity Card (PRC) Number"",""Credit Card Number"",""Croatia Driver's License Number"",""Croatia Passport Number"",""Cyprus Driver's License Number"",""Cyprus Identity Card"",""Czech Personal Identity Number"",""Czech Republic Passport Number"",""Denmark Driver's License Number"",""Denmark Passport Number"",""Denmark Personal Identification Number"",""Estonia Passport Number"",""EU Debit Card Number"",""EU Driver's License Number"",""EU National Identification Number"",""EU Passport Number"",""EU Social Security Number (SSN) or Equivalent ID"",""EU Tax Identification Number (TIN)"",""Finland National ID"",""Finland Passport Number"",""France Driver's License Number"",""France National ID Card (CNI)"",""France Social Security Number (INSEE)"",""German Driver's License Number"",""German Passport Number"",""Germany Identity Card Number"",""Greece Driver's License Number"",""Greece National ID Card"",""Greece Passport Number"",""Hungarian Social Security Number (TAJ)"",""Hungary Passport Number"",""India Permanent Account Number (PAN)"",""India Unique Identification (Aadhaar) Number"",""Indonesia Identity Card (KTP) Number"",""International Banking Account Number (IBAN)"",""IP Address"",""Ireland Passport Number"",""Ireland Personal Public Service (PPS) Number"",""Israel Bank Account Number"",""Israel National ID"",""Italy Driver's License Number"",""Italy Passport Number"",""Japan Bank Account Number"",""Japan Driver's License Number"",""Japan Passport Number"",""Japan Resident Registration Number"",""Japan Social Insurance Number (SIN)"",""Lithuania Driver's License Number"",""Lithuania Passport Number"",""Luxemburg Passport Number"",""Malaysia Identity Card Number"",""Malta Driver's License Number"",""Malta Passport Number"",""Netherlands Driver's License Number"",""Netherlands Passport Number"",""New Zealand Ministry of Health Number"",""Norway Identity Number"",""Philippines Unified Multi-Purpose ID Number"",""Poland Identity Card"",""Romania Driver's License Number"",""Romania Passport Number"",""Russian Passport Number (Domestic)"",""Russian Passport Number (International)"",""Saudi Arabia National ID"",""Singapore National Registration Identity Card (NRIC) Number"",""Slovakia Driver's License Number"",""Slovakia Passport Number"",""Slovakia Personal Number"",""Slovenia Driver's License Number"",""Slovenia Passport Number"",""South Africa Identification Number"",""South Korea Resident Registration Number"",""Spain Social Security Number (SSN)"",""Sweden National ID"",""Sweden Passport Number"",""Sweden Tax Identification Number"",""SWIFT Code"",""Taiwan National ID"",""Taiwan Passport Number"",""Taiwan Resident Certificate (ARC/TARC)"",""U.K. Driver's License Number"",""U.K. Electoral Roll Number"",""U.K. National Health Service Number"",""U.K. National Insurance Number (NINO)"",""U.K. Unique Taxpayer Reference Number"",""U.S. / U.K. Passport Number"",""U.S. Bank Account Number"",""U.S. Individual Taxpayer Identification Number (ITIN)"",""U.S. Social Security Number (SSN)"",""Ukraine Passport Number (Domestic)"",""Ukraine Passport Number (International)""]",114,,,,,PurviewDataSensitivityLogs,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourcegroups/purview-sentinel-bug-bash/providers/microsoft.purview/accounts/sentinel-bug-bash-southeastasia -d80e74e9-da11-4572-babc-79349f7685cc,"11/1/2021, 4:16:03.682 PM",00000000-0000-0000-0000-000000000000,DataSensitivityLogEvent,72f988bf-86f1-41af-91ab-2d7cd011db47,458b9821-8f00-483f-acf9-ff6ab17332c4,Sentinel-Bug-Bash-SoutheastAsia,southeastasia,AzureBlob-eXR,AzureBlob,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourceGroups/classification-test/providers/Microsoft.Storage/storageAccounts/aipclptest,458b9821-8f00-483f-acf9-ff6ab17332c4,eastus,BugBashTest,,fr-drv.docx,https://aipclptest.blob.core.windows.net/aashishr01/fr-drv.docx,File,"12/11/2020, 8:59:33.000 PM","12/11/2020, 8:59:33.000 PM",,"11/1/2021, 4:12:16.941 PM",docx,26094,Labeling,Default,[],0,9fbde396-1a24-4c79-8edf-9254a0f35055,Confidential\Microsoft Extended,,,PurviewDataSensitivityLogs,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourcegroups/purview-sentinel-bug-bash/providers/microsoft.purview/accounts/sentinel-bug-bash-southeastasia -d80e74e9-da11-4572-babc-79349f7685cc,"11/1/2021, 4:16:03.708 PM",00000000-0000-0000-0000-000000000000,DataSensitivityLogEvent,72f988bf-86f1-41af-91ab-2d7cd011db47,458b9821-8f00-483f-acf9-ff6ab17332c4,Sentinel-Bug-Bash-SoutheastAsia,southeastasia,AzureBlob-eXR,AzureBlob,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourceGroups/classification-test/providers/Microsoft.Storage/storageAccounts/aipclptest,458b9821-8f00-483f-acf9-ff6ab17332c4,eastus,BugBashTest,,Acme Direct Deposit Form-Katana.xls,https://aipclptest.blob.core.windows.net/aipscan/CredScan/Acme Direct Deposit Form-Katana.xls,File,"2/13/2020, 7:53:39.000 PM","2/13/2020, 7:53:39.000 PM",,"11/1/2021, 4:12:29.854 PM",xls,119808,Classification,System,"[""U.S. Social Security Number (SSN)""]",1,,,,,PurviewDataSensitivityLogs,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourcegroups/purview-sentinel-bug-bash/providers/microsoft.purview/accounts/sentinel-bug-bash-southeastasia -d80e74e9-da11-4572-babc-79349f7685cc,"11/1/2021, 4:16:03.714 PM",00000000-0000-0000-0000-000000000000,DataSensitivityLogEvent,72f988bf-86f1-41af-91ab-2d7cd011db47,458b9821-8f00-483f-acf9-ff6ab17332c4,Sentinel-Bug-Bash-SoutheastAsia,southeastasia,AzureBlob-eXR,AzureBlob,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourceGroups/classification-test/providers/Microsoft.Storage/storageAccounts/aipclptest,458b9821-8f00-483f-acf9-ff6ab17332c4,eastus,BugBashTest,,Acme Request for Time Off.doc,https://aipclptest.blob.core.windows.net/aipscan/CredScan/Acme Request for Time Off.doc,File,"2/13/2020, 7:53:39.000 PM","2/13/2020, 7:53:39.000 PM",,"11/1/2021, 4:12:29.542 PM",doc,40960,Classification,System,"[""U.S. Social Security Number (SSN)""]",1,,,,,PurviewDataSensitivityLogs,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourcegroups/purview-sentinel-bug-bash/providers/microsoft.purview/accounts/sentinel-bug-bash-southeastasia -d80e74e9-da11-4572-babc-79349f7685cc,"11/1/2021, 4:16:03.719 PM",00000000-0000-0000-0000-000000000000,DataSensitivityLogEvent,72f988bf-86f1-41af-91ab-2d7cd011db47,458b9821-8f00-483f-acf9-ff6ab17332c4,Sentinel-Bug-Bash-SoutheastAsia,southeastasia,AzureBlob-eXR,AzureBlob,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourceGroups/classification-test/providers/Microsoft.Storage/storageAccounts/aipclptest,458b9821-8f00-483f-acf9-ff6ab17332c4,eastus,BugBashTest,,Travel Authorization Form_MY_101706-Katana.doc,https://aipclptest.blob.core.windows.net/aipscan/CredScan/Travel Authorization Form_MY_101706-Katana.doc,File,"2/13/2020, 7:53:39.000 PM","2/13/2020, 7:53:39.000 PM",,"11/1/2021, 4:12:30.813 PM",doc,40960,Classification,System,"[""Credit Card Number""]",1,,,,,PurviewDataSensitivityLogs,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourcegroups/purview-sentinel-bug-bash/providers/microsoft.purview/accounts/sentinel-bug-bash-southeastasia -d80e74e9-da11-4572-babc-79349f7685cc,"11/1/2021, 4:16:03.731 PM",00000000-0000-0000-0000-000000000000,DataSensitivityLogEvent,72f988bf-86f1-41af-91ab-2d7cd011db47,458b9821-8f00-483f-acf9-ff6ab17332c4,Sentinel-Bug-Bash-SoutheastAsia,southeastasia,AzureBlob-eXR,AzureBlob,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourceGroups/classification-test/providers/Microsoft.Storage/storageAccounts/aipclptest,458b9821-8f00-483f-acf9-ff6ab17332c4,eastus,BugBashTest,,fr-insee.docx,https://aipclptest.blob.core.windows.net/aashishr01/fr-insee.docx,File,"12/11/2020, 8:59:33.000 PM","12/11/2020, 8:59:33.000 PM",,"11/1/2021, 4:12:21.069 PM",docx,26254,Classification,System,"[""EU Social Security Number (SSN) or Equivalent ID"",""France Social Security Number (INSEE)""]",2,,,,,PurviewDataSensitivityLogs,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourcegroups/purview-sentinel-bug-bash/providers/microsoft.purview/accounts/sentinel-bug-bash-southeastasia -d80e74e9-da11-4572-babc-79349f7685cc,"11/1/2021, 4:16:03.740 PM",00000000-0000-0000-0000-000000000000,DataSensitivityLogEvent,72f988bf-86f1-41af-91ab-2d7cd011db47,458b9821-8f00-483f-acf9-ff6ab17332c4,Sentinel-Bug-Bash-SoutheastAsia,southeastasia,AzureBlob-eXR,AzureBlob,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourceGroups/classification-test/providers/Microsoft.Storage/storageAccounts/aipclptest,458b9821-8f00-483f-acf9-ff6ab17332c4,eastus,BugBashTest,,create samples.xlsx,https://aipclptest.blob.core.windows.net/aashishr01/create samples.xlsx,File,"12/11/2020, 8:59:35.000 PM","12/11/2020, 8:59:35.000 PM",,"11/1/2021, 4:12:21.209 PM",xlsx,29140,Classification,System,"[""ABA Routing Number"",""Argentina National Identity (DNI) Number"",""Australia Bank Account Number"",""Australia Driver's License Number"",""Australia Medical Account Number"",""Australia Passport Number"",""Australia Tax File Number"",""Austria Driver's License Number"",""Austria Passport Number"",""Belgium Driver's License Number"",""Belgium Passport Number"",""Brazil CPF Number"",""Brazil Legal Entity Number (CNPJ)"",""Brazil National ID Card (RG)"",""Bulgaria Driver's License Number"",""Bulgaria Passport Number"",""Canada Bank Account Number"",""Canada Driver's License Number"",""Canada Health Service Number"",""Canada Passport Number"",""Canada Personal Health Identification Number (PHIN)"",""Canada Social Insurance Number"",""Chile Identity Card Number"",""China Resident Identity Card (PRC) Number"",""Credit Card Number"",""Croatia Driver's License Number"",""Croatia Passport Number"",""Cyprus Driver's License Number"",""Cyprus Identity Card"",""Czech Personal Identity Number"",""Czech Republic Passport Number"",""Denmark Driver's License Number"",""Denmark Passport Number"",""Denmark Personal Identification Number"",""Estonia Passport Number"",""EU Debit Card Number"",""EU Driver's License Number"",""EU National Identification Number"",""EU Passport Number"",""EU Social Security Number (SSN) or Equivalent ID"",""EU Tax Identification Number (TIN)"",""Finland National ID"",""Finland Passport Number"",""France Driver's License Number"",""France National ID Card (CNI)"",""France Social Security Number (INSEE)"",""German Driver's License Number"",""German Passport Number"",""Germany Identity Card Number"",""Greece Driver's License Number"",""Greece National ID Card"",""Greece Passport Number"",""Hungarian Social Security Number (TAJ)"",""Hungary Passport Number"",""India Permanent Account Number (PAN)"",""India Unique Identification (Aadhaar) Number"",""Indonesia Identity Card (KTP) Number"",""International Banking Account Number (IBAN)"",""IP Address"",""Ireland Passport Number"",""Ireland Personal Public Service (PPS) Number"",""Israel Bank Account Number"",""Israel National ID"",""Italy Driver's License Number"",""Italy Passport Number"",""Japan Bank Account Number"",""Japan Driver's License Number"",""Japan Passport Number"",""Japan Resident Registration Number"",""Japan Social Insurance Number (SIN)"",""Lithuania Driver's License Number"",""Lithuania Passport Number"",""Luxemburg Passport Number"",""Malaysia Identity Card Number"",""Malta Driver's License Number"",""Malta Passport Number"",""Netherlands Driver's License Number"",""Netherlands Passport Number"",""New Zealand Ministry of Health Number"",""Norway Identity Number"",""Philippines Unified Multi-Purpose ID Number"",""Poland Identity Card"",""Romania Driver's License Number"",""Romania Passport Number"",""Russian Passport Number (Domestic)"",""Russian Passport Number (International)"",""Saudi Arabia National ID"",""Singapore National Registration Identity Card (NRIC) Number"",""Slovakia Driver's License Number"",""Slovakia Passport Number"",""Slovakia Personal Number"",""Slovenia Driver's License Number"",""Slovenia Passport Number"",""South Africa Identification Number"",""South Korea Resident Registration Number"",""Spain Social Security Number (SSN)"",""Sweden National ID"",""Sweden Passport Number"",""Sweden Tax Identification Number"",""SWIFT Code"",""Taiwan National ID"",""Taiwan Passport Number"",""Taiwan Resident Certificate (ARC/TARC)"",""U.K. Driver's License Number"",""U.K. Electoral Roll Number"",""U.K. National Health Service Number"",""U.K. National Insurance Number (NINO)"",""U.K. Unique Taxpayer Reference Number"",""U.S. / U.K. Passport Number"",""U.S. Bank Account Number"",""U.S. Individual Taxpayer Identification Number (ITIN)"",""U.S. Social Security Number (SSN)"",""Ukraine Passport Number (Domestic)"",""Ukraine Passport Number (International)""]",114,,,,,PurviewDataSensitivityLogs,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourcegroups/purview-sentinel-bug-bash/providers/microsoft.purview/accounts/sentinel-bug-bash-southeastasia -d80e74e9-da11-4572-babc-79349f7685cc,"11/1/2021, 4:16:03.798 PM",00000000-0000-0000-0000-000000000000,DataSensitivityLogEvent,72f988bf-86f1-41af-91ab-2d7cd011db47,458b9821-8f00-483f-acf9-ff6ab17332c4,Sentinel-Bug-Bash-SoutheastAsia,southeastasia,AzureBlob-eXR,AzureBlob,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourceGroups/classification-test/providers/Microsoft.Storage/storageAccounts/aipclptest,458b9821-8f00-483f-acf9-ff6ab17332c4,eastus,BugBashTest,,uk-roll.docx,https://aipclptest.blob.core.windows.net/aashishr01/uk-roll.docx,File,"12/11/2020, 8:59:35.000 PM","12/11/2020, 8:59:35.000 PM",,"11/1/2021, 4:12:21.006 PM",docx,25511,Labeling,Default,[],0,9fbde396-1a24-4c79-8edf-9254a0f35055,Confidential\Microsoft Extended,,,PurviewDataSensitivityLogs,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourcegroups/purview-sentinel-bug-bash/providers/microsoft.purview/accounts/sentinel-bug-bash-southeastasia -d80e74e9-da11-4572-babc-79349f7685cc,"11/1/2021, 4:16:03.910 PM",00000000-0000-0000-0000-000000000000,DataSensitivityLogEvent,72f988bf-86f1-41af-91ab-2d7cd011db47,458b9821-8f00-483f-acf9-ff6ab17332c4,Sentinel-Bug-Bash-SoutheastAsia,southeastasia,AzureBlob-eXR,AzureBlob,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourceGroups/classification-test/providers/Microsoft.Storage/storageAccounts/aipclptest,458b9821-8f00-483f-acf9-ff6ab17332c4,eastus,BugBashTest,,pr-id.docx,https://aipclptest.blob.core.windows.net/aashishr01/pr-id.docx,File,"12/11/2020, 8:59:33.000 PM","12/11/2020, 8:59:33.000 PM",,"11/1/2021, 4:12:22.725 PM",docx,26111,Labeling,Default,[],0,9fbde396-1a24-4c79-8edf-9254a0f35055,Confidential\Microsoft Extended,,,PurviewDataSensitivityLogs,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourcegroups/purview-sentinel-bug-bash/providers/microsoft.purview/accounts/sentinel-bug-bash-southeastasia -d80e74e9-da11-4572-babc-79349f7685cc,"11/1/2021, 4:16:03.954 PM",00000000-0000-0000-0000-000000000000,DataSensitivityLogEvent,72f988bf-86f1-41af-91ab-2d7cd011db47,458b9821-8f00-483f-acf9-ff6ab17332c4,Sentinel-Bug-Bash-SoutheastAsia,southeastasia,AzureBlob-eXR,AzureBlob,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourceGroups/classification-test/providers/Microsoft.Storage/storageAccounts/aipclptest,458b9821-8f00-483f-acf9-ff6ab17332c4,eastus,BugBashTest,,cr-oib.docx,https://aipclptest.blob.core.windows.net/aashishr01/cr-oib.docx,File,"12/11/2020, 8:59:35.000 PM","12/11/2020, 8:59:35.000 PM",,"11/1/2021, 4:12:20.772 PM",docx,26098,Labeling,Default,[],0,9fbde396-1a24-4c79-8edf-9254a0f35055,Confidential\Microsoft Extended,,,PurviewDataSensitivityLogs,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourcegroups/purview-sentinel-bug-bash/providers/microsoft.purview/accounts/sentinel-bug-bash-southeastasia -d80e74e9-da11-4572-babc-79349f7685cc,"11/1/2021, 4:16:03.957 PM",00000000-0000-0000-0000-000000000000,DataSensitivityLogEvent,72f988bf-86f1-41af-91ab-2d7cd011db47,458b9821-8f00-483f-acf9-ff6ab17332c4,Sentinel-Bug-Bash-SoutheastAsia,southeastasia,AzureBlob-eXR,AzureBlob,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourceGroups/classification-test/providers/Microsoft.Storage/storageAccounts/aipclptest,458b9821-8f00-483f-acf9-ff6ab17332c4,eastus,BugBashTest,,sw-id.docx,https://aipclptest.blob.core.windows.net/aashishr01/sw-id.docx,File,"12/11/2020, 8:59:35.000 PM","12/11/2020, 8:59:35.000 PM",,"11/1/2021, 4:12:22.772 PM",docx,26070,Labeling,Default,[],0,9fbde396-1a24-4c79-8edf-9254a0f35055,Confidential\Microsoft Extended,,,PurviewDataSensitivityLogs,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourcegroups/purview-sentinel-bug-bash/providers/microsoft.purview/accounts/sentinel-bug-bash-southeastasia -d80e74e9-da11-4572-babc-79349f7685cc,"11/1/2021, 4:16:03.959 PM",00000000-0000-0000-0000-000000000000,DataSensitivityLogEvent,72f988bf-86f1-41af-91ab-2d7cd011db47,458b9821-8f00-483f-acf9-ff6ab17332c4,Sentinel-Bug-Bash-SoutheastAsia,southeastasia,AzureBlob-eXR,AzureBlob,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourceGroups/classification-test/providers/Microsoft.Storage/storageAccounts/aipclptest,458b9821-8f00-483f-acf9-ff6ab17332c4,eastus,BugBashTest,,uk-pn.docx,https://aipclptest.blob.core.windows.net/aashishr01/uk-pn.docx,File,"12/11/2020, 8:59:35.000 PM","12/11/2020, 8:59:35.000 PM",,"11/1/2021, 4:12:21.991 PM",docx,26383,Labeling,Default,[],0,9fbde396-1a24-4c79-8edf-9254a0f35055,Confidential\Microsoft Extended,,,PurviewDataSensitivityLogs,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourcegroups/purview-sentinel-bug-bash/providers/microsoft.purview/accounts/sentinel-bug-bash-southeastasia -d80e74e9-da11-4572-babc-79349f7685cc,"11/1/2021, 4:16:04.035 PM",00000000-0000-0000-0000-000000000000,DataSensitivityLogEvent,72f988bf-86f1-41af-91ab-2d7cd011db47,458b9821-8f00-483f-acf9-ff6ab17332c4,Sentinel-Bug-Bash-SoutheastAsia,southeastasia,AzureBlob-eXR,AzureBlob,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourceGroups/classification-test/providers/Microsoft.Storage/storageAccounts/aipclptest,458b9821-8f00-483f-acf9-ff6ab17332c4,eastus,BugBashTest,,customers data v2.xlsx,https://aipclptest.blob.core.windows.net/aipscan/Finance/customers data v2.xlsx,File,"2/13/2020, 7:54:02.000 PM","2/13/2020, 7:54:02.000 PM",,"11/1/2021, 4:12:28.542 PM",xlsx,23326,Classification,System,"[""ABA Routing Number"",""Argentina National Identity (DNI) Number"",""Australia Bank Account Number"",""Australia Driver's License Number"",""Australia Medical Account Number"",""Australia Passport Number"",""Australia Tax File Number"",""Austria Driver's License Number"",""Austria Passport Number"",""Belgium Driver's License Number"",""Belgium Passport Number"",""Brazil CPF Number"",""Brazil Legal Entity Number (CNPJ)"",""Brazil National ID Card (RG)"",""Bulgaria Driver's License Number"",""Bulgaria Passport Number"",""Canada Bank Account Number"",""Canada Driver's License Number"",""Canada Health Service Number"",""Canada Passport Number"",""Canada Personal Health Identification Number (PHIN)"",""Canada Social Insurance Number"",""Chile Identity Card Number"",""China Resident Identity Card (PRC) Number"",""Credit Card Number"",""Croatia Driver's License Number"",""Croatia Passport Number"",""Cyprus Driver's License Number"",""Cyprus Identity Card"",""Czech Personal Identity Number"",""Czech Republic Passport Number"",""Denmark Driver's License Number"",""Denmark Passport Number"",""Denmark Personal Identification Number"",""Estonia Passport Number"",""EU Debit Card Number"",""EU Driver's License Number"",""EU National Identification Number"",""EU Passport Number"",""EU Social Security Number (SSN) or Equivalent ID"",""EU Tax Identification Number (TIN)"",""Finland National ID"",""Finland Passport Number"",""France Driver's License Number"",""France National ID Card (CNI)"",""France Social Security Number (INSEE)"",""German Driver's License Number"",""German Passport Number"",""Germany Identity Card Number"",""Greece Driver's License Number"",""Greece National ID Card"",""Greece Passport Number"",""Hungarian Social Security Number (TAJ)"",""Hungary Passport Number"",""India Permanent Account Number (PAN)"",""India Unique Identification (Aadhaar) Number"",""Indonesia Identity Card (KTP) Number"",""International Banking Account Number (IBAN)"",""IP Address"",""Ireland Passport Number"",""Ireland Personal Public Service (PPS) Number"",""Israel Bank Account Number"",""Israel National ID"",""Italy Driver's License Number"",""Italy Passport Number"",""Japan Bank Account Number"",""Japan Driver's License Number"",""Japan Passport Number"",""Japan Resident Registration Number"",""Japan Social Insurance Number (SIN)"",""Lithuania Driver's License Number"",""Lithuania Passport Number"",""Luxemburg Passport Number"",""Malaysia Identity Card Number"",""Malta Driver's License Number"",""Malta Passport Number"",""Netherlands Driver's License Number"",""Netherlands Passport Number"",""New Zealand Ministry of Health Number"",""Norway Identity Number"",""Philippines Unified Multi-Purpose ID Number"",""Poland Identity Card"",""Romania Driver's License Number"",""Romania Passport Number"",""Russian Passport Number (Domestic)"",""Russian Passport Number (International)"",""Saudi Arabia National ID"",""Singapore National Registration Identity Card (NRIC) Number"",""Slovakia Driver's License Number"",""Slovakia Passport Number"",""Slovakia Personal Number"",""Slovenia Driver's License Number"",""Slovenia Passport Number"",""South Africa Identification Number"",""South Korea Resident Registration Number"",""Spain Social Security Number (SSN)"",""Sweden National ID"",""Sweden Passport Number"",""Sweden Tax Identification Number"",""SWIFT Code"",""Taiwan National ID"",""Taiwan Passport Number"",""Taiwan Resident Certificate (ARC/TARC)"",""U.K. Driver's License Number"",""U.K. Electoral Roll Number"",""U.K. National Health Service Number"",""U.K. National Insurance Number (NINO)"",""U.K. Unique Taxpayer Reference Number"",""U.S. / U.K. Passport Number"",""U.S. Bank Account Number"",""U.S. Individual Taxpayer Identification Number (ITIN)"",""U.S. Social Security Number (SSN)"",""Ukraine Passport Number (Domestic)"",""Ukraine Passport Number (International)""]",114,,,,,PurviewDataSensitivityLogs,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourcegroups/purview-sentinel-bug-bash/providers/microsoft.purview/accounts/sentinel-bug-bash-southeastasia -d80e74e9-da11-4572-babc-79349f7685cc,"11/1/2021, 4:16:04.390 PM",00000000-0000-0000-0000-000000000000,DataSensitivityLogEvent,72f988bf-86f1-41af-91ab-2d7cd011db47,458b9821-8f00-483f-acf9-ff6ab17332c4,Sentinel-Bug-Bash-SoutheastAsia,southeastasia,AzureBlob-eXR,AzureBlob,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourceGroups/classification-test/providers/Microsoft.Storage/storageAccounts/aipclptest,458b9821-8f00-483f-acf9-ff6ab17332c4,eastus,BugBashTest,,Acme Background Check-Katana.doc,https://aipclptest.blob.core.windows.net/satintestcontainer/test1/Acme Background Check-Katana.doc,File,"2/16/2021, 9:12:17.000 AM","2/16/2021, 9:12:17.000 AM",,"11/1/2021, 4:12:48.825 PM",doc,90624,Labeling,Default,[],0,9fbde396-1a24-4c79-8edf-9254a0f35055,Confidential\Microsoft Extended,,,PurviewDataSensitivityLogs,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourcegroups/purview-sentinel-bug-bash/providers/microsoft.purview/accounts/sentinel-bug-bash-southeastasia -d80e74e9-da11-4572-babc-79349f7685cc,"11/1/2021, 4:16:04.402 PM",00000000-0000-0000-0000-000000000000,DataSensitivityLogEvent,72f988bf-86f1-41af-91ab-2d7cd011db47,458b9821-8f00-483f-acf9-ff6ab17332c4,Sentinel-Bug-Bash-SoutheastAsia,southeastasia,AzureBlob-eXR,AzureBlob,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourceGroups/classification-test/providers/Microsoft.Storage/storageAccounts/aipclptest,458b9821-8f00-483f-acf9-ff6ab17332c4,eastus,BugBashTest,,es-ssn.docx,https://aipclptest.blob.core.windows.net/aashishr01/es-ssn.docx,File,"12/11/2020, 8:59:35.000 PM","12/11/2020, 8:59:35.000 PM",,"11/1/2021, 4:12:17.425 PM",docx,26070,Labeling,Default,[],0,9fbde396-1a24-4c79-8edf-9254a0f35055,Confidential\Microsoft Extended,,,PurviewDataSensitivityLogs,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourcegroups/purview-sentinel-bug-bash/providers/microsoft.purview/accounts/sentinel-bug-bash-southeastasia -d80e74e9-da11-4572-babc-79349f7685cc,"11/1/2021, 4:16:04.570 PM",00000000-0000-0000-0000-000000000000,DataSensitivityLogEvent,72f988bf-86f1-41af-91ab-2d7cd011db47,458b9821-8f00-483f-acf9-ff6ab17332c4,Sentinel-Bug-Bash-SoutheastAsia,southeastasia,AzureBlob-eXR,AzureBlob,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourceGroups/classification-test/providers/Microsoft.Storage/storageAccounts/aipclptest,458b9821-8f00-483f-acf9-ff6ab17332c4,eastus,BugBashTest,,Acme Background Check-Katana.doc,https://aipclptest.blob.core.windows.net/satintestcontainer/test2/Acme Background Check-Katana.doc,File,"2/16/2021, 9:34:47.000 AM","2/16/2021, 9:34:47.000 AM",,"11/1/2021, 4:12:48.591 PM",doc,90624,Labeling,Default,[],0,9fbde396-1a24-4c79-8edf-9254a0f35055,Confidential\Microsoft Extended,,,PurviewDataSensitivityLogs,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourcegroups/purview-sentinel-bug-bash/providers/microsoft.purview/accounts/sentinel-bug-bash-southeastasia -d80e74e9-da11-4572-babc-79349f7685cc,"11/1/2021, 4:16:04.864 PM",00000000-0000-0000-0000-000000000000,DataSensitivityLogEvent,72f988bf-86f1-41af-91ab-2d7cd011db47,458b9821-8f00-483f-acf9-ff6ab17332c4,Sentinel-Bug-Bash-SoutheastAsia,southeastasia,AzureBlob-eXR,AzureBlob,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourceGroups/classification-test/providers/Microsoft.Storage/storageAccounts/aipclptest,458b9821-8f00-483f-acf9-ff6ab17332c4,eastus,BugBashTest,,create samples (1).xlsx,https://aipclptest.blob.core.windows.net/test2/create samples (1).xlsx,File,"5/13/2021, 6:37:49.000 PM","5/13/2021, 6:37:49.000 PM",,"11/1/2021, 4:12:15.191 PM",xlsx,29140,Labeling,Default,[],0,9fbde396-1a24-4c79-8edf-9254a0f35055,Confidential\Microsoft Extended,,,PurviewDataSensitivityLogs,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourcegroups/purview-sentinel-bug-bash/providers/microsoft.purview/accounts/sentinel-bug-bash-southeastasia -d80e74e9-da11-4572-babc-79349f7685cc,"11/1/2021, 4:16:04.880 PM",00000000-0000-0000-0000-000000000000,DataSensitivityLogEvent,72f988bf-86f1-41af-91ab-2d7cd011db47,458b9821-8f00-483f-acf9-ff6ab17332c4,Sentinel-Bug-Bash-SoutheastAsia,southeastasia,AzureBlob-eXR,AzureBlob,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourceGroups/classification-test/providers/Microsoft.Storage/storageAccounts/aipclptest,458b9821-8f00-483f-acf9-ff6ab17332c4,eastus,BugBashTest,,es-ssn (1).docx,https://aipclptest.blob.core.windows.net/test2/es-ssn (1).docx,File,"5/13/2021, 6:37:48.000 PM","5/13/2021, 6:37:48.000 PM",,"11/1/2021, 4:12:15.003 PM",docx,26070,Labeling,Default,[],0,9fbde396-1a24-4c79-8edf-9254a0f35055,Confidential\Microsoft Extended,,,PurviewDataSensitivityLogs,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourcegroups/purview-sentinel-bug-bash/providers/microsoft.purview/accounts/sentinel-bug-bash-southeastasia -d80e74e9-da11-4572-babc-79349f7685cc,"11/1/2021, 4:16:04.888 PM",00000000-0000-0000-0000-000000000000,DataSensitivityLogEvent,72f988bf-86f1-41af-91ab-2d7cd011db47,458b9821-8f00-483f-acf9-ff6ab17332c4,Sentinel-Bug-Bash-SoutheastAsia,southeastasia,AzureBlob-eXR,AzureBlob,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourceGroups/classification-test/providers/Microsoft.Storage/storageAccounts/aipclptest,458b9821-8f00-483f-acf9-ff6ab17332c4,eastus,BugBashTest,,cz-id.docx,https://aipclptest.blob.core.windows.net/aipscan/HR/cz-id.docx,File,"2/13/2020, 7:54:12.000 PM","2/13/2020, 7:54:12.000 PM",,"11/1/2021, 4:12:23.475 PM",docx,20172,Labeling,External,[],0,f42aa342-8706-4288-bd11-ebb85995028c,General,,,PurviewDataSensitivityLogs,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourcegroups/purview-sentinel-bug-bash/providers/microsoft.purview/accounts/sentinel-bug-bash-southeastasia -d80e74e9-da11-4572-babc-79349f7685cc,"11/1/2021, 4:16:04.888 PM",00000000-0000-0000-0000-000000000000,DataSensitivityLogEvent,72f988bf-86f1-41af-91ab-2d7cd011db47,458b9821-8f00-483f-acf9-ff6ab17332c4,Sentinel-Bug-Bash-SoutheastAsia,southeastasia,AzureBlob-eXR,AzureBlob,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourceGroups/classification-test/providers/Microsoft.Storage/storageAccounts/aipclptest,458b9821-8f00-483f-acf9-ff6ab17332c4,eastus,BugBashTest,,fr-cni-pdf.pdf,https://aipclptest.blob.core.windows.net/aipscan/HR/fr-cni-pdf.pdf,File,"2/13/2020, 7:54:12.000 PM","2/13/2020, 7:54:12.000 PM",,"11/1/2021, 4:12:23.506 PM",pdf,362484,Classification,System,"[""EU National Identification Number"",""France National ID Card (CNI)""]",2,,,,,PurviewDataSensitivityLogs,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourcegroups/purview-sentinel-bug-bash/providers/microsoft.purview/accounts/sentinel-bug-bash-southeastasia -d80e74e9-da11-4572-babc-79349f7685cc,"11/1/2021, 4:16:04.888 PM",00000000-0000-0000-0000-000000000000,DataSensitivityLogEvent,72f988bf-86f1-41af-91ab-2d7cd011db47,458b9821-8f00-483f-acf9-ff6ab17332c4,Sentinel-Bug-Bash-SoutheastAsia,southeastasia,AzureBlob-eXR,AzureBlob,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourceGroups/classification-test/providers/Microsoft.Storage/storageAccounts/aipclptest,458b9821-8f00-483f-acf9-ff6ab17332c4,eastus,BugBashTest,,fr-cni-pdf.pdf,https://aipclptest.blob.core.windows.net/aipscan/HR/fr-cni-pdf.pdf,File,"2/13/2020, 7:54:12.000 PM","2/13/2020, 7:54:12.000 PM",,"11/1/2021, 4:12:23.506 PM",pdf,362484,Labeling,External,[],0,f42aa342-8706-4288-bd11-ebb85995028c,General,,,PurviewDataSensitivityLogs,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourcegroups/purview-sentinel-bug-bash/providers/microsoft.purview/accounts/sentinel-bug-bash-southeastasia -d80e74e9-da11-4572-babc-79349f7685cc,"11/1/2021, 4:16:04.889 PM",00000000-0000-0000-0000-000000000000,DataSensitivityLogEvent,72f988bf-86f1-41af-91ab-2d7cd011db47,458b9821-8f00-483f-acf9-ff6ab17332c4,Sentinel-Bug-Bash-SoutheastAsia,southeastasia,AzureBlob-eXR,AzureBlob,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourceGroups/classification-test/providers/Microsoft.Storage/storageAccounts/aipclptest,458b9821-8f00-483f-acf9-ff6ab17332c4,eastus,BugBashTest,,create samples.xlsx,https://aipclptest.blob.core.windows.net/joselw-test/create samples.xlsx,File,"8/16/2021, 8:56:14.000 PM","8/16/2021, 8:56:14.000 PM",,"11/1/2021, 4:12:27.314 PM",xlsx,21343,Classification,System,"[""ABA Routing Number"",""Argentina National Identity (DNI) Number"",""Australia Bank Account Number"",""Australia Driver's License Number"",""Australia Medical Account Number"",""Australia Passport Number"",""Australia Tax File Number"",""Austria Driver's License Number"",""Austria Passport Number"",""Belgium Driver's License Number"",""Belgium Passport Number"",""Brazil CPF Number"",""Brazil Legal Entity Number (CNPJ)"",""Brazil National ID Card (RG)"",""Bulgaria Driver's License Number"",""Bulgaria Passport Number"",""Canada Bank Account Number"",""Canada Driver's License Number"",""Canada Health Service Number"",""Canada Passport Number"",""Canada Personal Health Identification Number (PHIN)"",""Canada Social Insurance Number"",""Chile Identity Card Number"",""China Resident Identity Card (PRC) Number"",""Credit Card Number"",""Croatia Driver's License Number"",""Croatia Passport Number"",""Cyprus Driver's License Number"",""Cyprus Identity Card"",""Czech Personal Identity Number"",""Czech Republic Passport Number"",""Denmark Driver's License Number"",""Denmark Passport Number"",""Denmark Personal Identification Number"",""Estonia Passport Number"",""EU Debit Card Number"",""EU Driver's License Number"",""EU National Identification Number"",""EU Passport Number"",""EU Social Security Number (SSN) or Equivalent ID"",""EU Tax Identification Number (TIN)"",""Finland National ID"",""Finland Passport Number"",""France Driver's License Number"",""France National ID Card (CNI)"",""France Social Security Number (INSEE)"",""German Driver's License Number"",""German Passport Number"",""Germany Identity Card Number"",""Greece Driver's License Number"",""Greece National ID Card"",""Greece Passport Number"",""Hungarian Social Security Number (TAJ)"",""Hungary Passport Number"",""India Permanent Account Number (PAN)"",""India Unique Identification (Aadhaar) Number"",""Indonesia Identity Card (KTP) Number"",""International Banking Account Number (IBAN)"",""IP Address"",""Ireland Passport Number"",""Ireland Personal Public Service (PPS) Number"",""Israel Bank Account Number"",""Israel National ID"",""Italy Driver's License Number"",""Italy Passport Number"",""Japan Bank Account Number"",""Japan Driver's License Number"",""Japan Passport Number"",""Japan Resident Registration Number"",""Japan Social Insurance Number (SIN)"",""Lithuania Driver's License Number"",""Lithuania Passport Number"",""Luxemburg Passport Number"",""Malaysia Identity Card Number"",""Malta Driver's License Number"",""Malta Passport Number"",""Netherlands Driver's License Number"",""Netherlands Passport Number"",""New Zealand Ministry of Health Number"",""Norway Identity Number"",""Philippines Unified Multi-Purpose ID Number"",""Poland Identity Card"",""Romania Driver's License Number"",""Romania Passport Number"",""Russian Passport Number (Domestic)"",""Russian Passport Number (International)"",""Saudi Arabia National ID"",""Singapore National Registration Identity Card (NRIC) Number"",""Slovakia Driver's License Number"",""Slovakia Passport Number"",""Slovakia Personal Number"",""Slovenia Driver's License Number"",""Slovenia Passport Number"",""South Africa Identification Number"",""South Korea Resident Registration Number"",""Spain Social Security Number (SSN)"",""Sweden National ID"",""Sweden Passport Number"",""Sweden Tax Identification Number"",""SWIFT Code"",""Taiwan National ID"",""Taiwan Passport Number"",""Taiwan Resident Certificate (ARC/TARC)"",""U.K. Driver's License Number"",""U.K. Electoral Roll Number"",""U.K. National Health Service Number"",""U.K. National Insurance Number (NINO)"",""U.K. Unique Taxpayer Reference Number"",""U.S. / U.K. Passport Number"",""U.S. Bank Account Number"",""U.S. Individual Taxpayer Identification Number (ITIN)"",""U.S. Social Security Number (SSN)"",""Ukraine Passport Number (Domestic)"",""Ukraine Passport Number (International)""]",114,,,,,PurviewDataSensitivityLogs,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourcegroups/purview-sentinel-bug-bash/providers/microsoft.purview/accounts/sentinel-bug-bash-southeastasia -d80e74e9-da11-4572-babc-79349f7685cc,"11/1/2021, 4:16:04.889 PM",00000000-0000-0000-0000-000000000000,DataSensitivityLogEvent,72f988bf-86f1-41af-91ab-2d7cd011db47,458b9821-8f00-483f-acf9-ff6ab17332c4,Sentinel-Bug-Bash-SoutheastAsia,southeastasia,AzureBlob-eXR,AzureBlob,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourceGroups/classification-test/providers/Microsoft.Storage/storageAccounts/aipclptest,458b9821-8f00-483f-acf9-ff6ab17332c4,eastus,BugBashTest,,create samples.xlsx,https://aipclptest.blob.core.windows.net/joselw-test/create samples.xlsx,File,"8/16/2021, 8:56:14.000 PM","8/16/2021, 8:56:14.000 PM",,"11/1/2021, 4:12:27.314 PM",xlsx,21343,Labeling,External,[],0,f42aa342-8706-4288-bd11-ebb85995028c,General,,,PurviewDataSensitivityLogs,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourcegroups/purview-sentinel-bug-bash/providers/microsoft.purview/accounts/sentinel-bug-bash-southeastasia -d80e74e9-da11-4572-babc-79349f7685cc,"11/1/2021, 4:16:04.890 PM",00000000-0000-0000-0000-000000000000,DataSensitivityLogEvent,72f988bf-86f1-41af-91ab-2d7cd011db47,458b9821-8f00-483f-acf9-ff6ab17332c4,Sentinel-Bug-Bash-SoutheastAsia,southeastasia,AzureBlob-eXR,AzureBlob,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourceGroups/classification-test/providers/Microsoft.Storage/storageAccounts/aipclptest,458b9821-8f00-483f-acf9-ff6ab17332c4,eastus,BugBashTest,,cc.docx,https://aipclptest.blob.core.windows.net/aashishr01/cc.docx,File,"12/11/2020, 8:59:35.000 PM","12/11/2020, 8:59:35.000 PM",,"11/1/2021, 4:12:19.881 PM",docx,26121,Classification,System,"[""Credit Card Number"",""EU Debit Card Number""]",2,,,,,PurviewDataSensitivityLogs,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourcegroups/purview-sentinel-bug-bash/providers/microsoft.purview/accounts/sentinel-bug-bash-southeastasia -d80e74e9-da11-4572-babc-79349f7685cc,"11/1/2021, 4:16:04.896 PM",00000000-0000-0000-0000-000000000000,DataSensitivityLogEvent,72f988bf-86f1-41af-91ab-2d7cd011db47,458b9821-8f00-483f-acf9-ff6ab17332c4,Sentinel-Bug-Bash-SoutheastAsia,southeastasia,AzureBlob-eXR,AzureBlob,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourceGroups/classification-test/providers/Microsoft.Storage/storageAccounts/aipclptest,458b9821-8f00-483f-acf9-ff6ab17332c4,eastus,BugBashTest,,sw-pn.docx,https://aipclptest.blob.core.windows.net/aashishr01/sw-pn.docx,File,"12/11/2020, 8:59:35.000 PM","12/11/2020, 8:59:35.000 PM",,"11/1/2021, 4:12:19.881 PM",docx,25568,Classification,System,"[""EU Passport Number"",""Sweden Passport Number""]",2,,,,,PurviewDataSensitivityLogs,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourcegroups/purview-sentinel-bug-bash/providers/microsoft.purview/accounts/sentinel-bug-bash-southeastasia -d80e74e9-da11-4572-babc-79349f7685cc,"11/1/2021, 4:16:04.902 PM",00000000-0000-0000-0000-000000000000,DataSensitivityLogEvent,72f988bf-86f1-41af-91ab-2d7cd011db47,458b9821-8f00-483f-acf9-ff6ab17332c4,Sentinel-Bug-Bash-SoutheastAsia,southeastasia,AzureBlob-eXR,AzureBlob,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourceGroups/classification-test/providers/Microsoft.Storage/storageAccounts/aipclptest,458b9821-8f00-483f-acf9-ff6ab17332c4,eastus,BugBashTest,,denmark.txt,https://aipclptest.blob.core.windows.net/aashishr01/denmark.txt,File,"12/11/2020, 8:59:35.000 PM","12/11/2020, 8:59:35.000 PM",,"11/1/2021, 4:12:19.379 PM",txt,128,Classification,System,"[""EU National Identification Number""]",1,,,,,PurviewDataSensitivityLogs,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourcegroups/purview-sentinel-bug-bash/providers/microsoft.purview/accounts/sentinel-bug-bash-southeastasia -d80e74e9-da11-4572-babc-79349f7685cc,"11/1/2021, 4:16:04.910 PM",00000000-0000-0000-0000-000000000000,DataSensitivityLogEvent,72f988bf-86f1-41af-91ab-2d7cd011db47,458b9821-8f00-483f-acf9-ff6ab17332c4,Sentinel-Bug-Bash-SoutheastAsia,southeastasia,AzureBlob-eXR,AzureBlob,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourceGroups/classification-test/providers/Microsoft.Storage/storageAccounts/aipclptest,458b9821-8f00-483f-acf9-ff6ab17332c4,eastus,BugBashTest,,germany.txt,https://aipclptest.blob.core.windows.net/aashishr01/germany.txt,File,"12/11/2020, 8:59:33.000 PM","12/11/2020, 8:59:33.000 PM",,"11/1/2021, 4:12:19.725 PM",txt,42,Classification,System,"[""EU National Identification Number"",""EU Social Security Number (SSN) or Equivalent ID"",""Germany Identity Card Number""]",3,,,,,PurviewDataSensitivityLogs,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourcegroups/purview-sentinel-bug-bash/providers/microsoft.purview/accounts/sentinel-bug-bash-southeastasia -d80e74e9-da11-4572-babc-79349f7685cc,"11/1/2021, 4:16:04.915 PM",00000000-0000-0000-0000-000000000000,DataSensitivityLogEvent,72f988bf-86f1-41af-91ab-2d7cd011db47,458b9821-8f00-483f-acf9-ff6ab17332c4,Sentinel-Bug-Bash-SoutheastAsia,southeastasia,AzureBlob-eXR,AzureBlob,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourceGroups/classification-test/providers/Microsoft.Storage/storageAccounts/aipclptest,458b9821-8f00-483f-acf9-ff6ab17332c4,eastus,BugBashTest,,EL.txt,https://aipclptest.blob.core.windows.net/aipscan/HR/EL.txt,File,"2/13/2020, 7:54:12.000 PM","2/13/2020, 7:54:12.000 PM",,"11/1/2021, 4:12:24.084 PM",txt,200,Classification,System,"[""EU National Identification Number"",""Greece National ID Card""]",2,,,,,PurviewDataSensitivityLogs,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourcegroups/purview-sentinel-bug-bash/providers/microsoft.purview/accounts/sentinel-bug-bash-southeastasia -d80e74e9-da11-4572-babc-79349f7685cc,"11/1/2021, 4:16:04.973 PM",00000000-0000-0000-0000-000000000000,DataSensitivityLogEvent,72f988bf-86f1-41af-91ab-2d7cd011db47,458b9821-8f00-483f-acf9-ff6ab17332c4,Sentinel-Bug-Bash-SoutheastAsia,southeastasia,AzureBlob-eXR,AzureBlob,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourceGroups/classification-test/providers/Microsoft.Storage/storageAccounts/aipclptest,458b9821-8f00-483f-acf9-ff6ab17332c4,eastus,BugBashTest,,customers data.xlsx,https://aipclptest.blob.core.windows.net/aipscan/Change Test/customers data.xlsx,File,"9/1/2020, 8:58:50.000 PM","9/1/2020, 8:58:50.000 PM",,"11/1/2021, 4:12:47.544 PM",xlsx,23325,Labeling,Default,[],0,9fbde396-1a24-4c79-8edf-9254a0f35055,Confidential\Microsoft Extended,,,PurviewDataSensitivityLogs,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourcegroups/purview-sentinel-bug-bash/providers/microsoft.purview/accounts/sentinel-bug-bash-southeastasia -d80e74e9-da11-4572-babc-79349f7685cc,"11/1/2021, 4:16:05.016 PM",00000000-0000-0000-0000-000000000000,DataSensitivityLogEvent,72f988bf-86f1-41af-91ab-2d7cd011db47,458b9821-8f00-483f-acf9-ff6ab17332c4,Sentinel-Bug-Bash-SoutheastAsia,southeastasia,AzureBlob-eXR,AzureBlob,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourceGroups/classification-test/providers/Microsoft.Storage/storageAccounts/aipclptest,458b9821-8f00-483f-acf9-ff6ab17332c4,eastus,BugBashTest,,Payments.docx,https://aipclptest.blob.core.windows.net/aipscan/Finance/Payments.docx,File,"2/13/2020, 7:54:02.000 PM","2/13/2020, 7:54:02.000 PM",,"11/1/2021, 4:12:27.151 PM",docx,20166,Labeling,Default,[],0,9fbde396-1a24-4c79-8edf-9254a0f35055,Confidential\Microsoft Extended,,,PurviewDataSensitivityLogs,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourcegroups/purview-sentinel-bug-bash/providers/microsoft.purview/accounts/sentinel-bug-bash-southeastasia -d80e74e9-da11-4572-babc-79349f7685cc,"11/1/2021, 4:16:05.023 PM",00000000-0000-0000-0000-000000000000,DataSensitivityLogEvent,72f988bf-86f1-41af-91ab-2d7cd011db47,458b9821-8f00-483f-acf9-ff6ab17332c4,Sentinel-Bug-Bash-SoutheastAsia,southeastasia,AzureBlob-eXR,AzureBlob,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourceGroups/classification-test/providers/Microsoft.Storage/storageAccounts/aipclptest,458b9821-8f00-483f-acf9-ff6ab17332c4,eastus,BugBashTest,,customers data.xlsx,https://aipclptest.blob.core.windows.net/aipscan/Finance/customers data.xlsx,File,"2/13/2020, 7:54:02.000 PM","2/13/2020, 7:54:02.000 PM",,"11/1/2021, 4:12:27.323 PM",xlsx,23325,Labeling,Default,[],0,9fbde396-1a24-4c79-8edf-9254a0f35055,Confidential\Microsoft Extended,,,PurviewDataSensitivityLogs,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourcegroups/purview-sentinel-bug-bash/providers/microsoft.purview/accounts/sentinel-bug-bash-southeastasia -d80e74e9-da11-4572-babc-79349f7685cc,"11/1/2021, 4:16:05.030 PM",00000000-0000-0000-0000-000000000000,DataSensitivityLogEvent,72f988bf-86f1-41af-91ab-2d7cd011db47,458b9821-8f00-483f-acf9-ff6ab17332c4,Sentinel-Bug-Bash-SoutheastAsia,southeastasia,AzureBlob-eXR,AzureBlob,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourceGroups/classification-test/providers/Microsoft.Storage/storageAccounts/aipclptest,458b9821-8f00-483f-acf9-ff6ab17332c4,eastus,BugBashTest,,de-id.docx,https://aipclptest.blob.core.windows.net/aipscan/HR/de-id.docx,File,"2/13/2020, 7:54:12.000 PM","2/13/2020, 7:54:12.000 PM",,"11/1/2021, 4:12:24.678 PM",docx,24898,Labeling,External,[],0,f42aa342-8706-4288-bd11-ebb85995028c,General,,,PurviewDataSensitivityLogs,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourcegroups/purview-sentinel-bug-bash/providers/microsoft.purview/accounts/sentinel-bug-bash-southeastasia -d80e74e9-da11-4572-babc-79349f7685cc,"11/1/2021, 4:16:05.031 PM",00000000-0000-0000-0000-000000000000,DataSensitivityLogEvent,72f988bf-86f1-41af-91ab-2d7cd011db47,458b9821-8f00-483f-acf9-ff6ab17332c4,Sentinel-Bug-Bash-SoutheastAsia,southeastasia,AzureBlob-eXR,AzureBlob,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourceGroups/classification-test/providers/Microsoft.Storage/storageAccounts/aipclptest,458b9821-8f00-483f-acf9-ff6ab17332c4,eastus,BugBashTest,,el-id.docx,https://aipclptest.blob.core.windows.net/aipscan/HR/el-id.docx,File,"2/13/2020, 7:54:12.000 PM","2/13/2020, 7:54:12.000 PM",,"11/1/2021, 4:12:24.913 PM",docx,20229,Classification,System,"[""EU National Identification Number"",""Greece National ID Card""]",2,,,,,PurviewDataSensitivityLogs,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourcegroups/purview-sentinel-bug-bash/providers/microsoft.purview/accounts/sentinel-bug-bash-southeastasia -d80e74e9-da11-4572-babc-79349f7685cc,"11/1/2021, 4:16:05.031 PM",00000000-0000-0000-0000-000000000000,DataSensitivityLogEvent,72f988bf-86f1-41af-91ab-2d7cd011db47,458b9821-8f00-483f-acf9-ff6ab17332c4,Sentinel-Bug-Bash-SoutheastAsia,southeastasia,AzureBlob-eXR,AzureBlob,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourceGroups/classification-test/providers/Microsoft.Storage/storageAccounts/aipclptest,458b9821-8f00-483f-acf9-ff6ab17332c4,eastus,BugBashTest,,el-id.docx,https://aipclptest.blob.core.windows.net/aipscan/HR/el-id.docx,File,"2/13/2020, 7:54:12.000 PM","2/13/2020, 7:54:12.000 PM",,"11/1/2021, 4:12:24.913 PM",docx,20229,Labeling,External,[],0,f42aa342-8706-4288-bd11-ebb85995028c,General,,,PurviewDataSensitivityLogs,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourcegroups/purview-sentinel-bug-bash/providers/microsoft.purview/accounts/sentinel-bug-bash-southeastasia -d80e74e9-da11-4572-babc-79349f7685cc,"11/1/2021, 4:16:05.031 PM",00000000-0000-0000-0000-000000000000,DataSensitivityLogEvent,72f988bf-86f1-41af-91ab-2d7cd011db47,458b9821-8f00-483f-acf9-ff6ab17332c4,Sentinel-Bug-Bash-SoutheastAsia,southeastasia,AzureBlob-eXR,AzureBlob,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourceGroups/classification-test/providers/Microsoft.Storage/storageAccounts/aipclptest,458b9821-8f00-483f-acf9-ff6ab17332c4,eastus,BugBashTest,,vendors data.xlsx,https://aipclptest.blob.core.windows.net/aipscan/Finance/vendors data.xlsx,File,"2/13/2020, 7:54:02.000 PM","2/13/2020, 7:54:02.000 PM",,"11/1/2021, 4:12:26.604 PM",xlsx,23326,Labeling,Default,[],0,9fbde396-1a24-4c79-8edf-9254a0f35055,Confidential\Microsoft Extended,,,PurviewDataSensitivityLogs,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourcegroups/purview-sentinel-bug-bash/providers/microsoft.purview/accounts/sentinel-bug-bash-southeastasia -d80e74e9-da11-4572-babc-79349f7685cc,"11/1/2021, 4:16:05.048 PM",00000000-0000-0000-0000-000000000000,DataSensitivityLogEvent,72f988bf-86f1-41af-91ab-2d7cd011db47,458b9821-8f00-483f-acf9-ff6ab17332c4,Sentinel-Bug-Bash-SoutheastAsia,southeastasia,AzureBlob-eXR,AzureBlob,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourceGroups/classification-test/providers/Microsoft.Storage/storageAccounts/aipclptest,458b9821-8f00-483f-acf9-ff6ab17332c4,eastus,BugBashTest,,ir-pps.docx,https://aipclptest.blob.core.windows.net/aipscan/HR/ir-pps.docx,File,"2/13/2020, 7:54:12.000 PM","2/13/2020, 7:54:12.000 PM",,"11/1/2021, 4:12:24.194 PM",docx,20027,Labeling,External,[],0,f42aa342-8706-4288-bd11-ebb85995028c,General,,,PurviewDataSensitivityLogs,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourcegroups/purview-sentinel-bug-bash/providers/microsoft.purview/accounts/sentinel-bug-bash-southeastasia -d80e74e9-da11-4572-babc-79349f7685cc,"11/1/2021, 4:16:05.049 PM",00000000-0000-0000-0000-000000000000,DataSensitivityLogEvent,72f988bf-86f1-41af-91ab-2d7cd011db47,458b9821-8f00-483f-acf9-ff6ab17332c4,Sentinel-Bug-Bash-SoutheastAsia,southeastasia,AzureBlob-eXR,AzureBlob,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourceGroups/classification-test/providers/Microsoft.Storage/storageAccounts/aipclptest,458b9821-8f00-483f-acf9-ff6ab17332c4,eastus,BugBashTest,,create samples.xlsx,https://aipclptest.blob.core.windows.net/aipscan/HR/create samples.xlsx,File,"2/13/2020, 7:54:12.000 PM","2/13/2020, 7:54:12.000 PM",,"11/1/2021, 4:12:24.975 PM",xlsx,23208,Classification,System,"[""ABA Routing Number"",""Argentina National Identity (DNI) Number"",""Australia Bank Account Number"",""Australia Driver's License Number"",""Australia Medical Account Number"",""Australia Passport Number"",""Australia Tax File Number"",""Austria Driver's License Number"",""Austria Passport Number"",""Belgium Driver's License Number"",""Belgium Passport Number"",""Brazil CPF Number"",""Brazil Legal Entity Number (CNPJ)"",""Brazil National ID Card (RG)"",""Bulgaria Driver's License Number"",""Bulgaria Passport Number"",""Canada Bank Account Number"",""Canada Driver's License Number"",""Canada Health Service Number"",""Canada Passport Number"",""Canada Personal Health Identification Number (PHIN)"",""Canada Social Insurance Number"",""Chile Identity Card Number"",""China Resident Identity Card (PRC) Number"",""Credit Card Number"",""Croatia Driver's License Number"",""Croatia Passport Number"",""Cyprus Driver's License Number"",""Cyprus Identity Card"",""Czech Personal Identity Number"",""Czech Republic Passport Number"",""Denmark Driver's License Number"",""Denmark Passport Number"",""Denmark Personal Identification Number"",""Estonia Passport Number"",""EU Debit Card Number"",""EU Driver's License Number"",""EU National Identification Number"",""EU Passport Number"",""EU Social Security Number (SSN) or Equivalent ID"",""EU Tax Identification Number (TIN)"",""Finland National ID"",""Finland Passport Number"",""France Driver's License Number"",""France National ID Card (CNI)"",""France Social Security Number (INSEE)"",""German Driver's License Number"",""German Passport Number"",""Germany Identity Card Number"",""Greece Driver's License Number"",""Greece National ID Card"",""Greece Passport Number"",""Hungarian Social Security Number (TAJ)"",""Hungary Passport Number"",""India Permanent Account Number (PAN)"",""India Unique Identification (Aadhaar) Number"",""Indonesia Identity Card (KTP) Number"",""International Banking Account Number (IBAN)"",""IP Address"",""Ireland Passport Number"",""Ireland Personal Public Service (PPS) Number"",""Israel Bank Account Number"",""Israel National ID"",""Italy Driver's License Number"",""Italy Passport Number"",""Japan Bank Account Number"",""Japan Driver's License Number"",""Japan Passport Number"",""Japan Resident Registration Number"",""Japan Social Insurance Number (SIN)"",""Lithuania Driver's License Number"",""Lithuania Passport Number"",""Luxemburg Passport Number"",""Malaysia Identity Card Number"",""Malta Driver's License Number"",""Malta Passport Number"",""Netherlands Driver's License Number"",""Netherlands Passport Number"",""New Zealand Ministry of Health Number"",""Norway Identity Number"",""Philippines Unified Multi-Purpose ID Number"",""Poland Identity Card"",""Romania Driver's License Number"",""Romania Passport Number"",""Russian Passport Number (Domestic)"",""Russian Passport Number (International)"",""Saudi Arabia National ID"",""Singapore National Registration Identity Card (NRIC) Number"",""Slovakia Driver's License Number"",""Slovakia Passport Number"",""Slovakia Personal Number"",""Slovenia Driver's License Number"",""Slovenia Passport Number"",""South Africa Identification Number"",""South Korea Resident Registration Number"",""Spain Social Security Number (SSN)"",""Sweden National ID"",""Sweden Passport Number"",""Sweden Tax Identification Number"",""SWIFT Code"",""Taiwan National ID"",""Taiwan Passport Number"",""Taiwan Resident Certificate (ARC/TARC)"",""U.K. Driver's License Number"",""U.K. Electoral Roll Number"",""U.K. National Health Service Number"",""U.K. National Insurance Number (NINO)"",""U.K. Unique Taxpayer Reference Number"",""U.S. / U.K. Passport Number"",""U.S. Bank Account Number"",""U.S. Individual Taxpayer Identification Number (ITIN)"",""U.S. Social Security Number (SSN)"",""Ukraine Passport Number (Domestic)"",""Ukraine Passport Number (International)""]",114,,,,,PurviewDataSensitivityLogs,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourcegroups/purview-sentinel-bug-bash/providers/microsoft.purview/accounts/sentinel-bug-bash-southeastasia -d80e74e9-da11-4572-babc-79349f7685cc,"11/1/2021, 4:16:05.049 PM",00000000-0000-0000-0000-000000000000,DataSensitivityLogEvent,72f988bf-86f1-41af-91ab-2d7cd011db47,458b9821-8f00-483f-acf9-ff6ab17332c4,Sentinel-Bug-Bash-SoutheastAsia,southeastasia,AzureBlob-eXR,AzureBlob,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourceGroups/classification-test/providers/Microsoft.Storage/storageAccounts/aipclptest,458b9821-8f00-483f-acf9-ff6ab17332c4,eastus,BugBashTest,,create samples.xlsx,https://aipclptest.blob.core.windows.net/aipscan/HR/create samples.xlsx,File,"2/13/2020, 7:54:12.000 PM","2/13/2020, 7:54:12.000 PM",,"11/1/2021, 4:12:24.975 PM",xlsx,23208,Labeling,External,[],0,f42aa342-8706-4288-bd11-ebb85995028c,General,,,PurviewDataSensitivityLogs,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourcegroups/purview-sentinel-bug-bash/providers/microsoft.purview/accounts/sentinel-bug-bash-southeastasia -d80e74e9-da11-4572-babc-79349f7685cc,"11/1/2021, 4:16:05.137 PM",00000000-0000-0000-0000-000000000000,DataSensitivityLogEvent,72f988bf-86f1-41af-91ab-2d7cd011db47,458b9821-8f00-483f-acf9-ff6ab17332c4,Sentinel-Bug-Bash-SoutheastAsia,southeastasia,AzureBlob-eXR,AzureBlob,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourceGroups/classification-test/providers/Microsoft.Storage/storageAccounts/aipclptest,458b9821-8f00-483f-acf9-ff6ab17332c4,eastus,BugBashTest,,Travel Authorization Form_MY_101706-Katana.doc,https://aipclptest.blob.core.windows.net/aipscan/CredScan/Travel Authorization Form_MY_101706-Katana.doc,File,"2/13/2020, 7:53:39.000 PM","2/13/2020, 7:53:39.000 PM",,"11/1/2021, 4:12:30.813 PM",doc,40960,Labeling,Default,[],0,9fbde396-1a24-4c79-8edf-9254a0f35055,Confidential\Microsoft Extended,,,PurviewDataSensitivityLogs,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourcegroups/purview-sentinel-bug-bash/providers/microsoft.purview/accounts/sentinel-bug-bash-southeastasia -d80e74e9-da11-4572-babc-79349f7685cc,"11/1/2021, 4:16:05.227 PM",00000000-0000-0000-0000-000000000000,DataSensitivityLogEvent,72f988bf-86f1-41af-91ab-2d7cd011db47,458b9821-8f00-483f-acf9-ff6ab17332c4,Sentinel-Bug-Bash-SoutheastAsia,southeastasia,AzureBlob-eXR,AzureBlob,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourceGroups/classification-test/providers/Microsoft.Storage/storageAccounts/aipclptest,458b9821-8f00-483f-acf9-ff6ab17332c4,eastus,BugBashTest,,fr-insee.docx,https://aipclptest.blob.core.windows.net/aashishr01/fr-insee.docx,File,"12/11/2020, 8:59:33.000 PM","12/11/2020, 8:59:33.000 PM",,"11/1/2021, 4:12:21.069 PM",docx,26254,Labeling,Default,[],0,9fbde396-1a24-4c79-8edf-9254a0f35055,Confidential\Microsoft Extended,,,PurviewDataSensitivityLogs,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourcegroups/purview-sentinel-bug-bash/providers/microsoft.purview/accounts/sentinel-bug-bash-southeastasia -d80e74e9-da11-4572-babc-79349f7685cc,"11/1/2021, 4:16:05.270 PM",00000000-0000-0000-0000-000000000000,DataSensitivityLogEvent,72f988bf-86f1-41af-91ab-2d7cd011db47,458b9821-8f00-483f-acf9-ff6ab17332c4,Sentinel-Bug-Bash-SoutheastAsia,southeastasia,AzureBlob-eXR,AzureBlob,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourceGroups/classification-test/providers/Microsoft.Storage/storageAccounts/aipclptest,458b9821-8f00-483f-acf9-ff6ab17332c4,eastus,BugBashTest,,create samples.xlsx,https://aipclptest.blob.core.windows.net/aashishr01/create samples.xlsx,File,"12/11/2020, 8:59:35.000 PM","12/11/2020, 8:59:35.000 PM",,"11/1/2021, 4:12:21.209 PM",xlsx,29140,Labeling,Default,[],0,9fbde396-1a24-4c79-8edf-9254a0f35055,Confidential\Microsoft Extended,,,PurviewDataSensitivityLogs,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourcegroups/purview-sentinel-bug-bash/providers/microsoft.purview/accounts/sentinel-bug-bash-southeastasia -d80e74e9-da11-4572-babc-79349f7685cc,"11/1/2021, 4:16:05.302 PM",00000000-0000-0000-0000-000000000000,DataSensitivityLogEvent,72f988bf-86f1-41af-91ab-2d7cd011db47,458b9821-8f00-483f-acf9-ff6ab17332c4,Sentinel-Bug-Bash-SoutheastAsia,southeastasia,AzureBlob-eXR,AzureBlob,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourceGroups/classification-test/providers/Microsoft.Storage/storageAccounts/aipclptest,458b9821-8f00-483f-acf9-ff6ab17332c4,eastus,BugBashTest,,Acme Direct Deposit Form-Katana.xls,https://aipclptest.blob.core.windows.net/aipscan/CredScan/Acme Direct Deposit Form-Katana.xls,File,"2/13/2020, 7:53:39.000 PM","2/13/2020, 7:53:39.000 PM",,"11/1/2021, 4:12:29.854 PM",xls,119808,Labeling,Default,[],0,9fbde396-1a24-4c79-8edf-9254a0f35055,Confidential\Microsoft Extended,,,PurviewDataSensitivityLogs,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourcegroups/purview-sentinel-bug-bash/providers/microsoft.purview/accounts/sentinel-bug-bash-southeastasia -d80e74e9-da11-4572-babc-79349f7685cc,"11/1/2021, 4:16:05.427 PM",00000000-0000-0000-0000-000000000000,DataSensitivityLogEvent,72f988bf-86f1-41af-91ab-2d7cd011db47,458b9821-8f00-483f-acf9-ff6ab17332c4,Sentinel-Bug-Bash-SoutheastAsia,southeastasia,AzureBlob-eXR,AzureBlob,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourceGroups/classification-test/providers/Microsoft.Storage/storageAccounts/aipclptest,458b9821-8f00-483f-acf9-ff6ab17332c4,eastus,BugBashTest,,Acme Request for Time Off.doc,https://aipclptest.blob.core.windows.net/aipscan/CredScan/Acme Request for Time Off.doc,File,"2/13/2020, 7:53:39.000 PM","2/13/2020, 7:53:39.000 PM",,"11/1/2021, 4:12:29.542 PM",doc,40960,Labeling,Default,[],0,9fbde396-1a24-4c79-8edf-9254a0f35055,Confidential\Microsoft Extended,,,PurviewDataSensitivityLogs,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourcegroups/purview-sentinel-bug-bash/providers/microsoft.purview/accounts/sentinel-bug-bash-southeastasia -d80e74e9-da11-4572-babc-79349f7685cc,"11/1/2021, 4:16:05.805 PM",00000000-0000-0000-0000-000000000000,DataSensitivityLogEvent,72f988bf-86f1-41af-91ab-2d7cd011db47,458b9821-8f00-483f-acf9-ff6ab17332c4,Sentinel-Bug-Bash-SoutheastAsia,southeastasia,AzureBlob-eXR,AzureBlob,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourceGroups/classification-test/providers/Microsoft.Storage/storageAccounts/aipclptest,458b9821-8f00-483f-acf9-ff6ab17332c4,eastus,BugBashTest,,cc.docx,https://aipclptest.blob.core.windows.net/aashishr01/cc.docx,File,"12/11/2020, 8:59:35.000 PM","12/11/2020, 8:59:35.000 PM",,"11/1/2021, 4:12:19.881 PM",docx,26121,Labeling,Default,[],0,9fbde396-1a24-4c79-8edf-9254a0f35055,Confidential\Microsoft Extended,,,PurviewDataSensitivityLogs,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourcegroups/purview-sentinel-bug-bash/providers/microsoft.purview/accounts/sentinel-bug-bash-southeastasia -d80e74e9-da11-4572-babc-79349f7685cc,"11/1/2021, 4:16:05.827 PM",00000000-0000-0000-0000-000000000000,DataSensitivityLogEvent,72f988bf-86f1-41af-91ab-2d7cd011db47,458b9821-8f00-483f-acf9-ff6ab17332c4,Sentinel-Bug-Bash-SoutheastAsia,southeastasia,AzureBlob-eXR,AzureBlob,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourceGroups/classification-test/providers/Microsoft.Storage/storageAccounts/aipclptest,458b9821-8f00-483f-acf9-ff6ab17332c4,eastus,BugBashTest,,germany.txt,https://aipclptest.blob.core.windows.net/aashishr01/germany.txt,File,"12/11/2020, 8:59:33.000 PM","12/11/2020, 8:59:33.000 PM",,"11/1/2021, 4:12:19.725 PM",txt,42,Labeling,Default,[],0,9fbde396-1a24-4c79-8edf-9254a0f35055,Confidential\Microsoft Extended,,,PurviewDataSensitivityLogs,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourcegroups/purview-sentinel-bug-bash/providers/microsoft.purview/accounts/sentinel-bug-bash-southeastasia -d80e74e9-da11-4572-babc-79349f7685cc,"11/1/2021, 4:16:05.857 PM",00000000-0000-0000-0000-000000000000,DataSensitivityLogEvent,72f988bf-86f1-41af-91ab-2d7cd011db47,458b9821-8f00-483f-acf9-ff6ab17332c4,Sentinel-Bug-Bash-SoutheastAsia,southeastasia,AzureBlob-eXR,AzureBlob,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourceGroups/classification-test/providers/Microsoft.Storage/storageAccounts/aipclptest,458b9821-8f00-483f-acf9-ff6ab17332c4,eastus,BugBashTest,,sw-pn.docx,https://aipclptest.blob.core.windows.net/aashishr01/sw-pn.docx,File,"12/11/2020, 8:59:35.000 PM","12/11/2020, 8:59:35.000 PM",,"11/1/2021, 4:12:19.881 PM",docx,25568,Labeling,Default,[],0,9fbde396-1a24-4c79-8edf-9254a0f35055,Confidential\Microsoft Extended,,,PurviewDataSensitivityLogs,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourcegroups/purview-sentinel-bug-bash/providers/microsoft.purview/accounts/sentinel-bug-bash-southeastasia -d80e74e9-da11-4572-babc-79349f7685cc,"11/1/2021, 4:16:05.885 PM",00000000-0000-0000-0000-000000000000,DataSensitivityLogEvent,72f988bf-86f1-41af-91ab-2d7cd011db47,458b9821-8f00-483f-acf9-ff6ab17332c4,Sentinel-Bug-Bash-SoutheastAsia,southeastasia,AzureBlob-eXR,AzureBlob,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourceGroups/classification-test/providers/Microsoft.Storage/storageAccounts/aipclptest,458b9821-8f00-483f-acf9-ff6ab17332c4,eastus,BugBashTest,,denmark.txt,https://aipclptest.blob.core.windows.net/aashishr01/denmark.txt,File,"12/11/2020, 8:59:35.000 PM","12/11/2020, 8:59:35.000 PM",,"11/1/2021, 4:12:19.379 PM",txt,128,Labeling,Default,[],0,9fbde396-1a24-4c79-8edf-9254a0f35055,Confidential\Microsoft Extended,,,PurviewDataSensitivityLogs,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourcegroups/purview-sentinel-bug-bash/providers/microsoft.purview/accounts/sentinel-bug-bash-southeastasia -d80e74e9-da11-4572-babc-79349f7685cc,"11/1/2021, 4:16:06.095 PM",00000000-0000-0000-0000-000000000000,DataSensitivityLogEvent,72f988bf-86f1-41af-91ab-2d7cd011db47,458b9821-8f00-483f-acf9-ff6ab17332c4,Sentinel-Bug-Bash-SoutheastAsia,southeastasia,AzureBlob-eXR,AzureBlob,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourceGroups/classification-test/providers/Microsoft.Storage/storageAccounts/aipclptest,458b9821-8f00-483f-acf9-ff6ab17332c4,eastus,BugBashTest,,customers data v2.xlsx,https://aipclptest.blob.core.windows.net/aipscan/Finance/customers data v2.xlsx,File,"2/13/2020, 7:54:02.000 PM","2/13/2020, 7:54:02.000 PM",,"11/1/2021, 4:12:28.542 PM",xlsx,23326,Labeling,Default,[],0,9fbde396-1a24-4c79-8edf-9254a0f35055,Confidential\Microsoft Extended,,,PurviewDataSensitivityLogs,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourcegroups/purview-sentinel-bug-bash/providers/microsoft.purview/accounts/sentinel-bug-bash-southeastasia -d80e74e9-da11-4572-babc-79349f7685cc,"11/1/2021, 4:16:06.825 PM",00000000-0000-0000-0000-000000000000,DataSensitivityLogEvent,72f988bf-86f1-41af-91ab-2d7cd011db47,458b9821-8f00-483f-acf9-ff6ab17332c4,Sentinel-Bug-Bash-SoutheastAsia,southeastasia,AzureBlob-eXR,AzureBlob,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourceGroups/classification-test/providers/Microsoft.Storage/storageAccounts/aipclptest,458b9821-8f00-483f-acf9-ff6ab17332c4,eastus,BugBashTest,,EL.txt,https://aipclptest.blob.core.windows.net/aipscan/HR/EL.txt,File,"2/13/2020, 7:54:12.000 PM","2/13/2020, 7:54:12.000 PM",,"11/1/2021, 4:12:24.084 PM",txt,200,Labeling,Default,[],0,9fbde396-1a24-4c79-8edf-9254a0f35055,Confidential\Microsoft Extended,,,PurviewDataSensitivityLogs,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourcegroups/purview-sentinel-bug-bash/providers/microsoft.purview/accounts/sentinel-bug-bash-southeastasia -d80e74e9-da11-4572-babc-79349f7685cc,"11/1/2021, 4:16:41.763 PM",00000000-0000-0000-0000-000000000000,DataSensitivityLogEvent,72f988bf-86f1-41af-91ab-2d7cd011db47,458b9821-8f00-483f-acf9-ff6ab17332c4,Sentinel-Bug-Bash-SoutheastAsia,southeastasia,AzureDataLakeStore-3Hc,AzureDataLakeGen1,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourceGroups/classification-test/providers/Microsoft.DataLakeStore/accounts/aipclptest2,458b9821-8f00-483f-acf9-ff6ab17332c4,eastus2,BugBashTest,,Acme Background Check-Katana.doc,adl://aipclptest2.azuredatalakestore.net/Acme Background Check-Katana.doc,File,,"7/8/2020, 9:25:44.000 PM",,"11/1/2021, 4:12:53.781 PM",doc,95232,Classification,System,"[""Credit Card Number"",""U.S. Social Security Number (SSN)""]",2,,,,,PurviewDataSensitivityLogs,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourcegroups/purview-sentinel-bug-bash/providers/microsoft.purview/accounts/sentinel-bug-bash-southeastasia -d80e74e9-da11-4572-babc-79349f7685cc,"11/1/2021, 4:16:43.197 PM",00000000-0000-0000-0000-000000000000,DataSensitivityLogEvent,72f988bf-86f1-41af-91ab-2d7cd011db47,458b9821-8f00-483f-acf9-ff6ab17332c4,Sentinel-Bug-Bash-SoutheastAsia,southeastasia,AzureDataLakeStore-3Hc,AzureDataLakeGen1,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourceGroups/classification-test/providers/Microsoft.DataLakeStore/accounts/aipclptest2,458b9821-8f00-483f-acf9-ff6ab17332c4,eastus2,BugBashTest,,Acme Background Check-Katana.doc,adl://aipclptest2.azuredatalakestore.net/Acme Background Check-Katana.doc,File,,"7/8/2020, 9:25:44.000 PM",,"11/1/2021, 4:12:53.781 PM",doc,95232,Labeling,Default,[],0,9fbde396-1a24-4c79-8edf-9254a0f35055,Confidential\Microsoft Extended,,,PurviewDataSensitivityLogs,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourcegroups/purview-sentinel-bug-bash/providers/microsoft.purview/accounts/sentinel-bug-bash-southeastasia -d80e74e9-da11-4572-babc-79349f7685cc,"11/1/2021, 4:18:01.056 PM",00000000-0000-0000-0000-000000000000,DataSensitivityLogEvent,72f988bf-86f1-41af-91ab-2d7cd011db47,458b9821-8f00-483f-acf9-ff6ab17332c4,Sentinel-Bug-Bash-SoutheastAsia,southeastasia,CosmosDB-PXO,AzureCosmosDb,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourceGroups/classification-test/providers/Microsoft.DocumentDB/databaseAccounts/classification-test,458b9821-8f00-483f-acf9-ff6ab17332c4,eastus,BugBashTest,,featurecontrol,https://classification-test.documents.azure.com/dbs/database/colls/featurecontrol,Generic,,,,"11/1/2021, 4:15:05.304 PM",,0,Classification,System,[],0,,,,,PurviewDataSensitivityLogs,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourcegroups/purview-sentinel-bug-bash/providers/microsoft.purview/accounts/sentinel-bug-bash-southeastasia -d80e74e9-da11-4572-babc-79349f7685cc,"11/1/2021, 4:18:01.056 PM",00000000-0000-0000-0000-000000000000,DataSensitivityLogEvent,72f988bf-86f1-41af-91ab-2d7cd011db47,458b9821-8f00-483f-acf9-ff6ab17332c4,Sentinel-Bug-Bash-SoutheastAsia,southeastasia,CosmosDB-PXO,AzureCosmosDb,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourceGroups/classification-test/providers/Microsoft.DocumentDB/databaseAccounts/classification-test,458b9821-8f00-483f-acf9-ff6ab17332c4,eastus,BugBashTest,,featurecontrol,https://classification-test.documents.azure.com/dbs/database/colls/featurecontrol,Generic,,,,"11/1/2021, 4:15:05.304 PM",,0,Labeling,System,[],0,,,,,PurviewDataSensitivityLogs,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourcegroups/purview-sentinel-bug-bash/providers/microsoft.purview/accounts/sentinel-bug-bash-southeastasia -d80e74e9-da11-4572-babc-79349f7685cc,"11/1/2021, 4:18:01.057 PM",00000000-0000-0000-0000-000000000000,DataSensitivityLogEvent,72f988bf-86f1-41af-91ab-2d7cd011db47,458b9821-8f00-483f-acf9-ff6ab17332c4,Sentinel-Bug-Bash-SoutheastAsia,southeastasia,CosmosDB-PXO,AzureCosmosDb,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourceGroups/classification-test/providers/Microsoft.DocumentDB/databaseAccounts/classification-test,458b9821-8f00-483f-acf9-ff6ab17332c4,eastus,BugBashTest,,test-retry-2a727772-c6a7-4d93-8c48-3690b390ab6c,https://classification-test.documents.azure.com/dbs/database/colls/test-retry-2a727772-c6a7-4d93-8c48-3690b390ab6c,Generic,,,,"11/1/2021, 4:15:05.288 PM",,0,Classification,System,[],0,,,,,PurviewDataSensitivityLogs,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourcegroups/purview-sentinel-bug-bash/providers/microsoft.purview/accounts/sentinel-bug-bash-southeastasia -d80e74e9-da11-4572-babc-79349f7685cc,"11/1/2021, 4:18:01.057 PM",00000000-0000-0000-0000-000000000000,DataSensitivityLogEvent,72f988bf-86f1-41af-91ab-2d7cd011db47,458b9821-8f00-483f-acf9-ff6ab17332c4,Sentinel-Bug-Bash-SoutheastAsia,southeastasia,CosmosDB-PXO,AzureCosmosDb,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourceGroups/classification-test/providers/Microsoft.DocumentDB/databaseAccounts/classification-test,458b9821-8f00-483f-acf9-ff6ab17332c4,eastus,BugBashTest,,test-retry-2a727772-c6a7-4d93-8c48-3690b390ab6c,https://classification-test.documents.azure.com/dbs/database/colls/test-retry-2a727772-c6a7-4d93-8c48-3690b390ab6c,Generic,,,,"11/1/2021, 4:15:05.288 PM",,0,Labeling,System,[],0,,,,,PurviewDataSensitivityLogs,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourcegroups/purview-sentinel-bug-bash/providers/microsoft.purview/accounts/sentinel-bug-bash-southeastasia -d80e74e9-da11-4572-babc-79349f7685cc,"11/1/2021, 4:18:01.057 PM",00000000-0000-0000-0000-000000000000,DataSensitivityLogEvent,72f988bf-86f1-41af-91ab-2d7cd011db47,458b9821-8f00-483f-acf9-ff6ab17332c4,Sentinel-Bug-Bash-SoutheastAsia,southeastasia,CosmosDB-PXO,AzureCosmosDb,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourceGroups/classification-test/providers/Microsoft.DocumentDB/databaseAccounts/classification-test,458b9821-8f00-483f-acf9-ff6ab17332c4,eastus,BugBashTest,,test-retry-c53010a4-8ba3-48b9-81aa-0ab701b70c4d,https://classification-test.documents.azure.com/dbs/database/colls/test-retry-c53010a4-8ba3-48b9-81aa-0ab701b70c4d,Generic,,,,"11/1/2021, 4:15:05.272 PM",,0,Classification,System,[],0,,,,,PurviewDataSensitivityLogs,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourcegroups/purview-sentinel-bug-bash/providers/microsoft.purview/accounts/sentinel-bug-bash-southeastasia -d80e74e9-da11-4572-babc-79349f7685cc,"11/1/2021, 4:18:01.057 PM",00000000-0000-0000-0000-000000000000,DataSensitivityLogEvent,72f988bf-86f1-41af-91ab-2d7cd011db47,458b9821-8f00-483f-acf9-ff6ab17332c4,Sentinel-Bug-Bash-SoutheastAsia,southeastasia,CosmosDB-PXO,AzureCosmosDb,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourceGroups/classification-test/providers/Microsoft.DocumentDB/databaseAccounts/classification-test,458b9821-8f00-483f-acf9-ff6ab17332c4,eastus,BugBashTest,,test-retry-c53010a4-8ba3-48b9-81aa-0ab701b70c4d,https://classification-test.documents.azure.com/dbs/database/colls/test-retry-c53010a4-8ba3-48b9-81aa-0ab701b70c4d,Generic,,,,"11/1/2021, 4:15:05.272 PM",,0,Labeling,System,[],0,,,,,PurviewDataSensitivityLogs,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourcegroups/purview-sentinel-bug-bash/providers/microsoft.purview/accounts/sentinel-bug-bash-southeastasia -d80e74e9-da11-4572-babc-79349f7685cc,"11/1/2021, 4:18:01.057 PM",00000000-0000-0000-0000-000000000000,DataSensitivityLogEvent,72f988bf-86f1-41af-91ab-2d7cd011db47,458b9821-8f00-483f-acf9-ff6ab17332c4,Sentinel-Bug-Bash-SoutheastAsia,southeastasia,CosmosDB-PXO,AzureCosmosDb,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourceGroups/classification-test/providers/Microsoft.DocumentDB/databaseAccounts/classification-test,458b9821-8f00-483f-acf9-ff6ab17332c4,eastus,BugBashTest,,featureWhitelist,https://classification-test.documents.azure.com/dbs/database/colls/featureWhitelist,Generic,,,,"11/1/2021, 4:15:05.304 PM",,0,Classification,System,[],0,,,,,PurviewDataSensitivityLogs,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourcegroups/purview-sentinel-bug-bash/providers/microsoft.purview/accounts/sentinel-bug-bash-southeastasia -d80e74e9-da11-4572-babc-79349f7685cc,"11/1/2021, 4:18:01.057 PM",00000000-0000-0000-0000-000000000000,DataSensitivityLogEvent,72f988bf-86f1-41af-91ab-2d7cd011db47,458b9821-8f00-483f-acf9-ff6ab17332c4,Sentinel-Bug-Bash-SoutheastAsia,southeastasia,CosmosDB-PXO,AzureCosmosDb,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourceGroups/classification-test/providers/Microsoft.DocumentDB/databaseAccounts/classification-test,458b9821-8f00-483f-acf9-ff6ab17332c4,eastus,BugBashTest,,featureWhitelist,https://classification-test.documents.azure.com/dbs/database/colls/featureWhitelist,Generic,,,,"11/1/2021, 4:15:05.304 PM",,0,Labeling,System,[],0,,,,,PurviewDataSensitivityLogs,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourcegroups/purview-sentinel-bug-bash/providers/microsoft.purview/accounts/sentinel-bug-bash-southeastasia -d80e74e9-da11-4572-babc-79349f7685cc,"11/1/2021, 4:18:01.058 PM",00000000-0000-0000-0000-000000000000,DataSensitivityLogEvent,72f988bf-86f1-41af-91ab-2d7cd011db47,458b9821-8f00-483f-acf9-ff6ab17332c4,Sentinel-Bug-Bash-SoutheastAsia,southeastasia,CosmosDB-PXO,AzureCosmosDb,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourceGroups/classification-test/providers/Microsoft.DocumentDB/databaseAccounts/classification-test,458b9821-8f00-483f-acf9-ff6ab17332c4,eastus,BugBashTest,,test-retry-0e73693e-826b-449b-9407-33b3254fcf6f,https://classification-test.documents.azure.com/dbs/database/colls/test-retry-0e73693e-826b-449b-9407-33b3254fcf6f,Generic,,,,"11/1/2021, 4:15:05.304 PM",,0,Classification,System,[],0,,,,,PurviewDataSensitivityLogs,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourcegroups/purview-sentinel-bug-bash/providers/microsoft.purview/accounts/sentinel-bug-bash-southeastasia -d80e74e9-da11-4572-babc-79349f7685cc,"11/1/2021, 4:18:01.058 PM",00000000-0000-0000-0000-000000000000,DataSensitivityLogEvent,72f988bf-86f1-41af-91ab-2d7cd011db47,458b9821-8f00-483f-acf9-ff6ab17332c4,Sentinel-Bug-Bash-SoutheastAsia,southeastasia,CosmosDB-PXO,AzureCosmosDb,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourceGroups/classification-test/providers/Microsoft.DocumentDB/databaseAccounts/classification-test,458b9821-8f00-483f-acf9-ff6ab17332c4,eastus,BugBashTest,,test-retry-0e73693e-826b-449b-9407-33b3254fcf6f,https://classification-test.documents.azure.com/dbs/database/colls/test-retry-0e73693e-826b-449b-9407-33b3254fcf6f,Generic,,,,"11/1/2021, 4:15:05.304 PM",,0,Labeling,System,[],0,,,,,PurviewDataSensitivityLogs,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourcegroups/purview-sentinel-bug-bash/providers/microsoft.purview/accounts/sentinel-bug-bash-southeastasia -d80e74e9-da11-4572-babc-79349f7685cc,"11/1/2021, 4:19:19.234 PM",00000000-0000-0000-0000-000000000000,DataSensitivityLogEvent,72f988bf-86f1-41af-91ab-2d7cd011db47,458b9821-8f00-483f-acf9-ff6ab17332c4,Sentinel-Bug-Bash-EastUS2,eastus2,AzureDataLakeStore-ICo,AzureDataLakeGen1,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourceGroups/classification-test/providers/Microsoft.DataLakeStore/accounts/aipclptest2,458b9821-8f00-483f-acf9-ff6ab17332c4,eastus2,BugBashTest,,Acme Background Check-Katana.doc,adl://aipclptest2.azuredatalakestore.net/Acme Background Check-Katana.doc,File,,"7/8/2020, 9:25:44.000 PM",,"11/1/2021, 4:15:41.189 PM",doc,95232,Classification,System,"[""Credit Card Number"",""U.S. Social Security Number (SSN)""]",2,,,,,PurviewDataSensitivityLogs,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourcegroups/purview-sentinel-bug-bash/providers/microsoft.purview/accounts/sentinel-bug-bash-eastus2 -d80e74e9-da11-4572-babc-79349f7685cc,"11/1/2021, 4:19:19.912 PM",00000000-0000-0000-0000-000000000000,DataSensitivityLogEvent,72f988bf-86f1-41af-91ab-2d7cd011db47,458b9821-8f00-483f-acf9-ff6ab17332c4,Sentinel-Bug-Bash-EastUS2,eastus2,AzureDataLakeStore-ICo,AzureDataLakeGen1,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourceGroups/classification-test/providers/Microsoft.DataLakeStore/accounts/aipclptest2,458b9821-8f00-483f-acf9-ff6ab17332c4,eastus2,BugBashTest,,Acme Background Check-Katana.doc,adl://aipclptest2.azuredatalakestore.net/Acme Background Check-Katana.doc,File,,"7/8/2020, 9:25:44.000 PM",,"11/1/2021, 4:15:41.189 PM",doc,95232,Labeling,Default,[],0,9fbde396-1a24-4c79-8edf-9254a0f35055,Confidential\Microsoft Extended,,,PurviewDataSensitivityLogs,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourcegroups/purview-sentinel-bug-bash/providers/microsoft.purview/accounts/sentinel-bug-bash-eastus2 -d80e74e9-da11-4572-babc-79349f7685cc,"11/1/2021, 4:21:22.850 PM",00000000-0000-0000-0000-000000000000,DataSensitivityLogEvent,72f988bf-86f1-41af-91ab-2d7cd011db47,458b9821-8f00-483f-acf9-ff6ab17332c4,Sentinel-Bug-Bash-WestEurope,westeurope,AzureDataLakeStorage-oVg,AzureDataLakeGen2,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourceGroups/classification-test/providers/Microsoft.Storage/storageAccounts/aipclptestadlsgen2,458b9821-8f00-483f-acf9-ff6ab17332c4,eastus,BugBashTest,,Acme Background Check-Katana.doc,https://aipclptestadlsgen2.dfs.core.windows.net/testcontainer/aipclptest/anotherDirectory/Acme Background Check-Katana.doc,File,,"7/21/2020, 6:58:10.000 PM",$superuser,"11/1/2021, 4:18:36.935 PM",doc,95232,Classification,System,"[""Credit Card Number"",""U.S. Social Security Number (SSN)""]",2,,,,,PurviewDataSensitivityLogs,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourcegroups/purview-sentinel-bug-bash/providers/microsoft.purview/accounts/sentinel-bug-bash-westeurope -d80e74e9-da11-4572-babc-79349f7685cc,"11/1/2021, 4:21:23.856 PM",00000000-0000-0000-0000-000000000000,DataSensitivityLogEvent,72f988bf-86f1-41af-91ab-2d7cd011db47,458b9821-8f00-483f-acf9-ff6ab17332c4,Sentinel-Bug-Bash-WestEurope,westeurope,AzureDataLakeStorage-oVg,AzureDataLakeGen2,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourceGroups/classification-test/providers/Microsoft.Storage/storageAccounts/aipclptestadlsgen2,458b9821-8f00-483f-acf9-ff6ab17332c4,eastus,BugBashTest,,Acme Background Check-Katana.doc,https://aipclptestadlsgen2.dfs.core.windows.net/testcontainer/aipclptest/anotherDirectory/Acme Background Check-Katana.doc,File,,"7/21/2020, 6:58:10.000 PM",$superuser,"11/1/2021, 4:18:36.935 PM",doc,95232,Labeling,Default,[],0,9fbde396-1a24-4c79-8edf-9254a0f35055,Confidential\Microsoft Extended,,,PurviewDataSensitivityLogs,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourcegroups/purview-sentinel-bug-bash/providers/microsoft.purview/accounts/sentinel-bug-bash-westeurope -d80e74e9-da11-4572-babc-79349f7685cc,"11/1/2021, 4:27:23.875 PM",00000000-0000-0000-0000-000000000000,DataSensitivityLogEvent,72f988bf-86f1-41af-91ab-2d7cd011db47,458b9821-8f00-483f-acf9-ff6ab17332c4,Sentinel-Bug-Bash-WestEurope,westeurope,AmazonAccount-gq6,AmazonS3,arn:aws:s3:us-east-2:911296716343:finance-department,9.11297E+11,US East (Ohio),sentinel-bug-bash-westeurope,,Jon Smith's Sales Team.xlsx,s3://finance-department/Jon Smith's Sales Team.xlsx,File,,"2/2/2021, 12:23:27.000 PM",,"11/1/2021, 4:23:55.530 PM",xlsx,10909,Classification,System,[],0,,,,,PurviewDataSensitivityLogs,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourcegroups/purview-sentinel-bug-bash/providers/microsoft.purview/accounts/sentinel-bug-bash-westeurope -d80e74e9-da11-4572-babc-79349f7685cc,"11/1/2021, 4:27:24.312 PM",00000000-0000-0000-0000-000000000000,DataSensitivityLogEvent,72f988bf-86f1-41af-91ab-2d7cd011db47,458b9821-8f00-483f-acf9-ff6ab17332c4,Sentinel-Bug-Bash-WestEurope,westeurope,AmazonAccount-gq6,AmazonS3,arn:aws:s3:us-east-2:911296716343:finance-department,9.11297E+11,US East (Ohio),sentinel-bug-bash-westeurope,,List of US East accounts.docx,s3://finance-department/List of US East accounts.docx,File,,"2/2/2021, 12:17:00.000 PM",,"11/1/2021, 4:23:35.522 PM",docx,19599,Classification,System,"[""Credit Card Number"",""EU Debit Card Number""]",2,,,,,PurviewDataSensitivityLogs,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourcegroups/purview-sentinel-bug-bash/providers/microsoft.purview/accounts/sentinel-bug-bash-westeurope -d80e74e9-da11-4572-babc-79349f7685cc,"11/1/2021, 4:27:24.318 PM",00000000-0000-0000-0000-000000000000,DataSensitivityLogEvent,72f988bf-86f1-41af-91ab-2d7cd011db47,458b9821-8f00-483f-acf9-ff6ab17332c4,Sentinel-Bug-Bash-WestEurope,westeurope,AmazonAccount-gq6,AmazonS3,arn:aws:s3:us-east-2:911296716343:finance-department,9.11297E+11,US East (Ohio),sentinel-bug-bash-westeurope,,Australia project bank accounts.csv,s3://finance-department/Australia project bank accounts.csv,File,,"2/2/2021, 12:16:59.000 PM",,"11/1/2021, 4:23:35.417 PM",csv,1195,Classification,System,"[""Australia Bank Account Number"",""Person's Name""]",2,,,,,PurviewDataSensitivityLogs,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourcegroups/purview-sentinel-bug-bash/providers/microsoft.purview/accounts/sentinel-bug-bash-westeurope -d80e74e9-da11-4572-babc-79349f7685cc,"11/1/2021, 4:27:24.875 PM",00000000-0000-0000-0000-000000000000,DataSensitivityLogEvent,72f988bf-86f1-41af-91ab-2d7cd011db47,458b9821-8f00-483f-acf9-ff6ab17332c4,Sentinel-Bug-Bash-WestEurope,westeurope,AmazonAccount-gq6,AmazonS3,arn:aws:s3:us-east-2:911296716343:finance-department,9.11297E+11,US East (Ohio),sentinel-bug-bash-westeurope,,Jon Smith's Sales Team.xlsx,s3://finance-department/Jon Smith's Sales Team.xlsx,File,,"2/2/2021, 12:23:27.000 PM",,"11/1/2021, 4:23:55.530 PM",xlsx,10909,Labeling,Default,[],0,9fbde396-1a24-4c79-8edf-9254a0f35055,Confidential\Microsoft Extended,,,PurviewDataSensitivityLogs,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourcegroups/purview-sentinel-bug-bash/providers/microsoft.purview/accounts/sentinel-bug-bash-westeurope -d80e74e9-da11-4572-babc-79349f7685cc,"11/1/2021, 4:27:24.876 PM",00000000-0000-0000-0000-000000000000,DataSensitivityLogEvent,72f988bf-86f1-41af-91ab-2d7cd011db47,458b9821-8f00-483f-acf9-ff6ab17332c4,Sentinel-Bug-Bash-WestEurope,westeurope,AmazonAccount-gq6,AmazonS3,arn:aws:s3:us-east-2:911296716343:finance-department,9.11297E+11,US East (Ohio),sentinel-bug-bash-westeurope,,Sales Force Expense Cards.xlsx,s3://finance-department/Sales Force Expense Cards.xlsx,File,,"2/2/2021, 12:23:28.000 PM",,"11/1/2021, 4:23:36.099 PM",xlsx,15834,Classification,System,"[""Credit Card Number"",""EU Debit Card Number""]",2,,,,,PurviewDataSensitivityLogs,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourcegroups/purview-sentinel-bug-bash/providers/microsoft.purview/accounts/sentinel-bug-bash-westeurope -d80e74e9-da11-4572-babc-79349f7685cc,"11/1/2021, 4:27:24.882 PM",00000000-0000-0000-0000-000000000000,DataSensitivityLogEvent,72f988bf-86f1-41af-91ab-2d7cd011db47,458b9821-8f00-483f-acf9-ff6ab17332c4,Sentinel-Bug-Bash-WestEurope,westeurope,AmazonAccount-gq6,AmazonS3,arn:aws:s3:us-east-2:911296716343:finance-department,9.11297E+11,US East (Ohio),sentinel-bug-bash-westeurope,,January Sales Orders.xlsx,s3://finance-department/January Sales Orders.xlsx,File,,"2/2/2021, 12:23:27.000 PM",,"11/1/2021, 4:23:55.447 PM",xlsx,148219,Classification,System,"[""U.S. Social Security Number (SSN)""]",1,,,,,PurviewDataSensitivityLogs,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourcegroups/purview-sentinel-bug-bash/providers/microsoft.purview/accounts/sentinel-bug-bash-westeurope -d80e74e9-da11-4572-babc-79349f7685cc,"11/1/2021, 4:27:24.887 PM",00000000-0000-0000-0000-000000000000,DataSensitivityLogEvent,72f988bf-86f1-41af-91ab-2d7cd011db47,458b9821-8f00-483f-acf9-ff6ab17332c4,Sentinel-Bug-Bash-WestEurope,westeurope,AmazonAccount-gq6,AmazonS3,arn:aws:s3:us-east-2:911296716343:finance-department,9.11297E+11,US East (Ohio),sentinel-bug-bash-westeurope,,EU Frankfurt receipt.txt,s3://finance-department/EU Frankfurt receipt.txt,File,,"2/2/2021, 11:41:39.000 AM",,"11/1/2021, 4:23:34.396 PM",txt,42,Classification,System,"[""EU National Identification Number"",""EU Social Security Number (SSN) or Equivalent ID"",""Germany Identity Card Number""]",3,,,,,PurviewDataSensitivityLogs,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourcegroups/purview-sentinel-bug-bash/providers/microsoft.purview/accounts/sentinel-bug-bash-westeurope -d80e74e9-da11-4572-babc-79349f7685cc,"11/1/2021, 4:27:24.894 PM",00000000-0000-0000-0000-000000000000,DataSensitivityLogEvent,72f988bf-86f1-41af-91ab-2d7cd011db47,458b9821-8f00-483f-acf9-ff6ab17332c4,Sentinel-Bug-Bash-WestEurope,westeurope,AmazonAccount-gq6,AmazonS3,arn:aws:s3:us-east-2:911296716343:finance-department,9.11297E+11,US East (Ohio),sentinel-bug-bash-westeurope,,2017 Expense Records.xlsx,s3://finance-department/2017 Expense Records.xlsx,File,,"2/2/2021, 12:23:25.000 PM",,"11/1/2021, 4:23:35.943 PM",xlsx,57644,Classification,System,"[""Credit Card Number"",""EU Debit Card Number""]",2,,,,,PurviewDataSensitivityLogs,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourcegroups/purview-sentinel-bug-bash/providers/microsoft.purview/accounts/sentinel-bug-bash-westeurope -d80e74e9-da11-4572-babc-79349f7685cc,"11/1/2021, 4:27:25.281 PM",00000000-0000-0000-0000-000000000000,DataSensitivityLogEvent,72f988bf-86f1-41af-91ab-2d7cd011db47,458b9821-8f00-483f-acf9-ff6ab17332c4,Sentinel-Bug-Bash-WestEurope,westeurope,AmazonAccount-gq6,AmazonS3,arn:aws:s3:us-east-2:911296716343:finance-department,9.11297E+11,US East (Ohio),sentinel-bug-bash-westeurope,,Australia project bank accounts.csv,s3://finance-department/Australia project bank accounts.csv,File,,"2/2/2021, 12:16:59.000 PM",,"11/1/2021, 4:23:35.417 PM",csv,1195,Labeling,Default,[],0,9fbde396-1a24-4c79-8edf-9254a0f35055,Confidential\Microsoft Extended,,,PurviewDataSensitivityLogs,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourcegroups/purview-sentinel-bug-bash/providers/microsoft.purview/accounts/sentinel-bug-bash-westeurope -d80e74e9-da11-4572-babc-79349f7685cc,"11/1/2021, 4:27:25.296 PM",00000000-0000-0000-0000-000000000000,DataSensitivityLogEvent,72f988bf-86f1-41af-91ab-2d7cd011db47,458b9821-8f00-483f-acf9-ff6ab17332c4,Sentinel-Bug-Bash-WestEurope,westeurope,AmazonAccount-gq6,AmazonS3,arn:aws:s3:us-east-2:911296716343:finance-department,9.11297E+11,US East (Ohio),sentinel-bug-bash-westeurope,,List of US East accounts.docx,s3://finance-department/List of US East accounts.docx,File,,"2/2/2021, 12:17:00.000 PM",,"11/1/2021, 4:23:35.522 PM",docx,19599,Labeling,Default,[],0,9fbde396-1a24-4c79-8edf-9254a0f35055,Confidential\Microsoft Extended,,,PurviewDataSensitivityLogs,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourcegroups/purview-sentinel-bug-bash/providers/microsoft.purview/accounts/sentinel-bug-bash-westeurope -d80e74e9-da11-4572-babc-79349f7685cc,"11/1/2021, 4:27:25.563 PM",00000000-0000-0000-0000-000000000000,DataSensitivityLogEvent,72f988bf-86f1-41af-91ab-2d7cd011db47,458b9821-8f00-483f-acf9-ff6ab17332c4,Sentinel-Bug-Bash-WestEurope,westeurope,AmazonAccount-gq6,AmazonS3,arn:aws:s3:us-east-2:911296716343:finance-department,9.11297E+11,US East (Ohio),sentinel-bug-bash-westeurope,,January Sales Orders.xlsx,s3://finance-department/January Sales Orders.xlsx,File,,"2/2/2021, 12:23:27.000 PM",,"11/1/2021, 4:23:55.447 PM",xlsx,148219,Labeling,Default,[],0,9fbde396-1a24-4c79-8edf-9254a0f35055,Confidential\Microsoft Extended,,,PurviewDataSensitivityLogs,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourcegroups/purview-sentinel-bug-bash/providers/microsoft.purview/accounts/sentinel-bug-bash-westeurope -d80e74e9-da11-4572-babc-79349f7685cc,"11/1/2021, 4:27:25.820 PM",00000000-0000-0000-0000-000000000000,DataSensitivityLogEvent,72f988bf-86f1-41af-91ab-2d7cd011db47,458b9821-8f00-483f-acf9-ff6ab17332c4,Sentinel-Bug-Bash-WestEurope,westeurope,AmazonAccount-gq6,AmazonS3,arn:aws:s3:us-east-2:911296716343:finance-department,9.11297E+11,US East (Ohio),sentinel-bug-bash-westeurope,,Sales Force Expense Cards.xlsx,s3://finance-department/Sales Force Expense Cards.xlsx,File,,"2/2/2021, 12:23:28.000 PM",,"11/1/2021, 4:23:36.099 PM",xlsx,15834,Labeling,Automatic,[],0,9fbde396-1a24-4c79-8edf-9254a0f35055,Confidential\Microsoft Extended,,,PurviewDataSensitivityLogs,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourcegroups/purview-sentinel-bug-bash/providers/microsoft.purview/accounts/sentinel-bug-bash-westeurope -d80e74e9-da11-4572-babc-79349f7685cc,"11/1/2021, 4:27:25.838 PM",00000000-0000-0000-0000-000000000000,DataSensitivityLogEvent,72f988bf-86f1-41af-91ab-2d7cd011db47,458b9821-8f00-483f-acf9-ff6ab17332c4,Sentinel-Bug-Bash-WestEurope,westeurope,AmazonAccount-gq6,AmazonS3,arn:aws:s3:us-east-2:911296716343:finance-department,9.11297E+11,US East (Ohio),sentinel-bug-bash-westeurope,,EU Frankfurt receipt.txt,s3://finance-department/EU Frankfurt receipt.txt,File,,"2/2/2021, 11:41:39.000 AM",,"11/1/2021, 4:23:34.396 PM",txt,42,Labeling,Default,[],0,9fbde396-1a24-4c79-8edf-9254a0f35055,Confidential\Microsoft Extended,,,PurviewDataSensitivityLogs,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourcegroups/purview-sentinel-bug-bash/providers/microsoft.purview/accounts/sentinel-bug-bash-westeurope -d80e74e9-da11-4572-babc-79349f7685cc,"11/1/2021, 4:27:26.297 PM",00000000-0000-0000-0000-000000000000,DataSensitivityLogEvent,72f988bf-86f1-41af-91ab-2d7cd011db47,458b9821-8f00-483f-acf9-ff6ab17332c4,Sentinel-Bug-Bash-WestEurope,westeurope,AmazonAccount-gq6,AmazonS3,arn:aws:s3:us-east-2:911296716343:finance-department,9.11297E+11,US East (Ohio),sentinel-bug-bash-westeurope,,2017 Expense Records.xlsx,s3://finance-department/2017 Expense Records.xlsx,File,,"2/2/2021, 12:23:25.000 PM",,"11/1/2021, 4:23:35.943 PM",xlsx,57644,Labeling,Automatic,[],0,9fbde396-1a24-4c79-8edf-9254a0f35055,Confidential\Microsoft Extended,,,PurviewDataSensitivityLogs,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourcegroups/purview-sentinel-bug-bash/providers/microsoft.purview/accounts/sentinel-bug-bash-westeurope -d80e74e9-da11-4572-babc-79349f7685cc,"11/1/2021, 4:30:08.556 PM",00000000-0000-0000-0000-000000000000,DataSensitivityLogEvent,72f988bf-86f1-41af-91ab-2d7cd011db47,458b9821-8f00-483f-acf9-ff6ab17332c4,Sentinel-Bug-Bash-WestEurope,westeurope,AmazonAccount-gq6,AmazonS3,arn:aws:s3:us-east-2:911296716343:finance-department,9.11297E+11,US East (Ohio),sentinel-bug-bash-westeurope,,Alice Stevens Sales Team Cards.xlsx,s3://finance-department/Alice Stevens Sales Team Cards.xlsx,File,,"2/2/2021, 12:23:26.000 PM",,"11/1/2021, 4:23:34.312 PM",xlsx,11446,Classification,System,"[""Credit Card Number""]",1,,,,,PurviewDataSensitivityLogs,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourcegroups/purview-sentinel-bug-bash/providers/microsoft.purview/accounts/sentinel-bug-bash-westeurope -d80e74e9-da11-4572-babc-79349f7685cc,"11/1/2021, 4:30:08.562 PM",00000000-0000-0000-0000-000000000000,DataSensitivityLogEvent,72f988bf-86f1-41af-91ab-2d7cd011db47,458b9821-8f00-483f-acf9-ff6ab17332c4,Sentinel-Bug-Bash-WestEurope,westeurope,AmazonAccount-gq6,AmazonS3,arn:aws:s3:us-east-2:911296716343:finance-department,9.11297E+11,US East (Ohio),sentinel-bug-bash-westeurope,,User Accounts.docx,s3://finance-department/User Accounts.docx,File,,"2/2/2021, 12:16:58.000 PM",,"11/1/2021, 4:23:54.249 PM",docx,19548,Classification,System,[],0,,,,,PurviewDataSensitivityLogs,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourcegroups/purview-sentinel-bug-bash/providers/microsoft.purview/accounts/sentinel-bug-bash-westeurope -d80e74e9-da11-4572-babc-79349f7685cc,"11/1/2021, 4:30:09.513 PM",00000000-0000-0000-0000-000000000000,DataSensitivityLogEvent,72f988bf-86f1-41af-91ab-2d7cd011db47,458b9821-8f00-483f-acf9-ff6ab17332c4,Sentinel-Bug-Bash-WestEurope,westeurope,AmazonAccount-gq6,AmazonS3,arn:aws:s3:us-east-2:911296716343:finance-department,9.11297E+11,US East (Ohio),sentinel-bug-bash-westeurope,,User Accounts.docx,s3://finance-department/User Accounts.docx,File,,"2/2/2021, 12:16:58.000 PM",,"11/1/2021, 4:23:54.249 PM",docx,19548,Labeling,Default,[],0,9fbde396-1a24-4c79-8edf-9254a0f35055,Confidential\Microsoft Extended,,,PurviewDataSensitivityLogs,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourcegroups/purview-sentinel-bug-bash/providers/microsoft.purview/accounts/sentinel-bug-bash-westeurope -d80e74e9-da11-4572-babc-79349f7685cc,"11/1/2021, 4:30:09.539 PM",00000000-0000-0000-0000-000000000000,DataSensitivityLogEvent,72f988bf-86f1-41af-91ab-2d7cd011db47,458b9821-8f00-483f-acf9-ff6ab17332c4,Sentinel-Bug-Bash-WestEurope,westeurope,AmazonAccount-gq6,AmazonS3,arn:aws:s3:us-east-2:911296716343:finance-department,9.11297E+11,US East (Ohio),sentinel-bug-bash-westeurope,,Alice Stevens Sales Team Cards.xlsx,s3://finance-department/Alice Stevens Sales Team Cards.xlsx,File,,"2/2/2021, 12:23:26.000 PM",,"11/1/2021, 4:23:34.312 PM",xlsx,11446,Labeling,Default,[],0,9fbde396-1a24-4c79-8edf-9254a0f35055,Confidential\Microsoft Extended,,,PurviewDataSensitivityLogs,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourcegroups/purview-sentinel-bug-bash/providers/microsoft.purview/accounts/sentinel-bug-bash-westeurope -d80e74e9-da11-4572-babc-79349f7685cc,"11/1/2021, 4:34:54.105 PM",00000000-0000-0000-0000-000000000000,DataSensitivityLogEvent,72f988bf-86f1-41af-91ab-2d7cd011db47,458b9821-8f00-483f-acf9-ff6ab17332c4,Sentinel-Bug-Bash-WestEurope,westeurope,AmazonAccount-gq6,AmazonS3,arn:aws:s3:us-east-2:911296716343:operations-department,9.11297E+11,US East (Ohio),sentinel-bug-bash-westeurope,,Users.csv,s3://operations-department/Users.csv,File,,"10/28/2021, 7:31:59.000 AM",,"11/1/2021, 4:31:40.011 PM",csv,444,Classification,System,"[""Credit Card Number"",""Email Address"",""EU Debit Card Number"",""Person's Name""]",4,,,,,PurviewDataSensitivityLogs,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourcegroups/purview-sentinel-bug-bash/providers/microsoft.purview/accounts/sentinel-bug-bash-westeurope -d80e74e9-da11-4572-babc-79349f7685cc,"11/1/2021, 4:34:55.154 PM",00000000-0000-0000-0000-000000000000,DataSensitivityLogEvent,72f988bf-86f1-41af-91ab-2d7cd011db47,458b9821-8f00-483f-acf9-ff6ab17332c4,Sentinel-Bug-Bash-WestEurope,westeurope,AmazonAccount-gq6,AmazonS3,arn:aws:s3:us-east-2:911296716343:operations-department,9.11297E+11,US East (Ohio),sentinel-bug-bash-westeurope,,Users.csv,s3://operations-department/Users.csv,File,,"10/28/2021, 7:31:59.000 AM",,"11/1/2021, 4:31:40.011 PM",csv,444,Labeling,Default,[],0,9fbde396-1a24-4c79-8edf-9254a0f35055,Confidential\Microsoft Extended,,,PurviewDataSensitivityLogs,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourcegroups/purview-sentinel-bug-bash/providers/microsoft.purview/accounts/sentinel-bug-bash-westeurope -d80e74e9-da11-4572-babc-79349f7685cc,"11/1/2021, 4:35:31.841 PM",00000000-0000-0000-0000-000000000000,DataSensitivityLogEvent,72f988bf-86f1-41af-91ab-2d7cd011db47,458b9821-8f00-483f-acf9-ff6ab17332c4,Sentinel-Bug-Bash-WestEurope,westeurope,CosmosDB-sO2,AzureCosmosDb,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourceGroups/classification-test/providers/Microsoft.DocumentDB/databaseAccounts/classification-test,458b9821-8f00-483f-acf9-ff6ab17332c4,eastus,BugBashTest,,featureWhitelist,https://classification-test.documents.azure.com/dbs/database/colls/featureWhitelist,Generic,,,,"11/1/2021, 4:32:24.880 PM",,0,Classification,System,[],0,,,,,PurviewDataSensitivityLogs,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourcegroups/purview-sentinel-bug-bash/providers/microsoft.purview/accounts/sentinel-bug-bash-westeurope -d80e74e9-da11-4572-babc-79349f7685cc,"11/1/2021, 4:35:31.841 PM",00000000-0000-0000-0000-000000000000,DataSensitivityLogEvent,72f988bf-86f1-41af-91ab-2d7cd011db47,458b9821-8f00-483f-acf9-ff6ab17332c4,Sentinel-Bug-Bash-WestEurope,westeurope,CosmosDB-sO2,AzureCosmosDb,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourceGroups/classification-test/providers/Microsoft.DocumentDB/databaseAccounts/classification-test,458b9821-8f00-483f-acf9-ff6ab17332c4,eastus,BugBashTest,,featureWhitelist,https://classification-test.documents.azure.com/dbs/database/colls/featureWhitelist,Generic,,,,"11/1/2021, 4:32:24.880 PM",,0,Labeling,System,[],0,,,,,PurviewDataSensitivityLogs,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourcegroups/purview-sentinel-bug-bash/providers/microsoft.purview/accounts/sentinel-bug-bash-westeurope -d80e74e9-da11-4572-babc-79349f7685cc,"11/1/2021, 4:35:31.841 PM",00000000-0000-0000-0000-000000000000,DataSensitivityLogEvent,72f988bf-86f1-41af-91ab-2d7cd011db47,458b9821-8f00-483f-acf9-ff6ab17332c4,Sentinel-Bug-Bash-WestEurope,westeurope,CosmosDB-sO2,AzureCosmosDb,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourceGroups/classification-test/providers/Microsoft.DocumentDB/databaseAccounts/classification-test,458b9821-8f00-483f-acf9-ff6ab17332c4,eastus,BugBashTest,,test-retry-0e73693e-826b-449b-9407-33b3254fcf6f,https://classification-test.documents.azure.com/dbs/database/colls/test-retry-0e73693e-826b-449b-9407-33b3254fcf6f,Generic,,,,"11/1/2021, 4:32:25.146 PM",,0,Classification,System,[],0,,,,,PurviewDataSensitivityLogs,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourcegroups/purview-sentinel-bug-bash/providers/microsoft.purview/accounts/sentinel-bug-bash-westeurope -d80e74e9-da11-4572-babc-79349f7685cc,"11/1/2021, 4:35:31.841 PM",00000000-0000-0000-0000-000000000000,DataSensitivityLogEvent,72f988bf-86f1-41af-91ab-2d7cd011db47,458b9821-8f00-483f-acf9-ff6ab17332c4,Sentinel-Bug-Bash-WestEurope,westeurope,CosmosDB-sO2,AzureCosmosDb,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourceGroups/classification-test/providers/Microsoft.DocumentDB/databaseAccounts/classification-test,458b9821-8f00-483f-acf9-ff6ab17332c4,eastus,BugBashTest,,test-retry-0e73693e-826b-449b-9407-33b3254fcf6f,https://classification-test.documents.azure.com/dbs/database/colls/test-retry-0e73693e-826b-449b-9407-33b3254fcf6f,Generic,,,,"11/1/2021, 4:32:25.146 PM",,0,Labeling,System,[],0,,,,,PurviewDataSensitivityLogs,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourcegroups/purview-sentinel-bug-bash/providers/microsoft.purview/accounts/sentinel-bug-bash-westeurope -d80e74e9-da11-4572-babc-79349f7685cc,"11/1/2021, 4:35:31.842 PM",00000000-0000-0000-0000-000000000000,DataSensitivityLogEvent,72f988bf-86f1-41af-91ab-2d7cd011db47,458b9821-8f00-483f-acf9-ff6ab17332c4,Sentinel-Bug-Bash-WestEurope,westeurope,CosmosDB-sO2,AzureCosmosDb,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourceGroups/classification-test/providers/Microsoft.DocumentDB/databaseAccounts/classification-test,458b9821-8f00-483f-acf9-ff6ab17332c4,eastus,BugBashTest,,featurecontrol,https://classification-test.documents.azure.com/dbs/database/colls/featurecontrol,Generic,,,,"11/1/2021, 4:32:25.161 PM",,0,Classification,System,[],0,,,,,PurviewDataSensitivityLogs,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourcegroups/purview-sentinel-bug-bash/providers/microsoft.purview/accounts/sentinel-bug-bash-westeurope -d80e74e9-da11-4572-babc-79349f7685cc,"11/1/2021, 4:35:31.842 PM",00000000-0000-0000-0000-000000000000,DataSensitivityLogEvent,72f988bf-86f1-41af-91ab-2d7cd011db47,458b9821-8f00-483f-acf9-ff6ab17332c4,Sentinel-Bug-Bash-WestEurope,westeurope,CosmosDB-sO2,AzureCosmosDb,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourceGroups/classification-test/providers/Microsoft.DocumentDB/databaseAccounts/classification-test,458b9821-8f00-483f-acf9-ff6ab17332c4,eastus,BugBashTest,,featurecontrol,https://classification-test.documents.azure.com/dbs/database/colls/featurecontrol,Generic,,,,"11/1/2021, 4:32:25.161 PM",,0,Labeling,System,[],0,,,,,PurviewDataSensitivityLogs,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourcegroups/purview-sentinel-bug-bash/providers/microsoft.purview/accounts/sentinel-bug-bash-westeurope -d80e74e9-da11-4572-babc-79349f7685cc,"11/1/2021, 4:35:31.842 PM",00000000-0000-0000-0000-000000000000,DataSensitivityLogEvent,72f988bf-86f1-41af-91ab-2d7cd011db47,458b9821-8f00-483f-acf9-ff6ab17332c4,Sentinel-Bug-Bash-WestEurope,westeurope,CosmosDB-sO2,AzureCosmosDb,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourceGroups/classification-test/providers/Microsoft.DocumentDB/databaseAccounts/classification-test,458b9821-8f00-483f-acf9-ff6ab17332c4,eastus,BugBashTest,,test-retry-2a727772-c6a7-4d93-8c48-3690b390ab6c,https://classification-test.documents.azure.com/dbs/database/colls/test-retry-2a727772-c6a7-4d93-8c48-3690b390ab6c,Generic,,,,"11/1/2021, 4:32:25.161 PM",,0,Classification,System,[],0,,,,,PurviewDataSensitivityLogs,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourcegroups/purview-sentinel-bug-bash/providers/microsoft.purview/accounts/sentinel-bug-bash-westeurope -d80e74e9-da11-4572-babc-79349f7685cc,"11/1/2021, 4:35:31.842 PM",00000000-0000-0000-0000-000000000000,DataSensitivityLogEvent,72f988bf-86f1-41af-91ab-2d7cd011db47,458b9821-8f00-483f-acf9-ff6ab17332c4,Sentinel-Bug-Bash-WestEurope,westeurope,CosmosDB-sO2,AzureCosmosDb,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourceGroups/classification-test/providers/Microsoft.DocumentDB/databaseAccounts/classification-test,458b9821-8f00-483f-acf9-ff6ab17332c4,eastus,BugBashTest,,test-retry-2a727772-c6a7-4d93-8c48-3690b390ab6c,https://classification-test.documents.azure.com/dbs/database/colls/test-retry-2a727772-c6a7-4d93-8c48-3690b390ab6c,Generic,,,,"11/1/2021, 4:32:25.161 PM",,0,Labeling,System,[],0,,,,,PurviewDataSensitivityLogs,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourcegroups/purview-sentinel-bug-bash/providers/microsoft.purview/accounts/sentinel-bug-bash-westeurope -d80e74e9-da11-4572-babc-79349f7685cc,"11/1/2021, 4:35:31.842 PM",00000000-0000-0000-0000-000000000000,DataSensitivityLogEvent,72f988bf-86f1-41af-91ab-2d7cd011db47,458b9821-8f00-483f-acf9-ff6ab17332c4,Sentinel-Bug-Bash-WestEurope,westeurope,CosmosDB-sO2,AzureCosmosDb,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourceGroups/classification-test/providers/Microsoft.DocumentDB/databaseAccounts/classification-test,458b9821-8f00-483f-acf9-ff6ab17332c4,eastus,BugBashTest,,test-retry-c53010a4-8ba3-48b9-81aa-0ab701b70c4d,https://classification-test.documents.azure.com/dbs/database/colls/test-retry-c53010a4-8ba3-48b9-81aa-0ab701b70c4d,Generic,,,,"11/1/2021, 4:32:25.161 PM",,0,Classification,System,[],0,,,,,PurviewDataSensitivityLogs,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourcegroups/purview-sentinel-bug-bash/providers/microsoft.purview/accounts/sentinel-bug-bash-westeurope -d80e74e9-da11-4572-babc-79349f7685cc,"11/1/2021, 4:35:31.842 PM",00000000-0000-0000-0000-000000000000,DataSensitivityLogEvent,72f988bf-86f1-41af-91ab-2d7cd011db47,458b9821-8f00-483f-acf9-ff6ab17332c4,Sentinel-Bug-Bash-WestEurope,westeurope,CosmosDB-sO2,AzureCosmosDb,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourceGroups/classification-test/providers/Microsoft.DocumentDB/databaseAccounts/classification-test,458b9821-8f00-483f-acf9-ff6ab17332c4,eastus,BugBashTest,,test-retry-c53010a4-8ba3-48b9-81aa-0ab701b70c4d,https://classification-test.documents.azure.com/dbs/database/colls/test-retry-c53010a4-8ba3-48b9-81aa-0ab701b70c4d,Generic,,,,"11/1/2021, 4:32:25.161 PM",,0,Labeling,System,[],0,,,,,PurviewDataSensitivityLogs,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourcegroups/purview-sentinel-bug-bash/providers/microsoft.purview/accounts/sentinel-bug-bash-westeurope -d80e74e9-da11-4572-babc-79349f7685cc,"11/1/2021, 4:37:17.859 PM",00000000-0000-0000-0000-000000000000,DataSensitivityLogEvent,72f988bf-86f1-41af-91ab-2d7cd011db47,458b9821-8f00-483f-acf9-ff6ab17332c4,Sentinel-Bug-Bash-WestEurope,westeurope,AmazonAccount-gq6,AmazonS3,arn:aws:s3:us-east-2:911296716343:sales-departments,9.11297E+11,US East (Ohio),sentinel-bug-bash-westeurope,,Customers' applications.docx,s3://sales-departments/Customers' applications.docx,File,,"2/2/2021, 11:42:12.000 AM",,"11/1/2021, 4:33:58.106 PM",docx,19576,Classification,System,"[""Denmark Personal Identification Number"",""EU National Identification Number"",""EU Social Security Number (SSN) or Equivalent ID"",""EU Tax Identification Number (TIN)""]",4,,,,,PurviewDataSensitivityLogs,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourcegroups/purview-sentinel-bug-bash/providers/microsoft.purview/accounts/sentinel-bug-bash-westeurope -d80e74e9-da11-4572-babc-79349f7685cc,"11/1/2021, 4:37:17.865 PM",00000000-0000-0000-0000-000000000000,DataSensitivityLogEvent,72f988bf-86f1-41af-91ab-2d7cd011db47,458b9821-8f00-483f-acf9-ff6ab17332c4,Sentinel-Bug-Bash-WestEurope,westeurope,AmazonAccount-gq6,AmazonS3,arn:aws:s3:us-east-2:911296716343:sales-departments,9.11297E+11,US East (Ohio),sentinel-bug-bash-westeurope,,Contoso Purchasing Permissions - Q3.docx,s3://sales-departments/Contoso Purchasing Permissions - Q3.docx,File,,"2/2/2021, 12:19:58.000 PM",,"11/1/2021, 4:33:36.843 PM",docx,31671,Classification,System,"[""Credit Card Number"",""EU Debit Card Number"",""U.S. Bank Account Number""]",3,,,,,PurviewDataSensitivityLogs,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourcegroups/purview-sentinel-bug-bash/providers/microsoft.purview/accounts/sentinel-bug-bash-westeurope -d80e74e9-da11-4572-babc-79349f7685cc,"11/1/2021, 4:37:17.871 PM",00000000-0000-0000-0000-000000000000,DataSensitivityLogEvent,72f988bf-86f1-41af-91ab-2d7cd011db47,458b9821-8f00-483f-acf9-ff6ab17332c4,Sentinel-Bug-Bash-WestEurope,westeurope,AmazonAccount-gq6,AmazonS3,arn:aws:s3:us-east-2:911296716343:sales-departments,9.11297E+11,US East (Ohio),sentinel-bug-bash-westeurope,,Contoso Purchasing Permissions - Q2.docx,s3://sales-departments/Contoso Purchasing Permissions - Q2.docx,File,,"2/2/2021, 12:19:58.000 PM",,"11/1/2021, 4:33:36.713 PM",docx,31671,Classification,System,"[""Credit Card Number"",""EU Debit Card Number"",""U.S. Bank Account Number""]",3,,,,,PurviewDataSensitivityLogs,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourcegroups/purview-sentinel-bug-bash/providers/microsoft.purview/accounts/sentinel-bug-bash-westeurope -d80e74e9-da11-4572-babc-79349f7685cc,"11/1/2021, 4:37:17.876 PM",00000000-0000-0000-0000-000000000000,DataSensitivityLogEvent,72f988bf-86f1-41af-91ab-2d7cd011db47,458b9821-8f00-483f-acf9-ff6ab17332c4,Sentinel-Bug-Bash-WestEurope,westeurope,AmazonAccount-gq6,AmazonS3,arn:aws:s3:us-east-2:911296716343:sales-departments,9.11297E+11,US East (Ohio),sentinel-bug-bash-westeurope,,Contoso_contract_March.docx,s3://sales-departments/Contoso_contract_March.docx,File,,"2/2/2021, 11:42:10.000 AM",,"11/1/2021, 4:33:36.992 PM",docx,19590,Classification,System,"[""EU National Identification Number""]",1,,,,,PurviewDataSensitivityLogs,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourcegroups/purview-sentinel-bug-bash/providers/microsoft.purview/accounts/sentinel-bug-bash-westeurope -d80e74e9-da11-4572-babc-79349f7685cc,"11/1/2021, 4:37:17.882 PM",00000000-0000-0000-0000-000000000000,DataSensitivityLogEvent,72f988bf-86f1-41af-91ab-2d7cd011db47,458b9821-8f00-483f-acf9-ff6ab17332c4,Sentinel-Bug-Bash-WestEurope,westeurope,AmazonAccount-gq6,AmazonS3,arn:aws:s3:us-east-2:911296716343:sales-departments,9.11297E+11,US East (Ohio),sentinel-bug-bash-westeurope,,Contoso contract_February.docx,s3://sales-departments/Contoso contract_February.docx,File,,"2/2/2021, 11:42:11.000 AM",,"11/1/2021, 4:33:37.123 PM",docx,19586,Classification,System,"[""EU National Identification Number"",""EU Social Security Number (SSN) or Equivalent ID""]",2,,,,,PurviewDataSensitivityLogs,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourcegroups/purview-sentinel-bug-bash/providers/microsoft.purview/accounts/sentinel-bug-bash-westeurope -d80e74e9-da11-4572-babc-79349f7685cc,"11/1/2021, 4:37:17.888 PM",00000000-0000-0000-0000-000000000000,DataSensitivityLogEvent,72f988bf-86f1-41af-91ab-2d7cd011db47,458b9821-8f00-483f-acf9-ff6ab17332c4,Sentinel-Bug-Bash-WestEurope,westeurope,AmazonAccount-gq6,AmazonS3,arn:aws:s3:us-east-2:911296716343:sales-departments,9.11297E+11,US East (Ohio),sentinel-bug-bash-westeurope,,Contoso Purchasing Permissions - Q1.docx,s3://sales-departments/Contoso Purchasing Permissions - Q1.docx,File,,"2/2/2021, 12:19:57.000 PM",,"11/1/2021, 4:33:58.393 PM",docx,31671,Classification,System,"[""Credit Card Number"",""EU Debit Card Number"",""U.S. Bank Account Number""]",3,,,,,PurviewDataSensitivityLogs,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourcegroups/purview-sentinel-bug-bash/providers/microsoft.purview/accounts/sentinel-bug-bash-westeurope -d80e74e9-da11-4572-babc-79349f7685cc,"11/1/2021, 4:37:18.859 PM",00000000-0000-0000-0000-000000000000,DataSensitivityLogEvent,72f988bf-86f1-41af-91ab-2d7cd011db47,458b9821-8f00-483f-acf9-ff6ab17332c4,Sentinel-Bug-Bash-WestEurope,westeurope,AmazonAccount-gq6,AmazonS3,arn:aws:s3:us-east-2:911296716343:sales-departments,9.11297E+11,US East (Ohio),sentinel-bug-bash-westeurope,,Contoso Purchasing Permissions - Q2.docx,s3://sales-departments/Contoso Purchasing Permissions - Q2.docx,File,,"2/2/2021, 12:19:58.000 PM",,"11/1/2021, 4:33:36.713 PM",docx,31671,Labeling,Default,[],0,9fbde396-1a24-4c79-8edf-9254a0f35055,Confidential\Microsoft Extended,,,PurviewDataSensitivityLogs,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourcegroups/purview-sentinel-bug-bash/providers/microsoft.purview/accounts/sentinel-bug-bash-westeurope -d80e74e9-da11-4572-babc-79349f7685cc,"11/1/2021, 4:37:18.911 PM",00000000-0000-0000-0000-000000000000,DataSensitivityLogEvent,72f988bf-86f1-41af-91ab-2d7cd011db47,458b9821-8f00-483f-acf9-ff6ab17332c4,Sentinel-Bug-Bash-WestEurope,westeurope,AmazonAccount-gq6,AmazonS3,arn:aws:s3:us-east-2:911296716343:sales-departments,9.11297E+11,US East (Ohio),sentinel-bug-bash-westeurope,,Contoso_contract_March.docx,s3://sales-departments/Contoso_contract_March.docx,File,,"2/2/2021, 11:42:10.000 AM",,"11/1/2021, 4:33:36.992 PM",docx,19590,Labeling,Default,[],0,9fbde396-1a24-4c79-8edf-9254a0f35055,Confidential\Microsoft Extended,,,PurviewDataSensitivityLogs,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourcegroups/purview-sentinel-bug-bash/providers/microsoft.purview/accounts/sentinel-bug-bash-westeurope -d80e74e9-da11-4572-babc-79349f7685cc,"11/1/2021, 4:37:18.919 PM",00000000-0000-0000-0000-000000000000,DataSensitivityLogEvent,72f988bf-86f1-41af-91ab-2d7cd011db47,458b9821-8f00-483f-acf9-ff6ab17332c4,Sentinel-Bug-Bash-WestEurope,westeurope,AmazonAccount-gq6,AmazonS3,arn:aws:s3:us-east-2:911296716343:sales-departments,9.11297E+11,US East (Ohio),sentinel-bug-bash-westeurope,,Contoso Purchasing Permissions - Q1.docx,s3://sales-departments/Contoso Purchasing Permissions - Q1.docx,File,,"2/2/2021, 12:19:57.000 PM",,"11/1/2021, 4:33:58.393 PM",docx,31671,Labeling,Default,[],0,9fbde396-1a24-4c79-8edf-9254a0f35055,Confidential\Microsoft Extended,,,PurviewDataSensitivityLogs,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourcegroups/purview-sentinel-bug-bash/providers/microsoft.purview/accounts/sentinel-bug-bash-westeurope -d80e74e9-da11-4572-babc-79349f7685cc,"11/1/2021, 4:37:18.959 PM",00000000-0000-0000-0000-000000000000,DataSensitivityLogEvent,72f988bf-86f1-41af-91ab-2d7cd011db47,458b9821-8f00-483f-acf9-ff6ab17332c4,Sentinel-Bug-Bash-WestEurope,westeurope,AmazonAccount-gq6,AmazonS3,arn:aws:s3:us-east-2:911296716343:sales-departments,9.11297E+11,US East (Ohio),sentinel-bug-bash-westeurope,,Customers' applications.docx,s3://sales-departments/Customers' applications.docx,File,,"2/2/2021, 11:42:12.000 AM",,"11/1/2021, 4:33:58.106 PM",docx,19576,Labeling,Default,[],0,9fbde396-1a24-4c79-8edf-9254a0f35055,Confidential\Microsoft Extended,,,PurviewDataSensitivityLogs,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourcegroups/purview-sentinel-bug-bash/providers/microsoft.purview/accounts/sentinel-bug-bash-westeurope -d80e74e9-da11-4572-babc-79349f7685cc,"11/1/2021, 4:37:19.004 PM",00000000-0000-0000-0000-000000000000,DataSensitivityLogEvent,72f988bf-86f1-41af-91ab-2d7cd011db47,458b9821-8f00-483f-acf9-ff6ab17332c4,Sentinel-Bug-Bash-WestEurope,westeurope,AmazonAccount-gq6,AmazonS3,arn:aws:s3:us-east-2:911296716343:sales-departments,9.11297E+11,US East (Ohio),sentinel-bug-bash-westeurope,,Contoso Purchasing Permissions - Q3.docx,s3://sales-departments/Contoso Purchasing Permissions - Q3.docx,File,,"2/2/2021, 12:19:58.000 PM",,"11/1/2021, 4:33:36.843 PM",docx,31671,Labeling,Default,[],0,9fbde396-1a24-4c79-8edf-9254a0f35055,Confidential\Microsoft Extended,,,PurviewDataSensitivityLogs,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourcegroups/purview-sentinel-bug-bash/providers/microsoft.purview/accounts/sentinel-bug-bash-westeurope -d80e74e9-da11-4572-babc-79349f7685cc,"11/1/2021, 4:37:19.035 PM",00000000-0000-0000-0000-000000000000,DataSensitivityLogEvent,72f988bf-86f1-41af-91ab-2d7cd011db47,458b9821-8f00-483f-acf9-ff6ab17332c4,Sentinel-Bug-Bash-WestEurope,westeurope,AmazonAccount-gq6,AmazonS3,arn:aws:s3:us-east-2:911296716343:sales-departments,9.11297E+11,US East (Ohio),sentinel-bug-bash-westeurope,,Contoso contract_February.docx,s3://sales-departments/Contoso contract_February.docx,File,,"2/2/2021, 11:42:11.000 AM",,"11/1/2021, 4:33:37.123 PM",docx,19586,Labeling,Default,[],0,9fbde396-1a24-4c79-8edf-9254a0f35055,Confidential\Microsoft Extended,,,PurviewDataSensitivityLogs,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourcegroups/purview-sentinel-bug-bash/providers/microsoft.purview/accounts/sentinel-bug-bash-westeurope -d80e74e9-da11-4572-babc-79349f7685cc,"11/1/2021, 4:37:53.840 PM",00000000-0000-0000-0000-000000000000,DataSensitivityLogEvent,72f988bf-86f1-41af-91ab-2d7cd011db47,458b9821-8f00-483f-acf9-ff6ab17332c4,Sentinel-Bug-Bash-WestEurope,westeurope,AmazonAccount-gq6,AmazonS3,arn:aws:s3:us-east-2:911296716343:operations-department,9.11297E+11,US East (Ohio),sentinel-bug-bash-westeurope,,Passengers.doc,s3://operations-department/Passengers.doc,File,,"10/28/2021, 7:32:48.000 AM",,"11/1/2021, 4:31:39.285 PM",doc,222720,Classification,System,"[""Bulgaria Passport Number"",""Croatia Passport Number"",""Denmark Passport Number"",""EU Passport Number"",""Ireland Passport Number"",""Italy Passport Number"",""Romania Passport Number"",""Russian Passport Number (International)"",""Taiwan Passport Number"",""U.S. / U.K. Passport Number"",""Ukraine Passport Number (Domestic)""]",11,,,,,PurviewDataSensitivityLogs,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourcegroups/purview-sentinel-bug-bash/providers/microsoft.purview/accounts/sentinel-bug-bash-westeurope -d80e74e9-da11-4572-babc-79349f7685cc,"11/1/2021, 4:37:54.818 PM",00000000-0000-0000-0000-000000000000,DataSensitivityLogEvent,72f988bf-86f1-41af-91ab-2d7cd011db47,458b9821-8f00-483f-acf9-ff6ab17332c4,Sentinel-Bug-Bash-WestEurope,westeurope,AmazonAccount-gq6,AmazonS3,arn:aws:s3:us-east-2:911296716343:operations-department,9.11297E+11,US East (Ohio),sentinel-bug-bash-westeurope,,Passengers.doc,s3://operations-department/Passengers.doc,File,,"10/28/2021, 7:32:48.000 AM",,"11/1/2021, 4:31:39.285 PM",doc,222720,Labeling,Default,[],0,9fbde396-1a24-4c79-8edf-9254a0f35055,Confidential\Microsoft Extended,,,PurviewDataSensitivityLogs,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourcegroups/purview-sentinel-bug-bash/providers/microsoft.purview/accounts/sentinel-bug-bash-westeurope -d80e74e9-da11-4572-babc-79349f7685cc,"11/1/2021, 4:39:07.026 PM",00000000-0000-0000-0000-000000000000,DataSensitivityLogEvent,72f988bf-86f1-41af-91ab-2d7cd011db47,458b9821-8f00-483f-acf9-ff6ab17332c4,Sentinel-Bug-Bash-WestEurope,westeurope,AmazonAccount-gq6,AmazonS3,arn:aws:s3:us-east-2:911296716343:marketing-departments,9.11297E+11,US East (Ohio),sentinel-bug-bash-westeurope,,Contoso Marketing Principles.pptx,s3://marketing-departments/Contoso Marketing Principles.pptx,File,,"2/2/2021, 12:19:32.000 PM",,"11/1/2021, 4:35:35.800 PM",pptx,4172096,Classification,System,[],0,,,,,PurviewDataSensitivityLogs,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourcegroups/purview-sentinel-bug-bash/providers/microsoft.purview/accounts/sentinel-bug-bash-westeurope -d80e74e9-da11-4572-babc-79349f7685cc,"11/1/2021, 4:39:07.026 PM",00000000-0000-0000-0000-000000000000,DataSensitivityLogEvent,72f988bf-86f1-41af-91ab-2d7cd011db47,458b9821-8f00-483f-acf9-ff6ab17332c4,Sentinel-Bug-Bash-WestEurope,westeurope,AmazonAccount-gq6,AmazonS3,arn:aws:s3:us-east-2:911296716343:marketing-departments,9.11297E+11,US East (Ohio),sentinel-bug-bash-westeurope,,Contoso Marketing Principles.pptx,s3://marketing-departments/Contoso Marketing Principles.pptx,File,,"2/2/2021, 12:19:32.000 PM",,"11/1/2021, 4:35:35.800 PM",pptx,4172096,Labeling,Default,[],0,9fbde396-1a24-4c79-8edf-9254a0f35055,Confidential\Microsoft Extended,,,PurviewDataSensitivityLogs,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourcegroups/purview-sentinel-bug-bash/providers/microsoft.purview/accounts/sentinel-bug-bash-westeurope -d80e74e9-da11-4572-babc-79349f7685cc,"11/1/2021, 4:41:38.758 PM",00000000-0000-0000-0000-000000000000,DataSensitivityLogEvent,72f988bf-86f1-41af-91ab-2d7cd011db47,458b9821-8f00-483f-acf9-ff6ab17332c4,Sentinel-Bug-Bash-WestEurope,westeurope,AmazonAccount-gq6,AmazonS3,arn:aws:s3:us-east-2:911296716343:marketing-departments,9.11297E+11,US East (Ohio),sentinel-bug-bash-westeurope,,Web Marketing Goals and Strategies.docx,s3://marketing-departments/Web Marketing Goals and Strategies.docx,File,,"2/2/2021, 12:19:33.000 PM",,"11/1/2021, 4:35:34.814 PM",docx,116593,Classification,System,[],0,,,,,PurviewDataSensitivityLogs,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourcegroups/purview-sentinel-bug-bash/providers/microsoft.purview/accounts/sentinel-bug-bash-westeurope -d80e74e9-da11-4572-babc-79349f7685cc,"11/1/2021, 4:41:39.774 PM",00000000-0000-0000-0000-000000000000,DataSensitivityLogEvent,72f988bf-86f1-41af-91ab-2d7cd011db47,458b9821-8f00-483f-acf9-ff6ab17332c4,Sentinel-Bug-Bash-WestEurope,westeurope,AmazonAccount-gq6,AmazonS3,arn:aws:s3:us-east-2:911296716343:marketing-departments,9.11297E+11,US East (Ohio),sentinel-bug-bash-westeurope,,Web Marketing Goals and Strategies.docx,s3://marketing-departments/Web Marketing Goals and Strategies.docx,File,,"2/2/2021, 12:19:33.000 PM",,"11/1/2021, 4:35:34.814 PM",docx,116593,Labeling,Default,[],0,9fbde396-1a24-4c79-8edf-9254a0f35055,Confidential\Microsoft Extended,,,PurviewDataSensitivityLogs,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourcegroups/purview-sentinel-bug-bash/providers/microsoft.purview/accounts/sentinel-bug-bash-westeurope -d80e74e9-da11-4572-babc-79349f7685cc,"11/1/2021, 4:47:01.054 PM",00000000-0000-0000-0000-000000000000,DataSensitivityLogEvent,72f988bf-86f1-41af-91ab-2d7cd011db47,458b9821-8f00-483f-acf9-ff6ab17332c4,Sentinel-Bug-Bash-WestEurope,westeurope,AmazonAccount-gq6,AmazonS3,arn:aws:s3:us-east-2:911296716343:hr-department,9.11297E+11,US East (Ohio),sentinel-bug-bash-westeurope,,"HR Employee Profile - Smith, James.xlsx","s3://hr-department/Employees/HR Employee Profile - Smith, James.xlsx",File,,"9/1/2021, 2:15:38.000 PM",,"11/1/2021, 4:43:43.203 PM",xlsx,17510,Classification,System,[],0,,,,,PurviewDataSensitivityLogs,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourcegroups/purview-sentinel-bug-bash/providers/microsoft.purview/accounts/sentinel-bug-bash-westeurope -d80e74e9-da11-4572-babc-79349f7685cc,"11/1/2021, 4:47:02.208 PM",00000000-0000-0000-0000-000000000000,DataSensitivityLogEvent,72f988bf-86f1-41af-91ab-2d7cd011db47,458b9821-8f00-483f-acf9-ff6ab17332c4,Sentinel-Bug-Bash-WestEurope,westeurope,AmazonAccount-gq6,AmazonS3,arn:aws:s3:us-east-2:911296716343:hr-department,9.11297E+11,US East (Ohio),sentinel-bug-bash-westeurope,,"HR Employee Profile - Smith, James.xlsx","s3://hr-department/Employees/HR Employee Profile - Smith, James.xlsx",File,,"9/1/2021, 2:15:38.000 PM",,"11/1/2021, 4:43:43.203 PM",xlsx,17510,Labeling,Default,[],0,9fbde396-1a24-4c79-8edf-9254a0f35055,Confidential\Microsoft Extended,,,PurviewDataSensitivityLogs,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourcegroups/purview-sentinel-bug-bash/providers/microsoft.purview/accounts/sentinel-bug-bash-westeurope -d80e74e9-da11-4572-babc-79349f7685cc,"11/1/2021, 4:47:02.208 PM",00000000-0000-0000-0000-000000000000,DataSensitivityLogEvent,72f988bf-86f1-41af-91ab-2d7cd011db47,458b9821-8f00-483f-acf9-ff6ab17332c4,Sentinel-Bug-Bash-WestEurope,westeurope,AmazonAccount-gq6,AmazonS3,arn:aws:s3:us-east-2:911296716343:hr-department,9.11297E+11,US East (Ohio),sentinel-bug-bash-westeurope,,Offer Letter - Christopher Beyer.doc,s3://hr-department/Contracts/Offer Letter - Christopher Beyer.doc,File,,"9/1/2021, 2:15:00.000 PM",,"11/1/2021, 4:43:47.858 PM",doc,139776,Classification,System,"[""Bulgaria Passport Number"",""Croatia Passport Number"",""Denmark Passport Number"",""EU Passport Number"",""Ireland Passport Number"",""Italy Passport Number"",""Romania Passport Number"",""Russian Passport Number (International)"",""Taiwan Passport Number"",""U.S. / U.K. Passport Number"",""Ukraine Passport Number (Domestic)""]",11,,,,,PurviewDataSensitivityLogs,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourcegroups/purview-sentinel-bug-bash/providers/microsoft.purview/accounts/sentinel-bug-bash-westeurope -d80e74e9-da11-4572-babc-79349f7685cc,"11/1/2021, 4:47:02.214 PM",00000000-0000-0000-0000-000000000000,DataSensitivityLogEvent,72f988bf-86f1-41af-91ab-2d7cd011db47,458b9821-8f00-483f-acf9-ff6ab17332c4,Sentinel-Bug-Bash-WestEurope,westeurope,AmazonAccount-gq6,AmazonS3,arn:aws:s3:us-east-2:911296716343:hr-department,9.11297E+11,US East (Ohio),sentinel-bug-bash-westeurope,,Offer Letter - Eric Wright.doc,s3://hr-department/Contracts/Offer Letter - Eric Wright.doc,File,,"9/1/2021, 2:15:00.000 PM",,"11/1/2021, 4:43:48.029 PM",doc,139776,Classification,System,"[""Bulgaria Passport Number"",""Croatia Passport Number"",""Denmark Passport Number"",""EU Passport Number"",""Ireland Passport Number"",""Italy Passport Number"",""Romania Passport Number"",""Russian Passport Number (International)"",""Taiwan Passport Number"",""U.S. / U.K. Passport Number"",""Ukraine Passport Number (Domestic)""]",11,,,,,PurviewDataSensitivityLogs,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourcegroups/purview-sentinel-bug-bash/providers/microsoft.purview/accounts/sentinel-bug-bash-westeurope -d80e74e9-da11-4572-babc-79349f7685cc,"11/1/2021, 4:47:02.220 PM",00000000-0000-0000-0000-000000000000,DataSensitivityLogEvent,72f988bf-86f1-41af-91ab-2d7cd011db47,458b9821-8f00-483f-acf9-ff6ab17332c4,Sentinel-Bug-Bash-WestEurope,westeurope,AmazonAccount-gq6,AmazonS3,arn:aws:s3:us-east-2:911296716343:hr-department,9.11297E+11,US East (Ohio),sentinel-bug-bash-westeurope,,Visa Application (Turkey) - Walter Thurmond.doc,s3://hr-department/Visa Application (Turkey) - Walter Thurmond.doc,File,,"2/2/2021, 12:21:14.000 PM",,"11/1/2021, 4:43:25.425 PM",doc,222720,Classification,System,"[""Bulgaria Passport Number"",""Croatia Passport Number"",""Denmark Passport Number"",""EU Passport Number"",""Ireland Passport Number"",""Italy Passport Number"",""Romania Passport Number"",""Russian Passport Number (International)"",""Taiwan Passport Number"",""U.S. / U.K. Passport Number"",""Ukraine Passport Number (Domestic)""]",11,,,,,PurviewDataSensitivityLogs,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourcegroups/purview-sentinel-bug-bash/providers/microsoft.purview/accounts/sentinel-bug-bash-westeurope -d80e74e9-da11-4572-babc-79349f7685cc,"11/1/2021, 4:47:02.226 PM",00000000-0000-0000-0000-000000000000,DataSensitivityLogEvent,72f988bf-86f1-41af-91ab-2d7cd011db47,458b9821-8f00-483f-acf9-ff6ab17332c4,Sentinel-Bug-Bash-WestEurope,westeurope,AmazonAccount-gq6,AmazonS3,arn:aws:s3:us-east-2:911296716343:hr-department,9.11297E+11,US East (Ohio),sentinel-bug-bash-westeurope,,User Accounts.docx,s3://hr-department/Employees/User Accounts.docx,File,,"9/1/2021, 2:15:39.000 PM",,"11/1/2021, 4:43:43.359 PM",docx,19548,Classification,System,[],0,,,,,PurviewDataSensitivityLogs,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourcegroups/purview-sentinel-bug-bash/providers/microsoft.purview/accounts/sentinel-bug-bash-westeurope -d80e74e9-da11-4572-babc-79349f7685cc,"11/1/2021, 4:47:02.226 PM",00000000-0000-0000-0000-000000000000,DataSensitivityLogEvent,72f988bf-86f1-41af-91ab-2d7cd011db47,458b9821-8f00-483f-acf9-ff6ab17332c4,Sentinel-Bug-Bash-WestEurope,westeurope,AmazonAccount-gq6,AmazonS3,arn:aws:s3:us-east-2:911296716343:hr-department,9.11297E+11,US East (Ohio),sentinel-bug-bash-westeurope,,User Accounts.docx,s3://hr-department/Employees/User Accounts.docx,File,,"9/1/2021, 2:15:39.000 PM",,"11/1/2021, 4:43:43.359 PM",docx,19548,Labeling,Default,[],0,9fbde396-1a24-4c79-8edf-9254a0f35055,Confidential\Microsoft Extended,,,PurviewDataSensitivityLogs,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourcegroups/purview-sentinel-bug-bash/providers/microsoft.purview/accounts/sentinel-bug-bash-westeurope -d80e74e9-da11-4572-babc-79349f7685cc,"11/1/2021, 4:47:02.226 PM",00000000-0000-0000-0000-000000000000,DataSensitivityLogEvent,72f988bf-86f1-41af-91ab-2d7cd011db47,458b9821-8f00-483f-acf9-ff6ab17332c4,Sentinel-Bug-Bash-WestEurope,westeurope,AmazonAccount-gq6,AmazonS3,arn:aws:s3:us-east-2:911296716343:hr-department,9.11297E+11,US East (Ohio),sentinel-bug-bash-westeurope,,HR_report_January.parquet,s3://hr-department/HR_report_January.parquet,File,,"2/2/2021, 12:15:49.000 PM",,"11/1/2021, 4:43:30.476 PM",parquet,1584758,Classification,System,[],0,,,,,PurviewDataSensitivityLogs,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourcegroups/purview-sentinel-bug-bash/providers/microsoft.purview/accounts/sentinel-bug-bash-westeurope -d80e74e9-da11-4572-babc-79349f7685cc,"11/1/2021, 4:47:02.226 PM",00000000-0000-0000-0000-000000000000,DataSensitivityLogEvent,72f988bf-86f1-41af-91ab-2d7cd011db47,458b9821-8f00-483f-acf9-ff6ab17332c4,Sentinel-Bug-Bash-WestEurope,westeurope,AmazonAccount-gq6,AmazonS3,arn:aws:s3:us-east-2:911296716343:hr-department,9.11297E+11,US East (Ohio),sentinel-bug-bash-westeurope,,HR_report_January.parquet,s3://hr-department/HR_report_January.parquet,File,,"2/2/2021, 12:15:49.000 PM",,"11/1/2021, 4:43:30.476 PM",parquet,1584758,Labeling,Default,[],0,9fbde396-1a24-4c79-8edf-9254a0f35055,Confidential\Microsoft Extended,,,PurviewDataSensitivityLogs,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourcegroups/purview-sentinel-bug-bash/providers/microsoft.purview/accounts/sentinel-bug-bash-westeurope -d80e74e9-da11-4572-babc-79349f7685cc,"11/1/2021, 4:47:02.906 PM",00000000-0000-0000-0000-000000000000,DataSensitivityLogEvent,72f988bf-86f1-41af-91ab-2d7cd011db47,458b9821-8f00-483f-acf9-ff6ab17332c4,Sentinel-Bug-Bash-WestEurope,westeurope,AmazonAccount-gq6,AmazonS3,arn:aws:s3:us-east-2:911296716343:hr-department,9.11297E+11,US East (Ohio),sentinel-bug-bash-westeurope,,Offer Letter - Christopher Beyer.doc,s3://hr-department/Contracts/Offer Letter - Christopher Beyer.doc,File,,"9/1/2021, 2:15:00.000 PM",,"11/1/2021, 4:43:47.858 PM",doc,139776,Labeling,Default,[],0,9fbde396-1a24-4c79-8edf-9254a0f35055,Confidential\Microsoft Extended,,,PurviewDataSensitivityLogs,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourcegroups/purview-sentinel-bug-bash/providers/microsoft.purview/accounts/sentinel-bug-bash-westeurope -d80e74e9-da11-4572-babc-79349f7685cc,"11/1/2021, 4:47:03.255 PM",00000000-0000-0000-0000-000000000000,DataSensitivityLogEvent,72f988bf-86f1-41af-91ab-2d7cd011db47,458b9821-8f00-483f-acf9-ff6ab17332c4,Sentinel-Bug-Bash-WestEurope,westeurope,AmazonAccount-gq6,AmazonS3,arn:aws:s3:us-east-2:911296716343:hr-department,9.11297E+11,US East (Ohio),sentinel-bug-bash-westeurope,,Visa Application (Turkey) - Walter Thurmond.doc,s3://hr-department/Visa Application (Turkey) - Walter Thurmond.doc,File,,"2/2/2021, 12:21:14.000 PM",,"11/1/2021, 4:43:25.425 PM",doc,222720,Labeling,Default,[],0,9fbde396-1a24-4c79-8edf-9254a0f35055,Confidential\Microsoft Extended,,,PurviewDataSensitivityLogs,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourcegroups/purview-sentinel-bug-bash/providers/microsoft.purview/accounts/sentinel-bug-bash-westeurope -d80e74e9-da11-4572-babc-79349f7685cc,"11/1/2021, 4:47:03.556 PM",00000000-0000-0000-0000-000000000000,DataSensitivityLogEvent,72f988bf-86f1-41af-91ab-2d7cd011db47,458b9821-8f00-483f-acf9-ff6ab17332c4,Sentinel-Bug-Bash-WestEurope,westeurope,AmazonAccount-gq6,AmazonS3,arn:aws:s3:us-east-2:911296716343:hr-department,9.11297E+11,US East (Ohio),sentinel-bug-bash-westeurope,,Offer Letter - Eric Wright.doc,s3://hr-department/Contracts/Offer Letter - Eric Wright.doc,File,,"9/1/2021, 2:15:00.000 PM",,"11/1/2021, 4:43:48.029 PM",doc,139776,Labeling,Default,[],0,9fbde396-1a24-4c79-8edf-9254a0f35055,Confidential\Microsoft Extended,,,PurviewDataSensitivityLogs,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourcegroups/purview-sentinel-bug-bash/providers/microsoft.purview/accounts/sentinel-bug-bash-westeurope -d80e74e9-da11-4572-babc-79349f7685cc,"11/1/2021, 4:49:59.432 PM",00000000-0000-0000-0000-000000000000,DataSensitivityLogEvent,72f988bf-86f1-41af-91ab-2d7cd011db47,458b9821-8f00-483f-acf9-ff6ab17332c4,Sentinel-Bug-Bash-WestEurope,westeurope,AmazonAccount-gq6,AmazonS3,arn:aws:s3:us-east-2:911296716343:hr-department,9.11297E+11,US East (Ohio),sentinel-bug-bash-westeurope,,Employee_list_US.avro,s3://hr-department/Employees/Employee_list_US.avro,File,,"9/1/2021, 2:15:39.000 PM",,"11/1/2021, 4:43:48.498 PM",avro,93421,Classification,System,[],0,,,,,PurviewDataSensitivityLogs,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourcegroups/purview-sentinel-bug-bash/providers/microsoft.purview/accounts/sentinel-bug-bash-westeurope -d80e74e9-da11-4572-babc-79349f7685cc,"11/1/2021, 4:49:59.432 PM",00000000-0000-0000-0000-000000000000,DataSensitivityLogEvent,72f988bf-86f1-41af-91ab-2d7cd011db47,458b9821-8f00-483f-acf9-ff6ab17332c4,Sentinel-Bug-Bash-WestEurope,westeurope,AmazonAccount-gq6,AmazonS3,arn:aws:s3:us-east-2:911296716343:hr-department,9.11297E+11,US East (Ohio),sentinel-bug-bash-westeurope,,Employee_list_US.avro,s3://hr-department/Employees/Employee_list_US.avro,File,,"9/1/2021, 2:15:39.000 PM",,"11/1/2021, 4:43:48.498 PM",avro,93421,Labeling,Default,[],0,9fbde396-1a24-4c79-8edf-9254a0f35055,Confidential\Microsoft Extended,,,PurviewDataSensitivityLogs,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourcegroups/purview-sentinel-bug-bash/providers/microsoft.purview/accounts/sentinel-bug-bash-westeurope -d80e74e9-da11-4572-babc-79349f7685cc,"11/1/2021, 4:49:59.433 PM",00000000-0000-0000-0000-000000000000,DataSensitivityLogEvent,72f988bf-86f1-41af-91ab-2d7cd011db47,458b9821-8f00-483f-acf9-ff6ab17332c4,Sentinel-Bug-Bash-WestEurope,westeurope,AmazonAccount-gq6,AmazonS3,arn:aws:s3:us-east-2:911296716343:hr-department,9.11297E+11,US East (Ohio),sentinel-bug-bash-westeurope,,empdetails.parquet,s3://hr-department/Employees/empdetails.parquet,File,,"9/1/2021, 2:15:38.000 PM",,"11/1/2021, 4:43:51.002 PM",parquet,8045,Classification,System,"[""EU Tax Identification Number (TIN)"",""Person's Name"",""U.S. Social Security Number (SSN)""]",3,,,,,PurviewDataSensitivityLogs,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourcegroups/purview-sentinel-bug-bash/providers/microsoft.purview/accounts/sentinel-bug-bash-westeurope -d80e74e9-da11-4572-babc-79349f7685cc,"11/1/2021, 4:50:00.414 PM",00000000-0000-0000-0000-000000000000,DataSensitivityLogEvent,72f988bf-86f1-41af-91ab-2d7cd011db47,458b9821-8f00-483f-acf9-ff6ab17332c4,Sentinel-Bug-Bash-WestEurope,westeurope,AmazonAccount-gq6,AmazonS3,arn:aws:s3:us-east-2:911296716343:hr-department,9.11297E+11,US East (Ohio),sentinel-bug-bash-westeurope,,empdetails.parquet,s3://hr-department/Employees/empdetails.parquet,File,,"9/1/2021, 2:15:38.000 PM",,"11/1/2021, 4:43:51.002 PM",parquet,8045,Labeling,Default,[],0,9fbde396-1a24-4c79-8edf-9254a0f35055,Confidential\Microsoft Extended,,,PurviewDataSensitivityLogs,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourcegroups/purview-sentinel-bug-bash/providers/microsoft.purview/accounts/sentinel-bug-bash-westeurope -d80e74e9-da11-4572-babc-79349f7685cc,"11/1/2021, 4:12:24.779 PM",00000000-0000-0000-0000-000000000000,DataSensitivityLogEvent,72f988bf-86f1-41af-91ab-2d7cd011db47,458b9821-8f00-483f-acf9-ff6ab17332c4,Sentinel-Bug-Bash-EastUS2,eastus2,CosmosDB-sOv,AzureCosmosDb,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourceGroups/classification-test/providers/Microsoft.DocumentDB/databaseAccounts/classification-test,458b9821-8f00-483f-acf9-ff6ab17332c4,eastus,BugBashTest,,test-retry-0e73693e-826b-449b-9407-33b3254fcf6f,https://classification-test.documents.azure.com/dbs/database/colls/test-retry-0e73693e-826b-449b-9407-33b3254fcf6f,Generic,,,,"11/1/2021, 4:09:22.288 PM",,0,Classification,System,[],0,,,,,PurviewDataSensitivityLogs,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourcegroups/purview-sentinel-bug-bash/providers/microsoft.purview/accounts/sentinel-bug-bash-eastus2 -d80e74e9-da11-4572-babc-79349f7685cc,"11/1/2021, 4:12:24.779 PM",00000000-0000-0000-0000-000000000000,DataSensitivityLogEvent,72f988bf-86f1-41af-91ab-2d7cd011db47,458b9821-8f00-483f-acf9-ff6ab17332c4,Sentinel-Bug-Bash-EastUS2,eastus2,CosmosDB-sOv,AzureCosmosDb,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourceGroups/classification-test/providers/Microsoft.DocumentDB/databaseAccounts/classification-test,458b9821-8f00-483f-acf9-ff6ab17332c4,eastus,BugBashTest,,test-retry-0e73693e-826b-449b-9407-33b3254fcf6f,https://classification-test.documents.azure.com/dbs/database/colls/test-retry-0e73693e-826b-449b-9407-33b3254fcf6f,Generic,,,,"11/1/2021, 4:09:22.288 PM",,0,Labeling,System,[],0,,,,,PurviewDataSensitivityLogs,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourcegroups/purview-sentinel-bug-bash/providers/microsoft.purview/accounts/sentinel-bug-bash-eastus2 -d80e74e9-da11-4572-babc-79349f7685cc,"11/1/2021, 4:12:24.779 PM",00000000-0000-0000-0000-000000000000,DataSensitivityLogEvent,72f988bf-86f1-41af-91ab-2d7cd011db47,458b9821-8f00-483f-acf9-ff6ab17332c4,Sentinel-Bug-Bash-EastUS2,eastus2,CosmosDB-sOv,AzureCosmosDb,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourceGroups/classification-test/providers/Microsoft.DocumentDB/databaseAccounts/classification-test,458b9821-8f00-483f-acf9-ff6ab17332c4,eastus,BugBashTest,,featurecontrol,https://classification-test.documents.azure.com/dbs/database/colls/featurecontrol,Generic,,,,"11/1/2021, 4:09:22.288 PM",,0,Classification,System,[],0,,,,,PurviewDataSensitivityLogs,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourcegroups/purview-sentinel-bug-bash/providers/microsoft.purview/accounts/sentinel-bug-bash-eastus2 -d80e74e9-da11-4572-babc-79349f7685cc,"11/1/2021, 4:12:24.779 PM",00000000-0000-0000-0000-000000000000,DataSensitivityLogEvent,72f988bf-86f1-41af-91ab-2d7cd011db47,458b9821-8f00-483f-acf9-ff6ab17332c4,Sentinel-Bug-Bash-EastUS2,eastus2,CosmosDB-sOv,AzureCosmosDb,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourceGroups/classification-test/providers/Microsoft.DocumentDB/databaseAccounts/classification-test,458b9821-8f00-483f-acf9-ff6ab17332c4,eastus,BugBashTest,,featurecontrol,https://classification-test.documents.azure.com/dbs/database/colls/featurecontrol,Generic,,,,"11/1/2021, 4:09:22.288 PM",,0,Labeling,System,[],0,,,,,PurviewDataSensitivityLogs,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourcegroups/purview-sentinel-bug-bash/providers/microsoft.purview/accounts/sentinel-bug-bash-eastus2 -d80e74e9-da11-4572-babc-79349f7685cc,"11/1/2021, 4:12:24.780 PM",00000000-0000-0000-0000-000000000000,DataSensitivityLogEvent,72f988bf-86f1-41af-91ab-2d7cd011db47,458b9821-8f00-483f-acf9-ff6ab17332c4,Sentinel-Bug-Bash-EastUS2,eastus2,CosmosDB-sOv,AzureCosmosDb,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourceGroups/classification-test/providers/Microsoft.DocumentDB/databaseAccounts/classification-test,458b9821-8f00-483f-acf9-ff6ab17332c4,eastus,BugBashTest,,test-retry-2a727772-c6a7-4d93-8c48-3690b390ab6c,https://classification-test.documents.azure.com/dbs/database/colls/test-retry-2a727772-c6a7-4d93-8c48-3690b390ab6c,Generic,,,,"11/1/2021, 4:09:22.288 PM",,0,Classification,System,[],0,,,,,PurviewDataSensitivityLogs,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourcegroups/purview-sentinel-bug-bash/providers/microsoft.purview/accounts/sentinel-bug-bash-eastus2 -d80e74e9-da11-4572-babc-79349f7685cc,"11/1/2021, 4:12:24.780 PM",00000000-0000-0000-0000-000000000000,DataSensitivityLogEvent,72f988bf-86f1-41af-91ab-2d7cd011db47,458b9821-8f00-483f-acf9-ff6ab17332c4,Sentinel-Bug-Bash-EastUS2,eastus2,CosmosDB-sOv,AzureCosmosDb,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourceGroups/classification-test/providers/Microsoft.DocumentDB/databaseAccounts/classification-test,458b9821-8f00-483f-acf9-ff6ab17332c4,eastus,BugBashTest,,test-retry-2a727772-c6a7-4d93-8c48-3690b390ab6c,https://classification-test.documents.azure.com/dbs/database/colls/test-retry-2a727772-c6a7-4d93-8c48-3690b390ab6c,Generic,,,,"11/1/2021, 4:09:22.288 PM",,0,Labeling,System,[],0,,,,,PurviewDataSensitivityLogs,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourcegroups/purview-sentinel-bug-bash/providers/microsoft.purview/accounts/sentinel-bug-bash-eastus2 -d80e74e9-da11-4572-babc-79349f7685cc,"11/1/2021, 4:12:24.780 PM",00000000-0000-0000-0000-000000000000,DataSensitivityLogEvent,72f988bf-86f1-41af-91ab-2d7cd011db47,458b9821-8f00-483f-acf9-ff6ab17332c4,Sentinel-Bug-Bash-EastUS2,eastus2,CosmosDB-sOv,AzureCosmosDb,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourceGroups/classification-test/providers/Microsoft.DocumentDB/databaseAccounts/classification-test,458b9821-8f00-483f-acf9-ff6ab17332c4,eastus,BugBashTest,,featureWhitelist,https://classification-test.documents.azure.com/dbs/database/colls/featureWhitelist,Generic,,,,"11/1/2021, 4:09:22.288 PM",,0,Classification,System,[],0,,,,,PurviewDataSensitivityLogs,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourcegroups/purview-sentinel-bug-bash/providers/microsoft.purview/accounts/sentinel-bug-bash-eastus2 -d80e74e9-da11-4572-babc-79349f7685cc,"11/1/2021, 4:12:24.780 PM",00000000-0000-0000-0000-000000000000,DataSensitivityLogEvent,72f988bf-86f1-41af-91ab-2d7cd011db47,458b9821-8f00-483f-acf9-ff6ab17332c4,Sentinel-Bug-Bash-EastUS2,eastus2,CosmosDB-sOv,AzureCosmosDb,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourceGroups/classification-test/providers/Microsoft.DocumentDB/databaseAccounts/classification-test,458b9821-8f00-483f-acf9-ff6ab17332c4,eastus,BugBashTest,,featureWhitelist,https://classification-test.documents.azure.com/dbs/database/colls/featureWhitelist,Generic,,,,"11/1/2021, 4:09:22.288 PM",,0,Labeling,System,[],0,,,,,PurviewDataSensitivityLogs,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourcegroups/purview-sentinel-bug-bash/providers/microsoft.purview/accounts/sentinel-bug-bash-eastus2 -d80e74e9-da11-4572-babc-79349f7685cc,"11/1/2021, 4:12:24.780 PM",00000000-0000-0000-0000-000000000000,DataSensitivityLogEvent,72f988bf-86f1-41af-91ab-2d7cd011db47,458b9821-8f00-483f-acf9-ff6ab17332c4,Sentinel-Bug-Bash-EastUS2,eastus2,CosmosDB-sOv,AzureCosmosDb,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourceGroups/classification-test/providers/Microsoft.DocumentDB/databaseAccounts/classification-test,458b9821-8f00-483f-acf9-ff6ab17332c4,eastus,BugBashTest,,test-retry-c53010a4-8ba3-48b9-81aa-0ab701b70c4d,https://classification-test.documents.azure.com/dbs/database/colls/test-retry-c53010a4-8ba3-48b9-81aa-0ab701b70c4d,Generic,,,,"11/1/2021, 4:09:22.273 PM",,0,Classification,System,[],0,,,,,PurviewDataSensitivityLogs,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourcegroups/purview-sentinel-bug-bash/providers/microsoft.purview/accounts/sentinel-bug-bash-eastus2 -d80e74e9-da11-4572-babc-79349f7685cc,"11/1/2021, 4:12:24.780 PM",00000000-0000-0000-0000-000000000000,DataSensitivityLogEvent,72f988bf-86f1-41af-91ab-2d7cd011db47,458b9821-8f00-483f-acf9-ff6ab17332c4,Sentinel-Bug-Bash-EastUS2,eastus2,CosmosDB-sOv,AzureCosmosDb,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourceGroups/classification-test/providers/Microsoft.DocumentDB/databaseAccounts/classification-test,458b9821-8f00-483f-acf9-ff6ab17332c4,eastus,BugBashTest,,test-retry-c53010a4-8ba3-48b9-81aa-0ab701b70c4d,https://classification-test.documents.azure.com/dbs/database/colls/test-retry-c53010a4-8ba3-48b9-81aa-0ab701b70c4d,Generic,,,,"11/1/2021, 4:09:22.273 PM",,0,Labeling,System,[],0,,,,,PurviewDataSensitivityLogs,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourcegroups/purview-sentinel-bug-bash/providers/microsoft.purview/accounts/sentinel-bug-bash-eastus2 -d80e74e9-da11-4572-babc-79349f7685cc,"11/1/2021, 4:12:39.687 PM",00000000-0000-0000-0000-000000000000,DataSensitivityLogEvent,72f988bf-86f1-41af-91ab-2d7cd011db47,458b9821-8f00-483f-acf9-ff6ab17332c4,Sentinel-Bug-Bash-EastUS2,eastus2,AzureBlob-Bc2,AzureBlob,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourceGroups/classification-test/providers/Microsoft.Storage/storageAccounts/aipclptest,458b9821-8f00-483f-acf9-ff6ab17332c4,eastus,BugBashTest,,cr-oib.docx,https://aipclptest.blob.core.windows.net/aashishr01/cr-oib.docx,File,"12/11/2020, 8:59:35.000 PM","12/11/2020, 8:59:35.000 PM",,"11/1/2021, 4:09:09.919 PM",docx,26098,Classification,System,"[""EU National Identification Number""]",1,,,,,PurviewDataSensitivityLogs,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourcegroups/purview-sentinel-bug-bash/providers/microsoft.purview/accounts/sentinel-bug-bash-eastus2 -d80e74e9-da11-4572-babc-79349f7685cc,"11/1/2021, 4:12:39.694 PM",00000000-0000-0000-0000-000000000000,DataSensitivityLogEvent,72f988bf-86f1-41af-91ab-2d7cd011db47,458b9821-8f00-483f-acf9-ff6ab17332c4,Sentinel-Bug-Bash-EastUS2,eastus2,AzureBlob-Bc2,AzureBlob,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourceGroups/classification-test/providers/Microsoft.Storage/storageAccounts/aipclptest,458b9821-8f00-483f-acf9-ff6ab17332c4,eastus,BugBashTest,,dk-id.docx,https://aipclptest.blob.core.windows.net/aashishr01/dk-id.docx,File,"12/11/2020, 8:59:35.000 PM","12/11/2020, 8:59:35.000 PM",,"11/1/2021, 4:09:09.982 PM",docx,26098,Classification,System,"[""Denmark Personal Identification Number"",""EU National Identification Number"",""EU Social Security Number (SSN) or Equivalent ID"",""EU Tax Identification Number (TIN)""]",4,,,,,PurviewDataSensitivityLogs,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourcegroups/purview-sentinel-bug-bash/providers/microsoft.purview/accounts/sentinel-bug-bash-eastus2 -d80e74e9-da11-4572-babc-79349f7685cc,"11/1/2021, 4:12:39.700 PM",00000000-0000-0000-0000-000000000000,DataSensitivityLogEvent,72f988bf-86f1-41af-91ab-2d7cd011db47,458b9821-8f00-483f-acf9-ff6ab17332c4,Sentinel-Bug-Bash-EastUS2,eastus2,AzureBlob-Bc2,AzureBlob,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourceGroups/classification-test/providers/Microsoft.Storage/storageAccounts/aipclptest,458b9821-8f00-483f-acf9-ff6ab17332c4,eastus,BugBashTest,,fr-cni.docx,https://aipclptest.blob.core.windows.net/aipscan/PII/fr-cni.docx,File,"2/13/2020, 7:54:22.000 PM","2/13/2020, 7:54:22.000 PM",,"11/1/2021, 4:09:20.582 PM",docx,19249,Classification,System,"[""EU National Identification Number"",""France National ID Card (CNI)""]",2,,,,,PurviewDataSensitivityLogs,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourcegroups/purview-sentinel-bug-bash/providers/microsoft.purview/accounts/sentinel-bug-bash-eastus2 -d80e74e9-da11-4572-babc-79349f7685cc,"11/1/2021, 4:12:39.700 PM",00000000-0000-0000-0000-000000000000,DataSensitivityLogEvent,72f988bf-86f1-41af-91ab-2d7cd011db47,458b9821-8f00-483f-acf9-ff6ab17332c4,Sentinel-Bug-Bash-EastUS2,eastus2,AzureBlob-Bc2,AzureBlob,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourceGroups/classification-test/providers/Microsoft.Storage/storageAccounts/aipclptest,458b9821-8f00-483f-acf9-ff6ab17332c4,eastus,BugBashTest,,fr-cni.docx,https://aipclptest.blob.core.windows.net/aipscan/PII/fr-cni.docx,File,"2/13/2020, 7:54:22.000 PM","2/13/2020, 7:54:22.000 PM",,"11/1/2021, 4:09:20.582 PM",docx,19249,Labeling,External,[],0,f42aa342-8706-4288-bd11-ebb85995028c,General,,,PurviewDataSensitivityLogs,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourcegroups/purview-sentinel-bug-bash/providers/microsoft.purview/accounts/sentinel-bug-bash-eastus2 -d80e74e9-da11-4572-babc-79349f7685cc,"11/1/2021, 4:12:39.701 PM",00000000-0000-0000-0000-000000000000,DataSensitivityLogEvent,72f988bf-86f1-41af-91ab-2d7cd011db47,458b9821-8f00-483f-acf9-ff6ab17332c4,Sentinel-Bug-Bash-EastUS2,eastus2,AzureBlob-Bc2,AzureBlob,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourceGroups/classification-test/providers/Microsoft.Storage/storageAccounts/aipclptest,458b9821-8f00-483f-acf9-ff6ab17332c4,eastus,BugBashTest,,sw-id.docx,https://aipclptest.blob.core.windows.net/aipscan/PII/sw-id.docx,File,"2/13/2020, 7:54:22.000 PM","2/13/2020, 7:54:22.000 PM",,"11/1/2021, 4:09:20.613 PM",docx,18718,Classification,System,"[""EU Social Security Number (SSN) or Equivalent ID"",""EU Tax Identification Number (TIN)""]",2,,,,,PurviewDataSensitivityLogs,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourcegroups/purview-sentinel-bug-bash/providers/microsoft.purview/accounts/sentinel-bug-bash-eastus2 -d80e74e9-da11-4572-babc-79349f7685cc,"11/1/2021, 4:12:39.701 PM",00000000-0000-0000-0000-000000000000,DataSensitivityLogEvent,72f988bf-86f1-41af-91ab-2d7cd011db47,458b9821-8f00-483f-acf9-ff6ab17332c4,Sentinel-Bug-Bash-EastUS2,eastus2,AzureBlob-Bc2,AzureBlob,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourceGroups/classification-test/providers/Microsoft.Storage/storageAccounts/aipclptest,458b9821-8f00-483f-acf9-ff6ab17332c4,eastus,BugBashTest,,sw-id.docx,https://aipclptest.blob.core.windows.net/aipscan/PII/sw-id.docx,File,"2/13/2020, 7:54:22.000 PM","2/13/2020, 7:54:22.000 PM",,"11/1/2021, 4:09:20.613 PM",docx,18718,Labeling,External,[],0,f42aa342-8706-4288-bd11-ebb85995028c,General,,,PurviewDataSensitivityLogs,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourcegroups/purview-sentinel-bug-bash/providers/microsoft.purview/accounts/sentinel-bug-bash-eastus2 -d80e74e9-da11-4572-babc-79349f7685cc,"11/1/2021, 4:12:39.701 PM",00000000-0000-0000-0000-000000000000,DataSensitivityLogEvent,72f988bf-86f1-41af-91ab-2d7cd011db47,458b9821-8f00-483f-acf9-ff6ab17332c4,Sentinel-Bug-Bash-EastUS2,eastus2,AzureBlob-Bc2,AzureBlob,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourceGroups/classification-test/providers/Microsoft.Storage/storageAccounts/aipclptest,458b9821-8f00-483f-acf9-ff6ab17332c4,eastus,BugBashTest,,fi-id.docx,https://aipclptest.blob.core.windows.net/aipscan/PII/fi-id.docx,File,"2/13/2020, 7:54:22.000 PM","2/13/2020, 7:54:22.000 PM",,"11/1/2021, 4:09:20.879 PM",docx,18792,Classification,System,"[""EU National Identification Number"",""EU Social Security Number (SSN) or Equivalent ID"",""EU Tax Identification Number (TIN)"",""Finland National ID""]",4,,,,,PurviewDataSensitivityLogs,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourcegroups/purview-sentinel-bug-bash/providers/microsoft.purview/accounts/sentinel-bug-bash-eastus2 -d80e74e9-da11-4572-babc-79349f7685cc,"11/1/2021, 4:12:39.701 PM",00000000-0000-0000-0000-000000000000,DataSensitivityLogEvent,72f988bf-86f1-41af-91ab-2d7cd011db47,458b9821-8f00-483f-acf9-ff6ab17332c4,Sentinel-Bug-Bash-EastUS2,eastus2,AzureBlob-Bc2,AzureBlob,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourceGroups/classification-test/providers/Microsoft.Storage/storageAccounts/aipclptest,458b9821-8f00-483f-acf9-ff6ab17332c4,eastus,BugBashTest,,fi-id.docx,https://aipclptest.blob.core.windows.net/aipscan/PII/fi-id.docx,File,"2/13/2020, 7:54:22.000 PM","2/13/2020, 7:54:22.000 PM",,"11/1/2021, 4:09:20.879 PM",docx,18792,Labeling,External,[],0,f42aa342-8706-4288-bd11-ebb85995028c,General,,,PurviewDataSensitivityLogs,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourcegroups/purview-sentinel-bug-bash/providers/microsoft.purview/accounts/sentinel-bug-bash-eastus2 -d80e74e9-da11-4572-babc-79349f7685cc,"11/1/2021, 4:12:39.701 PM",00000000-0000-0000-0000-000000000000,DataSensitivityLogEvent,72f988bf-86f1-41af-91ab-2d7cd011db47,458b9821-8f00-483f-acf9-ff6ab17332c4,Sentinel-Bug-Bash-EastUS2,eastus2,AzureBlob-Bc2,AzureBlob,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourceGroups/classification-test/providers/Microsoft.Storage/storageAccounts/aipclptest,458b9821-8f00-483f-acf9-ff6ab17332c4,eastus,BugBashTest,,el-id.docx,https://aipclptest.blob.core.windows.net/aipscan/PII/el-id.docx,File,"2/13/2020, 7:54:22.000 PM","2/13/2020, 7:54:22.000 PM",,"11/1/2021, 4:09:20.801 PM",docx,18834,Classification,System,"[""EU National Identification Number"",""Greece National ID Card""]",2,,,,,PurviewDataSensitivityLogs,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourcegroups/purview-sentinel-bug-bash/providers/microsoft.purview/accounts/sentinel-bug-bash-eastus2 -d80e74e9-da11-4572-babc-79349f7685cc,"11/1/2021, 4:12:39.701 PM",00000000-0000-0000-0000-000000000000,DataSensitivityLogEvent,72f988bf-86f1-41af-91ab-2d7cd011db47,458b9821-8f00-483f-acf9-ff6ab17332c4,Sentinel-Bug-Bash-EastUS2,eastus2,AzureBlob-Bc2,AzureBlob,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourceGroups/classification-test/providers/Microsoft.Storage/storageAccounts/aipclptest,458b9821-8f00-483f-acf9-ff6ab17332c4,eastus,BugBashTest,,el-id.docx,https://aipclptest.blob.core.windows.net/aipscan/PII/el-id.docx,File,"2/13/2020, 7:54:22.000 PM","2/13/2020, 7:54:22.000 PM",,"11/1/2021, 4:09:20.801 PM",docx,18834,Labeling,External,[],0,f42aa342-8706-4288-bd11-ebb85995028c,General,,,PurviewDataSensitivityLogs,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourcegroups/purview-sentinel-bug-bash/providers/microsoft.purview/accounts/sentinel-bug-bash-eastus2 -d80e74e9-da11-4572-babc-79349f7685cc,"11/1/2021, 4:12:39.702 PM",00000000-0000-0000-0000-000000000000,DataSensitivityLogEvent,72f988bf-86f1-41af-91ab-2d7cd011db47,458b9821-8f00-483f-acf9-ff6ab17332c4,Sentinel-Bug-Bash-EastUS2,eastus2,AzureBlob-Bc2,AzureBlob,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourceGroups/classification-test/providers/Microsoft.Storage/storageAccounts/aipclptest,458b9821-8f00-483f-acf9-ff6ab17332c4,eastus,BugBashTest,,denmark.txt,https://aipclptest.blob.core.windows.net/aashishr01/denmark.txt,File,"12/11/2020, 8:59:35.000 PM","12/11/2020, 8:59:35.000 PM",,"11/1/2021, 4:09:09.716 PM",txt,128,Classification,System,"[""EU National Identification Number""]",1,,,,,PurviewDataSensitivityLogs,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourcegroups/purview-sentinel-bug-bash/providers/microsoft.purview/accounts/sentinel-bug-bash-eastus2 -d80e74e9-da11-4572-babc-79349f7685cc,"11/1/2021, 4:12:39.708 PM",00000000-0000-0000-0000-000000000000,DataSensitivityLogEvent,72f988bf-86f1-41af-91ab-2d7cd011db47,458b9821-8f00-483f-acf9-ff6ab17332c4,Sentinel-Bug-Bash-EastUS2,eastus2,AzureBlob-Bc2,AzureBlob,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourceGroups/classification-test/providers/Microsoft.Storage/storageAccounts/aipclptest,458b9821-8f00-483f-acf9-ff6ab17332c4,eastus,BugBashTest,,pl-id.docx,https://aipclptest.blob.core.windows.net/aipscan/PII/pl-id.docx,File,"2/13/2020, 7:54:22.000 PM","2/13/2020, 7:54:22.000 PM",,"11/1/2021, 4:09:20.535 PM",docx,18804,Classification,System,"[""EU National Identification Number"",""Poland Identity Card""]",2,,,,,PurviewDataSensitivityLogs,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourcegroups/purview-sentinel-bug-bash/providers/microsoft.purview/accounts/sentinel-bug-bash-eastus2 -d80e74e9-da11-4572-babc-79349f7685cc,"11/1/2021, 4:12:39.708 PM",00000000-0000-0000-0000-000000000000,DataSensitivityLogEvent,72f988bf-86f1-41af-91ab-2d7cd011db47,458b9821-8f00-483f-acf9-ff6ab17332c4,Sentinel-Bug-Bash-EastUS2,eastus2,AzureBlob-Bc2,AzureBlob,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourceGroups/classification-test/providers/Microsoft.Storage/storageAccounts/aipclptest,458b9821-8f00-483f-acf9-ff6ab17332c4,eastus,BugBashTest,,pl-id.docx,https://aipclptest.blob.core.windows.net/aipscan/PII/pl-id.docx,File,"2/13/2020, 7:54:22.000 PM","2/13/2020, 7:54:22.000 PM",,"11/1/2021, 4:09:20.535 PM",docx,18804,Labeling,External,[],0,f42aa342-8706-4288-bd11-ebb85995028c,General,,,PurviewDataSensitivityLogs,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourcegroups/purview-sentinel-bug-bash/providers/microsoft.purview/accounts/sentinel-bug-bash-eastus2 -d80e74e9-da11-4572-babc-79349f7685cc,"11/1/2021, 4:12:39.708 PM",00000000-0000-0000-0000-000000000000,DataSensitivityLogEvent,72f988bf-86f1-41af-91ab-2d7cd011db47,458b9821-8f00-483f-acf9-ff6ab17332c4,Sentinel-Bug-Bash-EastUS2,eastus2,AzureBlob-Bc2,AzureBlob,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourceGroups/classification-test/providers/Microsoft.Storage/storageAccounts/aipclptest,458b9821-8f00-483f-acf9-ff6ab17332c4,eastus,BugBashTest,,uk-nino.docx,https://aipclptest.blob.core.windows.net/aashishr01/uk-nino.docx,File,"12/11/2020, 8:59:35.000 PM","12/11/2020, 8:59:35.000 PM",,"11/1/2021, 4:09:09.732 PM",docx,26184,Classification,System,"[""EU National Identification Number"",""U.K. National Insurance Number (NINO)""]",2,,,,,PurviewDataSensitivityLogs,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourcegroups/purview-sentinel-bug-bash/providers/microsoft.purview/accounts/sentinel-bug-bash-eastus2 -d80e74e9-da11-4572-babc-79349f7685cc,"11/1/2021, 4:12:39.715 PM",00000000-0000-0000-0000-000000000000,DataSensitivityLogEvent,72f988bf-86f1-41af-91ab-2d7cd011db47,458b9821-8f00-483f-acf9-ff6ab17332c4,Sentinel-Bug-Bash-EastUS2,eastus2,AzureBlob-Bc2,AzureBlob,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourceGroups/classification-test/providers/Microsoft.Storage/storageAccounts/aipclptest,458b9821-8f00-483f-acf9-ff6ab17332c4,eastus,BugBashTest,,Customers registration form.docx,https://aipclptest.blob.core.windows.net/aipscan/CustomerData/Customers registration form.docx,File,"2/13/2020, 7:53:51.000 PM","2/13/2020, 7:53:51.000 PM",,"11/1/2021, 4:09:20.395 PM",docx,17409,Classification,System,"[""Austria Driver's License Number"",""Belgium Driver's License Number"",""Bulgaria Passport Number"",""Credit Card Number"",""Croatia Driver's License Number"",""Croatia Passport Number"",""Cyprus Driver's License Number"",""Cyprus Identity Card"",""Czech Personal Identity Number"",""Czech Republic Passport Number"",""Denmark Driver's License Number"",""Denmark Passport Number"",""Denmark Personal Identification Number"",""EU Debit Card Number"",""EU Driver's License Number"",""EU National Identification Number"",""EU Passport Number"",""EU Social Security Number (SSN) or Equivalent ID"",""EU Tax Identification Number (TIN)"",""Finland Driver's License Number"",""Finland National ID"",""Finland Passport Number"",""France Driver's License Number"",""France National ID Card (CNI)"",""France Social Security Number (INSEE)"",""German Driver's License Number"",""German Passport Number"",""Germany Identity Card Number"",""Greece National ID Card"",""Greece Passport Number"",""Hungary Passport Number"",""IP Address"",""Ireland Passport Number"",""Ireland Personal Public Service (PPS) Number"",""Italy Driver's License Number"",""Italy Passport Number"",""Japan Driver's License Number"",""Japan Passport Number"",""Lithuania Driver's License Number"",""Lithuania Passport Number"",""Malaysia Identity Card Number"",""Malta Driver's License Number"",""Netherlands Passport Number"",""Poland Identity Card"",""Romania Passport Number"",""Russian Passport Number (Domestic)"",""Russian Passport Number (International)"",""Slovakia Driver's License Number"",""Slovakia Passport Number"",""Slovakia Personal Number"",""Slovenia Passport Number"",""Spain Social Security Number (SSN)"",""Sweden Driver's License Number"",""Sweden Passport Number"",""Taiwan Passport Number"",""U.K. Driver's License Number"",""U.K. National Health Service Number"",""U.K. National Insurance Number (NINO)"",""U.S. / U.K. Passport Number"",""Ukraine Passport Number (Domestic)""]",60,,,,,PurviewDataSensitivityLogs,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourcegroups/purview-sentinel-bug-bash/providers/microsoft.purview/accounts/sentinel-bug-bash-eastus2 -d80e74e9-da11-4572-babc-79349f7685cc,"11/1/2021, 4:12:39.723 PM",00000000-0000-0000-0000-000000000000,DataSensitivityLogEvent,72f988bf-86f1-41af-91ab-2d7cd011db47,458b9821-8f00-483f-acf9-ff6ab17332c4,Sentinel-Bug-Bash-EastUS2,eastus2,AzureBlob-Bc2,AzureBlob,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourceGroups/classification-test/providers/Microsoft.Storage/storageAccounts/aipclptest,458b9821-8f00-483f-acf9-ff6ab17332c4,eastus,BugBashTest,,ir-pps.docx,https://aipclptest.blob.core.windows.net/aipscan/PII/ir-pps.docx,File,"2/13/2020, 7:54:22.000 PM","2/13/2020, 7:54:22.000 PM",,"11/1/2021, 4:09:20.988 PM",docx,18806,Classification,System,"[""EU National Identification Number"",""EU Tax Identification Number (TIN)"",""Ireland Personal Public Service (PPS) Number""]",3,,,,,PurviewDataSensitivityLogs,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourcegroups/purview-sentinel-bug-bash/providers/microsoft.purview/accounts/sentinel-bug-bash-eastus2 -d80e74e9-da11-4572-babc-79349f7685cc,"11/1/2021, 4:12:39.723 PM",00000000-0000-0000-0000-000000000000,DataSensitivityLogEvent,72f988bf-86f1-41af-91ab-2d7cd011db47,458b9821-8f00-483f-acf9-ff6ab17332c4,Sentinel-Bug-Bash-EastUS2,eastus2,AzureBlob-Bc2,AzureBlob,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourceGroups/classification-test/providers/Microsoft.Storage/storageAccounts/aipclptest,458b9821-8f00-483f-acf9-ff6ab17332c4,eastus,BugBashTest,,ir-pps.docx,https://aipclptest.blob.core.windows.net/aipscan/PII/ir-pps.docx,File,"2/13/2020, 7:54:22.000 PM","2/13/2020, 7:54:22.000 PM",,"11/1/2021, 4:09:20.988 PM",docx,18806,Labeling,External,[],0,f42aa342-8706-4288-bd11-ebb85995028c,General,,,PurviewDataSensitivityLogs,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourcegroups/purview-sentinel-bug-bash/providers/microsoft.purview/accounts/sentinel-bug-bash-eastus2 -d80e74e9-da11-4572-babc-79349f7685cc,"11/1/2021, 4:12:39.723 PM",00000000-0000-0000-0000-000000000000,DataSensitivityLogEvent,72f988bf-86f1-41af-91ab-2d7cd011db47,458b9821-8f00-483f-acf9-ff6ab17332c4,Sentinel-Bug-Bash-EastUS2,eastus2,AzureBlob-Bc2,AzureBlob,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourceGroups/classification-test/providers/Microsoft.Storage/storageAccounts/aipclptest,458b9821-8f00-483f-acf9-ff6ab17332c4,eastus,BugBashTest,,uk-nino.docx,https://aipclptest.blob.core.windows.net/aipscan/PII/uk-nino.docx,File,"2/13/2020, 7:54:22.000 PM","2/13/2020, 7:54:22.000 PM",,"11/1/2021, 4:09:20.957 PM",docx,18847,Classification,System,"[""EU National Identification Number"",""U.K. National Insurance Number (NINO)""]",2,,,,,PurviewDataSensitivityLogs,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourcegroups/purview-sentinel-bug-bash/providers/microsoft.purview/accounts/sentinel-bug-bash-eastus2 -d80e74e9-da11-4572-babc-79349f7685cc,"11/1/2021, 4:12:39.723 PM",00000000-0000-0000-0000-000000000000,DataSensitivityLogEvent,72f988bf-86f1-41af-91ab-2d7cd011db47,458b9821-8f00-483f-acf9-ff6ab17332c4,Sentinel-Bug-Bash-EastUS2,eastus2,AzureBlob-Bc2,AzureBlob,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourceGroups/classification-test/providers/Microsoft.Storage/storageAccounts/aipclptest,458b9821-8f00-483f-acf9-ff6ab17332c4,eastus,BugBashTest,,uk-nino.docx,https://aipclptest.blob.core.windows.net/aipscan/PII/uk-nino.docx,File,"2/13/2020, 7:54:22.000 PM","2/13/2020, 7:54:22.000 PM",,"11/1/2021, 4:09:20.957 PM",docx,18847,Labeling,External,[],0,f42aa342-8706-4288-bd11-ebb85995028c,General,,,PurviewDataSensitivityLogs,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourcegroups/purview-sentinel-bug-bash/providers/microsoft.purview/accounts/sentinel-bug-bash-eastus2 -d80e74e9-da11-4572-babc-79349f7685cc,"11/1/2021, 4:12:39.724 PM",00000000-0000-0000-0000-000000000000,DataSensitivityLogEvent,72f988bf-86f1-41af-91ab-2d7cd011db47,458b9821-8f00-483f-acf9-ff6ab17332c4,Sentinel-Bug-Bash-EastUS2,eastus2,AzureBlob-Bc2,AzureBlob,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourceGroups/classification-test/providers/Microsoft.Storage/storageAccounts/aipclptest,458b9821-8f00-483f-acf9-ff6ab17332c4,eastus,BugBashTest,,finland.txt,https://aipclptest.blob.core.windows.net/aipscan/PII/finland.txt,File,"2/13/2020, 7:54:22.000 PM","2/13/2020, 7:54:22.000 PM",,"11/1/2021, 4:09:20.535 PM",txt,89,Classification,System,"[""EU National Identification Number"",""EU Social Security Number (SSN) or Equivalent ID"",""EU Tax Identification Number (TIN)"",""Finland National ID""]",4,,,,,PurviewDataSensitivityLogs,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourcegroups/purview-sentinel-bug-bash/providers/microsoft.purview/accounts/sentinel-bug-bash-eastus2 -d80e74e9-da11-4572-babc-79349f7685cc,"11/1/2021, 4:12:39.731 PM",00000000-0000-0000-0000-000000000000,DataSensitivityLogEvent,72f988bf-86f1-41af-91ab-2d7cd011db47,458b9821-8f00-483f-acf9-ff6ab17332c4,Sentinel-Bug-Bash-EastUS2,eastus2,AzureBlob-Bc2,AzureBlob,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourceGroups/classification-test/providers/Microsoft.Storage/storageAccounts/aipclptest,458b9821-8f00-483f-acf9-ff6ab17332c4,eastus,BugBashTest,,Customers data2017.docx,https://aipclptest.blob.core.windows.net/aipscan/CustomerData/Customers data2017.docx,File,"2/13/2020, 7:53:51.000 PM","2/13/2020, 7:53:51.000 PM",,"11/1/2021, 4:09:20.363 PM",docx,12295,Classification,System,"[""Belgium Driver's License Number"",""Credit Card Number"",""EU Debit Card Number"",""EU Driver's License Number"",""EU National Identification Number"",""EU Social Security Number (SSN) or Equivalent ID"",""German Driver's License Number"",""Germany Identity Card Number"",""Greece National ID Card""]",9,,,,,PurviewDataSensitivityLogs,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourcegroups/purview-sentinel-bug-bash/providers/microsoft.purview/accounts/sentinel-bug-bash-eastus2 -d80e74e9-da11-4572-babc-79349f7685cc,"11/1/2021, 4:12:39.738 PM",00000000-0000-0000-0000-000000000000,DataSensitivityLogEvent,72f988bf-86f1-41af-91ab-2d7cd011db47,458b9821-8f00-483f-acf9-ff6ab17332c4,Sentinel-Bug-Bash-EastUS2,eastus2,AzureBlob-Bc2,AzureBlob,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourceGroups/classification-test/providers/Microsoft.Storage/storageAccounts/aipclptest,458b9821-8f00-483f-acf9-ff6ab17332c4,eastus,BugBashTest,,fr-drv.docx,https://aipclptest.blob.core.windows.net/aipscan/HR/fr-drv.docx,File,"2/13/2020, 7:54:12.000 PM","2/13/2020, 7:54:12.000 PM",,"11/1/2021, 4:09:21.348 PM",docx,20154,Classification,System,"[""Cyprus Driver's License Number"",""EU Driver's License Number"",""France Driver's License Number"",""Japan Driver's License Number""]",4,,,,,PurviewDataSensitivityLogs,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourcegroups/purview-sentinel-bug-bash/providers/microsoft.purview/accounts/sentinel-bug-bash-eastus2 -d80e74e9-da11-4572-babc-79349f7685cc,"11/1/2021, 4:12:39.738 PM",00000000-0000-0000-0000-000000000000,DataSensitivityLogEvent,72f988bf-86f1-41af-91ab-2d7cd011db47,458b9821-8f00-483f-acf9-ff6ab17332c4,Sentinel-Bug-Bash-EastUS2,eastus2,AzureBlob-Bc2,AzureBlob,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourceGroups/classification-test/providers/Microsoft.Storage/storageAccounts/aipclptest,458b9821-8f00-483f-acf9-ff6ab17332c4,eastus,BugBashTest,,fr-drv.docx,https://aipclptest.blob.core.windows.net/aipscan/HR/fr-drv.docx,File,"2/13/2020, 7:54:12.000 PM","2/13/2020, 7:54:12.000 PM",,"11/1/2021, 4:09:21.348 PM",docx,20154,Labeling,External,[],0,f42aa342-8706-4288-bd11-ebb85995028c,General,,,PurviewDataSensitivityLogs,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourcegroups/purview-sentinel-bug-bash/providers/microsoft.purview/accounts/sentinel-bug-bash-eastus2 -d80e74e9-da11-4572-babc-79349f7685cc,"11/1/2021, 4:12:39.738 PM",00000000-0000-0000-0000-000000000000,DataSensitivityLogEvent,72f988bf-86f1-41af-91ab-2d7cd011db47,458b9821-8f00-483f-acf9-ff6ab17332c4,Sentinel-Bug-Bash-EastUS2,eastus2,AzureBlob-Bc2,AzureBlob,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourceGroups/classification-test/providers/Microsoft.Storage/storageAccounts/aipclptest,458b9821-8f00-483f-acf9-ff6ab17332c4,eastus,BugBashTest,,IR.txt,https://aipclptest.blob.core.windows.net/aipscan/HR/IR.txt,File,"2/13/2020, 7:54:12.000 PM","2/13/2020, 7:54:12.000 PM",,"11/1/2021, 4:09:21.192 PM",txt,197,Classification,System,"[""EU National Identification Number"",""EU Tax Identification Number (TIN)"",""Ireland Personal Public Service (PPS) Number""]",3,,,,,PurviewDataSensitivityLogs,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourcegroups/purview-sentinel-bug-bash/providers/microsoft.purview/accounts/sentinel-bug-bash-eastus2 -d80e74e9-da11-4572-babc-79349f7685cc,"11/1/2021, 4:12:39.859 PM",00000000-0000-0000-0000-000000000000,DataSensitivityLogEvent,72f988bf-86f1-41af-91ab-2d7cd011db47,458b9821-8f00-483f-acf9-ff6ab17332c4,Sentinel-Bug-Bash-EastUS2,eastus2,AzureBlob-Bc2,AzureBlob,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourceGroups/classification-test/providers/Microsoft.Storage/storageAccounts/aipclptest,458b9821-8f00-483f-acf9-ff6ab17332c4,eastus,BugBashTest,,germany.txt,https://aipclptest.blob.core.windows.net/aipscan/PII/germany.txt,File,"2/13/2020, 7:54:22.000 PM","2/13/2020, 7:54:22.000 PM",,"11/1/2021, 4:09:20.770 PM",txt,42,Classification,System,"[""EU National Identification Number"",""EU Social Security Number (SSN) or Equivalent ID"",""Germany Identity Card Number""]",3,,,,,PurviewDataSensitivityLogs,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourcegroups/purview-sentinel-bug-bash/providers/microsoft.purview/accounts/sentinel-bug-bash-eastus2 -d80e74e9-da11-4572-babc-79349f7685cc,"11/1/2021, 4:12:39.867 PM",00000000-0000-0000-0000-000000000000,DataSensitivityLogEvent,72f988bf-86f1-41af-91ab-2d7cd011db47,458b9821-8f00-483f-acf9-ff6ab17332c4,Sentinel-Bug-Bash-EastUS2,eastus2,AzureBlob-Bc2,AzureBlob,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourceGroups/classification-test/providers/Microsoft.Storage/storageAccounts/aipclptest,458b9821-8f00-483f-acf9-ff6ab17332c4,eastus,BugBashTest,,EL.txt,https://aipclptest.blob.core.windows.net/joselw-test/EL.txt,File,"8/16/2021, 8:56:14.000 PM","8/16/2021, 8:56:14.000 PM",,"11/1/2021, 4:09:14.688 PM",txt,200,Classification,System,"[""EU National Identification Number"",""Greece National ID Card""]",2,,,,,PurviewDataSensitivityLogs,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourcegroups/purview-sentinel-bug-bash/providers/microsoft.purview/accounts/sentinel-bug-bash-eastus2 -d80e74e9-da11-4572-babc-79349f7685cc,"11/1/2021, 4:12:39.874 PM",00000000-0000-0000-0000-000000000000,DataSensitivityLogEvent,72f988bf-86f1-41af-91ab-2d7cd011db47,458b9821-8f00-483f-acf9-ff6ab17332c4,Sentinel-Bug-Bash-EastUS2,eastus2,AzureBlob-Bc2,AzureBlob,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourceGroups/classification-test/providers/Microsoft.Storage/storageAccounts/aipclptest,458b9821-8f00-483f-acf9-ff6ab17332c4,eastus,BugBashTest,,es-ssn.docx,https://aipclptest.blob.core.windows.net/joselw-test/es-ssn.docx,File,"8/16/2021, 8:56:14.000 PM","8/16/2021, 8:56:14.000 PM",,"11/1/2021, 4:09:14.688 PM",docx,19548,Classification,System,"[""Spain Social Security Number (SSN)""]",1,,,,,PurviewDataSensitivityLogs,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourcegroups/purview-sentinel-bug-bash/providers/microsoft.purview/accounts/sentinel-bug-bash-eastus2 -d80e74e9-da11-4572-babc-79349f7685cc,"11/1/2021, 4:12:39.882 PM",00000000-0000-0000-0000-000000000000,DataSensitivityLogEvent,72f988bf-86f1-41af-91ab-2d7cd011db47,458b9821-8f00-483f-acf9-ff6ab17332c4,Sentinel-Bug-Bash-EastUS2,eastus2,AzureBlob-Bc2,AzureBlob,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourceGroups/classification-test/providers/Microsoft.Storage/storageAccounts/aipclptest,458b9821-8f00-483f-acf9-ff6ab17332c4,eastus,BugBashTest,,dk-id.docx,https://aipclptest.blob.core.windows.net/aipscan/PII/dk-id.docx,File,"2/13/2020, 7:54:22.000 PM","2/13/2020, 7:54:22.000 PM",,"11/1/2021, 4:09:20.629 PM",docx,18756,Classification,System,"[""Denmark Personal Identification Number"",""EU National Identification Number"",""EU Social Security Number (SSN) or Equivalent ID"",""EU Tax Identification Number (TIN)""]",4,,,,,PurviewDataSensitivityLogs,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourcegroups/purview-sentinel-bug-bash/providers/microsoft.purview/accounts/sentinel-bug-bash-eastus2 -d80e74e9-da11-4572-babc-79349f7685cc,"11/1/2021, 4:12:39.882 PM",00000000-0000-0000-0000-000000000000,DataSensitivityLogEvent,72f988bf-86f1-41af-91ab-2d7cd011db47,458b9821-8f00-483f-acf9-ff6ab17332c4,Sentinel-Bug-Bash-EastUS2,eastus2,AzureBlob-Bc2,AzureBlob,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourceGroups/classification-test/providers/Microsoft.Storage/storageAccounts/aipclptest,458b9821-8f00-483f-acf9-ff6ab17332c4,eastus,BugBashTest,,dk-id.docx,https://aipclptest.blob.core.windows.net/aipscan/PII/dk-id.docx,File,"2/13/2020, 7:54:22.000 PM","2/13/2020, 7:54:22.000 PM",,"11/1/2021, 4:09:20.629 PM",docx,18756,Labeling,External,[],0,f42aa342-8706-4288-bd11-ebb85995028c,General,,,PurviewDataSensitivityLogs,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourcegroups/purview-sentinel-bug-bash/providers/microsoft.purview/accounts/sentinel-bug-bash-eastus2 -d80e74e9-da11-4572-babc-79349f7685cc,"11/1/2021, 4:12:39.883 PM",00000000-0000-0000-0000-000000000000,DataSensitivityLogEvent,72f988bf-86f1-41af-91ab-2d7cd011db47,458b9821-8f00-483f-acf9-ff6ab17332c4,Sentinel-Bug-Bash-EastUS2,eastus2,AzureBlob-Bc2,AzureBlob,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourceGroups/classification-test/providers/Microsoft.Storage/storageAccounts/aipclptest,458b9821-8f00-483f-acf9-ff6ab17332c4,eastus,BugBashTest,,multiple.docx,https://aipclptest.blob.core.windows.net/joselw-test/multiple.docx,File,"8/16/2021, 8:56:13.000 PM","8/16/2021, 8:56:13.000 PM",,"11/1/2021, 4:09:14.438 PM",docx,17817,Classification,System,"[""EU National Identification Number"",""EU Social Security Number (SSN) or Equivalent ID"",""EU Tax Identification Number (TIN)"",""Finland National ID"",""Germany Identity Card Number"",""Greece National ID Card"",""Ireland Personal Public Service (PPS) Number""]",7,,,,,PurviewDataSensitivityLogs,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourcegroups/purview-sentinel-bug-bash/providers/microsoft.purview/accounts/sentinel-bug-bash-eastus2 -d80e74e9-da11-4572-babc-79349f7685cc,"11/1/2021, 4:12:39.891 PM",00000000-0000-0000-0000-000000000000,DataSensitivityLogEvent,72f988bf-86f1-41af-91ab-2d7cd011db47,458b9821-8f00-483f-acf9-ff6ab17332c4,Sentinel-Bug-Bash-EastUS2,eastus2,AzureBlob-Bc2,AzureBlob,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourceGroups/classification-test/providers/Microsoft.Storage/storageAccounts/aipclptest,458b9821-8f00-483f-acf9-ff6ab17332c4,eastus,BugBashTest,,cz.txt,https://aipclptest.blob.core.windows.net/aipscan/PII/cz.txt,File,"2/13/2020, 7:54:22.000 PM","2/13/2020, 7:54:22.000 PM",,"11/1/2021, 4:09:21.004 PM",txt,124,Classification,System,"[""EU National Identification Number"",""EU Social Security Number (SSN) or Equivalent ID""]",2,,,,,PurviewDataSensitivityLogs,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourcegroups/purview-sentinel-bug-bash/providers/microsoft.purview/accounts/sentinel-bug-bash-eastus2 -d80e74e9-da11-4572-babc-79349f7685cc,"11/1/2021, 4:12:39.898 PM",00000000-0000-0000-0000-000000000000,DataSensitivityLogEvent,72f988bf-86f1-41af-91ab-2d7cd011db47,458b9821-8f00-483f-acf9-ff6ab17332c4,Sentinel-Bug-Bash-EastUS2,eastus2,AzureBlob-Bc2,AzureBlob,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourceGroups/classification-test/providers/Microsoft.Storage/storageAccounts/aipclptest,458b9821-8f00-483f-acf9-ff6ab17332c4,eastus,BugBashTest,,dk-id.docx,https://aipclptest.blob.core.windows.net/aipscan/HR/dk-id.docx,File,"2/13/2020, 7:54:12.000 PM","2/13/2020, 7:54:12.000 PM",,"11/1/2021, 4:09:21.129 PM",docx,20162,Classification,System,"[""Denmark Personal Identification Number"",""EU National Identification Number"",""EU Social Security Number (SSN) or Equivalent ID"",""EU Tax Identification Number (TIN)""]",4,,,,,PurviewDataSensitivityLogs,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourcegroups/purview-sentinel-bug-bash/providers/microsoft.purview/accounts/sentinel-bug-bash-eastus2 -d80e74e9-da11-4572-babc-79349f7685cc,"11/1/2021, 4:12:39.898 PM",00000000-0000-0000-0000-000000000000,DataSensitivityLogEvent,72f988bf-86f1-41af-91ab-2d7cd011db47,458b9821-8f00-483f-acf9-ff6ab17332c4,Sentinel-Bug-Bash-EastUS2,eastus2,AzureBlob-Bc2,AzureBlob,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourceGroups/classification-test/providers/Microsoft.Storage/storageAccounts/aipclptest,458b9821-8f00-483f-acf9-ff6ab17332c4,eastus,BugBashTest,,dk-id.docx,https://aipclptest.blob.core.windows.net/aipscan/HR/dk-id.docx,File,"2/13/2020, 7:54:12.000 PM","2/13/2020, 7:54:12.000 PM",,"11/1/2021, 4:09:21.129 PM",docx,20162,Labeling,External,[],0,f42aa342-8706-4288-bd11-ebb85995028c,General,,,PurviewDataSensitivityLogs,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourcegroups/purview-sentinel-bug-bash/providers/microsoft.purview/accounts/sentinel-bug-bash-eastus2 -d80e74e9-da11-4572-babc-79349f7685cc,"11/1/2021, 4:12:39.898 PM",00000000-0000-0000-0000-000000000000,DataSensitivityLogEvent,72f988bf-86f1-41af-91ab-2d7cd011db47,458b9821-8f00-483f-acf9-ff6ab17332c4,Sentinel-Bug-Bash-EastUS2,eastus2,AzureBlob-Bc2,AzureBlob,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourceGroups/classification-test/providers/Microsoft.Storage/storageAccounts/aipclptest,458b9821-8f00-483f-acf9-ff6ab17332c4,eastus,BugBashTest,,multiple.docx,https://aipclptest.blob.core.windows.net/aipscan/PII/multiple.docx,File,"2/13/2020, 7:54:22.000 PM","2/13/2020, 7:54:22.000 PM",,"11/1/2021, 4:09:21.020 PM",docx,17475,Classification,System,"[""EU National Identification Number"",""EU Social Security Number (SSN) or Equivalent ID"",""EU Tax Identification Number (TIN)"",""Finland National ID"",""Germany Identity Card Number"",""Greece National ID Card"",""Ireland Personal Public Service (PPS) Number""]",7,,,,,PurviewDataSensitivityLogs,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourcegroups/purview-sentinel-bug-bash/providers/microsoft.purview/accounts/sentinel-bug-bash-eastus2 -d80e74e9-da11-4572-babc-79349f7685cc,"11/1/2021, 4:12:39.898 PM",00000000-0000-0000-0000-000000000000,DataSensitivityLogEvent,72f988bf-86f1-41af-91ab-2d7cd011db47,458b9821-8f00-483f-acf9-ff6ab17332c4,Sentinel-Bug-Bash-EastUS2,eastus2,AzureBlob-Bc2,AzureBlob,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourceGroups/classification-test/providers/Microsoft.Storage/storageAccounts/aipclptest,458b9821-8f00-483f-acf9-ff6ab17332c4,eastus,BugBashTest,,multiple.docx,https://aipclptest.blob.core.windows.net/aipscan/PII/multiple.docx,File,"2/13/2020, 7:54:22.000 PM","2/13/2020, 7:54:22.000 PM",,"11/1/2021, 4:09:21.020 PM",docx,17475,Labeling,External,[],0,f42aa342-8706-4288-bd11-ebb85995028c,General,,,PurviewDataSensitivityLogs,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourcegroups/purview-sentinel-bug-bash/providers/microsoft.purview/accounts/sentinel-bug-bash-eastus2 -d80e74e9-da11-4572-babc-79349f7685cc,"11/1/2021, 4:12:39.899 PM",00000000-0000-0000-0000-000000000000,DataSensitivityLogEvent,72f988bf-86f1-41af-91ab-2d7cd011db47,458b9821-8f00-483f-acf9-ff6ab17332c4,Sentinel-Bug-Bash-EastUS2,eastus2,AzureBlob-Bc2,AzureBlob,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourceGroups/classification-test/providers/Microsoft.Storage/storageAccounts/aipclptest,458b9821-8f00-483f-acf9-ff6ab17332c4,eastus,BugBashTest,,cz.txt,https://aipclptest.blob.core.windows.net/joselw-test/cz.txt,File,"8/16/2021, 8:56:14.000 PM","8/16/2021, 8:56:14.000 PM",,"11/1/2021, 4:09:14.438 PM",txt,124,Classification,System,"[""EU National Identification Number"",""EU Social Security Number (SSN) or Equivalent ID""]",2,,,,,PurviewDataSensitivityLogs,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourcegroups/purview-sentinel-bug-bash/providers/microsoft.purview/accounts/sentinel-bug-bash-eastus2 -d80e74e9-da11-4572-babc-79349f7685cc,"11/1/2021, 4:12:39.906 PM",00000000-0000-0000-0000-000000000000,DataSensitivityLogEvent,72f988bf-86f1-41af-91ab-2d7cd011db47,458b9821-8f00-483f-acf9-ff6ab17332c4,Sentinel-Bug-Bash-EastUS2,eastus2,AzureBlob-Bc2,AzureBlob,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourceGroups/classification-test/providers/Microsoft.Storage/storageAccounts/aipclptest,458b9821-8f00-483f-acf9-ff6ab17332c4,eastus,BugBashTest,,multiple.docx,https://aipclptest.blob.core.windows.net/aipscan/HR/multiple.docx,File,"2/13/2020, 7:54:12.000 PM","2/13/2020, 7:54:12.000 PM",,"11/1/2021, 4:09:21.223 PM",docx,18405,Classification,System,"[""EU National Identification Number"",""EU Social Security Number (SSN) or Equivalent ID"",""EU Tax Identification Number (TIN)"",""Finland National ID"",""Germany Identity Card Number"",""Greece National ID Card"",""Ireland Personal Public Service (PPS) Number""]",7,,,,,PurviewDataSensitivityLogs,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourcegroups/purview-sentinel-bug-bash/providers/microsoft.purview/accounts/sentinel-bug-bash-eastus2 -d80e74e9-da11-4572-babc-79349f7685cc,"11/1/2021, 4:12:39.906 PM",00000000-0000-0000-0000-000000000000,DataSensitivityLogEvent,72f988bf-86f1-41af-91ab-2d7cd011db47,458b9821-8f00-483f-acf9-ff6ab17332c4,Sentinel-Bug-Bash-EastUS2,eastus2,AzureBlob-Bc2,AzureBlob,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourceGroups/classification-test/providers/Microsoft.Storage/storageAccounts/aipclptest,458b9821-8f00-483f-acf9-ff6ab17332c4,eastus,BugBashTest,,multiple.docx,https://aipclptest.blob.core.windows.net/aipscan/HR/multiple.docx,File,"2/13/2020, 7:54:12.000 PM","2/13/2020, 7:54:12.000 PM",,"11/1/2021, 4:09:21.223 PM",docx,18405,Labeling,External,[],0,f42aa342-8706-4288-bd11-ebb85995028c,General,,,PurviewDataSensitivityLogs,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourcegroups/purview-sentinel-bug-bash/providers/microsoft.purview/accounts/sentinel-bug-bash-eastus2 -d80e74e9-da11-4572-babc-79349f7685cc,"11/1/2021, 4:12:39.907 PM",00000000-0000-0000-0000-000000000000,DataSensitivityLogEvent,72f988bf-86f1-41af-91ab-2d7cd011db47,458b9821-8f00-483f-acf9-ff6ab17332c4,Sentinel-Bug-Bash-EastUS2,eastus2,AzureBlob-Bc2,AzureBlob,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourceGroups/classification-test/providers/Microsoft.Storage/storageAccounts/aipclptest,458b9821-8f00-483f-acf9-ff6ab17332c4,eastus,BugBashTest,,denmark.txt,https://aipclptest.blob.core.windows.net/joselw-test/denmark.txt,File,"8/16/2021, 8:56:14.000 PM","8/16/2021, 8:56:14.000 PM",,"11/1/2021, 4:09:14.563 PM",txt,128,Classification,System,"[""EU National Identification Number""]",1,,,,,PurviewDataSensitivityLogs,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourcegroups/purview-sentinel-bug-bash/providers/microsoft.purview/accounts/sentinel-bug-bash-eastus2 -d80e74e9-da11-4572-babc-79349f7685cc,"11/1/2021, 4:12:39.913 PM",00000000-0000-0000-0000-000000000000,DataSensitivityLogEvent,72f988bf-86f1-41af-91ab-2d7cd011db47,458b9821-8f00-483f-acf9-ff6ab17332c4,Sentinel-Bug-Bash-EastUS2,eastus2,AzureBlob-Bc2,AzureBlob,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourceGroups/classification-test/providers/Microsoft.Storage/storageAccounts/aipclptest,458b9821-8f00-483f-acf9-ff6ab17332c4,eastus,BugBashTest,,de-drv.docx,https://aipclptest.blob.core.windows.net/aipscan/HR/de-drv.docx,File,"2/13/2020, 7:54:12.000 PM","2/13/2020, 7:54:12.000 PM",,"11/1/2021, 4:09:21.160 PM",docx,20201,Classification,System,"[""EU Driver's License Number"",""German Driver's License Number""]",2,,,,,PurviewDataSensitivityLogs,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourcegroups/purview-sentinel-bug-bash/providers/microsoft.purview/accounts/sentinel-bug-bash-eastus2 -d80e74e9-da11-4572-babc-79349f7685cc,"11/1/2021, 4:12:39.913 PM",00000000-0000-0000-0000-000000000000,DataSensitivityLogEvent,72f988bf-86f1-41af-91ab-2d7cd011db47,458b9821-8f00-483f-acf9-ff6ab17332c4,Sentinel-Bug-Bash-EastUS2,eastus2,AzureBlob-Bc2,AzureBlob,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourceGroups/classification-test/providers/Microsoft.Storage/storageAccounts/aipclptest,458b9821-8f00-483f-acf9-ff6ab17332c4,eastus,BugBashTest,,de-drv.docx,https://aipclptest.blob.core.windows.net/aipscan/HR/de-drv.docx,File,"2/13/2020, 7:54:12.000 PM","2/13/2020, 7:54:12.000 PM",,"11/1/2021, 4:09:21.160 PM",docx,20201,Labeling,External,[],0,f42aa342-8706-4288-bd11-ebb85995028c,General,,,PurviewDataSensitivityLogs,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourcegroups/purview-sentinel-bug-bash/providers/microsoft.purview/accounts/sentinel-bug-bash-eastus2 -d80e74e9-da11-4572-babc-79349f7685cc,"11/1/2021, 4:12:39.913 PM",00000000-0000-0000-0000-000000000000,DataSensitivityLogEvent,72f988bf-86f1-41af-91ab-2d7cd011db47,458b9821-8f00-483f-acf9-ff6ab17332c4,Sentinel-Bug-Bash-EastUS2,eastus2,AzureBlob-Bc2,AzureBlob,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourceGroups/classification-test/providers/Microsoft.Storage/storageAccounts/aipclptest,458b9821-8f00-483f-acf9-ff6ab17332c4,eastus,BugBashTest,,pr-id.docx,https://aipclptest.blob.core.windows.net/aipscan/HR/pr-id.docx,File,"2/13/2020, 7:54:12.000 PM","2/13/2020, 7:54:12.000 PM",,"11/1/2021, 4:09:21.176 PM",docx,20175,Classification,System,"[""EU National Identification Number""]",1,,,,,PurviewDataSensitivityLogs,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourcegroups/purview-sentinel-bug-bash/providers/microsoft.purview/accounts/sentinel-bug-bash-eastus2 -d80e74e9-da11-4572-babc-79349f7685cc,"11/1/2021, 4:12:39.914 PM",00000000-0000-0000-0000-000000000000,DataSensitivityLogEvent,72f988bf-86f1-41af-91ab-2d7cd011db47,458b9821-8f00-483f-acf9-ff6ab17332c4,Sentinel-Bug-Bash-EastUS2,eastus2,AzureBlob-Bc2,AzureBlob,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourceGroups/classification-test/providers/Microsoft.Storage/storageAccounts/aipclptest,458b9821-8f00-483f-acf9-ff6ab17332c4,eastus,BugBashTest,,pr-id.docx,https://aipclptest.blob.core.windows.net/aipscan/HR/pr-id.docx,File,"2/13/2020, 7:54:12.000 PM","2/13/2020, 7:54:12.000 PM",,"11/1/2021, 4:09:21.176 PM",docx,20175,Labeling,External,[],0,f42aa342-8706-4288-bd11-ebb85995028c,General,,,PurviewDataSensitivityLogs,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourcegroups/purview-sentinel-bug-bash/providers/microsoft.purview/accounts/sentinel-bug-bash-eastus2 -d80e74e9-da11-4572-babc-79349f7685cc,"11/1/2021, 4:12:39.914 PM",00000000-0000-0000-0000-000000000000,DataSensitivityLogEvent,72f988bf-86f1-41af-91ab-2d7cd011db47,458b9821-8f00-483f-acf9-ff6ab17332c4,Sentinel-Bug-Bash-EastUS2,eastus2,AzureBlob-Bc2,AzureBlob,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourceGroups/classification-test/providers/Microsoft.Storage/storageAccounts/aipclptest,458b9821-8f00-483f-acf9-ff6ab17332c4,eastus,BugBashTest,,uk-pn.docx,https://aipclptest.blob.core.windows.net/aipscan/PII/uk-pn.docx,File,"2/13/2020, 7:54:22.000 PM","2/13/2020, 7:54:22.000 PM",,"11/1/2021, 4:09:20.426 PM",docx,19004,Classification,System,"[""Bulgaria Passport Number"",""Croatia Passport Number"",""Denmark Passport Number"",""EU Passport Number"",""Ireland Passport Number"",""Italy Passport Number"",""Romania Passport Number"",""Russian Passport Number (International)"",""Taiwan Passport Number"",""U.S. / U.K. Passport Number"",""Ukraine Passport Number (Domestic)""]",11,,,,,PurviewDataSensitivityLogs,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourcegroups/purview-sentinel-bug-bash/providers/microsoft.purview/accounts/sentinel-bug-bash-eastus2 -d80e74e9-da11-4572-babc-79349f7685cc,"11/1/2021, 4:12:39.914 PM",00000000-0000-0000-0000-000000000000,DataSensitivityLogEvent,72f988bf-86f1-41af-91ab-2d7cd011db47,458b9821-8f00-483f-acf9-ff6ab17332c4,Sentinel-Bug-Bash-EastUS2,eastus2,AzureBlob-Bc2,AzureBlob,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourceGroups/classification-test/providers/Microsoft.Storage/storageAccounts/aipclptest,458b9821-8f00-483f-acf9-ff6ab17332c4,eastus,BugBashTest,,uk-pn.docx,https://aipclptest.blob.core.windows.net/aipscan/PII/uk-pn.docx,File,"2/13/2020, 7:54:22.000 PM","2/13/2020, 7:54:22.000 PM",,"11/1/2021, 4:09:20.426 PM",docx,19004,Labeling,External,[],0,f42aa342-8706-4288-bd11-ebb85995028c,General,,,PurviewDataSensitivityLogs,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourcegroups/purview-sentinel-bug-bash/providers/microsoft.purview/accounts/sentinel-bug-bash-eastus2 -d80e74e9-da11-4572-babc-79349f7685cc,"11/1/2021, 4:12:39.914 PM",00000000-0000-0000-0000-000000000000,DataSensitivityLogEvent,72f988bf-86f1-41af-91ab-2d7cd011db47,458b9821-8f00-483f-acf9-ff6ab17332c4,Sentinel-Bug-Bash-EastUS2,eastus2,AzureBlob-Bc2,AzureBlob,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourceGroups/classification-test/providers/Microsoft.Storage/storageAccounts/aipclptest,458b9821-8f00-483f-acf9-ff6ab17332c4,eastus,BugBashTest,,fi-id.docx,https://aipclptest.blob.core.windows.net/joselw-test/fi-id.docx,File,"8/16/2021, 8:56:14.000 PM","8/16/2021, 8:56:14.000 PM",,"11/1/2021, 4:09:14.798 PM",docx,19603,Classification,System,"[""EU National Identification Number"",""EU Social Security Number (SSN) or Equivalent ID"",""EU Tax Identification Number (TIN)"",""Finland National ID""]",4,,,,,PurviewDataSensitivityLogs,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourcegroups/purview-sentinel-bug-bash/providers/microsoft.purview/accounts/sentinel-bug-bash-eastus2 -d80e74e9-da11-4572-babc-79349f7685cc,"11/1/2021, 4:12:39.922 PM",00000000-0000-0000-0000-000000000000,DataSensitivityLogEvent,72f988bf-86f1-41af-91ab-2d7cd011db47,458b9821-8f00-483f-acf9-ff6ab17332c4,Sentinel-Bug-Bash-EastUS2,eastus2,AzureBlob-Bc2,AzureBlob,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourceGroups/classification-test/providers/Microsoft.Storage/storageAccounts/aipclptest,458b9821-8f00-483f-acf9-ff6ab17332c4,eastus,BugBashTest,,Customers DB.xlsx,https://aipclptest.blob.core.windows.net/aipscan/CustomerData/Customers DB.xlsx,File,"2/13/2020, 7:53:51.000 PM","2/13/2020, 7:53:51.000 PM",,"11/1/2021, 4:09:20.395 PM",xlsx,14058,Classification,System,"[""Austria Driver's License Number"",""Belgium Driver's License Number"",""Bulgaria Passport Number"",""Credit Card Number"",""Croatia Driver's License Number"",""Croatia Passport Number"",""Cyprus Driver's License Number"",""Cyprus Identity Card"",""Czech Personal Identity Number"",""Czech Republic Passport Number"",""Denmark Driver's License Number"",""Denmark Passport Number"",""Denmark Personal Identification Number"",""EU Debit Card Number"",""EU Driver's License Number"",""EU National Identification Number"",""EU Passport Number"",""EU Social Security Number (SSN) or Equivalent ID"",""EU Tax Identification Number (TIN)"",""Finland Driver's License Number"",""Finland National ID"",""Finland Passport Number"",""France Driver's License Number"",""France National ID Card (CNI)"",""France Social Security Number (INSEE)"",""German Driver's License Number"",""German Passport Number"",""Germany Identity Card Number"",""Greece National ID Card"",""Greece Passport Number"",""Hungary Passport Number"",""IP Address"",""Ireland Passport Number"",""Ireland Personal Public Service (PPS) Number"",""Italy Driver's License Number"",""Italy Passport Number"",""Japan Driver's License Number"",""Japan Passport Number"",""Lithuania Driver's License Number"",""Lithuania Passport Number"",""Malaysia Identity Card Number"",""Malta Driver's License Number"",""Netherlands Passport Number"",""Poland Identity Card"",""Romania Passport Number"",""Russian Passport Number (Domestic)"",""Russian Passport Number (International)"",""Slovakia Driver's License Number"",""Slovakia Passport Number"",""Slovakia Personal Number"",""Slovenia Passport Number"",""Spain Social Security Number (SSN)"",""Sweden Driver's License Number"",""Sweden Passport Number"",""Taiwan Passport Number"",""U.K. Driver's License Number"",""U.K. Electoral Roll Number"",""U.K. National Health Service Number"",""U.K. National Insurance Number (NINO)"",""U.S. / U.K. Passport Number"",""Ukraine Passport Number (Domestic)""]",61,,,,,PurviewDataSensitivityLogs,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourcegroups/purview-sentinel-bug-bash/providers/microsoft.purview/accounts/sentinel-bug-bash-eastus2 -d80e74e9-da11-4572-babc-79349f7685cc,"11/1/2021, 4:12:39.922 PM",00000000-0000-0000-0000-000000000000,DataSensitivityLogEvent,72f988bf-86f1-41af-91ab-2d7cd011db47,458b9821-8f00-483f-acf9-ff6ab17332c4,Sentinel-Bug-Bash-EastUS2,eastus2,AzureBlob-Bc2,AzureBlob,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourceGroups/classification-test/providers/Microsoft.Storage/storageAccounts/aipclptest,458b9821-8f00-483f-acf9-ff6ab17332c4,eastus,BugBashTest,,Customers DB.xlsx,https://aipclptest.blob.core.windows.net/aipscan/CustomerData/Customers DB.xlsx,File,"2/13/2020, 7:53:51.000 PM","2/13/2020, 7:53:51.000 PM",,"11/1/2021, 4:09:20.395 PM",xlsx,14058,Labeling,External,[],0,f42aa342-8706-4288-bd11-ebb85995028c,General,,,PurviewDataSensitivityLogs,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourcegroups/purview-sentinel-bug-bash/providers/microsoft.purview/accounts/sentinel-bug-bash-eastus2 -d80e74e9-da11-4572-babc-79349f7685cc,"11/1/2021, 4:12:40.045 PM",00000000-0000-0000-0000-000000000000,DataSensitivityLogEvent,72f988bf-86f1-41af-91ab-2d7cd011db47,458b9821-8f00-483f-acf9-ff6ab17332c4,Sentinel-Bug-Bash-EastUS2,eastus2,AzureBlob-Bc2,AzureBlob,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourceGroups/classification-test/providers/Microsoft.Storage/storageAccounts/aipclptest,458b9821-8f00-483f-acf9-ff6ab17332c4,eastus,BugBashTest,,fr-drv.docx,https://aipclptest.blob.core.windows.net/joselw-test/fr-drv.docx,File,"8/16/2021, 8:56:13.000 PM","8/16/2021, 8:56:13.000 PM",,"11/1/2021, 4:09:14.423 PM",docx,19568,Classification,System,"[""Cyprus Driver's License Number"",""EU Driver's License Number"",""France Driver's License Number"",""Japan Driver's License Number""]",4,,,,,PurviewDataSensitivityLogs,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourcegroups/purview-sentinel-bug-bash/providers/microsoft.purview/accounts/sentinel-bug-bash-eastus2 -d80e74e9-da11-4572-babc-79349f7685cc,"11/1/2021, 4:12:40.053 PM",00000000-0000-0000-0000-000000000000,DataSensitivityLogEvent,72f988bf-86f1-41af-91ab-2d7cd011db47,458b9821-8f00-483f-acf9-ff6ab17332c4,Sentinel-Bug-Bash-EastUS2,eastus2,AzureDataLakeStorage-trP,AzureDataLakeGen2,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourceGroups/classification-test/providers/Microsoft.Storage/storageAccounts/aipclptestadlsgen2,458b9821-8f00-483f-acf9-ff6ab17332c4,eastus,BugBashTest,,Acme Background Check-Katana.doc,https://aipclptestadlsgen2.dfs.core.windows.net/testcontainer/aipclptest/anotherDirectory/Acme Background Check-Katana.doc,File,,"7/21/2020, 6:58:10.000 PM",$superuser,"11/1/2021, 4:09:37.705 PM",doc,95232,Classification,System,"[""Credit Card Number"",""U.S. Social Security Number (SSN)""]",2,,,,,PurviewDataSensitivityLogs,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourcegroups/purview-sentinel-bug-bash/providers/microsoft.purview/accounts/sentinel-bug-bash-eastus2 -d80e74e9-da11-4572-babc-79349f7685cc,"11/1/2021, 4:12:40.061 PM",00000000-0000-0000-0000-000000000000,DataSensitivityLogEvent,72f988bf-86f1-41af-91ab-2d7cd011db47,458b9821-8f00-483f-acf9-ff6ab17332c4,Sentinel-Bug-Bash-EastUS2,eastus2,AzureBlob-Bc2,AzureBlob,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourceGroups/classification-test/providers/Microsoft.Storage/storageAccounts/aipclptest,458b9821-8f00-483f-acf9-ff6ab17332c4,eastus,BugBashTest,,cz-id.docx,https://aipclptest.blob.core.windows.net/joselw-test/cz-id.docx,File,"8/16/2021, 8:56:14.000 PM","8/16/2021, 8:56:14.000 PM",,"11/1/2021, 4:09:14.798 PM",docx,18764,Classification,System,"[""EU National Identification Number"",""EU Social Security Number (SSN) or Equivalent ID""]",2,,,,,PurviewDataSensitivityLogs,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourcegroups/purview-sentinel-bug-bash/providers/microsoft.purview/accounts/sentinel-bug-bash-eastus2 -d80e74e9-da11-4572-babc-79349f7685cc,"11/1/2021, 4:12:40.062 PM",00000000-0000-0000-0000-000000000000,DataSensitivityLogEvent,72f988bf-86f1-41af-91ab-2d7cd011db47,458b9821-8f00-483f-acf9-ff6ab17332c4,Sentinel-Bug-Bash-EastUS2,eastus2,AzureBlob-Bc2,AzureBlob,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourceGroups/classification-test/providers/Microsoft.Storage/storageAccounts/aipclptest,458b9821-8f00-483f-acf9-ff6ab17332c4,eastus,BugBashTest,,cz-id.docx,https://aipclptest.blob.core.windows.net/joselw-test/cz-id.docx,File,"8/16/2021, 8:56:14.000 PM","8/16/2021, 8:56:14.000 PM",,"11/1/2021, 4:09:14.798 PM",docx,18764,Labeling,External,[],0,f42aa342-8706-4288-bd11-ebb85995028c,General,,,PurviewDataSensitivityLogs,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourcegroups/purview-sentinel-bug-bash/providers/microsoft.purview/accounts/sentinel-bug-bash-eastus2 -d80e74e9-da11-4572-babc-79349f7685cc,"11/1/2021, 4:12:40.062 PM",00000000-0000-0000-0000-000000000000,DataSensitivityLogEvent,72f988bf-86f1-41af-91ab-2d7cd011db47,458b9821-8f00-483f-acf9-ff6ab17332c4,Sentinel-Bug-Bash-EastUS2,eastus2,AzureBlob-Bc2,AzureBlob,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourceGroups/classification-test/providers/Microsoft.Storage/storageAccounts/aipclptest,458b9821-8f00-483f-acf9-ff6ab17332c4,eastus,BugBashTest,,de-pn.docx,https://aipclptest.blob.core.windows.net/joselw-test/de-pn.docx,File,"8/16/2021, 8:56:14.000 PM","8/16/2021, 8:56:14.000 PM",,"11/1/2021, 4:09:14.782 PM",docx,19539,Classification,System,"[""EU Passport Number"",""German Passport Number""]",2,,,,,PurviewDataSensitivityLogs,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourcegroups/purview-sentinel-bug-bash/providers/microsoft.purview/accounts/sentinel-bug-bash-eastus2 -d80e74e9-da11-4572-babc-79349f7685cc,"11/1/2021, 4:12:40.070 PM",00000000-0000-0000-0000-000000000000,DataSensitivityLogEvent,72f988bf-86f1-41af-91ab-2d7cd011db47,458b9821-8f00-483f-acf9-ff6ab17332c4,Sentinel-Bug-Bash-EastUS2,eastus2,AzureBlob-Bc2,AzureBlob,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourceGroups/classification-test/providers/Microsoft.Storage/storageAccounts/aipclptest,458b9821-8f00-483f-acf9-ff6ab17332c4,eastus,BugBashTest,,el-id.docx,https://aipclptest.blob.core.windows.net/joselw-test/el-id.docx,File,"8/16/2021, 8:56:14.000 PM","8/16/2021, 8:56:14.000 PM",,"11/1/2021, 4:09:14.423 PM",docx,19644,Classification,System,"[""EU National Identification Number"",""Greece National ID Card""]",2,,,,,PurviewDataSensitivityLogs,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourcegroups/purview-sentinel-bug-bash/providers/microsoft.purview/accounts/sentinel-bug-bash-eastus2 -d80e74e9-da11-4572-babc-79349f7685cc,"11/1/2021, 4:12:40.076 PM",00000000-0000-0000-0000-000000000000,DataSensitivityLogEvent,72f988bf-86f1-41af-91ab-2d7cd011db47,458b9821-8f00-483f-acf9-ff6ab17332c4,Sentinel-Bug-Bash-EastUS2,eastus2,AzureBlob-Bc2,AzureBlob,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourceGroups/classification-test/providers/Microsoft.Storage/storageAccounts/aipclptest,458b9821-8f00-483f-acf9-ff6ab17332c4,eastus,BugBashTest,,sw-id.docx,https://aipclptest.blob.core.windows.net/joselw-test/sw-id.docx,File,"8/16/2021, 8:56:13.000 PM","8/16/2021, 8:56:13.000 PM",,"11/1/2021, 4:09:14.423 PM",docx,19549,Classification,System,"[""EU Social Security Number (SSN) or Equivalent ID"",""EU Tax Identification Number (TIN)""]",2,,,,,PurviewDataSensitivityLogs,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourcegroups/purview-sentinel-bug-bash/providers/microsoft.purview/accounts/sentinel-bug-bash-eastus2 -d80e74e9-da11-4572-babc-79349f7685cc,"11/1/2021, 4:12:40.083 PM",00000000-0000-0000-0000-000000000000,DataSensitivityLogEvent,72f988bf-86f1-41af-91ab-2d7cd011db47,458b9821-8f00-483f-acf9-ff6ab17332c4,Sentinel-Bug-Bash-EastUS2,eastus2,AzureBlob-Bc2,AzureBlob,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourceGroups/classification-test/providers/Microsoft.Storage/storageAccounts/aipclptest,458b9821-8f00-483f-acf9-ff6ab17332c4,eastus,BugBashTest,,de-id.docx,https://aipclptest.blob.core.windows.net/joselw-test/de-id.docx,File,"8/16/2021, 8:56:14.000 PM","8/16/2021, 8:56:14.000 PM",,"11/1/2021, 4:09:14.673 PM",docx,23407,Classification,System,"[""EU National Identification Number"",""Germany Identity Card Number""]",2,,,,,PurviewDataSensitivityLogs,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourcegroups/purview-sentinel-bug-bash/providers/microsoft.purview/accounts/sentinel-bug-bash-eastus2 -d80e74e9-da11-4572-babc-79349f7685cc,"11/1/2021, 4:12:40.083 PM",00000000-0000-0000-0000-000000000000,DataSensitivityLogEvent,72f988bf-86f1-41af-91ab-2d7cd011db47,458b9821-8f00-483f-acf9-ff6ab17332c4,Sentinel-Bug-Bash-EastUS2,eastus2,AzureBlob-Bc2,AzureBlob,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourceGroups/classification-test/providers/Microsoft.Storage/storageAccounts/aipclptest,458b9821-8f00-483f-acf9-ff6ab17332c4,eastus,BugBashTest,,de-id.docx,https://aipclptest.blob.core.windows.net/joselw-test/de-id.docx,File,"8/16/2021, 8:56:14.000 PM","8/16/2021, 8:56:14.000 PM",,"11/1/2021, 4:09:14.673 PM",docx,23407,Labeling,External,[],0,f42aa342-8706-4288-bd11-ebb85995028c,General,,,PurviewDataSensitivityLogs,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourcegroups/purview-sentinel-bug-bash/providers/microsoft.purview/accounts/sentinel-bug-bash-eastus2 -d80e74e9-da11-4572-babc-79349f7685cc,"11/1/2021, 4:12:40.083 PM",00000000-0000-0000-0000-000000000000,DataSensitivityLogEvent,72f988bf-86f1-41af-91ab-2d7cd011db47,458b9821-8f00-483f-acf9-ff6ab17332c4,Sentinel-Bug-Bash-EastUS2,eastus2,AzureBlob-Bc2,AzureBlob,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourceGroups/classification-test/providers/Microsoft.Storage/storageAccounts/aipclptest,458b9821-8f00-483f-acf9-ff6ab17332c4,eastus,BugBashTest,,pl-id.docx,https://aipclptest.blob.core.windows.net/joselw-test/pl-id.docx,File,"8/16/2021, 8:56:13.000 PM","8/16/2021, 8:56:13.000 PM",,"11/1/2021, 4:09:14.673 PM",docx,19618,Classification,System,"[""EU National Identification Number"",""Poland Identity Card""]",2,,,,,PurviewDataSensitivityLogs,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourcegroups/purview-sentinel-bug-bash/providers/microsoft.purview/accounts/sentinel-bug-bash-eastus2 -d80e74e9-da11-4572-babc-79349f7685cc,"11/1/2021, 4:12:40.089 PM",00000000-0000-0000-0000-000000000000,DataSensitivityLogEvent,72f988bf-86f1-41af-91ab-2d7cd011db47,458b9821-8f00-483f-acf9-ff6ab17332c4,Sentinel-Bug-Bash-EastUS2,eastus2,AzureBlob-Bc2,AzureBlob,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourceGroups/classification-test/providers/Microsoft.Storage/storageAccounts/aipclptest,458b9821-8f00-483f-acf9-ff6ab17332c4,eastus,BugBashTest,,dk-id.docx,https://aipclptest.blob.core.windows.net/joselw-test/dk-id.docx,File,"8/16/2021, 8:56:14.000 PM","8/16/2021, 8:56:14.000 PM",,"11/1/2021, 4:09:14.907 PM",docx,19576,Classification,System,"[""Denmark Personal Identification Number"",""EU National Identification Number"",""EU Social Security Number (SSN) or Equivalent ID"",""EU Tax Identification Number (TIN)""]",4,,,,,PurviewDataSensitivityLogs,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourcegroups/purview-sentinel-bug-bash/providers/microsoft.purview/accounts/sentinel-bug-bash-eastus2 -d80e74e9-da11-4572-babc-79349f7685cc,"11/1/2021, 4:12:40.095 PM",00000000-0000-0000-0000-000000000000,DataSensitivityLogEvent,72f988bf-86f1-41af-91ab-2d7cd011db47,458b9821-8f00-483f-acf9-ff6ab17332c4,Sentinel-Bug-Bash-EastUS2,eastus2,AzureBlob-Bc2,AzureBlob,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourceGroups/classification-test/providers/Microsoft.Storage/storageAccounts/aipclptest,458b9821-8f00-483f-acf9-ff6ab17332c4,eastus,BugBashTest,,cr-oib.docx,https://aipclptest.blob.core.windows.net/joselw-test/cr-oib.docx,File,"8/16/2021, 8:56:14.000 PM","8/16/2021, 8:56:14.000 PM",,"11/1/2021, 4:09:14.657 PM",docx,18746,Classification,System,"[""EU National Identification Number""]",1,,,,,PurviewDataSensitivityLogs,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourcegroups/purview-sentinel-bug-bash/providers/microsoft.purview/accounts/sentinel-bug-bash-eastus2 -d80e74e9-da11-4572-babc-79349f7685cc,"11/1/2021, 4:12:40.095 PM",00000000-0000-0000-0000-000000000000,DataSensitivityLogEvent,72f988bf-86f1-41af-91ab-2d7cd011db47,458b9821-8f00-483f-acf9-ff6ab17332c4,Sentinel-Bug-Bash-EastUS2,eastus2,AzureBlob-Bc2,AzureBlob,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourceGroups/classification-test/providers/Microsoft.Storage/storageAccounts/aipclptest,458b9821-8f00-483f-acf9-ff6ab17332c4,eastus,BugBashTest,,cr-oib.docx,https://aipclptest.blob.core.windows.net/joselw-test/cr-oib.docx,File,"8/16/2021, 8:56:14.000 PM","8/16/2021, 8:56:14.000 PM",,"11/1/2021, 4:09:14.657 PM",docx,18746,Labeling,External,[],0,f42aa342-8706-4288-bd11-ebb85995028c,General,,,PurviewDataSensitivityLogs,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourcegroups/purview-sentinel-bug-bash/providers/microsoft.purview/accounts/sentinel-bug-bash-eastus2 -d80e74e9-da11-4572-babc-79349f7685cc,"11/1/2021, 4:12:40.095 PM",00000000-0000-0000-0000-000000000000,DataSensitivityLogEvent,72f988bf-86f1-41af-91ab-2d7cd011db47,458b9821-8f00-483f-acf9-ff6ab17332c4,Sentinel-Bug-Bash-EastUS2,eastus2,AzureBlob-Bc2,AzureBlob,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourceGroups/classification-test/providers/Microsoft.Storage/storageAccounts/aipclptest,458b9821-8f00-483f-acf9-ff6ab17332c4,eastus,BugBashTest,,uk-nino.docx,https://aipclptest.blob.core.windows.net/joselw-test/uk-nino.docx,File,"8/16/2021, 8:56:13.000 PM","8/16/2021, 8:56:13.000 PM",,"11/1/2021, 4:09:14.594 PM",docx,19659,Classification,System,"[""EU National Identification Number"",""U.K. National Insurance Number (NINO)""]",2,,,,,PurviewDataSensitivityLogs,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourcegroups/purview-sentinel-bug-bash/providers/microsoft.purview/accounts/sentinel-bug-bash-eastus2 -d80e74e9-da11-4572-babc-79349f7685cc,"11/1/2021, 4:12:40.101 PM",00000000-0000-0000-0000-000000000000,DataSensitivityLogEvent,72f988bf-86f1-41af-91ab-2d7cd011db47,458b9821-8f00-483f-acf9-ff6ab17332c4,Sentinel-Bug-Bash-EastUS2,eastus2,AzureBlob-Bc2,AzureBlob,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourceGroups/classification-test/providers/Microsoft.Storage/storageAccounts/aipclptest,458b9821-8f00-483f-acf9-ff6ab17332c4,eastus,BugBashTest,,de-drv.docx,https://aipclptest.blob.core.windows.net/aipscan/PII/de-drv.docx,File,"2/13/2020, 7:54:22.000 PM","2/13/2020, 7:54:22.000 PM",,"11/1/2021, 4:09:21.082 PM",docx,18787,Classification,System,"[""EU Driver's License Number"",""German Driver's License Number""]",2,,,,,PurviewDataSensitivityLogs,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourcegroups/purview-sentinel-bug-bash/providers/microsoft.purview/accounts/sentinel-bug-bash-eastus2 -d80e74e9-da11-4572-babc-79349f7685cc,"11/1/2021, 4:12:40.101 PM",00000000-0000-0000-0000-000000000000,DataSensitivityLogEvent,72f988bf-86f1-41af-91ab-2d7cd011db47,458b9821-8f00-483f-acf9-ff6ab17332c4,Sentinel-Bug-Bash-EastUS2,eastus2,AzureBlob-Bc2,AzureBlob,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourceGroups/classification-test/providers/Microsoft.Storage/storageAccounts/aipclptest,458b9821-8f00-483f-acf9-ff6ab17332c4,eastus,BugBashTest,,de-drv.docx,https://aipclptest.blob.core.windows.net/aipscan/PII/de-drv.docx,File,"2/13/2020, 7:54:22.000 PM","2/13/2020, 7:54:22.000 PM",,"11/1/2021, 4:09:21.082 PM",docx,18787,Labeling,External,[],0,f42aa342-8706-4288-bd11-ebb85995028c,General,,,PurviewDataSensitivityLogs,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourcegroups/purview-sentinel-bug-bash/providers/microsoft.purview/accounts/sentinel-bug-bash-eastus2 -d80e74e9-da11-4572-babc-79349f7685cc,"11/1/2021, 4:12:40.101 PM",00000000-0000-0000-0000-000000000000,DataSensitivityLogEvent,72f988bf-86f1-41af-91ab-2d7cd011db47,458b9821-8f00-483f-acf9-ff6ab17332c4,Sentinel-Bug-Bash-EastUS2,eastus2,AzureBlob-Bc2,AzureBlob,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourceGroups/classification-test/providers/Microsoft.Storage/storageAccounts/aipclptest,458b9821-8f00-483f-acf9-ff6ab17332c4,eastus,BugBashTest,,fr-insee.docx,https://aipclptest.blob.core.windows.net/joselw-test/fr-insee.docx,File,"8/16/2021, 8:56:13.000 PM","8/16/2021, 8:56:13.000 PM",,"11/1/2021, 4:09:14.985 PM",docx,19735,Classification,System,"[""EU Social Security Number (SSN) or Equivalent ID"",""France Social Security Number (INSEE)""]",2,,,,,PurviewDataSensitivityLogs,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourcegroups/purview-sentinel-bug-bash/providers/microsoft.purview/accounts/sentinel-bug-bash-eastus2 -d80e74e9-da11-4572-babc-79349f7685cc,"11/1/2021, 4:12:40.107 PM",00000000-0000-0000-0000-000000000000,DataSensitivityLogEvent,72f988bf-86f1-41af-91ab-2d7cd011db47,458b9821-8f00-483f-acf9-ff6ab17332c4,Sentinel-Bug-Bash-EastUS2,eastus2,AzureBlob-Bc2,AzureBlob,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourceGroups/classification-test/providers/Microsoft.Storage/storageAccounts/aipclptest,458b9821-8f00-483f-acf9-ff6ab17332c4,eastus,BugBashTest,,it-drv.docx,https://aipclptest.blob.core.windows.net/satintestcontainer/it-drv.docx,File,"5/12/2021, 6:56:19.000 PM","5/12/2021, 6:56:19.000 PM",,"11/1/2021, 4:09:15.110 PM",docx,26098,Classification,System,"[""EU Driver's License Number"",""Italy Driver's License Number""]",2,,,,,PurviewDataSensitivityLogs,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourcegroups/purview-sentinel-bug-bash/providers/microsoft.purview/accounts/sentinel-bug-bash-eastus2 -d80e74e9-da11-4572-babc-79349f7685cc,"11/1/2021, 4:12:40.113 PM",00000000-0000-0000-0000-000000000000,DataSensitivityLogEvent,72f988bf-86f1-41af-91ab-2d7cd011db47,458b9821-8f00-483f-acf9-ff6ab17332c4,Sentinel-Bug-Bash-EastUS2,eastus2,AzureBlob-Bc2,AzureBlob,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourceGroups/classification-test/providers/Microsoft.Storage/storageAccounts/aipclptest,458b9821-8f00-483f-acf9-ff6ab17332c4,eastus,BugBashTest,,cc.docx,https://aipclptest.blob.core.windows.net/joselw-test/cc.docx,File,"8/16/2021, 8:56:14.000 PM","8/16/2021, 8:56:14.000 PM",,"11/1/2021, 4:09:14.985 PM",docx,18956,Classification,System,"[""Credit Card Number"",""EU Debit Card Number""]",2,,,,,PurviewDataSensitivityLogs,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourcegroups/purview-sentinel-bug-bash/providers/microsoft.purview/accounts/sentinel-bug-bash-eastus2 -d80e74e9-da11-4572-babc-79349f7685cc,"11/1/2021, 4:12:40.113 PM",00000000-0000-0000-0000-000000000000,DataSensitivityLogEvent,72f988bf-86f1-41af-91ab-2d7cd011db47,458b9821-8f00-483f-acf9-ff6ab17332c4,Sentinel-Bug-Bash-EastUS2,eastus2,AzureBlob-Bc2,AzureBlob,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourceGroups/classification-test/providers/Microsoft.Storage/storageAccounts/aipclptest,458b9821-8f00-483f-acf9-ff6ab17332c4,eastus,BugBashTest,,cc.docx,https://aipclptest.blob.core.windows.net/joselw-test/cc.docx,File,"8/16/2021, 8:56:14.000 PM","8/16/2021, 8:56:14.000 PM",,"11/1/2021, 4:09:14.985 PM",docx,18956,Labeling,External,[],0,f42aa342-8706-4288-bd11-ebb85995028c,General,,,PurviewDataSensitivityLogs,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourcegroups/purview-sentinel-bug-bash/providers/microsoft.purview/accounts/sentinel-bug-bash-eastus2 -d80e74e9-da11-4572-babc-79349f7685cc,"11/1/2021, 4:12:40.113 PM",00000000-0000-0000-0000-000000000000,DataSensitivityLogEvent,72f988bf-86f1-41af-91ab-2d7cd011db47,458b9821-8f00-483f-acf9-ff6ab17332c4,Sentinel-Bug-Bash-EastUS2,eastus2,AzureBlob-Bc2,AzureBlob,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourceGroups/classification-test/providers/Microsoft.Storage/storageAccounts/aipclptest,458b9821-8f00-483f-acf9-ff6ab17332c4,eastus,BugBashTest,,multiple.docx,https://aipclptest.blob.core.windows.net/satintestcontainer/multiple.docx,File,"5/12/2021, 6:56:20.000 PM","5/12/2021, 6:56:20.000 PM",,"11/1/2021, 4:09:15.110 PM",docx,24336,Classification,System,"[""EU National Identification Number"",""EU Social Security Number (SSN) or Equivalent ID"",""EU Tax Identification Number (TIN)"",""Finland National ID"",""Germany Identity Card Number"",""Greece National ID Card"",""Ireland Personal Public Service (PPS) Number""]",7,,,,,PurviewDataSensitivityLogs,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourcegroups/purview-sentinel-bug-bash/providers/microsoft.purview/accounts/sentinel-bug-bash-eastus2 -d80e74e9-da11-4572-babc-79349f7685cc,"11/1/2021, 4:12:40.228 PM",00000000-0000-0000-0000-000000000000,DataSensitivityLogEvent,72f988bf-86f1-41af-91ab-2d7cd011db47,458b9821-8f00-483f-acf9-ff6ab17332c4,Sentinel-Bug-Bash-EastUS2,eastus2,AzureBlob-Bc2,AzureBlob,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourceGroups/classification-test/providers/Microsoft.Storage/storageAccounts/aipclptest,458b9821-8f00-483f-acf9-ff6ab17332c4,eastus,BugBashTest,,finland.txt,https://aipclptest.blob.core.windows.net/satintestcontainer/finland.txt,File,"5/12/2021, 6:56:19.000 PM","5/12/2021, 6:56:19.000 PM",,"11/1/2021, 4:09:15.188 PM",txt,89,Classification,System,"[""EU National Identification Number"",""EU Social Security Number (SSN) or Equivalent ID"",""EU Tax Identification Number (TIN)"",""Finland National ID""]",4,,,,,PurviewDataSensitivityLogs,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourcegroups/purview-sentinel-bug-bash/providers/microsoft.purview/accounts/sentinel-bug-bash-eastus2 -d80e74e9-da11-4572-babc-79349f7685cc,"11/1/2021, 4:12:40.234 PM",00000000-0000-0000-0000-000000000000,DataSensitivityLogEvent,72f988bf-86f1-41af-91ab-2d7cd011db47,458b9821-8f00-483f-acf9-ff6ab17332c4,Sentinel-Bug-Bash-EastUS2,eastus2,AzureBlob-Bc2,AzureBlob,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourceGroups/classification-test/providers/Microsoft.Storage/storageAccounts/aipclptest,458b9821-8f00-483f-acf9-ff6ab17332c4,eastus,BugBashTest,,uk-pn.docx,https://aipclptest.blob.core.windows.net/aipscan-open/uk-pn.docx,File,"12/10/2020, 5:58:29.000 PM","12/10/2020, 5:58:29.000 PM",,"11/1/2021, 4:09:15.313 PM",docx,26383,Classification,System,"[""Bulgaria Passport Number"",""Croatia Passport Number"",""Denmark Passport Number"",""EU Passport Number"",""Ireland Passport Number"",""Italy Passport Number"",""Romania Passport Number"",""Russian Passport Number (International)"",""Taiwan Passport Number"",""U.S. / U.K. Passport Number"",""Ukraine Passport Number (Domestic)""]",11,,,,,PurviewDataSensitivityLogs,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourcegroups/purview-sentinel-bug-bash/providers/microsoft.purview/accounts/sentinel-bug-bash-eastus2 -d80e74e9-da11-4572-babc-79349f7685cc,"11/1/2021, 4:12:40.240 PM",00000000-0000-0000-0000-000000000000,DataSensitivityLogEvent,72f988bf-86f1-41af-91ab-2d7cd011db47,458b9821-8f00-483f-acf9-ff6ab17332c4,Sentinel-Bug-Bash-EastUS2,eastus2,AzureBlob-Bc2,AzureBlob,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourceGroups/classification-test/providers/Microsoft.Storage/storageAccounts/aipclptest,458b9821-8f00-483f-acf9-ff6ab17332c4,eastus,BugBashTest,,uk-drv.docx,https://aipclptest.blob.core.windows.net/aipscan/HR/uk-drv.docx,File,"2/13/2020, 7:54:12.000 PM","2/13/2020, 7:54:12.000 PM",,"11/1/2021, 4:09:15.641 PM",docx,20274,Classification,System,"[""EU Driver's License Number"",""U.K. Driver's License Number""]",2,,,,,PurviewDataSensitivityLogs,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourcegroups/purview-sentinel-bug-bash/providers/microsoft.purview/accounts/sentinel-bug-bash-eastus2 -d80e74e9-da11-4572-babc-79349f7685cc,"11/1/2021, 4:12:40.240 PM",00000000-0000-0000-0000-000000000000,DataSensitivityLogEvent,72f988bf-86f1-41af-91ab-2d7cd011db47,458b9821-8f00-483f-acf9-ff6ab17332c4,Sentinel-Bug-Bash-EastUS2,eastus2,AzureBlob-Bc2,AzureBlob,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourceGroups/classification-test/providers/Microsoft.Storage/storageAccounts/aipclptest,458b9821-8f00-483f-acf9-ff6ab17332c4,eastus,BugBashTest,,uk-drv.docx,https://aipclptest.blob.core.windows.net/aipscan/HR/uk-drv.docx,File,"2/13/2020, 7:54:12.000 PM","2/13/2020, 7:54:12.000 PM",,"11/1/2021, 4:09:15.641 PM",docx,20274,Labeling,External,[],0,f42aa342-8706-4288-bd11-ebb85995028c,General,,,PurviewDataSensitivityLogs,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourcegroups/purview-sentinel-bug-bash/providers/microsoft.purview/accounts/sentinel-bug-bash-eastus2 -d80e74e9-da11-4572-babc-79349f7685cc,"11/1/2021, 4:12:40.240 PM",00000000-0000-0000-0000-000000000000,DataSensitivityLogEvent,72f988bf-86f1-41af-91ab-2d7cd011db47,458b9821-8f00-483f-acf9-ff6ab17332c4,Sentinel-Bug-Bash-EastUS2,eastus2,AzureBlob-Bc2,AzureBlob,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourceGroups/classification-test/providers/Microsoft.Storage/storageAccounts/aipclptest,458b9821-8f00-483f-acf9-ff6ab17332c4,eastus,BugBashTest,,2019 forecast.pptx,https://aipclptest.blob.core.windows.net/aipscan/Finance/2019 forecast.pptx,File,"2/13/2020, 7:54:02.000 PM","2/13/2020, 7:54:02.000 PM",,"11/1/2021, 4:09:15.876 PM",pptx,32114,Classification,System,"[""Credit Card Number"",""EU Debit Card Number""]",2,,,,,PurviewDataSensitivityLogs,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourcegroups/purview-sentinel-bug-bash/providers/microsoft.purview/accounts/sentinel-bug-bash-eastus2 -d80e74e9-da11-4572-babc-79349f7685cc,"11/1/2021, 4:12:40.247 PM",00000000-0000-0000-0000-000000000000,DataSensitivityLogEvent,72f988bf-86f1-41af-91ab-2d7cd011db47,458b9821-8f00-483f-acf9-ff6ab17332c4,Sentinel-Bug-Bash-EastUS2,eastus2,AzureBlob-Bc2,AzureBlob,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourceGroups/classification-test/providers/Microsoft.Storage/storageAccounts/aipclptest,458b9821-8f00-483f-acf9-ff6ab17332c4,eastus,BugBashTest,,es-ssn.docx,https://aipclptest.blob.core.windows.net/aipscan/Finance/es-ssn.docx,File,"2/13/2020, 7:54:02.000 PM","2/13/2020, 7:54:02.000 PM",,"11/1/2021, 4:09:15.844 PM",docx,20018,Classification,System,"[""Spain Social Security Number (SSN)""]",1,,,,,PurviewDataSensitivityLogs,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourcegroups/purview-sentinel-bug-bash/providers/microsoft.purview/accounts/sentinel-bug-bash-eastus2 -d80e74e9-da11-4572-babc-79349f7685cc,"11/1/2021, 4:12:40.421 PM",00000000-0000-0000-0000-000000000000,DataSensitivityLogEvent,72f988bf-86f1-41af-91ab-2d7cd011db47,458b9821-8f00-483f-acf9-ff6ab17332c4,Sentinel-Bug-Bash-EastUS2,eastus2,AzureBlob-Bc2,AzureBlob,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourceGroups/classification-test/providers/Microsoft.Storage/storageAccounts/aipclptest,458b9821-8f00-483f-acf9-ff6ab17332c4,eastus,BugBashTest,,denmark.txt,https://aipclptest.blob.core.windows.net/aashishr01/denmark.txt,File,"12/11/2020, 8:59:35.000 PM","12/11/2020, 8:59:35.000 PM",,"11/1/2021, 4:09:09.716 PM",txt,128,Labeling,Default,[],0,9fbde396-1a24-4c79-8edf-9254a0f35055,Confidential\Microsoft Extended,,,PurviewDataSensitivityLogs,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourcegroups/purview-sentinel-bug-bash/providers/microsoft.purview/accounts/sentinel-bug-bash-eastus2 -d80e74e9-da11-4572-babc-79349f7685cc,"11/1/2021, 4:12:40.421 PM",00000000-0000-0000-0000-000000000000,DataSensitivityLogEvent,72f988bf-86f1-41af-91ab-2d7cd011db47,458b9821-8f00-483f-acf9-ff6ab17332c4,Sentinel-Bug-Bash-EastUS2,eastus2,AzureBlob-Bc2,AzureBlob,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourceGroups/classification-test/providers/Microsoft.Storage/storageAccounts/aipclptest,458b9821-8f00-483f-acf9-ff6ab17332c4,eastus,BugBashTest,,cr-oib.docx,https://aipclptest.blob.core.windows.net/aashishr01/cr-oib.docx,File,"12/11/2020, 8:59:35.000 PM","12/11/2020, 8:59:35.000 PM",,"11/1/2021, 4:09:09.919 PM",docx,26098,Labeling,Default,[],0,9fbde396-1a24-4c79-8edf-9254a0f35055,Confidential\Microsoft Extended,,,PurviewDataSensitivityLogs,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourcegroups/purview-sentinel-bug-bash/providers/microsoft.purview/accounts/sentinel-bug-bash-eastus2 -d80e74e9-da11-4572-babc-79349f7685cc,"11/1/2021, 4:12:40.435 PM",00000000-0000-0000-0000-000000000000,DataSensitivityLogEvent,72f988bf-86f1-41af-91ab-2d7cd011db47,458b9821-8f00-483f-acf9-ff6ab17332c4,Sentinel-Bug-Bash-EastUS2,eastus2,AzureBlob-Bc2,AzureBlob,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourceGroups/classification-test/providers/Microsoft.Storage/storageAccounts/aipclptest,458b9821-8f00-483f-acf9-ff6ab17332c4,eastus,BugBashTest,,dk-id.docx,https://aipclptest.blob.core.windows.net/aashishr01/dk-id.docx,File,"12/11/2020, 8:59:35.000 PM","12/11/2020, 8:59:35.000 PM",,"11/1/2021, 4:09:09.982 PM",docx,26098,Labeling,Default,[],0,9fbde396-1a24-4c79-8edf-9254a0f35055,Confidential\Microsoft Extended,,,PurviewDataSensitivityLogs,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourcegroups/purview-sentinel-bug-bash/providers/microsoft.purview/accounts/sentinel-bug-bash-eastus2 -d80e74e9-da11-4572-babc-79349f7685cc,"11/1/2021, 4:12:40.447 PM",00000000-0000-0000-0000-000000000000,DataSensitivityLogEvent,72f988bf-86f1-41af-91ab-2d7cd011db47,458b9821-8f00-483f-acf9-ff6ab17332c4,Sentinel-Bug-Bash-EastUS2,eastus2,AzureBlob-Bc2,AzureBlob,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourceGroups/classification-test/providers/Microsoft.Storage/storageAccounts/aipclptest,458b9821-8f00-483f-acf9-ff6ab17332c4,eastus,BugBashTest,,IR.txt,https://aipclptest.blob.core.windows.net/aipscan/HR/IR.txt,File,"2/13/2020, 7:54:12.000 PM","2/13/2020, 7:54:12.000 PM",,"11/1/2021, 4:09:21.192 PM",txt,197,Labeling,Default,[],0,9fbde396-1a24-4c79-8edf-9254a0f35055,Confidential\Microsoft Extended,,,PurviewDataSensitivityLogs,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourcegroups/purview-sentinel-bug-bash/providers/microsoft.purview/accounts/sentinel-bug-bash-eastus2 -d80e74e9-da11-4572-babc-79349f7685cc,"11/1/2021, 4:12:40.457 PM",00000000-0000-0000-0000-000000000000,DataSensitivityLogEvent,72f988bf-86f1-41af-91ab-2d7cd011db47,458b9821-8f00-483f-acf9-ff6ab17332c4,Sentinel-Bug-Bash-EastUS2,eastus2,AzureBlob-Bc2,AzureBlob,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourceGroups/classification-test/providers/Microsoft.Storage/storageAccounts/aipclptest,458b9821-8f00-483f-acf9-ff6ab17332c4,eastus,BugBashTest,,Customers registration form.docx,https://aipclptest.blob.core.windows.net/aipscan/CustomerData/Customers registration form.docx,File,"2/13/2020, 7:53:51.000 PM","2/13/2020, 7:53:51.000 PM",,"11/1/2021, 4:09:20.395 PM",docx,17409,Labeling,Default,[],0,9fbde396-1a24-4c79-8edf-9254a0f35055,Confidential\Microsoft Extended,,,PurviewDataSensitivityLogs,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourcegroups/purview-sentinel-bug-bash/providers/microsoft.purview/accounts/sentinel-bug-bash-eastus2 -d80e74e9-da11-4572-babc-79349f7685cc,"11/1/2021, 4:12:40.511 PM",00000000-0000-0000-0000-000000000000,DataSensitivityLogEvent,72f988bf-86f1-41af-91ab-2d7cd011db47,458b9821-8f00-483f-acf9-ff6ab17332c4,Sentinel-Bug-Bash-EastUS2,eastus2,AzureBlob-Bc2,AzureBlob,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourceGroups/classification-test/providers/Microsoft.Storage/storageAccounts/aipclptest,458b9821-8f00-483f-acf9-ff6ab17332c4,eastus,BugBashTest,,es-ssn.docx,https://aipclptest.blob.core.windows.net/joselw-test/es-ssn.docx,File,"8/16/2021, 8:56:14.000 PM","8/16/2021, 8:56:14.000 PM",,"11/1/2021, 4:09:14.688 PM",docx,19548,Labeling,Default,[],0,9fbde396-1a24-4c79-8edf-9254a0f35055,Confidential\Microsoft Extended,,,PurviewDataSensitivityLogs,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourcegroups/purview-sentinel-bug-bash/providers/microsoft.purview/accounts/sentinel-bug-bash-eastus2 -d80e74e9-da11-4572-babc-79349f7685cc,"11/1/2021, 4:12:40.518 PM",00000000-0000-0000-0000-000000000000,DataSensitivityLogEvent,72f988bf-86f1-41af-91ab-2d7cd011db47,458b9821-8f00-483f-acf9-ff6ab17332c4,Sentinel-Bug-Bash-EastUS2,eastus2,AzureBlob-Bc2,AzureBlob,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourceGroups/classification-test/providers/Microsoft.Storage/storageAccounts/aipclptest,458b9821-8f00-483f-acf9-ff6ab17332c4,eastus,BugBashTest,,finland.txt,https://aipclptest.blob.core.windows.net/aipscan/PII/finland.txt,File,"2/13/2020, 7:54:22.000 PM","2/13/2020, 7:54:22.000 PM",,"11/1/2021, 4:09:20.535 PM",txt,89,Labeling,Default,[],0,9fbde396-1a24-4c79-8edf-9254a0f35055,Confidential\Microsoft Extended,,,PurviewDataSensitivityLogs,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourcegroups/purview-sentinel-bug-bash/providers/microsoft.purview/accounts/sentinel-bug-bash-eastus2 -d80e74e9-da11-4572-babc-79349f7685cc,"11/1/2021, 4:12:40.528 PM",00000000-0000-0000-0000-000000000000,DataSensitivityLogEvent,72f988bf-86f1-41af-91ab-2d7cd011db47,458b9821-8f00-483f-acf9-ff6ab17332c4,Sentinel-Bug-Bash-EastUS2,eastus2,AzureBlob-Bc2,AzureBlob,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourceGroups/classification-test/providers/Microsoft.Storage/storageAccounts/aipclptest,458b9821-8f00-483f-acf9-ff6ab17332c4,eastus,BugBashTest,,uk-nino.docx,https://aipclptest.blob.core.windows.net/aashishr01/uk-nino.docx,File,"12/11/2020, 8:59:35.000 PM","12/11/2020, 8:59:35.000 PM",,"11/1/2021, 4:09:09.732 PM",docx,26184,Labeling,Default,[],0,9fbde396-1a24-4c79-8edf-9254a0f35055,Confidential\Microsoft Extended,,,PurviewDataSensitivityLogs,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourcegroups/purview-sentinel-bug-bash/providers/microsoft.purview/accounts/sentinel-bug-bash-eastus2 -d80e74e9-da11-4572-babc-79349f7685cc,"11/1/2021, 4:12:40.536 PM",00000000-0000-0000-0000-000000000000,DataSensitivityLogEvent,72f988bf-86f1-41af-91ab-2d7cd011db47,458b9821-8f00-483f-acf9-ff6ab17332c4,Sentinel-Bug-Bash-EastUS2,eastus2,AzureBlob-Bc2,AzureBlob,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourceGroups/classification-test/providers/Microsoft.Storage/storageAccounts/aipclptest,458b9821-8f00-483f-acf9-ff6ab17332c4,eastus,BugBashTest,,Customers data2017.docx,https://aipclptest.blob.core.windows.net/aipscan/CustomerData/Customers data2017.docx,File,"2/13/2020, 7:53:51.000 PM","2/13/2020, 7:53:51.000 PM",,"11/1/2021, 4:09:20.363 PM",docx,12295,Labeling,Default,[],0,9fbde396-1a24-4c79-8edf-9254a0f35055,Confidential\Microsoft Extended,,,PurviewDataSensitivityLogs,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourcegroups/purview-sentinel-bug-bash/providers/microsoft.purview/accounts/sentinel-bug-bash-eastus2 -d80e74e9-da11-4572-babc-79349f7685cc,"11/1/2021, 4:12:40.551 PM",00000000-0000-0000-0000-000000000000,DataSensitivityLogEvent,72f988bf-86f1-41af-91ab-2d7cd011db47,458b9821-8f00-483f-acf9-ff6ab17332c4,Sentinel-Bug-Bash-EastUS2,eastus2,AzureBlob-Bc2,AzureBlob,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourceGroups/classification-test/providers/Microsoft.Storage/storageAccounts/aipclptest,458b9821-8f00-483f-acf9-ff6ab17332c4,eastus,BugBashTest,,cz.txt,https://aipclptest.blob.core.windows.net/aipscan/PII/cz.txt,File,"2/13/2020, 7:54:22.000 PM","2/13/2020, 7:54:22.000 PM",,"11/1/2021, 4:09:21.004 PM",txt,124,Labeling,Default,[],0,9fbde396-1a24-4c79-8edf-9254a0f35055,Confidential\Microsoft Extended,,,PurviewDataSensitivityLogs,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourcegroups/purview-sentinel-bug-bash/providers/microsoft.purview/accounts/sentinel-bug-bash-eastus2 -d80e74e9-da11-4572-babc-79349f7685cc,"11/1/2021, 4:12:40.601 PM",00000000-0000-0000-0000-000000000000,DataSensitivityLogEvent,72f988bf-86f1-41af-91ab-2d7cd011db47,458b9821-8f00-483f-acf9-ff6ab17332c4,Sentinel-Bug-Bash-EastUS2,eastus2,AzureBlob-Bc2,AzureBlob,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourceGroups/classification-test/providers/Microsoft.Storage/storageAccounts/aipclptest,458b9821-8f00-483f-acf9-ff6ab17332c4,eastus,BugBashTest,,cz.txt,https://aipclptest.blob.core.windows.net/joselw-test/cz.txt,File,"8/16/2021, 8:56:14.000 PM","8/16/2021, 8:56:14.000 PM",,"11/1/2021, 4:09:14.438 PM",txt,124,Labeling,Default,[],0,9fbde396-1a24-4c79-8edf-9254a0f35055,Confidential\Microsoft Extended,,,PurviewDataSensitivityLogs,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourcegroups/purview-sentinel-bug-bash/providers/microsoft.purview/accounts/sentinel-bug-bash-eastus2 -d80e74e9-da11-4572-babc-79349f7685cc,"11/1/2021, 4:12:40.642 PM",00000000-0000-0000-0000-000000000000,DataSensitivityLogEvent,72f988bf-86f1-41af-91ab-2d7cd011db47,458b9821-8f00-483f-acf9-ff6ab17332c4,Sentinel-Bug-Bash-EastUS2,eastus2,AzureBlob-Bc2,AzureBlob,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourceGroups/classification-test/providers/Microsoft.Storage/storageAccounts/aipclptest,458b9821-8f00-483f-acf9-ff6ab17332c4,eastus,BugBashTest,,denmark.txt,https://aipclptest.blob.core.windows.net/joselw-test/denmark.txt,File,"8/16/2021, 8:56:14.000 PM","8/16/2021, 8:56:14.000 PM",,"11/1/2021, 4:09:14.563 PM",txt,128,Labeling,Default,[],0,9fbde396-1a24-4c79-8edf-9254a0f35055,Confidential\Microsoft Extended,,,PurviewDataSensitivityLogs,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourcegroups/purview-sentinel-bug-bash/providers/microsoft.purview/accounts/sentinel-bug-bash-eastus2 -d80e74e9-da11-4572-babc-79349f7685cc,"11/1/2021, 4:12:40.647 PM",00000000-0000-0000-0000-000000000000,DataSensitivityLogEvent,72f988bf-86f1-41af-91ab-2d7cd011db47,458b9821-8f00-483f-acf9-ff6ab17332c4,Sentinel-Bug-Bash-EastUS2,eastus2,AzureBlob-Bc2,AzureBlob,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourceGroups/classification-test/providers/Microsoft.Storage/storageAccounts/aipclptest,458b9821-8f00-483f-acf9-ff6ab17332c4,eastus,BugBashTest,,multiple.docx,https://aipclptest.blob.core.windows.net/joselw-test/multiple.docx,File,"8/16/2021, 8:56:13.000 PM","8/16/2021, 8:56:13.000 PM",,"11/1/2021, 4:09:14.438 PM",docx,17817,Labeling,Default,[],0,9fbde396-1a24-4c79-8edf-9254a0f35055,Confidential\Microsoft Extended,,,PurviewDataSensitivityLogs,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourcegroups/purview-sentinel-bug-bash/providers/microsoft.purview/accounts/sentinel-bug-bash-eastus2 -d80e74e9-da11-4572-babc-79349f7685cc,"11/1/2021, 4:12:40.670 PM",00000000-0000-0000-0000-000000000000,DataSensitivityLogEvent,72f988bf-86f1-41af-91ab-2d7cd011db47,458b9821-8f00-483f-acf9-ff6ab17332c4,Sentinel-Bug-Bash-EastUS2,eastus2,AzureBlob-Bc2,AzureBlob,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourceGroups/classification-test/providers/Microsoft.Storage/storageAccounts/aipclptest,458b9821-8f00-483f-acf9-ff6ab17332c4,eastus,BugBashTest,,fi-id.docx,https://aipclptest.blob.core.windows.net/joselw-test/fi-id.docx,File,"8/16/2021, 8:56:14.000 PM","8/16/2021, 8:56:14.000 PM",,"11/1/2021, 4:09:14.798 PM",docx,19603,Labeling,Default,[],0,9fbde396-1a24-4c79-8edf-9254a0f35055,Confidential\Microsoft Extended,,,PurviewDataSensitivityLogs,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourcegroups/purview-sentinel-bug-bash/providers/microsoft.purview/accounts/sentinel-bug-bash-eastus2 -d80e74e9-da11-4572-babc-79349f7685cc,"11/1/2021, 4:12:40.679 PM",00000000-0000-0000-0000-000000000000,DataSensitivityLogEvent,72f988bf-86f1-41af-91ab-2d7cd011db47,458b9821-8f00-483f-acf9-ff6ab17332c4,Sentinel-Bug-Bash-EastUS2,eastus2,AzureBlob-Bc2,AzureBlob,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourceGroups/classification-test/providers/Microsoft.Storage/storageAccounts/aipclptest,458b9821-8f00-483f-acf9-ff6ab17332c4,eastus,BugBashTest,,germany.txt,https://aipclptest.blob.core.windows.net/aipscan/PII/germany.txt,File,"2/13/2020, 7:54:22.000 PM","2/13/2020, 7:54:22.000 PM",,"11/1/2021, 4:09:20.770 PM",txt,42,Labeling,Default,[],0,9fbde396-1a24-4c79-8edf-9254a0f35055,Confidential\Microsoft Extended,,,PurviewDataSensitivityLogs,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourcegroups/purview-sentinel-bug-bash/providers/microsoft.purview/accounts/sentinel-bug-bash-eastus2 -d80e74e9-da11-4572-babc-79349f7685cc,"11/1/2021, 4:12:40.700 PM",00000000-0000-0000-0000-000000000000,DataSensitivityLogEvent,72f988bf-86f1-41af-91ab-2d7cd011db47,458b9821-8f00-483f-acf9-ff6ab17332c4,Sentinel-Bug-Bash-EastUS2,eastus2,AzureBlob-Bc2,AzureBlob,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourceGroups/classification-test/providers/Microsoft.Storage/storageAccounts/aipclptest,458b9821-8f00-483f-acf9-ff6ab17332c4,eastus,BugBashTest,,EL.txt,https://aipclptest.blob.core.windows.net/joselw-test/EL.txt,File,"8/16/2021, 8:56:14.000 PM","8/16/2021, 8:56:14.000 PM",,"11/1/2021, 4:09:14.688 PM",txt,200,Labeling,Default,[],0,9fbde396-1a24-4c79-8edf-9254a0f35055,Confidential\Microsoft Extended,,,PurviewDataSensitivityLogs,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourcegroups/purview-sentinel-bug-bash/providers/microsoft.purview/accounts/sentinel-bug-bash-eastus2 -d80e74e9-da11-4572-babc-79349f7685cc,"11/1/2021, 4:12:40.765 PM",00000000-0000-0000-0000-000000000000,DataSensitivityLogEvent,72f988bf-86f1-41af-91ab-2d7cd011db47,458b9821-8f00-483f-acf9-ff6ab17332c4,Sentinel-Bug-Bash-EastUS2,eastus2,AzureBlob-Bc2,AzureBlob,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourceGroups/classification-test/providers/Microsoft.Storage/storageAccounts/aipclptest,458b9821-8f00-483f-acf9-ff6ab17332c4,eastus,BugBashTest,,fr-drv.docx,https://aipclptest.blob.core.windows.net/joselw-test/fr-drv.docx,File,"8/16/2021, 8:56:13.000 PM","8/16/2021, 8:56:13.000 PM",,"11/1/2021, 4:09:14.423 PM",docx,19568,Labeling,Default,[],0,9fbde396-1a24-4c79-8edf-9254a0f35055,Confidential\Microsoft Extended,,,PurviewDataSensitivityLogs,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourcegroups/purview-sentinel-bug-bash/providers/microsoft.purview/accounts/sentinel-bug-bash-eastus2 -d80e74e9-da11-4572-babc-79349f7685cc,"11/1/2021, 4:12:40.793 PM",00000000-0000-0000-0000-000000000000,DataSensitivityLogEvent,72f988bf-86f1-41af-91ab-2d7cd011db47,458b9821-8f00-483f-acf9-ff6ab17332c4,Sentinel-Bug-Bash-EastUS2,eastus2,AzureBlob-Bc2,AzureBlob,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourceGroups/classification-test/providers/Microsoft.Storage/storageAccounts/aipclptest,458b9821-8f00-483f-acf9-ff6ab17332c4,eastus,BugBashTest,,uk-nino.docx,https://aipclptest.blob.core.windows.net/joselw-test/uk-nino.docx,File,"8/16/2021, 8:56:13.000 PM","8/16/2021, 8:56:13.000 PM",,"11/1/2021, 4:09:14.594 PM",docx,19659,Labeling,Default,[],0,9fbde396-1a24-4c79-8edf-9254a0f35055,Confidential\Microsoft Extended,,,PurviewDataSensitivityLogs,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourcegroups/purview-sentinel-bug-bash/providers/microsoft.purview/accounts/sentinel-bug-bash-eastus2 -d80e74e9-da11-4572-babc-79349f7685cc,"11/1/2021, 4:12:40.799 PM",00000000-0000-0000-0000-000000000000,DataSensitivityLogEvent,72f988bf-86f1-41af-91ab-2d7cd011db47,458b9821-8f00-483f-acf9-ff6ab17332c4,Sentinel-Bug-Bash-EastUS2,eastus2,AzureDataLakeStorage-trP,AzureDataLakeGen2,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourceGroups/classification-test/providers/Microsoft.Storage/storageAccounts/aipclptestadlsgen2,458b9821-8f00-483f-acf9-ff6ab17332c4,eastus,BugBashTest,,Acme Background Check-Katana.doc,https://aipclptestadlsgen2.dfs.core.windows.net/testcontainer/aipclptest/anotherDirectory/Acme Background Check-Katana.doc,File,,"7/21/2020, 6:58:10.000 PM",$superuser,"11/1/2021, 4:09:37.705 PM",doc,95232,Labeling,Default,[],0,9fbde396-1a24-4c79-8edf-9254a0f35055,Confidential\Microsoft Extended,,,PurviewDataSensitivityLogs,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourcegroups/purview-sentinel-bug-bash/providers/microsoft.purview/accounts/sentinel-bug-bash-eastus2 -d80e74e9-da11-4572-babc-79349f7685cc,"11/1/2021, 4:12:40.827 PM",00000000-0000-0000-0000-000000000000,DataSensitivityLogEvent,72f988bf-86f1-41af-91ab-2d7cd011db47,458b9821-8f00-483f-acf9-ff6ab17332c4,Sentinel-Bug-Bash-EastUS2,eastus2,AzureBlob-Bc2,AzureBlob,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourceGroups/classification-test/providers/Microsoft.Storage/storageAccounts/aipclptest,458b9821-8f00-483f-acf9-ff6ab17332c4,eastus,BugBashTest,,el-id.docx,https://aipclptest.blob.core.windows.net/joselw-test/el-id.docx,File,"8/16/2021, 8:56:14.000 PM","8/16/2021, 8:56:14.000 PM",,"11/1/2021, 4:09:14.423 PM",docx,19644,Labeling,Default,[],0,9fbde396-1a24-4c79-8edf-9254a0f35055,Confidential\Microsoft Extended,,,PurviewDataSensitivityLogs,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourcegroups/purview-sentinel-bug-bash/providers/microsoft.purview/accounts/sentinel-bug-bash-eastus2 -d80e74e9-da11-4572-babc-79349f7685cc,"11/1/2021, 4:12:40.860 PM",00000000-0000-0000-0000-000000000000,DataSensitivityLogEvent,72f988bf-86f1-41af-91ab-2d7cd011db47,458b9821-8f00-483f-acf9-ff6ab17332c4,Sentinel-Bug-Bash-EastUS2,eastus2,AzureBlob-Bc2,AzureBlob,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourceGroups/classification-test/providers/Microsoft.Storage/storageAccounts/aipclptest,458b9821-8f00-483f-acf9-ff6ab17332c4,eastus,BugBashTest,,pl-id.docx,https://aipclptest.blob.core.windows.net/joselw-test/pl-id.docx,File,"8/16/2021, 8:56:13.000 PM","8/16/2021, 8:56:13.000 PM",,"11/1/2021, 4:09:14.673 PM",docx,19618,Labeling,Default,[],0,9fbde396-1a24-4c79-8edf-9254a0f35055,Confidential\Microsoft Extended,,,PurviewDataSensitivityLogs,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourcegroups/purview-sentinel-bug-bash/providers/microsoft.purview/accounts/sentinel-bug-bash-eastus2 -d80e74e9-da11-4572-babc-79349f7685cc,"11/1/2021, 4:12:40.864 PM",00000000-0000-0000-0000-000000000000,DataSensitivityLogEvent,72f988bf-86f1-41af-91ab-2d7cd011db47,458b9821-8f00-483f-acf9-ff6ab17332c4,Sentinel-Bug-Bash-EastUS2,eastus2,AzureBlob-Bc2,AzureBlob,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourceGroups/classification-test/providers/Microsoft.Storage/storageAccounts/aipclptest,458b9821-8f00-483f-acf9-ff6ab17332c4,eastus,BugBashTest,,multiple.docx,https://aipclptest.blob.core.windows.net/satintestcontainer/multiple.docx,File,"5/12/2021, 6:56:20.000 PM","5/12/2021, 6:56:20.000 PM",,"11/1/2021, 4:09:15.110 PM",docx,24336,Labeling,Default,[],0,9fbde396-1a24-4c79-8edf-9254a0f35055,Confidential\Microsoft Extended,,,PurviewDataSensitivityLogs,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourcegroups/purview-sentinel-bug-bash/providers/microsoft.purview/accounts/sentinel-bug-bash-eastus2 -d80e74e9-da11-4572-babc-79349f7685cc,"11/1/2021, 4:12:40.871 PM",00000000-0000-0000-0000-000000000000,DataSensitivityLogEvent,72f988bf-86f1-41af-91ab-2d7cd011db47,458b9821-8f00-483f-acf9-ff6ab17332c4,Sentinel-Bug-Bash-EastUS2,eastus2,AzureBlob-Bc2,AzureBlob,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourceGroups/classification-test/providers/Microsoft.Storage/storageAccounts/aipclptest,458b9821-8f00-483f-acf9-ff6ab17332c4,eastus,BugBashTest,,it-drv.docx,https://aipclptest.blob.core.windows.net/satintestcontainer/it-drv.docx,File,"5/12/2021, 6:56:19.000 PM","5/12/2021, 6:56:19.000 PM",,"11/1/2021, 4:09:15.110 PM",docx,26098,Labeling,Default,[],0,9fbde396-1a24-4c79-8edf-9254a0f35055,Confidential\Microsoft Extended,,,PurviewDataSensitivityLogs,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourcegroups/purview-sentinel-bug-bash/providers/microsoft.purview/accounts/sentinel-bug-bash-eastus2 -d80e74e9-da11-4572-babc-79349f7685cc,"11/1/2021, 4:12:40.879 PM",00000000-0000-0000-0000-000000000000,DataSensitivityLogEvent,72f988bf-86f1-41af-91ab-2d7cd011db47,458b9821-8f00-483f-acf9-ff6ab17332c4,Sentinel-Bug-Bash-EastUS2,eastus2,AzureBlob-Bc2,AzureBlob,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourceGroups/classification-test/providers/Microsoft.Storage/storageAccounts/aipclptest,458b9821-8f00-483f-acf9-ff6ab17332c4,eastus,BugBashTest,,dk-id.docx,https://aipclptest.blob.core.windows.net/joselw-test/dk-id.docx,File,"8/16/2021, 8:56:14.000 PM","8/16/2021, 8:56:14.000 PM",,"11/1/2021, 4:09:14.907 PM",docx,19576,Labeling,Default,[],0,9fbde396-1a24-4c79-8edf-9254a0f35055,Confidential\Microsoft Extended,,,PurviewDataSensitivityLogs,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourcegroups/purview-sentinel-bug-bash/providers/microsoft.purview/accounts/sentinel-bug-bash-eastus2 -d80e74e9-da11-4572-babc-79349f7685cc,"11/1/2021, 4:12:40.882 PM",00000000-0000-0000-0000-000000000000,DataSensitivityLogEvent,72f988bf-86f1-41af-91ab-2d7cd011db47,458b9821-8f00-483f-acf9-ff6ab17332c4,Sentinel-Bug-Bash-EastUS2,eastus2,AzureBlob-Bc2,AzureBlob,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourceGroups/classification-test/providers/Microsoft.Storage/storageAccounts/aipclptest,458b9821-8f00-483f-acf9-ff6ab17332c4,eastus,BugBashTest,,fr-insee.docx,https://aipclptest.blob.core.windows.net/joselw-test/fr-insee.docx,File,"8/16/2021, 8:56:13.000 PM","8/16/2021, 8:56:13.000 PM",,"11/1/2021, 4:09:14.985 PM",docx,19735,Labeling,Default,[],0,9fbde396-1a24-4c79-8edf-9254a0f35055,Confidential\Microsoft Extended,,,PurviewDataSensitivityLogs,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourcegroups/purview-sentinel-bug-bash/providers/microsoft.purview/accounts/sentinel-bug-bash-eastus2 -d80e74e9-da11-4572-babc-79349f7685cc,"11/1/2021, 4:12:40.930 PM",00000000-0000-0000-0000-000000000000,DataSensitivityLogEvent,72f988bf-86f1-41af-91ab-2d7cd011db47,458b9821-8f00-483f-acf9-ff6ab17332c4,Sentinel-Bug-Bash-EastUS2,eastus2,AzureBlob-Bc2,AzureBlob,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourceGroups/classification-test/providers/Microsoft.Storage/storageAccounts/aipclptest,458b9821-8f00-483f-acf9-ff6ab17332c4,eastus,BugBashTest,,uk-pn.docx,https://aipclptest.blob.core.windows.net/aipscan-open/uk-pn.docx,File,"12/10/2020, 5:58:29.000 PM","12/10/2020, 5:58:29.000 PM",,"11/1/2021, 4:09:15.313 PM",docx,26383,Labeling,Default,[],0,9fbde396-1a24-4c79-8edf-9254a0f35055,Confidential\Microsoft Extended,,,PurviewDataSensitivityLogs,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourcegroups/purview-sentinel-bug-bash/providers/microsoft.purview/accounts/sentinel-bug-bash-eastus2 -d80e74e9-da11-4572-babc-79349f7685cc,"11/1/2021, 4:12:40.944 PM",00000000-0000-0000-0000-000000000000,DataSensitivityLogEvent,72f988bf-86f1-41af-91ab-2d7cd011db47,458b9821-8f00-483f-acf9-ff6ab17332c4,Sentinel-Bug-Bash-EastUS2,eastus2,AzureBlob-Bc2,AzureBlob,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourceGroups/classification-test/providers/Microsoft.Storage/storageAccounts/aipclptest,458b9821-8f00-483f-acf9-ff6ab17332c4,eastus,BugBashTest,,es-ssn.docx,https://aipclptest.blob.core.windows.net/aipscan/Finance/es-ssn.docx,File,"2/13/2020, 7:54:02.000 PM","2/13/2020, 7:54:02.000 PM",,"11/1/2021, 4:09:15.844 PM",docx,20018,Labeling,Default,[],0,9fbde396-1a24-4c79-8edf-9254a0f35055,Confidential\Microsoft Extended,,,PurviewDataSensitivityLogs,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourcegroups/purview-sentinel-bug-bash/providers/microsoft.purview/accounts/sentinel-bug-bash-eastus2 -d80e74e9-da11-4572-babc-79349f7685cc,"11/1/2021, 4:12:40.999 PM",00000000-0000-0000-0000-000000000000,DataSensitivityLogEvent,72f988bf-86f1-41af-91ab-2d7cd011db47,458b9821-8f00-483f-acf9-ff6ab17332c4,Sentinel-Bug-Bash-EastUS2,eastus2,AzureBlob-Bc2,AzureBlob,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourceGroups/classification-test/providers/Microsoft.Storage/storageAccounts/aipclptest,458b9821-8f00-483f-acf9-ff6ab17332c4,eastus,BugBashTest,,sw-id.docx,https://aipclptest.blob.core.windows.net/joselw-test/sw-id.docx,File,"8/16/2021, 8:56:13.000 PM","8/16/2021, 8:56:13.000 PM",,"11/1/2021, 4:09:14.423 PM",docx,19549,Labeling,Default,[],0,9fbde396-1a24-4c79-8edf-9254a0f35055,Confidential\Microsoft Extended,,,PurviewDataSensitivityLogs,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourcegroups/purview-sentinel-bug-bash/providers/microsoft.purview/accounts/sentinel-bug-bash-eastus2 -d80e74e9-da11-4572-babc-79349f7685cc,"11/1/2021, 4:12:41.042 PM",00000000-0000-0000-0000-000000000000,DataSensitivityLogEvent,72f988bf-86f1-41af-91ab-2d7cd011db47,458b9821-8f00-483f-acf9-ff6ab17332c4,Sentinel-Bug-Bash-EastUS2,eastus2,AzureBlob-Bc2,AzureBlob,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourceGroups/classification-test/providers/Microsoft.Storage/storageAccounts/aipclptest,458b9821-8f00-483f-acf9-ff6ab17332c4,eastus,BugBashTest,,2019 forecast.pptx,https://aipclptest.blob.core.windows.net/aipscan/Finance/2019 forecast.pptx,File,"2/13/2020, 7:54:02.000 PM","2/13/2020, 7:54:02.000 PM",,"11/1/2021, 4:09:15.876 PM",pptx,32114,Labeling,Default,[],0,9fbde396-1a24-4c79-8edf-9254a0f35055,Confidential\Microsoft Extended,,,PurviewDataSensitivityLogs,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourcegroups/purview-sentinel-bug-bash/providers/microsoft.purview/accounts/sentinel-bug-bash-eastus2 -d80e74e9-da11-4572-babc-79349f7685cc,"11/1/2021, 4:12:41.070 PM",00000000-0000-0000-0000-000000000000,DataSensitivityLogEvent,72f988bf-86f1-41af-91ab-2d7cd011db47,458b9821-8f00-483f-acf9-ff6ab17332c4,Sentinel-Bug-Bash-EastUS2,eastus2,AzureBlob-Bc2,AzureBlob,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourceGroups/classification-test/providers/Microsoft.Storage/storageAccounts/aipclptest,458b9821-8f00-483f-acf9-ff6ab17332c4,eastus,BugBashTest,,finland.txt,https://aipclptest.blob.core.windows.net/satintestcontainer/finland.txt,File,"5/12/2021, 6:56:19.000 PM","5/12/2021, 6:56:19.000 PM",,"11/1/2021, 4:09:15.188 PM",txt,89,Labeling,Default,[],0,9fbde396-1a24-4c79-8edf-9254a0f35055,Confidential\Microsoft Extended,,,PurviewDataSensitivityLogs,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourcegroups/purview-sentinel-bug-bash/providers/microsoft.purview/accounts/sentinel-bug-bash-eastus2 -d80e74e9-da11-4572-babc-79349f7685cc,"11/1/2021, 4:12:41.200 PM",00000000-0000-0000-0000-000000000000,DataSensitivityLogEvent,72f988bf-86f1-41af-91ab-2d7cd011db47,458b9821-8f00-483f-acf9-ff6ab17332c4,Sentinel-Bug-Bash-EastUS2,eastus2,AzureBlob-Bc2,AzureBlob,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourceGroups/classification-test/providers/Microsoft.Storage/storageAccounts/aipclptest,458b9821-8f00-483f-acf9-ff6ab17332c4,eastus,BugBashTest,,de-pn.docx,https://aipclptest.blob.core.windows.net/joselw-test/de-pn.docx,File,"8/16/2021, 8:56:14.000 PM","8/16/2021, 8:56:14.000 PM",,"11/1/2021, 4:09:14.782 PM",docx,19539,Labeling,Default,[],0,9fbde396-1a24-4c79-8edf-9254a0f35055,Confidential\Microsoft Extended,,,PurviewDataSensitivityLogs,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourcegroups/purview-sentinel-bug-bash/providers/microsoft.purview/accounts/sentinel-bug-bash-eastus2 -d80e74e9-da11-4572-babc-79349f7685cc,"11/1/2021, 4:12:46.409 PM",00000000-0000-0000-0000-000000000000,DataSensitivityLogEvent,72f988bf-86f1-41af-91ab-2d7cd011db47,458b9821-8f00-483f-acf9-ff6ab17332c4,Sentinel-Bug-Bash-EastUS2,eastus2,AzureBlob-Bc2,AzureBlob,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourceGroups/classification-test/providers/Microsoft.Storage/storageAccounts/aipclptest,458b9821-8f00-483f-acf9-ff6ab17332c4,eastus,BugBashTest,,customers data v2.xlsx,https://aipclptest.blob.core.windows.net/aipscan/Finance/customers data v2.xlsx,File,"2/13/2020, 7:54:02.000 PM","2/13/2020, 7:54:02.000 PM",,"11/1/2021, 4:09:16.063 PM",xlsx,23326,Classification,System,"[""ABA Routing Number"",""Argentina National Identity (DNI) Number"",""Australia Bank Account Number"",""Australia Driver's License Number"",""Australia Medical Account Number"",""Australia Passport Number"",""Australia Tax File Number"",""Austria Driver's License Number"",""Austria Passport Number"",""Belgium Driver's License Number"",""Belgium Passport Number"",""Brazil CPF Number"",""Brazil Legal Entity Number (CNPJ)"",""Brazil National ID Card (RG)"",""Bulgaria Driver's License Number"",""Bulgaria Passport Number"",""Canada Bank Account Number"",""Canada Driver's License Number"",""Canada Health Service Number"",""Canada Passport Number"",""Canada Personal Health Identification Number (PHIN)"",""Canada Social Insurance Number"",""Chile Identity Card Number"",""China Resident Identity Card (PRC) Number"",""Credit Card Number"",""Croatia Driver's License Number"",""Croatia Passport Number"",""Cyprus Driver's License Number"",""Cyprus Identity Card"",""Czech Personal Identity Number"",""Czech Republic Passport Number"",""Denmark Driver's License Number"",""Denmark Passport Number"",""Denmark Personal Identification Number"",""Estonia Passport Number"",""EU Debit Card Number"",""EU Driver's License Number"",""EU National Identification Number"",""EU Passport Number"",""EU Social Security Number (SSN) or Equivalent ID"",""EU Tax Identification Number (TIN)"",""Finland National ID"",""Finland Passport Number"",""France Driver's License Number"",""France National ID Card (CNI)"",""France Social Security Number (INSEE)"",""German Driver's License Number"",""German Passport Number"",""Germany Identity Card Number"",""Greece Driver's License Number"",""Greece National ID Card"",""Greece Passport Number"",""Hungarian Social Security Number (TAJ)"",""Hungary Passport Number"",""India Permanent Account Number (PAN)"",""India Unique Identification (Aadhaar) Number"",""Indonesia Identity Card (KTP) Number"",""International Banking Account Number (IBAN)"",""IP Address"",""Ireland Passport Number"",""Ireland Personal Public Service (PPS) Number"",""Israel Bank Account Number"",""Israel National ID"",""Italy Driver's License Number"",""Italy Passport Number"",""Japan Bank Account Number"",""Japan Driver's License Number"",""Japan Passport Number"",""Japan Resident Registration Number"",""Japan Social Insurance Number (SIN)"",""Lithuania Driver's License Number"",""Lithuania Passport Number"",""Luxemburg Passport Number"",""Malaysia Identity Card Number"",""Malta Driver's License Number"",""Malta Passport Number"",""Netherlands Driver's License Number"",""Netherlands Passport Number"",""New Zealand Ministry of Health Number"",""Norway Identity Number"",""Philippines Unified Multi-Purpose ID Number"",""Poland Identity Card"",""Romania Driver's License Number"",""Romania Passport Number"",""Russian Passport Number (Domestic)"",""Russian Passport Number (International)"",""Saudi Arabia National ID"",""Singapore National Registration Identity Card (NRIC) Number"",""Slovakia Driver's License Number"",""Slovakia Passport Number"",""Slovakia Personal Number"",""Slovenia Driver's License Number"",""Slovenia Passport Number"",""South Africa Identification Number"",""South Korea Resident Registration Number"",""Spain Social Security Number (SSN)"",""Sweden National ID"",""Sweden Passport Number"",""Sweden Tax Identification Number"",""SWIFT Code"",""Taiwan National ID"",""Taiwan Passport Number"",""Taiwan Resident Certificate (ARC/TARC)"",""U.K. Driver's License Number"",""U.K. Electoral Roll Number"",""U.K. National Health Service Number"",""U.K. National Insurance Number (NINO)"",""U.K. Unique Taxpayer Reference Number"",""U.S. / U.K. Passport Number"",""U.S. Bank Account Number"",""U.S. Individual Taxpayer Identification Number (ITIN)"",""U.S. Social Security Number (SSN)"",""Ukraine Passport Number (Domestic)"",""Ukraine Passport Number (International)""]",114,,,,,PurviewDataSensitivityLogs,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourcegroups/purview-sentinel-bug-bash/providers/microsoft.purview/accounts/sentinel-bug-bash-eastus2 -d80e74e9-da11-4572-babc-79349f7685cc,"11/1/2021, 4:12:46.415 PM",00000000-0000-0000-0000-000000000000,DataSensitivityLogEvent,72f988bf-86f1-41af-91ab-2d7cd011db47,458b9821-8f00-483f-acf9-ff6ab17332c4,Sentinel-Bug-Bash-EastUS2,eastus2,AzureBlob-Bc2,AzureBlob,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourceGroups/classification-test/providers/Microsoft.Storage/storageAccounts/aipclptest,458b9821-8f00-483f-acf9-ff6ab17332c4,eastus,BugBashTest,,Acme Direct Deposit Form.xls,https://aipclptest.blob.core.windows.net/aipscan/CredScan/Acme Direct Deposit Form.xls,File,"2/13/2020, 7:53:39.000 PM","2/13/2020, 7:53:39.000 PM",,"11/1/2021, 4:09:16.329 PM",xls,123904,Classification,System,"[""U.S. Social Security Number (SSN)""]",1,,,,,PurviewDataSensitivityLogs,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourcegroups/purview-sentinel-bug-bash/providers/microsoft.purview/accounts/sentinel-bug-bash-eastus2 -d80e74e9-da11-4572-babc-79349f7685cc,"11/1/2021, 4:12:47.148 PM",00000000-0000-0000-0000-000000000000,DataSensitivityLogEvent,72f988bf-86f1-41af-91ab-2d7cd011db47,458b9821-8f00-483f-acf9-ff6ab17332c4,Sentinel-Bug-Bash-EastUS2,eastus2,AzureBlob-Bc2,AzureBlob,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourceGroups/classification-test/providers/Microsoft.Storage/storageAccounts/aipclptest,458b9821-8f00-483f-acf9-ff6ab17332c4,eastus,BugBashTest,,Acme Direct Deposit Form.xls,https://aipclptest.blob.core.windows.net/aipscan/CredScan/Acme Direct Deposit Form.xls,File,"2/13/2020, 7:53:39.000 PM","2/13/2020, 7:53:39.000 PM",,"11/1/2021, 4:09:16.329 PM",xls,123904,Labeling,Default,[],0,9fbde396-1a24-4c79-8edf-9254a0f35055,Confidential\Microsoft Extended,,,PurviewDataSensitivityLogs,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourcegroups/purview-sentinel-bug-bash/providers/microsoft.purview/accounts/sentinel-bug-bash-eastus2 -d80e74e9-da11-4572-babc-79349f7685cc,"11/1/2021, 4:12:47.179 PM",00000000-0000-0000-0000-000000000000,DataSensitivityLogEvent,72f988bf-86f1-41af-91ab-2d7cd011db47,458b9821-8f00-483f-acf9-ff6ab17332c4,Sentinel-Bug-Bash-EastUS2,eastus2,AzureBlob-Bc2,AzureBlob,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourceGroups/classification-test/providers/Microsoft.Storage/storageAccounts/aipclptest,458b9821-8f00-483f-acf9-ff6ab17332c4,eastus,BugBashTest,,customers data v2.xlsx,https://aipclptest.blob.core.windows.net/aipscan/Finance/customers data v2.xlsx,File,"2/13/2020, 7:54:02.000 PM","2/13/2020, 7:54:02.000 PM",,"11/1/2021, 4:09:16.063 PM",xlsx,23326,Labeling,Default,[],0,9fbde396-1a24-4c79-8edf-9254a0f35055,Confidential\Microsoft Extended,,,PurviewDataSensitivityLogs,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourcegroups/purview-sentinel-bug-bash/providers/microsoft.purview/accounts/sentinel-bug-bash-eastus2 -d80e74e9-da11-4572-babc-79349f7685cc,"11/1/2021, 4:12:48.657 PM",00000000-0000-0000-0000-000000000000,DataSensitivityLogEvent,72f988bf-86f1-41af-91ab-2d7cd011db47,458b9821-8f00-483f-acf9-ff6ab17332c4,Sentinel-Bug-Bash-EastUS2,eastus2,AzureBlob-Bc2,AzureBlob,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourceGroups/classification-test/providers/Microsoft.Storage/storageAccounts/aipclptest,458b9821-8f00-483f-acf9-ff6ab17332c4,eastus,BugBashTest,,Customer details.pptx,https://aipclptest.blob.core.windows.net/aipscan/Finance/Customer details.pptx,File,"2/13/2020, 7:54:02.000 PM","2/13/2020, 7:54:02.000 PM",,"11/1/2021, 4:09:15.923 PM",pptx,32114,Classification,System,"[""Credit Card Number"",""EU Debit Card Number""]",2,,,,,PurviewDataSensitivityLogs,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourcegroups/purview-sentinel-bug-bash/providers/microsoft.purview/accounts/sentinel-bug-bash-eastus2 -d80e74e9-da11-4572-babc-79349f7685cc,"11/1/2021, 4:12:48.663 PM",00000000-0000-0000-0000-000000000000,DataSensitivityLogEvent,72f988bf-86f1-41af-91ab-2d7cd011db47,458b9821-8f00-483f-acf9-ff6ab17332c4,Sentinel-Bug-Bash-EastUS2,eastus2,AzureBlob-Bc2,AzureBlob,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourceGroups/classification-test/providers/Microsoft.Storage/storageAccounts/aipclptest,458b9821-8f00-483f-acf9-ff6ab17332c4,eastus,BugBashTest,,customers data.xlsx,https://aipclptest.blob.core.windows.net/aipscan/Finance/customers data.xlsx,File,"2/13/2020, 7:54:02.000 PM","2/13/2020, 7:54:02.000 PM",,"11/1/2021, 4:09:15.954 PM",xlsx,23325,Classification,System,"[""ABA Routing Number"",""Argentina National Identity (DNI) Number"",""Australia Bank Account Number"",""Australia Driver's License Number"",""Australia Medical Account Number"",""Australia Passport Number"",""Australia Tax File Number"",""Austria Driver's License Number"",""Austria Passport Number"",""Belgium Driver's License Number"",""Belgium Passport Number"",""Brazil CPF Number"",""Brazil Legal Entity Number (CNPJ)"",""Brazil National ID Card (RG)"",""Bulgaria Driver's License Number"",""Bulgaria Passport Number"",""Canada Bank Account Number"",""Canada Driver's License Number"",""Canada Health Service Number"",""Canada Passport Number"",""Canada Personal Health Identification Number (PHIN)"",""Canada Social Insurance Number"",""Chile Identity Card Number"",""China Resident Identity Card (PRC) Number"",""Credit Card Number"",""Croatia Driver's License Number"",""Croatia Passport Number"",""Cyprus Driver's License Number"",""Cyprus Identity Card"",""Czech Personal Identity Number"",""Czech Republic Passport Number"",""Denmark Driver's License Number"",""Denmark Passport Number"",""Denmark Personal Identification Number"",""Estonia Passport Number"",""EU Debit Card Number"",""EU Driver's License Number"",""EU National Identification Number"",""EU Passport Number"",""EU Social Security Number (SSN) or Equivalent ID"",""EU Tax Identification Number (TIN)"",""Finland National ID"",""Finland Passport Number"",""France Driver's License Number"",""France National ID Card (CNI)"",""France Social Security Number (INSEE)"",""German Driver's License Number"",""German Passport Number"",""Germany Identity Card Number"",""Greece Driver's License Number"",""Greece National ID Card"",""Greece Passport Number"",""Hungarian Social Security Number (TAJ)"",""Hungary Passport Number"",""India Permanent Account Number (PAN)"",""India Unique Identification (Aadhaar) Number"",""Indonesia Identity Card (KTP) Number"",""International Banking Account Number (IBAN)"",""IP Address"",""Ireland Passport Number"",""Ireland Personal Public Service (PPS) Number"",""Israel Bank Account Number"",""Israel National ID"",""Italy Driver's License Number"",""Italy Passport Number"",""Japan Bank Account Number"",""Japan Driver's License Number"",""Japan Passport Number"",""Japan Resident Registration Number"",""Japan Social Insurance Number (SIN)"",""Lithuania Driver's License Number"",""Lithuania Passport Number"",""Luxemburg Passport Number"",""Malaysia Identity Card Number"",""Malta Driver's License Number"",""Malta Passport Number"",""Netherlands Driver's License Number"",""Netherlands Passport Number"",""New Zealand Ministry of Health Number"",""Norway Identity Number"",""Philippines Unified Multi-Purpose ID Number"",""Poland Identity Card"",""Romania Driver's License Number"",""Romania Passport Number"",""Russian Passport Number (Domestic)"",""Russian Passport Number (International)"",""Saudi Arabia National ID"",""Singapore National Registration Identity Card (NRIC) Number"",""Slovakia Driver's License Number"",""Slovakia Passport Number"",""Slovakia Personal Number"",""Slovenia Driver's License Number"",""Slovenia Passport Number"",""South Africa Identification Number"",""South Korea Resident Registration Number"",""Spain Social Security Number (SSN)"",""Sweden National ID"",""Sweden Passport Number"",""Sweden Tax Identification Number"",""SWIFT Code"",""Taiwan National ID"",""Taiwan Passport Number"",""Taiwan Resident Certificate (ARC/TARC)"",""U.K. Driver's License Number"",""U.K. Electoral Roll Number"",""U.K. National Health Service Number"",""U.K. National Insurance Number (NINO)"",""U.K. Unique Taxpayer Reference Number"",""U.S. / U.K. Passport Number"",""U.S. Bank Account Number"",""U.S. Individual Taxpayer Identification Number (ITIN)"",""U.S. Social Security Number (SSN)"",""Ukraine Passport Number (Domestic)"",""Ukraine Passport Number (International)""]",114,,,,,PurviewDataSensitivityLogs,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourcegroups/purview-sentinel-bug-bash/providers/microsoft.purview/accounts/sentinel-bug-bash-eastus2 -d80e74e9-da11-4572-babc-79349f7685cc,"11/1/2021, 4:12:48.786 PM",00000000-0000-0000-0000-000000000000,DataSensitivityLogEvent,72f988bf-86f1-41af-91ab-2d7cd011db47,458b9821-8f00-483f-acf9-ff6ab17332c4,Sentinel-Bug-Bash-EastUS2,eastus2,AzureBlob-Bc2,AzureBlob,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourceGroups/classification-test/providers/Microsoft.Storage/storageAccounts/aipclptest,458b9821-8f00-483f-acf9-ff6ab17332c4,eastus,BugBashTest,,customers data.xlsx,https://aipclptest.blob.core.windows.net/aipscan/Change Test/customers data.xlsx,File,"9/1/2020, 8:58:50.000 PM","9/1/2020, 8:58:50.000 PM",,"11/1/2021, 4:09:39.973 PM",xlsx,23325,Classification,System,"[""ABA Routing Number"",""Argentina National Identity (DNI) Number"",""Australia Bank Account Number"",""Australia Driver's License Number"",""Australia Medical Account Number"",""Australia Passport Number"",""Australia Tax File Number"",""Austria Driver's License Number"",""Austria Passport Number"",""Belgium Driver's License Number"",""Belgium Passport Number"",""Brazil CPF Number"",""Brazil Legal Entity Number (CNPJ)"",""Brazil National ID Card (RG)"",""Bulgaria Driver's License Number"",""Bulgaria Passport Number"",""Canada Bank Account Number"",""Canada Driver's License Number"",""Canada Health Service Number"",""Canada Passport Number"",""Canada Personal Health Identification Number (PHIN)"",""Canada Social Insurance Number"",""Chile Identity Card Number"",""China Resident Identity Card (PRC) Number"",""Credit Card Number"",""Croatia Driver's License Number"",""Croatia Passport Number"",""Cyprus Driver's License Number"",""Cyprus Identity Card"",""Czech Personal Identity Number"",""Czech Republic Passport Number"",""Denmark Driver's License Number"",""Denmark Passport Number"",""Denmark Personal Identification Number"",""Estonia Passport Number"",""EU Debit Card Number"",""EU Driver's License Number"",""EU National Identification Number"",""EU Passport Number"",""EU Social Security Number (SSN) or Equivalent ID"",""EU Tax Identification Number (TIN)"",""Finland National ID"",""Finland Passport Number"",""France Driver's License Number"",""France National ID Card (CNI)"",""France Social Security Number (INSEE)"",""German Driver's License Number"",""German Passport Number"",""Germany Identity Card Number"",""Greece Driver's License Number"",""Greece National ID Card"",""Greece Passport Number"",""Hungarian Social Security Number (TAJ)"",""Hungary Passport Number"",""India Permanent Account Number (PAN)"",""India Unique Identification (Aadhaar) Number"",""Indonesia Identity Card (KTP) Number"",""International Banking Account Number (IBAN)"",""IP Address"",""Ireland Passport Number"",""Ireland Personal Public Service (PPS) Number"",""Israel Bank Account Number"",""Israel National ID"",""Italy Driver's License Number"",""Italy Passport Number"",""Japan Bank Account Number"",""Japan Driver's License Number"",""Japan Passport Number"",""Japan Resident Registration Number"",""Japan Social Insurance Number (SIN)"",""Lithuania Driver's License Number"",""Lithuania Passport Number"",""Luxemburg Passport Number"",""Malaysia Identity Card Number"",""Malta Driver's License Number"",""Malta Passport Number"",""Netherlands Driver's License Number"",""Netherlands Passport Number"",""New Zealand Ministry of Health Number"",""Norway Identity Number"",""Philippines Unified Multi-Purpose ID Number"",""Poland Identity Card"",""Romania Driver's License Number"",""Romania Passport Number"",""Russian Passport Number (Domestic)"",""Russian Passport Number (International)"",""Saudi Arabia National ID"",""Singapore National Registration Identity Card (NRIC) Number"",""Slovakia Driver's License Number"",""Slovakia Passport Number"",""Slovakia Personal Number"",""Slovenia Driver's License Number"",""Slovenia Passport Number"",""South Africa Identification Number"",""South Korea Resident Registration Number"",""Spain Social Security Number (SSN)"",""Sweden National ID"",""Sweden Passport Number"",""Sweden Tax Identification Number"",""SWIFT Code"",""Taiwan National ID"",""Taiwan Passport Number"",""Taiwan Resident Certificate (ARC/TARC)"",""U.K. Driver's License Number"",""U.K. Electoral Roll Number"",""U.K. National Health Service Number"",""U.K. National Insurance Number (NINO)"",""U.K. Unique Taxpayer Reference Number"",""U.S. / U.K. Passport Number"",""U.S. Bank Account Number"",""U.S. Individual Taxpayer Identification Number (ITIN)"",""U.S. Social Security Number (SSN)"",""Ukraine Passport Number (Domestic)"",""Ukraine Passport Number (International)""]",114,,,,,PurviewDataSensitivityLogs,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourcegroups/purview-sentinel-bug-bash/providers/microsoft.purview/accounts/sentinel-bug-bash-eastus2 -d80e74e9-da11-4572-babc-79349f7685cc,"11/1/2021, 4:12:49.296 PM",00000000-0000-0000-0000-000000000000,DataSensitivityLogEvent,72f988bf-86f1-41af-91ab-2d7cd011db47,458b9821-8f00-483f-acf9-ff6ab17332c4,Sentinel-Bug-Bash-EastUS2,eastus2,AzureBlob-Bc2,AzureBlob,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourceGroups/classification-test/providers/Microsoft.Storage/storageAccounts/aipclptest,458b9821-8f00-483f-acf9-ff6ab17332c4,eastus,BugBashTest,,Customer details.pptx,https://aipclptest.blob.core.windows.net/aipscan/Finance/Customer details.pptx,File,"2/13/2020, 7:54:02.000 PM","2/13/2020, 7:54:02.000 PM",,"11/1/2021, 4:09:15.923 PM",pptx,32114,Labeling,Default,[],0,9fbde396-1a24-4c79-8edf-9254a0f35055,Confidential\Microsoft Extended,,,PurviewDataSensitivityLogs,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourcegroups/purview-sentinel-bug-bash/providers/microsoft.purview/accounts/sentinel-bug-bash-eastus2 -d80e74e9-da11-4572-babc-79349f7685cc,"11/1/2021, 4:12:49.313 PM",00000000-0000-0000-0000-000000000000,DataSensitivityLogEvent,72f988bf-86f1-41af-91ab-2d7cd011db47,458b9821-8f00-483f-acf9-ff6ab17332c4,Sentinel-Bug-Bash-EastUS2,eastus2,AzureBlob-Bc2,AzureBlob,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourceGroups/classification-test/providers/Microsoft.Storage/storageAccounts/aipclptest,458b9821-8f00-483f-acf9-ff6ab17332c4,eastus,BugBashTest,,customers data.xlsx,https://aipclptest.blob.core.windows.net/aipscan/Finance/customers data.xlsx,File,"2/13/2020, 7:54:02.000 PM","2/13/2020, 7:54:02.000 PM",,"11/1/2021, 4:09:15.954 PM",xlsx,23325,Labeling,Default,[],0,9fbde396-1a24-4c79-8edf-9254a0f35055,Confidential\Microsoft Extended,,,PurviewDataSensitivityLogs,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourcegroups/purview-sentinel-bug-bash/providers/microsoft.purview/accounts/sentinel-bug-bash-eastus2 -d80e74e9-da11-4572-babc-79349f7685cc,"11/1/2021, 4:12:49.483 PM",00000000-0000-0000-0000-000000000000,DataSensitivityLogEvent,72f988bf-86f1-41af-91ab-2d7cd011db47,458b9821-8f00-483f-acf9-ff6ab17332c4,Sentinel-Bug-Bash-EastUS2,eastus2,AzureBlob-Bc2,AzureBlob,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourceGroups/classification-test/providers/Microsoft.Storage/storageAccounts/aipclptest,458b9821-8f00-483f-acf9-ff6ab17332c4,eastus,BugBashTest,,customers data.xlsx,https://aipclptest.blob.core.windows.net/aipscan/Change Test/customers data.xlsx,File,"9/1/2020, 8:58:50.000 PM","9/1/2020, 8:58:50.000 PM",,"11/1/2021, 4:09:39.973 PM",xlsx,23325,Labeling,Default,[],0,9fbde396-1a24-4c79-8edf-9254a0f35055,Confidential\Microsoft Extended,,,PurviewDataSensitivityLogs,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourcegroups/purview-sentinel-bug-bash/providers/microsoft.purview/accounts/sentinel-bug-bash-eastus2 -d80e74e9-da11-4572-babc-79349f7685cc,"11/1/2021, 4:12:55.206 PM",00000000-0000-0000-0000-000000000000,DataSensitivityLogEvent,72f988bf-86f1-41af-91ab-2d7cd011db47,458b9821-8f00-483f-acf9-ff6ab17332c4,Sentinel-Bug-Bash-EastUS2,eastus2,AzureFileStorage-iIy,AzureFile,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourceGroups/classification-test/providers/Microsoft.Storage/storageAccounts/aipclptest,458b9821-8f00-483f-acf9-ff6ab17332c4,eastus,BugBashTest,,Doc with credit cards.docx,https://aipclptest.file.core.windows.net/testfiles/testdirectory/Doc with credit cards.docx,File,,"5/27/2020, 1:36:01.000 AM",,"11/1/2021, 4:09:25.716 PM",docx,14003,Classification,System,"[""Credit Card Number"",""EU Debit Card Number""]",2,,,,,PurviewDataSensitivityLogs,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourcegroups/purview-sentinel-bug-bash/providers/microsoft.purview/accounts/sentinel-bug-bash-eastus2 -d80e74e9-da11-4572-babc-79349f7685cc,"11/1/2021, 4:12:55.206 PM",00000000-0000-0000-0000-000000000000,DataSensitivityLogEvent,72f988bf-86f1-41af-91ab-2d7cd011db47,458b9821-8f00-483f-acf9-ff6ab17332c4,Sentinel-Bug-Bash-EastUS2,eastus2,AzureFileStorage-iIy,AzureFile,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourceGroups/classification-test/providers/Microsoft.Storage/storageAccounts/aipclptest,458b9821-8f00-483f-acf9-ff6ab17332c4,eastus,BugBashTest,,Doc with credit cards.docx,https://aipclptest.file.core.windows.net/testfiles/testdirectory/Doc with credit cards.docx,File,,"5/27/2020, 1:36:01.000 AM",,"11/1/2021, 4:09:25.716 PM",docx,14003,Labeling,External,[],0,f42aa342-8706-4288-bd11-ebb85995028c,General,,,PurviewDataSensitivityLogs,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourcegroups/purview-sentinel-bug-bash/providers/microsoft.purview/accounts/sentinel-bug-bash-eastus2 -d80e74e9-da11-4572-babc-79349f7685cc,"11/1/2021, 4:13:52.952 PM",00000000-0000-0000-0000-000000000000,DataSensitivityLogEvent,72f988bf-86f1-41af-91ab-2d7cd011db47,458b9821-8f00-483f-acf9-ff6ab17332c4,Sentinel-Bug-Bash-WestEurope,westeurope,AzureBlob-6Pi,AzureBlob,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourceGroups/classification-test/providers/Microsoft.Storage/storageAccounts/aipclptest,458b9821-8f00-483f-acf9-ff6ab17332c4,eastus,BugBashTest,,de-id.docx,https://aipclptest.blob.core.windows.net/joselw-test/de-id.docx,File,"8/16/2021, 8:56:14.000 PM","8/16/2021, 8:56:14.000 PM",,"11/1/2021, 4:09:57.734 PM",docx,23407,Classification,System,"[""EU National Identification Number"",""Germany Identity Card Number""]",2,,,,,PurviewDataSensitivityLogs,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourcegroups/purview-sentinel-bug-bash/providers/microsoft.purview/accounts/sentinel-bug-bash-westeurope -d80e74e9-da11-4572-babc-79349f7685cc,"11/1/2021, 4:13:54.084 PM",00000000-0000-0000-0000-000000000000,DataSensitivityLogEvent,72f988bf-86f1-41af-91ab-2d7cd011db47,458b9821-8f00-483f-acf9-ff6ab17332c4,Sentinel-Bug-Bash-WestEurope,westeurope,AzureBlob-6Pi,AzureBlob,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourceGroups/classification-test/providers/Microsoft.Storage/storageAccounts/aipclptest,458b9821-8f00-483f-acf9-ff6ab17332c4,eastus,BugBashTest,,de-id.docx,https://aipclptest.blob.core.windows.net/joselw-test/de-id.docx,File,"8/16/2021, 8:56:14.000 PM","8/16/2021, 8:56:14.000 PM",,"11/1/2021, 4:09:57.734 PM",docx,23407,Labeling,External,[],0,f42aa342-8706-4288-bd11-ebb85995028c,General,,,PurviewDataSensitivityLogs,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourcegroups/purview-sentinel-bug-bash/providers/microsoft.purview/accounts/sentinel-bug-bash-westeurope -d80e74e9-da11-4572-babc-79349f7685cc,"11/1/2021, 4:13:54.208 PM",00000000-0000-0000-0000-000000000000,DataSensitivityLogEvent,72f988bf-86f1-41af-91ab-2d7cd011db47,458b9821-8f00-483f-acf9-ff6ab17332c4,Sentinel-Bug-Bash-WestEurope,westeurope,AzureBlob-6Pi,AzureBlob,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourceGroups/classification-test/providers/Microsoft.Storage/storageAccounts/aipclptest,458b9821-8f00-483f-acf9-ff6ab17332c4,eastus,BugBashTest,,denmark.txt,https://aipclptest.blob.core.windows.net/aashishr01/denmark.txt,File,"12/11/2020, 8:59:35.000 PM","12/11/2020, 8:59:35.000 PM",,"11/1/2021, 4:10:09.354 PM",txt,128,Classification,System,"[""EU National Identification Number""]",1,,,,,PurviewDataSensitivityLogs,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourcegroups/purview-sentinel-bug-bash/providers/microsoft.purview/accounts/sentinel-bug-bash-westeurope -d80e74e9-da11-4572-babc-79349f7685cc,"11/1/2021, 4:13:54.214 PM",00000000-0000-0000-0000-000000000000,DataSensitivityLogEvent,72f988bf-86f1-41af-91ab-2d7cd011db47,458b9821-8f00-483f-acf9-ff6ab17332c4,Sentinel-Bug-Bash-WestEurope,westeurope,AzureBlob-6Pi,AzureBlob,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourceGroups/classification-test/providers/Microsoft.Storage/storageAccounts/aipclptest,458b9821-8f00-483f-acf9-ff6ab17332c4,eastus,BugBashTest,,finland.txt,https://aipclptest.blob.core.windows.net/aashishr01/finland.txt,File,"12/11/2020, 8:59:33.000 PM","12/11/2020, 8:59:33.000 PM",,"11/1/2021, 4:10:09.354 PM",txt,89,Classification,System,"[""EU National Identification Number"",""EU Social Security Number (SSN) or Equivalent ID"",""EU Tax Identification Number (TIN)"",""Finland National ID""]",4,,,,,PurviewDataSensitivityLogs,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourcegroups/purview-sentinel-bug-bash/providers/microsoft.purview/accounts/sentinel-bug-bash-westeurope -d80e74e9-da11-4572-babc-79349f7685cc,"11/1/2021, 4:13:54.332 PM",00000000-0000-0000-0000-000000000000,DataSensitivityLogEvent,72f988bf-86f1-41af-91ab-2d7cd011db47,458b9821-8f00-483f-acf9-ff6ab17332c4,Sentinel-Bug-Bash-WestEurope,westeurope,AzureBlob-6Pi,AzureBlob,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourceGroups/classification-test/providers/Microsoft.Storage/storageAccounts/aipclptest,458b9821-8f00-483f-acf9-ff6ab17332c4,eastus,BugBashTest,,fr-insee.docx,https://aipclptest.blob.core.windows.net/aashishr01/fr-insee.docx,File,"12/11/2020, 8:59:33.000 PM","12/11/2020, 8:59:33.000 PM",,"11/1/2021, 4:10:10.197 PM",docx,26254,Classification,System,"[""EU Social Security Number (SSN) or Equivalent ID"",""France Social Security Number (INSEE)""]",2,,,,,PurviewDataSensitivityLogs,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourcegroups/purview-sentinel-bug-bash/providers/microsoft.purview/accounts/sentinel-bug-bash-westeurope -d80e74e9-da11-4572-babc-79349f7685cc,"11/1/2021, 4:13:54.337 PM",00000000-0000-0000-0000-000000000000,DataSensitivityLogEvent,72f988bf-86f1-41af-91ab-2d7cd011db47,458b9821-8f00-483f-acf9-ff6ab17332c4,Sentinel-Bug-Bash-WestEurope,westeurope,AzureBlob-6Pi,AzureBlob,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourceGroups/classification-test/providers/Microsoft.Storage/storageAccounts/aipclptest,458b9821-8f00-483f-acf9-ff6ab17332c4,eastus,BugBashTest,,uk-roll.docx,https://aipclptest.blob.core.windows.net/aashishr01/uk-roll.docx,File,"12/11/2020, 8:59:35.000 PM","12/11/2020, 8:59:35.000 PM",,"11/1/2021, 4:10:10.197 PM",docx,25511,Classification,System,"[""U.K. Electoral Roll Number""]",1,,,,,PurviewDataSensitivityLogs,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourcegroups/purview-sentinel-bug-bash/providers/microsoft.purview/accounts/sentinel-bug-bash-westeurope -d80e74e9-da11-4572-babc-79349f7685cc,"11/1/2021, 4:13:54.342 PM",00000000-0000-0000-0000-000000000000,DataSensitivityLogEvent,72f988bf-86f1-41af-91ab-2d7cd011db47,458b9821-8f00-483f-acf9-ff6ab17332c4,Sentinel-Bug-Bash-WestEurope,westeurope,AzureBlob-6Pi,AzureBlob,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourceGroups/classification-test/providers/Microsoft.Storage/storageAccounts/aipclptest,458b9821-8f00-483f-acf9-ff6ab17332c4,eastus,BugBashTest,,cc.docx,https://aipclptest.blob.core.windows.net/aashishr01/cc.docx,File,"12/11/2020, 8:59:35.000 PM","12/11/2020, 8:59:35.000 PM",,"11/1/2021, 4:10:09.979 PM",docx,26121,Classification,System,"[""Credit Card Number"",""EU Debit Card Number""]",2,,,,,PurviewDataSensitivityLogs,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourcegroups/purview-sentinel-bug-bash/providers/microsoft.purview/accounts/sentinel-bug-bash-westeurope -d80e74e9-da11-4572-babc-79349f7685cc,"11/1/2021, 4:13:54.348 PM",00000000-0000-0000-0000-000000000000,DataSensitivityLogEvent,72f988bf-86f1-41af-91ab-2d7cd011db47,458b9821-8f00-483f-acf9-ff6ab17332c4,Sentinel-Bug-Bash-WestEurope,westeurope,AzureBlob-6Pi,AzureBlob,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourceGroups/classification-test/providers/Microsoft.Storage/storageAccounts/aipclptest,458b9821-8f00-483f-acf9-ff6ab17332c4,eastus,BugBashTest,,sw-pn.docx,https://aipclptest.blob.core.windows.net/aashishr01/sw-pn.docx,File,"12/11/2020, 8:59:35.000 PM","12/11/2020, 8:59:35.000 PM",,"11/1/2021, 4:10:09.979 PM",docx,25568,Classification,System,"[""EU Passport Number"",""Sweden Passport Number""]",2,,,,,PurviewDataSensitivityLogs,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourcegroups/purview-sentinel-bug-bash/providers/microsoft.purview/accounts/sentinel-bug-bash-westeurope -d80e74e9-da11-4572-babc-79349f7685cc,"11/1/2021, 4:13:54.353 PM",00000000-0000-0000-0000-000000000000,DataSensitivityLogEvent,72f988bf-86f1-41af-91ab-2d7cd011db47,458b9821-8f00-483f-acf9-ff6ab17332c4,Sentinel-Bug-Bash-WestEurope,westeurope,AzureBlob-6Pi,AzureBlob,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourceGroups/classification-test/providers/Microsoft.Storage/storageAccounts/aipclptest,458b9821-8f00-483f-acf9-ff6ab17332c4,eastus,BugBashTest,,pl-id.docx,https://aipclptest.blob.core.windows.net/aashishr01/pl-id.docx,File,"12/11/2020, 8:59:33.000 PM","12/11/2020, 8:59:33.000 PM",,"11/1/2021, 4:10:10.947 PM",docx,26144,Classification,System,"[""EU National Identification Number"",""Poland Identity Card""]",2,,,,,PurviewDataSensitivityLogs,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourcegroups/purview-sentinel-bug-bash/providers/microsoft.purview/accounts/sentinel-bug-bash-westeurope -d80e74e9-da11-4572-babc-79349f7685cc,"11/1/2021, 4:13:54.906 PM",00000000-0000-0000-0000-000000000000,DataSensitivityLogEvent,72f988bf-86f1-41af-91ab-2d7cd011db47,458b9821-8f00-483f-acf9-ff6ab17332c4,Sentinel-Bug-Bash-WestEurope,westeurope,AzureBlob-6Pi,AzureBlob,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourceGroups/classification-test/providers/Microsoft.Storage/storageAccounts/aipclptest,458b9821-8f00-483f-acf9-ff6ab17332c4,eastus,BugBashTest,,denmark.txt,https://aipclptest.blob.core.windows.net/aashishr01/denmark.txt,File,"12/11/2020, 8:59:35.000 PM","12/11/2020, 8:59:35.000 PM",,"11/1/2021, 4:10:09.354 PM",txt,128,Labeling,Default,[],0,9fbde396-1a24-4c79-8edf-9254a0f35055,Confidential\Microsoft Extended,,,PurviewDataSensitivityLogs,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourcegroups/purview-sentinel-bug-bash/providers/microsoft.purview/accounts/sentinel-bug-bash-westeurope -d80e74e9-da11-4572-babc-79349f7685cc,"11/1/2021, 4:13:55.346 PM",00000000-0000-0000-0000-000000000000,DataSensitivityLogEvent,72f988bf-86f1-41af-91ab-2d7cd011db47,458b9821-8f00-483f-acf9-ff6ab17332c4,Sentinel-Bug-Bash-WestEurope,westeurope,AzureBlob-6Pi,AzureBlob,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourceGroups/classification-test/providers/Microsoft.Storage/storageAccounts/aipclptest,458b9821-8f00-483f-acf9-ff6ab17332c4,eastus,BugBashTest,,finland.txt,https://aipclptest.blob.core.windows.net/aashishr01/finland.txt,File,"12/11/2020, 8:59:33.000 PM","12/11/2020, 8:59:33.000 PM",,"11/1/2021, 4:10:09.354 PM",txt,89,Labeling,Default,[],0,9fbde396-1a24-4c79-8edf-9254a0f35055,Confidential\Microsoft Extended,,,PurviewDataSensitivityLogs,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourcegroups/purview-sentinel-bug-bash/providers/microsoft.purview/accounts/sentinel-bug-bash-westeurope -d80e74e9-da11-4572-babc-79349f7685cc,"11/1/2021, 4:13:55.439 PM",00000000-0000-0000-0000-000000000000,DataSensitivityLogEvent,72f988bf-86f1-41af-91ab-2d7cd011db47,458b9821-8f00-483f-acf9-ff6ab17332c4,Sentinel-Bug-Bash-WestEurope,westeurope,AzureBlob-6Pi,AzureBlob,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourceGroups/classification-test/providers/Microsoft.Storage/storageAccounts/aipclptest,458b9821-8f00-483f-acf9-ff6ab17332c4,eastus,BugBashTest,,fr-insee.docx,https://aipclptest.blob.core.windows.net/aashishr01/fr-insee.docx,File,"12/11/2020, 8:59:33.000 PM","12/11/2020, 8:59:33.000 PM",,"11/1/2021, 4:10:10.197 PM",docx,26254,Labeling,Default,[],0,9fbde396-1a24-4c79-8edf-9254a0f35055,Confidential\Microsoft Extended,,,PurviewDataSensitivityLogs,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourcegroups/purview-sentinel-bug-bash/providers/microsoft.purview/accounts/sentinel-bug-bash-westeurope -d80e74e9-da11-4572-babc-79349f7685cc,"11/1/2021, 4:13:55.471 PM",00000000-0000-0000-0000-000000000000,DataSensitivityLogEvent,72f988bf-86f1-41af-91ab-2d7cd011db47,458b9821-8f00-483f-acf9-ff6ab17332c4,Sentinel-Bug-Bash-WestEurope,westeurope,AzureBlob-6Pi,AzureBlob,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourceGroups/classification-test/providers/Microsoft.Storage/storageAccounts/aipclptest,458b9821-8f00-483f-acf9-ff6ab17332c4,eastus,BugBashTest,,uk-roll.docx,https://aipclptest.blob.core.windows.net/aashishr01/uk-roll.docx,File,"12/11/2020, 8:59:35.000 PM","12/11/2020, 8:59:35.000 PM",,"11/1/2021, 4:10:10.197 PM",docx,25511,Labeling,Default,[],0,9fbde396-1a24-4c79-8edf-9254a0f35055,Confidential\Microsoft Extended,,,PurviewDataSensitivityLogs,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourcegroups/purview-sentinel-bug-bash/providers/microsoft.purview/accounts/sentinel-bug-bash-westeurope -d80e74e9-da11-4572-babc-79349f7685cc,"11/1/2021, 4:13:55.554 PM",00000000-0000-0000-0000-000000000000,DataSensitivityLogEvent,72f988bf-86f1-41af-91ab-2d7cd011db47,458b9821-8f00-483f-acf9-ff6ab17332c4,Sentinel-Bug-Bash-WestEurope,westeurope,AzureBlob-6Pi,AzureBlob,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourceGroups/classification-test/providers/Microsoft.Storage/storageAccounts/aipclptest,458b9821-8f00-483f-acf9-ff6ab17332c4,eastus,BugBashTest,,sw-pn.docx,https://aipclptest.blob.core.windows.net/aashishr01/sw-pn.docx,File,"12/11/2020, 8:59:35.000 PM","12/11/2020, 8:59:35.000 PM",,"11/1/2021, 4:10:09.979 PM",docx,25568,Labeling,Default,[],0,9fbde396-1a24-4c79-8edf-9254a0f35055,Confidential\Microsoft Extended,,,PurviewDataSensitivityLogs,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourcegroups/purview-sentinel-bug-bash/providers/microsoft.purview/accounts/sentinel-bug-bash-westeurope -d80e74e9-da11-4572-babc-79349f7685cc,"11/1/2021, 4:13:55.592 PM",00000000-0000-0000-0000-000000000000,DataSensitivityLogEvent,72f988bf-86f1-41af-91ab-2d7cd011db47,458b9821-8f00-483f-acf9-ff6ab17332c4,Sentinel-Bug-Bash-WestEurope,westeurope,AzureBlob-6Pi,AzureBlob,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourceGroups/classification-test/providers/Microsoft.Storage/storageAccounts/aipclptest,458b9821-8f00-483f-acf9-ff6ab17332c4,eastus,BugBashTest,,pl-id.docx,https://aipclptest.blob.core.windows.net/aashishr01/pl-id.docx,File,"12/11/2020, 8:59:33.000 PM","12/11/2020, 8:59:33.000 PM",,"11/1/2021, 4:10:10.947 PM",docx,26144,Labeling,Default,[],0,9fbde396-1a24-4c79-8edf-9254a0f35055,Confidential\Microsoft Extended,,,PurviewDataSensitivityLogs,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourcegroups/purview-sentinel-bug-bash/providers/microsoft.purview/accounts/sentinel-bug-bash-westeurope -d80e74e9-da11-4572-babc-79349f7685cc,"11/1/2021, 4:13:55.733 PM",00000000-0000-0000-0000-000000000000,DataSensitivityLogEvent,72f988bf-86f1-41af-91ab-2d7cd011db47,458b9821-8f00-483f-acf9-ff6ab17332c4,Sentinel-Bug-Bash-WestEurope,westeurope,AzureBlob-6Pi,AzureBlob,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourceGroups/classification-test/providers/Microsoft.Storage/storageAccounts/aipclptest,458b9821-8f00-483f-acf9-ff6ab17332c4,eastus,BugBashTest,,cc.docx,https://aipclptest.blob.core.windows.net/aashishr01/cc.docx,File,"12/11/2020, 8:59:35.000 PM","12/11/2020, 8:59:35.000 PM",,"11/1/2021, 4:10:09.979 PM",docx,26121,Labeling,Default,[],0,9fbde396-1a24-4c79-8edf-9254a0f35055,Confidential\Microsoft Extended,,,PurviewDataSensitivityLogs,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourcegroups/purview-sentinel-bug-bash/providers/microsoft.purview/accounts/sentinel-bug-bash-westeurope -d80e74e9-da11-4572-babc-79349f7685cc,"11/1/2021, 4:13:56.582 PM",00000000-0000-0000-0000-000000000000,DataSensitivityLogEvent,72f988bf-86f1-41af-91ab-2d7cd011db47,458b9821-8f00-483f-acf9-ff6ab17332c4,Sentinel-Bug-Bash-WestEurope,westeurope,AzureBlob-6Pi,AzureBlob,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourceGroups/classification-test/providers/Microsoft.Storage/storageAccounts/aipclptest,458b9821-8f00-483f-acf9-ff6ab17332c4,eastus,BugBashTest,,Customers data2018.docx,https://aipclptest.blob.core.windows.net/aipscan/CustomerData/Customers data2018.docx,File,"2/13/2020, 7:53:51.000 PM","2/13/2020, 7:53:51.000 PM",,"11/1/2021, 4:10:26.308 PM",docx,16830,Classification,System,"[""Belgium Driver's License Number"",""Bulgaria Passport Number"",""Credit Card Number"",""Croatia Passport Number"",""Cyprus Driver's License Number"",""Czech Personal Identity Number"",""Denmark Passport Number"",""Denmark Personal Identification Number"",""EU Debit Card Number"",""EU Driver's License Number"",""EU National Identification Number"",""EU Passport Number"",""EU Social Security Number (SSN) or Equivalent ID"",""EU Tax Identification Number (TIN)"",""Finland Driver's License Number"",""Finland National ID"",""France Driver's License Number"",""France National ID Card (CNI)"",""France Social Security Number (INSEE)"",""German Driver's License Number"",""German Passport Number"",""Germany Identity Card Number"",""Greece National ID Card"",""Ireland Passport Number"",""Ireland Personal Public Service (PPS) Number"",""Italy Driver's License Number"",""Italy Passport Number"",""Japan Driver's License Number"",""Japan Passport Number"",""Poland Identity Card"",""Romania Passport Number"",""Russian Passport Number (International)"",""Slovakia Personal Number"",""Sweden Passport Number"",""Taiwan Passport Number"",""U.K. Driver's License Number"",""U.K. Electoral Roll Number"",""U.K. National Health Service Number"",""U.K. National Insurance Number (NINO)"",""U.S. / U.K. Passport Number"",""Ukraine Passport Number (Domestic)""]",41,,,,,PurviewDataSensitivityLogs,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourcegroups/purview-sentinel-bug-bash/providers/microsoft.purview/accounts/sentinel-bug-bash-westeurope -d80e74e9-da11-4572-babc-79349f7685cc,"11/1/2021, 4:13:56.708 PM",00000000-0000-0000-0000-000000000000,DataSensitivityLogEvent,72f988bf-86f1-41af-91ab-2d7cd011db47,458b9821-8f00-483f-acf9-ff6ab17332c4,Sentinel-Bug-Bash-WestEurope,westeurope,AzureBlob-6Pi,AzureBlob,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourceGroups/classification-test/providers/Microsoft.Storage/storageAccounts/aipclptest,458b9821-8f00-483f-acf9-ff6ab17332c4,eastus,BugBashTest,,Customers data2015.docx,https://aipclptest.blob.core.windows.net/satintestcontainer/Customers data2015.docx,File,"6/17/2021, 3:18:46.000 AM","6/17/2021, 3:18:46.000 AM",,"11/1/2021, 4:10:29.605 PM",docx,11141,Classification,System,"[""Credit Card Number"",""EU Debit Card Number""]",2,,,,,PurviewDataSensitivityLogs,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourcegroups/purview-sentinel-bug-bash/providers/microsoft.purview/accounts/sentinel-bug-bash-westeurope -d80e74e9-da11-4572-babc-79349f7685cc,"11/1/2021, 4:13:56.714 PM",00000000-0000-0000-0000-000000000000,DataSensitivityLogEvent,72f988bf-86f1-41af-91ab-2d7cd011db47,458b9821-8f00-483f-acf9-ff6ab17332c4,Sentinel-Bug-Bash-WestEurope,westeurope,AzureBlob-6Pi,AzureBlob,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourceGroups/classification-test/providers/Microsoft.Storage/storageAccounts/aipclptest,458b9821-8f00-483f-acf9-ff6ab17332c4,eastus,BugBashTest,,multiple.docx,https://aipclptest.blob.core.windows.net/satintestcontainer/multiple.docx,File,"5/12/2021, 6:56:20.000 PM","5/12/2021, 6:56:20.000 PM",,"11/1/2021, 4:10:29.605 PM",docx,24336,Classification,System,"[""EU National Identification Number"",""EU Social Security Number (SSN) or Equivalent ID"",""EU Tax Identification Number (TIN)"",""Finland National ID"",""Germany Identity Card Number"",""Greece National ID Card"",""Ireland Personal Public Service (PPS) Number""]",7,,,,,PurviewDataSensitivityLogs,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourcegroups/purview-sentinel-bug-bash/providers/microsoft.purview/accounts/sentinel-bug-bash-westeurope -d80e74e9-da11-4572-babc-79349f7685cc,"11/1/2021, 4:13:56.719 PM",00000000-0000-0000-0000-000000000000,DataSensitivityLogEvent,72f988bf-86f1-41af-91ab-2d7cd011db47,458b9821-8f00-483f-acf9-ff6ab17332c4,Sentinel-Bug-Bash-WestEurope,westeurope,AzureBlob-6Pi,AzureBlob,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourceGroups/classification-test/providers/Microsoft.Storage/storageAccounts/aipclptest,458b9821-8f00-483f-acf9-ff6ab17332c4,eastus,BugBashTest,,Credit Card Spreadsheet.xls,https://aipclptest.blob.core.windows.net/aipscan/CredScan/Credit Card Spreadsheet.xls,File,"2/13/2020, 7:53:39.000 PM","2/13/2020, 7:53:39.000 PM",,"11/1/2021, 4:10:17.933 PM",xls,30208,Classification,System,"[""Credit Card Number""]",1,,,,,PurviewDataSensitivityLogs,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourcegroups/purview-sentinel-bug-bash/providers/microsoft.purview/accounts/sentinel-bug-bash-westeurope -d80e74e9-da11-4572-babc-79349f7685cc,"11/1/2021, 4:13:56.725 PM",00000000-0000-0000-0000-000000000000,DataSensitivityLogEvent,72f988bf-86f1-41af-91ab-2d7cd011db47,458b9821-8f00-483f-acf9-ff6ab17332c4,Sentinel-Bug-Bash-WestEurope,westeurope,AzureBlob-6Pi,AzureBlob,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourceGroups/classification-test/providers/Microsoft.Storage/storageAccounts/aipclptest,458b9821-8f00-483f-acf9-ff6ab17332c4,eastus,BugBashTest,,IR.txt,https://aipclptest.blob.core.windows.net/aipscan/HR/IR.txt,File,"2/13/2020, 7:54:12.000 PM","2/13/2020, 7:54:12.000 PM",,"11/1/2021, 4:10:31.433 PM",txt,197,Classification,System,"[""EU National Identification Number"",""EU Tax Identification Number (TIN)"",""Ireland Personal Public Service (PPS) Number""]",3,,,,,PurviewDataSensitivityLogs,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourcegroups/purview-sentinel-bug-bash/providers/microsoft.purview/accounts/sentinel-bug-bash-westeurope -d80e74e9-da11-4572-babc-79349f7685cc,"11/1/2021, 4:13:56.732 PM",00000000-0000-0000-0000-000000000000,DataSensitivityLogEvent,72f988bf-86f1-41af-91ab-2d7cd011db47,458b9821-8f00-483f-acf9-ff6ab17332c4,Sentinel-Bug-Bash-WestEurope,westeurope,AzureBlob-6Pi,AzureBlob,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourceGroups/classification-test/providers/Microsoft.Storage/storageAccounts/aipclptest,458b9821-8f00-483f-acf9-ff6ab17332c4,eastus,BugBashTest,,denmark.txt,https://aipclptest.blob.core.windows.net/aipscan/HR/denmark.txt,File,"2/13/2020, 7:54:12.000 PM","2/13/2020, 7:54:12.000 PM",,"11/1/2021, 4:10:31.573 PM",txt,128,Classification,System,"[""EU National Identification Number""]",1,,,,,PurviewDataSensitivityLogs,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourcegroups/purview-sentinel-bug-bash/providers/microsoft.purview/accounts/sentinel-bug-bash-westeurope -d80e74e9-da11-4572-babc-79349f7685cc,"11/1/2021, 4:13:56.738 PM",00000000-0000-0000-0000-000000000000,DataSensitivityLogEvent,72f988bf-86f1-41af-91ab-2d7cd011db47,458b9821-8f00-483f-acf9-ff6ab17332c4,Sentinel-Bug-Bash-WestEurope,westeurope,AzureBlob-6Pi,AzureBlob,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourceGroups/classification-test/providers/Microsoft.Storage/storageAccounts/aipclptest,458b9821-8f00-483f-acf9-ff6ab17332c4,eastus,BugBashTest,,Travel Authorization Form_MY_101706.doc,https://aipclptest.blob.core.windows.net/aipscan/CredScan/Travel Authorization Form_MY_101706.doc,File,"2/13/2020, 7:53:38.000 PM","2/13/2020, 7:53:38.000 PM",,"11/1/2021, 4:10:17.948 PM",doc,40960,Classification,System,"[""Credit Card Number""]",1,,,,,PurviewDataSensitivityLogs,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourcegroups/purview-sentinel-bug-bash/providers/microsoft.purview/accounts/sentinel-bug-bash-westeurope -d80e74e9-da11-4572-babc-79349f7685cc,"11/1/2021, 4:13:56.743 PM",00000000-0000-0000-0000-000000000000,DataSensitivityLogEvent,72f988bf-86f1-41af-91ab-2d7cd011db47,458b9821-8f00-483f-acf9-ff6ab17332c4,Sentinel-Bug-Bash-WestEurope,westeurope,AzureBlob-6Pi,AzureBlob,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourceGroups/classification-test/providers/Microsoft.Storage/storageAccounts/aipclptest,458b9821-8f00-483f-acf9-ff6ab17332c4,eastus,BugBashTest,,finland.txt,https://aipclptest.blob.core.windows.net/satintestcontainer/finland.txt,File,"5/12/2021, 6:56:19.000 PM","5/12/2021, 6:56:19.000 PM",,"11/1/2021, 4:10:30.355 PM",txt,89,Classification,System,"[""EU National Identification Number"",""EU Social Security Number (SSN) or Equivalent ID"",""EU Tax Identification Number (TIN)"",""Finland National ID""]",4,,,,,PurviewDataSensitivityLogs,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourcegroups/purview-sentinel-bug-bash/providers/microsoft.purview/accounts/sentinel-bug-bash-westeurope -d80e74e9-da11-4572-babc-79349f7685cc,"11/1/2021, 4:13:56.862 PM",00000000-0000-0000-0000-000000000000,DataSensitivityLogEvent,72f988bf-86f1-41af-91ab-2d7cd011db47,458b9821-8f00-483f-acf9-ff6ab17332c4,Sentinel-Bug-Bash-WestEurope,westeurope,AzureBlob-6Pi,AzureBlob,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourceGroups/classification-test/providers/Microsoft.Storage/storageAccounts/aipclptest,458b9821-8f00-483f-acf9-ff6ab17332c4,eastus,BugBashTest,,cc.docx,https://aipclptest.blob.core.windows.net/aipscan/HR/cc.docx,File,"2/13/2020, 7:54:12.000 PM","2/13/2020, 7:54:12.000 PM",,"11/1/2021, 4:10:31.605 PM",docx,20282,Classification,System,"[""Credit Card Number"",""EU Debit Card Number""]",2,,,,,PurviewDataSensitivityLogs,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourcegroups/purview-sentinel-bug-bash/providers/microsoft.purview/accounts/sentinel-bug-bash-westeurope -d80e74e9-da11-4572-babc-79349f7685cc,"11/1/2021, 4:13:56.862 PM",00000000-0000-0000-0000-000000000000,DataSensitivityLogEvent,72f988bf-86f1-41af-91ab-2d7cd011db47,458b9821-8f00-483f-acf9-ff6ab17332c4,Sentinel-Bug-Bash-WestEurope,westeurope,AzureBlob-6Pi,AzureBlob,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourceGroups/classification-test/providers/Microsoft.Storage/storageAccounts/aipclptest,458b9821-8f00-483f-acf9-ff6ab17332c4,eastus,BugBashTest,,cc.docx,https://aipclptest.blob.core.windows.net/aipscan/HR/cc.docx,File,"2/13/2020, 7:54:12.000 PM","2/13/2020, 7:54:12.000 PM",,"11/1/2021, 4:10:31.605 PM",docx,20282,Labeling,External,[],0,f42aa342-8706-4288-bd11-ebb85995028c,General,,,PurviewDataSensitivityLogs,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourcegroups/purview-sentinel-bug-bash/providers/microsoft.purview/accounts/sentinel-bug-bash-westeurope -d80e74e9-da11-4572-babc-79349f7685cc,"11/1/2021, 4:13:56.862 PM",00000000-0000-0000-0000-000000000000,DataSensitivityLogEvent,72f988bf-86f1-41af-91ab-2d7cd011db47,458b9821-8f00-483f-acf9-ff6ab17332c4,Sentinel-Bug-Bash-WestEurope,westeurope,AzureBlob-6Pi,AzureBlob,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourceGroups/classification-test/providers/Microsoft.Storage/storageAccounts/aipclptest,458b9821-8f00-483f-acf9-ff6ab17332c4,eastus,BugBashTest,,germany.txt,https://aipclptest.blob.core.windows.net/aipscan/HR/germany.txt,File,"2/13/2020, 7:54:12.000 PM","2/13/2020, 7:54:12.000 PM",,"11/1/2021, 4:10:31.698 PM",txt,42,Classification,System,"[""EU National Identification Number"",""EU Social Security Number (SSN) or Equivalent ID"",""Germany Identity Card Number""]",3,,,,,PurviewDataSensitivityLogs,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourcegroups/purview-sentinel-bug-bash/providers/microsoft.purview/accounts/sentinel-bug-bash-westeurope -d80e74e9-da11-4572-babc-79349f7685cc,"11/1/2021, 4:13:57.286 PM",00000000-0000-0000-0000-000000000000,DataSensitivityLogEvent,72f988bf-86f1-41af-91ab-2d7cd011db47,458b9821-8f00-483f-acf9-ff6ab17332c4,Sentinel-Bug-Bash-WestEurope,westeurope,AzureBlob-6Pi,AzureBlob,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourceGroups/classification-test/providers/Microsoft.Storage/storageAccounts/aipclptest,458b9821-8f00-483f-acf9-ff6ab17332c4,eastus,BugBashTest,,Customers data2018.docx,https://aipclptest.blob.core.windows.net/aipscan/CustomerData/Customers data2018.docx,File,"2/13/2020, 7:53:51.000 PM","2/13/2020, 7:53:51.000 PM",,"11/1/2021, 4:10:26.308 PM",docx,16830,Labeling,Default,[],0,9fbde396-1a24-4c79-8edf-9254a0f35055,Confidential\Microsoft Extended,,,PurviewDataSensitivityLogs,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourcegroups/purview-sentinel-bug-bash/providers/microsoft.purview/accounts/sentinel-bug-bash-westeurope -d80e74e9-da11-4572-babc-79349f7685cc,"11/1/2021, 4:13:57.383 PM",00000000-0000-0000-0000-000000000000,DataSensitivityLogEvent,72f988bf-86f1-41af-91ab-2d7cd011db47,458b9821-8f00-483f-acf9-ff6ab17332c4,Sentinel-Bug-Bash-WestEurope,westeurope,AzureBlob-6Pi,AzureBlob,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourceGroups/classification-test/providers/Microsoft.Storage/storageAccounts/aipclptest,458b9821-8f00-483f-acf9-ff6ab17332c4,eastus,BugBashTest,,Customers data2015.docx,https://aipclptest.blob.core.windows.net/satintestcontainer/Customers data2015.docx,File,"6/17/2021, 3:18:46.000 AM","6/17/2021, 3:18:46.000 AM",,"11/1/2021, 4:10:29.605 PM",docx,11141,Labeling,Default,[],0,9fbde396-1a24-4c79-8edf-9254a0f35055,Confidential\Microsoft Extended,,,PurviewDataSensitivityLogs,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourcegroups/purview-sentinel-bug-bash/providers/microsoft.purview/accounts/sentinel-bug-bash-westeurope -d80e74e9-da11-4572-babc-79349f7685cc,"11/1/2021, 4:13:57.386 PM",00000000-0000-0000-0000-000000000000,DataSensitivityLogEvent,72f988bf-86f1-41af-91ab-2d7cd011db47,458b9821-8f00-483f-acf9-ff6ab17332c4,Sentinel-Bug-Bash-WestEurope,westeurope,AzureBlob-6Pi,AzureBlob,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourceGroups/classification-test/providers/Microsoft.Storage/storageAccounts/aipclptest,458b9821-8f00-483f-acf9-ff6ab17332c4,eastus,BugBashTest,,Credit Card Spreadsheet.xls,https://aipclptest.blob.core.windows.net/aipscan/CredScan/Credit Card Spreadsheet.xls,File,"2/13/2020, 7:53:39.000 PM","2/13/2020, 7:53:39.000 PM",,"11/1/2021, 4:10:17.933 PM",xls,30208,Labeling,Default,[],0,9fbde396-1a24-4c79-8edf-9254a0f35055,Confidential\Microsoft Extended,,,PurviewDataSensitivityLogs,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourcegroups/purview-sentinel-bug-bash/providers/microsoft.purview/accounts/sentinel-bug-bash-westeurope -d80e74e9-da11-4572-babc-79349f7685cc,"11/1/2021, 4:13:57.466 PM",00000000-0000-0000-0000-000000000000,DataSensitivityLogEvent,72f988bf-86f1-41af-91ab-2d7cd011db47,458b9821-8f00-483f-acf9-ff6ab17332c4,Sentinel-Bug-Bash-WestEurope,westeurope,AzureBlob-6Pi,AzureBlob,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourceGroups/classification-test/providers/Microsoft.Storage/storageAccounts/aipclptest,458b9821-8f00-483f-acf9-ff6ab17332c4,eastus,BugBashTest,,denmark.txt,https://aipclptest.blob.core.windows.net/aipscan/HR/denmark.txt,File,"2/13/2020, 7:54:12.000 PM","2/13/2020, 7:54:12.000 PM",,"11/1/2021, 4:10:31.573 PM",txt,128,Labeling,Default,[],0,9fbde396-1a24-4c79-8edf-9254a0f35055,Confidential\Microsoft Extended,,,PurviewDataSensitivityLogs,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourcegroups/purview-sentinel-bug-bash/providers/microsoft.purview/accounts/sentinel-bug-bash-westeurope -d80e74e9-da11-4572-babc-79349f7685cc,"11/1/2021, 4:13:57.466 PM",00000000-0000-0000-0000-000000000000,DataSensitivityLogEvent,72f988bf-86f1-41af-91ab-2d7cd011db47,458b9821-8f00-483f-acf9-ff6ab17332c4,Sentinel-Bug-Bash-WestEurope,westeurope,AzureBlob-6Pi,AzureBlob,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourceGroups/classification-test/providers/Microsoft.Storage/storageAccounts/aipclptest,458b9821-8f00-483f-acf9-ff6ab17332c4,eastus,BugBashTest,,multiple.docx,https://aipclptest.blob.core.windows.net/satintestcontainer/multiple.docx,File,"5/12/2021, 6:56:20.000 PM","5/12/2021, 6:56:20.000 PM",,"11/1/2021, 4:10:29.605 PM",docx,24336,Labeling,Default,[],0,9fbde396-1a24-4c79-8edf-9254a0f35055,Confidential\Microsoft Extended,,,PurviewDataSensitivityLogs,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourcegroups/purview-sentinel-bug-bash/providers/microsoft.purview/accounts/sentinel-bug-bash-westeurope -d80e74e9-da11-4572-babc-79349f7685cc,"11/1/2021, 4:13:57.529 PM",00000000-0000-0000-0000-000000000000,DataSensitivityLogEvent,72f988bf-86f1-41af-91ab-2d7cd011db47,458b9821-8f00-483f-acf9-ff6ab17332c4,Sentinel-Bug-Bash-WestEurope,westeurope,AzureBlob-6Pi,AzureBlob,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourceGroups/classification-test/providers/Microsoft.Storage/storageAccounts/aipclptest,458b9821-8f00-483f-acf9-ff6ab17332c4,eastus,BugBashTest,,IR.txt,https://aipclptest.blob.core.windows.net/aipscan/HR/IR.txt,File,"2/13/2020, 7:54:12.000 PM","2/13/2020, 7:54:12.000 PM",,"11/1/2021, 4:10:31.433 PM",txt,197,Labeling,Default,[],0,9fbde396-1a24-4c79-8edf-9254a0f35055,Confidential\Microsoft Extended,,,PurviewDataSensitivityLogs,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourcegroups/purview-sentinel-bug-bash/providers/microsoft.purview/accounts/sentinel-bug-bash-westeurope -d80e74e9-da11-4572-babc-79349f7685cc,"11/1/2021, 4:13:57.682 PM",00000000-0000-0000-0000-000000000000,DataSensitivityLogEvent,72f988bf-86f1-41af-91ab-2d7cd011db47,458b9821-8f00-483f-acf9-ff6ab17332c4,Sentinel-Bug-Bash-WestEurope,westeurope,AzureBlob-6Pi,AzureBlob,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourceGroups/classification-test/providers/Microsoft.Storage/storageAccounts/aipclptest,458b9821-8f00-483f-acf9-ff6ab17332c4,eastus,BugBashTest,,finland.txt,https://aipclptest.blob.core.windows.net/satintestcontainer/finland.txt,File,"5/12/2021, 6:56:19.000 PM","5/12/2021, 6:56:19.000 PM",,"11/1/2021, 4:10:30.355 PM",txt,89,Labeling,Default,[],0,9fbde396-1a24-4c79-8edf-9254a0f35055,Confidential\Microsoft Extended,,,PurviewDataSensitivityLogs,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourcegroups/purview-sentinel-bug-bash/providers/microsoft.purview/accounts/sentinel-bug-bash-westeurope -d80e74e9-da11-4572-babc-79349f7685cc,"11/1/2021, 4:13:57.698 PM",00000000-0000-0000-0000-000000000000,DataSensitivityLogEvent,72f988bf-86f1-41af-91ab-2d7cd011db47,458b9821-8f00-483f-acf9-ff6ab17332c4,Sentinel-Bug-Bash-WestEurope,westeurope,AzureBlob-6Pi,AzureBlob,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourceGroups/classification-test/providers/Microsoft.Storage/storageAccounts/aipclptest,458b9821-8f00-483f-acf9-ff6ab17332c4,eastus,BugBashTest,,Travel Authorization Form_MY_101706.doc,https://aipclptest.blob.core.windows.net/aipscan/CredScan/Travel Authorization Form_MY_101706.doc,File,"2/13/2020, 7:53:38.000 PM","2/13/2020, 7:53:38.000 PM",,"11/1/2021, 4:10:17.948 PM",doc,40960,Labeling,Default,[],0,9fbde396-1a24-4c79-8edf-9254a0f35055,Confidential\Microsoft Extended,,,PurviewDataSensitivityLogs,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourcegroups/purview-sentinel-bug-bash/providers/microsoft.purview/accounts/sentinel-bug-bash-westeurope -d80e74e9-da11-4572-babc-79349f7685cc,"11/1/2021, 4:13:57.920 PM",00000000-0000-0000-0000-000000000000,DataSensitivityLogEvent,72f988bf-86f1-41af-91ab-2d7cd011db47,458b9821-8f00-483f-acf9-ff6ab17332c4,Sentinel-Bug-Bash-WestEurope,westeurope,AzureBlob-6Pi,AzureBlob,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourceGroups/classification-test/providers/Microsoft.Storage/storageAccounts/aipclptest,458b9821-8f00-483f-acf9-ff6ab17332c4,eastus,BugBashTest,,germany.txt,https://aipclptest.blob.core.windows.net/aipscan/HR/germany.txt,File,"2/13/2020, 7:54:12.000 PM","2/13/2020, 7:54:12.000 PM",,"11/1/2021, 4:10:31.698 PM",txt,42,Labeling,Default,[],0,9fbde396-1a24-4c79-8edf-9254a0f35055,Confidential\Microsoft Extended,,,PurviewDataSensitivityLogs,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourcegroups/purview-sentinel-bug-bash/providers/microsoft.purview/accounts/sentinel-bug-bash-westeurope -d80e74e9-da11-4572-babc-79349f7685cc,"11/1/2021, 4:13:59.113 PM",00000000-0000-0000-0000-000000000000,DataSensitivityLogEvent,72f988bf-86f1-41af-91ab-2d7cd011db47,458b9821-8f00-483f-acf9-ff6ab17332c4,Sentinel-Bug-Bash-WestEurope,westeurope,AzureBlob-6Pi,AzureBlob,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourceGroups/classification-test/providers/Microsoft.Storage/storageAccounts/aipclptest,458b9821-8f00-483f-acf9-ff6ab17332c4,eastus,BugBashTest,,Travel Authorization Form_MY_101706-Katana.doc,https://aipclptest.blob.core.windows.net/aipscan/CredScan/Travel Authorization Form_MY_101706-Katana.doc,File,"2/13/2020, 7:53:39.000 PM","2/13/2020, 7:53:39.000 PM",,"11/1/2021, 4:10:30.986 PM",doc,40960,Classification,System,"[""Credit Card Number""]",1,,,,,PurviewDataSensitivityLogs,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourcegroups/purview-sentinel-bug-bash/providers/microsoft.purview/accounts/sentinel-bug-bash-westeurope -d80e74e9-da11-4572-babc-79349f7685cc,"11/1/2021, 4:13:59.118 PM",00000000-0000-0000-0000-000000000000,DataSensitivityLogEvent,72f988bf-86f1-41af-91ab-2d7cd011db47,458b9821-8f00-483f-acf9-ff6ab17332c4,Sentinel-Bug-Bash-WestEurope,westeurope,AzureBlob-6Pi,AzureBlob,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourceGroups/classification-test/providers/Microsoft.Storage/storageAccounts/aipclptest,458b9821-8f00-483f-acf9-ff6ab17332c4,eastus,BugBashTest,,Payments.docx,https://aipclptest.blob.core.windows.net/aipscan/Finance/Payments.docx,File,"2/13/2020, 7:54:02.000 PM","2/13/2020, 7:54:02.000 PM",,"11/1/2021, 4:10:29.065 PM",docx,20166,Classification,System,"[""Credit Card Number"",""EU Debit Card Number""]",2,,,,,PurviewDataSensitivityLogs,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourcegroups/purview-sentinel-bug-bash/providers/microsoft.purview/accounts/sentinel-bug-bash-westeurope -d80e74e9-da11-4572-babc-79349f7685cc,"11/1/2021, 4:13:59.124 PM",00000000-0000-0000-0000-000000000000,DataSensitivityLogEvent,72f988bf-86f1-41af-91ab-2d7cd011db47,458b9821-8f00-483f-acf9-ff6ab17332c4,Sentinel-Bug-Bash-WestEurope,westeurope,AzureBlob-6Pi,AzureBlob,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourceGroups/classification-test/providers/Microsoft.Storage/storageAccounts/aipclptest,458b9821-8f00-483f-acf9-ff6ab17332c4,eastus,BugBashTest,,Test Doc with Creditcard.docx,https://aipclptest.blob.core.windows.net/aipscan/Finance/Test Doc with Creditcard.docx,File,"2/13/2020, 7:54:02.000 PM","2/13/2020, 7:54:02.000 PM",,"11/1/2021, 4:10:28.971 PM",docx,12800,Classification,System,"[""Credit Card Number"",""EU Debit Card Number""]",2,,,,,PurviewDataSensitivityLogs,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourcegroups/purview-sentinel-bug-bash/providers/microsoft.purview/accounts/sentinel-bug-bash-westeurope -d80e74e9-da11-4572-babc-79349f7685cc,"11/1/2021, 4:13:59.253 PM",00000000-0000-0000-0000-000000000000,DataSensitivityLogEvent,72f988bf-86f1-41af-91ab-2d7cd011db47,458b9821-8f00-483f-acf9-ff6ab17332c4,Sentinel-Bug-Bash-WestEurope,westeurope,AzureBlob-6Pi,AzureBlob,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourceGroups/classification-test/providers/Microsoft.Storage/storageAccounts/aipclptest,458b9821-8f00-483f-acf9-ff6ab17332c4,eastus,BugBashTest,,fi-pn.docx,https://aipclptest.blob.core.windows.net/aipscan/HR/fi-pn.docx,File,"2/13/2020, 7:54:12.000 PM","2/13/2020, 7:54:12.000 PM",,"11/1/2021, 4:10:32.042 PM",docx,19582,Classification,System,"[""Japan Passport Number""]",1,,,,,PurviewDataSensitivityLogs,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourcegroups/purview-sentinel-bug-bash/providers/microsoft.purview/accounts/sentinel-bug-bash-westeurope -d80e74e9-da11-4572-babc-79349f7685cc,"11/1/2021, 4:13:59.253 PM",00000000-0000-0000-0000-000000000000,DataSensitivityLogEvent,72f988bf-86f1-41af-91ab-2d7cd011db47,458b9821-8f00-483f-acf9-ff6ab17332c4,Sentinel-Bug-Bash-WestEurope,westeurope,AzureBlob-6Pi,AzureBlob,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourceGroups/classification-test/providers/Microsoft.Storage/storageAccounts/aipclptest,458b9821-8f00-483f-acf9-ff6ab17332c4,eastus,BugBashTest,,fi-pn.docx,https://aipclptest.blob.core.windows.net/aipscan/HR/fi-pn.docx,File,"2/13/2020, 7:54:12.000 PM","2/13/2020, 7:54:12.000 PM",,"11/1/2021, 4:10:32.042 PM",docx,19582,Labeling,External,[],0,f42aa342-8706-4288-bd11-ebb85995028c,General,,,PurviewDataSensitivityLogs,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourcegroups/purview-sentinel-bug-bash/providers/microsoft.purview/accounts/sentinel-bug-bash-westeurope -d80e74e9-da11-4572-babc-79349f7685cc,"11/1/2021, 4:13:59.253 PM",00000000-0000-0000-0000-000000000000,DataSensitivityLogEvent,72f988bf-86f1-41af-91ab-2d7cd011db47,458b9821-8f00-483f-acf9-ff6ab17332c4,Sentinel-Bug-Bash-WestEurope,westeurope,AzureBlob-6Pi,AzureBlob,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourceGroups/classification-test/providers/Microsoft.Storage/storageAccounts/aipclptest,458b9821-8f00-483f-acf9-ff6ab17332c4,eastus,BugBashTest,,sw-id.docx,https://aipclptest.blob.core.windows.net/aipscan/HR/sw-id.docx,File,"2/13/2020, 7:54:12.000 PM","2/13/2020, 7:54:12.000 PM",,"11/1/2021, 4:10:32.042 PM",docx,20135,Classification,System,"[""EU Social Security Number (SSN) or Equivalent ID"",""EU Tax Identification Number (TIN)""]",2,,,,,PurviewDataSensitivityLogs,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourcegroups/purview-sentinel-bug-bash/providers/microsoft.purview/accounts/sentinel-bug-bash-westeurope -d80e74e9-da11-4572-babc-79349f7685cc,"11/1/2021, 4:13:59.253 PM",00000000-0000-0000-0000-000000000000,DataSensitivityLogEvent,72f988bf-86f1-41af-91ab-2d7cd011db47,458b9821-8f00-483f-acf9-ff6ab17332c4,Sentinel-Bug-Bash-WestEurope,westeurope,AzureBlob-6Pi,AzureBlob,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourceGroups/classification-test/providers/Microsoft.Storage/storageAccounts/aipclptest,458b9821-8f00-483f-acf9-ff6ab17332c4,eastus,BugBashTest,,sw-id.docx,https://aipclptest.blob.core.windows.net/aipscan/HR/sw-id.docx,File,"2/13/2020, 7:54:12.000 PM","2/13/2020, 7:54:12.000 PM",,"11/1/2021, 4:10:32.042 PM",docx,20135,Labeling,External,[],0,f42aa342-8706-4288-bd11-ebb85995028c,General,,,PurviewDataSensitivityLogs,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourcegroups/purview-sentinel-bug-bash/providers/microsoft.purview/accounts/sentinel-bug-bash-westeurope -d80e74e9-da11-4572-babc-79349f7685cc,"11/1/2021, 4:13:59.386 PM",00000000-0000-0000-0000-000000000000,DataSensitivityLogEvent,72f988bf-86f1-41af-91ab-2d7cd011db47,458b9821-8f00-483f-acf9-ff6ab17332c4,Sentinel-Bug-Bash-WestEurope,westeurope,AzureBlob-6Pi,AzureBlob,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourceGroups/classification-test/providers/Microsoft.Storage/storageAccounts/aipclptest,458b9821-8f00-483f-acf9-ff6ab17332c4,eastus,BugBashTest,,Customers list.docx,https://aipclptest.blob.core.windows.net/aipscan/Finance/Customers list.docx,File,"2/13/2020, 7:54:02.000 PM","2/13/2020, 7:54:02.000 PM",,"11/1/2021, 4:10:30.033 PM",docx,20166,Classification,System,"[""Credit Card Number"",""EU Debit Card Number""]",2,,,,,PurviewDataSensitivityLogs,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourcegroups/purview-sentinel-bug-bash/providers/microsoft.purview/accounts/sentinel-bug-bash-westeurope -d80e74e9-da11-4572-babc-79349f7685cc,"11/1/2021, 4:13:59.391 PM",00000000-0000-0000-0000-000000000000,DataSensitivityLogEvent,72f988bf-86f1-41af-91ab-2d7cd011db47,458b9821-8f00-483f-acf9-ff6ab17332c4,Sentinel-Bug-Bash-WestEurope,westeurope,AzureBlob-6Pi,AzureBlob,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourceGroups/classification-test/providers/Microsoft.Storage/storageAccounts/aipclptest,458b9821-8f00-483f-acf9-ff6ab17332c4,eastus,BugBashTest,,Registration form.docx,https://aipclptest.blob.core.windows.net/aipscan/Finance/Registration form.docx,File,"2/13/2020, 7:54:02.000 PM","2/13/2020, 7:54:02.000 PM",,"11/1/2021, 4:10:30.002 PM",docx,20166,Classification,System,"[""Credit Card Number"",""EU Debit Card Number""]",2,,,,,PurviewDataSensitivityLogs,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourcegroups/purview-sentinel-bug-bash/providers/microsoft.purview/accounts/sentinel-bug-bash-westeurope -d80e74e9-da11-4572-babc-79349f7685cc,"11/1/2021, 4:13:59.773 PM",00000000-0000-0000-0000-000000000000,DataSensitivityLogEvent,72f988bf-86f1-41af-91ab-2d7cd011db47,458b9821-8f00-483f-acf9-ff6ab17332c4,Sentinel-Bug-Bash-WestEurope,westeurope,AzureBlob-6Pi,AzureBlob,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourceGroups/classification-test/providers/Microsoft.Storage/storageAccounts/aipclptest,458b9821-8f00-483f-acf9-ff6ab17332c4,eastus,BugBashTest,,Test Doc with Creditcard.docx,https://aipclptest.blob.core.windows.net/aipscan/Finance/Test Doc with Creditcard.docx,File,"2/13/2020, 7:54:02.000 PM","2/13/2020, 7:54:02.000 PM",,"11/1/2021, 4:10:28.971 PM",docx,12800,Labeling,Default,[],0,9fbde396-1a24-4c79-8edf-9254a0f35055,Confidential\Microsoft Extended,,,PurviewDataSensitivityLogs,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourcegroups/purview-sentinel-bug-bash/providers/microsoft.purview/accounts/sentinel-bug-bash-westeurope -d80e74e9-da11-4572-babc-79349f7685cc,"11/1/2021, 4:13:59.785 PM",00000000-0000-0000-0000-000000000000,DataSensitivityLogEvent,72f988bf-86f1-41af-91ab-2d7cd011db47,458b9821-8f00-483f-acf9-ff6ab17332c4,Sentinel-Bug-Bash-WestEurope,westeurope,AzureBlob-6Pi,AzureBlob,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourceGroups/classification-test/providers/Microsoft.Storage/storageAccounts/aipclptest,458b9821-8f00-483f-acf9-ff6ab17332c4,eastus,BugBashTest,,Payments.docx,https://aipclptest.blob.core.windows.net/aipscan/Finance/Payments.docx,File,"2/13/2020, 7:54:02.000 PM","2/13/2020, 7:54:02.000 PM",,"11/1/2021, 4:10:29.065 PM",docx,20166,Labeling,Default,[],0,9fbde396-1a24-4c79-8edf-9254a0f35055,Confidential\Microsoft Extended,,,PurviewDataSensitivityLogs,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourcegroups/purview-sentinel-bug-bash/providers/microsoft.purview/accounts/sentinel-bug-bash-westeurope -d80e74e9-da11-4572-babc-79349f7685cc,"11/1/2021, 4:13:59.795 PM",00000000-0000-0000-0000-000000000000,DataSensitivityLogEvent,72f988bf-86f1-41af-91ab-2d7cd011db47,458b9821-8f00-483f-acf9-ff6ab17332c4,Sentinel-Bug-Bash-WestEurope,westeurope,AzureBlob-6Pi,AzureBlob,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourceGroups/classification-test/providers/Microsoft.Storage/storageAccounts/aipclptest,458b9821-8f00-483f-acf9-ff6ab17332c4,eastus,BugBashTest,,Travel Authorization Form_MY_101706-Katana.doc,https://aipclptest.blob.core.windows.net/aipscan/CredScan/Travel Authorization Form_MY_101706-Katana.doc,File,"2/13/2020, 7:53:39.000 PM","2/13/2020, 7:53:39.000 PM",,"11/1/2021, 4:10:30.986 PM",doc,40960,Labeling,Default,[],0,9fbde396-1a24-4c79-8edf-9254a0f35055,Confidential\Microsoft Extended,,,PurviewDataSensitivityLogs,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourcegroups/purview-sentinel-bug-bash/providers/microsoft.purview/accounts/sentinel-bug-bash-westeurope +TenantId,TimeGenerated [UTC],PurviewTenantId,PurviewAccountName,PurviewRegion,SourceName,SourceType,SourcePath,SourceSubscriptionId,SourceRegion,SourceCollectionName,SourceScanId,AssetName,AssetPath,AssetType,AssetCreationTime [UTC],AssetModifiedTime [UTC],AssetLastScanTime [UTC],FileExtension,FileSize,ActivityType,ClassificationTrigger,Classification,ClassificationDetails,SensitivityLabelTrigger,SensitivityLabel,SensitivityLabelDetails,SourceSystem,Type,_ResourceId +fbb21831-7ba1-44ce-823f-c0d0033446db,"12/3/2021, 9:27:11.955 PM",72f988bf-86f1-41af-91ab-2d7cd011db47,test-la-integration,eastus2euap,AzureBlob-vMq,AzureBlob,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourceGroups/classification-test/providers/Microsoft.Storage/storageAccounts/aipclptest,458b9821-8f00-483f-acf9-ff6ab17332c4,eastus,test-la-integration,e17538ca-447b-4955-9eef-f4aae614fff0,multiple.docx,https://aipclptest.blob.core.windows.net/aipscan/HR/multiple.docx,File,"2/13/2020, 7:54:12.000 PM","2/13/2020, 7:54:12.000 PM","12/3/2021, 9:23:24.876 PM",docx,18405,Classification,System,"[""Finland National ID"",""Germany Identity Card Number"",""Greece National ID Card"",""Ireland Personal Public Service (PPS) Number""]","[{""UniqueCount"":1,""Confidence"":85,""Count"":1,""Name"":""Finland National ID"",""Id"":""338fd995-4cb5-4f87-ad35-79bd1dd926c1""},{""UniqueCount"":1,""Confidence"":65,""Count"":1,""Name"":""Germany Identity Card Number"",""Id"":""e577372f-c42e-47a0-9d85-bebed1c237d4""},{""UniqueCount"":2,""Confidence"":85,""Count"":2,""Name"":""Greece National ID Card"",""Id"":""82568215-1da1-46d3-874a-d2294d81b5ac""},{""UniqueCount"":2,""Confidence"":85,""Count"":4,""Name"":""Ireland Personal Public Service (PPS) Number"",""Id"":""1cdb674d-c19a-4fcf-9f4b-7f56cc87345a""}]",,[],[],,PurviewDataSensitivityLogs,/subscriptions/47e8596d-ee73-4eb2-b6b4-cc13c2b87d6d/resourcegroups/aip-shoebox-testing/providers/microsoft.purview/accounts/test-la-integration +fbb21831-7ba1-44ce-823f-c0d0033446db,"12/3/2021, 9:27:11.955 PM",72f988bf-86f1-41af-91ab-2d7cd011db47,test-la-integration,eastus2euap,AzureBlob-vMq,AzureBlob,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourceGroups/classification-test/providers/Microsoft.Storage/storageAccounts/aipclptest,458b9821-8f00-483f-acf9-ff6ab17332c4,eastus,test-la-integration,e17538ca-447b-4955-9eef-f4aae614fff0,germany.txt,https://aipclptest.blob.core.windows.net/aipscan/HR/germany.txt,File,"2/13/2020, 7:54:12.000 PM","2/13/2020, 7:54:12.000 PM","12/3/2021, 9:23:25.298 PM",txt,42,Classification,System,"[""Germany Identity Card Number""]","[{""UniqueCount"":1,""Confidence"":65,""Count"":1,""Name"":""Germany Identity Card Number"",""Id"":""e577372f-c42e-47a0-9d85-bebed1c237d4""}]",,[],[],,PurviewDataSensitivityLogs,/subscriptions/47e8596d-ee73-4eb2-b6b4-cc13c2b87d6d/resourcegroups/aip-shoebox-testing/providers/microsoft.purview/accounts/test-la-integration +fbb21831-7ba1-44ce-823f-c0d0033446db,"12/3/2021, 9:27:11.955 PM",72f988bf-86f1-41af-91ab-2d7cd011db47,test-la-integration,eastus2euap,AzureBlob-vMq,AzureBlob,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourceGroups/classification-test/providers/Microsoft.Storage/storageAccounts/aipclptest,458b9821-8f00-483f-acf9-ff6ab17332c4,eastus,test-la-integration,e17538ca-447b-4955-9eef-f4aae614fff0,multiple.docx,https://aipclptest.blob.core.windows.net/aipscan/HR/multiple.docx,File,"2/13/2020, 7:54:12.000 PM","2/13/2020, 7:54:12.000 PM","12/3/2021, 9:23:24.876 PM",docx,18405,Labeling,,[],,External,"[""General""]","[{""Order"":2,""Name"":""General"",""Id"":""f42aa342-8706-4288-bd11-ebb85995028c""}]",,PurviewDataSensitivityLogs,/subscriptions/47e8596d-ee73-4eb2-b6b4-cc13c2b87d6d/resourcegroups/aip-shoebox-testing/providers/microsoft.purview/accounts/test-la-integration +fbb21831-7ba1-44ce-823f-c0d0033446db,"12/3/2021, 9:27:11.955 PM",72f988bf-86f1-41af-91ab-2d7cd011db47,test-la-integration,eastus2euap,AzureBlob-vMq,AzureBlob,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourceGroups/classification-test/providers/Microsoft.Storage/storageAccounts/aipclptest,458b9821-8f00-483f-acf9-ff6ab17332c4,eastus,test-la-integration,e17538ca-447b-4955-9eef-f4aae614fff0,germany.txt,https://aipclptest.blob.core.windows.net/aipscan/HR/germany.txt,File,"2/13/2020, 7:54:12.000 PM","2/13/2020, 7:54:12.000 PM","12/3/2021, 9:23:25.298 PM",txt,42,Labeling,,[],,Default,"[""Microsoft Extended""]","[{""Order"":3,""Name"":""Microsoft Extended"",""Id"":""9fbde396-1a24-4c79-8edf-9254a0f35055""}]",,PurviewDataSensitivityLogs,/subscriptions/47e8596d-ee73-4eb2-b6b4-cc13c2b87d6d/resourcegroups/aip-shoebox-testing/providers/microsoft.purview/accounts/test-la-integration +fbb21831-7ba1-44ce-823f-c0d0033446db,"12/3/2021, 9:27:12.435 PM",72f988bf-86f1-41af-91ab-2d7cd011db47,test-la-integration,eastus2euap,AzureBlob-vMq,AzureBlob,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourceGroups/classification-test/providers/Microsoft.Storage/storageAccounts/aipclptest,458b9821-8f00-483f-acf9-ff6ab17332c4,eastus,test-la-integration,e17538ca-447b-4955-9eef-f4aae614fff0,es-ssn.docx,https://aipclptest.blob.core.windows.net/test2/es-ssn.docx,File,"5/13/2021, 6:37:48.000 PM","5/13/2021, 6:37:48.000 PM","12/3/2021, 9:23:24.423 PM",docx,26070,Classification,System,"[""Spain Social Security Number (SSN)""]","[{""UniqueCount"":1,""Confidence"":85,""Count"":2,""Name"":""Spain Social Security Number (SSN)"",""Id"":""5df987c0-8eae-4bce-ace7-b316347f3070""}]",,[],[],,PurviewDataSensitivityLogs,/subscriptions/47e8596d-ee73-4eb2-b6b4-cc13c2b87d6d/resourcegroups/aip-shoebox-testing/providers/microsoft.purview/accounts/test-la-integration +fbb21831-7ba1-44ce-823f-c0d0033446db,"12/3/2021, 9:27:12.435 PM",72f988bf-86f1-41af-91ab-2d7cd011db47,test-la-integration,eastus2euap,AzureBlob-vMq,AzureBlob,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourceGroups/classification-test/providers/Microsoft.Storage/storageAccounts/aipclptest,458b9821-8f00-483f-acf9-ff6ab17332c4,eastus,test-la-integration,e17538ca-447b-4955-9eef-f4aae614fff0,fr-insee.docx,https://aipclptest.blob.core.windows.net/aipscan/HR/fr-insee.docx,File,"2/13/2020, 7:54:12.000 PM","2/13/2020, 7:54:12.000 PM","12/3/2021, 9:23:24.829 PM",docx,21329,Classification,System,"[""France Social Security Number (INSEE)""]","[{""UniqueCount"":1,""Confidence"":85,""Count"":1,""Name"":""France Social Security Number (INSEE)"",""Id"":""71f62b97-efe0-4aa1-aa49-e14de253619d""}]",,[],[],,PurviewDataSensitivityLogs,/subscriptions/47e8596d-ee73-4eb2-b6b4-cc13c2b87d6d/resourcegroups/aip-shoebox-testing/providers/microsoft.purview/accounts/test-la-integration +fbb21831-7ba1-44ce-823f-c0d0033446db,"12/3/2021, 9:27:12.436 PM",72f988bf-86f1-41af-91ab-2d7cd011db47,test-la-integration,eastus2euap,AzureBlob-vMq,AzureBlob,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourceGroups/classification-test/providers/Microsoft.Storage/storageAccounts/aipclptest,458b9821-8f00-483f-acf9-ff6ab17332c4,eastus,test-la-integration,e17538ca-447b-4955-9eef-f4aae614fff0,es-ssn.docx,https://aipclptest.blob.core.windows.net/test2/es-ssn.docx,File,"5/13/2021, 6:37:48.000 PM","5/13/2021, 6:37:48.000 PM","12/3/2021, 9:23:24.423 PM",docx,26070,Labeling,,[],,Default,"[""Microsoft Extended""]","[{""Order"":3,""Name"":""Microsoft Extended"",""Id"":""9fbde396-1a24-4c79-8edf-9254a0f35055""}]",,PurviewDataSensitivityLogs,/subscriptions/47e8596d-ee73-4eb2-b6b4-cc13c2b87d6d/resourcegroups/aip-shoebox-testing/providers/microsoft.purview/accounts/test-la-integration +fbb21831-7ba1-44ce-823f-c0d0033446db,"12/3/2021, 9:27:12.436 PM",72f988bf-86f1-41af-91ab-2d7cd011db47,test-la-integration,eastus2euap,AzureBlob-vMq,AzureBlob,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourceGroups/classification-test/providers/Microsoft.Storage/storageAccounts/aipclptest,458b9821-8f00-483f-acf9-ff6ab17332c4,eastus,test-la-integration,e17538ca-447b-4955-9eef-f4aae614fff0,fr-insee.docx,https://aipclptest.blob.core.windows.net/aipscan/HR/fr-insee.docx,File,"2/13/2020, 7:54:12.000 PM","2/13/2020, 7:54:12.000 PM","12/3/2021, 9:23:24.829 PM",docx,21329,Labeling,,[],,External,"[""General""]","[{""Order"":2,""Name"":""General"",""Id"":""f42aa342-8706-4288-bd11-ebb85995028c""}]",,PurviewDataSensitivityLogs,/subscriptions/47e8596d-ee73-4eb2-b6b4-cc13c2b87d6d/resourcegroups/aip-shoebox-testing/providers/microsoft.purview/accounts/test-la-integration +fbb21831-7ba1-44ce-823f-c0d0033446db,"12/3/2021, 9:27:12.436 PM",72f988bf-86f1-41af-91ab-2d7cd011db47,test-la-integration,eastus2euap,AzureBlob-vMq,AzureBlob,/subscriptions/458b9821-8f00-483f-acf9-ff6ab17332c4/resourceGroups/classification-test/providers/Microsoft.Storage/storageAccounts/aipclptest,458b9821-8f00-483f-acf9-ff6ab17332c4,eastus,test-la-integration,e17538ca-447b-4955-9eef-f4aae614fff0,fi-pn.docx,https://aipclptest.blob.core.windows.net/aipscan/HR/fi-pn.docx,File,"2/13/2020, 7:54:12.000 PM","2/13/2020, 7:54:12.000 PM","12/3/2021, 9:23:24.845 PM",docx,19582,Classification,System,"[""Japan Passport Number""]","[{""UniqueCount"":3,""Confidence"":75,""Count"":3,""Name"":""Japan Passport Number"",""Id"":""75177310-1a09-4613-bf6d-833aae3743f8""}]",,[],[],,PurviewDataSensitivityLogs,/subscriptions/47e8596d-ee73-4eb2-b6b4-cc13c2b87d6d/resourcegroups/aip-shoebox-testing/providers/microsoft.purview/accounts/test-la-integration diff --git a/Sample Data/Custom/DSTIMAccess_CL.json b/Sample Data/Custom/DSTIMAccess_CL.json new file mode 100644 index 0000000000..a76c510ee6 --- /dev/null +++ b/Sample Data/Custom/DSTIMAccess_CL.json @@ -0,0 +1,62 @@ +[ + { + "TenantId": "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx", + "SourceSystem": "RestAPI", + "MG": "", + "ManagementGroupName": "", + "TimeGenerated": "2021-11-18T21:58:38.0289591Z", + "Computer": "", + "RawData": "", + "TimeDiscovered": "2021-06-18T21:58:38.0289591Z", + "Location": "eastus", + "OperationName": "GetBlob", + "StatusCode": "200", + "Uri": "https://aipclptest.blob.core.windows.net/test2/es-ssn (1).docx", + "CallerIPAddress": "10.1.0.38", + "UserAgentHeader": "Azure-Storage/9.3.0 (.NET CLR 4.0.30319.42000; Win32NT 6.2.9200.0)", + "ResourceSubscriptionId": "bbbabe37-eda3-48ea-98ed-f0a70c31a45b", + "ResourceGroup": "BreachManagement-dev", + "StorageAccountName": "breachmanagement-dev", + "ResponseBodySize": "26070", + "RequesterUpn": "sanitized@sanitized.com", + "RequesterAppId": "7d466dae-af28-449e-a12a-c7ae13a25ca8", + "AuthenticationType": "Application", + "AggregationLastEventTime": "2021-06-18T21:58:38.0289591Z", + "AggregationCount": "1", + "Category": "StorageRead", + "CorrelationId": "437701000000000000", + "RequesterAppId": "", + "Type": "DSTIMAccess_CL", + "_ResourceId": "" + }, + { + "TenantId": "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx", + "SourceSystem": "RestAPI", + "MG": "", + "ManagementGroupName": "", + "TimeGenerated": "2021-11-18T21:58:38.0289591Z", + "Computer": "", + "RawData": "", + "TimeDiscovered": "2021-06-18T21:58:38.0289591Z", + "Location": "eastus", + "OperationName": "GetBlob", + "StatusCode": "200", + "Uri": "https://aipclptest.blob.core.windows.net/test2/es-ssn (2).docx", + "CallerIPAddress": "10.1.0.38", + "UserAgentHeader": "Azure-Storage/9.3.0 (.NET CLR 4.0.30319.42000; Win32NT 6.2.9200.0)", + "ResourceSubscriptionId": "bbbabe37-eda3-48ea-98ed-f0a70c31a45b", + "ResourceGroup": "BreachManagement-dev", + "StorageAccountName": "breachmanagement-dev", + "ResponseBodySize": "26070", + "RequesterUpn": "sanitized@sanitized.com", + "RequesterAppId": "7d466dae-af28-449e-a12a-c7ae13a25ca8", + "AuthenticationType": "Application", + "AggregationLastEventTime": "2021-06-18T21:58:38.0289591Z", + "AggregationCount": "1", + "Category": "StorageRead", + "CorrelationId": "3167380000000000000", + "RequesterAppId": "", + "Type": "DSTIMAccess_CL", + "_ResourceId": "" + } +] diff --git a/Sample Data/Custom/DSTIMClassification_CL.json b/Sample Data/Custom/DSTIMClassification_CL.json new file mode 100644 index 0000000000..873ac90945 --- /dev/null +++ b/Sample Data/Custom/DSTIMClassification_CL.json @@ -0,0 +1,30 @@ +[ + { + "TenantId": "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx", + "SourceSystem": "RestAPI", + "MG": "", + "ManagementGroupName": "", + "TimeGenerated": "2021-11-18T21:58:38.0289591Z", + "Computer": "", + "RawData": "", + "Classification": "[{\"Id\":\"54115c6e-5a50-468a-88cb-fc537eb48e69\",\"Name\":\"Credit Card Number\",\"Count\":\"4\",\"Confidence\":\"85\",\"UniqueCount\":\"4\"}, {\"Id\": \"0e9b3178-9678-47dd-a509-37222ca96b42\",\"Name\":\"EU Debit Card Number\",\"Count\":\"5\",\"Confidence\":\"85\",\"UniqueCount\":\"5\"}]", + "CorrelationId": "437701000000000000", + "AssetType": "file", + "Type": "DSTIMClassification_CL", + "_ResourceId": "" + }, + { + "TenantId": "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx", + "SourceSystem": "RestAPI", + "MG": "", + "ManagementGroupName": "", + "TimeGenerated": "2021-11-18T21:58:38.0289591Z", + "Computer": "", + "RawData": "", + "Classification": "[{\"Id\":\"5df987c0-8eae-4bce-ace7-b316347f3070\",\"Name\":\"Spain Social Security Number(SSN)\",\"Count\":\"4\",\"Confidence\":\"85\",\"UniqueCount\":\"4\"}]", + "CorrelationId": "3167380000000000000", + "AssetType": "file", + "Type": "DSTIMClassification_CL", + "_ResourceId": "" + } +] \ No newline at end of file diff --git a/Sample Data/Custom/DSTIMSensitivity_CL.json b/Sample Data/Custom/DSTIMSensitivity_CL.json new file mode 100644 index 0000000000..ff8024fefd --- /dev/null +++ b/Sample Data/Custom/DSTIMSensitivity_CL.json @@ -0,0 +1,28 @@ +[ + { + "TenantId": "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx", + "SourceSystem": "RestAPI", + "MG": "", + "ManagementGroupName": "", + "TimeGenerated": "2021-11-18T21:58:38.0289591Z", + "Computer": "", + "RawData": "", + "SensitivityLabelName_s": "Confidential", + "CorrelationId": "437701000000000000", + "Type": "DSTIMSensitivity_CL", + "_ResourceId": "" + }, + { + "TenantId": "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx", + "SourceSystem": "RestAPI", + "MG": "", + "ManagementGroupName": "", + "TimeGenerated": "2021-11-18T21:58:38.0289591Z", + "Computer": "", + "RawData": "", + "SensitivityLabelName_s": "Confidential", + "CorrelationId": "3167380000000000000", + "Type": "DSTIMSensitivity_CL", + "_ResourceId": "" + } +] \ No newline at end of file diff --git a/Sample Data/Feeds/Log4j_IOC_List.csv b/Sample Data/Feeds/Log4j_IOC_List.csv index 0294da436f..d7b4fd9787 100644 --- a/Sample Data/Feeds/Log4j_IOC_List.csv +++ b/Sample Data/Feeds/Log4j_IOC_List.csv @@ -1,22 +1,66 @@ IPAddress 1.116.59.211 +1.15.84.219 1.179.247.182 101.204.24.28 +101.33.228.224 101.35.154.34 +103.103.0.129 103.103.0.141 103.103.0.142 103.232.136.60 104.161.20.173 +104.233.163.172 +104.244.72.115 +104.244.72.132 +104.244.72.7 +104.244.73.85 +104.244.77.101 +104.244.77.235 +104.244.77.80 +104.248.130.92 104.248.144.120 +106.54.222.51 +107.107.58.199 107.151.148.53 +107.170.69.93 +107.181.180.166 +107.189.1.160 +107.189.1.175 +107.189.13.254 +107.189.14.182 +107.189.14.27 +107.189.14.76 +107.189.28.84 +107.189.30.23 +107.189.31.195 +107.189.31.87 +107.189.5.206 +107.189.6.166 +107.189.8.65 +107.77.106.17 +107.77.224.231 +107.77.224.94 +107.77.226.5 +107.77.226.83 +107.77.70.58 +107.77.76.84 +108.61.210.108 +109.201.133.100 109.205.176.248 109.237.96.124 +109.70.100.19 +109.70.100.23 +109.70.100.26 +109.70.100.28 +109.70.100.31 109.73.65.32 110.42.200.96 111.28.189.51 111.59.85.209 112.74.185.158 112.74.34.48 +112.74.52.90 113.141.64.14 113.219.171.101 113.98.224.68 @@ -28,69 +72,169 @@ IPAddress 115.151.229.16 115.151.229.27 117.192.11.154 +118.121.27.103 +118.190.216.163 118.27.36.56 119.28.91.153 120.195.30.152 120.211.140.116 120.24.23.84 +120.53.243.154 121.4.56.143 +121.5.219.20 +121.5.226.36 123.113.254.22 +123.30.212.84 +123.60.215.208 124.224.87.11 124.224.87.29 +128.199.15.215 +128.199.222.221 +128.199.24.9 +128.199.60.26 +13.234.30.19 131.100.148.7 133.18.201.195 134.122.33.6 134.122.34.12 134.209.24.42 +134.209.82.14 135.125.217.87 -135.125.217.87 +137.184.102.82 +137.184.104.197 +137.184.104.73 +137.184.106.119 +137.184.107.109 137.184.107.41 +137.184.137.242 +137.184.218.211 137.184.60.5 +137.184.67.89 +137.184.96.216 137.184.96.227 +137.184.98.160 +137.184.98.176 +137.184.99.8 +138.197.106.234 +138.197.108.154 138.197.167.229 138.197.175.206 +138.197.193.220 138.197.197.97 138.197.202.163 +138.197.216.230 138.197.221.77 +138.197.72.76 +138.197.9.239 138.68.13.60 +138.68.155.222 +138.68.167.19 138.68.22.2 138.68.231.58 138.68.241.212 138.68.246.18 138.68.249.132 +138.68.250.214 138.68.4.129 138.68.57.60 +139.177.177.82 +139.177.178.127 +139.177.178.140 +139.177.178.141 +139.177.178.164 +139.177.178.165 +139.177.178.19 +139.177.178.8 +139.177.180.102 +139.177.180.91 139.224.104.121 +139.59.101.242 +139.59.103.254 +139.59.108.31 139.59.108.5 +139.59.118.136 139.59.138.109 +139.59.162.124 +139.59.163.74 +139.59.182.104 +139.59.188.119 +139.59.224.7 139.59.237.99 139.59.247.28 +139.59.4.192 +139.59.70.139 +139.59.8.39 +139.59.96.42 +139.59.97.205 +139.59.99.80 140.246.171.141 +140.83.85.168 +141.95.18.207 +142.93.107.14 142.93.148.12 +142.93.151.166 +142.93.151.76 +142.93.157.150 142.93.18.229 142.93.209.113 +142.93.36.237 143.110.208.87 143.110.216.17 143.110.216.190 143.110.216.221 143.110.216.245 143.110.216.75 +143.110.221.204 +143.110.221.219 +143.198.180.150 +143.198.183.66 +143.198.47.235 143.244.153.32 +143.244.184.81 +144.217.86.109 146.56.131.161 146.56.148.181 146.70.75.93 147.135.6.221 +147.139.80.217 +147.182.150.124 +147.182.150.37 +147.182.154.100 +147.182.154.110 +147.182.154.113 +147.182.169.254 +147.182.179.141 +147.182.187.229 147.182.191.32 +147.182.213.12 +147.182.216.21 +147.182.242.144 +147.182.242.241 150.158.189.96 +150.158.91.179 +150.158.95.54 +151.80.148.159 152.67.63.150 -152.67.63.150 -152.67.63.150 -152.67.63.150 +152.69.196.1 154.65.28.250 155.94.154.170 -155.94.154.170 +156.146.60.79 +156.146.60.8 +157.230.32.67 +157.245.102.218 +157.245.108.125 +157.245.111.218 +157.245.129.50 +157.90.35.190 +158.101.118.198 +159.146.42.186 +159.203.187.141 159.203.29.42 +159.203.58.73 +159.223.22.123 +159.223.81.193 159.223.88.139 +159.223.9.17 159.65.102.23 159.65.106.11 159.65.106.130 @@ -98,40 +242,130 @@ IPAddress 159.65.110.107 159.65.110.144 159.65.110.157 +159.65.146.60 +159.65.150.167 +159.65.155.208 +159.65.189.107 +159.65.194.103 159.65.222.206 +159.65.43.94 159.65.48.154 +159.65.51.145 +159.65.58.66 +159.65.59.77 159.65.79.52 159.65.97.137 159.65.97.81 159.65.98.251 +159.89.107.117 +159.89.115.238 +159.89.122.19 +159.89.146.147 +159.89.154.102 +159.89.154.185 +159.89.154.64 159.89.158.150 159.89.159.168 159.89.4.39 +159.89.94.219 +161.35.119.60 +161.35.155.230 +161.35.156.13 +161.97.138.227 +162.155.56.106 +162.247.74.201 +162.247.74.74 +162.255.202.246 +163.172.54.124 164.52.53.163 +164.90.199.211 +164.90.199.216 +164.90.199.218 +164.90.199.221 +164.90.199.238 +164.90.211.0 +164.90.211.176 +164.90.211.90 +164.90.221.16 +164.90.221.7 +164.92.249.134 +164.92.254.149 +164.92.254.33 +165.22.100.216 +165.22.200.18 +165.22.213.246 165.22.231.66 165.22.232.67 165.22.237.1 165.227.0.252 -165.227.239.108 +165.227.209.202 165.227.32.109 +165.227.37.189 165.227.4.86 165.227.46.96 165.227.49.32 165.227.6.93 +165.232.80.166 +165.232.80.22 +165.232.84.226 166.172.60.107 +166.172.63.179 +167.172.151.211 +167.172.179.113 +167.172.44.255 +167.172.71.96 +167.172.94.250 +167.71.1.144 +167.71.13.196 167.71.175.10 +167.71.238.9 +167.71.4.81 +167.71.67.189 +167.99.162.76 +167.99.164.201 +167.99.172.111 +167.99.186.227 +167.99.204.151 +167.99.216.68 +167.99.221.217 +167.99.221.249 +167.99.36.245 +167.99.44.32 +167.99.88.151 168.149.106.110 170.210.45.163 171.221.235.43 +171.25.193.20 +171.25.193.25 +171.25.193.77 +171.25.193.78 +172.104.143.131 +172.104.230.234 +172.104.230.25 +172.104.232.81 +172.105.249.93 +172.105.68.32 +172.105.88.234 172.107.194.164 172.107.194.165 +175.24.179.175 175.6.210.66 +176.10.104.240 +176.10.99.200 177.185.117.129 177.52.40.22 -177.52.40.22 +178.128.226.212 +178.128.229.113 +178.128.232.114 178.128.38.105 +178.17.170.23 +178.17.174.14 178.176.202.121 178.176.203.190 +178.62.23.146 +178.62.32.211 +178.62.61.47 +18.27.197.252 180.149.231.196 182.99.234.10 182.99.234.208 @@ -143,100 +377,437 @@ IPAddress 182.99.246.199 182.99.247.181 182.99.247.75 +185.100.87.129 +185.100.87.139 +185.100.87.41 +185.100.87.72 +185.107.47.171 +185.107.47.215 +185.107.70.56 +185.117.118.15 +185.129.61.6 +185.18.52.155 +185.184.152.140 +185.191.127.212 +185.191.127.215 +185.191.127.231 185.213.155.168 +185.220.100.240 +185.220.100.241 +185.220.100.242 +185.220.100.243 +185.220.100.244 +185.220.100.245 +185.220.100.248 +185.220.100.249 +185.220.100.251 +185.220.100.252 +185.220.100.253 +185.220.100.254 +185.220.100.255 +185.220.101.131 +185.220.101.132 +185.220.101.134 +185.220.101.135 +185.220.101.137 +185.220.101.138 +185.220.101.142 +185.220.101.143 +185.220.101.144 +185.220.101.146 +185.220.101.148 +185.220.101.150 +185.220.101.151 +185.220.101.152 +185.220.101.153 +185.220.101.154 +185.220.101.156 +185.220.101.158 +185.220.101.16 +185.220.101.160 +185.220.101.162 +185.220.101.165 +185.220.101.166 +185.220.101.167 +185.220.101.168 +185.220.101.171 +185.220.101.172 +185.220.101.173 +185.220.101.174 +185.220.101.175 +185.220.101.180 +185.220.101.181 +185.220.101.182 +185.220.101.183 +185.220.101.184 +185.220.101.185 +185.220.101.186 +185.220.101.187 +185.220.101.188 +185.220.101.190 +185.220.101.191 +185.220.101.25 +185.220.101.32 +185.220.101.34 +185.220.101.35 +185.220.101.36 +185.220.101.37 +185.220.101.40 +185.220.101.42 +185.220.101.44 +185.220.101.45 +185.220.101.46 +185.220.101.47 +185.220.101.50 +185.220.101.53 +185.220.101.55 +185.220.101.57 +185.220.101.58 +185.220.101.62 +185.220.101.63 +185.220.101.7 +185.220.102.242 +185.220.102.243 +185.220.102.248 +185.220.102.250 +185.220.102.251 +185.220.102.252 +185.220.102.254 +185.220.102.6 +185.220.103.116 +185.220.103.4 +185.220.103.5 +185.225.28.119 +185.225.28.124 +185.225.28.141 +185.233.100.23 +185.38.175.130 +185.38.175.132 +185.51.76.187 +185.56.80.65 185.56.83.81 +185.83.214.69 +188.166.102.47 +188.166.105.150 188.166.170.135 -192.241.197.105 +188.166.225.104 +188.166.45.93 +188.166.48.55 +188.166.86.206 +188.235.114.54 +188.68.62.150 +189.188.33.125 +190.2.138.14 +192.160.102.170 +192.241.194.251 +192.241.195.138 +192.241.196.175 +192.241.197.43 +192.241.215.149 +192.241.215.194 +192.241.215.196 +192.241.215.209 +192.241.215.216 +192.241.215.222 +192.241.215.223 +192.241.215.227 +192.241.215.230 +192.241.215.233 +192.241.215.236 +192.241.215.237 +192.241.215.240 +192.241.215.244 +192.241.215.252 +192.241.216.102 +192.241.216.106 +192.241.216.109 +192.241.216.126 +192.241.216.128 +192.241.216.129 +192.241.216.13 +192.241.216.130 +192.241.216.14 +192.241.216.31 +192.241.216.38 +192.241.216.5 +192.241.216.53 +192.241.216.62 +192.241.216.72 +192.241.216.81 +192.241.216.93 +192.40.57.234 +192.42.116.26 +192.46.237.113 +192.46.237.59 +192.46.237.70 +192.46.237.71 192.81.219.134 +193.110.95.34 +193.189.100.195 +193.218.118.183 +193.218.118.231 +193.31.24.154 +193.46.198.147 194.163.148.53 194.163.44.188 194.163.45.31 +194.195.241.242 +194.195.244.206 +194.195.244.207 +194.195.244.218 +194.195.244.222 +194.195.244.27 +194.195.244.74 +194.195.244.78 +194.195.244.79 +194.195.244.81 +194.195.246.87 +194.195.246.93 +194.195.246.96 +194.195.246.98 +194.233.160.165 +194.233.164.102 +194.233.164.103 +194.233.164.117 +194.233.164.125 +194.233.164.129 +194.233.164.81 +194.233.164.97 +194.40.243.149 194.48.199.78 195.154.119.181 +195.176.3.23 +195.195.206.68 +195.206.105.47 195.251.41.139 -195.54.160.149 196.196.150.38 197.246.171.41 197.246.171.83 -198.199.118.67 +197.246.175.186 +197.246.175.231 +198.144.121.43 +198.199.104.56 +198.199.106.98 +198.199.110.89 +198.199.119.230 198.211.103.63 198.58.104.209 +198.98.56.248 +198.98.57.191 +198.98.61.102 +199.195.250.77 +199.249.230.110 +199.249.230.163 +199.249.230.167 +2.58.46.178 200.60.27.131 +202.141.176.9 202.47.39.97 +205.185.113.72 +206.189.115.6 +206.189.20.141 +206.189.233.219 207.180.202.75 +209.141.46.114 +209.141.59.180 209.58.146.134 +209.97.133.112 +209.97.136.164 +209.97.147.103 +209.97.187.34 +210.31.144.181 211.154.194.21 211.218.126.140 +213.142.157.68 +213.202.216.189 217.112.83.246 +217.138.206.83 217.146.83.165 217.146.83.169 217.70.162.253 217.79.189.13 +218.104.71.166 +218.22.21.22 218.29.217.234 218.89.222.71 221.199.187.100 221.226.159.22 221.228.87.37 +223.111.180.119 +23.129.64.131 +23.129.64.133 +23.129.64.135 +23.129.64.136 +23.129.64.139 +23.154.177.2 +23.154.177.4 3.26.198.32 +3.71.74.164 +31.42.186.101 +34.121.5.117 +34.124.226.216 +34.239.142.245 +34.64.152.129 +34.64.236.64 34.65.121.142 +34.75.39.119 +34.80.118.173 +35.166.85.114 +35.232.163.113 +36.111.88.33 +36.138.125.108 +36.138.125.111 +36.138.125.117 +36.138.125.119 +36.138.125.72 +36.138.125.82 36.155.14.163 +36.227.164.189 +36.67.163.82 +37.123.163.58 +37.187.196.70 39.102.236.51 41.203.140.114 +42.192.11.192 42.192.69.45 43.230.65.80 43.254.54.195 +45.12.134.108 45.123.15.153 +45.128.36.154 +45.129.56.200 45.137.21.9 +45.138.102.211 45.146.164.160 -45.155.205.233 +45.146.165.168 +45.153.160.129 +45.153.160.132 +45.153.160.133 +45.153.160.139 +45.154.255.147 +45.159.58.241 +45.56.80.11 45.61.146.242 +45.61.185.114 +45.61.185.168 +45.61.185.90 +45.61.186.113 45.64.75.134 +45.79.178.110 45.80.149.175 45.80.151.69 +46.1.28.147 46.101.26.182 +46.101.35.138 46.101.52.226 +46.101.76.121 46.105.95.220 +46.166.139.111 +46.232.249.138 47.102.199.233 47.102.205.237 +47.104.88.52 +47.241.208.155 47.243.226.247 +47.252.38.12 +49.234.30.148 +49.234.8.144 49.37.144.105 49.7.224.217 5.157.38.50 +5.182.210.216 +5.183.209.217 5.188.62.245 5.188.62.250 +5.188.62.253 +5.2.69.50 +5.2.72.73 +5.2.76.221 +51.15.43.205 +51.15.80.14 +51.161.43.237 +51.178.86.137 +51.195.103.74 +51.195.42.226 +51.77.52.216 51.81.147.9 +52.23.146.157 54.211.219.103 60.31.180.149 61.175.202.154 61.19.24.122 61.19.25.207 +62.102.148.68 +62.102.148.69 62.112.11.79 62.112.11.81 62.210.130.250 -62.210.130.250 62.76.41.46 +64.113.32.29 64.227.178.55 64.227.188.164 64.227.188.168 64.227.188.216 64.227.188.251 +64.227.67.110 64.227.8.178 +66.220.242.222 +67.205.170.85 +67.207.93.79 +68.183.192.239 +68.183.198.247 +68.183.198.36 68.183.199.248 +68.183.2.123 68.183.203.184 +68.183.207.73 +68.183.33.144 +68.183.35.171 +68.183.36.244 +68.183.37.10 +68.183.44.143 +68.183.44.164 68.183.45.190 68.79.17.59 +71.19.144.106 +76.217.50.225 +77.37.134.80 77.40.42.110 +77.81.139.66 +78.170.143.11 78.186.0.172 +78.186.252.44 79.172.212.132 +79.175.64.171 +8.36.139.135 80.71.158.12 +80.82.117.52 +81.17.18.59 +81.17.18.60 +81.17.18.62 81.30.157.43 +81.6.43.167 82.118.18.201 -82.118.18.201 +82.146.55.139 +82.157.161.212 +85.93.218.204 86.109.208.194 +86.57.246.76 +89.163.143.8 89.163.144.156 +89.163.243.88 +89.163.249.192 +89.22.180.140 89.249.63.3 +91.203.145.116 +91.250.242.12 92.242.40.21 -92.242.40.21 -92.242.40.21 -92.242.40.21 -93.189.42.8 \ No newline at end of file +92.63.197.53 +93.189.42.8 +94.140.115.76 +94.142.241.194 +94.189.196.120 +94.46.179.80 +95.12.114.134 +95.12.114.60 +95.217.37.227 \ No newline at end of file diff --git a/Solutions/Apache Log4j Vulnerability Detection/Data/Solution_Log4j.json b/Solutions/Apache Log4j Vulnerability Detection/Data/Solution_Log4j.json new file mode 100644 index 0000000000..ba0fba73f4 --- /dev/null +++ b/Solutions/Apache Log4j Vulnerability Detection/Data/Solution_Log4j.json @@ -0,0 +1,24 @@ +{ + "Name": "Apache Log4j Vulnerability Detection", + "Author": "Eli Forbes - v-eliforbes@microsoft.com", + "Logo": "", + "Description": "Microsoft's security research teams have been tracking threats taking advantage of [CVE-2021-44228](https://cve.mitre.org/cgi-bin/cvename.cgi?name=2021-44228), a remote code execution (RCE) vulnerability in [Apache Log4j 2](https://logging.apache.org/log4j/2.x/) referred to as “Log4Shell”. The vulnerability allows unauthenticated remote code execution, and it is triggered when a specially crafted string provided by the attacker through a variety of different input vectors is parsed and processed by the Log4j 2 vulnerable component. For more technical and mitigation information about the vulnerability, please read the [Microsoft Security Response Center blog](https://msrc-blog.microsoft.com/2021/12/11/microsofts-response-to-cve-2021-44228-apache-log4j2/). This solution provides content to monitor, detect and investigate signals related to exploitation of this vulnerability in Microsoft Sentinel.", + "Analytic Rules": [ + "Detections/SecurityNestedRecommendation/Log4jVulnerableMachines.yaml", + "Detections/AzureDiagnostics/AzureWAFmatching_log4j_vuln.yaml", + "Detections/MultipleDataSources/Log4J_IPIOC_Dec112021.yaml", + "Detections/MultipleDataSources/UserAgentSearch_log4j.yaml" + ], + "Hunting Queries": [ + "Hunting Queries/AzureDiagnostics/WAF_log4j_vulnerability.yaml", + "Hunting Queries/MultipleDataSources/NetworkConnectionldap_log4j.yaml", + "Hunting Queries/Syslog/Firewall_Disable_Activity.yaml", + "Hunting Queries/Syslog/Apache_log4j_Vulnerability.yaml", + "Hunting Queries/Syslog/Process_Termination_Activity.yaml", + "Hunting Queries/Syslog/Suspicious_ShellScript_Activity.yaml", + "Hunting Queries/Syslog/Base64_Download_Activity.yaml" + ], + "BasePath": "https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/", + "Metadata": "Solutions/Apache Log4j Vulnerability Detection/SolutionMetadata.json", + "Version": "1.0.0" +} diff --git a/Solutions/Apache Log4j Vulnerability Detection/Package/1.0.0.zip b/Solutions/Apache Log4j Vulnerability Detection/Package/1.0.0.zip new file mode 100644 index 0000000000..01df7945b4 Binary files /dev/null and b/Solutions/Apache Log4j Vulnerability Detection/Package/1.0.0.zip differ diff --git a/Solutions/Apache Log4j Vulnerability Detection/Package/createUiDefinition.json b/Solutions/Apache Log4j Vulnerability Detection/Package/createUiDefinition.json new file mode 100644 index 0000000000..b8d97e3b87 --- /dev/null +++ b/Solutions/Apache Log4j Vulnerability Detection/Package/createUiDefinition.json @@ -0,0 +1,255 @@ +{ + "$schema": "https://schema.management.azure.com/schemas/0.1.2-preview/CreateUIDefinition.MultiVm.json#", + "handler": "Microsoft.Azure.CreateUIDef", + "version": "0.1.2-preview", + "parameters": { + "config": { + "isWizard": false, + "basics": { + "description": "\n\n**Important:** _This Microsoft Sentinel Solution is currently in public preview. This feature is provided without a service level agreement, and it's not recommended for production workloads. Certain features might not be supported or might have constrained capabilities. For more information, see [Supplemental Terms of Use for Microsoft Azure Previews](https://azure.microsoft.com/support/legal/preview-supplemental-terms/)._\n\n**Note:** _There may be [known issues](https://aka.ms/sentinelsolutionsknownissues) pertaining to this Solution, please refer to them before installing._\n\nMicrosoft's security research teams have been tracking threats taking advantage of [CVE-2021-44228](https://cve.mitre.org/cgi-bin/cvename.cgi?name=2021-44228), a remote code execution (RCE) vulnerability in [Apache Log4j 2](https://logging.apache.org/log4j/2.x/) referred to as “Log4Shell”. The vulnerability allows unauthenticated remote code execution, and it is triggered when a specially crafted string provided by the attacker through a variety of different input vectors is parsed and processed by the Log4j 2 vulnerable component. For more technical and mitigation information about the vulnerability, please read the [Microsoft Security Response Center blog](https://msrc-blog.microsoft.com/2021/12/11/microsofts-response-to-cve-2021-44228-apache-log4j2/). This solution provides content to monitor, detect and investigate signals related to exploitation of this vulnerability in Microsoft Sentinel.