adding kind to all analytic rules under solutions (including duplicated ciscoUmbrealla templates)

2021-10-19 14:02:40 +03:00 · 2021-10-19 14:02:40 +03:00 · f2137b69ae
--- a/Solutions/AristaAwakeSecurity/Analytic
+++ b/Solutions/AristaAwakeSecurity/Analytic
@ -62,3 +62,4 @@ incidentConfiguration:
    groupByCustomDetails:
      - Device
 version: 1.0.0
+kind: scheduled
--- a/Rules/HighSeverityMatchesByDevice.yaml
+++ b/Rules/HighSeverityMatchesByDevice.yaml
@ -60,3 +60,4 @@ incidentConfiguration:
    groupByCustomDetails:
      - Device
 version: 1.0.0
+kind: scheduled
--- a/Rules/ModelMatchesWithMultipleDestinationsByDevice.yaml
+++ b/Rules/ModelMatchesWithMultipleDestinationsByDevice.yaml
@ -60,3 +60,4 @@ incidentConfiguration:
    groupByCustomDetails:
      - Device
 version: 1.0.0
+kind: scheduled
--- a/Rules/BoxAbnormalUserActivity.yaml
+++ b/Rules/BoxAbnormalUserActivity.yaml
@ -50,3 +50,4 @@ entityMappings:
      - identifier: FullName
        columnName: AccountCustomEntity
 version: 1.0.0
+kind: scheduled
--- a/Rules/BoxBinaryFile.yaml
+++ b/Rules/BoxBinaryFile.yaml
@ -24,4 +24,5 @@ entityMappings:
    fieldMappings:
      - identifier: Address
        columnName: IPCustomEntity
-version: 1.0.0
+version: 1.0.0
+kind: scheduled
--- a/Rules/BoxDownloadForbiddenFiles.yaml
+++ b/Rules/BoxDownloadForbiddenFiles.yaml
@ -32,4 +32,5 @@ entityMappings:
    fieldMappings:
      - identifier: Address
        columnName: IPCustomEntity
-version: 1.0.0
+version: 1.0.0
+kind: scheduled
--- a/Rules/BoxInactiveUserLogin.yaml
+++ b/Rules/BoxInactiveUserLogin.yaml
@ -37,4 +37,5 @@ entityMappings:
    fieldMappings:
      - identifier: FullName
        columnName: AccountCustomEntity
-version: 1.0.0
+version: 1.0.0
+kind: scheduled
--- a/Rules/BoxItemSharedToExternalUser.yaml
+++ b/Rules/BoxItemSharedToExternalUser.yaml
@ -27,4 +27,5 @@ entityMappings:
    fieldMappings:
      - identifier: FullName
        columnName: AccountCustomEntity
-version: 1.0.0
+version: 1.0.0
+kind: scheduled
--- a/Rules/BoxMultipleItemsDeletedByUser.yaml
+++ b/Rules/BoxMultipleItemsDeletedByUser.yaml
@ -27,4 +27,5 @@ entityMappings:
    fieldMappings:
      - identifier: FullName
        columnName: AccountCustomEntity
-version: 1.0.0
+version: 1.0.0
+kind: scheduled
--- a/Rules/BoxNewExternalUser.yaml
+++ b/Rules/BoxNewExternalUser.yaml
@ -33,4 +33,5 @@ entityMappings:
    fieldMappings:
      - identifier: Address
        columnName: IPCustomEntity
-version: 1.0.0
+version: 1.0.0
+kind: scheduled
--- a/Rules/BoxSensitiveFile.yaml
+++ b/Rules/BoxSensitiveFile.yaml
@ -29,4 +29,5 @@ entityMappings:
    fieldMappings:
      - identifier: Address
        columnName: IPCustomEntity
-version: 1.0.0
+version: 1.0.0
+kind: scheduled
--- a/Rules/BoxUserLoginAsAdmin.yaml
+++ b/Rules/BoxUserLoginAsAdmin.yaml
@ -36,4 +36,5 @@ entityMappings:
    fieldMappings:
      - identifier: Address
        columnName: IPCustomEntity
-version: 1.0.0
+version: 1.0.0
+kind: scheduled
--- a/Rules/BoxUserRoleChangedToOwner.yaml