\n\nMicrosoft Sentinel Solutions provide a consolidated way to acquire Microsoft Sentinel content like data connectors, workbooks, analytics, and automations in your workspace with a single deployment step.\n\n**Analytic Rules:** 4, **Hunting Queries:** 7\n\n[Learn more about Microsoft Sentinel](https://aka.ms/azuresentinel) | [Learn more about Solutions](https://aka.ms/azuresentinelsolutionsdoc)", + "subscription": { + "resourceProviders": [ + "Microsoft.OperationsManagement/solutions", + "Microsoft.OperationalInsights/workspaces/providers/alertRules", + "Microsoft.Insights/workbooks", + "Microsoft.Logic/workflows" + ] + }, + "location": { + "metadata": { + "hidden": "Hiding location, we get it from the log analytics workspace" + }, + "visible": false + }, + "resourceGroup": { + "allowExisting": true + } + } + }, + "basics": [ + { + "name": "getLAWorkspace", + "type": "Microsoft.Solutions.ArmApiControl", + "toolTip": "This filters by workspaces that exist in the Resource Group selected", + "condition": "[greater(length(resourceGroup().name),0)]", + "request": { + "method": "GET", + "path": "[concat(subscription().id,'/providers/Microsoft.OperationalInsights/workspaces?api-version=2020-08-01')]" + } + }, + { + "name": "workspace", + "type": "Microsoft.Common.DropDown", + "label": "Workspace", + "placeholder": "Select a workspace", + "toolTip": "This dropdown will list only workspace that exists in the Resource Group selected", + "constraints": { + "allowedValues": "[map(filter(basics('getLAWorkspace').value, (filter) => contains(filter.id, toLower(resourceGroup().name))), (item) => parse(concat('{\"label\":\"', item.name, '\",\"value\":\"', item.name, '\"}')))]", + "required": true + }, + "visible": true + } + ], + "steps": [ + { + "name": "analytics", + "label": "Analytics", + "subLabel": { + "preValidation": "Configure the analytics", + "postValidation": "Done" + }, + "bladeTitle": "Analytics", + "elements": [ + { + "name": "analytics-text", + "type": "Microsoft.Common.TextBlock", + "options": { + "text": "This Microsoft Sentinel Solution installs analytic rules for Apache Log4j Vulnerability Detection that you can enable for custom alert generation in Microsoft Sentinel. These analytic rules will be deployed in disabled mode in the analytics rules gallery of your Microsoft Sentinel workspace. Configure and enable these rules in the analytic rules gallery after this Solution deploys.", + "link": { + "label": "Learn more", + "uri": "https://docs.microsoft.com/azure/sentinel/tutorial-detect-threats-custom?WT.mc_id=Portal-Microsoft_Azure_CreateUIDef" + } + } + }, + { + "name": "analytic1", + "type": "Microsoft.Common.Section", + "label": "Vulnerable Machines related to log4j CVE-2021-44228", + "elements": [ + { + "name": "analytic1-text", + "type": "Microsoft.Common.TextBlock", + "options": { + "text": "This query uses the Azure Defender Security Nested Recommendations data to find machines vulnerable to log4j CVE-2021-44228. Log4j is an open-source Apache logging library that is used in \n many Java-based applications. Security Nested Recommendations data is sent to Microsoft Sentinel using the continuous export feature of Azure Defender(refrence link below).\n Reference: https://msrc-blog.microsoft.com/2021/12/11/microsofts-response-to-cve-2021-44228-apache-log4j2/\n Reference: https://docs.microsoft.com/azure/security-center/continuous-export?tabs=azure-portal\n Reference: https://techcommunity.microsoft.com/t5/microsoft-defender-for-cloud/how-defender-for-cloud-displays-machines-affected-by-log4j/ba-p/3037271" + } + } + ] + }, + { + "name": "analytic2", + "type": "Microsoft.Common.Section", + "label": "Azure WAF matching for Log4j vuln(CVE-2021-44228)", + "elements": [ + { + "name": "analytic2-text", + "type": "Microsoft.Common.TextBlock", + "options": { + "text": "This query will alert on a positive pattern match by Azure WAF for CVE-2021-44228 log4j vulnerability exploitation attempt. If possible, it then decodes the malicious command for further analysis.\n Refrence: https://www.microsoft.com/security/blog/2021/12/11/guidance-for-preventing-detecting-and-hunting-for-cve-2021-44228-log4j-2-exploitation/" + } + } + ] + }, + { + "name": "analytic3", + "type": "Microsoft.Common.Section", + "label": "Log4j vulnerability exploit aka Log4Shell IP IOC", + "elements": [ + { + "name": "analytic3-text", + "type": "Microsoft.Common.TextBlock", + "options": { + "text": "Identifies a match across various data feeds for IP IOCs related to the Log4j vulnerability exploit aka Log4Shell described in CVE-2021-44228. \n References: https://cve.mitre.org/cgi-bin/cvename.cgi?name=2021-44228" + } + } + ] + }, + { + "name": "analytic4", + "type": "Microsoft.Common.Section", + "label": "User agent search for log4j exploitation attempt", + "elements": [ + { + "name": "analytic4-text", + "type": "Microsoft.Common.TextBlock", + "options": { + "text": "This query uses various log sources having user agent data to look for log4j CVE-2021-44228 exploitation attempt based on user agent pattern. Log4j is an open-source Apache logging library that is used in \n many Java-based applications. The regex and the string matching look for the most common attacks. This might not be comprehensive to detect every possible user agent variation.\n Reference: https://msrc-blog.microsoft.com/2021/12/11/microsofts-response-to-cve-2021-44228-apache-log4j2/" + } + } + ] + } + ] + }, + { + "name": "huntingqueries", + "label": "Hunting Queries", + "bladeTitle": "Hunting Queries", + "elements": [ + { + "name": "huntingqueries-text", + "type": "Microsoft.Common.TextBlock", + "options": { + "text": "This Microsoft Sentinel Solution installs hunting queries for Apache Log4j Vulnerability Detection that you can run in Microsoft Sentinel. These hunting queries will be deployed in the Hunting gallery of your Microsoft Sentinel workspace. Run these hunting queries to hunt for threats in the Hunting gallery after this Solution deploys.", + "link": { + "label": "Learn more", + "uri": "https://docs.microsoft.com/azure/sentinel/hunting" + } + } + }, + { + "name": "huntingquery1", + "type": "Microsoft.Common.Section", + "label": "Azure WAF Log4j CVE-2021-44228 hunting", + "elements": [ + { + "name": "huntingquery1-text", + "type": "Microsoft.Common.TextBlock", + "options": { + "text": "This hunting query looks in Azure Web Application Firewall data to find possible exploitation attempts for CVE-2021-44228 involving log4j vulnerability.\n Refrence: https://www.microsoft.com/security/blog/2021/12/11/guidance-for-preventing-detecting-and-hunting-for-cve-2021-44228-log4j-2-exploitation/ It depends on the WAF data connector and AzureDiagnostics data type and WAF parser." + } + } + ] + }, + { + "name": "huntingquery2", + "type": "Microsoft.Common.Section", + "label": "Malicious Connection to LDAP port for CVE-2021-44228 vulnerability", + "elements": [ + { + "name": "huntingquery2-text", + "type": "Microsoft.Common.TextBlock", + "options": { + "text": "This hunting query looks for connection to LDAP port to find possible exploitation attempts for CVE-2021-44228 involving log4j vulnerability. \n Log4j is an open-source Apache logging library that is used in many Java-based applications. Awarness of normal baseline traffic of an enviornment for java.exe\n while using this query will help detrmine normal from anaomalous.\n Refrence: https://www.microsoft.com/security/blog/2021/12/11/guidance-for-preventing-detecting-and-hunting-for-cve-2021-44228-log4j-2-exploitation/ It depends on the MicrosoftThreatProtection AzureMonitor(VMInsights) data connector and DeviceNetworkEvents VMConnection data type and MicrosoftThreatProtection AzureMonitor(VMInsights) parser." + } + } + ] + }, + { + "name": "huntingquery3", + "type": "Microsoft.Common.Section", + "label": "Suspicious manipulation of firewall detected via Syslog data", + "elements": [ + { + "name": "huntingquery3-text", + "type": "Microsoft.Common.TextBlock", + "options": { + "text": "This query uses syslog data to alert on any suspicious manipulation of firewall to evade defenses.\nAttackers often perform such operation as seen recently to exploit the remote code execution vulnerability in Log4j component of Apache for C2 communications or exfiltration.\nFor more details on Apache Log4j Remote Code Execution Vulnerability - https://community.riskiq.com/article/505098fc/description\nFind more details on collecting EXECVE data into Microsoft Sentinel - https://techcommunity.microsoft.com/t5/azure-sentinel/hunting-threats-on-linux-with-azure-sentinel/ba-p/1344431 It depends on the Syslog data connector and Syslog data type and Syslog parser." + } + } + ] + }, + { + "name": "huntingquery4", + "type": "Microsoft.Common.Section", + "label": "Possible exploitation of Apache log4j component detected", + "elements": [ + { + "name": "huntingquery4-text", + "type": "Microsoft.Common.TextBlock", + "options": { + "text": "This hunting query looks for possible attempts to exploit a remote code execution vulnerability in the Log4j component of Apache. \nAttackers may attempt to launch arbitrary code by passing specific commands to a server, which are then logged and executed by the Log4j component.\nFor more details on Apache Log4j Remote Code Execution Vulnerability - https://community.riskiq.com/article/505098fc/description\nFind more details on collecting EXECVE data into Microsoft Sentinel - https://techcommunity.microsoft.com/t5/azure-sentinel/hunting-threats-on-linux-with-azure-sentinel/ba-p/1344431 It depends on the Syslog data connector and Syslog data type and Syslog parser." + } + } + ] + }, + { + "name": "huntingquery5", + "type": "Microsoft.Common.Section", + "label": "Linux security related process termination activity detected", + "elements": [ + { + "name": "huntingquery5-text", + "type": "Microsoft.Common.TextBlock", + "options": { + "text": "This query will alert on any attempts to terminate processes related to security monitoring on the host. \nAttackers will often try to terminate such processes post-compromise as seen recently to exploit the remote code execution vulnerability in Log4j component of Apache.\nFor more details on Apache Log4j Remote Code Execution Vulnerability - https://community.riskiq.com/article/505098fc/description\nFind more details on collecting EXECVE data into Microsoft Sentinel - https://techcommunity.microsoft.com/t5/azure-sentinel/hunting-threats-on-linux-with-azure-sentinel/ba-p/1344431 It depends on the Syslog data connector and Syslog data type and Syslog parser." + } + } + ] + }, + { + "name": "huntingquery6", + "type": "Microsoft.Common.Section", + "label": "Suspicious Shell script detected", + "elements": [ + { + "name": "huntingquery6-text", + "type": "Microsoft.Common.TextBlock", + "options": { + "text": "This hunting query will help detect post compromise suspicious shell scripts that attackers use for downloading and executing malicious files.\nThis technique is often used by attackers and was recently used to exploit a remote code execution vulnerability in the Log4j component of Apache in order to evade detection and stay persistent or for more exploitation in the network.\nFor more details on Apache Log4j Remote Code Execution Vulnerability - https://community.riskiq.com/article/505098fc/description\nFind more details on collecting EXECVE data into Microsoft Sentinel - https://techcommunity.microsoft.com/t5/azure-sentinel/hunting-threats-on-linux-with-azure-sentinel/ba-p/1344431 It depends on the Syslog data connector and Syslog data type and Syslog parser." + } + } + ] + }, + { + "name": "huntingquery7", + "type": "Microsoft.Common.Section", + "label": "Suspicious Base64 download activity detected", + "elements": [ + { + "name": "huntingquery7-text", + "type": "Microsoft.Common.TextBlock", + "options": { + "text": "This hunting query will help detect suspicious encoded Base64 obfuscated scripts that attackers use to encode payloads for downloading and executing malicious files.\nThis technique is often used by attackers and was recently used to exploit a remote code execution vulnerability in the Log4j component of Apache in order to evade detection and stay persistent in the network.\nFor more details on Apache Log4j Remote Code Execution Vulnerability - https://community.riskiq.com/article/505098fc/description\nFind more details on collecting EXECVE data into Microsoft Sentinel - https://techcommunity.microsoft.com/t5/azure-sentinel/hunting-threats-on-linux-with-azure-sentinel/ba-p/1344431 It depends on the Syslog data connector and Syslog data type and Syslog parser." + } + } + ] + } + ] + } + ], + "outputs": { + "workspace-location": "[first(map(filter(basics('getLAWorkspace').value, (filter) => and(contains(filter.id, toLower(resourceGroup().name)),equals(filter.name,basics('workspace')))), (item) => item.location))]", + "location": "[location()]", + "workspace": "[basics('workspace')]" + } + } +} diff --git a/Solutions/Apache Log4j Vulnerability Detection/Package/mainTemplate.json b/Solutions/Apache Log4j Vulnerability Detection/Package/mainTemplate.json new file mode 100644 index 0000000000..8125dc1ae5 --- /dev/null +++ b/Solutions/Apache Log4j Vulnerability Detection/Package/mainTemplate.json @@ -0,0 +1,542 @@ +{ + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "metadata": { + "author": "Eli Forbes - v-eliforbes@microsoft.com", + "comments": "Solution template for Apache Log4j Vulnerability Detection" + }, + "parameters": { + "location": { + "type": "string", + "minLength": 1, + "defaultValue": "[resourceGroup().location]", + "metadata": { + "description": "Not used, but needed to pass arm-ttk test `Location-Should-Not-Be-Hardcoded`. We instead use the `workspace-location` which is derived from the LA workspace" + } + }, + "workspace-location": { + "type": "string", + "defaultValue": "", + "metadata": { + "description": "[concat('Region to deploy solution resources -- separate from location selection',parameters('location'))]" + } + }, + "workspace": { + "defaultValue": "", + "type": "string", + "metadata": { + "description": "Workspace name for Log Analytics where Sentinel is setup" + } + }, + "analytic1-id": { + "type": "string", + "defaultValue": "[newGuid()]", + "minLength": 1, + "metadata": { + "description": "Unique id for the scheduled alert rule" + } + }, + "analytic2-id": { + "type": "string", + "defaultValue": "[newGuid()]", + "minLength": 1, + "metadata": { + "description": "Unique id for the scheduled alert rule" + } + }, + "analytic3-id": { + "type": "string", + "defaultValue": "[newGuid()]", + "minLength": 1, + "metadata": { + "description": "Unique id for the scheduled alert rule" + } + }, + "analytic4-id": { + "type": "string", + "defaultValue": "[newGuid()]", + "minLength": 1, + "metadata": { + "description": "Unique id for the scheduled alert rule" + } + } + }, + "variables": { + "sourceId": "azuresentinel.azure-sentinel-solution-apachelog4jvulnerability", + "_sourceId": "[variables('sourceId')]", + "Log4jVulnerableMachines_AnalyticalRules": "Log4jVulnerableMachines_AnalyticalRules", + "_Log4jVulnerableMachines_AnalyticalRules": "[variables('Log4jVulnerableMachines_AnalyticalRules')]", + "AzureWAFmatching_log4j_vuln_AnalyticalRules": "AzureWAFmatching_log4j_vuln_AnalyticalRules", + "_AzureWAFmatching_log4j_vuln_AnalyticalRules": "[variables('AzureWAFmatching_log4j_vuln_AnalyticalRules')]", + "Log4J_IPIOC_Dec112021_AnalyticalRules": "Log4J_IPIOC_Dec112021_AnalyticalRules", + "_Log4J_IPIOC_Dec112021_AnalyticalRules": "[variables('Log4J_IPIOC_Dec112021_AnalyticalRules')]", + "UserAgentSearch_log4j_AnalyticalRules": "UserAgentSearch_log4j_AnalyticalRules", + "_UserAgentSearch_log4j_AnalyticalRules": "[variables('UserAgentSearch_log4j_AnalyticalRules')]", + "WAF_log4j_vulnerability_HuntingQueries": "WAF_log4j_vulnerability_HuntingQueries", + "_WAF_log4j_vulnerability_HuntingQueries": "[variables('WAF_log4j_vulnerability_HuntingQueries')]", + "workspace-dependency": "[concat('Microsoft.OperationalInsights/workspaces/', parameters('workspace'))]", + "NetworkConnectionldap_log4j_HuntingQueries": "NetworkConnectionldap_log4j_HuntingQueries", + "_NetworkConnectionldap_log4j_HuntingQueries": "[variables('NetworkConnectionldap_log4j_HuntingQueries')]", + "Firewall_Disable_Activity_HuntingQueries": "Firewall_Disable_Activity_HuntingQueries", + "_Firewall_Disable_Activity_HuntingQueries": "[variables('Firewall_Disable_Activity_HuntingQueries')]", + "Apache_log4j_Vulnerability_HuntingQueries": "Apache_log4j_Vulnerability_HuntingQueries", + "_Apache_log4j_Vulnerability_HuntingQueries": "[variables('Apache_log4j_Vulnerability_HuntingQueries')]", + "Process_Termination_Activity_HuntingQueries": "Process_Termination_Activity_HuntingQueries", + "_Process_Termination_Activity_HuntingQueries": "[variables('Process_Termination_Activity_HuntingQueries')]", + "Suspicious_ShellScript_Activity_HuntingQueries": "Suspicious_ShellScript_Activity_HuntingQueries", + "_Suspicious_ShellScript_Activity_HuntingQueries": "[variables('Suspicious_ShellScript_Activity_HuntingQueries')]", + "Base64_Download_Activity_HuntingQueries": "Base64_Download_Activity_HuntingQueries", + "_Base64_Download_Activity_HuntingQueries": "[variables('Base64_Download_Activity_HuntingQueries')]" + }, + "resources": [ + { + "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',parameters('analytic1-id'))]", + "apiVersion": "2021-03-01-preview", + "kind": "Scheduled", + "location": "[parameters('workspace-location')]", + "properties": { + "description": "This query uses the Azure Defender Security Nested Recommendations data to find machines vulnerable to log4j CVE-2021-44228. Log4j is an open-source Apache logging library that is used in \n many Java-based applications. Security Nested Recommendations data is sent to Microsoft Sentinel using the continuous export feature of Azure Defender(refrence link below).\n Reference: https://msrc-blog.microsoft.com/2021/12/11/microsofts-response-to-cve-2021-44228-apache-log4j2/\n Reference: https://docs.microsoft.com/azure/security-center/continuous-export?tabs=azure-portal\n Reference: https://techcommunity.microsoft.com/t5/microsoft-defender-for-cloud/how-defender-for-cloud-displays-machines-affected-by-log4j/ba-p/3037271", + "displayName": "Vulnerable Machines related to log4j CVE-2021-44228", + "enabled": false, + "query": "SecurityNestedRecommendation\n| where RemediationDescription has 'CVE-2021-44228'\n| parse ResourceDetails with * 'virtualMachines/' VirtualMAchine '\"' *\n| summarize arg_min(TimeGenerated, *) by TenantId, RecommendationSubscriptionId, VirtualMAchine, RecommendationName,Description,RemediationDescription, tostring(AdditionalData),VulnerabilityId\n| extend Timestamp = TimeGenerated, HostCustomEntity = VirtualMAchine\n", + "queryFrequency": "P1D", + "queryPeriod": "P1D", + "severity": "High", + "suppressionDuration": "PT1H", + "suppressionEnabled": false, + "triggerOperator": "GreaterThan", + "triggerThreshold": 0, + "tactics": [ + "InitialAccess", + "Execution" + ], + "entityMappings": [ + { + "fieldMappings": [ + { + "identifier": "FullName", + "columnName": "HostCustomEntity" + } + ], + "entityType": "Host" + } + ] + } + }, + { + "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',parameters('analytic2-id'))]", + "apiVersion": "2021-03-01-preview", + "kind": "Scheduled", + "location": "[parameters('workspace-location')]", + "properties": { + "description": "This query will alert on a positive pattern match by Azure WAF for CVE-2021-44228 log4j vulnerability exploitation attempt. If possible, it then decodes the malicious command for further analysis.\n Refrence: https://www.microsoft.com/security/blog/2021/12/11/guidance-for-preventing-detecting-and-hunting-for-cve-2021-44228-log4j-2-exploitation/", + "displayName": "Azure WAF matching for Log4j vuln(CVE-2021-44228)", + "enabled": false, + "query": "AzureDiagnostics\n| where details_data_s has \"jndi:\"\n| parse details_data_s with * '${' MaliciousCommand '}' *\n| extend EncodeCmd = iff(MaliciousCommand has 'Base64/', split(split(MaliciousCommand, \"Base64/\",1)[0], \"}\", 0)[0], \"\")\n| extend EncodeCmd1 = iff(MaliciousCommand has 'base64/', split(split(MaliciousCommand, \"base64/\",1)[0], \"}\", 0)[0], \"\")\n| extend CmdLine = iff( isnotempty(EncodeCmd), EncodeCmd, EncodeCmd1)\n| extend DecodedCmdLine = base64_decode_tostring(tostring(CmdLine))\n| extend DecodedCmdLine = iff( isnotempty(DecodedCmdLine), DecodedCmdLine, \"Unable to decode\")\n| project TimeGenerated, Target=hostname_s, MaliciousHost = clientIp_s, MaliciousCommand, details_data_s, DecodedCmdLine, Message, ruleSetType_s, OperationName, SubscriptionId, details_message_s, details_file_s \n| extend IPCustomEntity = MaliciousHost, timestamp = TimeGenerated\n", + "queryFrequency": "PT6H", + "queryPeriod": "PT6H", + "severity": "Medium", + "suppressionDuration": "PT1H", + "suppressionEnabled": false, + "triggerOperator": "GreaterThan", + "triggerThreshold": 0, + "tactics": [ + "InitialAccess" + ], + "entityMappings": [ + { + "fieldMappings": [ + { + "identifier": "Address", + "columnName": "IPCustomEntity" + } + ], + "entityType": "IP" + } + ] + } + }, + { + "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',parameters('analytic3-id'))]", + "apiVersion": "2021-03-01-preview", + "kind": "Scheduled", + "location": "[parameters('workspace-location')]", + "properties": { + "description": "Identifies a match across various data feeds for IP IOCs related to the Log4j vulnerability exploit aka Log4Shell described in CVE-2021-44228. \n References: https://cve.mitre.org/cgi-bin/cvename.cgi?name=2021-44228", + "displayName": "Log4j vulnerability exploit aka Log4Shell IP IOC", + "enabled": false, + "query": "\nlet IPList = externaldata(IPAddress:string)[@\"https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Sample%20Data/Feeds/Log4j_IOC_List.csv\"] with (format=\"csv\", ignoreFirstRecord=True);\nlet IPRegex = '[0-9]{1,3}\\\\.[0-9]{1,3}\\\\.[0-9]{1,3}\\\\.[0-9]{1,3}';\n(union isfuzzy=true\n(CommonSecurityLog\n| where SourceIP in (IPList) or DestinationIP in (IPList) or Message has_any (IPList)\n| extend MessageIP = extract(IPRegex, 0, Message)\n| extend IPMatch = case(SourceIP in (IPList), \"SourceIP\", DestinationIP in (IPList), \"DestinationIP\", MessageIP in (IPList), \"Message\", \"No Match\")\n| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated) by SourceIP, DestinationIP, DeviceProduct, DeviceAction, Message, MessageIP, Protocol, SourcePort, DestinationPort, DeviceAddress, DeviceName, IPMatch \n| extend timestamp = StartTime, IPCustomEntity = case(IPMatch == \"SourceIP\", SourceIP, IPMatch == \"DestinationIP\", DestinationIP, IPMatch == \"Message\", MessageIP, \"No Match\")\n),\n(OfficeActivity \n| extend SourceIPAddress = ClientIP, Account = UserId\n| where SourceIPAddress in (IPList)\n| extend timestamp = TimeGenerated , IPCustomEntity = SourceIPAddress , AccountCustomEntity = Account\n),\n(DnsEvents\n| where IPAddresses has_any (IPList)\n| extend DestinationIPAddress = IPAddresses, Host = Computer\n| extend timestamp = TimeGenerated, IPCustomEntity = DestinationIPAddress, HostCustomEntity = Host\n),\n(imDns (response_has_any_prefix=IPList)\n| extend DestinationIPAddress = ResponseName, Host = SrcIpAddr\n| extend timestamp = TimeGenerated, IPCustomEntity = DestinationIPAddress, HostCustomEntity = Host\n),\n(VMConnection\n| where SourceIp in (IPList) or DestinationIp in (IPList)\n| extend IPMatch = case( SourceIp in (IPList), \"SourceIP\", DestinationIp in (IPList), \"DestinationIP\", \"None\")\n| extend timestamp = TimeGenerated , IPCustomEntity = case(IPMatch == \"SourceIP\", SourceIp, IPMatch == \"DestinationIP\", DestinationIp, \"None\"), Host = Computer\n),\n(Event\n| where Source == \"Microsoft-Windows-Sysmon\"\n| where EventID == 3\n| extend EvData = parse_xml(EventData)\n| extend EventDetail = EvData.DataItem.EventData.Data\n| extend SourceIP = EventDetail.[9].[\"#text\"], DestinationIP = EventDetail.[14].[\"#text\"]\n| where SourceIP in (IPList) or DestinationIP in (IPList)\n| extend IPMatch = case( SourceIP in (IPList), \"SourceIP\", DestinationIP in (IPList), \"DestinationIP\", \"None\")\n| extend timestamp = TimeGenerated, AccountCustomEntity = UserName, HostCustomEntity = Computer , IPCustomEntity = case(IPMatch == \"SourceIP\", SourceIP, IPMatch == \"DestinationIP\", DestinationIP, \"None\")\n),\n(WireData\n| where isnotempty(RemoteIP) \n| where RemoteIP in (IPList) \n| extend timestamp = TimeGenerated, IPCustomEntity = RemoteIP, HostCustomEntity = Computer\n),\n(SigninLogs\n| where isnotempty(IPAddress)\n| where IPAddress in (IPList)\n| extend timestamp = TimeGenerated, AccountCustomEntity = UserPrincipalName, IPCustomEntity = IPAddress\n),\n(AADNonInteractiveUserSignInLogs\n| where isnotempty(IPAddress)\n| where IPAddress in (IPList)\n| extend timestamp = TimeGenerated, AccountCustomEntity = UserPrincipalName, IPCustomEntity = IPAddress\n),\n(W3CIISLog\n| where isnotempty(cIP)\n| where cIP in (IPList)\n| extend timestamp = TimeGenerated, IPCustomEntity = cIP, HostCustomEntity = Computer, AccountCustomEntity = csUserName\n),\n(AzureActivity\n| where isnotempty(CallerIpAddress)\n| where CallerIpAddress in (IPList)\n| extend timestamp = TimeGenerated, IPCustomEntity = CallerIpAddress, AccountCustomEntity = Caller\n),\n(\nAWSCloudTrail\n| where isnotempty(SourceIpAddress)\n| where SourceIpAddress in (IPList)\n| extend timestamp = TimeGenerated, IPCustomEntity = SourceIpAddress, AccountCustomEntity = UserIdentityUserName\n), \n( \nDeviceNetworkEvents\n| where isnotempty(RemoteIP)\n| where RemoteIP in (IPList)\n| extend timestamp = TimeGenerated, IPCustomEntity = RemoteIP, HostCustomEntity = DeviceName\n),\n(\nAzureDiagnostics\n| where ResourceType == \"AZUREFIREWALLS\"\n| where Category == \"AzureFirewallApplicationRule\"\n| parse msg_s with Protocol 'request from ' SourceHost ':' SourcePort 'to ' DestinationHost ':' DestinationPort '. Action:' Action\n| where isnotempty(DestinationHost)\n| where DestinationHost has_any (IPList)\n| extend DestinationIP = DestinationHost\n| extend IPCustomEntity = SourceHost\n),\n(\nAzureDiagnostics\n| where ResourceType == \"AZUREFIREWALLS\"\n| where Category == \"AzureFirewallNetworkRule\"\n| parse msg_s with Protocol 'request from ' SourceHost ':' SourcePort 'to ' DestinationHost ':' DestinationPort '. Action:' Action\n| where isnotempty(DestinationHost)\n| where DestinationHost has_any (IPList)\n| extend DestinationIP = DestinationHost\n| extend IPCustomEntity = SourceHost\n)\n)\n", + "queryFrequency": "P1D", + "queryPeriod": "P1D", + "severity": "High", + "suppressionDuration": "PT1H", + "suppressionEnabled": false, + "triggerOperator": "GreaterThan", + "triggerThreshold": 0, + "tactics": [ + "CommandAndControl" + ], + "entityMappings": [ + { + "fieldMappings": [ + { + "identifier": "FullName", + "columnName": "AccountCustomEntity" + } + ], + "entityType": "Account" + }, + { + "fieldMappings": [ + { + "identifier": "FullName", + "columnName": "HostCustomEntity" + } + ], + "entityType": "Host" + }, + { + "fieldMappings": [ + { + "identifier": "Address", + "columnName": "IPCustomEntity" + } + ], + "entityType": "IP" + } + ] + } + }, + { + "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',parameters('analytic4-id'))]", + "apiVersion": "2021-03-01-preview", + "kind": "Scheduled", + "location": "[parameters('workspace-location')]", + "properties": { + "description": "This query uses various log sources having user agent data to look for log4j CVE-2021-44228 exploitation attempt based on user agent pattern. Log4j is an open-source Apache logging library that is used in \n many Java-based applications. The regex and the string matching look for the most common attacks. This might not be comprehensive to detect every possible user agent variation.\n Reference: https://msrc-blog.microsoft.com/2021/12/11/microsofts-response-to-cve-2021-44228-apache-log4j2/", + "displayName": "User agent search for log4j exploitation attempt", + "enabled": false, + "query": "let UserAgentString = dynamic ([\"${jndi:ldap:/\", \"${jndi:rmi:/\", \"${jndi:ldaps:/\", \"${jndi:dns:/\", \"${jndi:iiop:/\",\"${jndi:\",\"${jndi:nds:/\",\"${jndi:corba/\"]);\nlet UARegex = @'\\\\$\\\\{j\\\\$\\\\{::-\\\\}n\\\\$\\\\{::-\\\\}d\\\\$\\\\{::-\\\\}[a-zA-Z]';\n(union isfuzzy=true\n(OfficeActivity\n| where UserAgent has_any (UserAgentString) or UserAgent matches regex UARegex\n| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated) by UserAgent, SourceIP = ClientIP, Account = UserId, Type, Operation\n| extend timestamp = StartTime, AccountCustomEntity = Account, IPCustomEntity = SourceIP\n),\n(AzureDiagnostics\n| where Category in (\"FrontdoorWebApplicationFirewallLog\", \"FrontdoorAccessLog\", \"ApplicationGatewayFirewallLog\", \"ApplicationGatewayAccessLog\")\n| where userAgent_s has_any (UserAgentString) or userAgent_s matches regex UARegex\n| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated) by UserAgent = userAgent_s, SourceIP = clientIP_s, Type, host_s, requestUri_s, httpStatus_d\n| extend timestamp = StartTime, IPCustomEntity = SourceIP, UrlCustomEntity = requestUri_s\n),\n(\nW3CIISLog\n| where csUserAgent has_any (UserAgentString) or csUserAgent matches regex UARegex\n| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated) by UserAgent = csUserAgent, SourceIP = cIP, Account = csUserName, Type, sSiteName, csMethod, csUriStem\n| extend timestamp = StartTime, AccountCustomEntity = Account, IPCustomEntity = SourceIP, UrlCustomEntity = csUriStem\n),\n(\nAWSCloudTrail\n| where UserAgent has_any (UserAgentString) or UserAgent matches regex UARegex\n| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated) by UserAgent, SourceIP = SourceIpAddress, Account = UserIdentityUserName, Type, EventName\n| extend timestamp = StartTime, AccountCustomEntity = Account, IPCustomEntity = SourceIP\n),\n(SigninLogs\n| where UserAgent has_any (UserAgentString) or UserAgent matches regex UARegex\n| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated) by UserAgent, SourceIP = IPAddress, Account = UserPrincipalName, Type, Operation = OperationName, tostring(LocationDetails), tostring(DeviceDetail), AppDisplayName, ClientAppUsed\n| extend timestamp = StartTime, AccountCustomEntity = Account, IPCustomEntity = SourceIP\n),\n(AADNonInteractiveUserSignInLogs \n| where UserAgent has_any (UserAgentString) or UserAgent matches regex UARegex\n| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated) by UserAgent, SourceIP = IPAddress, Account = UserPrincipalName, Type, Operation = OperationName, tostring(LocationDetails), tostring(DeviceDetail), AppDisplayName, ClientAppUsed\n| extend timestamp = StartTime, AccountCustomEntity = Account, IPCustomEntity = SourceIP\n),\n(imWebSessions\n| where HttpUserAgent has_any (UserAgentString) or HttpUserAgent matches regex UARegex\n| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated) by HttpUserAgent, SourceIP = SrcIpAddr, DstIpAddr, Account = SrcUsername, URL, Type\n| extend timestamp = StartTime, AccountCustomEntity = Account, IPCustomEntity = SourceIP, UrlCustomEntity = URL\n),\n(imNetworkSession\n| where HttpUserAgent has_any (UserAgentString) or HttpUserAgent matches regex UARegex\n| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated) by HttpUserAgent, SourceIP = SrcIpAddr, DstIpAddr, Account = SrcUsername, Type, Url\n| extend timestamp = StartTime, AccountCustomEntity = Account, IPCustomEntity = SourceIP, UrlCustomEntity = Url\n)\n)\n", + "queryFrequency": "P1D", + "queryPeriod": "P1D", + "severity": "High", + "suppressionDuration": "PT1H", + "suppressionEnabled": false, + "triggerOperator": "GreaterThan", + "triggerThreshold": 0, + "tactics": [ + "InitialAccess" + ], + "entityMappings": [ + { + "fieldMappings": [ + { + "identifier": "Url", + "columnName": "UrlCustomEntity" + } + ], + "entityType": "URL" + }, + { + "fieldMappings": [ + { + "identifier": "Address", + "columnName": "IPCustomEntity" + } + ], + "entityType": "IP" + }, + { + "fieldMappings": [ + { + "identifier": "Name", + "columnName": "AccountCustomEntity" + } + ], + "entityType": "Account" + } + ] + } + }, + { + "type": "Microsoft.OperationalInsights/workspaces", + "apiVersion": "2020-08-01", + "name": "[parameters('workspace')]", + "location": "[parameters('workspace-location')]", + "resources": [ + { + "type": "savedSearches", + "apiVersion": "2020-08-01", + "name": "Apache Log4j Vulnerability Detection Hunting Query 1", + "dependsOn": [ + "[variables('workspace-dependency')]" + ], + "properties": { + "eTag": "*", + "displayName": "Azure WAF Log4j CVE-2021-44228 hunting", + "category": "Hunting Queries", + "query": "let log4jcmdstring = dynamic([\"${jndi:ldap\",\"${jndi:dns\",\"${jndi:rmi\",\"${jndi:corba\",\"${jndi:iiop\",\"${jndi:nis\",\"${jndi:nds\"]);\nAzureDiagnostics\n| where Category in (\"FrontdoorWebApplicationFirewallLog\", \"FrontdoorAccessLog\", \"ApplicationGatewayFirewallLog\", \"ApplicationGatewayAccessLog\")\n//The regex and the string matching look for the most common attacks. This is not supposed to be comprehensive.\n| where originalRequestUriWithArgs_s has_any (log4jcmdstring) or originalRequestUriWithArgs_s matches regex '\\\\$\\\\{j\\\\$\\\\{::-\\\\}n\\\\$\\\\{::-\\\\}d\\\\$\\\\{::-\\\\}[a-zA-Z]' or userAgent_s has_any (log4jcmdstring) or userAgent_s matches regex '\\\\$\\\\{j\\\\$\\\\{::-\\\\}n\\\\$\\\\{::-\\\\}d\\\\$\\\\{::-\\\\}[a-zA-Z]'\n| extend CmdLine = iff(originalRequestUriWithArgs_s has 'Base64/', split(split(originalRequestUriWithArgs_s, \"Base64/\",1)[0], \"}\", 0)[0], split(split(userAgent_s, \"Base64/\",1)[0], \"}\", 0)[0])\n| extend CmdLine = base64_decode_tostring(tostring(CmdLine))\n| where CmdLine has_any (\"wget\",\"curl\")\n| summarize Total = count() by originalRequestUriWithArgs_s, userAgent_s, clientIP_s,clientPort_d, TimeGenerated, host_s, requestUri_s, httpStatus_d,listenerName_s, CmdLine, httpMethod_s, Category\n| extend IPCustomEntity = clientIP_s, timestamp = TimeGenerated\n", + "version": 1, + "tags": [ + { + "name": "description", + "value": "This hunting query looks in Azure Web Application Firewall data to find possible exploitation attempts for CVE-2021-44228 involving log4j vulnerability." + }, + { + "name": "tactics", + "value": "InitialAccess" + } + ] + } + }, + { + "type": "savedSearches", + "apiVersion": "2020-08-01", + "name": "Apache Log4j Vulnerability Detection Hunting Query 2", + "dependsOn": [ + "[variables('workspace-dependency')]" + ], + "properties": { + "eTag": "*", + "displayName": "Malicious Connection to LDAP port for CVE-2021-44228 vulnerability", + "category": "Hunting Queries", + "query": "let PrivateIPregex = @'^127\\.|^10\\.|^172\\.1[6-9]\\.|^172\\.2[0-9]\\.|^172\\.3[0-1]\\.|^192\\.168\\.';\nlet Port = dynamic(['389', '1389']); \n(union isfuzzy=true\n(DeviceNetworkEvents\n| where InitiatingProcessFileName has_any (\"javaw.exe\",\"java.exe\")\n| where ActionType has \"ConnectionSuccess\"\n| where RemotePort in ('389', '1389')\n| where InitiatingProcessCommandLine has_any ('curl', 'wget')\n| where RemoteIPType =~ 'Public'\n| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated) by ActionType, DestinationIP = RemoteIP, RemoteUrl, DestinationPort = RemotePort, SourceIP = LocalIP, Type, InitiatingProcessAccountName, InitiatingProcessCommandLine, InitiatingProcessFolderPath, InitiatingProcessParentFileName, ProcessName = InitiatingProcessFileName, Computer = DeviceName\n| extend timestamp = StartTime, IPCustomEntity = DestinationIP, HostCustomEntity = Computer\n),\n(VMConnection\n| where ProcessName has_any (\"javaw\",\"java\")\n| where DestinationPort in ('389', '1389')\n| extend DestinationIpType = iff(DestinationIp matches regex PrivateIPregex,\"private\" ,\"public\" )\n| where DestinationIpType == \"public\"\n| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated) by TimeGenerated, SourceIP = SourceIp , DestinationIP = DestinationIp, DestinationPort, BytesReceived, BytesSent, ProcessName, Computer\n| extend timestamp = StartTime, IPCustomEntity = DestinationIP, HostCustomEntity = Computer\n)\n)\n", + "version": 1, + "tags": [ + { + "name": "description", + "value": "This hunting query looks for connection to LDAP port to find possible exploitation attempts for CVE-2021-44228 involving log4j vulnerability." + }, + { + "name": "tactics", + "value": "CommandAndControl" + } + ] + } + }, + { + "type": "savedSearches", + "apiVersion": "2020-08-01", + "name": "Apache Log4j Vulnerability Detection Hunting Query 3", + "dependsOn": [ + "[variables('workspace-dependency')]" + ], + "properties": { + "eTag": "*", + "displayName": "Suspicious manipulation of firewall detected via Syslog data", + "category": "Hunting Queries", + "query": "Syslog\n| where Facility == 'user'\n| where SyslogMessage has \"AUOMS_EXECVE\"\n| parse SyslogMessage with \"type=\" EventType \" audit(\" * \"): \" EventData\n| where EventType =~ \"AUOMS_EXECVE\"\n| parse EventData with * \"syscall=\" syscall \" syscall_r=\" * \" success=\" success \" exit=\" exit \" a0\" * \" ppid=\" ppid \" pid=\" pid \" audit_user=\" audit_user \" auid=\" auid \" user=\" user \" uid=\" uid \" group=\" group \" gid=\" gid \"effective_user=\" effective_user \" euid=\" euid \" set_user=\" set_user \" suid=\" suid \" filesystem_user=\" filesystem_user \" fsuid=\" fsuid \" effective_group=\" effective_group \" egid=\" egid \" set_group=\" set_group \" sgid=\" sgid \" filesystem_group=\" filesystem_group \" fsgid=\" fsgid \" tty=\" tty \" ses=\" ses \" comm=\\\"\" comm \"\\\" exe=\\\"\" exe \"\\\"\" * \"cwd=\\\"\" cwd \"\\\"\" * \"name=\\\"\" name \"\\\"\" * \"cmdline=\\\"\" cmdline \"\\\" containerid=\" containerid\n| where cmdline has_any (\"SuSEfirewall2 stop\",\"reSuSEfirewall2 stop\",\"ufw stop\",\"ufw disable\")\n| project TimeGenerated, Computer, audit_user, user, cmdline\n| extend AccountCustomEntity = user, HostCustomEntity = Computer, timestamp = TimeGenerated\n| sort by TimeGenerated desc\n", + "version": 1, + "tags": [ + { + "name": "description", + "value": "This query uses syslog data to alert on any suspicious manipulation of firewall to evade defenses.\nAttackers perform such operation as seen recently to exploit the remote code execution vulnerability in Log4j component of Apache." + }, + { + "name": "tactics", + "value": "DefenseEvasion" + } + ] + } + }, + { + "type": "savedSearches", + "apiVersion": "2020-08-01", + "name": "Apache Log4j Vulnerability Detection Hunting Query 4", + "dependsOn": [ + "[variables('workspace-dependency')]" + ], + "properties": { + "eTag": "*", + "displayName": "Possible exploitation of Apache log4j component detected", + "category": "Hunting Queries", + "query": "Syslog\n| where Facility == 'user'\n| where SyslogMessage has \"AUOMS_EXECVE\"\n| where SyslogMessage has 'jndi' and SyslogMessage has_any ('ldap', 'dns', 'rmi', 'corba', 'iiop', 'nis', 'nds')\n| parse SyslogMessage with \"type=\" EventType \" audit(\" * \"): \" EventData\n| where EventType =~ \"AUOMS_EXECVE\"\n| project TimeGenerated, EventType, Computer, EventData\n| parse EventData with * \"syscall=\" syscall \" syscall_r=\" * \" success=\" success \" exit=\" exit \" a0\" * \" ppid=\" ppid \" pid=\" pid \" audit_user=\" audit_user \" auid=\" auid \" user=\" user \" uid=\" uid \" group=\" group \" gid=\" gid \"effective_user=\" effective_user \" euid=\" euid \" set_user=\" set_user \" suid=\" suid \" filesystem_user=\" filesystem_user \" fsuid=\" fsuid \" effective_group=\" effective_group \" egid=\" egid \" set_group=\" set_group \" sgid=\" sgid \" filesystem_group=\" filesystem_group \" fsgid=\" fsgid \" tty=\" tty \" ses=\" ses \" comm=\\\"\" comm \"\\\" exe=\\\"\" exe \"\\\"\" * \"cwd=\\\"\" cwd \"\\\"\" * \"name=\\\"\" name \"\\\"\" * \"cmdline=\\\"\" cmdline \"\\\" containerid=\" containerid\n| where comm has_any (\"wget\",\"curl\")\n| where cmdline has_any (\"${jndi:ldap\",\"${jndi:dns\",\"${jndi:rmi\",\"${jndi:corba\",\"${jndi:iiop\",\"${jndi:nis\", \"${jndi:nds\")\n| project TimeGenerated, Computer, audit_user, user, cmdline\n| extend AccountCustomEntity = user, HostCustomEntity = Computer, timestamp = TimeGenerated\n| sort by TimeGenerated desc\n", + "version": 1, + "tags": [ + { + "name": "description", + "value": "This hunting query looks for possible attempts to exploit a remote code execution vulnerability in the Log4j component of Apache. \nAttackers may attempt to launch code by passing specific commands to a server, which are then logged and executed by Log4j." + }, + { + "name": "tactics", + "value": "Persistence,Execution" + } + ] + } + }, + { + "type": "savedSearches", + "apiVersion": "2020-08-01", + "name": "Apache Log4j Vulnerability Detection Hunting Query 5", + "dependsOn": [ + "[variables('workspace-dependency')]" + ], + "properties": { + "eTag": "*", + "displayName": "Linux security related process termination activity detected", + "category": "Hunting Queries", + "query": "Syslog\n| where Facility == 'user'\n| where SyslogMessage has \"AUOMS_EXECVE\"\n| parse SyslogMessage with \"type=\" EventType \" audit(\" * \"): \" EventData\n| where EventType =~ \"AUOMS_EXECVE\"\n| parse EventData with * \"syscall=\" syscall \" syscall_r=\" * \" success=\" success \" exit=\" exit \" a0\" * \" ppid=\" ppid \" pid=\" pid \" audit_user=\" audit_user \" auid=\" auid \" user=\" user \" uid=\" uid \" group=\" group \" gid=\" gid \"effective_user=\" effective_user \" euid=\" euid \" set_user=\" set_user \" suid=\" suid \" filesystem_user=\" filesystem_user \" fsuid=\" fsuid \" effective_group=\" effective_group \" egid=\" egid \" set_group=\" set_group \" sgid=\" sgid \" filesystem_group=\" filesystem_group \" fsgid=\" fsgid \" tty=\" tty \" ses=\" ses \" comm=\\\"\" comm \"\\\" exe=\\\"\" exe \"\\\"\" * \"cwd=\\\"\" cwd \"\\\"\" * \"name=\\\"\" name \"\\\"\" * \"cmdline=\\\"\" cmdline \"\\\" containerid=\" containerid\n| where cmdline has_any (\"service apparmor stop\",\"service aliyun.service stop\",\"systemctl disable apparmor\",\"systemctl disable aliyun.service\")\nor (exe has \"pkill\" and cmdline has_any (\"omsagent\",\"auoms\",\"omiagent\",\"waagent\") and cmdline !has \"/omsagent/plugin/pi\"and cmdline !has \"/omsconfig/modules\")\n| project TimeGenerated, Computer, audit_user, user, cmdline\n| extend AccountCustomEntity = user, HostCustomEntity = Computer, timestamp = TimeGenerated\n| sort by TimeGenerated desc\n", + "version": 1, + "tags": [ + { + "name": "description", + "value": "This query will alert on any attempts to terminate processes related to security monitoring on the host. \nAttackers will often try to terminate such processes post-compromise as seen recently to exploit the remote code execution vulnerability in Log4j." + }, + { + "name": "tactics", + "value": "DefenseEvasion" + } + ] + } + }, + { + "type": "savedSearches", + "apiVersion": "2020-08-01", + "name": "Apache Log4j Vulnerability Detection Hunting Query 6", + "dependsOn": [ + "[variables('workspace-dependency')]" + ], + "properties": { + "eTag": "*", + "displayName": "Suspicious Shell script detected", + "category": "Hunting Queries", + "query": "Syslog\n| where Facility == 'user'\n| where SyslogMessage has \"AUOMS_EXECVE\"\n| parse SyslogMessage with \"type=\" EventType \" audit(\" * \"): \" EventData\n| where EventType =~ \"AUOMS_EXECVE\"\n| project TimeGenerated, EventType, Computer, EventData\n| parse EventData with * \"syscall=\" syscall \" syscall_r=\" * \" success=\" success \" exit=\" exit \" a0\" * \" ppid=\" ppid \" pid=\" pid \" audit_user=\" audit_user \" auid=\" auid \" user=\" user \" uid=\" uid \" group=\" group \" gid=\" gid \"effective_user=\" effective_user \" euid=\" euid \" set_user=\" set_user \" suid=\" suid \" filesystem_user=\" filesystem_user \" fsuid=\" fsuid \" effective_group=\" effective_group \" egid=\" egid \" set_group=\" set_group \" sgid=\" sgid \" filesystem_group=\" filesystem_group \" fsgid=\" fsgid \" tty=\" tty \" ses=\" ses \" comm=\\\"\" comm \"\\\" exe=\\\"\" exe \"\\\"\" * \"cwd=\\\"\" cwd \"\\\"\" * \"name=\\\"\" name \"\\\"\" * \"cmdline=\\\"\" cmdline \"\\\" containerid=\" containerid\n| where exe has_any (\"bash\",\"dash\")\n| where cmdline matches regex \"[0-9]{1,3}\\\\.[0-9]{1,3}\\\\.[0-9]{1,3}\\\\.[0-9]{1,3}\"\n| where cmdline has \"curl\" and cmdline has \"wget\"\n| project TimeGenerated, Computer, audit_user, user, cmdline\n| extend AccountCustomEntity = user, HostCustomEntity = Computer, timestamp = TimeGenerated\n| sort by TimeGenerated desc\n", + "version": 1, + "tags": [ + { + "name": "description", + "value": "This hunting query will help detect post compromise suspicious shell scripts that attackers use for downloading and executing malicious files." + }, + { + "name": "tactics", + "value": "Persistence,Execution" + } + ] + } + }, + { + "type": "savedSearches", + "apiVersion": "2020-08-01", + "name": "Apache Log4j Vulnerability Detection Hunting Query 7", + "dependsOn": [ + "[variables('workspace-dependency')]" + ], + "properties": { + "eTag": "*", + "displayName": "Suspicious Base64 download activity detected", + "category": "Hunting Queries", + "query": "Syslog\n| where Facility == 'user'\n| where SyslogMessage has \"AUOMS_EXECVE\"\n| parse SyslogMessage with \"type=\" EventType \" audit(\" * \"): \" EventData\n| project TimeGenerated, EventType, Computer, EventData\n| where EventType =~ \"AUOMS_EXECVE\"\n| parse EventData with * \"syscall=\" syscall \" syscall_r=\" * \" success=\" success \" exit=\" exit \" a0\" * \" ppid=\" ppid \" pid=\" pid \" audit_user=\" audit_user \" auid=\" auid \" user=\" user \" uid=\" uid \" group=\" group \" gid=\" gid \"effective_user=\" effective_user \" euid=\" euid \" set_user=\" set_user \" suid=\" suid \" filesystem_user=\" filesystem_user \" fsuid=\" fsuid \" effective_group=\" effective_group \" egid=\" egid \" set_group=\" set_group \" sgid=\" sgid \" filesystem_group=\" filesystem_group \" fsgid=\" fsgid \" tty=\" tty \" ses=\" ses \" comm=\\\"\" comm \"\\\" exe=\\\"\" exe \"\\\"\" * \"cwd=\\\"\" cwd \"\\\"\" * \"name=\\\"\" name \"\\\"\" * \"cmdline=\\\"\" cmdline \"\\\" containerid=\" containerid\n| where cmdline has \"/Basic/Command/Base64/\"\n| where exe has_any (\"curl\", \"wget\")\n| parse cmdline with * \"Base64/\" OriginalEncodedCommand:string\n| extend EncodedCommand = extract(\"((?:[A-Za-z0-9+/-]{4})*(?:[A-Za-z0-9+/-]{2}==|[A-Za-z0-9+/-]{3}=|[A-Za-z0-9+/-]{4}))\", 1, OriginalEncodedCommand) \n| extend DecodedCommand = base64_decode_tostring(EncodedCommand) \n| project TimeGenerated, Computer, audit_user, user, cmdline, DecodedCommand, EncodedCommand\n| extend AccountCustomEntity = user, HostCustomEntity = Computer, timestamp = TimeGenerated\n| sort by TimeGenerated desc\n", + "version": 1, + "tags": [ + { + "name": "description", + "value": "This hunting query will help detect suspicious encoded Base64 obfuscated scripts that attackers use to encode payloads for downloading and executing malicious files." + }, + { + "name": "tactics", + "value": "Persistence,Execution" + } + ] + } + } + ] + }, + { + "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", + "apiVersion": "2021-03-01-preview", + "properties": { + "version": "1.0.0", + "kind": "Solution", + "contentId": "[variables('_sourceId')]", + "parentId": "[variables('_sourceId')]", + "source": { + "kind": "Solution", + "name": "Apache Log4j Vulnerability Detection", + "sourceId": "[variables('_sourceId')]" + }, + "author": { + "name": "Eli Forbes", + "email": "v-eliforbes@microsoft.com" + }, + "support": { + "tier": "Microsoft", + "email": "support@microsoft.com", + "name": "Microsoft Sentinel, Microsoft Corporation", + "link": "https://support.microsoft.com/" + }, + "dependencies": { + "operator": "AND", + "criteria": [ + { + "kind": "AnalyticsRule", + "contentId": "[variables('_Log4jVulnerableMachines_AnalyticalRules')]", + "version": "1.0.0" + }, + { + "kind": "AnalyticsRule", + "contentId": "[variables('_AzureWAFmatching_log4j_vuln_AnalyticalRules')]", + "version": "1.0.0" + }, + { + "kind": "AnalyticsRule", + "contentId": "[variables('_Log4J_IPIOC_Dec112021_AnalyticalRules')]", + "version": "1.0.0" + }, + { + "kind": "AnalyticsRule", + "contentId": "[variables('_UserAgentSearch_log4j_AnalyticalRules')]", + "version": "1.0.0" + }, + { + "kind": "HuntingQuery", + "contentId": "[variables('_WAF_log4j_vulnerability_HuntingQueries')]", + "version": "1.0.0" + }, + { + "kind": "HuntingQuery", + "contentId": "[variables('_NetworkConnectionldap_log4j_HuntingQueries')]", + "version": "1.0.0" + }, + { + "kind": "HuntingQuery", + "contentId": "[variables('_Firewall_Disable_Activity_HuntingQueries')]", + "version": "1.0.0" + }, + { + "kind": "HuntingQuery", + "contentId": "[variables('_Apache_log4j_Vulnerability_HuntingQueries')]", + "version": "1.0.0" + }, + { + "kind": "HuntingQuery", + "contentId": "[variables('_Process_Termination_Activity_HuntingQueries')]", + "version": "1.0.0" + }, + { + "kind": "HuntingQuery", + "contentId": "[variables('_Suspicious_ShellScript_Activity_HuntingQueries')]", + "version": "1.0.0" + }, + { + "kind": "HuntingQuery", + "contentId": "[variables('_Base64_Download_Activity_HuntingQueries')]", + "version": "1.0.0" + } + ] + }, + "providers": [ + "Microsoft" + ], + "categories": { + "domains" : ["Application", "Security - Threat Protection", "Security - Vulnerability Management"] + } + }, + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/', variables('_sourceId'))]" + } + ], + "outputs": {} +} diff --git a/Solutions/Apache Log4j Vulnerability Detection/SolutionMetadata.json b/Solutions/Apache Log4j Vulnerability Detection/SolutionMetadata.json new file mode 100644 index 0000000000..bec15dfbc6 --- /dev/null +++ b/Solutions/Apache Log4j Vulnerability Detection/SolutionMetadata.json @@ -0,0 +1,15 @@ +{ + "publisherId": "azuresentinel", + "offerId": "azure-sentinel-solution-apachelog4jvulnerability", + "firstPublishDate": "2021-12-15", + "providers": ["Microsoft"], + "categories": { + "domains" : ["Application", "Security - Threat Protection", "Security - Vulnerability Management"] + }, + "support": { + "tier": "Microsoft", + "email": "support@microsoft.com", + "name": "Microsoft Sentinel, Microsoft Corporation", + "link": "https://support.microsoft.com/" + } +} \ No newline at end of file diff --git a/Solutions/Azure Purview/Analytic Rules/AzurePurviewClassificationAdded.yaml b/Solutions/Azure Purview/Analytic Rules/AzurePurviewClassificationAdded.yaml deleted file mode 100644 index a84d65c4df..0000000000 --- a/Solutions/Azure Purview/Analytic Rules/AzurePurviewClassificationAdded.yaml +++ /dev/null @@ -1,36 +0,0 @@ -id: 8001949e-8039-4e75-b9d2-7d591bcc7026 -name: Social Security Numbers Discovered in the Last 24 Hours -description: | - 'Identifies social security numbers that have been detected on assets - during a scan by Azure Purview. This can indicate an asset that should - be prioritized for protection. (An example is discovering when Social - Security Numbers are found, but the specific classification detected - can be adjusted to best fit the needs of the organization).' -severity: Low -requiredDataConnectors: - - connectorId: MicrosoftAzurePurview - dataTypes: - - PurviewDataSensitivityLogs -queryFrequency: 1d -queryPeriod: 1d -triggerOperator: gt -triggerThreshold: 0 -tactics: - - Discovery -relevantTechniques: - - T1087 -query: | - PurviewDataSensitivityLogs - | where Classification has "Social Security Number" - | where TimeGenerated > ago(24h) -entityMappings: - - entityType: AzureResource - fieldMappings: - - identifier: ResourceId - columnName: SourcePath -customDetails: - AssetName: AssetName - ClassificationCount: ClassificationCount - Classification: Classification -version: 1.0.0 -kind: scheduled \ No newline at end of file diff --git a/Solutions/Azure Purview/Analytic Rules/AzurePurviewConfidentialLabelAdded.yaml b/Solutions/Azure Purview/Analytic Rules/AzurePurviewConfidentialLabelAdded.yaml deleted file mode 100644 index 283a39a699..0000000000 --- a/Solutions/Azure Purview/Analytic Rules/AzurePurviewConfidentialLabelAdded.yaml +++ /dev/null @@ -1,33 +0,0 @@ -id: 3c1178c8-d3d2-459b-9c6e-96d48c29eaaa -name: Assets with a Confidential Label Discovered in the Last 24 Hours -description: | - 'Identifies assets that have a specific label, like Confidential, that - have been discovered during a scan by Azure Purview.' -severity: Low -requiredDataConnectors: - - connectorId: MicrosoftAzurePurview - dataTypes: - - PurviewDataSensitivityLogs -queryFrequency: 1d -queryPeriod: 1d -triggerOperator: gt -triggerThreshold: 0 -tactics: - - Discovery -relevantTechniques: - - T1087 -query: | - PurviewDataSensitivityLogs - | where SensitivityLabelName contains "confidential" - | where TimeGenerated > ago(24h) -entityMappings: - - entityType: AzureResource - fieldMappings: - - identifier: ResourceId - columnName: SourcePath -customDetails: - AssetName: AssetName - ClassificationCount: ClassificationCount - Classification: Classification -version: 1.0.0 -kind: scheduled \ No newline at end of file diff --git a/Solutions/Azure Purview/Analytic Rules/AzurePurviewDataSourceAssetAdded.yaml b/Solutions/Azure Purview/Analytic Rules/AzurePurviewDataSourceAssetAdded.yaml deleted file mode 100644 index db8bbcc207..0000000000 --- a/Solutions/Azure Purview/Analytic Rules/AzurePurviewDataSourceAssetAdded.yaml +++ /dev/null @@ -1,37 +0,0 @@ -id: c60ceb62-942f-4a7c-9eae-c643d5dd2900 -name: Assets with Sensitive Data discovered in Test Data Sources in the Last 24 Hours -description: | - 'Identifies assets with classifications that have been discovered to exist - within a specific data source during a scan by Azure Purview in the last - 24 hours. (An example is discovering assets with source paths that - contain "test", but the source can be adjusted to best fit the needs - of the organization). ' -severity: Low -requiredDataConnectors: - - connectorId: MicrosoftAzurePurview - dataTypes: - - PurviewDataSensitivityLogs -queryFrequency: 1d -queryPeriod: 1d -triggerOperator: gt -triggerThreshold: 0 -tactics: - - Discovery -relevantTechniques: - - T1087 -query: | - PurviewDataSensitivityLogs - | where ClassificationCount != 0 - | where SourcePath contains "test" - | where TimeGenerated > ago(24h) -entityMappings: - - entityType: AzureResource - fieldMappings: - - identifier: ResourceId - columnName: SourcePath -customDetails: - AssetName: AssetName - ClassificationCount: ClassificationCount - Classification: Classification -version: 1.0.0 -kind: scheduled \ No newline at end of file diff --git a/Solutions/Azure Purview/Analytic Rules/AzurePurviewRegionClassificationAdded.yaml b/Solutions/Azure Purview/Analytic Rules/AzurePurviewRegionClassificationAdded.yaml deleted file mode 100644 index a02085eb43..0000000000 --- a/Solutions/Azure Purview/Analytic Rules/AzurePurviewRegionClassificationAdded.yaml +++ /dev/null @@ -1,36 +0,0 @@ -id: 8e5ad39a-ebe0-4503-86fa-e8b2a85ac2e3 -name: Assets with Sensitive Data Discovered in the East US in the Last 24 Hours -description: | - 'Identifies assets containing classifications that have been discovered - to exist in a specific region during a scan by Azure Purview in the last - 24 hours. (An example is discovering assets from the East US, but the - region can be adjusted to best fit the needs of the organization).' -severity: Low -requiredDataConnectors: - - connectorId: MicrosoftAzurePurview - dataTypes: - - PurviewDataSensitivityLogs -queryFrequency: 1d -queryPeriod: 1d -triggerOperator: gt -triggerThreshold: 0 -tactics: - - Discovery -relevantTechniques: - - T1087 -query: | - PurviewDataSensitivityLogs - | where ClassificationCount != 0 - | where SourceRegion == "eastus" - | where TimeGenerated > ago(24h) -entityMappings: - - entityType: AzureResource - fieldMappings: - - identifier: ResourceId - columnName: SourcePath -customDetails: - AssetName: AssetName - ClassificationCount: ClassificationCount - Classification: Classification -version: 1.0.0 -kind: scheduled \ No newline at end of file diff --git a/Solutions/Azure Purview/Analytic Rules/AzurePurviewSensitiveDataDiscovered.yaml b/Solutions/Azure Purview/Analytic Rules/AzurePurviewSensitiveDataDiscovered.yaml new file mode 100644 index 0000000000..6aa58b6ba8 --- /dev/null +++ b/Solutions/Azure Purview/Analytic Rules/AzurePurviewSensitiveDataDiscovered.yaml @@ -0,0 +1,38 @@ +id: 7ae7e8b0-07e9-43cb-b783-b04082f09060 +name: Sensitive Data Discovered in the Last 24 Hours +description: | + 'Identifies all classifications that have been detected on assets during a scan by Azure Purview within the last 24 hours.' +severity: Informational +requiredDataConnectors: + - connectorId: MicrosoftAzurePurview + dataTypes: + - PurviewDataSensitivityLogs +queryFrequency: 1d +queryPeriod: 1d +triggerOperator: gt +triggerThreshold: 0 +tactics: + - Discovery +relevantTechniques: + - T1087 +query: | + PurviewDataSensitivityLogs + | where Classification != "" + | where TimeGenerated > ago(24h) +entityMappings: + - entityType: AzureResource + fieldMappings: + - identifier: ResourceId + columnName: SourcePath +customDetails: + AssetName: AssetName + Classification: Classification + AssetPath: AssetPath + SourceRegion: SourceRegion + PurviewAccount: PurviewAccount + LastScanTime: AssetLastScanTime +alertDetailsOverride: + alertDisplayNameFormat: 'Classifications discovered in {AssetName} by Azure Purview' + alertDescriptionFormat: 'Within the last 24 hours, Azure Purview ({PurviewAccountName}) scanned an asset that contained classifications within {SourceRegion}. The asset name is {AssetName} and the classifications discovered were {Classification}. The asset path is {AssetPath}' +version: 1.0.0 +kind: scheduled \ No newline at end of file diff --git a/Solutions/Azure Purview/Analytic Rules/AzurePurviewSensitiveDataDiscoveredCustom.yaml b/Solutions/Azure Purview/Analytic Rules/AzurePurviewSensitiveDataDiscoveredCustom.yaml new file mode 100644 index 0000000000..1aed4a0648 --- /dev/null +++ b/Solutions/Azure Purview/Analytic Rules/AzurePurviewSensitiveDataDiscoveredCustom.yaml @@ -0,0 +1,40 @@ +id: 79f296d9-e6e4-45dc-9ca7-1770955435fa +name: Sensitive Data Discovered in the Last 24 Hours - Customized +description: | + 'Customized query used to identify specific classifications and parameters that have been discovered on assets in the last 24 hours by Azure Purview. By default, the query identifies Social Security Numbers detected, but the specific classification monitored along with other data fields can be adjusted. A list of supported Azure Purview classifications can be found here: https://docs.microsoft.com/azure/purview/supported-classifications' +severity: Informational +requiredDataConnectors: + - connectorId: MicrosoftAzurePurview + dataTypes: + - PurviewDataSensitivityLogs +queryFrequency: 1d +queryPeriod: 1d +triggerOperator: gt +triggerThreshold: 0 +tactics: + - Discovery +relevantTechniques: + - T1087 +query: | + PurviewDataSensitivityLogs + | where Classification contains "Social Security Number" + //| where SourceRegion == "westeurope" + //| where SourceType contains "Amazon" + | where TimeGenerated > ago(24h) +entityMappings: + - entityType: AzureResource + fieldMappings: + - identifier: ResourceId + columnName: SourcePath +customDetails: + AssetName: AssetName + Classification: Classification + AssetPath: AssetPath + SourceRegion: SourceRegion + PurviewAccount: PurviewAccount + LastScanTime: AssetLastScanTime +alertDetailsOverride: + alertDisplayNameFormat: 'Classifications discovered in {AssetName} by Azure Purview' + alertDescriptionFormat: 'Within the last 24 hours, Azure Purview ({PurviewAccountName}) scanned an asset that contained classifications within {SourceRegion}. The asset name is {AssetName} and the classifications discovered were {Classification}. The asset path is {AssetPath}' +version: 1.0.0 +kind: scheduled \ No newline at end of file diff --git a/Solutions/Azure Purview/Analytic Rules/AzurePurviewSourceTypeAdded.yaml b/Solutions/Azure Purview/Analytic Rules/AzurePurviewSourceTypeAdded.yaml deleted file mode 100644 index 35c3cde273..0000000000 --- a/Solutions/Azure Purview/Analytic Rules/AzurePurviewSourceTypeAdded.yaml +++ /dev/null @@ -1,31 +0,0 @@ -id: f7f30247-04b7-4ef7-afa7-d8d9f36c6a3b -name: Assets from Amazon with Sensitive Data Discovered in the Last 24 Hours -description: | - 'Identifies assets with classifications that have been discovered to exist - in a specific source type during a scan by Azure Purview in the last 24 - hours. (An example is discovering assets from Amazon, but the source type - can be adjusted to best fit the needs of the organization). ' -severity: Low -requiredDataConnectors: - - connectorId: MicrosoftAzurePurview - dataTypes: - - PurviewDataSensitivityLogs -queryFrequency: 24h -queryPeriod: 1d -triggerOperator: gt -triggerThreshold: 0 -tactics: - - Discovery -relevantTechniques: - - T1087 -query: | - PurviewDataSensitivityLogs - | where ClassificationCount != 0 - | where SourceType contains "Amazon" - | where TimeGenerated > ago(24h) -customDetails: - AssetName: AssetName - ClassificationCount: ClassificationCount - Classification: Classification -version: 1.0.0 -kind: scheduled \ No newline at end of file diff --git a/Solutions/Azure Purview/Data Connectors/AzurePurview.json b/Solutions/Azure Purview/Data Connectors/AzurePurview.json index a7b3b43afb..506187f832 100644 --- a/Solutions/Azure Purview/Data Connectors/AzurePurview.json +++ b/Solutions/Azure Purview/Data Connectors/AzurePurview.json @@ -2,7 +2,7 @@ "id": "MicrosoftAzurePurview", "title": "Azure Purview", "publisher": "Microsoft", - "descriptionMarkdown": "Connect to Azure Purview. Azure Purview is a unified data governance service that helps you manage and govern your on-premises, multicloud, and software-as-a-service (SaaS) data. It creates a holistic, up-to-date map of your data landscape with automated data discovery, sensitive data classification, and end-to-end data lineage that empowers you to find valuable and trustworthy data.", + "descriptionMarkdown": "Connect to Azure Purview to enable data sensitivity enrichment of Microsoft Sentinel. Data classification and sensitivity label logs from Azure Purview scans can be ingested and visualized through workbooks, analytical rules, and more.", "graphQueries": [ { "metricName": "Total data received", @@ -38,7 +38,7 @@ "resourceProvider": [ { "provider": "Microsoft.OperationalInsights/workspaces", - "permissionsDisplayText": "read and write permissions are required.", + "permissionsDisplayText": "Azure Purview account Owner or Contributor role to set up Diagnostic Settings. Microsoft Contributor role with write permissions to enable data connector, view workbook, and create analytic rules.", "providerDisplayName": "Workspace", "scope": "Workspace", "requiredPermissions": { diff --git a/Solutions/Azure Purview/Data/Solution_AzurePurview.json b/Solutions/Azure Purview/Data/Solution_AzurePurview.json index 1bc50dc0c3..63fc1e9d9f 100644 --- a/Solutions/Azure Purview/Data/Solution_AzurePurview.json +++ b/Solutions/Azure Purview/Data/Solution_AzurePurview.json @@ -1,8 +1,8 @@ { - "Name": "Azure Purview", + "Name": "Azure Purview Solution", "Author": "Nikhil Tripathi - v-ntripathi@microsoft.com", "Logo": "", - "Description": "Azure Purview is a unified data governance service that helps you manage and govern your on-premises, multicloud, and software-as-a-service (SaaS) data. It creates a holistic, up-to-date map of your data landscape with automated data discovery, sensitive data classification, and end-to-end data lineage that empowers you to find valuable and trustworthy data.", + "Description": "The Azure Purview Solution enables data sensitivity enrichment of Microsoft Sentinel. Data classification and sensitivity label logs from Azure Purview scans are ingested and visualized through workbooks, analytical rules, and more.", "Data Connectors": [ "Data Connectors/AzurePurview.json" ], @@ -10,13 +10,10 @@ "Workbooks/AzurePurview.json" ], "Analytic Rules": [ - "Analytic Rules/AzurePurviewClassificationAdded.yaml", - "Analytic Rules/AzurePurviewConfidentialLabelAdded.yaml", - "Analytic Rules/AzurePurviewDataSourceAssetAdded.yaml", - "Analytic Rules/AzurePurviewRegionClassificationAdded.yaml", - "Analytic Rules/AzurePurviewSourceTypeAdded.yaml" + "Analytic Rules/AzurePurviewSensitiveDataDiscovered.yaml", + "Analytic Rules/AzurePurviewSensitiveDataDiscoveredCustom.yaml" ], "Metadata": "SolutionMetadata.json", "BasePath": "C:\\GitHub\\azure\\Solutions\\Azure Purview", - "Version": "1.0.0" + "Version": "1.0.2" } \ No newline at end of file diff --git a/Solutions/Azure Purview/Package/1.0.2.zip b/Solutions/Azure Purview/Package/1.0.2.zip new file mode 100644 index 0000000000..c38f591a5a Binary files /dev/null and b/Solutions/Azure Purview/Package/1.0.2.zip differ diff --git a/Solutions/Azure Purview/Package/createUiDefinition.json b/Solutions/Azure Purview/Package/createUiDefinition.json index 92c6a33bd1..3236441e3a 100644 --- a/Solutions/Azure Purview/Package/createUiDefinition.json +++ b/Solutions/Azure Purview/Package/createUiDefinition.json @@ -6,7 +6,7 @@ "config": { "isWizard": false, "basics": { - "description": "\n\n**Important:** _This Azure Sentinel Solution is currently in public preview. This feature is provided without a service level agreement, and it's not recommended for production workloads. Certain features might not be supported or might have constrained capabilities. For more information, see [Supplemental Terms of Use for Microsoft Azure Previews](https://azure.microsoft.com/support/legal/preview-supplemental-terms/)._\n\n**Note:** _There may be [known issues](https://aka.ms/sentinelsolutionsknownissues) pertaining to this Solution, please refer to them before installing._\n\nAzure Purview is a unified data governance service that helps you manage and govern your on-premises, multicloud, and software-as-a-service (SaaS) data. It creates a holistic, up-to-date map of your data landscape with automated data discovery, sensitive data classification, and end-to-end data lineage that empowers you to find valuable and trustworthy data.\n\nAzure Sentinel Solutions provide a consolidated way to acquire Azure Sentinel content like data connectors, workbooks, analytics, and automations in your workspace with a single deployment step.\n\n**Data Connectors:** 1, **Workbooks:** 1, **Analytic Rules:** 5\n\n[Learn more about Azure Sentinel](https://aka.ms/azuresentinel) | [Learn more about Solutions](https://aka.ms/azuresentinelsolutionsdoc)", + "description": "\n\n**Important:** _This Microsoft Sentinel Solution is currently in public preview. This feature is provided without a service level agreement, and it's not recommended for production workloads. Certain features might not be supported or might have constrained capabilities. For more information, see [Supplemental Terms of Use for Microsoft Azure Previews](https://azure.microsoft.com/support/legal/preview-supplemental-terms/)._\n\n**Note:** _There may be [known issues](https://aka.ms/sentinelsolutionsknownissues) pertaining to this Solution, please refer to them before installing._\n\nThe Azure Purview Solution enables data sensitivity enrichment of Microsoft Sentinel. Data classification and sensitivity label logs from Azure Purview scans are ingested and visualized through workbooks, analytical rules, and more.\n\nMicrosoft Sentinel Solutions provide a consolidated way to acquire Microsoft Sentinel content like data connectors, workbooks, analytics, and automations in your workspace with a single deployment step.\n\n**Data Connectors:** 1, **Workbooks:** 1, **Analytic Rules:** 2\n\n[Learn more about Microsoft Sentinel](https://aka.ms/azuresentinel) | [Learn more about Solutions](https://aka.ms/azuresentinelsolutionsdoc)", "subscription": { "resourceProviders": [ "Microsoft.OperationsManagement/solutions", @@ -60,7 +60,7 @@ "name": "dataconnectors1-text", "type": "Microsoft.Common.TextBlock", "options": { - "text": "This Solution installs the data connector for Azure Purview. You can get Azure Purview custom log data in your Azure Sentinel workspace. Configure and enable this data connector in the Data Connector gallery after this Solution deploys. This data connector creates custom log table(s) AzureDiagnostics (PurviewDataSensitivityLogs) in your Azure Sentinel / Azure Log Analytics workspace." + "text": "This Solution installs the data connector for Azure Purview Solution. You can get Azure Purview Solution custom log data in your Azure Sentinel workspace. Configure and enable this data connector in the Data Connector gallery after this Solution deploys. This data connector creates custom log table(s) AzureDiagnostics (PurviewDataSensitivityLogs) in your Azure Sentinel / Azure Log Analytics workspace." } }, { @@ -108,7 +108,7 @@ { "name": "workbook1", "type": "Microsoft.Common.Section", - "label": "Azure Purview", + "label": "Azure Purview Solution", "elements": [ { "name": "workbook1-text", @@ -118,7 +118,7 @@ "name": "workbook1-name", "type": "Microsoft.Common.TextBox", "label": "Display Name", - "defaultValue": "Azure Purview", + "defaultValue": "Azure Purview Solution", "toolTip": "Display name for the workbook.", "constraints": { "required": true, @@ -143,7 +143,7 @@ "name": "analytics-text", "type": "Microsoft.Common.TextBlock", "options": { - "text": "This Azure Sentinel Solution installs analytic rules for Azure Purview that you can enable for custom alert generation in Azure Sentinel. These analytic rules will be deployed in disabled mode in the analytics rules gallery of your Azure Sentinel workspace. Configure and enable these rules in the analytic rules gallery after this Solution deploys.", + "text": "This Azure Sentinel Solution installs analytic rules for Azure Purview Solution that you can enable for custom alert generation in Azure Sentinel. These analytic rules will be deployed in disabled mode in the analytics rules gallery of your Azure Sentinel workspace. Configure and enable these rules in the analytic rules gallery after this Solution deploys.", "link": { "label": "Learn more", "uri": "https://docs.microsoft.com/azure/sentinel/tutorial-detect-threats-custom?WT.mc_id=Portal-Microsoft_Azure_CreateUIDef" @@ -153,13 +153,13 @@ { "name": "analytic1", "type": "Microsoft.Common.Section", - "label": "Social Security Numbers Discovered in the Last 24 Hours", + "label": "Sensitive Data Discovered in the Last 24 Hours", "elements": [ { "name": "analytic1-text", "type": "Microsoft.Common.TextBlock", "options": { - "text": "Identifies social security numbers that have been detected on assets \nduring a scan by Azure Purview. This can indicate an asset that should \nbe prioritized for protection. (An example is discovering when Social \nSecurity Numbers are found, but the specific classification detected \ncan be adjusted to best fit the needs of the organization)." + "text": "Identifies all classifications that have been detected on assets during a scan by Azure Purview within the last 24 hours." } } ] @@ -167,55 +167,13 @@ { "name": "analytic2", "type": "Microsoft.Common.Section", - "label": "Assets with a Confidential Label Discovered in the Last 24 Hours", + "label": "Sensitive Data Discovered in the Last 24 Hours - Customized", "elements": [ { "name": "analytic2-text", "type": "Microsoft.Common.TextBlock", "options": { - "text": "Identifies assets that have a specific label, like Confidential, that \nhave been discovered during a scan by Azure Purview." - } - } - ] - }, - { - "name": "analytic3", - "type": "Microsoft.Common.Section", - "label": "Assets with Sensitive Data discovered in Test Data Sources in the Last 24 Hours", - "elements": [ - { - "name": "analytic3-text", - "type": "Microsoft.Common.TextBlock", - "options": { - "text": "Identifies assets with classifications that have been discovered to exist \nwithin a specific data source during a scan by Azure Purview in the last \n24 hours. (An example is discovering assets with source paths that \ncontain \"test\", but the source can be adjusted to best fit the needs\nof the organization). " - } - } - ] - }, - { - "name": "analytic4", - "type": "Microsoft.Common.Section", - "label": "Assets with Sensitive Data Discovered in the East US in the Last 24 Hours", - "elements": [ - { - "name": "analytic4-text", - "type": "Microsoft.Common.TextBlock", - "options": { - "text": "Identifies assets containing classifications that have been discovered\nto exist in a specific region during a scan by Azure Purview in the last\n24 hours. (An example is discovering assets from the East US, but the \nregion can be adjusted to best fit the needs of the organization)." - } - } - ] - }, - { - "name": "analytic5", - "type": "Microsoft.Common.Section", - "label": "Assets from Amazon with Sensitive Data Discovered in the Last 24 Hours", - "elements": [ - { - "name": "analytic5-text", - "type": "Microsoft.Common.TextBlock", - "options": { - "text": "Identifies assets with classifications that have been discovered to exist\nin a specific source type during a scan by Azure Purview in the last 24 \nhours. (An example is discovering assets from Amazon, but the source type \ncan be adjusted to best fit the needs of the organization). " + "text": "Customized query used to identify specific classifications and parameters that have been discovered on assets in the last 24 hours by Azure Purview. By default, the query identifies Social Security Numbers detected, but the specific classification monitored along with other data fields can be adjusted. A list of supported Azure Purview classifications can be found here: https://docs.microsoft.com/azure/purview/supported-classifications" } } ] @@ -224,7 +182,7 @@ } ], "outputs": { - "workspace-location": "[resourceGroup().location]", + "workspace-location": "[first(map(filter(basics('getLAWorkspace').value, (filter) => and(contains(filter.id, toLower(resourceGroup().name)),equals(filter.name,basics('workspace')))), (item) => item.location))]", "location": "[location()]", "workspace": "[basics('workspace')]", "workbook1-name": "[steps('workbooks').workbook1.workbook1-name]" diff --git a/Solutions/Azure Purview/Package/mainTemplate.json b/Solutions/Azure Purview/Package/mainTemplate.json index 7cba7be48b..afb11438e9 100644 --- a/Solutions/Azure Purview/Package/mainTemplate.json +++ b/Solutions/Azure Purview/Package/mainTemplate.json @@ -3,7 +3,7 @@ "contentVersion": "1.0.0.0", "metadata": { "author": "Nikhil Tripathi - v-ntripathi@microsoft.com", - "comments": "Solution template for Azure Purview" + "comments": "Solution template for Azure Purview Solution" }, "parameters": { "location": { @@ -16,10 +16,9 @@ }, "workspace-location": { "type": "string", - "minLength": 1, - "defaultValue": "[parameters('location')]", + "defaultValue": "", "metadata": { - "description": "Region to deploy solution resources" + "description": "[concat('Region to deploy solution resources -- separate from location selection',parameters('location'))]" } }, "workspace": { @@ -31,7 +30,7 @@ }, "connector1-name": { "type": "string", - "defaultValue": "5d0e74e2-7dee-45d6-9812-8a24087ee095" + "defaultValue": "cb84590c-fc3f-4999-acf4-068a1feca3f6" }, "formattedTimeNow": { "type": "string", @@ -50,7 +49,7 @@ }, "workbook1-name": { "type": "string", - "defaultValue": "Azure Purview", + "defaultValue": "Azure Purview Solution", "minLength": 1, "metadata": { "description": "Name for the workbook" @@ -71,30 +70,6 @@ "metadata": { "description": "Unique id for the scheduled alert rule" } - }, - "analytic3-id": { - "type": "string", - "defaultValue": "[newGuid()]", - "minLength": 1, - "metadata": { - "description": "Unique id for the scheduled alert rule" - } - }, - "analytic4-id": { - "type": "string", - "defaultValue": "[newGuid()]", - "minLength": 1, - "metadata": { - "description": "Unique id for the scheduled alert rule" - } - }, - "analytic5-id": { - "type": "string", - "defaultValue": "[newGuid()]", - "minLength": 1, - "metadata": { - "description": "Unique id for the scheduled alert rule" - } } }, "variables": { @@ -106,16 +81,10 @@ "_AzurePurview_workbook": "[variables('AzurePurview_workbook')]", "workbook-source": "[concat(resourceGroup().id, '/providers/Microsoft.OperationalInsights/workspaces/',parameters('workspace'))]", "_workbook-source": "[variables('workbook-source')]", - "AzurePurviewClassificationAdded_AnalyticalRules": "AzurePurviewClassificationAdded_AnalyticalRules", - "_AzurePurviewClassificationAdded_AnalyticalRules": "[variables('AzurePurviewClassificationAdded_AnalyticalRules')]", - "AzurePurviewConfidentialLabelAdded_AnalyticalRules": "AzurePurviewConfidentialLabelAdded_AnalyticalRules", - "_AzurePurviewConfidentialLabelAdded_AnalyticalRules": "[variables('AzurePurviewConfidentialLabelAdded_AnalyticalRules')]", - "AzurePurviewDataSourceAssetAdded_AnalyticalRules": "AzurePurviewDataSourceAssetAdded_AnalyticalRules", - "_AzurePurviewDataSourceAssetAdded_AnalyticalRules": "[variables('AzurePurviewDataSourceAssetAdded_AnalyticalRules')]", - "AzurePurviewRegionClassificationAdded_AnalyticalRules": "AzurePurviewRegionClassificationAdded_AnalyticalRules", - "_AzurePurviewRegionClassificationAdded_AnalyticalRules": "[variables('AzurePurviewRegionClassificationAdded_AnalyticalRules')]", - "AzurePurviewSourceTypeAdded_AnalyticalRules": "AzurePurviewSourceTypeAdded_AnalyticalRules", - "_AzurePurviewSourceTypeAdded_AnalyticalRules": "[variables('AzurePurviewSourceTypeAdded_AnalyticalRules')]", + "AzurePurviewSensitiveDataDiscovered_AnalyticalRules": "AzurePurviewSensitiveDataDiscovered_AnalyticalRules", + "_AzurePurviewSensitiveDataDiscovered_AnalyticalRules": "[variables('AzurePurviewSensitiveDataDiscovered_AnalyticalRules')]", + "AzurePurviewSensitiveDataDiscoveredCustom_AnalyticalRules": "AzurePurviewSensitiveDataDiscoveredCustom_AnalyticalRules", + "_AzurePurviewSensitiveDataDiscoveredCustom_AnalyticalRules": "[variables('AzurePurviewSensitiveDataDiscoveredCustom_AnalyticalRules')]", "sourceId": "azuresentinel.azure-sentinel-solution-azurepurview", "_sourceId": "[variables('sourceId')]" }, @@ -131,7 +100,7 @@ "connectorUiConfig": { "title": "Azure Purview", "publisher": "Microsoft", - "descriptionMarkdown": "Connect to Azure Purview. Azure Purview is a unified data governance service that helps you manage and govern your on-premises, multicloud, and software-as-a-service (SaaS) data. It creates a holistic, up-to-date map of your data landscape with automated data discovery, sensitive data classification, and end-to-end data lineage that empowers you to find valuable and trustworthy data.", + "descriptionMarkdown": "Connect to Azure Purview to enable data sensitivity enrichment of Microsoft Sentinel. Data classification and sensitivity label logs from Azure Purview scans can be ingested and visualized through workbooks, analytical rules, and more.", "graphQueries": [ { "metricName": "Total data received", @@ -167,7 +136,7 @@ "resourceProvider": [ { "provider": "Microsoft.OperationalInsights/workspaces", - "permissionsDisplayText": "read and write permissions are required.", + "permissionsDisplayText": "Azure Purview account Owner or Contributor role to set up Diagnostic Settings. Microsoft Contributor role with write permissions to enable data connector, view workbook, and create analytic rules.", "providerDisplayName": "Workspace", "scope": "Workspace", "requiredPermissions": { @@ -195,7 +164,7 @@ "apiVersion": "2020-02-12", "properties": { "displayName": "[concat(parameters('workbook1-name'), ' - ', parameters('formattedTimeNow'))]", - "serializedData": "{\"version\":\"Notebook/1.0\",\"items\":[{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"parameters\":[{\"id\":\"96f40e28-0b8a-4121-8dda-d32d8a37feb8\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"Time\",\"type\":4,\"isRequired\":true,\"value\":{\"durationMs\":2592000000},\"typeSettings\":{\"selectableValues\":[{\"durationMs\":86400000},{\"durationMs\":604800000},{\"durationMs\":2592000000}]},\"timeContext\":{\"durationMs\":86400000}},{\"id\":\"a5b9cb0c-6219-4782-a10d-1370a8a6edb4\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"PurviewAccount\",\"label\":\"Purview Account\",\"type\":2,\"isRequired\":true,\"multiSelect\":true,\"quote\":\"'\",\"delimiter\":\",\",\"query\":\"PurviewDataSensitivityLogs\\r\\n|distinct PurviewAccountName\",\"typeSettings\":{\"additionalResourceOptions\":[\"value::all\"],\"selectAllValue\":\"All\",\"showDefault\":false},\"timeContext\":{\"durationMs\":2592000000},\"defaultValue\":\"value::all\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},{\"id\":\"ea62a59c-3799-400d-a7af-f0ad14cc46c7\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"Collection\",\"label\":\"Source Collection\",\"type\":2,\"isRequired\":true,\"isGlobal\":true,\"multiSelect\":true,\"quote\":\"'\",\"delimiter\":\",\",\"query\":\"PurviewDataSensitivityLogs\\r\\n| distinct SourceCollectionName \\r\\n| extend Collection = iff(SourceCollectionName == \\\"\\\",\\\"No Collection\\\", SourceCollectionName)\\r\\n| project Collection\",\"typeSettings\":{\"additionalResourceOptions\":[\"value::all\"],\"showDefault\":false},\"defaultValue\":\"value::all\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},{\"id\":\"817265c3-f308-44e0-a24c-33dac7ee2c91\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"DataSource\",\"label\":\"Resource Type\",\"type\":2,\"isRequired\":true,\"multiSelect\":true,\"quote\":\"\",\"delimiter\":\",\",\"query\":\"PurviewDataSensitivityLogs\\r\\n| distinct SourceType \",\"value\":[\"value::all\"],\"typeSettings\":{\"additionalResourceOptions\":[\"value::all\"],\"showDefault\":false},\"timeContext\":{\"durationMs\":2592000000},\"defaultValue\":\"value::all\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"}],\"style\":\"pills\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"name\":\"parameters - 0\"},{\"type\":1,\"content\":{\"json\":\"## Azure Purview\"},\"name\":\"text - 16\"},{\"type\":11,\"content\":{\"version\":\"LinkItem/1.0\",\"style\":\"tabs\",\"links\":[{\"id\":\"07aa10e3-7f8e-47d4-8193-4f09f0f2e51d\",\"cellValue\":\"Tab\",\"linkTarget\":\"parameter\",\"linkLabel\":\"Overview\",\"subTarget\":\"Resources\",\"style\":\"link\",\"linkIsContextBlade\":true},{\"id\":\"4161ebed-a013-48be-a6f9-662d5214ad42\",\"cellValue\":\"Tab\",\"linkTarget\":\"parameter\",\"linkLabel\":\"Classifications\",\"subTarget\":\"Classification\",\"preText\":\"Classifications\",\"style\":\"link\"},{\"id\":\"011fdcda-16fd-4e8f-9547-63b13486a8c3\",\"cellValue\":\"Tab\",\"linkTarget\":\"parameter\",\"linkLabel\":\"Sensitivity Labels\",\"subTarget\":\"Labels\",\"style\":\"link\"}]},\"name\":\"links - 9\"},{\"type\":1,\"content\":{\"json\":\"__Azure Purview__\\r\\n\\r\\nAzure Purview is a unified data governance service that helps you manage and govern your on-prem, multicloud, and software-as-a-service (SaaS) data. It creates a holistic, up-to-date map of your data landscape with automated data discovery, sensitive data classification, and end-to-end data lineage that empowers you to find valuable and trustworthy data. Learn More \\r\\n\\r\\n\",\"style\":\"info\"},\"conditionalVisibility\":{\"parameterName\":\"Tab\",\"comparison\":\"isEqualTo\",\"value\":\"Resources\"},\"name\":\"text - 10 - Copy\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let NumberofSourcesByRegion = PurviewDataSensitivityLogs\\r\\n| where ActivityType == \\\"Classification\\\" \\r\\n| where \\\"{PurviewAccount:label}\\\" == \\\"All\\\" or PurviewAccountName in~ (split(\\\"{PurviewAccount:label}\\\", \\\", \\\"))\\r\\n| where \\\"{DataSource:label}\\\" == \\\"All\\\" or SourceType in~ (split(\\\"{DataSource:label}\\\", \\\", \\\"))\\r\\n| extend CollectionName = iff(SourceCollectionName == \\\"\\\",\\\"No Collection\\\",SourceCollectionName)\\r\\n| where \\\"{Collection:label}\\\" == \\\"All\\\" or CollectionName in~ (split(\\\"{Collection:label}\\\", \\\", \\\"))\\r\\n| distinct SourcePath, SourceRegion\\r\\n| summarize AssetCount = count() by SourceRegion;\\r\\n\\r\\nNumberofSourcesByRegion\",\"size\":0,\"title\":\"Number of Sources by Region\",\"timeContext\":{\"durationMs\":0},\"timeContextFromParameter\":\"Time\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"map\",\"mapSettings\":{\"locInfo\":\"AzureLoc\",\"locInfoColumn\":\"SourceRegion\",\"sizeSettings\":\"AssetCount\",\"sizeAggregation\":\"Sum\",\"legendMetric\":\"AssetCount\",\"legendAggregation\":\"Sum\",\"itemColorSettings\":{\"nodeColorField\":\"AssetCount\",\"colorAggregation\":\"Sum\",\"type\":\"heatmap\",\"heatmapPalette\":\"greenRed\"}}},\"conditionalVisibility\":{\"parameterName\":\"Tab\",\"comparison\":\"isEqualTo\",\"value\":\"Resources\"},\"customWidth\":\"50\",\"name\":\"query - 2\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let allAssets = PurviewDataSensitivityLogs\\r\\n| where ActivityType == \\\"Classification\\\" \\r\\n| where \\\"{PurviewAccount:label}\\\" == \\\"All\\\" or PurviewAccountName in~ (split(\\\"{PurviewAccount:label}\\\", \\\", \\\"))\\r\\n| where SourceType in~ (split(\\\"{DataSource}\\\", \\\",\\\"))\\r\\n| extend CollectionName = iff(SourceCollectionName == \\\"\\\",\\\"No Collection\\\",SourceCollectionName)\\r\\n| where \\\"{Collection:label}\\\" == \\\"All\\\" or CollectionName in~ (split(\\\"{Collection:label}\\\", \\\", \\\"))\\r\\n| distinct AssetPath, SourcePath, SourceType\\r\\n| summarize AssetCount = count() by SourceType;\\r\\n\\r\\nlet classifiedAssets = PurviewDataSensitivityLogs\\r\\n| where ActivityType == \\\"Classification\\\" \\r\\n| where \\\"{PurviewAccount:label}\\\" == \\\"All\\\" or PurviewAccountName in~ (split(\\\"{PurviewAccount:label}\\\", \\\", \\\"))\\r\\n| where SourceType in~ (split(\\\"{DataSource}\\\", \\\",\\\"))\\r\\n| extend CollectionName = iff(SourceCollectionName == \\\"\\\",\\\"No Collection\\\",SourceCollectionName)\\r\\n| where \\\"{Collection:label}\\\" == \\\"All\\\" or CollectionName in~ (split(\\\"{Collection:label}\\\", \\\", \\\"))\\r\\n| mv-expand Classification\\r\\n| where Classification != \\\"\\\"\\r\\n| distinct AssetPath, SourcePath, SourceType\\r\\n| summarize AssetClassifiedCount = count() by SourceType;\\r\\n\\r\\nlet ClassifiedAssetsByResourceType = allAssets\\r\\n| join kind= leftouter classifiedAssets on SourceType\\r\\n| extend ClassifiedPercentage = strcat(round((100.0 * AssetClassifiedCount / AssetCount),2), \\\"%\\\")\\r\\n| extend AssetCount = strcat(AssetCount, \\\" assets found in total\\\")\\r\\n| project SourceType, AssetCount, AssetClassifiedCount, ClassifiedPercentage;\\r\\n\\r\\nClassifiedAssetsByResourceType\",\"size\":0,\"title\":\"Number of Classified Assets Found Based on Resource Type\",\"timeContext\":{\"durationMs\":0},\"timeContextFromParameter\":\"Time\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"tiles\",\"tileSettings\":{\"titleContent\":{\"columnMatch\":\"SourceType\",\"formatter\":16,\"formatOptions\":{\"showIcon\":true}},\"leftContent\":{\"columnMatch\":\"AssetClassifiedCount\",\"formatter\":12,\"formatOptions\":{\"palette\":\"auto\"},\"numberFormat\":{\"unit\":17,\"options\":{\"style\":\"decimal\",\"maximumFractionDigits\":2,\"maximumSignificantDigits\":3},\"emptyValCustomText\":\"0\"}},\"secondaryContent\":{\"columnMatch\":\"AssetCount\"},\"showBorder\":true},\"mapSettings\":{\"locInfo\":\"LatLong\",\"sizeSettings\":\"AssetClassifiedCount\",\"sizeAggregation\":\"Sum\",\"legendMetric\":\"AssetClassifiedCount\",\"legendAggregation\":\"Sum\",\"itemColorSettings\":{\"type\":\"heatmap\",\"colorAggregation\":\"Sum\",\"nodeColorField\":\"AssetClassifiedCount\",\"heatmapPalette\":\"greenRed\"}}},\"conditionalVisibility\":{\"parameterName\":\"Tab\",\"comparison\":\"isEqualTo\",\"value\":\"Resources\"},\"customWidth\":\"50\",\"name\":\"query - 25\"},{\"type\":1,\"content\":{\"json\":\"To use the Asset Drilldown view, select the row of the data source in the Sources table below to get a list of all assets scanned by Purview in that data source. To view the data source within the Azure portal, click on the data source hyperlink in the Sources table. Within the Assets Drilldown, click on the Asset Path hyperlink to view the Details pane.\",\"style\":\"warning\"},\"conditionalVisibility\":{\"parameterName\":\"Tab\",\"comparison\":\"isEqualTo\",\"value\":\"Resources\"},\"name\":\"text - 22\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let allAssets = PurviewDataSensitivityLogs\\r\\n| where ActivityType == \\\"Classification\\\" \\r\\n| where \\\"{PurviewAccount:label}\\\" == \\\"All\\\" or PurviewAccountName in~ (split(\\\"{PurviewAccount:label}\\\", \\\", \\\"))\\r\\n| where SourceType in~ (split(\\\"{DataSource}\\\", \\\",\\\"))\\r\\n| extend CollectionName = iff(SourceCollectionName == \\\"\\\",\\\"No Collection\\\",SourceCollectionName)\\r\\n| where \\\"{Collection:label}\\\" == \\\"All\\\" or CollectionName in~ (split(\\\"{Collection:label}\\\", \\\", \\\"))\\r\\n| distinct AssetPath, SourcePath\\r\\n| summarize AssetCount = count() by DataSource = SourcePath;\\r\\n\\r\\nlet classifiedAssets = PurviewDataSensitivityLogs\\r\\n| where ActivityType == \\\"Classification\\\" \\r\\n| where \\\"{PurviewAccount:label}\\\" == \\\"All\\\" or PurviewAccountName in~ (split(\\\"{PurviewAccount:label}\\\", \\\", \\\"))\\r\\n| where SourceType in~ (split(\\\"{DataSource}\\\", \\\",\\\"))\\r\\n| extend CollectionName = iff(SourceCollectionName == \\\"\\\",\\\"No Collection\\\",SourceCollectionName)\\r\\n| where \\\"{Collection:label}\\\" == \\\"All\\\" or CollectionName in~ (split(\\\"{Collection:label}\\\", \\\", \\\"))\\r\\n| mv-expand Classification\\r\\n| where Classification != \\\"\\\"\\r\\n| distinct AssetPath, SourcePath, SourceType\\r\\n| summarize AssetClassifiedCount = count() by DataSource = SourcePath;\\r\\n\\r\\nlet AssetsDrilldown = allAssets\\r\\n| join kind= leftouter classifiedAssets on DataSource\\r\\n| extend ClassifiedPercentage = round((100.0 * AssetClassifiedCount / AssetCount),1)\\r\\n| project DataSource, AssetCount, AssetClassifiedCount, ClassifiedPercentage;\\r\\n\\r\\nAssetsDrilldown\\r\\n\\r\\n\\r\\n\\r\\n\",\"size\":0,\"showAnalytics\":true,\"title\":\"Sources\",\"timeContext\":{\"durationMs\":2592000000},\"timeContextFromParameter\":\"Time\",\"showRefreshButton\":true,\"exportFieldName\":\"DataSource\",\"exportParameterName\":\"UserSelectedDataSource\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"DataSource\",\"formatter\":0,\"formatOptions\":{\"customColumnWidthSetting\":\"40ch\"}},{\"columnMatch\":\"AssetCount\",\"formatter\":2,\"formatOptions\":{\"customColumnWidthSetting\":\"20ch\"}},{\"columnMatch\":\"AssetClassifiedCount\",\"formatter\":2,\"formatOptions\":{\"customColumnWidthSetting\":\"20ch\"},\"numberFormat\":{\"unit\":0,\"options\":{\"style\":\"decimal\"},\"emptyValCustomText\":\"0\"}},{\"columnMatch\":\"ClassifiedPercentage\",\"formatter\":2,\"formatOptions\":{\"customColumnWidthSetting\":\"20ch\"}}],\"filter\":true,\"labelSettings\":[{\"columnId\":\"DataSource\",\"label\":\"Data Source\"},{\"columnId\":\"AssetCount\",\"label\":\"Total Assets\"},{\"columnId\":\"AssetClassifiedCount\",\"label\":\"Classified Assets\"},{\"columnId\":\"ClassifiedPercentage\",\"label\":\"Classified %\"}]}},\"conditionalVisibility\":{\"parameterName\":\"Tab\",\"comparison\":\"isEqualTo\",\"value\":\"Resources\"},\"customWidth\":\"50\",\"name\":\"query - 8\",\"styleSettings\":{\"showBorder\":true}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"\\r\\nlet classifiedAssets = PurviewDataSensitivityLogs\\r\\n| where ActivityType == \\\"Classification\\\" \\r\\n| where \\\"{PurviewAccount:label}\\\" == \\\"All\\\" or PurviewAccountName in~ (split(\\\"{PurviewAccount:label}\\\", \\\", \\\"))\\r\\n| where SourceType in~ (split(\\\"{DataSource}\\\", \\\",\\\"))\\r\\n| extend CollectionName = iff(SourceCollectionName == \\\"\\\",\\\"No Collection\\\",SourceCollectionName)\\r\\n| where \\\"{Collection:label}\\\" == \\\"All\\\" or CollectionName in~ (split(\\\"{Collection:label}\\\", \\\", \\\"))\\r\\n| where (split(\\\"{UserSelectedDataSource:value}\\\", \\\", \\\")) contains SourcePath\\r\\n| summarize arg_max(TimeGenerated, PurviewTenantId, PurviewSubscriptionId, PurviewAccountName, PurviewRegion, SourceName, SourceType, SourcePath, SourceSubscriptionId, SourceRegion, SourceCollectionName, SourceOwner, AssetName, AssetPath, AssetType, AssetCreationTime, AssetModifiedTime, AssetOwner, AssetLastScanTime, FileExtension, FileSize, ActivityType, ClassificationActivityTrigger = ActivityTrigger, Classification, ClassificationCount, UserId, SensitivityLabelGuid, SensitivityLabelName) by AssetPath \\r\\n| project TimeGenerated, PurviewTenantId, PurviewSubscriptionId, PurviewAccountName, PurviewRegion, SourceName, SourceType, SourcePath, SourceSubscriptionId, SourceRegion, SourceCollectionName, SourceOwner, AssetName, AssetPath, AssetType, AssetCreationTime, AssetModifiedTime, AssetOwner, AssetLastScanTime, FileExtension, FileSize, ActivityType, ClassificationActivityTrigger, Classification, ClassificationCount, SensitivityLabelGuid, SensitivityLabelName, UserId;\\r\\n\\r\\nlet labeledAssets = PurviewDataSensitivityLogs\\r\\n| where ActivityType == \\\"Labeling\\\" \\r\\n| where \\\"{PurviewAccount:label}\\\" == \\\"All\\\" or PurviewAccountName in~ (split(\\\"{PurviewAccount:label}\\\", \\\", \\\"))\\r\\n| where SourceType in~ (split(\\\"{DataSource}\\\", \\\",\\\"))\\r\\n| where SensitivityLabelName != int(null)\\r\\n| extend SensitivityLabel = iif(isempty(SensitivityLabelName), \\\"No Label\\\", SensitivityLabelName)\\r\\n| summarize arg_max(SensitivityLabel, SourceType, ActivityTrigger) by AssetPath\\r\\n| project AssetPath, SensitivityLabel, SensitivityLabelActivityTrigger = ActivityTrigger;\\r\\n\\r\\nlet table = classifiedAssets\\r\\n| join kind= leftouter labeledAssets on AssetPath\\r\\n| project TimeGenerated, PurviewTenantId, PurviewSubscriptionId, PurviewAccountName, PurviewRegion, SourceName, SourceType, SourcePath, SourceSubscriptionId, SourceRegion, SourceCollectionName, SourceOwner, AssetName, AssetPath, AssetType, AssetCreationTime, AssetModifiedTime, AssetOwner, AssetLastScanTime, FileExtension, FileSize, ActivityType, ClassificationActivityTrigger, SensitivityLabelActivityTrigger, Classification, ClassificationCount, SensitivityLabelGuid, SensitivityLabel, UserId\\r\\n| sort by ClassificationCount;\\r\\n\\r\\ntable\\r\\n\\r\\n\\r\\n\\r\\n\\r\\n\\r\\n\\r\\n\\r\\n\",\"size\":0,\"showAnalytics\":true,\"title\":\"Assets Drilldown\",\"timeContext\":{\"durationMs\":0},\"timeContextFromParameter\":\"Time\",\"showRefreshButton\":true,\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"table\",\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"TimeGenerated\",\"formatter\":5},{\"columnMatch\":\"PurviewTenantId\",\"formatter\":5},{\"columnMatch\":\"PurviewSubscriptionId\",\"formatter\":5},{\"columnMatch\":\"PurviewAccountName\",\"formatter\":5},{\"columnMatch\":\"PurviewRegion\",\"formatter\":5},{\"columnMatch\":\"SourceName\",\"formatter\":5},{\"columnMatch\":\"SourceType\",\"formatter\":5},{\"columnMatch\":\"SourcePath\",\"formatter\":5},{\"columnMatch\":\"SourceSubscriptionId\",\"formatter\":5},{\"columnMatch\":\"SourceRegion\",\"formatter\":5},{\"columnMatch\":\"SourceCollectionName\",\"formatter\":5},{\"columnMatch\":\"SourceOwner\",\"formatter\":5},{\"columnMatch\":\"AssetName\",\"formatter\":5},{\"columnMatch\":\"AssetPath\",\"formatter\":7,\"formatOptions\":{\"linkTarget\":\"GenericDetails\",\"linkIsContextBlade\":true,\"customColumnWidthSetting\":\"60ch\"}},{\"columnMatch\":\"AssetType\",\"formatter\":5},{\"columnMatch\":\"AssetCreationTime\",\"formatter\":5},{\"columnMatch\":\"AssetModifiedTime\",\"formatter\":5},{\"columnMatch\":\"AssetOwner\",\"formatter\":5},{\"columnMatch\":\"AssetLastScanTime\",\"formatter\":5},{\"columnMatch\":\"FileExtension\",\"formatter\":5},{\"columnMatch\":\"FileSize\",\"formatter\":5},{\"columnMatch\":\"ClassificationActivityTrigger\",\"formatter\":5},{\"columnMatch\":\"SensitivityLabelActivityTrigger\",\"formatter\":5},{\"columnMatch\":\"Classification\",\"formatter\":5},{\"columnMatch\":\"ClassificationCount\",\"formatter\":4,\"formatOptions\":{\"palette\":\"blue\"}},{\"columnMatch\":\"SensitivityLabelGuid\",\"formatter\":5},{\"columnMatch\":\"UserId\",\"formatter\":5},{\"columnMatch\":\"ActivityTrigger\",\"formatter\":5},{\"columnMatch\":\"SensitivityLabelName\",\"formatter\":5,\"formatOptions\":{\"customColumnWidthSetting\":\"25ch\"}}],\"filter\":true,\"labelSettings\":[{\"columnId\":\"TimeGenerated\"},{\"columnId\":\"PurviewTenantId\"},{\"columnId\":\"PurviewSubscriptionId\"},{\"columnId\":\"PurviewAccountName\"},{\"columnId\":\"PurviewRegion\"},{\"columnId\":\"SourceName\"},{\"columnId\":\"SourceType\"},{\"columnId\":\"SourcePath\"},{\"columnId\":\"SourceSubscriptionId\"},{\"columnId\":\"SourceRegion\"},{\"columnId\":\"SourceCollectionName\"},{\"columnId\":\"AssetName\"},{\"columnId\":\"AssetPath\",\"label\":\"Asset Path\"},{\"columnId\":\"AssetType\"},{\"columnId\":\"AssetModifiedTime\"},{\"columnId\":\"AssetLastScanTime\"},{\"columnId\":\"FileExtension\"},{\"columnId\":\"FileSize\"},{\"columnId\":\"ActivityType\"},{\"columnId\":\"Classification\"},{\"columnId\":\"ClassificationCount\",\"label\":\"Classification Count\"}]}},\"conditionalVisibility\":{\"parameterName\":\"Tab\",\"comparison\":\"isEqualTo\",\"value\":\"Resources\"},\"customWidth\":\"50\",\"name\":\"query - 9\",\"styleSettings\":{\"showBorder\":true}},{\"type\":1,\"content\":{\"json\":\"__Classifications__\\r\\n\\r\\nClassifications within Azure Purview display which sensitive information resides within your organization. A list of supported classifications can be found at Sensitive Information Type Entity Definitions. \\r\\n\\r\\n\",\"style\":\"info\"},\"conditionalVisibility\":{\"parameterName\":\"Tab\",\"comparison\":\"isEqualTo\",\"value\":\"Classification\"},\"name\":\"text - 10\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let TopClassifications = PurviewDataSensitivityLogs\\r\\n| where ActivityType == \\\"Classification\\\" \\r\\n| where \\\"{PurviewAccount:label}\\\" == \\\"All\\\" or PurviewAccountName in~ (split(\\\"{PurviewAccount:label}\\\", \\\", \\\"))\\r\\n| where \\\"{DataSource:label}\\\" == \\\"All\\\" or SourceType in~ (split(\\\"{DataSource:label}\\\", \\\", \\\"))\\r\\n| extend CollectionName = iff(SourceCollectionName == \\\"\\\",\\\"No Collection\\\",SourceCollectionName)\\r\\n| where \\\"{Collection:label}\\\" == \\\"All\\\" or CollectionName in~ (split(\\\"{Collection:label}\\\", \\\", \\\"))\\r\\n| summarize arg_max(TimeGenerated, Classification, FileSize, AssetType) by AssetPath \\r\\n| extend classifications = split(Classification, ',')\\r\\n| mv-expand classifications\\r\\n| extend Classification = trim(@\\\"[^\\\\w]+\\\", tostring(classifications))\\r\\n| where Classification != \\\"\\\"\\r\\n| distinct AssetPath, Classification\\r\\n| summarize AssetCount = count() by Classification \\r\\n| top 5 by AssetCount;\\r\\n\\r\\nTopClassifications\\r\\n\",\"size\":0,\"title\":\"Top Classifications\",\"timeContext\":{\"durationMs\":2592000000},\"timeContextFromParameter\":\"Time\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"barchart\",\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"SourceType_s\",\"formatter\":1},{\"columnMatch\":\"AssetCount\",\"formatter\":4,\"formatOptions\":{\"palette\":\"blue\"}}]},\"tileSettings\":{\"titleContent\":{\"columnMatch\":\"Classification\",\"formatter\":1},\"leftContent\":{\"columnMatch\":\"AssetCount\",\"formatter\":12,\"formatOptions\":{\"palette\":\"auto\"},\"numberFormat\":{\"unit\":17,\"options\":{\"maximumSignificantDigits\":3,\"maximumFractionDigits\":2}}},\"showBorder\":false,\"sortCriteriaField\":\"AssetCount\",\"sortOrderField\":2,\"size\":\"auto\"},\"graphSettings\":{\"type\":0,\"topContent\":{\"columnMatch\":\"Classification\",\"formatter\":1},\"centerContent\":{\"columnMatch\":\"AssetCount\",\"formatter\":1,\"numberFormat\":{\"unit\":17,\"options\":{\"maximumSignificantDigits\":3,\"maximumFractionDigits\":2}}}},\"chartSettings\":{\"yAxis\":[\"AssetCount\"],\"showLegend\":true},\"mapSettings\":{\"locInfo\":\"LatLong\",\"sizeSettings\":\"AssetCount\",\"sizeAggregation\":\"Sum\",\"legendMetric\":\"AssetCount\",\"legendAggregation\":\"Sum\",\"itemColorSettings\":{\"type\":\"heatmap\",\"colorAggregation\":\"Sum\",\"nodeColorField\":\"AssetCount\",\"heatmapPalette\":\"greenRed\"}}},\"conditionalVisibility\":{\"parameterName\":\"Tab\",\"comparison\":\"isEqualTo\",\"value\":\"Classification\"},\"customWidth\":\"50\",\"name\":\"query - 7 - Copy\",\"styleSettings\":{\"showBorder\":true}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let TopClassifiedAssets = PurviewDataSensitivityLogs\\r\\n| where ActivityType == \\\"Classification\\\" \\r\\n| where \\\"{PurviewAccount:label}\\\" == \\\"All\\\" or PurviewAccountName in~ (split(\\\"{PurviewAccount:label}\\\", \\\", \\\"))\\r\\n| where \\\"{DataSource:label}\\\" == \\\"All\\\" or SourceType in~ (split(\\\"{DataSource:label}\\\", \\\", \\\"))\\r\\n| extend CollectionName = iff(SourceCollectionName == \\\"\\\",\\\"No Collection\\\",SourceCollectionName)\\r\\n| where \\\"{Collection:label}\\\" == \\\"All\\\" or CollectionName in~ (split(\\\"{Collection:label}\\\", \\\", \\\"))\\r\\n| summarize arg_max(TimeGenerated, Classification, ClassificationCount, AssetName, AssetType, AssetPath, FileExtension, FileSize, SourceType, SourcePath) by AssetPath \\r\\n| project AssetPath, SourcePath, ClassificationCount\\r\\n| top 4 by ClassificationCount;\\r\\n\\r\\nTopClassifiedAssets\",\"size\":0,\"title\":\"Top Assets with Classifications\",\"timeContext\":{\"durationMs\":2592000000},\"timeContextFromParameter\":\"Time\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"tiles\",\"tileSettings\":{\"titleContent\":{\"columnMatch\":\"SourcePath\",\"formatter\":13,\"formatOptions\":{\"showIcon\":true}},\"subtitleContent\":{\"columnMatch\":\"AssetPath\"},\"leftContent\":{\"columnMatch\":\"ClassificationCount\",\"formatter\":12,\"formatOptions\":{\"palette\":\"auto\"},\"numberFormat\":{\"unit\":17,\"options\":{\"style\":\"decimal\",\"maximumFractionDigits\":2,\"maximumSignificantDigits\":3}}},\"showBorder\":true,\"size\":\"full\"}},\"conditionalVisibility\":{\"parameterName\":\"Tab\",\"comparison\":\"isEqualTo\",\"value\":\"Classification\"},\"customWidth\":\"50\",\"name\":\"query - 19\"},{\"type\":1,\"content\":{\"json\":\"To use the Classifications Drilldown view, select a Classification in the Classifications table below to get a list all assets scanned by Purview with that classification. Within the Classifications Drilldown, click on the Asset Path hyperlink to view the Details pane.\",\"style\":\"warning\"},\"conditionalVisibility\":{\"parameterName\":\"Tab\",\"comparison\":\"isEqualTo\",\"value\":\"Classification\"},\"name\":\"text - 22 - Copy - Copy\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let Classifications = PurviewDataSensitivityLogs\\r\\n| where ActivityType == \\\"Classification\\\"\\r\\n| where \\\"{PurviewAccount:label}\\\" == \\\"All\\\" or PurviewAccountName in~ (split(\\\"{PurviewAccount:label}\\\", \\\", \\\"))\\r\\n| where \\\"{DataSource:label}\\\" == \\\"All\\\" or SourceType in~ (split(\\\"{DataSource:label}\\\", \\\", \\\"))\\r\\n| extend CollectionName = iff(SourceCollectionName == \\\"\\\",\\\"No Collection\\\",SourceCollectionName)\\r\\n| where \\\"{Collection:label}\\\" == \\\"All\\\" or CollectionName in~ (split(\\\"{Collection:label}\\\", \\\", \\\"))\\r\\n| summarize arg_max(TimeGenerated, Classification, FileSize, AssetType) by AssetPath \\r\\n| extend classifications = split(Classification, ',')\\r\\n| mv-expand classifications\\r\\n| extend Classification = trim(@\\\"[^\\\\w]+\\\", tostring(classifications))\\r\\n| where Classification != \\\"\\\"\\r\\n| summarize FileSize = round(sum(FileSize)/1000000,2), AssetCount = count() by Classification\\r\\n| project Classification, FileSize, AssetCount;\\r\\n\\r\\nClassifications\\r\\n\\r\\n\\r\\n\\r\\n\\r\\n\\r\\n\\r\\n\\r\\n\\r\\n\\r\\n\\r\\n\\r\\n\",\"size\":0,\"showAnalytics\":true,\"title\":\"Classifications\",\"timeContext\":{\"durationMs\":0},\"timeContextFromParameter\":\"Time\",\"showRefreshButton\":true,\"exportFieldName\":\"Classification\",\"exportParameterName\":\"UserSelectedClassification\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"table\",\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"Classification\",\"formatter\":0,\"formatOptions\":{\"customColumnWidthSetting\":\"50ch\"}},{\"columnMatch\":\"FileSize\",\"formatter\":8,\"formatOptions\":{\"palette\":\"blue\",\"customColumnWidthSetting\":\"25ch\"}},{\"columnMatch\":\"AssetCount\",\"formatter\":4,\"formatOptions\":{\"palette\":\"blue\",\"customColumnWidthSetting\":\"25ch\"}}],\"filter\":true,\"sortBy\":[{\"itemKey\":\"$gen_bar_AssetCount_2\",\"sortOrder\":2}],\"labelSettings\":[{\"columnId\":\"Classification\"},{\"columnId\":\"FileSize\",\"label\":\"Total Size of Files (MB)\"},{\"columnId\":\"AssetCount\",\"label\":\"Classified Asset Count\"}]},\"sortBy\":[{\"itemKey\":\"$gen_bar_AssetCount_2\",\"sortOrder\":2}],\"tileSettings\":{\"showBorder\":false,\"titleContent\":{\"columnMatch\":\"Classification\",\"formatter\":1},\"leftContent\":{\"columnMatch\":\"Size\",\"formatter\":12,\"formatOptions\":{\"palette\":\"auto\"},\"numberFormat\":{\"unit\":17,\"options\":{\"maximumSignificantDigits\":3,\"maximumFractionDigits\":2}}}}},\"conditionalVisibility\":{\"parameterName\":\"Tab\",\"comparison\":\"isEqualTo\",\"value\":\"Classification\"},\"customWidth\":\"50\",\"name\":\"query - 4 - Copy\",\"styleSettings\":{\"showBorder\":true}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let ClassificationsDrilldown = PurviewDataSensitivityLogs\\r\\n| where ActivityType == \\\"Classification\\\" \\r\\n| where \\\"{PurviewAccount:label}\\\" == \\\"All\\\" or PurviewAccountName in~ (split(\\\"{PurviewAccount:label}\\\", \\\", \\\"))\\r\\n| where \\\"{DataSource:label}\\\" == \\\"All\\\" or SourceType in~ (split(\\\"{DataSource:label}\\\", \\\", \\\"))\\r\\n| extend CollectionName = iff(SourceCollectionName == \\\"\\\",\\\"No Collection\\\",SourceCollectionName)\\r\\n| where \\\"{Collection:label}\\\" == \\\"All\\\" or CollectionName in~ (split(\\\"{Collection:label}\\\", \\\", \\\"))\\r\\n| extend classifications = split(Classification, ',')\\r\\n| mv-expand classifications\\r\\n| extend Classification = trim(@\\\"[^\\\\w]+\\\", tostring(classifications))\\r\\n| where Classification != \\\"\\\"\\r\\n| where (split(\\\"{UserSelectedClassification:label}\\\", \\\", \\\")) contains Classification\\r\\n| summarize arg_max(TimeGenerated, PurviewTenantId, PurviewSubscriptionId, PurviewAccountName, PurviewRegion, SourceName, SourceType, SourcePath, SourceSubscriptionId, SourceRegion, SourceCollectionName, SourceOwner, AssetName, AssetPath, AssetType, AssetCreationTime, AssetModifiedTime, AssetOwner, AssetLastScanTime, FileExtension, FileSize, ActivityType, ActivityTrigger, Classification, ClassificationCount, SensitivityLabelGuid, SensitivityLabelName, UserId) by AssetPath \\r\\n| project TimeGenerated, PurviewTenantId, PurviewSubscriptionId, PurviewAccountName, PurviewRegion, SourceName, SourceType, SourcePath, SourceSubscriptionId, SourceRegion, SourceCollectionName, SourceOwner, AssetName, AssetPath, AssetType, AssetCreationTime, AssetModifiedTime, AssetOwner, AssetLastScanTime, FileExtension, FileSize, ActivityType, ActivityTrigger, Classification, ClassificationCount, SensitivityLabelGuid, SensitivityLabelName, UserId;\\r\\n\\r\\nClassificationsDrilldown\\r\\n\\r\\n\\r\\n\\r\\n\\r\\n\\r\\n\\r\\n\\r\\n\\r\\n\",\"size\":0,\"showAnalytics\":true,\"title\":\"Classifications Drilldown- Asset Level\",\"timeContext\":{\"durationMs\":2592000000},\"timeContextFromParameter\":\"Time\",\"showRefreshButton\":true,\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"TimeGenerated\",\"formatter\":5},{\"columnMatch\":\"PurviewTenantId\",\"formatter\":5},{\"columnMatch\":\"PurviewSubscriptionId\",\"formatter\":5},{\"columnMatch\":\"PurviewAccountName\",\"formatter\":5},{\"columnMatch\":\"PurviewRegion\",\"formatter\":5},{\"columnMatch\":\"SourceName\",\"formatter\":5},{\"columnMatch\":\"SourceType\",\"formatter\":5},{\"columnMatch\":\"SourcePath\",\"formatter\":5},{\"columnMatch\":\"SourceSubscriptionId\",\"formatter\":5},{\"columnMatch\":\"SourceRegion\",\"formatter\":5},{\"columnMatch\":\"SourceCollectionName\",\"formatter\":5},{\"columnMatch\":\"SourceOwner\",\"formatter\":5},{\"columnMatch\":\"AssetName\",\"formatter\":5},{\"columnMatch\":\"AssetPath\",\"formatter\":7,\"formatOptions\":{\"linkTarget\":\"GenericDetails\",\"linkIsContextBlade\":true,\"customColumnWidthSetting\":\"70ch\"}},{\"columnMatch\":\"AssetType\",\"formatter\":5},{\"columnMatch\":\"AssetCreationTime\",\"formatter\":5},{\"columnMatch\":\"AssetModifiedTime\",\"formatter\":5},{\"columnMatch\":\"AssetOwner\",\"formatter\":5},{\"columnMatch\":\"AssetLastScanTime\",\"formatter\":0,\"formatOptions\":{\"customColumnWidthSetting\":\"30ch\"}},{\"columnMatch\":\"FileExtension\",\"formatter\":5},{\"columnMatch\":\"FileSize\",\"formatter\":5},{\"columnMatch\":\"ActivityType\",\"formatter\":5},{\"columnMatch\":\"ActivityTrigger\",\"formatter\":5},{\"columnMatch\":\"Classification\",\"formatter\":5},{\"columnMatch\":\"SensitivityLabelGuid\",\"formatter\":5},{\"columnMatch\":\"SensitivityLabelName\",\"formatter\":5},{\"columnMatch\":\"UserId\",\"formatter\":5}],\"filter\":true}},\"conditionalVisibility\":{\"parameterName\":\"Tab\",\"comparison\":\"isEqualTo\",\"value\":\"Classification\"},\"customWidth\":\"50\",\"name\":\"query - 10\",\"styleSettings\":{\"showBorder\":true}},{\"type\":1,\"content\":{\"json\":\"__Sensitivity Labels__\\r\\n\\r\\nSensitivity Labels let you classify your organization's data in order to highlight which resources contain sensitive information. Labels can be set up through Security and Compliance Center and applied in Azure Purview. Learn More \",\"style\":\"info\"},\"conditionalVisibility\":{\"parameterName\":\"Tab\",\"comparison\":\"isEqualTo\",\"value\":\"Labels\"},\"name\":\"text - 12\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let SensitivityLabelsCount = PurviewDataSensitivityLogs\\r\\n| where ActivityType == \\\"Labeling\\\" \\r\\n| where \\\"{PurviewAccount:label}\\\" == \\\"All\\\" or PurviewAccountName in~ (split(\\\"{PurviewAccount:label}\\\", \\\", \\\"))\\r\\n| where \\\"{DataSource:label}\\\" == \\\"All\\\" or SourceType in~ (split(\\\"{DataSource:label}\\\", \\\", \\\"))\\r\\n| extend CollectionName = iff(SourceCollectionName == \\\"\\\",\\\"No Collection\\\",SourceCollectionName)\\r\\n| where \\\"{Collection:label}\\\" == \\\"All\\\" or CollectionName in~ (split(\\\"{Collection:label}\\\", \\\", \\\"))\\r\\n| where SensitivityLabelName != \\\"\\\"\\r\\n| summarize arg_max(SensitivityLabelName, SourceType) by AssetPath \\r\\n| summarize LabelCount = count() by SensitivityLabelName, SourceType;\\r\\n\\r\\nSensitivityLabelsCount\",\"size\":0,\"title\":\"Sensitivity Labels Count\",\"timeContext\":{\"durationMs\":2592000000},\"timeContextFromParameter\":\"Time\",\"exportFieldName\":\"SensitivityLabelName\",\"exportParameterName\":\"UserSelectedLabel\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"barchart\",\"tileSettings\":{\"showBorder\":false,\"titleContent\":{\"columnMatch\":\"SensitivityLabelName\",\"formatter\":1},\"leftContent\":{\"columnMatch\":\"LabelCount\",\"formatter\":12,\"formatOptions\":{\"palette\":\"auto\"},\"numberFormat\":{\"unit\":17,\"options\":{\"maximumSignificantDigits\":3,\"maximumFractionDigits\":2}}}}},\"conditionalVisibility\":{\"parameterName\":\"Tab\",\"comparison\":\"isEqualTo\",\"value\":\"Labels\"},\"customWidth\":\"50\",\"name\":\"query - 14\",\"styleSettings\":{\"showBorder\":true}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let LabelPercentage = PurviewDataSensitivityLogs\\r\\n| where ActivityType == \\\"Labeling\\\"\\r\\n| where \\\"{PurviewAccount:label}\\\" == \\\"All\\\" or PurviewAccountName in~ (split(\\\"{PurviewAccount:label}\\\", \\\", \\\"))\\r\\n| where \\\"{DataSource:label}\\\" == \\\"All\\\" or SourceType in~ (split(\\\"{DataSource:label}\\\", \\\", \\\"))\\r\\n| extend CollectionName = iff(SourceCollectionName == \\\"\\\",\\\"No Collection\\\",SourceCollectionName)\\r\\n| where \\\"{Collection:label}\\\" == \\\"All\\\" or CollectionName in~ (split(\\\"{Collection:label}\\\", \\\", \\\"))\\r\\n| summarize arg_max(AssetName, SensitivityLabelName, SourceType) by AssetPath \\r\\n| summarize LabelCount = count() by SensitivityLabelName, SourceType;\\r\\n\\r\\nLabelPercentage;\\r\\n\",\"size\":3,\"title\":\"Percentage of Labels Applied\",\"timeContext\":{\"durationMs\":2592000000},\"timeContextFromParameter\":\"Time\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"piechart\",\"tileSettings\":{\"showBorder\":false,\"titleContent\":{\"columnMatch\":\"SensitivityLabelName_s\",\"formatter\":1},\"leftContent\":{\"columnMatch\":\"LabelCount\",\"formatter\":12,\"formatOptions\":{\"palette\":\"auto\"},\"numberFormat\":{\"unit\":17,\"options\":{\"maximumSignificantDigits\":3,\"maximumFractionDigits\":2}}}},\"graphSettings\":{\"type\":0,\"topContent\":{\"columnMatch\":\"SensitivityLabelName_s\",\"formatter\":1},\"centerContent\":{\"columnMatch\":\"LabelCount\",\"formatter\":1,\"numberFormat\":{\"unit\":17,\"options\":{\"maximumSignificantDigits\":3,\"maximumFractionDigits\":2}}}},\"chartSettings\":{\"yAxis\":[\"LabelCount\"],\"seriesLabelSettings\":[{\"seriesName\":\"\",\"label\":\"No Label\",\"color\":\"gray\"},{\"seriesName\":\"General\",\"color\":\"blue\"}],\"ySettings\":{\"numberFormatSettings\":{\"unit\":0,\"options\":{\"style\":\"decimal\",\"useGrouping\":true}}}},\"mapSettings\":{\"locInfo\":\"LatLong\",\"sizeSettings\":\"LabelCount\",\"sizeAggregation\":\"Sum\",\"legendMetric\":\"LabelCount\",\"legendAggregation\":\"Sum\",\"itemColorSettings\":{\"type\":\"heatmap\",\"colorAggregation\":\"Sum\",\"nodeColorField\":\"LabelCount\",\"heatmapPalette\":\"greenRed\"}}},\"conditionalVisibility\":{\"parameterName\":\"Tab\",\"comparison\":\"isEqualTo\",\"value\":\"Labels\"},\"customWidth\":\"50\",\"name\":\"query - 11\",\"styleSettings\":{\"padding\":\"20\",\"showBorder\":true}},{\"type\":1,\"content\":{\"json\":\"To use the Sensitivity Labels Drilldown view, select a Sensitivity Label in the table below to get a list all assets scanned by Purview with that label. Within the Asset Level Drilldown, click on the Asset Path hyperlink to view the Details pane.\",\"style\":\"warning\"},\"conditionalVisibility\":{\"parameterName\":\"Tab\",\"comparison\":\"isEqualTo\",\"value\":\"Labels\"},\"name\":\"text - 22 - Copy\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let SensitivityLabels = PurviewDataSensitivityLogs\\r\\n| where ActivityType == \\\"Labeling\\\" \\r\\n| where \\\"{PurviewAccount:label}\\\" == \\\"All\\\" or PurviewAccountName in~ (split(\\\"{PurviewAccount:label}\\\", \\\", \\\"))\\r\\n| where \\\"{DataSource:label}\\\" == \\\"All\\\" or SourceType in~ (split(\\\"{DataSource:label}\\\", \\\", \\\"))\\r\\n| extend CollectionName = iff(SourceCollectionName == \\\"\\\",\\\"No Collection\\\",SourceCollectionName)\\r\\n| where \\\"{Collection:label}\\\" == \\\"All\\\" or CollectionName in~ (split(\\\"{Collection:label}\\\", \\\", \\\"))\\r\\n| extend newSensitivityLabelName = iff(SensitivityLabelName == \\\"\\\", \\\"No Label\\\", SensitivityLabelName)\\r\\n| summarize arg_max(newSensitivityLabelName, SourceType, FileSize) by AssetPath \\r\\n| summarize FileSize = round(sum(FileSize)/1000000,2), AssetCount = count() by newSensitivityLabelName\\r\\n| sort by AssetCount;\\r\\n\\r\\nSensitivityLabels\",\"size\":0,\"showAnalytics\":true,\"title\":\"Sensitivity Labels\",\"timeContext\":{\"durationMs\":2592000000},\"timeContextFromParameter\":\"Time\",\"showRefreshButton\":true,\"exportFieldName\":\"newSensitivityLabelName\",\"exportParameterName\":\"UserSelectedLabel\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"table\",\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"SensitivityLabelName\",\"formatter\":1,\"formatOptions\":{\"customColumnWidthSetting\":\"60ch\"}},{\"columnMatch\":\"FileSize\",\"formatter\":8,\"formatOptions\":{\"palette\":\"blue\",\"customColumnWidthSetting\":\"20ch\"}},{\"columnMatch\":\"Count\",\"formatter\":4,\"formatOptions\":{\"palette\":\"blue\",\"customColumnWidthSetting\":\"20ch\"}}],\"filter\":true,\"labelSettings\":[{\"columnId\":\"newSensitivityLabelName\",\"label\":\"Label\"},{\"columnId\":\"FileSize\",\"label\":\"Total Size of Files (MB)\"},{\"columnId\":\"AssetCount\",\"label\":\"Asset Count\"}]},\"tileSettings\":{\"showBorder\":false,\"titleContent\":{\"columnMatch\":\"SensitivityLabelName\",\"formatter\":1},\"leftContent\":{\"columnMatch\":\"LabelCount\",\"formatter\":12,\"formatOptions\":{\"palette\":\"auto\"},\"numberFormat\":{\"unit\":17,\"options\":{\"maximumSignificantDigits\":3,\"maximumFractionDigits\":2}}}}},\"conditionalVisibility\":{\"parameterName\":\"Tab\",\"comparison\":\"isEqualTo\",\"value\":\"Labels\"},\"customWidth\":\"50\",\"name\":\"query - 14 - Copy\",\"styleSettings\":{\"showBorder\":true}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let labelDrilldown = PurviewDataSensitivityLogs\\r\\n| where ActivityType == \\\"Labeling\\\" \\r\\n| where \\\"{PurviewAccount:label}\\\" == \\\"All\\\" or PurviewAccountName in~ (split(\\\"{PurviewAccount:label}\\\", \\\", \\\"))\\r\\n| where \\\"{DataSource:label}\\\" == \\\"All\\\" or SourceType in~ (split(\\\"{DataSource:label}\\\", \\\", \\\"))\\r\\n| extend CollectionName = iff(SourceCollectionName == \\\"\\\",\\\"No Collection\\\",SourceCollectionName)\\r\\n| where \\\"{Collection:label}\\\" == \\\"All\\\" or CollectionName in~ (split(\\\"{Collection:label}\\\", \\\", \\\"))\\r\\n| extend SensitivityLabel = iif(isempty(SensitivityLabelName), \\\"No Label\\\", SensitivityLabelName)\\r\\n| where (split(\\\"{UserSelectedLabel:label}\\\", \\\", \\\")) contains SensitivityLabel\\r\\n| summarize arg_max(TimeGenerated, PurviewTenantId, PurviewSubscriptionId, PurviewAccountName, PurviewRegion, SourceName, SourceType, SourcePath, SourceSubscriptionId, SourceRegion, SourceCollectionName, SourceOwner, AssetName, AssetPath, AssetType, AssetCreationTime, AssetModifiedTime, AssetOwner, AssetLastScanTime, FileExtension, FileSize, ActivityType, ActivityTrigger, Classification, ClassificationCount, SensitivityLabelGuid, SensitivityLabel, UserId) by AssetPath \\r\\n| project TimeGenerated, PurviewTenantId, PurviewSubscriptionId, PurviewAccountName, PurviewRegion, SourceName, SourceType, SourcePath, SourceSubscriptionId, SourceRegion, SourceCollectionName, SourceOwner, AssetName, AssetPath, AssetType, AssetCreationTime, AssetModifiedTime, AssetOwner, AssetLastScanTime, FileExtension, FileSize, ActivityType, ActivityTrigger, Classification, ClassificationCount, SensitivityLabelGuid, SensitivityLabel, UserId;\\r\\n\\r\\nlabelDrilldown\",\"size\":0,\"showAnalytics\":true,\"title\":\"Sensitivity Labels Drilldown- Asset Level\",\"timeContext\":{\"durationMs\":2592000000},\"timeContextFromParameter\":\"Time\",\"showRefreshButton\":true,\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"TimeGenerated\",\"formatter\":5},{\"columnMatch\":\"PurviewTenantId\",\"formatter\":5},{\"columnMatch\":\"PurviewSubscriptionId\",\"formatter\":5},{\"columnMatch\":\"PurviewAccountName\",\"formatter\":5},{\"columnMatch\":\"PurviewRegion\",\"formatter\":5},{\"columnMatch\":\"SourceName\",\"formatter\":5},{\"columnMatch\":\"SourceType\",\"formatter\":5},{\"columnMatch\":\"SourcePath\",\"formatter\":5},{\"columnMatch\":\"SourceSubscriptionId\",\"formatter\":5},{\"columnMatch\":\"SourceRegion\",\"formatter\":5},{\"columnMatch\":\"SourceCollectionName\",\"formatter\":5},{\"columnMatch\":\"SourceOwner\",\"formatter\":5},{\"columnMatch\":\"AssetName\",\"formatter\":5},{\"columnMatch\":\"AssetPath\",\"formatter\":7,\"formatOptions\":{\"linkTarget\":\"GenericDetails\",\"linkIsContextBlade\":true,\"customColumnWidthSetting\":\"70ch\"}},{\"columnMatch\":\"AssetType\",\"formatter\":5},{\"columnMatch\":\"AssetCreationTime\",\"formatter\":5},{\"columnMatch\":\"AssetModifiedTime\",\"formatter\":5},{\"columnMatch\":\"AssetOwner\",\"formatter\":5},{\"columnMatch\":\"FileExtension\",\"formatter\":5},{\"columnMatch\":\"FileSize\",\"formatter\":5},{\"columnMatch\":\"ActivityType\",\"formatter\":5},{\"columnMatch\":\"ActivityTrigger\",\"formatter\":5},{\"columnMatch\":\"Classification\",\"formatter\":5},{\"columnMatch\":\"ClassificationCount\",\"formatter\":5},{\"columnMatch\":\"SensitivityLabelGuid\",\"formatter\":5},{\"columnMatch\":\"SensitivityLabel\",\"formatter\":5},{\"columnMatch\":\"UserId\",\"formatter\":5}],\"filter\":true}},\"conditionalVisibility\":{\"parameterName\":\"Tab\",\"comparison\":\"isEqualTo\",\"value\":\"Labels\"},\"customWidth\":\"50\",\"name\":\"query - 13\",\"styleSettings\":{\"showBorder\":true}}],\"fromTemplateId\":\"sentinel-AzurePurview\",\"$schema\":\"https://github.com/Microsoft/Application-Insights-Workbooks/blob/master/schema/workbook.json\"}\r\n", + "serializedData": "{\"version\":\"Notebook/1.0\",\"items\":[{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"parameters\":[{\"id\":\"96f40e28-0b8a-4121-8dda-d32d8a37feb8\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"Time\",\"type\":4,\"isRequired\":true,\"value\":{\"durationMs\":2592000000},\"typeSettings\":{\"selectableValues\":[{\"durationMs\":86400000},{\"durationMs\":604800000},{\"durationMs\":2592000000}]},\"timeContext\":{\"durationMs\":86400000}},{\"id\":\"a5b9cb0c-6219-4782-a10d-1370a8a6edb4\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"PurviewAccount\",\"label\":\"Purview Account\",\"type\":2,\"isRequired\":true,\"multiSelect\":true,\"quote\":\"'\",\"delimiter\":\",\",\"query\":\"PurviewDataSensitivityLogs\\r\\n|distinct PurviewAccountName\",\"typeSettings\":{\"additionalResourceOptions\":[\"value::all\"],\"selectAllValue\":\"All\",\"showDefault\":false},\"timeContext\":{\"durationMs\":2592000000},\"defaultValue\":\"value::all\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"value\":[\"value::all\"]},{\"id\":\"ea62a59c-3799-400d-a7af-f0ad14cc46c7\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"Collection\",\"label\":\"Source Collection\",\"type\":2,\"isRequired\":true,\"isGlobal\":true,\"multiSelect\":true,\"quote\":\"'\",\"delimiter\":\",\",\"query\":\"PurviewDataSensitivityLogs\\r\\n| where ActivityType == \\\"Classification\\\"\\r\\n| distinct SourceCollectionName \\r\\n| extend Collection = iff(SourceCollectionName == \\\"\\\",\\\"No Collection\\\", SourceCollectionName)\\r\\n| project Collection\",\"value\":[\"value::all\"],\"typeSettings\":{\"additionalResourceOptions\":[\"value::all\"],\"showDefault\":false},\"defaultValue\":\"value::all\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},{\"id\":\"817265c3-f308-44e0-a24c-33dac7ee2c91\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"DataSource\",\"label\":\"Resource Type\",\"type\":2,\"isRequired\":true,\"multiSelect\":true,\"quote\":\"\",\"delimiter\":\",\",\"query\":\"PurviewDataSensitivityLogs\\r\\n| where ActivityType == \\\"Classification\\\"\\r\\n| distinct SourceType \",\"value\":[\"value::all\"],\"typeSettings\":{\"additionalResourceOptions\":[\"value::all\"],\"showDefault\":false},\"timeContext\":{\"durationMs\":2592000000},\"defaultValue\":\"value::all\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"}],\"style\":\"pills\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"name\":\"parameters - 0\"},{\"type\":1,\"content\":{\"json\":\"## Azure Purview\"},\"name\":\"text - 16\"},{\"type\":11,\"content\":{\"version\":\"LinkItem/1.0\",\"style\":\"tabs\",\"links\":[{\"id\":\"07aa10e3-7f8e-47d4-8193-4f09f0f2e51d\",\"cellValue\":\"Tab\",\"linkTarget\":\"parameter\",\"linkLabel\":\"Overview\",\"subTarget\":\"Resources\",\"style\":\"link\",\"linkIsContextBlade\":true},{\"id\":\"4161ebed-a013-48be-a6f9-662d5214ad42\",\"cellValue\":\"Tab\",\"linkTarget\":\"parameter\",\"linkLabel\":\"Classifications\",\"subTarget\":\"Classification\",\"preText\":\"Classifications\",\"style\":\"link\"},{\"id\":\"011fdcda-16fd-4e8f-9547-63b13486a8c3\",\"cellValue\":\"Tab\",\"linkTarget\":\"parameter\",\"linkLabel\":\"Sensitivity Labels\",\"subTarget\":\"Labels\",\"style\":\"link\"}]},\"name\":\"links - 9\"},{\"type\":1,\"content\":{\"json\":\"__Azure Purview__\\r\\n\\r\\nAzure Purview is a unified data governance service that helps you manage and govern your on-prem, multicloud, and software-as-a-service (SaaS) data. It creates a holistic, up-to-date map of your data landscape with automated data discovery, sensitive data classification, and end-to-end data lineage that empowers you to find valuable and trustworthy data. Learn More \\r\\n\\r\\n\",\"style\":\"info\"},\"conditionalVisibility\":{\"parameterName\":\"Tab\",\"comparison\":\"isEqualTo\",\"value\":\"Resources\"},\"name\":\"text - 10 - Copy\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let NumberofSourcesByRegion = PurviewDataSensitivityLogs\\r\\n| where ActivityType == \\\"Classification\\\" \\r\\n| where \\\"{PurviewAccount:label}\\\" == \\\"All\\\" or PurviewAccountName in~ (split(\\\"{PurviewAccount:label}\\\", \\\", \\\"))\\r\\n| where \\\"{DataSource:label}\\\" == \\\"All\\\" or SourceType in~ (split(\\\"{DataSource:label}\\\", \\\", \\\"))\\r\\n| extend CollectionName = iff(SourceCollectionName == \\\"\\\",\\\"No Collection\\\",SourceCollectionName)\\r\\n| where \\\"{Collection:label}\\\" == \\\"All\\\" or CollectionName in~ (split(\\\"{Collection:label}\\\", \\\", \\\"))\\r\\n| distinct SourcePath, SourceRegion\\r\\n| summarize AssetCount = count() by SourceRegion;\\r\\n\\r\\nNumberofSourcesByRegion\",\"size\":0,\"title\":\"Number of Sources by Region\",\"timeContext\":{\"durationMs\":2592000000},\"timeContextFromParameter\":\"Time\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"map\",\"mapSettings\":{\"locInfo\":\"AzureLoc\",\"locInfoColumn\":\"SourceRegion\",\"sizeSettings\":\"AssetCount\",\"sizeAggregation\":\"Sum\",\"legendMetric\":\"AssetCount\",\"legendAggregation\":\"Sum\",\"itemColorSettings\":{\"nodeColorField\":\"AssetCount\",\"colorAggregation\":\"Sum\",\"type\":\"heatmap\",\"heatmapPalette\":\"greenRed\"}}},\"conditionalVisibility\":{\"parameterName\":\"Tab\",\"comparison\":\"isEqualTo\",\"value\":\"Resources\"},\"customWidth\":\"50\",\"name\":\"query - 2\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let allAssets = PurviewDataSensitivityLogs\\r\\n| where ActivityType == \\\"Classification\\\" \\r\\n| where \\\"{PurviewAccount:label}\\\" == \\\"All\\\" or PurviewAccountName in~ (split(\\\"{PurviewAccount:label}\\\", \\\", \\\"))\\r\\n| where SourceType in~ (split(\\\"{DataSource}\\\", \\\",\\\"))\\r\\n| extend CollectionName = iff(SourceCollectionName == \\\"\\\",\\\"No Collection\\\",SourceCollectionName)\\r\\n| where \\\"{Collection:label}\\\" == \\\"All\\\" or CollectionName in~ (split(\\\"{Collection:label}\\\", \\\", \\\"))\\r\\n| distinct AssetPath, SourcePath, SourceType\\r\\n| summarize AssetCount = count() by SourceType;\\r\\n\\r\\nlet classifiedAssets = PurviewDataSensitivityLogs\\r\\n| where ActivityType == \\\"Classification\\\" \\r\\n| where \\\"{PurviewAccount:label}\\\" == \\\"All\\\" or PurviewAccountName in~ (split(\\\"{PurviewAccount:label}\\\", \\\", \\\"))\\r\\n| where SourceType in~ (split(\\\"{DataSource}\\\", \\\",\\\"))\\r\\n| extend CollectionName = iff(SourceCollectionName == \\\"\\\",\\\"No Collection\\\",SourceCollectionName)\\r\\n| where \\\"{Collection:label}\\\" == \\\"All\\\" or CollectionName in~ (split(\\\"{Collection:label}\\\", \\\", \\\"))\\r\\n| mv-expand Classification\\r\\n| where Classification != \\\"\\\"\\r\\n| distinct AssetPath, SourcePath, SourceType\\r\\n| summarize AssetClassifiedCount = count() by SourceType;\\r\\n\\r\\nlet ClassifiedAssetsByResourceType = allAssets\\r\\n| join kind= leftouter classifiedAssets on SourceType\\r\\n| extend ClassifiedPercentage = strcat(round((100.0 * AssetClassifiedCount / AssetCount),2), \\\"%\\\")\\r\\n| extend AssetCount = strcat(AssetCount, \\\" assets found in total\\\")\\r\\n| project SourceType, AssetCount, AssetClassifiedCount, ClassifiedPercentage;\\r\\n\\r\\nClassifiedAssetsByResourceType\",\"size\":0,\"title\":\"Number of Classified Assets Found Based on Resource Type\",\"timeContext\":{\"durationMs\":2592000000},\"timeContextFromParameter\":\"Time\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"tiles\",\"tileSettings\":{\"titleContent\":{\"columnMatch\":\"SourceType\",\"formatter\":16,\"formatOptions\":{\"showIcon\":true}},\"leftContent\":{\"columnMatch\":\"AssetClassifiedCount\",\"formatter\":12,\"formatOptions\":{\"palette\":\"auto\"},\"numberFormat\":{\"unit\":17,\"options\":{\"style\":\"decimal\",\"maximumFractionDigits\":2,\"maximumSignificantDigits\":3},\"emptyValCustomText\":\"0\"}},\"secondaryContent\":{\"columnMatch\":\"AssetCount\"},\"showBorder\":true},\"mapSettings\":{\"locInfo\":\"LatLong\",\"sizeSettings\":\"AssetClassifiedCount\",\"sizeAggregation\":\"Sum\",\"legendMetric\":\"AssetClassifiedCount\",\"legendAggregation\":\"Sum\",\"itemColorSettings\":{\"type\":\"heatmap\",\"colorAggregation\":\"Sum\",\"nodeColorField\":\"AssetClassifiedCount\",\"heatmapPalette\":\"greenRed\"}}},\"conditionalVisibility\":{\"parameterName\":\"Tab\",\"comparison\":\"isEqualTo\",\"value\":\"Resources\"},\"customWidth\":\"50\",\"name\":\"query - 25\"},{\"type\":1,\"content\":{\"json\":\"To use the Asset Drilldown view, select the row of the data source in the Sources table below to get a list of all assets scanned by Purview in that data source. Within the Assets Drilldown, click on the Asset Path hyperlink to view the Details pane. To view the data source within the Azure portal, click on the data source hyperlink in the Assets Drilldown table. \",\"style\":\"warning\"},\"conditionalVisibility\":{\"parameterName\":\"Tab\",\"comparison\":\"isEqualTo\",\"value\":\"Resources\"},\"name\":\"text - 22\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let allAssets = PurviewDataSensitivityLogs\\r\\n| where ActivityType == \\\"Classification\\\" \\r\\n| where \\\"{PurviewAccount:label}\\\" == \\\"All\\\" or PurviewAccountName in~ (split(\\\"{PurviewAccount:label}\\\", \\\", \\\"))\\r\\n| where SourceType in~ (split(\\\"{DataSource}\\\", \\\",\\\"))\\r\\n| extend CollectionName = iff(SourceCollectionName == \\\"\\\",\\\"No Collection\\\",SourceCollectionName)\\r\\n| where \\\"{Collection:label}\\\" == \\\"All\\\" or CollectionName in~ (split(\\\"{Collection:label}\\\", \\\", \\\"))\\r\\n| distinct AssetPath, SourcePath\\r\\n| summarize AssetCount = count() by DataSource = SourcePath;\\r\\n\\r\\nlet classifiedAssets = PurviewDataSensitivityLogs\\r\\n| where ActivityType == \\\"Classification\\\" \\r\\n| where \\\"{PurviewAccount:label}\\\" == \\\"All\\\" or PurviewAccountName in~ (split(\\\"{PurviewAccount:label}\\\", \\\", \\\"))\\r\\n| where SourceType in~ (split(\\\"{DataSource}\\\", \\\",\\\"))\\r\\n| extend CollectionName = iff(SourceCollectionName == \\\"\\\",\\\"No Collection\\\",SourceCollectionName)\\r\\n| where \\\"{Collection:label}\\\" == \\\"All\\\" or CollectionName in~ (split(\\\"{Collection:label}\\\", \\\", \\\"))\\r\\n| mv-expand Classification\\r\\n| where Classification != \\\"\\\"\\r\\n| distinct AssetPath, SourcePath, SourceType\\r\\n| summarize AssetClassifiedCount = count() by DataSource = SourcePath;\\r\\n\\r\\nlet AssetsDrilldown = allAssets\\r\\n| join kind= leftouter classifiedAssets on DataSource\\r\\n| extend ClassifiedPercentage = round((100.0 * AssetClassifiedCount / AssetCount),1)\\r\\n| project DataSource, AssetCount, AssetClassifiedCount, ClassifiedPercentage;\\r\\n\\r\\nAssetsDrilldown\\r\\n\\r\\n\\r\\n\\r\\n\",\"size\":0,\"showAnalytics\":true,\"title\":\"Sources\",\"timeContext\":{\"durationMs\":2592000000},\"timeContextFromParameter\":\"Time\",\"showRefreshButton\":true,\"exportFieldName\":\"DataSource\",\"exportParameterName\":\"UserSelectedDataSource\",\"exportDefaultValue\":\"All\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"DataSource\",\"formatter\":0,\"formatOptions\":{\"customColumnWidthSetting\":\"40ch\"}},{\"columnMatch\":\"AssetCount\",\"formatter\":2,\"formatOptions\":{\"customColumnWidthSetting\":\"20ch\"}},{\"columnMatch\":\"AssetClassifiedCount\",\"formatter\":2,\"formatOptions\":{\"customColumnWidthSetting\":\"20ch\"},\"numberFormat\":{\"unit\":0,\"options\":{\"style\":\"decimal\"},\"emptyValCustomText\":\"0\"}},{\"columnMatch\":\"ClassifiedPercentage\",\"formatter\":2,\"formatOptions\":{\"customColumnWidthSetting\":\"20ch\"}}],\"filter\":true,\"labelSettings\":[{\"columnId\":\"DataSource\",\"label\":\"Data Source\"},{\"columnId\":\"AssetCount\",\"label\":\"Total Assets\"},{\"columnId\":\"AssetClassifiedCount\",\"label\":\"Classified Assets\"},{\"columnId\":\"ClassifiedPercentage\",\"label\":\"Classified %\"}]}},\"conditionalVisibility\":{\"parameterName\":\"Tab\",\"comparison\":\"isEqualTo\",\"value\":\"Resources\"},\"customWidth\":\"50\",\"name\":\"query - 8\",\"styleSettings\":{\"showBorder\":true}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let ClassificationCountAdded = PurviewDataSensitivityLogs\\r\\n| where ActivityType == \\\"Classification\\\" \\r\\n| mv-expand ClassificationDetails\\r\\n| summarize ClassificationCount= sum(toint(ClassificationDetails[\\\"UniqueCount\\\"])) by AssetPath;\\r\\n\\r\\nlet classifiedAssets = PurviewDataSensitivityLogs\\r\\n| where ActivityType == \\\"Classification\\\" \\r\\n| where \\\"{PurviewAccount:label}\\\" == \\\"All\\\" or PurviewAccountName in~ (split(\\\"{PurviewAccount:label}\\\", \\\", \\\"))\\r\\n| where SourceType in~ (split(\\\"{DataSource}\\\", \\\",\\\"))\\r\\n| extend CollectionName = iff(SourceCollectionName == \\\"\\\",\\\"No Collection\\\",SourceCollectionName)\\r\\n| where \\\"{Collection:label}\\\" == \\\"All\\\" or CollectionName in~ (split(\\\"{Collection:label}\\\", \\\", \\\"))\\r\\n| where \\\"{UserSelectedDataSource:value}\\\" == \\\"All\\\" or (split(\\\"{UserSelectedDataSource:value}\\\", \\\", \\\")) contains SourcePath;\\r\\n\\r\\nlet classifiedAssetsWithCounts = classifiedAssets \\r\\n| join ClassificationCountAdded on AssetPath\\r\\n| summarize arg_max(TimeGenerated, PurviewTenantId, PurviewAccountName, PurviewRegion, SourceName, SourceType, SourcePath, SourceSubscriptionId, SourceRegion, SourceCollectionName, AssetName, AssetPath, AssetType, AssetCreationTime, AssetModifiedTime, AssetLastScanTime, FileExtension, FileSize, ActivityType, Classification, ClassificationCount, ClassificationTrigger, ClassificationDetails, SourceScanId) by AssetPath \\r\\n| project TimeGenerated, PurviewTenantId, PurviewAccountName, PurviewRegion, SourceName, SourceType, SourcePath, SourceSubscriptionId, SourceRegion, SourceCollectionName, AssetName, AssetPath, AssetType, AssetCreationTime, AssetModifiedTime, AssetLastScanTime, FileExtension, FileSize, ActivityType, Classification, ClassificationCount, ClassificationTrigger, ClassificationDetails, SourceScanId;\\r\\n\\r\\nlet labeledAssets = PurviewDataSensitivityLogs\\r\\n| where ActivityType == \\\"Labeling\\\" \\r\\n| where \\\"{PurviewAccount:label}\\\" == \\\"All\\\" or PurviewAccountName in~ (split(\\\"{PurviewAccount:label}\\\", \\\", \\\"))\\r\\n| where SourceType in~ (split(\\\"{DataSource}\\\", \\\",\\\"))\\r\\n| mv-expand SensitivityLabel to typeof(string)\\r\\n| where SensitivityLabel != int(null)\\r\\n//| extend SensitivityLabel = iif(isempty(SensitivityLabel), \\\"No Label\\\", SensitivityLabel)\\r\\n| mv-expand SensitivityLabelDetails\\r\\n| summarize arg_max(SensitivityLabel, SourceType, SensitivityLabelTrigger, SensitivityLabelDetails) by AssetPath\\r\\n| project AssetPath, SensitivityLabel, SensitivityLabelTrigger, SensitivityLabelDetails;\\r\\n\\r\\nlet table = classifiedAssetsWithCounts\\r\\n| join kind= leftouter labeledAssets on AssetPath\\r\\n| project TimeGenerated, PurviewTenantId, PurviewAccountName, PurviewRegion, AssetName, AssetPath, AssetType, AssetCreationTime, AssetModifiedTime, AssetLastScanTime, FileExtension, FileSize, ActivityType, ClassificationTrigger, Classification, ClassificationCount, ClassificationDetails, SensitivityLabelTrigger, SensitivityLabel, SensitivityLabelDetails, SourceName, SourceType, SourcePath, SourceSubscriptionId, SourceRegion, SourceCollectionName, SourceScanId\\r\\n| sort by ClassificationCount;\\r\\n\\r\\ntable\\r\\n\\r\\n\\r\\n\\r\\n\\r\\n\\r\\n\\r\\n\\r\\n\",\"size\":0,\"showAnalytics\":true,\"title\":\"Assets Drilldown\",\"timeContext\":{\"durationMs\":2592000000},\"timeContextFromParameter\":\"Time\",\"showRefreshButton\":true,\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"table\",\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"TimeGenerated\",\"formatter\":5},{\"columnMatch\":\"PurviewTenantId\",\"formatter\":5},{\"columnMatch\":\"PurviewAccountName\",\"formatter\":5},{\"columnMatch\":\"PurviewRegion\",\"formatter\":5},{\"columnMatch\":\"AssetName\",\"formatter\":5},{\"columnMatch\":\"AssetPath\",\"formatter\":7,\"formatOptions\":{\"linkTarget\":\"GenericDetails\",\"linkIsContextBlade\":true,\"customColumnWidthSetting\":\"60ch\"}},{\"columnMatch\":\"AssetType\",\"formatter\":5},{\"columnMatch\":\"AssetCreationTime\",\"formatter\":5},{\"columnMatch\":\"AssetModifiedTime\",\"formatter\":5},{\"columnMatch\":\"AssetLastScanTime\",\"formatter\":5},{\"columnMatch\":\"FileExtension\",\"formatter\":5},{\"columnMatch\":\"FileSize\",\"formatter\":5},{\"columnMatch\":\"ActivityType\",\"formatter\":5},{\"columnMatch\":\"Classification\",\"formatter\":5},{\"columnMatch\":\"ClassificationCount\",\"formatter\":4,\"formatOptions\":{\"palette\":\"blue\"}},{\"columnMatch\":\"ClassificationDetails\",\"formatter\":5},{\"columnMatch\":\"SensitivityLabel\",\"formatter\":0,\"numberFormat\":{\"unit\":0,\"options\":{\"style\":\"decimal\"},\"emptyValCustomText\":\"No Label\"}},{\"columnMatch\":\"SensitivityLabelTrigger\",\"formatter\":5},{\"columnMatch\":\"SensitivityLabelDetails\",\"formatter\":5},{\"columnMatch\":\"SourceName\",\"formatter\":5},{\"columnMatch\":\"SourceType\",\"formatter\":5},{\"columnMatch\":\"SourcePath\",\"formatter\":13,\"formatOptions\":{\"linkTarget\":\"Resource\",\"showIcon\":true}},{\"columnMatch\":\"SourceSubscriptionId\",\"formatter\":5},{\"columnMatch\":\"SourceRegion\",\"formatter\":5},{\"columnMatch\":\"SourceCollectionName\",\"formatter\":5},{\"columnMatch\":\"SourceScanId\",\"formatter\":5},{\"columnMatch\":\"PurviewSubscriptionId\",\"formatter\":5},{\"columnMatch\":\"SourceOwner\",\"formatter\":5},{\"columnMatch\":\"AssetOwner\",\"formatter\":5},{\"columnMatch\":\"ClassificationActivityTrigger\",\"formatter\":5},{\"columnMatch\":\"SensitivityLabelActivityTrigger\",\"formatter\":5},{\"columnMatch\":\"SensitivityLabelGuid\",\"formatter\":5},{\"columnMatch\":\"UserId\",\"formatter\":5},{\"columnMatch\":\"ActivityTrigger\",\"formatter\":5},{\"columnMatch\":\"SensitivityLabelName\",\"formatter\":5,\"formatOptions\":{\"customColumnWidthSetting\":\"25ch\"}}],\"rowLimit\":1000,\"filter\":true,\"labelSettings\":[{\"columnId\":\"AssetPath\",\"label\":\"Asset Path\"},{\"columnId\":\"ClassificationCount\",\"label\":\"Classification Count\"},{\"columnId\":\"SensitivityLabel\",\"label\":\"Sensitivity Label\"},{\"columnId\":\"SourcePath\",\"label\":\"Data Source\"}]}},\"conditionalVisibility\":{\"parameterName\":\"Tab\",\"comparison\":\"isEqualTo\",\"value\":\"Resources\"},\"customWidth\":\"50\",\"name\":\"query - 9\",\"styleSettings\":{\"showBorder\":true}},{\"type\":1,\"content\":{\"json\":\"__Classifications__\\r\\n\\r\\nClassifications within Azure Purview display which sensitive information resides within your organization. A list of supported classifications can be found at Sensitive Information Type Entity Definitions. \\r\\n\\r\\n\",\"style\":\"info\"},\"conditionalVisibility\":{\"parameterName\":\"Tab\",\"comparison\":\"isEqualTo\",\"value\":\"Classification\"},\"name\":\"text - 10\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"PurviewDataSensitivityLogs\\r\\n| where ActivityType == \\\"Classification\\\"\\r\\n| where \\\"{PurviewAccount:label}\\\" == \\\"All\\\" or PurviewAccountName in~ (split(\\\"{PurviewAccount:label}\\\", \\\", \\\"))\\r\\n| where \\\"{DataSource:label}\\\" == \\\"All\\\" or SourceType in~ (split(\\\"{DataSource:label}\\\", \\\", \\\"))\\r\\n| extend CollectionName = iff(SourceCollectionName == \\\"\\\",\\\"No Collection\\\",SourceCollectionName)\\r\\n| where \\\"{Collection:label}\\\" == \\\"All\\\" or CollectionName in~ (split(\\\"{Collection:label}\\\", \\\", \\\"))\\r\\n| where Classification != \\\"\\\"\\r\\n| summarize ClassifiedAssetCount = count() by DateClassified = bin(TimeGenerated, 1d), SourceType\",\"size\":0,\"title\":\"Classification Events\",\"timeContext\":{\"durationMs\":2592000000},\"timeContextFromParameter\":\"Time\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"barchart\"},\"conditionalVisibility\":{\"parameterName\":\"Tab\",\"comparison\":\"isEqualTo\",\"value\":\"Classification\"},\"customWidth\":\"50\",\"name\":\"query - 21\",\"styleSettings\":{\"showBorder\":true}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let ClassificationCountAdded = PurviewDataSensitivityLogs\\r\\n| where ActivityType == \\\"Classification\\\" \\r\\n| mvexpand ClassificationDetails\\r\\n| summarize ClassificationCount= sum(toint(ClassificationDetails[\\\"UniqueCount\\\"])) by AssetPath;\\r\\nlet TopClassifiedAssets = PurviewDataSensitivityLogs\\r\\n| where ActivityType == \\\"Classification\\\" \\r\\n| where \\\"{PurviewAccount:label}\\\" == \\\"All\\\" or PurviewAccountName in~ (split(\\\"{PurviewAccount:label}\\\", \\\", \\\"))\\r\\n| where \\\"{DataSource:label}\\\" == \\\"All\\\" or SourceType in~ (split(\\\"{DataSource:label}\\\", \\\", \\\"))\\r\\n| extend CollectionName = iff(SourceCollectionName == \\\"\\\",\\\"No Collection\\\",SourceCollectionName)\\r\\n| where \\\"{Collection:label}\\\" == \\\"All\\\" or CollectionName in~ (split(\\\"{Collection:label}\\\", \\\", \\\"));\\r\\n\\r\\nTopClassifiedAssets | join ClassificationCountAdded on AssetPath \\r\\n| summarize arg_max(TimeGenerated, Classification, ClassificationCount, AssetName, AssetType, AssetPath, FileExtension, FileSize, SourceType, SourcePath) by AssetPath \\r\\n| project AssetPath, SourcePath, ClassificationCount\\r\\n| top 4 by ClassificationCount;\",\"size\":0,\"title\":\"Top Assets with Classifications\",\"timeContext\":{\"durationMs\":2592000000},\"timeContextFromParameter\":\"Time\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"tiles\",\"tileSettings\":{\"titleContent\":{\"columnMatch\":\"SourcePath\",\"formatter\":13,\"formatOptions\":{\"showIcon\":true}},\"subtitleContent\":{\"columnMatch\":\"AssetPath\"},\"leftContent\":{\"columnMatch\":\"ClassificationCount\",\"formatter\":12,\"formatOptions\":{\"palette\":\"auto\"},\"numberFormat\":{\"unit\":17,\"options\":{\"style\":\"decimal\",\"maximumFractionDigits\":2,\"maximumSignificantDigits\":3}}},\"showBorder\":true,\"size\":\"full\"}},\"conditionalVisibility\":{\"parameterName\":\"Tab\",\"comparison\":\"isEqualTo\",\"value\":\"Classification\"},\"customWidth\":\"50\",\"name\":\"query - 19\"},{\"type\":1,\"content\":{\"json\":\"To use the Classifications Drilldown view, select a Classification in the Classifications table below to get a list all assets scanned by Purview with that classification. Within the Asset Level Drilldown, click on the Asset Path hyperlink to view the Details pane. To view the data source within the Azure portal, click on the data source hyperlink in the Asset Level Drilldown table.\",\"style\":\"warning\"},\"conditionalVisibility\":{\"parameterName\":\"Tab\",\"comparison\":\"isEqualTo\",\"value\":\"Classification\"},\"name\":\"text - 22 - Copy - Copy\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let Classifications = PurviewDataSensitivityLogs\\r\\n| where ActivityType == \\\"Classification\\\"\\r\\n| where \\\"{PurviewAccount:label}\\\" == \\\"All\\\" or PurviewAccountName in~ (split(\\\"{PurviewAccount:label}\\\", \\\", \\\"))\\r\\n| where \\\"{DataSource:label}\\\" == \\\"All\\\" or SourceType in~ (split(\\\"{DataSource:label}\\\", \\\", \\\"))\\r\\n| extend CollectionName = iff(SourceCollectionName == \\\"\\\",\\\"No Collection\\\",SourceCollectionName)\\r\\n| where \\\"{Collection:label}\\\" == \\\"All\\\" or CollectionName in~ (split(\\\"{Collection:label}\\\", \\\", \\\"))\\r\\n| summarize arg_max(TimeGenerated, Classification, FileSize, AssetType) by AssetPath \\r\\n| extend classifications = split(Classification, ',')\\r\\n| mv-expand classifications\\r\\n| extend Classification = trim(@\\\"[^\\\\w]+\\\", tostring(classifications))\\r\\n| where Classification != \\\"\\\"\\r\\n| summarize FileSize = round(sum(FileSize)/1000000,2), AssetCount = count() by Classification\\r\\n| project Classification, AssetCount, FileSize;\\r\\n\\r\\nClassifications\\r\\n\\r\\n\\r\\n\\r\\n\\r\\n\\r\\n\\r\\n\\r\\n\\r\\n\\r\\n\\r\\n\\r\\n\",\"size\":0,\"showAnalytics\":true,\"title\":\"Classifications\",\"timeContext\":{\"durationMs\":2592000000},\"timeContextFromParameter\":\"Time\",\"showRefreshButton\":true,\"exportFieldName\":\"Classification\",\"exportParameterName\":\"UserSelectedClassification\",\"exportDefaultValue\":\"All\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"table\",\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"Classification\",\"formatter\":0,\"formatOptions\":{\"customColumnWidthSetting\":\"50ch\"}},{\"columnMatch\":\"FileSize\",\"formatter\":8,\"formatOptions\":{\"palette\":\"blue\",\"customColumnWidthSetting\":\"25ch\"}},{\"columnMatch\":\"AssetCount\",\"formatter\":4,\"formatOptions\":{\"palette\":\"blue\",\"customColumnWidthSetting\":\"25ch\"}}],\"filter\":true,\"sortBy\":[{\"itemKey\":\"$gen_bar_AssetCount_1\",\"sortOrder\":2}],\"labelSettings\":[{\"columnId\":\"AssetCount\",\"label\":\"Classified Asset Count\"},{\"columnId\":\"FileSize\",\"label\":\"Total Size of Files (MB)\"}]},\"sortBy\":[{\"itemKey\":\"$gen_bar_AssetCount_1\",\"sortOrder\":2}],\"tileSettings\":{\"showBorder\":false,\"titleContent\":{\"columnMatch\":\"Classification\",\"formatter\":1},\"leftContent\":{\"columnMatch\":\"Size\",\"formatter\":12,\"formatOptions\":{\"palette\":\"auto\"},\"numberFormat\":{\"unit\":17,\"options\":{\"maximumSignificantDigits\":3,\"maximumFractionDigits\":2}}}}},\"conditionalVisibility\":{\"parameterName\":\"Tab\",\"comparison\":\"isEqualTo\",\"value\":\"Classification\"},\"customWidth\":\"50\",\"name\":\"query - 4 - Copy\",\"styleSettings\":{\"showBorder\":true}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let ClassificationCountColumn = PurviewDataSensitivityLogs\\r\\n| mv-expand ClassificationDetails\\r\\n| summarize ClassificationCount = sum(toint(ClassificationDetails[\\\"UniqueCount\\\"])) by AssetPath;\\r\\nlet ClassificationsDrilldown = PurviewDataSensitivityLogs\\r\\n| where ActivityType == \\\"Classification\\\" \\r\\n| where \\\"{PurviewAccount:label}\\\" == \\\"All\\\" or PurviewAccountName in~ (split(\\\"{PurviewAccount:label}\\\", \\\", \\\"))\\r\\n| where \\\"{DataSource:label}\\\" == \\\"All\\\" or SourceType in~ (split(\\\"{DataSource:label}\\\", \\\", \\\"))\\r\\n| extend CollectionName = iff(SourceCollectionName == \\\"\\\",\\\"No Collection\\\",SourceCollectionName)\\r\\n| where \\\"{Collection:label}\\\" == \\\"All\\\" or CollectionName in~ (split(\\\"{Collection:label}\\\", \\\", \\\"))\\r\\n| extend classifications = split(Classification, ',')\\r\\n| mv-expand classifications\\r\\n| extend Classification = trim(@\\\"[^\\\\w]+\\\", tostring(classifications))\\r\\n| where Classification != \\\"\\\"\\r\\n| where \\\"{UserSelectedClassification:label}\\\" == \\\"All\\\" or (split(\\\"{UserSelectedClassification:label}\\\", \\\", \\\")) contains Classification;\\r\\n\\r\\nClassificationsDrilldown | join ClassificationCountColumn on AssetPath\\r\\n| summarize arg_max(TimeGenerated, PurviewTenantId, PurviewAccountName, PurviewRegion, SourceName, SourceType, SourcePath, SourceSubscriptionId, SourceRegion, SourceCollectionName, AssetName, AssetPath, AssetType, AssetCreationTime, AssetModifiedTime, AssetLastScanTime, FileExtension, FileSize, ActivityType, ClassificationTrigger, Classification, ClassificationCount, ClassificationDetails, SourceScanId) by AssetPath \\r\\n| project TimeGenerated, PurviewTenantId, PurviewAccountName, PurviewRegion, AssetName, AssetPath, AssetType, AssetCreationTime, AssetModifiedTime, AssetLastScanTime, FileExtension, FileSize, ActivityType, ClassificationTrigger, Classification, ClassificationCount, ClassificationDetails, SourceName, SourceType, SourcePath, SourceSubscriptionId, SourceRegion, SourceCollectionName, SourceScanId;\\r\\n\\r\\nClassificationsDrilldown\\r\\n\\r\\n\\r\\n\\r\\n\\r\\n\\r\\n\\r\\n\\r\\n\\r\\n\",\"size\":0,\"showAnalytics\":true,\"title\":\"Classifications Drilldown- Asset Level\",\"timeContext\":{\"durationMs\":2592000000},\"timeContextFromParameter\":\"Time\",\"showRefreshButton\":true,\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"TimeGenerated\",\"formatter\":5},{\"columnMatch\":\"PurviewTenantId\",\"formatter\":5},{\"columnMatch\":\"PurviewAccountName\",\"formatter\":5},{\"columnMatch\":\"PurviewRegion\",\"formatter\":5},{\"columnMatch\":\"AssetName\",\"formatter\":5},{\"columnMatch\":\"AssetPath\",\"formatter\":7,\"formatOptions\":{\"linkTarget\":\"GenericDetails\",\"linkIsContextBlade\":true,\"customColumnWidthSetting\":\"70ch\"}},{\"columnMatch\":\"AssetType\",\"formatter\":5},{\"columnMatch\":\"AssetCreationTime\",\"formatter\":5},{\"columnMatch\":\"AssetModifiedTime\",\"formatter\":5},{\"columnMatch\":\"AssetLastScanTime\",\"formatter\":0,\"formatOptions\":{\"customColumnWidthSetting\":\"30ch\"}},{\"columnMatch\":\"FileExtension\",\"formatter\":5},{\"columnMatch\":\"FileSize\",\"formatter\":5},{\"columnMatch\":\"ActivityType\",\"formatter\":5},{\"columnMatch\":\"Classification\",\"formatter\":5},{\"columnMatch\":\"SourceName\",\"formatter\":5},{\"columnMatch\":\"SourceType\",\"formatter\":5},{\"columnMatch\":\"SourcePath\",\"formatter\":13,\"formatOptions\":{\"linkTarget\":\"Resource\",\"showIcon\":true}},{\"columnMatch\":\"SourceSubscriptionId\",\"formatter\":5},{\"columnMatch\":\"SourceRegion\",\"formatter\":5},{\"columnMatch\":\"SourceCollectionName\",\"formatter\":5},{\"columnMatch\":\"SourceScanId\",\"formatter\":5},{\"columnMatch\":\"PurviewSubscriptionId\",\"formatter\":5},{\"columnMatch\":\"SourceOwner\",\"formatter\":5},{\"columnMatch\":\"AssetOwner\",\"formatter\":5},{\"columnMatch\":\"ActivityTrigger\",\"formatter\":5},{\"columnMatch\":\"SensitivityLabelGuid\",\"formatter\":5},{\"columnMatch\":\"SensitivityLabelName\",\"formatter\":5},{\"columnMatch\":\"UserId\",\"formatter\":5}],\"filter\":true,\"labelSettings\":[{\"columnId\":\"AssetPath\",\"label\":\"Asset Path\"},{\"columnId\":\"AssetLastScanTime\",\"label\":\"Asset Last Scan Time\"},{\"columnId\":\"SourcePath\",\"label\":\"Data Source\"}]}},\"conditionalVisibility\":{\"parameterName\":\"Tab\",\"comparison\":\"isEqualTo\",\"value\":\"Classification\"},\"customWidth\":\"50\",\"name\":\"query - 10\",\"styleSettings\":{\"showBorder\":true}},{\"type\":1,\"content\":{\"json\":\"__Sensitivity Labels__\\r\\n\\r\\nSensitivity Labels let you classify your organization's data in order to highlight which resources contain sensitive information. Labels can be set up through Security and Compliance Center and applied in Azure Purview. Learn More \",\"style\":\"info\"},\"conditionalVisibility\":{\"parameterName\":\"Tab\",\"comparison\":\"isEqualTo\",\"value\":\"Labels\"},\"name\":\"text - 12\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"PurviewDataSensitivityLogs\\r\\n| where ActivityType == \\\"Labeling\\\" \\r\\n| where \\\"{PurviewAccount:label}\\\" == \\\"All\\\" or PurviewAccountName in~ (split(\\\"{PurviewAccount:label}\\\", \\\", \\\"))\\r\\n| where \\\"{DataSource:label}\\\" == \\\"All\\\" or SourceType in~ (split(\\\"{DataSource:label}\\\", \\\", \\\"))\\r\\n| extend CollectionName = iff(SourceCollectionName == \\\"\\\",\\\"No Collection\\\",SourceCollectionName)\\r\\n| where \\\"{Collection:label}\\\" == \\\"All\\\" or CollectionName in~ (split(\\\"{Collection:label}\\\", \\\", \\\"))\\r\\n| where SensitivityLabel != \\\"\\\"\\r\\n| summarize LabeledAssetCount = count() by DateClassified = bin(TimeGenerated, 1d), SourceType\",\"size\":0,\"title\":\"Sensitivity Labeling Events\",\"timeContext\":{\"durationMs\":2592000000},\"timeContextFromParameter\":\"Time\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"barchart\"},\"conditionalVisibility\":{\"parameterName\":\"Tab\",\"comparison\":\"isEqualTo\",\"value\":\"Labels\"},\"customWidth\":\"50\",\"name\":\"query - 21\",\"styleSettings\":{\"showBorder\":true}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let LabelPercentage = PurviewDataSensitivityLogs\\r\\n| where ActivityType == \\\"Labeling\\\"\\r\\n| where \\\"{PurviewAccount:label}\\\" == \\\"All\\\" or PurviewAccountName in~ (split(\\\"{PurviewAccount:label}\\\", \\\", \\\"))\\r\\n| where \\\"{DataSource:label}\\\" == \\\"All\\\" or SourceType in~ (split(\\\"{DataSource:label}\\\", \\\", \\\"))\\r\\n| extend CollectionName = iff(SourceCollectionName == \\\"\\\",\\\"No Collection\\\",SourceCollectionName)\\r\\n| where \\\"{Collection:label}\\\" == \\\"All\\\" or CollectionName in~ (split(\\\"{Collection:label}\\\", \\\", \\\"))\\r\\n| mv-expand SensitivityLabel\\r\\n| summarize arg_max(AssetName, tostring(SensitivityLabel), SourceType) by AssetPath \\r\\n| summarize LabelCount = count() by SensitivityLabel, SourceType;\\r\\n\\r\\nLabelPercentage;\\r\\n\",\"size\":3,\"title\":\"Percentage of Labels Applied\",\"timeContext\":{\"durationMs\":2592000000},\"timeContextFromParameter\":\"Time\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"piechart\",\"tileSettings\":{\"showBorder\":false,\"titleContent\":{\"columnMatch\":\"SensitivityLabelName_s\",\"formatter\":1},\"leftContent\":{\"columnMatch\":\"LabelCount\",\"formatter\":12,\"formatOptions\":{\"palette\":\"auto\"},\"numberFormat\":{\"unit\":17,\"options\":{\"maximumSignificantDigits\":3,\"maximumFractionDigits\":2}}}},\"graphSettings\":{\"type\":0,\"topContent\":{\"columnMatch\":\"SensitivityLabelName_s\",\"formatter\":1},\"centerContent\":{\"columnMatch\":\"LabelCount\",\"formatter\":1,\"numberFormat\":{\"unit\":17,\"options\":{\"maximumSignificantDigits\":3,\"maximumFractionDigits\":2}}}},\"chartSettings\":{\"yAxis\":[\"LabelCount\"],\"seriesLabelSettings\":[{\"seriesName\":\"\",\"label\":\"No Label\",\"color\":\"gray\"},{\"seriesName\":\"General\",\"color\":\"blue\"}],\"ySettings\":{\"numberFormatSettings\":{\"unit\":0,\"options\":{\"style\":\"decimal\",\"useGrouping\":true}}}},\"mapSettings\":{\"locInfo\":\"LatLong\",\"sizeSettings\":\"LabelCount\",\"sizeAggregation\":\"Sum\",\"legendMetric\":\"LabelCount\",\"legendAggregation\":\"Sum\",\"itemColorSettings\":{\"type\":\"heatmap\",\"colorAggregation\":\"Sum\",\"nodeColorField\":\"LabelCount\",\"heatmapPalette\":\"greenRed\"}}},\"conditionalVisibility\":{\"parameterName\":\"Tab\",\"comparison\":\"isEqualTo\",\"value\":\"Labels\"},\"customWidth\":\"50\",\"name\":\"query - 11\",\"styleSettings\":{\"padding\":\"20\",\"showBorder\":true}},{\"type\":1,\"content\":{\"json\":\"To use the Sensitivity Labels Drilldown view, select a Sensitivity Label in the table below to get a list all assets scanned by Purview with that label. Within the Asset Level Drilldown, click on the Asset Path hyperlink to view the Details pane.\",\"style\":\"warning\"},\"conditionalVisibility\":{\"parameterName\":\"Tab\",\"comparison\":\"isEqualTo\",\"value\":\"Labels\"},\"name\":\"text - 22 - Copy\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let SensitivityLabels = PurviewDataSensitivityLogs\\r\\n| where ActivityType == \\\"Labeling\\\" \\r\\n| where \\\"{PurviewAccount:label}\\\" == \\\"All\\\" or PurviewAccountName in~ (split(\\\"{PurviewAccount:label}\\\", \\\", \\\"))\\r\\n| where \\\"{DataSource:label}\\\" == \\\"All\\\" or SourceType in~ (split(\\\"{DataSource:label}\\\", \\\", \\\"))\\r\\n| extend CollectionName = iff(SourceCollectionName == \\\"\\\",\\\"No Collection\\\",SourceCollectionName)\\r\\n| where \\\"{Collection:label}\\\" == \\\"All\\\" or CollectionName in~ (split(\\\"{Collection:label}\\\", \\\", \\\"))\\r\\n| mv-expand SensitivityLabel\\r\\n| extend newSensitivityLabel = tostring(SensitivityLabel) //iff(SensitivityLabel== \\\"\\\", \\\"No Label\\\", SensitivityLabel)\\r\\n| summarize arg_max(newSensitivityLabel, SourceType, FileSize) by AssetPath \\r\\n| summarize FileSize = round(sum(FileSize)/1000000,2), AssetCount = count() by newSensitivityLabel\\r\\n| sort by AssetCount;\\r\\n\\r\\nSensitivityLabels\",\"size\":0,\"showAnalytics\":true,\"title\":\"Sensitivity Labels\",\"timeContext\":{\"durationMs\":2592000000},\"showRefreshButton\":true,\"exportFieldName\":\"newSensitivityLabel\",\"exportParameterName\":\"UserSelectedLabel\",\"exportDefaultValue\":\"All\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"table\",\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"newSensitivityLabel\",\"formatter\":0,\"numberFormat\":{\"unit\":0,\"options\":{\"style\":\"decimal\"},\"emptyValCustomText\":\"No Label\"}},{\"columnMatch\":\"FileSize\",\"formatter\":8,\"formatOptions\":{\"palette\":\"blue\",\"customColumnWidthSetting\":\"20ch\"}},{\"columnMatch\":\"Count\",\"formatter\":4,\"formatOptions\":{\"palette\":\"blue\",\"customColumnWidthSetting\":\"20ch\"}},{\"columnMatch\":\"SensitivityLabelName\",\"formatter\":1,\"formatOptions\":{\"customColumnWidthSetting\":\"60ch\"},\"numberFormat\":{\"unit\":0,\"options\":{\"style\":\"decimal\"}}}],\"filter\":true,\"labelSettings\":[{\"columnId\":\"newSensitivityLabel\",\"label\":\"Sensitivity Label\"},{\"columnId\":\"FileSize\",\"label\":\"Total Size of Files (MB)\"},{\"columnId\":\"AssetCount\",\"label\":\"Asset Count\"}]},\"tileSettings\":{\"showBorder\":false,\"titleContent\":{\"columnMatch\":\"SensitivityLabelName\",\"formatter\":1},\"leftContent\":{\"columnMatch\":\"LabelCount\",\"formatter\":12,\"formatOptions\":{\"palette\":\"auto\"},\"numberFormat\":{\"unit\":17,\"options\":{\"maximumSignificantDigits\":3,\"maximumFractionDigits\":2}}}}},\"conditionalVisibility\":{\"parameterName\":\"Tab\",\"comparison\":\"isEqualTo\",\"value\":\"Labels\"},\"customWidth\":\"50\",\"name\":\"query - 14 - Copy\",\"styleSettings\":{\"showBorder\":true}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let labelDrilldown = PurviewDataSensitivityLogs\\r\\n| where ActivityType == \\\"Labeling\\\" \\r\\n| where \\\"{PurviewAccount:label}\\\" == \\\"All\\\" or PurviewAccountName in~ (split(\\\"{PurviewAccount:label}\\\", \\\", \\\"))\\r\\n| where \\\"{DataSource:label}\\\" == \\\"All\\\" or SourceType in~ (split(\\\"{DataSource:label}\\\", \\\", \\\"))\\r\\n| extend CollectionName = iff(SourceCollectionName == \\\"\\\",\\\"No Collection\\\",SourceCollectionName)\\r\\n| where \\\"{Collection:label}\\\" == \\\"All\\\" or CollectionName in~ (split(\\\"{Collection:label}\\\", \\\", \\\"))\\r\\n| mv-expand SensitivityLabel to typeof(string)\\r\\n| mv-expand SensitivityLabelDetails to typeof(string)\\r\\n| where \\\"{UserSelectedLabel:label}\\\" == \\\"All\\\" or \\\"{UserSelectedLabel:label}\\\" == SensitivityLabel\\r\\n| summarize arg_max(TimeGenerated, PurviewTenantId, PurviewAccountName, PurviewRegion, SourceName, SourceType, SourcePath, SourceSubscriptionId, SourceRegion, SourceCollectionName, AssetName, AssetPath, AssetType, AssetCreationTime, AssetModifiedTime, AssetLastScanTime, FileExtension, FileSize, ActivityType, SensitivityLabelTrigger, SensitivityLabel, SensitivityLabelDetails, SourceScanId) by AssetPath \\r\\n| project TimeGenerated, PurviewTenantId, PurviewAccountName, PurviewRegion, AssetName, AssetPath, AssetType, AssetCreationTime, AssetModifiedTime, AssetLastScanTime, FileExtension, FileSize, ActivityType, SensitivityLabelTrigger, SensitivityLabel, SensitivityLabelDetails, SourceName, SourceType, SourcePath, SourceSubscriptionId, SourceRegion, SourceCollectionName, SourceScanId;\\r\\n\\r\\nlabelDrilldown\",\"size\":0,\"showAnalytics\":true,\"title\":\"Sensitivity Labels Drilldown- Asset Level\",\"timeContext\":{\"durationMs\":2592000000},\"timeContextFromParameter\":\"Time\",\"showRefreshButton\":true,\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"TimeGenerated\",\"formatter\":5},{\"columnMatch\":\"PurviewTenantId\",\"formatter\":5},{\"columnMatch\":\"PurviewAccountName\",\"formatter\":5},{\"columnMatch\":\"PurviewRegion\",\"formatter\":5},{\"columnMatch\":\"AssetName\",\"formatter\":5},{\"columnMatch\":\"AssetPath\",\"formatter\":7,\"formatOptions\":{\"linkTarget\":\"GenericDetails\",\"linkIsContextBlade\":true,\"customColumnWidthSetting\":\"70ch\"}},{\"columnMatch\":\"AssetType\",\"formatter\":5},{\"columnMatch\":\"AssetCreationTime\",\"formatter\":5},{\"columnMatch\":\"AssetModifiedTime\",\"formatter\":5},{\"columnMatch\":\"FileExtension\",\"formatter\":5},{\"columnMatch\":\"FileSize\",\"formatter\":5},{\"columnMatch\":\"ActivityType\",\"formatter\":5},{\"columnMatch\":\"SensitivityLabelTrigger\",\"formatter\":5,\"numberFormat\":{\"unit\":0,\"options\":{\"style\":\"decimal\"},\"emptyValCustomText\":\"No Label\"}},{\"columnMatch\":\"SensitivityLabel\",\"formatter\":0,\"numberFormat\":{\"unit\":0,\"options\":{\"style\":\"decimal\"},\"emptyValCustomText\":\"No Label\"}},{\"columnMatch\":\"SensitivityLabelDetails\",\"formatter\":5,\"numberFormat\":{\"unit\":0,\"options\":{\"style\":\"decimal\"},\"emptyValCustomText\":\"No Label\"}},{\"columnMatch\":\"SourceName\",\"formatter\":5},{\"columnMatch\":\"SourceType\",\"formatter\":5},{\"columnMatch\":\"SourcePath\",\"formatter\":13,\"formatOptions\":{\"linkTarget\":\"Resource\",\"showIcon\":true}},{\"columnMatch\":\"SourceSubscriptionId\",\"formatter\":5},{\"columnMatch\":\"SourceRegion\",\"formatter\":5},{\"columnMatch\":\"SourceCollectionName\",\"formatter\":5},{\"columnMatch\":\"SourceScanId\",\"formatter\":5},{\"columnMatch\":\"SensitivityLabelName\",\"formatter\":0,\"numberFormat\":{\"unit\":0,\"options\":{\"style\":\"decimal\"},\"emptyValCustomText\":\"No Label\"}},{\"columnMatch\":\"PurviewSubscriptionId\",\"formatter\":5},{\"columnMatch\":\"SourceOwner\",\"formatter\":5},{\"columnMatch\":\"AssetOwner\",\"formatter\":5},{\"columnMatch\":\"ActivityTrigger\",\"formatter\":5},{\"columnMatch\":\"Classification\",\"formatter\":5},{\"columnMatch\":\"ClassificationCount\",\"formatter\":5},{\"columnMatch\":\"SensitivityLabelGuid\",\"formatter\":5},{\"columnMatch\":\"UserId\",\"formatter\":5}],\"filter\":true}},\"conditionalVisibility\":{\"parameterName\":\"Tab\",\"comparison\":\"isEqualTo\",\"value\":\"Labels\"},\"customWidth\":\"50\",\"name\":\"query - 13\",\"styleSettings\":{\"showBorder\":true}}],\"fromTemplateId\":\"sentinel-AzurePurview\",\"$schema\":\"https://github.com/Microsoft/Application-Insights-Workbooks/blob/master/schema/workbook.json\"}\r\n", "version": "1.0", "sourceId": "[variables('_workbook-source')]", "category": "sentinel" @@ -208,13 +177,13 @@ "kind": "Scheduled", "location": "[parameters('workspace-location')]", "properties": { - "description": "Identifies social security numbers that have been detected on assets \nduring a scan by Azure Purview. This can indicate an asset that should \nbe prioritized for protection. (An example is discovering when Social \nSecurity Numbers are found, but the specific classification detected \ncan be adjusted to best fit the needs of the organization).", - "displayName": "Social Security Numbers Discovered in the Last 24 Hours", + "description": "Identifies all classifications that have been detected on assets during a scan by Azure Purview within the last 24 hours.", + "displayName": "Sensitive Data Discovered in the Last 24 Hours", "enabled": false, - "query": "PurviewDataSensitivityLogs\n| where Classification has \"Social Security Number\" \n| where TimeGenerated > ago(24h)\n", + "query": "PurviewDataSensitivityLogs\n| where Classification != \"\" \n| where TimeGenerated > ago(24h)\n", "queryFrequency": "P1D", "queryPeriod": "P1D", - "severity": "Low", + "severity": "Informational", "suppressionDuration": "PT1H", "suppressionEnabled": false, "triggerOperator": "GreaterThan", @@ -224,19 +193,26 @@ ], "entityMappings": [ { - "entityType": "AzureResource", "fieldMappings": [ { "columnName": "SourcePath", "identifier": "ResourceId" } - ] + ], + "entityType": "AzureResource" } ], "customDetails": { - "ClassificationCount": "ClassificationCount", "Classification": "Classification", - "AssetName": "AssetName" + "AssetName": "AssetName", + "LastScanTime": "AssetLastScanTime", + "SourceRegion": "SourceRegion", + "AssetPath": "AssetPath", + "PurviewAccount": "PurviewAccount" + }, + "alertDetailsOverride": { + "alertDescriptionFormat": "Within the last 24 hours, Azure Purview ({PurviewAccountName}) scanned an asset that contained classifications within {SourceRegion}. The asset name is {AssetName} and the classifications discovered were {Classification}. The asset path is {AssetPath}", + "alertDisplayNameFormat": "Classifications discovered in {AssetName} by Azure Purview" } } }, @@ -247,13 +223,13 @@ "kind": "Scheduled", "location": "[parameters('workspace-location')]", "properties": { - "description": "Identifies assets that have a specific label, like Confidential, that \nhave been discovered during a scan by Azure Purview.", - "displayName": "Assets with a Confidential Label Discovered in the Last 24 Hours", + "description": "Customized query used to identify specific classifications and parameters that have been discovered on assets in the last 24 hours by Azure Purview. By default, the query identifies Social Security Numbers detected, but the specific classification monitored along with other data fields can be adjusted. A list of supported Azure Purview classifications can be found here: https://docs.microsoft.com/azure/purview/supported-classifications", + "displayName": "Sensitive Data Discovered in the Last 24 Hours - Customized", "enabled": false, - "query": "PurviewDataSensitivityLogs\n| where SensitivityLabelName contains \"confidential\" \n| where TimeGenerated > ago(24h) \n", + "query": "PurviewDataSensitivityLogs\n| where Classification contains \"Social Security Number\"\n//| where SourceRegion == \"westeurope\"\n//| where SourceType contains \"Amazon\"\n| where TimeGenerated > ago(24h)\n", "queryFrequency": "P1D", "queryPeriod": "P1D", - "severity": "Low", + "severity": "Informational", "suppressionDuration": "PT1H", "suppressionEnabled": false, "triggerOperator": "GreaterThan", @@ -263,125 +239,26 @@ ], "entityMappings": [ { - "entityType": "AzureResource", "fieldMappings": [ { "columnName": "SourcePath", "identifier": "ResourceId" } - ] + ], + "entityType": "AzureResource" } ], "customDetails": { - "ClassificationCount": "ClassificationCount", "Classification": "Classification", - "AssetName": "AssetName" - } - } - }, - { - "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules", - "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',parameters('analytic3-id'))]", - "apiVersion": "2021-03-01-preview", - "kind": "Scheduled", - "location": "[parameters('workspace-location')]", - "properties": { - "description": "Identifies assets with classifications that have been discovered to exist \nwithin a specific data source during a scan by Azure Purview in the last \n24 hours. (An example is discovering assets with source paths that \ncontain \"test\", but the source can be adjusted to best fit the needs\nof the organization). ", - "displayName": "Assets with Sensitive Data discovered in Test Data Sources in the Last 24 Hours", - "enabled": false, - "query": "PurviewDataSensitivityLogs\n| where ClassificationCount != 0 \n| where SourcePath contains \"test\" \n| where TimeGenerated > ago(24h)\n", - "queryFrequency": "P1D", - "queryPeriod": "P1D", - "severity": "Low", - "suppressionDuration": "PT1H", - "suppressionEnabled": false, - "triggerOperator": "GreaterThan", - "triggerThreshold": 0, - "tactics": [ - "Discovery" - ], - "entityMappings": [ - { - "entityType": "AzureResource", - "fieldMappings": [ - { - "columnName": "SourcePath", - "identifier": "ResourceId" - } - ] - } - ], - "customDetails": { - "ClassificationCount": "ClassificationCount", - "Classification": "Classification", - "AssetName": "AssetName" - } - } - }, - { - "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules", - "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',parameters('analytic4-id'))]", - "apiVersion": "2021-03-01-preview", - "kind": "Scheduled", - "location": "[parameters('workspace-location')]", - "properties": { - "description": "Identifies assets containing classifications that have been discovered\nto exist in a specific region during a scan by Azure Purview in the last\n24 hours. (An example is discovering assets from the East US, but the \nregion can be adjusted to best fit the needs of the organization).", - "displayName": "Assets with Sensitive Data Discovered in the East US in the Last 24 Hours", - "enabled": false, - "query": "PurviewDataSensitivityLogs\n| where ClassificationCount != 0 \n| where SourceRegion == \"eastus\"\n| where TimeGenerated > ago(24h)\n", - "queryFrequency": "P1D", - "queryPeriod": "P1D", - "severity": "Low", - "suppressionDuration": "PT1H", - "suppressionEnabled": false, - "triggerOperator": "GreaterThan", - "triggerThreshold": 0, - "tactics": [ - "Discovery" - ], - "entityMappings": [ - { - "entityType": "AzureResource", - "fieldMappings": [ - { - "columnName": "SourcePath", - "identifier": "ResourceId" - } - ] - } - ], - "customDetails": { - "ClassificationCount": "ClassificationCount", - "Classification": "Classification", - "AssetName": "AssetName" - } - } - }, - { - "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules", - "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',parameters('analytic5-id'))]", - "apiVersion": "2021-03-01-preview", - "kind": "Scheduled", - "location": "[parameters('workspace-location')]", - "properties": { - "description": "Identifies assets with classifications that have been discovered to exist\nin a specific source type during a scan by Azure Purview in the last 24 \nhours. (An example is discovering assets from Amazon, but the source type \ncan be adjusted to best fit the needs of the organization). ", - "displayName": "Assets from Amazon with Sensitive Data Discovered in the Last 24 Hours", - "enabled": false, - "query": "PurviewDataSensitivityLogs\n| where ClassificationCount != 0\n| where SourceType contains \"Amazon\"\n| where TimeGenerated > ago(24h)\n", - "queryFrequency": "PT24H", - "queryPeriod": "P1D", - "severity": "Low", - "suppressionDuration": "PT1H", - "suppressionEnabled": false, - "triggerOperator": "GreaterThan", - "triggerThreshold": 0, - "tactics": [ - "Discovery" - ], - "customDetails": { - "ClassificationCount": "ClassificationCount", - "Classification": "Classification", - "AssetName": "AssetName" + "AssetName": "AssetName", + "LastScanTime": "AssetLastScanTime", + "SourceRegion": "SourceRegion", + "AssetPath": "AssetPath", + "PurviewAccount": "PurviewAccount" + }, + "alertDetailsOverride": { + "alertDescriptionFormat": "Within the last 24 hours, Azure Purview ({PurviewAccountName}) scanned an asset that contained classifications within {SourceRegion}. The asset name is {AssetName} and the classifications discovered were {Classification}. The asset path is {AssetPath}", + "alertDisplayNameFormat": "Classifications discovered in {AssetName} by Azure Purview" } } }, @@ -389,13 +266,13 @@ "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", "apiVersion": "2021-03-01-preview", "properties": { - "version": "1.0.0", + "version": "1.0.2", "kind": "Solution", "contentId": "[variables('_sourceId')]", "parentId": "[variables('_sourceId')]", "source": { "kind": "Solution", - "name": "Azure Purview", + "name": "Azure Purview Solution", "sourceId": "[variables('_sourceId')]" }, "author": { @@ -414,37 +291,22 @@ { "kind": "DataConnector", "contentId": "[variables('_MicrosoftAzurePurviewConnector')]", - "version": "1.0.0" + "version": "1.0.2" }, { "kind": "Workbook", "contentId": "[variables('_AzurePurview_workbook')]", - "version": "1.0.0" + "version": "1.0.2" }, { "kind": "AnalyticsRule", - "contentId": "[variables('_AzurePurviewClassificationAdded_AnalyticalRules')]", - "version": "1.0.0" + "contentId": "[variables('_AzurePurviewSensitiveDataDiscovered_AnalyticalRules')]", + "version": "1.0.2" }, { "kind": "AnalyticsRule", - "contentId": "[variables('_AzurePurviewConfidentialLabelAdded_AnalyticalRules')]", - "version": "1.0.0" - }, - { - "kind": "AnalyticsRule", - "contentId": "[variables('_AzurePurviewDataSourceAssetAdded_AnalyticalRules')]", - "version": "1.0.0" - }, - { - "kind": "AnalyticsRule", - "contentId": "[variables('_AzurePurviewRegionClassificationAdded_AnalyticalRules')]", - "version": "1.0.0" - }, - { - "kind": "AnalyticsRule", - "contentId": "[variables('_AzurePurviewSourceTypeAdded_AnalyticalRules')]", - "version": "1.0.0" + "contentId": "[variables('_AzurePurviewSensitiveDataDiscoveredCustom_AnalyticalRules')]", + "version": "1.0.2" } ] }, diff --git a/Solutions/Azure Purview/Workbooks/AzurePurview.json b/Solutions/Azure Purview/Workbooks/AzurePurview.json index a7d0c8c8d2..2b6b2c9a7e 100644 --- a/Solutions/Azure Purview/Workbooks/AzurePurview.json +++ b/Solutions/Azure Purview/Workbooks/AzurePurview.json @@ -55,7 +55,10 @@ }, "defaultValue": "value::all", "queryType": 0, - "resourceType": "microsoft.operationalinsights/workspaces" + "resourceType": "microsoft.operationalinsights/workspaces", + "value": [ + "value::all" + ] }, { "id": "ea62a59c-3799-400d-a7af-f0ad14cc46c7", @@ -68,7 +71,10 @@ "multiSelect": true, "quote": "'", "delimiter": ",", - "query": "PurviewDataSensitivityLogs\r\n| distinct SourceCollectionName \r\n| extend Collection = iff(SourceCollectionName == \"\",\"No Collection\", SourceCollectionName)\r\n| project Collection", + "query": "PurviewDataSensitivityLogs\r\n| where ActivityType == \"Classification\"\r\n| distinct SourceCollectionName \r\n| extend Collection = iff(SourceCollectionName == \"\",\"No Collection\", SourceCollectionName)\r\n| project Collection", + "value": [ + "value::all" + ], "typeSettings": { "additionalResourceOptions": [ "value::all" @@ -89,7 +95,7 @@ "multiSelect": true, "quote": "", "delimiter": ",", - "query": "PurviewDataSensitivityLogs\r\n| distinct SourceType ", + "query": "PurviewDataSensitivityLogs\r\n| where ActivityType == \"Classification\"\r\n| distinct SourceType ", "value": [ "value::all" ], @@ -177,7 +183,7 @@ "size": 0, "title": "Number of Sources by Region", "timeContext": { - "durationMs": 0 + "durationMs": 2592000000 }, "timeContextFromParameter": "Time", "queryType": 0, @@ -214,7 +220,7 @@ "size": 0, "title": "Number of Classified Assets Found Based on Resource Type", "timeContext": { - "durationMs": 0 + "durationMs": 2592000000 }, "timeContextFromParameter": "Time", "queryType": 0, @@ -274,7 +280,7 @@ { "type": 1, "content": { - "json": "To use the Asset Drilldown view, select the row of the data source in the Sources table below to get a list of all assets scanned by Purview in that data source. To view the data source within the Azure portal, click on the data source hyperlink in the Sources table. Within the Assets Drilldown, click on the Asset Path hyperlink to view the Details pane.", + "json": "To use the Asset Drilldown view, select the row of the data source in the Sources table below to get a list of all assets scanned by Purview in that data source. Within the Assets Drilldown, click on the Asset Path hyperlink to view the Details pane. To view the data source within the Azure portal, click on the data source hyperlink in the Assets Drilldown table. ", "style": "warning" }, "conditionalVisibility": { @@ -299,6 +305,7 @@ "showRefreshButton": true, "exportFieldName": "DataSource", "exportParameterName": "UserSelectedDataSource", + "exportDefaultValue": "All", "showExportToExcel": true, "queryType": 0, "resourceType": "microsoft.operationalinsights/workspaces", @@ -377,12 +384,12 @@ "type": 3, "content": { "version": "KqlItem/1.0", - "query": "\r\nlet classifiedAssets = PurviewDataSensitivityLogs\r\n| where ActivityType == \"Classification\" \r\n| where \"{PurviewAccount:label}\" == \"All\" or PurviewAccountName in~ (split(\"{PurviewAccount:label}\", \", \"))\r\n| where SourceType in~ (split(\"{DataSource}\", \",\"))\r\n| extend CollectionName = iff(SourceCollectionName == \"\",\"No Collection\",SourceCollectionName)\r\n| where \"{Collection:label}\" == \"All\" or CollectionName in~ (split(\"{Collection:label}\", \", \"))\r\n| where (split(\"{UserSelectedDataSource:value}\", \", \")) contains SourcePath\r\n| summarize arg_max(TimeGenerated, PurviewTenantId, PurviewSubscriptionId, PurviewAccountName, PurviewRegion, SourceName, SourceType, SourcePath, SourceSubscriptionId, SourceRegion, SourceCollectionName, SourceOwner, AssetName, AssetPath, AssetType, AssetCreationTime, AssetModifiedTime, AssetOwner, AssetLastScanTime, FileExtension, FileSize, ActivityType, ClassificationActivityTrigger = ActivityTrigger, Classification, ClassificationCount, UserId, SensitivityLabelGuid, SensitivityLabelName) by AssetPath \r\n| project TimeGenerated, PurviewTenantId, PurviewSubscriptionId, PurviewAccountName, PurviewRegion, SourceName, SourceType, SourcePath, SourceSubscriptionId, SourceRegion, SourceCollectionName, SourceOwner, AssetName, AssetPath, AssetType, AssetCreationTime, AssetModifiedTime, AssetOwner, AssetLastScanTime, FileExtension, FileSize, ActivityType, ClassificationActivityTrigger, Classification, ClassificationCount, SensitivityLabelGuid, SensitivityLabelName, UserId;\r\n\r\nlet labeledAssets = PurviewDataSensitivityLogs\r\n| where ActivityType == \"Labeling\" \r\n| where \"{PurviewAccount:label}\" == \"All\" or PurviewAccountName in~ (split(\"{PurviewAccount:label}\", \", \"))\r\n| where SourceType in~ (split(\"{DataSource}\", \",\"))\r\n| where SensitivityLabelName != int(null)\r\n| extend SensitivityLabel = iif(isempty(SensitivityLabelName), \"No Label\", SensitivityLabelName)\r\n| summarize arg_max(SensitivityLabel, SourceType, ActivityTrigger) by AssetPath\r\n| project AssetPath, SensitivityLabel, SensitivityLabelActivityTrigger = ActivityTrigger;\r\n\r\nlet table = classifiedAssets\r\n| join kind= leftouter labeledAssets on AssetPath\r\n| project TimeGenerated, PurviewTenantId, PurviewSubscriptionId, PurviewAccountName, PurviewRegion, SourceName, SourceType, SourcePath, SourceSubscriptionId, SourceRegion, SourceCollectionName, SourceOwner, AssetName, AssetPath, AssetType, AssetCreationTime, AssetModifiedTime, AssetOwner, AssetLastScanTime, FileExtension, FileSize, ActivityType, ClassificationActivityTrigger, SensitivityLabelActivityTrigger, Classification, ClassificationCount, SensitivityLabelGuid, SensitivityLabel, UserId\r\n| sort by ClassificationCount;\r\n\r\ntable\r\n\r\n\r\n\r\n\r\n\r\n\r\n\r\n", + "query": "let ClassificationCountAdded = PurviewDataSensitivityLogs\r\n| where ActivityType == \"Classification\" \r\n| mv-expand ClassificationDetails\r\n| summarize ClassificationCount= sum(toint(ClassificationDetails[\"UniqueCount\"])) by AssetPath;\r\n\r\nlet classifiedAssets = PurviewDataSensitivityLogs\r\n| where ActivityType == \"Classification\" \r\n| where \"{PurviewAccount:label}\" == \"All\" or PurviewAccountName in~ (split(\"{PurviewAccount:label}\", \", \"))\r\n| where SourceType in~ (split(\"{DataSource}\", \",\"))\r\n| extend CollectionName = iff(SourceCollectionName == \"\",\"No Collection\",SourceCollectionName)\r\n| where \"{Collection:label}\" == \"All\" or CollectionName in~ (split(\"{Collection:label}\", \", \"))\r\n| where \"{UserSelectedDataSource:value}\" == \"All\" or (split(\"{UserSelectedDataSource:value}\", \", \")) contains SourcePath;\r\n\r\nlet classifiedAssetsWithCounts = classifiedAssets \r\n| join ClassificationCountAdded on AssetPath\r\n| summarize arg_max(TimeGenerated, PurviewTenantId, PurviewAccountName, PurviewRegion, SourceName, SourceType, SourcePath, SourceSubscriptionId, SourceRegion, SourceCollectionName, AssetName, AssetPath, AssetType, AssetCreationTime, AssetModifiedTime, AssetLastScanTime, FileExtension, FileSize, ActivityType, Classification, ClassificationCount, ClassificationTrigger, ClassificationDetails, SourceScanId) by AssetPath \r\n| project TimeGenerated, PurviewTenantId, PurviewAccountName, PurviewRegion, SourceName, SourceType, SourcePath, SourceSubscriptionId, SourceRegion, SourceCollectionName, AssetName, AssetPath, AssetType, AssetCreationTime, AssetModifiedTime, AssetLastScanTime, FileExtension, FileSize, ActivityType, Classification, ClassificationCount, ClassificationTrigger, ClassificationDetails, SourceScanId;\r\n\r\nlet labeledAssets = PurviewDataSensitivityLogs\r\n| where ActivityType == \"Labeling\" \r\n| where \"{PurviewAccount:label}\" == \"All\" or PurviewAccountName in~ (split(\"{PurviewAccount:label}\", \", \"))\r\n| where SourceType in~ (split(\"{DataSource}\", \",\"))\r\n| mv-expand SensitivityLabel to typeof(string)\r\n| where SensitivityLabel != int(null)\r\n//| extend SensitivityLabel = iif(isempty(SensitivityLabel), \"No Label\", SensitivityLabel)\r\n| mv-expand SensitivityLabelDetails\r\n| summarize arg_max(SensitivityLabel, SourceType, SensitivityLabelTrigger, SensitivityLabelDetails) by AssetPath\r\n| project AssetPath, SensitivityLabel, SensitivityLabelTrigger, SensitivityLabelDetails;\r\n\r\nlet table = classifiedAssetsWithCounts\r\n| join kind= leftouter labeledAssets on AssetPath\r\n| project TimeGenerated, PurviewTenantId, PurviewAccountName, PurviewRegion, AssetName, AssetPath, AssetType, AssetCreationTime, AssetModifiedTime, AssetLastScanTime, FileExtension, FileSize, ActivityType, ClassificationTrigger, Classification, ClassificationCount, ClassificationDetails, SensitivityLabelTrigger, SensitivityLabel, SensitivityLabelDetails, SourceName, SourceType, SourcePath, SourceSubscriptionId, SourceRegion, SourceCollectionName, SourceScanId\r\n| sort by ClassificationCount;\r\n\r\ntable\r\n\r\n\r\n\r\n\r\n\r\n\r\n\r\n", "size": 0, "showAnalytics": true, "title": "Assets Drilldown", "timeContext": { - "durationMs": 0 + "durationMs": 2592000000 }, "timeContextFromParameter": "Time", "showRefreshButton": true, @@ -400,10 +407,6 @@ "columnMatch": "PurviewTenantId", "formatter": 5 }, - { - "columnMatch": "PurviewSubscriptionId", - "formatter": 5 - }, { "columnMatch": "PurviewAccountName", "formatter": 5 @@ -412,34 +415,6 @@ "columnMatch": "PurviewRegion", "formatter": 5 }, - { - "columnMatch": "SourceName", - "formatter": 5 - }, - { - "columnMatch": "SourceType", - "formatter": 5 - }, - { - "columnMatch": "SourcePath", - "formatter": 5 - }, - { - "columnMatch": "SourceSubscriptionId", - "formatter": 5 - }, - { - "columnMatch": "SourceRegion", - "formatter": 5 - }, - { - "columnMatch": "SourceCollectionName", - "formatter": 5 - }, - { - "columnMatch": "SourceOwner", - "formatter": 5 - }, { "columnMatch": "AssetName", "formatter": 5 @@ -465,10 +440,6 @@ "columnMatch": "AssetModifiedTime", "formatter": 5 }, - { - "columnMatch": "AssetOwner", - "formatter": 5 - }, { "columnMatch": "AssetLastScanTime", "formatter": 5 @@ -482,11 +453,7 @@ "formatter": 5 }, { - "columnMatch": "ClassificationActivityTrigger", - "formatter": 5 - }, - { - "columnMatch": "SensitivityLabelActivityTrigger", + "columnMatch": "ActivityType", "formatter": 5 }, { @@ -500,6 +467,81 @@ "palette": "blue" } }, + { + "columnMatch": "ClassificationDetails", + "formatter": 5 + }, + { + "columnMatch": "SensitivityLabel", + "formatter": 0, + "numberFormat": { + "unit": 0, + "options": { + "style": "decimal" + }, + "emptyValCustomText": "No Label" + } + }, + { + "columnMatch": "SensitivityLabelTrigger", + "formatter": 5 + }, + { + "columnMatch": "SensitivityLabelDetails", + "formatter": 5 + }, + { + "columnMatch": "SourceName", + "formatter": 5 + }, + { + "columnMatch": "SourceType", + "formatter": 5 + }, + { + "columnMatch": "SourcePath", + "formatter": 13, + "formatOptions": { + "linkTarget": "Resource", + "showIcon": true + } + }, + { + "columnMatch": "SourceSubscriptionId", + "formatter": 5 + }, + { + "columnMatch": "SourceRegion", + "formatter": 5 + }, + { + "columnMatch": "SourceCollectionName", + "formatter": 5 + }, + { + "columnMatch": "SourceScanId", + "formatter": 5 + }, + { + "columnMatch": "PurviewSubscriptionId", + "formatter": 5 + }, + { + "columnMatch": "SourceOwner", + "formatter": 5 + }, + { + "columnMatch": "AssetOwner", + "formatter": 5 + }, + { + "columnMatch": "ClassificationActivityTrigger", + "formatter": 5 + }, + { + "columnMatch": "SensitivityLabelActivityTrigger", + "formatter": 5 + }, { "columnMatch": "SensitivityLabelGuid", "formatter": 5 @@ -520,72 +562,24 @@ } } ], + "rowLimit": 1000, "filter": true, "labelSettings": [ - { - "columnId": "TimeGenerated" - }, - { - "columnId": "PurviewTenantId" - }, - { - "columnId": "PurviewSubscriptionId" - }, - { - "columnId": "PurviewAccountName" - }, - { - "columnId": "PurviewRegion" - }, - { - "columnId": "SourceName" - }, - { - "columnId": "SourceType" - }, - { - "columnId": "SourcePath" - }, - { - "columnId": "SourceSubscriptionId" - }, - { - "columnId": "SourceRegion" - }, - { - "columnId": "SourceCollectionName" - }, - { - "columnId": "AssetName" - }, { "columnId": "AssetPath", "label": "Asset Path" }, - { - "columnId": "AssetType" - }, - { - "columnId": "AssetModifiedTime" - }, - { - "columnId": "AssetLastScanTime" - }, - { - "columnId": "FileExtension" - }, - { - "columnId": "FileSize" - }, - { - "columnId": "ActivityType" - }, - { - "columnId": "Classification" - }, { "columnId": "ClassificationCount", "label": "Classification Count" + }, + { + "columnId": "SensitivityLabel", + "label": "Sensitivity Label" + }, + { + "columnId": "SourcePath", + "label": "Data Source" } ] } @@ -618,92 +612,16 @@ "type": 3, "content": { "version": "KqlItem/1.0", - "query": "let TopClassifications = PurviewDataSensitivityLogs\r\n| where ActivityType == \"Classification\" \r\n| where \"{PurviewAccount:label}\" == \"All\" or PurviewAccountName in~ (split(\"{PurviewAccount:label}\", \", \"))\r\n| where \"{DataSource:label}\" == \"All\" or SourceType in~ (split(\"{DataSource:label}\", \", \"))\r\n| extend CollectionName = iff(SourceCollectionName == \"\",\"No Collection\",SourceCollectionName)\r\n| where \"{Collection:label}\" == \"All\" or CollectionName in~ (split(\"{Collection:label}\", \", \"))\r\n| summarize arg_max(TimeGenerated, Classification, FileSize, AssetType) by AssetPath \r\n| extend classifications = split(Classification, ',')\r\n| mv-expand classifications\r\n| extend Classification = trim(@\"[^\\w]+\", tostring(classifications))\r\n| where Classification != \"\"\r\n| distinct AssetPath, Classification\r\n| summarize AssetCount = count() by Classification \r\n| top 5 by AssetCount;\r\n\r\nTopClassifications\r\n", + "query": "PurviewDataSensitivityLogs\r\n| where ActivityType == \"Classification\"\r\n| where \"{PurviewAccount:label}\" == \"All\" or PurviewAccountName in~ (split(\"{PurviewAccount:label}\", \", \"))\r\n| where \"{DataSource:label}\" == \"All\" or SourceType in~ (split(\"{DataSource:label}\", \", \"))\r\n| extend CollectionName = iff(SourceCollectionName == \"\",\"No Collection\",SourceCollectionName)\r\n| where \"{Collection:label}\" == \"All\" or CollectionName in~ (split(\"{Collection:label}\", \", \"))\r\n| where Classification != \"\"\r\n| summarize ClassifiedAssetCount = count() by DateClassified = bin(TimeGenerated, 1d), SourceType", "size": 0, - "title": "Top Classifications", + "title": "Classification Events", "timeContext": { "durationMs": 2592000000 }, "timeContextFromParameter": "Time", "queryType": 0, "resourceType": "microsoft.operationalinsights/workspaces", - "visualization": "barchart", - "gridSettings": { - "formatters": [ - { - "columnMatch": "SourceType_s", - "formatter": 1 - }, - { - "columnMatch": "AssetCount", - "formatter": 4, - "formatOptions": { - "palette": "blue" - } - } - ] - }, - "tileSettings": { - "titleContent": { - "columnMatch": "Classification", - "formatter": 1 - }, - "leftContent": { - "columnMatch": "AssetCount", - "formatter": 12, - "formatOptions": { - "palette": "auto" - }, - "numberFormat": { - "unit": 17, - "options": { - "maximumSignificantDigits": 3, - "maximumFractionDigits": 2 - } - } - }, - "showBorder": false, - "sortCriteriaField": "AssetCount", - "sortOrderField": 2, - "size": "auto" - }, - "graphSettings": { - "type": 0, - "topContent": { - "columnMatch": "Classification", - "formatter": 1 - }, - "centerContent": { - "columnMatch": "AssetCount", - "formatter": 1, - "numberFormat": { - "unit": 17, - "options": { - "maximumSignificantDigits": 3, - "maximumFractionDigits": 2 - } - } - } - }, - "chartSettings": { - "yAxis": [ - "AssetCount" - ], - "showLegend": true - }, - "mapSettings": { - "locInfo": "LatLong", - "sizeSettings": "AssetCount", - "sizeAggregation": "Sum", - "legendMetric": "AssetCount", - "legendAggregation": "Sum", - "itemColorSettings": { - "type": "heatmap", - "colorAggregation": "Sum", - "nodeColorField": "AssetCount", - "heatmapPalette": "greenRed" - } - } + "visualization": "barchart" }, "conditionalVisibility": { "parameterName": "Tab", @@ -711,7 +629,7 @@ "value": "Classification" }, "customWidth": "50", - "name": "query - 7 - Copy", + "name": "query - 21", "styleSettings": { "showBorder": true } @@ -720,7 +638,7 @@ "type": 3, "content": { "version": "KqlItem/1.0", - "query": "let TopClassifiedAssets = PurviewDataSensitivityLogs\r\n| where ActivityType == \"Classification\" \r\n| where \"{PurviewAccount:label}\" == \"All\" or PurviewAccountName in~ (split(\"{PurviewAccount:label}\", \", \"))\r\n| where \"{DataSource:label}\" == \"All\" or SourceType in~ (split(\"{DataSource:label}\", \", \"))\r\n| extend CollectionName = iff(SourceCollectionName == \"\",\"No Collection\",SourceCollectionName)\r\n| where \"{Collection:label}\" == \"All\" or CollectionName in~ (split(\"{Collection:label}\", \", \"))\r\n| summarize arg_max(TimeGenerated, Classification, ClassificationCount, AssetName, AssetType, AssetPath, FileExtension, FileSize, SourceType, SourcePath) by AssetPath \r\n| project AssetPath, SourcePath, ClassificationCount\r\n| top 4 by ClassificationCount;\r\n\r\nTopClassifiedAssets", + "query": "let ClassificationCountAdded = PurviewDataSensitivityLogs\r\n| where ActivityType == \"Classification\" \r\n| mvexpand ClassificationDetails\r\n| summarize ClassificationCount= sum(toint(ClassificationDetails[\"UniqueCount\"])) by AssetPath;\r\nlet TopClassifiedAssets = PurviewDataSensitivityLogs\r\n| where ActivityType == \"Classification\" \r\n| where \"{PurviewAccount:label}\" == \"All\" or PurviewAccountName in~ (split(\"{PurviewAccount:label}\", \", \"))\r\n| where \"{DataSource:label}\" == \"All\" or SourceType in~ (split(\"{DataSource:label}\", \", \"))\r\n| extend CollectionName = iff(SourceCollectionName == \"\",\"No Collection\",SourceCollectionName)\r\n| where \"{Collection:label}\" == \"All\" or CollectionName in~ (split(\"{Collection:label}\", \", \"));\r\n\r\nTopClassifiedAssets | join ClassificationCountAdded on AssetPath \r\n| summarize arg_max(TimeGenerated, Classification, ClassificationCount, AssetName, AssetType, AssetPath, FileExtension, FileSize, SourceType, SourcePath) by AssetPath \r\n| project AssetPath, SourcePath, ClassificationCount\r\n| top 4 by ClassificationCount;", "size": 0, "title": "Top Assets with Classifications", "timeContext": { @@ -773,7 +691,7 @@ { "type": 1, "content": { - "json": "To use the Classifications Drilldown view, select a Classification in the Classifications table below to get a list all assets scanned by Purview with that classification. Within the Classifications Drilldown, click on the Asset Path hyperlink to view the Details pane.", + "json": "To use the Classifications Drilldown view, select a Classification in the Classifications table below to get a list all assets scanned by Purview with that classification. Within the Asset Level Drilldown, click on the Asset Path hyperlink to view the Details pane. To view the data source within the Azure portal, click on the data source hyperlink in the Asset Level Drilldown table.", "style": "warning" }, "conditionalVisibility": { @@ -787,17 +705,18 @@ "type": 3, "content": { "version": "KqlItem/1.0", - "query": "let Classifications = PurviewDataSensitivityLogs\r\n| where ActivityType == \"Classification\"\r\n| where \"{PurviewAccount:label}\" == \"All\" or PurviewAccountName in~ (split(\"{PurviewAccount:label}\", \", \"))\r\n| where \"{DataSource:label}\" == \"All\" or SourceType in~ (split(\"{DataSource:label}\", \", \"))\r\n| extend CollectionName = iff(SourceCollectionName == \"\",\"No Collection\",SourceCollectionName)\r\n| where \"{Collection:label}\" == \"All\" or CollectionName in~ (split(\"{Collection:label}\", \", \"))\r\n| summarize arg_max(TimeGenerated, Classification, FileSize, AssetType) by AssetPath \r\n| extend classifications = split(Classification, ',')\r\n| mv-expand classifications\r\n| extend Classification = trim(@\"[^\\w]+\", tostring(classifications))\r\n| where Classification != \"\"\r\n| summarize FileSize = round(sum(FileSize)/1000000,2), AssetCount = count() by Classification\r\n| project Classification, FileSize, AssetCount;\r\n\r\nClassifications\r\n\r\n\r\n\r\n\r\n\r\n\r\n\r\n\r\n\r\n\r\n\r\n", + "query": "let Classifications = PurviewDataSensitivityLogs\r\n| where ActivityType == \"Classification\"\r\n| where \"{PurviewAccount:label}\" == \"All\" or PurviewAccountName in~ (split(\"{PurviewAccount:label}\", \", \"))\r\n| where \"{DataSource:label}\" == \"All\" or SourceType in~ (split(\"{DataSource:label}\", \", \"))\r\n| extend CollectionName = iff(SourceCollectionName == \"\",\"No Collection\",SourceCollectionName)\r\n| where \"{Collection:label}\" == \"All\" or CollectionName in~ (split(\"{Collection:label}\", \", \"))\r\n| summarize arg_max(TimeGenerated, Classification, FileSize, AssetType) by AssetPath \r\n| extend classifications = split(Classification, ',')\r\n| mv-expand classifications\r\n| extend Classification = trim(@\"[^\\w]+\", tostring(classifications))\r\n| where Classification != \"\"\r\n| summarize FileSize = round(sum(FileSize)/1000000,2), AssetCount = count() by Classification\r\n| project Classification, AssetCount, FileSize;\r\n\r\nClassifications\r\n\r\n\r\n\r\n\r\n\r\n\r\n\r\n\r\n\r\n\r\n\r\n", "size": 0, "showAnalytics": true, "title": "Classifications", "timeContext": { - "durationMs": 0 + "durationMs": 2592000000 }, "timeContextFromParameter": "Time", "showRefreshButton": true, "exportFieldName": "Classification", "exportParameterName": "UserSelectedClassification", + "exportDefaultValue": "All", "showExportToExcel": true, "queryType": 0, "resourceType": "microsoft.operationalinsights/workspaces", @@ -831,27 +750,24 @@ "filter": true, "sortBy": [ { - "itemKey": "$gen_bar_AssetCount_2", + "itemKey": "$gen_bar_AssetCount_1", "sortOrder": 2 } ], "labelSettings": [ { - "columnId": "Classification" + "columnId": "AssetCount", + "label": "Classified Asset Count" }, { "columnId": "FileSize", "label": "Total Size of Files (MB)" - }, - { - "columnId": "AssetCount", - "label": "Classified Asset Count" } ] }, "sortBy": [ { - "itemKey": "$gen_bar_AssetCount_2", + "itemKey": "$gen_bar_AssetCount_1", "sortOrder": 2 } ], @@ -892,7 +808,7 @@ "type": 3, "content": { "version": "KqlItem/1.0", - "query": "let ClassificationsDrilldown = PurviewDataSensitivityLogs\r\n| where ActivityType == \"Classification\" \r\n| where \"{PurviewAccount:label}\" == \"All\" or PurviewAccountName in~ (split(\"{PurviewAccount:label}\", \", \"))\r\n| where \"{DataSource:label}\" == \"All\" or SourceType in~ (split(\"{DataSource:label}\", \", \"))\r\n| extend CollectionName = iff(SourceCollectionName == \"\",\"No Collection\",SourceCollectionName)\r\n| where \"{Collection:label}\" == \"All\" or CollectionName in~ (split(\"{Collection:label}\", \", \"))\r\n| extend classifications = split(Classification, ',')\r\n| mv-expand classifications\r\n| extend Classification = trim(@\"[^\\w]+\", tostring(classifications))\r\n| where Classification != \"\"\r\n| where (split(\"{UserSelectedClassification:label}\", \", \")) contains Classification\r\n| summarize arg_max(TimeGenerated, PurviewTenantId, PurviewSubscriptionId, PurviewAccountName, PurviewRegion, SourceName, SourceType, SourcePath, SourceSubscriptionId, SourceRegion, SourceCollectionName, SourceOwner, AssetName, AssetPath, AssetType, AssetCreationTime, AssetModifiedTime, AssetOwner, AssetLastScanTime, FileExtension, FileSize, ActivityType, ActivityTrigger, Classification, ClassificationCount, SensitivityLabelGuid, SensitivityLabelName, UserId) by AssetPath \r\n| project TimeGenerated, PurviewTenantId, PurviewSubscriptionId, PurviewAccountName, PurviewRegion, SourceName, SourceType, SourcePath, SourceSubscriptionId, SourceRegion, SourceCollectionName, SourceOwner, AssetName, AssetPath, AssetType, AssetCreationTime, AssetModifiedTime, AssetOwner, AssetLastScanTime, FileExtension, FileSize, ActivityType, ActivityTrigger, Classification, ClassificationCount, SensitivityLabelGuid, SensitivityLabelName, UserId;\r\n\r\nClassificationsDrilldown\r\n\r\n\r\n\r\n\r\n\r\n\r\n\r\n\r\n", + "query": "let ClassificationCountColumn = PurviewDataSensitivityLogs\r\n| mv-expand ClassificationDetails\r\n| summarize ClassificationCount = sum(toint(ClassificationDetails[\"UniqueCount\"])) by AssetPath;\r\nlet ClassificationsDrilldown = PurviewDataSensitivityLogs\r\n| where ActivityType == \"Classification\" \r\n| where \"{PurviewAccount:label}\" == \"All\" or PurviewAccountName in~ (split(\"{PurviewAccount:label}\", \", \"))\r\n| where \"{DataSource:label}\" == \"All\" or SourceType in~ (split(\"{DataSource:label}\", \", \"))\r\n| extend CollectionName = iff(SourceCollectionName == \"\",\"No Collection\",SourceCollectionName)\r\n| where \"{Collection:label}\" == \"All\" or CollectionName in~ (split(\"{Collection:label}\", \", \"))\r\n| extend classifications = split(Classification, ',')\r\n| mv-expand classifications\r\n| extend Classification = trim(@\"[^\\w]+\", tostring(classifications))\r\n| where Classification != \"\"\r\n| where \"{UserSelectedClassification:label}\" == \"All\" or (split(\"{UserSelectedClassification:label}\", \", \")) contains Classification;\r\n\r\nClassificationsDrilldown | join ClassificationCountColumn on AssetPath\r\n| summarize arg_max(TimeGenerated, PurviewTenantId, PurviewAccountName, PurviewRegion, SourceName, SourceType, SourcePath, SourceSubscriptionId, SourceRegion, SourceCollectionName, AssetName, AssetPath, AssetType, AssetCreationTime, AssetModifiedTime, AssetLastScanTime, FileExtension, FileSize, ActivityType, ClassificationTrigger, Classification, ClassificationCount, ClassificationDetails, SourceScanId) by AssetPath \r\n| project TimeGenerated, PurviewTenantId, PurviewAccountName, PurviewRegion, AssetName, AssetPath, AssetType, AssetCreationTime, AssetModifiedTime, AssetLastScanTime, FileExtension, FileSize, ActivityType, ClassificationTrigger, Classification, ClassificationCount, ClassificationDetails, SourceName, SourceType, SourcePath, SourceSubscriptionId, SourceRegion, SourceCollectionName, SourceScanId;\r\n\r\nClassificationsDrilldown\r\n\r\n\r\n\r\n\r\n\r\n\r\n\r\n\r\n", "size": 0, "showAnalytics": true, "title": "Classifications Drilldown- Asset Level", @@ -914,10 +830,6 @@ "columnMatch": "PurviewTenantId", "formatter": 5 }, - { - "columnMatch": "PurviewSubscriptionId", - "formatter": 5 - }, { "columnMatch": "PurviewAccountName", "formatter": 5 @@ -926,34 +838,6 @@ "columnMatch": "PurviewRegion", "formatter": 5 }, - { - "columnMatch": "SourceName", - "formatter": 5 - }, - { - "columnMatch": "SourceType", - "formatter": 5 - }, - { - "columnMatch": "SourcePath", - "formatter": 5 - }, - { - "columnMatch": "SourceSubscriptionId", - "formatter": 5 - }, - { - "columnMatch": "SourceRegion", - "formatter": 5 - }, - { - "columnMatch": "SourceCollectionName", - "formatter": 5 - }, - { - "columnMatch": "SourceOwner", - "formatter": 5 - }, { "columnMatch": "AssetName", "formatter": 5 @@ -979,10 +863,6 @@ "columnMatch": "AssetModifiedTime", "formatter": 5 }, - { - "columnMatch": "AssetOwner", - "formatter": 5 - }, { "columnMatch": "AssetLastScanTime", "formatter": 0, @@ -1003,11 +883,55 @@ "formatter": 5 }, { - "columnMatch": "ActivityTrigger", + "columnMatch": "Classification", "formatter": 5 }, { - "columnMatch": "Classification", + "columnMatch": "SourceName", + "formatter": 5 + }, + { + "columnMatch": "SourceType", + "formatter": 5 + }, + { + "columnMatch": "SourcePath", + "formatter": 13, + "formatOptions": { + "linkTarget": "Resource", + "showIcon": true + } + }, + { + "columnMatch": "SourceSubscriptionId", + "formatter": 5 + }, + { + "columnMatch": "SourceRegion", + "formatter": 5 + }, + { + "columnMatch": "SourceCollectionName", + "formatter": 5 + }, + { + "columnMatch": "SourceScanId", + "formatter": 5 + }, + { + "columnMatch": "PurviewSubscriptionId", + "formatter": 5 + }, + { + "columnMatch": "SourceOwner", + "formatter": 5 + }, + { + "columnMatch": "AssetOwner", + "formatter": 5 + }, + { + "columnMatch": "ActivityTrigger", "formatter": 5 }, { @@ -1023,7 +947,21 @@ "formatter": 5 } ], - "filter": true + "filter": true, + "labelSettings": [ + { + "columnId": "AssetPath", + "label": "Asset Path" + }, + { + "columnId": "AssetLastScanTime", + "label": "Asset Last Scan Time" + }, + { + "columnId": "SourcePath", + "label": "Data Source" + } + ] }, "sortBy": [] }, @@ -1055,39 +993,16 @@ "type": 3, "content": { "version": "KqlItem/1.0", - "query": "let SensitivityLabelsCount = PurviewDataSensitivityLogs\r\n| where ActivityType == \"Labeling\" \r\n| where \"{PurviewAccount:label}\" == \"All\" or PurviewAccountName in~ (split(\"{PurviewAccount:label}\", \", \"))\r\n| where \"{DataSource:label}\" == \"All\" or SourceType in~ (split(\"{DataSource:label}\", \", \"))\r\n| extend CollectionName = iff(SourceCollectionName == \"\",\"No Collection\",SourceCollectionName)\r\n| where \"{Collection:label}\" == \"All\" or CollectionName in~ (split(\"{Collection:label}\", \", \"))\r\n| where SensitivityLabelName != \"\"\r\n| summarize arg_max(SensitivityLabelName, SourceType) by AssetPath \r\n| summarize LabelCount = count() by SensitivityLabelName, SourceType;\r\n\r\nSensitivityLabelsCount", + "query": "PurviewDataSensitivityLogs\r\n| where ActivityType == \"Labeling\" \r\n| where \"{PurviewAccount:label}\" == \"All\" or PurviewAccountName in~ (split(\"{PurviewAccount:label}\", \", \"))\r\n| where \"{DataSource:label}\" == \"All\" or SourceType in~ (split(\"{DataSource:label}\", \", \"))\r\n| extend CollectionName = iff(SourceCollectionName == \"\",\"No Collection\",SourceCollectionName)\r\n| where \"{Collection:label}\" == \"All\" or CollectionName in~ (split(\"{Collection:label}\", \", \"))\r\n| where SensitivityLabel != \"\"\r\n| summarize LabeledAssetCount = count() by DateClassified = bin(TimeGenerated, 1d), SourceType", "size": 0, - "title": "Sensitivity Labels Count", + "title": "Sensitivity Labeling Events", "timeContext": { "durationMs": 2592000000 }, "timeContextFromParameter": "Time", - "exportFieldName": "SensitivityLabelName", - "exportParameterName": "UserSelectedLabel", "queryType": 0, "resourceType": "microsoft.operationalinsights/workspaces", - "visualization": "barchart", - "tileSettings": { - "showBorder": false, - "titleContent": { - "columnMatch": "SensitivityLabelName", - "formatter": 1 - }, - "leftContent": { - "columnMatch": "LabelCount", - "formatter": 12, - "formatOptions": { - "palette": "auto" - }, - "numberFormat": { - "unit": 17, - "options": { - "maximumSignificantDigits": 3, - "maximumFractionDigits": 2 - } - } - } - } + "visualization": "barchart" }, "conditionalVisibility": { "parameterName": "Tab", @@ -1095,7 +1010,7 @@ "value": "Labels" }, "customWidth": "50", - "name": "query - 14", + "name": "query - 21", "styleSettings": { "showBorder": true } @@ -1104,7 +1019,7 @@ "type": 3, "content": { "version": "KqlItem/1.0", - "query": "let LabelPercentage = PurviewDataSensitivityLogs\r\n| where ActivityType == \"Labeling\"\r\n| where \"{PurviewAccount:label}\" == \"All\" or PurviewAccountName in~ (split(\"{PurviewAccount:label}\", \", \"))\r\n| where \"{DataSource:label}\" == \"All\" or SourceType in~ (split(\"{DataSource:label}\", \", \"))\r\n| extend CollectionName = iff(SourceCollectionName == \"\",\"No Collection\",SourceCollectionName)\r\n| where \"{Collection:label}\" == \"All\" or CollectionName in~ (split(\"{Collection:label}\", \", \"))\r\n| summarize arg_max(AssetName, SensitivityLabelName, SourceType) by AssetPath \r\n| summarize LabelCount = count() by SensitivityLabelName, SourceType;\r\n\r\nLabelPercentage;\r\n", + "query": "let LabelPercentage = PurviewDataSensitivityLogs\r\n| where ActivityType == \"Labeling\"\r\n| where \"{PurviewAccount:label}\" == \"All\" or PurviewAccountName in~ (split(\"{PurviewAccount:label}\", \", \"))\r\n| where \"{DataSource:label}\" == \"All\" or SourceType in~ (split(\"{DataSource:label}\", \", \"))\r\n| extend CollectionName = iff(SourceCollectionName == \"\",\"No Collection\",SourceCollectionName)\r\n| where \"{Collection:label}\" == \"All\" or CollectionName in~ (split(\"{Collection:label}\", \", \"))\r\n| mv-expand SensitivityLabel\r\n| summarize arg_max(AssetName, tostring(SensitivityLabel), SourceType) by AssetPath \r\n| summarize LabelCount = count() by SensitivityLabel, SourceType;\r\n\r\nLabelPercentage;\r\n", "size": 3, "title": "Percentage of Labels Applied", "timeContext": { @@ -1221,17 +1136,17 @@ "type": 3, "content": { "version": "KqlItem/1.0", - "query": "let SensitivityLabels = PurviewDataSensitivityLogs\r\n| where ActivityType == \"Labeling\" \r\n| where \"{PurviewAccount:label}\" == \"All\" or PurviewAccountName in~ (split(\"{PurviewAccount:label}\", \", \"))\r\n| where \"{DataSource:label}\" == \"All\" or SourceType in~ (split(\"{DataSource:label}\", \", \"))\r\n| extend CollectionName = iff(SourceCollectionName == \"\",\"No Collection\",SourceCollectionName)\r\n| where \"{Collection:label}\" == \"All\" or CollectionName in~ (split(\"{Collection:label}\", \", \"))\r\n| extend newSensitivityLabelName = iff(SensitivityLabelName == \"\", \"No Label\", SensitivityLabelName)\r\n| summarize arg_max(newSensitivityLabelName, SourceType, FileSize) by AssetPath \r\n| summarize FileSize = round(sum(FileSize)/1000000,2), AssetCount = count() by newSensitivityLabelName\r\n| sort by AssetCount;\r\n\r\nSensitivityLabels", + "query": "let SensitivityLabels = PurviewDataSensitivityLogs\r\n| where ActivityType == \"Labeling\" \r\n| where \"{PurviewAccount:label}\" == \"All\" or PurviewAccountName in~ (split(\"{PurviewAccount:label}\", \", \"))\r\n| where \"{DataSource:label}\" == \"All\" or SourceType in~ (split(\"{DataSource:label}\", \", \"))\r\n| extend CollectionName = iff(SourceCollectionName == \"\",\"No Collection\",SourceCollectionName)\r\n| where \"{Collection:label}\" == \"All\" or CollectionName in~ (split(\"{Collection:label}\", \", \"))\r\n| mv-expand SensitivityLabel\r\n| extend newSensitivityLabel = tostring(SensitivityLabel) //iff(SensitivityLabel== \"\", \"No Label\", SensitivityLabel)\r\n| summarize arg_max(newSensitivityLabel, SourceType, FileSize) by AssetPath \r\n| summarize FileSize = round(sum(FileSize)/1000000,2), AssetCount = count() by newSensitivityLabel\r\n| sort by AssetCount;\r\n\r\nSensitivityLabels", "size": 0, "showAnalytics": true, "title": "Sensitivity Labels", "timeContext": { "durationMs": 2592000000 }, - "timeContextFromParameter": "Time", "showRefreshButton": true, - "exportFieldName": "newSensitivityLabelName", + "exportFieldName": "newSensitivityLabel", "exportParameterName": "UserSelectedLabel", + "exportDefaultValue": "All", "showExportToExcel": true, "queryType": 0, "resourceType": "microsoft.operationalinsights/workspaces", @@ -1239,10 +1154,14 @@ "gridSettings": { "formatters": [ { - "columnMatch": "SensitivityLabelName", - "formatter": 1, - "formatOptions": { - "customColumnWidthSetting": "60ch" + "columnMatch": "newSensitivityLabel", + "formatter": 0, + "numberFormat": { + "unit": 0, + "options": { + "style": "decimal" + }, + "emptyValCustomText": "No Label" } }, { @@ -1260,13 +1179,26 @@ "palette": "blue", "customColumnWidthSetting": "20ch" } + }, + { + "columnMatch": "SensitivityLabelName", + "formatter": 1, + "formatOptions": { + "customColumnWidthSetting": "60ch" + }, + "numberFormat": { + "unit": 0, + "options": { + "style": "decimal" + } + } } ], "filter": true, "labelSettings": [ { - "columnId": "newSensitivityLabelName", - "label": "Label" + "columnId": "newSensitivityLabel", + "label": "Sensitivity Label" }, { "columnId": "FileSize", @@ -1278,6 +1210,7 @@ } ] }, + "sortBy": [], "tileSettings": { "showBorder": false, "titleContent": { @@ -1315,7 +1248,7 @@ "type": 3, "content": { "version": "KqlItem/1.0", - "query": "let labelDrilldown = PurviewDataSensitivityLogs\r\n| where ActivityType == \"Labeling\" \r\n| where \"{PurviewAccount:label}\" == \"All\" or PurviewAccountName in~ (split(\"{PurviewAccount:label}\", \", \"))\r\n| where \"{DataSource:label}\" == \"All\" or SourceType in~ (split(\"{DataSource:label}\", \", \"))\r\n| extend CollectionName = iff(SourceCollectionName == \"\",\"No Collection\",SourceCollectionName)\r\n| where \"{Collection:label}\" == \"All\" or CollectionName in~ (split(\"{Collection:label}\", \", \"))\r\n| extend SensitivityLabel = iif(isempty(SensitivityLabelName), \"No Label\", SensitivityLabelName)\r\n| where (split(\"{UserSelectedLabel:label}\", \", \")) contains SensitivityLabel\r\n| summarize arg_max(TimeGenerated, PurviewTenantId, PurviewSubscriptionId, PurviewAccountName, PurviewRegion, SourceName, SourceType, SourcePath, SourceSubscriptionId, SourceRegion, SourceCollectionName, SourceOwner, AssetName, AssetPath, AssetType, AssetCreationTime, AssetModifiedTime, AssetOwner, AssetLastScanTime, FileExtension, FileSize, ActivityType, ActivityTrigger, Classification, ClassificationCount, SensitivityLabelGuid, SensitivityLabel, UserId) by AssetPath \r\n| project TimeGenerated, PurviewTenantId, PurviewSubscriptionId, PurviewAccountName, PurviewRegion, SourceName, SourceType, SourcePath, SourceSubscriptionId, SourceRegion, SourceCollectionName, SourceOwner, AssetName, AssetPath, AssetType, AssetCreationTime, AssetModifiedTime, AssetOwner, AssetLastScanTime, FileExtension, FileSize, ActivityType, ActivityTrigger, Classification, ClassificationCount, SensitivityLabelGuid, SensitivityLabel, UserId;\r\n\r\nlabelDrilldown", + "query": "let labelDrilldown = PurviewDataSensitivityLogs\r\n| where ActivityType == \"Labeling\" \r\n| where \"{PurviewAccount:label}\" == \"All\" or PurviewAccountName in~ (split(\"{PurviewAccount:label}\", \", \"))\r\n| where \"{DataSource:label}\" == \"All\" or SourceType in~ (split(\"{DataSource:label}\", \", \"))\r\n| extend CollectionName = iff(SourceCollectionName == \"\",\"No Collection\",SourceCollectionName)\r\n| where \"{Collection:label}\" == \"All\" or CollectionName in~ (split(\"{Collection:label}\", \", \"))\r\n| mv-expand SensitivityLabel to typeof(string)\r\n| mv-expand SensitivityLabelDetails to typeof(string)\r\n| where \"{UserSelectedLabel:label}\" == \"All\" or \"{UserSelectedLabel:label}\" == SensitivityLabel\r\n| summarize arg_max(TimeGenerated, PurviewTenantId, PurviewAccountName, PurviewRegion, SourceName, SourceType, SourcePath, SourceSubscriptionId, SourceRegion, SourceCollectionName, AssetName, AssetPath, AssetType, AssetCreationTime, AssetModifiedTime, AssetLastScanTime, FileExtension, FileSize, ActivityType, SensitivityLabelTrigger, SensitivityLabel, SensitivityLabelDetails, SourceScanId) by AssetPath \r\n| project TimeGenerated, PurviewTenantId, PurviewAccountName, PurviewRegion, AssetName, AssetPath, AssetType, AssetCreationTime, AssetModifiedTime, AssetLastScanTime, FileExtension, FileSize, ActivityType, SensitivityLabelTrigger, SensitivityLabel, SensitivityLabelDetails, SourceName, SourceType, SourcePath, SourceSubscriptionId, SourceRegion, SourceCollectionName, SourceScanId;\r\n\r\nlabelDrilldown", "size": 0, "showAnalytics": true, "title": "Sensitivity Labels Drilldown- Asset Level", @@ -1337,10 +1270,6 @@ "columnMatch": "PurviewTenantId", "formatter": 5 }, - { - "columnMatch": "PurviewSubscriptionId", - "formatter": 5 - }, { "columnMatch": "PurviewAccountName", "formatter": 5 @@ -1349,34 +1278,6 @@ "columnMatch": "PurviewRegion", "formatter": 5 }, - { - "columnMatch": "SourceName", - "formatter": 5 - }, - { - "columnMatch": "SourceType", - "formatter": 5 - }, - { - "columnMatch": "SourcePath", - "formatter": 5 - }, - { - "columnMatch": "SourceSubscriptionId", - "formatter": 5 - }, - { - "columnMatch": "SourceRegion", - "formatter": 5 - }, - { - "columnMatch": "SourceCollectionName", - "formatter": 5 - }, - { - "columnMatch": "SourceOwner", - "formatter": 5 - }, { "columnMatch": "AssetName", "formatter": 5 @@ -1402,10 +1303,6 @@ "columnMatch": "AssetModifiedTime", "formatter": 5 }, - { - "columnMatch": "AssetOwner", - "formatter": 5 - }, { "columnMatch": "FileExtension", "formatter": 5 @@ -1418,6 +1315,94 @@ "columnMatch": "ActivityType", "formatter": 5 }, + { + "columnMatch": "SensitivityLabelTrigger", + "formatter": 5, + "numberFormat": { + "unit": 0, + "options": { + "style": "decimal" + }, + "emptyValCustomText": "No Label" + } + }, + { + "columnMatch": "SensitivityLabel", + "formatter": 0, + "numberFormat": { + "unit": 0, + "options": { + "style": "decimal" + }, + "emptyValCustomText": "No Label" + } + }, + { + "columnMatch": "SensitivityLabelDetails", + "formatter": 5, + "numberFormat": { + "unit": 0, + "options": { + "style": "decimal" + }, + "emptyValCustomText": "No Label" + } + }, + { + "columnMatch": "SourceName", + "formatter": 5 + }, + { + "columnMatch": "SourceType", + "formatter": 5 + }, + { + "columnMatch": "SourcePath", + "formatter": 13, + "formatOptions": { + "linkTarget": "Resource", + "showIcon": true + } + }, + { + "columnMatch": "SourceSubscriptionId", + "formatter": 5 + }, + { + "columnMatch": "SourceRegion", + "formatter": 5 + }, + { + "columnMatch": "SourceCollectionName", + "formatter": 5 + }, + { + "columnMatch": "SourceScanId", + "formatter": 5 + }, + { + "columnMatch": "SensitivityLabelName", + "formatter": 0, + "numberFormat": { + "unit": 0, + "options": { + "style": "decimal" + }, + "emptyValCustomText": "No Label" + } + }, + { + "columnMatch": "PurviewSubscriptionId", + "formatter": 5 + }, + { + "columnMatch": "SourceOwner", + "formatter": 5 + }, + { + "columnMatch": "AssetOwner", + "formatter": 5 + }, { "columnMatch": "ActivityTrigger", "formatter": 5 @@ -1434,10 +1419,6 @@ "columnMatch": "SensitivityLabelGuid", "formatter": 5 }, - { - "columnMatch": "SensitivityLabel", - "formatter": 5 - }, { "columnMatch": "UserId", "formatter": 5 diff --git a/Solutions/CiscoDuoSecurity/Analytic Rules/CiscoDuoADSyncFailed.yaml b/Solutions/CiscoDuoSecurity/Analytic Rules/CiscoDuoADSyncFailed.yaml new file mode 100755 index 0000000000..bf03ba5c86 --- /dev/null +++ b/Solutions/CiscoDuoSecurity/Analytic Rules/CiscoDuoADSyncFailed.yaml @@ -0,0 +1,28 @@ +id: 398dd1cd-3251-49d8-b927-5b93bae4a094 +name: Cisco Duo - AD sync failed +description: | + 'Detects when AD syncronization failed.' +severity: Medium +requiredDataConnectors: + - connectorId: CiscoDuoSecurity + dataTypes: + - CiscoDuo +queryFrequency: 1h +queryPeriod: 1h +triggerOperator: gt +triggerThreshold: 0 +tactics: + - Impact +relevantTechniques: + - T1489 +query: | + CiscoDuo + | where DvcAction =~ "ad_sync_failed" + | extend IPCustomEntity = SrcIpAddr +entityMappings: + - entityType: IP + fieldMappings: + - identifier: Address + columnName: IPCustomEntity +version: 1.0.0 +kind: Scheduled \ No newline at end of file diff --git a/Solutions/CiscoDuoSecurity/Analytic Rules/CiscoDuoAdminDeleted.yaml b/Solutions/CiscoDuoSecurity/Analytic Rules/CiscoDuoAdminDeleted.yaml new file mode 100755 index 0000000000..3ea0436ac3 --- /dev/null +++ b/Solutions/CiscoDuoSecurity/Analytic Rules/CiscoDuoAdminDeleted.yaml @@ -0,0 +1,28 @@ +id: 6424c623-31a5-4892-be33-452586fd4075 +name: Cisco Duo - Admin user deleted +description: | + 'Detects when admin user is deleted.' +severity: Medium +requiredDataConnectors: + - connectorId: CiscoDuoSecurity + dataTypes: + - CiscoDuo +queryFrequency: 1h +queryPeriod: 1h +triggerOperator: gt +triggerThreshold: 0 +tactics: + - Impact +relevantTechniques: + - T1531 +query: | + CiscoDuo + | where DvcAction =~ "admin_delete" + | extend AccountCustomEntity = DstUserName +entityMappings: + - entityType: Account + fieldMappings: + - identifier: Name + columnName: AccountCustomEntity +version: 1.0.0 +kind: Scheduled diff --git a/Solutions/CiscoDuoSecurity/Analytic Rules/CiscoDuoAdminMFAFailures.yaml b/Solutions/CiscoDuoSecurity/Analytic Rules/CiscoDuoAdminMFAFailures.yaml new file mode 100755 index 0000000000..d4b4f220df --- /dev/null +++ b/Solutions/CiscoDuoSecurity/Analytic Rules/CiscoDuoAdminMFAFailures.yaml @@ -0,0 +1,31 @@ +id: e46c5588-e643-4a60-a008-5ba9a4c84328 +name: Cisco Duo - Multiple admin 2FA failures +description: | + 'Detects when multiple admin 2FA failures occurs.' +severity: Medium +requiredDataConnectors: + - connectorId: CiscoDuoSecurity + dataTypes: + - CiscoDuo +queryFrequency: 1h +queryPeriod: 1h +triggerOperator: gt +triggerThreshold: 0 +tactics: + - InitialAccess +relevantTechniques: + - T1078 +query: | + let threshold = 10; + CiscoDuo + | where DvcAction =~ "admin_2fa_error" + | summarize count() by DstUserName, bin(TimeGenerated, 10m) + | where count_ > threshold + | extend AccountCustomEntity = DstUserName +entityMappings: + - entityType: Account + fieldMappings: + - identifier: Name + columnName: AccountCustomEntity +version: 1.0.0 +kind: Scheduled \ No newline at end of file diff --git a/Solutions/CiscoDuoSecurity/Analytic Rules/CiscoDuoAdminPasswordReset.yaml b/Solutions/CiscoDuoSecurity/Analytic Rules/CiscoDuoAdminPasswordReset.yaml new file mode 100755 index 0000000000..b5fe72406b --- /dev/null +++ b/Solutions/CiscoDuoSecurity/Analytic Rules/CiscoDuoAdminPasswordReset.yaml @@ -0,0 +1,28 @@ +id: 413e49a5-b107-4698-8428-46b89308bd22 +name: Cisco Duo - Admin password reset +description: | + 'Detects when admin's password was reset.' +severity: High +requiredDataConnectors: + - connectorId: CiscoDuoSecurity + dataTypes: + - CiscoDuo +queryFrequency: 1h +queryPeriod: 1h +triggerOperator: gt +triggerThreshold: 0 +tactics: + - Persistence +relevantTechniques: + - T1078 +query: | + CiscoDuo + | where DvcAction =~ "admin_reset_password" + | extend AccountCustomEntity = DstUserName +entityMappings: + - entityType: Account + fieldMappings: + - identifier: Name + columnName: AccountCustomEntity +version: 1.0.0 +kind: Scheduled \ No newline at end of file diff --git a/Solutions/CiscoDuoSecurity/Analytic Rules/CiscoDuoMultipleUserLoginFailures.yaml b/Solutions/CiscoDuoSecurity/Analytic Rules/CiscoDuoMultipleUserLoginFailures.yaml new file mode 100755 index 0000000000..688c86080b --- /dev/null +++ b/Solutions/CiscoDuoSecurity/Analytic Rules/CiscoDuoMultipleUserLoginFailures.yaml @@ -0,0 +1,32 @@ +id: 034f62b6-df51-49f3-831f-1e4cfd3c40d2 +name: Cisco Duo - Multiple user login failures +description: | + 'Detects when multiple user login failures occurs.' +severity: Medium +requiredDataConnectors: + - connectorId: CiscoDuoSecurity + dataTypes: + - CiscoDuo +queryFrequency: 1h +queryPeriod: 1h +triggerOperator: gt +triggerThreshold: 0 +tactics: + - InitialAccess +relevantTechniques: + - T1078 +query: | + let threshold = 10; + CiscoDuo + | where EventType =~ 'authentication' + | where EventResult in~ ('denied', 'failure') + | summarize count() by DstUserName, bin(TimeGenerated, 10m) + | where count_ > threshold + | extend AccountCustomEntity = DstUserName +entityMappings: + - entityType: Account + fieldMappings: + - identifier: Name + columnName: AccountCustomEntity +version: 1.0.0 +kind: Scheduled diff --git a/Solutions/CiscoDuoSecurity/Analytic Rules/CiscoDuoMultipleUsersDeleted.yaml b/Solutions/CiscoDuoSecurity/Analytic Rules/CiscoDuoMultipleUsersDeleted.yaml new file mode 100755 index 0000000000..0d5a95b5d6 --- /dev/null +++ b/Solutions/CiscoDuoSecurity/Analytic Rules/CiscoDuoMultipleUsersDeleted.yaml @@ -0,0 +1,30 @@ +id: 6e4f9031-91d3-4fa1-8baf-624935f04ad8 +name: Cisco Duo - Multiple users deleted +description: | + 'Detects when multiple users were deleted.' +severity: Medium +requiredDataConnectors: + - connectorId: CiscoDuoSecurity + dataTypes: + - CiscoDuo +queryFrequency: 1h +queryPeriod: 1h +triggerOperator: gt +triggerThreshold: 0 +tactics: + - Impact +relevantTechniques: + - T1531 +query: | + CiscoDuo + | where DvcAction =~ "user_delete" + | summarize count() by DstUserName, bin(TimeGenerated, 10m) + | where count_ > 1 + | extend AccountCustomEntity = DstUserName +entityMappings: + - entityType: Account + fieldMappings: + - identifier: Name + columnName: AccountCustomEntity +version: 1.0.0 +kind: Scheduled diff --git a/Solutions/CiscoDuoSecurity/Analytic Rules/CiscoDuoNewAccessDevice.yaml b/Solutions/CiscoDuoSecurity/Analytic Rules/CiscoDuoNewAccessDevice.yaml new file mode 100755 index 0000000000..5b860399bc --- /dev/null +++ b/Solutions/CiscoDuoSecurity/Analytic Rules/CiscoDuoNewAccessDevice.yaml @@ -0,0 +1,39 @@ +id: f05271b6-26a5-49cf-ad73-4a202fba6eb6 +name: Cisco Duo - New access device +description: | + 'Detects new access device.' +severity: Medium +requiredDataConnectors: + - connectorId: CiscoDuoSecurity + dataTypes: + - CiscoDuo +queryFrequency: 1h +queryPeriod: 14d +triggerOperator: gt +triggerThreshold: 0 +tactics: + - InitialAccess +relevantTechniques: + - T1078 +query: | + CiscoDuo + | where EventType =~ 'authentication' + | where EventResult =~ 'success' + | where isnotempty(AccessDvcIpAddr) + | summarize dvc_ip = makeset(AccessDvcIpAddr) by DstUserName + | join (CiscoDuo + | where EventType =~ 'authentication' + | where EventResult =~ 'success') on DstUserName + | where dvc_ip !has AccessDvcIpAddr + | extend IPCustomEntity = AccessDvcIpAddr, AccountCustomEntity = DstUserName +entityMappings: + - entityType: IP + fieldMappings: + - identifier: Address + columnName: IPCustomEntity + - entityType: Account + fieldMappings: + - identifier: Name + columnName: AccountCustomEntity +version: 1.0.0 +kind: Scheduled \ No newline at end of file diff --git a/Solutions/CiscoDuoSecurity/Analytic Rules/CiscoDuoNewAdmin.yaml b/Solutions/CiscoDuoSecurity/Analytic Rules/CiscoDuoNewAdmin.yaml new file mode 100755 index 0000000000..c1c85e3b7e --- /dev/null +++ b/Solutions/CiscoDuoSecurity/Analytic Rules/CiscoDuoNewAdmin.yaml @@ -0,0 +1,29 @@ +id: 0724cb01-4866-483d-a149-eb400fe1daa8 +name: Cisco Duo - Admin user created +description: | + 'Detects when new admin user is created.' +severity: Medium +requiredDataConnectors: + - connectorId: CiscoDuoSecurity + dataTypes: + - CiscoDuo +queryFrequency: 1h +queryPeriod: 1h +triggerOperator: gt +triggerThreshold: 0 +tactics: + - Persistence + - PrivilegeEscalation +relevantTechniques: + - T1078 +query: | + CiscoDuo + | where DvcAction =~ "admin_create" + | extend AccountCustomEntity = DstUserName +entityMappings: + - entityType: Account + fieldMappings: + - identifier: Name + columnName: AccountCustomEntity +version: 1.0.0 +kind: Scheduled \ No newline at end of file diff --git a/Solutions/CiscoDuoSecurity/Analytic Rules/CiscoDuoNewAuthDeviceLocation.yaml b/Solutions/CiscoDuoSecurity/Analytic Rules/CiscoDuoNewAuthDeviceLocation.yaml new file mode 100755 index 0000000000..3b48a12b42 --- /dev/null +++ b/Solutions/CiscoDuoSecurity/Analytic Rules/CiscoDuoNewAuthDeviceLocation.yaml @@ -0,0 +1,39 @@ +id: 01df3abe-3dc7-40e2-8aa7-f00b402df6f0 +name: Cisco Duo - Authentication device new location +description: | + 'Detects new location of authentication device.' +severity: Medium +requiredDataConnectors: + - connectorId: CiscoDuoSecurity + dataTypes: + - CiscoDuo +queryFrequency: 1h +queryPeriod: 14d +triggerOperator: gt +triggerThreshold: 0 +tactics: + - InitialAccess +relevantTechniques: + - T1078 +query: | + CiscoDuo + | where EventType =~ 'authentication' + | where EventResult =~ 'success' + | where isnotempty(AuthDeviceCountry) + | summarize src_c = makeset(AuthDeviceCountry) by SrcIpAddr + | join (CiscoDuo + | where EventType =~ 'authentication' + | where EventResult =~ 'success') on SrcIpAddr + | where src_c !has AuthDeviceCountry + | extend IPCustomEntity = SrcIpAddr, AccountCustomEntity = DstUserName +entityMappings: + - entityType: IP + fieldMappings: + - identifier: Address + columnName: IPCustomEntity + - entityType: Account + fieldMappings: + - identifier: Name + columnName: AccountCustomEntity +version: 1.0.0 +kind: Scheduled diff --git a/Solutions/CiscoDuoSecurity/Analytic Rules/CiscoDuoUnexpectedAuthFactor.yaml b/Solutions/CiscoDuoSecurity/Analytic Rules/CiscoDuoUnexpectedAuthFactor.yaml new file mode 100755 index 0000000000..f1c963cfa2 --- /dev/null +++ b/Solutions/CiscoDuoSecurity/Analytic Rules/CiscoDuoUnexpectedAuthFactor.yaml @@ -0,0 +1,35 @@ +id: 16c91a2c-17ad-4985-a9ad-4a4f1cb11830 +name: Cisco Duo - Unexpected authentication factor +description: | + 'Detects when unexpected authentication factor used.' +severity: Medium +requiredDataConnectors: + - connectorId: CiscoDuoSecurity + dataTypes: + - CiscoDuo +queryFrequency: 1h +queryPeriod: 1h +triggerOperator: gt +triggerThreshold: 0 +tactics: + - InitialAccess +relevantTechniques: + - T1078 +query: | + let allowed_auth_f = dynamic(['duo_push', 'duo_mobile_passcode']); + CiscoDuo + | where EventType =~ 'authentication' + | where EventResult =~ 'success' + | where AuthFactor !in~ (allowed_auth_f) + | extend IPCustomEntity = SrcIpAddr, AccountCustomEntity = DstUserName +entityMappings: + - entityType: IP + fieldMappings: + - identifier: Address + columnName: IPCustomEntity + - entityType: Account + fieldMappings: + - identifier: Name + columnName: AccountCustomEntity +version: 1.0.0 +kind: Scheduled diff --git a/Solutions/CiscoDuoSecurity/Hunting Queries/CiscoDuoAdmin2FAFailure.yaml b/Solutions/CiscoDuoSecurity/Hunting Queries/CiscoDuoAdmin2FAFailure.yaml new file mode 100755 index 0000000000..23424aa942 --- /dev/null +++ b/Solutions/CiscoDuoSecurity/Hunting Queries/CiscoDuoAdmin2FAFailure.yaml @@ -0,0 +1,28 @@ +id: 421bbeed-ad5b-4acd-9f0b-6b609da33914 +name: Cisco Duo - Admin failure authentications +description: | + 'Query searches for administrator issue completing secondary authentication.' +severity: Medium +requiredDataConnectors: + - connectorId: CiscoDuoSecurity + dataTypes: + - CiscoDuo +tactics: + - InitialAccess +relevantTechniques: + - T1078 +query: | + CiscoDuo + | where TimeGenerated > ago(24h) + | where DvcAction =~ "admin_2fa_error" + | project TimeGenerated, SrcIpAddr, DstUserName + | extend AccountCustomEntity = DstUserName, IPCustomEntity = SrcIpAddr +entityMappings: + - entityType: Account + fieldMappings: + - identifier: Name + columnName: AccountCustomEntity + - entityType: IP + fieldMappings: + - identifier: Address + columnName: IPCustomEntity diff --git a/Solutions/CiscoDuoSecurity/Hunting Queries/CiscoDuoAdminDeleteActions.yaml b/Solutions/CiscoDuoSecurity/Hunting Queries/CiscoDuoAdminDeleteActions.yaml new file mode 100755 index 0000000000..9a5ebac362 --- /dev/null +++ b/Solutions/CiscoDuoSecurity/Hunting Queries/CiscoDuoAdminDeleteActions.yaml @@ -0,0 +1,28 @@ +id: c6386cad-2dd2-436c-a938-bc66dda6c01a +name: Cisco Duo - Delete actions +description: | + 'Query searches for delete actions performed by admin users.' +severity: Medium +requiredDataConnectors: + - connectorId: CiscoDuoSecurity + dataTypes: + - CiscoDuo +tactics: + - Impact +relevantTechniques: + - T1531 +query: | + CiscoDuo + | where TimeGenerated > ago(24h) + | where DvcAction in~ ('activation_delete_link', 'admin_activation_delete', 'admin_delete', 'azure_directory_delete', 'bypass_delete', 'delete_child_customer', 'directory_delete', 'feature_delete', 'group_delete', 'hardtoken_delete', 'integration_delete', 'phone_delete', 'policy_delete', 'u2ftoken_delete', 'user_delete') + | project TimeGenerated, SrcIpAddr, DstUserName + | extend AccountCustomEntity = SrcUserName, IPCustomEntity = SrcIpAddr +entityMappings: + - entityType: Account + fieldMappings: + - identifier: Name + columnName: AccountCustomEntity + - entityType: IP + fieldMappings: + - identifier: Address + columnName: IPCustomEntity diff --git a/Solutions/CiscoDuoSecurity/Hunting Queries/CiscoDuoAdminFailure.yaml b/Solutions/CiscoDuoSecurity/Hunting Queries/CiscoDuoAdminFailure.yaml new file mode 100755 index 0000000000..6505767a32 --- /dev/null +++ b/Solutions/CiscoDuoSecurity/Hunting Queries/CiscoDuoAdminFailure.yaml @@ -0,0 +1,28 @@ +id: 385b0938-3922-48ab-a57a-cb8650ab71a3 +name: Cisco Duo - Admin failure authentications +description: | + 'Query searches admin failure authentication events.' +severity: Medium +requiredDataConnectors: + - connectorId: CiscoDuoSecurity + dataTypes: + - CiscoDuo +tactics: + - InitialAccess +relevantTechniques: + - T1078 +query: | + CiscoDuo + | where TimeGenerated > ago(24h) + | where DvcAction =~ "admin_login_error" + | project TimeGenerated, SrcIpAddr, DstUserName + | extend AccountCustomEntity = DstUserName, IPCustomEntity = SrcIpAddr +entityMappings: + - entityType: Account + fieldMappings: + - identifier: Name + columnName: AccountCustomEntity + - entityType: IP + fieldMappings: + - identifier: Address + columnName: IPCustomEntity diff --git a/Solutions/CiscoDuoSecurity/Hunting Queries/CiscoDuoAuthenticationErrorEvents.yaml b/Solutions/CiscoDuoSecurity/Hunting Queries/CiscoDuoAuthenticationErrorEvents.yaml new file mode 100755 index 0000000000..ab4798c4fb --- /dev/null +++ b/Solutions/CiscoDuoSecurity/Hunting Queries/CiscoDuoAuthenticationErrorEvents.yaml @@ -0,0 +1,29 @@ +id: b8c43652-1b79-4b18-a348-a719bafad6d3 +name: Cisco Duo - Authentication errors +description: | + 'Query searches for authentication errors.' +severity: Medium +requiredDataConnectors: + - connectorId: CiscoDuoSecurity + dataTypes: + - CiscoDuo +tactics: + - InitialAccess +relevantTechniques: + - T1078 +query: | + CiscoDuo + | where TimeGenerated > ago(24h) + | where EventType =~ 'authentication' + | where EventResult =~ 'error' + | project TimeGenerated, DstUserName, SrcIpAddr, EventResultDetails + | extend AccountCustomEntity = DstUserName, IPCustomEntity = SrcIpAddr +entityMappings: + - entityType: Account + fieldMappings: + - identifier: Name + columnName: AccountCustomEntity + - entityType: IP + fieldMappings: + - identifier: Address + columnName: IPCustomEntity diff --git a/Solutions/CiscoDuoSecurity/Hunting Queries/CiscoDuoAuthenticationErrorReasons.yaml b/Solutions/CiscoDuoSecurity/Hunting Queries/CiscoDuoAuthenticationErrorReasons.yaml new file mode 100755 index 0000000000..d75ac67da6 --- /dev/null +++ b/Solutions/CiscoDuoSecurity/Hunting Queries/CiscoDuoAuthenticationErrorReasons.yaml @@ -0,0 +1,25 @@ +id: 5653900e-4b21-408d-84da-e4db3da891bb +name: Cisco Duo - Authentication error reasons +description: | + 'Query searches for authentication error reasons.' +severity: Medium +requiredDataConnectors: + - connectorId: CiscoDuoSecurity + dataTypes: + - CiscoDuo +tactics: + - InitialAccess +relevantTechniques: + - T1078 +query: | + CiscoDuo + | where TimeGenerated > ago(24h) + | where EventType =~ 'authentication' + | where EventResult in~ ('denied', 'failure') + | summarize count() by EventResultDetails, DstUserName + | extend AccountCustomEntity = DstUserName +entityMappings: + - entityType: Account + fieldMappings: + - identifier: Name + columnName: AccountCustomEntity diff --git a/Solutions/CiscoDuoSecurity/Hunting Queries/CiscoDuoDeletedUsers.yaml b/Solutions/CiscoDuoSecurity/Hunting Queries/CiscoDuoDeletedUsers.yaml new file mode 100755 index 0000000000..2b35b2bf19 --- /dev/null +++ b/Solutions/CiscoDuoSecurity/Hunting Queries/CiscoDuoDeletedUsers.yaml @@ -0,0 +1,28 @@ +id: 5d0b00fd-1dc0-4e1b-ae09-5cec3b4fadf6 +name: Cisco Duo - Deleted users +description: | + 'Query searches for deleted users.' +severity: Medium +requiredDataConnectors: + - connectorId: CiscoDuoSecurity + dataTypes: + - CiscoDuo +tactics: + - Impact +relevantTechniques: + - T1531 +query: | + CiscoDuo + | where TimeGenerated > ago(24h) + | where DvcAction =~ "user_delete" + | project TimeGenerated, SrcIpAddr, SrcUserName, DstUserName + | extend AccountCustomEntity = SrcUserName, IPCustomEntity = SrcIpAddr +entityMappings: + - entityType: Account + fieldMappings: + - identifier: Name + columnName: AccountCustomEntity + - entityType: IP + fieldMappings: + - identifier: Address + columnName: IPCustomEntity diff --git a/Solutions/CiscoDuoSecurity/Hunting Queries/CiscoDuoFraudAuthentication.yaml b/Solutions/CiscoDuoSecurity/Hunting Queries/CiscoDuoFraudAuthentication.yaml new file mode 100755 index 0000000000..8aebcc9097 --- /dev/null +++ b/Solutions/CiscoDuoSecurity/Hunting Queries/CiscoDuoFraudAuthentication.yaml @@ -0,0 +1,29 @@ +id: b8f46142-cebc-435d-9943-2ed74e1eaba7 +name: Cisco Duo - Fraud authentications +description: | + 'Query searches for fraud authentication events.' +severity: Medium +requiredDataConnectors: + - connectorId: CiscoDuoSecurity + dataTypes: + - CiscoDuo +tactics: + - InitialAccess +relevantTechniques: + - T1078 +query: | + CiscoDuo + | where TimeGenerated > ago(24h) + | where EventType =~ 'authentication' + | where EventResult =~ 'fraud' + | project TimeGenerated, DstUserName, SrcIpAddr + | extend AccountCustomEntity = DstUserName, IPCustomEntity = SrcIpAddr +entityMappings: + - entityType: Account + fieldMappings: + - identifier: Name + columnName: AccountCustomEntity + - entityType: IP + fieldMappings: + - identifier: Address + columnName: IPCustomEntity diff --git a/Solutions/CiscoDuoSecurity/Hunting Queries/CiscoDuoNewUsers.yaml b/Solutions/CiscoDuoSecurity/Hunting Queries/CiscoDuoNewUsers.yaml new file mode 100755 index 0000000000..9fae674f1d --- /dev/null +++ b/Solutions/CiscoDuoSecurity/Hunting Queries/CiscoDuoNewUsers.yaml @@ -0,0 +1,29 @@ +id: 72c81132-bc09-4a2f-9c32-02e2e9ee7978 +name: Cisco Duo - New users +description: | + 'Query searches for new users created.' +severity: Medium +requiredDataConnectors: + - connectorId: CiscoDuoSecurity + dataTypes: + - CiscoDuo +tactics: + - InitialAccess + - Persistence +relevantTechniques: + - T1078 +query: | + CiscoDuo + | where TimeGenerated > ago(24h) + | where DvcAction "user_create" + | project TimeGenerated, SrcIpAddr, SrcUserName, DstUserName + | extend AccountCustomEntity = SrcUserName, IPCustomEntity = SrcIpAddr +entityMappings: + - entityType: Account + fieldMappings: + - identifier: Name + columnName: AccountCustomEntity + - entityType: IP + fieldMappings: + - identifier: Address + columnName: IPCustomEntity diff --git a/Solutions/CiscoDuoSecurity/Hunting Queries/CiscoDuoUnpachedAccessDevices.yaml b/Solutions/CiscoDuoSecurity/Hunting Queries/CiscoDuoUnpachedAccessDevices.yaml new file mode 100755 index 0000000000..298393f836 --- /dev/null +++ b/Solutions/CiscoDuoSecurity/Hunting Queries/CiscoDuoUnpachedAccessDevices.yaml @@ -0,0 +1,30 @@ +id: 9de62fee-f601-43c9-8757-2098e59fedeb +name: Cisco Duo - Devices with vulnerable OS +description: | + 'Query searches for devices with vulnerable OS.' +severity: Medium +requiredDataConnectors: + - connectorId: CiscoDuoSecurity + dataTypes: + - CiscoDuo +tactics: + - InitialAccess +relevantTechniques: + - T1078 +query: | + let os_latest = 'x.x.xxx'; //put the latest version of OS here before running the query + CiscoDuo + | where TimeGenerated > ago(24h) + | where EventType =~ 'authentication' + | where AccessDvcOsVersion != os_latest + | project TimeGenerated, SrcIpAddr, DstUserName + | extend AccountCustomEntity = DstUserName, IPCustomEntity = SrcIpAddr +entityMappings: + - entityType: Account + fieldMappings: + - identifier: Name + columnName: AccountCustomEntity + - entityType: IP + fieldMappings: + - identifier: Address + columnName: IPCustomEntity diff --git a/Solutions/CiscoDuoSecurity/Hunting Queries/CiscoDuoUnsecuredDevices.yaml b/Solutions/CiscoDuoSecurity/Hunting Queries/CiscoDuoUnsecuredDevices.yaml new file mode 100755 index 0000000000..c0627a3184 --- /dev/null +++ b/Solutions/CiscoDuoSecurity/Hunting Queries/CiscoDuoUnsecuredDevices.yaml @@ -0,0 +1,29 @@ +id: c308e737-e620-4c89-ab1e-a186e901b087 +name: Cisco Duo - Devices with unsecure settings +description: | + 'Query searches for devices with unsecure settings.' +severity: Medium +requiredDataConnectors: + - connectorId: CiscoDuoSecurity + dataTypes: + - CiscoDuo +tactics: + - InitialAccess +relevantTechniques: + - T1078 +query: | + CiscoDuo + | where TimeGenerated > ago(24h) + | where EventType =~ 'authentication' + | where AccessDvcEncryptionEnabled == False or AccessDvcFirewallEnabled == False or AccessDvcPasswordSet == False + | project TimeGenerated, SrcIpAddr, DstUserName + | extend AccountCustomEntity = DstUserName, IPCustomEntity = SrcIpAddr +entityMappings: + - entityType: Account + fieldMappings: + - identifier: Name + columnName: AccountCustomEntity + - entityType: IP + fieldMappings: + - identifier: Address + columnName: IPCustomEntity diff --git a/Solutions/CiscoDuoSecurity/Workbooks/CiscoDuo.json b/Solutions/CiscoDuoSecurity/Workbooks/CiscoDuo.json new file mode 100644 index 0000000000..cfdd26a4b9 --- /dev/null +++ b/Solutions/CiscoDuoSecurity/Workbooks/CiscoDuo.json @@ -0,0 +1,333 @@ +{ + "version": "Notebook/1.0", + "items": [ + { + "type": 1, + "content": { + "json": "**NOTE**: This data connector depends on a parser based on Kusto Function **CiscoDuo** to work as expected. [Follow steps to get this Kusto Function](https://aka.ms/sentinel-ciscoduo-parser)" + }, + "name": "text - 8" + }, + { + "type": 9, + "content": { + "version": "KqlParameterItem/1.0", + "parameters": [ + { + "id": "cd8447d9-b096-4673-92d8-2a1e8291a125", + "version": "KqlParameterItem/1.0", + "name": "TimeRange", + "type": 4, + "description": "Sets the time name for analysis", + "value": { + "durationMs": 7776000000 + }, + "typeSettings": { + "selectableValues": [ + { + "durationMs": 900000 + }, + { + "durationMs": 3600000 + }, + { + "durationMs": 86400000 + }, + { + "durationMs": 604800000 + }, + { + "durationMs": 2592000000 + }, + { + "durationMs": 7776000000 + } + ] + }, + "timeContext": { + "durationMs": 86400000 + } + } + ], + "style": "pills", + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces" + }, + "name": "parameters - 11" + }, + { + "type": 3, + "content": { + "version": "KqlItem/1.0", + "query": "CiscoDuo\r\n| make-series TotalEvents = count() default = 0 on TimeGenerated from {TimeRange:start} to {TimeRange:end} step {TimeRange:grain};", + "size": 0, + "title": "Events Over Time", + "color": "greenDark", + "timeContext": { + "durationMs": 0 + }, + "timeContextFromParameter": "TimeRange", + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces", + "visualization": "timechart", + "graphSettings": { + "type": 0 + } + }, + "customWidth": "40", + "name": "query - 12", + "styleSettings": { + "maxWidth": "55" + } + }, + { + "type": 3, + "content": { + "version": "KqlItem/1.0", + "query": "CiscoDuo\n| summarize count() by SrcGeoCountry", + "size": 0, + "title": "Countries summary", + "timeContext": { + "durationMs": 0 + }, + "timeContextFromParameter": "TimeRange", + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces", + "visualization": "piechart" + }, + "customWidth": "30", + "name": "query - 11" + }, + { + "type": 3, + "content": { + "version": "KqlItem/1.0", + "query": "let tot_dvc = CiscoDuo\r\n| summarize e_count=dcount(SrcHostname)\r\n| extend Title='Authentication Devices';\r\nlet tot_usr = CiscoDuo\r\n| where EventType =~ 'authentication'\r\n| where EventResult =~ 'success'\r\n| summarize e_count=dcount(DstUserName)\r\n| extend Title='Total Users';\r\nlet tot_adm = CiscoDuo\r\n| where EventType =~ 'admin_login'\r\n| summarize e_count=dcount(DstUserName)\r\n| extend Title='Admin users';\r\nunion isfuzzy=true tot_dvc, tot_usr, tot_adm\r\n| order by e_count", + "size": 3, + "title": "Summary", + "timeContext": { + "durationMs": 0 + }, + "timeContextFromParameter": "TimeRange", + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces", + "visualization": "tiles", + "tileSettings": { + "titleContent": { + "columnMatch": "Title", + "formatter": 1 + }, + "leftContent": { + "columnMatch": "e_count", + "formatter": 12, + "formatOptions": { + "palette": "auto" + }, + "numberFormat": { + "unit": 17, + "options": { + "style": "decimal", + "maximumFractionDigits": 2, + "maximumSignificantDigits": 3 + } + } + }, + "secondaryContent": { + "columnMatch": "Trend", + "formatter": 9, + "formatOptions": { + "palette": "purple" + } + }, + "showBorder": false + } + }, + "customWidth": "25", + "name": "query - 0", + "styleSettings": { + "maxWidth": "30" + } + }, + { + "type": 3, + "content": { + "version": "KqlItem/1.0", + "query": "CiscoDuo\r\n| where isnotempty(SrcIpAddr)\r\n| summarize count() by SrcIpAddr", + "size": 3, + "title": "Source Addresses", + "timeContext": { + "durationMs": 7776000000 + }, + "timeContextFromParameter": "TimeRange", + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces", + "visualization": "piechart" + }, + "customWidth": "33", + "name": "query - 3", + "styleSettings": { + "margin": "10", + "padding": "10" + } + }, + { + "type": 3, + "content": { + "version": "KqlItem/1.0", + "query": "CiscoDuo\r\n| where isnotempty(DstUserName)\r\n| summarize count() by DstUserName\r\n| top 10 by count_", + "size": 3, + "title": "Top Users", + "timeContext": { + "durationMs": 7776000000 + }, + "timeContextFromParameter": "TimeRange", + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces", + "visualization": "piechart", + "gridSettings": { + "sortBy": [ + { + "itemKey": "TotalEvents", + "sortOrder": 2 + } + ] + }, + "sortBy": [ + { + "itemKey": "TotalEvents", + "sortOrder": 2 + } + ] + }, + "customWidth": "33", + "name": "query - 2" + }, + { + "type": 3, + "content": { + "version": "KqlItem/1.0", + "query": "CiscoDuo\n| where EventType =~ 'authentication'\n| where EventResult =~ 'success'\n| summarize e_count = count() by SrcDvcOs\n| project-rename DeviceOS=SrcDvcOs", + "size": 0, + "title": "Device OS Types", + "timeContext": { + "durationMs": 7776000000 + }, + "timeContextFromParameter": "TimeRange", + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces", + "visualization": "tiles", + "tileSettings": { + "titleContent": { + "columnMatch": "User", + "formatter": 1 + }, + "leftContent": { + "columnMatch": "TotalMailsReceived", + "formatter": 12, + "formatOptions": { + "palette": "auto" + }, + "numberFormat": { + "unit": 17, + "options": { + "maximumSignificantDigits": 3, + "maximumFractionDigits": 2 + } + } + }, + "secondaryContent": { + "columnMatch": "Trend", + "formatter": 10, + "formatOptions": { + "palette": "magenta" + } + }, + "showBorder": false + } + }, + "customWidth": "30", + "name": "query - 10" + }, + { + "type": 3, + "content": { + "version": "KqlItem/1.0", + "query": "CiscoDuo\r\n| where EventType in~ ('admin_login', 'admin_login_error')\r\n| project TimeGenerated, DstUserName, Result=strcat(iff(EventType =~ 'admin_login_error', '❌', '✅'))\r\n", + "size": 3, + "title": "Admin login status", + "timeContext": { + "durationMs": 7776000000 + }, + "timeContextFromParameter": "TimeRange", + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces", + "visualization": "table" + }, + "customWidth": "34", + "name": "query - 1" + }, + { + "type": 3, + "content": { + "version": "KqlItem/1.0", + "query": "CiscoDuo\r\n| where EventType =~ 'authentication'\r\n| project TimeGenerated, DstUserName, Result=strcat(iff(EventResult =~ 'success', '✅', '❌'))", + "size": 0, + "title": "User authentication status", + "timeContext": { + "durationMs": 7776000000 + }, + "timeContextFromParameter": "TimeRange", + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces", + "gridSettings": { + "rowLimit": 50, + "filter": true + } + }, + "customWidth": "40", + "name": "query - 12", + "styleSettings": { + "maxWidth": "33" + } + }, + { + "type": 3, + "content": { + "version": "KqlItem/1.0", + "query": "CiscoDuo\n| where EventType =~ 'user_create'\n| project SrcUserName", + "size": 0, + "timeContext": { + "durationMs": 7776000000 + }, + "timeContextFromParameter": "TimeRange", + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces", + "visualization": "tiles", + "gridSettings": { + "filter": true + }, + "tileSettings": { + "titleContent": { + "columnMatch": "Title" + }, + "subtitleContent": { + "columnMatch": "SrcIpAddr", + "formatter": 12, + "formatOptions": { + "palette": "purpleDark" + } + }, + "showBorder": false, + "rowLimit": 25 + }, + "textSettings": { + "style": "bignumber" + } + }, + "customWidth": "15", + "name": "query - 10" + } + ], + "fromTemplateId": "sentinel-CiscoDuoWorkbook", + "$schema": "https://github.com/Microsoft/Application-Insights-Workbooks/blob/master/schema/workbook.json" +} \ No newline at end of file diff --git a/Solutions/CiscoDuoSecurity/Workbooks/Images/CiscoDuoBlack.png b/Solutions/CiscoDuoSecurity/Workbooks/Images/CiscoDuoBlack.png new file mode 100644 index 0000000000..71b4d12135 Binary files /dev/null and b/Solutions/CiscoDuoSecurity/Workbooks/Images/CiscoDuoBlack.png differ diff --git a/Solutions/CiscoDuoSecurity/Workbooks/Images/CiscoDuoWhite.png b/Solutions/CiscoDuoSecurity/Workbooks/Images/CiscoDuoWhite.png new file mode 100644 index 0000000000..998fc13604 Binary files /dev/null and b/Solutions/CiscoDuoSecurity/Workbooks/Images/CiscoDuoWhite.png differ diff --git a/Solutions/CiscoUmbrella/Analytic Rules/CiscoUmbrellaConnectionNon-CorporatePrivateNetwork.yaml b/Solutions/CiscoUmbrella/Analytic Rules/CiscoUmbrellaConnectionNon-CorporatePrivateNetwork.yaml index 31b2baab68..e7f126982c 100644 --- a/Solutions/CiscoUmbrella/Analytic Rules/CiscoUmbrellaConnectionNon-CorporatePrivateNetwork.yaml +++ b/Solutions/CiscoUmbrella/Analytic Rules/CiscoUmbrellaConnectionNon-CorporatePrivateNetwork.yaml @@ -1,54 +1,53 @@ -id: c9b6d281-b96b-4763-b728-9a04b9fe1246 -name: Cisco Umbrella - Connection to non-corporate private network -description: | - 'IP addresses of broadband links that usually indicates users attempting to access their home network, for example for a remote session to a home computer.' -severity: Medium -requiredDataConnectors: - - connectorId: CiscoUmbrellaDataConnector - dataTypes: - - Cisco_Umbrella_proxy_CL -queryFrequency: 10m -queryPeriod: 10m -triggerOperator: gt -triggerThreshold: 0 -tactics: - - CommandandControl - - Exfiltration -query: | - let lbtime = 10m; - Cisco_Umbrella - | where TimeGenerated > ago(lbtime) - | where EventType == 'proxylogs' - | where DvcAction =~ 'Allowed' - | where UrlCategory contains 'Adult Themes' or - UrlCategory contains 'Adware' or - UrlCategory contains 'Alcohol' or - UrlCategory contains 'Illegal Downloads' or - UrlCategory contains 'Drugs' or - UrlCategory contains 'Child Abuse Content' or - UrlCategory contains 'Hate/Discrimination' or - UrlCategory contains 'Nudity' or - UrlCategory contains 'Pornography' or - UrlCategory contains 'Proxy/Anonymizer' or - UrlCategory contains 'Sexuality' or - UrlCategory contains 'Tasteless' or - UrlCategory contains 'Terrorism' or - UrlCategory contains 'Web Spam' or - UrlCategory contains 'German Youth Protection' or - UrlCategory contains 'Illegal Activities' or - UrlCategory contains 'Lingerie/Bikini' or - UrlCategory contains 'Weapons' - | project TimeGenerated, SrcIpAddr, Identities - | extend IPCustomEntity = SrcIpAddr - | extend AccountCustomEntity = Identities -entityMappings: - - entityType: Account - fieldMappings: - - identifier: FullName - columnName: AccountCustomEntity - - entityType: IP - fieldMappings: - - identifier: Address - columnName: IPCustomEntity -version: 1.0.0 -kind: Scheduled \ No newline at end of file +id: c9b6d281-b96b-4763-b728-9a04b9fe1246 +name: Cisco Umbrella - Connection to non-corporate private network +description: | + 'IP addresses of broadband links that usually indicates users attempting to access their home network, for example for a remote session to a home computer.' +severity: Medium +requiredDataConnectors: + - connectorId: CiscoUmbrellaDataConnector + dataTypes: + - Cisco_Umbrella_proxy_CL +queryFrequency: 10m +queryPeriod: 10m +triggerOperator: gt +triggerThreshold: 0 +tactics: + - CommandAndControl + - Exfiltration +query: | + let lbtime = 10m; + Cisco_Umbrella + | where TimeGenerated > ago(lbtime) + | where EventType == 'proxylogs' + | where DvcAction =~ 'Allowed' + | where UrlCategory contains 'Adult Themes' or + UrlCategory contains 'Adware' or + UrlCategory contains 'Alcohol' or + UrlCategory contains 'Illegal Downloads' or + UrlCategory contains 'Drugs' or + UrlCategory contains 'Child Abuse Content' or + UrlCategory contains 'Hate/Discrimination' or + UrlCategory contains 'Nudity' or + UrlCategory contains 'Pornography' or + UrlCategory contains 'Proxy/Anonymizer' or + UrlCategory contains 'Sexuality' or + UrlCategory contains 'Tasteless' or + UrlCategory contains 'Terrorism' or + UrlCategory contains 'Web Spam' or + UrlCategory contains 'German Youth Protection' or + UrlCategory contains 'Illegal Activities' or + UrlCategory contains 'Lingerie/Bikini' or + UrlCategory contains 'Weapons' + | project TimeGenerated, SrcIpAddr, Identities + | extend IPCustomEntity = SrcIpAddr + | extend AccountCustomEntity = Identities +entityMappings: + - entityType: Account + fieldMappings: + - identifier: FullName + columnName: AccountCustomEntity + - entityType: IP + fieldMappings: + - identifier: Address + columnName: IPCustomEntity +kind: Scheduled diff --git a/Solutions/CiscoUmbrella/Analytic Rules/CiscoUmbrellaConnectionToUnpopularWebsiteDetected.yaml b/Solutions/CiscoUmbrella/Analytic Rules/CiscoUmbrellaConnectionToUnpopularWebsiteDetected.yaml index b946db8324..234bea385e 100644 --- a/Solutions/CiscoUmbrella/Analytic Rules/CiscoUmbrellaConnectionToUnpopularWebsiteDetected.yaml +++ b/Solutions/CiscoUmbrella/Analytic Rules/CiscoUmbrellaConnectionToUnpopularWebsiteDetected.yaml @@ -12,7 +12,7 @@ queryPeriod: 14d triggerOperator: gt triggerThreshold: 0 tactics: - - CommandandControl + - CommandAndControl query: | let domain_lookBack= 14d; let timeframe = 1d; @@ -40,5 +40,5 @@ entityMappings: fieldMappings: - identifier: Address columnName: IPCustomEntity -version: 1.0.0 -kind: Scheduled \ No newline at end of file +version: 1.1.0 +kind: Scheduled diff --git a/Solutions/CiscoUmbrella/Analytic Rules/CiscoUmbrellaCryptoMinerUserAgentDetected.yaml b/Solutions/CiscoUmbrella/Analytic Rules/CiscoUmbrellaCryptoMinerUserAgentDetected.yaml index 6431e51110..d277d83347 100644 --- a/Solutions/CiscoUmbrella/Analytic Rules/CiscoUmbrellaCryptoMinerUserAgentDetected.yaml +++ b/Solutions/CiscoUmbrella/Analytic Rules/CiscoUmbrellaCryptoMinerUserAgentDetected.yaml @@ -12,7 +12,7 @@ queryPeriod: 15m triggerOperator: gt triggerThreshold: 0 tactics: - - CommandandControl + - CommandAndControl query: | let timeframe = 15m; Cisco_Umbrella @@ -31,5 +31,5 @@ entityMappings: fieldMappings: - identifier: Address columnName: IPCustomEntity -version: 1.0.0 -kind: Scheduled \ No newline at end of file +version: 1.1.0 +kind: Scheduled diff --git a/Solutions/CiscoUmbrella/Analytic Rules/CiscoUmbrellaEmptyUserAgentDetected.yaml b/Solutions/CiscoUmbrella/Analytic Rules/CiscoUmbrellaEmptyUserAgentDetected.yaml index 80fbcc2526..3a37a19eef 100644 --- a/Solutions/CiscoUmbrella/Analytic Rules/CiscoUmbrellaEmptyUserAgentDetected.yaml +++ b/Solutions/CiscoUmbrella/Analytic Rules/CiscoUmbrellaEmptyUserAgentDetected.yaml @@ -12,7 +12,7 @@ queryPeriod: 15m triggerOperator: gt triggerThreshold: 0 tactics: - - CommandandControl + - CommandAndControl query: | let timeframe = 15m; Cisco_Umbrella @@ -31,5 +31,5 @@ entityMappings: fieldMappings: - identifier: Address columnName: IPCustomEntity -version: 1.0.0 -kind: Scheduled \ No newline at end of file +version: 1.1.0 +kind: Scheduled diff --git a/Solutions/CiscoUmbrella/Analytic Rules/CiscoUmbrellaHackToolUserAgentDetected.yaml b/Solutions/CiscoUmbrella/Analytic Rules/CiscoUmbrellaHackToolUserAgentDetected.yaml index 196b167667..7ff7f539a7 100644 --- a/Solutions/CiscoUmbrella/Analytic Rules/CiscoUmbrellaHackToolUserAgentDetected.yaml +++ b/Solutions/CiscoUmbrella/Analytic Rules/CiscoUmbrellaHackToolUserAgentDetected.yaml @@ -12,7 +12,7 @@ queryPeriod: 15m triggerOperator: gt triggerThreshold: 0 tactics: - - CommandandControl + - CommandAndControl query: | let timeframe = 15m; let user_agents=dynamic([ @@ -79,5 +79,5 @@ entityMappings: fieldMappings: - identifier: Address columnName: IPCustomEntity -version: 1.0.0 -kind: Scheduled \ No newline at end of file +version: 1.1.0 +kind: Scheduled diff --git a/Solutions/CiscoUmbrella/Analytic Rules/CiscoUmbrellaPowershellUserAgentDetected.yaml b/Solutions/CiscoUmbrella/Analytic Rules/CiscoUmbrellaPowershellUserAgentDetected.yaml index 0d09e7231d..232617190f 100644 --- a/Solutions/CiscoUmbrella/Analytic Rules/CiscoUmbrellaPowershellUserAgentDetected.yaml +++ b/Solutions/CiscoUmbrella/Analytic Rules/CiscoUmbrellaPowershellUserAgentDetected.yaml @@ -12,7 +12,7 @@ queryPeriod: 15m triggerOperator: gt triggerThreshold: 0 tactics: - - CommandandControl + - CommandAndControl - DefenseEvasion query: | let timeframe = 15m; @@ -32,5 +32,5 @@ entityMappings: fieldMappings: - identifier: Address columnName: IPCustomEntity -version: 1.0.0 -kind: Scheduled \ No newline at end of file +version: 1.1.0 +kind: Scheduled diff --git a/Solutions/CiscoUmbrella/Analytic Rules/CiscoUmbrellaRareUserAgentDetected.yaml b/Solutions/CiscoUmbrella/Analytic Rules/CiscoUmbrellaRareUserAgentDetected.yaml index 7727140d62..9b280a8010 100644 --- a/Solutions/CiscoUmbrella/Analytic Rules/CiscoUmbrellaRareUserAgentDetected.yaml +++ b/Solutions/CiscoUmbrella/Analytic Rules/CiscoUmbrellaRareUserAgentDetected.yaml @@ -12,7 +12,7 @@ queryPeriod: 14d triggerOperator: gt triggerThreshold: 0 tactics: - - CommandandControl + - CommandAndControl query: | let lookBack = 14d; let timeframe = 1d; @@ -37,5 +37,5 @@ entityMappings: fieldMappings: - identifier: Address columnName: IPCustomEntity -version: 1.0.0 +version: 1.1.0 kind: Scheduled \ No newline at end of file diff --git a/Solutions/CiscoUmbrella/Analytic Rules/CiscoUmbrellaRequestAllowedHarmfulMaliciousURICategory.yaml b/Solutions/CiscoUmbrella/Analytic Rules/CiscoUmbrellaRequestAllowedHarmfulMaliciousURICategory.yaml index f2a90d5604..789faa3de0 100644 --- a/Solutions/CiscoUmbrella/Analytic Rules/CiscoUmbrellaRequestAllowedHarmfulMaliciousURICategory.yaml +++ b/Solutions/CiscoUmbrella/Analytic Rules/CiscoUmbrellaRequestAllowedHarmfulMaliciousURICategory.yaml @@ -1,54 +1,54 @@ -id: d6bf1931-b1eb-448d-90b2-de118559c7ce -name: Cisco Umbrella - Request Allowed to harmful/malicious URI category -description: | - 'It is reccomended that these Categories shoud be blocked by policies because they provide harmful/malicious content..' -severity: Medium -requiredDataConnectors: - - connectorId: CiscoUmbrellaDataConnector - dataTypes: - - Cisco_Umbrella_proxy_CL -queryFrequency: 10m -queryPeriod: 10m -triggerOperator: gt -triggerThreshold: 0 -tactics: - - CommandandControl - - InitialAccess -query: | - let lbtime = 10m; - Cisco_Umbrella - | where TimeGenerated > ago(lbtime) - | where EventType == 'proxylogs' - | where DvcAction =~ 'Allowed' - | where UrlCategory contains 'Adult Themes' or - UrlCategory contains 'Adware' or - UrlCategory contains 'Alcohol' or - UrlCategory contains 'Illegal Downloads' or - UrlCategory contains 'Drugs' or - UrlCategory contains 'Child Abuse Content' or - UrlCategory contains 'Hate/Discrimination' or - UrlCategory contains 'Nudity' or - UrlCategory contains 'Pornography' or - UrlCategory contains 'Proxy/Anonymizer' or - UrlCategory contains 'Sexuality' or - UrlCategory contains 'Tasteless' or - UrlCategory contains 'Terrorism' or - UrlCategory contains 'Web Spam' or - UrlCategory contains 'German Youth Protection' or - UrlCategory contains 'Illegal Activities' or - UrlCategory contains 'Lingerie/Bikini' or - UrlCategory contains 'Weapons' - | project TimeGenerated, SrcIpAddr, Identities - | extend IPCustomEntity = SrcIpAddr - | extend AccountCustomEntity = Identities -entityMappings: - - entityType: Account - fieldMappings: - - identifier: FullName - columnName: AccountCustomEntity - - entityType: IP - fieldMappings: - - identifier: Address - columnName: IPCustomEntity -version: 1.0.0 -kind: Scheduled \ No newline at end of file +id: d6bf1931-b1eb-448d-90b2-de118559c7ce +name: Cisco Umbrella - Request Allowed to harmful/malicious URI category +description: | + 'It is reccomended that these Categories shoud be blocked by policies because they provide harmful/malicious content..' +severity: Medium +requiredDataConnectors: + - connectorId: CiscoUmbrellaDataConnector + dataTypes: + - Cisco_Umbrella_proxy_CL +queryFrequency: 10m +queryPeriod: 10m +triggerOperator: gt +triggerThreshold: 0 +tactics: + - CommandAndControl + - InitialAccess +query: | + let lbtime = 10m; + Cisco_Umbrella + | where TimeGenerated > ago(lbtime) + | where EventType == 'proxylogs' + | where DvcAction =~ 'Allowed' + | where UrlCategory contains 'Adult Themes' or + UrlCategory contains 'Adware' or + UrlCategory contains 'Alcohol' or + UrlCategory contains 'Illegal Downloads' or + UrlCategory contains 'Drugs' or + UrlCategory contains 'Child Abuse Content' or + UrlCategory contains 'Hate/Discrimination' or + UrlCategory contains 'Nudity' or + UrlCategory contains 'Pornography' or + UrlCategory contains 'Proxy/Anonymizer' or + UrlCategory contains 'Sexuality' or + UrlCategory contains 'Tasteless' or + UrlCategory contains 'Terrorism' or + UrlCategory contains 'Web Spam' or + UrlCategory contains 'German Youth Protection' or + UrlCategory contains 'Illegal Activities' or + UrlCategory contains 'Lingerie/Bikini' or + UrlCategory contains 'Weapons' + | project TimeGenerated, SrcIpAddr, Identities + | extend IPCustomEntity = SrcIpAddr + | extend AccountCustomEntity = Identities +entityMappings: + - entityType: Account + fieldMappings: + - identifier: FullName + columnName: AccountCustomEntity + - entityType: IP + fieldMappings: + - identifier: Address + columnName: IPCustomEntity +version: 1.1.0 +kind: Scheduled diff --git a/Solutions/CiscoUmbrella/Analytic Rules/CiscoUmbrellaURIContainsIPAddress.yaml b/Solutions/CiscoUmbrella/Analytic Rules/CiscoUmbrellaURIContainsIPAddress.yaml index 003fa9e6ff..44e4bb589e 100644 --- a/Solutions/CiscoUmbrella/Analytic Rules/CiscoUmbrellaURIContainsIPAddress.yaml +++ b/Solutions/CiscoUmbrella/Analytic Rules/CiscoUmbrellaURIContainsIPAddress.yaml @@ -1,36 +1,36 @@ -id: ee1818ec-5f65-4991-b711-bcf2ab7e36c3 -name: Cisco Umbrella - URI contains IP address -description: | - 'Malware can use IP address to communicate with C2.' -severity: Medium -requiredDataConnectors: - - connectorId: CiscoUmbrellaDataConnector - dataTypes: - - Cisco_Umbrella_proxy_CL -queryFrequency: 10m -queryPeriod: 10m -triggerOperator: gt -triggerThreshold: 0 -tactics: - - CommandandControl -query: | - let lbtime = 10m; - Cisco_Umbrella - | where TimeGenerated > ago(lbtime) - | where EventType == 'proxylogs' - | where DvcAction =~ 'Allowed' - | where UrlOriginal matches regex @'\Ahttp:\/\/\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}.*' - | project TimeGenerated, SrcIpAddr, Identities - | extend IPCustomEntity = SrcIpAddr - | extend AccountCustomEntity = Identities -entityMappings: - - entityType: Account - fieldMappings: - - identifier: FullName - columnName: AccountCustomEntity - - entityType: IP - fieldMappings: - - identifier: Address - columnName: IPCustomEntity -version: 1.0.0 -kind: Scheduled \ No newline at end of file +id: ee1818ec-5f65-4991-b711-bcf2ab7e36c3 +name: Cisco Umbrella - URI contains IP address +description: | + 'Malware can use IP address to communicate with C2.' +severity: Medium +requiredDataConnectors: + - connectorId: CiscoUmbrellaDataConnector + dataTypes: + - Cisco_Umbrella_proxy_CL +queryFrequency: 10m +queryPeriod: 10m +triggerOperator: gt +triggerThreshold: 0 +tactics: + - CommandAndControl +query: | + let lbtime = 10m; + Cisco_Umbrella + | where TimeGenerated > ago(lbtime) + | where EventType == 'proxylogs' + | where DvcAction =~ 'Allowed' + | where UrlOriginal matches regex @'\Ahttp:\/\/\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}.*' + | project TimeGenerated, SrcIpAddr, Identities + | extend IPCustomEntity = SrcIpAddr + | extend AccountCustomEntity = Identities +entityMappings: + - entityType: Account + fieldMappings: + - identifier: FullName + columnName: AccountCustomEntity + - entityType: IP + fieldMappings: + - identifier: Address + columnName: IPCustomEntity +version: 1.1.0 +kind: Scheduled diff --git a/Solutions/CiscoUmbrella/Hunting Queries/CiscoUmbrellaAnomalousFQDNsforDomain.yaml b/Solutions/CiscoUmbrella/Hunting Queries/CiscoUmbrellaAnomalousFQDNsforDomain.yaml index c5abeceff2..76286a5713 100644 --- a/Solutions/CiscoUmbrella/Hunting Queries/CiscoUmbrellaAnomalousFQDNsforDomain.yaml +++ b/Solutions/CiscoUmbrella/Hunting Queries/CiscoUmbrellaAnomalousFQDNsforDomain.yaml @@ -4,7 +4,7 @@ description: | 'Large number of FQDNs for domain may be indicator of suspicious domain.' requiredDataConnectors: [] tactics: - - CommandandControl + - CommandAndControl relevantTechniques: - T1071 query: | @@ -15,4 +15,4 @@ query: | | extend Domain = extract(@'.*\.(.*\.[a-z]+)', 1, replaced) | extend fqdn = extract(@'(.*)\..*\.[a-z]+', 1, replaced) | summarize FQDNs = dcount(fqdn) by Domain - | sort by FQDNs \ No newline at end of file + | sort by FQDNs diff --git a/Solutions/CiscoUmbrella/Hunting Queries/CiscoUmbrellaHighCountsOfTheSameBytesInSize.yaml b/Solutions/CiscoUmbrella/Hunting Queries/CiscoUmbrellaHighCountsOfTheSameBytesInSize.yaml index e246d9ed4d..7772f571d7 100644 --- a/Solutions/CiscoUmbrella/Hunting Queries/CiscoUmbrellaHighCountsOfTheSameBytesInSize.yaml +++ b/Solutions/CiscoUmbrella/Hunting Queries/CiscoUmbrellaHighCountsOfTheSameBytesInSize.yaml @@ -1,10 +1,10 @@ id: 173f8699-6af5-484a-8b06-8c47ba89b380 -name: Cisco Umbrella - Higher values of count of the Same BytesIn size +name: Cisco Umbrella - Higher values of count of the Same BytesIn size description: | 'Calculate the count of BytesIn per Source-Destination pair over 24 hours. Higher values may indicate beaconing.' requiredDataConnectors: [] tactics: - - CommandandControl + - CommandAndControl relevantTechniques: - T1071 query: | @@ -16,4 +16,4 @@ query: | | sort by count_ desc | extend Message = "Possible communication with C2" | project Message, SrcIpAddr, DstIpAddr - | extend IpCustomEntity = SrcIpAddr \ No newline at end of file + | extend IpCustomEntity = SrcIpAddr diff --git a/Solutions/CiscoUmbrella/Hunting Queries/CiscoUmbrellaPossibleConnectionC2.yaml b/Solutions/CiscoUmbrella/Hunting Queries/CiscoUmbrellaPossibleConnectionC2.yaml index 896ff75257..dc7ad131bb 100644 --- a/Solutions/CiscoUmbrella/Hunting Queries/CiscoUmbrellaPossibleConnectionC2.yaml +++ b/Solutions/CiscoUmbrella/Hunting Queries/CiscoUmbrellaPossibleConnectionC2.yaml @@ -4,7 +4,7 @@ description: | 'Calculate the count of BytesIn per Source-Destination pair over 12/24 hours. Higher values may indicate beaconing. C2 servers reply with the same data, making BytesIn value the same.' requiredDataConnectors: [] tactics: - - CommandandControl + - CommandAndControl relevantTechniques: - T1071 query: | @@ -15,4 +15,4 @@ query: | | summarize count() by SrcIpAddr, DstIpAddr, SrcBytes | sort by count_ desc | extend Message = "Possible communication with C2" - | extend IPCustomEntity = SrcIpAddr \ No newline at end of file + | extend IPCustomEntity = SrcIpAddr diff --git a/Solutions/CiscoWSA/Analytic Rules/CiscoWSAAccessToUnwantedSite.yaml b/Solutions/CiscoWSA/Analytic Rules/CiscoWSAAccessToUnwantedSite.yaml new file mode 100755 index 0000000000..b4916723b3 --- /dev/null +++ b/Solutions/CiscoWSA/Analytic Rules/CiscoWSAAccessToUnwantedSite.yaml @@ -0,0 +1,29 @@ +id: 38029e86-030c-46c4-8a91-a2be7c74d74c +name: Cisco WSA - Access to unwanted site +description: | + 'Detects when users attempting to access sites from high risk category.' +severity: Medium +requiredDataConnectors: + - connectorId: CiscoWSA + dataTypes: + - CiscoWSAEvent +queryFrequency: 1h +queryPeriod: 1h +triggerOperator: gt +triggerThreshold: 0 +tactics: + - InitialAccess +relevantTechniques: + - T1566 +query: | + let risky_sites = dynamic(['IW_adlt', 'IW_hack', 'IW_porn']); + CiscoWSAEvent + | where UrlCategory in~ (risky_sites) + | extend AccountCustomEntity = SrcUserName +entityMappings: + - entityType: Account + fieldMappings: + - identifier: Name + columnName: AccountCustomEntity +version: 1.0.0 +kind: Scheduled diff --git a/Solutions/CiscoWSA/Analytic Rules/CiscoWSADataExfiltration.yaml b/Solutions/CiscoWSA/Analytic Rules/CiscoWSADataExfiltration.yaml new file mode 100755 index 0000000000..8d3a2b5777 --- /dev/null +++ b/Solutions/CiscoWSA/Analytic Rules/CiscoWSADataExfiltration.yaml @@ -0,0 +1,32 @@ +id: 32c460ad-2d40-43e9-8ead-5cdd1d7a3163 +name: Cisco WSA - Unexpected uploads +description: | + 'Detects unexpected file uploads.' +severity: Medium +requiredDataConnectors: + - connectorId: CiscoWSA + dataTypes: + - CiscoWSAEvent +queryFrequency: 1h +queryPeriod: 1h +triggerOperator: gt +triggerThreshold: 0 +tactics: + - Exfiltration +relevantTechniques: + - T1567 +query: | + CiscoWSAEvent + | where HttpRequestMethod in~ ('POST', 'PUT') + | where isnotempty(AmpFileName) + | where UrlCategory in~ ('IW_fts', 'IW_osb') + | summarize count() by AmpFileName, SrcUserName, bin(TimeGenerated, 10m) + | where count_ >= 5 + | extend AccountCustomEntity = SrcUserName +entityMappings: + - entityType: Account + fieldMappings: + - identifier: Name + columnName: AccountCustomEntity +version: 1.0.0 +kind: Scheduled \ No newline at end of file diff --git a/Solutions/CiscoWSA/Analytic Rules/CiscoWSAMultipleErrorsToUnwantedCategory.yaml b/Solutions/CiscoWSA/Analytic Rules/CiscoWSAMultipleErrorsToUnwantedCategory.yaml new file mode 100755 index 0000000000..2299b77adf --- /dev/null +++ b/Solutions/CiscoWSA/Analytic Rules/CiscoWSAMultipleErrorsToUnwantedCategory.yaml @@ -0,0 +1,39 @@ +id: ebf9db0c-ba7b-4249-b9ec-50a05fa7c7c9 +name: Cisco WSA - Multiple errors to resource from risky category +description: | + 'Detects multiple connection errors to resource from risky category.' +severity: Medium +requiredDataConnectors: + - connectorId: CiscoWSA + dataTypes: + - CiscoWSAEvent +queryFrequency: 1h +queryPeriod: 1h +triggerOperator: gt +triggerThreshold: 0 +tactics: + - InitialAccess + - CommandAndControl +relevantTechniques: + - T1189 + - T1102 +query: | + let threshold = 10; + let risky_sites = dynamic(['IW_adlt', 'IW_hack', 'IW_porn']); + CiscoWSAEvent + | where DvcAction startswith 'BLOCK_' + | where UrlCategory in~ (risky_sites) + | summarize count() by SrcUserName, UrlOriginal, bin(TimeGenerated, 5m) + | where count_ >= threshold + | extend URLCustomEntity = UrlOriginal, AccountCustomEntity = SrcUserName +entityMappings: + - entityType: URL + fieldMappings: + - identifier: Url + columnName: URLCustomEntity + - entityType: Account + fieldMappings: + - identifier: Name + columnName: AccountCustomEntity +version: 1.0.0 +kind: Scheduled diff --git a/Solutions/CiscoWSA/Analytic Rules/CiscoWSAMultipleErrorsToUrl.yaml b/Solutions/CiscoWSA/Analytic Rules/CiscoWSAMultipleErrorsToUrl.yaml new file mode 100755 index 0000000000..4e43031a6a --- /dev/null +++ b/Solutions/CiscoWSA/Analytic Rules/CiscoWSAMultipleErrorsToUrl.yaml @@ -0,0 +1,35 @@ +id: 1db49647-435c-41ad-bf8c-7130ba75429d +name: Cisco WSA - Multiple errors to URL +description: | + 'Detects multiple connection errors to URL.' +severity: Medium +requiredDataConnectors: + - connectorId: CiscoWSA + dataTypes: + - CiscoWSAEvent +queryFrequency: 1h +queryPeriod: 1h +triggerOperator: gt +triggerThreshold: 0 +tactics: + - CommandAndControl +relevantTechniques: + - T1102 +query: | + let threshold = 5; + CiscoWSAEvent + | where DvcAction =~ 'NONE' + | summarize count() by SrcUserName, UrlOriginal, bin(TimeGenerated, 5m) + | where count_ >= threshold + | extend URLCustomEntity = UrlOriginal, AccountCustomEntity = SrcUserName +entityMappings: + - entityType: URL + fieldMappings: + - identifier: Url + columnName: URLCustomEntity + - entityType: Account + fieldMappings: + - identifier: Name + columnName: AccountCustomEntity +version: 1.0.0 +kind: Scheduled diff --git a/Solutions/CiscoWSA/Analytic Rules/CiscoWSAMultipleInfectedFles.yaml b/Solutions/CiscoWSA/Analytic Rules/CiscoWSAMultipleInfectedFles.yaml new file mode 100755 index 0000000000..bbcd4759aa --- /dev/null +++ b/Solutions/CiscoWSA/Analytic Rules/CiscoWSAMultipleInfectedFles.yaml @@ -0,0 +1,35 @@ +id: 93186e3d-5dc2-4a00-a993-fa1448db8734 +name: Cisco WSA - Multiple infected files +description: | + 'Detects multiple infected files on same source.' +severity: Medium +requiredDataConnectors: + - connectorId: CiscoWSA + dataTypes: + - CiscoWSAEvent +queryFrequency: 1h +queryPeriod: 1h +triggerOperator: gt +triggerThreshold: 0 +tactics: + - InitialAccess +relevantTechniques: + - T1189 +query: | + CiscoWSAEvent + | where isnotempty(AmpFileName) + | where isnotempty(ThreatName) + | summarize count() by SrcIpAddr, SrcUserName, bin(TimeGenerated, 15m) + | where count_ > 1 + | extend IPCustomEntity = SrcIpAddr, AccountCustomEntity = SrcUserName +entityMappings: + - entityType: IP + fieldMappings: + - identifier: Address + columnName: IPCustomEntity + - entityType: Account + fieldMappings: + - identifier: Name + columnName: AccountCustomEntity +version: 1.0.0 +kind: Scheduled \ No newline at end of file diff --git a/Solutions/CiscoWSA/Analytic Rules/CiscoWSAMultipleUnwantedFileTypes.yaml b/Solutions/CiscoWSA/Analytic Rules/CiscoWSAMultipleUnwantedFileTypes.yaml new file mode 100755 index 0000000000..e41327f54f --- /dev/null +++ b/Solutions/CiscoWSA/Analytic Rules/CiscoWSAMultipleUnwantedFileTypes.yaml @@ -0,0 +1,35 @@ +id: 46b6c6fc-2c1a-4270-be10-9d444d83f027 +name: Cisco WSA - Multiple attempts to download unwanted file +description: | + 'Detects when multiple attempts to download unwanted file occur.' +severity: Medium +requiredDataConnectors: + - connectorId: CiscoWSA + dataTypes: + - CiscoWSAEvent +queryFrequency: 1h +queryPeriod: 1h +triggerOperator: gt +triggerThreshold: 0 +tactics: + - InitialAccess +relevantTechniques: + - T1189 +query: | + let threshold = 2; + CiscoWSAEvent + | where DvcAction =~ 'BLOCK_ADMIN_FILE_TYPE' + | summarize i_src = makeset(SrcIpAddr) by UrlOriginal, bin(TimeGenerated, 15m) + | where array_length(i_src) >= threshold + | extend IPCustomEntity = i_src, UrlCustomEntity = UrlOriginal +entityMappings: + - entityType: IP + fieldMappings: + - identifier: Address + columnName: IPCustomEntity + - entityType: URL + fieldMappings: + - identifier: Url + columnName: UrlCustomEntity +version: 1.0.0 +kind: Scheduled diff --git a/Solutions/CiscoWSA/Analytic Rules/CiscoWSAProtocolAbuse.yaml b/Solutions/CiscoWSA/Analytic Rules/CiscoWSAProtocolAbuse.yaml new file mode 100755 index 0000000000..80a92e3f84 --- /dev/null +++ b/Solutions/CiscoWSA/Analytic Rules/CiscoWSAProtocolAbuse.yaml @@ -0,0 +1,33 @@ +id: 6f756792-4888-48a5-97cf-40d9430dc932 +name: Cisco WSA - Suspected protocol abuse +description: | + 'Detects possible protocol abuse.' +severity: Medium +requiredDataConnectors: + - connectorId: CiscoWSA + dataTypes: + - CiscoWSAEvent +queryFrequency: 1h +queryPeriod: 1h +triggerOperator: gt +triggerThreshold: 0 +tactics: + - Exfiltration +relevantTechniques: + - T1048 +query: | + CiscoWSAEvent + | where DstPortNumber !in ('80', '443') + | where NetworkApplicationProtocol in~ ('HTTP', 'HTTPs') + | extend IPCustomEntity = SrcIpAddr, AccountCustomEntity = SrcUserName +entityMappings: + - entityType: IP + fieldMappings: + - identifier: Address + columnName: IPCustomEntity + - entityType: Account + fieldMappings: + - identifier: Name + columnName: AccountCustomEntity +version: 1.0.0 +kind: Scheduled \ No newline at end of file diff --git a/Solutions/CiscoWSA/Analytic Rules/CiscoWSAPublicIPSource.yaml b/Solutions/CiscoWSA/Analytic Rules/CiscoWSAPublicIPSource.yaml new file mode 100755 index 0000000000..968b934996 --- /dev/null +++ b/Solutions/CiscoWSA/Analytic Rules/CiscoWSAPublicIPSource.yaml @@ -0,0 +1,29 @@ +id: 4250b050-e1c6-4926-af04-9484bbd7e94f +name: Cisco WSA - Internet access from public IP +description: | + 'Detects internet access from public IP.' +severity: Medium +requiredDataConnectors: + - connectorId: CiscoWSA + dataTypes: + - CiscoWSAEvent +queryFrequency: 1h +queryPeriod: 1h +triggerOperator: gt +triggerThreshold: 0 +tactics: + - InitialAccess +relevantTechniques: + - T1189 +query: | + let ip_except = dynamic(['127.0.0.2']); //Add exceptions to this list + CiscoWSAEvent + | where ipv4_is_private(SrcIpAddr) == false + | extend IPCustomEntity = SrcIpAddr +entityMappings: + - entityType: IP + fieldMappings: + - identifier: Address + columnName: IPCustomEntity +version: 1.0.0 +kind: Scheduled diff --git a/Solutions/CiscoWSA/Analytic Rules/CiscoWSAUnexpectedFileType.yaml b/Solutions/CiscoWSA/Analytic Rules/CiscoWSAUnexpectedFileType.yaml new file mode 100755 index 0000000000..950e00bfad --- /dev/null +++ b/Solutions/CiscoWSA/Analytic Rules/CiscoWSAUnexpectedFileType.yaml @@ -0,0 +1,35 @@ +id: 8e9d1f70-d529-4598-9d3e-5dd5164d1d02 +name: Cisco WSA - Unexpected file type +description: | + 'Detects unexpected file type.' +severity: Medium +requiredDataConnectors: + - connectorId: CiscoWSA + dataTypes: + - CiscoWSAEvent +queryFrequency: 1h +queryPeriod: 1h +triggerOperator: gt +triggerThreshold: 0 +tactics: + - InitialAccess +relevantTechniques: + - T1189 +query: | + CiscoWSAEvent + | where isnotempty(AmpFileName) + | where isempty(AmpThreatName) + | where ResponseBodyMimeType =~ 'application/octet-stream' + | where AmpFileName !endswith '.exe' + | extend IPCustomEntity = SrcIpAddr, AccountCustomEntity = SrcUserName +entityMappings: + - entityType: IP + fieldMappings: + - identifier: Address + columnName: IPCustomEntity + - entityType: Account + fieldMappings: + - identifier: Name + columnName: AccountCustomEntity +version: 1.0.0 +kind: Scheduled \ No newline at end of file diff --git a/Solutions/CiscoWSA/Analytic Rules/CiscoWSAUnexpectedUrl.yaml b/Solutions/CiscoWSA/Analytic Rules/CiscoWSAUnexpectedUrl.yaml new file mode 100755 index 0000000000..59b29de18b --- /dev/null +++ b/Solutions/CiscoWSA/Analytic Rules/CiscoWSAUnexpectedUrl.yaml @@ -0,0 +1,33 @@ +id: 010644fd-2830-4451-9e0e-606cc192f2e7 +name: Cisco WSA - Unexpected URL +description: | + 'Detects unexpected URL.' +severity: Medium +requiredDataConnectors: + - connectorId: CiscoWSA + dataTypes: + - CiscoWSAEvent +queryFrequency: 1h +queryPeriod: 1h +triggerOperator: gt +triggerThreshold: 0 +tactics: + - CommandAndControl +relevantTechniques: + - T1102 +query: | + let threshold = 5; + CiscoWSAEvent + | where UrlOriginal matches regex @'\Ahttp(s)?[:][/][/]\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}' + | extend URLCustomEntity = UrlOriginal, AccountCustomEntity = SrcUserName +entityMappings: + - entityType: URL + fieldMappings: + - identifier: Url + columnName: URLCustomEntity + - entityType: Account + fieldMappings: + - identifier: Name + columnName: AccountCustomEntity +version: 1.0.0 +kind: Scheduled diff --git a/Solutions/CiscoWSA/Analytic Rules/CiscoWSAUnscannableFile.yaml b/Solutions/CiscoWSA/Analytic Rules/CiscoWSAUnscannableFile.yaml new file mode 100755 index 0000000000..2b456e59e8 --- /dev/null +++ b/Solutions/CiscoWSA/Analytic Rules/CiscoWSAUnscannableFile.yaml @@ -0,0 +1,37 @@ +id: 9b61a945-ebcb-4245-b6e4-51f3addb5248 +name: Cisco WSA - Unscannable file or scan error +description: | + 'Detects unscanned downloaded file.' +severity: Medium +requiredDataConnectors: + - connectorId: CiscoWSA + dataTypes: + - CiscoWSAEvent +queryFrequency: 1h +queryPeriod: 1h +triggerOperator: gt +triggerThreshold: 0 +tactics: + - InitialAccess +relevantTechniques: + - T1189 +query: | + CiscoWSAEvent + | where isnotempty(AmpFileName) + | where AmpScanningVerdict in ('2', '3') + | extend IPCustomEntity = SrcIpAddr, FileCustomEntity = AmpFileName, AccountCustomEntity = SrcUserName +entityMappings: + - entityType: IP + fieldMappings: + - identifier: Address + columnName: IPCustomEntity + - entityType: File + fieldMappings: + - identifier: Name + columnName: FileCustomEntity + - entityType: Account + fieldMappings: + - identifier: Name + columnName: AccountCustomEntity +version: 1.0.0 +kind: Scheduled diff --git a/Solutions/CiscoWSA/Hunting Queries/CiscoWSABlockedFiles.yaml b/Solutions/CiscoWSA/Hunting Queries/CiscoWSABlockedFiles.yaml new file mode 100755 index 0000000000..736ac01720 --- /dev/null +++ b/Solutions/CiscoWSA/Hunting Queries/CiscoWSABlockedFiles.yaml @@ -0,0 +1,24 @@ +id: ebbd2b87-44c6-481a-8e4f-eaf5aa76e017 +name: Cisco WSA - Blocked files +description: | + 'Query searches for blocked files.' +severity: Medium +requiredDataConnectors: + - connectorId: CiscoWSA + dataTypes: + - CiscoWSAEvent +tactics: + - InitialAccess +relevantTechniques: + - T1189 +query: | + CiscoWSAEvent + | where TimeGenerated > ago(24h) + | where DvcAction =~ 'BLOCK_ADMIN_FILE_TYPE' + | summarize count() by UrlOriginal + | extend URLCustomEntity = UrlOriginal +entityMappings: + - entityType: URL + fieldMappings: + - identifier: Url + columnName: URLCustomEntity diff --git a/Solutions/CiscoWSA/Hunting Queries/CiscoWSARareApplications.yaml b/Solutions/CiscoWSA/Hunting Queries/CiscoWSARareApplications.yaml new file mode 100755 index 0000000000..20362688e4 --- /dev/null +++ b/Solutions/CiscoWSA/Hunting Queries/CiscoWSARareApplications.yaml @@ -0,0 +1,26 @@ +id: 686ec2d3-fdbb-4fa2-b834-ff1d0f2486fb +name: Cisco WSA - Rare aplications +description: | + 'Query searches for rare applications.' +severity: Medium +requiredDataConnectors: + - connectorId: CiscoWSA + dataTypes: + - CiscoWSAEvent +tactics: + - CommandAndControl + - Exfiltration +relevantTechniques: + - T1048 + - T1567 +query: | + CiscoWSAEvent + | where TimeGenerated > ago(24h) + | summarize count() by AvcApplicationName, SrcUserName + | order by count_ asc + | extend AccountCustomEntity = SrcUserName +entityMappings: + - entityType: IP + fieldMappings: + - identifier: Address + columnName: IPCustomEntity diff --git a/Solutions/CiscoWSA/Hunting Queries/CiscoWSATopApplications.yaml b/Solutions/CiscoWSA/Hunting Queries/CiscoWSATopApplications.yaml new file mode 100755 index 0000000000..7880bec2be --- /dev/null +++ b/Solutions/CiscoWSA/Hunting Queries/CiscoWSATopApplications.yaml @@ -0,0 +1,23 @@ +id: 6d4d7689-5e1d-4687-b1fc-eb0b7340c9a3 +name: Cisco WSA - Top aplications +description: | + 'Query searches for top applications.' +severity: Medium +requiredDataConnectors: + - connectorId: CiscoWSA + dataTypes: + - CiscoWSAEvent +tactics: + - InitialAccess +relevantTechniques: + - T1189 +query: | + CiscoWSAEvent + | where TimeGenerated > ago(24h) + | summarize count() by AvcApplicationName, SrcUserName + | extend AccountCustomEntity = SrcUserName +entityMappings: + - entityType: IP + fieldMappings: + - identifier: Address + columnName: IPCustomEntity diff --git a/Solutions/CiscoWSA/Hunting Queries/CiscoWSATopResources.yaml b/Solutions/CiscoWSA/Hunting Queries/CiscoWSATopResources.yaml new file mode 100755 index 0000000000..4b252f37f2 --- /dev/null +++ b/Solutions/CiscoWSA/Hunting Queries/CiscoWSATopResources.yaml @@ -0,0 +1,27 @@ +id: aaf6ba04-7a00-401e-a650-06e213f3bfbc +name: Cisco WSA - Top URLs +description: | + 'Query searches for top URLs.' +severity: Medium +requiredDataConnectors: + - connectorId: CiscoWSA + dataTypes: + - CiscoWSAEvent +tactics: + - InitialAccess +relevantTechniques: + - T1189 +query: | + CiscoWSAEvent + | where TimeGenerated > ago(24h) + | summarize count() by UrlOriginal, SrcUserName + | extend URLCustomEntity = UrlOriginal, AccountCustomEntity = SrcUserName +entityMappings: + - entityType: URL + fieldMappings: + - identifier: Url + columnName: URLCustomEntity + - entityType: Account + fieldMappings: + - identifier: Name + columnName: AccountCustomEntity \ No newline at end of file diff --git a/Solutions/CiscoWSA/Hunting Queries/CiscoWSAUncategorizedResources.yaml b/Solutions/CiscoWSA/Hunting Queries/CiscoWSAUncategorizedResources.yaml new file mode 100755 index 0000000000..bf05952acc --- /dev/null +++ b/Solutions/CiscoWSA/Hunting Queries/CiscoWSAUncategorizedResources.yaml @@ -0,0 +1,32 @@ +id: deddf5e8-8fee-4ec5-9121-415eb954c34d +name: Cisco WSA - Uncategorized URLs +description: | + 'Query searches for uncategorized URLs.' +severity: Medium +requiredDataConnectors: + - connectorId: CiscoWSA + dataTypes: + - CiscoWSAEvent +tactics: + - InitialAccess +relevantTechniques: + - T1189 +query: | + CiscoWSAEvent + | where TimeGenerated > ago(24h) + | where UrlCategory in~ ('IW_nc', 'IW_nact') + | project UrlOriginal, SrcUserName, SrcIpAddr + | extend URLCustomEntity = UrlOriginal, AccountCustomEntity = SrcUserName, IPCustomEntity = SrcIpAddr +entityMappings: + - entityType: IP + fieldMappings: + - identifier: Address + columnName: IPCustomEntity + - entityType: URL + fieldMappings: + - identifier: Url + columnName: URLCustomEntity + - entityType: Account + fieldMappings: + - identifier: Name + columnName: AccountCustomEntity \ No newline at end of file diff --git a/Solutions/CiscoWSA/Hunting Queries/CiscoWSAUploadedFiles.yaml b/Solutions/CiscoWSA/Hunting Queries/CiscoWSAUploadedFiles.yaml new file mode 100755 index 0000000000..44eecfaf9e --- /dev/null +++ b/Solutions/CiscoWSA/Hunting Queries/CiscoWSAUploadedFiles.yaml @@ -0,0 +1,25 @@ +id: 9d08418d-e21e-4fd6-b9bc-d80ce786d2da +name: Cisco WSA - Uploaded files +description: | + 'Query searches for uploaded files.' +severity: Medium +requiredDataConnectors: + - connectorId: CiscoWSA + dataTypes: + - CiscoWSAEvent +tactics: + - InitialAccess +relevantTechniques: + - T1189 +query: | + CiscoWSAEvent + | where TimeGenerated > ago(24h) + | where HttpRequestMethod in~ ('POST', 'PUT') + | where isnotempty(AmpFileName) + | project AmpFileName, SrcUserName + | extend AccountCustomEntity = SrcUserName +entityMappings: + - entityType: Account + fieldMappings: + - identifier: Name + columnName: AccountCustomEntity diff --git a/Solutions/CiscoWSA/Hunting Queries/CiscoWSAUrlRareErrorUrl.yaml b/Solutions/CiscoWSA/Hunting Queries/CiscoWSAUrlRareErrorUrl.yaml new file mode 100755 index 0000000000..996f0f2411 --- /dev/null +++ b/Solutions/CiscoWSA/Hunting Queries/CiscoWSAUrlRareErrorUrl.yaml @@ -0,0 +1,27 @@ +id: 88edb5d8-3ad9-4004-aefa-43c289483935 +name: Cisco WSA - Rare URL with error +description: | + 'Query searches for rare URLs with errors.' +severity: Medium +requiredDataConnectors: + - connectorId: CiscoWSA + dataTypes: + - CiscoWSAEvent +tactics: + - InitialAccess + - CommandAndControl +relevantTechniques: + - T1189 + - T1048 +query: | + CiscoWSAEvent + | where TimeGenerated > ago(24h) + | where DvcAction =~ 'OTHER' + | summarize count() by UrlOriginal + | order by count_ asc + | extend URLCustomEntity = UrlOriginal +entityMappings: + - entityType: URL + fieldMappings: + - identifier: Url + columnName: URLCustomEntity diff --git a/Solutions/CiscoWSA/Hunting Queries/CiscoWSAUrlShortenerLinks.yaml b/Solutions/CiscoWSA/Hunting Queries/CiscoWSAUrlShortenerLinks.yaml new file mode 100755 index 0000000000..9aba759230 --- /dev/null +++ b/Solutions/CiscoWSA/Hunting Queries/CiscoWSAUrlShortenerLinks.yaml @@ -0,0 +1,32 @@ +id: 04582ef2-42be-4371-9ecf-635337c92ddb +name: Cisco WSA - URL shorteners +description: | + 'Query searches connections to Url shorteners resources.' +severity: Medium +requiredDataConnectors: + - connectorId: CiscoWSA + dataTypes: + - CiscoWSAEvent +tactics: + - InitialAccess +relevantTechniques: + - T1189 +query: | + CiscoWSAEvent + | where TimeGenerated > ago(24h) + | where UrlCategory =~ 'IW_shrt' + | project UrlOriginal, SrcUserName, SrcIpAddr + | extend URLCustomEntity = UrlOriginal, AccountCustomEntity = SrcUserName, IPCustomEntity = SrcIpAddr +entityMappings: + - entityType: IP + fieldMappings: + - identifier: Address + columnName: IPCustomEntity + - entityType: URL + fieldMappings: + - identifier: Url + columnName: URLCustomEntity + - entityType: Account + fieldMappings: + - identifier: Name + columnName: AccountCustomEntity \ No newline at end of file diff --git a/Solutions/CiscoWSA/Hunting Queries/CiscoWSAUrlSuspiciousResources.yaml b/Solutions/CiscoWSA/Hunting Queries/CiscoWSAUrlSuspiciousResources.yaml new file mode 100755 index 0000000000..78ef1e6386 --- /dev/null +++ b/Solutions/CiscoWSA/Hunting Queries/CiscoWSAUrlSuspiciousResources.yaml @@ -0,0 +1,32 @@ +id: 8c35faed-a8cf-4d8d-8c67-f14f2ff6e7e9 +name: Cisco WSA - Potentially risky resources +description: | + 'Query searches for potentially risky resources.' +severity: Medium +requiredDataConnectors: + - connectorId: CiscoWSA + dataTypes: + - CiscoWSAEvent +tactics: + - InitialAccess +relevantTechniques: + - T1189 +query: | + CiscoWSAEvent + | where TimeGenerated > ago(24h) + | where DvcAction =~ 'BLOCK_CONTINUE_WEBCAT' + | project UrlOriginal, SrcUserName, SrcIpAddr + | extend URLCustomEntity = UrlOriginal, AccountCustomEntity = SrcUserName, IPCustomEntity = SrcIpAddr +entityMappings: + - entityType: IP + fieldMappings: + - identifier: Address + columnName: IPCustomEntity + - entityType: URL + fieldMappings: + - identifier: Url + columnName: URLCustomEntity + - entityType: Account + fieldMappings: + - identifier: Name + columnName: AccountCustomEntity \ No newline at end of file diff --git a/Solutions/CiscoWSA/Hunting Queries/CiscoWSAUrlUsersWithErrors.yaml b/Solutions/CiscoWSA/Hunting Queries/CiscoWSAUrlUsersWithErrors.yaml new file mode 100755 index 0000000000..7860b4ecba --- /dev/null +++ b/Solutions/CiscoWSA/Hunting Queries/CiscoWSAUrlUsersWithErrors.yaml @@ -0,0 +1,30 @@ +id: 77ec347d-db28-4556-8a5a-dbc2ec7c9461 +name: Cisco WSA - User errors +description: | + 'Query searches for user errors during accessing resource.' +severity: Medium +requiredDataConnectors: + - connectorId: CiscoWSA + dataTypes: + - CiscoWSAEvent +tactics: + - InitialAccess + - CommandAndControl +relevantTechniques: + - T1189 + - T1048 +query: | + CiscoWSAEvent + | where TimeGenerated > ago(24h) + | where DvcAction =~ 'OTHER' + | summarize count() by UrlOriginal, SrcUserName + | extend URLCustomEntity = UrlOriginal, AccountCustomEntity = SrcUserName +entityMappings: + - entityType: URL + fieldMappings: + - identifier: Url + columnName: URLCustomEntity + - entityType: Account + fieldMappings: + - identifier: Name + columnName: AccountCustomEntity \ No newline at end of file diff --git a/Solutions/CiscoWSA/Workbooks/CiscoWSA.json b/Solutions/CiscoWSA/Workbooks/CiscoWSA.json new file mode 100644 index 0000000000..fa17323a00 --- /dev/null +++ b/Solutions/CiscoWSA/Workbooks/CiscoWSA.json @@ -0,0 +1,370 @@ +{ + "version": "Notebook/1.0", + "items": [ + { + "type": 1, + "content": { + "json": "**NOTE**: This data connector depends on a parser based on Kusto Function **CiscoWSAEvent** to work as expected. [Follow steps to get this Kusto Function](https://aka.ms/sentinel-ciscowsa-parser)" + }, + "name": "text - 8" + }, + { + "type": 9, + "content": { + "version": "KqlParameterItem/1.0", + "parameters": [ + { + "id": "cd8447d9-b096-4673-92d8-2a1e8291a125", + "version": "KqlParameterItem/1.0", + "name": "TimeRange", + "type": 4, + "description": "Sets the time name for analysis", + "value": { + "durationMs": 2592000000 + }, + "typeSettings": { + "selectableValues": [ + { + "durationMs": 1800000 + }, + { + "durationMs": 3600000 + }, + { + "durationMs": 86400000 + }, + { + "durationMs": 604800000 + }, + { + "durationMs": 2592000000 + }, + { + "durationMs": 7776000000 + } + ] + }, + "timeContext": { + "durationMs": 86400000 + } + } + ], + "style": "pills", + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces" + }, + "name": "parameters - 11" + }, + { + "type": 3, + "content": { + "version": "KqlItem/1.0", + "query": "CiscoWSAEvent\r\n| make-series TotalEvents = count() default = 0 on TimeGenerated from {TimeRange:start} to {TimeRange:end} step {TimeRange:grain};", + "size": 0, + "title": "Events Over Time", + "color": "blueDark", + "timeContext": { + "durationMs": 0 + }, + "timeContextFromParameter": "TimeRange", + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces", + "visualization": "timechart", + "graphSettings": { + "type": 0 + } + }, + "customWidth": "60", + "name": "query - 12", + "styleSettings": { + "maxWidth": "55" + } + }, + { + "type": 12, + "content": { + "version": "NotebookGroup/1.0", + "groupType": "editable", + "title": "Sources Summary", + "items": [ + { + "type": 3, + "content": { + "version": "KqlItem/1.0", + "query": "CiscoWSAEvent\r\n| where isnotempty(SrcIpAddr)\r\n| summarize dcount(SrcIpAddr)", + "size": 3, + "title": "IP Addresses", + "timeContext": { + "durationMs": 0 + }, + "timeContextFromParameter": "TimeRange", + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces", + "visualization": "card", + "textSettings": { + "style": "bignumber" + } + }, + "customWidth": "50", + "name": "query - 3", + "styleSettings": { + "margin": "10", + "padding": "10" + } + }, + { + "type": 3, + "content": { + "version": "KqlItem/1.0", + "query": "CiscoWSAEvent\n| where isnotempty(SrcUserName)\n| where SrcUserName != '-'\n| summarize dcount(SrcUserName)", + "size": 3, + "title": "Users", + "timeContext": { + "durationMs": 0 + }, + "timeContextFromParameter": "TimeRange", + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces", + "visualization": "card", + "textSettings": { + "style": "bignumber" + } + }, + "customWidth": "50", + "name": "query - 1" + }, + { + "type": 3, + "content": { + "version": "KqlItem/1.0", + "query": "CiscoWSAEvent\n| where isnotempty(DstBytes)\n| summarize tb = sum(tolong(DstBytes))\n| project mb = tb / 1000000", + "size": 3, + "title": "Total Traffic Volume (MB)", + "timeContext": { + "durationMs": 0 + }, + "timeContextFromParameter": "TimeRange", + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces", + "visualization": "card", + "textSettings": { + "style": "bignumber" + } + }, + "customWidth": "50", + "name": "query - 2" + }, + { + "type": 3, + "content": { + "version": "KqlItem/1.0", + "query": "CiscoWSAEvent\n| where DvcAction startswith 'BLOCK_'\n| summarize count()", + "size": 3, + "title": "Threats Blocked", + "noDataMessage": "0", + "timeContext": { + "durationMs": 0 + }, + "timeContextFromParameter": "TimeRange", + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces", + "visualization": "card", + "textSettings": { + "style": "bignumber" + } + }, + "customWidth": "50", + "name": "query - 3" + } + ] + }, + "customWidth": "40", + "name": "group - 11" + }, + { + "type": 3, + "content": { + "version": "KqlItem/1.0", + "query": "CiscoWSAEvent\n| summarize count() by UrlCategory\n| project count_, ['URL Category'] = case(UrlCategory =~ 'IW_infr', \"Infrastructure and CDN\", \n UrlCategory =~ 'IW_adv', \"Advertisements\", \n UrlCategory =~ 'IW_art', \"Arts\",\n UrlCategory =~ 'IW_busi', \"Business and Industry\",\n UrlCategory =~ 'IW_csec', \"Computer Security\",\n UrlCategory =~ 'IW_comp', \"Computers and Internet\",\n UrlCategory =~ 'IW_edu', \"Education\",\n UrlCategory =~ 'IW_ent', \"Entertainment\",\n UrlCategory =~ 'IW_fts', \"File Transfer Services\",\n UrlCategory =~ 'IW_fnnc', \"Finance\",\n UrlCategory =~ 'IW_hmed', \"Health and Medicine\",\n UrlCategory =~ 'IW_job', \"Job Search\",\n UrlCategory =~ 'IW_news', \"News\",\n UrlCategory =~ 'IW_docs', \"Online Document Sharing and Collaboration\",\n UrlCategory =~ 'IW_meet', \"Online Meetings\",\n \"Other\")", + "size": 3, + "title": "URL Categories", + "timeContext": { + "durationMs": 0 + }, + "timeContextFromParameter": "TimeRange", + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces", + "visualization": "piechart" + }, + "customWidth": "35", + "name": "query - 11" + }, + { + "type": 3, + "content": { + "version": "KqlItem/1.0", + "query": "CiscoWSAEvent\r\n| summarize count() by UrlCategory\r\n| project count_, ['URL Category'] = case(UrlCategory =~ 'IW_infr', \"Infrastructure and CDN\", \r\n UrlCategory =~ 'IW_adv', \"Advertisements\", \r\n UrlCategory =~ 'IW_art', \"Arts\",\r\n UrlCategory =~ 'IW_busi', \"Business and Industry\",\r\n UrlCategory =~ 'IW_csec', \"Computer Security\",\r\n UrlCategory =~ 'IW_comp', \"Computers and Internet\",\r\n UrlCategory =~ 'IW_edu', \"Education\",\r\n UrlCategory =~ 'IW_ent', \"Entertainment\",\r\n UrlCategory =~ 'IW_fts', \"File Transfer Services\",\r\n UrlCategory =~ 'IW_fnnc', \"Finance\",\r\n UrlCategory =~ 'IW_hmed', \"Health and Medicine\",\r\n UrlCategory =~ 'IW_job', \"Job Search\",\r\n UrlCategory =~ 'IW_news', \"News\",\r\n UrlCategory =~ 'IW_docs', \"Online Document Sharing and Collaboration\",\r\n UrlCategory =~ 'IW_meet', \"Online Meetings\",\r\n \"Other\")\r\n| top 8 by ['URL Category'] desc\r\n", + "size": 3, + "title": "Top URL Categories", + "timeContext": { + "durationMs": 0 + }, + "timeContextFromParameter": "TimeRange", + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces", + "visualization": "tiles", + "tileSettings": { + "titleContent": { + "columnMatch": "URL Category", + "formatter": 1 + }, + "leftContent": { + "columnMatch": "count_", + "formatter": 12, + "formatOptions": { + "palette": "auto" + }, + "numberFormat": { + "unit": 17, + "options": { + "style": "decimal", + "maximumFractionDigits": 2, + "maximumSignificantDigits": 3 + } + } + }, + "secondaryContent": { + "columnMatch": "Trend", + "formatter": 9, + "formatOptions": { + "palette": "purple" + } + }, + "showBorder": false + } + }, + "customWidth": "35", + "name": "query - 0", + "styleSettings": { + "maxWidth": "30" + } + }, + { + "type": 3, + "content": { + "version": "KqlItem/1.0", + "query": "CiscoWSAEvent\n| where isnotempty(DstDvcHostname)\n| summarize count() by DstDvcHostname\n| top 10 by DstDvcHostname\n| order by count_\n| project-rename Domain = DstDvcHostname, ['Total Events'] = count_", + "size": 0, + "title": "Top visited domains", + "timeContext": { + "durationMs": 0 + }, + "timeContextFromParameter": "TimeRange", + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces", + "visualization": "table", + "tileSettings": { + "titleContent": { + "columnMatch": "User", + "formatter": 1 + }, + "leftContent": { + "columnMatch": "TotalMailsReceived", + "formatter": 12, + "formatOptions": { + "palette": "auto" + }, + "numberFormat": { + "unit": 17, + "options": { + "maximumSignificantDigits": 3, + "maximumFractionDigits": 2 + } + } + }, + "secondaryContent": { + "columnMatch": "Trend", + "formatter": 10, + "formatOptions": { + "palette": "magenta" + } + }, + "showBorder": false + } + }, + "customWidth": "30", + "name": "query - 10" + }, + { + "type": 3, + "content": { + "version": "KqlItem/1.0", + "query": "CiscoWSAEvent\r\n| where isnotempty(SrcUserName)\r\n| summarize TotalBytes = sum(DstBytes) by SrcUserName\r\n| top 10 by TotalBytes\r\n| project User=SrcUserName, ['Total Bytes (KB)'] = TotalBytes/1000", + "size": 3, + "title": "Top Users", + "timeContext": { + "durationMs": 0 + }, + "timeContextFromParameter": "TimeRange", + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces", + "visualization": "table", + "gridSettings": { + "formatters": [ + { + "columnMatch": "Total Bytes (KB)", + "formatter": 8, + "formatOptions": { + "palette": "greenRed" + } + } + ] + }, + "sortBy": [] + }, + "customWidth": "33", + "name": "query - 2" + }, + { + "type": 3, + "content": { + "version": "KqlItem/1.0", + "query": "CiscoWSAEvent\n| where isnotempty(ThreatName)\n| summarize count() by ThreatName", + "size": 3, + "title": "Discovered Threats", + "timeContext": { + "durationMs": 0 + }, + "timeContextFromParameter": "TimeRange", + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces", + "visualization": "piechart" + }, + "customWidth": "30", + "name": "query - 9" + }, + { + "type": 3, + "content": { + "version": "KqlItem/1.0", + "query": "CiscoWSAEvent\r\n| where isnotempty(AmpFileName)\r\n| project TimeGenerated, SrcUserName, AmpFileName, Result=strcat(iff(isnotempty(AmpScanningVerdict) or AmpScanningVerdict !has 'clean', '❌ - Infected', '✅ - Clean'))\r\n", + "size": 1, + "title": "Latest scanned files", + "timeContext": { + "durationMs": 0 + }, + "timeContextFromParameter": "TimeRange", + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces", + "visualization": "table", + "gridSettings": { + "filter": true + } + }, + "customWidth": "34", + "name": "query - 1" + } + ], + "fromTemplateId": "sentinel-CiscoWSAWorkbook", + "$schema": "https://github.com/Microsoft/Application-Insights-Workbooks/blob/master/schema/workbook.json" +} \ No newline at end of file diff --git a/Solutions/CiscoWSA/Workbooks/Images/CiscoWSABlack.png b/Solutions/CiscoWSA/Workbooks/Images/CiscoWSABlack.png new file mode 100644 index 0000000000..9af172bb73 Binary files /dev/null and b/Solutions/CiscoWSA/Workbooks/Images/CiscoWSABlack.png differ diff --git a/Solutions/CiscoWSA/Workbooks/Images/CiscoWSAWhite.png b/Solutions/CiscoWSA/Workbooks/Images/CiscoWSAWhite.png new file mode 100644 index 0000000000..bb01ec36de Binary files /dev/null and b/Solutions/CiscoWSA/Workbooks/Images/CiscoWSAWhite.png differ diff --git a/Solutions/Cloudflare/Data Connectors/AzureFunctionCloudflare/main.py b/Solutions/Cloudflare/Data Connectors/AzureFunctionCloudflare/main.py index 96712e1ba5..9c2d4f867c 100644 --- a/Solutions/Cloudflare/Data Connectors/AzureFunctionCloudflare/main.py +++ b/Solutions/Cloudflare/Data Connectors/AzureFunctionCloudflare/main.py @@ -6,6 +6,7 @@ import logging import azure.functions as func import re import time +import aiohttp from .sentinel_connector_async import AzureSentinelConnectorAsync @@ -27,10 +28,10 @@ LINE_SEPARATOR = os.environ.get('lineSeparator', '[\n\r\x0b\v\x0c\f\x1c\x1d\x85 MAX_CONCURRENT_PROCESSING_FILES = int(os.environ.get('MAX_CONCURRENT_PROCESSING_FILES', 20)) # Defines page size while listing files from blob storage. New page is not processed while old page is processing. -MAX_PAGE_SIZE = int(os.environ.get('MAX_PAGE_SIZE', 1000)) +MAX_PAGE_SIZE = int(MAX_CONCURRENT_PROCESSING_FILES * 1.5) # Defines max number of events that can be sent in one request to Azure Sentinel -MAX_BUCKET_SIZE = int(os.environ.get('MAX_BUCKET_SIZE', 1000)) +MAX_BUCKET_SIZE = int(os.environ.get('MAX_BUCKET_SIZE', 2000)) LOG_ANALYTICS_URI = os.environ.get('logAnalyticsUri') @@ -49,20 +50,21 @@ async def main(mytimer: func.TimerRequest): conn = AzureBlobStorageConnector(AZURE_STORAGE_CONNECTION_STRING, CONTAINER_NAME, MAX_CONCURRENT_PROCESSING_FILES) container_client = conn._create_container_client() async with container_client: - cors = [] - async for blob in conn.get_blobs(): - cor = conn.process_blob(blob, container_client) - cors.append(cor) - if len(cors) >= MAX_PAGE_SIZE: - await asyncio.gather(*cors) - cors = [] - if conn.check_if_script_runs_too_long(): - logging.info('Script is running too long. Stop processing new blobs.') - break + async with aiohttp.ClientSession() as session: + cors = [] + async for blob in conn.get_blobs(): + cor = conn.process_blob(blob, container_client, session) + cors.append(cor) + if len(cors) >= MAX_PAGE_SIZE: + await asyncio.gather(*cors) + cors = [] + if conn.check_if_script_runs_too_long(): + logging.info('Script is running too long. Stop processing new blobs.') + break - if cors: - await asyncio.gather(*cors) - logging.info('Processed {} files with {} events.'.format(conn.total_blobs, conn.total_events)) + if cors: + await asyncio.gather(*cors) + logging.info('Processed {} files with {} events.'.format(conn.total_blobs, conn.total_events)) logging.info('Script finished. Processed files: {}. Processed events: {}'.format(conn.total_blobs, conn.total_events)) @@ -77,10 +79,7 @@ class AzureBlobStorageConnector: self.total_events = 0 def _create_container_client(self): - return ContainerClient.from_connection_string(self.__conn_string, self.__container_name, logging_enable=False) - - def _create_sentinel_client(self): - return AzureSentinelConnectorAsync(LOG_ANALYTICS_URI, WORKSPACE_ID, SHARED_KEY, LOG_TYPE, queue_size=MAX_BUCKET_SIZE) + return ContainerClient.from_connection_string(self.__conn_string, self.__container_name, logging_enable=False, max_single_get_size=2*1024*1024, max_chunk_get_size=2*1024*1024) async def get_blobs(self): container_client = self._create_container_client() @@ -96,13 +95,13 @@ class AzureBlobStorageConnector: return duration > max_duration async def delete_blob(self, blob, container_client): - logging.debug("Deleting blob {}".format(blob['name'])) + logging.info("Deleting blob {}".format(blob['name'])) await container_client.delete_blob(blob['name']) - async def process_blob(self, blob, container_client): + async def process_blob(self, blob, container_client, session: aiohttp.ClientSession): async with self.semaphore: - logging.debug("Start processing {}".format(blob['name'])) - sentinel = self._create_sentinel_client() + logging.info("Start processing {}".format(blob['name'])) + sentinel = AzureSentinelConnectorAsync(session, LOG_ANALYTICS_URI, WORKSPACE_ID, SHARED_KEY, LOG_TYPE, queue_size=MAX_BUCKET_SIZE) blob_cor = await container_client.download_blob(blob['name']) s = '' async for chunk in blob_cor.chunks(): @@ -129,6 +128,6 @@ class AzureBlobStorageConnector: await self.delete_blob(blob, container_client) self.total_blobs += 1 self.total_events += sentinel.successfull_sent_events_number - logging.debug("Finish processing {}. Sent events: {}".format(blob['name'], sentinel.successfull_sent_events_number)) + logging.info("Finish processing {}. Sent events: {}".format(blob['name'], sentinel.successfull_sent_events_number)) if self.total_blobs % 100 == 0: logging.info('Processed {} files with {} events.'.format(self.total_blobs, self.total_events)) diff --git a/Solutions/Cloudflare/Data Connectors/AzureFunctionCloudflare/sentinel_connector_async.py b/Solutions/Cloudflare/Data Connectors/AzureFunctionCloudflare/sentinel_connector_async.py index eb4d3c9067..41fcf2ce9b 100644 --- a/Solutions/Cloudflare/Data Connectors/AzureFunctionCloudflare/sentinel_connector_async.py +++ b/Solutions/Cloudflare/Data Connectors/AzureFunctionCloudflare/sentinel_connector_async.py @@ -10,7 +10,7 @@ from collections import deque class AzureSentinelConnectorAsync: - def __init__(self, log_analytics_uri, workspace_id, shared_key, log_type, queue_size=1000, queue_size_bytes=25 * (2**20)): + def __init__(self, session: aiohttp.ClientSession, log_analytics_uri, workspace_id, shared_key, log_type, queue_size=1000, queue_size_bytes=25 * (2**20)): self.log_analytics_uri = log_analytics_uri self.workspace_id = workspace_id self.shared_key = shared_key @@ -21,6 +21,7 @@ class AzureSentinelConnectorAsync: self.successfull_sent_events_number = 0 self.failed_sent_events_number = 0 self.lock = asyncio.Lock() + self.session = session async def send(self, event): events = None @@ -38,8 +39,7 @@ class AzureSentinelConnectorAsync: async def _flush(self, data: list): if data: data = self._split_big_request(data) - async with aiohttp.ClientSession() as session: - await asyncio.gather(*[self._post_data(session, self.workspace_id, self.shared_key, d, self.log_type) for d in data]) + await asyncio.gather(*[self._post_data(self.session, self.workspace_id, self.shared_key, d, self.log_type) for d in data]) def _build_signature(self, workspace_id, shared_key, date, content_length, method, content_type, resource): x_headers = 'x-ms-date:' + date @@ -90,6 +90,7 @@ class AzureSentinelConnectorAsync: async def _make_request(self, session, uri, body, headers): async with session.post(uri, data=body, headers=headers) as response: + await response.text() if not (200 <= response.status <= 299): raise Exception("Error during sending events to Azure Sentinel. Response code: {}".format(response.status)) diff --git a/Solutions/Cloudflare/Data Connectors/CloudflareConn.zip b/Solutions/Cloudflare/Data Connectors/CloudflareConn.zip index 09e9e62f83..0dd04a57f0 100644 Binary files a/Solutions/Cloudflare/Data Connectors/CloudflareConn.zip and b/Solutions/Cloudflare/Data Connectors/CloudflareConn.zip differ diff --git a/Solutions/Cloudflare/Data Connectors/azuredeploy_Cloudflare_API_FunctionApp.json b/Solutions/Cloudflare/Data Connectors/azuredeploy_Cloudflare_API_FunctionApp.json index 2226620966..d00428694b 100644 --- a/Solutions/Cloudflare/Data Connectors/azuredeploy_Cloudflare_API_FunctionApp.json +++ b/Solutions/Cloudflare/Data Connectors/azuredeploy_Cloudflare_API_FunctionApp.json @@ -31,16 +31,9 @@ "description": "Defines how many files can be processed simultaneously. Higher value means higher processing speed and higher memory consumption. If log files are bigger than 50 Mb, it is recommended to use value not higher than 20. If files are smaller, value can be higher." } }, - "FilesPerPage": { - "type": "int", - "defaultValue": 1000, - "metadata": { - "description": "Defines page size while listing files from blob storage. New page is not processed while old page is processing. Value should be higher than СoncurrentProcessingFiles." - } - }, "EventsBucketSize": { "type": "int", - "defaultValue": 1000, + "defaultValue": 2000, "metadata": { "description": "Defines max number of events that can be sent in one request to Azure Sentinel. Higher value means higher processing speed and higher memory consumption." } @@ -176,11 +169,10 @@ "WORKSPACE_ID": "[parameters('AzureSentinelWorkspaceId')]", "SHARED_KEY": "[parameters('AzureSentinelSharedKey')]", "MAX_CONCURRENT_PROCESSING_FILES": "[parameters('SimultaneouslyProcessingFiles')]", - "MAX_PAGE_SIZE": "[parameters('FilesPerPage')]", "MAX_BUCKET_SIZE": "[parameters('EventsBucketSize')]", "logAnalyticsUri": "[variables('LogAnaltyicsUri')]", "WEBSITE_RUN_FROM_PACKAGE": "https://aka.ms/sentinel-CloudflareDataConnector-functionapp", - "LINE_SEPARATOR": "[\\n\\r\\x0b\\v\\x0c\\f\\x1c\\x1d\\x85\\x1e\\u2028\\u2029]+" + "lineSeparator": "[\\n\\r\\x0b\\v\\x0c\\f\\x1c\\x1d\\x85\\x1e\\u2028\\u2029]+" } } ] diff --git a/Solutions/Cloudflare/Data Connectors/requirements.txt b/Solutions/Cloudflare/Data Connectors/requirements.txt index 455a827af9..ff577190f0 100644 --- a/Solutions/Cloudflare/Data Connectors/requirements.txt +++ b/Solutions/Cloudflare/Data Connectors/requirements.txt @@ -1,3 +1,3 @@ azure-storage-blob==12.8.0 -aiohttp==3.7.4.post0 +aiohttp==3.8.0 azure-functions==1.6.0 diff --git a/Solutions/CrowdStrike Falcon Endpoint Protection/DataConnectors/CrowdstrikeReplicator/CrowdstrikeFalconAPISentinelConn.zip b/Solutions/CrowdStrike Falcon Endpoint Protection/DataConnectors/CrowdstrikeReplicator/CrowdstrikeFalconAPISentinelConn.zip index c1ae58f3af..f6c31df73a 100644 Binary files a/Solutions/CrowdStrike Falcon Endpoint Protection/DataConnectors/CrowdstrikeReplicator/CrowdstrikeFalconAPISentinelConn.zip and b/Solutions/CrowdStrike Falcon Endpoint Protection/DataConnectors/CrowdstrikeReplicator/CrowdstrikeFalconAPISentinelConn.zip differ diff --git a/Solutions/CrowdStrike Falcon Endpoint Protection/DataConnectors/CrowdstrikeReplicator/CrowdstrikeFalconAPISentinelConnector/__init__.py b/Solutions/CrowdStrike Falcon Endpoint Protection/DataConnectors/CrowdstrikeReplicator/CrowdstrikeFalconAPISentinelConnector/__init__.py index 2a580252dd..17b21dfce4 100644 --- a/Solutions/CrowdStrike Falcon Endpoint Protection/DataConnectors/CrowdstrikeReplicator/CrowdstrikeFalconAPISentinelConnector/__init__.py +++ b/Solutions/CrowdStrike Falcon Endpoint Protection/DataConnectors/CrowdstrikeReplicator/CrowdstrikeFalconAPISentinelConnector/__init__.py @@ -1,176 +1,151 @@ -import boto3 -import json -import datetime -from botocore.config import Config as BotoCoreConfig -import tempfile +import asyncio import os -import gzip -import time -import base64 -import hashlib -import hmac -import requests -import threading -import azure.functions as func -import logging +import sys +import asyncio +import json +from botocore.config import Config as BotoCoreConfig +from aiobotocore.session import get_session +from gzip_stream import AsyncGZIPDecompressedStream import re +from .sentinel_connector_async import AzureSentinelConnectorAsync +import time +import aiohttp +import logging +import azure.functions as func -customer_id = os.environ['WorkspaceID'] -shared_key = os.environ['WorkspaceKey'] -log_type = "CrowdstrikeReplicatorLogs" +MAX_SCRIPT_EXEC_TIME_MINUTES = 5 + +WORKSPACE_ID = os.environ['WorkspaceID'] +SHARED_KEY = os.environ['WorkspaceKey'] +LOG_TYPE = "CrowdstrikeReplicatorLogs" AWS_KEY = os.environ['AWS_KEY'] AWS_SECRET = os.environ['AWS_SECRET'] AWS_REGION_NAME = os.environ['AWS_REGION_NAME'] QUEUE_URL = os.environ['QUEUE_URL'] VISIBILITY_TIMEOUT = 60 -temp_dir = tempfile.TemporaryDirectory() +LINE_SEPARATOR = os.environ.get('lineSeparator', '[\n\r\x0b\v\x0c\f\x1c\x1d\x85\x1e\u2028\u2029]+') -if 'logAnalyticsUri' in os.environ: - logAnalyticsUri = os.environ['logAnalyticsUri'] - pattern = r"https:\/\/([\w\-]+)\.ods\.opinsights\.azure.([a-zA-Z\.]+)$" - match = re.match(pattern,str(logAnalyticsUri)) - if not match: - raise Exception("Invalid Log Analytics Uri.") -else: - logAnalyticsUri = "https://" + customer_id + ".ods.opinsights.azure.com" +# Defines how many files can be processed simultaneously +MAX_CONCURRENT_PROCESSING_FILES = int(os.environ.get('SimultaneouslyProcessingFiles', 5)) -def get_sqs_messages(): +# Defines max number of events that can be sent in one request to Azure Sentinel +MAX_BUCKET_SIZE = int(os.environ.get('EventsBucketSize', 1000)) + +LOG_ANALYTICS_URI = os.environ.get('logAnalyticsUri') +if not LOG_ANALYTICS_URI or str(LOG_ANALYTICS_URI).isspace(): + LOG_ANALYTICS_URI = 'https://' + WORKSPACE_ID + '.ods.opinsights.azure.com' +pattern = r'https:\/\/([\w\-]+)\.ods\.opinsights\.azure.([a-zA-Z\.]+)$' +match = re.match(pattern, str(LOG_ANALYTICS_URI)) +if not match: + raise Exception("Invalid Log Analytics Uri.") + +script_start_time = int(time.time()) + +def _create_sqs_client(): + sqs_session = get_session() + return sqs_session.create_client( + 'sqs', + region_name=AWS_REGION_NAME, + aws_access_key_id=AWS_KEY, + aws_secret_access_key=AWS_SECRET + ) + +def _create_s3_client(): + s3_session = get_session() + boto_config = BotoCoreConfig(region_name=AWS_REGION_NAME) + return s3_session.create_client( + 's3', + region_name=AWS_REGION_NAME, + aws_access_key_id=AWS_KEY, + aws_secret_access_key=AWS_SECRET, + config=boto_config + ) + +def check_if_script_runs_too_long(script_start_time): + now = int(time.time()) + duration = now - script_start_time + max_duration = int(MAX_SCRIPT_EXEC_TIME_MINUTES * 60 * 0.85) + return duration > max_duration + +async def main(mytimer: func.TimerRequest): + script_start_time = int(time.time()) logging.info("Creating SQS connection") - sqs = boto3.resource('sqs', region_name=AWS_REGION_NAME, aws_access_key_id=AWS_KEY, aws_secret_access_key=AWS_SECRET) - queue = sqs.Queue(url=QUEUE_URL) - logging.info("Queue connected") - for msg in queue.receive_messages(VisibilityTimeout=VISIBILITY_TIMEOUT): - msg_body = json.loads(msg.body) - ts = datetime.datetime.utcfromtimestamp(msg_body['timestamp'] / 1000).strftime('%Y-%m-%d %H:%M:%S.%f')[:-3] - logging.info("Start processing bucket {0}: {1} files with total size {2}, bucket timestamp: {3}".format(msg_body['bucket'],msg_body['fileCount'],msg_body['totalSize'],ts)) - if "files" in msg_body: - if download_message_files(msg_body) is True: - msg.delete() - -def process_message_files(): - for file in files_for_handling: - process_file(file) - -def download_message_files(msg): - try: - msg_output_path = os.path.join(temp_dir.name, msg['pathPrefix']) - if not os.path.exists(msg_output_path): - os.makedirs(msg_output_path) - for s3_file in msg['files']: - s3_path = s3_file['path'] - local_path = os.path.join(temp_dir.name, s3_path) - logging.info("Start downloading file {}".format(s3_path)) - s3_client.download_file(msg['bucket'], s3_path, local_path) - if check_damaged_archive(local_path) is True: - logging.info("File {} successfully downloaded.".format(s3_path)) - files_for_handling.append(local_path) - else: - logging.warn("File {} damaged. Unpack ERROR.".format(s3_path)) - return True - except Exception as ex: - logging.error("Exception in downloading file from S3. Msg: {0}".format(str(ex))) - return False - -def check_damaged_archive(file_path): - chunksize = 1024*1024 # 10 Mbytes - with gzip.open(file_path, 'rb') as f: - try: - while f.read(chunksize) != '': - return True - except: - return False - -def process_file(file_path): - global processed_messages_success, processed_messages_failed - processed_messages_success = 0 - processed_messages_failed = 0 - size = 1024*1024 - # unzip archive to temp file - out_tmp_file_path = file_path.replace(".gz", ".tmp") - with gzip.open(file_path, 'rb') as f_in: - with open(out_tmp_file_path, 'wb') as f_out: + async with _create_sqs_client() as client: + async with aiohttp.ClientSession() as session: + logging.info('Trying to check messages off the queue...') while True: - data = f_in.read(size) - if not data: + try: + response = await client.receive_message( + QueueUrl=QUEUE_URL, + WaitTimeSeconds=2, + VisibilityTimeout=VISIBILITY_TIMEOUT + ) + if 'Messages' in response: + for msg in response['Messages']: + body_obj = json.loads(msg["Body"]) + logging.info("Got message with MessageId {}. Start processing {} files from Bucket: {}. Path prefix: {}".format(msg["MessageId"], body_obj["fileCount"], body_obj["bucket"], body_obj["pathPrefix"])) + await download_message_files(body_obj, session) + logging.info("Finished processing {} files from MessageId {}. Bucket: {}. Path prefix: {}".format(body_obj["fileCount"], msg["MessageId"], body_obj["bucket"], body_obj["pathPrefix"])) + try: + await client.delete_message( + QueueUrl=QUEUE_URL, + ReceiptHandle=msg['ReceiptHandle'] + ) + except Exception as e: + logging.error("Error during deleting message with MessageId {} from queue. Bucket: {}. Path prefix: {}. Error: {}".format(msg["MessageId"], body_obj["bucket"], body_obj["pathPrefix"], e)) + else: + logging.info('No messages in queue. Re-trying to check...') + except KeyboardInterrupt: break - f_out.write(data) - os.remove(file_path) - threads = [] - with open(out_tmp_file_path) as file_handler: - for data_chunk in split_chunks(file_handler): - chunk_size = len(data_chunk) - logging.info("Processing data chunk of file {} with {} events.".format(out_tmp_file_path, chunk_size)) - data = json.dumps(data_chunk) - t = threading.Thread(target=post_data, args=(data, chunk_size)) - threads.append(t) - t.start() - for t in threads: - t.join() - logging.info("File {} processed. {} events - successfully, {} events - failed.".format(file_path, processed_messages_success,processed_messages_failed)) - os.remove(out_tmp_file_path) -def split_chunks(file_handler, chunk_size=15000): - chunk = [] - for line in file_handler: - chunk.append(json.loads(line)) - if len(chunk) == chunk_size: - yield chunk - chunk = [] - if chunk: - yield chunk + if check_if_script_runs_too_long(script_start_time): + logging.info('Script is running too long. Stop processing new messages from queue.') + break -def build_signature(customer_id, shared_key, date, content_length, method, content_type, resource): - x_headers = 'x-ms-date:' + date - string_to_hash = method + "\n" + str(content_length) + "\n" + content_type + "\n" + x_headers + "\n" + resource - bytes_to_hash = bytes(string_to_hash, encoding="utf-8") - decoded_key = base64.b64decode(shared_key) - encoded_hash = base64.b64encode(hmac.new(decoded_key, bytes_to_hash, digestmod=hashlib.sha256).digest()).decode() - authorization = "SharedKey {}:{}".format(customer_id,encoded_hash) - return authorization -def post_data(body,chunk_count): - global processed_messages_success, processed_messages_failed - method = 'POST' - content_type = 'application/json' - resource = '/api/logs' - rfc1123date = datetime.datetime.utcnow().strftime('%a, %d %b %Y %H:%M:%S GMT') - content_length = len(body) - signature = build_signature(customer_id, shared_key, rfc1123date, content_length, method, content_type, resource) - uri = logAnalyticsUri + resource + "?api-version=2016-04-01" - headers = { - 'content-type': content_type, - 'Authorization': signature, - 'Log-Type': log_type, - 'x-ms-date': rfc1123date - } - response = requests.post(uri,data=body, headers=headers) - if (response.status_code >= 200 and response.status_code <= 299): - processed_messages_success = processed_messages_success + chunk_count - logging.info("Chunk with {} events was processed and uploaded to Azure".format(chunk_count)) - else: - processed_messages_failed = processed_messages_failed + chunk_count - logging.warn("Problem with uploading to Azure. Response code: {}".format(response.status_code)) +async def process_file(bucket, s3_path, client, semaphore, session): + async with semaphore: + total_events = 0 + logging.info("Start processing file {}".format(s3_path)) + sentinel = AzureSentinelConnectorAsync( + session, + LOG_ANALYTICS_URI, + WORKSPACE_ID, + SHARED_KEY, + LOG_TYPE, + queue_size=MAX_BUCKET_SIZE + ) + response = await client.get_object(Bucket=bucket, Key=s3_path) + s = '' + async for decompressed_chunk in AsyncGZIPDecompressedStream(response["Body"]): + s += decompressed_chunk.decode(errors='ignore') + lines = re.split(r'{0}'.format(LINE_SEPARATOR), s) + for n, line in enumerate(lines): + if n < len(lines) - 1: + if line: + try: + event = json.loads(line) + except ValueError as e: + logging.error('Error while loading json Event at s value {}. Error: {}'.format(line, str(e))) + raise e + await sentinel.send(event) + s = line + if s: + try: + event = json.loads(s) + except ValueError as e: + logging.error('Error while loading json Event at s value {}. Error: {}'.format(line, str(e))) + raise e + await sentinel.send(event) + await sentinel.flush() + total_events += sentinel.successfull_sent_events_number + logging.info("Finish processing file {}. Sent events: {}".format(s3_path, sentinel.successfull_sent_events_number)) -def cb_rename_tmp_to_json(file_path, file_size, lines_count): - out_file_name = file_path.replace(".tmp", ".json") - os.rename(file_path, out_file_name) -def create_s3_client(): - try: - boto_config = BotoCoreConfig(region_name=AWS_REGION_NAME) - return boto3.client('s3', region_name=AWS_REGION_NAME, aws_access_key_id=AWS_KEY, aws_secret_access_key=AWS_SECRET, config=boto_config) - except Exception as ex: - logging.error("Connect to S3 exception. Msg: {0}".format(str(ex))) - return None - -s3_client = create_s3_client() - -def main(mytimer: func.TimerRequest) -> None: - if mytimer.past_due: - logging.info('The timer is past due!') - logging.info('Starting program') - logging.info(logAnalyticsUri) - global files_for_handling - files_for_handling = [] - get_sqs_messages() - process_message_files() \ No newline at end of file +async def download_message_files(msg, session): + semaphore = asyncio.Semaphore(MAX_CONCURRENT_PROCESSING_FILES) + async with _create_s3_client() as client: + cors = [] + for s3_file in msg['files']: + cors.append(process_file(msg['bucket'], s3_file['path'], client, semaphore, session)) + await asyncio.gather(*cors) \ No newline at end of file diff --git a/Solutions/CrowdStrike Falcon Endpoint Protection/DataConnectors/CrowdstrikeReplicator/CrowdstrikeFalconAPISentinelConnector/function.json b/Solutions/CrowdStrike Falcon Endpoint Protection/DataConnectors/CrowdstrikeReplicator/CrowdstrikeFalconAPISentinelConnector/function.json index a1c62d7ae9..591d838d56 100644 --- a/Solutions/CrowdStrike Falcon Endpoint Protection/DataConnectors/CrowdstrikeReplicator/CrowdstrikeFalconAPISentinelConnector/function.json +++ b/Solutions/CrowdStrike Falcon Endpoint Protection/DataConnectors/CrowdstrikeReplicator/CrowdstrikeFalconAPISentinelConnector/function.json @@ -9,3 +9,4 @@ } ] } + diff --git a/Solutions/CrowdStrike Falcon Endpoint Protection/DataConnectors/CrowdstrikeReplicator/CrowdstrikeFalconAPISentinelConnector/sentinel_connector_async.py b/Solutions/CrowdStrike Falcon Endpoint Protection/DataConnectors/CrowdstrikeReplicator/CrowdstrikeFalconAPISentinelConnector/sentinel_connector_async.py new file mode 100644 index 0000000000..ab02a7d8eb --- /dev/null +++ b/Solutions/CrowdStrike Falcon Endpoint Protection/DataConnectors/CrowdstrikeReplicator/CrowdstrikeFalconAPISentinelConnector/sentinel_connector_async.py @@ -0,0 +1,108 @@ +import datetime +import logging +import json +import hashlib +import hmac +import base64 +import aiohttp +import asyncio +from collections import deque + + +class AzureSentinelConnectorAsync: + def __init__(self, session: aiohttp.ClientSession, log_analytics_uri, workspace_id, shared_key, log_type, queue_size=1000, queue_size_bytes=25 * (2**20)): + self.log_analytics_uri = log_analytics_uri + self.workspace_id = workspace_id + self.shared_key = shared_key + self.log_type = log_type + self.queue_size = queue_size + self.queue_size_bytes = queue_size_bytes + self._queue = deque() + self.successfull_sent_events_number = 0 + self.failed_sent_events_number = 0 + self.lock = asyncio.Lock() + self.session = session + + async def send(self, event): + events = None + async with self.lock: + self._queue.append(event) + if len(self._queue) >= self.queue_size: + events = list(self._queue) + self._queue.clear() + if events: + await self._flush(events) + + async def flush(self): + await self._flush(list(self._queue)) + + async def _flush(self, data: list): + if data: + data = self._split_big_request(data) + await asyncio.gather(*[self._post_data(self.session, self.workspace_id, self.shared_key, d, self.log_type) for d in data]) + + def _build_signature(self, workspace_id, shared_key, date, content_length, method, content_type, resource): + x_headers = 'x-ms-date:' + date + string_to_hash = method + "\n" + str(content_length) + "\n" + content_type + "\n" + x_headers + "\n" + resource + bytes_to_hash = bytes(string_to_hash, encoding="utf-8") + decoded_key = base64.b64decode(shared_key) + encoded_hash = base64.b64encode(hmac.new(decoded_key, bytes_to_hash, digestmod=hashlib.sha256).digest()).decode() + authorization = "SharedKey {}:{}".format(workspace_id, encoded_hash) + return authorization + + async def _post_data(self, session: aiohttp.ClientSession, workspace_id, shared_key, body, log_type): + logging.debug('Start sending data to sentinel') + events_number = len(body) + body = json.dumps(body) + method = 'POST' + content_type = 'application/json' + resource = '/api/logs' + rfc1123date = datetime.datetime.utcnow().strftime('%a, %d %b %Y %H:%M:%S GMT') + content_length = len(body) + signature = self._build_signature(workspace_id, shared_key, rfc1123date, content_length, method, content_type, resource) + uri = self.log_analytics_uri + resource + '?api-version=2016-04-01' + + headers = { + 'content-type': content_type, + 'Authorization': signature, + 'Log-Type': log_type, + 'x-ms-date': rfc1123date + } + + try_number = 1 + while True: + try: + if len(body) < 10: + logging.info(body) + await self._make_request(session, uri, body, headers) + except Exception as err: + if try_number < 3: + logging.warning('Error while sending data to Azure Sentinel. Try number: {}. Trying one more time. {}'.format(try_number, err)) + await asyncio.sleep(try_number) + try_number += 1 + else: + logging.error(str(err)) + self.failed_sent_events_number += events_number + raise err + else: + logging.debug('{} events have been successfully sent to Azure Sentinel'.format(events_number)) + self.successfull_sent_events_number += events_number + break + + + async def _make_request(self, session, uri, body, headers): + async with session.post(uri, data=body, headers=headers, ssl=False) as response: + if not (200 <= response.status <= 299): + raise Exception("Error during sending events to Azure Sentinel. Response code: {}".format(response.status)) + + def _check_size(self, queue): + data_bytes_len = len(json.dumps(queue).encode()) + return data_bytes_len < self.queue_size_bytes + + def _split_big_request(self, queue): + if self._check_size(queue): + return [queue] + else: + middle = int(len(queue) / 2) + queues_list = [queue[:middle], queue[middle:]] + return self._split_big_request(queues_list[0]) + self._split_big_request(queues_list[1]) diff --git a/Solutions/CrowdStrike Falcon Endpoint Protection/DataConnectors/CrowdstrikeReplicator/azuredeploy_Connector_CrowdstrikeFalconAPI_AzureFunction.json b/Solutions/CrowdStrike Falcon Endpoint Protection/DataConnectors/CrowdstrikeReplicator/azuredeploy_Connector_CrowdstrikeFalconAPI_AzureFunction.json index df09a5699a..13c9ce86bf 100644 --- a/Solutions/CrowdStrike Falcon Endpoint Protection/DataConnectors/CrowdstrikeReplicator/azuredeploy_Connector_CrowdstrikeFalconAPI_AzureFunction.json +++ b/Solutions/CrowdStrike Falcon Endpoint Protection/DataConnectors/CrowdstrikeReplicator/azuredeploy_Connector_CrowdstrikeFalconAPI_AzureFunction.json @@ -31,6 +31,20 @@ "QUEUE_URL": { "type": "string", "defaultValue": "" + }, + "SimultaneouslyProcessingFiles": { + "type": "int", + "defaultValue": 10, + "metadata": { + "description": "Defines how many files can be processed simultaneously. Higher value means higher processing speed and higher memory consumption. If log files are bigger than 50 Mb, it is recommended to use value not higher than 20. If files are smaller, value can be higher." + } + }, + "EventsBucketSize": { + "type": "int", + "defaultValue": 2000, + "metadata": { + "description": "Defines max number of events that can be sent in one request to Azure Sentinel. Higher value means higher processing speed and higher memory consumption." + } } }, "variables": { @@ -161,6 +175,8 @@ "AWS_SECRET": "[parameters('AWS_SECRET')]", "AWS_REGION_NAME": "[parameters('AWS_REGION_NAME')]", "QUEUE_URL": "[parameters('QUEUE_URL')]", + "MAX_CONCURRENT_PROCESSING_FILES": "[parameters('SimultaneouslyProcessingFiles')]", + "MAX_BUCKET_SIZE": "[parameters('EventsBucketSize')]", "WEBSITE_RUN_FROM_PACKAGE": "https://aka.ms/sentinel-CrowdstrikeReplicator-functionapp" } } diff --git a/Solutions/CrowdStrike Falcon Endpoint Protection/DataConnectors/CrowdstrikeReplicator/requirements.txt b/Solutions/CrowdStrike Falcon Endpoint Protection/DataConnectors/CrowdstrikeReplicator/requirements.txt index 6dfae71d2f..93c1d633c2 100644 --- a/Solutions/CrowdStrike Falcon Endpoint Protection/DataConnectors/CrowdstrikeReplicator/requirements.txt +++ b/Solutions/CrowdStrike Falcon Endpoint Protection/DataConnectors/CrowdstrikeReplicator/requirements.txt @@ -2,6 +2,7 @@ # The Python Worker is managed by Azure Functions platform # Manually managing azure-functions-worker may cause unexpected issues -azure-functions -boto3 -requests +aiohttp==3.8.0 +azure-functions==1.6.0 +aiobotocore +gzip_stream \ No newline at end of file diff --git a/Solutions/CrowdStrike Falcon Endpoint Protection/Package/1.0.9.zip b/Solutions/CrowdStrike Falcon Endpoint Protection/Package/1.0.9.zip new file mode 100644 index 0000000000..af79d26fb4 Binary files /dev/null and b/Solutions/CrowdStrike Falcon Endpoint Protection/Package/1.0.9.zip differ diff --git a/Solutions/CrowdStrike Falcon Endpoint Protection/Package/createUiDefinition.json b/Solutions/CrowdStrike Falcon Endpoint Protection/Package/createUiDefinition.json new file mode 100644 index 0000000000..0fffc07e8b --- /dev/null +++ b/Solutions/CrowdStrike Falcon Endpoint Protection/Package/createUiDefinition.json @@ -0,0 +1,442 @@ +{ + "$schema": "https://schema.management.azure.com/schemas/0.1.2-preview/CreateUIDefinition.MultiVm.json#", + "handler": "Microsoft.Azure.CreateUIDef", + "version": "0.1.2-preview", + "parameters": { + "config": { + "isWizard": false, + "basics": { + "description": "\n\n**Important:** _This Azure Sentinel Solution is currently in public preview. This feature is provided without a service level agreement, and it's not recommended for production workloads. Certain features might not be supported or might have constrained capabilities. For more information, see [Supplemental Terms of Use for Microsoft Azure Previews](https://azure.microsoft.com/support/legal/preview-supplemental-terms/)._\n\n**Note:** _There may be [known issues](https://aka.ms/sentinelsolutionsknownissues) pertaining to this Solution, please refer to them before installing._\n\n[CrowdStrike Falcon Endpoint Protection](https://www.crowdstrike.com/resources/data-sheets/falcon-endpoint-protection-pro/) offers the ideal antivirus replacement solution by combining the most effective prevention technologies and full attack visibility with built-in threat intelligence and response.\n\nAzure Sentinel Solutions provide a consolidated way to acquire Azure Sentinel content like data connectors, workbooks, analytics, and automations in your workspace with a single deployment step.\n\n**Data Connectors:** 2, **Parsers:** 2, **Workbooks:** 1, **Analytic Rules:** 2, **Playbooks:** 5\n\n[Learn more about Azure Sentinel](https://aka.ms/azuresentinel) | [Learn more about Solutions](https://aka.ms/azuresentinelsolutionsdoc)", + "subscription": { + "resourceProviders": [ + "Microsoft.OperationsManagement/solutions", + "Microsoft.OperationalInsights/workspaces/providers/alertRules", + "Microsoft.Insights/workbooks" + ] + }, + "location": { + "metadata": { + "hidden": "Hiding location, we get it from the log analytics workspace" + }, + "visible": false + }, + "resourceGroup": { + "allowExisting": true + } + } + }, + "basics": [ + { + "name": "getLAWorkspace", + "type": "Microsoft.Solutions.ArmApiControl", + "toolTip": "This filters by workspaces that exist in the Resource Group selected", + "condition": "[greater(length(resourceGroup().name),0)]", + "request": { + "method": "GET", + "path": "[concat(subscription().id,'/providers/Microsoft.OperationalInsights/workspaces?api-version=2020-08-01')]" + } + }, + { + "name": "workspace", + "type": "Microsoft.Common.DropDown", + "label": "Workspace", + "placeholder": "Select a workspace", + "toolTip": "This dropdown will list only workspace that exists in the Resource Group selected", + "constraints": { + "allowedValues": "[map(filter(basics('getLAWorkspace').value, (filter) => contains(filter.id, toLower(resourceGroup().name))), (item) => parse(concat('{\"label\":\"', item.name, '\",\"value\":\"', item.name, '\"}')))]", + "required": true + }, + "visible": true + } + ], + "steps": [ + { + "name": "dataconnectors", + "label": "Data Connectors", + "bladeTitle": "Data Connectors", + "elements": [ + { + "name": "dataconnectors-text1", + "type": "Microsoft.Common.TextBlock", + "options": { + "text": "This Solution installs the data connector for CrowdStrike Falcon Endpoint Protection. You can get CrowdStrike Falcon Endpoint Protection CommonSecurityLog data in your Azure Sentinel workspace. Configure and enable this data connector in the Data Connector gallery after this Solution deploys. The logs will be received in the CommonSecurityLog table in your Azure Sentinel / Azure Log Analytics workspace." + } + }, + { + "name": "dataconnectors-text2", + "type": "Microsoft.Common.TextBlock", + "options": { + "text": "This Solution installs the data connector for Crowdstrike Falcon Data Replicator. You can get Crowdstrike Falcon Data Replicator custom log data in your Azure Sentinel workspace. Configure and enable this data connector in the Data Connector gallery after this Solution deploys. This data connector creates a custom log table CrowdstrikeReplicatorLogs_CL in your Azure Sentinel / Azure Log Analytics workspace." + } + }, + { + "name": "dataconnectors-text3", + "type": "Microsoft.Common.TextBlock", + "options": { + "text": "The Solution installs parsers that transform the ingested data into Azure Sentinel normalized format. The normalized format enables better correlation of different types of data from different data sources to drive end-to-end outcomes seamlessly in security monitoring, hunting, incident investigation and response scenarios in Azure Sentinel." + } + }, + { + "name": "dataconnectors-link1", + "type": "Microsoft.Common.TextBlock", + "options": { + "link": { + "label": "Learn more about normalized format", + "uri": "https://docs.microsoft.com/azure/sentinel/normalization-schema" + } + } + }, + { + "name": "dataconnectors-link2", + "type": "Microsoft.Common.TextBlock", + "options": { + "link": { + "label": "Learn more about connecting data sources", + "uri": "https://docs.microsoft.com/azure/sentinel/connect-data-sources" + } + } + } + ] + }, + { + "name": "workbooks", + "label": "Workbooks", + "subLabel": { + "preValidation": "Configure the workbooks", + "postValidation": "Done" + }, + "bladeTitle": "Workbooks", + "elements": [ + { + "name": "workbooks-text", + "type": "Microsoft.Common.TextBlock", + "options": { + "text": "This Azure Sentinel Solution installs workbooks. Workbooks provide a flexible canvas for data monitoring, analysis, and the creation of rich visual reports within the Azure portal. They allow you to tap into one or many data sources from Azure Sentinel and combine them into unified interactive experiences.", + "link": { + "label": "Learn more", + "uri": "https://docs.microsoft.com/azure/sentinel/tutorial-monitor-your-data" + } + } + }, + { + "name": "workbook1", + "type": "Microsoft.Common.Section", + "label": "CrowdStrike Falcon Endpoint Protection", + "elements": [ + { + "name": "workbook1-text", + "type": "Microsoft.Common.TextBlock", + "options": { + "text": "Gain insight into CrowdStrike Falcon Endpoint Protection by analyzing, collecting and correlating sensor detections and authentication events from the Event Stream API" + } + }, + { + "name": "workbook1-name", + "type": "Microsoft.Common.TextBox", + "label": "Display Name", + "defaultValue": "CrowdStrike Falcon Endpoint Protection", + "toolTip": "Display name for the workbook.", + "constraints": { + "required": true, + "regex": "[a-z0-9A-Z]{1,256}$", + "validationMessage": "Please enter a workbook name" + } + } + ] + } + ] + }, + { + "name": "analytics", + "label": "Analytics", + "subLabel": { + "preValidation": "Configure the analytics", + "postValidation": "Done" + }, + "bladeTitle": "Analytics", + "elements": [ + { + "name": "analytics-text", + "type": "Microsoft.Common.TextBlock", + "options": { + "text": "This Azure Sentinel Solution installs analytic rules for CrowdStrike Falcon Endpoint Protection that you can enable for custom alert generation in Azure Sentinel. These analytic rules will be deployed in disabled mode in the analytics rules gallery of your Azure Sentinel workspace. Configure and enable these rules in the analytic rules gallery after this Solution deploys.", + "link": { + "label": "Learn more", + "uri": "https://docs.microsoft.com/azure/sentinel/tutorial-detect-threats-custom?WT.mc_id=Portal-Microsoft_Azure_CreateUIDef" + } + } + }, + { + "name": "analytic1", + "type": "Microsoft.Common.Section", + "label": "Critical or High Severity Detections by User", + "elements": [ + { + "name": "analytic1-text", + "type": "Microsoft.Common.TextBlock", + "options": { + "text": "Creates an incident when a large number of Critical/High severity CrowdStrike Falcon sensor detections is triggered by a single user" + } + } + ] + }, + { + "name": "analytic2", + "type": "Microsoft.Common.Section", + "label": "Critical Severity Detection", + "elements": [ + { + "name": "analytic2-text", + "type": "Microsoft.Common.TextBlock", + "options": { + "text": "Creates an incident when a CrowdStrike Falcon sensor detection is triggered with a Critical Severity" + } + } + ] + } + ] + }, + { + "name": "playbooks", + "label": "Playbooks", + "subLabel": { + "preValidation": "Configure the playbooks", + "postValidation": "Done" + }, + "bladeTitle": "Playbooks", + "elements": [ + { + "name": "playbooks-text", + "type": "Microsoft.Common.TextBlock", + "options": { + "text": "This solution installs playbook resources. A security playbook is a collection of procedures that can be run from Azure Sentinel in response to an alert. A security playbook can help automate and orchestrate your response, and can be run manually or set to run automatically when specific alerts are triggered. Security playbooks in Azure Sentinel are based on Azure Logic Apps, which means that you get all the power, customizability, and built-in templates of Logic Apps. Each playbook is created for the specific subscription you choose, but when you look at the Playbooks page, you will see all the playbooks across any selected subscriptions.", + "link": { + "label": "Learn more", + "uri": "https://docs.microsoft.com/azure/sentinel/tutorial-respond-threats-playbook?WT.mc_id=Portal-Microsoft_Azure_CreateUIDef" + } + } + }, + { + "name": "playbook1", + "type": "Microsoft.Common.Section", + "label": "CrowdStrike_Base", + "elements": [ + { + "name": "playbook1-text", + "type": "Microsoft.Common.TextBlock", + "options": { + "text": "This playbook will genarate an authentication token from CrowdStrike. Azure Key Vault is required for storing the Crowdstrike ClientID and Secrets, create a key vault first if it does not exist." + } + }, + { + "name": "playbook1-keyvault_Name", + "type": "Microsoft.Common.TextBox", + "label": "KeyVault Name", + "defaultValue": "Crowdstrikekey", + "toolTip": "Please enter KeyVault Name", + "constraints": { + "required": true, + "regex": "[a-z0-9A-Z]{1,256}$", + "validationMessage": "Please enter the KeyVault Name" + } + }, + { + "name": "playbook1-ClientID", + "type": "Microsoft.Common.TextBox", + "label": "Client ID", + "defaultValue": "ClientID", + "toolTip": "Please enter Client ID", + "constraints": { + "required": true, + "regex": "[a-z0-9A-Z]{1,256}$", + "validationMessage": "Please enter the Client ID" + } + }, + { + "name": "playbook1-ClientSecret", + "type": "Microsoft.Common.TextBox", + "label": "Client Secret", + "defaultValue": "ClientSecret", + "toolTip": "Please enter Client Secret", + "constraints": { + "required": true, + "regex": "[a-z0-9A-Z]{1,256}$", + "validationMessage": "Please enter the Client Secret" + } + }, + { + "name": "playbook1-Service_Endpoint", + "type": "Microsoft.Common.TextBox", + "label": "Service Endpoint", + "defaultValue": "https://api.crowdstrike.com", + "toolTip": "Please enter Service Endpoint", + "constraints": { + "required": true, + "regex": "[a-z0-9A-Z]{1,256}$", + "validationMessage": "Please enter the Service Endpoint" + } + }, + { + "name": "playbook1-LogicAppName", + "type": "Microsoft.Common.TextBox", + "label": "Logic App Name", + "defaultValue": "CrowdStrike_Base", + "toolTip": "Please enter Logic App Name", + "constraints": { + "required": true, + "regex": "[a-z0-9A-Z]{1,256}$", + "validationMessage": "Please enter the Logic App Name" + } + } + ] + }, + { + "name": "playbook2", + "type": "Microsoft.Common.Section", + "label": "CrowdStrike_ContainHost", + "elements": [ + { + "name": "playbook2-text", + "type": "Microsoft.Common.TextBlock", + "options": { + "text": "This playbook will Contain the device automatically without SOC intervention" + } + }, + { + "name": "playbook2-Playbook_Name", + "type": "Microsoft.Common.TextBox", + "label": "Playbook Name", + "defaultValue": "Crowdstrike_ContainHost", + "toolTip": "Please enter Playbook Name", + "constraints": { + "required": true, + "regex": "[a-z0-9A-Z]{1,256}$", + "validationMessage": "Please enter the Playbook Name" + } + } + ] + }, + { + "name": "playbook3", + "type": "Microsoft.Common.Section", + "label": "CrowdStrike_Enrichment_GetDeviceInformation", + "elements": [ + { + "name": "playbook3-text", + "type": "Microsoft.Common.TextBlock", + "options": { + "text": "This playbook will Enrich the sentinel Incident with device information from the crowdstike" + } + }, + { + "name": "playbook3-Playbook_Name", + "type": "Microsoft.Common.TextBox", + "label": "Playbook Name", + "defaultValue": "Crowdstrike_Enrichment_GetDeviceInformation", + "toolTip": "Please enter Playbook Name", + "constraints": { + "required": true, + "regex": "[a-z0-9A-Z]{1,256}$", + "validationMessage": "Please enter the Playbook Name" + } + } + ] + }, + { + "name": "playbook4", + "type": "Microsoft.Common.Section", + "label": "CrowdStrike_ResponsefromTeams", + "elements": [ + { + "name": "playbook4-text", + "type": "Microsoft.Common.TextBlock", + "options": { + "text": "This playbook prompts SOC to take necessary actions on Host like Contain/LiftContainment/Run Script/Ignore" + } + }, + { + "name": "playbook4-Playbook_Name", + "type": "Microsoft.Common.TextBox", + "label": "Playbook Name", + "defaultValue": "CrowdStrike_ResponsefromTeams", + "toolTip": "Please enter Playbook Name", + "constraints": { + "required": true, + "regex": "[a-z0-9A-Z]{1,256}$", + "validationMessage": "Please enter the Playbook Name" + } + }, + { + "name": "playbook4-Teams_GroupId", + "type": "Microsoft.Common.TextBox", + "label": "Playbook Name", + "defaultValue": "TeamgroupId", + "toolTip": "Please enter Teams Group Id", + "constraints": { + "required": true, + "regex": "[a-z0-9A-Z]{1,256}$", + "validationMessage": "Please enter Teams Group Id" + } + }, + { + "name": "playbook4-Teams_ChannelId", + "type": "Microsoft.Common.TextBox", + "label": "Playbook Name", + "defaultValue": "TeamChannelId", + "toolTip": "Please enter Teams Channel Id", + "constraints": { + "required": true, + "regex": "[a-z0-9A-Z]{1,256}$", + "validationMessage": "Please enter Teams Channel Id" + } + } + ] + }, + { + "name": "playbook5", + "type": "Microsoft.Common.Section", + "label": "Crowdstrike_Remediation_Host", + "elements": [ + { + "name": "playbook5-text", + "type": "Microsoft.Common.TextBlock", + "options": { + "text": "This playbook will Contain the device automatically without SOC intervention" + } + }, + { + "name": "playbook5-Playbook_Name", + "type": "Microsoft.Common.TextBox", + "label": "Playbook Name", + "defaultValue": "Crowdstrike_Remediation_Host", + "toolTip": "Please enter Playbook Name", + "constraints": { + "required": true, + "regex": "[a-z0-9A-Z]{1,256}$", + "validationMessage": "Please enter the Playbook Name" + } + } + ] + } + ] + } + ], + "outputs": { + "workspace-location":"[first(map(filter(basics('getLAWorkspace').value, (filter) => and(contains(filter.id, toLower(resourceGroup().name)),equals(filter.name,basics('workspace')))), (item) => item.location))]", + "location": "[location()]", + "workspace": "[basics('workspace')]", + "workbook1-name": "[steps('workbooks').workbook1.workbook1-name]", + "playbook1-keyvault_Name": "[steps('playbooks').playbook1.playbook1-keyvault_Name]", + "playbook1-ClientID": "[steps('playbooks').playbook1.playbook1-ClientID]", + "playbook1-ClientSecret": "[steps('playbooks').playbook1.playbook1-ClientSecret]", + "playbook1-Service_Endpoint": "[steps('playbooks').playbook1.playbook1-Service_Endpoint]", + "playbook1-LogicAppName": "[steps('playbooks').playbook1.playbook1-LogicAppName]", + "playbook2-Playbook_Name": "[steps('playbooks').playbook2.playbook2-Playbook_Name]", + "playbook3-Playbook_Name": "[steps('playbooks').playbook3.playbook3-Playbook_Name]", + "playbook4-Playbook_Name": "[steps('playbooks').playbook4.playbook4-Playbook_Name]", + "playbook4-Teams_GroupId": "[steps('playbooks').playbook4.playbook4-Teams_GroupId]", + "playbook4-Teams_ChannelId": "[steps('playbooks').playbook4.playbook4-Teams_ChannelId]", + "Playbook_Name": "[steps('playbooks').playbook5.playbook5-Playbook_Name]" + } + } +} diff --git a/Solutions/CrowdStrike Falcon Endpoint Protection/Package/mainTemplate.json b/Solutions/CrowdStrike Falcon Endpoint Protection/Package/mainTemplate.json new file mode 100644 index 0000000000..6681026cd9 --- /dev/null +++ b/Solutions/CrowdStrike Falcon Endpoint Protection/Package/mainTemplate.json @@ -0,0 +1,6680 @@ +{ + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "metadata": { + "author": "Eli Forbes - v-eliforbes@microsoft.com", + "comments": "Solution template for CrowdStrike Falcon Endpoint Protection" + }, + "parameters": { + "formattedTimeNow": { + "type": "string", + "defaultValue": "[utcNow('g')]", + "metadata": { + "description": "Appended to workbook displayNames to make them unique" + } + }, + "location": { + "type": "string", + "minLength": 1, + "defaultValue": "[resourceGroup().location]", + "metadata": { + "description": "Not used, but needed to pass arm-ttk test `Location-Should-Not-Be-Hardcoded`. We instead use the `workspace-location` which is derived from the LA workspace" + } + }, + "workspace-location": { + "type": "string", + "defaultValue": "", + "metadata": { + "description": "[concat('Region to deploy solution resources -- separate from location selection',parameters('location'))]" + } + }, + "workspace": { + "defaultValue": "", + "type": "string", + "metadata": { + "description": "Workspace name for Log Analytics where Sentinel is setup" + } + }, + "analytic1-id": { + "type": "string", + "defaultValue": "[newGuid()]", + "minLength": 1, + "metadata": { + "description": "Unique id for the scheduled alert rule" + } + }, + "analytic2-id": { + "type": "string", + "defaultValue": "[newGuid()]", + "minLength": 1, + "metadata": { + "description": "Unique id for the scheduled alert rule" + } + }, + "workbook1-id": { + "type": "string", + "defaultValue": "[newGuid()]", + "minLength": 1, + "metadata": { + "description": "Unique id for the workbook" + } + }, + "workbook1-name": { + "type": "string", + "defaultValue": "CrowdStrike Falcon Endpoint Protection", + "minLength": 1, + "metadata": { + "description": "Name for the workbook" + } + }, + "connectorName": { + "type": "string", + "defaultValue": "e44378a1-0b25-470f-bc7f-cc1f55437e6c" + }, + "connectorName-2": { + "type": "string", + "defaultValue": "ace76269-6186-4433-809a-39f440b7ef2d" + }, + "playbook1-keyvault_Name": { + "defaultValue": "Crowdstrikekey", + "type": "string", + "minLength": 1 + }, + "playbook1-ClientID": { + "defaultValue": "ClientID", + "type": "string", + "minLength": 1 + }, + "playbook1-ClientSecret": { + "defaultValue": "", + "type": "SecureString" + }, + "playbook1-Service_Endpoint": { + "defaultValue": "https://api.crowdstrike.com", + "type": "string", + "minLength": 1 + }, + "playbook1-LogicAppName": { + "defaultValue": "CrowdStrike_Base", + "type": "string", + "minLength": 1 + }, + "playbook2-Playbook_Name": { + "defaultValue": "Crowdstrike_ContainHost", + "type": "string", + "minLength": 1 + }, + "playbook3-Playbook_Name": { + "defaultValue": "Crowdstrike_Enrichment_GetDeviceInformation", + "type": "string", + "minLength": 1 + }, + "playbook4-Playbook_Name": { + "defaultValue": "Crowdstrike-ResponsefromTeams", + "type": "string", + "minLength": 1 + }, + "playbook4-Teams_GroupId": { + "defaultValue": "TeamgroupId", + "type": "string", + "metadata": { + "description": "GroupId of the Team channel" + } + }, + "playbook4-Teams_ChannelId": { + "defaultValue": "TeamChannelId", + "type": "string", + "metadata": { + "description": "Team ChannelId" + } + }, + "Playbook_Name": { + "defaultValue": "Crowdstrike-Remediation-Host", + "type": "String", + "metadata": { + "description": "Name of the Logic App/Playbook" + } + }, + "CrowdStrike_Base_Playbook_Name": { + "defaultValue": "[parameters('playbook1-LogicAppName')]", + "type": "String" + } + }, + "variables": { + "connector-source": "[concat('/subscriptions/',subscription().subscriptionId,'/resourceGroups/',resourceGroup().name,'/providers/Microsoft.OperationalInsights/workspaces/',parameters('workspace'),'/providers/Microsoft.SecurityInsights/dataConnectors/',parameters('connectorName'))]", + "_connector-source": "[variables('connector-source')]", + "connector-source-2": "[concat('/subscriptions/',subscription().subscriptionId,'/resourceGroups/',resourceGroup().name,'/providers/Microsoft.OperationalInsights/workspaces/',parameters('workspace'),'/providers/Microsoft.SecurityInsights/dataConnectors/',parameters('connectorName-2'))]", + "_connector-source-2": "[variables('connector-source-2')]", + "workbook-source": "[concat(resourceGroup().id, '/providers/Microsoft.OperationalInsights/workspaces/',parameters('workspace'))]", + "_workbook-source": "[variables('workbook-source')]", + "parser-dependency": "[concat('Microsoft.OperationalInsights/workspaces/', parameters('workspace'))]", + "playbook1-keyvault_Connection_Name": "keyvault", + "playbook-1-connection-2": "[concat(subscription().id, '/providers/Microsoft.Web/locations/', parameters('workspace-location'), '/managedApis/', 'keyvault')]", + "_playbook-1-connection-2": "[variables('playbook-1-connection-2')]", + "playbook2-AzureSentinelConnectionName": "[concat('azuresentinel-', parameters('playbook2-Playbook_Name'))]", + "playbook-2-connection-2": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', parameters('workspace-location'), '/managedApis/azuresentinel')]", + "_playbook-2-connection-2": "[variables('playbook-2-connection-2')]", + "playbook-4-connection-2": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', parameters('workspace-location'), '/managedApis/teams')]", + "_playbook-4-connection-2": "[variables('playbook-4-connection-2')]", + "playbook3-AzureSentinelConnectionName": "[concat('azuresentinel-', parameters('playbook3-Playbook_Name'))]", + "playbook4-AzureSentinelConnectionName": "[concat('azuresentinel-', parameters('playbook4-Playbook_Name'))]", + "playbook4-TeamsConnectionName": "[concat('teamsconnector-', parameters('playbook4-Playbook_Name'))]", + "__empty-value": "[concat('')]", + "CrowdStrikeFalconEndpointProtection": "CrowdStrikeFalconEndpointProtection", + "_CrowdStrikeFalconEndpointProtection": "[variables('CrowdStrikeFalconEndpointProtection')]", + "CrowdStrikeFalconDataReplicator": "CrowdStrikeFalconDataReplicator", + "_CrowdStrikeFalconDataReplicator": "[variables('CrowdStrikeFalconDataReplicator')]", + "CrowdStrikeFalconEventStream": "CrowdStrikeFalconEventStream", + "_CrowdStrikeFalconEventStream": "[variables('CrowdStrikeFalconEventStream')]", + "CrowdStrikeReplicator": "CrowdStrikeReplicator", + "_CrowdStrikeReplicator": "[variables('CrowdStrikeReplicator')]", + "CrowdStrikeHighSeverity": "CrowdStrikeHighSeverity", + "_CrowdStrikeHighSeverity": "[variables('CrowdStrikeHighSeverity')]", + "CrowdStrikeCriticalSeverity": "CrowdStrikeCriticalSeverity", + "_CrowdStrikeCriticalSeverity": "[variables('CrowdStrikeCriticalSeverity')]", + "CrowdStrike_Base": "CrowdStrike_Base", + "_CrowdStrike_Base": "[variables('CrowdStrike_Base')]", + "Crowdstrike_ContainHost": "Crowdstrike_ContainHost", + "_Crowdstrike_ContainHost": "[variables('Crowdstrike_ContainHost')]", + "Crowdstrike_Enrichment_GetDeviceInformation": "Crowdstrike_Enrichment_GetDeviceInformation", + "_Crowdstrike_Enrichment_GetDeviceInformation": "[variables('Crowdstrike_Enrichment_GetDeviceInformation')]", + "Crowdstrike-ResponsefromTeams": "Crowdstrike-ResponsefromTeams", + "_Crowdstrike-ResponsefromTeams": "[variables('Crowdstrike-ResponsefromTeams')]", + "Crowdstrike-Remediation-Host": "Crowdstrike-Remediation-Host", + "_Crowdstrike-Remediation-Host": "[variables('Crowdstrike-Remediation-Host')]", + "sourceId": "azuresentinel.azure-sentinel-solution-crowdstrikefalconep", + "_sourceId": "[variables('sourceId')]" + }, + "resources": [ + { + "id": "[variables('_connector-source')]", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',parameters('connectorName'))]", + "apiVersion": "2021-03-01-preview", + "type": "Microsoft.OperationalInsights/workspaces/providers/dataConnectors", + "kind": "GenericUI", + "properties": { + "connectorUiConfig": { + "title": "CrowdStrike Falcon Endpoint Protection", + "publisher": "CrowdStrike", + "descriptionMarkdown": "The [CrowdStrike Falcon Endpoint Protection](https://www.crowdstrike.com/endpoint-security-products/) connector allows you to easily connect your CrowdStrike Falcon Event Stream with Azure Sentinel, to create custom dashboards, alerts, and improve investigation. This gives you more insight into your organization's endpoints and improves your security operation capabilities.", + "additionalRequirementBanner": "This data connector depends on a parser based on a Kusto Function to work as expected [**CrowdStrikeFalconEventStream**](https://aka.ms/sentinel-crowdstrikefalconendpointprotection-parser) which is deployed with the Azure Sentinel Solution.", + "graphQueriesTableName": "CrowdStrikeFalconEventStream", + "graphQueries": [ + { + "metricName": "Total data received", + "legend": "{{graphQueriesTableName}}", + "baseQuery": "CommonSecurityLog \n| where DeviceVendor == \"CrowdStrike\" and DeviceProduct == \"FalconHost\"" + } + ], + "sampleQueries": [ + { + "description": "Top 10 Hosts with Detections", + "query": "{{graphQueriesTableName}} \n | where EventType == \"DetectionSummaryEvent\" \n| summarize count() by DstHostName \n | top 10 by count_" + }, + { + "description": "Top 10 Users with Detections", + "query": "{{graphQueriesTableName}} \n | where EventType == \"DetectionSummaryEvent\" \n| summarize count() by DstUserName \n | top 10 by count_" + } + ], + "dataTypes": [ + { + "name": "CommonSecurityLog (CrowdStrikeFalconEventStream)", + "lastDataReceivedQuery": "CommonSecurityLog \n| where DeviceVendor == \"CrowdStrike\" and DeviceProduct == \"FalconHost\"\n | summarize Time = max(TimeGenerated)\n | where isnotempty(Time)" + } + ], + "connectivityCriterias": [ + { + "type": "IsConnectedQuery", + "value": [ + "CommonSecurityLog \n| where DeviceVendor == \"CrowdStrike\" and DeviceProduct == \"FalconHost\"\n | summarize LastLogReceived = max(TimeGenerated)\n | project IsConnected = LastLogReceived > ago(30d)" + ] + } + ], + "availability": { + "status": 1, + "isPreview": true + }, + "permissions": { + "resourceProvider": [ + { + "provider": "Microsoft.OperationalInsights/workspaces", + "permissionsDisplayText": "read and write permissions are required.", + "providerDisplayName": "Workspace", + "scope": "Workspace", + "requiredPermissions": { + "read": true, + "write": true, + "delete": true + } + }, + { + "provider": "Microsoft.OperationalInsights/workspaces/sharedKeys", + "permissionsDisplayText": "read permissions to shared keys for the workspace are required. [See the documentation to learn more about workspace keys](https://docs.microsoft.com/azure/azure-monitor/platform/agent-windows#obtain-workspace-id-and-key).", + "providerDisplayName": "Keys", + "scope": "Workspace", + "requiredPermissions": { + "action": true + } + } + ] + }, + "instructionSteps": [ + { + "description": ">**NOTE:** This data connector depends on a parser based on a Kusto Function to work as expected [**CrowdStrikeFalconEventStream**](https://aka.ms/sentinel-crowdstrikefalconendpointprotection-parser) which is deployed with the Azure Sentinel Solution." + }, + { + "title": "1. Linux Syslog agent configuration", + "description": "Install and configure the Linux agent to collect your Common Event Format (CEF) Syslog messages and forward them to Azure Sentinel.\n\n> Notice that the data from all regions will be stored in the selected workspace", + "innerSteps": [ + { + "title": "1.1 Select or create a Linux machine", + "description": "Select or create a Linux machine that Azure Sentinel will use as the proxy between your security solution and Azure Sentinel this machine can be on your on-prem environment, Azure or other clouds." + }, + { + "title": "1.2 Install the CEF collector on the Linux machine", + "description": "Install the Microsoft Monitoring Agent on your Linux machine and configure the machine to listen on the necessary port and forward messages to your Azure Sentinel workspace. The CEF collector collects CEF messages on port 514 TCP.\n\n> 1. Make sure that you have Python on your machine using the following command: python -version.\n\n> 2. You must have elevated permissions (sudo) on your machine.", + "instructions": [ + { + "parameters": { + "fillWith": [ "WorkspaceId", "PrimaryKey" ], + "label": "Run the following command to install and apply the CEF collector:", + "value": "sudo wget -O cef_installer.py https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/DataConnectors/CEF/cef_installer.py&&sudo python cef_installer.py {0} {1}" + }, + "type": "CopyableLabel" + } + ] + } + ] + }, + { + "title": "2. Forward CrowdStrike Falcon Event Stream logs to a Syslog agent", + "description": "Deploy the CrowdStrike Falcon SIEM Collector to forward Syslog messages in CEF format to your Azure Sentinel workspace via the Syslog agent.\n1. [Follow these instructions](https://www.crowdstrike.com/blog/tech-center/integrate-with-your-siem/) to deploy the SIEM Collector and forward syslog\n2. Use the IP address or hostname for the Linux device with the Linux agent installed as the Destination IP address." + }, + { + "title": "3. Validate connection", + "description": "Follow the instructions to validate your connectivity:\n\nOpen Log Analytics to check if the logs are received using the CommonSecurityLog schema.\n\n>It may take about 20 minutes until the connection streams data to your workspace.\n\nIf the logs are not received, run the following connectivity validation script:\n\n> 1. Make sure that you have Python on your machine using the following command: python -version.\n\n> 2. You must have elevated permissions (sudo) on your machine", + "instructions": [ + { + "parameters": { + "fillWith": [ "WorkspaceId" ], + "label": "Run the following command to validate your connectivity:", + "value": "sudo wget -O cef_troubleshoot.py https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/DataConnectors/CEF/cef_troubleshoot.py&&sudo python cef_troubleshoot.py {0}" + }, + "type": "CopyableLabel" + } + ] + }, + { + "title": "4. Secure your machine ", + "description": "Make sure to configure the machine's security according to your organization's security policy\n\n\n[Learn more >](https://aka.ms/SecureCEF)" + } + ] + } + } + }, + { + "id": "[variables('_connector-source-2')]", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',parameters('connectorName-2'))]", + "apiVersion": "2021-03-01-preview", + "type": "Microsoft.OperationalInsights/workspaces/providers/dataConnectors", + "kind": "GenericUI", + "properties": { + "connectorUiConfig": { + "title": "CrowdStrike Falcon Data Replicator", + "publisher": "CrowdStrike", + "descriptionMarkdown": "The [Crowdstrike](https://www.crowdstrike.com/) Falcon Data Replicator connector provides the capability to ingest raw event data from the [Falcon Platform](https://www.crowdstrike.com/blog/tech-center/intro-to-falcon-data-replicator/) events into Azure Sentinel. The connector provides ability to get events from Falcon Agents which helps to examine potential security risks, analyze your team's use of collaboration, diagnose configuration problems and more.", + "additionalRequirementBanner": "These queries and workbooks are dependent on a parser based on a Kusto Function to work as expected [**CrowdstrikeReplicator**](https://aka.ms/sentinel-crowdstrikereplicator-parser) which is deployed with the Azure Sentinel Solution.", + "graphQueriesTableName": "CrowdstrikeReplicatorLogs_CL", + "graphQueries": [ + { + "metricName": "Total data received", + "legend": "CrowdstrikeReplicatorLogs_CL", + "baseQuery": "CrowdstrikeReplicatorLogs_CL" + } + ], + "sampleQueries": [ + { + "description": "Data Replicator - All Activities", + "query": "CrowdstrikeReplicator\n | sort by TimeGenerated desc" + } + ], + "dataTypes": [ + { + "name": "CrowdstrikeReplicatorLogs_CL", + "lastDataReceivedQuery": "CrowdstrikeReplicatorLogs_CL\n | summarize Time = max(TimeGenerated)\n | where isnotempty(Time)" + } + ], + "connectivityCriterias": [ + { + "type": "IsConnectedQuery", + "value": [ + "CrowdstrikeReplicatorLogs_CL\n | summarize LastLogReceived = max(TimeGenerated)\n | project IsConnected = LastLogReceived > ago(30d)" + ] + } + ], + "availability": { + "status": 1, + "isPreview": true + }, + "permissions": { + "resourceProvider": [ + { + "provider": "Microsoft.OperationalInsights/workspaces", + "permissionsDisplayText": "read and write permissions on the workspace are required.", + "providerDisplayName": "Workspace", + "scope": "Workspace", + "requiredPermissions": { + "write": true, + "read": true, + "delete": true + } + }, + { + "provider": "Microsoft.OperationalInsights/workspaces/sharedKeys", + "permissionsDisplayText": "read permissions to shared keys for the workspace are required. [See the documentation to learn more about workspace keys](https://docs.microsoft.com/azure/azure-monitor/platform/agent-windows#obtain-workspace-id-and-key).", + "providerDisplayName": "Keys", + "scope": "Workspace", + "requiredPermissions": { + "action": true + } + } + ], + "customs": [ + { + "name": "Microsoft.Web/sites permissions", + "description": "Read and write permissions to Azure Functions to create a Function App is required. [See the documentation to learn more about Azure Functions](https://docs.microsoft.com/azure/azure-functions/)." + }, + { + "name": "SQS and AWS S3 account credentials/permissions", + "description": "**AWS_SECRET**, **AWS_REGION_NAME**, **AWS_KEY**, **QUEUE_URL** is required. [See the documentation to learn more about data pulling](https://www.crowdstrike.com/blog/tech-center/intro-to-falcon-data-replicator/). To start, contact CrowdStrike support. At your request they will create a CrowdStrike managed Amazon Web Services (AWS) S3 bucket for short term storage purposes as well as a SQS (simple queue service) account for monitoring changes to the S3 bucket." + } + ] + }, + "instructionSteps": [ + { + "description": ">**NOTE:** This connector uses Azure Functions to connect to the S3 bucket to pull logs into Azure Sentinel. This might result in additional data ingestion costs. Check the [Azure Functions pricing page](https://azure.microsoft.com/pricing/details/functions/) for details." + }, + { + "description": ">**(Optional Step)** Securely store workspace and API authorization key(s) or token(s) in Azure Key Vault. Azure Key Vault provides a secure mechanism to store and retrieve key values. [Follow these instructions](https://docs.microsoft.com/azure/app-service/app-service-key-vault-references) to use Azure Key Vault with an Azure Function App." + }, + { + "description": ">**NOTE:** This data connector depends on a parser based on a Kusto Function to work as expected [**CrowdstrikeReplicator**](https://aka.ms/sentinel-crowdstrikereplicator-parser) which is deployed with the Azure Sentinel Solution." + }, + { + "description": "**STEP 1 - Contact CrowdStrike support to obtain the credentials and Queue URL.**\n" + }, + { + "description": "**STEP 2 - Choose ONE from the following two deployment options to deploy the connector and the associated Azure Function**\n\n>**IMPORTANT:** Before deploying the Crowdstrike Falcon Data Replicator connector, have the Workspace ID and Workspace Primary Key (can be copied from the following).", + "instructions": [ + { + "parameters": { + "fillWith": [ + "WorkspaceId" + ], + "label": "Workspace ID" + }, + "type": "CopyableLabel" + }, + { + "parameters": { + "fillWith": [ + "PrimaryKey" + ], + "label": "Primary Key" + }, + "type": "CopyableLabel" + } + ] + }, + { + "title": "Option 1 - Azure Resource Manager (ARM) Template", + "description": "Use this method for automated deployment of the Crowdstrike Falcon Data Replicator connector using an ARM Tempate.\n\n1. Click the **Deploy to Azure** button below. \n\n\t[![Deploy To Azure](https://aka.ms/deploytoazurebutton)](https://aka.ms/sentinel-CrowdstrikeReplicator-azuredeploy)\n2. Select the preferred **AWS_SECRET**, **AWS_REGION_NAME**, **AWS_KEY**, **QUEUE_URL**. \n> **NOTE:** Within the same resource group, you can't mix Windows and Linux apps in the same region. Select existing resource group without Windows apps in it or create new resource group.\n3. Enter the **AWS_SECRET**, **AWS_REGION_NAME**, **AWS_KEY**, **QUEUE_URL** and deploy. \n4. Mark the checkbox labeled **I agree to the terms and conditions stated above**. \n5. Click **Purchase** to deploy." + }, + { + "title": "Option 2 - Manual Deployment of Azure Functions", + "description": "Use the following step-by-step instructions to deploy the Crowdstrike Falcon Data Replicator connector manually with Azure Functions (Deployment via Visual Studio Code)." + }, + { + "description": "**1. Deploy a Function App**\n\n> **NOTE:** You will need to [prepare VS code](https://docs.microsoft.com/azure/azure-functions/functions-create-first-function-python#prerequisites) for Azure function development.\n\n1. Download the [Azure Function App](https://aka.ms/sentinel-CrowdstrikeReplicator-functionapp) file. Extract archive to your local development computer.\n2. Start VS Code. Choose File in the main menu and select Open Folder.\n3. Select the top level folder from extracted files.\n4. Choose the Azure icon in the Activity bar, then in the **Azure: Functions** area, choose the **Deploy to function app** button.\nIf you aren't already signed in, choose the Azure icon in the Activity bar, then in the **Azure: Functions** area, choose **Sign in to Azure**\nIf you're already signed in, go to the next step.\n5. Provide the following information at the prompts:\n\n\ta. **Select folder:** Choose a folder from your workspace or browse to one that contains your function app.\n\n\tb. **Select Subscription:** Choose the subscription to use.\n\n\tc. Select **Create new Function App in Azure** (Don't choose the Advanced option)\n\n\td. **Enter a globally unique name for the function app:** Type a name that is valid in a URL path. The name you type is validated to make sure that it's unique in Azure Functions. (e.g. CrowdstrikeReplicatorXXXXX).\n\n\te. **Select a runtime:** Choose Python 3.8.\n\n\tf. Select a location for new resources. For better performance and lower costs choose the same [region](https://azure.microsoft.com/regions/) where Azure Sentinel is located.\n\n6. Deployment will begin. A notification is displayed after your function app is created and the deployment package is applied.\n7. Go to Azure Portal for the Function App configuration." + }, + { + "description": "**2. Configure the Function App**\n\n1. In the Function App, select the Function App Name and select **Configuration**.\n2. In the **Application settings** tab, select ** New application setting**.\n3. Add each of the following application settings individually, with their respective string values (case-sensitive): \n\t\tAWS_KEY\n\t\tAWS_SECRET\n\t\tAWS_REGION_NAME\n\t\tQUEUE_URL\n\t\tWorkspaceID\n\t\tWorkspaceKey\n\t\tlogAnalyticsUri (optional)\n> - Use logAnalyticsUri to override the log analytics API endpoint for dedicated cloud. For example, for public cloud, leave the value empty; for Azure GovUS cloud environment, specify the value in the following format: `https://.ods.opinsights.azure.us`.\n4. Once all application settings have been entered, click **Save**." + } + ] + } + } + }, + { + "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',parameters('analytic1-id'))]", + "apiVersion": "2020-01-01", + "kind": "Scheduled", + "location": "[parameters('workspace-location')]", + "properties": { + "description": "Creates an incident when a large number of Critical/High severity CrowdStrike Falcon sensor detections is triggered by a single user", + "displayName": "Critical or High Severity Detections by User", + "enabled": false, + "query": "let timeframe = 1h;\n let threshold = 15; // update threshold value based on organization's preference\n let NoteableEvents = CrowdStrikeFalconEventStream\n | where TimeGenerated > ago(timeframe)\n | where EventType == \"DetectionSummaryEvent\"\n | where Severity in (\"Critical\", \"High\")\n | summarize Total = count() by DstUserName\n | where Total > threshold;\n CrowdStrikeFalconEventStream\n | where TimeGenerated > ago(timeframe)\n | where EventType == \"DetectionSummaryEvent\"\n | where Severity in (\"Critical\", \"High\")\n | join kind=inner (NoteableEvents) on DstUserName\n | summarize StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated), Total = count() by DstHostName, SrcIpAddr, DstUserName, FileName, FileHash, Message\n | extend timestamp = StartTimeUtc, AccountCustomEntity = DstUserName, HostCustomEntity = DstHostName, IPCustomEntity = SrcIpAddr, FileHashCustomEntity = FileHash", + "queryFrequency": "PT1H", + "queryPeriod": "PT1H", + "severity": "High", + "suppressionDuration": "PT1H", + "suppressionEnabled": false, + "triggerOperator": "GreaterThan", + "triggerThreshold": 0 + } + }, + { + "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',parameters('analytic2-id'))]", + "apiVersion": "2020-01-01", + "kind": "Scheduled", + "location": "[parameters('workspace-location')]", + "properties": { + "description": "Creates an incident when a CrowdStrike Falcon sensor detection is triggered with a Critical Severity", + "displayName": "Critical Severity Detection", + "enabled": false, + "query": "let timeframe = 1h;\n CrowdStrikeFalconEventStream\n | where TimeGenerated > ago(timeframe)\n | where EventType == \"DetectionSummaryEvent\"\n | where Severity == \"Critical\"\n | summarize StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated), Total = count() by DstHostName, SrcIpAddr, DstUserName, Activity, Technique, FileName, FilePath, FileHash, Message\n | extend timestamp = StartTimeUtc, AccountCustomEntity = DstUserName, HostCustomEntity = DstHostName, IPCustomEntity = SrcIpAddr, FileHashCustomEntity = FileHash", + "queryFrequency": "PT1H", + "queryPeriod": "PT1H", + "severity": "High", + "suppressionDuration": "PT1H", + "suppressionEnabled": false, + "triggerOperator": "GreaterThan", + "triggerThreshold": 0 + } + }, + { + "type": "Microsoft.OperationalInsights/workspaces", + "apiVersion": "2020-08-01", + "name": "[parameters('workspace')]", + "location": "[parameters('workspace-location')]", + "resources": [ + { + "type": "savedSearches", + "apiVersion": "2020-08-01", + "name": "CrowdStrike Falcon Endpoint Protection Parser", + "dependsOn": [ + "[variables('parser-dependency')]" + ], + "properties": { + "eTag": "*", + "displayName": "CrowdStrike Falcon Endpoint Protection Parser", + "category": "Samples", + "functionAlias": "CrowdStrikeFalconEventStream", + "query": "CommonSecurityLog | where DeviceVendor == \"CrowdStrike\" and DeviceProduct == \"FalconHost\" | extend EventType = extract(@\"cat=([^;]+)(\\;|$)\",1,AdditionalExtensions), Outcome = extract(@\"outcome=([^;]+)(\\;|$)\",1,AdditionalExtensions), Technique = extract(@\"reason=([^;]+)(\\;|$)\",1,AdditionalExtensions), PatternDisposition = extract(@\"CSMTRPatternDisposition=([^;]+)(\\;|$)\",1,AdditionalExtensions), SessionStartTime = unixtime_seconds_todatetime(toint(extract(@\"sessionStartTimestamp=([^;]+)(\\;|$)\",1,AdditionalExtensions))), SessionEndTime = unixtime_seconds_todatetime(toint(extract(@\"sessionEndTimestamp=([^;]+)(\\;|$)\",1,AdditionalExtensions))) | extend ParentProcessId = iif(DeviceCustomNumber1Label == \"ParentProcessId\" , DeviceCustomNumber1, toint(\"\")), ChildProcessId = iif(DeviceCustomNumber2Label == \"ProcessId\" , DeviceCustomNumber2, toint(\"\")), Offset = iif(DeviceCustomNumber3Label == \"Offset\", DeviceCustomNumber3, toint(\"\")) | project-away DeviceCustomNumber1Label, DeviceCustomNumber1,DeviceCustomNumber2Label, DeviceCustomNumber2,DeviceCustomNumber3Label, DeviceCustomNumber3 | extend EventTimestamp = iif(DeviceCustomDate1Label == \"Timestamp\", todatetime(DeviceCustomDate1), todatetime(\"\")), ExeWrittenTime = iif(DeviceCustomDate1Label == \"ExeWrittenTimestamp\", todatetime(DeviceCustomDate1), todatetime(\"\")), DnsRequestTime = iif(DeviceCustomDate1Label == \"DNS Request Time\", todatetime(DeviceCustomDate1), todatetime(\"\")), NetworkAccessTime = iif(DeviceCustomDate1Label == \"Network Access Timestamp\", todatetime(DeviceCustomDate1), todatetime(\"\")), DocAccessTime = iif(DeviceCustomDate1Label == \"DocAccessTimestamp\" or DeviceCustomDate1Label == \"Document Accessed Timestamp\", todatetime(DeviceCustomDate1), todatetime(\"\")), HashSpreadingEventTime = iif(DeviceCustomDate2Label == \"HashSpreadingEventTime\", todatetime(DeviceCustomDate2), todatetime(\"\")), HashSpreadingSensorTime = iif(DeviceCustomDate2Label == \"HashSpreadingSensorEventTime\", todatetime(DeviceCustomDate2), todatetime(\"\")) | project-away DeviceCustomDate1Label, DeviceCustomDate1, DeviceCustomDate2Label, DeviceCustomDate2 | extend ScanResultName = iif(DeviceCustomString1Label == \"ScanResultNam\", DeviceCustomString1, \"\"), WrittenExeFileName = iif(DeviceCustomString2Label == \"WrittenExeFileName\", DeviceCustomString2, \"\"), QuarantineFileSHA256 = iif(DeviceCustomString2Label == \"QuarantineFileSHA256\", DeviceCustomString2, \"\"), ScanResultEngine = iif(DeviceCustomString2Label == \"ScanResultEngine\", DeviceCustomString2, \"\"), AccessedDocFileName = iif(DeviceCustomString2Label == \"AccessedDocFileName\", DeviceCustomString2, \"\"), WrittenExeFilePath = iif(DeviceCustomString3Label == \"WrittenExeFilePath\", DeviceCustomString3, \"\"), AccessedDocFilePath = iif(DeviceCustomString3Label == \"AccessedDocFilePath\", DeviceCustomString3, \"\"), QuarantineFilePath = iif(DeviceCustomString3Label == \"QuarantineFilePath\", DeviceCustomString3, \"\"), ScanResultVersion = iif(DeviceCustomString4Label == \"ScanResultVersion\", DeviceCustomString4, \"\"), CommandLine = iif(DeviceCustomString5Label == \"CommandLine\", DeviceCustomString5, \"\"), FalconHostLink = iif(DeviceCustomString6Label == \"FalconHostLink\", DeviceCustomString6, \"\") | project-away DeviceCustomString1Label, DeviceCustomString1, DeviceCustomString2Label, DeviceCustomString2, DeviceCustomString3Label, DeviceCustomString3, DeviceCustomString4Label, DeviceCustomString4, DeviceCustomString5Label, DeviceCustomString5, DeviceCustomString6Label, DeviceCustomString6 | project-rename DstHostName = DestinationHostName, DstNtDomain = DestinationNTDomain, DstUserName = DestinationUserName, DstIpAddr = DestinationTranslatedAddress, SrcMacAddr = SourceMACAddress, SrcIpAddr = SourceIP | extend EventType = iif(DeviceEventClassID == \"DetectionSummaryEvent\" or DeviceEventClassID contains \"Detection Summary Event\", \"DetectionSummaryEvent\", EventType), ReceiptTime = unixtime_milliseconds_todatetime(tolong(ReceiptTime)), SensorId = extract(@\"/detail/([^/]+)\\/\",1,FalconHostLink), Severity = case(LogSeverity == 1, \"Informational\", LogSeverity == 2, \"Low\", LogSeverity == 3, \"Medium\", LogSeverity == 4, \"High\", LogSeverity == 5, \"Critical\", LogSeverity)", + "version": 1 + } + }, + { + "type": "savedSearches", + "apiVersion": "2020-08-01", + "name": "CrowdStrike Replicator Parser", + "dependsOn": [ + "[variables('parser-dependency')]" + ], + "properties": { + "eTag": "*", + "displayName": "CrowdStrike Replicator Parser", + "category": "Samples", + "functionAlias": "CrowdstrikeReplicator", + "query": "let CrowdstrikeReplicatorLogs_view = view () { CrowdstrikeReplicatorLogs_CL | extend EventVendor=\"Crowdstrike\", EventProduct=\"Replicator\", FileMode=column_ifexists('FileMode_s', ''), DeviceSerialNumber=column_ifexists('DeviceSerialNumber_s', ''), IcmpCode=column_ifexists('IcmpCode_s', ''), IcmpType=column_ifexists('IcmpType_s', ''), LastUpdateInstalledTime=column_ifexists('LastUpdateInstalledTime_s', ''), RebootRequired=column_ifexists('RebootRequired_s', ''), PendingUpdateIds=column_ifexists('PendingUpdateIds_s', ''), InstalledUpdateIds=column_ifexists('InstalledUpdateIds_s', ''), InstalledUpdateExtendedStatus=column_ifexists('InstalledUpdateExtendedStatus_s', ''), SupersededUpdateIds=column_ifexists('SupersededUpdateIds_s', ''), ConfigurationDescriptorValue=column_ifexists('ConfigurationDescriptorValue_s', ''), ConfigurationDescriptorAttributes=column_ifexists('ConfigurationDescriptorAttributes_s', ''), DeviceDescriptorUniqueIdentifier=column_ifexists('DeviceDescriptorUniqueIdentifier_s', ''), ConfigurationDescriptorName=column_ifexists('ConfigurationDescriptorName_s', ''), ConfigurationDescriptorNumInterfaces=column_ifexists('ConfigurationDescriptorNumInterfaces_s', ''), ConfigurationDescriptorMaxPowerDraw=column_ifexists('ConfigurationDescriptorMaxPowerDraw_s', ''), ScreenshotsTakenCount=column_ifexists('ScreenshotsTakenCount_s', ''), ExitCode=column_ifexists('ExitCode_s', ''), ParentProcessId=column_ifexists('ParentProcessId_s', ''), DstUserIdentity=column_ifexists('UserSid_s', ''), NetworkListenCount=column_ifexists('NetworkListenCount_s', ''), SuspiciousRawDiskReadCount=column_ifexists('SuspiciousRawDiskReadCount_s', ''), NetworkBindCount=column_ifexists('NetworkBindCount_s', ''), NetworkRecvAcceptCount=column_ifexists('NetworkRecvAcceptCount_s', ''), ContextData=column_ifexists('ContextData_s', ''), Id=column_ifexists('id_g', ''), NewExecutableWrittenCount=column_ifexists('NewExecutableWrittenCount_s', ''), ExeAndServiceCount=column_ifexists('ExeAndServiceCount_s', ''), NetworkCloseCount=column_ifexists('NetworkCloseCount_s', ''), SuspectStackCount=column_ifexists('SuspectStackCount_s', ''), CLICreationCount=column_ifexists('CLICreationCount_s', ''), UnsignedModuleLoadCount=column_ifexists('UnsignedModuleLoadCount_s', ''), UserTime=column_ifexists('UserTime_s', ''), EventMessage=column_ifexists('event_simpleName_s', ''), RawProcessId=column_ifexists('RawProcessId_s', ''), ContextTimeStamp=column_ifexists('ContextTimeStamp_s', ''), AllocateVirtualMemoryCount=column_ifexists('AllocateVirtualMemoryCount_s', ''), ContextProcessId=column_ifexists('ContextProcessId_s', ''), ServiceEventCount=column_ifexists('ServiceEventCount_s', ''), SnapshotFileOpenCount=column_ifexists('SnapshotFileOpenCount_s', ''), RemovableDiskFileWrittenCount=column_ifexists('RemovableDiskFileWrittenCount_s', ''), InjectedDllCount=column_ifexists('InjectedDllCount_s', ''), ModuleLoadCount=column_ifexists('ModuleLoadCount_s', ''), UserMemoryProtectExecutableCount=column_ifexists('UserMemoryProtectExecutableCount_s', ''), NetworkCapableAsepWriteCount=column_ifexists('NetworkCapableAsepWriteCount_s', ''), TargetProcessId=column_ifexists('TargetProcessId_s', ''), DnsRequestCount=column_ifexists('DnsRequestCount_s', ''), ArchiveFileWrittenCount=column_ifexists('ArchiveFileWrittenCount_s', ''), Entitlements=column_ifexists('Entitlements_s', ''), Name=column_ifexists('name_s', ''), ProcessStartTime=column_ifexists('ProcessStartTime_s', ''), SetThreadContextCount=column_ifexists('SetThreadContextCount_s', ''), SuspiciousCredentialModuleLoadCount=column_ifexists('SuspiciousCredentialModuleLoadCount_s', ''), DvcInterfaceGuid=column_ifexists('aid_g', ''), Cid=column_ifexists('cid_g', ''), FileDeletedCount=column_ifexists('FileDeletedCount_s', ''), UserMemoryAllocateExecutableCount=column_ifexists('UserMemoryAllocateExecutableCount_s', ''), DirectoryCreatedCount=column_ifexists('DirectoryCreatedCount_s', ''), NetworkConnectCountUdp=column_ifexists('NetworkConnectCountUdp_s', ''), QueueApcCount=column_ifexists('QueueApcCount_s', ''), ContextThreadId=column_ifexists('ContextThreadId_s', ''), Aip=column_ifexists('aip_s', ''), SuspiciousFontLoadCount=column_ifexists('SuspiciousFontLoadCount_s', ''), ConHostId=column_ifexists('ConHostId_s', ''), NetworkConnectCount=column_ifexists('NetworkConnectCount_s', ''), BinaryExecutableWrittenCount=column_ifexists('BinaryExecutableWrittenCount_s', ''), CycleTime=column_ifexists('CycleTime_s', ''), DvcOs=column_ifexists('event_platform_s', ''), ConHostProcessId=column_ifexists('ConHostProcessId_s', ''), PrivilegedProcessHandleCount=column_ifexists('PrivilegedProcessHandleCount_s', ''), MaxThreadCount=column_ifexists('MaxThreadCount_s', ''), ImageSubsystem=column_ifexists('ImageSubsystem_s', ''), GenericFileWrittenCount=column_ifexists('GenericFileWrittenCount_s', ''), EffectiveTransmissionClass=column_ifexists('EffectiveTransmissionClass_s', ''), ScriptEngineInvocationCount=column_ifexists('ScriptEngineInvocationCount_s', ''), RunDllInvocationCount=column_ifexists('RunDllInvocationCount_s', ''), timestamp=column_ifexists('timestamp_s', ''), CreateProcessCount=column_ifexists('CreateProcessCount_s', ''), KernelTime=column_ifexists('KernelTime_s', ''), DirectoryEnumeratedCount=column_ifexists('DirectoryEnumeratedCount_s', ''), ConfigStateHash=column_ifexists('ConfigStateHash_s', ''), AsepWrittenCount=column_ifexists('AsepWrittenCount_s', ''), SuspiciousDnsRequestCount=column_ifexists('SuspiciousDnsRequestCount_s', ''), DocumentFileWrittenCount=column_ifexists('DocumentFileWrittenCount_s', ''), ProtectVirtualMemoryCount=column_ifexists('ProtectVirtualMemoryCount_s', ''), ProcessHashSha256=column_ifexists('SHA256HashData_s', ''), UserMemoryProtectExecutableRemoteCount=column_ifexists('UserMemoryProtectExecutableRemoteCount_s', ''), ConfigBuild=column_ifexists('ConfigBuild_s', ''), UserMemoryAllocateExecutableRemoteCount=column_ifexists('UserMemoryAllocateExecutableRemoteCount_s', ''), ExecutableDeletedCount=column_ifexists('ExecutableDeletedCount_s', ''), RegKeySecurityDecreasedCount=column_ifexists('RegKeySecurityDecreasedCount_s', ''), InjectedThreadCount=column_ifexists('InjectedThreadCount_s', ''), NetworkModuleLoadCount=column_ifexists('NetworkModuleLoadCount_s', ''), WindowTitle=column_ifexists('WindowTitle_s', ''), ProcessCreateFlags=column_ifexists('ProcessCreateFlags_s', ''), IntegrityLevel=column_ifexists('IntegrityLevel_s', ''), SourceProcessId=column_ifexists('SourceProcessId_s', ''), ProcessHashSha1=column_ifexists('SHA1HashData_s', ''), TokenType=column_ifexists('TokenType_s', ''), ProcessEndTime=column_ifexists('ProcessEndTime_s', ''), AuthenticodeHashData=column_ifexists('AuthenticodeHashData_s', ''), ParentBaseFileName=column_ifexists('ParentBaseFileName_s', ''), SessionId=column_ifexists('SessionId_s', ''), Tags=column_ifexists('Tags_s', ''), ProcessHashMd5=column_ifexists('MD5HashData_g', ''), ProcessSxsFlags=column_ifexists('ProcessSxsFlags_s', ''), AuthenticationId=column_ifexists('AuthenticationId_s', ''), WindowFlags=column_ifexists('WindowFlags_s', ''), ProcessCommandLine=column_ifexists('CommandLine_s', ''), ParentAuthenticationId=column_ifexists('ParentAuthenticationId_s', ''), FileName=column_ifexists('ImageFileName_s', ''), SourceThreadId=column_ifexists('SourceThreadId_s', ''), ProcessParameterFlags=column_ifexists('ProcessParameterFlags_s', ''), SignInfoFlags=column_ifexists('SignInfoFlags_s', ''), ChannelVersion=column_ifexists('ChannelVersion_s', ''), ChannelVersionRequired=column_ifexists('ChannelVersionRequired_s', ''), ChannelId=column_ifexists('ChannelId_s', ''), DnsResponseType=column_ifexists('DnsResponseType_s', ''), IP4Records=column_ifexists('IP4Records_s', ''), CNAMERecords=column_ifexists('CNAMERecords_s', ''), QueryStatus=column_ifexists('QueryStatus_s', ''), InterfaceIndex=column_ifexists('InterfaceIndex_s', ''), DualRequest=column_ifexists('DualRequest_s', ''), FirstIP4Record=column_ifexists('FirstIP4Record_s', ''), UrlDomain=column_ifexists('DomainName_s', ''), RespondingDnsServer=column_ifexists('RespondingDnsServer_s', ''), RequestType=column_ifexists('RequestType_s', ''), FirewallRuleId=column_ifexists('FirewallRuleId_s', ''), Options=column_ifexists('Options_s', ''), MinorFunction=column_ifexists('MinorFunction_s', ''), FileIdentifier=column_ifexists('FileIdentifier_s', ''), Information=column_ifexists('Information_s', ''), ShareAccess=column_ifexists('ShareAccess_s', ''), FileObject=column_ifexists('FileObject_s', ''), FilePermission=column_ifexists('FileAttributes_s', ''), Status=column_ifexists('Status_s', ''), IrpFlags=column_ifexists('IrpFlags_s', ''), MajorFunction=column_ifexists('MajorFunction_s', ''), DesiredAccess=column_ifexists('DesiredAccess_s', ''), OperationFlags=column_ifexists('OperationFlags_s', ''), TargetFileName=column_ifexists('TargetFileName_s', ''), CallStackModuleNamesVersion=column_ifexists('CallStackModuleNamesVersion_s', ''), CsaProcessDataCollectionInstanceId=column_ifexists('CsaProcessDataCollectionInstanceId_s', ''), CallStackModuleNames=column_ifexists('CallStackModuleNames_s', ''), CreateProcessType=column_ifexists('CreateProcessType_s', ''), EtwRawProcessId=column_ifexists('EtwRawProcessId_s', ''), EventMax=column_ifexists('EventMax_s', ''), EtwRawThreadId=column_ifexists('EtwRawThreadId_s', ''), Flags=column_ifexists('Flags_s', ''), EventMin=column_ifexists('EventMin_s', ''), RawThreadId=column_ifexists('RawThreadId_s', ''), SrcIpAddr=column_ifexists('LocalAddressIP4_s', ''), ConnectionFlags=column_ifexists('ConnectionFlags_s', ''), DstIpPort=column_ifexists('RemotePort_s', ''), SrcIpPort=column_ifexists('LocalPort_s', ''), Protocol=column_ifexists('Protocol_s', ''), DstIpAddr=column_ifexists('RemoteAddressIP4_s', ''), ConnectionDirection=column_ifexists('ConnectionDirection_s', ''), InContext=column_ifexists('InContext_s', ''), NetworkContainmentState=column_ifexists('NetworkContainmentState_s', ''), ConfigIDBase=column_ifexists('ConfigIDBase_s', ''), SensorStateBitMap=column_ifexists('SensorStateBitMap_s', ''), ConfigurationVersion=column_ifexists('ConfigurationVersion_s', ''), ConfigIDPlatform=column_ifexists('ConfigIDPlatform_s', ''), ConfigIDBuild=column_ifexists('ConfigIDBuild_s', ''), ProvisionState=column_ifexists('ProvisionState_s', ''), Size=column_ifexists('Size_s', ''), IsOnNetwork=column_ifexists('IsOnNetwork_s', ''), DiskParentDeviceInstanceId=column_ifexists('DiskParentDeviceInstanceId_s', ''), TemporaryFileName=column_ifexists('TemporaryFileName_s', ''), FileEcpBitmask=column_ifexists('FileEcpBitmask_s', ''), IsOnRemovableDisk=column_ifexists('IsOnRemovableDisk_s', ''), ModuleCharacteristics=column_ifexists('ModuleCharacteristics_s', ''), OriginalEventTimeStamp=column_ifexists('OriginalEventTimeStamp_s', ''), MappedFromUserMode=column_ifexists('MappedFromUserMode_s', ''), TreeId=column_ifexists('TreeId_s', ''), PrimaryModule=column_ifexists('PrimaryModule_s', ''), UserIsAdmin=column_ifexists('UserIsAdmin_s', ''), LogoffTime=column_ifexists('LogoffTime_s', ''), LogonTime=column_ifexists('LogonTime_s', ''), LogonDomain=column_ifexists('LogonDomain_s', ''), RemoteAccount=column_ifexists('RemoteAccount_s', ''), UserFlags=column_ifexists('UserFlags_s', ''), LogonServer=column_ifexists('LogonServer_s', ''), DstUserName=column_ifexists('UserName_s', ''), LogonType=column_ifexists('LogonType_s', ''), AuthenticationPackage=column_ifexists('AuthenticationPackage_s', ''), UserPrincipal=column_ifexists('UserPrincipal_s', ''), PasswordLastSet=column_ifexists('PasswordLastSet_s', ''), UserLogoffType=column_ifexists('UserLogoffType_s', ''), UserLogonFlags=column_ifexists('UserLogonFlags_s', ''), Parameter2=column_ifexists('Parameter2_s', ''), Parameter1=column_ifexists('Parameter1_s', ''), Parameter3=column_ifexists('Parameter3_s', ''), Line=column_ifexists('Line_s', ''), ErrorStatus=column_ifexists('ErrorStatus_s', ''), Facility=column_ifexists('Facility_s', ''), File=column_ifexists('File_s', ''), PublicKeys=column_ifexists('PublicKeys_s', ''), HandleCreated=column_ifexists('HandleCreated_s', ''), ExtendedKeyUsages=column_ifexists('ExtendedKeyUsages_s', ''), FileSigningTime=column_ifexists('FileSigningTime_s', ''), Object1Name=column_ifexists('Object1Name_s', ''), Object1Type=column_ifexists('Object1Type_s', ''), Certificate=column_ifexists('Certificate_s', ''), RpcClientProcessId=column_ifexists('RpcClientProcessId_s', ''), SyntheticPR2Flags=column_ifexists('SyntheticPR2Flags_s', ''), MachOSubType=column_ifexists('MachOSubType_s', ''), SessionProcessId=column_ifexists('SessionProcessId_s', ''), SVUID=column_ifexists('SVUID_s', ''), ProcessGroupId=column_ifexists('ProcessGroupId_s', ''), GID=column_ifexists('GID_s', ''), SVGID=column_ifexists('SVGID_s', ''), UID=column_ifexists('UID_s', ''), RGID=column_ifexists('RGID_s', ''), RUID=column_ifexists('RUID_s', ''), NeighborList=column_ifexists('NeighborList_s', ''), DownloadServer=column_ifexists('DownloadServer_s', ''), DownloadPath=column_ifexists('DownloadPath_s', ''), DownloadPort=column_ifexists('DownloadPort_s', ''), CompletionEventId=column_ifexists('CompletionEventId_s', ''), IsTransactedFile=column_ifexists('IsTransactedFile_s', ''), WindowStation=column_ifexists('WindowStation_s', ''), BoundingLimitCount=column_ifexists('BoundingLimitCount_s', ''), ProcessBehaviorBitfield=column_ifexists('ProcessBehaviorBitfield_s', ''), Desktop=column_ifexists('Desktop_s', ''), PatternId=column_ifexists('PatternId_s', ''), ExclusionType=column_ifexists('ExclusionType_s', ''), ExclusionSource=column_ifexists('ExclusionSource_s', ''), DriverLoadFlags=column_ifexists('DriverLoadFlags_s', ''), CompanyName=column_ifexists('CompanyName_s', ''), OriginalFilename=column_ifexists('OriginalFilename_s', ''), FileVersion=column_ifexists('FileVersion_s', ''), GrandParentBaseFileName=column_ifexists('GrandParentBaseFileName_s', ''), ShowWindowFlags=column_ifexists('ShowWindowFlags_s', ''), ThreadStartAddress=column_ifexists('ThreadStartAddress_s', ''), InjectedThreadFlag=column_ifexists('InjectedThreadFlag_s', ''), UserThread=column_ifexists('UserThread_s', ''), TargetThreadModule=column_ifexists('TargetThreadModule_s', ''), TargetThreadId=column_ifexists('TargetThreadId_s', ''), ThreadStartContext=column_ifexists('ThreadStartContext_s', ''), SourceThreadStartAddress=column_ifexists('SourceThreadStartAddress_s', ''), InterfaceGuid=column_ifexists('InterfaceGuid_g', ''), InterfaceVersion=column_ifexists('InterfaceVersion_s', ''), RpcClientThreadId=column_ifexists('RpcClientThreadId_s', ''), TaskXml=column_ifexists('TaskXml_s', ''), TaskAuthor=column_ifexists('TaskAuthor_s', ''), TaskName=column_ifexists('TaskName_s', ''), RpcOpNum=column_ifexists('RpcOpNum_s', ''), TaskExecArguments=column_ifexists('TaskExecArguments_s', ''), TaskExecCommand=column_ifexists('TaskExecCommand_s', ''), RpcNestingLevel=column_ifexists('RpcNestingLevel_s', ''), ErrorLocation=column_ifexists('ErrorLocation_s', ''), ErrorReason=column_ifexists('ErrorReason_s', ''), Parameter64_1=column_ifexists('Parameter64_1_s', ''), ErrorSource=column_ifexists('ErrorSource_s', ''), ParameterSizedBuffer_1=column_ifexists('ParameterSizedBuffer_1_g', ''), ErrorCode=column_ifexists('ErrorCode_s', ''), DeviceProductId=column_ifexists('DeviceProductId_s', ''), DeviceVersion=column_ifexists('DeviceVersion_s', ''), DeviceTimeStamp=column_ifexists('DeviceTimeStamp_s', ''), DeviceInstanceId=column_ifexists('DeviceInstanceId_s', ''), DeviceDescriptorSetHash=column_ifexists('DeviceDescriptorSetHash_s', ''), DeviceVendorId=column_ifexists('DeviceVendorId_s', ''), DeviceManufacturer=column_ifexists('DeviceManufacturer_s', ''), DeviceProduct=column_ifexists('DeviceProduct_s', ''), GroupRid=column_ifexists('GroupRid_s', ''), UserRid=column_ifexists('UserRid_s', ''), DomainSid=column_ifexists('DomainSid_s', ''), LightningLatencyState=column_ifexists('LightningLatencyState_s', ''), UnixMode=column_ifexists('UnixMode_s', ''), VnodeType=column_ifexists('VnodeType_s', ''), TargetDirectoryName=column_ifexists('TargetDirectoryName_s', ''), ApiReturnValue=column_ifexists('ApiReturnValue_s', ''), ServiceDisplayName=column_ifexists('ServiceDisplayName_s', ''), LinkName=column_ifexists('LinkName_s', ''), VersionInfo=column_ifexists('VersionInfo_s', ''), LanguageId=column_ifexists('LanguageId_s', ''), AsepFlags=column_ifexists('AsepFlags_s', ''), RegObjectName=column_ifexists('RegObjectName_s', ''), Data1=column_ifexists('Data1_s', ''), RegOperationType=column_ifexists('RegOperationType_s', ''), ProcessArgs=column_ifexists('TargetCommandLineParameters_s', ''), RegStringValue=column_ifexists('RegStringValue_s', ''), RegType=column_ifexists('RegType_s', ''), AsepClass=column_ifexists('AsepClass_s', ''), AsepIndex=column_ifexists('AsepIndex_s', ''), RegValueName=column_ifexists('RegValueName_s', ''), AsepValueType=column_ifexists('AsepValueType_s', ''), LocalSession=column_ifexists('LocalSession_s', ''), DstDvcHostname=column_ifexists('ClientComputerName_s', ''), PrivilegesBitmask=column_ifexists('PrivilegesBitmask_s', ''), EnabledPrivilegesBitmask=column_ifexists('EnabledPrivilegesBitmask_s', ''), UserGroupsBitmask=column_ifexists('UserGroupsBitmask_s', ''), Timeout=column_ifexists('Timeout_s', ''), ProcessCount=column_ifexists('ProcessCount_s', ''), SuppressType=column_ifexists('SuppressType_s', ''), BoundedCount=column_ifexists('BoundedCount_s', ''), IP6Records=column_ifexists('IP6Records_s', ''), FirstIP6Record=column_ifexists('FirstIP6Record_s', ''), WmiQuery=column_ifexists('WmiQuery_s', ''), WmiNamespaceName=column_ifexists('WmiNamespaceName_s', ''), RegClassificationIndex=column_ifexists('RegClassificationIndex_s', ''), RegClassificationFlags=column_ifexists('RegClassificationFlags_s', ''), RegClassification=column_ifexists('RegClassification_s', ''), SystemTableIndex=column_ifexists('SystemTableIndex_s', ''), ScreenshotType=column_ifexists('ScreenshotType_s', ''), SubStatus=column_ifexists('SubStatus_s', ''), UmppaInjectAbortCount=column_ifexists('UmppaInjectAbortCount_s', ''), UmppaInjectFailedCount=column_ifexists('UmppaInjectFailedCount_s', ''), UmppaInjectionType=column_ifexists('UmppaInjectionType_s', ''), UmppaInjectLoadFailCount=column_ifexists('UmppaInjectLoadFailCount_s', ''), UmppaInjectCfgCheckCount=column_ifexists('UmppaInjectCfgCheckCount_s', ''), UmppaInjectExtensionErrorCount=column_ifexists('UmppaInjectExtensionErrorCount_s', ''), UmppaInjectInvalidThreadCount=column_ifexists('UmppaInjectInvalidThreadCount_s', ''), UmppaInjectFileSectionCount=column_ifexists('UmppaInjectFileSectionCount_s', ''), TotalCount=column_ifexists('TotalCount_s', ''), UmppaInjectLoadErrorCount=column_ifexists('UmppaInjectLoadErrorCount_s', ''), UmppaInjectBadAlertCount=column_ifexists('UmppaInjectBadAlertCount_s', ''), UmppaInjectApcInsertionCount=column_ifexists('UmppaInjectApcInsertionCount_s', ''), UmppaInjectCopyFailCount=column_ifexists('UmppaInjectCopyFailCount_s', ''), FirewallRule=column_ifexists('FirewallRule_s', ''), RegNumericValue=column_ifexists('RegNumericValue_s', ''), VolumeDriveLetter=column_ifexists('VolumeDriveLetter_s', ''), VolumeSnapshotName=column_ifexists('VolumeSnapshotName_s', ''), VolumeName=column_ifexists('VolumeName_s', ''), UserCanonical=column_ifexists('UserCanonical_s', ''), LogonId=column_ifexists('LogonId_s', ''), ConfigStateData=column_ifexists('ConfigStateData_s', ''), FirewallProfile=column_ifexists('FirewallProfile_s', ''), FirewallOption=column_ifexists('FirewallOption_s', ''), FirewallOptionNumericValue=column_ifexists('FirewallOptionNumericValue_s', ''), SmbShareName=column_ifexists('SmbShareName_s', ''), TargetSHA256HashData=column_ifexists('TargetSHA256HashData_s', ''), IsCpuDataCommonOnAllCores=column_ifexists('IsCpuDataCommonOnAllCores_s', ''), SpibarDataFrap=column_ifexists('SpibarDataFrap_s', ''), EfiVariableDbxSha256Hash=column_ifexists('EfiVariableDbxSha256Hash_s', ''), PciConfigDataBgsm=column_ifexists('PciConfigDataBgsm_s', ''), PciConfigDataDpr=column_ifexists('PciConfigDataDpr_s', ''), CpuDataCommonSmrrSupported=column_ifexists('CpuDataCommonSmrrSupported_s', ''), SpibarDataHsfc=column_ifexists('SpibarDataHsfc_s', ''), EfiVariableSecureBoot=column_ifexists('EfiVariableSecureBoot_s', ''), PciConfigDataMesegMask=column_ifexists('PciConfigDataMesegMask_s', ''), PciConfigDataTolud=column_ifexists('PciConfigDataTolud_s', ''), EfiVariableDbxAttributes=column_ifexists('EfiVariableDbxAttributes_s', ''), PciConfigDataPavpc=column_ifexists('PciConfigDataPavpc_s', ''), EfiVariableCustomModeAttributes=column_ifexists('EfiVariableCustomModeAttributes_s', ''), SpibarDataFreg3=column_ifexists('SpibarDataFreg3_s', ''), SpibarDataFreg4=column_ifexists('SpibarDataFreg4_s', ''), SpibarDataFreg1=column_ifexists('SpibarDataFreg1_s', ''), SpibarDataFreg2=column_ifexists('SpibarDataFreg2_s', ''), SpibarDataFreg0=column_ifexists('SpibarDataFreg0_s', ''), EfiSupported=column_ifexists('EfiSupported_s', ''), EfiVariablePkAttributes=column_ifexists('EfiVariablePkAttributes_s', ''), CpuDataCommonPrmrrUncorePhysicalMask=column_ifexists('CpuDataCommonPrmrrUncorePhysicalMask_s', ''), PciConfigDataGenPmconA=column_ifexists('PciConfigDataGenPmconA_s', ''), PciConfigDataTsegmb=column_ifexists('PciConfigDataTsegmb_s', ''), SpibarDataVscc0=column_ifexists('SpibarDataVscc0_s', ''), EfiVariablePkSha256Hash=column_ifexists('EfiVariablePkSha256Hash_s', ''), SpibarDataVscc1=column_ifexists('SpibarDataVscc1_s', ''), CpuDataCommonSmrrPhysicalMask=column_ifexists('CpuDataCommonSmrrPhysicalMask_s', ''), NorthBridgeDeviceId=column_ifexists('NorthBridgeDeviceId_s', ''), IsNorthBridgeSupported=column_ifexists('IsNorthBridgeSupported_s', ''), PciConfigDataTom=column_ifexists('PciConfigDataTom_s', ''), EfiVariableKekSha256Hash=column_ifexists('EfiVariableKekSha256Hash_s', ''), SouthBridgeVendorId=column_ifexists('SouthBridgeVendorId_s', ''), EfiVariableSignatureSupport=column_ifexists('EfiVariableSignatureSupport_s', ''), MmioDataTco1Cnt=column_ifexists('MmioDataTco1Cnt_s', ''), EfiVariableKekAttributes=column_ifexists('EfiVariableKekAttributes_s', ''), FirmwareAnalysisCpuSupported=column_ifexists('FirmwareAnalysisCpuSupported_s', ''), MmioDataSmiEn=column_ifexists('MmioDataSmiEn_s', ''), CpuDataCommonPrmrrUncoreSupported=column_ifexists('CpuDataCommonPrmrrUncoreSupported_s', ''), NorthBridgeVendorId=column_ifexists('NorthBridgeVendorId_s', ''), CpuDataCommonMsrApicBase=column_ifexists('CpuDataCommonMsrApicBase_s', ''), EfiVariableDbAttributes=column_ifexists('EfiVariableDbAttributes_s', ''), SpibarDataPr2=column_ifexists('SpibarDataPr2_s', ''), SpibarDataBfpr=column_ifexists('SpibarDataBfpr_s', ''), SpibarDataPr1=column_ifexists('SpibarDataPr1_s', ''), EfiVariableSecureBootAttributes=column_ifexists('EfiVariableSecureBootAttributes_s', ''), SpibarDataPr0=column_ifexists('SpibarDataPr0_s', ''), IsSouthBridgeSupported=column_ifexists('IsSouthBridgeSupported_s', ''), PciConfigDataHfsts1=column_ifexists('PciConfigDataHfsts1_s', ''), CpuDataCommonMsrFeatureControl=column_ifexists('CpuDataCommonMsrFeatureControl_s', ''), PciConfigDataRemaplimit=column_ifexists('PciConfigDataRemaplimit_s', ''), CpuDataCommonSiliconDebugFeatureControl=column_ifexists('CpuDataCommonSiliconDebugFeatureControl_s', ''), CpuDataCommonSmrrPhysicalBase=column_ifexists('CpuDataCommonSmrrPhysicalBase_s', ''), SouthBridgeDeviceId=column_ifexists('SouthBridgeDeviceId_s', ''), CpuDataCommonPrmrrPhysicalMask=column_ifexists('CpuDataCommonPrmrrPhysicalMask_s', ''), EfiVariableDbSha256Hash=column_ifexists('EfiVariableDbSha256Hash_s', ''), SpibarDataHsfs=column_ifexists('SpibarDataHsfs_s', ''), PciConfigDataRemapbase=column_ifexists('PciConfigDataRemapbase_s', ''), EfiVariableCustomMode=column_ifexists('EfiVariableCustomMode_s', ''), PciConfigDataGgc=column_ifexists('PciConfigDataGgc_s', ''), PciConfigDataTouud=column_ifexists('PciConfigDataTouud_s', ''), SpibarDataPr4=column_ifexists('SpibarDataPr4_s', ''), SpibarDataPr3=column_ifexists('SpibarDataPr3_s', ''), CpuDataCommonPrmrrSupported=column_ifexists('CpuDataCommonPrmrrSupported_s', ''), PciConfigDataSmramc=column_ifexists('PciConfigDataSmramc_s', ''), EfiVariableSignatureSupportAttributes=column_ifexists('EfiVariableSignatureSupportAttributes_s', ''), PciConfigDataBdsm=column_ifexists('PciConfigDataBdsm_s', ''), EfiVariableSetupModeAttributes=column_ifexists('EfiVariableSetupModeAttributes_s', ''), EfiVariableSetupMode=column_ifexists('EfiVariableSetupMode_s', ''), PciConfigDataBiosCntl=column_ifexists('PciConfigDataBiosCntl_s', ''), PciConfigDataMesegBase=column_ifexists('PciConfigDataMesegBase_s', ''), SourceFileName=column_ifexists('SourceFileName_s', ''), NewFileIdentifier=column_ifexists('NewFileIdentifier_s', ''), FeatureVector=column_ifexists('FeatureVector_s', ''), ModelPrediction=column_ifexists('ModelPrediction_s', ''), Malicious=column_ifexists('Malicious_s', ''), FeatureExtractionVersion=column_ifexists('FeatureExtractionVersion_s', ''), FXFileSize=column_ifexists('FXFileSize_s', ''), MLModelVersion=column_ifexists('MLModelVersion_s', ''), FontBufferLength=column_ifexists('FontBufferLength_s', ''), FontFileCount=column_ifexists('FontFileCount_s', ''), FontLoadOperation=column_ifexists('FontLoadOperation_s', ''), FontBuffer=column_ifexists('FontBuffer_s', ''), FontFileName=column_ifexists('FontFileName_s', ''), TemplateInstanceId=column_ifexists('TemplateInstanceId_s', ''), PatternDisposition=column_ifexists('PatternDisposition_s', ''), ServicePackMajor=column_ifexists('ServicePackMajor_s', ''), ProductSku=column_ifexists('ProductSku_s', ''), PointerSize=column_ifexists('PointerSize_s', ''), ProductName=column_ifexists('ProductName_s', ''), AgentVersion=column_ifexists('AgentVersion_s', ''), ServicePackMinor=column_ifexists('ServicePackMinor_s', ''), SuiteMask=column_ifexists('SuiteMask_s', ''), SubBuildNumber=column_ifexists('SubBuildNumber_s', ''), PlatformId=column_ifexists('PlatformId_s', ''), BuildType=column_ifexists('BuildType_s', ''), MajorVersion=column_ifexists('MajorVersion_s', ''), ProductType=column_ifexists('ProductType_s', ''), MinorVersion=column_ifexists('MinorVersion_s', ''), CheckedBuild=column_ifexists('CheckedBuild_s', ''), BuildNumber=column_ifexists('BuildNumber_s', ''), RFMState=column_ifexists('RFMState_s', ''), FirmwareAnalysisEclControlInterfaceVersion=column_ifexists('FirmwareAnalysisEclControlInterfaceVersion_s', ''), FirmwareAnalysisEclConsumerInterfaceVersion=column_ifexists('FirmwareAnalysisEclConsumerInterfaceVersion_s', ''), BootTimeFunctionalityLevel=column_ifexists('BootTimeFunctionalityLevel_s', ''), ReasonOfFunctionalityLevel=column_ifexists('ReasonOfFunctionalityLevel_s', ''), CurrentFunctionalityLevel=column_ifexists('CurrentFunctionalityLevel_s', ''), PciAttachmentState=column_ifexists('PciAttachmentState_s', ''), LocalAddressIP6=column_ifexists('LocalAddressIP6_s', ''), RemoteAddressIP6=column_ifexists('RemoteAddressIP6_s', ''), RegBinaryValue=column_ifexists('RegBinaryValue_s', ''), ServiceDescription=column_ifexists('ServiceDescription_s', ''), ServiceSecurity=column_ifexists('ServiceSecurity_s', ''), ServiceImagePath=column_ifexists('ServiceImagePath_s', ''), ServiceStart=column_ifexists('ServiceStart_s', ''), ServiceType=column_ifexists('ServiceType_s', ''), ServiceFailureActions=column_ifexists('ServiceFailureActions_s', ''), ServiceErrorControl=column_ifexists('ServiceErrorControl_s', ''), SymbolicLinkName=column_ifexists('SymbolicLinkName_s', ''), SymbolicLinkTarget=column_ifexists('SymbolicLinkTarget_s', ''), DevicePropertyClassName=column_ifexists('DevicePropertyClassName_s', ''), DeviceActiveConfigurationNumber=column_ifexists('DeviceActiveConfigurationNumber_s', ''), DevicePropertyClassGuid=column_ifexists('DevicePropertyClassGuid_g', ''), DeviceUsbSubclass=column_ifexists('DeviceUsbSubclass_s', ''), ParentHubInstanceId=column_ifexists('ParentHubInstanceId_s', ''), DeviceConnectionStatus=column_ifexists('DeviceConnectionStatus_s', ''), DeviceUsbClass=column_ifexists('DeviceUsbClass_s', ''), ParentHubPort=column_ifexists('ParentHubPort_s', ''), DevicePropertyManufacturer=column_ifexists('DevicePropertyManufacturer_s', ''), DevicePropertyLocationInformation=column_ifexists('DevicePropertyLocationInformation_s', ''), DeviceProtocol=column_ifexists('DeviceProtocol_s', ''), DevicePropertyDeviceDescription=column_ifexists('DevicePropertyDeviceDescription_s', ''), DeviceUsbVersion=column_ifexists('DeviceUsbVersion_s', ''), ModuleBaseAddress=column_ifexists('ModuleBaseAddress_s', ''), ModuleSize=column_ifexists('ModuleSize_s', ''), IsOnClearCaseMvfs=column_ifexists('IsOnClearCaseMvfs_s', ''), DllCharacteristics=column_ifexists('DllCharacteristics_s', ''), ActiveCpuCount=column_ifexists('ActiveCpuCount_s', ''), MemoryTotal=column_ifexists('MemoryTotal_s', ''), BillingType=column_ifexists('BillingType_s', ''), ConnectionCipher=column_ifexists('ConnectionCipher_s', ''), ConnectType=column_ifexists('ConnectType_s', ''), ConnectionProtocol=column_ifexists('ConnectionProtocol_s', ''), ConnectionHash=column_ifexists('ConnectionHash_s', ''), ConnectTime=column_ifexists('ConnectTime_s', ''), ConnectionHashStrength=column_ifexists('ConnectionHashStrength_s', ''), FailedConnectCount=column_ifexists('FailedConnectCount_s', ''), ConnectionCipherStrength=column_ifexists('ConnectionCipherStrength_s', ''), ConnectionExchangeStrength=column_ifexists('ConnectionExchangeStrength_s', ''), ConnectionExchange=column_ifexists('ConnectionExchange_s', ''), PreviousConnectTime=column_ifexists('PreviousConnectTime_s', ''), FalconServiceServletErrors=column_ifexists('FalconServiceServletErrors_s', ''), FalconServiceComponent=column_ifexists('FalconServiceComponent_s', ''), FalconServiceServletStarts=column_ifexists('FalconServiceServletStarts_s', ''), FalconServiceState=column_ifexists('FalconServiceState_s', ''), ScriptContent=column_ifexists('ScriptContent_s', ''), OriginalContentLength=column_ifexists('OriginalContentLength_s', ''), ScriptingLanguageId=column_ifexists('ScriptingLanguageId_s', ''), ParentImageFileName=column_ifexists('ParentImageFileName_s', ''), GrandparentImageFileName=column_ifexists('GrandparentImageFileName_s', ''), ScriptContentName=column_ifexists('ScriptContentName_s', ''), HostProcessType=column_ifexists('HostProcessType_s', ''), ProcessParentCommandLine=column_ifexists('ParentCommandLine_s', ''), ContentSHA256HashData=column_ifexists('ContentSHA256HashData_s', ''), ProcessGrandparentCommandLine=column_ifexists('GrandparentCommandLine_s', '') | project TimeGenerated, EventVendor, EventProduct, FileMode, DeviceSerialNumber, IcmpCode, IcmpType, LastUpdateInstalledTime, RebootRequired, PendingUpdateIds, InstalledUpdateIds, InstalledUpdateExtendedStatus, SupersededUpdateIds, ConfigurationDescriptorValue, ConfigurationDescriptorAttributes, DeviceDescriptorUniqueIdentifier, ConfigurationDescriptorName, ConfigurationDescriptorNumInterfaces, ConfigurationDescriptorMaxPowerDraw, ScreenshotsTakenCount, ExitCode, ParentProcessId, DstUserIdentity, NetworkListenCount, SuspiciousRawDiskReadCount, NetworkBindCount, NetworkRecvAcceptCount, ContextData, Id, NewExecutableWrittenCount, ExeAndServiceCount, NetworkCloseCount, SuspectStackCount, CLICreationCount, UnsignedModuleLoadCount, UserTime, EventMessage, RawProcessId, ContextTimeStamp, AllocateVirtualMemoryCount, ContextProcessId, ServiceEventCount, SnapshotFileOpenCount, RemovableDiskFileWrittenCount, InjectedDllCount, ModuleLoadCount, UserMemoryProtectExecutableCount, NetworkCapableAsepWriteCount, TargetProcessId, DnsRequestCount, ArchiveFileWrittenCount, Entitlements, Name, ProcessStartTime, SetThreadContextCount, SuspiciousCredentialModuleLoadCount, DvcInterfaceGuid, Cid, FileDeletedCount, UserMemoryAllocateExecutableCount, DirectoryCreatedCount, NetworkConnectCountUdp, QueueApcCount, ContextThreadId, Aip, SuspiciousFontLoadCount, ConHostId, NetworkConnectCount, BinaryExecutableWrittenCount, CycleTime, DvcOs, ConHostProcessId, PrivilegedProcessHandleCount, MaxThreadCount, ImageSubsystem, GenericFileWrittenCount, EffectiveTransmissionClass, ScriptEngineInvocationCount, RunDllInvocationCount, timestamp, CreateProcessCount, KernelTime, DirectoryEnumeratedCount, ConfigStateHash, AsepWrittenCount, SuspiciousDnsRequestCount, DocumentFileWrittenCount, ProtectVirtualMemoryCount, ProcessHashSha256, UserMemoryProtectExecutableRemoteCount, ConfigBuild, UserMemoryAllocateExecutableRemoteCount, ExecutableDeletedCount, RegKeySecurityDecreasedCount, InjectedThreadCount, NetworkModuleLoadCount, WindowTitle, ProcessCreateFlags, IntegrityLevel, SourceProcessId, ProcessHashSha1, TokenType, ProcessEndTime, AuthenticodeHashData, ParentBaseFileName, SessionId, Tags, ProcessHashMd5, ProcessSxsFlags, AuthenticationId, WindowFlags, ProcessCommandLine, ParentAuthenticationId, FileName, SourceThreadId, ProcessParameterFlags, SignInfoFlags, ChannelVersion, ChannelVersionRequired, ChannelId, DnsResponseType, IP4Records, CNAMERecords, QueryStatus, InterfaceIndex, DualRequest, FirstIP4Record, UrlDomain, RespondingDnsServer, RequestType, FirewallRuleId, Options, MinorFunction, FileIdentifier, Information, ShareAccess, FileObject, FilePermission, Status, IrpFlags, MajorFunction, DesiredAccess, OperationFlags, TargetFileName, CallStackModuleNamesVersion, CsaProcessDataCollectionInstanceId, CallStackModuleNames, CreateProcessType, EtwRawProcessId, EventMax, EtwRawThreadId, Flags, EventMin, RawThreadId, SrcIpAddr, ConnectionFlags, DstIpPort, SrcIpPort, Protocol, DstIpAddr, ConnectionDirection, InContext, NetworkContainmentState, ConfigIDBase, SensorStateBitMap, ConfigurationVersion, ConfigIDPlatform, ConfigIDBuild, ProvisionState, Size, IsOnNetwork, DiskParentDeviceInstanceId, TemporaryFileName, FileEcpBitmask, IsOnRemovableDisk, ModuleCharacteristics, OriginalEventTimeStamp, MappedFromUserMode, TreeId, PrimaryModule, UserIsAdmin, LogoffTime, LogonTime, LogonDomain, RemoteAccount, UserFlags, LogonServer, DstUserName, LogonType, AuthenticationPackage, UserPrincipal, PasswordLastSet, UserLogoffType, UserLogonFlags, Parameter2, Parameter1, Parameter3, Line, ErrorStatus, Facility, File, PublicKeys, HandleCreated, ExtendedKeyUsages, FileSigningTime, Object1Name, Object1Type, Certificate, RpcClientProcessId, SyntheticPR2Flags, MachOSubType, SessionProcessId, SVUID, ProcessGroupId, GID, SVGID, UID, RGID, RUID, NeighborList, DownloadServer, DownloadPath, DownloadPort, CompletionEventId, IsTransactedFile, WindowStation, BoundingLimitCount, ProcessBehaviorBitfield, Desktop, PatternId, ExclusionType, ExclusionSource, DriverLoadFlags, CompanyName, OriginalFilename, FileVersion, GrandParentBaseFileName, ShowWindowFlags, ThreadStartAddress, InjectedThreadFlag, UserThread, TargetThreadModule, TargetThreadId, ThreadStartContext, SourceThreadStartAddress, InterfaceGuid, InterfaceVersion, RpcClientThreadId, TaskXml, TaskAuthor, TaskName, RpcOpNum, TaskExecArguments, TaskExecCommand, RpcNestingLevel, ErrorLocation, ErrorReason, Parameter64_1, ErrorSource, ParameterSizedBuffer_1, ErrorCode, DeviceProductId, DeviceVersion, DeviceTimeStamp, DeviceInstanceId, DeviceDescriptorSetHash, DeviceVendorId, DeviceManufacturer, DeviceProduct, GroupRid, UserRid, DomainSid, LightningLatencyState, UnixMode, VnodeType, TargetDirectoryName, ApiReturnValue, ServiceDisplayName, LinkName, VersionInfo, LanguageId, AsepFlags, RegObjectName, Data1, RegOperationType, ProcessArgs, RegStringValue, RegType, AsepClass, AsepIndex, RegValueName, AsepValueType, LocalSession, DstDvcHostname, PrivilegesBitmask, EnabledPrivilegesBitmask, UserGroupsBitmask, Timeout, ProcessCount, SuppressType, BoundedCount, IP6Records, FirstIP6Record, WmiQuery, WmiNamespaceName, RegClassificationIndex, RegClassificationFlags, RegClassification, SystemTableIndex, ScreenshotType, SubStatus, UmppaInjectAbortCount, UmppaInjectFailedCount, UmppaInjectionType, UmppaInjectLoadFailCount, UmppaInjectCfgCheckCount, UmppaInjectExtensionErrorCount, UmppaInjectInvalidThreadCount, UmppaInjectFileSectionCount, TotalCount, UmppaInjectLoadErrorCount, UmppaInjectBadAlertCount, UmppaInjectApcInsertionCount, UmppaInjectCopyFailCount, FirewallRule, RegNumericValue, VolumeDriveLetter, VolumeSnapshotName, VolumeName, UserCanonical, LogonId, ConfigStateData, FirewallProfile, FirewallOption, FirewallOptionNumericValue, SmbShareName, TargetSHA256HashData, IsCpuDataCommonOnAllCores, SpibarDataFrap, EfiVariableDbxSha256Hash, PciConfigDataBgsm, PciConfigDataDpr, CpuDataCommonSmrrSupported, SpibarDataHsfc, EfiVariableSecureBoot, PciConfigDataMesegMask, PciConfigDataTolud, EfiVariableDbxAttributes, PciConfigDataPavpc, EfiVariableCustomModeAttributes, SpibarDataFreg3, SpibarDataFreg4, SpibarDataFreg1, SpibarDataFreg2, SpibarDataFreg0, EfiSupported, EfiVariablePkAttributes, CpuDataCommonPrmrrUncorePhysicalMask, PciConfigDataGenPmconA, PciConfigDataTsegmb, SpibarDataVscc0, EfiVariablePkSha256Hash, SpibarDataVscc1, CpuDataCommonSmrrPhysicalMask, NorthBridgeDeviceId, IsNorthBridgeSupported, PciConfigDataTom, EfiVariableKekSha256Hash, SouthBridgeVendorId, EfiVariableSignatureSupport, MmioDataTco1Cnt, EfiVariableKekAttributes, FirmwareAnalysisCpuSupported, MmioDataSmiEn, CpuDataCommonPrmrrUncoreSupported, NorthBridgeVendorId, CpuDataCommonMsrApicBase, EfiVariableDbAttributes, SpibarDataPr2, SpibarDataBfpr, SpibarDataPr1, EfiVariableSecureBootAttributes, SpibarDataPr0, IsSouthBridgeSupported, PciConfigDataHfsts1, CpuDataCommonMsrFeatureControl, PciConfigDataRemaplimit, CpuDataCommonSiliconDebugFeatureControl, CpuDataCommonSmrrPhysicalBase, SouthBridgeDeviceId, CpuDataCommonPrmrrPhysicalMask, EfiVariableDbSha256Hash, SpibarDataHsfs, PciConfigDataRemapbase, EfiVariableCustomMode, PciConfigDataGgc, PciConfigDataTouud, SpibarDataPr4, SpibarDataPr3, CpuDataCommonPrmrrSupported, PciConfigDataSmramc, EfiVariableSignatureSupportAttributes, PciConfigDataBdsm, EfiVariableSetupModeAttributes, EfiVariableSetupMode, PciConfigDataBiosCntl, PciConfigDataMesegBase, SourceFileName, NewFileIdentifier, FeatureVector, ModelPrediction, Malicious, FeatureExtractionVersion, FXFileSize, MLModelVersion, FontBufferLength, FontFileCount, FontLoadOperation, FontBuffer, FontFileName, TemplateInstanceId, PatternDisposition, ServicePackMajor, ProductSku, PointerSize, ProductName, AgentVersion, ServicePackMinor, SuiteMask, SubBuildNumber, PlatformId, BuildType, MajorVersion, ProductType, MinorVersion, CheckedBuild, BuildNumber, RFMState, FirmwareAnalysisEclControlInterfaceVersion, FirmwareAnalysisEclConsumerInterfaceVersion, BootTimeFunctionalityLevel, ReasonOfFunctionalityLevel, CurrentFunctionalityLevel, PciAttachmentState, LocalAddressIP6, RemoteAddressIP6, RegBinaryValue, ServiceDescription, ServiceSecurity, ServiceImagePath, ServiceStart, ServiceType, ServiceFailureActions, ServiceErrorControl, SymbolicLinkName, SymbolicLinkTarget, DevicePropertyClassName, DeviceActiveConfigurationNumber, DevicePropertyClassGuid, DeviceUsbSubclass, ParentHubInstanceId, DeviceConnectionStatus, DeviceUsbClass, ParentHubPort, DevicePropertyManufacturer, DevicePropertyLocationInformation, DeviceProtocol, DevicePropertyDeviceDescription, DeviceUsbVersion, ModuleBaseAddress, ModuleSize, IsOnClearCaseMvfs, DllCharacteristics, ActiveCpuCount, MemoryTotal, BillingType, ConnectionCipher, ConnectType, ConnectionProtocol, ConnectionHash, ConnectTime, ConnectionHashStrength, FailedConnectCount, ConnectionCipherStrength, ConnectionExchangeStrength, ConnectionExchange, PreviousConnectTime, FalconServiceServletErrors, FalconServiceComponent, FalconServiceServletStarts, FalconServiceState, ScriptContent, OriginalContentLength, ScriptingLanguageId, ParentImageFileName, GrandparentImageFileName, ScriptContentName, HostProcessType, ProcessParentCommandLine, ContentSHA256HashData, ProcessGrandparentCommandLine }; CrowdstrikeReplicatorLogs_view", + "version": 1 + } + } + ] + }, + { + "type": "Microsoft.Insights/workbooks", + "name": "[parameters('workbook1-id')]", + "location": "[parameters('workspace-location')]", + "kind": "shared", + "apiVersion": "2020-02-12", + "properties": { + "displayName": "[concat(parameters('workbook1-name'), ' - ', parameters('formattedTimeNow'))]", + "serializedData": "{\"version\":\"Notebook/1.0\",\"items\":[{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"parameters\":[{\"id\":\"5f6ef388-eba8-456d-a86d-b0e5d13753dc\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"TimeRange\",\"label\":\"Time Range\",\"type\":4,\"isRequired\":true,\"value\":{\"durationMs\":7776000000},\"typeSettings\":{\"selectableValues\":[{\"durationMs\":300000},{\"durationMs\":900000},{\"durationMs\":1800000},{\"durationMs\":3600000},{\"durationMs\":14400000},{\"durationMs\":43200000},{\"durationMs\":86400000},{\"durationMs\":172800000},{\"durationMs\":259200000},{\"durationMs\":604800000},{\"durationMs\":1209600000},{\"durationMs\":2419200000},{\"durationMs\":2592000000},{\"durationMs\":5184000000},{\"durationMs\":7776000000}],\"allowCustom\":true},\"timeContext\":{\"durationMs\":86400000}}],\"style\":\"above\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"name\":\"parameters - 0\"},{\"type\":11,\"content\":{\"version\":\"LinkItem/1.0\",\"style\":\"tabs\",\"links\":[{\"id\":\"e75aea48-9de8-48ca-8420-93fcdda9b996\",\"cellValue\":\"TabName\",\"linkTarget\":\"parameter\",\"linkLabel\":\"Detections\",\"subTarget\":\"Detections\",\"style\":\"link\"},{\"id\":\"e06768ad-90d3-49d2-aa55-bac601c19769\",\"cellValue\":\"TabName\",\"linkTarget\":\"parameter\",\"linkLabel\":\"Authentication\",\"subTarget\":\"Authentication\",\"style\":\"link\"}]},\"name\":\"links - 7\"},{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"parameters\":[{\"id\":\"28302220-bac7-4011-bd0b-b8565627887e\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"Operation\",\"type\":2,\"isRequired\":true,\"multiSelect\":true,\"quote\":\"'\",\"delimiter\":\",\",\"query\":\"CrowdStrikeFalconEventStream\\r\\n| where EventType == \\\"AuthActivityAuditEvent\\\"\\r\\n| distinct Activity\\r\\n| sort by Activity asc\",\"typeSettings\":{\"additionalResourceOptions\":[\"value::all\"]},\"timeContext\":{\"durationMs\":0},\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},{\"id\":\"94066942-9782-41b5-b60d-4ea12fda9a28\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"TargetUserName\",\"label\":\"Target User\",\"type\":2,\"isRequired\":true,\"multiSelect\":true,\"quote\":\"'\",\"delimiter\":\",\",\"query\":\"CrowdStrikeFalconEventStream\\r\\n| where EventType == \\\"AuthActivityAuditEvent\\\"\\r\\n| distinct DstUserName\\r\\n| sort by DstUserName asc\",\"typeSettings\":{\"additionalResourceOptions\":[\"value::all\"]},\"timeContext\":{\"durationMs\":0},\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"}],\"style\":\"above\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"conditionalVisibility\":{\"parameterName\":\"TabName\",\"comparison\":\"isEqualTo\",\"value\":\"Authentication\"},\"name\":\"parameters - 11\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"CrowdStrikeFalconEventStream\\r\\n| where EventType == \\\"AuthActivityAuditEvent\\\"\\r\\n| where Activity in ({Operation}) or '*' in ({Operation})\\r\\n| where DstUserName in ({TargetUserName}) or '*' in ({TargetUserName})\\r\\n| summarize Total = count() by Activity, bin(TimeGenerated, {TimeRange:grain})\\r\\n\",\"size\":0,\"showAnalytics\":true,\"title\":\"Total Events by Operation over Time\",\"timeContext\":{\"durationMs\":7776000000},\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"areachart\"},\"customWidth\":\"75\",\"conditionalVisibility\":{\"parameterName\":\"TabName\",\"comparison\":\"isEqualTo\",\"value\":\"Authentication\"},\"name\":\"query - 2 - Copy\"},{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"parameters\":[{\"id\":\"4d809240-d4ee-4266-adc0-cb05344a2f5a\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"Hostnames\",\"label\":\"Hostname\",\"type\":2,\"isRequired\":true,\"multiSelect\":true,\"quote\":\"'\",\"delimiter\":\",\",\"query\":\"CrowdStrikeFalconEventStream\\r\\n| where EventType == \\\"DetectionSummaryEvent\\\"\\r\\n| distinct DstHostName\\r\\n| sort by DstHostName asc\",\"value\":[\"value::all\"],\"typeSettings\":{\"additionalResourceOptions\":[\"value::all\"],\"showDefault\":false},\"timeContext\":{\"durationMs\":0},\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},{\"version\":\"KqlParameterItem/1.0\",\"name\":\"Usernames\",\"label\":\"Username\",\"type\":2,\"isRequired\":true,\"multiSelect\":true,\"quote\":\"'\",\"delimiter\":\",\",\"query\":\"CrowdStrikeFalconEventStream\\r\\n| where EventType == \\\"DetectionSummaryEvent\\\"\\r\\n| distinct DstUserName\\r\\n| sort by DstUserName asc\",\"value\":[\"value::all\"],\"typeSettings\":{\"additionalResourceOptions\":[\"value::all\"],\"showDefault\":false},\"timeContext\":{\"durationMs\":0},\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"id\":\"3be22ee0-2638-4205-bfb4-ba56f9baee92\"},{\"version\":\"KqlParameterItem/1.0\",\"name\":\"Tactics\",\"label\":\"Tactic\",\"type\":2,\"isRequired\":true,\"multiSelect\":true,\"quote\":\"'\",\"delimiter\":\",\",\"query\":\"CrowdStrikeFalconEventStream\\r\\n| where EventType == \\\"DetectionSummaryEvent\\\"\\r\\n| distinct Activity\\r\\n| sort by Activity asc\",\"value\":[\"value::all\"],\"typeSettings\":{\"additionalResourceOptions\":[\"value::all\"],\"showDefault\":false},\"timeContext\":{\"durationMs\":604800000},\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"id\":\"6c37e6c7-3704-4a9c-a10c-227c1d46b694\"},{\"version\":\"KqlParameterItem/1.0\",\"name\":\"SensorId\",\"label\":\"Sensor ID\",\"type\":2,\"isRequired\":true,\"multiSelect\":true,\"quote\":\"'\",\"delimiter\":\",\",\"query\":\"CrowdStrikeFalconEventStream\\r\\n| where EventType == \\\"DetectionSummaryEvent\\\"\\r\\n| distinct SensorId\\r\\n| sort by SensorId asc\",\"value\":[\"value::all\"],\"typeSettings\":{\"additionalResourceOptions\":[\"value::all\"],\"showDefault\":false},\"timeContext\":{\"durationMs\":0},\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"id\":\"6e7adfa5-99de-4a23-bf94-2322beee79f1\"},{\"version\":\"KqlParameterItem/1.0\",\"name\":\"Severity\",\"type\":2,\"isRequired\":true,\"multiSelect\":true,\"quote\":\"'\",\"delimiter\":\",\",\"query\":\"CrowdStrikeFalconEventStream\\r\\n| where EventType == \\\"DetectionSummaryEvent\\\"\\r\\n| distinct Severity\\r\\n| sort by Severity asc\",\"value\":[\"value::all\"],\"typeSettings\":{\"additionalResourceOptions\":[\"value::all\"],\"showDefault\":false},\"timeContext\":{\"durationMs\":0},\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"id\":\"e3a85e7b-f5ed-43d6-a398-fc1a20bb42f7\"}],\"style\":\"above\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"conditionalVisibility\":{\"parameterName\":\"TabName\",\"comparison\":\"isEqualTo\",\"value\":\"Detections\"},\"name\":\"parameters - 1\"},{\"type\":1,\"content\":{\"json\":\"___\"},\"conditionalVisibility\":{\"parameterName\":\"TabName\",\"comparison\":\"isEqualTo\",\"value\":\"Detections\"},\"name\":\"text - 17\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"CrowdStrikeFalconEventStream\\r\\n| where EventType == \\\"DetectionSummaryEvent\\\"\\r\\n| where DstHostName in ({Hostnames}) or '*' in ({Hostnames})\\r\\n| where DstUserName in ({Usernames}) or '*' in ({Usernames})\\r\\n| where Activity in ({Tactics}) or '*' in ({Tactics})\\r\\n| where SensorId in ({SensorId}) or '*' in ({SensorId})\\r\\n| where Severity in ({Severity}) or '*' in ({Severity})\\r\\n| summarize ['Total Detections'] = count() by EventType\",\"size\":4,\"showAnalytics\":true,\"title\":\"Total Detections\",\"timeContext\":{\"durationMs\":7776000000},\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"tiles\",\"tileSettings\":{\"titleContent\":{\"formatter\":1},\"leftContent\":{\"columnMatch\":\"Total Detections\",\"formatter\":12,\"formatOptions\":{\"palette\":\"none\"},\"numberFormat\":{\"unit\":17,\"options\":{\"style\":\"decimal\",\"useGrouping\":false,\"maximumFractionDigits\":2,\"maximumSignificantDigits\":3}}},\"showBorder\":false}},\"customWidth\":\"30\",\"conditionalVisibility\":{\"parameterName\":\"TabName\",\"comparison\":\"isEqualTo\",\"value\":\"Detections\"},\"name\":\"query - 2 - Copy - Copy - Copy\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"CrowdStrikeFalconEventStream\\r\\n| where EventType == \\\"DetectionSummaryEvent\\\"\\r\\n| where DstHostName in ({Hostnames}) or '*' in ({Hostnames})\\r\\n| where DstUserName in ({Usernames}) or '*' in ({Usernames})\\r\\n| where Activity in ({Tactics}) or '*' in ({Tactics})\\r\\n| where SensorId in ({SensorId}) or '*' in ({SensorId})\\r\\n| where Severity in ({Severity}) or '*' in ({Severity})\\r\\n| summarize Total = dcount(SensorId) by EventType\",\"size\":4,\"showAnalytics\":true,\"title\":\"Number of Sensors\",\"timeContext\":{\"durationMs\":7776000000},\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"tiles\",\"tileSettings\":{\"titleContent\":{\"formatter\":1},\"leftContent\":{\"columnMatch\":\"Total\",\"formatter\":12,\"formatOptions\":{\"palette\":\"none\"},\"numberFormat\":{\"unit\":0,\"options\":{\"style\":\"decimal\",\"useGrouping\":false,\"maximumFractionDigits\":0}}},\"showBorder\":false}},\"customWidth\":\"30\",\"conditionalVisibility\":{\"parameterName\":\"TabName\",\"comparison\":\"isEqualTo\",\"value\":\"Detections\"},\"name\":\"query - 2 - Copy - Copy - Copy - Copy\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"CrowdStrikeFalconEventStream\\r\\n| where EventType == \\\"DetectionSummaryEvent\\\"\\r\\n| where DstHostName in ({Hostnames}) or '*' in ({Hostnames})\\r\\n| where DstUserName in ({Usernames}) or '*' in ({Usernames})\\r\\n| where Activity in ({Tactics}) or '*' in ({Tactics})\\r\\n| where SensorId in ({SensorId}) or '*' in ({SensorId})\\r\\n| where Severity in ({Severity}) or '*' in ({Severity})\\r\\n| summarize Total = count() by Severity\",\"size\":4,\"showAnalytics\":true,\"title\":\"Detection by Severity\",\"timeContext\":{\"durationMs\":7776000000},\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"piechart\",\"chartSettings\":{\"seriesLabelSettings\":[{\"seriesName\":\"High\",\"color\":\"redDark\"},{\"seriesName\":\"Medium\",\"color\":\"orange\"},{\"seriesName\":\"Low\",\"color\":\"blue\"},{\"seriesName\":\"Critical\",\"color\":\"redBright\"}]}},\"customWidth\":\"40\",\"conditionalVisibility\":{\"parameterName\":\"TabName\",\"comparison\":\"isEqualTo\",\"value\":\"Detections\"},\"name\":\"query - 2 - Copy - Copy\"},{\"type\":1,\"content\":{\"json\":\"___\"},\"conditionalVisibility\":{\"parameterName\":\"TabName\",\"comparison\":\"isEqualTo\",\"value\":\"Detections\"},\"name\":\"text - 17 - Copy\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"CrowdStrikeFalconEventStream\\r\\n| where EventType == \\\"DetectionSummaryEvent\\\"\\r\\n| where DstHostName in ({Hostnames}) or '*' in ({Hostnames})\\r\\n| where DstUserName in ({Usernames}) or '*' in ({Usernames})\\r\\n| where Activity in ({Tactics}) or '*' in ({Tactics})\\r\\n| where SensorId in ({SensorId}) or '*' in ({SensorId})\\r\\n| where Severity in ({Severity}) or '*' in ({Severity})\\r\\n| where Severity == \\\"Critical\\\"\\r\\n| summarize Total = count() by TimeGenerated, Severity, DstHostName, DstUserName, Activity, Technique, Message\\r\\n| sort by TimeGenerated desc\\r\\n\",\"size\":1,\"showAnalytics\":true,\"title\":\"Critical Severity Events\",\"timeContext\":{\"durationMs\":7776000000},\"timeContextFromParameter\":\"TimeRange\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"table\",\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"Total\",\"formatter\":8,\"formatOptions\":{\"palette\":\"coldHot\"},\"numberFormat\":{\"unit\":17,\"options\":{\"style\":\"decimal\",\"maximumFractionDigits\":2}}}]}},\"conditionalVisibility\":{\"parameterName\":\"TabName\",\"comparison\":\"isEqualTo\",\"value\":\"Detections\"},\"name\":\"query - 2 - Copy - Copy\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"CrowdStrikeFalconEventStream\\r\\n| where EventType == \\\"DetectionSummaryEvent\\\"\\r\\n| where DstHostName in ({Hostnames}) or '*' in ({Hostnames})\\r\\n| where DstUserName in ({Usernames}) or '*' in ({Usernames})\\r\\n| where Activity in ({Tactics}) or '*' in ({Tactics})\\r\\n| where SensorId in ({SensorId}) or '*' in ({SensorId})\\r\\n| where Severity in ({Severity}) or '*' in ({Severity})\\r\\n| summarize Total = count() by Hostname = DstHostName, ['IP Address'] = SrcIpAddr, bin(TimeGenerated, {TimeRange:grain})\\r\\n\",\"size\":0,\"showAnalytics\":true,\"title\":\"Total Detections by Host over Time\",\"timeContext\":{\"durationMs\":7776000000},\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"unstackedbar\"},\"customWidth\":\"60\",\"conditionalVisibility\":{\"parameterName\":\"TabName\",\"comparison\":\"isEqualTo\",\"value\":\"Detections\"},\"name\":\"query - 2\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"CrowdStrikeFalconEventStream\\r\\n| where EventType == \\\"DetectionSummaryEvent\\\"\\r\\n| where DstHostName in ({Hostnames}) or '*' in ({Hostnames})\\r\\n| where DstUserName in ({Usernames}) or '*' in ({Usernames})\\r\\n| where Activity in ({Tactics}) or '*' in ({Tactics})\\r\\n| where SensorId in ({SensorId}) or '*' in ({SensorId})\\r\\n| where Severity in ({Severity}) or '*' in ({Severity})\\r\\n| summarize Total = count() by Hostname = DstHostName, ['IP Address'] = SrcIpAddr\\r\\n| top 10 by Total desc\\r\\n\",\"size\":0,\"showAnalytics\":true,\"title\":\"Top 10 Hosts\",\"timeContext\":{\"durationMs\":7776000000},\"timeContextFromParameter\":\"TimeRange\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"table\",\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"Total\",\"formatter\":8,\"formatOptions\":{\"palette\":\"coldHot\"},\"numberFormat\":{\"unit\":17,\"options\":{\"style\":\"decimal\",\"maximumFractionDigits\":2}}}]}},\"customWidth\":\"40\",\"conditionalVisibility\":{\"parameterName\":\"TabName\",\"comparison\":\"isEqualTo\",\"value\":\"Detections\"},\"name\":\"query - 2 - Copy\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"CrowdStrikeFalconEventStream\\r\\n| where EventType == \\\"AuthActivityAuditEvent\\\"\\r\\n| where Activity in ({Operation}) or '*' in ({Operation})\\r\\n| where DstUserName in ({TargetUserName}) or '*' in ({TargetUserName})\\r\\n| summarize Total = count() by Activity\\r\\n| sort by Total desc\",\"size\":0,\"showAnalytics\":true,\"title\":\"Total Events by Operation\",\"timeContext\":{\"durationMs\":7776000000},\"timeContextFromParameter\":\"TimeRange\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"table\",\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"Total\",\"formatter\":8,\"formatOptions\":{\"palette\":\"coldHot\"},\"numberFormat\":{\"unit\":17,\"options\":{\"style\":\"decimal\",\"useGrouping\":true,\"maximumFractionDigits\":2}}}]}},\"customWidth\":\"25\",\"conditionalVisibility\":{\"parameterName\":\"TabName\",\"comparison\":\"isEqualTo\",\"value\":\"Authentication\"},\"name\":\"query - 2 - Copy - Copy\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"CrowdStrikeFalconEventStream\\r\\n| where EventType == \\\"AuthActivityAuditEvent\\\"\\r\\n| where Activity in ({Operation}) or '*' in ({Operation})\\r\\n| where DstUserName in ({TargetUserName}) or '*' in ({TargetUserName})\\r\\n| where Outcome == \\\"false\\\"\\r\\n| summarize Total = count() by TimeGenerated, Activity, ['Target Username'] = DstUserName, ['IP Address'] = DstIpAddr\\r\\n| sort by TimeGenerated desc\",\"size\":0,\"showAnalytics\":true,\"title\":\"Failed Events\",\"timeContext\":{\"durationMs\":7776000000},\"timeContextFromParameter\":\"TimeRange\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"table\",\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"Total\",\"formatter\":8,\"formatOptions\":{\"palette\":\"coldHot\"},\"numberFormat\":{\"unit\":17,\"options\":{\"style\":\"decimal\",\"useGrouping\":true,\"maximumFractionDigits\":2}}}]}},\"customWidth\":\"100\",\"conditionalVisibility\":{\"parameterName\":\"TabName\",\"comparison\":\"isEqualTo\",\"value\":\"Authentication\"},\"name\":\"query - 2 - Copy - Copy - Copy\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"CrowdStrikeFalconEventStream\\r\\n| where EventType == \\\"AuthActivityAuditEvent\\\"\\r\\n| where Activity in ({Operation}) or '*' in ({Operation})\\r\\n| where DstUserName in ({TargetUserName}) or '*' in ({TargetUserName})\\r\\n| where Outcome == \\\"false\\\"\\r\\n| summarize Total = count() by User = DstUserName\\r\\n| sort by Total desc\",\"size\":0,\"showAnalytics\":true,\"title\":\"Total Failed Events by User\",\"timeContext\":{\"durationMs\":7776000000},\"timeContextFromParameter\":\"TimeRange\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"table\",\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"Total\",\"formatter\":8,\"formatOptions\":{\"palette\":\"coldHot\"},\"numberFormat\":{\"unit\":17,\"options\":{\"style\":\"decimal\",\"useGrouping\":true,\"maximumFractionDigits\":2}}}]}},\"customWidth\":\"50\",\"conditionalVisibility\":{\"parameterName\":\"TabName\",\"comparison\":\"isEqualTo\",\"value\":\"Authentication\"},\"name\":\"query - 2 - Copy - Copy - Copy\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"CrowdStrikeFalconEventStream\\r\\n| where EventType == \\\"AuthActivityAuditEvent\\\"\\r\\n| where Activity in ({Operation}) or '*' in ({Operation})\\r\\n| where DstUserName in ({TargetUserName}) or '*' in ({TargetUserName})\\r\\n| where Outcome == \\\"false\\\"\\r\\n| summarize Total = count() by ['IP Address'] = DstIpAddr\\r\\n| sort by Total desc\",\"size\":0,\"showAnalytics\":true,\"title\":\"Total Failed Events by IP Address\",\"timeContext\":{\"durationMs\":7776000000},\"timeContextFromParameter\":\"TimeRange\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"table\",\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"Total\",\"formatter\":8,\"formatOptions\":{\"palette\":\"coldHot\"},\"numberFormat\":{\"unit\":17,\"options\":{\"style\":\"decimal\",\"useGrouping\":true,\"maximumFractionDigits\":2}}}]}},\"customWidth\":\"50\",\"conditionalVisibility\":{\"parameterName\":\"TabName\",\"comparison\":\"isEqualTo\",\"value\":\"Authentication\"},\"name\":\"query - 2 - Copy - Copy - Copy - Copy\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"CrowdStrikeFalconEventStream\\r\\n| where EventType == \\\"DetectionSummaryEvent\\\"\\r\\n| where DstHostName in ({Hostnames}) or '*' in ({Hostnames})\\r\\n| where DstUserName in ({Usernames}) or '*' in ({Usernames})\\r\\n| where Activity in ({Tactics}) or '*' in ({Tactics})\\r\\n| where SensorId in ({SensorId}) or '*' in ({SensorId})\\r\\n| where Severity in ({Severity}) or '*' in ({Severity})\\r\\n| summarize Total = count() by DstUserName, bin(TimeGenerated, {TimeRange:grain})\\r\\n\",\"size\":0,\"showAnalytics\":true,\"title\":\"Total Detections by User over Time\",\"timeContext\":{\"durationMs\":7776000000},\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"unstackedbar\"},\"customWidth\":\"60\",\"conditionalVisibility\":{\"parameterName\":\"TabName\",\"comparison\":\"isEqualTo\",\"value\":\"Detections\"},\"name\":\"query - 2 - Copy\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"CrowdStrikeFalconEventStream\\r\\n| where EventType == \\\"DetectionSummaryEvent\\\"\\r\\n| where DstHostName in ({Hostnames}) or '*' in ({Hostnames})\\r\\n| where DstUserName in ({Usernames}) or '*' in ({Usernames})\\r\\n| where Activity in ({Tactics}) or '*' in ({Tactics})\\r\\n| where SensorId in ({SensorId}) or '*' in ({SensorId})\\r\\n| where Severity in ({Severity}) or '*' in ({Severity})\\r\\n| summarize Total = count() by Username = DstUserName\\r\\n| top 10 by Total desc\\r\\n\",\"size\":0,\"showAnalytics\":true,\"title\":\"Top 10 Users\",\"timeContext\":{\"durationMs\":7776000000},\"timeContextFromParameter\":\"TimeRange\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"table\",\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"Total\",\"formatter\":8,\"formatOptions\":{\"palette\":\"coldHot\"},\"numberFormat\":{\"unit\":17,\"options\":{\"style\":\"decimal\",\"useGrouping\":false,\"maximumFractionDigits\":2}}}]}},\"customWidth\":\"40\",\"conditionalVisibility\":{\"parameterName\":\"TabName\",\"comparison\":\"isEqualTo\",\"value\":\"Detections\"},\"name\":\"query - 2 - Copy - Copy\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"CrowdStrikeFalconEventStream\\r\\n| where EventType == \\\"DetectionSummaryEvent\\\"\\r\\n| where DstHostName in ({Hostnames}) or '*' in ({Hostnames})\\r\\n| where DstUserName in ({Usernames}) or '*' in ({Usernames})\\r\\n| where Activity in ({Tactics}) or '*' in ({Tactics})\\r\\n| where SensorId in ({SensorId}) or '*' in ({SensorId})\\r\\n| where Severity in ({Severity}) or '*' in ({Severity})\\r\\n| summarize Total = count() by FileName, FilePath, Tactic = Activity\\r\\n| top 10 by Total desc\\r\\n\",\"size\":0,\"showAnalytics\":true,\"title\":\"File-Based Detections\",\"timeContext\":{\"durationMs\":7776000000},\"timeContextFromParameter\":\"TimeRange\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"table\",\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"Total\",\"formatter\":8,\"formatOptions\":{\"palette\":\"coldHot\"},\"numberFormat\":{\"unit\":17,\"options\":{\"style\":\"decimal\",\"useGrouping\":false,\"maximumFractionDigits\":2}}}],\"filter\":true}},\"customWidth\":\"60\",\"conditionalVisibility\":{\"parameterName\":\"TabName\",\"comparison\":\"isEqualTo\",\"value\":\"Detections\"},\"name\":\"query - 15\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"CrowdStrikeFalconEventStream\\r\\n| where EventType == \\\"DetectionSummaryEvent\\\"\\r\\n| where DstHostName in ({Hostnames}) or '*' in ({Hostnames})\\r\\n| where DstUserName in ({Usernames}) or '*' in ({Usernames})\\r\\n| where Activity in ({Tactics}) or '*' in ({Tactics})\\r\\n| where SensorId in ({SensorId}) or '*' in ({SensorId})\\r\\n| where Severity in ({Severity}) or '*' in ({Severity})\\r\\n| summarize Total = count() by FileName, bin(TimeGenerated, {TimeRange:grain})\\r\\n\",\"size\":0,\"showAnalytics\":true,\"title\":\"File-Based Detections over Time\",\"timeContext\":{\"durationMs\":7776000000},\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"unstackedbar\",\"gridSettings\":{\"filter\":true}},\"customWidth\":\"40\",\"conditionalVisibility\":{\"parameterName\":\"TabName\",\"comparison\":\"isEqualTo\",\"value\":\"Detections\"},\"name\":\"query - 15 - Copy\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"CrowdStrikeFalconEventStream\\r\\n| where EventType == \\\"DetectionSummaryEvent\\\"\\r\\n| where DstHostName in ({Hostnames}) or '*' in ({Hostnames})\\r\\n| where DstUserName in ({Usernames}) or '*' in ({Usernames})\\r\\n| where Activity in ({Tactics}) or '*' in ({Tactics})\\r\\n| where SensorId in ({SensorId}) or '*' in ({SensorId})\\r\\n| where Severity in ({Severity}) or '*' in ({Severity})\\r\\n| summarize Total = count() by Activity, bin(TimeGenerated, {TimeRange:grain})\\r\\n\",\"size\":0,\"showAnalytics\":true,\"title\":\"Total Detections by Tactics over Time\",\"timeContext\":{\"durationMs\":7776000000},\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"unstackedbar\"},\"customWidth\":\"60\",\"conditionalVisibility\":{\"parameterName\":\"TabName\",\"comparison\":\"isEqualTo\",\"value\":\"Detections\"},\"name\":\"query - 2 - Copy - Copy\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"CrowdStrikeFalconEventStream\\r\\n| where EventType == \\\"DetectionSummaryEvent\\\"\\r\\n| where DstHostName in ({Hostnames}) or '*' in ({Hostnames})\\r\\n| where DstUserName in ({Usernames}) or '*' in ({Usernames})\\r\\n| where Activity in ({Tactics}) or '*' in ({Tactics})\\r\\n| where SensorId in ({SensorId}) or '*' in ({SensorId})\\r\\n| where Severity in ({Severity}) or '*' in ({Severity})\\r\\n| summarize Total = count() by Activity\\r\\n| top 10 by Total desc\\r\\n\",\"size\":0,\"showAnalytics\":true,\"title\":\"Detections by Tactics\",\"timeContext\":{\"durationMs\":7776000000},\"timeContextFromParameter\":\"TimeRange\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"table\",\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"Total\",\"formatter\":8,\"formatOptions\":{\"palette\":\"coldHot\"},\"numberFormat\":{\"unit\":17,\"options\":{\"style\":\"decimal\",\"useGrouping\":false,\"maximumFractionDigits\":2}}}]},\"tileSettings\":{\"showBorder\":false,\"titleContent\":{\"columnMatch\":\"Activity\",\"formatter\":1},\"leftContent\":{\"columnMatch\":\"Total\",\"formatter\":12,\"formatOptions\":{\"palette\":\"auto\"},\"numberFormat\":{\"unit\":17,\"options\":{\"maximumSignificantDigits\":3,\"maximumFractionDigits\":2}}}}},\"customWidth\":\"40\",\"conditionalVisibility\":{\"parameterName\":\"TabName\",\"comparison\":\"isEqualTo\",\"value\":\"Detections\"},\"name\":\"query - 2 - Copy - Copy - Copy\"}],\"isLocked\":false,\"fallbackResourceIds\":[\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourcegroups/eco-connector-test/providers/microsoft.operationalinsights/workspaces/eco-connector-test\"],\"fromTemplateId\":\"sentinel-UserWorkbook\"}", + "version": "1.0", + "sourceId": "[variables('_workbook-source')]", + "category": "sentinel" + } + }, + { + "type": "Microsoft.Web/connections", + "apiVersion": "2018-07-01-preview", + "name": "[variables('playbook1-keyvault_Connection_Name')]", + "location": "[parameters('workspace-location')]", + "properties": { + "api": { + "id": "[variables('_playbook-1-connection-2')]" + }, + "displayName": "[variables('playbook1-keyvault_Connection_Name')]", + "parameterValueType": "Alternative", + "AlternativeParameterValues": { + "vaultName": "[parameters('playbook1-keyvault_Name')]" + } + } + }, + { + "type": "Microsoft.Logic/workflows", + "apiVersion": "2019-05-01", + "name": "[parameters('playbook1-LogicAppName')]", + "location": "[parameters('workspace-location')]", + "dependsOn": [ + "[resourceId('Microsoft.Web/connections', variables('playbook1-keyvault_Connection_Name'))]" + ], + "tags": { + "displayName": "[parameters('playbook1-LogicAppName')]" + }, + "identity": { + "type": "SystemAssigned" + }, + "properties": { + "state": "Enabled", + "definition": { + "$schema": "https://schema.@{variables('azureManagementUrl')}/providers/Microsoft.Logic/schemas/2016-06-01/workflowdefinition.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "$connections": { + "type": "Object" + } + }, + "triggers": { + "manual": { + "type": "Request", + "kind": "Http" + } + }, + "actions": { + "Get_secret_-_Client_ID": { + "runAfter": { + "Initialize_variable_ClientSecret": [ + "Succeeded" + ] + }, + "type": "ApiConnection", + "inputs": { + "host": { + "connection": { + "name": "@parameters('$connections')['keyvault']['connectionId']" + } + }, + "method": "get", + "path": "/secrets/@{encodeURIComponent(variables('ClientID'))}/value" + }, + "description": "This gets the secret Client Id from the keyvault", + "runtimeConfiguration": { + "secureData": { + "properties": [ + "inputs", + "outputs" + ] + } + } + }, + "Get_secret_-_Client_Secret": { + "runAfter": { + "Get_secret_-_Client_ID": [ + "Succeeded" + ] + }, + "type": "ApiConnection", + "inputs": { + "host": { + "connection": { + "name": "@parameters('$connections')['keyvault']['connectionId']" + } + }, + "method": "get", + "path": "/secrets/@{encodeURIComponent(variables('ClientSecret'))}/value" + }, + "description": "This gets the Clientsecret from the keyvault", + "runtimeConfiguration": { + "secureData": { + "properties": [ + "inputs", + "outputs" + ] + } + } + }, + "HTTP_-_Get_Access_Token": { + "runAfter": { + "Initialize_variable_Falcon_Host_URL": [ + "Succeeded" + ] + }, + "type": "Http", + "inputs": { + "body": "client_id=@{body('Get_secret_-_Client_ID')?['value']}&client_secret=@{body('Get_secret_-_Client_Secret')?['value']}", + "headers": { + "Content-Type": "application/x-www-form-urlencoded", + "accept": "application/json" + }, + "method": "POST", + "uri": "@{variables('FalconHost')}/oauth2/token" + }, + "description": "This calls the crowdstrike to generate the access token", + "runtimeConfiguration": { + "secureData": { + "properties": [ + "inputs", + "outputs" + ] + } + } + }, + "Initialize_variable_ClientID": { + "type": "InitializeVariable", + "inputs": { + "variables": [ + { + "name": "ClientID", + "type": "string", + "value": "[parameters('playbook1-ClientID')]" + } + ] + } + }, + "Initialize_variable_ClientSecret": { + "runAfter": { + "Initialize_variable_ClientID": [ + "Succeeded" + ] + }, + "type": "InitializeVariable", + "inputs": { + "variables": [ + { + "name": "ClientSecret", + "type": "string", + "value": "[parameters('playbook1-ClientSecret')]" + } + ] + } + }, + "Initialize_variable_Falcon_Host_URL": { + "runAfter": { + "Get_secret_-_Client_Secret": [ + "Succeeded" + ] + }, + "type": "InitializeVariable", + "inputs": { + "variables": [ + { + "name": "FalconHost", + "type": "string", + "value": "[parameters('playbook1-Service_Endpoint')]" + } + ] + }, + "description": "This is to hold the Falcon Host URL" + }, + "Parse_JSON_-_Access_Token_Response": { + "runAfter": { + "HTTP_-_Get_Access_Token": [ + "Succeeded" + ] + }, + "type": "ParseJson", + "inputs": { + "content": "@body('HTTP_-_Get_Access_Token')", + "schema": { + "properties": { + "access_token": { + "type": "string" + }, + "expires_in": { + "type": "integer" + }, + "token_type": { + "type": "string" + } + }, + "type": "object" + } + }, + "description": "prepare json format for get access token response", + "runtimeConfiguration": { + "secureData": { + "properties": [ + "inputs" + ] + } + } + }, + "Response": { + "runAfter": { + "Parse_JSON_-_Access_Token_Response": [ + "Succeeded" + ] + }, + "type": "Response", + "kind": "Http", + "inputs": { + "body": { + "AccessToken": "Bearer @{body('Parse_JSON_-_Access_Token_Response')?['access_token']}", + "FalconHost": "@{variables('FalconHost')}" + }, + "statusCode": 200 + }, + "description": "This holds the access token and falcon host URL" + } + } + }, + "parameters": { + "$connections": { + "value": { + "keyvault": { + "id": "[concat(subscription().id, '/providers/Microsoft.Web/locations/', parameters('workspace-location'), '/managedApis/', 'keyvault')]", + "connectionId": "[resourceId('Microsoft.Web/connections', variables('playbook1-keyvault_Connection_Name'))]", + "connectionName": "[variables('playbook1-keyvault_Connection_Name')]", + "connectionProperties": { + "authentication": { + "type": "ManagedServiceIdentity" + } + } + } + } + } + } + } + }, + { + "type": "Microsoft.Web/connections", + "apiVersion": "2018-07-01-preview", + "name": "[variables('playbook2-AzureSentinelConnectionName')]", + "location": "[parameters('workspace-location')]", + "properties": { + "api": { + "id": "[variables('_playbook-2-connection-2')]" + } + } + }, + { + "type": "Microsoft.Logic/workflows", + "apiVersion": "2019-05-01", + "name": "[parameters('playbook2-Playbook_Name')]", + "location": "[parameters('workspace-location')]", + "dependsOn": [ + "[resourceId('Microsoft.Web/connections', variables('playbook2-AzureSentinelConnectionName'))]", + "[resourceId('Microsoft.Logic/workflows', parameters('playbook1-LogicAppName'))]" + ], + "tags": { + "displayName": "[parameters('playbook2-Playbook_Name')]" + }, + "properties": { + "state": "Enabled", + "definition": { + "$schema": "https://schema.@{variables('azureManagementUrl')}/providers/Microsoft.Logic/schemas/2016-06-01/workflowdefinition.json#", + "actions": { + "Add_comment_to_incident_(V3)": { + "type": "ApiConnection", + "inputs": { + "host": { + "connection": { + "name": "@parameters('$connections')['azuresentinel']['connectionId']" + } + }, + "method": "post", + "body": { + "incidentArmId": "@triggerBody()?['object']?['id']", + "message": "

@{outputs('Compose_image_to_add_in_the_incident')}CrowdStrike_ContainHost playbook run results:

@{variables('Comment')}

" + }, + "path": "/Incidents/Comment" + }, + "runAfter": { + "Compose_image_to_add_in_the_incident": [ + "Succeeded" + ] + }, + "description": "This adds comments to the azure sentinel incident" + }, + "Compose_image_to_add_in_the_incident": { + "type": "Compose", + "inputs": "", + "runAfter": { + "Condition_to_check_if_device_is_present_in_falcon_host_crowdstrike": [ + "Succeeded" + ] + }, + "description": "This composes the crowd strike image to comment in the incident" + }, + "Condition_to_check_if_crowdstrike_action_is_successful": { + "type": "If", + "expression": { + "and": [ + { + "equals": [ + "@variables('Successfromcrowdstike')", + "Success" + ] + } + ] + }, + "actions": { + "Update_incident": { + "type": "ApiConnection", + "inputs": { + "host": { + "connection": { + "name": "@parameters('$connections')['azuresentinel']['connectionId']" + } + }, + "method": "put", + "body": { + "incidentArmId": "@triggerBody()?['object']?['id']", + "status": "Closed", + "classification": { + "ClassificationAndReason": "Benign Positive - Suspicious But Expected", + "ClassificationReasonText": "CrowdStrike_ContainHost playbook ran and closed this incident" + } + }, + "path": "/Incidents" + } + } + }, + "runAfter": { + "Add_comment_to_incident_(V3)": [ + "Succeeded" + ] + }, + "description": "This checks if crowdstrike action is successful or not" + }, + "Condition_to_check_if_device_is_present_in_falcon_host_crowdstrike": { + "type": "If", + "expression": { + "and": [ + { + "not": { + "equals": [ + "@body('Parse_JSON_Get_device_id_response')?['resources']?[0]", + "@null" + ] + } + } + ] + }, + "actions": { + "Append_to_string_variable_comment_for_device_information": { + "type": "AppendToStringVariable", + "inputs": { + "name": "Comment", + "value": "Devices information from crowdstrike: @{body('Create_HTML_table_for_device_information')}" + }, + "runAfter": { + "Create_HTML_table_for_device_information": [ + "Succeeded" + ] + }, + "description": "Append html format of device information to comment in the incident" + }, + "Create_HTML_table_for_device_information": { + "type": "Table", + "inputs": { + "from": "@body('Parse_JSON_device_information_response')?['resources']", + "format": "HTML", + "columns": [ + { + "header": "device_id", + "value": "@item()?['device_id']" + }, + { + "header": "external_ip", + "value": "@item()?['external_ip']" + }, + { + "header": "mac_address", + "value": "@item()?['mac_address']" + }, + { + "header": "hostname", + "value": "@item()?['hostname']" + }, + { + "header": "first_seen", + "value": "@item()?['first_seen']" + }, + { + "header": "last_seen", + "value": "@item()?['last_seen']" + }, + { + "header": "local_ip", + "value": "@item()?['local_ip']" + }, + { + "header": "machine_domain", + "value": "@item()?['machine_domain']" + }, + { + "header": "os_version", + "value": "@item()?['os_version']" + } + ] + }, + "runAfter": { + "Parse_JSON_device_information_response": [ + "Succeeded" + ] + }, + "description": "prepare HTML table format to update in the incident" + }, + "HTTP_-_Get_device_information_": { + "type": "Http", + "inputs": { + "method": "GET", + "uri": "@{body('CrowdStrike_Base')?['FalconHost']}/devices/entities/devices/v1?ids=@{body('Parse_JSON_Get_device_id_response')?['resources']?[0]}", + "headers": { + "Accept": "application/json", + "Authorization": "@{body('CrowdStrike_Base')?['AccessToken']}", + "Content-Type": "application/json" + } + }, + "description": "This gets the device information from crowdstrike" + }, + "Parse_JSON_device_information_response": { + "type": "ParseJson", + "inputs": { + "content": "@body('HTTP_-_Get_device_information_')", + "schema": { + "properties": { + "errors": { + "type": "array" + }, + "meta": { + "properties": { + "powered_by": { + "type": "string" + }, + "query_time": { + "type": "number" + }, + "trace_id": { + "type": "string" + } + }, + "type": "object" + }, + "resources": { + "items": { + "properties": { + "agent_load_flags": { + "type": "string" + }, + "agent_local_time": { + "type": "string" + }, + "agent_version": { + "type": "string" + }, + "bios_manufacturer": { + "type": "string" + }, + "bios_version": { + "type": "string" + }, + "build_number": { + "type": "string" + }, + "cid": { + "type": "string" + }, + "config_id_base": { + "type": "string" + }, + "config_id_build": { + "type": "string" + }, + "config_id_platform": { + "type": "string" + }, + "cpu_signature": { + "type": "string" + }, + "device_id": { + "type": "string" + }, + "device_policies": { + "properties": { + "device_control": { + "properties": { + "applied": { + "type": "boolean" + }, + "applied_date": { + "type": "string" + }, + "assigned_date": { + "type": "string" + }, + "policy_id": { + "type": "string" + }, + "policy_type": { + "type": "string" + } + }, + "type": "object" + }, + "firewall": { + "properties": { + "applied": { + "type": "boolean" + }, + "applied_date": { + "type": "string" + }, + "assigned_date": { + "type": "string" + }, + "policy_id": { + "type": "string" + }, + "policy_type": { + "type": "string" + }, + "rule_set_id": { + "type": "string" + } + }, + "type": "object" + }, + "global_config": { + "properties": { + "applied": { + "type": "boolean" + }, + "applied_date": { + "type": "string" + }, + "assigned_date": { + "type": "string" + }, + "policy_id": { + "type": "string" + }, + "policy_type": { + "type": "string" + }, + "settings_hash": { + "type": "string" + } + }, + "type": "object" + }, + "prevention": { + "properties": { + "applied": { + "type": "boolean" + }, + "applied_date": { + "type": "string" + }, + "assigned_date": { + "type": "string" + }, + "policy_id": { + "type": "string" + }, + "policy_type": { + "type": "string" + }, + "rule_groups": { + "items": { + "type": "string" + }, + "type": "array" + }, + "settings_hash": { + "type": "string" + } + }, + "type": "object" + }, + "remote_response": { + "properties": { + "applied": { + "type": "boolean" + }, + "applied_date": { + "type": "string" + }, + "assigned_date": { + "type": "string" + }, + "policy_id": { + "type": "string" + }, + "policy_type": { + "type": "string" + }, + "settings_hash": { + "type": "string" + } + }, + "type": "object" + }, + "sensor_update": { + "properties": { + "applied": { + "type": "boolean" + }, + "applied_date": { + "type": "string" + }, + "assigned_date": { + "type": "string" + }, + "policy_id": { + "type": "string" + }, + "policy_type": { + "type": "string" + }, + "settings_hash": { + "type": "string" + }, + "uninstall_protection": { + "type": "string" + } + }, + "type": "object" + } + }, + "type": "object" + }, + "external_ip": { + "type": "string" + }, + "first_seen": { + "type": "string" + }, + "group_hash": { + "type": "string" + }, + "groups": { + "items": { + "type": "string" + }, + "type": "array" + }, + "hostname": { + "type": "string" + }, + "last_seen": { + "type": "string" + }, + "local_ip": { + "type": "string" + }, + "mac_address": { + "type": "string" + }, + "machine_domain": { + "type": "string" + }, + "major_version": { + "type": "string" + }, + "meta": { + "properties": { + "version": { + "type": "string" + } + }, + "type": "object" + }, + "minor_version": { + "type": "string" + }, + "modified_timestamp": { + "type": "string" + }, + "os_version": { + "type": "string" + }, + "ou": { + "items": { + "type": "string" + }, + "type": "array" + }, + "platform_id": { + "type": "string" + }, + "platform_name": { + "type": "string" + }, + "pointer_size": { + "type": "string" + }, + "policies": { + "items": { + "properties": { + "applied": { + "type": "boolean" + }, + "applied_date": { + "type": "string" + }, + "assigned_date": { + "type": "string" + }, + "policy_id": { + "type": "string" + }, + "policy_type": { + "type": "string" + }, + "rule_groups": { + "items": { + "type": "string" + }, + "type": "array" + }, + "settings_hash": { + "type": "string" + } + }, + "required": [ + "policy_type", + "policy_id", + "applied", + "settings_hash", + "assigned_date", + "applied_date", + "rule_groups" + ], + "type": "object" + }, + "type": "array" + }, + "product_type": { + "type": "string" + }, + "product_type_desc": { + "type": "string" + }, + "provision_status": { + "type": "string" + }, + "reduced_functionality_mode": { + "type": "string" + }, + "serial_number": { + "type": "string" + }, + "service_pack_major": { + "type": "string" + }, + "service_pack_minor": { + "type": "string" + }, + "site_name": { + "type": "string" + }, + "slow_changing_modified_timestamp": { + "type": "string" + }, + "status": { + "type": "string" + }, + "system_manufacturer": { + "type": "string" + }, + "system_product_name": { + "type": "string" + }, + "tags": { + "type": "array" + } + }, + "required": [ + "device_id", + "cid", + "agent_load_flags", + "agent_local_time", + "agent_version", + "bios_manufacturer", + "bios_version", + "build_number", + "config_id_base", + "config_id_build", + "config_id_platform", + "cpu_signature", + "external_ip", + "mac_address", + "hostname", + "first_seen", + "last_seen", + "local_ip", + "machine_domain", + "major_version", + "minor_version", + "platform_id", + "platform_name", + "policies", + "reduced_functionality_mode", + "device_policies", + "groups", + "group_hash", + "product_type", + "product_type_desc", + "provision_status", + "serial_number", + "service_pack_major", + "service_pack_minor", + "pointer_size", + "status", + "system_manufacturer", + "system_product_name", + "tags", + "modified_timestamp", + "slow_changing_modified_timestamp", + "meta" + ], + "type": "object" + }, + "type": "array" + } + }, + "type": "object" + } + }, + "runAfter": { + "HTTP_-_Get_device_information_": [ + "Succeeded" + ] + }, + "description": "prepare Json message for device information" + }, + "Switch_to_check_the_device_status": { + "type": "Switch", + "expression": "@body('Parse_JSON_device_information_response')?['resources']?[0]?['status']", + "cases": { + "Case_-_contained": { + "case": "contained", + "actions": { + "Append_to_string_variable_comment_if_host_is_contained": { + "type": "AppendToStringVariable", + "inputs": { + "name": "Comment", + "value": "Host Status : Contained Actions taken on devices : No action taken from playbook" + }, + "description": "This appends comments if the host status is already contained" + }, + "Set_variable_success_from_crowdstirke_in_case_of_host_is_already_contained": { + "type": "SetVariable", + "inputs": { + "name": "Successfromcrowdstike", + "value": "Success" + }, + "runAfter": { + "Append_to_string_variable_comment_if_host_is_contained": [ + "Succeeded" + ] + }, + "description": "This sets the variable success from crowdstrike to update in the incident" + } + } + }, + "Case_-_containment_pending": { + "case": "containment_pending", + "actions": { + "Append_to_string_variable_comment_if_host_status_is_containment_pending": { + "type": "AppendToStringVariable", + "inputs": { + "name": "Comment", + "value": "Host Status : containment_pending Actions taken on devices : No action taken from playbook" + }, + "description": "This appends comments if the host status is containment pending" + }, + "Set_variable_success_from_crowdstirke_in_case_of_containment_pending": { + "type": "SetVariable", + "inputs": { + "name": "Successfromcrowdstike", + "value": "Success" + }, + "runAfter": { + "Append_to_string_variable_comment_if_host_status_is_containment_pending": [ + "Succeeded" + ] + }, + "description": "This sets the variable success from crowdstrike to update in the incident" + } + } + }, + "Case_-_lift_containment_pending": { + "case": "lift_containment_pending", + "actions": { + "Append_to_string_variable_comment_if_host_status_is_lift_containment_pending": { + "type": "AppendToStringVariable", + "inputs": { + "name": "Comment", + "value": "Host Status : Lift_containment_pending Actions taken on devices : No action taken from playbook" + }, + "description": "Append to variable comment if host status is lift containment pending" + }, + "Set_variable_success_from_crowdstirke_in_case_of_lift_containment_pending": { + "type": "SetVariable", + "inputs": { + "name": "Successfromcrowdstike", + "value": "Success" + }, + "runAfter": { + "Append_to_string_variable_comment_if_host_status_is_lift_containment_pending": [ + "Succeeded" + ] + }, + "description": "This sets the variable success from crowdstrike to update in the incident" + } + } + }, + "Case_-_not_contained": { + "case": "normal", + "actions": { + "Condition_to_check_if_contain_success_or_not": { + "type": "If", + "expression": { + "and": [ + { + "equals": [ + "@outputs('HTTP_-_Contain_a_host')['statusCode']", + 202 + ] + } + ] + }, + "actions": { + "Append_to_string_variable_comment_if_host_is_contained_by_playbook": { + "type": "AppendToStringVariable", + "inputs": { + "name": "Comment", + "value": "Host Status : Contained Actions taken on devices : The playbook sucessfully contained the host" + }, + "description": "This appends the variable comment if host is contained by playbook" + }, + "Set_variable_success_from_crowdstirke_in_case_of_success": { + "type": "SetVariable", + "inputs": { + "name": "Successfromcrowdstike", + "value": "Success" + }, + "runAfter": { + "Append_to_string_variable_comment_if_host_is_contained_by_playbook": [ + "Succeeded" + ] + }, + "description": "This sets variable success from crowdstirke in case of success" + } + }, + "runAfter": { + "HTTP_-_Contain_a_host": [ + "Succeeded" + ] + }, + "else": { + "actions": { + "Append_to_string_variable_comment_if_host_is_not_contained_by_playbook": { + "type": "AppendToStringVariable", + "inputs": { + "name": "Comment", + "value": "Host Status : Not contained/Normal Actions taken on devices : The playbook failed to contain the host" + }, + "description": "This sets the variable comment if host is not contained by playbook" + }, + "Set_variable_success_from_crowdstrike_in_case_of_failure": { + "type": "SetVariable", + "inputs": { + "name": "Successfromcrowdstike", + "value": "Failure" + }, + "runAfter": { + "Append_to_string_variable_comment_if_host_is_not_contained_by_playbook": [ + "Succeeded" + ] + }, + "description": "This sets variable success from crowdstirke in case of Failure" + } + } + }, + "description": "condition to check if contain a host is success or failure" + }, + "HTTP_-_Contain_a_host": { + "type": "Http", + "inputs": { + "method": "POST", + "uri": "@{body('CrowdStrike_Base')?['FalconHost']}/devices/entities/devices-actions/v2?action_name=contain", + "headers": { + "Accept": "application/json", + "Authorization": "@{body('CrowdStrike_Base')?['AccessToken']}", + "Content-Type": "application/json" + }, + "body": { + "action_parameters": [ + { + "name": "contain" + } + ], + "ids": [ + "@{body('Parse_JSON_Get_device_id_response')?['resources']?[0]}" + ] + } + }, + "description": "This will contain a host in crowdstrike" + } + } + } + }, + "runAfter": { + "Append_to_string_variable_comment_for_device_information": [ + "Succeeded" + ] + }, + "description": "This checks on the device status" + } + }, + "runAfter": { + "Parse_JSON_Get_device_id_response": [ + "Succeeded" + ] + }, + "else": { + "actions": { + "Append_to_string_variable_comment_if_no_device_exist": { + "type": "AppendToStringVariable", + "inputs": { + "name": "Comment", + "value": "There is no device present in Crowdstrike" + }, + "description": "This appends test to comment if no device available in crowdstrike" + }, + "Set_variable_success_from_crowdstrike": { + "type": "SetVariable", + "inputs": { + "name": "Successfromcrowdstike", + "value": "Success" + }, + "runAfter": { + "Append_to_string_variable_comment_if_no_device_exist": [ + "Succeeded" + ] + }, + "description": "This sets the variable success in case of no device info found" + } + } + }, + "description": "This checks if device is present in crowdstrike or not" + }, + "CrowdStrike_Base": { + "type": "Workflow", + "inputs": { + "host": { + "triggerName": "manual", + "workflow": { + "id": "[resourceId('Microsoft.Logic/workflows', parameters('playbook1-LogicAppName'))]" + } + } + }, + "runAfter": { + "Initialize_variable_success_from_crowdstrike": [ + "Succeeded" + ] + }, + "description": "Call the base logic App to get access token and Falcon Host URL", + "runtimeConfiguration": { + "secureData": { + "properties": [ + "inputs", + "outputs" + ] + } + } + }, + "Entities_-_Get_Hosts": { + "type": "ApiConnection", + "inputs": { + "host": { + "connection": { + "name": "@parameters('$connections')['azuresentinel']['connectionId']" + } + }, + "method": "post", + "body": "@triggerBody()?['object']?['properties']?['relatedEntities']", + "path": "/entities/host" + } + }, + "HTTP_-_Get_device_id": { + "type": "Http", + "inputs": { + "method": "GET", + "uri": "@{body('CrowdStrike_Base')?['FalconHost']}/devices/queries/devices/v1?filter=hostname:'@{body('Entities_-_Get_Hosts')?['Hosts']?[0]?['HostName']}'", + "headers": { + "Accept": "application/json", + "Authorization": "@{body('CrowdStrike_Base')?['AccessToken']}", + "Content-Type": "application/json" + } + }, + "runAfter": { + "CrowdStrike_Base": [ + "Succeeded" + ] + }, + "description": "This gets the device id from crowdstrike by filtering on hostname" + }, + "Initialize_variable_comment": { + "type": "InitializeVariable", + "inputs": { + "variables": [ + { + "name": "Comment", + "type": "string" + } + ] + }, + "runAfter": { + "Entities_-_Get_Hosts": [ + "Succeeded" + ] + }, + "description": "This is used to store comments to update in the incident" + }, + "Initialize_variable_success_from_crowdstrike": { + "type": "InitializeVariable", + "inputs": { + "variables": [ + { + "name": "Successfromcrowdstike", + "type": "string" + } + ] + }, + "runAfter": { + "Initialize_variable_comment": [ + "Succeeded" + ] + }, + "description": "This is used to hold the success or failure information from crowdstrike api actions" + }, + "Parse_JSON_Get_device_id_response": { + "type": "ParseJson", + "inputs": { + "content": "@body('HTTP_-_Get_device_id')", + "schema": { + "meta": { + "pagination": { + "limit": 100, + "offset": 1, + "total": 1 + }, + "powered_by": "device-api", + "query_time": 0.005041315, + "trace_id": "aa7b84f5-3e81-4980-ad9f-c14b6d8ca577" + }, + "resources": [ + "cdc977a72a8c49528bb82f89dde2c2e9" + ] + } + }, + "runAfter": { + "HTTP_-_Get_device_id": [ + "Succeeded" + ] + }, + "description": "prepare json message for the device id response" + } + }, + "parameters": { + "$connections": { + "type": "Object" + } + }, + "triggers": { + "When_Azure_Sentinel_incident_creation_rule_was_triggered_(Private_Preview_only)": { + "type": "ApiConnectionWebhook", + "inputs": { + "host": { + "connection": { + "name": "@parameters('$connections')['azuresentinel']['connectionId']" + } + }, + "body": { + "callback_url": "@{listCallbackUrl()}" + }, + "path": "/incident-creation" + } + } + }, + "contentVersion": "1.0.0.0" + }, + "parameters": { + "$connections": { + "value": { + "azuresentinel": { + "connectionId": "[resourceId('Microsoft.Web/connections', variables('playbook2-AzureSentinelConnectionName'))]", + "connectionName": "[variables('playbook2-AzureSentinelConnectionName')]", + "id": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', parameters('workspace-location'), '/managedApis/azuresentinel')]" + } + } + } + } + } + }, + { + "type": "Microsoft.Web/connections", + "apiVersion": "2018-07-01-preview", + "name": "[variables('playbook3-AzureSentinelConnectionName')]", + "location": "[parameters('workspace-location')]", + "properties": { + "api": { + "id": "[variables('_playbook-2-connection-2')]" + } + } + }, + { + "type": "Microsoft.Logic/workflows", + "apiVersion": "2019-05-01", + "name": "[parameters('playbook3-Playbook_Name')]", + "location": "[parameters('workspace-location')]", + "dependsOn": [ + "[resourceId('Microsoft.Web/connections', variables('playbook3-AzureSentinelConnectionName'))]", + "[resourceId('Microsoft.Logic/workflows', parameters('playbook1-LogicAppName'))]" + ], + "properties": { + "state": "Enabled", + "definition": { + "$schema": "https://schema.@{variables('azureManagementUrl')}/providers/Microsoft.Logic/schemas/2016-06-01/workflowdefinition.json#", + "actions": { + "Add_comment_to_incident_(V3)": { + "runAfter": { + "Compose_image_to_add_in_the_incident": [ + "Succeeded" + ] + }, + "type": "ApiConnection", + "inputs": { + "body": { + "incidentArmId": "@triggerBody()?['object']?['id']", + "message": "

@{outputs('Compose_image_to_add_in_the_incident')}Crowdstrike_Enrichment_GetDeviceInformation playbook run results:

@{variables('Comment')}

" + }, + "host": { + "connection": { + "name": "@parameters('$connections')['azuresentinel']['connectionId']" + } + }, + "method": "post", + "path": "/Incidents/Comment" + } + }, + "Compose_image_to_add_in_the_incident": { + "type": "Compose", + "inputs": "\"Lamp\"", + "runAfter": { + "Condition__to_check_if_device_id_returns_results": [ + "Succeeded" + ] + }, + "description": "This composes crowdstrike image to comment in the incident" + }, + "Condition__to_check_if_device_id_returns_results": { + "type": "If", + "expression": { + "and": [ + { + "not": { + "equals": [ + "@body('Parse_JSON_Get_device_id_response')?['resources']?[0]", + "@null" + ] + } + } + ] + }, + "actions": { + "Append_to_string_variable_comment_for_device_information": { + "type": "AppendToStringVariable", + "inputs": { + "name": "Comment", + "value": "Device information: @{body('Create_HTML_table_for_device_information')}" + }, + "runAfter": { + "Create_HTML_table_for_device_information": [ + "Succeeded" + ] + }, + "description": "Appends device information to comment variable" + }, + "Condition_if_detections_are_present_for_the_host": { + "type": "If", + "expression": { + "and": [ + { + "not": { + "equals": [ + "@body('Parse_JSON_search_detections_response')?['resources']?[0]", + "@null" + ] + } + } + ] + }, + "actions": { + "Append_to_string_variable_detection_information": { + "type": "AppendToStringVariable", + "inputs": { + "name": "Comment", + "value": "Detection Information: @{body('Select_detection_information')}" + }, + "runAfter": { + "Select_detection_information": [ + "Succeeded" + ] + }, + "description": "This appends detection information to comment variable" + }, + "HTTP-Get_detection_information": { + "type": "Http", + "inputs": { + "method": "POST", + "uri": "@{body('CrowdStrike_Base')?['FalconHost']}/detects/entities/summaries/GET/v1", + "headers": { + "Accept": "application/json", + "Authorization": "@{body('CrowdStrike_Base')?['AccessToken']}", + "Content-Type": "application/json" + }, + "body": { + "ids": "@body('Parse_JSON_search_detections_response')?['resources']" + } + }, + "description": "This gets the detection information from the crowdstrike" + }, + "Parse_JSON_detection_information_response": { + "type": "ParseJson", + "inputs": { + "content": "@body('HTTP-Get_detection_information')", + "schema": { + "properties": { + "errors": { + "type": "array" + }, + "meta": { + "properties": { + "powered_by": { + "type": "string" + }, + "query_time": { + "type": "number" + }, + "trace_id": { + "type": "string" + } + }, + "type": "object" + }, + "resources": { + "items": { + "properties": { + "behaviors": { + "items": { + "properties": { + "alleged_filetype": { + "type": "string" + }, + "behavior_id": { + "type": "string" + }, + "cmdline": { + "type": "string" + }, + "confidence": { + "type": "integer" + }, + "control_graph_id": { + "type": "string" + }, + "device_id": { + "type": "string" + }, + "display_name": { + "type": "string" + }, + "filename": { + "type": "string" + }, + "filepath": { + "type": "string" + }, + "ioc_description": { + "type": "string" + }, + "ioc_source": { + "type": "string" + }, + "ioc_type": { + "type": "string" + }, + "ioc_value": { + "type": "string" + }, + "md5": { + "type": "string" + }, + "objective": { + "type": "string" + }, + "parent_details": { + "properties": { + "parent_cmdline": { + "type": "string" + }, + "parent_md5": { + "type": "string" + }, + "parent_process_graph_id": { + "type": "string" + }, + "parent_sha256": { + "type": "string" + } + }, + "type": "object" + }, + "pattern_disposition": { + "type": "integer" + }, + "pattern_disposition_details": { + "properties": { + "bootup_safeguard_enabled": { + "type": "boolean" + }, + "critical_process_disabled": { + "type": "boolean" + }, + "detect": { + "type": "boolean" + }, + "fs_operation_blocked": { + "type": "boolean" + }, + "handle_operation_downgraded": { + "type": "boolean" + }, + "inddet_mask": { + "type": "boolean" + }, + "indicator": { + "type": "boolean" + }, + "kill_parent": { + "type": "boolean" + }, + "kill_process": { + "type": "boolean" + }, + "kill_subprocess": { + "type": "boolean" + }, + "operation_blocked": { + "type": "boolean" + }, + "policy_disabled": { + "type": "boolean" + }, + "process_blocked": { + "type": "boolean" + }, + "quarantine_file": { + "type": "boolean" + }, + "quarantine_machine": { + "type": "boolean" + }, + "registry_operation_blocked": { + "type": "boolean" + }, + "rooting": { + "type": "boolean" + }, + "sensor_only": { + "type": "boolean" + } + }, + "type": "object" + }, + "scenario": { + "type": "string" + }, + "severity": { + "type": "integer" + }, + "sha256": { + "type": "string" + }, + "tactic": { + "type": "string" + }, + "tactic_id": { + "type": "string" + }, + "technique": { + "type": "string" + }, + "technique_id": { + "type": "string" + }, + "timestamp": { + "type": "string" + }, + "triggering_process_graph_id": { + "type": "string" + }, + "user_id": { + "type": "string" + }, + "user_name": { + "type": "string" + } + }, + "required": [ + "device_id", + "timestamp", + "behavior_id", + "filename", + "filepath", + "alleged_filetype", + "cmdline", + "scenario", + "objective", + "tactic", + "tactic_id", + "technique", + "technique_id", + "display_name", + "severity", + "confidence", + "ioc_type", + "ioc_value", + "ioc_source", + "ioc_description", + "user_name", + "user_id", + "control_graph_id", + "triggering_process_graph_id", + "sha256", + "md5", + "parent_details", + "pattern_disposition", + "pattern_disposition_details" + ], + "type": "object" + }, + "type": "array" + }, + "behaviors_processed": { + "items": { + "type": "string" + }, + "type": "array" + }, + "cid": { + "type": "string" + }, + "created_timestamp": { + "type": "string" + }, + "detection_id": { + "type": "string" + }, + "device": { + "properties": { + "agent_load_flags": { + "type": "string" + }, + "agent_local_time": { + "type": "string" + }, + "agent_version": { + "type": "string" + }, + "bios_manufacturer": { + "type": "string" + }, + "bios_version": { + "type": "string" + }, + "cid": { + "type": "string" + }, + "config_id_base": { + "type": "string" + }, + "config_id_build": { + "type": "string" + }, + "config_id_platform": { + "type": "string" + }, + "device_id": { + "type": "string" + }, + "external_ip": { + "type": "string" + }, + "first_seen": { + "type": "string" + }, + "groups": { + "items": { + "type": "string" + }, + "type": "array" + }, + "hostname": { + "type": "string" + }, + "last_seen": { + "type": "string" + }, + "local_ip": { + "type": "string" + }, + "mac_address": { + "type": "string" + }, + "machine_domain": { + "type": "string" + }, + "major_version": { + "type": "string" + }, + "minor_version": { + "type": "string" + }, + "modified_timestamp": { + "type": "string" + }, + "os_version": { + "type": "string" + }, + "ou": { + "items": { + "type": "string" + }, + "type": "array" + }, + "platform_id": { + "type": "string" + }, + "platform_name": { + "type": "string" + }, + "product_type": { + "type": "string" + }, + "product_type_desc": { + "type": "string" + }, + "site_name": { + "type": "string" + }, + "status": { + "type": "string" + }, + "system_manufacturer": { + "type": "string" + }, + "system_product_name": { + "type": "string" + } + }, + "type": "object" + }, + "email_sent": { + "type": "boolean" + }, + "first_behavior": { + "type": "string" + }, + "hostinfo": { + "properties": { + "active_directory_dn_display": { + "items": { + "type": "string" + }, + "type": "array" + }, + "domain": { + "type": "string" + } + }, + "type": "object" + }, + "last_behavior": { + "type": "string" + }, + "max_confidence": { + "type": "integer" + }, + "max_severity": { + "type": "integer" + }, + "max_severity_displayname": { + "type": "string" + }, + "seconds_to_resolved": { + "type": "integer" + }, + "seconds_to_triaged": { + "type": "integer" + }, + "show_in_ui": { + "type": "boolean" + }, + "status": { + "type": "string" + } + }, + "required": [ + "cid", + "created_timestamp", + "detection_id", + "device", + "behaviors", + "email_sent", + "first_behavior", + "last_behavior", + "max_confidence", + "max_severity", + "max_severity_displayname", + "show_in_ui", + "status", + "hostinfo", + "seconds_to_triaged", + "seconds_to_resolved", + "behaviors_processed" + ], + "type": "object" + }, + "type": "array" + } + }, + "type": "object" + } + }, + "runAfter": { + "HTTP-Get_detection_information": [ + "Succeeded" + ] + }, + "description": "prepares json message for detection information" + }, + "Select_detection_information": { + "type": "Select", + "inputs": { + "from": "@body('Parse_JSON_detection_information_response')?['resources']", + "select": { + "detection_id": "@item()?['detection_id']", + "device_id": "@item()?['device']?['device_id']", + "domain": "@item()?['hostinfo']?['domain']", + "local_ip": "@item()?['device']?['local_ip']" + } + }, + "runAfter": { + "Parse_JSON_detection_information_response": [ + "Succeeded" + ] + }, + "description": "compose detection information" + } + }, + "runAfter": { + "Parse_JSON_search_detections_response": [ + "Succeeded" + ] + }, + "else": { + "actions": { + "Append_to_string_variable_comment_if_no_detections_are_present": { + "type": "AppendToStringVariable", + "inputs": { + "name": "Comment", + "value": "There are no detections present for this device." + }, + "description": "this appends text to comments if no detections are present" + } + } + }, + "description": "This checks if detections are present for the host" + }, + "Create_HTML_table_for_device_information": { + "type": "Table", + "inputs": { + "from": "@body('Parse_JSON_device_information_response')?['resources']", + "format": "HTML", + "columns": [ + { + "header": "device_id", + "value": "@item()?['device_id']" + }, + { + "header": "external_ip", + "value": "@item()?['external_ip']" + }, + { + "header": "mac_address", + "value": "@item()?['mac_address']" + }, + { + "header": "hostname", + "value": "@item()?['hostname']" + }, + { + "header": "first_seen", + "value": "@item()?['first_seen']" + }, + { + "header": "last_seen", + "value": "@item()?['last_seen']" + }, + { + "header": "local_ip", + "value": "@item()?['local_ip']" + }, + { + "header": "machine_domain", + "value": "@item()?['machine_domain']" + }, + { + "header": "os_version", + "value": "@item()?['os_version']" + } + ] + }, + "runAfter": { + "Parse_JSON_device_information_response": [ + "Succeeded" + ] + }, + "description": "prepares HTML table for device information" + }, + "HTTP_-Search_for_detections": { + "type": "Http", + "inputs": { + "method": "GET", + "uri": "@{body('CrowdStrike_Base')?['FalconHost']}/detects/queries/detects/v1?filter=first_behavior:>'@{variables('Timestamp')}'&device_id:'@{body('Parse_JSON_Get_device_id_response')?['resources']?[0]}'&sort=first_behavior.desc", + "headers": { + "Accept": "application/json", + "Authorization": "@{body('CrowdStrike_Base')?['AccessToken']}", + "Content-Type": "application/json" + } + }, + "runAfter": { + "Set_variable_timestamp_for_past_3_days": [ + "Succeeded" + ] + }, + "description": "searches the detections based on the filters from crowdstrike" + }, + "HTTP_-_Get_device_information_": { + "type": "Http", + "inputs": { + "method": "GET", + "uri": "@{body('CrowdStrike_Base')?['FalconHost']}/devices/entities/devices/v1?ids=@{body('Parse_JSON_Get_device_id_response')?['resources']?[0]}", + "headers": { + "Accept": "application/json", + "Authorization": "@{body('CrowdStrike_Base')?['AccessToken']}", + "Content-Type": "application/json" + } + }, + "description": "This gets the device information from crowdstrike" + }, + "Parse_JSON_device_information_response": { + "type": "ParseJson", + "inputs": { + "content": "@body('HTTP_-_Get_device_information_')", + "schema": { + "properties": { + "errors": { + "type": "array" + }, + "meta": { + "properties": { + "powered_by": { + "type": "string" + }, + "query_time": { + "type": "number" + }, + "trace_id": { + "type": "string" + } + }, + "type": "object" + }, + "resources": { + "items": { + "properties": { + "agent_load_flags": { + "type": "string" + }, + "agent_local_time": { + "type": "string" + }, + "agent_version": { + "type": "string" + }, + "bios_manufacturer": { + "type": "string" + }, + "bios_version": { + "type": "string" + }, + "build_number": { + "type": "string" + }, + "cid": { + "type": "string" + }, + "config_id_base": { + "type": "string" + }, + "config_id_build": { + "type": "string" + }, + "config_id_platform": { + "type": "string" + }, + "cpu_signature": { + "type": "string" + }, + "device_id": { + "type": "string" + }, + "device_policies": { + "properties": { + "device_control": { + "properties": { + "applied": { + "type": "boolean" + }, + "applied_date": { + "type": "string" + }, + "assigned_date": { + "type": "string" + }, + "policy_id": { + "type": "string" + }, + "policy_type": { + "type": "string" + } + }, + "type": "object" + }, + "firewall": { + "properties": { + "applied": { + "type": "boolean" + }, + "applied_date": { + "type": "string" + }, + "assigned_date": { + "type": "string" + }, + "policy_id": { + "type": "string" + }, + "policy_type": { + "type": "string" + }, + "rule_set_id": { + "type": "string" + } + }, + "type": "object" + }, + "global_config": { + "properties": { + "applied": { + "type": "boolean" + }, + "applied_date": { + "type": "string" + }, + "assigned_date": { + "type": "string" + }, + "policy_id": { + "type": "string" + }, + "policy_type": { + "type": "string" + }, + "settings_hash": { + "type": "string" + } + }, + "type": "object" + }, + "prevention": { + "properties": { + "applied": { + "type": "boolean" + }, + "applied_date": { + "type": "string" + }, + "assigned_date": { + "type": "string" + }, + "policy_id": { + "type": "string" + }, + "policy_type": { + "type": "string" + }, + "rule_groups": { + "items": { + "type": "string" + }, + "type": "array" + }, + "settings_hash": { + "type": "string" + } + }, + "type": "object" + }, + "remote_response": { + "properties": { + "applied": { + "type": "boolean" + }, + "applied_date": { + "type": "string" + }, + "assigned_date": { + "type": "string" + }, + "policy_id": { + "type": "string" + }, + "policy_type": { + "type": "string" + }, + "settings_hash": { + "type": "string" + } + }, + "type": "object" + }, + "sensor_update": { + "properties": { + "applied": { + "type": "boolean" + }, + "applied_date": { + "type": "string" + }, + "assigned_date": { + "type": "string" + }, + "policy_id": { + "type": "string" + }, + "policy_type": { + "type": "string" + }, + "settings_hash": { + "type": "string" + }, + "uninstall_protection": { + "type": "string" + } + }, + "type": "object" + } + }, + "type": "object" + }, + "external_ip": { + "type": "string" + }, + "first_seen": { + "type": "string" + }, + "group_hash": { + "type": "string" + }, + "groups": { + "items": { + "type": "string" + }, + "type": "array" + }, + "hostname": { + "type": "string" + }, + "last_seen": { + "type": "string" + }, + "local_ip": { + "type": "string" + }, + "mac_address": { + "type": "string" + }, + "machine_domain": { + "type": "string" + }, + "major_version": { + "type": "string" + }, + "meta": { + "properties": { + "version": { + "type": "string" + } + }, + "type": "object" + }, + "minor_version": { + "type": "string" + }, + "modified_timestamp": { + "type": "string" + }, + "os_version": { + "type": "string" + }, + "ou": { + "items": { + "type": "string" + }, + "type": "array" + }, + "platform_id": { + "type": "string" + }, + "platform_name": { + "type": "string" + }, + "pointer_size": { + "type": "string" + }, + "policies": { + "items": { + "properties": { + "applied": { + "type": "boolean" + }, + "applied_date": { + "type": "string" + }, + "assigned_date": { + "type": "string" + }, + "policy_id": { + "type": "string" + }, + "policy_type": { + "type": "string" + }, + "rule_groups": { + "items": { + "type": "string" + }, + "type": "array" + }, + "settings_hash": { + "type": "string" + } + }, + "required": [ + "policy_type", + "policy_id", + "applied", + "settings_hash", + "assigned_date", + "applied_date", + "rule_groups" + ], + "type": "object" + }, + "type": "array" + }, + "product_type": { + "type": "string" + }, + "product_type_desc": { + "type": "string" + }, + "provision_status": { + "type": "string" + }, + "reduced_functionality_mode": { + "type": "string" + }, + "serial_number": { + "type": "string" + }, + "service_pack_major": { + "type": "string" + }, + "service_pack_minor": { + "type": "string" + }, + "site_name": { + "type": "string" + }, + "slow_changing_modified_timestamp": { + "type": "string" + }, + "status": { + "type": "string" + }, + "system_manufacturer": { + "type": "string" + }, + "system_product_name": { + "type": "string" + }, + "tags": { + "type": "array" + } + }, + "required": [ + "device_id", + "cid", + "agent_load_flags", + "agent_local_time", + "agent_version", + "bios_manufacturer", + "bios_version", + "build_number", + "config_id_base", + "config_id_build", + "config_id_platform", + "cpu_signature", + "external_ip", + "mac_address", + "hostname", + "first_seen", + "last_seen", + "local_ip", + "major_version", + "minor_version", + "os_version", + "platform_id", + "platform_name", + "policies", + "reduced_functionality_mode", + "device_policies", + "groups", + "group_hash", + "product_type", + "product_type_desc", + "provision_status", + "serial_number", + "service_pack_major", + "service_pack_minor", + "pointer_size", + "status", + "system_manufacturer", + "system_product_name", + "tags", + "modified_timestamp", + "slow_changing_modified_timestamp", + "meta" + ], + "type": "object" + }, + "type": "array" + } + }, + "type": "object" + } + }, + "runAfter": { + "HTTP_-_Get_device_information_": [ + "Succeeded" + ] + }, + "description": "prepares json for device information" + }, + "Parse_JSON_search_detections_response": { + "type": "ParseJson", + "inputs": { + "content": "@body('HTTP_-Search_for_detections')", + "schema": { + "properties": { + "errors": { + "type": "array" + }, + "meta": { + "properties": { + "pagination": { + "properties": { + "limit": { + "type": "integer" + }, + "offset": { + "type": "integer" + }, + "total": { + "type": "integer" + } + }, + "type": "object" + }, + "powered_by": { + "type": "string" + }, + "query_time": { + "type": "number" + }, + "trace_id": { + "type": "string" + } + }, + "type": "object" + }, + "resources": { + "items": { + "type": "string" + }, + "type": "array" + } + }, + "type": "object" + } + }, + "runAfter": { + "HTTP_-Search_for_detections": [ + "Succeeded" + ] + }, + "description": "prepares json for search detections" + }, + "Set_variable_timestamp_for_past_3_days": { + "type": "SetVariable", + "inputs": { + "name": "Timestamp", + "value": "@{getPastTime(3, 'Day')}" + }, + "runAfter": { + "Append_to_string_variable_comment_for_device_information": [ + "Succeeded" + ] + }, + "description": "set variable timestamp for past 3 days to filter detections" + } + }, + "runAfter": { + "Parse_JSON_Get_device_id_response": [ + "Succeeded" + ] + }, + "else": { + "actions": { + "Append_to_string_variable_if_no_devices_are_present": { + "type": "AppendToStringVariable", + "inputs": { + "name": "Comment", + "value": "There are no devices present" + }, + "description": "This appends text to string variable if no devices are present" + } + } + }, + "description": "This checks if device is present in falcon host or not" + }, + "CrowdStrike_Base": { + "runAfter": { + "Initialize_variable_comment": [ + "Succeeded" + ] + }, + "type": "Workflow", + "inputs": { + "host": { + "triggerName": "manual", + "workflow": { + "id": "[resourceId('Microsoft.Logic/workflows', parameters('playbook1-LogicAppName'))]" + } + } + }, + "description": "This is to call the base logic app to get the access token and falcon host URL" + }, + "Entities_-_Get_Hosts": { + "type": "ApiConnection", + "inputs": { + "body": "@triggerBody()?['object']?['properties']?['relatedEntities']", + "host": { + "connection": { + "name": "@parameters('$connections')['azuresentinel']['connectionId']" + } + }, + "method": "post", + "path": "/entities/host" + } + }, + "HTTP_-_Get_device_id": { + "type": "Http", + "inputs": { + "method": "GET", + "uri": "@{body('CrowdStrike_Base')?['FalconHost']}/devices/queries/devices/v1?filter=hostname:'@{body('Entities_-_Get_Hosts')?['Hosts']?[0]?['HostName']}'", + "headers": { + "Accept": "application/json", + "Authorization": "@{body('CrowdStrike_Base')?['AccessToken']}", + "Content-Type": "application/json" + } + }, + "runAfter": { + "CrowdStrike_Base": [ + "Succeeded" + ] + }, + "description": "This filters the device id by hostname" + }, + "Initialize_variable_comment": { + "type": "InitializeVariable", + "inputs": { + "variables": [ + { + "name": "Comment", + "type": "string" + } + ] + }, + "runAfter": { + "Initialize_variable_timestamp": [ + "Succeeded" + ] + }, + "description": "This holds the variable comment to include in the incident" + }, + "Initialize_variable_timestamp": { + "type": "InitializeVariable", + "inputs": { + "variables": [ + { + "name": "Timestamp", + "type": "string" + } + ] + }, + "runAfter": { + "Entities_-_Get_Hosts": [ + "Succeeded" + ] + }, + "description": "Initialize timestamp variable to hold the timestamp" + }, + "Parse_JSON_Get_device_id_response": { + "type": "ParseJson", + "inputs": { + "content": "@body('HTTP_-_Get_device_id')", + "schema": { + "meta": { + "pagination": { + "limit": 100, + "offset": 1, + "total": 1 + }, + "powered_by": "device-api", + "query_time": 0.005041315, + "trace_id": "aa7b84f5-3e81-4980-ad9f-c14b6d8ca577" + }, + "resources": [ + "cdc977a72a8c49528bb82f89dde2c2e9" + ] + } + }, + "runAfter": { + "HTTP_-_Get_device_id": [ + "Succeeded" + ] + }, + "description": "prepares json for the device id response" + } + }, + "parameters": { + "$connections": { + "type": "Object" + } + }, + "triggers": { + "When_Azure_Sentinel_incident_creation_rule_was_triggered_(Private_Preview_only)": { + "type": "ApiConnectionWebhook", + "inputs": { + "body": { + "callback_url": "@{listCallbackUrl()}" + }, + "host": { + "connection": { + "name": "@parameters('$connections')['azuresentinel']['connectionId']" + } + }, + "path": "/incident-creation" + } + } + }, + "contentVersion": "1.0.0.0" + }, + "parameters": { + "$connections": { + "value": { + "azuresentinel": { + "connectionId": "[resourceId('Microsoft.Web/connections', variables('playbook3-AzureSentinelConnectionName'))]", + "connectionName": "[variables('playbook3-AzureSentinelConnectionName')]", + "id": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', parameters('workspace-location'), '/managedApis/azuresentinel')]" + } + } + } + } + } + }, + { + "type": "Microsoft.Web/connections", + "apiVersion": "2018-07-01-preview", + "name": "[variables('playbook4-AzureSentinelConnectionName')]", + "location": "[parameters('workspace-location')]", + "properties": { + "api": { + "id": "[variables('_playbook-2-connection-2')]" + } + + } + }, + { + "type": "Microsoft.Web/connections", + "apiVersion": "2018-07-01-preview", + "name": "[variables('playbook4-TeamsConnectionName')]", + "location": "[parameters('workspace-location')]", + "properties": { + "api": { + "id": "[variables('_playbook-4-connection-2')]" + } + } + }, + { + "type": "Microsoft.Logic/workflows", + "apiVersion": "2019-05-01", + "name": "[parameters('playbook4-Playbook_Name')]", + "location": "[parameters('workspace-location')]", + "dependsOn": [ + "[resourceId('Microsoft.Web/connections', variables('playbook4-AzureSentinelConnectionName'))]", + "[resourceId('Microsoft.Web/connections', variables('playbook4-TeamsConnectionName'))]", + "[resourceId('Microsoft.Logic/workflows', parameters('playbook1-LogicAppName'))]" + ], + "properties": { + "state": "Enabled", + "definition": { + "$schema": "https://schema.management.azure.com/providers/Microsoft.Logic/schemas/2016-06-01/workflowdefinition.json#", + "actions": { + "Add_comment_to_incident_(V3)": { + "runAfter": { + "Compose_image_to_add_in_the_incident": [ + "Succeeded" + ] + }, + "type": "ApiConnection", + "inputs": { + "body": { + "incidentArmId": "@triggerBody()?['object']?['id']", + "message": "

@{outputs('Compose_image_to_add_in_the_incident')}  Crowdstrike_ResponsefromTeams playbook run results :
\nDevice information:
\n@{variables('DeviceInfo')}
\nActions Taken :
\n@{variables('ActionTaken')}
\n

" + }, + "host": { + "connection": { + "name": "@parameters('$connections')['azuresentinel']['connectionId']" + } + }, + "method": "post", + "path": "/Incidents/Comment" + }, + "description": "This comments in the incident" + }, + "Append_to_array_variable_device_actions_to_Ignore": { + "type": "AppendToArrayVariable", + "inputs": { + "name": "DeviceActions", + "value": { + "title": "Ignore", + "type": "Action.Submit" + } + }, + "runAfter": { + "Condition_to_check_if_device_id_returns_results": [ + "Succeeded" + ] + }, + "description": "appends Ignore option to device actions" + }, + "Compose_image_to_add_in_the_incident": { + "type": "Compose", + "inputs": "\"Lamp\"\n", + "runAfter": { + "Post_your_own_adaptive_card_as_the_Flow_bot_to_a_channel": [ + "Succeeded" + ] + }, + "description": "This composes image to be added in the comments of the incident" + }, + "Condition_to_check_if_SOC_changes_incident_configuration": { + "type": "If", + "expression": { + "and": [ + { + "not": { + "equals": [ + "@body('Post_an_Adaptive_Card_to_a_Teams_channel_and_wait_for_a_response')?['submitActionId']", + "Ignore" + ] + } + } + ] + }, + "actions": { + "Update_incident": { + "type": "ApiConnection", + "inputs": { + "body": { + "classification": { + "ClassificationAndReason": "@{body('Post_an_Adaptive_Card_to_a_Teams_channel_and_wait_for_a_response')?['data']?['incidentStatus']}", + "ClassificationReasonText": "Crowdstrike_ResponsefromTeams playbook ran and closed this incident" + }, + "incidentArmId": "@triggerBody()?['object']?['id']", + "severity": "@{body('Post_an_Adaptive_Card_to_a_Teams_channel_and_wait_for_a_response')?['data']?['incidentSeverity']}", + "status": "Closed" + }, + "host": { + "connection": { + "name": "@parameters('$connections')['azuresentinel']['connectionId']" + } + }, + "method": "put", + "path": "/Incidents" + }, + "description": "This updates the azure sentinel incident" + } + }, + "runAfter": { + "Add_comment_to_incident_(V3)": [ + "Succeeded" + ] + }, + "description": "This checks if SOC changed the incident configuration" + }, + "Condition_to_check_if_device_id_returns_results": { + "type": "If", + "expression": { + "and": [ + { + "not": { + "equals": [ + "@body('Parse_JSON_Get_device_id_response')?['resources']?[0]", + "@null" + ] + } + } + ] + }, + "actions": { + "Condition_to_check_if_any_policies_are_present": { + "type": "If", + "expression": { + "and": [ + { + "not": { + "equals": [ + "@body('Parse_JSON_device_information_response')?['resources']?[0]?['policies']?[0]", + "@null" + ] + } + } + ] + }, + "actions": { + "Append_to_array_variable_adaptive_card_body_policies": { + "type": "AppendToArrayVariable", + "inputs": { + "name": "Adaptivecardbody", + "value": { + "columns": [ + { + "items": "@body('Select_policies_to_display_in_the_adaptive_card')", + "type": "Column" + } + ], + "type": "ColumnSet" + } + }, + "runAfter": { + "Append_to_array_variable_adaptive_card_policy_text": [ + "Succeeded" + ] + }, + "description": "This appends the list of policies to display in adaptive card" + }, + "Append_to_array_variable_adaptive_card_policy_text": { + "type": "AppendToArrayVariable", + "inputs": { + "name": "Adaptivecardbody", + "value": { + "text": "Applied policies on this host:", + "type": "TextBlock" + } + }, + "runAfter": { + "Select_policies_to_display_in_the_adaptive_card": [ + "Succeeded" + ] + }, + "description": "This appends text to adaptive card body for policy text" + }, + "Select_policies_to_display_in_the_adaptive_card": { + "type": "Select", + "inputs": { + "from": "@body('Parse_JSON_device_information_response')?['resources']?[0]?['policies']", + "select": { + "text": "@item()?['policy_type']", + "type": "TextBlock" + } + }, + "description": "This composes the policies to be displayed on the adaptive card" + } + }, + "runAfter": { + "Switch_to_check_the_status_of_the_host": [ + "Succeeded" + ] + }, + "else": { + "actions": { + "Append_to_array_variable_if_no_policies_are_present": { + "type": "AppendToArrayVariable", + "inputs": { + "name": "Adaptivecardbody", + "value": { + "text": "There are no policies applied for this host", + "type": "TextBlock" + } + }, + "description": "This appends text to adaptive card body if no policies are present" + } + } + }, + "description": "This checks if any policies are present" + }, + "Create_HTML_table_for_device_information": { + "type": "Table", + "inputs": { + "from": "@body('Parse_JSON_device_information_response')?['resources']", + "format": "HTML", + "columns": [ + { + "header": "device_id", + "value": "@item()?['device_id']" + }, + { + "header": "external_ip", + "value": "@item()?['external_ip']" + }, + { + "header": "mac_address", + "value": "@item()?['mac_address']" + }, + { + "header": "hostname", + "value": "@item()?['hostname']" + }, + { + "header": "first_seen", + "value": "@item()?['first_seen']" + }, + { + "header": "last_seen", + "value": "@item()?['last_seen']" + }, + { + "header": "local_ip", + "value": "@item()?['local_ip']" + }, + { + "header": "machine_domain", + "value": "@item()?['machine_domain']" + }, + { + "header": "os_version", + "value": "@item()?['os_version']" + } + ] + }, + "runAfter": { + "Parse_JSON_device_information_response": [ + "Succeeded" + ] + }, + "description": "prepare html table of device information" + }, + "HTTP_-_Get_device_information": { + "type": "Http", + "inputs": { + "method": "GET", + "uri": "@{body('CrowdStrike_Base')?['FalconHost']}/devices/entities/devices/v1?ids=@{body('Parse_JSON_Get_device_id_response')?['resources']?[0]}", + "headers": { + "Accept": "application/json", + "Authorization": "@{body('CrowdStrike_Base')?['AccessToken']}", + "Content-Type": "application/json" + } + }, + "description": "This gets the device information from crowdstrike" + }, + "Parse_JSON_device_information_response": { + "type": "ParseJson", + "inputs": { + "content": "@body('HTTP_-_Get_device_information')", + "schema": { + "properties": { + "errors": { + "type": "array" + }, + "meta": { + "properties": { + "powered_by": { + "type": "string" + }, + "query_time": { + "type": "number" + }, + "trace_id": { + "type": "string" + } + }, + "type": "object" + }, + "resources": { + "items": { + "properties": { + "agent_load_flags": { + "type": "string" + }, + "agent_local_time": { + "type": "string" + }, + "agent_version": { + "type": "string" + }, + "bios_manufacturer": { + "type": "string" + }, + "bios_version": { + "type": "string" + }, + "build_number": { + "type": "string" + }, + "cid": { + "type": "string" + }, + "config_id_base": { + "type": "string" + }, + "config_id_build": { + "type": "string" + }, + "config_id_platform": { + "type": "string" + }, + "cpu_signature": { + "type": "string" + }, + "device_id": { + "type": "string" + }, + "device_policies": { + "properties": { + "device_control": { + "properties": { + "applied": { + "type": "boolean" + }, + "applied_date": { + "type": "string" + }, + "assigned_date": { + "type": "string" + }, + "policy_id": { + "type": "string" + }, + "policy_type": { + "type": "string" + } + }, + "type": "object" + }, + "firewall": { + "properties": { + "applied": { + "type": "boolean" + }, + "applied_date": { + "type": "string" + }, + "assigned_date": { + "type": "string" + }, + "policy_id": { + "type": "string" + }, + "policy_type": { + "type": "string" + }, + "rule_set_id": { + "type": "string" + } + }, + "type": "object" + }, + "global_config": { + "properties": { + "applied": { + "type": "boolean" + }, + "applied_date": { + "type": "string" + }, + "assigned_date": { + "type": "string" + }, + "policy_id": { + "type": "string" + }, + "policy_type": { + "type": "string" + }, + "settings_hash": { + "type": "string" + } + }, + "type": "object" + }, + "prevention": { + "properties": { + "applied": { + "type": "boolean" + }, + "applied_date": { + "type": "string" + }, + "assigned_date": { + "type": "string" + }, + "policy_id": { + "type": "string" + }, + "policy_type": { + "type": "string" + }, + "rule_groups": { + "items": { + "type": "string" + }, + "type": "array" + }, + "settings_hash": { + "type": "string" + } + }, + "type": "object" + }, + "remote_response": { + "properties": { + "applied": { + "type": "boolean" + }, + "applied_date": { + "type": "string" + }, + "assigned_date": { + "type": "string" + }, + "policy_id": { + "type": "string" + }, + "policy_type": { + "type": "string" + }, + "settings_hash": { + "type": "string" + } + }, + "type": "object" + }, + "sensor_update": { + "properties": { + "applied": { + "type": "boolean" + }, + "assigned_date": { + "type": "string" + }, + "policy_id": { + "type": "string" + }, + "policy_type": { + "type": "string" + }, + "settings_hash": { + "type": "string" + }, + "uninstall_protection": { + "type": "string" + } + }, + "type": "object" + } + }, + "type": "object" + }, + "external_ip": { + "type": "string" + }, + "first_seen": { + "type": "string" + }, + "group_hash": { + "type": "string" + }, + "groups": { + "items": { + "type": "string" + }, + "type": "array" + }, + "hostname": { + "type": "string" + }, + "last_seen": { + "type": "string" + }, + "local_ip": { + "type": "string" + }, + "mac_address": { + "type": "string" + }, + "machine_domain": { + "type": "string" + }, + "major_version": { + "type": "string" + }, + "meta": { + "properties": { + "version": { + "type": "string" + } + }, + "type": "object" + }, + "minor_version": { + "type": "string" + }, + "modified_timestamp": { + "type": "string" + }, + "os_version": { + "type": "string" + }, + "ou": { + "items": { + "type": "string" + }, + "type": "array" + }, + "platform_id": { + "type": "string" + }, + "platform_name": { + "type": "string" + }, + "pointer_size": { + "type": "string" + }, + "policies": { + "items": { + "properties": { + "applied": { + "type": "boolean" + }, + "applied_date": { + "type": "string" + }, + "assigned_date": { + "type": "string" + }, + "policy_id": { + "type": "string" + }, + "policy_type": { + "type": "string" + }, + "rule_groups": { + "items": { + "type": "string" + }, + "type": "array" + }, + "settings_hash": { + "type": "string" + } + }, + "required": [ + "policy_type", + "policy_id", + "applied", + "settings_hash", + "assigned_date", + "applied_date", + "rule_groups" + ], + "type": "object" + }, + "type": "array" + }, + "product_type": { + "type": "string" + }, + "product_type_desc": { + "type": "string" + }, + "provision_status": { + "type": "string" + }, + "reduced_functionality_mode": { + "type": "string" + }, + "serial_number": { + "type": "string" + }, + "service_pack_major": { + "type": "string" + }, + "service_pack_minor": { + "type": "string" + }, + "site_name": { + "type": "string" + }, + "slow_changing_modified_timestamp": { + "type": "string" + }, + "status": { + "type": "string" + }, + "system_manufacturer": { + "type": "string" + }, + "system_product_name": { + "type": "string" + }, + "tags": { + "type": "array" + } + }, + "required": [ + "device_id", + "cid", + "agent_load_flags", + "agent_local_time", + "agent_version", + "bios_manufacturer", + "bios_version", + "build_number", + "config_id_base", + "config_id_build", + "config_id_platform", + "cpu_signature", + "external_ip", + "mac_address", + "hostname", + "first_seen", + "last_seen", + "local_ip", + "major_version", + "minor_version", + "os_version", + "platform_id", + "platform_name", + "policies", + "reduced_functionality_mode", + "device_policies", + "groups", + "group_hash", + "product_type", + "product_type_desc", + "provision_status", + "serial_number", + "service_pack_major", + "service_pack_minor", + "pointer_size", + "status", + "system_manufacturer", + "system_product_name", + "tags", + "modified_timestamp", + "slow_changing_modified_timestamp", + "meta" + ], + "type": "object" + }, + "type": "array" + } + }, + "type": "object" + } + }, + "runAfter": { + "HTTP_-_Get_device_information": [ + "Succeeded" + ] + }, + "description": "prepare json for device information" + }, + "Set_variable_adaptive_card_body_if_host_is_present": { + "type": "SetVariable", + "inputs": { + "name": "Adaptivecardbody", + "value": [ + { + "size": "large", + "text": "Suspicious Device - Azure Sentinel", + "type": "TextBlock", + "weight": "bolder", + "wrap": true + }, + { + "text": "Possible comprised device detected by the provider ", + "type": "TextBlock", + "wrap": true + }, + { + "text": " @{triggerBody()?['object']?['properties']?['severity']} Incident - CrowdStrike actions @{triggerBody()?['object']?['properties']?['title']}", + "type": "TextBlock", + "weight": "Bolder", + "wrap": true + }, + { + "text": " Incident No : @{triggerBody()?['object']?['properties']?['incidentNumber']} ", + "type": "TextBlock", + "weight": "Bolder", + "wrap": true + }, + { + "text": "Incident description", + "type": "TextBlock", + "weight": "Bolder", + "wrap": true + }, + { + "text": "@{triggerBody()?['object']?['properties']?['description']}", + "type": "TextBlock", + "wrap": true + }, + { + "text": "[[Click here to view the Incident](@{triggerBody()?['object']?['properties']?['incidentUrl']})", + "type": "TextBlock", + "wrap": true + }, + { + "size": "Small", + "style": "Person", + "type": "Image", + "url": "https://uploads4.craft.co/uploads/company/logo/852xx/85212/normal_1171b7695370eb94.jpg" + }, + { + "text": "CrowdStrike host information", + "type": "TextBlock", + "weight": "Bolder" + }, + { + "text": "Hostname: @{body('Parse_JSON_device_information_response')?['resources']?[0]?['hostname']}", + "type": "TextBlock", + "weight": "Bolder" + }, + { + "text": "local_ip: @{body('Parse_JSON_device_information_response')?['resources']?[0]?['local_ip']} ", + "type": "TextBlock" + }, + { + "text": "machine_domain: @{body('Parse_JSON_device_information_response')?['resources']?[0]?['machine_domain']} ", + "type": "TextBlock" + }, + { + "text": "os_version: @{body('Parse_JSON_device_information_response')?['resources']?[0]?['os_version']} ", + "type": "TextBlock" + } + ] + }, + "runAfter": { + "Set_variable_device_info": [ + "Succeeded" + ] + }, + "description": "set adaptive card body with host information if host is present" + }, + "Set_variable_device_info": { + "type": "SetVariable", + "inputs": { + "name": "DeviceInfo", + "value": "@body('Create_HTML_table_for_device_information')" + }, + "runAfter": { + "Create_HTML_table_for_device_information": [ + "Succeeded" + ] + }, + "description": "sets device info to comment in the incident" + }, + "Switch_to_check_the_status_of_the_host": { + "type": "Switch", + "expression": "@body('Parse_JSON_device_information_response')?['resources']?[0]?['status']", + "cases": { + "Case_-_conatined": { + "case": "contained", + "actions": { + "Append_to_array_variable_adaptive_card_body_if_host_is_contained": { + "type": "AppendToArrayVariable", + "inputs": { + "name": "Adaptivecardbody", + "value": { + "text": "Host status is contained", + "type": "TextBlock", + "weight": "Bolder", + "wrap": true + } + }, + "description": "This appends adaptive card body if host is contained" + }, + "Append_to_array_variable_device_actions_if_status_is_contained": { + "type": "AppendToArrayVariable", + "inputs": { + "name": "DeviceActions", + "value": { + "title": "Lift Containment", + "type": "Action.Submit" + } + }, + "runAfter": { + "Append_to_array_variable_adaptive_card_body_if_host_is_contained": [ + "Succeeded" + ] + } + } + } + }, + "Case_-_containment_pending": { + "case": "containment_pending", + "actions": { + "Append_to_array_variable_adaptive_card_body_if_containment_pending_status": { + "type": "AppendToArrayVariable", + "inputs": { + "name": "Adaptivecardbody", + "value": { + "text": "Host status is in the process of moving from un-contained to contained", + "type": "TextBlock", + "weight": "Bolder", + "wrap": true + } + }, + "runAfter": { + "Set_variable_device_actions_to_empty_for_containment_pending": [ + "Succeeded" + ] + }, + "description": "This appends adaptive card body if host status is containment pending" + }, + "Set_variable_device_actions_to_empty_for_containment_pending": { + "type": "SetVariable", + "inputs": { + "name": "DeviceActions", + "value": [ + { + "title": "Submit", + "type": "Action.Submit" + } + ] + }, + "description": "This sets the device actions if status is containment pending" + } + } + }, + "Case_-_lift_containment_pending": { + "case": "lift_containment_pending", + "actions": { + "Append_to_array_variable_adaptive_card_body_if_lift_containment_pending_status": { + "type": "AppendToArrayVariable", + "inputs": { + "name": "Adaptivecardbody", + "value": { + "text": "Host status is in the process of moving from contained to un-contained", + "type": "TextBlock", + "weight": "Bolder", + "wrap": true + } + }, + "runAfter": { + "Set_variable_device_actions_to_empty_for_lift_containment_pending": [ + "Succeeded" + ] + }, + "description": "This appends adaptive card body if host status is lift containment pending" + }, + "Set_variable_device_actions_to_empty_for_lift_containment_pending": { + "type": "SetVariable", + "inputs": { + "name": "DeviceActions", + "value": [ + { + "title": "Submit", + "type": "Action.Submit" + } + ] + }, + "description": "This sets the device actions if status is lift containment pending" + } + } + }, + "Case_-_not_contained": { + "case": "normal", + "actions": { + "Append_to_array_variable_adaptive_card_body_for_normal_status": { + "type": "AppendToArrayVariable", + "inputs": { + "name": "Adaptivecardbody", + "value": { + "text": "Host is not contained", + "type": "TextBlock", + "weight": "Bolder", + "wrap": true + } + }, + "description": "This appends text to adaptive card body if host is not contained" + }, + "Append_to_array_variable_device_actions": { + "type": "AppendToArrayVariable", + "inputs": { + "name": "DeviceActions", + "value": { + "title": "Contain", + "type": "Action.Submit" + } + }, + "runAfter": { + "Append_to_array_variable_adaptive_card_body_for_normal_status": [ + "Succeeded" + ] + } + }, + "Condition_to_check_the_scripts": { + "type": "If", + "expression": { + "and": [ + { + "not": { + "equals": [ + "@body('Parse_JSON_get_scripts_response')?['resources']?[0]", + "@null" + ] + } + } + ] + }, + "actions": { + "Append_to_array_variable_device_actions_to_contain": { + "type": "AppendToArrayVariable", + "inputs": { + "name": "DeviceActions", + "value": { + "card": { + "$schema": "http://adaptivecards.io/schemas/adaptive-card.json", + "actions": [ + { + "title": "Run", + "type": "Action.Submit" + } + ], + "body": [ + { + "text": "Choose a script to run ", + "type": "TextBlock", + "wrap": true + }, + { + "choices": "@variables('Scriptoptions')", + "id": "script", + "type": "Input.ChoiceSet" + } + ], + "type": "AdaptiveCard" + }, + "title": "Run Script", + "type": "Action.ShowCard" + } + }, + "runAfter": { + "Set_variable_script_options": [ + "Succeeded" + ] + }, + "description": "This sets the device actions to contain" + }, + "Select_script_names_to_display_in_the_adaptive_card_dropdown": { + "type": "Select", + "inputs": { + "from": "@body('Parse_JSON_get_scripts_response')?['resources']", + "select": { + "title": "@item()?['name']", + "value": "@item()?['name']" + } + }, + "description": "This selects all the script names to display in the adaptive card" + }, + "Set_variable_script_options": { + "type": "SetVariable", + "inputs": { + "name": "Scriptoptions", + "value": "@body('Select_script_names_to_display_in_the_adaptive_card_dropdown')" + }, + "runAfter": { + "Select_script_names_to_display_in_the_adaptive_card_dropdown": [ + "Succeeded" + ] + }, + "description": "This sets the script names to script options variable" + } + }, + "runAfter": { + "Parse_JSON_get_scripts_response": [ + "Succeeded" + ] + }, + "else": { + "actions": { + "Append_to_array_variable_adaptive_card_body_if_no_scripts_are_present": { + "type": "AppendToArrayVariable", + "inputs": { + "name": "Adaptivecardbody", + "value": { + "text": "There are no scripts to run ", + "type": "TextBlock", + "wrap": true + } + }, + "runAfter": { + "Append_to_array_variable_device_actions_if_no_scripts_are_available": [ + "Succeeded" + ] + }, + "description": "appends adaptive carb body text if no scripts are present" + }, + "Append_to_array_variable_device_actions_if_no_scripts_are_available": { + "type": "AppendToArrayVariable", + "inputs": { + "name": "DeviceActions", + "value": {} + }, + "runAfter": { + "Set_variable_script_options_to_empty_if_no_scripts_are_available": [ + "Succeeded" + ] + }, + "description": "appends device actions to empty if no scripts were run" + }, + "Set_variable_script_options_to_empty_if_no_scripts_are_available": { + "type": "SetVariable", + "inputs": { + "name": "Scriptoptions", + "value": [] + }, + "description": "This sets the script options to null if no scripts are present" + } + } + }, + "description": "condition to check if scripts are present in the device" + }, + "HTTP_-_Get_Scripts": { + "type": "Http", + "inputs": { + "method": "GET", + "uri": "@{body('CrowdStrike_Base')?['FalconHost']}/real-time-response/entities/scripts/v1", + "headers": { + "Accept": "application/json", + "Authorization": "@{body('CrowdStrike_Base')?['AccessToken']}", + "Content-Type": "application/json" + } + }, + "runAfter": { + "Append_to_array_variable_device_actions": [ + "Succeeded" + ] + }, + "description": "This gets the list of scripts in the falcon host" + }, + "Parse_JSON_get_scripts_response": { + "type": "ParseJson", + "inputs": { + "content": "@body('HTTP_-_Get_Scripts')", + "schema": { + "properties": { + "body": { + "properties": { + "meta": { + "properties": { + "powered_by": { + "type": "string" + }, + "query_time": { + "type": "number" + }, + "trace_id": { + "type": "string" + } + }, + "type": "object" + }, + "resources": { + "items": { + "properties": { + "content": { + "type": "string" + }, + "created_by": { + "type": "string" + }, + "created_by_uuid": { + "type": "string" + }, + "created_timestamp": { + "type": "string" + }, + "description": { + "type": "string" + }, + "file_type": { + "type": "string" + }, + "id": { + "type": "string" + }, + "modified_by": { + "type": "string" + }, + "modified_timestamp": { + "type": "string" + }, + "name": { + "type": "string" + }, + "permission_type": { + "type": "string" + }, + "platform": { + "items": { + "type": "string" + }, + "type": "array" + }, + "run_attempt_count": { + "type": "integer" + }, + "run_success_count": { + "type": "integer" + }, + "sha256": { + "type": "string" + }, + "size": { + "type": "integer" + }, + "write_access": { + "type": "boolean" + } + }, + "required": [ + "id", + "name", + "description", + "file_type", + "platform", + "size", + "content", + "created_by", + "created_by_uuid", + "created_timestamp", + "modified_by", + "modified_timestamp", + "sha256", + "permission_type", + "run_attempt_count", + "run_success_count", + "write_access" + ], + "type": "object" + }, + "type": "array" + } + }, + "type": "object" + }, + "headers": { + "properties": { + "Content-Length": { + "type": "string" + }, + "Content-Type": { + "type": "string" + }, + "Date": { + "type": "string" + }, + "X-Cs-Region": { + "type": "string" + }, + "X-Ratelimit-Limit": { + "type": "string" + }, + "X-Ratelimit-Remaining": { + "type": "string" + } + }, + "type": "object" + }, + "statusCode": { + "type": "integer" + } + }, + "type": "object" + } + }, + "runAfter": { + "HTTP_-_Get_Scripts": [ + "Succeeded" + ] + }, + "description": "prepare Json for get script response body" + } + } + } + }, + "runAfter": { + "Set_variable_adaptive_card_body_if_host_is_present": [ + "Succeeded" + ] + }, + "description": "This checks the status on the host" + } + }, + "runAfter": { + "Parse_JSON_Get_device_id_response": [ + "Succeeded" + ] + }, + "else": { + "actions": { + "Append_to_array_variable_action_summary_if_no_devices_are_present": { + "type": "AppendToArrayVariable", + "inputs": { + "name": "ActionSummary", + "value": { + "text": "No devices are present", + "type": "TextBlock" + } + }, + "runAfter": { + "Append_to_array_variable_device_actions_if_no_devices_are_present": [ + "Succeeded" + ] + }, + "description": "appends action summary if no devices are present" + }, + "Append_to_array_variable_device_actions_if_no_devices_are_present": { + "type": "AppendToArrayVariable", + "inputs": { + "name": "DeviceActions", + "value": { + "title": "Submit", + "type": "Action.Submit" + } + }, + "runAfter": { + "Set_variable_device_info_if_no_devices_are_present": [ + "Succeeded" + ] + }, + "description": "appends device actions if no devices are present" + }, + "Append_to_string_variable_action_taken_if_no_devices_are_present": { + "type": "AppendToStringVariable", + "inputs": { + "name": "ActionTaken", + "value": "No devices are present..So no action taken on device" + }, + "runAfter": { + "Append_to_array_variable_action_summary_if_no_devices_are_present": [ + "Succeeded" + ] + }, + "description": "appends action taken if no devices are present" + }, + "Set_variable_adaptive_card_body_if_no_devices_are_present": { + "type": "SetVariable", + "inputs": { + "name": "Adaptivecardbody", + "value": [ + { + "size": "large", + "text": "Suspicious Device - Azure Sentinel", + "type": "TextBlock", + "weight": "bolder", + "wrap": true + }, + { + "text": "Possible comprised device detected by the provider ", + "type": "TextBlock", + "wrap": true + }, + { + "text": " @{triggerBody()?['object']?['properties']?['severity']} Incident @{triggerBody()?['object']?['properties']?['title']} ", + "type": "TextBlock", + "weight": "Bolder", + "wrap": true + }, + { + "text": " Incident No : @{triggerBody()?['object']?['properties']?['incidentNumber']} ", + "type": "TextBlock", + "weight": "Bolder", + "wrap": true + }, + { + "text": "Incident description", + "type": "TextBlock", + "weight": "Bolder", + "wrap": true + }, + { + "text": "@{triggerBody()?['object']?['properties']?['description']}", + "type": "TextBlock", + "wrap": true + }, + { + "text": "[[Click here to view the Incident](@{triggerBody()?['object']?['properties']?['incidentUrl']})", + "type": "TextBlock", + "wrap": true + }, + { + "size": "Small", + "style": "Person", + "type": "Image", + "url": "https://uploads4.craft.co/uploads/company/logo/852xx/85212/normal_1171b7695370eb94.jpg" + }, + { + "text": "CrowdStrike", + "type": "TextBlock", + "weight": "Bolder" + }, + { + "text": "Hostname : @{body('Entities_-_Get_Hosts')?['Hosts']?[0]?['HostName']}", + "type": "TextBlock", + "weight": "Bolder" + }, + { + "text": "There are no devices present ", + "type": "TextBlock", + "weight": "Bolder" + } + ] + }, + "description": "prepare adaptive card body if no devices are present" + }, + "Set_variable_device_info_if_no_devices_are_present": { + "type": "SetVariable", + "inputs": { + "name": "DeviceInfo", + "value": "No devices are present" + }, + "runAfter": { + "Set_variable_adaptive_card_body_if_no_devices_are_present": [ + "Succeeded" + ] + }, + "description": "sets device info to comment in the incident" + } + } + }, + "description": "This checks if device id is present in crowdstrike" + }, + "CrowdStrike_Base": { + "runAfter": { + "Initialize_variable_actions_taken": [ + "Succeeded" + ] + }, + "type": "Workflow", + "inputs": { + "host": { + "triggerName": "manual", + "workflow": { + "id": "[resourceId('Microsoft.Logic/workflows', parameters('playbook1-LogicAppName'))]" + } + } + }, + "description": "call to base logic app to get the access token and Falcon host URL", + "runtimeConfiguration": { + "secureData": { + "properties": [ + "inputs", + "outputs" + ] + } + } + }, + "CrowdStrike_Base_call_after_SOC_responds": { + "runAfter": { + "Post_an_Adaptive_Card_to_a_Teams_channel_and_wait_for_a_response": [ + "Succeeded" + ] + }, + "type": "Workflow", + "inputs": { + "host": { + "triggerName": "manual", + "workflow": { + "id": "[resourceId('Microsoft.Logic/workflows', parameters('playbook1-LogicAppName'))]" + } + } + }, + "description": "This calls the crowdstrike base playbook where we will generate the authentication key again as it expires every 30 mins", + "runtimeConfiguration": { + "secureData": { + "properties": [ + "inputs", + "outputs" + ] + } + } + }, + "Entities_-_Get_Hosts": { + "type": "ApiConnection", + "inputs": { + "body": "@triggerBody()?['object']?['properties']?['relatedEntities']", + "host": { + "connection": { + "name": "@parameters('$connections')['azuresentinel']['connectionId']" + } + }, + "method": "post", + "path": "/entities/host" + } + + }, + "HTTP_-_Get_device_id": { + "type": "Http", + "inputs": { + "method": "GET", + "uri": "@{body('CrowdStrike_Base')?['FalconHost']}/devices/queries/devices/v1?filter=hostname:'@{body('Entities_-_Get_Hosts')?['Hosts']?[0]?['HostName']}'", + "headers": { + "Accept": "application/json", + "Authorization": "@{body('CrowdStrike_Base')?['AccessToken']}", + "Content-Type": "application/json" + } + }, + "runAfter": { + "CrowdStrike_Base": [ + "Succeeded" + ] + }, + "description": "This filters the device id by hostname" + }, + "Initialize_variable_action_summary": { + "type": "InitializeVariable", + "inputs": { + "variables": [ + { + "name": "ActionSummary", + "type": "array", + "value": [] + } + ] + }, + "runAfter": { + "Initialize_variable_adaptive_card_body": [ + "Succeeded" + ] + }, + "description": "variable to store action summary json to display in summarized adaptive card" + }, + "Initialize_variable_actions_taken": { + "type": "InitializeVariable", + "inputs": { + "variables": [ + { + "name": "ActionTaken", + "type": "string" + } + ] + }, + "runAfter": { + "Initialize_variable_script_options": [ + "Succeeded" + ] + } + }, + "Initialize_variable_adaptive_card_body": { + "type": "InitializeVariable", + "inputs": { + "variables": [ + { + "name": "Adaptivecardbody", + "type": "array", + "value": [] + } + ] + }, + "runAfter": { + "Entities_-_Get_Hosts": [ + "Succeeded" + ] + }, + "description": "variable to store adaptive card body json" + }, + "Initialize_variable_device_actions": { + "type": "InitializeVariable", + "inputs": { + "variables": [ + { + "name": "DeviceActions", + "type": "array", + "value": [] + } + ] + }, + "runAfter": { + "Initialize_variable_action_summary": [ + "Succeeded" + ] + }, + "description": "variable to store device actions such as contain/lift containment or Ignore" + }, + "Initialize_variable_device_information": { + "type": "InitializeVariable", + "inputs": { + "variables": [ + { + "name": "DeviceInfo", + "type": "string" + } + ] + }, + "runAfter": { + "Initialize_variable_device_actions": [ + "Succeeded" + ] + }, + "description": "variable to store device information" + }, + "Initialize_variable_script_options": { + "type": "InitializeVariable", + "inputs": { + "variables": [ + { + "name": "Scriptoptions", + "type": "array", + "value": [] + } + ] + }, + "runAfter": { + "Initialize_variable_device_information": [ + "Succeeded" + ] + }, + "description": "This holds the script options such as script names and Ignore" + }, + "Parse_JSON_Get_device_id_response": { + "type": "ParseJson", + "inputs": { + "content": "@body('HTTP_-_Get_device_id')", + "schema": { + "meta": { + "pagination": { + "limit": 100, + "offset": 1, + "total": 1 + }, + "powered_by": "device-api", + "query_time": 0.005041315, + "trace_id": "aa7b84f5-3e81-4980-ad9f-c14b6d8ca577" + }, + "resources": [ + "cdc977a72a8c49528bb82f89dde2c2e9" + ] + } + }, + "runAfter": { + "HTTP_-_Get_device_id": [ + "Succeeded" + ] + }, + "description": "prepare json from get device id response" + }, + "Post_an_Adaptive_Card_to_a_Teams_channel_and_wait_for_a_response": { + "runAfter": { + "Append_to_array_variable_device_actions_to_Ignore": [ + "Succeeded" + ] + }, + "type": "ApiConnectionWebhook", + "inputs": { + "body": { + "body": { + "messageBody": "{\n \"type\": \"AdaptiveCard\",\n \"body\":[\n{\n \"columns\": [\n {\n \"items\": @{variables('Adaptivecardbody')},\n \"type\": \"Column\"\n }\n ],\n \"type\": \"ColumnSet\"\n},\n {\n \"type\": \"ColumnSet\",\n \"columns\": [{ \"type\": \"Column\", \"items\": [ { \"type\": \"TextBlock\", \"size\": \"Medium\", \"weight\": \"Bolder\", \"text\": \"Incident configuration :\", \"wrap\": true } ], \"width\": \"auto\"}\n ]\n },\n {\n \"type\": \"ColumnSet\",\n \"columns\": [{ \"type\": \"Column\", \"items\": [ { \"type\": \"Image\", \"style\": \"Person\", \"url\": \"https://connectoricons-prod.azureedge.net/releases/v1.0.1391/1.0.1391.2130/azuresentinel/icon.png\", \"size\": \"Small\" } ], \"width\": \"auto\"}\n ]\n },\n {\n \"type\": \"TextBlock\",\n \"text\": \"Close Azure Sentinal incident?\"\n },\n {\n \"choices\": [{ \"isSelected\": true, \"title\": \"False Positive - Inaccurate Data\", \"value\": \"False Positive - Inaccurate Data\"},{ \"isSelected\": true, \"title\": \"False Positive - Incorrect Alert Logic\", \"value\": \"False Positive - Incorrect Alert Logic\"},{ \"title\": \"True Positive - Suspicious Activity\", \"value\": \"True Positive - Suspicious Activity\"},{ \"title\": \"Benign Positive - Suspicious But Expected\", \"value\": \"Benign Positive - Suspicious But Expected\"},{ \"title\": \"Undetermined\", \"value\": \"Undetermined\"}\n ],\n \"id\": \"incidentStatus\",\n \"style\": \"compact\",\n \"type\": \"Input.ChoiceSet\",\n \"value\": \"Benign Positive - Suspicious But Expected\"\n },\n {\n \"type\": \"TextBlock\",\n \"text\": \"Change Azure Sentinel Incident Severity?\"\n },\n {\n \"choices\": [{ \"title\": \"High\", \"value\": \"High\"},{ \"title\": \"Medium\", \"value\": \"Medium\"},{ \"title\": \"Low\", \"value\": \"Low\"},{ \"title\": \"Don't change\", \"value\": \"same\"}\n ],\n \"id\": \"incidentSeverity\",\n \"style\": \"compact\",\n \"type\": \"Input.ChoiceSet\",\n \"value\": \"@{triggerBody()?['object']?['properties']?['severity']}\"\n }\n],\n\t\"actions\": @{variables('DeviceActions')},\n \"$schema\": \"http://adaptivecards.io/schemas/adaptive-card.json\",\n \"version\": \"1.2\"\n}", + "recipient": { + "channelId": "[parameters('playbook4-Teams_ChannelId')]" + }, + "shouldUpdateCard": true + }, + "notificationUrl": "@{listCallbackUrl()}" + }, + "host": { + "connection": { + "name": "@parameters('$connections')['teams']['connectionId']" + } + }, + "path": "/flowbot/actions/flowcontinuation/recipienttypes/channel/$subscriptions", + "queries": { + "groupId": "[parameters('playbook4-Teams_GroupId')]" + } + } + }, + "Post_your_own_adaptive_card_as_the_Flow_bot_to_a_channel": { + "runAfter": { + "Switch_to_take_action_on_device_based_on_SOC_choice": [ + "Succeeded" + ] + }, + "type": "ApiConnection", + "inputs": { + "body": { + "messageBody": "{\n \"type\": \"AdaptiveCard\",\n \"body\": [\n {\n \"size\": \"large\",\n \"text\": \"Suspicious Device - Azure Sentinel\",\n \"type\": \"TextBlock\",\n \"weight\": \"bolder\",\n \"wrap\": true\n },\n {\n \"text\": \"Possible comprised device detected by the provider \",\n \"type\": \"TextBlock\",\n \"wrap\": true\n },\n {\n \"text\": \" @{triggerBody()?['object']?['properties']?['severity']} Incident @{triggerBody()?['object']?['properties']?['title']} \",\n \"type\": \"TextBlock\",\n \"weight\": \"Bolder\",\n \"wrap\": true\n },\n {\n \"text\": \" Incident No : @{triggerBody()?['object']?['properties']?['incidentNumber']} \",\n \"type\": \"TextBlock\",\n \"weight\": \"Bolder\",\n \"wrap\": true\n },\n {\n \"text\": \"Incident description\",\n \"type\": \"TextBlock\",\n \"weight\": \"Bolder\",\n \"wrap\": true\n },\n {\n \"text\": \"@{triggerBody()?['object']?['properties']?['description']}\",\n \"type\": \"TextBlock\",\n \"wrap\": true\n },\n {\n \"text\": \"[Click here to view the Incident](@{triggerBody()?['object']?['properties']?['incidentUrl']})\",\n \"type\": \"TextBlock\",\n \"wrap\": true\n },\n {\n \"size\": \"Small\",\n \"style\": \"Person\",\n \"type\": \"Image\",\n \"url\": \"https://uploads4.craft.co/uploads/company/logo/852xx/85212/normal_1171b7695370eb94.jpg\"\n },\n {\n \"type\": \"TextBlock\",\n \"weight\": \"Bolder\",\n \"text\": \"Below is the summary of actions taken by SOC\",\n \"wrap\": true\n },\n {\n \"type\": \"TextBlock\",\n \"weight\": \"Bolder\",\n \"text\": \"Hostname : @{body('Entities_-_Get_Hosts')?['Hosts']?[0]?['HostName']}\",\n \"wrap\": true\n },\n {\n \"columns\": [\n {\n \"items\": @{variables('ActionSummary')},\n \"type\": \"Column\",\n \"wrap\": true\n }\n ],\n \"separator\": \"true\",\n \"type\": \"ColumnSet\",\n \"width\": \"stretch\"\n}\n ],\n\"width\":\"auto\",\n \"$schema\": \"http://adaptivecards.io/schemas/adaptive-card.json\",\n \"version\": \"1.2\"\n}", + "recipient": { + "channelId": "[parameters('playbook4-Teams_ChannelId')]" + } + }, + "host": { + "connection": { + "name": "@parameters('$connections')['teams']['connectionId']" + } + }, + "method": "post", + "path": "/flowbot/actions/adaptivecard/recipienttypes/channel", + "queries": { + "groupId": "[parameters('playbook4-Teams_GroupId')]" + } + }, + "description": "This posts a summarized adaptive card to SOC" + }, + "Switch_to_take_action_on_device_based_on_SOC_choice": { + "type": "Switch", + "expression": "@body('Post_an_Adaptive_Card_to_a_Teams_channel_and_wait_for_a_response')?['submitActionId']", + "cases": { + "Case": { + "case": "Submit", + "actions": { + "Append_to_array_variable_action_summary_in_case_of_submit": { + "type": "AppendToArrayVariable", + "inputs": { + "name": "ActionSummary", + "value": { + "text": "No actions taken on the host", + "type": "TextBlock" + } + }, + "description": "appends action summary in case of submit" + }, + "Append_to_string_variable_action_taken_in_case_of_submit": { + "type": "AppendToStringVariable", + "inputs": { + "name": "ActionTaken", + "value": "No actions taken on the host" + }, + "runAfter": { + "Append_to_array_variable_action_summary_in_case_of_submit": [ + "Succeeded" + ] + }, + "description": "appends action taken in case of submit" + } + } + }, + "Case_-_Contain_a_host": { + "case": "Contain", + "actions": { + "Condition_to_check_if_contain_success_or_not": { + "type": "If", + "expression": { + "and": [ + { + "equals": [ + "@outputs('HTTP_Contain_a_device')['statusCode']", + 202 + ] + } + ] + }, + "actions": { + "Append_to_array_variable_action_summary_in_case_of_contain_success": { + "type": "AppendToArrayVariable", + "inputs": { + "name": "ActionSummary", + "value": { + "text": " @{body('Post_an_Adaptive_Card_to_a_Teams_channel_and_wait_for_a_response')?['submitActionId']} the device , Status : Success", + "type": "TextBlock" + } + }, + "description": "This appends action summary in case of contain a host success" + }, + "Append_to_string_variable_action_taken_in_case_of_contain_success": { + "type": "AppendToStringVariable", + "inputs": { + "name": "ActionTaken", + "value": " @{body('Post_an_Adaptive_Card_to_a_Teams_channel_and_wait_for_a_response')?['submitActionId']} the device , Status : Success" + }, + "runAfter": { + "Append_to_array_variable_action_summary_in_case_of_contain_success": [ + "Succeeded" + ] + }, + "description": "This appends action taken in case of contain a host success" + } + }, + "runAfter": { + "HTTP_Contain_a_device": [ + "Succeeded" + ] + }, + "else": { + "actions": { + "Append_to_array_variable_action_summary_in_case_of_contain_failure": { + "type": "AppendToArrayVariable", + "inputs": { + "name": "ActionSummary", + "value": { + "text": " @{body('Post_an_Adaptive_Card_to_a_Teams_channel_and_wait_for_a_response')?['submitActionId']} device , Status : Failed , Error : @{body('HTTP_Contain_a_device')?['errors']} , Statuscode : @{outputs('HTTP_Contain_a_device')['statusCode']}", + "type": "TextBlock" + } + }, + "description": "This appends action summary in case of contain a host failure" + }, + "Append_to_string_variable_in_case_of_contain_failure": { + "type": "AppendToStringVariable", + "inputs": { + "name": "ActionTaken", + "value": " @{body('Post_an_Adaptive_Card_to_a_Teams_channel_and_wait_for_a_response')?['submitActionId']} device , Status : Failed , Error : @{body('HTTP_Contain_a_device')?['errors']} , Statuscode : @{outputs('HTTP_Contain_a_device')['statusCode']}" + }, + "runAfter": { + "Append_to_array_variable_action_summary_in_case_of_contain_failure": [ + "Succeeded" + ] + }, + "description": "This appends action taken in case of contain a host failure" + } + } + }, + "description": "This checks if contain success or not in crowdstrike" + }, + "HTTP_Contain_a_device": { + "type": "Http", + "inputs": { + "method": "POST", + "uri": "@{body('CrowdStrike_Base_call_after_SOC_responds')?['FalconHost']}/devices/entities/devices-actions/v2?action_name=contain", + "headers": { + "Accept": "application/json", + "Authorization": "@{body('CrowdStrike_Base_call_after_SOC_responds')?['AccessToken']}", + "Content-Type": "application/json" + }, + "body": { + "action_parameters": [ + { + "name": "contain" + } + ], + "ids": [ + "@{body('Parse_JSON_Get_device_id_response')?['resources']?[0]}" + ] + } + }, + "description": "This contains a host in crowdstrike" + } + } + }, + "Case_-_Ignore": { + "case": "Ignore", + "actions": { + "Append_to_array_variable_in_case_of_ignore_host": { + "type": "AppendToArrayVariable", + "inputs": { + "name": "ActionSummary", + "value": { + "text": "No actions taken on the host", + "type": "TextBlock" + } + }, + "description": "This appends action summary to Ignore in case of ignore" + }, + "Append_to_string_variable_action_taken_in_case_of_ignore": { + "type": "AppendToStringVariable", + "inputs": { + "name": "ActionTaken", + "value": "No actions taken on the host" + }, + "runAfter": { + "Append_to_array_variable_in_case_of_ignore_host": [ + "Succeeded" + ] + }, + "description": "This appends action taken in case of Ignore" + } + } + }, + "Case_-_Lift_containment": { + "case": "Lift Containment", + "actions": { + "Condition_to_check_if_lift_containment_is_success_or_not": { + "type": "If", + "expression": { + "and": [ + { + "equals": [ + "@outputs('HTTP_Lift_containment_on_device')['statusCode']", + 202 + ] + } + ] + }, + "actions": { + "Append_to_array_variable_action_summary_in_case_of_lift_containment_successful": { + "type": "AppendToArrayVariable", + "inputs": { + "name": "ActionSummary", + "value": { + "text": " Containment lifted , Status : Success", + "type": "TextBlock" + } + }, + "description": "This appends action summary in case of lift containment success" + }, + "Append_to_string_variable_action_taken_in_case_of_lift_containment_success": { + "type": "AppendToStringVariable", + "inputs": { + "name": "ActionTaken", + "value": " Containment lifted , Status : Success" + }, + "runAfter": { + "Append_to_array_variable_action_summary_in_case_of_lift_containment_successful": [ + "Succeeded" + ] + }, + "description": "This appends action taken in case of lift containment success" + } + }, + "runAfter": { + "HTTP_Lift_containment_on_device": [ + "Succeeded" + ] + }, + "else": { + "actions": { + "Append_to_array_variable_action_summary_in_case_of_lift_containment_failure": { + "type": "AppendToArrayVariable", + "inputs": { + "name": "ActionSummary", + "value": { + "text": "Containment not lifted , Status : Failure , Error : @{body('HTTP_Lift_containment_on_device')?['errors']} , Statuscode : @{outputs('HTTP_Lift_containment_on_device')['statusCode']}", + "type": "TextBlock" + } + }, + "description": "This appends action summary in case of lift containment failure" + }, + "Append_to_string_variable_action_taken_in_case_of_lift_containment_failure": { + "type": "AppendToStringVariable", + "inputs": { + "name": "ActionTaken", + "value": " Containment not lifted , Status : Failure , Error : @{body('HTTP_Lift_containment_on_device')?['errors']} , Statuscode : @{outputs('HTTP_Lift_containment_on_device')['statusCode']}\n" + }, + "runAfter": { + "Append_to_array_variable_action_summary_in_case_of_lift_containment_failure": [ + "Succeeded" + ] + }, + "description": "This appends action taken in case of lift containment failure" + } + } + }, + "description": "This checks if lift containment success or not from crowdstrike" + }, + "HTTP_Lift_containment_on_device": { + "type": "Http", + "inputs": { + "method": "POST", + "uri": "@{body('CrowdStrike_Base_call_after_SOC_responds')?['FalconHost']}/devices/entities/devices-actions/v2?action_name=lift_containment", + "headers": { + "Accept": "application/json", + "Authorization": "@{body('CrowdStrike_Base_call_after_SOC_responds')?['AccessToken']}", + "Content-Type": "application/json" + }, + "body": { + "action_parameters": [ + { + "name": "lift_containment" + } + ], + "ids": [ + "@{body('Parse_JSON_Get_device_id_response')?['resources']?[0]}" + ] + } + }, + "description": "This lifts the containment on host in crowdstrike" + } + } + }, + "Case_-_Run_a_script": { + "case": "Run", + "actions": { + "Condition_to_run_a_script_if_SOC_selects_run_a_script": { + "type": "If", + "expression": { + "and": [ + { + "not": { + "equals": [ + "@body('Post_an_Adaptive_Card_to_a_Teams_channel_and_wait_for_a_response')?['data']?['script']", + "@null" + ] + } + } + ] + }, + "actions": { + "Condition_to_check_if_session_to_host_is_created_or_not": { + "type": "If", + "expression": { + "and": [ + { + "equals": [ + "@outputs('HTTP_create_a_session_to_host_to_run_a_script')?['statusCode']", + 201 + ] + } + ] + }, + "actions": { + "Condition_to_check_if_run_a_script_on_host_is_success_or_not": { + "type": "If", + "expression": { + "and": [ + { + "equals": [ + "@outputs('HTTP_run_a_script')['statusCode']", + 201 + ] + } + ] + }, + "actions": { + "Append_to_array_variable_action_summary_if_run_script_success": { + "type": "AppendToArrayVariable", + "inputs": { + "name": "ActionSummary", + "value": { + "text": "Run script @{body('Post_an_Adaptive_Card_to_a_Teams_channel_and_wait_for_a_response')?['data']?['script']} , Status : Success", + "type": "TextBlock" + } + }, + "description": "appends action summary if script run success" + }, + "Append_to_string_variable_action_taken_if_run_script_success": { + "type": "AppendToStringVariable", + "inputs": { + "name": "ActionTaken", + "value": "Run script @{body('Post_an_Adaptive_Card_to_a_Teams_channel_and_wait_for_a_response')?['data']?['script']} and Status : Success" + }, + "runAfter": { + "Append_to_array_variable_action_summary_if_run_script_success": [ + "Succeeded" + ] + }, + "description": "appends action taken if run script success" + } + }, + "runAfter": { + "HTTP_run_a_script": [ + "Succeeded" + ] + }, + "else": { + "actions": { + "Append_to_array_variable_action_summary_if_run_script_failed": { + "type": "AppendToArrayVariable", + "inputs": { + "name": "ActionSummary", + "value": { + "text": "Run script @{body('Post_an_Adaptive_Card_to_a_Teams_channel_and_wait_for_a_response')?['data']?['script']} , Status : Failure , Error : @{outputs('HTTP_run_a_script')['errors']} , statuscode : @{outputs('HTTP_run_a_script')['statusCode']}", + "type": "TextBlock" + } + }, + "description": "appends action summary if script run failed" + }, + "Append_to_string_variable_action_taken_if_run_script_failed": { + "type": "AppendToStringVariable", + "inputs": { + "name": "ActionTaken", + "value": "Run script @{body('Post_an_Adaptive_Card_to_a_Teams_channel_and_wait_for_a_response')?['data']?['script']} and Status : Failure , Error : @{outputs('HTTP_run_a_script')['errors']} , statuscode : @{outputs('HTTP_run_a_script')['statusCode']}" + }, + "runAfter": { + "Append_to_array_variable_action_summary_if_run_script_failed": [ + "Succeeded" + ] + }, + "description": "appends action taken if run script success" + } + } + }, + "description": "This checks if run a script is success or not" + }, + "HTTP_run_a_script": { + "type": "Http", + "inputs": { + "method": "POST", + "uri": "@{body('CrowdStrike_Base_call_after_SOC_responds')?['FalconHost']}/real-time-response/entities/admin-command/v1", + "headers": { + "Accept": "application/json", + "Authorization": "@{body('CrowdStrike_Base_call_after_SOC_responds')?['AccessToken']}", + "Content-Type": "application/json" + }, + "body": { + "base_command": "runscript", + "command_string": "runscript -CloudFile=@{body('Post_an_Adaptive_Card_to_a_Teams_channel_and_wait_for_a_response')?['data']?['script']}", + "session_id": "@{body('Parse_JSON_create_a_session_to_a_host')?['resources']?[0]?['session_id']}" + } + }, + "runAfter": { + "Parse_JSON_create_a_session_to_a_host": [ + "Succeeded" + ] + }, + "description": "Run a script in crowdstrike host" + }, + "Parse_JSON_create_a_session_to_a_host": { + "type": "ParseJson", + "inputs": { + "content": "@body('HTTP_create_a_session_to_host_to_run_a_script')", + "schema": { + "properties": { + "body": { + "properties": { + "meta": { + "properties": { + "powered_by": { + "type": "string" + }, + "query_time": { + "type": "number" + }, + "trace_id": { + "type": "string" + } + }, + "type": "object" + }, + "resources": { + "items": { + "properties": { + "created_at": { + "type": "string" + }, + "existing_aid_sessions": { + "type": "integer" + }, + "offline_queued": { + "type": "boolean" + }, + "pwd": { + "type": "string" + }, + "scripts": { + "items": { + "properties": { + "args": { + "items": { + "properties": { + "arg_name": { + "type": "string" + }, + "arg_type": { + "type": "string" + }, + "command_level": { + "type": "string" + }, + "created_at": { + "type": "string" + }, + "data_type": { + "type": "string" + }, + "default_value": { + "type": "string" + }, + "description": { + "type": "string" + }, + "encoding": { + "type": "string" + }, + "id": { + "type": "integer" + }, + "required": { + "type": "boolean" + }, + "requires_value": { + "type": "boolean" + }, + "script_id": { + "type": "integer" + }, + "sequence": { + "type": "integer" + }, + "updated_at": { + "type": "string" + } + }, + "required": [ + "id", + "created_at", + "updated_at", + "script_id", + "arg_type", + "data_type", + "requires_value", + "arg_name", + "description", + "default_value", + "required", + "sequence", + "options", + "encoding", + "command_level" + ], + "type": "object" + }, + "type": "array" + }, + "command": { + "type": "string" + }, + "description": { + "type": "string" + }, + "examples": { + "type": "string" + }, + "internal_only": { + "type": "boolean" + }, + "runnable": { + "type": "boolean" + }, + "sub_commands": { + "type": "array" + } + }, + "required": [ + "command", + "description", + "examples", + "internal_only", + "runnable", + "sub_commands", + "args" + ], + "type": "object" + }, + "type": "array" + }, + "session_id": { + "type": "string" + } + }, + "required": [ + "session_id", + "scripts", + "existing_aid_sessions", + "created_at", + "pwd", + "offline_queued" + ], + "type": "object" + }, + "type": "array" + } + }, + "type": "object" + }, + "headers": { + "properties": { + "Content-Length": { + "type": "string" + }, + "Content-Type": { + "type": "string" + }, + "Date": { + "type": "string" + }, + "Transfer-Encoding": { + "type": "string" + }, + "X-Cs-Region": { + "type": "string" + }, + "X-Ratelimit-Limit": { + "type": "string" + }, + "X-Ratelimit-Remaining": { + "type": "string" + } + }, + "type": "object" + }, + "statusCode": { + "type": "integer" + } + }, + "type": "object" + } + }, + "description": "prepare json message for create session to host" + } + }, + "runAfter": { + "HTTP_create_a_session_to_host_to_run_a_script": [ + "Succeeded" + ] + }, + "else": { + "actions": { + "Append_to_array_variable_action_summary_if_session_not_created_to_host": { + "type": "AppendToArrayVariable", + "inputs": { + "name": "ActionSummary", + "value": { + "text": "Script @{body('Post_an_Adaptive_Card_to_a_Teams_channel_and_wait_for_a_response')?['data']?['script']} did not run as not able to establish/create a session to that host , Status : Failure ", + "type": "TextBlock" + } + }, + "description": "appends action summary if session not created to host" + }, + "Append_to_string_variable_action_taken_if_session_not_created_to_host": { + "type": "AppendToStringVariable", + "inputs": { + "name": "ActionTaken", + "value": "Script @{body('Post_an_Adaptive_Card_to_a_Teams_channel_and_wait_for_a_response')?['data']?['script']} did not run and Status : Failure , Error : Not able to create a session to that host" + }, + "runAfter": { + "Append_to_array_variable_action_summary_if_session_not_created_to_host": [ + "Succeeded" + ] + }, + "description": "appends action taken if no host session is established" + } + } + }, + "description": "This checks if session is created or not" + }, + "HTTP_create_a_session_to_host_to_run_a_script": { + "type": "Http", + "inputs": { + "method": "POST", + "uri": "@{body('CrowdStrike_Base_call_after_SOC_responds')?['FalconHost']}/real-time-response/entities/sessions/v1", + "headers": { + "Content-Type": "application/json", + "Accept": "application/json", + "Authorization": "@{body('CrowdStrike_Base_call_after_SOC_responds')?['AccessToken']}" + }, + "body": { + "device_id": "@{body('Parse_JSON_Get_device_id_response')?['resources']?[0]}" + } + }, + "description": "This creates an RTR session to host in crowdstrike" + } + }, + "else": { + "actions": { + "Append_to_array_variable_action_summary_if_no_scripts_are_selected_to_run": { + "type": "AppendToArrayVariable", + "inputs": { + "name": "ActionSummary", + "value": { + "text": "No script selected to run ", + "type": "TextBlock" + } + }, + "description": "This appends action summary if no script is selected" + }, + "Append_to_string_variable_action_taken_if_no_script_seleted_to_run": { + "type": "AppendToStringVariable", + "inputs": { + "name": "ActionTaken", + "value": "No script selected to run" + }, + "runAfter": { + "Append_to_array_variable_action_summary_if_no_scripts_are_selected_to_run": [ + "Succeeded" + ] + }, + "description": "appends action taken if no script selected to run" + } + } + } + } + } + } + }, + "runAfter": { + "CrowdStrike_Base_call_after_SOC_responds": [ + "Succeeded" + ] + }, + "description": "This checks the SOC choice and leas to different actions based on choice" + } + }, + "parameters": { + "$connections": { + "defaultValue": {}, + "type": "Object" + } + }, + "triggers": { + "When_Azure_Sentinel_incident_creation_rule_was_triggered_(Private_Preview_only)": { + "type": "ApiConnectionWebhook", + "inputs": { + "body": { + "callback_url": "@{listCallbackUrl()}" + }, + "host": { + "connection": { + "name": "@parameters('$connections')['azuresentinel']['connectionId']" + } + }, + "path": "/incident-creation" + } + } + }, + "contentVersion": "1.0.0.0", + "outputs": {} + + }, + "parameters": { + "$connections": { + "value": { + "azuresentinel": { + "connectionId": "[resourceId('Microsoft.Web/connections', variables('playbook4-AzureSentinelConnectionName'))]", + "connectionName": "[variables('playbook4-AzureSentinelConnectionName')]", + "id": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', parameters('workspace-location'), '/managedApis/azuresentinel')]" + }, + "teams": { + "connectionId": "[resourceId('Microsoft.Web/connections', variables('playbook4-TeamsConnectionName'))]", + "connectionName": "[variables('playbook4-TeamsConnectionName')]", + "id": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', parameters('workspace-location'), '/managedApis/teams')]" + } + } + } + } + } + }, + { + "type": "Microsoft.Logic/workflows", + "apiVersion": "2019-05-01", + "name": "[parameters('Playbook_Name')]", + "location": "[parameters('workspace-location')]", + "dependsOn": [ + "[resourceId('Microsoft.Logic/workflows', parameters('playbook1-LogicAppName'))]" + ], + "tags": { + "displayName": "Crowdstrike_ContainHost" + }, + "properties": { + "state": "Enabled", + "definition": { + "$schema": "https://schema.management.azure.com/providers/Microsoft.Logic/schemas/2016-06-01/workflowdefinition.json#", + "contentVersion": "1.0.0.0", + "parameters": {}, + "triggers": { + "manual": { + "type": "Request", + "kind": "Http", + "inputs": { + "schema": { + "properties": { + "Hosts": { + "items": { + "properties": { + "Hostname": { + "type": "string" + } + }, + "required": [ + "Hostname" + ], + "type": "object" + }, + "type": "array" + } + }, + "type": "object" + } + }, + "runtimeConfiguration": { + "concurrency": { + "runs": 1 + } + } + } + }, + "actions": { + "Condition_to_check_if_crowdstrike_action_is_successful": { + "actions": { + "Response": { + "type": "Response", + "kind": "Http", + "inputs": { + "body": "@outputs('Result')", + "statusCode": 200 + }, + "operationOptions": "Asynchronous" + } + }, + "runAfter": { + "Filter_array": [ + "Succeeded", + "TimedOut", + "Skipped", + "Failed" + ] + }, + "else": { + "actions": { + "Compose_Crowdstrike_Logo": { + "runAfter": { + "Scope_output": [ + "Succeeded" + ] + }, + "type": "Compose", + "inputs": "" + }, + "Compose_HTTP_Failed_Response": { + "runAfter": { + "Create_HTML_table_to_capture_error_information": [ + "Succeeded" + ] + }, + "type": "Compose", + "inputs": "[concat('@{outputs(''Compose_Crowdstrike_Logo'')} ', parameters('Playbook_Name'), ' Playbook\n\nException occured while Quarantining the Device. Please find the below exception information:\n\n@{body(''Create_HTML_table_to_capture_error_information'')}')]" + }, + "Create_HTML_table_to_capture_error_information": { + "runAfter": { + "Compose_Crowdstrike_Logo": [ + "Succeeded" + ] + }, + "type": "Table", + "inputs": { + "columns": [ + { + "header": "MethodName", + "value": "@item()?['name']" + }, + { + "header": "Error", + "value": "@item()?['outputs']?['body']?['error']?['message']" + }, + { + "header": "StatusCode", + "value": "@item()?['outputs']?['statusCode']" + } + ], + "format": "HTML", + "from": "@outputs('Filter_array')?['body']" + } + }, + "Response_if_playbook_get(s)_failed": { + "runAfter": { + "Compose_HTTP_Failed_Response": [ + "Succeeded" + ] + }, + "type": "Response", + "kind": "Http", + "inputs": { + "body": "@outputs('Compose_HTTP_Failed_Response')", + "statusCode": "@outputs('Scope_output')['statusCode']" + }, + "operationOptions": "Asynchronous" + }, + "Scope_output": { + "type": "Compose", + "inputs": "@outputs('Filter_array')?['body']?[0]?['outputs']" + } + } + }, + "expression": { + "and": [ + { + "lessOrEquals": [ + "@length(body('Filter_array'))", + 0 + ] + } + ] + }, + "type": "If", + "description": "This checks if crowdstrike action is successful or not" + }, + "Filter_array": { + "runAfter": { + "Scope": [ + "Succeeded", + "TimedOut", + "Skipped", + "Failed" + ] + }, + "type": "Query", + "inputs": { + "from": "@result('Scope')", + "where": "@equals(item()?['status'], 'Failed')" + } + }, + "Initialize_variable_comment": { + "type": "InitializeVariable", + "inputs": { + "variables": [ + { + "name": "Comment", + "type": "array" + } + ] + }, + "description": "This is used to store comments to update in the incident" + }, + "Initialize_variable_for_Comment_variable": { + "runAfter": { + "Initialize_variable_success_from_crowdstrike": [ + "Succeeded" + ] + }, + "type": "InitializeVariable", + "inputs": { + "variables": [ + { + "name": "CommentObjVar", + "type": "object" + } + ] + } + }, + "Initialize_variable_success_from_crowdstrike": { + "runAfter": { + "Initialize_variable_comment": [ + "Succeeded" + ] + }, + "type": "InitializeVariable", + "inputs": { + "variables": [ + { + "name": "Successfromcrowdstike", + "type": "string" + } + ] + }, + "description": "This is used to hold the success or failure information from crowdstrike api actions" + }, + "Scope": { + "actions": { + "Compose_image_to_add_in_the_incident": { + "runAfter": { + "Create_HTML_table": [ + "Succeeded" + ] + }, + "type": "Compose", + "inputs": "", + "description": "This composes the crowd strike image to comment in the incident" + }, + "Create_HTML_table": { + "runAfter": { + "For_each_hosts": [ + "Succeeded" + ] + }, + "type": "Table", + "inputs": { + "format": "HTML", + "from": "@variables('Comment')" + } + }, + "CrowdStrike_Base": { + "type": "Workflow", + "inputs": { + "host": { + "triggerName": "manual", + "workflow": { + "id": "[concat('/subscriptions/', subscription().subscriptionId, '/resourceGroups/', resourceGroup().name ,'/providers/Microsoft.Logic/workflows/', parameters('CrowdStrike_Base_Playbook_Name'))]" + } + } + }, + "description": "Call the base logic App to get access token and Falcon Host URL", + "runtimeConfiguration": { + "secureData": { + "properties": [ + "inputs", + "outputs" + ] + } + } + }, + "For_each_hosts": { + "foreach": "@triggerBody()?['Hosts']", + "actions": { + "Condition_to_check_if_device_is_present_in_falcon_host_crowdstrike": { + "actions": { + "HTTP_-_Get_device_information_": { + "type": "Http", + "inputs": { + "headers": { + "Accept": "application/json", + "Authorization": "@{body('CrowdStrike_Base')?['AccessToken']}", + "Content-Type": "application/json" + }, + "method": "GET", + "uri": "@{body('CrowdStrike_Base')?['FalconHost']}/devices/entities/devices/v1?ids=@{body('Parse_JSON_Get_device_id_response')?['resources']?[0]}" + }, + "description": "This gets the device information from crowdstrike" + }, + "Parse_JSON_device_information_response": { + "runAfter": { + "HTTP_-_Get_device_information_": [ + "Succeeded" + ] + }, + "type": "ParseJson", + "inputs": { + "content": "@body('HTTP_-_Get_device_information_')", + "schema": { + "properties": { + "errors": { + "type": "array" + }, + "meta": { + "properties": { + "powered_by": { + "type": "string" + }, + "query_time": { + "type": "number" + }, + "trace_id": { + "type": "string" + } + }, + "type": "object" + }, + "resources": { + "items": { + "properties": { + "agent_load_flags": { + "type": "string" + }, + "agent_local_time": { + "type": "string" + }, + "agent_version": { + "type": "string" + }, + "bios_manufacturer": { + "type": "string" + }, + "bios_version": { + "type": "string" + }, + "build_number": { + "type": "string" + }, + "cid": { + "type": "string" + }, + "config_id_base": { + "type": "string" + }, + "config_id_build": { + "type": "string" + }, + "config_id_platform": { + "type": "string" + }, + "cpu_signature": { + "type": "string" + }, + "device_id": { + "type": "string" + }, + "device_policies": { + "properties": { + "device_control": { + "properties": { + "applied": { + "type": "boolean" + }, + "applied_date": { + "type": "string" + }, + "assigned_date": { + "type": "string" + }, + "policy_id": { + "type": "string" + }, + "policy_type": { + "type": "string" + } + }, + "type": "object" + }, + "firewall": { + "properties": { + "applied": { + "type": "boolean" + }, + "applied_date": { + "type": "string" + }, + "assigned_date": { + "type": "string" + }, + "policy_id": { + "type": "string" + }, + "policy_type": { + "type": "string" + }, + "rule_set_id": { + "type": "string" + } + }, + "type": "object" + }, + "global_config": { + "properties": { + "applied": { + "type": "boolean" + }, + "applied_date": { + "type": "string" + }, + "assigned_date": { + "type": "string" + }, + "policy_id": { + "type": "string" + }, + "policy_type": { + "type": "string" + }, + "settings_hash": { + "type": "string" + } + }, + "type": "object" + }, + "prevention": { + "properties": { + "applied": { + "type": "boolean" + }, + "applied_date": { + "type": "string" + }, + "assigned_date": { + "type": "string" + }, + "policy_id": { + "type": "string" + }, + "policy_type": { + "type": "string" + }, + "rule_groups": { + "items": { + "type": "string" + }, + "type": "array" + }, + "settings_hash": { + "type": "string" + } + }, + "type": "object" + }, + "remote_response": { + "properties": { + "applied": { + "type": "boolean" + }, + "applied_date": { + "type": "string" + }, + "assigned_date": { + "type": "string" + }, + "policy_id": { + "type": "string" + }, + "policy_type": { + "type": "string" + }, + "settings_hash": { + "type": "string" + } + }, + "type": "object" + }, + "sensor_update": { + "properties": { + "applied": { + "type": "boolean" + }, + "applied_date": { + "type": "string" + }, + "assigned_date": { + "type": "string" + }, + "policy_id": { + "type": "string" + }, + "policy_type": { + "type": "string" + }, + "settings_hash": { + "type": "string" + }, + "uninstall_protection": { + "type": "string" + } + }, + "type": "object" + } + }, + "type": "object" + }, + "external_ip": { + "type": "string" + }, + "first_seen": { + "type": "string" + }, + "group_hash": { + "type": "string" + }, + "groups": { + "items": { + "type": "string" + }, + "type": "array" + }, + "hostname": { + "type": "string" + }, + "last_seen": { + "type": "string" + }, + "local_ip": { + "type": "string" + }, + "mac_address": { + "type": "string" + }, + "machine_domain": { + "type": "string" + }, + "major_version": { + "type": "string" + }, + "meta": { + "properties": { + "version": { + "type": "string" + } + }, + "type": "object" + }, + "minor_version": { + "type": "string" + }, + "modified_timestamp": { + "type": "string" + }, + "os_version": { + "type": "string" + }, + "ou": { + "items": { + "type": "string" + }, + "type": "array" + }, + "platform_id": { + "type": "string" + }, + "platform_name": { + "type": "string" + }, + "pointer_size": { + "type": "string" + }, + "policies": { + "items": { + "properties": { + "applied": { + "type": "boolean" + }, + "applied_date": { + "type": "string" + }, + "assigned_date": { + "type": "string" + }, + "policy_id": { + "type": "string" + }, + "policy_type": { + "type": "string" + }, + "rule_groups": { + "items": { + "type": "string" + }, + "type": "array" + }, + "settings_hash": { + "type": "string" + } + }, + "required": [ + "policy_type", + "policy_id", + "applied", + "settings_hash", + "assigned_date", + "applied_date", + "rule_groups" + ], + "type": "object" + }, + "type": "array" + }, + "product_type": { + "type": "string" + }, + "product_type_desc": { + "type": "string" + }, + "provision_status": { + "type": "string" + }, + "reduced_functionality_mode": { + "type": "string" + }, + "serial_number": { + "type": "string" + }, + "service_pack_major": { + "type": "string" + }, + "service_pack_minor": { + "type": "string" + }, + "site_name": { + "type": "string" + }, + "slow_changing_modified_timestamp": { + "type": "string" + }, + "status": { + "type": "string" + }, + "system_manufacturer": { + "type": "string" + }, + "system_product_name": { + "type": "string" + }, + "tags": { + "type": "array" + } + }, + "required": [ + "device_id", + "cid", + "agent_load_flags", + "agent_local_time", + "agent_version", + "bios_manufacturer", + "bios_version", + "build_number", + "config_id_base", + "config_id_build", + "config_id_platform", + "cpu_signature", + "external_ip", + "mac_address", + "hostname", + "first_seen", + "last_seen", + "local_ip", + "machine_domain", + "major_version", + "minor_version", + "platform_id", + "platform_name", + "policies", + "reduced_functionality_mode", + "device_policies", + "groups", + "group_hash", + "product_type", + "product_type_desc", + "provision_status", + "serial_number", + "service_pack_major", + "service_pack_minor", + "pointer_size", + "status", + "system_manufacturer", + "system_product_name", + "tags", + "modified_timestamp", + "slow_changing_modified_timestamp", + "meta" + ], + "type": "object" + }, + "type": "array" + } + }, + "type": "object" + } + }, + "description": "prepare Json message for device information" + }, + "Switch_to_check_the_device_status": { + "runAfter": { + "Parse_JSON_device_information_response": [ + "Succeeded" + ] + }, + "cases": { + "Case_-_contained": { + "case": "contained", + "actions": { + "Append_to_string_variable_comment_if_host_is_contained": { + "runAfter": { + "Set_variable_comment_variable": [ + "Succeeded" + ] + }, + "type": "AppendToArrayVariable", + "inputs": { + "name": "Comment", + "value": "@variables('CommentObjVar')" + } + }, + "Set_variable_comment_variable": { + "type": "SetVariable", + "inputs": { + "name": "CommentObjVar", + "value": { + "action": "No action taken from playbook", + "device_id": "@{body('Parse_JSON_device_information_response')?['resources']?['device_id']}", + "external_ip": "@{body('Parse_JSON_device_information_response')?['resources']?['external_ip']}", + "first_seen": "@{body('Parse_JSON_device_information_response')?['resources']?['first_seen']}", + "hostname": "@{body('Parse_JSON_device_information_response')?['resources']?['hostname']}", + "hoststatus": "Contained", + "last_seen": "@{body('Parse_JSON_device_information_response')?['resources']?['last_seen']}", + "local_ip": "@{body('Parse_JSON_device_information_response')?['resources']?['local_ip']}", + "mac_address": "@{body('Parse_JSON_device_information_response')?['resources']?['mac_address']}", + "machine_domain": "@{body('Parse_JSON_device_information_response')?['resources']?['machine_domain']}" + } + } + }, + "Set_variable_success_from_crowdstirke_in_case_of_host_is_already_contained": { + "runAfter": { + "Append_to_string_variable_comment_if_host_is_contained": [ + "Succeeded" + ] + }, + "type": "SetVariable", + "inputs": { + "name": "Successfromcrowdstike", + "value": "Success" + }, + "description": "This sets the variable success from crowdstrike to update in the incident" + } + } + }, + "Case_-_containment_pending": { + "case": "containment_pending", + "actions": { + "Append_to_string_variable_comment_if_host_status_is_containment_pending": { + "runAfter": { + "Set_variable": [ + "Succeeded" + ] + }, + "type": "AppendToArrayVariable", + "inputs": { + "name": "Comment", + "value": "@variables('CommentObjVar')" + }, + "description": "Append to string variable comment if host status is containment pending" + }, + "Set_variable": { + "type": "SetVariable", + "inputs": { + "name": "CommentObjVar", + "value": { + "action": "No action taken from playbook", + "device_id": "@{body('Parse_JSON_device_information_response')?['resources']?['device_id']}", + "external_ip": "@{body('Parse_JSON_device_information_response')?['resources']?['external_ip']}", + "first_seen": "@{body('Parse_JSON_device_information_response')?['resources']?['first_seen']}", + "hostname": "@{body('Parse_JSON_device_information_response')?['resources']?['hostname']}", + "hoststatus": "containment_pending", + "last_seen": "@{body('Parse_JSON_device_information_response')?['resources']?['last_seen']}", + "local_ip": "@{body('Parse_JSON_device_information_response')?['resources']?['local_ip']}", + "mac_address": "@{body('Parse_JSON_device_information_response')?['resources']?['mac_address']}", + "machine_domain": "@{body('Parse_JSON_device_information_response')?['resources']?['machine_domain']}" + } + } + }, + "Set_variable_success_from_crowdstirke_in_case_of_containment_pending": { + "runAfter": { + "Append_to_string_variable_comment_if_host_status_is_containment_pending": [ + "Succeeded" + ] + }, + "type": "SetVariable", + "inputs": { + "name": "Successfromcrowdstike", + "value": "Success" + }, + "description": "This sets the variable success from crowdstrike to update in the incident" + } + } + }, + "Case_-_lift_containment_pending": { + "case": "lift_containment_pending", + "actions": { + "Append_to_string_variable_comment_if_host_status_is_lift_containment_pending": { + "runAfter": { + "Set_variable_2": [ + "Succeeded" + ] + }, + "type": "AppendToArrayVariable", + "inputs": { + "name": "Comment", + "value": "@variables('CommentObjVar')" + }, + "description": "Append to string variable comment if host status is lift containment pending" + }, + "Set_variable_2": { + "type": "SetVariable", + "inputs": { + "name": "CommentObjVar", + "value": { + "action": "No action taken from playbook", + "device_id": "@{body('Parse_JSON_device_information_response')?['resources']?['device_id']}", + "external_ip": "@{body('Parse_JSON_device_information_response')?['resources']?['external_ip']}", + "first_seen": "@{body('Parse_JSON_device_information_response')?['resources']?['first_seen']}", + "hostname": "@{body('Parse_JSON_device_information_response')?['resources']?['hostname']}", + "hoststatus": "Lift_containment_pending", + "last_seen": "@{body('Parse_JSON_device_information_response')?['resources']?['last_seen']}", + "local_ip": "@{body('Parse_JSON_device_information_response')?['resources']?['local_ip']}", + "mac_address": "@{body('Parse_JSON_device_information_response')?['resources']?['mac_address']}", + "machine_domain": "@{body('Parse_JSON_device_information_response')?['resources']?['machine_domain']}" + } + } + }, + "Set_variable_success_from_crowdstirke_in_case_of_lift_containment_pending": { + "runAfter": { + "Append_to_string_variable_comment_if_host_status_is_lift_containment_pending": [ + "Succeeded" + ] + }, + "type": "SetVariable", + "inputs": { + "name": "Successfromcrowdstike", + "value": "Success" + }, + "description": "This sets the variable success from crowdstrike to update in the incident" + } + } + }, + "Case_-_not_contained": { + "case": "normal", + "actions": { + "Condition_to_check_if_contain_success_or_not": { + "actions": { + "Append_to_string_variable_comment_if_host_is_contained_by_playbook": { + "runAfter": { + "Set_variable_comment_variable_contained": [ + "Succeeded" + ] + }, + "type": "AppendToArrayVariable", + "inputs": { + "name": "Comment", + "value": "@variables('CommentObjVar')" + }, + "description": "Append to string variable comment if host is contained by playbook" + }, + "Set_variable_comment_variable_contained": { + "type": "SetVariable", + "inputs": { + "name": "CommentObjVar", + "value": { + "action": "The playbook sucessfully contained the host", + "device_id": "@{body('Parse_JSON_device_information_response')?['resources']?['device_id']}", + "external_ip": "@{body('Parse_JSON_device_information_response')?['resources']?['external_ip']}", + "first_seen": "@{body('Parse_JSON_device_information_response')?['resources']?['first_seen']}", + "hostname": "@{body('Parse_JSON_device_information_response')?['resources']?['hostname']}", + "hoststatus": "Contained", + "last_seen": "@{body('Parse_JSON_device_information_response')?['resources']?['last_seen']}", + "local_ip": "@{body('Parse_JSON_device_information_response')?['resources']?['local_ip']}", + "mac_address": "@{body('Parse_JSON_device_information_response')?['resources']?['mac_address']}", + "machine_domain": "@{body('Parse_JSON_device_information_response')?['resources']?['machine_domain']}" + } + } + }, + "Set_variable_success_from_crowdstirke_in_case_of_success": { + "runAfter": { + "Append_to_string_variable_comment_if_host_is_contained_by_playbook": [ + "Succeeded" + ] + }, + "type": "SetVariable", + "inputs": { + "name": "Successfromcrowdstike", + "value": "Success" + }, + "description": "This sets variable success from crowdstirke in case of success" + } + }, + "runAfter": { + "HTTP_-_Contain_a_host": [ + "Succeeded" + ] + }, + "else": { + "actions": { + "Append_to_string_variable_comment_if_host_is_not_contained_by_playbook": { + "runAfter": { + "Set_variable_comment_variable_not_contained": [ + "Succeeded" + ] + }, + "type": "AppendToArrayVariable", + "inputs": { + "name": "Comment", + "value": "@variables('CommentObjVar')" + }, + "description": "Append to string variable comment if host is not contained by playbook" + }, + "Set_variable_comment_variable_not_contained": { + "type": "SetVariable", + "inputs": { + "name": "CommentObjVar", + "value": { + "action": "The playbook sucessfully contained the host", + "device_id": "@{body('Parse_JSON_device_information_response')?['resources']?['device_id']}", + "external_ip": "@{body('Parse_JSON_device_information_response')?['resources']?['external_ip']}", + "first_seen": "@{body('Parse_JSON_device_information_response')?['resources']?['first_seen']}", + "hostname": "@{body('Parse_JSON_device_information_response')?['resources']?['hostname']}", + "hoststatus": "Not contained/Normal", + "last_seen": "@{body('Parse_JSON_device_information_response')?['resources']?['last_seen']}", + "local_ip": "@{body('Parse_JSON_device_information_response')?['resources']?['local_ip']}", + "mac_address": "@{body('Parse_JSON_device_information_response')?['resources']?['mac_address']}", + "machine_domain": "@{body('Parse_JSON_device_information_response')?['resources']?['machine_domain']}" + } + } + }, + "Set_variable_success_from_crowdstrike_in_case_of_failure": { + "runAfter": { + "Append_to_string_variable_comment_if_host_is_not_contained_by_playbook": [ + "Succeeded" + ] + }, + "type": "SetVariable", + "inputs": { + "name": "Successfromcrowdstike", + "value": "Failure" + }, + "description": "This sets variable success from crowdstirke in case of Failure" + } + } + }, + "expression": { + "and": [ + { + "equals": [ + "@outputs('HTTP_-_Contain_a_host')['statusCode']", + 202 + ] + } + ] + }, + "type": "If", + "description": "condition to check if contain a host is success or failure" + }, + "HTTP_-_Contain_a_host": { + "type": "Http", + "inputs": { + "body": { + "action_parameters": [ + { + "name": "contain" + } + ], + "ids": [ + "@{body('Parse_JSON_Get_device_id_response')?['resources']?[0]}" + ] + }, + "headers": { + "Accept": "application/json", + "Authorization": "@{body('CrowdStrike_Base')?['AccessToken']}", + "Content-Type": "application/json" + }, + "method": "POST", + "uri": "@{body('CrowdStrike_Base')?['FalconHost']}/devices/entities/devices-actions/v2?action_name=contain" + }, + "description": "This will contain a host in crowdstrike" + } + } + } + }, + "expression": "@body('Parse_JSON_device_information_response')?['resources']?[0]?['status']", + "type": "Switch", + "description": "This checks on the device status" + } + }, + "runAfter": { + "Parse_JSON_Get_device_id_response": [ + "Succeeded" + ] + }, + "else": { + "actions": { + "Append_to_string_variable_comment_if_no_device_exist": { + "runAfter": { + "Set_variable_comment_if_no_device_exist": [ + "Succeeded" + ] + }, + "type": "AppendToArrayVariable", + "inputs": { + "name": "Comment", + "value": "@variables('CommentObjVar')" + } + }, + "Set_variable_comment_if_no_device_exist": { + "type": "SetVariable", + "inputs": { + "name": "CommentObjVar", + "value": { + "action": "There is no device present in Crowdstrike", + "device_id": "[variables('__empty-value')]", + "external_ip": "[variables('__empty-value')]", + "first_seen": "[variables('__empty-value')]", + "hostname": "[variables('__empty-value')]", + "hoststatus": "[variables('__empty-value')]", + "last_seen": "[variables('__empty-value')]", + "local_ip": "[variables('__empty-value')]", + "mac_address": "[variables('__empty-value')]", + "machine_domain": "[variables('__empty-value')]", + "os_version": "[variables('__empty-value')]" + } + } + }, + "Set_variable_success_from_crowdstrike": { + "runAfter": { + "Append_to_string_variable_comment_if_no_device_exist": [ + "Succeeded" + ] + }, + "type": "SetVariable", + "inputs": { + "name": "Successfromcrowdstike", + "value": "Success" + }, + "description": "This sets the variable success in case of no device info found" + } + } + }, + "expression": { + "and": [ + { + "not": { + "equals": [ + "@body('Parse_JSON_Get_device_id_response')?['resources']?[0]", + "@null" + ] + } + } + ] + }, + "type": "If", + "description": "This checks if device is present in crowdstrike or not" + }, + "HTTP_-_Get_device_id": { + "type": "Http", + "inputs": { + "headers": { + "Accept": "application/json", + "Authorization": "@{body('CrowdStrike_Base')?['AccessToken']}", + "Content-Type": "application/json" + }, + "method": "GET", + "uri": "@{body('CrowdStrike_Base')?['FalconHost']}/devices/queries/devices/v1?filter=hostname:'@{items('For_each_hosts')?['Hostname']}'" + }, + "description": "This gets the device id from crowdstrike by filtering on hostname" + }, + "Parse_JSON_Get_device_id_response": { + "runAfter": { + "HTTP_-_Get_device_id": [ + "Succeeded" + ] + }, + "type": "ParseJson", + "inputs": { + "content": "@body('HTTP_-_Get_device_id')", + "schema": { + "meta": { + "pagination": { + "limit": 100, + "offset": 1, + "total": 1 + }, + "powered_by": "device-api", + "query_time": 0.005041315, + "trace_id": "aa7b84f5-3e81-4980-ad9f-c14b6d8ca577" + }, + "resources": [ + "cdc977a72a8c49528bb82f89dde2c2e9" + ] + } + }, + "description": "prepare json message for the device id response" + } + }, + "runAfter": { + "CrowdStrike_Base": [ + "Succeeded" + ] + }, + "type": "Foreach" + }, + "Result": { + "runAfter": { + "Compose_image_to_add_in_the_incident": [ + "Succeeded" + ] + }, + "type": "Compose", + "inputs": "@{outputs('Compose_image_to_add_in_the_incident')}CrowdStrike_ContainHost playbook run results:\n\n@{body('Create_HTML_table')}" + } + }, + "runAfter": { + "Initialize_variable_for_Comment_variable": [ + "Succeeded" + ] + }, + "type": "Scope" + } + }, + "outputs": {} + }, + "parameters": {} + } + }, + { + "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", + "apiVersion": "2021-03-01-preview", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/', variables('_sourceId'))]", + "properties": { + "contentId": "[variables('_sourceId')]", + "version": "1.0.9", + "kind": "Solution", + "parentId": "[variables('_sourceId')]", + "source": { + "kind": "Solution", + "name": "CrowdStrike Falcon Endpoint Protection Solution", + "sourceId": "[variables('_sourceId')]" + }, + "author": { + "name": "Microsoft Corporation", + "email": "v-eliforbes@microsoft.com" + }, + "firstPublishDate": "2021-05-06", + "lastPublishDate": "2021-10-08", + "providers": [ "Crowdstrike" ], + "categories": { + "domains": [ "Security - Threat Protection" ] + }, + "support": { + "name": "Microsoft Corporation", + "email": "support@microsoft.com", + "tier": "Microsoft", + "link": "https://support.microsoft.com" + }, + "dependencies": { + "operator": "AND", + "criteria": [ + { + "kind": "DataConnector", + "contentId": "[variables('_CrowdStrikeFalconEndpointProtection')]", + "version": "1.0.9" + }, + { + "kind": "DataConnector", + "contentId": "[variables('_CrowdStrikeFalconDataReplicator')]", + "version": "1.0.9" + }, + { + "kind": "Parser", + "contentId": "[variables('_CrowdStrikeFalconEventStream')]", + "version": "1.0.9" + }, + { + "kind": "Parser", + "contentId": "[variables('_CrowdStrikeReplicator')]", + "version": "1.0.9" + }, + { + "kind": "Workbook", + "contentId": "[variables('_CrowdStrikeFalconEndpointProtection')]", + "version": "1.0.9" + }, + { + "kind": "AnalyticsRule", + "contentId": "[variables('_CrowdStrikeHighSeverity')]", + "version": "1.0.9" + }, + { + "kind": "AnalyticsRule", + "contentId": "[variables('_CrowdStrikeCriticalSeverity')]", + "version": "1.0.9" + }, + { + "kind": "Playbook", + "contentId": "[variables('_CrowdStrike_Base')]", + "version": "1.0.9" + }, + { + "kind": "Playbook", + "contentId": "[variables('_Crowdstrike_ContainHost')]", + "version": "1.0.9" + }, + { + "kind": "Playbook", + "contentId": "[variables('_Crowdstrike_Enrichment_GetDeviceInformation')]", + "version": "1.0.9" + }, + { + "kind": "Playbook", + "contentId": "[variables('_Crowdstrike-ResponsefromTeams')]", + "version": "1.0.9" + }, + { + "kind": "Playbook", + "contentId": "[variables('_Crowdstrike-Remediation-Host')]", + "version": "1.0.9" + } + ] + } + } + } + ], + "outputs": { + } +} \ No newline at end of file diff --git a/Solutions/CybersecurityMaturityModelCertification(CMMC)2.0/Analytic Rules/CMMC2.0Level1FoundationalPosture.yaml b/Solutions/CybersecurityMaturityModelCertification(CMMC)2.0/Analytic Rules/CMMC2.0Level1FoundationalPosture.yaml new file mode 100644 index 0000000000..c3bba1859c --- /dev/null +++ b/Solutions/CybersecurityMaturityModelCertification(CMMC)2.0/Analytic Rules/CMMC2.0Level1FoundationalPosture.yaml @@ -0,0 +1,34 @@ +id: fb127436-e5c4-4e31-85a8-d3507128dd09 +name: (Preview) CMMC 2.0 Level 1 (Foundational) Readiness Posture +description: | + 'CMMC 2.0 Level 1 (Foundational) assessments have deviated from configured threshold baselines. This alert is triggered when CMMC2.0 policy compliance is assessed below 70% compliance in 7 days.' +severity: Medium +requiredDataConnectors: [] +queryFrequency: 7d +queryPeriod: 7d +triggerOperator: gt +triggerThreshold: 0 +tactics: + - Discovery +relevantTechniques: + - T1082 +query: | + SecurityRegulatoryCompliance + | where ComplianceStandard == "NIST-SP-800-171-R2" + | extend Level=iff(ComplianceControl in ("3.1.1","3.1.2","3.1.20","3.1.22","3.4.1","3.5.2","3.5.2","3.8.3","3.13.1","3.13.5","3.14.1","3.14.2","3.14.4","3.14.5"), "Level 1: Foundational","Level 2: Advanced") + | where Level == "Level 1: Foundational" + | summarize arg_max(TimeGenerated, *) by RecommendationName, AssessedResourceId, Level + | summarize Failed=countif(State=="Failed"),Passed=countif(State=="Passed"),Total=countif(State=="Passed" or State == "Failed") by Level + |extend PassedControlsPercentage = (Passed/todouble(Total))*100 + | where PassedControlsPercentage < 70 + //Adjust Either Passed Thresholds within Organizational Needs + | extend RemediationLink = strcat('https://portal.azure.com/#blade/Microsoft_Azure_Security/SecurityMenuBlade/22') + | project Level, Total, PassedControlsPercentage, Passed, Failed, RemediationLink, LastObserved=now() + | extend URLCustomEntity = RemediationLink +entityMappings: + - entityType: URL + fieldMappings: + - identifier: Url + columnName: URLCustomEntity +version: 1.0.0 +kind: Scheduled \ No newline at end of file diff --git a/Solutions/CybersecurityMaturityModelCertification(CMMC)2.0/Analytic Rules/CMMC2.0Level2AdvancedPosture.yaml b/Solutions/CybersecurityMaturityModelCertification(CMMC)2.0/Analytic Rules/CMMC2.0Level2AdvancedPosture.yaml new file mode 100644 index 0000000000..244454d910 --- /dev/null +++ b/Solutions/CybersecurityMaturityModelCertification(CMMC)2.0/Analytic Rules/CMMC2.0Level2AdvancedPosture.yaml @@ -0,0 +1,34 @@ +id: 7bfe573b-3069-4e81-98fe-9a4cffbcbc24 +name: (Preview) CMMC 2.0 Level 2 (Advanced) Readiness Posture +description: | + 'CMMC 2.0 Level 2 (Advanced) assessments have deviated from configured threshold baselines. This alert is triggered when CMMC2.0 policy compliance is assessed below 70% compliance in 7 days.' +severity: Medium +requiredDataConnectors: [] +queryFrequency: 7d +queryPeriod: 7d +triggerOperator: gt +triggerThreshold: 0 +tactics: + - Discovery +relevantTechniques: + - T1082 +query: | + SecurityRegulatoryCompliance + | where ComplianceStandard == "NIST-SP-800-171-R2" + | extend Level=iff(ComplianceControl in ("3.1.1","3.1.2","3.1.20","3.1.22","3.4.1","3.5.2","3.5.2","3.8.3","3.13.1","3.13.5","3.14.1","3.14.2","3.14.4","3.14.5"), "Level 1: Foundational","Level 2: Advanced") + | where Level == "Level 2: Advanced" + | summarize arg_max(TimeGenerated, *) by RecommendationName, AssessedResourceId, Level + |summarize Failed=countif(State=="Failed"),Passed=countif(State=="Passed"),Total=countif(State=="Passed" or State == "Failed") by Level + |extend PassedControlsPercentage = (Passed/todouble(Total))*100 + | where PassedControlsPercentage < 70 + //Adjust Either Passed Thresholds within Organizational Needs + | extend RemediationLink = strcat('https://portal.azure.com/#blade/Microsoft_Azure_Security/SecurityMenuBlade/22') + | project Level, Total, PassedControlsPercentage, Passed, Failed, RemediationLink, LastObserved=now() + | extend URLCustomEntity = RemediationLink +entityMappings: + - entityType: URL + fieldMappings: + - identifier: Url + columnName: URLCustomEntity +version: 1.0.0 +kind: Scheduled \ No newline at end of file diff --git a/Solutions/CybersecurityMaturityModelCertification(CMMC)2.0/Playbooks/Notify_GovernanceComplianceTeam.json b/Solutions/CybersecurityMaturityModelCertification(CMMC)2.0/Playbooks/Notify_GovernanceComplianceTeam.json new file mode 100644 index 0000000000..6099f0ada9 --- /dev/null +++ b/Solutions/CybersecurityMaturityModelCertification(CMMC)2.0/Playbooks/Notify_GovernanceComplianceTeam.json @@ -0,0 +1,202 @@ +{ + "parameters": { + "PlaybookName": { + "defaultValue": "Notify-GovernanceComplianceTeam", + "type": "string"}, + "Email": { + "defaultValue": "GovernanceComplianceTeam@example.com", + "type": "string"}, + "TeamschannelId": { + "defaultValue": "GovernanceComplianceTeam", + "type": "string"}, + "TeamsgroupId": { + "defaultValue": "GovernanceComplianceTeam", + "type": "string"} + + }, + "resources": [ + { + "properties": { + "provisioningState": "Succeeded", + "state": "Enabled", + "definition": { + "$schema": "https://schema.management.azure.com/providers/Microsoft.Logic/schemas/2016-06-01/workflowdefinition.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "$connections": { + "defaultValue": { + }, + "type": "Object" + } + }, + "triggers": { + "When_Azure_Sentinel_incident_creation_rule_was_triggered": { + "type": "ApiConnectionWebhook", + "inputs": { + "body": { + "callback_url": "@{listCallbackUrl()}" + }, + "host": { + "connection": { + "name": "@parameters('$connections')['azuresentinel']['connectionId']" + } + }, + "path": "/incident-creation" + } + } + }, + "actions": { + "For_each": { + "foreach": "@triggerBody()?['object']?['properties']?['Alerts']", + "actions": { + "Post_message_in_a_chat_or_channel": { + "runAfter": { + }, + "type": "ApiConnection", + "inputs": { + "body": { + "messageBody": "\u003cp\u003eGovernance \u0026amp; Compliance Team,\u003cbr\u003e\n\u003cbr\u003e\nThe security posture of a workload has changed per the alerting details below:\u003cbr\u003e\n\u003cbr\u003e\nSeverity of Alert: @{items('For_each')?['properties']?['severity']}\u003cbr\u003e\n\u003cbr\u003e\n\u003cu\u003e\u003cstrong\u003eAzure Sentinel Incident\u003c/strong\u003e\u003c/u\u003e\u003cbr\u003e\nTItle: @{triggerBody()?['object']?['properties']?['title']}\u003cbr\u003e\nStatus: @{triggerBody()?['object']?['properties']?['status']}\u003cbr\u003e\nNumber: @{triggerBody()?['object']?['properties']?['incidentNumber']}\u003cbr\u003e\nCreated Time (UTC): @{triggerBody()?['object']?['properties']?['createdTimeUtc']}\u003cbr\u003e\nIncident Link: \u0026nbsp;@{triggerBody()?['object']?['properties']?['incidentUrl']}\u003cbr\u003e\n\u003cbr\u003e\n\u003cu\u003e\u003cstrong\u003eAlert Details\u003c/strong\u003e\u003c/u\u003e\u003cbr\u003e\nAlert Display Name: @{items('For_each')?['properties']?['alertDisplayName']}\u003cbr\u003e\nAlert Type: @{items('For_each')?['properties']?['alertType']}\u003cbr\u003e\nSubscription ID: @{triggerBody()?['workspaceInfo']?['SubscriptionId']}\u003cbr\u003e\nProvider Alert ID: @{items('For_each')?['properties']?['providerAlertId']}\u003cbr\u003e\nAlert Link: @{items('For_each')?['properties']?['alertLink']}\u003c/p\u003e", + "recipient": { + "channelId": "[parameters('TeamschannelId')]", + "groupId": "[parameters('TeamsgroupId')]" + } + }, + "host": { + "connection": { + "name": "@parameters('$connections')['teams']['connectionId']" + } + }, + "method": "post", + "path": "/beta/teams/conversation/message/poster/Flow bot/location/@{encodeURIComponent('Channel')}" + } + }, + "Send_an_email_(V2)_2": { + "runAfter": { + "Post_message_in_a_chat_or_channel": [ + "Succeeded" + ] + }, + "type": "ApiConnection", + "inputs": { + "body": { + "Body": "\u003cp\u003eGovernance \u0026amp; Compliance Team,\u003cbr\u003e\n\u003cbr\u003e\nThe security posture of a workload has changed per the alerting details below:\u003cbr\u003e\n\u003cbr\u003e\n\u003cbr\u003e\n\u003cu\u003e\u003cstrong\u003eAzure Sentinel Incident\u003c/strong\u003e\u003c/u\u003e\u003cbr\u003e\nTItle: @{triggerBody()?['object']?['properties']?['title']}\u003cbr\u003e\nStatus: @{triggerBody()?['object']?['properties']?['status']}\u003cbr\u003e\nNumber: @{triggerBody()?['object']?['properties']?['incidentNumber']}\u003cbr\u003e\nIncident Severity: @{triggerBody()?['object']?['properties']?['severity']}\u003cbr\u003e\nCreated Time (UTC): @{triggerBody()?['object']?['properties']?['createdTimeUtc']}\u003cbr\u003e\nIncident Link: \u0026nbsp;@{triggerBody()?['object']?['properties']?['incidentUrl']}\u003cbr\u003e\n\u003cbr\u003e\n\u003cu\u003e\u003cstrong\u003eAlert Details\u003c/strong\u003e\u003c/u\u003e\u003cbr\u003e\nAlert Display Name: @{items('For_each')?['properties']?['alertDisplayName']}\u003cbr\u003e\nAlert Product Name: @{items('For_each')?['properties']?['productName']}\u003cbr\u003e\nAlert Severity: @{items('For_each')?['properties']?['severity']}\u003cbr\u003e\nAlert Type: @{items('For_each')?['properties']?['alertType']}\u003cbr\u003e\nSubscription ID: @{triggerBody()?['workspaceInfo']?['SubscriptionId']}\u003cbr\u003e\nProvider Alert ID: @{items('For_each')?['properties']?['providerAlertId']}\u003cbr\u003e\nAlert Link: @{items('For_each')?['properties']?['alertLink']}\u003c/p\u003e", + "Subject": "CMMC: Security Posture Change Alert", + "To": "[parameters('Email')]" + }, + "host": { + "connection": { + "name": "@parameters('$connections')['office365']['connectionId']" + } + }, + "method": "post", + "path": "/v2/Mail" + } + } + }, + "runAfter": { + }, + "type": "Foreach" + } + }, + "outputs": { + } + }, + "parameters": { + "$connections": { + "value": { + "azuresentinel": { + "connectionName": "[variables('azuresentinelConnectionName')]", + "connectionId": "[resourceId('Microsoft.Web/connections', variables('azuresentinelConnectionName'))]", + "id": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', resourceGroup().location, '/managedApis/azuresentinel')]", + "connectionProperties": { + "authentication": { + "type": "ManagedServiceIdentity" + } + } + }, + "office365": { + "connectionName": "[variables('office365ConnectionName')]", + "connectionId": "[resourceId('Microsoft.Web/connections', variables('office365ConnectionName'))]", + "id": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', resourceGroup().location, '/managedApis/office365')]" + }, + "teams": { + "connectionName": "[variables('teamsConnectionName')]", + "connectionId": "[resourceId('Microsoft.Web/connections', variables('teamsConnectionName'))]", + "id": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', resourceGroup().location, '/managedApis/teams')]" + } + } + } + } + }, + "name": "[parameters('PlaybookName')]", + "type": "Microsoft.Logic/workflows", + "location": "[resourceGroup().location]", + "tags": { + "hidden-SentinelTemplateName": "Notify-GovernanceComplianceTeam", + "hidden-SentinelTemplateVersion": "1.0" + }, + "identity": { + "type": "SystemAssigned" + }, + "apiVersion": "2017-07-01", + "dependsOn": [ + "[resourceId('Microsoft.Web/connections', variables('azuresentinelConnectionName'))]", + "[resourceId('Microsoft.Web/connections', variables('office365ConnectionName'))]", + "[resourceId('Microsoft.Web/connections', variables('teamsConnectionName'))]" + ] + }, + { + "name": "[variables('azuresentinelConnectionName')]", + "properties": { + "parameterValueType": "Alternative", + "displayName": "[variables('azuresentinelConnectionName')]", + "api": { + "id": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', resourceGroup().location, '/managedApis/azuresentinel')]" + }, + "customParameterValues": { + } + }, + "type": "Microsoft.Web/connections", + "kind": "V1", + "apiVersion": "2016-06-01", + "location": "[resourceGroup().location]" + }, + { + "name": "[variables('office365ConnectionName')]", + "properties": { + "displayName": "[variables('office365ConnectionName')]", + "api": { + "id": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', resourceGroup().location, '/managedApis/office365')]" + }, + "customParameterValues": { + } + }, + "type": "Microsoft.Web/connections", + "kind": "V1", + "apiVersion": "2016-06-01", + "location": "[resourceGroup().location]" + }, + { + "name": "[variables('teamsConnectionName')]", + "properties": { + "displayName": "[variables('teamsConnectionName')]", + "api": { + "id": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', resourceGroup().location, '/managedApis/teams')]" + }, + "customParameterValues": { + } + }, + "type": "Microsoft.Web/connections", + "kind": "V1", + "apiVersion": "2016-06-01", + "location": "[resourceGroup().location]" + } + ], + "contentVersion": "1.0.0.0", + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "variables": { + "teamsConnectionName": "[concat('teams-', parameters('PlaybookName'))]", + "azuresentinelConnectionName": "[concat('azuresentinel-', parameters('PlaybookName'))]", + "office365ConnectionName": "[concat('office365-', parameters('PlaybookName'))]" + } +} diff --git a/Solutions/CybersecurityMaturityModelCertification(CMMC)2.0/Playbooks/Open_DevOpsTaskRecommendation.json b/Solutions/CybersecurityMaturityModelCertification(CMMC)2.0/Playbooks/Open_DevOpsTaskRecommendation.json new file mode 100644 index 0000000000..89d0153a3d --- /dev/null +++ b/Solutions/CybersecurityMaturityModelCertification(CMMC)2.0/Playbooks/Open_DevOpsTaskRecommendation.json @@ -0,0 +1,170 @@ +{ + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "metadata": { + "title": "Create-AzureDevOpsTask", + "description": "This playbook will create the Azure DevOps task filled with the Azure Sentinel incident details.", + "prerequisites": "", + "lastUpdateTime": "2021-07-14T00:00:00.000Z", + "entities": [], + "tags": ["Sync"], + "support": { + "tier": "Community" + }, + "author": { + "name": "Nicholas DiCola" + } + }, + "parameters": { + "PlaybookName": { + "defaultValue": "Create-AzureDevOpsTask", + "type": "string" + } + }, + "variables": { + "AzureSentinelConnectionName": "[concat('azuresentinel-', parameters('PlaybookName'))]", + "AzureDevOpsConnectionName": "[concat('azuredevops-', parameters('PlaybookName'))]" + }, + "resources": [ + { + "type": "Microsoft.Web/connections", + "apiVersion": "2016-06-01", + "name": "[variables('AzureSentinelConnectionName')]", + "location": "[resourceGroup().location]", + "kind": "V1", + "properties": { + "displayName": "[variables('AzureSentinelConnectionName')]", + "customParameterValues": {}, + "parameterValueType": "Alternative", + "api": { + "id": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', resourceGroup().location, '/managedApis/azuresentinel')]" + } + } + }, + { + "type": "Microsoft.Web/connections", + "apiVersion": "2016-06-01", + "name": "[variables('AzureDevOpsConnectionName')]", + "location": "[resourceGroup().location]", + "properties": { + "displayName": "[variables('AzureDevOpsConnectionName')]", + "customParameterValues": { + }, + "api": { + "id": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', resourceGroup().location, '/managedApis/visualstudioteamservices')]" + } + } + }, + { + "type": "Microsoft.Logic/workflows", + "apiVersion": "2017-07-01", + "name": "[parameters('PlaybookName')]", + "location": "[resourceGroup().location]", + "tags": { + "hidden-SentinelTemplateName": "Create-AzureDevOpsTask", + "hidden-SentinelTemplateVersion": "1.0" + }, + "identity": { + "type": "SystemAssigned" + }, + "dependsOn": [ + "[resourceId('Microsoft.Web/connections', variables('AzureSentinelConnectionName'))]", + "[resourceId('Microsoft.Web/connections', variables('AzureDevOpsConnectionName'))]" + ], + "properties": { + "state": "Enabled", + "definition": { + "$schema": "https://schema.management.azure.com/providers/Microsoft.Logic/schemas/2016-06-01/workflowdefinition.json#", + "actions": { + "Add_comment_to_incident_(V3)": { + "inputs": { + "body": { + "incidentArmId": "@triggerBody()?['object']?['id']", + "message": "

Azure DevOps Task created: @{body('Create_a_work_item')?['url']}

" + }, + "host": { + "connection": { + "name": "@parameters('$connections')['azuresentinel']['connectionId']" + } + }, + "method": "post", + "path": "/Incidents/Comment" + }, + "runAfter": { + "Create_a_work_item": [ + "Succeeded" + ] + }, + "type": "ApiConnection" + }, + "Create_a_work_item": { + "inputs": { + "body": { + "description": "Incident Description: @{triggerBody()?['object']?['properties']?['description']}\nIncident Severity: @{triggerBody()?['object']?['properties']?['severity']}\nIncident URL: @{triggerBody()?['object']?['properties']?['incidentUrl']}\n", + "title": "New Azure Sentinel Incident: @{triggerBody()?['object']?['properties']?['title']}" + }, + "host": { + "connection": { + "name": "@parameters('$connections')['visualstudioteamservices']['connectionId']" + } + }, + "method": "patch", + "path": "/@{encodeURIComponent('test')}/_apis/wit/workitems/$@{encodeURIComponent('Task')}", + "queries": { + "account": "test" + } + }, + "runAfter": {}, + "type": "ApiConnection" + } + }, + "contentVersion": "1.0.0.0", + "outputs": {}, + "parameters": { + "$connections": { + "defaultValue": {}, + "type": "Object" + } + }, + "triggers": { + "When_Azure_Sentinel_incident_creation_rule_was_triggered": { + "inputs": { + "body": { + "callback_url": "@{listCallbackUrl()}" + }, + "host": { + "connection": { + "name": "@parameters('$connections')['azuresentinel']['connectionId']" + } + }, + "path": "/incident-creation" + }, + "type": "ApiConnectionWebhook" + } + } + }, + "parameters": { + "$connections": { + "value": { + "azuresentinel": { + "connectionId": "[resourceId('Microsoft.Web/connections', variables('AzureSentinelConnectionName'))]", + "connectionName": "[variables('AzureSentinelConnectionName')]", + "id": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', resourceGroup().location, '/managedApis/azuresentinel')]", + "connectionProperties": { + "authentication": { + "type": "ManagedServiceIdentity" + } + } + }, + "visualstudioteamservices": { + "connectionId": "[resourceId('Microsoft.Web/connections', variables('AzureDevOpsConnectionName'))]", + "connectionName": "[variables('AzureDevOpsConnectionName')]", + "id": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', resourceGroup().location, '/managedApis/visualstudioteamservices')]" + } + } + } + } + } + } + ] +} \ No newline at end of file diff --git a/Solutions/CybersecurityMaturityModelCertification(CMMC)2.0/Playbooks/Open_JIRATicketRecommendation.json b/Solutions/CybersecurityMaturityModelCertification(CMMC)2.0/Playbooks/Open_JIRATicketRecommendation.json new file mode 100644 index 0000000000..8eb05e8cae --- /dev/null +++ b/Solutions/CybersecurityMaturityModelCertification(CMMC)2.0/Playbooks/Open_JIRATicketRecommendation.json @@ -0,0 +1,158 @@ +{ + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "metadata": { + "title": "Create Jira Issue", + "description": "This playbook will open a Jira Issue when a new incident is opened in Azure Sentinel.", + "prerequisites": ["1. Jira instance (ex. xyz.atlassian.net)", + "2. Jira API", + "3. Username."], + "lastUpdateTime": "2021-07-14T00:00:00.000Z", + "entities": [], + "tags": [ "Sync" ], + "support": { + "tier": "community" + }, + "author": { + "name": "Yaniv Shasha and Benjamin Kovacevic" + } + }, + "parameters": { + "PlaybookName": { + "defaultValue": "CreateJiraIssue", + "type": "string", + "metadata": { + "description": "Incident trigger" + } + } + }, + "variables": { + "AzureSentinelConnectionName": "[concat('azuresentinel-', parameters('PlaybookName'))]", + "JiraConnectionName": "[concat('jira-', parameters('PlaybookName'))]" + }, + "resources": [ + { + "type": "Microsoft.Web/connections", + "apiVersion": "2016-06-01", + "name": "[variables('AzureSentinelConnectionName')]", + "location": "[resourceGroup().location]", + "properties": { + "displayName": "[variables('AzureSentinelConnectionName')]", + "customParameterValues": {}, + "parameterValueType": "Alternative", + "api": { + "id": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', resourceGroup().location, '/managedApis/azuresentinel')]" + } + } + }, + { + "type": "Microsoft.Web/connections", + "apiVersion": "2016-06-01", + "name": "[variables('jiraConnectionName')]", + "location": "[resourceGroup().location]", + "properties": { + "displayName": "[variables('jiraConnectionName')]", + "customParameterValues": { + }, + "api": { + "id": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', resourceGroup().location, '/managedApis/jira')]" + } + } + }, + { + "type": "Microsoft.Logic/workflows", + "apiVersion": "2017-07-01", + "name": "[parameters('PlaybookName')]", + "location": "[resourceGroup().location]", + "tags": { + "hidden-SentinelTemplateName": "CreateJiraIssue-Incident", + "hidden-SentinelTemplateVersion": "1.0" + }, + "identity": { + "type": "SystemAssigned" + }, + "dependsOn": [ + "[resourceId('Microsoft.Web/connections', variables('AzureSentinelConnectionName'))]", + "[resourceId('Microsoft.Web/connections', variables('JiraConnectionName'))]" + ], + "properties": { + "state": "Enabled", + "definition": { + "$schema": "https://schema.management.azure.com/providers/Microsoft.Logic/schemas/2016-06-01/workflowdefinition.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "$connections": { + "defaultValue": {}, + "type": "Object" + } + }, + "triggers": { + "When_Azure_Sentinel_incident_creation_rule_was_triggered": { + "type": "ApiConnectionWebhook", + "inputs": { + "body": { + "callback_url": "@{listCallbackUrl()}" + }, + "host": { + "connection": { + "name": "@parameters('$connections')['azuresentinel']['connectionId']" + } + }, + "path": "/incident-creation" + } + } + }, + "actions": { + "Create_a_new_issue": { + "runAfter": {}, + "type": "ApiConnection", + "inputs": { + "body": { + "fields": { + "description": "Incident description: @{triggerBody()?['object']?['properties']?['description']};\nSeverity: @{triggerBody()?['object']?['properties']?['severity']};\nIncident URL: @{triggerBody()?['object']?['properties']?['incidentUrl']}", + "issuetype": { + "id": "10007" + }, + "summary": "@triggerBody()?['object']?['properties']?['title']" + } + }, + "host": { + "connection": { + "name": "@parameters('$connections')['Jira']['connectionId']" + } + }, + "method": "post", + "path": "/issue", + "queries": { + "projectKey": "SOC" + } + } + } + }, + "outputs": {} + }, + "parameters": { + "$connections": { + "value": { + "azuresentinel": { + "connectionId": "[resourceId('Microsoft.Web/connections', variables('AzureSentinelConnectionName'))]", + "connectionName": "[variables('AzureSentinelConnectionName')]", + "id": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', resourceGroup().location, '/managedApis/azuresentinel')]", + "connectionProperties": { + "authentication": { + "type": "ManagedServiceIdentity" + } + } + }, + "Jira": { + "connectionId": "[resourceId('Microsoft.Web/connections', variables('jiraConnectionName'))]", + "connectionName": "[variables('jiraConnectionName')]", + "id": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', resourceGroup().location, '/managedApis/jira')]" + } + } + } + } + } + } + ] +} \ No newline at end of file diff --git a/Solutions/CybersecurityMaturityModelCertification(CMMC)2.0/SolutionMetadata.json b/Solutions/CybersecurityMaturityModelCertification(CMMC)2.0/SolutionMetadata.json new file mode 100644 index 0000000000..2f09534755 --- /dev/null +++ b/Solutions/CybersecurityMaturityModelCertification(CMMC)2.0/SolutionMetadata.json @@ -0,0 +1,15 @@ +{ + "publisherId": "azuresentinel", + "offerId": "azure-sentinel-solution-cybersecuritymaturitymodel", + "firstPublishDate": "2021-10-20", + "providers": ["Microsoft"], + "categories": { + "domains" : ["Compliance"] + }, + "support": { + "name": "Microsoft Corporation", + "email": "support@microsoft.com", + "tier": "Microsoft", + "link": "https://support.microsoft.com" + } +} \ No newline at end of file diff --git a/Solutions/CybersecurityMaturityModelCertification(CMMC)2.0/Workbooks/CybersecurityMaturityModelCertification(CMMC)2.0.json b/Solutions/CybersecurityMaturityModelCertification(CMMC)2.0/Workbooks/CybersecurityMaturityModelCertification(CMMC)2.0.json new file mode 100644 index 0000000000..09d3e0739c --- /dev/null +++ b/Solutions/CybersecurityMaturityModelCertification(CMMC)2.0/Workbooks/CybersecurityMaturityModelCertification(CMMC)2.0.json @@ -0,0 +1,25020 @@ +{ + "version": "Notebook/1.0", + "items": [ + { + "type": 9, + "content": { + "version": "KqlParameterItem/1.0", + "parameters": [ + { + "id": "d7afa921-907e-4c42-87ca-e67aecd47310", + "version": "KqlParameterItem/1.0", + "name": "Help", + "label": "🔎 Getting Started", + "type": 10, + "isRequired": true, + "typeSettings": { + "additionalResourceOptions": [] + }, + "jsonData": "[\r\n {\"value\": \"Yes\", \"label\": \"Yes\", \"selected\":true},\r\n {\"value\": \"No\", \"label\": \"No\"}\r\n]", + "value": "No" + }, + { + "version": "KqlParameterItem/1.0", + "name": "DefaultSubscription_Internal", + "type": 1, + "isRequired": true, + "query": "where type =~ 'microsoft.operationalinsights/workspaces'\r\n| take 1\r\n| project subscriptionId", + "isHiddenWhenLocked": true, + "queryType": 1, + "resourceType": "microsoft.resourcegraph/resources", + "id": "43d364e3-978a-4385-8840-9e079d957863" + }, + { + "id": "e6ded9a1-a83c-4762-938d-5bf8ff3d3d38", + "version": "KqlParameterItem/1.0", + "name": "Subscription", + "type": 6, + "isRequired": true, + "multiSelect": true, + "quote": "'", + "delimiter": ",", + "query": "summarize by subscriptionId\r\n| project value = strcat(\"/subscriptions/\", subscriptionId), label = subscriptionId, selected = iff(subscriptionId =~ '{DefaultSubscription_Internal}', true, false)", + "crossComponentResources": [ + "value::selected" + ], + "typeSettings": { + "additionalResourceOptions": [ + "value::all" + ], + "showDefault": false + }, + "queryType": 1, + "resourceType": "microsoft.resourcegraph/resources", + "value": [ + "value::all" + ] + }, + { + "id": "e3225ed0-6210-40a1-b2d0-66e42ffa71d6", + "version": "KqlParameterItem/1.0", + "name": "Workspace", + "type": 5, + "multiSelect": true, + "quote": "'", + "delimiter": ",", + "query": "resources\r\n| where type =~ 'microsoft.operationalinsights/workspaces'\r\n| order by name asc\r\n| summarize Selected = makelist(id, 10), All = makelist(id, 1000)\r\n| mvexpand All limit 100\r\n| project value = tostring(All), label = tostring(All), selected = iff(Selected contains All, true, false)", + "crossComponentResources": [ + "value::all" + ], + "typeSettings": { + "additionalResourceOptions": [ + "value::all" + ], + "showDefault": false + }, + "queryType": 1, + "resourceType": "microsoft.resourcegraph/resources", + "value": [ + "value::all" + ] + }, + { + "id": "15b2c181-7397-43c1-900a-28e175ae8a6f", + "version": "KqlParameterItem/1.0", + "name": "TimeRange", + "label": "⏱️ Time Range", + "type": 4, + "isRequired": true, + "value": { + "durationMs": 2592000000 + }, + "typeSettings": { + "selectableValues": [ + { + "durationMs": 3600000 + }, + { + "durationMs": 14400000 + }, + { + "durationMs": 43200000 + }, + { + "durationMs": 86400000 + }, + { + "durationMs": 172800000 + }, + { + "durationMs": 259200000 + }, + { + "durationMs": 604800000 + }, + { + "durationMs": 1209600000 + }, + { + "durationMs": 2592000000 + }, + { + "durationMs": 5184000000 + }, + { + "durationMs": 7776000000 + } + ], + "allowCustom": true + }, + "timeContextFromParameter": "TimeRange" + } + ], + "style": "pills", + "queryType": 1, + "resourceType": "microsoft.resourcegraph/resources" + }, + "name": "Parameter Selectors" + }, + { + "type": 1, + "content": { + "json": "  Please take time to answer a quick survey,\r\n[ click here. ](https://forms.office.com/r/hK7zcBDNp8)" + }, + "name": "Survey" + }, + { + "type": 1, + "content": { + "json": "# Cybersecurity Maturity Model Certification (CMMC) 2.0 \n---\n\nWelcome to the Microsoft Sentinel: Cybersecurity Maturity Model Certification (CMMC) 2.0 Solution. CMMC model consists of maturity processes and cybersecurity best practices from multiple cybersecurity standards, frameworks, and other references, as well as inputs from the Defense Industrial Base (DIB) and Department of Defense (DoD stakeholders. \"CMMC 2.0 is the next iteration of the Department’s CMMC cybersecurity model. It streamlines requirements to three levels of cybersecurity – Foundational, Advanced and Expert – and aligns the requirements at each level with well-known and widely accepted NIST cybersecurity standards.\" For more information, see the💡[CMMC Model](https://www.acq.osd.mil/cmmc/model.html).\n\nThe Microsoft Sentinel CMMC 2.0 Solution demonstrates best practice guidance, but Microsoft does not guarantee nor imply compliance. The workbook outlines controls across Levels 1-2. All accreditation requirements and decisions are governed by the 💡 [CMMC Accreditation Body](https://www.cmmcab.org/c3pao-lp). This solution provides visibility and situational awareness for control requirements delivered with Microsoft technologies in predominantly cloud-based environments. Customer experience will vary by user and some panels may require additional configurations and query modification for operation. Recommendations should be considered a starting point for planning full or partial coverage of respective control requirements. \n" + }, + "customWidth": "79", + "name": "Workbook Overview" + }, + { + "type": 1, + "content": { + "json": "![Image Name](https://azure.microsoft.com/svghandler/azure-sentinel?width=600&height=315) " + }, + "customWidth": "20", + "name": "Microsoft Sentinel Logo" + }, + { + "type": 3, + "content": { + "version": "KqlItem/1.0", + "query": "{\"version\":\"1.0.0\",\"content\":\"[\\r\\n\\t{ \\\"Section\\\": \\\"Access Control\\\", \\\"tab\\\": \\\"AC\\\" },\\r\\n\\t{ \\\"Section\\\": \\\"Awareness & Training\\\", \\\"tab\\\": \\\"AT\\\" },\\r\\n\\t{ \\\"Section\\\": \\\"Audit & Accountability\\\", \\\"tab\\\": \\\"AU\\\" },\\r\\n { \\\"Section\\\": \\\"Configuration Management\\\", \\\"tab\\\": \\\"CM\\\" },\\r\\n\\t{ \\\"Section\\\": \\\"Identification & Authentication\\\", \\\"tab\\\": \\\"IA\\\" },\\r\\n\\t{ \\\"Section\\\": \\\"Incident Response\\\", \\\"tab\\\": \\\"IR\\\" },\\r\\n\\t{ \\\"Section\\\": \\\"Maintenance\\\", \\\"tab\\\": \\\"MA\\\" }\\r\\n]\",\"transformers\":null}", + "size": 3, + "title": "Control Family ", + "exportMultipleValues": true, + "exportedParameters": [ + { + "fieldName": "tab", + "parameterName": "Tab", + "parameterType": 1 + } + ], + "queryType": 8, + "gridSettings": { + "formatters": [ + { + "columnMatch": "tab", + "formatter": 5 + } + ] + } + }, + "customWidth": "30", + "name": "Control Family ", + "styleSettings": { + "showBorder": true + } + }, + { + "type": 9, + "content": { + "version": "KqlParameterItem/1.0", + "parameters": [ + { + "id": "7b682fc9-cb6b-4475-a24c-41dcb43d0cef", + "version": "KqlParameterItem/1.0", + "name": "isACVisible", + "type": 1, + "isHiddenWhenLocked": true, + "criteriaData": [ + { + "criteriaContext": { + "leftOperand": "Tab", + "operator": "contains", + "rightValType": "static", + "rightVal": "AC", + "resultValType": "static", + "resultVal": "true" + } + }, + { + "criteriaContext": { + "operator": "Default", + "rightValType": "param", + "resultValType": "static", + "resultVal": "false" + } + } + ], + "timeContext": { + "durationMs": 86400000 + } + }, + { + "id": "c01e6494-1f74-4194-88b3-c98bbabdf84f", + "version": "KqlParameterItem/1.0", + "name": "isAUVisible", + "type": 1, + "isHiddenWhenLocked": true, + "criteriaData": [ + { + "criteriaContext": { + "leftOperand": "Tab", + "operator": "contains", + "rightValType": "static", + "rightVal": "AU", + "resultValType": "static", + "resultVal": "true" + } + }, + { + "criteriaContext": { + "operator": "Default", + "rightValType": "param", + "resultValType": "static", + "resultVal": "false" + } + } + ], + "timeContext": { + "durationMs": 86400000 + } + }, + { + "id": "696bf441-12c0-45db-918c-215a1170f18e", + "version": "KqlParameterItem/1.0", + "name": "isATVisible", + "type": 1, + "isHiddenWhenLocked": true, + "criteriaData": [ + { + "criteriaContext": { + "leftOperand": "Tab", + "operator": "contains", + "rightValType": "static", + "rightVal": "AT", + "resultValType": "static", + "resultVal": "true" + } + }, + { + "criteriaContext": { + "operator": "Default", + "rightValType": "param", + "resultValType": "static", + "resultVal": "false" + } + } + ], + "timeContext": { + "durationMs": 86400000 + } + }, + { + "version": "KqlParameterItem/1.0", + "name": "isCMVisible", + "type": 1, + "isHiddenWhenLocked": true, + "criteriaData": [ + { + "criteriaContext": { + "leftOperand": "Tab", + "operator": "contains", + "rightValType": "static", + "rightVal": "CM", + "resultValType": "static", + "resultVal": "true" + } + }, + { + "criteriaContext": { + "operator": "Default", + "rightValType": "param", + "resultValType": "static", + "resultVal": "false" + } + } + ], + "timeContext": { + "durationMs": 86400000 + }, + "id": "02596750-83d0-48ad-b9e0-2897e262ab29" + }, + { + "id": "a932ee8a-1039-4482-9fc8-ed79fe6f2ebb", + "version": "KqlParameterItem/1.0", + "name": "isIAVisible", + "type": 1, + "isHiddenWhenLocked": true, + "criteriaData": [ + { + "criteriaContext": { + "leftOperand": "Tab", + "operator": "contains", + "rightValType": "static", + "rightVal": "IA", + "resultValType": "static", + "resultVal": "true" + } + }, + { + "criteriaContext": { + "operator": "Default", + "rightValType": "param", + "resultValType": "static", + "resultVal": "false" + } + } + ], + "timeContext": { + "durationMs": 86400000 + } + }, + { + "id": "2822f61e-a9f8-4419-87b6-f7b06a032cc2", + "version": "KqlParameterItem/1.0", + "name": "isIRVisible", + "type": 1, + "isHiddenWhenLocked": true, + "criteriaData": [ + { + "criteriaContext": { + "leftOperand": "Tab", + "operator": "contains", + "rightValType": "static", + "rightVal": "IR", + "resultValType": "static", + "resultVal": "true" + } + }, + { + "criteriaContext": { + "operator": "Default", + "rightValType": "param", + "resultValType": "static", + "resultVal": "false" + } + } + ], + "timeContext": { + "durationMs": 86400000 + } + }, + { + "id": "bf0d48ca-a190-4545-a5db-0ba94598632b", + "version": "KqlParameterItem/1.0", + "name": "isMAVisible", + "type": 1, + "isHiddenWhenLocked": true, + "criteriaData": [ + { + "criteriaContext": { + "leftOperand": "Tab", + "operator": "contains", + "rightValType": "static", + "rightVal": "MA", + "resultValType": "static", + "resultVal": "true" + } + }, + { + "criteriaContext": { + "operator": "Default", + "rightValType": "param", + "resultValType": "static", + "resultVal": "false" + } + } + ], + "timeContext": { + "durationMs": 86400000 + } + } + ], + "style": "pills", + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces" + }, + "customWidth": "5", + "name": "Hidden Parameters Selectors" + }, + { + "type": 3, + "content": { + "version": "KqlItem/1.0", + "query": "{\"version\":\"1.0.0\",\"content\":\"[\\r\\n\\t{ \\\"Section\\\": \\\"Media Protection\\\", \\\"tab\\\": \\\"MP\\\" },\\r\\n\\t{ \\\"Section\\\": \\\"Personnel Security\\\", \\\"tab\\\": \\\"PS\\\" },\\r\\n\\t{ \\\"Section\\\": \\\"Physical Protection\\\", \\\"tab\\\": \\\"PE\\\" },\\r\\n\\t{ \\\"Section\\\": \\\"Risk Assessment\\\", \\\"tab\\\": \\\"RM\\\" },\\r\\n\\t{ \\\"Section\\\": \\\"Security Assessment\\\", \\\"tab\\\": \\\"CA\\\" },\\r\\n\\t{ \\\"Section\\\": \\\"System & Communications Protection\\\", \\\"tab\\\": \\\"SC\\\" },\\r\\n\\t{ \\\"Section\\\": \\\"System & Information Integrity\\\", \\\"tab\\\": \\\"SI\\\" }\\r\\n]\",\"transformers\":null}", + "size": 3, + "exportMultipleValues": true, + "exportedParameters": [ + { + "fieldName": "tab", + "parameterName": "Tab", + "parameterType": 1 + } + ], + "queryType": 8, + "gridSettings": { + "formatters": [ + { + "columnMatch": "tab", + "formatter": 5 + } + ] + } + }, + "customWidth": "30", + "name": "Control Family - Copy", + "styleSettings": { + "showBorder": true + } + }, + { + "type": 9, + "content": { + "version": "KqlParameterItem/1.0", + "parameters": [ + { + "id": "308bde5a-386f-4674-a712-26e31436b12e", + "version": "KqlParameterItem/1.0", + "name": "isMPVisible", + "type": 1, + "isHiddenWhenLocked": true, + "criteriaData": [ + { + "criteriaContext": { + "leftOperand": "Tab", + "operator": "contains", + "rightValType": "static", + "rightVal": "MP", + "resultValType": "static", + "resultVal": "true" + } + }, + { + "criteriaContext": { + "operator": "Default", + "rightValType": "param", + "resultValType": "static", + "resultVal": "false" + } + } + ], + "timeContext": { + "durationMs": 86400000 + } + }, + { + "id": "e18bc9ef-6479-4eda-807a-b47f58f5f2f1", + "version": "KqlParameterItem/1.0", + "name": "isPSVisible", + "type": 1, + "isHiddenWhenLocked": true, + "criteriaData": [ + { + "criteriaContext": { + "leftOperand": "Tab", + "operator": "contains", + "rightValType": "static", + "rightVal": "PS", + "resultValType": "static", + "resultVal": "true" + } + }, + { + "criteriaContext": { + "operator": "Default", + "rightValType": "param", + "resultValType": "static", + "resultVal": "false" + } + } + ], + "timeContext": { + "durationMs": 86400000 + } + }, + { + "id": "401a85db-1c90-45b4-86d2-3e5439784818", + "version": "KqlParameterItem/1.0", + "name": "isPEVisible", + "type": 1, + "isHiddenWhenLocked": true, + "criteriaData": [ + { + "criteriaContext": { + "leftOperand": "Tab", + "operator": "contains", + "rightValType": "static", + "rightVal": "PE", + "resultValType": "static", + "resultVal": "true" + } + }, + { + "criteriaContext": { + "operator": "Default", + "rightValType": "param", + "resultValType": "static", + "resultVal": "false" + } + } + ], + "timeContext": { + "durationMs": 86400000 + } + }, + { + "version": "KqlParameterItem/1.0", + "name": "isRMVisible", + "type": 1, + "isHiddenWhenLocked": true, + "criteriaData": [ + { + "criteriaContext": { + "leftOperand": "Tab", + "operator": "contains", + "rightValType": "static", + "rightVal": "RM", + "resultValType": "static", + "resultVal": "true" + } + }, + { + "criteriaContext": { + "operator": "Default", + "rightValType": "param", + "resultValType": "static", + "resultVal": "false" + } + } + ], + "timeContext": { + "durationMs": 86400000 + }, + "id": "0af0cea9-8f28-4850-b48e-93a195efa02b" + }, + { + "id": "e9fdb883-980a-4147-b494-43f7137f7131", + "version": "KqlParameterItem/1.0", + "name": "isCAVisible", + "type": 1, + "isHiddenWhenLocked": true, + "criteriaData": [ + { + "criteriaContext": { + "leftOperand": "Tab", + "operator": "contains", + "rightValType": "static", + "rightVal": "CA", + "resultValType": "static", + "resultVal": "true" + } + }, + { + "criteriaContext": { + "operator": "Default", + "rightValType": "param", + "resultValType": "static", + "resultVal": "false" + } + } + ], + "timeContext": { + "durationMs": 86400000 + } + }, + { + "id": "c16d4f92-ce1a-4ff0-9576-23b39836e95d", + "version": "KqlParameterItem/1.0", + "name": "isSCVisible", + "type": 1, + "isHiddenWhenLocked": true, + "criteriaData": [ + { + "criteriaContext": { + "leftOperand": "Tab", + "operator": "contains", + "rightValType": "static", + "rightVal": "SC", + "resultValType": "static", + "resultVal": "true" + } + }, + { + "criteriaContext": { + "operator": "Default", + "rightValType": "param", + "resultValType": "static", + "resultVal": "false" + } + } + ], + "timeContext": { + "durationMs": 86400000 + } + }, + { + "version": "KqlParameterItem/1.0", + "name": "isSIVisible", + "type": 1, + "isHiddenWhenLocked": true, + "criteriaData": [ + { + "criteriaContext": { + "leftOperand": "Tab", + "operator": "contains", + "rightValType": "static", + "rightVal": "SI", + "resultValType": "static", + "resultVal": "true" + } + }, + { + "criteriaContext": { + "operator": "Default", + "rightValType": "param", + "resultValType": "static", + "resultVal": "false" + } + } + ], + "timeContext": { + "durationMs": 86400000 + }, + "id": "9637281c-861a-4ba6-90cd-6650f187f00c" + } + ], + "style": "pills", + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces" + }, + "customWidth": "5", + "name": "Hidden Parameters Selectors - Copy" + }, + { + "type": 3, + "content": { + "version": "KqlItem/1.0", + "query": "{\"version\":\"1.0.0\",\"content\":\"[\\r\\n\\t{ \\\"Section\\\": \\\"Assessment\\\", \\\"tab\\\": \\\"AS\\\" },\\r\\n\\t{ \\\"Section\\\": \\\"Level 1: Foundational\\\", \\\"tab\\\": \\\"ML1\\\" },\\r\\n\\t{ \\\"Section\\\": \\\"Level 2: Advanced\\\", \\\"tab\\\": \\\"ML2\\\" }\\r\\n]\",\"transformers\":null}", + "size": 3, + "title": "Level", + "exportMultipleValues": true, + "exportedParameters": [ + { + "fieldName": "tab", + "parameterName": "Tab", + "parameterType": 1 + } + ], + "queryType": 8, + "gridSettings": { + "formatters": [ + { + "columnMatch": "tab", + "formatter": 5 + } + ] + } + }, + "customWidth": "25", + "name": "Level", + "styleSettings": { + "showBorder": true + } + }, + { + "type": 9, + "content": { + "version": "KqlParameterItem/1.0", + "parameters": [ + { + "id": "43dec56c-837a-448a-883c-7fb77d265ae0", + "version": "KqlParameterItem/1.0", + "name": "isASVisible", + "type": 1, + "isHiddenWhenLocked": true, + "criteriaData": [ + { + "criteriaContext": { + "leftOperand": "Tab", + "operator": "contains", + "rightValType": "static", + "rightVal": "AS", + "resultValType": "static", + "resultVal": "true" + } + }, + { + "criteriaContext": { + "operator": "Default", + "rightValType": "param", + "resultValType": "static", + "resultVal": "false" + } + } + ], + "timeContext": { + "durationMs": 86400000 + } + }, + { + "id": "0f8e02ef-c3db-4938-80ac-238929482156", + "version": "KqlParameterItem/1.0", + "name": "isML1Visible", + "type": 1, + "isHiddenWhenLocked": true, + "criteriaData": [ + { + "criteriaContext": { + "leftOperand": "Tab", + "operator": "contains", + "rightValType": "static", + "rightVal": "ML1", + "resultValType": "static", + "resultVal": "true" + } + }, + { + "criteriaContext": { + "operator": "Default", + "rightValType": "param", + "resultValType": "static", + "resultVal": "false" + } + } + ], + "timeContext": { + "durationMs": 86400000 + } + }, + { + "version": "KqlParameterItem/1.0", + "name": "isML2Visible", + "type": 1, + "isHiddenWhenLocked": true, + "criteriaData": [ + { + "criteriaContext": { + "leftOperand": "Tab", + "operator": "contains", + "rightValType": "static", + "rightVal": "ML2", + "resultValType": "static", + "resultVal": "true" + } + }, + { + "criteriaContext": { + "operator": "Default", + "rightValType": "param", + "resultValType": "static", + "resultVal": "false" + } + } + ], + "timeContext": { + "durationMs": 86400000 + }, + "id": "0b94fcd8-d50f-4d94-a6d0-978630b1a05c" + } + ], + "style": "pills", + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces" + }, + "customWidth": "5", + "name": "Hidden Parameters Selectors for ML" + }, + { + "type": 12, + "content": { + "version": "NotebookGroup/1.0", + "groupType": "editable", + "items": [ + { + "type": 1, + "content": { + "json": "## Getting Started\r\nThis solution is designed to augment staffing through automation, query/alerting generation, and visualizations, and alerting. This solution leverages Azure Policy, Azure Resource Graph, and Azure Log Analytics to align with Cybersecurity Maturity Model Certification 2.0 control requirements. A filter set is available for custom reporting by guides, subscriptions, workspaces, time-filtering, control family, and maturity level. This offering telemetry from 50+ Microsoft Security products, while only Microsoft Sentinel/Microsoft Defender for Cloud are required to get started, each offering provides additional enrichment for aligning with control requirements. Each CMMC control includes a Control Card detailing an overiew of requirements, primary/secondary controls, deep-links to referenced product pages/portals, recommendations, implementation guides, compliance cross-walks and tooling telemetry for building situational awareness of cloud workloads.