+++ b/Rules/BoxUserRoleChangedToOwner.yaml
@ -37,4 +37,5 @@ entityMappings:
    fieldMappings:
      - identifier: FullName
        columnName: AccountCustomEntity
-version: 1.0.0
+version: 1.0.0
+kind: scheduled
--- a/Rules/CiscoISEAdminPasswordReset.yaml
+++ b/Rules/CiscoISEAdminPasswordReset.yaml
@ -33,4 +33,5 @@ entityMappings:
    fieldMappings:
      - identifier: Address
        columnName: IPCustomEntity
-version: 1.0.0
+version: 1.0.0
+kind: scheduled
--- a/Rules/CiscoISEAttempDeleteLocalStoreLogs.yaml
+++ b/Rules/CiscoISEAttempDeleteLocalStoreLogs.yaml
@ -35,4 +35,5 @@ entityMappings:
    fieldMappings:
      - identifier: FullName
        columnName: HostCustomEntity
-version: 1.0.0
+version: 1.0.0
+kind: scheduled
--- a/Rules/CiscoISEBackupFailed.yaml
+++ b/Rules/CiscoISEBackupFailed.yaml
@ -28,4 +28,5 @@ entityMappings:
    fieldMappings:
      - identifier: Address
        columnName: IPCustomEntity
-version: 1.0.0
+version: 1.0.0
+kind: scheduled
--- a/Rules/CiscoISECertExpired.yaml
+++ b/Rules/CiscoISECertExpired.yaml
@ -35,4 +35,5 @@ entityMappings:
    fieldMappings:
      - identifier: FullName
        columnName: HostCustomEntity
-version: 1.0.0
+version: 1.0.0
+kind: scheduled
--- a/Rules/CiscoISECmdExecutionWithHighestPrivilegesNewIP.yaml
+++ b/Rules/CiscoISECmdExecutionWithHighestPrivilegesNewIP.yaml
@ -42,4 +42,5 @@ entityMappings:
    fieldMappings:
      - identifier: Address
        columnName: IPCustomEntity
-version: 1.0.0
+version: 1.0.0
+kind: scheduled
--- a/Rules/CiscoISECmdExecutionWithHighestPrivilegesNewUser.yaml
+++ b/Rules/CiscoISECmdExecutionWithHighestPrivilegesNewUser.yaml
@ -42,4 +42,5 @@ entityMappings:
    fieldMappings:
      - identifier: Address
        columnName: IPCustomEntity
-version: 1.0.0
+version: 1.0.0
+kind: scheduled
--- a/Rules/CiscoISEDeviceChangedIP.yaml
+++ b/Rules/CiscoISEDeviceChangedIP.yaml
@ -36,4 +36,5 @@ entityMappings:
    fieldMappings:
      - identifier: Address
        columnName: IPCustomEntity
-version: 1.0.0
+version: 1.0.0
+kind: scheduled
--- a/Rules/CiscoISEDevicePostureStatusChanged.yaml
+++ b/Rules/CiscoISEDevicePostureStatusChanged.yaml
@ -33,4 +33,5 @@ entityMappings:
    fieldMappings:
      - identifier: Address
        columnName: IPCustomEntity
-version: 1.0.0
+version: 1.0.0
+kind: scheduled
--- a/Rules/CiscoISELogCollectorSuspended.yaml
+++ b/Rules/CiscoISELogCollectorSuspended.yaml
@ -25,4 +25,5 @@ entityMappings:
    fieldMappings:
      - identifier: Address
        columnName: IPCustomEntity
-version: 1.0.0
+version: 1.0.0
+kind: scheduled
--- a/Rules/CiscoISELogsDeleted.yaml
+++ b/Rules/CiscoISELogsDeleted.yaml
@ -35,4 +35,5 @@ entityMappings:
    fieldMappings:
      - identifier: FullName
        columnName: HostCustomEntity
-version: 1.0.0
+version: 1.0.0
+kind: scheduled
--- a/Rules/CiscoUmbrellaConnectionNon-CorporatePrivateNetwork.yaml
+++ b/Rules/CiscoUmbrellaConnectionNon-CorporatePrivateNetwork.yaml
@ -50,4 +50,5 @@ entityMappings:
    fieldMappings:
      - identifier: Address
        columnName: IPCustomEntity
-version: 1.0.0
+version: 1.0.0
+kind: scheduled
--- a/Rules/CiscoUmbrellaConnectionToUnpopularWebsiteDetected.yaml
+++ b/Rules/CiscoUmbrellaConnectionToUnpopularWebsiteDetected.yaml
@ -40,4 +40,5 @@ entityMappings:
    fieldMappings:
      - identifier: Address
        columnName: IPCustomEntity
-version: 1.0.0
+version: 1.0.0
+kind: scheduled
--- a/Rules/CiscoUmbrellaCryptoMinerUserAgentDetected.yaml
+++ b/Rules/CiscoUmbrellaCryptoMinerUserAgentDetected.yaml
@ -31,4 +31,5 @@ entityMappings:
    fieldMappings:
      - identifier: Address
        columnName: IPCustomEntity
-version: 1.0.0
+version: 1.0.0
+kind: scheduled
--- a/Rules/CiscoUmbrellaEmptyUserAgentDetected.yaml
+++ b/Rules/CiscoUmbrellaEmptyUserAgentDetected.yaml
@ -31,4 +31,5 @@ entityMappings:
    fieldMappings:
      - identifier: Address
        columnName: IPCustomEntity
-version: 1.0.0
+version: 1.0.0
+kind: scheduled
--- a/Rules/CiscoUmbrellaHackToolUserAgentDetected.yaml
+++ b/Rules/CiscoUmbrellaHackToolUserAgentDetected.yaml
@ -79,4 +79,5 @@ entityMappings:
    fieldMappings:
      - identifier: Address
        columnName: IPCustomEntity
-version: 1.0.0
+version: 1.0.0
+kind: scheduled
--- a/Rules/CiscoUmbrellaPowershellUserAgentDetected.yaml
+++ b/Rules/CiscoUmbrellaPowershellUserAgentDetected.yaml
@ -32,4 +32,5 @@ entityMappings:
    fieldMappings:
      - identifier: Address
        columnName: IPCustomEntity
-version: 1.0.0
+version: 1.0.0
+kind: scheduled
--- a/Rules/CiscoUmbrellaRareUserAgentDetected.yaml
+++ b/Rules/CiscoUmbrellaRareUserAgentDetected.yaml
@ -37,4 +37,5 @@ entityMappings:
    fieldMappings:
      - identifier: Address
        columnName: IPCustomEntity
-version: 1.0.0
+version: 1.0.0
+kind: scheduled
--- a/Rules/CiscoUmbrellaRequestAllowedHarmfulMaliciousURICategory.yaml
+++ b/Rules/CiscoUmbrellaRequestAllowedHarmfulMaliciousURICategory.yaml
@ -50,4 +50,5 @@ entityMappings:
    fieldMappings:
      - identifier: Address
        columnName: IPCustomEntity
-version: 1.0.0
+version: 1.0.0
+kind: scheduled
--- a/Rules/CiscoUmbrellaRequestBlocklistedFileType.yaml
+++ b/Rules/CiscoUmbrellaRequestBlocklistedFileType.yaml
@ -35,4 +35,5 @@ entityMappings:
    fieldMappings:
      - identifier: Address
        columnName: IPCustomEntity
-version: 1.0.0
+version: 1.0.0
+kind: scheduled
--- a/Rules/CiscoUmbrellaURIContainsIPAddress.yaml
+++ b/Rules/CiscoUmbrellaURIContainsIPAddress.yaml
@ -32,4 +32,5 @@ entityMappings:
    fieldMappings:
      - identifier: Address
        columnName: IPCustomEntity
-version: 1.0.0
+version: 1.0.0
+kind: scheduled
--- a/Rules/CloudflareBadClientIp.yaml
+++ b/Rules/CloudflareBadClientIp.yaml
@ -31,4 +31,5 @@ entityMappings:
    fieldMappings:
      - identifier: Url
        columnName: UrlCustomEntity
-version: 1.0.0
+version: 1.0.0
+kind: scheduled
--- a/Solutions/Cloudflare/Analytic
+++ b/Solutions/Cloudflare/Analytic
@ -25,4 +25,5 @@ entityMappings:
    fieldMappings:
      - identifier: Address
        columnName: IPCustomEntity
-version: 1.0.0
+version: 1.0.0
+kind: scheduled
--- a/Rules/CloudflareMultipleErrorsSource.yaml
+++ b/Rules/CloudflareMultipleErrorsSource.yaml
@ -28,4 +28,5 @@ entityMappings:
    fieldMappings:
      - identifier: Address
        columnName: IPCustomEntity
-version: 1.0.0
+version: 1.0.0
+kind: scheduled
--- a/Rules/CloudflareMultipleUAs.yaml
+++ b/Rules/CloudflareMultipleUAs.yaml
@ -28,4 +28,5 @@ entityMappings:
    fieldMappings:
      - identifier: Address
        columnName: IPCustomEntity
-version: 1.0.0
+version: 1.0.0
+kind: scheduled
--- a/Rules/CloudflareUnexpectedCountry.yaml
+++ b/Rules/CloudflareUnexpectedCountry.yaml
@ -31,4 +31,5 @@ entityMappings:
    fieldMappings:
      - identifier: Url
        columnName: UrlCustomEntity
-version: 1.0.0
+version: 1.0.0
+kind: scheduled
--- a/Rules/CloudflareUnexpectedPost.yaml
+++ b/Rules/CloudflareUnexpectedPost.yaml
@ -32,3 +32,4 @@ entityMappings:
      - identifier: Address
        columnName: IPCustomEntity
 version: 1.0.0
+kind: scheduled
--- a/Rules/CloudflareUnexpectedRequest.yaml
+++ b/Rules/CloudflareUnexpectedRequest.yaml
@ -27,4 +27,5 @@ entityMappings:
    fieldMappings:
      - identifier: Address
        columnName: IPCustomEntity
-version: 1.0.0
+version: 1.0.0
+kind: scheduled
--- a/Rules/CloudflareUnexpectedUrl.yaml
+++ b/Rules/CloudflareUnexpectedUrl.yaml
@ -27,4 +27,5 @@ entityMappings:
    fieldMappings:
      - identifier: Address
        columnName: IPCustomEntity
-version: 1.0.0
+version: 1.0.0
+kind: scheduled
--- a/Rules/CloudflareWafThreatAllowed.yaml
+++ b/Rules/CloudflareWafThreatAllowed.yaml
@ -31,4 +31,5 @@ entityMappings:
    fieldMappings:
      - identifier: Url
        columnName: UrlCustomEntity
-version: 1.0.0
+version: 1.0.0
+kind: scheduled
--- a/Rules/CloudflareXSSProbingPattern.yaml
+++ b/Rules/CloudflareXSSProbingPattern.yaml
@ -34,3 +34,4 @@ entityMappings:
      - identifier: Url
        columnName: UrlCustomEntity
 version: 1.0.0
+kind: scheduled
--- a/Rules/ContrastBlocks.yaml
+++ b/Rules/ContrastBlocks.yaml
@ -58,3 +58,4 @@ entityMappings:
      - identifier: Category
        columnName: Rule
 version: 1.0.0
+kind: scheduled
--- a/Rules/ContrastExploits.yaml
+++ b/Rules/ContrastExploits.yaml
@ -58,3 +58,4 @@ entityMappings:
      - identifier: Category
        columnName: Rule
 version: 1.0.0
+kind: scheduled
--- a/Rules/ContrastProbes.yaml
+++ b/Rules/ContrastProbes.yaml
@ -58,3 +58,4 @@ entityMappings:
      - identifier: Category
        columnName: Rule
 version: 1.0.0
+kind: scheduled
--- a/Rules/ContrastSuspicious.yaml
+++ b/Rules/ContrastSuspicious.yaml
@ -58,3 +58,4 @@ entityMappings:
      - identifier: Category
        columnName: Rule 
 version: 1.0.0
+kind: scheduled
--- a/Rules/CorelightC2RepetitiveFailures.yaml
+++ b/Rules/CorelightC2RepetitiveFailures.yaml
@ -30,3 +30,4 @@ entityMappings:
      - identifier: Address
        columnName: IPCustomEntity
 version: 1.0.0
+kind: scheduled