\r\n💡 [Planning: Review Microsoft Product Placemat for CMMC 2.0](https://aka.ms/cmmc/productplacemat)
\r\n💡 [Onboard Microsoft Sentinel](https://docs.microsoft.com/azure/sentinel/quickstart-onboard)
\r\n💡 [Onboard Microsoft Defender for Cloud](https://docs.microsoft.com/azure/security-center/security-center-get-started)
\r\n💡 [Add the Microsoft Defender for Cloud: NIST SP 800 171 R2 Assessment to Your Dashboard](https://docs.microsoft.com/azure/security-center/update-regulatory-compliance-packages#add-a-regulatory-standard-to-your-dashboard)
\r\n💡 [Continuously Export Security Center Data to Log Analytics Workspace](https://docs.microsoft.com/azure/security-center/continuous-export)
\r\n💡 [Extend Microsoft Sentinel Across Workspaces and Tenants](https://docs.microsoft.com/azure/sentinel/extend-sentinel-across-workspaces-tenants)
", + "style": "info" + }, + "name": "Help" + } + ] + }, + "conditionalVisibility": { + "parameterName": "Help", + "comparison": "isEqualTo", + "value": "Yes" + }, + "customWidth": "66", + "name": "group - 30" + }, + { + "type": 1, + "content": { + "json": "![Image Name](https://www.acq.osd.mil/cmmc/imgs/cmmc2-levels-st.png) \r\nFor more information, see the💡[CMMC Model](https://www.acq.osd.mil/cmmc/model.html)" + }, + "conditionalVisibility": { + "parameterName": "Help", + "comparison": "isEqualTo", + "value": "Yes" + }, + "customWidth": "33", + "name": "text - 29" + }, + { + "type": 12, + "content": { + "version": "NotebookGroup/1.0", + "groupType": "editable", + "items": [ + { + "type": 1, + "content": { + "json": "# Assessment\r\n---\r\n\r\nThe Assessment section provides a mechanism to find, fix, and resolve CMMC recommendations aligned to NIST SP 800-171. A selector provides capability to filter by all, specific, or groups of control ids. Upon selection, subordinate panels will summarize CMMC recommendations by control family, status over time, recommendations, and resources identified. These panels are helpful for identifying the CMMC control areas of interest, status over time, and which resources are most impacted by these vulnerabilties. The CMMC Recommendation details provides a mechanism to identify specific recommendation details with deep-links to pivot to Microsoft Defender for Cloud: Regulatory Compliance for remediation." + }, + "customWidth": "49", + "name": "NS Guide" + }, + { + "type": 1, + "content": { + "json": "" + }, + "customWidth": "5", + "name": "text - 11" + }, + { + "type": 9, + "content": { + "version": "KqlParameterItem/1.0", + "crossComponentResources": [ + "{Workspace}" + ], + "parameters": [ + { + "id": "99a47f97-1aa4-4840-91ee-119aad6d6217", + "version": "KqlParameterItem/1.0", + "name": "Level", + "label": "CMMC 2.0 Level", + "type": 2, + "isRequired": true, + "multiSelect": true, + "quote": "'", + "delimiter": ",", + "query": "SecurityRegulatoryCompliance\r\n| where ComplianceStandard == \"NIST-SP-800-171-R2\"\r\n| extend Level=iff(ComplianceControl in (\"3.1.1\",\"3.1.2\",\"3.1.20\",\"3.1.22\",\"3.4.1\",\"3.5.2\",\"3.5.2\",\"3.8.3\",\"3.13.1\",\"3.13.5\",\"3.14.1\",\"3.14.2\",\"3.14.4\",\"3.14.5\"), \"Level 1: Foundational\",\"Level 2: Advanced\")\r\n| summarize count() by Level\r\n| project-away count_\r\n| sort by Level asc", + "crossComponentResources": [ + "{Workspace}" + ], + "value": [ + "Level 1: Foundational" + ], + "typeSettings": { + "additionalResourceOptions": [ + "value::all" + ], + "showDefault": false + }, + "timeContext": { + "durationMs": 2592000000 + }, + "timeContextFromParameter": "TimeRange", + "defaultValue": "value::all", + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces" + } + ], + "style": "pills", + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces" + }, + "customWidth": "40", + "name": "parameters - 26" + }, + { + "type": 3, + "content": { + "version": "KqlItem/1.0", + "query": "SecurityRegulatoryCompliance\r\n| where ComplianceStandard == \"NIST-SP-800-171-R2\"\r\n| extend Level=iff(ComplianceControl in (\"3.1.1\",\"3.1.2\",\"3.1.20\",\"3.1.22\",\"3.4.1\",\"3.5.2\",\"3.5.2\",\"3.8.3\",\"3.13.1\",\"3.13.5\",\"3.14.1\",\"3.14.2\",\"3.14.4\",\"3.14.5\"), \"Level 1: Foundational\",\"Level 2: Advanced\")\r\n| where Level in ({Level})\r\n| summarize arg_max(TimeGenerated, *) by RecommendationName, AssessedResourceId, Level\r\n| summarize Failed = countif(State == \"Failed\"), Passed = countif(State == \"Passed\"), Total = countif(State == \"Passed\" or State == \"Failed\") by Level\r\n| extend PassedControls = (Passed/todouble(Total))*100\r\n| project Level, Total, PassedControls, Passed, Failed\r\n| sort by Total desc\r\n| limit 250\r\n", + "size": 0, + "showAnalytics": true, + "title": "🔀 Recommendations by Level", + "noDataMessage": "An Empty Panel Provides Opportunity To Explore Further and Implement Hardening. Controls: Confirm Licensing, Availability, and Health of Respective Offerings. Logging: Confirm Log Source is Onboarded to the Log Analytics Workspace. Time: Adjust the Time Parameter for a Larger Data-Set. ", + "timeContext": { + "durationMs": 2592000000 + }, + "timeContextFromParameter": "TimeRange", + "showExportToExcel": true, + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces", + "crossComponentResources": [ + "{Workspace}" + ], + "gridSettings": { + "formatters": [ + { + "columnMatch": "Total", + "formatter": 22, + "formatOptions": { + "compositeBarSettings": { + "labelText": "[\"Passed\"]/[\"Total\"]", + "columnSettings": [ + { + "columnName": "Passed", + "color": "green" + }, + { + "columnName": "Failed", + "color": "redBright" + } + ] + } + } + }, + { + "columnMatch": "PassedControls", + "formatter": 0, + "numberFormat": { + "unit": 1, + "options": { + "style": "decimal", + "useGrouping": true, + "minimumIntegerDigits": 2, + "minimumFractionDigits": 2, + "maximumFractionDigits": 2, + "minimumSignificantDigits": 2, + "maximumSignificantDigits": 4 + } + } + }, + { + "columnMatch": "count_", + "formatter": 4, + "formatOptions": { + "palette": "yellowOrangeRed" + } + }, + { + "columnMatch": "total_controls_curr", + "formatter": 22, + "formatOptions": { + "compositeBarSettings": { + "labelText": "[\"Passed\"]/[\"Failed\"]", + "columnSettings": [ + { + "columnName": "Passed", + "color": "green" + }, + { + "columnName": "Failed", + "color": "redBright" + } + ] + } + } + } + ], + "filter": true + } + }, + "customWidth": "50", + "name": "query - 6" + }, + { + "type": 3, + "content": { + "version": "KqlItem/1.0", + "query": "SecurityRegulatoryCompliance\r\n| where ComplianceStandard == \"NIST-SP-800-171-R2\"\r\n| extend Level=iff(ComplianceControl in (\"3.1.1\",\"3.1.2\",\"3.1.20\",\"3.1.22\",\"3.4.1\",\"3.5.2\",\"3.5.2\",\"3.8.3\",\"3.13.1\",\"3.13.5\",\"3.14.1\",\"3.14.2\",\"3.14.4\",\"3.14.5\"), \"Level 1: Foundational\",\"Level 2: Advanced\")\r\n| where Level in ({Level})\r\n| summarize arg_max(TimeGenerated, *) by RecommendationName, AssessedResourceId\r\n| summarize Failed = countif(State == \"Failed\"), Passed = countif(State == \"Passed\"), Total = countif(State == \"Passed\" or State == \"Failed\") by RecommendationName\r\n| extend PassedControls = (Passed/todouble(Total))*100\r\n| project RecommendationName, Total, PassedControls, Passed, Failed\r\n| sort by Total desc\r\n| limit 250", + "size": 0, + "showAnalytics": true, + "title": "🔀 Recommendations by Count", + "noDataMessage": "An Empty Panel Provides Opportunity To Explore Further and Implement Hardening. Controls: Confirm Licensing, Availability, and Health of Respective Offerings. Logging: Confirm Log Source is Onboarded to the Log Analytics Workspace. Time: Adjust the Time Parameter for a Larger Data-Set. ", + "timeContext": { + "durationMs": 0 + }, + "timeContextFromParameter": "TimeRange", + "showExportToExcel": true, + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces", + "crossComponentResources": [ + "{Workspace}" + ], + "gridSettings": { + "formatters": [ + { + "columnMatch": "Total", + "formatter": 22, + "formatOptions": { + "compositeBarSettings": { + "labelText": "[\"Passed\"]/[\"Total\"]", + "columnSettings": [ + { + "columnName": "Passed", + "color": "green" + }, + { + "columnName": "Failed", + "color": "redBright" + } + ] + } + } + }, + { + "columnMatch": "PassedControls", + "formatter": 0, + "numberFormat": { + "unit": 1, + "options": { + "style": "decimal", + "useGrouping": true, + "minimumIntegerDigits": 2, + "minimumFractionDigits": 2, + "maximumFractionDigits": 2, + "minimumSignificantDigits": 2, + "maximumSignificantDigits": 4 + } + } + }, + { + "columnMatch": "count_", + "formatter": 4, + "formatOptions": { + "palette": "yellowOrangeRed" + } + }, + { + "columnMatch": "total_controls_curr", + "formatter": 22, + "formatOptions": { + "compositeBarSettings": { + "labelText": "[\"Passed\"]/[\"Failed\"]", + "columnSettings": [ + { + "columnName": "Passed", + "color": "green" + }, + { + "columnName": "Failed", + "color": "redBright" + } + ] + } + } + } + ], + "filter": true + }, + "sortBy": [] + }, + "customWidth": "50", + "name": "query - 6 - Copy" + }, + { + "type": 3, + "content": { + "version": "KqlItem/1.0", + "query": "SecurityRegulatoryCompliance\r\n| where ComplianceStandard == \"NIST-SP-800-171-R2\"\r\n| extend Level=iff(ComplianceControl in (\"3.1.1\",\"3.1.2\",\"3.1.20\",\"3.1.22\",\"3.4.1\",\"3.5.2\",\"3.5.2\",\"3.8.3\",\"3.13.1\",\"3.13.5\",\"3.14.1\",\"3.14.2\",\"3.14.4\",\"3.14.5\"), \"Level 1: Foundational\",\"Level 2: Advanced\")\r\n| where Level in ({Level})\r\n| join kind=inner(SecurityRecommendation) on RecommendationName\r\n| extend ResourceID=tolower(AssessedResourceId1)\r\n| summarize arg_max(TimeGenerated, *) by RecommendationName, ResourceID\r\n| where State == \"Failed\"\r\n| summarize count() by ResourceID\r\n| sort by count_ desc\r\n| limit 250", + "size": 0, + "showAnalytics": true, + "title": " 🔀 Recommendations by Asset", + "noDataMessage": "An Empty Panel Provides Opportunity To Explore Further and Implement Hardening. Controls: Confirm Licensing, Availability, and Health of Respective Offerings. Logging: Confirm Log Source is Onboarded to the Log Analytics Workspace. Time: Adjust the Time Parameter for a Larger Data-Set. ", + "showExportToExcel": true, + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces", + "crossComponentResources": [ + "{Workspace}" + ], + "gridSettings": { + "formatters": [ + { + "columnMatch": "count_", + "formatter": 4, + "formatOptions": { + "palette": "yellowOrangeRed" + } + }, + { + "columnMatch": "RecommendationDisplayName", + "formatter": 18, + "formatOptions": { + "thresholdsOptions": "icons", + "thresholdsGrid": [ + { + "operator": "Default", + "thresholdValue": null, + "representation": "warning", + "text": "{0}{1}" + } + ] + } + }, + { + "columnMatch": "Severity", + "formatter": 18, + "formatOptions": { + "thresholdsOptions": "colors", + "thresholdsGrid": [ + { + "operator": "==", + "thresholdValue": "High", + "representation": "redBright", + "text": "{0}{1}" + }, + { + "operator": "==", + "thresholdValue": "Medium", + "representation": "orange", + "text": "{0}{1}" + }, + { + "operator": "==", + "thresholdValue": "Low", + "representation": "yellow", + "text": "{0}{1}" + }, + { + "operator": "Default", + "thresholdValue": null, + "representation": "blue", + "text": "{0}{1}" + } + ] + } + }, + { + "columnMatch": "State", + "formatter": 1 + }, + { + "columnMatch": "ControlID", + "formatter": 1 + }, + { + "columnMatch": "Recommendation", + "formatter": 7, + "formatOptions": { + "linkTarget": "Url", + "linkLabel": "Go to Recommendation >" + } + } + ], + "filter": true + }, + "sortBy": [] + }, + "customWidth": "50", + "name": "query - 8" + }, + { + "type": 3, + "content": { + "version": "KqlItem/1.0", + "query": "SecurityRegulatoryCompliance\r\n| where ComplianceStandard == \"NIST-SP-800-171-R2\"\r\n| extend Level=iff(ComplianceControl in (\"3.1.1\",\"3.1.2\",\"3.1.20\",\"3.1.22\",\"3.4.1\",\"3.5.2\",\"3.5.2\",\"3.8.3\",\"3.13.1\",\"3.13.5\",\"3.14.1\",\"3.14.2\",\"3.14.4\",\"3.14.5\"), \"Level 1: Foundational\",\"Level 2: Advanced\")\r\n| where Level in ({Level})\r\n| where State == \"Failed\"\r\n| make-series count() default=0 on TimeGenerated from startofday({TimeRange:start}) to startofday({TimeRange:end}) step 1d by Level\r\n| render timechart", + "size": 0, + "showAnalytics": true, + "title": "🔀 Posture over Time", + "noDataMessage": "An Empty Panel Provides Opportunity To Explore Further and Implement Hardening. Controls: Confirm Licensing, Availability, and Health of Respective Offerings. Logging: Confirm Log Source is Onboarded to the Log Analytics Workspace. Time: Adjust the Time Parameter for a Larger Data-Set. ", + "timeContext": { + "durationMs": 2592000000 + }, + "timeContextFromParameter": "TimeRange", + "showExportToExcel": true, + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces", + "crossComponentResources": [ + "{Workspace}" + ], + "gridSettings": { + "formatters": [ + { + "columnMatch": "RecommendationDisplayName", + "formatter": 18, + "formatOptions": { + "thresholdsOptions": "icons", + "thresholdsGrid": [ + { + "operator": "Default", + "thresholdValue": null, + "representation": "warning", + "text": "{0}{1}" + } + ] + } + }, + { + "columnMatch": "Severity", + "formatter": 18, + "formatOptions": { + "thresholdsOptions": "colors", + "thresholdsGrid": [ + { + "operator": "==", + "thresholdValue": "High", + "representation": "redBright", + "text": "{0}{1}" + }, + { + "operator": "==", + "thresholdValue": "Medium", + "representation": "orange", + "text": "{0}{1}" + }, + { + "operator": "==", + "thresholdValue": "Low", + "representation": "yellow", + "text": "{0}{1}" + }, + { + "operator": "Default", + "thresholdValue": null, + "representation": "blue", + "text": "{0}{1}" + } + ] + } + }, + { + "columnMatch": "State", + "formatter": 1 + }, + { + "columnMatch": "ControlID", + "formatter": 1 + }, + { + "columnMatch": "Recommendation", + "formatter": 7, + "formatOptions": { + "linkTarget": "Url", + "linkLabel": "Go to Recommendation >" + } + } + ] + } + }, + "customWidth": "50", + "name": "query - 7" + }, + { + "type": 3, + "content": { + "version": "KqlItem/1.0", + "query": "SecurityRegulatoryCompliance\r\n| where ComplianceStandard == \"NIST-SP-800-171-R2\"\r\n| extend Level=iff(ComplianceControl in (\"3.1.1\",\"3.1.2\",\"3.1.20\",\"3.1.22\",\"3.4.1\",\"3.5.2\",\"3.5.2\",\"3.8.3\",\"3.13.1\",\"3.13.5\",\"3.14.1\",\"3.14.2\",\"3.14.4\",\"3.14.5\"), \"Level 1: Foundational\",\"Level 2: Advanced\")\r\n| where Level in ({Level})\r\n| join kind=inner(SecurityRecommendation) on RecommendationName\r\n| extend ResourceID=tolower(AssessedResourceId1)\r\n| summarize arg_max(TimeGenerated, *) by RecommendationName, ResourceID\r\n| extend RemediationLink = RecommendationLink\r\n| where State == \"Failed\"\r\n| project RecommendationDisplayName, Level, ResourceID, State, RecommendationSeverity, RemediationLink, FirstEvaluationDate, TimeGenerated\r\n| limit 250", + "size": 0, + "showAnalytics": true, + "title": " 🔀 Recommendation Details", + "noDataMessage": "An Empty Panel Provides Opportunity To Explore Further and Implement Hardening. Controls: Confirm Licensing, Availability, and Health of Respective Offerings. Logging: Confirm Log Source is Onboarded to the Log Analytics Workspace. Time: Adjust the Time Parameter for a Larger Data-Set. ", + "showExportToExcel": true, + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces", + "crossComponentResources": [ + "{Workspace}" + ], + "gridSettings": { + "formatters": [ + { + "columnMatch": "RecommendationDisplayName", + "formatter": 18, + "formatOptions": { + "thresholdsOptions": "icons", + "thresholdsGrid": [ + { + "operator": "Default", + "thresholdValue": null, + "representation": "warning", + "text": "{0}{1}" + } + ] + } + }, + { + "columnMatch": "State", + "formatter": 1 + }, + { + "columnMatch": "Severity", + "formatter": 18, + "formatOptions": { + "thresholdsOptions": "colors", + "thresholdsGrid": [ + { + "operator": "==", + "thresholdValue": "High", + "representation": "redBright", + "text": "{0}{1}" + }, + { + "operator": "==", + "thresholdValue": "Medium", + "representation": "orange", + "text": "{0}{1}" + }, + { + "operator": "==", + "thresholdValue": "Low", + "representation": "yellow", + "text": "{0}{1}" + }, + { + "operator": "Default", + "thresholdValue": null, + "representation": "blue", + "text": "{0}{1}" + } + ] + } + }, + { + "columnMatch": "RemediationLink", + "formatter": 7, + "formatOptions": { + "linkTarget": "Url", + "linkLabel": "Quick Fix >>" + } + }, + { + "columnMatch": "count_", + "formatter": 4, + "formatOptions": { + "palette": "yellowOrangeRed" + } + }, + { + "columnMatch": "ControlID", + "formatter": 1 + }, + { + "columnMatch": "Recommendation", + "formatter": 7, + "formatOptions": { + "linkTarget": "Url", + "linkLabel": "Go to Recommendation >" + } + } + ], + "filter": true + } + }, + "name": "query - 9" + } + ] + }, + "conditionalVisibility": { + "parameterName": "isASVisible", + "comparison": "isEqualTo", + "value": "true" + }, + "name": "Assessment" + }, + { + "type": 12, + "content": { + "version": "NotebookGroup/1.0", + "groupType": "editable", + "items": [ + { + "type": 1, + "content": { + "json": "# Access Control \r\n---\r\nAccess Control is the process of authorizing users, groups, and computers to access objects on a network, asset, and/or cloud. Key concepts that make up access control are permissions, ownership of objects, inheritance of permissions, user rights, and object auditing. For more information, see the 💡[CMMC Model](https://www.acq.osd.mil/cmmc/model.html)" + }, + "customWidth": "50", + "name": "text - 5" + }, + { + "type": 12, + "content": { + "version": "NotebookGroup/1.0", + "groupType": "editable", + "title": "Level 1: Foundational", + "items": [ + { + "type": 1, + "content": { + "json": "The Department views Level 1 (“Foundational”) as an opportunity to engage its contractors in developing and strengthening their approach to cybersecurity. Because Level 1 does not involve sensitive national security information, DoD intends for this Level to allow companies to assess their own cybersecurity and begin adopting practices that will thwart cyber-attacks. " + }, + "customWidth": "50", + "name": "text - 1" + }, + { + "type": 1, + "content": { + "json": "" + }, + "customWidth": "5", + "name": "text - 2" + }, + { + "type": 11, + "content": { + "version": "LinkItem/1.0", + "style": "list", + "links": [ + { + "id": "af33f331-b64b-4fbd-a0b4-3e411ff705a8", + "cellValue": "AC.L1-3.1.1", + "linkTarget": "step", + "linkLabel": "✳️ (AC.L1-3.1.1) Authorized Access Control", + "preText": "", + "postText": "", + "style": "link" + }, + { + "id": "cca4d1e8-e1e2-4b1d-9b8a-698e6496924c", + "cellValue": "AC.L1-3.1.2", + "linkTarget": "step", + "linkLabel": "✳️ (AC.L1-3.1.2) Transaction & Function Control", + "preText": "", + "postText": "", + "style": "link" + }, + { + "id": "f7074cad-e2ec-4a2c-84d1-7b33b14d4c04", + "cellValue": "AC.L1-3.1.20", + "linkTarget": "step", + "linkLabel": "✳️ (AC.L1-3.1.20) External Connections", + "preText": "", + "postText": "", + "style": "link" + }, + { + "id": "35bfb771-67e1-480a-ac96-0a59f2c8dbc2", + "cellValue": "AC.L1-3.1.22", + "linkTarget": "step", + "linkLabel": "✳️ (AC.L1-3.1.22) Control Public Information", + "preText": "", + "postText": "", + "style": "link" + } + ] + }, + "customWidth": "40", + "name": "ML1 Steps" + }, + { + "type": 12, + "content": { + "version": "NotebookGroup/1.0", + "groupType": "editable", + "items": [ + { + "type": 1, + "content": { + "json": "# [(AC.L1-3.1.1) Authorized Access Control](https://docs.microsoft.com/azure/governance/policy/samples/cmmc-l3#limit-information-system-access-to-authorized-users-processes-acting-on-behalf-of-authorized-users-and-devices-including-other-information-systems)\r\n\r\n## Primary Services\r\n✳️ [Microsoft Defender for Cloud](https://azure.microsoft.com/services/security-center) 🔀[Microsoft Defender for Cloud](https://portal.azure.com/#blade/Microsoft_Azure_Security/SecurityMenuBlade/0)
\r\n✳️ [Azure Active Directory](https://azure.microsoft.com/services/active-directory/) 🔀[Azure Active Directory Portal](https://portal.azure.com/#blade/Microsoft_AAD_IAM/ActiveDirectoryMenuBlade/Overview)
\r\n✳️[Intune/Microsoft Endpoint Manager](https://www.microsoft.com/microsoft-365/microsoft-endpoint-Manager) 🔀[Microsoft Endpoint Manager Admin Center](https://endpoint.microsoft.com/#home)
\r\n\r\n## Secondary Services\r\n✳️ [Conditional Access](https://docs.microsoft.com/azure/active-directory/conditional-access/overview) 🔀[Azure Active Directory: Conditional Access](https://portal.azure.com/#blade/Microsoft_AAD_IAM/ConditionalAccessBlade/Policies)
\r\n✳️ [Customer Lockbox](https://docs.microsoft.com/azure/security/fundamentals/customer-lockbox-overview) 🔀[Customer Lockbox](https://portal.azure.com/#blade/Microsoft_Azure_Lockbox/LockboxMenu/Overview)
\r\n✳️ [Azure AD Privileged Identity Management](https://docs.microsoft.com/azure/active-directory/privileged-identity-management/pim-getting-started) 🔀[Privileged Identity Management](https://portal.azure.com/#blade/Microsoft_Azure_PIMCommon/CommonMenuBlade/quickStart)
\r\n✳️ [Microsoft Defender for Office 365](https://www.microsoft.com/microsoft-365/security/office-365-defender) 🔀[Microsoft 365 Defender Portal](https://security.microsoft.com/homepage)
\r\n\r\n## Recommended Logs \r\n🔷 [SigninLogs](https://docs.microsoft.com/azure/azure-monitor/reference/tables/signinlogs) ✳️ [Azure Active Directory](https://azure.microsoft.com/services/active-directory/)
\r\n\r\n## Implementation Guidance\r\n[Microsoft Technical Reference Guide for CMMC](https://aka.ms/cmmc/techrefguide)\r\n## NIST SP 800-171 Mapping\r\n[3.1.1](https://csrc.nist.gov/publications/detail/sp/800-171/rev-2/final) \r\n## NIST SP 800-53 R4 Mapping\r\n[AC-2, AC-3, AC-17](https://csrc.nist.gov/publications/detail/sp/800-53/rev-4/final)\r\n## Microsoft Defender for Cloud: Regulatory Compliance\r\n[Go To: NIST SP 800-171 Assessment >](https://portal.azure.com/#blade/Microsoft_Azure_Security/SecurityMenuBlade/22)\r\n" + }, + "customWidth": "50", + "name": "text - 2", + "styleSettings": { + "maxWidth": "50%" + } + }, + { + "type": 3, + "content": { + "version": "KqlItem/1.0", + "query": "SigninLogs\r\n| extend UserProfile = strcat(\"https://portal.azure.com/#blade/Microsoft_AAD_IAM/UserDetailsMenuBlade/Profile/userId/\",UserId)\r\n| where ResultType == 0\r\n| summarize count() by UserPrincipalName, UserProfile\r\n| project UserPrincipalName, count_, UserProfile\r\n| sort by count_ desc\r\n| limit 250\r\n", + "size": 0, + "showAnalytics": true, + "title": "AAD User Profiles", + "noDataMessage": "An Empty Panel Provides Opportunity To Explore Further and Implement Hardening. Controls: Confirm Licensing, Availability, and Health of Respective Offerings. Logging: Confirm Log Source is Onboarded to the Log Analytics Workspace. Time: Adjust the Time Parameter for a Larger Data-Set. ", + "timeContext": { + "durationMs": 2592000000 + }, + "timeContextFromParameter": "TimeRange", + "showExportToExcel": true, + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces", + "crossComponentResources": [ + "{Workspace}" + ], + "gridSettings": { + "formatters": [ + { + "columnMatch": "UserPrincipalName", + "formatter": 18, + "formatOptions": { + "thresholdsOptions": "icons", + "thresholdsGrid": [ + { + "operator": "Default", + "thresholdValue": null, + "representation": "Person", + "text": "{0}{1}" + } + ] + } + }, + { + "columnMatch": "UserProfile", + "formatter": 7, + "formatOptions": { + "linkTarget": "Url", + "linkLabel": "Go to User Profile >" + } + }, + { + "columnMatch": "UserRoles", + "formatter": 7, + "formatOptions": { + "linkTarget": "Url", + "linkLabel": "Go to Roles >" + } + }, + { + "columnMatch": "AdminRoles", + "formatter": 7, + "formatOptions": { + "linkTarget": "Url", + "linkLabel": "Go to AdminRoles >" + } + }, + { + "columnMatch": "Groups", + "formatter": 7, + "formatOptions": { + "linkTarget": "Url", + "linkLabel": "Go to Groups >" + } + }, + { + "columnMatch": "Applications", + "formatter": 7, + "formatOptions": { + "linkTarget": "Url", + "linkLabel": "Go to Apps >" + } + }, + { + "columnMatch": "Licenses", + "formatter": 7, + "formatOptions": { + "linkTarget": "Url", + "linkLabel": "Go to Licenses >" + } + }, + { + "columnMatch": "Devices", + "formatter": 7, + "formatOptions": { + "linkTarget": "Url", + "linkLabel": "Go to Devices >" + } + }, + { + "columnMatch": "AzureRoles", + "formatter": 7, + "formatOptions": { + "linkTarget": "Url", + "linkLabel": "Go to AzureRoles >" + } + }, + { + "columnMatch": "SignIns", + "formatter": 7, + "formatOptions": { + "linkTarget": "Url", + "linkLabel": "Go to SignIns >" + } + }, + { + "columnMatch": "AuditLogs", + "formatter": 7, + "formatOptions": { + "linkTarget": "Url", + "linkLabel": "Go to AuditLogs >" + } + }, + { + "columnMatch": "count_", + "formatter": 4, + "formatOptions": { + "palette": "blue" + } + }, + { + "columnMatch": "AzureActiveDirectoryProfile", + "formatter": 7, + "formatOptions": { + "linkTarget": "Url", + "linkLabel": "Go to AAD Profile >" + } + }, + { + "columnMatch": "IncidentCount", + "formatter": 8, + "formatOptions": { + "palette": "redBright" + } + }, + { + "columnMatch": "AlertCount", + "formatter": 8, + "formatOptions": { + "palette": "orange" + } + }, + { + "columnMatch": "AnomalyCount", + "formatter": 8, + "formatOptions": { + "palette": "yellow" + } + } + ], + "rowLimit": 1000, + "filter": true + }, + "sortBy": [], + "tileSettings": { + "titleContent": { + "columnMatch": "SigninStatus", + "formatter": 1 + }, + "leftContent": { + "columnMatch": "Count", + "formatter": 12, + "formatOptions": { + "palette": "blue" + }, + "numberFormat": { + "unit": 17, + "options": { + "style": "decimal", + "maximumFractionDigits": 2, + "maximumSignificantDigits": 3 + } + } + }, + "secondaryContent": { + "columnMatch": "Trend", + "formatter": 9, + "formatOptions": { + "palette": "green" + } + }, + "showBorder": false + }, + "mapSettings": { + "locInfo": "CountryRegion", + "locInfoColumn": "Location", + "latitude": "SourceIPLocation", + "longitude": "SourceIPLocation", + "sizeSettings": "Location", + "sizeAggregation": "Count", + "legendMetric": "Location", + "legendAggregation": "Count", + "itemColorSettings": { + "nodeColorField": "Location", + "colorAggregation": "Count", + "type": "thresholds", + "thresholdsGrid": [ + { + "operator": "Default", + "thresholdValue": null, + "representation": "blueDark" + } + ] + } + } + }, + "customWidth": "50", + "name": "query - 5" + }, + { + "type": 12, + "content": { + "version": "NotebookGroup/1.0", + "groupType": "editable", + "items": [ + { + "type": 1, + "content": { + "json": "## Control Assessment\r\n" + }, + "name": "text - 2" + }, + { + "type": 9, + "content": { + "version": "KqlParameterItem/1.0", + "parameters": [ + { + "id": "52668f65-b44a-4e14-82d8-c87410e7e5dc", + "version": "KqlParameterItem/1.0", + "name": "ImplementationStatus", + "label": "Implementation Status", + "type": 2, + "typeSettings": { + "additionalResourceOptions": [], + "showDefault": false + }, + "jsonData": "[\r\n {\"value\": \"Not Implemented\", \"label\": \"Not Implemented\", \"selected\":true},\r\n {\"value\": \"Implemented\", \"label\": \"Implemented\"},\r\n {\"value\": \"Alternate Implementation\", \"label\": \"Alternate Implementation\"},\r\n {\"value\": \"Planned\", \"label\": \"Planned\"},\r\n {\"value\": \"Out of Scope\", \"label\": \"Out of Scope\"}\r\n]", + "timeContext": { + "durationMs": 86400000 + } + }, + { + "id": "578b8620-30b9-4b92-abc6-997998bc8156", + "version": "KqlParameterItem/1.0", + "name": "ImplementationDate", + "label": "Implementation Date", + "type": 1, + "value": "", + "timeContext": { + "durationMs": 86400000 + } + }, + { + "version": "KqlParameterItem/1.0", + "name": "Notes", + "type": 1, + "value": "", + "timeContext": { + "durationMs": 86400000 + }, + "id": "7bd0d384-d3c3-4c77-9dae-d75e823edfcf" + } + ], + "style": "pills", + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces" + }, + "name": "Status" + }, + { + "type": 1, + "content": { + "json": "### Notes
\r\n{Notes}" + }, + "name": "text - 1" + } + ] + }, + "customWidth": "50", + "name": "group - 2" + } + ] + }, + "name": "AC.L1-3.1.1", + "styleSettings": { + "margin": "3", + "padding": "3", + "showBorder": true + } + }, + { + "type": 12, + "content": { + "version": "NotebookGroup/1.0", + "groupType": "editable", + "items": [ + { + "type": 1, + "content": { + "json": "# [(AC.L1-3.1.2) Transaction & Function Control)](https://docs.microsoft.com/azure/governance/policy/samples/cmmc-l3#limit-information-system-access-to-the-types-of-transactions-and-functions-that-authorized-users-are-permitted-to-execute)\r\n\r\n## Primary Services\r\n✳️ [Microsoft Defender for Cloud](https://azure.microsoft.com/services/security-center) 🔀[Microsoft Defender for Cloud](https://portal.azure.com/#blade/Microsoft_Azure_Security/SecurityMenuBlade/0)
\r\n✳️ [Azure Active Directory](https://azure.microsoft.com/services/active-directory/) 🔀[Azure Active Directory Portal](https://portal.azure.com/#blade/Microsoft_AAD_IAM/ActiveDirectoryMenuBlade/Overview)
\r\n✳️ [Azure AD Privileged Identity Management](https://docs.microsoft.com/azure/active-directory/privileged-identity-management/pim-getting-started) 🔀[Privileged Identity Management](https://portal.azure.com/#blade/Microsoft_Azure_PIMCommon/CommonMenuBlade/quickStart)
\r\n\r\n## Secondary Services\r\n✳️ [Network Security Groups](https://docs.microsoft.com/azure/virtual-network/network-security-groups-overview) 🔀[Network Security Groups](https://portal.azure.com/#blade/HubsExtension/BrowseResource/resourceType/Microsoft.Network%2FNetworkSecurityGroups)
\r\n✳️ [Conditional Access](https://docs.microsoft.com/azure/active-directory/conditional-access/overview) 🔀[Azure Active Directory: Conditional Access](https://portal.azure.com/#blade/Microsoft_AAD_IAM/ConditionalAccessBlade/Policies)
\r\n✳️ [GitHub Enterprise Cloud](https://github.com/enterprise) 🔀[GitHub Enterprise](https://enterprise.github.com/login)
\r\n✳️ [GitHub AE](https://docs.github.com/en/github-ae@latest/admin/overview/about-github-ae) 🔀[GitHub](https://github.com/)
\r\n\r\n## Recommended Logs\r\n🔷 [AuditLogs](https://docs.microsoft.com/azure/azure-monitor/reference/tables/auditlogs) ✳️ [Azure Monitor]( https://azure.microsoft.com/services/monitor/)
\r\n\r\n## Implementation Guidance\r\n[Microsoft Technical Reference Guide for CMMC](https://aka.ms/cmmc/techrefguide)\r\n## NIST SP 800-171 Mapping\r\n[3.1.2](https://csrc.nist.gov/publications/detail/sp/800-171/rev-2/final) \r\n## NIST SP 800-53 R4 Mapping\r\n[AC-2, AC-3, AC-17](https://csrc.nist.gov/publications/detail/sp/800-53/rev-4/final)\r\n## Microsoft Defender for Cloud: Regulatory Compliance\r\n[Go To: NIST SP 800-171 Assessment >](https://portal.azure.com/#blade/Microsoft_Azure_Security/SecurityMenuBlade/22)" + }, + "customWidth": "50", + "name": "text - 1", + "styleSettings": { + "margin": "2", + "padding": "2", + "maxWidth": "50%" + } + }, + { + "type": 3, + "content": { + "version": "KqlItem/1.0", + "query": "AuditLogs\r\n| extend UserPrincipalName = tostring(InitiatedBy.user.userPrincipalName)\r\n| extend UserProfile = strcat(\"https://portal.azure.com/#blade/Microsoft_AAD_IAM/UserDetailsMenuBlade/Profile/userId/\",UserPrincipalName)\r\n| summarize Runs = count(), Success = countif(Result == 'success'), Fails = countif(Result != 'success') by UserPrincipalName, OperationName, UserProfile // Summarize the total, successful and failed operations by name\r\n| extend SuccessRate = (Success * 100 / Runs) // Calculate the percentage of succesful operations against the total\r\n| summarize count() by UserPrincipalName, UserProfile, OperationName, Runs, SuccessRate, Fails\r\n| where UserPrincipalName <> \"\"\r\n| sort by Runs desc\r\n| limit 250\r\n", + "size": 0, + "showAnalytics": true, + "title": "User Actions", + "noDataMessage": "An Empty Panel Provides Opportunity To Explore Further and Implement Hardening. Controls: Confirm Licensing, Availability, and Health of Respective Offerings. Logging: Confirm Log Source is Onboarded to the Log Analytics Workspace. Time: Adjust the Time Parameter for a Larger Data-Set. ", + "timeContext": { + "durationMs": 2592000000 + }, + "timeContextFromParameter": "TimeRange", + "showExportToExcel": true, + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces", + "crossComponentResources": [ + "{Workspace}" + ], + "gridSettings": { + "formatters": [ + { + "columnMatch": "UserPrincipalName", + "formatter": 18, + "formatOptions": { + "thresholdsOptions": "icons", + "thresholdsGrid": [ + { + "operator": "Default", + "thresholdValue": null, + "representation": "Globe", + "text": "{0}{1}" + } + ] + } + }, + { + "columnMatch": "UserProfile", + "formatter": 7, + "formatOptions": { + "linkTarget": "Url", + "linkLabel": "Go To: AAD User Profile >" + } + }, + { + "columnMatch": "OperationName", + "formatter": 18, + "formatOptions": { + "thresholdsOptions": "icons", + "thresholdsGrid": [ + { + "operator": "Default", + "thresholdValue": null, + "representation": "uninitialized", + "text": "{0}{1}" + } + ] + } + }, + { + "columnMatch": "Runs", + "formatter": 4, + "formatOptions": { + "palette": "blue" + } + }, + { + "columnMatch": "SuccessRate", + "formatter": 8, + "formatOptions": { + "palette": "green" + } + }, + { + "columnMatch": "Fails", + "formatter": 8, + "formatOptions": { + "palette": "red" + } + }, + { + "columnMatch": "count_", + "formatter": 8, + "formatOptions": { + "palette": "blue" + } + }, + { + "columnMatch": "UserId", + "formatter": 18, + "formatOptions": { + "thresholdsOptions": "icons", + "thresholdsGrid": [ + { + "operator": "Default", + "thresholdValue": null, + "representation": "resource", + "text": "{0}{1}" + } + ] + } + }, + { + "columnMatch": "OfficeWorkload", + "formatter": 18, + "formatOptions": { + "thresholdsOptions": "icons", + "thresholdsGrid": [ + { + "operator": "Default", + "thresholdValue": null, + "representation": "resource", + "text": "{0}{1}" + } + ] + } + } + ], + "filter": true + }, + "sortBy": [] + }, + "customWidth": "50", + "name": "query - 4" + }, + { + "type": 12, + "content": { + "version": "NotebookGroup/1.0", + "groupType": "editable", + "items": [ + { + "type": 1, + "content": { + "json": "## Control Assessment\r\n" + }, + "name": "text - 2" + }, + { + "type": 9, + "content": { + "version": "KqlParameterItem/1.0", + "parameters": [ + { + "id": "52668f65-b44a-4e14-82d8-c87410e7e5dc", + "version": "KqlParameterItem/1.0", + "name": "ImplementationStatus", + "label": "Implementation Status", + "type": 2, + "typeSettings": { + "additionalResourceOptions": [], + "showDefault": false + }, + "jsonData": "[\r\n {\"value\": \"Not Implemented\", \"label\": \"Not Implemented\", \"selected\":true},\r\n {\"value\": \"Implemented\", \"label\": \"Implemented\"},\r\n {\"value\": \"Alternate Implementation\", \"label\": \"Alternate Implementation\"},\r\n {\"value\": \"Planned\", \"label\": \"Planned\"},\r\n {\"value\": \"Out of Scope\", \"label\": \"Out of Scope\"}\r\n]", + "timeContext": { + "durationMs": 86400000 + } + }, + { + "id": "578b8620-30b9-4b92-abc6-997998bc8156", + "version": "KqlParameterItem/1.0", + "name": "ImplementationDate", + "label": "Implementation Date", + "type": 1, + "value": "", + "timeContext": { + "durationMs": 86400000 + } + }, + { + "version": "KqlParameterItem/1.0", + "name": "Notes", + "type": 1, + "value": "", + "timeContext": { + "durationMs": 86400000 + }, + "id": "7bd0d384-d3c3-4c77-9dae-d75e823edfcf" + } + ], + "style": "pills", + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces" + }, + "name": "Status" + }, + { + "type": 1, + "content": { + "json": "### Notes
\r\n{Notes}" + }, + "name": "text - 1" + } + ] + }, + "customWidth": "50", + "name": "group - 2" + } + ] + }, + "name": "AC.L1-3.1.2", + "styleSettings": { + "showBorder": true + } + }, + { + "type": 12, + "content": { + "version": "NotebookGroup/1.0", + "groupType": "editable", + "items": [ + { + "type": 1, + "content": { + "json": "# [(AC.L1-3.1.20) External Connections](https://docs.microsoft.com/azure/governance/policy/samples/cmmc-l3#verify-and-controllimit-connections-to-and-use-of-external-information-systems)\r\n\r\n## Primary Services\r\n✳️ [Microsoft Defender for Cloud](https://azure.microsoft.com/services/security-center) 🔀[Microsoft Defender for Cloud](https://portal.azure.com/#blade/Microsoft_Azure_Security/SecurityMenuBlade/0)
\r\n✳️ [Azure Active Directory](https://azure.microsoft.com/services/active-directory/) 🔀[Azure Active Directory Portal](https://portal.azure.com/#blade/Microsoft_AAD_IAM/ActiveDirectoryMenuBlade/Overview)
\r\n\r\n## Secondary Services\r\n✳️ [Microsoft Azure Portal](https://azure.microsoft.com/services/azure-defender-for-iot/) 🔀[Microsoft Azure Portal](https://portal.azure.com/)
\r\n✳️ [Azure Firewall](https://azure.microsoft.com/services/azure-firewall/) 🔀[Azure Firewall Manager](https://portal.azure.com/#blade/Microsoft_Azure_HybridNetworking/FirewallManagerMenuBlade/firewallManagerOverview)
\r\n✳️ [Network Security Groups](https://docs.microsoft.com/azure/virtual-network/network-security-groups-overview) 🔀[Network Security Groups](https://portal.azure.com/#blade/HubsExtension/BrowseResource/resourceType/Microsoft.Network%2FNetworkSecurityGroups)
\r\n✳️ [Conditional Access](https://docs.microsoft.com/azure/active-directory/conditional-access/overview) 🔀[Azure Active Directory: Conditional Access](https://portal.azure.com/#blade/Microsoft_AAD_IAM/ConditionalAccessBlade/Policies)
\r\n✳️ [Intune/Microsoft Endpoint Manager](https://www.microsoft.com/microsoft-365/microsoft-endpoint-Manager) 🔀[Microsoft Endpoint Manager Admin Center](https://endpoint.microsoft.com/#home)
\r\n\r\n## Recommended Logs\r\n🔷 [SigninLogs](https://docs.microsoft.com/azure/azure-monitor/reference/tables/signinlogs) ✳️ [Azure Active Directory](https://azure.microsoft.com/services/active-directory/)
\r\n\r\n## Implementation Guidance\r\n[Microsoft Technical Reference Guide for CMMC](https://aka.ms/cmmc/techrefguide)\r\n## NIST SP 800-171 Mapping\r\n[3.1.20](https://csrc.nist.gov/publications/detail/sp/800-171/rev-2/final) \r\n## NIST SP 800-53 R4 Mapping\r\n[AC-20, AC-20(1)](https://csrc.nist.gov/publications/detail/sp/800-53/rev-4/final)\r\n## Microsoft Defender for Cloud: Regulatory Compliance\r\n[Go To: NIST SP 800-171 Assessment >](https://portal.azure.com/#blade/Microsoft_Azure_Security/SecurityMenuBlade/22)" + }, + "customWidth": "50", + "name": "text - 1", + "styleSettings": { + "margin": "2", + "padding": "2", + "maxWidth": "50%" + } + }, + { + "type": 3, + "content": { + "version": "KqlItem/1.0", + "query": "SigninLogs\r\n| where Location <> \"\"\r\n| where ResultType == 0\r\n| extend UserProfile = strcat(\"https://portal.azure.com/#blade/Microsoft_AAD_IAM/UserDetailsMenuBlade/Profile/userId/\",UserId)\r\n| extend latitude_ = tostring(parse_json(tostring(LocationDetails.geoCoordinates)).latitude)\r\n| extend longitude_ = tostring(parse_json(tostring(LocationDetails.geoCoordinates)).longitude)\r\n| extend City = tostring(LocationDetails.city)\r\n| summarize count() by UserPrincipalName, City, Location, UserProfile\r\n| sort by count_ desc\r\n| limit 250", + "size": 0, + "showAnalytics": true, + "title": "User Sign-In Location Details", + "noDataMessage": "An Empty Panel Provides Opportunity To Explore Further and Implement Hardening. Controls: Confirm Licensing, Availability, and Health of Respective Offerings. Logging: Confirm Log Source is Onboarded to the Log Analytics Workspace. Time: Adjust the Time Parameter for a Larger Data-Set. ", + "timeContext": { + "durationMs": 2592000000 + }, + "timeContextFromParameter": "TimeRange", + "showExportToExcel": true, + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces", + "crossComponentResources": [ + "{Workspace}" + ], + "gridSettings": { + "formatters": [ + { + "columnMatch": "UserPrincipalName", + "formatter": 18, + "formatOptions": { + "thresholdsOptions": "icons", + "thresholdsGrid": [ + { + "operator": "Default", + "thresholdValue": null, + "representation": "Person", + "text": "{0}{1}" + } + ] + } + }, + { + "columnMatch": "City", + "formatter": 18, + "formatOptions": { + "thresholdsOptions": "icons", + "thresholdsGrid": [ + { + "operator": "Default", + "thresholdValue": null, + "representation": "Globe", + "text": "{0}{1}" + } + ] + } + }, + { + "columnMatch": "Location", + "formatter": 18, + "formatOptions": { + "thresholdsOptions": "icons", + "thresholdsGrid": [ + { + "operator": "Default", + "thresholdValue": null, + "representation": "Globe", + "text": "{0}{1}" + } + ] + } + }, + { + "columnMatch": "UserProfile", + "formatter": 7, + "formatOptions": { + "linkTarget": "Url", + "linkLabel": "Go To AAD User Profile >" + } + }, + { + "columnMatch": "count_", + "formatter": 4, + "formatOptions": { + "palette": "blue" + } + } + ], + "filter": true + }, + "mapSettings": { + "locInfo": "LatLong", + "locInfoColumn": "Location", + "latitude": "latitude_", + "longitude": "longitude_", + "sizeSettings": "city_", + "sizeAggregation": "Count", + "labelSettings": "city_", + "legendMetric": "city_", + "numberOfMetrics": 100, + "legendAggregation": "Count", + "itemColorSettings": { + "nodeColorField": "state_", + "colorAggregation": "Count", + "type": "heatmap", + "heatmapPalette": "coldHot" + } + } + }, + "customWidth": "50", + "name": "query - 4 - Copy" + }, + { + "type": 12, + "content": { + "version": "NotebookGroup/1.0", + "groupType": "editable", + "items": [ + { + "type": 1, + "content": { + "json": "## Control Assessment\r\n" + }, + "name": "text - 2" + }, + { + "type": 9, + "content": { + "version": "KqlParameterItem/1.0", + "parameters": [ + { + "id": "52668f65-b44a-4e14-82d8-c87410e7e5dc", + "version": "KqlParameterItem/1.0", + "name": "ImplementationStatus", + "label": "Implementation Status", + "type": 2, + "typeSettings": { + "additionalResourceOptions": [], + "showDefault": false + }, + "jsonData": "[\r\n {\"value\": \"Not Implemented\", \"label\": \"Not Implemented\", \"selected\":true},\r\n {\"value\": \"Implemented\", \"label\": \"Implemented\"},\r\n {\"value\": \"Alternate Implementation\", \"label\": \"Alternate Implementation\"},\r\n {\"value\": \"Planned\", \"label\": \"Planned\"},\r\n {\"value\": \"Out of Scope\", \"label\": \"Out of Scope\"}\r\n]", + "timeContext": { + "durationMs": 86400000 + } + }, + { + "id": "578b8620-30b9-4b92-abc6-997998bc8156", + "version": "KqlParameterItem/1.0", + "name": "ImplementationDate", + "label": "Implementation Date", + "type": 1, + "value": "", + "timeContext": { + "durationMs": 86400000 + } + }, + { + "version": "KqlParameterItem/1.0", + "name": "Notes", + "type": 1, + "value": "", + "timeContext": { + "durationMs": 86400000 + }, + "id": "7bd0d384-d3c3-4c77-9dae-d75e823edfcf" + } + ], + "style": "pills", + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces" + }, + "name": "Status" + }, + { + "type": 1, + "content": { + "json": "### Notes
\r\n{Notes}" + }, + "name": "text - 1" + } + ] + }, + "customWidth": "50", + "name": "group - 2" + }, + { + "type": 3, + "content": { + "version": "KqlItem/1.0", + "query": "SigninLogs\r\n| where Location <> \"\"\r\n| where ResultType == 0\r\n| extend latitude_ = tostring(parse_json(tostring(LocationDetails.geoCoordinates)).latitude)\r\n| extend longitude_ = tostring(parse_json(tostring(LocationDetails.geoCoordinates)).longitude)\r\n| extend city_ = tostring(LocationDetails.city)\r\n", + "size": 2, + "title": "User Sign-Ins by Geolocation", + "noDataMessage": "An Empty Panel Provides Opportunity To Explore Further and Implement Hardening. Controls: Confirm Licensing, Availability, and Health of Respective Offerings. Logging: Confirm Log Source is Onboarded to the Log Analytics Workspace. Time: Adjust the Time Parameter for a Larger Data-Set. ", + "timeContext": { + "durationMs": 2592000000 + }, + "timeContextFromParameter": "TimeRange", + "showExportToExcel": true, + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces", + "crossComponentResources": [ + "{Workspace}" + ], + "visualization": "map", + "mapSettings": { + "locInfo": "LatLong", + "locInfoColumn": "Location", + "latitude": "latitude_", + "longitude": "longitude_", + "sizeSettings": "city_", + "sizeAggregation": "Count", + "labelSettings": "city_", + "legendMetric": "city_", + "numberOfMetrics": 12, + "legendAggregation": "Count", + "itemColorSettings": { + "nodeColorField": "state_", + "colorAggregation": "Count", + "type": "heatmap", + "heatmapPalette": "coldHot", + "heatmapMax": 100 + }, + "numberFormatSettings": { + "unit": 0, + "options": { + "style": "decimal", + "useGrouping": false + } + } + } + }, + "name": "query - 4" + } + ] + }, + "name": "AC.L1-3.1.20", + "styleSettings": { + "showBorder": true + } + }, + { + "type": 12, + "content": { + "version": "NotebookGroup/1.0", + "groupType": "editable", + "items": [ + { + "type": 1, + "content": { + "json": "# (AC.L1-3.1.22) Control Public Information\r\n\r\n## Primary Services\r\n✳️ [Intune/Microsoft Endpoint Manager](https://www.microsoft.com/microsoft-365/microsoft-endpoint-Manager) 🔀[Microsoft Endpoint Manager Admin Center](https://endpoint.microsoft.com/#home)
\r\n\r\n## Secondary Services\r\n✳️ [Microsoft Sentinel](https://azure.microsoft.com/services/azure-sentinel/) 🔀[Microsoft Sentinel](https://portal.azure.com/#blade/HubsExtension/BrowseResource/resourceType/microsoft.securityinsightsarg%2Fsentinel)
\r\n\r\n## Recommended Logs\r\n🔷 [InformationProtectionLogs_CL](https://docs.microsoft.com/azure/information-protection/audit-logs) ✳️ [Azure Information Protection](https://azure.microsoft.com/services/information-protection/)
\r\n🔷 [SecurityAlert](https://docs.microsoft.com/azure/azure-monitor/reference/tables/securityalert) ✳️ [Microsoft Sentinel](https://azure.microsoft.com/services/azure-sentinel/)
\r\n\r\n## Implementation Guidance\r\n[Microsoft Technical Reference Guide for CMMC](https://aka.ms/cmmc/techrefguide)\r\n## NIST SP 800-171 Mapping\r\n[3.1.22](https://csrc.nist.gov/publications/detail/sp/800-171/rev-2/final) \r\n## NIST SP 800-53 R4 Mapping\r\n[AC-22](https://csrc.nist.gov/publications/detail/sp/800-53/rev-4/final)\r\n## Microsoft Defender for Cloud: Regulatory Compliance\r\n[Go To: NIST SP 800-171 Assessment >](https://portal.azure.com/#blade/Microsoft_Azure_Security/SecurityMenuBlade/22)" + }, + "customWidth": "50", + "name": "text - 1", + "styleSettings": { + "margin": "2", + "padding": "2", + "maxWidth": "50%" + } + }, + { + "type": 3, + "content": { + "version": "KqlItem/1.0", + "query": "InformationProtectionLogs_CL\r\n| distinct UserId_s, LabelName_s, ApplicationName_s_s, Operation_s_s, Protected_b_s, Platform_s_s, Activity_s_s, ProtectionOwner_s, TimeGenerated_s\r\n| sort by TimeGenerated_s desc\r\n\r\n", + "size": 0, + "showAnalytics": true, + "title": "Azure Information Protection Details", + "noDataMessage": "An Empty Panel Provides Opportunity To Explore Further and Implement Hardening. Controls: Confirm Licensing, Availability, and Health of Respective Offerings. Logging: Confirm Log Source is Onboarded to the Log Analytics Workspace. Time: Adjust the Time Parameter for a Larger Data-Set. ", + "timeContext": { + "durationMs": 2592000000 + }, + "timeContextFromParameter": "TimeRange", + "showExportToExcel": true, + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces", + "crossComponentResources": [ + "{Workspace}" + ], + "gridSettings": { + "formatters": [ + { + "columnMatch": "UserId_s", + "formatter": 18, + "formatOptions": { + "thresholdsOptions": "icons", + "thresholdsGrid": [ + { + "operator": "Default", + "thresholdValue": null, + "representation": "Person", + "text": "{0}{1}" + } + ] + } + }, + { + "columnMatch": "AlertName", + "formatter": 18, + "formatOptions": { + "thresholdsOptions": "icons", + "thresholdsGrid": [ + { + "operator": "Default", + "thresholdValue": null, + "representation": "3", + "text": "{0}{1}" + } + ] + } + }, + { + "columnMatch": "Severity", + "formatter": 18, + "formatOptions": { + "thresholdsOptions": "colors", + "thresholdsGrid": [ + { + "operator": "==", + "thresholdValue": "High", + "representation": "red", + "text": "{0}{1}" + }, + { + "operator": "==", + "thresholdValue": "Medium", + "representation": "orange", + "text": "{0}{1}" + }, + { + "operator": "==", + "thresholdValue": "Low", + "representation": "yellow", + "text": "{0}{1}" + }, + { + "operator": "Default", + "thresholdValue": null, + "representation": "blue", + "text": "{0}{1}" + } + ] + } + }, + { + "columnMatch": "ProductName", + "formatter": 18, + "formatOptions": { + "thresholdsOptions": "icons", + "thresholdsGrid": [ + { + "operator": "Default", + "thresholdValue": null, + "representation": "uninitialized", + "text": "{0}{1}" + } + ] + } + }, + { + "columnMatch": "AlertLink", + "formatter": 7, + "formatOptions": { + "linkTarget": "Url", + "linkLabel": "Go to Alert >" + } + }, + { + "columnMatch": "UPN", + "formatter": 18, + "formatOptions": { + "thresholdsOptions": "icons", + "thresholdsGrid": [ + { + "operator": "Default", + "thresholdValue": null, + "representation": "2", + "text": "{0}{1}" + } + ] + } + }, + { + "columnMatch": "IncidentUrl", + "formatter": 7, + "formatOptions": { + "linkTarget": "Url", + "linkLabel": "Go to Incident >" + }, + "numberFormat": { + "unit": 0, + "options": { + "style": "decimal" + } + } + }, + { + "columnMatch": "count_", + "formatter": 8, + "formatOptions": { + "palette": "blue" + } + }, + { + "columnMatch": "city_", + "formatter": 18, + "formatOptions": { + "thresholdsOptions": "colors", + "thresholdsGrid": [ + { + "operator": "Default", + "thresholdValue": null, + "representation": "blue", + "text": "{0}{1}" + } + ] + } + }, + { + "columnMatch": "state_", + "formatter": 18, + "formatOptions": { + "thresholdsOptions": "colors", + "thresholdsGrid": [ + { + "operator": "Default", + "thresholdValue": null, + "representation": "blueDark", + "text": "{0}{1}" + } + ] + } + } + ], + "filter": true + }, + "tileSettings": { + "titleContent": { + "columnMatch": "SigninStatus", + "formatter": 1 + }, + "leftContent": { + "columnMatch": "Count", + "formatter": 12, + "formatOptions": { + "palette": "blue" + }, + "numberFormat": { + "unit": 17, + "options": { + "style": "decimal", + "maximumFractionDigits": 2, + "maximumSignificantDigits": 3 + } + } + }, + "secondaryContent": { + "columnMatch": "Trend", + "formatter": 9, + "formatOptions": { + "palette": "green" + } + }, + "showBorder": false + }, + "mapSettings": { + "locInfo": "CountryRegion", + "locInfoColumn": "Location", + "latitude": "SourceIPLocation", + "longitude": "SourceIPLocation", + "sizeSettings": "Location", + "sizeAggregation": "Count", + "legendMetric": "Location", + "legendAggregation": "Count", + "itemColorSettings": { + "nodeColorField": "Location", + "colorAggregation": "Count", + "type": "thresholds", + "thresholdsGrid": [ + { + "operator": "Default", + "thresholdValue": null, + "representation": "blueDark" + } + ] + } + } + }, + "customWidth": "50", + "name": "query - 2" + }, + { + "type": 12, + "content": { + "version": "NotebookGroup/1.0", + "groupType": "editable", + "items": [ + { + "type": 1, + "content": { + "json": "## Control Assessment\r\n" + }, + "name": "text - 2" + }, + { + "type": 9, + "content": { + "version": "KqlParameterItem/1.0", + "parameters": [ + { + "id": "52668f65-b44a-4e14-82d8-c87410e7e5dc", + "version": "KqlParameterItem/1.0", + "name": "ImplementationStatus", + "label": "Implementation Status", + "type": 2, + "typeSettings": { + "additionalResourceOptions": [], + "showDefault": false + }, + "jsonData": "[\r\n {\"value\": \"Not Implemented\", \"label\": \"Not Implemented\", \"selected\":true},\r\n {\"value\": \"Implemented\", \"label\": \"Implemented\"},\r\n {\"value\": \"Alternate Implementation\", \"label\": \"Alternate Implementation\"},\r\n {\"value\": \"Planned\", \"label\": \"Planned\"},\r\n {\"value\": \"Out of Scope\", \"label\": \"Out of Scope\"}\r\n]", + "timeContext": { + "durationMs": 86400000 + } + }, + { + "id": "578b8620-30b9-4b92-abc6-997998bc8156", + "version": "KqlParameterItem/1.0", + "name": "ImplementationDate", + "label": "Implementation Date", + "type": 1, + "value": "", + "timeContext": { + "durationMs": 86400000 + } + }, + { + "version": "KqlParameterItem/1.0", + "name": "Notes", + "type": 1, + "value": "", + "timeContext": { + "durationMs": 86400000 + }, + "id": "7bd0d384-d3c3-4c77-9dae-d75e823edfcf" + } + ], + "style": "pills", + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces" + }, + "name": "Status" + }, + { + "type": 1, + "content": { + "json": "### Notes
\r\n{Notes}" + }, + "name": "text - 1" + } + ] + }, + "customWidth": "50", + "name": "group - 2" + }, + { + "type": 3, + "content": { + "version": "KqlItem/1.0", + "query": "SecurityAlert\r\n | summarize hint.strategy = shuffle arg_max(TimeGenerated, *), NumberOfUpdates = count() by SystemAlertId\r\n | mv-expand todynamic(Entities)\r\n | where Entities[\"Type\"] =~ \"account\"\r\n | extend Name = tostring(tolower(Entities[\"Name\"])), NTDomain = tostring(Entities[\"NTDomain\"]), UPNSuffix = tostring(Entities[\"UPNSuffix\"]), AadUserId = tostring(Entities[\"AadUserId\"]), AadTenantId = tostring(Entities[\"AadTenantId\"]), \r\n Sid = tostring(Entities[\"Sid\"]), IsDomainJoined = tobool(Entities[\"IsDomainJoined\"]), Host = tostring(Entities[\"Host\"])\r\n | extend UPN = iff(Name != \"\" and UPNSuffix != \"\", strcat(Name, \"@\", UPNSuffix), \"\")\r\n| extend Href_ = tostring(parse_json(ExtendedLinks)[0].Href)\r\n| extend UserPrincipalName = UPN\r\n| distinct UserPrincipalName, AlertName, ProductName, Status, AlertLink, Tactics, TimeGenerated\r\n| where AlertName contains \"sensitive\" or AlertName contains \"data\" or AlertName contains \"leak\" or Tactics contains \"exfil\" or AlertName contains \"theft\" or AlertName contains \"steal\" or AlertName contains \"PII\" or AlertName contains \"intellectual\" or AlertName contains \"confidential\" or AlertName contains \"spill\"\r\n| sort by TimeGenerated desc\r\n| limit 250", + "size": 0, + "title": "Sensitive Data Leaks Alert Details", + "noDataMessage": "An Empty Panel Provides Opportunity To Explore Further and Implement Hardening. Controls: Confirm Licensing, Availability, and Health of Respective Offerings. Logging: Confirm Log Source is Onboarded to the Log Analytics Workspace. Time: Adjust the Time Parameter for a Larger Data-S", + "timeContext": { + "durationMs": 2592000000 + }, + "timeContextFromParameter": "TimeRange", + "showExportToExcel": true, + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces", + "crossComponentResources": [ + "{Workspace}" + ], + "gridSettings": { + "formatters": [ + { + "columnMatch": "UserPrincipalName", + "formatter": 18, + "formatOptions": { + "thresholdsOptions": "icons", + "thresholdsGrid": [ + { + "operator": "Default", + "thresholdValue": null, + "representation": "Person", + "text": "{0}{1}" + } + ] + } + }, + { + "columnMatch": "AlertName", + "formatter": 18, + "formatOptions": { + "thresholdsOptions": "icons", + "thresholdsGrid": [ + { + "operator": "Default", + "thresholdValue": null, + "representation": "3", + "text": "{0}{1}" + } + ] + } + }, + { + "columnMatch": "ProductName", + "formatter": 18, + "formatOptions": { + "thresholdsOptions": "icons", + "thresholdsGrid": [ + { + "operator": "Default", + "thresholdValue": null, + "representation": "uninitialized", + "text": "{0}{1}" + } + ] + } + }, + { + "columnMatch": "AlertLink", + "formatter": 7, + "formatOptions": { + "linkTarget": "Url", + "linkLabel": "" + } + }, + { + "columnMatch": "Severity", + "formatter": 18, + "formatOptions": { + "thresholdsOptions": "colors", + "thresholdsGrid": [ + { + "operator": "==", + "thresholdValue": "High", + "representation": "red", + "text": "{0}{1}" + }, + { + "operator": "==", + "thresholdValue": "Medium", + "representation": "orange", + "text": "{0}{1}" + }, + { + "operator": "==", + "thresholdValue": "Low", + "representation": "yellow", + "text": "{0}{1}" + }, + { + "operator": "Default", + "thresholdValue": null, + "representation": "blue", + "text": "{0}{1}" + } + ] + } + }, + { + "columnMatch": "UPN", + "formatter": 18, + "formatOptions": { + "thresholdsOptions": "icons", + "thresholdsGrid": [ + { + "operator": "Default", + "thresholdValue": null, + "representation": "2", + "text": "{0}{1}" + } + ] + } + }, + { + "columnMatch": "IncidentUrl", + "formatter": 7, + "formatOptions": { + "linkTarget": "Url", + "linkLabel": "Go to Incident >" + }, + "numberFormat": { + "unit": 0, + "options": { + "style": "decimal" + } + } + }, + { + "columnMatch": "count_", + "formatter": 8, + "formatOptions": { + "palette": "blue" + } + }, + { + "columnMatch": "city_", + "formatter": 18, + "formatOptions": { + "thresholdsOptions": "colors", + "thresholdsGrid": [ + { + "operator": "Default", + "thresholdValue": null, + "representation": "blue", + "text": "{0}{1}" + } + ] + } + }, + { + "columnMatch": "state_", + "formatter": 18, + "formatOptions": { + "thresholdsOptions": "colors", + "thresholdsGrid": [ + { + "operator": "Default", + "thresholdValue": null, + "representation": "blueDark", + "text": "{0}{1}" + } + ] + } + } + ], + "filter": true + }, + "tileSettings": { + "titleContent": { + "columnMatch": "SigninStatus", + "formatter": 1 + }, + "leftContent": { + "columnMatch": "Count", + "formatter": 12, + "formatOptions": { + "palette": "blue" + }, + "numberFormat": { + "unit": 17, + "options": { + "style": "decimal", + "maximumFractionDigits": 2, + "maximumSignificantDigits": 3 + } + } + }, + "secondaryContent": { + "columnMatch": "Trend", + "formatter": 9, + "formatOptions": { + "palette": "green" + } + }, + "showBorder": false + }, + "mapSettings": { + "locInfo": "CountryRegion", + "locInfoColumn": "Location", + "latitude": "SourceIPLocation", + "longitude": "SourceIPLocation", + "sizeSettings": "Location", + "sizeAggregation": "Count", + "legendMetric": "Location", + "legendAggregation": "Count", + "itemColorSettings": { + "nodeColorField": "Location", + "colorAggregation": "Count", + "type": "thresholds", + "thresholdsGrid": [ + { + "operator": "Default", + "thresholdValue": null, + "representation": "blueDark" + } + ] + } + } + }, + "name": "query - 3" + } + ] + }, + "name": "AC.L1-3.1.22", + "styleSettings": { + "showBorder": true + } + } + ] + }, + "conditionalVisibility": { + "parameterName": "isML1Visible", + "comparison": "isEqualTo", + "value": "true" + }, + "name": "Level 1: Foundational" + }, + { + "type": 12, + "content": { + "version": "NotebookGroup/1.0", + "groupType": "editable", + "title": "Level 2: Advanced", + "items": [ + { + "type": 1, + "content": { + "json": "A subset of programs with Level 2 (“Advanced”) requirements do not involve information critical to national security, and associated contractors will only be required to conduct self-assessments. Once CMMC 2.0 is implemented, contractors will be required to obtain a third-party CMMC assessment for a subset of acquisitions requiring Level 2 (“Advanced”) cybersecurity standards that involve information critical to national security. " + }, + "customWidth": "50", + "name": "text - 1" + }, + { + "type": 1, + "content": { + "json": "" + }, + "customWidth": "5", + "name": "text - 1" + }, + { + "type": 11, + "content": { + "version": "LinkItem/1.0", + "style": "list", + "links": [ + { + "id": "af33f331-b64b-4fbd-a0b4-3e411ff705a8", + "cellValue": "AC.L2-3.1.3", + "linkTarget": "step", + "linkLabel": "✳️ (AC.L2-3.1.3) Control CUI Flow", + "preText": "", + "postText": "", + "style": "link" + }, + { + "id": "cca4d1e8-e1e2-4b1d-9b8a-698e6496924c", + "cellValue": "AC.L2-3.1.4", + "linkTarget": "step", + "linkLabel": "✳️ (AC.L2-3.1.4) Separation of Duties", + "preText": "", + "postText": "", + "style": "link" + }, + { + "id": "f7074cad-e2ec-4a2c-84d1-7b33b14d4c04", + "cellValue": "AC.L2-3.1.5", + "linkTarget": "step", + "linkLabel": "✳️ (AC.L2-3.1.5) Least Privilege", + "preText": "", + "postText": "", + "style": "link" + }, + { + "id": "35bfb771-67e1-480a-ac96-0a59f2c8dbc2", + "cellValue": "AC.L2-3.1.6", + "linkTarget": "step", + "linkLabel": "✳️ (AC.L2-3.1.6) Non-Privileged Account Use", + "preText": "", + "postText": "", + "style": "link" + }, + { + "id": "4d1f48b7-288c-45e0-a5ae-c97f985f70df", + "cellValue": "AC.L2-3.1.7", + "linkTarget": "step", + "linkLabel": "✳️ (AC.L2-3.1.7) Privileged Functions", + "preText": "", + "style": "link" + }, + { + "id": "0e930a4d-5f98-482e-8f40-1a6d7fe76624", + "cellValue": "AC.L2-3.1.8", + "linkTarget": "step", + "linkLabel": "✳️ (AC.L2-3.1.8) Unsuccessful Logon Attempts", + "preText": "", + "style": "link" + }, + { + "id": "6b993013-ec61-4240-9ff3-9b40202600a5", + "cellValue": "AC.L2-3.1.9", + "linkTarget": "step", + "linkLabel": "✳️ (AC.L2-3.1.9) Privacy & Security Notices", + "preText": "", + "style": "link" + }, + { + "id": "746b1e32-83d7-43f1-a5d0-736dc395da72", + "cellValue": "AC.L2-3.1.10", + "linkTarget": "step", + "linkLabel": "✳️ (AC.L2-3.1.10) Session Lock", + "preText": "", + "style": "link" + }, + { + "id": "63abaa8d-ff61-466d-a7b2-831c762f815f", + "cellValue": "AC.L2-3.1.11", + "linkTarget": "step", + "linkLabel": "✳️ (AC.L2-3.1.11) Session Termination", + "preText": "", + "style": "link" + }, + { + "id": "821f90c8-c8b9-4e44-8c36-6ef941067414", + "cellValue": "AC.L2-3.1.12", + "linkTarget": "step", + "linkLabel": "✳️ (AC.L2-3.1.12) Control Remote Access", + "preText": "", + "style": "link" + }, + { + "id": "fadab5cc-f1af-4e14-9b12-5f89d0f9019d", + "cellValue": "AC.L2-3.1.13", + "linkTarget": "step", + "linkLabel": "✳️ (AC.L2-3.1.13) Remote Access Confidentiality", + "preText": "", + "style": "link" + }, + { + "id": "f7457ace-577b-431d-96ff-e20f1ccc96d2", + "cellValue": "AC.L2-3.1.14", + "linkTarget": "step", + "linkLabel": "✳️ (AC.L2-3.1.14) Remote Access Routing", + "preText": "", + "style": "link" + }, + { + "id": "6692d0f2-780b-49eb-bb36-820d2deba69b", + "cellValue": "AC.L2-3.1.15", + "linkTarget": "step", + "linkLabel": "✳️ (AC.L2-3.1.15) Privileged Remote Access", + "preText": "", + "style": "link" + }, + { + "id": "0cfbbeec-14fd-46fb-b0f9-ecd9684fff55", + "cellValue": "AC.L2-3.1.16", + "linkTarget": "step", + "linkLabel": "✳️ (AC.L2-3.1.16) Wireless Access Authorization", + "preText": "", + "style": "link" + }, + { + "id": "383e7847-f3c0-4eb1-83ae-b543e0d6517a", + "cellValue": "AC.L2-3.1.17", + "linkTarget": "step", + "linkLabel": "✳️ (AC.L2-3.1.17) Wireless Access Protection", + "preText": "", + "style": "link" + }, + { + "id": "3aa3e366-4e87-43c5-a659-d57efa973982", + "cellValue": "AC.L2-3.1.18", + "linkTarget": "step", + "linkLabel": "✳️ (AC.L2-3.1.18) Mobile Device Connection", + "preText": "", + "style": "link" + }, + { + "id": "a43a2e61-68f8-4def-8d3c-876c02cecbf4", + "cellValue": "AC.L2-3.1.19", + "linkTarget": "step", + "linkLabel": "✳️ (AC.L2-3.1.19) Encrypt CUI on Mobile", + "preText": "", + "style": "link" + }, + { + "id": "8e98f555-d83c-482d-8976-80336dacc81e", + "cellValue": "AC.L2-3.1.21", + "linkTarget": "step", + "linkLabel": "✳️ (AC.L2-3.1.21) Portable Storage Use", + "preText": "", + "style": "link" + } + ] + }, + "customWidth": "40", + "name": "ML2 Steps" + }, + { + "type": 12, + "content": { + "version": "NotebookGroup/1.0", + "groupType": "editable", + "items": [ + { + "type": 1, + "content": { + "json": "# [(AC.L2-3.1.3) Control CUI Flow](https://docs.microsoft.com/azure/governance/policy/samples/cmmc-l3#control-the-flow-of-cui-in-accordance-with-approved-authorizations)\r\n\r\n## Primary Services\r\n✳️ [Azure Web Application Firewall]( https://azure.microsoft.com/services/web-application-firewall/) 🔀 [Web Application Firewall Policies](https://portal.azure.com/#blade/HubsExtension/BrowseResource/resourceType/Microsoft.Network%2FFrontDoorWebApplicationFirewallPolicies)
\r\n✳️ [Azure Information Protection](https://azure.microsoft.com/services/information-protection/) 🔀[Azure Information Protection](https://portal.azure.com/#blade/Microsoft_Azure_InformationProtection/DataClassGroupEditBlade/quickstartBlade)
\r\n✳️ [Microsoft Information Protection](https://azure.microsoft.com/services/information-protection/) 🔀[Microsoft 365 Compliance Manager](https://compliance.microsoft.com/informationprotection)
\r\n✳️ [Microsoft Defender for Cloud](https://azure.microsoft.com/services/security-center) 🔀[Microsoft Defender for Cloud](https://portal.azure.com/#blade/Microsoft_Azure_Security/SecurityMenuBlade/0)
\r\n\r\n## Secondary Services\r\n✳️ [Network Security Groups](https://docs.microsoft.com/azure/virtual-network/network-security-groups-overview) 🔀[Network Security Groups](https://portal.azure.com/#blade/HubsExtension/BrowseResource/resourceType/Microsoft.Network%2FNetworkSecurityGroups)
\r\n✳️ [Intune/Microsoft Endpoint Manager](https://www.microsoft.com/microsoft-365/microsoft-endpoint-Manager) 🔀[Microsoft Endpoint Manager Admin Center](https://endpoint.microsoft.com/#home)
\r\n✳️ [Microsoft Defender for Cloud Apps](https://www.microsoft.com/microsoft-365/enterprise-mobility-security/cloud-app-security) 🔀 [Microsoft Defender for Cloud Apps Portal](https://portal.cloudappsecurity.com/)
\r\n✳️ [Microsoft Defender for Identity](https://www.microsoft.com/microsoft-365/security/identity-defender) 🔀[Microsoft Defender for Identity](https://portal.atp.azure.com/)
\r\n\r\n## Recommended Logs\r\n🔷 [InformationProtectionLogs_CL](https://docs.microsoft.com/azure/information-protection/audit-logs) ✳️ [Azure Information Protection](https://azure.microsoft.com/services/information-protection/)
\r\n\r\n## Implementation Guidance\r\n[Microsoft Technical Reference Guide for CMMC](https://aka.ms/cmmc/techrefguide)\r\n## NIST SP 800-171 Mapping\r\n[3.1.3](https://csrc.nist.gov/publications/detail/sp/800-171/rev-2/final) \r\n## NIST SP 800-53 R4 Mapping\r\n[AC-4](https://csrc.nist.gov/publications/detail/sp/800-53/rev-4/final)\r\n## Microsoft Defender for Cloud: Regulatory Compliance\r\n[Go To: NIST SP 800-171 Assessment >](https://portal.azure.com/#blade/Microsoft_Azure_Security/SecurityMenuBlade/22)\r\n" + }, + "customWidth": "50", + "name": "text - 1", + "styleSettings": { + "margin": "2", + "padding": "2", + "maxWidth": "50%" + } + }, + { + "type": 3, + "content": { + "version": "KqlItem/1.0", + "query": "InformationProtectionLogs_CL\r\n| limit 250\r\n\r\n", + "size": 0, + "showAnalytics": true, + "title": "Azure Information Protection Details", + "noDataMessage": "An Empty Panel Provides Opportunity To Explore Further and Implement Hardening. Controls: Confirm Licensing, Availability, and Health of Respective Offerings. Logging: Confirm Log Source is Onboarded to the Log Analytics Workspace. Time: Adjust the Time Parameter for a Larger Data-Set. ", + "timeContext": { + "durationMs": 2592000000 + }, + "timeContextFromParameter": "TimeRange", + "showExportToExcel": true, + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces", + "crossComponentResources": [ + "{Workspace}" + ], + "gridSettings": { + "formatters": [ + { + "columnMatch": "UserId_s", + "formatter": 18, + "formatOptions": { + "thresholdsOptions": "icons", + "thresholdsGrid": [ + { + "operator": "Default", + "thresholdValue": null, + "representation": "Person", + "text": "{0}{1}" + } + ] + } + }, + { + "columnMatch": "AlertName", + "formatter": 18, + "formatOptions": { + "thresholdsOptions": "icons", + "thresholdsGrid": [ + { + "operator": "Default", + "thresholdValue": null, + "representation": "3", + "text": "{0}{1}" + } + ] + } + }, + { + "columnMatch": "Severity", + "formatter": 18, + "formatOptions": { + "thresholdsOptions": "colors", + "thresholdsGrid": [ + { + "operator": "==", + "thresholdValue": "High", + "representation": "red", + "text": "{0}{1}" + }, + { + "operator": "==", + "thresholdValue": "Medium", + "representation": "orange", + "text": "{0}{1}" + }, + { + "operator": "==", + "thresholdValue": "Low", + "representation": "yellow", + "text": "{0}{1}" + }, + { + "operator": "Default", + "thresholdValue": null, + "representation": "blue", + "text": "{0}{1}" + } + ] + } + }, + { + "columnMatch": "ProductName", + "formatter": 18, + "formatOptions": { + "thresholdsOptions": "icons", + "thresholdsGrid": [ + { + "operator": "Default", + "thresholdValue": null, + "representation": "uninitialized", + "text": "{0}{1}" + } + ] + } + }, + { + "columnMatch": "AlertLink", + "formatter": 7, + "formatOptions": { + "linkTarget": "Url", + "linkLabel": "Go to Alert >" + } + }, + { + "columnMatch": "UPN", + "formatter": 18, + "formatOptions": { + "thresholdsOptions": "icons", + "thresholdsGrid": [ + { + "operator": "Default", + "thresholdValue": null, + "representation": "2", + "text": "{0}{1}" + } + ] + } + }, + { + "columnMatch": "IncidentUrl", + "formatter": 7, + "formatOptions": { + "linkTarget": "Url", + "linkLabel": "Go to Incident >" + }, + "numberFormat": { + "unit": 0, + "options": { + "style": "decimal" + } + } + }, + { + "columnMatch": "count_", + "formatter": 8, + "formatOptions": { + "palette": "blue" + } + }, + { + "columnMatch": "city_", + "formatter": 18, + "formatOptions": { + "thresholdsOptions": "colors", + "thresholdsGrid": [ + { + "operator": "Default", + "thresholdValue": null, + "representation": "blue", + "text": "{0}{1}" + } + ] + } + }, + { + "columnMatch": "state_", + "formatter": 18, + "formatOptions": { + "thresholdsOptions": "colors", + "thresholdsGrid": [ + { + "operator": "Default", + "thresholdValue": null, + "representation": "blueDark", + "text": "{0}{1}" + } + ] + } + } + ], + "filter": true + }, + "tileSettings": { + "titleContent": { + "columnMatch": "SigninStatus", + "formatter": 1 + }, + "leftContent": { + "columnMatch": "Count", + "formatter": 12, + "formatOptions": { + "palette": "blue" + }, + "numberFormat": { + "unit": 17, + "options": { + "style": "decimal", + "maximumFractionDigits": 2, + "maximumSignificantDigits": 3 + } + } + }, + "secondaryContent": { + "columnMatch": "Trend", + "formatter": 9, + "formatOptions": { + "palette": "green" + } + }, + "showBorder": false + }, + "mapSettings": { + "locInfo": "CountryRegion", + "locInfoColumn": "Location", + "latitude": "SourceIPLocation", + "longitude": "SourceIPLocation", + "sizeSettings": "Location", + "sizeAggregation": "Count", + "legendMetric": "Location", + "legendAggregation": "Count", + "itemColorSettings": { + "nodeColorField": "Location", + "colorAggregation": "Count", + "type": "thresholds", + "thresholdsGrid": [ + { + "operator": "Default", + "thresholdValue": null, + "representation": "blueDark" + } + ] + } + } + }, + "customWidth": "50", + "name": "query - 2" + }, + { + "type": 12, + "content": { + "version": "NotebookGroup/1.0", + "groupType": "editable", + "items": [ + { + "type": 1, + "content": { + "json": "## Control Assessment\r\n" + }, + "name": "text - 2" + }, + { + "type": 9, + "content": { + "version": "KqlParameterItem/1.0", + "parameters": [ + { + "id": "52668f65-b44a-4e14-82d8-c87410e7e5dc", + "version": "KqlParameterItem/1.0", + "name": "ImplementationStatus", + "label": "Implementation Status", + "type": 2, + "typeSettings": { + "additionalResourceOptions": [], + "showDefault": false + }, + "jsonData": "[\r\n {\"value\": \"Not Implemented\", \"label\": \"Not Implemented\", \"selected\":true},\r\n {\"value\": \"Implemented\", \"label\": \"Implemented\"},\r\n {\"value\": \"Alternate Implementation\", \"label\": \"Alternate Implementation\"},\r\n {\"value\": \"Planned\", \"label\": \"Planned\"},\r\n {\"value\": \"Out of Scope\", \"label\": \"Out of Scope\"}\r\n]", + "timeContext": { + "durationMs": 86400000 + } + }, + { + "id": "578b8620-30b9-4b92-abc6-997998bc8156", + "version": "KqlParameterItem/1.0", + "name": "ImplementationDate", + "label": "Implementation Date", + "type": 1, + "value": "", + "timeContext": { + "durationMs": 86400000 + } + }, + { + "version": "KqlParameterItem/1.0", + "name": "Notes", + "type": 1, + "value": "", + "timeContext": { + "durationMs": 86400000 + }, + "id": "7bd0d384-d3c3-4c77-9dae-d75e823edfcf" + } + ], + "style": "pills", + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces" + }, + "name": "Status" + }, + { + "type": 1, + "content": { + "json": "### Notes
\r\n{Notes}" + }, + "name": "text - 1" + } + ] + }, + "customWidth": "50", + "name": "group - 2" + } + ] + }, + "name": "AC.L2-3.1.3", + "styleSettings": { + "showBorder": true + } + }, + { + "type": 12, + "content": { + "version": "NotebookGroup/1.0", + "groupType": "editable", + "items": [ + { + "type": 1, + "content": { + "json": "# [(AC.L2-3.1.4) Separation of Duties](https://docs.microsoft.com/azure/governance/policy/samples/cmmc-l3#separate-the-duties-of-individuals-to-reduce-the-risk-of-malevolent-activity-without-collusion)\r\n\r\n## Primary Services\r\n✳️ [Azure Active Directory](https://azure.microsoft.com/services/active-directory/) 🔀[Azure Active Directory Portal](https://portal.azure.com/#blade/Microsoft_AAD_IAM/ActiveDirectoryMenuBlade/Overview)
\r\n✳️ [Microsoft Defender for Cloud](https://azure.microsoft.com/services/security-center) 🔀[Microsoft Defender for Cloud](https://portal.azure.com/#blade/Microsoft_Azure_Security/SecurityMenuBlade/0)
\r\n\r\n## Secondary Services\r\n✳️ [Azure AD Privileged Identity Management](https://docs.microsoft.com/azure/active-directory/privileged-identity-management/pim-getting-started) 🔀[Privileged Identity Management](https://portal.azure.com/#blade/Microsoft_Azure_PIMCommon/CommonMenuBlade/quickStart)
\r\n\r\n## Implementation Guidance\r\n[Microsoft Technical Reference Guide for CMMC](https://aka.ms/cmmc/techrefguide)\r\n## NIST SP 800-171 Mapping\r\n[3.1.4](https://csrc.nist.gov/publications/detail/sp/800-171/rev-2/final)
\r\n## NIST SP 800-53 R4 Mapping\r\n[AC-5](https://csrc.nist.gov/publications/detail/sp/800-53/rev-4/final)\r\n## Microsoft Defender for Cloud: Regulatory Compliance\r\n[Go To: NIST SP 800-171 Assessment >](https://portal.azure.com/#blade/Microsoft_Azure_Security/SecurityMenuBlade/22)
\r\n" + }, + "customWidth": "50", + "name": "text - 1", + "styleSettings": { + "margin": "2", + "padding": "2", + "maxWidth": "50%" + } + }, + { + "type": 3, + "content": { + "version": "KqlItem/1.0", + "query": "SecurityRecommendation\r\n| where RecommendationDisplayName contains \"member\" or RecommendationDisplayName contains \"owner\" or RecommendationDisplayName contains \"group\"\r\n| where RecommendationDisplayName !contains \"security group\"\r\n| where RecommendationDisplayName !contains \"Email\"\r\n| summarize arg_max(TimeGenerated, *) by RecommendationDisplayName, AssessedResourceId\r\n| summarize\r\n Failed = countif(RecommendationState == \"Unhealthy\"),\r\n Passed = countif(RecommendationState == \"Healthy\"),\r\n Total = countif(RecommendationState == \"Healthy\" or RecommendationState == \"Unhealthy\")\r\n by RecommendationDisplayName\r\n| extend PassedControls = (Passed / todouble(Total)) * 100\r\n| project RecommendationDisplayName, Total, PassedControls, Passed, Failed\r\n| sort by Total desc\r\n| limit 250", + "size": 0, + "showAnalytics": true, + "title": "Review Microsoft Defender for Cloud Recommendations", + "noDataMessage": "An Empty Panel Provides Opportunity To Explore Further and Implement Hardening. Controls: Confirm Licensing, Availability, and Health of Respective Offerings. Logging: Confirm Log Source is Onboarded to the Log Analytics Workspace. Time: Adjust the Time Parameter for a Larger Data-Set. ", + "timeContext": { + "durationMs": 2592000000 + }, + "timeContextFromParameter": "TimeRange", + "showExportToExcel": true, + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces", + "crossComponentResources": [ + "{Workspace}" + ], + "gridSettings": { + "formatters": [ + { + "columnMatch": "RecommendationDisplayName", + "formatter": 18, + "formatOptions": { + "thresholdsOptions": "icons", + "thresholdsGrid": [ + { + "operator": "Default", + "thresholdValue": null, + "representation": "Gear", + "text": "{0}{1}" + } + ] + } + }, + { + "columnMatch": "Total", + "formatter": 22, + "formatOptions": { + "compositeBarSettings": { + "labelText": "", + "columnSettings": [ + { + "columnName": "Passed", + "color": "green" + }, + { + "columnName": "Failed", + "color": "redBright" + } + ] + } + } + }, + { + "columnMatch": "PassedControls", + "formatter": 0, + "numberFormat": { + "unit": 1, + "options": { + "style": "decimal", + "maximumFractionDigits": 2 + } + } + }, + { + "columnMatch": "ControlNumber", + "formatter": 18, + "formatOptions": { + "thresholdsOptions": "icons", + "thresholdsGrid": [ + { + "operator": "Default", + "thresholdValue": null, + "representation": "AllServices", + "text": "{0}{1}" + } + ] + } + }, + { + "columnMatch": "RecommendationState", + "formatter": 18, + "formatOptions": { + "thresholdsOptions": "icons", + "thresholdsGrid": [ + { + "operator": "!=", + "thresholdValue": "Healthy", + "representation": "3", + "text": "{0}{1}" + }, + { + "operator": "Default", + "thresholdValue": null, + "representation": "success", + "text": "{0}{1}" + } + ] + } + }, + { + "columnMatch": "count_", + "formatter": 4, + "formatOptions": { + "palette": "blue" + } + } + ], + "filter": true + } + }, + "customWidth": "50", + "name": "query - 1" + }, + { + "type": 12, + "content": { + "version": "NotebookGroup/1.0", + "groupType": "editable", + "items": [ + { + "type": 1, + "content": { + "json": "## Control Assessment\r\n" + }, + "name": "text - 2" + }, + { + "type": 9, + "content": { + "version": "KqlParameterItem/1.0", + "parameters": [ + { + "id": "52668f65-b44a-4e14-82d8-c87410e7e5dc", + "version": "KqlParameterItem/1.0", + "name": "ImplementationStatus", + "label": "Implementation Status", + "type": 2, + "typeSettings": { + "additionalResourceOptions": [], + "showDefault": false + }, + "jsonData": "[\r\n {\"value\": \"Not Implemented\", \"label\": \"Not Implemented\", \"selected\":true},\r\n {\"value\": \"Implemented\", \"label\": \"Implemented\"},\r\n {\"value\": \"Alternate Implementation\", \"label\": \"Alternate Implementation\"},\r\n {\"value\": \"Planned\", \"label\": \"Planned\"},\r\n {\"value\": \"Out of Scope\", \"label\": \"Out of Scope\"}\r\n]", + "timeContext": { + "durationMs": 86400000 + } + }, + { + "id": "578b8620-30b9-4b92-abc6-997998bc8156", + "version": "KqlParameterItem/1.0", + "name": "ImplementationDate", + "label": "Implementation Date", + "type": 1, + "value": "", + "timeContext": { + "durationMs": 86400000 + } + }, + { + "version": "KqlParameterItem/1.0", + "name": "Notes", + "type": 1, + "value": "", + "timeContext": { + "durationMs": 86400000 + }, + "id": "7bd0d384-d3c3-4c77-9dae-d75e823edfcf" + } + ], + "style": "pills", + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces" + }, + "name": "Status" + }, + { + "type": 1, + "content": { + "json": "### Notes
\r\n{Notes}" + }, + "name": "text - 1" + } + ] + }, + "customWidth": "50", + "name": "group - 2" + } + ] + }, + "name": "AC.L2-3.1.4", + "styleSettings": { + "showBorder": true + } + }, + { + "type": 12, + "content": { + "version": "NotebookGroup/1.0", + "groupType": "editable", + "items": [ + { + "type": 1, + "content": { + "json": "# [(AC.L2-3.1.5) Least Privilege](https://docs.microsoft.com/azure/governance/policy/samples/cmmc-l3#employ-the-principle-of-least-privilege-including-for-specific-security-functions-and-privileged-accounts)\r\n\r\n## Primary Services\r\n✳️ [Azure AD Privileged Identity Management](https://docs.microsoft.com/azure/active-directory/privileged-identity-management/pim-getting-started) 🔀[Privileged Identity Management](https://portal.azure.com/#blade/Microsoft_Azure_PIMCommon/CommonMenuBlade/quickStart)
\r\n✳️ [Microsoft Defender for Cloud](https://azure.microsoft.com/services/security-center) 🔀[Microsoft Defender for Cloud](https://portal.azure.com/#blade/Microsoft_Azure_Security/SecurityMenuBlade/0)
\r\n\r\n## Secondary Services\r\n✳️ [Azure Active Directory](https://azure.microsoft.com/services/active-directory/) 🔀[Azure Active Directory Portal](https://portal.azure.com/#blade/Microsoft_AAD_IAM/ActiveDirectoryMenuBlade/Overview)
\r\n✳️ [GitHub Enterprise Cloud](https://github.com/enterprise) 🔀[GitHub Enterprise](https://enterprise.github.com/login)
\r\n✳️ [GitHub AE](https://docs.github.com/en/github-ae@latest/admin/overview/about-github-ae) 🔀[GitHub](https://github.com/)
\r\n\r\n## Recommended Logs\r\n🔷 [AuditLogs](https://docs.microsoft.com/azure/azure-monitor/reference/tables/auditlogs) ✳️ [Azure Active Directory](https://azure.microsoft.com/services/active-directory/)
\r\n\r\n## Implementation Guidance\r\n[Microsoft Technical Reference Guide for CMMC](https://aka.ms/cmmc/techrefguide)\r\n## NIST SP 800-171 Mapping\r\n[3.1.5](https://csrc.nist.gov/publications/detail/sp/800-171/rev-2/final) \r\n## NIST SP 800-53 R4 Mapping\r\n[AC-6, AC-6(1), AC-6(5)](https://csrc.nist.gov/publications/detail/sp/800-53/rev-4/final)\r\n## Microsoft Defender for Cloud: Regulatory Compliance\r\n[Go To: NIST SP 800-171 Assessment >](https://portal.azure.com/#blade/Microsoft_Azure_Security/SecurityMenuBlade/22)\r\n" + }, + "customWidth": "50", + "name": "text - 1", + "styleSettings": { + "margin": "2", + "padding": "2", + "maxWidth": "50%" + } + }, + { + "type": 3, + "content": { + "version": "KqlItem/1.0", + "query": "AuditLogs\r\n| where OperationName contains \"PIM\"\r\n| distinct OperationName, Identity, AADOperationType, TimeGenerated\r\n| sort by TimeGenerated desc\r\n| limit 250", + "size": 0, + "showAnalytics": true, + "title": "Privileged Identity Management (PIM) Actions", + "noDataMessage": "An Empty Panel Provides Opportunity To Explore Further and Implement Hardening. Controls: Confirm Licensing, Availability, and Health of Respective Offerings. Logging: Confirm Log Source is Onboarded to the Log Analytics Workspace. Time: Adjust the Time Parameter for a Larger Data-Set. ", + "timeContext": { + "durationMs": 0 + }, + "timeContextFromParameter": "TimeRange", + "showExportToExcel": true, + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces", + "crossComponentResources": [ + "{Workspace}" + ], + "gridSettings": { + "formatters": [ + { + "columnMatch": "GrantedTo", + "formatter": 18, + "formatOptions": { + "thresholdsOptions": "icons", + "thresholdsGrid": [ + { + "operator": "Default", + "thresholdValue": null, + "representation": "Person", + "text": "{0}{1}" + } + ] + } + }, + { + "columnMatch": "UserProfile", + "formatter": 7, + "formatOptions": { + "linkTarget": "Url", + "linkLabel": "Go To: AAD Profile >" + } + }, + { + "columnMatch": "OperationName", + "formatter": 18, + "formatOptions": { + "thresholdsOptions": "icons", + "thresholdsGrid": [ + { + "operator": "Default", + "thresholdValue": null, + "representation": "pending", + "text": "{0}{1}" + } + ] + } + }, + { + "columnMatch": "count_", + "formatter": 4, + "formatOptions": { + "palette": "blue" + } + } + ], + "filter": true + } + }, + "customWidth": "50", + "name": "query - 2", + "styleSettings": { + "maxWidth": "50" + } + }, + { + "type": 12, + "content": { + "version": "NotebookGroup/1.0", + "groupType": "editable", + "items": [ + { + "type": 1, + "content": { + "json": "## Control Assessment\r\n" + }, + "name": "text - 2" + }, + { + "type": 9, + "content": { + "version": "KqlParameterItem/1.0", + "parameters": [ + { + "id": "52668f65-b44a-4e14-82d8-c87410e7e5dc", + "version": "KqlParameterItem/1.0", + "name": "ImplementationStatus", + "label": "Implementation Status", + "type": 2, + "typeSettings": { + "additionalResourceOptions": [], + "showDefault": false + }, + "jsonData": "[\r\n {\"value\": \"Not Implemented\", \"label\": \"Not Implemented\", \"selected\":true},\r\n {\"value\": \"Implemented\", \"label\": \"Implemented\"},\r\n {\"value\": \"Alternate Implementation\", \"label\": \"Alternate Implementation\"},\r\n {\"value\": \"Planned\", \"label\": \"Planned\"},\r\n {\"value\": \"Out of Scope\", \"label\": \"Out of Scope\"}\r\n]", + "timeContext": { + "durationMs": 86400000 + } + }, + { + "id": "578b8620-30b9-4b92-abc6-997998bc8156", + "version": "KqlParameterItem/1.0", + "name": "ImplementationDate", + "label": "Implementation Date", + "type": 1, + "value": "", + "timeContext": { + "durationMs": 86400000 + } + }, + { + "version": "KqlParameterItem/1.0", + "name": "Notes", + "type": 1, + "value": "", + "timeContext": { + "durationMs": 86400000 + }, + "id": "7bd0d384-d3c3-4c77-9dae-d75e823edfcf" + } + ], + "style": "pills", + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces" + }, + "name": "Status" + }, + { + "type": 1, + "content": { + "json": "### Notes
\r\n{Notes}" + }, + "name": "text - 1" + } + ] + }, + "customWidth": "50", + "name": "group - 2" + } + ] + }, + "name": "AC.L2-3.1.5", + "styleSettings": { + "showBorder": true + } + }, + { + "type": 12, + "content": { + "version": "NotebookGroup/1.0", + "groupType": "editable", + "items": [ + { + "type": 1, + "content": { + "json": "# [(AC.L2-3.1.6) Non-Privileged Account Use](https://docs.microsoft.com/azure/governance/policy/samples/cmmc-l3#use-non-privileged-accounts-or-roles-when-accessing-nonsecurity-functions)\r\n\r\n## Primary Services\r\n✳️ [Azure Active Directory](https://azure.microsoft.com/services/active-directory/) 🔀[Azure Active Directory Portal](https://portal.azure.com/#blade/Microsoft_AAD_IAM/ActiveDirectoryMenuBlade/Overview)
\r\n✳️ [Microsoft Defender for Cloud](https://azure.microsoft.com/services/security-center) 🔀[Microsoft Defender for Cloud](https://portal.azure.com/#blade/Microsoft_Azure_Security/SecurityMenuBlade/0)
\r\n\r\n## Secondary Services\r\n✳️ [Azure AD Privileged Identity Management](https://docs.microsoft.com/azure/active-directory/privileged-identity-management/pim-getting-started) 🔀[Privileged Identity Management](https://portal.azure.com/#blade/Microsoft_Azure_PIMCommon/CommonMenuBlade/quickStart)
\r\n\r\n## Recommended Logs\r\n🔷 [AuditLogs](https://docs.microsoft.com/azure/azure-monitor/reference/tables/auditlogs) ✳️ [Azure Active Directory](https://azure.microsoft.com/services/active-directory/)
\r\n\r\n## Implementation Guidance\r\n[Microsoft Technical Reference Guide for CMMC](https://aka.ms/cmmc/techrefguide)\r\n## NIST SP 800-171 Mapping\r\n[3.1.6](https://csrc.nist.gov/publications/detail/sp/800-171/rev-2/final) \r\n## NIST SP 800-53 R4 Mapping\r\n[AC-6(2)](https://csrc.nist.gov/publications/detail/sp/800-53/rev-4/final)\r\n## Microsoft Defender for Cloud: Regulatory Compliance\r\n[Go To: NIST SP 800-171 Assessment >](https://portal.azure.com/#blade/Microsoft_Azure_Security/SecurityMenuBlade/22)\r\n" + }, + "customWidth": "50", + "name": "text - 1", + "styleSettings": { + "margin": "2", + "padding": "2", + "maxWidth": "50%" + } + }, + { + "type": 3, + "content": { + "version": "KqlItem/1.0", + "query": "SecurityRecommendation\r\n| where RecommendationDisplayName contains \"user\" or RecommendationDisplayName contains \"account\"\r\n| summarize arg_max(TimeGenerated, *) by RecommendationDisplayName, AssessedResourceId\r\n| summarize\r\n Failed = countif(RecommendationState == \"Unhealthy\"),\r\n Passed = countif(RecommendationState == \"Healthy\"),\r\n Total = countif(RecommendationState == \"Healthy\" or RecommendationState == \"Unhealthy\")\r\n by RecommendationDisplayName\r\n| extend PassedControls = (Passed / todouble(Total)) * 100\r\n| project RecommendationDisplayName, Total, PassedControls, Passed, Failed\r\n| sort by Total desc\r\n| limit 250", + "size": 0, + "showAnalytics": true, + "title": "Review Microsoft Defender for Cloud Recommendations", + "noDataMessage": "An Empty Panel Provides Opportunity To Explore Further and Implement Hardening. Controls: Confirm Licensing, Availability, and Health of Respective Offerings. Logging: Confirm Log Source is Onboarded to the Log Analytics Workspace. Time: Adjust the Time Parameter for a Larger Data-Set. ", + "timeContext": { + "durationMs": 2592000000 + }, + "timeContextFromParameter": "TimeRange", + "showExportToExcel": true, + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces", + "crossComponentResources": [ + "{Workspace}" + ], + "gridSettings": { + "formatters": [ + { + "columnMatch": "RecommendationDisplayName", + "formatter": 18, + "formatOptions": { + "thresholdsOptions": "icons", + "thresholdsGrid": [ + { + "operator": "Default", + "thresholdValue": null, + "representation": "Gear", + "text": "{0}{1}" + } + ] + } + }, + { + "columnMatch": "Total", + "formatter": 22, + "formatOptions": { + "compositeBarSettings": { + "labelText": "", + "columnSettings": [ + { + "columnName": "Passed", + "color": "green" + }, + { + "columnName": "Failed", + "color": "redBright" + } + ] + } + } + }, + { + "columnMatch": "PassedControls", + "formatter": 0, + "numberFormat": { + "unit": 1, + "options": { + "style": "decimal", + "maximumFractionDigits": 2 + } + } + }, + { + "columnMatch": "ControlNumber", + "formatter": 18, + "formatOptions": { + "thresholdsOptions": "icons", + "thresholdsGrid": [ + { + "operator": "Default", + "thresholdValue": null, + "representation": "AllServices", + "text": "{0}{1}" + } + ] + } + }, + { + "columnMatch": "RecommendationState", + "formatter": 18, + "formatOptions": { + "thresholdsOptions": "icons", + "thresholdsGrid": [ + { + "operator": "!=", + "thresholdValue": "Healthy", + "representation": "3", + "text": "{0}{1}" + }, + { + "operator": "Default", + "thresholdValue": null, + "representation": "success", + "text": "{0}{1}" + } + ] + } + }, + { + "columnMatch": "count_", + "formatter": 4, + "formatOptions": { + "palette": "blue" + } + } + ], + "filter": true + } + }, + "customWidth": "50", + "name": "query - 1" + }, + { + "type": 12, + "content": { + "version": "NotebookGroup/1.0", + "groupType": "editable", + "items": [ + { + "type": 1, + "content": { + "json": "## Control Assessment\r\n" + }, + "name": "text - 2" + }, + { + "type": 9, + "content": { + "version": "KqlParameterItem/1.0", + "parameters": [ + { + "id": "52668f65-b44a-4e14-82d8-c87410e7e5dc", + "version": "KqlParameterItem/1.0", + "name": "ImplementationStatus", + "label": "Implementation Status", + "type": 2, + "typeSettings": { + "additionalResourceOptions": [], + "showDefault": false + }, + "jsonData": "[\r\n {\"value\": \"Not Implemented\", \"label\": \"Not Implemented\", \"selected\":true},\r\n {\"value\": \"Implemented\", \"label\": \"Implemented\"},\r\n {\"value\": \"Alternate Implementation\", \"label\": \"Alternate Implementation\"},\r\n {\"value\": \"Planned\", \"label\": \"Planned\"},\r\n {\"value\": \"Out of Scope\", \"label\": \"Out of Scope\"}\r\n]", + "timeContext": { + "durationMs": 86400000 + } + }, + { + "id": "578b8620-30b9-4b92-abc6-997998bc8156", + "version": "KqlParameterItem/1.0", + "name": "ImplementationDate", + "label": "Implementation Date", + "type": 1, + "value": "", + "timeContext": { + "durationMs": 86400000 + } + }, + { + "version": "KqlParameterItem/1.0", + "name": "Notes", + "type": 1, + "value": "", + "timeContext": { + "durationMs": 86400000 + }, + "id": "7bd0d384-d3c3-4c77-9dae-d75e823edfcf" + } + ], + "style": "pills", + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces" + }, + "name": "Status" + }, + { + "type": 1, + "content": { + "json": "### Notes
\r\n{Notes}" + }, + "name": "text - 1" + } + ] + }, + "customWidth": "50", + "name": "group - 2" + } + ] + }, + "name": "AC.L2-3.1.6", + "styleSettings": { + "showBorder": true + } + }, + { + "type": 12, + "content": { + "version": "NotebookGroup/1.0", + "groupType": "editable", + "items": [ + { + "type": 1, + "content": { + "json": "# [(AC.L2-3.1.7) Privileged Functions](https://docs.microsoft.com/azure/governance/policy/samples/cmmc-l3#prevent-non-privileged-users-from-executing-privileged-functions-and-capture-the-execution-of-such-functions-in-audit-logs)\r\n\r\n## Primary Services\r\n✳️ [Azure Active Directory](https://azure.microsoft.com/services/active-directory/) 🔀[Azure Active Directory Portal](https://portal.azure.com/#blade/Microsoft_AAD_IAM/ActiveDirectoryMenuBlade/Overview)
\r\n✳️ [Azure AD Privileged Identity Management](https://docs.microsoft.com/azure/active-directory/privileged-identity-management/pim-getting-started) 🔀[Privileged Identity Management](https://portal.azure.com/#blade/Microsoft_Azure_PIMCommon/CommonMenuBlade/quickStart)
\r\n✳️ [Microsoft Defender for Cloud](https://azure.microsoft.com/services/security-center) 🔀[Microsoft Defender for Cloud](https://portal.azure.com/#blade/Microsoft_Azure_Security/SecurityMenuBlade/0)
\r\n\r\n## Secondary Services\r\n✳️ [Intune/Microsoft Endpoint Manager](https://www.microsoft.com/microsoft-365/microsoft-endpoint-Manager) 🔀[Microsoft Endpoint Manager Admin Center](https://endpoint.microsoft.com/#home)
\r\n✳️ [Microsoft Defender for Office 365](https://www.microsoft.com/microsoft-365/security/office-365-defender) 🔀[Microsoft 365 Defender Portal](https://security.microsoft.com/homepage)
\r\n✳️ [Microsoft 365 Compliance Management](https://www.microsoft.com/microsoft-365/enterprise/compliance-management) 🔀[Microsoft 365 Compliance Management](https://compliance.microsoft.com/)
\r\n\r\n## Implementation Guidance\r\n[Microsoft Technical Reference Guide for CMMC](https://aka.ms/cmmc/techrefguide)\r\n## NIST SP 800-171 Mapping\r\n[3.1.7](https://csrc.nist.gov/publications/detail/sp/800-171/rev-2/final)
\r\n## NIST SP 800-53 R4 Mapping\r\n[AC-6(9), AC-6(10)](https://csrc.nist.gov/publications/detail/sp/800-53/rev-4/final)\r\n## Microsoft Defender for Cloud: Regulatory Compliance\r\n[Go To: NIST SP 800-171 Assessment >](https://portal.azure.com/#blade/Microsoft_Azure_Security/SecurityMenuBlade/22)
\r\n" + }, + "customWidth": "50", + "name": "text - 1", + "styleSettings": { + "margin": "2", + "padding": "2", + "maxWidth": "50%" + } + }, + { + "type": 3, + "content": { + "version": "KqlItem/1.0", + "query": "SecurityRecommendation\r\n| where RecommendationDisplayName contains \"audit\" or RecommendationDisplayName contains \"priv\" or RecommendationDisplayName contains \"log\"\r\n| summarize arg_max(TimeGenerated, *) by RecommendationDisplayName, AssessedResourceId\r\n| summarize\r\n Failed = countif(RecommendationState == \"Unhealthy\"),\r\n Passed = countif(RecommendationState == \"Healthy\"),\r\n Total = countif(RecommendationState == \"Healthy\" or RecommendationState == \"Unhealthy\")\r\n by RecommendationDisplayName\r\n| extend PassedControls = (Passed / todouble(Total)) * 100\r\n| project RecommendationDisplayName, Total, PassedControls, Passed, Failed\r\n| sort by Total desc\r\n| limit 250", + "size": 0, + "showAnalytics": true, + "title": "Review Microsoft Defender for Cloud Recommendations", + "noDataMessage": "An Empty Panel Provides Opportunity To Explore Further and Implement Hardening. Controls: Confirm Licensing, Availability, and Health of Respective Offerings. Logging: Confirm Log Source is Onboarded to the Log Analytics Workspace. Time: Adjust the Time Parameter for a Larger Data-Set. ", + "timeContext": { + "durationMs": 2592000000 + }, + "timeContextFromParameter": "TimeRange", + "showExportToExcel": true, + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces", + "crossComponentResources": [ + "{Workspace}" + ], + "gridSettings": { + "formatters": [ + { + "columnMatch": "RecommendationDisplayName", + "formatter": 18, + "formatOptions": { + "thresholdsOptions": "icons", + "thresholdsGrid": [ + { + "operator": "Default", + "thresholdValue": null, + "representation": "Gear", + "text": "{0}{1}" + } + ] + } + }, + { + "columnMatch": "Total", + "formatter": 22, + "formatOptions": { + "compositeBarSettings": { + "labelText": "", + "columnSettings": [ + { + "columnName": "Passed", + "color": "green" + }, + { + "columnName": "Failed", + "color": "redBright" + } + ] + } + } + }, + { + "columnMatch": "PassedControls", + "formatter": 0, + "numberFormat": { + "unit": 1, + "options": { + "style": "decimal", + "maximumFractionDigits": 2 + } + } + }, + { + "columnMatch": "ControlNumber", + "formatter": 18, + "formatOptions": { + "thresholdsOptions": "icons", + "thresholdsGrid": [ + { + "operator": "Default", + "thresholdValue": null, + "representation": "AllServices", + "text": "{0}{1}" + } + ] + } + }, + { + "columnMatch": "RecommendationState", + "formatter": 18, + "formatOptions": { + "thresholdsOptions": "icons", + "thresholdsGrid": [ + { + "operator": "!=", + "thresholdValue": "Healthy", + "representation": "3", + "text": "{0}{1}" + }, + { + "operator": "Default", + "thresholdValue": null, + "representation": "success", + "text": "{0}{1}" + } + ] + } + }, + { + "columnMatch": "count_", + "formatter": 4, + "formatOptions": { + "palette": "blue" + } + } + ], + "filter": true + } + }, + "customWidth": "50", + "name": "query - 1" + }, + { + "type": 12, + "content": { + "version": "NotebookGroup/1.0", + "groupType": "editable", + "items": [ + { + "type": 1, + "content": { + "json": "## Control Assessment\r\n" + }, + "name": "text - 2" + }, + { + "type": 9, + "content": { + "version": "KqlParameterItem/1.0", + "parameters": [ + { + "id": "52668f65-b44a-4e14-82d8-c87410e7e5dc", + "version": "KqlParameterItem/1.0", + "name": "ImplementationStatus", + "label": "Implementation Status", + "type": 2, + "typeSettings": { + "additionalResourceOptions": [], + "showDefault": false + }, + "jsonData": "[\r\n {\"value\": \"Not Implemented\", \"label\": \"Not Implemented\", \"selected\":true},\r\n {\"value\": \"Implemented\", \"label\": \"Implemented\"},\r\n {\"value\": \"Alternate Implementation\", \"label\": \"Alternate Implementation\"},\r\n {\"value\": \"Planned\", \"label\": \"Planned\"},\r\n {\"value\": \"Out of Scope\", \"label\": \"Out of Scope\"}\r\n]", + "timeContext": { + "durationMs": 86400000 + } + }, + { + "id": "578b8620-30b9-4b92-abc6-997998bc8156", + "version": "KqlParameterItem/1.0", + "name": "ImplementationDate", + "label": "Implementation Date", + "type": 1, + "value": "", + "timeContext": { + "durationMs": 86400000 + } + }, + { + "version": "KqlParameterItem/1.0", + "name": "Notes", + "type": 1, + "value": "", + "timeContext": { + "durationMs": 86400000 + }, + "id": "7bd0d384-d3c3-4c77-9dae-d75e823edfcf" + } + ], + "style": "pills", + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces" + }, + "name": "Status" + }, + { + "type": 1, + "content": { + "json": "### Notes
\r\n{Notes}" + }, + "name": "text - 1" + } + ] + }, + "customWidth": "50", + "name": "group - 2" + } + ] + }, + "name": "AC.L2-3.1.7", + "styleSettings": { + "showBorder": true + } + }, + { + "type": 12, + "content": { + "version": "NotebookGroup/1.0", + "groupType": "editable", + "items": [ + { + "type": 1, + "content": { + "json": "# (AC.L2-3.1.8) Unsuccessful Logon Attempts\r\n\r\n## Primary Services\r\n✳️ [Azure Active Directory](https://azure.microsoft.com/services/active-directory/) 🔀[Azure Active Directory Portal](https://portal.azure.com/#blade/Microsoft_AAD_IAM/ActiveDirectoryMenuBlade/Overview)
\r\n✳️ [Microsoft Defender for Identity](https://www.microsoft.com/microsoft-365/security/identity-defender) 🔀[Microsoft Defender for Identity](https://portal.atp.azure.com/)
✳️ [Microsoft Sentinel](https://azure.microsoft.com/services/azure-sentinel/) 🔀[Microsoft Sentinel](https://portal.azure.com/#blade/HubsExtension/BrowseResource/resourceType/microsoft.securityinsightsarg%2Fsentinel)
\r\n\r\n\r\n\r\n## Secondary Services\r\n✳️ [Password Protection for Azure AD](https://docs.microsoft.com/azure/active-directory/authentication/howto-password-ban-bad-on-premises-deploy) 🔀[Azure AD Password Protection](https://portal.azure.com/#blade/Microsoft_AAD_IAM/PasswordProtectionBlade)
\r\n\r\n## Recommended Logs\r\n🔷 [SigninLogs](https://docs.microsoft.com/azure/azure-monitor/reference/tables/signinlogs) ✳️ [Azure Active Directory](https://azure.microsoft.com/services/active-directory/)
\r\n🔷 [SecurityAlert](https://docs.microsoft.com/azure/azure-monitor/reference/tables/securityalert) ✳️ [Microsoft Sentinel](https://azure.microsoft.com/services/azure-sentinel/)
\r\n\r\n## Implementation Guidance\r\n[Microsoft Technical Reference Guide for CMMC](https://aka.ms/cmmc/techrefguide)\r\n## NIST SP 800-171 Mapping\r\n[3.1.8](https://csrc.nist.gov/publications/detail/sp/800-171/rev-2/final) \r\n## NIST SP 800-53 R4 Mapping\r\n[AC-7](https://csrc.nist.gov/publications/detail/sp/800-53/rev-4/final)\r\n## Microsoft Defender for Cloud: Regulatory Compliance\r\n[Go To: NIST SP 800-171 Assessment >](https://portal.azure.com/#blade/Microsoft_Azure_Security/SecurityMenuBlade/22)" + }, + "customWidth": "50", + "name": "text - 1", + "styleSettings": { + "margin": "2", + "padding": "2", + "maxWidth": "50%" + } + }, + { + "type": 3, + "content": { + "version": "KqlItem/1.0", + "query": "let data = SigninLogs\r\n|where AppDisplayName in ('*') or '*' in ('*')\r\n|where UserDisplayName in ('*') or '*' in ('*')\r\n|extend errorCode = Status.errorCode\r\n|extend SigninStatus = case(errorCode == 0, \"Success\", errorCode == 50058, \"Pending user action\",errorCode == 50140, \"Pending user action\", errorCode == 51006, \"Pending user action\", errorCode == 50059, \"Pending user action\",errorCode == 65001, \"Pending user action\", errorCode == 52004, \"Pending user action\", errorCode == 50055, \"Pending user action\", errorCode == 50144, \"Pending user action\", errorCode == 50072, \"Pending user action\", errorCode == 50074, \"Pending user action\", errorCode == 16000, \"Pending user action\", errorCode == 16001, \"Pending user action\", errorCode == 16003, \"Pending user action\", errorCode == 50127, \"Pending user action\", errorCode == 50125, \"Pending user action\", errorCode == 50129, \"Pending user action\", errorCode == 50143, \"Pending user action\", errorCode == 81010, \"Pending user action\", errorCode == 81014, \"Pending user action\", errorCode == 81012 ,\"Pending user action\", \"Failure\");\r\ndata\r\n| summarize Count = count() by SigninStatus\r\n| join kind = fullouter (datatable(SigninStatus:string)['Success', 'Pending action (Interrupts)', 'Failure']) on SigninStatus\r\n| project SigninStatus = iff(SigninStatus == '', SigninStatus1, SigninStatus), Count = iff(SigninStatus == '', 0, Count)\r\n| join kind = inner (data\r\n| make-series Trend = count() default = 0 on TimeGenerated from ago(14d) to now() step 6h by SigninStatus)\r\n    on SigninStatus\r\n| project-away SigninStatus1, TimeGenerated\r\n| extend Status = SigninStatus\r\n| union (\r\n    data \r\n| summarize Count = count() \r\n| extend jkey = 1\r\n| join kind=inner (data\r\n| make-series Trend = count() default = 0 on TimeGenerated from ago(14d) to now() step 6h\r\n| extend jkey = 1) on jkey\r\n| extend SigninStatus = 'All Sign-ins', Status = '*'    \r\n)\r\n| order by Count desc", + "size": 0, + "showAnalytics": true, + "title": "Login Status Codes by Count", + "noDataMessage": "An Empty Panel Provides Opportunity To Explore Further and Implement Hardening. Controls: Confirm Licensing, Availability, and Health of Respective Offerings. Logging: Confirm Log Source is Onboarded to the Log Analytics Workspace. Time: Adjust the Time Parameter for a Larger Data-Set. ", + "timeContext": { + "durationMs": 2592000000 + }, + "showExportToExcel": true, + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces", + "crossComponentResources": [ + "{Workspace}" + ], + "visualization": "tiles", + "tileSettings": { + "titleContent": { + "columnMatch": "SigninStatus", + "formatter": 1 + }, + "leftContent": { + "columnMatch": "Count", + "formatter": 12, + "formatOptions": { + "palette": "auto" + }, + "numberFormat": { + "unit": 17, + "options": { + "style": "decimal", + "maximumFractionDigits": 2, + "maximumSignificantDigits": 3 + } + } + }, + "secondaryContent": { + "columnMatch": "Trend", + "formatter": 9, + "formatOptions": { + "palette": "green" + } + }, + "showBorder": false + } + }, + "customWidth": "50", + "name": "query - 1", + "styleSettings": { + "maxWidth": "50" + } + }, + { + "type": 12, + "content": { + "version": "NotebookGroup/1.0", + "groupType": "editable", + "items": [ + { + "type": 1, + "content": { + "json": "## Control Assessment\r\n" + }, + "name": "text - 2" + }, + { + "type": 9, + "content": { + "version": "KqlParameterItem/1.0", + "parameters": [ + { + "id": "52668f65-b44a-4e14-82d8-c87410e7e5dc", + "version": "KqlParameterItem/1.0", + "name": "ImplementationStatus", + "label": "Implementation Status", + "type": 2, + "typeSettings": { + "additionalResourceOptions": [], + "showDefault": false + }, + "jsonData": "[\r\n {\"value\": \"Not Implemented\", \"label\": \"Not Implemented\", \"selected\":true},\r\n {\"value\": \"Implemented\", \"label\": \"Implemented\"},\r\n {\"value\": \"Alternate Implementation\", \"label\": \"Alternate Implementation\"},\r\n {\"value\": \"Planned\", \"label\": \"Planned\"},\r\n {\"value\": \"Out of Scope\", \"label\": \"Out of Scope\"}\r\n]", + "timeContext": { + "durationMs": 86400000 + } + }, + { + "id": "578b8620-30b9-4b92-abc6-997998bc8156", + "version": "KqlParameterItem/1.0", + "name": "ImplementationDate", + "label": "Implementation Date", + "type": 1, + "value": "", + "timeContext": { + "durationMs": 86400000 + } + }, + { + "version": "KqlParameterItem/1.0", + "name": "Notes", + "type": 1, + "value": "", + "timeContext": { + "durationMs": 86400000 + }, + "id": "7bd0d384-d3c3-4c77-9dae-d75e823edfcf" + } + ], + "style": "pills", + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces" + }, + "name": "Status" + }, + { + "type": 1, + "content": { + "json": "### Notes
\r\n{Notes}" + }, + "name": "text - 1" + } + ] + }, + "customWidth": "50", + "name": "group - 2" + }, + { + "type": 3, + "content": { + "version": "KqlItem/1.0", + "query": "SecurityAlert\r\n | summarize hint.strategy = shuffle arg_max(TimeGenerated, *), NumberOfUpdates = count() by SystemAlertId\r\n | mv-expand todynamic(Entities)\r\n | where Entities[\"Type\"] =~ \"account\"\r\n | extend Name = tostring(tolower(Entities[\"Name\"])), NTDomain = tostring(Entities[\"NTDomain\"]), UPNSuffix = tostring(Entities[\"UPNSuffix\"]), AadUserId = tostring(Entities[\"AadUserId\"]), AadTenantId = tostring(Entities[\"AadTenantId\"]), \r\n Sid = tostring(Entities[\"Sid\"]), IsDomainJoined = tobool(Entities[\"IsDomainJoined\"]), Host = tostring(Entities[\"Host\"])\r\n | extend UPN = iff(Name != \"\" and UPNSuffix != \"\", strcat(Name, \"@\", UPNSuffix), \"\")\r\n| extend Alert_Link = tostring(parse_json(ExtendedLinks)[1].Href)\r\n| extend UserPrincipalName = UPN\r\n| distinct Name, AlertName, ProductName, Status, Alert_Link, Tactics, TimeGenerated\r\n| where AlertName contains \"brute\"\r\n| sort by TimeGenerated desc\r\n| limit 250", + "size": 0, + "showAnalytics": true, + "title": "Sign-In: Brute Force Alerts", + "noDataMessage": "An Empty Panel Provides Opportunity To Explore Further and Implement Hardening. Controls: Confirm Licensing, Availability, and Health of Respective Offerings. Logging: Confirm Log Source is Onboarded to the Log Analytics Workspace. Time: Adjust the Time Parameter for a Larger Data-Set. ", + "timeContext": { + "durationMs": 2592000000 + }, + "timeContextFromParameter": "TimeRange", + "showExportToExcel": true, + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces", + "crossComponentResources": [ + "{Workspace}" + ], + "gridSettings": { + "formatters": [ + { + "columnMatch": "Name", + "formatter": 18, + "formatOptions": { + "thresholdsOptions": "icons", + "thresholdsGrid": [ + { + "operator": "is Empty", + "text": "{0}{1}" + }, + { + "operator": "Default", + "thresholdValue": null, + "representation": "Person", + "text": "{0}{1}" + } + ] + } + }, + { + "columnMatch": "AlertName", + "formatter": 18, + "formatOptions": { + "thresholdsOptions": "icons", + "thresholdsGrid": [ + { + "operator": "Default", + "thresholdValue": null, + "representation": "3", + "text": "{0}{1}" + } + ] + } + }, + { + "columnMatch": "ProductName", + "formatter": 18, + "formatOptions": { + "thresholdsOptions": "icons", + "thresholdsGrid": [ + { + "operator": "Default", + "thresholdValue": null, + "representation": "uninitialized", + "text": "{0}{1}" + } + ] + } + }, + { + "columnMatch": "Alert_Link", + "formatter": 7, + "formatOptions": { + "linkTarget": "Url", + "linkLabel": "" + } + }, + { + "columnMatch": "AlertLink", + "formatter": 7, + "formatOptions": { + "linkTarget": "Url", + "linkLabel": "" + } + }, + { + "columnMatch": "UserPrincipalName", + "formatter": 18, + "formatOptions": { + "thresholdsOptions": "icons", + "thresholdsGrid": [ + { + "operator": "Default", + "thresholdValue": null, + "representation": "Person", + "text": "{0}{1}" + } + ] + } + }, + { + "columnMatch": "Severity", + "formatter": 18, + "formatOptions": { + "thresholdsOptions": "colors", + "thresholdsGrid": [ + { + "operator": "==", + "thresholdValue": "High", + "representation": "red", + "text": "{0}{1}" + }, + { + "operator": "==", + "thresholdValue": "Medium", + "representation": "orange", + "text": "{0}{1}" + }, + { + "operator": "==", + "thresholdValue": "Low", + "representation": "yellow", + "text": "{0}{1}" + }, + { + "operator": "Default", + "thresholdValue": null, + "representation": "blue", + "text": "{0}{1}" + } + ] + } + }, + { + "columnMatch": "UPN", + "formatter": 18, + "formatOptions": { + "thresholdsOptions": "icons", + "thresholdsGrid": [ + { + "operator": "Default", + "thresholdValue": null, + "representation": "2", + "text": "{0}{1}" + } + ] + } + }, + { + "columnMatch": "IncidentUrl", + "formatter": 7, + "formatOptions": { + "linkTarget": "Url", + "linkLabel": "Go to Incident >" + }, + "numberFormat": { + "unit": 0, + "options": { + "style": "decimal" + } + } + }, + { + "columnMatch": "count_", + "formatter": 8, + "formatOptions": { + "palette": "blue" + } + }, + { + "columnMatch": "city_", + "formatter": 18, + "formatOptions": { + "thresholdsOptions": "colors", + "thresholdsGrid": [ + { + "operator": "Default", + "thresholdValue": null, + "representation": "blue", + "text": "{0}{1}" + } + ] + } + }, + { + "columnMatch": "state_", + "formatter": 18, + "formatOptions": { + "thresholdsOptions": "colors", + "thresholdsGrid": [ + { + "operator": "Default", + "thresholdValue": null, + "representation": "blueDark", + "text": "{0}{1}" + } + ] + } + } + ], + "filter": true + }, + "tileSettings": { + "titleContent": { + "columnMatch": "SigninStatus", + "formatter": 1 + }, + "leftContent": { + "columnMatch": "Count", + "formatter": 12, + "formatOptions": { + "palette": "blue" + }, + "numberFormat": { + "unit": 17, + "options": { + "style": "decimal", + "maximumFractionDigits": 2, + "maximumSignificantDigits": 3 + } + } + }, + "secondaryContent": { + "columnMatch": "Trend", + "formatter": 9, + "formatOptions": { + "palette": "green" + } + }, + "showBorder": false + }, + "mapSettings": { + "locInfo": "CountryRegion", + "locInfoColumn": "Location", + "latitude": "SourceIPLocation", + "longitude": "SourceIPLocation", + "sizeSettings": "Location", + "sizeAggregation": "Count", + "legendMetric": "Location", + "legendAggregation": "Count", + "itemColorSettings": { + "nodeColorField": "Location", + "colorAggregation": "Count", + "type": "thresholds", + "thresholdsGrid": [ + { + "operator": "Default", + "thresholdValue": null, + "representation": "blueDark" + } + ] + } + } + }, + "name": "query - 3" + } + ] + }, + "name": "AC.L2-3.1.8", + "styleSettings": { + "showBorder": true + } + }, + { + "type": 12, + "content": { + "version": "NotebookGroup/1.0", + "groupType": "editable", + "items": [ + { + "type": 1, + "content": { + "json": "# (AC.L2-3.1.9) Privacy & Security Notices\r\n\r\n## Primary Services\r\n✳️ [Microsoft Azure Portal](https://azure.microsoft.com/services/azure-defender-for-iot/) 🔀[Microsoft Azure Portal](https://portal.azure.com/)
\r\n✳️ [Virtual Machines](https://azure.microsoft.com/services/virtual-machines/) 🔀[Virtual Machines](https://portal.azure.com/#blade/HubsExtension/BrowseResource/resourceType/Microsoft.Compute%2FVirtualMachines)
\r\n\r\n## Secondary Services\r\n✳️ [Azure Active Directory](https://azure.microsoft.com/services/active-directory/) 🔀[Azure Active Directory Portal](https://portal.azure.com/#blade/Microsoft_AAD_IAM/ActiveDirectoryMenuBlade/Overview)
\r\n\r\n## Recommended Logs\r\n🔷 [SigninLogs](https://docs.microsoft.com/azure/azure-monitor/reference/tables/signinlogs) ✳️ [Azure Active Directory](https://azure.microsoft.com/services/active-directory/)
\r\n\r\n## Recommended Configuration\r\n💡 [Add Terms of Use](https://docs.microsoft.com/azure/active-directory/conditional-access/terms-of-use#add-terms-of-use)
\r\n\r\n## Implementation Guidance\r\n[Microsoft Technical Reference Guide for CMMC](https://aka.ms/cmmc/techrefguide)\r\n## NIST SP 800-171 Mapping\r\n[3.1.9](https://csrc.nist.gov/publications/detail/sp/800-171/rev-2/final) \r\n## NIST SP 800-53 R4 Mapping\r\n[AC-8](https://csrc.nist.gov/publications/detail/sp/800-53/rev-4/final)\r\n## Microsoft Defender for Cloud: Regulatory Compliance\r\n[Go To: NIST SP 800-171 Assessment >](https://portal.azure.com/#blade/Microsoft_Azure_Security/SecurityMenuBlade/22)" + }, + "customWidth": "50", + "name": "text - 1", + "styleSettings": { + "margin": "2", + "padding": "2", + "maxWidth": "50%" + } + }, + { + "type": 3, + "content": { + "version": "KqlItem/1.0", + "query": "//Configure Azure Active Direcotry Terms of Use: https://docs.microsoft.com/azure/active-directory/conditional-access/terms-of-use#add-terms-of-use\r\nlet nonInteractive = AADNonInteractiveUserSignInLogs\r\n| extend LocationDetails = parse_json(LocationDetails)\r\n| extend Status = parse_json(Status)\r\n| extend ConditionalAccessPolicies = parse_json(ConditionalAccessPolicies);\r\nlet data = \r\nunion SigninLogs,nonInteractive\r\n|extend CAStatus = case(ConditionalAccessStatus == \"failure\", \"Failed\", \r\n ConditionalAccessStatus == \"notApplied\", \"Not applied\", \r\n isempty(ConditionalAccessStatus), \"Not applied\", \r\n \"Disabled\")\r\n|mvexpand ConditionalAccessPolicies\r\n|extend CAGrantControlName = tostring(ConditionalAccessPolicies.enforcedGrantControls[0])\r\n|extend CAGrantControl = case(CAGrantControlName contains \"Terms of Use\", \"Require Terms of Use\", \r\n CAGrantControlName contains \"Privacy\", \"Require Privacy Statement\",\r\n \"Other\");\r\ndata\r\n| where CAGrantControlName <> \"\"\r\n| extend UserProfile = strcat(\"https://portal.azure.com/#blade/Microsoft_AAD_IAM/UserDetailsMenuBlade/Profile/userId/\",UserPrincipalName)\r\n| summarize count() by UserPrincipalName, UserProfile, AppDisplayName, CAGrantControlName, ConditionalAccessStatus\r\n| where CAGrantControlName contains \"Privacy\" or CAGrantControlName contains \"Term\"\r\n| sort by count_ desc\r\n| limit 250\r\n", + "size": 0, + "showAnalytics": true, + "title": "User Terms of Use and/or Privacy Statements (Not Applied) to Sign-In", + "noDataMessage": "An Empty Panel Provides Opportunity To Explore Further and Implement Hardening. Controls: Confirm Licensing, Availability, and Health of Respective Offerings. Logging: Confirm Log Source is Onboarded to the Log Analytics Workspace. Time: Adjust the Time Parameter for a Larger Data-Set. ", + "timeContext": { + "durationMs": 2592000000 + }, + "timeContextFromParameter": "TimeRange", + "showExportToExcel": true, + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces", + "crossComponentResources": [ + "{Workspace}" + ], + "gridSettings": { + "formatters": [ + { + "columnMatch": "UserPrincipalName", + "formatter": 18, + "formatOptions": { + "thresholdsOptions": "icons", + "thresholdsGrid": [ + { + "operator": "Default", + "thresholdValue": null, + "representation": "Person", + "text": "{0}{1}" + } + ] + } + }, + { + "columnMatch": "UserProfile", + "formatter": 7, + "formatOptions": { + "linkTarget": "Url", + "linkLabel": "Go To: AAD User Profile >" + } + }, + { + "columnMatch": "ConditionalAccessStatus", + "formatter": 18, + "formatOptions": { + "thresholdsOptions": "icons", + "thresholdsGrid": [ + { + "operator": "Default", + "thresholdValue": null, + "representation": "2", + "text": "{0}{1}" + } + ] + } + }, + { + "columnMatch": "count_", + "formatter": 4, + "formatOptions": { + "palette": "redBright" + } + } + ], + "filter": true + } + }, + "customWidth": "50", + "name": "query - 2" + }, + { + "type": 12, + "content": { + "version": "NotebookGroup/1.0", + "groupType": "editable", + "items": [ + { + "type": 1, + "content": { + "json": "## Control Assessment\r\n" + }, + "name": "text - 2" + }, + { + "type": 9, + "content": { + "version": "KqlParameterItem/1.0", + "parameters": [ + { + "id": "52668f65-b44a-4e14-82d8-c87410e7e5dc", + "version": "KqlParameterItem/1.0", + "name": "ImplementationStatus", + "label": "Implementation Status", + "type": 2, + "typeSettings": { + "additionalResourceOptions": [], + "showDefault": false + }, + "jsonData": "[\r\n {\"value\": \"Not Implemented\", \"label\": \"Not Implemented\", \"selected\":true},\r\n {\"value\": \"Implemented\", \"label\": \"Implemented\"},\r\n {\"value\": \"Alternate Implementation\", \"label\": \"Alternate Implementation\"},\r\n {\"value\": \"Planned\", \"label\": \"Planned\"},\r\n {\"value\": \"Out of Scope\", \"label\": \"Out of Scope\"}\r\n]", + "timeContext": { + "durationMs": 86400000 + } + }, + { + "id": "578b8620-30b9-4b92-abc6-997998bc8156", + "version": "KqlParameterItem/1.0", + "name": "ImplementationDate", + "label": "Implementation Date", + "type": 1, + "value": "", + "timeContext": { + "durationMs": 86400000 + } + }, + { + "version": "KqlParameterItem/1.0", + "name": "Notes", + "type": 1, + "value": "", + "timeContext": { + "durationMs": 86400000 + }, + "id": "7bd0d384-d3c3-4c77-9dae-d75e823edfcf" + } + ], + "style": "pills", + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces" + }, + "name": "Status" + }, + { + "type": 1, + "content": { + "json": "### Notes
\r\n{Notes}" + }, + "name": "text - 1" + } + ] + }, + "customWidth": "50", + "name": "group - 2" + } + ] + }, + "name": "AC.L2-3.1.9", + "styleSettings": { + "showBorder": true + } + }, + { + "type": 12, + "content": { + "version": "NotebookGroup/1.0", + "groupType": "editable", + "items": [ + { + "type": 1, + "content": { + "json": "# (AC.L2-3.1.10) Session Lock\r\n\r\n## Primary Services\r\n✳️ [Microsoft Azure Portal](https://azure.microsoft.com/services/azure-defender-for-iot/) 🔀[Microsoft Azure Portal](https://portal.azure.com/)
\r\n✳️ [Virtual Machines](https://azure.microsoft.com/services/virtual-machines/) 🔀[Virtual Machines](https://portal.azure.com/#blade/HubsExtension/BrowseResource/resourceType/Microsoft.Compute%2FVirtualMachines)
\r\n✳️ [Intune/Microsoft Endpoint Manager](https://www.microsoft.com/microsoft-365/microsoft-endpoint-Manager) 🔀[Microsoft Endpoint Manager Admin Center](https://endpoint.microsoft.com/#home)
\r\n\r\n## Recommended Logs\r\n🔷 [SigninLogs](https://docs.microsoft.com/azure/azure-monitor/reference/tables/signinlogs) ✳️ [Azure Active Directory](https://azure.microsoft.com/services/active-directory/)
\r\n\r\n## Recommended Configuration\r\n💡 [Configure screen lock settings using Intune](https://docs.microsoft.com/mem/intune/configuration/device-restrictions-windows-10#locked-screen-experience)
\r\n💡 [Grant access to resources if devices are marked as compliant](https://docs.microsoft.com/azure/active-directory/conditional-access/require-managed-devices#require-device-to-be-marked-as-compliant)
\r\n💡 [Conceal Passwords with Password Box](https://docs.microsoft.com/windows/uwp/design/controls-and-patterns/password-box)
\r\n\r\n## Implementation Guidance\r\n[Microsoft Technical Reference Guide for CMMC](https://aka.ms/cmmc/techrefguide)\r\n## NIST SP 800-171 Mapping\r\n[3.1.10](https://csrc.nist.gov/publications/detail/sp/800-171/rev-2/final) \r\n## NIST SP 800-53 R4 Mapping\r\n[AC-11, AC-11(1)](https://csrc.nist.gov/publications/detail/sp/800-53/rev-4/final)\r\n## Microsoft Defender for Cloud: Regulatory Compliance\r\n[Go To: NIST SP 800-171 Assessment >](https://portal.azure.com/#blade/Microsoft_Azure_Security/SecurityMenuBlade/22)\r\n" + }, + "customWidth": "50", + "name": "text - 1", + "styleSettings": { + "margin": "2", + "padding": "2", + "maxWidth": "50%" + } + }, + { + "type": 3, + "content": { + "version": "KqlItem/1.0", + "query": "SigninLogs\r\n| where DeviceDetail.isCompliant <> \"true\"\r\n| where DeviceDetail.isManaged == \"true\"\r\n| extend isCompliant = tostring(DeviceDetail.isCompliant)\r\n| extend isManaged = tostring(DeviceDetail.isManaged)\r\n| extend deviceId = tostring(DeviceDetail.deviceId)\r\n| extend trustType = tostring(DeviceDetail.trustType)\r\n| extend UserProfile = strcat(\"https://portal.azure.com/#blade/Microsoft_AAD_IAM/UserDetailsMenuBlade/Profile/userId/\",UserPrincipalName)\r\n| summarize count() by UserPrincipalName, UserProfile, isCompliant, isManaged, deviceId, trustType\r\n| sort by count_ desc\r\n\r\n\r\n\r\n\r\n", + "size": 0, + "showAnalytics": true, + "title": "Configure Screen Lock and Monitor Managed Device Compliance", + "noDataMessage": "An Empty Panel Provides Opportunity To Explore Further and Implement Hardening. Controls: Confirm Licensing, Availability, and Health of Respective Offerings. Logging: Confirm Log Source is Onboarded to the Log Analytics Workspace. Time: Adjust the Time Parameter for a Larger Data-Set. ", + "timeContext": { + "durationMs": 2592000000 + }, + "timeContextFromParameter": "TimeRange", + "showExportToExcel": true, + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces", + "crossComponentResources": [ + "{Workspace}" + ], + "gridSettings": { + "formatters": [ + { + "columnMatch": "UserPrincipalName", + "formatter": 18, + "formatOptions": { + "thresholdsOptions": "icons", + "thresholdsGrid": [ + { + "operator": "Default", + "thresholdValue": null, + "representation": "Person", + "text": "{0}{1}" + } + ] + } + }, + { + "columnMatch": "UserProfile", + "formatter": 7, + "formatOptions": { + "linkTarget": "Url", + "linkLabel": "Go To: AAD User Profile >" + } + }, + { + "columnMatch": "ConditionalAccessStatus", + "formatter": 18, + "formatOptions": { + "thresholdsOptions": "icons", + "thresholdsGrid": [ + { + "operator": "Default", + "thresholdValue": null, + "representation": "2", + "text": "{0}{1}" + } + ] + } + }, + { + "columnMatch": "count_", + "formatter": 4, + "formatOptions": { + "palette": "redBright" + } + } + ], + "filter": true + } + }, + "customWidth": "50", + "name": "query - 2" + }, + { + "type": 12, + "content": { + "version": "NotebookGroup/1.0", + "groupType": "editable", + "items": [ + { + "type": 1, + "content": { + "json": "## Control Assessment\r\n" + }, + "name": "text - 2" + }, + { + "type": 9, + "content": { + "version": "KqlParameterItem/1.0", + "parameters": [ + { + "id": "52668f65-b44a-4e14-82d8-c87410e7e5dc", + "version": "KqlParameterItem/1.0", + "name": "ImplementationStatus", + "label": "Implementation Status", + "type": 2, + "typeSettings": { + "additionalResourceOptions": [], + "showDefault": false + }, + "jsonData": "[\r\n {\"value\": \"Not Implemented\", \"label\": \"Not Implemented\", \"selected\":true},\r\n {\"value\": \"Implemented\", \"label\": \"Implemented\"},\r\n {\"value\": \"Alternate Implementation\", \"label\": \"Alternate Implementation\"},\r\n {\"value\": \"Planned\", \"label\": \"Planned\"},\r\n {\"value\": \"Out of Scope\", \"label\": \"Out of Scope\"}\r\n]", + "timeContext": { + "durationMs": 86400000 + } + }, + { + "id": "578b8620-30b9-4b92-abc6-997998bc8156", + "version": "KqlParameterItem/1.0", + "name": "ImplementationDate", + "label": "Implementation Date", + "type": 1, + "value": "", + "timeContext": { + "durationMs": 86400000 + } + }, + { + "version": "KqlParameterItem/1.0", + "name": "Notes", + "type": 1, + "value": "", + "timeContext": { + "durationMs": 86400000 + }, + "id": "7bd0d384-d3c3-4c77-9dae-d75e823edfcf" + } + ], + "style": "pills", + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces" + }, + "name": "Status" + }, + { + "type": 1, + "content": { + "json": "### Notes
\r\n{Notes}" + }, + "name": "text - 1" + } + ] + }, + "customWidth": "50", + "name": "group - 2" + } + ] + }, + "name": "AC.L2-3.1.10", + "styleSettings": { + "showBorder": true + } + }, + { + "type": 12, + "content": { + "version": "NotebookGroup/1.0", + "groupType": "editable", + "items": [ + { + "type": 1, + "content": { + "json": "# (AC.L2-3.1.11) Session Termination\r\n\r\n## Primary Services\r\n✳️ [Microsoft Azure Portal](https://azure.microsoft.com/services/azure-defender-for-iot/) 🔀[Microsoft Azure Portal](https://portal.azure.com/)
\r\n✳️ [Azure AD Privileged Identity Management](https://docs.microsoft.com/azure/active-directory/privileged-identity-management/pim-getting-started) 🔀[Privileged Identity Management](https://portal.azure.com/#blade/Microsoft_Azure_PIMCommon/CommonMenuBlade/quickStart)
\r\n\r\n## Secondary Services\r\n✳️ [Application Gateway](https://azure.microsoft.com/services/application-gateway/) 🔀 [Application Security Groups](https://portal.azure.com/#blade/HubsExtension/BrowseResource/resourceType/Microsoft.Network%2FvirtualNetworks)
\r\n✳️ [Azure Bastion](https://azure.microsoft.com/services/azure-bastion/) 🔀[Bastions](https://portal.azure.com/#blade/HubsExtension/BrowseResourceBlade/resourceType/Microsoft.Network%2FbastionHosts)
\r\n\r\n## Recommended Logs\r\n🔷 [AADUserRiskEvents](https://docs.microsoft.com/azure/azure-monitor/reference/tables/aaduserriskevents) ✳️ [Azure Active Directory](https://azure.microsoft.com/services/active-directory/)
\r\n\r\n\r\n## Implementation Guidance\r\n[Microsoft Technical Reference Guide for CMMC](https://aka.ms/cmmc/techrefguide)\r\n## NIST SP 800-171 Mapping\r\n[3.1.11](https://csrc.nist.gov/publications/detail/sp/800-171/rev-2/final)
\r\n## NIST SP 800-53 R4 Mapping\r\n[AC-12](https://csrc.nist.gov/publications/detail/sp/800-53/rev-4/final)\r\n## Microsoft Defender for Cloud: Regulatory Compliance\r\n[Go To: NIST SP 800-171 Assessment >](https://portal.azure.com/#blade/Microsoft_Azure_Security/SecurityMenuBlade/22)
\r\n" + }, + "customWidth": "50", + "name": "text - 1", + "styleSettings": { + "margin": "2", + "padding": "2", + "maxWidth": "50%" + } + }, + { + "type": 3, + "content": { + "version": "KqlItem/1.0", + "query": "AADUserRiskEvents\r\n| extend UserProfile = strcat(\"https://portal.azure.com/#blade/Microsoft_AAD_IAM/UserDetailsMenuBlade/Profile/userId/\",UserId)\r\n| extend countryOrRegion_ = tostring(Location.countryOrRegion)\r\n| extend city_ = tostring(Location.city)\r\n| extend state_ = tostring(Location.state)\r\n| extend latitude_ = tostring(parse_json(tostring(Location.geoCoordinates)).latitude)\r\n| extend longitude_ = tostring(parse_json(tostring(Location.geoCoordinates)).longitude)\r\n| summarize count() by UserPrincipalName, UserProfile, RiskLevel, RiskEventType, city_, countryOrRegion_, state_, latitude_, longitude_, IpAddress\r\n| sort by count_ desc\r\n| limit 250", + "size": 3, + "showAnalytics": true, + "title": "AAD Identity Protection: Sign-in Risk by Geolocation", + "noDataMessage": "An Empty Panel Provides Opportunity To Explore Further and Implement Hardening. Controls: Confirm Licensing, Availability, and Health of Respective Offerings. Logging: Confirm Log Source is Onboarded to the Log Analytics Workspace. Time: Adjust the Time Parameter for a Larger Data-Set. ", + "timeContext": { + "durationMs": 2592000000 + }, + "timeContextFromParameter": "TimeRange", + "showExportToExcel": true, + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces", + "crossComponentResources": [ + "{Workspace}" + ], + "visualization": "map", + "gridSettings": { + "formatters": [ + { + "columnMatch": "UserPrincipalName", + "formatter": 18, + "formatOptions": { + "thresholdsOptions": "icons", + "thresholdsGrid": [ + { + "operator": "Default", + "thresholdValue": null, + "representation": "warning", + "text": "{0}{1}" + } + ] + } + }, + { + "columnMatch": "UncommonActionVolume", + "formatter": 4, + "formatOptions": { + "palette": "redBright" + } + }, + { + "columnMatch": "UncommonAction", + "formatter": 4, + "formatOptions": { + "palette": "green" + } + }, + { + "columnMatch": "FirstTimeUserAction", + "formatter": 4, + "formatOptions": { + "palette": "blue" + } + }, + { + "columnMatch": "FirstTimeDeviceLogon", + "formatter": 4, + "formatOptions": { + "palette": "yellow" + } + }, + { + "columnMatch": "IncidentCount", + "formatter": 8, + "formatOptions": { + "palette": "redBright" + } + }, + { + "columnMatch": "AlertCount", + "formatter": 8, + "formatOptions": { + "palette": "orange" + } + }, + { + "columnMatch": "AnomalyCount", + "formatter": 8, + "formatOptions": { + "palette": "yellow" + } + } + ] + }, + "sortBy": [], + "tileSettings": { + "titleContent": { + "columnMatch": "SigninStatus", + "formatter": 1 + }, + "leftContent": { + "columnMatch": "Count", + "formatter": 12, + "formatOptions": { + "palette": "blue" + }, + "numberFormat": { + "unit": 17, + "options": { + "style": "decimal", + "maximumFractionDigits": 2, + "maximumSignificantDigits": 3 + } + } + }, + "secondaryContent": { + "columnMatch": "Trend", + "formatter": 9, + "formatOptions": { + "palette": "green" + } + }, + "showBorder": false + }, + "mapSettings": { + "locInfo": "CountryRegion", + "locInfoColumn": "countryOrRegion_", + "latitude": "latitude_", + "longitude": "longitude_", + "sizeSettings": "countryOrRegion_", + "sizeAggregation": "Count", + "labelSettings": "city_", + "legendMetric": "countryOrRegion_", + "legendAggregation": "Count", + "itemColorSettings": { + "nodeColorField": "countryOrRegion_", + "colorAggregation": "Count", + "type": "thresholds", + "thresholdsGrid": [ + { + "operator": "Default", + "thresholdValue": null, + "representation": "redBright" + } + ] + } + } + }, + "customWidth": "50", + "name": "query - 3" + }, + { + "type": 12, + "content": { + "version": "NotebookGroup/1.0", + "groupType": "editable", + "items": [ + { + "type": 1, + "content": { + "json": "## Control Assessment\r\n" + }, + "name": "text - 2" + }, + { + "type": 9, + "content": { + "version": "KqlParameterItem/1.0", + "parameters": [ + { + "id": "52668f65-b44a-4e14-82d8-c87410e7e5dc", + "version": "KqlParameterItem/1.0", + "name": "ImplementationStatus", + "label": "Implementation Status", + "type": 2, + "typeSettings": { + "additionalResourceOptions": [], + "showDefault": false + }, + "jsonData": "[\r\n {\"value\": \"Not Implemented\", \"label\": \"Not Implemented\", \"selected\":true},\r\n {\"value\": \"Implemented\", \"label\": \"Implemented\"},\r\n {\"value\": \"Alternate Implementation\", \"label\": \"Alternate Implementation\"},\r\n {\"value\": \"Planned\", \"label\": \"Planned\"},\r\n {\"value\": \"Out of Scope\", \"label\": \"Out of Scope\"}\r\n]", + "timeContext": { + "durationMs": 86400000 + } + }, + { + "id": "578b8620-30b9-4b92-abc6-997998bc8156", + "version": "KqlParameterItem/1.0", + "name": "ImplementationDate", + "label": "Implementation Date", + "type": 1, + "value": "", + "timeContext": { + "durationMs": 86400000 + } + }, + { + "version": "KqlParameterItem/1.0", + "name": "Notes", + "type": 1, + "value": "", + "timeContext": { + "durationMs": 86400000 + }, + "id": "7bd0d384-d3c3-4c77-9dae-d75e823edfcf" + } + ], + "style": "pills", + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces" + }, + "name": "Status" + }, + { + "type": 1, + "content": { + "json": "### Notes
\r\n{Notes}" + }, + "name": "text - 1" + } + ] + }, + "customWidth": "50", + "name": "group - 2" + }, + { + "type": 3, + "content": { + "version": "KqlItem/1.0", + "query": "AADUserRiskEvents\r\n| extend UserProfile = strcat(\"https://portal.azure.com/#blade/Microsoft_AAD_IAM/UserDetailsMenuBlade/Profile/userId/\",UserId)\r\n| extend countryOrRegion_ = tostring(Location.countryOrRegion)\r\n| extend city_ = tostring(Location.city)\r\n| extend state_ = tostring(Location.state)\r\n| extend latitude_ = tostring(parse_json(tostring(Location.geoCoordinates)).latitude)\r\n| extend longitude_ = tostring(parse_json(tostring(Location.geoCoordinates)).longitude)\r\n| summarize count() by UserPrincipalName, UserProfile, RiskLevel, RiskEventType, city_, countryOrRegion_, state_, latitude_, longitude_, IpAddress\r\n| sort by count_ desc\r\n| limit 250", + "size": 0, + "showAnalytics": true, + "title": "AAD Identity Protection: User Sign-in Risk Details", + "noDataMessage": "An Empty Panel Provides Opportunity To Explore Further and Implement Hardening. Controls: Confirm Licensing, Availability, and Health of Respective Offerings. Logging: Confirm Log Source is Onboarded to the Log Analytics Workspace. Time: Adjust the Time Parameter for a Larger Data-Set. ", + "timeContext": { + "durationMs": 2592000000 + }, + "timeContextFromParameter": "TimeRange", + "showExportToExcel": true, + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces", + "crossComponentResources": [ + "{Workspace}" + ], + "gridSettings": { + "formatters": [ + { + "columnMatch": "UserPrincipalName", + "formatter": 18, + "formatOptions": { + "thresholdsOptions": "icons", + "thresholdsGrid": [ + { + "operator": "Default", + "thresholdValue": null, + "representation": "Person", + "text": "{0}{1}" + } + ] + } + }, + { + "columnMatch": "UserProfile", + "formatter": 7, + "formatOptions": { + "linkTarget": "Url", + "linkLabel": "Go to AAD User Profile >" + } + }, + { + "columnMatch": "RiskLevel", + "formatter": 18, + "formatOptions": { + "thresholdsOptions": "colors", + "thresholdsGrid": [ + { + "operator": "==", + "thresholdValue": "high", + "representation": "redBright", + "text": "{0}{1}" + }, + { + "operator": "==", + "thresholdValue": "medium", + "representation": "orange", + "text": "{0}{1}" + }, + { + "operator": "==", + "thresholdValue": "low", + "representation": "yellow", + "text": "{0}{1}" + }, + { + "operator": "Default", + "thresholdValue": null, + "representation": "blue", + "text": "{0}{1}" + } + ] + } + }, + { + "columnMatch": "city_", + "formatter": 18, + "formatOptions": { + "thresholdsOptions": "icons", + "thresholdsGrid": [ + { + "operator": "Default", + "thresholdValue": null, + "representation": "Globe", + "text": "{0}{1}" + } + ] + } + }, + { + "columnMatch": "countryOrRegion_", + "formatter": 18, + "formatOptions": { + "thresholdsOptions": "icons", + "thresholdsGrid": [ + { + "operator": "Default", + "thresholdValue": null, + "representation": "Globe", + "text": "{0}{1}" + } + ] + } + }, + { + "columnMatch": "state_", + "formatter": 18, + "formatOptions": { + "thresholdsOptions": "icons", + "thresholdsGrid": [ + { + "operator": "Default", + "thresholdValue": null, + "representation": "Globe", + "text": "{0}{1}" + } + ] + } + }, + { + "columnMatch": "count_", + "formatter": 8, + "formatOptions": { + "palette": "purpleDark" + } + } + ], + "filter": true + } + }, + "name": "query - 14" + } + ] + }, + "name": "AC.L2-3.1.11", + "styleSettings": { + "showBorder": true + } + }, + { + "type": 12, + "content": { + "version": "NotebookGroup/1.0", + "groupType": "editable", + "items": [ + { + "type": 1, + "content": { + "json": "# [(AC.L2-3.1.12) Control Remote Access](https://docs.microsoft.com/azure/governance/policy/samples/cmmc-l3#monitor-and-control-remote-access-sessions)\r\n\r\n## Primary Services\r\n✳️ [Azure Active Directory](https://azure.microsoft.com/services/active-directory/) 🔀[Azure Active Directory Portal](https://portal.azure.com/#blade/Microsoft_AAD_IAM/ActiveDirectoryMenuBlade/Overview)
\r\n✳️ [Microsoft Defender for Cloud](https://azure.microsoft.com/services/security-center/) 🔀[Microsoft Defender for Cloud](https://portal.azure.com/#blade/Microsoft_Azure_Security/SecurityMenuBlade/0)
\r\n✳️ [Microsoft Sentinel](https://azure.microsoft.com/services/azure-sentinel/) 🔀[Microsoft Sentinel](https://portal.azure.com/#blade/HubsExtension/BrowseResource/resourceType/microsoft.securityinsightsarg%2Fsentinel)
\r\n✳️ [Azure Bastion](https://azure.microsoft.com/services/azure-bastion/) 🔀[Bastions](https://portal.azure.com/#blade/HubsExtension/BrowseResourceBlade/resourceType/Microsoft.Network%2FbastionHosts)
\r\n✳️ [Microsoft Defender for Cloud](https://azure.microsoft.com/services/security-center) 🔀[Microsoft Defender for Cloud](https://portal.azure.com/#blade/Microsoft_Azure_Security/SecurityMenuBlade/0)
\r\n\r\n## Secondary Services\r\n✳️ [Microsoft Azure Portal](https://azure.microsoft.com/services/azure-defender-for-iot/) 🔀[Microsoft Azure Portal](https://portal.azure.com/)
\r\n✳️ [Azure ExpressRoute]( https://azure.microsoft.com/services/expressroute/) 🔀[ExpressRoute Circuits](https://portal.azure.com/#blade/HubsExtension/BrowseResource/resourceType/Microsoft.Network%2FexpressRouteCircuits)
\r\n✳️ [Network Security Groups](https://docs.microsoft.com/azure/virtual-network/network-security-groups-overview) 🔀[Network Security Groups](https://portal.azure.com/#blade/HubsExtension/BrowseResource/resourceType/Microsoft.Network%2FNetworkSecurityGroups)
\r\n✳️ [Conditional Access](https://docs.microsoft.com/azure/active-directory/conditional-access/overview) 🔀[Azure Active Directory: Conditional Access](https://portal.azure.com/#blade/Microsoft_AAD_IAM/ConditionalAccessBlade/Policies)
\r\n✳️ [Intune/Microsoft Endpoint Manager](https://www.microsoft.com/microsoft-365/microsoft-endpoint-Manager) 🔀[Microsoft Endpoint Manager Admin Center](https://endpoint.microsoft.com/#home)
\r\n✳️ [Microsoft Defender for Office 365](https://www.microsoft.com/microsoft-365/security/office-365-defender) 🔀[Microsoft 365 Defender Portal](https://security.microsoft.com/homepage)
\r\n\r\n## Recommended Logs\r\n🔷 [SigninLogs](https://docs.microsoft.com/azure/azure-monitor/reference/tables/signinlogs) ✳️ [Azure Active Directory](https://azure.microsoft.com/services/active-directory/)
\r\n\r\n## Implementation Guidance\r\n[Microsoft Technical Reference Guide for CMMC](https://aka.ms/cmmc/techrefguide)\r\n## NIST SP 800-171 Mapping\r\n[3.1.12](https://csrc.nist.gov/publications/detail/sp/800-171/rev-2/final) \r\n## NIST SP 800-53 R4 Mapping\r\n[AC-17(1)](https://csrc.nist.gov/publications/detail/sp/800-53/rev-4/final)\r\n## Microsoft Defender for Cloud: Regulatory Compliance\r\n[Go To: NIST SP 800-171 Assessment >](https://portal.azure.com/#blade/Microsoft_Azure_Security/SecurityMenuBlade/22)\r\n" + }, + "customWidth": "50", + "name": "text - 1", + "styleSettings": { + "margin": "2", + "padding": "2", + "maxWidth": "50%" + } + }, + { + "type": 3, + "content": { + "version": "KqlItem/1.0", + "query": "SigninLogs\r\n| where Location <> \"\"\r\n| where ResultType == 0\r\n| extend latitude_ = tostring(parse_json(tostring(LocationDetails.geoCoordinates)).latitude)\r\n| extend longitude_ = tostring(parse_json(tostring(LocationDetails.geoCoordinates)).longitude)\r\n| extend city_ = tostring(LocationDetails.city)\r\n", + "size": 3, + "showAnalytics": true, + "title": "User Sign-Ins by Geolocation", + "noDataMessage": "An Empty Panel Provides Opportunity To Explore Further and Implement Hardening. Controls: Confirm Licensing, Availability, and Health of Respective Offerings. Logging: Confirm Log Source is Onboarded to the Log Analytics Workspace. Time: Adjust the Time Parameter for a Larger Data-Set. ", + "timeContext": { + "durationMs": 2592000000 + }, + "timeContextFromParameter": "TimeRange", + "showExportToExcel": true, + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces", + "crossComponentResources": [ + "{Workspace}" + ], + "visualization": "map", + "mapSettings": { + "locInfo": "LatLong", + "locInfoColumn": "Location", + "latitude": "latitude_", + "longitude": "longitude_", + "sizeSettings": "city_", + "sizeAggregation": "Count", + "labelSettings": "city_", + "legendMetric": "city_", + "numberOfMetrics": 10, + "legendAggregation": "Count", + "itemColorSettings": { + "nodeColorField": "state_", + "colorAggregation": "Count", + "type": "heatmap", + "heatmapPalette": "coldHot" + }, + "numberFormatSettings": { + "unit": 0, + "options": { + "style": "decimal" + } + } + } + }, + "customWidth": "50", + "name": "query - 4" + }, + { + "type": 12, + "content": { + "version": "NotebookGroup/1.0", + "groupType": "editable", + "items": [ + { + "type": 1, + "content": { + "json": "## Control Assessment\r\n" + }, + "name": "text - 2" + }, + { + "type": 9, + "content": { + "version": "KqlParameterItem/1.0", + "parameters": [ + { + "id": "52668f65-b44a-4e14-82d8-c87410e7e5dc", + "version": "KqlParameterItem/1.0", + "name": "ImplementationStatus", + "label": "Implementation Status", + "type": 2, + "typeSettings": { + "additionalResourceOptions": [], + "showDefault": false + }, + "jsonData": "[\r\n {\"value\": \"Not Implemented\", \"label\": \"Not Implemented\", \"selected\":true},\r\n {\"value\": \"Implemented\", \"label\": \"Implemented\"},\r\n {\"value\": \"Alternate Implementation\", \"label\": \"Alternate Implementation\"},\r\n {\"value\": \"Planned\", \"label\": \"Planned\"},\r\n {\"value\": \"Out of Scope\", \"label\": \"Out of Scope\"}\r\n]", + "timeContext": { + "durationMs": 86400000 + } + }, + { + "id": "578b8620-30b9-4b92-abc6-997998bc8156", + "version": "KqlParameterItem/1.0", + "name": "ImplementationDate", + "label": "Implementation Date", + "type": 1, + "value": "", + "timeContext": { + "durationMs": 86400000 + } + }, + { + "version": "KqlParameterItem/1.0", + "name": "Notes", + "type": 1, + "value": "", + "timeContext": { + "durationMs": 86400000 + }, + "id": "7bd0d384-d3c3-4c77-9dae-d75e823edfcf" + } + ], + "style": "pills", + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces" + }, + "name": "Status" + }, + { + "type": 1, + "content": { + "json": "### Notes
\r\n{Notes}" + }, + "name": "text - 1" + } + ] + }, + "customWidth": "50", + "name": "group - 2" + } + ] + }, + "name": "AC.L2-3.1.12", + "styleSettings": { + "showBorder": true + } + }, + { + "type": 12, + "content": { + "version": "NotebookGroup/1.0", + "groupType": "editable", + "items": [ + { + "type": 1, + "content": { + "json": "# (AC.L2-3.1.13) Remote Access Confidentiality\r\n\r\n## Primary Services\r\n✳️ [Microsoft Azure Portal](https://azure.microsoft.com/services/azure-defender-for-iot/) 🔀[Microsoft Azure Portal](https://portal.azure.com/)
\r\n✳️ [Azure Active Directory](https://azure.microsoft.com/services/active-directory/) 🔀[Azure Active Directory Portal](https://portal.azure.com/#blade/Microsoft_AAD_IAM/ActiveDirectoryMenuBlade/Overview)
\r\n\r\n## Secondary Services\r\n✳️ [Multi-Factor Authentication](https://azure.microsoft.com/services/active-directory/) 🔀[Multi-Factor Authentication](https://portal.azure.com/#blade/Microsoft_AAD_IAM/MultifactorAuthenticationMenuBlade/GettingStarted)
\r\n✳️ [Load Balancer]( https://azure.microsoft.com/services/load-balancer/) 🔀[Load Balancers](https://portal.azure.com/#blade/Microsoft_Azure_Network/LoadBalancingHubMenuBlade/loadBalancers)
\r\n\r\n\r\n## Recommended Logs\r\n🔷 [Resources](https://docs.microsoft.com/azure/governance/resource-graph/samples/starter) ✳️ [Azure Resource Graph](https://azure.microsoft.com/features/resource-graph/)
\r\n🔷 [SecurityRecommendation](https://docs.microsoft.com/azure/defender-for-iot/how-to-security-data-access#security-recommendations) ✳️ [Microsoft Defender for Cloud](https://azure.microsoft.com/services/security-center/)
\r\n\r\n## Implementation Guidance\r\n[Microsoft Technical Reference Guide for CMMC](https://aka.ms/cmmc/techrefguide)\r\n## NIST SP 800-171 Mapping\r\n[3.1.13](https://csrc.nist.gov/publications/detail/sp/800-171/rev-2/final)
\r\n## NIST SP 800-53 R4 Mapping\r\n[AC-17(2)](https://csrc.nist.gov/publications/detail/sp/800-53/rev-4/final)\r\n## Microsoft Defender for Cloud: Regulatory Compliance\r\n[Go To: NIST SP 800-171 Assessment >](https://portal.azure.com/#blade/Microsoft_Azure_Security/SecurityMenuBlade/22)
\r\n" + }, + "customWidth": "50", + "name": "text - 1", + "styleSettings": { + "margin": "2", + "padding": "2", + "maxWidth": "50%" + } + }, + { + "type": 3, + "content": { + "version": "KqlItem/1.0", + "query": "SecurityRecommendation\r\n| where RecommendationDisplayName contains \"crypt\"\r\n| summarize arg_max(TimeGenerated, *) by RecommendationDisplayName, AssessedResourceId\r\n| summarize\r\n Failed = countif(RecommendationState == \"Unhealthy\"),\r\n Passed = countif(RecommendationState == \"Healthy\"),\r\n Total = countif(RecommendationState == \"Healthy\" or RecommendationState == \"Unhealthy\")\r\n by RecommendationDisplayName\r\n| extend PassedControls = (Passed / todouble(Total)) * 100\r\n| project RecommendationDisplayName, Total, PassedControls, Passed, Failed\r\n| sort by Total desc\r\n| limit 250", + "size": 0, + "showAnalytics": true, + "title": "Review Microsoft Defender for Cloud Recommendations", + "noDataMessage": "An Empty Panel Provides Opportunity To Explore Further and Implement Hardening. Controls: Confirm Licensing, Availability, and Health of Respective Offerings. Logging: Confirm Log Source is Onboarded to the Log Analytics Workspace. Time: Adjust the Time Parameter for a Larger Data-Set. ", + "timeContext": { + "durationMs": 2592000000 + }, + "timeContextFromParameter": "TimeRange", + "showExportToExcel": true, + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces", + "crossComponentResources": [ + "{Workspace}" + ], + "gridSettings": { + "formatters": [ + { + "columnMatch": "RecommendationDisplayName", + "formatter": 18, + "formatOptions": { + "thresholdsOptions": "icons", + "thresholdsGrid": [ + { + "operator": "Default", + "thresholdValue": null, + "representation": "Gear", + "text": "{0}{1}" + } + ] + } + }, + { + "columnMatch": "Total", + "formatter": 22, + "formatOptions": { + "compositeBarSettings": { + "labelText": "", + "columnSettings": [ + { + "columnName": "Passed", + "color": "green" + }, + { + "columnName": "Failed", + "color": "redBright" + } + ] + } + } + }, + { + "columnMatch": "PassedControls", + "formatter": 0, + "numberFormat": { + "unit": 1, + "options": { + "style": "decimal", + "maximumFractionDigits": 2 + } + } + }, + { + "columnMatch": "ControlNumber", + "formatter": 18, + "formatOptions": { + "thresholdsOptions": "icons", + "thresholdsGrid": [ + { + "operator": "Default", + "thresholdValue": null, + "representation": "AllServices", + "text": "{0}{1}" + } + ] + } + }, + { + "columnMatch": "RecommendationState", + "formatter": 18, + "formatOptions": { + "thresholdsOptions": "icons", + "thresholdsGrid": [ + { + "operator": "!=", + "thresholdValue": "Healthy", + "representation": "3", + "text": "{0}{1}" + }, + { + "operator": "Default", + "thresholdValue": null, + "representation": "success", + "text": "{0}{1}" + } + ] + } + }, + { + "columnMatch": "count_", + "formatter": 4, + "formatOptions": { + "palette": "blue" + } + } + ], + "filter": true + } + }, + "customWidth": "50", + "name": "query - 1" + }, + { + "type": 12, + "content": { + "version": "NotebookGroup/1.0", + "groupType": "editable", + "items": [ + { + "type": 1, + "content": { + "json": "## Control Assessment\r\n" + }, + "name": "text - 2" + }, + { + "type": 9, + "content": { + "version": "KqlParameterItem/1.0", + "parameters": [ + { + "id": "52668f65-b44a-4e14-82d8-c87410e7e5dc", + "version": "KqlParameterItem/1.0", + "name": "ImplementationStatus", + "label": "Implementation Status", + "type": 2, + "typeSettings": { + "additionalResourceOptions": [], + "showDefault": false + }, + "jsonData": "[\r\n {\"value\": \"Not Implemented\", \"label\": \"Not Implemented\", \"selected\":true},\r\n {\"value\": \"Implemented\", \"label\": \"Implemented\"},\r\n {\"value\": \"Alternate Implementation\", \"label\": \"Alternate Implementation\"},\r\n {\"value\": \"Planned\", \"label\": \"Planned\"},\r\n {\"value\": \"Out of Scope\", \"label\": \"Out of Scope\"}\r\n]", + "timeContext": { + "durationMs": 86400000 + } + }, + { + "id": "578b8620-30b9-4b92-abc6-997998bc8156", + "version": "KqlParameterItem/1.0", + "name": "ImplementationDate", + "label": "Implementation Date", + "type": 1, + "value": "", + "timeContext": { + "durationMs": 86400000 + } + }, + { + "version": "KqlParameterItem/1.0", + "name": "Notes", + "type": 1, + "value": "", + "timeContext": { + "durationMs": 86400000 + }, + "id": "7bd0d384-d3c3-4c77-9dae-d75e823edfcf" + } + ], + "style": "pills", + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces" + }, + "name": "Status" + }, + { + "type": 1, + "content": { + "json": "### Notes
\r\n{Notes}" + }, + "name": "text - 1" + } + ] + }, + "customWidth": "50", + "name": "group - 2" + } + ] + }, + "name": "AC.L2-3.1.13", + "styleSettings": { + "showBorder": true + } + }, + { + "type": 12, + "content": { + "version": "NotebookGroup/1.0", + "groupType": "editable", + "items": [ + { + "type": 1, + "content": { + "json": "# [(AC.L2-3.1.14) Privileged Remote Access](https://docs.microsoft.com/azure/governance/policy/samples/cmmc-l3#route-remote-access-via-managed-access-control-points)\r\n\r\n## Primary Services\r\n✳️ [Azure Bastion](https://azure.microsoft.com/services/azure-bastion/) 🔀[Bastions](https://portal.azure.com/#blade/HubsExtension/BrowseResourceBlade/resourceType/Microsoft.Network%2FbastionHosts)
\r\n✳️ [VPN Gateway](https://azure.microsoft.com/services/vpn-gateway/) 🔀[Virtual Network Gateways](https://portal.azure.com/#blade/HubsExtension/BrowseResourceBlade/resourceType/Microsoft.Network%2FvirtualNetworkGateways)
\r\n✳️ [Intune/Microsoft Endpoint Manager](https://www.microsoft.com/microsoft-365/microsoft-endpoint-Manager) 🔀[Microsoft Endpoint Manager Admin Center](https://endpoint.microsoft.com/#home)
\r\n✳️ [Microsoft Defender for Cloud](https://azure.microsoft.com/services/security-center) 🔀[Microsoft Defender for Cloud](https://portal.azure.com/#blade/Microsoft_Azure_Security/SecurityMenuBlade/0)
\r\n\r\n## Secondary Services\r\n✳️ [Azure ExpressRoute]( https://azure.microsoft.com/services/expressroute/) 🔀[ExpressRoute Circuits](https://portal.azure.com/#blade/HubsExtension/BrowseResource/resourceType/Microsoft.Network%2FexpressRouteCircuits)
\r\n✳️ [Named Locations](https://docs.microsoft.com/azure/active-directory/conditional-access/location-condition) 🔀[Azure AD Named Locations](https://portal.azure.com/#blade/Microsoft_AAD_IAM/NamedNetworksWithCountryBlade)
\r\n✳️ [Azure Front Door](https://azure.microsoft.com/services/frontdoor/) 🔀[Front Doors](https://portal.azure.com/#blade/Microsoft_Azure_Network/LoadBalancingHubMenuBlade/frontdoors)
\r\n✳️ [Network Security Groups](https://docs.microsoft.com/azure/virtual-network/network-security-groups-overview) 🔀[Network Security Groups](https://portal.azure.com/#blade/HubsExtension/BrowseResource/resourceType/Microsoft.Network%2FNetworkSecurityGroups)
\r\n✳️ [Azure Web Application Firewall]( https://azure.microsoft.com/services/web-application-firewall/) 🔀 [Web Application Firewall Policies](https://portal.azure.com/#blade/HubsExtension/BrowseResource/resourceType/Microsoft.Network%2FFrontDoorWebApplicationFirewallPolicies)
\r\n✳️ [Conditional Access](https://docs.microsoft.com/azure/active-directory/conditional-access/overview) 🔀[Azure Active Directory: Conditional Access](https://portal.azure.com/#blade/Microsoft_AAD_IAM/ConditionalAccessBlade/Policies)
\r\n\r\n## Recommended Logs\r\n🔷 [SecurityRecommendation](https://docs.microsoft.com/azure/defender-for-iot/how-to-security-data-access#security-recommendations) ✳️ [Microsoft Defender for Cloud](https://azure.microsoft.com/services/security-center/)
\r\n🔷 [Resources](https://docs.microsoft.com/azure/governance/resource-graph/samples/starter) ✳️ [Azure Resource Graph](https://azure.microsoft.com/features/resource-graph/)
\r\n\r\n\r\n## Implementation Guidance\r\n[Microsoft Technical Reference Guide for CMMC](https://aka.ms/cmmc/techrefguide)\r\n## NIST SP 800-171 Mapping\r\n[3.1.14](https://csrc.nist.gov/publications/detail/sp/800-171/rev-2/final) \r\n## NIST SP 800-53 R4 Mapping\r\n[AC-17(3)](https://csrc.nist.gov/publications/detail/sp/800-53/rev-4/final)\r\n## Microsoft Defender for Cloud: Regulatory Compliance\r\n[Go To: NIST SP 800-171 Assessment >](https://portal.azure.com/#blade/Microsoft_Azure_Security/SecurityMenuBlade/22)\r\n" + }, + "customWidth": "50", + "name": "text - 1", + "styleSettings": { + "margin": "2", + "padding": "2", + "maxWidth": "50%" + } + }, + { + "type": 3, + "content": { + "version": "KqlItem/1.0", + "query": "where type contains \"network\" \r\n| project id,type,resourceGroup\r\n| order by type asc\r\n", + "size": 0, + "showAnalytics": true, + "title": "Network Assets", + "noDataMessage": "An Empty Panel Provides Opportunity To Explore Further and Implement Hardening. Controls: Confirm Licensing, Availability, and Health of Respective Offerings. ", + "showExportToExcel": true, + "queryType": 1, + "resourceType": "microsoft.resourcegraph/resources", + "crossComponentResources": [ + "{Workspace}" + ], + "gridSettings": { + "formatters": [ + { + "columnMatch": "Rule", + "formatter": 18, + "formatOptions": { + "thresholdsOptions": "icons", + "thresholdsGrid": [ + { + "operator": "Default", + "thresholdValue": null, + "representation": "warning", + "text": "{0}{1}" + } + ] + } + }, + { + "columnMatch": "count_", + "formatter": 8, + "formatOptions": { + "palette": "yellowOrangeRed" + } + } + ], + "filter": true + } + }, + "customWidth": "50", + "name": "query - 4", + "styleSettings": { + "maxWidth": "50" + } + }, + { + "type": 12, + "content": { + "version": "NotebookGroup/1.0", + "groupType": "editable", + "items": [ + { + "type": 1, + "content": { + "json": "## Control Assessment\r\n" + }, + "name": "text - 2" + }, + { + "type": 9, + "content": { + "version": "KqlParameterItem/1.0", + "parameters": [ + { + "id": "52668f65-b44a-4e14-82d8-c87410e7e5dc", + "version": "KqlParameterItem/1.0", + "name": "ImplementationStatus", + "label": "Implementation Status", + "type": 2, + "typeSettings": { + "additionalResourceOptions": [], + "showDefault": false + }, + "jsonData": "[\r\n {\"value\": \"Not Implemented\", \"label\": \"Not Implemented\", \"selected\":true},\r\n {\"value\": \"Implemented\", \"label\": \"Implemented\"},\r\n {\"value\": \"Alternate Implementation\", \"label\": \"Alternate Implementation\"},\r\n {\"value\": \"Planned\", \"label\": \"Planned\"},\r\n {\"value\": \"Out of Scope\", \"label\": \"Out of Scope\"}\r\n]", + "timeContext": { + "durationMs": 86400000 + } + }, + { + "id": "578b8620-30b9-4b92-abc6-997998bc8156", + "version": "KqlParameterItem/1.0", + "name": "ImplementationDate", + "label": "Implementation Date", + "type": 1, + "value": "", + "timeContext": { + "durationMs": 86400000 + } + }, + { + "version": "KqlParameterItem/1.0", + "name": "Notes", + "type": 1, + "value": "", + "timeContext": { + "durationMs": 86400000 + }, + "id": "7bd0d384-d3c3-4c77-9dae-d75e823edfcf" + } + ], + "style": "pills", + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces" + }, + "name": "Status" + }, + { + "type": 1, + "content": { + "json": "### Notes
\r\n{Notes}" + }, + "name": "text - 1" + } + ] + }, + "customWidth": "50", + "name": "group - 2" + } + ] + }, + "name": "AC.L2-3.1.14", + "styleSettings": { + "showBorder": true + } + }, + { + "type": 12, + "content": { + "version": "NotebookGroup/1.0", + "groupType": "editable", + "items": [ + { + "type": 1, + "content": { + "json": "# [(AC.L2-3.1.15) Privileged Remote Access](https://docs.microsoft.com/azure/governance/policy/samples/cmmc-l3#authorize-remote-execution-of-privileged-commands-and-remote-access-to-security-relevant-information)\r\n\r\n## Primary Services\r\n✳️ [Azure Active Directory](https://azure.microsoft.com/services/active-directory/) 🔀[Azure Active Directory Portal](https://portal.azure.com/#blade/Microsoft_AAD_IAM/ActiveDirectoryMenuBlade/Overview)
\r\n✳️ [Azure AD Privileged Identity Management](https://docs.microsoft.com/azure/active-directory/privileged-identity-management/pim-getting-started) 🔀[Privileged Identity Management](https://portal.azure.com/#blade/Microsoft_Azure_PIMCommon/CommonMenuBlade/quickStart)
\r\n✳️ [Microsoft Defender for Cloud](https://azure.microsoft.com/services/security-center) 🔀[Microsoft Defender for Cloud](https://portal.azure.com/#blade/Microsoft_Azure_Security/SecurityMenuBlade/0)
\r\n\r\n## Secondary Services\r\n✳️ [Named Locations](https://docs.microsoft.com/azure/active-directory/conditional-access/location-condition) 🔀[Azure AD Named Locations](https://portal.azure.com/#blade/Microsoft_AAD_IAM/NamedNetworksWithCountryBlade)
\r\n✳️ [Virtual Machines](https://azure.microsoft.com/services/virtual-machines/) 🔀[Virtual Machines](https://portal.azure.com/#blade/HubsExtension/BrowseResource/resourceType/Microsoft.Compute%2FVirtualMachines)
\r\n✳️ [Conditional Access](https://docs.microsoft.com/azure/active-directory/conditional-access/overview) 🔀[Azure Active Directory: Conditional Access](https://portal.azure.com/#blade/Microsoft_AAD_IAM/ConditionalAccessBlade/Policies)
\r\n✳️ [Intune/Microsoft Endpoint Manager](https://www.microsoft.com/microsoft-365/microsoft-endpoint-Manager) 🔀[Microsoft Endpoint Manager Admin Center](https://endpoint.microsoft.com/#home)
\r\n\r\n## Recommended Logs\r\n🔷 [IdentityInfo](https://docs.microsoft.com/azure/azure-monitor/reference/tables/identityinfo)🔷 [SigninLogs](https://docs.microsoft.com/azure/azure-monitor/reference/tables/signinlogs) ✳️ [Azure Active Directory](https://azure.microsoft.com/services/active-directory/)
\r\n\r\n## Implementation Guidance\r\n[Microsoft Technical Reference Guide for CMMC](https://aka.ms/cmmc/techrefguide)\r\n## NIST SP 800-171 Mapping\r\n[3.1.15](https://csrc.nist.gov/publications/detail/sp/800-171/rev-2/final)
\r\n## NIST SP 800-53 R4 Mapping\r\n[AC-17(4)](https://csrc.nist.gov/publications/detail/sp/800-53/rev-4/final)\r\n## Microsoft Defender for Cloud: Regulatory Compliance\r\n[Go To: NIST SP 800-171 Assessment >](https://portal.azure.com/#blade/Microsoft_Azure_Security/SecurityMenuBlade/22)
\r\n" + }, + "customWidth": "50", + "name": "text - 1", + "styleSettings": { + "margin": "2", + "padding": "2", + "maxWidth": "50%" + } + }, + { + "type": 3, + "content": { + "version": "KqlItem/1.0", + "query": "IdentityInfo\r\n| extend Roles = strcat(AssignedRoles)\r\n| extend Groups = strcat(GroupMembership)\r\n| where Roles contains \"security\" or Groups contains \"security\" or Roles contains \"admin\" or Groups contains \"admin\"\r\n| extend UserPrincipalName = MailAddress\r\n| join (SigninLogs) on UserPrincipalName\r\n// where Location <> \"US\" // Exempt Non Remote Locations\r\n| extend UserProfile = strcat(\"https://portal.azure.com/#blade/Microsoft_AAD_IAM/UserDetailsMenuBlade/Profile/userId/\",UserPrincipalName)\r\n| distinct UserPrincipalName, UserProfile, Roles, Groups, UserType, Location, TimeGenerated\r\n| sort by TimeGenerated desc\r\n| limit 250\r\n\r\n\r\n", + "size": 0, + "showAnalytics": true, + "title": "Security/Admin Users by Location", + "noDataMessage": "An Empty Panel Provides Opportunity To Explore Further and Implement Hardening. Controls: Confirm Licensing, Availability, and Health of Respective Offerings. Logging: Confirm Log Source is Onboarded to the Log Analytics Workspace. Time: Adjust the Time Parameter for a Larger Data-Set. ", + "timeContext": { + "durationMs": 2592000000 + }, + "timeContextFromParameter": "TimeRange", + "showExportToExcel": true, + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces", + "crossComponentResources": [ + "{Workspace}" + ], + "gridSettings": { + "formatters": [ + { + "columnMatch": "UserPrincipalName", + "formatter": 18, + "formatOptions": { + "thresholdsOptions": "icons", + "thresholdsGrid": [ + { + "operator": "Default", + "thresholdValue": null, + "representation": "Person", + "text": "{0}{1}" + } + ] + } + }, + { + "columnMatch": "UserProfile", + "formatter": 7, + "formatOptions": { + "linkTarget": "Url", + "linkLabel": "Go To: AAD User Profile > " + } + }, + { + "columnMatch": "Location", + "formatter": 18, + "formatOptions": { + "thresholdsOptions": "icons", + "thresholdsGrid": [ + { + "operator": "Default", + "thresholdValue": null, + "representation": "Globe", + "text": "{0}{1}" + } + ] + } + }, + { + "columnMatch": "count_", + "formatter": 4, + "formatOptions": { + "palette": "blue" + } + } + ], + "filter": true + } + }, + "customWidth": "50", + "name": "query - 1" + }, + { + "type": 12, + "content": { + "version": "NotebookGroup/1.0", + "groupType": "editable", + "items": [ + { + "type": 1, + "content": { + "json": "## Control Assessment\r\n" + }, + "name": "text - 2" + }, + { + "type": 9, + "content": { + "version": "KqlParameterItem/1.0", + "parameters": [ + { + "id": "52668f65-b44a-4e14-82d8-c87410e7e5dc", + "version": "KqlParameterItem/1.0", + "name": "ImplementationStatus", + "label": "Implementation Status", + "type": 2, + "typeSettings": { + "additionalResourceOptions": [], + "showDefault": false + }, + "jsonData": "[\r\n {\"value\": \"Not Implemented\", \"label\": \"Not Implemented\", \"selected\":true},\r\n {\"value\": \"Implemented\", \"label\": \"Implemented\"},\r\n {\"value\": \"Alternate Implementation\", \"label\": \"Alternate Implementation\"},\r\n {\"value\": \"Planned\", \"label\": \"Planned\"},\r\n {\"value\": \"Out of Scope\", \"label\": \"Out of Scope\"}\r\n]", + "timeContext": { + "durationMs": 86400000 + } + }, + { + "id": "578b8620-30b9-4b92-abc6-997998bc8156", + "version": "KqlParameterItem/1.0", + "name": "ImplementationDate", + "label": "Implementation Date", + "type": 1, + "value": "", + "timeContext": { + "durationMs": 86400000 + } + }, + { + "version": "KqlParameterItem/1.0", + "name": "Notes", + "type": 1, + "value": "", + "timeContext": { + "durationMs": 86400000 + }, + "id": "7bd0d384-d3c3-4c77-9dae-d75e823edfcf" + } + ], + "style": "pills", + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces" + }, + "name": "Status" + }, + { + "type": 1, + "content": { + "json": "### Notes
\r\n{Notes}" + }, + "name": "text - 1" + } + ] + }, + "customWidth": "50", + "name": "group - 2" + } + ] + }, + "name": "AC.L2-3.1.15", + "styleSettings": { + "showBorder": true + } + }, + { + "type": 12, + "content": { + "version": "NotebookGroup/1.0", + "groupType": "editable", + "items": [ + { + "type": 1, + "content": { + "json": "# (AC.L2-3.1.16) Wireless Access Authorization\r\n\r\n## Primary Services\r\n✳️ [Intune/Microsoft Endpoint Manager](https://www.microsoft.com/microsoft-365/microsoft-endpoint-Manager) 🔀[Microsoft Endpoint Manager Admin Center](https://endpoint.microsoft.com/#home)
\r\n\r\n## Recommended Logs\r\n🔷 [SigninLogs](https://docs.microsoft.com/azure/azure-monitor/reference/tables/signinlogs) ✳️ [Azure Active Directory](https://azure.microsoft.com/services/active-directory/)
\r\n\r\n## Recommended Configuration\r\n💡 [Network Access Control (NAC)](https://docs.microsoft.com/mem/intune/protect/network-access-control-integrate)
\r\n💡 [Grant access to resources if devices are marked as compliant](https://docs.microsoft.com/azure/active-directory/conditional-access/)
\r\n💡 [Conditional Access with Intune](https://docs.microsoft.com/mem/intune/protect/conditional-access-intune-common-ways-use)\r\n\r\n## Implementation Guidance\r\n[Microsoft Technical Reference Guide for CMMC](https://aka.ms/cmmc/techrefguide)\r\n## NIST SP 800-171 Mapping\r\n[3.1.16](https://csrc.nist.gov/publications/detail/sp/800-171/rev-2/final) \r\n## NIST SP 800-53 R4 Mapping\r\n[AC-18](https://csrc.nist.gov/publications/detail/sp/800-53/rev-4/final)\r\n## Microsoft Defender for Cloud: Regulatory Compliance\r\n[Go To: NIST SP 800-171 Assessment >](https://portal.azure.com/#blade/Microsoft_Azure_Security/SecurityMenuBlade/22)" + }, + "customWidth": "50", + "name": "text - 1", + "styleSettings": { + "margin": "2", + "padding": "2", + "maxWidth": "50%" + } + }, + { + "type": 3, + "content": { + "version": "KqlItem/1.0", + "query": "SigninLogs\r\n| where DeviceDetail.isCompliant <> \"true\"\r\n| where DeviceDetail.isManaged == \"true\"\r\n| extend isCompliant = tostring(DeviceDetail.isCompliant)\r\n| extend isManaged = tostring(DeviceDetail.isManaged)\r\n| extend deviceId = tostring(DeviceDetail.deviceId)\r\n| extend trustType = tostring(DeviceDetail.trustType)\r\n| extend UserProfile = strcat(\"https://portal.azure.com/#blade/Microsoft_AAD_IAM/UserDetailsMenuBlade/Profile/userId/\",UserPrincipalName)\r\n| summarize count() by UserPrincipalName, UserProfile, isCompliant, isManaged, deviceId, trustType\r\n| sort by count_ desc\r\n\r\n\r\n\r\n\r\n", + "size": 0, + "showAnalytics": true, + "title": "Configure Network Access Control and Monitor Managed Device Compliance", + "noDataMessage": "An Empty Panel Provides Opportunity To Explore Further and Implement Hardening. Controls: Confirm Licensing, Availability, and Health of Respective Offerings. Logging: Confirm Log Source is Onboarded to the Log Analytics Workspace. Time: Adjust the Time Parameter for a Larger Data-Set. ", + "timeContext": { + "durationMs": 2592000000 + }, + "timeContextFromParameter": "TimeRange", + "showExportToExcel": true, + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces", + "crossComponentResources": [ + "{Workspace}" + ], + "gridSettings": { + "formatters": [ + { + "columnMatch": "UserPrincipalName", + "formatter": 18, + "formatOptions": { + "thresholdsOptions": "icons", + "thresholdsGrid": [ + { + "operator": "Default", + "thresholdValue": null, + "representation": "Person", + "text": "{0}{1}" + } + ] + } + }, + { + "columnMatch": "UserProfile", + "formatter": 7, + "formatOptions": { + "linkTarget": "Url", + "linkLabel": "Go To: AAD User Profile >" + } + }, + { + "columnMatch": "ConditionalAccessStatus", + "formatter": 18, + "formatOptions": { + "thresholdsOptions": "icons", + "thresholdsGrid": [ + { + "operator": "Default", + "thresholdValue": null, + "representation": "2", + "text": "{0}{1}" + } + ] + } + }, + { + "columnMatch": "count_", + "formatter": 4, + "formatOptions": { + "palette": "redBright" + } + } + ], + "filter": true + } + }, + "customWidth": "50", + "name": "query - 2" + }, + { + "type": 12, + "content": { + "version": "NotebookGroup/1.0", + "groupType": "editable", + "items": [ + { + "type": 1, + "content": { + "json": "## Control Assessment\r\n" + }, + "name": "text - 2" + }, + { + "type": 9, + "content": { + "version": "KqlParameterItem/1.0", + "parameters": [ + { + "id": "52668f65-b44a-4e14-82d8-c87410e7e5dc", + "version": "KqlParameterItem/1.0", + "name": "ImplementationStatus", + "label": "Implementation Status", + "type": 2, + "typeSettings": { + "additionalResourceOptions": [], + "showDefault": false + }, + "jsonData": "[\r\n {\"value\": \"Not Implemented\", \"label\": \"Not Implemented\", \"selected\":true},\r\n {\"value\": \"Implemented\", \"label\": \"Implemented\"},\r\n {\"value\": \"Alternate Implementation\", \"label\": \"Alternate Implementation\"},\r\n {\"value\": \"Planned\", \"label\": \"Planned\"},\r\n {\"value\": \"Out of Scope\", \"label\": \"Out of Scope\"}\r\n]", + "timeContext": { + "durationMs": 86400000 + } + }, + { + "id": "578b8620-30b9-4b92-abc6-997998bc8156", + "version": "KqlParameterItem/1.0", + "name": "ImplementationDate", + "label": "Implementation Date", + "type": 1, + "value": "", + "timeContext": { + "durationMs": 86400000 + } + }, + { + "version": "KqlParameterItem/1.0", + "name": "Notes", + "type": 1, + "value": "", + "timeContext": { + "durationMs": 86400000 + }, + "id": "7bd0d384-d3c3-4c77-9dae-d75e823edfcf" + } + ], + "style": "pills", + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces" + }, + "name": "Status" + }, + { + "type": 1, + "content": { + "json": "### Notes
\r\n{Notes}" + }, + "name": "text - 1" + } + ] + }, + "customWidth": "50", + "name": "group - 2" + } + ] + }, + "name": "AC.L2-3.1.16", + "styleSettings": { + "showBorder": true + } + }, + { + "type": 12, + "content": { + "version": "NotebookGroup/1.0", + "groupType": "editable", + "items": [ + { + "type": 1, + "content": { + "json": "# (AC.L2-3.1.17) Wireless Access Protection\r\n\r\n## Primary Services\r\n✳️ [Intune/Microsoft Endpoint Manager](https://www.microsoft.com/microsoft-365/microsoft-endpoint-Manager) 🔀[Microsoft Endpoint Manager Admin Center](https://endpoint.microsoft.com/#home)
\r\n\r\n## Recommended Logs\r\n🔷 [SigninLogs](https://docs.microsoft.com/azure/azure-monitor/reference/tables/signinlogs) ✳️ [Azure Active Directory](https://azure.microsoft.com/services/active-directory/)
\r\n\r\n## Recommended Configuration\r\n💡 [Use a Custom Device Profile to Create a WiFi Profile with a Pre-Shared Key in Intune](https://docs.microsoft.com/mem/intune/configuration/wi-fi-profile-shared-key)
\r\n💡 [Using NAC with Conditional Access & Intune](https://docs.microsoft.com/mem/intune/protect/conditional-access-intune-common-ways-use)\r\n\r\n## Implementation Guidance\r\n[Microsoft Technical Reference Guide for CMMC](https://aka.ms/cmmc/techrefguide)\r\n## NIST SP 800-171 Mapping\r\n[3.1.17](https://csrc.nist.gov/publications/detail/sp/800-171/rev-2/final) \r\n## NIST SP 800-53 R4 Mapping\r\n[AC-18(1)](https://csrc.nist.gov/publications/detail/sp/800-53/rev-4/final)\r\n## Microsoft Defender for Cloud: Regulatory Compliance\r\n[Go To: NIST SP 800-171 Assessment >](https://portal.azure.com/#blade/Microsoft_Azure_Security/SecurityMenuBlade/22)" + }, + "customWidth": "50", + "name": "text - 1", + "styleSettings": { + "margin": "2", + "padding": "2", + "maxWidth": "50%" + } + }, + { + "type": 3, + "content": { + "version": "KqlItem/1.0", + "query": "SigninLogs\r\n| where DeviceDetail.isCompliant <> \"true\"\r\n| where DeviceDetail.isManaged == \"true\"\r\n| extend isCompliant = tostring(DeviceDetail.isCompliant)\r\n| extend isManaged = tostring(DeviceDetail.isManaged)\r\n| extend deviceId = tostring(DeviceDetail.deviceId)\r\n| extend trustType = tostring(DeviceDetail.trustType)\r\n| extend UserProfile = strcat(\"https://portal.azure.com/#blade/Microsoft_AAD_IAM/UserDetailsMenuBlade/Profile/userId/\",UserPrincipalName)\r\n| summarize count() by UserPrincipalName, UserProfile, isCompliant, isManaged, deviceId, trustType\r\n| sort by count_ desc\r\n\r\n\r\n\r\n\r\n", + "size": 0, + "showAnalytics": true, + "title": "Configure Network Access Control and Monitor Managed Device Compliance", + "noDataMessage": "An Empty Panel Provides Opportunity To Explore Further and Implement Hardening. Controls: Confirm Licensing, Availability, and Health of Respective Offerings. Logging: Confirm Log Source is Onboarded to the Log Analytics Workspace. Time: Adjust the Time Parameter for a Larger Data-Set. ", + "timeContext": { + "durationMs": 2592000000 + }, + "timeContextFromParameter": "TimeRange", + "showExportToExcel": true, + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces", + "crossComponentResources": [ + "{Workspace}" + ], + "gridSettings": { + "formatters": [ + { + "columnMatch": "UserPrincipalName", + "formatter": 18, + "formatOptions": { + "thresholdsOptions": "icons", + "thresholdsGrid": [ + { + "operator": "Default", + "thresholdValue": null, + "representation": "Person", + "text": "{0}{1}" + } + ] + } + }, + { + "columnMatch": "UserProfile", + "formatter": 7, + "formatOptions": { + "linkTarget": "Url", + "linkLabel": "Go To: AAD User Profile >" + } + }, + { + "columnMatch": "ConditionalAccessStatus", + "formatter": 18, + "formatOptions": { + "thresholdsOptions": "icons", + "thresholdsGrid": [ + { + "operator": "Default", + "thresholdValue": null, + "representation": "2", + "text": "{0}{1}" + } + ] + } + }, + { + "columnMatch": "count_", + "formatter": 4, + "formatOptions": { + "palette": "redBright" + } + } + ], + "filter": true + } + }, + "customWidth": "50", + "name": "query - 2" + }, + { + "type": 12, + "content": { + "version": "NotebookGroup/1.0", + "groupType": "editable", + "items": [ + { + "type": 1, + "content": { + "json": "## Control Assessment\r\n" + }, + "name": "text - 2" + }, + { + "type": 9, + "content": { + "version": "KqlParameterItem/1.0", + "parameters": [ + { + "id": "52668f65-b44a-4e14-82d8-c87410e7e5dc", + "version": "KqlParameterItem/1.0", + "name": "ImplementationStatus", + "label": "Implementation Status", + "type": 2, + "typeSettings": { + "additionalResourceOptions": [], + "showDefault": false + }, + "jsonData": "[\r\n {\"value\": \"Not Implemented\", \"label\": \"Not Implemented\", \"selected\":true},\r\n {\"value\": \"Implemented\", \"label\": \"Implemented\"},\r\n {\"value\": \"Alternate Implementation\", \"label\": \"Alternate Implementation\"},\r\n {\"value\": \"Planned\", \"label\": \"Planned\"},\r\n {\"value\": \"Out of Scope\", \"label\": \"Out of Scope\"}\r\n]", + "timeContext": { + "durationMs": 86400000 + } + }, + { + "id": "578b8620-30b9-4b92-abc6-997998bc8156", + "version": "KqlParameterItem/1.0", + "name": "ImplementationDate", + "label": "Implementation Date", + "type": 1, + "value": "", + "timeContext": { + "durationMs": 86400000 + } + }, + { + "version": "KqlParameterItem/1.0", + "name": "Notes", + "type": 1, + "value": "", + "timeContext": { + "durationMs": 86400000 + }, + "id": "7bd0d384-d3c3-4c77-9dae-d75e823edfcf" + } + ], + "style": "pills", + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces" + }, + "name": "Status" + }, + { + "type": 1, + "content": { + "json": "### Notes
\r\n{Notes}" + }, + "name": "text - 1" + } + ] + }, + "customWidth": "50", + "name": "group - 2" + } + ] + }, + "name": "AC.L2-3.1.17", + "styleSettings": { + "showBorder": true + } + }, + { + "type": 12, + "content": { + "version": "NotebookGroup/1.0", + "groupType": "editable", + "items": [ + { + "type": 1, + "content": { + "json": "# (AC.L2-3.1.18) Mobile Device Connection\r\n\r\n## Primary Services\r\n✳️ [Intune/Microsoft Endpoint Manager](https://www.microsoft.com/microsoft-365/microsoft-endpoint-Manager) 🔀[Microsoft Endpoint Manager Admin Center](https://endpoint.microsoft.com/#home)
\r\n\r\n## Secondary Services\r\n✳️ [Conditional Access](https://docs.microsoft.com/azure/active-directory/conditional-access/overview) 🔀[Azure Active Directory: Conditional Access](https://portal.azure.com/#blade/Microsoft_AAD_IAM/ConditionalAccessBlade/Policies)
\r\n\r\n## Recommended Logs\r\n🔷 [SigninLogs](https://docs.microsoft.com/azure/azure-monitor/reference/tables/signinlogs) ✳️ [Azure Active Directory](https://azure.microsoft.com/services/active-directory/)
\r\n\r\n## Implementation Guidance\r\n[Microsoft Technical Reference Guide for CMMC](https://aka.ms/cmmc/techrefguide)\r\n## NIST SP 800-171 Mapping\r\n[3.1.18](https://csrc.nist.gov/publications/detail/sp/800-171/rev-2/final)
\r\n## NIST SP 800-53 R4 Mapping\r\n[AC-19](https://csrc.nist.gov/publications/detail/sp/800-53/rev-4/final)\r\n## Microsoft Defender for Cloud: Regulatory Compliance\r\n[Go To: NIST SP 800-171 Assessment >](https://portal.azure.com/#blade/Microsoft_Azure_Security/SecurityMenuBlade/22)
\r\n" + }, + "customWidth": "50", + "name": "text - 1", + "styleSettings": { + "margin": "2", + "padding": "2", + "maxWidth": "50%" + } + }, + { + "type": 3, + "content": { + "version": "KqlItem/1.0", + "query": "SigninLogs\r\n| extend OperatingSystem = tostring(DeviceDetail.operatingSystem)\r\n| extend Browser = tostring(DeviceDetail.browser)\r\n| where OperatingSystem contains \"Android\" or OperatingSystem contains \"iOS\"\r\n| extend UserProfile = strcat(\"https://portal.azure.com/#blade/Microsoft_AAD_IAM/UserDetailsMenuBlade/Profile/userId/\",UserPrincipalName)\r\n| summarize count() by UserPrincipalName, UserProfile, OperatingSystem, Browser, AppDisplayName, IPAddress, Location\r\n| sort by count_ desc", + "size": 0, + "showAnalytics": true, + "title": "Mobile Device Access", + "noDataMessage": "An Empty Panel Provides Opportunity To Explore Further and Implement Hardening. Controls: Confirm Licensing, Availability, and Health of Respective Offerings. Logging: Confirm Log Source is Onboarded to the Log Analytics Workspace. Time: Adjust the Time Parameter for a Larger Data-Set. ", + "timeContext": { + "durationMs": 2592000000 + }, + "timeContextFromParameter": "TimeRange", + "showExportToExcel": true, + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces", + "crossComponentResources": [ + "{Workspace}" + ], + "gridSettings": { + "formatters": [ + { + "columnMatch": "UserPrincipalName", + "formatter": 18, + "formatOptions": { + "thresholdsOptions": "icons", + "thresholdsGrid": [ + { + "operator": "Default", + "thresholdValue": null, + "representation": "Person", + "text": "{0}{1}" + } + ] + } + }, + { + "columnMatch": "UserProfile", + "formatter": 7, + "formatOptions": { + "linkTarget": "Url", + "linkLabel": "Go To: AAD User Profile > " + } + }, + { + "columnMatch": "Location", + "formatter": 18, + "formatOptions": { + "thresholdsOptions": "icons", + "thresholdsGrid": [ + { + "operator": "Default", + "thresholdValue": null, + "representation": "Person", + "text": "{0}{1}" + } + ] + } + }, + { + "columnMatch": "count_", + "formatter": 4, + "formatOptions": { + "palette": "blue" + } + } + ], + "filter": true + } + }, + "customWidth": "50", + "name": "query - 1" + }, + { + "type": 12, + "content": { + "version": "NotebookGroup/1.0", + "groupType": "editable", + "items": [ + { + "type": 1, + "content": { + "json": "## Control Assessment\r\n" + }, + "name": "text - 2" + }, + { + "type": 9, + "content": { + "version": "KqlParameterItem/1.0", + "parameters": [ + { + "id": "52668f65-b44a-4e14-82d8-c87410e7e5dc", + "version": "KqlParameterItem/1.0", + "name": "ImplementationStatus", + "label": "Implementation Status", + "type": 2, + "typeSettings": { + "additionalResourceOptions": [], + "showDefault": false + }, + "jsonData": "[\r\n {\"value\": \"Not Implemented\", \"label\": \"Not Implemented\", \"selected\":true},\r\n {\"value\": \"Implemented\", \"label\": \"Implemented\"},\r\n {\"value\": \"Alternate Implementation\", \"label\": \"Alternate Implementation\"},\r\n {\"value\": \"Planned\", \"label\": \"Planned\"},\r\n {\"value\": \"Out of Scope\", \"label\": \"Out of Scope\"}\r\n]", + "timeContext": { + "durationMs": 86400000 + } + }, + { + "id": "578b8620-30b9-4b92-abc6-997998bc8156", + "version": "KqlParameterItem/1.0", + "name": "ImplementationDate", + "label": "Implementation Date", + "type": 1, + "value": "", + "timeContext": { + "durationMs": 86400000 + } + }, + { + "version": "KqlParameterItem/1.0", + "name": "Notes", + "type": 1, + "value": "", + "timeContext": { + "durationMs": 86400000 + }, + "id": "7bd0d384-d3c3-4c77-9dae-d75e823edfcf" + } + ], + "style": "pills", + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces" + }, + "name": "Status" + }, + { + "type": 1, + "content": { + "json": "### Notes
\r\n{Notes}" + }, + "name": "text - 1" + } + ] + }, + "customWidth": "50", + "name": "group - 2" + } + ] + }, + "name": "AC.L2-3.1.18", + "styleSettings": { + "showBorder": true + } + }, + { + "type": 12, + "content": { + "version": "NotebookGroup/1.0", + "groupType": "editable", + "items": [ + { + "type": 1, + "content": { + "json": "# (AC.L2-3.1.19) Encrypt CUI on Mobile\r\n\r\n## Primary Services\r\n✳️ [Conditional Access](https://docs.microsoft.com/azure/active-directory/conditional-access/overview) 🔀[Azure Active Directory: Conditional Access](https://portal.azure.com/#blade/Microsoft_AAD_IAM/ConditionalAccessBlade/Policies)
\r\n✳️ [Intune/Microsoft Endpoint Manager](https://www.microsoft.com/microsoft-365/microsoft-endpoint-Manager) 🔀[Microsoft Endpoint Manager Admin Center](https://endpoint.microsoft.com/#home)
\r\n\r\n## Recommended Logs\r\n🔷 [SigninLogs](https://docs.microsoft.com/azure/azure-monitor/reference/tables/signinlogs) ✳️ [Azure Active Directory](https://azure.microsoft.com/services/active-directory/)
\r\n\r\n## Recommended Configurations\r\n💡 [How to Create and Assign App Protection Policies](https://docs.microsoft.com/mem/intune/apps/app-protection-policies)
\r\n💡 [App Protection Policies Overview](https://docs.microsoft.com/mem/intune/apps/app-protection-policy)
\r\n💡 [Microsoft Intune Protected Apps](https://docs.microsoft.com/mem/intune/apps/apps-supported-intune-apps)
\r\n💡 [Data Protection Framework Using App Protection Policies](https://docs.microsoft.com/mem/intune/apps/app-protection-framework)
\r\n\r\n## Implementation Guidance\r\n[Microsoft Technical Reference Guide for CMMC](https://aka.ms/cmmc/techrefguide)\r\n## NIST SP 800-171 Mapping\r\n[3.1.19](https://csrc.nist.gov/publications/detail/sp/800-171/rev-2/final)
\r\n## NIST SP 800-53 R4 Mapping\r\n[AC-19(5)](https://csrc.nist.gov/publications/detail/sp/800-53/rev-4/final)\r\n## Microsoft Defender for Cloud: Regulatory Compliance\r\n[Go To: NIST SP 800-171 Assessment >](https://portal.azure.com/#blade/Microsoft_Azure_Security/SecurityMenuBlade/22)
\r\n" + }, + "customWidth": "50", + "name": "text - 1", + "styleSettings": { + "margin": "2", + "padding": "2", + "maxWidth": "50%" + } + }, + { + "type": 3, + "content": { + "version": "KqlItem/1.0", + "query": "//Configure Azure Active Direcotry Terms of Use: https://docs.microsoft.com/azure/active-directory/conditional-access/terms-of-use#add-terms-of-use\r\nlet nonInteractive = AADNonInteractiveUserSignInLogs\r\n| extend LocationDetails = parse_json(LocationDetails)\r\n| extend Status = parse_json(Status)\r\n| extend ConditionalAccessPolicies = parse_json(ConditionalAccessPolicies);\r\nlet data = \r\nunion SigninLogs,nonInteractive\r\n|extend CAStatus = case(ConditionalAccessStatus == \"failure\", \"Failed\", \r\n ConditionalAccessStatus == \"notApplied\", \"Not applied\", \r\n isempty(ConditionalAccessStatus), \"Not applied\", \r\n \"Disabled\")\r\n|mvexpand ConditionalAccessPolicies\r\n| extend Conditional_AccessPolicies = strcat(ConditionalAccessPolicies.displayName)\r\n|extend CAGrantControlName = tostring(ConditionalAccessPolicies.enforcedGrantControls[0]);\r\ndata\r\n| where CAGrantControlName <> \"\"\r\n| extend UserProfile = strcat(\"https://portal.azure.com/#blade/Microsoft_AAD_IAM/UserDetailsMenuBlade/Profile/userId/\",UserPrincipalName)\r\n| summarize count() by UserPrincipalName, UserProfile, AppDisplayName, Conditional_AccessPolicies, ConditionalAccessStatus\r\n| sort by count_ desc\r\n| limit 250\r\n", + "size": 0, + "showAnalytics": true, + "title": "Configure App Protection Policy and Monitor Conditional Access Policies", + "noDataMessage": "An Empty Panel Provides Opportunity To Explore Further and Implement Hardening. Controls: Confirm Licensing, Availability, and Health of Respective Offerings. Logging: Confirm Log Source is Onboarded to the Log Analytics Workspace. Time: Adjust the Time Parameter for a Larger Data-Set. ", + "timeContext": { + "durationMs": 2592000000 + }, + "timeContextFromParameter": "TimeRange", + "showExportToExcel": true, + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces", + "crossComponentResources": [ + "{Workspace}" + ], + "gridSettings": { + "formatters": [ + { + "columnMatch": "UserPrincipalName", + "formatter": 18, + "formatOptions": { + "thresholdsOptions": "icons", + "thresholdsGrid": [ + { + "operator": "Default", + "thresholdValue": null, + "representation": "Person", + "text": "{0}{1}" + } + ] + } + }, + { + "columnMatch": "UserProfile", + "formatter": 7, + "formatOptions": { + "linkTarget": "Url", + "linkLabel": "Go To: AAD User Profile >" + } + }, + { + "columnMatch": "ConditionalAccessStatus", + "formatter": 18, + "formatOptions": { + "thresholdsOptions": "icons", + "thresholdsGrid": [ + { + "operator": "Default", + "thresholdValue": null, + "representation": "2", + "text": "{0}{1}" + } + ] + } + }, + { + "columnMatch": "count_", + "formatter": 4, + "formatOptions": { + "palette": "redBright" + } + } + ], + "filter": true + } + }, + "customWidth": "50", + "name": "query - 2" + }, + { + "type": 12, + "content": { + "version": "NotebookGroup/1.0", + "groupType": "editable", + "items": [ + { + "type": 1, + "content": { + "json": "## Control Assessment\r\n" + }, + "name": "text - 2" + }, + { + "type": 9, + "content": { + "version": "KqlParameterItem/1.0", + "parameters": [ + { + "id": "52668f65-b44a-4e14-82d8-c87410e7e5dc", + "version": "KqlParameterItem/1.0", + "name": "ImplementationStatus", + "label": "Implementation Status", + "type": 2, + "typeSettings": { + "additionalResourceOptions": [], + "showDefault": false + }, + "jsonData": "[\r\n {\"value\": \"Not Implemented\", \"label\": \"Not Implemented\", \"selected\":true},\r\n {\"value\": \"Implemented\", \"label\": \"Implemented\"},\r\n {\"value\": \"Alternate Implementation\", \"label\": \"Alternate Implementation\"},\r\n {\"value\": \"Planned\", \"label\": \"Planned\"},\r\n {\"value\": \"Out of Scope\", \"label\": \"Out of Scope\"}\r\n]", + "timeContext": { + "durationMs": 86400000 + } + }, + { + "id": "578b8620-30b9-4b92-abc6-997998bc8156", + "version": "KqlParameterItem/1.0", + "name": "ImplementationDate", + "label": "Implementation Date", + "type": 1, + "value": "", + "timeContext": { + "durationMs": 86400000 + } + }, + { + "version": "KqlParameterItem/1.0", + "name": "Notes", + "type": 1, + "value": "", + "timeContext": { + "durationMs": 86400000 + }, + "id": "7bd0d384-d3c3-4c77-9dae-d75e823edfcf" + } + ], + "style": "pills", + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces" + }, + "name": "Status" + }, + { + "type": 1, + "content": { + "json": "### Notes
\r\n{Notes}" + }, + "name": "text - 1" + } + ] + }, + "customWidth": "50", + "name": "group - 2" + } + ] + }, + "name": "AC.L2-3.1.19", + "styleSettings": { + "showBorder": true + } + }, + { + "type": 12, + "content": { + "version": "NotebookGroup/1.0", + "groupType": "editable", + "items": [ + { + "type": 1, + "content": { + "json": "# (AC.L2-3.1.21) Portable Storage Use\r\n\r\n## Primary Services\r\n✳️ [Intune/Microsoft Endpoint Manager](https://www.microsoft.com/microsoft-365/microsoft-endpoint-Manager) 🔀[Microsoft Endpoint Manager Admin Center](https://endpoint.microsoft.com/#home)
\r\n\r\n## Secondary Services\r\n✳️ [Named Locations](https://docs.microsoft.com/azure/active-directory/conditional-access/location-condition) 🔀[Azure AD Named Locations](https://portal.azure.com/#blade/Microsoft_AAD_IAM/NamedNetworksWithCountryBlade)
\r\n\r\n## Recommended Configuration\r\n💡 [How to Control USB Devices and Other Removable Media Using Microsoft Intune](https://docs.microsoft.com/windows/security/threat-protection/device-control/control-usb-devices-using-intune)
\r\n\r\n## Implementation Guidance\r\n[Microsoft Technical Reference Guide for CMMC](https://aka.ms/cmmc/techrefguide)\r\n## NIST SP 800-171 Mapping\r\n[3.1.21](https://csrc.nist.gov/publications/detail/sp/800-171/rev-2/final) \r\n## NIST SP 800-53 R4 Mapping\r\n[AC-20(2)](https://csrc.nist.gov/publications/detail/sp/800-53/rev-4/final)\r\n## Microsoft Defender for Cloud: Regulatory Compliance\r\n[Go To: NIST SP 800-171 Assessment >](https://portal.azure.com/#blade/Microsoft_Azure_Security/SecurityMenuBlade/22)" + }, + "customWidth": "50", + "name": "text - 1", + "styleSettings": { + "margin": "2", + "padding": "2", + "maxWidth": "50%" + } + }, + { + "type": 3, + "content": { + "version": "KqlItem/1.0", + "query": "DeviceEvents\r\n| where InitiatingProcessFolderPath <> \"\" \r\n| where InitiatingProcessFolderPath !contains \"c:\" or ActionType contains \"usb\"\r\n| summarize count() by DeviceName, ActionType, AccountName, InitiatingProcessFolderPath\r\n| sort by count_ desc\r\n| limit 250\r\n\r\n", + "size": 0, + "showAnalytics": true, + "title": "Monitor Portable Storage Devices", + "noDataMessage": "An Empty Panel Provides Opportunity To Explore Further and Implement Hardening. Controls: Confirm Licensing, Availability, and Health of Respective Offerings. Logging: Confirm Log Source is Onboarded to the Log Analytics Workspace. Time: Adjust the Time Parameter for a Larger Data-Set. ", + "timeContext": { + "durationMs": 2592000000 + }, + "timeContextFromParameter": "TimeRange", + "showExportToExcel": true, + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces", + "crossComponentResources": [ + "{Workspace}" + ], + "gridSettings": { + "formatters": [ + { + "columnMatch": "DeviceName", + "formatter": 18, + "formatOptions": { + "thresholdsOptions": "icons", + "thresholdsGrid": [ + { + "operator": "Default", + "thresholdValue": null, + "representation": "resource", + "text": "{0}{1}" + } + ] + } + }, + { + "columnMatch": "AccountName", + "formatter": 18, + "formatOptions": { + "thresholdsOptions": "icons", + "thresholdsGrid": [ + { + "operator": "is Empty", + "text": "{0}{1}" + }, + { + "operator": "Default", + "thresholdValue": null, + "representation": "Person", + "text": "{0}{1}" + } + ] + } + }, + { + "columnMatch": "count_", + "formatter": 4, + "formatOptions": { + "palette": "yellow" + } + } + ], + "filter": true + } + }, + "customWidth": "50", + "name": "query - 3", + "styleSettings": { + "maxWidth": "50" + } + }, + { + "type": 12, + "content": { + "version": "NotebookGroup/1.0", + "groupType": "editable", + "items": [ + { + "type": 1, + "content": { + "json": "## Control Assessment\r\n" + }, + "name": "text - 2" + }, + { + "type": 9, + "content": { + "version": "KqlParameterItem/1.0", + "parameters": [ + { + "id": "52668f65-b44a-4e14-82d8-c87410e7e5dc", + "version": "KqlParameterItem/1.0", + "name": "ImplementationStatus", + "label": "Implementation Status", + "type": 2, + "typeSettings": { + "additionalResourceOptions": [], + "showDefault": false + }, + "jsonData": "[\r\n {\"value\": \"Not Implemented\", \"label\": \"Not Implemented\", \"selected\":true},\r\n {\"value\": \"Implemented\", \"label\": \"Implemented\"},\r\n {\"value\": \"Alternate Implementation\", \"label\": \"Alternate Implementation\"},\r\n {\"value\": \"Planned\", \"label\": \"Planned\"},\r\n {\"value\": \"Out of Scope\", \"label\": \"Out of Scope\"}\r\n]", + "timeContext": { + "durationMs": 86400000 + } + }, + { + "id": "578b8620-30b9-4b92-abc6-997998bc8156", + "version": "KqlParameterItem/1.0", + "name": "ImplementationDate", + "label": "Implementation Date", + "type": 1, + "value": "", + "timeContext": { + "durationMs": 86400000 + } + }, + { + "version": "KqlParameterItem/1.0", + "name": "Notes", + "type": 1, + "value": "", + "timeContext": { + "durationMs": 86400000 + }, + "id": "7bd0d384-d3c3-4c77-9dae-d75e823edfcf" + } + ], + "style": "pills", + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces" + }, + "name": "Status" + }, + { + "type": 1, + "content": { + "json": "### Notes
\r\n{Notes}" + }, + "name": "text - 1" + } + ] + }, + "customWidth": "50", + "name": "group - 2" + } + ] + }, + "name": "AC.L2-3.1.21", + "styleSettings": { + "showBorder": true + } + } + ] + }, + "conditionalVisibility": { + "parameterName": "isML2Visible", + "comparison": "isEqualTo", + "value": "true" + }, + "name": "Level 2: Advanced" + } + ] + }, + "conditionalVisibility": { + "parameterName": "isACVisible", + "comparison": "isEqualTo", + "value": "true" + }, + "name": "Access Control Group", + "styleSettings": { + "showBorder": true + } + }, + { + "type": 12, + "content": { + "version": "NotebookGroup/1.0", + "groupType": "editable", + "items": [ + { + "type": 1, + "content": { + "json": "# Awareness & Training\r\n---\r\nAwareness & Training is focused on controlling human access to systems, networks, and assets. Personnel Security includes considerations for screening individuals with access to Controlled Unclassified Information (CUI) and protection of such data after personnel actions such as terminations or transfers. For more information, see the 💡[CMMC Model](https://www.acq.osd.mil/cmmc/model.html)" + }, + "customWidth": "50", + "name": "text - 5" + }, + { + "type": 12, + "content": { + "version": "NotebookGroup/1.0", + "groupType": "editable", + "title": "Level 2: Advanced", + "items": [ + { + "type": 1, + "content": { + "json": "A subset of programs with Level 2 (“Advanced”) requirements do not involve information critical to national security, and associated contractors will only be required to conduct self-assessments. Once CMMC 2.0 is implemented, contractors will be required to obtain a third-party CMMC assessment for a subset of acquisitions requiring Level 2 (“Advanced”) cybersecurity standards that involve information critical to national security." + }, + "customWidth": "50", + "name": "text - 1" + }, + { + "type": 1, + "content": { + "json": "" + }, + "customWidth": "5", + "name": "text - 1" + }, + { + "type": 11, + "content": { + "version": "LinkItem/1.0", + "style": "list", + "links": [ + { + "id": "af33f331-b64b-4fbd-a0b4-3e411ff705a8", + "cellValue": "AT.2.056 > AT.3.058", + "linkTarget": "step", + "linkLabel": "✳️ (AT.L2-3.2.1) Role-Based Risk Awareness", + "preText": "", + "postText": "", + "style": "link" + }, + { + "id": "3e97829b-9622-49ce-8991-efc8e4d0ce47", + "cellValue": "AT.2.056 > AT.3.058", + "linkTarget": "step", + "linkLabel": "✳️ (AT.L2-3.2.2) Role-Based Training", + "preText": "", + "style": "link" + }, + { + "id": "68d97a98-0320-42d5-93c0-2746fd2848c4", + "cellValue": "AT.2.056 > AT.3.058", + "linkTarget": "step", + "linkLabel": "✳️ (AT.L2-3.2.3) Insider Threat Awareness", + "preText": "", + "style": "link" + } + ] + }, + "customWidth": "40", + "name": "ML2 Steps" + }, + { + "type": 12, + "content": { + "version": "NotebookGroup/1.0", + "groupType": "editable", + "items": [ + { + "type": 1, + "content": { + "json": "## (AT.L2-3.2.1) Role-Based Risk Awareness
\r\n## (AT.L2-3.2.2) Role-Based Training
\r\n## (AT.L2-3.2.3) Insider Threat Awareness
\r\n\r\n## Recommended Resources\r\n💡 [Microsoft Certified: Security Operations Analyst Associate](https://docs.microsoft.com/learn/certifications/security-operations-analyst)
\r\n💡 [Learn Microsoft Sentinel on Microsoft Learn](https://techcommunity.microsoft.com/t5/itops-talk-blog/learn-azure-sentinel-on-microsoft-learn/ba-p/2006346)
\r\n💡 [Microsoft Sentinel Ninja Training Knowledge Check](https://techcommunity.microsoft.com/t5/azure-sentinel/what-s-new-azure-sentinel-ninja-training-knowledge-check/ba-p/2677696)
\r\n💡 [Manage Insider Risk](https://docs.microsoft.com/learn/modules/m365-compliance-insider-manage-insider-risk/)
\r\n💡 [Get Started Using Attack Simulation Training](https://docs.microsoft.com/microsoft-365/security/office-365-security/attack-simulation-training-get-started)
\r\n💡 [SimuLand: Understand adversary tradecraft and improve detection strategies](https://www.microsoft.com/security/blog/2021/05/20/simuland-understand-adversary-tradecraft-and-improve-detection-strategies/)
\r\n\r\n## Implementation Guidance\r\n[Microsoft Technical Reference Guide for CMMC](https://aka.ms/cmmc/techrefguide)
\r\n## NIST SP 800-171 Mapping\r\n[3.2.1, 3.2.2, 3.2.3](https://csrc.nist.gov/publications/detail/sp/800-171/rev-2/final)
\r\n## NIST SP 800-53 R4 Mapping\r\n[AT-2, AT-2(2), AT-3](https://csrc.nist.gov/publications/detail/sp/800-53/rev-4/final)\r\n## Microsoft Defender for Cloud: Regulatory Compliance\r\n[Go To: NIST SP 800-171 Assessment >](https://portal.azure.com/#blade/Microsoft_Azure_Security/SecurityMenuBlade/22)
\r\n" + }, + "customWidth": "50", + "name": "text - 0", + "styleSettings": { + "maxWidth": "50" + } + }, + { + "type": 1, + "content": { + "json": "### Leverage Microsoft Learn for Role-Based Training for Security Professionals \r\n![Image Name](https://docs.microsoft.com/media/learn/home/hero_background_light.svg?branch=main) \r\n[Go To: Microsoft Learn >](https://docs.microsoft.com/learn/)" + }, + "customWidth": "50", + "name": "text - 1", + "styleSettings": { + "maxWidth": "50" + } + }, + { + "type": 12, + "content": { + "version": "NotebookGroup/1.0", + "groupType": "editable", + "items": [ + { + "type": 1, + "content": { + "json": "## Control Assessment\r\n" + }, + "name": "text - 2" + }, + { + "type": 9, + "content": { + "version": "KqlParameterItem/1.0", + "parameters": [ + { + "id": "52668f65-b44a-4e14-82d8-c87410e7e5dc", + "version": "KqlParameterItem/1.0", + "name": "ImplementationStatus", + "label": "Implementation Status", + "type": 2, + "typeSettings": { + "additionalResourceOptions": [], + "showDefault": false + }, + "jsonData": "[\r\n {\"value\": \"Not Implemented\", \"label\": \"Not Implemented\", \"selected\":true},\r\n {\"value\": \"Implemented\", \"label\": \"Implemented\"},\r\n {\"value\": \"Alternate Implementation\", \"label\": \"Alternate Implementation\"},\r\n {\"value\": \"Planned\", \"label\": \"Planned\"},\r\n {\"value\": \"Out of Scope\", \"label\": \"Out of Scope\"}\r\n]", + "timeContext": { + "durationMs": 86400000 + } + }, + { + "id": "578b8620-30b9-4b92-abc6-997998bc8156", + "version": "KqlParameterItem/1.0", + "name": "ImplementationDate", + "label": "Implementation Date", + "type": 1, + "value": "", + "timeContext": { + "durationMs": 86400000 + } + }, + { + "version": "KqlParameterItem/1.0", + "name": "Notes", + "type": 1, + "value": "", + "timeContext": { + "durationMs": 86400000 + }, + "id": "7bd0d384-d3c3-4c77-9dae-d75e823edfcf" + } + ], + "style": "pills", + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces" + }, + "name": "Status" + }, + { + "type": 1, + "content": { + "json": "### Notes
\r\n{Notes}" + }, + "name": "text - 1" + } + ] + }, + "customWidth": "50", + "name": "group - 2" + } + ] + }, + "name": "AT.L2-3.2.1", + "styleSettings": { + "showBorder": true + } + } + ] + }, + "conditionalVisibility": { + "parameterName": "isML2Visible", + "comparison": "isEqualTo", + "value": "true" + }, + "name": "Level 2: Advanced" + } + ] + }, + "conditionalVisibility": { + "parameterName": "isATVisible", + "comparison": "isEqualTo", + "value": "true" + }, + "name": "Awareness & Training Group", + "styleSettings": { + "showBorder": true + } + }, + { + "type": 12, + "content": { + "version": "NotebookGroup/1.0", + "groupType": "editable", + "items": [ + { + "type": 1, + "content": { + "json": "# Audit & Accountability\r\n---\r\nAudit & Accountability involves the evaluation of configurable security and logging options to help identify gaps in security policies and mechanisms. For more information, see the 💡[CMMC Model](https://www.acq.osd.mil/cmmc/model.html)" + }, + "customWidth": "50", + "name": "text - 5" + }, + { + "type": 12, + "content": { + "version": "NotebookGroup/1.0", + "groupType": "editable", + "title": "Level 2: Advanced", + "items": [ + { + "type": 1, + "content": { + "json": "A subset of programs with Level 2 (“Advanced”) requirements do not involve information critical to national security, and associated contractors will only be required to conduct self-assessments. Once CMMC 2.0 is implemented, contractors will be required to obtain a third-party CMMC assessment for a subset of acquisitions requiring Level 2 (“Advanced”) cybersecurity standards that involve information critical to national security. " + }, + "customWidth": "50", + "name": "text - 1" + }, + { + "type": 1, + "content": { + "json": "" + }, + "customWidth": "5", + "name": "text - 1" + }, + { + "type": 11, + "content": { + "version": "LinkItem/1.0", + "style": "list", + "links": [ + { + "id": "af33f331-b64b-4fbd-a0b4-3e411ff705a8", + "cellValue": "AU.L2-3.3.1", + "linkTarget": "step", + "linkLabel": "✳️ (AU.L2-3.3.1) System Auditing", + "preText": "", + "postText": "", + "style": "link" + }, + { + "id": "cca4d1e8-e1e2-4b1d-9b8a-698e6496924c", + "cellValue": "AU.L2-3.3.2", + "linkTarget": "step", + "linkLabel": "✳️ (AU.L2-3.3.2) User Accountability", + "preText": "", + "postText": "", + "style": "link" + }, + { + "id": "f7074cad-e2ec-4a2c-84d1-7b33b14d4c04", + "cellValue": "AU.L2-3.3.3", + "linkTarget": "step", + "linkLabel": " ✳️ (AU.L2-3.3.3) Event Review", + "preText": "", + "postText": "", + "style": "link" + }, + { + "id": "2330d01a-9cdd-4486-a148-156a24d62535", + "cellValue": "AU.L2-3.3.4", + "linkTarget": "step", + "linkLabel": "✳️ (AU.L2-3.3.4) Audit Failure Alerting", + "preText": "", + "style": "link" + }, + { + "id": "a1cb27d3-1fc8-45be-8a67-d253368869cb", + "cellValue": "AU.L2-3.3.5", + "linkTarget": "step", + "linkLabel": "✳️ (AU.L2-3.3.5) Audit Correlation", + "preText": "", + "style": "link" + }, + { + "id": "58ab732e-ca0f-4f13-875b-a7ea41eaf347", + "cellValue": "AU.L2-3.3.6", + "linkTarget": "step", + "linkLabel": "✳️ (AU.L2-3.3.6) Reduction & Reporting", + "preText": "", + "style": "link" + }, + { + "id": "d67fe4ab-25ad-43d8-89db-aeafe0ea81a9", + "cellValue": "AU.L2-3.3.7", + "linkTarget": "step", + "linkLabel": "✳️ (AU.L2-3.3.7) Authoritative Time Source", + "preText": "", + "style": "link" + }, + { + "id": "86b54b81-210b-4f01-8cec-929d1b3615e0", + "cellValue": "AU.L2-3.3.8", + "linkTarget": "step", + "linkLabel": "✳️ (AU.L2-3.3.8) Audit Protection", + "preText": "", + "style": "link" + }, + { + "id": "a669d2e2-de0b-40c5-8d93-e521c8191510", + "cellValue": "AU.L2-3.3.9", + "linkTarget": "step", + "linkLabel": "✳️ (AU.L2-3.3.9) Audit Management", + "preText": "", + "style": "link" + } + ] + }, + "customWidth": "40", + "name": "ML2 Steps" + }, + { + "type": 12, + "content": { + "version": "NotebookGroup/1.0", + "groupType": "editable", + "items": [ + { + "type": 1, + "content": { + "json": "# [(AU.L2-3.3.1) System Auditing](https://docs.microsoft.com/azure/governance/policy/samples/cmmc-l3#create-and-retain-system-audit-logs-and-records-to-the-extent-needed-to-enable-the-monitoring-analysis-investigation-and-reporting-of-unlawful-or-unauthorized-system-activity)\r\n\r\n## Primary Services\r\n✳️ [Microsoft Defender for Cloud](https://azure.microsoft.com/services/security-center/) 🔀[Microsoft Defender for Cloud](https://portal.azure.com/#blade/Microsoft_Azure_Security/SecurityMenuBlade/0)
\r\n✳️ [Azure Monitor](https://azure.microsoft.com/services/monitor/) 🔀[Monitor](https://portal.azure.com/#blade/Microsoft_Azure_Monitoring/AzureMonitoringBrowseBlade/overview)
\r\n✳️ [Azure Active Directory](https://azure.microsoft.com/services/active-directory/) 🔀[Azure Active Directory Portal](https://portal.azure.com/#blade/Microsoft_AAD_IAM/ActiveDirectoryMenuBlade/Overview)
\r\n✳️ [Intune/Microsoft Endpoint Manager](https://www.microsoft.com/microsoft-365/microsoft-endpoint-Manager) 🔀[Microsoft Endpoint Manager Admin Center](https://endpoint.microsoft.com/#home)
\r\n✳️ [Microsoft 365 Compliance Management](https://www.microsoft.com/microsoft-365/enterprise/compliance-management) 🔀[Microsoft 365 Compliance Management](https://compliance.microsoft.com/)
\r\n\r\n## Secondary Services\r\n✳️ [Azure Firewall](https://azure.microsoft.com/services/azure-firewall/) 🔀[Azure Firewall Manager](https://portal.azure.com/#blade/Microsoft_Azure_HybridNetworking/FirewallManagerMenuBlade/firewallManagerOverview)
\r\n✳️ [Microsoft Sentinel](https://azure.microsoft.com/services/azure-sentinel/) 🔀[Microsoft Sentinel](https://portal.azure.com/#blade/HubsExtension/BrowseResource/resourceType/microsoft.securityinsightsarg%2Fsentinel)
\r\n✳️ [Azure Web Application Firewall]( https://azure.microsoft.com/services/web-application-firewall/) 🔀 [Web Application Firewall Policies](https://portal.azure.com/#blade/HubsExtension/BrowseResource/resourceType/Microsoft.Network%2FFrontDoorWebApplicationFirewallPolicies)
\r\n✳️ [Microsoft Defender for Office 365](https://www.microsoft.com/microsoft-365/security/office-365-defender) 🔀[Microsoft 365 Defender Portal](https://security.microsoft.com/homepage)
\r\n✳️ [GitHub Enterprise Cloud](https://github.com/enterprise) 🔀[GitHub Enterprise](https://enterprise.github.com/login)
\r\n✳️ [GitHub AE](https://docs.github.com/en/github-ae@latest/admin/overview/about-github-ae) 🔀[GitHub](https://github.com/)
\r\n\r\n## Recommended Logs\r\n🔷 [Datatable](https://docs.microsoft.com/azure/data-explorer/kusto/query/datatableoperator?pivots=azuremonitor) ✳️ [Azure Monitor]( https://azure.microsoft.com/services/monitor/)
\r\n\r\n## Implementation Guidance\r\n[Microsoft Technical Reference Guide for CMMC](https://aka.ms/cmmc/techrefguide)\r\n## NIST SP 800-171 Mapping\r\n[3.3.1](https://csrc.nist.gov/publications/detail/sp/800-171/rev-2/final)
\r\n## NIST SP 800-53 R4 Mapping\r\n[AU-2, AU-3, AU-3(1), AU-6, AU-11, AU-12](https://csrc.nist.gov/publications/detail/sp/800-53/rev-4/final)\r\n## Microsoft Defender for Cloud: Regulatory Compliance\r\n[Go To: NIST SP 800-171 Assessment >](https://portal.azure.com/#blade/Microsoft_Azure_Security/SecurityMenuBlade/22)
\r\n" + }, + "customWidth": "50", + "name": "text - 0", + "styleSettings": { + "maxWidth": "50%" + } + }, + { + "type": 3, + "content": { + "version": "KqlItem/1.0", + "query": "union withsource=_TableName *\r\n| summarize Entries = count(), Size = sum(_BilledSize), last_log = datetime_diff(\"second\",now(), max(TimeGenerated)), estimate = sumif(_BilledSize, _IsBillable==true) by _TableName, _IsBillable\r\n| project ['Table Name'] = _TableName, ['Table Size'] = Size, ['Table Entries'] = Entries,\r\n ['Size per Entry'] = 1.0 * Size / Entries, ['IsBillable'] = _IsBillable\r\n| order by ['Table Size'] desc", + "size": 0, + "showAnalytics": true, + "title": "Log Table Management", + "noDataMessage": "An Empty Panel Provides Opportunity To Explore This Control Further and Implement Solutions • Confirm Licensing, Availability, and Health of Respective Offerings • Confirm Log Source is Onboarded to Microsoft Sentinel Workspace • Adjust the Time Paramenter for a Larger Data-Set • Panels Can Display 'No Data' if All Recommendations are Fully Implemented, See Microsoft Defender for Cloud Recommendations • Third Party Tooling: Adjust Respective Panel KQL Query for Third Pary Tooling Requirements", + "timeContext": { + "durationMs": 2592000000 + }, + "timeContextFromParameter": "TimeRange", + "showExportToExcel": true, + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces", + "crossComponentResources": [ + "{Workspace}" + ], + "gridSettings": { + "formatters": [ + { + "columnMatch": "Table Name", + "formatter": 18, + "formatOptions": { + "thresholdsOptions": "icons", + "thresholdsGrid": [ + { + "operator": "Default", + "thresholdValue": null, + "representation": "uninitialized", + "text": "{0}{1}" + } + ] + } + }, + { + "columnMatch": "Table Size", + "formatter": 8, + "formatOptions": { + "palette": "purple" + }, + "numberFormat": { + "unit": 2, + "options": { + "style": "decimal", + "useGrouping": false + } + } + }, + { + "columnMatch": "Table Entries", + "formatter": 8, + "formatOptions": { + "palette": "turquoise" + }, + "numberFormat": { + "unit": 2, + "options": { + "style": "decimal", + "useGrouping": false + } + } + }, + { + "columnMatch": "Size per Entry", + "formatter": 8, + "formatOptions": { + "palette": "blue" + }, + "numberFormat": { + "unit": 2, + "options": { + "style": "decimal", + "useGrouping": false + } + } + }, + { + "columnMatch": "IsBillable", + "formatter": 18, + "formatOptions": { + "thresholdsOptions": "icons", + "thresholdsGrid": [ + { + "operator": "==", + "thresholdValue": "True", + "representation": "2", + "text": "{0}{1}" + }, + { + "operator": "==", + "thresholdValue": "False", + "representation": "success", + "text": "{0}{1}" + }, + { + "operator": "Default", + "thresholdValue": null, + "representation": "Important", + "text": "{0}{1}" + } + ] + } + } + ], + "filter": true, + "sortBy": [ + { + "itemKey": "$gen_thresholds_IsBillable_4", + "sortOrder": 2 + } + ] + }, + "sortBy": [ + { + "itemKey": "$gen_thresholds_IsBillable_4", + "sortOrder": 2 + } + ], + "tileSettings": { + "titleContent": { + "columnMatch": "DataType", + "formatter": 1 + }, + "leftContent": { + "columnMatch": "count_", + "formatter": 12, + "formatOptions": { + "palette": "auto" + }, + "numberFormat": { + "unit": 17, + "options": { + "maximumSignificantDigits": 3, + "maximumFractionDigits": 2 + } + } + }, + "showBorder": false + } + }, + "customWidth": "50", + "name": "query - 3 - Copy - Copy", + "styleSettings": { + "maxWidth": "50" + } + }, + { + "type": 12, + "content": { + "version": "NotebookGroup/1.0", + "groupType": "editable", + "items": [ + { + "type": 1, + "content": { + "json": "## Control Assessment\r\n" + }, + "name": "text - 2" + }, + { + "type": 9, + "content": { + "version": "KqlParameterItem/1.0", + "parameters": [ + { + "id": "52668f65-b44a-4e14-82d8-c87410e7e5dc", + "version": "KqlParameterItem/1.0", + "name": "ImplementationStatus", + "label": "Implementation Status", + "type": 2, + "typeSettings": { + "additionalResourceOptions": [], + "showDefault": false + }, + "jsonData": "[\r\n {\"value\": \"Not Implemented\", \"label\": \"Not Implemented\", \"selected\":true},\r\n {\"value\": \"Implemented\", \"label\": \"Implemented\"},\r\n {\"value\": \"Alternate Implementation\", \"label\": \"Alternate Implementation\"},\r\n {\"value\": \"Planned\", \"label\": \"Planned\"},\r\n {\"value\": \"Out of Scope\", \"label\": \"Out of Scope\"}\r\n]", + "timeContext": { + "durationMs": 86400000 + } + }, + { + "id": "578b8620-30b9-4b92-abc6-997998bc8156", + "version": "KqlParameterItem/1.0", + "name": "ImplementationDate", + "label": "Implementation Date", + "type": 1, + "value": "", + "timeContext": { + "durationMs": 86400000 + } + }, + { + "version": "KqlParameterItem/1.0", + "name": "Notes", + "type": 1, + "value": "", + "timeContext": { + "durationMs": 86400000 + }, + "id": "7bd0d384-d3c3-4c77-9dae-d75e823edfcf" + } + ], + "style": "pills", + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces" + }, + "name": "Status" + }, + { + "type": 1, + "content": { + "json": "### Notes
\r\n{Notes}" + }, + "name": "text - 1" + } + ] + }, + "customWidth": "50", + "name": "group - 2" + } + ] + }, + "name": "AU.L2-3.3.1", + "styleSettings": { + "showBorder": true + } + }, + { + "type": 12, + "content": { + "version": "NotebookGroup/1.0", + "groupType": "editable", + "items": [ + { + "type": 1, + "content": { + "json": "# [(AU.L2-3.3.2) User Accountability](https://docs.microsoft.com/azure/governance/policy/samples/cmmc-l3#ensure-that-the-actions-of-individual-system-users-can-be-uniquely-traced-to-those-users-so-they-can-be-held-accountable-for-their-actions)\r\n\r\n## Primary Services\r\n✳️ [Microsoft Sentinel](https://azure.microsoft.com/services/azure-sentinel/) 🔀[Microsoft Sentinel](https://portal.azure.com/#blade/HubsExtension/BrowseResource/resourceType/microsoft.securityinsightsarg%2Fsentinel)
\r\n\r\n## Secondary Services\r\n✳️ [Intune/Microsoft Endpoint Manager](https://www.microsoft.com/microsoft-365/microsoft-endpoint-Manager) 🔀[Microsoft Endpoint Manager Admin Center](https://endpoint.microsoft.com/#home)
\r\n✳️ [Microsoft 365 Compliance Management](https://www.microsoft.com/microsoft-365/enterprise/compliance-management) 🔀[Microsoft 365 Compliance Management](https://compliance.microsoft.com/)
\r\n\r\n## Recommended Logs\r\n🔷 [AzureActivity](https://docs.microsoft.com/azure/azure-monitor/reference/tables/azureactivity) ✳️ [Azure Monitor]( https://azure.microsoft.com/services/monitor/)
\r\n\r\n## Implementation Guidance\r\n[Microsoft Technical Reference Guide for CMMC](https://aka.ms/cmmc/techrefguide)\r\n## NIST SP 800-171 Mapping\r\n[3.3.2](https://csrc.nist.gov/publications/detail/sp/800-171/rev-2/final)
\r\n## NIST SP 800-53 R4 Mapping\r\n[AU-2, AU-3, AU-3(1), AU-6, AU-11, AU-12](https://csrc.nist.gov/publications/detail/sp/800-53/rev-4/final)\r\n## Microsoft Defender for Cloud: Regulatory Compliance\r\n[Go To: NIST SP 800-171 Assessment >](https://portal.azure.com/#blade/Microsoft_Azure_Security/SecurityMenuBlade/22)
\r\n" + }, + "customWidth": "50", + "name": "text - 0", + "styleSettings": { + "maxWidth": "50%" + } + }, + { + "type": 3, + "content": { + "version": "KqlItem/1.0", + "query": "AzureActivity\r\n| where Caller <> \"\"\r\n| extend UserPrincipalName = Caller\r\n| join (SigninLogs) on UserPrincipalName\r\n| extend UserProfile = strcat(\"https://portal.azure.com/#blade/Microsoft_AAD_IAM/UserDetailsMenuBlade/Profile/userId/\",UserId)\r\n| summarize count() by UserPrincipalName, UserProfile\r\n| sort by count_ desc\r\n| limit 250\r\n", + "size": 0, + "showAnalytics": true, + "title": "Azure User Activity by Action Count", + "noDataMessage": "An Empty Panel Provides Opportunity To Explore Further and Implement Hardening. Controls: Confirm Licensing, Availability, and Health of Respective Offerings. Logging: Confirm Log Source is Onboarded to the Log Analytics Workspace. Time: Adjust the Time Parameter for a Larger Data-Set. ", + "timeContext": { + "durationMs": 2592000000 + }, + "timeContextFromParameter": "TimeRange", + "showExportToExcel": true, + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces", + "crossComponentResources": [ + "{Workspace}" + ], + "gridSettings": { + "formatters": [ + { + "columnMatch": "UserPrincipalName", + "formatter": 18, + "formatOptions": { + "thresholdsOptions": "icons", + "thresholdsGrid": [ + { + "operator": "Default", + "thresholdValue": null, + "representation": "Person", + "text": "{0}{1}" + } + ] + } + }, + { + "columnMatch": "UserProfile", + "formatter": 7, + "formatOptions": { + "linkTarget": "Url", + "linkLabel": "Go To: AAD User Profile >" + } + }, + { + "columnMatch": "count_", + "formatter": 4, + "formatOptions": { + "palette": "blue" + } + } + ], + "filter": true + } + }, + "customWidth": "50", + "name": "query - 1", + "styleSettings": { + "maxWidth": "50" + } + }, + { + "type": 12, + "content": { + "version": "NotebookGroup/1.0", + "groupType": "editable", + "items": [ + { + "type": 1, + "content": { + "json": "## Control Assessment\r\n" + }, + "name": "text - 2" + }, + { + "type": 9, + "content": { + "version": "KqlParameterItem/1.0", + "parameters": [ + { + "id": "52668f65-b44a-4e14-82d8-c87410e7e5dc", + "version": "KqlParameterItem/1.0", + "name": "ImplementationStatus", + "label": "Implementation Status", + "type": 2, + "typeSettings": { + "additionalResourceOptions": [], + "showDefault": false + }, + "jsonData": "[\r\n {\"value\": \"Not Implemented\", \"label\": \"Not Implemented\", \"selected\":true},\r\n {\"value\": \"Implemented\", \"label\": \"Implemented\"},\r\n {\"value\": \"Alternate Implementation\", \"label\": \"Alternate Implementation\"},\r\n {\"value\": \"Planned\", \"label\": \"Planned\"},\r\n {\"value\": \"Out of Scope\", \"label\": \"Out of Scope\"}\r\n]", + "timeContext": { + "durationMs": 86400000 + } + }, + { + "id": "578b8620-30b9-4b92-abc6-997998bc8156", + "version": "KqlParameterItem/1.0", + "name": "ImplementationDate", + "label": "Implementation Date", + "type": 1, + "value": "", + "timeContext": { + "durationMs": 86400000 + } + }, + { + "version": "KqlParameterItem/1.0", + "name": "Notes", + "type": 1, + "value": "", + "timeContext": { + "durationMs": 86400000 + }, + "id": "7bd0d384-d3c3-4c77-9dae-d75e823edfcf" + } + ], + "style": "pills", + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces" + }, + "name": "Status" + }, + { + "type": 1, + "content": { + "json": "### Notes
\r\n{Notes}" + }, + "name": "text - 1" + } + ] + }, + "customWidth": "50", + "name": "group - 2" + } + ] + }, + "name": "AU.L2-3.3.2", + "styleSettings": { + "showBorder": true + } + }, + { + "type": 12, + "content": { + "version": "NotebookGroup/1.0", + "groupType": "editable", + "items": [ + { + "type": 1, + "content": { + "json": "# (AU.L2-3.3.3) Event Review\r\n\r\n## Primary Services\r\n\r\n## Secondary Services\r\n✳️ [Microsoft Sentinel](https://azure.microsoft.com/services/azure-sentinel/) 🔀[Microsoft Sentinel](https://portal.azure.com/#blade/HubsExtension/BrowseResource/resourceType/microsoft.securityinsightsarg%2Fsentinel)
\r\n✳️ [Azure Active Directory](https://azure.microsoft.com/services/active-directory/) 🔀[Azure Active Directory Portal](https://portal.azure.com/#blade/Microsoft_AAD_IAM/ActiveDirectoryMenuBlade/Overview)
\r\n✳️ [Intune/Microsoft Endpoint Manager](https://www.microsoft.com/microsoft-365/microsoft-endpoint-Manager) 🔀[Microsoft Endpoint Manager Admin Center](https://endpoint.microsoft.com/#home)
\r\n✳️ [Microsoft Defender for Cloud Apps](https://www.microsoft.com/microsoft-365/enterprise-mobility-security/cloud-app-security) 🔀 [Microsoft Defender for Cloud Apps Portal](https://portal.cloudappsecurity.com/)
\r\n✳️ [Microsoft 365 Compliance Management](https://www.microsoft.com/microsoft-365/enterprise/compliance-management) 🔀[Microsoft 365 Compliance Management](https://compliance.microsoft.com/)
\r\n\r\n## Recommended Configurations\r\n💡 [Connect Data Sources](https://docs.microsoft.com/azure/sentinel/connect-data-sources)\r\n\r\n## Implementation Guidance\r\n[Microsoft Technical Reference Guide for CMMC](https://aka.ms/cmmc/techrefguide)\r\n## NIST SP 800-171 Mapping\r\n[3.3.3](https://csrc.nist.gov/publications/detail/sp/800-171/rev-2/final)
\r\n## NIST SP 800-53 R4 Mapping\r\n[AU-2(3)](https://csrc.nist.gov/publications/detail/sp/800-53/rev-4/final)\r\n## Microsoft Defender for Cloud: Regulatory Compliance\r\n[Go To: NIST SP 800-171 Assessment >](https://portal.azure.com/#blade/Microsoft_Azure_Security/SecurityMenuBlade/22)
\r\n" + }, + "customWidth": "50", + "name": "text - 0", + "styleSettings": { + "maxWidth": "50%" + } + }, + { + "type": 3, + "content": { + "version": "KqlItem/1.0", + "query": "Usage\r\n| summarize count() by DataType\r\n| sort by count_ desc\r\n| limit 100", + "size": 0, + "showAnalytics": true, + "title": "Log Events Count by Log Type", + "noDataMessage": "An Empty Panel Provides Opportunity To Explore Further and Implement Hardening. Controls: Confirm Licensing, Availability, and Health of Respective Offerings. Logging: Confirm Log Source is Onboarded to the Log Analytics Workspace. Time: Adjust the Time Parameter for a Larger Data-Set. ", + "timeContext": { + "durationMs": 2592000000 + }, + "timeContextFromParameter": "TimeRange", + "showExportToExcel": true, + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces", + "crossComponentResources": [ + "{Workspace}" + ], + "visualization": "tiles", + "gridSettings": { + "filter": true + }, + "tileSettings": { + "titleContent": { + "columnMatch": "DataType", + "formatter": 1 + }, + "leftContent": { + "columnMatch": "count_", + "formatter": 12, + "formatOptions": { + "palette": "auto" + }, + "numberFormat": { + "unit": 17, + "options": { + "maximumSignificantDigits": 3, + "maximumFractionDigits": 2 + } + } + }, + "showBorder": false + } + }, + "customWidth": "50", + "name": "query - 3", + "styleSettings": { + "maxWidth": "50" + } + }, + { + "type": 12, + "content": { + "version": "NotebookGroup/1.0", + "groupType": "editable", + "items": [ + { + "type": 1, + "content": { + "json": "## Control Assessment\r\n" + }, + "name": "text - 2" + }, + { + "type": 9, + "content": { + "version": "KqlParameterItem/1.0", + "parameters": [ + { + "id": "52668f65-b44a-4e14-82d8-c87410e7e5dc", + "version": "KqlParameterItem/1.0", + "name": "ImplementationStatus", + "label": "Implementation Status", + "type": 2, + "typeSettings": { + "additionalResourceOptions": [], + "showDefault": false + }, + "jsonData": "[\r\n {\"value\": \"Not Implemented\", \"label\": \"Not Implemented\", \"selected\":true},\r\n {\"value\": \"Implemented\", \"label\": \"Implemented\"},\r\n {\"value\": \"Alternate Implementation\", \"label\": \"Alternate Implementation\"},\r\n {\"value\": \"Planned\", \"label\": \"Planned\"},\r\n {\"value\": \"Out of Scope\", \"label\": \"Out of Scope\"}\r\n]", + "timeContext": { + "durationMs": 86400000 + } + }, + { + "id": "578b8620-30b9-4b92-abc6-997998bc8156", + "version": "KqlParameterItem/1.0", + "name": "ImplementationDate", + "label": "Implementation Date", + "type": 1, + "value": "", + "timeContext": { + "durationMs": 86400000 + } + }, + { + "version": "KqlParameterItem/1.0", + "name": "Notes", + "type": 1, + "value": "", + "timeContext": { + "durationMs": 86400000 + }, + "id": "7bd0d384-d3c3-4c77-9dae-d75e823edfcf" + } + ], + "style": "pills", + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces" + }, + "name": "Status" + }, + { + "type": 1, + "content": { + "json": "### Notes
\r\n{Notes}" + }, + "name": "text - 1" + } + ] + }, + "customWidth": "50", + "name": "group - 2" + } + ] + }, + "name": "AU.L2-3.3.3", + "styleSettings": { + "showBorder": true + } + }, + { + "type": 12, + "content": { + "version": "NotebookGroup/1.0", + "groupType": "editable", + "items": [ + { + "type": 1, + "content": { + "json": "# [(AU.L2-3.3.4) Audit Failure Alerting](https://docs.microsoft.com/azure/governance/policy/samples/cmmc-l3#alert-in-the-event-of-an-audit-logging-process-failure)\r\n\r\n## Primary Services\r\n✳️ [Microsoft Sentinel](https://azure.microsoft.com/services/azure-sentinel/) 🔀[Microsoft Sentinel](https://portal.azure.com/#blade/HubsExtension/BrowseResource/resourceType/microsoft.securityinsightsarg%2Fsentinel)
\r\n\r\n## Secondary Services\r\n✳️ [Azure Active Directory](https://azure.microsoft.com/services/active-directory/) 🔀[Azure Active Directory Portal](https://portal.azure.com/#blade/Microsoft_AAD_IAM/ActiveDirectoryMenuBlade/Overview)
\r\n✳️ [Intune/Microsoft Endpoint Manager](https://www.microsoft.com/microsoft-365/microsoft-endpoint-Manager) 🔀[Microsoft Endpoint Manager Admin Center](https://endpoint.microsoft.com/#home)
\r\n\r\n## Recommended Logs\r\n🔷 [Datatable](https://docs.microsoft.com/azure/data-explorer/kusto/query/datatableoperator?pivots=azuremonitor) ✳️ [Azure Monitor]( https://azure.microsoft.com/services/monitor/)
\r\n\r\n## Implementation Guidance\r\n[Microsoft Technical Reference Guide for CMMC](https://aka.ms/cmmc/techrefguide)\r\n## NIST SP 800-171 Mapping\r\n[3.3.4](https://csrc.nist.gov/publications/detail/sp/800-171/rev-2/final)
\r\n## NIST SP 800-53 R4 Mapping\r\n[AU-5](https://csrc.nist.gov/publications/detail/sp/800-53/rev-4/final)\r\n## Microsoft Defender for Cloud: Regulatory Compliance\r\n[Go To: NIST SP 800-171 Assessment >](https://portal.azure.com/#blade/Microsoft_Azure_Security/SecurityMenuBlade/22)
\r\n" + }, + "customWidth": "50", + "name": "text - 0", + "styleSettings": { + "maxWidth": "50%" + } + }, + { + "type": 3, + "content": { + "version": "KqlItem/1.0", + "query": "union withsource = _TableName *\r\n| summarize last_log = datetime_diff(\"second\",now(), max(TimeGenerated)) by _TableName\r\n| where last_log > 0\r\n| project ['Table Name'] = _TableName, ['Last Record Received'] = last_log\r\n| order by ['Last Record Received'] desc", + "size": 0, + "showAnalytics": true, + "title": "Monitor Log Source Health ", + "noDataMessage": "An Empty Panel Provides Opportunity To Explore Further and Implement Hardening. Controls: Confirm Licensing, Availability, and Health of Respective Offerings. Logging: Confirm Log Source is Onboarded to the Log Analytics Workspace. Time: Adjust the Time Parameter for a Larger Data-Set. • Confirm Log Source is Onboarded to Microsoft Sentinel Workspace • Adjust Query Time Thresholds for a Larger Data-Set", + "timeContext": { + "durationMs": 2592000000 + }, + "timeContextFromParameter": "TimeRange", + "showExportToExcel": true, + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces", + "crossComponentResources": [ + "{Workspace}" + ], + "gridSettings": { + "formatters": [ + { + "columnMatch": "Last Record Received", + "formatter": 8, + "formatOptions": { + "palette": "orangeRed" + }, + "numberFormat": { + "unit": 24, + "options": { + "style": "decimal" + } + } + } + ], + "filter": true, + "labelSettings": [ + { + "columnId": "Table Name", + "label": "Table name" + }, + { + "columnId": "Last Record Received", + "label": "Last record recieved", + "comment": "When did the last record arrive?" + } + ] + } + }, + "customWidth": "50", + "name": "query - 2", + "styleSettings": { + "maxWidth": "50" + } + }, + { + "type": 12, + "content": { + "version": "NotebookGroup/1.0", + "groupType": "editable", + "items": [ + { + "type": 1, + "content": { + "json": "## Control Assessment\r\n" + }, + "name": "text - 2" + }, + { + "type": 9, + "content": { + "version": "KqlParameterItem/1.0", + "parameters": [ + { + "id": "52668f65-b44a-4e14-82d8-c87410e7e5dc", + "version": "KqlParameterItem/1.0", + "name": "ImplementationStatus", + "label": "Implementation Status", + "type": 2, + "typeSettings": { + "additionalResourceOptions": [], + "showDefault": false + }, + "jsonData": "[\r\n {\"value\": \"Not Implemented\", \"label\": \"Not Implemented\", \"selected\":true},\r\n {\"value\": \"Implemented\", \"label\": \"Implemented\"},\r\n {\"value\": \"Alternate Implementation\", \"label\": \"Alternate Implementation\"},\r\n {\"value\": \"Planned\", \"label\": \"Planned\"},\r\n {\"value\": \"Out of Scope\", \"label\": \"Out of Scope\"}\r\n]", + "timeContext": { + "durationMs": 86400000 + } + }, + { + "id": "578b8620-30b9-4b92-abc6-997998bc8156", + "version": "KqlParameterItem/1.0", + "name": "ImplementationDate", + "label": "Implementation Date", + "type": 1, + "value": "", + "timeContext": { + "durationMs": 86400000 + } + }, + { + "version": "KqlParameterItem/1.0", + "name": "Notes", + "type": 1, + "value": "", + "timeContext": { + "durationMs": 86400000 + }, + "id": "7bd0d384-d3c3-4c77-9dae-d75e823edfcf" + } + ], + "style": "pills", + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces" + }, + "name": "Status" + }, + { + "type": 1, + "content": { + "json": "### Notes
\r\n{Notes}" + }, + "name": "text - 1" + } + ] + }, + "customWidth": "50", + "name": "group - 2" + } + ] + }, + "name": "AU.L2-3.3.4", + "styleSettings": { + "showBorder": true + } + }, + { + "type": 12, + "content": { + "version": "NotebookGroup/1.0", + "groupType": "editable", + "items": [ + { + "type": 1, + "content": { + "json": "# (AU.L2-3.3.5) Audit Correlation\r\n\r\n## Primary Services\r\n✳️ [Microsoft Sentinel](https://azure.microsoft.com/services/azure-sentinel/) 🔀[Microsoft Sentinel](https://portal.azure.com/#blade/HubsExtension/BrowseResource/resourceType/microsoft.securityinsightsarg%2Fsentinel)
\r\n✳️ [Microsoft Defender for Cloud Apps](https://www.microsoft.com/microsoft-365/enterprise-mobility-security/cloud-app-security) 🔀 [Microsoft Defender for Cloud Apps Portal](https://portal.cloudappsecurity.com/)
\r\n✳️ [Microsoft 365 Defender](https://www.microsoft.com/microsoft-365/security/microsoft-365-defender) 🔀[Microsoft 365 Defender](https://security.microsoft.com/)
\r\n\r\n\r\n## Secondary Services\r\n✳️ [Azure Monitor](https://azure.microsoft.com/services/monitor/) 🔀[Monitor](https://portal.azure.com/#blade/Microsoft_Azure_Monitoring/AzureMonitoringBrowseBlade/overview)
\r\n✳️ [Microsoft 365 Compliance Management](https://www.microsoft.com/microsoft-365/enterprise/compliance-management) 🔀[Microsoft 365 Compliance Management](https://compliance.microsoft.com/)
\r\n✳️ [Microsoft Defender for Identity](https://www.microsoft.com/microsoft-365/security/identity-defender) 🔀[Microsoft Defender for Identity](https://portal.atp.azure.com/)
\r\n✳️ [Microsoft Defender for Office 365](https://www.microsoft.com/microsoft-365/security/office-365-defender) 🔀[Microsoft 365 Defender Portal](https://security.microsoft.com/homepage)
\r\n✳️ [Microsoft Defender for Cloud](https://azure.microsoft.com/services/security-center/) 🔀[Microsoft Defender for Cloud](https://portal.azure.com/#blade/Microsoft_Azure_Security/SecurityMenuBlade/0)
\r\n\r\n## Recommended Logs\r\n🔷 [BehaviorAnalytics](https://docs.microsoft.com/azure/azure-monitor/reference/tables/behavioranalytics) ✳️ [Microsoft Sentinel](https://azure.microsoft.com/services/azure-sentinel/)
\r\n\r\n## Implementation Guidance\r\n[Microsoft Technical Reference Guide for CMMC](https://aka.ms/cmmc/techrefguide)\r\n## NIST SP 800-171 Mapping\r\n[3.3.5](https://csrc.nist.gov/publications/detail/sp/800-171/rev-2/final)
\r\n## NIST SP 800-53 R4 Mapping\r\n[AU-6(3)](https://csrc.nist.gov/publications/detail/sp/800-53/rev-4/final)\r\n## Microsoft Defender for Cloud: Regulatory Compliance\r\n[Go To: NIST SP 800-171 Assessment >](https://portal.azure.com/#blade/Microsoft_Azure_Security/SecurityMenuBlade/22)
\r\n" + }, + "customWidth": "50", + "name": "text - 0", + "styleSettings": { + "maxWidth": "50%" + } + }, + { + "type": 3, + "content": { + "version": "KqlItem/1.0", + "query": "let AnomalousSigninActivity = BehaviorAnalytics\r\n | where ActionType == \"Sign-in\"\r\n | where (UsersInsights.NewAccount == True or UsersInsights.DormantAccount == True) and (\r\n ActivityInsights.FirstTimeUserAccessedResource == True and ActivityInsights.ResourceUncommonlyAccessedAmongPeers == True\r\n or ActivityInsights.FirstTimeUserUsedApp == True and ActivityInsights.AppUncommonlyUsedAmongPeers == False)\r\n | join (\r\n SigninLogs | where Status.errorCode == 0 or Status.errorCode == 0 and RiskDetail != \"none\"\r\n )\r\n on $left.SourceRecordId == $right._ItemId\r\n | extend UserPrincipalName = iff(UserPrincipalName contains \"#EXT#\", replace(\"_\", \"@\", tostring(split(UserPrincipalName, \"#\")[0])), UserPrincipalName),\r\n UserName = iff(UserName contains \"#EXT#\", replace(\"_\", \"@\", tostring(split(UserPrincipalName, \"#\")[0])), UserName)\r\n | extend AnomalyName = \"Anomalous Successful Logon\",\r\n Tactic = \"Persistence\",\r\n Technique = \"Valid Accounts\",\r\n SubTechnique = \"\",\r\n Description = \"Successful Sign-in with one or more of the following indications: sign by new or recently dormant accounts and sign in with resource for the first time (while none of their peers did) or to an app for the first time (while none of their peers did) or performed by a user with Risk indicaiton from AAD\"\r\n | project TimeGenerated, AnomalyName, Tactic, Technique, SubTechnique, Description, UserName, UserPrincipalName, UsersInsights, ActivityType, ActionType, [\"Evidence\"]=ActivityInsights, ResourceDisplayName, AppDisplayName, SourceIPAddress, SourceIPLocation, SourceDevice, DevicesInsights, [\"Anomaly Score\"]=InvestigationPriority; \r\nlet critical = dynamic(['9b895d92-2cd3-44c7-9d02-a6ac2d5ea5c3', 'c4e39bd9-1100-46d3-8c65-fb160da0071f', '158c047a-c907-4556-b7ef-446551a6b5f7', '62e90394-69f5-4237-9190-012177145e10', 'd29b2b05-8046-44ba-8758-1e26182fcf32', '729827e3-9c14-49f7-bb1b-9608f156bbb8', '966707d0-3269-4727-9be2-8c3a10f19b9d', '194ae4cb-b126-40b2-bd5b-6091b380977d', 'fe930be7-5e62-47db-91af-98c3a49a38b1']);\r\nlet high = dynamic(['cf1c38e5-3621-4004-a7cb-879624dced7c', '7495fdc4-34c4-4d15-a289-98788ce399fd', 'aaf43236-0c0d-4d5f-883a-6955382ac081', '3edaf663-341e-4475-9f94-5c398ef6c070', '7698a772-787b-4ac8-901f-60d6b08affd2', 'b1be1c3e-b65d-4f19-8427-f6fa0d97feb9', '9f06204d-73c1-4d4c-880a-6edb90606fd8', '29232cdf-9323-42fd-ade2-1d097af3e4de', 'be2f45a1-457d-42af-a067-6ec1fa63bc45', '7be44c8a-adaf-4e2a-84d6-ab2649e08a13', 'e8611ab8-c189-46e8-94e1-60213ab1f814']);//witdstomstl\r\nlet AnomalousRoleAssignment = AuditLogs\r\n | where TimeGenerated > ago(28d)\r\n | where OperationName == \"Add member to role\"\r\n | mv-expand TargetResources\r\n | extend RoleId = tostring(TargetResources.modifiedProperties[0].newValue)\r\n | where isnotempty(RoleId) and RoleId in (critical, high)\r\n | extend RoleName = tostring(TargetResources.modifiedProperties[1].newValue)\r\n | where isnotempty(RoleName)\r\n | extend TargetId = tostring(TargetResources.id)\r\n | extend Target = tostring(TargetResources.userPrincipalName)\r\n | join kind=inner (\r\n BehaviorAnalytics\r\n | where ActionType == \"Add member to role\"\r\n | where UsersInsights.BlasrRadius == \"High\" or ActivityInsights.FirstTimeUserPerformedAction == true\r\n )\r\n on $left._ItemId == $right.SourceRecordId\r\n | extend AnomalyName = \"Anomalous Role Assignemt\",\r\n Tactic = \"Persistence\",\r\n Technique = \"Account Manipulation\",\r\n SubTechnique = \"\",\r\n Description = \"Adversaries may manipulate accounts to maintain access to victim systems. These actions include adding new accounts to high privilleged groups. Dragonfly 2.0, for example, added newly created accounts to the administrators group to maintain elevated access. The query below generates an output of all high Blast Radius users performing Add member to priveleged role, or ones that add users for the first time.\"\r\n | project TimeGenerated, AnomalyName, Tactic, Technique, SubTechnique, Description, UserName, UserPrincipalName, UsersInsights, ActivityType, ActionType, [\"TargetUser\"]=Target, RoleName, [\"Evidence\"]=ActivityInsights, SourceIPAddress, SourceIPLocation, SourceDevice, DevicesInsights, [\"Anomaly Score\"]=InvestigationPriority; let LogOns=materialize(\r\n BehaviorAnalytics\r\n | where ActivityType == \"LogOn\");\r\nlet AnomalousResourceAccess = LogOns\r\n | where ActionType == \"ResourceAccess\"\r\n | where ActivityInsights.FirstTimeUserLoggedOnToDevice == true\r\n | extend AnomalyName = \"Anomalous Resource Access\",\r\n Tactic = \"Lateral Movement\",\r\n Technique = \"\",\r\n SubTechnique = \"\",\r\n Description = \"Adversary may be trying to move through the environment. APT29 and APT32, for example, has used PtH & PtT techniques to lateral move around the network. The query below generates an output of all users performing an resource access (4624:3) to devices for the first time.\"\r\n | project TimeGenerated, AnomalyName, Tactic, Technique, SubTechnique, Description, UserName, UserPrincipalName, UsersInsights, ActivityType, ActionType, [\"Evidence\"]=ActivityInsights, SourceIPAddress, SourceIPLocation, SourceDevice, DevicesInsights, [\"Anomaly Score\"]=InvestigationPriority; \r\nlet AnomalousRDPActivity = LogOns\r\n | where ActionType == \"RemoteInteractiveLogon\"\r\n | where ActivityInsights.FirstTimeUserLoggedOnToDevice == true\r\n | extend AnomalyName = \"Anomalous RDP Activity\",\r\n Tactic = \"Lateral Movement\",\r\n Technique = \"\",\r\n SubTechnique = \"\",\r\n Description = \"Adversaries may use Valid Accounts to log into a computer using the Remote Desktop Protocol (RDP). The adversary may then perform actions as the logged-on user. FIN10, for example, has used RDP to move laterally to systems in the victim environment. The query below generates an output of all users performing a remote interactive logon (4624:10) to a device for the first time.\"\r\n | project TimeGenerated, AnomalyName, Tactic, Technique, SubTechnique, Description, UserName, UserPrincipalName, UsersInsights, ActivityType, ActionType, [\"Evidence\"]=ActivityInsights, SourceIPAddress, SourceIPLocation, SourceDevice, DevicesInsights, [\"Anomaly Score\"]=InvestigationPriority; \r\nlet AnomalousLogintoDevices = LogOns\r\n | where ActionType == \"InteractiveLogon\"\r\n | where ActivityInsights.FirstTimeUserLoggedOnToDevice == true\r\n | where UsersInsights.DormantAccount == true or DevicesInsights.LocalAdmin == true\r\n | extend AnomalyName = \"Anomalous Login To Devices\",\r\n Tactic = \"Privilege Escalation\",\r\n Technique = \"Valid Accounts\",\r\n SubTechnique = \"\",\r\n Description = \"Adversaries may steal the credentials of a specific user or service account using Credential Access techniques or capture credentials earlier in their reconnaissance process through social engineering for means of gaining Initial Access. APT33, for example, has used valid accounts for initial access and privilege escalation. The query below generates an output of all administator users performing an interactive logon (4624:2) to a device for the first time.\"\r\n | project TimeGenerated, AnomalyName, Tactic, Technique, SubTechnique, Description, UserName, UserPrincipalName, UsersInsights, ActivityType, ActionType, [\"Evidence\"]=ActivityInsights, SourceIPAddress, SourceIPLocation, SourceDevice, DevicesInsights, [\"Anomaly Score\"]=InvestigationPriority; \r\nlet AnomalousPasswordReset = BehaviorAnalytics\r\n | where ActionType == \"Reset user password\"\r\n | where ActivityInsights.FirstTimeUserPerformedAction == \"True\"\r\n | join (\r\n AuditLogs\r\n | where OperationName == \"Reset user password\"\r\n )\r\n on $left.SourceRecordId == $right._ItemId\r\n | mv-expand TargetResources\r\n | extend Target = iff(tostring(TargetResources.userPrincipalName) contains \"#EXT#\", replace(\"_\", \"@\", tostring(split(TargetResources.userPrincipalName, \"#\")[0])), TargetResources.userPrincipalName), tostring(TargetResources.userPrincipalName)\r\n | extend UserPrincipalName = iff(UserPrincipalName contains \"#EXT#\", replace(\"_\", \"@\", tostring(split(UserPrincipalName, \"#\")[0])), UserPrincipalName),\r\n UserName = iff(UserName contains \"#EXT#\", replace(\"_\", \"@\", tostring(split(UserPrincipalName, \"#\")[0])), UserName)\r\n | extend AnomalyName = \"Anomalous Password Reset\",\r\n Tactic = \"Impact\",\r\n Technique = \"Account Access Removal\",\r\n SubTechnique = \"\",\r\n Description = \"Adversaries may interrupt availability of system and network resources by inhibiting access to accounts utilized by legitimate users. Accounts may be deleted, locked, or manipulated (ex: changed credentials) to remove access to accounts. LockerGoga, for example, has been observed changing account passwords and logging off current users. The query below generates an output of all users performing Reset user password for the first time.\"\r\n | project TimeGenerated, AnomalyName, Tactic, Technique, SubTechnique, Description, UserName, UserPrincipalName, UsersInsights, ActivityType, ActionType, [\"TargetUser\"]=Target, [\"Evidence\"]=ActivityInsights, SourceIPAddress, SourceIPLocation, SourceDevice, DevicesInsights, [\"Anomaly Score\"]=InvestigationPriority\r\n | sort by TimeGenerated desc;\r\nlet AnomalousGeoLocationLogon = BehaviorAnalytics\r\n | where ActionType == \"Sign-in\"\r\n | where ActivityInsights.FirstTimeUserConnectedFromCountry == True and (ActivityInsights.FirstTimeConnectionFromCountryObservedInTenant == True or ActivityInsights.CountryUncommonlyConnectedFromAmongPeers == True)\r\n | join (\r\n SigninLogs\r\n )\r\n on $left.SourceRecordId == $right._ItemId\r\n | extend UserPrincipalName = iff(UserPrincipalName contains \"#EXT#\", replace(\"_\", \"@\", tostring(split(UserPrincipalName, \"#\")[0])), UserPrincipalName),\r\n UserName = iff(UserName contains \"#EXT#\", replace(\"_\", \"@\", tostring(split(UserPrincipalName, \"#\")[0])), UserName)\r\n | extend AnomalyName = \"Anomalous Successful Logon\",\r\n Tactic = \"Initial Access\",\r\n Technique = \"Valid Accounts\",\r\n SubTechnique = \"\",\r\n Description = \"Adversaries may steal the credentials of a specific user or service account using Credential Access techniques or capture credentials earlier in their reconnaissance process through social engineering for means of gaining Initial Access. APT33, for example, has used valid accounts for initial access. The query below generates an output of successful Sign-in performed by a user from a new geo location he has never connected from before, and none of his peers as well.\"\r\n | project TimeGenerated, AnomalyName, Tactic, Technique, SubTechnique, Description, UserName, UserPrincipalName, UsersInsights, ActivityType, ActionType, [\"Evidence\"]=ActivityInsights, ResourceDisplayName, AppDisplayName, SourceIPAddress, SourceIPLocation, SourceDevice, DevicesInsights, [\"Anomaly Score\"]=InvestigationPriority; \r\nlet AnomalousFailedLogon = BehaviorAnalytics\r\n | where ActivityType == \"LogOn\"\r\n | where UsersInsights.BlastRadius == \"High\"\r\n | join (\r\n SigninLogs \r\n | where Status.errorCode == 50126\r\n )\r\n on $left.SourceRecordId == $right._ItemId\r\n | extend UserPrincipalName = iff(UserPrincipalName contains \"#EXT#\", replace(\"_\", \"@\", tostring(split(UserPrincipalName, \"#\")[0])), UserPrincipalName),\r\n UserName = iff(UserName contains \"#EXT#\", replace(\"_\", \"@\", tostring(split(UserPrincipalName, \"#\")[0])), UserName)\r\n | extend AnomalyName = \"Anomalous Failed Logon\",\r\n Tactic = \"Credential Access\",\r\n Technique = \"Brute Force\",\r\n SubTechnique = \"Password Guessing\",\r\n Description = \"Adversaries with no prior knowledge of legitimate credentials within the system or environment may guess passwords to attempt access to accounts. Emotet, for example, has been observed using a hard coded list of passwords to brute force user accounts. The query below generates an output of all users with 'High' BlastRadius that perform failed Sign-in:Invalid username or password.\"\r\n | project TimeGenerated, AnomalyName, Tactic, Technique, SubTechnique, Description, UserName, UserPrincipalName, UsersInsights, ActivityType, ActionType, [\"Evidence\"]=ActivityInsights, ResourceDisplayName, AppDisplayName, SourceIPAddress, SourceIPLocation, SourceDevice, DevicesInsights, [\"Anomaly Score\"]=InvestigationPriority; \r\nlet AnomalousAADAccountManipulation = AuditLogs\r\n | where OperationName == \"Update user\"\r\n | mv-expand AdditionalDetails\r\n | where AdditionalDetails.key == \"UserPrincipalName\"\r\n | mv-expand TargetResources\r\n | extend RoleId = tostring(TargetResources.modifiedProperties[0].newValue)\r\n | where isnotempty(RoleId) and RoleId in (critical, high)\r\n | extend RoleName = tostring(TargetResources.modifiedProperties[1].newValue)\r\n | where isnotempty(RoleName)\r\n | extend TargetId = tostring(TargetResources.id)\r\n | extend Target = iff(tostring(TargetResources.userPrincipalName) contains \"#EXT#\", replace(\"_\", \"@\", tostring(split(TargetResources.userPrincipalName, \"#\")[0])), TargetResources.userPrincipalName), tostring(TargetResources.userPrincipalName)\r\n | join kind=inner ( \r\n BehaviorAnalytics\r\n | where ActionType == \"Update user\"\r\n | where UsersInsights.BlasrRadius == \"High\" or ActivityInsights.FirstTimeUserPerformedAction == true\r\n )\r\n on $left._ItemId == $right.SourceRecordId\r\n | extend UserPrincipalName = iff(UserPrincipalName contains \"#EXT#\", replace(\"_\", \"@\", tostring(split(UserPrincipalName, \"#\")[0])), UserPrincipalName),\r\n UserName = iff(UserName contains \"#EXT#\", replace(\"_\", \"@\", tostring(split(UserPrincipalName, \"#\")[0])), UserName) \r\n | extend AnomalyName = \"Anomalous Account Manipulation\",\r\n Tactic = \"Persistence\",\r\n Technique = \"Account Manipulation\",\r\n SubTechnique = \"\",\r\n Description = \"Adversaries may manipulate accounts to maintain access to victim systems. These actions include adding new accounts to high privilleged groups. Dragonfly 2.0, for example, added newly created accounts to the administrators group to maintain elevated access. The query below generates an output of all high Blast Radius users performing 'Update user' (name change) to priveleged role, or ones that changed users for the first time.\"\r\n | project TimeGenerated, AnomalyName, Tactic, Technique, SubTechnique, Description, UserName, UserPrincipalName, UsersInsights, ActivityType, ActionType, [\"TargetUser\"]=Target, RoleName, [\"Evidence\"]=ActivityInsights, SourceIPAddress, SourceIPLocation, SourceDevice, DevicesInsights, [\"Anomaly Score\"]=InvestigationPriority; let AnomalousAADAccountCreation = BehaviorAnalytics\r\n | where ActionType == \"Add user\"\r\n | where ActivityInsights.FirstTimeUserPerformedAction == True or ActivityInsights.FirstTimeActionPerformedInTenant == True or ActivityInsights.ActionUncommonlyPerformedAmongPeers == true\r\n | join(\r\n AuditLogs\r\n | where OperationName == \"Add user\"\r\n )\r\n on $left.SourceRecordId == $right._ItemId\r\n | mv-expand TargetResources\r\n | extend Target = iff(tostring(TargetResources.userPrincipalName) contains \"#EXT#\", replace(\"_\", \"@\", tostring(split(TargetResources.userPrincipalName, \"#\")[0])), TargetResources.userPrincipalName), tostring(TargetResources.userPrincipalName)\r\n | extend DisplayName = tostring(UsersInsights.AccountDisplayName),\r\n UserPrincipalName = iff(UserPrincipalName contains \"#EXT#\", replace(\"_\", \"@\", tostring(split(UserPrincipalName, \"#\")[0])), UserPrincipalName),\r\n UserName = iff(UserName contains \"#EXT#\", replace(\"_\", \"@\", tostring(split(UserPrincipalName, \"#\")[0])), UserName)\r\n | extend AnomalyName = \"Anomalous Account Creation\",\r\n Tactic = \"Persistence\",\r\n Technique = \"Create Account\",\r\n SubTechnique = \"Cloud Account\",\r\n Description = \"Adversaries may create a cloud account to maintain access to victim systems. With a sufficient level of access, such accounts may be used to establish secondary credentialed access that does not require persistent remote access tools to be deployed on the system. The query below generates an output of all the users performing user creation for the first time and the target users that were created.\"\t\r\n | project TimeGenerated, AnomalyName, Tactic, Technique, SubTechnique, Description, UserName, UserPrincipalName, UsersInsights, ActivityType, ActionType, [\"TargetUser\"]=Target, [\"Evidence\"]=ActivityInsights, SourceIPAddress, SourceIPLocation, SourceDevice, DevicesInsights, [\"Anomaly Score\"]=InvestigationPriority\r\n | sort by TimeGenerated desc;\r\nlet AnomalyTable = union kind=outer AnomalousSigninActivity, AnomalousRoleAssignment, AnomalousResourceAccess, AnomalousRDPActivity, AnomalousPasswordReset, AnomalousLogintoDevices, AnomalousGeoLocationLogon, AnomalousAADAccountManipulation, AnomalousAADAccountCreation, AnomalousFailedLogon;\r\nlet TopUsersByAnomalies = AnomalyTable\r\n | summarize hint.strategy = shuffle AnomalyCount=count() by UserName, UserPrincipalName, tostring(UsersInsights.OnPremSid), tostring(UsersInsights.AccountObjectId)\r\n | project Name=tolower(UserName), UPN=tolower(UserPrincipalName), AadUserId=UsersInsights_AccountObjectId, Sid=UsersInsights_OnPremSid, AnomalyCount\r\n | sort by AnomalyCount desc;\r\nlet TopUsersByIncidents = SecurityIncident\r\n | summarize hint.strategy = shuffle arg_max(LastModifiedTime, *) by IncidentNumber\r\n | where Status == \"New\" or Status == \"Active\"\r\n | mv-expand AlertIds\r\n | extend AlertId = tostring(AlertIds)\r\n | join kind= innerunique ( \r\n SecurityAlert \r\n )\r\n on $left.AlertId == $right.SystemAlertId\r\n | summarize hint.strategy = shuffle arg_max(TimeGenerated, *), NumberOfUpdates = count() by SystemAlertId\r\n | mv-expand todynamic(Entities)\r\n | where Entities[\"Type\"] =~ \"account\"\r\n | extend Name = tostring(tolower(Entities[\"Name\"])), NTDomain = tostring(Entities[\"NTDomain\"]), UPNSuffix = tostring(Entities[\"UPNSuffix\"]), AadUserId = tostring(Entities[\"AadUserId\"]), AadTenantId = tostring(Entities[\"AadTenantId\"]), \r\n Sid = tostring(Entities[\"Sid\"]), IsDomainJoined = tobool(Entities[\"IsDomainJoined\"]), Host = tostring(Entities[\"Host\"])\r\n | extend UPN = iff(Name != \"\" and UPNSuffix != \"\", strcat(Name, \"@\", UPNSuffix), \"\")\r\n | union TopUsersByAnomalies\r\n | extend \r\n AadPivot = iff(isempty(AadUserId), iff(isempty(Sid), Name, Sid), AadUserId),\r\n SidPivot = iff(isempty(Sid), iff(isempty(AadUserId), Name, AadUserId), Sid),\r\n UPNExists = iff(isempty(UPN), false, true),\r\n NameExists = iff(isempty(Name), false, true),\r\n SidExists = iff(isempty(Sid), false, true),\r\n AADExists = iff(isempty(AadUserId), false, true)\r\n | summarize hint.strategy = shuffle IncidentCount=dcount(IncidentNumber, 4), AlertCount=dcountif(AlertId, isnotempty(AlertId), 4), AnomalyCount=sum(AnomalyCount), any(Title, Severity, Status, StartTime, IncidentNumber, IncidentUrl, Owner), UPNAnchor=anyif(UPN, UPNExists == true), NameAnchor=anyif(Name, NameExists == true), AadAnchor=anyif(AadUserId, AADExists == true), SidAnchor=anyif(Sid, SidExists == true), any(SidPivot) by AadPivot\r\n | summarize hint.strategy = shuffle IncidentCount=sum(IncidentCount), AlertCount=sum(AlertCount), AnomalyCount=sum(AnomalyCount), UPNAnchor=anyif(UPNAnchor, isempty(UPNAnchor) == false), NameAnchor=anyif(NameAnchor, isempty(NameAnchor) == false), AadAnchor=anyif(AadAnchor, isempty(AadAnchor) == false), SidAnchor=anyif(SidAnchor, isempty(SidAnchor) == false), any(any_Title, any_Severity, any_StartTime, any_IncidentNumber, any_IncidentUrl) by any_SidPivot\r\n | summarize hint.strategy = shuffle IncidentCount=sum(IncidentCount), AlertCount=sum(AlertCount), AnomalyCount=sum(AnomalyCount), UPNAnchor=anyif(UPNAnchor, isempty(UPNAnchor) == false), AadAnchor=anyif(AadAnchor, isempty(AadAnchor) == false), SidAnchor=anyif(SidAnchor, isempty(SidAnchor) == false), any(any_any_Title, any_any_Severity, any_any_StartTime, any_any_IncidentNumber, any_any_IncidentUrl) by NameAnchor\r\n | project [\"UserName\"]=NameAnchor, IncidentCount, AlertCount, AnomalyCount, [\"AadUserId\"]=AadAnchor, [\"OnPremSid\"]=SidAnchor, [\"UserPrincipalName\"]=UPNAnchor;\r\nTopUsersByIncidents\r\n| project UserPrincipalName, IncidentCount, AlertCount, AnomalyCount\r\n| where UserPrincipalName !contains \"[\"\r\n| where UserPrincipalName <> \"\"\r\n| sort by IncidentCount desc\r\n| limit 250\r\n", + "size": 0, + "showAnalytics": true, + "title": "User Entity Behavior Analytics Alerts", + "noDataMessage": "An Empty Panel Provides Opportunity To Explore Further and Implement Hardening. Controls: Confirm Licensing, Availability, and Health of Respective Offerings. Logging: Confirm Log Source is Onboarded to the Log Analytics Workspace. Time: Adjust the Time Parameter for a Larger Data-Set. ", + "timeContext": { + "durationMs": 2592000000 + }, + "timeContextFromParameter": "TimeRange", + "showExportToExcel": true, + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces", + "crossComponentResources": [ + "{Workspace}" + ], + "gridSettings": { + "formatters": [ + { + "columnMatch": "UserPrincipalName", + "formatter": 18, + "formatOptions": { + "thresholdsOptions": "icons", + "thresholdsGrid": [ + { + "operator": "Default", + "thresholdValue": null, + "representation": "Person", + "text": "{0}{1}" + } + ] + } + }, + { + "columnMatch": "IncidentCount", + "formatter": 8, + "formatOptions": { + "palette": "redBright" + } + }, + { + "columnMatch": "AlertCount", + "formatter": 8, + "formatOptions": { + "palette": "orange" + } + }, + { + "columnMatch": "AnomalyCount", + "formatter": 8, + "formatOptions": { + "palette": "yellow" + } + } + ], + "filter": true, + "sortBy": [ + { + "itemKey": "$gen_heatmap_IncidentCount_1", + "sortOrder": 2 + } + ] + }, + "sortBy": [ + { + "itemKey": "$gen_heatmap_IncidentCount_1", + "sortOrder": 2 + } + ] + }, + "customWidth": "50", + "name": "query - 2", + "styleSettings": { + "maxWidth": "50" + } + }, + { + "type": 12, + "content": { + "version": "NotebookGroup/1.0", + "groupType": "editable", + "items": [ + { + "type": 1, + "content": { + "json": "## Control Assessment\r\n" + }, + "name": "text - 2" + }, + { + "type": 9, + "content": { + "version": "KqlParameterItem/1.0", + "parameters": [ + { + "id": "52668f65-b44a-4e14-82d8-c87410e7e5dc", + "version": "KqlParameterItem/1.0", + "name": "ImplementationStatus", + "label": "Implementation Status", + "type": 2, + "typeSettings": { + "additionalResourceOptions": [], + "showDefault": false + }, + "jsonData": "[\r\n {\"value\": \"Not Implemented\", \"label\": \"Not Implemented\", \"selected\":true},\r\n {\"value\": \"Implemented\", \"label\": \"Implemented\"},\r\n {\"value\": \"Alternate Implementation\", \"label\": \"Alternate Implementation\"},\r\n {\"value\": \"Planned\", \"label\": \"Planned\"},\r\n {\"value\": \"Out of Scope\", \"label\": \"Out of Scope\"}\r\n]", + "timeContext": { + "durationMs": 86400000 + } + }, + { + "id": "578b8620-30b9-4b92-abc6-997998bc8156", + "version": "KqlParameterItem/1.0", + "name": "ImplementationDate", + "label": "Implementation Date", + "type": 1, + "value": "", + "timeContext": { + "durationMs": 86400000 + } + }, + { + "version": "KqlParameterItem/1.0", + "name": "Notes", + "type": 1, + "value": "", + "timeContext": { + "durationMs": 86400000 + }, + "id": "7bd0d384-d3c3-4c77-9dae-d75e823edfcf" + } + ], + "style": "pills", + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces" + }, + "name": "Status" + }, + { + "type": 1, + "content": { + "json": "### Notes
\r\n{Notes}" + }, + "name": "text - 1" + } + ] + }, + "customWidth": "50", + "name": "group - 2" + } + ] + }, + "name": "AU.L2-3.3.5", + "styleSettings": { + "showBorder": true + } + }, + { + "type": 12, + "content": { + "version": "NotebookGroup/1.0", + "groupType": "editable", + "items": [ + { + "type": 1, + "content": { + "json": "# (AU.L2-3.3.6) Reduction & Reporting\r\n\r\n## Primary Services\r\n✳️ [Microsoft Sentinel](https://azure.microsoft.com/services/azure-sentinel/) 🔀[Microsoft Sentinel](https://portal.azure.com/#blade/HubsExtension/BrowseResource/resourceType/microsoft.securityinsightsarg%2Fsentinel)
\r\n✳️ [Microsoft Defender for Cloud](https://azure.microsoft.com/services/security-center/) 🔀[Microsoft Defender for Cloud](https://portal.azure.com/#blade/Microsoft_Azure_Security/SecurityMenuBlade/0)
\r\n\r\n## Secondary Services\r\n✳️ [Azure Monitor](https://azure.microsoft.com/services/monitor/) 🔀[Monitor](https://portal.azure.com/#blade/Microsoft_Azure_Monitoring/AzureMonitoringBrowseBlade/overview)
\r\n✳️ [Microsoft 365 Compliance Management](https://www.microsoft.com/microsoft-365/enterprise/compliance-management) 🔀[Microsoft 365 Compliance Management](https://compliance.microsoft.com/)
\r\n✳️ [Azure Active Directory](https://azure.microsoft.com/services/active-directory/) 🔀[Azure Active Directory Portal](https://portal.azure.com/#blade/Microsoft_AAD_IAM/ActiveDirectoryMenuBlade/Overview)
\r\n\r\n## Recommended Logs\r\n🔷 [SecurityIncident](https://docs.microsoft.com/azure/azure-monitor/reference/tables/securityincident) ✳️ [Microsoft Sentinel](https://azure.microsoft.com/services/azure-sentinel/) ✳️ [Microsoft 365 Defender](https://www.microsoft.com/microsoft-365/security/microsoft-365-defender)
\r\n\r\n## Implementation Guidance\r\n[Microsoft Technical Reference Guide for CMMC](https://aka.ms/cmmc/techrefguide)\r\n## NIST SP 800-171 Mapping\r\n[3.3.6](https://csrc.nist.gov/publications/detail/sp/800-171/rev-2/final)
\r\n## NIST SP 800-53 R4 Mapping\r\n[AU-7](https://csrc.nist.gov/publications/detail/sp/800-53/rev-4/final)\r\n## Microsoft Defender for Cloud: Regulatory Compliance\r\n[Go To: NIST SP 800-171 Assessment >](https://portal.azure.com/#blade/Microsoft_Azure_Security/SecurityMenuBlade/22)
\r\n" + }, + "customWidth": "50", + "name": "text - 0", + "styleSettings": { + "maxWidth": "50%" + } + }, + { + "type": 3, + "content": { + "version": "KqlItem/1.0", + "query": "SecurityIncident\r\n | summarize hint.strategy = shuffle arg_max(LastModifiedTime, *) by IncidentNumber\r\n | mv-expand AlertIds\r\n | extend AlertId = tostring(AlertIds)\r\n | join kind= innerunique ( \r\n SecurityAlert \r\n )\r\n on $left.AlertId == $right.SystemAlertId\r\n | summarize hint.strategy = shuffle arg_max(TimeGenerated, *), NumberOfUpdates = count() by SystemAlertId\r\n | mv-expand todynamic(Entities)\r\n | where Entities[\"Type\"] =~ \"account\"\r\n | extend Name = tostring(tolower(Entities[\"Name\"])), NTDomain = tostring(Entities[\"NTDomain\"]), UPNSuffix = tostring(Entities[\"UPNSuffix\"]), AadUserId = tostring(Entities[\"AadUserId\"]), AadTenantId = tostring(Entities[\"AadTenantId\"]), \r\n Sid = tostring(Entities[\"Sid\"]), IsDomainJoined = tobool(Entities[\"IsDomainJoined\"]), Host = tostring(Entities[\"Host\"])\r\n | extend UPN = iff(Name != \"\" and UPNSuffix != \"\", strcat(Name, \"@\", UPNSuffix), \"\")\r\n| extend Href_ = tostring(parse_json(ExtendedLinks)[0].Href)\r\n| where UPN <> \"\"\r\n| extend Workspace = tostring(parse_json(tostring(parse_json(ExtendedProperties).[\"Data Sources\"]))[0])\r\n| extend IncidentURL = strcat(\"https://portal.azure.com/#asset/Microsoft_Azure_Security_Insights/Incident/subscriptions/\",WorkspaceSubscriptionId,\"/resourceGroups/\",WorkspaceResourceGroup,\"/providers/Microsoft.OperationalInsights/workspaces/\",Workspace,\"/providers/Microsoft.SecurityInsights/Incidents/\",IncidentName)\r\n| where IncidentURL !contains \"//resourceGroups\"\r\n| distinct UPN, IncidentNumber, Title, Severity, ProductName, IncidentURL, TimeGenerated\r\n| sort by TimeGenerated desc\r\n| limit 250\r\n", + "size": 0, + "showAnalytics": true, + "title": "User Security Incidents: Go-To >", + "noDataMessage": "An Empty Panel Provides Opportunity To Explore Further and Implement Hardening. Controls: Confirm Licensing, Availability, and Health of Respective Offerings. Logging: Confirm Log Source is Onboarded to the Log Analytics Workspace. Time: Adjust the Time Parameter for a Larger Data-Set. ", + "timeContext": { + "durationMs": 2592000000 + }, + "timeContextFromParameter": "TimeRange", + "showExportToExcel": true, + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces", + "crossComponentResources": [ + "{Workspace}" + ], + "gridSettings": { + "formatters": [ + { + "columnMatch": "UPN", + "formatter": 18, + "formatOptions": { + "thresholdsOptions": "icons", + "thresholdsGrid": [ + { + "operator": "is Empty", + "text": "{0}{1}" + }, + { + "operator": "Default", + "thresholdValue": null, + "representation": "PersonWithFriend", + "text": "{0}{1}" + } + ] + } + }, + { + "columnMatch": "Title", + "formatter": 18, + "formatOptions": { + "thresholdsOptions": "icons", + "thresholdsGrid": [ + { + "operator": "Default", + "thresholdValue": null, + "representation": "error", + "text": "{0}{1}" + } + ] + } + }, + { + "columnMatch": "Severity", + "formatter": 18, + "formatOptions": { + "thresholdsOptions": "colors", + "thresholdsGrid": [ + { + "operator": "==", + "thresholdValue": "High", + "representation": "redBright", + "text": "{0}{1}" + }, + { + "operator": "==", + "thresholdValue": "Medium", + "representation": "orange", + "text": "{0}{1}" + }, + { + "operator": "==", + "thresholdValue": "Low", + "representation": "yellow", + "text": "{0}{1}" + }, + { + "operator": "Default", + "thresholdValue": null, + "representation": "blue", + "text": "{0}{1}" + } + ] + } + }, + { + "columnMatch": "ProductName", + "formatter": 18, + "formatOptions": { + "thresholdsOptions": "icons", + "thresholdsGrid": [ + { + "operator": "Default", + "thresholdValue": null, + "representation": "uninitialized", + "text": "{0}{1}" + } + ] + } + }, + { + "columnMatch": "IncidentURL", + "formatter": 7, + "formatOptions": { + "linkTarget": "Url", + "linkLabel": "Go to Incident >" + } + }, + { + "columnMatch": "AlertName", + "formatter": 18, + "formatOptions": { + "thresholdsOptions": "icons", + "thresholdsGrid": [ + { + "operator": "Default", + "thresholdValue": null, + "representation": "3", + "text": "{0}{1}" + } + ] + } + }, + { + "columnMatch": "AlertLink", + "formatter": 7, + "formatOptions": { + "linkTarget": "Url", + "linkLabel": "" + } + }, + { + "columnMatch": "IncidentUrl", + "formatter": 7, + "formatOptions": { + "linkTarget": "Url", + "linkLabel": "Go to Incident >" + }, + "numberFormat": { + "unit": 0, + "options": { + "style": "decimal" + } + } + }, + { + "columnMatch": "count_", + "formatter": 8, + "formatOptions": { + "palette": "blue" + } + }, + { + "columnMatch": "UserPrincipalName", + "formatter": 18, + "formatOptions": { + "thresholdsOptions": "icons", + "thresholdsGrid": [ + { + "operator": "Default", + "thresholdValue": null, + "representation": "resource", + "text": "{0}{1}" + } + ] + } + }, + { + "columnMatch": "city_", + "formatter": 18, + "formatOptions": { + "thresholdsOptions": "colors", + "thresholdsGrid": [ + { + "operator": "Default", + "thresholdValue": null, + "representation": "blue", + "text": "{0}{1}" + } + ] + } + }, + { + "columnMatch": "state_", + "formatter": 18, + "formatOptions": { + "thresholdsOptions": "colors", + "thresholdsGrid": [ + { + "operator": "Default", + "thresholdValue": null, + "representation": "blueDark", + "text": "{0}{1}" + } + ] + } + } + ], + "filter": true + }, + "tileSettings": { + "titleContent": { + "columnMatch": "SigninStatus", + "formatter": 1 + }, + "leftContent": { + "columnMatch": "Count", + "formatter": 12, + "formatOptions": { + "palette": "blue" + }, + "numberFormat": { + "unit": 17, + "options": { + "style": "decimal", + "maximumFractionDigits": 2, + "maximumSignificantDigits": 3 + } + } + }, + "secondaryContent": { + "columnMatch": "Trend", + "formatter": 9, + "formatOptions": { + "palette": "green" + } + }, + "showBorder": false + }, + "mapSettings": { + "locInfo": "CountryRegion", + "locInfoColumn": "Location", + "latitude": "SourceIPLocation", + "longitude": "SourceIPLocation", + "sizeSettings": "Location", + "sizeAggregation": "Count", + "legendMetric": "Location", + "legendAggregation": "Count", + "itemColorSettings": { + "nodeColorField": "Location", + "colorAggregation": "Count", + "type": "thresholds", + "thresholdsGrid": [ + { + "operator": "Default", + "thresholdValue": null, + "representation": "blueDark" + } + ] + } + } + }, + "customWidth": "50", + "name": "query - 2" + }, + { + "type": 12, + "content": { + "version": "NotebookGroup/1.0", + "groupType": "editable", + "items": [ + { + "type": 1, + "content": { + "json": "## Control Assessment\r\n" + }, + "name": "text - 2" + }, + { + "type": 9, + "content": { + "version": "KqlParameterItem/1.0", + "parameters": [ + { + "id": "52668f65-b44a-4e14-82d8-c87410e7e5dc", + "version": "KqlParameterItem/1.0", + "name": "ImplementationStatus", + "label": "Implementation Status", + "type": 2, + "typeSettings": { + "additionalResourceOptions": [], + "showDefault": false + }, + "jsonData": "[\r\n {\"value\": \"Not Implemented\", \"label\": \"Not Implemented\", \"selected\":true},\r\n {\"value\": \"Implemented\", \"label\": \"Implemented\"},\r\n {\"value\": \"Alternate Implementation\", \"label\": \"Alternate Implementation\"},\r\n {\"value\": \"Planned\", \"label\": \"Planned\"},\r\n {\"value\": \"Out of Scope\", \"label\": \"Out of Scope\"}\r\n]", + "timeContext": { + "durationMs": 86400000 + } + }, + { + "id": "578b8620-30b9-4b92-abc6-997998bc8156", + "version": "KqlParameterItem/1.0", + "name": "ImplementationDate", + "label": "Implementation Date", + "type": 1, + "value": "", + "timeContext": { + "durationMs": 86400000 + } + }, + { + "version": "KqlParameterItem/1.0", + "name": "Notes", + "type": 1, + "value": "", + "timeContext": { + "durationMs": 86400000 + }, + "id": "7bd0d384-d3c3-4c77-9dae-d75e823edfcf" + } + ], + "style": "pills", + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces" + }, + "name": "Status" + }, + { + "type": 1, + "content": { + "json": "### Notes
\r\n{Notes}" + }, + "name": "text - 1" + } + ] + }, + "customWidth": "50", + "name": "group - 2" + } + ] + }, + "name": "AU.L2-3.3.6", + "styleSettings": { + "showBorder": true + } + }, + { + "type": 12, + "content": { + "version": "NotebookGroup/1.0", + "groupType": "editable", + "items": [ + { + "type": 1, + "content": { + "json": "# (AU.L2-3.3.7) Authoritative Time Source\r\n\r\n## Primary Services\r\n✳️ [Azure Active Directory](https://azure.microsoft.com/services/active-directory/) 🔀[Azure Active Directory Portal](https://portal.azure.com/#blade/Microsoft_AAD_IAM/ActiveDirectoryMenuBlade/Overview)
\r\n✳️ [Microsoft Defender for Cloud](https://azure.microsoft.com/services/security-center) 🔀[Microsoft Defender for Cloud](https://portal.azure.com/#blade/Microsoft_Azure_Security/SecurityMenuBlade/0)
\r\n\r\n## Recommended Configurations\r\n💡 [Time sync for Windows VMs in Azure](https://docs.microsoft.com/azure/virtual-machines/windows/time-sync)\r\n\r\n## Recommended Logs\r\n🔷 [SecurityBaseline](https://docs.microsoft.com/azure/azure-monitor/reference/tables/securitybaseline) ✳️ [Microsoft Defender for Cloud](https://azure.microsoft.com/services/security-center/)
\r\n\r\n## Implementation Guidance\r\n[Microsoft Technical Reference Guide for CMMC](https://aka.ms/cmmc/techrefguide)\r\n## NIST SP 800-171 Mapping\r\n[3.3.7](https://csrc.nist.gov/publications/detail/sp/800-171/rev-2/final)
\r\n## NIST SP 800-53 R4 Mapping\r\n[AU-8, AU-8(1)](https://csrc.nist.gov/publications/detail/sp/800-53/rev-4/final)\r\n## Microsoft Defender for Cloud: Regulatory Compliance\r\n[Go To: NIST SP 800-171 Assessment >](https://portal.azure.com/#blade/Microsoft_Azure_Security/SecurityMenuBlade/22)
\r\n" + }, + "customWidth": "50", + "name": "text - 0", + "styleSettings": { + "maxWidth": "50%" + } + }, + { + "type": 3, + "content": { + "version": "KqlItem/1.0", + "query": "SecurityBaseline\r\n| where Description contains \"NTP\" or Description contains \"clock\" or Description contains \"time\" or Description contains \"sync\"\r\n| summarize arg_max(TimeGenerated, *) by Description, _ResourceId\r\n| summarize\r\n Failed = countif(AnalyzeResult == \"Failed\"),\r\n Passed = countif(AnalyzeResult == \"Passed\"),\r\n Total = countif(AnalyzeResult == \"Failed\" or AnalyzeResult == \"Passed\")\r\n by Description\r\n| extend PassedControls = (Passed / todouble(Total)) * 100\r\n| project Description, Total, PassedControls, Passed, Failed\r\n| sort by Total desc\r\n| limit 250", + "size": 0, + "showAnalytics": true, + "title": "Review Security Baselines for Time Synchronization", + "noDataMessage": "An Empty Panel Provides Opportunity To Explore Further and Implement Hardening. Controls: Confirm Licensing, Availability, and Health of Respective Offerings. Logging: Confirm Log Source is Onboarded to the Log Analytics Workspace. Time: Adjust the Time Parameter for a Larger Data-Set. ", + "timeContext": { + "durationMs": 0 + }, + "timeContextFromParameter": "TimeRange", + "showExportToExcel": true, + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces", + "crossComponentResources": [ + "{Workspace}" + ], + "gridSettings": { + "formatters": [ + { + "columnMatch": "RecommendationDisplayName", + "formatter": 18, + "formatOptions": { + "thresholdsOptions": "icons", + "thresholdsGrid": [ + { + "operator": "Default", + "thresholdValue": null, + "representation": "Gear", + "text": "{0}{1}" + } + ] + } + }, + { + "columnMatch": "Total", + "formatter": 22, + "formatOptions": { + "compositeBarSettings": { + "labelText": "", + "columnSettings": [ + { + "columnName": "Passed", + "color": "green" + }, + { + "columnName": "Failed", + "color": "redBright" + } + ] + } + } + }, + { + "columnMatch": "PassedControls", + "formatter": 0, + "numberFormat": { + "unit": 1, + "options": { + "style": "decimal", + "maximumFractionDigits": 2 + } + } + }, + { + "columnMatch": "ControlNumber", + "formatter": 18, + "formatOptions": { + "thresholdsOptions": "icons", + "thresholdsGrid": [ + { + "operator": "Default", + "thresholdValue": null, + "representation": "AllServices", + "text": "{0}{1}" + } + ] + } + }, + { + "columnMatch": "RecommendationState", + "formatter": 18, + "formatOptions": { + "thresholdsOptions": "icons", + "thresholdsGrid": [ + { + "operator": "!=", + "thresholdValue": "Healthy", + "representation": "3", + "text": "{0}{1}" + }, + { + "operator": "Default", + "thresholdValue": null, + "representation": "success", + "text": "{0}{1}" + } + ] + } + }, + { + "columnMatch": "count_", + "formatter": 4, + "formatOptions": { + "palette": "blue" + } + } + ], + "filter": true + }, + "tileSettings": { + "titleContent": { + "columnMatch": "Caller", + "formatter": 1 + }, + "leftContent": { + "columnMatch": "count_", + "formatter": 12, + "formatOptions": { + "palette": "auto" + }, + "numberFormat": { + "unit": 17, + "options": { + "maximumSignificantDigits": 3, + "maximumFractionDigits": 2 + } + } + }, + "secondaryContent": { + "columnMatch": "DataType" + }, + "showBorder": false + } + }, + "customWidth": "50", + "name": "query - 1 - Copy" + }, + { + "type": 12, + "content": { + "version": "NotebookGroup/1.0", + "groupType": "editable", + "items": [ + { + "type": 1, + "content": { + "json": "## Control Assessment\r\n" + }, + "name": "text - 2" + }, + { + "type": 9, + "content": { + "version": "KqlParameterItem/1.0", + "parameters": [ + { + "id": "52668f65-b44a-4e14-82d8-c87410e7e5dc", + "version": "KqlParameterItem/1.0", + "name": "ImplementationStatus", + "label": "Implementation Status", + "type": 2, + "typeSettings": { + "additionalResourceOptions": [], + "showDefault": false + }, + "jsonData": "[\r\n {\"value\": \"Not Implemented\", \"label\": \"Not Implemented\", \"selected\":true},\r\n {\"value\": \"Implemented\", \"label\": \"Implemented\"},\r\n {\"value\": \"Alternate Implementation\", \"label\": \"Alternate Implementation\"},\r\n {\"value\": \"Planned\", \"label\": \"Planned\"},\r\n {\"value\": \"Out of Scope\", \"label\": \"Out of Scope\"}\r\n]", + "timeContext": { + "durationMs": 86400000 + } + }, + { + "id": "578b8620-30b9-4b92-abc6-997998bc8156", + "version": "KqlParameterItem/1.0", + "name": "ImplementationDate", + "label": "Implementation Date", + "type": 1, + "value": "", + "timeContext": { + "durationMs": 86400000 + } + }, + { + "version": "KqlParameterItem/1.0", + "name": "Notes", + "type": 1, + "value": "", + "timeContext": { + "durationMs": 86400000 + }, + "id": "7bd0d384-d3c3-4c77-9dae-d75e823edfcf" + } + ], + "style": "pills", + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces" + }, + "name": "Status" + }, + { + "type": 1, + "content": { + "json": "### Notes
\r\n{Notes}" + }, + "name": "text - 1" + } + ] + }, + "customWidth": "50", + "name": "group - 2" + } + ] + }, + "name": "AU.L2-3.3.7", + "styleSettings": { + "showBorder": true + } + }, + { + "type": 12, + "content": { + "version": "NotebookGroup/1.0", + "groupType": "editable", + "items": [ + { + "type": 1, + "content": { + "json": "# [(AU.L2-3.3.8) Audit Protection](https://docs.microsoft.com/azure/governance/policy/samples/cmmc-l3#protect-audit-information-and-audit-logging-tools-from-unauthorized-access-modification-and-deletion)\r\n\r\n## Primary Services\r\n✳️ [Azure Monitor](https://azure.microsoft.com/services/monitor/) 🔀[Monitor](https://portal.azure.com/#blade/Microsoft_Azure_Monitoring/AzureMonitoringBrowseBlade/overview)
\r\n✳️ [Microsoft Sentinel](https://azure.microsoft.com/services/azure-sentinel/) 🔀[Microsoft Sentinel](https://portal.azure.com/#blade/HubsExtension/BrowseResource/resourceType/microsoft.securityinsightsarg%2Fsentinel)
\r\n✳️ [Microsoft 365 Compliance Management](https://www.microsoft.com/microsoft-365/enterprise/compliance-management) 🔀[Microsoft 365 Compliance Management](https://compliance.microsoft.com/)
\r\n\r\n## Secondary Services\r\n✳️ [Conditional Access](https://docs.microsoft.com/azure/active-directory/conditional-access/overview) 🔀[Azure Active Directory: Conditional Access](https://portal.azure.com/#blade/Microsoft_AAD_IAM/ConditionalAccessBlade/Policies)
\r\n\r\n## Recommended Logs\r\n🔷 [AzureActivity](https://docs.microsoft.com/azure/azure-monitor/reference/tables/azureactivity) ✳️ [Azure Monitor]( https://azure.microsoft.com/services/monitor/)
\r\n\r\n## Implementation Guidance\r\n[Microsoft Technical Reference Guide for CMMC](https://aka.ms/cmmc/techrefguide)\r\n## NIST SP 800-171 Mapping\r\n[3.3.8](https://csrc.nist.gov/publications/detail/sp/800-171/rev-2/final)
\r\n## NIST SP 800-53 R4 Mapping\r\n[AU-6(7), AU-9](https://csrc.nist.gov/publications/detail/sp/800-53/rev-4/final)\r\n## Microsoft Defender for Cloud: Regulatory Compliance\r\n[Go To: NIST SP 800-171 Assessment >](https://portal.azure.com/#blade/Microsoft_Azure_Security/SecurityMenuBlade/22)
\r\n" + }, + "customWidth": "50", + "name": "text - 0", + "styleSettings": { + "maxWidth": "50%" + } + }, + { + "type": 3, + "content": { + "version": "KqlItem/1.0", + "query": "AzureActivity\r\n| where OperationName contains \"Delete\" or OperationName contains \"Remove\"\r\n| summarize count() by OperationName, Caller\r\n| sort by count_ desc\r\n| limit 250", + "size": 0, + "showAnalytics": true, + "title": "Monitor Activity (Delete/Remove) Actions", + "noDataMessage": "An Empty Panel Provides Opportunity To Explore Further and Implement Hardening. Controls: Confirm Licensing, Availability, and Health of Respective Offerings. Logging: Confirm Log Source is Onboarded to the Log Analytics Workspace. Time: Adjust the Time Parameter for a Larger Data-Set. ", + "timeContext": { + "durationMs": 2592000000 + }, + "timeContextFromParameter": "TimeRange", + "showExportToExcel": true, + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces", + "crossComponentResources": [ + "{Workspace}" + ], + "gridSettings": { + "formatters": [ + { + "columnMatch": "OperationName", + "formatter": 18, + "formatOptions": { + "thresholdsOptions": "icons", + "thresholdsGrid": [ + { + "operator": "Default", + "thresholdValue": null, + "representation": "2", + "text": "{0}{1}" + } + ] + } + }, + { + "columnMatch": "Caller", + "formatter": 18, + "formatOptions": { + "thresholdsOptions": "icons", + "thresholdsGrid": [ + { + "operator": "Default", + "thresholdValue": null, + "representation": "Person", + "text": "{0}{1}" + } + ] + } + }, + { + "columnMatch": "count_", + "formatter": 4, + "formatOptions": { + "palette": "redBright" + } + }, + { + "columnMatch": "Last Record Received", + "formatter": 8, + "formatOptions": { + "palette": "orangeRed" + }, + "numberFormat": { + "unit": 24, + "options": { + "style": "decimal" + } + } + } + ], + "filter": true + } + }, + "customWidth": "50", + "name": "query - 2", + "styleSettings": { + "maxWidth": "50" + } + }, + { + "type": 12, + "content": { + "version": "NotebookGroup/1.0", + "groupType": "editable", + "items": [ + { + "type": 1, + "content": { + "json": "## Control Assessment\r\n" + }, + "name": "text - 2" + }, + { + "type": 9, + "content": { + "version": "KqlParameterItem/1.0", + "parameters": [ + { + "id": "52668f65-b44a-4e14-82d8-c87410e7e5dc", + "version": "KqlParameterItem/1.0", + "name": "ImplementationStatus", + "label": "Implementation Status", + "type": 2, + "typeSettings": { + "additionalResourceOptions": [], + "showDefault": false + }, + "jsonData": "[\r\n {\"value\": \"Not Implemented\", \"label\": \"Not Implemented\", \"selected\":true},\r\n {\"value\": \"Implemented\", \"label\": \"Implemented\"},\r\n {\"value\": \"Alternate Implementation\", \"label\": \"Alternate Implementation\"},\r\n {\"value\": \"Planned\", \"label\": \"Planned\"},\r\n {\"value\": \"Out of Scope\", \"label\": \"Out of Scope\"}\r\n]", + "timeContext": { + "durationMs": 86400000 + } + }, + { + "id": "578b8620-30b9-4b92-abc6-997998bc8156", + "version": "KqlParameterItem/1.0", + "name": "ImplementationDate", + "label": "Implementation Date", + "type": 1, + "value": "", + "timeContext": { + "durationMs": 86400000 + } + }, + { + "version": "KqlParameterItem/1.0", + "name": "Notes", + "type": 1, + "value": "", + "timeContext": { + "durationMs": 86400000 + }, + "id": "7bd0d384-d3c3-4c77-9dae-d75e823edfcf" + } + ], + "style": "pills", + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces" + }, + "name": "Status" + }, + { + "type": 1, + "content": { + "json": "### Notes
\r\n{Notes}" + }, + "name": "text - 1" + } + ] + }, + "customWidth": "50", + "name": "group - 2" + } + ] + }, + "name": "AU.L2-3.3.8", + "styleSettings": { + "showBorder": true + } + }, + { + "type": 12, + "content": { + "version": "NotebookGroup/1.0", + "groupType": "editable", + "items": [ + { + "type": 1, + "content": { + "json": "# (AU.L2-3.3.9) Audit Management\r\n\r\n## Primary Services\r\n✳️ [Azure Monitor](https://azure.microsoft.com/services/monitor/) 🔀[Monitor](https://portal.azure.com/#blade/Microsoft_Azure_Monitoring/AzureMonitoringBrowseBlade/overview)
\r\n✳️ [Azure Active Directory](https://azure.microsoft.com/services/active-directory/) 🔀[Azure Active Directory Portal](https://portal.azure.com/#blade/Microsoft_AAD_IAM/ActiveDirectoryMenuBlade/Overview)
\r\n\r\n## Secondary Services\r\n✳️ [Conditional Access](https://docs.microsoft.com/azure/active-directory/conditional-access/overview) 🔀[Azure Active Directory: Conditional Access](https://portal.azure.com/#blade/Microsoft_AAD_IAM/ConditionalAccessBlade/Policies)
\r\n✳️ [Microsoft 365 Compliance Management](https://www.microsoft.com/microsoft-365/enterprise/compliance-management) 🔀[Microsoft 365 Compliance Management](https://compliance.microsoft.com/)
\r\n\r\n## Recommended Logs\r\n🔷 [AzureActivity](https://docs.microsoft.com/azure/azure-monitor/reference/tables/azureactivity) ✳️ [Azure Monitor]( https://azure.microsoft.com/services/monitor/)
\r\n\r\n## Implementation Guidance\r\n[Microsoft Technical Reference Guide for CMMC](https://aka.ms/cmmc/techrefguide)\r\n## NIST SP 800-171 Mapping\r\n[3.3.9](https://csrc.nist.gov/publications/detail/sp/800-171/rev-2/final)
\r\n## NIST SP 800-53 R4 Mapping\r\n[AU-6(7), AU-9](https://csrc.nist.gov/publications/detail/sp/800-53/rev-4/final)\r\n## Microsoft Defender for Cloud: Regulatory Compliance\r\n[Go To: NIST SP 800-171 Assessment >](https://portal.azure.com/#blade/Microsoft_Azure_Security/SecurityMenuBlade/22)
\r\n" + }, + "customWidth": "50", + "name": "text - 0", + "styleSettings": { + "maxWidth": "50%" + } + }, + { + "type": 3, + "content": { + "version": "KqlItem/1.0", + "query": "AzureActivity\r\n| where CategoryValue == \"Administrative\"\r\n| where Resource contains \"security\"\r\n| where OperationName !contains \"license\"\r\n| summarize count() by OperationName, ResourceProvider, Caller\r\n| sort by count_ desc\r\n\r\n\r\n\r\n", + "size": 0, + "showAnalytics": true, + "title": "Security Administrative Actions", + "noDataMessage": "An Empty Panel Provides Opportunity To Explore Further and Implement Hardening. Controls: Confirm Licensing, Availability, and Health of Respective Offerings. Logging: Confirm Log Source is Onboarded to the Log Analytics Workspace. Time: Adjust the Time Parameter for a Larger Data-Set. ", + "timeContext": { + "durationMs": 2592000000 + }, + "timeContextFromParameter": "TimeRange", + "showExportToExcel": true, + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces", + "crossComponentResources": [ + "{Workspace}" + ], + "gridSettings": { + "formatters": [ + { + "columnMatch": "Caller", + "formatter": 18, + "formatOptions": { + "thresholdsOptions": "icons", + "thresholdsGrid": [ + { + "operator": "Default", + "thresholdValue": null, + "representation": "Person", + "text": "{0}{1}" + } + ] + } + }, + { + "columnMatch": "count_", + "formatter": 8, + "formatOptions": { + "palette": "blue" + } + }, + { + "columnMatch": "UserPrincipalName", + "formatter": 18, + "formatOptions": { + "thresholdsOptions": "icons", + "thresholdsGrid": [ + { + "operator": "Default", + "thresholdValue": null, + "representation": "resource", + "text": "{0}{1}" + } + ] + } + }, + { + "columnMatch": "city_", + "formatter": 18, + "formatOptions": { + "thresholdsOptions": "colors", + "thresholdsGrid": [ + { + "operator": "Default", + "thresholdValue": null, + "representation": "blue", + "text": "{0}{1}" + } + ] + } + }, + { + "columnMatch": "state_", + "formatter": 18, + "formatOptions": { + "thresholdsOptions": "colors", + "thresholdsGrid": [ + { + "operator": "Default", + "thresholdValue": null, + "representation": "blueDark", + "text": "{0}{1}" + } + ] + } + } + ], + "filter": true + }, + "mapSettings": { + "locInfo": "CountryRegion", + "locInfoColumn": "Location", + "latitude": "SourceIPLocation", + "longitude": "SourceIPLocation", + "sizeSettings": "Location", + "sizeAggregation": "Count", + "legendMetric": "Location", + "legendAggregation": "Count", + "itemColorSettings": { + "nodeColorField": "Location", + "colorAggregation": "Count", + "type": "thresholds", + "thresholdsGrid": [ + { + "operator": "Default", + "thresholdValue": null, + "representation": "blueDark" + } + ] + } + } + }, + "customWidth": "50", + "name": "query - 2", + "styleSettings": { + "maxWidth": "50" + } + }, + { + "type": 12, + "content": { + "version": "NotebookGroup/1.0", + "groupType": "editable", + "items": [ + { + "type": 1, + "content": { + "json": "## Control Assessment\r\n" + }, + "name": "text - 2" + }, + { + "type": 9, + "content": { + "version": "KqlParameterItem/1.0", + "parameters": [ + { + "id": "52668f65-b44a-4e14-82d8-c87410e7e5dc", + "version": "KqlParameterItem/1.0", + "name": "ImplementationStatus", + "label": "Implementation Status", + "type": 2, + "typeSettings": { + "additionalResourceOptions": [], + "showDefault": false + }, + "jsonData": "[\r\n {\"value\": \"Not Implemented\", \"label\": \"Not Implemented\", \"selected\":true},\r\n {\"value\": \"Implemented\", \"label\": \"Implemented\"},\r\n {\"value\": \"Alternate Implementation\", \"label\": \"Alternate Implementation\"},\r\n {\"value\": \"Planned\", \"label\": \"Planned\"},\r\n {\"value\": \"Out of Scope\", \"label\": \"Out of Scope\"}\r\n]", + "timeContext": { + "durationMs": 86400000 + } + }, + { + "id": "578b8620-30b9-4b92-abc6-997998bc8156", + "version": "KqlParameterItem/1.0", + "name": "ImplementationDate", + "label": "Implementation Date", + "type": 1, + "value": "", + "timeContext": { + "durationMs": 86400000 + } + }, + { + "version": "KqlParameterItem/1.0", + "name": "Notes", + "type": 1, + "value": "", + "timeContext": { + "durationMs": 86400000 + }, + "id": "7bd0d384-d3c3-4c77-9dae-d75e823edfcf" + } + ], + "style": "pills", + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces" + }, + "name": "Status" + }, + { + "type": 1, + "content": { + "json": "### Notes
\r\n{Notes}" + }, + "name": "text - 1" + } + ] + }, + "customWidth": "50", + "name": "group - 2" + } + ] + }, + "name": "AU.L2-3.3.9", + "styleSettings": { + "showBorder": true + } + } + ] + }, + "conditionalVisibility": { + "parameterName": "isML2Visible", + "comparison": "isEqualTo", + "value": "true" + }, + "name": "group - 1" + } + ] + }, + "conditionalVisibility": { + "parameterName": "isAUVisible", + "comparison": "isEqualTo", + "value": "true" + }, + "name": "Audit and Accountability Group", + "styleSettings": { + "showBorder": true + } + }, + { + "type": 12, + "content": { + "version": "NotebookGroup/1.0", + "groupType": "editable", + "items": [ + { + "type": 1, + "content": { + "json": "# Configuration Management\r\n---\r\nConfiguration Management establishes security baselines and measuresdeviations provides the basis for tracking the security posture of cloud assets. For more information, see the 💡[CMMC Model](https://www.acq.osd.mil/cmmc/model.html)" + }, + "customWidth": "50", + "name": "text - 5" + }, + { + "type": 12, + "content": { + "version": "NotebookGroup/1.0", + "groupType": "editable", + "title": "Level 2: Advanced", + "items": [ + { + "type": 1, + "content": { + "json": "A subset of programs with Level 2 (“Advanced”) requirements do not involve information critical to national security, and associated contractors will only be required to conduct self-assessments. Once CMMC 2.0 is implemented, contractors will be required to obtain a third-party CMMC assessment for a subset of acquisitions requiring Level 2 (“Advanced”) cybersecurity standards that involve information critical to national security. " + }, + "customWidth": "50", + "name": "text - 1" + }, + { + "type": 1, + "content": { + "json": "" + }, + "customWidth": "5", + "name": "text - 1" + }, + { + "type": 11, + "content": { + "version": "LinkItem/1.0", + "style": "list", + "links": [ + { + "id": "af33f331-b64b-4fbd-a0b4-3e411ff705a8", + "cellValue": "CM.L2-3.4.1", + "linkTarget": "step", + "linkLabel": "✳️ (CM.L2-3.4.1) System Baselining", + "preText": "", + "postText": "", + "style": "link" + }, + { + "id": "cca4d1e8-e1e2-4b1d-9b8a-698e6496924c", + "cellValue": "CM.L2-3.4.2", + "linkTarget": "step", + "linkLabel": "✳️ (CM.L2-3.4.2) Security Configuration Enforcement", + "preText": "", + "postText": "", + "style": "link" + }, + { + "id": "f7074cad-e2ec-4a2c-84d1-7b33b14d4c04", + "cellValue": "CM.L2-3.4.3", + "linkTarget": "step", + "linkLabel": "✳️ (CM.L2-3.4.3) System Change Management", + "preText": "", + "postText": "", + "style": "link" + }, + { + "id": "35bfb771-67e1-480a-ac96-0a59f2c8dbc2", + "cellValue": "CM.L2-3.4.4", + "linkTarget": "step", + "linkLabel": "✳️ (CM.L2-3.4.4) Security Impact Analysis", + "preText": "", + "postText": "", + "style": "link" + }, + { + "id": "b8324480-bbbc-43bc-891e-c957307c1d7c", + "cellValue": "CM.L2-3.4.5", + "linkTarget": "step", + "linkLabel": "✳️ (CM.L2-3.4.5) Access Restrictions for Change", + "preText": "", + "style": "link" + }, + { + "id": "cf958461-40d8-450c-bc8a-a868de00f93a", + "cellValue": "CM.L2-3.4.6", + "linkTarget": "step", + "linkLabel": "✳️ (CM.L2-3.4.6) Least Functionality", + "preText": "", + "style": "link" + }, + { + "id": "a4366ffc-ae2c-4df0-b78f-1bf7bd744095", + "cellValue": "CM.L2-3.4.7", + "linkTarget": "step", + "linkLabel": "✳️ (CM.L2-3.4.7) Nonessential Functionality", + "preText": "", + "style": "link" + }, + { + "id": "1648bde4-99eb-41c6-a0d1-fa70da74005c", + "cellValue": "CM.L2-3.4.8", + "linkTarget": "step", + "linkLabel": "✳️ (CM.L2-3.4.8) Application Execution Policy", + "preText": "", + "style": "link" + }, + { + "id": "9a09f656-022c-4e0f-8479-7633fd98054a", + "cellValue": "CM.L2-3.4.9", + "linkTarget": "step", + "linkLabel": "✳️ (CM.L2-3.4.9) User-Installed Software", + "preText": "", + "style": "link" + } + ] + }, + "customWidth": "40", + "name": "ML2 Steps" + }, + { + "type": 12, + "content": { + "version": "NotebookGroup/1.0", + "groupType": "editable", + "items": [ + { + "type": 1, + "content": { + "json": "# [(CM.L2-3.4.1) System Baselining](https://docs.microsoft.com/azure/governance/policy/samples/cmmc-l3#establish-and-maintain-baseline-configurations-and-inventories-of-organizational-systems-including-hardware-software-firmware-and-documentation-throughout-the-respective-system-development-life-cycles)\r\n\r\n## Primary Services\r\n✳️ [Microsoft Defender for Cloud](https://azure.microsoft.com/services/security-center/) 🔀[Microsoft Defender for Cloud](https://portal.azure.com/#blade/Microsoft_Azure_Security/SecurityMenuBlade/0)
\r\n✳️ [Intune/Microsoft Endpoint Manager](https://www.microsoft.com/microsoft-365/microsoft-endpoint-Manager) 🔀[Microsoft Endpoint Manager Admin Center](https://endpoint.microsoft.com/#home)
\r\n✳️ [Microsoft Defender for Endpoint]( https://www.microsoft.com/microsoft-365/security/endpoint-defender) 🔀[Microsoft 365 Defender](https://security.microsoft.com/)
\r\n✳️ [GitHub Enterprise Cloud](https://github.com/enterprise) 🔀[GitHub Enterprise](https://enterprise.github.com/login)
\r\n✳️ [GitHub AE](https://docs.github.com/en/github-ae@latest/admin/overview/about-github-ae) 🔀[GitHub](https://github.com/)
\r\n\r\n## Secondary Services\r\n✳️ [Virtual Machines](https://azure.microsoft.com/services/virtual-machines/) 🔀[Virtual Machines](https://portal.azure.com/#blade/HubsExtension/BrowseResource/resourceType/Microsoft.Compute%2FVirtualMachines)
\r\n\r\n## Recommended Logs\r\n🔷 [Resources](https://docs.microsoft.com/azure/governance/resource-graph/samples/starter) ✳️ [Azure Resource Graph](https://azure.microsoft.com/features/resource-graph/)
\r\n🔷 [DeviceEvents](https://docs.microsoft.com/azure/azure-monitor/reference/tables/deviceevents) ✳️ [Microsoft Sentinel](https://azure.microsoft.com/services/azure-sentinel/)
\r\n\r\n## Implementation Guidance\r\n[Microsoft Technical Reference Guide for CMMC](https://aka.ms/cmmc/techrefguide)\r\n## NIST SP 800-171 Mapping\r\n[3.4.1](https://csrc.nist.gov/publications/detail/sp/800-171/rev-2/final)
\r\n## NIST SP 800-53 R4 Mapping\r\n[CM-2, CM-6, CM-8, CM-8(1)](https://csrc.nist.gov/publications/detail/sp/800-53/rev-4/final)\r\n## Microsoft Defender for Cloud: Regulatory Compliance\r\n[Go To: NIST SP 800-171 Assessment >](https://portal.azure.com/#blade/Microsoft_Azure_Security/SecurityMenuBlade/22)
\r\n" + }, + "customWidth": "50", + "name": "text - 0", + "styleSettings": { + "maxWidth": "50" + } + }, + { + "type": 3, + "content": { + "version": "KqlItem/1.0", + "query": "resources\r\n| project id,type,location,resourceGroup\r\n| order by location asc\r\n| limit 250", + "size": 0, + "showAnalytics": true, + "title": "Review Asset Inventory", + "noDataMessage": "An Empty Panel Provides Opportunity To Explore Further and Implement Hardening. Controls: Confirm Licensing, Availability, and Health of Respective Offerings. Logging: Confirm Log Source is Onboarded to the Log Analytics Workspace. Time: Adjust the Time Parameter for a Larger Data-Set. ", + "showExportToExcel": true, + "queryType": 1, + "resourceType": "microsoft.resourcegraph/resources", + "crossComponentResources": [ + "{Workspace}" + ], + "gridSettings": { + "formatters": [ + { + "columnMatch": "InitiatingProcessFileName", + "formatter": 18, + "formatOptions": { + "thresholdsOptions": "icons", + "thresholdsGrid": [ + { + "operator": "Default", + "thresholdValue": null, + "representation": "Diagnostics", + "text": "{0}{1}" + } + ] + } + }, + { + "columnMatch": "count_", + "formatter": 4, + "formatOptions": { + "palette": "blue" + } + }, + { + "columnMatch": "State", + "formatter": 18, + "formatOptions": { + "thresholdsOptions": "colors", + "thresholdsGrid": [ + { + "operator": "==", + "thresholdValue": "Healthy", + "representation": "green", + "text": "{0}{1}" + }, + { + "operator": "==", + "thresholdValue": "Unhealthy", + "representation": "redBright", + "text": "{0}{1}" + }, + { + "operator": "Default", + "thresholdValue": null, + "representation": "blue", + "text": "{0}{1}" + } + ] + } + }, + { + "columnMatch": "Environment", + "formatter": 18, + "formatOptions": { + "thresholdsOptions": "colors", + "thresholdsGrid": [ + { + "operator": "==", + "thresholdValue": "Azure", + "text": "{0}{1}" + }, + { + "operator": "==", + "thresholdValue": "Direct Agent", + "representation": "yellow", + "text": "{0}{1}" + }, + { + "operator": "==", + "thresholdValue": "SCOM Agent", + "representation": "turquoise", + "text": "{0}{1}" + }, + { + "operator": "==", + "thresholdValue": "SCOM Management Server", + "representation": "orange", + "text": "{0}{1}" + }, + { + "operator": "Default", + "thresholdValue": null, + "representation": "blue", + "text": "{0}{1}" + } + ] + }, + "numberFormat": { + "unit": 0, + "options": { + "style": "decimal" + } + } + }, + { + "columnMatch": "Heartbeat Trend", + "formatter": 10, + "formatOptions": { + "palette": "redGreen" + } + }, + { + "columnMatch": "Details", + "formatter": 5 + } + ], + "filter": true + } + }, + "customWidth": "50", + "name": "query - 3", + "styleSettings": { + "maxWidth": "50" + } + }, + { + "type": 12, + "content": { + "version": "NotebookGroup/1.0", + "groupType": "editable", + "items": [ + { + "type": 1, + "content": { + "json": "## Control Assessment\r\n" + }, + "name": "text - 2" + }, + { + "type": 9, + "content": { + "version": "KqlParameterItem/1.0", + "parameters": [ + { + "id": "52668f65-b44a-4e14-82d8-c87410e7e5dc", + "version": "KqlParameterItem/1.0", + "name": "ImplementationStatus", + "label": "Implementation Status", + "type": 2, + "typeSettings": { + "additionalResourceOptions": [], + "showDefault": false + }, + "jsonData": "[\r\n {\"value\": \"Not Implemented\", \"label\": \"Not Implemented\", \"selected\":true},\r\n {\"value\": \"Implemented\", \"label\": \"Implemented\"},\r\n {\"value\": \"Alternate Implementation\", \"label\": \"Alternate Implementation\"},\r\n {\"value\": \"Planned\", \"label\": \"Planned\"},\r\n {\"value\": \"Out of Scope\", \"label\": \"Out of Scope\"}\r\n]", + "timeContext": { + "durationMs": 86400000 + } + }, + { + "id": "578b8620-30b9-4b92-abc6-997998bc8156", + "version": "KqlParameterItem/1.0", + "name": "ImplementationDate", + "label": "Implementation Date", + "type": 1, + "value": "", + "timeContext": { + "durationMs": 86400000 + } + }, + { + "version": "KqlParameterItem/1.0", + "name": "Notes", + "type": 1, + "value": "", + "timeContext": { + "durationMs": 86400000 + }, + "id": "7bd0d384-d3c3-4c77-9dae-d75e823edfcf" + } + ], + "style": "pills", + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces" + }, + "name": "Status" + }, + { + "type": 1, + "content": { + "json": "### Notes
\r\n{Notes}" + }, + "name": "text - 1" + } + ] + }, + "customWidth": "50", + "name": "group - 2" + }, + { + "type": 3, + "content": { + "version": "KqlItem/1.0", + "query": "DeviceEvents\r\n| where InitiatingProcessFileName <> \"\"\r\n| summarize count() by InitiatingProcessFileName\r\n| sort by count_ desc\r\n| limit 250", + "size": 0, + "showAnalytics": true, + "title": "Review Software Baselines", + "noDataMessage": "An Empty Panel Provides Opportunity To Explore Further and Implement Hardening. Controls: Confirm Licensing, Availability, and Health of Respective Offerings. Logging: Confirm Log Source is Onboarded to the Log Analytics Workspace. Time: Adjust the Time Parameter for a Larger Data-Set. ", + "timeContext": { + "durationMs": 2592000000 + }, + "timeContextFromParameter": "TimeRange", + "showExportToExcel": true, + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces", + "crossComponentResources": [ + "{Workspace}" + ], + "gridSettings": { + "formatters": [ + { + "columnMatch": "InitiatingProcessFileName", + "formatter": 18, + "formatOptions": { + "thresholdsOptions": "icons", + "thresholdsGrid": [ + { + "operator": "Default", + "thresholdValue": null, + "representation": "Diagnostics", + "text": "{0}{1}" + } + ] + } + }, + { + "columnMatch": "count_", + "formatter": 4, + "formatOptions": { + "palette": "blue" + } + }, + { + "columnMatch": "State", + "formatter": 18, + "formatOptions": { + "thresholdsOptions": "colors", + "thresholdsGrid": [ + { + "operator": "==", + "thresholdValue": "Healthy", + "representation": "green", + "text": "{0}{1}" + }, + { + "operator": "==", + "thresholdValue": "Unhealthy", + "representation": "redBright", + "text": "{0}{1}" + }, + { + "operator": "Default", + "thresholdValue": null, + "representation": "blue", + "text": "{0}{1}" + } + ] + } + }, + { + "columnMatch": "Environment", + "formatter": 18, + "formatOptions": { + "thresholdsOptions": "colors", + "thresholdsGrid": [ + { + "operator": "==", + "thresholdValue": "Azure", + "text": "{0}{1}" + }, + { + "operator": "==", + "thresholdValue": "Direct Agent", + "representation": "yellow", + "text": "{0}{1}" + }, + { + "operator": "==", + "thresholdValue": "SCOM Agent", + "representation": "turquoise", + "text": "{0}{1}" + }, + { + "operator": "==", + "thresholdValue": "SCOM Management Server", + "representation": "orange", + "text": "{0}{1}" + }, + { + "operator": "Default", + "thresholdValue": null, + "representation": "blue", + "text": "{0}{1}" + } + ] + }, + "numberFormat": { + "unit": 0, + "options": { + "style": "decimal" + } + } + }, + { + "columnMatch": "Heartbeat Trend", + "formatter": 10, + "formatOptions": { + "palette": "redGreen" + } + }, + { + "columnMatch": "Details", + "formatter": 5 + } + ], + "filter": true + } + }, + "customWidth": "50", + "name": "query - 65", + "styleSettings": { + "maxWidth": "50" + } + } + ] + }, + "name": "CM.L2-3.4.1", + "styleSettings": { + "showBorder": true + } + }, + { + "type": 12, + "content": { + "version": "NotebookGroup/1.0", + "groupType": "editable", + "items": [ + { + "type": 1, + "content": { + "json": "# [(CM.L2-3.4.2) Security Configuration Enforcement](https://docs.microsoft.com/azure/governance/policy/samples/cmmc-l3#establish-and-enforce-security-configuration-settings-for-information-technology-products-employed-in-organizational-systems)\r\n\r\n## Primary Services\r\n✳️ [Azure Active Directory](https://azure.microsoft.com/services/active-directory/) 🔀[Azure Active Directory Portal](https://portal.azure.com/#blade/Microsoft_AAD_IAM/ActiveDirectoryMenuBlade/Overview)
\r\n✳️ [Intune/Microsoft Endpoint Manager](https://www.microsoft.com/microsoft-365/microsoft-endpoint-Manager) 🔀[Microsoft Endpoint Manager Admin Center](https://endpoint.microsoft.com/#home)
\r\n\r\n## Recommended Logs\r\n🔷 [SecurityRecommendation](https://docs.microsoft.com/azure/defender-for-iot/how-to-security-data-access#security-recommendations) ✳️ [Microsoft Defender for Cloud](https://azure.microsoft.com/services/security-center/)
\r\n\r\n## Implementation Guidance\r\n[Microsoft Technical Reference Guide for CMMC](https://aka.ms/cmmc/techrefguide)\r\n## NIST SP 800-171 Mapping\r\n[3.4.2](https://csrc.nist.gov/publications/detail/sp/800-171/rev-2/final)
\r\n## NIST SP 800-53 R4 Mapping\r\n[CM-2, CM-6,CM-8,CM-8(1)](https://csrc.nist.gov/publications/detail/sp/800-53/rev-4/final)\r\n## Microsoft Defender for Cloud: Regulatory Compliance\r\n[Go To: NIST SP 800-171 Assessment >](https://portal.azure.com/#blade/Microsoft_Azure_Security/SecurityMenuBlade/22)
\r\n" + }, + "customWidth": "50", + "name": "text - 0", + "styleSettings": { + "maxWidth": "50" + } + }, + { + "type": 3, + "content": { + "version": "KqlItem/1.0", + "query": "SecurityRecommendation\r\n| where RecommendationDisplayName contains \"config\"\r\n| summarize arg_max(TimeGenerated, *) by RecommendationDisplayName, AssessedResourceId\r\n| summarize\r\n Failed = countif(RecommendationState == \"Unhealthy\"),\r\n Passed = countif(RecommendationState == \"Healthy\"),\r\n Total = countif(RecommendationState == \"Healthy\" or RecommendationState == \"Unhealthy\")\r\n by RecommendationDisplayName\r\n| extend PassedControls = (Passed / todouble(Total)) * 100\r\n| project RecommendationDisplayName, Total, PassedControls, Passed, Failed\r\n| sort by Total desc\r\n| limit 250", + "size": 0, + "showAnalytics": true, + "title": "Review Microsoft Defender for Cloud Recommendations", + "noDataMessage": "An Empty Panel Provides Opportunity To Explore Further and Implement Hardening. Controls: Confirm Licensing, Availability, and Health of Respective Offerings. Logging: Confirm Log Source is Onboarded to the Log Analytics Workspace. Time: Adjust the Time Parameter for a Larger Data-Set. ", + "timeContext": { + "durationMs": 2592000000 + }, + "timeContextFromParameter": "TimeRange", + "showExportToExcel": true, + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces", + "crossComponentResources": [ + "{Workspace}" + ], + "gridSettings": { + "formatters": [ + { + "columnMatch": "RecommendationDisplayName", + "formatter": 18, + "formatOptions": { + "thresholdsOptions": "icons", + "thresholdsGrid": [ + { + "operator": "Default", + "thresholdValue": null, + "representation": "Gear", + "text": "{0}{1}" + } + ] + } + }, + { + "columnMatch": "Total", + "formatter": 22, + "formatOptions": { + "compositeBarSettings": { + "labelText": "", + "columnSettings": [ + { + "columnName": "Passed", + "color": "green" + }, + { + "columnName": "Failed", + "color": "redBright" + } + ] + } + } + }, + { + "columnMatch": "PassedControls", + "formatter": 0, + "numberFormat": { + "unit": 1, + "options": { + "style": "decimal", + "maximumFractionDigits": 2 + } + } + }, + { + "columnMatch": "ControlNumber", + "formatter": 18, + "formatOptions": { + "thresholdsOptions": "icons", + "thresholdsGrid": [ + { + "operator": "Default", + "thresholdValue": null, + "representation": "AllServices", + "text": "{0}{1}" + } + ] + } + }, + { + "columnMatch": "RecommendationState", + "formatter": 18, + "formatOptions": { + "thresholdsOptions": "icons", + "thresholdsGrid": [ + { + "operator": "!=", + "thresholdValue": "Healthy", + "representation": "3", + "text": "{0}{1}" + }, + { + "operator": "Default", + "thresholdValue": null, + "representation": "success", + "text": "{0}{1}" + } + ] + } + }, + { + "columnMatch": "count_", + "formatter": 4, + "formatOptions": { + "palette": "blue" + } + } + ], + "filter": true + } + }, + "customWidth": "50", + "name": "query - 1" + }, + { + "type": 12, + "content": { + "version": "NotebookGroup/1.0", + "groupType": "editable", + "items": [ + { + "type": 1, + "content": { + "json": "## Control Assessment\r\n" + }, + "name": "text - 2" + }, + { + "type": 9, + "content": { + "version": "KqlParameterItem/1.0", + "parameters": [ + { + "id": "52668f65-b44a-4e14-82d8-c87410e7e5dc", + "version": "KqlParameterItem/1.0", + "name": "ImplementationStatus", + "label": "Implementation Status", + "type": 2, + "typeSettings": { + "additionalResourceOptions": [], + "showDefault": false + }, + "jsonData": "[\r\n {\"value\": \"Not Implemented\", \"label\": \"Not Implemented\", \"selected\":true},\r\n {\"value\": \"Implemented\", \"label\": \"Implemented\"},\r\n {\"value\": \"Alternate Implementation\", \"label\": \"Alternate Implementation\"},\r\n {\"value\": \"Planned\", \"label\": \"Planned\"},\r\n {\"value\": \"Out of Scope\", \"label\": \"Out of Scope\"}\r\n]", + "timeContext": { + "durationMs": 86400000 + } + }, + { + "id": "578b8620-30b9-4b92-abc6-997998bc8156", + "version": "KqlParameterItem/1.0", + "name": "ImplementationDate", + "label": "Implementation Date", + "type": 1, + "value": "", + "timeContext": { + "durationMs": 86400000 + } + }, + { + "version": "KqlParameterItem/1.0", + "name": "Notes", + "type": 1, + "value": "", + "timeContext": { + "durationMs": 86400000 + }, + "id": "7bd0d384-d3c3-4c77-9dae-d75e823edfcf" + } + ], + "style": "pills", + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces" + }, + "name": "Status" + }, + { + "type": 1, + "content": { + "json": "### Notes
\r\n{Notes}" + }, + "name": "text - 1" + } + ] + }, + "customWidth": "50", + "name": "group - 2" + } + ] + }, + "name": "CM.L2-3.4.2", + "styleSettings": { + "showBorder": true + } + }, + { + "type": 12, + "content": { + "version": "NotebookGroup/1.0", + "groupType": "editable", + "items": [ + { + "type": 1, + "content": { + "json": "# [(CM.L2-3.4.3) System Change Management](https://docs.microsoft.com/azure/governance/policy/samples/cmmc-l3#track-review-approve-or-disapprove-and-log-changes-to-organizational-systems)\r\n\r\n## Primary Services\r\n✳️ [Microsoft Defender for Cloud](https://azure.microsoft.com/services/security-center) 🔀[Microsoft Defender for Cloud](https://portal.azure.com/#blade/Microsoft_Azure_Security/SecurityMenuBlade/0)
\r\n✳️ [GitHub Enterprise Cloud](https://github.com/enterprise) 🔀[GitHub Enterprise](https://enterprise.github.com/login)
\r\n✳️ [GitHub AE](https://docs.github.com/en/github-ae@latest/admin/overview/about-github-ae) 🔀[GitHub](https://github.com/)
\r\n\r\n## Secondary Services\r\n✳️ [Azure Monitor](https://azure.microsoft.com/services/monitor/) 🔀[Monitor](https://portal.azure.com/#blade/Microsoft_Azure_Monitoring/AzureMonitoringBrowseBlade/overview)
\r\n✳️ [Azure Active Directory](https://azure.microsoft.com/services/active-directory/) 🔀[Azure Active Directory Portal](https://portal.azure.com/#blade/Microsoft_AAD_IAM/ActiveDirectoryMenuBlade/Overview)
\r\n✳️ [Intune/Microsoft Endpoint Manager](https://www.microsoft.com/microsoft-365/microsoft-endpoint-Manager) 🔀[Microsoft Endpoint Manager Admin Center](https://endpoint.microsoft.com/#home)
\r\n\r\n## Recommended Logs\r\n🔷 [SecurityRecommendation](https://docs.microsoft.com/azure/defender-for-iot/how-to-security-data-access#security-recommendations) ✳️ [Microsoft Defender for Cloud](https://azure.microsoft.com/services/security-center/)
\r\n\r\n## Recommended Configurations\r\n💡 [Enable Change Tracking and Inventory From an Automation Account](https://docs.microsoft.com/azure/automation/change-tracking/enable-from-automation-account)\r\n\r\n## Implementation Guidance\r\n[Microsoft Technical Reference Guide for CMMC](https://aka.ms/cmmc/techrefguide)\r\n## NIST SP 800-171 Mapping\r\n[3.4.3](https://csrc.nist.gov/publications/detail/sp/800-171/rev-2/final)
\r\n## NIST SP 800-53 R4 Mapping\r\n[CM-3](https://csrc.nist.gov/publications/detail/sp/800-53/rev-4/final)\r\n## Microsoft Defender for Cloud: Regulatory Compliance\r\n[Go To: NIST SP 800-171 Assessment >](https://portal.azure.com/#blade/Microsoft_Azure_Security/SecurityMenuBlade/22)
\r\n" + }, + "customWidth": "50", + "name": "text - 2", + "styleSettings": { + "maxWidth": "50" + } + }, + { + "type": 3, + "content": { + "version": "KqlItem/1.0", + "query": "SecurityRecommendation\r\n| where RecommendationDisplayName contains \"log\" or RecommendationDisplayName contains \"audit\"\r\n| summarize arg_max(TimeGenerated, *) by RecommendationDisplayName, AssessedResourceId\r\n| summarize\r\n Failed = countif(RecommendationState == \"Unhealthy\"),\r\n Passed = countif(RecommendationState == \"Healthy\"),\r\n Total = countif(RecommendationState == \"Healthy\" or RecommendationState == \"Unhealthy\")\r\n by RecommendationDisplayName\r\n| extend PassedControls = (Passed / todouble(Total)) * 100\r\n| project RecommendationDisplayName, Total, PassedControls, Passed, Failed\r\n| sort by Total desc\r\n| limit 250", + "size": 0, + "showAnalytics": true, + "title": "Review Microsoft Defender for Cloud Recommendations", + "noDataMessage": "An Empty Panel Provides Opportunity To Explore Further and Implement Hardening. Controls: Confirm Licensing, Availability, and Health of Respective Offerings. Logging: Confirm Log Source is Onboarded to the Log Analytics Workspace. Time: Adjust the Time Parameter for a Larger Data-Set. ", + "timeContext": { + "durationMs": 2592000000 + }, + "timeContextFromParameter": "TimeRange", + "showExportToExcel": true, + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces", + "crossComponentResources": [ + "{Workspace}" + ], + "gridSettings": { + "formatters": [ + { + "columnMatch": "RecommendationDisplayName", + "formatter": 18, + "formatOptions": { + "thresholdsOptions": "icons", + "thresholdsGrid": [ + { + "operator": "Default", + "thresholdValue": null, + "representation": "Gear", + "text": "{0}{1}" + } + ] + } + }, + { + "columnMatch": "Total", + "formatter": 22, + "formatOptions": { + "compositeBarSettings": { + "labelText": "", + "columnSettings": [ + { + "columnName": "Passed", + "color": "green" + }, + { + "columnName": "Failed", + "color": "redBright" + } + ] + } + } + }, + { + "columnMatch": "PassedControls", + "formatter": 0, + "numberFormat": { + "unit": 1, + "options": { + "style": "decimal", + "maximumFractionDigits": 2 + } + } + }, + { + "columnMatch": "ControlNumber", + "formatter": 18, + "formatOptions": { + "thresholdsOptions": "icons", + "thresholdsGrid": [ + { + "operator": "Default", + "thresholdValue": null, + "representation": "AllServices", + "text": "{0}{1}" + } + ] + } + }, + { + "columnMatch": "RecommendationState", + "formatter": 18, + "formatOptions": { + "thresholdsOptions": "icons", + "thresholdsGrid": [ + { + "operator": "!=", + "thresholdValue": "Healthy", + "representation": "3", + "text": "{0}{1}" + }, + { + "operator": "Default", + "thresholdValue": null, + "representation": "success", + "text": "{0}{1}" + } + ] + } + }, + { + "columnMatch": "count_", + "formatter": 4, + "formatOptions": { + "palette": "blue" + } + } + ], + "filter": true + } + }, + "customWidth": "50", + "name": "query - 1" + }, + { + "type": 12, + "content": { + "version": "NotebookGroup/1.0", + "groupType": "editable", + "items": [ + { + "type": 1, + "content": { + "json": "## Control Assessment\r\n" + }, + "name": "text - 2" + }, + { + "type": 9, + "content": { + "version": "KqlParameterItem/1.0", + "parameters": [ + { + "id": "52668f65-b44a-4e14-82d8-c87410e7e5dc", + "version": "KqlParameterItem/1.0", + "name": "ImplementationStatus", + "label": "Implementation Status", + "type": 2, + "typeSettings": { + "additionalResourceOptions": [], + "showDefault": false + }, + "jsonData": "[\r\n {\"value\": \"Not Implemented\", \"label\": \"Not Implemented\", \"selected\":true},\r\n {\"value\": \"Implemented\", \"label\": \"Implemented\"},\r\n {\"value\": \"Alternate Implementation\", \"label\": \"Alternate Implementation\"},\r\n {\"value\": \"Planned\", \"label\": \"Planned\"},\r\n {\"value\": \"Out of Scope\", \"label\": \"Out of Scope\"}\r\n]", + "timeContext": { + "durationMs": 86400000 + } + }, + { + "id": "578b8620-30b9-4b92-abc6-997998bc8156", + "version": "KqlParameterItem/1.0", + "name": "ImplementationDate", + "label": "Implementation Date", + "type": 1, + "value": "", + "timeContext": { + "durationMs": 86400000 + } + }, + { + "version": "KqlParameterItem/1.0", + "name": "Notes", + "type": 1, + "value": "", + "timeContext": { + "durationMs": 86400000 + }, + "id": "7bd0d384-d3c3-4c77-9dae-d75e823edfcf" + } + ], + "style": "pills", + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces" + }, + "name": "Status" + }, + { + "type": 1, + "content": { + "json": "### Notes
\r\n{Notes}" + }, + "name": "text - 1" + } + ] + }, + "customWidth": "50", + "name": "group - 2" + } + ] + }, + "name": "CM.L2-3.4.3", + "styleSettings": { + "showBorder": true + } + }, + { + "type": 12, + "content": { + "version": "NotebookGroup/1.0", + "groupType": "editable", + "items": [ + { + "type": 1, + "content": { + "json": "# (CM.L2-3.4.4) Security Impact Analysis\r\n\r\n## Primary Services\r\n✳️ [Microsoft Defender for Cloud](https://azure.microsoft.com/services/security-center) 🔀[Microsoft Defender for Cloud](https://portal.azure.com/#blade/Microsoft_Azure_Security/SecurityMenuBlade/0)
\r\n✳️ [GitHub Enterprise Cloud](https://github.com/enterprise) 🔀[GitHub Enterprise](https://enterprise.github.com/login)
\r\n✳️ [GitHub AE](https://docs.github.com/en/github-ae@latest/admin/overview/about-github-ae) 🔀[GitHub](https://github.com/)
\r\n\r\n## Secondary Services\r\n✳️ [Azure Monitor](https://azure.microsoft.com/services/monitor/) 🔀[Monitor](https://portal.azure.com/#blade/Microsoft_Azure_Monitoring/AzureMonitoringBrowseBlade/overview)
\r\n✳️ [Azure Active Directory](https://azure.microsoft.com/services/active-directory/) 🔀[Azure Active Directory Portal](https://portal.azure.com/#blade/Microsoft_AAD_IAM/ActiveDirectoryMenuBlade/Overview)
\r\n✳️ [Intune/Microsoft Endpoint Manager](https://www.microsoft.com/microsoft-365/microsoft-endpoint-Manager) 🔀[Microsoft Endpoint Manager Admin Center](https://endpoint.microsoft.com/#home)
\r\n\r\n## Recommended Logs\r\n🔷 [ConfigurationChange](https://docs.microsoft.com/azure/azure-monitor/reference/tables/configurationchange) ✳️ [Virtual Machines](https://azure.microsoft.com/services/virtual-machines/)
\r\n\r\n## Implementation Guidance\r\n[Microsoft Technical Reference Guide for CMMC](https://aka.ms/cmmc/techrefguide)\r\n## NIST SP 800-171 Mapping\r\n[3.4.4](https://csrc.nist.gov/publications/detail/sp/800-171/rev-2/final)
\r\n## NIST SP 800-53 R4 Mapping\r\n[CM-4](https://csrc.nist.gov/publications/detail/sp/800-53/rev-4/final)\r\n## Microsoft Defender for Cloud: Regulatory Compliance\r\n[Go To: NIST SP 800-171 Assessment >](https://portal.azure.com/#blade/Microsoft_Azure_Security/SecurityMenuBlade/22)
\r\n" + }, + "customWidth": "50", + "name": "text - 2", + "styleSettings": { + "maxWidth": "50" + } + }, + { + "type": 3, + "content": { + "version": "KqlItem/1.0", + "query": "SecurityRecommendation\r\n| where RecommendationState == \"Unhealthy\"\r\n| make-series count() default=0 on TimeGenerated from {TimeRange:start} to {TimeRange:end} step 1d by RecommendationSeverity\r\n| render areachart ", + "size": 0, + "showAnalytics": true, + "title": "Review Secure Score for Assessing/Monitoring Security Impacts", + "noDataMessage": "An Empty Panel Provides Opportunity To Explore Further and Implement Hardening. Controls: Confirm Licensing, Availability, and Health of Respective Offerings. Logging: Confirm Log Source is Onboarded to the Log Analytics Workspace. Time: Adjust the Time Parameter for a Larger Data-Set. ", + "timeContext": { + "durationMs": 2592000000 + }, + "timeContextFromParameter": "TimeRange", + "showExportToExcel": true, + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces", + "crossComponentResources": [ + "{Workspace}" + ], + "gridSettings": { + "formatters": [ + { + "columnMatch": "ConfigChangeType", + "formatter": 18, + "formatOptions": { + "thresholdsOptions": "icons", + "thresholdsGrid": [ + { + "operator": "==", + "thresholdValue": "Files", + "representation": "File", + "text": "{0}{1}" + }, + { + "operator": "==", + "thresholdValue": "Registry", + "representation": "Gear", + "text": "{0}{1}" + }, + { + "operator": "==", + "text": "{0}{1}" + }, + { + "operator": "Default", + "thresholdValue": null, + "representation": "AllServices", + "text": "{0}{1}" + } + ] + } + }, + { + "columnMatch": "count_", + "formatter": 4, + "formatOptions": { + "palette": "blue" + } + } + ], + "filter": true + } + }, + "customWidth": "50", + "name": "query - 1" + }, + { + "type": 12, + "content": { + "version": "NotebookGroup/1.0", + "groupType": "editable", + "items": [ + { + "type": 1, + "content": { + "json": "## Control Assessment\r\n" + }, + "name": "text - 2" + }, + { + "type": 9, + "content": { + "version": "KqlParameterItem/1.0", + "parameters": [ + { + "id": "52668f65-b44a-4e14-82d8-c87410e7e5dc", + "version": "KqlParameterItem/1.0", + "name": "ImplementationStatus", + "label": "Implementation Status", + "type": 2, + "typeSettings": { + "additionalResourceOptions": [], + "showDefault": false + }, + "jsonData": "[\r\n {\"value\": \"Not Implemented\", \"label\": \"Not Implemented\", \"selected\":true},\r\n {\"value\": \"Implemented\", \"label\": \"Implemented\"},\r\n {\"value\": \"Alternate Implementation\", \"label\": \"Alternate Implementation\"},\r\n {\"value\": \"Planned\", \"label\": \"Planned\"},\r\n {\"value\": \"Out of Scope\", \"label\": \"Out of Scope\"}\r\n]", + "timeContext": { + "durationMs": 86400000 + } + }, + { + "id": "578b8620-30b9-4b92-abc6-997998bc8156", + "version": "KqlParameterItem/1.0", + "name": "ImplementationDate", + "label": "Implementation Date", + "type": 1, + "value": "", + "timeContext": { + "durationMs": 86400000 + } + }, + { + "version": "KqlParameterItem/1.0", + "name": "Notes", + "type": 1, + "value": "", + "timeContext": { + "durationMs": 86400000 + }, + "id": "7bd0d384-d3c3-4c77-9dae-d75e823edfcf" + } + ], + "style": "pills", + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces" + }, + "name": "Status" + }, + { + "type": 1, + "content": { + "json": "### Notes
\r\n{Notes}" + }, + "name": "text - 1" + } + ] + }, + "customWidth": "50", + "name": "group - 2" + } + ] + }, + "name": "CM.L2-3.4.4", + "styleSettings": { + "showBorder": true + } + }, + { + "type": 12, + "content": { + "version": "NotebookGroup/1.0", + "groupType": "editable", + "items": [ + { + "type": 1, + "content": { + "json": "# (CM.L2-3.4.5) Access Restrictions for Change\r\n\r\n## Primary Services\r\n✳️ [Azure Active Directory](https://azure.microsoft.com/services/active-directory/) 🔀[Azure Active Directory Portal](https://portal.azure.com/#blade/Microsoft_AAD_IAM/ActiveDirectoryMenuBlade/Overview)
\r\n\r\n## Secondary Services\r\n✳️ [Azure Firewall](https://azure.microsoft.com/services/azure-firewall/) 🔀[Azure Firewall Manager](https://portal.azure.com/#blade/Microsoft_Azure_HybridNetworking/FirewallManagerMenuBlade/firewallManagerOverview)
\r\n✳️ [Network Security Groups](https://docs.microsoft.com/azure/virtual-network/network-security-groups-overview) 🔀[Network Security Groups](https://portal.azure.com/#blade/HubsExtension/BrowseResource/resourceType/Microsoft.Network%2FNetworkSecurityGroups)
\r\n✳️ [Virtual Network]( https://azure.microsoft.com/services/virtual-network/) 🔀[Virtual Networks](https://portal.azure.com/#blade/HubsExtension/BrowseResource/resourceType/Microsoft.Network%2FvirtualNetworks)
\r\n✳️ [Conditional Access](https://docs.microsoft.com/azure/active-directory/conditional-access/overview) 🔀[Azure Active Directory: Conditional Access](https://portal.azure.com/#blade/Microsoft_AAD_IAM/ConditionalAccessBlade/Policies)
\r\n✳️ [Intune/Microsoft Endpoint Manager](https://www.microsoft.com/microsoft-365/microsoft-endpoint-Manager) 🔀[Microsoft Endpoint Manager Admin Center](https://endpoint.microsoft.com/#home)
\r\n✳️ [GitHub Enterprise Cloud](https://github.com/enterprise) 🔀[GitHub Enterprise](https://enterprise.github.com/login)
\r\n✳️ [GitHub AE](https://docs.github.com/en/github-ae@latest/admin/overview/about-github-ae) 🔀[GitHub](https://github.com/)
\r\n\r\n## Recommended Logs\r\n🔷 [IdentityInfo](https://docs.microsoft.com/azure/azure-monitor/reference/tables/identityinfo) ✳️ [Azure Active Directory](https://azure.microsoft.com/services/active-directory/)
\r\n\r\n## Implementation Guidance\r\n[Microsoft Technical Reference Guide for CMMC](https://aka.ms/cmmc/techrefguide)\r\n## NIST SP 800-171 Mapping\r\n[3.4.5](https://csrc.nist.gov/publications/detail/sp/800-171/rev-2/final)
\r\n## NIST SP 800-53 R4 Mapping\r\n[CM-5](https://csrc.nist.gov/publications/detail/sp/800-53/rev-4/final)\r\n## Microsoft Defender for Cloud: Regulatory Compliance\r\n[Go To: NIST SP 800-171 Assessment >](https://portal.azure.com/#blade/Microsoft_Azure_Security/SecurityMenuBlade/22)
\r\n" + }, + "customWidth": "50", + "name": "text - 0", + "styleSettings": { + "maxWidth": "50" + } + }, + { + "type": 3, + "content": { + "version": "KqlItem/1.0", + "query": "IdentityInfo\r\n| extend AssignedRoles = strcat(AssignedRoles)\r\n| distinct AccountUPN, AssignedRoles\r\n| project AccountUPN, AssignedRoles\r\n| limit 250", + "size": 0, + "showAnalytics": true, + "title": "User Assigned Roles", + "noDataMessage": "An Empty Panel Provides Opportunity To Explore Further and Implement Hardening. Controls: Confirm Licensing, Availability, and Health of Respective Offerings. Logging: Confirm Log Source is Onboarded to the Log Analytics Workspace. Time: Adjust the Time Parameter for a Larger Data-Set. ", + "timeContext": { + "durationMs": 2592000000 + }, + "timeContextFromParameter": "TimeRange", + "showExportToExcel": true, + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces", + "crossComponentResources": [ + "{Workspace}" + ], + "gridSettings": { + "formatters": [ + { + "columnMatch": "PercentageOfPassedRules", + "formatter": 18, + "formatOptions": { + "thresholdsOptions": "colors", + "thresholdsGrid": [ + { + "operator": "==", + "representation": "green", + "text": "{0}{1}" + }, + { + "operator": "Default", + "thresholdValue": null, + "representation": "green", + "text": "{0}{1}" + } + ] + } + }, + { + "columnMatch": "CriticalFailedRules", + "formatter": 18, + "formatOptions": { + "thresholdsOptions": "colors", + "thresholdsGrid": [ + { + "operator": "Default", + "thresholdValue": null, + "representation": "redBright", + "text": "{0}{1}" + } + ] + } + }, + { + "columnMatch": "WarningFailedRules", + "formatter": 18, + "formatOptions": { + "thresholdsOptions": "colors", + "thresholdsGrid": [ + { + "operator": "Default", + "thresholdValue": null, + "representation": "orange", + "text": "{0}{1}" + } + ] + } + }, + { + "columnMatch": "State", + "formatter": 18, + "formatOptions": { + "thresholdsOptions": "colors", + "thresholdsGrid": [ + { + "operator": "==", + "thresholdValue": "Healthy", + "representation": "green", + "text": "{0}{1}" + }, + { + "operator": "==", + "thresholdValue": "Unhealthy", + "representation": "redBright", + "text": "{0}{1}" + }, + { + "operator": "Default", + "thresholdValue": null, + "representation": "blue", + "text": "{0}{1}" + } + ] + } + }, + { + "columnMatch": "Environment", + "formatter": 18, + "formatOptions": { + "thresholdsOptions": "colors", + "thresholdsGrid": [ + { + "operator": "==", + "thresholdValue": "Azure", + "text": "{0}{1}" + }, + { + "operator": "==", + "thresholdValue": "Direct Agent", + "representation": "yellow", + "text": "{0}{1}" + }, + { + "operator": "==", + "thresholdValue": "SCOM Agent", + "representation": "turquoise", + "text": "{0}{1}" + }, + { + "operator": "==", + "thresholdValue": "SCOM Management Server", + "representation": "orange", + "text": "{0}{1}" + }, + { + "operator": "Default", + "thresholdValue": null, + "representation": "blue", + "text": "{0}{1}" + } + ] + }, + "numberFormat": { + "unit": 0, + "options": { + "style": "decimal" + } + } + }, + { + "columnMatch": "Heartbeat Trend", + "formatter": 10, + "formatOptions": { + "palette": "redGreen" + } + }, + { + "columnMatch": "Details", + "formatter": 5 + } + ], + "filter": true + } + }, + "customWidth": "50", + "name": "query - 65", + "styleSettings": { + "maxWidth": "50" + } + }, + { + "type": 12, + "content": { + "version": "NotebookGroup/1.0", + "groupType": "editable", + "items": [ + { + "type": 1, + "content": { + "json": "## Control Assessment\r\n" + }, + "name": "text - 2" + }, + { + "type": 9, + "content": { + "version": "KqlParameterItem/1.0", + "parameters": [ + { + "id": "52668f65-b44a-4e14-82d8-c87410e7e5dc", + "version": "KqlParameterItem/1.0", + "name": "ImplementationStatus", + "label": "Implementation Status", + "type": 2, + "typeSettings": { + "additionalResourceOptions": [], + "showDefault": false + }, + "jsonData": "[\r\n {\"value\": \"Not Implemented\", \"label\": \"Not Implemented\", \"selected\":true},\r\n {\"value\": \"Implemented\", \"label\": \"Implemented\"},\r\n {\"value\": \"Alternate Implementation\", \"label\": \"Alternate Implementation\"},\r\n {\"value\": \"Planned\", \"label\": \"Planned\"},\r\n {\"value\": \"Out of Scope\", \"label\": \"Out of Scope\"}\r\n]", + "timeContext": { + "durationMs": 86400000 + } + }, + { + "id": "578b8620-30b9-4b92-abc6-997998bc8156", + "version": "KqlParameterItem/1.0", + "name": "ImplementationDate", + "label": "Implementation Date", + "type": 1, + "value": "", + "timeContext": { + "durationMs": 86400000 + } + }, + { + "version": "KqlParameterItem/1.0", + "name": "Notes", + "type": 1, + "value": "", + "timeContext": { + "durationMs": 86400000 + }, + "id": "7bd0d384-d3c3-4c77-9dae-d75e823edfcf" + } + ], + "style": "pills", + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces" + }, + "name": "Status" + }, + { + "type": 1, + "content": { + "json": "### Notes
\r\n{Notes}" + }, + "name": "text - 1" + } + ] + }, + "customWidth": "50", + "name": "group - 2" + } + ] + }, + "name": "CM.L2-3.4.5", + "styleSettings": { + "showBorder": true + } + }, + { + "type": 12, + "content": { + "version": "NotebookGroup/1.0", + "groupType": "editable", + "items": [ + { + "type": 1, + "content": { + "json": "# [(CM.L2-3.4.5) Least Functionality](https://docs.microsoft.com/azure/governance/policy/samples/cmmc-l3#employ-the-principle-of-least-functionality-by-configuring-organizational-systems-to-provide-only-essential-capabilities)\r\n\r\n## Primary Services\r\n✳️ [Azure Active Directory](https://azure.microsoft.com/services/active-directory/) 🔀[Azure Active Directory Portal](https://portal.azure.com/#blade/Microsoft_AAD_IAM/ActiveDirectoryMenuBlade/Overview)
\r\n✳️ [Intune/Microsoft Endpoint Manager](https://www.microsoft.com/microsoft-365/microsoft-endpoint-Manager) 🔀[Microsoft Endpoint Manager Admin Center](https://endpoint.microsoft.com/#home)
\r\n\r\n## Secondary Services\r\n✳️ [Microsoft 365 Defender](https://www.microsoft.com/microsoft-365/security/microsoft-365-defender) 🔀[Microsoft 365 Defender](https://security.microsoft.com/)
\r\n\r\n## Recommended Logs\r\n🔷 [SecurityRecommendation](https://docs.microsoft.com/azure/defender-for-iot/how-to-security-data-access#security-recommendations) ✳️ [Microsoft Defender for Cloud](https://azure.microsoft.com/services/security-center/)\r\n\r\n## Implementation Guidance\r\n[Microsoft Technical Reference Guide for CMMC](https://aka.ms/cmmc/techrefguide)\r\n## NIST SP 800-171 Mapping\r\n[3.4.6](https://csrc.nist.gov/publications/detail/sp/800-171/rev-2/final)
\r\n## NIST SP 800-53 R4 Mapping\r\n[CM-7](https://csrc.nist.gov/publications/detail/sp/800-53/rev-4/final)\r\n## Microsoft Defender for Cloud: Regulatory Compliance\r\n[Go To: NIST SP 800-171 Assessment >](https://portal.azure.com/#blade/Microsoft_Azure_Security/SecurityMenuBlade/22)
" + }, + "customWidth": "50", + "name": "text - 0", + "styleSettings": { + "maxWidth": "50" + } + }, + { + "type": 3, + "content": { + "version": "KqlItem/1.0", + "query": "SecurityRecommendation\r\n| where RecommendationDisplayName contains \"priv\" or RecommendationDisplayName contains \"access\"\r\n| summarize arg_max(TimeGenerated, *) by RecommendationDisplayName, AssessedResourceId\r\n| summarize\r\n Failed = countif(RecommendationState == \"Unhealthy\"),\r\n Passed = countif(RecommendationState == \"Healthy\"),\r\n Total = countif(RecommendationState == \"Healthy\" or RecommendationState == \"Unhealthy\")\r\n by RecommendationDisplayName\r\n| extend PassedControls = (Passed / todouble(Total)) * 100\r\n| project RecommendationDisplayName, Total, PassedControls, Passed, Failed\r\n| sort by Total desc\r\n| limit 250", + "size": 0, + "showAnalytics": true, + "title": "Review Microsoft Defender for Cloud Recommendations", + "noDataMessage": "An Empty Panel Provides Opportunity To Explore Further and Implement Hardening. Controls: Confirm Licensing, Availability, and Health of Respective Offerings. Logging: Confirm Log Source is Onboarded to the Log Analytics Workspace. Time: Adjust the Time Parameter for a Larger Data-Set. ", + "timeContext": { + "durationMs": 2592000000 + }, + "timeContextFromParameter": "TimeRange", + "showExportToExcel": true, + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces", + "crossComponentResources": [ + "{Workspace}" + ], + "gridSettings": { + "formatters": [ + { + "columnMatch": "RecommendationDisplayName", + "formatter": 18, + "formatOptions": { + "thresholdsOptions": "icons", + "thresholdsGrid": [ + { + "operator": "Default", + "thresholdValue": null, + "representation": "Gear", + "text": "{0}{1}" + } + ] + } + }, + { + "columnMatch": "Total", + "formatter": 22, + "formatOptions": { + "compositeBarSettings": { + "labelText": "", + "columnSettings": [ + { + "columnName": "Passed", + "color": "green" + }, + { + "columnName": "Failed", + "color": "redBright" + } + ] + } + } + }, + { + "columnMatch": "PassedControls", + "formatter": 0, + "numberFormat": { + "unit": 1, + "options": { + "style": "decimal", + "maximumFractionDigits": 2 + } + } + }, + { + "columnMatch": "ControlNumber", + "formatter": 18, + "formatOptions": { + "thresholdsOptions": "icons", + "thresholdsGrid": [ + { + "operator": "Default", + "thresholdValue": null, + "representation": "AllServices", + "text": "{0}{1}" + } + ] + } + }, + { + "columnMatch": "RecommendationState", + "formatter": 18, + "formatOptions": { + "thresholdsOptions": "icons", + "thresholdsGrid": [ + { + "operator": "!=", + "thresholdValue": "Healthy", + "representation": "3", + "text": "{0}{1}" + }, + { + "operator": "Default", + "thresholdValue": null, + "representation": "success", + "text": "{0}{1}" + } + ] + } + }, + { + "columnMatch": "count_", + "formatter": 4, + "formatOptions": { + "palette": "blue" + } + } + ], + "filter": true + } + }, + "customWidth": "50", + "name": "query - 1" + }, + { + "type": 12, + "content": { + "version": "NotebookGroup/1.0", + "groupType": "editable", + "items": [ + { + "type": 1, + "content": { + "json": "## Control Assessment\r\n" + }, + "name": "text - 2" + }, + { + "type": 9, + "content": { + "version": "KqlParameterItem/1.0", + "parameters": [ + { + "id": "52668f65-b44a-4e14-82d8-c87410e7e5dc", + "version": "KqlParameterItem/1.0", + "name": "ImplementationStatus", + "label": "Implementation Status", + "type": 2, + "typeSettings": { + "additionalResourceOptions": [], + "showDefault": false + }, + "jsonData": "[\r\n {\"value\": \"Not Implemented\", \"label\": \"Not Implemented\", \"selected\":true},\r\n {\"value\": \"Implemented\", \"label\": \"Implemented\"},\r\n {\"value\": \"Alternate Implementation\", \"label\": \"Alternate Implementation\"},\r\n {\"value\": \"Planned\", \"label\": \"Planned\"},\r\n {\"value\": \"Out of Scope\", \"label\": \"Out of Scope\"}\r\n]", + "timeContext": { + "durationMs": 86400000 + } + }, + { + "id": "578b8620-30b9-4b92-abc6-997998bc8156", + "version": "KqlParameterItem/1.0", + "name": "ImplementationDate", + "label": "Implementation Date", + "type": 1, + "value": "", + "timeContext": { + "durationMs": 86400000 + } + }, + { + "version": "KqlParameterItem/1.0", + "name": "Notes", + "type": 1, + "value": "", + "timeContext": { + "durationMs": 86400000 + }, + "id": "7bd0d384-d3c3-4c77-9dae-d75e823edfcf" + } + ], + "style": "pills", + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces" + }, + "name": "Status" + }, + { + "type": 1, + "content": { + "json": "### Notes
\r\n{Notes}" + }, + "name": "text - 1" + } + ] + }, + "customWidth": "50", + "name": "group - 2" + } + ] + }, + "name": "CM.L2-3.4.6", + "styleSettings": { + "showBorder": true + } + }, + { + "type": 12, + "content": { + "version": "NotebookGroup/1.0", + "groupType": "editable", + "items": [ + { + "type": 1, + "content": { + "json": "# [(CM.L2-3.4.6) Nonessential Functionality](https://docs.microsoft.com/azure/governance/policy/samples/cmmc-l3#restrict-disable-or-prevent-the-use-of-nonessential-programs-functions-ports-protocols-and-services)\r\n\r\n## Primary Services\r\n✳️ [Network Security Groups](https://docs.microsoft.com/azure/virtual-network/network-security-groups-overview) 🔀[Network Security Groups](https://portal.azure.com/#blade/HubsExtension/BrowseResource/resourceType/Microsoft.Network%2FNetworkSecurityGroups)
\r\n\r\n## Secondary Services\r\n✳️ [Microsoft Defender for Cloud](https://azure.microsoft.com/services/security-center/) 🔀[Microsoft Defender for Cloud](https://portal.azure.com/#blade/Microsoft_Azure_Security/SecurityMenuBlade/0)
\r\n✳️ [Azure Firewall](https://azure.microsoft.com/services/azure-firewall/) 🔀[Azure Firewall Manager](https://portal.azure.com/#blade/Microsoft_Azure_HybridNetworking/FirewallManagerMenuBlade/firewallManagerOverview)
\r\n✳️ [Azure Web Application Firewall]( https://azure.microsoft.com/services/web-application-firewall/) 🔀 [Web Application Firewall Policies](https://portal.azure.com/#blade/HubsExtension/BrowseResource/resourceType/Microsoft.Network%2FFrontDoorWebApplicationFirewallPolicies)
\r\n✳️ [Intune/Microsoft Endpoint Manager](https://www.microsoft.com/microsoft-365/microsoft-endpoint-Manager) 🔀[Microsoft Endpoint Manager Admin Center](https://endpoint.microsoft.com/#home)
\r\n\r\n## Recommended Logs\r\n🔷 [SecurityRecommendation](https://docs.microsoft.com/azure/defender-for-iot/how-to-security-data-access#security-recommendations) ✳️ [Microsoft Defender for Cloud](https://azure.microsoft.com/services/security-center/)
\r\n\r\n## Implementation Guidance\r\n[Microsoft Technical Reference Guide for CMMC](https://aka.ms/cmmc/techrefguide)\r\n## NIST SP 800-171 Mapping\r\n[3.4.7](https://csrc.nist.gov/publications/detail/sp/800-171/rev-2/final)
\r\n## NIST SP 800-53 R4 Mapping\r\n[CM-7(1), CM-7(2)](https://csrc.nist.gov/publications/detail/sp/800-53/rev-4/final)\r\n## Microsoft Defender for Cloud: Regulatory Compliance\r\n[Go To: NIST SP 800-171 Assessment >](https://portal.azure.com/#blade/Microsoft_Azure_Security/SecurityMenuBlade/22)
\r\n" + }, + "customWidth": "50", + "name": "text - 0", + "styleSettings": { + "maxWidth": "50" + } + }, + { + "type": 3, + "content": { + "version": "KqlItem/1.0", + "query": "SecurityRecommendation\r\n| where RecommendationDisplayName contains \"port\" or RecommendationDisplayName contains \"disable\"\r\n| summarize arg_max(TimeGenerated, *) by RecommendationDisplayName, AssessedResourceId\r\n| summarize\r\n Failed = countif(RecommendationState == \"Unhealthy\"),\r\n Passed = countif(RecommendationState == \"Healthy\"),\r\n Total = countif(RecommendationState == \"Healthy\" or RecommendationState == \"Unhealthy\")\r\n by RecommendationDisplayName\r\n| extend PassedControls = (Passed / todouble(Total)) * 100\r\n| project RecommendationDisplayName, Total, PassedControls, Passed, Failed\r\n| sort by Total desc\r\n| limit 250", + "size": 0, + "showAnalytics": true, + "title": "Review Microsoft Defender for Cloud Recommendations", + "noDataMessage": "An Empty Panel Provides Opportunity To Explore Further and Implement Hardening. Controls: Confirm Licensing, Availability, and Health of Respective Offerings. Logging: Confirm Log Source is Onboarded to the Log Analytics Workspace. Time: Adjust the Time Parameter for a Larger Data-Set. ", + "timeContext": { + "durationMs": 2592000000 + }, + "timeContextFromParameter": "TimeRange", + "showExportToExcel": true, + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces", + "crossComponentResources": [ + "{Workspace}" + ], + "gridSettings": { + "formatters": [ + { + "columnMatch": "RecommendationDisplayName", + "formatter": 18, + "formatOptions": { + "thresholdsOptions": "icons", + "thresholdsGrid": [ + { + "operator": "Default", + "thresholdValue": null, + "representation": "Gear", + "text": "{0}{1}" + } + ] + } + }, + { + "columnMatch": "Total", + "formatter": 22, + "formatOptions": { + "compositeBarSettings": { + "labelText": "", + "columnSettings": [ + { + "columnName": "Passed", + "color": "green" + }, + { + "columnName": "Failed", + "color": "redBright" + } + ] + } + } + }, + { + "columnMatch": "PassedControls", + "formatter": 0, + "numberFormat": { + "unit": 1, + "options": { + "style": "decimal", + "maximumFractionDigits": 2 + } + } + }, + { + "columnMatch": "ControlNumber", + "formatter": 18, + "formatOptions": { + "thresholdsOptions": "icons", + "thresholdsGrid": [ + { + "operator": "Default", + "thresholdValue": null, + "representation": "AllServices", + "text": "{0}{1}" + } + ] + } + }, + { + "columnMatch": "RecommendationState", + "formatter": 18, + "formatOptions": { + "thresholdsOptions": "icons", + "thresholdsGrid": [ + { + "operator": "!=", + "thresholdValue": "Healthy", + "representation": "3", + "text": "{0}{1}" + }, + { + "operator": "Default", + "thresholdValue": null, + "representation": "success", + "text": "{0}{1}" + } + ] + } + }, + { + "columnMatch": "count_", + "formatter": 4, + "formatOptions": { + "palette": "blue" + } + } + ], + "filter": true + } + }, + "customWidth": "50", + "name": "query - 1" + }, + { + "type": 12, + "content": { + "version": "NotebookGroup/1.0", + "groupType": "editable", + "items": [ + { + "type": 1, + "content": { + "json": "## Control Assessment\r\n" + }, + "name": "text - 2" + }, + { + "type": 9, + "content": { + "version": "KqlParameterItem/1.0", + "parameters": [ + { + "id": "52668f65-b44a-4e14-82d8-c87410e7e5dc", + "version": "KqlParameterItem/1.0", + "name": "ImplementationStatus", + "label": "Implementation Status", + "type": 2, + "typeSettings": { + "additionalResourceOptions": [], + "showDefault": false + }, + "jsonData": "[\r\n {\"value\": \"Not Implemented\", \"label\": \"Not Implemented\", \"selected\":true},\r\n {\"value\": \"Implemented\", \"label\": \"Implemented\"},\r\n {\"value\": \"Alternate Implementation\", \"label\": \"Alternate Implementation\"},\r\n {\"value\": \"Planned\", \"label\": \"Planned\"},\r\n {\"value\": \"Out of Scope\", \"label\": \"Out of Scope\"}\r\n]", + "timeContext": { + "durationMs": 86400000 + } + }, + { + "id": "578b8620-30b9-4b92-abc6-997998bc8156", + "version": "KqlParameterItem/1.0", + "name": "ImplementationDate", + "label": "Implementation Date", + "type": 1, + "value": "", + "timeContext": { + "durationMs": 86400000 + } + }, + { + "version": "KqlParameterItem/1.0", + "name": "Notes", + "type": 1, + "value": "", + "timeContext": { + "durationMs": 86400000 + }, + "id": "7bd0d384-d3c3-4c77-9dae-d75e823edfcf" + } + ], + "style": "pills", + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces" + }, + "name": "Status" + }, + { + "type": 1, + "content": { + "json": "### Notes
\r\n{Notes}" + }, + "name": "text - 1" + } + ] + }, + "customWidth": "50", + "name": "group - 2" + } + ] + }, + "name": "CM.L2-3.4.7", + "styleSettings": { + "showBorder": true + } + }, + { + "type": 12, + "content": { + "version": "NotebookGroup/1.0", + "groupType": "editable", + "items": [ + { + "type": 1, + "content": { + "json": "# [(CM.L2-3.4.8) Application Execution Policy](https://docs.microsoft.com/azure/governance/policy/samples/cmmc-l3#apply-deny-by-exception-blacklisting-policy-to-prevent-the-use-of-unauthorized-software-or-deny-all-permit-by-exception-whitelisting-policy-to-allow-the-execution-of-authorized-software)\r\n\r\n## Primary Services\r\n✳️ [Virtual Machines](https://azure.microsoft.com/services/virtual-machines/) 🔀[Virtual Machines](https://portal.azure.com/#blade/HubsExtension/BrowseResource/resourceType/Microsoft.Compute%2FVirtualMachines)
\r\n✳️ [Intune/Microsoft Endpoint Manager](https://www.microsoft.com/microsoft-365/microsoft-endpoint-Manager) 🔀[Microsoft Endpoint Manager Admin Center](https://endpoint.microsoft.com/#home)
\r\n✳️ [Microsoft Defender for Cloud Apps](https://www.microsoft.com/microsoft-365/enterprise-mobility-security/cloud-app-security) 🔀 [Microsoft Defender for Cloud Apps Portal](https://portal.cloudappsecurity.com/)
\r\n\r\n## Secondary Services\r\n✳️ [Azure Firewall](https://azure.microsoft.com/services/azure-firewall/) 🔀[Azure Firewall Manager](https://portal.azure.com/#blade/Microsoft_Azure_HybridNetworking/FirewallManagerMenuBlade/firewallManagerOverview)
\r\n✳️ [Network Security Groups](https://docs.microsoft.com/azure/virtual-network/network-security-groups-overview) 🔀[Network Security Groups](https://portal.azure.com/#blade/HubsExtension/BrowseResource/resourceType/Microsoft.Network%2FNetworkSecurityGroups)
\r\n✳️ [Azure Web Application Firewall]( https://azure.microsoft.com/services/web-application-firewall/) 🔀 [Web Application Firewall Policies](https://portal.azure.com/#blade/HubsExtension/BrowseResource/resourceType/Microsoft.Network%2FFrontDoorWebApplicationFirewallPolicies)
\r\n✳️ [Conditional Access](https://docs.microsoft.com/azure/active-directory/conditional-access/overview) 🔀[Azure Active Directory: Conditional Access](https://portal.azure.com/#blade/Microsoft_AAD_IAM/ConditionalAccessBlade/Policies)
\r\n✳️ [Microsoft Defender for Endpoint]( https://www.microsoft.com/microsoft-365/security/endpoint-defender) 🔀[Microsoft 365 Defender](https://security.microsoft.com/)
\r\n✳️ [GitHub Enterprise Cloud](https://github.com/enterprise) 🔀[GitHub Enterprise](https://enterprise.github.com/login)
\r\n✳️ [GitHub AE](https://docs.github.com/en/github-ae@latest/admin/overview/about-github-ae) 🔀[GitHub](https://github.com/)
\r\n\r\n## Recommended Logs\r\n🔷 [SecurityAlert](https://docs.microsoft.com/azure/azure-monitor/reference/tables/securityevent) ✳️ [Microsoft Defender for Cloud Apps](https://www.microsoft.com/microsoft-365/enterprise-mobility-security/cloud-app-security) ✳️ [Microsoft Defender for Endpoint](https://www.microsoft.com/microsoft-365/security/endpoint-defender)
\r\n\r\n## Implementation Guidance\r\n[Microsoft Technical Reference Guide for CMMC](https://aka.ms/cmmc/techrefguide)\r\n## NIST SP 800-171 Mapping\r\n[3.4.8](https://csrc.nist.gov/publications/detail/sp/800-171/rev-2/final)
\r\n## NIST SP 800-53 R4 Mapping\r\n[CM-7(4), CM-7(5)](https://csrc.nist.gov/publications/detail/sp/800-53/rev-4/final)\r\n## Microsoft Defender for Cloud: Regulatory Compliance\r\n[Go To: NIST SP 800-171 Assessment >](https://portal.azure.com/#blade/Microsoft_Azure_Security/SecurityMenuBlade/22)
\r\n" + }, + "customWidth": "50", + "name": "text - 2", + "styleSettings": { + "maxWidth": "50" + } + }, + { + "type": 3, + "content": { + "version": "KqlItem/1.0", + "query": "SecurityAlert \r\n| where AlertName contains \"app\" or AlertName contains \"tool\" or AlertName contains \"malware\" or AlertName contains \"hack\" or AlertName contains \"program\"\r\n| summarize count() by ProductName, AlertName\r\n| sort by count_ desc\r\n| limit 250", + "size": 0, + "showAnalytics": true, + "title": "Security Alerts for Suspicious Software", + "noDataMessage": "An Empty Panel Provides Opportunity To Explore Further and Implement Hardening. Controls: Confirm Licensing, Availability, and Health of Respective Offerings. Logging: Confirm Log Source is Onboarded to the Log Analytics Workspace. Time: Adjust the Time Parameter for a Larger Data-Set. ", + "timeContext": { + "durationMs": 2592000000 + }, + "timeContextFromParameter": "TimeRange", + "showExportToExcel": true, + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces", + "crossComponentResources": [ + "{Workspace}" + ], + "gridSettings": { + "formatters": [ + { + "columnMatch": "ProductName", + "formatter": 18, + "formatOptions": { + "thresholdsOptions": "icons", + "thresholdsGrid": [ + { + "operator": "Default", + "thresholdValue": null, + "representation": "View", + "text": "{0}{1}" + } + ] + } + }, + { + "columnMatch": "AlertName", + "formatter": 18, + "formatOptions": { + "thresholdsOptions": "icons", + "thresholdsGrid": [ + { + "operator": "Default", + "thresholdValue": null, + "representation": "2", + "text": "{0}{1}" + } + ] + } + }, + { + "columnMatch": "count_", + "formatter": 4, + "formatOptions": { + "palette": "redBright" + } + }, + { + "columnMatch": "PercentageOfPassedRules", + "formatter": 18, + "formatOptions": { + "thresholdsOptions": "colors", + "thresholdsGrid": [ + { + "operator": "==", + "representation": "green", + "text": "{0}{1}" + }, + { + "operator": "Default", + "thresholdValue": null, + "representation": "green", + "text": "{0}{1}" + } + ] + } + }, + { + "columnMatch": "CriticalFailedRules", + "formatter": 18, + "formatOptions": { + "thresholdsOptions": "colors", + "thresholdsGrid": [ + { + "operator": "Default", + "thresholdValue": null, + "representation": "redBright", + "text": "{0}{1}" + } + ] + } + }, + { + "columnMatch": "WarningFailedRules", + "formatter": 18, + "formatOptions": { + "thresholdsOptions": "colors", + "thresholdsGrid": [ + { + "operator": "Default", + "thresholdValue": null, + "representation": "orange", + "text": "{0}{1}" + } + ] + } + }, + { + "columnMatch": "State", + "formatter": 18, + "formatOptions": { + "thresholdsOptions": "colors", + "thresholdsGrid": [ + { + "operator": "==", + "thresholdValue": "Healthy", + "representation": "green", + "text": "{0}{1}" + }, + { + "operator": "==", + "thresholdValue": "Unhealthy", + "representation": "redBright", + "text": "{0}{1}" + }, + { + "operator": "Default", + "thresholdValue": null, + "representation": "blue", + "text": "{0}{1}" + } + ] + } + }, + { + "columnMatch": "Environment", + "formatter": 18, + "formatOptions": { + "thresholdsOptions": "colors", + "thresholdsGrid": [ + { + "operator": "==", + "thresholdValue": "Azure", + "text": "{0}{1}" + }, + { + "operator": "==", + "thresholdValue": "Direct Agent", + "representation": "yellow", + "text": "{0}{1}" + }, + { + "operator": "==", + "thresholdValue": "SCOM Agent", + "representation": "turquoise", + "text": "{0}{1}" + }, + { + "operator": "==", + "thresholdValue": "SCOM Management Server", + "representation": "orange", + "text": "{0}{1}" + }, + { + "operator": "Default", + "thresholdValue": null, + "representation": "blue", + "text": "{0}{1}" + } + ] + }, + "numberFormat": { + "unit": 0, + "options": { + "style": "decimal" + } + } + }, + { + "columnMatch": "Heartbeat Trend", + "formatter": 10, + "formatOptions": { + "palette": "redGreen" + } + }, + { + "columnMatch": "Details", + "formatter": 5 + } + ], + "filter": true + } + }, + "customWidth": "50", + "name": "query - 1", + "styleSettings": { + "maxWidth": "50" + } + }, + { + "type": 12, + "content": { + "version": "NotebookGroup/1.0", + "groupType": "editable", + "items": [ + { + "type": 1, + "content": { + "json": "## Control Assessment\r\n" + }, + "name": "text - 2" + }, + { + "type": 9, + "content": { + "version": "KqlParameterItem/1.0", + "parameters": [ + { + "id": "52668f65-b44a-4e14-82d8-c87410e7e5dc", + "version": "KqlParameterItem/1.0", + "name": "ImplementationStatus", + "label": "Implementation Status", + "type": 2, + "typeSettings": { + "additionalResourceOptions": [], + "showDefault": false + }, + "jsonData": "[\r\n {\"value\": \"Not Implemented\", \"label\": \"Not Implemented\", \"selected\":true},\r\n {\"value\": \"Implemented\", \"label\": \"Implemented\"},\r\n {\"value\": \"Alternate Implementation\", \"label\": \"Alternate Implementation\"},\r\n {\"value\": \"Planned\", \"label\": \"Planned\"},\r\n {\"value\": \"Out of Scope\", \"label\": \"Out of Scope\"}\r\n]", + "timeContext": { + "durationMs": 86400000 + } + }, + { + "id": "578b8620-30b9-4b92-abc6-997998bc8156", + "version": "KqlParameterItem/1.0", + "name": "ImplementationDate", + "label": "Implementation Date", + "type": 1, + "value": "", + "timeContext": { + "durationMs": 86400000 + } + }, + { + "version": "KqlParameterItem/1.0", + "name": "Notes", + "type": 1, + "value": "", + "timeContext": { + "durationMs": 86400000 + }, + "id": "7bd0d384-d3c3-4c77-9dae-d75e823edfcf" + } + ], + "style": "pills", + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces" + }, + "name": "Status" + }, + { + "type": 1, + "content": { + "json": "### Notes
\r\n{Notes}" + }, + "name": "text - 1" + } + ] + }, + "customWidth": "50", + "name": "group - 2" + } + ] + }, + "name": "CM.L2-3.4.8", + "styleSettings": { + "showBorder": true + } + }, + { + "type": 12, + "content": { + "version": "NotebookGroup/1.0", + "groupType": "editable", + "items": [ + { + "type": 1, + "content": { + "json": "# [(CM.L2-3.4.9) User-Installed Software](https://docs.microsoft.com/azure/governance/policy/samples/cmmc-l3#control-and-monitor-user-installed-software)\r\n\r\n## Primary Services\r\n✳️ [Microsoft Sentinel](https://azure.microsoft.com/services/azure-sentinel/) 🔀[Microsoft Sentinel](https://portal.azure.com/#blade/HubsExtension/BrowseResource/resourceType/microsoft.securityinsightsarg%2Fsentinel)
\r\n✳️ [Intune/Microsoft Endpoint Manager](https://www.microsoft.com/microsoft-365/microsoft-endpoint-Manager) 🔀[Microsoft Endpoint Manager Admin Center](https://endpoint.microsoft.com/#home)
\r\n\r\n## Secondary Services\r\n✳️ [Azure Active Directory](https://azure.microsoft.com/services/active-directory/) 🔀[Azure Active Directory Portal](https://portal.azure.com/#blade/Microsoft_AAD_IAM/ActiveDirectoryMenuBlade/Overview)
\r\n✳️ [Microsoft Defender for Cloud Apps](https://www.microsoft.com/microsoft-365/enterprise-mobility-security/cloud-app-security) 🔀 [Microsoft Defender for Cloud Apps Portal](https://portal.cloudappsecurity.com/)
\r\n✳️ [Microsoft Defender for Endpoint]( https://www.microsoft.com/microsoft-365/security/endpoint-defender) 🔀[Microsoft 365 Defender](https://security.microsoft.com/)
\r\n✳️ [Microsoft Defender for Identity](https://www.microsoft.com/microsoft-365/security/identity-defender) 🔀[Microsoft Defender for Identity](https://portal.atp.azure.com/)
\r\n✳️ [GitHub Enterprise Cloud](https://github.com/enterprise) 🔀[GitHub Enterprise](https://enterprise.github.com/login)
\r\n✳️ [GitHub AE](https://docs.github.com/en/github-ae@latest/admin/overview/about-github-ae) 🔀[GitHub](https://github.com/)
\r\n\r\n## Recommended Logs\r\n🔷 [SecurityRecommendation](https://docs.microsoft.com/azure/defender-for-iot/how-to-security-data-access#security-recommendations) ✳️ [Microsoft Defender for Cloud](https://azure.microsoft.com/services/security-center/)
\r\n\r\n## Implementation Guidance\r\n[Microsoft Technical Reference Guide for CMMC](https://aka.ms/cmmc/techrefguide)\r\n## NIST SP 800-171 Mapping\r\n[3.4.9](https://csrc.nist.gov/publications/detail/sp/800-171/rev-2/final)
\r\n## NIST SP 800-53 R4 Mapping\r\n[CM-11](https://csrc.nist.gov/publications/detail/sp/800-53/rev-4/final)\r\n## Microsoft Defender for Cloud: Regulatory Compliance\r\n[Go To: NIST SP 800-171 Assessment >](https://portal.azure.com/#blade/Microsoft_Azure_Security/SecurityMenuBlade/22)
\r\n" + }, + "customWidth": "50", + "name": "text - 0", + "styleSettings": { + "maxWidth": "50" + } + }, + { + "type": 3, + "content": { + "version": "KqlItem/1.0", + "query": "SecurityRecommendation\r\n| where RecommendationDisplayName contains \"application\" or RecommendationDisplayName contains \"software\" \r\n| summarize arg_max(TimeGenerated, *) by RecommendationDisplayName, AssessedResourceId\r\n| summarize\r\n Failed = countif(RecommendationState == \"Unhealthy\"),\r\n Passed = countif(RecommendationState == \"Healthy\"),\r\n Total = countif(RecommendationState == \"Healthy\" or RecommendationState == \"Unhealthy\")\r\n by RecommendationDisplayName\r\n| extend PassedControls = (Passed / todouble(Total)) * 100\r\n| project RecommendationDisplayName, Total, PassedControls, Passed, Failed\r\n| sort by Total desc\r\n| limit 250", + "size": 0, + "showAnalytics": true, + "title": "Review Microsoft Defender for Cloud Recommendations", + "noDataMessage": "An Empty Panel Provides Opportunity To Explore Further and Implement Hardening. Controls: Confirm Licensing, Availability, and Health of Respective Offerings. Logging: Confirm Log Source is Onboarded to the Log Analytics Workspace. Time: Adjust the Time Parameter for a Larger Data-Set. ", + "timeContext": { + "durationMs": 2592000000 + }, + "timeContextFromParameter": "TimeRange", + "showExportToExcel": true, + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces", + "crossComponentResources": [ + "{Workspace}" + ], + "gridSettings": { + "formatters": [ + { + "columnMatch": "RecommendationDisplayName", + "formatter": 18, + "formatOptions": { + "thresholdsOptions": "icons", + "thresholdsGrid": [ + { + "operator": "Default", + "thresholdValue": null, + "representation": "Gear", + "text": "{0}{1}" + } + ] + } + }, + { + "columnMatch": "Total", + "formatter": 22, + "formatOptions": { + "compositeBarSettings": { + "labelText": "", + "columnSettings": [ + { + "columnName": "Passed", + "color": "green" + }, + { + "columnName": "Failed", + "color": "redBright" + } + ] + } + } + }, + { + "columnMatch": "PassedControls", + "formatter": 0, + "numberFormat": { + "unit": 1, + "options": { + "style": "decimal", + "maximumFractionDigits": 2 + } + } + }, + { + "columnMatch": "ControlNumber", + "formatter": 18, + "formatOptions": { + "thresholdsOptions": "icons", + "thresholdsGrid": [ + { + "operator": "Default", + "thresholdValue": null, + "representation": "AllServices", + "text": "{0}{1}" + } + ] + } + }, + { + "columnMatch": "RecommendationState", + "formatter": 18, + "formatOptions": { + "thresholdsOptions": "icons", + "thresholdsGrid": [ + { + "operator": "!=", + "thresholdValue": "Healthy", + "representation": "3", + "text": "{0}{1}" + }, + { + "operator": "Default", + "thresholdValue": null, + "representation": "success", + "text": "{0}{1}" + } + ] + } + }, + { + "columnMatch": "count_", + "formatter": 4, + "formatOptions": { + "palette": "blue" + } + } + ], + "filter": true + } + }, + "customWidth": "50", + "name": "query - 1" + }, + { + "type": 12, + "content": { + "version": "NotebookGroup/1.0", + "groupType": "editable", + "items": [ + { + "type": 1, + "content": { + "json": "## Control Assessment\r\n" + }, + "name": "text - 2" + }, + { + "type": 9, + "content": { + "version": "KqlParameterItem/1.0", + "parameters": [ + { + "id": "52668f65-b44a-4e14-82d8-c87410e7e5dc", + "version": "KqlParameterItem/1.0", + "name": "ImplementationStatus", + "label": "Implementation Status", + "type": 2, + "typeSettings": { + "additionalResourceOptions": [], + "showDefault": false + }, + "jsonData": "[\r\n {\"value\": \"Not Implemented\", \"label\": \"Not Implemented\", \"selected\":true},\r\n {\"value\": \"Implemented\", \"label\": \"Implemented\"},\r\n {\"value\": \"Alternate Implementation\", \"label\": \"Alternate Implementation\"},\r\n {\"value\": \"Planned\", \"label\": \"Planned\"},\r\n {\"value\": \"Out of Scope\", \"label\": \"Out of Scope\"}\r\n]", + "timeContext": { + "durationMs": 86400000 + } + }, + { + "id": "578b8620-30b9-4b92-abc6-997998bc8156", + "version": "KqlParameterItem/1.0", + "name": "ImplementationDate", + "label": "Implementation Date", + "type": 1, + "value": "", + "timeContext": { + "durationMs": 86400000 + } + }, + { + "version": "KqlParameterItem/1.0", + "name": "Notes", + "type": 1, + "value": "", + "timeContext": { + "durationMs": 86400000 + }, + "id": "7bd0d384-d3c3-4c77-9dae-d75e823edfcf" + } + ], + "style": "pills", + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces" + }, + "name": "Status" + }, + { + "type": 1, + "content": { + "json": "### Notes
\r\n{Notes}" + }, + "name": "text - 1" + } + ] + }, + "customWidth": "50", + "name": "group - 2" + } + ] + }, + "name": "CM.L2-3.4.9", + "styleSettings": { + "showBorder": true + } + } + ] + }, + "conditionalVisibility": { + "parameterName": "isML2Visible", + "comparison": "isEqualTo", + "value": "true" + }, + "name": "Level 2: Advanced" + } + ] + }, + "conditionalVisibility": { + "parameterName": "isCMVisible", + "comparison": "isEqualTo", + "value": "true" + }, + "name": "Configuration Management", + "styleSettings": { + "showBorder": true + } + }, + { + "type": 12, + "content": { + "version": "NotebookGroup/1.0", + "groupType": "editable", + "items": [ + { + "type": 1, + "content": { + "json": "# Identification & Authentication \r\n---\r\nIdentification & Authentication Management is the process of managing user, system, asset identities and controlling access to authorized resources. For more information, see the💡[CMMC Model](https://www.acq.osd.mil/cmmc/model.html)" + }, + "customWidth": "50", + "name": "text - 5" + }, + { + "type": 12, + "content": { + "version": "NotebookGroup/1.0", + "groupType": "editable", + "title": "Level 1: Foundational", + "items": [ + { + "type": 1, + "content": { + "json": "The Department views Level 1 (“Foundational”) as an opportunity to engage its contractors in developing and strengthening their approach to cybersecurity. Because Level 1 does not involve sensitive national security information, DoD intends for this Level to allow companies to assess their own cybersecurity and begin adopting practices that will thwart cyber-attacks." + }, + "customWidth": "50", + "name": "text - 1" + }, + { + "type": 1, + "content": { + "json": "" + }, + "customWidth": "5", + "name": "text - 2" + }, + { + "type": 11, + "content": { + "version": "LinkItem/1.0", + "style": "list", + "links": [ + { + "id": "af33f331-b64b-4fbd-a0b4-3e411ff705a8", + "cellValue": "IA.L1-3.5.1", + "linkTarget": "step", + "linkLabel": "✳️ (IA.L1-3.5.1) Identification", + "preText": "", + "postText": "", + "style": "link" + }, + { + "id": "cca4d1e8-e1e2-4b1d-9b8a-698e6496924c", + "cellValue": "IA.L1-3.5.2", + "linkTarget": "step", + "linkLabel": "✳️ (IA.L1-3.5.2) Authentication", + "preText": "", + "postText": "", + "style": "link" + } + ] + }, + "customWidth": "40", + "name": "ML1 Steps" + }, + { + "type": 12, + "content": { + "version": "NotebookGroup/1.0", + "groupType": "editable", + "items": [ + { + "type": 1, + "content": { + "json": "# (IA.L1-3.5.1) Identification\r\n\r\n## Primary Services\r\n✳️ [Azure Active Directory](https://azure.microsoft.com/services/active-directory/) 🔀[Azure Active Directory Portal](https://portal.azure.com/#blade/Microsoft_AAD_IAM/ActiveDirectoryMenuBlade/Overview)
\r\n✳️ [Intune/Microsoft Endpoint Manager](https://www.microsoft.com/microsoft-365/microsoft-endpoint-Manager) 🔀[Microsoft Endpoint Manager Admin Center](https://endpoint.microsoft.com/#home)
\r\n\r\n## Secondary Services\r\n✳️ [Network Security Groups](https://docs.microsoft.com/azure/virtual-network/network-security-groups-overview) 🔀[Network Security Groups](https://portal.azure.com/#blade/HubsExtension/BrowseResource/resourceType/Microsoft.Network%2FNetworkSecurityGroups)
\r\n✳️ [Azure AD Identity Governance](https://docs.microsoft.com/azure/active-directory/governance/identity-governance-overview) 🔀[Identity Governance](https://portal.azure.com/#blade/Microsoft_AAD_ERM/DashboardBlade/GettingStarted)
\r\n✳️ [Azure AD Privileged Identity Management](https://docs.microsoft.com/azure/active-directory/privileged-identity-management/pim-getting-started) 🔀[Privileged Identity Management](https://portal.azure.com/#blade/Microsoft_Azure_PIMCommon/CommonMenuBlade/quickStart)
\r\n\r\n## Recommended Logs\r\n🔷 [AADManagedIdentitySignInLogs](https://docs.microsoft.com/azure/azure-monitor/reference/tables/aadmanagedidentitysigninlogs) 🔷 [AADServicePrincipalSignInLogs](https://docs.microsoft.com/azure/azure-monitor/reference/tables/aadserviceprincipalsigninlogs) ✳️ [Azure Active Directory](https://azure.microsoft.com/services/active-directory/)
\r\n\r\n## Implementation Guidance\r\n[Microsoft Technical Reference Guide for CMMC](https://aka.ms/cmmc/techrefguide)\r\n## NIST SP 800-171 Mapping\r\n[3.5.1](https://csrc.nist.gov/publications/detail/sp/800-171/rev-2/final)
\r\n## NIST SP 800-53 R4 Mapping\r\n[IA-2, IA-3, IA-5](https://csrc.nist.gov/publications/detail/sp/800-53/rev-4/final)\r\n## Microsoft Defender for Cloud: Regulatory Compliance\r\n[Go To: NIST SP 800-171 Assessment >](https://portal.azure.com/#blade/Microsoft_Azure_Security/SecurityMenuBlade/22)
\r\n" + }, + "customWidth": "50", + "name": "text - 0", + "styleSettings": { + "maxWidth": "50%" + } + }, + { + "type": 3, + "content": { + "version": "KqlItem/1.0", + "query": "AADManagedIdentitySignInLogs\r\n| summarize count() by ServicePrincipalName, ResourceGroup\r\n| sort by count_ desc", + "size": 0, + "showAnalytics": true, + "title": "Managed Identity Actions", + "noDataMessage": "An Empty Panel Provides Opportunity To Explore Further and Implement Hardening. Controls: Confirm Licensing, Availability, and Health of Respective Offerings. Logging: Confirm Log Source is Onboarded to the Log Analytics Workspace. Time: Adjust the Time Parameter for a Larger Data-Set. ", + "timeContext": { + "durationMs": 2592000000 + }, + "timeContextFromParameter": "TimeRange", + "showExportToExcel": true, + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces", + "crossComponentResources": [ + "{Workspace}" + ], + "gridSettings": { + "formatters": [ + { + "columnMatch": "ServicePrincipalName", + "formatter": 18, + "formatOptions": { + "thresholdsOptions": "icons", + "thresholdsGrid": [ + { + "operator": "Default", + "thresholdValue": null, + "representation": "uninitialized", + "text": "{0}{1}" + } + ] + } + }, + { + "columnMatch": "count_", + "formatter": 8, + "formatOptions": { + "palette": "blue" + } + } + ], + "filter": true + }, + "sortBy": [] + }, + "customWidth": "50", + "name": "Managed Identity Actions", + "styleSettings": { + "maxWidth": "50" + } + }, + { + "type": 12, + "content": { + "version": "NotebookGroup/1.0", + "groupType": "editable", + "items": [ + { + "type": 1, + "content": { + "json": "## Control Assessment\r\n" + }, + "name": "text - 2" + }, + { + "type": 9, + "content": { + "version": "KqlParameterItem/1.0", + "parameters": [ + { + "id": "52668f65-b44a-4e14-82d8-c87410e7e5dc", + "version": "KqlParameterItem/1.0", + "name": "ImplementationStatus", + "label": "Implementation Status", + "type": 2, + "typeSettings": { + "additionalResourceOptions": [], + "showDefault": false + }, + "jsonData": "[\r\n {\"value\": \"Not Implemented\", \"label\": \"Not Implemented\", \"selected\":true},\r\n {\"value\": \"Implemented\", \"label\": \"Implemented\"},\r\n {\"value\": \"Alternate Implementation\", \"label\": \"Alternate Implementation\"},\r\n {\"value\": \"Planned\", \"label\": \"Planned\"},\r\n {\"value\": \"Out of Scope\", \"label\": \"Out of Scope\"}\r\n]", + "timeContext": { + "durationMs": 86400000 + } + }, + { + "id": "578b8620-30b9-4b92-abc6-997998bc8156", + "version": "KqlParameterItem/1.0", + "name": "ImplementationDate", + "label": "Implementation Date", + "type": 1, + "value": "", + "timeContext": { + "durationMs": 86400000 + } + }, + { + "version": "KqlParameterItem/1.0", + "name": "Notes", + "type": 1, + "value": "", + "timeContext": { + "durationMs": 86400000 + }, + "id": "7bd0d384-d3c3-4c77-9dae-d75e823edfcf" + } + ], + "style": "pills", + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces" + }, + "name": "Status" + }, + { + "type": 1, + "content": { + "json": "### Notes
\r\n{Notes}" + }, + "name": "text - 1" + } + ] + }, + "customWidth": "50", + "name": "group - 2" + }, + { + "type": 3, + "content": { + "version": "KqlItem/1.0", + "query": "AADServicePrincipalSignInLogs \r\n| summarize count() by ServicePrincipalName, ResourceGroup\r\n| sort by count_ desc", + "size": 0, + "showAnalytics": true, + "title": "Service Principal Actions", + "noDataMessage": "An Empty Panel Provides Opportunity To Explore Further and Implement Hardening. Controls: Confirm Licensing, Availability, and Health of Respective Offerings. Logging: Confirm Log Source is Onboarded to the Log Analytics Workspace. Time: Adjust the Time Parameter for a Larger Data-Set. ", + "timeContext": { + "durationMs": 2592000000 + }, + "timeContextFromParameter": "TimeRange", + "showExportToExcel": true, + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces", + "crossComponentResources": [ + "{Workspace}" + ], + "gridSettings": { + "formatters": [ + { + "columnMatch": "ServicePrincipalName", + "formatter": 18, + "formatOptions": { + "thresholdsOptions": "icons", + "thresholdsGrid": [ + { + "operator": "Default", + "thresholdValue": null, + "representation": "uninitialized", + "text": "{0}{1}" + } + ] + } + }, + { + "columnMatch": "count_", + "formatter": 8, + "formatOptions": { + "palette": "blue" + } + } + ], + "filter": true + }, + "sortBy": [] + }, + "customWidth": "50", + "name": "Service Principal Actions", + "styleSettings": { + "maxWidth": "50" + } + } + ] + }, + "name": "IA.L1-3.5.1", + "styleSettings": { + "showBorder": true + } + }, + { + "type": 12, + "content": { + "version": "NotebookGroup/1.0", + "groupType": "editable", + "items": [ + { + "type": 1, + "content": { + "json": "# [(IA.L1-3.5.2) Authentication](https://docs.microsoft.com/azure/governance/policy/samples/cmmc-l3#authenticate-or-verify-the-identities-of-those-users-processes-or-devices-as-a-prerequisite-to-allowing-access-to-organizational-information-systems)\r\n\r\n## Primary Services\r\n✳️ [Azure Active Directory](https://azure.microsoft.com/services/active-directory/) 🔀[Azure Active Directory Portal](https://portal.azure.com/#blade/Microsoft_AAD_IAM/ActiveDirectoryMenuBlade/Overview)
\r\n✳️ [Multi-Factor Authentication](https://azure.microsoft.com/services/active-directory/) 🔀[Multi-Factor Authentication](https://portal.azure.com/#blade/Microsoft_AAD_IAM/MultifactorAuthenticationMenuBlade/GettingStarted)
\r\n✳️ [Conditional Access](https://docs.microsoft.com/azure/active-directory/conditional-access/overview) 🔀[Azure Active Directory: Conditional Access](https://portal.azure.com/#blade/Microsoft_AAD_IAM/ConditionalAccessBlade/Policies)
\r\n✳️ [Intune/Microsoft Endpoint Manager](https://www.microsoft.com/microsoft-365/microsoft-endpoint-Manager) 🔀[Microsoft Endpoint Manager Admin Center](https://endpoint.microsoft.com/#home)
\r\n\r\n## Secondary Services\r\n✳️ [Customer Lockbox](https://docs.microsoft.com/azure/security/fundamentals/customer-lockbox-overview) 🔀[Customer Lockbox](https://portal.azure.com/#blade/Microsoft_Azure_Lockbox/LockboxMenu/Overview)
\r\n\r\n\r\n## Recommended Logs\r\n🔷 [SigninLogs](https://docs.microsoft.com/azure/azure-monitor/reference/tables/signinlogs) ✳️ [Azure Active Directory](https://azure.microsoft.com/services/active-directory/)
\r\n\r\n## Implementation Guidance\r\n[Microsoft Technical Reference Guide for CMMC](https://aka.ms/cmmc/techrefguide)\r\n## NIST SP 800-171 Mapping\r\n[3.5.2](https://csrc.nist.gov/publications/detail/sp/800-171/rev-2/final)
\r\n## NIST SP 800-53 R4 Mapping\r\n[IA-2, IA-3, IA-5](https://csrc.nist.gov/publications/detail/sp/800-53/rev-4/final)\r\n## Microsoft Defender for Cloud: Regulatory Compliance\r\n[Go To: NIST SP 800-171 Assessment >](https://portal.azure.com/#blade/Microsoft_Azure_Security/SecurityMenuBlade/22)
\r\n" + }, + "customWidth": "50", + "name": "text - 2", + "styleSettings": { + "maxWidth": "50%" + } + }, + { + "type": 3, + "content": { + "version": "KqlItem/1.0", + "query": "let nonInteractive = AADNonInteractiveUserSignInLogs\r\n| extend LocationDetails = parse_json(LocationDetails)\r\n| extend Status = parse_json(Status);\r\nlet data = \r\nunion SigninLogs,nonInteractive\r\n|extend errorCode = Status.errorCode\r\n|extend SigninStatus = case(errorCode == 0, \"Success\", errorCode == 50058, \"Pending user action\",errorCode == 50140, \"Pending user action\", errorCode == 51006, \"Pending user action\", errorCode == 50059, \"Pending user action\",errorCode == 65001, \"Pending user action\", errorCode == 52004, \"Pending user action\", errorCode == 50055, \"Pending user action\", errorCode == 50144, \"Pending user action\", errorCode == 50072, \"Pending user action\", errorCode == 50074, \"Pending user action\", errorCode == 16000, \"Pending user action\", errorCode == 16001, \"Pending user action\", errorCode == 16003, \"Pending user action\", errorCode == 50127, \"Pending user action\", errorCode == 50125, \"Pending user action\", errorCode == 50129, \"Pending user action\", errorCode == 50143, \"Pending user action\", errorCode == 81010, \"Pending user action\", errorCode == 81014, \"Pending user action\", errorCode == 81012 ,\"Pending user action\", \"Failure\");\r\ndata\r\n| where IsInteractive == true\r\n| summarize Count = count() by SigninStatus\r\n| join kind = fullouter (datatable(SigninStatus:string)['Success', 'Pending action (Interrupts)', 'Failure']) on SigninStatus\r\n| project SigninStatus = iff(SigninStatus == '', SigninStatus1, SigninStatus), Count = iff(SigninStatus == '', 0, Count)\r\n| join kind = inner (data\r\n | make-series Trend = count() default = 0 on TimeGenerated from {TimeRange:start} to {TimeRange:end} step {TimeRange:grain} by SigninStatus)\r\n on SigninStatus\r\n| project-away SigninStatus1, TimeGenerated\r\n| extend Status = SigninStatus\r\n| union (\r\n data \r\n | summarize Count = count()\r\n | extend jkey = 1\r\n | join kind=inner (data\r\n | make-series Trend = count() default = 0 on TimeGenerated from {TimeRange:start} to {TimeRange:end} step {TimeRange:grain}\r\n | extend jkey = 1) on jkey\r\n | extend SigninStatus = 'All Sign-ins', Status = '*' \r\n)\r\n| where SigninStatus <> \"All Sign-ins\"\r\n", + "size": 0, + "showAnalytics": true, + "title": "User Authentication Details", + "noDataMessage": "An Empty Panel Provides Opportunity To Explore Further and Implement Hardening. Controls: Confirm Licensing, Availability, and Health of Respective Offerings. Logging: Confirm Log Source is Onboarded to the Log Analytics Workspace. Time: Adjust the Time Parameter for a Larger Data-Set. ", + "timeContext": { + "durationMs": 2592000000 + }, + "timeContextFromParameter": "TimeRange", + "showExportToExcel": true, + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces", + "crossComponentResources": [ + "{Workspace}" + ], + "visualization": "tiles", + "gridSettings": { + "formatters": [ + { + "columnMatch": "User", + "formatter": 18, + "formatOptions": { + "thresholdsOptions": "icons", + "thresholdsGrid": [ + { + "operator": "Default", + "thresholdValue": null, + "representation": "info", + "text": "{0}{1}" + } + ] + } + }, + { + "columnMatch": "Activities", + "formatter": 8, + "formatOptions": { + "palette": "blue" + } + } + ] + }, + "tileSettings": { + "titleContent": { + "columnMatch": "SigninStatus", + "formatter": 1 + }, + "leftContent": { + "columnMatch": "Count", + "formatter": 12, + "formatOptions": { + "palette": "blue" + }, + "numberFormat": { + "unit": 17, + "options": { + "style": "decimal", + "maximumFractionDigits": 2, + "maximumSignificantDigits": 3 + } + } + }, + "secondaryContent": { + "columnMatch": "Trend", + "formatter": 9, + "formatOptions": { + "palette": "green" + } + }, + "showBorder": false + }, + "mapSettings": { + "locInfo": "LatLong", + "locInfoColumn": "Location", + "latitude": "latitude_", + "longitude": "longitude_", + "sizeSettings": "city_", + "sizeAggregation": "Count", + "labelSettings": "city_", + "legendMetric": "city_", + "numberOfMetrics": 100, + "legendAggregation": "Count", + "itemColorSettings": { + "nodeColorField": "state_", + "colorAggregation": "Count", + "type": "heatmap", + "heatmapPalette": "coldHot" + } + } + }, + "customWidth": "50", + "name": "query - 3" + }, + { + "type": 12, + "content": { + "version": "NotebookGroup/1.0", + "groupType": "editable", + "items": [ + { + "type": 1, + "content": { + "json": "## Control Assessment\r\n" + }, + "name": "text - 2" + }, + { + "type": 9, + "content": { + "version": "KqlParameterItem/1.0", + "parameters": [ + { + "id": "52668f65-b44a-4e14-82d8-c87410e7e5dc", + "version": "KqlParameterItem/1.0", + "name": "ImplementationStatus", + "label": "Implementation Status", + "type": 2, + "typeSettings": { + "additionalResourceOptions": [], + "showDefault": false + }, + "jsonData": "[\r\n {\"value\": \"Not Implemented\", \"label\": \"Not Implemented\", \"selected\":true},\r\n {\"value\": \"Implemented\", \"label\": \"Implemented\"},\r\n {\"value\": \"Alternate Implementation\", \"label\": \"Alternate Implementation\"},\r\n {\"value\": \"Planned\", \"label\": \"Planned\"},\r\n {\"value\": \"Out of Scope\", \"label\": \"Out of Scope\"}\r\n]", + "timeContext": { + "durationMs": 86400000 + } + }, + { + "id": "578b8620-30b9-4b92-abc6-997998bc8156", + "version": "KqlParameterItem/1.0", + "name": "ImplementationDate", + "label": "Implementation Date", + "type": 1, + "value": "", + "timeContext": { + "durationMs": 86400000 + } + }, + { + "version": "KqlParameterItem/1.0", + "name": "Notes", + "type": 1, + "value": "", + "timeContext": { + "durationMs": 86400000 + }, + "id": "7bd0d384-d3c3-4c77-9dae-d75e823edfcf" + } + ], + "style": "pills", + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces" + }, + "name": "Status" + }, + { + "type": 1, + "content": { + "json": "### Notes
\r\n{Notes}" + }, + "name": "text - 1" + } + ] + }, + "customWidth": "50", + "name": "group - 2" + }, + { + "type": 3, + "content": { + "version": "KqlItem/1.0", + "query": "let nonInteractive = AADNonInteractiveUserSignInLogs\r\n| extend LocationDetails = parse_json(LocationDetails)\r\n| extend Status = parse_json(Status)\r\n| extend ConditionalAccessPolicies = parse_json(ConditionalAccessPolicies);\r\nlet data = \r\nunion SigninLogs,nonInteractive\r\n|extend CAStatus = case(ConditionalAccessStatus ==\"success\",\"Successful\",\r\n ConditionalAccessStatus == \"failure\", \"Failed\", \r\n ConditionalAccessStatus == \"notApplied\", \"Not applied\", \r\n isempty(ConditionalAccessStatus), \"Not applied\", \r\n \"Disabled\")\r\n|mvexpand ConditionalAccessPolicies\r\n|extend CAGrantControlName = tostring(ConditionalAccessPolicies.enforcedGrantControls[0])\r\n|extend CAGrantControl = case(CAGrantControlName contains \"MFA\", \"Require MFA\", \r\n CAGrantControlName contains \"Terms of Use\", \"Require Terms of Use\", \r\n CAGrantControlName contains \"Privacy\", \"Require Privacy Statement\", \r\n CAGrantControlName contains \"Device\", \"Require Device Compliant\", \r\n CAGrantControlName contains \"Azure AD Joined\", \"Require Hybird Azure AD Joined Device\", \r\n CAGrantControlName contains \"Apps\", \"Require Approved Apps\",\r\n \"Other\");\r\ndata\r\n| summarize Count = dcount(Id) by CAStatus\r\n| join kind = inner (data\r\n | make-series Trend = dcount(Id) default = 0 on TimeGenerated in range({TimeRange:start}, {TimeRange:end}, {TimeRange:grain}) by CAStatus\r\n ) on CAStatus\r\n| project-away CAStatus1, TimeGenerated\r\n| order by Count desc", + "size": 4, + "showAnalytics": true, + "title": "Conditional Access Status ", + "noDataMessage": "An Empty Panel Provides Opportunity To Explore Further and Implement Hardening. Controls: Confirm Licensing, Availability, and Health of Respective Offerings. Logging: Confirm Log Source is Onboarded to the Log Analytics Workspace. Time: Adjust the Time Parameter for a Larger Data-Set. ", + "timeContext": { + "durationMs": 2592000000 + }, + "timeContextFromParameter": "TimeRange", + "showExportToExcel": true, + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces", + "crossComponentResources": [ + "{Workspace}" + ], + "visualization": "tiles", + "tileSettings": { + "titleContent": { + "columnMatch": "CAStatus", + "formatter": 1 + }, + "subtitleContent": { + "columnMatch": "Category" + }, + "leftContent": { + "columnMatch": "Count", + "formatter": 12, + "formatOptions": { + "palette": "auto" + }, + "numberFormat": { + "unit": 17, + "options": { + "maximumSignificantDigits": 3, + "maximumFractionDigits": 2 + } + } + }, + "secondaryContent": { + "columnMatch": "Trend", + "formatter": 9, + "formatOptions": { + "palette": "blue" + } + }, + "showBorder": false + } + }, + "customWidth": "50", + "name": "Conditional Access Status " + }, + { + "type": 3, + "content": { + "version": "KqlItem/1.0", + "query": "SigninLogs\r\n| where ResultType == 0 and AppDisplayName != \"\"\r\n| summarize count() by AppDisplayName\r\n| join (\r\nSigninLogs\r\n| make-series TrendList = count() on TimeGenerated in range({TimeRange:start}, {TimeRange:end}, 4h) by AppDisplayName \r\n) on AppDisplayName\r\n| top 10 by count_ desc", + "size": 4, + "showAnalytics": true, + "title": "User Sign-Ins By Application", + "timeContext": { + "durationMs": 2592000000 + }, + "timeContextFromParameter": "TimeRange", + "showExportToExcel": true, + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces", + "crossComponentResources": [ + "{Workspace}" + ], + "visualization": "tiles", + "gridSettings": { + "formatters": [ + { + "columnMatch": "User", + "formatter": 18, + "formatOptions": { + "thresholdsOptions": "icons", + "thresholdsGrid": [ + { + "operator": "Default", + "thresholdValue": null, + "representation": "info", + "text": "{0}{1}" + } + ] + } + }, + { + "columnMatch": "Activities", + "formatter": 8, + "formatOptions": { + "palette": "blue" + } + } + ] + }, + "tileSettings": { + "titleContent": { + "columnMatch": "AppDisplayName", + "formatter": 1 + }, + "leftContent": { + "columnMatch": "count_", + "formatter": 12, + "formatOptions": { + "palette": "auto" + }, + "numberFormat": { + "unit": 17, + "options": { + "maximumSignificantDigits": 3, + "maximumFractionDigits": 2 + } + } + }, + "secondaryContent": { + "columnMatch": "TrendList", + "formatter": 9, + "formatOptions": { + "palette": "blue" + } + }, + "showBorder": false + }, + "graphSettings": { + "type": 0, + "topContent": { + "columnMatch": "AppDisplayName", + "formatter": 1 + }, + "centerContent": { + "columnMatch": "count_", + "formatter": 1, + "numberFormat": { + "unit": 17, + "options": { + "maximumSignificantDigits": 3, + "maximumFractionDigits": 2 + } + } + } + }, + "mapSettings": { + "locInfo": "LatLong", + "locInfoColumn": "Location", + "latitude": "latitude_", + "longitude": "longitude_", + "sizeSettings": "city_", + "sizeAggregation": "Count", + "labelSettings": "city_", + "legendMetric": "city_", + "numberOfMetrics": 100, + "legendAggregation": "Count", + "itemColorSettings": { + "nodeColorField": "state_", + "colorAggregation": "Count", + "type": "heatmap", + "heatmapPalette": "coldHot" + } + } + }, + "customWidth": "50", + "name": "query - 4" + } + ] + }, + "name": "IA.L1-3.5.2", + "styleSettings": { + "showBorder": true + } + } + ] + }, + "conditionalVisibility": { + "parameterName": "isML1Visible", + "comparison": "isEqualTo", + "value": "true" + }, + "name": "Level 1: Foundational" + }, + { + "type": 12, + "content": { + "version": "NotebookGroup/1.0", + "groupType": "editable", + "title": "Level 2: Advanced", + "items": [ + { + "type": 1, + "content": { + "json": "A subset of programs with Level 2 (“Advanced”) requirements do not involve information critical to national security, and associated contractors will only be required to conduct self-assessments. Once CMMC 2.0 is implemented, contractors will be required to obtain a third-party CMMC assessment for a subset of acquisitions requiring Level 2 (“Advanced”) cybersecurity standards that involve information critical to national security. " + }, + "customWidth": "50", + "name": "text - 1" + }, + { + "type": 1, + "content": { + "json": "" + }, + "customWidth": "5", + "name": "text - 1" + }, + { + "type": 11, + "content": { + "version": "LinkItem/1.0", + "style": "list", + "links": [ + { + "id": "af33f331-b64b-4fbd-a0b4-3e411ff705a8", + "cellValue": "IA.L2-3.5.3", + "linkTarget": "step", + "linkLabel": "✳️ (IA.L2-3.5.3) Multifactor Authentication", + "preText": "", + "postText": "", + "style": "link" + }, + { + "id": "cca4d1e8-e1e2-4b1d-9b8a-698e6496924c", + "cellValue": "IA.L2-3.5.4", + "linkTarget": "step", + "linkLabel": "✳️ (IA.L2-3.5.4) Replay-Resistant Authentication", + "preText": "", + "postText": "", + "style": "link" + }, + { + "id": "f7074cad-e2ec-4a2c-84d1-7b33b14d4c04", + "cellValue": "IA.L2-3.5.5", + "linkTarget": "step", + "linkLabel": "✳️ (IA.L2-3.5.5) Identifier Reuse", + "preText": "", + "postText": "", + "style": "link" + }, + { + "id": "35bfb771-67e1-480a-ac96-0a59f2c8dbc2", + "cellValue": "IA.L2-3.5.6", + "linkTarget": "step", + "linkLabel": "✳️ (IA.L2-3.5.6) Identifier Handling", + "preText": "", + "postText": "", + "style": "link" + }, + { + "id": "b8324480-bbbc-43bc-891e-c957307c1d7c", + "cellValue": "IA.L2-3.5.7", + "linkTarget": "step", + "linkLabel": "✳️ (IA.L2-3.5.7) Password Complexity", + "preText": "", + "style": "link" + }, + { + "id": "9521f4a0-f7db-4ea9-aea6-4aed53e33082", + "cellValue": "IA.L2-3.5.8", + "linkTarget": "step", + "linkLabel": "✳️ (IA.L2-3.5.8) Pasword Reuse", + "preText": "", + "style": "link" + }, + { + "id": "9bf27466-8d4a-45b5-8c02-38a4e7c06948", + "cellValue": "IA.L2-3.5.9", + "linkTarget": "step", + "linkLabel": "✳️ (IA.L2-3.5.9) Temporary Passwords", + "preText": "", + "style": "link" + }, + { + "id": "df83fe53-c44b-4c47-9d2b-21780d7ee4cf", + "cellValue": "IA.L2-3.5.10", + "linkTarget": "step", + "linkLabel": "✳️ (IA.L2-3.5.10) Cryptographically-Protected Passwords", + "preText": "", + "style": "link" + }, + { + "id": "c6e6f1f1-17de-46f9-9dd6-75b3c37506c2", + "cellValue": "IA.L2-3.5.11", + "linkTarget": "step", + "linkLabel": "✳️ (IA.L2-3.5.11) Obscure Feedback", + "preText": "", + "style": "link" + } + ] + }, + "customWidth": "40", + "name": "ML2 Steps" + }, + { + "type": 12, + "content": { + "version": "NotebookGroup/1.0", + "groupType": "editable", + "items": [ + { + "type": 1, + "content": { + "json": "# [(IA.L2-3.5.3) Multifactor Authentication](https://docs.microsoft.com/azure/governance/policy/samples/cmmc-l3#use-multifactor-authentication-for-local-and-network-access-to-privileged-accounts-and-for-network-access-to-non-privileged-accounts)\r\n\r\n## Primary Services\r\n✳️ [VPN Gateway](https://azure.microsoft.com/services/vpn-gateway/) 🔀[Virtual Network Gateways](https://portal.azure.com/#blade/HubsExtension/BrowseResourceBlade/resourceType/Microsoft.Network%2FvirtualNetworkGateways)
\r\n✳️ [Azure Active Directory](https://azure.microsoft.com/services/active-directory/) 🔀[Azure Active Directory Portal](https://portal.azure.com/#blade/Microsoft_AAD_IAM/ActiveDirectoryMenuBlade/Overview)
\r\n✳️ [Multi-Factor Authentication](https://azure.microsoft.com/services/active-directory/) 🔀[Multi-Factor Authentication](https://portal.azure.com/#blade/Microsoft_AAD_IAM/MultifactorAuthenticationMenuBlade/GettingStarted)
\r\n✳️ [Intune/Microsoft Endpoint Manager](https://www.microsoft.com/microsoft-365/microsoft-endpoint-Manager) 🔀[Microsoft Endpoint Manager Admin Center](https://endpoint.microsoft.com/#home)
\r\n\r\n## Secondary Services\r\n✳️ [Microsoft Azure Portal](https://azure.microsoft.com/services/azure-defender-for-iot/) 🔀[Microsoft Azure Portal](https://portal.azure.com/)
\r\n✳️ [Azure Bastion](https://azure.microsoft.com/services/azure-bastion/) 🔀[Bastions](https://portal.azure.com/#blade/HubsExtension/BrowseResourceBlade/resourceType/Microsoft.Network%2FbastionHosts)
\r\n✳️ [Conditional Access](https://docs.microsoft.com/azure/active-directory/conditional-access/overview) 🔀[Azure Active Directory: Conditional Access](https://portal.azure.com/#blade/Microsoft_AAD_IAM/ConditionalAccessBlade/Policies)
\r\n✳️ [Azure AD Privileged Identity Management](https://docs.microsoft.com/azure/active-directory/privileged-identity-management/pim-getting-started) 🔀[Privileged Identity Management](https://portal.azure.com/#blade/Microsoft_Azure_PIMCommon/CommonMenuBlade/quickStart)
\r\n✳️ [GitHub Enterprise Cloud](https://github.com/enterprise) 🔀[GitHub Enterprise](https://enterprise.github.com/login)
\r\n✳️ [GitHub AE](https://docs.github.com/en/github-ae@latest/admin/overview/about-github-ae) 🔀[GitHub](https://github.com/)
\r\n\r\n## Recommended Logs\r\n🔷 [SecurityRecommendation](https://docs.microsoft.com/azure/defender-for-iot/how-to-security-data-access#security-recommendations) ✳️ [Microsoft Defender for Cloud](https://azure.microsoft.com/services/security-center/)
\r\n🔷 [SigninLogs](https://docs.microsoft.com/azure/azure-monitor/reference/tables/signinlogs) ✳️ [Azure Active Directory](https://azure.microsoft.com/services/active-directory/)
\r\n\r\n## Implementation Guidance\r\n[Microsoft Technical Reference Guide for CMMC](https://aka.ms/cmmc/techrefguide)\r\n## NIST SP 800-171 Mapping\r\n[3.5.3](https://csrc.nist.gov/publications/detail/sp/800-171/rev-2/final)
\r\n## NIST SP 800-53 R4 Mapping\r\n[IA-2(1), IA-2(2), IA-2(3)](https://csrc.nist.gov/publications/detail/sp/800-53/rev-4/final)\r\n## Microsoft Defender for Cloud: Regulatory Compliance\r\n[Go To: NIST SP 800-171 Assessment >](https://portal.azure.com/#blade/Microsoft_Azure_Security/SecurityMenuBlade/22)
\r\n" + }, + "customWidth": "50", + "name": "text - 0", + "styleSettings": { + "maxWidth": "50%" + } + }, + { + "type": 3, + "content": { + "version": "KqlItem/1.0", + "query": "let nonInteractive = AADNonInteractiveUserSignInLogs\r\n| extend LocationDetails = parse_json(LocationDetails)\r\n| extend Status = parse_json(Status)\r\n| extend ConditionalAccessPolicies = parse_json(ConditionalAccessPolicies);\r\nlet data = \r\nunion SigninLogs,nonInteractive \r\n|extend errorCode = toint(Status.errorCode)\r\n|extend Reason = tostring(Status.failureReason)\r\n|extend CAStatus = case(ConditionalAccessStatus ==0,\"✔️ Success\", \r\n ConditionalAccessStatus == 1, \"❌ Failure\", \r\n ConditionalAccessStatus == 2, \"⚠️ Not Applied\", \r\n ConditionalAccessStatus == \"\", \"⚠️ Not Applied\", \r\n \"🚫 Disabled\")\r\n|mvexpand ConditionalAccessPolicies\r\n|extend CAGrantControlName = tostring(ConditionalAccessPolicies.enforcedGrantControls[0])\r\n|extend CAGrantControl = case(CAGrantControlName contains \"MFA\", \"Require MFA\", \r\n CAGrantControlName contains \"Terms of Use\", \"Require Terms of Use\", \r\n CAGrantControlName contains \"Privacy\", \"Require Privacy Statement\", \r\n CAGrantControlName contains \"Device\", \"Require Device Compliant\", \r\n CAGrantControlName contains \"Azure AD Joined\", \"Require Hybird Azure AD Joined Device\", \r\n CAGrantControlName contains \"Apps\", \"Require Approved Apps\",\"Other\");\r\ndata\r\n| summarize Count = dcount(Id) by CAStatus, CAGrantControl\r\n| project Id = strcat(CAStatus, '/', CAGrantControl), Name = CAGrantControl, Parent = CAStatus, Count, Type = 'CAGrantControl'\r\n| join kind = inner (data\r\n | make-series Trend = dcount(Id) default = 0 on TimeGenerated in range({TimeRange:start}, {TimeRange:end}, {TimeRange:grain}) by CAStatus, CAGrantControl\r\n | project Id = strcat(CAStatus, '/', CAGrantControl), Trend\r\n ) on Id\r\n| project-away Id1\r\n| union (data\r\n | summarize Count = dcount(Id) by CAStatus\r\n | project Id = CAStatus, Name = CAStatus, Parent = '', Count, Type = 'CAStatus'\r\n | join kind = inner (data\r\n | make-series Trend = dcount(Id) default = 0 on TimeGenerated in range({TimeRange:start}, {TimeRange:end}, {TimeRange:grain}) by CAStatus\r\n | project Id = CAStatus, Trend\r\n ) on Id\r\n | project-away Id1)\r\n| order by Count desc", + "size": 0, + "showAnalytics": true, + "title": "MFA: Conditional Access Status", + "noDataMessage": "An Empty Panel Provides Opportunity To Explore Further and Implement Hardening. Controls: Confirm Licensing, Availability, and Health of Respective Offerings. Logging: Confirm Log Source is Onboarded to the Log Analytics Workspace. Time: Adjust the Time Parameter for a Larger Data-Set. ", + "timeContext": { + "durationMs": 2592000000 + }, + "timeContextFromParameter": "TimeRange", + "showExportToExcel": true, + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces", + "crossComponentResources": [ + "{Workspace}" + ], + "visualization": "table", + "gridSettings": { + "formatters": [ + { + "columnMatch": "Id", + "formatter": 5, + "formatOptions": { + "showIcon": true + } + }, + { + "columnMatch": "Parent", + "formatter": 5, + "formatOptions": { + "showIcon": true + } + }, + { + "columnMatch": "Count", + "formatter": 8, + "formatOptions": { + "min": 0, + "palette": "blue", + "showIcon": true + }, + "numberFormat": { + "unit": 0, + "options": { + "style": "decimal" + } + } + }, + { + "columnMatch": "Type", + "formatter": 5, + "formatOptions": { + "showIcon": true + } + }, + { + "columnMatch": "Trend", + "formatter": 9, + "formatOptions": { + "min": 0, + "palette": "blue", + "showIcon": true + } + } + ], + "hierarchySettings": { + "idColumn": "Id", + "parentColumn": "Parent", + "treeType": 0, + "expanderColumn": "Name", + "expandTopLevel": true + } + } + }, + "customWidth": "50", + "name": "query - 10", + "styleSettings": { + "margin": "50" + } + }, + { + "type": 12, + "content": { + "version": "NotebookGroup/1.0", + "groupType": "editable", + "items": [ + { + "type": 1, + "content": { + "json": "## Control Assessment\r\n" + }, + "name": "text - 2" + }, + { + "type": 9, + "content": { + "version": "KqlParameterItem/1.0", + "parameters": [ + { + "id": "52668f65-b44a-4e14-82d8-c87410e7e5dc", + "version": "KqlParameterItem/1.0", + "name": "ImplementationStatus", + "label": "Implementation Status", + "type": 2, + "typeSettings": { + "additionalResourceOptions": [], + "showDefault": false + }, + "jsonData": "[\r\n {\"value\": \"Not Implemented\", \"label\": \"Not Implemented\", \"selected\":true},\r\n {\"value\": \"Implemented\", \"label\": \"Implemented\"},\r\n {\"value\": \"Alternate Implementation\", \"label\": \"Alternate Implementation\"},\r\n {\"value\": \"Planned\", \"label\": \"Planned\"},\r\n {\"value\": \"Out of Scope\", \"label\": \"Out of Scope\"}\r\n]", + "timeContext": { + "durationMs": 86400000 + } + }, + { + "id": "578b8620-30b9-4b92-abc6-997998bc8156", + "version": "KqlParameterItem/1.0", + "name": "ImplementationDate", + "label": "Implementation Date", + "type": 1, + "value": "", + "timeContext": { + "durationMs": 86400000 + } + }, + { + "version": "KqlParameterItem/1.0", + "name": "Notes", + "type": 1, + "value": "", + "timeContext": { + "durationMs": 86400000 + }, + "id": "7bd0d384-d3c3-4c77-9dae-d75e823edfcf" + } + ], + "style": "pills", + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces" + }, + "name": "Status" + }, + { + "type": 1, + "content": { + "json": "### Notes
\r\n{Notes}" + }, + "name": "text - 1" + } + ] + }, + "customWidth": "50", + "name": "group - 2" + }, + { + "type": 3, + "content": { + "version": "KqlItem/1.0", + "query": "SecurityRecommendation\r\n| where RecommendationDisplayName contains \"MFA\" or RecommendationDisplayName contains \"factor\"\r\n| summarize arg_max(TimeGenerated, *) by RecommendationDisplayName, AssessedResourceId\r\n| summarize\r\n Failed = countif(RecommendationState == \"Unhealthy\"),\r\n Passed = countif(RecommendationState == \"Healthy\"),\r\n Total = countif(RecommendationState == \"Healthy\" or RecommendationState == \"Unhealthy\")\r\n by RecommendationDisplayName\r\n| extend PassedControls = (Passed / todouble(Total)) * 100\r\n| project RecommendationDisplayName, Total, PassedControls, Passed, Failed\r\n| sort by Total desc\r\n| limit 250", + "size": 0, + "showAnalytics": true, + "title": "Review Microsoft Defender for Cloud Recommendations", + "noDataMessage": "An Empty Panel Provides Opportunity To Explore Further and Implement Hardening. Controls: Confirm Licensing, Availability, and Health of Respective Offerings. Logging: Confirm Log Source is Onboarded to the Log Analytics Workspace. Time: Adjust the Time Parameter for a Larger Data-Set. ", + "timeContext": { + "durationMs": 0 + }, + "timeContextFromParameter": "TimeRange", + "showExportToExcel": true, + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces", + "crossComponentResources": [ + "{Workspace}" + ], + "gridSettings": { + "formatters": [ + { + "columnMatch": "RecommendationDisplayName", + "formatter": 18, + "formatOptions": { + "thresholdsOptions": "icons", + "thresholdsGrid": [ + { + "operator": "Default", + "thresholdValue": null, + "representation": "Gear", + "text": "{0}{1}" + } + ] + } + }, + { + "columnMatch": "Total", + "formatter": 22, + "formatOptions": { + "compositeBarSettings": { + "labelText": "", + "columnSettings": [ + { + "columnName": "Passed", + "color": "green" + }, + { + "columnName": "Failed", + "color": "redBright" + } + ] + } + } + }, + { + "columnMatch": "PassedControls", + "formatter": 0, + "numberFormat": { + "unit": 1, + "options": { + "style": "decimal", + "maximumFractionDigits": 2 + } + } + }, + { + "columnMatch": "ControlNumber", + "formatter": 18, + "formatOptions": { + "thresholdsOptions": "icons", + "thresholdsGrid": [ + { + "operator": "Default", + "thresholdValue": null, + "representation": "AllServices", + "text": "{0}{1}" + } + ] + } + }, + { + "columnMatch": "RecommendationState", + "formatter": 18, + "formatOptions": { + "thresholdsOptions": "icons", + "thresholdsGrid": [ + { + "operator": "!=", + "thresholdValue": "Healthy", + "representation": "3", + "text": "{0}{1}" + }, + { + "operator": "Default", + "thresholdValue": null, + "representation": "success", + "text": "{0}{1}" + } + ] + } + }, + { + "columnMatch": "count_", + "formatter": 4, + "formatOptions": { + "palette": "blue" + } + } + ], + "filter": true + } + }, + "customWidth": "50", + "name": "query - 1" + } + ] + }, + "name": "IA.L2-3.5.3", + "styleSettings": { + "showBorder": true + } + }, + { + "type": 12, + "content": { + "version": "NotebookGroup/1.0", + "groupType": "editable", + "items": [ + { + "type": 1, + "content": { + "json": "# [(IA.L2-3.5.4) Replay-Resistant Authentication](https://docs.microsoft.com/azure/governance/policy/samples/cmmc-l3#employ-replay-resistant-authentication-mechanisms-for-network-access-to-privileged-and-nonprivileged-accounts)\r\n\r\n## Primary Services\r\n✳️ [Microsoft Azure Portal](https://azure.microsoft.com/services/azure-defender-for-iot/) 🔀[Microsoft Azure Portal](https://portal.azure.com/)
\r\n✳️ [Azure Active Directory](https://azure.microsoft.com/services/active-directory/) 🔀[Azure Active Directory Portal](https://portal.azure.com/#blade/Microsoft_AAD_IAM/ActiveDirectoryMenuBlade/Overview)
\r\n✳️ [Multi-Factor Authentication](https://azure.microsoft.com/services/active-directory/) 🔀[Multi-Factor Authentication](https://portal.azure.com/#blade/Microsoft_AAD_IAM/MultifactorAuthenticationMenuBlade/GettingStarted)
\r\n✳️ [Intune/Microsoft Endpoint Manager](https://www.microsoft.com/microsoft-365/microsoft-endpoint-Manager) 🔀[Microsoft Endpoint Manager Admin Center](https://endpoint.microsoft.com/#home)
\r\n\r\n## Recommended Logs \r\n🔷 [SecurityRecommendation](https://docs.microsoft.com/azure/defender-for-iot/how-to-security-data-access#security-recommendations) ✳️ [Microsoft Defender for Cloud](https://azure.microsoft.com/services/security-center/)
\r\n\r\n## Implementation Guidance\r\n[Microsoft Technical Reference Guide for CMMC](https://aka.ms/cmmc/techrefguide)\r\n## NIST SP 800-171 Mapping\r\n[3.5.4](https://csrc.nist.gov/publications/detail/sp/800-171/rev-2/final)
\r\n## NIST SP 800-53 R4 Mapping\r\n[IA-2(8),IA-2(9)](https://csrc.nist.gov/publications/detail/sp/800-53/rev-4/final)\r\n## Microsoft Defender for Cloud: Regulatory Compliance\r\n[Go To: NIST SP 800-171 Assessment >](https://portal.azure.com/#blade/Microsoft_Azure_Security/SecurityMenuBlade/22)
\r\n" + }, + "customWidth": "50", + "name": "text - 0", + "styleSettings": { + "maxWidth": "50%" + } + }, + { + "type": 3, + "content": { + "version": "KqlItem/1.0", + "query": "SecurityRecommendation\r\n| where RecommendationDisplayName contains \"accessible\"\r\n| summarize arg_max(TimeGenerated, *) by RecommendationDisplayName, AssessedResourceId\r\n| summarize\r\n Failed = countif(RecommendationState == \"Unhealthy\"),\r\n Passed = countif(RecommendationState == \"Healthy\"),\r\n Total = countif(RecommendationState == \"Healthy\" or RecommendationState == \"Unhealthy\")\r\n by RecommendationDisplayName\r\n| extend PassedControls = (Passed / todouble(Total)) * 100\r\n| project RecommendationDisplayName, Total, PassedControls, Passed, Failed\r\n| sort by Total desc\r\n| limit 250", + "size": 0, + "showAnalytics": true, + "title": "Review Microsoft Defender for Cloud Recommendations", + "noDataMessage": "An Empty Panel Provides Opportunity To Explore Further and Implement Hardening. Controls: Confirm Licensing, Availability, and Health of Respective Offerings. Logging: Confirm Log Source is Onboarded to the Log Analytics Workspace. Time: Adjust the Time Parameter for a Larger Data-Set. ", + "timeContext": { + "durationMs": 2592000000 + }, + "timeContextFromParameter": "TimeRange", + "showExportToExcel": true, + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces", + "crossComponentResources": [ + "{Workspace}" + ], + "gridSettings": { + "formatters": [ + { + "columnMatch": "RecommendationDisplayName", + "formatter": 18, + "formatOptions": { + "thresholdsOptions": "icons", + "thresholdsGrid": [ + { + "operator": "Default", + "thresholdValue": null, + "representation": "Gear", + "text": "{0}{1}" + } + ] + } + }, + { + "columnMatch": "Total", + "formatter": 22, + "formatOptions": { + "compositeBarSettings": { + "labelText": "", + "columnSettings": [ + { + "columnName": "Passed", + "color": "green" + }, + { + "columnName": "Failed", + "color": "redBright" + } + ] + } + } + }, + { + "columnMatch": "PassedControls", + "formatter": 0, + "numberFormat": { + "unit": 1, + "options": { + "style": "decimal", + "maximumFractionDigits": 2 + } + } + }, + { + "columnMatch": "ControlNumber", + "formatter": 18, + "formatOptions": { + "thresholdsOptions": "icons", + "thresholdsGrid": [ + { + "operator": "Default", + "thresholdValue": null, + "representation": "AllServices", + "text": "{0}{1}" + } + ] + } + }, + { + "columnMatch": "RecommendationState", + "formatter": 18, + "formatOptions": { + "thresholdsOptions": "icons", + "thresholdsGrid": [ + { + "operator": "!=", + "thresholdValue": "Healthy", + "representation": "3", + "text": "{0}{1}" + }, + { + "operator": "Default", + "thresholdValue": null, + "representation": "success", + "text": "{0}{1}" + } + ] + } + }, + { + "columnMatch": "count_", + "formatter": 4, + "formatOptions": { + "palette": "blue" + } + } + ], + "filter": true + } + }, + "customWidth": "50", + "name": "query - 1" + }, + { + "type": 12, + "content": { + "version": "NotebookGroup/1.0", + "groupType": "editable", + "items": [ + { + "type": 1, + "content": { + "json": "## Control Assessment\r\n" + }, + "name": "text - 2" + }, + { + "type": 9, + "content": { + "version": "KqlParameterItem/1.0", + "parameters": [ + { + "id": "52668f65-b44a-4e14-82d8-c87410e7e5dc", + "version": "KqlParameterItem/1.0", + "name": "ImplementationStatus", + "label": "Implementation Status", + "type": 2, + "typeSettings": { + "additionalResourceOptions": [], + "showDefault": false + }, + "jsonData": "[\r\n {\"value\": \"Not Implemented\", \"label\": \"Not Implemented\", \"selected\":true},\r\n {\"value\": \"Implemented\", \"label\": \"Implemented\"},\r\n {\"value\": \"Alternate Implementation\", \"label\": \"Alternate Implementation\"},\r\n {\"value\": \"Planned\", \"label\": \"Planned\"},\r\n {\"value\": \"Out of Scope\", \"label\": \"Out of Scope\"}\r\n]", + "timeContext": { + "durationMs": 86400000 + } + }, + { + "id": "578b8620-30b9-4b92-abc6-997998bc8156", + "version": "KqlParameterItem/1.0", + "name": "ImplementationDate", + "label": "Implementation Date", + "type": 1, + "value": "", + "timeContext": { + "durationMs": 86400000 + } + }, + { + "version": "KqlParameterItem/1.0", + "name": "Notes", + "type": 1, + "value": "", + "timeContext": { + "durationMs": 86400000 + }, + "id": "7bd0d384-d3c3-4c77-9dae-d75e823edfcf" + } + ], + "style": "pills", + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces" + }, + "name": "Status" + }, + { + "type": 1, + "content": { + "json": "### Notes
\r\n{Notes}" + }, + "name": "text - 1" + } + ] + }, + "customWidth": "50", + "name": "group - 2" + } + ] + }, + "name": "IA.L2-3.5.4", + "styleSettings": { + "showBorder": true + } + }, + { + "type": 12, + "content": { + "version": "NotebookGroup/1.0", + "groupType": "editable", + "items": [ + { + "type": 1, + "content": { + "json": "# (IA.L2-3.5.5) Identifier Reuse\r\n\r\n## Primary Services\r\n✳️ [Azure Active Directory](https://azure.microsoft.com/services/active-directory/) 🔀[Azure Active Directory Portal](https://portal.azure.com/#blade/Microsoft_AAD_IAM/ActiveDirectoryMenuBlade/Overview)
\r\n\r\n## Secondary Services\r\n✳️ [Intune/Microsoft Endpoint Manager](https://www.microsoft.com/microsoft-365/microsoft-endpoint-Manager) 🔀[Microsoft Endpoint Manager Admin Center](https://endpoint.microsoft.com/#home)
\r\n✳️ [Microsoft 365 Compliance Management](https://www.microsoft.com/microsoft-365/enterprise/compliance-management) 🔀[Microsoft 365 Compliance Management](https://compliance.microsoft.com/)
\r\n\r\n## Recommended Configurations\r\n💡 [Restore or Remove a Recently Deleted User Using Azure Active Directory](https://docs.microsoft.com/azure/active-directory/fundamentals/active-directory-users-restore)\r\n\r\n## Recommended Logs\r\n🔷 [SecurityBaseline](https://docs.microsoft.com/azure/azure-monitor/reference/tables/securitybaseline) ✳️ [Microsoft Defender for Cloud](https://azure.microsoft.com/services/security-center/)
\r\n\r\n## Implementation Guidance\r\n[Microsoft Technical Reference Guide for CMMC](https://aka.ms/cmmc/techrefguide)\r\n## NIST SP 800-171 Mapping\r\n[3.5.5](https://csrc.nist.gov/publications/detail/sp/800-171/rev-2/final)
\r\n## NIST SP 800-53 R4 Mapping\r\n[IA-4](https://csrc.nist.gov/publications/detail/sp/800-53/rev-4/final)\r\n## Microsoft Defender for Cloud: Regulatory Compliance\r\n[Go To: NIST SP 800-171 Assessment >](https://portal.azure.com/#blade/Microsoft_Azure_Security/SecurityMenuBlade/22)
\r\n" + }, + "customWidth": "50", + "name": "text - 0", + "styleSettings": { + "maxWidth": "50%" + } + }, + { + "type": 3, + "content": { + "version": "KqlItem/1.0", + "query": "SecurityBaseline\r\n| where Description contains \"reuse\" or Description contains \"without password\" or Description contains \"unneccessary account\" or Description contains \"blank password\"\r\n| summarize arg_max(TimeGenerated, *) by Description, _ResourceId\r\n| summarize\r\n Failed = countif(AnalyzeResult == \"Failed\"),\r\n Passed = countif(AnalyzeResult == \"Passed\"),\r\n Total = countif(AnalyzeResult == \"Failed\" or AnalyzeResult == \"Passed\")\r\n by Description\r\n| extend PassedControls = (Passed / todouble(Total)) * 100\r\n| project Description, Total, PassedControls, Passed, Failed\r\n| sort by Total desc\r\n| limit 250", + "size": 0, + "showAnalytics": true, + "title": "Review Security Baselines for Identifier Reuse", + "noDataMessage": "An Empty Panel Provides Opportunity To Explore Further and Implement Hardening. Controls: Confirm Licensing, Availability, and Health of Respective Offerings. Logging: Confirm Log Source is Onboarded to the Log Analytics Workspace. Time: Adjust the Time Parameter for a Larger Data-Set. ", + "timeContext": { + "durationMs": 0 + }, + "timeContextFromParameter": "TimeRange", + "showExportToExcel": true, + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces", + "crossComponentResources": [ + "{Workspace}" + ], + "gridSettings": { + "formatters": [ + { + "columnMatch": "RecommendationDisplayName", + "formatter": 18, + "formatOptions": { + "thresholdsOptions": "icons", + "thresholdsGrid": [ + { + "operator": "Default", + "thresholdValue": null, + "representation": "Gear", + "text": "{0}{1}" + } + ] + } + }, + { + "columnMatch": "Total", + "formatter": 22, + "formatOptions": { + "compositeBarSettings": { + "labelText": "", + "columnSettings": [ + { + "columnName": "Passed", + "color": "green" + }, + { + "columnName": "Failed", + "color": "redBright" + } + ] + } + } + }, + { + "columnMatch": "PassedControls", + "formatter": 0, + "numberFormat": { + "unit": 1, + "options": { + "style": "decimal", + "maximumFractionDigits": 2 + } + } + }, + { + "columnMatch": "ControlNumber", + "formatter": 18, + "formatOptions": { + "thresholdsOptions": "icons", + "thresholdsGrid": [ + { + "operator": "Default", + "thresholdValue": null, + "representation": "AllServices", + "text": "{0}{1}" + } + ] + } + }, + { + "columnMatch": "RecommendationState", + "formatter": 18, + "formatOptions": { + "thresholdsOptions": "icons", + "thresholdsGrid": [ + { + "operator": "!=", + "thresholdValue": "Healthy", + "representation": "3", + "text": "{0}{1}" + }, + { + "operator": "Default", + "thresholdValue": null, + "representation": "success", + "text": "{0}{1}" + } + ] + } + }, + { + "columnMatch": "count_", + "formatter": 4, + "formatOptions": { + "palette": "blue" + } + } + ], + "filter": true + }, + "sortBy": [] + }, + "customWidth": "50", + "name": "query - 1 - Copy" + }, + { + "type": 12, + "content": { + "version": "NotebookGroup/1.0", + "groupType": "editable", + "items": [ + { + "type": 1, + "content": { + "json": "## Control Assessment\r\n" + }, + "name": "text - 2" + }, + { + "type": 9, + "content": { + "version": "KqlParameterItem/1.0", + "parameters": [ + { + "id": "52668f65-b44a-4e14-82d8-c87410e7e5dc", + "version": "KqlParameterItem/1.0", + "name": "ImplementationStatus", + "label": "Implementation Status", + "type": 2, + "typeSettings": { + "additionalResourceOptions": [], + "showDefault": false + }, + "jsonData": "[\r\n {\"value\": \"Not Implemented\", \"label\": \"Not Implemented\", \"selected\":true},\r\n {\"value\": \"Implemented\", \"label\": \"Implemented\"},\r\n {\"value\": \"Alternate Implementation\", \"label\": \"Alternate Implementation\"},\r\n {\"value\": \"Planned\", \"label\": \"Planned\"},\r\n {\"value\": \"Out of Scope\", \"label\": \"Out of Scope\"}\r\n]", + "timeContext": { + "durationMs": 86400000 + } + }, + { + "id": "578b8620-30b9-4b92-abc6-997998bc8156", + "version": "KqlParameterItem/1.0", + "name": "ImplementationDate", + "label": "Implementation Date", + "type": 1, + "value": "", + "timeContext": { + "durationMs": 86400000 + } + }, + { + "version": "KqlParameterItem/1.0", + "name": "Notes", + "type": 1, + "value": "", + "timeContext": { + "durationMs": 86400000 + }, + "id": "7bd0d384-d3c3-4c77-9dae-d75e823edfcf" + } + ], + "style": "pills", + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces" + }, + "name": "Status" + }, + { + "type": 1, + "content": { + "json": "### Notes
\r\n{Notes}" + }, + "name": "text - 1" + } + ] + }, + "customWidth": "50", + "name": "group - 2" + } + ] + }, + "name": "IA.L2-3.5.5", + "styleSettings": { + "showBorder": true + } + }, + { + "type": 12, + "content": { + "version": "NotebookGroup/1.0", + "groupType": "editable", + "items": [ + { + "type": 1, + "content": { + "json": "# (IA.L2-3.5.6) Identifier Handling\r\n\r\n## Primary Services\r\n✳️ [Azure Active Directory](https://azure.microsoft.com/services/active-directory/) 🔀[Azure Active Directory Portal](https://portal.azure.com/#blade/Microsoft_AAD_IAM/ActiveDirectoryMenuBlade/Overview)
\r\n✳️ [Microsoft Defender for Identity](https://www.microsoft.com/microsoft-365/security/identity-defender) 🔀[Microsoft Defender for Identity](https://portal.atp.azure.com/)
\r\n\r\n## Recommended Configurations\r\n💡 [Report on Azure AD Stale Users](https://gallery.technet.microsoft.com/scriptcenter/Report-on-Azure-AD-Stale-8e64c1c5)\r\n\r\n## Recommended Logs\r\n🔷 [SigninLogs](https://docs.microsoft.com/azure/azure-monitor/reference/tables/signinlogs) ✳️ [Azure Active Directory](https://azure.microsoft.com/services/active-directory/)
\r\n\r\n## Implementation Guidance\r\n[Microsoft Technical Reference Guide for CMMC](https://aka.ms/cmmc/techrefguide)\r\n## NIST SP 800-171 Mapping\r\n[3.5.6](https://csrc.nist.gov/publications/detail/sp/800-171/rev-2/final)
\r\n## NIST SP 800-53 R4 Mapping\r\n[IA-4)](https://csrc.nist.gov/publications/detail/sp/800-53/rev-4/final)\r\n## Microsoft Defender for Cloud: Regulatory Compliance\r\n[Go To: NIST SP 800-171 Assessment >](https://portal.azure.com/#blade/Microsoft_Azure_Security/SecurityMenuBlade/22)
\r\n" + }, + "customWidth": "50", + "name": "text - 0", + "styleSettings": { + "maxWidth": "50%" + } + }, + { + "type": 3, + "content": { + "version": "KqlItem/1.0", + "query": "let CurrentUsers = SigninLogs\r\n| where ResultType == \"0\"\r\n| where TimeGenerated > ago(30d)\r\n| summarize HistoricUsers = makeset(UserPrincipalName);\r\nSigninLogs\r\n| where ResultType == \"0\"\r\n| where TimeGenerated between (ago(90d)..ago(30d))\r\n| where UserPrincipalName !in (CurrentUsers)\r\n| extend UserProfile = strcat(\"https://portal.azure.com/#blade/Microsoft_AAD_IAM/UserDetailsMenuBlade/Profile/userId/\",UserId)\r\n| summarize count() by UserPrincipalName, UserProfile\r\n| sort by count_ desc\r\n| extend SignInsBeforeInactive = count_\r\n| project UserPrincipalName, UserProfile, SignInsBeforeInactive\r\n| limit 250\r\n", + "size": 0, + "showAnalytics": true, + "title": "Inactive AAD Accounts (Last Month)", + "noDataMessage": "An Empty Panel Provides Opportunity To Explore Further and Implement Hardening. Controls: Confirm Licensing, Availability, and Health of Respective Offerings. Logging: Confirm Log Source is Onboarded to the Log Analytics Workspace. Time: Adjust the Time Parameter for a Larger Data-Set. ", + "showExportToExcel": true, + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces", + "crossComponentResources": [ + "{Workspace}" + ], + "gridSettings": { + "formatters": [ + { + "columnMatch": "UserProfile", + "formatter": 7, + "formatOptions": { + "linkTarget": "Url", + "linkLabel": "Go To: AAD User Profile >" + } + }, + { + "columnMatch": "SignInsBeforeInactive", + "formatter": 4, + "formatOptions": { + "palette": "blue" + } + } + ], + "filter": true + } + }, + "customWidth": "50", + "name": "query - 1" + }, + { + "type": 12, + "content": { + "version": "NotebookGroup/1.0", + "groupType": "editable", + "items": [ + { + "type": 1, + "content": { + "json": "## Control Assessment\r\n" + }, + "name": "text - 2" + }, + { + "type": 9, + "content": { + "version": "KqlParameterItem/1.0", + "parameters": [ + { + "id": "52668f65-b44a-4e14-82d8-c87410e7e5dc", + "version": "KqlParameterItem/1.0", + "name": "ImplementationStatus", + "label": "Implementation Status", + "type": 2, + "typeSettings": { + "additionalResourceOptions": [], + "showDefault": false + }, + "jsonData": "[\r\n {\"value\": \"Not Implemented\", \"label\": \"Not Implemented\", \"selected\":true},\r\n {\"value\": \"Implemented\", \"label\": \"Implemented\"},\r\n {\"value\": \"Alternate Implementation\", \"label\": \"Alternate Implementation\"},\r\n {\"value\": \"Planned\", \"label\": \"Planned\"},\r\n {\"value\": \"Out of Scope\", \"label\": \"Out of Scope\"}\r\n]", + "timeContext": { + "durationMs": 86400000 + } + }, + { + "id": "578b8620-30b9-4b92-abc6-997998bc8156", + "version": "KqlParameterItem/1.0", + "name": "ImplementationDate", + "label": "Implementation Date", + "type": 1, + "value": "", + "timeContext": { + "durationMs": 86400000 + } + }, + { + "version": "KqlParameterItem/1.0", + "name": "Notes", + "type": 1, + "value": "", + "timeContext": { + "durationMs": 86400000 + }, + "id": "7bd0d384-d3c3-4c77-9dae-d75e823edfcf" + } + ], + "style": "pills", + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces" + }, + "name": "Status" + }, + { + "type": 1, + "content": { + "json": "### Notes
\r\n{Notes}" + }, + "name": "text - 1" + } + ] + }, + "customWidth": "50", + "name": "group - 2" + } + ] + }, + "name": "IA.L2-3.5.6", + "styleSettings": { + "showBorder": true + } + }, + { + "type": 12, + "content": { + "version": "NotebookGroup/1.0", + "groupType": "editable", + "items": [ + { + "type": 1, + "content": { + "json": "# [(IA.L2-3.5.7) Password Complexity](https://docs.microsoft.com/azure/governance/policy/samples/cmmc-l3#enforce-a-minimum-password-complexity-and-change-of-characters-when-new-passwords-are-created)\r\n\r\n## Primary Services\r\n✳️ [Azure Active Directory](https://azure.microsoft.com/services/active-directory/) 🔀[Azure Active Directory Portal](https://portal.azure.com/#blade/Microsoft_AAD_IAM/ActiveDirectoryMenuBlade/Overview)
\r\n\r\n## Secondary Services\r\n✳️ [Intune/Microsoft Endpoint Manager](https://www.microsoft.com/microsoft-365/microsoft-endpoint-Manager) 🔀[Microsoft Endpoint Manager Admin Center](https://endpoint.microsoft.com/#home)
\r\n✳️ [Azure AD Password Protection](https://docs.microsoft.com/azure/active-directory/governance/identity-governance-overview) 🔀[Azure AD Password Protection](https://portal.azure.com/#blade/Microsoft_AAD_IAM/PasswordProtectionBlade)
\r\n\r\n## Recommended Logs\r\n🔷 [SecurityRecommendation](https://docs.microsoft.com/azure/defender-for-iot/how-to-security-data-access#security-recommendations) ✳️ [Microsoft Defender for Cloud](https://azure.microsoft.com/services/security-center/)
\r\n\r\n## Implementation Guidance\r\n[Microsoft Technical Reference Guide for CMMC](https://aka.ms/cmmc/techrefguide)\r\n## NIST SP 800-171 Mapping\r\n[3.5.7](https://csrc.nist.gov/publications/detail/sp/800-171/rev-2/final)
\r\n## NIST SP 800-53 R4 Mapping\r\n[IA-5(1)](https://csrc.nist.gov/publications/detail/sp/800-53/rev-4/final)\r\n## Microsoft Defender for Cloud: Regulatory Compliance\r\n[Go To: NIST SP 800-171 Assessment >](https://portal.azure.com/#blade/Microsoft_Azure_Security/SecurityMenuBlade/22)
\r\n" + }, + "customWidth": "50", + "name": "text - 0", + "styleSettings": { + "maxWidth": "50%" + } + }, + { + "type": 3, + "content": { + "version": "KqlItem/1.0", + "query": "SecurityRecommendation\r\n| where RecommendationDisplayName contains \"password\"\r\n| summarize arg_max(TimeGenerated, *) by RecommendationDisplayName, AssessedResourceId\r\n| summarize\r\n Failed = countif(RecommendationState == \"Unhealthy\"),\r\n Passed = countif(RecommendationState == \"Healthy\"),\r\n Total = countif(RecommendationState == \"Healthy\" or RecommendationState == \"Unhealthy\")\r\n by RecommendationDisplayName\r\n| extend PassedControls = (Passed / todouble(Total)) * 100\r\n| project RecommendationDisplayName, Total, PassedControls, Passed, Failed\r\n| sort by Total desc\r\n| limit 250", + "size": 0, + "showAnalytics": true, + "title": "Review Microsoft Defender for Cloud Recommendations", + "noDataMessage": "An Empty Panel Provides Opportunity To Explore Further and Implement Hardening. Controls: Confirm Licensing, Availability, and Health of Respective Offerings. Logging: Confirm Log Source is Onboarded to the Log Analytics Workspace. Time: Adjust the Time Parameter for a Larger Data-Set. ", + "timeContext": { + "durationMs": 2592000000 + }, + "timeContextFromParameter": "TimeRange", + "showExportToExcel": true, + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces", + "crossComponentResources": [ + "{Workspace}" + ], + "gridSettings": { + "formatters": [ + { + "columnMatch": "RecommendationDisplayName", + "formatter": 18, + "formatOptions": { + "thresholdsOptions": "icons", + "thresholdsGrid": [ + { + "operator": "Default", + "thresholdValue": null, + "representation": "Gear", + "text": "{0}{1}" + } + ] + } + }, + { + "columnMatch": "Total", + "formatter": 22, + "formatOptions": { + "compositeBarSettings": { + "labelText": "", + "columnSettings": [ + { + "columnName": "Passed", + "color": "green" + }, + { + "columnName": "Failed", + "color": "redBright" + } + ] + } + } + }, + { + "columnMatch": "PassedControls", + "formatter": 0, + "numberFormat": { + "unit": 1, + "options": { + "style": "decimal", + "maximumFractionDigits": 2 + } + } + }, + { + "columnMatch": "ControlNumber", + "formatter": 18, + "formatOptions": { + "thresholdsOptions": "icons", + "thresholdsGrid": [ + { + "operator": "Default", + "thresholdValue": null, + "representation": "AllServices", + "text": "{0}{1}" + } + ] + } + }, + { + "columnMatch": "RecommendationState", + "formatter": 18, + "formatOptions": { + "thresholdsOptions": "icons", + "thresholdsGrid": [ + { + "operator": "!=", + "thresholdValue": "Healthy", + "representation": "3", + "text": "{0}{1}" + }, + { + "operator": "Default", + "thresholdValue": null, + "representation": "success", + "text": "{0}{1}" + } + ] + } + }, + { + "columnMatch": "count_", + "formatter": 4, + "formatOptions": { + "palette": "blue" + } + } + ], + "filter": true + } + }, + "customWidth": "50", + "name": "query - 1" + }, + { + "type": 12, + "content": { + "version": "NotebookGroup/1.0", + "groupType": "editable", + "items": [ + { + "type": 1, + "content": { + "json": "## Control Assessment\r\n" + }, + "name": "text - 2" + }, + { + "type": 9, + "content": { + "version": "KqlParameterItem/1.0", + "parameters": [ + { + "id": "52668f65-b44a-4e14-82d8-c87410e7e5dc", + "version": "KqlParameterItem/1.0", + "name": "ImplementationStatus", + "label": "Implementation Status", + "type": 2, + "typeSettings": { + "additionalResourceOptions": [], + "showDefault": false + }, + "jsonData": "[\r\n {\"value\": \"Not Implemented\", \"label\": \"Not Implemented\", \"selected\":true},\r\n {\"value\": \"Implemented\", \"label\": \"Implemented\"},\r\n {\"value\": \"Alternate Implementation\", \"label\": \"Alternate Implementation\"},\r\n {\"value\": \"Planned\", \"label\": \"Planned\"},\r\n {\"value\": \"Out of Scope\", \"label\": \"Out of Scope\"}\r\n]", + "timeContext": { + "durationMs": 86400000 + } + }, + { + "id": "578b8620-30b9-4b92-abc6-997998bc8156", + "version": "KqlParameterItem/1.0", + "name": "ImplementationDate", + "label": "Implementation Date", + "type": 1, + "value": "", + "timeContext": { + "durationMs": 86400000 + } + }, + { + "version": "KqlParameterItem/1.0", + "name": "Notes", + "type": 1, + "value": "", + "timeContext": { + "durationMs": 86400000 + }, + "id": "7bd0d384-d3c3-4c77-9dae-d75e823edfcf" + } + ], + "style": "pills", + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces" + }, + "name": "Status" + }, + { + "type": 1, + "content": { + "json": "### Notes
\r\n{Notes}" + }, + "name": "text - 1" + } + ] + }, + "customWidth": "50", + "name": "group - 2" + } + ] + }, + "name": "IA.L2-3.5.7", + "styleSettings": { + "showBorder": true + } + }, + { + "type": 12, + "content": { + "version": "NotebookGroup/1.0", + "groupType": "editable", + "items": [ + { + "type": 1, + "content": { + "json": "# [(IA.L2-3.5.8) Password Reuse](https://docs.microsoft.com/azure/governance/policy/samples/cmmc-l3#prohibit-password-reuse-for-a-specified-number-of-generations)\r\n\r\n## Primary Services\r\n✳️ [Azure Active Directory](https://azure.microsoft.com/services/active-directory/) 🔀[Azure Active Directory Portal](https://portal.azure.com/#blade/Microsoft_AAD_IAM/ActiveDirectoryMenuBlade/Overview)
\r\n\r\n## Secondary Services\r\n✳️ [Intune/Microsoft Endpoint Manager](https://www.microsoft.com/microsoft-365/microsoft-endpoint-Manager) 🔀[Microsoft Endpoint Manager Admin Center](https://endpoint.microsoft.com/#home)
\r\n✳️ [Azure AD Password Protection](https://docs.microsoft.com/azure/active-directory/governance/identity-governance-overview) 🔀[Azure AD Password Protection](https://portal.azure.com/#blade/Microsoft_AAD_IAM/PasswordProtectionBlade)
\r\n\r\n## Recommended Logs\r\n🔷 [SecurityRecommendation](https://docs.microsoft.com/azure/defender-for-iot/how-to-security-data-access#security-recommendations) ✳️ [Microsoft Defender for Cloud](https://azure.microsoft.com/services/security-center/)
\r\n\r\n## Implementation Guidance\r\n[Microsoft Technical Reference Guide for CMMC](https://aka.ms/cmmc/techrefguide)\r\n## NIST SP 800-171 Mapping\r\n[3.5.8](https://csrc.nist.gov/publications/detail/sp/800-171/rev-2/final)
\r\n## NIST SP 800-53 R4 Mapping\r\n[IA-5(1)](https://csrc.nist.gov/publications/detail/sp/800-53/rev-4/final)\r\n## Microsoft Defender for Cloud: Regulatory Compliance\r\n[Go To: NIST SP 800-171 Assessment >](https://portal.azure.com/#blade/Microsoft_Azure_Security/SecurityMenuBlade/22)
\r\n" + }, + "customWidth": "50", + "name": "text - 0", + "styleSettings": { + "maxWidth": "50%" + } + }, + { + "type": 3, + "content": { + "version": "KqlItem/1.0", + "query": "SecurityBaseline\r\n| where Description contains \"reuse\" or Description contains \"password\" \r\n| summarize arg_max(TimeGenerated, *) by Description, _ResourceId\r\n| summarize\r\n Failed = countif(AnalyzeResult == \"Failed\"),\r\n Passed = countif(AnalyzeResult == \"Passed\"),\r\n Total = countif(AnalyzeResult == \"Failed\" or AnalyzeResult == \"Passed\")\r\n by Description\r\n| extend PassedControls = (Passed / todouble(Total)) * 100\r\n| project Description, Total, PassedControls, Passed, Failed\r\n| sort by Total desc\r\n| limit 250", + "size": 0, + "showAnalytics": true, + "title": "Review Security Baselines for Password Reuse", + "noDataMessage": "An Empty Panel Provides Opportunity To Explore Further and Implement Hardening. Controls: Confirm Licensing, Availability, and Health of Respective Offerings. Logging: Confirm Log Source is Onboarded to the Log Analytics Workspace. Time: Adjust the Time Parameter for a Larger Data-Set. ", + "timeContext": { + "durationMs": 0 + }, + "timeContextFromParameter": "TimeRange", + "showExportToExcel": true, + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces", + "crossComponentResources": [ + "{Workspace}" + ], + "gridSettings": { + "formatters": [ + { + "columnMatch": "RecommendationDisplayName", + "formatter": 18, + "formatOptions": { + "thresholdsOptions": "icons", + "thresholdsGrid": [ + { + "operator": "Default", + "thresholdValue": null, + "representation": "Gear", + "text": "{0}{1}" + } + ] + } + }, + { + "columnMatch": "Total", + "formatter": 22, + "formatOptions": { + "compositeBarSettings": { + "labelText": "", + "columnSettings": [ + { + "columnName": "Passed", + "color": "green" + }, + { + "columnName": "Failed", + "color": "redBright" + } + ] + } + } + }, + { + "columnMatch": "PassedControls", + "formatter": 0, + "numberFormat": { + "unit": 1, + "options": { + "style": "decimal", + "maximumFractionDigits": 2 + } + } + }, + { + "columnMatch": "ControlNumber", + "formatter": 18, + "formatOptions": { + "thresholdsOptions": "icons", + "thresholdsGrid": [ + { + "operator": "Default", + "thresholdValue": null, + "representation": "AllServices", + "text": "{0}{1}" + } + ] + } + }, + { + "columnMatch": "RecommendationState", + "formatter": 18, + "formatOptions": { + "thresholdsOptions": "icons", + "thresholdsGrid": [ + { + "operator": "!=", + "thresholdValue": "Healthy", + "representation": "3", + "text": "{0}{1}" + }, + { + "operator": "Default", + "thresholdValue": null, + "representation": "success", + "text": "{0}{1}" + } + ] + } + }, + { + "columnMatch": "count_", + "formatter": 4, + "formatOptions": { + "palette": "blue" + } + } + ], + "filter": true + } + }, + "customWidth": "50", + "name": "query - 1 - Copy" + }, + { + "type": 12, + "content": { + "version": "NotebookGroup/1.0", + "groupType": "editable", + "items": [ + { + "type": 1, + "content": { + "json": "## Control Assessment\r\n" + }, + "name": "text - 2" + }, + { + "type": 9, + "content": { + "version": "KqlParameterItem/1.0", + "parameters": [ + { + "id": "52668f65-b44a-4e14-82d8-c87410e7e5dc", + "version": "KqlParameterItem/1.0", + "name": "ImplementationStatus", + "label": "Implementation Status", + "type": 2, + "typeSettings": { + "additionalResourceOptions": [], + "showDefault": false + }, + "jsonData": "[\r\n {\"value\": \"Not Implemented\", \"label\": \"Not Implemented\", \"selected\":true},\r\n {\"value\": \"Implemented\", \"label\": \"Implemented\"},\r\n {\"value\": \"Alternate Implementation\", \"label\": \"Alternate Implementation\"},\r\n {\"value\": \"Planned\", \"label\": \"Planned\"},\r\n {\"value\": \"Out of Scope\", \"label\": \"Out of Scope\"}\r\n]", + "timeContext": { + "durationMs": 86400000 + } + }, + { + "id": "578b8620-30b9-4b92-abc6-997998bc8156", + "version": "KqlParameterItem/1.0", + "name": "ImplementationDate", + "label": "Implementation Date", + "type": 1, + "value": "", + "timeContext": { + "durationMs": 86400000 + } + }, + { + "version": "KqlParameterItem/1.0", + "name": "Notes", + "type": 1, + "value": "", + "timeContext": { + "durationMs": 86400000 + }, + "id": "7bd0d384-d3c3-4c77-9dae-d75e823edfcf" + } + ], + "style": "pills", + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces" + }, + "name": "Status" + }, + { + "type": 1, + "content": { + "json": "### Notes
\r\n{Notes}" + }, + "name": "text - 1" + } + ] + }, + "customWidth": "50", + "name": "group - 2" + } + ] + }, + "name": "IA.L2-3.5.8", + "styleSettings": { + "showBorder": true + } + }, + { + "type": 12, + "content": { + "version": "NotebookGroup/1.0", + "groupType": "editable", + "items": [ + { + "type": 1, + "content": { + "json": "# (IA.L2-3.5.9) Temporary Passwords\r\n\r\n## Primary Services\r\n✳️ [Azure Active Directory](https://azure.microsoft.com/services/active-directory/) 🔀[Azure Active Directory Portal](https://portal.azure.com/#blade/Microsoft_AAD_IAM/ActiveDirectoryMenuBlade/Overview)
\r\n\r\n## Recommended Configurations\r\n💡 [Reset a User's Password Using Azure Active Directory](https://docs.microsoft.com/azure/active-directory/fundamentals/active-directory-users-reset-password-azure-portal)\r\n\r\n## Implementation Guidance\r\n[Microsoft Technical Reference Guide for CMMC](https://aka.ms/cmmc/techrefguide)\r\n## NIST SP 800-171 Mapping\r\n[3.5.9](https://csrc.nist.gov/publications/detail/sp/800-171/rev-2/final)
\r\n## NIST SP 800-53 R4 Mapping\r\n[IA-5(1)](https://csrc.nist.gov/publications/detail/sp/800-53/rev-4/final)\r\n## Microsoft Defender for Cloud: Regulatory Compliance\r\n[Go To: NIST SP 800-171 Assessment >](https://portal.azure.com/#blade/Microsoft_Azure_Security/SecurityMenuBlade/22)
\r\n" + }, + "customWidth": "50", + "name": "text - 0", + "styleSettings": { + "maxWidth": "50%" + } + }, + { + "type": 3, + "content": { + "version": "KqlItem/1.0", + "query": "AuditLogs\r\n| where OperationName contains \"reset\"\r\n| extend InitiatedBy = tostring(parse_json(tostring(InitiatedBy.user)).userPrincipalName)\r\n| extend PasswordResetUser = tostring(TargetResources[0].userPrincipalName)\r\n| summarize count() by InitiatedBy, OperationName, PasswordResetUser \r\n| sort by count_ desc\r\n| limit 250 ", + "size": 0, + "showAnalytics": true, + "title": "Enforce Temporary Passwords & Monitor Resets", + "noDataMessage": "An Empty Panel Provides Opportunity To Explore Further and Implement Hardening. Controls: Confirm Licensing, Availability, and Health of Respective Offerings. Logging: Confirm Log Source is Onboarded to the Log Analytics Workspace. Time: Adjust the Time Parameter for a Larger Data-Set. ", + "timeContext": { + "durationMs": 2592000000 + }, + "timeContextFromParameter": "TimeRange", + "showExportToExcel": true, + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces", + "crossComponentResources": [ + "{Workspace}" + ], + "gridSettings": { + "formatters": [ + { + "columnMatch": "InitiatedBy", + "formatter": 18, + "formatOptions": { + "thresholdsOptions": "icons", + "thresholdsGrid": [ + { + "operator": "Default", + "thresholdValue": null, + "representation": "pending", + "text": "{0}{1}" + } + ] + } + }, + { + "columnMatch": "OperationName", + "formatter": 18, + "formatOptions": { + "thresholdsOptions": "icons", + "thresholdsGrid": [ + { + "operator": "Default", + "thresholdValue": null, + "representation": "Gear", + "text": "{0}{1}" + } + ] + } + }, + { + "columnMatch": "PasswordResetUser", + "formatter": 18, + "formatOptions": { + "thresholdsOptions": "icons", + "thresholdsGrid": [ + { + "operator": "Default", + "thresholdValue": null, + "representation": "Person", + "text": "{0}{1}" + } + ] + } + }, + { + "columnMatch": "count_", + "formatter": 4, + "formatOptions": { + "palette": "blue" + } + } + ], + "filter": true + } + }, + "customWidth": "50", + "name": "query - 1" + }, + { + "type": 12, + "content": { + "version": "NotebookGroup/1.0", + "groupType": "editable", + "items": [ + { + "type": 1, + "content": { + "json": "## Control Assessment\r\n" + }, + "name": "text - 2" + }, + { + "type": 9, + "content": { + "version": "KqlParameterItem/1.0", + "parameters": [ + { + "id": "52668f65-b44a-4e14-82d8-c87410e7e5dc", + "version": "KqlParameterItem/1.0", + "name": "ImplementationStatus", + "label": "Implementation Status", + "type": 2, + "typeSettings": { + "additionalResourceOptions": [], + "showDefault": false + }, + "jsonData": "[\r\n {\"value\": \"Not Implemented\", \"label\": \"Not Implemented\", \"selected\":true},\r\n {\"value\": \"Implemented\", \"label\": \"Implemented\"},\r\n {\"value\": \"Alternate Implementation\", \"label\": \"Alternate Implementation\"},\r\n {\"value\": \"Planned\", \"label\": \"Planned\"},\r\n {\"value\": \"Out of Scope\", \"label\": \"Out of Scope\"}\r\n]", + "timeContext": { + "durationMs": 86400000 + } + }, + { + "id": "578b8620-30b9-4b92-abc6-997998bc8156", + "version": "KqlParameterItem/1.0", + "name": "ImplementationDate", + "label": "Implementation Date", + "type": 1, + "value": "", + "timeContext": { + "durationMs": 86400000 + } + }, + { + "version": "KqlParameterItem/1.0", + "name": "Notes", + "type": 1, + "value": "", + "timeContext": { + "durationMs": 86400000 + }, + "id": "7bd0d384-d3c3-4c77-9dae-d75e823edfcf" + } + ], + "style": "pills", + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces" + }, + "name": "Status" + }, + { + "type": 1, + "content": { + "json": "### Notes
\r\n{Notes}" + }, + "name": "text - 1" + } + ] + }, + "customWidth": "50", + "name": "group - 2" + } + ] + }, + "name": "IA.L2-3.5.9", + "styleSettings": { + "showBorder": true + } + }, + { + "type": 12, + "content": { + "version": "NotebookGroup/1.0", + "groupType": "editable", + "items": [ + { + "type": 1, + "content": { + "json": "# [(IA.L2-3.5.10) Cryptographically-Protected Passwords](https://docs.microsoft.com/azure/governance/policy/samples/cmmc-l3#store-and-transmit-only-cryptographically-protected-passwords)\r\n\r\n## Primary Services\r\n✳️ [Microsoft Azure Portal](https://azure.microsoft.com/services/azure-defender-for-iot/) 🔀[Microsoft Azure Portal](https://portal.azure.com/)
\r\n✳️ [Key Vault](https://azure.microsoft.com/services/key-vault/) 🔀[Key Vaults](https://portal.azure.com/#blade/HubsExtension/BrowseResource/resourceType/Microsoft.KeyVault%2Fvaults)
\r\n✳️ [Virtual Machines](https://azure.microsoft.com/services/virtual-machines/) 🔀[Virtual Machines](https://portal.azure.com/#blade/HubsExtension/BrowseResource/resourceType/Microsoft.Compute%2FVirtualMachines)
\r\n✳️ [Azure Active Directory](https://azure.microsoft.com/services/active-directory/) 🔀[Azure Active Directory Portal](https://portal.azure.com/#blade/Microsoft_AAD_IAM/ActiveDirectoryMenuBlade/Overview)
\r\n✳️ [Intune/Microsoft Endpoint Manager](https://www.microsoft.com/microsoft-365/microsoft-endpoint-Manager) 🔀[Microsoft Endpoint Manager Admin Center](https://endpoint.microsoft.com/#home)
\r\n\r\n## Recommended Logs\r\n🔷 [SecurityBaseline](https://docs.microsoft.com/azure/azure-monitor/reference/tables/securitybaseline) 🔷 [SecurityRecommendation](https://docs.microsoft.com/azure/defender-for-iot/how-to-security-data-access#security-recommendations) ✳️ [Microsoft Defender for Cloud](https://azure.microsoft.com/services/security-center/)
\r\n\r\n## Implementation Guidance\r\n[Microsoft Technical Reference Guide for CMMC](https://aka.ms/cmmc/techrefguide)\r\n## NIST SP 800-171 Mapping\r\n[3.5.10](https://csrc.nist.gov/publications/detail/sp/800-171/rev-2/final)
\r\n## NIST SP 800-53 R4 Mapping\r\n[IA-5(1)](https://csrc.nist.gov/publications/detail/sp/800-53/rev-4/final)\r\n## Microsoft Defender for Cloud: Regulatory Compliance\r\n[Go To: NIST SP 800-171 Assessment >](https://portal.azure.com/#blade/Microsoft_Azure_Security/SecurityMenuBlade/22)
\r\n" + }, + "customWidth": "50", + "name": "text - 0", + "styleSettings": { + "maxWidth": "50%" + } + }, + { + "type": 3, + "content": { + "version": "KqlItem/1.0", + "query": "SecurityBaseline\r\n| where Description contains \"hash\" or Description contains \"sha\"\r\n| where Description !contains \"network\"\r\n| summarize arg_max(TimeGenerated, *) by Description, _ResourceId\r\n| summarize\r\n Failed = countif(AnalyzeResult == \"Failed\"),\r\n Passed = countif(AnalyzeResult == \"Passed\"),\r\n Total = countif(AnalyzeResult == \"Failed\" or AnalyzeResult == \"Passed\")\r\n by Description\r\n| extend PassedControls = (Passed / todouble(Total)) * 100\r\n| project Description, Total, PassedControls, Passed, Failed\r\n| sort by Total desc\r\n| limit 250", + "size": 0, + "showAnalytics": true, + "title": "Review Security Baselines for Cryptographically Protected Password Configs", + "noDataMessage": "An Empty Panel Provides Opportunity To Explore Further and Implement Hardening. Controls: Confirm Licensing, Availability, and Health of Respective Offerings. Logging: Confirm Log Source is Onboarded to the Log Analytics Workspace. Time: Adjust the Time Parameter for a Larger Data-Set. ", + "timeContext": { + "durationMs": 0 + }, + "timeContextFromParameter": "TimeRange", + "showExportToExcel": true, + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces", + "crossComponentResources": [ + "{Workspace}" + ], + "gridSettings": { + "formatters": [ + { + "columnMatch": "RecommendationDisplayName", + "formatter": 18, + "formatOptions": { + "thresholdsOptions": "icons", + "thresholdsGrid": [ + { + "operator": "Default", + "thresholdValue": null, + "representation": "Gear", + "text": "{0}{1}" + } + ] + } + }, + { + "columnMatch": "Total", + "formatter": 22, + "formatOptions": { + "compositeBarSettings": { + "labelText": "", + "columnSettings": [ + { + "columnName": "Passed", + "color": "green" + }, + { + "columnName": "Failed", + "color": "redBright" + } + ] + } + } + }, + { + "columnMatch": "PassedControls", + "formatter": 0, + "numberFormat": { + "unit": 1, + "options": { + "style": "decimal", + "maximumFractionDigits": 2 + } + } + }, + { + "columnMatch": "ControlNumber", + "formatter": 18, + "formatOptions": { + "thresholdsOptions": "icons", + "thresholdsGrid": [ + { + "operator": "Default", + "thresholdValue": null, + "representation": "AllServices", + "text": "{0}{1}" + } + ] + } + }, + { + "columnMatch": "RecommendationState", + "formatter": 18, + "formatOptions": { + "thresholdsOptions": "icons", + "thresholdsGrid": [ + { + "operator": "!=", + "thresholdValue": "Healthy", + "representation": "3", + "text": "{0}{1}" + }, + { + "operator": "Default", + "thresholdValue": null, + "representation": "success", + "text": "{0}{1}" + } + ] + } + }, + { + "columnMatch": "count_", + "formatter": 4, + "formatOptions": { + "palette": "blue" + } + } + ], + "filter": true + } + }, + "customWidth": "50", + "name": "query - 1 - Copy" + }, + { + "type": 12, + "content": { + "version": "NotebookGroup/1.0", + "groupType": "editable", + "items": [ + { + "type": 1, + "content": { + "json": "## Control Assessment\r\n" + }, + "name": "text - 2" + }, + { + "type": 9, + "content": { + "version": "KqlParameterItem/1.0", + "parameters": [ + { + "id": "52668f65-b44a-4e14-82d8-c87410e7e5dc", + "version": "KqlParameterItem/1.0", + "name": "ImplementationStatus", + "label": "Implementation Status", + "type": 2, + "typeSettings": { + "additionalResourceOptions": [], + "showDefault": false + }, + "jsonData": "[\r\n {\"value\": \"Not Implemented\", \"label\": \"Not Implemented\", \"selected\":true},\r\n {\"value\": \"Implemented\", \"label\": \"Implemented\"},\r\n {\"value\": \"Alternate Implementation\", \"label\": \"Alternate Implementation\"},\r\n {\"value\": \"Planned\", \"label\": \"Planned\"},\r\n {\"value\": \"Out of Scope\", \"label\": \"Out of Scope\"}\r\n]", + "timeContext": { + "durationMs": 86400000 + } + }, + { + "id": "578b8620-30b9-4b92-abc6-997998bc8156", + "version": "KqlParameterItem/1.0", + "name": "ImplementationDate", + "label": "Implementation Date", + "type": 1, + "value": "", + "timeContext": { + "durationMs": 86400000 + } + }, + { + "version": "KqlParameterItem/1.0", + "name": "Notes", + "type": 1, + "value": "", + "timeContext": { + "durationMs": 86400000 + }, + "id": "7bd0d384-d3c3-4c77-9dae-d75e823edfcf" + } + ], + "style": "pills", + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces" + }, + "name": "Status" + }, + { + "type": 1, + "content": { + "json": "### Notes
\r\n{Notes}" + }, + "name": "text - 1" + } + ] + }, + "customWidth": "50", + "name": "group - 2" + }, + { + "type": 3, + "content": { + "version": "KqlItem/1.0", + "query": "SecurityRecommendation\r\n| where RecommendationDisplayName contains \"pass\" or RecommendationDisplayName contains \"hash\" or RecommendationDisplayName contains \"sha\"\r\n| summarize arg_max(TimeGenerated, *) by RecommendationDisplayName, AssessedResourceId\r\n| summarize\r\n Failed = countif(RecommendationState == \"Unhealthy\"),\r\n Passed = countif(RecommendationState == \"Healthy\"),\r\n Total = countif(RecommendationState == \"Healthy\" or RecommendationState == \"Unhealthy\")\r\n by RecommendationDisplayName\r\n| extend PassedControls = (Passed / todouble(Total)) * 100\r\n| project RecommendationDisplayName, Total, PassedControls, Passed, Failed\r\n| sort by Total desc\r\n| limit 250", + "size": 0, + "showAnalytics": true, + "title": "Review Microsoft Defender for Cloud Recommendations", + "noDataMessage": "An Empty Panel Provides Opportunity To Explore Further and Implement Hardening. Controls: Confirm Licensing, Availability, and Health of Respective Offerings. Logging: Confirm Log Source is Onboarded to the Log Analytics Workspace. Time: Adjust the Time Parameter for a Larger Data-Set. ", + "timeContext": { + "durationMs": 2592000000 + }, + "timeContextFromParameter": "TimeRange", + "showExportToExcel": true, + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces", + "crossComponentResources": [ + "{Workspace}" + ], + "gridSettings": { + "formatters": [ + { + "columnMatch": "RecommendationDisplayName", + "formatter": 18, + "formatOptions": { + "thresholdsOptions": "icons", + "thresholdsGrid": [ + { + "operator": "Default", + "thresholdValue": null, + "representation": "Gear", + "text": "{0}{1}" + } + ] + } + }, + { + "columnMatch": "Total", + "formatter": 22, + "formatOptions": { + "compositeBarSettings": { + "labelText": "", + "columnSettings": [ + { + "columnName": "Passed", + "color": "green" + }, + { + "columnName": "Failed", + "color": "redBright" + } + ] + } + } + }, + { + "columnMatch": "PassedControls", + "formatter": 0, + "numberFormat": { + "unit": 1, + "options": { + "style": "decimal", + "maximumFractionDigits": 2 + } + } + }, + { + "columnMatch": "ControlNumber", + "formatter": 18, + "formatOptions": { + "thresholdsOptions": "icons", + "thresholdsGrid": [ + { + "operator": "Default", + "thresholdValue": null, + "representation": "AllServices", + "text": "{0}{1}" + } + ] + } + }, + { + "columnMatch": "RecommendationState", + "formatter": 18, + "formatOptions": { + "thresholdsOptions": "icons", + "thresholdsGrid": [ + { + "operator": "!=", + "thresholdValue": "Healthy", + "representation": "3", + "text": "{0}{1}" + }, + { + "operator": "Default", + "thresholdValue": null, + "representation": "success", + "text": "{0}{1}" + } + ] + } + }, + { + "columnMatch": "count_", + "formatter": 4, + "formatOptions": { + "palette": "blue" + } + } + ], + "filter": true + } + }, + "customWidth": "50", + "name": "query - 1" + } + ] + }, + "name": "IA.L2-3.5.10", + "styleSettings": { + "showBorder": true + } + }, + { + "type": 12, + "content": { + "version": "NotebookGroup/1.0", + "groupType": "editable", + "items": [ + { + "type": 1, + "content": { + "json": "# (IA.L2-3.5.11) Obscure Feedback\r\n\r\n## Primary Services\r\n✳️ [Microsoft Azure Portal](https://azure.microsoft.com/services/azure-defender-for-iot/) 🔀[Microsoft Azure Portal](https://portal.azure.com/)
\r\n✳️ [Intune/Microsoft Endpoint Manager](https://www.microsoft.com/microsoft-365/microsoft-endpoint-Manager) 🔀[Microsoft Endpoint Manager Admin Center](https://endpoint.microsoft.com/#home)
\r\n\r\n## Secondary Services\r\n✳️ [Azure Bastion](https://azure.microsoft.com/services/azure-bastion/) 🔀[Bastions](https://portal.azure.com/#blade/HubsExtension/BrowseResourceBlade/resourceType/Microsoft.Network%2FbastionHosts)
\r\n✳️ [Virtual Machines](https://azure.microsoft.com/services/virtual-machines/) 🔀[Virtual Machines](https://portal.azure.com/#blade/HubsExtension/BrowseResource/resourceType/Microsoft.Compute%2FVirtualMachines)
\r\n\r\n## Recommended Logs\r\n🔷 [SecurityBaseline](https://docs.microsoft.com/azure/azure-monitor/reference/tables/securitybaseline) ✳️ [Microsoft Defender for Cloud](https://azure.microsoft.com/services/security-center/)
\r\n\r\n## Implementation Guidance\r\n[Microsoft Technical Reference Guide for CMMC](https://aka.ms/cmmc/techrefguide)\r\n## NIST SP 800-171 Mapping\r\n[3.5.11](https://csrc.nist.gov/publications/detail/sp/800-171/rev-2/final)
\r\n## NIST SP 800-53 R4 Mapping\r\n[IA-6](https://csrc.nist.gov/publications/detail/sp/800-53/rev-4/final)\r\n## Microsoft Defender for Cloud: Regulatory Compliance\r\n[Go To: NIST SP 800-171 Assessment >](https://portal.azure.com/#blade/Microsoft_Azure_Security/SecurityMenuBlade/22)
\r\n" + }, + "customWidth": "50", + "name": "text - 0", + "styleSettings": { + "maxWidth": "50%" + } + }, + { + "type": 3, + "content": { + "version": "KqlItem/1.0", + "query": "SecurityBaseline\r\n| where Description contains \"reveal\"\r\n| summarize arg_max(TimeGenerated, *) by _ResourceId\r\n| limit 250\r\n", + "size": 0, + "showAnalytics": true, + "title": "Monitor Password Obfuscation Policies with Security Baselines", + "noDataMessage": "An Empty Panel Provides Opportunity To Explore Further and Implement Hardening. Controls: Confirm Licensing, Availability, and Health of Respective Offerings. Logging: Confirm Log Source is Onboarded to the Log Analytics Workspace. Time: Adjust the Time Parameter for a Larger Data-Set. ", + "timeContext": { + "durationMs": 2592000000 + }, + "timeContextFromParameter": "TimeRange", + "showExportToExcel": true, + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces", + "crossComponentResources": [ + "{Workspace}" + ], + "gridSettings": { + "formatters": [ + { + "columnMatch": "AnalyzeResult", + "formatter": 18, + "formatOptions": { + "thresholdsOptions": "icons", + "thresholdsGrid": [ + { + "operator": "contains", + "thresholdValue": "Passed", + "representation": "success", + "text": "{0}{1}" + }, + { + "operator": "contains", + "thresholdValue": "Failed", + "representation": "failed", + "text": "{0}{1}" + }, + { + "operator": "Default", + "thresholdValue": null, + "representation": "success", + "text": "{0}{1}" + } + ] + } + }, + { + "columnMatch": "count_", + "formatter": 4, + "formatOptions": { + "palette": "blue" + } + } + ], + "filter": true + } + }, + "customWidth": "50", + "name": "query - 1", + "styleSettings": { + "maxWidth": "50" + } + }, + { + "type": 12, + "content": { + "version": "NotebookGroup/1.0", + "groupType": "editable", + "items": [ + { + "type": 1, + "content": { + "json": "## Control Assessment\r\n" + }, + "name": "text - 2" + }, + { + "type": 9, + "content": { + "version": "KqlParameterItem/1.0", + "parameters": [ + { + "id": "52668f65-b44a-4e14-82d8-c87410e7e5dc", + "version": "KqlParameterItem/1.0", + "name": "ImplementationStatus", + "label": "Implementation Status", + "type": 2, + "typeSettings": { + "additionalResourceOptions": [], + "showDefault": false + }, + "jsonData": "[\r\n {\"value\": \"Not Implemented\", \"label\": \"Not Implemented\", \"selected\":true},\r\n {\"value\": \"Implemented\", \"label\": \"Implemented\"},\r\n {\"value\": \"Alternate Implementation\", \"label\": \"Alternate Implementation\"},\r\n {\"value\": \"Planned\", \"label\": \"Planned\"},\r\n {\"value\": \"Out of Scope\", \"label\": \"Out of Scope\"}\r\n]", + "timeContext": { + "durationMs": 86400000 + } + }, + { + "id": "578b8620-30b9-4b92-abc6-997998bc8156", + "version": "KqlParameterItem/1.0", + "name": "ImplementationDate", + "label": "Implementation Date", + "type": 1, + "value": "", + "timeContext": { + "durationMs": 86400000 + } + }, + { + "version": "KqlParameterItem/1.0", + "name": "Notes", + "type": 1, + "value": "", + "timeContext": { + "durationMs": 86400000 + }, + "id": "7bd0d384-d3c3-4c77-9dae-d75e823edfcf" + } + ], + "style": "pills", + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces" + }, + "name": "Status" + }, + { + "type": 1, + "content": { + "json": "### Notes
\r\n{Notes}" + }, + "name": "text - 1" + } + ] + }, + "customWidth": "50", + "name": "group - 2" + } + ] + }, + "name": "IA.L2-3.5.11", + "styleSettings": { + "showBorder": true + } + } + ] + }, + "conditionalVisibility": { + "parameterName": "isML2Visible", + "comparison": "isEqualTo", + "value": "true" + }, + "name": "Level 2: Advanced" + } + ] + }, + "conditionalVisibility": { + "parameterName": "isIAVisible", + "comparison": "isEqualTo", + "value": "true" + }, + "name": "Identification & Authentication Group", + "styleSettings": { + "showBorder": true + } + }, + { + "type": 12, + "content": { + "version": "NotebookGroup/1.0", + "groupType": "editable", + "items": [ + { + "type": 1, + "content": { + "json": "# Incident Response\r\n---\r\nIncident Response is the process of responding to cybersecurity incidents and events. Incident Response includes preparation, identification, containment, eradication, recovery, and lessons learned phases. For more information, see the 💡[CMMC Model](https://www.acq.osd.mil/cmmc/model.html)" + }, + "customWidth": "50", + "name": "text - 5" + }, + { + "type": 12, + "content": { + "version": "NotebookGroup/1.0", + "groupType": "editable", + "title": "Level 2: Advanced", + "items": [ + { + "type": 1, + "content": { + "json": "A subset of programs with Level 2 (“Advanced”) requirements do not involve information critical to national security, and associated contractors will only be required to conduct self-assessments. Once CMMC 2.0 is implemented, contractors will be required to obtain a third-party CMMC assessment for a subset of acquisitions requiring Level 2 (“Advanced”) cybersecurity standards that involve information critical to national security. " + }, + "customWidth": "50", + "name": "text - 1" + }, + { + "type": 1, + "content": { + "json": "" + }, + "customWidth": "5", + "name": "text - 1" + }, + { + "type": 11, + "content": { + "version": "LinkItem/1.0", + "style": "list", + "links": [ + { + "id": "af33f331-b64b-4fbd-a0b4-3e411ff705a8", + "cellValue": "IR.L2-3.6.1", + "linkTarget": "step", + "linkLabel": "✳️ (IR.L2-3.6.1) Incident Handling", + "preText": "", + "postText": "", + "style": "link" + }, + { + "id": "1dd155a5-dfbc-40db-bbd2-b50a8aa54fda", + "cellValue": "IR.L2-3.6.2", + "linkTarget": "step", + "linkLabel": "✳️ (IR.L2-3.6.2) Incident Reporting", + "preText": "", + "style": "link" + }, + { + "id": "ad7ae5fb-0027-434d-8d04-bee75b0832f4", + "cellValue": "IR.L2-3.6.3", + "linkTarget": "step", + "linkLabel": "✳️ (IR.L2-3.6.3) Incident Response Testing", + "preText": "", + "style": "link" + } + ] + }, + "customWidth": "40", + "name": "ML2 Steps" + }, + { + "type": 12, + "content": { + "version": "NotebookGroup/1.0", + "groupType": "editable", + "items": [ + { + "type": 1, + "content": { + "json": "# [(IR.L2-3.6.1) Incident Handling](https://docs.microsoft.com/azure/governance/policy/samples/cmmc-l3#establish-an-operational-incident-handling-capability-for-organizational-systems-that-includes-preparation-detection-analysis-containment-recovery-and-user-response-activities)\r\n\r\n## Primary Services\r\n✳️ [Microsoft Sentinel](https://azure.microsoft.com/services/azure-sentinel/) 🔀[Microsoft Sentinel](https://portal.azure.com/#blade/HubsExtension/BrowseResource/resourceType/microsoft.securityinsightsarg%2Fsentinel)
\r\n✳️ [Microsoft 365 Defender](https://www.microsoft.com/microsoft-365/security/microsoft-365-defender) 🔀[Microsoft 365 Defender](https://security.microsoft.com/)
\r\n\r\n## Secondary Services\r\n✳️ [Microsoft Defender for Endpoint]( https://www.microsoft.com/microsoft-365/security/endpoint-defender) 🔀[Microsoft 365 Defender](https://security.microsoft.com/)
\r\n✳️ [Microsoft Defender for Office 365](https://www.microsoft.com/microsoft-365/security/office-365-defender) 🔀[Microsoft 365 Defender Portal](https://security.microsoft.com/homepage)
\r\n\r\n## Recommended Logs\r\n🔷 [SecurityIncident](https://docs.microsoft.com/azure/azure-monitor/reference/tables/securityincident) ✳️ [Microsoft Sentinel](https://azure.microsoft.com/services/azure-sentinel/) ✳️ [Microsoft 365 Defender](https://www.microsoft.com/microsoft-365/security/microsoft-365-defender) \r\n\r\n## Implementation Guidance\r\n[Microsoft Technical Reference Guide for CMMC](https://aka.ms/cmmc/techrefguide)\r\n## NIST SP 800-171 Mapping\r\n[3.6.1](https://csrc.nist.gov/publications/detail/sp/800-171/rev-2/final)
\r\n## NIST SP 800-53 R4 Mapping\r\n[IA-2](https://csrc.nist.gov/publications/detail/sp/800-53/rev-4/final)\r\n## Microsoft Defender for Cloud: Regulatory Compliance\r\n[Go To: NIST SP 800-171 Assessment >](https://portal.azure.com/#blade/Microsoft_Azure_Security/SecurityMenuBlade/22)
\r\n" + }, + "customWidth": "50", + "name": "text - 0", + "styleSettings": { + "maxWidth": "50%" + } + }, + { + "type": 12, + "content": { + "version": "NotebookGroup/1.0", + "groupType": "editable", + "title": " Incidents Summary", + "items": [ + { + "type": 3, + "content": { + "version": "KqlItem/1.0", + "query": "SecurityIncident\n| where Status == \"New\" or Status == \"Active\"\n| where Severity == \"High\"\n| summarize kwSum=count(TenantId)\n\n\n\n", + "size": 3, + "title": "CRITICAL", + "noDataMessage": "No unauthorized devices making config changes", + "timeContext": { + "durationMs": 2592000000 + }, + "timeContextFromParameter": "TimeRange", + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces", + "crossComponentResources": [ + "{Workspace}" + ], + "visualization": "tiles", + "gridSettings": { + "formatters": [ + { + "columnMatch": "Description", + "formatter": 7, + "formatOptions": { + "linkTarget": "CellDetails", + "linkIsContextBlade": true, + "customColumnWidthSetting": "60%" + } + }, + { + "columnMatch": "name", + "formatter": 0, + "formatOptions": { + "customColumnWidthSetting": "5%" + } + }, + { + "columnMatch": "severity", + "formatter": 18, + "formatOptions": { + "thresholdsOptions": "icons", + "thresholdsGrid": [ + { + "operator": "==", + "thresholdValue": "Critical", + "representation": "critical", + "text": "{0}{1}" + }, + { + "operator": "==", + "thresholdValue": "Major", + "representation": "2", + "text": "{0}{1}" + }, + { + "operator": "Default", + "thresholdValue": null, + "representation": null, + "text": "{0}{1}" + } + ], + "customColumnWidthSetting": "5" + } + }, + { + "columnMatch": "message", + "formatter": 7, + "formatOptions": { + "linkTarget": "CellDetails", + "linkIsContextBlade": true, + "customColumnWidthSetting": "70%" + } + } + ] + }, + "sortBy": [], + "tileSettings": { + "titleContent": { + "formatter": 1 + }, + "leftContent": { + "columnMatch": "kwSum", + "formatter": 12, + "formatOptions": { + "palette": "hotCold" + }, + "numberFormat": { + "unit": 17, + "options": { + "style": "decimal", + "maximumFractionDigits": 2, + "maximumSignificantDigits": 3 + } + } + }, + "showBorder": false, + "size": "auto" + } + }, + "customWidth": "24", + "name": "query - 10" + }, + { + "type": 3, + "content": { + "version": "KqlItem/1.0", + "query": "SecurityIncident\n| where Status == \"New\" or Status == \"Active\"\n| summarize kwSum=count(TenantId)\n\n\n\n", + "size": 0, + "title": "OPEN", + "timeContext": { + "durationMs": 2592000000 + }, + "timeContextFromParameter": "TimeRange", + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces", + "crossComponentResources": [ + "{Workspace}" + ], + "visualization": "tiles", + "gridSettings": { + "formatters": [ + { + "columnMatch": "Description", + "formatter": 7, + "formatOptions": { + "linkTarget": "CellDetails", + "linkIsContextBlade": true, + "customColumnWidthSetting": "60%" + } + }, + { + "columnMatch": "name", + "formatter": 0, + "formatOptions": { + "customColumnWidthSetting": "5%" + } + }, + { + "columnMatch": "severity", + "formatter": 18, + "formatOptions": { + "thresholdsOptions": "icons", + "thresholdsGrid": [ + { + "operator": "==", + "thresholdValue": "Critical", + "representation": "critical", + "text": "{0}{1}" + }, + { + "operator": "==", + "thresholdValue": "Major", + "representation": "2", + "text": "{0}{1}" + }, + { + "operator": "Default", + "thresholdValue": null, + "representation": null, + "text": "{0}{1}" + } + ], + "customColumnWidthSetting": "5" + } + }, + { + "columnMatch": "message", + "formatter": 7, + "formatOptions": { + "linkTarget": "CellDetails", + "linkIsContextBlade": true, + "customColumnWidthSetting": "70%" + } + } + ] + }, + "sortBy": [], + "tileSettings": { + "titleContent": { + "formatter": 1 + }, + "leftContent": { + "columnMatch": "kwSum", + "formatter": 12, + "formatOptions": { + "palette": "hotCold" + }, + "numberFormat": { + "unit": 17, + "options": { + "style": "decimal", + "maximumFractionDigits": 2, + "maximumSignificantDigits": 3 + } + } + }, + "showBorder": false, + "size": "auto" + } + }, + "customWidth": "25", + "name": "query - 10" + }, + { + "type": 3, + "content": { + "version": "KqlItem/1.0", + "query": "SecurityIncident\n| where Status == \"Closed\"\n| summarize kwSum=count(TenantId)\n\n\n\n", + "size": 0, + "title": "CLOSED", + "noDataMessage": "No unauthorized devices making config changes", + "timeContext": { + "durationMs": 2592000000 + }, + "timeContextFromParameter": "TimeRange", + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces", + "crossComponentResources": [ + "{Workspace}" + ], + "visualization": "tiles", + "gridSettings": { + "formatters": [ + { + "columnMatch": "Description", + "formatter": 7, + "formatOptions": { + "linkTarget": "CellDetails", + "linkIsContextBlade": true, + "customColumnWidthSetting": "60%" + } + }, + { + "columnMatch": "name", + "formatter": 0, + "formatOptions": { + "customColumnWidthSetting": "5%" + } + }, + { + "columnMatch": "severity", + "formatter": 18, + "formatOptions": { + "thresholdsOptions": "icons", + "thresholdsGrid": [ + { + "operator": "==", + "thresholdValue": "Critical", + "representation": "critical", + "text": "{0}{1}" + }, + { + "operator": "==", + "thresholdValue": "Major", + "representation": "2", + "text": "{0}{1}" + }, + { + "operator": "Default", + "thresholdValue": null, + "representation": null, + "text": "{0}{1}" + } + ], + "customColumnWidthSetting": "5" + } + }, + { + "columnMatch": "message", + "formatter": 7, + "formatOptions": { + "linkTarget": "CellDetails", + "linkIsContextBlade": true, + "customColumnWidthSetting": "70%" + } + } + ] + }, + "sortBy": [], + "tileSettings": { + "titleContent": { + "formatter": 1 + }, + "leftContent": { + "columnMatch": "kwSum", + "formatter": 12, + "formatOptions": { + "palette": "greenRed" + }, + "numberFormat": { + "unit": 17, + "options": { + "style": "decimal", + "maximumFractionDigits": 2, + "maximumSignificantDigits": 3 + } + } + }, + "showBorder": false, + "size": "auto" + } + }, + "customWidth": "24", + "name": "query - 10" + }, + { + "type": 3, + "content": { + "version": "KqlItem/1.0", + "query": "SecurityIncident\n| where TimeGenerated > ago(1d)\n| where Status == \"New\" or Status == \"Active\"\n| distinct IncidentNumber\n| summarize count()\n\n\n\n\n", + "size": 0, + "title": "NEW TODAY", + "noDataMessage": "No unauthorized devices making config changes", + "timeContext": { + "durationMs": 86400000 + }, + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces", + "crossComponentResources": [ + "{Workspace}" + ], + "visualization": "tiles", + "gridSettings": { + "formatters": [ + { + "columnMatch": "Description", + "formatter": 7, + "formatOptions": { + "linkTarget": "CellDetails", + "linkIsContextBlade": true, + "customColumnWidthSetting": "60%" + } + }, + { + "columnMatch": "name", + "formatter": 0, + "formatOptions": { + "customColumnWidthSetting": "5%" + } + }, + { + "columnMatch": "severity", + "formatter": 18, + "formatOptions": { + "thresholdsOptions": "icons", + "thresholdsGrid": [ + { + "operator": "==", + "thresholdValue": "Critical", + "representation": "critical", + "text": "{0}{1}" + }, + { + "operator": "==", + "thresholdValue": "Major", + "representation": "2", + "text": "{0}{1}" + }, + { + "operator": "Default", + "thresholdValue": null, + "representation": null, + "text": "{0}{1}" + } + ], + "customColumnWidthSetting": "5" + } + }, + { + "columnMatch": "message", + "formatter": 7, + "formatOptions": { + "linkTarget": "CellDetails", + "linkIsContextBlade": true, + "customColumnWidthSetting": "70%" + } + } + ] + }, + "sortBy": [], + "tileSettings": { + "titleContent": { + "formatter": 1 + }, + "leftContent": { + "columnMatch": "count_", + "formatter": 12, + "formatOptions": { + "palette": "greenRed" + }, + "numberFormat": { + "unit": 17, + "options": { + "style": "decimal", + "maximumFractionDigits": 2, + "maximumSignificantDigits": 3 + } + } + }, + "showBorder": false, + "size": "auto" + } + }, + "customWidth": "24", + "name": "query - 10" + } + ] + }, + "customWidth": "50", + "name": "group - 3" + }, + { + "type": 12, + "content": { + "version": "NotebookGroup/1.0", + "groupType": "editable", + "items": [ + { + "type": 1, + "content": { + "json": "## Control Assessment\r\n" + }, + "name": "text - 2" + }, + { + "type": 9, + "content": { + "version": "KqlParameterItem/1.0", + "parameters": [ + { + "id": "52668f65-b44a-4e14-82d8-c87410e7e5dc", + "version": "KqlParameterItem/1.0", + "name": "ImplementationStatus", + "label": "Implementation Status", + "type": 2, + "typeSettings": { + "additionalResourceOptions": [], + "showDefault": false + }, + "jsonData": "[\r\n {\"value\": \"Not Implemented\", \"label\": \"Not Implemented\", \"selected\":true},\r\n {\"value\": \"Implemented\", \"label\": \"Implemented\"},\r\n {\"value\": \"Alternate Implementation\", \"label\": \"Alternate Implementation\"},\r\n {\"value\": \"Planned\", \"label\": \"Planned\"},\r\n {\"value\": \"Out of Scope\", \"label\": \"Out of Scope\"}\r\n]", + "timeContext": { + "durationMs": 86400000 + } + }, + { + "id": "578b8620-30b9-4b92-abc6-997998bc8156", + "version": "KqlParameterItem/1.0", + "name": "ImplementationDate", + "label": "Implementation Date", + "type": 1, + "value": "", + "timeContext": { + "durationMs": 86400000 + } + }, + { + "version": "KqlParameterItem/1.0", + "name": "Notes", + "type": 1, + "value": "", + "timeContext": { + "durationMs": 86400000 + }, + "id": "7bd0d384-d3c3-4c77-9dae-d75e823edfcf" + } + ], + "style": "pills", + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces" + }, + "name": "Status" + }, + { + "type": 1, + "content": { + "json": "### Notes
\r\n{Notes}" + }, + "name": "text - 1" + } + ] + }, + "customWidth": "50", + "name": "group - 2" + }, + { + "type": 3, + "content": { + "version": "KqlItem/1.0", + "query": "SecurityIncident\r\n | summarize hint.strategy = shuffle arg_max(LastModifiedTime, *) by IncidentNumber\r\n | mv-expand AlertIds\r\n | extend AlertId = tostring(AlertIds)\r\n | join kind= innerunique ( \r\n SecurityAlert \r\n )\r\n on $left.AlertId == $right.SystemAlertId\r\n | summarize hint.strategy = shuffle arg_max(TimeGenerated, *), NumberOfUpdates = count() by SystemAlertId\r\n | mv-expand todynamic(Entities)\r\n | where Entities[\"Type\"] =~ \"account\"\r\n | extend Name = tostring(tolower(Entities[\"Name\"])), NTDomain = tostring(Entities[\"NTDomain\"]), UPNSuffix = tostring(Entities[\"UPNSuffix\"]), AadUserId = tostring(Entities[\"AadUserId\"]), AadTenantId = tostring(Entities[\"AadTenantId\"]), \r\n Sid = tostring(Entities[\"Sid\"]), IsDomainJoined = tobool(Entities[\"IsDomainJoined\"]), Host = tostring(Entities[\"Host\"])\r\n | extend UserPrincipalName = iff(Name != \"\" and UPNSuffix != \"\", strcat(Name, \"@\", UPNSuffix), \"\")\r\n| extend Href_ = tostring(parse_json(ExtendedLinks)[0].Href)\r\n| extend Workspace = tostring(parse_json(tostring(parse_json(ExtendedProperties).[\"Data Sources\"]))[0])\r\n| extend IncidentURL = strcat(\"https://portal.azure.com/#asset/Microsoft_Azure_Security_Insights/Incident/subscriptions/\",WorkspaceSubscriptionId,\"/resourceGroups/\",WorkspaceResourceGroup,\"/providers/Microsoft.OperationalInsights/workspaces/\",Workspace,\"/providers/Microsoft.SecurityInsights/Incidents/\",IncidentName)\r\n| where IncidentURL !contains \"//resourceGroups\"\r\n| distinct UserPrincipalName, IncidentNumber, Title, Severity, ProductName, IncidentURL, TimeGenerated\r\n| sort by TimeGenerated desc\r\n| limit 250\r\n", + "size": 0, + "showAnalytics": true, + "title": "Security Incidents: Go-To >", + "noDataMessage": "An Empty Panel Provides Opportunity To Explore Further and Implement Hardening. Controls: Confirm Licensing, Availability, and Health of Respective Offerings. Logging: Confirm Log Source is Onboarded to the Log Analytics Workspace. Time: Adjust the Time Parameter for a Larger Data-Set. ", + "timeContext": { + "durationMs": 2592000000 + }, + "timeContextFromParameter": "TimeRange", + "showExportToExcel": true, + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces", + "crossComponentResources": [ + "{Workspace}" + ], + "gridSettings": { + "formatters": [ + { + "columnMatch": "UserPrincipalName", + "formatter": 18, + "formatOptions": { + "thresholdsOptions": "icons", + "thresholdsGrid": [ + { + "operator": "is Empty", + "text": "{0}{1}" + }, + { + "operator": "Default", + "thresholdValue": null, + "representation": "Person", + "text": "{0}{1}" + } + ] + } + }, + { + "columnMatch": "Title", + "formatter": 18, + "formatOptions": { + "thresholdsOptions": "icons", + "thresholdsGrid": [ + { + "operator": "Default", + "thresholdValue": null, + "representation": "error", + "text": "{0}{1}" + } + ] + } + }, + { + "columnMatch": "Severity", + "formatter": 18, + "formatOptions": { + "thresholdsOptions": "colors", + "thresholdsGrid": [ + { + "operator": "==", + "thresholdValue": "High", + "representation": "redBright", + "text": "{0}{1}" + }, + { + "operator": "==", + "thresholdValue": "Medium", + "representation": "orange", + "text": "{0}{1}" + }, + { + "operator": "==", + "thresholdValue": "Low", + "representation": "yellow", + "text": "{0}{1}" + }, + { + "operator": "Default", + "thresholdValue": null, + "representation": "blue", + "text": "{0}{1}" + } + ] + } + }, + { + "columnMatch": "ProductName", + "formatter": 18, + "formatOptions": { + "thresholdsOptions": "icons", + "thresholdsGrid": [ + { + "operator": "Default", + "thresholdValue": null, + "representation": "uninitialized", + "text": "{0}{1}" + } + ] + } + }, + { + "columnMatch": "IncidentURL", + "formatter": 7, + "formatOptions": { + "linkTarget": "Url", + "linkLabel": "Go to Incident >" + } + }, + { + "columnMatch": "UPN", + "formatter": 18, + "formatOptions": { + "thresholdsOptions": "icons", + "thresholdsGrid": [ + { + "operator": "Default", + "thresholdValue": null, + "representation": "PersonWithFriend", + "text": "{0}{1}" + } + ] + } + }, + { + "columnMatch": "AlertName", + "formatter": 18, + "formatOptions": { + "thresholdsOptions": "icons", + "thresholdsGrid": [ + { + "operator": "Default", + "thresholdValue": null, + "representation": "3", + "text": "{0}{1}" + } + ] + } + }, + { + "columnMatch": "AlertLink", + "formatter": 7, + "formatOptions": { + "linkTarget": "Url", + "linkLabel": "" + } + }, + { + "columnMatch": "IncidentUrl", + "formatter": 7, + "formatOptions": { + "linkTarget": "Url", + "linkLabel": "Go to Incident >" + }, + "numberFormat": { + "unit": 0, + "options": { + "style": "decimal" + } + } + }, + { + "columnMatch": "count_", + "formatter": 8, + "formatOptions": { + "palette": "blue" + } + }, + { + "columnMatch": "city_", + "formatter": 18, + "formatOptions": { + "thresholdsOptions": "colors", + "thresholdsGrid": [ + { + "operator": "Default", + "thresholdValue": null, + "representation": "blue", + "text": "{0}{1}" + } + ] + } + }, + { + "columnMatch": "state_", + "formatter": 18, + "formatOptions": { + "thresholdsOptions": "colors", + "thresholdsGrid": [ + { + "operator": "Default", + "thresholdValue": null, + "representation": "blueDark", + "text": "{0}{1}" + } + ] + } + } + ], + "filter": true + }, + "tileSettings": { + "titleContent": { + "columnMatch": "SigninStatus", + "formatter": 1 + }, + "leftContent": { + "columnMatch": "Count", + "formatter": 12, + "formatOptions": { + "palette": "blue" + }, + "numberFormat": { + "unit": 17, + "options": { + "style": "decimal", + "maximumFractionDigits": 2, + "maximumSignificantDigits": 3 + } + } + }, + "secondaryContent": { + "columnMatch": "Trend", + "formatter": 9, + "formatOptions": { + "palette": "green" + } + }, + "showBorder": false + }, + "mapSettings": { + "locInfo": "CountryRegion", + "locInfoColumn": "Location", + "latitude": "SourceIPLocation", + "longitude": "SourceIPLocation", + "sizeSettings": "Location", + "sizeAggregation": "Count", + "legendMetric": "Location", + "legendAggregation": "Count", + "itemColorSettings": { + "nodeColorField": "Location", + "colorAggregation": "Count", + "type": "thresholds", + "thresholdsGrid": [ + { + "operator": "Default", + "thresholdValue": null, + "representation": "blueDark" + } + ] + } + } + }, + "name": "query - 3" + } + ] + }, + "name": "IR.L2-3.6.1", + "styleSettings": { + "showBorder": true + } + }, + { + "type": 12, + "content": { + "version": "NotebookGroup/1.0", + "groupType": "editable", + "items": [ + { + "type": 1, + "content": { + "json": "# (IR.L2-3.6.2) Incident Reporting\r\n\r\n## Primary Services\r\n✳️ [Microsoft Sentinel](https://azure.microsoft.com/services/azure-sentinel/) 🔀[Microsoft Sentinel](https://portal.azure.com/#blade/HubsExtension/BrowseResource/resourceType/microsoft.securityinsightsarg%2Fsentinel)
\r\n\r\n## Secondary Services\r\n✳️ [Microsoft 365 Defender](https://www.microsoft.com/microsoft-365/security/microsoft-365-defender) 🔀[Microsoft 365 Defender](https://security.microsoft.com/)
\r\n\r\n## Recommended Logs\r\n🔷 [SecurityIncident](https://docs.microsoft.com/azure/azure-monitor/reference/tables/securityincident) ✳️ [Microsoft Sentinel](https://azure.microsoft.com/services/azure-sentinel/) ✳️ [Microsoft 365 Defender](https://www.microsoft.com/microsoft-365/security/microsoft-365-defender)
\r\n\r\n## Implementation Guidance\r\n[Microsoft Technical Reference Guide for CMMC](https://aka.ms/cmmc/techrefguide)\r\n## NIST SP 800-171 Mapping\r\n[3.6.2](https://csrc.nist.gov/publications/detail/sp/800-171/rev-2/final)
\r\n## NIST SP 800-53 R4 Mapping\r\n[IR-2, IR-4, IR-5, IR-6, IR-7](https://csrc.nist.gov/publications/detail/sp/800-53/rev-4/final)\r\n## Microsoft Defender for Cloud: Regulatory Compliance\r\n[Go To: NIST SP 800-171 Assessment >](https://portal.azure.com/#blade/Microsoft_Azure_Security/SecurityMenuBlade/22)
\r\n" + }, + "customWidth": "50", + "name": "text - 0", + "styleSettings": { + "maxWidth": "50" + } + }, + { + "type": 3, + "content": { + "version": "KqlItem/1.0", + "query": "SecurityIncident \r\n| make-series count() default=0 on TimeGenerated from {TimeRange:start} to {TimeRange:end} step 1d by Severity\r\n| render areachart \r\n", + "size": 0, + "showAnalytics": true, + "title": "Security Incidents over Time", + "noDataMessage": "An Empty Panel Provides Opportunity To Explore Further and Implement Hardening. Controls: Confirm Licensing, Availability, and Health of Respective Offerings. Logging: Confirm Log Source is Onboarded to the Log Analytics Workspace. Time: Adjust the Time Parameter for a Larger Data-Set. ", + "timeContext": { + "durationMs": 2592000000 + }, + "timeContextFromParameter": "TimeRange", + "showExportToExcel": true, + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces", + "crossComponentResources": [ + "{Workspace}" + ] + }, + "customWidth": "50", + "name": "query - 2", + "styleSettings": { + "maxWidth": "50" + } + }, + { + "type": 12, + "content": { + "version": "NotebookGroup/1.0", + "groupType": "editable", + "items": [ + { + "type": 1, + "content": { + "json": "## Control Assessment\r\n" + }, + "name": "text - 2" + }, + { + "type": 9, + "content": { + "version": "KqlParameterItem/1.0", + "parameters": [ + { + "id": "52668f65-b44a-4e14-82d8-c87410e7e5dc", + "version": "KqlParameterItem/1.0", + "name": "ImplementationStatus", + "label": "Implementation Status", + "type": 2, + "typeSettings": { + "additionalResourceOptions": [], + "showDefault": false + }, + "jsonData": "[\r\n {\"value\": \"Not Implemented\", \"label\": \"Not Implemented\", \"selected\":true},\r\n {\"value\": \"Implemented\", \"label\": \"Implemented\"},\r\n {\"value\": \"Alternate Implementation\", \"label\": \"Alternate Implementation\"},\r\n {\"value\": \"Planned\", \"label\": \"Planned\"},\r\n {\"value\": \"Out of Scope\", \"label\": \"Out of Scope\"}\r\n]", + "timeContext": { + "durationMs": 86400000 + } + }, + { + "id": "578b8620-30b9-4b92-abc6-997998bc8156", + "version": "KqlParameterItem/1.0", + "name": "ImplementationDate", + "label": "Implementation Date", + "type": 1, + "value": "", + "timeContext": { + "durationMs": 86400000 + } + }, + { + "version": "KqlParameterItem/1.0", + "name": "Notes", + "type": 1, + "value": "", + "timeContext": { + "durationMs": 86400000 + }, + "id": "7bd0d384-d3c3-4c77-9dae-d75e823edfcf" + } + ], + "style": "pills", + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces" + }, + "name": "Status" + }, + { + "type": 1, + "content": { + "json": "### Notes
\r\n{Notes}" + }, + "name": "text - 1" + } + ] + }, + "customWidth": "50", + "name": "group - 2" + } + ] + }, + "name": "IR.L2-3.6.2", + "styleSettings": { + "showBorder": true + } + }, + { + "type": 12, + "content": { + "version": "NotebookGroup/1.0", + "groupType": "editable", + "items": [ + { + "type": 1, + "content": { + "json": "# (IR.L2-3.6.3) Incident Response Testing\r\n\r\n## Secondary Services\r\n✳️ [Microsoft Sentinel](https://azure.microsoft.com/services/azure-sentinel/) 🔀[Microsoft Sentinel](https://portal.azure.com/#blade/HubsExtension/BrowseResource/resourceType/microsoft.securityinsightsarg%2Fsentinel)
\r\n✳️ [Microsoft 365 Defender](https://www.microsoft.com/microsoft-365/security/microsoft-365-defender) 🔀[Microsoft 365 Defender](https://security.microsoft.com/)
\r\n\r\n## Recommended Resources\r\n💡 [SimuLand: Understand adversary tradecraft and improve detection strategies](https://www.microsoft.com/security/blog/2021/05/20/simuland-understand-adversary-tradecraft-and-improve-detection-strategies/)
\r\n💡 [Microsoft Sentinel - SOC Process Framework Workbook](https://techcommunity.microsoft.com/t5/azure-sentinel/what-s-new-azure-sentinel-soc-process-framework-workbook/ba-p/2339315)
\r\n💡 [Sentinel ATT&CK](https://github.com/BlueTeamLabs/sentinel-attack)
\r\n\r\n## Recommended Logs\r\n🔷 [SecurityAlert](https://docs.microsoft.com/azure/azure-monitor/reference/tables/securityalert) ✳️ [Microsoft Sentinel](https://azure.microsoft.com/services/azure-sentinel/)
\r\n\r\n## Implementation Guidance\r\n[Microsoft Technical Reference Guide for CMMC](https://aka.ms/cmmc/techrefguide)\r\n## NIST SP 800-171 Mapping\r\n[3.6.3](https://csrc.nist.gov/publications/detail/sp/800-171/rev-2/final)
\r\n## NIST SP 800-53 R4 Mapping\r\n[IR-3](https://csrc.nist.gov/publications/detail/sp/800-53/rev-4/final)\r\n## Microsoft Defender for Cloud: Regulatory Compliance\r\n[Go To: NIST SP 800-171 Assessment >](https://portal.azure.com/#blade/Microsoft_Azure_Security/SecurityMenuBlade/22)
\r\n" + }, + "customWidth": "50", + "name": "text - 0", + "styleSettings": { + "maxWidth": "50" + } + }, + { + "type": 3, + "content": { + "version": "KqlItem/1.0", + "query": "SecurityAlert\r\n| where AlertName contains \"test\"\r\n| distinct AlertName, AlertSeverity, ProductName, Status, Tactics, AlertLink, TimeGenerated\r\n| sort by TimeGenerated desc\r\n| limit 250\r\n", + "size": 0, + "showAnalytics": true, + "title": "Review & Test Security Alerts for Incident Response Readiness (Alerts Labeled Test)", + "noDataMessage": "An Empty Panel Provides Opportunity To Explore Further and Implement Hardening. Controls: Confirm Licensing, Availability, and Health of Respective Offerings. Logging: Confirm Log Source is Onboarded to the Log Analytics Workspace. Time: Adjust the Time Parameter for a Larger Data-Set. ", + "timeContext": { + "durationMs": 0 + }, + "timeContextFromParameter": "TimeRange", + "showExportToExcel": true, + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces", + "crossComponentResources": [ + "{Workspace}" + ], + "gridSettings": { + "formatters": [ + { + "columnMatch": "AlertName", + "formatter": 18, + "formatOptions": { + "thresholdsOptions": "icons", + "thresholdsGrid": [ + { + "operator": "Default", + "thresholdValue": null, + "representation": "3", + "text": "{0}{1}" + } + ] + } + }, + { + "columnMatch": "Severity", + "formatter": 18, + "formatOptions": { + "thresholdsOptions": "colors", + "thresholdsGrid": [ + { + "operator": "==", + "thresholdValue": "High", + "representation": "red", + "text": "{0}{1}" + }, + { + "operator": "==", + "thresholdValue": "Medium", + "representation": "orange", + "text": "{0}{1}" + }, + { + "operator": "==", + "thresholdValue": "Low", + "representation": "yellow", + "text": "{0}{1}" + }, + { + "operator": "Default", + "thresholdValue": null, + "representation": "blue", + "text": "{0}{1}" + } + ] + } + }, + { + "columnMatch": "ProductName", + "formatter": 18, + "formatOptions": { + "thresholdsOptions": "icons", + "thresholdsGrid": [ + { + "operator": "Default", + "thresholdValue": null, + "representation": "uninitialized", + "text": "{0}{1}" + } + ] + } + }, + { + "columnMatch": "AlertLink", + "formatter": 7, + "formatOptions": { + "linkTarget": "Url", + "linkLabel": "" + } + }, + { + "columnMatch": "UPN", + "formatter": 18, + "formatOptions": { + "thresholdsOptions": "icons", + "thresholdsGrid": [ + { + "operator": "Default", + "thresholdValue": null, + "representation": "2", + "text": "{0}{1}" + } + ] + } + }, + { + "columnMatch": "IncidentUrl", + "formatter": 7, + "formatOptions": { + "linkTarget": "Url", + "linkLabel": "Go to Incident >" + }, + "numberFormat": { + "unit": 0, + "options": { + "style": "decimal" + } + } + }, + { + "columnMatch": "count_", + "formatter": 8, + "formatOptions": { + "palette": "blue" + } + }, + { + "columnMatch": "city_", + "formatter": 18, + "formatOptions": { + "thresholdsOptions": "colors", + "thresholdsGrid": [ + { + "operator": "Default", + "thresholdValue": null, + "representation": "blue", + "text": "{0}{1}" + } + ] + } + }, + { + "columnMatch": "state_", + "formatter": 18, + "formatOptions": { + "thresholdsOptions": "colors", + "thresholdsGrid": [ + { + "operator": "Default", + "thresholdValue": null, + "representation": "blueDark", + "text": "{0}{1}" + } + ] + } + } + ], + "filter": true + }, + "tileSettings": { + "titleContent": { + "columnMatch": "SigninStatus", + "formatter": 1 + }, + "leftContent": { + "columnMatch": "Count", + "formatter": 12, + "formatOptions": { + "palette": "blue" + }, + "numberFormat": { + "unit": 17, + "options": { + "style": "decimal", + "maximumFractionDigits": 2, + "maximumSignificantDigits": 3 + } + } + }, + "secondaryContent": { + "columnMatch": "Trend", + "formatter": 9, + "formatOptions": { + "palette": "green" + } + }, + "showBorder": false + }, + "mapSettings": { + "locInfo": "CountryRegion", + "locInfoColumn": "Location", + "latitude": "SourceIPLocation", + "longitude": "SourceIPLocation", + "sizeSettings": "Location", + "sizeAggregation": "Count", + "legendMetric": "Location", + "legendAggregation": "Count", + "itemColorSettings": { + "nodeColorField": "Location", + "colorAggregation": "Count", + "type": "thresholds", + "thresholdsGrid": [ + { + "operator": "Default", + "thresholdValue": null, + "representation": "blueDark" + } + ] + } + } + }, + "customWidth": "50", + "name": "query - 4" + }, + { + "type": 12, + "content": { + "version": "NotebookGroup/1.0", + "groupType": "editable", + "items": [ + { + "type": 1, + "content": { + "json": "## Control Assessment\r\n" + }, + "name": "text - 2" + }, + { + "type": 9, + "content": { + "version": "KqlParameterItem/1.0", + "parameters": [ + { + "id": "52668f65-b44a-4e14-82d8-c87410e7e5dc", + "version": "KqlParameterItem/1.0", + "name": "ImplementationStatus", + "label": "Implementation Status", + "type": 2, + "typeSettings": { + "additionalResourceOptions": [], + "showDefault": false + }, + "jsonData": "[\r\n {\"value\": \"Not Implemented\", \"label\": \"Not Implemented\", \"selected\":true},\r\n {\"value\": \"Implemented\", \"label\": \"Implemented\"},\r\n {\"value\": \"Alternate Implementation\", \"label\": \"Alternate Implementation\"},\r\n {\"value\": \"Planned\", \"label\": \"Planned\"},\r\n {\"value\": \"Out of Scope\", \"label\": \"Out of Scope\"}\r\n]", + "timeContext": { + "durationMs": 86400000 + } + }, + { + "id": "578b8620-30b9-4b92-abc6-997998bc8156", + "version": "KqlParameterItem/1.0", + "name": "ImplementationDate", + "label": "Implementation Date", + "type": 1, + "value": "", + "timeContext": { + "durationMs": 86400000 + } + }, + { + "version": "KqlParameterItem/1.0", + "name": "Notes", + "type": 1, + "value": "", + "timeContext": { + "durationMs": 86400000 + }, + "id": "7bd0d384-d3c3-4c77-9dae-d75e823edfcf" + } + ], + "style": "pills", + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces" + }, + "name": "Status" + }, + { + "type": 1, + "content": { + "json": "### Notes
\r\n{Notes}" + }, + "name": "text - 1" + } + ] + }, + "customWidth": "50", + "name": "group - 2" + } + ] + }, + "name": "IR.L2-3.6.3", + "styleSettings": { + "showBorder": true + } + } + ] + }, + "conditionalVisibility": { + "parameterName": "isML2Visible", + "comparison": "isEqualTo", + "value": "true" + }, + "name": "Level 2: Advanced" + } + ] + }, + "conditionalVisibility": { + "parameterName": "isIRVisible", + "comparison": "isEqualTo", + "value": "true" + }, + "name": "Incident Response Group", + "styleSettings": { + "showBorder": true + } + }, + { + "type": 12, + "content": { + "version": "NotebookGroup/1.0", + "groupType": "editable", + "items": [ + { + "type": 1, + "content": { + "json": "# Maintenance\r\n---\r\nMaintenance includes processes such as system updates, patching, and configuration changes which are required for the overall functionality of the information system. For more information, see the 💡[CMMC Model](https://www.acq.osd.mil/cmmc/model.html)" + }, + "customWidth": "50", + "name": "text - 5" + }, + { + "type": 12, + "content": { + "version": "NotebookGroup/1.0", + "groupType": "editable", + "title": "Level 2: Advanced", + "items": [ + { + "type": 1, + "content": { + "json": "A subset of programs with Level 2 (“Advanced”) requirements do not involve information critical to national security, and associated contractors will only be required to conduct self-assessments. Once CMMC 2.0 is implemented, contractors will be required to obtain a third-party CMMC assessment for a subset of acquisitions requiring Level 2 (“Advanced”) cybersecurity standards that involve information critical to national security. " + }, + "customWidth": "50", + "name": "text - 1" + }, + { + "type": 1, + "content": { + "json": "" + }, + "customWidth": "5", + "name": "text - 1" + }, + { + "type": 11, + "content": { + "version": "LinkItem/1.0", + "style": "list", + "links": [ + { + "id": "af33f331-b64b-4fbd-a0b4-3e411ff705a8", + "cellValue": "MA.L2-3.7.1", + "linkTarget": "step", + "linkLabel": "✳️ (MA.L2-3.7.1) Perform Maintenance", + "preText": "", + "postText": "", + "style": "link" + }, + { + "id": "cca4d1e8-e1e2-4b1d-9b8a-698e6496924c", + "cellValue": "MA.L2-3.7.2", + "linkTarget": "step", + "linkLabel": "✳️ (MA.L2-3.7.2) System Maintenance Control", + "preText": "", + "postText": "", + "style": "link" + }, + { + "id": "f7074cad-e2ec-4a2c-84d1-7b33b14d4c04", + "cellValue": "MA.L2-3.7.3", + "linkTarget": "step", + "linkLabel": "✳️ (MA.L2-3.7.3) Equipment Sanitization", + "preText": "", + "postText": "", + "style": "link" + }, + { + "id": "35bfb771-67e1-480a-ac96-0a59f2c8dbc2", + "cellValue": "MA.L2-3.7.4", + "linkTarget": "step", + "linkLabel": "✳️ (MA.L2-3.7.4) Media Inspection", + "preText": "", + "postText": "", + "style": "link" + }, + { + "id": "48a6c5e0-cbe1-41c4-be23-d98ae6e95c7e", + "cellValue": "MA.L2-3.7.5", + "linkTarget": "step", + "linkLabel": "✳️ (MA.L2-3.7.5) Nonlocal Maintenance", + "preText": "", + "style": "link" + }, + { + "id": "5c8ca431-016c-4808-b939-406665e97237", + "cellValue": "MA.L2-3.7.6", + "linkTarget": "step", + "linkLabel": "✳️ (MA.L2-3.7.6) Maintenance Personnel", + "preText": "", + "style": "link" + } + ] + }, + "customWidth": "40", + "name": "ML2 Steps" + }, + { + "type": 12, + "content": { + "version": "NotebookGroup/1.0", + "groupType": "editable", + "items": [ + { + "type": 1, + "content": { + "json": "# (MA.L2-3.7.1) Perform Maintenance\r\n\r\n## Secondary Services\r\n✳️ [Microsoft Azure Portal](https://azure.microsoft.com/services/azure-defender-for-iot/) 🔀[Microsoft Azure Portal](https://portal.azure.com/)
\r\n✳️ [Virtual Machines](https://azure.microsoft.com/services/virtual-machines/) 🔀[Virtual Machines](https://portal.azure.com/#blade/HubsExtension/BrowseResource/resourceType/Microsoft.Compute%2FVirtualMachines)
\r\n✳️ [Intune/Microsoft Endpoint Manager](https://www.microsoft.com/microsoft-365/microsoft-endpoint-Manager) 🔀[Microsoft Endpoint Manager Admin Center](https://endpoint.microsoft.com/#home)
\r\n✳️ [Microsoft Defender for Endpoint]( https://www.microsoft.com/microsoft-365/security/endpoint-defender) 🔀[Microsoft 365 Defender](https://security.microsoft.com/)
\r\n\r\n## Recommended Logs\r\n🔷 [SecurityRecommendation](https://docs.microsoft.com/azure/defender-for-iot/how-to-security-data-access#security-recommendations) ✳️ [Microsoft Defender for Cloud](https://azure.microsoft.com/services/security-center/)
\r\n\r\n## Recommended Resources\r\n💡 [Handling Planned Maintenance Notifications Using the Azure Portal](https://docs.microsoft.com/azure/virtual-machines/maintenance-notifications-portal)
\r\n💡 [Managing Platform Updates with Maintenance Control](https://docs.microsoft.com/azure/virtual-machines/maintenance-control)
\r\n💡 [Scheduling Maintenance Updates with Maintenance Control and Azure Functions](https://github.com/Azure/azure-docs-powershell-samples/tree/master/maintenance-auto-scheduler)
\r\n\r\n## Implementation Guidance\r\n[Microsoft Technical Reference Guide for CMMC](https://aka.ms/cmmc/techrefguide)\r\n## NIST SP 800-171 Mapping\r\n[3.7.1](https://csrc.nist.gov/publications/detail/sp/800-171/rev-2/final)
\r\n## NIST SP 800-53 R4 Mapping\r\n[MA-2, MA-3, MA-3(1), MA-3(2)](https://csrc.nist.gov/publications/detail/sp/800-53/rev-4/final)\r\n## Microsoft Defender for Cloud: Regulatory Compliance\r\n[Go To: NIST SP 800-171 Assessment >](https://portal.azure.com/#blade/Microsoft_Azure_Security/SecurityMenuBlade/22)
\r\n" + }, + "customWidth": "50", + "name": "text - 0", + "styleSettings": { + "maxWidth": "50" + } + }, + { + "type": 3, + "content": { + "version": "KqlItem/1.0", + "query": "// Regulatory compliance CSV report query for standard \"Azure Security Benchmark\" \r\n// Change the 'complianceStandardId' column condition to select a different standard\r\n securityresources\r\n | where type == \"microsoft.security/regulatorycompliancestandards/regulatorycompliancecontrols/regulatorycomplianceassessments\"\r\n | extend complianceStandardId = replace( \"-\", \" \", extract(@'/regulatoryComplianceStandards/([^/]*)', 1, id))\r\n | extend failedResources = toint(properties.failedResources), passedResources = toint(properties.passedResources),skippedResources = toint(properties.skippedResources)\r\n | where failedResources + passedResources + skippedResources > 0\r\n | join kind = leftouter(\r\n securityresources\r\n | where type == \"microsoft.security/assessments\") on subscriptionId, name\r\n | extend complianceState = properties.state\r\n | extend resourceSource = tolower(tostring(properties1.resourceDetails.Source))\r\n | extend recommendationId = id1\r\n | extend resourceId = trim(' ', tolower(tostring(case(resourceSource =~ 'azure', properties1.resourceDetails.Id,\r\n resourceSource =~ 'gcp', properties1.resourceDetails.GcpResourceId,\r\n resourceSource =~ 'aws', properties1.resourceDetails.AwsResourceId,\r\n extract('^(.+)/providers/Microsoft.Security/assessments/.+$',1,recommendationId)))))\r\n | extend regexResourceId = extract_all(@\"/providers/[^/]+(?:/([^/]+)/[^/]+(?:/[^/]+/[^/]+)?)?/([^/]+)/([^/]+)$\", resourceId)[0]\r\n | extend resourceType = iff(regexResourceId[1] != \"\", regexResourceId[1], iff(regexResourceId[0] != \"\", regexResourceId[0], \"subscriptions\"))\r\n | extend resourceName = regexResourceId[2]\r\n | extend recommendationName = name\r\n | extend RecommendationDisplayName = properties1.displayName\r\n | extend description = properties1.metadata.description\r\n | extend remediationSteps = properties1.metadata.remediationDescription\r\n | extend severity = properties1.metadata.severity\r\n | extend state = properties1.status.code\r\n | extend notApplicableReason = properties1.status.cause\r\n | extend azurePortalRecommendationLink = properties1.links.azurePortal\r\n | extend complianceStandardId = replace( \"-\", \" \", extract(@'/regulatoryComplianceStandards/([^/]*)', 1, id))\r\n | extend complianceControlId = extract(@\"/regulatoryComplianceControls/([^/]*)\", 1, id)\r\n | join kind = leftouter (securityresources\r\n | where type == \"microsoft.security/regulatorycompliancestandards/regulatorycompliancecontrols\"\r\n | extend complianceStandardId = replace( \"-\", \" \", extract(@'/regulatoryComplianceStandards/([^/]*)', 1, id))\r\n | extend controlName = tostring(properties.description)\r\n | project controlId = name, controlName\r\n | distinct *) on $right.controlId == $left.complianceControlId\r\n\t| where RecommendationDisplayName contains \"update\" or RecommendationDisplayName contains \"upgrade\"\r\n | where state == \"Unhealthy\"\r\n | extend Recommendation = strcat(\"https://\",azurePortalRecommendationLink), ResourceID = resourceId, ResourceType = resourceType, ResourceGroup = resourceGroup1, Severity = severity, State = state, ControlID = controlId\r\n | project RecommendationDisplayName, ResourceID, ResourceType, ResourceGroup, Severity, State, complianceStandardId, ControlID, Recommendation", + "size": 0, + "showAnalytics": true, + "title": "Microsoft Defender for Cloud Assessments: Update Recommendations", + "noDataMessage": "No Current Recommendations in this Area. Confirm Assessments are Enabled in Microsoft Defender for Cloud: Regulatory Compliance Blade.", + "showExportToExcel": true, + "queryType": 1, + "resourceType": "microsoft.resourcegraph/resources", + "crossComponentResources": [ + "{Workspace}" + ], + "gridSettings": { + "formatters": [ + { + "columnMatch": "RecommendationDisplayName", + "formatter": 18, + "formatOptions": { + "thresholdsOptions": "icons", + "thresholdsGrid": [ + { + "operator": "Default", + "thresholdValue": null, + "representation": "warning", + "text": "{0}{1}" + } + ] + } + }, + { + "columnMatch": "Severity", + "formatter": 18, + "formatOptions": { + "thresholdsOptions": "colors", + "thresholdsGrid": [ + { + "operator": "==", + "thresholdValue": "High", + "representation": "redBright", + "text": "{0}{1}" + }, + { + "operator": "==", + "thresholdValue": "Medium", + "representation": "orange", + "text": "{0}{1}" + }, + { + "operator": "==", + "thresholdValue": "Low", + "representation": "yellow", + "text": "{0}{1}" + }, + { + "operator": "Default", + "thresholdValue": null, + "representation": "blue", + "text": "{0}{1}" + } + ] + } + }, + { + "columnMatch": "State", + "formatter": 1 + }, + { + "columnMatch": "ControlID", + "formatter": 1 + }, + { + "columnMatch": "Recommendation", + "formatter": 7, + "formatOptions": { + "linkTarget": "Url", + "linkLabel": "Go to Recommendation >" + } + } + ], + "filter": true + } + }, + "customWidth": "50", + "name": "query - 2" + }, + { + "type": 12, + "content": { + "version": "NotebookGroup/1.0", + "groupType": "editable", + "items": [ + { + "type": 1, + "content": { + "json": "## Control Assessment\r\n" + }, + "name": "text - 2" + }, + { + "type": 9, + "content": { + "version": "KqlParameterItem/1.0", + "parameters": [ + { + "id": "52668f65-b44a-4e14-82d8-c87410e7e5dc", + "version": "KqlParameterItem/1.0", + "name": "ImplementationStatus", + "label": "Implementation Status", + "type": 2, + "typeSettings": { + "additionalResourceOptions": [], + "showDefault": false + }, + "jsonData": "[\r\n {\"value\": \"Not Implemented\", \"label\": \"Not Implemented\", \"selected\":true},\r\n {\"value\": \"Implemented\", \"label\": \"Implemented\"},\r\n {\"value\": \"Alternate Implementation\", \"label\": \"Alternate Implementation\"},\r\n {\"value\": \"Planned\", \"label\": \"Planned\"},\r\n {\"value\": \"Out of Scope\", \"label\": \"Out of Scope\"}\r\n]", + "timeContext": { + "durationMs": 86400000 + } + }, + { + "id": "578b8620-30b9-4b92-abc6-997998bc8156", + "version": "KqlParameterItem/1.0", + "name": "ImplementationDate", + "label": "Implementation Date", + "type": 1, + "value": "", + "timeContext": { + "durationMs": 86400000 + } + }, + { + "version": "KqlParameterItem/1.0", + "name": "Notes", + "type": 1, + "value": "", + "timeContext": { + "durationMs": 86400000 + }, + "id": "7bd0d384-d3c3-4c77-9dae-d75e823edfcf" + } + ], + "style": "pills", + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces" + }, + "name": "Status" + }, + { + "type": 1, + "content": { + "json": "### Notes
\r\n{Notes}" + }, + "name": "text - 1" + } + ] + }, + "customWidth": "50", + "name": "group - 2" + } + ] + }, + "name": "MA.L2-3.7.1", + "styleSettings": { + "showBorder": true + } + }, + { + "type": 12, + "content": { + "version": "NotebookGroup/1.0", + "groupType": "editable", + "items": [ + { + "type": 1, + "content": { + "json": "# (MA.L2-3.7.2) System Maintenance Control\r\n\r\n## Primary Services\r\n✳️ [Azure Active Directory](https://azure.microsoft.com/services/active-directory/) 🔀[Azure Active Directory Portal](https://portal.azure.com/#blade/Microsoft_AAD_IAM/ActiveDirectoryMenuBlade/Overview)
\r\n✳️ [Network Security Groups](https://docs.microsoft.com/azure/virtual-network/network-security-groups-overview) 🔀[Network Security Groups](https://portal.azure.com/#blade/HubsExtension/BrowseResource/resourceType/Microsoft.Network%2FNetworkSecurityGroups)
\r\n\r\n## Secondary Services\r\n✳️ [Azure Bastion](https://azure.microsoft.com/services/azure-bastion/) 🔀[Bastions](https://portal.azure.com/#blade/HubsExtension/BrowseResourceBlade/resourceType/Microsoft.Network%2FbastionHosts)
\r\n✳️ [Intune/Microsoft Endpoint Manager](https://www.microsoft.com/microsoft-365/microsoft-endpoint-Manager) 🔀[Microsoft Endpoint Manager Admin Center](https://endpoint.microsoft.com/#home)
\r\n\r\n## Recommended Resources\r\n💡 [Privileged Access Workstations](https://docs.microsoft.com/windows-server/identity/securing-privileged-access/privileged-access-workstations)\r\n\r\n## Implementation Guidance\r\n[Microsoft Technical Reference Guide for CMMC](https://aka.ms/cmmc/techrefguide)\r\n## NIST SP 800-171 Mapping\r\n[3.7.2](https://csrc.nist.gov/publications/detail/sp/800-171/rev-2/final)
\r\n## NIST SP 800-53 R4 Mapping\r\n[MA-2, MA-3, MA-3(1), MA-3(2)](https://csrc.nist.gov/publications/detail/sp/800-53/rev-4/final)\r\n## Microsoft Defender for Cloud: Regulatory Compliance\r\n[Go To: NIST SP 800-171 Assessment >](https://portal.azure.com/#blade/Microsoft_Azure_Security/SecurityMenuBlade/22)
\r\n" + }, + "customWidth": "50", + "name": "text - 0", + "styleSettings": { + "maxWidth": "50" + } + }, + { + "type": 3, + "content": { + "version": "KqlItem/1.0", + "query": "resources\r\n| where type contains \"identity\" or type contains \"networksecuritygroups\" or type contains \"bastion\" or type contains \"lock\" or type contains \"endpoint\"\r\n| project id,type,location,resourceGroup\r\n| order by location asc", + "size": 0, + "showAnalytics": true, + "title": "Recommended Primary & Secondary Service Assets", + "noDataMessage": "An Empty Panel Provides Opportunity To Explore Further and Implement Hardening. Controls: Confirm Licensing, Availability, and Health of Respective Offerings. ", + "showExportToExcel": true, + "queryType": 1, + "resourceType": "microsoft.resourcegraph/resources", + "crossComponentResources": [ + "{Workspace}" + ], + "gridSettings": { + "filter": true + } + }, + "customWidth": "50", + "name": "query - 3" + }, + { + "type": 12, + "content": { + "version": "NotebookGroup/1.0", + "groupType": "editable", + "items": [ + { + "type": 1, + "content": { + "json": "## Control Assessment\r\n" + }, + "name": "text - 2" + }, + { + "type": 9, + "content": { + "version": "KqlParameterItem/1.0", + "parameters": [ + { + "id": "52668f65-b44a-4e14-82d8-c87410e7e5dc", + "version": "KqlParameterItem/1.0", + "name": "ImplementationStatus", + "label": "Implementation Status", + "type": 2, + "typeSettings": { + "additionalResourceOptions": [], + "showDefault": false + }, + "jsonData": "[\r\n {\"value\": \"Not Implemented\", \"label\": \"Not Implemented\", \"selected\":true},\r\n {\"value\": \"Implemented\", \"label\": \"Implemented\"},\r\n {\"value\": \"Alternate Implementation\", \"label\": \"Alternate Implementation\"},\r\n {\"value\": \"Planned\", \"label\": \"Planned\"},\r\n {\"value\": \"Out of Scope\", \"label\": \"Out of Scope\"}\r\n]", + "timeContext": { + "durationMs": 86400000 + } + }, + { + "id": "578b8620-30b9-4b92-abc6-997998bc8156", + "version": "KqlParameterItem/1.0", + "name": "ImplementationDate", + "label": "Implementation Date", + "type": 1, + "value": "", + "timeContext": { + "durationMs": 86400000 + } + }, + { + "version": "KqlParameterItem/1.0", + "name": "Notes", + "type": 1, + "value": "", + "timeContext": { + "durationMs": 86400000 + }, + "id": "7bd0d384-d3c3-4c77-9dae-d75e823edfcf" + } + ], + "style": "pills", + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces" + }, + "name": "Status" + }, + { + "type": 1, + "content": { + "json": "### Notes
\r\n{Notes}" + }, + "name": "text - 1" + } + ] + }, + "customWidth": "50", + "name": "group - 2" + } + ] + }, + "name": "MA.L2-3.7.2", + "styleSettings": { + "showBorder": true + } + }, + { + "type": 12, + "content": { + "version": "NotebookGroup/1.0", + "groupType": "editable", + "items": [ + { + "type": 1, + "content": { + "json": "# (MA.L2-3.7.3) Equipment Sanitization\r\n\r\n## Secondary Services\r\n✳️ [Key Vault](https://azure.microsoft.com/services/key-vault/) 🔀[Key Vaults](https://portal.azure.com/#blade/HubsExtension/BrowseResource/resourceType/Microsoft.KeyVault%2Fvaults)
\r\n\r\n## Recommended Logs\r\n🔷 [Resources](https://docs.microsoft.com/azure/governance/resource-graph/samples/starter) ✳️ [Key Vault](https://azure.microsoft.com/services/key-vault/)
\r\n\r\n## Recommended Resources\r\n💡 [Data destruction in Microsoft 365](https://docs.microsoft.com/compliance/assurance/assurance-data-destruction)
\r\n💡 [Azure customer data protection](https://docs.microsoft.com/azure/security/fundamentals/protection-customer-data)
\r\n💡 [Configure encryption with customer-managed keys stored in Azure Key Vault](https://docs.microsoft.com/azure/storage/common/customer-managed-keys-configure-key-vault)
\r\n💡 [NIST SP 800-88: Guidelines for Media Sanitization](https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-88r1.pdf)
\r\n\r\n## Implementation Guidance\r\n[Microsoft Technical Reference Guide for CMMC](https://aka.ms/cmmc/techrefguide)\r\n## NIST SP 800-171 Mapping\r\n[3.7.3](https://csrc.nist.gov/publications/detail/sp/800-171/rev-2/final)
\r\n## NIST SP 800-53 R4 Mapping\r\n[MA-2](https://csrc.nist.gov/publications/detail/sp/800-53/rev-4/final)\r\n## Microsoft Defender for Cloud: Regulatory Compliance\r\n[Go To: NIST SP 800-171 Assessment >](https://portal.azure.com/#blade/Microsoft_Azure_Security/SecurityMenuBlade/22)
\r\n" + }, + "customWidth": "50", + "name": "text - 0", + "styleSettings": { + "maxWidth": "50" + } + }, + { + "type": 3, + "content": { + "version": "KqlItem/1.0", + "query": "resources\r\n| where type contains \"key\"\r\n| project id,type,location,resourceGroup\r\n| order by location asc", + "size": 0, + "showAnalytics": true, + "title": "Leverage Key Vaults for Cryptographic Erasure", + "noDataMessage": "An Empty Panel Provides Opportunity To Explore Further and Implement Hardening. Controls: Confirm Licensing, Availability, and Health of Respective Offerings. ", + "showExportToExcel": true, + "queryType": 1, + "resourceType": "microsoft.resourcegraph/resources", + "crossComponentResources": [ + "{Workspace}" + ], + "gridSettings": { + "filter": true + } + }, + "customWidth": "50", + "name": "query - 1" + }, + { + "type": 12, + "content": { + "version": "NotebookGroup/1.0", + "groupType": "editable", + "items": [ + { + "type": 1, + "content": { + "json": "## Control Assessment\r\n" + }, + "name": "text - 2" + }, + { + "type": 9, + "content": { + "version": "KqlParameterItem/1.0", + "parameters": [ + { + "id": "52668f65-b44a-4e14-82d8-c87410e7e5dc", + "version": "KqlParameterItem/1.0", + "name": "ImplementationStatus", + "label": "Implementation Status", + "type": 2, + "typeSettings": { + "additionalResourceOptions": [], + "showDefault": false + }, + "jsonData": "[\r\n {\"value\": \"Not Implemented\", \"label\": \"Not Implemented\", \"selected\":true},\r\n {\"value\": \"Implemented\", \"label\": \"Implemented\"},\r\n {\"value\": \"Alternate Implementation\", \"label\": \"Alternate Implementation\"},\r\n {\"value\": \"Planned\", \"label\": \"Planned\"},\r\n {\"value\": \"Out of Scope\", \"label\": \"Out of Scope\"}\r\n]", + "timeContext": { + "durationMs": 86400000 + } + }, + { + "id": "578b8620-30b9-4b92-abc6-997998bc8156", + "version": "KqlParameterItem/1.0", + "name": "ImplementationDate", + "label": "Implementation Date", + "type": 1, + "value": "", + "timeContext": { + "durationMs": 86400000 + } + }, + { + "version": "KqlParameterItem/1.0", + "name": "Notes", + "type": 1, + "value": "", + "timeContext": { + "durationMs": 86400000 + }, + "id": "7bd0d384-d3c3-4c77-9dae-d75e823edfcf" + } + ], + "style": "pills", + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces" + }, + "name": "Status" + }, + { + "type": 1, + "content": { + "json": "### Notes
\r\n{Notes}" + }, + "name": "text - 1" + } + ] + }, + "customWidth": "50", + "name": "group - 2" + } + ] + }, + "name": "MA.L2-3.7.3", + "styleSettings": { + "showBorder": true + } + }, + { + "type": 12, + "content": { + "version": "NotebookGroup/1.0", + "groupType": "editable", + "items": [ + { + "type": 1, + "content": { + "json": "# (MA.L2-3.7.4) Media Inspection \r\n\r\n## Secondary Services\r\n✳️ [Intune/Microsoft Endpoint Manager](https://www.microsoft.com/microsoft-365/microsoft-endpoint-Manager) 🔀[Microsoft Endpoint Manager Admin Center](https://endpoint.microsoft.com/#home)
\r\n✳️ [Microsoft Defender for Endpoint]( https://www.microsoft.com/microsoft-365/security/endpoint-defender) 🔀[Microsoft 365 Defender](https://security.microsoft.com/)
\r\n\r\n## Recommended Logs\r\n🔷 [SecurityAlert](https://docs.microsoft.com/azure/azure-monitor/reference/tables/securityevent) ✳️ [Microsoft Defender for Endpoint](https://www.microsoft.com/microsoft-365/security/endpoint-defender)
\r\n\r\n## Recommended Resources\r\n💡 [Use Microsoft Endpoint Configuration Manager to Run a Scan](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-antivirus/run-scan-microsoft-defender-antivirus#use-microsoft-endpoint-configuration-manager-to-run-a-scan)
\r\n💡 [Custom Scan a USB Drive](https://gallery.technet.microsoft.com/Custom-scan-a-USB-drive-17b9be2a)
\r\n\r\n## Implementation Guidance\r\n[Microsoft Technical Reference Guide for CMMC](https://aka.ms/cmmc/techrefguide)\r\n## NIST SP 800-171 Mapping\r\n[3.7.4](https://csrc.nist.gov/publications/detail/sp/800-171/rev-2/final)
\r\n## NIST SP 800-53 R4 Mapping\r\n[MA-3(2)](https://csrc.nist.gov/publications/detail/sp/800-53/rev-4/final)\r\n## Microsoft Defender for Cloud: Regulatory Compliance\r\n[Go To: NIST SP 800-171 Assessment >](https://portal.azure.com/#blade/Microsoft_Azure_Security/SecurityMenuBlade/22)
\r\n" + }, + "customWidth": "50", + "name": "text - 0", + "styleSettings": { + "maxWidth": "50" + } + }, + { + "type": 3, + "content": { + "version": "KqlItem/1.0", + "query": "SecurityAlert\r\n| where ProviderName == \"MDATP\"\r\n| where AlertName contains \"hack\" or AlertName contains \"mal\" or AlertName contains \"software\" or AlertName contains \"virus\" or AlertName contains \"trojan\" or AlertName contains \"c2\" or AlertName contains \"beacon\"\r\n| distinct AlertName, AlertSeverity, ProductName, AlertLink, TimeGenerated\r\n| sort by TimeGenerated desc\r\n| limit 250", + "size": 0, + "showAnalytics": true, + "title": "Scan Removeable Media with Microsoft Defender for Endpoint ", + "noDataMessage": "An Empty Panel Provides Opportunity To Explore Further and Implement Hardening. Controls: Confirm Licensing, Availability, and Health of Respective Offerings. Logging: Confirm Log Source is Onboarded to the Log Analytics Workspace. Time: Adjust the Time Parameter for a Larger Data-Set. ", + "timeContext": { + "durationMs": 2592000000 + }, + "timeContextFromParameter": "TimeRange", + "showExportToExcel": true, + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces", + "crossComponentResources": [ + "{Workspace}" + ], + "gridSettings": { + "formatters": [ + { + "columnMatch": "AlertName", + "formatter": 18, + "formatOptions": { + "thresholdsOptions": "icons", + "thresholdsGrid": [ + { + "operator": "Default", + "thresholdValue": null, + "representation": "3", + "text": "{0}{1}" + } + ] + } + }, + { + "columnMatch": "Severity", + "formatter": 18, + "formatOptions": { + "thresholdsOptions": "colors", + "thresholdsGrid": [ + { + "operator": "==", + "thresholdValue": "High", + "representation": "redBright", + "text": "{0}{1}" + }, + { + "operator": "==", + "thresholdValue": "Medium", + "representation": "orange", + "text": "{0}{1}" + }, + { + "operator": "==", + "thresholdValue": "Low", + "representation": "yellow", + "text": "{0}{1}" + }, + { + "operator": "Default", + "thresholdValue": null, + "representation": "blue", + "text": "{0}{1}" + } + ] + } + }, + { + "columnMatch": "ProductName", + "formatter": 18, + "formatOptions": { + "thresholdsOptions": "icons", + "thresholdsGrid": [ + { + "operator": "Default", + "thresholdValue": null, + "representation": "uninitialized", + "text": "{0}{1}" + } + ] + } + }, + { + "columnMatch": "AlertLink", + "formatter": 7, + "formatOptions": { + "linkTarget": "Url", + "linkLabel": "" + } + }, + { + "columnMatch": "UPN", + "formatter": 18, + "formatOptions": { + "thresholdsOptions": "icons", + "thresholdsGrid": [ + { + "operator": "Default", + "thresholdValue": null, + "representation": "Person", + "text": "{0}{1}" + } + ] + } + }, + { + "columnMatch": "IncidentUrl", + "formatter": 7, + "formatOptions": { + "linkTarget": "Url", + "linkLabel": "Go to Incident >" + }, + "numberFormat": { + "unit": 0, + "options": { + "style": "decimal" + } + } + }, + { + "columnMatch": "count_", + "formatter": 8, + "formatOptions": { + "palette": "blue" + } + }, + { + "columnMatch": "UserPrincipalName", + "formatter": 18, + "formatOptions": { + "thresholdsOptions": "icons", + "thresholdsGrid": [ + { + "operator": "Default", + "thresholdValue": null, + "representation": "resource", + "text": "{0}{1}" + } + ] + } + }, + { + "columnMatch": "city_", + "formatter": 18, + "formatOptions": { + "thresholdsOptions": "colors", + "thresholdsGrid": [ + { + "operator": "Default", + "thresholdValue": null, + "representation": "blue", + "text": "{0}{1}" + } + ] + } + }, + { + "columnMatch": "state_", + "formatter": 18, + "formatOptions": { + "thresholdsOptions": "colors", + "thresholdsGrid": [ + { + "operator": "Default", + "thresholdValue": null, + "representation": "blueDark", + "text": "{0}{1}" + } + ] + } + } + ], + "filter": true + }, + "tileSettings": { + "titleContent": { + "columnMatch": "SigninStatus", + "formatter": 1 + }, + "leftContent": { + "columnMatch": "Count", + "formatter": 12, + "formatOptions": { + "palette": "blue" + }, + "numberFormat": { + "unit": 17, + "options": { + "style": "decimal", + "maximumFractionDigits": 2, + "maximumSignificantDigits": 3 + } + } + }, + "secondaryContent": { + "columnMatch": "Trend", + "formatter": 9, + "formatOptions": { + "palette": "green" + } + }, + "showBorder": false + }, + "mapSettings": { + "locInfo": "CountryRegion", + "locInfoColumn": "Location", + "latitude": "SourceIPLocation", + "longitude": "SourceIPLocation", + "sizeSettings": "Location", + "sizeAggregation": "Count", + "legendMetric": "Location", + "legendAggregation": "Count", + "itemColorSettings": { + "nodeColorField": "Location", + "colorAggregation": "Count", + "type": "thresholds", + "thresholdsGrid": [ + { + "operator": "Default", + "thresholdValue": null, + "representation": "blueDark" + } + ] + } + } + }, + "customWidth": "50", + "name": "query - 2" + }, + { + "type": 12, + "content": { + "version": "NotebookGroup/1.0", + "groupType": "editable", + "items": [ + { + "type": 1, + "content": { + "json": "## Control Assessment\r\n" + }, + "name": "text - 2" + }, + { + "type": 9, + "content": { + "version": "KqlParameterItem/1.0", + "parameters": [ + { + "id": "52668f65-b44a-4e14-82d8-c87410e7e5dc", + "version": "KqlParameterItem/1.0", + "name": "ImplementationStatus", + "label": "Implementation Status", + "type": 2, + "typeSettings": { + "additionalResourceOptions": [], + "showDefault": false + }, + "jsonData": "[\r\n {\"value\": \"Not Implemented\", \"label\": \"Not Implemented\", \"selected\":true},\r\n {\"value\": \"Implemented\", \"label\": \"Implemented\"},\r\n {\"value\": \"Alternate Implementation\", \"label\": \"Alternate Implementation\"},\r\n {\"value\": \"Planned\", \"label\": \"Planned\"},\r\n {\"value\": \"Out of Scope\", \"label\": \"Out of Scope\"}\r\n]", + "timeContext": { + "durationMs": 86400000 + } + }, + { + "id": "578b8620-30b9-4b92-abc6-997998bc8156", + "version": "KqlParameterItem/1.0", + "name": "ImplementationDate", + "label": "Implementation Date", + "type": 1, + "value": "", + "timeContext": { + "durationMs": 86400000 + } + }, + { + "version": "KqlParameterItem/1.0", + "name": "Notes", + "type": 1, + "value": "", + "timeContext": { + "durationMs": 86400000 + }, + "id": "7bd0d384-d3c3-4c77-9dae-d75e823edfcf" + } + ], + "style": "pills", + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces" + }, + "name": "Status" + }, + { + "type": 1, + "content": { + "json": "### Notes
\r\n{Notes}" + }, + "name": "text - 1" + } + ] + }, + "customWidth": "50", + "name": "group - 2" + } + ] + }, + "name": "MA.L2-3.7.4", + "styleSettings": { + "showBorder": true + } + }, + { + "type": 12, + "content": { + "version": "NotebookGroup/1.0", + "groupType": "editable", + "items": [ + { + "type": 1, + "content": { + "json": "# (MA.L2-3.7.5) Nonlocal Maintenance\r\n\r\n## Primary Services\r\n✳️ [Microsoft Azure Portal](https://azure.microsoft.com/services/azure-defender-for-iot/) 🔀[Microsoft Azure Portal](https://portal.azure.com/)
\r\n✳️ [Azure Active Directory](https://azure.microsoft.com/services/active-directory/) 🔀[Azure Active Directory Portal](https://portal.azure.com/#blade/Microsoft_AAD_IAM/ActiveDirectoryMenuBlade/Overview)
\r\n✳️ [Multi-Factor Authentication](https://azure.microsoft.com/services/active-directory/) 🔀[Multi-Factor Authentication](https://portal.azure.com/#blade/Microsoft_AAD_IAM/MultifactorAuthenticationMenuBlade/GettingStarted)
\r\n\r\n## Secondary Services\r\n✳️ [Intune/Microsoft Endpoint Manager](https://www.microsoft.com/microsoft-365/microsoft-endpoint-Manager) 🔀[Microsoft Endpoint Manager Admin Center](https://endpoint.microsoft.com/#home)
\r\n\r\n## Recommended Logs\r\n🔷 [SigninLogs](https://docs.microsoft.com/azure/azure-monitor/reference/tables/signinlogs) ✳️ [Azure Active Directory](https://azure.microsoft.com/services/active-directory/)
\r\n\r\n## Implementation Guidance\r\n[Microsoft Technical Reference Guide for CMMC](https://aka.ms/cmmc/techrefguide)\r\n## NIST SP 800-171 Mapping\r\n[3.7.5](https://csrc.nist.gov/publications/detail/sp/800-171/rev-2/final)
\r\n## NIST SP 800-53 R4 Mapping\r\n[MA-4](https://csrc.nist.gov/publications/detail/sp/800-53/rev-4/final)\r\n## Microsoft Defender for Cloud: Regulatory Compliance\r\n[Go To: NIST SP 800-171 Assessment >](https://portal.azure.com/#blade/Microsoft_Azure_Security/SecurityMenuBlade/22)
\r\n" + }, + "customWidth": "50", + "name": "text - 0", + "styleSettings": { + "maxWidth": "50" + } + }, + { + "type": 3, + "content": { + "version": "KqlItem/1.0", + "query": "let nonInteractive = AADNonInteractiveUserSignInLogs\r\n| extend LocationDetails = parse_json(LocationDetails)\r\n| extend Status = parse_json(Status)\r\n| extend ConditionalAccessPolicies = parse_json(ConditionalAccessPolicies);\r\nlet data = \r\nunion SigninLogs,nonInteractive \r\n|extend errorCode = toint(Status.errorCode)\r\n|extend Reason = tostring(Status.failureReason)\r\n|extend CAStatus = case(ConditionalAccessStatus ==0,\"✔️ Success\", \r\n ConditionalAccessStatus == 1, \"❌ Failure\", \r\n ConditionalAccessStatus == 2, \"⚠️ Not Applied\", \r\n ConditionalAccessStatus == \"\", \"⚠️ Not Applied\", \r\n \"🚫 Disabled\")\r\n|mvexpand ConditionalAccessPolicies\r\n|extend CAGrantControlName = tostring(ConditionalAccessPolicies.enforcedGrantControls[0])\r\n|extend CAGrantControl = case(CAGrantControlName contains \"MFA\", \"Require MFA\", \r\n CAGrantControlName contains \"Terms of Use\", \"Require Terms of Use\", \r\n CAGrantControlName contains \"Privacy\", \"Require Privacy Statement\", \r\n CAGrantControlName contains \"Device\", \"Require Device Compliant\", \r\n CAGrantControlName contains \"Azure AD Joined\", \"Require Hybird Azure AD Joined Device\", \r\n CAGrantControlName contains \"Apps\", \"Require Approved Apps\",\"Other\");\r\ndata\r\n| where CAGrantControl contains \"MFA\"\r\n| extend Result = tostring(ConditionalAccessPolicies.result)\r\n| extend UserProfile = strcat(\"https://portal.azure.com/#blade/Microsoft_AAD_IAM/UserDetailsMenuBlade/Profile/userId/\",UserId)\r\n| where Result == \"notApplied\"\r\n| summarize count() by UserPrincipalName, UserProfile, CAGrantControl, Result\r\n| sort by count_ desc\r\n| project UserPrincipalName, UserProfile, CAGrantControl, Result, count_\r\n| limit 250\r\n\r\n\r\n\r\n\r\n", + "size": 0, + "showAnalytics": true, + "title": "Users Authenticating Without MFA", + "noDataMessage": "An Empty Panel Provides Opportunity To Explore Further and Implement Hardening. Controls: Confirm Licensing, Availability, and Health of Respective Offerings. Logging: Confirm Log Source is Onboarded to the Log Analytics Workspace. Time: Adjust the Time Parameter for a Larger Data-Set. ", + "timeContext": { + "durationMs": 2592000000 + }, + "timeContextFromParameter": "TimeRange", + "showExportToExcel": true, + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces", + "crossComponentResources": [ + "{Workspace}" + ], + "gridSettings": { + "formatters": [ + { + "columnMatch": "UserPrincipalName", + "formatter": 18, + "formatOptions": { + "thresholdsOptions": "icons", + "thresholdsGrid": [ + { + "operator": "Default", + "thresholdValue": null, + "representation": "Person", + "text": "{0}{1}" + } + ] + } + }, + { + "columnMatch": "UserProfile", + "formatter": 7, + "formatOptions": { + "linkTarget": "Url", + "linkLabel": "Go To: AAD User Profile >" + } + }, + { + "columnMatch": "Result", + "formatter": 18, + "formatOptions": { + "thresholdsOptions": "icons", + "thresholdsGrid": [ + { + "operator": "Default", + "thresholdValue": null, + "representation": "4", + "text": "{0}{1}" + } + ] + } + }, + { + "columnMatch": "count_", + "formatter": 4, + "formatOptions": { + "palette": "redBright" + } + } + ], + "filter": true + } + }, + "customWidth": "50", + "name": "query - 2", + "styleSettings": { + "maxWidth": "50%" + } + }, + { + "type": 12, + "content": { + "version": "NotebookGroup/1.0", + "groupType": "editable", + "items": [ + { + "type": 1, + "content": { + "json": "## Control Assessment\r\n" + }, + "name": "text - 2" + }, + { + "type": 9, + "content": { + "version": "KqlParameterItem/1.0", + "parameters": [ + { + "id": "52668f65-b44a-4e14-82d8-c87410e7e5dc", + "version": "KqlParameterItem/1.0", + "name": "ImplementationStatus", + "label": "Implementation Status", + "type": 2, + "typeSettings": { + "additionalResourceOptions": [], + "showDefault": false + }, + "jsonData": "[\r\n {\"value\": \"Not Implemented\", \"label\": \"Not Implemented\", \"selected\":true},\r\n {\"value\": \"Implemented\", \"label\": \"Implemented\"},\r\n {\"value\": \"Alternate Implementation\", \"label\": \"Alternate Implementation\"},\r\n {\"value\": \"Planned\", \"label\": \"Planned\"},\r\n {\"value\": \"Out of Scope\", \"label\": \"Out of Scope\"}\r\n]", + "timeContext": { + "durationMs": 86400000 + } + }, + { + "id": "578b8620-30b9-4b92-abc6-997998bc8156", + "version": "KqlParameterItem/1.0", + "name": "ImplementationDate", + "label": "Implementation Date", + "type": 1, + "value": "", + "timeContext": { + "durationMs": 86400000 + } + }, + { + "version": "KqlParameterItem/1.0", + "name": "Notes", + "type": 1, + "value": "", + "timeContext": { + "durationMs": 86400000 + }, + "id": "7bd0d384-d3c3-4c77-9dae-d75e823edfcf" + } + ], + "style": "pills", + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces" + }, + "name": "Status" + }, + { + "type": 1, + "content": { + "json": "### Notes
\r\n{Notes}" + }, + "name": "text - 1" + } + ] + }, + "customWidth": "50", + "name": "group - 2" + } + ] + }, + "name": "MA.L2-3.7.5", + "styleSettings": { + "showBorder": true + } + }, + { + "type": 12, + "content": { + "version": "NotebookGroup/1.0", + "groupType": "editable", + "items": [ + { + "type": 1, + "content": { + "json": "# (MA.L2-3.7.6) Maintenance Personnel\r\n\r\n## Secondary Services\r\n✳️ [Customer Lockbox](https://docs.microsoft.com/azure/security/fundamentals/customer-lockbox-overview) 🔀[Customer Lockbox](https://portal.azure.com/#blade/Microsoft_Azure_Lockbox/LockboxMenu/Overview)
\r\n✳️ [Azure AD Privileged Identity Management](https://docs.microsoft.com/azure/active-directory/privileged-identity-management/pim-getting-started) 🔀[Privileged Identity Management](https://portal.azure.com/#blade/Microsoft_Azure_PIMCommon/CommonMenuBlade/quickStart)
\r\n\r\n## Recommended Logs\r\n🔷 [AuditLogs](https://docs.microsoft.com/azure/azure-monitor/reference/tables/auditlogs) ✳️ [Azure Active Directory](https://azure.microsoft.com/services/active-directory/)
\r\n\r\n## Implementation Guidance\r\n[Microsoft Technical Reference Guide for CMMC](https://aka.ms/cmmc/techrefguide)\r\n## NIST SP 800-171 Mapping\r\n[3.7.6](https://csrc.nist.gov/publications/detail/sp/800-171/rev-2/final)
\r\n## NIST SP 800-53 R4 Mapping\r\n[MA-5](https://csrc.nist.gov/publications/detail/sp/800-53/rev-4/final)\r\n## Microsoft Defender for Cloud: Regulatory Compliance\r\n[Go To: NIST SP 800-171 Assessment >](https://portal.azure.com/#blade/Microsoft_Azure_Security/SecurityMenuBlade/22)
\r\n" + }, + "customWidth": "50", + "name": "text - 0", + "styleSettings": { + "maxWidth": "50" + } + }, + { + "type": 3, + "content": { + "version": "KqlItem/1.0", + "query": "AuditLogs\r\n| where OperationName contains \"PIM\"\r\n| distinct OperationName, Identity, AADOperationType, TimeGenerated\r\n| sort by TimeGenerated desc\r\n| project OperationName, AADOperationType, Identity, TimeGenerated\r\n| limit 250", + "size": 0, + "showAnalytics": true, + "title": "Implement/Monitor Privileged Identity Management for Maintenance", + "noDataMessage": "An Empty Panel Provides Opportunity To Explore Further and Implement Hardening. Controls: Confirm Licensing, Availability, and Health of Respective Offerings. Logging: Confirm Log Source is Onboarded to the Log Analytics Workspace. Time: Adjust the Time Parameter for a Larger Data-Set. ", + "timeContext": { + "durationMs": 2592000000 + }, + "timeContextFromParameter": "TimeRange", + "showExportToExcel": true, + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces", + "crossComponentResources": [ + "{Workspace}" + ], + "gridSettings": { + "formatters": [ + { + "columnMatch": "OperationName", + "formatter": 18, + "formatOptions": { + "thresholdsOptions": "icons", + "thresholdsGrid": [ + { + "operator": "Default", + "thresholdValue": null, + "representation": "Gear", + "text": "{0}{1}" + } + ] + } + }, + { + "columnMatch": "Identity", + "formatter": 18, + "formatOptions": { + "thresholdsOptions": "icons", + "thresholdsGrid": [ + { + "operator": "Default", + "thresholdValue": null, + "representation": "Person", + "text": "{0}{1}" + } + ] + } + } + ], + "filter": true + } + }, + "customWidth": "50", + "name": "query - 1" + }, + { + "type": 12, + "content": { + "version": "NotebookGroup/1.0", + "groupType": "editable", + "items": [ + { + "type": 1, + "content": { + "json": "## Control Assessment\r\n" + }, + "name": "text - 2" + }, + { + "type": 9, + "content": { + "version": "KqlParameterItem/1.0", + "parameters": [ + { + "id": "52668f65-b44a-4e14-82d8-c87410e7e5dc", + "version": "KqlParameterItem/1.0", + "name": "ImplementationStatus", + "label": "Implementation Status", + "type": 2, + "typeSettings": { + "additionalResourceOptions": [], + "showDefault": false + }, + "jsonData": "[\r\n {\"value\": \"Not Implemented\", \"label\": \"Not Implemented\", \"selected\":true},\r\n {\"value\": \"Implemented\", \"label\": \"Implemented\"},\r\n {\"value\": \"Alternate Implementation\", \"label\": \"Alternate Implementation\"},\r\n {\"value\": \"Planned\", \"label\": \"Planned\"},\r\n {\"value\": \"Out of Scope\", \"label\": \"Out of Scope\"}\r\n]", + "timeContext": { + "durationMs": 86400000 + } + }, + { + "id": "578b8620-30b9-4b92-abc6-997998bc8156", + "version": "KqlParameterItem/1.0", + "name": "ImplementationDate", + "label": "Implementation Date", + "type": 1, + "value": "", + "timeContext": { + "durationMs": 86400000 + } + }, + { + "version": "KqlParameterItem/1.0", + "name": "Notes", + "type": 1, + "value": "", + "timeContext": { + "durationMs": 86400000 + }, + "id": "7bd0d384-d3c3-4c77-9dae-d75e823edfcf" + } + ], + "style": "pills", + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces" + }, + "name": "Status" + }, + { + "type": 1, + "content": { + "json": "### Notes
\r\n{Notes}" + }, + "name": "text - 1" + } + ] + }, + "customWidth": "50", + "name": "group - 2" + } + ] + }, + "name": "MA.L2-3.7.6", + "styleSettings": { + "showBorder": true + } + } + ] + }, + "conditionalVisibility": { + "parameterName": "isML2Visible", + "comparison": "isEqualTo", + "value": "true" + }, + "name": "Level 2: Advanced" + } + ] + }, + "conditionalVisibility": { + "parameterName": "isMAVisible", + "comparison": "isEqualTo", + "value": "true" + }, + "name": "Maintenance", + "styleSettings": { + "showBorder": true + } + }, + { + "type": 12, + "content": { + "version": "NotebookGroup/1.0", + "groupType": "editable", + "items": [ + { + "type": 1, + "content": { + "json": "# Media Protection\r\n---\r\nMedia protection includes physical, logical, and administrative controls over sensitive data. For more information, see the 💡[CMMC Model](https://www.acq.osd.mil/cmmc/model.html)" + }, + "customWidth": "50", + "name": "text - 5" + }, + { + "type": 12, + "content": { + "version": "NotebookGroup/1.0", + "groupType": "editable", + "title": "Level 1: Foundational", + "items": [ + { + "type": 1, + "content": { + "json": "The Department views Level 1 (“Foundational”) as an opportunity to engage its contractors in developing and strengthening their approach to cybersecurity. Because Level 1 does not involve sensitive national security information, DoD intends for this Level to allow companies to assess their own cybersecurity and begin adopting practices that will thwart cyber-attacks. " + }, + "customWidth": "50", + "name": "text - 1" + }, + { + "type": 1, + "content": { + "json": "" + }, + "customWidth": "5", + "name": "text - 2" + }, + { + "type": 11, + "content": { + "version": "LinkItem/1.0", + "style": "list", + "links": [ + { + "id": "af33f331-b64b-4fbd-a0b4-3e411ff705a8", + "cellValue": "MP.1.118", + "linkTarget": "step", + "linkLabel": "✳️ (MP.L1-3.8.3) Media Disposal", + "preText": "", + "postText": "", + "style": "link" + } + ] + }, + "customWidth": "40", + "name": "ML1 Steps" + }, + { + "type": 12, + "content": { + "version": "NotebookGroup/1.0", + "groupType": "editable", + "items": [ + { + "type": 1, + "content": { + "json": "# (MP.L1-3.8.3) Media Disposal\r\n\r\n## Primary Services\r\n✳️ [Key Vault](https://azure.microsoft.com/services/key-vault/) 🔀 [Key Vaults](https://portal.azure.com/#blade/HubsExtension/BrowseResource/resourceType/Microsoft.KeyVault%2Fvaults)
\r\n\r\n## Secondary Services\r\n✳️ [Azure Information Protection](https://azure.microsoft.com/services/information-protection/) 🔀 [Azure Information Protection](https://portal.azure.com/#blade/Microsoft_Azure_InformationProtection/DataClassGroupEditBlade/quickstartBlade)
\r\n\r\n\r\n## Recommended Logs\r\n🔷 [Resources](https://docs.microsoft.com/azure/governance/resource-graph/samples/starter) ✳️ [Key Vault](https://azure.microsoft.com/services/key-vault/)
\r\n🔷 [InformationProtectionLogs_CL](https://docs.microsoft.com/azure/information-protection/audit-logs) ✳️ [Azure Information Protection](https://azure.microsoft.com/services/information-protection/)
\r\n\r\n## Recommended Resources\r\n💡 [Data destruction in Microsoft 365](https://docs.microsoft.com/compliance/assurance/assurance-data-destruction)
\r\n💡 [NIST SP 800-88: Guidelines for Media Sanitization](https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-88r1.pdf)
\r\n💡 [Purge Process](https://docs.microsoft.com/azure/data-explorer/kusto/concepts/data-purge#purge-process)
\r\n💡 [Configure encryption with customer-managed keys stored in Azure Key Vault](https://docs.microsoft.com/azure/storage/common/customer-managed-keys-configure-key-vault)
\r\n\r\n## Implementation Guidance\r\n[Microsoft Technical Reference Guide for CMMC](https://aka.ms/cmmc/techrefguide)\r\n## NIST SP 800-171 Mapping\r\n[3.8.3](https://csrc.nist.gov/publications/detail/sp/800-171/rev-2/final)
\r\n## NIST SP 800-53 R4 Mapping\r\n[MP-2, MP-4, MP-6](https://csrc.nist.gov/publications/detail/sp/800-53/rev-4/final)\r\n## Microsoft Defender for Cloud: Regulatory Compliance\r\n[Go To: NIST SP 800-171 Assessment >](https://portal.azure.com/#blade/Microsoft_Azure_Security/SecurityMenuBlade/22)
\r\n" + }, + "customWidth": "50", + "name": "text - 0", + "styleSettings": { + "maxWidth": "50" + } + }, + { + "type": 3, + "content": { + "version": "KqlItem/1.0", + "query": "InformationProtectionLogs_CL\r\n| limit 250\r\n\r\n", + "size": 0, + "showAnalytics": true, + "title": "Scan/Monitor for Sensitive Data with Azure Information Protection", + "noDataMessage": "An Empty Panel Provides Opportunity To Explore Further and Implement Hardening. Controls: Confirm Licensing, Availability, and Health of Respective Offerings. Logging: Confirm Log Source is Onboarded to the Log Analytics Workspace. Time: Adjust the Time Parameter for a Larger Data-Set. ", + "timeContext": { + "durationMs": 2592000000 + }, + "timeContextFromParameter": "TimeRange", + "showExportToExcel": true, + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces", + "crossComponentResources": [ + "{Workspace}" + ], + "gridSettings": { + "formatters": [ + { + "columnMatch": "UserId_s", + "formatter": 18, + "formatOptions": { + "thresholdsOptions": "icons", + "thresholdsGrid": [ + { + "operator": "Default", + "thresholdValue": null, + "representation": "Person", + "text": "{0}{1}" + } + ] + } + }, + { + "columnMatch": "AlertName", + "formatter": 18, + "formatOptions": { + "thresholdsOptions": "icons", + "thresholdsGrid": [ + { + "operator": "Default", + "thresholdValue": null, + "representation": "3", + "text": "{0}{1}" + } + ] + } + }, + { + "columnMatch": "Severity", + "formatter": 18, + "formatOptions": { + "thresholdsOptions": "colors", + "thresholdsGrid": [ + { + "operator": "==", + "thresholdValue": "High", + "representation": "red", + "text": "{0}{1}" + }, + { + "operator": "==", + "thresholdValue": "Medium", + "representation": "orange", + "text": "{0}{1}" + }, + { + "operator": "==", + "thresholdValue": "Low", + "representation": "yellow", + "text": "{0}{1}" + }, + { + "operator": "Default", + "thresholdValue": null, + "representation": "blue", + "text": "{0}{1}" + } + ] + } + }, + { + "columnMatch": "ProductName", + "formatter": 18, + "formatOptions": { + "thresholdsOptions": "icons", + "thresholdsGrid": [ + { + "operator": "Default", + "thresholdValue": null, + "representation": "uninitialized", + "text": "{0}{1}" + } + ] + } + }, + { + "columnMatch": "AlertLink", + "formatter": 7, + "formatOptions": { + "linkTarget": "Url", + "linkLabel": "Go to Alert >" + } + }, + { + "columnMatch": "UPN", + "formatter": 18, + "formatOptions": { + "thresholdsOptions": "icons", + "thresholdsGrid": [ + { + "operator": "Default", + "thresholdValue": null, + "representation": "2", + "text": "{0}{1}" + } + ] + } + }, + { + "columnMatch": "IncidentUrl", + "formatter": 7, + "formatOptions": { + "linkTarget": "Url", + "linkLabel": "Go to Incident >" + }, + "numberFormat": { + "unit": 0, + "options": { + "style": "decimal" + } + } + }, + { + "columnMatch": "count_", + "formatter": 8, + "formatOptions": { + "palette": "blue" + } + }, + { + "columnMatch": "city_", + "formatter": 18, + "formatOptions": { + "thresholdsOptions": "colors", + "thresholdsGrid": [ + { + "operator": "Default", + "thresholdValue": null, + "representation": "blue", + "text": "{0}{1}" + } + ] + } + }, + { + "columnMatch": "state_", + "formatter": 18, + "formatOptions": { + "thresholdsOptions": "colors", + "thresholdsGrid": [ + { + "operator": "Default", + "thresholdValue": null, + "representation": "blueDark", + "text": "{0}{1}" + } + ] + } + } + ], + "filter": true + }, + "tileSettings": { + "titleContent": { + "columnMatch": "SigninStatus", + "formatter": 1 + }, + "leftContent": { + "columnMatch": "Count", + "formatter": 12, + "formatOptions": { + "palette": "blue" + }, + "numberFormat": { + "unit": 17, + "options": { + "style": "decimal", + "maximumFractionDigits": 2, + "maximumSignificantDigits": 3 + } + } + }, + "secondaryContent": { + "columnMatch": "Trend", + "formatter": 9, + "formatOptions": { + "palette": "green" + } + }, + "showBorder": false + }, + "mapSettings": { + "locInfo": "CountryRegion", + "locInfoColumn": "Location", + "latitude": "SourceIPLocation", + "longitude": "SourceIPLocation", + "sizeSettings": "Location", + "sizeAggregation": "Count", + "legendMetric": "Location", + "legendAggregation": "Count", + "itemColorSettings": { + "nodeColorField": "Location", + "colorAggregation": "Count", + "type": "thresholds", + "thresholdsGrid": [ + { + "operator": "Default", + "thresholdValue": null, + "representation": "blueDark" + } + ] + } + } + }, + "customWidth": "50", + "name": "query - 2" + }, + { + "type": 12, + "content": { + "version": "NotebookGroup/1.0", + "groupType": "editable", + "items": [ + { + "type": 1, + "content": { + "json": "## Control Assessment\r\n" + }, + "name": "text - 2" + }, + { + "type": 9, + "content": { + "version": "KqlParameterItem/1.0", + "parameters": [ + { + "id": "52668f65-b44a-4e14-82d8-c87410e7e5dc", + "version": "KqlParameterItem/1.0", + "name": "ImplementationStatus", + "label": "Implementation Status", + "type": 2, + "typeSettings": { + "additionalResourceOptions": [], + "showDefault": false + }, + "jsonData": "[\r\n {\"value\": \"Not Implemented\", \"label\": \"Not Implemented\", \"selected\":true},\r\n {\"value\": \"Implemented\", \"label\": \"Implemented\"},\r\n {\"value\": \"Alternate Implementation\", \"label\": \"Alternate Implementation\"},\r\n {\"value\": \"Planned\", \"label\": \"Planned\"},\r\n {\"value\": \"Out of Scope\", \"label\": \"Out of Scope\"}\r\n]", + "timeContext": { + "durationMs": 86400000 + } + }, + { + "id": "578b8620-30b9-4b92-abc6-997998bc8156", + "version": "KqlParameterItem/1.0", + "name": "ImplementationDate", + "label": "Implementation Date", + "type": 1, + "value": "", + "timeContext": { + "durationMs": 86400000 + } + }, + { + "version": "KqlParameterItem/1.0", + "name": "Notes", + "type": 1, + "value": "", + "timeContext": { + "durationMs": 86400000 + }, + "id": "7bd0d384-d3c3-4c77-9dae-d75e823edfcf" + } + ], + "style": "pills", + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces" + }, + "name": "Status" + }, + { + "type": 1, + "content": { + "json": "### Notes
\r\n{Notes}" + }, + "name": "text - 1" + } + ] + }, + "customWidth": "50", + "name": "group - 2" + }, + { + "type": 3, + "content": { + "version": "KqlItem/1.0", + "query": "resources\r\n| where type contains \"key\"\r\n| project id,type,location,resourceGroup\r\n| order by location asc", + "size": 0, + "showAnalytics": true, + "title": "Leverage Key Vaults for Cryptographic Erasure", + "noDataMessage": "An Empty Panel Provides Opportunity To Explore Further and Implement Hardening. Controls: Confirm Licensing, Availability, and Health of Respective Offerings. ", + "showExportToExcel": true, + "queryType": 1, + "resourceType": "microsoft.resourcegraph/resources", + "crossComponentResources": [ + "{Workspace}" + ], + "gridSettings": { + "filter": true + } + }, + "customWidth": "50", + "name": "query - 1" + } + ] + }, + "name": "MP.L1-3.8.3", + "styleSettings": { + "showBorder": true + } + } + ] + }, + "conditionalVisibility": { + "parameterName": "isML1Visible", + "comparison": "isEqualTo", + "value": "true" + }, + "name": "Level 1: Foundational" + }, + { + "type": 12, + "content": { + "version": "NotebookGroup/1.0", + "groupType": "editable", + "title": "Level 2: Advanced", + "items": [ + { + "type": 1, + "content": { + "json": "A subset of programs with Level 2 (“Advanced”) requirements do not involve information critical to national security, and associated contractors will only be required to conduct self-assessments. Once CMMC 2.0 is implemented, contractors will be required to obtain a third-party CMMC assessment for a subset of acquisitions requiring Level 2 (“Advanced”) cybersecurity standards that involve information critical to national security." + }, + "customWidth": "50", + "name": "text - 1" + }, + { + "type": 1, + "content": { + "json": "" + }, + "customWidth": "5", + "name": "text - 1" + }, + { + "type": 11, + "content": { + "version": "LinkItem/1.0", + "style": "list", + "links": [ + { + "id": "af33f331-b64b-4fbd-a0b4-3e411ff705a8", + "cellValue": "MP.L2-3.8.1", + "linkTarget": "step", + "linkLabel": "✳️ (MP.L2-3.8.1) Media Disposal", + "preText": "", + "postText": "", + "style": "link" + }, + { + "id": "cca4d1e8-e1e2-4b1d-9b8a-698e6496924c", + "cellValue": "MP.L2-3.8.2", + "linkTarget": "step", + "linkLabel": "✳️ (MP.L2-3.8.2) Media Access", + "preText": "", + "postText": "", + "style": "link" + }, + { + "id": "f7074cad-e2ec-4a2c-84d1-7b33b14d4c04", + "cellValue": "MP.L2-3.8.4", + "linkTarget": "step", + "linkLabel": "✳️ (MP.L2-3.8.4) Media Markings", + "preText": "", + "postText": "", + "style": "link" + }, + { + "id": "047b340d-7610-48fb-bc6d-a545dfa5c509", + "cellValue": "MP.L2-3.8.5", + "linkTarget": "step", + "linkLabel": "✳️ (MP.L2-3.8.5) Media Accountability", + "preText": "", + "style": "link" + }, + { + "id": "680851a1-60e5-4c20-8559-68e9c6d042c4", + "cellValue": "MP.L2-3.8.6", + "linkTarget": "step", + "linkLabel": "✳️ (MP.L2-3.8.6) Portable Storage Encryption", + "preText": "", + "style": "link" + }, + { + "id": "fc5ad94b-1331-45ad-bf87-602925d83b8a", + "cellValue": "MP.L2-3.8.7", + "linkTarget": "step", + "linkLabel": "✳️ (MP.L2-3.8.7) Removable Storage Encryption", + "preText": "", + "style": "link" + }, + { + "id": "f90ba8af-20bb-47be-88ec-ca41e618fc7f", + "cellValue": "MP.L2-3.8.8", + "linkTarget": "step", + "linkLabel": "✳️ (MP.L2-3.8.8) Shared Media", + "preText": "", + "style": "link" + }, + { + "id": "5ab363c8-664f-4757-8e3d-96f53c62f020", + "cellValue": "MP.L2-3.8.9", + "linkTarget": "step", + "linkLabel": "✳️ (MP.L2-3.8.9) Protect Backups", + "preText": "", + "style": "link" + } + ] + }, + "customWidth": "40", + "name": "ML2 Steps" + }, + { + "type": 12, + "content": { + "version": "NotebookGroup/1.0", + "groupType": "editable", + "items": [ + { + "type": 1, + "content": { + "json": "# (MP.L2-3.8.1) Media Protection \r\n\r\n## Primary Services\r\n✳️ [Key Vault](https://azure.microsoft.com/services/key-vault/) 🔀[Key Vaults](https://portal.azure.com/#blade/HubsExtension/BrowseResource/resourceType/Microsoft.KeyVault%2Fvaults)
\r\n✳️ [Azure Information Protection](https://azure.microsoft.com/services/information-protection/) 🔀[Azure Information Protection](https://portal.azure.com/#blade/Microsoft_Azure_InformationProtection/DataClassGroupEditBlade/quickstartBlade)
\r\n✳️ [Intune/Microsoft Endpoint Manager](https://www.microsoft.com/microsoft-365/microsoft-endpoint-Manager) 🔀[Microsoft Endpoint Manager Admin Center](https://endpoint.microsoft.com/#home)
\r\n\r\n## Secondary Services\r\n✳️ [Virtual Machines](https://azure.microsoft.com/services/virtual-machines/) 🔀[Virtual Machines](https://portal.azure.com/#blade/HubsExtension/BrowseResource/resourceType/Microsoft.Compute%2FVirtualMachines)
\r\n\r\n## Recommended Resources\r\n💡 [Physical Security](https://docs.microsoft.com/azure/security/fundamentals/physical-security)
\r\n\r\n## Implementation Guidance\r\n[Microsoft Technical Reference Guide for CMMC](https://aka.ms/cmmc/techrefguide)\r\n## NIST SP 800-171 Mapping\r\n[3.8.1](https://csrc.nist.gov/publications/detail/sp/800-171/rev-2/final)
\r\n## NIST SP 800-53 R4 Mapping\r\n[MP-2, MP-4, MP-6](https://csrc.nist.gov/publications/detail/sp/800-53/rev-4/final)\r\n## Microsoft Defender for Cloud: Regulatory Compliance\r\n[Go To: NIST SP 800-171 Assessment >](https://portal.azure.com/#blade/Microsoft_Azure_Security/SecurityMenuBlade/22)
\r\n" + }, + "customWidth": "50", + "name": "text - 0", + "styleSettings": { + "maxWidth": "50" + } + }, + { + "type": 1, + "content": { + "json": "### Azure Datacenters: Physically Protect CUI Data in a Secure Location\r\n![Image Name](https://img-prod-cms-rt-microsoft-com.akamaized.net/cms/api/am/imageFileData/RE4q5jn?ver=25d1&q=90&m=6&h=431&w=767&b=%23FFFFFFFF&l=f&o=t&aim=true  \"Physical Security Controls\") 
\r\n[Go To: Physical Security Controls >](https://docs.microsoft.com/azure/security/fundamentals/physical-security)
" + }, + "customWidth": "50", + "name": "text - 2", + "styleSettings": { + "maxWidth": "50%" + } + }, + { + "type": 12, + "content": { + "version": "NotebookGroup/1.0", + "groupType": "editable", + "items": [ + { + "type": 1, + "content": { + "json": "## Control Assessment\r\n" + }, + "name": "text - 2" + }, + { + "type": 9, + "content": { + "version": "KqlParameterItem/1.0", + "parameters": [ + { + "id": "52668f65-b44a-4e14-82d8-c87410e7e5dc", + "version": "KqlParameterItem/1.0", + "name": "ImplementationStatus", + "label": "Implementation Status", + "type": 2, + "typeSettings": { + "additionalResourceOptions": [], + "showDefault": false + }, + "jsonData": "[\r\n {\"value\": \"Not Implemented\", \"label\": \"Not Implemented\", \"selected\":true},\r\n {\"value\": \"Implemented\", \"label\": \"Implemented\"},\r\n {\"value\": \"Alternate Implementation\", \"label\": \"Alternate Implementation\"},\r\n {\"value\": \"Planned\", \"label\": \"Planned\"},\r\n {\"value\": \"Out of Scope\", \"label\": \"Out of Scope\"}\r\n]", + "timeContext": { + "durationMs": 86400000 + } + }, + { + "id": "578b8620-30b9-4b92-abc6-997998bc8156", + "version": "KqlParameterItem/1.0", + "name": "ImplementationDate", + "label": "Implementation Date", + "type": 1, + "value": "", + "timeContext": { + "durationMs": 86400000 + } + }, + { + "version": "KqlParameterItem/1.0", + "name": "Notes", + "type": 1, + "value": "", + "timeContext": { + "durationMs": 86400000 + }, + "id": "7bd0d384-d3c3-4c77-9dae-d75e823edfcf" + } + ], + "style": "pills", + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces" + }, + "name": "Status" + }, + { + "type": 1, + "content": { + "json": "### Notes
\r\n{Notes}" + }, + "name": "text - 1" + } + ] + }, + "customWidth": "50", + "name": "group - 2" + } + ] + }, + "name": "MP.L2-3.8.1", + "styleSettings": { + "showBorder": true + } + }, + { + "type": 12, + "content": { + "version": "NotebookGroup/1.0", + "groupType": "editable", + "items": [ + { + "type": 1, + "content": { + "json": "# (MP.L2-3.8.2) Media Access\r\n\r\n## Primary Services\r\n✳️ [Azure Active Directory](https://azure.microsoft.com/services/active-directory/) 🔀[Azure Active Directory Portal](https://portal.azure.com/#blade/Microsoft_AAD_IAM/ActiveDirectoryMenuBlade/Overview)
\r\n✳️ [Azure Information Protection](https://azure.microsoft.com/services/information-protection/) 🔀[Azure Information Protection](https://portal.azure.com/#blade/Microsoft_Azure_InformationProtection/DataClassGroupEditBlade/quickstartBlade)
\r\n✳️ [Conditional Access](https://docs.microsoft.com/azure/active-directory/conditional-access/overview) 🔀[Azure Active Directory: Conditional Access](https://portal.azure.com/#blade/Microsoft_AAD_IAM/ConditionalAccessBlade/Policies)
\r\n✳️ [Intune/Microsoft Endpoint Manager](https://www.microsoft.com/microsoft-365/microsoft-endpoint-Manager) 🔀[Microsoft Endpoint Manager Admin Center](https://endpoint.microsoft.com/#home)
\r\n\r\n## Secondary Services\r\n✳️ [Network Security Groups](https://docs.microsoft.com/azure/virtual-network/network-security-groups-overview) 🔀[Network Security Groups](https://portal.azure.com/#blade/HubsExtension/BrowseResource/resourceType/Microsoft.Network%2FNetworkSecurityGroups)
\r\n\r\n## Recommended Logs\r\n🔷 [InformationProtectionLogs_CL](https://docs.microsoft.com/azure/information-protection/audit-logs) ✳️ [Azure Information Protection](https://azure.microsoft.com/services/information-protection/)
\r\n\r\n## Implementation Guidance\r\n[Microsoft Technical Reference Guide for CMMC](https://aka.ms/cmmc/techrefguide)\r\n## NIST SP 800-171 Mapping\r\n[3.8.2](https://csrc.nist.gov/publications/detail/sp/800-171/rev-2/final)
\r\n## NIST SP 800-53 R4 Mapping\r\n[MP-2, MP-4, MP-6](https://csrc.nist.gov/publications/detail/sp/800-53/rev-4/final)\r\n## Microsoft Defender for Cloud: Regulatory Compliance\r\n[Go To: NIST SP 800-171 Assessment >](https://portal.azure.com/#blade/Microsoft_Azure_Security/SecurityMenuBlade/22)
\r\n" + }, + "customWidth": "50", + "name": "text - 0", + "styleSettings": { + "maxWidth": "50" + } + }, + { + "type": 3, + "content": { + "version": "KqlItem/1.0", + "query": "InformationProtectionLogs_CL\r\n| limit 250\r\n\r\n", + "size": 0, + "showAnalytics": true, + "title": "Label/Control Sensitive Data with Azure Information Protection", + "noDataMessage": "An Empty Panel Provides Opportunity To Explore Further and Implement Hardening. Controls: Confirm Licensing, Availability, and Health of Respective Offerings. Logging: Confirm Log Source is Onboarded to the Log Analytics Workspace. Time: Adjust the Time Parameter for a Larger Data-Set. ", + "timeContext": { + "durationMs": 2592000000 + }, + "timeContextFromParameter": "TimeRange", + "showExportToExcel": true, + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces", + "crossComponentResources": [ + "{Workspace}" + ], + "gridSettings": { + "formatters": [ + { + "columnMatch": "UserId_s", + "formatter": 18, + "formatOptions": { + "thresholdsOptions": "icons", + "thresholdsGrid": [ + { + "operator": "Default", + "thresholdValue": null, + "representation": "Person", + "text": "{0}{1}" + } + ] + } + }, + { + "columnMatch": "AlertName", + "formatter": 18, + "formatOptions": { + "thresholdsOptions": "icons", + "thresholdsGrid": [ + { + "operator": "Default", + "thresholdValue": null, + "representation": "3", + "text": "{0}{1}" + } + ] + } + }, + { + "columnMatch": "Severity", + "formatter": 18, + "formatOptions": { + "thresholdsOptions": "colors", + "thresholdsGrid": [ + { + "operator": "==", + "thresholdValue": "High", + "representation": "red", + "text": "{0}{1}" + }, + { + "operator": "==", + "thresholdValue": "Medium", + "representation": "orange", + "text": "{0}{1}" + }, + { + "operator": "==", + "thresholdValue": "Low", + "representation": "yellow", + "text": "{0}{1}" + }, + { + "operator": "Default", + "thresholdValue": null, + "representation": "blue", + "text": "{0}{1}" + } + ] + } + }, + { + "columnMatch": "ProductName", + "formatter": 18, + "formatOptions": { + "thresholdsOptions": "icons", + "thresholdsGrid": [ + { + "operator": "Default", + "thresholdValue": null, + "representation": "uninitialized", + "text": "{0}{1}" + } + ] + } + }, + { + "columnMatch": "AlertLink", + "formatter": 7, + "formatOptions": { + "linkTarget": "Url", + "linkLabel": "Go to Alert >" + } + }, + { + "columnMatch": "UPN", + "formatter": 18, + "formatOptions": { + "thresholdsOptions": "icons", + "thresholdsGrid": [ + { + "operator": "Default", + "thresholdValue": null, + "representation": "2", + "text": "{0}{1}" + } + ] + } + }, + { + "columnMatch": "IncidentUrl", + "formatter": 7, + "formatOptions": { + "linkTarget": "Url", + "linkLabel": "Go to Incident >" + }, + "numberFormat": { + "unit": 0, + "options": { + "style": "decimal" + } + } + }, + { + "columnMatch": "count_", + "formatter": 8, + "formatOptions": { + "palette": "blue" + } + }, + { + "columnMatch": "city_", + "formatter": 18, + "formatOptions": { + "thresholdsOptions": "colors", + "thresholdsGrid": [ + { + "operator": "Default", + "thresholdValue": null, + "representation": "blue", + "text": "{0}{1}" + } + ] + } + }, + { + "columnMatch": "state_", + "formatter": 18, + "formatOptions": { + "thresholdsOptions": "colors", + "thresholdsGrid": [ + { + "operator": "Default", + "thresholdValue": null, + "representation": "blueDark", + "text": "{0}{1}" + } + ] + } + } + ], + "filter": true + }, + "tileSettings": { + "titleContent": { + "columnMatch": "SigninStatus", + "formatter": 1 + }, + "leftContent": { + "columnMatch": "Count", + "formatter": 12, + "formatOptions": { + "palette": "blue" + }, + "numberFormat": { + "unit": 17, + "options": { + "style": "decimal", + "maximumFractionDigits": 2, + "maximumSignificantDigits": 3 + } + } + }, + "secondaryContent": { + "columnMatch": "Trend", + "formatter": 9, + "formatOptions": { + "palette": "green" + } + }, + "showBorder": false + }, + "mapSettings": { + "locInfo": "CountryRegion", + "locInfoColumn": "Location", + "latitude": "SourceIPLocation", + "longitude": "SourceIPLocation", + "sizeSettings": "Location", + "sizeAggregation": "Count", + "legendMetric": "Location", + "legendAggregation": "Count", + "itemColorSettings": { + "nodeColorField": "Location", + "colorAggregation": "Count", + "type": "thresholds", + "thresholdsGrid": [ + { + "operator": "Default", + "thresholdValue": null, + "representation": "blueDark" + } + ] + } + } + }, + "customWidth": "50", + "name": "query - 2" + }, + { + "type": 12, + "content": { + "version": "NotebookGroup/1.0", + "groupType": "editable", + "items": [ + { + "type": 1, + "content": { + "json": "## Control Assessment\r\n" + }, + "name": "text - 2" + }, + { + "type": 9, + "content": { + "version": "KqlParameterItem/1.0", + "parameters": [ + { + "id": "52668f65-b44a-4e14-82d8-c87410e7e5dc", + "version": "KqlParameterItem/1.0", + "name": "ImplementationStatus", + "label": "Implementation Status", + "type": 2, + "typeSettings": { + "additionalResourceOptions": [], + "showDefault": false + }, + "jsonData": "[\r\n {\"value\": \"Not Implemented\", \"label\": \"Not Implemented\", \"selected\":true},\r\n {\"value\": \"Implemented\", \"label\": \"Implemented\"},\r\n {\"value\": \"Alternate Implementation\", \"label\": \"Alternate Implementation\"},\r\n {\"value\": \"Planned\", \"label\": \"Planned\"},\r\n {\"value\": \"Out of Scope\", \"label\": \"Out of Scope\"}\r\n]", + "timeContext": { + "durationMs": 86400000 + } + }, + { + "id": "578b8620-30b9-4b92-abc6-997998bc8156", + "version": "KqlParameterItem/1.0", + "name": "ImplementationDate", + "label": "Implementation Date", + "type": 1, + "value": "", + "timeContext": { + "durationMs": 86400000 + } + }, + { + "version": "KqlParameterItem/1.0", + "name": "Notes", + "type": 1, + "value": "", + "timeContext": { + "durationMs": 86400000 + }, + "id": "7bd0d384-d3c3-4c77-9dae-d75e823edfcf" + } + ], + "style": "pills", + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces" + }, + "name": "Status" + }, + { + "type": 1, + "content": { + "json": "### Notes
\r\n{Notes}" + }, + "name": "text - 1" + } + ] + }, + "customWidth": "50", + "name": "group - 2" + } + ] + }, + "name": "MP.L2-3.8.2", + "styleSettings": { + "showBorder": true + } + }, + { + "type": 12, + "content": { + "version": "NotebookGroup/1.0", + "groupType": "editable", + "items": [ + { + "type": 1, + "content": { + "json": "# (MP.L2-3.8.4) Media Markings\r\n\r\n## Primary Services\r\n✳️ [Azure Information Protection](https://azure.microsoft.com/services/information-protection/) 🔀[Azure Information Protection](https://portal.azure.com/#blade/Microsoft_Azure_InformationProtection/DataClassGroupEditBlade/quickstartBlade)
\r\n\r\n## Recommended Logs\r\n🔷 [InformationProtectionLogs_CL](https://docs.microsoft.com/azure/information-protection/audit-logs) ✳️ [Azure Information Protection](https://azure.microsoft.com/services/information-protection/)
\r\n\r\n## Implementation Guidance\r\n[Microsoft Technical Reference Guide for CMMC](https://aka.ms/cmmc/techrefguide)\r\n## NIST SP 800-171 Mapping\r\n[3.8.4](https://csrc.nist.gov/publications/detail/sp/800-171/rev-2/final)
\r\n## NIST SP 800-53 R4 Mapping\r\n[MP-3](https://csrc.nist.gov/publications/detail/sp/800-53/rev-4/final)\r\n## Microsoft Defender for Cloud: Regulatory Compliance\r\n[Go To: NIST SP 800-171 Assessment >](https://portal.azure.com/#blade/Microsoft_Azure_Security/SecurityMenuBlade/22)
\r\n" + }, + "customWidth": "50", + "name": "text - 0", + "styleSettings": { + "maxWidth": "50" + } + }, + { + "type": 3, + "content": { + "version": "KqlItem/1.0", + "query": "InformationProtectionLogs_CL\r\n| where LabelName_s <> \"\"\r\n| summarize count() by LabelName_s\r\n| sort by count_ desc\r\n\r\n\r\n", + "size": 0, + "showAnalytics": true, + "title": "Label/Control Sensitive Data with Azure Information Protection", + "noDataMessage": "An Empty Panel Provides Opportunity To Explore Further and Implement Hardening. Controls: Confirm Licensing, Availability, and Health of Respective Offerings. Logging: Confirm Log Source is Onboarded to the Log Analytics Workspace. Time: Adjust the Time Parameter for a Larger Data-Set. ", + "timeContext": { + "durationMs": 2592000000 + }, + "timeContextFromParameter": "TimeRange", + "showExportToExcel": true, + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces", + "crossComponentResources": [ + "{Workspace}" + ], + "gridSettings": { + "formatters": [ + { + "columnMatch": "count_", + "formatter": 4, + "formatOptions": { + "palette": "blue" + } + }, + { + "columnMatch": "UserId_s", + "formatter": 18, + "formatOptions": { + "thresholdsOptions": "icons", + "thresholdsGrid": [ + { + "operator": "Default", + "thresholdValue": null, + "representation": "Person", + "text": "{0}{1}" + } + ] + } + }, + { + "columnMatch": "AlertName", + "formatter": 18, + "formatOptions": { + "thresholdsOptions": "icons", + "thresholdsGrid": [ + { + "operator": "Default", + "thresholdValue": null, + "representation": "3", + "text": "{0}{1}" + } + ] + } + }, + { + "columnMatch": "Severity", + "formatter": 18, + "formatOptions": { + "thresholdsOptions": "colors", + "thresholdsGrid": [ + { + "operator": "==", + "thresholdValue": "High", + "representation": "red", + "text": "{0}{1}" + }, + { + "operator": "==", + "thresholdValue": "Medium", + "representation": "orange", + "text": "{0}{1}" + }, + { + "operator": "==", + "thresholdValue": "Low", + "representation": "yellow", + "text": "{0}{1}" + }, + { + "operator": "Default", + "thresholdValue": null, + "representation": "blue", + "text": "{0}{1}" + } + ] + } + }, + { + "columnMatch": "ProductName", + "formatter": 18, + "formatOptions": { + "thresholdsOptions": "icons", + "thresholdsGrid": [ + { + "operator": "Default", + "thresholdValue": null, + "representation": "uninitialized", + "text": "{0}{1}" + } + ] + } + }, + { + "columnMatch": "AlertLink", + "formatter": 7, + "formatOptions": { + "linkTarget": "Url", + "linkLabel": "Go to Alert >" + } + }, + { + "columnMatch": "UPN", + "formatter": 18, + "formatOptions": { + "thresholdsOptions": "icons", + "thresholdsGrid": [ + { + "operator": "Default", + "thresholdValue": null, + "representation": "2", + "text": "{0}{1}" + } + ] + } + }, + { + "columnMatch": "IncidentUrl", + "formatter": 7, + "formatOptions": { + "linkTarget": "Url", + "linkLabel": "Go to Incident >" + }, + "numberFormat": { + "unit": 0, + "options": { + "style": "decimal" + } + } + }, + { + "columnMatch": "city_", + "formatter": 18, + "formatOptions": { + "thresholdsOptions": "colors", + "thresholdsGrid": [ + { + "operator": "Default", + "thresholdValue": null, + "representation": "blue", + "text": "{0}{1}" + } + ] + } + }, + { + "columnMatch": "state_", + "formatter": 18, + "formatOptions": { + "thresholdsOptions": "colors", + "thresholdsGrid": [ + { + "operator": "Default", + "thresholdValue": null, + "representation": "blueDark", + "text": "{0}{1}" + } + ] + } + } + ], + "filter": true + }, + "tileSettings": { + "titleContent": { + "columnMatch": "SigninStatus", + "formatter": 1 + }, + "leftContent": { + "columnMatch": "Count", + "formatter": 12, + "formatOptions": { + "palette": "blue" + }, + "numberFormat": { + "unit": 17, + "options": { + "style": "decimal", + "maximumFractionDigits": 2, + "maximumSignificantDigits": 3 + } + } + }, + "secondaryContent": { + "columnMatch": "Trend", + "formatter": 9, + "formatOptions": { + "palette": "green" + } + }, + "showBorder": false + }, + "chartSettings": { + "showLegend": true + }, + "mapSettings": { + "locInfo": "CountryRegion", + "locInfoColumn": "Location", + "latitude": "SourceIPLocation", + "longitude": "SourceIPLocation", + "sizeSettings": "Location", + "sizeAggregation": "Count", + "legendMetric": "Location", + "legendAggregation": "Count", + "itemColorSettings": { + "nodeColorField": "Location", + "colorAggregation": "Count", + "type": "thresholds", + "thresholdsGrid": [ + { + "operator": "Default", + "thresholdValue": null, + "representation": "blueDark" + } + ] + } + } + }, + "customWidth": "50", + "name": "query - 2" + }, + { + "type": 12, + "content": { + "version": "NotebookGroup/1.0", + "groupType": "editable", + "items": [ + { + "type": 1, + "content": { + "json": "## Control Assessment\r\n" + }, + "name": "text - 2" + }, + { + "type": 9, + "content": { + "version": "KqlParameterItem/1.0", + "parameters": [ + { + "id": "52668f65-b44a-4e14-82d8-c87410e7e5dc", + "version": "KqlParameterItem/1.0", + "name": "ImplementationStatus", + "label": "Implementation Status", + "type": 2, + "typeSettings": { + "additionalResourceOptions": [], + "showDefault": false + }, + "jsonData": "[\r\n {\"value\": \"Not Implemented\", \"label\": \"Not Implemented\", \"selected\":true},\r\n {\"value\": \"Implemented\", \"label\": \"Implemented\"},\r\n {\"value\": \"Alternate Implementation\", \"label\": \"Alternate Implementation\"},\r\n {\"value\": \"Planned\", \"label\": \"Planned\"},\r\n {\"value\": \"Out of Scope\", \"label\": \"Out of Scope\"}\r\n]", + "timeContext": { + "durationMs": 86400000 + } + }, + { + "id": "578b8620-30b9-4b92-abc6-997998bc8156", + "version": "KqlParameterItem/1.0", + "name": "ImplementationDate", + "label": "Implementation Date", + "type": 1, + "value": "", + "timeContext": { + "durationMs": 86400000 + } + }, + { + "version": "KqlParameterItem/1.0", + "name": "Notes", + "type": 1, + "value": "", + "timeContext": { + "durationMs": 86400000 + }, + "id": "7bd0d384-d3c3-4c77-9dae-d75e823edfcf" + } + ], + "style": "pills", + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces" + }, + "name": "Status" + }, + { + "type": 1, + "content": { + "json": "### Notes
\r\n{Notes}" + }, + "name": "text - 1" + } + ] + }, + "customWidth": "50", + "name": "group - 2" + } + ] + }, + "name": "MP.L2-3.8.4", + "styleSettings": { + "showBorder": true + } + }, + { + "type": 12, + "content": { + "version": "NotebookGroup/1.0", + "groupType": "editable", + "items": [ + { + "type": 1, + "content": { + "json": "# (MP.L2-3.8.5) Media Accountability\r\n\r\n## Primary Services\r\n✳️ [Key Vault](https://azure.microsoft.com/services/key-vault/) 🔀[Key Vaults](https://portal.azure.com/#blade/HubsExtension/BrowseResource/resourceType/Microsoft.KeyVault%2Fvaults)
\r\n\r\n## Secondary Services\r\n✳️ [Azure Information Protection](https://azure.microsoft.com/services/information-protection/) 🔀[Azure Information Protection](https://portal.azure.com/#blade/Microsoft_Azure_InformationProtection/DataClassGroupEditBlade/quickstartBlade)
\r\n✳️ [Intune/Microsoft Endpoint Manager](https://www.microsoft.com/microsoft-365/microsoft-endpoint-Manager) 🔀[Microsoft Endpoint Manager Admin Center](https://endpoint.microsoft.com/#home)
\r\n\r\n## Implementation Guidance\r\n[Microsoft Technical Reference Guide for CMMC](https://aka.ms/cmmc/techrefguide)\r\n## NIST SP 800-171 Mapping\r\n[3.8.5](https://csrc.nist.gov/publications/detail/sp/800-171/rev-2/final)
\r\n## NIST SP 800-53 R4 Mapping\r\n[MP-5](https://csrc.nist.gov/publications/detail/sp/800-53/rev-4/final)\r\n## Microsoft Defender for Cloud: Regulatory Compliance\r\n[Go To: NIST SP 800-171 Assessment >](https://portal.azure.com/#blade/Microsoft_Azure_Security/SecurityMenuBlade/22)
\r\n" + }, + "customWidth": "50", + "name": "text - 0", + "styleSettings": { + "maxWidth": "50" + } + }, + { + "type": 1, + "content": { + "json": "### Leverage Azure Information Protection to Classify/Protect CUI at Rest and In-Transit\r\n![Image Name](https://docs.microsoft.com/azure/information-protection/media/info-protect-protection-bar-configured.png  \"AIP Configuration\")
\r\n[Go To: Microsoft Information Protection (Label Policies) >](https://compliance.microsoft.com/informationprotection?viewid=sensitivitylabelpolicies)
\r\n[Go To: Azure Information Protection (Label Policies) >](https://portal.azure.com/#blade/Microsoft_Azure_InformationProtection/DataClassGroupEditBlade/scopedpoliciesBlade)
" + }, + "customWidth": "50", + "name": "text - 1", + "styleSettings": { + "maxWidth": "50" + } + }, + { + "type": 12, + "content": { + "version": "NotebookGroup/1.0", + "groupType": "editable", + "items": [ + { + "type": 1, + "content": { + "json": "## Control Assessment\r\n" + }, + "name": "text - 2" + }, + { + "type": 9, + "content": { + "version": "KqlParameterItem/1.0", + "parameters": [ + { + "id": "52668f65-b44a-4e14-82d8-c87410e7e5dc", + "version": "KqlParameterItem/1.0", + "name": "ImplementationStatus", + "label": "Implementation Status", + "type": 2, + "typeSettings": { + "additionalResourceOptions": [], + "showDefault": false + }, + "jsonData": "[\r\n {\"value\": \"Not Implemented\", \"label\": \"Not Implemented\", \"selected\":true},\r\n {\"value\": \"Implemented\", \"label\": \"Implemented\"},\r\n {\"value\": \"Alternate Implementation\", \"label\": \"Alternate Implementation\"},\r\n {\"value\": \"Planned\", \"label\": \"Planned\"},\r\n {\"value\": \"Out of Scope\", \"label\": \"Out of Scope\"}\r\n]", + "timeContext": { + "durationMs": 86400000 + } + }, + { + "id": "578b8620-30b9-4b92-abc6-997998bc8156", + "version": "KqlParameterItem/1.0", + "name": "ImplementationDate", + "label": "Implementation Date", + "type": 1, + "value": "", + "timeContext": { + "durationMs": 86400000 + } + }, + { + "version": "KqlParameterItem/1.0", + "name": "Notes", + "type": 1, + "value": "", + "timeContext": { + "durationMs": 86400000 + }, + "id": "7bd0d384-d3c3-4c77-9dae-d75e823edfcf" + } + ], + "style": "pills", + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces" + }, + "name": "Status" + }, + { + "type": 1, + "content": { + "json": "### Notes
\r\n{Notes}" + }, + "name": "text - 1" + } + ] + }, + "customWidth": "50", + "name": "group - 2" + } + ] + }, + "name": "MP.L2-3.8.5", + "styleSettings": { + "showBorder": true + } + }, + { + "type": 12, + "content": { + "version": "NotebookGroup/1.0", + "groupType": "editable", + "items": [ + { + "type": 1, + "content": { + "json": "# (MP.L2-3.8.6) Portable Storage Encryption\r\n\r\n## Primary Services\r\n✳️ [Key Vault](https://azure.microsoft.com/services/key-vault/) 🔀[Key Vaults](https://portal.azure.com/#blade/HubsExtension/BrowseResource/resourceType/Microsoft.KeyVault%2Fvaults)
\r\n✳️ [Intune/Microsoft Endpoint Manager](https://www.microsoft.com/microsoft-365/microsoft-endpoint-Manager) 🔀[Microsoft Endpoint Manager Admin Center](https://endpoint.microsoft.com/#home)
\r\n\r\n## Secondary Services\r\n✳️ [Azure Information Protection](https://azure.microsoft.com/services/information-protection/) 🔀[Azure Information Protection](https://portal.azure.com/#blade/Microsoft_Azure_InformationProtection/DataClassGroupEditBlade/quickstartBlade)
\r\n✳️ [Microsoft Defender for Cloud](https://azure.microsoft.com/services/security-center) 🔀[Microsoft Defender for Cloud](https://portal.azure.com/#blade/Microsoft_Azure_Security/SecurityMenuBlade/0)
\r\n\r\n## Recommended Logs\r\n🔷 [SecurityRecommendation](https://docs.microsoft.com/azure/defender-for-iot/how-to-security-data-access#security-recommendations) ✳️ [Microsoft Defender for Cloud](https://azure.microsoft.com/services/security-center/)
\r\n\r\n## Implementation Guidance\r\n[Microsoft Technical Reference Guide for CMMC](https://aka.ms/cmmc/techrefguide)\r\n## NIST SP 800-171 Mapping\r\n[3.8.6](https://csrc.nist.gov/publications/detail/sp/800-171/rev-2/final)
\r\n## NIST SP 800-53 R4 Mapping\r\n[MP-5(4)](https://csrc.nist.gov/publications/detail/sp/800-53/rev-4/final)\r\n## Microsoft Defender for Cloud: Regulatory Compliance\r\n[Go To: NIST SP 800-171 Assessment >](https://portal.azure.com/#blade/Microsoft_Azure_Security/SecurityMenuBlade/22)
\r\n" + }, + "customWidth": "50", + "name": "text - 0", + "styleSettings": { + "maxWidth": "50" + } + }, + { + "type": 3, + "content": { + "version": "KqlItem/1.0", + "query": "SecurityRecommendation\r\n| where RecommendationDisplayName contains \"crypt\" or RecommendationDisplayName contains \"transit\"\r\n| summarize arg_max(TimeGenerated, *) by RecommendationDisplayName, AssessedResourceId\r\n| summarize\r\n Failed = countif(RecommendationState == \"Unhealthy\"),\r\n Passed = countif(RecommendationState == \"Healthy\"),\r\n Total = countif(RecommendationState == \"Healthy\" or RecommendationState == \"Unhealthy\")\r\n by RecommendationDisplayName\r\n| extend PassedControls = (Passed / todouble(Total)) * 100\r\n| project RecommendationDisplayName, Total, PassedControls, Passed, Failed\r\n| sort by Total desc\r\n| limit 250", + "size": 0, + "showAnalytics": true, + "title": "Review Microsoft Defender for Cloud Recommendations", + "noDataMessage": "An Empty Panel Provides Opportunity To Explore Further and Implement Hardening. Controls: Confirm Licensing, Availability, and Health of Respective Offerings. Logging: Confirm Log Source is Onboarded to the Log Analytics Workspace. Time: Adjust the Time Parameter for a Larger Data-Set. ", + "timeContext": { + "durationMs": 2592000000 + }, + "timeContextFromParameter": "TimeRange", + "showExportToExcel": true, + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces", + "crossComponentResources": [ + "{Workspace}" + ], + "gridSettings": { + "formatters": [ + { + "columnMatch": "RecommendationDisplayName", + "formatter": 18, + "formatOptions": { + "thresholdsOptions": "icons", + "thresholdsGrid": [ + { + "operator": "Default", + "thresholdValue": null, + "representation": "Gear", + "text": "{0}{1}" + } + ] + } + }, + { + "columnMatch": "Total", + "formatter": 22, + "formatOptions": { + "compositeBarSettings": { + "labelText": "", + "columnSettings": [ + { + "columnName": "Passed", + "color": "green" + }, + { + "columnName": "Failed", + "color": "redBright" + } + ] + } + } + }, + { + "columnMatch": "PassedControls", + "formatter": 0, + "numberFormat": { + "unit": 1, + "options": { + "style": "decimal", + "maximumFractionDigits": 2 + } + } + }, + { + "columnMatch": "ControlNumber", + "formatter": 18, + "formatOptions": { + "thresholdsOptions": "icons", + "thresholdsGrid": [ + { + "operator": "Default", + "thresholdValue": null, + "representation": "AllServices", + "text": "{0}{1}" + } + ] + } + }, + { + "columnMatch": "RecommendationState", + "formatter": 18, + "formatOptions": { + "thresholdsOptions": "icons", + "thresholdsGrid": [ + { + "operator": "!=", + "thresholdValue": "Healthy", + "representation": "3", + "text": "{0}{1}" + }, + { + "operator": "Default", + "thresholdValue": null, + "representation": "success", + "text": "{0}{1}" + } + ] + } + }, + { + "columnMatch": "count_", + "formatter": 4, + "formatOptions": { + "palette": "blue" + } + } + ], + "filter": true + } + }, + "customWidth": "50", + "name": "query - 1" + }, + { + "type": 12, + "content": { + "version": "NotebookGroup/1.0", + "groupType": "editable", + "items": [ + { + "type": 1, + "content": { + "json": "## Control Assessment\r\n" + }, + "name": "text - 2" + }, + { + "type": 9, + "content": { + "version": "KqlParameterItem/1.0", + "parameters": [ + { + "id": "52668f65-b44a-4e14-82d8-c87410e7e5dc", + "version": "KqlParameterItem/1.0", + "name": "ImplementationStatus", + "label": "Implementation Status", + "type": 2, + "typeSettings": { + "additionalResourceOptions": [], + "showDefault": false + }, + "jsonData": "[\r\n {\"value\": \"Not Implemented\", \"label\": \"Not Implemented\", \"selected\":true},\r\n {\"value\": \"Implemented\", \"label\": \"Implemented\"},\r\n {\"value\": \"Alternate Implementation\", \"label\": \"Alternate Implementation\"},\r\n {\"value\": \"Planned\", \"label\": \"Planned\"},\r\n {\"value\": \"Out of Scope\", \"label\": \"Out of Scope\"}\r\n]", + "timeContext": { + "durationMs": 86400000 + } + }, + { + "id": "578b8620-30b9-4b92-abc6-997998bc8156", + "version": "KqlParameterItem/1.0", + "name": "ImplementationDate", + "label": "Implementation Date", + "type": 1, + "value": "", + "timeContext": { + "durationMs": 86400000 + } + }, + { + "version": "KqlParameterItem/1.0", + "name": "Notes", + "type": 1, + "value": "", + "timeContext": { + "durationMs": 86400000 + }, + "id": "7bd0d384-d3c3-4c77-9dae-d75e823edfcf" + } + ], + "style": "pills", + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces" + }, + "name": "Status" + }, + { + "type": 1, + "content": { + "json": "### Notes
\r\n{Notes}" + }, + "name": "text - 1" + } + ] + }, + "customWidth": "50", + "name": "group - 2" + } + ] + }, + "name": "MP.L2-3.8.6", + "styleSettings": { + "showBorder": true + } + }, + { + "type": 12, + "content": { + "version": "NotebookGroup/1.0", + "groupType": "editable", + "items": [ + { + "type": 1, + "content": { + "json": "# (MP.L2-3.8.7) Removable Media\r\n\r\n## Primary Services\r\n✳️ [Intune/Microsoft Endpoint Manager](https://www.microsoft.com/microsoft-365/microsoft-endpoint-Manager) 🔀[Microsoft Endpoint Manager Admin Center](https://endpoint.microsoft.com/#home)
\r\n\r\n## Secondary Services\r\n✳️ [Azure Information Protection](https://azure.microsoft.com/services/information-protection/) 🔀[Azure Information Protection](https://portal.azure.com/#blade/Microsoft_Azure_InformationProtection/DataClassGroupEditBlade/quickstartBlade)
\r\n\r\n## Recommended Logs\r\n🔷 [DeviceEvents](https://docs.microsoft.com/azure/azure-monitor/reference/tables/deviceevents) ✳️ [Microsoft Defender for Endpoint]( https://www.microsoft.com/microsoft-365/security/endpoint-defender)
\r\n\r\n## Implementation Guidance\r\n[Microsoft Technical Reference Guide for CMMC](https://aka.ms/cmmc/techrefguide)\r\n## NIST SP 800-171 Mapping\r\n[3.8.7](https://csrc.nist.gov/publications/detail/sp/800-171/rev-2/final)
\r\n## NIST SP 800-53 R4 Mapping\r\n[MP-7](https://csrc.nist.gov/publications/detail/sp/800-53/rev-4/final)\r\n## Microsoft Defender for Cloud: Regulatory Compliance\r\n[Go To: NIST SP 800-171 Assessment >](https://portal.azure.com/#blade/Microsoft_Azure_Security/SecurityMenuBlade/22)
\r\n" + }, + "customWidth": "50", + "name": "text - 0", + "styleSettings": { + "maxWidth": "50" + } + }, + { + "type": 3, + "content": { + "version": "KqlItem/1.0", + "query": "DeviceEvents\r\n| where InitiatingProcessFolderPath <> \"\" \r\n| where InitiatingProcessFolderPath !contains \"c:\" or ActionType contains \"usb\"\r\n| summarize count() by DeviceName, ActionType, AccountName, InitiatingProcessFolderPath\r\n| sort by count_ desc\r\n| limit 250\r\n", + "size": 0, + "showAnalytics": true, + "title": "Monitor/Control Removeable Media Devices", + "noDataMessage": "An Empty Panel Provides Opportunity To Explore Further and Implement Hardening. Controls: Confirm Licensing, Availability, and Health of Respective Offerings. Logging: Confirm Log Source is Onboarded to the Log Analytics Workspace. Time: Adjust the Time Parameter for a Larger Data-Set. ", + "timeContext": { + "durationMs": 2592000000 + }, + "timeContextFromParameter": "TimeRange", + "showExportToExcel": true, + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces", + "crossComponentResources": [ + "{Workspace}" + ], + "gridSettings": { + "formatters": [ + { + "columnMatch": "DeviceName", + "formatter": 18, + "formatOptions": { + "thresholdsOptions": "icons", + "thresholdsGrid": [ + { + "operator": "Default", + "thresholdValue": null, + "representation": "resource", + "text": "{0}{1}" + } + ] + } + }, + { + "columnMatch": "ActionType", + "formatter": 18, + "formatOptions": { + "thresholdsOptions": "icons", + "thresholdsGrid": [ + { + "operator": "Default", + "thresholdValue": null, + "representation": "Gear", + "text": "{0}{1}" + } + ] + } + }, + { + "columnMatch": "AccountName", + "formatter": 18, + "formatOptions": { + "thresholdsOptions": "icons", + "thresholdsGrid": [ + { + "operator": "Default", + "thresholdValue": null, + "representation": "Person", + "text": "{0}{1}" + } + ] + } + }, + { + "columnMatch": "count_", + "formatter": 4, + "formatOptions": { + "palette": "blue" + } + } + ], + "filter": true + } + }, + "customWidth": "50", + "name": "query - 2", + "styleSettings": { + "maxWidth": "50" + } + }, + { + "type": 12, + "content": { + "version": "NotebookGroup/1.0", + "groupType": "editable", + "items": [ + { + "type": 1, + "content": { + "json": "## Control Assessment\r\n" + }, + "name": "text - 2" + }, + { + "type": 9, + "content": { + "version": "KqlParameterItem/1.0", + "parameters": [ + { + "id": "52668f65-b44a-4e14-82d8-c87410e7e5dc", + "version": "KqlParameterItem/1.0", + "name": "ImplementationStatus", + "label": "Implementation Status", + "type": 2, + "typeSettings": { + "additionalResourceOptions": [], + "showDefault": false + }, + "jsonData": "[\r\n {\"value\": \"Not Implemented\", \"label\": \"Not Implemented\", \"selected\":true},\r\n {\"value\": \"Implemented\", \"label\": \"Implemented\"},\r\n {\"value\": \"Alternate Implementation\", \"label\": \"Alternate Implementation\"},\r\n {\"value\": \"Planned\", \"label\": \"Planned\"},\r\n {\"value\": \"Out of Scope\", \"label\": \"Out of Scope\"}\r\n]", + "timeContext": { + "durationMs": 86400000 + } + }, + { + "id": "578b8620-30b9-4b92-abc6-997998bc8156", + "version": "KqlParameterItem/1.0", + "name": "ImplementationDate", + "label": "Implementation Date", + "type": 1, + "value": "", + "timeContext": { + "durationMs": 86400000 + } + }, + { + "version": "KqlParameterItem/1.0", + "name": "Notes", + "type": 1, + "value": "", + "timeContext": { + "durationMs": 86400000 + }, + "id": "7bd0d384-d3c3-4c77-9dae-d75e823edfcf" + } + ], + "style": "pills", + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces" + }, + "name": "Status" + }, + { + "type": 1, + "content": { + "json": "### Notes
\r\n{Notes}" + }, + "name": "text - 1" + } + ] + }, + "customWidth": "50", + "name": "group - 2" + } + ] + }, + "name": "MP.L2-3.8.7", + "styleSettings": { + "showBorder": true + } + }, + { + "type": 12, + "content": { + "version": "NotebookGroup/1.0", + "groupType": "editable", + "items": [ + { + "type": 1, + "content": { + "json": "# (MP.L2-3.8.8) Shared Media\r\n\r\n## Primary Services\r\n✳️ [Intune/Microsoft Endpoint Manager](https://www.microsoft.com/microsoft-365/microsoft-endpoint-Manager) 🔀[Microsoft Endpoint Manager Admin Center](https://endpoint.microsoft.com/#home)
\r\n\r\n## Secondary Services\r\n✳️ [Conditional Access](https://docs.microsoft.com/azure/active-directory/conditional-access/overview) 🔀[Azure Active Directory: Conditional Access](https://portal.azure.com/#blade/Microsoft_AAD_IAM/ConditionalAccessBlade/Policies)
\r\n\r\n## Implementation Guidance\r\n[Microsoft Technical Reference Guide for CMMC](https://aka.ms/cmmc/techrefguide)\r\n## NIST SP 800-171 Mapping\r\n[3.8.8](https://csrc.nist.gov/publications/detail/sp/800-171/rev-2/final)
\r\n## NIST SP 800-53 R4 Mapping\r\n[MP-7(1)](https://csrc.nist.gov/publications/detail/sp/800-53/rev-4/final)\r\n## Microsoft Defender for Cloud: Regulatory Compliance\r\n[Go To: NIST SP 800-171 Assessment >](https://portal.azure.com/#blade/Microsoft_Azure_Security/SecurityMenuBlade/22)
\r\n" + }, + "customWidth": "50", + "name": "text - 0", + "styleSettings": { + "maxWidth": "50" + } + }, + { + "type": 1, + "content": { + "json": "### Leverage Microsoft Defender for Endpoint & Microsoft Intune to Prohibit Rogue USB Devices\r\n![Image Name](https://docs.microsoft.com/windows/security/threat-protection/device-control/images/baselines.png  \"Rogue USB\") 
\r\n[Go To: Intune/Microsoft Endpoint Manager (Endpoint Security: Attack Surface Reduction) >](https://endpoint.microsoft.com/#blade/Microsoft_Intune_Workflows/SecurityManagementMenu/asr)" + }, + "customWidth": "45", + "name": "text - 1", + "styleSettings": { + "maxWidth": "45" + } + }, + { + "type": 12, + "content": { + "version": "NotebookGroup/1.0", + "groupType": "editable", + "items": [ + { + "type": 1, + "content": { + "json": "## Control Assessment\r\n" + }, + "name": "text - 2" + }, + { + "type": 9, + "content": { + "version": "KqlParameterItem/1.0", + "parameters": [ + { + "id": "52668f65-b44a-4e14-82d8-c87410e7e5dc", + "version": "KqlParameterItem/1.0", + "name": "ImplementationStatus", + "label": "Implementation Status", + "type": 2, + "typeSettings": { + "additionalResourceOptions": [], + "showDefault": false + }, + "jsonData": "[\r\n {\"value\": \"Not Implemented\", \"label\": \"Not Implemented\", \"selected\":true},\r\n {\"value\": \"Implemented\", \"label\": \"Implemented\"},\r\n {\"value\": \"Alternate Implementation\", \"label\": \"Alternate Implementation\"},\r\n {\"value\": \"Planned\", \"label\": \"Planned\"},\r\n {\"value\": \"Out of Scope\", \"label\": \"Out of Scope\"}\r\n]", + "timeContext": { + "durationMs": 86400000 + } + }, + { + "id": "578b8620-30b9-4b92-abc6-997998bc8156", + "version": "KqlParameterItem/1.0", + "name": "ImplementationDate", + "label": "Implementation Date", + "type": 1, + "value": "", + "timeContext": { + "durationMs": 86400000 + } + }, + { + "version": "KqlParameterItem/1.0", + "name": "Notes", + "type": 1, + "value": "", + "timeContext": { + "durationMs": 86400000 + }, + "id": "7bd0d384-d3c3-4c77-9dae-d75e823edfcf" + } + ], + "style": "pills", + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces" + }, + "name": "Status" + }, + { + "type": 1, + "content": { + "json": "### Notes
\r\n{Notes}" + }, + "name": "text - 1" + } + ] + }, + "customWidth": "50", + "name": "group - 2" + } + ] + }, + "name": "MP.L2-3.8.8", + "styleSettings": { + "showBorder": true + } + }, + { + "type": 12, + "content": { + "version": "NotebookGroup/1.0", + "groupType": "editable", + "items": [ + { + "type": 1, + "content": { + "json": "# (MP.L2-3.8.9) Protect Backups\r\n\r\n## Primary Services\r\n✳️ [Key Vault](https://azure.microsoft.com/services/key-vault/) 🔀[Key Vaults](https://portal.azure.com/#blade/HubsExtension/BrowseResource/resourceType/Microsoft.KeyVault%2Fvaults)
\r\n\r\n## Secondary Services\r\n✳️ [Azure Information Protection](https://azure.microsoft.com/services/information-protection/) 🔀[Azure Information Protection](https://portal.azure.com/#blade/Microsoft_Azure_InformationProtection/DataClassGroupEditBlade/quickstartBlade)
\r\n✳️ [Microsoft Defender for Cloud](https://azure.microsoft.com/services/security-center) 🔀[Microsoft Defender for Cloud](https://portal.azure.com/#blade/Microsoft_Azure_Security/SecurityMenuBlade/0)
\r\n\r\n## Recommended Logs\r\n🔷 [SecurityRecommendation](https://docs.microsoft.com/azure/defender-for-iot/how-to-security-data-access#security-recommendations) ✳️ [Microsoft Defender for Cloud](https://azure.microsoft.com/services/security-center/)
\r\n\r\n## Implementation Guidance\r\n[Microsoft Technical Reference Guide for CMMC](https://aka.ms/cmmc/techrefguide)\r\n## NIST SP 800-171 Mapping\r\n[3.8.6](https://csrc.nist.gov/publications/detail/sp/800-171/rev-2/final)
\r\n## NIST SP 800-53 R4 Mapping\r\n[CP-9](https://csrc.nist.gov/publications/detail/sp/800-53/rev-4/final)\r\n## Microsoft Defender for Cloud: Regulatory Compliance\r\n[Go To: NIST SP 800-171 Assessment >](https://portal.azure.com/#blade/Microsoft_Azure_Security/SecurityMenuBlade/22)
\r\n" + }, + "customWidth": "50", + "name": "text - 0", + "styleSettings": { + "maxWidth": "50" + } + }, + { + "type": 3, + "content": { + "version": "KqlItem/1.0", + "query": "SecurityRecommendation\r\n| where RecommendationDisplayName contains \"backup\"\r\n| summarize arg_max(TimeGenerated, *) by RecommendationDisplayName, AssessedResourceId\r\n| summarize\r\n Failed = countif(RecommendationState == \"Unhealthy\"),\r\n Passed = countif(RecommendationState == \"Healthy\"),\r\n Total = countif(RecommendationState == \"Healthy\" or RecommendationState == \"Unhealthy\")\r\n by RecommendationDisplayName\r\n| extend PassedControls = (Passed / todouble(Total)) * 100\r\n| project RecommendationDisplayName, Total, PassedControls, Passed, Failed\r\n| sort by Total desc\r\n| limit 250", + "size": 0, + "showAnalytics": true, + "title": "Review Microsoft Defender for Cloud Recommendations", + "noDataMessage": "An Empty Panel Provides Opportunity To Explore Further and Implement Hardening. Controls: Confirm Licensing, Availability, and Health of Respective Offerings. Logging: Confirm Log Source is Onboarded to the Log Analytics Workspace. Time: Adjust the Time Parameter for a Larger Data-Set. ", + "timeContext": { + "durationMs": 2592000000 + }, + "timeContextFromParameter": "TimeRange", + "showExportToExcel": true, + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces", + "crossComponentResources": [ + "{Workspace}" + ], + "gridSettings": { + "formatters": [ + { + "columnMatch": "RecommendationDisplayName", + "formatter": 18, + "formatOptions": { + "thresholdsOptions": "icons", + "thresholdsGrid": [ + { + "operator": "Default", + "thresholdValue": null, + "representation": "Gear", + "text": "{0}{1}" + } + ] + } + }, + { + "columnMatch": "Total", + "formatter": 22, + "formatOptions": { + "compositeBarSettings": { + "labelText": "", + "columnSettings": [ + { + "columnName": "Passed", + "color": "green" + }, + { + "columnName": "Failed", + "color": "redBright" + } + ] + } + } + }, + { + "columnMatch": "PassedControls", + "formatter": 0, + "numberFormat": { + "unit": 1, + "options": { + "style": "decimal", + "maximumFractionDigits": 2 + } + } + }, + { + "columnMatch": "ControlNumber", + "formatter": 18, + "formatOptions": { + "thresholdsOptions": "icons", + "thresholdsGrid": [ + { + "operator": "Default", + "thresholdValue": null, + "representation": "AllServices", + "text": "{0}{1}" + } + ] + } + }, + { + "columnMatch": "RecommendationState", + "formatter": 18, + "formatOptions": { + "thresholdsOptions": "icons", + "thresholdsGrid": [ + { + "operator": "!=", + "thresholdValue": "Healthy", + "representation": "3", + "text": "{0}{1}" + }, + { + "operator": "Default", + "thresholdValue": null, + "representation": "success", + "text": "{0}{1}" + } + ] + } + }, + { + "columnMatch": "count_", + "formatter": 4, + "formatOptions": { + "palette": "blue" + } + } + ], + "filter": true + } + }, + "customWidth": "50", + "name": "query - 1" + }, + { + "type": 12, + "content": { + "version": "NotebookGroup/1.0", + "groupType": "editable", + "items": [ + { + "type": 1, + "content": { + "json": "## Control Assessment\r\n" + }, + "name": "text - 2" + }, + { + "type": 9, + "content": { + "version": "KqlParameterItem/1.0", + "parameters": [ + { + "id": "52668f65-b44a-4e14-82d8-c87410e7e5dc", + "version": "KqlParameterItem/1.0", + "name": "ImplementationStatus", + "label": "Implementation Status", + "type": 2, + "typeSettings": { + "additionalResourceOptions": [], + "showDefault": false + }, + "jsonData": "[\r\n {\"value\": \"Not Implemented\", \"label\": \"Not Implemented\", \"selected\":true},\r\n {\"value\": \"Implemented\", \"label\": \"Implemented\"},\r\n {\"value\": \"Alternate Implementation\", \"label\": \"Alternate Implementation\"},\r\n {\"value\": \"Planned\", \"label\": \"Planned\"},\r\n {\"value\": \"Out of Scope\", \"label\": \"Out of Scope\"}\r\n]", + "timeContext": { + "durationMs": 86400000 + } + }, + { + "id": "578b8620-30b9-4b92-abc6-997998bc8156", + "version": "KqlParameterItem/1.0", + "name": "ImplementationDate", + "label": "Implementation Date", + "type": 1, + "value": "", + "timeContext": { + "durationMs": 86400000 + } + }, + { + "version": "KqlParameterItem/1.0", + "name": "Notes", + "type": 1, + "value": "", + "timeContext": { + "durationMs": 86400000 + }, + "id": "7bd0d384-d3c3-4c77-9dae-d75e823edfcf" + } + ], + "style": "pills", + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces" + }, + "name": "Status" + }, + { + "type": 1, + "content": { + "json": "### Notes
\r\n{Notes}" + }, + "name": "text - 1" + } + ] + }, + "customWidth": "50", + "name": "group - 2" + } + ] + }, + "name": "MP.L2-3.8.9", + "styleSettings": { + "showBorder": true + } + } + ] + }, + "conditionalVisibility": { + "parameterName": "isML2Visible", + "comparison": "isEqualTo", + "value": "true" + }, + "name": "Level 2: Advanced" + } + ] + }, + "conditionalVisibility": { + "parameterName": "isMPVisible", + "comparison": "isEqualTo", + "value": "true" + }, + "name": "Media Protection", + "styleSettings": { + "showBorder": true + } + }, + { + "type": 12, + "content": { + "version": "NotebookGroup/1.0", + "groupType": "editable", + "items": [ + { + "type": 1, + "content": { + "json": "# Personnel Security\r\n---\r\nPersonnel Security is focused on controlling human access to systems, networks, and assets. Personnel Security includes considerations for screening individuals with access to Controlled Unclassified Information (CUI) and protection of such data after personnel actions such as terminations or transfers. For more information, see the 💡[CMMC Model](https://www.acq.osd.mil/cmmc/model.html)" + }, + "customWidth": "50", + "name": "text - 5" + }, + { + "type": 12, + "content": { + "version": "NotebookGroup/1.0", + "groupType": "editable", + "title": "Level 2: Advanced", + "items": [ + { + "type": 1, + "content": { + "json": "A subset of programs with Level 2 (“Advanced”) requirements do not involve information critical to national security, and associated contractors will only be required to conduct self-assessments. Once CMMC 2.0 is implemented, contractors will be required to obtain a third-party CMMC assessment for a subset of acquisitions requiring Level 2 (“Advanced”) cybersecurity standards that involve information critical to national security. " + }, + "customWidth": "50", + "name": "text - 1" + }, + { + "type": 1, + "content": { + "json": "" + }, + "customWidth": "5", + "name": "text - 1" + }, + { + "type": 11, + "content": { + "version": "LinkItem/1.0", + "style": "list", + "links": [ + { + "id": "af33f331-b64b-4fbd-a0b4-3e411ff705a8", + "cellValue": "PS.L2-3.9.1", + "linkTarget": "step", + "linkLabel": "✳️ (PS.L2-3.9.1) Screen Individuals", + "preText": "", + "postText": "", + "style": "link" + }, + { + "id": "a931a632-d4cf-4b7a-8d07-59f5a52ceb24", + "cellValue": "PS.L2-3.9.2", + "linkTarget": "step", + "linkLabel": "✳️ (PS.L2-3.9.2) Personnel Actions", + "preText": "", + "postText": "", + "style": "link" + } + ] + }, + "customWidth": "40", + "name": "ML2 Steps" + }, + { + "type": 12, + "content": { + "version": "NotebookGroup/1.0", + "groupType": "editable", + "items": [ + { + "type": 1, + "content": { + "json": "# (PS.L2-3.9.1) Screen Individuals\r\n\r\n## Implementation Statement\r\nPersonnel security screening (vetting) activities involve the evaluation/assessment of individual’s conduct, integrity, judgment, loyalty, reliability, and stability (i.e., the trustworthiness of the individual) prior to authorizing access to organizational systems containing CUI. The screening activities reflect applicable federal laws, Executive Orders, directives, policies, regulations, and specific criteria established for the level of access required for assigned positions.\r\nYou can ensure all employees who need access to CUI undergo organization-defined screening before being granted access based on the types of screening requirements for a given position and role. Clearly define positions and roles within your organization. Implement roles using 💡 [Azure RBAC](https://docs.microsoft.com/azure/role-based-access-control). For example, administrators with access to CUI and specific roles with permissions to view CUI should follow an organizationally defined screening process. \r\n\r\n## Customer Responsibility\r\n Screening individuals prior to authorizing access to customer-deployed resources.\r\n\r\n## Implementation Guidance\r\n[Microsoft Technical Reference Guide for CMMC](https://aka.ms/cmmc/techrefguide)\r\n## NIST SP 800-171 Mapping\r\n[3.9.1](https://csrc.nist.gov/publications/detail/sp/800-171/rev-2/final)
\r\n## NIST SP 800-53 R4 Mapping\r\n[PS-3, PS-4, PS-5](https://csrc.nist.gov/publications/detail/sp/800-53/rev-4/final)\r\n## Microsoft Defender for Cloud: Regulatory Compliance\r\n[Go To: NIST SP 800-171 Assessment >](https://portal.azure.com/#blade/Microsoft_Azure_Security/SecurityMenuBlade/22)
\r\n" + }, + "customWidth": "45", + "name": "text - 0", + "styleSettings": { + "maxWidth": "45" + } + }, + { + "type": 1, + "content": { + "json": "" + }, + "customWidth": "5", + "name": "text - 2" + }, + { + "type": 1, + "content": { + "json": "### Azure Role Based Access Control\r\n![Image Name](https://azurecomcdn.azureedge.net/cvt-f83fd647d6f366492554e3c84c6972956ea0fa343f1f12abc9590dd97f777e9e/images/page/overview/trusted-cloud/index/ill-1.png) \r\n[Go To: Azure Active Directory (Roles & Administrators) >](https://portal.azure.com/#blade/Microsoft_AAD_IAM/ActiveDirectoryMenuBlade/RolesAndAdministrators)\r\n\r\n" + }, + "customWidth": "40", + "name": "text - 2" + }, + { + "type": 12, + "content": { + "version": "NotebookGroup/1.0", + "groupType": "editable", + "items": [ + { + "type": 1, + "content": { + "json": "## Control Assessment\r\n" + }, + "name": "text - 2" + }, + { + "type": 9, + "content": { + "version": "KqlParameterItem/1.0", + "parameters": [ + { + "id": "52668f65-b44a-4e14-82d8-c87410e7e5dc", + "version": "KqlParameterItem/1.0", + "name": "ImplementationStatus", + "label": "Implementation Status", + "type": 2, + "typeSettings": { + "additionalResourceOptions": [], + "showDefault": false + }, + "jsonData": "[\r\n {\"value\": \"Not Implemented\", \"label\": \"Not Implemented\", \"selected\":true},\r\n {\"value\": \"Implemented\", \"label\": \"Implemented\"},\r\n {\"value\": \"Alternate Implementation\", \"label\": \"Alternate Implementation\"},\r\n {\"value\": \"Planned\", \"label\": \"Planned\"},\r\n {\"value\": \"Out of Scope\", \"label\": \"Out of Scope\"}\r\n]", + "timeContext": { + "durationMs": 86400000 + } + }, + { + "id": "578b8620-30b9-4b92-abc6-997998bc8156", + "version": "KqlParameterItem/1.0", + "name": "ImplementationDate", + "label": "Implementation Date", + "type": 1, + "value": "", + "timeContext": { + "durationMs": 86400000 + } + }, + { + "version": "KqlParameterItem/1.0", + "name": "Notes", + "type": 1, + "value": "", + "timeContext": { + "durationMs": 86400000 + }, + "id": "7bd0d384-d3c3-4c77-9dae-d75e823edfcf" + } + ], + "style": "pills", + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces" + }, + "name": "Status" + }, + { + "type": 1, + "content": { + "json": "### Notes
\r\n{Notes}" + }, + "name": "text - 1" + } + ] + }, + "customWidth": "50", + "name": "group - 2" + } + ] + }, + "name": "PS.L2-3.9.1", + "styleSettings": { + "showBorder": true + } + }, + { + "type": 12, + "content": { + "version": "NotebookGroup/1.0", + "groupType": "editable", + "items": [ + { + "type": 1, + "content": { + "json": "# (PS.L2-3.9.2) Personnel Actions\r\n\r\n## Primary Services\r\n✳️ [Azure Active Directory](https://azure.microsoft.com/services/active-directory/) 🔀[Azure Active Directory Portal](https://portal.azure.com/#blade/Microsoft_AAD_IAM/ActiveDirectoryMenuBlade/Overview)
\r\n✳️ [Microsoft 365 Compliance: Insider Risk Management](https://www.microsoft.com/microsoft-365/business/compliance-solutions) 🔀[Insider Risk Management](https://compliance.microsoft.com/insiderriskmgmt?viewid=overview)
\r\n\r\n## Secondary Services\r\n✳️ [Azure Information Protection](https://azure.microsoft.com/services/information-protection/) 🔀[Azure Information Protection](https://portal.azure.com/#blade/Microsoft_Azure_InformationProtection/DataClassGroupEditBlade/quickstartBlade)
\r\n✳️ [Intune/Microsoft Endpoint Manager](https://www.microsoft.com/microsoft-365/microsoft-endpoint-Manager) 🔀[Microsoft Endpoint Manager Admin Center](https://endpoint.microsoft.com/#home)
\r\n✳️ [Microsoft Defender for Cloud Apps](https://www.microsoft.com/microsoft-365/enterprise-mobility-security/cloud-app-security) 🔀 [Microsoft Defender for Cloud Apps Portal](https://portal.cloudappsecurity.com/)
\r\n\r\n## Recommended Logs\r\n🔷 [SecurityAlert](https://docs.microsoft.com/azure/azure-monitor/reference/tables/securityalert) ✳️ [Microsoft 365 Compliance: Insider Risk Management](https://www.microsoft.com/microsoft-365/business/compliance-solutions)
\r\n\r\n## Recommended Configurations\r\n💡 [Insider Risk Management: Setup a Connector to import HR Data & Track Last Working Dates](https://docs.microsoft.com/microsoft-365/compliance/import-hr-data)\r\n\r\n## Implementation Guidance\r\n[Microsoft Technical Reference Guide for CMMC](https://aka.ms/cmmc/techrefguide)\r\n## NIST SP 800-171 Mapping\r\n[3.9.2](https://csrc.nist.gov/publications/detail/sp/800-171/rev-2/final)
\r\n## NIST SP 800-53 R4 Mapping\r\n[PS-3, PS-4, PS-5](https://csrc.nist.gov/publications/detail/sp/800-53/rev-4/final)\r\n## Microsoft Defender for Cloud: Regulatory Compliance\r\n[Go To: NIST SP 800-171 Assessment >](https://portal.azure.com/#blade/Microsoft_Azure_Security/SecurityMenuBlade/22)
\r\n" + }, + "customWidth": "50", + "name": "text - 0", + "styleSettings": { + "maxWidth": "50" + } + }, + { + "type": 3, + "content": { + "version": "KqlItem/1.0", + "query": "SecurityAlert\r\n| where ProductName == \"Microsoft 365 Insider Risk Management\"\r\n | summarize hint.strategy = shuffle arg_max(TimeGenerated, *), NumberOfUpdates = count() by SystemAlertId\r\n | mv-expand todynamic(Entities)\r\n | where Entities[\"Type\"] =~ \"account\"\r\n | extend Name = tostring(tolower(Entities[\"Name\"])), NTDomain = tostring(Entities[\"NTDomain\"]), UPNSuffix = tostring(Entities[\"UPNSuffix\"]), AadUserId = tostring(Entities[\"AadUserId\"]), AadTenantId = tostring(Entities[\"AadTenantId\"]), \r\n Sid = tostring(Entities[\"Sid\"]), IsDomainJoined = tobool(Entities[\"IsDomainJoined\"]), Host = tostring(Entities[\"Host\"])\r\n | extend UPN = iff(Name != \"\" and UPNSuffix != \"\", strcat(Name, \"@\", UPNSuffix), \"\")\r\n| extend Href_ = tostring(parse_json(ExtendedLinks)[0].Href)\r\n| extend UserPrincipalName = UPN\r\n| distinct AlertName, ProductName, Status, AlertLink, UserPrincipalName, Tactics, TimeGenerated\r\n| sort by TimeGenerated desc\r\n| limit 250", + "size": 0, + "showAnalytics": true, + "title": "Enable the HR Connector & Monitor Microsoft 365: Insider Risk Management Alert Details", + "noDataMessage": "An Empty Panel Provides Opportunity To Explore Further and Implement Hardening. Controls: Confirm Licensing, Availability, and Health of Respective Offerings. Logging: Confirm Log Source is Onboarded to the Log Analytics Workspace. Time: Adjust the Time Parameter for a Larger Data-Set. ", + "timeContext": { + "durationMs": 2592000000 + }, + "timeContextFromParameter": "TimeRange", + "showExportToExcel": true, + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces", + "crossComponentResources": [ + "{Workspace}" + ], + "gridSettings": { + "formatters": [ + { + "columnMatch": "AlertName", + "formatter": 18, + "formatOptions": { + "thresholdsOptions": "icons", + "thresholdsGrid": [ + { + "operator": "Default", + "thresholdValue": null, + "representation": "3", + "text": "{0}{1}" + } + ] + } + }, + { + "columnMatch": "ProductName", + "formatter": 18, + "formatOptions": { + "thresholdsOptions": "icons", + "thresholdsGrid": [ + { + "operator": "Default", + "thresholdValue": null, + "representation": "uninitialized", + "text": "{0}{1}" + } + ] + } + }, + { + "columnMatch": "AlertLink", + "formatter": 7, + "formatOptions": { + "linkTarget": "Url", + "linkLabel": "Go to Alert >" + } + }, + { + "columnMatch": "UserPrincipalName", + "formatter": 18, + "formatOptions": { + "thresholdsOptions": "icons", + "thresholdsGrid": [ + { + "operator": "Default", + "thresholdValue": null, + "representation": "Person", + "text": "{0}{1}" + } + ] + } + }, + { + "columnMatch": "Severity", + "formatter": 18, + "formatOptions": { + "thresholdsOptions": "colors", + "thresholdsGrid": [ + { + "operator": "==", + "thresholdValue": "High", + "representation": "red", + "text": "{0}{1}" + }, + { + "operator": "==", + "thresholdValue": "Medium", + "representation": "orange", + "text": "{0}{1}" + }, + { + "operator": "==", + "thresholdValue": "Low", + "representation": "yellow", + "text": "{0}{1}" + }, + { + "operator": "Default", + "thresholdValue": null, + "representation": "blue", + "text": "{0}{1}" + } + ] + } + }, + { + "columnMatch": "UPN", + "formatter": 18, + "formatOptions": { + "thresholdsOptions": "icons", + "thresholdsGrid": [ + { + "operator": "Default", + "thresholdValue": null, + "representation": "2", + "text": "{0}{1}" + } + ] + } + }, + { + "columnMatch": "IncidentUrl", + "formatter": 7, + "formatOptions": { + "linkTarget": "Url", + "linkLabel": "Go to Incident >" + }, + "numberFormat": { + "unit": 0, + "options": { + "style": "decimal" + } + } + }, + { + "columnMatch": "count_", + "formatter": 8, + "formatOptions": { + "palette": "blue" + } + }, + { + "columnMatch": "city_", + "formatter": 18, + "formatOptions": { + "thresholdsOptions": "colors", + "thresholdsGrid": [ + { + "operator": "Default", + "thresholdValue": null, + "representation": "blue", + "text": "{0}{1}" + } + ] + } + }, + { + "columnMatch": "state_", + "formatter": 18, + "formatOptions": { + "thresholdsOptions": "colors", + "thresholdsGrid": [ + { + "operator": "Default", + "thresholdValue": null, + "representation": "blueDark", + "text": "{0}{1}" + } + ] + } + } + ], + "filter": true + }, + "tileSettings": { + "titleContent": { + "columnMatch": "SigninStatus", + "formatter": 1 + }, + "leftContent": { + "columnMatch": "Count", + "formatter": 12, + "formatOptions": { + "palette": "blue" + }, + "numberFormat": { + "unit": 17, + "options": { + "style": "decimal", + "maximumFractionDigits": 2, + "maximumSignificantDigits": 3 + } + } + }, + "secondaryContent": { + "columnMatch": "Trend", + "formatter": 9, + "formatOptions": { + "palette": "green" + } + }, + "showBorder": false + }, + "mapSettings": { + "locInfo": "CountryRegion", + "locInfoColumn": "Location", + "latitude": "SourceIPLocation", + "longitude": "SourceIPLocation", + "sizeSettings": "Location", + "sizeAggregation": "Count", + "legendMetric": "Location", + "legendAggregation": "Count", + "itemColorSettings": { + "nodeColorField": "Location", + "colorAggregation": "Count", + "type": "thresholds", + "thresholdsGrid": [ + { + "operator": "Default", + "thresholdValue": null, + "representation": "blueDark" + } + ] + } + } + }, + "customWidth": "50", + "name": "query - 2" + }, + { + "type": 12, + "content": { + "version": "NotebookGroup/1.0", + "groupType": "editable", + "items": [ + { + "type": 1, + "content": { + "json": "## Control Assessment\r\n" + }, + "name": "text - 2" + }, + { + "type": 9, + "content": { + "version": "KqlParameterItem/1.0", + "parameters": [ + { + "id": "52668f65-b44a-4e14-82d8-c87410e7e5dc", + "version": "KqlParameterItem/1.0", + "name": "ImplementationStatus", + "label": "Implementation Status", + "type": 2, + "typeSettings": { + "additionalResourceOptions": [], + "showDefault": false + }, + "jsonData": "[\r\n {\"value\": \"Not Implemented\", \"label\": \"Not Implemented\", \"selected\":true},\r\n {\"value\": \"Implemented\", \"label\": \"Implemented\"},\r\n {\"value\": \"Alternate Implementation\", \"label\": \"Alternate Implementation\"},\r\n {\"value\": \"Planned\", \"label\": \"Planned\"},\r\n {\"value\": \"Out of Scope\", \"label\": \"Out of Scope\"}\r\n]", + "timeContext": { + "durationMs": 86400000 + } + }, + { + "id": "578b8620-30b9-4b92-abc6-997998bc8156", + "version": "KqlParameterItem/1.0", + "name": "ImplementationDate", + "label": "Implementation Date", + "type": 1, + "value": "", + "timeContext": { + "durationMs": 86400000 + } + }, + { + "version": "KqlParameterItem/1.0", + "name": "Notes", + "type": 1, + "value": "", + "timeContext": { + "durationMs": 86400000 + }, + "id": "7bd0d384-d3c3-4c77-9dae-d75e823edfcf" + } + ], + "style": "pills", + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces" + }, + "name": "Status" + }, + { + "type": 1, + "content": { + "json": "### Notes
\r\n{Notes}" + }, + "name": "text - 1" + } + ] + }, + "customWidth": "50", + "name": "group - 2" + } + ] + }, + "name": "PS.L2-3.9.2", + "styleSettings": { + "showBorder": true + } + } + ] + }, + "conditionalVisibility": { + "parameterName": "isML2Visible", + "comparison": "isEqualTo", + "value": "true" + }, + "name": "Level 2: Advanced" + } + ] + }, + "conditionalVisibility": { + "parameterName": "isPSVisible", + "comparison": "isEqualTo", + "value": "true" + }, + "name": "Personnel Security", + "styleSettings": { + "showBorder": true + } + }, + { + "type": 12, + "content": { + "version": "NotebookGroup/1.0", + "groupType": "editable", + "items": [ + { + "type": 1, + "content": { + "json": "# Physical Protection\r\n---\r\nPhysical Protections are focused on protecting direct access to systems, networks, and assets. Physical protection includes considerations for limiting physical access, escorting visitors, maintaining visit audit logs, monitoring infrastructure, and protecting Controlled Unclassified Information (CUI). For more information, see the 💡[CMMC Model](https://www.acq.osd.mil/cmmc/model.html)" + }, + "customWidth": "50", + "name": "text - 5" + }, + { + "type": 12, + "content": { + "version": "NotebookGroup/1.0", + "groupType": "editable", + "title": "Level 1: Foundational", + "items": [ + { + "type": 1, + "content": { + "json": "The Department views Level 1 (“Foundational”) as an opportunity to engage its contractors in developing and strengthening their approach to cybersecurity. Because Level 1 does not involve sensitive national security information, DoD intends for this Level to allow companies to assess their own cybersecurity and begin adopting practices that will thwart cyber-attacks. " + }, + "customWidth": "50", + "name": "text - 1" + }, + { + "type": 1, + "content": { + "json": "" + }, + "customWidth": "5", + "name": "text - 2" + }, + { + "type": 11, + "content": { + "version": "LinkItem/1.0", + "style": "list", + "links": [ + { + "id": "af33f331-b64b-4fbd-a0b4-3e411ff705a8", + "cellValue": "PE.L1-3.10.1-PE.L1-3.10.5", + "linkTarget": "step", + "linkLabel": "✳️ (PE.L1-3.10.1) Limit Physical Access", + "preText": "", + "postText": "", + "style": "link" + }, + { + "id": "4c0bfeef-f67e-4d83-846e-0b72742c6648", + "cellValue": "PE.L1-3.10.1-PE.L1-3.10.5", + "linkTarget": "step", + "linkLabel": "✳️ (PE.L1-3.10.3) Escort Visitors", + "preText": "", + "style": "link" + }, + { + "id": "24dd9388-43f3-4e00-b712-06cb10be7afe", + "cellValue": "PE.L1-3.10.1-PE.L1-3.10.5", + "linkTarget": "step", + "linkLabel": "✳️ (PE.L1-3.10.4) Physical Access Logs", + "preText": "", + "style": "link" + }, + { + "id": "dfa2d3dc-b48f-4aee-8368-b6d6388b74c4", + "cellValue": "PE.L1-3.10.1-PE.L1-3.10.5", + "linkTarget": "step", + "linkLabel": "✳️ (PE.L1-3.10.5) Manage Physical Access", + "preText": "", + "style": "link" + } + ] + }, + "customWidth": "40", + "name": "ML1 Steps" + }, + { + "type": 12, + "content": { + "version": "NotebookGroup/1.0", + "groupType": "editable", + "items": [ + { + "type": 1, + "content": { + "json": "# (PE.L1-3.10.1) Limit Physical Access\r\n# (PE.L1-3.10.3) Escort Visitors\r\n# (PE.L1-3.10.4) Physical Access Logs\r\n# (PE.L1-3.10.5) Manage Physical Access\r\n \r\n## Recommended References\r\n💡 [Datacenter physical access security](https://docs.microsoft.com/compliance/assurance/assurance-datacenter-physical-access-security)
\r\n💡 [Azure Facilities, Premises, and Physical Security](https://docs.microsoft.com/azure/security/fundamentals/physical-security)
\r\n💡 [Management and Operation of the Azure Production Network](https://docs.microsoft.com/azure/security/fundamentals/infrastructure-operations)
\r\n💡 [Azure Infrastructure Availability](https://docs.microsoft.com/azure/security/fundamentals/infrastructure-availability)
\r\n\r\n## Implementation Guidance\r\n[Microsoft Technical Reference Guide for CMMC](https://aka.ms/cmmc/techrefguide)\r\n## NIST SP 800-171 Mapping\r\n[3.10.1, 3.10.3, 3.10.4, 3.10.5](https://csrc.nist.gov/publications/detail/sp/800-171/rev-2/final)
\r\n## NIST SP 800-53 R4 Mapping\r\n[PE-2, PE-3, PE-6](https://csrc.nist.gov/publications/detail/sp/800-53/rev-4/final)\r\n## Microsoft Defender for Cloud: Regulatory Compliance\r\n[Go To: NIST SP 800-171 Assessment >](https://portal.azure.com/#blade/Microsoft_Azure_Security/SecurityMenuBlade/22)
\r\n" + }, + "customWidth": "45", + "name": "text - 4" + }, + { + "type": 1, + "content": { + "json": "" + }, + "customWidth": "5", + "name": "text - 2" + }, + { + "type": 1, + "content": { + "json": "### Azure Datacenters: Physical Security\r\n![Image Name](https://stp-api-cdn-prod.azureedge.net/api/Images/e5724a10-491a-11e8-9fe5-75d16dd56b03?hash=7AC632B242A298BFB2E2CFF3968117CFDA3A33AB0A50B1FCBD565C0F6D1DBCB6  \"Physical Security Controls\")[Go To: Azure Physical Security >](https://docs.microsoft.com/azure/security/fundamentals/physical-security) \r\n" + }, + "customWidth": "45", + "name": "text - 2", + "styleSettings": { + "maxWidth": "45" + } + }, + { + "type": 12, + "content": { + "version": "NotebookGroup/1.0", + "groupType": "editable", + "items": [ + { + "type": 1, + "content": { + "json": "## Control Assessment\r\n" + }, + "name": "text - 2" + }, + { + "type": 9, + "content": { + "version": "KqlParameterItem/1.0", + "parameters": [ + { + "id": "52668f65-b44a-4e14-82d8-c87410e7e5dc", + "version": "KqlParameterItem/1.0", + "name": "ImplementationStatus", + "label": "Implementation Status", + "type": 2, + "typeSettings": { + "additionalResourceOptions": [], + "showDefault": false + }, + "jsonData": "[\r\n {\"value\": \"Not Implemented\", \"label\": \"Not Implemented\", \"selected\":true},\r\n {\"value\": \"Implemented\", \"label\": \"Implemented\"},\r\n {\"value\": \"Alternate Implementation\", \"label\": \"Alternate Implementation\"},\r\n {\"value\": \"Planned\", \"label\": \"Planned\"},\r\n {\"value\": \"Out of Scope\", \"label\": \"Out of Scope\"}\r\n]", + "timeContext": { + "durationMs": 86400000 + } + }, + { + "id": "578b8620-30b9-4b92-abc6-997998bc8156", + "version": "KqlParameterItem/1.0", + "name": "ImplementationDate", + "label": "Implementation Date", + "type": 1, + "value": "", + "timeContext": { + "durationMs": 86400000 + } + }, + { + "version": "KqlParameterItem/1.0", + "name": "Notes", + "type": 1, + "value": "", + "timeContext": { + "durationMs": 86400000 + }, + "id": "7bd0d384-d3c3-4c77-9dae-d75e823edfcf" + } + ], + "style": "pills", + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces" + }, + "name": "Status" + }, + { + "type": 1, + "content": { + "json": "### Notes
\r\n{Notes}" + }, + "name": "text - 1" + } + ] + }, + "customWidth": "50", + "name": "group - 2" + } + ] + }, + "name": "PE.L1-3.10.1-PE.L1-3.10.5", + "styleSettings": { + "showBorder": true + } + } + ] + }, + "conditionalVisibility": { + "parameterName": "isML1Visible", + "comparison": "isEqualTo", + "value": "true" + }, + "name": "Level 1: Foundational" + }, + { + "type": 12, + "content": { + "version": "NotebookGroup/1.0", + "groupType": "editable", + "title": "Level 2: Advanced", + "items": [ + { + "type": 1, + "content": { + "json": "A subset of programs with Level 2 (“Advanced”) requirements do not involve information critical to national security, and associated contractors will only be required to conduct self-assessments. Once CMMC 2.0 is implemented, contractors will be required to obtain a third-party CMMC assessment for a subset of acquisitions requiring Level 2 (“Advanced”) cybersecurity standards that involve information critical to national security. " + }, + "customWidth": "50", + "name": "text - 1" + }, + { + "type": 1, + "content": { + "json": "" + }, + "customWidth": "5", + "name": "text - 1" + }, + { + "type": 11, + "content": { + "version": "LinkItem/1.0", + "style": "list", + "links": [ + { + "id": "af33f331-b64b-4fbd-a0b4-3e411ff705a8", + "cellValue": "PE.L2-3.10.2", + "linkTarget": "step", + "linkLabel": "✳️ (PE.L2-3.10.2) Monitor Facility", + "preText": "", + "postText": "", + "style": "link" + }, + { + "id": "18c9d473-00f2-47af-bb02-cf0da80e34d1", + "cellValue": "PE.L2-3.10.6", + "linkTarget": "step", + "linkLabel": "✳️ (PE.L2-3.10.6) Alternate Work Sites", + "style": "link" + } + ] + }, + "customWidth": "40", + "name": "ML3 Steps" + }, + { + "type": 12, + "content": { + "version": "NotebookGroup/1.0", + "groupType": "editable", + "items": [ + { + "type": 1, + "content": { + "json": "# (PE.L2-3.10.2) Monitor Facility\r\n\r\n## Recommended References\r\n💡 [Datacenter physical access security](https://docs.microsoft.com/compliance/assurance/assurance-datacenter-physical-access-security)
\r\n💡 [Azure Facilities, Premises, and Physical Security](https://docs.microsoft.com/azure/security/fundamentals/physical-security)
\r\n💡 [Management and Operation of the Azure Production Network](https://docs.microsoft.com/azure/security/fundamentals/infrastructure-operations)
\r\n\r\n## Implementation Guidance\r\n[Microsoft Technical Reference Guide for CMMC](https://aka.ms/cmmc/techrefguide)\r\n## NIST SP 800-171 Mapping\r\n[3.10.2](https://csrc.nist.gov/publications/detail/sp/800-171/rev-2/final)
\r\n## NIST SP 800-53 R4 Mapping\r\n[PE-6](https://csrc.nist.gov/publications/detail/sp/800-53/rev-4/final)\r\n## Microsoft Defender for Cloud: Regulatory Compliance\r\n[Go To: NIST SP 800-171 Assessment >](https://portal.azure.com/#blade/Microsoft_Azure_Security/SecurityMenuBlade/22)
\r\n" + }, + "customWidth": "45", + "name": "text - 0" + }, + { + "type": 1, + "content": { + "json": "" + }, + "customWidth": "5", + "name": "text - 2" + }, + { + "type": 1, + "content": { + "json": "### Azure Datacenters: Physical Security\r\n![Image Name](https://www.microsoft.com/security/blog/wp-content/uploads/2019/10/4-principals-for-an-effective-security-operations-center-SOCIAL-1200x600.png  \"Physical Security Controls\")[Go To: Azure Physical Security >](https://docs.microsoft.com/azure/security/fundamentals/physical-security) \r\n" + }, + "customWidth": "45", + "name": "text - 2", + "styleSettings": { + "maxWidth": "45" + } + }, + { + "type": 12, + "content": { + "version": "NotebookGroup/1.0", + "groupType": "editable", + "items": [ + { + "type": 1, + "content": { + "json": "## Control Assessment\r\n" + }, + "name": "text - 2" + }, + { + "type": 9, + "content": { + "version": "KqlParameterItem/1.0", + "parameters": [ + { + "id": "52668f65-b44a-4e14-82d8-c87410e7e5dc", + "version": "KqlParameterItem/1.0", + "name": "ImplementationStatus", + "label": "Implementation Status", + "type": 2, + "typeSettings": { + "additionalResourceOptions": [], + "showDefault": false + }, + "jsonData": "[\r\n {\"value\": \"Not Implemented\", \"label\": \"Not Implemented\", \"selected\":true},\r\n {\"value\": \"Implemented\", \"label\": \"Implemented\"},\r\n {\"value\": \"Alternate Implementation\", \"label\": \"Alternate Implementation\"},\r\n {\"value\": \"Planned\", \"label\": \"Planned\"},\r\n {\"value\": \"Out of Scope\", \"label\": \"Out of Scope\"}\r\n]", + "timeContext": { + "durationMs": 86400000 + } + }, + { + "id": "578b8620-30b9-4b92-abc6-997998bc8156", + "version": "KqlParameterItem/1.0", + "name": "ImplementationDate", + "label": "Implementation Date", + "type": 1, + "value": "", + "timeContext": { + "durationMs": 86400000 + } + }, + { + "version": "KqlParameterItem/1.0", + "name": "Notes", + "type": 1, + "value": "", + "timeContext": { + "durationMs": 86400000 + }, + "id": "7bd0d384-d3c3-4c77-9dae-d75e823edfcf" + } + ], + "style": "pills", + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces" + }, + "name": "Status" + }, + { + "type": 1, + "content": { + "json": "### Notes
\r\n{Notes}" + }, + "name": "text - 1" + } + ] + }, + "customWidth": "50", + "name": "group - 2" + } + ] + }, + "name": "PE.L2-3.10.2", + "styleSettings": { + "showBorder": true + } + }, + { + "type": 12, + "content": { + "version": "NotebookGroup/1.0", + "groupType": "editable", + "items": [ + { + "type": 1, + "content": { + "json": "# (PE.L2-3.10.6) Alternate Work Sites\r\n\r\n## Primary Services\r\n✳️ [Intune/Microsoft Endpoint Manager](https://www.microsoft.com/microsoft-365/microsoft-endpoint-Manager) 🔀[Microsoft Endpoint Manager Admin Center](https://endpoint.microsoft.com/#home)
\r\n✳️ [Azure Global Infrastructure](https://azure.microsoft.com/global-infrastructure/) 🔀[Microsoft Azure Portal](https://portal.azure.com/)
\r\n\r\n## Secondary Services\r\n✳️ [Named Locations](https://docs.microsoft.com/azure/active-directory/conditional-access/location-condition) 🔀[Azure AD Named Locations](https://portal.azure.com/#blade/Microsoft_AAD_IAM/NamedNetworksWithCountryBlade)
\r\n✳️ [Azure Information Protection](https://azure.microsoft.com/services/information-protection/) 🔀[Azure Information Protection](https://portal.azure.com/#blade/Microsoft_Azure_InformationProtection/DataClassGroupEditBlade/quickstartBlade)
\r\n✳️ [Conditional Access](https://docs.microsoft.com/azure/active-directory/conditional-access/overview) 🔀[Azure Active Directory: Conditional Access](https://portal.azure.com/#blade/Microsoft_AAD_IAM/ConditionalAccessBlade/Policies)
\r\n\r\n## Recommended Logs\r\n🔷 [SigninLogs](https://docs.microsoft.com/azure/azure-monitor/reference/tables/signinlogs) ✳️ [Azure Active Directory](https://azure.microsoft.com/services/active-directory/)
\r\n🔷 [InformationProtectionLogs_CL](https://docs.microsoft.com/azure/information-protection/audit-logs) ✳️ [Azure Information Protection](https://azure.microsoft.com/services/information-protection/)
\r\n\r\n## Implementation Guidance\r\n[Microsoft Technical Reference Guide for CMMC](https://aka.ms/cmmc/techrefguide)\r\n## NIST SP 800-171 Mapping\r\n[3.10.6](https://csrc.nist.gov/publications/detail/sp/800-171/rev-2/final)
\r\n## NIST SP 800-53 R4 Mapping\r\n[PE-17](https://csrc.nist.gov/publications/detail/sp/800-53/rev-4/final)\r\n## Microsoft Defender for Cloud: Regulatory Compliance\r\n[Go To: NIST SP 800-171 Assessment >](https://portal.azure.com/#blade/Microsoft_Azure_Security/SecurityMenuBlade/22)
\r\n" + }, + "customWidth": "50", + "name": "text - 0", + "styleSettings": { + "maxWidth": "50" + } + }, + { + "type": 3, + "content": { + "version": "KqlItem/1.0", + "query": "InformationProtectionLogs_CL\r\n| extend UserPrincipalName = UserId_s\r\n| where LabelName_s <> \"\"\r\n| join (SigninLogs) on UserPrincipalName\r\n| extend City = tostring(LocationDetails.city)\r\n| extend State = tostring(LocationDetails.state)\r\n| extend Country_Region = tostring(LocationDetails.countryOrRegion)\r\n| summarize count() by UserPrincipalName, LabelName_s, Activity_s, City, State, Country_Region\r\n| sort by count_ desc\r\n| limit 250", + "size": 0, + "showAnalytics": true, + "title": "Monitor Geolocation of Sensitive Data Access", + "noDataMessage": "An Empty Panel Provides Opportunity To Explore Further and Implement Hardening. Controls: Confirm Licensing, Availability, and Health of Respective Offerings. Logging: Confirm Log Source is Onboarded to the Log Analytics Workspace. Time: Adjust the Time Parameter for a Larger Data-Set. ", + "timeContext": { + "durationMs": 2592000000 + }, + "timeContextFromParameter": "TimeRange", + "showExportToExcel": true, + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces", + "crossComponentResources": [ + "{Workspace}" + ], + "gridSettings": { + "formatters": [ + { + "columnMatch": "UserPrincipalName", + "formatter": 18, + "formatOptions": { + "thresholdsOptions": "icons", + "thresholdsGrid": [ + { + "operator": "Default", + "thresholdValue": null, + "representation": "Person", + "text": "{0}{1}" + } + ] + } + }, + { + "columnMatch": "Activity_s", + "formatter": 18, + "formatOptions": { + "thresholdsOptions": "icons", + "thresholdsGrid": [ + { + "operator": "Default", + "thresholdValue": null, + "representation": "pending", + "text": "{0}{1}" + } + ] + } + }, + { + "columnMatch": "City", + "formatter": 18, + "formatOptions": { + "thresholdsOptions": "icons", + "thresholdsGrid": [ + { + "operator": "Default", + "thresholdValue": null, + "representation": "Globe", + "text": "{0}{1}" + } + ] + } + }, + { + "columnMatch": "State", + "formatter": 18, + "formatOptions": { + "thresholdsOptions": "icons", + "thresholdsGrid": [ + { + "operator": "Default", + "thresholdValue": null, + "representation": "Globe", + "text": "{0}{1}" + } + ] + } + }, + { + "columnMatch": "Country_Region", + "formatter": 18, + "formatOptions": { + "thresholdsOptions": "icons", + "thresholdsGrid": [ + { + "operator": "Default", + "thresholdValue": null, + "representation": "Globe", + "text": "{0}{1}" + } + ] + } + }, + { + "columnMatch": "count_", + "formatter": 4, + "formatOptions": { + "palette": "blue" + } + } + ], + "filter": true + } + }, + "customWidth": "50", + "name": "query - 1" + }, + { + "type": 12, + "content": { + "version": "NotebookGroup/1.0", + "groupType": "editable", + "items": [ + { + "type": 1, + "content": { + "json": "## Control Assessment\r\n" + }, + "name": "text - 2" + }, + { + "type": 9, + "content": { + "version": "KqlParameterItem/1.0", + "parameters": [ + { + "id": "52668f65-b44a-4e14-82d8-c87410e7e5dc", + "version": "KqlParameterItem/1.0", + "name": "ImplementationStatus", + "label": "Implementation Status", + "type": 2, + "typeSettings": { + "additionalResourceOptions": [], + "showDefault": false + }, + "jsonData": "[\r\n {\"value\": \"Not Implemented\", \"label\": \"Not Implemented\", \"selected\":true},\r\n {\"value\": \"Implemented\", \"label\": \"Implemented\"},\r\n {\"value\": \"Alternate Implementation\", \"label\": \"Alternate Implementation\"},\r\n {\"value\": \"Planned\", \"label\": \"Planned\"},\r\n {\"value\": \"Out of Scope\", \"label\": \"Out of Scope\"}\r\n]", + "timeContext": { + "durationMs": 86400000 + } + }, + { + "id": "578b8620-30b9-4b92-abc6-997998bc8156", + "version": "KqlParameterItem/1.0", + "name": "ImplementationDate", + "label": "Implementation Date", + "type": 1, + "value": "", + "timeContext": { + "durationMs": 86400000 + } + }, + { + "version": "KqlParameterItem/1.0", + "name": "Notes", + "type": 1, + "value": "", + "timeContext": { + "durationMs": 86400000 + }, + "id": "7bd0d384-d3c3-4c77-9dae-d75e823edfcf" + } + ], + "style": "pills", + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces" + }, + "name": "Status" + }, + { + "type": 1, + "content": { + "json": "### Notes
\r\n{Notes}" + }, + "name": "text - 1" + } + ] + }, + "customWidth": "50", + "name": "group - 2" + }, + { + "type": 3, + "content": { + "version": "KqlItem/1.0", + "query": "InformationProtectionLogs_CL\r\n| extend UserPrincipalName = UserId_s\r\n| where LabelName_s <> \"\"\r\n| join (SigninLogs) on UserPrincipalName\r\n\r\n\r\n", + "size": 3, + "showAnalytics": true, + "title": "Monitor Geolocation of Sensitive Data Access", + "noDataMessage": "An Empty Panel Provides Opportunity To Explore Further and Implement Hardening. Controls: Confirm Licensing, Availability, and Health of Respective Offerings. Logging: Confirm Log Source is Onboarded to the Log Analytics Workspace. Time: Adjust the Time Parameter for a Larger Data-Set. ", + "timeContext": { + "durationMs": 2592000000 + }, + "timeContextFromParameter": "TimeRange", + "showExportToExcel": true, + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces", + "crossComponentResources": [ + "{Workspace}" + ], + "visualization": "map", + "gridSettings": { + "formatters": [ + { + "columnMatch": "UserPrincipalName", + "formatter": 18, + "formatOptions": { + "thresholdsOptions": "icons", + "thresholdsGrid": [ + { + "operator": "Default", + "thresholdValue": null, + "representation": "Person", + "text": "{0}{1}" + } + ] + } + }, + { + "columnMatch": "Activity_s", + "formatter": 18, + "formatOptions": { + "thresholdsOptions": "icons", + "thresholdsGrid": [ + { + "operator": "Default", + "thresholdValue": null, + "representation": "pending", + "text": "{0}{1}" + } + ] + } + }, + { + "columnMatch": "City", + "formatter": 18, + "formatOptions": { + "thresholdsOptions": "icons", + "thresholdsGrid": [ + { + "operator": "Default", + "thresholdValue": null, + "representation": "Globe", + "text": "{0}{1}" + } + ] + } + }, + { + "columnMatch": "State", + "formatter": 18, + "formatOptions": { + "thresholdsOptions": "icons", + "thresholdsGrid": [ + { + "operator": "Default", + "thresholdValue": null, + "representation": "Globe", + "text": "{0}{1}" + } + ] + } + }, + { + "columnMatch": "Country_Region", + "formatter": 18, + "formatOptions": { + "thresholdsOptions": "icons", + "thresholdsGrid": [ + { + "operator": "Default", + "thresholdValue": null, + "representation": "Globe", + "text": "{0}{1}" + } + ] + } + }, + { + "columnMatch": "count_", + "formatter": 4, + "formatOptions": { + "palette": "blue" + } + } + ] + }, + "mapSettings": { + "locInfo": "CountryRegion", + "locInfoColumn": "Location", + "sizeSettings": "Location", + "sizeAggregation": "Count", + "legendMetric": "Location", + "legendAggregation": "Count", + "itemColorSettings": { + "nodeColorField": "Location", + "colorAggregation": "Count", + "type": "thresholds", + "thresholdsGrid": [ + { + "operator": "Default", + "thresholdValue": null, + "representation": "orange" + } + ] + } + } + }, + "name": "query - 1 - Copy" + } + ] + }, + "name": "PE.L2-3.10.6", + "styleSettings": { + "showBorder": true + } + } + ] + }, + "conditionalVisibility": { + "parameterName": "isML2Visible", + "comparison": "isEqualTo", + "value": "true" + }, + "name": "Level 2: Advanced" + } + ] + }, + "conditionalVisibility": { + "parameterName": "isPEVisible", + "comparison": "isEqualTo", + "value": "true" + }, + "name": "Physical Protection", + "styleSettings": { + "showBorder": true + } + }, + { + "type": 12, + "content": { + "version": "NotebookGroup/1.0", + "groupType": "editable", + "items": [ + { + "type": 1, + "content": { + "json": "# Risk Assessment\r\n---\r\nRisk Assessment ensures a consistent approach to the identification, mitigation, and response to security risks. For more information, see the 💡[CMMC Model](https://www.acq.osd.mil/cmmc/model.html)" + }, + "customWidth": "50", + "name": "text - 5" + }, + { + "type": 12, + "content": { + "version": "NotebookGroup/1.0", + "groupType": "editable", + "title": "Level 2: Advanced", + "items": [ + { + "type": 1, + "content": { + "json": "A subset of programs with Level 2 (“Advanced”) requirements do not involve information critical to national security, and associated contractors will only be required to conduct self-assessments. Once CMMC 2.0 is implemented, contractors will be required to obtain a third-party CMMC assessment for a subset of acquisitions requiring Level 2 (“Advanced”) cybersecurity standards that involve information critical to national security. " + }, + "customWidth": "50", + "name": "text - 1" + }, + { + "type": 1, + "content": { + "json": "" + }, + "customWidth": "5", + "name": "text - 1" + }, + { + "type": 11, + "content": { + "version": "LinkItem/1.0", + "style": "list", + "links": [ + { + "id": "af33f331-b64b-4fbd-a0b4-3e411ff705a8", + "cellValue": "RA.L2-3.11.1", + "linkTarget": "step", + "linkLabel": "✳️ (RA.L2-3.11.1) Risk Assessments", + "preText": "", + "postText": "", + "style": "link" + }, + { + "id": "cca4d1e8-e1e2-4b1d-9b8a-698e6496924c", + "cellValue": "RA.L2-3.11.2", + "linkTarget": "step", + "linkLabel": "✳️ (RA.L2-3.11.2) Vulnerability Scan", + "preText": "", + "postText": "", + "style": "link" + }, + { + "id": "f7074cad-e2ec-4a2c-84d1-7b33b14d4c04", + "cellValue": "RA.L2-3.11.3", + "linkTarget": "step", + "linkLabel": "✳️ (RA.L2-3.11.3) Vulnerability Remediation", + "preText": "", + "postText": "", + "style": "link" + } + ] + }, + "customWidth": "40", + "name": "ML2 Steps" + }, + { + "type": 12, + "content": { + "version": "NotebookGroup/1.0", + "groupType": "editable", + "items": [ + { + "type": 1, + "content": { + "json": "# [(RA.L2-3.11.1) Risk Assessments](https://docs.microsoft.com/azure/governance/policy/samples/cmmc-l3?WT.mc_id=Portal-fx#periodically-assess-the-risk-to-organizational-operations-including-mission-functions-image-or-reputation-organizational-assets-and-individuals-resulting-from-the-operation-of-organizational-systems-and-the-associated-processing-storage-or-transmission-of-cui)\r\n\r\n## Primary Services\r\n✳️ [Microsoft Defender for Cloud](https://azure.microsoft.com/services/security-center) 🔀[Microsoft Defender for Cloud](https://portal.azure.com/#blade/Microsoft_Azure_Security/SecurityMenuBlade/0)
\r\n✳️ [Microsoft Defender for Cloud](https://azure.microsoft.com/services/security-center/) 🔀[Microsoft Defender for Cloud](https://portal.azure.com/#blade/Microsoft_Azure_Security/SecurityMenuBlade/0)
\r\n\r\n## Secondary Services\r\n✳️ [Microsoft Sentinel](https://azure.microsoft.com/services/azure-sentinel/) 🔀[Microsoft Sentinel](https://portal.azure.com/#blade/HubsExtension/BrowseResource/resourceType/microsoft.securityinsightsarg%2Fsentinel)
\r\n✳️ [Intune/Microsoft Endpoint Manager](https://www.microsoft.com/microsoft-365/microsoft-endpoint-Manager) 🔀[Microsoft Endpoint Manager Admin Center](https://endpoint.microsoft.com/#home)
\r\n✳️ [Microsoft Defender for Cloud Apps](https://www.microsoft.com/microsoft-365/enterprise-mobility-security/cloud-app-security) 🔀 [Microsoft Defender for Cloud Apps Portal](https://portal.cloudappsecurity.com/)
\r\n✳️ [Microsoft Defender for Endpoint]( https://www.microsoft.com/microsoft-365/security/endpoint-defender) 🔀[Microsoft 365 Defender](https://security.microsoft.com/)
\r\n\r\n## Recommended Logs\r\n🔷 [SecurityScore](https://docs.microsoft.com/azure/azure-monitor/reference/tables/securescores) ✳️ [Microsoft Defender for Cloud](https://azure.microsoft.com/services/security-center/)
\r\n\r\n## Implementation Guidance\r\n[Microsoft Technical Reference Guide for CMMC](https://aka.ms/cmmc/techrefguide)\r\n## NIST SP 800-171 Mapping\r\n[3.11.1](https://csrc.nist.gov/publications/detail/sp/800-171/rev-2/final)
\r\n## NIST SP 800-53 R4 Mapping\r\n[RA-3](https://csrc.nist.gov/publications/detail/sp/800-53/rev-4/final)\r\n## Microsoft Defender for Cloud: Regulatory Compliance\r\n[Go To: NIST SP 800-171 Assessment >](https://portal.azure.com/#blade/Microsoft_Azure_Security/SecurityMenuBlade/22)
\r\n" + }, + "customWidth": "50", + "name": "text - 0", + "styleSettings": { + "maxWidth": "50" + } + }, + { + "type": 3, + "content": { + "version": "KqlItem/1.0", + "query": "SecurityRecommendation\r\n| make-series count() default=0 on DiscoveredTimeUTC from {TimeRange:start} to {TimeRange:end} step 1d by RecommendationSeverity", + "size": 0, + "showAnalytics": true, + "title": "Microsoft Defender for Cloud: Recommendations over Time by Severity", + "noDataMessage": "An Empty Panel Provides Opportunity To Explore Further and Implement Hardening. Controls: Confirm Licensing, Availability, and Health of Respective Offerings. Logging: Confirm Log Source is Onboarded to the Log Analytics Workspace. Time: Adjust the Time Parameter for a Larger Data-Set. ", + "timeContext": { + "durationMs": 2592000000 + }, + "timeContextFromParameter": "TimeRange", + "showExportToExcel": true, + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces", + "crossComponentResources": [ + "{Workspace}" + ], + "visualization": "timechart", + "chartSettings": { + "seriesLabelSettings": [ + { + "seriesName": "Medium", + "color": "yellow" + }, + { + "seriesName": "High", + "color": "redBright" + }, + { + "seriesName": "Low", + "color": "blueDark" + } + ] + } + }, + "customWidth": "50", + "name": "query - 2", + "styleSettings": { + "maxWidth": "50" + } + }, + { + "type": 12, + "content": { + "version": "NotebookGroup/1.0", + "groupType": "editable", + "items": [ + { + "type": 1, + "content": { + "json": "## Control Assessment\r\n" + }, + "name": "text - 2" + }, + { + "type": 9, + "content": { + "version": "KqlParameterItem/1.0", + "parameters": [ + { + "id": "52668f65-b44a-4e14-82d8-c87410e7e5dc", + "version": "KqlParameterItem/1.0", + "name": "ImplementationStatus", + "label": "Implementation Status", + "type": 2, + "typeSettings": { + "additionalResourceOptions": [], + "showDefault": false + }, + "jsonData": "[\r\n {\"value\": \"Not Implemented\", \"label\": \"Not Implemented\", \"selected\":true},\r\n {\"value\": \"Implemented\", \"label\": \"Implemented\"},\r\n {\"value\": \"Alternate Implementation\", \"label\": \"Alternate Implementation\"},\r\n {\"value\": \"Planned\", \"label\": \"Planned\"},\r\n {\"value\": \"Out of Scope\", \"label\": \"Out of Scope\"}\r\n]", + "timeContext": { + "durationMs": 86400000 + } + }, + { + "id": "578b8620-30b9-4b92-abc6-997998bc8156", + "version": "KqlParameterItem/1.0", + "name": "ImplementationDate", + "label": "Implementation Date", + "type": 1, + "value": "", + "timeContext": { + "durationMs": 86400000 + } + }, + { + "version": "KqlParameterItem/1.0", + "name": "Notes", + "type": 1, + "value": "", + "timeContext": { + "durationMs": 86400000 + }, + "id": "7bd0d384-d3c3-4c77-9dae-d75e823edfcf" + } + ], + "style": "pills", + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces" + }, + "name": "Status" + }, + { + "type": 1, + "content": { + "json": "### Notes
\r\n{Notes}" + }, + "name": "text - 1" + } + ] + }, + "customWidth": "50", + "name": "group - 2" + } + ] + }, + "name": "RA.L2-3.11.1", + "styleSettings": { + "showBorder": true + } + }, + { + "type": 12, + "content": { + "version": "NotebookGroup/1.0", + "groupType": "editable", + "items": [ + { + "type": 1, + "content": { + "json": "# [(RA.L2-3.11.2) Vulnerability Scan](https://docs.microsoft.com/azure/governance/policy/samples/cmmc-l3?WT.mc_id=Portal-fx#scan-for-vulnerabilities-in-organizational-systems-and-applications-periodically-and-when-new-vulnerabilities-affecting-those-systems-and-applications-are-identified)\r\n\r\n## Primary Services\r\n✳️ [Microsoft Defender for Cloud](https://azure.microsoft.com/services/security-center) 🔀[Microsoft Defender for Cloud](https://portal.azure.com/#blade/Microsoft_Azure_Security/SecurityMenuBlade/0)
\r\n✳️ [Microsoft Defender for Cloud](https://azure.microsoft.com/services/security-center/) 🔀[Microsoft Defender for Cloud](https://portal.azure.com/#blade/Microsoft_Azure_Security/SecurityMenuBlade/0)
\r\n✳️ [GitHub Enterprise Cloud](https://github.com/enterprise) 🔀[GitHub Enterprise](https://enterprise.github.com/login)
\r\n✳️ [GitHub AE](https://docs.github.com/en/github-ae@latest/admin/overview/about-github-ae) 🔀[GitHub](https://github.com/)
\r\n✳️ [GitHub Advanced Security](https://docs.github.com/en/get-started/learning-about-github/about-github-advanced-security) 🔀[GitHub](https://github.com/)
\r\n\r\n## Secondary Services\r\n✳️ [Azure DNS](https://azure.microsoft.com/services/dns/) 🔀[DNS Zones](https://portal.azure.com/#blade/HubsExtension/BrowseResource/resourceType/Microsoft.Network%2FdnsZones)
\r\n✳️ [Intune/Microsoft Endpoint Manager](https://www.microsoft.com/microsoft-365/microsoft-endpoint-Manager) 🔀[Microsoft Endpoint Manager Admin Center](https://endpoint.microsoft.com/#home)
\r\n✳️ [Microsoft Defender for Cloud Apps](https://www.microsoft.com/microsoft-365/enterprise-mobility-security/cloud-app-security) 🔀 [Microsoft Defender for Cloud Apps Portal](https://portal.cloudappsecurity.com/)
\r\n✳️ [Microsoft Defender for Endpoint]( https://www.microsoft.com/microsoft-365/security/endpoint-defender) 🔀[Microsoft 365 Defender](https://security.microsoft.com/)
\r\n\r\n## Recommended Logs\r\n🔷 [SecurityBaseline](https://docs.microsoft.com/azure/azure-monitor/reference/tables/securitybaseline) ✳️ [Microsoft Defender for Cloud](https://azure.microsoft.com/services/security-center/)
\r\n\r\n## Implementation Guidance\r\n[Microsoft Technical Reference Guide for CMMC](https://aka.ms/cmmc/techrefguide)\r\n## NIST SP 800-171 Mapping\r\n[3.11.2](https://csrc.nist.gov/publications/detail/sp/800-171/rev-2/final)
\r\n## NIST SP 800-53 R4 Mapping\r\n[RA-5, RA-5(5)](https://csrc.nist.gov/publications/detail/sp/800-53/rev-4/final)\r\n## Microsoft Defender for Cloud: Regulatory Compliance\r\n[Go To: NIST SP 800-171 Assessment >](https://portal.azure.com/#blade/Microsoft_Azure_Security/SecurityMenuBlade/22)
\r\n" + }, + "customWidth": "50", + "name": "text - 0", + "styleSettings": { + "maxWidth": "50" + } + }, + { + "type": 3, + "content": { + "version": "KqlItem/1.0", + "query": "SecurityBaseline\r\n| summarize arg_max(TimeGenerated, *) by Description, _ResourceId\r\n| summarize\r\n Failed = countif(AnalyzeResult == \"Failed\"),\r\n Passed = countif(AnalyzeResult == \"Passed\"),\r\n Total = countif(AnalyzeResult == \"Passed\" or AnalyzeResult == \"Failed\")\r\n by Description, CceId\r\n| extend PassedControls = (Passed / todouble(Total)) * 100\r\n| project CceId, Description, Total, PassedControls, Passed, Failed\r\n| where CceId <> \"\"\r\n| sort by Total desc\r\n| limit 250\r\n\r\n\r\n\r\n", + "size": 0, + "showAnalytics": true, + "title": "Review Security Baselines", + "noDataMessage": "An Empty Panel Provides Opportunity To Explore Further and Implement Hardening. Controls: Confirm Licensing, Availability, and Health of Respective Offerings. Logging: Confirm Log Source is Onboarded to the Log Analytics Workspace. Time: Adjust the Time Parameter for a Larger Data-Set. ", + "timeContext": { + "durationMs": 2592000000 + }, + "timeContextFromParameter": "TimeRange", + "showExportToExcel": true, + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces", + "crossComponentResources": [ + "{Workspace}" + ], + "gridSettings": { + "formatters": [ + { + "columnMatch": "CceId", + "formatter": 18, + "formatOptions": { + "thresholdsOptions": "icons", + "thresholdsGrid": [ + { + "operator": "Default", + "thresholdValue": null, + "representation": "2", + "text": "{0}{1}" + } + ] + } + }, + { + "columnMatch": "Description", + "formatter": 18, + "formatOptions": { + "thresholdsOptions": "icons", + "thresholdsGrid": [ + { + "operator": "Default", + "thresholdValue": null, + "representation": "Gear", + "text": "{0}{1}" + } + ] + } + }, + { + "columnMatch": "Total", + "formatter": 22, + "formatOptions": { + "compositeBarSettings": { + "labelText": "", + "columnSettings": [ + { + "columnName": "Passed", + "color": "green" + }, + { + "columnName": "Failed", + "color": "redBright" + } + ] + } + } + }, + { + "columnMatch": "PassedControls", + "formatter": 0, + "numberFormat": { + "unit": 1, + "options": { + "style": "decimal", + "maximumFractionDigits": 2 + } + } + }, + { + "columnMatch": "AnalyzeResult", + "formatter": 18, + "formatOptions": { + "thresholdsOptions": "icons", + "thresholdsGrid": [ + { + "operator": "contains", + "thresholdValue": "Passed", + "representation": "success", + "text": "{0}{1}" + }, + { + "operator": "contains", + "thresholdValue": "Failed", + "representation": "failed", + "text": "{0}{1}" + }, + { + "operator": "Default", + "thresholdValue": null, + "representation": "success", + "text": "{0}{1}" + } + ] + } + }, + { + "columnMatch": "count_", + "formatter": 4, + "formatOptions": { + "palette": "blue" + } + } + ], + "filter": true + }, + "chartSettings": { + "seriesLabelSettings": [ + { + "seriesName": "Medium", + "color": "yellow" + }, + { + "seriesName": "High", + "color": "redBright" + }, + { + "seriesName": "Low", + "color": "blueDark" + } + ] + } + }, + "customWidth": "50", + "name": "query - 2", + "styleSettings": { + "maxWidth": "50" + } + }, + { + "type": 12, + "content": { + "version": "NotebookGroup/1.0", + "groupType": "editable", + "items": [ + { + "type": 1, + "content": { + "json": "## Control Assessment\r\n" + }, + "name": "text - 2" + }, + { + "type": 9, + "content": { + "version": "KqlParameterItem/1.0", + "parameters": [ + { + "id": "52668f65-b44a-4e14-82d8-c87410e7e5dc", + "version": "KqlParameterItem/1.0", + "name": "ImplementationStatus", + "label": "Implementation Status", + "type": 2, + "typeSettings": { + "additionalResourceOptions": [], + "showDefault": false + }, + "jsonData": "[\r\n {\"value\": \"Not Implemented\", \"label\": \"Not Implemented\", \"selected\":true},\r\n {\"value\": \"Implemented\", \"label\": \"Implemented\"},\r\n {\"value\": \"Alternate Implementation\", \"label\": \"Alternate Implementation\"},\r\n {\"value\": \"Planned\", \"label\": \"Planned\"},\r\n {\"value\": \"Out of Scope\", \"label\": \"Out of Scope\"}\r\n]", + "timeContext": { + "durationMs": 86400000 + } + }, + { + "id": "578b8620-30b9-4b92-abc6-997998bc8156", + "version": "KqlParameterItem/1.0", + "name": "ImplementationDate", + "label": "Implementation Date", + "type": 1, + "value": "", + "timeContext": { + "durationMs": 86400000 + } + }, + { + "version": "KqlParameterItem/1.0", + "name": "Notes", + "type": 1, + "value": "", + "timeContext": { + "durationMs": 86400000 + }, + "id": "7bd0d384-d3c3-4c77-9dae-d75e823edfcf" + } + ], + "style": "pills", + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces" + }, + "name": "Status" + }, + { + "type": 1, + "content": { + "json": "### Notes
\r\n{Notes}" + }, + "name": "text - 1" + } + ] + }, + "customWidth": "50", + "name": "group - 2" + } + ] + }, + "name": "RA.L2-3.11.2", + "styleSettings": { + "showBorder": true + } + }, + { + "type": 12, + "content": { + "version": "NotebookGroup/1.0", + "groupType": "editable", + "items": [ + { + "type": 1, + "content": { + "json": "# [(RA.L2-3.11.3) Vulnerability Remediation](https://docs.microsoft.com/azure/governance/policy/samples/cmmc-l3?WT.mc_id=Portal-fx#remediate-vulnerabilities-in-accordance-with-risk-assessments)\r\n\r\n## Primary Services\r\n✳️ [GitHub Advanced Security](https://docs.github.com/en/get-started/learning-about-github/about-github-advanced-security) 🔀[GitHub](https://github.com/)
\r\n\r\n## Secondary Services\r\n✳️ [Microsoft Defender for Cloud](https://azure.microsoft.com/services/security-center) 🔀[Microsoft Defender for Cloud](https://portal.azure.com/#blade/Microsoft_Azure_Security/SecurityMenuBlade/0)
\r\n✳️ [Microsoft Defender for Cloud](https://azure.microsoft.com/services/security-center/) 🔀[Microsoft Defender for Cloud](https://portal.azure.com/#blade/Microsoft_Azure_Security/SecurityMenuBlade/0)
\r\n✳️ [Intune/Microsoft Endpoint Manager](https://www.microsoft.com/microsoft-365/microsoft-endpoint-Manager) 🔀[Microsoft Endpoint Manager Admin Center](https://endpoint.microsoft.com/#home)
\r\n✳️ [Microsoft Defender for Endpoint]( https://www.microsoft.com/microsoft-365/security/endpoint-defender) 🔀[Microsoft 365 Defender](https://security.microsoft.com/)
\r\n✳️ [GitHub Enterprise Cloud](https://github.com/enterprise) 🔀[GitHub Enterprise](https://enterprise.github.com/login)
\r\n✳️ [GitHub AE](https://docs.github.com/en/github-ae@latest/admin/overview/about-github-ae) 🔀[GitHub](https://github.com/)
\r\n\r\n## Recommended Logs\r\n🔷 [SecurityRecommendation](https://docs.microsoft.com/azure/defender-for-iot/how-to-security-data-access#security-recommendations) ✳️ [Microsoft Defender for Cloud](https://azure.microsoft.com/services/security-center/)
\r\n\r\n## Implementation Guidance\r\n[Microsoft Technical Reference Guide for CMMC](https://aka.ms/cmmc/techrefguide)\r\n## NIST SP 800-171 Mapping\r\n[3.11.3](https://csrc.nist.gov/publications/detail/sp/800-171/rev-2/final)
\r\n## NIST SP 800-53 R4 Mapping\r\n[RA-5](https://csrc.nist.gov/publications/detail/sp/800-53/rev-4/final)\r\n## Microsoft Defender for Cloud: Regulatory Compliance\r\n[Go To: NIST SP 800-171 Assessment >](https://portal.azure.com/#blade/Microsoft_Azure_Security/SecurityMenuBlade/22)
\r\n" + }, + "customWidth": "50", + "name": "text - 0", + "styleSettings": { + "maxWidth": "50" + } + }, + { + "type": 3, + "content": { + "version": "KqlItem/1.0", + "query": "SecurityRecommendation\r\n| where RecommendationDisplayName contains \"vuln\"\r\n| summarize arg_max(TimeGenerated, *) by RecommendationDisplayName, AssessedResourceId\r\n| summarize\r\n Failed = countif(RecommendationState == \"Unhealthy\"),\r\n Passed = countif(RecommendationState == \"Healthy\"),\r\n Total = countif(RecommendationState == \"Healthy\" or RecommendationState == \"Unhealthy\")\r\n by RecommendationDisplayName\r\n| extend PassedControls = (Passed / todouble(Total)) * 100\r\n| project RecommendationDisplayName, Total, PassedControls, Passed, Failed\r\n| sort by Total desc\r\n| limit 250", + "size": 0, + "showAnalytics": true, + "title": "Review Microsoft Defender for Cloud Recommendations", + "noDataMessage": "An Empty Panel Provides Opportunity To Explore Further and Implement Hardening. Controls: Confirm Licensing, Availability, and Health of Respective Offerings. Logging: Confirm Log Source is Onboarded to the Log Analytics Workspace. Time: Adjust the Time Parameter for a Larger Data-Set. ", + "timeContext": { + "durationMs": 2592000000 + }, + "timeContextFromParameter": "TimeRange", + "showExportToExcel": true, + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces", + "crossComponentResources": [ + "{Workspace}" + ], + "gridSettings": { + "formatters": [ + { + "columnMatch": "RecommendationDisplayName", + "formatter": 18, + "formatOptions": { + "thresholdsOptions": "icons", + "thresholdsGrid": [ + { + "operator": "Default", + "thresholdValue": null, + "representation": "Gear", + "text": "{0}{1}" + } + ] + } + }, + { + "columnMatch": "Total", + "formatter": 22, + "formatOptions": { + "compositeBarSettings": { + "labelText": "", + "columnSettings": [ + { + "columnName": "Passed", + "color": "green" + }, + { + "columnName": "Failed", + "color": "redBright" + } + ] + } + } + }, + { + "columnMatch": "PassedControls", + "formatter": 0, + "numberFormat": { + "unit": 1, + "options": { + "style": "decimal", + "maximumFractionDigits": 2 + } + } + }, + { + "columnMatch": "ControlNumber", + "formatter": 18, + "formatOptions": { + "thresholdsOptions": "icons", + "thresholdsGrid": [ + { + "operator": "Default", + "thresholdValue": null, + "representation": "AllServices", + "text": "{0}{1}" + } + ] + } + }, + { + "columnMatch": "RecommendationState", + "formatter": 18, + "formatOptions": { + "thresholdsOptions": "icons", + "thresholdsGrid": [ + { + "operator": "!=", + "thresholdValue": "Healthy", + "representation": "3", + "text": "{0}{1}" + }, + { + "operator": "Default", + "thresholdValue": null, + "representation": "success", + "text": "{0}{1}" + } + ] + } + }, + { + "columnMatch": "count_", + "formatter": 4, + "formatOptions": { + "palette": "blue" + } + } + ], + "filter": true + } + }, + "customWidth": "50", + "name": "query - 1" + }, + { + "type": 12, + "content": { + "version": "NotebookGroup/1.0", + "groupType": "editable", + "items": [ + { + "type": 1, + "content": { + "json": "## Control Assessment\r\n" + }, + "name": "text - 2" + }, + { + "type": 9, + "content": { + "version": "KqlParameterItem/1.0", + "parameters": [ + { + "id": "52668f65-b44a-4e14-82d8-c87410e7e5dc", + "version": "KqlParameterItem/1.0", + "name": "ImplementationStatus", + "label": "Implementation Status", + "type": 2, + "typeSettings": { + "additionalResourceOptions": [], + "showDefault": false + }, + "jsonData": "[\r\n {\"value\": \"Not Implemented\", \"label\": \"Not Implemented\", \"selected\":true},\r\n {\"value\": \"Implemented\", \"label\": \"Implemented\"},\r\n {\"value\": \"Alternate Implementation\", \"label\": \"Alternate Implementation\"},\r\n {\"value\": \"Planned\", \"label\": \"Planned\"},\r\n {\"value\": \"Out of Scope\", \"label\": \"Out of Scope\"}\r\n]", + "timeContext": { + "durationMs": 86400000 + } + }, + { + "id": "578b8620-30b9-4b92-abc6-997998bc8156", + "version": "KqlParameterItem/1.0", + "name": "ImplementationDate", + "label": "Implementation Date", + "type": 1, + "value": "", + "timeContext": { + "durationMs": 86400000 + } + }, + { + "version": "KqlParameterItem/1.0", + "name": "Notes", + "type": 1, + "value": "", + "timeContext": { + "durationMs": 86400000 + }, + "id": "7bd0d384-d3c3-4c77-9dae-d75e823edfcf" + } + ], + "style": "pills", + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces" + }, + "name": "Status" + }, + { + "type": 1, + "content": { + "json": "### Notes
\r\n{Notes}" + }, + "name": "text - 1" + } + ] + }, + "customWidth": "50", + "name": "group - 2" + } + ] + }, + "name": "RA.L2-3.11.3", + "styleSettings": { + "showBorder": true + } + } + ] + }, + "conditionalVisibility": { + "parameterName": "isML2Visible", + "comparison": "isEqualTo", + "value": "true" + }, + "name": "Level 2: Advanced" + } + ] + }, + "conditionalVisibility": { + "parameterName": "isRMVisible", + "comparison": "isEqualTo", + "value": "true" + }, + "name": "Risk Assessment Group", + "styleSettings": { + "showBorder": true + } + }, + { + "type": 12, + "content": { + "version": "NotebookGroup/1.0", + "groupType": "editable", + "items": [ + { + "type": 1, + "content": { + "json": "# Security Assessment\r\n---\r\nSecurity Assessment includes periodic evaluation of security controls for effectiveness. For more information, see the 💡[CMMC Model](https://www.acq.osd.mil/cmmc/model.html)" + }, + "customWidth": "50", + "name": "text - 5" + }, + { + "type": 12, + "content": { + "version": "NotebookGroup/1.0", + "groupType": "editable", + "title": "Level 2: Advanced", + "items": [ + { + "type": 1, + "content": { + "json": "A subset of programs with Level 2 (“Advanced”) requirements do not involve information critical to national security, and associated contractors will only be required to conduct self-assessments. Once CMMC 2.0 is implemented, contractors will be required to obtain a third-party CMMC assessment for a subset of acquisitions requiring Level 2 (“Advanced”) cybersecurity standards that involve information critical to national security." + }, + "customWidth": "50", + "name": "text - 1" + }, + { + "type": 1, + "content": { + "json": "" + }, + "customWidth": "5", + "name": "text - 1" + }, + { + "type": 11, + "content": { + "version": "LinkItem/1.0", + "style": "list", + "links": [ + { + "id": "099484fd-2dc9-4c76-8ba8-df7726fa117e", + "cellValue": "CA.L2-3.12.1", + "linkTarget": "step", + "linkLabel": "✳️ (CA.L2-3.12.1) Security Control Assessment", + "preText": "", + "postText": "", + "style": "link" + }, + { + "id": "af33f331-b64b-4fbd-a0b4-3e411ff705a8", + "cellValue": "CA.L2-3.12.2", + "linkTarget": "step", + "linkLabel": "✳️ (CA.L2-3.12.2) Plan of Action", + "preText": "", + "postText": "", + "style": "link" + }, + { + "id": "d94ce568-dbf0-46d9-9846-e8012a05682f", + "cellValue": "CA.L2-3.12.3", + "linkTarget": "step", + "linkLabel": "✳️ (CA.L2-3.12.3) Security Control Monitoring", + "preText": "", + "postText": "", + "style": "link" + }, + { + "id": "b2ee25d7-f4f8-41a2-912a-33da1db24b28", + "cellValue": "CA.L2-3.12.4", + "linkTarget": "step", + "linkLabel": "✳️ (CA.L2-3.12.4) System Security Plan", + "preText": "", + "style": "link" + } + ] + }, + "customWidth": "40", + "name": "ML2 Steps" + }, + { + "type": 12, + "content": { + "version": "NotebookGroup/1.0", + "groupType": "editable", + "items": [ + { + "type": 1, + "content": { + "json": "# [(CA.L2-3.12.1) Security Control Assessment](https://docs.microsoft.com/azure/governance/policy/samples/cmmc-l3?WT.mc_id=Portal-fx#periodically-assess-the-security-controls-in-organizational-systems-to-determine-if-the-controls-are-effective-in-their-application)\r\n\r\n## Primary Services\r\n✳️ [Microsoft Defender for Cloud](https://azure.microsoft.com/services/security-center) 🔀[Microsoft Defender for Cloud](https://portal.azure.com/#blade/Microsoft_Azure_Security/SecurityMenuBlade/0)
\r\n\r\n## Secondary Services\r\n✳️ [Microsoft Sentinel](https://azure.microsoft.com/services/azure-sentinel/) 🔀[Microsoft Sentinel](https://portal.azure.com/#blade/HubsExtension/BrowseResource/resourceType/microsoft.securityinsightsarg%2Fsentinel)
\r\n✳️ [Intune/Microsoft Endpoint Manager](https://www.microsoft.com/microsoft-365/microsoft-endpoint-Manager) 🔀[Microsoft Endpoint Manager Admin Center](https://endpoint.microsoft.com/#home)
\r\n✳️ [Microsoft Defender for Cloud Apps](https://www.microsoft.com/microsoft-365/enterprise-mobility-security/cloud-app-security) 🔀 [Microsoft Defender for Cloud Apps Portal](https://portal.cloudappsecurity.com/)
\r\n✳️ [Microsoft Defender for Endpoint]( https://www.microsoft.com/microsoft-365/security/endpoint-defender) 🔀[Microsoft 365 Defender](https://security.microsoft.com/)
\r\n\r\n## Recommended Logs\r\n🔷 [SecurityRecommendation](https://docs.microsoft.com/azure/defender-for-iot/how-to-security-data-access#security-recommendations) ✳️ [Microsoft Defender for Cloud](https://azure.microsoft.com/services/security-center/)
\r\n\r\n## Implementation Guidance\r\n[Microsoft Technical Reference Guide for CMMC](https://aka.ms/cmmc/techrefguide)\r\n## NIST SP 800-171 Mapping\r\n[3.12.1](https://csrc.nist.gov/publications/detail/sp/800-171/rev-2/final)
\r\n## NIST SP 800-53 R4 Mapping\r\n[CA-2, CA-5, CA-7, PL-2](https://csrc.nist.gov/publications/detail/sp/800-53/rev-4/final)\r\n## Microsoft Defender for Cloud: Regulatory Compliance\r\n[Go To: NIST SP 800-171 Assessment >](https://portal.azure.com/#blade/Microsoft_Azure_Security/SecurityMenuBlade/22)
\r\n" + }, + "customWidth": "50", + "name": "text - 0", + "styleSettings": { + "maxWidth": "50" + } + }, + { + "type": 3, + "content": { + "version": "KqlItem/1.0", + "query": "SecurityRecommendation\r\n| summarize arg_max(TimeGenerated, *) by RecommendationDisplayName, AssessedResourceId\r\n| summarize\r\n Failed = countif(RecommendationState == \"Unhealthy\"),\r\n Passed = countif(RecommendationState == \"Healthy\"),\r\n Total = countif(RecommendationState == \"Healthy\" or RecommendationState == \"Unhealthy\")\r\n by RecommendationDisplayName\r\n| extend PassedControls = (Passed / todouble(Total)) * 100\r\n| project RecommendationDisplayName, Total, PassedControls, Passed, Failed\r\n| sort by Total desc\r\n| limit 250", + "size": 0, + "showAnalytics": true, + "title": "Microsoft Defender for Cloud Recommendations: Controls Assessment", + "noDataMessage": "An Empty Panel Provides Opportunity To Explore Further and Implement Hardening. Controls: Confirm Licensing, Availability, and Health of Respective Offerings. Logging: Confirm Log Source is Onboarded to the Log Analytics Workspace. Time: Adjust the Time Parameter for a Larger Data-Set. ", + "timeContext": { + "durationMs": 2592000000 + }, + "timeContextFromParameter": "TimeRange", + "showExportToExcel": true, + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces", + "crossComponentResources": [ + "{Workspace}" + ], + "gridSettings": { + "formatters": [ + { + "columnMatch": "RecommendationDisplayName", + "formatter": 18, + "formatOptions": { + "thresholdsOptions": "icons", + "thresholdsGrid": [ + { + "operator": "Default", + "thresholdValue": null, + "representation": "Gear", + "text": "{0}{1}" + } + ] + } + }, + { + "columnMatch": "Total", + "formatter": 22, + "formatOptions": { + "compositeBarSettings": { + "labelText": "", + "columnSettings": [ + { + "columnName": "Passed", + "color": "green" + }, + { + "columnName": "Failed", + "color": "redBright" + } + ] + } + } + }, + { + "columnMatch": "PassedControls", + "formatter": 0, + "numberFormat": { + "unit": 1, + "options": { + "style": "decimal", + "maximumFractionDigits": 2 + } + } + }, + { + "columnMatch": "ControlNumber", + "formatter": 18, + "formatOptions": { + "thresholdsOptions": "icons", + "thresholdsGrid": [ + { + "operator": "Default", + "thresholdValue": null, + "representation": "AllServices", + "text": "{0}{1}" + } + ] + } + }, + { + "columnMatch": "RecommendationState", + "formatter": 18, + "formatOptions": { + "thresholdsOptions": "icons", + "thresholdsGrid": [ + { + "operator": "!=", + "thresholdValue": "Healthy", + "representation": "3", + "text": "{0}{1}" + }, + { + "operator": "Default", + "thresholdValue": null, + "representation": "success", + "text": "{0}{1}" + } + ] + } + }, + { + "columnMatch": "count_", + "formatter": 4, + "formatOptions": { + "palette": "blue" + } + } + ], + "filter": true + } + }, + "customWidth": "50", + "name": "query - 1" + }, + { + "type": 12, + "content": { + "version": "NotebookGroup/1.0", + "groupType": "editable", + "items": [ + { + "type": 1, + "content": { + "json": "## Control Assessment\r\n" + }, + "name": "text - 2" + }, + { + "type": 9, + "content": { + "version": "KqlParameterItem/1.0", + "parameters": [ + { + "id": "52668f65-b44a-4e14-82d8-c87410e7e5dc", + "version": "KqlParameterItem/1.0", + "name": "ImplementationStatus", + "label": "Implementation Status", + "type": 2, + "typeSettings": { + "additionalResourceOptions": [], + "showDefault": false + }, + "jsonData": "[\r\n {\"value\": \"Not Implemented\", \"label\": \"Not Implemented\", \"selected\":true},\r\n {\"value\": \"Implemented\", \"label\": \"Implemented\"},\r\n {\"value\": \"Alternate Implementation\", \"label\": \"Alternate Implementation\"},\r\n {\"value\": \"Planned\", \"label\": \"Planned\"},\r\n {\"value\": \"Out of Scope\", \"label\": \"Out of Scope\"}\r\n]", + "timeContext": { + "durationMs": 86400000 + } + }, + { + "id": "578b8620-30b9-4b92-abc6-997998bc8156", + "version": "KqlParameterItem/1.0", + "name": "ImplementationDate", + "label": "Implementation Date", + "type": 1, + "value": "", + "timeContext": { + "durationMs": 86400000 + } + }, + { + "version": "KqlParameterItem/1.0", + "name": "Notes", + "type": 1, + "value": "", + "timeContext": { + "durationMs": 86400000 + }, + "id": "7bd0d384-d3c3-4c77-9dae-d75e823edfcf" + } + ], + "style": "pills", + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces" + }, + "name": "Status" + }, + { + "type": 1, + "content": { + "json": "### Notes
\r\n{Notes}" + }, + "name": "text - 1" + } + ] + }, + "customWidth": "50", + "name": "group - 2" + } + ] + }, + "name": "CA.L2-3.12.1", + "styleSettings": { + "showBorder": true + } + }, + { + "type": 12, + "content": { + "version": "NotebookGroup/1.0", + "groupType": "editable", + "items": [ + { + "type": 1, + "content": { + "json": "# (CA.L2-3.12.2) Plan of Action\r\n\r\n## Primary Services\r\n✳️ [Microsoft Defender for Cloud](https://azure.microsoft.com/services/security-center) 🔀[Microsoft Defender for Cloud](https://portal.azure.com/#blade/Microsoft_Azure_Security/SecurityMenuBlade/0)
\r\n✳️ [Microsoft Defender for Endpoint]( https://www.microsoft.com/microsoft-365/security/endpoint-defender) 🔀[Microsoft 365 Defender](https://security.microsoft.com/)
\r\n\r\n## Recommended Logs\r\n🔷 [SecurityRecommendation](https://docs.microsoft.com/azure/defender-for-iot/how-to-security-data-access#security-recommendations) ✳️ [Microsoft Defender for Cloud](https://azure.microsoft.com/services/security-center/)
\r\n\r\n## Implementation Guidance\r\n[Microsoft Technical Reference Guide for CMMC](https://aka.ms/cmmc/techrefguide)\r\n## NIST SP 800-171 Mapping\r\n[3.12.2](https://csrc.nist.gov/publications/detail/sp/800-171/rev-2/final)
\r\n## NIST SP 800-53 R4 Mapping\r\n[CA-2, CA-5, CA-7, PL-2](https://csrc.nist.gov/publications/detail/sp/800-53/rev-4/final)\r\n## Microsoft Defender for Cloud: Regulatory Compliance\r\n[Go To: NIST SP 800-171 Assessment >](https://portal.azure.com/#blade/Microsoft_Azure_Security/SecurityMenuBlade/22)
\r\n" + }, + "customWidth": "50", + "name": "text - 0", + "styleSettings": { + "maxWidth": "50" + } + }, + { + "type": 3, + "content": { + "version": "KqlItem/1.0", + "query": "SecurityRecommendation\r\n| summarize arg_max(TimeGenerated, *) by RecommendationDisplayName, AssessedResourceId\r\n| summarize\r\n Failed = countif(RecommendationState == \"Unhealthy\"),\r\n Passed = countif(RecommendationState == \"Healthy\"),\r\n Total = countif(RecommendationState == \"Healthy\" or RecommendationState == \"Unhealthy\")\r\n by AssessedResourceId\r\n| extend PassedControls = (Passed / todouble(Total)) * 100\r\n| project AssessedResourceId, Total, PassedControls, Passed, Failed\r\n| sort by Total desc\r\n| limit 250", + "size": 0, + "showAnalytics": true, + "title": "Develop Plan of Action via Microsoft Defender for Cloud Recommendations", + "noDataMessage": "An Empty Panel Provides Opportunity To Explore Further and Implement Hardening. Controls: Confirm Licensing, Availability, and Health of Respective Offerings. Logging: Confirm Log Source is Onboarded to the Log Analytics Workspace. Time: Adjust the Time Parameter for a Larger Data-Set. ", + "timeContext": { + "durationMs": 0 + }, + "timeContextFromParameter": "TimeRange", + "showExportToExcel": true, + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces", + "crossComponentResources": [ + "{Workspace}" + ], + "gridSettings": { + "formatters": [ + { + "columnMatch": "AssessedResourceId", + "formatter": 13, + "formatOptions": { + "linkTarget": "Resource", + "showIcon": true + } + }, + { + "columnMatch": "Total", + "formatter": 22, + "formatOptions": { + "compositeBarSettings": { + "labelText": "", + "columnSettings": [ + { + "columnName": "Passed", + "color": "green" + }, + { + "columnName": "Failed", + "color": "redBright" + } + ] + } + } + }, + { + "columnMatch": "PassedControls", + "formatter": 0, + "numberFormat": { + "unit": 1, + "options": { + "style": "decimal", + "maximumFractionDigits": 2 + } + } + }, + { + "columnMatch": "RecommendationDisplayName", + "formatter": 18, + "formatOptions": { + "thresholdsOptions": "icons", + "thresholdsGrid": [ + { + "operator": "Default", + "thresholdValue": null, + "representation": "Gear", + "text": "{0}{1}" + } + ] + } + }, + { + "columnMatch": "ControlNumber", + "formatter": 18, + "formatOptions": { + "thresholdsOptions": "icons", + "thresholdsGrid": [ + { + "operator": "Default", + "thresholdValue": null, + "representation": "AllServices", + "text": "{0}{1}" + } + ] + } + }, + { + "columnMatch": "RecommendationState", + "formatter": 18, + "formatOptions": { + "thresholdsOptions": "icons", + "thresholdsGrid": [ + { + "operator": "!=", + "thresholdValue": "Healthy", + "representation": "3", + "text": "{0}{1}" + }, + { + "operator": "Default", + "thresholdValue": null, + "representation": "success", + "text": "{0}{1}" + } + ] + } + }, + { + "columnMatch": "count_", + "formatter": 4, + "formatOptions": { + "palette": "blue" + } + } + ], + "filter": true + } + }, + "customWidth": "50", + "name": "query - 1" + }, + { + "type": 12, + "content": { + "version": "NotebookGroup/1.0", + "groupType": "editable", + "items": [ + { + "type": 1, + "content": { + "json": "## Control Assessment\r\n" + }, + "name": "text - 2" + }, + { + "type": 9, + "content": { + "version": "KqlParameterItem/1.0", + "parameters": [ + { + "id": "52668f65-b44a-4e14-82d8-c87410e7e5dc", + "version": "KqlParameterItem/1.0", + "name": "ImplementationStatus", + "label": "Implementation Status", + "type": 2, + "typeSettings": { + "additionalResourceOptions": [], + "showDefault": false + }, + "jsonData": "[\r\n {\"value\": \"Not Implemented\", \"label\": \"Not Implemented\", \"selected\":true},\r\n {\"value\": \"Implemented\", \"label\": \"Implemented\"},\r\n {\"value\": \"Alternate Implementation\", \"label\": \"Alternate Implementation\"},\r\n {\"value\": \"Planned\", \"label\": \"Planned\"},\r\n {\"value\": \"Out of Scope\", \"label\": \"Out of Scope\"}\r\n]", + "timeContext": { + "durationMs": 86400000 + } + }, + { + "id": "578b8620-30b9-4b92-abc6-997998bc8156", + "version": "KqlParameterItem/1.0", + "name": "ImplementationDate", + "label": "Implementation Date", + "type": 1, + "value": "", + "timeContext": { + "durationMs": 86400000 + } + }, + { + "version": "KqlParameterItem/1.0", + "name": "Notes", + "type": 1, + "value": "", + "timeContext": { + "durationMs": 86400000 + }, + "id": "7bd0d384-d3c3-4c77-9dae-d75e823edfcf" + } + ], + "style": "pills", + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces" + }, + "name": "Status" + }, + { + "type": 1, + "content": { + "json": "### Notes
\r\n{Notes}" + }, + "name": "text - 1" + } + ] + }, + "customWidth": "50", + "name": "group - 2" + } + ] + }, + "name": "CA.L2-3.12.2", + "styleSettings": { + "showBorder": true + } + }, + { + "type": 12, + "content": { + "version": "NotebookGroup/1.0", + "groupType": "editable", + "items": [ + { + "type": 1, + "content": { + "json": "# [(CA.L2-3.12.3) Security Control Monitoring](https://docs.microsoft.com/azure/governance/policy/samples/cmmc-l3?WT.mc_id=Portal-fx#monitor-security-controls-on-an-ongoing-basis-to-ensure-the-continued-effectiveness-of-the-controls)\r\n\r\n## Secondary Services\r\n✳️ [Microsoft Sentinel](https://azure.microsoft.com/services/azure-sentinel/) 🔀[Microsoft Sentinel](https://portal.azure.com/#blade/HubsExtension/BrowseResource/resourceType/microsoft.securityinsightsarg%2Fsentinel)
\r\n✳️ [Intune/Microsoft Endpoint Manager](https://www.microsoft.com/microsoft-365/microsoft-endpoint-Manager) 🔀[Microsoft Endpoint Manager Admin Center](https://endpoint.microsoft.com/#home)
\r\n✳️ [Microsoft Defender for Cloud Apps](https://www.microsoft.com/microsoft-365/enterprise-mobility-security/cloud-app-security) 🔀 [Microsoft Defender for Cloud Apps Portal](https://portal.cloudappsecurity.com/)
\r\n✳️ [Microsoft Defender for Endpoint]( https://www.microsoft.com/microsoft-365/security/endpoint-defender) 🔀[Microsoft 365 Defender](https://security.microsoft.com/)
\r\n✳️ [Microsoft 365 Compliance Management](https://www.microsoft.com/microsoft-365/enterprise/compliance-management) 🔀[Microsoft 365 Compliance Management](https://compliance.microsoft.com/)
\r\n\r\n## Recommended Logs\r\n🔷 [SecurityAlert](https://docs.microsoft.com/azure/azure-monitor/reference/tables/securityalert) ✳️ [Microsoft Sentinel](https://azure.microsoft.com/services/azure-sentinel/)
\r\n\r\n## Implementation Guidance\r\n[Microsoft Technical Reference Guide for CMMC](https://aka.ms/cmmc/techrefguide)\r\n## NIST SP 800-171 Mapping\r\n[3.12.3](https://csrc.nist.gov/publications/detail/sp/800-171/rev-2/final)
\r\n## NIST SP 800-53 R4 Mapping\r\n[CA-2, CA-5, CA-7, PL-2](https://csrc.nist.gov/publications/detail/sp/800-53/rev-4/final)\r\n## Microsoft Defender for Cloud: Regulatory Compliance\r\n[Go To: NIST SP 800-171 Assessment >](https://portal.azure.com/#blade/Microsoft_Azure_Security/SecurityMenuBlade/22)
\r\n" + }, + "customWidth": "50", + "name": "text - 0", + "styleSettings": { + "maxWidth": "50" + } + }, + { + "type": 3, + "content": { + "version": "KqlItem/1.0", + "query": "SecurityAlert\r\n| make-series count() default=0 on TimeGenerated from {TimeRange:start} to {TimeRange:end} step 1d by ProductName", + "size": 0, + "showAnalytics": true, + "title": "Monitor Security Controls for Efficiency", + "noDataMessage": "An Empty Panel Provides Opportunity To Explore Further and Implement Hardening. Controls: Confirm Licensing, Availability, and Health of Respective Offerings. Logging: Confirm Log Source is Onboarded to the Log Analytics Workspace. Time: Adjust the Time Parameter for a Larger Data-Set. ", + "timeContext": { + "durationMs": 0 + }, + "timeContextFromParameter": "TimeRange", + "showExportToExcel": true, + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces", + "crossComponentResources": [ + "{Workspace}" + ], + "visualization": "timechart" + }, + "customWidth": "50", + "name": "query - 2", + "styleSettings": { + "maxWidth": "50%" + } + }, + { + "type": 12, + "content": { + "version": "NotebookGroup/1.0", + "groupType": "editable", + "items": [ + { + "type": 1, + "content": { + "json": "## Control Assessment\r\n" + }, + "name": "text - 2" + }, + { + "type": 9, + "content": { + "version": "KqlParameterItem/1.0", + "parameters": [ + { + "id": "52668f65-b44a-4e14-82d8-c87410e7e5dc", + "version": "KqlParameterItem/1.0", + "name": "ImplementationStatus", + "label": "Implementation Status", + "type": 2, + "typeSettings": { + "additionalResourceOptions": [], + "showDefault": false + }, + "jsonData": "[\r\n {\"value\": \"Not Implemented\", \"label\": \"Not Implemented\", \"selected\":true},\r\n {\"value\": \"Implemented\", \"label\": \"Implemented\"},\r\n {\"value\": \"Alternate Implementation\", \"label\": \"Alternate Implementation\"},\r\n {\"value\": \"Planned\", \"label\": \"Planned\"},\r\n {\"value\": \"Out of Scope\", \"label\": \"Out of Scope\"}\r\n]", + "timeContext": { + "durationMs": 86400000 + } + }, + { + "id": "578b8620-30b9-4b92-abc6-997998bc8156", + "version": "KqlParameterItem/1.0", + "name": "ImplementationDate", + "label": "Implementation Date", + "type": 1, + "value": "", + "timeContext": { + "durationMs": 86400000 + } + }, + { + "version": "KqlParameterItem/1.0", + "name": "Notes", + "type": 1, + "value": "", + "timeContext": { + "durationMs": 86400000 + }, + "id": "7bd0d384-d3c3-4c77-9dae-d75e823edfcf" + } + ], + "style": "pills", + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces" + }, + "name": "Status" + }, + { + "type": 1, + "content": { + "json": "### Notes
\r\n{Notes}" + }, + "name": "text - 1" + } + ] + }, + "customWidth": "50", + "name": "group - 2" + } + ] + }, + "name": "CA.L2-3.12.3", + "styleSettings": { + "showBorder": true + } + }, + { + "type": 12, + "content": { + "version": "NotebookGroup/1.0", + "groupType": "editable", + "items": [ + { + "type": 1, + "content": { + "json": "# (CA.L2-3.12.4) System Security Plan\r\n\r\n## Secondary Services\r\n✳️ [Microsoft Defender for Cloud](https://azure.microsoft.com/services/security-center) 🔀[Microsoft Defender for Cloud](https://portal.azure.com/#blade/Microsoft_Azure_Security/SecurityMenuBlade/0)
\r\n\r\n## Recommended Resources\r\n💡 [Understanding Network Map](https://docs.microsoft.com/azure/security-center/security-center-network-recommendations#understanding-the-network-map)
\r\n\r\n## Implementation Guidance\r\n[Microsoft Technical Reference Guide for CMMC](https://aka.ms/cmmc/techrefguide)\r\n## NIST SP 800-171 Mapping\r\n[3.12.4](https://csrc.nist.gov/publications/detail/sp/800-171/rev-2/final)
\r\n## NIST SP 800-53 R4 Mapping\r\n[CA-2, CA-5, CA-7, PL-2](https://csrc.nist.gov/publications/detail/sp/800-53/rev-4/final)\r\n## Microsoft Defender for Cloud: Regulatory Compliance\r\n[Go To: NIST SP 800-171 Assessment >](https://portal.azure.com/#blade/Microsoft_Azure_Security/SecurityMenuBlade/22)
" + }, + "customWidth": "50", + "name": "text - 0", + "styleSettings": { + "maxWidth": "50" + } + }, + { + "type": 1, + "content": { + "json": "### Network Map\r\n![Image Name](https://docs.microsoft.com/azure/security-center/media/security-center-network-recommendations/network-map-traffic.png) \r\n[Go To: Microsoft Defender for Cloud - Network Map >](https://portal.azure.com/#blade/Microsoft_Azure_Security_R3/NetworkMapBlade)\r\n" + }, + "customWidth": "45", + "name": "text - 2", + "styleSettings": { + "maxWidth": "45" + } + }, + { + "type": 12, + "content": { + "version": "NotebookGroup/1.0", + "groupType": "editable", + "items": [ + { + "type": 1, + "content": { + "json": "## Control Assessment\r\n" + }, + "name": "text - 2" + }, + { + "type": 9, + "content": { + "version": "KqlParameterItem/1.0", + "parameters": [ + { + "id": "52668f65-b44a-4e14-82d8-c87410e7e5dc", + "version": "KqlParameterItem/1.0", + "name": "ImplementationStatus", + "label": "Implementation Status", + "type": 2, + "typeSettings": { + "additionalResourceOptions": [], + "showDefault": false + }, + "jsonData": "[\r\n {\"value\": \"Not Implemented\", \"label\": \"Not Implemented\", \"selected\":true},\r\n {\"value\": \"Implemented\", \"label\": \"Implemented\"},\r\n {\"value\": \"Alternate Implementation\", \"label\": \"Alternate Implementation\"},\r\n {\"value\": \"Planned\", \"label\": \"Planned\"},\r\n {\"value\": \"Out of Scope\", \"label\": \"Out of Scope\"}\r\n]", + "timeContext": { + "durationMs": 86400000 + } + }, + { + "id": "578b8620-30b9-4b92-abc6-997998bc8156", + "version": "KqlParameterItem/1.0", + "name": "ImplementationDate", + "label": "Implementation Date", + "type": 1, + "value": "", + "timeContext": { + "durationMs": 86400000 + } + }, + { + "version": "KqlParameterItem/1.0", + "name": "Notes", + "type": 1, + "value": "", + "timeContext": { + "durationMs": 86400000 + }, + "id": "7bd0d384-d3c3-4c77-9dae-d75e823edfcf" + } + ], + "style": "pills", + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces" + }, + "name": "Status" + }, + { + "type": 1, + "content": { + "json": "### Notes
\r\n{Notes}" + }, + "name": "text - 1" + } + ] + }, + "customWidth": "50", + "name": "group - 2" + } + ] + }, + "name": "CA.L2-3.12.4", + "styleSettings": { + "showBorder": true + } + } + ] + }, + "conditionalVisibility": { + "parameterName": "isML2Visible", + "comparison": "isEqualTo", + "value": "true" + }, + "name": "Level 2: Advanced" + } + ] + }, + "conditionalVisibility": { + "parameterName": "isCAVisible", + "comparison": "isEqualTo", + "value": "true" + }, + "name": "Security Assessment Group", + "styleSettings": { + "showBorder": true + } + }, + { + "type": 12, + "content": { + "version": "NotebookGroup/1.0", + "groupType": "editable", + "items": [ + { + "type": 1, + "content": { + "json": "# System & Communications Protection\r\n---\r\nSystem & Communications Protection includes network security for administrative and management functions. The System & Communications Protection Control family includes 32 controls which varying application across the Cloud Service Provider (CSP) model including customer responsibility, service provider responsibility, and shared responsibility.  For more information, see the 💡[CMMC Model](https://www.acq.osd.mil/cmmc/model.html)" + }, + "customWidth": "50", + "name": "text - 5" + }, + { + "type": 12, + "content": { + "version": "NotebookGroup/1.0", + "groupType": "editable", + "title": "Level 1: Foundational", + "items": [ + { + "type": 1, + "content": { + "json": "The Department views Level 1 (“Foundational”) as an opportunity to engage its contractors in developing and strengthening their approach to cybersecurity. Because Level 1 does not involve sensitive national security information, DoD intends for this Level to allow companies to assess their own cybersecurity and begin adopting practices that will thwart cyber-attacks. " + }, + "customWidth": "50", + "name": "text - 1" + }, + { + "type": 1, + "content": { + "json": "" + }, + "customWidth": "5", + "name": "text - 2" + }, + { + "type": 11, + "content": { + "version": "LinkItem/1.0", + "style": "list", + "links": [ + { + "id": "af33f331-b64b-4fbd-a0b4-3e411ff705a8", + "cellValue": "SC.L1-3.13.1", + "linkTarget": "step", + "linkLabel": "✳️ (SC.L1-3.13.1) Boundary Protection", + "preText": "", + "postText": "", + "style": "link" + }, + { + "id": "c64247a3-06f1-46af-bdae-bc852cb789ce", + "cellValue": "SC.L1-3.13.5", + "linkTarget": "step", + "linkLabel": "✳️ (SC.L1-3.13.5) Public-Access System Separation", + "preText": "", + "postText": "", + "style": "link" + } + ] + }, + "customWidth": "40", + "name": "ML1 Steps" + }, + { + "type": 12, + "content": { + "version": "NotebookGroup/1.0", + "groupType": "editable", + "items": [ + { + "type": 1, + "content": { + "json": "# [(SC.L1-3.13.1) Boundary Protection](https://docs.microsoft.com/azure/governance/policy/samples/cmmc-l3?WT.mc_id=Portal-fx#monitor-control-and-protect-communications-ie-information-transmitted-or-received-by-organizational-systems-at-the-external-boundaries-and-key-internal-boundaries-of-organizational-systems)\r\n\r\n## Primary Services\r\n✳️ [Microsoft Defender for Cloud](https://azure.microsoft.com/services/security-center) 🔀[Microsoft Defender for Cloud](https://portal.azure.com/#blade/Microsoft_Azure_Security/SecurityMenuBlade/0)
\r\n✳️ [Microsoft Sentinel](https://azure.microsoft.com/services/azure-sentinel/) 🔀[Microsoft Sentinel](https://portal.azure.com/#blade/HubsExtension/BrowseResource/resourceType/microsoft.securityinsightsarg%2Fsentinel)
\r\n\r\n## Secondary Services\r\n✳️ [Microsoft Azure Portal](https://azure.microsoft.com/services/azure-defender-for-iot/) 🔀[Microsoft Azure Portal](https://portal.azure.com/)
\r\n✳️ [Azure Bastion](https://azure.microsoft.com/services/azure-bastion/) 🔀[Bastions](https://portal.azure.com/#blade/HubsExtension/BrowseResourceBlade/resourceType/Microsoft.Network%2FbastionHosts)
\r\n✳️ [Azure ExpressRoute]( https://azure.microsoft.com/services/expressroute/) 🔀[ExpressRoute Circuits](https://portal.azure.com/#blade/HubsExtension/BrowseResource/resourceType/Microsoft.Network%2FexpressRouteCircuits)
\r\n✳️ [Azure Firewall](https://azure.microsoft.com/services/azure-firewall/) 🔀[Azure Firewall Manager](https://portal.azure.com/#blade/Microsoft_Azure_HybridNetworking/FirewallManagerMenuBlade/firewallManagerOverview)
\r\n✳️ [Load Balancer]( https://azure.microsoft.com/services/load-balancer/) 🔀[Load Balancers](https://portal.azure.com/#blade/Microsoft_Azure_Network/LoadBalancingHubMenuBlade/loadBalancers)
\r\n✳️ [Azure Monitor](https://azure.microsoft.com/services/monitor/) 🔀[Monitor](https://portal.azure.com/#blade/Microsoft_Azure_Monitoring/AzureMonitoringBrowseBlade/overview)
\r\n✳️ [Network Security Groups](https://docs.microsoft.com/azure/virtual-network/network-security-groups-overview) 🔀[Network Security Groups](https://portal.azure.com/#blade/HubsExtension/BrowseResource/resourceType/Microsoft.Network%2FNetworkSecurityGroups)
\r\n✳️ [Azure Web Application Firewall]( https://azure.microsoft.com/services/web-application-firewall/) 🔀 [Web Application Firewall Policies](https://portal.azure.com/#blade/HubsExtension/BrowseResource/resourceType/Microsoft.Network%2FFrontDoorWebApplicationFirewallPolicies)
\r\n✳️ [Virtual Machines](https://azure.microsoft.com/services/virtual-machines/) 🔀[Virtual Machines](https://portal.azure.com/#blade/HubsExtension/BrowseResource/resourceType/Microsoft.Compute%2FVirtualMachines)
\r\n✳️ [Virtual Network]( https://azure.microsoft.com/services/virtual-network/) 🔀[Virtual Networks](https://portal.azure.com/#blade/HubsExtension/BrowseResource/resourceType/Microsoft.Network%2FvirtualNetworks)
\r\n✳️ [VPN Gateway](https://azure.microsoft.com/services/vpn-gateway/) 🔀[Virtual Network Gateways](https://portal.azure.com/#blade/HubsExtension/BrowseResourceBlade/resourceType/Microsoft.Network%2FvirtualNetworkGateways)
\r\n✳️ [Azure Information Protection](https://azure.microsoft.com/services/information-protection/) 🔀[Azure Information Protection](https://portal.azure.com/#blade/Microsoft_Azure_InformationProtection/DataClassGroupEditBlade/quickstartBlade)
\r\n✳️ [Conditional Access](https://docs.microsoft.com/azure/active-directory/conditional-access/overview) 🔀[Azure Active Directory: Conditional Access](https://portal.azure.com/#blade/Microsoft_AAD_IAM/ConditionalAccessBlade/Policies)
\r\n✳️ [Customer Lockbox](https://docs.microsoft.com/azure/security/fundamentals/customer-lockbox-overview) 🔀[Customer Lockbox](https://portal.azure.com/#blade/Microsoft_Azure_Lockbox/LockboxMenu/Overview)
\r\n✳️ [Intune/Microsoft Endpoint Manager](https://www.microsoft.com/microsoft-365/microsoft-endpoint-Manager) 🔀[Microsoft Endpoint Manager Admin Center](https://endpoint.microsoft.com/#home)
\r\n✳️ [Microsoft Defender for Endpoint]( https://www.microsoft.com/microsoft-365/security/endpoint-defender) 🔀[Microsoft 365 Defender](https://security.microsoft.com/)
\r\n✳️ [Microsoft Defender for Identity](https://www.microsoft.com/microsoft-365/security/identity-defender) 🔀[Microsoft Defender for Identity](https://portal.atp.azure.com/)
\r\n✳️ [Microsoft Defender for Cloud Apps](https://www.microsoft.com/microsoft-365/enterprise-mobility-security/cloud-app-security) 🔀 [Microsoft Defender for Cloud Apps Portal](https://portal.cloudappsecurity.com/)
\r\n✳️ [Microsoft Defender for Office 365](https://www.microsoft.com/microsoft-365/security/office-365-defender) 🔀[Microsoft 365 Defender Portal](https://security.microsoft.com/homepage)
\r\n\r\n## Recommended Logs\r\n🔷 [SecurityRecommendation](https://docs.microsoft.com/azure/defender-for-iot/how-to-security-data-access#security-recommendations) ✳️ [Microsoft Defender for Cloud](https://azure.microsoft.com/services/security-center/)
\r\n\r\n## Implementation Guidance\r\n[Microsoft Technical Reference Guide for CMMC](https://aka.ms/cmmc/techrefguide)\r\n## NIST SP 800-171 Mapping\r\n[3.13.1](https://csrc.nist.gov/publications/detail/sp/800-171/rev-2/final)
\r\n## NIST SP 800-53 R4 Mapping\r\n[SC-7, SA-8](https://csrc.nist.gov/publications/detail/sp/800-53/rev-4/final)\r\n## Microsoft Defender for Cloud: Regulatory Compliance\r\n[Go To: NIST SP 800-171 Assessment >](https://portal.azure.com/#blade/Microsoft_Azure_Security/SecurityMenuBlade/22)
\r\n" + }, + "customWidth": "50", + "name": "text - 0", + "styleSettings": { + "maxWidth": "50" + } + }, + { + "type": 3, + "content": { + "version": "KqlItem/1.0", + "query": "SecurityRecommendation\r\n| where RecommendationDisplayName contains \"network\" or RecommendationDisplayName contains \"transit\" or RecommendationDisplayName contains \"http\" or RecommendationDisplayName contains \"web\" or RecommendationDisplayName contains \"comm\"\r\n| summarize arg_max(TimeGenerated, *) by RecommendationDisplayName, AssessedResourceId\r\n| summarize\r\n Failed = countif(RecommendationState == \"Unhealthy\"),\r\n Passed = countif(RecommendationState == \"Healthy\"),\r\n Total = countif(RecommendationState == \"Healthy\" or RecommendationState == \"Unhealthy\")\r\n by RecommendationDisplayName\r\n| extend PassedControls = (Passed / todouble(Total)) * 100\r\n| project RecommendationDisplayName, Total, PassedControls, Passed, Failed\r\n| sort by Total desc\r\n| limit 250", + "size": 0, + "showAnalytics": true, + "title": "Review Microsoft Defender for Cloud Recommendations", + "noDataMessage": "An Empty Panel Provides Opportunity To Explore Further and Implement Hardening. Controls: Confirm Licensing, Availability, and Health of Respective Offerings. Logging: Confirm Log Source is Onboarded to the Log Analytics Workspace. Time: Adjust the Time Parameter for a Larger Data-Set. ", + "timeContext": { + "durationMs": 2592000000 + }, + "timeContextFromParameter": "TimeRange", + "showExportToExcel": true, + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces", + "crossComponentResources": [ + "{Workspace}" + ], + "gridSettings": { + "formatters": [ + { + "columnMatch": "RecommendationDisplayName", + "formatter": 18, + "formatOptions": { + "thresholdsOptions": "icons", + "thresholdsGrid": [ + { + "operator": "Default", + "thresholdValue": null, + "representation": "Gear", + "text": "{0}{1}" + } + ] + } + }, + { + "columnMatch": "Total", + "formatter": 22, + "formatOptions": { + "compositeBarSettings": { + "labelText": "", + "columnSettings": [ + { + "columnName": "Passed", + "color": "green" + }, + { + "columnName": "Failed", + "color": "redBright" + } + ] + } + } + }, + { + "columnMatch": "PassedControls", + "formatter": 0, + "numberFormat": { + "unit": 1, + "options": { + "style": "decimal", + "maximumFractionDigits": 2 + } + } + }, + { + "columnMatch": "ControlNumber", + "formatter": 18, + "formatOptions": { + "thresholdsOptions": "icons", + "thresholdsGrid": [ + { + "operator": "Default", + "thresholdValue": null, + "representation": "AllServices", + "text": "{0}{1}" + } + ] + } + }, + { + "columnMatch": "RecommendationState", + "formatter": 18, + "formatOptions": { + "thresholdsOptions": "icons", + "thresholdsGrid": [ + { + "operator": "!=", + "thresholdValue": "Healthy", + "representation": "3", + "text": "{0}{1}" + }, + { + "operator": "Default", + "thresholdValue": null, + "representation": "success", + "text": "{0}{1}" + } + ] + } + }, + { + "columnMatch": "count_", + "formatter": 4, + "formatOptions": { + "palette": "blue" + } + } + ], + "filter": true + } + }, + "customWidth": "50", + "name": "query - 1" + }, + { + "type": 12, + "content": { + "version": "NotebookGroup/1.0", + "groupType": "editable", + "items": [ + { + "type": 1, + "content": { + "json": "## Control Assessment\r\n" + }, + "name": "text - 2" + }, + { + "type": 9, + "content": { + "version": "KqlParameterItem/1.0", + "parameters": [ + { + "id": "52668f65-b44a-4e14-82d8-c87410e7e5dc", + "version": "KqlParameterItem/1.0", + "name": "ImplementationStatus", + "label": "Implementation Status", + "type": 2, + "typeSettings": { + "additionalResourceOptions": [], + "showDefault": false + }, + "jsonData": "[\r\n {\"value\": \"Not Implemented\", \"label\": \"Not Implemented\", \"selected\":true},\r\n {\"value\": \"Implemented\", \"label\": \"Implemented\"},\r\n {\"value\": \"Alternate Implementation\", \"label\": \"Alternate Implementation\"},\r\n {\"value\": \"Planned\", \"label\": \"Planned\"},\r\n {\"value\": \"Out of Scope\", \"label\": \"Out of Scope\"}\r\n]", + "timeContext": { + "durationMs": 86400000 + } + }, + { + "id": "578b8620-30b9-4b92-abc6-997998bc8156", + "version": "KqlParameterItem/1.0", + "name": "ImplementationDate", + "label": "Implementation Date", + "type": 1, + "value": "", + "timeContext": { + "durationMs": 86400000 + } + }, + { + "version": "KqlParameterItem/1.0", + "name": "Notes", + "type": 1, + "value": "", + "timeContext": { + "durationMs": 86400000 + }, + "id": "7bd0d384-d3c3-4c77-9dae-d75e823edfcf" + } + ], + "style": "pills", + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces" + }, + "name": "Status" + }, + { + "type": 1, + "content": { + "json": "### Notes
\r\n{Notes}" + }, + "name": "text - 1" + } + ] + }, + "customWidth": "50", + "name": "group - 2" + } + ] + }, + "name": "SC.L1-3.13.1", + "styleSettings": { + "showBorder": true + } + }, + { + "type": 12, + "content": { + "version": "NotebookGroup/1.0", + "groupType": "editable", + "items": [ + { + "type": 1, + "content": { + "json": "# [(SC.L1-3.13.5) Public-Access System Separation](https://docs.microsoft.com/azure/governance/policy/samples/cmmc-l3?WT.mc_id=Portal-fx#implement-subnetworks-for-publicly-accessible-system-components-that-are-physically-or-logically-separated-from-internal-networks)\r\n\r\n## Secondary Services\r\n✳️ [Azure Bastion](https://azure.microsoft.com/services/azure-bastion/) 🔀[Bastions](https://portal.azure.com/#blade/HubsExtension/BrowseResourceBlade/resourceType/Microsoft.Network%2FbastionHosts)
\r\n✳️ [Azure Firewall](https://azure.microsoft.com/services/azure-firewall/) 🔀[Azure Firewall Manager](https://portal.azure.com/#blade/Microsoft_Azure_HybridNetworking/FirewallManagerMenuBlade/firewallManagerOverview)
\r\n✳️ [Load Balancer]( https://azure.microsoft.com/services/load-balancer/) 🔀[Load Balancers](https://portal.azure.com/#blade/Microsoft_Azure_Network/LoadBalancingHubMenuBlade/loadBalancers)
\r\n✳️ [Network Security Groups](https://docs.microsoft.com/azure/virtual-network/network-security-groups-overview) 🔀[Network Security Groups](https://portal.azure.com/#blade/HubsExtension/BrowseResource/resourceType/Microsoft.Network%2FNetworkSecurityGroups)
\r\n✳️ [Azure Web Application Firewall]( https://azure.microsoft.com/services/web-application-firewall/) 🔀 [Web Application Firewall Policies](https://portal.azure.com/#blade/HubsExtension/BrowseResource/resourceType/Microsoft.Network%2FFrontDoorWebApplicationFirewallPolicies)
\r\n✳️ [Virtual Network]( https://azure.microsoft.com/services/virtual-network/) 🔀[Virtual Networks](https://portal.azure.com/#blade/HubsExtension/BrowseResource/resourceType/Microsoft.Network%2FvirtualNetworks)
\r\n\r\n## Recommended Logs\r\n🔷 [Resources](https://docs.microsoft.com/azure/governance/resource-graph/samples/starter) ✳️ [Azure Resource Graph](https://azure.microsoft.com/features/resource-graph/)
\r\n\r\n## Implementation Guidance\r\n[Microsoft Technical Reference Guide for CMMC](https://aka.ms/cmmc/techrefguide)\r\n## NIST SP 800-171 Mapping\r\n[3.13.5](https://csrc.nist.gov/publications/detail/sp/800-171/rev-2/final)
\r\n## NIST SP 800-53 R4 Mapping\r\n[SC-7](https://csrc.nist.gov/publications/detail/sp/800-53/rev-4/final)\r\n## Microsoft Defender for Cloud: Regulatory Compliance\r\n[Go To: NIST SP 800-171 Assessment >](https://portal.azure.com/#blade/Microsoft_Azure_Security/SecurityMenuBlade/22)
\r\n" + }, + "customWidth": "50", + "name": "text - 0", + "styleSettings": { + "maxWidth": "50" + } + }, + { + "type": 3, + "content": { + "version": "KqlItem/1.0", + "query": "resources\r\n| where type contains \"microsoft.network/\"\r\n| project id,type,location,resourceGroup\r\n| order by location asc", + "size": 0, + "showAnalytics": true, + "title": "Network Asset Listing", + "noDataMessage": "An Empty Panel Provides Opportunity To Explore Further and Implement Hardening. Controls: Confirm Licensing, Availability, and Health of Respective Offerings. ", + "showExportToExcel": true, + "queryType": 1, + "resourceType": "microsoft.resourcegraph/resources", + "crossComponentResources": [ + "{Workspace}" + ], + "gridSettings": { + "filter": true + } + }, + "customWidth": "50", + "name": "query - 1" + }, + { + "type": 12, + "content": { + "version": "NotebookGroup/1.0", + "groupType": "editable", + "items": [ + { + "type": 1, + "content": { + "json": "## Control Assessment\r\n" + }, + "name": "text - 2" + }, + { + "type": 9, + "content": { + "version": "KqlParameterItem/1.0", + "parameters": [ + { + "id": "52668f65-b44a-4e14-82d8-c87410e7e5dc", + "version": "KqlParameterItem/1.0", + "name": "ImplementationStatus", + "label": "Implementation Status", + "type": 2, + "typeSettings": { + "additionalResourceOptions": [], + "showDefault": false + }, + "jsonData": "[\r\n {\"value\": \"Not Implemented\", \"label\": \"Not Implemented\", \"selected\":true},\r\n {\"value\": \"Implemented\", \"label\": \"Implemented\"},\r\n {\"value\": \"Alternate Implementation\", \"label\": \"Alternate Implementation\"},\r\n {\"value\": \"Planned\", \"label\": \"Planned\"},\r\n {\"value\": \"Out of Scope\", \"label\": \"Out of Scope\"}\r\n]", + "timeContext": { + "durationMs": 86400000 + } + }, + { + "id": "578b8620-30b9-4b92-abc6-997998bc8156", + "version": "KqlParameterItem/1.0", + "name": "ImplementationDate", + "label": "Implementation Date", + "type": 1, + "value": "", + "timeContext": { + "durationMs": 86400000 + } + }, + { + "version": "KqlParameterItem/1.0", + "name": "Notes", + "type": 1, + "value": "", + "timeContext": { + "durationMs": 86400000 + }, + "id": "7bd0d384-d3c3-4c77-9dae-d75e823edfcf" + } + ], + "style": "pills", + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces" + }, + "name": "Status" + }, + { + "type": 1, + "content": { + "json": "### Notes
\r\n{Notes}" + }, + "name": "text - 1" + } + ] + }, + "customWidth": "50", + "name": "group - 2" + } + ] + }, + "name": "SC.L1-3.13.5", + "styleSettings": { + "showBorder": true + } + } + ] + }, + "conditionalVisibility": { + "parameterName": "isML1Visible", + "comparison": "isEqualTo", + "value": "true" + }, + "name": "Level 1: Foundational" + }, + { + "type": 12, + "content": { + "version": "NotebookGroup/1.0", + "groupType": "editable", + "title": "Level 2: Advanced", + "items": [ + { + "type": 1, + "content": { + "json": "A subset of programs with Level 2 (“Advanced”) requirements do not involve information critical to national security, and associated contractors will only be required to conduct self-assessments. Once CMMC 2.0 is implemented, contractors will be required to obtain a third-party CMMC assessment for a subset of acquisitions requiring Level 2 (“Advanced”) cybersecurity standards that involve information critical to national security. " + }, + "customWidth": "50", + "name": "text - 1" + }, + { + "type": 1, + "content": { + "json": "" + }, + "customWidth": "5", + "name": "text - 1" + }, + { + "type": 11, + "content": { + "version": "LinkItem/1.0", + "style": "list", + "links": [ + { + "id": "eb462921-f3cf-4d08-ac32-c72bea21e204", + "cellValue": "SC.L2-3.13.2", + "linkTarget": "step", + "linkLabel": "✳️ (SC.L2-3.13.2) Security Engineering", + "preText": "", + "postText": "", + "style": "link" + }, + { + "id": "af33f331-b64b-4fbd-a0b4-3e411ff705a8", + "cellValue": "SC.L2-3.13.3", + "linkTarget": "step", + "linkLabel": "✳️ (SC.L2-3.13.3) Role Separation", + "preText": "", + "postText": "", + "style": "link" + }, + { + "id": "e391b908-4b08-46ce-b5ba-129d9905dd98", + "cellValue": "SC.L2-3.13.6", + "linkTarget": "step", + "linkLabel": "✳️ (SC.L2-3.13.6) Network Communication by Exception", + "preText": "", + "postText": "", + "style": "link" + }, + { + "id": "2eaf74ad-7c2f-42ae-9ea0-ef223dd2b7e8", + "cellValue": "SC.L2-3.13.8", + "linkTarget": "step", + "linkLabel": "✳️ (SC.L2-3.13.8) Data in Transit", + "preText": "", + "postText": "", + "style": "link" + }, + { + "id": "2885a56b-abb8-4cc5-a945-8cfe0786d160", + "cellValue": "SC.L2-3.13.10", + "linkTarget": "step", + "linkLabel": "✳️ (SC.L2-3.13.10) Key Management", + "preText": "", + "postText": "", + "style": "link" + }, + { + "id": "81a446a5-4409-4152-a958-116936cee2b4", + "cellValue": "SC.L2-3.13.11", + "linkTarget": "step", + "linkLabel": "✳️ (SC.L2-3.13.11) CUI Encryption", + "preText": "", + "postText": "", + "style": "link" + }, + { + "id": "ce448438-09a8-428d-9187-c34880fa323d", + "cellValue": "SC.L2-3.13.12", + "linkTarget": "step", + "linkLabel": "✳️ (SC.L2-3.13.12) Collaborative Device Control", + "preText": "", + "postText": "", + "style": "link" + }, + { + "id": "cd62a74b-086f-4e9f-8f89-059b969c692d", + "cellValue": "SC.L2-3.13.13", + "linkTarget": "step", + "linkLabel": "✳️ (SC.L2-3.13.13) Mobile Code", + "preText": "", + "postText": "", + "style": "link" + }, + { + "id": "88caef2e-6d4c-4d8d-b3e4-70c58f384c5d", + "cellValue": "SC.L2-3.13.14", + "linkTarget": "step", + "linkLabel": "✳️ (SC.L2-3.13.14) Voice Over Internet Protocol", + "preText": "", + "postText": "", + "style": "link" + }, + { + "id": "594c1cfd-447f-4616-9351-cb45d5429f11", + "cellValue": "SC.L2-3.13.15", + "linkTarget": "step", + "linkLabel": "✳️ (SC.L2-3.13.15) Communications Authenticity", + "preText": "", + "postText": "", + "style": "link" + }, + { + "id": "47e4f75f-5597-4228-8383-5fc04d1280b5", + "cellValue": "SC.L2-3.13.16", + "linkTarget": "step", + "linkLabel": "✳️ (SC.L2-3.13.16) Data at Rest", + "preText": "", + "postText": "", + "style": "link" + } + ] + }, + "customWidth": "40", + "name": "ML3 Steps" + }, + { + "type": 12, + "content": { + "version": "NotebookGroup/1.0", + "groupType": "editable", + "items": [ + { + "type": 1, + "content": { + "json": "# [(SC.L2-3.13.2) Security Engineering](https://docs.microsoft.com/azure/governance/policy/samples/cmmc-l3?WT.mc_id=Portal-fx#employ-architectural-designs-software-development-techniques-and-systems-engineering-principles-that-promote-effective-information-security-within-organizational-systems)\r\n\r\n## Secondary Services\r\n✳️ [Microsoft Defender for Cloud](https://azure.microsoft.com/services/security-center) 🔀[Microsoft Defender for Cloud](https://portal.azure.com/#blade/Microsoft_Azure_Security/SecurityMenuBlade/0)
\r\n\r\n## Recommended Logs\r\n🔷 [SecurityRecommendation](https://docs.microsoft.com/azure/defender-for-iot/how-to-security-data-access#security-recommendations) ✳️ [Microsoft Defender for Cloud](https://azure.microsoft.com/services/security-center/)
\r\n\r\n## Implementation Guidance\r\n[Microsoft Technical Reference Guide for CMMC](https://aka.ms/cmmc/techrefguide)\r\n## NIST SP 800-171 Mapping\r\n[3.13.2](https://csrc.nist.gov/publications/detail/sp/800-171/rev-2/final)
\r\n## NIST SP 800-53 R4 Mapping\r\n[SC-7, SA-8](https://csrc.nist.gov/publications/detail/sp/800-53/rev-4/final)\r\n## Microsoft Defender for Cloud: Regulatory Compliance\r\n[Go To: NIST SP 800-171 Assessment >](https://portal.azure.com/#blade/Microsoft_Azure_Security/SecurityMenuBlade/22)
\r\n" + }, + "customWidth": "50", + "name": "text - 0", + "styleSettings": { + "maxWidth": "50" + } + }, + { + "type": 3, + "content": { + "version": "KqlItem/1.0", + "query": "SecurityRecommendation\r\n| summarize arg_max(TimeGenerated, *) by RecommendationDisplayName, AssessedResourceId\r\n| summarize\r\n Failed = countif(RecommendationState == \"Unhealthy\"),\r\n Passed = countif(RecommendationState == \"Healthy\"),\r\n Total = countif(RecommendationState == \"Healthy\" or RecommendationState == \"Unhealthy\")\r\n by RecommendationDisplayName\r\n| extend PassedControls = (Passed / todouble(Total)) * 100\r\n| project RecommendationDisplayName, Total, PassedControls, Passed, Failed\r\n| sort by Total desc\r\n| limit 250", + "size": 0, + "showAnalytics": true, + "title": "Microsoft Defender for Cloud Recommendations Count Summary", + "noDataMessage": "An Empty Panel Provides Opportunity To Explore Further and Implement Hardening. Controls: Confirm Licensing, Availability, and Health of Respective Offerings. Logging: Confirm Log Source is Onboarded to the Log Analytics Workspace. Time: Adjust the Time Parameter for a Larger Data-Set. ", + "timeContext": { + "durationMs": 2592000000 + }, + "timeContextFromParameter": "TimeRange", + "showExportToExcel": true, + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces", + "crossComponentResources": [ + "{Workspace}" + ], + "gridSettings": { + "formatters": [ + { + "columnMatch": "RecommendationDisplayName", + "formatter": 18, + "formatOptions": { + "thresholdsOptions": "icons", + "thresholdsGrid": [ + { + "operator": "Default", + "thresholdValue": null, + "representation": "Gear", + "text": "{0}{1}" + } + ] + } + }, + { + "columnMatch": "Total", + "formatter": 22, + "formatOptions": { + "compositeBarSettings": { + "labelText": "", + "columnSettings": [ + { + "columnName": "Passed", + "color": "green" + }, + { + "columnName": "Failed", + "color": "redBright" + } + ] + } + } + }, + { + "columnMatch": "PassedControls", + "formatter": 0, + "numberFormat": { + "unit": 1, + "options": { + "style": "decimal", + "maximumFractionDigits": 2 + } + } + }, + { + "columnMatch": "ControlNumber", + "formatter": 18, + "formatOptions": { + "thresholdsOptions": "icons", + "thresholdsGrid": [ + { + "operator": "Default", + "thresholdValue": null, + "representation": "AllServices", + "text": "{0}{1}" + } + ] + } + }, + { + "columnMatch": "RecommendationState", + "formatter": 18, + "formatOptions": { + "thresholdsOptions": "icons", + "thresholdsGrid": [ + { + "operator": "!=", + "thresholdValue": "Healthy", + "representation": "3", + "text": "{0}{1}" + }, + { + "operator": "Default", + "thresholdValue": null, + "representation": "success", + "text": "{0}{1}" + } + ] + } + }, + { + "columnMatch": "count_", + "formatter": 4, + "formatOptions": { + "palette": "blue" + } + } + ], + "filter": true + } + }, + "customWidth": "50", + "name": "query - 1" + }, + { + "type": 12, + "content": { + "version": "NotebookGroup/1.0", + "groupType": "editable", + "items": [ + { + "type": 1, + "content": { + "json": "## Control Assessment\r\n" + }, + "name": "text - 2" + }, + { + "type": 9, + "content": { + "version": "KqlParameterItem/1.0", + "parameters": [ + { + "id": "52668f65-b44a-4e14-82d8-c87410e7e5dc", + "version": "KqlParameterItem/1.0", + "name": "ImplementationStatus", + "label": "Implementation Status", + "type": 2, + "typeSettings": { + "additionalResourceOptions": [], + "showDefault": false + }, + "jsonData": "[\r\n {\"value\": \"Not Implemented\", \"label\": \"Not Implemented\", \"selected\":true},\r\n {\"value\": \"Implemented\", \"label\": \"Implemented\"},\r\n {\"value\": \"Alternate Implementation\", \"label\": \"Alternate Implementation\"},\r\n {\"value\": \"Planned\", \"label\": \"Planned\"},\r\n {\"value\": \"Out of Scope\", \"label\": \"Out of Scope\"}\r\n]", + "timeContext": { + "durationMs": 86400000 + } + }, + { + "id": "578b8620-30b9-4b92-abc6-997998bc8156", + "version": "KqlParameterItem/1.0", + "name": "ImplementationDate", + "label": "Implementation Date", + "type": 1, + "value": "", + "timeContext": { + "durationMs": 86400000 + } + }, + { + "version": "KqlParameterItem/1.0", + "name": "Notes", + "type": 1, + "value": "", + "timeContext": { + "durationMs": 86400000 + }, + "id": "7bd0d384-d3c3-4c77-9dae-d75e823edfcf" + } + ], + "style": "pills", + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces" + }, + "name": "Status" + }, + { + "type": 1, + "content": { + "json": "### Notes
\r\n{Notes}" + }, + "name": "text - 1" + } + ] + }, + "customWidth": "50", + "name": "group - 2" + } + ] + }, + "name": "SC.L2-3.13.2", + "styleSettings": { + "showBorder": true + } + }, + { + "type": 12, + "content": { + "version": "NotebookGroup/1.0", + "groupType": "editable", + "items": [ + { + "type": 1, + "content": { + "json": "# [(SC.L2-3.13.3) Role Separation](https://docs.microsoft.com/azure/governance/policy/samples/cmmc-l3?WT.mc_id=Portal-fx#separate-user-functionality-from-system-management-functionality)\r\n\r\n## Primary Services\r\n✳️ [Azure Active Directory](https://azure.microsoft.com/services/active-directory/) 🔀[Azure Active Directory Portal](https://portal.azure.com/#blade/Microsoft_AAD_IAM/ActiveDirectoryMenuBlade/Overview)
\r\n\r\n## Secondary Services\r\n✳️ [Azure AD Privileged Identity Management](https://docs.microsoft.com/azure/active-directory/privileged-identity-management/pim-getting-started) 🔀[Privileged Identity Management](https://portal.azure.com/#blade/Microsoft_Azure_PIMCommon/CommonMenuBlade/quickStart)
\r\n✳️ [Conditional Access](https://docs.microsoft.com/azure/active-directory/conditional-access/overview) 🔀[Azure Active Directory: Conditional Access](https://portal.azure.com/#blade/Microsoft_AAD_IAM/ConditionalAccessBlade/Policies)
\r\n✳️ [Microsoft Defender for Cloud](https://azure.microsoft.com/services/security-center) 🔀[Microsoft Defender for Cloud](https://portal.azure.com/#blade/Microsoft_Azure_Security/SecurityMenuBlade/0)
\r\n\r\n## Recommended Logs\r\n🔷 [AADManagedIdentitySignInLogs](https://docs.microsoft.com/azure/azure-monitor/reference/tables/aadmanagedidentitysigninlogs) ✳️ [Azure Active Directory](https://azure.microsoft.com/services/active-directory/)
\r\n\r\n## Implementation Guidance\r\n[Microsoft Technical Reference Guide for CMMC](https://aka.ms/cmmc/techrefguide)\r\n## NIST SP 800-171 Mapping\r\n[3.13.3](https://csrc.nist.gov/publications/detail/sp/800-171/rev-2/final)
\r\n## NIST SP 800-53 R4 Mapping\r\n[SC-2](https://csrc.nist.gov/publications/detail/sp/800-53/rev-4/final)\r\n## Microsoft Defender for Cloud: Regulatory Compliance\r\n[Go To: NIST SP 800-171 Assessment >](https://portal.azure.com/#blade/Microsoft_Azure_Security/SecurityMenuBlade/22)
\r\n" + }, + "customWidth": "50", + "name": "text - 0", + "styleSettings": { + "maxWidth": "50" + } + }, + { + "type": 3, + "content": { + "version": "KqlItem/1.0", + "query": "AADManagedIdentitySignInLogs\r\n| summarize count() by ServicePrincipalName, ResourceDisplayName\r\n| sort by count_ desc\r\n| limit 250\r\n", + "size": 0, + "showAnalytics": true, + "title": "Azure Active Directory: Managed Identities", + "noDataMessage": "An Empty Panel Provides Opportunity To Explore Further and Implement Hardening. Controls: Confirm Licensing, Availability, and Health of Respective Offerings. Logging: Confirm Log Source is Onboarded to the Log Analytics Workspace. Time: Adjust the Time Parameter for a Larger Data-Set. ", + "timeContext": { + "durationMs": 2592000000 + }, + "timeContextFromParameter": "TimeRange", + "showExportToExcel": true, + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces", + "crossComponentResources": [ + "{Workspace}" + ], + "gridSettings": { + "formatters": [ + { + "columnMatch": "ServicePrincipalName", + "formatter": 18, + "formatOptions": { + "thresholdsOptions": "icons", + "thresholdsGrid": [ + { + "operator": "Default", + "thresholdValue": null, + "representation": "Gear", + "text": "{0}{1}" + } + ] + } + }, + { + "columnMatch": "count_", + "formatter": 4, + "formatOptions": { + "palette": "blue" + } + } + ], + "filter": true + } + }, + "customWidth": "50", + "name": "query - 1", + "styleSettings": { + "maxWidth": "50" + } + }, + { + "type": 12, + "content": { + "version": "NotebookGroup/1.0", + "groupType": "editable", + "items": [ + { + "type": 1, + "content": { + "json": "## Control Assessment\r\n" + }, + "name": "text - 2" + }, + { + "type": 9, + "content": { + "version": "KqlParameterItem/1.0", + "parameters": [ + { + "id": "52668f65-b44a-4e14-82d8-c87410e7e5dc", + "version": "KqlParameterItem/1.0", + "name": "ImplementationStatus", + "label": "Implementation Status", + "type": 2, + "typeSettings": { + "additionalResourceOptions": [], + "showDefault": false + }, + "jsonData": "[\r\n {\"value\": \"Not Implemented\", \"label\": \"Not Implemented\", \"selected\":true},\r\n {\"value\": \"Implemented\", \"label\": \"Implemented\"},\r\n {\"value\": \"Alternate Implementation\", \"label\": \"Alternate Implementation\"},\r\n {\"value\": \"Planned\", \"label\": \"Planned\"},\r\n {\"value\": \"Out of Scope\", \"label\": \"Out of Scope\"}\r\n]", + "timeContext": { + "durationMs": 86400000 + } + }, + { + "id": "578b8620-30b9-4b92-abc6-997998bc8156", + "version": "KqlParameterItem/1.0", + "name": "ImplementationDate", + "label": "Implementation Date", + "type": 1, + "value": "", + "timeContext": { + "durationMs": 86400000 + } + }, + { + "version": "KqlParameterItem/1.0", + "name": "Notes", + "type": 1, + "value": "", + "timeContext": { + "durationMs": 86400000 + }, + "id": "7bd0d384-d3c3-4c77-9dae-d75e823edfcf" + } + ], + "style": "pills", + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces" + }, + "name": "Status" + }, + { + "type": 1, + "content": { + "json": "### Notes
\r\n{Notes}" + }, + "name": "text - 1" + } + ] + }, + "customWidth": "50", + "name": "group - 2" + } + ] + }, + "name": "SC.L2-3.13.3", + "styleSettings": { + "showBorder": true + } + }, + { + "type": 12, + "content": { + "version": "NotebookGroup/1.0", + "groupType": "editable", + "items": [ + { + "type": 1, + "content": { + "json": "# [(SC.L2-3.13.6) Network Communication by Exception](https://docs.microsoft.com/azure/governance/policy/samples/cmmc-l3?WT.mc_id=Portal-fx#deny-network-communications-traffic-by-default-and-allow-network-communications-traffic-by-exception-ie-deny-all-permit-by-exception)\r\n\r\n## Primary Services\r\n✳️ [Azure Firewall](https://azure.microsoft.com/services/azure-firewall/) 🔀[Azure Firewall Manager](https://portal.azure.com/#blade/Microsoft_Azure_HybridNetworking/FirewallManagerMenuBlade/firewallManagerOverview)
\r\n\r\n## Secondary Services\r\n✳️ [Microsoft Defender for Cloud](https://azure.microsoft.com/services/security-center) 🔀[Microsoft Defender for Cloud](https://portal.azure.com/#blade/Microsoft_Azure_Security/SecurityMenuBlade/0)
\r\n✳️ [Load Balancer]( https://azure.microsoft.com/services/load-balancer/) 🔀[Load Balancers](https://portal.azure.com/#blade/Microsoft_Azure_Network/LoadBalancingHubMenuBlade/loadBalancers)
\r\n✳️ [Network Security Groups](https://docs.microsoft.com/azure/virtual-network/network-security-groups-overview) 🔀[Network Security Groups](https://portal.azure.com/#blade/HubsExtension/BrowseResource/resourceType/Microsoft.Network%2FNetworkSecurityGroups)
\r\n✳️ [Azure Web Application Firewall]( https://azure.microsoft.com/services/web-application-firewall/) 🔀 [Web Application Firewall Policies](https://portal.azure.com/#blade/HubsExtension/BrowseResource/resourceType/Microsoft.Network%2FFrontDoorWebApplicationFirewallPolicies)
\r\n✳️ [Virtual Network]( https://azure.microsoft.com/services/virtual-network/) 🔀[Virtual Networks](https://portal.azure.com/#blade/HubsExtension/BrowseResource/resourceType/Microsoft.Network%2FvirtualNetworks)
\r\n✳️ [Intune/Microsoft Endpoint Manager](https://www.microsoft.com/microsoft-365/microsoft-endpoint-Manager) 🔀[Microsoft Endpoint Manager Admin Center](https://endpoint.microsoft.com/#home)
\r\n\r\n## Recommended Logs\r\n🔷 [AzureDiagnostics]https://docs.microsoft.com/azure/azure-monitor/reference/tables/azurediagnostics) ✳️ [Azure Firewall]( https://azure.microsoft.com/services/azure-firewall/) \r\n\r\n## Implementation Guidance\r\n[Microsoft Technical Reference Guide for CMMC](https://aka.ms/cmmc/techrefguide)\r\n## NIST SP 800-171 Mapping\r\n[3.13.6](https://csrc.nist.gov/publications/detail/sp/800-171/rev-2/final)
\r\n## NIST SP 800-53 R4 Mapping\r\n[SC-7(5)](https://csrc.nist.gov/publications/detail/sp/800-53/rev-4/final)\r\n## Microsoft Defender for Cloud: Regulatory Compliance\r\n[Go To: NIST SP 800-171 Assessment >](https://portal.azure.com/#blade/Microsoft_Azure_Security/SecurityMenuBlade/22)
\r\n" + }, + "customWidth": "50", + "name": "text - 0", + "styleSettings": { + "maxWidth": "50" + } + }, + { + "type": 3, + "content": { + "version": "KqlItem/1.0", + "query": "AzureDiagnostics\r\n| where Category == \"AzureFirewallApplicationRule\"\r\n| parse msg_s with Protocol \" request from \" SourceIP \":\" SourcePortInt:int \" \" TempDetails\r\n| parse TempDetails with \"was \" Action1 \". Reason: \" Rule1\r\n| parse TempDetails with \"to \" FQDN \":\" TargetPortInt:int \". Action: \" Action2 \".\" *\r\n| parse TempDetails with * \". Rule Collection: \" RuleCollection2a \". Rule:\" Rule2a\r\n| parse TempDetails with * \"Deny.\" RuleCollection2b \". Proceeding with\" Rule2b\r\n| extend SourcePort = tostring(SourcePortInt)\r\n| extend TargetPort = tostring(TargetPortInt)\r\n| extend Action1 = case(Action1 == \"Deny\",\"Deny\",\"Unknown Action\")\r\n| extend Action = case(Action2 == \"\",Action1,Action2),Rule = case(Rule2a == \"\", case(Rule1 == \"\",case(Rule2b == \"\",\"N/A\", Rule2b),Rule1),Rule2a), \r\nRuleCollection = case(RuleCollection2b == \"\",case(RuleCollection2a == \"\",\"No rule matched\",RuleCollection2a), RuleCollection2b),FQDN = case(FQDN == \"\", \"N/A\", FQDN),TargetPort = case(TargetPort == \"\", \"N/A\", TargetPort)\r\n| make-series count() default=0 on TimeGenerated from {TimeRange:start} to {TimeRange:end} step 1d by Action\r\n| render timechart ", + "size": 0, + "showAnalytics": true, + "title": "Azure Firewall: Action Count by Time", + "noDataMessage": "An Empty Panel Provides Opportunity To Explore Further and Implement Hardening. Controls: Confirm Licensing, Availability, and Health of Respective Offerings. Logging: Confirm Log Source is Onboarded to the Log Analytics Workspace. Time: Adjust the Time Parameter for a Larger Data-Set. ", + "timeContext": { + "durationMs": 2592000000 + }, + "timeContextFromParameter": "TimeRange", + "showExportToExcel": true, + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces", + "crossComponentResources": [ + "{Workspace}" + ] + }, + "customWidth": "50", + "name": "query - 2", + "styleSettings": { + "maxWidth": "50" + } + }, + { + "type": 12, + "content": { + "version": "NotebookGroup/1.0", + "groupType": "editable", + "items": [ + { + "type": 1, + "content": { + "json": "## Control Assessment\r\n" + }, + "name": "text - 2" + }, + { + "type": 9, + "content": { + "version": "KqlParameterItem/1.0", + "parameters": [ + { + "id": "52668f65-b44a-4e14-82d8-c87410e7e5dc", + "version": "KqlParameterItem/1.0", + "name": "ImplementationStatus", + "label": "Implementation Status", + "type": 2, + "typeSettings": { + "additionalResourceOptions": [], + "showDefault": false + }, + "jsonData": "[\r\n {\"value\": \"Not Implemented\", \"label\": \"Not Implemented\", \"selected\":true},\r\n {\"value\": \"Implemented\", \"label\": \"Implemented\"},\r\n {\"value\": \"Alternate Implementation\", \"label\": \"Alternate Implementation\"},\r\n {\"value\": \"Planned\", \"label\": \"Planned\"},\r\n {\"value\": \"Out of Scope\", \"label\": \"Out of Scope\"}\r\n]", + "timeContext": { + "durationMs": 86400000 + } + }, + { + "id": "578b8620-30b9-4b92-abc6-997998bc8156", + "version": "KqlParameterItem/1.0", + "name": "ImplementationDate", + "label": "Implementation Date", + "type": 1, + "value": "", + "timeContext": { + "durationMs": 86400000 + } + }, + { + "version": "KqlParameterItem/1.0", + "name": "Notes", + "type": 1, + "value": "", + "timeContext": { + "durationMs": 86400000 + }, + "id": "7bd0d384-d3c3-4c77-9dae-d75e823edfcf" + } + ], + "style": "pills", + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces" + }, + "name": "Status" + }, + { + "type": 1, + "content": { + "json": "### Notes
\r\n{Notes}" + }, + "name": "text - 1" + } + ] + }, + "customWidth": "50", + "name": "group - 2" + } + ] + }, + "name": "SC.L2-3.13.6", + "styleSettings": { + "showBorder": true + } + }, + { + "type": 12, + "content": { + "version": "NotebookGroup/1.0", + "groupType": "editable", + "items": [ + { + "type": 1, + "content": { + "json": "# [(SC.L2-3.13.8) Data in Transit](https://docs.microsoft.com/azure/governance/policy/samples/cmmc-l3?WT.mc_id=Portal-fx#implement-cryptographic-mechanisms-to-prevent-unauthorized-disclosure-of-cui-during-transmission-unless-otherwise-protected-by-alternative-physical-safeguards)\r\n\r\n## Primary Services\r\n✳️ [Microsoft Azure Portal](https://azure.microsoft.com/services/azure-defender-for-iot/) 🔀[Microsoft Azure Portal](https://portal.azure.com/)
\r\n\r\n\r\n# Secondary Services\r\n✳️ [Azure ExpressRoute]( https://azure.microsoft.com/services/expressroute/) 🔀[ExpressRoute Circuits](https://portal.azure.com/#blade/HubsExtension/BrowseResource/resourceType/Microsoft.Network%2FexpressRouteCircuits)
\r\n✳️ [Key Vault](https://azure.microsoft.com/services/key-vault/) 🔀[Key Vaults](https://portal.azure.com/#blade/HubsExtension/BrowseResource/resourceType/Microsoft.KeyVault%2Fvaults)
\r\n✳️ [Load Balancer]( https://azure.microsoft.com/services/load-balancer/) 🔀[Load Balancers](https://portal.azure.com/#blade/Microsoft_Azure_Network/LoadBalancingHubMenuBlade/loadBalancers)
\r\n✳️ [Network Security Groups](https://docs.microsoft.com/azure/virtual-network/network-security-groups-overview) 🔀[Network Security Groups](https://portal.azure.com/#blade/HubsExtension/BrowseResource/resourceType/Microsoft.Network%2FNetworkSecurityGroups)
\r\n✳️ [Virtual Machines](https://azure.microsoft.com/services/virtual-machines/) 🔀[Virtual Machines](https://portal.azure.com/#blade/HubsExtension/BrowseResource/resourceType/Microsoft.Compute%2FVirtualMachines)
\r\n✳️ [Virtual Network]( https://azure.microsoft.com/services/virtual-network/) 🔀[Virtual Networks](https://portal.azure.com/#blade/HubsExtension/BrowseResource/resourceType/Microsoft.Network%2FvirtualNetworks)
\r\n✳️ [VPN Gateway](https://azure.microsoft.com/services/vpn-gateway/) 🔀[Virtual Network Gateways](https://portal.azure.com/#blade/HubsExtension/BrowseResourceBlade/resourceType/Microsoft.Network%2FvirtualNetworkGateways)
\r\n✳️ [Azure Information Protection](https://azure.microsoft.com/services/information-protection/) 🔀[Azure Information Protection](https://portal.azure.com/#blade/Microsoft_Azure_InformationProtection/DataClassGroupEditBlade/quickstartBlade)
\r\n✳️ [Intune/Microsoft Endpoint Manager](https://www.microsoft.com/microsoft-365/microsoft-endpoint-Manager) 🔀[Microsoft Endpoint Manager Admin Center](https://endpoint.microsoft.com/#home)
\r\n✳️ [Microsoft Defender for Cloud Apps](https://www.microsoft.com/microsoft-365/enterprise-mobility-security/cloud-app-security) 🔀 [Microsoft Defender for Cloud Apps Portal](https://portal.cloudappsecurity.com/)
\r\n✳️ [Microsoft Information Protection](https://www.microsoft.com/security/business/compliance/information-protection) 🔀[Microsoft Information Protection](https://compliance.microsoft.com/informationprotection)
\r\n\r\n## Recommended Logs\r\n🔷 [SecurityRecommendation](https://docs.microsoft.com/azure/defender-for-iot/how-to-security-data-access#security-recommendations) ✳️ [Microsoft Defender for Cloud](https://azure.microsoft.com/services/security-center/)
\r\n\r\n## Implementation Guidance\r\n[Microsoft Technical Reference Guide for CMMC](https://aka.ms/cmmc/techrefguide)\r\n## NIST SP 800-171 Mapping\r\n[3.13.8](https://csrc.nist.gov/publications/detail/sp/800-171/rev-2/final)
\r\n## NIST SP 800-53 R4 Mapping\r\n[SC-8, SC-8(1)](https://csrc.nist.gov/publications/detail/sp/800-53/rev-4/final)\r\n## Microsoft Defender for Cloud: Regulatory Compliance\r\n[Go To: NIST SP 800-171 Assessment >](https://portal.azure.com/#blade/Microsoft_Azure_Security/SecurityMenuBlade/22)
\r\n" + }, + "customWidth": "50", + "name": "text - 0", + "styleSettings": { + "maxWidth": "50" + } + }, + { + "type": 3, + "content": { + "version": "KqlItem/1.0", + "query": "SecurityRecommendation\r\n| where RecommendationDisplayName contains \"key\" or RecommendationDisplayName contains \"vault\" or RecommendationDisplayName contains \"crypt\" or RecommendationDisplayName contains \"region\"\r\n| summarize arg_max(TimeGenerated, *) by RecommendationDisplayName, AssessedResourceId\r\n| summarize\r\n Failed = countif(RecommendationState == \"Unhealthy\"),\r\n Passed = countif(RecommendationState == \"Healthy\"),\r\n Total = countif(RecommendationState == \"Healthy\" or RecommendationState == \"Unhealthy\")\r\n by RecommendationDisplayName\r\n| extend PassedControls = (Passed / todouble(Total)) * 100\r\n| project RecommendationDisplayName, Total, PassedControls, Passed, Failed\r\n| sort by Total desc\r\n| limit 250", + "size": 0, + "showAnalytics": true, + "title": "Review Microsoft Defender for Cloud Recommendations", + "noDataMessage": "An Empty Panel Provides Opportunity To Explore Further and Implement Hardening. Controls: Confirm Licensing, Availability, and Health of Respective Offerings. Logging: Confirm Log Source is Onboarded to the Log Analytics Workspace. Time: Adjust the Time Parameter for a Larger Data-Set. ", + "timeContext": { + "durationMs": 2592000000 + }, + "timeContextFromParameter": "TimeRange", + "showExportToExcel": true, + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces", + "crossComponentResources": [ + "{Workspace}" + ], + "gridSettings": { + "formatters": [ + { + "columnMatch": "RecommendationDisplayName", + "formatter": 18, + "formatOptions": { + "thresholdsOptions": "icons", + "thresholdsGrid": [ + { + "operator": "Default", + "thresholdValue": null, + "representation": "Gear", + "text": "{0}{1}" + } + ] + } + }, + { + "columnMatch": "Total", + "formatter": 22, + "formatOptions": { + "compositeBarSettings": { + "labelText": "", + "columnSettings": [ + { + "columnName": "Passed", + "color": "green" + }, + { + "columnName": "Failed", + "color": "redBright" + } + ] + } + } + }, + { + "columnMatch": "PassedControls", + "formatter": 0, + "numberFormat": { + "unit": 1, + "options": { + "style": "decimal", + "maximumFractionDigits": 2 + } + } + }, + { + "columnMatch": "ControlNumber", + "formatter": 18, + "formatOptions": { + "thresholdsOptions": "icons", + "thresholdsGrid": [ + { + "operator": "Default", + "thresholdValue": null, + "representation": "AllServices", + "text": "{0}{1}" + } + ] + } + }, + { + "columnMatch": "RecommendationState", + "formatter": 18, + "formatOptions": { + "thresholdsOptions": "icons", + "thresholdsGrid": [ + { + "operator": "!=", + "thresholdValue": "Healthy", + "representation": "3", + "text": "{0}{1}" + }, + { + "operator": "Default", + "thresholdValue": null, + "representation": "success", + "text": "{0}{1}" + } + ] + } + }, + { + "columnMatch": "count_", + "formatter": 4, + "formatOptions": { + "palette": "blue" + } + } + ], + "filter": true + } + }, + "customWidth": "50", + "name": "query - 1" + }, + { + "type": 12, + "content": { + "version": "NotebookGroup/1.0", + "groupType": "editable", + "items": [ + { + "type": 1, + "content": { + "json": "## Control Assessment\r\n" + }, + "name": "text - 2" + }, + { + "type": 9, + "content": { + "version": "KqlParameterItem/1.0", + "parameters": [ + { + "id": "52668f65-b44a-4e14-82d8-c87410e7e5dc", + "version": "KqlParameterItem/1.0", + "name": "ImplementationStatus", + "label": "Implementation Status", + "type": 2, + "typeSettings": { + "additionalResourceOptions": [], + "showDefault": false + }, + "jsonData": "[\r\n {\"value\": \"Not Implemented\", \"label\": \"Not Implemented\", \"selected\":true},\r\n {\"value\": \"Implemented\", \"label\": \"Implemented\"},\r\n {\"value\": \"Alternate Implementation\", \"label\": \"Alternate Implementation\"},\r\n {\"value\": \"Planned\", \"label\": \"Planned\"},\r\n {\"value\": \"Out of Scope\", \"label\": \"Out of Scope\"}\r\n]", + "timeContext": { + "durationMs": 86400000 + } + }, + { + "id": "578b8620-30b9-4b92-abc6-997998bc8156", + "version": "KqlParameterItem/1.0", + "name": "ImplementationDate", + "label": "Implementation Date", + "type": 1, + "value": "", + "timeContext": { + "durationMs": 86400000 + } + }, + { + "version": "KqlParameterItem/1.0", + "name": "Notes", + "type": 1, + "value": "", + "timeContext": { + "durationMs": 86400000 + }, + "id": "7bd0d384-d3c3-4c77-9dae-d75e823edfcf" + } + ], + "style": "pills", + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces" + }, + "name": "Status" + }, + { + "type": 1, + "content": { + "json": "### Notes
\r\n{Notes}" + }, + "name": "text - 1" + } + ] + }, + "customWidth": "50", + "name": "group - 2" + } + ] + }, + "name": "SC.L2-3.13.8", + "styleSettings": { + "showBorder": true + } + }, + { + "type": 12, + "content": { + "version": "NotebookGroup/1.0", + "groupType": "editable", + "items": [ + { + "type": 1, + "content": { + "json": "# [(SC.L2-3.13.10) Key Management](https://docs.microsoft.com/azure/governance/policy/samples/cmmc-l3?WT.mc_id=Portal-fx#establish-and-manage-cryptographic-keys-for-cryptography-employed-in-organizational-systems)\r\n\r\n# Primary Services\r\n✳️ [Key Vault](https://azure.microsoft.com/services/key-vault/) 🔀[Key Vaults](https://portal.azure.com/#blade/HubsExtension/BrowseResource/resourceType/Microsoft.KeyVault%2Fvaults)
\r\n✳️ [Azure Information Protection](https://azure.microsoft.com/services/information-protection/) 🔀[Azure Information Protection](https://portal.azure.com/#blade/Microsoft_Azure_InformationProtection/DataClassGroupEditBlade/quickstartBlade)
\r\n✳️ [GitHub Enterprise Cloud](https://github.com/enterprise) 🔀[GitHub Enterprise](https://enterprise.github.com/login)
\r\n\r\n# Secondary Services\r\n✳️ [Azure Active Directory](https://azure.microsoft.com/services/active-directory/) 🔀[Azure Active Directory Portal](https://portal.azure.com/#blade/Microsoft_AAD_IAM/ActiveDirectoryMenuBlade/Overview)
\r\n\r\n## Recommended Logs\r\n🔷 [SecurityRecommendation](https://docs.microsoft.com/azure/defender-for-iot/how-to-security-data-access#security-recommendations) ✳️ [Microsoft Defender for Cloud](https://azure.microsoft.com/services/security-center/)
\r\n\r\n## Implementation Guidance\r\n[Microsoft Technical Reference Guide for CMMC](https://aka.ms/cmmc/techrefguide)\r\n## NIST SP 800-171 Mapping\r\n[3.13.10](https://csrc.nist.gov/publications/detail/sp/800-171/rev-2/final)
\r\n## NIST SP 800-53 R4 Mapping\r\n[SC-12](https://csrc.nist.gov/publications/detail/sp/800-53/rev-4/final)\r\n## Microsoft Defender for Cloud: Regulatory Compliance\r\n[Go To: NIST SP 800-171 Assessment >](https://portal.azure.com/#blade/Microsoft_Azure_Security/SecurityMenuBlade/22)
\r\n" + }, + "customWidth": "50", + "name": "text - 0", + "styleSettings": { + "maxWidth": "50" + } + }, + { + "type": 3, + "content": { + "version": "KqlItem/1.0", + "query": "SecurityRecommendation\r\n| where RecommendationDisplayName contains \"key\"\r\n| summarize arg_max(TimeGenerated, *) by RecommendationDisplayName, AssessedResourceId\r\n| summarize\r\n Failed = countif(RecommendationState == \"Unhealthy\"),\r\n Passed = countif(RecommendationState == \"Healthy\"),\r\n Total = countif(RecommendationState == \"Healthy\" or RecommendationState == \"Unhealthy\")\r\n by RecommendationDisplayName\r\n| extend PassedControls = (Passed / todouble(Total)) * 100\r\n| project RecommendationDisplayName, Total, PassedControls, Passed, Failed\r\n| sort by Total desc\r\n| limit 250", + "size": 0, + "showAnalytics": true, + "title": "Review Microsoft Defender for Cloud Recommendations", + "noDataMessage": "An Empty Panel Provides Opportunity To Explore Further and Implement Hardening. Controls: Confirm Licensing, Availability, and Health of Respective Offerings. Logging: Confirm Log Source is Onboarded to the Log Analytics Workspace. Time: Adjust the Time Parameter for a Larger Data-Set. ", + "timeContext": { + "durationMs": 0 + }, + "timeContextFromParameter": "TimeRange", + "showExportToExcel": true, + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces", + "crossComponentResources": [ + "{Workspace}" + ], + "gridSettings": { + "formatters": [ + { + "columnMatch": "RecommendationDisplayName", + "formatter": 18, + "formatOptions": { + "thresholdsOptions": "icons", + "thresholdsGrid": [ + { + "operator": "Default", + "thresholdValue": null, + "representation": "Gear", + "text": "{0}{1}" + } + ] + } + }, + { + "columnMatch": "Total", + "formatter": 22, + "formatOptions": { + "compositeBarSettings": { + "labelText": "", + "columnSettings": [ + { + "columnName": "Passed", + "color": "green" + }, + { + "columnName": "Failed", + "color": "redBright" + } + ] + } + } + }, + { + "columnMatch": "PassedControls", + "formatter": 0, + "numberFormat": { + "unit": 1, + "options": { + "style": "decimal", + "maximumFractionDigits": 2 + } + } + }, + { + "columnMatch": "ControlNumber", + "formatter": 18, + "formatOptions": { + "thresholdsOptions": "icons", + "thresholdsGrid": [ + { + "operator": "Default", + "thresholdValue": null, + "representation": "AllServices", + "text": "{0}{1}" + } + ] + } + }, + { + "columnMatch": "RecommendationState", + "formatter": 18, + "formatOptions": { + "thresholdsOptions": "icons", + "thresholdsGrid": [ + { + "operator": "!=", + "thresholdValue": "Healthy", + "representation": "3", + "text": "{0}{1}" + }, + { + "operator": "Default", + "thresholdValue": null, + "representation": "success", + "text": "{0}{1}" + } + ] + } + }, + { + "columnMatch": "count_", + "formatter": 4, + "formatOptions": { + "palette": "blue" + } + } + ], + "filter": true + } + }, + "customWidth": "50", + "name": "query - 1" + }, + { + "type": 12, + "content": { + "version": "NotebookGroup/1.0", + "groupType": "editable", + "items": [ + { + "type": 1, + "content": { + "json": "## Control Assessment\r\n" + }, + "name": "text - 2" + }, + { + "type": 9, + "content": { + "version": "KqlParameterItem/1.0", + "parameters": [ + { + "id": "52668f65-b44a-4e14-82d8-c87410e7e5dc", + "version": "KqlParameterItem/1.0", + "name": "ImplementationStatus", + "label": "Implementation Status", + "type": 2, + "typeSettings": { + "additionalResourceOptions": [], + "showDefault": false + }, + "jsonData": "[\r\n {\"value\": \"Not Implemented\", \"label\": \"Not Implemented\", \"selected\":true},\r\n {\"value\": \"Implemented\", \"label\": \"Implemented\"},\r\n {\"value\": \"Alternate Implementation\", \"label\": \"Alternate Implementation\"},\r\n {\"value\": \"Planned\", \"label\": \"Planned\"},\r\n {\"value\": \"Out of Scope\", \"label\": \"Out of Scope\"}\r\n]", + "timeContext": { + "durationMs": 86400000 + } + }, + { + "id": "578b8620-30b9-4b92-abc6-997998bc8156", + "version": "KqlParameterItem/1.0", + "name": "ImplementationDate", + "label": "Implementation Date", + "type": 1, + "value": "", + "timeContext": { + "durationMs": 86400000 + } + }, + { + "version": "KqlParameterItem/1.0", + "name": "Notes", + "type": 1, + "value": "", + "timeContext": { + "durationMs": 86400000 + }, + "id": "7bd0d384-d3c3-4c77-9dae-d75e823edfcf" + } + ], + "style": "pills", + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces" + }, + "name": "Status" + }, + { + "type": 1, + "content": { + "json": "### Notes
\r\n{Notes}" + }, + "name": "text - 1" + } + ] + }, + "customWidth": "50", + "name": "group - 2" + } + ] + }, + "name": "SC.L2-3.13.10", + "styleSettings": { + "showBorder": true + } + }, + { + "type": 12, + "content": { + "version": "NotebookGroup/1.0", + "groupType": "editable", + "items": [ + { + "type": 1, + "content": { + "json": "# [(SC.L2-3.13.11) CUI Encryption](https://docs.microsoft.com/azure/governance/policy/samples/cmmc-l3?WT.mc_id=Portal-fx#employ-fips-validated-cryptography-when-used-to-protect-the-confidentiality-of-cui)\r\n\r\n## Primary Services\r\n✳️ [Key Vault](https://azure.microsoft.com/services/key-vault/) 🔀[Key Vaults](https://portal.azure.com/#blade/HubsExtension/BrowseResource/resourceType/Microsoft.KeyVault%2Fvaults)
\r\n\r\n## Secondary Services\r\n✳️ [Microsoft Azure Portal](https://azure.microsoft.com/services/azure-defender-for-iot/) 🔀[Microsoft Azure Portal](https://portal.azure.com/)
\r\n✳️ [Azure Firewall](https://azure.microsoft.com/services/azure-firewall/) 🔀[Azure Firewall Manager](https://portal.azure.com/#blade/Microsoft_Azure_HybridNetworking/FirewallManagerMenuBlade/firewallManagerOverview)
\r\n✳️ [Virtual Machines](https://azure.microsoft.com/services/virtual-machines/) 🔀[Virtual Machines](https://portal.azure.com/#blade/HubsExtension/BrowseResource/resourceType/Microsoft.Compute%2FVirtualMachines)
\r\n✳️ [Azure Information Protection](https://azure.microsoft.com/services/information-protection/) 🔀[Azure Information Protection](https://portal.azure.com/#blade/Microsoft_Azure_InformationProtection/DataClassGroupEditBlade/quickstartBlade)
\r\n✳️ [Intune/Microsoft Endpoint Manager](https://www.microsoft.com/microsoft-365/microsoft-endpoint-Manager) 🔀[Microsoft Endpoint Manager Admin Center](https://endpoint.microsoft.com/#home)
\r\n✳️ [GitHub AE](https://docs.github.com/en/github-ae@latest/admin/overview/about-github-ae) 🔀[GitHub](https://github.com/)
\r\n\r\n\r\n## Recommended Logs\r\n🔷 [Resources](https://docs.microsoft.com/azure/governance/resource-graph/samples/starter) ✳️ [Azure Resource Graph](https://azure.microsoft.com/features/resource-graph/)
\r\n\r\n## Implementation Guidance\r\n[Microsoft Technical Reference Guide for CMMC](https://aka.ms/cmmc/techrefguide)\r\n## NIST SP 800-171 Mapping\r\n[3.13.11](https://csrc.nist.gov/publications/detail/sp/800-171/rev-2/final)
\r\n## NIST SP 800-53 R4 Mapping\r\n[SC-13](https://csrc.nist.gov/publications/detail/sp/800-53/rev-4/final)\r\n## Microsoft Defender for Cloud: Regulatory Compliance\r\n[Go To: NIST SP 800-171 Assessment >](https://portal.azure.com/#blade/Microsoft_Azure_Security/SecurityMenuBlade/22)
\r\n" + }, + "customWidth": "50", + "name": "text - 0", + "styleSettings": { + "maxWidth": "50" + } + }, + { + "type": 3, + "content": { + "version": "KqlItem/1.0", + "query": "resources\r\n| where type contains \"key\" or type contains \"crypt\"\r\n| project id,type,location,resourceGroup\r\n| order by location asc", + "size": 0, + "showAnalytics": true, + "title": "Key Vault & Crytographic Assets Listing", + "noDataMessage": "An Empty Panel Provides Opportunity To Explore Further and Implement Hardening. Controls: Confirm Licensing, Availability, and Health of Respective Offerings. ", + "showExportToExcel": true, + "queryType": 1, + "resourceType": "microsoft.resourcegraph/resources", + "crossComponentResources": [ + "{Workspace}" + ], + "gridSettings": { + "formatters": [ + { + "columnMatch": "RecommendationDisplayName", + "formatter": 18, + "formatOptions": { + "thresholdsOptions": "icons", + "thresholdsGrid": [ + { + "operator": "Default", + "thresholdValue": null, + "representation": "warning", + "text": "{0}{1}" + } + ] + } + }, + { + "columnMatch": "Severity", + "formatter": 18, + "formatOptions": { + "thresholdsOptions": "colors", + "thresholdsGrid": [ + { + "operator": "==", + "thresholdValue": "High", + "representation": "redBright", + "text": "{0}{1}" + }, + { + "operator": "==", + "thresholdValue": "Medium", + "representation": "orange", + "text": "{0}{1}" + }, + { + "operator": "==", + "thresholdValue": "Low", + "representation": "yellow", + "text": "{0}{1}" + }, + { + "operator": "Default", + "thresholdValue": null, + "representation": "blue", + "text": "{0}{1}" + } + ] + } + }, + { + "columnMatch": "State", + "formatter": 1 + }, + { + "columnMatch": "ControlID", + "formatter": 1 + }, + { + "columnMatch": "Recommendation", + "formatter": 7, + "formatOptions": { + "linkTarget": "Url", + "linkLabel": "Go to Recommendation >" + } + }, + { + "columnMatch": "statusChangeDate", + "formatter": 6 + }, + { + "columnMatch": "firstEvaluationDate", + "formatter": 6 + } + ], + "filter": true + }, + "sortBy": [], + "tileSettings": { + "showBorder": false, + "titleContent": { + "columnMatch": "RecommendationName", + "formatter": 1 + }, + "leftContent": { + "columnMatch": "count_", + "formatter": 12, + "formatOptions": { + "palette": "auto" + }, + "numberFormat": { + "unit": 17, + "options": { + "maximumSignificantDigits": 3, + "maximumFractionDigits": 2 + } + } + } + } + }, + "customWidth": "50", + "name": "query - 1" + }, + { + "type": 12, + "content": { + "version": "NotebookGroup/1.0", + "groupType": "editable", + "items": [ + { + "type": 1, + "content": { + "json": "## Control Assessment\r\n" + }, + "name": "text - 2" + }, + { + "type": 9, + "content": { + "version": "KqlParameterItem/1.0", + "parameters": [ + { + "id": "52668f65-b44a-4e14-82d8-c87410e7e5dc", + "version": "KqlParameterItem/1.0", + "name": "ImplementationStatus", + "label": "Implementation Status", + "type": 2, + "typeSettings": { + "additionalResourceOptions": [], + "showDefault": false + }, + "jsonData": "[\r\n {\"value\": \"Not Implemented\", \"label\": \"Not Implemented\", \"selected\":true},\r\n {\"value\": \"Implemented\", \"label\": \"Implemented\"},\r\n {\"value\": \"Alternate Implementation\", \"label\": \"Alternate Implementation\"},\r\n {\"value\": \"Planned\", \"label\": \"Planned\"},\r\n {\"value\": \"Out of Scope\", \"label\": \"Out of Scope\"}\r\n]", + "timeContext": { + "durationMs": 86400000 + } + }, + { + "id": "578b8620-30b9-4b92-abc6-997998bc8156", + "version": "KqlParameterItem/1.0", + "name": "ImplementationDate", + "label": "Implementation Date", + "type": 1, + "value": "", + "timeContext": { + "durationMs": 86400000 + } + }, + { + "version": "KqlParameterItem/1.0", + "name": "Notes", + "type": 1, + "value": "", + "timeContext": { + "durationMs": 86400000 + }, + "id": "7bd0d384-d3c3-4c77-9dae-d75e823edfcf" + } + ], + "style": "pills", + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces" + }, + "name": "Status" + }, + { + "type": 1, + "content": { + "json": "### Notes
\r\n{Notes}" + }, + "name": "text - 1" + } + ] + }, + "customWidth": "50", + "name": "group - 2" + } + ] + }, + "name": "SC.L2-3.13.11", + "styleSettings": { + "showBorder": true + } + }, + { + "type": 12, + "content": { + "version": "NotebookGroup/1.0", + "groupType": "editable", + "items": [ + { + "type": 1, + "content": { + "json": "# (SC.L2-3.13.12) Collaborative Device Control
\r\n\r\n## Secondary Services\r\n✳️ [Intune/Microsoft Endpoint Manager](https://www.microsoft.com/microsoft-365/microsoft-endpoint-Manager) 🔀[Microsoft Endpoint Manager Admin Center](https://endpoint.microsoft.com/#home)
\r\n\r\n## Recommended Resources\r\n💡 [Group Policy](https://docs.microsoft.com/windows/security/identity-protection/hello-for-business/hello-cert-trust-policy-settings)
\r\n💡 [Intune/Microsoft Endpoint Manager policy](https://docs.microsoft.com/mem/intune/protect/windows-hello)
\r\n💡 [Windows Hello biometrics in the enterprise](https://docs.microsoft.com/windows/security/identity-protection/hello-for-business/hello-biometrics-in-enterprise)
\r\n💡 [View Connected Devices](https://docs.microsoft.com/azure/active-directory/user-help/my-account-portal-devices-page#view-your-connected-devices)
\r\n\r\n## Recommended Logs\r\n🔷 [Event](https://docs.microsoft.com/azure/azure-monitor/reference/tables/event) ✳️ [Azure Monitor]( https://azure.microsoft.com/services/monitor/)
\r\n\r\n## Implementation Guidance\r\n[Microsoft Technical Reference Guide for CMMC](https://aka.ms/cmmc/techrefguide)\r\n## NIST SP 800-171 Mapping\r\n[3.13.12](https://csrc.nist.gov/publications/detail/sp/800-171/rev-2/final)
\r\n## NIST SP 800-53 R4 Mapping\r\n[SC-15](https://csrc.nist.gov/publications/detail/sp/800-53/rev-4/final)\r\n## Microsoft Defender for Cloud: Regulatory Compliance\r\n[Go To: NIST SP 800-171 Assessment >](https://portal.azure.com/#blade/Microsoft_Azure_Security/SecurityMenuBlade/22)
\r\n" + }, + "customWidth": "50", + "name": "text - 0", + "styleSettings": { + "maxWidth": "50" + } + }, + { + "type": 3, + "content": { + "version": "KqlItem/1.0", + "query": "Event\r\n| where TimeGenerated > ago(90d)\r\n| where RenderedDescription contains \"Windows Hello\"\r\n| summarize count() by _ResourceId, EventLevelName, RenderedDescription, EventID\r\n| sort by count_ desc\r\n| limit 250", + "size": 0, + "showAnalytics": true, + "title": "Configure Windows Hello for Collaborative Computing Devices & Monitor Event Logs", + "noDataMessage": "An Empty Panel Provides Opportunity To Explore Further and Implement Hardening. Controls: Confirm Licensing, Availability, and Health of Respective Offerings. Logging: Confirm Log Source is Onboarded to the Log Analytics Workspace. Time: Adjust the Time Parameter for a Larger Data-Set. ", + "timeContext": { + "durationMs": 2592000000 + }, + "showExportToExcel": true, + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces", + "crossComponentResources": [ + "{Workspace}" + ], + "gridSettings": { + "formatters": [ + { + "columnMatch": "count_", + "formatter": 4, + "formatOptions": { + "palette": "blue" + } + } + ], + "filter": true + } + }, + "customWidth": "50", + "name": "query - 1" + }, + { + "type": 12, + "content": { + "version": "NotebookGroup/1.0", + "groupType": "editable", + "items": [ + { + "type": 1, + "content": { + "json": "## Control Assessment\r\n" + }, + "name": "text - 2" + }, + { + "type": 9, + "content": { + "version": "KqlParameterItem/1.0", + "parameters": [ + { + "id": "52668f65-b44a-4e14-82d8-c87410e7e5dc", + "version": "KqlParameterItem/1.0", + "name": "ImplementationStatus", + "label": "Implementation Status", + "type": 2, + "typeSettings": { + "additionalResourceOptions": [], + "showDefault": false + }, + "jsonData": "[\r\n {\"value\": \"Not Implemented\", \"label\": \"Not Implemented\", \"selected\":true},\r\n {\"value\": \"Implemented\", \"label\": \"Implemented\"},\r\n {\"value\": \"Alternate Implementation\", \"label\": \"Alternate Implementation\"},\r\n {\"value\": \"Planned\", \"label\": \"Planned\"},\r\n {\"value\": \"Out of Scope\", \"label\": \"Out of Scope\"}\r\n]", + "timeContext": { + "durationMs": 86400000 + } + }, + { + "id": "578b8620-30b9-4b92-abc6-997998bc8156", + "version": "KqlParameterItem/1.0", + "name": "ImplementationDate", + "label": "Implementation Date", + "type": 1, + "value": "", + "timeContext": { + "durationMs": 86400000 + } + }, + { + "version": "KqlParameterItem/1.0", + "name": "Notes", + "type": 1, + "value": "", + "timeContext": { + "durationMs": 86400000 + }, + "id": "7bd0d384-d3c3-4c77-9dae-d75e823edfcf" + } + ], + "style": "pills", + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces" + }, + "name": "Status" + }, + { + "type": 1, + "content": { + "json": "### Notes
\r\n{Notes}" + }, + "name": "text - 1" + } + ] + }, + "customWidth": "50", + "name": "group - 2" + } + ] + }, + "name": "SC.L2-3.13.12", + "styleSettings": { + "showBorder": true + } + }, + { + "type": 12, + "content": { + "version": "NotebookGroup/1.0", + "groupType": "editable", + "items": [ + { + "type": 1, + "content": { + "json": "# (SC.L2-3.13.13) Mobile Code\r\n\r\n# Primary Services\r\n✳️ [Microsoft Sentinel](https://azure.microsoft.com/services/azure-sentinel/) 🔀[Microsoft Sentinel](https://portal.azure.com/#blade/HubsExtension/BrowseResource/resourceType/microsoft.securityinsightsarg%2Fsentinel)
\r\n✳️ [Intune/Microsoft Endpoint Manager](https://www.microsoft.com/microsoft-365/microsoft-endpoint-Manager) 🔀[Microsoft Endpoint Manager Admin Center](https://endpoint.microsoft.com/#home)
\r\n\r\n# Secondary Services\r\n✳️ [Virtual Machines](https://azure.microsoft.com/services/virtual-machines/) 🔀[Virtual Machines](https://portal.azure.com/#blade/HubsExtension/BrowseResource/resourceType/Microsoft.Compute%2FVirtualMachines)
\r\n\r\n## Recommended Logs\r\n🔷 [DeviceFileEvents](https://docs.microsoft.com/azure/azure-monitor/reference/tables/devicefileevents) ✳️ [Microsoft Sentinel](https://azure.microsoft.com/services/azure-sentinel/)
\r\n\r\n## Implementation Guidance\r\n[Microsoft Technical Reference Guide for CMMC](https://aka.ms/cmmc/techrefguide)\r\n## NIST SP 800-171 Mapping\r\n[3.13.13](https://csrc.nist.gov/publications/detail/sp/800-171/rev-2/final)
\r\n## NIST SP 800-53 R4 Mapping\r\n[SC-18](https://csrc.nist.gov/publications/detail/sp/800-53/rev-4/final)\r\n## Microsoft Defender for Cloud: Regulatory Compliance\r\n[Go To: NIST SP 800-171 Assessment >](https://portal.azure.com/#blade/Microsoft_Azure_Security/SecurityMenuBlade/22)
\r\n" + }, + "customWidth": "50", + "name": "text - 0", + "styleSettings": { + "maxWidth": "50" + } + }, + { + "type": 3, + "content": { + "version": "KqlItem/1.0", + "query": "DeviceFileEvents\r\n| where FileName contains \".pdf\" or FileName contains \".vbx\" or FileName contains \"java\" or FileName contains \".dcr\"\r\n| summarize count() by ActionType, FileName\r\n| sort by count_ desc \r\n| limit 250", + "size": 0, + "showAnalytics": true, + "title": "Control and Monitor the Use of Mobile Code", + "noDataMessage": "An Empty Panel Provides Opportunity To Explore Further and Implement Hardening. Controls: Confirm Licensing, Availability, and Health of Respective Offerings. Logging: Confirm Log Source is Onboarded to the Log Analytics Workspace. Time: Adjust the Time Parameter for a Larger Data-Set. ", + "showExportToExcel": true, + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces", + "crossComponentResources": [ + "{Workspace}" + ], + "gridSettings": { + "formatters": [ + { + "columnMatch": "ActionType", + "formatter": 18, + "formatOptions": { + "thresholdsOptions": "icons", + "thresholdsGrid": [ + { + "operator": "Default", + "thresholdValue": null, + "representation": "File", + "text": "{0}{1}" + } + ] + } + }, + { + "columnMatch": "count_", + "formatter": 4, + "formatOptions": { + "palette": "blue" + } + } + ], + "filter": true + } + }, + "customWidth": "50", + "name": "query - 1" + }, + { + "type": 12, + "content": { + "version": "NotebookGroup/1.0", + "groupType": "editable", + "items": [ + { + "type": 1, + "content": { + "json": "## Control Assessment\r\n" + }, + "name": "text - 2" + }, + { + "type": 9, + "content": { + "version": "KqlParameterItem/1.0", + "parameters": [ + { + "id": "52668f65-b44a-4e14-82d8-c87410e7e5dc", + "version": "KqlParameterItem/1.0", + "name": "ImplementationStatus", + "label": "Implementation Status", + "type": 2, + "typeSettings": { + "additionalResourceOptions": [], + "showDefault": false + }, + "jsonData": "[\r\n {\"value\": \"Not Implemented\", \"label\": \"Not Implemented\", \"selected\":true},\r\n {\"value\": \"Implemented\", \"label\": \"Implemented\"},\r\n {\"value\": \"Alternate Implementation\", \"label\": \"Alternate Implementation\"},\r\n {\"value\": \"Planned\", \"label\": \"Planned\"},\r\n {\"value\": \"Out of Scope\", \"label\": \"Out of Scope\"}\r\n]", + "timeContext": { + "durationMs": 86400000 + } + }, + { + "id": "578b8620-30b9-4b92-abc6-997998bc8156", + "version": "KqlParameterItem/1.0", + "name": "ImplementationDate", + "label": "Implementation Date", + "type": 1, + "value": "", + "timeContext": { + "durationMs": 86400000 + } + }, + { + "version": "KqlParameterItem/1.0", + "name": "Notes", + "type": 1, + "value": "", + "timeContext": { + "durationMs": 86400000 + }, + "id": "7bd0d384-d3c3-4c77-9dae-d75e823edfcf" + } + ], + "style": "pills", + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces" + }, + "name": "Status" + }, + { + "type": 1, + "content": { + "json": "### Notes
\r\n{Notes}" + }, + "name": "text - 1" + } + ] + }, + "customWidth": "50", + "name": "group - 2" + } + ] + }, + "name": "SC.L2-3.13.13", + "styleSettings": { + "showBorder": true + } + }, + { + "type": 12, + "content": { + "version": "NotebookGroup/1.0", + "groupType": "editable", + "items": [ + { + "type": 1, + "content": { + "json": "# (SC.L2-3.13.14) Voice Over Internet Protocol\r\n\r\n# Secondary Services\r\n✳️ [Microsoft Defender for Office 365](https://www.microsoft.com/microsoft-365/security/office-365-defender) 🔀[Microsoft 365 Defender Portal](https://security.microsoft.com/homepage)
\r\n\r\n## Recommended Logs\r\n🔷 [OfficeActivity](https://docs.microsoft.com/azure/azure-monitor/reference/tables/officeactivity) ✳️ [Microsoft Defender for Office 365]( https://www.microsoft.com/microsoft-365/security/office-365-defender)
\r\n\r\n## Implementation Guidance\r\n[Microsoft Technical Reference Guide for CMMC](https://aka.ms/cmmc/techrefguide)\r\n## NIST SP 800-171 Mapping\r\n[3.13.14](https://csrc.nist.gov/publications/detail/sp/800-171/rev-2/final)
\r\n## NIST SP 800-53 R4 Mapping\r\n[SC-19](https://csrc.nist.gov/publications/detail/sp/800-53/rev-4/final)\r\n## Microsoft Defender for Cloud: Regulatory Compliance\r\n[Go To: NIST SP 800-171 Assessment >](https://portal.azure.com/#blade/Microsoft_Azure_Security/SecurityMenuBlade/22)
\r\n" + }, + "customWidth": "50", + "name": "text - 0", + "styleSettings": { + "maxWidth": "50" + } + }, + { + "type": 3, + "content": { + "version": "KqlItem/1.0", + "query": "OfficeActivity\r\n| where RecordType == \"MicrosoftTeams\"\r\n| summarize count() by RecordType, Operation, UserId\r\n| sort by count_ desc\r\n| limit 250\r\n", + "size": 0, + "showAnalytics": true, + "title": "Control & Monitor Microsoft Teams Activity", + "noDataMessage": "An Empty Panel Provides Opportunity To Explore Further and Implement Hardening. Controls: Confirm Licensing, Availability, and Health of Respective Offerings. Logging: Confirm Log Source is Onboarded to the Log Analytics Workspace. Time: Adjust the Time Parameter for a Larger Data-Set. ", + "timeContext": { + "durationMs": 2592000000 + }, + "timeContextFromParameter": "TimeRange", + "showExportToExcel": true, + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces", + "crossComponentResources": [ + "{Workspace}" + ], + "gridSettings": { + "formatters": [ + { + "columnMatch": "RecordType", + "formatter": 18, + "formatOptions": { + "thresholdsOptions": "icons", + "thresholdsGrid": [ + { + "operator": "Default", + "thresholdValue": null, + "representation": "Connect", + "text": "{0}{1}" + } + ] + } + }, + { + "columnMatch": "UserId", + "formatter": 18, + "formatOptions": { + "thresholdsOptions": "icons", + "thresholdsGrid": [ + { + "operator": "Default", + "thresholdValue": null, + "representation": "Person", + "text": "{0}{1}" + } + ] + } + }, + { + "columnMatch": "count_", + "formatter": 4, + "formatOptions": { + "palette": "blue" + } + } + ], + "filter": true + }, + "tileSettings": { + "showBorder": false, + "titleContent": { + "columnMatch": "RecommendationName", + "formatter": 1 + }, + "leftContent": { + "columnMatch": "count_", + "formatter": 12, + "formatOptions": { + "palette": "auto" + }, + "numberFormat": { + "unit": 17, + "options": { + "maximumSignificantDigits": 3, + "maximumFractionDigits": 2 + } + } + } + } + }, + "customWidth": "50", + "name": "query - 2", + "styleSettings": { + "maxWidth": "50" + } + }, + { + "type": 12, + "content": { + "version": "NotebookGroup/1.0", + "groupType": "editable", + "items": [ + { + "type": 1, + "content": { + "json": "## Control Assessment\r\n" + }, + "name": "text - 2" + }, + { + "type": 9, + "content": { + "version": "KqlParameterItem/1.0", + "parameters": [ + { + "id": "52668f65-b44a-4e14-82d8-c87410e7e5dc", + "version": "KqlParameterItem/1.0", + "name": "ImplementationStatus", + "label": "Implementation Status", + "type": 2, + "typeSettings": { + "additionalResourceOptions": [], + "showDefault": false + }, + "jsonData": "[\r\n {\"value\": \"Not Implemented\", \"label\": \"Not Implemented\", \"selected\":true},\r\n {\"value\": \"Implemented\", \"label\": \"Implemented\"},\r\n {\"value\": \"Alternate Implementation\", \"label\": \"Alternate Implementation\"},\r\n {\"value\": \"Planned\", \"label\": \"Planned\"},\r\n {\"value\": \"Out of Scope\", \"label\": \"Out of Scope\"}\r\n]", + "timeContext": { + "durationMs": 86400000 + } + }, + { + "id": "578b8620-30b9-4b92-abc6-997998bc8156", + "version": "KqlParameterItem/1.0", + "name": "ImplementationDate", + "label": "Implementation Date", + "type": 1, + "value": "", + "timeContext": { + "durationMs": 86400000 + } + }, + { + "version": "KqlParameterItem/1.0", + "name": "Notes", + "type": 1, + "value": "", + "timeContext": { + "durationMs": 86400000 + }, + "id": "7bd0d384-d3c3-4c77-9dae-d75e823edfcf" + } + ], + "style": "pills", + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces" + }, + "name": "Status" + }, + { + "type": 1, + "content": { + "json": "### Notes
\r\n{Notes}" + }, + "name": "text - 1" + } + ] + }, + "customWidth": "50", + "name": "group - 2" + } + ] + }, + "name": "SC.L2-3.13.14", + "styleSettings": { + "showBorder": true + } + }, + { + "type": 12, + "content": { + "version": "NotebookGroup/1.0", + "groupType": "editable", + "items": [ + { + "type": 1, + "content": { + "json": "# [(SC.L2-3.13.15) Communications Authenticity](https://docs.microsoft.com/azure/governance/policy/samples/cmmc-l3?WT.mc_id=Portal-fx#protect-the-authenticity-of-communications-sessions)\r\n\r\n## Primary Services\r\n✳️ [Microsoft Azure Portal](https://azure.microsoft.com/services/azure-defender-for-iot/) 🔀[Microsoft Azure Portal](https://portal.azure.com/)
\r\n\r\n# Secondary Services\r\n✳️ [Azure ExpressRoute]( https://azure.microsoft.com/services/expressroute/) 🔀[ExpressRoute Circuits](https://portal.azure.com/#blade/HubsExtension/BrowseResource/resourceType/Microsoft.Network%2FexpressRouteCircuits)
\r\n✳️ [Key Vault](https://azure.microsoft.com/services/key-vault/) 🔀[Key Vaults](https://portal.azure.com/#blade/HubsExtension/BrowseResource/resourceType/Microsoft.KeyVault%2Fvaults)
\r\n✳️ [Load Balancer]( https://azure.microsoft.com/services/load-balancer/) 🔀[Load Balancers](https://portal.azure.com/#blade/Microsoft_Azure_Network/LoadBalancingHubMenuBlade/loadBalancers)
\r\n✳️ [Network Security Groups](https://docs.microsoft.com/azure/virtual-network/network-security-groups-overview) 🔀[Network Security Groups](https://portal.azure.com/#blade/HubsExtension/BrowseResource/resourceType/Microsoft.Network%2FNetworkSecurityGroups)
\r\n✳️ [Virtual Machines](https://azure.microsoft.com/services/virtual-machines/) 🔀[Virtual Machines](https://portal.azure.com/#blade/HubsExtension/BrowseResource/resourceType/Microsoft.Compute%2FVirtualMachines)
\r\n✳️ [Virtual Network]( https://azure.microsoft.com/services/virtual-network/) 🔀[Virtual Networks](https://portal.azure.com/#blade/HubsExtension/BrowseResource/resourceType/Microsoft.Network%2FvirtualNetworks)
\r\n✳️ [VPN Gateway](https://azure.microsoft.com/services/vpn-gateway/) 🔀[Virtual Network Gateways](https://portal.azure.com/#blade/HubsExtension/BrowseResourceBlade/resourceType/Microsoft.Network%2FvirtualNetworkGateways)
\r\n✳️ [Azure Information Protection](https://azure.microsoft.com/services/information-protection/) 🔀[Azure Information Protection](https://portal.azure.com/#blade/Microsoft_Azure_InformationProtection/DataClassGroupEditBlade/quickstartBlade)
\r\n\r\n## Recommended Logs\r\n🔷 [SecurityRecommendation](https://docs.microsoft.com/azure/defender-for-iot/how-to-security-data-access#security-recommendations) ✳️ [Microsoft Defender for Cloud](https://azure.microsoft.com/services/security-center/)
\r\n\r\n## Implementation Guidance\r\n[Microsoft Technical Reference Guide for CMMC](https://aka.ms/cmmc/techrefguide)\r\n## NIST SP 800-171 Mapping\r\n[3.13.15](https://csrc.nist.gov/publications/detail/sp/800-171/rev-2/final)
\r\n## NIST SP 800-53 R4 Mapping\r\n[SC-23](https://csrc.nist.gov/publications/detail/sp/800-53/rev-4/final)\r\n## Microsoft Defender for Cloud: Regulatory Compliance\r\n[Go To: NIST SP 800-171 Assessment >](https://portal.azure.com/#blade/Microsoft_Azure_Security/SecurityMenuBlade/22)
\r\n" + }, + "customWidth": "50", + "name": "text - 0", + "styleSettings": { + "maxWidth": "50" + } + }, + { + "type": 3, + "content": { + "version": "KqlItem/1.0", + "query": "SecurityRecommendation\r\n| where RecommendationDisplayName contains \"web\" or RecommendationDisplayName contains \"http\" or RecommendationDisplayName contains \"protocol\" or RecommendationDisplayName contains \"session\" or RecommendationDisplayName contains \"comm\"\r\n| summarize arg_max(TimeGenerated, *) by RecommendationDisplayName, AssessedResourceId\r\n| summarize\r\n Failed = countif(RecommendationState == \"Unhealthy\"),\r\n Passed = countif(RecommendationState == \"Healthy\"),\r\n Total = countif(RecommendationState == \"Healthy\" or RecommendationState == \"Unhealthy\")\r\n by RecommendationDisplayName\r\n| extend PassedControls = (Passed / todouble(Total)) * 100\r\n| project RecommendationDisplayName, Total, PassedControls, Passed, Failed\r\n| sort by Total desc\r\n| limit 250", + "size": 0, + "showAnalytics": true, + "title": "Review Microsoft Defender for Cloud Recommendations", + "noDataMessage": "An Empty Panel Provides Opportunity To Explore Further and Implement Hardening. Controls: Confirm Licensing, Availability, and Health of Respective Offerings. Logging: Confirm Log Source is Onboarded to the Log Analytics Workspace. Time: Adjust the Time Parameter for a Larger Data-Set. ", + "timeContext": { + "durationMs": 0 + }, + "timeContextFromParameter": "TimeRange", + "showExportToExcel": true, + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces", + "crossComponentResources": [ + "{Workspace}" + ], + "gridSettings": { + "formatters": [ + { + "columnMatch": "RecommendationDisplayName", + "formatter": 18, + "formatOptions": { + "thresholdsOptions": "icons", + "thresholdsGrid": [ + { + "operator": "Default", + "thresholdValue": null, + "representation": "Gear", + "text": "{0}{1}" + } + ] + } + }, + { + "columnMatch": "Total", + "formatter": 22, + "formatOptions": { + "compositeBarSettings": { + "labelText": "", + "columnSettings": [ + { + "columnName": "Passed", + "color": "green" + }, + { + "columnName": "Failed", + "color": "redBright" + } + ] + } + } + }, + { + "columnMatch": "PassedControls", + "formatter": 0, + "numberFormat": { + "unit": 1, + "options": { + "style": "decimal", + "maximumFractionDigits": 2 + } + } + }, + { + "columnMatch": "ControlNumber", + "formatter": 18, + "formatOptions": { + "thresholdsOptions": "icons", + "thresholdsGrid": [ + { + "operator": "Default", + "thresholdValue": null, + "representation": "AllServices", + "text": "{0}{1}" + } + ] + } + }, + { + "columnMatch": "RecommendationState", + "formatter": 18, + "formatOptions": { + "thresholdsOptions": "icons", + "thresholdsGrid": [ + { + "operator": "!=", + "thresholdValue": "Healthy", + "representation": "3", + "text": "{0}{1}" + }, + { + "operator": "Default", + "thresholdValue": null, + "representation": "success", + "text": "{0}{1}" + } + ] + } + }, + { + "columnMatch": "count_", + "formatter": 4, + "formatOptions": { + "palette": "blue" + } + } + ], + "filter": true + } + }, + "customWidth": "50", + "name": "query - 1" + }, + { + "type": 12, + "content": { + "version": "NotebookGroup/1.0", + "groupType": "editable", + "items": [ + { + "type": 1, + "content": { + "json": "## Control Assessment\r\n" + }, + "name": "text - 2" + }, + { + "type": 9, + "content": { + "version": "KqlParameterItem/1.0", + "parameters": [ + { + "id": "52668f65-b44a-4e14-82d8-c87410e7e5dc", + "version": "KqlParameterItem/1.0", + "name": "ImplementationStatus", + "label": "Implementation Status", + "type": 2, + "typeSettings": { + "additionalResourceOptions": [], + "showDefault": false + }, + "jsonData": "[\r\n {\"value\": \"Not Implemented\", \"label\": \"Not Implemented\", \"selected\":true},\r\n {\"value\": \"Implemented\", \"label\": \"Implemented\"},\r\n {\"value\": \"Alternate Implementation\", \"label\": \"Alternate Implementation\"},\r\n {\"value\": \"Planned\", \"label\": \"Planned\"},\r\n {\"value\": \"Out of Scope\", \"label\": \"Out of Scope\"}\r\n]", + "timeContext": { + "durationMs": 86400000 + } + }, + { + "id": "578b8620-30b9-4b92-abc6-997998bc8156", + "version": "KqlParameterItem/1.0", + "name": "ImplementationDate", + "label": "Implementation Date", + "type": 1, + "value": "", + "timeContext": { + "durationMs": 86400000 + } + }, + { + "version": "KqlParameterItem/1.0", + "name": "Notes", + "type": 1, + "value": "", + "timeContext": { + "durationMs": 86400000 + }, + "id": "7bd0d384-d3c3-4c77-9dae-d75e823edfcf" + } + ], + "style": "pills", + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces" + }, + "name": "Status" + }, + { + "type": 1, + "content": { + "json": "### Notes
\r\n{Notes}" + }, + "name": "text - 1" + } + ] + }, + "customWidth": "50", + "name": "group - 2" + } + ] + }, + "name": "SC.L2-3.13.15", + "styleSettings": { + "showBorder": true + } + }, + { + "type": 12, + "content": { + "version": "NotebookGroup/1.0", + "groupType": "editable", + "items": [ + { + "type": 1, + "content": { + "json": "# [(SC.L2-3.13.16) Data at Rest](https://docs.microsoft.com/azure/governance/policy/samples/cmmc-l3?WT.mc_id=Portal-fx#protect-the-confidentiality-of-cui-at-rest)\r\n\r\n## Primary Services\r\n✳️ [Key Vault](https://azure.microsoft.com/services/key-vault/) 🔀[Key Vaults](https://portal.azure.com/#blade/HubsExtension/BrowseResource/resourceType/Microsoft.KeyVault%2Fvaults)
\r\n\r\n# Secondary Services\r\n✳️ [Azure Monitor](https://azure.microsoft.com/services/monitor/) 🔀[Monitor](https://portal.azure.com/#blade/Microsoft_Azure_Monitoring/AzureMonitoringBrowseBlade/overview)
\r\n✳️ [Microsoft Sentinel](https://azure.microsoft.com/services/azure-sentinel/) 🔀[Microsoft Sentinel](https://portal.azure.com/#blade/HubsExtension/BrowseResource/resourceType/microsoft.securityinsightsarg%2Fsentinel)
\r\n✳️ [Virtual Machines](https://azure.microsoft.com/services/virtual-machines/) 🔀[Virtual Machines](https://portal.azure.com/#blade/HubsExtension/BrowseResource/resourceType/Microsoft.Compute%2FVirtualMachines)
\r\n✳️ [Azure Information Protection](https://azure.microsoft.com/services/information-protection/) 🔀[Azure Information Protection](https://portal.azure.com/#blade/Microsoft_Azure_InformationProtection/DataClassGroupEditBlade/quickstartBlade)
\r\n✳️ [Intune/Microsoft Endpoint Manager](https://www.microsoft.com/microsoft-365/microsoft-endpoint-Manager) 🔀[Microsoft Endpoint Manager Admin Center](https://endpoint.microsoft.com/#home)
\r\n✳️ [Microsoft Defender for Cloud Apps](https://www.microsoft.com/microsoft-365/enterprise-mobility-security/cloud-app-security) 🔀 [Microsoft Defender for Cloud Apps Portal](https://portal.cloudappsecurity.com/)
\r\n✳️ [Microsoft Defender for Endpoint]( https://www.microsoft.com/microsoft-365/security/endpoint-defender) 🔀[Microsoft 365 Defender](https://security.microsoft.com/)
\r\n✳️ [Microsoft Defender for Office 365](https://www.microsoft.com/microsoft-365/security/office-365-defender) 🔀[Microsoft 365 Defender Portal](https://security.microsoft.com/homepage)
\r\n\r\n## Recommended Logs\r\n🔷 [SecurityRecommendation](https://docs.microsoft.com/azure/defender-for-iot/how-to-security-data-access#security-recommendations) ✳️ [Microsoft Defender for Cloud](https://azure.microsoft.com/services/security-center/)
\r\n\r\n## Implementation Guidance\r\n[Microsoft Technical Reference Guide for CMMC](https://aka.ms/cmmc/techrefguide)\r\n## NIST SP 800-171 Mapping\r\n[3.13.16](https://csrc.nist.gov/publications/detail/sp/800-171/rev-2/final)
\r\n## NIST SP 800-53 R4 Mapping\r\n[SC-28](https://csrc.nist.gov/publications/detail/sp/800-53/rev-4/final)\r\n## Microsoft Defender for Cloud: Regulatory Compliance\r\n[Go To: NIST SP 800-171 Assessment >](https://portal.azure.com/#blade/Microsoft_Azure_Security/SecurityMenuBlade/22)
\r\n" + }, + "customWidth": "50", + "name": "text - 0", + "styleSettings": { + "maxWidth": "50" + } + }, + { + "type": 3, + "content": { + "version": "KqlItem/1.0", + "query": "SecurityRecommendation\r\n| where RecommendationDisplayName contains \"stor\" or RecommendationDisplayName contains \"disk\" or RecommendationDisplayName contains \"SQL\" or RecommendationDisplayName contains \"database\"\r\n| summarize arg_max(TimeGenerated, *) by RecommendationDisplayName, AssessedResourceId\r\n| summarize\r\n Failed = countif(RecommendationState == \"Unhealthy\"),\r\n Passed = countif(RecommendationState == \"Healthy\"),\r\n Total = countif(RecommendationState == \"Healthy\" or RecommendationState == \"Unhealthy\")\r\n by RecommendationDisplayName\r\n| extend PassedControls = (Passed / todouble(Total)) * 100\r\n| project RecommendationDisplayName, Total, PassedControls, Passed, Failed\r\n| sort by Total desc\r\n| limit 250", + "size": 0, + "showAnalytics": true, + "title": "Review Microsoft Defender for Cloud Recommendations", + "noDataMessage": "An Empty Panel Provides Opportunity To Explore Further and Implement Hardening. Controls: Confirm Licensing, Availability, and Health of Respective Offerings. Logging: Confirm Log Source is Onboarded to the Log Analytics Workspace. Time: Adjust the Time Parameter for a Larger Data-Set. ", + "timeContext": { + "durationMs": 0 + }, + "timeContextFromParameter": "TimeRange", + "showExportToExcel": true, + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces", + "crossComponentResources": [ + "{Workspace}" + ], + "gridSettings": { + "formatters": [ + { + "columnMatch": "RecommendationDisplayName", + "formatter": 18, + "formatOptions": { + "thresholdsOptions": "icons", + "thresholdsGrid": [ + { + "operator": "Default", + "thresholdValue": null, + "representation": "Gear", + "text": "{0}{1}" + } + ] + } + }, + { + "columnMatch": "Total", + "formatter": 22, + "formatOptions": { + "compositeBarSettings": { + "labelText": "", + "columnSettings": [ + { + "columnName": "Passed", + "color": "green" + }, + { + "columnName": "Failed", + "color": "redBright" + } + ] + } + } + }, + { + "columnMatch": "PassedControls", + "formatter": 0, + "numberFormat": { + "unit": 1, + "options": { + "style": "decimal", + "maximumFractionDigits": 2 + } + } + }, + { + "columnMatch": "ControlNumber", + "formatter": 18, + "formatOptions": { + "thresholdsOptions": "icons", + "thresholdsGrid": [ + { + "operator": "Default", + "thresholdValue": null, + "representation": "AllServices", + "text": "{0}{1}" + } + ] + } + }, + { + "columnMatch": "RecommendationState", + "formatter": 18, + "formatOptions": { + "thresholdsOptions": "icons", + "thresholdsGrid": [ + { + "operator": "!=", + "thresholdValue": "Healthy", + "representation": "3", + "text": "{0}{1}" + }, + { + "operator": "Default", + "thresholdValue": null, + "representation": "success", + "text": "{0}{1}" + } + ] + } + }, + { + "columnMatch": "count_", + "formatter": 4, + "formatOptions": { + "palette": "blue" + } + } + ], + "filter": true + } + }, + "customWidth": "50", + "name": "query - 1" + }, + { + "type": 12, + "content": { + "version": "NotebookGroup/1.0", + "groupType": "editable", + "items": [ + { + "type": 1, + "content": { + "json": "## Control Assessment\r\n" + }, + "name": "text - 2" + }, + { + "type": 9, + "content": { + "version": "KqlParameterItem/1.0", + "parameters": [ + { + "id": "52668f65-b44a-4e14-82d8-c87410e7e5dc", + "version": "KqlParameterItem/1.0", + "name": "ImplementationStatus", + "label": "Implementation Status", + "type": 2, + "typeSettings": { + "additionalResourceOptions": [], + "showDefault": false + }, + "jsonData": "[\r\n {\"value\": \"Not Implemented\", \"label\": \"Not Implemented\", \"selected\":true},\r\n {\"value\": \"Implemented\", \"label\": \"Implemented\"},\r\n {\"value\": \"Alternate Implementation\", \"label\": \"Alternate Implementation\"},\r\n {\"value\": \"Planned\", \"label\": \"Planned\"},\r\n {\"value\": \"Out of Scope\", \"label\": \"Out of Scope\"}\r\n]", + "timeContext": { + "durationMs": 86400000 + } + }, + { + "id": "578b8620-30b9-4b92-abc6-997998bc8156", + "version": "KqlParameterItem/1.0", + "name": "ImplementationDate", + "label": "Implementation Date", + "type": 1, + "value": "", + "timeContext": { + "durationMs": 86400000 + } + }, + { + "version": "KqlParameterItem/1.0", + "name": "Notes", + "type": 1, + "value": "", + "timeContext": { + "durationMs": 86400000 + }, + "id": "7bd0d384-d3c3-4c77-9dae-d75e823edfcf" + } + ], + "style": "pills", + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces" + }, + "name": "Status" + }, + { + "type": 1, + "content": { + "json": "### Notes
\r\n{Notes}" + }, + "name": "text - 1" + } + ] + }, + "customWidth": "50", + "name": "group - 2" + } + ] + }, + "name": "SC.L2-3.13.16", + "styleSettings": { + "showBorder": true + } + } + ] + }, + "conditionalVisibility": { + "parameterName": "isML2Visible", + "comparison": "isEqualTo", + "value": "true" + }, + "name": "Level 2: Advanced" + } + ] + }, + "conditionalVisibility": { + "parameterName": "isSCVisible", + "comparison": "isEqualTo", + "value": "true" + }, + "name": "System & Communications Group", + "styleSettings": { + "showBorder": true + } + }, + { + "type": 12, + "content": { + "version": "NotebookGroup/1.0", + "groupType": "editable", + "items": [ + { + "type": 1, + "content": { + "json": "# System & Information Integrity\r\n---\r\nSystem & Information Integrity includes controls to identify system flaws, combat malware, and identify anomalies. For more information, see the 💡[CMMC Model](https://www.acq.osd.mil/cmmc/model.html)" + }, + "customWidth": "50", + "name": "text - 5" + }, + { + "type": 12, + "content": { + "version": "NotebookGroup/1.0", + "groupType": "editable", + "title": "Level 1: Foundational", + "items": [ + { + "type": 1, + "content": { + "json": "The Department views Level 1 (“Foundational”) as an opportunity to engage its contractors in developing and strengthening their approach to cybersecurity. Because Level 1 does not involve sensitive national security information, DoD intends for this Level to allow companies to assess their own cybersecurity and begin adopting practices that will thwart cyber-attacks. " + }, + "customWidth": "50", + "name": "text - 1" + }, + { + "type": 1, + "content": { + "json": "" + }, + "customWidth": "5", + "name": "text - 2" + }, + { + "type": 11, + "content": { + "version": "LinkItem/1.0", + "style": "list", + "links": [ + { + "id": "af33f331-b64b-4fbd-a0b4-3e411ff705a8", + "cellValue": "SC.L1-3.14.1", + "linkTarget": "step", + "linkLabel": "✳️ (SC.L1-3.14.1) Flaw Remediation", + "preText": "", + "postText": "", + "style": "link" + }, + { + "id": "cc953797-1e63-4908-b327-696b9852e011", + "cellValue": "SC.L1-3.14.2", + "linkTarget": "step", + "linkLabel": "✳️ (SC.L1-3.14.2) Malicious Code Protection", + "preText": "", + "postText": "", + "style": "link" + }, + { + "id": "a9af4f42-5e43-480e-b684-94903ea3ab1a", + "cellValue": "SC.L1-3.14.4", + "linkTarget": "step", + "linkLabel": "✳️ (SC.L1-3.14.4) Update Malicious Code Protection", + "preText": "", + "postText": "", + "style": "link" + }, + { + "id": "591eebe3-fee7-4d51-825e-1651c99d5761", + "cellValue": "SC.L1-3.14.5", + "linkTarget": "step", + "linkLabel": "✳️ (SC.L1-3.14.5) System & File Scanning", + "preText": "", + "postText": "", + "style": "link" + } + ] + }, + "customWidth": "40", + "name": "ML1 Steps" + }, + { + "type": 12, + "content": { + "version": "NotebookGroup/1.0", + "groupType": "editable", + "items": [ + { + "type": 1, + "content": { + "json": "# [(SC.L1-3.14.1) Flaw Remediation](https://docs.microsoft.com/azure/governance/policy/samples/cmmc-l3?WT.mc_id=Portal-fx#identify-report-and-correct-information-and-information-system-flaws-in-a-timely-manner)\r\n\r\n## Primary Services\r\n✳️ [Microsoft Defender for Cloud](https://azure.microsoft.com/services/security-center) 🔀[Microsoft Defender for Cloud](https://portal.azure.com/#blade/Microsoft_Azure_Security/SecurityMenuBlade/0)
\r\n✳️ [Microsoft Sentinel](https://azure.microsoft.com/services/azure-sentinel/) 🔀[Microsoft Sentinel](https://portal.azure.com/#blade/HubsExtension/BrowseResource/resourceType/microsoft.securityinsightsarg%2Fsentinel)
\r\n\r\n## Secondary Services\r\n✳️ [Intune/Microsoft Endpoint Manager](https://www.microsoft.com/microsoft-365/microsoft-endpoint-Manager) 🔀[Microsoft Endpoint Manager Admin Center](https://endpoint.microsoft.com/#home)
\r\n✳️ [Microsoft Defender for Endpoint]( https://www.microsoft.com/microsoft-365/security/endpoint-defender) 🔀[Microsoft 365 Defender](https://security.microsoft.com/)
\r\n\r\n## Recommended Logs\r\n🔷 [SecurityRecommendation](https://docs.microsoft.com/azure/defender-for-iot/how-to-security-data-access#security-recommendations) ✳️ [Microsoft Defender for Cloud](https://azure.microsoft.com/services/security-center/)
\r\n\r\n## Implementation Guidance\r\n[Microsoft Technical Reference Guide for CMMC](https://aka.ms/cmmc/techrefguide)\r\n## NIST SP 800-171 Mapping\r\n[3.14.1](https://csrc.nist.gov/publications/detail/sp/800-171/rev-2/final)
\r\n## NIST SP 800-53 R4 Mapping\r\n[SI-2, SI-3, SI-5](https://csrc.nist.gov/publications/detail/sp/800-53/rev-4/final)\r\n## Microsoft Defender for Cloud: Regulatory Compliance\r\n[Go To: NIST SP 800-171 Assessment >](https://portal.azure.com/#blade/Microsoft_Azure_Security/SecurityMenuBlade/22)
\r\n" + }, + "customWidth": "50", + "name": "text - 0", + "styleSettings": { + "maxWidth": "50" + } + }, + { + "type": 3, + "content": { + "version": "KqlItem/1.0", + "query": "SecurityRecommendation\r\n| summarize arg_max(TimeGenerated, *) by RecommendationName, AssessedResourceId, RecommendationSeverity\r\n| summarize Failed = countif(RecommendationState == \"Unhealthy\"), Passed = countif(RecommendationState == \"Healthy\"), Total = countif(RecommendationState == \"Healthy\" or RecommendationState == \"Unhealthy\") by RecommendationSeverity\r\n| extend PassedControls = (Passed/todouble(Total))*100\r\n| where RecommendationSeverity <> \"\"\r\n| project RecommendationSeverity, Total, PassedControls, Passed, Failed\r\n| sort by Total desc\r\n| limit 250", + "size": 0, + "showAnalytics": true, + "title": "Microsoft Defender for Cloud Recommendations by Severity", + "noDataMessage": "An Empty Panel Provides Opportunity To Explore Further and Implement Hardening. Controls: Confirm Licensing, Availability, and Health of Respective Offerings. Logging: Confirm Log Source is Onboarded to the Log Analytics Workspace. Time: Adjust the Time Parameter for a Larger Data-Set. ", + "timeContext": { + "durationMs": 2592000000 + }, + "timeContextFromParameter": "TimeRange", + "showExportToExcel": true, + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces", + "crossComponentResources": [ + "{Workspace}" + ], + "gridSettings": { + "formatters": [ + { + "columnMatch": "Total", + "formatter": 22, + "formatOptions": { + "compositeBarSettings": { + "labelText": "[\"Passed\"]/[\"Total\"]", + "columnSettings": [ + { + "columnName": "Passed", + "color": "green" + }, + { + "columnName": "Failed", + "color": "redBright" + } + ] + } + } + }, + { + "columnMatch": "PassedControls", + "formatter": 0, + "numberFormat": { + "unit": 1, + "options": { + "style": "decimal", + "useGrouping": true, + "minimumIntegerDigits": 2, + "minimumFractionDigits": 2, + "maximumFractionDigits": 2, + "minimumSignificantDigits": 2, + "maximumSignificantDigits": 4 + } + } + }, + { + "columnMatch": "count_", + "formatter": 4, + "formatOptions": { + "palette": "yellowOrangeRed" + } + }, + { + "columnMatch": "total_controls_curr", + "formatter": 22, + "formatOptions": { + "compositeBarSettings": { + "labelText": "[\"Passed\"]/[\"Failed\"]", + "columnSettings": [ + { + "columnName": "Passed", + "color": "green" + }, + { + "columnName": "Failed", + "color": "redBright" + } + ] + } + } + } + ], + "filter": true + }, + "sortBy": [] + }, + "customWidth": "50", + "name": "query - 6 - Copy" + } + ] + }, + "name": "SC.L1-3.14.1", + "styleSettings": { + "showBorder": true + } + }, + { + "type": 12, + "content": { + "version": "NotebookGroup/1.0", + "groupType": "editable", + "items": [ + { + "type": 1, + "content": { + "json": "# [(SC.L1-3.14.2) Malicious Code Protection](https://docs.microsoft.com/azure/governance/policy/samples/cmmc-l3?WT.mc_id=Portal-fx#provide-protection-from-malicious-code-at-appropriate-locations-within-organizational-information-systems)\r\n\r\n## Primary Services\r\n✳️ [Azure Web Application Firewall]( https://azure.microsoft.com/services/web-application-firewall/) 🔀 [Web Application Firewall Policies](https://portal.azure.com/#blade/HubsExtension/BrowseResource/resourceType/Microsoft.Network%2FFrontDoorWebApplicationFirewallPolicies)
\r\n✳️ [Intune/Microsoft Endpoint Manager](https://www.microsoft.com/microsoft-365/microsoft-endpoint-Manager) 🔀[Microsoft Endpoint Manager Admin Center](https://endpoint.microsoft.com/#home)
\r\n✳️ [Microsoft Defender for Endpoint]( https://www.microsoft.com/microsoft-365/security/endpoint-defender) 🔀[Microsoft 365 Defender](https://security.microsoft.com/)
\r\n\r\n## Secondary Services\r\n✳️ [Azure DNS](https://azure.microsoft.com/services/dns/) 🔀[DNS Zones](https://portal.azure.com/#blade/HubsExtension/BrowseResource/resourceType/Microsoft.Network%2FdnsZones)
\r\n✳️ [Virtual Network]( https://azure.microsoft.com/services/virtual-network/) 🔀[Virtual Networks](https://portal.azure.com/#blade/HubsExtension/BrowseResource/resourceType/Microsoft.Network%2FvirtualNetworks)
\r\n✳️ [Microsoft Defender for Office 365](https://www.microsoft.com/microsoft-365/security/office-365-defender) 🔀[Microsoft 365 Defender Portal](https://security.microsoft.com/homepage)
\r\n\r\n## Recommended Logs\r\n🔷 [SecurityRecommendation](https://docs.microsoft.com/azure/defender-for-iot/how-to-security-data-access#security-recommendations) ✳️ [Microsoft Defender for Cloud](https://azure.microsoft.com/services/security-center/)
\r\n\r\n## Implementation Guidance\r\n[Microsoft Technical Reference Guide for CMMC](https://aka.ms/cmmc/techrefguide)\r\n## NIST SP 800-171 Mapping\r\n[3.14.2](https://csrc.nist.gov/publications/detail/sp/800-171/rev-2/final)
\r\n## NIST SP 800-53 R4 Mapping\r\n[SI-2, SI-3, SI-5](https://csrc.nist.gov/publications/detail/sp/800-53/rev-4/final)\r\n## Microsoft Defender for Cloud: Regulatory Compliance\r\n[Go To: NIST SP 800-171 Assessment >](https://portal.azure.com/#blade/Microsoft_Azure_Security/SecurityMenuBlade/22)
\r\n" + }, + "customWidth": "50", + "name": "text - 0", + "styleSettings": { + "maxWidth": "50" + } + }, + { + "type": 3, + "content": { + "version": "KqlItem/1.0", + "query": "SecurityRecommendation\r\n| where RecommendationName contains \"malware\" or RecommendationName contains \"endpoint protect\"\r\n| summarize arg_max(TimeGenerated, *) by RecommendationName, AssessedResourceId\r\n| summarize Failed = countif(RecommendationState == \"Unhealthy\"), Passed = countif(RecommendationState == \"Healthy\"), Total = countif(RecommendationState == \"Healthy\" or RecommendationState == \"Unhealthy\") by RecommendationName\r\n| extend PassedControls = (Passed/todouble(Total))*100\r\n| project RecommendationName, Total, PassedControls, Passed, Failed\r\n| sort by Total desc\r\n| limit 250", + "size": 0, + "showAnalytics": true, + "title": "Review Microsoft Defender for Cloud Recommendations", + "noDataMessage": "An Empty Panel Provides Opportunity To Explore Further and Implement Hardening. Controls: Confirm Licensing, Availability, and Health of Respective Offerings. Logging: Confirm Log Source is Onboarded to the Log Analytics Workspace. Time: Adjust the Time Parameter for a Larger Data-Set. ", + "timeContext": { + "durationMs": 2592000000 + }, + "timeContextFromParameter": "TimeRange", + "showExportToExcel": true, + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces", + "crossComponentResources": [ + "{Workspace}" + ], + "gridSettings": { + "formatters": [ + { + "columnMatch": "Total", + "formatter": 22, + "formatOptions": { + "compositeBarSettings": { + "labelText": "[\"Passed\"]/[\"Total\"]", + "columnSettings": [ + { + "columnName": "Passed", + "color": "green" + }, + { + "columnName": "Failed", + "color": "redBright" + } + ] + } + } + }, + { + "columnMatch": "PassedControls", + "formatter": 0, + "numberFormat": { + "unit": 1, + "options": { + "style": "decimal", + "useGrouping": true, + "minimumIntegerDigits": 2, + "minimumFractionDigits": 2, + "maximumFractionDigits": 2, + "minimumSignificantDigits": 2, + "maximumSignificantDigits": 4 + } + } + }, + { + "columnMatch": "count_", + "formatter": 4, + "formatOptions": { + "palette": "yellowOrangeRed" + } + }, + { + "columnMatch": "total_controls_curr", + "formatter": 22, + "formatOptions": { + "compositeBarSettings": { + "labelText": "[\"Passed\"]/[\"Failed\"]", + "columnSettings": [ + { + "columnName": "Passed", + "color": "green" + }, + { + "columnName": "Failed", + "color": "redBright" + } + ] + } + } + } + ], + "filter": true + }, + "sortBy": [] + }, + "customWidth": "50", + "name": "query - 6 - Copy" + } + ] + }, + "name": "SC.L1-3.14.2", + "styleSettings": { + "showBorder": true + } + }, + { + "type": 12, + "content": { + "version": "NotebookGroup/1.0", + "groupType": "editable", + "items": [ + { + "type": 1, + "content": { + "json": "# [(SC.L1-3.14.4) Update Malicious Code Protection](https://docs.microsoft.com/azure/governance/policy/samples/cmmc-l3?WT.mc_id=Portal-fx#update-malicious-code-protection-mechanisms-when-new-releases-are-available)\r\n\r\n## Primary Services\r\n✳️ [Intune/Microsoft Endpoint Manager](https://www.microsoft.com/microsoft-365/microsoft-endpoint-Manager) 🔀[Microsoft Endpoint Manager Admin Center](https://endpoint.microsoft.com/#home)
\r\n\r\n## Secondary Services\r\n✳️ [Microsoft Defender for Office 365](https://www.microsoft.com/microsoft-365/security/office-365-defender) 🔀[Microsoft 365 Defender Portal](https://security.microsoft.com/homepage)
\r\n✳️ [Microsoft Defender for Endpoint]( https://www.microsoft.com/microsoft-365/security/endpoint-defender) 🔀[Microsoft 365 Defender](https://security.microsoft.com/)
\r\n✳️ [Virtual Machines](https://azure.microsoft.com/services/virtual-machines/) 🔀[Virtual Machines](https://portal.azure.com/#blade/HubsExtension/BrowseResource/resourceType/Microsoft.Compute%2FVirtualMachines)
\r\n\r\n## Recommended Logs\r\n🔷 [SecurityRecommendation](https://docs.microsoft.com/azure/defender-for-iot/how-to-security-data-access#security-recommendations) ✳️ [Microsoft Defender for Cloud](https://azure.microsoft.com/services/security-center/)
\r\n\r\n## Implementation Guidance\r\n[Microsoft Technical Reference Guide for CMMC](https://aka.ms/cmmc/techrefguide)\r\n## NIST SP 800-171 Mapping\r\n[3.14.4](https://csrc.nist.gov/publications/detail/sp/800-171/rev-2/final)
\r\n## NIST SP 800-53 R4 Mapping\r\n[SI-3](https://csrc.nist.gov/publications/detail/sp/800-53/rev-4/final)\r\n## Microsoft Defender for Cloud: Regulatory Compliance\r\n[Go To: NIST SP 800-171 Assessment >](https://portal.azure.com/#blade/Microsoft_Azure_Security/SecurityMenuBlade/22)
\r\n" + }, + "customWidth": "50", + "name": "text - 0", + "styleSettings": { + "maxWidth": "50" + } + }, + { + "type": 3, + "content": { + "version": "KqlItem/1.0", + "query": "SecurityRegulatoryCompliance\r\n| where RecommendationName contains \"Update\" and RecommendationName contains \"Signature\"\r\n| summarize arg_max(TimeGenerated, *) by RecommendationName, AssessedResourceId\r\n| summarize Failed = countif(State == \"Failed\"), Passed = countif(State == \"Passed\"), Total = countif(State == \"Passed\" or State == \"Failed\") by RecommendationName\r\n| extend PassedControls = (Passed/todouble(Total))*100\r\n| project RecommendationName, Total, PassedControls, Passed, Failed\r\n| sort by Total desc\r\n| limit 250", + "size": 0, + "showAnalytics": true, + "title": "Review Microsoft Defender for Cloud Recommendations", + "noDataMessage": "An Empty Panel Provides Opportunity To Explore Further and Implement Hardening. Controls: Confirm Licensing, Availability, and Health of Respective Offerings. Logging: Confirm Log Source is Onboarded to the Log Analytics Workspace. Time: Adjust the Time Parameter for a Larger Data-Set. ", + "timeContext": { + "durationMs": 2592000000 + }, + "timeContextFromParameter": "TimeRange", + "showExportToExcel": true, + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces", + "crossComponentResources": [ + "{Workspace}" + ], + "gridSettings": { + "formatters": [ + { + "columnMatch": "Total", + "formatter": 22, + "formatOptions": { + "compositeBarSettings": { + "labelText": "[\"Passed\"]/[\"Total\"]", + "columnSettings": [ + { + "columnName": "Passed", + "color": "green" + }, + { + "columnName": "Failed", + "color": "redBright" + } + ] + } + } + }, + { + "columnMatch": "PassedControls", + "formatter": 0, + "numberFormat": { + "unit": 1, + "options": { + "style": "decimal", + "useGrouping": true, + "minimumIntegerDigits": 2, + "minimumFractionDigits": 2, + "maximumFractionDigits": 2, + "minimumSignificantDigits": 2, + "maximumSignificantDigits": 4 + } + } + }, + { + "columnMatch": "count_", + "formatter": 4, + "formatOptions": { + "palette": "yellowOrangeRed" + } + }, + { + "columnMatch": "total_controls_curr", + "formatter": 22, + "formatOptions": { + "compositeBarSettings": { + "labelText": "[\"Passed\"]/[\"Failed\"]", + "columnSettings": [ + { + "columnName": "Passed", + "color": "green" + }, + { + "columnName": "Failed", + "color": "redBright" + } + ] + } + } + } + ], + "filter": true + }, + "sortBy": [] + }, + "customWidth": "50", + "name": "query - 6 - Copy" + } + ] + }, + "name": "SC.L1-3.14.4", + "styleSettings": { + "showBorder": true + } + }, + { + "type": 12, + "content": { + "version": "NotebookGroup/1.0", + "groupType": "editable", + "items": [ + { + "type": 1, + "content": { + "json": "# [(SC.L1-3.14.5) System & File Scanning](https://docs.microsoft.com/azure/governance/policy/samples/cmmc-l3?WT.mc_id=Portal-fx#perform-periodic-scans-of-the-information-system-and-real-time-scans-of-files-from-external-sources-as-files-are-downloaded-opened-or-executed)\r\n\r\n## Primary Services\r\n✳️ [Intune/Microsoft Endpoint Manager](https://www.microsoft.com/microsoft-365/microsoft-endpoint-Manager) 🔀[Microsoft Endpoint Manager Admin Center](https://endpoint.microsoft.com/#home)
\r\n\r\n## Secondary Services\r\n✳️ [Azure DNS](https://azure.microsoft.com/services/dns/) 🔀[DNS Zones](https://portal.azure.com/#blade/HubsExtension/BrowseResource/resourceType/Microsoft.Network%2FdnsZones)
\r\n✳️ [Virtual Machines](https://azure.microsoft.com/services/virtual-machines/) 🔀[Virtual Machines](https://portal.azure.com/#blade/HubsExtension/BrowseResource/resourceType/Microsoft.Compute%2FVirtualMachines)
\r\n✳️ [Microsoft Defender for Cloud Apps](https://www.microsoft.com/microsoft-365/enterprise-mobility-security/cloud-app-security) 🔀 [Microsoft Defender for Cloud Apps Portal](https://portal.cloudappsecurity.com/)
\r\n✳️ [Microsoft Defender for Endpoint]( https://www.microsoft.com/microsoft-365/security/endpoint-defender) 🔀[Microsoft 365 Defender](https://security.microsoft.com/)
\r\n✳️ [Microsoft Defender for Office 365](https://www.microsoft.com/microsoft-365/security/office-365-defender) 🔀[Microsoft 365 Defender Portal](https://security.microsoft.com/homepage)
\r\n\r\n## Recommended Logs\r\n🔷 [SecurityRecommendation](https://docs.microsoft.com/azure/defender-for-iot/how-to-security-data-access#security-recommendations) ✳️ [Microsoft Defender for Cloud](https://azure.microsoft.com/services/security-center/)
\r\n\r\n## Implementation Guidance\r\n[Microsoft Technical Reference Guide for CMMC](https://aka.ms/cmmc/techrefguide)\r\n## NIST SP 800-171 Mapping\r\n[3.14.5](https://csrc.nist.gov/publications/detail/sp/800-171/rev-2/final)
\r\n## NIST SP 800-53 R4 Mapping\r\n[SI-3](https://csrc.nist.gov/publications/detail/sp/800-53/rev-4/final)\r\n## Microsoft Defender for Cloud: Regulatory Compliance\r\n[Go To: NIST SP 800-171 Assessment >](https://portal.azure.com/#blade/Microsoft_Azure_Security/SecurityMenuBlade/22)
\r\n" + }, + "customWidth": "50", + "name": "text - 0", + "styleSettings": { + "maxWidth": "50" + } + }, + { + "type": 3, + "content": { + "version": "KqlItem/1.0", + "query": "SecurityRecommendation\r\n| where RecommendationName contains \"defender\"\r\n| summarize arg_max(TimeGenerated, *) by RecommendationName, AssessedResourceId\r\n| summarize Failed = countif(RecommendationState == \"Unhealthy\"), Passed = countif(RecommendationState == \"Healthy\"), Total = countif(RecommendationState == \"Healthy\" or RecommendationState == \"Unhealthy\") by RecommendationName\r\n| extend PassedControls = (Passed/todouble(Total))*100\r\n| project RecommendationName, Total, PassedControls, Passed, Failed\r\n| sort by Total desc\r\n| limit 250", + "size": 0, + "showAnalytics": true, + "title": "Review Microsoft Defender for Cloud Recommendations", + "noDataMessage": "An Empty Panel Provides Opportunity To Explore Further and Implement Hardening. Controls: Confirm Licensing, Availability, and Health of Respective Offerings. Logging: Confirm Log Source is Onboarded to the Log Analytics Workspace. Time: Adjust the Time Parameter for a Larger Data-Set. ", + "timeContext": { + "durationMs": 2592000000 + }, + "timeContextFromParameter": "TimeRange", + "showExportToExcel": true, + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces", + "crossComponentResources": [ + "{Workspace}" + ], + "gridSettings": { + "formatters": [ + { + "columnMatch": "Total", + "formatter": 22, + "formatOptions": { + "compositeBarSettings": { + "labelText": "[\"Passed\"]/[\"Total\"]", + "columnSettings": [ + { + "columnName": "Passed", + "color": "green" + }, + { + "columnName": "Failed", + "color": "redBright" + } + ] + } + } + }, + { + "columnMatch": "PassedControls", + "formatter": 0, + "numberFormat": { + "unit": 1, + "options": { + "style": "decimal", + "useGrouping": true, + "minimumIntegerDigits": 2, + "minimumFractionDigits": 2, + "maximumFractionDigits": 2, + "minimumSignificantDigits": 2, + "maximumSignificantDigits": 4 + } + } + }, + { + "columnMatch": "count_", + "formatter": 4, + "formatOptions": { + "palette": "yellowOrangeRed" + } + }, + { + "columnMatch": "total_controls_curr", + "formatter": 22, + "formatOptions": { + "compositeBarSettings": { + "labelText": "[\"Passed\"]/[\"Failed\"]", + "columnSettings": [ + { + "columnName": "Passed", + "color": "green" + }, + { + "columnName": "Failed", + "color": "redBright" + } + ] + } + } + } + ], + "filter": true + }, + "sortBy": [] + }, + "customWidth": "50", + "name": "query - 6 - Copy" + } + ] + }, + "name": "SC.L1-3.14.5", + "styleSettings": { + "showBorder": true + } + } + ] + }, + "conditionalVisibility": { + "parameterName": "isML1Visible", + "comparison": "isEqualTo", + "value": "true" + }, + "name": "Level 1: Foundational" + }, + { + "type": 12, + "content": { + "version": "NotebookGroup/1.0", + "groupType": "editable", + "title": "Level 2: Advanced", + "items": [ + { + "type": 1, + "content": { + "json": "A subset of programs with Level 2 (“Advanced”) requirements do not involve information critical to national security, and associated contractors will only be required to conduct self-assessments. Once CMMC 2.0 is implemented, contractors will be required to obtain a third-party CMMC assessment for a subset of acquisitions requiring Level 2 (“Advanced”) cybersecurity standards that involve information critical to national security. " + }, + "customWidth": "50", + "name": "text - 1" + }, + { + "type": 1, + "content": { + "json": "" + }, + "customWidth": "5", + "name": "text - 1" + }, + { + "type": 11, + "content": { + "version": "LinkItem/1.0", + "style": "list", + "links": [ + { + "id": "af33f331-b64b-4fbd-a0b4-3e411ff705a8", + "cellValue": "SI.L2-3.14.3", + "linkTarget": "step", + "linkLabel": "✳️ (SI.L2-3.14.3) Security Alerts & Advisories", + "preText": "", + "postText": "", + "style": "link" + }, + { + "id": "aae96c20-ec13-43d0-8602-0c46bdcec567", + "cellValue": "SI.L2-3.14.6", + "linkTarget": "step", + "linkLabel": "✳️ (SI.L2-3.14.6) Monitor Communications for Attacks", + "preText": "", + "postText": "", + "style": "link" + }, + { + "id": "74d74ca8-57df-47d7-8067-0e0044d59579", + "cellValue": "SI.L2-3.14.7", + "linkTarget": "step", + "linkLabel": "✳️ (SI.L2-3.14.7) Identify Unauthorized Use", + "preText": "", + "postText": "", + "style": "link" + } + ] + }, + "customWidth": "40", + "name": "ML2 Steps" + }, + { + "type": 12, + "content": { + "version": "NotebookGroup/1.0", + "groupType": "editable", + "items": [ + { + "type": 1, + "content": { + "json": "# (SI.L2-3.14.3) Security Alerts & Advisories\r\n\r\n## Primary Services\r\n✳️ [Microsoft Sentinel](https://azure.microsoft.com/services/azure-sentinel/) 🔀[Microsoft Sentinel](https://portal.azure.com/#blade/HubsExtension/BrowseResource/resourceType/microsoft.securityinsightsarg%2Fsentinel)
\r\n✳️ [Microsoft Defender for Cloud](https://azure.microsoft.com/services/security-center) 🔀[Microsoft Defender for Cloud](https://portal.azure.com/#blade/Microsoft_Azure_Security/SecurityMenuBlade/0)
\r\n✳️ [Microsoft Defender for Cloud](https://azure.microsoft.com/services/security-center/) 🔀[Microsoft Defender for Cloud](https://portal.azure.com/#blade/Microsoft_Azure_Security/SecurityMenuBlade/0)
\r\n\r\n## Secondary Services\r\n✳️ [Azure Active Directory](https://azure.microsoft.com/services/active-directory/) 🔀[Azure Active Directory Portal](https://portal.azure.com/#blade/Microsoft_AAD_IAM/ActiveDirectoryMenuBlade/Overview)
\r\n✳️ [Microsoft Defender for Cloud Apps](https://www.microsoft.com/microsoft-365/enterprise-mobility-security/cloud-app-security) 🔀 [Microsoft Defender for Cloud Apps Portal](https://portal.cloudappsecurity.com/)
\r\n✳️ [Microsoft Defender for Endpoint]( https://www.microsoft.com/microsoft-365/security/endpoint-defender) 🔀[Microsoft 365 Defender](https://security.microsoft.com/)
\r\n\r\n## Recommended Logs\r\n🔷 [Resources](https://docs.microsoft.com/azure/governance/resource-graph/samples/starter) ✳️ [Microsoft Sentinel](https://azure.microsoft.com/services/azure-sentinel/)
\r\n\r\n## Implementation Guidance\r\n[Microsoft Technical Reference Guide for CMMC](https://aka.ms/cmmc/techrefguide)\r\n## NIST SP 800-171 Mapping\r\n[3.14.3](https://csrc.nist.gov/publications/detail/sp/800-171/rev-2/final)
\r\n## NIST SP 800-53 R4 Mapping\r\n[SI-2, SI-3, SI-5](https://csrc.nist.gov/publications/detail/sp/800-53/rev-4/final)\r\n## Microsoft Defender for Cloud: Regulatory Compliance\r\n[Go To: NIST SP 800-171 Assessment >](https://portal.azure.com/#blade/Microsoft_Azure_Security/SecurityMenuBlade/22)
\r\n" + }, + "customWidth": "50", + "name": "text - 0", + "styleSettings": { + "maxWidth": "50" + } + }, + { + "type": 3, + "content": { + "version": "KqlItem/1.0", + "query": "resources\r\n| where type contains \"logic\"\r\n| project id,type,location,resourceGroup\r\n| order by location asc", + "size": 0, + "showAnalytics": true, + "title": "Automated Security Response (SOAR) Actions Configured", + "noDataMessage": "An Empty Panel Provides Opportunity To Explore Further and Implement Hardening. Controls: Confirm Licensing, Availability, and Health of Respective Offerings. ", + "showExportToExcel": true, + "queryType": 1, + "resourceType": "microsoft.resourcegraph/resources", + "crossComponentResources": [ + "{Workspace}" + ], + "gridSettings": { + "filter": true + } + }, + "customWidth": "50", + "name": "query - 1" + } + ] + }, + "name": "SI.L2-3.14.3", + "styleSettings": { + "showBorder": true + } + }, + { + "type": 12, + "content": { + "version": "NotebookGroup/1.0", + "groupType": "editable", + "items": [ + { + "type": 1, + "content": { + "json": "# [(SI.L2-3.14.6) Monitor Communications for Attacks](https://docs.microsoft.com/azure/governance/policy/samples/cmmc-l3?WT.mc_id=Portal-fx#monitor-organizational-systems-including-inbound-and-outbound-communications-traffic-to-detect-attacks-and-indicators-of-potential-attacks)\r\n\r\n## Primary Services\r\n✳️ [Microsoft Sentinel](https://azure.microsoft.com/services/azure-sentinel/) 🔀[Microsoft Sentinel](https://portal.azure.com/#blade/HubsExtension/BrowseResource/resourceType/microsoft.securityinsightsarg%2Fsentinel)
\r\n✳️ [Microsoft Defender for Cloud](https://azure.microsoft.com/services/security-center) 🔀[Microsoft Defender for Cloud](https://portal.azure.com/#blade/Microsoft_Azure_Security/SecurityMenuBlade/0)
\r\n✳️ [Microsoft Defender for Cloud](https://azure.microsoft.com/services/security-center/) 🔀[Microsoft Defender for Cloud](https://portal.azure.com/#blade/Microsoft_Azure_Security/SecurityMenuBlade/0)
\r\n✳️ [Microsoft Defender for Cloud Apps](https://www.microsoft.com/microsoft-365/enterprise-mobility-security/cloud-app-security) 🔀 [Microsoft Defender for Cloud Apps Portal](https://portal.cloudappsecurity.com/)
\r\n\r\n## Secondary Services\r\n✳️ [Azure DNS](https://azure.microsoft.com/services/dns/) 🔀[DNS Zones](https://portal.azure.com/#blade/HubsExtension/BrowseResource/resourceType/Microsoft.Network%2FdnsZones)
\r\n✳️ [Azure Firewall](https://azure.microsoft.com/services/azure-firewall/) 🔀[Azure Firewall Manager](https://portal.azure.com/#blade/Microsoft_Azure_HybridNetworking/FirewallManagerMenuBlade/firewallManagerOverview)
\r\n✳️ [Key Vault](https://azure.microsoft.com/services/key-vault/) 🔀[Key Vaults](https://portal.azure.com/#blade/HubsExtension/BrowseResource/resourceType/Microsoft.KeyVault%2Fvaults)
\r\n✳️ [Network Security Groups](https://docs.microsoft.com/azure/virtual-network/network-security-groups-overview) 🔀[Network Security Groups](https://portal.azure.com/#blade/HubsExtension/BrowseResource/resourceType/Microsoft.Network%2FNetworkSecurityGroups)
\r\n✳️ [Virtual Network]( https://azure.microsoft.com/services/virtual-network/) 🔀[Virtual Networks](https://portal.azure.com/#blade/HubsExtension/BrowseResource/resourceType/Microsoft.Network%2FvirtualNetworks)
\r\n✳️ [Conditional Access](https://docs.microsoft.com/azure/active-directory/conditional-access/overview) 🔀[Azure Active Directory: Conditional Access](https://portal.azure.com/#blade/Microsoft_AAD_IAM/ConditionalAccessBlade/Policies)
\r\n✳️ [Microsoft Defender for Endpoint]( https://www.microsoft.com/microsoft-365/security/endpoint-defender) 🔀[Microsoft 365 Defender](https://security.microsoft.com/)
\r\n✳️ [Microsoft Defender for Identity](https://www.microsoft.com/microsoft-365/security/identity-defender) 🔀[Microsoft Defender for Identity](https://portal.atp.azure.com/)
\r\n✳️ [Microsoft Defender for Office 365](https://www.microsoft.com/microsoft-365/security/office-365-defender) 🔀[Microsoft 365 Defender Portal](https://security.microsoft.com/homepage)
\r\n\r\n## Recommended Logs\r\n🔷 [SecurityAlert](https://docs.microsoft.com/azure/azure-monitor/reference/tables/securityalert) ✳️ [Microsoft Sentinel](https://azure.microsoft.com/services/azure-sentinel/)
\r\n\r\n## Implementation Guidance\r\n[Microsoft Technical Reference Guide for CMMC](https://aka.ms/cmmc/techrefguide)\r\n## NIST SP 800-171 Mapping\r\n[3.14.6](https://csrc.nist.gov/publications/detail/sp/800-171/rev-2/final)
\r\n## NIST SP 800-53 R4 Mapping\r\n[AU-2, AU-2(3), AU-6, SI-4, SI-4(4)](https://csrc.nist.gov/publications/detail/sp/800-53/rev-4/final)\r\n## Microsoft Defender for Cloud: Regulatory Compliance\r\n[Go To: NIST SP 800-171 Assessment >](https://portal.azure.com/#blade/Microsoft_Azure_Security/SecurityMenuBlade/22)
\r\n" + }, + "customWidth": "50", + "name": "text - 0", + "styleSettings": { + "maxWidth": "50" + } + }, + { + "type": 3, + "content": { + "version": "KqlItem/1.0", + "query": "SecurityAlert\r\n| distinct AlertName, AlertSeverity, ProductName, Status, Tactics, AlertLink, TimeGenerated\r\n| sort by TimeGenerated desc\r\n| limit 250\r\n", + "size": 0, + "showAnalytics": true, + "title": "Monitor Security Alerts", + "noDataMessage": "An Empty Panel Provides Opportunity To Explore Further and Implement Hardening. Controls: Confirm Licensing, Availability, and Health of Respective Offerings. Logging: Confirm Log Source is Onboarded to the Log Analytics Workspace. Time: Adjust the Time Parameter for a Larger Data-Set. ", + "timeContext": { + "durationMs": 2592000000 + }, + "timeContextFromParameter": "TimeRange", + "showExportToExcel": true, + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces", + "crossComponentResources": [ + "{Workspace}" + ], + "gridSettings": { + "formatters": [ + { + "columnMatch": "AlertName", + "formatter": 18, + "formatOptions": { + "thresholdsOptions": "icons", + "thresholdsGrid": [ + { + "operator": "Default", + "thresholdValue": null, + "representation": "3", + "text": "{0}{1}" + } + ] + } + }, + { + "columnMatch": "Severity", + "formatter": 18, + "formatOptions": { + "thresholdsOptions": "colors", + "thresholdsGrid": [ + { + "operator": "==", + "thresholdValue": "High", + "representation": "red", + "text": "{0}{1}" + }, + { + "operator": "==", + "thresholdValue": "Medium", + "representation": "orange", + "text": "{0}{1}" + }, + { + "operator": "==", + "thresholdValue": "Low", + "representation": "yellow", + "text": "{0}{1}" + }, + { + "operator": "Default", + "thresholdValue": null, + "representation": "blue", + "text": "{0}{1}" + } + ] + } + }, + { + "columnMatch": "ProductName", + "formatter": 18, + "formatOptions": { + "thresholdsOptions": "icons", + "thresholdsGrid": [ + { + "operator": "Default", + "thresholdValue": null, + "representation": "uninitialized", + "text": "{0}{1}" + } + ] + } + }, + { + "columnMatch": "AlertLink", + "formatter": 7, + "formatOptions": { + "linkTarget": "Url", + "linkLabel": "" + } + }, + { + "columnMatch": "UPN", + "formatter": 18, + "formatOptions": { + "thresholdsOptions": "icons", + "thresholdsGrid": [ + { + "operator": "Default", + "thresholdValue": null, + "representation": "2", + "text": "{0}{1}" + } + ] + } + }, + { + "columnMatch": "IncidentUrl", + "formatter": 7, + "formatOptions": { + "linkTarget": "Url", + "linkLabel": "Go to Incident >" + }, + "numberFormat": { + "unit": 0, + "options": { + "style": "decimal" + } + } + }, + { + "columnMatch": "count_", + "formatter": 8, + "formatOptions": { + "palette": "blue" + } + }, + { + "columnMatch": "city_", + "formatter": 18, + "formatOptions": { + "thresholdsOptions": "colors", + "thresholdsGrid": [ + { + "operator": "Default", + "thresholdValue": null, + "representation": "blue", + "text": "{0}{1}" + } + ] + } + }, + { + "columnMatch": "state_", + "formatter": 18, + "formatOptions": { + "thresholdsOptions": "colors", + "thresholdsGrid": [ + { + "operator": "Default", + "thresholdValue": null, + "representation": "blueDark", + "text": "{0}{1}" + } + ] + } + } + ], + "filter": true + }, + "tileSettings": { + "titleContent": { + "columnMatch": "SigninStatus", + "formatter": 1 + }, + "leftContent": { + "columnMatch": "Count", + "formatter": 12, + "formatOptions": { + "palette": "blue" + }, + "numberFormat": { + "unit": 17, + "options": { + "style": "decimal", + "maximumFractionDigits": 2, + "maximumSignificantDigits": 3 + } + } + }, + "secondaryContent": { + "columnMatch": "Trend", + "formatter": 9, + "formatOptions": { + "palette": "green" + } + }, + "showBorder": false + }, + "mapSettings": { + "locInfo": "CountryRegion", + "locInfoColumn": "Location", + "latitude": "SourceIPLocation", + "longitude": "SourceIPLocation", + "sizeSettings": "Location", + "sizeAggregation": "Count", + "legendMetric": "Location", + "legendAggregation": "Count", + "itemColorSettings": { + "nodeColorField": "Location", + "colorAggregation": "Count", + "type": "thresholds", + "thresholdsGrid": [ + { + "operator": "Default", + "thresholdValue": null, + "representation": "blueDark" + } + ] + } + } + }, + "customWidth": "50", + "name": "query - 4" + } + ] + }, + "name": "SI.L2-3.14.6", + "styleSettings": { + "showBorder": true + } + }, + { + "type": 12, + "content": { + "version": "NotebookGroup/1.0", + "groupType": "editable", + "items": [ + { + "type": 1, + "content": { + "json": "# [(SI.L2-3.14.7) Identify Unauthorized Use](https://docs.microsoft.com/azure/governance/policy/samples/cmmc-l3?WT.mc_id=Portal-fx#identify-unauthorized-use-of-organizational-systems)\r\n\r\n## Primary Services\r\n✳️ [Microsoft Sentinel](https://azure.microsoft.com/services/azure-sentinel/) 🔀[Microsoft Sentinel](https://portal.azure.com/#blade/HubsExtension/BrowseResource/resourceType/microsoft.securityinsightsarg%2Fsentinel)
\r\n✳️ [Microsoft Defender for Cloud](https://azure.microsoft.com/services/security-center) 🔀[Microsoft Defender for Cloud](https://portal.azure.com/#blade/Microsoft_Azure_Security/SecurityMenuBlade/0)
\r\n✳️ [Microsoft Defender for Cloud Apps](https://www.microsoft.com/microsoft-365/enterprise-mobility-security/cloud-app-security) 🔀 [Microsoft Defender for Cloud Apps Portal](https://portal.cloudappsecurity.com/)
\r\n\r\n## Secondary Services\r\n✳️ [Azure Bastion](https://azure.microsoft.com/services/azure-bastion/) 🔀[Bastions](https://portal.azure.com/#blade/HubsExtension/BrowseResourceBlade/resourceType/Microsoft.Network%2FbastionHosts)
\r\n✳️ [Load Balancer]( https://azure.microsoft.com/services/load-balancer/) 🔀[Load Balancers](https://portal.azure.com/#blade/Microsoft_Azure_Network/LoadBalancingHubMenuBlade/loadBalancers)
\r\n✳️ [Network Security Groups](https://docs.microsoft.com/azure/virtual-network/network-security-groups-overview) 🔀[Network Security Groups](https://portal.azure.com/#blade/HubsExtension/BrowseResource/resourceType/Microsoft.Network%2FNetworkSecurityGroups)
\r\n✳️ [Virtual Machines](https://azure.microsoft.com/services/virtual-machines/) 🔀[Virtual Machines](https://portal.azure.com/#blade/HubsExtension/BrowseResource/resourceType/Microsoft.Compute%2FVirtualMachines)
\r\n✳️ [VPN Gateway](https://azure.microsoft.com/services/vpn-gateway/) 🔀[Virtual Network Gateways](https://portal.azure.com/#blade/HubsExtension/BrowseResourceBlade/resourceType/Microsoft.Network%2FvirtualNetworkGateways)
\r\n✳️ [Azure Active Directory](https://azure.microsoft.com/services/active-directory/) 🔀[Azure Active Directory Portal](https://portal.azure.com/#blade/Microsoft_AAD_IAM/ActiveDirectoryMenuBlade/Overview)
\r\n✳️ [Microsoft Defender for Endpoint]( https://www.microsoft.com/microsoft-365/security/endpoint-defender) 🔀[Microsoft 365 Defender](https://security.microsoft.com/)
\r\n✳️ [Azure AD Privileged Identity Management](https://docs.microsoft.com/azure/active-directory/privileged-identity-management/pim-getting-started) 🔀[Privileged Identity Management](https://portal.azure.com/#blade/Microsoft_Azure_PIMCommon/CommonMenuBlade/quickStart)
\r\n✳️ [Microsoft Defender for Office 365](https://www.microsoft.com/microsoft-365/security/office-365-defender) 🔀[Microsoft 365 Defender Portal](https://security.microsoft.com/homepage)
\r\n\r\n## Recommended Logs\r\n🔷 [BehaviorAnalytics](https://docs.microsoft.com/azure/azure-monitor/reference/tables/behavioranalytics) ✳️ [Microsoft Sentinel](https://azure.microsoft.com/services/azure-sentinel/)
\r\n\r\n## Implementation Guidance\r\n[Microsoft Technical Reference Guide for CMMC](https://aka.ms/cmmc/techrefguide)\r\n## NIST SP 800-171 Mapping\r\n[3.14.7](https://csrc.nist.gov/publications/detail/sp/800-171/rev-2/final)
\r\n## NIST SP 800-53 R4 Mapping\r\n[SI-4](https://csrc.nist.gov/publications/detail/sp/800-53/rev-4/final)\r\n## Microsoft Defender for Cloud: Regulatory Compliance\r\n[Go To: NIST SP 800-171 Assessment >](https://portal.azure.com/#blade/Microsoft_Azure_Security/SecurityMenuBlade/22)
\r\n" + }, + "customWidth": "50", + "name": "text - 0", + "styleSettings": { + "maxWidth": "50" + } + }, + { + "type": 3, + "content": { + "version": "KqlItem/1.0", + "query": "let AnomalousSigninActivity = BehaviorAnalytics\r\n | where ActionType == \"Sign-in\"\r\n | where (UsersInsights.NewAccount == True or UsersInsights.DormantAccount == True) and (\r\n ActivityInsights.FirstTimeUserAccessedResource == True and ActivityInsights.ResourceUncommonlyAccessedAmongPeers == True\r\n or ActivityInsights.FirstTimeUserUsedApp == True and ActivityInsights.AppUncommonlyUsedAmongPeers == False)\r\n | join (\r\n SigninLogs | where Status.errorCode == 0 or Status.errorCode == 0 and RiskDetail != \"none\"\r\n )\r\n on $left.SourceRecordId == $right._ItemId\r\n | extend UserPrincipalName = iff(UserPrincipalName contains \"#EXT#\", replace(\"_\", \"@\", tostring(split(UserPrincipalName, \"#\")[0])), UserPrincipalName),\r\n UserName = iff(UserName contains \"#EXT#\", replace(\"_\", \"@\", tostring(split(UserPrincipalName, \"#\")[0])), UserName)\r\n | extend AnomalyName = \"Anomalous Successful Logon\",\r\n Tactic = \"Persistence\",\r\n Technique = \"Valid Accounts\",\r\n SubTechnique = \"\",\r\n Description = \"Successful Sign-in with one or more of the following indications: sign by new or recently dormant accounts and sign in with resource for the first time (while none of their peers did) or to an app for the first time (while none of their peers did) or performed by a user with Risk indicaiton from AAD\"\r\n | project TimeGenerated, AnomalyName, Tactic, Technique, SubTechnique, Description, UserName, UserPrincipalName, UsersInsights, ActivityType, ActionType, [\"Evidence\"]=ActivityInsights, ResourceDisplayName, AppDisplayName, SourceIPAddress, SourceIPLocation, SourceDevice, DevicesInsights, [\"Anomaly Score\"]=InvestigationPriority; \r\nlet critical = dynamic(['9b895d92-2cd3-44c7-9d02-a6ac2d5ea5c3', 'c4e39bd9-1100-46d3-8c65-fb160da0071f', '158c047a-c907-4556-b7ef-446551a6b5f7', '62e90394-69f5-4237-9190-012177145e10', 'd29b2b05-8046-44ba-8758-1e26182fcf32', '729827e3-9c14-49f7-bb1b-9608f156bbb8', '966707d0-3269-4727-9be2-8c3a10f19b9d', '194ae4cb-b126-40b2-bd5b-6091b380977d', 'fe930be7-5e62-47db-91af-98c3a49a38b1']);\r\nlet high = dynamic(['cf1c38e5-3621-4004-a7cb-879624dced7c', '7495fdc4-34c4-4d15-a289-98788ce399fd', 'aaf43236-0c0d-4d5f-883a-6955382ac081', '3edaf663-341e-4475-9f94-5c398ef6c070', '7698a772-787b-4ac8-901f-60d6b08affd2', 'b1be1c3e-b65d-4f19-8427-f6fa0d97feb9', '9f06204d-73c1-4d4c-880a-6edb90606fd8', '29232cdf-9323-42fd-ade2-1d097af3e4de', 'be2f45a1-457d-42af-a067-6ec1fa63bc45', '7be44c8a-adaf-4e2a-84d6-ab2649e08a13', 'e8611ab8-c189-46e8-94e1-60213ab1f814']);//witdstomstl\r\nlet AnomalousRoleAssignment = AuditLogs\r\n | where TimeGenerated > ago(28d)\r\n | where OperationName == \"Add member to role\"\r\n | mv-expand TargetResources\r\n | extend RoleId = tostring(TargetResources.modifiedProperties[0].newValue)\r\n | where isnotempty(RoleId) and RoleId in (critical, high)\r\n | extend RoleName = tostring(TargetResources.modifiedProperties[1].newValue)\r\n | where isnotempty(RoleName)\r\n | extend TargetId = tostring(TargetResources.id)\r\n | extend Target = tostring(TargetResources.userPrincipalName)\r\n | join kind=inner (\r\n BehaviorAnalytics\r\n | where ActionType == \"Add member to role\"\r\n | where UsersInsights.BlasrRadius == \"High\" or ActivityInsights.FirstTimeUserPerformedAction == true\r\n )\r\n on $left._ItemId == $right.SourceRecordId\r\n | extend AnomalyName = \"Anomalous Role Assignemt\",\r\n Tactic = \"Persistence\",\r\n Technique = \"Account Manipulation\",\r\n SubTechnique = \"\",\r\n Description = \"Adversaries may manipulate accounts to maintain access to victim systems. These actions include adding new accounts to high privilleged groups. Dragonfly 2.0, for example, added newly created accounts to the administrators group to maintain elevated access. The query below generates an output of all high Blast Radius users performing Add member to priveleged role, or ones that add users for the first time.\"\r\n | project TimeGenerated, AnomalyName, Tactic, Technique, SubTechnique, Description, UserName, UserPrincipalName, UsersInsights, ActivityType, ActionType, [\"TargetUser\"]=Target, RoleName, [\"Evidence\"]=ActivityInsights, SourceIPAddress, SourceIPLocation, SourceDevice, DevicesInsights, [\"Anomaly Score\"]=InvestigationPriority; let LogOns=materialize(\r\n BehaviorAnalytics\r\n | where ActivityType == \"LogOn\");\r\nlet AnomalousResourceAccess = LogOns\r\n | where ActionType == \"ResourceAccess\"\r\n | where ActivityInsights.FirstTimeUserLoggedOnToDevice == true\r\n | extend AnomalyName = \"Anomalous Resource Access\",\r\n Tactic = \"Lateral Movement\",\r\n Technique = \"\",\r\n SubTechnique = \"\",\r\n Description = \"Adversary may be trying to move through the environment. APT29 and APT32, for example, has used PtH & PtT techniques to lateral move around the network. The query below generates an output of all users performing an resource access (4624:3) to devices for the first time.\"\r\n | project TimeGenerated, AnomalyName, Tactic, Technique, SubTechnique, Description, UserName, UserPrincipalName, UsersInsights, ActivityType, ActionType, [\"Evidence\"]=ActivityInsights, SourceIPAddress, SourceIPLocation, SourceDevice, DevicesInsights, [\"Anomaly Score\"]=InvestigationPriority; \r\nlet AnomalousRDPActivity = LogOns\r\n | where ActionType == \"RemoteInteractiveLogon\"\r\n | where ActivityInsights.FirstTimeUserLoggedOnToDevice == true\r\n | extend AnomalyName = \"Anomalous RDP Activity\",\r\n Tactic = \"Lateral Movement\",\r\n Technique = \"\",\r\n SubTechnique = \"\",\r\n Description = \"Adversaries may use Valid Accounts to log into a computer using the Remote Desktop Protocol (RDP). The adversary may then perform actions as the logged-on user. FIN10, for example, has used RDP to move laterally to systems in the victim environment. The query below generates an output of all users performing a remote interactive logon (4624:10) to a device for the first time.\"\r\n | project TimeGenerated, AnomalyName, Tactic, Technique, SubTechnique, Description, UserName, UserPrincipalName, UsersInsights, ActivityType, ActionType, [\"Evidence\"]=ActivityInsights, SourceIPAddress, SourceIPLocation, SourceDevice, DevicesInsights, [\"Anomaly Score\"]=InvestigationPriority; \r\nlet AnomalousLogintoDevices = LogOns\r\n | where ActionType == \"InteractiveLogon\"\r\n | where ActivityInsights.FirstTimeUserLoggedOnToDevice == true\r\n | where UsersInsights.DormantAccount == true or DevicesInsights.LocalAdmin == true\r\n | extend AnomalyName = \"Anomalous Login To Devices\",\r\n Tactic = \"Privilege Escalation\",\r\n Technique = \"Valid Accounts\",\r\n SubTechnique = \"\",\r\n Description = \"Adversaries may steal the credentials of a specific user or service account using Credential Access techniques or capture credentials earlier in their reconnaissance process through social engineering for means of gaining Initial Access. APT33, for example, has used valid accounts for initial access and privilege escalation. The query below generates an output of all administator users performing an interactive logon (4624:2) to a device for the first time.\"\r\n | project TimeGenerated, AnomalyName, Tactic, Technique, SubTechnique, Description, UserName, UserPrincipalName, UsersInsights, ActivityType, ActionType, [\"Evidence\"]=ActivityInsights, SourceIPAddress, SourceIPLocation, SourceDevice, DevicesInsights, [\"Anomaly Score\"]=InvestigationPriority; \r\nlet AnomalousPasswordReset = BehaviorAnalytics\r\n | where ActionType == \"Reset user password\"\r\n | where ActivityInsights.FirstTimeUserPerformedAction == \"True\"\r\n | join (\r\n AuditLogs\r\n | where OperationName == \"Reset user password\"\r\n )\r\n on $left.SourceRecordId == $right._ItemId\r\n | mv-expand TargetResources\r\n | extend Target = iff(tostring(TargetResources.userPrincipalName) contains \"#EXT#\", replace(\"_\", \"@\", tostring(split(TargetResources.userPrincipalName, \"#\")[0])), TargetResources.userPrincipalName), tostring(TargetResources.userPrincipalName)\r\n | extend UserPrincipalName = iff(UserPrincipalName contains \"#EXT#\", replace(\"_\", \"@\", tostring(split(UserPrincipalName, \"#\")[0])), UserPrincipalName),\r\n UserName = iff(UserName contains \"#EXT#\", replace(\"_\", \"@\", tostring(split(UserPrincipalName, \"#\")[0])), UserName)\r\n | extend AnomalyName = \"Anomalous Password Reset\",\r\n Tactic = \"Impact\",\r\n Technique = \"Account Access Removal\",\r\n SubTechnique = \"\",\r\n Description = \"Adversaries may interrupt availability of system and network resources by inhibiting access to accounts utilized by legitimate users. Accounts may be deleted, locked, or manipulated (ex: changed credentials) to remove access to accounts. LockerGoga, for example, has been observed changing account passwords and logging off current users. The query below generates an output of all users performing Reset user password for the first time.\"\r\n | project TimeGenerated, AnomalyName, Tactic, Technique, SubTechnique, Description, UserName, UserPrincipalName, UsersInsights, ActivityType, ActionType, [\"TargetUser\"]=Target, [\"Evidence\"]=ActivityInsights, SourceIPAddress, SourceIPLocation, SourceDevice, DevicesInsights, [\"Anomaly Score\"]=InvestigationPriority\r\n | sort by TimeGenerated desc;\r\nlet AnomalousGeoLocationLogon = BehaviorAnalytics\r\n | where ActionType == \"Sign-in\"\r\n | where ActivityInsights.FirstTimeUserConnectedFromCountry == True and (ActivityInsights.FirstTimeConnectionFromCountryObservedInTenant == True or ActivityInsights.CountryUncommonlyConnectedFromAmongPeers == True)\r\n | join (\r\n SigninLogs\r\n )\r\n on $left.SourceRecordId == $right._ItemId\r\n | extend UserPrincipalName = iff(UserPrincipalName contains \"#EXT#\", replace(\"_\", \"@\", tostring(split(UserPrincipalName, \"#\")[0])), UserPrincipalName),\r\n UserName = iff(UserName contains \"#EXT#\", replace(\"_\", \"@\", tostring(split(UserPrincipalName, \"#\")[0])), UserName)\r\n | extend AnomalyName = \"Anomalous Successful Logon\",\r\n Tactic = \"Initial Access\",\r\n Technique = \"Valid Accounts\",\r\n SubTechnique = \"\",\r\n Description = \"Adversaries may steal the credentials of a specific user or service account using Credential Access techniques or capture credentials earlier in their reconnaissance process through social engineering for means of gaining Initial Access. APT33, for example, has used valid accounts for initial access. The query below generates an output of successful Sign-in performed by a user from a new geo location he has never connected from before, and none of his peers as well.\"\r\n | project TimeGenerated, AnomalyName, Tactic, Technique, SubTechnique, Description, UserName, UserPrincipalName, UsersInsights, ActivityType, ActionType, [\"Evidence\"]=ActivityInsights, ResourceDisplayName, AppDisplayName, SourceIPAddress, SourceIPLocation, SourceDevice, DevicesInsights, [\"Anomaly Score\"]=InvestigationPriority; \r\nlet AnomalousFailedLogon = BehaviorAnalytics\r\n | where ActivityType == \"LogOn\"\r\n | where UsersInsights.BlastRadius == \"High\"\r\n | join (\r\n SigninLogs \r\n | where Status.errorCode == 50126\r\n )\r\n on $left.SourceRecordId == $right._ItemId\r\n | extend UserPrincipalName = iff(UserPrincipalName contains \"#EXT#\", replace(\"_\", \"@\", tostring(split(UserPrincipalName, \"#\")[0])), UserPrincipalName),\r\n UserName = iff(UserName contains \"#EXT#\", replace(\"_\", \"@\", tostring(split(UserPrincipalName, \"#\")[0])), UserName)\r\n | extend AnomalyName = \"Anomalous Failed Logon\",\r\n Tactic = \"Credential Access\",\r\n Technique = \"Brute Force\",\r\n SubTechnique = \"Password Guessing\",\r\n Description = \"Adversaries with no prior knowledge of legitimate credentials within the system or environment may guess passwords to attempt access to accounts. Emotet, for example, has been observed using a hard coded list of passwords to brute force user accounts. The query below generates an output of all users with 'High' BlastRadius that perform failed Sign-in:Invalid username or password.\"\r\n | project TimeGenerated, AnomalyName, Tactic, Technique, SubTechnique, Description, UserName, UserPrincipalName, UsersInsights, ActivityType, ActionType, [\"Evidence\"]=ActivityInsights, ResourceDisplayName, AppDisplayName, SourceIPAddress, SourceIPLocation, SourceDevice, DevicesInsights, [\"Anomaly Score\"]=InvestigationPriority; \r\nlet AnomalousAADAccountManipulation = AuditLogs\r\n | where OperationName == \"Update user\"\r\n | mv-expand AdditionalDetails\r\n | where AdditionalDetails.key == \"UserPrincipalName\"\r\n | mv-expand TargetResources\r\n | extend RoleId = tostring(TargetResources.modifiedProperties[0].newValue)\r\n | where isnotempty(RoleId) and RoleId in (critical, high)\r\n | extend RoleName = tostring(TargetResources.modifiedProperties[1].newValue)\r\n | where isnotempty(RoleName)\r\n | extend TargetId = tostring(TargetResources.id)\r\n | extend Target = iff(tostring(TargetResources.userPrincipalName) contains \"#EXT#\", replace(\"_\", \"@\", tostring(split(TargetResources.userPrincipalName, \"#\")[0])), TargetResources.userPrincipalName), tostring(TargetResources.userPrincipalName)\r\n | join kind=inner ( \r\n BehaviorAnalytics\r\n | where ActionType == \"Update user\"\r\n | where UsersInsights.BlasrRadius == \"High\" or ActivityInsights.FirstTimeUserPerformedAction == true\r\n )\r\n on $left._ItemId == $right.SourceRecordId\r\n | extend UserPrincipalName = iff(UserPrincipalName contains \"#EXT#\", replace(\"_\", \"@\", tostring(split(UserPrincipalName, \"#\")[0])), UserPrincipalName),\r\n UserName = iff(UserName contains \"#EXT#\", replace(\"_\", \"@\", tostring(split(UserPrincipalName, \"#\")[0])), UserName) \r\n | extend AnomalyName = \"Anomalous Account Manipulation\",\r\n Tactic = \"Persistence\",\r\n Technique = \"Account Manipulation\",\r\n SubTechnique = \"\",\r\n Description = \"Adversaries may manipulate accounts to maintain access to victim systems. These actions include adding new accounts to high privilleged groups. Dragonfly 2.0, for example, added newly created accounts to the administrators group to maintain elevated access. The query below generates an output of all high Blast Radius users performing 'Update user' (name change) to priveleged role, or ones that changed users for the first time.\"\r\n | project TimeGenerated, AnomalyName, Tactic, Technique, SubTechnique, Description, UserName, UserPrincipalName, UsersInsights, ActivityType, ActionType, [\"TargetUser\"]=Target, RoleName, [\"Evidence\"]=ActivityInsights, SourceIPAddress, SourceIPLocation, SourceDevice, DevicesInsights, [\"Anomaly Score\"]=InvestigationPriority; let AnomalousAADAccountCreation = BehaviorAnalytics\r\n | where ActionType == \"Add user\"\r\n | where ActivityInsights.FirstTimeUserPerformedAction == True or ActivityInsights.FirstTimeActionPerformedInTenant == True or ActivityInsights.ActionUncommonlyPerformedAmongPeers == true\r\n | join(\r\n AuditLogs\r\n | where OperationName == \"Add user\"\r\n )\r\n on $left.SourceRecordId == $right._ItemId\r\n | mv-expand TargetResources\r\n | extend Target = iff(tostring(TargetResources.userPrincipalName) contains \"#EXT#\", replace(\"_\", \"@\", tostring(split(TargetResources.userPrincipalName, \"#\")[0])), TargetResources.userPrincipalName), tostring(TargetResources.userPrincipalName)\r\n | extend DisplayName = tostring(UsersInsights.AccountDisplayName),\r\n UserPrincipalName = iff(UserPrincipalName contains \"#EXT#\", replace(\"_\", \"@\", tostring(split(UserPrincipalName, \"#\")[0])), UserPrincipalName),\r\n UserName = iff(UserName contains \"#EXT#\", replace(\"_\", \"@\", tostring(split(UserPrincipalName, \"#\")[0])), UserName)\r\n | extend AnomalyName = \"Anomalous Account Creation\",\r\n Tactic = \"Persistence\",\r\n Technique = \"Create Account\",\r\n SubTechnique = \"Cloud Account\",\r\n Description = \"Adversaries may create a cloud account to maintain access to victim systems. With a sufficient level of access, such accounts may be used to establish secondary credentialed access that does not require persistent remote access tools to be deployed on the system. The query below generates an output of all the users performing user creation for the first time and the target users that were created.\"\t\r\n | project TimeGenerated, AnomalyName, Tactic, Technique, SubTechnique, Description, UserName, UserPrincipalName, UsersInsights, ActivityType, ActionType, [\"TargetUser\"]=Target, [\"Evidence\"]=ActivityInsights, SourceIPAddress, SourceIPLocation, SourceDevice, DevicesInsights, [\"Anomaly Score\"]=InvestigationPriority\r\n | sort by TimeGenerated desc;\r\nlet AnomalyTable = union kind=outer AnomalousSigninActivity, AnomalousRoleAssignment, AnomalousResourceAccess, AnomalousRDPActivity, AnomalousPasswordReset, AnomalousLogintoDevices, AnomalousGeoLocationLogon, AnomalousAADAccountManipulation, AnomalousAADAccountCreation, AnomalousFailedLogon;\r\nlet TopUsersByAnomalies = AnomalyTable\r\n | summarize hint.strategy = shuffle AnomalyCount=count() by UserName, UserPrincipalName, tostring(UsersInsights.OnPremSid), tostring(UsersInsights.AccountObjectId)\r\n | project Name=tolower(UserName), UPN=tolower(UserPrincipalName), AadUserId=UsersInsights_AccountObjectId, Sid=UsersInsights_OnPremSid, AnomalyCount\r\n | sort by AnomalyCount desc;\r\nlet TopUsersByIncidents = SecurityIncident\r\n | summarize hint.strategy = shuffle arg_max(LastModifiedTime, *) by IncidentNumber\r\n | where Status == \"New\" or Status == \"Active\"\r\n | mv-expand AlertIds\r\n | extend AlertId = tostring(AlertIds)\r\n | join kind= innerunique ( \r\n SecurityAlert \r\n )\r\n on $left.AlertId == $right.SystemAlertId\r\n | summarize hint.strategy = shuffle arg_max(TimeGenerated, *), NumberOfUpdates = count() by SystemAlertId\r\n | mv-expand todynamic(Entities)\r\n | where Entities[\"Type\"] =~ \"account\"\r\n | extend Name = tostring(tolower(Entities[\"Name\"])), NTDomain = tostring(Entities[\"NTDomain\"]), UPNSuffix = tostring(Entities[\"UPNSuffix\"]), AadUserId = tostring(Entities[\"AadUserId\"]), AadTenantId = tostring(Entities[\"AadTenantId\"]), \r\n Sid = tostring(Entities[\"Sid\"]), IsDomainJoined = tobool(Entities[\"IsDomainJoined\"]), Host = tostring(Entities[\"Host\"])\r\n | extend UPN = iff(Name != \"\" and UPNSuffix != \"\", strcat(Name, \"@\", UPNSuffix), \"\")\r\n | where UPN <> \"\"\r\n | where UPN <> \" @ \"\r\n | union TopUsersByAnomalies\r\n | extend \r\n AadPivot = iff(isempty(AadUserId), iff(isempty(Sid), Name, Sid), AadUserId),\r\n SidPivot = iff(isempty(Sid), iff(isempty(AadUserId), Name, AadUserId), Sid),\r\n UPNExists = iff(isempty(UPN), false, true),\r\n NameExists = iff(isempty(Name), false, true),\r\n SidExists = iff(isempty(Sid), false, true),\r\n AADExists = iff(isempty(AadUserId), false, true)\r\n | summarize hint.strategy = shuffle IncidentCount=dcount(IncidentNumber, 4), AlertCount=dcountif(AlertId, isnotempty(AlertId), 4), AnomalyCount=sum(AnomalyCount), any(Title, Severity, Status, StartTime, IncidentNumber, IncidentUrl, Owner), UPNAnchor=anyif(UPN, UPNExists == true), NameAnchor=anyif(Name, NameExists == true), AadAnchor=anyif(AadUserId, AADExists == true), SidAnchor=anyif(Sid, SidExists == true), any(SidPivot) by AadPivot\r\n | summarize hint.strategy = shuffle IncidentCount=sum(IncidentCount), AlertCount=sum(AlertCount), AnomalyCount=sum(AnomalyCount), UPNAnchor=anyif(UPNAnchor, isempty(UPNAnchor) == false), NameAnchor=anyif(NameAnchor, isempty(NameAnchor) == false), AadAnchor=anyif(AadAnchor, isempty(AadAnchor) == false), SidAnchor=anyif(SidAnchor, isempty(SidAnchor) == false), any(any_Title, any_Severity, any_StartTime, any_IncidentNumber, any_IncidentUrl) by any_SidPivot\r\n | summarize hint.strategy = shuffle IncidentCount=sum(IncidentCount), AlertCount=sum(AlertCount), AnomalyCount=sum(AnomalyCount), UPNAnchor=anyif(UPNAnchor, isempty(UPNAnchor) == false), AadAnchor=anyif(AadAnchor, isempty(AadAnchor) == false), SidAnchor=anyif(SidAnchor, isempty(SidAnchor) == false), any(any_any_Title, any_any_Severity, any_any_StartTime, any_any_IncidentNumber, any_any_IncidentUrl) by NameAnchor\r\n | project [\"UserName\"]=NameAnchor, IncidentCount, AlertCount, AnomalyCount, [\"AadUserId\"]=AadAnchor, [\"OnPremSid\"]=SidAnchor, [\"UserPrincipalName\"]=UPNAnchor;\r\nTopUsersByIncidents\r\n| where UserPrincipalName !contains \"[\"\r\n| project UserPrincipalName, IncidentCount, AlertCount, AnomalyCount\r\n| sort by IncidentCount desc\r\n| limit 50\r\n", + "size": 0, + "showAnalytics": true, + "title": "Review User Entity Behavior Analytics for Unauthorized Activity", + "noDataMessage": "An Empty Panel Provides Opportunity To Explore Further and Implement Hardening. Controls: Confirm Licensing, Availability, and Health of Respective Offerings. Logging: Confirm Log Source is Onboarded to the Log Analytics Workspace. Time: Adjust the Time Parameter for a Larger Data-Set. ", + "timeContext": { + "durationMs": 2592000000 + }, + "timeContextFromParameter": "TimeRange", + "showExportToExcel": true, + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces", + "crossComponentResources": [ + "{Workspace}" + ], + "gridSettings": { + "formatters": [ + { + "columnMatch": "UserPrincipalName", + "formatter": 18, + "formatOptions": { + "thresholdsOptions": "icons", + "thresholdsGrid": [ + { + "operator": "Default", + "thresholdValue": null, + "representation": "Person", + "text": "{0}{1}" + } + ] + } + }, + { + "columnMatch": "IncidentCount", + "formatter": 8, + "formatOptions": { + "palette": "redBright" + } + }, + { + "columnMatch": "AlertCount", + "formatter": 8, + "formatOptions": { + "palette": "orange" + } + }, + { + "columnMatch": "AnomalyCount", + "formatter": 8, + "formatOptions": { + "palette": "yellow" + } + } + ], + "rowLimit": 50, + "filter": true, + "sortBy": [ + { + "itemKey": "$gen_heatmap_IncidentCount_1", + "sortOrder": 2 + } + ] + }, + "sortBy": [ + { + "itemKey": "$gen_heatmap_IncidentCount_1", + "sortOrder": 2 + } + ] + }, + "customWidth": "50", + "name": "query - 2", + "styleSettings": { + "maxWidth": "50" + } + } + ] + }, + "name": "SI.L2-3.14.7", + "styleSettings": { + "showBorder": true + } + } + ] + }, + "conditionalVisibility": { + "parameterName": "isML2Visible", + "comparison": "isEqualTo", + "value": "true" + }, + "name": "Level 2: Advanced" + } + ] + }, + "conditionalVisibility": { + "parameterName": "isSIVisible", + "comparison": "isEqualTo", + "value": "true" + }, + "name": "System & Information Integrity Group", + "styleSettings": { + "showBorder": true + } + } + ], + "fromTemplateId": "sentinel-CybersecurityMaturityModelCertification(CMMC)2.0", + "$schema": "https://github.com/Microsoft/Application-Insights-Workbooks/blob/master/schema/workbook.json" +} \ No newline at end of file diff --git a/Solutions/CybersecurityMaturityModelCertification(CMMC)2.0/Workbooks/Images/CybersecurityMaturityModelCertification(CMMC)Black1.png b/Solutions/CybersecurityMaturityModelCertification(CMMC)2.0/Workbooks/Images/CybersecurityMaturityModelCertification(CMMC)Black1.png new file mode 100644 index 0000000000..ce0a2615ef Binary files /dev/null and b/Solutions/CybersecurityMaturityModelCertification(CMMC)2.0/Workbooks/Images/CybersecurityMaturityModelCertification(CMMC)Black1.png differ diff --git a/Solutions/CybersecurityMaturityModelCertification(CMMC)2.0/Workbooks/Images/CybersecurityMaturityModelCertification(CMMC)White1.png b/Solutions/CybersecurityMaturityModelCertification(CMMC)2.0/Workbooks/Images/CybersecurityMaturityModelCertification(CMMC)White1.png new file mode 100644 index 0000000000..d5d12230d0 Binary files /dev/null and b/Solutions/CybersecurityMaturityModelCertification(CMMC)2.0/Workbooks/Images/CybersecurityMaturityModelCertification(CMMC)White1.png differ diff --git a/Solutions/CybersecurityMaturityModelCertification(CMMC)2.0/Workbooks/Images/CybersecurityMaturityModelCertification(CMMC)Workbook.png b/Solutions/CybersecurityMaturityModelCertification(CMMC)2.0/Workbooks/Images/CybersecurityMaturityModelCertification(CMMC)Workbook.png new file mode 100644 index 0000000000..0eb059c803 Binary files /dev/null and b/Solutions/CybersecurityMaturityModelCertification(CMMC)2.0/Workbooks/Images/CybersecurityMaturityModelCertification(CMMC)Workbook.png differ diff --git a/Solutions/CybersecurityMaturityModelCertification(CMMC)2.0/readme.md b/Solutions/CybersecurityMaturityModelCertification(CMMC)2.0/readme.md new file mode 100644 index 0000000000..7abe7355ba --- /dev/null +++ b/Solutions/CybersecurityMaturityModelCertification(CMMC)2.0/readme.md @@ -0,0 +1,37 @@ +# Overview +--- +The Microsoft Sentinel: Cybersecurity Maturity Model Certification (CMMC) 2.0 Solution provides a mechanism for viewing log queries aligned to CMMC 2.0 requirements across the Microsoft portfolio. This solution enables governance and compliance teams to design, build, monitor, and respond to CMMC 2.0 requirements across 25+ Microsoft products. The solution includes the new CMMC 2.0 Workbook, (2) Analytics Rules, and (1) Playbook. While only Microsoft Sentinel is required to get started, the solution is enhanced with numerous Microsoft offerings. This Solution enables Security Architects, Engineers, SecOps Analysts, Managers, and IT Pros to gain situational awareness visibility for the security posture of cloud workloads. There are also recommendations for selecting, designing, deploying, and configuring Microsoft offerings for alignment with respective security best practice. + +## Try on Portal +You can deploy the solution by clicking on the buttons below: + + + + +![Workbook Overview](https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/CybersecurityMaturityModelCertification(CMMC)2.0/Workbooks/Images/CybersecurityMaturityModelCertification(CMMC)Black1.png?raw=true) + +# Getting Started +This Solution is designed to augment staffing through automation, artificial intelligence, machine learning, query/alerting generation, and visualizations. This workbook leverages Azure Policy, Azure Resource Graph, and Azure Log Analytics to align with Cybersecurity Maturity Model Certification 2.0 control requirements. A filter set is available for custom reporting by guides, subscriptions, workspaces, time-filtering, control family, and level. This offering telemetry from 50+ Microsoft Security products, while only Microsoft Sentinel/Microsoft Defender for Cloud are required to get started, each offering provides additional enrichment for aligning with control requirements. Each CMMC control includes a Control Card detailing an overiew of requirements, primary/secondary controls, deep-links to referenced product pages/portals, recommendations, implementation guides, compliance cross-walks and tooling telemetry for building situational awareness of cloud workloads. +💡 [Planning: Review Microsoft Product Placemat for CMMC 2.0](https://aka.ms/cmmc/productplacemat)
+💡 [Onboard Microsoft Sentinel](https://docs.microsoft.com/azure/sentinel/quickstart-onboard)
+💡 [Onboard Microsoft Defender for Cloud](https://docs.microsoft.com/azure/security-center/security-center-get-started)
+💡 [Add the Microsoft Defender for Cloud: NIST SP 800 171 R2 Assessment to Your Dashboard](https://docs.microsoft.com/azure/security-center/update-regulatory-compliance-packages#add-a-regulatory-standard-to-your-dashboard)
+💡 [Continuously Export Security Center Data to Log Analytics Workspace](https://docs.microsoft.com/azure/security-center/continuous-export)
+💡 [Extend Microsoft Sentinel Across Workspaces and Tenants](https://docs.microsoft.com/azure/sentinel/extend-sentinel-across-workspaces-tenants)
+ +# Workbook +The Microsoft Sentinel CMMC 2.0 Workbook provides a mechanism for viewing log queries, azure resource graph, and policies aligned to CMMC controls across the Microsoft portfolio including Microsoft security offerings, Office 365, Teams, and many more. This workbook enables Security Architects, Engineers, SecOps Analysts, Managers, and IT Pros to gain situational awareness visibility for the security posture of cloud workloads. There are also recommendations for selecting, designing, deploying, and configuring Microsoft offerings for alignment with respective CMMC 2.0 requirements and practices. + +# Analytics Rules +The Microsoft Sentinel: CMMC 2.0 Analytics rules leverage Microsoft Defender for Cloud Regulatory Compliance mappings (Derived from NIST SP 800-171) to measure CMMC 2.0 alignment across Level 1 (Foundation) and Level 2 (Advanced) requirements. The default configuration is set for scheduled rules running every 7 days to reduce alert overload. The default configuration is to alert when posture compliance is below 70% and this number is configurable per organizational requirements. + +# Playbooks +## 1) Notify Governance Compliance Team +This Security Orchestration, Automation, & Response (SOAR) capability is designed for configuration with the solution's analytics rules. When analytics rules trigger this automation notifies the governance compliance team of respective details via Teams chat and exchange email. this automation reduces requirements to manually monitor the workbook or analytics rules while increasing response times.
+## 2) Open DevOps Task based on Recommendation +This Security Orchestration, Automation, & Response (SOAR) capability is designed to create an Azure DevOps Task when an alert is triggered. This automation enables a consistent response when resources become unhealthy relative to a predefined recommendation, enabling teams to focus on remediation and improving response times. +## 3) Open JIRA Ticket based on Recommendation +This Security Orchestration, Automation, & Response (SOAR) capability is designed to open a Jira issue when a recommendation is unhealthy in Microsoft Defender for Cloud. This automation improves time to response by providing consistant notifications when resources become unhealthy relative to a predefined recommendation. + +## Disclaimer +The Microsoft Sentinel CMMC 2.0 Solution demonstrates best practice guidance, but Microsoft does not guarantee nor imply compliance. The workbook outlines controls across Levels 1-2. All accreditation requirements and decisions are governed by the 💡[CMMC Accreditation Body](https://www.cmmcab.org/c3pao-lp). This solution provides visibility and situational awareness for control requirements delivered with Microsoft technologies in predominantly cloud-based environments. Customer experience will vary by user and some panels may require additional configurations and query modification for operation. Recommendations should be considered a starting point for planning full or partial coverage of respective control requirements. \ No newline at end of file diff --git a/Solutions/DigitalGuardianDLP/Analytic Rules/DigitalGuardianClassifiedDataInsecureTransfer.yaml b/Solutions/DigitalGuardianDLP/Analytic Rules/DigitalGuardianClassifiedDataInsecureTransfer.yaml new file mode 100755 index 0000000000..4cf6eaacd4 --- /dev/null +++ b/Solutions/DigitalGuardianDLP/Analytic Rules/DigitalGuardianClassifiedDataInsecureTransfer.yaml @@ -0,0 +1,34 @@ +id: b52cda18-c1af-40e5-91f3-1fcbf9fa267e +name: Digital Guardian - Sensitive data transfer over insecure channel +description: | + 'Detects sensitive data transfer over insecure channel.' +severity: Medium +requiredDataConnectors: + - connectorId: DigitalGuardianDLP + dataTypes: + - DigitalGuardianDLPEvent +queryFrequency: 1h +queryPeriod: 1h +triggerOperator: gt +triggerThreshold: 0 +tactics: + - Exfiltration +relevantTechniques: + - T1048 +query: | + DigitalGuardianDLPEvent + | where isnotempty(MatchedPolicies) + | where isnotempty(inspected_document) + | where NetworkApplicationProtocol =~ 'HTTP' + | extend AccountCustomEntity = SrcUserName, IPCustomEntity = SrcIpAddr +entityMappings: + - entityType: Account + fieldMappings: + - identifier: Name + columnName: AccountCustomEntity + - entityType: IP + fieldMappings: + - identifier: Address + columnName: IPCustomEntity +version: 1.0.0 +kind: Scheduled diff --git a/Solutions/DigitalGuardianDLP/Analytic Rules/DigitalGuardianExfiltrationOverDNS.yaml b/Solutions/DigitalGuardianDLP/Analytic Rules/DigitalGuardianExfiltrationOverDNS.yaml new file mode 100755 index 0000000000..6559233a30 --- /dev/null +++ b/Solutions/DigitalGuardianDLP/Analytic Rules/DigitalGuardianExfiltrationOverDNS.yaml @@ -0,0 +1,28 @@ +id: 39e25deb-49bb-4cdb-89c1-c466d596e2bd +name: Digital Guardian - Exfiltration using DNS protocol +description: | + 'Detects exfiltration using DNS protocol.' +severity: High +requiredDataConnectors: + - connectorId: DigitalGuardianDLP + dataTypes: + - DigitalGuardianDLPEvent +queryFrequency: 1h +queryPeriod: 1h +triggerOperator: gt +triggerThreshold: 0 +tactics: + - Exfiltration +relevantTechniques: + - T1048 +query: | + DigitalGuardianDLPEvent + | where DstPortNumber == 53 + | extend AccountCustomEntity = SrcUserName +entityMappings: + - entityType: Account + fieldMappings: + - identifier: Name + columnName: AccountCustomEntity +version: 1.0.0 +kind: Scheduled diff --git a/Solutions/DigitalGuardianDLP/Analytic Rules/DigitalGuardianExfiltrationToFileShareServices.yaml b/Solutions/DigitalGuardianDLP/Analytic Rules/DigitalGuardianExfiltrationToFileShareServices.yaml new file mode 100755 index 0000000000..77a561bb76 --- /dev/null +++ b/Solutions/DigitalGuardianDLP/Analytic Rules/DigitalGuardianExfiltrationToFileShareServices.yaml @@ -0,0 +1,32 @@ +id: f7b6ddef-c1e9-46f0-8539-dbba7fb8a5b8 +name: Digital Guardian - Exfiltration to online fileshare +description: | + 'Detects exfiltration to online fileshare.' +severity: High +requiredDataConnectors: + - connectorId: DigitalGuardianDLP + dataTypes: + - DigitalGuardianDLPEvent +queryFrequency: 1h +queryPeriod: 1h +triggerOperator: gt +triggerThreshold: 0 +tactics: + - Exfiltration +relevantTechniques: + - T1048 +query: | + let threshold = 10; + DigitalGuardianDLPEvent + | where isnotempty(inspected_document) + | where http_url contains 'dropbox' or http_url contains 'mega.nz' + | summarize f = dcount(inspected_document) by SrcUserName, bin(TimeGenerated, 30m) + | where f >= threshold + | extend AccountCustomEntity = SrcUserName +entityMappings: + - entityType: Account + fieldMappings: + - identifier: Name + columnName: AccountCustomEntity +version: 1.0.0 +kind: Scheduled diff --git a/Solutions/DigitalGuardianDLP/Analytic Rules/DigitalGuardianFileSentToExternal.yaml b/Solutions/DigitalGuardianDLP/Analytic Rules/DigitalGuardianFileSentToExternal.yaml new file mode 100755 index 0000000000..356c97c9a6 --- /dev/null +++ b/Solutions/DigitalGuardianDLP/Analytic Rules/DigitalGuardianFileSentToExternal.yaml @@ -0,0 +1,35 @@ +id: edead9b5-243a-466b-ae78-2dae32ab1117 +name: Digital Guardian - Exfiltration to private email +description: | + 'Detects exfiltration to private email.' +severity: High +requiredDataConnectors: + - connectorId: DigitalGuardianDLP + dataTypes: + - DigitalGuardianDLPEvent +queryFrequency: 1h +queryPeriod: 1h +triggerOperator: gt +triggerThreshold: 0 +tactics: + - Exfiltration +relevantTechniques: + - T1048 +query: | + DigitalGuardianDLPEvent + | where NetworkApplicationProtocol =~ 'SMTP' + | where isnotempty(inspected_document) + | extend s_user = substring(SrcUserName, 0, indexof(SrcUserName, '@')) + | extend d_user = substring(DstUserName, 0, indexof(DstUserName, '@')) + | extend s_domain = extract(@'@(.*)', 1, SrcUserName) + | extend d_domain = extract(@'@(.*)', 1, DstUserName) + | where s_domain != d_domain + | where s_user == d_user + | extend AccountCustomEntity = SrcUserName +entityMappings: + - entityType: Account + fieldMappings: + - identifier: Name + columnName: AccountCustomEntity +version: 1.0.0 +kind: Scheduled diff --git a/Solutions/DigitalGuardianDLP/Analytic Rules/DigitalGuardianFileSentToExternalDomain.yaml b/Solutions/DigitalGuardianDLP/Analytic Rules/DigitalGuardianFileSentToExternalDomain.yaml new file mode 100755 index 0000000000..36f6fb2e7b --- /dev/null +++ b/Solutions/DigitalGuardianDLP/Analytic Rules/DigitalGuardianFileSentToExternalDomain.yaml @@ -0,0 +1,34 @@ +id: a19885c8-1e44-47e3-81df-d1d109f5c92d +name: Digital Guardian - Exfiltration to external domain +description: | + 'Detects exfiltration to external domain.' +severity: Medium +requiredDataConnectors: + - connectorId: DigitalGuardianDLP + dataTypes: + - DigitalGuardianDLPEvent +queryFrequency: 1h +queryPeriod: 1h +triggerOperator: gt +triggerThreshold: 0 +tactics: + - Exfiltration +relevantTechniques: + - T1048 +query: | + let corp_domain = dynamic(['example.com']); //add all corporate domains to this list + DigitalGuardianDLPEvent + | where NetworkApplicationProtocol =~ 'SMTP' + | where isnotempty(inspected_document) + | extend s_domain = extract(@'@(.*)', 1, SrcUserName) + | extend d_domain = extract(@'@(.*)', 1, DstUserName) + | where s_domain in~ (corp_domain) + | where d_domain !in (corp_domain) + | extend AccountCustomEntity = SrcUserName +entityMappings: + - entityType: Account + fieldMappings: + - identifier: Name + columnName: AccountCustomEntity +version: 1.0.0 +kind: Scheduled diff --git a/Solutions/DigitalGuardianDLP/Analytic Rules/DigitalGuardianFilesSentToExternalDomain.yaml b/Solutions/DigitalGuardianDLP/Analytic Rules/DigitalGuardianFilesSentToExternalDomain.yaml new file mode 100755 index 0000000000..c76ef1106d --- /dev/null +++ b/Solutions/DigitalGuardianDLP/Analytic Rules/DigitalGuardianFilesSentToExternalDomain.yaml @@ -0,0 +1,37 @@ +id: 5f75a873-b524-4ba5-a3b8-2c20db517148 +name: Digital Guardian - Bulk exfiltration to external domain +description: | + 'Detects bulk exfiltration to external domain.' +severity: Medium +requiredDataConnectors: + - connectorId: DigitalGuardianDLP + dataTypes: + - DigitalGuardianDLPEvent +queryFrequency: 1h +queryPeriod: 1h +triggerOperator: gt +triggerThreshold: 0 +tactics: + - Exfiltration +relevantTechniques: + - T1048 +query: | + let threshold = 10; + let corp_domain = dynamic(['example.com']); + DigitalGuardianDLPEvent + | where NetworkApplicationProtocol =~ 'SMTP' + | where isnotempty(inspected_document) + | extend s_domain = extract(@'@(.*)', 1, SrcUserName) + | extend d_domain = extract(@'@(.*)', 1, DstUserName) + | where s_domain in~ (corp_domain) + | where d_domain !in (corp_domain) + | summarize f = dcount(inspected_document) by SrcUserName, DstUserName, bin(TimeGenerated, 30m) + | where f >= threshold + | extend AccountCustomEntity = SrcUserName +entityMappings: + - entityType: Account + fieldMappings: + - identifier: Name + columnName: AccountCustomEntity +version: 1.0.0 +kind: Scheduled diff --git a/Solutions/DigitalGuardianDLP/Analytic Rules/DigitalGuardianMultipleIncidentsFromUser.yaml b/Solutions/DigitalGuardianDLP/Analytic Rules/DigitalGuardianMultipleIncidentsFromUser.yaml new file mode 100755 index 0000000000..2207907c38 --- /dev/null +++ b/Solutions/DigitalGuardianDLP/Analytic Rules/DigitalGuardianMultipleIncidentsFromUser.yaml @@ -0,0 +1,31 @@ +id: e8901dac-2549-4948-b793-5197a5ed697a +name: Digital Guardian - Multiple incidents from user +description: | + 'Detects multiple incidents from user.' +severity: High +requiredDataConnectors: + - connectorId: DigitalGuardianDLP + dataTypes: + - DigitalGuardianDLPEvent +queryFrequency: 1h +queryPeriod: 1h +triggerOperator: gt +triggerThreshold: 0 +tactics: + - Exfiltration +relevantTechniques: + - T1048 +query: | + let threshold = 2; + DigitalGuardianDLPEvent + | where isnotempty(MatchedPolicies) + | summarize count() by SrcUserName, bin(TimeGenerated, 30m) + | where count_ >= threshold + | extend AccountCustomEntity = SrcUserName +entityMappings: + - entityType: Account + fieldMappings: + - identifier: Name + columnName: AccountCustomEntity +version: 1.0.0 +kind: Scheduled diff --git a/Solutions/DigitalGuardianDLP/Analytic Rules/DigitalGuardianPossibleProtocolAbuse.yaml b/Solutions/DigitalGuardianDLP/Analytic Rules/DigitalGuardianPossibleProtocolAbuse.yaml new file mode 100755 index 0000000000..eacbf06ee5 --- /dev/null +++ b/Solutions/DigitalGuardianDLP/Analytic Rules/DigitalGuardianPossibleProtocolAbuse.yaml @@ -0,0 +1,29 @@ +id: a374a933-f6c4-4200-8682-70402a9054dd +name: Digital Guardian - Possible SMTP protocol abuse +description: | + 'Detects possible SMTP protocol abuse.' +severity: High +requiredDataConnectors: + - connectorId: DigitalGuardianDLP + dataTypes: + - DigitalGuardianDLPEvent +queryFrequency: 1h +queryPeriod: 1h +triggerOperator: gt +triggerThreshold: 0 +tactics: + - Exfiltration +relevantTechniques: + - T1048 +query: | + DigitalGuardianDLPEvent + | where NetworkApplicationProtocol =~ 'SMTP' + | where DstPortNumber != 25 + | extend AccountCustomEntity = SrcUserName +entityMappings: + - entityType: Account + fieldMappings: + - identifier: Name + columnName: AccountCustomEntity +version: 1.0.0 +kind: Scheduled diff --git a/Solutions/DigitalGuardianDLP/Analytic Rules/DigitalGuardianUnexpectedProtocol.yaml b/Solutions/DigitalGuardianDLP/Analytic Rules/DigitalGuardianUnexpectedProtocol.yaml new file mode 100755 index 0000000000..f23bbe6a82 --- /dev/null +++ b/Solutions/DigitalGuardianDLP/Analytic Rules/DigitalGuardianUnexpectedProtocol.yaml @@ -0,0 +1,28 @@ +id: a14f2f95-bbd2-4036-ad59-e3aff132b296 +name: Digital Guardian - Unexpected protocol +description: | + 'Detects RDP protocol usage for data transfer which is not common.' +severity: High +requiredDataConnectors: + - connectorId: DigitalGuardianDLP + dataTypes: + - DigitalGuardianDLPEvent +queryFrequency: 1h +queryPeriod: 1h +triggerOperator: gt +triggerThreshold: 0 +tactics: + - Exfiltration +relevantTechniques: + - T1048 +query: | + DigitalGuardianDLPEvent + | where DstPortNumber == 3389 + | extend AccountCustomEntity = SrcUserName +entityMappings: + - entityType: Account + fieldMappings: + - identifier: Name + columnName: AccountCustomEntity +version: 1.0.0 +kind: Scheduled diff --git a/Solutions/DigitalGuardianDLP/Analytic Rules/DigitalGuardianViolationNotBlocked.yaml b/Solutions/DigitalGuardianDLP/Analytic Rules/DigitalGuardianViolationNotBlocked.yaml new file mode 100755 index 0000000000..b2747a3d1c --- /dev/null +++ b/Solutions/DigitalGuardianDLP/Analytic Rules/DigitalGuardianViolationNotBlocked.yaml @@ -0,0 +1,31 @@ +id: 07bca129-e7d6-4421-b489-32abade0b6a7 +name: Digital Guardian - Incident with not blocked action +description: | + 'Detects when incident has not block action.' +severity: High +requiredDataConnectors: + - connectorId: DigitalGuardianDLP + dataTypes: + - DigitalGuardianDLPEvent +queryFrequency: 1h +queryPeriod: 1h +triggerOperator: gt +triggerThreshold: 0 +tactics: + - Exfiltration +relevantTechniques: + - T1048 +query: | + DigitalGuardianDLPEvent + | where isnotempty(IncidentStatus) + | extend inc_act = split(IncidentStatus, ',') + | where inc_act has 'New' + | where inc_act !contains 'Block' + | extend AccountCustomEntity = SrcUserName +entityMappings: + - entityType: Account + fieldMappings: + - identifier: Name + columnName: AccountCustomEntity +version: 1.0.0 +kind: Scheduled diff --git a/Solutions/DigitalGuardianDLP/Hunting Queries/DigitalGuardianDomains.yaml b/Solutions/DigitalGuardianDLP/Hunting Queries/DigitalGuardianDomains.yaml new file mode 100755 index 0000000000..b3dd0d480c --- /dev/null +++ b/Solutions/DigitalGuardianDLP/Hunting Queries/DigitalGuardianDomains.yaml @@ -0,0 +1,26 @@ +id: 444c91d4-e4b8-4adc-9b05-61fe908441b8 +name: Digital Guardian - Incident domains +description: | + 'Query searches for incident domains.' +severity: Medium +requiredDataConnectors: + - connectorId: DigitalGuardianDLP + dataTypes: + - DigitalGuardianDLPEvent +tactics: + - Exfiltration +relevantTechniques: + - T1048 +query: | + DigitalGuardianDLPEvent + | where TimeGenerated > ago(24h) + | where isnotempty(http_url) + | extend u = parse_url(http_url) + | extend domain=u.Host + | summarize count() by tostring(domain), SrcUserName + | extend AccountCustomEntity = SrcUserName +entityMappings: + - entityType: Account + fieldMappings: + - identifier: Name + columnName: AccountCustomEntity \ No newline at end of file diff --git a/Solutions/DigitalGuardianDLP/Hunting Queries/DigitalGuardianFilesSentByUsers.yaml b/Solutions/DigitalGuardianDLP/Hunting Queries/DigitalGuardianFilesSentByUsers.yaml new file mode 100755 index 0000000000..64f6e97d38 --- /dev/null +++ b/Solutions/DigitalGuardianDLP/Hunting Queries/DigitalGuardianFilesSentByUsers.yaml @@ -0,0 +1,24 @@ +id: 66dd7ab7-bbc0-48b7-a3b9-4e71e610df48 +name: Digital Guardian - Files sent by users +description: | + 'Query searches for files sent by users.' +severity: Medium +requiredDataConnectors: + - connectorId: DigitalGuardianDLP + dataTypes: + - DigitalGuardianDLPEvent +tactics: + - Exfiltration +relevantTechniques: + - T1048 +query: | + DigitalGuardianDLPEvent + | where TimeGenerated > ago(24h) + | where isnotempty(inspected_document) + | summarize Files = makeset(inspected_document) by SrcUserName + | extend AccountCustomEntity = SrcUserName +entityMappings: + - entityType: Account + fieldMappings: + - identifier: Name + columnName: AccountCustomEntity diff --git a/Solutions/DigitalGuardianDLP/Hunting Queries/DigitalGuardianIncidentsByUser.yaml b/Solutions/DigitalGuardianDLP/Hunting Queries/DigitalGuardianIncidentsByUser.yaml new file mode 100755 index 0000000000..9c5e307724 --- /dev/null +++ b/Solutions/DigitalGuardianDLP/Hunting Queries/DigitalGuardianIncidentsByUser.yaml @@ -0,0 +1,25 @@ +id: 83d5652c-025c-4cee-9f33-3bc114648859 +name: Digital Guardian - Users' incidents +description: | + 'Query searches for users' incidents.' +severity: Medium +requiredDataConnectors: + - connectorId: DigitalGuardianDLP + dataTypes: + - DigitalGuardianDLPEvent +tactics: + - Exfiltration +relevantTechniques: + - T1048 +query: | + DigitalGuardianDLPEvent + | where TimeGenerated > ago(24h) + | where isnotempty(IncidentStatus) + | where inc_act has 'New' + | summarize makeset(IncidentsUrl) by SrcUserName + | extend AccountCustomEntity = SrcUserName +entityMappings: + - entityType: Account + fieldMappings: + - identifier: Name + columnName: AccountCustomEntity diff --git a/Solutions/DigitalGuardianDLP/Hunting Queries/DigitalGuardianInsecureProtocolSources.yaml b/Solutions/DigitalGuardianDLP/Hunting Queries/DigitalGuardianInsecureProtocolSources.yaml new file mode 100755 index 0000000000..b72c0dbbce --- /dev/null +++ b/Solutions/DigitalGuardianDLP/Hunting Queries/DigitalGuardianInsecureProtocolSources.yaml @@ -0,0 +1,24 @@ +id: 196930a4-bd79-4800-b2bb-582a8f1c8dd4 +name: Digital Guardian - Insecure file transfer sources +description: | + 'Query searches for insecure file transfer sources.' +severity: Medium +requiredDataConnectors: + - connectorId: DigitalGuardianDLP + dataTypes: + - DigitalGuardianDLPEvent +tactics: + - Exfiltration +relevantTechniques: + - T1048 +query: | + DigitalGuardianDLPEvent + | where TimeGenerated > ago(24h) + | where NetworkApplicationProtocol in~ ('HTTP', 'FTP') + | project SrcUserName, SrcIpAddr, DstIpAddr, DstPortNumber, File=inspected_document + | extend AccountCustomEntity = SrcUserName +entityMappings: + - entityType: Account + fieldMappings: + - identifier: Name + columnName: AccountCustomEntity diff --git a/Solutions/DigitalGuardianDLP/Hunting Queries/DigitalGuardianInspectedFiles.yaml b/Solutions/DigitalGuardianDLP/Hunting Queries/DigitalGuardianInspectedFiles.yaml new file mode 100755 index 0000000000..1b035239a9 --- /dev/null +++ b/Solutions/DigitalGuardianDLP/Hunting Queries/DigitalGuardianInspectedFiles.yaml @@ -0,0 +1,24 @@ +id: e459b709-55f7-48b6-8afc-0ae1062d3584 +name: Digital Guardian - Inspected files +description: | + 'Query searches for inspected files.' +severity: Medium +requiredDataConnectors: + - connectorId: DigitalGuardianDLP + dataTypes: + - DigitalGuardianDLPEvent +tactics: + - Exfiltration +relevantTechniques: + - T1048 +query: | + DigitalGuardianDLPEvent + | where TimeGenerated > ago(24h) + | where isnotempty(inspected_document) + | project SrcUserName, DstUserName, File=inspected_document, MatchedPolicies + | extend AccountCustomEntity = SrcUserName +entityMappings: + - entityType: Account + fieldMappings: + - identifier: Name + columnName: AccountCustomEntity diff --git a/Solutions/DigitalGuardianDLP/Hunting Queries/DigitalGuardianNewIncidents.yaml b/Solutions/DigitalGuardianDLP/Hunting Queries/DigitalGuardianNewIncidents.yaml new file mode 100755 index 0000000000..dbb4e3a8a0 --- /dev/null +++ b/Solutions/DigitalGuardianDLP/Hunting Queries/DigitalGuardianNewIncidents.yaml @@ -0,0 +1,25 @@ +id: ae482a2c-b4e7-46fc-aeb7-744f7aad27ea +name: Digital Guardian - New incidents +description: | + 'Query searches for new incidents.' +severity: Medium +requiredDataConnectors: + - connectorId: DigitalGuardianDLP + dataTypes: + - DigitalGuardianDLPEvent +tactics: + - Exfiltration +relevantTechniques: + - T1048 +query: | + DigitalGuardianDLPEvent + | where TimeGenerated > ago(24h) + | where isnotempty(IncidentStatus) + | extend inc_act = split(IncidentStatus, ',') + | where inc_act has 'New' + | extend AccountCustomEntity = SrcUserName +entityMappings: + - entityType: Account + fieldMappings: + - identifier: Name + columnName: AccountCustomEntity diff --git a/Solutions/DigitalGuardianDLP/Hunting Queries/DigitalGuardianRareDestinationPorts.yaml b/Solutions/DigitalGuardianDLP/Hunting Queries/DigitalGuardianRareDestinationPorts.yaml new file mode 100755 index 0000000000..5265643877 --- /dev/null +++ b/Solutions/DigitalGuardianDLP/Hunting Queries/DigitalGuardianRareDestinationPorts.yaml @@ -0,0 +1,25 @@ +id: 82cba92e-fe2f-4bba-9b46-647040b24090 +name: Digital Guardian - Rare destination ports +description: | + 'Query searches for rare destination ports.' +severity: Medium +requiredDataConnectors: + - connectorId: DigitalGuardianDLP + dataTypes: + - DigitalGuardianDLPEvent +tactics: + - Exfiltration +relevantTechniques: + - T1048 +query: | + DigitalGuardianDLPEvent + | where TimeGenerated > ago(24h) + | summarize count() by DstIpAddr, DstPortNumber + | order by count_ asc + | top 10 by count_ + | extend IPCustomEntity = DstIpAddr +entityMappings: + - entityType: IP + fieldMappings: + - identifier: Address + columnName: IPCustomEntity diff --git a/Solutions/DigitalGuardianDLP/Hunting Queries/DigitalGuardianRareNetworkProtocols.yaml b/Solutions/DigitalGuardianDLP/Hunting Queries/DigitalGuardianRareNetworkProtocols.yaml new file mode 100755 index 0000000000..0c5cec985c --- /dev/null +++ b/Solutions/DigitalGuardianDLP/Hunting Queries/DigitalGuardianRareNetworkProtocols.yaml @@ -0,0 +1,30 @@ +id: 8ab2f0db-baa1-495c-a8dd-718b81d0b8c7 +name: Digital Guardian - Rare network protocols +description: | + 'Query searches rare network protocols.' +severity: Medium +requiredDataConnectors: + - connectorId: DigitalGuardianDLP + dataTypes: + - DigitalGuardianDLPEvent +tactics: + - Exfiltration +relevantTechniques: + - T1048 +query: | + DigitalGuardianDLPEvent + | where TimeGenerated > ago(24h) + | where isnotempty(NetworkApplicationProtocol) + | summarize count() by SrcIpAddr, SrcUserName + | order by count_ asc + | top 10 by count_ + | extend AccountCustomEntity = SrcUserName, IPCustomEntity = SrcIpAddr +entityMappings: + - entityType: Account + fieldMappings: + - identifier: Name + columnName: AccountCustomEntity + - entityType: IP + fieldMappings: + - identifier: Address + columnName: IPCustomEntity diff --git a/Solutions/DigitalGuardianDLP/Hunting Queries/DigitalGuardianRareUrls.yaml b/Solutions/DigitalGuardianDLP/Hunting Queries/DigitalGuardianRareUrls.yaml new file mode 100755 index 0000000000..84fc46275b --- /dev/null +++ b/Solutions/DigitalGuardianDLP/Hunting Queries/DigitalGuardianRareUrls.yaml @@ -0,0 +1,26 @@ +id: b9a69da9-1ca0-4e09-a24f-5d88d57e0402 +name: Digital Guardian - Rare Urls +description: | + 'Query searches for rare Urls.' +severity: Medium +requiredDataConnectors: + - connectorId: DigitalGuardianDLP + dataTypes: + - DigitalGuardianDLPEvent +tactics: + - Exfiltration +relevantTechniques: + - T1048 +query: | + DigitalGuardianDLPEvent + | where TimeGenerated > ago(24h) + | where isnotempty(http_url) + | summarize count() by SrcUserName, http_url + | order by count_ asc + | top 10 by count_ + | extend AccountCustomEntity = SrcUserName +entityMappings: + - entityType: Account + fieldMappings: + - identifier: Name + columnName: AccountCustomEntity diff --git a/Solutions/DigitalGuardianDLP/Hunting Queries/DigitalGuardianUrlByUser.yaml b/Solutions/DigitalGuardianDLP/Hunting Queries/DigitalGuardianUrlByUser.yaml new file mode 100755 index 0000000000..4c84cac72f --- /dev/null +++ b/Solutions/DigitalGuardianDLP/Hunting Queries/DigitalGuardianUrlByUser.yaml @@ -0,0 +1,24 @@ +id: 310433ca-67aa-406d-bbdf-c167a474b0a0 +name: Digital Guardian - Urls used +description: | + 'Query searches for URLs used.' +severity: Medium +requiredDataConnectors: + - connectorId: DigitalGuardianDLP + dataTypes: + - DigitalGuardianDLPEvent +tactics: + - Exfiltration +relevantTechniques: + - T1048 +query: | + DigitalGuardianDLPEvent + | where TimeGenerated > ago(24h) + | where isnotempty(http_url) + | project SrcUserName, DstUserName, URL=http_url, MatchedPolicies + | extend AccountCustomEntity = SrcUserName +entityMappings: + - entityType: Account + fieldMappings: + - identifier: Name + columnName: AccountCustomEntity diff --git a/Solutions/DigitalGuardianDLP/Workbooks/DigitalGuardian.json b/Solutions/DigitalGuardianDLP/Workbooks/DigitalGuardian.json new file mode 100644 index 0000000000..722e15ba04 --- /dev/null +++ b/Solutions/DigitalGuardianDLP/Workbooks/DigitalGuardian.json @@ -0,0 +1,422 @@ +{ + "version": "Notebook/1.0", + "items": [ + { + "type": 1, + "content": { + "json": "**NOTE**: This data connector depends on a parser based on Kusto Function **DigitalGuardianDLPEvent** to work as expected. [Follow steps to get this Kusto Function](https://aka.ms/sentinel-DigitalGuardian-parser)" + }, + "name": "text - 8" + }, + { + "type": 9, + "content": { + "version": "KqlParameterItem/1.0", + "parameters": [ + { + "id": "cd8447d9-b096-4673-92d8-2a1e8291a125", + "version": "KqlParameterItem/1.0", + "name": "TimeRange", + "type": 4, + "description": "Sets the time name for analysis", + "value": { + "durationMs": 7776000000 + }, + "typeSettings": { + "selectableValues": [ + { + "durationMs": 1800000 + }, + { + "durationMs": 3600000 + }, + { + "durationMs": 86400000 + }, + { + "durationMs": 604800000 + }, + { + "durationMs": 2592000000 + }, + { + "durationMs": 7776000000 + } + ] + }, + "timeContext": { + "durationMs": 86400000 + } + } + ], + "style": "pills", + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces" + }, + "name": "parameters - 11" + }, + { + "type": 3, + "content": { + "version": "KqlItem/1.0", + "query": "DigitalGuardianDLPEvent\r\n| make-series TotalEvents = count() default = 0 on TimeGenerated from {TimeRange:start} to {TimeRange:end} step {TimeRange:grain};", + "size": 0, + "title": "Events Over Time", + "color": "green", + "timeContext": { + "durationMs": 7776000000 + }, + "timeContextFromParameter": "TimeRange", + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces", + "visualization": "timechart", + "graphSettings": { + "type": 0 + } + }, + "customWidth": "45", + "name": "query - 12", + "styleSettings": { + "maxWidth": "55" + } + }, + { + "type": 3, + "content": { + "version": "KqlItem/1.0", + "query": "DigitalGuardianDLPEvent\n| summarize count() by NetworkApplicationProtocol", + "size": 3, + "title": "Network Protocols", + "timeContext": { + "durationMs": 7776000000 + }, + "timeContextFromParameter": "TimeRange", + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces", + "visualization": "piechart" + }, + "customWidth": "30", + "name": "query - 10" + }, + { + "type": 12, + "content": { + "version": "NotebookGroup/1.0", + "groupType": "editable", + "title": "Data Connector Statistics", + "items": [ + { + "type": 3, + "content": { + "version": "KqlItem/1.0", + "query": "DigitalGuardianDLPEvent\r\n| where isnotempty(SrcIpAddr)\r\n| summarize dcount(SrcIpAddr)", + "size": 3, + "title": "IP Addresses", + "timeContext": { + "durationMs": 7776000000 + }, + "timeContextFromParameter": "TimeRange", + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces", + "visualization": "card", + "textSettings": { + "style": "bignumber" + } + }, + "customWidth": "50", + "name": "query - 3", + "styleSettings": { + "margin": "10", + "padding": "10" + } + }, + { + "type": 3, + "content": { + "version": "KqlItem/1.0", + "query": "DigitalGuardianDLPEvent\n| where isnotempty(SrcUserName)\n| summarize dcount(SrcUserName)", + "size": 3, + "title": "Users", + "timeContext": { + "durationMs": 7776000000 + }, + "timeContextFromParameter": "TimeRange", + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces", + "visualization": "card", + "textSettings": { + "style": "bignumber" + } + }, + "customWidth": "50", + "name": "query - 1" + }, + { + "type": 3, + "content": { + "version": "KqlItem/1.0", + "query": "DigitalGuardianDLPEvent\n| where isnotempty(SrcIpAddr)\n| summarize dcount(SrcIpAddr)", + "size": 3, + "title": "Hosts", + "timeContext": { + "durationMs": 7776000000 + }, + "timeContextFromParameter": "TimeRange", + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces", + "visualization": "card", + "textSettings": { + "style": "bignumber" + } + }, + "customWidth": "50", + "name": "query - 2" + }, + { + "type": 3, + "content": { + "version": "KqlItem/1.0", + "query": "DigitalGuardianDLPEvent\n| where isnotempty(IncidentId)\n| summarize dcount(IncidentId)", + "size": 3, + "title": "Total Incidents", + "noDataMessage": "0", + "timeContext": { + "durationMs": 7776000000 + }, + "timeContextFromParameter": "TimeRange", + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces", + "visualization": "card", + "textSettings": { + "style": "bignumber" + } + }, + "customWidth": "50", + "name": "query - 3" + } + ] + }, + "customWidth": "20", + "name": "group - 11" + }, + { + "type": 3, + "content": { + "version": "KqlItem/1.0", + "query": "DigitalGuardianDLPEvent\r\n| where isnotempty(SrcIpAddr)\r\n| summarize count() by SrcIpAddr\r\n| top 10 by count_", + "size": 3, + "title": "Top Source Addresses", + "timeContext": { + "durationMs": 7776000000 + }, + "timeContextFromParameter": "TimeRange", + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces", + "visualization": "piechart", + "tileSettings": { + "titleContent": { + "columnMatch": "cat", + "formatter": 1 + }, + "leftContent": { + "columnMatch": "count_", + "formatter": 12, + "formatOptions": { + "palette": "auto" + }, + "numberFormat": { + "unit": 17, + "options": { + "style": "decimal", + "maximumFractionDigits": 2, + "maximumSignificantDigits": 3 + } + } + }, + "secondaryContent": { + "columnMatch": "Trend", + "formatter": 9, + "formatOptions": { + "palette": "purple" + } + }, + "showBorder": false + } + }, + "customWidth": "35", + "name": "query - 0", + "styleSettings": { + "maxWidth": "30" + } + }, + { + "type": 3, + "content": { + "version": "KqlItem/1.0", + "query": "DigitalGuardianDLPEvent\n| where isnotempty(SrcUserName)\n| summarize count() by SrcUserName\n| top 10 by count_", + "size": 3, + "title": "Top Users", + "timeContext": { + "durationMs": 7776000000 + }, + "timeContextFromParameter": "TimeRange", + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces", + "visualization": "piechart" + }, + "customWidth": "35", + "name": "query - 11" + }, + { + "type": 3, + "content": { + "version": "KqlItem/1.0", + "query": "DigitalGuardianDLPEvent\n| where isnotempty(http_url)\n| extend u = parse_url(http_url)\n| extend Domain = tostring(u.Host)\n| summarize count() by Domain\n| project Domain, EventCount=count_", + "size": 3, + "title": "Top domains", + "timeContext": { + "durationMs": 7776000000 + }, + "timeContextFromParameter": "TimeRange", + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces", + "visualization": "table", + "gridSettings": { + "rowLimit": 10 + } + }, + "customWidth": "30", + "name": "query - 9" + }, + { + "type": 3, + "content": { + "version": "KqlItem/1.0", + "query": "DigitalGuardianDLPEvent\n| where isnotempty(DstUserName)\n| summarize f = makeset(inspected_document) by DstUserName\n| project Email = DstUserName, Files = f, FileCount = array_length(f)", + "size": 0, + "title": "Top Recipients", + "timeContext": { + "durationMs": 0 + }, + "timeContextFromParameter": "TimeRange", + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces", + "visualization": "table", + "gridSettings": { + "rowLimit": 10 + }, + "tileSettings": { + "titleContent": { + "columnMatch": "User", + "formatter": 1 + }, + "leftContent": { + "columnMatch": "TotalMailsReceived", + "formatter": 12, + "formatOptions": { + "palette": "auto" + }, + "numberFormat": { + "unit": 17, + "options": { + "maximumSignificantDigits": 3, + "maximumFractionDigits": 2 + } + } + }, + "secondaryContent": { + "columnMatch": "Trend", + "formatter": 10, + "formatOptions": { + "palette": "magenta" + } + }, + "showBorder": false + } + }, + "customWidth": "40", + "name": "query - 10" + }, + { + "type": 3, + "content": { + "version": "KqlItem/1.0", + "query": "DigitalGuardianDLPEvent\r\n| where isnotempty(inspected_document)\r\n| order by TimeGenerated\r\n| project File=inspected_document, User=SrcUserName, Policy=MatchedPolicies", + "size": 0, + "title": "Inspected files", + "timeContext": { + "durationMs": 0 + }, + "timeContextFromParameter": "TimeRange", + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces", + "visualization": "table", + "gridSettings": { + "formatters": [ + { + "columnMatch": "Total Bytes (KB)", + "formatter": 8, + "formatOptions": { + "palette": "greenRed" + } + } + ], + "filter": true + }, + "sortBy": [], + "tileSettings": { + "titleContent": { + "columnMatch": "User", + "formatter": 1 + }, + "leftContent": { + "columnMatch": "TrafficVolume(MB)", + "formatter": 12, + "formatOptions": { + "palette": "auto" + }, + "numberFormat": { + "unit": 17, + "options": { + "maximumSignificantDigits": 3, + "maximumFractionDigits": 2 + } + } + }, + "secondaryContent": { + "columnMatch": "Trend", + "formatter": 21, + "formatOptions": { + "palette": "blue" + } + }, + "showBorder": false + } + }, + "customWidth": "55", + "name": "query - 2" + }, + { + "type": 3, + "content": { + "version": "KqlItem/1.0", + "query": "DigitalGuardianDLPEvent\r\n| where isnotempty(IncidentStatus)\r\n| extend inc_act = split(IncidentStatus, ',')\r\n| where inc_act has 'New'\r\n| order by TimeGenerated\r\n| project TimeGenerated, User=SrcUserName, File=inspected_document, MatchedPolicies\r\n", + "size": 0, + "title": "New Incidents", + "timeContext": { + "durationMs": 0 + }, + "timeContextFromParameter": "TimeRange", + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces", + "visualization": "table", + "gridSettings": { + "filter": true + } + }, + "name": "query - 1" + } + ], + "fromTemplateId": "sentinel-DigitalGuardianWorkbook", + "$schema": "https://github.com/Microsoft/Application-Insights-Workbooks/blob/master/schema/workbook.json" +} \ No newline at end of file diff --git a/Solutions/DigitalGuardianDLP/Workbooks/Images/DigitalGuardianBlack.png b/Solutions/DigitalGuardianDLP/Workbooks/Images/DigitalGuardianBlack.png new file mode 100644 index 0000000000..ffb11ebe85 Binary files /dev/null and b/Solutions/DigitalGuardianDLP/Workbooks/Images/DigitalGuardianBlack.png differ diff --git a/Solutions/DigitalGuardianDLP/Workbooks/Images/DigitalGuardianWhite.png b/Solutions/DigitalGuardianDLP/Workbooks/Images/DigitalGuardianWhite.png new file mode 100644 index 0000000000..5cd20654d2 Binary files /dev/null and b/Solutions/DigitalGuardianDLP/Workbooks/Images/DigitalGuardianWhite.png differ diff --git a/Solutions/HYAS/Package/1.1.1.zip b/Solutions/HYAS/Package/1.1.1.zip new file mode 100644 index 0000000000..8290a04754 Binary files /dev/null and b/Solutions/HYAS/Package/1.1.1.zip differ diff --git a/Solutions/HYAS/Package/createUiDefinition.json b/Solutions/HYAS/Package/createUiDefinition.json index 287d04b776..8785f00b18 100644 --- a/Solutions/HYAS/Package/createUiDefinition.json +++ b/Solutions/HYAS/Package/createUiDefinition.json @@ -6,7 +6,7 @@ "config": { "isWizard": false, "basics": { - "description": "**Important:** _This Azure Sentinel Solution is currently in public preview. This feature is provided without a service level agreement, and it's not recommended for production workloads. Certain features might not be supported or might have constrained capabilities. For more information, see [Supplemental Terms of Use for Microsoft Azure Previews](https://azure.microsoft.com/support/legal/preview-supplemental-terms/)._\n\n**Note:** _There may be [known issues](https://aka.ms/sentinelsolutionsknownissues) pertaining to this Solution, please refer to them before installing._\n\n\n\nAzure Sentinel Solutions provide a consolidated way to acquire Azure Sentinel content like data connectors, workbooks, analytics, and automations in your workspace with a single deployment step.\n\n**Playbooks:** 13\n\n[Learn more about Azure Sentinel](https://aka.ms/azuresentinel) | [Learn more about Solutions](https://aka.ms/azuresentinelsolutionsdoc)", + "description": "**Important:** _This Microsoft Sentinel Solution is currently in public preview. This feature is provided without a service level agreement, and it's not recommended for production workloads. Certain features might not be supported or might have constrained capabilities. For more information, see [Supplemental Terms of Use for Microsoft Azure Previews](https://azure.microsoft.com/support/legal/preview-supplemental-terms/)._\n\n**Note:** _There may be [known issues](https://aka.ms/sentinelsolutionsknownissues) pertaining to this Solution, please refer to them before installing._\n\n\n\nMicrosoft Sentinel Solutions provide a consolidated way to acquire Microsoft Sentinel content like data connectors, workbooks, analytics, and automations in your workspace with a single deployment step.\n\n**Playbooks:** 17\n\n[Learn more about Microsoft Sentinel](https://aka.ms/azuresentinel) | [Learn more about Solutions](https://aka.ms/azuresentinelsolutionsdoc)", "subscription": { "resourceProviders": [ "Microsoft.OperationsManagement/solutions", @@ -564,12 +564,164 @@ } } ] + }, + { + "name": "playbook14", + "type": "Microsoft.Common.Section", + "label": "Enrich-Sentinel-Incident-HYAS-Insight-Domain-C2-Attribution", + "elements": [ + { + "name": "playbook14-text", + "type": "Microsoft.Common.TextBlock", + "options": { + "text": "This playbook uses the HYAS Insight connector to automatically enrich incidents generated by Sentinel with C2 Attribution information. You need a valid subscription in order to use the connector and playbook. Learn more about the integration via the https://docs.microsoft.com/connectors/hyasinsight/ or visit https://www.hyas.com/contact to request a trial key." + } + }, + { + "name": "playbook14-PlaybookName", + "type": "Microsoft.Common.TextBox", + "label": "Playbook Name", + "defaultValue": "Enrich-Sentinel-Incident-HYAS-Insight-Domain-C2-Attribution", + "toolTip": "Resource name for the logic app playbook. No spaces are allowed", + "constraints": { + "required": true, + "regex": "[a-z0-9A-Z]{1,256}$", + "validationMessage": "Please enter a playbook resource name" + } + }, + { + "name": "playbook14-UserName", + "type": "Microsoft.Common.TextBox", + "label": "HYAS Username", + "defaultValue": "@", + "toolTip": "Username to connect to HYAS API", + "constraints": { + "required": true, + "regex": "[a-z0-9A-Z]{1,256}$", + "validationMessage": "Please enter a playbook username" + } + } + ] + }, + { + "name": "playbook15", + "type": "Microsoft.Common.Section", + "label": "Enrich-Sentinel-Incident-HYAS-Insight-Email-C2-Attribution", + "elements": [ + { + "name": "playbook15-text", + "type": "Microsoft.Common.TextBlock", + "options": { + "text": "This playbook uses the HYAS Insight connector to automatically enrich incidents generated by Sentinel with C2 Attribution information. You need a valid subscription in order to use the connector and playbook. Learn more about the integration via the https://docs.microsoft.com/connectors/hyasinsight/ or visit https://www.hyas.com/contact to request a trial key." + } + }, + { + "name": "playbook15-PlaybookName", + "type": "Microsoft.Common.TextBox", + "label": "Playbook Name", + "defaultValue": "Enrich-Sentinel-Incident-HYAS-Insight-Email-C2-Attribution", + "toolTip": "Resource name for the logic app playbook. No spaces are allowed", + "constraints": { + "required": true, + "regex": "[a-z0-9A-Z]{1,256}$", + "validationMessage": "Please enter a playbook resource name" + } + }, + { + "name": "playbook15-UserName", + "type": "Microsoft.Common.TextBox", + "label": "HYAS Username", + "defaultValue": "@", + "toolTip": "Username to connect to HYAS API", + "constraints": { + "required": true, + "regex": "[a-z0-9A-Z]{1,256}$", + "validationMessage": "Please enter a playbook username" + } + } + ] + }, + { + "name": "playbook16", + "type": "Microsoft.Common.Section", + "label": "Enrich-Sentinel-Incident-HYAS-Insight-IP-C2-Attribution", + "elements": [ + { + "name": "playbook16-text", + "type": "Microsoft.Common.TextBlock", + "options": { + "text": "This playbook uses the HYAS Insight connector to automatically enrich incidents generated by Sentinel with C2 Attribution information. You need a valid subscription in order to use the connector and playbook. Learn more about the integration via the https://docs.microsoft.com/connectors/hyasinsight/ or visit https://www.hyas.com/contact to request a trial key." + } + }, + { + "name": "playbook16-PlaybookName", + "type": "Microsoft.Common.TextBox", + "label": "Playbook Name", + "defaultValue": "Enrich-Sentinel-Incident-HYAS-Insight-IP-C2-Attribution", + "toolTip": "Resource name for the logic app playbook. No spaces are allowed", + "constraints": { + "required": true, + "regex": "[a-z0-9A-Z]{1,256}$", + "validationMessage": "Please enter a playbook resource name" + } + }, + { + "name": "playbook16-UserName", + "type": "Microsoft.Common.TextBox", + "label": "HYAS Username", + "defaultValue": "@", + "toolTip": "Username to connect to HYAS API", + "constraints": { + "required": true, + "regex": "[a-z0-9A-Z]{1,256}$", + "validationMessage": "Please enter a playbook username" + } + } + ] + }, + { + "name": "playbook17", + "type": "Microsoft.Common.Section", + "label": "Enrich-Sentinel-Incident-HYAS-Insight-SHA256-C2-Attribution", + "elements": [ + { + "name": "playbook17-text", + "type": "Microsoft.Common.TextBlock", + "options": { + "text": "This playbook uses the HYAS Insight connector to automatically enrich incidents generated by Sentinel with C2 Attribution information. You need a valid subscription in order to use the connector and playbook. Learn more about the integration via the https://docs.microsoft.com/connectors/hyasinsight/ or visit https://www.hyas.com/contact to request a trial key." + } + }, + { + "name": "playbook17-PlaybookName", + "type": "Microsoft.Common.TextBox", + "label": "Playbook Name", + "defaultValue": "Enrich-Sentinel-Incident-HYAS-Insight-SHA256-C2-Attribution", + "toolTip": "Resource name for the logic app playbook. No spaces are allowed", + "constraints": { + "required": true, + "regex": "[a-z0-9A-Z]{1,256}$", + "validationMessage": "Please enter a playbook resource name" + } + }, + { + "name": "playbook17-UserName", + "type": "Microsoft.Common.TextBox", + "label": "HYAS Username", + "defaultValue": "@", + "toolTip": "Username to connect to HYAS API", + "constraints": { + "required": true, + "regex": "[a-z0-9A-Z]{1,256}$", + "validationMessage": "Please enter a playbook username" + } + } + ] } ] } ], "outputs": { - "workspace-location": "[resourceGroup().location]", + "workspace-location": "[first(map(filter(basics('getLAWorkspace').value, (filter) => and(contains(filter.id, toLower(resourceGroup().name)),equals(filter.name,basics('workspace')))), (item) => item.location))]", "location": "[location()]", "workspace": "[basics('workspace')]", "playbook1-PlaybookName": "[steps('playbooks').playbook1.playbook1-PlaybookName]", @@ -597,7 +749,15 @@ "playbook12-PlaybookName": "[steps('playbooks').playbook12.playbook12-PlaybookName]", "playbook12-UserName": "[steps('playbooks').playbook12.playbook12-UserName]", "playbook13-PlaybookName": "[steps('playbooks').playbook13.playbook13-PlaybookName]", - "playbook13-UserName": "[steps('playbooks').playbook13.playbook13-UserName]" + "playbook13-UserName": "[steps('playbooks').playbook13.playbook13-UserName]", + "playbook14-PlaybookName": "[steps('playbooks').playbook14.playbook14-PlaybookName]", + "playbook14-UserName": "[steps('playbooks').playbook14.playbook14-UserName]", + "playbook15-PlaybookName": "[steps('playbooks').playbook15.playbook15-PlaybookName]", + "playbook15-UserName": "[steps('playbooks').playbook15.playbook15-UserName]", + "playbook16-PlaybookName": "[steps('playbooks').playbook16.playbook16-PlaybookName]", + "playbook16-UserName": "[steps('playbooks').playbook16.playbook16-UserName]", + "playbook17-PlaybookName": "[steps('playbooks').playbook17.playbook17-PlaybookName]", + "playbook17-UserName": "[steps('playbooks').playbook17.playbook17-UserName]" } } } diff --git a/Solutions/HYAS/Package/mainTemplate.json b/Solutions/HYAS/Package/mainTemplate.json index 8a73761677..d047b1be3a 100644 --- a/Solutions/HYAS/Package/mainTemplate.json +++ b/Solutions/HYAS/Package/mainTemplate.json @@ -2,7 +2,7 @@ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "1.0.0.0", "metadata": { - "author": "Nikhil Tripathi - v-ntripathi@microsoft.com", + "author": "Manoj Arimanda - v-marimanda@microsoft.com", "comments": "Solution template for HYAS" }, "parameters": { @@ -16,10 +16,9 @@ }, "workspace-location": { "type": "string", - "minLength": 1, - "defaultValue": "[parameters('location')]", + "defaultValue": "", "metadata": { - "description": "Region to deploy solution resources" + "description": "[concat('Region to deploy solution resources -- separate from location selection',parameters('location'))]" } }, "workspace": { @@ -236,72 +235,152 @@ "metadata": { "description": "Username to connect to HYAS API" } + }, + "playbook14-PlaybookName": { + "defaultValue": "Enrich-Sentinel-Incident-HYAS-Insight-Domain-C2-Attribution", + "type": "string", + "minLength": 1, + "metadata": { + "description": "Resource name for the logic app playbook. No spaces are allowed" + } + }, + "playbook14-UserName": { + "defaultValue": "@", + "type": "string", + "minLength": 1, + "metadata": { + "description": "Username to connect to HYAS API" + } + }, + "playbook15-PlaybookName": { + "defaultValue": "Enrich-Sentinel-Incident-HYAS-Insight-Email-C2-Attribution", + "type": "string", + "minLength": 1, + "metadata": { + "description": "Resource name for the logic app playbook. No spaces are allowed" + } + }, + "playbook15-UserName": { + "defaultValue": "@", + "type": "string", + "minLength": 1, + "metadata": { + "description": "Username to connect to HYAS API" + } + }, + "playbook16-PlaybookName": { + "defaultValue": "Enrich-Sentinel-Incident-HYAS-Insight-IP-C2-Attribution", + "type": "string", + "minLength": 1, + "metadata": { + "description": "Resource name for the logic app playbook. No spaces are allowed" + } + }, + "playbook16-UserName": { + "defaultValue": "@", + "type": "string", + "minLength": 1, + "metadata": { + "description": "Username to connect to HYAS API" + } + }, + "playbook17-PlaybookName": { + "defaultValue": "Enrich-Sentinel-Incident-HYAS-Insight-SHA256-C2-Attribution", + "type": "string", + "minLength": 1, + "metadata": { + "description": "Resource name for the logic app playbook. No spaces are allowed" + } + }, + "playbook17-UserName": { + "defaultValue": "@", + "type": "string", + "minLength": 1, + "metadata": { + "description": "Username to connect to HYAS API" + } } }, "variables": { - "Enrich-Sentinel-Incident-HYAS-Insight-Domain-Current-WHOIS": "Enrich-Sentinel-Incident-HYAS-Insight-Domain-Current-WHOIS", - "_Enrich-Sentinel-Incident-HYAS-Insight-Domain-Current-WHOIS": "[variables('Enrich-Sentinel-Incident-HYAS-Insight-Domain-Current-WHOIS')]", + "playbook1-Enrich-Sentinel-Incident-HYAS-Insight-Domain-Current-WHOIS": "playbook1-Enrich-Sentinel-Incident-HYAS-Insight-Domain-Current-WHOIS", + "_playbook1-Enrich-Sentinel-Incident-HYAS-Insight-Domain-Current-WHOIS": "[variables('playbook1-Enrich-Sentinel-Incident-HYAS-Insight-Domain-Current-WHOIS')]", "playbook1-HYASInsightApiKey": "[concat('hyasinsight-', parameters('playbook1-PlaybookName'))]", "playbook1-AzureSentinelConnectionName": "[concat('azuresentinel-', parameters('playbook1-PlaybookName'))]", "playbook-1-connection-1": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', parameters('workspace-location'), '/managedApis/azuresentinel')]", "_playbook-1-connection-1": "[variables('playbook-1-connection-1')]", "playbook-1-connection-2": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', parameters('workspace-location'), '/managedApis/hyasinsight')]", "_playbook-1-connection-2": "[variables('playbook-1-connection-2')]", - "Enrich-Sentinel-Incident-HYAS-Insight-Domain-Historic-WHOIS": "Enrich-Sentinel-Incident-HYAS-Insight-Domain-Historic-WHOIS", - "_Enrich-Sentinel-Incident-HYAS-Insight-Domain-Historic-WHOIS": "[variables('Enrich-Sentinel-Incident-HYAS-Insight-Domain-Historic-WHOIS')]", + "playbook2-Enrich-Sentinel-Incident-HYAS-Insight-Domain-Historic-WHOIS": "playbook2-Enrich-Sentinel-Incident-HYAS-Insight-Domain-Historic-WHOIS", + "_playbook2-Enrich-Sentinel-Incident-HYAS-Insight-Domain-Historic-WHOIS": "[variables('playbook2-Enrich-Sentinel-Incident-HYAS-Insight-Domain-Historic-WHOIS')]", "playbook2-HYASInsightApiKey": "[concat('hyasinsight-', parameters('playbook2-PlaybookName'))]", "playbook2-AzureSentinelConnectionName": "[concat('azuresentinel-', parameters('playbook2-PlaybookName'))]", - "Enrich-Sentinel-Incident-HYAS-Insight-Domain-Passive-DNS": "Enrich-Sentinel-Incident-HYAS-Insight-Domain-Passive-DNS", - "_Enrich-Sentinel-Incident-HYAS-Insight-Domain-Passive-DNS": "[variables('Enrich-Sentinel-Incident-HYAS-Insight-Domain-Passive-DNS')]", + "playbook3-Enrich-Sentinel-Incident-HYAS-Insight-Domain-Passive-DNS": "playbook3-Enrich-Sentinel-Incident-HYAS-Insight-Domain-Passive-DNS", + "_playbook3-Enrich-Sentinel-Incident-HYAS-Insight-Domain-Passive-DNS": "[variables('playbook3-Enrich-Sentinel-Incident-HYAS-Insight-Domain-Passive-DNS')]", "playbook3-HYASInsightApiKey": "[concat('hyasinsight-', parameters('playbook3-PlaybookName'))]", "playbook3-AzureSentinelConnectionName": "[concat('azuresentinel-', parameters('playbook3-PlaybookName'))]", - "Enrich-Sentinel-Incident-HYAS-Insight-Email-Dynamic-DNS": "Enrich-Sentinel-Incident-HYAS-Insight-Email-Dynamic-DNS", - "_Enrich-Sentinel-Incident-HYAS-Insight-Email-Dynamic-DNS": "[variables('Enrich-Sentinel-Incident-HYAS-Insight-Email-Dynamic-DNS')]", + "playbook4-Enrich-Sentinel-Incident-HYAS-Insight-Email-Dynamic-DNS": "playbook4-Enrich-Sentinel-Incident-HYAS-Insight-Email-Dynamic-DNS", + "_playbook4-Enrich-Sentinel-Incident-HYAS-Insight-Email-Dynamic-DNS": "[variables('playbook4-Enrich-Sentinel-Incident-HYAS-Insight-Email-Dynamic-DNS')]", "playbook4-HYASInsightApiKey": "[concat('hyasinsight-', parameters('playbook4-PlaybookName'))]", "playbook4-AzureSentinelConnectionName": "[concat('azuresentinel-', parameters('playbook4-PlaybookName'))]", - "Enrich-Sentinel-Incident-HYAS-Insight-Email-Historic-WHOIS": "Enrich-Sentinel-Incident-HYAS-Insight-Email-Historic-WHOIS", - "_Enrich-Sentinel-Incident-HYAS-Insight-Email-Historic-WHOIS": "[variables('Enrich-Sentinel-Incident-HYAS-Insight-Email-Historic-WHOIS')]", + "playbook5-Enrich-Sentinel-Incident-HYAS-Insight-Email-Historic-WHOIS": "playbook5-Enrich-Sentinel-Incident-HYAS-Insight-Email-Historic-WHOIS", + "_playbook5-Enrich-Sentinel-Incident-HYAS-Insight-Email-Historic-WHOIS": "[variables('playbook5-Enrich-Sentinel-Incident-HYAS-Insight-Email-Historic-WHOIS')]", "playbook5-HYASInsightApiKey": "[concat('hyasinsight-', parameters('playbook5-PlaybookName'))]", "playbook5-AzureSentinelConnectionName": "[concat('azuresentinel-', parameters('playbook5-PlaybookName'))]", - "Enrich-Sentinel-Incident-HYAS-Insight-IP-Dynamic-DNS": "Enrich-Sentinel-Incident-HYAS-Insight-IP-Dynamic-DNS", - "_Enrich-Sentinel-Incident-HYAS-Insight-IP-Dynamic-DNS": "[variables('Enrich-Sentinel-Incident-HYAS-Insight-IP-Dynamic-DNS')]", + "playbook6-Enrich-Sentinel-Incident-HYAS-Insight-IP-Dynamic-DNS": "playbook6-Enrich-Sentinel-Incident-HYAS-Insight-IP-Dynamic-DNS", + "_playbook6-Enrich-Sentinel-Incident-HYAS-Insight-IP-Dynamic-DNS": "[variables('playbook6-Enrich-Sentinel-Incident-HYAS-Insight-IP-Dynamic-DNS')]", "playbook6-HYASInsightApiKey": "[concat('hyasinsight-', parameters('playbook6-PlaybookName'))]", "playbook6-AzureSentinelConnectionName": "[concat('azuresentinel-', parameters('playbook6-PlaybookName'))]", - "Enrich-Sentinel-Incident-HYAS-Insight-IP-Passive-DNS": "Enrich-Sentinel-Incident-HYAS-Insight-IP-Passive-DNS", - "_Enrich-Sentinel-Incident-HYAS-Insight-IP-Passive-DNS": "[variables('Enrich-Sentinel-Incident-HYAS-Insight-IP-Passive-DNS')]", + "playbook7-Enrich-Sentinel-Incident-HYAS-Insight-IP-Passive-DNS": "playbook7-Enrich-Sentinel-Incident-HYAS-Insight-IP-Passive-DNS", + "_playbook7-Enrich-Sentinel-Incident-HYAS-Insight-IP-Passive-DNS": "[variables('playbook7-Enrich-Sentinel-Incident-HYAS-Insight-IP-Passive-DNS')]", "playbook7-HYASInsightApiKey": "[concat('hyasinsight-', parameters('playbook7-PlaybookName'))]", "playbook7-AzureSentinelConnectionName": "[concat('azuresentinel-', parameters('playbook7-PlaybookName'))]", - "Enrich-Sentinel-Incident-HYAS-Insight-IP-Passive-Hash": "Enrich-Sentinel-Incident-HYAS-Insight-IP-Passive-Hash", - "_Enrich-Sentinel-Incident-HYAS-Insight-IP-Passive-Hash": "[variables('Enrich-Sentinel-Incident-HYAS-Insight-IP-Passive-Hash')]", + "playbook8-Enrich-Sentinel-Incident-HYAS-Insight-IP-Passive-Hash": "playbook8-Enrich-Sentinel-Incident-HYAS-Insight-IP-Passive-Hash", + "_playbook8-Enrich-Sentinel-Incident-HYAS-Insight-IP-Passive-Hash": "[variables('playbook8-Enrich-Sentinel-Incident-HYAS-Insight-IP-Passive-Hash')]", "playbook8-HYASInsightApiKey": "[concat('hyasinsight-', parameters('playbook8-PlaybookName'))]", "playbook8-AzureSentinelConnectionName": "[concat('azuresentinel-', parameters('playbook8-PlaybookName'))]", - "Enrich-Sentinel-Incident-HYAS-Insight-IP-SSL-Certificate": "Enrich-Sentinel-Incident-HYAS-Insight-IP-SSL-Certificate", - "_Enrich-Sentinel-Incident-HYAS-Insight-IP-SSL-Certificate": "[variables('Enrich-Sentinel-Incident-HYAS-Insight-IP-SSL-Certificate')]", + "playbook9-Enrich-Sentinel-Incident-HYAS-Insight-IP-SSL-Certificate": "playbook9-Enrich-Sentinel-Incident-HYAS-Insight-IP-SSL-Certificate", + "_playbook9-Enrich-Sentinel-Incident-HYAS-Insight-IP-SSL-Certificate": "[variables('playbook9-Enrich-Sentinel-Incident-HYAS-Insight-IP-SSL-Certificate')]", "playbook9-HYASInsightApiKey": "[concat('hyasinsight-', parameters('playbook9-PlaybookName'))]", "playbook9-AzureSentinelConnectionName": "[concat('azuresentinel-', parameters('playbook9-PlaybookName'))]", - "Enrich-Sentinel-Incident-HYAS-Insight-IP-Sinkhole": "Enrich-Sentinel-Incident-HYAS-Insight-IP-Sinkhole", - "_Enrich-Sentinel-Incident-HYAS-Insight-IP-Sinkhole": "[variables('Enrich-Sentinel-Incident-HYAS-Insight-IP-Sinkhole')]", + "playbook10-Enrich-Sentinel-Incident-HYAS-Insight-IP-Sinkhole": "playbook10-Enrich-Sentinel-Incident-HYAS-Insight-IP-Sinkhole", + "_playbook10-Enrich-Sentinel-Incident-HYAS-Insight-IP-Sinkhole": "[variables('playbook10-Enrich-Sentinel-Incident-HYAS-Insight-IP-Sinkhole')]", "playbook10-HYASInsightApiKey": "[concat('hyasinsight-', parameters('playbook10-PlaybookName'))]", "playbook10-AzureSentinelConnectionName": "[concat('azuresentinel-', parameters('playbook10-PlaybookName'))]", - "Enrich-Sentinel-Incident-HYAS-Insight-IPv4-Device-Geo": "Enrich-Sentinel-Incident-HYAS-Insight-IPv4-Device-Geo", - "_Enrich-Sentinel-Incident-HYAS-Insight-IPv4-Device-Geo": "[variables('Enrich-Sentinel-Incident-HYAS-Insight-IPv4-Device-Geo')]", + "playbook11-Enrich-Sentinel-Incident-HYAS-Insight-IPv4-Device-Geo": "playbook11-Enrich-Sentinel-Incident-HYAS-Insight-IPv4-Device-Geo", + "_playbook11-Enrich-Sentinel-Incident-HYAS-Insight-IPv4-Device-Geo": "[variables('playbook11-Enrich-Sentinel-Incident-HYAS-Insight-IPv4-Device-Geo')]", "playbook11-HYASInsightApiKey": "[concat('hyasinsight-', parameters('playbook11-PlaybookName'))]", "playbook11-AzureSentinelConnectionName": "[concat('azuresentinel-', parameters('playbook11-PlaybookName'))]", - "Enrich-Sentinel-Incident-HYAS-Insight-IPv6-Device-Geo": "Enrich-Sentinel-Incident-HYAS-Insight-IPv6-Device-Geo", - "_Enrich-Sentinel-Incident-HYAS-Insight-IPv6-Device-Geo": "[variables('Enrich-Sentinel-Incident-HYAS-Insight-IPv6-Device-Geo')]", + "playbook12-Enrich-Sentinel-Incident-HYAS-Insight-IPv6-Device-Geo": "playbook12-Enrich-Sentinel-Incident-HYAS-Insight-IPv6-Device-Geo", + "_playbook12-Enrich-Sentinel-Incident-HYAS-Insight-IPv6-Device-Geo": "[variables('playbook12-Enrich-Sentinel-Incident-HYAS-Insight-IPv6-Device-Geo')]", "playbook12-HYASInsightApiKey": "[concat('hyasinsight-', parameters('playbook12-PlaybookName'))]", "playbook12-AzureSentinelConnectionName": "[concat('azuresentinel-', parameters('playbook12-PlaybookName'))]", - "Enrich-Sentinel-Incident-HYAS-Insight-Phone-Number-Historic-WHOIS": "Enrich-Sentinel-Incident-HYAS-Insight-Phone-Number-Historic-WHOIS", - "_Enrich-Sentinel-Incident-HYAS-Insight-Phone-Number-Historic-WHOIS": "[variables('Enrich-Sentinel-Incident-HYAS-Insight-Phone-Number-Historic-WHOIS')]", + "playbook13-Enrich-Sentinel-Incident-HYAS-Insight-Phone-Number-Historic-WHOIS": "playbook13-Enrich-Sentinel-Incident-HYAS-Insight-Phone-Number-Historic-WHOIS", + "_playbook13-Enrich-Sentinel-Incident-HYAS-Insight-Phone-Number-Historic-WHOIS": "[variables('playbook13-Enrich-Sentinel-Incident-HYAS-Insight-Phone-Number-Historic-WHOIS')]", "playbook13-HYASInsightApiKey": "[concat('hyasinsight-', parameters('playbook13-PlaybookName'))]", "playbook13-AzureSentinelConnectionName": "[concat('azuresentinel-', parameters('playbook13-PlaybookName'))]", + "playbook14-Enrich-Sentinel-Incident-HYAS-Insight-Domain-C2-Attribution": "playbook14-Enrich-Sentinel-Incident-HYAS-Insight-Domain-C2-Attribution", + "_playbook14-Enrich-Sentinel-Incident-HYAS-Insight-Domain-C2-Attribution": "[variables('playbook14-Enrich-Sentinel-Incident-HYAS-Insight-Domain-C2-Attribution')]", + "playbook14-HYASInsightApiKey": "[concat('hyasinsight-', parameters('playbook14-PlaybookName'))]", + "playbook14-AzureSentinelConnectionName": "[concat('azuresentinel-', parameters('playbook14-PlaybookName'))]", + "playbook15-Enrich-Sentinel-Incident-HYAS-Insight-Email-C2-Attribution": "playbook15-Enrich-Sentinel-Incident-HYAS-Insight-Email-C2-Attribution", + "_playbook15-Enrich-Sentinel-Incident-HYAS-Insight-Email-C2-Attribution": "[variables('playbook15-Enrich-Sentinel-Incident-HYAS-Insight-Email-C2-Attribution')]", + "playbook15-HYASInsightApiKey": "[concat('hyasinsight-', parameters('playbook15-PlaybookName'))]", + "playbook15-AzureSentinelConnectionName": "[concat('azuresentinel-', parameters('playbook15-PlaybookName'))]", + "playbook16-Enrich-Sentinel-Incident-HYAS-Insight-IP-C2-Attribution": "playbook16-Enrich-Sentinel-Incident-HYAS-Insight-IP-C2-Attribution", + "_playbook16-Enrich-Sentinel-Incident-HYAS-Insight-IP-C2-Attribution": "[variables('playbook16-Enrich-Sentinel-Incident-HYAS-Insight-IP-C2-Attribution')]", + "playbook16-HYASInsightApiKey": "[concat('hyasinsight-', parameters('playbook16-PlaybookName'))]", + "playbook16-AzureSentinelConnectionName": "[concat('azuresentinel-', parameters('playbook16-PlaybookName'))]", + "playbook17-Enrich-Sentinel-Incident-HYAS-Insight-SHA256-C2-Attribution": "playbook17-Enrich-Sentinel-Incident-HYAS-Insight-SHA256-C2-Attribution", + "_playbook17-Enrich-Sentinel-Incident-HYAS-Insight-SHA256-C2-Attribution": "[variables('playbook17-Enrich-Sentinel-Incident-HYAS-Insight-SHA256-C2-Attribution')]", + "playbook17-HYASInsightApiKey": "[concat('hyasinsight-', parameters('playbook17-PlaybookName'))]", + "playbook17-AzureSentinelConnectionName": "[concat('azuresentinel-', parameters('playbook17-PlaybookName'))]", "sourceId": "hyas.a-hyas-insight-azure-sentinel-solutions-gallery", "_sourceId": "[variables('sourceId')]" }, "resources": [ { "type": "Microsoft.Web/connections", - "apiVersion": "2018-07-01-preview", + "apiVersion": "2016-06-01", "name": "[variables('playbook1-AzureSentinelConnectionName')]", "location": "[parameters('workspace-location')]", "properties": { @@ -312,7 +391,7 @@ }, { "type": "Microsoft.Web/connections", - "apiVersion": "2018-07-01-preview", + "apiVersion": "2016-06-01", "name": "[variables('playbook1-HYASInsightApiKey')]", "location": "[parameters('workspace-location')]", "properties": { @@ -324,7 +403,7 @@ }, { "type": "Microsoft.Logic/workflows", - "apiVersion": "2019-05-01", + "apiVersion": "2017-07-01", "name": "[parameters('playbook1-PlaybookName')]", "location": "[parameters('workspace-location')]", "dependsOn": [ @@ -635,7 +714,7 @@ }, { "type": "Microsoft.Web/connections", - "apiVersion": "2018-07-01-preview", + "apiVersion": "2016-06-01", "name": "[variables('playbook2-AzureSentinelConnectionName')]", "location": "[parameters('workspace-location')]", "properties": { @@ -646,7 +725,7 @@ }, { "type": "Microsoft.Web/connections", - "apiVersion": "2018-07-01-preview", + "apiVersion": "2016-06-01", "name": "[variables('playbook2-HYASInsightApiKey')]", "location": "[parameters('workspace-location')]", "properties": { @@ -658,7 +737,7 @@ }, { "type": "Microsoft.Logic/workflows", - "apiVersion": "2019-05-01", + "apiVersion": "2017-07-01", "name": "[parameters('playbook2-PlaybookName')]", "location": "[parameters('workspace-location')]", "dependsOn": [ @@ -942,7 +1021,7 @@ }, { "type": "Microsoft.Web/connections", - "apiVersion": "2018-07-01-preview", + "apiVersion": "2016-06-01", "name": "[variables('playbook3-AzureSentinelConnectionName')]", "location": "[parameters('workspace-location')]", "properties": { @@ -953,7 +1032,7 @@ }, { "type": "Microsoft.Web/connections", - "apiVersion": "2018-07-01-preview", + "apiVersion": "2016-06-01", "name": "[variables('playbook3-HYASInsightApiKey')]", "location": "[parameters('workspace-location')]", "properties": { @@ -965,7 +1044,7 @@ }, { "type": "Microsoft.Logic/workflows", - "apiVersion": "2019-05-01", + "apiVersion": "2017-07-01", "name": "[parameters('playbook3-PlaybookName')]", "location": "[parameters('workspace-location')]", "dependsOn": [ @@ -1243,7 +1322,7 @@ }, { "type": "Microsoft.Web/connections", - "apiVersion": "2018-07-01-preview", + "apiVersion": "2016-06-01", "name": "[variables('playbook4-AzureSentinelConnectionName')]", "location": "[parameters('workspace-location')]", "properties": { @@ -1254,7 +1333,7 @@ }, { "type": "Microsoft.Web/connections", - "apiVersion": "2018-07-01-preview", + "apiVersion": "2016-06-01", "name": "[variables('playbook4-HYASInsightApiKey')]", "location": "[parameters('workspace-location')]", "properties": { @@ -1266,7 +1345,7 @@ }, { "type": "Microsoft.Logic/workflows", - "apiVersion": "2019-05-01", + "apiVersion": "2017-07-01", "name": "[parameters('playbook4-PlaybookName')]", "location": "[parameters('workspace-location')]", "dependsOn": [ @@ -1618,7 +1697,7 @@ }, { "type": "Microsoft.Web/connections", - "apiVersion": "2018-07-01-preview", + "apiVersion": "2016-06-01", "name": "[variables('playbook5-AzureSentinelConnectionName')]", "location": "[parameters('workspace-location')]", "properties": { @@ -1629,7 +1708,7 @@ }, { "type": "Microsoft.Web/connections", - "apiVersion": "2018-07-01-preview", + "apiVersion": "2016-06-01", "name": "[variables('playbook5-HYASInsightApiKey')]", "location": "[parameters('workspace-location')]", "properties": { @@ -1641,7 +1720,7 @@ }, { "type": "Microsoft.Logic/workflows", - "apiVersion": "2019-05-01", + "apiVersion": "2017-07-01", "name": "[parameters('playbook5-PlaybookName')]", "location": "[parameters('workspace-location')]", "dependsOn": [ @@ -1998,7 +2077,7 @@ }, { "type": "Microsoft.Web/connections", - "apiVersion": "2018-07-01-preview", + "apiVersion": "2016-06-01", "name": "[variables('playbook6-AzureSentinelConnectionName')]", "location": "[parameters('workspace-location')]", "properties": { @@ -2009,7 +2088,7 @@ }, { "type": "Microsoft.Web/connections", - "apiVersion": "2018-07-01-preview", + "apiVersion": "2016-06-01", "name": "[variables('playbook6-HYASInsightApiKey')]", "location": "[parameters('workspace-location')]", "properties": { @@ -2021,7 +2100,7 @@ }, { "type": "Microsoft.Logic/workflows", - "apiVersion": "2019-05-01", + "apiVersion": "2017-07-01", "name": "[parameters('playbook6-PlaybookName')]", "location": "[parameters('workspace-location')]", "dependsOn": [ @@ -2300,7 +2379,7 @@ }, { "type": "Microsoft.Web/connections", - "apiVersion": "2018-07-01-preview", + "apiVersion": "2016-06-01", "name": "[variables('playbook7-AzureSentinelConnectionName')]", "location": "[parameters('workspace-location')]", "properties": { @@ -2311,7 +2390,7 @@ }, { "type": "Microsoft.Web/connections", - "apiVersion": "2018-07-01-preview", + "apiVersion": "2016-06-01", "name": "[variables('playbook7-HYASInsightApiKey')]", "location": "[parameters('workspace-location')]", "properties": { @@ -2323,7 +2402,7 @@ }, { "type": "Microsoft.Logic/workflows", - "apiVersion": "2019-05-01", + "apiVersion": "2017-07-01", "name": "[parameters('playbook7-PlaybookName')]", "location": "[parameters('workspace-location')]", "dependsOn": [ @@ -2601,7 +2680,7 @@ }, { "type": "Microsoft.Web/connections", - "apiVersion": "2018-07-01-preview", + "apiVersion": "2016-06-01", "name": "[variables('playbook8-AzureSentinelConnectionName')]", "location": "[parameters('workspace-location')]", "properties": { @@ -2612,7 +2691,7 @@ }, { "type": "Microsoft.Web/connections", - "apiVersion": "2018-07-01-preview", + "apiVersion": "2016-06-01", "name": "[variables('playbook8-HYASInsightApiKey')]", "location": "[parameters('workspace-location')]", "properties": { @@ -2624,7 +2703,7 @@ }, { "type": "Microsoft.Logic/workflows", - "apiVersion": "2019-05-01", + "apiVersion": "2017-07-01", "name": "[parameters('playbook8-PlaybookName')]", "location": "[parameters('workspace-location')]", "dependsOn": [ @@ -2900,7 +2979,7 @@ }, { "type": "Microsoft.Web/connections", - "apiVersion": "2018-07-01-preview", + "apiVersion": "2016-06-01", "name": "[variables('playbook9-AzureSentinelConnectionName')]", "location": "[parameters('workspace-location')]", "properties": { @@ -2911,7 +2990,7 @@ }, { "type": "Microsoft.Web/connections", - "apiVersion": "2018-07-01-preview", + "apiVersion": "2016-06-01", "name": "[variables('playbook9-HYASInsightApiKey')]", "location": "[parameters('workspace-location')]", "properties": { @@ -2923,7 +3002,7 @@ }, { "type": "Microsoft.Logic/workflows", - "apiVersion": "2019-05-01", + "apiVersion": "2017-07-01", "name": "[parameters('playbook9-PlaybookName')]", "location": "[parameters('workspace-location')]", "dependsOn": [ @@ -3203,7 +3282,7 @@ }, { "type": "Microsoft.Web/connections", - "apiVersion": "2018-07-01-preview", + "apiVersion": "2016-06-01", "name": "[variables('playbook10-AzureSentinelConnectionName')]", "location": "[parameters('workspace-location')]", "properties": { @@ -3214,7 +3293,7 @@ }, { "type": "Microsoft.Web/connections", - "apiVersion": "2018-07-01-preview", + "apiVersion": "2016-06-01", "name": "[variables('playbook10-HYASInsightApiKey')]", "location": "[parameters('workspace-location')]", "properties": { @@ -3226,7 +3305,7 @@ }, { "type": "Microsoft.Logic/workflows", - "apiVersion": "2019-05-01", + "apiVersion": "2017-07-01", "name": "[parameters('playbook10-PlaybookName')]", "location": "[parameters('workspace-location')]", "dependsOn": [ @@ -3505,7 +3584,7 @@ }, { "type": "Microsoft.Web/connections", - "apiVersion": "2018-07-01-preview", + "apiVersion": "2016-06-01", "name": "[variables('playbook11-AzureSentinelConnectionName')]", "location": "[parameters('workspace-location')]", "properties": { @@ -3516,7 +3595,7 @@ }, { "type": "Microsoft.Web/connections", - "apiVersion": "2018-07-01-preview", + "apiVersion": "2016-06-01", "name": "[variables('playbook11-HYASInsightApiKey')]", "location": "[parameters('workspace-location')]", "properties": { @@ -3528,7 +3607,7 @@ }, { "type": "Microsoft.Logic/workflows", - "apiVersion": "2019-05-01", + "apiVersion": "2017-07-01", "name": "[parameters('playbook11-PlaybookName')]", "location": "[parameters('workspace-location')]", "dependsOn": [ @@ -3804,7 +3883,7 @@ }, { "type": "Microsoft.Web/connections", - "apiVersion": "2018-07-01-preview", + "apiVersion": "2016-06-01", "name": "[variables('playbook12-AzureSentinelConnectionName')]", "location": "[parameters('workspace-location')]", "properties": { @@ -3815,7 +3894,7 @@ }, { "type": "Microsoft.Web/connections", - "apiVersion": "2018-07-01-preview", + "apiVersion": "2016-06-01", "name": "[variables('playbook12-HYASInsightApiKey')]", "location": "[parameters('workspace-location')]", "properties": { @@ -3827,7 +3906,7 @@ }, { "type": "Microsoft.Logic/workflows", - "apiVersion": "2019-05-01", + "apiVersion": "2017-07-01", "name": "[parameters('playbook12-PlaybookName')]", "location": "[parameters('workspace-location')]", "dependsOn": [ @@ -4103,7 +4182,7 @@ }, { "type": "Microsoft.Web/connections", - "apiVersion": "2018-07-01-preview", + "apiVersion": "2016-06-01", "name": "[variables('playbook13-AzureSentinelConnectionName')]", "location": "[parameters('workspace-location')]", "properties": { @@ -4114,7 +4193,7 @@ }, { "type": "Microsoft.Web/connections", - "apiVersion": "2018-07-01-preview", + "apiVersion": "2016-06-01", "name": "[variables('playbook13-HYASInsightApiKey')]", "location": "[parameters('workspace-location')]", "properties": { @@ -4126,7 +4205,7 @@ }, { "type": "Microsoft.Logic/workflows", - "apiVersion": "2019-05-01", + "apiVersion": "2017-07-01", "name": "[parameters('playbook13-PlaybookName')]", "location": "[parameters('workspace-location')]", "dependsOn": [ @@ -4402,11 +4481,1402 @@ } } }, + { + "type": "Microsoft.Web/connections", + "apiVersion": "2016-06-01", + "name": "[variables('playbook14-AzureSentinelConnectionName')]", + "location": "[parameters('workspace-location')]", + "kind": "V1", + "properties": { + "displayName": "[variables('playbook14-AzureSentinelConnectionName')]", + "parameterValueType": "Alternative", + "api": { + "id": "[variables('_playbook-1-connection-1')]" + } + } + }, + { + "type": "Microsoft.Web/connections", + "apiVersion": "2016-06-01", + "name": "[variables('playbook14-HYASInsightApiKey')]", + "location": "[parameters('workspace-location')]", + "properties": { + "displayName": "[parameters('playbook14-UserName')]", + "api": { + "id": "[variables('_playbook-1-connection-2')]" + } + } + }, + { + "type": "Microsoft.Logic/workflows", + "apiVersion": "2017-07-01", + "name": "[parameters('playbook14-PlaybookName')]", + "location": "[parameters('workspace-location')]", + "identity": { + "type": "SystemAssigned" + }, + "dependsOn": [ + "[resourceId('Microsoft.Web/connections', variables('playbook14-HYASInsightApiKey'))]", + "[resourceId('Microsoft.Web/connections', variables('playbook14-AzureSentinelConnectionName'))]" + ], + "properties": { + "state": "Enabled", + "definition": { + "$schema": "https://schema.@{variables('azureManagementUrl')}/providers/Microsoft.Logic/schemas/2016-06-01/workflowdefinition.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "$connections": { + "type": "Object" + } + }, + "triggers": { + "When_a_response_to_an_Azure_Sentinel_alert_is_triggered": { + "type": "ApiConnectionWebhook", + "inputs": { + "body": { + "callback_url": "@{listCallbackUrl()}" + }, + "host": { + "connection": { + "name": "@parameters('$connections')['azuresentinel']['connectionId']" + } + }, + "path": "/subscribe" + } + } + }, + "actions": { + "Entities_-_Get_Hosts": { + "type": "ApiConnection", + "inputs": { + "body": "@triggerBody()?['Entities']", + "host": { + "connection": { + "name": "@parameters('$connections')['azuresentinel']['connectionId']" + } + }, + "method": "post", + "path": "/entities/host" + } + }, + "JSON_Output_Variable": { + "runAfter": { + "Entities_-_Get_Hosts": [ + "Succeeded" + ] + }, + "type": "InitializeVariable", + "inputs": { + "variables": [ + { + "name": "Json Output", + "type": "array" + } + ] + } + }, + "Looping_through_Hosts_Object": { + "foreach": "@body('Entities_-_Get_Hosts')?['Hosts']", + "actions": { + "Add_comment_to_incident_(V2)_2": { + "runAfter": { + "Checking_If_the_Response_Returned_Data": [ + "Succeeded" + ] + }, + "type": "ApiConnection", + "inputs": { + "body": { + "Value": "HYAS Insight C2 Attribution Enrichment data for the Domain \"@{items('Looping_through_Hosts_Object')?['HostName']}.@{items('Looping_through_Hosts_Object')?['DnsDomain']}\" : @{variables('Comment')} For detailed information, see https://insight.hyas.com/static/details?domain=@{items('Looping_through_Hosts_Object')?['HostName']}.@{items('Looping_through_Hosts_Object')?['DnsDomain']}" + }, + "host": { + "connection": { + "name": "@parameters('$connections')['azuresentinel']['connectionId']" + } + }, + "method": "put", + "path": "/Comment/@{encodeURIComponent(triggerBody()?['WorkspaceSubscriptionId'])}/@{encodeURIComponent(triggerBody()?['WorkspaceId'])}/@{encodeURIComponent(triggerBody()?['WorkspaceResourceGroup'])}/@{encodeURIComponent('Alert')}/@{encodeURIComponent(triggerBody()?['SystemAlertId'])}" + } + }, + "Checking_If_the_Response_Returned_Data": { + "actions": { + "Assigning_Table_Formatted_Output_to_Incident_Comment_Variable": { + "runAfter": { + "Set_Comment_Variable_to_Empty": [ + "Succeeded" + ] + }, + "type": "SetVariable", + "inputs": { + "name": "Comment", + "value": "@body('Create_HTML_table')" + } + }, + "Create_HTML_table": { + "runAfter": { + "For_each": [ + "Succeeded" + ] + }, + "type": "Table", + "inputs": { + "format": "HTML", + "from": "@variables('Json Output')" + } + }, + "For_each": { + "foreach": "@take(body('Retrieve_C2_Attribution_information_for_Domain'),3)", + "actions": { + "Append_to_array_variable": { + "type": "AppendToArrayVariable", + "inputs": { + "name": "Json Output", + "value": { + "actor_ipv4": "@items('For_each')?['actor_ipv4']", + "c2_domain": "@items('For_each')?['c2_domain']", + "c2_ipv4": "@items('For_each')?['c2_ip']", + "c2_url": "@items('For_each')?['c2_url']", + "datetime": "@items('For_each')?['datetime']", + "email": "@items('For_each')?['email']", + "email_domain": "@items('For_each')?['email_domain']", + "referrer_domain": "@items('For_each')?['referrer_domain']", + "referrer_ipv4": "@items('For_each')?['referrer_ipv4']", + "referrer_url": "@items('For_each')?['referrer_url']", + "sha256": "@items('For_each')?['sha256']" + } + } + } + }, + "type": "Foreach", + "runtimeConfiguration": { + "concurrency": { + "repetitions": 1 + } + } + }, + "Set_Comment_Variable_to_Empty": { + "runAfter": { + "Set_Json_Output_to_Empty": [ + "Succeeded" + ] + }, + "type": "SetVariable", + "inputs": { + "name": "Comment", + "value": " " + } + }, + "Set_Json_Output_to_Empty": { + "runAfter": { + "Create_HTML_table": [ + "Succeeded" + ] + }, + "type": "SetVariable", + "inputs": { + "name": "Json Output" + } + } + }, + "runAfter": { + "Setting_the_Response_Length_Variable": [ + "Succeeded" + ] + }, + "else": { + "actions": { + "No_Records_Found": { + "type": "SetVariable", + "inputs": { + "name": "Comment", + "value": "No records found in HYAS Insight for the Domain \"@{items('Looping_through_Hosts_Object')?['HostName']}.@{items('Looping_through_Hosts_Object')?['DnsDomain']}\"" + } + } + } + }, + "expression": { + "and": [ + { + "greater": [ + "@variables('RecordsLength')", + 0 + ] + } + ] + }, + "type": "If" + }, + "Retrieve_C2_Attribution_information_for_Domain": { + "type": "ApiConnection", + "inputs": { + "body": { + "applied_filters": { + "domain": "@{items('Looping_through_Hosts_Object')?['HostName']}.@{items('Looping_through_Hosts_Object')?['DnsDomain']}" + } + }, + "host": { + "connection": { + "name": "@parameters('$connections')['hyasinsight']['connectionId']" + } + }, + "method": "post", + "path": "/c2attribution/domain" + } + }, + "Setting_the_Response_Length_Variable": { + "runAfter": { + "Retrieve_C2_Attribution_information_for_Domain": [ + "Succeeded" + ] + }, + "type": "SetVariable", + "inputs": { + "name": "RecordsLength", + "value": "@length(body('Retrieve_C2_Attribution_information_for_Domain'))" + } + } + }, + "runAfter": { + "Sentinel_Incident_Comment_Variable": [ + "Succeeded" + ] + }, + "type": "Foreach", + "runtimeConfiguration": { + "concurrency": { + "repetitions": 1 + } + } + }, + "Response_Length_Variable": { + "runAfter": { + "JSON_Output_Variable": [ + "Succeeded" + ] + }, + "type": "InitializeVariable", + "inputs": { + "variables": [ + { + "name": "RecordsLength", + "type": "integer", + "value": 0 + } + ] + } + }, + "Sentinel_Incident_Comment_Variable": { + "runAfter": { + "Response_Length_Variable": [ + "Succeeded" + ] + }, + "type": "InitializeVariable", + "inputs": { + "variables": [ + { + "name": "Comment", + "type": "string" + } + ] + } + } + } + }, + "parameters": { + "$connections": { + "value": { + "azuresentinel": { + "connectionId": "[resourceId('Microsoft.Web/connections', variables('playbook14-AzureSentinelConnectionName'))]", + "connectionName": "[variables('playbook14-AzureSentinelConnectionName')]", + "id": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', parameters('workspace-location'), '/managedApis/azuresentinel')]", + "connectionProperties": { + "authentication": { + "type": "ManagedServiceIdentity" + } + } + }, + "hyasinsight": { + "connectionId": "[resourceId('Microsoft.Web/connections', variables('playbook14-HYASInsightApiKey'))]", + "connectionName": "[variables('playbook14-HYASInsightApiKey')]", + "id": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', parameters('workspace-location'), '/managedApis/hyasinsight')]" + } + } + } + } + } + }, + { + "type": "Microsoft.Web/connections", + "apiVersion": "2016-06-01", + "name": "[variables('playbook15-AzureSentinelConnectionName')]", + "location": "[parameters('workspace-location')]", + "kind": "V1", + "properties": { + "displayName": "[variables('playbook15-AzureSentinelConnectionName')]", + "parameterValueType": "Alternative", + "api": { + "id": "[variables('_playbook-1-connection-1')]" + } + } + }, + { + "type": "Microsoft.Web/connections", + "apiVersion": "2016-06-01", + "name": "[variables('playbook15-HYASInsightApiKey')]", + "location": "[parameters('workspace-location')]", + "properties": { + "displayName": "[parameters('playbook15-UserName')]", + "api": { + "id": "[variables('_playbook-1-connection-2')]" + } + } + }, + { + "type": "Microsoft.Logic/workflows", + "apiVersion": "2017-07-01", + "name": "[parameters('playbook15-PlaybookName')]", + "location": "[parameters('workspace-location')]", + "identity": { + "type": "SystemAssigned" + }, + "dependsOn": [ + "[resourceId('Microsoft.Web/connections', variables('playbook15-HYASInsightApiKey'))]", + "[resourceId('Microsoft.Web/connections', variables('playbook15-AzureSentinelConnectionName'))]" + ], + "properties": { + "state": "Enabled", + "definition": { + "$schema": "https://schema.@{variables('azureManagementUrl')}/providers/Microsoft.Logic/schemas/2016-06-01/workflowdefinition.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "$connections": { + "type": "Object" + } + }, + "triggers": { + "When_a_response_to_an_Azure_Sentinel_alert_is_triggered": { + "type": "ApiConnectionWebhook", + "inputs": { + "body": { + "callback_url": "@{listCallbackUrl()}" + }, + "host": { + "connection": { + "name": "@parameters('$connections')['azuresentinel']['connectionId']" + } + }, + "path": "/subscribe" + } + } + }, + "actions": { + "Account_Name_Variable": { + "runAfter": { + "Sentinel_Incident_Comment_Variable": [ + "Succeeded" + ] + }, + "type": "InitializeVariable", + "inputs": { + "variables": [ + { + "name": "Email1", + "type": "string" + } + ] + } + }, + "Account_UPN_Suffix_Variable": { + "runAfter": { + "Account_Name_Variable": [ + "Succeeded" + ] + }, + "type": "InitializeVariable", + "inputs": { + "variables": [ + { + "name": "Email2", + "type": "string" + } + ] + } + }, + "Email_Connector_Variable": { + "runAfter": { + "Account_UPN_Suffix_Variable": [ + "Succeeded" + ] + }, + "type": "InitializeVariable", + "inputs": { + "variables": [ + { + "name": "Connector", + "type": "string", + "value": "@" + } + ] + } + }, + "Entities_-_Get_Accounts": { + "type": "ApiConnection", + "inputs": { + "body": "@triggerBody()?['Entities']", + "host": { + "connection": { + "name": "@parameters('$connections')['azuresentinel']['connectionId']" + } + }, + "method": "post", + "path": "/entities/account" + } + }, + "JSON_Output_Variable": { + "runAfter": { + "Entities_-_Get_Accounts": [ + "Succeeded" + ] + }, + "type": "InitializeVariable", + "inputs": { + "variables": [ + { + "name": "Json Output", + "type": "array" + } + ] + } + }, + "Looping_Through_Account_Object_for_Accounts_Name": { + "foreach": "@body('Entities_-_Get_Accounts')?['Accounts']", + "actions": { + "Add_comment_to_incident_(V2)_2": { + "runAfter": { + "Checking_If_the_Response_Returned_Data": [ + "Succeeded" + ] + }, + "type": "ApiConnection", + "inputs": { + "body": { + "Value": "HYAS Insight C2 Attribution Enrichment data the Email Address\"@{concat(variables('Email1'),variables('Connector'),variables('Email2'))}\" : @{variables('Comment')} For detailed information, see https://insight.hyas.com/static/details?email=@{concat(variables('Email1'),variables('Connector'),variables('Email2'))}" + }, + "host": { + "connection": { + "name": "@parameters('$connections')['azuresentinel']['connectionId']" + } + }, + "method": "put", + "path": "/Comment/@{encodeURIComponent(triggerBody()?['WorkspaceSubscriptionId'])}/@{encodeURIComponent(triggerBody()?['WorkspaceId'])}/@{encodeURIComponent(triggerBody()?['WorkspaceResourceGroup'])}/@{encodeURIComponent('Alert')}/@{encodeURIComponent(triggerBody()?['SystemAlertId'])}" + } + }, + "Checking_If_the_Response_Returned_Data": { + "actions": { + "Assigning_Table_Formatted_Output_to_Incident_Comment_Variable": { + "runAfter": { + "Set_Comment_to_Empty": [ + "Succeeded" + ] + }, + "type": "SetVariable", + "inputs": { + "name": "Comment", + "value": "@body('Create_HTML_table')" + } + }, + "Create_HTML_table": { + "runAfter": { + "For_each": [ + "Succeeded" + ] + }, + "type": "Table", + "inputs": { + "format": "HTML", + "from": "@variables('Json Output')" + } + }, + "For_each": { + "foreach": "@take(body('Retrieve_C2_Attribution_information_for_Email_address'),3)", + "actions": { + "Append_to_array_variable": { + "type": "AppendToArrayVariable", + "inputs": { + "name": "Json Output", + "value": { + "actor_ipv4": "@items('For_each')?['actor_ipv4']", + "c2_domain": "@items('For_each')?['c2_domain']", + "c2_ipv4": "@items('For_each')?['c2_ip']", + "c2_url": "@items('For_each')?['c2_url']", + "datetime": "@items('For_each')?['datetime']", + "email": "@items('For_each')?['email']", + "email_domain": "@items('For_each')?['email_domain']", + "referrer_domain": "@items('For_each')?['referrer_domain']", + "referrer_ipv4": "@items('For_each')?['referrer_ipv4']", + "referrer_url": "@items('For_each')?['referrer_url']", + "sha256": "@items('For_each')?['sha256']" + } + } + } + }, + "type": "Foreach" + }, + "Set_Comment_to_Empty": { + "runAfter": { + "Set_JSON_Output_to_Empty": [ + "Succeeded" + ] + }, + "type": "SetVariable", + "inputs": { + "name": "Comment", + "value": " " + } + }, + "Set_JSON_Output_to_Empty": { + "runAfter": { + "Create_HTML_table": [ + "Succeeded" + ] + }, + "type": "SetVariable", + "inputs": { + "name": "Json Output" + } + } + }, + "runAfter": { + "Setting_Response_Length_Variable": [ + "Succeeded" + ] + }, + "else": { + "actions": { + "No_Records_Found": { + "type": "SetVariable", + "inputs": { + "name": "Comment", + "value": "No records found in HYAS Insight for the Email Address \"@{concat(variables('Email1'),variables('Connector'),variables('Email2'))}\"." + } + } + } + }, + "expression": { + "and": [ + { + "greater": [ + "@variables('RecordsLength')", + 0 + ] + } + ] + }, + "type": "If" + }, + "Retrieve_C2_Attribution_information_for_Email_address": { + "runAfter": { + "Setting_Accounts_UPN_suffix_variable": [ + "Succeeded" + ] + }, + "type": "ApiConnection", + "inputs": { + "body": { + "applied_filters": { + "email": "@{concat(variables('Email1'),variables('Connector'),variables('Email2'))}" + } + }, + "host": { + "connection": { + "name": "@parameters('$connections')['hyasinsight']['connectionId']" + } + }, + "method": "post", + "path": "/c2attribution/email" + } + }, + "Setting_Accounts_Name_Variable": { + "type": "SetVariable", + "inputs": { + "name": "Email1", + "value": "@items('Looping_Through_Account_Object_for_Accounts_Name')?['Name']" + } + }, + "Setting_Accounts_UPN_suffix_variable": { + "runAfter": { + "Setting_Accounts_Name_Variable": [ + "Succeeded" + ] + }, + "type": "SetVariable", + "inputs": { + "name": "Email2", + "value": "@items('Looping_Through_Account_Object_for_Accounts_Name')?['UPNSuffix']" + } + }, + "Setting_Response_Length_Variable": { + "runAfter": { + "Retrieve_C2_Attribution_information_for_Email_address": [ + "Succeeded" + ] + }, + "type": "SetVariable", + "inputs": { + "name": "RecordsLength", + "value": "@length(body('Retrieve_C2_Attribution_information_for_Email_address'))" + } + } + }, + "runAfter": { + "Email_Connector_Variable": [ + "Succeeded" + ] + }, + "type": "Foreach", + "runtimeConfiguration": { + "concurrency": { + "repetitions": 1 + } + } + }, + "Response_Length_Variable": { + "runAfter": { + "JSON_Output_Variable": [ + "Succeeded" + ] + }, + "type": "InitializeVariable", + "inputs": { + "variables": [ + { + "name": "RecordsLength", + "type": "integer", + "value": 0 + } + ] + } + }, + "Sentinel_Incident_Comment_Variable": { + "runAfter": { + "Response_Length_Variable": [ + "Succeeded" + ] + }, + "type": "InitializeVariable", + "inputs": { + "variables": [ + { + "name": "Comment", + "type": "string" + } + ] + } + } + } + }, + "parameters": { + "$connections": { + "value": { + "azuresentinel": { + "connectionId": "[resourceId('Microsoft.Web/connections', variables('playbook15-AzureSentinelConnectionName'))]", + "connectionName": "[variables('playbook15-AzureSentinelConnectionName')]", + "id": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', parameters('workspace-location'), '/managedApis/azuresentinel')]", + "connectionProperties": { + "authentication": { + "type": "ManagedServiceIdentity" + } + } + }, + "hyasinsight": { + "connectionId": "[resourceId('Microsoft.Web/connections', variables('playbook15-HYASInsightApiKey'))]", + "connectionName": "[variables('playbook15-HYASInsightApiKey')]", + "id": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', parameters('workspace-location'), '/managedApis/hyasinsight')]" + } + } + } + } + } + }, + { + "type": "Microsoft.Web/connections", + "apiVersion": "2016-06-01", + "name": "[variables('playbook16-AzureSentinelConnectionName')]", + "location": "[parameters('workspace-location')]", + "kind": "V1", + "properties": { + "displayName": "[variables('playbook16-AzureSentinelConnectionName')]", + "parameterValueType": "Alternative", + "api": { + "id": "[variables('_playbook-1-connection-1')]" + } + } + }, + { + "type": "Microsoft.Web/connections", + "apiVersion": "2016-06-01", + "name": "[variables('playbook16-HYASInsightApiKey')]", + "location": "[parameters('workspace-location')]", + "properties": { + "displayName": "[parameters('playbook16-UserName')]", + "api": { + "id": "[variables('_playbook-1-connection-2')]" + } + } + }, + { + "type": "Microsoft.Logic/workflows", + "apiVersion": "2017-07-01", + "name": "[parameters('playbook16-PlaybookName')]", + "location": "[parameters('workspace-location')]", + "identity": { + "type": "SystemAssigned" + }, + "dependsOn": [ + "[resourceId('Microsoft.Web/connections', variables('playbook16-HYASInsightApiKey'))]", + "[resourceId('Microsoft.Web/connections', variables('playbook16-AzureSentinelConnectionName'))]" + ], + "properties": { + "state": "Enabled", + "definition": { + "$schema": "https://schema.@{variables('azureManagementUrl')}/providers/Microsoft.Logic/schemas/2016-06-01/workflowdefinition.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "$connections": { + "type": "Object" + } + }, + "triggers": { + "When_a_response_to_an_Azure_Sentinel_alert_is_triggered": { + "type": "ApiConnectionWebhook", + "inputs": { + "body": { + "callback_url": "@{listCallbackUrl()}" + }, + "host": { + "connection": { + "name": "@parameters('$connections')['azuresentinel']['connectionId']" + } + }, + "path": "/subscribe" + } + } + }, + "actions": { + "Entities_-_Get_IPs": { + "type": "ApiConnection", + "inputs": { + "body": "@triggerBody()?['Entities']", + "host": { + "connection": { + "name": "@parameters('$connections')['azuresentinel']['connectionId']" + } + }, + "method": "post", + "path": "/entities/ip" + } + }, + "JSON_Output_Variable": { + "runAfter": { + "Entities_-_Get_IPs": [ + "Succeeded" + ] + }, + "type": "InitializeVariable", + "inputs": { + "variables": [ + { + "name": "Json Output", + "type": "array" + } + ] + } + }, + "Looping_Through_Sentinel_IPs": { + "foreach": "@body('Entities_-_Get_IPs')?['IPs']", + "actions": { + "Add_comment_to_incident_(V2)_2": { + "runAfter": { + "Checking_If_the_Response_Returned_Data": [ + "Succeeded" + ] + }, + "type": "ApiConnection", + "inputs": { + "body": { + "Value": "HYAS Insight C2 Attribution Enrichment data for the IP Address \"@{items('Looping_Through_Sentinel_IPs')?['Address']}\" : @{variables('Comment')} For detailed information, see https://insight.hyas.com/static/details?ip=@{items('Looping_Through_Sentinel_IPs')?['Address']}" + }, + "host": { + "connection": { + "name": "@parameters('$connections')['azuresentinel']['connectionId']" + } + }, + "method": "put", + "path": "/Comment/@{encodeURIComponent(triggerBody()?['WorkspaceSubscriptionId'])}/@{encodeURIComponent(triggerBody()?['WorkspaceId'])}/@{encodeURIComponent(triggerBody()?['WorkspaceResourceGroup'])}/@{encodeURIComponent('Alert')}/@{encodeURIComponent(triggerBody()?['SystemAlertId'])}" + } + }, + "Checking_If_the_Response_Returned_Data": { + "actions": { + "Assigning_Table_Formatted_Output_to_Incident_Comment_Variable": { + "runAfter": { + "Set_Comment_to_Empty": [ + "Succeeded" + ] + }, + "type": "SetVariable", + "inputs": { + "name": "Comment", + "value": "@body('Create_HTML_table')" + } + }, + "Create_HTML_table": { + "runAfter": { + "For_each": [ + "Succeeded" + ] + }, + "type": "Table", + "inputs": { + "format": "HTML", + "from": "@variables('Json Output')" + } + }, + "For_each": { + "foreach": "@take(body('Retrieve_C2_Attribution_information_for_IP_address'),3)", + "actions": { + "Append_to_array_variable": { + "type": "AppendToArrayVariable", + "inputs": { + "name": "Json Output", + "value": { + "actor_ipv4": "@items('For_each')?['actor_ipv4']", + "c2_domain": "@items('For_each')?['c2_domain']", + "c2_ipv4": "@items('For_each')?['c2_ip']", + "c2_url": "@items('For_each')?['c2_url']", + "datetime": "@items('For_each')?['datetime']", + "email": "@items('For_each')?['email']", + "email_domain": "@items('For_each')?['email_domain']", + "referrer_domain": "@items('For_each')?['referrer_domain']", + "referrer_ipv4": "@items('For_each')?['referrer_ipv4']", + "referrer_url": "@items('For_each')?['referrer_url']", + "sha256": "@items('For_each')?['sha256']" + } + } + } + }, + "type": "Foreach" + }, + "Set_Comment_to_Empty": { + "runAfter": { + "Set_Json_Output_to_Empty": [ + "Succeeded" + ] + }, + "type": "SetVariable", + "inputs": { + "name": "Comment", + "value": " " + } + }, + "Set_Json_Output_to_Empty": { + "runAfter": { + "Create_HTML_table": [ + "Succeeded" + ] + }, + "type": "SetVariable", + "inputs": { + "name": "Json Output" + } + } + }, + "runAfter": { + "Setting_Response_Length_Variable": [ + "Succeeded" + ] + }, + "else": { + "actions": { + "No_Records_Found": { + "type": "SetVariable", + "inputs": { + "name": "Comment", + "value": "No records found in HYAS Insight for the IP Address \"@{items('Looping_Through_Sentinel_IPs')?['Address']}\"." + } + } + } + }, + "expression": { + "and": [ + { + "greater": [ + "@variables('RecordsLength')", + 0 + ] + } + ] + }, + "type": "If" + }, + "Retrieve_C2_Attribution_information_for_IP_address": { + "type": "ApiConnection", + "inputs": { + "body": { + "applied_filters": { + "ip": "@items('Looping_Through_Sentinel_IPs')?['Address']" + } + }, + "host": { + "connection": { + "name": "@parameters('$connections')['hyasinsight']['connectionId']" + } + }, + "method": "post", + "path": "/c2attribution/ip" + } + }, + "Setting_Response_Length_Variable": { + "runAfter": { + "Retrieve_C2_Attribution_information_for_IP_address": [ + "Succeeded" + ] + }, + "type": "SetVariable", + "inputs": { + "name": "RecordsLength", + "value": "@length(body('Retrieve_C2_Attribution_information_for_IP_address'))" + } + } + }, + "runAfter": { + "Sentinel_Incident_Comment_Variable": [ + "Succeeded" + ] + }, + "type": "Foreach", + "runtimeConfiguration": { + "concurrency": { + "repetitions": 1 + } + } + }, + "Response_Length_Variable": { + "runAfter": { + "JSON_Output_Variable": [ + "Succeeded" + ] + }, + "type": "InitializeVariable", + "inputs": { + "variables": [ + { + "name": "RecordsLength", + "type": "integer", + "value": 0 + } + ] + } + }, + "Sentinel_Incident_Comment_Variable": { + "runAfter": { + "Response_Length_Variable": [ + "Succeeded" + ] + }, + "type": "InitializeVariable", + "inputs": { + "variables": [ + { + "name": "Comment", + "type": "string" + } + ] + } + } + } + }, + "parameters": { + "$connections": { + "value": { + "azuresentinel": { + "connectionId": "[resourceId('Microsoft.Web/connections', variables('playbook16-AzureSentinelConnectionName'))]", + "connectionName": "[variables('playbook16-AzureSentinelConnectionName')]", + "id": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', parameters('workspace-location'), '/managedApis/azuresentinel')]", + "connectionProperties": { + "authentication": { + "type": "ManagedServiceIdentity" + } + } + }, + "hyasinsight": { + "connectionId": "[resourceId('Microsoft.Web/connections', variables('playbook16-HYASInsightApiKey'))]", + "connectionName": "[variables('playbook16-HYASInsightApiKey')]", + "id": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', parameters('workspace-location'), '/managedApis/hyasinsight')]" + } + } + } + } + } + }, + { + "type": "Microsoft.Web/connections", + "apiVersion": "2016-06-01", + "name": "[variables('playbook17-AzureSentinelConnectionName')]", + "location": "[parameters('workspace-location')]", + "kind": "V1", + "properties": { + "displayName": "[variables('playbook17-AzureSentinelConnectionName')]", + "parameterValueType": "Alternative", + "api": { + "id": "[variables('_playbook-1-connection-1')]" + } + } + }, + { + "type": "Microsoft.Web/connections", + "apiVersion": "2016-06-01", + "name": "[variables('playbook17-HYASInsightApiKey')]", + "location": "[parameters('workspace-location')]", + "properties": { + "displayName": "[parameters('playbook17-UserName')]", + "api": { + "id": "[variables('_playbook-1-connection-2')]" + } + } + }, + { + "type": "Microsoft.Logic/workflows", + "apiVersion": "2017-07-01", + "name": "[parameters('playbook17-PlaybookName')]", + "location": "[parameters('workspace-location')]", + "identity": { + "type": "SystemAssigned" + }, + "dependsOn": [ + "[resourceId('Microsoft.Web/connections', variables('playbook17-HYASInsightApiKey'))]", + "[resourceId('Microsoft.Web/connections', variables('playbook17-AzureSentinelConnectionName'))]" + ], + "properties": { + "state": "Enabled", + "definition": { + "$schema": "https://schema.@{variables('azureManagementUrl')}/providers/Microsoft.Logic/schemas/2016-06-01/workflowdefinition.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "$connections": { + "type": "Object" + } + }, + "triggers": { + "When_a_response_to_an_Azure_Sentinel_alert_is_triggered": { + "type": "ApiConnectionWebhook", + "inputs": { + "body": { + "callback_url": "@{listCallbackUrl()}" + }, + "host": { + "connection": { + "name": "@parameters('$connections')['azuresentinel']['connectionId']" + } + }, + "path": "/subscribe" + } + } + }, + "actions": { + "Entities_-_Get_FileHashes": { + "type": "ApiConnection", + "inputs": { + "body": "@triggerBody()?['Entities']", + "host": { + "connection": { + "name": "@parameters('$connections')['azuresentinel']['connectionId']" + } + }, + "method": "post", + "path": "/entities/filehash" + } + }, + "Filehash_Variable": { + "runAfter": { + "Sentinel_Incident_Comment_Variable": [ + "Succeeded" + ] + }, + "type": "InitializeVariable", + "inputs": { + "variables": [ + { + "name": "FileHashValue", + "type": "string" + } + ] + } + }, + "JSON_Output_Variable": { + "runAfter": { + "Entities_-_Get_FileHashes": [ + "Succeeded" + ] + }, + "type": "InitializeVariable", + "inputs": { + "variables": [ + { + "name": "Json Output", + "type": "array" + } + ] + } + }, + "Looping_Through_Sentinel_Sha256_values": { + "foreach": "@body('Entities_-_Get_FileHashes')?['Filehashes']", + "actions": { + "Add_comment_to_incident_(V2)_2": { + "runAfter": { + "Checking_If_the_Response_Returned_Data": [ + "Succeeded" + ] + }, + "type": "ApiConnection", + "inputs": { + "body": { + "Value": "HYAS Insight C2 Attribution Enrichment data for the SHA256 \"@{variables('FileHashValue')}\" : @{variables('Comment')} For detailed information, see https://insight.hyas.com/static/details?sha256=@{variables('FileHashValue')}" + }, + "host": { + "connection": { + "name": "@parameters('$connections')['azuresentinel']['connectionId']" + } + }, + "method": "put", + "path": "/Comment/@{encodeURIComponent(triggerBody()?['WorkspaceSubscriptionId'])}/@{encodeURIComponent(triggerBody()?['WorkspaceId'])}/@{encodeURIComponent(triggerBody()?['WorkspaceResourceGroup'])}/@{encodeURIComponent('Alert')}/@{encodeURIComponent(triggerBody()?['SystemAlertId'])}" + } + }, + "Checking_If_the_Response_Returned_Data": { + "actions": { + "Assigning_Table_Formatted_Output_to_Incident_Comment_Variable": { + "runAfter": { + "Set_Comment_Variable_to_empty": [ + "Succeeded" + ] + }, + "type": "SetVariable", + "inputs": { + "name": "Comment", + "value": "@body('Create_HTML_table')" + } + }, + "Create_HTML_table": { + "runAfter": { + "For_each": [ + "Succeeded" + ] + }, + "type": "Table", + "inputs": { + "format": "HTML", + "from": "@variables('Json Output')" + } + }, + "For_each": { + "foreach": "@take(body('Retrieve_C2_Attribution_information_for_SHA256'),3)", + "actions": { + "Append_to_array_variable": { + "type": "AppendToArrayVariable", + "inputs": { + "name": "Json Output", + "value": { + "actor_ipv4": "@items('For_each')?['actor_ipv4']", + "c2_domain": "@items('For_each')?['c2_domain']", + "c2_ipv4": "@items('For_each')?['c2_ip']", + "c2_url": "@items('For_each')?['c2_url']", + "datetime": "@items('For_each')?['datetime']", + "email": "@items('For_each')?['email']", + "email_domain": "@items('For_each')?['email_domain']", + "referrer_domain": "@items('For_each')?['referrer_domain']", + "referrer_ipv4": "@items('For_each')?['referrer_ipv4']", + "referrer_url": "@items('For_each')?['referrer_url']", + "sha256": "@items('For_each')?['sha256']" + } + } + } + }, + "type": "Foreach", + "runtimeConfiguration": { + "concurrency": { + "repetitions": 1 + } + } + }, + "Set_Comment_Variable_to_empty": { + "runAfter": { + "Set_Json_output_to_empty": [ + "Succeeded" + ] + }, + "type": "SetVariable", + "inputs": { + "name": "Comment", + "value": " " + } + }, + "Set_Json_output_to_empty": { + "runAfter": { + "Create_HTML_table": [ + "Succeeded" + ] + }, + "type": "SetVariable", + "inputs": { + "name": "Json Output" + } + } + }, + "runAfter": { + "Setting_Response_Length_Variable": [ + "Succeeded" + ] + }, + "else": { + "actions": { + "No_Records_Found": { + "type": "SetVariable", + "inputs": { + "name": "Comment", + "value": "No records found in HYAS Insight for the SHA256 \"@{items('Looping_Through_Sentinel_Sha256_values')?['Address']}\"." + } + } + } + }, + "expression": { + "and": [ + { + "greater": [ + "@variables('RecordsLength')", + 0 + ] + } + ] + }, + "type": "If" + }, + "Retrieve_C2_Attribution_information_for_SHA256": { + "runAfter": { + "Set_Filehash_Value": [ + "Succeeded" + ] + }, + "type": "ApiConnection", + "inputs": { + "body": { + "applied_filters": { + "sha256": "@variables('FileHashValue')" + } + }, + "host": { + "connection": { + "name": "@parameters('$connections')['hyasinsight']['connectionId']" + } + }, + "method": "post", + "path": "/c2attribution/sha256" + } + }, + "Set_Filehash_Value": { + "type": "SetVariable", + "inputs": { + "name": "FileHashValue", + "value": "@items('Looping_Through_Sentinel_Sha256_values')?['Value']" + } + }, + "Setting_Response_Length_Variable": { + "runAfter": { + "Retrieve_C2_Attribution_information_for_SHA256": [ + "Succeeded" + ] + }, + "type": "SetVariable", + "inputs": { + "name": "RecordsLength", + "value": "@length(body('Retrieve_C2_Attribution_information_for_SHA256'))" + } + } + }, + "runAfter": { + "Filehash_Variable": [ + "Succeeded" + ] + }, + "type": "Foreach", + "runtimeConfiguration": { + "concurrency": { + "repetitions": 1 + } + } + }, + "Response_Length_Variable": { + "runAfter": { + "JSON_Output_Variable": [ + "Succeeded" + ] + }, + "type": "InitializeVariable", + "inputs": { + "variables": [ + { + "name": "RecordsLength", + "type": "integer", + "value": 0 + } + ] + } + }, + "Sentinel_Incident_Comment_Variable": { + "runAfter": { + "Response_Length_Variable": [ + "Succeeded" + ] + }, + "type": "InitializeVariable", + "inputs": { + "variables": [ + { + "name": "Comment", + "type": "string" + } + ] + } + } + } + }, + "parameters": { + "$connections": { + "value": { + "azuresentinel": { + "connectionId": "[resourceId('Microsoft.Web/connections', variables('playbook17-AzureSentinelConnectionName'))]", + "connectionName": "[variables('playbook17-AzureSentinelConnectionName')]", + "id": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', parameters('workspace-location'), '/managedApis/azuresentinel')]", + "connectionProperties": { + "authentication": { + "type": "ManagedServiceIdentity" + } + } + }, + "hyasinsight": { + "connectionId": "[resourceId('Microsoft.Web/connections', variables('playbook17-HYASInsightApiKey'))]", + "connectionName": "[variables('playbook17-HYASInsightApiKey')]", + "id": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', parameters('workspace-location'), '/managedApis/hyasinsight')]" + } + } + } + } + } + }, { "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", "apiVersion": "2021-03-01-preview", "properties": { - "version": "1.1.0", + "version": "1.1.1", "kind": "Solution", "contentId": "[variables('_sourceId')]", "parentId": "[variables('_sourceId')]", @@ -4416,8 +5886,8 @@ "sourceId": "[variables('_sourceId')]" }, "author": { - "name": "Nikhil Tripathi", - "email": "v-ntripathi@microsoft.com" + "name": "Manoj Arimanda", + "email": "v-marimanda@microsoft.com" }, "support": { "name": "HYAS", @@ -4429,68 +5899,88 @@ "criteria": [ { "kind": "Playbook", - "contentId": "[variables('_Enrich-Sentinel-Incident-HYAS-Insight-Domain-Current-WHOIS')]", - "version": "1.1.0" + "contentId": "[variables('_playbook1-Enrich-Sentinel-Incident-HYAS-Insight-Domain-Current-WHOIS')]", + "version": "1.1.1" }, { "kind": "Playbook", - "contentId": "[variables('_Enrich-Sentinel-Incident-HYAS-Insight-Domain-Historic-WHOIS')]", - "version": "1.1.0" + "contentId": "[variables('_playbook2-Enrich-Sentinel-Incident-HYAS-Insight-Domain-Historic-WHOIS')]", + "version": "1.1.1" }, { "kind": "Playbook", - "contentId": "[variables('_Enrich-Sentinel-Incident-HYAS-Insight-Domain-Passive-DNS')]", - "version": "1.1.0" + "contentId": "[variables('_playbook3-Enrich-Sentinel-Incident-HYAS-Insight-Domain-Passive-DNS')]", + "version": "1.1.1" }, { "kind": "Playbook", - "contentId": "[variables('_Enrich-Sentinel-Incident-HYAS-Insight-Email-Dynamic-DNS')]", - "version": "1.1.0" + "contentId": "[variables('_playbook4-Enrich-Sentinel-Incident-HYAS-Insight-Email-Dynamic-DNS')]", + "version": "1.1.1" }, { "kind": "Playbook", - "contentId": "[variables('_Enrich-Sentinel-Incident-HYAS-Insight-Email-Historic-WHOIS')]", - "version": "1.1.0" + "contentId": "[variables('_playbook5-Enrich-Sentinel-Incident-HYAS-Insight-Email-Historic-WHOIS')]", + "version": "1.1.1" }, { "kind": "Playbook", - "contentId": "[variables('_Enrich-Sentinel-Incident-HYAS-Insight-IP-Dynamic-DNS')]", - "version": "1.1.0" + "contentId": "[variables('_playbook6-Enrich-Sentinel-Incident-HYAS-Insight-IP-Dynamic-DNS')]", + "version": "1.1.1" }, { "kind": "Playbook", - "contentId": "[variables('_Enrich-Sentinel-Incident-HYAS-Insight-IP-Passive-DNS')]", - "version": "1.1.0" + "contentId": "[variables('_playbook7-Enrich-Sentinel-Incident-HYAS-Insight-IP-Passive-DNS')]", + "version": "1.1.1" }, { "kind": "Playbook", - "contentId": "[variables('_Enrich-Sentinel-Incident-HYAS-Insight-IP-Passive-Hash')]", - "version": "1.1.0" + "contentId": "[variables('_playbook8-Enrich-Sentinel-Incident-HYAS-Insight-IP-Passive-Hash')]", + "version": "1.1.1" }, { "kind": "Playbook", - "contentId": "[variables('_Enrich-Sentinel-Incident-HYAS-Insight-IP-SSL-Certificate')]", - "version": "1.1.0" + "contentId": "[variables('_playbook9-Enrich-Sentinel-Incident-HYAS-Insight-IP-SSL-Certificate')]", + "version": "1.1.1" }, { "kind": "Playbook", - "contentId": "[variables('_Enrich-Sentinel-Incident-HYAS-Insight-IP-Sinkhole')]", - "version": "1.1.0" + "contentId": "[variables('_playbook10-Enrich-Sentinel-Incident-HYAS-Insight-IP-Sinkhole')]", + "version": "1.1.1" }, { "kind": "Playbook", - "contentId": "[variables('_Enrich-Sentinel-Incident-HYAS-Insight-IPv4-Device-Geo')]", - "version": "1.1.0" + "contentId": "[variables('_playbook11-Enrich-Sentinel-Incident-HYAS-Insight-IPv4-Device-Geo')]", + "version": "1.1.1" }, { "kind": "Playbook", - "contentId": "[variables('_Enrich-Sentinel-Incident-HYAS-Insight-IPv6-Device-Geo')]", - "version": "1.1.0" + "contentId": "[variables('_playbook12-Enrich-Sentinel-Incident-HYAS-Insight-IPv6-Device-Geo')]", + "version": "1.1.1" }, { "kind": "Playbook", - "contentId": "[variables('_Enrich-Sentinel-Incident-HYAS-Insight-Phone-Number-Historic-WHOIS')]", - "version": "1.1.0" + "contentId": "[variables('_playbook13-Enrich-Sentinel-Incident-HYAS-Insight-Phone-Number-Historic-WHOIS')]", + "version": "1.1.1" + }, + { + "kind": "Playbook", + "contentId": "[variables('_playbook14-Enrich-Sentinel-Incident-HYAS-Insight-Domain-C2-Attribution')]", + "version": "1.1.1" + }, + { + "kind": "Playbook", + "contentId": "[variables('_playbook15-Enrich-Sentinel-Incident-HYAS-Insight-Email-C2-Attribution')]", + "version": "1.1.1" + }, + { + "kind": "Playbook", + "contentId": "[variables('_playbook16-Enrich-Sentinel-Incident-HYAS-Insight-IP-C2-Attribution')]", + "version": "1.1.1" + }, + { + "kind": "Playbook", + "contentId": "[variables('_playbook17-Enrich-Sentinel-Incident-HYAS-Insight-SHA256-C2-Attribution')]", + "version": "1.1.1" } ] }, diff --git a/Solutions/HYAS/Playbooks/Enrich-Sentinel-Incident-HYAS-Insight-Domain-C2-Attribution/azuredeploy.json b/Solutions/HYAS/Playbooks/Enrich-Sentinel-Incident-HYAS-Insight-Domain-C2-Attribution/azuredeploy.json new file mode 100644 index 0000000000..4e80a037a8 --- /dev/null +++ b/Solutions/HYAS/Playbooks/Enrich-Sentinel-Incident-HYAS-Insight-Domain-C2-Attribution/azuredeploy.json @@ -0,0 +1,359 @@ +{ + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "metadata": { + "comments": "This playbook uses the HYAS Insight connector to automatically enrich incidents generated by Sentinel with C2 Attribution information. You need a valid subscription in order to use the connector and playbook. Learn more about the integration via the https://docs.microsoft.com/connectors/hyasinsight/ or visit https://www.hyas.com/contact to request a trial key.", + "author": "Paul van Gool, HYAS Infosec" + }, + "parameters": { + "PlaybookName": { + "defaultValue": "Enrich-Sentinel-Incident-HYAS-Insight-Domain-C2-Attribution", + "type": "string" + }, + "UserName": { + "defaultValue": "@", + "type": "string" + } + }, + "variables": { + "HYASInsightApiKey": "[concat('hyasinsight-', parameters('PlaybookName'))]", + "AzureSentinelConnectionName": "[concat('azuresentinel-', parameters('PlaybookName'))]" + }, + "resources": [ + { + "type": "Microsoft.Web/connections", + "apiVersion": "2016-06-01", + "name": "[variables('AzureSentinelConnectionName')]", + "location": "[resourceGroup().location]", + "kind": "V1", + "properties": { + "displayName": "[variables('AzureSentinelConnectionName')]", + "customParameterValues": {}, + "parameterValueType": "Alternative", + "api": { + "id": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', resourceGroup().location, '/managedApis/azuresentinel')]" + } + } + }, + { + "type": "Microsoft.Web/connections", + "apiVersion": "2016-06-01", + "name": "[variables('HYASInsightApiKey')]", + "location": "[resourceGroup().location]", + "properties": { + "displayName": "[parameters('UserName')]", + "customParameterValues": {}, + "api": { + "id": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', resourceGroup().location, '/managedApis/hyasinsight')]" + } + } + }, + { + "type": "Microsoft.Logic/workflows", + "apiVersion": "2017-07-01", + "name": "[parameters('PlaybookName')]", + "location": "[resourceGroup().location]", + "identity": { + "type": "SystemAssigned" + }, + "dependsOn": [ + "[resourceId('Microsoft.Web/connections', variables('HYASInsightApiKey'))]", + "[resourceId('Microsoft.Web/connections', variables('AzureSentinelConnectionName'))]" + ], + "properties": { + "state": "Enabled", + "definition": { + "$schema": "https://schema.management.azure.com/providers/Microsoft.Logic/schemas/2016-06-01/workflowdefinition.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "$connections": { + "defaultValue": {}, + "type": "Object" + } + }, + "triggers": { + "When_a_response_to_an_Azure_Sentinel_alert_is_triggered": { + "type": "ApiConnectionWebhook", + "inputs": { + "body": { + "callback_url": "@{listCallbackUrl()}" + }, + "host": { + "connection": { + "name": "@parameters('$connections')['azuresentinel']['connectionId']" + } + }, + "path": "/subscribe" + } + } + }, + "actions": { + "Entities_-_Get_Hosts": { + "runAfter": {}, + "type": "ApiConnection", + "inputs": { + "body": "@triggerBody()?['Entities']", + "host": { + "connection": { + "name": "@parameters('$connections')['azuresentinel']['connectionId']" + } + }, + "method": "post", + "path": "/entities/host" + } + }, + "JSON_Output_Variable": { + "runAfter": { + "Entities_-_Get_Hosts": [ + "Succeeded" + ] + }, + "type": "InitializeVariable", + "inputs": { + "variables": [ + { + "name": "Json Output", + "type": "array" + } + ] + } + }, + "Looping_through_Hosts_Object": { + "foreach": "@body('Entities_-_Get_Hosts')?['Hosts']", + "actions": { + "Add_comment_to_incident_(V2)_2": { + "runAfter": { + "Checking_If_the_Response_Returned_Data": [ + "Succeeded" + ] + }, + "type": "ApiConnection", + "inputs": { + "body": { + "Value": "HYAS Insight C2 Attribution Enrichment data for the Domain \"@{items('Looping_through_Hosts_Object')?['HostName']}.@{items('Looping_through_Hosts_Object')?['DnsDomain']}\" : \n\n@{variables('Comment')}\n\nFor detailed information, see https://insight.hyas.com/static/details?domain=@{items('Looping_through_Hosts_Object')?['HostName']}.@{items('Looping_through_Hosts_Object')?['DnsDomain']}" + }, + "host": { + "connection": { + "name": "@parameters('$connections')['azuresentinel']['connectionId']" + } + }, + "method": "put", + "path": "/Comment/@{encodeURIComponent(triggerBody()?['WorkspaceSubscriptionId'])}/@{encodeURIComponent(triggerBody()?['WorkspaceId'])}/@{encodeURIComponent(triggerBody()?['WorkspaceResourceGroup'])}/@{encodeURIComponent('Alert')}/@{encodeURIComponent(triggerBody()?['SystemAlertId'])}" + } + }, + "Checking_If_the_Response_Returned_Data": { + "actions": { + "Assigning_Table_Formatted_Output_to_Incident_Comment_Variable": { + "runAfter": { + "Set_Comment_Variable_to_Empty": [ + "Succeeded" + ] + }, + "type": "SetVariable", + "inputs": { + "name": "Comment", + "value": "@body('Create_HTML_table')" + } + }, + "Create_HTML_table": { + "runAfter": { + "For_each": [ + "Succeeded" + ] + }, + "type": "Table", + "inputs": { + "format": "HTML", + "from": "@variables('Json Output')" + } + }, + "For_each": { + "foreach": "@take(body('Retrieve_C2_Attribution_information_for_Domain'),3)", + "actions": { + "Append_to_array_variable": { + "runAfter": {}, + "type": "AppendToArrayVariable", + "inputs": { + "name": "Json Output", + "value": { + "actor_ipv4": "@items('For_each')?['actor_ipv4']", + "c2_domain": "@items('For_each')?['c2_domain']", + "c2_ipv4": "@items('For_each')?['c2_ip']", + "c2_url": "@items('For_each')?['c2_url']", + "datetime": "@items('For_each')?['datetime']", + "email": "@items('For_each')?['email']", + "email_domain": "@items('For_each')?['email_domain']", + "referrer_domain": "@items('For_each')?['referrer_domain']", + "referrer_ipv4": "@items('For_each')?['referrer_ipv4']", + "referrer_url": "@items('For_each')?['referrer_url']", + "sha256": "@items('For_each')?['sha256']" + } + } + } + }, + "runAfter": {}, + "type": "Foreach", + "runtimeConfiguration": { + "concurrency": { + "repetitions": 1 + } + } + }, + "Set_Comment_Variable_to_Empty": { + "runAfter": { + "Set_Json_Output_to_Empty": [ + "Succeeded" + ] + }, + "type": "SetVariable", + "inputs": { + "name": "Comment", + "value": " " + } + }, + "Set_Json_Output_to_Empty": { + "runAfter": { + "Create_HTML_table": [ + "Succeeded" + ] + }, + "type": "SetVariable", + "inputs": { + "name": "Json Output", + "value": [] + } + } + }, + "runAfter": { + "Setting_the_Response_Length_Variable": [ + "Succeeded" + ] + }, + "else": { + "actions": { + "No_Records_Found": { + "runAfter": {}, + "type": "SetVariable", + "inputs": { + "name": "Comment", + "value": "No records found in HYAS Insight for the Domain \"@{items('Looping_through_Hosts_Object')?['HostName']}.@{items('Looping_through_Hosts_Object')?['DnsDomain']}\"" + } + } + } + }, + "expression": { + "and": [ + { + "greater": [ + "@variables('RecordsLength')", + 0 + ] + } + ] + }, + "type": "If" + }, + "Retrieve_C2_Attribution_information_for_Domain": { + "runAfter": {}, + "type": "ApiConnection", + "inputs": { + "body": { + "applied_filters": { + "domain": "@{items('Looping_through_Hosts_Object')?['HostName']}.@{items('Looping_through_Hosts_Object')?['DnsDomain']}" + } + }, + "host": { + "connection": { + "name": "@parameters('$connections')['hyasinsight']['connectionId']" + } + }, + "method": "post", + "path": "/c2attribution/domain" + } + }, + "Setting_the_Response_Length_Variable": { + "runAfter": { + "Retrieve_C2_Attribution_information_for_Domain": [ + "Succeeded" + ] + }, + "type": "SetVariable", + "inputs": { + "name": "RecordsLength", + "value": "@length(body('Retrieve_C2_Attribution_information_for_Domain'))" + } + } + }, + "runAfter": { + "Sentinel_Incident_Comment_Variable": [ + "Succeeded" + ] + }, + "type": "Foreach", + "runtimeConfiguration": { + "concurrency": { + "repetitions": 1 + } + } + }, + "Response_Length_Variable": { + "runAfter": { + "JSON_Output_Variable": [ + "Succeeded" + ] + }, + "type": "InitializeVariable", + "inputs": { + "variables": [ + { + "name": "RecordsLength", + "type": "integer", + "value": 0 + } + ] + } + }, + "Sentinel_Incident_Comment_Variable": { + "runAfter": { + "Response_Length_Variable": [ + "Succeeded" + ] + }, + "type": "InitializeVariable", + "inputs": { + "variables": [ + { + "name": "Comment", + "type": "string" + } + ] + } + } + }, + "outputs": {} + }, + "parameters": { + "$connections": { + "value": { + "azuresentinel": { + "connectionId": "[resourceId('Microsoft.Web/connections', variables('AzureSentinelConnectionName'))]", + "connectionName": "[variables('AzureSentinelConnectionName')]", + "id": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', resourceGroup().location, '/managedApis/azuresentinel')]", + "connectionProperties": { + "authentication": { + "type": "ManagedServiceIdentity" + } + } + }, + "hyasinsight": { + "connectionId": "[resourceId('Microsoft.Web/connections', variables('HYASInsightApiKey'))]", + "connectionName": "[variables('HYASInsightApiKey')]", + "id": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', resourceGroup().location, '/managedApis/hyasinsight')]" + } + } + } + } + } + } + ] +} diff --git a/Solutions/HYAS/Playbooks/Enrich-Sentinel-Incident-HYAS-Insight-Domain-C2-Attribution/readme.md b/Solutions/HYAS/Playbooks/Enrich-Sentinel-Incident-HYAS-Insight-Domain-C2-Attribution/readme.md new file mode 100644 index 0000000000..a3f43f82e6 --- /dev/null +++ b/Solutions/HYAS/Playbooks/Enrich-Sentinel-Incident-HYAS-Insight-Domain-C2-Attribution/readme.md @@ -0,0 +1,11 @@ +# Enrich-Sentinel-Incident-HYAS-Insight-Domain-C2-Attribution +author: Paul van Gool, HYAS Infosec + +This playbook uses the HYAS Insight connector to automatically enrich incidents generated by Sentinel with C2 Attribution information. You need a valid subscription in order to use the connector and playbook. Learn more about the integration via the [connector documentation](https://docs.microsoft.com/connectors/hyasinsight/) or visit [HYAS Insight](https://www.hyas.com/contact) to request a trial key. + + +## Links to deploy the Enrich-Sentinel-Incident-HYAS-Insight-Domain-C2-Attribution playbook template: + +[![Deploy to Azure](https://aka.ms/deploytoazurebutton)](https://portal.azure.com/#create/Microsoft.Template/uri/https%3A%2F%2Fraw.githubusercontent.com%2FAzure%2FAzure-Sentinel%2Fmaster%2FSolutions%2FHYAS%2FPlaybooks%2FEnrich-Sentinel-Incident-HYAS-Insight-Domain-C2-Attribution%2Fazuredeploy.json) + +[![Deploy to Azure Gov](https://aka.ms/deploytoazuregovbutton)](https://portal.azure.us/#create/Microsoft.Template/uri/https%3A%2F%2Fraw.githubusercontent.com%2FAzure%2FAzure-Sentinel%2Fmaster%2FSolutions%2FHYAS%2FPlaybooks%2FEnrich-Sentinel-Incident-HYAS-Insight-Domain-C2-Attribution%2Fazuredeploy.json) diff --git a/Solutions/HYAS/Playbooks/Enrich-Sentinel-Incident-HYAS-Insight-Email-C2-Attribution/azuredeploy.json b/Solutions/HYAS/Playbooks/Enrich-Sentinel-Incident-HYAS-Insight-Email-C2-Attribution/azuredeploy.json new file mode 100644 index 0000000000..308eda4728 --- /dev/null +++ b/Solutions/HYAS/Playbooks/Enrich-Sentinel-Incident-HYAS-Insight-Email-C2-Attribution/azuredeploy.json @@ -0,0 +1,427 @@ +{ + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "metadata": { + "comments": "This playbook uses the HYAS Insight connector to automatically enrich incidents generated by Sentinel with C2 Attribution information. You need a valid subscription in order to use the connector and playbook. Learn more about the integration via the https://docs.microsoft.com/connectors/hyasinsight/ or visit https://www.hyas.com/contact to request a trial key.", + "author": "Paul van Gool, HYAS Infosec" + }, + "parameters": { + "PlaybookName": { + "defaultValue": "Enrich-Sentinel-Incident-HYAS-Insight-Email-C2-Attribution", + "type": "string" + }, + "UserName": { + "defaultValue": "@", + "type": "string" + } + }, + "variables": { + "HYASInsightApiKey": "[concat('hyasinsight-', parameters('PlaybookName'))]", + "AzureSentinelConnectionName": "[concat('azuresentinel-', parameters('PlaybookName'))]" + }, + "resources": [ + { + "type": "Microsoft.Web/connections", + "apiVersion": "2016-06-01", + "name": "[variables('AzureSentinelConnectionName')]", + "location": "[resourceGroup().location]", + "kind": "V1", + "properties": { + "displayName": "[variables('AzureSentinelConnectionName')]", + "customParameterValues": {}, + "parameterValueType": "Alternative", + "api": { + "id": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', resourceGroup().location, '/managedApis/azuresentinel')]" + } + } + }, + { + "type": "Microsoft.Web/connections", + "apiVersion": "2016-06-01", + "name": "[variables('HYASInsightApiKey')]", + "location": "[resourceGroup().location]", + "properties": { + "displayName": "[parameters('UserName')]", + "customParameterValues": {}, + "api": { + "id": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', resourceGroup().location, '/managedApis/hyasinsight')]" + } + } + }, + { + "type": "Microsoft.Logic/workflows", + "apiVersion": "2017-07-01", + "name": "[parameters('PlaybookName')]", + "location": "[resourceGroup().location]", + "identity": { + "type": "SystemAssigned" + }, + "dependsOn": [ + "[resourceId('Microsoft.Web/connections', variables('HYASInsightApiKey'))]", + "[resourceId('Microsoft.Web/connections', variables('AzureSentinelConnectionName'))]" + ], + "properties": { + "state": "Enabled", + "definition": { + "$schema": "https://schema.management.azure.com/providers/Microsoft.Logic/schemas/2016-06-01/workflowdefinition.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "$connections": { + "defaultValue": {}, + "type": "Object" + } + }, + "triggers": { + "When_a_response_to_an_Azure_Sentinel_alert_is_triggered": { + "type": "ApiConnectionWebhook", + "inputs": { + "body": { + "callback_url": "@{listCallbackUrl()}" + }, + "host": { + "connection": { + "name": "@parameters('$connections')['azuresentinel']['connectionId']" + } + }, + "path": "/subscribe" + } + } + }, + "actions": { + "Account_Name_Variable": { + "runAfter": { + "Sentinel_Incident_Comment_Variable": [ + "Succeeded" + ] + }, + "type": "InitializeVariable", + "inputs": { + "variables": [ + { + "name": "Email1", + "type": "string" + } + ] + } + }, + "Account_UPN_Suffix_Variable": { + "runAfter": { + "Account_Name_Variable": [ + "Succeeded" + ] + }, + "type": "InitializeVariable", + "inputs": { + "variables": [ + { + "name": "Email2", + "type": "string" + } + ] + } + }, + "Email_Connector_Variable": { + "runAfter": { + "Account_UPN_Suffix_Variable": [ + "Succeeded" + ] + }, + "type": "InitializeVariable", + "inputs": { + "variables": [ + { + "name": "Connector", + "type": "string", + "value": "@" + } + ] + } + }, + "Entities_-_Get_Accounts": { + "runAfter": {}, + "type": "ApiConnection", + "inputs": { + "body": "@triggerBody()?['Entities']", + "host": { + "connection": { + "name": "@parameters('$connections')['azuresentinel']['connectionId']" + } + }, + "method": "post", + "path": "/entities/account" + } + }, + "JSON_Output_Variable": { + "runAfter": { + "Entities_-_Get_Accounts": [ + "Succeeded" + ] + }, + "type": "InitializeVariable", + "inputs": { + "variables": [ + { + "name": "Json Output", + "type": "array" + } + ] + } + }, + "Looping_Through_Account_Object_for_Accounts_Name": { + "foreach": "@body('Entities_-_Get_Accounts')?['Accounts']", + "actions": { + "Add_comment_to_incident_(V2)_2": { + "runAfter": { + "Checking_If_the_Response_Returned_Data": [ + "Succeeded" + ] + }, + "type": "ApiConnection", + "inputs": { + "body": { + "Value": "HYAS Insight C2 Attribution Enrichment data the Email Address\"@{concat(variables('Email1'),variables('Connector'),variables('Email2'))}\" :\n\n@{variables('Comment')}\n\nFor detailed information, see https://insight.hyas.com/static/details?email=@{concat(variables('Email1'),variables('Connector'),variables('Email2'))}" + }, + "host": { + "connection": { + "name": "@parameters('$connections')['azuresentinel']['connectionId']" + } + }, + "method": "put", + "path": "/Comment/@{encodeURIComponent(triggerBody()?['WorkspaceSubscriptionId'])}/@{encodeURIComponent(triggerBody()?['WorkspaceId'])}/@{encodeURIComponent(triggerBody()?['WorkspaceResourceGroup'])}/@{encodeURIComponent('Alert')}/@{encodeURIComponent(triggerBody()?['SystemAlertId'])}" + } + }, + "Checking_If_the_Response_Returned_Data": { + "actions": { + "Assigning_Table_Formatted_Output_to_Incident_Comment_Variable": { + "runAfter": { + "Set_Comment_to_Empty": [ + "Succeeded" + ] + }, + "type": "SetVariable", + "inputs": { + "name": "Comment", + "value": "@body('Create_HTML_table')" + } + }, + "Create_HTML_table": { + "runAfter": { + "For_each": [ + "Succeeded" + ] + }, + "type": "Table", + "inputs": { + "format": "HTML", + "from": "@variables('Json Output')" + } + }, + "For_each": { + "foreach": "@take(body('Retrieve_C2_Attribution_information_for_Email_address'),3)", + "actions": { + "Append_to_array_variable": { + "runAfter": {}, + "type": "AppendToArrayVariable", + "inputs": { + "name": "Json Output", + "value": { + "actor_ipv4": "@items('For_each')?['actor_ipv4']", + "c2_domain": "@items('For_each')?['c2_domain']", + "c2_ipv4": "@items('For_each')?['c2_ip']", + "c2_url": "@items('For_each')?['c2_url']", + "datetime": "@items('For_each')?['datetime']", + "email": "@items('For_each')?['email']", + "email_domain": "@items('For_each')?['email_domain']", + "referrer_domain": "@items('For_each')?['referrer_domain']", + "referrer_ipv4": "@items('For_each')?['referrer_ipv4']", + "referrer_url": "@items('For_each')?['referrer_url']", + "sha256": "@items('For_each')?['sha256']" + } + } + } + }, + "runAfter": {}, + "type": "Foreach" + }, + "Set_Comment_to_Empty": { + "runAfter": { + "Set_JSON_Output_to_Empty": [ + "Succeeded" + ] + }, + "type": "SetVariable", + "inputs": { + "name": "Comment", + "value": " " + } + }, + "Set_JSON_Output_to_Empty": { + "runAfter": { + "Create_HTML_table": [ + "Succeeded" + ] + }, + "type": "SetVariable", + "inputs": { + "name": "Json Output", + "value": [] + } + } + }, + "runAfter": { + "Setting_Response_Length_Variable": [ + "Succeeded" + ] + }, + "else": { + "actions": { + "No_Records_Found": { + "runAfter": {}, + "type": "SetVariable", + "inputs": { + "name": "Comment", + "value": "No records found in HYAS Insight for the Email Address \"@{concat(variables('Email1'),variables('Connector'),variables('Email2'))}\"." + } + } + } + }, + "expression": { + "and": [ + { + "greater": [ + "@variables('RecordsLength')", + 0 + ] + } + ] + }, + "type": "If" + }, + "Retrieve_C2_Attribution_information_for_Email_address": { + "runAfter": { + "Setting_Accounts_UPN_suffix_variable": [ + "Succeeded" + ] + }, + "type": "ApiConnection", + "inputs": { + "body": { + "applied_filters": { + "email": "@{concat(variables('Email1'),variables('Connector'),variables('Email2'))}" + } + }, + "host": { + "connection": { + "name": "@parameters('$connections')['hyasinsight']['connectionId']" + } + }, + "method": "post", + "path": "/c2attribution/email" + } + }, + "Setting_Accounts_Name_Variable": { + "runAfter": {}, + "type": "SetVariable", + "inputs": { + "name": "Email1", + "value": "@items('Looping_Through_Account_Object_for_Accounts_Name')?['Name']" + } + }, + "Setting_Accounts_UPN_suffix_variable": { + "runAfter": { + "Setting_Accounts_Name_Variable": [ + "Succeeded" + ] + }, + "type": "SetVariable", + "inputs": { + "name": "Email2", + "value": "@items('Looping_Through_Account_Object_for_Accounts_Name')?['UPNSuffix']" + } + }, + "Setting_Response_Length_Variable": { + "runAfter": { + "Retrieve_C2_Attribution_information_for_Email_address": [ + "Succeeded" + ] + }, + "type": "SetVariable", + "inputs": { + "name": "RecordsLength", + "value": "@length(body('Retrieve_C2_Attribution_information_for_Email_address'))" + } + } + }, + "runAfter": { + "Email_Connector_Variable": [ + "Succeeded" + ] + }, + "type": "Foreach", + "runtimeConfiguration": { + "concurrency": { + "repetitions": 1 + } + } + }, + "Response_Length_Variable": { + "runAfter": { + "JSON_Output_Variable": [ + "Succeeded" + ] + }, + "type": "InitializeVariable", + "inputs": { + "variables": [ + { + "name": "RecordsLength", + "type": "integer", + "value": 0 + } + ] + } + }, + "Sentinel_Incident_Comment_Variable": { + "runAfter": { + "Response_Length_Variable": [ + "Succeeded" + ] + }, + "type": "InitializeVariable", + "inputs": { + "variables": [ + { + "name": "Comment", + "type": "string" + } + ] + } + } + }, + "outputs": {} + }, + "parameters": { + "$connections": { + "value": { + "azuresentinel": { + "connectionId": "[resourceId('Microsoft.Web/connections', variables('AzureSentinelConnectionName'))]", + "connectionName": "[variables('AzureSentinelConnectionName')]", + "id": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', resourceGroup().location, '/managedApis/azuresentinel')]", + "connectionProperties": { + "authentication": { + "type": "ManagedServiceIdentity" + } + } + }, + "hyasinsight": { + "connectionId": "[resourceId('Microsoft.Web/connections', variables('HYASInsightApiKey'))]", + "connectionName": "[variables('HYASInsightApiKey')]", + "id": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', resourceGroup().location, '/managedApis/hyasinsight')]" + } + } + } + } + } + } + ] +} diff --git a/Solutions/HYAS/Playbooks/Enrich-Sentinel-Incident-HYAS-Insight-Email-C2-Attribution/readme.md b/Solutions/HYAS/Playbooks/Enrich-Sentinel-Incident-HYAS-Insight-Email-C2-Attribution/readme.md new file mode 100644 index 0000000000..bb8f752013 --- /dev/null +++ b/Solutions/HYAS/Playbooks/Enrich-Sentinel-Incident-HYAS-Insight-Email-C2-Attribution/readme.md @@ -0,0 +1,11 @@ +# Enrich-Sentinel-Incident-HYAS-Insight-Email-C2-Attribution +author: Paul van Gool, HYAS Infosec + +This playbook uses the HYAS Insight connector to automatically enrich incidents generated by Sentinel with C2 Attribution information. You need a valid subscription in order to use the connector and playbook. Learn more about the integration via the [connector documentation](https://docs.microsoft.com/connectors/hyasinsight/) or visit [HYAS Insight](https://www.hyas.com/contact) to request a trial key. + + +## Links to deploy the Enrich-Sentinel-Incident-HYAS-Insight-Email-C2-Attribution playbook template: + +[![Deploy to Azure](https://aka.ms/deploytoazurebutton)](https://portal.azure.com/#create/Microsoft.Template/uri/https%3A%2F%2Fraw.githubusercontent.com%2FAzure%2FAzure-Sentinel%2Fmaster%2FSolutions%2FHYAS%2FPlaybooks%2FEnrich-Sentinel-Incident-HYAS-Insight-Email-C2-Attribution%2Fazuredeploy.json) + +[![Deploy to Azure Gov](https://aka.ms/deploytoazuregovbutton)](https://portal.azure.us/#create/Microsoft.Template/uri/https%3A%2F%2Fraw.githubusercontent.com%2FAzure%2FAzure-Sentinel%2Fmaster%2FSolutions%2FHYAS%2FPlaybooks%2FEnrich-Sentinel-Incident-HYAS-Insight-Email-C2-Attribution%2Fazuredeploy.json) diff --git a/Solutions/HYAS/Playbooks/Enrich-Sentinel-Incident-HYAS-Insight-IP-C2-Attribution/azuredeploy.json b/Solutions/HYAS/Playbooks/Enrich-Sentinel-Incident-HYAS-Insight-IP-C2-Attribution/azuredeploy.json new file mode 100644 index 0000000000..a0fdbc34f7 --- /dev/null +++ b/Solutions/HYAS/Playbooks/Enrich-Sentinel-Incident-HYAS-Insight-IP-C2-Attribution/azuredeploy.json @@ -0,0 +1,354 @@ +{ + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "metadata": { + "comments": "This playbook uses the HYAS Insight connector to automatically enrich incidents generated by Sentinel with C2 Attribution information. You need a valid subscription in order to use the connector and playbook. Learn more about the integration via the https://docs.microsoft.com/connectors/hyasinsight/ or visit https://www.hyas.com/contact to request a trial key.", + "author": "Paul van Gool, HYAS Infosec" + }, + "parameters": { + "PlaybookName": { + "defaultValue": "Enrich-Sentinel-Incident-HYAS-Insight-IP-C2-Attribution", + "type": "string" + }, + "UserName": { + "defaultValue": "@", + "type": "string" + } + }, + "variables": { + "HYASInsightApiKey": "[concat('hyasinsight-', parameters('PlaybookName'))]", + "AzureSentinelConnectionName": "[concat('azuresentinel-', parameters('PlaybookName'))]" + }, + "resources": [ + { + "type": "Microsoft.Web/connections", + "apiVersion": "2016-06-01", + "name": "[variables('AzureSentinelConnectionName')]", + "location": "[resourceGroup().location]", + "kind": "V1", + "properties": { + "displayName": "[variables('AzureSentinelConnectionName')]", + "customParameterValues": {}, + "parameterValueType": "Alternative", + "api": { + "id": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', resourceGroup().location, '/managedApis/azuresentinel')]" + } + } + }, + { + "type": "Microsoft.Web/connections", + "apiVersion": "2016-06-01", + "name": "[variables('HYASInsightApiKey')]", + "location": "[resourceGroup().location]", + "properties": { + "displayName": "[parameters('UserName')]", + "customParameterValues": {}, + "api": { + "id": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', resourceGroup().location, '/managedApis/hyasinsight')]" + } + } + }, + { + "type": "Microsoft.Logic/workflows", + "apiVersion": "2017-07-01", + "name": "[parameters('PlaybookName')]", + "location": "[resourceGroup().location]", + "identity": { + "type": "SystemAssigned" + }, + "dependsOn": [ + "[resourceId('Microsoft.Web/connections', variables('HYASInsightApiKey'))]", + "[resourceId('Microsoft.Web/connections', variables('AzureSentinelConnectionName'))]" + ], + "properties": { + "state": "Enabled", + "definition": { + "$schema": "https://schema.management.azure.com/providers/Microsoft.Logic/schemas/2016-06-01/workflowdefinition.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "$connections": { + "defaultValue": {}, + "type": "Object" + } + }, + "triggers": { + "When_a_response_to_an_Azure_Sentinel_alert_is_triggered": { + "type": "ApiConnectionWebhook", + "inputs": { + "body": { + "callback_url": "@{listCallbackUrl()}" + }, + "host": { + "connection": { + "name": "@parameters('$connections')['azuresentinel']['connectionId']" + } + }, + "path": "/subscribe" + } + } + }, + "actions": { + "Entities_-_Get_IPs": { + "runAfter": {}, + "type": "ApiConnection", + "inputs": { + "body": "@triggerBody()?['Entities']", + "host": { + "connection": { + "name": "@parameters('$connections')['azuresentinel']['connectionId']" + } + }, + "method": "post", + "path": "/entities/ip" + } + }, + "JSON_Output_Variable": { + "runAfter": { + "Entities_-_Get_IPs": [ + "Succeeded" + ] + }, + "type": "InitializeVariable", + "inputs": { + "variables": [ + { + "name": "Json Output", + "type": "array" + } + ] + } + }, + "Looping_Through_Sentinel_IPs": { + "foreach": "@body('Entities_-_Get_IPs')?['IPs']", + "actions": { + "Add_comment_to_incident_(V2)_2": { + "runAfter": { + "Checking_If_the_Response_Returned_Data": [ + "Succeeded" + ] + }, + "type": "ApiConnection", + "inputs": { + "body": { + "Value": "HYAS Insight C2 Attribution Enrichment data for the IP Address\n \"@{items('Looping_Through_Sentinel_IPs')?['Address']}\" :\n \n@{variables('Comment')}\n\nFor detailed information, see https://insight.hyas.com/static/details?ip=@{items('Looping_Through_Sentinel_IPs')?['Address']}" + }, + "host": { + "connection": { + "name": "@parameters('$connections')['azuresentinel']['connectionId']" + } + }, + "method": "put", + "path": "/Comment/@{encodeURIComponent(triggerBody()?['WorkspaceSubscriptionId'])}/@{encodeURIComponent(triggerBody()?['WorkspaceId'])}/@{encodeURIComponent(triggerBody()?['WorkspaceResourceGroup'])}/@{encodeURIComponent('Alert')}/@{encodeURIComponent(triggerBody()?['SystemAlertId'])}" + } + }, + "Checking_If_the_Response_Returned_Data": { + "actions": { + "Assigning_Table_Formatted_Output_to_Incident_Comment_Variable": { + "runAfter": { + "Set_Comment_to_Empty": [ + "Succeeded" + ] + }, + "type": "SetVariable", + "inputs": { + "name": "Comment", + "value": "@body('Create_HTML_table')" + } + }, + "Create_HTML_table": { + "runAfter": { + "For_each": [ + "Succeeded" + ] + }, + "type": "Table", + "inputs": { + "format": "HTML", + "from": "@variables('Json Output')" + } + }, + "For_each": { + "foreach": "@take(body('Retrieve_C2_Attribution_information_for_IP_address'),3)", + "actions": { + "Append_to_array_variable": { + "runAfter": {}, + "type": "AppendToArrayVariable", + "inputs": { + "name": "Json Output", + "value": { + "actor_ipv4": "@items('For_each')?['actor_ipv4']", + "c2_domain": "@items('For_each')?['c2_domain']", + "c2_ipv4": "@items('For_each')?['c2_ip']", + "c2_url": "@items('For_each')?['c2_url']", + "datetime": "@items('For_each')?['datetime']", + "email": "@items('For_each')?['email']", + "email_domain": "@items('For_each')?['email_domain']", + "referrer_domain": "@items('For_each')?['referrer_domain']", + "referrer_ipv4": "@items('For_each')?['referrer_ipv4']", + "referrer_url": "@items('For_each')?['referrer_url']", + "sha256": "@items('For_each')?['sha256']" + } + } + } + }, + "runAfter": {}, + "type": "Foreach" + }, + "Set_Comment_to_Empty": { + "runAfter": { + "Set_Json_Output_to_Empty": [ + "Succeeded" + ] + }, + "type": "SetVariable", + "inputs": { + "name": "Comment", + "value": " " + } + }, + "Set_Json_Output_to_Empty": { + "runAfter": { + "Create_HTML_table": [ + "Succeeded" + ] + }, + "type": "SetVariable", + "inputs": { + "name": "Json Output", + "value": [] + } + } + }, + "runAfter": { + "Setting_Response_Length_Variable": [ + "Succeeded" + ] + }, + "else": { + "actions": { + "No_Records_Found": { + "runAfter": {}, + "type": "SetVariable", + "inputs": { + "name": "Comment", + "value": "No records found in HYAS Insight for the IP Address \"@{items('Looping_Through_Sentinel_IPs')?['Address']}\"." + } + } + } + }, + "expression": { + "and": [ + { + "greater": [ + "@variables('RecordsLength')", + 0 + ] + } + ] + }, + "type": "If" + }, + "Retrieve_C2_Attribution_information_for_IP_address": { + "runAfter": {}, + "type": "ApiConnection", + "inputs": { + "body": { + "applied_filters": { + "ip": "@items('Looping_Through_Sentinel_IPs')?['Address']" + } + }, + "host": { + "connection": { + "name": "@parameters('$connections')['hyasinsight']['connectionId']" + } + }, + "method": "post", + "path": "/c2attribution/ip" + } + }, + "Setting_Response_Length_Variable": { + "runAfter": { + "Retrieve_C2_Attribution_information_for_IP_address": [ + "Succeeded" + ] + }, + "type": "SetVariable", + "inputs": { + "name": "RecordsLength", + "value": "@length(body('Retrieve_C2_Attribution_information_for_IP_address'))" + } + } + }, + "runAfter": { + "Sentinel_Incident_Comment_Variable": [ + "Succeeded" + ] + }, + "type": "Foreach", + "runtimeConfiguration": { + "concurrency": { + "repetitions": 1 + } + } + }, + "Response_Length_Variable": { + "runAfter": { + "JSON_Output_Variable": [ + "Succeeded" + ] + }, + "type": "InitializeVariable", + "inputs": { + "variables": [ + { + "name": "RecordsLength", + "type": "integer", + "value": 0 + } + ] + } + }, + "Sentinel_Incident_Comment_Variable": { + "runAfter": { + "Response_Length_Variable": [ + "Succeeded" + ] + }, + "type": "InitializeVariable", + "inputs": { + "variables": [ + { + "name": "Comment", + "type": "string" + } + ] + } + } + }, + "outputs": {} + }, + "parameters": { + "$connections": { + "value": { + "azuresentinel": { + "connectionId": "[resourceId('Microsoft.Web/connections', variables('AzureSentinelConnectionName'))]", + "connectionName": "[variables('AzureSentinelConnectionName')]", + "id": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', resourceGroup().location, '/managedApis/azuresentinel')]", + "connectionProperties": { + "authentication": { + "type": "ManagedServiceIdentity" + } + } + }, + "hyasinsight": { + "connectionId": "[resourceId('Microsoft.Web/connections', variables('HYASInsightApiKey'))]", + "connectionName": "[variables('HYASInsightApiKey')]", + "id": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', resourceGroup().location, '/managedApis/hyasinsight')]" + } + } + } + } + } + } + ] +} diff --git a/Solutions/HYAS/Playbooks/Enrich-Sentinel-Incident-HYAS-Insight-IP-C2-Attribution/readme.md b/Solutions/HYAS/Playbooks/Enrich-Sentinel-Incident-HYAS-Insight-IP-C2-Attribution/readme.md new file mode 100644 index 0000000000..bfedaa195c --- /dev/null +++ b/Solutions/HYAS/Playbooks/Enrich-Sentinel-Incident-HYAS-Insight-IP-C2-Attribution/readme.md @@ -0,0 +1,11 @@ +# Enrich-Sentinel-Incident-HYAS-Insight-IP-C2-Attribution +author: Paul van Gool, HYAS Infosec + +This playbook uses the HYAS Insight connector to automatically enrich incidents generated by Sentinel with historic WHOIS information. You need a valid subscription in order to use the connector and playbook. Learn more about the integration via the [connector documentation](https://docs.microsoft.com/connectors/hyasinsight/) or visit [HYAS Insight](https://www.hyas.com/contact) to request a trial key. + + +## Links to deploy the Enrich-Sentinel-Incident-HYAS-Insight-IP-C2-Attribution playbook template: + +[![Deploy to Azure](https://aka.ms/deploytoazurebutton)](https://portal.azure.com/#create/Microsoft.Template/uri/https%3A%2F%2Fraw.githubusercontent.com%2FAzure%2FAzure-Sentinel%2Fmaster%2FSolutions%2FHYAS%2FPlaybooks%2FEnrich-Sentinel-Incident-HYAS-Insight-IP-C2-Attribution%2Fazuredeploy.json) + +[![Deploy to Azure Gov](https://aka.ms/deploytoazuregovbutton)](https://portal.azure.us/#create/Microsoft.Template/uri/https%3A%2F%2Fraw.githubusercontent.com%2FAzure%2FAzure-Sentinel%2Fmaster%2FSolutions%2FHYAS%2FPlaybooks%2FEnrich-Sentinel-Incident-HYAS-Insight-IP-C2-Attribution%2Fazuredeploy.json) diff --git a/Solutions/HYAS/Playbooks/Enrich-Sentinel-Incident-HYAS-Insight-SHA256-C2-Attribution/azuredeploy.json b/Solutions/HYAS/Playbooks/Enrich-Sentinel-Incident-HYAS-Insight-SHA256-C2-Attribution/azuredeploy.json new file mode 100644 index 0000000000..a600d0efce --- /dev/null +++ b/Solutions/HYAS/Playbooks/Enrich-Sentinel-Incident-HYAS-Insight-SHA256-C2-Attribution/azuredeploy.json @@ -0,0 +1,387 @@ +{ + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "metadata": { + "comments": "This playbook uses the HYAS Insight connector to automatically enrich incidents generated by Sentinel with C2 Attribution information. You need a valid subscription in order to use the connector and playbook. Learn more about the integration via the https://docs.microsoft.com/connectors/hyasinsight/ or visit https://www.hyas.com/contact to request a trial key.", + "author": "Paul van Gool, HYAS Infosec" + }, + "parameters": { + "PlaybookName": { + "defaultValue": "Enrich-Sentinel-Incident-HYAS-Insight-SHA256-C2-Attribution", + "type": "string" + }, + "UserName": { + "defaultValue": "@", + "type": "string" + } + }, + "variables": { + "HYASInsightApiKey": "[concat('hyasinsight-', parameters('PlaybookName'))]", + "AzureSentinelConnectionName": "[concat('azuresentinel-', parameters('PlaybookName'))]" + }, + "resources": [ + { + "type": "Microsoft.Web/connections", + "apiVersion": "2016-06-01", + "name": "[variables('AzureSentinelConnectionName')]", + "location": "[resourceGroup().location]", + "kind": "V1", + "properties": { + "displayName": "[variables('AzureSentinelConnectionName')]", + "customParameterValues": {}, + "parameterValueType": "Alternative", + "api": { + "id": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', resourceGroup().location, '/managedApis/azuresentinel')]" + } + } + }, + { + "type": "Microsoft.Web/connections", + "apiVersion": "2016-06-01", + "name": "[variables('HYASInsightApiKey')]", + "location": "[resourceGroup().location]", + "properties": { + "displayName": "[parameters('UserName')]", + "customParameterValues": {}, + "api": { + "id": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', resourceGroup().location, '/managedApis/hyasinsight')]" + } + } + }, + { + "type": "Microsoft.Logic/workflows", + "apiVersion": "2017-07-01", + "name": "[parameters('PlaybookName')]", + "location": "[resourceGroup().location]", + "identity": { + "type": "SystemAssigned" + }, + "dependsOn": [ + "[resourceId('Microsoft.Web/connections', variables('HYASInsightApiKey'))]", + "[resourceId('Microsoft.Web/connections', variables('AzureSentinelConnectionName'))]" + ], + "properties": { + "state": "Enabled", + "definition": { + "$schema": "https://schema.management.azure.com/providers/Microsoft.Logic/schemas/2016-06-01/workflowdefinition.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "$connections": { + "defaultValue": {}, + "type": "Object" + } + }, + "triggers": { + "When_a_response_to_an_Azure_Sentinel_alert_is_triggered": { + "type": "ApiConnectionWebhook", + "inputs": { + "body": { + "callback_url": "@{listCallbackUrl()}" + }, + "host": { + "connection": { + "name": "@parameters('$connections')['azuresentinel']['connectionId']" + } + }, + "path": "/subscribe" + } + } + }, + "actions": { + "Entities_-_Get_FileHashes": { + "runAfter": {}, + "type": "ApiConnection", + "inputs": { + "body": "@triggerBody()?['Entities']", + "host": { + "connection": { + "name": "@parameters('$connections')['azuresentinel']['connectionId']" + } + }, + "method": "post", + "path": "/entities/filehash" + } + }, + "Filehash_Variable": { + "runAfter": { + "Sentinel_Incident_Comment_Variable": [ + "Succeeded" + ] + }, + "type": "InitializeVariable", + "inputs": { + "variables": [ + { + "name": "FileHashValue", + "type": "string" + } + ] + } + }, + "JSON_Output_Variable": { + "runAfter": { + "Entities_-_Get_FileHashes": [ + "Succeeded" + ] + }, + "type": "InitializeVariable", + "inputs": { + "variables": [ + { + "name": "Json Output", + "type": "array" + } + ] + } + }, + "Looping_Through_Sentinel_Sha256_values": { + "foreach": "@body('Entities_-_Get_FileHashes')?['Filehashes']", + "actions": { + "Add_comment_to_incident_(V2)_2": { + "runAfter": { + "Checking_If_the_Response_Returned_Data": [ + "Succeeded" + ] + }, + "type": "ApiConnection", + "inputs": { + "body": { + "Value": "HYAS Insight C2 Attribution Enrichment data for the SHA256 \"@{variables('FileHashValue')}\"\n\n :\n@{variables('Comment')}\n\n\nFor detailed information, see https://insight.hyas.com/static/details?sha256=@{variables('FileHashValue')}" + }, + "host": { + "connection": { + "name": "@parameters('$connections')['azuresentinel']['connectionId']" + } + }, + "method": "put", + "path": "/Comment/@{encodeURIComponent(triggerBody()?['WorkspaceSubscriptionId'])}/@{encodeURIComponent(triggerBody()?['WorkspaceId'])}/@{encodeURIComponent(triggerBody()?['WorkspaceResourceGroup'])}/@{encodeURIComponent('Alert')}/@{encodeURIComponent(triggerBody()?['SystemAlertId'])}" + } + }, + "Checking_If_the_Response_Returned_Data": { + "actions": { + "Assigning_Table_Formatted_Output_to_Incident_Comment_Variable": { + "runAfter": { + "Set_Comment_Variable_to_empty": [ + "Succeeded" + ] + }, + "type": "SetVariable", + "inputs": { + "name": "Comment", + "value": "@body('Create_HTML_table')" + } + }, + "Create_HTML_table": { + "runAfter": { + "For_each": [ + "Succeeded" + ] + }, + "type": "Table", + "inputs": { + "format": "HTML", + "from": "@variables('Json Output')" + } + }, + "For_each": { + "foreach": "@take(body('Retrieve_C2_Attribution_information_for_SHA256'),3)", + "actions": { + "Append_to_array_variable": { + "runAfter": {}, + "type": "AppendToArrayVariable", + "inputs": { + "name": "Json Output", + "value": { + "actor_ipv4": "@items('For_each')?['actor_ipv4']", + "c2_domain": "@items('For_each')?['c2_domain']", + "c2_ipv4": "@items('For_each')?['c2_ip']", + "c2_url": "@items('For_each')?['c2_url']", + "datetime": "@items('For_each')?['datetime']", + "email": "@items('For_each')?['email']", + "email_domain": "@items('For_each')?['email_domain']", + "referrer_domain": "@items('For_each')?['referrer_domain']", + "referrer_ipv4": "@items('For_each')?['referrer_ipv4']", + "referrer_url": "@items('For_each')?['referrer_url']", + "sha256": "@items('For_each')?['sha256']" + } + } + } + }, + "runAfter": {}, + "type": "Foreach", + "runtimeConfiguration": { + "concurrency": { + "repetitions": 1 + } + } + }, + "Set_Comment_Variable_to_empty": { + "runAfter": { + "Set_Json_output_to_empty": [ + "Succeeded" + ] + }, + "type": "SetVariable", + "inputs": { + "name": "Comment", + "value": " " + } + }, + "Set_Json_output_to_empty": { + "runAfter": { + "Create_HTML_table": [ + "Succeeded" + ] + }, + "type": "SetVariable", + "inputs": { + "name": "Json Output", + "value": [] + } + } + }, + "runAfter": { + "Setting_Response_Length_Variable": [ + "Succeeded" + ] + }, + "else": { + "actions": { + "No_Records_Found": { + "runAfter": {}, + "type": "SetVariable", + "inputs": { + "name": "Comment", + "value": "No records found in HYAS Insight for the SHA256 \"@{items('Looping_Through_Sentinel_Sha256_values')?['Address']}\"." + } + } + } + }, + "expression": { + "and": [ + { + "greater": [ + "@variables('RecordsLength')", + 0 + ] + } + ] + }, + "type": "If" + }, + "Retrieve_C2_Attribution_information_for_SHA256": { + "runAfter": { + "Set_Filehash_Value": [ + "Succeeded" + ] + }, + "type": "ApiConnection", + "inputs": { + "body": { + "applied_filters": { + "sha256": "@variables('FileHashValue')" + } + }, + "host": { + "connection": { + "name": "@parameters('$connections')['hyasinsight']['connectionId']" + } + }, + "method": "post", + "path": "/c2attribution/sha256" + } + }, + "Set_Filehash_Value": { + "runAfter": {}, + "type": "SetVariable", + "inputs": { + "name": "FileHashValue", + "value": "@items('Looping_Through_Sentinel_Sha256_values')?['Value']" + } + }, + "Setting_Response_Length_Variable": { + "runAfter": { + "Retrieve_C2_Attribution_information_for_SHA256": [ + "Succeeded" + ] + }, + "type": "SetVariable", + "inputs": { + "name": "RecordsLength", + "value": "@length(body('Retrieve_C2_Attribution_information_for_SHA256'))" + } + } + }, + "runAfter": { + "Filehash_Variable": [ + "Succeeded" + ] + }, + "type": "Foreach", + "runtimeConfiguration": { + "concurrency": { + "repetitions": 1 + } + } + }, + "Response_Length_Variable": { + "runAfter": { + "JSON_Output_Variable": [ + "Succeeded" + ] + }, + "type": "InitializeVariable", + "inputs": { + "variables": [ + { + "name": "RecordsLength", + "type": "integer", + "value": 0 + } + ] + } + }, + "Sentinel_Incident_Comment_Variable": { + "runAfter": { + "Response_Length_Variable": [ + "Succeeded" + ] + }, + "type": "InitializeVariable", + "inputs": { + "variables": [ + { + "name": "Comment", + "type": "string" + } + ] + } + } + }, + "outputs": {} + }, + "parameters": { + "$connections": { + "value": { + "azuresentinel": { + "connectionId": "[resourceId('Microsoft.Web/connections', variables('AzureSentinelConnectionName'))]", + "connectionName": "[variables('AzureSentinelConnectionName')]", + "id": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', resourceGroup().location, '/managedApis/azuresentinel')]", + "connectionProperties": { + "authentication": { + "type": "ManagedServiceIdentity" + } + } + }, + "hyasinsight": { + "connectionId": "[resourceId('Microsoft.Web/connections', variables('HYASInsightApiKey'))]", + "connectionName": "[variables('HYASInsightApiKey')]", + "id": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', resourceGroup().location, '/managedApis/hyasinsight')]" + } + } + } + } + } + } + ] +} diff --git a/Solutions/HYAS/Playbooks/Enrich-Sentinel-Incident-HYAS-Insight-SHA256-C2-Attribution/readme.md b/Solutions/HYAS/Playbooks/Enrich-Sentinel-Incident-HYAS-Insight-SHA256-C2-Attribution/readme.md new file mode 100644 index 0000000000..bfed695196 --- /dev/null +++ b/Solutions/HYAS/Playbooks/Enrich-Sentinel-Incident-HYAS-Insight-SHA256-C2-Attribution/readme.md @@ -0,0 +1,11 @@ +# Enrich-Sentinel-Incident-HYAS-Insight-SHA256-C2-Attribution +author: Paul van Gool, HYAS Infosec + +This playbook uses the HYAS Insight connector to automatically enrich incidents generated by Sentinel with historic WHOIS information. You need a valid subscription in order to use the connector and playbook. Learn more about the integration via the [connector documentation](https://docs.microsoft.com/connectors/hyasinsight/) or visit [HYAS Insight](https://www.hyas.com/contact) to request a trial key. + + +## Links to deploy the Enrich-Sentinel-Incident-HYAS-Insight-SHA256-C2-Attribution playbook template: + +[![Deploy to Azure](https://aka.ms/deploytoazurebutton)](https://portal.azure.com/#create/Microsoft.Template/uri/https%3A%2F%2Fraw.githubusercontent.com%2FAzure%2FAzure-Sentinel%2Fmaster%2FSolutions%2FHYAS%2FPlaybooks%2FEnrich-Sentinel-Incident-HYAS-Insight-SHA256-C2-Attribution%2Fazuredeploy.json) + +[![Deploy to Azure Gov](https://aka.ms/deploytoazuregovbutton)](https://portal.azure.us/#create/Microsoft.Template/uri/https%3A%2F%2Fraw.githubusercontent.com%2FAzure%2FAzure-Sentinel%2Fmaster%2FSolutions%2FHYAS%2FPlaybooks%2FEnrich-Sentinel-Incident-HYAS-Insight-SHA256-C2-Attribution%2Fazuredeploy.json) diff --git a/Solutions/ImpervaCloudWAF/Analytic Rules/ImpervaAbnormalProtocolUsage.yaml b/Solutions/ImpervaCloudWAF/Analytic Rules/ImpervaAbnormalProtocolUsage.yaml new file mode 100755 index 0000000000..7885d17acd --- /dev/null +++ b/Solutions/ImpervaCloudWAF/Analytic Rules/ImpervaAbnormalProtocolUsage.yaml @@ -0,0 +1,30 @@ +id: 363307f6-09ba-4926-ad52-03aadfd24b5e +name: Imperva - Abnormal protocol usage +description: | + 'Detects abnormal protocol usage.' +severity: Medium +requiredDataConnectors: + - connectorId: ImpervaWAFCloudAPI + dataTypes: + - ImpervaWAFCloud +queryFrequency: 1h +queryPeriod: 1h +triggerOperator: gt +triggerThreshold: 0 +tactics: + - InitialAccess +relevantTechniques: + - T1190 + - T1133 +query: | + ImpervaWAFCloud + | where NetworkApplicationProtocol in~ ('HTTP', 'HTTPs') + | where DstPortNumber !in ('80', '443') + | extend IPCustomEntity = SrcIpAddr +entityMappings: + - entityType: IP + fieldMappings: + - identifier: Address + columnName: IPCustomEntity +version: 1.0.0 +kind: Scheduled diff --git a/Solutions/ImpervaCloudWAF/Analytic Rules/ImpervaAdminPanelUncommonIp.yaml b/Solutions/ImpervaCloudWAF/Analytic Rules/ImpervaAdminPanelUncommonIp.yaml new file mode 100755 index 0000000000..39d6fb37c9 --- /dev/null +++ b/Solutions/ImpervaCloudWAF/Analytic Rules/ImpervaAdminPanelUncommonIp.yaml @@ -0,0 +1,30 @@ +id: 427c025d-c068-4844-8205-66879e89bcfa +name: Imperva - Request from unexpected IP address to admin panel +description: | + 'Detects requests from unexpected IP addresses to admin panel.' +severity: high +requiredDataConnectors: + - connectorId: ImpervaWAFCloudAPI + dataTypes: + - ImpervaWAFCloud +queryFrequency: 1h +queryPeriod: 1h +triggerOperator: gt +triggerThreshold: 0 +tactics: + - InitialAccess +relevantTechniques: + - T1190 + - T1133 +query: | + ImpervaWAFCloud + | where QueryString contains @'/admin' + | where ipv4_is_private(SrcIpAddr) == False + | extend IPCustomEntity = SrcIpAddr +entityMappings: + - entityType: IP + fieldMappings: + - identifier: Address + columnName: IPCustomEntity +version: 1.0.0 +kind: Scheduled \ No newline at end of file diff --git a/Solutions/ImpervaCloudWAF/Analytic Rules/ImpervaAttackNotBlocked.yaml b/Solutions/ImpervaCloudWAF/Analytic Rules/ImpervaAttackNotBlocked.yaml new file mode 100755 index 0000000000..8ff33826bc --- /dev/null +++ b/Solutions/ImpervaCloudWAF/Analytic Rules/ImpervaAttackNotBlocked.yaml @@ -0,0 +1,30 @@ +id: 4d365217-f96a-437c-9c57-53594fa261c3 +name: Imperva - Critical severity event not blocked +description: | + 'Detects when critical severity event was not blocked.' +severity: high +requiredDataConnectors: + - connectorId: ImpervaWAFCloudAPI + dataTypes: + - ImpervaWAFCloud +queryFrequency: 1h +queryPeriod: 1h +triggerOperator: gt +triggerThreshold: 0 +tactics: + - InitialAccess +relevantTechniques: + - T1190 + - T1133 +query: | + ImpervaWAFCloud + | where EventSeverity =~ 'CRITICAL' + | where DvcAction !startswith 'REQ_BLOCKED' or DvcAction !startswith 'REQ_BAD_' + | extend IPCustomEntity = SrcIpAddr +entityMappings: + - entityType: IP + fieldMappings: + - identifier: Address + columnName: IPCustomEntity +version: 1.0.0 +kind: Scheduled \ No newline at end of file diff --git a/Solutions/ImpervaCloudWAF/Analytic Rules/ImpervaCommandInUri.yaml b/Solutions/ImpervaCloudWAF/Analytic Rules/ImpervaCommandInUri.yaml new file mode 100755 index 0000000000..d5ea98abb8 --- /dev/null +++ b/Solutions/ImpervaCloudWAF/Analytic Rules/ImpervaCommandInUri.yaml @@ -0,0 +1,29 @@ +id: 6214f187-5840-4cf7-a174-0cf9a72bfd29 +name: Imperva - Possible command injection +description: | + 'Detects requests with commands in URI.' +severity: Medium +requiredDataConnectors: + - connectorId: ImpervaWAFCloudAPI + dataTypes: + - ImpervaWAFCloud +queryFrequency: 1h +queryPeriod: 1h +triggerOperator: gt +triggerThreshold: 0 +tactics: + - InitialAccess +relevantTechniques: + - T1190 + - T1133 +query: | + ImpervaWAFCloud + | where QueryString contains '%2fetc%2fpasswd' or QueryString contains '%2fetc%2fshadow' or QueryString contains 'ping' or QueryString contains 'whoami' or QueryString contains 'phpinfo' or QueryString contains '%2fbin%2fbash' or QueryString contains 'curl' or QueryString contains 'exec(' or QueryString contains 'wget' or QueryString contains 'python' or QueryString contains 'gcc' or QueryString contains 'uname' or QueryString contains 'systeminfo' or QueryString contains 'rout' or QueryString contains 'hostname' or QueryString contains 'ifconfig' + | extend IPCustomEntity = SrcIpAddr +entityMappings: + - entityType: IP + fieldMappings: + - identifier: Address + columnName: IPCustomEntity +version: 1.0.0 +kind: Scheduled \ No newline at end of file diff --git a/Solutions/ImpervaCloudWAF/Analytic Rules/ImpervaForbiddenCountry.yaml b/Solutions/ImpervaCloudWAF/Analytic Rules/ImpervaForbiddenCountry.yaml new file mode 100755 index 0000000000..16b3bc21f5 --- /dev/null +++ b/Solutions/ImpervaCloudWAF/Analytic Rules/ImpervaForbiddenCountry.yaml @@ -0,0 +1,31 @@ +id: 58300723-22e0-4096-b33a-aa9b992c3564 +name: Imperva - Request from unexpected countries +description: | + 'Detects request attempts from unexpected countries.' +severity: High +requiredDataConnectors: + - connectorId: ImpervaWAFCloudAPI + dataTypes: + - ImpervaWAFCloud +queryFrequency: 1h +queryPeriod: 1h +triggerOperator: gt +triggerThreshold: 0 +tactics: + - InitialAccess +relevantTechniques: + - T1190 + - T1133 +query: | + let bl_country = dynamic(['CH', 'KR']); + ImpervaWAFCloud + | where Country in (bl_country) + | where DvcAction !startswith 'REQ_BLOCKED' or DvcAction !startswith 'REQ_BAD_' + | extend IPCustomEntity = SrcIpAddr +entityMappings: + - entityType: IP + fieldMappings: + - identifier: Address + columnName: IPCustomEntity +version: 1.0.0 +kind: Scheduled \ No newline at end of file diff --git a/Solutions/ImpervaCloudWAF/Analytic Rules/ImpervaForbiddenMethod.yaml b/Solutions/ImpervaCloudWAF/Analytic Rules/ImpervaForbiddenMethod.yaml new file mode 100755 index 0000000000..0742c4f846 --- /dev/null +++ b/Solutions/ImpervaCloudWAF/Analytic Rules/ImpervaForbiddenMethod.yaml @@ -0,0 +1,34 @@ +id: 7ebc9e24-319c-4786-9151-c898240463bc +name: Imperva - Forbidden HTTP request method in request +description: | + 'Detects connections with unexpected HTTP request method.' +severity: Medium +requiredDataConnectors: + - connectorId: ImpervaWAFCloudAPI + dataTypes: + - ImpervaWAFCloud +queryFrequency: 1h +queryPeriod: 1h +triggerOperator: gt +triggerThreshold: 0 +tactics: + - InitialAccess +relevantTechniques: + - T1190 + - T1133 +query: | + let bl_http_methods = dynamic(['PUT', 'HEAD', 'OPTIONS', 'TRACE', 'POST']); + ImpervaWAFCloud + | where HttpRequestMethod in~ (bl_http_methods) + | extend IPCustomEntity = SrcIpAddr, UrlCustomEntity = UrlOriginal +entityMappings: + - entityType: IP + fieldMappings: + - identifier: Address + columnName: IPCustomEntity + - entityType: URL + fieldMappings: + - identifier: Url + columnName: UrlCustomEntity +version: 1.0.0 +kind: Scheduled \ No newline at end of file diff --git a/Solutions/ImpervaCloudWAF/Analytic Rules/ImpervaMaliciousClient.yaml b/Solutions/ImpervaCloudWAF/Analytic Rules/ImpervaMaliciousClient.yaml new file mode 100755 index 0000000000..764f9ef4d3 --- /dev/null +++ b/Solutions/ImpervaCloudWAF/Analytic Rules/ImpervaMaliciousClient.yaml @@ -0,0 +1,34 @@ +id: 2ff35ed4-b26a-4cad-93a6-f67adb00e919 +name: Imperva - Malicious Client +description: | + 'Detects connections from known malicious clients.' +severity: Medium +requiredDataConnectors: + - connectorId: ImpervaWAFCloudAPI + dataTypes: + - ImpervaWAFCloud +queryFrequency: 1h +queryPeriod: 1h +triggerOperator: gt +triggerThreshold: 0 +tactics: + - InitialAccess +relevantTechniques: + - T1190 + - T1133 +query: | + ImpervaWAFCloud + | where ClientApp in~ ('VulnerabilityScanner', 'DDoSBot', 'ClickBot','CommentSpamBot','HackingTool', 'SpamBot', 'Worm') + | where DvcAction !startswith 'REQ_BLOCKED' or DvcAction !startswith 'REQ_BAD_' + | extend IPCustomEntity = SrcIpAddr, UrlCustomEntity = QueryString +entityMappings: + - entityType: IP + fieldMappings: + - identifier: Address + columnName: IPCustomEntity + - entityType: URL + fieldMappings: + - identifier: Url + columnName: UrlCustomEntity +version: 1.0.0 +kind: Scheduled \ No newline at end of file diff --git a/Solutions/ImpervaCloudWAF/Analytic Rules/ImpervaMaliciousUA.yaml b/Solutions/ImpervaCloudWAF/Analytic Rules/ImpervaMaliciousUA.yaml new file mode 100755 index 0000000000..3541ed6de4 --- /dev/null +++ b/Solutions/ImpervaCloudWAF/Analytic Rules/ImpervaMaliciousUA.yaml @@ -0,0 +1,30 @@ +id: 905794a9-bc46-42b9-974d-5a2dd58110c5 +name: Imperva - Malicious user agent +description: | + 'Detects requests containing known malicious user agent strings.' +severity: Medium +requiredDataConnectors: + - connectorId: ImpervaWAFCloudAPI + dataTypes: + - ImpervaWAFCloud +queryFrequency: 1h +queryPeriod: 1h +triggerOperator: gt +triggerThreshold: 0 +tactics: + - InitialAccess +relevantTechniques: + - T1190 + - T1133 +query: | + ImpervaWAFCloud + | where HttpUserAgentOriginal has_any ('Nikto', 'hydra', 'advanced email extractor', 'BFAC', 'brutus', 'cgichk', 'cisco-torch', 'scanner', 'datacha0s', 'dirbuster', 'grabber', 'havij', 'internet ninja', 'masscan', 'morfeus', 'mysqloit', 'n-stealth', 'nessus', 'netsparker', 'nmap nse', 'nmap scripting engine', 'nmap-nse', 'nsauditor', 'openvas', 'pangolin', 'qualys was', 'security scan', 'springenwerk', 'sql power injector', 'sqlmap', 'sqlninja', 'w3af.sf.net', 'w3af.sourceforge.net', 'w3af.org', 'webbandit', 'webinspect', 'webvulnscan', 'xmlrpc exploit', 'WPScan', 'XSpider', 'Webster', 'fantomCrew', 'fantomBrowser') + | summarize count() by SrcIpAddr, bin(TimeGenerated, 5m) + | extend IPCustomEntity = SrcIpAddr +entityMappings: + - entityType: IP + fieldMappings: + - identifier: Address + columnName: IPCustomEntity +version: 1.0.0 +kind: Scheduled \ No newline at end of file diff --git a/Solutions/ImpervaCloudWAF/Analytic Rules/ImpervaMultipleUAsSource.yaml b/Solutions/ImpervaCloudWAF/Analytic Rules/ImpervaMultipleUAsSource.yaml new file mode 100755 index 0000000000..f3cb016ee4 --- /dev/null +++ b/Solutions/ImpervaCloudWAF/Analytic Rules/ImpervaMultipleUAsSource.yaml @@ -0,0 +1,31 @@ +id: 4e8032eb-f04d-4a30-85d3-b74bf2c8f204 +name: Imperva - Multiple user agents from same source +description: | + 'Detects connections with unexpected HTTP request method.' +severity: Medium +requiredDataConnectors: + - connectorId: ImpervaWAFCloudAPI + dataTypes: + - ImpervaWAFCloud +queryFrequency: 1h +queryPeriod: 1h +triggerOperator: gt +triggerThreshold: 0 +tactics: + - InitialAccess +relevantTechniques: + - T1190 + - T1133 +query: | + let threshold = 10; + ImpervaWAFCloud + | summarize d_uas = dcount(HttpUserAgentOriginal) by SrcIpAddr, bin(TimeGenerated, 5m) + | where d_uas >= threshold + | extend IPCustomEntity = SrcIpAddr +entityMappings: + - entityType: IP + fieldMappings: + - identifier: Address + columnName: IPCustomEntity +version: 1.0.0 +kind: Scheduled \ No newline at end of file diff --git a/Solutions/ImpervaCloudWAF/Analytic Rules/ImpervaSuspiciousDstPort.yaml b/Solutions/ImpervaCloudWAF/Analytic Rules/ImpervaSuspiciousDstPort.yaml new file mode 100755 index 0000000000..f62ebc12ea --- /dev/null +++ b/Solutions/ImpervaCloudWAF/Analytic Rules/ImpervaSuspiciousDstPort.yaml @@ -0,0 +1,31 @@ +id: 0ba78922-033c-468c-82de-2974d7b1797d +name: Imperva - Request to unexpected destination port +description: | + 'Detects request attempts to unexpected destination ports.' +severity: high +requiredDataConnectors: + - connectorId: ImpervaWAFCloudAPI + dataTypes: + - ImpervaWAFCloud +queryFrequency: 1h +queryPeriod: 1h +triggerOperator: gt +triggerThreshold: 0 +tactics: + - InitialAccess +relevantTechniques: + - T1190 + - T1133 +query: | + let bl_ports = dynamic(['22', '3389']); + ImpervaWAFCloud + | where DstPortNumber in (bl_ports) + | where DvcAction !startswith 'REQ_BLOCKED' or DvcAction !startswith 'REQ_BAD_' + | extend IPCustomEntity = SrcIpAddr +entityMappings: + - entityType: IP + fieldMappings: + - identifier: Address + columnName: IPCustomEntity +version: 1.0.0 +kind: Scheduled \ No newline at end of file diff --git a/Solutions/ImpervaCloudWAF/Hunting Queries/ImpervaDestinationBlocked.yaml b/Solutions/ImpervaCloudWAF/Hunting Queries/ImpervaDestinationBlocked.yaml new file mode 100755 index 0000000000..00d666e40c --- /dev/null +++ b/Solutions/ImpervaCloudWAF/Hunting Queries/ImpervaDestinationBlocked.yaml @@ -0,0 +1,27 @@ +id: e360c980-b515-4c27-921c-19d411bd059d +name: Imperva - Top destinations with blocked requests +description: | + 'Query searches destination IP addresses requests to which were blocked by the service.' +severity: Medium +requiredDataConnectors: + - connectorId: ImpervaWAFCloudAPI + dataTypes: + - ImpervaWAFCloud +tactics: + - InitialAccess + - Impact +relevantTechniques: + - T1190 + - T1133 + - T1498 +query: | + ImpervaWAFCloud + | where TimeGenerated > ago(24h) + | where DvcAction startswith 'REQ_BLOCKED' + | summarize count() by DstIpAddr + | extend IPCustomEntity = DstIpAddr +entityMappings: + - entityType: IP + fieldMappings: + - identifier: Address + columnName: IPCustomEntity diff --git a/Solutions/ImpervaCloudWAF/Hunting Queries/ImpervaInsecureWebProtocolVersion.yaml b/Solutions/ImpervaCloudWAF/Hunting Queries/ImpervaInsecureWebProtocolVersion.yaml new file mode 100755 index 0000000000..3d8a909b0c --- /dev/null +++ b/Solutions/ImpervaCloudWAF/Hunting Queries/ImpervaInsecureWebProtocolVersion.yaml @@ -0,0 +1,24 @@ +id: 4cf72a93-537a-4c1f-83a3-0a5b743fe93e +name: Imperva - Applications with insecure web protocol version +description: | + 'Query searches for with insecure web protocol version.' +severity: Medium +requiredDataConnectors: + - connectorId: ImpervaWAFCloudAPI + dataTypes: + - ImpervaWAFCloud +tactics: + - InitialAccess +relevantTechniques: + - T1190 +query: | + ImpervaWAFCloud + | where TimeGenerated > ago(24h) + | where NetworkApplicationProtocoVersion !startswith 'TLSv1.2' + | summarize count() by DstDomainHostname + | extend DomainNameCustom = DstDomainHostname +entityMappings: + - entityType: DNS + fieldMappings: + - identifier: DomainName + columnName: CustomDomainName diff --git a/Solutions/ImpervaCloudWAF/Hunting Queries/ImpervaNonWebApplication.yaml b/Solutions/ImpervaCloudWAF/Hunting Queries/ImpervaNonWebApplication.yaml new file mode 100755 index 0000000000..5b878f482c --- /dev/null +++ b/Solutions/ImpervaCloudWAF/Hunting Queries/ImpervaNonWebApplication.yaml @@ -0,0 +1,24 @@ +id: 1f99e54f-0e75-474e-8232-90963207f02b +name: Imperva - Non HTTP/HTTPs applications +description: | + 'Query searches for non HTTP/HTTPs applications.' +severity: Medium +requiredDataConnectors: + - connectorId: ImpervaWAFCloudAPI + dataTypes: + - ImpervaWAFCloud +tactics: + - InitialAccess +relevantTechniques: + - T1190 +query: | + ImpervaWAFCloud + | where TimeGenerated > ago(24h) + | where NetworkApplicationProtocol !in~ ('HTTP', 'HTTPs') + | summarize count() by DstIpAddr, NetworkApplicationProtocol + | extend IPCustomEntity = DstIpAddr +entityMappings: + - entityType: IP + fieldMappings: + - identifier: Address + columnName: IPCustomEntity diff --git a/Solutions/ImpervaCloudWAF/Hunting Queries/ImpervaRareApplications.yaml b/Solutions/ImpervaCloudWAF/Hunting Queries/ImpervaRareApplications.yaml new file mode 100755 index 0000000000..d6bd0a703d --- /dev/null +++ b/Solutions/ImpervaCloudWAF/Hunting Queries/ImpervaRareApplications.yaml @@ -0,0 +1,25 @@ +id: 426a8b59-41ad-4022-bb01-cf914fd5687a +name: Imperva - Rare applications +description: | + 'Query searches for rare application protocols.' +severity: Medium +requiredDataConnectors: + - connectorId: ImpervaWAFCloudAPI + dataTypes: + - ImpervaWAFCloud +tactics: + - InitialAccess +relevantTechniques: + - T1190 +query: | + ImpervaWAFCloud + | where TimeGenerated > ago(24h) + | where isnotempty(NetworkApplicationProtocol) + | summarize count() by NetworkApplicationProtocol + | top 5 by count_ asc + | extend AppCustomEntity = NetworkApplicationProtocol +entityMappings: + - entityType: CloudApplication + fieldMappings: + - identifier: Name + columnName: AppCustomEntity diff --git a/Solutions/ImpervaCloudWAF/Hunting Queries/ImpervaRareClientApplications.yaml b/Solutions/ImpervaCloudWAF/Hunting Queries/ImpervaRareClientApplications.yaml new file mode 100755 index 0000000000..a28434c81f --- /dev/null +++ b/Solutions/ImpervaCloudWAF/Hunting Queries/ImpervaRareClientApplications.yaml @@ -0,0 +1,25 @@ +id: 4a8a88af-4f40-40bd-aca8-e016dd6960de +name: Imperva - Rare client applications +description: | + 'Query searches for rare client applications used.' +severity: Medium +requiredDataConnectors: + - connectorId: ImpervaWAFCloudAPI + dataTypes: + - ImpervaWAFCloud +tactics: + - InitialAccess +relevantTechniques: + - T1190 +query: | + ImpervaWAFCloud + | where TimeGenerated > ago(24h) + | where isnotempty(ClientApp) + | summarize count() by ClientApp + | top 10 by count_ asc + | extend AppCustomEntity = ClientApp +entityMappings: + - entityType: CloudApplication + fieldMappings: + - identifier: Name + columnName: AppCustomEntity diff --git a/Solutions/ImpervaCloudWAF/Hunting Queries/ImpervaRareDstPorts.yaml b/Solutions/ImpervaCloudWAF/Hunting Queries/ImpervaRareDstPorts.yaml new file mode 100755 index 0000000000..dee8996ce7 --- /dev/null +++ b/Solutions/ImpervaCloudWAF/Hunting Queries/ImpervaRareDstPorts.yaml @@ -0,0 +1,24 @@ +id: e68c3b84-7895-41d5-a9af-4ef776e82408 +name: Imperva - Rare destination ports +description: | + 'Query searches for requests for rare destination ports.' +severity: Medium +requiredDataConnectors: + - connectorId: ImpervaWAFCloudAPI + dataTypes: + - ImpervaWAFCloud +tactics: + - InitialAccess +relevantTechniques: + - T1190 +query: | + ImpervaWAFCloud + | where TimeGenerated > ago(24h) + | summarize count() by DstIpAddr, DstPortNumber + | top 20 by count asc + | extend IPCustomEntity = DstIpAddr +entityMappings: + - entityType: IP + fieldMappings: + - identifier: Address + columnName: IPCustomEntity diff --git a/Solutions/ImpervaCloudWAF/Hunting Queries/ImpervaRequestsFromBots.yaml b/Solutions/ImpervaCloudWAF/Hunting Queries/ImpervaRequestsFromBots.yaml new file mode 100755 index 0000000000..256f5ee2a4 --- /dev/null +++ b/Solutions/ImpervaCloudWAF/Hunting Queries/ImpervaRequestsFromBots.yaml @@ -0,0 +1,24 @@ +id: 4cb3088c-445a-4a99-a90f-d583fe253a7d +name: Imperva - request from known bots +description: | + 'Query searches for requests from known bots.' +severity: Medium +requiredDataConnectors: + - connectorId: ImpervaWAFCloudAPI + dataTypes: + - ImpervaWAFCloud +tactics: + - InitialAccess +relevantTechniques: + - T1190 +query: | + ImpervaWAFCloud + | where TimeGenerated > ago(24h) + | where ClientApp =~ 'Bot' + | summarize count() by SrcIpAddr, NetworkApplicationProtocol + | extend IPCustomEntity = SrcIpAddr +entityMappings: + - entityType: IP + fieldMappings: + - identifier: Address + columnName: IPCustomEntity diff --git a/Solutions/ImpervaCloudWAF/Hunting Queries/ImpervaSourceBlocked.yaml b/Solutions/ImpervaCloudWAF/Hunting Queries/ImpervaSourceBlocked.yaml new file mode 100755 index 0000000000..0251457800 --- /dev/null +++ b/Solutions/ImpervaCloudWAF/Hunting Queries/ImpervaSourceBlocked.yaml @@ -0,0 +1,27 @@ +id: ec5b9eb6-f43a-40fc-ae65-2af9ae1e77ae +name: Imperva - Top sources with blocked requests +description: | + 'Query searches source IP addresses with blocked requests.' +severity: Medium +requiredDataConnectors: + - connectorId: ImpervaWAFCloudAPI + dataTypes: + - ImpervaWAFCloud +tactics: + - InitialAccess + - Impact +relevantTechniques: + - T1190 + - T1133 + - T1498 +query: | + ImpervaWAFCloud + | where TimeGenerated > ago(24h) + | where DvcAction startswith 'REQ_BLOCKED' + | summarize count() by SrcIpAddr + | extend IPCustomEntity = SrcIpAddr +entityMappings: + - entityType: IP + fieldMappings: + - identifier: Address + columnName: IPCustomEntity diff --git a/Solutions/ImpervaCloudWAF/Hunting Queries/ImpervaTopApplicationsErrors.yaml b/Solutions/ImpervaCloudWAF/Hunting Queries/ImpervaTopApplicationsErrors.yaml new file mode 100755 index 0000000000..d83d450454 --- /dev/null +++ b/Solutions/ImpervaCloudWAF/Hunting Queries/ImpervaTopApplicationsErrors.yaml @@ -0,0 +1,29 @@ +id: 934f19a5-f4bc-47eb-a213-db918b097434 +name: Imperva - Top applications with error requests +description: | + 'Query searches for top applications with protocol or network errors.' +severity: Medium +requiredDataConnectors: + - connectorId: ImpervaWAFCloudAPI + dataTypes: + - ImpervaWAFCloud +tactics: + - InitialAccess +relevantTechniques: + - T1190 +query: | + ImpervaWAFCloud + | where TimeGenerated > ago(24h) + | where DvcAction startswith 'REQ_BAD_' + | summarize count() by DstIpAddr, DstDomainHostname + | top 10 by count_ + | extend IPCustomEntity = DstIpAddr, DomainNameCustom = DstDomainHostname +entityMappings: + - entityType: IP + fieldMappings: + - identifier: Address + columnName: IPCustomEntity + - entityType: DNS + fieldMappings: + - identifier: DomainName + columnName: CustomDomainName diff --git a/Solutions/ImpervaCloudWAF/Hunting Queries/ImpervaTopSourcesErrors.yaml b/Solutions/ImpervaCloudWAF/Hunting Queries/ImpervaTopSourcesErrors.yaml new file mode 100755 index 0000000000..d55cebc0e6 --- /dev/null +++ b/Solutions/ImpervaCloudWAF/Hunting Queries/ImpervaTopSourcesErrors.yaml @@ -0,0 +1,25 @@ +id: c359e40f-3a56-4e75-8dbb-41e5057bba64 +name: Imperva - Top sources with error requests +description: | + 'Query searches for top source IP addresses with protocol or network errors.' +severity: Medium +requiredDataConnectors: + - connectorId: ImpervaWAFCloudAPI + dataTypes: + - ImpervaWAFCloud +tactics: + - InitialAccess +relevantTechniques: + - T1190 +query: | + ImpervaWAFCloud + | where TimeGenerated > ago(24h) + | where DvcAction startswith 'REQ_BAD_' + | summarize count() by SrcIpAddr + | top 100 by count_ + | extend IPCustomEntity = SrcIpAddr +entityMappings: + - entityType: IP + fieldMappings: + - identifier: Address + columnName: IPCustomEntity diff --git a/Solutions/ImpervaCloudWAF/Workbooks/Images/ImpervaWAFCloudBlack01.png b/Solutions/ImpervaCloudWAF/Workbooks/Images/ImpervaWAFCloudBlack01.png new file mode 100644 index 0000000000..ecda094f39 Binary files /dev/null and b/Solutions/ImpervaCloudWAF/Workbooks/Images/ImpervaWAFCloudBlack01.png differ diff --git a/Solutions/ImpervaCloudWAF/Workbooks/Images/ImpervaWAFCloudBlack02.png b/Solutions/ImpervaCloudWAF/Workbooks/Images/ImpervaWAFCloudBlack02.png new file mode 100644 index 0000000000..055675d3cf Binary files /dev/null and b/Solutions/ImpervaCloudWAF/Workbooks/Images/ImpervaWAFCloudBlack02.png differ diff --git a/Solutions/ImpervaCloudWAF/Workbooks/Images/ImpervaWAFCloudWhite01.png b/Solutions/ImpervaCloudWAF/Workbooks/Images/ImpervaWAFCloudWhite01.png new file mode 100644 index 0000000000..09cafc9af8 Binary files /dev/null and b/Solutions/ImpervaCloudWAF/Workbooks/Images/ImpervaWAFCloudWhite01.png differ diff --git a/Solutions/ImpervaCloudWAF/Workbooks/Images/ImpervaWAFCloudWhite02.png b/Solutions/ImpervaCloudWAF/Workbooks/Images/ImpervaWAFCloudWhite02.png new file mode 100644 index 0000000000..c4b381158c Binary files /dev/null and b/Solutions/ImpervaCloudWAF/Workbooks/Images/ImpervaWAFCloudWhite02.png differ diff --git a/Solutions/ImpervaCloudWAF/Workbooks/Imperva WAF Cloud Overview.json b/Solutions/ImpervaCloudWAF/Workbooks/Imperva WAF Cloud Overview.json new file mode 100644 index 0000000000..c04746881e --- /dev/null +++ b/Solutions/ImpervaCloudWAF/Workbooks/Imperva WAF Cloud Overview.json @@ -0,0 +1,407 @@ +{ + "version": "Notebook/1.0", + "items": [ + { + "type": 1, + "content": { + "json": "**NOTE**: This data connector depends on a parser based on Kusto Function **ImpervaWAFCloud** to work as expected. [Follow steps to get this Kusto Function](https://aka.ms/sentinel-ImpervaWAFCloud-parser)" + }, + "name": "text - 8" + }, + { + "type": 9, + "content": { + "version": "KqlParameterItem/1.0", + "parameters": [ + { + "id": "cd8447d9-b096-4673-92d8-2a1e8291a125", + "version": "KqlParameterItem/1.0", + "name": "TimeRange", + "type": 4, + "description": "Sets the time name for analysis", + "value": { + "durationMs": 7776000000 + }, + "typeSettings": { + "selectableValues": [ + { + "durationMs": 900000 + }, + { + "durationMs": 3600000 + }, + { + "durationMs": 86400000 + }, + { + "durationMs": 604800000 + }, + { + "durationMs": 2592000000 + }, + { + "durationMs": 7776000000 + } + ] + }, + "timeContext": { + "durationMs": 86400000 + } + } + ], + "style": "pills", + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces" + }, + "name": "parameters - 11" + }, + { + "type": 3, + "content": { + "version": "KqlItem/1.0", + "query": "ImpervaWAFCloud\r\n| make-series TotalEvents = count() default = 0 on TimeGenerated from {TimeRange:start} to {TimeRange:end} step {TimeRange:grain};", + "size": 0, + "title": "Events Over Time", + "timeContext": { + "durationMs": 7776000000 + }, + "timeContextFromParameter": "TimeRange", + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces", + "visualization": "timechart", + "graphSettings": { + "type": 0 + } + }, + "customWidth": "60", + "name": "query - 12", + "styleSettings": { + "maxWidth": "55" + } + }, + { + "type": 3, + "content": { + "version": "KqlItem/1.0", + "query": "//Total Http status code result\r\nImpervaWAFCloud\r\n| where isnotempty(HttpStatusCode)\r\n| extend HttpStatus = case( \r\n HttpStatusCode startswith \"2\", \"Success\", \r\n HttpStatusCode startswith \"4\", \"Client Error\",\r\n HttpStatusCode startswith \"5\", \"Server Error\",\r\n \"Unknown\")\r\n| summarize TotalHttpStatus = count() by HttpStatus", + "size": 3, + "title": "HTTP Status Codes", + "timeContext": { + "durationMs": 7776000000 + }, + "timeContextFromParameter": "TimeRange", + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces", + "visualization": "piechart" + }, + "customWidth": "30", + "name": "query - 0", + "styleSettings": { + "maxWidth": "30" + } + }, + { + "type": 12, + "content": { + "version": "NotebookGroup/1.0", + "groupType": "editable", + "items": [ + { + "type": 12, + "content": { + "version": "NotebookGroup/1.0", + "groupType": "editable", + "items": [ + { + "type": 3, + "content": { + "version": "KqlItem/1.0", + "query": "ImpervaWAFCloud\r\n| where isnotempty(SrcIpAddr)\r\n| summarize dcount(SrcIpAddr) ", + "size": 3, + "title": "Unique IP Addresses", + "timeContext": { + "durationMs": 7776000000 + }, + "timeContextFromParameter": "TimeRange", + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces", + "visualization": "card", + "textSettings": { + "style": "bignumber" + } + }, + "name": "query - 0" + } + ] + }, + "name": "group - 1" + }, + { + "type": 12, + "content": { + "version": "NotebookGroup/1.0", + "groupType": "editable", + "items": [ + { + "type": 3, + "content": { + "version": "KqlItem/1.0", + "query": "ImpervaWAFCloud\r\n| where isnotempty(DstDomainHostname) \r\n| summarize dcount(DstDomainHostname)", + "size": 3, + "title": "Unique Domains", + "timeContext": { + "durationMs": 7776000000 + }, + "timeContextFromParameter": "TimeRange", + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces", + "visualization": "card", + "textSettings": { + "style": "bignumber" + } + }, + "name": "query - 0" + } + ] + }, + "name": "group - 2" + }, + { + "type": 12, + "content": { + "version": "NotebookGroup/1.0", + "groupType": "editable", + "items": [ + { + "type": 3, + "content": { + "version": "KqlItem/1.0", + "query": "ImpervaWAFCloud\r\n| where DvcAction startswith 'REQ_BLOCKED'\r\n| count", + "size": 3, + "title": "Total blocked requests", + "noDataMessage": "0", + "timeContext": { + "durationMs": 7776000000 + }, + "timeContextFromParameter": "TimeRange", + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces", + "visualization": "card", + "textSettings": { + "style": "bignumber" + } + }, + "name": "query - 0" + } + ] + }, + "name": "group - 2" + } + ] + }, + "customWidth": "10", + "name": "group - 9", + "styleSettings": { + "maxWidth": "100", + "showBorder": true + } + }, + { + "type": 3, + "content": { + "version": "KqlItem/1.0", + "query": "ImpervaWAFCloud\r\n| where isnotempty(SrcIpAddr)\r\n| summarize count() by SrcIpAddr\r\n| project-rename SourceIP=SrcIpAddr\r\n| top 10 by count_ ", + "size": 3, + "title": "Top 10 Sources", + "timeContext": { + "durationMs": 7776000000 + }, + "timeContextFromParameter": "TimeRange", + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces", + "visualization": "piechart" + }, + "customWidth": "34", + "name": "query - 1" + }, + { + "type": 3, + "content": { + "version": "KqlItem/1.0", + "query": "ImpervaWAFCloud\r\n| where DvcAction startswith 'REQ_BLOCKED'\r\n| summarize count() by SrcIpAddr\r\n| project-rename SourceIP = SrcIpAddr\r\n| top 10 by count_ desc ", + "size": 3, + "title": "Top Source IP addresses with blocked requests", + "timeContext": { + "durationMs": 7776000000 + }, + "timeContextFromParameter": "TimeRange", + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces", + "visualization": "table" + }, + "customWidth": "33", + "name": "query - 3", + "styleSettings": { + "margin": "10", + "padding": "10" + } + }, + { + "type": 3, + "content": { + "version": "KqlItem/1.0", + "query": "ImpervaWAFCloud\r\n| where isnotempty(Country)\r\n| summarize count() by Country\r\n| top 10 by count_ desc ", + "size": 3, + "title": "Top Source IP addresses with client error", + "timeContext": { + "durationMs": 7776000000 + }, + "timeContextFromParameter": "TimeRange", + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces", + "visualization": "piechart", + "gridSettings": { + "sortBy": [ + { + "itemKey": "TotalEvents", + "sortOrder": 2 + } + ] + }, + "sortBy": [ + { + "itemKey": "TotalEvents", + "sortOrder": 2 + } + ] + }, + "customWidth": "33", + "name": "query - 2" + }, + { + "type": 3, + "content": { + "version": "KqlItem/1.0", + "query": "ImpervaWAFCloud\r\n| where isnotempty(DstDomainHostname)\r\n| summarize TotalEvents = count() by DstDomainHostname\r\n| top 10 by TotalEvents desc", + "size": 3, + "title": "Top destination hosts", + "timeContext": { + "durationMs": 7776000000 + }, + "timeContextFromParameter": "TimeRange", + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces", + "visualization": "table" + }, + "customWidth": "30", + "name": "query - 8" + }, + { + "type": 3, + "content": { + "version": "KqlItem/1.0", + "query": "ImpervaWAFCloud\r\n| extend File = extract(@\".*\\/([a-zA-Z0-9-._]*)\", 1, tostring(QueryString))\r\n| where isnotempty(File)\r\n| sort by TimeGenerated desc \r\n| project File, strcat(iff(HttpStatusCode startswith \"4\" or HttpStatusCode startswith \"5\", '❌', '✅')), HttpStatusCode\r\n| project-rename Result = Column1, FileName=File", + "size": 0, + "title": "Latest files accessed", + "timeContext": { + "durationMs": 7776000000 + }, + "timeContextFromParameter": "TimeRange", + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces", + "gridSettings": { + "rowLimit": 50, + "filter": true + } + }, + "customWidth": "35", + "name": "query - 12", + "styleSettings": { + "maxWidth": "33" + } + }, + { + "type": 3, + "content": { + "version": "KqlItem/1.0", + "query": "ImpervaWAFCloud\r\n| where isnotempty(ClientApp)\r\n| summarize count() by ClientApp", + "size": 3, + "title": "Client application types", + "timeContext": { + "durationMs": 7776000000 + }, + "timeContextFromParameter": "TimeRange", + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces", + "visualization": "piechart", + "gridSettings": { + "rowLimit": 10 + }, + "graphSettings": { + "type": 0, + "topContent": { + "columnMatch": "SrcIpAddr", + "formatter": 1 + }, + "centerContent": { + "columnMatch": "LargeRequest", + "formatter": 1, + "numberFormat": { + "unit": 17, + "options": { + "maximumSignificantDigits": 3, + "maximumFractionDigits": 2 + } + } + } + }, + "chartSettings": { + "showMetrics": false, + "showLegend": true + } + }, + "customWidth": "30", + "name": "query - 7" + }, + { + "type": 3, + "content": { + "version": "KqlItem/1.0", + "query": "ImpervaWAFCloud\n| where isnotempty(SrcIpAddr)\n| summarize by SrcIpAddr, SrcGeoLatitude, SrcGeoLongitude", + "size": 3, + "title": "Attack Map", + "color": "redBright", + "timeContext": { + "durationMs": 0 + }, + "timeContextFromParameter": "TimeRange", + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces", + "visualization": "map", + "gridSettings": { + "filter": true + }, + "mapSettings": { + "locInfo": "LatLong", + "latitude": "SrcGeoLatitude", + "longitude": "SrcGeoLongitude", + "sizeSettings": "SrcIpAddr", + "sizeAggregation": "Count", + "defaultSize": 20, + "labelSettings": "SrcIpAddr", + "legendMetric": "SrcIpAddr", + "legendAggregation": "Count", + "itemColorSettings": { + "nodeColorField": "SrcIpAddr", + "colorAggregation": "Count", + "type": "heatmap", + "heatmapPalette": "greenRed" + } + } + }, + "name": "query - 11" + } + ], + "fromTemplateId": "sentinel-ImpervaWAFCloudWorkbook", + "$schema": "https://github.com/Microsoft/Application-Insights-Workbooks/blob/master/schema/workbook.json" +} \ No newline at end of file diff --git a/Solutions/InsightVM/Package/1.0.2.zip b/Solutions/InsightVM/Package/1.0.2.zip new file mode 100644 index 0000000000..abe625dd09 Binary files /dev/null and b/Solutions/InsightVM/Package/1.0.2.zip differ diff --git a/Solutions/InsightVM/Package/createUiDefinition.json b/Solutions/InsightVM/Package/createUiDefinition.json new file mode 100644 index 0000000000..41dc60f07f --- /dev/null +++ b/Solutions/InsightVM/Package/createUiDefinition.json @@ -0,0 +1,102 @@ +{ + "$schema": "https://schema.management.azure.com/schemas/0.1.2-preview/CreateUIDefinition.MultiVm.json#", + "handler": "Microsoft.Azure.CreateUIDef", + "version": "0.1.2-preview", + "parameters": { + "config": { + "isWizard": false, + "basics": { + "description": "**Important:** _This Microsoft Sentinel Solution is currently in public preview. This feature is provided without a service level agreement, and it's not recommended for production workloads. Certain features might not be supported or might have constrained capabilities. For more information, see [Supplemental Terms of Use for Microsoft Azure Previews](https://azure.microsoft.com/support/legal/preview-supplemental-terms/)._\n\n**Note:** _There may be [known issues](https://aka.ms/sentinelsolutionsknownissues) pertaining to this Solution, please refer to them before installing._\n\nThe [Rapid7 Insight platform](https://www.rapid7.com/products/insightvm/) brings together Rapid7’s library of vulnerability research, exploit knowledge, global attacker behavior, Internet-wide scanning data, exposure analytics, and real-time reporting to provide a fully available, scalable, and efficient way to collect your vulnerability data and turn it into answers. InsightVM leverages this platform for live vulnerability and endpoint analytics.\n\nMicrosoft Sentinel Solutions provide a consolidated way to acquire Microsoft Sentinel content like data connectors, workbooks, analytics, and automations in your workspace with a single deployment step.\n\n**Data Connectors:** 1, **Parsers:** 2\n\n[Learn more about Microsoft Sentinel](https://aka.ms/azuresentinel) | [Learn more about Solutions](https://aka.ms/azuresentinelsolutionsdoc)", + "subscription": { + "resourceProviders": [ + "Microsoft.OperationsManagement/solutions", + "Microsoft.OperationalInsights/workspaces/providers/alertRules", + "Microsoft.Insights/workbooks", + "Microsoft.Logic/workflows" + ] + }, + "location": { + "metadata": { + "hidden": "Hiding location, we get it from the log analytics workspace" + }, + "visible": false + }, + "resourceGroup": { + "allowExisting": true + } + } + }, + "basics": [ + { + "name": "getLAWorkspace", + "type": "Microsoft.Solutions.ArmApiControl", + "toolTip": "This filters by workspaces that exist in the Resource Group selected", + "condition": "[greater(length(resourceGroup().name),0)]", + "request": { + "method": "GET", + "path": "[concat(subscription().id,'/providers/Microsoft.OperationalInsights/workspaces?api-version=2020-08-01')]" + } + }, + { + "name": "workspace", + "type": "Microsoft.Common.DropDown", + "label": "Workspace", + "placeholder": "Select a workspace", + "toolTip": "This dropdown will list only workspace that exists in the Resource Group selected", + "constraints": { + "allowedValues": "[map(filter(basics('getLAWorkspace').value, (filter) => contains(filter.id, toLower(resourceGroup().name))), (item) => parse(concat('{\"label\":\"', item.name, '\",\"value\":\"', item.name, '\"}')))]", + "required": true + }, + "visible": true + } + ], + "steps": [ + { + "name": "dataconnectors", + "label": "Data Connectors", + "bladeTitle": "Data Connectors", + "elements": [ + { + "name": "dataconnectors1-text", + "type": "Microsoft.Common.TextBlock", + "options": { + "text": "This Solution installs the data connector for Rapid7InsightVM. You can get Rapid7InsightVM custom log data in your Microsoft Sentinel workspace. Configure and enable this data connector in the Data Connector gallery after this Solution deploys. This data connector creates custom log table(s) NexposeInsightVMCloud_assets_CL NexposeInsightVMCloud_vulnerabilities_CL in your Microsoft Sentinel / Azure Log Analytics workspace." + } + }, + { + "name": "dataconnectors-parser-text", + "type": "Microsoft.Common.TextBlock", + "options": { + "text": "The Solution installs a parser that transforms the ingested data into Microsoft Sentinel normalized format. The normalized format enables better correlation of different types of data from different data sources to drive end-to-end outcomes seamlessly in security monitoring, hunting, incident investigation and response scenarios in Microsoft Sentinel." + } + }, + { + "name": "dataconnectors-link1", + "type": "Microsoft.Common.TextBlock", + "options": { + "link": { + "label": "Learn more about normalized format", + "uri": "https://docs.microsoft.com/azure/sentinel/normalization-schema" + } + } + }, + { + "name": "dataconnectors-link2", + "type": "Microsoft.Common.TextBlock", + "options": { + "link": { + "label": "Learn more about connecting data sources", + "uri": "https://docs.microsoft.com/azure/sentinel/connect-data-sources" + } + } + } + ] + } + ], + "outputs": { + "workspace-location":"[first(map(filter(basics('getLAWorkspace').value, (filter) => and(contains(filter.id, toLower(resourceGroup().name)),equals(filter.name,basics('workspace')))), (item) => item.location))]", + "location": "[location()]", + "workspace": "[basics('workspace')]" + } + } +} diff --git a/Solutions/InsightVM/Package/mainTemplate.json b/Solutions/InsightVM/Package/mainTemplate.json new file mode 100644 index 0000000000..1aeaede804 --- /dev/null +++ b/Solutions/InsightVM/Package/mainTemplate.json @@ -0,0 +1,294 @@ +{ + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "metadata": { + "author": "Mallikarjun Udanashiv - v-maudan@microsoft.com", + "comments": "Solution template for Rapid7InsightVM" + }, + "parameters": { + "location": { + "type": "string", + "minLength": 1, + "defaultValue": "[resourceGroup().location]", + "metadata": { + "description": "Not used, but needed to pass arm-ttk test `Location-Should-Not-Be-Hardcoded`. We instead use the `workspace-location` which is derived from the LA workspace" + } + }, + "workspace-location": { + "type": "string", + "defaultValue": "", + "metadata": { + "description": "[concat('Region to deploy solution resources -- separate from location selection',parameters('location'))]" + } + }, + "workspace": { + "defaultValue": "", + "type": "string", + "metadata": { + "description": "Workspace name for Log Analytics where Sentinel is setup" + } + }, + "connector1-name": { + "type": "string", + "defaultValue": "72734cab-7bb0-4c53-8251-9822d9ebb0db" + } + }, + "variables": { + "workspace-dependency": "[concat('Microsoft.OperationalInsights/workspaces/', parameters('workspace'))]", + "InsightVMAssets_Parser": "InsightVMAssets_Parser", + "_InsightVMAssets_Parser": "[variables('InsightVMAssets_Parser')]", + "InsightVMVulnerabilities_Parser": "InsightVMVulnerabilities_Parser", + "_InsightVMVulnerabilities_Parser": "[variables('InsightVMVulnerabilities_Parser')]", + "connector1-source": "[concat('/subscriptions/',subscription().subscriptionId,'/resourceGroups/',resourceGroup().name,'/providers/Microsoft.OperationalInsights/workspaces/',parameters('workspace'),'/providers/Microsoft.SecurityInsights/dataConnectors/',parameters('connector1-name'))]", + "_connector1-source": "[variables('connector1-source')]", + "InsightVMCloudAPIConnector": "InsightVMCloudAPIConnector", + "_InsightVMCloudAPIConnector": "[variables('InsightVMCloudAPIConnector')]", + "sourceId": "azuresentinel.azure-sentinel-solution-rapid7insightvm", + "_sourceId": "[variables('sourceId')]" + }, + "resources": [ + { + "type": "Microsoft.OperationalInsights/workspaces", + "apiVersion": "2020-08-01", + "name": "[parameters('workspace')]", + "location": "[parameters('workspace-location')]", + "resources": [ + { + "type": "savedSearches", + "apiVersion": "2020-08-01", + "name": "Rapid7InsightVM InsightVMAssets Data Parser", + "dependsOn": [ + "[variables('workspace-dependency')]" + ], + "properties": { + "eTag": "*", + "displayName": "Rapid7InsightVM Data Parser", + "category": "Samples", + "functionAlias": "InsightVMAssets", + "query": "\nlet Insight_VM_assets_view = view () { \r\n NexposeInsightVMCloud_assets_CL\r\n| extend packed = pack(\r\n \"AssessedForPolicies\", assessed_for_policies_b,\r\n \"AssessedForVulnerabilities\", assessed_for_vulnerabilities_b,\r\n \"CredentialAssessments\", credential_assessments_s,\r\n \"CriticalVulnerabilities\", critical_vulnerabilities_d,\r\n \"Exploits\", exploits_d,\r\n \"DvcHostname\", host_name_s,\r\n \"AssetId\", id_s,\r\n \"DvcIpAddr\", ip_s,\r\n \"LastAssessedForVulnerabilities\", last_assessed_for_vulnerabilities_t,\r\n \"LastScanEnd\", last_scan_end_t,\r\n \"LastScanStart\", last_scan_start_t,\r\n \"MalwareKits\", malware_kits_d,\r\n \"ModerateVulnerabilities\", moderate_vulnerabilities_d,\r\n \"DvcOsArch\", os_architecture_s,\r\n \"DvcOsDesc\", os_description_s,\r\n \"DvcOsFamily\", os_family_s,\r\n \"DvcOs\", os_name_s,\r\n \"DvcOsSysName\", os_system_name_s,\r\n \"DvcOsType\", os_type_s,\r\n \"DvcOsVendor\", os_vendor_s,\r\n \"DvcModelNumber\", os_version_s,\r\n \"RiskScore\", risk_score_d,\r\n \"SevereVulnerabilitiesCount\", severe_vulnerabilities_d,\r\n \"TotalVulnerabilitiesCount\", total_vulnerabilities_d,\r\n \"Uid\", unique_identifiers_s,\r\n \"VulnerabilitiesSolutions\", same_s,\r\n \"DvcMacAddr\", mac_s\r\n )\r\n| project TimeGenerated, packed\r\n| evaluate bag_unpack(packed)\r\n| extend \r\n EventVendor=\"Rapid7\",\r\n EventProduct=\"Insight VM\",\r\n EventType=\"Assets\"\r\n};\r\nInsight_VM_assets_view", + "version": 1 + } + }, + { + "type": "savedSearches", + "apiVersion": "2020-08-01", + "name": "Rapid7InsightVM InsightVMVulnerabilities Data Parser", + "dependsOn": [ + "[variables('workspace-dependency')]" + ], + "properties": { + "eTag": "*", + "displayName": "Rapid7InsightVM Data Parser", + "category": "Samples", + "functionAlias": "InsightVMVulnerabilities", + "query": "\nlet Insight_VM_vulnerabilities_view = view () { \r\n NexposeInsightVMCloud_vulnerabilities_CL\r\n| extend packed = pack(\r\n \"AssetId\", asset_id_s,\r\n \"DvcHostname\", host_name_s,\r\n \"DvcIpAddr\", ip_s,\r\n \"VulnDetailsAdded\", vuln_details_added_t,\r\n \"VulnDetailsCategories\", vuln_details_categories_s,\r\n \"VulnDetailsCves\", vuln_details_cves_s,\r\n \"VulnDetailsCvssV2AccessComplexity\", vuln_details_cvss_v2_access_complexity_s,\r\n \"VulnDetailsCvssV2AccessVector\", vuln_details_cvss_v2_access_vector_s,\r\n \"VulnDetailsCvssV2Authentication\", vuln_details_cvss_v2_authentication_s,\r\n \"VulnDetailsCvssV2AvailabilityImpact\", vuln_details_cvss_v2_availability_impact_s,\r\n \"VulnDetailsCvssV2ConfidentialityImpact\", vuln_details_cvss_v2_confidentiality_impact_s,\r\n \"VulnDetailsCvssV2ExploitScore\", vuln_details_cvss_v2_exploit_score_d,\r\n \"VulnDetailsCvssV2ImpactScore\", vuln_details_cvss_v2_impact_score_d,\r\n \"VulnDetailsCvssV2IntegrityImpact\", vuln_details_cvss_v2_integrity_impact_s,\r\n \"VulnDetailsCvssV2Score\", vuln_details_cvss_v2_score_d,\r\n \"VulnDetailsCvssV2Vector\", vuln_details_cvss_v2_vector_s,\r\n \"VulnDetailsCvssV2AttackComplexity\", vuln_details_cvss_v3_attack_complexity_s,\r\n \"VulnDetailsCvssV3AttackVector\", vuln_details_cvss_v3_attack_vector_s,\r\n \"VulnDetailsCvssV3AvailabilityImpact\", vuln_details_cvss_v3_availability_impact_s,\r\n \"VulnDetailsCvssV3ConfidentialityImpact\", vuln_details_cvss_v3_confidentiality_impact_s,\r\n \"VulnDetailsCvssV3ExploitScore\", vuln_details_cvss_v3_exploit_score_d,\r\n \"VulnDetailsCvssV3ImpactScore\", vuln_details_cvss_v3_impact_score_d,\r\n \"VulnDetailsCvssV3IntegrityImpact\", vuln_details_cvss_v3_integrity_impact_s,\r\n \"VulnDetailsCvssV3PrivilegesRequired\", vuln_details_cvss_v3_privileges_required_s,\r\n \"VulnDetailsCvssV3Scope\", vuln_details_cvss_v3_scope_s,\r\n \"VulnDetailsCvssV3Score\", vuln_details_cvss_v3_score_d,\r\n \"VulnDetailsCvssV3UserInteraction\", vuln_details_cvss_v3_user_interaction_s,\r\n \"VulnDetailsCvssV3Vector\", vuln_details_cvss_v3_vector_s,\r\n \"VulnDetailsDenialOfService\", vuln_details_denial_of_service_b,\r\n \"VulnDetailsDescription\", vuln_details_description_s,\r\n \"VulnDetailsExploits\", vuln_details_exploits_s,\r\n \"VulnDetailsId\", vuln_details_id_s,\r\n \"VulnDetailsLinks\", vuln_details_links_s,\r\n \"VulnDetailsMalwareKits\", vuln_details_malware_kits_s,\r\n \"VulnDetailsModified\", vuln_details_modified_t,\r\n \"VulnDetailsPciCvssScore\", vuln_details_pci_cvss_score_d,\r\n \"VulnDetailsPciFail\", vuln_details_pci_fail_b,\r\n \"VulnDetailsPciSeverityScore\", vuln_details_pci_severity_score_d,\r\n \"VulnDetailsPciSpecialNotes\", vuln_details_pci_special_notes_s,\r\n \"VulnDetailsPciStatus\", vuln_details_pci_status_s,\r\n \"VulnDetailsPublished\", vuln_details_published_t,\r\n \"VulnDetailsReferences\", vuln_details_references_s,\r\n \"VulnDetailsRiskScore\", vuln_details_risk_score_d,\r\n \"VulnDetailsSeverity\", vuln_details_severity_s,\r\n \"VulnDetailsSeverityScore\", vuln_details_severity_score_d,\r\n \"VulnDetailsTitle\", vuln_details_title_s\r\n )\r\n| project TimeGenerated, packed\r\n| evaluate bag_unpack(packed)\r\n| extend \r\n EventVendor=\"Rapid7\",\r\n EventProduct=\"Insight VM\",\r\n EventType=\"Vulnerabilities\"\r\n};\r\nInsight_VM_vulnerabilities_view", + "version": 1 + } + } + ] + }, + { + "id": "[variables('_connector1-source')]", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',parameters('connector1-name'))]", + "apiVersion": "2021-03-01-preview", + "type": "Microsoft.OperationalInsights/workspaces/providers/dataConnectors", + "location": "[parameters('workspace-location')]", + "kind": "GenericUI", + "properties": { + "connectorUiConfig": { + "title": "Rapid7 Insight Platform Vulnerability Management Reports", + "publisher": "Rapid7", + "descriptionMarkdown": "The [Rapid7 Insight VM](https://www.rapid7.com/products/insightvm/) Report data connector provides the capability to ingest Scan reports and vulnerability data into Azure Sentinel through the REST API from the Rapid7 Insight platform (Managed in the cloud). Refer to [API documentation](https://docs.rapid7.com/insight/api-overview/) for more information. The connector provides ability to get events which helps to examine potential security risks, analyze your team's use of collaboration, diagnose configuration problems and more.", + "graphQueries": [ + { + "metricName": "Total data received", + "legend": "NexposeInsightVMCloud_assets_CL", + "baseQuery": "NexposeInsightVMCloud_assets_CL" + }, + { + "metricName": "Total data received", + "legend": "NexposeInsightVMCloud_vulnerabilities_CL", + "baseQuery": "NexposeInsightVMCloud_vulnerabilities_CL" + } + ], + "sampleQueries": [ + { + "description": "Insight VM Report Events - Assets information", + "query": "NexposeInsightVMCloud_assets_CL\n | sort by TimeGenerated desc" + }, + { + "description": "Insight VM Report Events - Vulnerabilities information", + "query": "NexposeInsightVMCloud_vulnerabilities_CL\n | sort by TimeGenerated desc" + } + ], + "dataTypes": [ + { + "name": "NexposeInsightVMCloud_assets_CL", + "lastDataReceivedQuery": "NexposeInsightVMCloud_assets_CL\n | summarize Time = max(TimeGenerated)\n | where isnotempty(Time)" + }, + { + "name": "NexposeInsightVMCloud_vulnerabilities_CL", + "lastDataReceivedQuery": "NexposeInsightVMCloud_vulnerabilities_CL\n | summarize Time = max(TimeGenerated)\n | where isnotempty(Time)" + } + ], + "connectivityCriterias": [ + { + "type": "IsConnectedQuery", + "value": [ + "NexposeInsightVMCloud_assets_CL\n | summarize LastLogReceived = max(TimeGenerated)\n | project IsConnected = LastLogReceived > ago(30d)", + "NexposeInsightVMCloud_vulnerabilities_CL\n | summarize LastLogReceived = max(TimeGenerated)\n | project IsConnected = LastLogReceived > ago(30d)" + ] + } + ], + "availability": { + "status": 1, + "isPreview": true + }, + "permissions": { + "resourceProvider": [ + { + "provider": "Microsoft.OperationalInsights/workspaces", + "permissionsDisplayText": "read and write permissions are required.", + "providerDisplayName": "Workspace", + "scope": "Workspace", + "requiredPermissions": { + "write": true, + "read": true, + "delete": true + } + }, + { + "provider": "Microsoft.OperationalInsights/workspaces/sharedKeys", + "permissionsDisplayText": "read permissions to shared keys for the workspace are required. [See the documentation to learn more about workspace keys](https://docs.microsoft.com/azure/azure-monitor/platform/agent-windows#obtain-workspace-id-and-key)", + "providerDisplayName": "Keys", + "scope": "Workspace", + "requiredPermissions": { + "action": true + } + } + ], + "customs": [ + { + "name": "Microsoft.Web/sites permissions", + "description": "Read and write permissions to Azure Functions to create a Function App is required. [See the documentation to learn more about Azure Functions](https://docs.microsoft.com/azure/azure-functions/)." + }, + { + "name": "REST API Credentials/permissions", + "description": "**InsightVMAPIKey** is required for REST API. [See the documentation to learn more about API](https://docs.rapid7.com/insight/api-overview/). Check all [requirements and follow the instructions](https://docs.rapid7.com/insight/managing-platform-api-keys/) for obtaining credentials." + } + ] + }, + "instructionSteps": [ + { + "description": ">**NOTE:** This connector uses Azure Functions to connect to the Insight VM API to pull its logs into Azure Sentinel. This might result in additional data ingestion costs. Check the [Azure Functions pricing page](https://azure.microsoft.com/pricing/details/functions/) for details." + }, + { + "description": ">**(Optional Step)** Securely store workspace and API authorization key(s) or token(s) in Azure Key Vault. Azure Key Vault provides a secure mechanism to store and retrieve key values. [Follow these instructions](https://docs.microsoft.com/azure/app-service/app-service-key-vault-references) to use Azure Key Vault with an Azure Function App." + }, + { + "description": ">**NOTE:** This data connector depends on a parsers based on a Kusto Function to work as expected [**InsightVMAssets**](https://aka.ms/sentinel-InsightVMAssets-parser) and [**InsightVMVulnerabilities**](https://aka.ms/sentinel-InsightVMVulnerabilities-parser) which is deployed with the Azure Sentinel Solution." + }, + { + "description": "**STEP 1 - Configuration steps for the Insight VM Cloud**\n\n [Follow the instructions](https://docs.rapid7.com/insight/managing-platform-api-keys/) to obtain the credentials. \n" + }, + { + "description": "**STEP 2 - Choose ONE from the following two deployment options to deploy the connector and the associated Azure Function**\n\n>**IMPORTANT:** Before deploying the Workspace data connector, have the Workspace ID and Workspace Primary Key (can be copied from the following).", + "instructions": [ + { + "parameters": { + "fillWith": [ + "WorkspaceId" + ], + "label": "Workspace ID" + }, + "type": "CopyableLabel" + }, + { + "parameters": { + "fillWith": [ + "PrimaryKey" + ], + "label": "Primary Key" + }, + "type": "CopyableLabel" + } + ] + }, + { + "description": "Use this method for automated deployment of the Rapid7 Insight Vulnerability Management Report data connector using an ARM Tempate.\n\n1. Click the **Deploy to Azure** button below. \n\n\t[![Deploy To Azure](https://aka.ms/deploytoazurebutton)](https://aka.ms/sentinel-InsightVMCloudAPI-azuredeploy)\n2. Select the preferred **Subscription**, **Resource Group** and **Location**. \n> **NOTE:** Within the same resource group, you can't mix Windows and Linux apps in the same region. Select existing resource group without Windows apps in it or create new resource group.\n3. Enter the **InsightVMAPIKey**, choose **InsightVMCloudRegion** and deploy. \n4. Mark the checkbox labeled **I agree to the terms and conditions stated above**. \n5. Click **Purchase** to deploy.", + "title": "Option 1 - Azure Resource Manager (ARM) Template" + }, + { + "description": "Use the following step-by-step instructions to deploy the Rapid7 Insight Vulnerability Management Report data connector manually with Azure Functions (Deployment via Visual Studio Code).", + "title": "Option 2 - Manual Deployment of Azure Functions" + }, + { + "description": "**1. Deploy a Function App**\n\n> **NOTE:** You will need to [prepare VS code](https://aka.ms/sentinel-InsightVMCloudAPI-functionapp) file. Extract archive to your local development computer.\n2. Start VS Code. Choose File in the main menu and select Open Folder.\n3. Select the top level folder from extracted files.\n4. Choose the Azure icon in the Activity bar, then in the **Azure: Functions** area, choose the **Deploy to function app** button.\nIf you aren't already signed in, choose the Azure icon in the Activity bar, then in the **Azure: Functions** area, choose **Sign in to Azure**\nIf you're already signed in, go to the next step.\n5. Provide the following information at the prompts:\n\n\ta. **Select folder:** Choose a folder from your workspace or browse to one that contains your function app.\n\n\tb. **Select Subscription:** Choose the subscription to use.\n\n\tc. Select **Create new Function App in Azure** (Don't choose the Advanced option)\n\n\td. **Enter a globally unique name for the function app:** Type a name that is valid in a URL path. The name you type is validated to make sure that it's unique in Azure Functions. (e.g. InsightVMXXXXX).\n\n\te. **Select a runtime:** Choose Python 3.8.\n\n\tf. Select a location for new resources. For better performance and lower costs choose the same [region](https://azure.microsoft.com/regions/) where Azure Sentinel is located.\n\n6. Deployment will begin. A notification is displayed after your function app is created and the deployment package is applied.\n7. Go to Azure Portal for the Function App configuration." + }, + { + "description": "**2. Configure the Function App**\n\n1. In the Function App, select the Function App Name and select **Configuration**.\n2. In the **Application settings** tab, select ** New application setting**.\n3. Add each of the following application settings individually, with their respective string values (case-sensitive): \n\t\tInsightVMAPIKey\n\t\tInsightVMCloudRegion\n\t\tWorkspaceID\n\t\tWorkspaceKey\n\t\tlogAnalyticsUri (optional)\n> - Use logAnalyticsUri to override the log analytics API endpoint for dedicated cloud. For example, for public cloud, leave the value empty; for Azure GovUS cloud environment, specify the value in the following format: `https://.ods.opinsights.azure.us`.\n3. Once all application settings have been entered, click **Save**." + } + ], + "additionalRequirementBanner": "This data connector depends on a parsers based on a Kusto Function to work as expected [**InsightVMAssets**](https://aka.ms/sentinel-InsightVMAssets-parser) and [**InsightVMVulnerabilities**](https://aka.ms/sentinel-InsightVMVulnerabilities-parser) which is deployed with the Azure Sentinel Solution." + } + } + }, + { + "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", + "apiVersion": "2021-03-01-preview", + "properties": { + "version": "1.0.1", + "kind": "Solution", + "contentId": "[variables('_sourceId')]", + "parentId": "[variables('_sourceId')]", + "source": { + "kind": "Solution", + "name": "Rapid7InsightVM", + "sourceId": "[variables('_sourceId')]" + }, + "author": { + "name": "Mallikarjun Udanashiv", + "email": "v-maudan@microsoft.com" + }, + "support": { + "name": "Microsoft Corporation", + "email": "support@microsoft.com", + "tier": "Microsoft", + "link": "https://support.microsoft.com" + }, + "dependencies": { + "operator": "AND", + "criteria": [ + { + "kind": "Parser", + "contentId": "[variables('_InsightVMAssets_Parser')]", + "version": "1.0.1" + }, + { + "kind": "Parser", + "contentId": "[variables('_InsightVMVulnerabilities_Parser')]", + "version": "1.0.1" + }, + { + "kind": "DataConnector", + "contentId": "[variables('_InsightVMCloudAPIConnector')]", + "version": "1.0.1" + } + ] + }, + "firstPublishDate": "2021-07-07", + "lastPublishDate": "2021-07-20", + "providers": [ + "Insight VM / Rapid7" + ], + "categories": { + "domains": [ + "Security - Vulnerability Management" + ] + } + }, + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/', variables('_sourceId'))]" + } + ], + "outputs": {} +} diff --git a/Solutions/Joshua-Cyberiskvision/Playbooks/Joshua-Indicators-Processor-DOMAIN/azuredeploy.json b/Solutions/Joshua-Cyberiskvision/Playbooks/Joshua-Indicators-Processor-DOMAIN/azuredeploy.json old mode 100644 new mode 100755 index a38eefea78..a823f77f7d --- a/Solutions/Joshua-Cyberiskvision/Playbooks/Joshua-Indicators-Processor-DOMAIN/azuredeploy.json +++ b/Solutions/Joshua-Cyberiskvision/Playbooks/Joshua-Indicators-Processor-DOMAIN/azuredeploy.json @@ -2,28 +2,30 @@ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "1.0.0.0", "parameters": { - "logicAppName": { + "PlaybookName": { "type": "string", "defaultValue": "Joshua-Indicators-Processor-DOMAIN", "metadata": { "description": "Name of the Logic App." } }, - "Playbook2Name": { + "Import2SentinelPlaybookName": { "defaultValue": "Joshua-Import-To-Sentinel", - "type": "string" + "type": "string", + "metadata": { + "description": "Name of Joshua-Import-To-Sentinel Playbook" + } }, "LogicAppsCategory_Tag": { "type": "string", "defaultValue": "security" }, - "HTTP_-_Joshua_API_2-URI": { + "Joshua_API_URI": { "type": "string", - "defaultValue": "https://api.cyberiskvision.com/external/azure-sentinel/ioc-feed" - }, - "HTTP_-_Joshua_API-URI": { - "type": "string", - "defaultValue": "https://api.cyberiskvision.com/external/azure-sentinel/ioc-feed" + "defaultValue": "https://api.cyberiskvision.com/external/azure-sentinel/ioc-feed", + "metadata": { + "description": "Joshua API Uniform Resource Identifiers URI" + } }, "RecurrenceFrequency": { "type": "string", @@ -35,7 +37,7 @@ }, "RecurrenceStartTime": { "type": "string", - "defaultValue": "2021-10-22T06:00:00.000Z" + "defaultValue": "2021-12-16T06:00:00.000Z" } }, "variables": {}, @@ -45,8 +47,8 @@ "LogicAppsCategory": "[parameters('LogicAppsCategory_Tag')]" }, "type": "Microsoft.Logic/workflows", - "apiVersion": "2016-06-01", - "name": "[parameters('logicAppName')]", + "apiVersion": "2019-05-01", + "name": "[parameters('PlaybookName')]", "location": "[resourceGroup().location]", "dependsOn": [], "properties": { @@ -86,7 +88,7 @@ "host": { "triggerName": "Batch_messages", "workflow": { - "id": "[concat('/subscriptions/', subscription().subscriptionId, '/resourceGroups/', resourceGroup().name, '/providers/Microsoft.Logic/workflows/', parameters('Playbook2Name'))]" + "id": "[concat('/subscriptions/', subscription().subscriptionId, '/resourceGroups/', resourceGroup().name, '/providers/Microsoft.Logic/workflows/', parameters('Import2SentinelPlaybookName'))]" } } } @@ -110,7 +112,7 @@ "size": "7000", "type": "domain" }, - "uri": "[parameters('HTTP_-_Joshua_API_2-URI')]" + "uri": "[parameters('Joshua_API_URI')]" } }, "Parse_JSON_array_of_Joshua_indicators_2": { @@ -255,7 +257,7 @@ "host": { "triggerName": "Batch_messages", "workflow": { - "id": "[concat('/subscriptions/', subscription().subscriptionId, '/resourceGroups/', resourceGroup().name, '/providers/Microsoft.Logic/workflows/', parameters('Playbook2Name'))]" + "id": "[concat('/subscriptions/', subscription().subscriptionId, '/resourceGroups/', resourceGroup().name, '/providers/Microsoft.Logic/workflows/', parameters('Import2SentinelPlaybookName'))]" } } } @@ -283,7 +285,7 @@ "size": "7000", "type": "domain" }, - "uri": "[parameters('HTTP_-_Joshua_API-URI')]" + "uri": "[parameters('Joshua_API_URI')]" } }, "Initialize_variable_Paging": { diff --git a/Solutions/Joshua-Cyberiskvision/Playbooks/Joshua-Indicators-Processor-EMAIL/azuredeploy.json b/Solutions/Joshua-Cyberiskvision/Playbooks/Joshua-Indicators-Processor-EMAIL/azuredeploy.json old mode 100644 new mode 100755 index bca63b7092..a5887f7a44 --- a/Solutions/Joshua-Cyberiskvision/Playbooks/Joshua-Indicators-Processor-EMAIL/azuredeploy.json +++ b/Solutions/Joshua-Cyberiskvision/Playbooks/Joshua-Indicators-Processor-EMAIL/azuredeploy.json @@ -2,28 +2,30 @@ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "1.0.0.0", "parameters": { - "logicAppName": { + "PlaybookName": { "type": "string", "defaultValue": "Joshua-Indicators-Processor-EMAIL", "metadata": { "description": "Name of the Logic App." } }, - "Playbook2Name": { + "Import2SentinelPlaybookName": { "defaultValue": "Joshua-Import-To-Sentinel", - "type": "string" + "type": "string", + "metadata": { + "description": "Name of Joshua-Import-To-Sentinel Playbook" + } }, "LogicAppsCategory_Tag": { "type": "string", "defaultValue": "security" }, - "HTTP_-_Joshua_API_2-URI": { + "Joshua_API_URI": { "type": "string", - "defaultValue": "https://api.cyberiskvision.com/external/azure-sentinel/ioc-feed" - }, - "HTTP_-_Joshua_API-URI": { - "type": "string", - "defaultValue": "https://api.cyberiskvision.com/external/azure-sentinel/ioc-feed" + "defaultValue": "https://api.cyberiskvision.com/external/azure-sentinel/ioc-feed", + "metadata": { + "description": "Joshua API Uniform Resource Identifiers URI" + } }, "RecurrenceFrequency": { "type": "string", @@ -35,7 +37,7 @@ }, "RecurrenceStartTime": { "type": "string", - "defaultValue": "2021-10-22T06:00:00.000Z" + "defaultValue": "2021-12-16T06:00:00.000Z" } }, "variables": {}, @@ -45,8 +47,8 @@ "LogicAppsCategory": "[parameters('LogicAppsCategory_Tag')]" }, "type": "Microsoft.Logic/workflows", - "apiVersion": "2016-06-01", - "name": "[parameters('logicAppName')]", + "apiVersion": "2019-05-01", + "name": "[parameters('PlaybookName')]", "location": "[resourceGroup().location]", "dependsOn": [], "properties": { @@ -86,7 +88,7 @@ "host": { "triggerName": "Batch_messages", "workflow": { - "id": "[concat('/subscriptions/', subscription().subscriptionId, '/resourceGroups/', resourceGroup().name, '/providers/Microsoft.Logic/workflows/', parameters('Playbook2Name'))]" + "id": "[concat('/subscriptions/', subscription().subscriptionId, '/resourceGroups/', resourceGroup().name, '/providers/Microsoft.Logic/workflows/', parameters('Import2SentinelPlaybookName'))]" } } } @@ -110,7 +112,7 @@ "size": "7000", "type": "email" }, - "uri": "[parameters('HTTP_-_Joshua_API_2-URI')]" + "uri": "[parameters('Joshua_API_URI')]" } }, "Parse_JSON_array_of_Joshua_indicators_2": { @@ -255,7 +257,7 @@ "host": { "triggerName": "Batch_messages", "workflow": { - "id": "[concat('/subscriptions/', subscription().subscriptionId, '/resourceGroups/', resourceGroup().name, '/providers/Microsoft.Logic/workflows/', parameters('Playbook2Name'))]" + "id": "[concat('/subscriptions/', subscription().subscriptionId, '/resourceGroups/', resourceGroup().name, '/providers/Microsoft.Logic/workflows/', parameters('Import2SentinelPlaybookName'))]" } } } @@ -283,7 +285,7 @@ "size": "7000", "type": "email" }, - "uri": "[parameters('HTTP_-_Joshua_API-URI')]" + "uri": "[parameters('Joshua_API_URI')]" } }, "Initialize_variable_Paging": { diff --git a/Solutions/Joshua-Cyberiskvision/Playbooks/Joshua-Indicators-Processor-FILE/azuredeploy.json b/Solutions/Joshua-Cyberiskvision/Playbooks/Joshua-Indicators-Processor-FILE/azuredeploy.json old mode 100644 new mode 100755 index d760dd7971..2662495151 --- a/Solutions/Joshua-Cyberiskvision/Playbooks/Joshua-Indicators-Processor-FILE/azuredeploy.json +++ b/Solutions/Joshua-Cyberiskvision/Playbooks/Joshua-Indicators-Processor-FILE/azuredeploy.json @@ -2,28 +2,30 @@ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "1.0.0.0", "parameters": { - "logicAppName": { + "PlaybookName": { "type": "string", "defaultValue": "Joshua-Indicators-Processor-FILE", "metadata": { "description": "Name of the Logic App." } }, - "Playbook2Name": { + "Import2SentinelPlaybookName": { "defaultValue": "Joshua-Import-To-Sentinel", - "type": "string" + "type": "string", + "metadata": { + "description": "Name of Joshua-Import-To-Sentinel Playbook" + } }, "LogicAppsCategory_Tag": { "type": "string", "defaultValue": "security" }, - "HTTP_-_Joshua_API_2-URI": { + "Joshua_API_URI": { "type": "string", - "defaultValue": "https://api.cyberiskvision.com/external/azure-sentinel/ioc-feed" - }, - "HTTP_-_Joshua_API-URI": { - "type": "string", - "defaultValue": "https://api.cyberiskvision.com/external/azure-sentinel/ioc-feed" + "defaultValue": "https://api.cyberiskvision.com/external/azure-sentinel/ioc-feed", + "metadata": { + "description": "Joshua API Uniform Resource Identifiers URI" + } }, "RecurrenceFrequency": { "type": "string", @@ -35,7 +37,7 @@ }, "RecurrenceStartTime": { "type": "string", - "defaultValue": "2021-10-22T06:00:00.000Z" + "defaultValue": "2021-12-16T06:00:00.000Z" } }, "variables": {}, @@ -45,8 +47,8 @@ "LogicAppsCategory": "[parameters('LogicAppsCategory_Tag')]" }, "type": "Microsoft.Logic/workflows", - "apiVersion": "2016-06-01", - "name": "[parameters('logicAppName')]", + "apiVersion": "2019-05-01", + "name": "[parameters('PlaybookName')]", "location": "[resourceGroup().location]", "dependsOn": [], "properties": { @@ -86,7 +88,7 @@ "host": { "triggerName": "Batch_messages", "workflow": { - "id": "[concat('/subscriptions/', subscription().subscriptionId, '/resourceGroups/', resourceGroup().name, '/providers/Microsoft.Logic/workflows/', parameters('Playbook2Name'))]" + "id": "[concat('/subscriptions/', subscription().subscriptionId, '/resourceGroups/', resourceGroup().name, '/providers/Microsoft.Logic/workflows/', parameters('Import2SentinelPlaybookName'))]" } } } @@ -110,7 +112,7 @@ "size": "7000", "type": "hash" }, - "uri": "[parameters('HTTP_-_Joshua_API_2-URI')]" + "uri": "[parameters('Joshua_API_URI')]" } }, "Parse_JSON_array_of_Joshua_indicators_2": { @@ -256,7 +258,7 @@ "host": { "triggerName": "Batch_messages", "workflow": { - "id": "[concat('/subscriptions/', subscription().subscriptionId, '/resourceGroups/', resourceGroup().name, '/providers/Microsoft.Logic/workflows/', parameters('Playbook2Name'))]" + "id": "[concat('/subscriptions/', subscription().subscriptionId, '/resourceGroups/', resourceGroup().name, '/providers/Microsoft.Logic/workflows/', parameters('Import2SentinelPlaybookName'))]" } } } @@ -284,7 +286,7 @@ "size": "7000", "type": "hash" }, - "uri": "[parameters('HTTP_-_Joshua_API-URI')]" + "uri": "[parameters('Joshua_API_URI')]" } }, "Initialize_variable_Paging": { diff --git a/Solutions/Joshua-Cyberiskvision/Playbooks/Joshua-Indicators-Processor-IP/azuredeploy.json b/Solutions/Joshua-Cyberiskvision/Playbooks/Joshua-Indicators-Processor-IP/azuredeploy.json old mode 100644 new mode 100755 index ff3e217c36..8e26c74573 --- a/Solutions/Joshua-Cyberiskvision/Playbooks/Joshua-Indicators-Processor-IP/azuredeploy.json +++ b/Solutions/Joshua-Cyberiskvision/Playbooks/Joshua-Indicators-Processor-IP/azuredeploy.json @@ -2,28 +2,30 @@ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "1.0.0.0", "parameters": { - "logicAppName": { + "PlaybookName": { "type": "string", "defaultValue": "Joshua-Indicators-Processor-IP", "metadata": { "description": "Name of the Logic App." } }, - "Playbook2Name": { + "Import2SentinelPlaybookName": { "defaultValue": "Joshua-Import-To-Sentinel", - "type": "string" + "type": "string", + "metadata": { + "description": "Name of Joshua-Import-To-Sentinel Playbook" + } }, "LogicAppsCategory_Tag": { "type": "string", "defaultValue": "security" }, - "HTTP_-_Joshua_API_2-URI": { + "Joshua_API_URI": { "type": "string", - "defaultValue": "https://api.cyberiskvision.com/external/azure-sentinel/ioc-feed" - }, - "HTTP_-_Joshua_API-URI": { - "type": "string", - "defaultValue": "https://api.cyberiskvision.com/external/azure-sentinel/ioc-feed" + "defaultValue": "https://api.cyberiskvision.com/external/azure-sentinel/ioc-feed", + "metadata": { + "description": "Joshua API Uniform Resource Identifiers URI" + } }, "RecurrenceFrequency": { "type": "string", @@ -35,7 +37,7 @@ }, "RecurrenceStartTime": { "type": "string", - "defaultValue": "2021-10-22T06:00:00.000Z" + "defaultValue": "2021-12-16T06:00:00.000Z" } }, "variables": {}, @@ -45,8 +47,8 @@ "LogicAppsCategory": "[parameters('LogicAppsCategory_Tag')]" }, "type": "Microsoft.Logic/workflows", - "apiVersion": "2016-06-01", - "name": "[parameters('logicAppName')]", + "apiVersion": "2019-05-01", + "name": "[parameters('PlaybookName')]", "location": "[resourceGroup().location]", "dependsOn": [], "properties": { @@ -86,7 +88,7 @@ "host": { "triggerName": "Batch_messages", "workflow": { - "id": "[concat('/subscriptions/', subscription().subscriptionId, '/resourceGroups/', resourceGroup().name, '/providers/Microsoft.Logic/workflows/', parameters('Playbook2Name'))]" + "id": "[concat('/subscriptions/', subscription().subscriptionId, '/resourceGroups/', resourceGroup().name, '/providers/Microsoft.Logic/workflows/', parameters('Import2SentinelPlaybookName'))]" } } } @@ -110,7 +112,7 @@ "size": "7000", "type": "ipv4" }, - "uri": "[parameters('HTTP_-_Joshua_API_2-URI')]" + "uri": "[parameters('Joshua_API_URI')]" } }, "Parse_JSON_array_of_Joshua_indicators_2": { @@ -255,7 +257,7 @@ "host": { "triggerName": "Batch_messages", "workflow": { - "id": "[concat('/subscriptions/', subscription().subscriptionId, '/resourceGroups/', resourceGroup().name, '/providers/Microsoft.Logic/workflows/', parameters('Playbook2Name'))]" + "id": "[concat('/subscriptions/', subscription().subscriptionId, '/resourceGroups/', resourceGroup().name, '/providers/Microsoft.Logic/workflows/', parameters('Import2SentinelPlaybookName'))]" } } } @@ -283,7 +285,7 @@ "size": "7000", "type": "ipv4" }, - "uri": "[parameters('HTTP_-_Joshua_API-URI')]" + "uri": "[parameters('Joshua_API_URI')]" } }, "Initialize_variable_Paging": { diff --git a/Solutions/Joshua-Cyberiskvision/Playbooks/Joshua-Indicators-Processor-URL/azuredeploy.json b/Solutions/Joshua-Cyberiskvision/Playbooks/Joshua-Indicators-Processor-URL/azuredeploy.json old mode 100644 new mode 100755 index 03fea21367..e627b55ec8 --- a/Solutions/Joshua-Cyberiskvision/Playbooks/Joshua-Indicators-Processor-URL/azuredeploy.json +++ b/Solutions/Joshua-Cyberiskvision/Playbooks/Joshua-Indicators-Processor-URL/azuredeploy.json @@ -2,28 +2,30 @@ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "1.0.0.0", "parameters": { - "logicAppName": { + "PlaybookName": { "type": "string", "defaultValue": "Joshua-Indicators-Processor-URL", "metadata": { "description": "Name of the Logic App." } }, - "Playbook2Name": { + "Import2SentinelPlaybookName": { "defaultValue": "Joshua-Import-To-Sentinel", - "type": "string" + "type": "string", + "metadata": { + "description": "Name of Joshua-Import-To-Sentinel Playbook" + } }, "LogicAppsCategory_Tag": { "type": "string", "defaultValue": "security" }, - "HTTP_-_Joshua_API_2-URI": { + "Joshua_API_URI": { "type": "string", - "defaultValue": "https://api.cyberiskvision.com/external/azure-sentinel/ioc-feed" - }, - "HTTP_-_Joshua_API-URI": { - "type": "string", - "defaultValue": "https://api.cyberiskvision.com/external/azure-sentinel/ioc-feed" + "defaultValue": "https://api.cyberiskvision.com/external/azure-sentinel/ioc-feed", + "metadata": { + "description": "Joshua API Uniform Resource Identifiers URI" + } }, "RecurrenceFrequency": { "type": "string", @@ -35,7 +37,7 @@ }, "RecurrenceStartTime": { "type": "string", - "defaultValue": "2021-10-22T06:00:00.000Z" + "defaultValue": "2021-12-16T06:00:00.000Z" } }, "variables": {}, @@ -45,8 +47,8 @@ "LogicAppsCategory": "[parameters('LogicAppsCategory_Tag')]" }, "type": "Microsoft.Logic/workflows", - "apiVersion": "2016-06-01", - "name": "[parameters('logicAppName')]", + "apiVersion": "2019-05-01", + "name": "[parameters('PlaybookName')]", "location": "[resourceGroup().location]", "dependsOn": [], "properties": { @@ -86,7 +88,7 @@ "host": { "triggerName": "Batch_messages", "workflow": { - "id": "[concat('/subscriptions/', subscription().subscriptionId, '/resourceGroups/', resourceGroup().name, '/providers/Microsoft.Logic/workflows/', parameters('Playbook2Name'))]" + "id": "[concat('/subscriptions/', subscription().subscriptionId, '/resourceGroups/', resourceGroup().name, '/providers/Microsoft.Logic/workflows/', parameters('Import2SentinelPlaybookName'))]" } } } @@ -110,7 +112,7 @@ "size": "7000", "type": "url" }, - "uri": "[parameters('HTTP_-_Joshua_API_2-URI')]" + "uri": "[parameters('Joshua_API_URI')]" } }, "Parse_JSON_array_of_Joshua_indicators_2": { @@ -255,7 +257,7 @@ "host": { "triggerName": "Batch_messages", "workflow": { - "id": "[concat('/subscriptions/', subscription().subscriptionId, '/resourceGroups/', resourceGroup().name, '/providers/Microsoft.Logic/workflows/', parameters('Playbook2Name'))]" + "id": "[concat('/subscriptions/', subscription().subscriptionId, '/resourceGroups/', resourceGroup().name, '/providers/Microsoft.Logic/workflows/', parameters('Import2SentinelPlaybookName'))]" } } } @@ -283,7 +285,7 @@ "size": "7000", "type": "url" }, - "uri": "[parameters('HTTP_-_Joshua_API-URI')]" + "uri": "[parameters('Joshua_API_URI')]" } }, "Initialize_variable_Paging": { diff --git a/Solutions/LastPass/Package/1.0.0.zip b/Solutions/LastPass/Package/1.0.0.zip new file mode 100644 index 0000000000..1f93442cfa Binary files /dev/null and b/Solutions/LastPass/Package/1.0.0.zip differ diff --git a/Solutions/LastPass/Package/createUiDefinition.json b/Solutions/LastPass/Package/createUiDefinition.json new file mode 100644 index 0000000000..b3a3f2d9e0 --- /dev/null +++ b/Solutions/LastPass/Package/createUiDefinition.json @@ -0,0 +1,293 @@ +{ + "$schema": "https://schema.management.azure.com/schemas/0.1.2-preview/CreateUIDefinition.MultiVm.json#", + "handler": "Microsoft.Azure.CreateUIDef", + "version": "0.1.2-preview", + "parameters": { + "config": { + "isWizard": false, + "basics": { + "description": "\n\n**Important:** _This Microsoft Sentinel Solution is currently in public preview. This feature is provided without a service level agreement, and it's not recommended for production workloads. Certain features might not be supported or might have constrained capabilities. For more information, see [Supplemental Terms of Use for Microsoft Azure Previews](https://azure.microsoft.com/support/legal/preview-supplemental-terms/)._\n\n**Note:** _There may be [known issues](https://aka.ms/sentinelsolutionsknownissues) pertaining to this Solution, please refer to them before installing._\n\nThis repository contains all resources for the LastPass Azure Sentinel Solution. The LastPass Solution is built in order to easily integrate LastPass with Azure Sentinel.\n\nBy deploying this solution, you'll be able to monitor activity within LastPass and be alerted when potential security events arise. \n\nMicrosoft Sentinel Solutions provide a consolidated way to acquire Microsoft Sentinel content like data connectors, workbooks, analytics, and automations in your workspace with a single deployment step.\n\n**Data Connectors:** 1, **Workbooks:** 1, **Analytic Rules:** 5, **Hunting Queries:** 3\n\n[Learn more about Microsoft Sentinel](https://aka.ms/azuresentinel) | [Learn more about Solutions](https://aka.ms/azuresentinelsolutionsdoc)", + "subscription": { + "resourceProviders": [ + "Microsoft.OperationsManagement/solutions", + "Microsoft.OperationalInsights/workspaces/providers/alertRules", + "Microsoft.Insights/workbooks", + "Microsoft.Logic/workflows" + ] + }, + "location": { + "metadata": { + "hidden": "Hiding location, we get it from the log analytics workspace" + }, + "visible": false + }, + "resourceGroup": { + "allowExisting": true + } + } + }, + "basics": [ + { + "name": "getLAWorkspace", + "type": "Microsoft.Solutions.ArmApiControl", + "toolTip": "This filters by workspaces that exist in the Resource Group selected", + "condition": "[greater(length(resourceGroup().name),0)]", + "request": { + "method": "GET", + "path": "[concat(subscription().id,'/providers/Microsoft.OperationalInsights/workspaces?api-version=2020-08-01')]" + } + }, + { + "name": "workspace", + "type": "Microsoft.Common.DropDown", + "label": "Workspace", + "placeholder": "Select a workspace", + "toolTip": "This dropdown will list only workspace that exists in the Resource Group selected", + "constraints": { + "allowedValues": "[map(filter(basics('getLAWorkspace').value, (filter) => contains(filter.id, toLower(resourceGroup().name))), (item) => parse(concat('{\"label\":\"', item.name, '\",\"value\":\"', item.name, '\"}')))]", + "required": true + }, + "visible": true + } + ], + "steps": [ + { + "name": "dataconnectors", + "label": "Data Connectors", + "bladeTitle": "Data Connectors", + "elements": [ + { + "name": "dataconnectors1-text", + "type": "Microsoft.Common.TextBlock", + "options": { + "text": "This Solution installs the data connector for LastPass. You can get LastPass custom log data in your Azure Sentinel workspace. Configure and enable this data connector in the Data Connector gallery after this Solution deploys. This data connector creates custom log table(s) in your Azure Sentinel / Azure Log Analytics workspace." + } + }, + { + "name": "dataconnectors-link1", + "type": "Microsoft.Common.TextBlock", + "options": { + "link": { + "label": "Learn more about normalized format", + "uri": "https://docs.microsoft.com/azure/sentinel/normalization-schema" + } + } + }, + { + "name": "dataconnectors-link2", + "type": "Microsoft.Common.TextBlock", + "options": { + "link": { + "label": "Learn more about connecting data sources", + "uri": "https://docs.microsoft.com/azure/sentinel/connect-data-sources" + } + } + } + ] + }, + { + "name": "workbooks", + "label": "Workbooks", + "subLabel": { + "preValidation": "Configure the workbooks", + "postValidation": "Done" + }, + "bladeTitle": "Workbooks", + "elements": [ + { + "name": "workbooks-text", + "type": "Microsoft.Common.TextBlock", + "options": { + "text": "This Azure Sentinel Solution installs workbooks. Workbooks provide a flexible canvas for data monitoring, analysis, and the creation of rich visual reports within the Azure portal. They allow you to tap into one or many data sources from Azure Sentinel and combine them into unified interactive experiences.", + "link": { + "label": "Learn more", + "uri": "https://docs.microsoft.com/azure/sentinel/tutorial-monitor-your-data" + } + } + }, + { + "name": "workbook1", + "type": "Microsoft.Common.Section", + "label": "LastPass", + "elements": [ + { + "name": "workbook1-text", + "type": "Microsoft.Common.TextBlock" + }, + { + "name": "workbook1-name", + "type": "Microsoft.Common.TextBox", + "label": "Display Name", + "defaultValue": "LastPass", + "toolTip": "Display name for the workbook.", + "constraints": { + "required": true, + "regex": "[a-z0-9A-Z]{1,256}$", + "validationMessage": "Please enter a workbook name" + } + } + ] + } + ] + }, + { + "name": "analytics", + "label": "Analytics", + "subLabel": { + "preValidation": "Configure the analytics", + "postValidation": "Done" + }, + "bladeTitle": "Analytics", + "elements": [ + { + "name": "analytics-text", + "type": "Microsoft.Common.TextBlock", + "options": { + "text": "This Azure Sentinel Solution installs analytic rules for LastPass that you can enable for custom alert generation in Azure Sentinel. These analytic rules will be deployed in disabled mode in the analytics rules gallery of your Azure Sentinel workspace. Configure and enable these rules in the analytic rules gallery after this Solution deploys.", + "link": { + "label": "Learn more", + "uri": "https://docs.microsoft.com/azure/sentinel/tutorial-detect-threats-custom?WT.mc_id=Portal-Microsoft_Azure_CreateUIDef" + } + } + }, + { + "name": "analytic1", + "type": "Microsoft.Common.Section", + "label": "Employee account deleted", + "elements": [ + { + "name": "analytic1-text", + "type": "Microsoft.Common.TextBlock", + "options": { + "text": "This rule will monitor for any employee accounts being deleted.\nDeleting an employee account can have a big potential impact as all of the data for that user will be removed." + } + } + ] + }, + { + "name": "analytic2", + "type": "Microsoft.Common.Section", + "label": "Failed sign-ins into LastPass due to MFA", + "elements": [ + { + "name": "analytic2-text", + "type": "Microsoft.Common.TextBlock", + "options": { + "text": "This rule will check if a sign-in failed into LastPass due to MFA.\nAn incident can indicate the potential brute forcing of a LastPass account. \nThe use of MFA is identified by combining the sign-in logs, this rule assumes LastPass is federated to AAD." + } + } + ] + }, + { + "name": "analytic3", + "type": "Microsoft.Common.Section", + "label": "Highly Sensitive Password Accessed", + "elements": [ + { + "name": "analytic3-text", + "type": "Microsoft.Common.TextBlock", + "options": { + "text": "This rule will monitor access to highly sensitive passwords.\nWithin the Watchlist called 'LastPass' define passwords which are deemed highly sensitive (such as password to a high privileged application).\nWhen an activity is observed against such password, an incident is created." + } + } + ] + }, + { + "name": "analytic4", + "type": "Microsoft.Common.Section", + "label": "TI map IP entity to LastPass data", + "elements": [ + { + "name": "analytic4-text", + "type": "Microsoft.Common.TextBlock", + "options": { + "text": "Identifies a match in LastPass table from any IP IOC from TI" + } + } + ] + }, + { + "name": "analytic5", + "type": "Microsoft.Common.Section", + "label": "Unusual Volume of Password Updated or Removed", + "elements": [ + { + "name": "analytic5-text", + "type": "Microsoft.Common.TextBlock", + "options": { + "text": "This rule will check if there is an unnormal activity of sites that are deleted or changed per user.\n The normal amount of actions is calculated based on the previous 14 days of activity. If there is a significant increase, an incident will be created." + } + } + ] + } + ] + }, + { + "name": "huntingqueries", + "label": "Hunting Queries", + "bladeTitle": "Hunting Queries", + "elements": [ + { + "name": "huntingqueries-text", + "type": "Microsoft.Common.TextBlock", + "options": { + "text": "This Azure Sentinel Solution installs hunting queries for LastPass that you can run in Azure Sentinel. These hunting queries will be deployed in the Hunting gallery of your Azure Sentinel workspace. Run these hunting queries to hunt for threats in the Hunting gallery after this Solution deploys.", + "link": { + "label": "Learn more", + "uri": "https://docs.microsoft.com/azure/sentinel/hunting" + } + } + }, + { + "name": "huntingquery1", + "type": "Microsoft.Common.Section", + "label": "Failed sign-ins into LastPass due to MFA.", + "elements": [ + { + "name": "huntingquery1-text", + "type": "Microsoft.Common.TextBlock", + "options": { + "text": "This will check for sign-ins into LastPass which are not confirmed using MFA based on the Sign-in Logs It depends on the LastPass AzureActiveDirectory data connector and LastPass_BYOC_CL SigninLogs data type and LastPass AzureActiveDirectory parser." + } + } + ] + }, + { + "name": "huntingquery2", + "type": "Microsoft.Common.Section", + "label": "Login into LastPass from a previously unknown IP.", + "elements": [ + { + "name": "huntingquery2-text", + "type": "Microsoft.Common.TextBlock", + "options": { + "text": "This query will check how many activity there is in LastPass from IPs that are not seen before in the Sign-in Logs It depends on the LastPass AzureActiveDirectory data connector and LastPass_BYOC_CL SigninLogs data type and LastPass AzureActiveDirectory parser." + } + } + ] + }, + { + "name": "huntingquery3", + "type": "Microsoft.Common.Section", + "label": "Password moved to shared folders", + "elements": [ + { + "name": "huntingquery3-text", + "type": "Microsoft.Common.TextBlock", + "options": { + "text": "This query will check for data that is shared in the LastPass environment. It depends on the LastPass data connector and LastPass_BYOC_CL data type and LastPass parser." + } + } + ] + } + ] + } + ], + "outputs": { + "workspace-location": "[first(map(filter(basics('getLAWorkspace').value, (filter) => and(contains(filter.id, toLower(resourceGroup().name)),equals(filter.name,basics('workspace')))), (item) => item.location))]", + "location": "[location()]", + "workspace": "[basics('workspace')]", + "workbook1-name": "[steps('workbooks').workbook1.workbook1-name]" + } + } +} diff --git a/Solutions/LastPass/Package/mainTemplate.json b/Solutions/LastPass/Package/mainTemplate.json new file mode 100644 index 0000000000..8d0c67c0d5 --- /dev/null +++ b/Solutions/LastPass/Package/mainTemplate.json @@ -0,0 +1,679 @@ +{ + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "metadata": { + "author": "Nikhil Tripathi - v-ntripathi@microsoft.com", + "comments": "Solution template for LastPass" + }, + "parameters": { + "location": { + "type": "string", + "minLength": 1, + "defaultValue": "[resourceGroup().location]", + "metadata": { + "description": "Not used, but needed to pass arm-ttk test `Location-Should-Not-Be-Hardcoded`. We instead use the `workspace-location` which is derived from the LA workspace" + } + }, + "workspace-location": { + "type": "string", + "defaultValue": "", + "metadata": { + "description": "[concat('Region to deploy solution resources -- separate from location selection',parameters('location'))]" + } + }, + "workspace": { + "defaultValue": "", + "type": "string", + "metadata": { + "description": "Workspace name for Log Analytics where Sentinel is setup" + } + }, + "connector1-name": { + "type": "string", + "defaultValue": "f7225dcd-634d-4baf-9d33-061715c4e3b5" + }, + "analytic1-id": { + "type": "string", + "defaultValue": "[newGuid()]", + "minLength": 1, + "metadata": { + "description": "Unique id for the scheduled alert rule" + } + }, + "analytic2-id": { + "type": "string", + "defaultValue": "[newGuid()]", + "minLength": 1, + "metadata": { + "description": "Unique id for the scheduled alert rule" + } + }, + "analytic3-id": { + "type": "string", + "defaultValue": "[newGuid()]", + "minLength": 1, + "metadata": { + "description": "Unique id for the scheduled alert rule" + } + }, + "analytic4-id": { + "type": "string", + "defaultValue": "[newGuid()]", + "minLength": 1, + "metadata": { + "description": "Unique id for the scheduled alert rule" + } + }, + "analytic5-id": { + "type": "string", + "defaultValue": "[newGuid()]", + "minLength": 1, + "metadata": { + "description": "Unique id for the scheduled alert rule" + } + }, + "formattedTimeNow": { + "type": "string", + "defaultValue": "[utcNow('g')]", + "metadata": { + "description": "Appended to workbook displayNames to make them unique" + } + }, + "workbook1-id": { + "type": "string", + "defaultValue": "[newGuid()]", + "minLength": 1, + "metadata": { + "description": "Unique id for the workbook" + } + }, + "workbook1-name": { + "type": "string", + "defaultValue": "LastPass", + "minLength": 1, + "metadata": { + "description": "Name for the workbook" + } + } + }, + "variables": { + "connector1-source": "[concat('/subscriptions/',subscription().subscriptionId,'/resourceGroups/',resourceGroup().name,'/providers/Microsoft.OperationalInsights/workspaces/',parameters('workspace'),'/providers/Microsoft.SecurityInsights/dataConnectors/',parameters('connector1-name'))]", + "_connector1-source": "[variables('connector1-source')]", + "Connector": "Connector", + "_Connector": "[variables('Connector')]", + "EmployeeAccountDeleted_AnalyticalRules": "EmployeeAccountDeleted_AnalyticalRules", + "_EmployeeAccountDeleted_AnalyticalRules": "[variables('EmployeeAccountDeleted_AnalyticalRules')]", + "FailedSigninDueToMFA_AnalyticalRules": "FailedSigninDueToMFA_AnalyticalRules", + "_FailedSigninDueToMFA_AnalyticalRules": "[variables('FailedSigninDueToMFA_AnalyticalRules')]", + "HighlySensitivePasswordAccessed_AnalyticalRules": "HighlySensitivePasswordAccessed_AnalyticalRules", + "_HighlySensitivePasswordAccessed_AnalyticalRules": "[variables('HighlySensitivePasswordAccessed_AnalyticalRules')]", + "TIMapIPEntityToLastPass_AnalyticalRules": "TIMapIPEntityToLastPass_AnalyticalRules", + "_TIMapIPEntityToLastPass_AnalyticalRules": "[variables('TIMapIPEntityToLastPass_AnalyticalRules')]", + "UnusualVolumeOfPasswordsUpdatedOrRemoved_AnalyticalRules": "UnusualVolumeOfPasswordsUpdatedOrRemoved_AnalyticalRules", + "_UnusualVolumeOfPasswordsUpdatedOrRemoved_AnalyticalRules": "[variables('UnusualVolumeOfPasswordsUpdatedOrRemoved_AnalyticalRules')]", + "FailedSigninsDueToMFA_HuntingQueries": "FailedSigninsDueToMFA_HuntingQueries", + "_FailedSigninsDueToMFA_HuntingQueries": "[variables('FailedSigninsDueToMFA_HuntingQueries')]", + "workspace-dependency": "[concat('Microsoft.OperationalInsights/workspaces/', parameters('workspace'))]", + "LoginIntoLastPassFromUnknownIP_HuntingQueries": "LoginIntoLastPassFromUnknownIP_HuntingQueries", + "_LoginIntoLastPassFromUnknownIP_HuntingQueries": "[variables('LoginIntoLastPassFromUnknownIP_HuntingQueries')]", + "PasswordMoveToSharedFolder_HuntingQueries": "PasswordMoveToSharedFolder_HuntingQueries", + "_PasswordMoveToSharedFolder_HuntingQueries": "[variables('PasswordMoveToSharedFolder_HuntingQueries')]", + "LastPassWorkbook_workbook": "LastPassWorkbook_workbook", + "_LastPassWorkbook_workbook": "[variables('LastPassWorkbook_workbook')]", + "workbook-source": "[concat(resourceGroup().id, '/providers/Microsoft.OperationalInsights/workspaces/',parameters('workspace'))]", + "_workbook-source": "[variables('workbook-source')]", + "sourceId": "publisherId_publisherId.offerId_offerId", + "_sourceId": "[variables('sourceId')]" + }, + "resources": [ + { + "id": "[variables('_connector1-source')]", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',parameters('connector1-name'))]", + "apiVersion": "2021-03-01-preview", + "type": "Microsoft.OperationalInsights/workspaces/providers/dataConnectors", + "location": "[parameters('workspace-location')]", + "kind": "APIPolling", + "properties": { + "connectorUiConfig": { + "title": "LastPass Enterprise - Reporting", + "publisher": "The Collective Consulting BV", + "descriptionMarkdown": "The [LastPass Enterprise](https://www.lastpass.com/products/enterprise-password-management-and-sso) connector provides the capability to LastPass reporting (audit) logs into Azure Sentinel. The connector provides visibility into logins and activity within LastPass (such as reading and removing passwords).", + "graphQueriesTableName": "LastPass_BYOC_CL", + "graphQueries": [{ + "metricName": "Total data received", + "legend": "LastPass Audit Events", + "baseQuery": "{{graphQueriesTableName}}" + } + ], + "sampleQueries": [{ + "description": "Password moved to shared folders", + "query": "{{graphQueriesTableName}}\n | where Action_s == \"Move to Shared Folder\"\n | extend AccountCustomEntity = Username_s, IPCustomEntity = IP_Address_s, URLCustomEntity = Data_s, TimestampCustomEntity = todatetime(Time_s) " + } + ], + "dataTypes": [{ + "name": "{{graphQueriesTableName}}", + "lastDataReceivedQuery": "{{graphQueriesTableName}}\n | summarize Time = max(TimeGenerated)\n | where isnotempty(Time)" + } + ], + "connectivityCriterias": [{ + "type": "SentinelKindsV2", + "value": [ + "APIPolling" + ] + } + ], + "availability": { + "status": 1, + "isPreview": true + }, + "permissions": { + "resourceProvider": [{ + "provider": "Microsoft.OperationalInsights/workspaces", + "permissionsDisplayText": "read and write permissions are required.", + "providerDisplayName": "Workspace", + "scope": "Workspace", + "requiredPermissions": { + "action": true, + "write": true, + "read": true, + "delete": true + } + } + ], + "customs": [ { + "name": "LastPass API Key", + "description": "A LastPass API key is required. [See the documentation to learn more about LastPass API](https://support.logmeininc.com/lastpass/help/use-the-lastpass-provisioning-api-lp010068)." + } + ] + }, + "instructionSteps": [ + { + "title": "Connect LastPass Enterprise to Azure Sentinel", + "description": "Provide the LastPass Provisioning API Key.", + "instructions": [ + { + "parameters": { + "enable": "true" + }, + "type": "APIKey" + } + ] + } + ] + }, + "pollingConfig": + { + "owner": "ASI", + "version": "2.0", + "source": "PaaS", + "auth": { + "authType": "APIKey", + "APIKeyName": "provhash", + "IsAPIKeyInPostPayload": true + }, + "request": { + "apiEndpoint": "https://lastpass.com/enterpriseapi.php", + "rateLimitQPS": 2, + "httpMethod": "Post", + "queryTimeFormat": "yyyy-MM-ddTHH:mm:ssZ", + "retryCount": 3, + "queryWindowInMin": 10, + "timeoutInSeconds": 120, + "queryParametersTemplate": "{'cid': '12537091', 'cmd': 'reporting', 'data': { 'from': '{_QueryWindowStartTime}', 'to': '{_QueryWindowEndTime}' }, '{_APIKeyName}': '{_APIKey}'}", + "isPostPayloadJson": true + }, + "response": { + "eventsJsonPaths": [ + "$.data" + ], + "successStatusJsonPath": "$.status", + "successStatusValue": "OK", + "convertChildPropertiesToArray": true + }, + "paging": { + "pagingType": "NextPageToken", + "nextPageParaName": "next", + "nextPageTokenJsonPath": "$.next" + } + } + } + }, + { + "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',parameters('analytic1-id'))]", + "apiVersion": "2021-03-01-preview", + "kind": "Scheduled", + "location": "[parameters('workspace-location')]", + "properties": { + "description": "This rule will monitor for any employee accounts being deleted.\nDeleting an employee account can have a big potential impact as all of the data for that user will be removed.", + "displayName": "Employee account deleted", + "enabled": false, + "query": "LastPass_BYOC_CL\n| where Action_s == \"Employee Account Deleted\" or Action_s == \"Remove User From Company\"\n| extend AccountCustomEntity = Username_s, IPCustomEntity = IP_Address_s\n", + "queryFrequency": "PT1H", + "queryPeriod": "PT1H", + "severity": "Medium", + "suppressionDuration": "PT1H", + "suppressionEnabled": false, + "triggerOperator": "GreaterThan", + "triggerThreshold": 0, + "tactics": [ + "Impact" + ], + "entityMappings": [ + { + "entityType": "Account", + "fieldMappings": [ + { + "identifier": "Name", + "columnName": "AccountCustomEntity" + } + ] + }, + { + "entityType": "IP", + "fieldMappings": [ + { + "identifier": "Address", + "columnName": "IPCustomEntity" + } + ] + } + ], + "eventGroupingSettings": { + "aggregationKind": "AlertPerResult" + } + } + }, + { + "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',parameters('analytic2-id'))]", + "apiVersion": "2021-03-01-preview", + "kind": "Scheduled", + "location": "[parameters('workspace-location')]", + "properties": { + "description": "This rule will check if a sign-in failed into LastPass due to MFA.\nAn incident can indicate the potential brute forcing of a LastPass account. \nThe use of MFA is identified by combining the sign-in logs, this rule assumes LastPass is federated to AAD.", + "displayName": "Failed sign-ins into LastPass due to MFA", + "enabled": false, + "query": "LastPass_BYOC_CL\n| where Action_s == \"Log in\"\n| join (SigninLogs | where AppDisplayName == \"LastPass Enterprise\") on $left.IP_Address_s == $right.IPAddress and $left.Username_s == $right.UserPrincipalName\n| where ResultType in (50074, 50076)\n| extend AccountCustomEntity = Username_s, IPCustomEntity = IP_Address_s\n", + "queryFrequency": "P1D", + "queryPeriod": "P1D", + "severity": "Low", + "suppressionDuration": "PT1H", + "suppressionEnabled": false, + "triggerOperator": "GreaterThan", + "triggerThreshold": 0, + "tactics": [ + "InitialAccess" + ], + "entityMappings": [ + { + "entityType": "Account", + "fieldMappings": [ + { + "identifier": "Name", + "columnName": "AccountCustomEntity" + } + ] + }, + { + "entityType": "IP", + "fieldMappings": [ + { + "identifier": "Address", + "columnName": "IPCustomEntity" + } + ] + } + ], + "eventGroupingSettings": { + "aggregationKind": "AlertPerResult" + } + } + }, + { + "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',parameters('analytic3-id'))]", + "apiVersion": "2021-03-01-preview", + "kind": "Scheduled", + "location": "[parameters('workspace-location')]", + "properties": { + "description": "This rule will monitor access to highly sensitive passwords.\nWithin the Watchlist called 'LastPass' define passwords which are deemed highly sensitive (such as password to a high privileged application).\nWhen an activity is observed against such password, an incident is created.", + "displayName": "Highly Sensitive Password Accessed", + "enabled": false, + "query": "let watchlist = (_GetWatchlist(\"LastPass\") | project name);\nLastPass_BYOC_CL\n| where Data_s in (watchlist)\n| extend timestamp = , AccountCustomEntity = Username_s, IPCustomEntity = IP_Address_s, URLCustomEntity = Data_s\n", + "queryFrequency": "PT1H", + "queryPeriod": "PT1H", + "severity": "Medium", + "suppressionDuration": "PT1H", + "suppressionEnabled": false, + "triggerOperator": "GreaterThan", + "triggerThreshold": 0, + "tactics": [ + "CredentialAccess", + "Discovery" + ], + "entityMappings": [ + { + "entityType": "Account", + "fieldMappings": [ + { + "identifier": "Name", + "columnName": "AccountCustomEntity" + } + ] + }, + { + "entityType": "IP", + "fieldMappings": [ + { + "identifier": "Address", + "columnName": "IPCustomEntity" + } + ] + }, + { + "entityType": "URL", + "fieldMappings": [ + { + "identifier": "Url", + "columnName": "URLCustomEntity" + } + ] + } + ], + "eventGroupingSettings": { + "aggregationKind": "AlertPerResult" + } + } + }, + { + "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',parameters('analytic4-id'))]", + "apiVersion": "2021-03-01-preview", + "kind": "Scheduled", + "location": "[parameters('workspace-location')]", + "properties": { + "description": "Identifies a match in LastPass table from any IP IOC from TI", + "displayName": "TI map IP entity to LastPass data", + "enabled": false, + "query": "let dt_lookBack = 1h;\nlet ioc_lookBack = 14d;\nThreatIntelligenceIndicator\n| where TimeGenerated >= ago(ioc_lookBack) and ExpirationDateTime > now()\n| where Active == true\n// Picking up only IOC's that contain the entities we want\n| where isnotempty(NetworkIP) or isnotempty(EmailSourceIpAddress) or isnotempty(NetworkDestinationIP) or isnotempty(NetworkSourceIP)\n// As there is potentially more than 1 indicator type for matching IP, taking Network IP first, then others if that is empty.\n// Taking the first non-empty value based on potential IOC match availability\n| extend TI_ipEntity = iff(isnotempty(NetworkIP), NetworkIP, NetworkDestinationIP)\n| extend TI_ipEntity = iff(isempty(TI_ipEntity) and isnotempty(NetworkSourceIP), NetworkSourceIP, TI_ipEntity)\n| extend TI_ipEntity = iff(isempty(TI_ipEntity) and isnotempty(EmailSourceIpAddress), EmailSourceIpAddress, TI_ipEntity)\n| join (\n LastPass_BYOC_CL | where todatetime(Time_s) >= ago(dt_lookBack)\n | where Action_s != \"Reporting\"\n // renaming time column so it is clear the log this came from\n | extend LastPass_TimeGenerated = todatetime(Time_s)\n)\non $left.TI_ipEntity == $right.IP_Address_s\n| summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId\n| project LatestIndicatorTime, Description, ActivityGroupNames, IndicatorId, ThreatType, Url, ExpirationDateTime, ConfidenceScore, LastPass_TimeGenerated, \nTI_ipEntity, IP_Address_s, Username_s, Action_s, Data_s, NetworkIP, NetworkDestinationIP, NetworkSourceIP, EmailSourceIpAddress\n| extend timestamp = LastPass_TimeGenerated, AccountCustomEntity = Username_s, IPCustomEntity = IP_Address_s, URLCustomEntity = Url\n", + "queryFrequency": "PT1H", + "queryPeriod": "P14D", + "severity": "Medium", + "suppressionDuration": "PT1H", + "suppressionEnabled": false, + "triggerOperator": "GreaterThan", + "triggerThreshold": 0, + "tactics": [ + "Impact" + ], + "entityMappings": [ + { + "entityType": "Account", + "fieldMappings": [ + { + "identifier": "Name", + "columnName": "AccountCustomEntity" + } + ] + }, + { + "entityType": "IP", + "fieldMappings": [ + { + "identifier": "Address", + "columnName": "IPCustomEntity" + } + ] + }, + { + "entityType": "URL", + "fieldMappings": [ + { + "identifier": "Url", + "columnName": "URLCustomEntity" + } + ] + } + ], + "eventGroupingSettings": { + "aggregationKind": "AlertPerResult" + } + } + }, + { + "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',parameters('analytic5-id'))]", + "apiVersion": "2021-03-01-preview", + "kind": "Scheduled", + "location": "[parameters('workspace-location')]", + "properties": { + "description": "This rule will check if there is an unnormal activity of sites that are deleted or changed per user.\n The normal amount of actions is calculated based on the previous 14 days of activity. If there is a significant increase, an incident will be created.", + "displayName": "Unusual Volume of Password Updated or Removed", + "enabled": false, + "query": "let threshold = toscalar (LastPass_BYOC_CL\n| where todatetime(Time_s) >= startofday(ago(14d)) and todatetime(Time_s) < startofday(ago(1d))\n| where Action_s == \"Site Changed\" or Action_s == \"Deleted Sites\" \n| summarize count() by Username_s, bin(todatetime(Time_s),1d)\n| summarize avg(count_), stdev(count_)\n| project threshold = avg_count_+stdev_count_*2);\nLastPass_BYOC_CL\n| where Username_s != \"API\"\n| where Action_s == \"Site Changed\" or Action_s == \"Deleted Sites\" and todatetime(Time_s) >= startofday(ago(1d))\n| summarize count() by Username_s, IP_Address_s\n| where count_ > ['threshold']\n| extend AccountCustomEntity = Username_s, IPCustomEntity = IP_Address_s\n", + "queryFrequency": "P1D", + "queryPeriod": "P14D", + "severity": "Low", + "suppressionDuration": "PT1H", + "suppressionEnabled": false, + "triggerOperator": "GreaterThan", + "triggerThreshold": 0, + "tactics": [ + "Impact" + ], + "entityMappings": [ + { + "entityType": "Account", + "fieldMappings": [ + { + "identifier": "Name", + "columnName": "AccountCustomEntity" + } + ] + }, + { + "entityType": "IP", + "fieldMappings": [ + { + "identifier": "Address", + "columnName": "IPCustomEntity" + } + ] + } + ], + "eventGroupingSettings": { + "aggregationKind": "AlertPerResult" + } + } + }, + { + "type": "Microsoft.OperationalInsights/workspaces", + "apiVersion": "2020-08-01", + "name": "[parameters('workspace')]", + "location": "[parameters('workspace-location')]", + "resources": [ + { + "type": "savedSearches", + "apiVersion": "2020-08-01", + "name": "LastPass Hunting Query 1", + "dependsOn": [ + "[variables('workspace-dependency')]" + ], + "properties": { + "eTag": "*", + "displayName": "Failed sign-ins into LastPass due to MFA.", + "category": "Hunting Queries", + "query": "LastPass_BYOC_CL\n| where Action_s == \"Log in\"\n| join (SigninLogs | where AppDisplayName == \"LastPass Enterprise\") on $left.IP_Address_s == $right.IPAddress and $left.Username_s == $right.UserPrincipalName\n| where ResultType in (50074, 50076)\n| extend AccountCustomEntity = Username_s, IPCustomEntity = IP_Address_s, TimestampCustomEntity = todatetime(Time_s)\n", + "version": 1, + "tags": [ + { + "name": "description", + "value": "This will check for sign-ins into LastPass which are not confirmed using MFA based on the Sign-in Logs" + }, + { + "name": "tactics", + "value": "InitialAccess" + } + ] + } + }, + { + "type": "savedSearches", + "apiVersion": "2020-08-01", + "name": "LastPass Hunting Query 2", + "dependsOn": [ + "[variables('workspace-dependency')]" + ], + "properties": { + "eTag": "*", + "displayName": "Login into LastPass from a previously unknown IP.", + "category": "Hunting Queries", + "query": "let IPs = SigninLogs\n | project IPAddress;\nLastPass_BYOC_CL\n| where Action_s != \"Reporting\"\n| where IP_Address_s !in (IPs)\n| summarize by IP_Address_s, Username_s, bin(todatetime(Time_s), 1d)\n| extend AccountCustomEntity = Username_s, IPCustomEntity = IP_Address_s, TimestampCustomEntity = Time_s\n", + "version": 1, + "tags": [ + { + "name": "description", + "value": "This query will check how many activity there is in LastPass from IPs that are not seen before in the Sign-in Logs" + }, + { + "name": "tactics", + "value": "InitialAccess" + } + ] + } + }, + { + "type": "savedSearches", + "apiVersion": "2020-08-01", + "name": "LastPass Hunting Query 3", + "dependsOn": [ + "[variables('workspace-dependency')]" + ], + "properties": { + "eTag": "*", + "displayName": "Password moved to shared folders", + "category": "Hunting Queries", + "query": "LastPass_BYOC_CL\n| where Action_s == \"Move to Shared Folder\"\n| extend AccountCustomEntity = Username_s, IPCustomEntity = IP_Address_s, URLCustomEntity = Data_s, TimestampCustomEntity = todatetime(Time_s)\n", + "version": 1, + "tags": [ + { + "name": "description", + "value": "This query will check for data that is shared in the LastPass environment." + }, + { + "name": "tactics", + "value": "Collection" + } + ] + } + } + ] + }, + { + "type": "Microsoft.Insights/workbooks", + "name": "[parameters('workbook1-id')]", + "location": "[parameters('workspace-location')]", + "kind": "shared", + "apiVersion": "2020-02-12", + "properties": { + "displayName": "[concat(parameters('workbook1-name'), ' - ', parameters('formattedTimeNow'))]", + "serializedData": "{\"version\":\"Notebook/1.0\",\"items\":[{\"type\":1,\"content\":{\"json\":\"## Additional diagrams about generic LastPass usage\\r\\n---\"},\"name\":\"text - 6\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"LastPass_BYOC_CL\\r\\n| where isnotempty(Data_s)\\r\\n| summarize count() by Data_s\\r\\n| order by count_\\r\\n| render piechart\",\"size\":3,\"title\":\"Overview of the sites used\",\"timeContext\":{\"durationMs\":2592000000},\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"customWidth\":\"30\",\"name\":\"query - 7\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"LastPass_BYOC_CL\\r\\n| where Username_s != \\\"API\\\"\\r\\n| summarize count() by Username_s\\r\\n| order by count_\\r\\n| render piechart\",\"size\":3,\"title\":\"Overview of the active users\",\"timeContext\":{\"durationMs\":2592000000},\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"customWidth\":\"30\",\"name\":\"query - 8\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"LastPass_BYOC_CL\\r\\n| where Action_s != \\\"Reporting\\\"\\r\\n| summarize count() by Action_s\\r\\n| order by count_\\r\\n| render piechart\",\"size\":3,\"title\":\"Overview of the activity types\",\"timeContext\":{\"durationMs\":2592000000},\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"customWidth\":\"30\",\"name\":\"query - 2\"}]},\"name\":\"Additional diagrams about generic LastPass usage\"},{\"type\":1,\"content\":{\"json\":\"## Insights into sign-in methods\\r\\n---\"},\"name\":\"text - 3\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let IPs = SigninLogs | project IPAddress;\\r\\nLastPass_BYOC_CL\\r\\n| where Action_s != \\\"Reporting\\\"\\r\\n| where IP_Address_s !in (IPs)\\r\\n| summarize Count = count() by bin(todatetime(Time_s), 1d)\\r\\n| render timechart\",\"size\":3,\"title\":\"Sign-ins using an IP which has not been observed before\",\"timeContext\":{\"durationMs\":2592000000},\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"timechart\",\"chartSettings\":{\"showMetrics\":false,\"ySettings\":{\"min\":0}}},\"name\":\"query - 4\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"LastPass_BYOC_CL\\r\\n| where Action_s == \\\"Log in\\\"\\r\\n| join (SigninLogs | where AppDisplayName == \\\"LastPass Enterprise\\\") on $left.IP_Address_s == $right.IPAddress\\r\\n| extend isCompliant = iff(DeviceDetail.isCompliant == \\\"true\\\", \\\"Compliant\\\", \\\"Non-Compliant\\\")\\r\\n| summarize count() by isCompliant\",\"size\":3,\"title\":\"Overview of compliancy state of device used to login\",\"timeContext\":{\"durationMs\":2592000000},\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"barchart\"},\"name\":\"query - 5\"},{\"type\":1,\"content\":{\"json\":\"## Logins in to admin console\"},\"name\":\"text - 2\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"LastPass_BYOC_CL\\n| where Action_s == \\\"Login to Admin Console\\\"\\n| summarize Count = count() by Username_s\",\"size\":3,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"name\":\"query - 2\"}],\"fromTemplateId\":\"sentinel-LastPass\",\"$schema\":\"https://github.com/Microsoft/Application-Insights-Workbooks/blob/master/schema/workbook.json\"}\r\n", + "version": "1.0", + "sourceId": "[variables('_workbook-source')]", + "category": "sentinel" + } + }, + { + "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", + "apiVersion": "2021-03-01-preview", + "properties": { + "version": "1.0.0", + "kind": "Solution", + "contentId": "[variables('_sourceId')]", + "parentId": "[variables('_sourceId')]", + "source": { + "kind": "Solution", + "name": "LastPass", + "sourceId": "[variables('_sourceId')]" + }, + "author": { + "name": "Nikhil Tripathi", + "email": "v-ntripathi@microsoft.com" + }, + "support": { + "name": "name_name", + "email": "email_email", + "tier": "Partner", + "link": "link_link" + }, + "dependencies": { + "operator": "AND", + "criteria": [ + { + "kind": "DataConnector", + "contentId": "[variables('_Connector')]", + "version": "1.0.0" + }, + { + "kind": "AnalyticsRule", + "contentId": "[variables('_EmployeeAccountDeleted_AnalyticalRules')]", + "version": "1.0.0" + }, + { + "kind": "AnalyticsRule", + "contentId": "[variables('_FailedSigninDueToMFA_AnalyticalRules')]", + "version": "1.0.0" + }, + { + "kind": "AnalyticsRule", + "contentId": "[variables('_HighlySensitivePasswordAccessed_AnalyticalRules')]", + "version": "1.0.0" + }, + { + "kind": "AnalyticsRule", + "contentId": "[variables('_TIMapIPEntityToLastPass_AnalyticalRules')]", + "version": "1.0.0" + }, + { + "kind": "AnalyticsRule", + "contentId": "[variables('_UnusualVolumeOfPasswordsUpdatedOrRemoved_AnalyticalRules')]", + "version": "1.0.0" + }, + { + "kind": "HuntingQuery", + "contentId": "[variables('_FailedSigninsDueToMFA_HuntingQueries')]", + "version": "1.0.0" + }, + { + "kind": "HuntingQuery", + "contentId": "[variables('_LoginIntoLastPassFromUnknownIP_HuntingQueries')]", + "version": "1.0.0" + }, + { + "kind": "HuntingQuery", + "contentId": "[variables('_PasswordMoveToSharedFolder_HuntingQueries')]", + "version": "1.0.0" + }, + { + "kind": "Workbook", + "contentId": "[variables('_LastPassWorkbook_workbook')]", + "version": "1.0.0" + } + ] + }, + "firstPublishDate": "2021-10-20", + "providers": [ + "providers_providers" + ], + "categories": { + "domains": [ + "domains_domains" + ] + } + }, + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/', variables('_sourceId'))]" + } + ], + "outputs": {} +} diff --git a/Solutions/LastPass/SolutionMetadata.json b/Solutions/LastPass/SolutionMetadata.json new file mode 100644 index 0000000000..26bc7a94e7 --- /dev/null +++ b/Solutions/LastPass/SolutionMetadata.json @@ -0,0 +1,15 @@ +{ + "publisherId": "publisherId_publisherId", + "offerId": "offerId_offerId", + "firstPublishDate": "2021-10-20", + "providers": ["providers_providers"], + "categories": { + "domains" : ["domains_domains"] + }, + "support": { + "name": "name_name", + "email": "email_email", + "tier": "Partner", + "link": "link_link" + } +} \ No newline at end of file diff --git a/Solutions/OracleDatabaseAudit/Package/1.0.3.zip b/Solutions/OracleDatabaseAudit/Package/1.0.3.zip new file mode 100644 index 0000000000..acd509b784 Binary files /dev/null and b/Solutions/OracleDatabaseAudit/Package/1.0.3.zip differ diff --git a/Solutions/OracleDatabaseAudit/Package/createUiDefinition.json b/Solutions/OracleDatabaseAudit/Package/createUiDefinition.json new file mode 100644 index 0000000000..e6cd03117f --- /dev/null +++ b/Solutions/OracleDatabaseAudit/Package/createUiDefinition.json @@ -0,0 +1,472 @@ +{ + "$schema": "https://schema.management.azure.com/schemas/0.1.2-preview/CreateUIDefinition.MultiVm.json#", + "handler": "Microsoft.Azure.CreateUIDef", + "version": "0.1.2-preview", + "parameters": { + "config": { + "isWizard": false, + "basics": { + "description": "\n\n**Important:** _This Azure Sentinel Solution is currently in public preview. This feature is provided without a service level agreement, and it's not recommended for production workloads. Certain features might not be supported or might have constrained capabilities. For more information, see [Supplemental Terms of Use for Microsoft Azure Previews](https://azure.microsoft.com/support/legal/preview-supplemental-terms/)._\n\n**Note:** _There may be [known issues](https://aka.ms/sentinelsolutionsknownissues) pertaining to this Solution, please refer to them before installing._\n\nThe [Oracle Database](https://www.oracle.com/database/technologies/security/db-auditing.html) provides robust audit support in both the Enterprise and Standard Edition of the database. Oracle Database Unified Auditing enables selective and effective auditing inside the Oracle database using policies and conditions.\n\nAzure Sentinel Solutions provide a consolidated way to acquire Azure Sentinel content like data connectors, workbooks, analytics, and automations in your workspace with a single deployment step.\n\n**Data Connectors:** 1, **Parsers:** 1, **Workbooks:** 1, **Analytic Rules:** 10, **Hunting Queries:** 10\n\n[Learn more about Azure Sentinel](https://aka.ms/azuresentinel) | [Learn more about Solutions](https://aka.ms/azuresentinelsolutionsdoc)", + "subscription": { + "resourceProviders": [ + "Microsoft.OperationsManagement/solutions", + "Microsoft.OperationalInsights/workspaces/providers/alertRules", + "Microsoft.Insights/workbooks", + "Microsoft.Logic/workflows" + ] + }, + "location": { + "metadata": { + "hidden": "Hiding location, we get it from the log analytics workspace" + }, + "visible": false + }, + "resourceGroup": { + "allowExisting": true + } + } + }, + "basics": [ + { + "name": "getLAWorkspace", + "type": "Microsoft.Solutions.ArmApiControl", + "toolTip": "This filters by workspaces that exist in the Resource Group selected", + "condition": "[greater(length(resourceGroup().name),0)]", + "request": { + "method": "GET", + "path": "[concat(subscription().id,'/providers/Microsoft.OperationalInsights/workspaces?api-version=2020-08-01')]" + } + }, + { + "name": "workspace", + "type": "Microsoft.Common.DropDown", + "label": "Workspace", + "placeholder": "Select a workspace", + "toolTip": "This dropdown will list only workspace that exists in the Resource Group selected", + "constraints": { + "allowedValues": "[map(filter(basics('getLAWorkspace').value, (filter) => contains(filter.id, toLower(resourceGroup().name))), (item) => parse(concat('{\"label\":\"', item.name, '\",\"value\":\"', item.name, '\"}')))]", + "required": true + + }, + "visible": true + } + ], + "steps": [ + { + "name": "dataconnectors", + "label": "Data Connectors", + "bladeTitle": "Data Connectors", + "elements": [ + { + "name": "dataconnectors1-text", + "type": "Microsoft.Common.TextBlock", + "options": { + "text": "This Solution installs the data connector for Oracle Database Audit. You can get Oracle Database Audit Syslog data in your Azure Sentinel workspace. Configure and enable this data connector in the Data Connector gallery after this Solution deploys. The logs will be received in the Syslog table in your Azure Sentinel / Azure Log Analytics workspace." + } + }, + { + "name": "dataconnectors-parser-text", + "type": "Microsoft.Common.TextBlock", + "options": { + "text": "The Solution installs a parser that transforms the ingested data into Azure Sentinel normalized format. The normalized format enables better correlation of different types of data from different data sources to drive end-to-end outcomes seamlessly in security monitoring, hunting, incident investigation and response scenarios in Azure Sentinel." + } + }, + { + "name": "dataconnectors-link1", + "type": "Microsoft.Common.TextBlock", + "options": { + "link": { + "label": "Learn more about normalized format", + "uri": "https://docs.microsoft.com/azure/sentinel/normalization-schema" + } + } + }, + { + "name": "dataconnectors-link2", + "type": "Microsoft.Common.TextBlock", + "options": { + "link": { + "label": "Learn more about connecting data sources", + "uri": "https://docs.microsoft.com/azure/sentinel/connect-data-sources" + } + } + } + ] + }, + { + "name": "workbooks", + "label": "Workbooks", + "subLabel": { + "preValidation": "Configure the workbooks", + "postValidation": "Done" + }, + "bladeTitle": "Workbooks", + "elements": [ + { + "name": "workbooks-text", + "type": "Microsoft.Common.TextBlock", + "options": { + "text": "This Azure Sentinel Solution installs workbooks. Workbooks provide a flexible canvas for data monitoring, analysis, and the creation of rich visual reports within the Azure portal. They allow you to tap into one or many data sources from Azure Sentinel and combine them into unified interactive experiences.", + "link": { + "label": "Learn more", + "uri": "https://docs.microsoft.com/azure/sentinel/tutorial-monitor-your-data" + } + } + }, + { + "name": "workbook1", + "type": "Microsoft.Common.Section", + "label": "Oracle Database Audit", + "elements": [ + { + "name": "workbook1-text", + "type": "Microsoft.Common.TextBlock", + "options": { + "text": "Gain insights into Oracle database audit logs." + } + }, + { + "name": "workbook1-name", + "type": "Microsoft.Common.TextBox", + "label": "Display Name", + "defaultValue": "Oracle Database Audit", + "toolTip": "Display name for the workbook.", + "constraints": { + "required": true, + "regex": "[a-z0-9A-Z]{1,256}$", + "validationMessage": "Please enter a workbook name" + } + } + ] + } + ] + }, + { + "name": "analytics", + "label": "Analytics", + "subLabel": { + "preValidation": "Configure the analytics", + "postValidation": "Done" + }, + "bladeTitle": "Analytics", + "elements": [ + { + "name": "analytics-text", + "type": "Microsoft.Common.TextBlock", + "options": { + "text": "This Azure Sentinel Solution installs analytic rules for Oracle Database Audit that you can enable for custom alert generation in Azure Sentinel. These analytic rules will be deployed in disabled mode in the analytics rules gallery of your Azure Sentinel workspace. Configure and enable these rules in the analytic rules gallery after this Solution deploys.", + "link": { + "label": "Learn more", + "uri": "https://docs.microsoft.com/azure/sentinel/tutorial-detect-threats-custom?WT.mc_id=Portal-Microsoft_Azure_CreateUIDef" + } + } + }, + { + "name": "analytic1", + "type": "Microsoft.Common.Section", + "label": "OracleDBAudit - Connection to database from external IP", + "elements": [ + { + "name": "analytic1-text", + "type": "Microsoft.Common.TextBlock", + "options": { + "text": "Detects when connection to database is from external IP source." + } + } + ] + }, + { + "name": "analytic2", + "type": "Microsoft.Common.Section", + "label": "OracleDBAudit - Multiple tables dropped in short time", + "elements": [ + { + "name": "analytic2-text", + "type": "Microsoft.Common.TextBlock", + "options": { + "text": "Detects when user drops many tables in short period of time." + } + } + ] + }, + { + "name": "analytic3", + "type": "Microsoft.Common.Section", + "label": "OracleDBAudit - Connection to database from unknown IP", + "elements": [ + { + "name": "analytic3-text", + "type": "Microsoft.Common.TextBlock", + "options": { + "text": "Detects when user connects to a database from IP address which is not present in AllowList." + } + } + ] + }, + { + "name": "analytic4", + "type": "Microsoft.Common.Section", + "label": "OracleDBAudit - User connected to database from new IP", + "elements": [ + { + "name": "analytic4-text", + "type": "Microsoft.Common.TextBlock", + "options": { + "text": "Detects when a user connects to database from new IP address." + } + } + ] + }, + { + "name": "analytic5", + "type": "Microsoft.Common.Section", + "label": "OracleDBAudit - New user account", + "elements": [ + { + "name": "analytic5-text", + "type": "Microsoft.Common.TextBlock", + "options": { + "text": "Detects when an action was made by new user." + } + } + ] + }, + { + "name": "analytic6", + "type": "Microsoft.Common.Section", + "label": "OracleDBAudit - Query on Sensitive Table", + "elements": [ + { + "name": "analytic6-text", + "type": "Microsoft.Common.TextBlock", + "options": { + "text": "Detects when user queries sensitive tables." + } + } + ] + }, + { + "name": "analytic7", + "type": "Microsoft.Common.Section", + "label": "OracleDBAudit - User activity after long inactivity time", + "elements": [ + { + "name": "analytic7-text", + "type": "Microsoft.Common.TextBlock", + "options": { + "text": "Detects when an action was made by a user which last activity was observed more than 30 days ago." + } + } + ] + }, + { + "name": "analytic8", + "type": "Microsoft.Common.Section", + "label": "OracleDBAudit - SQL injection patterns", + "elements": [ + { + "name": "analytic8-text", + "type": "Microsoft.Common.TextBlock", + "options": { + "text": "Detects common known SQL injection patterns used in automated scripts." + } + } + ] + }, + { + "name": "analytic9", + "type": "Microsoft.Common.Section", + "label": "OracleDBAudit - Unusual user activity on multiple tables", + "elements": [ + { + "name": "analytic9-text", + "type": "Microsoft.Common.TextBlock", + "options": { + "text": "Detects when user queries many tables in short period of time." + } + } + ] + }, + { + "name": "analytic10", + "type": "Microsoft.Common.Section", + "label": "OracleDBAudit - Shutdown Server", + "elements": [ + { + "name": "analytic10-text", + "type": "Microsoft.Common.TextBlock", + "options": { + "text": "Detects when \"SHUTDOWN\" command was sent to server." + } + } + ] + } + ] + }, + { + "name": "huntingqueries", + "label": "Hunting Queries", + "bladeTitle": "Hunting Queries", + "elements": [ + { + "name": "huntingqueries-text", + "type": "Microsoft.Common.TextBlock", + "options": { + "text": "This Azure Sentinel Solution installs hunting queries for Oracle Database Audit that you can run in Azure Sentinel. These hunting queries will be deployed in the Hunting gallery of your Azure Sentinel workspace. Run these hunting queries to hunt for threats in the Hunting gallery after this Solution deploys.", + "link": { + "label": "Learn more", + "uri": "https://docs.microsoft.com/azure/sentinel/hunting" + } + } + }, + { + "name": "huntingquery1", + "type": "Microsoft.Common.Section", + "label": "OracleDBAudit - Action by Ip", + "elements": [ + { + "name": "huntingquery1-text", + "type": "Microsoft.Common.TextBlock", + "options": { + "text": "Query searches sources from which DbActions were made. It depends on the Oracle Database Audit data connector and Syslog data type and OracleDatabaseAuditEvent parser." + } + } + ] + }, + { + "name": "huntingquery2", + "type": "Microsoft.Common.Section", + "label": "OracleDBAudit - Action by user", + "elements": [ + { + "name": "huntingquery2-text", + "type": "Microsoft.Common.TextBlock", + "options": { + "text": "Query searches actions made by user. It depends on the Oracle Database Audit data connector and Syslog data type and OracleDatabaseAuditEvent parser." + } + } + ] + }, + { + "name": "huntingquery3", + "type": "Microsoft.Common.Section", + "label": "OracleDBAudit - Active Users", + "elements": [ + { + "name": "huntingquery3-text", + "type": "Microsoft.Common.TextBlock", + "options": { + "text": "Query for searching active database user accounts. It depends on the Oracle Database Audit data connector and Syslog data type and OracleDatabaseAuditEvent parser." + } + } + ] + }, + { + "name": "huntingquery4", + "type": "Microsoft.Common.Section", + "label": "OracleDBAudit - Users connected to databases during non-operational hours.", + "elements": [ + { + "name": "huntingquery4-text", + "type": "Microsoft.Common.TextBlock", + "options": { + "text": "Query searches for users who have connected to databases during non-operational hours. It depends on the Oracle Database Audit data connector and Syslog data type and OracleDatabaseAuditEvent parser." + } + } + ] + }, + { + "name": "huntingquery5", + "type": "Microsoft.Common.Section", + "label": "OracleDBAudit - Dropped Tables", + "elements": [ + { + "name": "huntingquery5-text", + "type": "Microsoft.Common.TextBlock", + "options": { + "text": "Query searches for dropped tables. It depends on the Oracle Database Audit data connector and Syslog data type and OracleDatabaseAuditEvent parser." + } + } + ] + }, + { + "name": "huntingquery6", + "type": "Microsoft.Common.Section", + "label": "OracleDBAudit - Inactive Users", + "elements": [ + { + "name": "huntingquery6-text", + "type": "Microsoft.Common.TextBlock", + "options": { + "text": "Query for searching user accounts which last activity was more than 30 days ago. It depends on the Oracle Database Audit data connector and Syslog data type and OracleDatabaseAuditEvent parser." + } + } + ] + }, + { + "name": "huntingquery7", + "type": "Microsoft.Common.Section", + "label": "OracleDBAudit - Users with new privileges", + "elements": [ + { + "name": "huntingquery7-text", + "type": "Microsoft.Common.TextBlock", + "options": { + "text": "Query for searching user accounts whith new privileges. It depends on the Oracle Database Audit data connector and Syslog data type and OracleDatabaseAuditEvent parser." + } + } + ] + }, + { + "name": "huntingquery8", + "type": "Microsoft.Common.Section", + "label": "OracleDBAudit - Top tables queries 'Query searches for tables queries.'", + "elements": [ + { + "name": "huntingquery8-text", + "type": "Microsoft.Common.TextBlock", + "options": { + "text": "It depends on the Oracle Database Audit data connector and Syslog data type and OracleDatabaseAuditEvent parser." + } + } + ] + }, + { + "name": "huntingquery9", + "type": "Microsoft.Common.Section", + "label": "OracleDBAudit - Users with new privileges", + "elements": [ + { + "name": "huntingquery9-text", + "type": "Microsoft.Common.TextBlock", + "options": { + "text": "Query for searching user accounts whith new privileges. It depends on the Oracle Database Audit data connector and Syslog data type and OracleDatabaseAuditEvent parser." + } + } + ] + }, + { + "name": "huntingquery10", + "type": "Microsoft.Common.Section", + "label": "OracleDBAudit - Users Privileges Review", + "elements": [ + { + "name": "huntingquery10-text", + "type": "Microsoft.Common.TextBlock", + "options": { + "text": "Query searches for user accounts and their privileges. It depends on the Oracle Database Audit data connector and Syslog data type and OracleDatabaseAuditEvent parser." + } + } + ] + } + ] + } + ], + "outputs": { + "workspace-location": "[resourceGroup().location]", + "location": "[location()]", + "workspace": "[basics('workspace')]", + "workbook1-name": "[steps('workbooks').workbook1.workbook1-name]" + } + } +} diff --git a/Solutions/OracleDatabaseAudit/Package/mainTemplate.json b/Solutions/OracleDatabaseAudit/Package/mainTemplate.json new file mode 100644 index 0000000000..a678cf66f3 --- /dev/null +++ b/Solutions/OracleDatabaseAudit/Package/mainTemplate.json @@ -0,0 +1,990 @@ +{ + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "metadata": { + "author": "Amarnath Pamidi - v-ampami@microsoft.com", + "comments": "Solution template for OracleDatabaseAudit" + }, + "parameters": { + "location": { + "type": "string", + "minLength": 1, + "defaultValue": "[resourceGroup().location]", + "metadata": { + "description": "Not used, but needed to pass arm-ttk test `Location-Should-Not-Be-Hardcoded`. We instead use the `workspace-location` which is derived from the LA workspace" + } + }, + "workspace-location": { + "type": "string", + "minLength": 1, + "defaultValue": "[parameters('location')]", + "metadata": { + "description": "Region to deploy solution resources" + } + }, + "workspace": { + "defaultValue": "", + "type": "string", + "metadata": { + "description": "Workspace name for Log Analytics where Sentinel is setup" + } + }, + "formattedTimeNow": { + "type": "string", + "defaultValue": "[utcNow('g')]", + "metadata": { + "description": "Appended to workbook displayNames to make them unique" + } + }, + "workbook1-id": { + "type": "string", + "defaultValue": "[newGuid()]", + "minLength": 1, + "metadata": { + "description": "Unique id for the workbook" + } + }, + "workbook1-name": { + "type": "string", + "defaultValue": "OracleDatabaseAudit", + "minLength": 1, + "metadata": { + "description": "Name for the workbook" + } + }, + "connector1-name": { + "type": "string", + "defaultValue": "b529fc21-7ace-4081-8248-880cb6e8ac73" + }, + "analytic1-id": { + "type": "string", + "defaultValue": "[newGuid()]", + "minLength": 1, + "metadata": { + "description": "Unique id for the scheduled alert rule" + } + }, + "analytic2-id": { + "type": "string", + "defaultValue": "[newGuid()]", + "minLength": 1, + "metadata": { + "description": "Unique id for the scheduled alert rule" + } + }, + "analytic3-id": { + "type": "string", + "defaultValue": "[newGuid()]", + "minLength": 1, + "metadata": { + "description": "Unique id for the scheduled alert rule" + } + }, + "analytic4-id": { + "type": "string", + "defaultValue": "[newGuid()]", + "minLength": 1, + "metadata": { + "description": "Unique id for the scheduled alert rule" + } + }, + "analytic5-id": { + "type": "string", + "defaultValue": "[newGuid()]", + "minLength": 1, + "metadata": { + "description": "Unique id for the scheduled alert rule" + } + }, + "analytic6-id": { + "type": "string", + "defaultValue": "[newGuid()]", + "minLength": 1, + "metadata": { + "description": "Unique id for the scheduled alert rule" + } + }, + "analytic7-id": { + "type": "string", + "defaultValue": "[newGuid()]", + "minLength": 1, + "metadata": { + "description": "Unique id for the scheduled alert rule" + } + }, + "analytic8-id": { + "type": "string", + "defaultValue": "[newGuid()]", + "minLength": 1, + "metadata": { + "description": "Unique id for the scheduled alert rule" + } + }, + "analytic9-id": { + "type": "string", + "defaultValue": "[newGuid()]", + "minLength": 1, + "metadata": { + "description": "Unique id for the scheduled alert rule" + } + }, + "analytic10-id": { + "type": "string", + "defaultValue": "[newGuid()]", + "minLength": 1, + "metadata": { + "description": "Unique id for the scheduled alert rule" + } + } + }, + "variables": { + "OracleDatabaseAudit": "OracleDatabaseAudit", + "_OracleDatabaseAudit": "[variables('OracleDatabaseAudit')]", + "workbook-source": "[concat(resourceGroup().id, '/providers/Microsoft.OperationalInsights/workspaces/',parameters('workspace'))]", + "_workbook-source": "[variables('workbook-source')]", + "OracleDBAuditConnectFromExternalIp": "OracleDBAuditConnectFromExternalIp", + "_OracleDBAuditConnectFromExternalIp": "[variables('OracleDBAuditConnectFromExternalIp')]", + "OracleDBAuditDropManyTables": "OracleDBAuditDropManyTables", + "_OracleDBAuditDropManyTables": "[variables('OracleDBAuditDropManyTables')]", + "OracleDBAuditForbiddenSrcIpAddr": "OracleDBAuditForbiddenSrcIpAddr", + "_OracleDBAuditForbiddenSrcIpAddr": "[variables('OracleDBAuditForbiddenSrcIpAddr')]", + "OracleDBAuditNewIpForUser": "OracleDBAuditNewIpForUser", + "_OracleDBAuditNewIpForUser": "[variables('OracleDBAuditNewIpForUser')]", + "OracleDBAuditNewUserDetected": "OracleDBAuditNewUserDetected", + "_OracleDBAuditNewUserDetected": "[variables('OracleDBAuditNewUserDetected')]", + "OracleDBAuditQueryOnSensitiveTable": "OracleDBAuditQueryOnSensitiveTable", + "_OracleDBAuditQueryOnSensitiveTable": "[variables('OracleDBAuditQueryOnSensitiveTable')]", + "OracleDBAuditRareUserActivity": "OracleDBAuditRareUserActivity", + "_OracleDBAuditRareUserActivity": "[variables('OracleDBAuditRareUserActivity')]", + "OracleDBAuditSQLInjectionPatterns": "OracleDBAuditSQLInjectionPatterns", + "_OracleDBAuditSQLInjectionPatterns": "[variables('OracleDBAuditSQLInjectionPatterns')]", + "OracleDBAuditSelectOnManyTables": "OracleDBAuditSelectOnManyTables", + "_OracleDBAuditSelectOnManyTables": "[variables('OracleDBAuditSelectOnManyTables')]", + "OracleDBAuditShutdownServer": "OracleDBAuditShutdownServer", + "_OracleDBAuditShutdownServer": "[variables('OracleDBAuditShutdownServer')]", + "connector1-source": "[concat('/subscriptions/',subscription().subscriptionId,'/resourceGroups/',resourceGroup().name,'/providers/Microsoft.OperationalInsights/workspaces/',parameters('workspace'),'/providers/Microsoft.SecurityInsights/dataConnectors/',parameters('connector1-name'))]", + "_connector1-source": "[variables('connector1-source')]", + "OracleDatabaseAuditConnector": "OracleDatabaseAuditConnector", + "_OracleDatabaseAuditConnector": "[variables('OracleDatabaseAuditConnector')]", + "workspace-dependency": "[concat('Microsoft.OperationalInsights/workspaces/', parameters('workspace'))]", + "OracleDatabaseAuditEvent": "OracleDatabaseAuditEvent", + "_OracleDatabaseAuditEvent": "[variables('OracleDatabaseAuditEvent')]", + "OracleDBAuditActionsByIp": "OracleDBAuditActionsByIp", + "_OracleDBAuditActionsByIp": "[variables('OracleDBAuditActionsByIp')]", + "OracleDBAuditActionsByUser": "OracleDBAuditActionsByUser", + "_OracleDBAuditActionsByUser": "[variables('OracleDBAuditActionsByUser')]", + "OracleDBAuditActiveUsers": "OracleDBAuditActiveUsers", + "_OracleDBAuditActiveUsers": "[variables('OracleDBAuditActiveUsers')]", + "OracleDBAuditDbConnectNonOperationalTime": "OracleDBAuditDbConnectNonOperationalTime", + "_OracleDBAuditDbConnectNonOperationalTime": "[variables('OracleDBAuditDbConnectNonOperationalTime')]", + "OracleDBAuditDroppedTables": "OracleDBAuditDroppedTables", + "_OracleDBAuditDroppedTables": "[variables('OracleDBAuditDroppedTables')]", + "OracleDBAuditInactiveUsers": "OracleDBAuditInactiveUsers", + "_OracleDBAuditInactiveUsers": "[variables('OracleDBAuditInactiveUsers')]", + "OracleDBAuditLargeQueries": "OracleDBAuditLargeQueries", + "_OracleDBAuditLargeQueries": "[variables('OracleDBAuditLargeQueries')]", + "OracleDBAuditListOfTablesQueried": "OracleDBAuditListOfTablesQueried", + "_OracleDBAuditListOfTablesQueried": "[variables('OracleDBAuditListOfTablesQueried')]", + "OracleDBAuditUsersNewPrivilegesAdded": "OracleDBAuditUsersNewPrivilegesAdded", + "_OracleDBAuditUsersNewPrivilegesAdded": "[variables('OracleDBAuditUsersNewPrivilegesAdded')]", + "OracleDBAuditUsersPrivilegesReview": "OracleDBAuditUsersPrivilegesReview", + "_OracleDBAuditUsersPrivilegesReview": "[variables('OracleDBAuditUsersPrivilegesReview')]", + "sourceId": "azuresentinel.azure-sentinel-solution-oracledbaudit", + "_sourceId": "[variables('sourceId')]" + }, + "resources": [ + { + "type": "Microsoft.Insights/workbooks", + "name": "[parameters('workbook1-id')]", + "location": "[parameters('workspace-location')]", + "kind": "shared", + "apiVersion": "2020-02-12", + "properties": { + "displayName": "[concat(parameters('workbook1-name'), ' - ', parameters('formattedTimeNow'))]", + "serializedData": "{\"version\":\"Notebook/1.0\",\"items\":[{\"type\":1,\"content\":{\"json\":\"**NOTE**: This workbook depends on a parser based on Kusto Function to work as expected [**OracleDatabaseAuditEvent**](https://aka.ms/sentinel-OracleDatabaseAudit-parser) which is deployed with the Azure Sentinel Solution.\",\"style\":\"info\"},\"name\":\"text - 9\"},{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"parameters\":[{\"id\":\"88aa96e3-fc48-4b04-836e-fc2ec8ebf37f\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"TimeRange\",\"label\":\" Time Range\",\"type\":4,\"value\":{\"durationMs\":2592000000},\"typeSettings\":{\"selectableValues\":[{\"durationMs\":300000},{\"durationMs\":3600000},{\"durationMs\":43200000},{\"durationMs\":86400000},{\"durationMs\":259200000},{\"durationMs\":604800000},{\"durationMs\":2592000000},{\"durationMs\":7776000000}]},\"timeContext\":{\"durationMs\":86400000}}],\"style\":\"pills\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"name\":\"parameters - 2\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"OracleDatabaseAuditEvent\\r\\n| make-series TotalEvents = count() default = 0 on TimeGenerated from {TimeRange:start} to {TimeRange:end} step {TimeRange:grain};\",\"size\":0,\"title\":\"Events over time\",\"timeContext\":{\"durationMs\":0},\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"timechart\"},\"customWidth\":\"70\",\"name\":\"query - 9\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"OracleDatabaseAuditEvent\\r\\n| where isnotempty(DbAction)\\r\\n| summarize TotalEvents = count() by DbAction\",\"size\":3,\"title\":\"Top Database Actions\",\"timeContext\":{\"durationMs\":0},\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"piechart\",\"tileSettings\":{\"titleContent\":{\"columnMatch\":\"EventSeverity\",\"formatter\":1,\"numberFormat\":{\"unit\":0,\"options\":{\"style\":\"decimal\"}}},\"leftContent\":{\"columnMatch\":\"TotalEvents\",\"formatter\":12,\"formatOptions\":{\"palette\":\"auto\"}},\"showBorder\":true,\"rowLimit\":7,\"size\":\"auto\"},\"graphSettings\":{\"type\":0,\"topContent\":{\"columnMatch\":\"EventSeverity\",\"formatter\":1},\"centerContent\":{\"columnMatch\":\"TotalEvents\",\"formatter\":1,\"numberFormat\":{\"unit\":17,\"options\":{\"maximumSignificantDigits\":3,\"maximumFractionDigits\":2}}}}},\"customWidth\":\"30\",\"name\":\"query - 3\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"OracleDatabaseAuditEvent\\r\\n| where isnotempty(DstUserName)\\r\\n| summarize TotalEvents = count() by DstUserName\\r\\n| order by TotalEvents\\r\\n| take 10\",\"size\":3,\"title\":\"Database Users Activity (Events)\",\"timeContext\":{\"durationMs\":0},\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"piechart\"},\"customWidth\":\"30\",\"name\":\"query - 5\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"OracleDatabaseAuditEvent\\r\\n| where isnotempty(SrcUserName)\\r\\n| summarize TotalEvents = count() by SrcUserName\\r\\n\",\"size\":3,\"title\":\"Source Users Activity (Events)\",\"timeContext\":{\"durationMs\":0},\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"piechart\",\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"TotalEvents\",\"formatter\":8,\"formatOptions\":{\"palette\":\"blueGreen\"}},{\"columnMatch\":\"Trend\",\"formatter\":10,\"formatOptions\":{\"palette\":\"turquoise\"}}],\"rowLimit\":10,\"labelSettings\":[{\"columnId\":\"TotalEvents\",\"label\":\"Total Events\"},{\"columnId\":\"Trend\"}]}},\"customWidth\":\"31\",\"name\":\"query - 6\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"OracleDatabaseAuditEvent\\r\\n| where isnotempty(SrcDvcHostname)\\r\\n| summarize TotalEvents = count() by SrcDvcHostname\\r\\n| join kind = inner (OracleDatabaseAuditEvent\\r\\n | where isnotempty(SrcDvcHostname)\\r\\n | make-series Trend = count() default = 0 on TimeGenerated from {TimeRange:start} to {TimeRange:end} step {TimeRange:grain} by SrcDvcHostname)\\r\\n on SrcDvcHostname\\r\\n| project SrcDvcHostname, TotalEvents, Trend\\r\\n| order by TotalEvents\\r\\n| top 10 by TotalEvents\",\"size\":3,\"title\":\"Top Source Hosts\",\"timeContext\":{\"durationMs\":0},\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"table\",\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"TotalEvents\",\"formatter\":8,\"formatOptions\":{\"palette\":\"turquoise\"}},{\"columnMatch\":\"Trend\",\"formatter\":10,\"formatOptions\":{\"palette\":\"blue\"}}]},\"tileSettings\":{\"showBorder\":false,\"titleContent\":{\"columnMatch\":\"SrcDvcHostname\",\"formatter\":1},\"leftContent\":{\"columnMatch\":\"TotalEvents\",\"formatter\":12,\"formatOptions\":{\"palette\":\"auto\"},\"numberFormat\":{\"unit\":17,\"options\":{\"maximumSignificantDigits\":3,\"maximumFractionDigits\":2}}}}},\"customWidth\":\"33\",\"name\":\"query - 7\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"OracleDatabaseAuditEvent\\n| where DbAction =~ 'SELECT'\\n| extend TableName = replace(@'[,\\\\(\\\\)]', '', extract(@'(?i)SELECT(.*?)FROM\\\\s(.*?)\\\\s', 2, Action))\\n| where isnotempty(TableName)\\n| where TableName !in ('select', 'SELECT')\\n| summarize count() by TableName\\n| order by count_\\n\\n\\n\",\"size\":0,\"title\":\"Database Tables Queried\",\"timeContext\":{\"durationMs\":0},\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"barchart\",\"tileSettings\":{\"titleContent\":{\"columnMatch\":\"EventCategory\",\"formatter\":1},\"leftContent\":{\"columnMatch\":\"TotalEvents\",\"formatter\":12,\"formatOptions\":{\"palette\":\"auto\"},\"numberFormat\":{\"unit\":17,\"options\":{\"maximumSignificantDigits\":3,\"maximumFractionDigits\":2}}},\"secondaryContent\":{\"columnMatch\":\"Trend\",\"formatter\":9,\"formatOptions\":{\"palette\":\"blue\"}},\"showBorder\":false,\"rowLimit\":10},\"graphSettings\":{\"type\":0,\"topContent\":{\"columnMatch\":\"TableName\",\"formatter\":1},\"centerContent\":{\"columnMatch\":\"count_\",\"formatter\":1,\"numberFormat\":{\"unit\":17,\"options\":{\"maximumSignificantDigits\":3,\"maximumFractionDigits\":2}}},\"nodeIdField\":\"TableName\",\"sourceIdField\":\"TableName\",\"targetIdField\":\"count_\",\"graphOrientation\":3,\"showOrientationToggles\":false,\"staticNodeSize\":100,\"hivesMargin\":5},\"chartSettings\":{\"xSettings\":{\"numberFormatSettings\":{\"unit\":0,\"options\":{\"style\":\"decimal\",\"useGrouping\":true}}}}},\"name\":\"query - 2\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"OracleDatabaseAuditEvent\\r\\n| where TimeGenerated > ago(30d)\\r\\n| order by TimeGenerated\\r\\n| where isnotempty(SrcUserName)\\r\\n| where isnotempty(DbAction)\\r\\n| summarize EventTime = max(TimeGenerated) by SrcUserName, DbAction\\r\\n| order by EventTime desc\\r\\n| join (OracleDatabaseAuditEvent\\r\\n | where TimeGenerated > ago(30d)\\r\\n | order by TimeGenerated\\r\\n | where isnotempty(SrcUserName)\\r\\n | where isnotempty(DbAction)\\r\\n | summarize by SrcUserName) on SrcUserName\\r\\n| project EventTime, SrcUserName, DbAction\\r\\n\\r\\n\",\"size\":1,\"title\":\"Latest User Actions\",\"timeContext\":{\"durationMs\":0},\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"table\",\"gridSettings\":{\"rowLimit\":100,\"filter\":true}},\"customWidth\":\"50\",\"name\":\"query - 4\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"OracleDatabaseAuditEvent\\r\\n| where isnotempty(SrcUserName)\\r\\n| where isnotempty(Privilege)\\r\\n| summarize Privileges = makeset(Privilege) by SrcUserName\",\"size\":1,\"title\":\"Users' Privileges\",\"timeContext\":{\"durationMs\":2592000000},\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"table\",\"gridSettings\":{\"rowLimit\":100,\"filter\":true},\"graphSettings\":{\"type\":0,\"leftContent\":{\"columnMatch\":\"SrcUserName\"},\"centerContent\":{\"columnMatch\":\"SrcUserName\",\"formatter\":1},\"bottomContent\":{\"columnMatch\":\"set_Privilege\",\"formatter\":1},\"nodeIdField\":\"set_Privilege\",\"sourceIdField\":\"SrcUserName\",\"targetIdField\":\"SrcUserName\",\"graphOrientation\":1,\"showOrientationToggles\":false,\"staticNodeSize\":100,\"groupByField\":\"SrcUserName\",\"hivesMargin\":5},\"mapSettings\":{\"locInfo\":\"LatLong\"}},\"customWidth\":\"39\",\"name\":\"query - 8\"}],\"fromTemplateId\":\"sentinel-OracleDatabaseAudit\",\"$schema\":\"https://github.com/Microsoft/Application-Insights-Workbooks/blob/master/schema/workbook.json\"}\r\n", + "version": "1.0", + "sourceId": "[variables('_workbook-source')]", + "category": "sentinel" + } + }, + { + "id": "[variables('_connector1-source')]", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',parameters('connector1-name'))]", + "apiVersion": "2021-03-01-preview", + "type": "Microsoft.OperationalInsights/workspaces/providers/dataConnectors", + "kind": "GenericUI", + "properties": { + "connectorUiConfig": { + "title": "Oracle Database Audit (Preview)", + "publisher": "Oracle", + "descriptionMarkdown": "The Oracle DB Audit data connector provides the capability to ingest [Oracle Database](https://www.oracle.com/database/technologies/) audit events into Azure Sentinel through the syslog. Refer to [documentation](https://docs.oracle.com/en/database/oracle/oracle-database/21/dbseg/introduction-to-auditing.html#GUID-94381464-53A3-421B-8F13-BD171C867405) for more information.", + "graphQueries": [ + { + "metricName": "Total data received", + "legend": "OracleDatabaseAudit", + "baseQuery": "OracleDatabaseAuditEvent" + } + ], + "sampleQueries": [ + { + "description": "Top 10 Sources", + "query": "OracleDatabaseAuditEvent\n | summarize count() by SrcDvcHostname\n | top 10 by count_" + } + ], + "dataTypes": [ + { + "name": "Syslog (OracleDatabaseAudit)", + "lastDataReceivedQuery": "OracleDatabaseAuditEvent\n | summarize Time = max(TimeGenerated)\n | where isnotempty(Time)" + } + ], + "connectivityCriterias": [ + { + "type": "IsConnectedQuery", + "value": [ + "OracleDatabaseAuditEvent\n | summarize LastLogReceived = max(TimeGenerated)\n | project IsConnected = LastLogReceived > ago(30d)" + ] + } + ], + "availability": { + "status": 1, + "isPreview": true + }, + "permissions": { + "resourceProvider": [ + { + "provider": "Microsoft.OperationalInsights/workspaces", + "permissionsDisplayText": "write permission is required.", + "providerDisplayName": "Workspace", + "scope": "Workspace", + "requiredPermissions": { + "write": true, + "delete": true + } + } + ] + }, + "instructionSteps": [ + { + "description": ">**NOTE:** This data connector depends on a parser based on a Kusto Function to work as expected [**OracleDatabaseAuditEvent**](https://aka.ms/sentinel-OracleDatabaseAudit-parser) which is deployed with the Azure Sentinel Solution." + }, + { + "description": "Typically, you should install the agent on a different computer from the one on which the logs are generated.\n\n> Syslog logs are collected only from **Linux** agents.", + "instructions": [ + { + "parameters": { + "title": "Choose where to install the agent:", + "instructionSteps": [ + { + "title": "Install agent on Azure Linux Virtual Machine", + "description": "Select the machine to install the agent on and then click **Connect**.", + "instructions": [ + { + "parameters": { + "linkType": "InstallAgentOnLinuxVirtualMachine" + }, + "type": "InstallAgent" + } + ] + }, + { + "title": "Install agent on a non-Azure Linux Machine", + "description": "Download the agent on the relevant machine and follow the instructions.", + "instructions": [ + { + "parameters": { + "linkType": "InstallAgentOnLinuxNonAzure" + }, + "type": "InstallAgent" + } + ] + } + ] + }, + "type": "InstructionStepsGroup" + } + ], + "title": "1. Install and onboard the agent for Linux" + }, + { + "description": "Configure the facilities you want to collect and their severities.\n\n1. Under workspace advanced settings **Configuration**, select **Data** and then **Syslog**.\n2. Select **Apply below configuration to my machines** and select the facilities and severities.\n3. Click **Save**.", + "instructions": [ + { + "parameters": { + "linkType": "OpenAdvancedWorkspaceSettings" + }, + "type": "InstallAgent" + } + ], + "title": "2. Configure the logs to be collected" + }, + { + "description": "[Follow these instructions](https://docs.oracle.com/en/database/oracle/oracle-database/21/dbseg/administering-the-audit-trail.html#GUID-662AA54B-D878-4B78-94D3-733256B3F37C) to configure Oracle Database Audit events to be sent to Syslog.\nFor more information please refer to [documentation](https://docs.oracle.com/en/database/oracle/oracle-database/21/dbseg/administering-the-audit-trail.html)", + "title": "3. Configure Oracle Database Audit events to be sent to Syslog" + } + ], + "additionalRequirementBanner": ">**NOTE:** This data connector depends on a parser based on a Kusto Function to work as expected [**OracleDatabaseAuditEvent**](https://aka.ms/sentinel-OracleDatabaseAudit-parser) which is deployed with the Azure Sentinel Solution." + } + } + }, + { + "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',parameters('analytic1-id'))]", + "apiVersion": "2020-01-01", + "kind": "Scheduled", + "location": "[parameters('workspace-location')]", + "properties": { + "description": "Detects when connection to database is from external IP source.", + "displayName": "OracleDBAudit - Connection to database from external IP", + "enabled": false, + "query": "OracleDatabaseAuditEvent\n| where isnotempty(SrcIpAddr)\n| where isnotempty(Action)\n| where DbAction =~ 'connect'\n| where ipv4_is_private(SrcIpAddr) == 'false'\n| extend AccountCustomEntity = DstUserName\n| extend IPCustomEntity = SrcIpAddr\n", + "queryFrequency": "PT30M", + "queryPeriod": "PT30M", + "severity": "Medium", + "suppressionDuration": "PT1H", + "suppressionEnabled": false, + "triggerOperator": "GreaterThan", + "triggerThreshold": 0, + "tactics": [ + "InitialAccess", + "Collection", + "Exfiltration" + ] + } + }, + { + "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',parameters('analytic2-id'))]", + "apiVersion": "2020-01-01", + "kind": "Scheduled", + "location": "[parameters('workspace-location')]", + "properties": { + "description": "Detects when user drops many tables in short period of time.", + "displayName": "OracleDBAudit - Multiple tables dropped in short time", + "enabled": false, + "query": "let tbl_threshold = 10;\nOracleDatabaseAuditEvent\n| where isnotempty(DstUserName)\n| where DbAction =~ 'DROP'\n| extend TableName = replace(@'[,\\(\\)]', '', extract(@'(?i)SELECT(.*?)FROM\\s(.*?)\\s', 2, Action))\n| where isnotempty(TableName)\n| where TableName !~ 'SELECT'\n| summarize tbl_count = dcount(TableName) by DstUserName\n| where tbl_count > tbl_threshold\n| extend AccountCustomEntity = DstUserName\n", + "queryFrequency": "PT30M", + "queryPeriod": "PT30M", + "severity": "Medium", + "suppressionDuration": "PT1H", + "suppressionEnabled": false, + "triggerOperator": "GreaterThan", + "triggerThreshold": 0, + "tactics": [ + "Impact" + ] + } + }, + { + "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',parameters('analytic3-id'))]", + "apiVersion": "2020-01-01", + "kind": "Scheduled", + "location": "[parameters('workspace-location')]", + "properties": { + "description": "Detects when user connects to a database from IP address which is not present in AllowList.", + "displayName": "OracleDBAudit - Connection to database from unknown IP", + "enabled": false, + "query": "let ip_allowlist = dynamic(['127.0.0.2']);\nOracleDatabaseAuditEvent\n| where isnotempty(SrcIpAddr)\n| where DbAction =~ 'CONNECT'\n| where SrcIpAddr !in (ip_allowlist)\n| project SrcIpAddr, DstUserName\n| extend AccountCustomEntity = DstUserName\n| extend IPCustomEntity = SrcIpAddr\n", + "queryFrequency": "PT1H", + "queryPeriod": "PT1H", + "severity": "Medium", + "suppressionDuration": "PT1H", + "suppressionEnabled": false, + "triggerOperator": "GreaterThan", + "triggerThreshold": 0, + "tactics": [ + "InitialAccess" + ] + } + }, + { + "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',parameters('analytic4-id'))]", + "apiVersion": "2020-01-01", + "kind": "Scheduled", + "location": "[parameters('workspace-location')]", + "properties": { + "description": "Detects when a user connects to database from new IP address.", + "displayName": "OracleDBAudit - User connected to database from new IP", + "enabled": false, + "query": "let lbtime_d = 14d;\nlet lbtime_24h = 24h;\nOracleDatabaseAuditEvent\n| where TimeGenerated between (ago(lbtime_d) .. ago(lbtime_24h))\n| where isnotempty(SrcIpAddr)\n| where isnotempty(DstUserName)\n| summarize knownIPs = make_set(SrcIpAddr) by DstUserName\n| join (OracleDatabaseAuditEvent\n | where isnotempty(SrcIpAddr)\n | where isnotempty(DstUserName)\n | where DbAction =~ 'connect'\n ) on DstUserName\n| where knownIPs !contains SrcIpAddr\n| project DstUserName, SrcIpAddr\n| extend AccountCustomEntity = DstUserName\n| extend IPCustomEntity = SrcIpAddr\n", + "queryFrequency": "PT1H", + "queryPeriod": "P14D", + "severity": "Low", + "suppressionDuration": "PT1H", + "suppressionEnabled": false, + "triggerOperator": "GreaterThan", + "triggerThreshold": 0, + "tactics": [ + "InitialAccess" + ] + } + }, + { + "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',parameters('analytic5-id'))]", + "apiVersion": "2020-01-01", + "kind": "Scheduled", + "location": "[parameters('workspace-location')]", + "properties": { + "description": "Detects when an action was made by new user.", + "displayName": "OracleDBAudit - New user account", + "enabled": false, + "query": "let lbtime_d = 14d;\nlet lbtime_24h = 24h;\nlet known_users = OracleDatabaseAuditEvent\n| where TimeGenerated between (ago(lbtime_d) .. ago(lbtime_24h))\n| where isnotempty(DstUserName)\n| where isnotempty(Action)\n| summarize makeset(DstUserName);\nOracleDatabaseAuditEvent\n| where isnotempty(DstUserName)\n| where isnotempty(Action)\n| where DstUserName !in (known_users)\n| project DstUserName\n| extend AccountCustomEntity = DstUserName\n", + "queryFrequency": "PT3H", + "queryPeriod": "P14D", + "severity": "Low", + "suppressionDuration": "PT1H", + "suppressionEnabled": false, + "triggerOperator": "GreaterThan", + "triggerThreshold": 0, + "tactics": [ + "InitialAccess", + "Persistence" + ] + } + }, + { + "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',parameters('analytic6-id'))]", + "apiVersion": "2020-01-01", + "kind": "Scheduled", + "location": "[parameters('workspace-location')]", + "properties": { + "description": "Detects when user queries sensitive tables.", + "displayName": "OracleDBAudit - Query on Sensitive Table", + "enabled": false, + "query": "let sensitive_tbls = dynamic(['table_name1', 'table_name2']);\nOracleDatabaseAuditEvent\n| where isnotempty(DstUserName)\n| where isnotempty(Action)\n| extend TableName = replace(@'[,\\(\\)]', '', extract(@'(?i)SELECT(.*?)FROM\\s(.*?)\\s', 2, Action))\n| where isnotempty(TableName)\n| where TableName in (sensitive_tbls)\n| project TableName, DstUserName, DbAction\n| extend AccountCustomEntity = DstUserName\n", + "queryFrequency": "PT30M", + "queryPeriod": "PT30M", + "severity": "Medium", + "suppressionDuration": "PT1H", + "suppressionEnabled": false, + "triggerOperator": "GreaterThan", + "triggerThreshold": 0, + "tactics": [ + "Collection" + ] + } + }, + { + "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',parameters('analytic7-id'))]", + "apiVersion": "2020-01-01", + "kind": "Scheduled", + "location": "[parameters('workspace-location')]", + "properties": { + "description": "Detects when an action was made by a user which last activity was observed more than 30 days ago.", + "displayName": "OracleDBAudit - User activity after long inactivity time", + "enabled": false, + "query": "let lbtime_14d = 14d;\nlet lbtime_7d = 7d;\nlet lbtime_24h = 24h;\nlet known_users_14d = OracleDatabaseAuditEvent\n| where TimeGenerated between (ago(lbtime_14d) .. ago(lbtime_14d))\n| where isnotempty(DstUserName)\n| where isnotempty(Action)\n| summarize makeset(DstUserName);\nlet known_users_7d = OracleDatabaseAuditEvent\n| where TimeGenerated between (ago(lbtime_7d) .. ago(lbtime_24h))\n| where isnotempty(DstUserName)\n| where isnotempty(Action)\n| summarize makeset(DstUserName);\nOracleDatabaseAuditEvent\n| where isnotempty(DstUserName)\n| where isnotempty(Action)\n| where DstUserName !in (known_users_7d)\n| where DstUserName in (known_users_14d)\n| project DstUserName\n| extend AccountCustomEntity = DstUserName\n", + "queryFrequency": "PT1H", + "queryPeriod": "P14D", + "severity": "Medium", + "suppressionDuration": "PT1H", + "suppressionEnabled": false, + "triggerOperator": "GreaterThan", + "triggerThreshold": 0, + "tactics": [ + "InitialAccess", + "Persistence" + ] + } + }, + { + "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',parameters('analytic8-id'))]", + "apiVersion": "2020-01-01", + "kind": "Scheduled", + "location": "[parameters('workspace-location')]", + "properties": { + "description": "Detects common known SQL injection patterns used in automated scripts.", + "displayName": "OracleDBAudit - SQL injection patterns", + "enabled": false, + "query": "OracleDatabaseAuditEvent\n| where isnotempty(DstUserName)\n| where Action has_any (\"admin' --\" ,\"admin' #\", \"admin'/*\", \"0=1\", \"1=0\", \"1=1\", \"1=2\", \"' or 1=1--\", \"' or 1=1#\", \"' or 1=1/*\", \"') or '1'='1--\", \"') or ('1'='1--\")\n| project SrcIpAddr, DstUserName, Action\n| extend AccountCustomEntity = DstUserName\n| extend IPCustomEntity = SrcIpAddr\n", + "queryFrequency": "PT1H", + "queryPeriod": "PT1H", + "severity": "Medium", + "suppressionDuration": "PT1H", + "suppressionEnabled": false, + "triggerOperator": "GreaterThan", + "triggerThreshold": 0, + "tactics": [ + "InitialAccess" + ] + } + }, + { + "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',parameters('analytic9-id'))]", + "apiVersion": "2020-01-01", + "kind": "Scheduled", + "location": "[parameters('workspace-location')]", + "properties": { + "description": "Detects when user queries many tables in short period of time.", + "displayName": "OracleDBAudit - Unusual user activity on multiple tables", + "enabled": false, + "query": "let tbl_threshold = 10;\nOracleDatabaseAuditEvent\n| where isnotempty(DstUserName)\n| where DbAction =~ 'SELECT'\n| extend TableName = replace(@'[,\\(\\)]', '', extract(@'(?i)SELECT(.*?)FROM\\s(.*?)\\s', 2, Action))\n| where isnotempty(TableName)\n| where TableName !~ 'SELECT'\n| summarize tbl_count = dcount(TableName) by DstUserName, bucket = bin(TimeGenerated, 5m)\n| where tbl_count > tbl_threshold\n| extend AccountCustomEntity = DstUserName\n", + "queryFrequency": "PT1H", + "queryPeriod": "PT1H", + "severity": "Medium", + "suppressionDuration": "PT1H", + "suppressionEnabled": false, + "triggerOperator": "GreaterThan", + "triggerThreshold": 0, + "tactics": [ + "Collection" + ] + } + }, + { + "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',parameters('analytic10-id'))]", + "apiVersion": "2020-01-01", + "kind": "Scheduled", + "location": "[parameters('workspace-location')]", + "properties": { + "description": "Detects when \"SHUTDOWN\" command was sent to server.", + "displayName": "OracleDBAudit - Shutdown Server", + "enabled": false, + "query": "OracleDatabaseAuditEvent\n| where isnotempty(SrcIpAddr)\n| where DbAction =~ 'SHUTDOWN'\n| project SrcIpAddr, DstUserName\n| extend AccountCustomEntity = DstUserName\n| extend IPCustomEntity = SrcIpAddr\n", + "queryFrequency": "PT1H", + "queryPeriod": "PT1H", + "severity": "Medium", + "suppressionDuration": "PT1H", + "suppressionEnabled": false, + "triggerOperator": "GreaterThan", + "triggerThreshold": 0, + "tactics": [ + "Impact" + ] + } + }, + { + "type": "Microsoft.OperationalInsights/workspaces", + "apiVersion": "2020-08-01", + "name": "[parameters('workspace')]", + "location": "[parameters('workspace-location')]", + "resources": [ + { + "type": "savedSearches", + "apiVersion": "2020-08-01", + "name": "OracleDatabaseAudit Data Parser", + "dependsOn": [ + "[variables('workspace-dependency')]" + ], + "properties": { + "eTag": "*", + "displayName": "OracleDatabaseAudit Data Parser", + "category": "Samples", + "functionAlias": "OracleDatabaseAuditEvent", + "query": "\nlet oracledb_type_1 =() {\nSyslog\n| where SyslogMessage matches regex @\".*ACTION(\\s)?:\\[\\d+\\]\\s\\'(.*?)\\s\"\n| extend EventVendor = 'Oracle'\n| extend EventProduct = 'Oracle Audit'\n| extend MessageLength = extract(@\"LENGTH(\\s)?: \\'(\\d+)\\'\", 2, SyslogMessage)\n| extend Action = extract(@\"ACTION(\\s)?:\\[\\d+\\] \\'(.*?)\\'\\s+DATABASE USER\", 2, SyslogMessage)\n| extend ActionLength = extract(@\"ACTION(\\s)?:\\[(\\d+)\\] \\'(.*?)\\'\\s+DATABASE USER\", 2, SyslogMessage)\n| extend DbAction = toupper(extract(@\"ACTION(\\s)?:\\[\\d+\\] \\'(?i)(SELECT|CREATE|ALTER|DROP|read|declare|BEGIN|Copy|CONNECT|COMMIT)(\\s|\\')\", 2, SyslogMessage))\n| extend DstUserName = extract(@\"DATABASE USER(\\s)?:\\[\\d+\\]\\s\\'(.*?)\\'\\s+PRIVILEGE\", 2, SyslogMessage)\n| extend Privilege = extract(@\"PRIVILEGE(\\s)?:\\[\\d+\\]\\s\\'(.*?)\\'\", 2, SyslogMessage)\n| extend SrcUserName = extract(@\"CLIENT USER(\\s)?:\\[\\d+\\]\\s\\'(.*?)\\'\", 2, SyslogMessage)\n| extend ClientTerminal = extract(@\"CLIENT TERMINAL(\\s)?:\\[\\d+\\] \\'(.*?)\\'\", 2, SyslogMessage)\n| extend Status = extract(@\"STATUS(\\s)?:\\[\\d+\\]\\s\\'(.*?)\\'\" , 2, SyslogMessage)\n| extend DbId = extract(@\"DBID(\\s)?:\\[\\d+\\]\\s\\'(.*?)\\'\" , 2, SyslogMessage)\n| extend SrcIpAddr = extract(@'HOST=(\\d{1,3}\\.\\d{1,3}\\.\\d{1,3}\\.\\d{1,3})', 1, SyslogMessage)\n| extend SrcPortNumber = extract(@'PORT=(\\d{1,5})', 1, SyslogMessage)\n};\nlet oracledb_type_2 =() {\nSyslog\n| where SyslogMessage matches regex @\"STATEMENT(\\s)?:\\[\\d+\\]\"\n| extend EventVendor = 'Oracle'\n| extend EventProduct = \"Oracle Audit\"\n| extend MessageLength = extract(@'LENGTH(\\s)?:(\\s)?(\\d+)\\s+', 3, SyslogMessage)\n| extend SessionId = extract(@'SESSIONID(\\s)?:\\[\\d+\\]\\s+(\\d+)\\s+', 2, SyslogMessage)\n| extend EntryId = extract(@'ENTRYID(\\s)?:\\[\\d+\\]\\s+(\\d+)\\s+', 2, SyslogMessage)\n| extend Statement = extract(@'STATEMENT(\\s)?:\\[\\d+\\]\\s+(\\d+)\\s+', 2, SyslogMessage)\n| extend SrcUserName = extract(@'USERID(\\s)?:\\[\\d+\\]\\s+(.*?)\\s+USERHOST\"', 2, SyslogMessage)\n| extend SrcDvcHostname = extract(@'USERHOST(\\s)?:\\[\\d+\\]\\s+(.*?)\\s+(ACTION|TERMINAL)', 2, SyslogMessage)\n| extend Action = extract(@'ACTION(\\s)?:\\[\\d+\\]\\s+(.*?)\\s+RETURNCODE', 2, SyslogMessage)\n| extend ActionLength = extract(@'ACTION(\\s)?:\\[(\\d+)\\]\\s+(.*?)\\s+RETURNCODE', 2, SyslogMessage)\n| extend DbAction = case(Action == '1', 'CREATE TABLE',\n Action == '2', 'INSERT',\n Action == '3', 'SELECT',\n Action == '4', 'CREATE CLUSTER',\n Action == '5', 'ALTER CLUSTER',\n Action == '6', 'UPDATE',\n Action == '7', 'DELETE',\n Action == '8', 'DROP CLUSTER',\n Action == '9', 'CREATE INDEX',\n Action == '10', 'DROP INDEX',\n Action == '11', 'ALTER INDEX',\n Action == '12', 'DROP TABLE',\n Action == '13', 'CREATE SEQUENCE',\n Action == '14', 'ALTER SEQUENCE',\n Action == '15', 'ALTER TABLE',\n Action == '16', 'DROP SEQUENCE',\n Action == '17', 'GRANT OBJECT',\n Action == '18', 'REVOKE OBJECT',\n Action == '19', 'CREATE SYNONYM',\n Action == '20', 'DROP SYNONYM',\n Action == '21', 'CREATE VIEW',\n Action == '22', 'DROP VIEW',\n Action == '23', 'VALIDATE INDEX',\n Action == '24', 'CREATE PROCEDURE',\n Action == '25', 'ALTER PROCEDURE',\n Action == '26', 'LOCK',\n Action == '27', 'NO-OP',\n Action == '28', 'RENAME',\n Action == '29', 'COMMENT',\n Action == '30', 'AUDIT OBJECT',\n Action == '31', 'NOAUDIT OBJECT',\n Action == '32', 'CREATE DATABASE LINK',\n Action == '33', 'DROP DATABASE LINK',\n Action == '34', 'CREATE DATABASE',\n Action == '35', 'ALTER DATABASE',\n Action == '36', 'CREATE ROLLBACK SEG',\n Action == '37', 'ALTER ROLLBACK SEG',\n Action == '38', 'DROP ROLLBACK SEG',\n Action == '39', 'CREATE TABLESPACE',\n Action == '40', 'ALTER TABLESPACE',\n Action == '41', 'DROP TABLESPACE',\n Action == '42', 'ALTER SESSION',\n Action == '43', 'ALTER USER',\n Action == '44', 'COMMIT',\n Action == '45', 'ROLLBACK',\n Action == '46', 'SAVEPOINT',\n Action == '47', 'PL/SQL EXECUTE',\n Action == '48', 'SET TRANSACTION',\n Action == '49', 'ALTER SYSTEM',\n Action == '50', 'EXPLAIN',\n Action == '51', 'CREATE USER',\n Action == '52', 'CREATE ROLE',\n Action == '53', 'DROP USER',\n Action == '54', 'DROP ROLE',\n Action == '55', 'SET ROLE',\n Action == '56', 'CREATE SCHEMA',\n Action == '57', 'CREATE CONTROL FILE',\n Action == '59', 'CREATE TRIGGER',\n Action == '60', 'ALTER TRIGGER',\n Action == '61', 'DROP TRIGGER',\n Action == '62', 'ANALYZE TABLE',\n Action == '63', 'ANALYZE INDEX',\n Action == '64', 'ANALYZE CLUSTER',\n Action == '65', 'CREATE PROFILE',\n Action == '66', 'DROP PROFILE',\n Action == '67', 'ALTER PROFILE',\n Action == '68', 'DROP PROCEDURE',\n Action == '70', 'ALTER RESOURCE COST',\n Action == '71', 'CREATE MATERIALIZED VIEW LOG',\n Action == '72', 'ALTER MATERIALIZED VIEW LOG',\n Action == '73', 'DROP MATERIALIZED VIEW LOG',\n Action == '74', 'CREATE MATERIALIZED VIEW',\n Action == '75', 'ALTER MATERIALIZED VIEW',\n Action == '76', 'DROP MATERIALIZED VIEW',\n Action == '77', 'CREATE TYPE',\n Action == '78', 'DROP TYPE',\n Action == '79', 'ALTER ROLE',\n Action == '80', 'ALTER TYPE',\n Action == '81', 'CREATE TYPE BODY',\n Action == '82', 'ALTER TYPE BODY',\n Action == '83', 'DROP TYPE BODY',\n Action == '84', 'DROP LIBRARY',\n Action == '85', 'TRUNCATE TABLE',\n Action == '86', 'TRUNCATE CLUSTER',\n Action == '91', 'CREATE FUNCTION',\n Action == '92', 'ALTER FUNCTION',\n Action == '93', 'DROP FUNCTION',\n Action == '94', 'CREATE PACKAGE',\n Action == '95', 'ALTER PACKAGE',\n Action == '96', 'DROP PACKAGE',\n Action == '97', 'CREATE PACKAGE BODY',\n Action == '98', 'ALTER PACKAGE BODY',\n Action == '99', 'DROP PACKAGE BODY',\n Action == '100', 'LOGON',\n Action == '101', 'LOGOFF',\n Action == '102', 'LOGOFF BY CLEANUP',\n Action == '103', 'SESSION REC',\n Action == '104', 'SYSTEM AUDIT',\n Action == '105', 'SYSTEM NOAUDIT',\n Action == '106', 'AUDIT DEFAULT',\n Action == '107', 'NOAUDIT DEFAULT',\n Action == '108', 'SYSTEM GRANT',\n Action == '109', 'SYSTEM REVOKE',\n Action == '110', 'CREATE PUBLIC SYNONYM',\n Action == '111', 'DROP PUBLIC SYNONYM',\n Action == '112', 'CREATE PUBLIC DATABASE LINK',\n Action == '113', 'DROP PUBLIC DATABASE LINK',\n Action == '114', 'GRANT ROLE',\n Action == '115', 'REVOKE ROLE',\n Action == '116', 'EXECUTE PROCEDURE',\n Action == '117', 'USER COMMENT',\n Action == '118', 'ENABLE TRIGGER',\n Action == '119', 'DISABLE TRIGGER',\n Action == '120', 'ENABLE ALL TRIGGERS',\n Action == '121', 'DISABLE ALL TRIGGERS',\n Action == '122', 'NETWORK ERROR',\n Action == '123', 'EXECUTE TYPE',\n Action == '128', 'FLASHBACK',\n Action == '129', 'CREATE SESSION',\n Action == '157', 'CREATE DIRECTORY',\n Action == '158', 'DROP DIRECTORY',\n Action == '159', 'CREATE LIBRARY',\n Action == '160', 'CREATE JAVA',\n Action == '161', 'ALTER JAVA',\n Action == '162', 'DROP JAVA',\n Action == '163', 'CREATE OPERATOR',\n Action == '164', 'CREATE INDEXTYPE',\n Action == '165', 'DROP INDEXTYPE',\n Action == '167', 'DROP OPERATOR',\n Action == '168', 'ASSOCIATE STATISTICS',\n Action == '169', 'DISASSOCIATE STATISTICS',\n Action == '170', 'CALL METHOD',\n Action == '171', 'CREATE SUMMARY',\n Action == '172', 'ALTER SUMMARY',\n Action == '173', 'DROP SUMMARY',\n Action == '174', 'CREATE DIMENSION',\n Action == '175', 'ALTER DIMENSION',\n Action == '176', 'DROP DIMENSION',\n Action == '177', 'CREATE CONTEXT',\n Action == '178', 'DROP CONTEXT',\n Action == '179', 'ALTER OUTLINE',\n Action == '180', 'CREATE OUTLINE',\n Action == '181', 'DROP OUTLINE',\n Action == '182', 'UPDATE INDEXES',\n Action == '183', 'ALTER OPERATOR',\n Action == '197', 'PURGE USER_RECYCLEBIN',\n Action == '198', 'PURGE DBA_RECYCLEBIN',\n Action == '199', 'PURGE TABLESAPCE',\n Action == '200', 'PURGE TABLE',\n Action == '201', 'PURGE INDEX',\n Action == '202', 'UNDROP OBJECT',\n Action == '204', 'FLASHBACK DATABASE',\n Action == '205', 'FLASHBACK TABLE',\n Action == '206', 'CREATE RESTORE POINT',\n Action == '207', 'DROP RESTORE POINT',\n Action == '208', 'PROXY AUTHENTICATION ONLY',\n Action == '209', 'DECLARE REWRITE EQUIVALENCE',\n Action == '210', 'ALTER REWRITE EQUIVALENCE',\n Action == '211', 'DROP REWRITE EQUIVALENCE',\n 'UNKNOWN ACTION'\n )\n| extend ReturnCode = extract(@'RETURNCODE(\\s)?:\\[\\d+\\]\\s+(\\d+)\\s+', 2, SyslogMessage)\n| extend ObjCreator = extract(@'OBJ(\\s)?:\\[\\d+\\]\\s+(.*?)\\s+OBJ', 2, SyslogMessage)\n| extend ObjName = extract(@'OBJ.*?OBJ(\\s)?:\\[\\d+\\]\\s+(.*?)\\s+OS', 2, SyslogMessage)\n| extend OsUserId = extract(@'OS(\\s)?:\\[\\d+\\]\\s+(.*?)\\s+', 2, SyslogMessage)\n| extend ClientTerminal = extract(@'TERMINAL(\\s)?:\\[\\d+\\]\\s+(.*?)\\s+ACTION', 2, SyslogMessage)\n| extend DbId = extract(@'DBID(\\s)?:\\[\\d+\\]\\s+(\\d+)', 2, SyslogMessage)\n| extend SrcIpAddr = extract(@'HOST=(\\d{1,3}\\.\\d{1,3}\\.\\d{1,3}\\.\\d{1,3})', 1, SyslogMessage)\n| extend SrcPortNumber = extract(@'PORT=(\\d{1,5})', 1, SyslogMessage)\n};\nunion isfuzzy=true oracledb_type_1, oracledb_type_2\n| project TimeGenerated\n , EventVendor\n , EventProduct\n , SeverityLevel\n , MessageLength\n , Action\n , ActionLength\n , DbAction\n , DstUserName\n , Privilege\n , SrcUserName\n , ClientTerminal\n , Status\n , DbId\n , SessionId\n , EntryId\n , Statement\n , SrcDvcHostname\n , SrcIpAddr\n , SrcPortNumber\n , ReturnCode\n , ObjCreator\n , ObjName\n , OsUserId\n", + "version": 1 + } + }, + { + "type": "savedSearches", + "apiVersion": "2020-08-01", + "name": "OracleDatabaseAudit Hunting Query 1", + "dependsOn": [ + "[variables('workspace-dependency')]" + ], + "properties": { + "eTag": "*", + "displayName": "OracleDBAudit - Action by Ip", + "category": "Hunting Queries", + "query": "let lbtime = 24h;\nOracleDatabaseAuditEvent\n| where TimeGenerated > ago(lbtime)\n| where isnotempty(DbAction)\n| where isnotempty(SrcIpAddr)\n| where DbAction in~ ('SELECT', 'DROP', 'INSERT')\n| extend TableName = replace(@'[,\\(\\)]', '', extract(@'(?i)SELECT(.*?)FROM\\s(.*?)\\s', 2, Action))\n| where isnotempty(TableName)\n| where TableName !~ 'select'\n| summarize TablesAffected = makeset(TableName) by SrcIpAddr, DbAction\n| extend IPCustomEntity = SrcIpAddr\n", + "version": 1, + "tags": [ + { + "name": "description", + "value": "Query searches sources from which DbActions were made." + }, + { + "name": "tactics", + "value": "InitialAccess,DefenseEvasion,Collection,Impact" + } + ] + } + }, + { + "type": "savedSearches", + "apiVersion": "2020-08-01", + "name": "OracleDatabaseAudit Hunting Query 2", + "dependsOn": [ + "[variables('workspace-dependency')]" + ], + "properties": { + "eTag": "*", + "displayName": "OracleDBAudit - Action by user", + "category": "Hunting Queries", + "query": "let lbtime = 24h;\nOracleDatabaseAuditEvent\n| where TimeGenerated > ago(lbtime)\n| where isnotempty(DbAction)\n| where isnotempty(DstUserName)\n| where DbAction in~ ('SELECT', 'DROP', 'INSERT')\n| extend TableName = replace(@'[,\\(\\)]', '', extract(@'(?i)SELECT(.*?)FROM\\s(.*?)\\s', 2, Action))\n| where isnotempty(TableName)\n| where TableName !~ 'select'\n| summarize TablesAffected = makeset(TableName) by DstUserName, DbAction\n| extend AccountCustomEntity = DstUserName\n", + "version": 1, + "tags": [ + { + "name": "description", + "value": "Query searches actions made by user." + }, + { + "name": "tactics", + "value": "InitialAccess,DefenseEvasion,Collection,Impact" + } + ] + } + }, + { + "type": "savedSearches", + "apiVersion": "2020-08-01", + "name": "OracleDatabaseAudit Hunting Query 3", + "dependsOn": [ + "[variables('workspace-dependency')]" + ], + "properties": { + "eTag": "*", + "displayName": "OracleDBAudit - Active Users", + "category": "Hunting Queries", + "query": "OracleDatabaseAuditEvent\n| where TimeGenerated > ago(24h)\n| where isnotempty(Action) and isnotempty(DstUserName) and isnotempty(SrcIpAddr)\n| summarize count() by DstUserName\n| order by count_\n| extend AccountCustomEntity = DstUserName\n", + "version": 1, + "tags": [ + { + "name": "description", + "value": "Query for searching active database user accounts." + }, + { + "name": "tactics", + "value": "InitialAccess,DefenseEvasion" + } + ] + } + }, + { + "type": "savedSearches", + "apiVersion": "2020-08-01", + "name": "OracleDatabaseAudit Hunting Query 4", + "dependsOn": [ + "[variables('workspace-dependency')]" + ], + "properties": { + "eTag": "*", + "displayName": "OracleDBAudit - Users connected to databases during non-operational hours.", + "category": "Hunting Queries", + "query": "let lbtime = 24h;\nOracleDatabaseAuditEvent\n| where TimeGenerated > ago(lbtime)\n| where DbAction =~ 'CONNECT'\n| where isnotempty(DstUserName)\n| extend day_of_week = dayofweek(TimeGenerated)\n| extend hour_of_day = hourofday(TimeGenerated)\n| where day_of_week in~ ('0.00:00:00', '6.00:00:00') or hour_of_day between (18 .. 8)\n| project TimeGenerated, DstUserName, SrcIpAddr\n| extend AccountCustomEntity = DstUserName\n| extend IPCustomEntity = SrcIpAddr\n", + "version": 1, + "tags": [ + { + "name": "description", + "value": "Query searches for users who have connected to databases during non-operational hours." + }, + { + "name": "tactics", + "value": "InitialAccess,DefenseEvasion,Collection,Impact" + } + ] + } + }, + { + "type": "savedSearches", + "apiVersion": "2020-08-01", + "name": "OracleDatabaseAudit Hunting Query 5", + "dependsOn": [ + "[variables('workspace-dependency')]" + ], + "properties": { + "eTag": "*", + "displayName": "OracleDBAudit - Dropped Tables", + "category": "Hunting Queries", + "query": "let lbtime = 24h;\nOracleDatabaseAuditEvent\n| where TimeGenerated > ago(lbtime)\n| where DbAction =~ 'DROP'\n| extend TableName = replace(@'[,\\(\\)]', '', extract(@'(?i)SELECT(.*?)FROM\\s(.*?)\\s', 2, Action))\n| where isnotempty(TableName)\n| where TableName !~ 'select'\n| project TimeGenerated, DstUserName, TableName\n| extend AccountCustomEntity = DstUserName\n", + "version": 1, + "tags": [ + { + "name": "description", + "value": "Query searches for dropped tables." + }, + { + "name": "tactics", + "value": "Impact" + } + ] + } + }, + { + "type": "savedSearches", + "apiVersion": "2020-08-01", + "name": "OracleDatabaseAudit Hunting Query 6", + "dependsOn": [ + "[variables('workspace-dependency')]" + ], + "properties": { + "eTag": "*", + "displayName": "OracleDBAudit - Inactive Users", + "category": "Hunting Queries", + "query": "let lbtime_30d = 30d;\nlet lbtime_1d = 1d;\nlet known_users_gt_30d = OracleDatabaseAuditEvent\n| where TimeGenerated < ago(lbtime_30d)\n| where isnotempty(DstUserName)\n| where isnotempty(Action)\n| summarize makeset(DstUserName);\nlet known_users_ls_30d = OracleDatabaseAuditEvent\n| where TimeGenerated between (ago(lbtime_30d) .. ago(lbtime_1d))\n| where isnotempty(DstUserName)\n| where isnotempty(Action)\n| summarize makeset(DstUserName);\nOracleDatabaseAuditEvent\n| where TimeGenerated > ago(lbtime_1d)\n| where isnotempty(DstUserName)\n| where DbAction =~ 'CONNECT'\n| where DstUserName in (known_users_gt_30d)\n| where DstUserName !in (known_users_ls_30d)\n| project DstUserName\n| extend AccountCustomEntity = DstUserName\n", + "version": 1, + "tags": [ + { + "name": "description", + "value": "Query for searching user accounts which last activity was more than 30 days ago." + }, + { + "name": "tactics", + "value": "InitialAccess" + } + ] + } + }, + { + "type": "savedSearches", + "apiVersion": "2020-08-01", + "name": "OracleDatabaseAudit Hunting Query 7", + "dependsOn": [ + "[variables('workspace-dependency')]" + ], + "properties": { + "eTag": "*", + "displayName": "OracleDBAudit - Users with new privileges", + "category": "Hunting Queries", + "query": "let lbtime_30d = 30d;\nlet lbtime_1d = 1d;\nOracleDatabaseAuditEvent\n| where TimeGenerated > ago(lbtime_30d)\n| where isnotempty(ActionLength)\n| summarize avg_action_length = avg(toint(ActionLength))\n| extend a = 1\n| join (OracleDatabaseAuditEvent\n | where TimeGenerated > ago(lbtime_1d)\n | where isnotempty(ActionLength)\n | extend a = 1) on a\n| where toint(ActionLength) > 2*avg_action_length\n| project avg_action_length, ActionLength, Action, DstUserName\n| extend AccountCustomEntity = DstUserName\n| extend IPCustomEntity = SrcIpAddr\n", + "version": 1, + "tags": [ + { + "name": "description", + "value": "Query for searching user accounts whith new privileges." + }, + { + "name": "tactics", + "value": "InitialAccess,DefenseEvasion" + } + ] + } + }, + { + "type": "savedSearches", + "apiVersion": "2020-08-01", + "name": "OracleDatabaseAudit Hunting Query 8", + "dependsOn": [ + "[variables('workspace-dependency')]" + ], + "properties": { + "eTag": "*", + "displayName": "OracleDBAudit - Top tables queries 'Query searches for tables queries.'", + "category": "Hunting Queries", + "query": "let lbtime = 24h;\nOracleDatabaseAuditEvent\n| where TimeGenerated > ago(lbtime)\n| where DbAction =~ 'SELECT'\n| extend TableName = replace(@'[,\\(\\)]', '', extract(@'(?i)SELECT(.*?)FROM\\s(.*?)\\s', 2, Action))\n| where isnotempty(TableName)\n| where TableName !~ 'select'\n| summarize count() by TableName, DstUserName\n| order by count_\n| extend AccountCustomEntity = DstUserName\n", + "version": 1, + "tags": [ + { + "name": "tactics", + "value": "Collection" + } + ] + } + }, + { + "type": "savedSearches", + "apiVersion": "2020-08-01", + "name": "OracleDatabaseAudit Hunting Query 9", + "dependsOn": [ + "[variables('workspace-dependency')]" + ], + "properties": { + "eTag": "*", + "displayName": "OracleDBAudit - Users with new privileges", + "category": "Hunting Queries", + "query": "let lbtime_30d = 30d;\nlet lbtime_1d = 1d;\n| where TimeGenerated between (ago(lbtime_30d) .. ago(lbtime_1d))\n| where isnotempty(Privilege) and isnotempty(DstUserName)\n| summarize Privileges = makeset(Privilege) by DstUserName;\n| join (OracleDatabaseAuditEvent\n | where TimeGenerated > ago(lbtime_1d)\n | where isnotempty(DstUserName) and isnotempty(Privilege)\n | project DstUserName, Privilege\n ) on DstUserName\n| where Privilege !in (Privileges)\n| extend AccountCustomEntity = DstUserName\n", + "version": 1, + "tags": [ + { + "name": "description", + "value": "Query for searching user accounts whith new privileges." + }, + { + "name": "tactics", + "value": "InitialAccess,PrivilegeEscalation" + } + ] + } + }, + { + "type": "savedSearches", + "apiVersion": "2020-08-01", + "name": "OracleDatabaseAudit Hunting Query 10", + "dependsOn": [ + "[variables('workspace-dependency')]" + ], + "properties": { + "eTag": "*", + "displayName": "OracleDBAudit - Users Privileges Review", + "category": "Hunting Queries", + "query": "let lbtime = 30d;\nOracleDatabaseAuditEvent\n| where TimeGenerated > ago(lbtime)\n| where isnotempty(DstUserName)\n| where isnotempty(Privilege)\n| summarize makeset(Privilege) by DstUserName;\n| extend AccountCustomEntity = DstUserName\n", + "version": 1, + "tags": [ + { + "name": "description", + "value": "Query searches for user accounts and their privileges." + }, + { + "name": "tactics", + "value": "InitialAccess,PrivilegeEscalation" + } + ] + } + } + ] + }, + { + "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/', variables('_sourceId'))]", + "apiVersion": "2021-03-01-preview", + "properties": { + "contentId": "[variables('_sourceId')]", + "version": "1.0.3", + "kind": "Solution", + "parentId": "[variables('_sourceId')]", + "source": { + "kind": "Solution", + "name": "Oracle Database Audit", + "sourceId": "[variables('_sourceId')]" + }, + "author": { + "name": "Amarnath Pamidi", + "email": "v-ampami@microsoft.com" + }, + "support": { + "name": "Microsoft Corporation", + "email": "support@microsoft.com", + "tier": "Microsoft", + "link": "https://support.microsoft.com" + }, + "dependencies": { + "operator": "AND", + "criteria": [ + { + "kind": "Workbook", + "contentId": "[variables('_OracleDatabaseAudit')]", + "version": "1.0.3" + }, + { + "kind": "AnalyticsRule", + "contentId": "[variables('_OracleDBAuditConnectFromExternalIp')]", + "version": "1.0.3" + }, + { + "kind": "AnalyticsRule", + "contentId": "[variables('_OracleDBAuditDropManyTables')]", + "version": "1.0.3" + }, + { + "kind": "AnalyticsRule", + "contentId": "[variables('_OracleDBAuditForbiddenSrcIpAddr')]", + "version": "1.0.3" + }, + { + "kind": "AnalyticsRule", + "contentId": "[variables('_OracleDBAuditNewIpForUser')]", + "version": "1.0.3" + }, + { + "kind": "AnalyticsRule", + "contentId": "[variables('_OracleDBAuditNewUserDetected')]", + "version": "1.0.3" + }, + { + "kind": "AnalyticsRule", + "contentId": "[variables('_OracleDBAuditQueryOnSensitiveTable')]", + "version": "1.0.3" + }, + { + "kind": "AnalyticsRule", + "contentId": "[variables('_OracleDBAuditRareUserActivity')]", + "version": "1.0.3" + }, + { + "kind": "AnalyticsRule", + "contentId": "[variables('_OracleDBAuditSQLInjectionPatterns')]", + "version": "1.0.3" + }, + { + "kind": "AnalyticsRule", + "contentId": "[variables('_OracleDBAuditSelectOnManyTables')]", + "version": "1.0.3" + }, + { + "kind": "AnalyticsRule", + "contentId": "[variables('_OracleDBAuditShutdownServer')]", + "version": "1.0.3" + }, + { + "kind": "DataConnector", + "contentId": "[variables('_OracleDatabaseAuditConnector')]", + "version": "1.0.3" + }, + { + "kind": "Parser", + "contentId": "[variables('_OracleDatabaseAuditEvent')]", + "version": "1.0.3" + }, + { + "kind": "HuntingQuery", + "contentId": "[variables('_OracleDBAuditActionsByIp')]", + "version": "1.0.3" + }, + { + "kind": "HuntingQuery", + "contentId": "[variables('_OracleDBAuditActionsByUser')]", + "version": "1.0.3" + }, + { + "kind": "HuntingQuery", + "contentId": "[variables('_OracleDBAuditActiveUsers')]", + "version": "1.0.3" + }, + { + "kind": "HuntingQuery", + "contentId": "[variables('_OracleDBAuditDbConnectNonOperationalTime')]", + "version": "1.0.3" + }, + { + "kind": "HuntingQuery", + "contentId": "[variables('_OracleDBAuditDroppedTables')]", + "version": "1.0.3" + }, + { + "kind": "HuntingQuery", + "contentId": "[variables('_OracleDBAuditInactiveUsers')]", + "version": "1.0.3" + }, + { + "kind": "HuntingQuery", + "contentId": "[variables('_OracleDBAuditLargeQueries')]", + "version": "1.0.3" + }, + { + "kind": "HuntingQuery", + "contentId": "[variables('_OracleDBAuditListOfTablesQueried')]", + "version": "1.0.3" + }, + { + "kind": "HuntingQuery", + "contentId": "[variables('_OracleDBAuditUsersNewPrivilegesAdded')]", + "version": "1.0.3" + }, + { + "kind": "HuntingQuery", + "contentId": "[variables('_OracleDBAuditUsersPrivilegesReview')]", + "version": "1.0.3" + } + ] + }, + "categories": { + "domains": [ + "Application" + ] + }, + "firstPublishDate": "2021-03-26", + "providers": [ + "Oracle" + ] + } + } + ], + "outputs": {} +} diff --git a/Solutions/README.md b/Solutions/README.md index 69f5a885a8..f543bc347a 100644 --- a/Solutions/README.md +++ b/Solutions/README.md @@ -1,68 +1,112 @@ -# Guide to Building Microsoft Sentinel Solutions +# Guide to building Microsoft Sentinel solutions -This guide provides an overview of Microsoft Sentinel Solutions and how one can build and publish a solution for Microsoft Sentinel. +This guide provides an overview of Microsoft Sentinel solutions, and how to build and publish a solution for Microsoft Sentinel. -Microsoft Sentinel Solutions provide an in-product experience for central discoverability, single-step deployment, and enablement of end-to-end product and/or domain and/or vertical scenarios in Microsoft Sentinel. This experience is powered by [Azure Marketplace](https://azuremarketplace.microsoft.com/marketplace/) for Solutions’ discoverability, deployment and enablement and [Microsoft Partner Center](https://docs.microsoft.com/partner-center/overview) for Solutions’ authoring and publishing. Providers or partners can deliver combined product or domain or vertical value via solutions in Microsoft Sentinel and be able to productize investments. More details are covered in [Azure Sentinel documentation](https://aka.ms/azuresentinelsolutionsdoc) and review the [catalog](https://aka.ms/sentinelsolutionscatalog) for complete list of Microsoft Sentinel solutions. +Microsoft Sentinel solutions provide an in-product experience for central discoverability, single-step deployment, and enablement of end-to-end product, domain, and/or vertical scenarios in Microsoft Sentinel. This experience is powered by: -Microsoft Sentinel Solutions include packaged content or integrations or service offerings for Microsoft Sentinel. This guide focuses on building packages content type solutions that includes combination of one or many data connectors, workbooks, analytic rules, playbooks, hunting queries, parsers, watchlists, and more for Microsoft Sentinel. Reach out to [Azure Sentinel Solutions Onboarding Team](mailto:AzureSentinelPartner@microsoft.com) if you plan to build an integration type or service offering type or want to build any other type of Solution not covered above. +- [Azure Marketplace](https://azuremarketplace.microsoft.com/marketplace/) for solution discoverability, deployment, and enablement +- The [Microsoft Partner Center](https://docs.microsoft.com/partner-center/overview) for solution authoring and publishing + +Providers and partners can deliver combined product, domain, or vertical value via solutions in Microsoft Sentinel in order to productize investments. More details are covered in the [Microsoft Sentinel documentation](https://aka.ms/azuresentinelsolutionsdoc). Review the [catalog](https://aka.ms/sentinelsolutionscatalog) for complete list of out-of-the-box Microsoft Sentinel solutions. + +Microsoft Sentinel solutions include packaged content, integrations, or service offerings for Microsoft Sentinel. This guide focuses on how to build packaged content into solutions, including combinations of data connectors, workbooks, analytic rules, playbooks, hunting queries, parsers, watchlists, and more for Microsoft Sentinel. Reach out to the [Microsoft Sentinel Solutions Onboarding Team](mailto:AzureSentinelPartner@microsoft.com) if you are planning or building another type of integration or service offering, or want to include other types of content in your solution that isn't listed here. + +The following image shows the steps in the solution building process, including content creation, packaging, and publishing: ![Microsoft Sentinel solutions build process](https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Images/solutions_steps.png) -## Step 1 – Create Content for Microsoft Sentinel -Start with the [Get started documentation](https://github.com/Azure/Azure-Sentinel/wiki#get-started) on the Microsoft Sentinel GitHub Wiki to identify the content types you plan to include in your Solution package. This includes data connectors, workbooks, analytic rules, playbooks, hunting queries, and more. Each of the content type has its own contribution guidance which you can follow to develop and validate the content. +## Step 1 – Create your content -**Hold off** on submitting the content to the respective folders as pointed to in the contribution guidance for each contribution. Instead, have your content in the [Solutions](https://github.com/Azure/Azure-Sentinel/tree/master/Solutions) folder of the GitHub repo. -* Create a folder with your Solution name under [Solutions](https://github.com/Azure/Azure-Sentinel/tree/master/Solutions) folder. -* Within that create a folder structure within your Solutions folder as follows to submit your content developed above. See [example](https://github.com/Azure/Azure-Sentinel/tree/master/Solutions/Cisco%20ISE). - * Data Connectors – the data connector json files or Azure Functions, etc. goes in this folder. +Start with the [Get started documentation](https://github.com/Azure/Azure-Sentinel/wiki#get-started) on the Microsoft Sentinel GitHub Wiki to identify the content types you plan to include in your solution package. For example, supported content types include data connectors, workbooks, analytic rules, playbooks, hunting queries, and more. Each content type has its own contribution guidance for development and validation. + +The guidance for each content type in the Wiki describes how to contribute individual pieces of content. However, you want to contribute your content in a packaged solution. Therefore, **hold off** on submitting your content to the relevant folders as described in the Wiki guidance, and instead place your content in the [Solutions](https://github.com/Azure/Azure-Sentinel/tree/master/Solutions) folder of the Microsoft Sentinel GitHub repo. + +Use the following steps to create your content structure: + +1. In the Microsoft Sentinel [Solutions](https://github.com/Azure/Azure-Sentinel/tree/master/Solutions) folder, create a new folder with your solution name. + +2. In your solution folder, create a blank folder structure as follows to store the content you've developed: + * Data Connectors – the data connector json files or Azure Functions, etc. goes in this folder. * Workbooks – workbook json files and black and white preview images of the workbook goes here. * Analytic Rules – yaml file templates of analytic rules goes in this folder. * Hunting queries – yaml file templates of hunting queries goes in this folder. * Playbooks – json playbook and Azure Logic Apps custom connectors can go in this folder. * Parser – txt file for Kusto Functions or Parsers can go in this folder. -* Logo – SVG format logo can go to the central [Logos](https://github.com/Azure/Azure-Sentinel/tree/master/Logos) folder. -* Sample data – Check this into the [sample data folder](https://github.com/Azure/Azure-Sentinel/tree/master/Sample%20Data) within the respective folder depending on data connector type. -* Submit a PR with all of your Solution content. -* The PR will go through automated GitHub validation and [address potential errors](https://github.com/Azure/Azure-Sentinel/wiki#test-your-contribution) as needed. -* Upon successful content validation, the Microsoft Sentinel team will review your PR and get back with feedback (as needed). Expect an initial response within 5 business days. -* The PR gets approved and merged upon successful review/feedback incorporation process. + + For example, see the folder structure for our [Cisco ISE solution](https://github.com/Azure/Azure-Sentinel/tree/master/Solutions/Cisco%20ISE). -## Step 2 – Package Content -The Solutions content package is called a Solution template and has two files listed as follows. Refer to the [Solution template documentation](https://docs.microsoft.com/azure/marketplace/plan-azure-app-solution-template) (deployment package) for details on these ARM (Azure Resource Manager) files. -1. mainTemplate.json - ARM template of the resources the Solution offer includes. -2. createUIDefinition.json – Deployment experience definition that the customer installing a Solution goes through - this is a step-by-step wizard experience. -All the content you plan to package needs to be converted to ARM format and the mainTemplate file is the overall ARM template file combining these individual ARM content files. After you create the two json files for your Solution, validate these. Finally, package these two json files in a .zip file that you can upload as part of the publish process (Step 3). +3. Store your logo, in SVG format, in the central [Logos](https://github.com/Azure/Azure-Sentinel/tree/master/Logos) folder. -Use the [package creation tool](https://github.com/Azure/Azure-Sentinel/tree/master/Tools/Create-Azure-Sentinel-Solution) to help you create and validate the package - follow the [solutions packaging tool guidance](https://github.com/Azure/Azure-Sentinel/tree/master/Tools/Create-Azure-Sentinel-Solution#azure-sentinel-solutions-packaging-tool-guidance) to use the tool and package your content. -* If you already have an Microsoft Sentinel solution and want to update the package, use the tool with updated content to create a new version of the package using the tool. -* Versioning format of package - Always use {Major}.{Minor}.{Revision} schematic versioning format (for e.g. 1.0.1) for solutions that aligns with Azure Marketplace recommendation and versioning support. -* Version for updates - If you update you package, please always remmeber to increment the version value, irrespective of how trivial the change is (could be just fixing a typo in a content or solution definition file). -For e.g. If original package version is 1.0.1 and you make a: - * Major update, new version can be 2.0.0 - * Minor update like changes applying to a few content in the package, new version can be 1.1.0 - * Very minor revisions scoped to one content, new version can be 1.0.2 -* Since solutions use ARM template, you can customize the solution text as well as tabs if needed for catering to specific scenarios. +4. Store sample data in the [sample data folder](https://github.com/Azure/Azure-Sentinel/tree/master/Sample%20Data), within the relevant content type folder, depending on your data connector type. + +5. Submit a PR with all of your solution content. The PR will go through automated GitHub validation. [Address potential errors](https://github.com/Azure/Azure-Sentinel/wiki#test-your-contribution) as needed. + +After your content has been succesfully validated, the Microsoft Sentinel team will review your PR and reply with any feedback as needed. You can expect an initial response within five business days. + +The PR will be approved and merged after any feedback has been incorportated and the full review is successful. + +## Step 2 – Package your content + +The solution content package is called a *solution template*, and has the following files: + +* **mainTemplate.json**: The Azure Resource Manager (ARM) template that includes the resources offered by the solution. Each piece of content that you want to package in your solution must first be converted to ARM format. The `mainTemplate` file is the overall ARM template file that combines each invididual ARM content file. + +* **createUIDefinition.json**: The deployment experience definition provided to customers installing your solution. This is a step-by-step wizard experience. + +For more information, see the [solution template documentation](https://docs.microsoft.com/azure/marketplace/plan-azure-app-solution-template) (deployment package). + +After creating both the `mainTemplate.json` and the `createUIDefinition.json` files, validate them, and package them into a .zip file that you can upload as part of the publishing process (Step 3). + +Use the [package creation tool](https://github.com/Azure/Azure-Sentinel/tree/master/Tools/Create-Azure-Sentinel-Solution) to help you create and validate the package, following the [solutions packaging tool guidance](https://github.com/Azure/Azure-Sentinel/tree/master/Tools/Create-Azure-Sentinel-Solution#azure-sentinel-solutions-packaging-tool-guidance) to use the tool and package your content. + +### Updating your solution + +If you already have an Microsoft Sentinel solution and want to update your package, use the package creation tool with updated content to create a new version of the package. + +For your solution's versioning format, always use `{Major}.{Minor}.{Revision}` syntax, such as `1.0.1`, to align with the Azure Marketplace recommendation and versioning support. + +When updating your package, make sure to raise the version value, regardless of how small or trivial the change is, including typo fixes in a content or solution definition file. + +For example, if your original package version is `1.0.1`, you might update your versions as follows: + +* **Major updates** might have a new version of 2.0.0 +* **Minor updates**, like changes in a few pieces of content in the package, might have a new version of `1.1.0` +* **Very minor revisions**, such as those scoped to a single piece of content, might have a new version of `1.0.2` + +Since solutions use ARM templates, you can customize the solution text as well as tabs as needed to cater to specific scenarios. + +## Step 3 – Publish your solution + +The Microsoft Sentinel solution publishing experience is powered by the [Microsoft Partner Center](https://docs.microsoft.com/partner-center/overview). -## Step 3 – Publish Solution -Microsoft Sentinel Solutions publish experience is powered by [Microsoft Partner Center](https://docs.microsoft.com/partner-center/overview). ### Registration (one-time) -If you/your company are a first-time app publisher on Azure Marketplace, [follow the steps](https://docs.microsoft.com/azure/marketplace/partner-center-portal/create-account) to register and create a [Commercial Marketplace](https://docs.microsoft.com/azure/marketplace/overview) account in Partner Center. This process will give you a unique Publisher ID and access to the Commercial Marketplace authoring and publishing experience on Partner Center to create, certify and publish a Solution offer. -### Author and Publish Solutions Offer -For the following steps we’ll rely on Partner Center’s detailed documentation. -1. [Create an Azure application type offer](https://docs.microsoft.com/azure/marketplace/create-new-azure-apps-offer) and configure the offer setup details per guidance. + +If you or your company is a first-time app publisher on Azure Marketplace, [follow the steps](https://docs.microsoft.com/azure/marketplace/partner-center-portal/create-account) to register and create a [Commercial Marketplace](https://docs.microsoft.com/azure/marketplace/overview) account in Partner Center. This process provides you with a unique **Publisher ID** and access to the Commercial Marketplace authoring and publishing experience, where you'll create, certify, and publish your solution. + +### Author and publish a solution offer + +The following steps reference the Partner Center's more detailed documentation. + +1. [Create an Azure application type offer](https://docs.microsoft.com/azure/marketplace/create-new-azure-apps-offer) and configure the offer setup details as per the relevant guidance. + 2. [Configure](https://docs.microsoft.com/azure/marketplace/create-new-azure-apps-offer-properties) the Offer properties. -3. Configure the [Offer listing details](https://docs.microsoft.com/azure/marketplace/create-new-azure-apps-offer-listing) – this includes the title, description, pictures, videos, support information, etc. aspects. Enter one of the search keywords value as f1de974b-f438-4719-b423-8bf704ba2aef – to display your Solution in the Microsoft Sentinel Solutions gallery. -4. [Create a plan](https://docs.microsoft.com/azure/marketplace/create-new-azure-apps-offer-plans) and select plan type as Solution Template. -5. [Configure](https://docs.microsoft.com/azure/marketplace/create-new-azure-apps-offer-solution) the Solutions template plan. This is where you’ll upload the Solutions zip created in Step 2 and set a version for the package. Follow versioning guidance mentioned in Step 2. -6. [Validate and Test](https://docs.microsoft.com/azure/marketplace/create-new-azure-apps-offer-test-publish) the offer once done. -7. Once you’ve validated the offer, [publish the offer live](https://docs.microsoft.com/azure/marketplace/create-new-azure-apps-offer-test-publish#publish-your-offer-live). This will trigger the certification process (can take up to 3 business days). -**Note:** The Microsoft Sentinel team will need to make a change so that your Solution shows up in the Microsoft Sentinel Solutions gallery, hence before going live, email [Azure Sentinel Solutions Onboarding Team](mailto:AzureSentinelPartner@microsoft.com) with your Solutions offer ID and Publisher ID so that we can make the necessary changes. +3. Configure the [Offer listing details](https://docs.microsoft.com/azure/marketplace/create-new-azure-apps-offer-listing), including the title, description, pictures, videos, support information, and so on. As one of your search keywords, add `f1de974b-f438-4719-b423-8bf704ba2aef` to have your solution appear in the Microsoft Sentinel content hub. -**Note:** Making the offer public is very important for it to show up in the Microsoft Sentinel Solutions gallery. - +5. [Create a plan](https://docs.microsoft.com/azure/marketplace/create-new-azure-apps-offer-plans) and select **Solution Template** as the plan type. + +6. [Configure](https://docs.microsoft.com/azure/marketplace/create-new-azure-apps-offer-solution) the **Solutions template** plan. This is where you’ll upload the zip file that you'd created in step two and set a version for your package. Make sure to follow the versioning guidance described in step 2, above. + +7. [Validate and test](https://docs.microsoft.com/azure/marketplace/create-new-azure-apps-offer-test-publish) your solution offer. + +8. After the validation passes, [publish the offer live](https://docs.microsoft.com/azure/marketplace/create-new-azure-apps-offer-test-publish#publish-your-offer-live). This will trigger the certification process, which can take up to 3 business days. + +**Note:** The Microsoft Sentinel team will need to modify your files so that your solution appears in the Microsoft Sentinel content hub. Therefore, before going live, email the [Azure Sentinel Solutions Onboarding Team](mailto:AzureSentinelPartner@microsoft.com) with your solutions offer ID and your **Publisher ID** so that we can make the required changes. + +**Note:** You must make the offer public in order for it to show up in the Microsoft Sentinel content hub so that customers can find it. ## Feedback -[Email Microsoft Sentinel Solutions Onboarding Team](mailto:AzureSentinelPartner@microsoft.com) with any feedback on this process or for new scenarios not covered in this guide or with any constraints you may encounter. + +[Email Azure Sentinel Solutions Onboarding Team](mailto:AzureSentinelPartner@microsoft.com) with any feedback on this process, for new scenarios not covered in this guide, or with any constraints you may encounter. diff --git a/Solutions/SentinelOne/Analytic Rules/SentinelOneAdminLoginNewIP.yaml b/Solutions/SentinelOne/Analytic Rules/SentinelOneAdminLoginNewIP.yaml new file mode 100755 index 0000000000..0656cbd302 --- /dev/null +++ b/Solutions/SentinelOne/Analytic Rules/SentinelOneAdminLoginNewIP.yaml @@ -0,0 +1,43 @@ +id: 382f37b3-b49a-492f-b436-a4717c8c5c3e +name: Sentinel One - Admin login from new location +description: | + 'Detects admin user login from new location (IP address).' +severity: Medium +requiredDataConnectors: + - connectorId: SentinelOne + dataTypes: + - SentinelOne +queryFrequency: 1h +queryPeriod: 14d +triggerOperator: gt +triggerThreshold: 0 +tactics: + - InitialAccess + - PrivilegeEscalation +relevantTechniques: + - T1078 +query: | + SentinelOne + | where ActivityType == 27 + | where DataRole =~ 'Admin' + | extend SrcIpAddr = extract(@'Address\s(\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})', 1, EventOriginalMessage) + | where isnotempty(SrcIpAddr) + | summarize ip_lst = makeset(SrcIpAddr) by SrcUserName + | join (SentinelOne + | where ActivityType == 27 + | where DataRole =~ 'Admin' + | extend SrcIpAddr = extract(@'Address\s(\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})', 1, EventOriginalMessage) + | where isnotempty(SrcIpAddr)) on SrcUserName + | where ip_lst !has SrcIpAddr + | extend AccountCustomEntity = SrcUserName, IPCustomEntity = SrcIpAddr +entityMappings: + - entityType: Account + fieldMappings: + - identifier: Name + columnName: AccountCustomEntity + - entityType: IP + fieldMappings: + - identifier: Address + columnName: IPCustomEntity +version: 1.0.0 +kind: Scheduled diff --git a/Solutions/SentinelOne/Analytic Rules/SentinelOneAgentUninstalled.yaml b/Solutions/SentinelOne/Analytic Rules/SentinelOneAgentUninstalled.yaml new file mode 100755 index 0000000000..ce6c30cbce --- /dev/null +++ b/Solutions/SentinelOne/Analytic Rules/SentinelOneAgentUninstalled.yaml @@ -0,0 +1,28 @@ +id: 4ad87e4a-d045-4c6b-9652-c9de27fcb442 +name: Sentinel One - Agent uninstalled from host +description: | + 'Detects when agent was uninstalled from host.' +severity: Medium +requiredDataConnectors: + - connectorId: SentinelOne + dataTypes: + - SentinelOne +queryFrequency: 1h +queryPeriod: 1h +triggerOperator: gt +triggerThreshold: 0 +tactics: + - DefenseEvasion +relevantTechniques: + - T1070 +query: | + SentinelOne + | where ActivityType == 31 + | extend HostCustomEntity = DataComputerName +entityMappings: + - entityType: Host + fieldMappings: + - identifier: HostName + columnName: HostCustomEntity +version: 1.0.0 +kind: Scheduled diff --git a/Solutions/SentinelOne/Analytic Rules/SentinelOneAlertFromCustomRule.yaml b/Solutions/SentinelOne/Analytic Rules/SentinelOneAlertFromCustomRule.yaml new file mode 100755 index 0000000000..0f7a023e90 --- /dev/null +++ b/Solutions/SentinelOne/Analytic Rules/SentinelOneAlertFromCustomRule.yaml @@ -0,0 +1,30 @@ +id: 5f37de91-ff2b-45fb-9eda-49e9f76a3942 +name: Sentinel One - Alert from custom rule +description: | + 'Detects when alert from custom rule received.' +severity: Medium +requiredDataConnectors: + - connectorId: SentinelOne + dataTypes: + - SentinelOne +queryFrequency: 1h +queryPeriod: 1h +triggerOperator: gt +triggerThreshold: 0 +tactics: + - InitialAccess +relevantTechniques: + - T1204 +query: | + SentinelOne + | where ActivityType == 3608 + | extend RuleName = extract(@'Custom Rule:\s(.*?)\sin Group', 1, EventOriginalMessage) + | extend DstHostname = extract(@'detected on\s(\S+)\.', 1, EventOriginalMessage) + | extend HostCustomEntity = DstHostname +entityMappings: + - entityType: Host + fieldMappings: + - identifier: HostName + columnName: HostCustomEntity +version: 1.0.0 +kind: Scheduled diff --git a/Solutions/SentinelOne/Analytic Rules/SentinelOneBlacklistHashDeleted.yaml b/Solutions/SentinelOne/Analytic Rules/SentinelOneBlacklistHashDeleted.yaml new file mode 100755 index 0000000000..54a565fe79 --- /dev/null +++ b/Solutions/SentinelOne/Analytic Rules/SentinelOneBlacklistHashDeleted.yaml @@ -0,0 +1,35 @@ +id: de339761-2298-4b37-8f1b-80ebd4f0b5f6 +name: Sentinel One - Blacklist hash deleted +description: | + 'Detects when blacklist hash was deleted.' +severity: Medium +requiredDataConnectors: + - connectorId: SentinelOne + dataTypes: + - SentinelOne +queryFrequency: 1h +queryPeriod: 1h +triggerOperator: gt +triggerThreshold: 0 +tactics: + - DefenseEvasion +relevantTechniques: + - T1070 +query: | + SentinelOne + | where ActivityType == 3020 + | project EventCreationTime, SrcUserName, Hash=EventSubStatus + | extend AccountCustomEntity = SrcUserName, HashCustomEntity = Hash, HashAlgorithmCustomEntity = "SHA1" +entityMappings: + - entityType: Account + fieldMappings: + - identifier: Name + columnName: AccountCustomEntity + - entityType: FileHash + fieldMappings: + - identifier: Value + columnName: HashCustomEntity + - identifier: Algorithm + columnName: HashAlgorithmCustomEntity +version: 1.0.0 +kind: Scheduled diff --git a/Solutions/SentinelOne/Analytic Rules/SentinelOneExclusionAdded.yaml b/Solutions/SentinelOne/Analytic Rules/SentinelOneExclusionAdded.yaml new file mode 100755 index 0000000000..c9b8de7fa1 --- /dev/null +++ b/Solutions/SentinelOne/Analytic Rules/SentinelOneExclusionAdded.yaml @@ -0,0 +1,29 @@ +id: 4224409f-a7bf-45eb-a931-922d79575a05 +name: Sentinel One - Exclusion added +description: | + 'Detects when new exclusion added.' +severity: Medium +requiredDataConnectors: + - connectorId: SentinelOne + dataTypes: + - SentinelOne +queryFrequency: 1h +queryPeriod: 1h +triggerOperator: gt +triggerThreshold: 0 +tactics: + - DefenseEvasion +relevantTechniques: + - T1070 +query: | + SentinelOne + | where EventOriginalMessage has_all ('added', 'exclusion') + | project EventCreationTime, SrcUserName, EventOriginalMessage + | extend AccountCustomEntity = SrcUserName +entityMappings: + - entityType: Account + fieldMappings: + - identifier: Name + columnName: AccountCustomEntity +version: 1.0.0 +kind: Scheduled diff --git a/Solutions/SentinelOne/Analytic Rules/SentinelOneMultipleAlertsOnHost.yaml b/Solutions/SentinelOne/Analytic Rules/SentinelOneMultipleAlertsOnHost.yaml new file mode 100755 index 0000000000..f7a5d3796c --- /dev/null +++ b/Solutions/SentinelOne/Analytic Rules/SentinelOneMultipleAlertsOnHost.yaml @@ -0,0 +1,32 @@ +id: 47e427e6-61bc-4e24-8d16-a12871b9f939 +name: Sentinel One - Multipl alerts on host +description: | + 'Detects when multiple alerts received from same host.' +severity: Medium +requiredDataConnectors: + - connectorId: SentinelOne + dataTypes: + - SentinelOne +queryFrequency: 1h +queryPeriod: 1h +triggerOperator: gt +triggerThreshold: 0 +tactics: + - InitialAccess +relevantTechniques: + - T11204 +query: | + SentinelOne + | where ActivityType == 3608 + | extend RuleName = extract(@'Custom Rule:\s(.*?)\sin Group', 1, EventOriginalMessage) + | extend DstHostname = extract(@'detected on\s(\S+)\.', 1, EventOriginalMessage) + | summarize count() by DstHostname, bin(TimeGenerated, 15m) + | where count_ > 1 + | extend HostCustomEntity = DstHostname +entityMappings: + - entityType: Host + fieldMappings: + - identifier: HostName + columnName: HostCustomEntity +version: 1.0.0 +kind: Scheduled diff --git a/Solutions/SentinelOne/Analytic Rules/SentinelOneNewAdmin.yaml b/Solutions/SentinelOne/Analytic Rules/SentinelOneNewAdmin.yaml new file mode 100755 index 0000000000..60d793fcae --- /dev/null +++ b/Solutions/SentinelOne/Analytic Rules/SentinelOneNewAdmin.yaml @@ -0,0 +1,28 @@ +id: e73d293d-966c-47ec-b8e0-95255755f12c +name: Sentinel One - New admin created +description: | + 'Detects when new admin user is created.' +severity: Medium +requiredDataConnectors: + - connectorId: SentinelOne + dataTypes: + - SentinelOne +queryFrequency: 1h +queryPeriod: 1h +triggerOperator: gt +triggerThreshold: 0 +tactics: + - PrivilegeEscalation +relevantTechniques: + - T1078 +query: | + SentinelOne + | where ActivityType == 23 + | extend AccountCustomEntity = SrcUserName +entityMappings: + - entityType: Account + fieldMappings: + - identifier: Name + columnName: AccountCustomEntity +version: 1.0.0 +kind: Scheduled diff --git a/Solutions/SentinelOne/Analytic Rules/SentinelOneRuleDeleted.yaml b/Solutions/SentinelOne/Analytic Rules/SentinelOneRuleDeleted.yaml new file mode 100755 index 0000000000..74721287d4 --- /dev/null +++ b/Solutions/SentinelOne/Analytic Rules/SentinelOneRuleDeleted.yaml @@ -0,0 +1,29 @@ +id: e171b587-22bd-46ec-b96c-7c99024847a7 +name: Sentinel One - Rule deleted +description: | + 'Detects when a rule was deleted.' +severity: Medium +requiredDataConnectors: + - connectorId: SentinelOne + dataTypes: + - SentinelOne +queryFrequency: 1h +queryPeriod: 1h +triggerOperator: gt +triggerThreshold: 0 +tactics: + - DefenseEvasion +relevantTechniques: + - T1070 +query: | + SentinelOne + | where ActivityType == 3602 + | project EventCreationTime, DataRuleName, DataRuleQueryDetails, DataUserName + | extend AccountCustomEntity = DataUserName +entityMappings: + - entityType: Account + fieldMappings: + - identifier: Name + columnName: AccountCustomEntity +version: 1.0.0 +kind: Scheduled diff --git a/Solutions/SentinelOne/Analytic Rules/SentinelOneRuleDisabled.yaml b/Solutions/SentinelOne/Analytic Rules/SentinelOneRuleDisabled.yaml new file mode 100755 index 0000000000..71593b9768 --- /dev/null +++ b/Solutions/SentinelOne/Analytic Rules/SentinelOneRuleDisabled.yaml @@ -0,0 +1,29 @@ +id: 84e210dd-8982-4398-b6f3-264fd72d036c +name: Sentinel One - Rule disabled +description: | + 'Detects when a rule was disabled.' +severity: Medium +requiredDataConnectors: + - connectorId: SentinelOne + dataTypes: + - SentinelOne +queryFrequency: 1h +queryPeriod: 1h +triggerOperator: gt +triggerThreshold: 0 +tactics: + - DefenseEvasion +relevantTechniques: + - T1070 +query: | + SentinelOne + | where ActivityType == 3603 + | project EventCreationTime, DataRuleName, DataRuleQueryDetails, DataUserName + | extend AccountCustomEntity = DataUserName +entityMappings: + - entityType: Account + fieldMappings: + - identifier: Name + columnName: AccountCustomEntity +version: 1.0.0 +kind: Scheduled diff --git a/Solutions/SentinelOne/Analytic Rules/SentinelOneSameCustomRuleHitOnDiffHosts.yaml b/Solutions/SentinelOne/Analytic Rules/SentinelOneSameCustomRuleHitOnDiffHosts.yaml new file mode 100755 index 0000000000..fff112ba11 --- /dev/null +++ b/Solutions/SentinelOne/Analytic Rules/SentinelOneSameCustomRuleHitOnDiffHosts.yaml @@ -0,0 +1,32 @@ +id: 5586d378-1bce-4d9b-9ac8-e7271c9d5a9a +name: Sentinel One - Same custom rule triggered on different hosts +description: | + 'Detects when same custom rule was triggered on different hosts.' +severity: Medium +requiredDataConnectors: + - connectorId: SentinelOne + dataTypes: + - SentinelOne +queryFrequency: 1h +queryPeriod: 1h +triggerOperator: gt +triggerThreshold: 0 +tactics: + - InitialAccess +relevantTechniques: + - T11204 +query: | + SentinelOne + | where ActivityType == 3608 + | extend RuleName = extract(@'Custom Rule:\s(.*?)\sin Group', 1, EventOriginalMessage) + | extend DstHostname = extract(@'detected on\s(\S+)\.', 1, EventOriginalMessage) + | summarize hosts = makeset(DstHostname) by RuleName, bin(TimeGenerated, 15m) + | where array_length(hosts) > 1 + | extend HostCustomEntity = hosts +entityMappings: + - entityType: Host + fieldMappings: + - identifier: HostName + columnName: HostCustomEntity +version: 1.0.0 +kind: Scheduled diff --git a/Solutions/SentinelOne/Analytic Rules/SentinelOneViewAgentPassphrase.yaml b/Solutions/SentinelOne/Analytic Rules/SentinelOneViewAgentPassphrase.yaml new file mode 100755 index 0000000000..591334a70e --- /dev/null +++ b/Solutions/SentinelOne/Analytic Rules/SentinelOneViewAgentPassphrase.yaml @@ -0,0 +1,32 @@ +id: 51999097-60f4-42c0-bee8-fa28160e5583 +name: Sentinel One - User viewed agent's passphrase +description: | + 'Detects when a user viewed agent's passphrase.' +severity: Medium +requiredDataConnectors: + - connectorId: SentinelOne + dataTypes: + - SentinelOne +queryFrequency: 1h +queryPeriod: 1h +triggerOperator: gt +triggerThreshold: 0 +tactics: + - CredentialAccess +relevantTechniques: + - T1555 +query: | + SentinelOne + | where ActivityType == 64 + | extend AccountCustomEntity = SrcUserName, HostCustomEntity = DataComputerName +entityMappings: + - entityType: Account + fieldMappings: + - identifier: Name + columnName: AccountCustomEntity + - entityType: Host + fieldMappings: + - identifier: HostName + columnName: HostCustomEntity +version: 1.0.0 +kind: Scheduled diff --git a/Solutions/SentinelOne/Hunting Queries/SentinelOneAgentNotUpdated.yaml b/Solutions/SentinelOne/Hunting Queries/SentinelOneAgentNotUpdated.yaml new file mode 100755 index 0000000000..b72f97dad5 --- /dev/null +++ b/Solutions/SentinelOne/Hunting Queries/SentinelOneAgentNotUpdated.yaml @@ -0,0 +1,26 @@ +id: 7fc83c11-1d80-4d1e-9d4b-4f48bbf77abe +name: Sentinel One - Agent not updated +description: | + 'Query shows agent which are not updated to the latest version.' +severity: Low +requiredDataConnectors: + - connectorId: SentinelOne + dataTypes: + - SentinelOne +tactics: + - DefenseEvasion +relevantTechniques: + - T1070 +query: | + //Latest agent version can be checked in Management Console>Sentinels>Packages + let upd_ver = dynamic(['21.7.4.1043', '21.7.4.5853', '21.10.3.3', '21.12.1.5913']); + SentinelOne + | where TimeGenerated > ago(24h) + | where EventType =~ 'Agents.' + | where AgentVersion !in (upd_ver) + | extend HostCustomEntity = ComputerName +entityMappings: + - entityType: Host + fieldMappings: + - identifier: HostName + columnName: HostCustomEntity diff --git a/Solutions/SentinelOne/Hunting Queries/SentinelOneAgentStatus.yaml b/Solutions/SentinelOne/Hunting Queries/SentinelOneAgentStatus.yaml new file mode 100755 index 0000000000..f24fa1b3c2 --- /dev/null +++ b/Solutions/SentinelOne/Hunting Queries/SentinelOneAgentStatus.yaml @@ -0,0 +1,25 @@ +id: 4b2ed4b6-10bf-4b2c-b31e-ae51b575dfd4 +name: Sentinel One - Agent status +description: | + 'Query shows agent properties.' +severity: Low +requiredDataConnectors: + - connectorId: SentinelOne + dataTypes: + - SentinelOne +tactics: + - DefenseEvasion +relevantTechniques: + - T1070 +query: | + SentinelOne + | where TimeGenerated > ago(24h) + | where EventType =~ 'Agents.' + | extend Properties = pack('IsActive', IsActive,'ActiveThreats',ActiveThreats,'FirewallEnabled',FirewallEnabled,'Infected',Infected,'IsUpToDate',IsUpToDate,'MitigationMode',MitigationMode,'MitigationModeSuspicious',MitigationModeSuspicious,'NetworkStatus',NetworkStatus) + | summarize max(TimeGenerated) by ComputerName, tostring(Properties) + | extend HostCustomEntity = ComputerName +entityMappings: + - entityType: Host + fieldMappings: + - identifier: HostName + columnName: HostCustomEntity diff --git a/Solutions/SentinelOne/Hunting Queries/SentinelOneAlertTriggers.yaml b/Solutions/SentinelOne/Hunting Queries/SentinelOneAlertTriggers.yaml new file mode 100755 index 0000000000..c1db198334 --- /dev/null +++ b/Solutions/SentinelOne/Hunting Queries/SentinelOneAlertTriggers.yaml @@ -0,0 +1,25 @@ +id: 660e92b5-1ef6-471f-b753-44a34af82c41 +name: Sentinel One - Alert triggers (files, processes, strings) +description: | + 'Query shows alert triggers (e.g. files, processes, etc.).' +severity: High +requiredDataConnectors: + - connectorId: SentinelOne + dataTypes: + - SentinelOne +tactics: + - InitialAccess +relevantTechniques: + - T1204 +query: | + SentinelOne + | where TimeGenerated > ago(24h) + | where ActivityType == 3608 + | order by EventCreationTime + | extend trigger = extract(@'Alert created for\s+(.*?)\sfrom Custom', 1, EventOriginalMessage) + | extend MalwareCustomEntity = trigger +entityMappings: + - entityType: Malware + fieldMappings: + - identifier: Name + columnName: MalwareCustomEntity diff --git a/Solutions/SentinelOne/Hunting Queries/SentinelOneHostNotScanned.yaml b/Solutions/SentinelOne/Hunting Queries/SentinelOneHostNotScanned.yaml new file mode 100755 index 0000000000..fd67f88bad --- /dev/null +++ b/Solutions/SentinelOne/Hunting Queries/SentinelOneHostNotScanned.yaml @@ -0,0 +1,29 @@ +id: e45ff570-e8a6-4f8e-9c08-7ee92ef86060 +name: Sentinel One - Hosts not scanned recently +description: | + 'Query searches for hosts wich were not scanned recently.' +severity: Low +requiredDataConnectors: + - connectorId: SentinelOne + dataTypes: + - SentinelOne +tactics: + - DefenseEvasion +relevantTechniques: + - T1070 +query: | + let scanned_agents = SentinelOne + | where TimeGenerated > ago(24h) + | where ActivityType == 92 + | order by TimeGenerated + | summarize makeset(DataComputerName); + SentinelOne + | where TimeGenerated > ago(24h) + | where EventType =~ 'Agents.' + | where ComputerName !in (scanned_agents) + | extend HostCustomEntity = ComputerName +entityMappings: + - entityType: Host + fieldMappings: + - identifier: HostName + columnName: HostCustomEntity diff --git a/Solutions/SentinelOne/Hunting Queries/SentinelOneNewRules.yaml b/Solutions/SentinelOne/Hunting Queries/SentinelOneNewRules.yaml new file mode 100755 index 0000000000..e58d96da60 --- /dev/null +++ b/Solutions/SentinelOne/Hunting Queries/SentinelOneNewRules.yaml @@ -0,0 +1,25 @@ +id: 9c3a38e4-0975-4f96-82ee-90ce68bec76a +name: Sentinel One - New rules +description: | + 'Query shows new rules.' +severity: Low +requiredDataConnectors: + - connectorId: SentinelOne + dataTypes: + - SentinelOne +tactics: + - DefenseEvasion +relevantTechniques: + - T1562 +query: | + SentinelOne + | where TimeGenerated > ago(24h) + | where ActivityType == 3600 + | order by EventCreationTime + | project EventCreationTime, DataRuleName, DataRuleQueryDetails, DataStatus, DataUserName + | extend AccountCustomEntity = DataUserName +entityMappings: + - entityType: Account + fieldMappings: + - identifier: Name + columnName: AccountCustomEntity diff --git a/Solutions/SentinelOne/Hunting Queries/SentinelOneRulesDeleted.yaml b/Solutions/SentinelOne/Hunting Queries/SentinelOneRulesDeleted.yaml new file mode 100755 index 0000000000..162809fb72 --- /dev/null +++ b/Solutions/SentinelOne/Hunting Queries/SentinelOneRulesDeleted.yaml @@ -0,0 +1,25 @@ +id: 8d1ca735-e29a-4bea-a2ec-93162790b686 +name: Sentinel One - Deleted rules +description: | + 'Query shows deleted rules.' +severity: Low +requiredDataConnectors: + - connectorId: SentinelOne + dataTypes: + - SentinelOne +tactics: + - DefenseEvasion +relevantTechniques: + - T1070 +query: | + SentinelOne + | where TimeGenerated > ago(24h) + | where ActivityType == 3602 + | order by EventCreationTime + | project EventCreationTime, DataRuleName, DataRuleQueryDetails, DataStatus, DataUserName + | extend AccountCustomEntity = DataUserName +entityMappings: + - entityType: Account + fieldMappings: + - identifier: Name + columnName: AccountCustomEntity diff --git a/Solutions/SentinelOne/Hunting Queries/SentinelOneScannedHosts.yaml b/Solutions/SentinelOne/Hunting Queries/SentinelOneScannedHosts.yaml new file mode 100755 index 0000000000..594869d66f --- /dev/null +++ b/Solutions/SentinelOne/Hunting Queries/SentinelOneScannedHosts.yaml @@ -0,0 +1,25 @@ +id: 17c77743-8bdb-4d29-a3cb-a7a08676122f +name: Sentinel One - Scanned hosts +description: | + 'Query searches for hosts with completed full scan.' +severity: Low +requiredDataConnectors: + - connectorId: SentinelOne + dataTypes: + - SentinelOne +tactics: + - DefenseEvasion +relevantTechniques: + - T1070 +query: | + SentinelOne + | where TimeGenerated > ago(24h) + | where ActivityType == 92 + | order by TimeGenerated + | project EventCreationTime, DataComputerName + | extend HostCustomEntity = DataComputerName +entityMappings: + - entityType: Host + fieldMappings: + - identifier: HostName + columnName: HostCustomEntity diff --git a/Solutions/SentinelOne/Hunting Queries/SentinelOneSourcesByAlertCount.yaml b/Solutions/SentinelOne/Hunting Queries/SentinelOneSourcesByAlertCount.yaml new file mode 100755 index 0000000000..71f0fa9536 --- /dev/null +++ b/Solutions/SentinelOne/Hunting Queries/SentinelOneSourcesByAlertCount.yaml @@ -0,0 +1,25 @@ +id: acd0a127-461e-48c8-96fa-27d14595abe0 +name: Sentinel One - Sources by alert count +description: | + 'Query shows sources (hosts) by alert count.' +severity: High +requiredDataConnectors: + - connectorId: SentinelOne + dataTypes: + - SentinelOne +tactics: + - InitialAccess +relevantTechniques: + - T1204 +query: | + SentinelOne + | where TimeGenerated > ago(24h) + | where ActivityType == 3608 + | extend DstHostname = extract(@'detected on\s(\S+)\.', 1, EventOriginalMessage) + | summarize count() by DstHostname + | extend HostCustomEntity = DstHostname +entityMappings: + - entityType: Host + fieldMappings: + - identifier: HostName + columnName: HostCustomEntity diff --git a/Solutions/SentinelOne/Hunting Queries/SentinelOneUninstalledAgents.yaml b/Solutions/SentinelOne/Hunting Queries/SentinelOneUninstalledAgents.yaml new file mode 100755 index 0000000000..2c304f6647 --- /dev/null +++ b/Solutions/SentinelOne/Hunting Queries/SentinelOneUninstalledAgents.yaml @@ -0,0 +1,23 @@ +id: f3a7cedd-6fc3-4661-a0ad-c1738e531917 +name: Sentinel One - Uninstalled agents +description: | + 'Query shows uninstalled agents.' +severity: Low +requiredDataConnectors: + - connectorId: SentinelOne + dataTypes: + - SentinelOne +tactics: + - DefenseEvasion +relevantTechniques: + - T1070 +query: | + SentinelOne + | where TimeGenerated > ago(24h) + | where ActivityType == 31 + | extend HostCustomEntity = DataComputerName +entityMappings: + - entityType: Host + fieldMappings: + - identifier: HostName + columnName: HostCustomEntity diff --git a/Solutions/SentinelOne/Hunting Queries/SentinelOneUsersByAlertCount.yaml b/Solutions/SentinelOne/Hunting Queries/SentinelOneUsersByAlertCount.yaml new file mode 100755 index 0000000000..a302c202b8 --- /dev/null +++ b/Solutions/SentinelOne/Hunting Queries/SentinelOneUsersByAlertCount.yaml @@ -0,0 +1,29 @@ +id: 56500e23-4e64-45a5-a444-98a1acb2f700 +name: Sentinel One - Users by alert count +description: | + 'Query shows users by alert count.' +severity: High +requiredDataConnectors: + - connectorId: SentinelOne + dataTypes: + - SentinelOne +tactics: + - InitialAccess +relevantTechniques: + - T1204 +query: | + SentinelOne + | where TimeGenerated > ago(24h) + | where ActivityType == 3608 + | extend DstHostname = extract(@'detected on\s(\S+)\.', 1, EventOriginalMessage) + | join (SentinelOne + | where EventType =~ 'Agents.' + | where isnotempty(LastLoggedInUserName) + | project DstHostname=ComputerName, LastLoggedInUserName) on DstHostname + | summarize count() by LastLoggedInUserName + | extend AccountCustomEntity = LastLoggedInUserName +entityMappings: + - entityType: Account + fieldMappings: + - identifier: Name + columnName: AccountCustomEntity diff --git a/Solutions/SentinelOne/Workbooks/Images/SentinelOneBlack.png b/Solutions/SentinelOne/Workbooks/Images/SentinelOneBlack.png new file mode 100644 index 0000000000..fb76025814 Binary files /dev/null and b/Solutions/SentinelOne/Workbooks/Images/SentinelOneBlack.png differ diff --git a/Solutions/SentinelOne/Workbooks/Images/SentinelOneWhite.png b/Solutions/SentinelOne/Workbooks/Images/SentinelOneWhite.png new file mode 100644 index 0000000000..2b332487fd Binary files /dev/null and b/Solutions/SentinelOne/Workbooks/Images/SentinelOneWhite.png differ diff --git a/Solutions/SentinelOne/Workbooks/SentinelOne.json b/Solutions/SentinelOne/Workbooks/SentinelOne.json new file mode 100644 index 0000000000..a777686316 --- /dev/null +++ b/Solutions/SentinelOne/Workbooks/SentinelOne.json @@ -0,0 +1,335 @@ +{ + "version": "Notebook/1.0", + "items": [ + { + "type": 1, + "content": { + "json": "**NOTE**: This data connector depends on a parser based on Kusto Function **SentinelOne** to work as expected. [Follow steps to get this Kusto Function](https://aka.ms/sentinel-sentinelone-parser)" + }, + "name": "text - 8" + }, + { + "type": 9, + "content": { + "version": "KqlParameterItem/1.0", + "parameters": [ + { + "id": "cd8447d9-b096-4673-92d8-2a1e8291a125", + "version": "KqlParameterItem/1.0", + "name": "TimeRange", + "type": 4, + "description": "Sets the time name for analysis", + "value": { + "durationMs": 604800000 + }, + "typeSettings": { + "selectableValues": [ + { + "durationMs": 900000 + }, + { + "durationMs": 3600000 + }, + { + "durationMs": 86400000 + }, + { + "durationMs": 604800000 + }, + { + "durationMs": 2592000000 + }, + { + "durationMs": 7776000000 + } + ] + }, + "timeContext": { + "durationMs": 86400000 + } + } + ], + "style": "pills", + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces" + }, + "name": "parameters - 11" + }, + { + "type": 3, + "content": { + "version": "KqlItem/1.0", + "query": "SentinelOne\r\n| make-series TotalEvents = count() default = 0 on TimeGenerated from {TimeRange:start} to {TimeRange:end} step {TimeRange:grain};", + "size": 0, + "title": "Events over time", + "color": "orange", + "timeContext": { + "durationMs": 0 + }, + "timeContextFromParameter": "TimeRange", + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces", + "visualization": "timechart", + "graphSettings": { + "type": 0 + } + }, + "customWidth": "50", + "name": "query - 12", + "styleSettings": { + "maxWidth": "55" + } + }, + { + "type": 3, + "content": { + "version": "KqlItem/1.0", + "query": "SentinelOne\r\n| where EventType =~ 'Agents.'\r\n| summarize count() by AgentVersion\r\n\r\n", + "size": 3, + "title": "Agents by version", + "timeContext": { + "durationMs": 0 + }, + "timeContextFromParameter": "TimeRange", + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces", + "visualization": "piechart", + "tileSettings": { + "titleContent": { + "columnMatch": "Title", + "formatter": 1 + }, + "leftContent": { + "columnMatch": "e_count", + "formatter": 12, + "formatOptions": { + "palette": "auto" + }, + "numberFormat": { + "unit": 17, + "options": { + "style": "decimal", + "maximumFractionDigits": 2, + "maximumSignificantDigits": 3 + } + } + }, + "secondaryContent": { + "columnMatch": "Trend", + "formatter": 9, + "formatOptions": { + "palette": "purple" + } + }, + "showBorder": false + } + }, + "customWidth": "35", + "name": "query - 0", + "styleSettings": { + "maxWidth": "30" + } + }, + { + "type": 3, + "content": { + "version": "KqlItem/1.0", + "query": "let usr1 = SentinelOne\n| where isnotempty(SrcUserName)\n| project usr=SrcUserName;\nlet usr2 = SentinelOne\n| where isnotempty(DataUserName)\n| project usr=DataUserName;\nlet all_usr =\nunion isfuzzy=true usr1, usr2\n| summarize cnt = dcount(usr)\n| extend title = 'Users';\nlet agnt = SentinelOne\n| where isnotempty(AgentId)\n| summarize cnt = dcount(AgentId)\n| extend title = 'Agents';\nlet alerts = SentinelOne\n| where ActivityType == 3608\n| summarize cnt = count()\n| extend title = 'Alerts';\nunion isfuzzy=true all_usr, agnt, alerts", + "size": 3, + "title": "SentinelOne Summary", + "timeContext": { + "durationMs": 0 + }, + "timeContextFromParameter": "TimeRange", + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces", + "visualization": "tiles", + "tileSettings": { + "titleContent": { + "columnMatch": "title", + "formatter": 1 + }, + "leftContent": { + "columnMatch": "cnt", + "formatter": 12, + "formatOptions": { + "palette": "auto" + }, + "numberFormat": { + "unit": 17, + "options": { + "style": "decimal", + "maximumFractionDigits": 2, + "maximumSignificantDigits": 3 + } + } + }, + "showBorder": false + } + }, + "customWidth": "15", + "name": "query - 10" + }, + { + "type": 3, + "content": { + "version": "KqlItem/1.0", + "query": "SentinelOne\r\n | where ActivityType == 27\r\n | where DataRole =~ 'Admin'\r\n | extend SrcIpAddr = extract(@'Address\\s(\\d{1,3}\\.\\d{1,3}\\.\\d{1,3}\\.\\d{1,3})', 1, EventOriginalMessage)\r\n | where isnotempty(SrcIpAddr)\r\n | summarize Events=count() by SrcIpAddr", + "size": 3, + "title": "Admin Sources", + "timeContext": { + "durationMs": 0 + }, + "timeContextFromParameter": "TimeRange", + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces", + "visualization": "piechart" + }, + "customWidth": "35", + "name": "query - 3", + "styleSettings": { + "margin": "10", + "padding": "10" + } + }, + { + "type": 3, + "content": { + "version": "KqlItem/1.0", + "query": "SentinelOne\r\n| where isnotempty(DataRole)\r\n| where DataRole =~ 'Admin'\r\n| order by EventCreationTime\r\n| limit 100\r\n| project EventCreationTime, User=case(isnotempty(SrcUserName), SrcUserName, DataUserName), Action=EventOriginalMessage", + "size": 1, + "title": "Admin activities", + "timeContext": { + "durationMs": 0 + }, + "timeContextFromParameter": "TimeRange", + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces", + "visualization": "table", + "gridSettings": { + "filter": true + }, + "sortBy": [] + }, + "customWidth": "55", + "name": "query - 2" + }, + { + "type": 3, + "content": { + "version": "KqlItem/1.0", + "query": "SentinelOne\r\n| where ActivityType == 3608\r\n| extend RuleName = extract(@'Custom Rule:\\s(.*?)\\sin Group', 1, EventOriginalMessage)\r\n| summarize Hits=count() by RuleName\r\n| top 10 by Hits\r\n", + "size": 1, + "title": "Top rules fired", + "timeContext": { + "durationMs": 0 + }, + "timeContextFromParameter": "TimeRange", + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces", + "visualization": "table", + "gridSettings": { + "formatters": [ + { + "columnMatch": "Hits", + "formatter": 8, + "formatOptions": { + "palette": "redGreen" + } + } + ], + "rowLimit": 50 + } + }, + "customWidth": "40", + "name": "query - 8" + }, + { + "type": 3, + "content": { + "version": "KqlItem/1.0", + "query": "SentinelOne\r\n| where ActivityType == 3608\r\n| extend AlertTrigger = extract(@'Alert created for\\s+(.*?)\\sfrom Custom', 1, EventOriginalMessage)\r\n| summarize Events=count() by AlertTrigger\r\n", + "size": 3, + "title": "Alert triggers", + "timeContext": { + "durationMs": 0 + }, + "timeContextFromParameter": "TimeRange", + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces", + "visualization": "piechart" + }, + "customWidth": "30", + "name": "query - 1" + }, + { + "type": 3, + "content": { + "version": "KqlItem/1.0", + "query": "SentinelOne\n| where ActivityType == 3608\n| extend Host = extract(@'detected on\\s(\\S+)\\.', 1, EventOriginalMessage)\n| summarize AlertCount=count() by Host\n", + "size": 1, + "title": "Hosts by alert count", + "timeContext": { + "durationMs": 0 + }, + "timeContextFromParameter": "TimeRange", + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces", + "visualization": "table" + }, + "customWidth": "30", + "name": "query - 10" + }, + { + "type": 3, + "content": { + "version": "KqlItem/1.0", + "query": "SentinelOne\r\n| where ActivityType == 3002\r\n| order by EventCreationTime\r\n| project Hash=EventSubStatus", + "size": 1, + "title": "Recent black hashes", + "timeContext": { + "durationMs": 0 + }, + "timeContextFromParameter": "TimeRange", + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces", + "visualization": "table", + "gridSettings": { + "formatters": [ + { + "columnMatch": "Hash", + "formatter": 0, + "formatOptions": { + "customColumnWidthSetting": "100%" + } + } + ], + "rowLimit": 100, + "filter": true + } + }, + "customWidth": "30", + "name": "query - 12" + }, + { + "type": 3, + "content": { + "version": "KqlItem/1.0", + "query": "SentinelOne\n| where ActivityType == 3608\n| order by EventCreationTime\n| extend AlertRule = extract(@'Custom Rule:\\s(.*?)\\sin Group', 1, EventOriginalMessage)\n| extend AffectedHost = extract(@'detected on\\s(\\S+)\\.', 1, EventOriginalMessage)\n| project EventCreationTime, AffectedHost, AlertRule", + "size": 1, + "title": "Latest alerts", + "timeContext": { + "durationMs": 0 + }, + "timeContextFromParameter": "TimeRange", + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces", + "visualization": "table" + }, + "customWidth": "70", + "name": "query - 11" + } + ], + "fromTemplateId": "sentinel-SentinelOneWorkbook", + "$schema": "https://github.com/Microsoft/Application-Insights-Workbooks/blob/master/schema/workbook.json" +} \ No newline at end of file diff --git a/Solutions/ShadowByte Aria/Data/Solution_ShadowByteAria.json b/Solutions/ShadowByte Aria/Data/Solution_ShadowByteAria.json new file mode 100644 index 0000000000..3b94ea95a6 --- /dev/null +++ b/Solutions/ShadowByte Aria/Data/Solution_ShadowByteAria.json @@ -0,0 +1,13 @@ +{ + "Name": "ShadowByte Aria", + "Author": "Eli Forbes - v-eliforbes@microsoft.com", + "Logo": "", + "Description": "", + "Playbooks": [ + "ShadowByte_Aria_Custom_Connector/azuredeploy.json", + "ShadowByte_Aria_Enrich_Incidents/azuredeploy.json", + "ShadowByte_Aria_Search_for_Breaches/azuredeploy.json" + ], + "BasePath": "https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Solutions/ShadowByte Aria/Playbooks/", + "Version": "1.0.0" +} \ No newline at end of file diff --git a/Solutions/ShadowByte Aria/Package/1.0.0.zip b/Solutions/ShadowByte Aria/Package/1.0.0.zip new file mode 100644 index 0000000000..b8cd588507 Binary files /dev/null and b/Solutions/ShadowByte Aria/Package/1.0.0.zip differ diff --git a/Solutions/ShadowByte Aria/Package/createUiDefinition.json b/Solutions/ShadowByte Aria/Package/createUiDefinition.json new file mode 100644 index 0000000000..d2fdc7aae4 --- /dev/null +++ b/Solutions/ShadowByte Aria/Package/createUiDefinition.json @@ -0,0 +1,242 @@ +{ + "$schema": "https://schema.management.azure.com/schemas/0.1.2-preview/CreateUIDefinition.MultiVm.json#", + "handler": "Microsoft.Azure.CreateUIDef", + "version": "0.1.2-preview", + "parameters": { + "config": { + "isWizard": false, + "basics": { + "description": "\n\n**Important:** _This Microsoft Sentinel Solution is currently in public preview. This feature is provided without a service level agreement, and it's not recommended for production workloads. Certain features might not be supported or might have constrained capabilities. For more information, see [Supplemental Terms of Use for Microsoft Azure Previews](https://azure.microsoft.com/support/legal/preview-supplemental-terms/)._\n\n**Note:** _There may be [known issues](https://aka.ms/sentinelsolutionsknownissues) pertaining to this Solution, please refer to them before installing._\n\n\n\nMicrosoft Sentinel Solutions provide a consolidated way to acquire Microsoft Sentinel content like data connectors, workbooks, analytics, and automations in your workspace with a single deployment step.\n\n**Playbooks:** 3\n\n[Learn more about Microsoft Sentinel](https://aka.ms/azuresentinel) | [Learn more about Solutions](https://aka.ms/azuresentinelsolutionsdoc)", + "subscription": { + "resourceProviders": [ + "Microsoft.OperationsManagement/solutions", + "Microsoft.OperationalInsights/workspaces/providers/alertRules", + "Microsoft.Insights/workbooks", + "Microsoft.Logic/workflows" + ] + }, + "location": { + "metadata": { + "hidden": "Hiding location, we get it from the log analytics workspace" + }, + "visible": false + }, + "resourceGroup": { + "allowExisting": true + } + } + }, + "basics": [ + { + "name": "getLAWorkspace", + "type": "Microsoft.Solutions.ArmApiControl", + "toolTip": "This filters by workspaces that exist in the Resource Group selected", + "condition": "[greater(length(resourceGroup().name),0)]", + "request": { + "method": "GET", + "path": "[concat(subscription().id,'/providers/Microsoft.OperationalInsights/workspaces?api-version=2020-08-01')]" + } + }, + { + "name": "workspace", + "type": "Microsoft.Common.DropDown", + "label": "Workspace", + "placeholder": "Select a workspace", + "toolTip": "This dropdown will list only workspace that exists in the Resource Group selected", + "constraints": { + "allowedValues": "[map(filter(basics('getLAWorkspace').value, (filter) => contains(filter.id, toLower(resourceGroup().name))), (item) => parse(concat('{\"label\":\"', item.name, '\",\"value\":\"', item.name, '\"}')))]", + "required": true + }, + "visible": true + } + ], + "steps": [ + { + "name": "playbooks", + "label": "Playbooks", + "subLabel": { + "preValidation": "Configure the playbooks", + "postValidation": "Done" + }, + "bladeTitle": "Playbooks", + "elements": [ + { + "name": "playbooks-text", + "type": "Microsoft.Common.TextBlock", + "options": { + "text": "This solution installs playbook resources. A security playbook is a collection of procedures that can be run from Azure Sentinel in response to an alert. A security playbook can help automate and orchestrate your response, and can be run manually or set to run automatically when specific alerts are triggered. Security playbooks in Azure Sentinel are based on Azure Logic Apps, which means that you get all the power, customizability, and built-in templates of Logic Apps. Each playbook is created for the specific subscription you choose, but when you look at the Playbooks page, you will see all the playbooks across any selected subscriptions.", + "link": { + "label": "Learn more", + "uri": "https://docs.microsoft.com/azure/sentinel/tutorial-respond-threats-playbook?WT.mc_id=Portal-Microsoft_Azure_CreateUIDef" + } + } + }, + { + "name": "playbook1", + "type": "Microsoft.Common.Section", + "label": "ShadowByte_Aria_Custom_Connector", + "elements": [ + { + "name": "playbook1-text", + "type": "Microsoft.Common.TextBlock", + "options": { + "text": "This playbook ingests events from ShadowByte Aria into Log Analytics using the API." + } + }, + { + "name": "playbook1-ConnectorName", + "type": "Microsoft.Common.TextBox", + "label": "Connector Name", + "defaultValue": "ShadowByteAriaConnector", + "toolTip": "Please enter Connector Name", + "constraints": { + "required": true, + "regex": "[a-z0-9A-Z]{1,256}$", + "validationMessage": "Please enter the Connector Name" + } + } + ] + }, + { + "name": "playbook2", + "type": "Microsoft.Common.Section", + "label": "ShadowByte_Aria_Enrich_Incidents", + "elements": [ + { + "name": "playbook2-text", + "type": "Microsoft.Common.TextBlock", + "options": { + "text": "This playbook ingests events from ShadowByte Aria into Log Analytics using the API." + } + }, + { + "name": "playbook2-PlaybookName", + "type": "Microsoft.Common.TextBox", + "label": "Playbook Name", + "defaultValue": "ShadowByte_Aria_Enrich_Incidents", + "toolTip": "Resource name for the logic app playbook. No spaces are allowed", + "constraints": { + "required": true, + "regex": "[a-z0-9A-Z]{1,256}$", + "validationMessage": "Please enter a playbook resource name" + } + }, + { + "name": "playbook2-ShadowByteAriaConnectorName", + "type": "Microsoft.Common.TextBox", + "label": "Shadow Byte Aria Connector Name", + "defaultValue": "ShadowByteAriaConnector", + "toolTip": "Please enter Shadow Byte Aria Connector Name", + "constraints": { + "required": true, + "regex": "[a-z0-9A-Z]{1,256}$", + "validationMessage": "Please enter the Shadow Byte Aria Connector Name" + } + } + ] + }, + { + "name": "playbook3", + "type": "Microsoft.Common.Section", + "label": "ShadowByte_Aria_Search_for_Breaches", + "elements": [ + { + "name": "playbook3-text", + "type": "Microsoft.Common.TextBlock", + "options": { + "text": "This playbook ingests events from ShadowByte Aria into Log Analytics using the API." + } + }, + { + "name": "playbook3-PlaybookName", + "type": "Microsoft.Common.TextBox", + "label": "Playbook Name", + "defaultValue": "ShadowByte_Aria_Search_for_Breaches", + "toolTip": "Resource name for the logic app playbook. No spaces are allowed", + "constraints": { + "required": true, + "regex": "[a-z0-9A-Z]{1,256}$", + "validationMessage": "Please enter a playbook resource name" + } + }, + { + "name": "playbook3-ShadowByteAriaConnectorName", + "type": "Microsoft.Common.TextBox", + "label": "Shadow Byte Aria Connector Name", + "defaultValue": "ShadowByteAriaConnector", + "toolTip": "Please enter Shadow Byte Aria Connector Name", + "constraints": { + "required": true, + "regex": "[a-z0-9A-Z]{1,256}$", + "validationMessage": "Please enter the Shadow Byte Aria Connector Name" + } + }, + { + "name": "playbook3-WorkspaceId", + "type": "Microsoft.Common.TextBox", + "label": "Workspace Id", + "defaultValue": "", + "toolTip": "Please enter Workspace Id", + "constraints": { + "required": true, + "regex": "[a-z0-9A-Z]{1,256}$", + "validationMessage": "Please enter the Workspace Id" + } + }, + { + "name": "playbook3-WorkspaceKey", + "type": "Microsoft.Common.TextBox", + "label": "Workspace Key", + "defaultValue": "", + "toolTip": "Please enter Workspace Key", + "constraints": { + "required": true, + "regex": "[a-z0-9A-Z]{1,256}$", + "validationMessage": "Please enter the Workspace Key" + } + }, + { + "name": "playbook3-Search", + "type": "Microsoft.Common.TextBox", + "label": "Search", + "defaultValue": "phrase", + "toolTip": "Please enter Search", + "constraints": { + "required": true, + "regex": "[a-z0-9A-Z]{1,256}$", + "validationMessage": "Please enter the Search" + } + }, + { + "name": "playbook3-SearchType", + "type": "Microsoft.Common.TextBox", + "label": "Search Type", + "defaultValue": "search-all", + "toolTip": "Please enter Search Type", + "constraints": { + "required": true, + "regex": "[a-z0-9A-Z]{1,256}$", + "validationMessage": "Please enter the Search Type" + } + } + ] + } + ] + } + ], + "outputs": { + "workspace-location": "[first(map(filter(basics('getLAWorkspace').value, (filter) => and(contains(filter.id, toLower(resourceGroup().name)),equals(filter.name,basics('workspace')))), (item) => item.location))]", + "location": "[location()]", + "workspace": "[basics('workspace')]", + "playbook1-ConnectorName": "[steps('playbooks').playbook1.playbook1-ConnectorName]", + "playbook2-PlaybookName": "[steps('playbooks').playbook2.playbook2-PlaybookName]", + "playbook2-ShadowByteAriaConnectorName": "[steps('playbooks').playbook2.playbook2-ShadowByteAriaConnectorName]", + "playbook3-PlaybookName": "[steps('playbooks').playbook3.playbook3-PlaybookName]", + "playbook3-ShadowByteAriaConnectorName": "[steps('playbooks').playbook3.playbook3-ShadowByteAriaConnectorName]", + "playbook3-WorkspaceId": "[steps('playbooks').playbook3.playbook3-WorkspaceId]", + "playbook3-WorkspaceKey": "[steps('playbooks').playbook3.playbook3-WorkspaceKey]", + "playbook3-Search": "[steps('playbooks').playbook3.playbook3-Search]", + "playbook3-SearchType": "[steps('playbooks').playbook3.playbook3-SearchType]" + } + } +} diff --git a/Solutions/ShadowByte Aria/Package/mainTemplate.json b/Solutions/ShadowByte Aria/Package/mainTemplate.json new file mode 100644 index 0000000000..2eff49f9a6 --- /dev/null +++ b/Solutions/ShadowByte Aria/Package/mainTemplate.json @@ -0,0 +1,1859 @@ +{ + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "metadata": { + "author": "Eli Forbes - v-eliforbes@microsoft.com", + "comments": "Solution template for ShadowByte Aria" + }, + "parameters": { + "location": { + "type": "string", + "minLength": 1, + "defaultValue": "[resourceGroup().location]", + "metadata": { + "description": "Not used, but needed to pass arm-ttk test `Location-Should-Not-Be-Hardcoded`. We instead use the `workspace-location` which is derived from the LA workspace" + } + }, + "workspace-location": { + "type": "string", + "defaultValue": "", + "metadata": { + "description": "[concat('Region to deploy solution resources -- separate from location selection',parameters('location'))]" + } + }, + "workspace": { + "defaultValue": "", + "type": "string", + "metadata": { + "description": "Workspace name for Log Analytics where Sentinel is setup" + } + }, + "playbook1-ConnectorName": { + "defaultValue": "ShadowByteAriaConnector", + "type": "string", + "minLength": 1 + }, + "playbook2-PlaybookName": { + "defaultValue": "shadowbyte-aria-enrich-alerts", + "type": "string", + "minLength": 1, + "metadata": { + "description": "Resource name for the logic app playbook. No spaces are allowed" + } + }, + "playbook2-ShadowByteAriaConnectorName": { + "defaultValue": "ShadowByteAriaConnector", + "type": "string", + "minLength": 1 + }, + "playbook3-PlaybookName": { + "defaultValue": "shadowbyte-aria-search-for-breaches", + "type": "string", + "minLength": 1, + "metadata": { + "description": "Resource name for the logic app playbook. No spaces are allowed" + } + }, + "playbook3-ShadowByteAriaConnectorName": { + "defaultValue": "ShadowByteAriaConnector", + "type": "string", + "minLength": 1 + }, + "playbook3-WorkspaceId": { + "defaultValue": "", + "type": "string" + }, + "playbook3-WorkspaceKey": { + "defaultValue": "", + "type": "string" + }, + "playbook3-Search": { + "defaultValue": "phrase", + "type": "string", + "minLength": 1 + }, + "playbook3-SearchType": { + "defaultValue": "search-all", + "type": "string", + "minLength": 1 + } + }, + "variables": { + "playbook1-ShadowByte_Aria_Custom_Connector": "playbook1-ShadowByte_Aria_Custom_Connector", + "_playbook1-ShadowByte_Aria_Custom_Connector": "[variables('playbook1-ShadowByte_Aria_Custom_Connector')]", + "playbook1-Api Endpoint": "https://api.ariaintel.io", + "operationId-getBreachSearch": "getBreachSearch", + "_operationId-getBreachSearch": "[variables('operationId-getBreachSearch')]", + "operationId-getForumSearch": "getForumSearch", + "_operationId-getForumSearch": "[variables('operationId-getForumSearch')]", + "operationId-getNosqlSearch": "getNosqlSearch", + "_operationId-getNosqlSearch": "[variables('operationId-getNosqlSearch')]", + "operationId-getPasteSearch": "getPasteSearch", + "_operationId-getPasteSearch": "[variables('operationId-getPasteSearch')]", + "operationId-getReleaseSearch": "getReleaseSearch", + "_operationId-getReleaseSearch": "[variables('operationId-getReleaseSearch')]", + "playbook2-ShadowByte_Aria_Enrich_Incidents": "playbook2-ShadowByte_Aria_Enrich_Incidents", + "_playbook2-ShadowByte_Aria_Enrich_Incidents": "[variables('playbook2-ShadowByte_Aria_Enrich_Incidents')]", + "playbook2-AzureSentinelConnectionName": "[concat('azuresentinel-', parameters('playbook2-PlaybookName'))]", + "playbook2-ShadowByteAriaConnectionName": "[concat('shadowbyteariaconnector-', parameters('playbook2-PlaybookName'))]", + "playbook-2-connection-1": "[concat('/subscriptions/', subscription().subscriptionId, '/resourceGroups/', resourceGroup().name, '/providers/Microsoft.Web/customApis/', parameters('playbook1-ConnectorName'))]", + "_playbook-2-connection-1": "[variables('playbook-2-connection-1')]", + "playbook-2-connection-2": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', parameters('workspace-location'), '/managedApis/azuresentinel')]", + "_playbook-2-connection-2": "[variables('playbook-2-connection-2')]", + "playbook3-ShadowByte_Aria_Search_for_Breaches": "playbook3-ShadowByte_Aria_Search_for_Breaches", + "_playbook3-ShadowByte_Aria_Search_for_Breaches": "[variables('playbook3-ShadowByte_Aria_Search_for_Breaches')]", + "playbook3-AzureLogAnalyticsDataCollectorConnectionName": "[concat('azureloganalyticsdatacollector-', parameters('playbook3-PlaybookName'))]", + "playbook3-ShadowByteAriaConnectionName": "[concat('shadowbyteariaconnector-', parameters('playbook3-PlaybookName'))]", + "playbook-3-connection-2": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', parameters('workspace-location'), '/managedApis/azureloganalyticsdatacollector')]", + "_playbook-3-connection-2": "[variables('playbook-3-connection-2')]", + "sourceId": "publisherId_publisherId.offerId_offerId", + "_sourceId": "[variables('sourceId')]" + }, + "resources": [ + { + "type": "Microsoft.Web/customApis", + "apiVersion": "2016-06-01", + "name": "[parameters('playbook1-ConnectorName')]", + "location": "[parameters('workspace-location')]", + "metadata": { + "workspace": "[parameters('workspace')]" + }, + "properties": { + "connectionParameters": { + "api_key": { + "type": "securestring" + } + }, + "backendService": { + "serviceUrl": "[variables('playbook1-Api Endpoint')]" + }, + "brandColor": "#ffffff", + "description": "Shadow Byte's Aria Custom Connector", + "displayName": "[parameters('playbook1-ConnectorName')]", + "iconUri": "data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAAgAAAAIACAMAAADDpiTIAAAC73pUWHRSYXcgcHJvZmlsZSB0eXBlIGV4aWYAAHja7ZZtjtwgDIb/c4oeIbYxNschEKTeoMfv63x1ZzqVtur+qTSgAAvktfHjMJu2H99n+oZC1XLKal5qKQtKrrlyw8CXo7S9pSXv7VX4nH2YT/cCY0rQy7Hg5ejpmr+Ezp4aRvpByPu5sD4u1Hya9yeh05CER+HCOIXqKSR8LNAp0I5jLaW6fTzCuh39uA7qx5OiETuOd4k8/50N0RuKSWHehGRBy8KHAxIPJWmxsLcIR7QYR2mSpZyeICCv4rR88Cq9oEKvqNyjJygwRgc1eQpmufuX86Svg5/2EH+wLP22/DBvcpt4CHI8cw5Pc27H6VouCGk5D3UdZR9h44qQy/5aQTU8irHttaJ6QvZ20BlLX1bUTpUY0Z+UaVCjSdved+pwMfPGhp65A1TMuRhX7rIkUMpRabJJlSEOmB14BbN8+0K73bqb6+QwPAg7mSBGkQopmq+ofxSaM1KeaPE7VvCLIwnhRpCLFrsAhOaVR7oH+KrPJbgKCOoeZscB27IeEqvSmVuRR7KDFmxU9MdnQTZOAYQIthXOIOszLYVEqdBizEaEODr4NAg5S+YVCEiVB7zkLFIAxzls4x2jfS8rH9O4swBCpYgBTZUGVnGxIX8sO3KoqWhW1aKmrlVbkZKLllKsxOXXTCybWjEzt2rNxbOrFzf35NVb5Sq4HLWWatVrra3BaINyw9sNG1pbeZU1r7qW1VZf69o60qfnrr1065567W3wkIF7YpRhw0cdbaMNqbTlTbey2eZb3dpEqk2Zeeos06bPOttNjdKB9bf6eWp0UeOdVGy0mxpeNbskKK4TDWYgxplA3IIAEpqD2eKUM6dAF8yWyvgqlOGlBpxBQQwE80ask252v8g9cEs5/xM3vsilQPcV5FKg+wO537m9oDbi16YvknZC8RlGUBfB54cNmzf2Fj9qn+7T377wFnoLvYXeQm+ht9Bb6P8RmvjnoeKf9J/m/qK6y9Yp1AAAAYRpQ0NQSUNDIHByb2ZpbGUAAHicfZE9SMNAHMVfU0WtFQc7qHTIUJ0siIo4ahWKUKHUCq06mFz6BU0akhQXR8G14ODHYtXBxVlXB1dBEPwAcXNzUnSREv+XFFrEeHDcj3f3HnfvAKFeZqrZMQ6ommWk4jExk10Vu14RQC96EMaQxEx9LplMwHN83cPH17soz/I+9+foU3ImA3wi8SzTDYt4g3h609I57xOHWFFSiM+Jxwy6IPEj12WX3zgXHBZ4ZshIp+aJQ8RioY3lNmZFQyWeIo4oqkb5QsZlhfMWZ7VcZc178hcGc9rKMtdphhHHIpaQhAgZVZRQhoUorRopJlK0H/PwDzv+JLlkcpXAyLGAClRIjh/8D353a+YnJ9ykYAzofLHtjxGgaxdo1Gz7+9i2GyeA/xm40lr+Sh2Y+SS91tIiR0D/NnBx3dLkPeByBxh80iVDciQ/TSGfB97P6JuywMAtEFhze2vu4/QBSFNXiRvg4BAYLVD2use7u9t7+/dMs78fPBtykRuE4z0AAA+LaVRYdFhNTDpjb20uYWRvYmUueG1wAAAAAAA8P3hwYWNrZXQgYmVnaW49Iu+7vyIgaWQ9Ilc1TTBNcENlaGlIenJlU3pOVGN6a2M5ZCI/Pgo8eDp4bXBtZXRhIHhtbG5zOng9ImFkb2JlOm5zOm1ldGEvIiB4OnhtcHRrPSJYTVAgQ29yZSA0LjQuMC1FeGl2MiI+CiA8cmRmOlJERiB4bWxuczpyZGY9Imh0dHA6Ly93d3cudzMub3JnLzE5OTkvMDIvMjItcmRmLXN5bnRheC1ucyMiPgogIDxyZGY6RGVzY3JpcHRpb24gcmRmOmFib3V0PSIiCiAgICB4bWxuczppcHRjRXh0PSJodHRwOi8vaXB0Yy5vcmcvc3RkL0lwdGM0eG1wRXh0LzIwMDgtMDItMjkvIgogICAgeG1sbnM6eG1wTU09Imh0dHA6Ly9ucy5hZG9iZS5jb20veGFwLzEuMC9tbS8iCiAgICB4bWxuczpzdEV2dD0iaHR0cDovL25zLmFkb2JlLmNvbS94YXAvMS4wL3NUeXBlL1Jlc291cmNlRXZlbnQjIgogICAgeG1sbnM6cGx1cz0iaHR0cDovL25zLnVzZXBsdXMub3JnL2xkZi94bXAvMS4wLyIKICAgIHhtbG5zOkdJTVA9Imh0dHA6Ly93d3cuZ2ltcC5vcmcveG1wLyIKICAgIHhtbG5zOmRjPSJodHRwOi8vcHVybC5vcmcvZGMvZWxlbWVudHMvMS4xLyIKICAgIHhtbG5zOnRpZmY9Imh0dHA6Ly9ucy5hZG9iZS5jb20vdGlmZi8xLjAvIgogICAgeG1sbnM6eG1wPSJodHRwOi8vbnMuYWRvYmUuY29tL3hhcC8xLjAvIgogICB4bXBNTTpEb2N1bWVudElEPSJnaW1wOmRvY2lkOmdpbXA6NmRiZDdhZmMtZDk0MS00NjhhLWJlMDMtM2I5MjQ1MmFhNTVhIgogICB4bXBNTTpJbnN0YW5jZUlEPSJ4bXAuaWlkOjdkMzM2NjBmLWY2ODYtNDhiMS04ZDdmLTRhOTJhOGUyNjkwOCIKICAgeG1wTU06T3JpZ2luYWxEb2N1bWVudElEPSJ4bXAuZGlkOjFjZTE3YzFhLWFhYmEtNDJhNC04OTFkLTkzNDJkNmQ1NGFmNiIKICAgR0lNUDpBUEk9IjIuMCIKICAgR0lNUDpQbGF0Zm9ybT0iTGludXgiCiAgIEdJTVA6VGltZVN0YW1wPSIxNjMzOTQ0ODI2NTExOTkxIgogICBHSU1QOlZlcnNpb249IjIuMTAuMjIiCiAgIGRjOkZvcm1hdD0iaW1hZ2UvcG5nIgogICB0aWZmOk9yaWVudGF0aW9uPSIxIgogICB4bXA6Q3JlYXRvclRvb2w9IkdJTVAgMi4xMCI+CiAgIDxpcHRjRXh0OkxvY2F0aW9uQ3JlYXRlZD4KICAgIDxyZGY6QmFnLz4KICAgPC9pcHRjRXh0OkxvY2F0aW9uQ3JlYXRlZD4KICAgPGlwdGNFeHQ6TG9jYXRpb25TaG93bj4KICAgIDxyZGY6QmFnLz4KICAgPC9pcHRjRXh0OkxvY2F0aW9uU2hvd24+CiAgIDxpcHRjRXh0OkFydHdvcmtPck9iamVjdD4KICAgIDxyZGY6QmFnLz4KICAgPC9pcHRjRXh0OkFydHdvcmtPck9iamVjdD4KICAgPGlwdGNFeHQ6UmVnaXN0cnlJZD4KICAgIDxyZGY6QmFnLz4KICAgPC9pcHRjRXh0OlJlZ2lzdHJ5SWQ+CiAgIDx4bXBNTTpIaXN0b3J5PgogICAgPHJkZjpTZXE+CiAgICAgPHJkZjpsaQogICAgICBzdEV2dDphY3Rpb249InNhdmVkIgogICAgICBzdEV2dDpjaGFuZ2VkPSIvIgogICAgICBzdEV2dDppbnN0YW5jZUlEPSJ4bXAuaWlkOmI0YWVlMjMyLWNjODktNDYxZi04MGEzLTVmN2YyMWQ2OGI1MyIKICAgICAgc3RFdnQ6c29mdHdhcmVBZ2VudD0iR2ltcCAyLjEwIChMaW51eCkiCiAgICAgIHN0RXZ0OndoZW49IiswMjowMCIvPgogICAgPC9yZGY6U2VxPgogICA8L3htcE1NOkhpc3Rvcnk+CiAgIDxwbHVzOkltYWdlU3VwcGxpZXI+CiAgICA8cmRmOlNlcS8+CiAgIDwvcGx1czpJbWFnZVN1cHBsaWVyPgogICA8cGx1czpJbWFnZUNyZWF0b3I+CiAgICA8cmRmOlNlcS8+CiAgIDwvcGx1czpJbWFnZUNyZWF0b3I+CiAgIDxwbHVzOkNvcHlyaWdodE93bmVyPgogICAgPHJkZjpTZXEvPgogICA8L3BsdXM6Q29weXJpZ2h0T3duZXI+CiAgIDxwbHVzOkxpY2Vuc29yPgogICAgPHJkZjpTZXEvPgogICA8L3BsdXM6TGljZW5zb3I+CiAgPC9yZGY6RGVzY3JpcHRpb24+CiA8L3JkZjpSREY+CjwveDp4bXBtZXRhPgogICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgCiAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAKICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIAogICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgCiAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAKICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIAogICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgCiAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAKICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIAogICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgCiAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAKICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIAogICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgCiAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAKICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIAogICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgCiAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAKICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIAogICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgCiAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAKICAgICAgICAgICAgICAgICAgICAgICAgICAgCjw/eHBhY2tldCBlbmQ9InciPz75myotAAAC8VBMVEUAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAADF5N8AAAAAXRSTlMAQObYZgAAAAFiS0dEAIgFHUgAAAAJcEhZcwAACxMAAAsTAQCanBgAAAAHdElNRQflCgsJIS5IdJySAAAI3UlEQVR42u3di7Kjxg4FUPT/P32rkpsZA42f3WoBa1Wq5hGOAWkjMMbJsgAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAABAOdHPiO3QoJ69HhyAn3qWFYC49cGek4Cv2pYWgLhx/9MC8EXnkgIQ9w5AZgI+rHReAOLG/W/ufJRIQE4AQgBSExAlAxA37n/yCPig2CkBCAHIHgFvlzsjAHe+u/C0pFEgAQIwMQAVEpAQgDvfYHxR05ifAAGYGYDhCYhiAYgb939OAGJ+AEIAKo+A5ADEjftfcwQMD0AIwMzLwJclzw5A3Lj/k0ZATA1ACMD0ERClAhA37n/FBAwOQAiAANw0AW8Xdm4CxgYgBKDGdWDMCcCdHzmOpJ0XgJsH4N0YVApA3Lj/43a+YABCAFJ3/qsETAlA3Lj/sUxKQH4AQgDSd/7z9c4JQNy4/1Fr9IzbyBCAMyRgUgDixv2PWSvPDUAIQLUElApA3Lj/s04CqQEIATjHCJgWgLhx/yuNgEEbGAJQcATUCkDcuP+TRkBeAEIAzjICJgYgbtz/iwcgBOA054CZAYgb93/OCEgKQAhA0RFQLQBx4/5fOAAhANN3/iwBiBv3/7IBCAGYv/OnCUDcuP8XDUAIQIGdP08A4sb9H7jz8wIQAiAAN01ACECtIpQJQP43ZKJeAK7/NaFnO3ibAFQqQp0BkP4luagXgOXy3xR8vns1ArCMDkClIlQaANnprxeACUUoNQBy0z/tqeBKRag1AFLTH/UCkF+EagMgM/3TvhlUqQjVBkBi+qNeAPKLUG8ApKV/3tfDCxWh4ADISv/Ht1wTApBehJIDICf9MS8AdYpQcwCkpD8qBiC7CFUHQEL6v/nQrdcmlSlC2QEwPP3ffeo6PAC5Rag8AMam/9tP3TttUY0i1B4AA9P/w2MXowOQV4T6A6DTTbqvLGMDMK4IVxoAnW7TnyoAv9+qvNIA6PNBXdf+9wnAwCJcagB8WKmM/g8OQI9PK640AGaNgMEBGFqESw2ASSNgmRWAToG50ACYMgKWwQEYXIRLDYAZbwSWaQHoGJnLDID8EbCMDsDwIlxqAKSPgGVeADqH5iIDIHkELMMDkFCESw2A3BGwTAzAgNhcYgBkjoBlfABSinCpAZA4ApaZARgUnAsMgLQRsCQEIKkIlxoASSPgt72oVoRLDYCUEbCkBCCtCJcaAAmfCPy8G9WKcK0BMH4EJAUgsQiXGgDjR8DsACTE59QDoNAImNnBSwZgSIDOFoCko+jEA6DOCBhxDo+sw+i8A6DOCJh6EXe1J8QP9nLkzk+8ERT3aN/vo2Js/QoG4PgH7tj+GDz/Bl2JD1nxzabD149FpY6A1Du5dzpDpD0VM+nTwJ++hHCX7uc8FVMsAB0Kc5n2x9DW9clR70/z338Q6PLdH1fFnjnKfpzj4m8Xp3wkPuGZwG6PIV+3+5n3UgoF4Is1XrT9mR+Jpz8W3vmy44rdz/1IvEwAvt3c67U/45mqAafkpPevl/oAYdZj1Z1y1DUAv23vhdofGa3rk6Oe3+uLxLpV7v7wL1ePel+e+cXOG381sNYI+P6G/uwnGap2f+x/Yq17jjoGoF8JT93+gf+V1RE5+viHEna8eAa6PZJfYgT0C0DvSp6z/aP+XyvDcvTNUz3j97xqBnp+JafICOgWgDr1nNj+If/H1bE5+vjBzq67HnGiDIzb1pkjoFcAxhU1Lt//qSPgs5/ov+9XCsDse0ozA1DzwDpL/2eOgI9+YMjOXyUABW4rzwtA4WPrFP2fOAI+WX7U3gvAxDcCXQJQvbr1+z9vBHyw+Iy9P0sARq5hbI56BOAUBS6/eZNGwPtLT9r9MwRg8DqG5qhDAM5T49rbNmcEvL3wvP2vHoDxaxmZo98DcLIyF96wKSPg3WWnFqByAFLWUzkAZ6x01a2aMQLeXDQEIGGjZoyAXwNw1oOtYv+njID3lkwrwbkCkLiuqgE49fFWrv8zRsBbC2bW4DwBqLu2vACc/5Cr1f8JI+Cd5ZKLcOsAdPrWbFIAlspHAQAAAAAAAAAAwNseH1F682mlvz/y+LvWUv/99s9frRb4YjXPFm6teb9YY7efvFjjufKl8a+evGqlJ8A2Dfn3jw/bvH5gLXZt2i32d/mjB/Ae17v5i9Xi6xQ9vPh2NQeRit1u7F5vvVSzVbumPSzfWuGzyjRKuv21RgC2v27Cvz6wlqM92bf0nz+tXuOfv9j8q2Wzsk1iDo+6zZbs1rPe4n3h2w+WP/Tzzyv+l6XWChvjZ5f5/Z+mBeAhiuv6Nrsa655sftvuzPqgjieNWXbj4nELPw1AK0yr19vP7FhenLJisw9PVnhcme2x1fzpMgHYjuPYVCWWVwFYXgTg+FpjfTr6OABPRnl8F4D4IACPeX4xTRuTMvUE8F4AHuLaqsr2nHcwGfcXiKtTazsAq9PD8Un9RQAeF1+feJrXvrvT0vrS5p3EvQjA0tq9KQGI9wPw/3/WF2YfTYDDI/hZAB7K+eEE2E/YP6/XCMCuPOvEtYdmMwDrq75X11P701/m273WNdOum/H3gH+cGqvr2S8DsJmFzQAsjcnx5jVAMwDNa6+jrw03j4UXp4DjyjQvqGe9L/z3gna9JU8uAv/GOh7G3IsAbC8CN5fEy/7U2vz5zgHYvhk4CkBjwaMALLHrf/MNx8EvMekEsJ7+jWJuL8AiDt5iNToTS7zzNjAO7gN8GoDGW5ZovdtYv97D5X3szwCP0+9ozftp8qwyf66k598HiObl9nZ3D8/b+/PD8vpG0L6vj1V6diPo+FozNu+olnduBDV2cLO9cRCA3QmtsZJ2ZZ7V1JdDAQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAPje/wAwD1VrVv3I1gAAAABJRU5ErkJggg==", + "apiType": "Rest", + "swagger": { + "swagger": "2.0", + "info": { + "description": "Shadow Byte's Aria", + "title": "ARIA API", + "version": "2.0.14" + }, + "host": "[substring(variables('playbook1-Api Endpoint'),8)]", + "basePath": "/", + "schemes": [ + "https" + ], + "paths": { + "/v2/breach/search": { + "get": { + "produces": [ + "application/json" + ], + "parameters": [ + { + "description": "Search criteria", + "enum": [ + "username", + "password", + "email", + "name", + "phone", + "hash", + "domain", + "ipaddress", + "netblock", + "address", + "crypto", + "social", + "all" + ], + "in": "query", + "name": "searchType", + "required": true, + "type": "string" + }, + { + "description": "Search term for querying the database", + "in": "query", + "name": "search", + "required": true, + "type": "string" + }, + { + "collectionFormat": "multi", + "description": "Breaches not to include in the search results", + "in": "query", + "items": { + "type": "string" + }, + "name": "excludedBreaches", + "required": false, + "type": "array" + }, + { + "default": false, + "description": "Include marketing data", + "in": "query", + "name": "marketingData", + "required": false, + "type": "boolean" + }, + { + "default": false, + "description": "Perform a fuzzy search", + "in": "query", + "name": "fuzzySearch", + "required": false, + "type": "boolean" + }, + { + "description": "Return results created after a given date in YYYY:MM:DD HH:MM:SS format", + "format": "date", + "in": "query", + "name": "dateFrom", + "required": false, + "type": "string" + }, + { + "description": "Return results created before a given date in YYYY:MM:DD HH:MM:SS format", + "format": "date", + "in": "query", + "name": "dateTo", + "required": false, + "type": "string" + }, + { + "default": 0, + "description": "Search results offset. Only the results after the given number (position) will be returned.", + "in": "query", + "name": "start", + "required": false, + "type": "number" + }, + { + "default": 100, + "description": "Search results length. How many results to return.", + "in": "query", + "name": "length", + "required": false, + "type": "number" + }, + { + "default": "breach", + "description": "Sort criteria", + "enum": [ + "amazon", + "breach", + "btc", + "company", + "device", + "deviceid", + "dob", + "domain", + "email", + "hash", + "importdate", + "ip", + "phone", + "mobile", + "name", + "other", + "password", + "salt", + "url", + "userid", + "username", + "wallet", + "fbid", + "fb_user", + "tdid", + "twitter", + "liid", + "linkedin", + "instaid", + "insta" + ], + "in": "query", + "name": "sortBy", + "required": false, + "type": "string" + }, + { + "default": "asc", + "description": "Sort direction", + "enum": [ + "asc", + "desc" + ], + "in": "query", + "name": "sortType", + "required": false, + "type": "string" + } + ], + "responses": { + "200": { + "description": "A list of search results", + "schema": { + "$ref": "#/definitions/breach_success_response" + } + }, + "422": { + "description": "Validation failure", + "schema": { + "$ref": "#/definitions/validation_response" + } + } + }, + "tags": [ + "Breach" + ], + "description": "Search for credentials.", + "operationId": "[variables('_operationId-getBreachSearch')]", + "summary": "Breach Search" + } + }, + "/v2/forums/search": { + "get": { + "produces": [ + "application/json" + ], + "parameters": [ + { + "description": "Search criteria", + "enum": [ + "all", + "content", + "author" + ], + "in": "query", + "name": "searchType", + "required": true, + "type": "string" + }, + { + "description": "Search term. Searches author name to get forum list for that author. You can also search like `data AND aria` to search 2 words.", + "in": "query", + "name": "search", + "required": true, + "type": "string" + }, + { + "default": false, + "description": "Search provided author forum list with fuzzy data", + "in": "query", + "name": "fuzzySearch", + "required": false, + "type": "boolean" + }, + { + "description": "Return results created after a given date in YYYY:MM:DD HH:MM:SS format", + "format": "date", + "in": "query", + "name": "dateFrom", + "required": false, + "type": "string" + }, + { + "description": "Return results created before a given date in YYYY:MM:DD HH:MM:SS format", + "format": "date", + "in": "query", + "name": "dateTo", + "required": false, + "type": "string" + }, + { + "default": 0, + "description": "It will start the result after provided counts", + "format": "int32", + "in": "query", + "name": "start", + "required": false, + "type": "number" + }, + { + "default": 100, + "description": "Returns given number of results", + "format": "int32", + "in": "query", + "name": "length", + "required": false, + "type": "number" + }, + { + "description": "Sort criteria", + "enum": [ + "pid", + "author", + "date" + ], + "in": "query", + "name": "sortBy", + "required": false, + "type": "string" + }, + { + "default": "asc", + "description": "Sort direction", + "enum": [ + "asc", + "desc" + ], + "in": "query", + "name": "sortType", + "required": false, + "type": "string" + } + ], + "responses": { + "200": { + "description": "A list of search results", + "schema": { + "$ref": "#/definitions/forums_search_success_response" + } + }, + "422": { + "description": "Validation failure", + "schema": { + "$ref": "#/definitions/validation_response" + } + } + }, + "tags": [ + "Forum Search" + ], + "description": "Search for forum messages.", + "operationId": "[variables('_operationId-getForumSearch')]", + "summary": "Forums Search" + } + }, + "/v2/nosql/search": { + "get": { + "produces": [ + "application/json" + ], + "parameters": [ + { + "description": "Search term", + "in": "query", + "name": "search", + "required": false, + "type": "string" + }, + { + "default": false, + "description": "Search provided NoSQL list with fuzzy data", + "in": "query", + "name": "fuzzySearch", + "required": false, + "type": "boolean" + }, + { + "description": "Database type", + "enum": [ + "elastic", + "mongodb", + "cassandra" + ], + "in": "query", + "name": "databaseType", + "required": false, + "type": "string" + }, + { + "description": "Return results created after a given date in YYYY:MM:DD HH:MM:SS format", + "format": "date", + "in": "query", + "name": "dateFrom", + "required": false, + "type": "string" + }, + { + "description": "Return results created before a given date in YYYY:MM:DD HH:MM:SS format", + "format": "date", + "in": "query", + "name": "dateTo", + "required": false, + "type": "string" + }, + { + "default": 0, + "description": "It will start the result after provided counts", + "format": "int32", + "in": "query", + "name": "start", + "required": false, + "type": "number" + }, + { + "default": 100, + "description": "Returns given number of results", + "format": "int32", + "in": "query", + "name": "length", + "required": false, + "type": "number" + }, + { + "default": "ip", + "description": "Sort criteria", + "enum": [ + "date", + "ip", + "type", + "totalSize", + "recordsCount", + "indexesCount" + ], + "in": "query", + "name": "sortBy", + "required": false, + "type": "string" + }, + { + "default": "asc", + "description": "Sort direction", + "enum": [ + "asc", + "desc" + ], + "in": "query", + "name": "sortType", + "required": false, + "type": "string" + } + ], + "responses": { + "200": { + "description": "A list of search results", + "schema": { + "$ref": "#/definitions/nosql_success_response" + } + }, + "422": { + "description": "Validation failure", + "schema": { + "$ref": "#/definitions/validation_response" + } + } + }, + "tags": [ + "NoSQL" + ], + "description": "Search through NoSQL metadata.", + "operationId": "[variables('_operationId-getNosqlSearch')]", + "summary": "NoSQL Search" + } + }, + "/v2/pastes/search": { + "get": { + "produces": [ + "application/json" + ], + "parameters": [ + { + "description": "Search criteria", + "enum": [ + "content", + "pid" + ], + "in": "query", + "name": "searchType", + "required": true, + "type": "string" + }, + { + "description": "Search provided keyword in the whole paste database", + "in": "query", + "name": "search", + "required": true, + "type": "string" + }, + { + "default": false, + "description": "Search provided pastes list with fuzzy data", + "in": "query", + "name": "fuzzySearch", + "required": false, + "type": "boolean" + }, + { + "default": 0, + "description": "It will start the result after provided counts", + "format": "int32", + "in": "query", + "name": "start", + "required": false, + "type": "number" + }, + { + "default": 100, + "description": "Returns given number of results", + "format": "int32", + "in": "query", + "name": "length", + "required": false, + "type": "number" + } + ], + "responses": { + "200": { + "description": "A list of search results", + "schema": { + "$ref": "#/definitions/paste_success_response" + } + }, + "422": { + "description": "Validation failure", + "schema": { + "$ref": "#/definitions/validation_response" + } + } + }, + "tags": [ + "Paste Search" + ], + "description": "Search for matching pastes.", + "operationId": "[variables('_operationId-getPasteSearch')]", + "summary": "Paste Search" + } + }, + "/v2/release/search": { + "get": { + "produces": [ + "application/json" + ], + "parameters": [ + { + "in": "query", + "name": "search", + "type": "string" + }, + { + "default": 0, + "in": "query", + "name": "start", + "required": false, + "type": "number" + }, + { + "default": 100, + "in": "query", + "name": "length", + "required": false, + "type": "number" + }, + { + "enum": [ + "name", + "size", + "breachDate", + "importDate" + ], + "in": "query", + "name": "sortBy", + "required": false, + "type": "string" + }, + { + "default": "asc", + "enum": [ + "asc", + "desc" + ], + "in": "query", + "name": "sortType", + "required": false, + "type": "string" + } + ], + "responses": { + "200": { + "description": "A list", + "schema": { + "$ref": "#/definitions/release_success_response" + } + }, + "422": { + "description": "Validation failure", + "schema": { + "$ref": "#/definitions/validation_response" + } + } + }, + "tags": [ + "Release" + ], + "description": "Search through breach releases.", + "operationId": "[variables('_operationId-getReleaseSearch')]", + "summary": "Breach Release Search" + } + } + }, + "definitions": { + "breach": { + "properties": { + "address": { + "type": "string" + }, + "amazon": { + "type": "string" + }, + "breach": { + "type": "string" + }, + "btc": { + "type": "string" + }, + "company": { + "type": "string" + }, + "device": { + "type": "string" + }, + "deviceid": { + "type": "string" + }, + "dob": { + "type": "string" + }, + "domain": { + "type": "string" + }, + "email": { + "type": "string" + }, + "fb_user": { + "type": "string" + }, + "fbid": { + "type": "string" + }, + "hash": { + "type": "string" + }, + "id": { + "type": "string" + }, + "importdate": { + "type": "string" + }, + "insta": { + "type": "string" + }, + "instaid": { + "type": "string" + }, + "ip": { + "type": "string" + }, + "liid": { + "type": "string" + }, + "linkedin": { + "type": "string" + }, + "mobile": { + "type": "string" + }, + "name": { + "type": "string" + }, + "other": { + "type": "string" + }, + "password": { + "type": "string" + }, + "phone": { + "type": "string" + }, + "salt": { + "type": "string" + }, + "tdid": { + "type": "string" + }, + "twitter": { + "type": "string" + }, + "url": { + "type": "string" + }, + "userid": { + "type": "string" + }, + "username": { + "type": "string" + }, + "wallet": { + "type": "string" + } + }, + "type": "object" + }, + "breach_field": { + "enum": [ + "username", + "password", + "email", + "name", + "phone", + "hash", + "domain", + "ipaddress", + "netblock", + "address", + "crypto", + "social", + "all" + ], + "type": "string" + }, + "breach_sort_field": { + "default": "breach", + "enum": [ + "amazon", + "breach", + "btc", + "company", + "device", + "deviceid", + "dob", + "domain", + "email", + "hash", + "importdate", + "ip", + "phone", + "mobile", + "name", + "other", + "password", + "salt", + "url", + "userid", + "username", + "wallet", + "fbid", + "fb_user", + "tdid", + "twitter", + "liid", + "linkedin", + "instaid", + "insta" + ], + "type": "string" + }, + "breach_success_response": { + "properties": { + "data": { + "items": { + "$ref": "#/definitions/breach" + }, + "type": "array" + }, + "message": { + "type": "string" + }, + "pagination": { + "$ref": "#/definitions/pagination" + }, + "success": { + "type": "boolean" + } + }, + "type": "object" + }, + "forum": { + "properties": { + "author": { + "type": "string" + }, + "dateTime": { + "example": "March 29, 2019, 05:00:00", + "type": "string" + }, + "forum": { + "type": "string" + }, + "id": { + "type": "string" + }, + "message": { + "type": "string" + }, + "pid": { + "type": "string" + }, + "subject": { + "type": "string" + } + }, + "type": "object" + }, + "forum_details": { + "properties": { + "author": { + "type": "string" + }, + "cid": { + "type": "string" + }, + "dateTime": { + "example": "March 29, 2019, 05:00:00", + "type": "string" + }, + "forum": { + "type": "string" + }, + "id": { + "type": "string" + }, + "img": { + "type": "string" + }, + "message": { + "type": "string" + }, + "pid": { + "type": "string" + }, + "subject": { + "type": "string" + } + }, + "type": "object" + }, + "forum_field": { + "enum": [ + "all", + "content", + "author" + ], + "type": "string" + }, + "forum_sort_field": { + "enum": [ + "pid", + "author", + "date" + ], + "type": "string" + }, + "forums_search_details_success_response": { + "properties": { + "data": { + "items": { + "$ref": "#/definitions/forum_details" + }, + "type": "array" + }, + "message": { + "type": "string" + }, + "pagination": { + "$ref": "#/definitions/pagination" + }, + "success": { + "type": "boolean" + } + }, + "type": "object" + }, + "forums_search_success_response": { + "properties": { + "data": { + "items": { + "$ref": "#/definitions/forum" + }, + "type": "array" + }, + "message": { + "type": "string" + }, + "pagination": { + "$ref": "#/definitions/pagination" + }, + "success": { + "type": "boolean" + } + }, + "type": "object" + }, + "nosql": { + "properties": { + "date": { + "type": "string" + }, + "id": { + "type": "string" + }, + "indexes": { + "items": { + "$ref": "#/definitions/nosql_index" + }, + "type": "array" + }, + "indexesCount": { + "type": "string" + }, + "ip": { + "type": "string" + }, + "recordsCount": { + "type": "string" + }, + "totalSize": { + "type": "string" + }, + "type": { + "type": "string" + } + }, + "type": "object" + }, + "nosql_database_type": { + "enum": [ + "elastic", + "mongodb", + "cassandra" + ], + "type": "string" + }, + "nosql_index": { + "properties": { + "count": { + "type": "number" + }, + "fields": { + "items": { + "type": "string" + }, + "type": "array" + }, + "name": { + "type": "string" + }, + "size": { + "type": "string" + } + }, + "type": "object" + }, + "nosql_sort_field": { + "default": "ip", + "enum": [ + "date", + "ip", + "type", + "totalSize", + "recordsCount", + "indexesCount" + ], + "type": "string" + }, + "nosql_success_response": { + "properties": { + "data": { + "items": { + "$ref": "#/definitions/nosql" + }, + "type": "array" + }, + "message": { + "type": "string" + }, + "pagination": { + "$ref": "#/definitions/pagination" + }, + "success": { + "type": "boolean" + } + }, + "type": "object" + }, + "pagination": { + "properties": { + "count": { + "type": "number" + }, + "length": { + "type": "number" + }, + "start": { + "type": "number" + }, + "total": { + "type": "number" + } + }, + "type": "object" + }, + "paste": { + "properties": { + "date": { + "type": "string" + }, + "pasteid": { + "type": "string" + }, + "size": { + "type": "string" + }, + "source": { + "type": "string" + } + }, + "type": "object" + }, + "paste_details": { + "properties": { + "content": { + "type": "string" + }, + "date": { + "type": "string" + }, + "highlight": { + "additionalProperties": { + "items": { + "type": "string" + }, + "title": "field", + "type": "array" + }, + "example": { + "pasteid": [ + "0V18DJSI4" + ] + }, + "type": "object" + }, + "pasteid": { + "type": "string" + }, + "size": { + "type": "string" + }, + "source": { + "type": "string" + } + }, + "type": "object" + }, + "paste_details_success_response": { + "properties": { + "data": { + "$ref": "#/definitions/paste_details" + }, + "message": { + "type": "string" + }, + "success": { + "type": "boolean" + } + }, + "type": "object" + }, + "paste_field": { + "enum": [ + "pid", + "content" + ], + "type": "string" + }, + "paste_success_response": { + "properties": { + "data": { + "items": { + "$ref": "#/definitions/paste" + }, + "type": "array" + }, + "message": { + "type": "string" + }, + "pagination": { + "$ref": "#/definitions/pagination" + }, + "success": { + "type": "boolean" + } + }, + "type": "object" + }, + "release_record": { + "properties": { + "breachDate": { + "type": "string" + }, + "code": { + "type": "string" + }, + "id": { + "type": "number" + }, + "importDate": { + "type": "string" + }, + "media": { + "type": "object" + }, + "name": { + "type": "string" + }, + "totalRecords": { + "type": "number" + }, + "types": { + "type": "object" + } + }, + "type": "object" + }, + "release_record_sort_field": { + "enum": [ + "name", + "size", + "breachDate", + "importDate" + ], + "type": "string" + }, + "release_success_response": { + "properties": { + "data": { + "items": { + "$ref": "#/definitions/release_record" + }, + "type": "array" + }, + "message": { + "type": "string" + }, + "pagination": { + "$ref": "#/definitions/pagination" + }, + "success": { + "type": "boolean" + } + }, + "type": "object" + }, + "sort_direction": { + "default": "asc", + "enum": [ + "asc", + "desc" + ], + "type": "string" + }, + "validation_response": { + "properties": { + "errors": { + "additionalProperties": { + "items": { + "type": "string" + }, + "title": "field", + "type": "array" + }, + "example": { + "field": [ + "string" + ] + }, + "type": "object" + }, + "message": { + "type": "string" + }, + "success": { + "example": false, + "type": "boolean" + } + }, + "type": "object" + } + }, + "securityDefinitions": { + "API Key": { + "type": "apiKey", + "in": "header", + "name": "apiKey" + } + }, + "security": [ + {} + ], + "tags": [ + { + "name": "Breach" + }, + { + "name": "Forum Search" + }, + { + "name": "NoSQL" + }, + { + "name": "Paste Search" + }, + { + "name": "Release" + } + ], + "x-components": { + "responses": { + "validation_failure": { + "content": { + "application/json": { + "schema": { + "$ref": "#/definitions/validation_response" + } + } + }, + "description": "Validation failure" + } + } + } + } + } + }, + { + "type": "Microsoft.Web/connections", + "apiVersion": "2016-06-01", + "name": "[variables('playbook2-ShadowByteAriaConnectionName')]", + "location": "[parameters('workspace-location')]", + "dependsOn": [ + "[resourceId('Microsoft.Web/customApis', parameters('playbook1-ConnectorName'))]" + ], + "properties": { + "api": { + "id": "[variables('_playbook-2-connection-1')]" + } + } + }, + { + "type": "Microsoft.Web/connections", + "apiVersion": "2016-06-01", + "name": "[variables('playbook2-AzureSentinelConnectionName')]", + "location": "[parameters('workspace-location')]", + "kind": "V1", + "properties": { + "displayName": "[variables('playbook2-AzureSentinelConnectionName')]", + "parameterValueType": "alternative", + "api": { + "id": "[variables('_playbook-2-connection-2')]" + } + } + }, + { + "type": "Microsoft.Logic/workflows", + "apiVersion": "2017-07-01", + "name": "[parameters('playbook2-PlaybookName')]", + "location": "[parameters('workspace-location')]", + "dependsOn": [ + "[resourceId('Microsoft.Web/connections', variables('playbook2-ShadowByteAriaConnectionName'))]", + "[resourceId('Microsoft.Web/connections', variables('playbook2-AzureSentinelConnectionName'))]", + "[resourceId('Microsoft.Web/customApis', parameters('playbook1-ConnectorName'))]" + ], + "tags": { + "LogicAppsCategory": "security", + "hidden-SentinelTemplateName": "EnrichIncidentsShadowByteAria", + "hidden-SentinelTemplateVersion": "1.0" + }, + "identity": { + "type": "SystemAssigned" + }, + "properties": { + "state": "Enabled", + "definition": { + "$schema": "https://schema.@{variables('azureManagementUrl')}/providers/Microsoft.Logic/schemas/2016-06-01/workflowdefinition.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "$connections": { + "type": "Object" + } + }, + "triggers": { + "When_Azure_Sentinel_incident_creation_rule_was_triggered": { + "type": "ApiConnectionWebhook", + "inputs": { + "body": { + "callback_url": "@{listCallbackUrl()}" + }, + "host": { + "connection": { + "name": "@parameters('$connections')['azuresentinel']['connectionId']" + } + }, + "path": "/incident-creation" + } + } + }, + "actions": { + "Add_comment_to_incident_(V3)": { + "runAfter": { + "Compose": [ + "Succeeded" + ] + }, + "type": "ApiConnection", + "inputs": { + "body": { + "incidentArmId": "@triggerBody()?['object']?['id']", + "message": "

The following breaches were found to be associated with the affected accounts:
@{outputs('Compose')}

" + }, + "host": { + "connection": { + "name": "@parameters('$connections')['azuresentinel']['connectionId']" + } + }, + "method": "post", + "path": "/Incidents/Comment" + } + }, + "Compose": { + "runAfter": { + "For_each": [ + "Succeeded" + ] + }, + "type": "Compose", + "inputs": "@variables('Breaches')" + }, + "Entities_-_Get_Accounts": { + "type": "ApiConnection", + "inputs": { + "body": "@triggerBody()?['object']?['properties']?['relatedEntities']", + "host": { + "connection": { + "name": "@parameters('$connections')['azuresentinel']['connectionId']" + } + }, + "method": "post", + "path": "/entities/account" + } + }, + "For_each": { + "foreach": "@body('Entities_-_Get_Accounts')?['Accounts']", + "actions": { + "If_the_Account_Name_is_not_an_empty_string": { + "actions": { + "Breach_Search": { + "type": "ApiConnection", + "inputs": { + "host": { + "connection": { + "name": "@parameters('$connections')['ShadowByteAriaConnector']['connectionId']" + } + }, + "method": "get", + "path": "/v2/breach/search", + "queries": { + "fuzzySearch": false, + "length": 1000, + "marketingData": false, + "search": "@items('For_each')?['Name']", + "searchType": "all", + "sortBy": "breach", + "sortType": "asc", + "start": 0 + } + } + }, + "If_the_request_returned_any_results": { + "actions": { + "Append_to_string_variable": { + "runAfter": { + "Create_HTML_table": [ + "Succeeded" + ] + }, + "type": "AppendToStringVariable", + "inputs": { + "name": "Breaches", + "value": "@body('Create_HTML_table')" + } + }, + "Create_HTML_table": { + "type": "Table", + "inputs": { + "format": "HTML", + "from": "@body('Breach_Search')?['data']" + } + } + }, + "runAfter": { + "Breach_Search": [ + "Succeeded" + ] + }, + "expression": { + "and": [ + { + "equals": [ + "@body('Breach_Search')?['success']", + true + ] + }, + { + "greater": [ + "@body('Breach_Search')?['pagination']?['count']", + 0 + ] + } + ] + }, + "type": "If" + } + }, + "expression": { + "and": [ + { + "greater": [ + "@length(items('For_each')?['Name'])", + 0 + ] + } + ] + }, + "type": "If" + } + }, + "runAfter": { + "Initialize_Breaches": [ + "Succeeded" + ] + }, + "type": "Foreach" + }, + "Initialize_Breaches": { + "runAfter": { + "Entities_-_Get_Accounts": [ + "Succeeded" + ] + }, + "type": "InitializeVariable", + "inputs": { + "variables": [ + { + "name": "Breaches", + "type": "string" + } + ] + } + } + } + }, + "parameters": { + "$connections": { + "value": { + "ShadowByteAriaConnector": { + "connectionId": "[resourceId('Microsoft.Web/connections', variables('playbook2-ShadowByteAriaConnectionName'))]", + "connectionName": "[variables('playbook2-ShadowByteAriaConnectionName')]", + "id": "[concat('/subscriptions/', subscription().subscriptionId, '/resourceGroups/', resourceGroup().name, '/providers/Microsoft.Web/customApis/', parameters('playbook2-ShadowByteAriaConnectorName'))]" + }, + "azuresentinel": { + "connectionId": "[resourceId('Microsoft.Web/connections', variables('playbook2-AzureSentinelConnectionName'))]", + "connectionName": "[variables('playbook2-AzureSentinelConnectionName')]", + "id": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', parameters('workspace-location'), '/managedApis/azuresentinel')]", + "connectionProperties": { + "authentication": { + "type": "ManagedServiceIdentity" + } + } + } + } + } + } + } + }, + { + "type": "Microsoft.Web/connections", + "apiVersion": "2016-06-01", + "name": "[variables('playbook3-ShadowByteAriaConnectionName')]", + "location": "[parameters('workspace-location')]", + "dependsOn": [ + "[resourceId('Microsoft.Web/customApis', parameters('playbook1-ConnectorName'))]" + ], + "properties": { + "api": { + "id": "[variables('_playbook-2-connection-1')]" + } + } + }, + { + "type": "Microsoft.Web/connections", + "apiVersion": "2016-06-01", + "name": "[variables('playbook3-AzureLogAnalyticsDataCollectorConnectionName')]", + "location": "[parameters('workspace-location')]", + "properties": { + "displayName": "[variables('playbook3-AzureLogAnalyticsDataCollectorConnectionName')]", + "api": { + "id": "[variables('_playbook-3-connection-2')]" + }, + "parameterValues": { + "username": "[parameters('playbook3-WorkspaceId')]", + "password": "[parameters('playbook3-WorkspaceKey')]" + } + } + }, + { + "type": "Microsoft.Logic/workflows", + "apiVersion": "2017-07-01", + "name": "[parameters('playbook3-PlaybookName')]", + "location": "[parameters('workspace-location')]", + "dependsOn": [ + "[resourceId('Microsoft.Web/connections', variables('playbook3-ShadowByteAriaConnectionName'))]", + "[resourceId('Microsoft.Web/connections', variables('playbook3-AzureLogAnalyticsDataCollectorConnectionName'))]", + "[resourceId('Microsoft.Web/customApis', parameters('playbook1-ConnectorName'))]" + ], + "tags": { + "LogicAppsCategory": "security", + "hidden-SentinelTemplateName": "SearchForBreachesShadowByteAria", + "hidden-SentinelTemplateVersion": "1.0" + }, + "properties": { + "state": "Enabled", + "definition": { + "$schema": "https://schema.@{variables('azureManagementUrl')}/providers/Microsoft.Logic/schemas/2016-06-01/workflowdefinition.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "$connections": { + "type": "Object" + }, + "search": { + "defaultValue": " ", + "type": "String" + }, + "type": { + "defaultValue": "search-all", + "type": "String" + } + }, + "triggers": { + "Recurrence": { + "recurrence": { + "frequency": "Day", + "interval": 1 + }, + "evaluatedRecurrence": { + "frequency": "Day", + "interval": 1 + }, + "type": "Recurrence" + } + }, + "actions": { + "Initialize_variable": { + "runAfter": { + "Set_End_Date": [ + "Succeeded" + ] + }, + "type": "InitializeVariable", + "inputs": { + "variables": [ + { + "name": "nextStart", + "type": "integer", + "value": 0 + } + ] + } + }, + "Set_End_Date": { + "runAfter": { + "Set_Start_Date": [ + "Succeeded" + ] + }, + "type": "InitializeVariable", + "inputs": { + "variables": [ + { + "name": "formattedEndDate", + "type": "string", + "value": "@{formatDateTime(utcNow(), 'yyyy-MM-dd')}" + } + ] + } + }, + "Set_Start_Date": { + "type": "InitializeVariable", + "inputs": { + "variables": [ + { + "name": "formattedStartDate", + "type": "string", + "value": "@{formatDateTime(addDays(utcNow(), -1), 'yyyy-MM-dd')}" + } + ] + } + }, + "Until": { + "actions": { + "Breach_Search": { + "type": "ApiConnection", + "inputs": { + "host": { + "connection": { + "name": "@parameters('$connections')['ShadowByteAriaConnector']['connectionId']" + } + }, + "method": "get", + "path": "/v2/breach/search", + "queries": { + "dateFrom": "@variables('formattedStartDate')", + "dateTo": "@variables('formattedEndDate')", + "fuzzySearch": false, + "length": 100, + "marketingData": false, + "search": "@parameters('search')", + "searchType": "@parameters('type')", + "sortBy": "breach", + "sortType": "asc", + "start": "@variables('nextStart')" + } + } + }, + "For_each": { + "foreach": "@body('Breach_Search')?['data']", + "actions": { + "Send_Data": { + "type": "ApiConnection", + "inputs": { + "body": "@{items('For_each')}", + "headers": { + "Log-Type": "ShadowByteAriaForums" + }, + "host": { + "connection": { + "name": "@parameters('$connections')['azureloganalyticsdatacollector']['connectionId']" + } + }, + "method": "post", + "path": "/api/logs" + } + } + }, + "runAfter": { + "Set_variable": [ + "Succeeded" + ] + }, + "type": "Foreach" + }, + "Set_variable": { + "runAfter": { + "Breach_Search": [ + "Succeeded" + ] + }, + "type": "SetVariable", + "inputs": { + "name": "nextStart", + "value": "@add(body('Breach_Search').pagination.start, body('Breach_Search').pagination.length)" + } + } + }, + "runAfter": { + "Initialize_variable": [ + "Succeeded" + ] + }, + "expression": "@greaterOrEquals(variables('nextStart'), body('Breach_Search')?['pagination']?['total'])", + "limit": { + "count": 100, + "timeout": "PT1H" + }, + "type": "Until" + } + } + }, + "parameters": { + "search": { + "type": "String", + "value": "[parameters('playbook3-Search')]" + }, + "type": { + "type": "String", + "value": "[parameters('playbook3-SearchType')]" + }, + "$connections": { + "value": { + "ShadowByteAriaConnector": { + "connectionId": "[resourceId('Microsoft.Web/connections', variables('playbook3-ShadowByteAriaConnectionName'))]", + "connectionName": "[variables('playbook3-ShadowByteAriaConnectionName')]", + "id": "[concat('/subscriptions/', subscription().subscriptionId, '/resourceGroups/', resourceGroup().name, '/providers/Microsoft.Web/customApis/', parameters('playbook3-ShadowByteAriaConnectorName'))]" + }, + "azureloganalyticsdatacollector": { + "connectionId": "[resourceId('Microsoft.Web/connections', variables('playbook3-AzureLogAnalyticsDataCollectorConnectionName'))]", + "connectionName": "[variables('playbook3-AzureLogAnalyticsDataCollectorConnectionName')]", + "id": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', parameters('workspace-location'), '/managedApis/azureloganalyticsdatacollector')]" + } + } + } + } + } + }, + { + "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/', variables('_sourceId'))]", + "apiVersion": "2021-03-01-preview", + "properties": { + "contentId": "[variables('_sourceId')]", + "version": "1.0.0", + "kind": "Solution", + "parentId": "[variables('_sourceId')]", + "source": { + "kind": "Solution", + "name": "ShadowByte Aria", + "sourceId": "[variables('_sourceId')]" + }, + "author": { + "name": "Eli Forbes", + "email": "v-eliforbes@microsoft.com" + }, + "support": { + "name": "name_name", + "email": "email_email", + "tier": "Partner", + "link": "link_link" + }, + "providers": ["Microsoft"], + "dependencies": { + "operator": "AND", + "criteria": [ + { + "kind": "Playbook", + "contentId": "[variables('_playbook1-ShadowByte_Aria_Custom_Connector')]", + "version": "1.0.0" + }, + { + "kind": "Playbook", + "contentId": "[variables('_playbook2-ShadowByte_Aria_Enrich_Incidents')]", + "version": "1.0.0" + }, + { + "kind": "Playbook", + "contentId": "[variables('_playbook3-ShadowByte_Aria_Search_for_Breaches')]", + "version": "1.0.0" + } + ] + }, + "categories": { + "domains": [ + "Security - Threat Intelligence" + ] + } + } + } + ], + "outputs": {} +} diff --git a/Solutions/SlackAudit/Package/1.0.3.zip b/Solutions/SlackAudit/Package/1.0.3.zip new file mode 100644 index 0000000000..ef4881074f Binary files /dev/null and b/Solutions/SlackAudit/Package/1.0.3.zip differ diff --git a/Solutions/SlackAudit/Package/1.0.4.zip b/Solutions/SlackAudit/Package/1.0.4.zip new file mode 100644 index 0000000000..b20f43a08b Binary files /dev/null and b/Solutions/SlackAudit/Package/1.0.4.zip differ diff --git a/Solutions/SlackAudit/Package/1.0.5.zip b/Solutions/SlackAudit/Package/1.0.5.zip new file mode 100644 index 0000000000..11400c6abb Binary files /dev/null and b/Solutions/SlackAudit/Package/1.0.5.zip differ diff --git a/Solutions/SlackAudit/Package/createUiDefinition.json b/Solutions/SlackAudit/Package/createUiDefinition.json new file mode 100644 index 0000000000..eefd8f7b76 --- /dev/null +++ b/Solutions/SlackAudit/Package/createUiDefinition.json @@ -0,0 +1,461 @@ +{ + "$schema": "https://schema.management.azure.com/schemas/0.1.2-preview/CreateUIDefinition.MultiVm.json#", + "handler": "Microsoft.Azure.CreateUIDef", + "version": "0.1.2-preview", + "parameters": { + "config": { + "isWizard": false, + "basics": { + "description": "\n\n**Important:** _This Microsoft Sentinel Solution is currently in public preview. This feature is provided without a service level agreement, and it's not recommended for production workloads. Certain features might not be supported or might have constrained capabilities. For more information, see [Supplemental Terms of Use for Microsoft Azure Previews](https://azure.microsoft.com/support/legal/preview-supplemental-terms/)._\n\n**Note:** _There may be [known issues](https://aka.ms/sentinelsolutionsknownissues) pertaining to this Solution, please refer to them before installing._\n\n[Slack](https://slack.com) Audit data connector provides the capability to ingest [Slack Audit Records](https://api.slack.com/admins/audit-logs) events into Azure Sentinel through the REST API. Refer to [API documentation](https://api.slack.com/admins/audit-logs#the_audit_event) for more information. The connector provides ability to get events which helps to examine potential security risks, analyze your team's use of collaboration, diagnose configuration problems and more.\n\nMicrosoft Sentinel Solutions provide a consolidated way to acquire Microsoft Sentinel content like data connectors, workbooks, analytics, and automations in your workspace with a single deployment step.\n\n**Data Connectors:** 2, **Parsers:** 1, **Workbooks:** 1, **Analytic Rules:** 9, **Hunting Queries:** 10\n\n[Learn more about Microsoft Sentinel](https://aka.ms/azuresentinel) | [Learn more about Solutions](https://aka.ms/azuresentinelsolutionsdoc)", + "subscription": { + "resourceProviders": [ + "Microsoft.OperationsManagement/solutions", + "Microsoft.OperationalInsights/workspaces/providers/alertRules", + "Microsoft.Insights/workbooks", + "Microsoft.Logic/workflows" + ] + }, + "location": { + "metadata": { + "hidden": "Hiding location, we get it from the log analytics workspace" + }, + "visible": false + }, + "resourceGroup": { + "allowExisting": true + } + } + }, + "basics": [ + { + "name": "getLAWorkspace", + "type": "Microsoft.Solutions.ArmApiControl", + "toolTip": "This filters by workspaces that exist in the Resource Group selected", + "condition": "[greater(length(resourceGroup().name),0)]", + "request": { + "method": "GET", + "path": "[concat(subscription().id,'/providers/Microsoft.OperationalInsights/workspaces?api-version=2020-08-01')]" + } + }, + { + "name": "workspace", + "type": "Microsoft.Common.DropDown", + "label": "Workspace", + "placeholder": "Select a workspace", + "toolTip": "This dropdown will list only workspace that exists in the Resource Group selected", + "constraints": { + "allowedValues": "[map(filter(basics('getLAWorkspace').value, (filter) => contains(filter.id, toLower(resourceGroup().name))), (item) => parse(concat('{\"label\":\"', item.name, '\",\"value\":\"', item.name, '\"}')))]", + "required": true + }, + "visible": true + } + ], + "steps": [ + { + "name": "dataconnectors", + "label": "Data Connectors", + "bladeTitle": "Data Connectors", + "elements": [ + { + "name": "dataconnectors1-text", + "type": "Microsoft.Common.TextBlock", + "options": { + "text": "This Solution installs the data connector for SlackAudit. You can get SlackAudit custom log data in your Azure Sentinel workspace. Configure and enable this data connector in the Data Connector gallery after this Solution deploys. This data connector creates custom log table(s) SlackAudit_CL in your Azure Sentinel / Azure Log Analytics workspace." + } + }, + { + "name": "dataconnectors2-text", + "type": "Microsoft.Common.TextBlock", + "options": { + "text": "This Solution installs the data connector for SlackAuditNativePoller. You can get SlackAuditNativePoller custom log data in your Azure Sentinel workspace. Configure and enable this data connector in the Data Connector gallery after this Solution deploys. This data connector creates custom log table(s) SlackAuditNativePoller_CL in your Azure Sentinel / Azure Log Analytics workspace." + } + }, + { + "name": "dataconnectors-parser-text", + "type": "Microsoft.Common.TextBlock", + "options": { + "text": "The Solution installs a parser that transforms the ingested data into Azure Sentinel normalized format. The normalized format enables better correlation of different types of data from different data sources to drive end-to-end outcomes seamlessly in security monitoring, hunting, incident investigation and response scenarios in Azure Sentinel." + } + }, + { + "name": "dataconnectors-link1", + "type": "Microsoft.Common.TextBlock", + "options": { + "link": { + "label": "Learn more about normalized format", + "uri": "https://docs.microsoft.com/azure/sentinel/normalization-schema" + } + } + }, + { + "name": "dataconnectors-link2", + "type": "Microsoft.Common.TextBlock", + "options": { + "link": { + "label": "Learn more about connecting data sources", + "uri": "https://docs.microsoft.com/azure/sentinel/connect-data-sources" + } + } + } + ] + }, + { + "name": "workbooks", + "label": "Workbooks", + "subLabel": { + "preValidation": "Configure the workbooks", + "postValidation": "Done" + }, + "bladeTitle": "Workbooks", + "elements": [ + { + "name": "workbooks-text", + "type": "Microsoft.Common.TextBlock", + "options": { + "text": "This Azure Sentinel Solution installs workbooks. Workbooks provide a flexible canvas for data monitoring, analysis, and the creation of rich visual reports within the Azure portal. They allow you to tap into one or many data sources from Azure Sentinel and combine them into unified interactive experiences.", + "link": { + "label": "Learn more", + "uri": "https://docs.microsoft.com/azure/sentinel/tutorial-monitor-your-data" + } + } + }, + { + "name": "workbook1", + "type": "Microsoft.Common.Section", + "label": "SlackAudit", + "elements": [ + { + "name": "workbook1-text", + "type": "Microsoft.Common.TextBlock" + }, + { + "name": "workbook1-name", + "type": "Microsoft.Common.TextBox", + "label": "Display Name", + "defaultValue": "SlackAudit", + "toolTip": "Display name for the workbook.", + "constraints": { + "required": true, + "regex": "[a-z0-9A-Z]{1,256}$", + "validationMessage": "Please enter a workbook name" + } + } + ] + } + ] + }, + { + "name": "analytics", + "label": "Analytics", + "subLabel": { + "preValidation": "Configure the analytics", + "postValidation": "Done" + }, + "bladeTitle": "Analytics", + "elements": [ + { + "name": "analytics-text", + "type": "Microsoft.Common.TextBlock", + "options": { + "text": "This Azure Sentinel Solution installs analytic rules for SlackAudit that you can enable for custom alert generation in Azure Sentinel. These analytic rules will be deployed in disabled mode in the analytics rules gallery of your Azure Sentinel workspace. Configure and enable these rules in the analytic rules gallery after this Solution deploys.", + "link": { + "label": "Learn more", + "uri": "https://docs.microsoft.com/azure/sentinel/tutorial-detect-threats-custom?WT.mc_id=Portal-Microsoft_Azure_CreateUIDef" + } + } + }, + { + "name": "analytic1", + "type": "Microsoft.Common.Section", + "label": "SlackAudit - Empty User Agent", + "elements": [ + { + "name": "analytic1-text", + "type": "Microsoft.Common.TextBlock", + "options": { + "text": "This query shows connections to the Slack Workspace with empty User Agent." + } + } + ] + }, + { + "name": "analytic2", + "type": "Microsoft.Common.Section", + "label": "SlackAudit - Multiple archived files uploaded in short period of time", + "elements": [ + { + "name": "analytic2-text", + "type": "Microsoft.Common.TextBlock", + "options": { + "text": "This query helps to detect when a user uploads multiple archived files in short period of time." + } + } + ] + }, + { + "name": "analytic3", + "type": "Microsoft.Common.Section", + "label": "SlackAudit - Multiple failed logins for user", + "elements": [ + { + "name": "analytic3-text", + "type": "Microsoft.Common.TextBlock", + "options": { + "text": "This query helps to detect bruteforce of a user account." + } + } + ] + }, + { + "name": "analytic4", + "type": "Microsoft.Common.Section", + "label": "SlackAudit - Public link created for file which can contain sensitive information.", + "elements": [ + { + "name": "analytic4-text", + "type": "Microsoft.Common.TextBlock", + "options": { + "text": "Detects public links for files which potentialy may contain sensitive data such as passwords, authentication tokens, secret keys." + } + } + ] + }, + { + "name": "analytic5", + "type": "Microsoft.Common.Section", + "label": "SlackAudit - Suspicious file downloaded.", + "elements": [ + { + "name": "analytic5-text", + "type": "Microsoft.Common.TextBlock", + "options": { + "text": "Detects potentialy suspicious downloads." + } + } + ] + }, + { + "name": "analytic6", + "type": "Microsoft.Common.Section", + "label": "SlackAudit - Unknown User Agent", + "elements": [ + { + "name": "analytic6-text", + "type": "Microsoft.Common.TextBlock", + "options": { + "text": "This query helps to detect who trying to connect to the Slack Workspace with unknown User Agent." + } + } + ] + }, + { + "name": "analytic7", + "type": "Microsoft.Common.Section", + "label": "SlackAudit - User role changed to admin or owner", + "elements": [ + { + "name": "analytic7-text", + "type": "Microsoft.Common.TextBlock", + "options": { + "text": "This query helps to detect a change in the users role to admin or owner." + } + } + ] + }, + { + "name": "analytic8", + "type": "Microsoft.Common.Section", + "label": "SlackAudit - User email linked to account changed.", + "elements": [ + { + "name": "analytic8-text", + "type": "Microsoft.Common.TextBlock", + "options": { + "text": "Detects when user email linked to account changes." + } + } + ] + }, + { + "name": "analytic9", + "type": "Microsoft.Common.Section", + "label": "SlackAudit - User login after deactivated.", + "elements": [ + { + "name": "analytic9-text", + "type": "Microsoft.Common.TextBlock", + "options": { + "text": "Detects when user email linked to account changes." + } + } + ] + } + ] + }, + { + "name": "huntingqueries", + "label": "Hunting Queries", + "bladeTitle": "Hunting Queries", + "elements": [ + { + "name": "huntingqueries-text", + "type": "Microsoft.Common.TextBlock", + "options": { + "text": "This Azure Sentinel Solution installs hunting queries for SlackAudit that you can run in Azure Sentinel. These hunting queries will be deployed in the Hunting gallery of your Azure Sentinel workspace. Run these hunting queries to hunt for threats in the Hunting gallery after this Solution deploys.", + "link": { + "label": "Learn more", + "uri": "https://docs.microsoft.com/azure/sentinel/hunting" + } + } + }, + { + "name": "huntingquery1", + "type": "Microsoft.Common.Section", + "label": "SlackAudit - Applications installed", + "elements": [ + { + "name": "huntingquery1-text", + "type": "Microsoft.Common.TextBlock", + "options": { + "text": "This query searches for application installation events. It depends on the SlackAuditAPI data connector and SlackAudit_CL data type and SlackAuditAPI parser." + } + } + ] + }, + { + "name": "huntingquery2", + "type": "Microsoft.Common.Section", + "label": "SlackAudit - Deactivated users", + "elements": [ + { + "name": "huntingquery2-text", + "type": "Microsoft.Common.TextBlock", + "options": { + "text": "This query searches for deactivated user accounts. It depends on the SlackAuditAPI data connector and SlackAudit_CL data type and SlackAuditAPI parser." + } + } + ] + }, + { + "name": "huntingquery3", + "type": "Microsoft.Common.Section", + "label": "SlackAudit - Downloaded files stats", + "elements": [ + { + "name": "huntingquery3-text", + "type": "Microsoft.Common.TextBlock", + "options": { + "text": "This query shows top users by downloads over time. It depends on the SlackAuditAPI data connector and SlackAudit_CL data type and SlackAuditAPI parser." + } + } + ] + }, + { + "name": "huntingquery4", + "type": "Microsoft.Common.Section", + "label": "SlackAudit - Failed logins with unknown username", + "elements": [ + { + "name": "huntingquery4-text", + "type": "Microsoft.Common.TextBlock", + "options": { + "text": "This query shows failed login attempts where username is unknown. It depends on the SlackAuditAPI data connector and SlackAudit_CL data type and SlackAuditAPI parser." + } + } + ] + }, + { + "name": "huntingquery5", + "type": "Microsoft.Common.Section", + "label": "SlackAudit - New User created", + "elements": [ + { + "name": "huntingquery5-text", + "type": "Microsoft.Common.TextBlock", + "options": { + "text": "This query shows new user created. It depends on the SlackAuditAPI data connector and SlackAudit_CL data type and SlackAuditAPI parser." + } + } + ] + }, + { + "name": "huntingquery6", + "type": "Microsoft.Common.Section", + "label": "SlackAudit - Suspicious files downloaded", + "elements": [ + { + "name": "huntingquery6-text", + "type": "Microsoft.Common.TextBlock", + "options": { + "text": "This query searches for potentialy suspicious files downloads. It depends on the SlackAuditAPI data connector and SlackAudit_CL data type and SlackAuditAPI parser." + } + } + ] + }, + { + "name": "huntingquery7", + "type": "Microsoft.Common.Section", + "label": "SlackAudit - Uploaded files stats", + "elements": [ + { + "name": "huntingquery7-text", + "type": "Microsoft.Common.TextBlock", + "options": { + "text": "This query shows top users by uploads over time. It depends on the SlackAuditAPI data connector and SlackAudit_CL data type and SlackAuditAPI parser." + } + } + ] + }, + { + "name": "huntingquery8", + "type": "Microsoft.Common.Section", + "label": "SlackAudit - User logins by IP", + "elements": [ + { + "name": "huntingquery8-text", + "type": "Microsoft.Common.TextBlock", + "options": { + "text": "This query shows user IP table statistics for login events. It depends on the SlackAuditAPI data connector and SlackAudit_CL data type and SlackAuditAPI parser." + } + } + ] + }, + { + "name": "huntingquery9", + "type": "Microsoft.Common.Section", + "label": "SlackAudit - User Permission Changed", + "elements": [ + { + "name": "huntingquery9-text", + "type": "Microsoft.Common.TextBlock", + "options": { + "text": "Query searches for user permissions changes events. It depends on the SlackAuditAPI data connector and SlackAudit_CL data type and SlackAuditAPI parser." + } + } + ] + }, + { + "name": "huntingquery10", + "type": "Microsoft.Common.Section", + "label": "SlackAudit - Users joined channels without invites", + "elements": [ + { + "name": "huntingquery10-text", + "type": "Microsoft.Common.TextBlock", + "options": { + "text": "Query searches for users which joined channels without invites. It depends on the SlackAuditAPI data connector and SlackAudit_CL data type and SlackAuditAPI parser." + } + } + ] + } + ] + } + ], + "outputs": { + "workspace-location": "[resourceGroup().location]", + "location": "[location()]", + "workspace": "[basics('workspace')]", + "workbook1-name": "[steps('workbooks').workbook1.workbook1-name]" + } + } +} diff --git a/Solutions/SlackAudit/Package/mainTemplate.json b/Solutions/SlackAudit/Package/mainTemplate.json new file mode 100644 index 0000000000..ec2182e284 --- /dev/null +++ b/Solutions/SlackAudit/Package/mainTemplate.json @@ -0,0 +1,1223 @@ +{ + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "metadata": { + "author": "Eli Forbes - v-eliforbes@microsoft.com", + "comments": "Solution template for SlackAudit" + }, + "parameters": { + "location": { + "type": "string", + "minLength": 1, + "defaultValue": "[resourceGroup().location]", + "metadata": { + "description": "Not used, but needed to pass arm-ttk test `Location-Should-Not-Be-Hardcoded`. We instead use the `workspace-location` which is derived from the LA workspace" + } + }, + "workspace-location": { + "type": "string", + "defaultValue": "", + "metadata": { + "description": "[concat('Region to deploy solution resources -- separate from location selection',parameters('location'))]" + } + }, + "workspace": { + "defaultValue": "", + "type": "string", + "metadata": { + "description": "Workspace name for Log Analytics where Sentinel is setup" + } + }, + "formattedTimeNow": { + "type": "string", + "defaultValue": "[utcNow('g')]", + "metadata": { + "description": "Appended to workbook displayNames to make them unique" + } + }, + "workbook1-id": { + "type": "string", + "defaultValue": "[newGuid()]", + "minLength": 1, + "metadata": { + "description": "Unique id for the workbook" + } + }, + "workbook1-name": { + "type": "string", + "defaultValue": "SlackAudit", + "minLength": 1, + "metadata": { + "description": "Name for the workbook" + } + }, + "analytic1-id": { + "type": "string", + "defaultValue": "[newGuid()]", + "minLength": 1, + "metadata": { + "description": "Unique id for the scheduled alert rule" + } + }, + "analytic2-id": { + "type": "string", + "defaultValue": "[newGuid()]", + "minLength": 1, + "metadata": { + "description": "Unique id for the scheduled alert rule" + } + }, + "analytic3-id": { + "type": "string", + "defaultValue": "[newGuid()]", + "minLength": 1, + "metadata": { + "description": "Unique id for the scheduled alert rule" + } + }, + "analytic4-id": { + "type": "string", + "defaultValue": "[newGuid()]", + "minLength": 1, + "metadata": { + "description": "Unique id for the scheduled alert rule" + } + }, + "analytic5-id": { + "type": "string", + "defaultValue": "[newGuid()]", + "minLength": 1, + "metadata": { + "description": "Unique id for the scheduled alert rule" + } + }, + "analytic6-id": { + "type": "string", + "defaultValue": "[newGuid()]", + "minLength": 1, + "metadata": { + "description": "Unique id for the scheduled alert rule" + } + }, + "analytic7-id": { + "type": "string", + "defaultValue": "[newGuid()]", + "minLength": 1, + "metadata": { + "description": "Unique id for the scheduled alert rule" + } + }, + "analytic8-id": { + "type": "string", + "defaultValue": "[newGuid()]", + "minLength": 1, + "metadata": { + "description": "Unique id for the scheduled alert rule" + } + }, + "analytic9-id": { + "type": "string", + "defaultValue": "[newGuid()]", + "minLength": 1, + "metadata": { + "description": "Unique id for the scheduled alert rule" + } + }, + "connector1-name": { + "type": "string", + "defaultValue": "af4c54c8-84e6-45a8-9566-d7171f02193f" + }, + "connector2-name": { + "type": "string", + "defaultValue": "549ac275-2a8d-4685-8d3e-31fabc3c7c43" + } + }, + "variables": { + "SlackAudit_workbook": "SlackAudit_workbook", + "_SlackAudit_workbook": "[variables('SlackAudit_workbook')]", + "workbook-source": "[concat(resourceGroup().id, '/providers/Microsoft.OperationalInsights/workspaces/',parameters('workspace'))]", + "_workbook-source": "[variables('workbook-source')]", + "SlackAuditEmptyUA_AnalyticalRules": "SlackAuditEmptyUA_AnalyticalRules", + "_SlackAuditEmptyUA_AnalyticalRules": "[variables('SlackAuditEmptyUA_AnalyticalRules')]", + "SlackAuditMultipleArchivedFilesUploadedInShortTimePeriod_AnalyticalRules": "SlackAuditMultipleArchivedFilesUploadedInShortTimePeriod_AnalyticalRules", + "_SlackAuditMultipleArchivedFilesUploadedInShortTimePeriod_AnalyticalRules": "[variables('SlackAuditMultipleArchivedFilesUploadedInShortTimePeriod_AnalyticalRules')]", + "SlackAuditMultipleFailedLoginsForUser_AnalyticalRules": "SlackAuditMultipleFailedLoginsForUser_AnalyticalRules", + "_SlackAuditMultipleFailedLoginsForUser_AnalyticalRules": "[variables('SlackAuditMultipleFailedLoginsForUser_AnalyticalRules')]", + "SlackAuditSensitiveFile_AnalyticalRules": "SlackAuditSensitiveFile_AnalyticalRules", + "_SlackAuditSensitiveFile_AnalyticalRules": "[variables('SlackAuditSensitiveFile_AnalyticalRules')]", + "SlackAuditSuspiciousFileDownloaded_AnalyticalRules": "SlackAuditSuspiciousFileDownloaded_AnalyticalRules", + "_SlackAuditSuspiciousFileDownloaded_AnalyticalRules": "[variables('SlackAuditSuspiciousFileDownloaded_AnalyticalRules')]", + "SlackAuditUnknownUA_AnalyticalRules": "SlackAuditUnknownUA_AnalyticalRules", + "_SlackAuditUnknownUA_AnalyticalRules": "[variables('SlackAuditUnknownUA_AnalyticalRules')]", + "SlackAuditUserChangedToAdminOrOwner_AnalyticalRules": "SlackAuditUserChangedToAdminOrOwner_AnalyticalRules", + "_SlackAuditUserChangedToAdminOrOwner_AnalyticalRules": "[variables('SlackAuditUserChangedToAdminOrOwner_AnalyticalRules')]", + "SlackAuditUserEmailChanged_AnalyticalRules": "SlackAuditUserEmailChanged_AnalyticalRules", + "_SlackAuditUserEmailChanged_AnalyticalRules": "[variables('SlackAuditUserEmailChanged_AnalyticalRules')]", + "SlackAuditUserLoginAfterDeactivated_AnalyticalRules": "SlackAuditUserLoginAfterDeactivated_AnalyticalRules", + "_SlackAuditUserLoginAfterDeactivated_AnalyticalRules": "[variables('SlackAuditUserLoginAfterDeactivated_AnalyticalRules')]", + "connector1-source": "[concat('/subscriptions/',subscription().subscriptionId,'/resourceGroups/',resourceGroup().name,'/providers/Microsoft.OperationalInsights/workspaces/',parameters('workspace'),'/providers/Microsoft.SecurityInsights/dataConnectors/',parameters('connector1-name'))]", + "_connector1-source": "[variables('connector1-source')]", + "SlackAuditAPIConnector": "SlackAuditAPIConnector", + "_SlackAuditAPIConnector": "[variables('SlackAuditAPIConnector')]", + "connector2-source": "[concat('/subscriptions/',subscription().subscriptionId,'/resourceGroups/',resourceGroup().name,'/providers/Microsoft.OperationalInsights/workspaces/',parameters('workspace'),'/providers/Microsoft.SecurityInsights/dataConnectors/',parameters('connector2-name'))]", + "_connector2-source": "[variables('connector2-source')]", + "Connector": "SlackAuditNativePollerConnector", + "_Connector": "[variables('Connector')]", + "workspace-dependency": "[concat('Microsoft.OperationalInsights/workspaces/', parameters('workspace'))]", + "SlackAudit_Parser": "SlackAudit_Parser", + "_SlackAudit_Parser": "[variables('SlackAudit_Parser')]", + "SlackAuditApplicationsInstalled_HuntingQueries": "SlackAuditApplicationsInstalled_HuntingQueries", + "_SlackAuditApplicationsInstalled_HuntingQueries": "[variables('SlackAuditApplicationsInstalled_HuntingQueries')]", + "SlackAuditDeactivatedUsers_HuntingQueries": "SlackAuditDeactivatedUsers_HuntingQueries", + "_SlackAuditDeactivatedUsers_HuntingQueries": "[variables('SlackAuditDeactivatedUsers_HuntingQueries')]", + "SlackAuditDownloadedFilesByUser_HuntingQueries": "SlackAuditDownloadedFilesByUser_HuntingQueries", + "_SlackAuditDownloadedFilesByUser_HuntingQueries": "[variables('SlackAuditDownloadedFilesByUser_HuntingQueries')]", + "SlackAuditFailedLoginsUnknownUsername_HuntingQueries": "SlackAuditFailedLoginsUnknownUsername_HuntingQueries", + "_SlackAuditFailedLoginsUnknownUsername_HuntingQueries": "[variables('SlackAuditFailedLoginsUnknownUsername_HuntingQueries')]", + "SlackAuditNewUsers_HuntingQueries": "SlackAuditNewUsers_HuntingQueries", + "_SlackAuditNewUsers_HuntingQueries": "[variables('SlackAuditNewUsers_HuntingQueries')]", + "SlackAuditSuspiciousFilesDownloaded_HuntingQueries": "SlackAuditSuspiciousFilesDownloaded_HuntingQueries", + "_SlackAuditSuspiciousFilesDownloaded_HuntingQueries": "[variables('SlackAuditSuspiciousFilesDownloaded_HuntingQueries')]", + "SlackAuditUploadedFilesByUser_HuntingQueries": "SlackAuditUploadedFilesByUser_HuntingQueries", + "_SlackAuditUploadedFilesByUser_HuntingQueries": "[variables('SlackAuditUploadedFilesByUser_HuntingQueries')]", + "SlackAuditUserLoginsByIP_HuntingQueries": "SlackAuditUserLoginsByIP_HuntingQueries", + "_SlackAuditUserLoginsByIP_HuntingQueries": "[variables('SlackAuditUserLoginsByIP_HuntingQueries')]", + "SlackAuditUserPermissionsChanged_HuntingQueries": "SlackAuditUserPermissionsChanged_HuntingQueries", + "_SlackAuditUserPermissionsChanged_HuntingQueries": "[variables('SlackAuditUserPermissionsChanged_HuntingQueries')]", + "SlackAuditUsersJoinedChannelsWithoutInvites_HuntingQueries": "SlackAuditUsersJoinedChannelsWithoutInvites_HuntingQueries", + "_SlackAuditUsersJoinedChannelsWithoutInvites_HuntingQueries": "[variables('SlackAuditUsersJoinedChannelsWithoutInvites_HuntingQueries')]", + "sourceId": "azuresentinel.azure-sentinel-solution-slackaudit", + "_sourceId": "[variables('sourceId')]" + }, + "resources": [ + { + "type": "Microsoft.Insights/workbooks", + "name": "[parameters('workbook1-id')]", + "location": "[parameters('workspace-location')]", + "kind": "shared", + "apiVersion": "2020-02-12", + "properties": { + "displayName": "[concat(parameters('workbook1-name'), ' - ', parameters('formattedTimeNow'))]", + "serializedData": "{\"version\":\"Notebook/1.0\",\"items\":[{\"type\":1,\"content\":{\"json\":\">**NOTE:** This workbook uses a parser based on a Kusto Function to normalize fields. [Follow these steps](https://aka.ms/sentinel-SlackAuditAPI-parser) to create the Kusto function alias **SlackAudit**.\"},\"name\":\"text - 0\"},{\"type\":11,\"content\":{\"version\":\"LinkItem/1.0\",\"style\":\"tabs\",\"links\":[{\"id\":\"e34269c3-8c77-4e2c-aacb-b86537b2fa1d\",\"cellValue\":\"Tab\",\"linkTarget\":\"parameter\",\"linkLabel\":\"Slack User Activity\",\"subTarget\":\"slack_user_activity\",\"preText\":\"Slack User Activity\",\"style\":\"link\"},{\"id\":\"6d5f697d-6098-4196-bba8-843fefeeb2de\",\"cellValue\":\"Tab\",\"linkTarget\":\"parameter\",\"linkLabel\":\"Slack App Activity\",\"subTarget\":\"slack_app_activity\",\"style\":\"link\"},{\"id\":\"0be65784-c532-422e-9086-58b4de769e34\",\"cellValue\":\"Tab\",\"linkTarget\":\"parameter\",\"linkLabel\":\"Slack File Activity\",\"subTarget\":\"slack_file_activity\",\"style\":\"link\"},{\"id\":\"3ea7ee87-1041-4002-8169-8491ff5d0435\",\"cellValue\":\"Tab\",\"linkTarget\":\"parameter\",\"linkLabel\":\"Slack Channels Activity\",\"subTarget\":\"slack_channels_activity\",\"style\":\"link\"}]},\"name\":\"links - 10\"},{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"parameters\":[{\"id\":\"6b5965ee-e865-485e-b361-22f71c9ae4f1\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"TimeRange\",\"type\":4,\"isRequired\":true,\"value\":{\"durationMs\":2419200000},\"typeSettings\":{\"selectableValues\":[{\"durationMs\":300000},{\"durationMs\":900000},{\"durationMs\":1800000},{\"durationMs\":3600000},{\"durationMs\":14400000},{\"durationMs\":43200000},{\"durationMs\":86400000},{\"durationMs\":172800000},{\"durationMs\":259200000},{\"durationMs\":604800000},{\"durationMs\":1209600000},{\"durationMs\":2419200000},{\"durationMs\":2592000000},{\"durationMs\":5184000000},{\"durationMs\":7776000000}]},\"timeContext\":{\"durationMs\":86400000}}],\"style\":\"pills\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"name\":\"parameters - 2\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"SlackAudit \\n| extend evt_time = unixtime_seconds_todatetime(EventEndTime)\\n| where evt_time {TimeRange}\\n | where Action startswith \\\"user\\\" | summarize count() by Action\",\"size\":3,\"title\":\"Users Action Chart\",\"timeContext\":{\"durationMs\":86400000},\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"piechart\"},\"conditionalVisibility\":{\"parameterName\":\"Tab\",\"comparison\":\"isEqualTo\",\"value\":\"slack_user_activity\"},\"customWidth\":\"33\",\"name\":\"Users Action Chart\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"SlackAudit | extend evt_time = unixtime_seconds_todatetime(EventEndTime)\\n| where evt_time {TimeRange}\\n| where Action == \\\"user_login\\\"\\n|make-series Trend = count(SrcUserEmail) on evt_time from {TimeRange:start} to {TimeRange:end} step {TimeRange:grain} by SrcUserEmail;\",\"size\":0,\"title\":\"Successful Logins over Time\",\"timeContext\":{\"durationMs\":86400000},\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"barchart\",\"tileSettings\":{\"showBorder\":false}},\"conditionalVisibility\":{\"parameterName\":\"Tab\",\"comparison\":\"isEqualTo\",\"value\":\"slack_user_activity\"},\"customWidth\":\"33\",\"name\":\"Successful Logins over Time\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"SlackAudit | extend evt_time = unixtime_seconds_todatetime(EventEndTime)\\n| where evt_time {TimeRange}\\n| where Action == \\\"user_login_failed\\\"\\n|make-series Trend = count(SrcUserEmail) on evt_time from {TimeRange:start} to {TimeRange:end} step {TimeRange:grain} by SrcUserEmail;\",\"size\":3,\"title\":\"Failed Logins over Time\",\"timeContext\":{\"durationMs\":86400000},\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"barchart\",\"tileSettings\":{\"showBorder\":false}},\"conditionalVisibility\":{\"parameterName\":\"Tab\",\"comparison\":\"isEqualTo\",\"value\":\"slack_user_activity\"},\"customWidth\":\"33\",\"name\":\"Failed Logins over Time\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"SlackAudit | extend evt_time = unixtime_seconds_todatetime(EventEndTime)\\n| where evt_time {TimeRange}\\n| where Action == \\\"user_login\\\"\\n| summarize Login = count() by Time=evt_time, Email=ActorUserEmail, Context_Domain_Location=ContextLocationDomain, IP=ContextIpAddress, ContextLocationName = ContextLocationName | sort by Time \",\"size\":3,\"title\":\"Login Activity\",\"timeContext\":{\"durationMs\":86400000},\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"gridSettings\":{\"rowLimit\":20}},\"conditionalVisibility\":{\"parameterName\":\"Tab\",\"comparison\":\"isEqualTo\",\"value\":\"slack_user_activity\"},\"customWidth\":\"50\",\"name\":\"Login Activity\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"SlackAudit | extend evt_time = unixtime_seconds_todatetime(EventEndTime)\\n| where evt_time {TimeRange}\\n| where Action == \\\"user_created\\\"\\n| project Time=evt_time, Email=ActorUserEmail, Context_Domain_Location=ContextLocationDomain, IP=ContextIpAddress, ContextLocationName = ContextLocationName,Created_User=EntityUserEmail, Action, ActionDescription | sort by Time\",\"size\":3,\"title\":\"Users Created\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"gridSettings\":{\"rowLimit\":20}},\"conditionalVisibility\":{\"parameterName\":\"Tab\",\"comparison\":\"isEqualTo\",\"value\":\"slack_user_activity\"},\"customWidth\":\"50\",\"name\":\"Users Created\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let Guest_Created_list = \\nSlackAudit | extend evt_time = unixtime_seconds_todatetime(EventEndTime)\\n| where evt_time {TimeRange}\\n| where Action == \\\"guest_created\\\" | summarize make_list(EntityUserEmail);\\nlet Guest_Actions =\\n SlackAudit | extend evt_time = unixtime_seconds_todatetime(EventEndTime)\\n | where evt_time {TimeRange}\\n | where ActorUserEmail in (Guest_Created_list)\\n | extend UserAct = strcat(ActorUserEmail,\\\" - \\\",Action);\\n Guest_Actions | make-series Trend = count() on evt_time from {TimeRange:start} to {TimeRange:end} step {TimeRange:grain} by UserAct\",\"size\":0,\"title\":\"New Guest Users Activity Timechart\",\"timeContext\":{\"durationMs\":2419200000},\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"barchart\",\"graphSettings\":{\"type\":0},\"mapSettings\":{\"locInfo\":\"LatLong\"}},\"conditionalVisibility\":{\"parameterName\":\"Tab\",\"comparison\":\"isEqualTo\",\"value\":\"slack_user_activity\"},\"customWidth\":\"50\",\"name\":\"New Guest Users Activity Timechart\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"SlackAudit | extend evt_time = unixtime_seconds_todatetime(EventEndTime)\\n| where evt_time {TimeRange}\\n| where Action == \\\"user_deactivated\\\"\\n| project Time=evt_time, Email=ActorUserEmail, Context_Domain_Location=ContextLocationDomain, IP=ContextIpAddress, ContextLocationName = ContextLocationName,Deactivated_User=EntityUserEmail, Action, ActionDescription | sort by Time\",\"size\":0,\"title\":\"Users Deactivated\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"conditionalVisibility\":{\"parameterName\":\"Tab\",\"comparison\":\"isEqualTo\",\"value\":\"slack_user_activity\"},\"customWidth\":\"50\",\"name\":\"Users Deactivated\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let Guest_Created_list = \\nSlackAudit | extend evt_time = unixtime_seconds_todatetime(EventEndTime)\\n| where evt_time {TimeRange}\\n| where Action == \\\"guest_created\\\" | summarize make_list(EntityUserEmail);\\nlet Guest_Actions =\\n SlackAudit | extend evt_time = unixtime_seconds_todatetime(EventEndTime)\\n | where evt_time {TimeRange}\\n| where ActorUserEmail in (Guest_Created_list);\\n Guest_Actions | project Time=evt_time, GuestEmail=ActorUserEmail, Context_Domain_Location=ContextLocationDomain, IP=ContextIpAddress, ContextLocationName = ContextLocationName, Action, ActionDescription | sort by Time\",\"size\":0,\"title\":\"New Guest Users Activity \",\"timeContext\":{\"durationMs\":2419200000},\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"conditionalVisibility\":{\"parameterName\":\"Tab\",\"comparison\":\"isEqualTo\",\"value\":\"slack_user_activity\"},\"customWidth\":\"50\",\"name\":\"New Guest Users Activity \"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\" SlackAudit\\n | extend evt_time = unixtime_seconds_todatetime(EventEndTime)\\n | where evt_time {TimeRange}\\n | where Action == \\\"app_installed\\\" or Action == \\\"app_approved\\\" or Action == \\\"app_restricted\\\"\\n | extend Action = case(Action == \\\"app_installed\\\", \\\"Applications Installed\\\", \\n Action == \\\"app_approved\\\", \\\"Applications Approved\\\", \\n \\\"Applications Restricted\\\")\\n | summarize count() by Action\",\"size\":1,\"title\":\"Application Actions\",\"timeContext\":{\"durationMs\":2419200000},\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"tiles\",\"tileSettings\":{\"showBorder\":false,\"titleContent\":{\"columnMatch\":\"Action\",\"formatter\":1},\"leftContent\":{\"columnMatch\":\"count_\",\"formatter\":12,\"formatOptions\":{\"palette\":\"auto\"},\"numberFormat\":{\"unit\":17,\"options\":{\"maximumSignificantDigits\":3,\"maximumFractionDigits\":2}}}}},\"conditionalVisibility\":{\"parameterName\":\"Tab\",\"comparison\":\"isEqualTo\",\"value\":\"slack_app_activity\"},\"customWidth\":\"100\",\"name\":\"Application Actions\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"SlackAudit\\n | extend evt_time = unixtime_seconds_todatetime(EventEndTime)\\n | where evt_time {TimeRange}\\n | where Action == \\\"app_installed\\\"\\n | project Time=evt_time, ActorUserEmail, Context_Domain_Location=ContextLocationDomain, IP=ContextIpAddress, ContextLocationName = ContextLocationName, Action, ActionDescription, AppScopes =EntityAppScopes, App=EntityAppName \\n | summarize Count=count() by App | sort by Count desc\",\"size\":0,\"title\":\"Apps Installed Chart\",\"timeContext\":{\"durationMs\":2419200000},\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"barchart\"},\"conditionalVisibility\":{\"parameterName\":\"Tab\",\"comparison\":\"isEqualTo\",\"value\":\"slack_app_activity\"},\"customWidth\":\"50\",\"name\":\"Apps Installed Chart\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\" SlackAudit\\n | extend evt_time = unixtime_seconds_todatetime(EventEndTime)\\n | where evt_time {TimeRange}\\n | where Action == \\\"app_installed\\\"\\n | project Time=evt_time, ActorUserEmail, Context_Domain_Location=ContextLocationDomain, IP=ContextIpAddress, ContextLocationName = ContextLocationName, Action, ActionDescription, AppScopes =EntityAppScopes, App=EntityAppName | sort by Time\",\"size\":0,\"title\":\"Apps Installed\",\"timeContext\":{\"durationMs\":2419200000},\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"conditionalVisibility\":{\"parameterName\":\"Tab\",\"comparison\":\"isEqualTo\",\"value\":\"slack_app_activity\"},\"customWidth\":\"50\",\"name\":\"Apps Installed\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\" SlackAudit\\n | extend evt_time = unixtime_seconds_todatetime(EventEndTime)\\n | where evt_time {TimeRange}\\n | where Action == \\\"app_restricted\\\"\\n | project Time=evt_time, ActorUserEmail, Context_Domain_Location=ContextLocationDomain, IP=ContextIpAddress, ContextLocationName = ContextLocationName, Action, ActionDescription, AppScopes =EntityAppScopes, App=EntityAppName | sort by Time\",\"size\":0,\"title\":\"Apps Restricted\",\"timeContext\":{\"durationMs\":2419200000},\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"conditionalVisibility\":{\"parameterName\":\"Tab\",\"comparison\":\"isEqualTo\",\"value\":\"slack_app_activity\"},\"customWidth\":\"50\",\"name\":\"Apps Restricted\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"SlackAudit\\n | extend evt_time = unixtime_seconds_todatetime(EventEndTime)\\n | where evt_time {TimeRange}\\n | where Action == \\\"app_restricted\\\"\\n | project Time=evt_time, ActorUserEmail, Context_Domain_Location=ContextLocationDomain, IP=ContextIpAddress, ContextLocationName = ContextLocationName, Action, ActionDescription, AppScopes =EntityAppScopes, App=EntityAppName \\n | summarize Count=count() by App | sort by Count desc\",\"size\":0,\"title\":\"Apps Restricted Chart\",\"timeContext\":{\"durationMs\":2419200000},\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"barchart\"},\"conditionalVisibility\":{\"parameterName\":\"Tab\",\"comparison\":\"isEqualTo\",\"value\":\"slack_app_activity\"},\"customWidth\":\"50\",\"name\":\"Apps Restricted Chart\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\" SlackAudit\\n | extend evt_time = unixtime_seconds_todatetime(EventEndTime)\\n | where evt_time {TimeRange}\\n | where Action == \\\"app_approved\\\"\\n | project Time=evt_time, ActorUserEmail, Context_Domain_Location=ContextLocationDomain, IP=ContextIpAddress, ContextLocationName = ContextLocationName, Action, ActionDescription, AppScopes =EntityAppScopes, App=EntityAppName | sort by Time\",\"size\":0,\"title\":\"Apps Approved\",\"timeContext\":{\"durationMs\":2419200000},\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"conditionalVisibility\":{\"parameterName\":\"Tab\",\"comparison\":\"isEqualTo\",\"value\":\"slack_app_activity\"},\"customWidth\":\"50\",\"name\":\"Apps Approved\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"SlackAudit\\n | extend evt_time = unixtime_seconds_todatetime(EventEndTime)\\n | where evt_time {TimeRange}\\n | where Action == \\\"app_approved\\\"\\n | project Time=evt_time, ActorUserEmail, Context_Domain_Location=ContextLocationDomain, IP=ContextIpAddress, ContextLocationName = ContextLocationName, Action, ActionDescription, AppScopes =EntityAppScopes, App=EntityAppName \\n | summarize Count=count() by App | sort by Count desc\",\"size\":0,\"title\":\"Apps Approved Chart\",\"timeContext\":{\"durationMs\":2419200000},\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"barchart\"},\"conditionalVisibility\":{\"parameterName\":\"Tab\",\"comparison\":\"isEqualTo\",\"value\":\"slack_app_activity\"},\"customWidth\":\"50\",\"name\":\"Apps Approved Chart\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\" SlackAudit\\n | extend evt_time = unixtime_seconds_todatetime(EventEndTime)\\n | where evt_time {TimeRange}\\n | where Action == \\\"file_downloaded\\\" or Action == \\\"file_uploaded\\\" or Action == \\\"file_shared\\\" or Action == \\\"file_public_link_created\\\" or Action == \\\"file_public_link_revoked\\\" or Action == \\\"file_downloaded_blocked\\\"\\n | extend Action = case(Action == \\\"file_downloaded\\\", \\\"Downloaded\\\", Action == \\\"file_uploaded\\\", \\\"Uploaded\\\", Action == \\\"file_shared\\\",\\\"Shared\\\", Action == \\\"file_public_link_created\\\", \\\"Public Link Created\\\",Action == \\\"file_public_link_revoked\\\", \\\"Public Link Revoked\\\",\\\"Download Blocked\\\" )\\n | summarize count() by Action | sort by count_ desc\",\"size\":1,\"title\":\"File Actions\",\"timeContext\":{\"durationMs\":2419200000},\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"tiles\",\"tileSettings\":{\"showBorder\":false,\"titleContent\":{\"columnMatch\":\"Action\",\"formatter\":1},\"leftContent\":{\"columnMatch\":\"count_\",\"formatter\":12,\"formatOptions\":{\"palette\":\"auto\"},\"numberFormat\":{\"unit\":17,\"options\":{\"maximumSignificantDigits\":3,\"maximumFractionDigits\":2}}}}},\"conditionalVisibility\":{\"parameterName\":\"Tab\",\"comparison\":\"isEqualTo\",\"value\":\"slack_file_activity\"},\"name\":\"File Actions\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\" SlackAudit\\n | extend evt_time = unixtime_seconds_todatetime(EventEndTime)\\n | where evt_time {TimeRange}\\n | where Action == \\\"file_downloaded\\\"\\n | make-series Trend = count() on evt_time from {TimeRange:start} to {TimeRange:end} step {TimeRange:grain} by ActorUserEmail;\",\"size\":0,\"title\":\"File Downloads Activity TImechart\",\"timeContext\":{\"durationMs\":2419200000},\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"barchart\"},\"conditionalVisibility\":{\"parameterName\":\"Tab\",\"comparison\":\"isEqualTo\",\"value\":\"slack_file_activity\"},\"customWidth\":\"50\",\"name\":\"File Downloads Activity TImechart\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\" SlackAudit\\n | extend evt_time = unixtime_seconds_todatetime(EventEndTime)\\n | where evt_time {TimeRange}\\n | where Action == \\\"file_downloaded\\\"\\n | project Time =evt_time, Workspace=ContextLocationName, [\\\"File Title\\\"] = EntityFileTitle, User = ActorUserName, Action, ActionDescription\\n | sort by Time desc | take 100\",\"size\":0,\"title\":\"File Downloads Activity\",\"timeContext\":{\"durationMs\":2419200000},\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"conditionalVisibility\":{\"parameterName\":\"Tab\",\"comparison\":\"isEqualTo\",\"value\":\"slack_file_activity\"},\"customWidth\":\"50\",\"name\":\"File Downloads Activity\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\" SlackAudit\\n | extend evt_time = unixtime_seconds_todatetime(EventEndTime)\\n | where Action == \\\"file_uploaded\\\"\\n | make-series Trend = count() on evt_time from {TimeRange:start} to {TimeRange:end} step {TimeRange:grain} by ActorUserEmail;\",\"size\":0,\"title\":\"File Uploads Activity Timechart\",\"timeContext\":{\"durationMs\":86400000},\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"barchart\"},\"conditionalVisibility\":{\"parameterName\":\"Tab\",\"comparison\":\"isEqualTo\",\"value\":\"slack_file_activity\"},\"customWidth\":\"50\",\"name\":\"File Uploads Activity Timechart\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\" SlackAudit\\n | extend evt_time = unixtime_seconds_todatetime(EventEndTime)\\n | where evt_time {TimeRange}\\n | where Action == \\\"file_uploaded\\\"\\n | project Time =evt_time, Workspace=ContextLocationName, [\\\"File Title\\\"] = EntityFileTitle, User = ActorUserName, Action, ActionDescription\\n | sort by Time desc | take 100\",\"size\":0,\"title\":\"File Uploads Activity\",\"timeContext\":{\"durationMs\":2419200000},\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"conditionalVisibility\":{\"parameterName\":\"Tab\",\"comparison\":\"isEqualTo\",\"value\":\"slack_file_activity\"},\"customWidth\":\"50\",\"name\":\"File Uploads Activity\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\" SlackAudit\\n | extend evt_time = unixtime_seconds_todatetime(EventEndTime)\\n | where evt_time {TimeRange}\\n | where Action == \\\"file_shared\\\"\\n | make-series Trend = count() on evt_time from {TimeRange:start} to {TimeRange:end} step {TimeRange:grain} by ActorUserEmail;\",\"size\":0,\"title\":\"Shared Files Activity Timechart\",\"timeContext\":{\"durationMs\":2419200000},\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"barchart\"},\"conditionalVisibility\":{\"parameterName\":\"Tab\",\"comparison\":\"isEqualTo\",\"value\":\"slack_file_activity\"},\"customWidth\":\"50\",\"name\":\"Shared Files Activity Timechart\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\" SlackAudit\\n | extend evt_time = unixtime_seconds_todatetime(EventEndTime)\\n | where evt_time {TimeRange}\\n | where Action == \\\"file_shared\\\"\\n | project Time =evt_time, Workspace=ContextLocationName, [\\\"File Title\\\"] = EntityFileTitle, User = ActorUserName, Action, ActionDescription\\n | sort by Time desc | take 100\",\"size\":0,\"title\":\"Shared Files Activity\",\"timeContext\":{\"durationMs\":2419200000},\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"conditionalVisibility\":{\"parameterName\":\"Tab\",\"comparison\":\"isEqualTo\",\"value\":\"slack_file_activity\"},\"customWidth\":\"50\",\"name\":\"Shared Files Activity\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\" SlackAudit\\n | extend evt_time = unixtime_seconds_todatetime(EventEndTime)\\n | where evt_time {TimeRange}\\n | where Action == \\\"file_public_link_created\\\"\\n | make-series Trend = count() on evt_time from {TimeRange:start} to {TimeRange:end} step {TimeRange:grain} by ActorUserEmail;\",\"size\":0,\"title\":\"File Public Link Created Activity Timechart\",\"timeContext\":{\"durationMs\":2419200000},\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"barchart\"},\"conditionalVisibility\":{\"parameterName\":\"Tab\",\"comparison\":\"isEqualTo\",\"value\":\"slack_file_activity\"},\"customWidth\":\"50\",\"name\":\"File Public Link Created Activity Timechart\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\" SlackAudit\\n | extend evt_time = unixtime_seconds_todatetime(EventEndTime)\\n | where evt_time {TimeRange}\\n | where Action == \\\"file_public_link_created\\\"\\n | project Time =evt_time, Workspace=ContextLocationName, [\\\"File Title\\\"] = EntityFileTitle, User = ActorUserName, Action, ActionDescription\\n | sort by Time desc | take 100\",\"size\":0,\"title\":\"File Public Link Created Activity\",\"timeContext\":{\"durationMs\":2419200000},\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"conditionalVisibility\":{\"parameterName\":\"Tab\",\"comparison\":\"isEqualTo\",\"value\":\"slack_file_activity\"},\"customWidth\":\"50\",\"name\":\"File Public Link Created Activity\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\" SlackAudit\\n | extend evt_time = unixtime_seconds_todatetime(EventEndTime)\\n | where evt_time {TimeRange}\\n | where Action == \\\"file_public_link_revoked\\\"\\n | make-series Trend = count() on evt_time from {TimeRange:start} to {TimeRange:end} step {TimeRange:grain} by ActorUserEmail;\",\"size\":0,\"title\":\"File Public Link Revoked Activity Timechart\",\"timeContext\":{\"durationMs\":2419200000},\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"barchart\"},\"conditionalVisibility\":{\"parameterName\":\"Tab\",\"comparison\":\"isEqualTo\",\"value\":\"slack_file_activity\"},\"customWidth\":\"50\",\"name\":\"File Public Link Revoked Activity Timechart\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\" SlackAudit\\n | extend evt_time = unixtime_seconds_todatetime(EventEndTime)\\n | where evt_time {TimeRange}\\n | where Action == \\\"file_public_link_revoked\\\"\\n | project Time =evt_time, Workspace=ContextLocationName, [\\\"File Title\\\"] = EntityFileTitle, User = ActorUserName, Action, ActionDescription\\n | sort by Time desc | take 100\",\"size\":0,\"title\":\"File Public Link Revoked Activity\",\"timeContext\":{\"durationMs\":2419200000},\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"conditionalVisibility\":{\"parameterName\":\"Tab\",\"comparison\":\"isEqualTo\",\"value\":\"slack_file_activity\"},\"customWidth\":\"50\",\"name\":\"File Public Link Revoked Activity\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"\\nSlackAudit | extend evt_time = unixtime_seconds_todatetime(EventEndTime)\\n| where Action contains \\\"_channel_\\\"\\n| summarize count() by ActionDescription | sort by count_ desc\",\"size\":1,\"title\":\"Channels Activity\",\"timeContext\":{\"durationMs\":172800000},\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"tiles\",\"tileSettings\":{\"titleContent\":{\"columnMatch\":\"ActionDescription\",\"formatter\":1},\"leftContent\":{\"columnMatch\":\"count_\",\"formatter\":12,\"formatOptions\":{\"palette\":\"auto\"},\"numberFormat\":{\"unit\":17,\"options\":{\"style\":\"decimal\",\"useGrouping\":false,\"maximumFractionDigits\":2,\"maximumSignificantDigits\":3}}},\"showBorder\":false}},\"conditionalVisibility\":{\"parameterName\":\"Tab\",\"comparison\":\"isEqualTo\",\"value\":\"slack_channels_activity\"},\"name\":\"Channels Activity\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"SlackAudit | extend evt_time = unixtime_seconds_todatetime(EventEndTime)\\n| where evt_time {TimeRange}\\n| where Action contains \\\"private_channel\\\"\\n| summarize count() by ActionDescription\",\"size\":0,\"title\":\"Private Channels Activity\",\"timeContext\":{\"durationMs\":2419200000},\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"barchart\"},\"conditionalVisibility\":{\"parameterName\":\"Tab\",\"comparison\":\"isEqualTo\",\"value\":\"slack_channels_activity\"},\"customWidth\":\"50\",\"name\":\"Private Channels Activity\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"SlackAudit | extend evt_time = unixtime_seconds_todatetime(EventEndTime)\\n| where evt_time {TimeRange}\\n| where Action contains \\\"private_channel\\\"\\n| project Time=evt_time, ActorUser=ActorUserEmail, Action, ActionDescription, [\\\"Channel Name\\\"]= EntityChannelName, ContextLocationDomain, Ip=ContextIpAddress, EntityChannelIsShared,EntityChannelIsOrgShared\\n| sort by Time\",\"size\":0,\"timeContext\":{\"durationMs\":2419200000},\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"conditionalVisibility\":{\"parameterName\":\"Tab\",\"comparison\":\"isEqualTo\",\"value\":\"slack_channels_activity\"},\"customWidth\":\"50\",\"name\":\"PrivateChannelActivity\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"SlackAudit | extend evt_time = unixtime_seconds_todatetime(EventEndTime)\\n| where evt_time {TimeRange}\\n| where Action contains \\\"public_channel\\\"\\n| summarize count() by ActionDescription\",\"size\":0,\"title\":\"Public Channels Activity\",\"timeContext\":{\"durationMs\":2419200000},\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"barchart\"},\"conditionalVisibility\":{\"parameterName\":\"Tab\",\"comparison\":\"isEqualTo\",\"value\":\"slack_channels_activity\"},\"customWidth\":\"50\",\"name\":\"Public Channels Activity\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"SlackAudit | extend evt_time = unixtime_seconds_todatetime(EventEndTime)\\n| where evt_time {TimeRange}\\n| where Action contains \\\"public_channel\\\"\\n| project Time=evt_time, ActorUser=ActorUserEmail, Action, ActionDescription, [\\\"Channel Name\\\"]= EntityChannelName, ContextLocationDomain, Ip=ContextIpAddress, EntityChannelIsShared,EntityChannelIsOrgShared\\n| sort by Time\",\"size\":0,\"timeContext\":{\"durationMs\":2419200000},\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"conditionalVisibility\":{\"parameterName\":\"Tab\",\"comparison\":\"isEqualTo\",\"value\":\"slack_channels_activity\"},\"customWidth\":\"50\",\"name\":\"PublicChannelActivity\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"SlackAudit | extend evt_time = unixtime_seconds_todatetime(EventEndTime)\\n| where evt_time {TimeRange}\\n| where Action contains \\\"guest_channel\\\"\\n| summarize count() by ActionDescription\",\"size\":0,\"title\":\"Guest Channels Activity\",\"timeContext\":{\"durationMs\":2419200000},\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"barchart\"},\"conditionalVisibility\":{\"parameterName\":\"Tab\",\"comparison\":\"isEqualTo\",\"value\":\"slack_channels_activity\"},\"customWidth\":\"50\",\"name\":\"Guest Channels Activity\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"SlackAudit | extend evt_time = unixtime_seconds_todatetime(EventEndTime)\\n| where evt_time {TimeRange}\\n| where Action contains \\\"guest_channel\\\"\\n| project Time=evt_time, ActorUser=ActorUserEmail, Action, ActionDescription, [\\\"Channel Name\\\"]= EntityChannelName, ContextLocationDomain, Ip=ContextIpAddress, EntityChannelIsShared,EntityChannelIsOrgShared\\n| sort by Time\",\"size\":0,\"timeContext\":{\"durationMs\":2419200000},\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"conditionalVisibility\":{\"parameterName\":\"Tab\",\"comparison\":\"isEqualTo\",\"value\":\"slack_channels_activity\"},\"customWidth\":\"50\",\"name\":\"GuestChannelActivity\"}],\"fromTemplateId\":\"sentinel-SlackAudit\",\"$schema\":\"https://github.com/Microsoft/Application-Insights-Workbooks/blob/master/schema/workbook.json\"}\r\n", + "version": "1.0", + "sourceId": "[variables('_workbook-source')]", + "category": "sentinel" + } + }, + { + "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',parameters('analytic1-id'))]", + "apiVersion": "2021-03-01-preview", + "kind": "Scheduled", + "location": "[parameters('workspace-location')]", + "properties": { + "description": "This query shows connections to the Slack Workspace with empty User Agent.", + "displayName": "SlackAudit - Empty User Agent", + "enabled": false, + "query": "SlackAudit\n| where isempty(UserAgentOriginal)\n| extend AccountCustomEntity = SrcUserName\n", + "queryFrequency": "P1D", + "queryPeriod": "P1D", + "severity": "Low", + "suppressionDuration": "PT1H", + "suppressionEnabled": false, + "triggerOperator": "GreaterThan", + "triggerThreshold": 0, + "tactics": [ + "InitialAccess" + ], + "entityMappings": [ + { + "fieldMappings": [ + { + "columnName": "AccountCustomEntity", + "identifier": "FullName" + } + ], + "entityType": "Account" + } + ] + } + }, + { + "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',parameters('analytic2-id'))]", + "apiVersion": "2021-03-01-preview", + "kind": "Scheduled", + "location": "[parameters('workspace-location')]", + "properties": { + "description": "This query helps to detect when a user uploads multiple archived files in short period of time.", + "displayName": "SlackAudit - Multiple archived files uploaded in short period of time", + "enabled": false, + "query": "let threshold = 10;\nSlackAudit\n| where DvcAction =~ 'file_uploaded'\n| extend FE = extract(@'.*\\.(.*)$', 1, EntityFileName)\n| where FE in~ ('tar', 'bz2', 'gz', 'tgz', 'Z', 'tbz2', 'zst', 'zip', 'zipx', '7z', 'rar', 'sfx')\n| summarize count() by SrcUserName, bucket = bin(TimeGenerated, 15m)\n| where count_ > threshold\n| extend AccountCustomEntity = SrcUserName\n", + "queryFrequency": "P1D", + "queryPeriod": "P1D", + "severity": "Low", + "suppressionDuration": "PT1H", + "suppressionEnabled": false, + "triggerOperator": "GreaterThan", + "triggerThreshold": 0, + "tactics": [ + "Exfiltration" + ], + "entityMappings": [ + { + "fieldMappings": [ + { + "columnName": "AccountCustomEntity", + "identifier": "FullName" + } + ], + "entityType": "Account" + } + ] + } + }, + { + "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',parameters('analytic3-id'))]", + "apiVersion": "2021-03-01-preview", + "kind": "Scheduled", + "location": "[parameters('workspace-location')]", + "properties": { + "description": "This query helps to detect bruteforce of a user account.", + "displayName": "SlackAudit - Multiple failed logins for user", + "enabled": false, + "query": "let threshold = 10;\nSlackAudit\n| where DvcAction =~ 'user_login_failed'\n| summarize count() by SrcUserName, bucket = bin(TimeGenerated, 5m)\n| where count_ > threshold\n| extend AccountCustomEntity = SrcUserName\n", + "queryFrequency": "PT1H", + "queryPeriod": "PT1H", + "severity": "Medium", + "suppressionDuration": "PT1H", + "suppressionEnabled": false, + "triggerOperator": "GreaterThan", + "triggerThreshold": 0, + "tactics": [ + "CredentialAccess" + ], + "entityMappings": [ + { + "fieldMappings": [ + { + "columnName": "AccountCustomEntity", + "identifier": "FullName" + } + ], + "entityType": "Account" + } + ] + } + }, + { + "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',parameters('analytic4-id'))]", + "apiVersion": "2021-03-01-preview", + "kind": "Scheduled", + "location": "[parameters('workspace-location')]", + "properties": { + "description": "Detects public links for files which potentialy may contain sensitive data such as passwords, authentication tokens, secret keys.", + "displayName": "SlackAudit - Public link created for file which can contain sensitive information.", + "enabled": false, + "query": "SlackAudit\n| where Action =~ 'file_public_link_created'\n| where EntityFileName == 'id_rsa' or EntityFileName contains 'password' or EntityFileName contains 'key' or EntityFileName contains '_key' or EntityFileName contains '.ssh' or EntityFileName endswith '.npmrc' or EntityFileName endswith '.muttrc' or EntityFileName contains 'config.json' or EntityFileName contains '.gitconfig' or EntityFileName endswith '.netrc' or EntityFileName endswith 'package.json' or EntityFileName endswith 'Gemfile' or EntityFileName endswith 'bower.json' or EntityFileName endswith 'config.gypi' or EntityFileName endswith 'travis.yml'\n| extend AccountCustomEntity = SrcUserName\n| extend IPCustomEntity = SrcIpAddr\n", + "queryFrequency": "PT1H", + "queryPeriod": "PT1H", + "severity": "Medium", + "suppressionDuration": "PT1H", + "suppressionEnabled": false, + "triggerOperator": "GreaterThan", + "triggerThreshold": 0, + "tactics": [ + "Exfiltration" + ], + "entityMappings": [ + { + "fieldMappings": [ + { + "columnName": "AccountCustomEntity", + "identifier": "FullName" + } + ], + "entityType": "Account" + }, + { + "fieldMappings": [ + { + "columnName": "IPCustomEntity", + "identifier": "Address" + } + ], + "entityType": "IP" + } + ] + } + }, + { + "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',parameters('analytic5-id'))]", + "apiVersion": "2021-03-01-preview", + "kind": "Scheduled", + "location": "[parameters('workspace-location')]", + "properties": { + "description": "Detects potentialy suspicious downloads.", + "displayName": "SlackAudit - Suspicious file downloaded.", + "enabled": false, + "query": "SlackAudit\n| where DvcAction =~ 'file_downloaded'\n| extend fe = split(EntityFileName, '.')\n| where array_length(fe) > 2\n| where fe[1] matches regex @\"\\D+\"\n| where strlen(fe[1]) < 5\n| project EntityFileName, SrcUserName\n| extend AccountCustomEntity = SrcUserName\n| extend FileCustomEntity = EntityFileName\n", + "queryFrequency": "PT1H", + "queryPeriod": "PT1H", + "severity": "Medium", + "suppressionDuration": "PT1H", + "suppressionEnabled": false, + "triggerOperator": "GreaterThan", + "triggerThreshold": 0, + "tactics": [ + "InitialAccess" + ], + "entityMappings": [ + { + "fieldMappings": [ + { + "columnName": "AccountCustomEntity", + "identifier": "FullName" + } + ], + "entityType": "Account" + }, + { + "fieldMappings": [ + { + "columnName": "FileCustomEntity", + "identifier": "Name" + } + ], + "entityType": "File" + } + ] + } + }, + { + "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',parameters('analytic6-id'))]", + "apiVersion": "2021-03-01-preview", + "kind": "Scheduled", + "location": "[parameters('workspace-location')]", + "properties": { + "description": "This query helps to detect who trying to connect to the Slack Workspace with unknown User Agent.", + "displayName": "SlackAudit - Unknown User Agent", + "enabled": false, + "query": "let lbperiod = 14d;\nlet known_UAs = SlackAudit\n| where TimeGenerated > ago(lbperiod)\n| where isnotempty(UserAgentOriginal)\n| summarize makeset(UserAgentOriginal);\nSlackAudit\n| where UserAgentOriginal !in (known_UAs)\n| extend AccountCustomEntity = SrcUserName\n", + "queryFrequency": "PT24H", + "queryPeriod": "P14D", + "severity": "Low", + "suppressionDuration": "PT1H", + "suppressionEnabled": false, + "triggerOperator": "GreaterThan", + "triggerThreshold": 0, + "tactics": [ + "Persistence" + ], + "entityMappings": [ + { + "fieldMappings": [ + { + "columnName": "AccountCustomEntity", + "identifier": "FullName" + } + ], + "entityType": "Account" + } + ] + } + }, + { + "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',parameters('analytic7-id'))]", + "apiVersion": "2021-03-01-preview", + "kind": "Scheduled", + "location": "[parameters('workspace-location')]", + "properties": { + "description": "This query helps to detect a change in the users role to admin or owner.", + "displayName": "SlackAudit - User role changed to admin or owner", + "enabled": false, + "query": "SlackAudit\n| where DvcAction in~ ('role_change_to_admin', 'role_change_to_owner')\n| extend AccountCustomEntity = SrcUserName\n", + "queryFrequency": "PT1H", + "queryPeriod": "PT1H", + "severity": "Low", + "suppressionDuration": "PT1H", + "suppressionEnabled": false, + "triggerOperator": "GreaterThan", + "triggerThreshold": 0, + "tactics": [ + "Persistence", + "PrivilegeEscalation" + ], + "entityMappings": [ + { + "fieldMappings": [ + { + "columnName": "AccountCustomEntity", + "identifier": "FullName" + } + ], + "entityType": "Account" + } + ] + } + }, + { + "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',parameters('analytic8-id'))]", + "apiVersion": "2021-03-01-preview", + "kind": "Scheduled", + "location": "[parameters('workspace-location')]", + "properties": { + "description": "Detects when user email linked to account changes.", + "displayName": "SlackAudit - User email linked to account changed.", + "enabled": false, + "query": "SlackAudit\n| where TimeGenerated between (ago(14d) .. (1d))\n| summarize max(TimeGenerated) by SrcUserName, SrcUserEmail\n| join (SlackAudit \n | where Action =~ 'user_login'\n | project SrcIpAddr, SrcUserName, NewUserEmail = SrcUserEmail) on SrcUserName\n| where NewUserEmail != SrcUserEmail\n| extend AccountCustomEntity = SrcUserName\n| extend IPCustomEntity = SrcIpAddr\n", + "queryFrequency": "PT1H", + "queryPeriod": "P14D", + "severity": "Medium", + "suppressionDuration": "PT1H", + "suppressionEnabled": false, + "triggerOperator": "GreaterThan", + "triggerThreshold": 0, + "tactics": [ + "InitialAccess" + ], + "entityMappings": [ + { + "fieldMappings": [ + { + "columnName": "AccountCustomEntity", + "identifier": "FullName" + } + ], + "entityType": "Account" + }, + { + "fieldMappings": [ + { + "columnName": "IPCustomEntity", + "identifier": "Address" + } + ], + "entityType": "IP" + } + ] + } + }, + { + "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',parameters('analytic9-id'))]", + "apiVersion": "2021-03-01-preview", + "kind": "Scheduled", + "location": "[parameters('workspace-location')]", + "properties": { + "description": "Detects when user email linked to account changes.", + "displayName": "SlackAudit - User login after deactivated.", + "enabled": false, + "query": "let lbperiod_max_d = 14d;\nlet lbperiod_min_d = 1d;\nlet lb_time_max_h = 24h;\nSlackAudit\n| where TimeGenerated between (ago(lbperiod_max_d) .. (lbperiod_min_d))\n| where Action =~ 'user_deactivated'\n| summarize deactivation_time = max(TimeGenerated) by EntityUserEmail, EntityUserId\n| project deactivation_time, EntityUserEmail, EntityUserId\n| join (SlackAudit\n | where TimeGenerated > ago(lb_time_max_h)\n | where Action =~ 'user_login'\n | summarize new_login_time = max(TimeGenerated) by SrcUserEmail, SrcUserIdentity\n | project new_login_time, SrcUserEmail, EntityUserId = SrcUserIdentity) on EntityUserId\n| where EntityUserEmail == SrcUserEmail\n| where deactivation_time < new_login_time\n| extend AccountCustomEntity = SrcUserEmail\n", + "queryFrequency": "PT1H", + "queryPeriod": "P14D", + "severity": "Medium", + "suppressionDuration": "PT1H", + "suppressionEnabled": false, + "triggerOperator": "GreaterThan", + "triggerThreshold": 0, + "tactics": [ + "InitialAccess", + "Persistence", + "PrivilegeEscalation" + ], + "entityMappings": [ + { + "fieldMappings": [ + { + "columnName": "AccountCustomEntity", + "identifier": "FullName" + } + ], + "entityType": "Account" + } + ] + } + }, + { + "id": "[variables('_connector1-source')]", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',parameters('connector1-name'))]", + "apiVersion": "2021-03-01-preview", + "type": "Microsoft.OperationalInsights/workspaces/providers/dataConnectors", + "location": "[parameters('workspace-location')]", + "kind": "GenericUI", + "properties": { + "connectorUiConfig": { + "title": "Slack Audit", + "publisher": "Slack", + "descriptionMarkdown": "The [Slack](https://slack.com) Audit data connector provides the capability to ingest [Slack Audit Records](https://api.slack.com/admins/audit-logs) events into Azure Sentinel through the REST API. Refer to [API documentation](https://api.slack.com/admins/audit-logs#the_audit_event) for more information. The connector provides ability to get events which helps to examine potential security risks, analyze your team's use of collaboration, diagnose configuration problems and more.", + "graphQueries": [ + { + "metricName": "Total data received", + "legend": "SlackAudit_CL", + "baseQuery": "SlackAudit_CL" + } + ], + "sampleQueries": [ + { + "description": "Slack Audit Events - All Activities.", + "query": "SlackAudit\n | sort by TimeGenerated desc" + } + ], + "dataTypes": [ + { + "name": "SlackAudit_CL", + "lastDataReceivedQuery": "SlackAudit_CL\n | summarize Time = max(TimeGenerated)\n | where isnotempty(Time)" + } + ], + "connectivityCriterias": [ + { + "type": "IsConnectedQuery", + "value": [ + "SlackAudit_CL\n | summarize LastLogReceived = max(TimeGenerated)\n | project IsConnected = LastLogReceived > ago(30d)" + ] + } + ], + "availability": { + "status": 1, + "isPreview": true + }, + "permissions": { + "resourceProvider": [ + { + "provider": "Microsoft.OperationalInsights/workspaces", + "permissionsDisplayText": "read and write permissions on the workspace are required.", + "providerDisplayName": "Workspace", + "scope": "Workspace", + "requiredPermissions": { + "write": true, + "read": true, + "delete": true + } + }, + { + "provider": "Microsoft.OperationalInsights/workspaces/sharedKeys", + "permissionsDisplayText": "read permissions to shared keys for the workspace are required. [See the documentation to learn more about workspace keys](https://docs.microsoft.com/azure/azure-monitor/platform/agent-windows#obtain-workspace-id-and-key).", + "providerDisplayName": "Keys", + "scope": "Workspace", + "requiredPermissions": { + "action": true + } + } + ], + "customs": [ + { + "name": "Microsoft.Web/sites permissions", + "description": "Read and write permissions to Azure Functions to create a Function App is required. [See the documentation to learn more about Azure Functions](https://docs.microsoft.com/azure/azure-functions/)." + }, + { + "name": "REST API Credentials/permissions", + "description": "**SlackAPIBearerToken** is required for REST API. [See the documentation to learn more about API](https://api.slack.com/web#authentication). Check all [requirements and follow the instructions](https://api.slack.com/web#authentication) for obtaining credentials." + } + ] + }, + "instructionSteps": [ + { + "description": ">**NOTE:** This connector uses Azure Functions to connect to the Slack REST API to pull its logs into Azure Sentinel. This might result in additional data ingestion costs. Check the [Azure Functions pricing page](https://azure.microsoft.com/pricing/details/functions/) for details." + }, + { + "description": ">**(Optional Step)** Securely store workspace and API authorization key(s) or token(s) in Azure Key Vault. Azure Key Vault provides a secure mechanism to store and retrieve key values. [Follow these instructions](https://docs.microsoft.com/azure/app-service/app-service-key-vault-references) to use Azure Key Vault with an Azure Function App." + }, + { + "description": ">**NOTE:** This data connector depends on a parser based on a Kusto Function to work as expected. [Follow these steps](https://aka.ms/sentinel-SlackAuditAPI-parser) to create the Kusto functions alias, **SlackAudit**" + }, + { + "description": "**STEP 1 - Configuration steps for the Slack API**\n\n [Follow the instructions](https://api.slack.com/web#authentication) to obtain the credentials. \n" + }, + { + "description": "**STEP 2 - Choose ONE from the following two deployment options to deploy the connector and the associated Azure Function**\n\n>**IMPORTANT:** Before deploying the Slack Audit data connector, have the Workspace ID and Workspace Primary Key (can be copied from the following).", + "instructions": [ + { + "parameters": { + "fillWith": [ + "WorkspaceId" + ], + "label": "Workspace ID" + }, + "type": "CopyableLabel" + }, + { + "parameters": { + "fillWith": [ + "PrimaryKey" + ], + "label": "Primary Key" + }, + "type": "CopyableLabel" + } + ] + }, + { + "description": "Use this method for automated deployment of the Slack Audit data connector using an ARM Tempate.\n\n1. Click the **Deploy to Azure** button below. \n\n\t[![Deploy To Azure](https://aka.ms/deploytoazurebutton)](https://aka.ms/sentinel-SlackAuditAPI-azuredeploy)\n2. Select the preferred **Subscription**, **Resource Group** and **Location**. \n> **NOTE:** Within the same resource group, you can't mix Windows and Linux apps in the same region. Select existing resource group without Windows apps in it or create new resource group.\n3. Enter the **SlackAPIBearerToken** and deploy. \n4. Mark the checkbox labeled **I agree to the terms and conditions stated above**. \n5. Click **Purchase** to deploy.", + "title": "Option 1 - Azure Resource Manager (ARM) Template" + }, + { + "description": "Use the following step-by-step instructions to deploy the Slack Audit data connector manually with Azure Functions (Deployment via Visual Studio Code).", + "title": "Option 2 - Manual Deployment of Azure Functions" + }, + { + "description": "**1. Deploy a Function App**\n\n> **NOTE:** You will need to [prepare VS code](https://docs.microsoft.com/azure/azure-functions/functions-create-first-function-python#prerequisites) for Azure function development.\n\n1. Download the [Azure Function App](https://aka.ms/sentinel-SlackAuditAPI-functionapp) file. Extract archive to your local development computer.\n2. Start VS Code. Choose File in the main menu and select Open Folder.\n3. Select the top level folder from extracted files.\n4. Choose the Azure icon in the Activity bar, then in the **Azure: Functions** area, choose the **Deploy to function app** button.\nIf you aren't already signed in, choose the Azure icon in the Activity bar, then in the **Azure: Functions** area, choose **Sign in to Azure**\nIf you're already signed in, go to the next step.\n5. Provide the following information at the prompts:\n\n\ta. **Select folder:** Choose a folder from your workspace or browse to one that contains your function app.\n\n\tb. **Select Subscription:** Choose the subscription to use.\n\n\tc. Select **Create new Function App in Azure** (Don't choose the Advanced option)\n\n\td. **Enter a globally unique name for the function app:** Type a name that is valid in a URL path. The name you type is validated to make sure that it's unique in Azure Functions. (e.g. SlackAuditXXXXX).\n\n\te. **Select a runtime:** Choose Python 3.8.\n\n\tf. Select a location for new resources. For better performance and lower costs choose the same [region](https://azure.microsoft.com/regions/) where Azure Sentinel is located.\n\n6. Deployment will begin. A notification is displayed after your function app is created and the deployment package is applied.\n7. Go to Azure Portal for the Function App configuration." + }, + { + "description": "**2. Configure the Function App**\n\n1. In the Function App, select the Function App Name and select **Configuration**.\n2. In the **Application settings** tab, select ** New application setting**.\n3. Add each of the following application settings individually, with their respective string values (case-sensitive): \n\t\tSlackAPIBearerToken\n\t\tWorkspaceID\n\t\tWorkspaceKey\n\t\tlogAnalyticsUri (optional)\n> - Use logAnalyticsUri to override the log analytics API endpoint for dedicated cloud. For example, for public cloud, leave the value empty; for Azure GovUS cloud environment, specify the value in the following format: `https://.ods.opinsights.azure.us`.\n3. Once all application settings have been entered, click **Save**." + } + ], + "additionalRequirementBanner": "These queries and workbooks are dependent on a parser based on Kusto to work as expected. ​Follow the steps to use this Kusto functions alias **SlackAudit** in queries and workbooks [Follow steps to get this Kusto functions>](https://aka.ms/sentinel-SlackAuditAPI-parser)." + } + } + }, + { + "id": "[variables('_connector2-source')]", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',parameters('connector2-name'))]", + "apiVersion": "2021-03-01-preview", + "type": "Microsoft.OperationalInsights/workspaces/providers/dataConnectors", + "location": "[parameters('workspace-location')]", + "kind": "APIPolling", + "properties": { + "connectorUiConfig": { + "title": "Slack", + "publisher": "Slack", + "descriptionMarkdown": "The [Slack](https://slack.com) data connector provides the capability to ingest [Slack Audit Records](https://api.slack.com/admins/audit-logs) events into Microsoft Sentinel through the REST API. Refer to [API documentation](https://api.slack.com/admins/audit-logs#the_audit_event) for more information. The connector provides ability to get events which helps to examine potential security risks, analyze your team's use of collaboration, diagnose configuration problems and more. This data connector uses Microsoft Sentinel native polling capability.", + "graphQueriesTableName": "SlackAuditNativePoller_CL", + "graphQueries": [ + { + "metricName": "Total data received", + "legend": "Slack audit events", + "baseQuery": "{{graphQueriesTableName}}" + } + ], + "sampleQueries": [ + { + "description": "All Slack audit events", + "query": "{{graphQueriesTableName}}\n| sort by TimeGenerated desc" + } + ], + "dataTypes": [ + { + "name": "{{graphQueriesTableName}}", + "lastDataReceivedQuery": "{{graphQueriesTableName}}\n | summarize Time = max(TimeGenerated)\n | where isnotempty(Time)" + } + ], + "connectivityCriteria": [ + { + "type": "SentinelKindsV2", + "value": [] + } + ], + "availability": { + "status": 1, + "isPreview": true + }, + "permissions": { + "resourceProvider": [ + { + "provider": "Microsoft.OperationalInsights/workspaces", + "permissionsDisplayText": "read and write permissions are required.", + "providerDisplayName": "Workspace", + "scope": "Workspace", + "requiredPermissions": { + "write": true, + "read": true, + "delete": true + } + }, + { + "provider": "Microsoft.OperationalInsights/workspaces/sharedKeys", + "permissionsDisplayText": "read permissions to shared keys for the workspace are required. [See the documentation to learn more about workspace keys](https://docs.microsoft.com/azure/azure-monitor/platform/agent-windows#obtain-workspace-id-and-key)", + "providerDisplayName": "Keys", + "scope": "Workspace", + "requiredPermissions": { + "action": true + } + } + ], + "customs": [ + { + "name": "Slack API credentials", + "description": "**SlackAPIBearerToken** is required for REST API. [See the documentation to learn more about API](https://api.slack.com/web#authentication). Check all [requirements and follow the instructions](https://api.slack.com/web#authentication) for obtaining credentials." + } + ] + }, + "instructionSteps": [ + { + "title": "Connect Slack to Microsoft Sentinel", + "description": "Enable Slack audit Logs.", + "instructions": [ + { + "parameters": { + "enable": "true" + }, + "type": "APIKey" + } + ] + } + ] + }, + "pollingConfig": { + "auth": { + "authType": "APIKey", + "APIKeyName": "Authorization", + "APIKeyIdentifier": "Bearer" + }, + "request": { + "apiEndpoint": "https://api.slack.com/audit/v1/logs", + "httpMethod": "Get", + "queryTimeFormat": "UnixTimestamp", + "startTimeAttributeName": "oldest", + "endTimeAttributeName": "latest", + "queryWindowInMin": 5, + "queryParameters": { + "limit": 1000 + } + }, + "paging": { + "pagingType": "PageToken", + "nextPageParaName": "cursor", + "nextPageTokenJsonPath": "..response_metadata.next_cursor" + }, + "response": { + "eventsJsonPaths": [ + "$..entries" + ] + } + } + } + }, + { + "type": "Microsoft.OperationalInsights/workspaces", + "apiVersion": "2020-08-01", + "name": "[parameters('workspace')]", + "location": "[parameters('workspace-location')]", + "resources": [ + { + "type": "savedSearches", + "apiVersion": "2020-08-01", + "name": "SlackAudit Data Parser", + "dependsOn": [ + "[variables('workspace-dependency')]" + ], + "properties": { + "eTag": "*", + "displayName": "SlackAudit Data Parser", + "category": "Samples", + "functionAlias": "SlackAudit", + "query": "\nlet SlackAudit_view = view () { \n union isfuzzy=true SlackAudit_CL, SlackAuditNativePoller_CL\n | extend \n EventVendor=\"Slack\",\n EventProduct=\"Slack Audit Logs\",\n\t\tDetailsMobileOnly=column_ifexists('details_mobile_only_b', ''),\n\t\tDetailsWebOnly=column_ifexists('details_web_only_b', ''),\n\t\tDetailsKickerId=column_ifexists('details_kicker_id_s', ''),\n\t\tDetailsKickerName=column_ifexists('details_kicker_name_s', ''),\n\t\tDetailsKickerEmail=column_ifexists('details_kicker_email_s', ''),\n\t\tDetailsKickerTeam=column_ifexists('details_kicker_team_s', ''),\n\t\tDetailsAppOwnerId=column_ifexists('details_app_owner_id_s', ''),\n\t\tDetailsGranularBotToken=column_ifexists('details_granular_bot_token_b', ''),\n\t\tDetailsNewScopes=column_ifexists('details_new_scopes_s', ''),\n\t\tDetailsPreviousScopes=column_ifexists('details_previous_scopes_s', ''),\n\t\tEntityUsergroupId=column_ifexists('entity_usergroup_id_s', ''),\n\t\tEntityUsergroupName=column_ifexists('entity_usergroup_name_s', ''),\n\t\tDetailsKickerType=column_ifexists('details_kicker_type_s', ''),\n\t\tDetailsKickerUserId=column_ifexists('details_kicker_user_id_s', ''),\n\t\tDetailsKickerUserName=column_ifexists('details_kicker_user_name_s', ''),\n\t\tDetailsKickerUserEmail=column_ifexists('details_kicker_user_email_s', ''),\n\t\tDetailsKickerUserTeam=column_ifexists('details_kicker_user_team_s', ''),\n\t\tDetailsInviterId=column_ifexists('details_inviter_id_s', ''),\n\t\tDetailsInviterName=column_ifexists('details_inviter_name_s', ''),\n\t\tDetailsInviterEmail=column_ifexists('details_inviter_email_s', ''),\n\t\tDetailsInviterTeam=column_ifexists('details_inviter_team_s', ''),\n\t\tDetailsInviterType=column_ifexists('details_inviter_type_s', ''),\n\t\tDetailsInviterUserId=column_ifexists('details_inviter_user_id_s', ''),\n\t\tDetailsInviterUserName=column_ifexists('details_inviter_user_name_s', ''),\n\t\tDetailsInviterUserEmail=column_ifexists('details_inviter_user_email_s', ''),\n\t\tDetailsInviterUserTeam=column_ifexists('details_inviter_user_team_s', ''),\n\t\tDetailsIsWorkflow=column_ifexists('details_is_workflow_b', ''),\n\t\tEntityAppId=column_ifexists('entity_app_id_s', ''),\n\t\tEntityAppName=column_ifexists('entity_app_name_s', ''),\n\t\tEntityAppIsDistributed=column_ifexists('entity_app_is_distributed_b', ''),\n\t\tEntityAppIsDirectoryApproved=column_ifexists('entity_app_is_directory_approved_b', ''),\n\t\tEntityAppIsWorkflowApp=column_ifexists('entity_app_is_workflow_app_b', ''),\n\t\tEntityAppScopes=column_ifexists('entity_app_scopes_s', ''),\n\t\tDetailsIsInternalIntegration=column_ifexists('details_is_internal_integration_b', ''),\n\t\tDetailsBotScopes=column_ifexists('details_bot_scopes_s', ''),\n\t\tEntityChannelId=column_ifexists('entity_channel_id_s', ''),\n\t\tEntityChannelPrivacy=column_ifexists('entity_channel_privacy_s', ''),\n\t\tEntityChannelName=column_ifexists('entity_channel_name_s', ''),\n\t\tEntityChannelIsShared=column_ifexists('entity_channel_is_shared_b', ''),\n\t\tEntityChannelIsOrgShared=column_ifexists('entity_channel_is_org_shared_b', ''),\n\t\tDetailsType=column_ifexists('details_type_s', ''),\n\t\tEntityUserId=column_ifexists('entity_user_id_s', ''),\n\t\tEntityUserName=column_ifexists('entity_user_name_s', ''),\n\t\tEntityUserEmail=column_ifexists('entity_user_email_s', ''),\n\t\tEntityUserTeam=column_ifexists('entity_user_team_s', ''),\n\t\tId=column_ifexists('id_g', ''),\n\t\tDateCreate=column_ifexists('date_create_d', ''),\n\t\tAction=column_ifexists('action_s', ''),\n\t\tActorType=column_ifexists('actor_type_s', ''),\n\t\tActorUserId=column_ifexists('actor_user_id_s', ''),\n\t\tActorUserName=column_ifexists('actor_user_name_s', ''),\n\t\tActorUserEmail=column_ifexists('actor_user_email_s', ''),\n\t\tActorUserTeam=column_ifexists('actor_user_team_s', ''),\n\t\tEntityType=column_ifexists('entity_type_s', ''),\n\t\tEntityFileId=column_ifexists('entity_file_id_s', ''),\n\t\tEntityFileName=column_ifexists('entity_file_name_s', ''),\n\t\tEntityFileFiletype=column_ifexists('entity_file_filetype_s', ''),\n\t\tEntityFileTitle=column_ifexists('entity_file_title_s', ''),\n\t\tContextLocationType=column_ifexists('context_location_type_s', ''),\n\t\tContextLocationId=column_ifexists('context_location_id_s', ''),\n\t\tContextLocationName=column_ifexists('context_location_name_s', ''),\n\t\tContextLocationDomain=column_ifexists('context_location_domain_s', ''),\n\t\tContextUA=column_ifexists('context_ua_s', ''),\n\t\tContextIpAddress=column_ifexists('context_ip_address_s', ''),\n\t\tContextSessionId=column_ifexists('context_session_id_d', ''),\n\t\tActionDescription=column_ifexists('action_description_s', ''),\n EventId=column_ifexists('id_g', ''),\n EventEndTime=column_ifexists('date_create_d', ''),\n DvcAction=column_ifexists('action_s', ''),\n SrcUserIdentity=column_ifexists('actor_user_id_s', ''),\n SrcUserName=column_ifexists('actor_user_name_s', ''),\n SrcUserEmail=column_ifexists('actor_user_email_s', ''),\n UserAgentOriginal=column_ifexists('context_ua_s', ''),\n SrcIpAddr=column_ifexists('context_ip_address_s', ''),\n DvcActionDesc=column_ifexists('action_description_s', '')\n | project\n TimeGenerated, \n EventVendor,\n EventProduct,\n DetailsMobileOnly,\n\t\tDetailsWebOnly,\n\t\tDetailsKickerId,\n\t\tDetailsKickerName,\n\t\tDetailsKickerEmail,\n\t\tDetailsKickerTeam,\n\t\tDetailsAppOwnerId,\n\t\tDetailsGranularBotToken,\n\t\tDetailsNewScopes,\n\t\tDetailsPreviousScopes,\n\t\tEntityUsergroupId,\n\t\tEntityUsergroupName,\n\t\tDetailsKickerType,\n\t\tDetailsKickerUserId,\n\t\tDetailsKickerUserName,\n\t\tDetailsKickerUserEmail,\n\t\tDetailsKickerUserTeam,\n\t\tDetailsInviterId,\n\t\tDetailsInviterName,\n\t\tDetailsInviterEmail,\n\t\tDetailsInviterTeam,\n\t\tDetailsInviterType,\n\t\tDetailsInviterUserId,\n\t\tDetailsInviterUserName,\n\t\tDetailsInviterUserEmail,\n\t\tDetailsInviterUserTeam,\n\t\tDetailsIsWorkflow,\n\t\tEntityAppId,\n\t\tEntityAppName,\n\t\tEntityAppIsDistributed,\n\t\tEntityAppIsDirectoryApproved,\n\t\tEntityAppIsWorkflowApp,\n\t\tEntityAppScopes,\n\t\tDetailsIsInternalIntegration,\n\t\tDetailsBotScopes,\n\t\tEntityChannelId,\n\t\tEntityChannelPrivacy,\n\t\tEntityChannelName,\n\t\tEntityChannelIsShared,\n\t\tEntityChannelIsOrgShared,\n\t\tDetailsType,\n\t\tEntityUserId,\n\t\tEntityUserName,\n\t\tEntityUserEmail,\n\t\tEntityUserTeam,\n\t\tId,\n\t\tDateCreate,\n\t\tAction,\n\t\tActorType,\n\t\tActorUserId,\n\t\tActorUserName,\n\t\tActorUserEmail,\n\t\tActorUserTeam,\n\t\tEntityType,\n\t\tEntityFileId,\n\t\tEntityFileName,\n\t\tEntityFileFiletype,\n\t\tEntityFileTitle,\n\t\tContextLocationType,\n\t\tContextLocationId,\n\t\tContextLocationName,\n\t\tContextLocationDomain,\n\t\tContextUA,\n\t\tContextIpAddress,\n\t\tContextSessionId,\n\t\tActionDescription,\n EventId,\n EventEndTime,\n DvcAction,\n SrcUserIdentity,\n SrcUserName,\n SrcUserEmail,\n UserAgentOriginal,\n SrcIpAddr,\n DvcActionDesc\n};\nSlackAudit_view", + "version": 1 + } + }, + { + "type": "savedSearches", + "apiVersion": "2020-08-01", + "name": "SlackAudit Hunting Query 1", + "dependsOn": [ + "[variables('workspace-dependency')]" + ], + "properties": { + "eTag": "*", + "displayName": "SlackAudit - Applications installed", + "category": "Hunting Queries", + "query": "SlackAudit\n| where TimeGenerated > ago(24h)\n| where DvcAction =~ 'app_installed'\n| summarize by SrcUserName, EntityAppName\n| extend AccountCustomEntity = SrcUserName\n", + "version": 1, + "tags": [ + { + "name": "description", + "value": "This query searches for application installation events." + }, + { + "name": "tactics", + "value": "InitialAccess" + } + ] + } + }, + { + "type": "savedSearches", + "apiVersion": "2020-08-01", + "name": "SlackAudit Hunting Query 2", + "dependsOn": [ + "[variables('workspace-dependency')]" + ], + "properties": { + "eTag": "*", + "displayName": "SlackAudit - Deactivated users", + "category": "Hunting Queries", + "query": "SlackAudit\n| where TimeGenerated > ago(24h)\n| where DvcAction =~ 'user_deactivated'\n| summarize by SrcUserName\n| extend AccountCustomEntity = SrcUserName\n", + "version": 1, + "tags": [ + { + "name": "description", + "value": "This query searches for deactivated user accounts." + }, + { + "name": "tactics", + "value": "Impact" + } + ] + } + }, + { + "type": "savedSearches", + "apiVersion": "2020-08-01", + "name": "SlackAudit Hunting Query 3", + "dependsOn": [ + "[variables('workspace-dependency')]" + ], + "properties": { + "eTag": "*", + "displayName": "SlackAudit - Downloaded files stats", + "category": "Hunting Queries", + "query": "SlackAudit\n| where TimeGenerated > ago(24h)\n| where Action =~ 'file_downloaded'\n| summarize filelist = makeset(EntityFileName) by SrcUserName\n| project filelist, fcount = array_length(filelist), SrcUserName\n| top 10 by fcount\n| extend AccountCustomEntity = SrcUserName\n", + "version": 1, + "tags": [ + { + "name": "description", + "value": "This query shows top users by downloads over time." + }, + { + "name": "tactics", + "value": "InitialAccess" + } + ] + } + }, + { + "type": "savedSearches", + "apiVersion": "2020-08-01", + "name": "SlackAudit Hunting Query 4", + "dependsOn": [ + "[variables('workspace-dependency')]" + ], + "properties": { + "eTag": "*", + "displayName": "SlackAudit - Failed logins with unknown username", + "category": "Hunting Queries", + "query": "let lbtime = 24h;\nlet lbperiod = 30d;\nlet known_users = SlackAudit\n| where TimeGenerated > ago(lbperiod)\n| where DvcAction =~ 'user_login'\n| where isnotempty(SrcUserName)\n| summarize makeset(SrcUserName);\nSlackAudit\n| where TimeGenerated > ago(lbtime)\n| where DvcAction =~ 'user_login_failed'\n| where isnotempty(SrcUserName)\n| where SrcUserName !in (known_users)\n| project SrcUserName, SrcIpAddr\n| extend AccountCustomEntity = SrcUserName\n| extend IPCustomEntity = SrcIpAddr\n", + "version": 1, + "tags": [ + { + "name": "description", + "value": "This query shows failed login attempts where username is unknown." + }, + { + "name": "tactics", + "value": "CredentialAccess" + } + ] + } + }, + { + "type": "savedSearches", + "apiVersion": "2020-08-01", + "name": "SlackAudit Hunting Query 5", + "dependsOn": [ + "[variables('workspace-dependency')]" + ], + "properties": { + "eTag": "*", + "displayName": "SlackAudit - New User created", + "category": "Hunting Queries", + "query": "SlackAudit\n| where TimeGenerated > ago(24h)\n| where DvcAction =~ 'user_created'\n| extend AccountCustomEntity = SrcUserName\n| extend IPCustomEntity = SrcIpAddr\n", + "version": 1, + "tags": [ + { + "name": "description", + "value": "This query shows new user created." + }, + { + "name": "tactics", + "value": "Persistence" + } + ] + } + }, + { + "type": "savedSearches", + "apiVersion": "2020-08-01", + "name": "SlackAudit Hunting Query 6", + "dependsOn": [ + "[variables('workspace-dependency')]" + ], + "properties": { + "eTag": "*", + "displayName": "SlackAudit - Suspicious files downloaded", + "category": "Hunting Queries", + "query": "SlackAudit\n| where TimeGenerated > ago(lbtime)\n| where DvcAction =~ 'file_downloaded'\n| extend fe = split(EntityFileName, '.')\n| where array_length(fe) > 2\n| where fe[1] matches regex @\"\\D+\"\n| where strlen(fe[1]) < 5\n| project EntityFileName, SrcUserName\n| extend AccountCustomEntity = SrcUserName\n| extend FileCustomEntity = EntityFileName\n", + "version": 1, + "tags": [ + { + "name": "description", + "value": "This query searches for potentialy suspicious files downloads." + }, + { + "name": "tactics", + "value": "InitialAccess" + } + ] + } + }, + { + "type": "savedSearches", + "apiVersion": "2020-08-01", + "name": "SlackAudit Hunting Query 7", + "dependsOn": [ + "[variables('workspace-dependency')]" + ], + "properties": { + "eTag": "*", + "displayName": "SlackAudit - Uploaded files stats", + "category": "Hunting Queries", + "query": "SlackAudit\n| where TimeGenerated > ago(24h)\n| where Action =~ 'file_uploaded'\n| summarize filelist = makeset(EntityFileName) by SrcUserName\n| project filelist, fcount = array_length(filelist), SrcUserName\n| top 10 by fcount\n| extend AccountCustomEntity = SrcUserName\n", + "version": 1, + "tags": [ + { + "name": "description", + "value": "This query shows top users by uploads over time." + }, + { + "name": "tactics", + "value": "Exfiltration" + } + ] + } + }, + { + "type": "savedSearches", + "apiVersion": "2020-08-01", + "name": "SlackAudit Hunting Query 8", + "dependsOn": [ + "[variables('workspace-dependency')]" + ], + "properties": { + "eTag": "*", + "displayName": "SlackAudit - User logins by IP", + "category": "Hunting Queries", + "query": "SlackAudit\n| where TimeGenerated > ago(24h)\n| where DvcAction =~ 'user_login'\n| summarize makeset(SrcIpAddr) by SrcUserName\n| extend AccountCustomEntity = SrcUserName\n", + "version": 1, + "tags": [ + { + "name": "description", + "value": "This query shows user IP table statistics for login events." + }, + { + "name": "tactics", + "value": "InitialAccess,Persistence" + } + ] + } + }, + { + "type": "savedSearches", + "apiVersion": "2020-08-01", + "name": "SlackAudit Hunting Query 9", + "dependsOn": [ + "[variables('workspace-dependency')]" + ], + "properties": { + "eTag": "*", + "displayName": "SlackAudit - User Permission Changed", + "category": "Hunting Queries", + "query": "SlackAudit\n| where TimeGenerated > ago(24h)\n| where DvcAction in~ ('user_added_to_usergroup', 'user_removed_from_usergroup')\n| extend AccountCustomEntity = SrcUserName\n", + "version": 1, + "tags": [ + { + "name": "description", + "value": "Query searches for user permissions changes events." + }, + { + "name": "tactics", + "value": "PrivilegeEscalation" + } + ] + } + }, + { + "type": "savedSearches", + "apiVersion": "2020-08-01", + "name": "SlackAudit Hunting Query 10", + "dependsOn": [ + "[variables('workspace-dependency')]" + ], + "properties": { + "eTag": "*", + "displayName": "SlackAudit - Users joined channels without invites", + "category": "Hunting Queries", + "query": "SlackAudit\n| where TimeGenerated > ago(24h)\n| where DvcAction =~ 'user_channel_join'\n| where DetailsType =~ 'JOINED'\n| extend AccountCustomEntity = SrcUserName\n", + "version": 1, + "tags": [ + { + "name": "description", + "value": "Query searches for users which joined channels without invites." + }, + { + "name": "tactics", + "value": "InitialAccess,Persistence" + } + ] + } + } + ] + }, + { + "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", + "apiVersion": "2021-03-01-preview", + "properties": { + "version": "1.0.5", + "kind": "Solution", + "contentId": "[variables('_sourceId')]", + "parentId": "[variables('_sourceId')]", + "source": { + "kind": "Solution", + "name": "SlackAudit", + "sourceId": "[variables('_sourceId')]" + }, + "author": { + "name": "Nikhil Tripathi", + "email": "v-ntripathi@microsoft.com" + }, + "support": { + "name": "Microsoft Corporation", + "email": "support@microsoft.com", + "tier": "Microsoft", + "link": "https://support.microsoft.com" + }, + "dependencies": { + "operator": "AND", + "criteria": [ + { + "kind": "Workbook", + "contentId": "[variables('_SlackAudit_workbook')]", + "version": "1.0.5" + }, + { + "kind": "AnalyticsRule", + "contentId": "[variables('_SlackAuditEmptyUA_AnalyticalRules')]", + "version": "1.0.5" + }, + { + "kind": "AnalyticsRule", + "contentId": "[variables('_SlackAuditMultipleArchivedFilesUploadedInShortTimePeriod_AnalyticalRules')]", + "version": "1.0.5" + }, + { + "kind": "AnalyticsRule", + "contentId": "[variables('_SlackAuditMultipleFailedLoginsForUser_AnalyticalRules')]", + "version": "1.0.5" + }, + { + "kind": "AnalyticsRule", + "contentId": "[variables('_SlackAuditSensitiveFile_AnalyticalRules')]", + "version": "1.0.5" + }, + { + "kind": "AnalyticsRule", + "contentId": "[variables('_SlackAuditSuspiciousFileDownloaded_AnalyticalRules')]", + "version": "1.0.5" + }, + { + "kind": "AnalyticsRule", + "contentId": "[variables('_SlackAuditUnknownUA_AnalyticalRules')]", + "version": "1.0.5" + }, + { + "kind": "AnalyticsRule", + "contentId": "[variables('_SlackAuditUserChangedToAdminOrOwner_AnalyticalRules')]", + "version": "1.0.5" + }, + { + "kind": "AnalyticsRule", + "contentId": "[variables('_SlackAuditUserEmailChanged_AnalyticalRules')]", + "version": "1.0.5" + }, + { + "kind": "AnalyticsRule", + "contentId": "[variables('_SlackAuditUserLoginAfterDeactivated_AnalyticalRules')]", + "version": "1.0.5" + }, + { + "kind": "DataConnector", + "contentId": "[variables('_SlackAuditAPIConnector')]", + "version": "1.0.5" + }, + { + "kind": "DataConnector", + "contentId": "[variables('_Connector')]", + "version": "1.0.5" + }, + { + "kind": "Parser", + "contentId": "[variables('_SlackAudit_Parser')]", + "version": "1.0.5" + }, + { + "kind": "HuntingQuery", + "contentId": "[variables('_SlackAuditApplicationsInstalled_HuntingQueries')]", + "version": "1.0.5" + }, + { + "kind": "HuntingQuery", + "contentId": "[variables('_SlackAuditDeactivatedUsers_HuntingQueries')]", + "version": "1.0.5" + }, + { + "kind": "HuntingQuery", + "contentId": "[variables('_SlackAuditDownloadedFilesByUser_HuntingQueries')]", + "version": "1.0.5" + }, + { + "kind": "HuntingQuery", + "contentId": "[variables('_SlackAuditFailedLoginsUnknownUsername_HuntingQueries')]", + "version": "1.0.5" + }, + { + "kind": "HuntingQuery", + "contentId": "[variables('_SlackAuditNewUsers_HuntingQueries')]", + "version": "1.0.5" + }, + { + "kind": "HuntingQuery", + "contentId": "[variables('_SlackAuditSuspiciousFilesDownloaded_HuntingQueries')]", + "version": "1.0.5" + }, + { + "kind": "HuntingQuery", + "contentId": "[variables('_SlackAuditUploadedFilesByUser_HuntingQueries')]", + "version": "1.0.5" + }, + { + "kind": "HuntingQuery", + "contentId": "[variables('_SlackAuditUserLoginsByIP_HuntingQueries')]", + "version": "1.0.5" + }, + { + "kind": "HuntingQuery", + "contentId": "[variables('_SlackAuditUserPermissionsChanged_HuntingQueries')]", + "version": "1.0.5" + }, + { + "kind": "HuntingQuery", + "contentId": "[variables('_SlackAuditUsersJoinedChannelsWithoutInvites_HuntingQueries')]", + "version": "1.0.5" + } + ] + }, + "firstPublishDate": "2021-03-24", + "providers": [ + "Slack" + ], + "categories": { + "domains": [ + "Application" + ] + } + }, + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/', variables('_sourceId'))]" + } + ], + "outputs": {} +} diff --git a/Solutions/SlackAudit/SolutionMetadata.json b/Solutions/SlackAudit/SolutionMetadata.json new file mode 100644 index 0000000000..32021f0acd --- /dev/null +++ b/Solutions/SlackAudit/SolutionMetadata.json @@ -0,0 +1,15 @@ +{ + "publisherId": "azuresentinel", + "offerId": "azure-sentinel-solution-slackaudit", + "firstPublishDate": "2021-03-24", + "providers": ["Slack"], + "categories": { + "domains" : ["Application"] + }, + "support": { + "name": "Microsoft Corporation", + "email": "support@microsoft.com", + "tier": "Microsoft", + "link": "https://support.microsoft.com" + } +} \ No newline at end of file diff --git a/Solutions/SlackAudit/data/Solution_SlackAudit.json b/Solutions/SlackAudit/data/Solution_SlackAudit.json new file mode 100644 index 0000000000..2e21c24c54 --- /dev/null +++ b/Solutions/SlackAudit/data/Solution_SlackAudit.json @@ -0,0 +1,43 @@ +{ + "Name": "SlackAudit", + "Author": "Nikhil Tripathi - v-ntripathi@microsoft.com", + "Logo": "", + "WorkbookDescription": "", + "Description": "[Slack](https://slack.com) Audit data connector provides the capability to ingest [Slack Audit Records](https://api.slack.com/admins/audit-logs) events into Azure Sentinel through the REST API. Refer to [API documentation](https://api.slack.com/admins/audit-logs#the_audit_event) for more information. The connector provides ability to get events which helps to examine potential security risks, analyze your team's use of collaboration, diagnose configuration problems and more.", + "Workbooks": [ + "Workbooks/SlackAudit.json" + ], + "Analytic Rules": [ + "Analytic Rules/SlackAuditEmptyUA.yaml", + "Analytic Rules/SlackAuditMultipleArchivedFilesUploadedInShortTimePeriod.yaml", + "Analytic Rules/SlackAuditMultipleFailedLoginsForUser.yaml", + "Analytic Rules/SlackAuditSensitiveFile.yaml", + "Analytic Rules/SlackAuditSuspiciousFileDownloaded.yaml", + "Analytic Rules/SlackAuditUnknownUA.yaml", + "Analytic Rules/SlackAuditUserChangedToAdminOrOwner.yaml", + "Analytic Rules/SlackAuditUserEmailChanged.yaml", + "Analytic Rules/SlackAuditUserLoginAfterDeactivated.yaml" + ], + "Data Connectors": [ + "Data Connectors/SlackAudit_API_FunctionApp.json", + "Data Connectors/SlackNativePollerConnector/azuredeploy_Slack_native_poller_connector.json" + ], + "Parsers": [ + "Parsers/SlackAudit.txt" + ], + "Hunting Queries": [ + "Hunting Queries/SlackAuditApplicationsInstalled.yaml", + "Hunting Queries/SlackAuditDeactivatedUsers.yaml", + "Hunting Queries/SlackAuditDownloadedFilesByUser.yaml", + "Hunting Queries/SlackAuditFailedLoginsUnknownUsername.yaml", + "Hunting Queries/SlackAuditNewUsers.yaml", + "Hunting Queries/SlackAuditSuspiciousFilesDownloaded.yaml", + "Hunting Queries/SlackAuditUploadedFilesByUser.yaml", + "Hunting Queries/SlackAuditUserLoginsByIP.yaml", + "Hunting Queries/SlackAuditUserPermissionsChanged.yaml", + "Hunting Queries/SlackAuditUsersJoinedChannelsWithoutInvites.yaml" + ], + "Metadata": "SolutionMetadata.json", + "BasePath": "C:\\GitHub\\azure\\Solutions\\SlackAudit", + "Version": "1.0.4" + } \ No newline at end of file diff --git a/Solutions/TenableAD/Workbooks/Images/Logo/tenablead_logo.svg b/Solutions/TenableAD/Workbooks/Images/Logo/tenablead_logo.svg new file mode 100644 index 0000000000..8798da7c7e --- /dev/null +++ b/Solutions/TenableAD/Workbooks/Images/Logo/tenablead_logo.svg @@ -0,0 +1,4 @@ + + + + \ No newline at end of file diff --git a/Solutions/TenableAD/Workbooks/Images/Preview/TenableAdIoABlack1.png b/Solutions/TenableAD/Workbooks/Images/Preview/TenableAdIoABlack1.png new file mode 100644 index 0000000000..2554d58c74 Binary files /dev/null and b/Solutions/TenableAD/Workbooks/Images/Preview/TenableAdIoABlack1.png differ diff --git a/Solutions/TenableAD/Workbooks/Images/Preview/TenableAdIoABlack2.png b/Solutions/TenableAD/Workbooks/Images/Preview/TenableAdIoABlack2.png new file mode 100644 index 0000000000..45b6ff7fd5 Binary files /dev/null and b/Solutions/TenableAD/Workbooks/Images/Preview/TenableAdIoABlack2.png differ diff --git a/Solutions/TenableAD/Workbooks/Images/Preview/TenableAdIoABlack3.png b/Solutions/TenableAD/Workbooks/Images/Preview/TenableAdIoABlack3.png new file mode 100644 index 0000000000..589f4d04f4 Binary files /dev/null and b/Solutions/TenableAD/Workbooks/Images/Preview/TenableAdIoABlack3.png differ diff --git a/Solutions/TenableAD/Workbooks/Images/Preview/TenableAdIoAWhite1.png b/Solutions/TenableAD/Workbooks/Images/Preview/TenableAdIoAWhite1.png new file mode 100644 index 0000000000..d61e0ec900 Binary files /dev/null and b/Solutions/TenableAD/Workbooks/Images/Preview/TenableAdIoAWhite1.png differ diff --git a/Solutions/TenableAD/Workbooks/Images/Preview/TenableAdIoAWhite2.png b/Solutions/TenableAD/Workbooks/Images/Preview/TenableAdIoAWhite2.png new file mode 100644 index 0000000000..306f58f7e8 Binary files /dev/null and b/Solutions/TenableAD/Workbooks/Images/Preview/TenableAdIoAWhite2.png differ diff --git a/Solutions/TenableAD/Workbooks/Images/Preview/TenableAdIoAWhite3.png b/Solutions/TenableAD/Workbooks/Images/Preview/TenableAdIoAWhite3.png new file mode 100644 index 0000000000..a96c24279c Binary files /dev/null and b/Solutions/TenableAD/Workbooks/Images/Preview/TenableAdIoAWhite3.png differ diff --git a/Solutions/TenableAD/Workbooks/Images/Preview/TenableAdIoEBlack1.png b/Solutions/TenableAD/Workbooks/Images/Preview/TenableAdIoEBlack1.png new file mode 100644 index 0000000000..82cecb5d13 Binary files /dev/null and b/Solutions/TenableAD/Workbooks/Images/Preview/TenableAdIoEBlack1.png differ diff --git a/Solutions/TenableAD/Workbooks/Images/Preview/TenableAdIoEBlack2.png b/Solutions/TenableAD/Workbooks/Images/Preview/TenableAdIoEBlack2.png new file mode 100644 index 0000000000..b1ad29e331 Binary files /dev/null and b/Solutions/TenableAD/Workbooks/Images/Preview/TenableAdIoEBlack2.png differ diff --git a/Solutions/TenableAD/Workbooks/Images/Preview/TenableAdIoEBlack3.png b/Solutions/TenableAD/Workbooks/Images/Preview/TenableAdIoEBlack3.png new file mode 100644 index 0000000000..3c8c7f99a0 Binary files /dev/null and b/Solutions/TenableAD/Workbooks/Images/Preview/TenableAdIoEBlack3.png differ diff --git a/Solutions/TenableAD/Workbooks/Images/Preview/TenableAdIoEWhite1.png b/Solutions/TenableAD/Workbooks/Images/Preview/TenableAdIoEWhite1.png new file mode 100644 index 0000000000..c9eae8fe53 Binary files /dev/null and b/Solutions/TenableAD/Workbooks/Images/Preview/TenableAdIoEWhite1.png differ diff --git a/Solutions/TenableAD/Workbooks/Images/Preview/TenableAdIoEWhite2.png b/Solutions/TenableAD/Workbooks/Images/Preview/TenableAdIoEWhite2.png new file mode 100644 index 0000000000..73fe165fac Binary files /dev/null and b/Solutions/TenableAD/Workbooks/Images/Preview/TenableAdIoEWhite2.png differ diff --git a/Solutions/TenableAD/Workbooks/Images/Preview/TenableAdIoEWhite3.png b/Solutions/TenableAD/Workbooks/Images/Preview/TenableAdIoEWhite3.png new file mode 100644 index 0000000000..9462a05826 Binary files /dev/null and b/Solutions/TenableAD/Workbooks/Images/Preview/TenableAdIoEWhite3.png differ diff --git a/Solutions/TenableAD/Workbooks/TenableAdIoA.json b/Solutions/TenableAD/Workbooks/TenableAdIoA.json new file mode 100644 index 0000000000..0f1129d698 --- /dev/null +++ b/Solutions/TenableAD/Workbooks/TenableAdIoA.json @@ -0,0 +1,386 @@ +{ + "version": "Notebook/1.0", + "items": [ + { + "type": 9, + "content": { + "version": "KqlParameterItem/1.0", + "parameters": [ + { + "id": "67b966ba-ba6a-4d80-9faf-d306a174e09d", + "version": "KqlParameterItem/1.0", + "name": "TimeRange", + "label": "Time Range", + "type": 4, + "description": "Specify the time range on which to query the data", + "isRequired": true, + "value": { + "durationMs": 7776000000 + }, + "typeSettings": { + "selectableValues": [ + { + "durationMs": 300000 + }, + { + "durationMs": 900000 + }, + { + "durationMs": 1800000 + }, + { + "durationMs": 3600000 + }, + { + "durationMs": 14400000 + }, + { + "durationMs": 43200000 + }, + { + "durationMs": 86400000 + }, + { + "durationMs": 172800000 + }, + { + "durationMs": 259200000 + }, + { + "durationMs": 604800000 + }, + { + "durationMs": 1209600000 + }, + { + "durationMs": 2419200000 + }, + { + "durationMs": 2592000000 + }, + { + "durationMs": 5184000000 + }, + { + "durationMs": 7776000000 + } + ], + "allowCustom": false + }, + "timeContext": { + "durationMs": 86400000 + } + }, + { + "id": "9c164d2b-e79c-4b71-a050-6d5648d5ebd9", + "version": "KqlParameterItem/1.0", + "name": "SamplingPeriod", + "label": "Sampling Period", + "type": 4, + "description": "Specify the sampling period for the time charts", + "isRequired": true, + "value": { + "durationMs": 86400000 + }, + "typeSettings": { + "selectableValues": [ + { + "durationMs": 300000 + }, + { + "durationMs": 900000 + }, + { + "durationMs": 1800000 + }, + { + "durationMs": 3600000 + }, + { + "durationMs": 14400000 + }, + { + "durationMs": 43200000 + }, + { + "durationMs": 86400000 + }, + { + "durationMs": 172800000 + }, + { + "durationMs": 259200000 + }, + { + "durationMs": 604800000 + }, + { + "durationMs": 1209600000 + }, + { + "durationMs": 2419200000 + }, + { + "durationMs": 2592000000 + }, + { + "durationMs": 5184000000 + }, + { + "durationMs": 7776000000 + } + ] + } + } + ], + "style": "pills", + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces" + }, + "name": "parameters - 3" + }, + { + "type": 12, + "content": { + "version": "NotebookGroup/1.0", + "groupType": "editable", + "items": [ + { + "type": 3, + "content": { + "version": "KqlItem/1.0", + "query": "afad_parser()\r\n| where MessageType == 2\r\n| summarize AlertCount = count() by Explanation, Codename", + "size": 3, + "title": "Detected IoAs list with codenames explanations", + "noDataMessage": "No alerts", + "noDataMessageStyle": 3, + "timeContext": { + "durationMs": 7776000000 + }, + "timeContextFromParameter": "TimeRange", + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces", + "visualization": "tiles", + "tileSettings": { + "titleContent": { + "columnMatch": "Codename", + "formatter": 1 + }, + "leftContent": { + "columnMatch": "AlertCount", + "formatter": 12, + "formatOptions": { + "palette": "auto" + }, + "numberFormat": { + "unit": 17, + "options": { + "style": "decimal", + "maximumFractionDigits": 2, + "maximumSignificantDigits": 3 + } + } + }, + "rightContent": { + "columnMatch": "Explanation" + }, + "showBorder": false, + "size": "full" + }, + "graphSettings": { + "type": 0, + "topContent": { + "columnMatch": "Explanation", + "formatter": 1 + }, + "centerContent": { + "columnMatch": "AlertCount", + "formatter": 1, + "numberFormat": { + "unit": 17, + "options": { + "maximumSignificantDigits": 3, + "maximumFractionDigits": 2 + } + } + } + } + }, + "customWidth": "100", + "name": "query - 4" + } + ] + }, + "name": "group - 4", + "styleSettings": { + "showBorder": true + } + }, + { + "type": 12, + "content": { + "version": "NotebookGroup/1.0", + "groupType": "editable", + "items": [ + { + "type": 3, + "content": { + "version": "KqlItem/1.0", + "query": "afad_parser()\n| where MessageType == 2\n| summarize AlertCount = count() by Codename", + "size": 3, + "title": "IoAs chart", + "noDataMessage": "No alerts", + "noDataMessageStyle": 3, + "timeContext": { + "durationMs": 7776000000 + }, + "timeContextFromParameter": "TimeRange", + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces", + "visualization": "piechart", + "chartSettings": { + "yAxis": [ + "AlertCount" + ], + "group": "Codename", + "createOtherGroup": 20, + "ySettings": { + "numberFormatSettings": { + "unit": 0, + "options": { + "style": "decimal", + "useGrouping": true + } + } + } + } + }, + "customWidth": "40", + "name": "Piechart" + }, + { + "type": 3, + "content": { + "version": "KqlItem/1.0", + "query": "afad_parser\r\n| where MessageType == 2\r\n| summarize by Time, Codename, SourceHostname, SourceIP, DestinationHostname, DestinationIP", + "size": 2, + "title": "Triggered IoA alerts list", + "noDataMessage": "No alerts", + "noDataMessageStyle": 3, + "timeContext": { + "durationMs": 0 + }, + "timeContextFromParameter": "TimeRange", + "exportFieldName": "DevianceID", + "exportParameterName": "SelectedDevianceID", + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces", + "sortBy": [] + }, + "customWidth": "60", + "showPin": false, + "name": "query - 3", + "styleSettings": { + "margin": "0px", + "padding": "0px" + } + } + ] + }, + "name": "IoAs", + "styleSettings": { + "showBorder": true + } + }, + { + "type": 12, + "content": { + "version": "NotebookGroup/1.0", + "groupType": "editable", + "items": [ + { + "type": 3, + "content": { + "version": "KqlItem/1.0", + "query": "afad_parser()\r\n| where MessageType == 2\r\n| summarize AlertCount = count() by Severity", + "size": 0, + "title": "IoAs severity chart", + "noDataMessage": "No alerts", + "noDataMessageStyle": 3, + "timeContext": { + "durationMs": 7776000000 + }, + "timeContextFromParameter": "TimeRange", + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces", + "visualization": "graph", + "graphSettings": { + "type": 2, + "topContent": { + "columnMatch": "Severity", + "formatter": 1 + }, + "centerContent": { + "columnMatch": "AlertCount", + "formatter": 1, + "numberFormat": { + "unit": 17, + "options": { + "maximumSignificantDigits": 3, + "maximumFractionDigits": 2 + } + } + }, + "nodeIdField": "Severity", + "graphOrientation": 3, + "showOrientationToggles": false, + "nodeSize": null, + "staticNodeSize": 100, + "colorSettings": { + "nodeColorField": "Severity", + "type": 1, + "colorPalette": "default" + }, + "hivesMargin": 5 + } + }, + "customWidth": "25", + "name": "query - 1", + "styleSettings": { + "maxWidth": "50" + } + }, + { + "type": 3, + "content": { + "version": "KqlItem/1.0", + "query": "let threshold = 1;\r\nlet SeverityTable=datatable(Severity:string,Level:int) [\r\n\"low\", 1,\r\n\"medium\", 2,\r\n\"high\", 3,\r\n\"critical\", 4\r\n];\r\nafad_parser\r\n| where MessageType == 2 \r\n| lookup kind=leftouter SeverityTable on Severity\r\n| where Level >= ['threshold']\r\n| summarize Count = count() by bin(Time, {SamplingPeriod:seconds}), Severity", + "size": 0, + "title": "Alerts raised over time grouped by severity", + "noDataMessage": "No alerts", + "noDataMessageStyle": 3, + "timeContext": { + "durationMs": 7776000000 + }, + "timeContextFromParameter": "TimeRange", + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces", + "visualization": "timechart", + "chartSettings": { + "showLegend": true + } + }, + "customWidth": "75", + "name": "query - 2" + } + ] + }, + "name": "Severity", + "styleSettings": { + "showBorder": true + } + } + ], + "fromTemplateId": "sentinel-Tenable.ad | Indicators of Attack", + "$schema": "https://github.com/Microsoft/Application-Insights-Workbooks/blob/master/schema/workbook.json" +} \ No newline at end of file diff --git a/Solutions/TenableAD/Workbooks/TenableAdIoE.json b/Solutions/TenableAD/Workbooks/TenableAdIoE.json new file mode 100644 index 0000000000..6ebe1ba590 --- /dev/null +++ b/Solutions/TenableAD/Workbooks/TenableAdIoE.json @@ -0,0 +1,515 @@ +{ + "version": "Notebook/1.0", + "items": [ + { + "type": 9, + "content": { + "version": "KqlParameterItem/1.0", + "parameters": [ + { + "id": "43366a94-7278-4619-bee0-92bcfcbc7210", + "version": "KqlParameterItem/1.0", + "name": "TimeRange", + "label": "Time Range", + "type": 4, + "description": "Specify the time range on which to query the data", + "isRequired": true, + "value": { + "durationMs": 7776000000 + }, + "typeSettings": { + "selectableValues": [ + { + "durationMs": 300000 + }, + { + "durationMs": 900000 + }, + { + "durationMs": 1800000 + }, + { + "durationMs": 3600000 + }, + { + "durationMs": 14400000 + }, + { + "durationMs": 43200000 + }, + { + "durationMs": 86400000 + }, + { + "durationMs": 172800000 + }, + { + "durationMs": 259200000 + }, + { + "durationMs": 604800000 + }, + { + "durationMs": 1209600000 + }, + { + "durationMs": 2419200000 + }, + { + "durationMs": 2592000000 + }, + { + "durationMs": 5184000000 + }, + { + "durationMs": 7776000000 + } + ], + "allowCustom": false + }, + "timeContext": { + "durationMs": 86400000 + } + }, + { + "id": "39f06de4-8b6f-4e62-85dc-a198ff7365b0", + "version": "KqlParameterItem/1.0", + "name": "SamplingPeriod", + "label": "Sampling Period", + "type": 4, + "description": "Specify the sampling period for the time charts", + "isRequired": true, + "value": { + "durationMs": 86400000 + }, + "typeSettings": { + "selectableValues": [ + { + "durationMs": 300000 + }, + { + "durationMs": 900000 + }, + { + "durationMs": 1800000 + }, + { + "durationMs": 3600000 + }, + { + "durationMs": 14400000 + }, + { + "durationMs": 43200000 + }, + { + "durationMs": 86400000 + }, + { + "durationMs": 172800000 + }, + { + "durationMs": 259200000 + }, + { + "durationMs": 604800000 + }, + { + "durationMs": 1209600000 + }, + { + "durationMs": 2419200000 + }, + { + "durationMs": 2592000000 + }, + { + "durationMs": 5184000000 + }, + { + "durationMs": 7776000000 + } + ] + } + } + ], + "style": "pills", + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces" + }, + "name": "parameters - 3" + }, + { + "type": 11, + "content": { + "version": "LinkItem/1.0", + "style": "tabs", + "links": [ + { + "id": "edcecaf8-8161-4ea6-b0e8-770747c32bec", + "cellValue": "ioes", + "linkTarget": "parameter", + "linkLabel": "General", + "subTarget": "(\"\")", + "style": "link" + }, + { + "id": "78eca422-e0a3-4634-8555-eb0a181c6556", + "cellValue": "ioes", + "linkTarget": "parameter", + "linkLabel": "Password issues", + "subTarget": "(\"C-CLEARTEXT-PASSWORD\", \"C-PASSWORD-DONT-EXPIRE\", \"C-USER-REVER-PWDS\", \"C-PASSWORD-POLICY\", \"C-USER-PASSWORD\", \"C-KRBTGT-PASSWORD\", \"C-AAD-SSO-PASSWORD\", \"C-REVER-PWD-GPO\")", + "style": "link" + }, + { + "id": "08647ae1-6b0f-4094-951a-45aed7d53737", + "cellValue": "ioes", + "linkTarget": "parameter", + "linkLabel": "User accounts issues", + "subTarget": "(\"C-ACCOUNTS-DANG-SID-HISTORY\", \"C-PRE-WIN2000-ACCESS-MEMBERS\", \"C-PASSWORD-DONT-EXPIRE\", \"C-SLEEPING-ACCOUNTS\", \"C-DANG-PRIMGROUPID\", \"C-PASSWORD-NOT-REQUIRED\", \"C-USER-PASSWORD\")", + "style": "link" + }, + { + "id": "f7c5450f-2b23-4fdb-8c5e-91120ec9b6ad", + "cellValue": "ioes", + "linkTarget": "parameter", + "linkLabel": "Privileged accounts issues", + "subTarget": "(\"C-PRIV-ACCOUNTS-SPN\", \"C-NATIVE-ADM-GROUP-MEMBERS\", \"C-KRBTGT-PASSWORD\", \"C-PROTECTED-USERS-GROUP-UNUSED\", \"C-ADMINCOUNT-ACCOUNT-PROPS\", \"C-ADM-ACC-USAGE\", \"C-LAPS-UNSECURE-CONFIG\", \"C-DISABLED-ACCOUNTS-PRIV-GROUPS\")", + "style": "link" + }, + { + "id": "f3d56c20-8dd6-4cc4-921e-b16da7867ad4", + "cellValue": "ioes", + "linkTarget": "parameter", + "linkLabel": "AD attacks pathways", + "subTarget": "(\"C-PRIV-ACCOUNTS-SPN\", \"C-SDPROP-CONSISTENCY\", \"C-DANG-PRIMGROUPID\", \"C-GPO-HARDENING\", \"C-DC-ACCESS-CONSISTENCY\", \"C-DANGEROUS-TRUST-RELATIONSHIP\", \"C-UNCONST-DELEG\", \"C-ABNORMAL-ENTRIES-IN-SCHEMA\")", + "style": "link" + } + ] + }, + "customWidth": "50", + "name": "links - 2" + }, + { + "type": 12, + "content": { + "version": "NotebookGroup/1.0", + "groupType": "editable", + "items": [ + { + "type": 3, + "content": { + "version": "KqlItem/1.0", + "query": "afad_parser()\r\n| where MessageType == 0| where MessageType == 0 and (\"\" in {ioes} or Codename in {ioes})\r\n| summarize AlertCount = count() by Explanation, Codename", + "size": 3, + "title": "Detected IoEs list with codenames explanations", + "noDataMessage": "No alerts", + "noDataMessageStyle": 3, + "timeContext": { + "durationMs": 7776000000 + }, + "timeContextFromParameter": "TimeRange", + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces", + "visualization": "tiles", + "tileSettings": { + "titleContent": { + "columnMatch": "Codename", + "formatter": 1 + }, + "leftContent": { + "columnMatch": "AlertCount", + "formatter": 12, + "formatOptions": { + "palette": "auto" + }, + "numberFormat": { + "unit": 17, + "options": { + "style": "decimal", + "maximumFractionDigits": 2, + "maximumSignificantDigits": 3 + } + } + }, + "rightContent": { + "columnMatch": "Explanation" + }, + "showBorder": false, + "size": "full" + }, + "graphSettings": { + "type": 0, + "topContent": { + "columnMatch": "Explanation", + "formatter": 1 + }, + "centerContent": { + "columnMatch": "AlertCount", + "formatter": 1, + "numberFormat": { + "unit": 17, + "options": { + "maximumSignificantDigits": 3, + "maximumFractionDigits": 2 + } + } + } + } + }, + "customWidth": "50", + "name": "query - 4" + }, + { + "type": 1, + "content": { + "json": "# Indicators of Exposure\r\nOur IoEs are behavioral detection indicators powered by the latest intelligence on the Active Directory threat landscape. Our team builds our IoEs from technical indicators (IOCs) and tactics, techniques and procedures (commonly referred as TTPs), and disseminate them to our users’ platforms transparently, therefore ensuring a permanent state-of-the-art detection capability.\r\n\r\n\r\n**Tenable.ad** measures the security maturity of your AD infrastructures through Indicators of Exposure (IoEs) and assigns severity levels (**Critical**, **High**, **Medium** or **Low**) to the constant flow of events that is being monitored and analyzed.\r\n\r\n-\tCritical: The IoE is dealing with AD sensitive object that will lead to a full AD compromise is one of them is accessed by an illegitimate user\r\n-\tHigh : The IoE is either dealing with post exploitation techniques (that could allow credential thefts for example or backdooring) or with exploitation techniques which is requiring some level of administrative right to be exploited\r\n\r\n-\tMedium : The IoE is referencing a security issue that will have impact on business related data but without endangering the entire AD infrastructure\r\n\r\n-\tLow: The IoE is related to good security practices. Deviances raised by this IoE have a minimal security impact on the monitored infrastructure\r\n\r\n\r\nFrom **Tenable.ad** interface, the **Indicators of Exposure** page displays IoE tiles arranged in the following order:\r\n\r\n- By severity level via color codes (red for Critical, orange for High, yellow for Medium and blue for Low).\r\n\r\n- Vertically, by order of severity (red for top priority and blue for least priority).\r\n\r\n- Horizontally, by order of complexity (starting with the least complex cases and ending with the most complex cases). The complexity indicator is dynamically computed by Tenable.ad's platform to describe how difficult it will be for the Administration team to fix the deviant IoE.\r\n\r\n\r\nIn case of security regressions, **Tenable.ad** will trigger alerts." + }, + "customWidth": "50", + "name": "text - 1" + } + ] + }, + "name": "group - 4", + "styleSettings": { + "showBorder": true + } + }, + { + "type": 12, + "content": { + "version": "NotebookGroup/1.0", + "groupType": "editable", + "items": [ + { + "type": 3, + "content": { + "version": "KqlItem/1.0", + "query": "afad_parser()\r\n| where MessageType == 0 and (\"\" in {ioes} or Codename in {ioes})\r\n| summarize AlertCount = count() by Severity", + "size": 0, + "title": "IoEs severity chart", + "noDataMessage": "No alerts", + "noDataMessageStyle": 3, + "timeContext": { + "durationMs": 7776000000 + }, + "timeContextFromParameter": "TimeRange", + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces", + "visualization": "graph", + "graphSettings": { + "type": 2, + "topContent": { + "columnMatch": "Severity", + "formatter": 1 + }, + "centerContent": { + "columnMatch": "AlertCount", + "formatter": 1, + "numberFormat": { + "unit": 17, + "options": { + "maximumSignificantDigits": 3, + "maximumFractionDigits": 2 + } + } + }, + "nodeIdField": "Severity", + "graphOrientation": 3, + "showOrientationToggles": false, + "nodeSize": null, + "staticNodeSize": 100, + "colorSettings": { + "nodeColorField": "Severity", + "type": 1, + "colorPalette": "default" + }, + "hivesMargin": 5 + } + }, + "customWidth": "25", + "name": "query - 1", + "styleSettings": { + "maxWidth": "50" + } + }, + { + "type": 3, + "content": { + "version": "KqlItem/1.0", + "query": "let threshold = 1;\r\nlet SeverityTable=datatable(Severity:string,Level:int) [\r\n\"low\", 1,\r\n\"medium\", 2,\r\n\"high\", 3,\r\n\"critical\", 4\r\n];\r\nafad_parser\r\n| where MessageType == 0 and (\"\" in {ioes} or Codename in {ioes})\r\n| lookup kind=leftouter SeverityTable on Severity\r\n| where Level >= ['threshold']\r\n| summarize Count = count() by bin(Time, {SamplingPeriod:seconds}), Severity", + "size": 0, + "title": "Alerts raised over time grouped by severity", + "noDataMessage": "No alerts", + "noDataMessageStyle": 3, + "timeContext": { + "durationMs": 7776000000 + }, + "timeContextFromParameter": "TimeRange", + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces", + "visualization": "timechart", + "chartSettings": { + "showLegend": true + } + }, + "customWidth": "75", + "name": "query - 2" + } + ] + }, + "name": "Severity", + "styleSettings": { + "showBorder": true + } + }, + { + "type": 12, + "content": { + "version": "NotebookGroup/1.0", + "groupType": "editable", + "items": [ + { + "type": 3, + "content": { + "version": "KqlItem/1.0", + "query": "afad_parser()\n| where MessageType == 0| where MessageType == 0 and (\"\" in {ioes} or Codename in {ioes})\n| summarize AlertCount = count() by Codename", + "size": 3, + "title": "IoEs chart", + "noDataMessage": "No alerts", + "noDataMessageStyle": 3, + "timeContext": { + "durationMs": 7776000000 + }, + "timeContextFromParameter": "TimeRange", + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces", + "visualization": "piechart", + "chartSettings": { + "yAxis": [ + "AlertCount" + ], + "group": "Codename", + "createOtherGroup": 20, + "ySettings": { + "numberFormatSettings": { + "unit": 0, + "options": { + "style": "decimal", + "useGrouping": true + } + } + } + } + }, + "customWidth": "50", + "name": "Piechart" + } + ] + }, + "name": "group - 5", + "styleSettings": { + "showBorder": true + } + }, + { + "type": 12, + "content": { + "version": "NotebookGroup/1.0", + "groupType": "editable", + "items": [ + { + "type": 3, + "content": { + "version": "KqlItem/1.0", + "query": "afad_parser\r\n| where MessageType == 0 and (\"\" in {ioes} or Codename in {ioes})\r\n| summarize Count = count() by bin(Time, {SamplingPeriod:seconds}), Codename", + "size": 0, + "title": "Number of triggered IoE alerts over time", + "noDataMessage": "No alerts", + "noDataMessageStyle": 3, + "timeContext": { + "durationMs": 7776000000 + }, + "timeContextFromParameter": "TimeRange", + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces", + "visualization": "timechart", + "chartSettings": { + "showLegend": true + } + }, + "name": "query - 1" + }, + { + "type": 3, + "content": { + "version": "KqlItem/1.0", + "query": "afad_parser\r\n| where MessageType == 0 and (\"\" in {ioes} or Codename in {ioes})\r\n| summarize by Time, DevianceID, Explanation", + "size": 0, + "title": "Triggered IoE alerts list", + "noDataMessage": "No alerts", + "noDataMessageStyle": 3, + "timeContext": { + "durationMs": 7776000000 + }, + "timeContextFromParameter": "TimeRange", + "exportFieldName": "DevianceID", + "exportParameterName": "SelectedDevianceID", + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces", + "sortBy": [] + }, + "customWidth": "50", + "showPin": false, + "name": "query - 3" + }, + { + "type": 3, + "content": { + "version": "KqlItem/1.0", + "query": "let ID_ = dynamic({SelectedDevianceID});\r\nafad_parser()\r\n| where MessageType == 0 and tostring(DevianceID) == tostring(ID_)\r\n| project ADObject", + "size": 3, + "title": "Impacted AD object", + "noDataMessage": "Please select a deviance to show impacted AD Objects", + "timeContext": { + "durationMs": 7776000000 + }, + "timeContextFromParameter": "TimeRange", + "exportFieldName": "AlertID", + "exportParameterName": "SelectedAlertID", + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces", + "gridSettings": { + "formatters": [ + { + "columnMatch": "ADObject", + "formatter": 0, + "formatOptions": { + "customColumnWidthSetting": "100%" + } + } + ] + } + }, + "customWidth": "50", + "name": "query - 4" + }, + { + "type": 1, + "content": { + "json": "You can select an alert to show details about it", + "style": "info" + }, + "name": "text - 5" + } + ] + }, + "name": "IoEs", + "styleSettings": { + "showBorder": true + } + } + ], + "fromTemplateId": "sentinel-Tenable.ad | Indicators of Exposure", + "$schema": "https://github.com/Microsoft/Application-Insights-Workbooks/blob/master/schema/workbook.json" +} \ No newline at end of file diff --git a/Solutions/Training/Azure-Sentinel-Training-Lab/Modules/Module-1-Setting-up-the-environment.md b/Solutions/Training/Azure-Sentinel-Training-Lab/Modules/Module-1-Setting-up-the-environment.md index cee956b38c..b8a6376972 100644 --- a/Solutions/Training/Azure-Sentinel-Training-Lab/Modules/Module-1-Setting-up-the-environment.md +++ b/Solutions/Training/Azure-Sentinel-Training-Lab/Modules/Module-1-Setting-up-the-environment.md @@ -15,7 +15,7 @@ Permissions to create a resource group in your Azure subscription. ### Exercise 1: The Microsoft Sentinel workspace -In this exercise we will show you how to create a brand new Microsoft Sentinel workspace. If you already have a pre-existing one that you would like to use, you can skip to [Exercise 2](Module-1-Setting-up-the-environment.md#exercise-2-deploy-azure-sentinel-training-lab-arm-template). +In this exercise we will show you how to create a brand new Microsoft Sentinel workspace. If you already have a pre-existing one that you would like to use, you can skip to [Exercise 2](Module-1-Setting-up-the-environment.md#exercise-2-deploy-the-microsoft-sentinel-training-lab-solution). 1. Navigate to the [Azure Portal](http://portal.azure.com) and log in with your account. @@ -49,7 +49,7 @@ Click **Review + create** and then **Create** after the validation completes. Th ### Exercise 2: Deploy the Microsoft Sentinel Training Lab Solution -In this exercise you will deploy the Trainig Lab solution into your existing workspace. This will ingest pre-recorded data (~20 MBs) and create several other artifacts that will be used during the exercises. +In this exercise you will deploy the Training Lab solution into your existing workspace. This will ingest pre-recorded data (~20 MBs) and create several other artifacts that will be used during the exercises. 1. In the Azure Portal, go to the top search bar and type *Microsoft Sentinel Training*. Select the **Microsoft Sentinel Training Lab Solution (Preview)** marketplace item on the right. diff --git a/Solutions/Trend Micro Cloud App Security/Analytic Rules/TrendMicroCASDLPViolation.yaml b/Solutions/Trend Micro Cloud App Security/Analytic Rules/TrendMicroCASDLPViolation.yaml new file mode 100755 index 0000000000..b3affdd6ac --- /dev/null +++ b/Solutions/Trend Micro Cloud App Security/Analytic Rules/TrendMicroCASDLPViolation.yaml @@ -0,0 +1,28 @@ +id: 1ddeb8ad-cad9-4db4-b074-f9da003ca3ed +name: Trend Micro CAS - DLP violation +description: | + 'Detects when DLP policy violation occurs.' +severity: Medium +requiredDataConnectors: + - connectorId: TrendMicroCAS + dataTypes: + - TrendMicroCAS +queryFrequency: 1h +queryPeriod: 1h +triggerOperator: gt +triggerThreshold: 0 +tactics: + - Exfiltration +relevantTechniques: + - T1048 +query: | + TrendMicroCAS + | where isnotempty(TriggeredDlpTemplate) + | extend AccountCustomEntity = DstUserName +entityMappings: + - entityType: Account + fieldMappings: + - identifier: Name + columnName: AccountCustomEntity +version: 1.0.0 +kind: Scheduled diff --git a/Solutions/Trend Micro Cloud App Security/Analytic Rules/TrendMicroCASPossiblePhishingMail.yaml b/Solutions/Trend Micro Cloud App Security/Analytic Rules/TrendMicroCASPossiblePhishingMail.yaml new file mode 100755 index 0000000000..d92d3161eb --- /dev/null +++ b/Solutions/Trend Micro Cloud App Security/Analytic Rules/TrendMicroCASPossiblePhishingMail.yaml @@ -0,0 +1,33 @@ +id: 9e7b3811-d743-479c-a296-635410562429 +name: Trend Micro CAS - Possible phishing mail +description: | + 'Detects possible phishing mail.' +severity: Medium +requiredDataConnectors: + - connectorId: TrendMicroCAS + dataTypes: + - TrendMicroCAS +queryFrequency: 1h +queryPeriod: 1h +triggerOperator: gt +triggerThreshold: 0 +tactics: + - InitialAccess +relevantTechniques: + - T1566 +query: | + let threshold = 5; + TrendMicroCAS + | where EventCategoryType in~ ('exchange', 'gmail', 'exchangeserver') + | where isnotempty(SrcFileName) + | where isnotempty(SecurityRiskName) + | summarize r_users = makeset(DstUserName) by SrcFileName, bin(TimeGenerated, 30m) + | where array_length(r_users) > threshold + | extend AccountCustomEntity = r_users +entityMappings: + - entityType: Account + fieldMappings: + - identifier: Name + columnName: AccountCustomEntity +version: 1.0.0 +kind: Scheduled diff --git a/Solutions/Trend Micro Cloud App Security/Analytic Rules/TrendMicroCASRansomwareOnHost.yaml b/Solutions/Trend Micro Cloud App Security/Analytic Rules/TrendMicroCASRansomwareOnHost.yaml new file mode 100755 index 0000000000..391f6e59e1 --- /dev/null +++ b/Solutions/Trend Micro Cloud App Security/Analytic Rules/TrendMicroCASRansomwareOnHost.yaml @@ -0,0 +1,32 @@ +id: 0bec3f9a-dbe9-4b4c-9ff6-498d64bbef90 +name: Trend Micro CAS - Ransomware infection +description: | + 'Triggeres when ransomware was detected.' +severity: Medium +requiredDataConnectors: + - connectorId: TrendMicroCAS + dataTypes: + - TrendMicroCAS +queryFrequency: 1h +queryPeriod: 1h +triggerOperator: gt +triggerThreshold: 0 +tactics: + - Impact +relevantTechniques: + - T1486 +query: | + TrendMicroCAS + | where EventType =~ 'ransomware' + | extend AccountCustomEntity = DstUserName, MalwareCustomEntity = RansomwareName +entityMappings: + - entityType: Account + fieldMappings: + - identifier: Name + columnName: AccountCustomEntity + - entityType: Malware + fieldMappings: + - identifier: Name + columnName: MalwareCustomEntity +version: 1.0.0 +kind: Scheduled diff --git a/Solutions/Trend Micro Cloud App Security/Analytic Rules/TrendMicroCASRansomwareOutbreak.yaml b/Solutions/Trend Micro Cloud App Security/Analytic Rules/TrendMicroCASRansomwareOutbreak.yaml new file mode 100755 index 0000000000..2b6ce9f053 --- /dev/null +++ b/Solutions/Trend Micro Cloud App Security/Analytic Rules/TrendMicroCASRansomwareOutbreak.yaml @@ -0,0 +1,30 @@ +id: 38e043ce-a1fd-497b-8d4f-ce5ca2db90cd +name: Trend Micro CAS - Ransomware outbreak +description: | + 'Triggeres when ransomware was detected on several accounts.' +severity: High +requiredDataConnectors: + - connectorId: TrendMicroCAS + dataTypes: + - TrendMicroCAS +queryFrequency: 1h +queryPeriod: 1h +triggerOperator: gt +triggerThreshold: 0 +tactics: + - Impact +relevantTechniques: + - T1486 +query: | + TrendMicroCAS + | where EventType =~ 'ransomware' + | summarize count() by DstUserName, bin(TimeGenerated, 15m) + | where count_ >= 2 + | extend AccountCustomEntity = DstUserName +entityMappings: + - entityType: Account + fieldMappings: + - identifier: Name + columnName: AccountCustomEntity +version: 1.0.0 +kind: Scheduled diff --git a/Solutions/Trend Micro Cloud App Security/Analytic Rules/TrendMicroCASSuspiciousFilename.yaml b/Solutions/Trend Micro Cloud App Security/Analytic Rules/TrendMicroCASSuspiciousFilename.yaml new file mode 100755 index 0000000000..4f9acfed2a --- /dev/null +++ b/Solutions/Trend Micro Cloud App Security/Analytic Rules/TrendMicroCASSuspiciousFilename.yaml @@ -0,0 +1,29 @@ +id: 52c4640a-1e2b-4155-b69e-e1869c9a57c9 +name: Trend Micro CAS - Suspicious filename +description: | + 'Detects unexpected filename.' +severity: Medium +requiredDataConnectors: + - connectorId: TrendMicroCAS + dataTypes: + - TrendMicroCAS +queryFrequency: 1h +queryPeriod: 1h +triggerOperator: gt +triggerThreshold: 0 +tactics: + - InitialAccess +relevantTechniques: + - T1566 +query: | + TrendMicroCAS + | where isnotempty(SrcFileName) + | where SrcFileName matches regex @'\A[a-zA-Z0-9_\-.]{1,3}\.\w+$' + | extend AccountCustomEntity = DstUserName +entityMappings: + - entityType: Account + fieldMappings: + - identifier: Name + columnName: AccountCustomEntity +version: 1.0.0 +kind: Scheduled \ No newline at end of file diff --git a/Solutions/Trend Micro Cloud App Security/Analytic Rules/TrendMicroCASThreatNotBlocked.yaml b/Solutions/Trend Micro Cloud App Security/Analytic Rules/TrendMicroCASThreatNotBlocked.yaml new file mode 100755 index 0000000000..96668cdc28 --- /dev/null +++ b/Solutions/Trend Micro Cloud App Security/Analytic Rules/TrendMicroCASThreatNotBlocked.yaml @@ -0,0 +1,29 @@ +id: c8e2ad52-bd5f-4f74-a2f7-6c3ab8ba687a +name: Trend Micro CAS - Threat detected and not blocked +description: | + 'Detects when threat was not blocked by CAS solution.' +severity: Medium +requiredDataConnectors: + - connectorId: TrendMicroCAS + dataTypes: + - TrendMicroCAS +queryFrequency: 1h +queryPeriod: 1h +triggerOperator: gt +triggerThreshold: 0 +tactics: + - DefenseEvasion +relevantTechniques: + - T1562 +query: | + TrendMicroCAS + | where isnotempty(SecurityRiskName) + | where EventOriginalResultDetails !has 'Blocked' or EventOriginalResultDetails !has 'Block' or EventOriginalResultDetails !has 'Quarantine' or TriggeredPolicyName has 'Monitor Only' + | extend AccountCustomEntity = DstUserName +entityMappings: + - entityType: Account + fieldMappings: + - identifier: Name + columnName: AccountCustomEntity +version: 1.0.0 +kind: Scheduled diff --git a/Solutions/Trend Micro Cloud App Security/Analytic Rules/TrendMicroCASUnexpectedFileInMail.yaml b/Solutions/Trend Micro Cloud App Security/Analytic Rules/TrendMicroCASUnexpectedFileInMail.yaml new file mode 100755 index 0000000000..9b330c02be --- /dev/null +++ b/Solutions/Trend Micro Cloud App Security/Analytic Rules/TrendMicroCASUnexpectedFileInMail.yaml @@ -0,0 +1,32 @@ +id: 201fd2d1-9131-4b29-bace-ce5d19f3e4ee +name: Trend Micro CAS - Unexpected file via mail +description: | + 'Detects when unexpected file recieved via mail.' +severity: Medium +requiredDataConnectors: + - connectorId: TrendMicroCAS + dataTypes: + - TrendMicroCAS +queryFrequency: 1h +queryPeriod: 1h +triggerOperator: gt +triggerThreshold: 0 +tactics: + - InitialAccess +relevantTechniques: + - T1566 +query: | + let f_types = dynamic(['ps1', 'bat', 'scr', 'sh', 'exe', 'js', 'lnk']); + TrendMicroCAS + | where EventCategoryType in~ ('exchange', 'gmail', 'exchangeserver') + | where isnotempty(SrcFileName) + | extend file_type = extract(@'\.(\w+)$', 1, SrcFileName) + | where file_type in~ (f_types) + | extend AccountCustomEntity = DstUserName +entityMappings: + - entityType: Account + fieldMappings: + - identifier: Name + columnName: AccountCustomEntity +version: 1.0.0 +kind: Scheduled diff --git a/Solutions/Trend Micro Cloud App Security/Analytic Rules/TrendMicroCASUnexpectedFileOnFileShare.yaml b/Solutions/Trend Micro Cloud App Security/Analytic Rules/TrendMicroCASUnexpectedFileOnFileShare.yaml new file mode 100755 index 0000000000..f7bab6a473 --- /dev/null +++ b/Solutions/Trend Micro Cloud App Security/Analytic Rules/TrendMicroCASUnexpectedFileOnFileShare.yaml @@ -0,0 +1,32 @@ +id: de54f817-f338-46bf-989b-4e016ea6b71b +name: Trend Micro CAS - Unexpected file on file share +description: | + 'Detects unexpected files on file share.' +severity: Medium +requiredDataConnectors: + - connectorId: TrendMicroCAS + dataTypes: + - TrendMicroCAS +queryFrequency: 1h +queryPeriod: 1h +triggerOperator: gt +triggerThreshold: 0 +tactics: + - InitialAccess +relevantTechniques: + - T1566 +query: | + let f_types = dynamic(['ps1', 'bat', 'scr', 'sh', 'exe', 'js', 'lnk']); + TrendMicroCAS + | where EventCategoryType in~ ('sharepoint', 'onedrive', 'dropbox', 'box', 'googledrive') + | where isnotempty(SrcFileName) + | extend file_type = extract(@'\.(\w+)$', 1, SrcFileName) + | where file_type in~ (f_types) or SrcFileName !contains @'.' + | extend AccountCustomEntity = DstUserName +entityMappings: + - entityType: Account + fieldMappings: + - identifier: Name + columnName: AccountCustomEntity +version: 1.0.0 +kind: Scheduled diff --git a/Solutions/Trend Micro Cloud App Security/Analytic Rules/TrendMicroCASVAInfectedUser.yaml b/Solutions/Trend Micro Cloud App Security/Analytic Rules/TrendMicroCASVAInfectedUser.yaml new file mode 100755 index 0000000000..58a1088c85 --- /dev/null +++ b/Solutions/Trend Micro Cloud App Security/Analytic Rules/TrendMicroCASVAInfectedUser.yaml @@ -0,0 +1,33 @@ +id: 3649dfb8-a5ca-47dd-8965-cd2f633ca533 +name: Trend Micro CAS - Infected user +description: | + 'Detects when malware was detected for user account.' +severity: Medium +requiredDataConnectors: + - connectorId: TrendMicroCAS + dataTypes: + - TrendMicroCAS +queryFrequency: 1h +queryPeriod: 1h +triggerOperator: gt +triggerThreshold: 0 +tactics: + - InitialAccess +relevantTechniques: + - T1566 +query: | + TrendMicroCAS + | where EventType has_all ('virtual', 'analyzer') + | where isnotempty(VirusName) + | extend AccountCustomEntity = DstUserName, MalwareCustomEntity = VirusName +entityMappings: + - entityType: Account + fieldMappings: + - identifier: Name + columnName: AccountCustomEntity + - entityType: Malware + fieldMappings: + - identifier: Name + columnName: MalwareCustomEntity +version: 1.0.0 +kind: Scheduled diff --git a/Solutions/Trend Micro Cloud App Security/Analytic Rules/TrendMicroCASVAOutbreak.yaml b/Solutions/Trend Micro Cloud App Security/Analytic Rules/TrendMicroCASVAOutbreak.yaml new file mode 100755 index 0000000000..b431971be8 --- /dev/null +++ b/Solutions/Trend Micro Cloud App Security/Analytic Rules/TrendMicroCASVAOutbreak.yaml @@ -0,0 +1,35 @@ +id: 65c2a6fe-ff7b-46b0-9278-61265f77f3bc +name: Trend Micro CAS - Multiple infected users +description: | + 'Detects when same malware was detected for multiple user account.' +severity: Medium +requiredDataConnectors: + - connectorId: TrendMicroCAS + dataTypes: + - TrendMicroCAS +queryFrequency: 1h +queryPeriod: 1h +triggerOperator: gt +triggerThreshold: 0 +tactics: + - InitialAccess +relevantTechniques: + - T1566 +query: | + TrendMicroCAS + | where EventType has_all ('virtual', 'analyzer') + | where isnotempty(VirusName) + | summarize count() by DstUserName, VirusName, bin(TimeGenerated, 15m) + | where count_ >= 2 + | extend AccountCustomEntity = DstUserName, MalwareCustomEntity = VirusName +entityMappings: + - entityType: Account + fieldMappings: + - identifier: Name + columnName: AccountCustomEntity + - entityType: Malware + fieldMappings: + - identifier: Name + columnName: MalwareCustomEntity +version: 1.0.0 +kind: Scheduled diff --git a/Solutions/Trend Micro Cloud App Security/Hunting Queries/TrendMicroCASFilesOnShares.yaml b/Solutions/Trend Micro Cloud App Security/Hunting Queries/TrendMicroCASFilesOnShares.yaml new file mode 100755 index 0000000000..16a0fcc655 --- /dev/null +++ b/Solutions/Trend Micro Cloud App Security/Hunting Queries/TrendMicroCASFilesOnShares.yaml @@ -0,0 +1,29 @@ +id: 765f1769-cbe2-4c1a-a708-1769c2c48d79 +name: Trend Micro CAS - Files stored on cloud fileshare services +description: | + 'Query searches for stored on cloud fileshare services.' +severity: Medium +requiredDataConnectors: + - connectorId: TrendMicroCAS + dataTypes: + - TrendMicroCAS +tactics: + - InitialAccess +relevantTechniques: + - T1566 +query: | + TrendMicroCAS + | where TimeGenerated > ago(24h) + | where EventCategoryType in~ ('sharepoint', 'onedrive', 'dropbox', 'box', 'googledrive') + | where isnotempty(SrcFileName) + | project DetectionTime, DstUserName, SrcFileName, EventOriginalResultDetails, SecurityRiskName, VirusName + | extend FileCustomEntity = SrcFileName, AccountCustomEntity = DstUserName +entityMappings: + - entityType: Account + fieldMappings: + - identifier: Name + columnName: AccountCustomEntity + - entityType: File + fieldMappings: + - identifier: Name + columnName: FileCustomEntity diff --git a/Solutions/Trend Micro Cloud App Security/Hunting Queries/TrendMicroCASInfectedFilesInEmails.yaml b/Solutions/Trend Micro Cloud App Security/Hunting Queries/TrendMicroCASInfectedFilesInEmails.yaml new file mode 100755 index 0000000000..5f57518f05 --- /dev/null +++ b/Solutions/Trend Micro Cloud App Security/Hunting Queries/TrendMicroCASInfectedFilesInEmails.yaml @@ -0,0 +1,26 @@ +id: 8c386a11-7282-41ae-8181-2bfcafe20aad +name: Trend Micro CAS - Infected files received via email +description: | + 'Query searches for infected files received via email.' +severity: Medium +requiredDataConnectors: + - connectorId: TrendMicroCAS + dataTypes: + - TrendMicroCAS +tactics: + - InitialAccess +relevantTechniques: + - T1566 +query: | + TrendMicroCAS + | where TimeGenerated > ago(24h) + | where EventCategoryType in~ ('exchange', 'gmail', 'exchangeserver') + | where isnotempty(SecurityRiskName) + | where EventOriginalResultDetails =~ 'Quarantine' + | project DetectionTime, DstUserName, MailMessageFileName, SecurityRiskName + | extend AccountCustomEntity = DstUserName +entityMappings: + - entityType: Account + fieldMappings: + - identifier: Name + columnName: AccountCustomEntity diff --git a/Solutions/Trend Micro Cloud App Security/Hunting Queries/TrendMicroCASRansomwareThreats.yaml b/Solutions/Trend Micro Cloud App Security/Hunting Queries/TrendMicroCASRansomwareThreats.yaml new file mode 100755 index 0000000000..7e3cde4da2 --- /dev/null +++ b/Solutions/Trend Micro Cloud App Security/Hunting Queries/TrendMicroCASRansomwareThreats.yaml @@ -0,0 +1,24 @@ +id: 440f5440-e452-4b19-a8a4-5e39b5676657 +name: Trend Micro CAS - Ransomware threats +description: | + 'Query searches for ransomware threats.' +severity: Medium +requiredDataConnectors: + - connectorId: TrendMicroCAS + dataTypes: + - TrendMicroCAS +tactics: + - InitialAccess +relevantTechniques: + - T1566 +query: | + TrendMicroCAS + | where TimeGenerated > ago(24h) + | where isnotempty(RansomwareName) + | project DetectionTime, DstUserName, SrcFileName, RansomwareName + | extend AccountCustomEntity = DstUserName +entityMappings: + - entityType: Account + fieldMappings: + - identifier: Name + columnName: AccountCustomEntity diff --git a/Solutions/Trend Micro Cloud App Security/Hunting Queries/TrendMicroCASRareFilesRecievedViaEmail.yaml b/Solutions/Trend Micro Cloud App Security/Hunting Queries/TrendMicroCASRareFilesRecievedViaEmail.yaml new file mode 100755 index 0000000000..5d59409b32 --- /dev/null +++ b/Solutions/Trend Micro Cloud App Security/Hunting Queries/TrendMicroCASRareFilesRecievedViaEmail.yaml @@ -0,0 +1,26 @@ +id: 08df251e-56c6-4e06-a41b-2c86344cb383 +name: Trend Micro CAS - Rare files received via email services +description: | + 'Query searches for rare files recieved via email services.' +severity: Medium +requiredDataConnectors: + - connectorId: TrendMicroCAS + dataTypes: + - TrendMicroCAS +tactics: + - InitialAccess +relevantTechniques: + - T1566 +query: | + TrendMicroCAS + | where TimeGenerated > ago(24h) + | where EventCategoryType in~ ('exchange', 'gmail', 'exchangeserver') + | where isnotempty(MailMessageFileName) + | summarize count() by MailMessageFileName, EventOriginalResultDetails + | order by count_ asc + | extend FileCustomEntity = MailMessageFileName +entityMappings: + - entityType: File + fieldMappings: + - identifier: Name + columnName: FileCustomEntity diff --git a/Solutions/Trend Micro Cloud App Security/Hunting Queries/TrendMicroCASRiskyUsers.yaml b/Solutions/Trend Micro Cloud App Security/Hunting Queries/TrendMicroCASRiskyUsers.yaml new file mode 100755 index 0000000000..cc17d9ca5d --- /dev/null +++ b/Solutions/Trend Micro Cloud App Security/Hunting Queries/TrendMicroCASRiskyUsers.yaml @@ -0,0 +1,24 @@ +id: 496a35f6-bc85-47f9-a48f-9a55d3c9530f +name: Trend Micro CAS - Risky users +description: | + 'Query searches for users with high number of threats.' +severity: Medium +requiredDataConnectors: + - connectorId: TrendMicroCAS + dataTypes: + - TrendMicroCAS +tactics: + - InitialAccess +relevantTechniques: + - T1566 +query: | + TrendMicroCAS + | where TimeGenerated > ago(24h) + | where isnotempty(SecurityRiskName) + | summarize threats = makeset(SecurityRiskName) by DstUserName + | extend AccountCustomEntity = DstUserName +entityMappings: + - entityType: Account + fieldMappings: + - identifier: Name + columnName: AccountCustomEntity diff --git a/Solutions/Trend Micro Cloud App Security/Hunting Queries/TrendMicroCASScanDiscoveredThreats.yaml b/Solutions/Trend Micro Cloud App Security/Hunting Queries/TrendMicroCASScanDiscoveredThreats.yaml new file mode 100755 index 0000000000..49ed31d6eb --- /dev/null +++ b/Solutions/Trend Micro Cloud App Security/Hunting Queries/TrendMicroCASScanDiscoveredThreats.yaml @@ -0,0 +1,29 @@ +id: 993ca829-5d6a-4432-b192-e5dcf7bfea0c +name: Trend Micro CAS - Security risk scan threats +description: | + 'Query searches for threats discovered via security risk scans.' +severity: Medium +requiredDataConnectors: + - connectorId: TrendMicroCAS + dataTypes: + - TrendMicroCAS +tactics: + - InitialAccess +relevantTechniques: + - T1566 +query: | + TrendMicroCAS + | where TimeGenerated > ago(24h) + | where EventType =~ 'security_risk_scan' + | where isnotempty(SecurityRiskName) + | project DetectionTime, DstUserName, SrcFileName, SecurityRiskName + | extend AccountCustomEntity = DstUserName, FileCustomEntity = SrcFileName +entityMappings: + - entityType: Account + fieldMappings: + - identifier: Name + columnName: AccountCustomEntity + - entityType: File + fieldMappings: + - identifier: Name + columnName: FileCustomEntity diff --git a/Solutions/Trend Micro Cloud App Security/Hunting Queries/TrendMicroCASSuspiciousFilesSharepoint.yaml b/Solutions/Trend Micro Cloud App Security/Hunting Queries/TrendMicroCASSuspiciousFilesSharepoint.yaml new file mode 100755 index 0000000000..29f2a3ba7e --- /dev/null +++ b/Solutions/Trend Micro Cloud App Security/Hunting Queries/TrendMicroCASSuspiciousFilesSharepoint.yaml @@ -0,0 +1,25 @@ +id: dfd91afc-66f0-4661-90d7-82f9b5bf3d8f +name: Trend Micro CAS - Suspicious files on sharepoint +description: | + 'Query searches for suspicious files on sharepoint.' +severity: Medium +requiredDataConnectors: + - connectorId: TrendMicroCAS + dataTypes: + - TrendMicroCAS +tactics: + - InitialAccess +relevantTechniques: + - T1566 +query: | + TrendMicroCAS + | where TimeGenerated > ago(24h) + | where EventCategoryType =~ 'sharepoint' + | where EventOriginalResultDetails =~ 'Quarantine' + | project DetectionTime, DstUserName, SrcFileName, SrcFileSHA1, SrcFileSHA256, SecurityRiskName + | extend AccountCustomEntity = DstUserName +entityMappings: + - entityType: Account + fieldMappings: + - identifier: Name + columnName: AccountCustomEntity diff --git a/Solutions/Trend Micro Cloud App Security/Hunting Queries/TrendMicroCASTopFilesRecievedViaEmail.yaml b/Solutions/Trend Micro Cloud App Security/Hunting Queries/TrendMicroCASTopFilesRecievedViaEmail.yaml new file mode 100755 index 0000000000..8736efa88c --- /dev/null +++ b/Solutions/Trend Micro Cloud App Security/Hunting Queries/TrendMicroCASTopFilesRecievedViaEmail.yaml @@ -0,0 +1,25 @@ +id: 5b2dc14b-a55c-4002-8c2a-94f521baa0f4 +name: Trend Micro CAS - Files received via email services +description: | + 'Query searches for top files recieved via email services.' +severity: Medium +requiredDataConnectors: + - connectorId: TrendMicroCAS + dataTypes: + - TrendMicroCAS +tactics: + - InitialAccess +relevantTechniques: + - T1566 +query: | + TrendMicroCAS + | where TimeGenerated > ago(24h) + | where EventCategoryType in~ ('exchange', 'gmail', 'exchangeserver') + | where isnotempty(MailMessageFileName) + | summarize count() by MailMessageFileName, EventOriginalResultDetails + | extend FileCustomEntity = MailMessageFileName +entityMappings: + - entityType: File + fieldMappings: + - identifier: Name + columnName: FileCustomEntity diff --git a/Solutions/Trend Micro Cloud App Security/Hunting Queries/TrendMicroCASUserDLPViolations.yaml b/Solutions/Trend Micro Cloud App Security/Hunting Queries/TrendMicroCASUserDLPViolations.yaml new file mode 100755 index 0000000000..f7b645b39b --- /dev/null +++ b/Solutions/Trend Micro Cloud App Security/Hunting Queries/TrendMicroCASUserDLPViolations.yaml @@ -0,0 +1,24 @@ +id: 001be88a-e98f-4e9a-ad30-62b9ad8222a5 +name: Trend Micro CAS - DLP violations +description: | + 'Query searches for DLP violations by users.' +severity: Medium +requiredDataConnectors: + - connectorId: TrendMicroCAS + dataTypes: + - TrendMicroCAS +tactics: + - Exfiltration +relevantTechniques: + - T1048 +query: | + TrendMicroCAS + | where TimeGenerated > ago(24h) + | where isnotempty(TriggeredDlpTemplate) + | project DetectionTime, DstUserName, SrcFileName, TriggeredDlpTemplate + | extend AccountCustomEntity = DstUserName +entityMappings: + - entityType: Account + fieldMappings: + - identifier: Name + columnName: AccountCustomEntity \ No newline at end of file diff --git a/Solutions/Trend Micro Cloud App Security/Hunting Queries/TrendMicroCASVAThreats.yaml b/Solutions/Trend Micro Cloud App Security/Hunting Queries/TrendMicroCASVAThreats.yaml new file mode 100755 index 0000000000..1c5cb6c623 --- /dev/null +++ b/Solutions/Trend Micro Cloud App Security/Hunting Queries/TrendMicroCASVAThreats.yaml @@ -0,0 +1,25 @@ +id: 5ce1415f-cdea-4740-a481-73c1394248c2 +name: Trend Micro CAS - Virtual Analyzer threats +description: | + 'Query searches for Virtual Analyzer threats.' +severity: Medium +requiredDataConnectors: + - connectorId: TrendMicroCAS + dataTypes: + - TrendMicroCAS +tactics: + - InitialAccess +relevantTechniques: + - T1566 +query: | + TrendMicroCAS + | where TimeGenerated > ago(24h) + | where EventType has 'virtual_analyzer' + | where isnotempty(VirusName) + | project DetectionTime, DstUserName, SrcFileName, RansomwareName + | extend AccountCustomEntity = DstUserName +entityMappings: + - entityType: Account + fieldMappings: + - identifier: Name + columnName: AccountCustomEntity diff --git a/Solutions/Trend Micro Cloud App Security/Workbooks/Images/TrendMicroCASBlack.png b/Solutions/Trend Micro Cloud App Security/Workbooks/Images/TrendMicroCASBlack.png new file mode 100644 index 0000000000..b31558bba2 Binary files /dev/null and b/Solutions/Trend Micro Cloud App Security/Workbooks/Images/TrendMicroCASBlack.png differ diff --git a/Solutions/Trend Micro Cloud App Security/Workbooks/Images/TrendMicroCASWhite.png b/Solutions/Trend Micro Cloud App Security/Workbooks/Images/TrendMicroCASWhite.png new file mode 100644 index 0000000000..ed3d4854f7 Binary files /dev/null and b/Solutions/Trend Micro Cloud App Security/Workbooks/Images/TrendMicroCASWhite.png differ diff --git a/Solutions/Trend Micro Cloud App Security/Workbooks/TrendMicroCAS.json b/Solutions/Trend Micro Cloud App Security/Workbooks/TrendMicroCAS.json new file mode 100644 index 0000000000..041733614f --- /dev/null +++ b/Solutions/Trend Micro Cloud App Security/Workbooks/TrendMicroCAS.json @@ -0,0 +1,310 @@ +{ + "version": "Notebook/1.0", + "items": [ + { + "type": 1, + "content": { + "json": "**NOTE**: This data connector depends on a parser based on Kusto Function **TrendMicroCAS** to work as expected. [Follow steps to get this Kusto Function](https://aka.ms/sentinel-trendmicrocas-parser)" + }, + "name": "text - 8" + }, + { + "type": 9, + "content": { + "version": "KqlParameterItem/1.0", + "parameters": [ + { + "id": "cd8447d9-b096-4673-92d8-2a1e8291a125", + "version": "KqlParameterItem/1.0", + "name": "TimeRange", + "type": 4, + "description": "Sets the time name for analysis", + "value": { + "durationMs": 604800000 + }, + "typeSettings": { + "selectableValues": [ + { + "durationMs": 900000 + }, + { + "durationMs": 3600000 + }, + { + "durationMs": 86400000 + }, + { + "durationMs": 604800000 + }, + { + "durationMs": 2592000000 + }, + { + "durationMs": 7776000000 + } + ] + }, + "timeContext": { + "durationMs": 86400000 + } + } + ], + "style": "pills", + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces" + }, + "name": "parameters - 11" + }, + { + "type": 3, + "content": { + "version": "KqlItem/1.0", + "query": "TrendMicroCAS\r\n| make-series TotalEvents = count() default = 0 on TimeGenerated from {TimeRange:start} to {TimeRange:end} step {TimeRange:grain};", + "size": 0, + "title": "Events Over Time", + "color": "lightBlue", + "timeContext": { + "durationMs": 0 + }, + "timeContextFromParameter": "TimeRange", + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces", + "visualization": "timechart", + "graphSettings": { + "type": 0 + } + }, + "customWidth": "50", + "name": "query - 12", + "styleSettings": { + "maxWidth": "55" + } + }, + { + "type": 3, + "content": { + "version": "KqlItem/1.0", + "query": "TrendMicroCAS\r\n| where isnotempty(EventType)\r\n| summarize count() by EventType\r\n| join kind = inner (TrendMicroCAS\r\n | make-series Trend = count() default = 0 on TimeGenerated from {TimeRange:start} to {TimeRange:end} step {TimeRange:grain} by EventType)\r\n on EventType\r\n| project-away EventType1, TimeGenerated\r\n| project Trend, count_, EventType = case(EventType =~ 'security_risk_scan', 'Security Risk',\r\n EventType has 'virtual_analyzer', 'Virtual Analyzer',\r\n EventType startswith 'ransomware', 'Ransomware',\r\n EventType contains 'data', 'DLP',\r\n 'Other')", + "size": 3, + "title": "Event types", + "timeContext": { + "durationMs": 0 + }, + "timeContextFromParameter": "TimeRange", + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces", + "visualization": "tiles", + "tileSettings": { + "titleContent": { + "columnMatch": "EventType", + "formatter": 1 + }, + "leftContent": { + "columnMatch": "count_", + "formatter": 12, + "formatOptions": { + "palette": "auto" + }, + "numberFormat": { + "unit": 17, + "options": { + "style": "decimal", + "maximumFractionDigits": 2, + "maximumSignificantDigits": 3 + } + } + }, + "secondaryContent": { + "columnMatch": "Trend", + "formatter": 21, + "formatOptions": { + "palette": "purple" + } + }, + "showBorder": false + } + }, + "customWidth": "25", + "name": "query - 0", + "styleSettings": { + "maxWidth": "30" + } + }, + { + "type": 3, + "content": { + "version": "KqlItem/1.0", + "query": "TrendMicroCAS\r\n| summarize count() by EventCategoryType", + "size": 3, + "title": "Events by Service", + "timeContext": { + "durationMs": 0 + }, + "timeContextFromParameter": "TimeRange", + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces", + "visualization": "piechart" + }, + "customWidth": "25", + "name": "query - 3", + "styleSettings": { + "margin": "10", + "padding": "10" + } + }, + { + "type": 3, + "content": { + "version": "KqlItem/1.0", + "query": "TrendMicroCAS\r\n| where EventCategoryType in~ ('exchange', 'gmail', 'exchangeserver')\r\n| extend Domain = extract(@'@(\\S+)\\>', 1, MailMessageSender)\r\n| summarize MessageCount = count() by Domain", + "size": 3, + "title": "Top domains", + "timeContext": { + "durationMs": 0 + }, + "timeContextFromParameter": "TimeRange", + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces", + "visualization": "piechart", + "gridSettings": { + "rowLimit": 50, + "filter": true + } + }, + "customWidth": "30", + "name": "query - 8" + }, + { + "type": 3, + "content": { + "version": "KqlItem/1.0", + "query": "let t1 = TrendMicroCAS\n| where isnotempty(SecurityRiskName)\n| summarize EventCount=count() by ThreatName=SecurityRiskName;\nlet t2 = TrendMicroCAS\n| where isnotempty(VirusName)\n| order by DetectionTime\n| summarize EventCount=count() by ThreatName=VirusName;\nlet t3 = TrendMicroCAS\n| where isnotempty(RansomwareName)\n| order by DetectionTime\n| summarize EventCount=count() by ThreatName=RansomwareName;\nunion isfuzzy=true t1, t2, t3", + "size": 3, + "title": "Top Threats", + "timeContext": { + "durationMs": 0 + }, + "timeContextFromParameter": "TimeRange", + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces", + "visualization": "piechart" + }, + "customWidth": "30", + "name": "query - 10" + }, + { + "type": 3, + "content": { + "version": "KqlItem/1.0", + "query": "TrendMicroCAS\n| where EventType =~ 'security_risk_scan'\n| where isnotempty(SecurityRiskName)\n| order by DetectionTime\n| project DetectionTime, File=case(isnotempty(SrcFileName), SrcFileName, MailMessageFileName), Result=strcat(iif(EventOriginalResultDetails contains 'Quarantine' or EventOriginalResultDetails contains 'Block', '✅ - Resolved', '❌ - Unknown'))", + "size": 0, + "title": "Latest files scanned", + "timeContext": { + "durationMs": 0 + }, + "timeContextFromParameter": "TimeRange", + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces" + }, + "customWidth": "40", + "name": "query - 11" + }, + { + "type": 3, + "content": { + "version": "KqlItem/1.0", + "query": "let m_files = TrendMicroCAS\r\n| where isnotempty(MailMessageFileName)\r\n| summarize count() by MailMessageFileName, EventCategoryType\r\n| project-rename Count=count_, File=MailMessageFileName, Service=EventCategoryType;\r\nlet o_files = TrendMicroCAS\r\n| where isnotempty(SrcFileName)\r\n| summarize count() by SrcFileName, EventCategoryType\r\n| project-rename Count=count_, File=SrcFileName, Service=EventCategoryType;\r\nunion isfuzzy=true m_files, o_files\r\n\r\n", + "size": 1, + "title": "Files most seen", + "timeContext": { + "durationMs": 0 + }, + "timeContextFromParameter": "TimeRange", + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces", + "visualization": "table", + "gridSettings": { + "filter": true + } + }, + "customWidth": "35", + "name": "query - 1" + }, + { + "type": 3, + "content": { + "version": "KqlItem/1.0", + "query": "TrendMicroCAS\r\n| where EventCategoryType in~ ('exchange', 'gmail', 'exchangeserver')\r\n| where isnotempty(MailMessageFileName)\r\n| summarize count() by MailMessageFileName", + "size": 3, + "title": "Files from emails", + "timeContext": { + "durationMs": 0 + }, + "timeContextFromParameter": "TimeRange", + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces", + "visualization": "piechart", + "gridSettings": { + "sortBy": [ + { + "itemKey": "TotalEvents", + "sortOrder": 2 + } + ] + }, + "sortBy": [ + { + "itemKey": "TotalEvents", + "sortOrder": 2 + } + ] + }, + "customWidth": "33", + "name": "query - 2" + }, + { + "type": 3, + "content": { + "version": "KqlItem/1.0", + "query": "TrendMicroCAS\n| where EventCategoryType in~ ('sharepoint', 'onedrive', 'dropbox', 'box', 'googledrive')\n| where isnotempty(SrcFileName)\n| summarize count() by SrcFileName\n| project-rename Count=count_, File=SrcFileName", + "size": 3, + "title": "Files on fileshare services", + "timeContext": { + "durationMs": 0 + }, + "timeContextFromParameter": "TimeRange", + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces", + "visualization": "piechart" + }, + "customWidth": "30", + "name": "query - 9" + }, + { + "type": 3, + "content": { + "version": "KqlItem/1.0", + "query": "let t1 = TrendMicroCAS\r\n| where isnotempty(SecurityRiskName)\r\n| order by DetectionTime\r\n| project DetectionTime, User=DstUserName, ThreatName=SecurityRiskName;\r\nlet t2 = TrendMicroCAS\r\n| where isnotempty(VirusName)\r\n| order by DetectionTime\r\n| project DetectionTime, User=DstUserName, ThreatName=VirusName;\r\nlet t3 = TrendMicroCAS\r\n| where isnotempty(RansomwareName)\r\n| order by DetectionTime\r\n| project DetectionTime, User=DstUserName, ThreatName=RansomwareName;\r\nunion isfuzzy=true t1, t2, t3", + "size": 1, + "title": "Latest acounts with threats", + "timeContext": { + "durationMs": 0 + }, + "timeContextFromParameter": "TimeRange", + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces", + "gridSettings": { + "rowLimit": 50, + "filter": true + } + }, + "customWidth": "40", + "name": "query - 12", + "styleSettings": { + "maxWidth": "33" + } + } + ], + "fromTemplateId": "sentinel-TrendMicroCASWorkbook", + "$schema": "https://github.com/Microsoft/Application-Insights-Workbooks/blob/master/schema/workbook.json" +} \ No newline at end of file diff --git a/Solutions/VMWareESXi/Analytic Rules/ESXiDormantVMStarted.yaml b/Solutions/VMWareESXi/Analytic Rules/ESXiDormantVMStarted.yaml new file mode 100755 index 0000000000..3794df44c5 --- /dev/null +++ b/Solutions/VMWareESXi/Analytic Rules/ESXiDormantVMStarted.yaml @@ -0,0 +1,55 @@ +id: 4cdcd5d8-89df-4076-a917-bc50abb9f2ab +name: VMWare ESXi - Dormant VM started +description: | + 'Detects when dormant VM was started.' +severity: Medium +requiredDataConnectors: + - connectorId: VMwareESXi + dataTypes: + - VMwareESXi +queryFrequency: 1h +queryPeriod: 14d +triggerOperator: gt +triggerThreshold: 0 +tactics: + - InitialAccess +relevantTechniques: + - T1190 +query: | + let vm_p_off = + VMwareESXi + | where TimeGenerated > ago(14d) + | where SyslogMessage has ('VmPoweredOffEvent') + | extend DstHostname = extract(@'\[\d+\]\s+\[(.*?)\s+on', 1, SyslogMessage) + | summarize LastPowerOffTime=max(TimeGenerated) by DstHostname + | where datetime_diff('day',datetime(now),LastPowerOffTime) >= 20; + let vm_p_on = + VMwareESXi + | where TimeGenerated > ago(14d) + | where SyslogMessage has ('VmPoweredOnEvent') + | extend DstHostname = extract(@'\[\d+\]\s+\[(.*?)\s+on', 1, SyslogMessage) + | summarize LastPowerOnTime=max(TimeGenerated) by DstHostname + | where datetime_diff('day',datetime(now),LastPowerOnTime) >= 20; + let off_vms = + vm_p_on + | join (vm_p_off) on DstHostname + | where LastPowerOffTime > LastPowerOnTime + | summarize p_off_vm = makeset(DstHostname) + | extend k=1; + let p_on_vms = + VMwareESXi + | where TimeGenerated between (ago(24h) .. datetime(now)) + | where SyslogMessage has ('VmPoweredOnEvent') + | extend DstHostname = extract(@'\[\d+\]\s+\[(.*?)\s+on', 1, SyslogMessage) + | extend k=1 + | join (off_vms) on k + | where p_off_vm !has DstHostname + | summarize rec_p_on = makeset(DstHostname) + | extend HostCustomEntity = rec_p_on +entityMappings: + - entityType: Host + fieldMappings: + - identifier: FullName + columnName: HostCustomEntity +version: 1.0.0 +kind: Scheduled \ No newline at end of file diff --git a/Solutions/VMWareESXi/Analytic Rules/ESXiLowPatchDiskSpace.yaml b/Solutions/VMWareESXi/Analytic Rules/ESXiLowPatchDiskSpace.yaml new file mode 100755 index 0000000000..36a4a590e1 --- /dev/null +++ b/Solutions/VMWareESXi/Analytic Rules/ESXiLowPatchDiskSpace.yaml @@ -0,0 +1,32 @@ +id: 48d992ba-d404-4159-a8c6-46f51d1325c7 +name: VMWare ESXi - Low patch disk space +description: | + 'This rule is triggered when low patch disk store space is detected.' +severity: Medium +requiredDataConnectors: + - connectorId: VMwareESXi + dataTypes: + - VMwareESXi +queryFrequency: 1h +queryPeriod: 1h +triggerOperator: gt +triggerThreshold: 0 +tactics: + - Impact +relevantTechniques: + - T1529 +query: | + let threshold = 100; + VMwareESXi + | where SyslogMessage has ('Patch store disk') + | extend sp = toreal(extract(@'free space is:\s(\d+)', 1, SyslogMessage)) / 1000000000 + | where sp < threshold + | extend h = 'Hypervisor' + | extend HostCustomEntity = h +entityMappings: + - entityType: Host + fieldMappings: + - identifier: FullName + columnName: HostCustomEntity +version: 1.0.0 +kind: Scheduled diff --git a/Solutions/VMWareESXi/Analytic Rules/ESXiLowTempDirSpace.yaml b/Solutions/VMWareESXi/Analytic Rules/ESXiLowTempDirSpace.yaml new file mode 100755 index 0000000000..c1133c7fb9 --- /dev/null +++ b/Solutions/VMWareESXi/Analytic Rules/ESXiLowTempDirSpace.yaml @@ -0,0 +1,32 @@ +id: 2ee727f7-b7c2-4034-b6c9-d245d5a29343 +name: VMWare ESXi - Low temp directory space +description: | + 'This rule is triggered when temp directory space is detected.' +severity: Medium +requiredDataConnectors: + - connectorId: VMwareESXi + dataTypes: + - VMwareESXi +queryFrequency: 1h +queryPeriod: 1h +triggerOperator: gt +triggerThreshold: 0 +tactics: + - Impact +relevantTechniques: + - T1529 +query: | + let threshold = 10; + VMwareESXi + | where SyslogMessage has_all ('Temp directory', 'free space') + | extend sp = toreal(extract(@'free space is:\s(\d+)', 1, SyslogMessage)) / 1000000000 + | where sp < threshold + | extend h = 'Hypervisor' + | extend HostCustomEntity = h +entityMappings: + - entityType: Host + fieldMappings: + - identifier: FullName + columnName: HostCustomEntity +version: 1.0.0 +kind: Scheduled \ No newline at end of file diff --git a/Solutions/VMWareESXi/Analytic Rules/ESXiMultipleNewVM.yaml b/Solutions/VMWareESXi/Analytic Rules/ESXiMultipleNewVM.yaml new file mode 100755 index 0000000000..7997087719 --- /dev/null +++ b/Solutions/VMWareESXi/Analytic Rules/ESXiMultipleNewVM.yaml @@ -0,0 +1,42 @@ +id: bdea247f-7d17-498c-ac0e-c7e764cbdbbe +name: VMWare ESXi - Multiple new VMs started +description: | + 'Detects when multiple new VMs were started.' +severity: Medium +requiredDataConnectors: + - connectorId: VMwareESXi + dataTypes: + - VMwareESXi +queryFrequency: 1h +queryPeriod: 1h +triggerOperator: gt +triggerThreshold: 0 +tactics: + - InitialAccess +relevantTechniques: + - T1078 +query: | + let threshold = 5; + let a_vm = + VMwareESXi + | where SyslogMessage has ('VmPoweredOnEvent') + | extend DstHostname = extract(@'\[\d+\]\s+\[(.*?)\s+on', 1, SyslogMessage) + | summarize vm_l = makeset(DstHostname) + | extend k=1; + VMwareESXi + | where SyslogMessage has ('VmPoweredOnEvent') + | extend DstHostname = extract(@'\[\d+\]\s+\[(.*?)\s+on', 1, SyslogMessage) + | extend SrcUsername = extract(@'\[info\]\s+\[(.*?)\]', 1, SyslogMessage) + | extend k = 1 + | join (a_vm) on k + | where vm_l !has DstHostname + | summarize n_vm = makeset(DstHostname) by SrcUsername, bin(TimeGenerated, 10m) + | where array_length(n_vm) >= threshold + | extend HostCustomEntity = n_vm +entityMappings: + - entityType: Host + fieldMappings: + - identifier: FullName + columnName: HostCustomEntity +version: 1.0.0 +kind: Scheduled diff --git a/Solutions/VMWareESXi/Analytic Rules/ESXiMultipleVMStopped.yaml b/Solutions/VMWareESXi/Analytic Rules/ESXiMultipleVMStopped.yaml new file mode 100755 index 0000000000..5e77c74faa --- /dev/null +++ b/Solutions/VMWareESXi/Analytic Rules/ESXiMultipleVMStopped.yaml @@ -0,0 +1,37 @@ +id: 5fe1af14-cd40-48ff-b581-3a12a1f90785 +name: VMWare ESXi - Multiple VMs stopped +description: | + 'Detects when multiple VMs ware stopped by user.' +severity: Medium +requiredDataConnectors: + - connectorId: VMwareESXi + dataTypes: + - VMwareESXi +queryFrequency: 1h +queryPeriod: 1h +triggerOperator: gt +triggerThreshold: 0 +tactics: + - Impact +relevantTechniques: + - T1529 +query: | + let threshold = 5; + VMwareESXi + | where SyslogMessage has ('VmPoweredOffEvent') + | extend SrcUsername = extract(@'\[info\]\s+\[(.*?)\]', 1, SyslogMessage) + | extend DstHostname = extract(@'\[\d+\]\s+\[(.*?)\s+on', 1, SyslogMessage) + | summarize st_vm = makeset(DstHostname) by SrcUsername, bin(TimeGenerated, 5m) + | where array_length(st_vm) > threshold + | extend HostCustomEntity = st_vm, AccountCustomEntity = SrcUsername +entityMappings: + - entityType: Host + fieldMappings: + - identifier: FullName + columnName: HostCustomEntity + - entityType: Account + fieldMappings: + - identifier: Name + columnName: AccountCustomEntity +version: 1.0.0 +kind: Scheduled diff --git a/Solutions/VMWareESXi/Analytic Rules/ESXiNewVM.yaml b/Solutions/VMWareESXi/Analytic Rules/ESXiNewVM.yaml new file mode 100755 index 0000000000..7c08820d4e --- /dev/null +++ b/Solutions/VMWareESXi/Analytic Rules/ESXiNewVM.yaml @@ -0,0 +1,38 @@ +id: 0f4a80de-344f-47c0-bc19-cb120c59b6f0 +name: VMWare ESXi - New VM started +description: | + 'Detects when new VM was started.' +severity: Medium +requiredDataConnectors: + - connectorId: VMwareESXi + dataTypes: + - VMwareESXi +queryFrequency: 1h +queryPeriod: 1h +triggerOperator: gt +triggerThreshold: 0 +tactics: + - InitialAccess +relevantTechniques: + - T1078 +query: | + let a_vm = + VMwareESXi + | where SyslogMessage has ('VmPoweredOnEvent') + | extend DstHostname = extract(@'\[\d+\]\s+\[(.*?)\s+on', 1, SyslogMessage) + | summarize vm_l = makeset(DstHostname) + | extend k=1; + VMwareESXi + | where SyslogMessage has ('VmPoweredOnEvent') + | extend DstHostname = extract(@'\[\d+\]\s+\[(.*?)\s+on', 1, SyslogMessage) + | extend k = 1 + | join (a_vm) on k + | where vm_l !has DstHostname + | extend HostCustomEntity = DstHostname +entityMappings: + - entityType: Host + fieldMappings: + - identifier: FullName + columnName: HostCustomEntity +version: 1.0.0 +kind: Scheduled diff --git a/Solutions/VMWareESXi/Analytic Rules/ESXiRootImpersonation.yaml b/Solutions/VMWareESXi/Analytic Rules/ESXiRootImpersonation.yaml new file mode 100755 index 0000000000..77145fb4c8 --- /dev/null +++ b/Solutions/VMWareESXi/Analytic Rules/ESXiRootImpersonation.yaml @@ -0,0 +1,29 @@ +id: 23a3cf72-9497-408e-8144-87958a60d31a +name: VMWare ESXi - Root impersonation +description: | + 'Detects when root impersonation occurs.' +severity: Medium +requiredDataConnectors: + - connectorId: VMwareESXi + dataTypes: + - VMwareESXi +queryFrequency: 1h +queryPeriod: 1h +triggerOperator: gt +triggerThreshold: 0 +tactics: + - PrivilegeEscalation +relevantTechniques: + - T1078 +query: | + VMwareESXi + | where SyslogMessage has_all ('ImpersonateUser', 'VcIntegrity', 'root') + | extend user = 'root' + | extend AccountCustomEntity = user +entityMappings: + - entityType: Account + fieldMappings: + - identifier: Name + columnName: AccountCustomEntity +version: 1.0.0 +kind: Scheduled diff --git a/Solutions/VMWareESXi/Analytic Rules/ESXiRootLogin.yaml b/Solutions/VMWareESXi/Analytic Rules/ESXiRootLogin.yaml new file mode 100755 index 0000000000..2cdce7e54a --- /dev/null +++ b/Solutions/VMWareESXi/Analytic Rules/ESXiRootLogin.yaml @@ -0,0 +1,30 @@ +id: deb448a8-6a9d-4f8c-8a95-679a0a2cd62c +name: VMWare ESXi - Root login +description: | + 'Detects when root user login.' +severity: Medium +requiredDataConnectors: + - connectorId: VMwareESXi + dataTypes: + - VMwareESXi +queryFrequency: 1h +queryPeriod: 1h +triggerOperator: gt +triggerThreshold: 0 +tactics: + - InitialAccess + - PrivilegeEscalation +relevantTechniques: + - T1078 +query: | + VMwareESXi + | where SyslogMessage has_all ('UserLoginSessionEvent', 'root', 'logged in') + | extend SrcIpAddr = extract(@'root@(\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})', 1, SyslogMessage) + | extend IPCustomEntity = SrcIpAddr +entityMappings: + - entityType: IP + fieldMappings: + - identifier: Address + columnName: IPCustomEntity +version: 1.0.0 +kind: Scheduled diff --git a/Solutions/VMWareESXi/Analytic Rules/ESXiSharedOrStolenRootAccount.yaml b/Solutions/VMWareESXi/Analytic Rules/ESXiSharedOrStolenRootAccount.yaml new file mode 100755 index 0000000000..98c385e4c7 --- /dev/null +++ b/Solutions/VMWareESXi/Analytic Rules/ESXiSharedOrStolenRootAccount.yaml @@ -0,0 +1,31 @@ +id: 9c496d6c-42a3-4896-9b6c-00254386928f +name: VMWare ESXi - Shared or stolen root account +description: | + 'Detects when shared or stolen root account.' +severity: Medium +requiredDataConnectors: + - connectorId: VMwareESXi + dataTypes: + - VMwareESXi +queryFrequency: 1h +queryPeriod: 1h +triggerOperator: gt +triggerThreshold: 1 +tactics: + - InitialAccess + - PrivilegeEscalation +relevantTechniques: + - T1078 +query: | + VMwareESXi + | where SyslogMessage has_all ('UserLoginSessionEvent', 'root', 'logged in') + | extend SrcIpAddr = extract(@'root@(\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})', 1, SyslogMessage) + | summarize count() by SrcIpAddr, bin(TimeGenerated, 15m) + | extend IPCustomEntity = SrcIpAddr +entityMappings: + - entityType: IP + fieldMappings: + - identifier: Address + columnName: IPCustomEntity +version: 1.0.0 +kind: Scheduled diff --git a/Solutions/VMWareESXi/Analytic Rules/ESXiUnexpectedDiskImage.yaml b/Solutions/VMWareESXi/Analytic Rules/ESXiUnexpectedDiskImage.yaml new file mode 100755 index 0000000000..ccf70dc221 --- /dev/null +++ b/Solutions/VMWareESXi/Analytic Rules/ESXiUnexpectedDiskImage.yaml @@ -0,0 +1,38 @@ +id: 395c5560-ddc2-45b2-aafe-2e3f64528d3d +name: VMWare ESXi - Unexpected disk image +description: | + 'Detects unexpected disk image for VM.' +severity: Medium +requiredDataConnectors: + - connectorId: VMwareESXi + dataTypes: + - VMwareESXi +queryFrequency: 1h +queryPeriod: 14d +triggerOperator: gt +triggerThreshold: 0 +tactics: + - Impact +relevantTechniques: + - T1496 +query: | + let img_ = + VMwareESXi + | where SyslogMessage has ('Matched discovered VM') + | extend DstHostname = extract(@'vim.VirtualMachine\S+,(.*?)\]', 1, SyslogMessage) + | extend kImageName = extract(@'ds:///vmfs/volumes/(.*)/(.*?),', 2, SyslogMessage) + | summarize img_lst = makeset(kImageName) by DstHostname; + VMwareESXi + | where SyslogMessage has ('Matched discovered VM') + | extend DstHostname = extract(@'vim.VirtualMachine\S+,(.*?)\]', 1, SyslogMessage) + | extend ImageName = extract(@'ds:///vmfs/volumes/(.*)/(.*?),', 2, SyslogMessage) + | join (img_) on DstHostname + | where img_lst !has ImageName + | extend HostCustomEntity = DstHostname +entityMappings: + - entityType: Host + fieldMappings: + - identifier: FullName + columnName: HostCustomEntity +version: 1.0.0 +kind: Scheduled diff --git a/Solutions/VMWareESXi/Analytic Rules/ESXiVMStopped.yaml b/Solutions/VMWareESXi/Analytic Rules/ESXiVMStopped.yaml new file mode 100755 index 0000000000..4420edb463 --- /dev/null +++ b/Solutions/VMWareESXi/Analytic Rules/ESXiVMStopped.yaml @@ -0,0 +1,34 @@ +id: 43889f30-7bce-4d8a-93bb-29c9615ca8dd +name: VMWare ESXi - VM stopped +description: | + 'Detects when VM was stopped.' +severity: Medium +requiredDataConnectors: + - connectorId: VMwareESXi + dataTypes: + - VMwareESXi +queryFrequency: 1h +queryPeriod: 1h +triggerOperator: gt +triggerThreshold: 0 +tactics: + - Impact +relevantTechniques: + - T1529 +query: | + VMwareESXi + | where SyslogMessage has ('VmPoweredOffEvent') + | extend SrcUsername = extract(@'\[info\]\s+\[(.*?)\]', 1, SyslogMessage) + | extend DstHostname = extract(@'\[\d+\]\s+\[(.*?)\s+on', 1, SyslogMessage) + | extend HostCustomEntity = DstHostname, AccountCustomEntity = SrcUsername +entityMappings: + - entityType: Host + fieldMappings: + - identifier: FullName + columnName: HostCustomEntity + - entityType: Account + fieldMappings: + - identifier: Name + columnName: AccountCustomEntity +version: 1.0.0 +kind: Scheduled diff --git a/Solutions/VMWareESXi/Hunting Queries/ESXiDormantUsers.yaml b/Solutions/VMWareESXi/Hunting Queries/ESXiDormantUsers.yaml new file mode 100755 index 0000000000..20a1aaaf8c --- /dev/null +++ b/Solutions/VMWareESXi/Hunting Queries/ESXiDormantUsers.yaml @@ -0,0 +1,25 @@ +id: a0f32708-e6fb-427f-94d2-b09cf64acdf8 +name: ESXi - List of dormant users. +description: | + 'Query searches for dormant user dormant.' +severity: Low +requiredDataConnectors: + - connectorId: VMwareESXi + dataTypes: + - VMwareESXi +tactics: + - InitialAccess +relevantTechniques: + - T1078 +query: | + VMwareESXi + | where TimeGenerated > ago(30d) + | where SyslogMessage has_all ('UserLoginSessionEvent', 'logged in') + | extend SrcUsername = extract(@'User\s(.*?)@\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}', 1, SyslogMessage) + | summarize LastLoginTime=max(TimeGenerated) by SrcUsername + | extend AccountCustomEntity = SrcUsername +entityMappings: + - entityType: Account + fieldMappings: + - identifier: Name + columnName: AccountCustomEntity diff --git a/Solutions/VMWareESXi/Hunting Queries/ESXiDownloadErrors.yaml b/Solutions/VMWareESXi/Hunting Queries/ESXiDownloadErrors.yaml new file mode 100755 index 0000000000..814b9a6491 --- /dev/null +++ b/Solutions/VMWareESXi/Hunting Queries/ESXiDownloadErrors.yaml @@ -0,0 +1,23 @@ +id: 6702f91d-c764-497b-8d67-1cce8a33b895 +name: ESXi - Download errors +description: | + 'Query searches for download errors.' +severity: Medium +requiredDataConnectors: + - connectorId: VMwareESXi + dataTypes: + - VMwareESXi +tactics: + - InitialAccess +relevantTechniques: + - T1190 +query: | + VMwareESXi + | where TimeGenerated > ago(24h) + | where SyslogMessage has_any ('Download failed', 'Failed to download file', 'File download error') + | extend URLCustomEntity = SyslogMessage +entityMappings: + - entityType: URL + fieldMappings: + - identifier: Url + columnName: URLCustomEntity diff --git a/Solutions/VMWareESXi/Hunting Queries/ESXiNFCDownloadActivities.yaml b/Solutions/VMWareESXi/Hunting Queries/ESXiNFCDownloadActivities.yaml new file mode 100755 index 0000000000..f72f4f2c67 --- /dev/null +++ b/Solutions/VMWareESXi/Hunting Queries/ESXiNFCDownloadActivities.yaml @@ -0,0 +1,27 @@ +id: b5424011-314b-4ddc-95db-12d2b6f1ce96 +name: ESXi - NFC download activities +description: | + 'Query searches for download activities.' +severity: Low +requiredDataConnectors: + - connectorId: VMwareESXi + dataTypes: + - VMwareESXi +tactics: + - InitialAccess +relevantTechniques: + - T1190 +query: | + VMwareESXi + | where TimeGenerated > ago(24h) + | where SyslogMessage has_all ('NFC', 'operation', 'Download') + | extend SrcUsername = extract(@'\[info\]\s+\[(.*?)\]', 1, SyslogMessage) + | extend path = extract(@"for path '(.*?)'\swas", 1, SyslogMessage) + | extend SrcIpAddr = extract(@"initiated from '(\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})'", 1, SyslogMessage) + | extend Result = extract(@"status\s'(\w+)'", 1, SyslogMessage) + | extend HostCustomEntity = DstHostname +entityMappings: + - entityType: Host + fieldMappings: + - identifier: FullName + columnName: HostCustomEntity diff --git a/Solutions/VMWareESXi/Hunting Queries/ESXiRootLoginFailure.yaml b/Solutions/VMWareESXi/Hunting Queries/ESXiRootLoginFailure.yaml new file mode 100755 index 0000000000..5572e447e1 --- /dev/null +++ b/Solutions/VMWareESXi/Hunting Queries/ESXiRootLoginFailure.yaml @@ -0,0 +1,25 @@ +id: fc6c0440-1bb6-4661-89e9-4cb2c8f1e5e2 +name: ESXi - Root logins failures +description: | + 'Query searches for failed root logins.' +severity: Medium +requiredDataConnectors: + - connectorId: VMwareESXi + dataTypes: + - VMwareESXi +tactics: + - InitialAccess + - PrivilegeEscalation +relevantTechniques: + - T1078 +query: | + VMwareESXi + | where TimeGenerated > ago(24h) + | where SyslogMessage has_all ('UserLoginSessionEvent', 'root', 'fail') + | extend SrcIpAddr = extract(@'root@(\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})', 1, SyslogMessage) + | extend IPCustomEntity = SrcIpAddr +entityMappings: + - entityType: IP + fieldMappings: + - identifier: Address + columnName: IPCustomEntity diff --git a/Solutions/VMWareESXi/Hunting Queries/ESXiRootLogins.yaml b/Solutions/VMWareESXi/Hunting Queries/ESXiRootLogins.yaml new file mode 100755 index 0000000000..4b080f28b8 --- /dev/null +++ b/Solutions/VMWareESXi/Hunting Queries/ESXiRootLogins.yaml @@ -0,0 +1,25 @@ +id: e04a7f8e-1a47-4390-943d-a6cabbf4ec6e +name: ESXi - Root logins +description: | + 'Query searches for root logins.' +severity: Medium +requiredDataConnectors: + - connectorId: VMwareESXi + dataTypes: + - VMwareESXi +tactics: + - InitialAccess + - PrivilegeEscalation +relevantTechniques: + - T1078 +query: | + VMwareESXi + | where TimeGenerated > ago(24h) + | where SyslogMessage has_all ('UserLoginSessionEvent', 'root', 'logged in') + | extend SrcIpAddr = extract(@'root@(\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})', 1, SyslogMessage) + | extend IPCustomEntity = SrcIpAddr +entityMappings: + - entityType: IP + fieldMappings: + - identifier: Address + columnName: IPCustomEntity diff --git a/Solutions/VMWareESXi/Hunting Queries/ESXiUnusedVMs.yaml b/Solutions/VMWareESXi/Hunting Queries/ESXiUnusedVMs.yaml new file mode 100755 index 0000000000..f5b0b3e174 --- /dev/null +++ b/Solutions/VMWareESXi/Hunting Queries/ESXiUnusedVMs.yaml @@ -0,0 +1,56 @@ +id: d69f0373-f424-4f17-a34a-8379974fec6e +name: ESXi - List of unused VMs +description: | + 'Query searches for unused VMs.' +severity: Low +requiredDataConnectors: + - connectorId: VMwareESXi + dataTypes: + - VMwareESXi +tactics: + - InitialAccess +relevantTechniques: + - T1190 +query: | + let vm_p_off = + VMwareESXi + | where TimeGenerated > ago(30d) + | where SyslogMessage has ('VmPoweredOffEvent') + | extend DstHostname = extract(@'\[\d+\]\s+\[(.*?)\s+on', 1, SyslogMessage) + | summarize LastPowerOffTime=max(TimeGenerated) by DstHostname + | where datetime_diff('day',ago(now),LastPowerOnTime) >= 20; + let vm_p_on = + VMwareESXi + | where TimeGenerated > ago(30d) + | where SyslogMessage has ('VmPoweredOnEvent') + | extend DstHostname = extract(@'\[\d+\]\s+\[(.*?)\s+on', 1, SyslogMessage) + | summarize LastPowerOnTime=max(TimeGenerated) by DstHostname + | where datetime_diff('day',ago(now),LastPowerOnTime) >= 20; + let off_vms = + vm_p_on + | join (vm_p_off) on DstHostname + | where LastPowerOffTime > LastPowerOnTime + | summarize p_off_vm = makeset(DstHostname) + | extend k=1; + let p_on_vms = + VMwareESXi + | where TimeGenerated between (ago(24h) .. ago(now)) + | where SyslogMessage has ('VmPoweredOnEvent') + | extend DstHostname = extract(@'\[\d+\]\s+\[(.*?)\s+on', 1, SyslogMessage) + | extend k=1 + | join (off_vms) on k + | where DstHostname !in (p_off_vm); + | summarize rec_p_on = makeset(DstHostname) + VMwareESXi + | where TimeGenerated between (ago(24h) .. ago(now)) + | where SyslogMessage has ('VmPoweredOnEvent') + | extend DstHostname = extract(@'\[\d+\]\s+\[(.*?)\s+on', 1, SyslogMessage) + | extend k=1; + | join (p_on_vms) on k + | where DstHostname !in~ (rec_p_on) + | extend HostCustomEntity = DstHostname +entityMappings: + - entityType: Host + fieldMappings: + - identifier: FullName + columnName: HostCustomEntity diff --git a/Solutions/VMWareESXi/Hunting Queries/ESXiVMHighLoad.yaml b/Solutions/VMWareESXi/Hunting Queries/ESXiVMHighLoad.yaml new file mode 100755 index 0000000000..d77135265b --- /dev/null +++ b/Solutions/VMWareESXi/Hunting Queries/ESXiVMHighLoad.yaml @@ -0,0 +1,28 @@ +id: 3467bb11-7cbf-49f7-9e71-c3d0da327af5 +name: ESXi - VM high resource load +description: | + 'Query searches for VMs with high resource consumption.' +severity: Medium +requiredDataConnectors: + - connectorId: VMwareESXi + dataTypes: + - VMwareESXi +tactics: + - Impact +relevantTechniques: + - T1499 +query: | + let threshold = 50; + VMwareESXi + | where TimeGenerated > ago(24h) + | where SyslogMessage has_any ('Virtual machine CPU usage', 'Virtual machine memory usage') + | where SyslogMessage has_all ('AlarmStatusChangedEvent', 'Red') + | extend DstHostname = extract(@"usage'\son\s(.*?)\schanged", 1, SyslogMessage) + | summarize count() by DstHostname, bin(TimeGenerated, 1h) + | where count_ >= threshold + | extend HostCustomEntity = DstHostname +entityMappings: + - entityType: Host + fieldMappings: + - identifier: FullName + columnName: HostCustomEntity diff --git a/Solutions/VMWareESXi/Hunting Queries/ESXiVMPoweredOff.yaml b/Solutions/VMWareESXi/Hunting Queries/ESXiVMPoweredOff.yaml new file mode 100755 index 0000000000..3b46745883 --- /dev/null +++ b/Solutions/VMWareESXi/Hunting Queries/ESXiVMPoweredOff.yaml @@ -0,0 +1,26 @@ +id: b8d23b5d-3fb0-4265-9f4f-8878bc87471d +name: ESXi - List of powered off VMs +description: | + 'Query searches for powered off VMs.' +severity: Medium +requiredDataConnectors: + - connectorId: VMwareESXi + dataTypes: + - VMwareESXi +tactics: + - Impact +relevantTechniques: + - T1529 +query: | + VMwareESXi + | where TimeGenerated > ago(24h) + | where SyslogMessage has ('VmPoweredOffEvent') + | extend SrcUsername = extract(@'\[info\]\s+\[(.*?)\]', 1, SyslogMessage) + | extend DstHostname = extract(@'\[\d+\]\s+\[(.*?)\s+on', 1, SyslogMessage) + | project TimeGenerated, SrcUsername, DstHostname + | extend HostCustomEntity = DstHostname +entityMappings: + - entityType: Host + fieldMappings: + - identifier: FullName + columnName: HostCustomEntity diff --git a/Solutions/VMWareESXi/Hunting Queries/ESXiVMPoweredOn.yaml b/Solutions/VMWareESXi/Hunting Queries/ESXiVMPoweredOn.yaml new file mode 100755 index 0000000000..0d1bf91940 --- /dev/null +++ b/Solutions/VMWareESXi/Hunting Queries/ESXiVMPoweredOn.yaml @@ -0,0 +1,26 @@ +id: 9148aa96-1480-4150-9ed7-bacaae322260 +name: ESXi - List of powered on VMs +description: | + 'Query searches for powered on VMs.' +severity: Low +requiredDataConnectors: + - connectorId: VMwareESXi + dataTypes: + - VMwareESXi +tactics: + - InitialAccess +relevantTechniques: + - T1190 +query: | + VMwareESXi + | where TimeGenerated > ago(24h) + | where SyslogMessage has ('VmPoweredOnEvent') + | extend SrcUsername = extract(@'\[info\]\s+\[(.*?)\]', 1, SyslogMessage) + | extend DstHostname = extract(@'\[\d+\]\s+\[(.*?)\s+on', 1, SyslogMessage) + | project TimeGenerated, SrcUsername, DstHostname + | extend HostCustomEntity = DstHostname +entityMappings: + - entityType: Host + fieldMappings: + - identifier: FullName + columnName: HostCustomEntity diff --git a/Solutions/VMWareESXi/Hunting Queries/ESXiVirtualImagesList.yaml b/Solutions/VMWareESXi/Hunting Queries/ESXiVirtualImagesList.yaml new file mode 100755 index 0000000000..b4e736cf09 --- /dev/null +++ b/Solutions/VMWareESXi/Hunting Queries/ESXiVirtualImagesList.yaml @@ -0,0 +1,26 @@ +id: 9a90ccdd-2091-447f-bea2-e8a5125c8dde +name: ESXi - List of virtual disks (images) +description: | + 'Query searches for virtual disks (images) seen for VM.' +severity: Low +requiredDataConnectors: + - connectorId: VMwareESXi + dataTypes: + - VMwareESXi +tactics: + - Impact +relevantTechniques: + - T1496 +query: | + VMwareESXi + | where TimeGenerated > ago(24h) + | where SyslogMessage has ('Matched discovered VM') + | extend DstHostname = extract(@'vim.VirtualMachine\S+,(.*?)\]', 1, SyslogMessage) + | extend ImageName = extract(@'ds:///vmfs/volumes/(.*)/(.*?),', 2, SyslogMessage) + | summarize makeset(ImageName) by DstHostname + | extend HostCustomEntity = DstHostname +entityMappings: + - entityType: Host + fieldMappings: + - identifier: FullName + columnName: HostCustomEntity diff --git a/Solutions/VMWareESXi/Workbooks/Images/VMWareESXiBlack.png b/Solutions/VMWareESXi/Workbooks/Images/VMWareESXiBlack.png new file mode 100644 index 0000000000..b74fd824f9 Binary files /dev/null and b/Solutions/VMWareESXi/Workbooks/Images/VMWareESXiBlack.png differ diff --git a/Solutions/VMWareESXi/Workbooks/Images/VMWareESXiWhite.png b/Solutions/VMWareESXi/Workbooks/Images/VMWareESXiWhite.png new file mode 100644 index 0000000000..957bf14401 Binary files /dev/null and b/Solutions/VMWareESXi/Workbooks/Images/VMWareESXiWhite.png differ diff --git a/Solutions/VMWareESXi/Workbooks/VMWareESXi.json b/Solutions/VMWareESXi/Workbooks/VMWareESXi.json new file mode 100644 index 0000000000..3cf8724725 --- /dev/null +++ b/Solutions/VMWareESXi/Workbooks/VMWareESXi.json @@ -0,0 +1,343 @@ +{ + "version": "Notebook/1.0", + "items": [ + { + "type": 1, + "content": { + "json": "**NOTE**: This data connector depends on a parser based on Kusto Function **VMwareESXi** to work as expected. [Follow steps to get this Kusto Function](https://aka.ms/sentinel-vmwareesxi-parser)" + }, + "name": "text - 8" + }, + { + "type": 9, + "content": { + "version": "KqlParameterItem/1.0", + "parameters": [ + { + "id": "cd8447d9-b096-4673-92d8-2a1e8291a125", + "version": "KqlParameterItem/1.0", + "name": "TimeRange", + "type": 4, + "description": "Sets the time name for analysis", + "value": { + "durationMs": 7776000000 + }, + "typeSettings": { + "selectableValues": [ + { + "durationMs": 1800000 + }, + { + "durationMs": 3600000 + }, + { + "durationMs": 86400000 + }, + { + "durationMs": 604800000 + }, + { + "durationMs": 2592000000 + }, + { + "durationMs": 7776000000 + } + ] + }, + "timeContext": { + "durationMs": 86400000 + } + } + ], + "style": "pills", + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces" + }, + "name": "parameters - 11" + }, + { + "type": 3, + "content": { + "version": "KqlItem/1.0", + "query": "VMwareESXi\r\n| make-series TotalEvents = count() default = 0 on TimeGenerated from {TimeRange:start} to {TimeRange:end} step {TimeRange:grain};", + "size": 0, + "title": "Events Over Time", + "color": "blueDark", + "timeContext": { + "durationMs": 0 + }, + "timeContextFromParameter": "TimeRange", + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces", + "visualization": "timechart", + "graphSettings": { + "type": 0 + } + }, + "customWidth": "60", + "name": "query - 12", + "styleSettings": { + "maxWidth": "55" + } + }, + { + "type": 12, + "content": { + "version": "NotebookGroup/1.0", + "groupType": "editable", + "title": "Environment Summary", + "items": [ + { + "type": 3, + "content": { + "version": "KqlItem/1.0", + "query": "VMwareESXi\r\n| where SyslogMessage has 'VmPoweredOnEvent'\r\n| extend DstHostname = extract(@'\\[\\d+\\]\\s+\\[(.*?)\\s+on', 1, SyslogMessage)\r\n| summarize dcount(DstHostname)", + "size": 3, + "title": "Total VMs", + "timeContext": { + "durationMs": 0 + }, + "timeContextFromParameter": "TimeRange", + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces", + "visualization": "card", + "textSettings": { + "style": "bignumber" + } + }, + "customWidth": "50", + "name": "query - 3", + "styleSettings": { + "margin": "10", + "padding": "10" + } + }, + { + "type": 3, + "content": { + "version": "KqlItem/1.0", + "query": "VMwareESXi\n| where SyslogMessage has_all ('UserLoginSessionEvent', 'logged in')\n| extend SrcUsername = extract(@'User\\s(.*?)@\\d{1,3}\\.\\d{1,3}\\.\\d{1,3}\\.\\d{1,3}', 1, SyslogMessage)\n| summarize dcount(SrcUsername)", + "size": 3, + "title": "Users", + "timeContext": { + "durationMs": 0 + }, + "timeContextFromParameter": "TimeRange", + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces", + "visualization": "card", + "textSettings": { + "style": "bignumber" + } + }, + "customWidth": "50", + "name": "query - 1" + }, + { + "type": 3, + "content": { + "version": "KqlItem/1.0", + "query": "VMwareESXi\n| where SyslogMessage has_all ('UserLoginSessionEvent', 'logged in')\n| extend SrcIpAddr = extract(@'root@(\\d{1,3}\\.\\d{1,3}\\.\\d{1,3}\\.\\d{1,3})', 1, SyslogMessage)\n| summarize dcount(SrcIpAddr)", + "size": 3, + "title": "Total IP Addreses", + "timeContext": { + "durationMs": 0 + }, + "timeContextFromParameter": "TimeRange", + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces", + "visualization": "card", + "textSettings": { + "style": "bignumber" + } + }, + "customWidth": "40", + "name": "query - 2" + }, + { + "type": 3, + "content": { + "version": "KqlItem/1.0", + "query": "VMwareESXi\n| where SyslogMessage has ('Patch store disk')\n| extend sp = tolong(extract(@'free space is:\\s(\\d+)', 1, SyslogMessage)) / 1000000000\n| project ds = strcat(tostring(sp), ' GB')", + "size": 3, + "title": "Patch Disk Space Available", + "noDataMessage": "0", + "timeContext": { + "durationMs": 0 + }, + "timeContextFromParameter": "TimeRange", + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces", + "visualization": "card", + "textSettings": { + "style": "bignumber" + } + }, + "customWidth": "25", + "name": "query - 3" + }, + { + "type": 3, + "content": { + "version": "KqlItem/1.0", + "query": "VMwareESXi\n| where SyslogMessage has_all ('Temp directory', 'free space')\n| extend sp = tolong(extract(@'free space is:\\s(\\d+)', 1, SyslogMessage)) / 1000000000\n| project tmp_sp = strcat(sp, ' GB')", + "size": 3, + "title": "Temp Disk Space Available", + "timeContext": { + "durationMs": 0 + }, + "timeContextFromParameter": "TimeRange", + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces", + "visualization": "card", + "textSettings": { + "style": "bignumber" + } + }, + "customWidth": "25", + "name": "query - 4" + } + ] + }, + "customWidth": "40", + "name": "group - 11" + }, + { + "type": 3, + "content": { + "version": "KqlItem/1.0", + "query": "VMwareESXi\n| where SyslogMessage has ('VmPoweredOffEvent')\n| extend DstHostname = extract(@'\\[\\d+\\]\\s+\\[(.*?)\\s+on', 1, SyslogMessage)\n| summarize off_t = max(TimeGenerated) by DstHostname\n| project DstHostname, Status=strcat(iff(isnotempty(off_t), '❌ - Powered Off', '✅ - Running'))\n", + "size": 3, + "title": "VM status", + "timeContext": { + "durationMs": 0 + }, + "timeContextFromParameter": "TimeRange", + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces", + "visualization": "table" + }, + "customWidth": "30", + "name": "query - 11" + }, + { + "type": 3, + "content": { + "version": "KqlItem/1.0", + "query": "VMwareESXi\n| where SyslogMessage has_all ('UserLoginSessionEvent', 'logged in')\n| extend SrcIpAddr = extract(@'@(\\d{1,3}\\.\\d{1,3}\\.\\d{1,3}\\.\\d{1,3})', 1, SyslogMessage)\n| where isnotempty(SrcIpAddr)\n| summarize count() by SrcIpAddr", + "size": 3, + "title": "Source Addresses", + "timeContext": { + "durationMs": 0 + }, + "timeContextFromParameter": "TimeRange", + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces", + "visualization": "piechart" + }, + "customWidth": "25", + "name": "query - 9" + }, + { + "type": 3, + "content": { + "version": "KqlItem/1.0", + "query": "VMwareESXi\r\n| where SyslogMessage has_any ('UserLoginSessionEvent', 'UserLogoutSessionEvent')\r\n| extend SrcIpAddr = extract(@'@(\\d{1,3}\\.\\d{1,3}\\.\\d{1,3}\\.\\d{1,3})', 1, SyslogMessage)\r\n| extend SrcUsername = extract(@'User\\s(.*?)@\\d{1,3}\\.\\d{1,3}\\.\\d{1,3}\\.\\d{1,3}', 1, SyslogMessage)\r\n| project EventTime=TimeGenerated, User=SrcUsername, SourceAddress=SrcIpAddr, Status=strcat(iff(SyslogMessage has 'UserLoginSessionEvent', '✅ - Logged in', '❌ - Logged out' ))\r\n", + "size": 0, + "title": "User Sessions", + "timeContext": { + "durationMs": 0 + }, + "timeContextFromParameter": "TimeRange", + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces", + "visualization": "table", + "gridSettings": { + "filter": true + }, + "tileSettings": { + "titleContent": { + "columnMatch": "URL Category", + "formatter": 1 + }, + "leftContent": { + "columnMatch": "count_", + "formatter": 12, + "formatOptions": { + "palette": "auto" + }, + "numberFormat": { + "unit": 17, + "options": { + "style": "decimal", + "maximumFractionDigits": 2, + "maximumSignificantDigits": 3 + } + } + }, + "secondaryContent": { + "columnMatch": "Trend", + "formatter": 9, + "formatOptions": { + "palette": "purple" + } + }, + "showBorder": false + } + }, + "customWidth": "45", + "name": "query - 0", + "styleSettings": { + "maxWidth": "30" + } + }, + { + "type": 3, + "content": { + "version": "KqlItem/1.0", + "query": "VMwareESXi\n| where SyslogMessage has_all ('UserLoginSessionEvent', 'denis', 'logged in')\n//| extend SrcUsername = extract(@'User\\s(.*?)@\\d{1,3}\\.\\d{1,3}\\.\\d{1,3}\\.\\d{1,3}', 1, SyslogMessage)\n| extend SrcIpAddr = extract(@'@(\\d{1,3}\\.\\d{1,3}\\.\\d{1,3}\\.\\d{1,3})', 1, SyslogMessage)\n| order by TimeGenerated\n| project EventTime = TimeGenerated, SourceAddress = SrcIpAddr", + "size": 0, + "title": "Root Sessions", + "timeContext": { + "durationMs": 0 + }, + "timeContextFromParameter": "TimeRange", + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces", + "visualization": "table", + "tileSettings": { + "titleContent": { + "columnMatch": "User", + "formatter": 1 + }, + "leftContent": { + "columnMatch": "TotalMailsReceived", + "formatter": 12, + "formatOptions": { + "palette": "auto" + }, + "numberFormat": { + "unit": 17, + "options": { + "maximumSignificantDigits": 3, + "maximumFractionDigits": 2 + } + } + }, + "secondaryContent": { + "columnMatch": "Trend", + "formatter": 10, + "formatOptions": { + "palette": "magenta" + } + }, + "showBorder": false + } + }, + "customWidth": "30", + "name": "query - 10" + } + ], + "fromTemplateId": "sentinel-VMwareESXiWorkbook", + "$schema": "https://github.com/Microsoft/Application-Insights-Workbooks/blob/master/schema/workbook.json" +} \ No newline at end of file diff --git a/Tools/AzureDataExplorer/ADXSupportedTables.json b/Tools/AzureDataExplorer/ADXSupportedTables.json index 30ba60718c..28efc58bf3 100644 --- a/Tools/AzureDataExplorer/ADXSupportedTables.json +++ b/Tools/AzureDataExplorer/ADXSupportedTables.json @@ -65,9 +65,14 @@ "DatabricksSQLPermissions", "DatabricksSSH", "DatabricksWorkspace", + "DeviceNetworkInfo", "DnsEvents", "DnsInventory", "Dynamics365Activity", + "EmailAttachmentInfo", + "EmailEvents", + "EmailUrlInfo", + "EmailPostDeliveryEvents", "ExchangeAssessmentRecommendation", "FailedIngestion", "FunctionAppLogs", @@ -128,6 +133,7 @@ "ThreatIntelligenceIndicator", "UpdateRunProgress", "UpdateSummary", + "UserPeerAnalytics", "Usage", "Watchlist", "WindowsEvent", diff --git a/Tools/Create-Azure-Sentinel-Solution/createSolution.ps1 b/Tools/Create-Azure-Sentinel-Solution/createSolution.ps1 index b6bec495a0..49a92b5bdc 100644 --- a/Tools/Create-Azure-Sentinel-Solution/createSolution.ps1 +++ b/Tools/Create-Azure-Sentinel-Solution/createSolution.ps1 @@ -1,6 +1,21 @@ $jsonConversionDepth = 50 $path = "$PSScriptRoot\input" +function handleEmptyInstructionProperties ($inputObj) { + $outputObj = $inputObj | + Get-Member -MemberType *Property | + Select-Object -ExpandProperty Name | + Sort-Object | + ForEach-Object -Begin { $obj = New-Object PSObject } { + if (($null -eq $inputObj.$_) -or ($inputObj.$_ -eq "") -or ($inputObj.$_.Count -eq 0)) { + Write-Host "Removing empty property $_" + } + else { + $obj | Add-Member -memberType NoteProperty -Name $_ -Value $inputObj.$_ + } + } { $obj } + $outputObj +} function removePropertiesRecursively ($resourceObj) { foreach ($prop in $resourceObj.PsObject.Properties) { $key = $prop.Name @@ -143,8 +158,7 @@ foreach ($inputFile in $(Get-ChildItem $path)) { $baseMainTemplate.parameters | Add-Member -MemberType NoteProperty -Name "formattedTimeNow" -Value $timeNowParameter } try { - # Handle non-ASCII characters (Emoji's) - $data = $rawData -replace "[^ -~\t]", "" + $data = $rawData # Serialize workbook data $serializedData = $data | ConvertFrom-Json -Depth $jsonConversionDepth # Remove empty braces @@ -524,46 +538,57 @@ foreach ($inputFile in $(Get-ChildItem $path)) { contentId = "[variables('_$connectorId')]"; version = $contentToImport.Version; }; - function handleEmptyInstructionProperties ($inputObj) { - $outputObj = $inputObj | - Get-Member -MemberType *Property | - Select-Object -ExpandProperty Name | - Sort-Object | - ForEach-Object -Begin { $obj = New-Object PSObject } { - if (($null -eq $inputObj.$_) -or ($inputObj.$_ -eq "") -or ($inputObj.$_.Count -eq 0)) { - Write-Host "Removing empty property $_" - } - else { - $obj | Add-Member -memberType NoteProperty -Name $_ -Value $inputObj.$_ - } - } { $obj } - $outputObj - } foreach ($step in $connectorData.instructionSteps) { # Remove empty properties from each instructionStep $stepIndex = $connectorData.instructionSteps.IndexOf($step) $connectorData.instructionSteps[$stepIndex] = handleEmptyInstructionProperties $step } - $connectorObj = [PSCustomObject]@{ - id = "[variables('_connector$connectorCounter-source')]"; - name = "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',parameters('connector$connectorCounter-name'))]" - apiVersion = "2021-03-01-preview"; - type = "Microsoft.OperationalInsights/workspaces/providers/dataConnectors"; - location = "[parameters('workspace-location')]"; - kind = "GenericUI"; - properties = [PSCustomObject]@{ - connectorUiConfig = [PSCustomObject]@{ - title = $connectorData.title; - publisher = $connectorData.publisher; - descriptionMarkdown = $connectorData.descriptionMarkdown; - graphQueries = $connectorData.graphQueries; - sampleQueries = $connectorData.sampleQueries; - dataTypes = $connectorData.dataTypes; - connectivityCriterias = $connectorData.connectivityCriterias; - availability = $connectorData.availability; - permissions = $connectorData.permissions; - instructionSteps = $connectorData.instructionSteps + $connectorObj = [PSCustomObject]@{} + # If direct title is available, assume standard connector format + if ($connectorData.title) { + $connectorObj = [PSCustomObject]@{ + id = "[variables('_connector$connectorCounter-source')]"; + name = "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',parameters('connector$connectorCounter-name'))]" + apiVersion = "2021-03-01-preview"; + type = "Microsoft.OperationalInsights/workspaces/providers/dataConnectors"; + location = "[parameters('workspace-location')]"; + kind = "GenericUI"; + properties = [PSCustomObject]@{ + connectorUiConfig = [PSCustomObject]@{ + title = $connectorData.title; + publisher = $connectorData.publisher; + descriptionMarkdown = $connectorData.descriptionMarkdown; + graphQueries = $connectorData.graphQueries; + sampleQueries = $connectorData.sampleQueries; + dataTypes = $connectorData.dataTypes; + connectivityCriterias = $connectorData.connectivityCriterias; + availability = $connectorData.availability; + permissions = $connectorData.permissions; + instructionSteps = $connectorData.instructionSteps + } + } + } + } + elseif ($connectorData.resources -and + $connectorData.resources[0] -and + $connectorData.resources[0].properties -and + $connectorData.resources[0].properties.connectorUiConfig -and + $connectorData.resources[0].properties.pollingConfig) { + # Else check if Polling connector + $connectorData = $connectorData.resources[0] + $connectorUiConfig = $connectorData.properties.connectorUiConfig + $connectorUiConfig.PSObject.Properties.Remove('id') + $connectorObj = [PSCustomObject]@{ + id = "[variables('_connector$connectorCounter-source')]"; + name = "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',parameters('connector$connectorCounter-name'))]" + apiVersion = "2021-03-01-preview"; + type = "Microsoft.OperationalInsights/workspaces/providers/dataConnectors"; + location = "[parameters('workspace-location')]"; + kind = $connectorData.kind; + properties = [PSCustomObject]@{ + connectorUiConfig = $connectorUiConfig; + pollingConfig = $connectorData.properties.pollingConfig; } } } diff --git a/Tools/Create-Azure-Sentinel-Solution/input/Solution_HYAS.json b/Tools/Create-Azure-Sentinel-Solution/input/Solution_HYAS.json new file mode 100644 index 0000000000..2ef6eef8a2 --- /dev/null +++ b/Tools/Create-Azure-Sentinel-Solution/input/Solution_HYAS.json @@ -0,0 +1,26 @@ +{ + "Name": "HYAS", + "Author": "Manoj Arimanda - v-marimanda@microsoft.com", + "Playbooks": [ + "Playbooks/Enrich-Sentinel-Incident-HYAS-Insight-Domain-Current-WHOIS/azuredeploy.json", + "Playbooks/Enrich-Sentinel-Incident-HYAS-Insight-Domain-Historic-WHOIS/azuredeploy.json", + "Playbooks/Enrich-Sentinel-Incident-HYAS-Insight-Domain-Passive-DNS/azuredeploy.json", + "Playbooks/Enrich-Sentinel-Incident-HYAS-Insight-Email-Dynamic-DNS/azuredeploy.json", + "Playbooks/Enrich-Sentinel-Incident-HYAS-Insight-Email-Historic-WHOIS/azuredeploy.json", + "Playbooks/Enrich-Sentinel-Incident-HYAS-Insight-IP-Dynamic-DNS/azuredeploy.json", + "Playbooks/Enrich-Sentinel-Incident-HYAS-Insight-IP-Passive-DNS/azuredeploy.json", + "Playbooks/Enrich-Sentinel-Incident-HYAS-Insight-IP-Passive-Hash/azuredeploy.json", + "Playbooks/Enrich-Sentinel-Incident-HYAS-Insight-IP-SSL-Certificate/azuredeploy.json", + "Playbooks/Enrich-Sentinel-Incident-HYAS-Insight-IP-Sinkhole/azuredeploy.json", + "Playbooks/Enrich-Sentinel-Incident-HYAS-Insight-IPv4-Device-Geo/azuredeploy.json", + "Playbooks/Enrich-Sentinel-Incident-HYAS-Insight-IPv6-Device-Geo/azuredeploy.json", + "Playbooks/Enrich-Sentinel-Incident-HYAS-Insight-Phone-Number-Historic-WHOIS/azuredeploy.json", + "Playbooks/Enrich-Sentinel-Incident-HYAS-Insight-Domain-C2-Attribution/azuredeploy.json", + "Playbooks/Enrich-Sentinel-Incident-HYAS-Insight-Email-C2-Attribution/azuredeploy.json", + "Playbooks/Enrich-Sentinel-Incident-HYAS-Insight-IP-C2-Attribution/azuredeploy.json", + "Playbooks/Enrich-Sentinel-Incident-HYAS-Insight-SHA256-C2-Attribution/azuredeploy.json" + ], + "Metadata": "SolutionMetadata.json", + "BasePath": "C:\\GitHub\\Azure-Sentinel\\Solutions\\HYAS", + "Version": "1.1.1" +} \ No newline at end of file diff --git a/Tools/stats/stats.md b/Tools/stats/stats.md index 2e0961635f..fc8dd2f171 100644 --- a/Tools/stats/stats.md +++ b/Tools/stats/stats.md @@ -1,4 +1,4 @@ # Top Threat Hunters | | | |----|----| -|
RankUserScoreBadges
1 9b 1440Check Point 75 Badge
2 pemontto 1320Check Point 100 BadgeBug Basher Badge
3 ivanovchinnikov 1140Check Point 50 Badge
4 danymello 710Check Point 25 BadgeBug Basher Badge
5 AdrianRecFut 510Check Point 25 Badge
6 tj-senserva 470Check Point 25 BadgeBug Basher Badge
7 javedahmadkhan 400Check Point 10 Badge
8 dharmaAccenture 380Check Point 10 Badge
9 FlyingBlueMonkey 370Check Point 10 Badge
10 adirDev 370Check Point 10 BadgeBug Basher Badge
|
RankUserScoreBadges
11 RamboV 360Check Point 10 Badge
12 Azomasiel 330Check Point 10 BadgeBug Basher Badge
13 sindhuacc 320Check Point 10 Badge
14 gilior 310Check Point 25 BadgeBug Basher Badge
15 aymenim 230Check Point 10 Badge
16 gitj121 200Check Point 10 Badge
17 ChuckWil 200Check Point 10 Badge
18 grschloe 200Check Point 10 Badge
19 techwriter-dev 190Check Point 10 Badge
20 samikroy 180Check Point 10 Badge
| \ No newline at end of file +|
RankUserScoreBadges
1 spsocprime 1780Check Point 75 BadgeBug Basher Badge
2 javiersoriano 1580Check Point 75 Badge
3 9b 1440Check Point 75 Badge
4 pemontto 1320Check Point 100 BadgeBug Basher Badge
5 ivanovchinnikov 1140Check Point 50 Badge
6 AdrianRecFut 540Check Point 25 Badge
7 RamboV 520Check Point 25 Badge
8 javedahmadkhan 400Check Point 10 Badge
9 tj-senserva 390Check Point 10 BadgeBug Basher Badge
10 danymello 380Check Point 10 BadgeBug Basher Badge
|
RankUserScoreBadges
11 dharmaAccenture 380Check Point 10 Badge
12 gitj121 340Check Point 10 BadgeBug Basher Badge
13 Azomasiel 330Check Point 10 BadgeBug Basher Badge
14 sindhuacc 320Check Point 10 Badge
15 samikroy 270Check Point 10 Badge
16 ep3p 260Check Point 10 BadgeBug Basher Badge
17 cyberiskvision 230Check Point 10 Badge
18 aymenim 230Check Point 10 Badge
19 ThijsLecomte 220Check Point 10 Badge
20 grschloe 200Check Point 10 Badge
| \ No newline at end of file diff --git a/Workbooks/AzureSentinelCost.json b/Workbooks/AzureSentinelCost.json index 54b6ff2bd0..cabbfea4e0 100644 --- a/Workbooks/AzureSentinelCost.json +++ b/Workbooks/AzureSentinelCost.json @@ -253,7 +253,7 @@ "type": 3, "content": { "version": "KqlItem/1.0", - "query": "let Categories = datatable(Type:string,Category:string)\r\n[\r\n \"AuditLogs\", \"Azure Active Directory\",\r\n \"SigninLogs\", \"Azure Active Directory\",\r\n \"AADNonInteractiveUserSignInLogs\", \"Azure Active Directory\",\r\n \"AADServicePrincipalSignInLogs\", \"Azure Active Directory\",\r\n \"AADManagedIdentitySignInLogs\", \"Azure Active Directory\",\r\n \"AADProvisioningLogs\",\"Azure Active Directory\",\r\n \"BehaviorAnalytics\", \"User Entity Behavior Analytics\",\r\n \"UserPeerAnalytics\",\"User Entity Behavior Analytics\",\r\n \"UserAccessAnalytics\",\"User Entity Behavior Analytics\",\r\n \"IdentityInfo\",\"User Entity Behavior Analytics\",\r\n \"DeviceLogonEvents\", \"Microsoft Defender for Endpoint\",\r\n\t\"DeviceEvents\",\"Microsoft Defender for Endpoint\",\r\n\t\"DeviceNetworkInfo\", \"Microsoft Defender for Endpoint\",\r\n\t\"DeviceImageLoadEvents\", \"Microsoft Defender for Endpoint\",\r\n\t\"DeviceFileEvents\", \"Microsoft Defender for Endpoint\",\r\n\t\"DeviceInfo\", \"Microsoft Defender for Endpoint\",\r\n\t\"DeviceProcessEvents\", \"Microsoft Defender for Endpoint\",\t\r\n\t\"DeviceNetworkEvents\", \"Microsoft Defender for Endpoint\",\r\n\t\"DeviceRegistryEvents\", \"Microsoft Defender for Endpoint\",\r\n \"DeviceFileCertificateInfo\", \"Microsoft Defender for Endpoint\",\r\n \"EmailAttachmentInfo\", \"Microsoft Defender for Office 365\",  \r\n \"EmailEvents\", \"Microsoft Defender for Office 365\",  \r\n \"EmailPostDeliveryEvents\", \"Microsoft Defender for Office 365\",  \r\n \"EmailUrlInfo\", \"Microsoft Defender for Office 365\",\r\n \"IdentityLogonEvents\", \"Microsoft Defender for Identity\",\r\n \"IdentityQueryEvents\", \"Microsoft Defender for Identity\",\r\n \"IdentityDirectoryEvents\", \"Microsoft Defender for Identity\",\r\n \"CloudAppEvents\", \"Microsoft Defender for Cloud Apps\",\r\n \"AlertEvidence\", \"Microsoft Defender Alert Evidence\",\r\n \"InsightsMetrics\", \"Azure Monitor for VMs\",\r\n \"VMBoundPort\", \"Azure Monitor for VMs\",\r\n \"VMComputer\", \"Azure Monitor for VMs\",\r\n \"VMConnection\", \"Azure Monitor for VMs\",\r\n \"VMProcess\", \"Azure Monitor for VMs\",\r\n \"SecurityEvent\", \"Windows Security Events\",\r\n \"Syslog\", \"Syslog/CEF\",\r\n \"CommonSecurityLog\", \"Syslog/CEF\",\r\n \"ThreatIntelligenceIndicator\", \"Threat Intelligence\",\r\n \"DnsEvents\", \"DNS Logs\",\r\n \"DnsInventory\", \"DNS Logs\",\r\n \"AWSCloudTrail\", \"AWS Cloud Trail\",\r\n \"ConfigurationChange\", \"Change Tracking\",\r\n \"ConfigurationData\", \"Change Tracking\",\r\n \"AzureDiagnostics\", \"Azure Resources\",\r\n \"LAQueryLogs\", \"Management\",\r\n \"SentinelHealth\",\"Management\",\r\n \"Perf\",\"Performance\",\r\n \"AzureMetrics\",\"Azure Metrics\",\r\n \"SecurityNestedRecommendation\", \"Azure Security Center\",\r\n \"SecurityRecommendation\", \"Azure Security Center\",\r\n \"SecurityRegulatoryCompliance\", \"Azure Security Center\",\r\n \"SecureScoreControls\", \"Azure Security Center\",\r\n \"SecurityBaseline\", \"Azure Security Center\",\r\n \"SecureScores\", \"Azure Security Center\",\r\n \"Update\", \"Update Management\",\r\n \"UpdateSummary\", \"Update Management\"\r\n];\r\nlet customTables = Usage\r\n| where IsBillable == true\r\n| where DataType contains \"_CL\"\r\n| summarize size = sum(Quantity)/1024 by DataType\r\n| project ['Log Type'] = DataType, ['Table Size'] = size, ['Estimated cost'] = size*{Price};\r\nlet knownTables = Usage\r\n| where IsBillable == true \r\n| join kind=leftouter Categories on $left.DataType == $right.Type\r\n| summarize size =sumif(Quantity, isnotempty(Category))/1024, sizeOther= sumif(Quantity,(isempty(Category) and DataType !contains \"_CL\"))/1024 by Category\r\n| project ['Log Type'] = iif(isnotempty( Category),Category,\"Other\"), ['Table Size'] = iif(isnotempty( Category),size,sizeOther), ['Estimated cost'] = iif(isnotempty(Category),size*{Price},sizeOther*4);\r\nunion customTables, knownTables\r\n| order by ['Table Size'] desc", + "query": "let Categories = datatable(Type:string,Category:string)\r\n[\r\n \"AuditLogs\", \"Azure Active Directory\",\r\n \"SigninLogs\", \"Azure Active Directory\",\r\n \"AADNonInteractiveUserSignInLogs\", \"Azure Active Directory\",\r\n \"AADServicePrincipalSignInLogs\", \"Azure Active Directory\",\r\n \"AADManagedIdentitySignInLogs\", \"Azure Active Directory\",\r\n \"AADProvisioningLogs\",\"Azure Active Directory\",\r\n \"BehaviorAnalytics\", \"User Entity Behavior Analytics\",\r\n \"UserPeerAnalytics\",\"User Entity Behavior Analytics\",\r\n \"UserAccessAnalytics\",\"User Entity Behavior Analytics\",\r\n \"IdentityInfo\",\"User Entity Behavior Analytics\",\r\n \"DeviceLogonEvents\", \"Microsoft Defender for Endpoint\",\r\n\t\"DeviceEvents\",\"Microsoft Defender for Endpoint\",\r\n\t\"DeviceNetworkInfo\", \"Microsoft Defender for Endpoint\",\r\n\t\"DeviceImageLoadEvents\", \"Microsoft Defender for Endpoint\",\r\n\t\"DeviceFileEvents\", \"Microsoft Defender for Endpoint\",\r\n\t\"DeviceInfo\", \"Microsoft Defender for Endpoint\",\r\n\t\"DeviceProcessEvents\", \"Microsoft Defender for Endpoint\",\t\r\n\t\"DeviceNetworkEvents\", \"Microsoft Defender for Endpoint\",\r\n\t\"DeviceRegistryEvents\", \"Microsoft Defender for Endpoint\",\r\n \"DeviceFileCertificateInfo\", \"Microsoft Defender for Endpoint\",\r\n \"EmailAttachmentInfo\", \"Microsoft Defender for Office 365\",  \r\n \"EmailEvents\", \"Microsoft Defender for Office 365\",  \r\n \"EmailPostDeliveryEvents\", \"Microsoft Defender for Office 365\",  \r\n \"EmailUrlInfo\", \"Microsoft Defender for Office 365\",\r\n \"IdentityLogonEvents\", \"Microsoft Defender for Identity\",\r\n \"IdentityQueryEvents\", \"Microsoft Defender for Identity\",\r\n \"IdentityDirectoryEvents\", \"Microsoft Defender for Identity\",\r\n \"CloudAppEvents\", \"Microsoft Defender for Cloud Apps\",\r\n \"AlertEvidence\", \"Microsoft Defender Alert Evidence\",\r\n \"InsightsMetrics\", \"Azure Monitor for VMs\",\r\n \"VMBoundPort\", \"Azure Monitor for VMs\",\r\n \"VMComputer\", \"Azure Monitor for VMs\",\r\n \"VMConnection\", \"Azure Monitor for VMs\",\r\n \"VMProcess\", \"Azure Monitor for VMs\",\r\n \"SecurityEvent\", \"Windows Security Events\",\r\n \"Syslog\", \"Syslog/CEF\",\r\n \"CommonSecurityLog\", \"Syslog/CEF\",\r\n \"ThreatIntelligenceIndicator\", \"Threat Intelligence\",\r\n \"DnsEvents\", \"DNS Logs\",\r\n \"DnsInventory\", \"DNS Logs\",\r\n \"AWSCloudTrail\", \"AWS Cloud Trail\",\r\n \"ConfigurationChange\", \"Change Tracking\",\r\n \"ConfigurationData\", \"Change Tracking\",\r\n \"AzureDiagnostics\", \"Azure Resources\",\r\n \"LAQueryLogs\", \"Management\",\r\n \"SentinelHealth\",\"Management\",\r\n \"Perf\",\"Performance\",\r\n \"AzureMetrics\",\"Azure Metrics\",\r\n \"SecurityNestedRecommendation\", \"Microsoft Defender for Cloud\",\r\n \"SecurityRecommendation\", \"Microsoft Defender for Cloud\",\r\n \"SecurityRegulatoryCompliance\", \"Microsoft Defender for Cloud\",\r\n \"SecureScoreControls\", \"Microsoft Defender for Cloud\",\r\n \"SecurityBaseline\", \"Microsoft Defender for Cloud\",\r\n \"SecureScores\", \"Microsoft Defender for Cloud\",\r\n \"Update\", \"Update Management\",\r\n \"UpdateSummary\", \"Update Management\"\r\n];\r\nlet customTables = Usage\r\n| where IsBillable == true\r\n| where DataType contains \"_CL\"\r\n| summarize size = sum(Quantity)/1024 by DataType\r\n| project ['Log Type'] = DataType, ['Table Size'] = size, ['Estimated cost'] = size*{Price};\r\nlet knownTables = Usage\r\n| where IsBillable == true \r\n| join kind=leftouter Categories on $left.DataType == $right.Type\r\n| summarize size =sumif(Quantity, isnotempty(Category))/1024, sizeOther= sumif(Quantity,(isempty(Category) and DataType !contains \"_CL\"))/1024 by Category\r\n| project ['Log Type'] = iif(isnotempty( Category),Category,\"Other\"), ['Table Size'] = iif(isnotempty( Category),size,sizeOther), ['Estimated cost'] = iif(isnotempty(Category),size*{Price},sizeOther*4);\r\nunion customTables, knownTables\r\n| order by ['Table Size'] desc", "size": 0, "title": "Breakdown of billable ingestion by log category in the last {TimeRange}", "timeContext": { @@ -941,4 +941,4 @@ ], "fromTemplateId": "sentinel-CostWorkbook", "$schema": "https://github.com/Microsoft/Application-Insights-Workbooks/blob/master/schema/workbook.json" -} \ No newline at end of file +} diff --git a/Workbooks/DSTIMWorkbook.json b/Workbooks/DSTIMWorkbook.json new file mode 100644 index 0000000000..cc8d38c127 --- /dev/null +++ b/Workbooks/DSTIMWorkbook.json @@ -0,0 +1,2230 @@ +{ + "version": "Notebook/1.0", + "items": [ + { + "type": 1, + "content": { + "json": "# Data Security Sensitive data Impact Assessment\r\nUse this Workbook to accelerate the investigation and impact assessment of incidents that involve sensitive data such as PII, PCI, PHI, or Intellectual Property present in Azure Blob Storage data source.\r\nThis solution is in its Private Preview stage and will correlate Azure Blob Storage resource audit logs and data sensitivity logs from Azure Purview - to create sensitive data impact assessment report (i.e. Who accessed, What sensitive data, from Where and When).\r\n\r\n  Please take time to answer a quick survey,\r\n[ click here. ]()\r\n\r\n" + }, + "customWidth": "0", + "name": "text - 16", + "styleSettings": { + "padding": "0px 30px", + "maxWidth": "70%" + } + }, + { + "type": 1, + "content": { + "json": "![Image Name](https://azure.microsoft.com/svghandler/security-center?width=200&height=200) " + }, + "customWidth": "0", + "name": "text - 17", + "styleSettings": { + "maxWidth": "20%" + } + }, + { + "type": 11, + "content": { + "version": "LinkItem/1.0", + "style": "tabs", + "links": [ + { + "id": "5e28d027-8f7a-40c4-a1ee-0424648c6f94", + "cellValue": "TabName", + "linkTarget": "parameter", + "linkLabel": "Summary", + "subTarget": "Summary", + "style": "link" + }, + { + "id": "e09caa82-1657-4927-b776-916bcb7918dd", + "cellValue": "TabName", + "linkTarget": "parameter", + "linkLabel": "User account", + "subTarget": "UserAccount", + "style": "link" + }, + { + "id": "bc68a7f4-0783-4ec2-ae6c-052cafcbed05", + "cellValue": "TabName", + "linkTarget": "parameter", + "linkLabel": "IP address", + "subTarget": "IPAddress", + "style": "link" + } + ] + }, + "name": "Tabs", + "styleSettings": { + "margin": "0px 30px" + } + }, + { + "type": 9, + "content": { + "version": "KqlParameterItem/1.0", + "parameters": [ + { + "id": "c5d3cca3-1c66-4dc7-8ef3-5986c66b3bff", + "version": "KqlParameterItem/1.0", + "name": "LinkName", + "type": 1, + "isGlobal": true, + "query": "print('default')", + "isHiddenWhenLocked": true, + "timeContext": { + "durationMs": 86400000 + }, + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces", + "value": "Anomalies" + } + ], + "style": "pills", + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces" + }, + "name": "parameters - LinkName" + }, + { + "type": 1, + "content": { + "json": "----\r\n## Investigation scope" + }, + "name": "break - Copy", + "styleSettings": { + "margin": "0px 30px" + } + }, + { + "type": 12, + "content": { + "version": "NotebookGroup/1.0", + "groupType": "editable", + "items": [ + { + "type": 9, + "content": { + "version": "KqlParameterItem/1.0", + "parameters": [ + { + "id": "8957770d-ea80-4383-8fda-e7a3ac4a45aa", + "version": "KqlParameterItem/1.0", + "name": "TimeRange_IS", + "label": "During", + "type": 4, + "isRequired": true, + "value": { + "durationMs": 5184000000 + }, + "typeSettings": { + "selectableValues": [ + { + "durationMs": 86400000 + }, + { + "durationMs": 604800000 + }, + { + "durationMs": 2592000000 + }, + { + "durationMs": 5184000000 + }, + { + "durationMs": 7776000000 + } + ], + "allowCustom": true + }, + "timeContext": { + "durationMs": 86400000 + } + }, + { + "id": "96377586-679c-4081-b68d-119b06380ade", + "version": "KqlParameterItem/1.0", + "name": "Subcriptions_IS", + "label": "Subscription", + "type": 6, + "isRequired": true, + "multiSelect": true, + "quote": "'", + "delimiter": ",", + "query": "//drop down parameter, list of subscriptions.\r\nDSTIMAccess_CL\r\n| where AggregationLastEventTime_t {TimeRange_IS} or TimeDiscovered_t {TimeRange_IS}\r\n| project ResourceSubscriptionId = ResourceSubscriptionId_g, AggregationLastEventTime = AggregationLastEventTime_t, TimeGenerated = TimeDiscovered_t\r\n| distinct ResourceSubscriptionId\r\n", + "crossComponentResources": [ + "value::selected" + ], + "typeSettings": { + "additionalResourceOptions": [ + "value::all" + ], + "selectAllValue": "*", + "showDefault": false + }, + "defaultValue": "value::all", + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces" + }, + { + "id": "db2fcd85-cd0a-4ae5-a2fc-0c8d43eedec9", + "version": "KqlParameterItem/1.0", + "name": "ResourceGroup_IS", + "label": "Resource group", + "type": 2, + "isRequired": true, + "multiSelect": true, + "quote": "'", + "delimiter": ",", + "query": "//dropdown parameter, list of Resource groups according to Subscriptions_IS parameter\r\nDSTIMAccess_CL | project ResourceSubscriptionId_g, ResourceGroup, AggregationLastEventTime_t, TimeDiscovered_t \r\n| where AggregationLastEventTime_t {TimeRange_IS} or TimeDiscovered_t {TimeRange_IS}\r\n| where \"{Subcriptions_IS}\" == \"'*'\" or '{Subcriptions_IS:id}' has ResourceSubscriptionId_g\r\n| distinct ResourceGroup", + "crossComponentResources": [ + "value::selected" + ], + "typeSettings": { + "additionalResourceOptions": [ + "value::all" + ], + "selectAllValue": "*", + "showDefault": false + }, + "defaultValue": "value::all", + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces" + }, + { + "id": "15fe75b2-3ebc-417a-8c65-0216d32ceef6", + "version": "KqlParameterItem/1.0", + "name": "UserAccount_IS", + "label": "User account", + "type": 2, + "isRequired": true, + "multiSelect": true, + "quote": "'", + "delimiter": ",", + "query": "//union between mailAdress acounts and app id's. (might change after normelizing the user account info we get from accesslogs).\r\n//dropdown parameter, list of Resource groups according to Subscriptions_IS parameter\r\nlet filteredLogs = DSTIMAccess_CL \r\n| project ResourceSubscriptionId = ResourceSubscriptionId_g, ResourceGroup, AggregationLastEventTime = AggregationLastEventTime_t, TimeGenerated = TimeDiscovered_t, RequesterUpn = RequesterUpn_s, RequesterAppId = RequesterAppId_s, AuthenticationType = AuthenticationType_s\r\n| where AggregationLastEventTime {TimeRange_IS} or TimeGenerated {TimeRange_IS}\r\n| where \"{Subcriptions_IS}\" == \"'*'\" or '{Subcriptions_IS:id}' has ResourceSubscriptionId\r\n| where \"{ResourceGroup_IS}\" == \"'*'\" or ResourceGroup in ({ResourceGroup_IS}) ;\r\n\r\nfilteredLogs | where isnotempty(RequesterUpn)\r\n| distinct RequesterUpn, AuthenticationType\r\n| join kind = leftouter (IdentityInfo) on $left.RequesterUpn == $right.MailAddress\r\n| project AccountId = RequesterUpn, AccountDisplayName = iff(isempty(AccountDisplayName), RequesterUpn, AccountDisplayName), selected = true, group = AuthenticationType\r\n| distinct AccountId, AccountDisplayName, selected, group\r\n| union (filteredLogs\r\n| where isnotempty(RequesterAppId) | project AccountDisplayName = RequesterAppId, AccountId = RequesterAppId, selected = true, group = AuthenticationType\r\n | distinct AccountId, AccountDisplayName, selected, group )\r\n", + "crossComponentResources": [ + "value::selected" + ], + "value": [ + "value::all" + ], + "typeSettings": { + "additionalResourceOptions": [ + "value::all" + ], + "selectAllValue": "*", + "showDefault": false + }, + "defaultValue": "value::all", + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces" + }, + { + "id": "e652cebc-d5ee-49c2-95dd-d00d18cc7ee7", + "version": "KqlParameterItem/1.0", + "name": "Classification_IS", + "label": "Classification", + "type": 2, + "isRequired": true, + "multiSelect": true, + "quote": "'", + "delimiter": ",", + "query": "GetClassificationList({TimeRange_IS:start}, {TimeRange_IS:end}, '{Subcriptions_IS:id}', dynamic([{ResourceGroup_IS}]) , dynamic([{UserAccount_IS}]))", + "crossComponentResources": [ + "value::selected" + ], + "typeSettings": { + "additionalResourceOptions": [ + "value::all" + ], + "selectAllValue": "*", + "showDefault": false + }, + "defaultValue": "value::all", + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces", + "value": [ + "value::all" + ] + }, + { + "id": "91768aeb-8cad-411b-bfcb-7012011468c0", + "version": "KqlParameterItem/1.0", + "name": "SensitivityLabel_IS", + "label": "Sensitivity label", + "type": 2, + "isRequired": true, + "multiSelect": true, + "quote": "'", + "delimiter": ",", + "query": "//list of sensitivityLabels accoding to all investigation scope parameters.\r\nDSTIMCorrelatedLogs({TimeRange_IS:start}, {TimeRange_IS:end}, '{Subcriptions_IS:id}', dynamic([{ResourceGroup_IS}]) , dynamic([{UserAccount_IS}]))\r\n| where \"{Classification_IS}\" == \"'*'\" or Classification has_any({Classification_IS})\r\n| project LabelName = iff(isempty(SensitivityLabelName), \"no label\", SensitivityLabelName)\r\n| distinct LabelName", + "crossComponentResources": [ + "value::selected" + ], + "typeSettings": { + "additionalResourceOptions": [ + "value::all" + ], + "selectAllValue": "*", + "showDefault": false + }, + "defaultValue": "value::all", + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces" + }, + { + "id": "2318320d-70d3-4dad-a930-10fc51dfe62e", + "version": "KqlParameterItem/1.0", + "name": "IPAddress_IS", + "label": "IP address", + "type": 10, + "isRequired": true, + "typeSettings": { + "additionalResourceOptions": [], + "showDefault": false + }, + "jsonData": "[\r\n {\"value\": \"contains\", \"label\": \"contains\", \"selected\":true},\r\n {\"value\": \"not contains\", \"label\": \"not contains\"}\r\n]" + }, + { + "id": "2987875a-e179-431d-93c1-b8540af04fcd", + "version": "KqlParameterItem/1.0", + "name": "IPRange_IS", + "label": "IP range", + "type": 1, + "typeSettings": { + "paramValidationRules": [ + { + "regExp": "(^\\d{1,3}\\.\\d{1,3}\\.\\d{1,3}\\.\\d{1,3}(\\/[0-9][0-9]?)?$)|^(?![\\s\\S])$", + "match": true, + "message": "please enter a valid ip range" + } + ] + } + }, + { + "id": "a1470529-ff31-4723-a048-b73a0935805b", + "version": "KqlParameterItem/1.0", + "name": "AssetPath_IS", + "label": "Asset path", + "type": 10, + "isRequired": true, + "typeSettings": { + "additionalResourceOptions": [], + "showDefault": false + }, + "jsonData": "[\r\n {\"value\": \"contains\", \"label\": \"contains\", \"selected\":true},\r\n {\"value\": \"not contains\", \"label\": \"not contains\"}\r\n]" + }, + { + "id": "f136c461-4943-47c1-b67c-7bf0cd679d08", + "version": "KqlParameterItem/1.0", + "name": "Path_IS", + "label": "path", + "type": 1, + "value": "" + } + ], + "style": "above", + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces" + }, + "customWidth": "0", + "name": "InvestigationScope", + "styleSettings": { + "maxWidth": "60" + } + } + ], + "exportParameters": true + }, + "name": "Investigation scope", + "styleSettings": { + "margin": "0px 30px", + "padding": "-30px 0px" + } + }, + { + "type": 1, + "content": { + "json": "----\r\n## General Investigation Information" + }, + "name": "break ", + "styleSettings": { + "margin": "0px 30px" + } + }, + { + "type": 12, + "content": { + "version": "NotebookGroup/1.0", + "groupType": "editable", + "items": [ + { + "type": 9, + "content": { + "version": "KqlParameterItem/1.0", + "crossComponentResources": [ + "value::selected" + ], + "parameters": [ + { + "id": "789877b3-4d79-4403-bb7e-0dff8e3d8aad", + "version": "KqlParameterItem/1.0", + "name": "WatchListEntities", + "type": 1, + "query": "DSTIMCorrelatedLogs({TimeRange_IS:start}, {TimeRange_IS:end}, '{Subcriptions_IS:id}', dynamic([{ResourceGroup_IS}]) , dynamic([{UserAccount_IS}]))\r\n| project Classification, SensitivityLabelName, RequesterUpn\r\n| where \"'*'\" == \"{Classification_IS}\" or Classification has_any({Classification_IS})\r\n| where \"'*'\" == \"{SensitivityLabel_IS}\" or SensitivityLabelName in ({SensitivityLabel_IS})\r\n| where isnotempty(RequesterUpn)\r\n| join kind=inner (_GetWatchlist(\"VIPUsers\") | distinct SearchKey | union (_GetWatchlist(\"TerminatedEmployees\") | distinct SearchKey ) | union (_GetWatchlist(\"HighValueAssets\") | distinct SearchKey))\r\non $left.RequesterUpn == $right.SearchKey\r\n| distinct RequesterUpn", + "isHiddenWhenLocked": true, + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces" + }, + { + "id": "56682599-5018-4d5b-8139-57ac8703838d", + "version": "KqlParameterItem/1.0", + "name": "WatchListCount", + "type": 1, + "query": "print(iff(isempty('{WatchListEntities}'), 'no', tostring(array_length(parse_json(split('{WatchListEntities}', ','))))))", + "crossComponentResources": [ + "value::selected" + ], + "isHiddenWhenLocked": true, + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces" + }, + { + "id": "904c8770-9e80-4d0b-825b-f8f7a917218e", + "version": "KqlParameterItem/1.0", + "name": "TIIPEntities", + "type": 1, + "query": "//query purpose - get count of IP addresses that are part of threat inteligenceIndicator list.\r\nDSTIMCorrelatedLogs({TimeRange_IS:start}, {TimeRange_IS:end}, '{Subcriptions_IS:id}', dynamic([{ResourceGroup_IS}]) , dynamic([{UserAccount_IS}]))\r\n| project Classification, SensitivityLabelName, CallerIPAddress\r\n| where \"'*'\" == \"{Classification_IS}\" or Classification has_any({Classification_IS})\r\n| where \"'*'\" == \"{SensitivityLabel_IS}\" or SensitivityLabelName in ({SensitivityLabel_IS})\r\n| join kind=inner (ThreatIntelligenceIndicator | where TimeGenerated {TimeRange_IS} | project NetworkSourceIP) on $right.NetworkSourceIP == $left.CallerIPAddress\r\n| distinct CallerIPAddress", + "crossComponentResources": [ + "value::selected" + ], + "isHiddenWhenLocked": true, + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces" + }, + { + "id": "b43321b8-99d1-4a2b-891d-02374da17074", + "version": "KqlParameterItem/1.0", + "name": "TIIPCount", + "type": 1, + "isRequired": true, + "query": "print(iff(isempty('{TIIPEntities}'), 'no', \r\ntostring(array_length(parse_json(split('{TIIPEntities}', ','))))))\r\n\r\n", + "crossComponentResources": [ + "value::selected" + ], + "isHiddenWhenLocked": true, + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces" + }, + { + "id": "70277b70-a538-4d81-b60f-1d73cfdc0bb6", + "version": "KqlParameterItem/1.0", + "name": "assetCounts", + "type": 1, + "query": "//Query purpose - present the num of unique assets that were accessed by an IP addres that is part of Threat Inteligence table\r\nDSTIMCorrelatedLogs({TimeRange_IS:start}, {TimeRange_IS:end}, '{Subcriptions_IS:id}', dynamic([{ResourceGroup_IS}]) , dynamic([{UserAccount_IS}]))\r\n| project Classification, SensitivityLabelName, CallerIPAddress, Uri\r\n| where \"'*'\" == \"{Classification_IS}\" or Classification has_any({Classification_IS})\r\n| where \"'*'\" == \"{SensitivityLabel_IS}\" or SensitivityLabelName in ({SensitivityLabel_IS})\r\n| join kind=inner (ThreatIntelligenceIndicator | where TimeGenerated {TimeRange_IS} | project NetworkSourceIP) on $right.NetworkSourceIP == $left.CallerIPAddress\r\n| distinct Uri\r\n| summarize Count = count()\r\n| project Count = iff(Count == 0, \"no\", tostring(Count))", + "crossComponentResources": [ + "value::selected" + ], + "isHiddenWhenLocked": true, + "defaultValue": "value::all", + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces" + }, + { + "id": "3b3341df-a8fe-42ba-94ee-4d1f4375babb", + "version": "KqlParameterItem/1.0", + "name": "UserAnomalies", + "type": 1, + "query": "//Get number of anomalies from Anomalies table that were matching to upn entities in accessLogs\r\nDSTIMCorrelatedLogs({TimeRange_IS:start}, {TimeRange_IS:end}, '{Subcriptions_IS:id}', dynamic([{ResourceGroup_IS}]) , dynamic([{UserAccount_IS}]))\r\n| project Classification, SensitivityLabelName, RequesterUpn\r\n| where \"'*'\" == \"{Classification_IS}\" or Classification has_any({Classification_IS})\r\n| where \"'*'\" == \"{SensitivityLabel_IS}\" or SensitivityLabelName in ({SensitivityLabel_IS})\r\n| where isnotempty(RequesterUpn)\r\n| join kind=inner (Anomalies | where TimeGenerated between(datetime_add(\"day\", -5, {TimeRange_IS:start}) .. {TimeRange_IS:end}) | project AadUserId = UserPrincipalName, AnomalyTemplateId | where isnotempty(AadUserId)) on $left.RequesterUpn == $right.AadUserId\r\n| distinct RequesterUpn, AnomalyTemplateId\r\n| summarize countPerUser = count(AnomalyTemplateId) by RequesterUpn\r\n| summarize sum = sum(countPerUser)\r\n| project TotalSum = iff(sum == 0, \"no\", tostring(sum))", + "crossComponentResources": [ + "value::selected" + ], + "isHiddenWhenLocked": true, + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces" + }, + { + "id": "81217188-4340-4281-81bb-8b39b6905493", + "version": "KqlParameterItem/1.0", + "name": "IPAnomalies", + "type": 1, + "query": "//Get number of anomalies from Anomalies table that were matching to IP entities in accessLogs\r\nDSTIMCorrelatedLogs({TimeRange_IS:start}, {TimeRange_IS:end}, '{Subcriptions_IS:id}', dynamic([{ResourceGroup_IS}]) , dynamic([{UserAccount_IS}]))\r\n| project Classification, SensitivityLabelName, CallerIPAddress\r\n| where \"'*'\" == \"{Classification_IS}\" or Classification has_any({Classification_IS})\r\n| where \"'*'\" == \"{SensitivityLabel_IS}\" or SensitivityLabelName in ({SensitivityLabel_IS})\r\n| where isnotempty(CallerIPAddress)\r\n| join kind=inner (Anomalies | where TimeGenerated between(datetime_add(\"day\", -5, {TimeRange_IS:start}) .. {TimeRange_IS:end}) | project Address = SourceIpAddress, AnomalyTemplateId | where isnotempty(Address)) on $left.CallerIPAddress == $right.Address\r\n| distinct CallerIPAddress, AnomalyTemplateId\r\n| summarize countPerIP = count(AnomalyTemplateId) by CallerIPAddress\r\n| summarize sum = sum(countPerIP)\r\n| project TotalSum = iff(sum == 0, \"no\", tostring(sum))", + "crossComponentResources": [ + "value::selected" + ], + "isHiddenWhenLocked": true, + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces" + }, + { + "id": "8a446749-7b6a-4aab-9818-7d4d75d34e0b", + "version": "KqlParameterItem/1.0", + "name": "TotalAnomalies", + "type": 1, + "isHiddenWhenLocked": true, + "criteriaData": [ + { + "criteriaContext": { + "operator": "Default", + "resultValType": "expression", + "resultVal": "{UserAnomalies} + {IPAnomalies}" + } + } + ] + }, + { + "id": "b37715cd-5cde-4146-8fa8-3028e9fb7a16", + "version": "KqlParameterItem/1.0", + "name": "AnomaliesUserEntities", + "type": 1, + "query": "//Get unique count of user entities that are oart of the Anomalies table. Quering 5 days before the time range as recommended by Anomalies team\r\nDSTIMCorrelatedLogs({TimeRange_IS:start}, {TimeRange_IS:end}, '{Subcriptions_IS:id}', dynamic([{ResourceGroup_IS}]) , dynamic([{UserAccount_IS}]))\r\n| project Classification, SensitivityLabelName, RequesterUpn\r\n| where \"'*'\" == \"{Classification_IS}\" or Classification has_any({Classification_IS})\r\n| where \"'*'\" == \"{SensitivityLabel_IS}\" or SensitivityLabelName in ({SensitivityLabel_IS})\r\n| where isnotempty(RequesterUpn)\r\n| join kind=inner (Anomalies | where TimeGenerated between(datetime_add(\"day\", -5, {TimeRange_IS:start}) .. {TimeRange_IS:end}) | project AadUserId = UserPrincipalName | where isnotempty(AadUserId)) on $left.RequesterUpn == $right.AadUserId\r\n| distinct RequesterUpn", + "crossComponentResources": [ + "value::selected" + ], + "isHiddenWhenLocked": true, + "defaultValue": "value::all", + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces" + }, + { + "id": "c90199c6-e62d-4222-b0f5-1c5d645a3339", + "version": "KqlParameterItem/1.0", + "name": "AnomaliesIPEntities", + "type": 1, + "query": "//Get unique count of ip entities that are part of the Anomalies table. Quering 5 days before the time range as recommended by Anomalies team\r\nDSTIMCorrelatedLogs({TimeRange_IS:start}, {TimeRange_IS:end}, '{Subcriptions_IS:id}', dynamic([{ResourceGroup_IS}]) , dynamic([{UserAccount_IS}]))\r\n| project Classification, SensitivityLabelName, CallerIPAddress\r\n| where \"'*'\" == \"{Classification_IS}\" or Classification has_any({Classification_IS})\r\n| where \"'*'\" == \"{SensitivityLabel_IS}\" or SensitivityLabelName in ({SensitivityLabel_IS})\r\n| where isnotempty(CallerIPAddress)\r\n| join kind=inner (Anomalies | where TimeGenerated between(datetime_add(\"day\", -5, {TimeRange_IS:start}) .. {TimeRange_IS:end})| project Address = SourceIpAddress | where isnotempty(Address)) on $left.CallerIPAddress == $right.Address\r\n| distinct CallerIPAddress", + "isHiddenWhenLocked": true, + "defaultValue": "value::all", + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces" + }, + { + "version": "KqlParameterItem/1.0", + "name": "AnomaliesUserEntitiesCount", + "type": 1, + "query": "print(iff(isempty('{AnomaliesUserEntities}'), '0', tostring(array_length(parse_json(split('{AnomaliesUserEntities}', ','))))))", + "crossComponentResources": [ + "value::selected" + ], + "isHiddenWhenLocked": true, + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces", + "id": "933924e5-2e79-4e1d-8cb3-bafbc937d8e0" + }, + { + "version": "KqlParameterItem/1.0", + "name": "AnomaliesIPEntitiesCount", + "type": 1, + "query": "print(iff(isempty('{AnomaliesIPEntities}'), '0', tostring(array_length(parse_json(split('{AnomaliesIPEntities}', ','))))))", + "crossComponentResources": [ + "value::selected" + ], + "isHiddenWhenLocked": true, + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces", + "id": "27fcedd6-dd33-4353-9df3-7c63ed204b73" + }, + { + "id": "7a53c97b-2715-4f39-99dd-f6b452a4ff50", + "version": "KqlParameterItem/1.0", + "name": "TotalAnomaliesEntitiesCount", + "type": 1, + "isHiddenWhenLocked": true, + "criteriaData": [ + { + "criteriaContext": { + "operator": "Default", + "resultValType": "expression", + "resultVal": "{AnomaliesUserEntitiesCount} + {AnomaliesIPEntitiesCount}" + } + } + ] + } + ], + "style": "pills", + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces" + }, + "conditionalVisibility": { + "parameterName": "TabName", + "comparison": "isEqualTo", + "value": "default" + }, + "name": "Insightsparameters " + }, + { + "type": 12, + "content": { + "version": "NotebookGroup/1.0", + "groupType": "editable", + "items": [ + { + "type": 3, + "content": { + "version": "KqlItem/1.0", + "query": "//Query purpose = represent KPI cards with data about the access logs.\r\n//Unique count of:Subscriptions, Resource Groups, Sensitive data sources accessed, Sensitive data assets accessed, Classifications accessed, Labels accessed and User Accounts.\r\n\r\nlet totalClassificationCount = GetClassificationList({TimeRange_IS:start}, {TimeRange_IS:end}, '{Subcriptions_IS:id}', dynamic([{ResourceGroup_IS}]) , dynamic([{UserAccount_IS}]))\r\n| count;\r\n\r\nlet ExtraTiles = datatable(TableName: string, Count: string, tabName: string, expectedTab: string) \r\n[\r\n \"Watchlist(s) match\", '{WatchListCount}', '{TabName}', 'UserAccount',\r\n \"User Anomalies match\", '{AnomaliesUserEntitiesCount}', '{TabName}', 'UserAccount',\r\n \"IP Anomalies match\", '{AnomaliesIPEntitiesCount}','{TabName}', 'IPAddress',\r\n \"TI match\", '{TIIPCount}','{TabName}', 'IPAddress'\r\n]\r\n| where tabName == expectedTab | project TableName, Count;\r\n\r\nlet basicTiles = DSTIMCorrelatedLogs({TimeRange_IS:start}, {TimeRange_IS:end}, '{Subcriptions_IS:id}', dynamic([{ResourceGroup_IS}]) , dynamic([{UserAccount_IS}]))\r\n| summarize dcount(ResourceSubscriptionId), dcount(ResourceGroup), dcount(StorageAccountName),dcount(Uri), dcount(SensitivityLabelName), dcount(RequesterUpn), dcount(RequesterAppId)\r\n| project [\"Subscriptions\"] = dcount_ResourceSubscriptionId , [\"Resource Groups\"] = dcount_ResourceGroup , [\"Sensitive data sources accessed\"] = dcount_StorageAccountName, [\"Sensitive data assets accessed\"] = dcount_Uri, [\"User accounts\"] = iff(\"{UserAccount_IS}\" != \"'*'\", array_length(dynamic([{UserAccount_IS}])),(dcount_RequesterUpn + dcount_RequesterAppId)) , [\"Classifications accessed\"] = toscalar(totalClassificationCount), [\"Labels accessed\"] = dcount_SensitivityLabelName\r\n| evaluate narrow()\r\n| extend TableName = replace(@\"\\[|\\]|\\'\", @'',Column)\r\n| extend Count = Value\r\n| project TableName, Count\r\n| union ExtraTiles;\r\n\r\nbasicTiles", + "size": 3, + "color": "blue", + "exportFieldName": "TableName", + "exportParameterName": "TableName", + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces", + "visualization": "tiles", + "tileSettings": { + "titleContent": { + "columnMatch": "TableName", + "formatter": 1 + }, + "subtitleContent": { + "columnMatch": "Count", + "formatter": 12, + "formatOptions": { + "palette": "auto" + } + }, + "showBorder": true, + "sortOrderField": 1, + "size": "auto" + }, + "graphSettings": { + "type": 2, + "topContent": { + "columnMatch": "Subscriptions", + "formatter": 1, + "numberFormat": { + "unit": 0, + "options": { + "style": "decimal" + } + }, + "tooltipFormat": { + "tooltip": "Subscriptions" + } + }, + "centerContent": { + "columnMatch": "Subscriptions", + "formatter": 1 + }, + "nodeIdField": "Subscriptions", + "sourceIdField": "Subscriptions", + "targetIdField": "Subscriptions", + "graphOrientation": 3, + "showOrientationToggles": false, + "edgeLabel": "Subscriptions", + "nodeSize": null, + "staticNodeSize": 100, + "colorSettings": null, + "hivesMargin": 5 + }, + "mapSettings": { + "locInfo": "LatLong", + "sizeSettings": "Subscriptions", + "sizeAggregation": "Sum", + "legendMetric": "Subscriptions", + "legendAggregation": "Sum", + "itemColorSettings": { + "type": "heatmap", + "colorAggregation": "Sum", + "nodeColorField": "Subscriptions", + "heatmapPalette": "greenRed" + } + }, + "textSettings": { + "style": "header" + } + }, + "customWidth": "0", + "showPin": true, + "name": "KPI cards", + "styleSettings": { + "maxWidth": "100" + } + } + ], + "exportParameters": true + }, + "customWidth": "100", + "name": "Tiles" + }, + { + "type": 12, + "content": { + "version": "NotebookGroup/1.0", + "groupType": "editable", + "items": [ + { + "type": 3, + "content": { + "version": "KqlItem/1.0", + "query": "DSTIMAccess_CL \r\n| project ResourceSubscriptionId = ResourceSubscriptionId_g, ResourceGroup, AggregationLastEventTime = AggregationLastEventTime_t, TimeGenerated = TimeDiscovered_t, RequesterUpn = RequesterUpn_s, RequesterAppId = RequesterAppId_s\r\n| where TimeGenerated {TimeRange_IS} or AggregationLastEventTime {TimeRange_IS}\r\n| where '{Subcriptions_IS:id}' == '*' or '{Subcriptions_IS:id}' has ResourceSubscriptionId\r\n| where \"'*'\" == \"{ResourceGroup_IS}\" or ResourceGroup in ({ResourceGroup_IS}) \r\n| where \"'*'\" == \"{UserAccount_IS}\" or RequesterUpn in ({UserAccount_IS}) or RequesterAppId in ({UserAccount_IS})\r\n| distinct ResourceSubscriptionId", + "size": 0, + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces" + }, + "conditionalVisibility": { + "parameterName": "TableName", + "comparison": "isEqualTo", + "value": "Nothing" + }, + "name": "DSTIMSubscriptions" + }, + { + "type": 3, + "content": { + "version": "KqlItem/1.0", + "query": "resourcecontainers\r\n| project id, subscriptionId, type, tags\r\n| where '{Subcriptions_IS:id}' == '*' or '{Subcriptions_IS:id}' has subscriptionId\r\n| where type == \"microsoft.resources/subscriptions\"", + "size": 0, + "queryType": 1, + "resourceType": "microsoft.resourcegraph/resources", + "crossComponentResources": [ + "value::selected" + ], + "gridSettings": { + "formatters": [ + { + "columnMatch": "SubscriptionName", + "formatter": 15, + "formatOptions": { + "linkTarget": null, + "showIcon": true + } + } + ] + }, + "sortBy": [] + }, + "conditionalVisibility": { + "parameterName": "TableName", + "comparison": "isEqualTo", + "value": "nothing" + }, + "name": "ResourceSubscriptions" + }, + { + "type": 3, + "content": { + "version": "KqlItem/1.0", + "query": "{\"version\":\"Merge/1.0\",\"merges\":[{\"id\":\"74022f16-9973-482c-a7df-962934df00a4\",\"mergeType\":\"innerunique\",\"leftTable\":\"DSTIMSubscriptions\",\"rightTable\":\"ResourceSubscriptions\",\"leftColumn\":\"ResourceSubscriptionId\",\"rightColumn\":\"subscriptionId\"}],\"projectRename\":[{\"originalName\":\"[ResourceSubscriptions].id\",\"mergedName\":\"id\",\"fromId\":\"74022f16-9973-482c-a7df-962934df00a4\"},{\"originalName\":\"[DSTIMSubscriptions].ResourceSubscriptionId\",\"mergedName\":\"ResourceSubscriptionId\",\"fromId\":\"74022f16-9973-482c-a7df-962934df00a4\"},{\"originalName\":\"[ResourceSubscriptions].tags\",\"mergedName\":\"tags\",\"fromId\":\"74022f16-9973-482c-a7df-962934df00a4\"},{\"originalName\":\"[ResourceSubscriptions].name\"},{\"originalName\":\"[ResourceSubscriptions].type\"},{\"originalName\":\"[ResourceSubscriptions].kind\"},{\"originalName\":\"[ResourceSubscriptions].location\"},{\"originalName\":\"[ResourceSubscriptions].resourceGroup\"},{\"originalName\":\"[ResourceSubscriptions].subscriptionId\"},{\"originalName\":\"[ResourceSubscriptions].sku\"},{\"originalName\":\"[ResourceSubscriptions].plan\"},{\"originalName\":\"[ResourceSubscriptions].identity\"},{\"originalName\":\"[ResourceSubscriptions].zones\"},{\"originalName\":\"[ResourceSubscriptions].tenantId\"},{\"originalName\":\"[ResourceSubscriptions].managedBy\"},{\"originalName\":\"[ResourceSubscriptions].properties\"},{\"originalName\":\"[ResourceSubscriptions].extendedLocation\"}]}", + "size": 4, + "title": "Subscription Details", + "showRefreshButton": true, + "queryType": 7, + "gridSettings": { + "labelSettings": [ + { + "columnId": "id", + "label": "Name" + }, + { + "columnId": "ResourceSubscriptionId", + "label": "Id" + } + ] + } + }, + "customWidth": "0", + "conditionalVisibility": { + "parameterName": "TableName", + "comparison": "isEqualTo", + "value": "Subscriptions" + }, + "name": "SubscriptionsView", + "styleSettings": { + "maxWidth": "50" + } + } + ] + }, + "customWidth": "0", + "conditionalVisibility": { + "parameterName": "TableName", + "comparison": "isEqualTo", + "value": "Subscriptions" + }, + "name": "SubscriptionViewGroup", + "styleSettings": { + "maxWidth": "50" + } + }, + { + "type": 12, + "content": { + "version": "NotebookGroup/1.0", + "groupType": "editable", + "items": [ + { + "type": 3, + "content": { + "version": "KqlItem/1.0", + "query": "resourcecontainers\r\n| project id, name, type, subscriptionId, location, tags\r\n| where \"'*'\" == \"{ResourceGroup_IS}\" or name in ({ResourceGroup_IS})\r\n| where type == \"microsoft.resources/subscriptions/resourcegroups\"\r\n\r\n", + "size": 0, + "queryType": 1, + "resourceType": "microsoft.resourcegraph/resources", + "crossComponentResources": [ + "value::selected" + ], + "sortBy": [] + }, + "conditionalVisibility": { + "parameterName": "TableName", + "comparison": "isEqualTo", + "value": "nothing" + }, + "name": "Resourcegroups" + }, + { + "type": 3, + "content": { + "version": "KqlItem/1.0", + "query": "DSTIMAccess_CL \r\n| project ResourceSubscriptionId = ResourceSubscriptionId_g, ResourceGroup, AggregationLastEventTime = AggregationLastEventTime_t, TimeGenerated = TimeDiscovered_t, RequesterUpn = RequesterUpn_s, RequesterAppId = RequesterAppId_s\r\n| where TimeGenerated {TimeRange_IS} or AggregationLastEventTime {TimeRange_IS}\r\n| where '{Subcriptions_IS:id}' == '*' or '{Subcriptions_IS:id}' has ResourceSubscriptionId\r\n| where \"'*'\" == \"{ResourceGroup_IS}\" or ResourceGroup in ({ResourceGroup_IS}) \r\n| where \"'*'\" == \"{UserAccount_IS}\" or RequesterUpn in ({UserAccount_IS}) or RequesterAppId in ({UserAccount_IS})\r\n| distinct ResourceGroup", + "size": 0, + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces" + }, + "conditionalVisibility": { + "parameterName": "TableName", + "comparison": "isEqualTo", + "value": "nothing" + }, + "name": "DSTIMResourcegroups" + }, + { + "type": 3, + "content": { + "version": "KqlItem/1.0", + "query": "{\"version\":\"Merge/1.0\",\"merges\":[{\"id\":\"c7ec72da-8ab1-489f-a46b-d79d6489c082\",\"mergeType\":\"innerunique\",\"leftTable\":\"DSTIMResourcegroups\",\"rightTable\":\"Resourcegroups\",\"leftColumn\":\"ResourceGroup\",\"rightColumn\":\"name\"}],\"projectRename\":[{\"originalName\":\"[Resourcegroups].id\",\"mergedName\":\"Resource Group Name\",\"fromId\":\"c7ec72da-8ab1-489f-a46b-d79d6489c082\"},{\"originalName\":\"[Resourcegroups].subscriptionId\",\"mergedName\":\"subscriptionId\",\"fromId\":\"c7ec72da-8ab1-489f-a46b-d79d6489c082\"},{\"originalName\":\"[Resourcegroups].location\",\"mergedName\":\"location\",\"fromId\":\"c7ec72da-8ab1-489f-a46b-d79d6489c082\"},{\"originalName\":\"[Resourcegroups].tags\",\"mergedName\":\"tags\",\"fromId\":\"c7ec72da-8ab1-489f-a46b-d79d6489c082\"},{\"originalName\":\"[DSTIMResourcegroups].ResourceGroup\"},{\"originalName\":\"[Resourcegroups].name\"},{\"originalName\":\"[Resourcegroups].type\"},{\"originalName\":\"[Resourcegroups].tenantId\"},{\"originalName\":\"[Resourcegroups].kind\"},{\"originalName\":\"[Resourcegroups].resourceGroup\"},{\"originalName\":\"[Resourcegroups].managedBy\"},{\"originalName\":\"[Resourcegroups].sku\"},{\"originalName\":\"[Resourcegroups].plan\"},{\"originalName\":\"[Resourcegroups].properties\"},{\"originalName\":\"[Resourcegroups].identity\"},{\"originalName\":\"[Resourcegroups].zones\"},{\"originalName\":\"[Resourcegroups].extendedLocation\"}]}", + "size": 4, + "title": "Resource Group Details", + "showRefreshButton": true, + "queryType": 7, + "gridSettings": { + "formatters": [ + { + "columnMatch": "subscriptionId", + "formatter": 15, + "formatOptions": { + "linkTarget": null, + "showIcon": true + } + } + ], + "labelSettings": [ + { + "columnId": "subscriptionId", + "label": "Subscription Name" + }, + { + "columnId": "location", + "label": "Location" + }, + { + "columnId": "tags", + "label": "Tags" + } + ] + } + }, + "customWidth": "0", + "conditionalVisibility": { + "parameterName": "TableName", + "comparison": "isEqualTo", + "value": "Resource Groups" + }, + "name": "ResourceGroupView", + "styleSettings": { + "maxWidth": "50" + } + } + ], + "exportParameters": true + }, + "customWidth": "0", + "conditionalVisibility": { + "parameterName": "TableName", + "comparison": "isEqualTo", + "value": "Resource Groups" + }, + "name": "ResourceGroupViewGroup", + "styleSettings": { + "maxWidth": "50" + } + }, + { + "type": 12, + "content": { + "version": "NotebookGroup/1.0", + "groupType": "editable", + "items": [ + { + "type": 3, + "content": { + "version": "KqlItem/1.0", + "query": "Resources\r\n| project id, name, subscriptionId, resourceGroup, type, tags, location\r\n| where '*' == '{Subcriptions_IS:id}' or '{Subcriptions_IS:id}' has subscriptionId\r\n| where \"'*'\" == \"{ResourceGroup_IS}\" or resourceGroup in~ ({ResourceGroup_IS})\r\n| where type =~ 'Microsoft.Storage/storageAccounts'\r\n", + "size": 0, + "queryType": 1, + "resourceType": "microsoft.resourcegraph/resources", + "crossComponentResources": [ + "value::selected" + ], + "gridSettings": { + "filter": true, + "sortBy": [ + { + "itemKey": "subscriptionId", + "sortOrder": 1 + } + ] + }, + "sortBy": [ + { + "itemKey": "subscriptionId", + "sortOrder": 1 + } + ] + }, + "conditionalVisibility": { + "parameterName": "TableName", + "comparison": "isEqualTo", + "value": "nothing" + }, + "name": "StorageAccounts" + }, + { + "type": 3, + "content": { + "version": "KqlItem/1.0", + "query": "DSTIMAccess_CL \r\n| project ResourceSubscriptionId = ResourceSubscriptionId_g, ResourceGroup, AggregationLastEventTime = AggregationLastEventTime_t, TimeGenerated = TimeDiscovered_t, RequesterUpn = RequesterUpn_s, RequesterAppId = RequesterAppId_s, StorageAccountName = StorageAccountName_s\r\n| where TimeGenerated {TimeRange_IS} or AggregationLastEventTime {TimeRange_IS}\r\n| where '{Subcriptions_IS:id}' == '*' or '{Subcriptions_IS:id}' has ResourceSubscriptionId\r\n| where \"'*'\" == \"{ResourceGroup_IS}\" or ResourceGroup in ({ResourceGroup_IS}) \r\n| where \"'*'\" == \"{UserAccount_IS}\" or RequesterUpn in ({UserAccount_IS}) or RequesterAppId in ({UserAccount_IS})\r\n| distinct StorageAccountName", + "size": 0, + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces" + }, + "conditionalVisibility": { + "parameterName": "TableName", + "comparison": "isEqualTo", + "value": "nothing" + }, + "name": "DSTIMStorageAccounts" + }, + { + "type": 3, + "content": { + "version": "KqlItem/1.0", + "query": "{\"version\":\"Merge/1.0\",\"merges\":[{\"id\":\"131846c4-cbc1-4e64-a5db-b914d56ed094\",\"mergeType\":\"innerunique\",\"leftTable\":\"DSTIMStorageAccounts\",\"rightTable\":\"StorageAccounts\",\"leftColumn\":\"StorageAccountName\",\"rightColumn\":\"name\"}],\"projectRename\":[{\"originalName\":\"[StorageAccounts].id\",\"mergedName\":\"Name\",\"fromId\":\"131846c4-cbc1-4e64-a5db-b914d56ed094\"},{\"originalName\":\"[StorageAccounts].location\",\"mergedName\":\"Location\",\"fromId\":\"131846c4-cbc1-4e64-a5db-b914d56ed094\"},{\"originalName\":\"[StorageAccounts].tags\",\"mergedName\":\"Tags\",\"fromId\":\"131846c4-cbc1-4e64-a5db-b914d56ed094\"},{\"originalName\":\"[StorageAccounts].subscriptionId\",\"mergedName\":\"Subscription Name\",\"fromId\":\"131846c4-cbc1-4e64-a5db-b914d56ed094\"},{\"originalName\":\"[StorageAccounts].resourceGroup\",\"mergedName\":\"Resource Group\",\"fromId\":\"131846c4-cbc1-4e64-a5db-b914d56ed094\"},{\"originalName\":\"[StorageAccounts].extendedLocation\"},{\"originalName\":\"[StorageAccounts].zones\"},{\"originalName\":\"[StorageAccounts].identity\"},{\"originalName\":\"[StorageAccounts].properties\"},{\"originalName\":\"[StorageAccounts].plan\"},{\"originalName\":\"[StorageAccounts].sku\"},{\"originalName\":\"[StorageAccounts].managedBy\"},{\"originalName\":\"[StorageAccounts].kind\"},{\"originalName\":\"[StorageAccounts].tenantId\"},{\"originalName\":\"[StorageAccounts].type\"},{\"originalName\":\"[StorageAccounts].name\"},{\"originalName\":\"[DSTIMStorageAccounts].StorageAccountName\"}]}", + "size": 4, + "title": "Data Source Details", + "showRefreshButton": true, + "queryType": 7, + "gridSettings": { + "formatters": [ + { + "columnMatch": "Subscription Name", + "formatter": 15, + "formatOptions": { + "linkTarget": null, + "showIcon": true + } + }, + { + "columnMatch": "Resource Group", + "formatter": 14, + "formatOptions": { + "linkTarget": null, + "showIcon": true + } + }, + { + "columnMatch": "subscriptionId", + "formatter": 15, + "formatOptions": { + "linkTarget": null, + "showIcon": true + } + } + ] + } + }, + "customWidth": "0", + "conditionalVisibility": { + "parameterName": "TableName", + "comparison": "isEqualTo", + "value": "Sensitive data sources accessed" + }, + "name": "StorageAccountsView", + "styleSettings": { + "maxWidth": "50" + } + } + ], + "exportParameters": true + }, + "customWidth": "0", + "conditionalVisibility": { + "parameterName": "TableName", + "comparison": "isEqualTo", + "value": "Sensitive data sources accessed" + }, + "name": "StorageAccountViewGroup", + "styleSettings": { + "maxWidth": "50" + } + }, + { + "type": 12, + "content": { + "version": "NotebookGroup/1.0", + "groupType": "editable", + "items": [ + { + "type": 3, + "content": { + "version": "KqlItem/1.0", + "query": "DSTIMAccess_CL \r\n| project ResourceSubscriptionId = ResourceSubscriptionId_g, ResourceGroup, AggregationLastEventTime = AggregationLastEventTime_t, TimeGenerated = TimeDiscovered_t, RequesterUpn = RequesterUpn_s, RequesterAppId = RequesterAppId_s, AuthenticationType = AuthenticationType_s\r\n| where TimeGenerated {TimeRange_IS} or AggregationLastEventTime {TimeRange_IS}\r\n| where '{Subcriptions_IS:id}' == '*' or '{Subcriptions_IS:id}' has ResourceSubscriptionId\r\n| where \"'*'\" == \"{ResourceGroup_IS}\" or ResourceGroup in ({ResourceGroup_IS}) \r\n| where \"'*'\" == \"{UserAccount_IS}\" or RequesterUpn in ({UserAccount_IS})\r\n| where isnotempty(RequesterUpn)\r\n| join kind = leftouter (IdentityInfo) on $left.RequesterUpn == $right.MailAddress\r\n| project AccountDisplayName = iff(isempty(AccountDisplayName), RequesterUpn, AccountDisplayName), AccountID = RequesterUpn, AuthenticationType\r\n| distinct AccountID, AccountDisplayName, AuthenticationType\r\n| union (DSTIMAccess_CL \r\n| project ResourceSubscriptionId = ResourceSubscriptionId_g, ResourceGroup, AggregationLastEventTime = AggregationLastEventTime_t, TimeGenerated = TimeDiscovered_t, RequesterUpn = RequesterUpn_s, RequesterAppId = RequesterAppId_s, AuthenticationType = AuthenticationType_s\r\n| where TimeGenerated {TimeRange_IS} or AggregationLastEventTime {TimeRange_IS}\r\n| where '{Subcriptions_IS:id}' == '*' or '{Subcriptions_IS:id}' has ResourceSubscriptionId\r\n| where \"'*'\" == \"{ResourceGroup_IS}\" or ResourceGroup in ({ResourceGroup_IS}) \r\n| where \"'*'\" == \"{UserAccount_IS}\" or RequesterAppId in ({UserAccount_IS})\r\n| where isnotempty(RequesterAppId) | project AccountDisplayName = RequesterAppId, AccountID = RequesterAppId, AuthenticationType | distinct AccountID, AccountDisplayName, AuthenticationType)\r\n", + "size": 4, + "title": "User Account Details", + "showRefreshButton": true, + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces", + "crossComponentResources": [ + "value::selected" + ], + "gridSettings": { + "labelSettings": [ + { + "columnId": "AccountID", + "label": "Account ID" + }, + { + "columnId": "AccountDisplayName", + "label": "Display Name" + }, + { + "columnId": "AuthenticationType", + "label": "Authentication Type" + } + ] + } + }, + "customWidth": "0", + "conditionalVisibility": { + "parameterName": "TableName", + "comparison": "isEqualTo", + "value": "User accounts" + }, + "name": "StorageAccountView", + "styleSettings": { + "maxWidth": "50" + } + } + ], + "exportParameters": true + }, + "customWidth": "0", + "conditionalVisibility": { + "parameterName": "TableName", + "comparison": "isEqualTo", + "value": "User accounts" + }, + "name": "UserAccountViewGroup", + "styleSettings": { + "maxWidth": "50" + } + }, + { + "type": 3, + "content": { + "version": "KqlItem/1.0", + "query": "let TIIP = DSTIMCorrelatedLogs({TimeRange_IS:start}, {TimeRange_IS:end}, '{Subcriptions_IS:id}', dynamic([{ResourceGroup_IS}]) , dynamic([{UserAccount_IS}]))\r\n| project Classification, SensitivityLabelName, CallerIPAddress, RequesterUpn, Uri\r\n| where \"'*'\" == \"{Classification_IS}\" or Classification has_any({Classification_IS})\r\n| where \"'*'\" == \"{SensitivityLabel_IS}\" or SensitivityLabelName in ({SensitivityLabel_IS})\r\n| join kind=inner (ThreatIntelligenceIndicator | where TimeGenerated {TimeRange_IS} | project NetworkSourceIP, ThreatType, ConfidenceScore, DomainName, SourceSystem) on $right.NetworkSourceIP == $left.CallerIPAddress\r\n| join kind=leftouter (SigninLogs) on $left.CallerIPAddress == $right.IPAddress\r\n| extend Geolocation = tostring(LocationDetails.countryOrRegion), Latitude = tostring(LocationDetails.geoCoordinates.latitude), Longitude = tostring(LocationDetails.geoCoordinates.longitude)\r\n| extend Latitude = tostring(LocationDetails.geoCoordinates.latitude)\r\n| extend Longitude = tostring(LocationDetails.geoCoordinates.longitude)\r\n| distinct NetworkSourceIP, Geolocation, Latitude, Longitude, DomainName, ThreatType, ConfidenceScore, SourceSystem;\r\n\r\nTIIP", + "size": 4, + "title": "Sensitive data access done by IP address with TI match", + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces", + "crossComponentResources": [ + "value::selected" + ], + "gridSettings": { + "sortBy": [ + { + "itemKey": "SourceSystem", + "sortOrder": 1 + } + ], + "labelSettings": [ + { + "columnId": "NetworkSourceIP", + "label": "IP Address" + }, + { + "columnId": "DomainName", + "label": "Domain" + }, + { + "columnId": "ThreatType", + "label": "Threat type" + }, + { + "columnId": "ConfidenceScore", + "label": "Confidence" + }, + { + "columnId": "SourceSystem", + "label": "Source" + } + ] + }, + "sortBy": [ + { + "itemKey": "SourceSystem", + "sortOrder": 1 + } + ] + }, + "customWidth": "0", + "conditionalVisibilities": [ + { + "parameterName": "TableName", + "comparison": "isEqualTo", + "value": "TI match" + }, + { + "parameterName": "TabName", + "comparison": "isEqualTo", + "value": "IPAddress" + } + ], + "name": "TIIPExtendedInfo", + "styleSettings": { + "maxWidth": "50" + } + }, + { + "type": 3, + "content": { + "version": "KqlItem/1.0", + "query": "//Query purpose - get the list of entities that are part of one or more of this watchlists: \"VIPUsers\", \"TerminatedEmployees\", \"HighValueAssets\"\r\nlet watchList = DSTIMCorrelatedLogs({TimeRange_IS:start}, {TimeRange_IS:end}, '{Subcriptions_IS:id}', dynamic([{ResourceGroup_IS}]) , parse_json(split('{WatchListEntities}', ',')))\r\n| project Classification, SensitivityLabelName, CallerIPAddress, RequesterUpn, Uri\r\n| where \"'*'\" == \"{Classification_IS}\" or Classification has_any({Classification_IS})\r\n| where \"'*'\" == \"{SensitivityLabel_IS}\" or SensitivityLabelName in ({SensitivityLabel_IS})\r\n| where isnotempty(RequesterUpn)\r\n| join kind=inner (_GetWatchlist(\"VIPUsers\") | distinct SearchKey | extend watchList = \"VIP Users\" | union (_GetWatchlist(\"TerminatedEmployees\") | distinct SearchKey | extend watchList = \"Terminated Employees\" ) | union (_GetWatchlist(\"HighValueAssets\") | distinct SearchKey | extend watchList = \"High //Value Assets\" ))\r\non $left.RequesterUpn == $right.SearchKey\r\n| join kind=leftouter (Anomalies | where TimeGenerated {TimeRange_IS} | project AadUserId = UserPrincipalName, AnomalyTemplateId | where isnotempty(AadUserId)) on $left.RequesterUpn == $right.AadUserId\r\n| join kind=leftouter (SecurityAlert | where TimeGenerated {TimeRange_IS}| mv-expand entities = todynamic(Entities) | project AlertUser = tostring(entities.['DisplayName']), SystemAlertId, IsIncident) on $left.RequesterUpn == $right.AlertUser\r\n| distinct RequesterUpn, Uri, Classification, watchList, AnomalyTemplateId, AlertUser, SystemAlertId, IsIncident\r\n| mv-expand classification = todynamic(Classification)\r\n| where isnotempty( classification.['Name'])\r\n| extend clasType = tostring(classification.['Name']), clasCount = toint(classification.['UniqueCount'])\r\n| summarize Instances = sum(clasCount), class_list = make_set_if(clasType, isnotempty(clasType)), watchListNames = make_set_if(watchList, isnotempty(watchList)), Anomalies = countif(isnotempty(AnomalyTemplateId)), Alerts = countif(isnotempty(SystemAlertId) and IsIncident == false), Incidents = countif(isnotempty(SystemAlertId) and IsIncident == true) by RequesterUpn\r\n| project Entity = RequesterUpn, EntityType = \"User Account\", Instances, Classifications = trim(@'[\\[ \\]]', iff(isempty(class_list), 'N/A', class_list)), Watchlist = trim(@'[\\[ \\]]', iff(watchListNames == '[\"\"]', 'N/A', watchListNames)), ThreatType = 'N/A', Anomalies, Alerts, Incidents; \r\n\r\nwatchList;", + "size": 4, + "title": "Watchlist(s) user entities details", + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces" + }, + "customWidth": "0", + "conditionalVisibilities": [ + { + "parameterName": "TabName", + "comparison": "isEqualTo", + "value": "UserAccount" + }, + { + "parameterName": "TableName", + "comparison": "isEqualTo", + "value": "Watchlist(s) match" + } + ], + "name": "UserWatchList", + "styleSettings": { + "maxWidth": "50" + } + }, + { + "type": 3, + "content": { + "version": "KqlItem/1.0", + "query": "//Query purpose - get the list of entities that are part Anomalies table\r\nlet CorrelatedLogs = DSTIMCorrelatedLogs({TimeRange_IS:start}, {TimeRange_IS:end}, '{Subcriptions_IS:id}', dynamic([{ResourceGroup_IS}]) , dynamic([{UserAccount_IS}]))\r\n| project Classification, SensitivityLabelName, CallerIPAddress, RequesterUpn, Uri\r\n| where \"'*'\" == \"{Classification_IS}\" or Classification has_any({Classification_IS})\r\n| where \"'*'\" == \"{SensitivityLabel_IS}\" or SensitivityLabelName in ({SensitivityLabel_IS});\r\n\r\nlet UserAnomalies = CorrelatedLogs\r\n| join kind=inner (Anomalies | where TimeGenerated {TimeRange_IS} | project AadUserId = UserPrincipalName, AnomalyTemplateId | where isnotempty(AadUserId)) on $left.RequesterUpn == $right.AadUserId\r\n| join kind=leftouter (_GetWatchlist(\"VIPUsers\") | distinct SearchKey | extend watchList = \"VIP Users\" | union (_GetWatchlist(\"TerminatedEmployees\") | distinct SearchKey | extend watchList = \"Terminated Employees\" ) | union (_GetWatchlist(\"HighValueAssets\") | distinct SearchKey | extend watchList = \"High Value Assets\" ))\r\non $left.RequesterUpn == $right.SearchKey\r\n| join kind=leftouter (SecurityAlert | where TimeGenerated {TimeRange_IS}| mv-expand entities = todynamic(Entities) | project AlertUser = tostring(entities.['DisplayName']), SystemAlertId, IsIncident) on $left.RequesterUpn == $right.AlertUser\r\n| distinct RequesterUpn, Uri, Classification, watchList, AnomalyTemplateId, SystemAlertId, IsIncident\r\n| mv-expand classification = todynamic(Classification)\r\n| where isnotempty( classification.['Name'])\r\n| extend clasType = tostring(classification.['Name']), clasCount = toint(classification.['UniqueCount'])\r\n| summarize Instances = sum(clasCount), class_list = make_set_if(clasType, isnotempty(clasType)), watchListNames = make_set_if(watchList, isnotempty(watchList)), Anomalies = dcount(AnomalyTemplateId), Alerts = countif(isnotempty(SystemAlertId) and IsIncident == false), Incidents = countif(isnotempty(SystemAlertId) and IsIncident == true) by RequesterUpn\r\n| project Entity = RequesterUpn, EntityType = \"User Account\", Instances, Classifications = trim(@'[\\[ \\]]', iff(isempty(class_list), 'N/A', class_list)), Watchlist = trim(@'[\\[ \\]]', iff(watchListNames == '[]', 'N/A', watchListNames)), ThreatType = 'N/A', Anomalies, Alerts, Incidents; \r\n\r\nUserAnomalies", + "size": 4, + "title": "Anomalies user entities details", + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces", + "crossComponentResources": [ + "value::selected" + ] + }, + "customWidth": "0", + "conditionalVisibilities": [ + { + "parameterName": "TabName", + "comparison": "isEqualTo", + "value": "UserAccount" + }, + { + "parameterName": "TableName", + "comparison": "isEqualTo", + "value": "User Anomalies match" + } + ], + "name": "UserAnomaliesDetails", + "styleSettings": { + "maxWidth": "50" + } + }, + { + "type": 3, + "content": { + "version": "KqlItem/1.0", + "query": "//Query purpose - get the list of IP entities that are part Anomalies table\r\nlet CorrelatedLogs = DSTIMCorrelatedLogs({TimeRange_IS:start}, {TimeRange_IS:end}, '{Subcriptions_IS:id}', dynamic([{ResourceGroup_IS}]) , dynamic([{UserAccount_IS}]))\r\n| project Classification, SensitivityLabelName, CallerIPAddress, RequesterUpn, Uri\r\n| where \"'*'\" == \"{Classification_IS}\" or Classification has_any({Classification_IS})\r\n| where \"'*'\" == \"{SensitivityLabel_IS}\" or SensitivityLabelName in ({SensitivityLabel_IS});\r\n\r\nlet IPAnomalies = CorrelatedLogs\r\n| join kind=inner (Anomalies | where TimeGenerated between(datetime_add(\"day\", -5, {TimeRange_IS:start}) .. {TimeRange_IS:end})| project Address = SourceIpAddress, AnomalyTemplateId | where isnotempty(Address)) on $left.CallerIPAddress == $right.Address\r\n| join kind=leftouter (SecurityAlert | where TimeGenerated {TimeRange_IS}| project IpAddress = tostring(todynamic(ExtendedProperties).['IpAddress']), SystemAlertId, IsIncident) on $left.CallerIPAddress == $right.IpAddress\r\n| distinct CallerIPAddress, Uri, Classification, AnomalyTemplateId, SystemAlertId, IsIncident\r\n| mv-expand classification = todynamic(Classification)\r\n| where isnotempty( classification.['Name'])\r\n| extend clasType = tostring(classification.['Name']), clasCount = toint(classification.['UniqueCount'])\r\n| summarize Instances = sum(clasCount), class_list = make_set_if(clasType, isnotempty(clasType)), Anomalies = dcount(AnomalyTemplateId), Alerts = countif(isnotempty(SystemAlertId) and IsIncident == false), Incidents = countif(isnotempty(SystemAlertId) and IsIncident == true) by CallerIPAddress\r\n| project Entity = CallerIPAddress, EntityType = \"IP Address\", Instances, Classifications = trim(@'[\\[ \\]]', iff(isempty(class_list), 'N/A', class_list)), Anomalies, Alerts, Incidents; \r\n\r\nIPAnomalies", + "size": 4, + "title": "IP entities matching anomalies", + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces", + "crossComponentResources": [ + "value::selected" + ] + }, + "customWidth": "0", + "conditionalVisibilities": [ + { + "parameterName": "TableName", + "comparison": "isEqualTo", + "value": "IP Anomalies match" + }, + { + "parameterName": "TabName", + "comparison": "isEqualTo", + "value": "IPAddress" + } + ], + "name": "IpAnomaliesDetails", + "styleSettings": { + "maxWidth": "50" + } + } + ], + "exportParameters": true + }, + "customWidth": "0", + "name": "KPI Cards", + "styleSettings": { + "margin": "0px", + "padding": "0px 30px", + "maxWidth": "100%" + } + }, + { + "type": 1, + "content": { + "json": "----\r\n## Insights" + }, + "name": "break - Copy", + "styleSettings": { + "margin": "0px 30px" + } + }, + { + "type": 12, + "content": { + "version": "NotebookGroup/1.0", + "groupType": "editable", + "items": [ + { + "type": 12, + "content": { + "version": "NotebookGroup/1.0", + "groupType": "editable", + "items": [ + { + "type": 1, + "content": { + "json": "#### ![Image Name](https://azure.microsoft.com/svghandler/insights?width=20&height=20) Insights based on investigation scope" + }, + "name": "text - 1", + "styleSettings": { + "padding": "0px 10px" + } + }, + { + "type": 12, + "content": { + "version": "NotebookGroup/1.0", + "groupType": "editable", + "items": [ + { + "type": 11, + "content": { + "version": "LinkItem/1.0", + "style": "paragraph", + "links": [ + { + "id": "28f5ce79-5c16-4482-88b9-298e5377d293", + "cellValue": "LinkName", + "linkTarget": "parameter", + "linkLabel": "{TotalAnomaliesEntitiesCount}", + "subTarget": "Anomalies", + "preText": "{TotalAnomalies} anomalies were found pertaining to ", + "postText": "entities", + "style": "link" + } + ] + }, + "conditionalVisibility": { + "parameterName": "TabName", + "comparison": "isEqualTo", + "value": "Summary" + }, + "name": "TotalAnomalies", + "styleSettings": { + "margin": "5px" + } + }, + { + "type": 11, + "content": { + "version": "LinkItem/1.0", + "style": "paragraph", + "links": [ + { + "id": "18fc1e15-b469-470d-9144-284e622c9468", + "cellValue": "LinkName", + "linkTarget": "parameter", + "linkLabel": "{AnomaliesUserEntitiesCount}", + "subTarget": "Anomalies", + "preText": "{UserAnomalies} anomalies were found pertaining to ", + "postText": "entities", + "style": "link" + } + ] + }, + "conditionalVisibility": { + "parameterName": "TabName", + "comparison": "isEqualTo", + "value": "UserAccount" + }, + "name": "UserAccountAnomalies", + "styleSettings": { + "margin": "5px" + } + }, + { + "type": 11, + "content": { + "version": "LinkItem/1.0", + "style": "paragraph", + "links": [ + { + "id": "99ec4f7a-0b38-4abd-8b62-e88b28ed9b00", + "cellValue": "LinkName", + "linkTarget": "parameter", + "linkLabel": "{AnomaliesIPEntitiesCount}", + "subTarget": "Anomalies", + "preText": "{IPAnomalies} anomalies were found pertaining to ", + "postText": "entities", + "style": "link" + } + ] + }, + "conditionalVisibility": { + "parameterName": "TabName", + "comparison": "isEqualTo", + "value": "IPAddress" + }, + "name": "IPAnomalies", + "styleSettings": { + "margin": "5px" + } + }, + { + "type": 11, + "content": { + "version": "LinkItem/1.0", + "style": "paragraph", + "links": [ + { + "id": "55522733-e216-493b-b05b-0394257bb829", + "cellValue": "LinkName", + "linkTarget": "parameter", + "linkLabel": "{TIIPCount}", + "subTarget": "TIIP", + "preText": "{assetCounts} sensitive files were accessed from ", + "postText": "IP addreses with TI match.", + "style": "link" + } + ] + }, + "conditionalVisibility": { + "parameterName": "TabName", + "comparison": "isNotEqualTo", + "value": "UserAccount" + }, + "name": "TIInsights", + "styleSettings": { + "margin": "5px" + } + }, + { + "type": 11, + "content": { + "version": "LinkItem/1.0", + "style": "paragraph", + "links": [ + { + "id": "cf73b9da-13bd-4597-905e-6f089cb2aa76", + "cellValue": "LinkName", + "linkTarget": "parameter", + "linkLabel": "{WatchListCount}", + "subTarget": "WatchList", + "preText": "", + "postText": " entities are part of Built-in Watchlist(s).", + "style": "link" + } + ] + }, + "conditionalVisibility": { + "parameterName": "TabName", + "comparison": "isNotEqualTo", + "value": "IPAddress" + }, + "name": "WatchListLink", + "styleSettings": { + "margin": "5px" + } + }, + { + "type": 11, + "content": { + "version": "LinkItem/1.0", + "style": "paragraph", + "links": [ + { + "id": "0391b466-1c76-4987-beb2-02253d0d2e13", + "cellValue": "LinkName", + "linkTarget": "parameter", + "linkLabel": "Click here to reset insights filters", + "subTarget": "default", + "style": "secondary" + } + ] + }, + "name": "links - 5", + "styleSettings": { + "margin": "5px" + } + } + ], + "exportParameters": true + }, + "customWidth": "0", + "name": "InsightsLinks", + "styleSettings": { + "padding": "0px 10px", + "maxWidth": "100" + } + } + ], + "exportParameters": true + }, + "customWidth": "0", + "name": "InsightsView", + "styleSettings": { + "padding": "0px", + "maxWidth": "40%" + } + }, + { + "type": 1, + "content": { + "json": "To get insights details view, select a link in the Entities insights section shown on the left.", + "style": "info" + }, + "customWidth": "0", + "conditionalVisibilities": [ + { + "parameterName": "LinkName", + "comparison": "isNotEqualTo", + "value": "Anomalies" + }, + { + "parameterName": " WatchListVisible", + "comparison": "isNotEqualTo", + "value": "true" + }, + { + "parameterName": "LinkName", + "comparison": "isNotEqualTo", + "value": "TIIP" + }, + { + "parameterName": "LinkName", + "comparison": "isNotEqualTo", + "value": "WatchList" + } + ], + "name": "noInfoText", + "styleSettings": { + "maxWidth": "60%" + } + }, + { + "type": 12, + "content": { + "version": "NotebookGroup/1.0", + "groupType": "editable", + "items": [ + { + "type": 3, + "content": { + "version": "KqlItem/1.0", + "query": "//Query purpose - get the list of entities that are part of one or more of this watchlists: \"VIPUsers\", \"TerminatedEmployees\", \"HighValueAssets\"\r\nlet watchList = DSTIMCorrelatedLogs({TimeRange_IS:start}, {TimeRange_IS:end}, '{Subcriptions_IS:id}', dynamic([{ResourceGroup_IS}]) , parse_json(split('{WatchListEntities}', ',')))\r\n| project Classification, SensitivityLabelName, CallerIPAddress, RequesterUpn, Uri\r\n| where \"'*'\" == \"{Classification_IS}\" or Classification has_any({Classification_IS})\r\n| where \"'*'\" == \"{SensitivityLabel_IS}\" or SensitivityLabelName in ({SensitivityLabel_IS})\r\n| where isnotempty(RequesterUpn)\r\n| join kind=inner (_GetWatchlist(\"VIPUsers\") | distinct SearchKey | extend watchList = \"VIP Users\" | union (_GetWatchlist(\"TerminatedEmployees\") | distinct SearchKey | extend watchList = \"Terminated Employees\" ) | union (_GetWatchlist(\"HighValueAssets\") | distinct SearchKey | extend watchList = \"High //Value Assets\" ))\r\non $left.RequesterUpn == $right.SearchKey\r\n| join kind=leftouter (Anomalies | where TimeGenerated between(datetime_add(\"day\", -5, {TimeRange_IS:start}) .. {TimeRange_IS:end}) | project AadUserId = UserPrincipalName, AnomalyTemplateId | where isnotempty(AadUserId)) on $left.RequesterUpn == $right.AadUserId\r\n| join kind=leftouter (SecurityAlert | where TimeGenerated {TimeRange_IS}| mv-expand entities = todynamic(Entities) | project AlertUser = tostring(entities.['DisplayName']), SystemAlertId, IsIncident) on $left.RequesterUpn == $right.AlertUser\r\n| distinct RequesterUpn, Uri, Classification, watchList, AnomalyTemplateId, AlertUser, SystemAlertId, IsIncident\r\n| mv-expand classification = todynamic(Classification)\r\n| where isnotempty( classification.['Name'])\r\n| extend clasType = tostring(classification.['Name']), clasCount = toint(classification.['UniqueCount'])\r\n| summarize Instances = sum(clasCount), class_list = make_set_if(clasType, isnotempty(clasType)), watchListNames = make_set_if(watchList, isnotempty(watchList)), Anomalies = countif(isnotempty(AnomalyTemplateId)), Alerts = countif(isnotempty(SystemAlertId) and IsIncident == false), Incidents = countif(isnotempty(SystemAlertId) and IsIncident == true) by RequesterUpn\r\n| project Entity = RequesterUpn, EntityType = \"User Account\", Instances, Classifications = trim(@'[\\[ \\]]', iff(isempty(class_list), 'N/A', class_list)), Watchlist = trim(@'[\\[ \\]]', iff(watchListNames == '[\"\"]', 'N/A', watchListNames)), ThreatType = 'N/A', Anomalies, Alerts, Incidents; \r\n\r\nwatchList;", + "size": 1, + "title": "Watchlists Entities Details", + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces", + "gridSettings": { + "formatters": [ + { + "columnMatch": "Classifications", + "formatter": 7, + "formatOptions": { + "linkTarget": "CellDetails", + "linkIsContextBlade": true + } + } + ] + } + }, + "customWidth": "0", + "conditionalVisibility": { + "parameterName": "LinkName", + "comparison": "isEqualTo", + "value": "WatchList" + }, + "name": "WatchListQuery" + }, + { + "type": 3, + "content": { + "version": "KqlItem/1.0", + "query": "//Query purpose - get the list of entities that are part Anomalies table, for both user entities and IP entities.Correlate with matching watchlist, threatIntelligence, alerts and incident.\r\nlet CorrelatedLogs = DSTIMCorrelatedLogs({TimeRange_IS:start}, {TimeRange_IS:end}, '{Subcriptions_IS:id}', dynamic([{ResourceGroup_IS}]) , dynamic([{UserAccount_IS}]))\r\n| project Classification, SensitivityLabelName, CallerIPAddress, RequesterUpn, Uri\r\n| where \"'*'\" == \"{Classification_IS}\" or Classification has_any({Classification_IS})\r\n| where \"'*'\" == \"{SensitivityLabel_IS}\" or SensitivityLabelName in ({SensitivityLabel_IS});\r\n\r\nlet UserAnomalies = CorrelatedLogs\r\n| join kind=inner (Anomalies | where TimeGenerated between(datetime_add(\"day\", -5, {TimeRange_IS:start}) .. {TimeRange_IS:end}) | project AadUserId = UserPrincipalName, AnomalyTemplateId | where isnotempty(AadUserId)) on $left.RequesterUpn == $right.AadUserId\r\n| join kind=leftouter (_GetWatchlist(\"VIPUsers\") | distinct SearchKey | extend watchList = \"VIP Users\" | union (_GetWatchlist(\"TerminatedEmployees\") | distinct SearchKey | extend watchList = \"Terminated Employees\" ) | union (_GetWatchlist(\"HighValueAssets\") | distinct SearchKey | extend watchList = \"High Value Assets\" ))\r\non $left.RequesterUpn == $right.SearchKey\r\n| join kind=leftouter (SecurityAlert | where TimeGenerated {TimeRange_IS}| mv-expand entities = todynamic(Entities) | project AlertUser = tostring(entities.['DisplayName']), SystemAlertId, IsIncident) on $left.RequesterUpn == $right.AlertUser\r\n| distinct RequesterUpn, Uri, Classification, watchList, AnomalyTemplateId, SystemAlertId, IsIncident\r\n| mv-expand classification = todynamic(Classification)\r\n| where isnotempty( classification.['Name'])\r\n| extend clasType = tostring(classification.['Name']), clasCount = toint(classification.['UniqueCount'])\r\n| summarize Instances = sum(clasCount), class_list = make_set_if(clasType, isnotempty(clasType)), watchListNames = make_set_if(watchList, isnotempty(watchList)), Anomalies = dcount(AnomalyTemplateId), Alerts = countif(isnotempty(SystemAlertId) and IsIncident == false), Incidents = countif(isnotempty(SystemAlertId) and IsIncident == true) by RequesterUpn\r\n| project Entity = RequesterUpn, EntityType = \"User Account\", Instances, Classifications = trim(@'[\\[ \\]]', iff(isempty(class_list), 'N/A', class_list)), Watchlist = trim(@'[\\[ \\]]', iff(watchListNames == '[\"\"]', 'N/A', watchListNames)), ThreatType = 'N/A', Anomalies, Alerts, Incidents; \r\n\r\nlet IPAnomalies = CorrelatedLogs\r\n| join kind=inner (Anomalies | where TimeGenerated between(datetime_add(\"day\", -5, {TimeRange_IS:start}) .. {TimeRange_IS:end})| project Address = SourceIpAddress, AnomalyTemplateId | where isnotempty(Address)) on $left.CallerIPAddress == $right.Address\r\n| join kind=leftouter (ThreatIntelligenceIndicator | where TimeGenerated {TimeRange_IS} | project NetworkSourceIP, ThreatType) on $right.NetworkSourceIP == $left.CallerIPAddress\r\n| join kind=leftouter (SecurityAlert | where TimeGenerated {TimeRange_IS}| project IpAddress = tostring(todynamic(ExtendedProperties).['IpAddress']), SystemAlertId, IsIncident) on $left.CallerIPAddress == $right.IpAddress\r\n| distinct CallerIPAddress, Uri, Classification, ThreatType, AnomalyTemplateId, SystemAlertId, IsIncident\r\n| mv-expand classification = todynamic(Classification)\r\n| where isnotempty( classification.['Name'])\r\n| extend clasType = tostring(classification.['Name']), clasCount = toint(classification.['UniqueCount'])\r\n| summarize Instances = sum(clasCount), class_list = make_set_if(clasType, isnotempty(clasType)), ThreatType = make_set_if(ThreatType, isnotempty(ThreatType)), Anomalies = dcount(AnomalyTemplateId), Alerts = countif(isnotempty(SystemAlertId) and IsIncident == false), Incidents = countif(isnotempty(SystemAlertId) and IsIncident == true) by CallerIPAddress\r\n| project Entity = CallerIPAddress, EntityType = \"IP Address\", Instances, Classifications = trim(@'[\\[ \\]]', iff(isempty(class_list), 'N/A', class_list)), Watchlist = 'N/A', ThreatType = trim(@'[\\[ \\]]', iff(ThreatType =='[\"\"]', 'N/A', ThreatType)), Anomalies, Alerts, Incidents; \r\n\r\nUserAnomalies\r\n| union IPAnomalies", + "size": 1, + "title": "Anomalies Entities Details", + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces", + "crossComponentResources": [ + "value::selected" + ], + "gridSettings": { + "formatters": [ + { + "columnMatch": "Classifications", + "formatter": 7, + "formatOptions": { + "linkTarget": "CellDetails", + "linkIsContextBlade": true + } + } + ] + } + }, + "customWidth": "0", + "conditionalVisibility": { + "parameterName": "LinkName", + "comparison": "isEqualTo", + "value": "Anomalies" + }, + "name": "AnomaliesQuery" + }, + { + "type": 3, + "content": { + "version": "KqlItem/1.0", + "query": "//Query purpose - get the list of IP entities that are part of ThreatInteligence table, correlate with matching annomalies, incidents and alerts.\r\nlet TIIP = DSTIMCorrelatedLogs({TimeRange_IS:start}, {TimeRange_IS:end}, '{Subcriptions_IS:id}', dynamic([{ResourceGroup_IS}]) , dynamic([{UserAccount_IS}]))\r\n| project Classification, SensitivityLabelName, CallerIPAddress, RequesterUpn, Uri\r\n| where \"'*'\" == \"{Classification_IS}\" or Classification has_any({Classification_IS})\r\n| where \"'*'\" == \"{SensitivityLabel_IS}\" or SensitivityLabelName in ({SensitivityLabel_IS})\r\n| join kind=inner (ThreatIntelligenceIndicator | where TimeGenerated {TimeRange_IS} | project NetworkSourceIP, ThreatType) on $right.NetworkSourceIP == $left.CallerIPAddress\r\n| join kind=leftouter (Anomalies | where TimeGenerated between(datetime_add(\"day\", -5, {TimeRange_IS:start}) .. {TimeRange_IS:end}) | project Entities, RuleId | project Address = tostring(Entities[1].Address), RuleId | where isnotempty(Address)) on $left.CallerIPAddress == $right.Address\r\n| join kind=leftouter (SecurityAlert | where TimeGenerated {TimeRange_IS}| project IpAddress = tostring(todynamic(ExtendedProperties).['IpAddress']), SystemAlertId, IsIncident) on $left.CallerIPAddress == $right.IpAddress\r\n| distinct CallerIPAddress, Uri, Classification, ThreatType, RuleId, SystemAlertId, IsIncident\r\n| mv-expand classification = todynamic(Classification)\r\n| extend clasType = tostring(classification.['Name']), clasCount = toint(classification.['UniqueCount'])\r\n| summarize Instances = sum(clasCount), class_list = make_set_if(clasType, isnotempty(clasType)), ThreatType = make_set_if(ThreatType, isnotempty(ThreatType)), Anomalies = countif(isnotempty(RuleId)), Alerts = countif(isnotempty(SystemAlertId) and IsIncident == false), Incidents = countif(isnotempty(SystemAlertId) and IsIncident == true) by CallerIPAddress\r\n| project Entity = CallerIPAddress, EntityType = \"IP Address\", Instances, Classifications = trim(@'[\\[ \\]]', iff(isempty(class_list), 'N/A', class_list)), Watchlist = 'N/A', ThreatType = trim(@'[\\[ \\]]', iff(ThreatType =='[\"\"]', 'N/A', ThreatType)), Anomalies, Alerts, Incidents; \r\n\r\nTIIP;", + "size": 1, + "title": "Threat Intelligence Entities Details", + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces", + "crossComponentResources": [ + "value::selected" + ], + "gridSettings": { + "formatters": [ + { + "columnMatch": "Classifications", + "formatter": 7, + "formatOptions": { + "linkTarget": "CellDetails", + "linkIsContextBlade": true + } + }, + { + "columnMatch": "class_list", + "formatter": 1 + } + ] + } + }, + "customWidth": "0", + "conditionalVisibility": { + "parameterName": "LinkName", + "comparison": "isEqualTo", + "value": "TIIP" + }, + "name": "TIIPQuery", + "styleSettings": { + "maxWidth": "100" + } + } + ], + "exportParameters": true + }, + "customWidth": "0", + "name": "EntitiesDetailsGroup", + "styleSettings": { + "margin": "0px", + "maxWidth": "100%" + } + } + ], + "exportParameters": true + }, + "customWidth": "0", + "name": "Insights", + "styleSettings": { + "margin": "0px 30px", + "maxWidth": "100%" + } + }, + { + "type": 1, + "content": { + "json": "----\r\n## Classification details\r\n\r\n" + }, + "conditionalVisibility": { + "parameterName": "TabName", + "comparison": "isEqualTo", + "value": "Summary" + }, + "name": "break", + "styleSettings": { + "margin": "0px 30px" + } + }, + { + "type": 12, + "content": { + "version": "NotebookGroup/1.0", + "groupType": "editable", + "items": [ + { + "type": 9, + "content": { + "version": "KqlParameterItem/1.0", + "parameters": [ + { + "id": "c0307511-30f8-4dcc-b128-bcb247141db6", + "version": "KqlParameterItem/1.0", + "name": "Classifications_f", + "label": "Classifications", + "type": 2, + "multiSelect": true, + "quote": "'", + "delimiter": ",", + "query": "GetClassificationList({TimeRange_IS:start}, {TimeRange_IS:end}, '{Subcriptions_IS:id}', dynamic([{ResourceGroup_IS}]) , dynamic([{UserAccount_IS}]))", + "typeSettings": { + "limitSelectTo": 5, + "additionalResourceOptions": [ + "value::all" + ], + "selectAllValue": "*", + "showDefault": false + }, + "defaultValue": "value::all", + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces" + } + ], + "style": "pills", + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces" + }, + "name": "GraphParameter" + }, + { + "type": 3, + "content": { + "version": "KqlItem/1.0", + "query": "//Query purpose - present a timechart of access to classification types over time, with 1d bin, per asset(Uri/path)\r\n//Classification types can be filtered by \"Classification_f\" parameter.\r\n\r\nDSTIMCorrelatedLogs({TimeRange_IS:start}, {TimeRange_IS:end}, '{Subcriptions_IS:id}', dynamic([{ResourceGroup_IS}]) , dynamic([{UserAccount_IS}]))\r\n| where iff('{Classifications_f:id}' == '*', true, tostring(Classification) has_any({Classifications_f}))\r\n| mv-expand classification = todynamic(Classification)\r\n| where isnotempty(classification.['Name'])\r\n| where iff('{Classifications_f:id}' == '*', true, tostring(classification.['Name']) has_any({Classifications_f}))\r\n| summarize TotalAssets=dcount(Uri) by tostring(classification.['Name']), bin(TimeGenerated, 1d)\r\n", + "size": 1, + "showAnnotations": true, + "title": "Access over time", + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces", + "visualization": "linechart", + "graphSettings": { + "type": 0, + "topContent": { + "columnMatch": "Classification", + "formatter": 1 + }, + "centerContent": { + "columnMatch": "count_", + "formatter": 1, + "numberFormat": { + "unit": 17, + "options": { + "maximumSignificantDigits": 3, + "maximumFractionDigits": 2 + } + } + } + }, + "chartSettings": { + "showLegend": true + } + }, + "customWidth": "0", + "conditionalVisibility": { + "parameterName": "TabName", + "comparison": "isEqualTo", + "value": "Summary" + }, + "name": "AccessOverTime", + "styleSettings": { + "maxWidth": "50" + } + }, + { + "type": 3, + "content": { + "version": "KqlItem/1.0", + "query": "//query purpose - Get the access details per classification type.\r\n//TotalAccess - total accesses to this classification type, including the aggregation count.\r\n//DataSource - total unique storage accounts that were accessed per classification type.\r\n//TotalAssets - total unique assets(Uri/path) that were accessed per classification type.\r\n//TotalInstances - total classification instnces per type that were accesed. this is calculated by unique count * aggregation count per access.\r\n\r\nDSTIMCorrelatedLogs({TimeRange_IS:start}, {TimeRange_IS:end}, '{Subcriptions_IS:id}', dynamic([{ResourceGroup_IS}]) , dynamic([{UserAccount_IS}]))\r\n| extend classification = parse_json(Classification)\r\n| mv-expand classification = todynamic(Classification)\r\n| where isnotempty( classification.['Name'])\r\n| summarize\r\n TotalAccess=sum(toint(AggregationCount)),\r\n DataSource=dcount(StorageAccountName),\r\n TotalAssets=dcount(Uri),\r\n TotalInstances = sum(toint(classification.['UniqueCount'])*toint(AggregationCount))\r\n by tostring(classification.['Name'])\r\n| project Classification=classification_Name, DataSource, TotalAssets=min_of(TotalAccess, TotalAssets), TotalAccess, TotalInstances\r\n| order by TotalAccess desc", + "size": 1, + "title": "Access by classification type", + "exportMultipleValues": true, + "exportedParameters": [ + { + "fieldName": "Classification", + "parameterName": "ClassificationFilter", + "parameterType": 1 + } + ], + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces", + "gridSettings": { + "filter": true, + "sortBy": [ + { + "itemKey": "Classification", + "sortOrder": 1 + } + ], + "labelSettings": [ + { + "columnId": "DataSource", + "label": "Data Source" + }, + { + "columnId": "TotalAssets", + "label": "Assets" + }, + { + "columnId": "TotalAccess", + "label": "Accesses" + }, + { + "columnId": "TotalInstances", + "label": "Instances" + } + ] + }, + "sortBy": [ + { + "itemKey": "Classification", + "sortOrder": 1 + } + ] + }, + "customWidth": "0", + "conditionalVisibility": { + "parameterName": "TabName", + "comparison": "isEqualTo", + "value": "Summary" + }, + "name": "AccessPerClassificationView", + "styleSettings": { + "margin": "0px 0px 0px 20px", + "maxWidth": "50" + } + } + ], + "exportParameters": true + }, + "conditionalVisibility": { + "parameterName": "TabName", + "comparison": "isEqualTo", + "value": "Summary" + }, + "name": "Graphs", + "styleSettings": { + "margin": "0px 30px 0px 30px" + } + }, + { + "type": 1, + "content": { + "json": "----\r\n## Access Details" + }, + "name": "break", + "styleSettings": { + "margin": "0px 30px" + } + }, + { + "type": 9, + "content": { + "version": "KqlParameterItem/1.0", + "parameters": [ + { + "id": "8be86c8b-b566-44c2-8cc7-d7c3b501a060", + "version": "KqlParameterItem/1.0", + "name": "FilterParam", + "type": 1, + "isGlobal": true, + "isHiddenWhenLocked": true, + "criteriaData": [ + { + "criteriaContext": { + "leftOperand": "Classification_IS", + "operator": "!=", + "rightValType": "static", + "rightVal": "*", + "resultValType": "static", + "resultVal": "{Classification_IS:label}" + } + }, + { + "criteriaContext": { + "leftOperand": "Classifications_f", + "operator": "!=", + "rightValType": "static", + "rightVal": "*", + "resultValType": "static", + "resultVal": "{Classifications_f:label}" + } + }, + { + "criteriaContext": { + "leftOperand": "ClassificationFilter", + "operator": "isNotNull", + "rightValType": "static", + "rightVal": "*", + "resultValType": "static", + "resultVal": "{ClassificationFilter:label}" + } + }, + { + "criteriaContext": { + "operator": "Default", + "resultValType": "static", + "resultVal": "All" + } + } + ], + "timeContext": { + "durationMs": 86400000 + } + } + ], + "style": "pills", + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces" + }, + "conditionalVisibility": { + "parameterName": "TabName", + "comparison": "isEqualTo", + "value": "Summary" + }, + "name": "FilterParameter" + }, + { + "type": 1, + "content": { + "json": "Filtered by -\r\nSubscriptions: {Subcriptions_IS:label}, Resource groups: {ResourceGroup_IS:label}, User accounts: {UserAccount_IS:label}, Insights: {LinkName}, IP range {IPAddress_IS} {IPRange_IS}, Asset path {AssetPath_IS} {Path_IS}, Classification type: {FilterParam:label}", + "style": "info" + }, + "conditionalVisibility": { + "parameterName": "TabName", + "comparison": "isEqualTo", + "value": "Summary" + }, + "name": "FilteredByText", + "styleSettings": { + "margin": "0px 30px" + } + }, + { + "type": 1, + "content": { + "json": "Filtered by -\r\nSubscriptions: {Subcriptions_IS:label}, Resource groups: {ResourceGroup_IS:label}, User accounts: {UserAccount_IS:label}, Insights: {LinkName}, IP range {IPAddress_IS} {IPRange_IS}, Asset path {AssetPath_IS} {Path_IS}", + "style": "info" + }, + "conditionalVisibility": { + "parameterName": "TabName", + "comparison": "isEqualTo", + "value": "UserAccount" + }, + "name": "FilteredByText - UserTab", + "styleSettings": { + "margin": "0px 30px" + } + }, + { + "type": 1, + "content": { + "json": "Filtered by -\r\nSubscriptions: {Subcriptions_IS:label}, Resource groups: {ResourceGroup_IS:label}, User accounts: {UserAccount_IS:label}, Insights: {LinkName}, IP range {IPAddress_IS} {IPRange_IS}, Asset path {AssetPath_IS} {Path_IS}", + "style": "info" + }, + "conditionalVisibility": { + "parameterName": "TabName", + "comparison": "isEqualTo", + "value": "IPAddress" + }, + "name": "FilteredByText - ipTab", + "styleSettings": { + "margin": "0px 30px" + } + }, + { + "type": 3, + "content": { + "version": "KqlItem/1.0", + "query": "let clasFilter = dynamic([{ClassificationFilter}]);\r\nlet linkName = '{LinkName}';\r\n\r\nDSTIMCorrelatedLogs({TimeRange_IS:start}, {TimeRange_IS:end}, '{Subcriptions_IS:id}', dynamic([{ResourceGroup_IS}]) , dynamic([{UserAccount_IS}]))\r\n| where iff(linkName =~ 'Watchlist', RequesterUpn has_any(parse_json(split('{WatchListEntities}', ','))), true)\r\n| where iff(linkName =~ 'TIIP', CallerIPAddress has_any(parse_json(split('{TIIPEntities}', ','))), true)\r\n| where iff(linkName =~ 'Anomalies', CallerIPAddress has_any(parse_json(split('{AnomaliesIPEntities}', ','))) or RequesterUpn has_any(parse_json(split('{AnomaliesUserEntities}', ','))), true)\r\n| where '*' in ({Classification_IS}) or Classification has_any({Classification_IS})\r\n| where '*' in ({Classifications_f}) or Classification has_any({Classifications_f})\r\n| where iff(array_length(clasFilter) == 0 , true, Classification has_any(clasFilter))\r\n| where '*' in ({SensitivityLabel_IS}) or SensitivityLabelName in ({SensitivityLabel_IS})\r\n| where iff(isnotempty('{IPRange_IS}') and '{IPAddress_IS}' == \"contains\", ipv4_is_in_range(CallerIPAddress, \"{IPRange_IS:value}\"), iff(isnotempty('{IPRange_IS}'), ipv4_is_in_range(CallerIPAddress, \"{IPRange_IS:value}\") == false, true))\r\n| where iff(isnotempty('{Path_IS}') and '{AssetPath_IS}' == \"contains\", Uri has '{Path_IS}',iff(isnotempty('{Path_IS}'), Uri !has '{Path_IS}', true))\r\n| project ResourceSubscriptionId, ResourceGroup, StorageAccountName, Uri, Location, TimeGenerated, CallerIPAddress, AuthenticationType, RequesterUpn, RequesterAppId, parse_json(Classification)[\"Id\"], parse_json(Classification), SensitivityLabelName, OperationName, Category, StatusCode, UserAgentHeader, AggregationLastEventTime, AggregationCount", + "size": 3, + "showAnalytics": true, + "showExportToExcel": true, + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces", + "gridSettings": { + "formatters": [ + { + "columnMatch": "$gen_group", + "formatter": 13, + "formatOptions": { + "linkTarget": null, + "showIcon": true + } + }, + { + "columnMatch": "Uri", + "formatter": 7, + "formatOptions": { + "linkTarget": "GenericDetails", + "linkIsContextBlade": true + } + }, + { + "columnMatch": "Classification", + "formatter": 0, + "numberFormat": { + "unit": 0, + "options": { + "style": "decimal" + } + } + } + ], + "rowLimit": 1000, + "filter": true, + "hierarchySettings": { + "treeType": 1, + "groupBy": [ + "ResourceSubscriptionId", + "ResourceGroup", + "StorageAccountName" + ], + "expandTopLevel": true + }, + "labelSettings": [ + { + "columnId": "ResourceSubscriptionId", + "label": "Resource Subscription Id" + }, + { + "columnId": "ResourceGroup", + "label": "Resource Group" + }, + { + "columnId": "StorageAccountName", + "label": "Storage Account Name" + }, + { + "columnId": "TimeGenerated", + "label": "Time Generated" + }, + { + "columnId": "CallerIPAddress", + "label": "Caller IP Address" + }, + { + "columnId": "AuthenticationType", + "label": "Authentication Type" + }, + { + "columnId": "RequesterUpn", + "label": "Requester Upn" + }, + { + "columnId": "RequesterAppId", + "label": "Requester App Id" + }, + { + "columnId": "SensitivityLabelName", + "label": "Sensitivity Label Name" + }, + { + "columnId": "OperationName", + "label": "Operation Name" + }, + { + "columnId": "StatusCode", + "label": "Status Code" + }, + { + "columnId": "UserAgentHeader", + "label": "User Agent Header" + }, + { + "columnId": "AggregationLastEventTime", + "label": "Aggregation Last Event Time" + }, + { + "columnId": "AggregationCount", + "label": "Aggregation Count" + } + ] + } + }, + "conditionalVisibility": { + "parameterName": "TabName", + "comparison": "isEqualTo", + "value": "Summary" + }, + "name": "Access Logs", + "styleSettings": { + "margin": "0px 40px" + } + }, + { + "type": 3, + "content": { + "version": "KqlItem/1.0", + "query": "DSTIMCorrelatedLogs({TimeRange_IS:start}, {TimeRange_IS:end}, '{Subcriptions_IS:id}', dynamic([{ResourceGroup_IS}]) , dynamic([{UserAccount_IS}]))\r\n| where iff('{LinkName}' =~ 'Watchlist', RequesterUpn has_any(parse_json(split('{WatchListEntities}', ','))), true)\r\n| where iff('{LinkName}' =~ 'TIIP', CallerIPAddress has_any(parse_json(split('{TIIPEntities}', ','))), true)\r\n| where iff('{LinkName}' =~ 'Anomalies', CallerIPAddress has_any(parse_json(split('{AnomaliesIPEntities}', ','))) or RequesterUpn has_any(parse_json(split('{AnomaliesUserEntities}', ','))), true)\r\n| where '*' in ({Classification_IS}) or Classification has_any({Classification_IS})\r\n| where '*' in ({Classifications_f}) or Classification has_any({Classifications_f})\r\n| where '*' in ({SensitivityLabel_IS}) or SensitivityLabelName in ({SensitivityLabel_IS})\r\n| where iff(isnotempty('{IPRange_IS}') and '{IPAddress_IS}' == \"contains\", ipv4_is_in_range(CallerIPAddress, \"{IPRange_IS:value}\"), iff(isnotempty('{IPRange_IS}'), ipv4_is_in_range(CallerIPAddress, \"{IPRange_IS:value}\") == false, true))\r\n| where iff(isnotempty('{Path_IS}') and '{AssetPath_IS}' == \"contains\", Uri has '{Path_IS}',iff(isnotempty('{Path_IS}'), Uri !has '{Path_IS}', true))\r\n| project RequesterUpn, ResourceGroup, StorageAccountName, ResourceSubscriptionId, Uri, Location, TimeGenerated, CallerIPAddress, AuthenticationType, RequesterAppId, Classification, SensitivityLabelName, OperationName, Category, StatusCode, UserAgentHeader, AggregationLastEventTime, AggregationCount", + "size": 0, + "showAnalytics": true, + "showExportToExcel": true, + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces", + "gridSettings": { + "formatters": [ + { + "columnMatch": "$gen_group", + "formatter": 13, + "formatOptions": { + "linkTarget": null, + "showIcon": true + } + }, + { + "columnMatch": "Uri", + "formatter": 7, + "formatOptions": { + "linkTarget": "GenericDetails", + "linkIsContextBlade": true + } + } + ], + "rowLimit": 1000, + "filter": true, + "hierarchySettings": { + "treeType": 1, + "groupBy": [ + "RequesterUpn", + "ResourceGroup", + "StorageAccountName" + ], + "expandTopLevel": true + }, + "labelSettings": [ + { + "columnId": "RequesterUpn", + "label": "Requester Upn" + }, + { + "columnId": "ResourceGroup", + "label": "Resource Group" + }, + { + "columnId": "StorageAccountName", + "label": "Storage Account Name" + }, + { + "columnId": "ResourceSubscriptionId", + "label": "Resource Subscription Id" + }, + { + "columnId": "TimeGenerated", + "label": "Time Generated" + }, + { + "columnId": "CallerIPAddress", + "label": "Caller IP Address" + }, + { + "columnId": "AuthenticationType", + "label": "Authentication Type" + }, + { + "columnId": "RequesterAppId", + "label": "Requester App Id" + }, + { + "columnId": "SensitivityLabelName", + "label": "Sensitivity Label Name" + }, + { + "columnId": "OperationName", + "label": "Operation Name" + }, + { + "columnId": "StatusCode", + "label": "Status Code" + }, + { + "columnId": "UserAgentHeader", + "label": "User Agent Header" + }, + { + "columnId": "AggregationLastEventTime", + "label": "Aggregation Last Event Time" + }, + { + "columnId": "AggregationCount", + "label": "Aggregation Count" + } + ] + } + }, + "conditionalVisibility": { + "parameterName": "TabName", + "comparison": "isEqualTo", + "value": "UserAccount" + }, + "name": "Access Logs - Users", + "styleSettings": { + "margin": "0px 40px" + } + }, + { + "type": 3, + "content": { + "version": "KqlItem/1.0", + "query": "DSTIMCorrelatedLogs({TimeRange_IS:start}, {TimeRange_IS:end}, '{Subcriptions_IS:id}', dynamic([{ResourceGroup_IS}]) , dynamic([{UserAccount_IS}]))\r\n| where iff('{LinkName}' =~ 'Watchlist', RequesterUpn has_any(parse_json(split('{WatchListEntities}', ','))), true)\r\n| where iff('{LinkName}' =~ 'TIIP', CallerIPAddress has_any(parse_json(split('{TIIPEntities}', ','))), true)\r\n| where iff('{LinkName}' =~ 'Anomalies', CallerIPAddress has_any(parse_json(split('{AnomaliesIPEntities}', ','))) or RequesterUpn has_any(parse_json(split('{AnomaliesUserEntities}', ','))), true)\r\n| where '*' in ({Classification_IS}) or Classification has_any({Classification_IS})\r\n| where '*' in ({Classifications_f}) or Classification has_any({Classifications_f})\r\n| where '*' in ({SensitivityLabel_IS}) or SensitivityLabelName in ({SensitivityLabel_IS})\r\n| where iff(isnotempty('{IPRange_IS}') and '{IPAddress_IS}' == \"contains\", ipv4_is_in_range(CallerIPAddress, \"{IPRange_IS:value}\"), iff(isnotempty('{IPRange_IS}'), ipv4_is_in_range(CallerIPAddress, \"{IPRange_IS:value}\") == false, true))\r\n| where iff(isnotempty('{Path_IS}') and '{AssetPath_IS}' == \"contains\", Uri has '{Path_IS}',iff(isnotempty('{Path_IS}'), Uri !has '{Path_IS}', true))\r\n| project CallerIPAddress, ResourceGroup, StorageAccountName, Uri, Location, TimeGenerated, ResourceSubscriptionId, AuthenticationType, RequesterUpn, RequesterAppId, Classification, SensitivityLabelName, OperationName, Category, StatusCode, UserAgentHeader, AggregationLastEventTime, AggregationCount", + "size": 0, + "showAnalytics": true, + "showExportToExcel": true, + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces", + "gridSettings": { + "formatters": [ + { + "columnMatch": "$gen_group", + "formatter": 13, + "formatOptions": { + "linkTarget": null, + "showIcon": true + } + }, + { + "columnMatch": "Uri", + "formatter": 7, + "formatOptions": { + "linkTarget": "GenericDetails", + "linkIsContextBlade": true + } + } + ], + "rowLimit": 1000, + "filter": true, + "hierarchySettings": { + "treeType": 1, + "groupBy": [ + "CallerIPAddress", + "ResourceGroup", + "StorageAccountName" + ], + "expandTopLevel": true + }, + "labelSettings": [ + { + "columnId": "CallerIPAddress", + "label": "Caller IP Address" + }, + { + "columnId": "ResourceGroup", + "label": "Resource Group" + }, + { + "columnId": "StorageAccountName", + "label": "Storage Account Name" + }, + { + "columnId": "TimeGenerated", + "label": "Time Generated" + }, + { + "columnId": "ResourceSubscriptionId", + "label": "Resource Subscription Id" + }, + { + "columnId": "AuthenticationType", + "label": "Authentication Type" + }, + { + "columnId": "RequesterUpn", + "label": "Requester Upn" + }, + { + "columnId": "RequesterAppId", + "label": "Requester App Id" + }, + { + "columnId": "SensitivityLabelName", + "label": "Sensitivity Label Name" + }, + { + "columnId": "OperationName", + "label": "Operation Name" + }, + { + "columnId": "StatusCode", + "label": "Status Code" + }, + { + "columnId": "UserAgentHeader", + "label": "User Agent Header" + }, + { + "columnId": "AggregationLastEventTime", + "label": "Aggregation Last Event Time" + }, + { + "columnId": "AggregationCount", + "label": "Aggregation Count" + } + ] + } + }, + "conditionalVisibility": { + "parameterName": "TabName", + "comparison": "isEqualTo", + "value": "IPAddress" + }, + "name": "Access Logs - IP", + "styleSettings": { + "margin": "0px 40px" + } + } + ], + "styleSettings": { + "paddingStyle": "none", + "spacingStyle": "none" + }, + "fromTemplateId": "sentinel-DSTIMWorkbook", + "$schema": "https://github.com/Microsoft/Application-Insights-Workbooks/blob/master/schema/workbook.json" +} \ No newline at end of file diff --git a/Workbooks/Images/Logos/DSTIM.svg b/Workbooks/Images/Logos/DSTIM.svg new file mode 100644 index 0000000000..6c2e825256 --- /dev/null +++ b/Workbooks/Images/Logos/DSTIM.svg @@ -0,0 +1 @@ + \ No newline at end of file diff --git a/Workbooks/Images/Preview/DSTIMWorkbookBlack.png b/Workbooks/Images/Preview/DSTIMWorkbookBlack.png new file mode 100644 index 0000000000..ca5e4ab4b1 Binary files /dev/null and b/Workbooks/Images/Preview/DSTIMWorkbookBlack.png differ diff --git a/Workbooks/Images/Preview/DSTIMWorkbookWhite.png b/Workbooks/Images/Preview/DSTIMWorkbookWhite.png new file mode 100644 index 0000000000..a00a0d284e Binary files /dev/null and b/Workbooks/Images/Preview/DSTIMWorkbookWhite.png differ diff --git a/Workbooks/InvestigationInsights.json b/Workbooks/InvestigationInsights.json index fbf5b706c9..e325265984 100644 --- a/Workbooks/InvestigationInsights.json +++ b/Workbooks/InvestigationInsights.json @@ -306,7 +306,7 @@ { "type": 1, "content": { - "json": "### Change Log\r\nBrian Delaney, Clive Watson, Jon Shectman - Microsoft\r\n\t\r\n\tVersion v1.2\r\n\tAdded Tag based filters to Incident View\r\n\tAdded Incident Number filter to Incident View\r\n\tAdded Application Consent to User IOCs\r\n\tAdded Logon Type filter for User Account Logons\r\n\tAdded Defender ATP DeviceLogonEvents to User Account Logons table\r\n\tEnabled support for nesting custom workbooks\r\n\tImproved samAccountName detection using IdentityInfo table\r\n\tImproved Location Anomalies map to color datapoints based on distance\r\n\tOther minor improvements\r\n\t\r\n\tVersion v1.1\r\n\tAdded Investigate by Bookmark\r\n\tAdded Related Bookmarks to each Investigation type\r\n\tAdded Investigate FileHash\r\n\tAdded BehaviorAnalytics for Account Investigation\r\n\tAdded MFA Fraud Query for Account Investigation\r\n\tAdded Owner and Status Filters to Incident View\r\n\tAdded Normalized Network Schema view\r\n\tUpdated Entity Parsing to add additional entity types\r\n\tUpdated Incident Timeline to be based on CreatedTime of Incident\r\n\tOther minor improvements\r\n\t\r\n\t\r\n\tVersion v1.0\r\n\tInitial Release", + "json": "### Change Log\r\nBrian Delaney, Clive Watson, Jon Shectman - Microsoft\r\n\t\r\n\tVersion v1.4\r\n\tFixing issue in table names in FullSearch output\r\n\tAdding open external query/export to excel to FullSearch Results\r\n\t\r\n\tVersion v1.2\r\n\tAdded Tag based filters to Incident View\r\n\tAdded Incident Number filter to Incident View\r\n\tAdded Application Consent to User IOCs\r\n\tAdded Logon Type filter for User Account Logons\r\n\tAdded Defender ATP DeviceLogonEvents to User Account Logons table\r\n\tEnabled support for nesting custom workbooks\r\n\tImproved samAccountName detection using IdentityInfo table\r\n\tImproved Location Anomalies map to color datapoints based on distance\r\n\tOther minor improvements\r\n\t\r\n\tVersion v1.1\r\n\tAdded Investigate by Bookmark\r\n\tAdded Related Bookmarks to each Investigation type\r\n\tAdded Investigate FileHash\r\n\tAdded BehaviorAnalytics for Account Investigation\r\n\tAdded MFA Fraud Query for Account Investigation\r\n\tAdded Owner and Status Filters to Incident View\r\n\tAdded Normalized Network Schema view\r\n\tUpdated Entity Parsing to add additional entity types\r\n\tUpdated Incident Timeline to be based on CreatedTime of Incident\r\n\tOther minor improvements\r\n\t\r\n\t\r\n\tVersion v1.0\r\n\tInitial Release", "style": "info" }, "customWidth": "50", @@ -5562,14 +5562,14 @@ "type": 3, "content": { "version": "KqlItem/1.0", - "query": "search in ({Table}) \"{SearchString}\"\r\n| where * contains \"{IncludeString:label}\" or \"{IncludeString:label}\" == \"\"\r\n| where * !contains \"{ExcludeString:label}\" or \"{ExcludeString:label}\" == \"\"\r\n| summarize Count=count() by $table\r\n| sort by Count desc", + "query": "search in ({Table}) \"{SearchString}\"\r\n| where * contains \"{IncludeString:label}\" or \"{IncludeString:label}\" == \"\"\r\n| where * !contains \"{ExcludeString:label}\" or \"{ExcludeString:label}\" == \"\"\r\n| summarize Count=count() by Type\r\n| sort by Count desc", "size": 1, "title": "Search Results by Table", "timeContext": { "durationMs": 7776000000 }, "timeContextFromParameter": "TimeRange", - "exportFieldName": "$table", + "exportFieldName": "Type", "exportParameterName": "SelectedTable", "exportDefaultValue": "Usage", "queryType": 0, @@ -5581,7 +5581,7 @@ "tileSettings": { "showBorder": false, "titleContent": { - "columnMatch": "$table", + "columnMatch": "Type", "formatter": 1 }, "leftContent": { @@ -5608,12 +5608,14 @@ "version": "KqlItem/1.0", "query": "search in ({SelectedTable}) \"{SearchString}\"\r\n| where * contains \"{IncludeString:label}\" or \"{IncludeString:label}\" == \"\"\r\n| where * !contains \"{ExcludeString:label}\" or \"{ExcludeString:label}\" == \"\"\r\n| project-away TenantId, $table\r\n| sort by TimeGenerated desc", "size": 0, + "showAnalytics": true, "noDataMessage": "Select a tile to see detailed results.", "noDataMessageStyle": 2, "timeContext": { "durationMs": 7776000000 }, "timeContextFromParameter": "TimeRange", + "showExportToExcel": true, "queryType": 0, "resourceType": "microsoft.operationalinsights/workspaces", "crossComponentResources": [ diff --git a/Workbooks/WorkbooksMetadata.json b/Workbooks/WorkbooksMetadata.json index 20668a37df..c706d50726 100644 --- a/Workbooks/WorkbooksMetadata.json +++ b/Workbooks/WorkbooksMetadata.json @@ -1085,7 +1085,7 @@ "dataTypesDependencies": [ "AuditLogs", "AzureActivity", "CommonSecurityLog", "OfficeActivity", "SecurityEvent", "SigninLogs", "ThreatIntelligenceIndicator" ], "dataConnectorsDependencies": [ "AzureActivity", "SecurityEvents", "Office365", "AzureActiveDirectory", "ThreatIntelligence", "ThreatIntelligenceTaxii", "WindowsSecurityEvents" ], "previewImagesFileNames": [ "InvestigationInsightsWhite1.png", "InvestigationInsightsBlack1.png", "InvestigationInsightsWhite2.png", "InvestigationInsightsBlack2.png" ], - "version": "1.3", + "version": "1.4", "title": "Investigation Insights", "templateRelativePath": "InvestigationInsights.json", "subtitle": "", @@ -1397,8 +1397,8 @@ "dataTypesDependencies": [], "dataConnectorsDependencies": [], "previewImagesFileNames": [ "AzureSentinelCostWhite.png", "AzureSentinelCostBlack.png"], - "version": "1.2", - "title": "Azure Sentinel Cost", + "version": "1.3", + "title": "Microsoft Sentinel Cost", "templateRelativePath": "AzureSentinelCost.json", "subtitle": "", "provider": "Azure Sentinel Community" @@ -1481,6 +1481,20 @@ "templateRelativePath": "AdvancedKQL.json", "subtitle": "", "provider": "Azure Sentinel Community" + }, + { + "workbookKey": "DSTIMWorkbook", + "logoFileName": "DSTIM.svg", + "description": "Identify sensitive data blast radius (i.e., who accessed sensitive data, what kinds of sensitive data, from where and when) in a given data security incident investigation or as part of Threat Hunting. Prioritize your investigation based on insights provided with integrations with Watchlists, Threat Intelligence feed, UEBA baselines and much more.", + "dataTypesDependencies": [ "DSTIMAccess_CL", "DSTIMClassification_CL", "DSTIMSensitivity_CL", "DSTIMCorrelatedLogs", "GetClassificationList", "Anomalies", "_GetWatchlist", "ThreatIntelligenceIndicator", "IdentityInfo", "SecurityAlert" ], + "dataConnectorsDependencies": [], + "previewImagesFileNames": [ "DSTIMWorkbookBlack.png", "DSTIMWorkbookWhite.png" ], + "version": "1.0", + "title": "Data Security – Sensitive data Impact Assessment", + "templateRelativePath": "DSTIMWorkbook.json", + "subtitle": "", + "provider": "Azure Sentinel Community", + "featureFlag": "DSTIMWorkbook" } ]