--- a/Rules/CorelightExternalProxyDetected.yaml
+++ b/Rules/CorelightExternalProxyDetected.yaml
@ -27,4 +27,5 @@ entityMappings:
    fieldMappings:
      - identifier: Address
        columnName: IPCustomEntity
-version: 1.0.0
+version: 1.0.0
+kind: scheduled
--- a/Rules/CorelightForcedExternalOutboundSMB.yaml
+++ b/Rules/CorelightForcedExternalOutboundSMB.yaml
@ -28,3 +28,4 @@ entityMappings:
      - identifier: Address
        columnName: IPCustomEntity
 version: 1.0.0
+kind: scheduled
--- a/Rules/CorelightMultipleCompressedFilesTransferredOverHTTP.yaml
+++ b/Rules/CorelightMultipleCompressedFilesTransferredOverHTTP.yaml
@ -31,3 +31,4 @@ entityMappings:
      - identifier: Address
        columnName: IPCustomEntity
 version: 1.0.0
+kind: scheduled
--- a/Rules/CorelightMultipleFilesSentOverHTTPAbnormalRequests.yaml
+++ b/Rules/CorelightMultipleFilesSentOverHTTPAbnormalRequests.yaml
@ -33,3 +33,4 @@ entityMappings:
      - identifier: Address
        columnName: IPCustomEntity
 version: 1.0.0
+kind: scheduled
--- a/Rules/CorelightNetworkServiceScanning.yaml
+++ b/Rules/CorelightNetworkServiceScanning.yaml
@ -32,3 +32,4 @@ entityMappings:
      - identifier: Address
        columnName: IPCustomEntity
 version: 1.0.0
+kind: scheduled
--- a/Rules/CorelightPossibleWebshell.yaml
+++ b/Rules/CorelightPossibleWebshell.yaml
@ -31,3 +31,4 @@ entityMappings:
      - identifier: Address
        columnName: IPCustomEntity
 version: 1.0.0
+kind: scheduled
--- a/Rules/CorelightPossibleWebshellRarePOST.yaml
+++ b/Rules/CorelightPossibleWebshellRarePOST.yaml
@ -34,3 +34,4 @@ entityMappings:
      - identifier: Address
        columnName: IPCustomEntity
 version: 1.0.0
+kind: scheduled
--- a/Rules/CorelightSMTPEmailSubjectNonAsciiCharacters.yaml
+++ b/Rules/CorelightSMTPEmailSubjectNonAsciiCharacters.yaml
@ -32,4 +32,5 @@ entityMappings:
    fieldMappings:
      - identifier: Recipient
        columnName: MailCustomEntity
-version: 1.0.0
+version: 1.0.0
+kind: scheduled
--- a/Rules/CorelightTypoSquattingOrPunycodePhishingHTTPRequest.yaml
+++ b/Rules/CorelightTypoSquattingOrPunycodePhishingHTTPRequest.yaml
@ -27,4 +27,5 @@ entityMappings:
    fieldMappings:
      - identifier: Address
        columnName: IPCustomEntity
-version: 1.0.0
+version: 1.0.0
+kind: scheduled
--- a/Rules/CriticalOrHighSeverityDetectionsByUser.yaml
+++ b/Rules/CriticalOrHighSeverityDetectionsByUser.yaml
@ -48,4 +48,5 @@ entityMappings:
        columnName: MD5
      - identifier: Value
        columnName: FileHashCustomEntity
-version: 1.0.0
+version: 1.0.0
+kind: scheduled
--- a/Rules/CriticalSeverityDetection.yaml
+++ b/Rules/CriticalSeverityDetection.yaml
@ -40,4 +40,5 @@ entityMappings:
        columnName: MD5
      - identifier: Value
        columnName: FileHashCustomEntity
-version: 1.0.0
+version: 1.0.0
+kind: scheduled
--- a/Solutions/CybersecurityMaturityModelCertification(CMMC)/Analytic
+++ b/Solutions/CybersecurityMaturityModelCertification(CMMC)/Analytic
@ -47,3 +47,4 @@ entityMappings:
      - identifier: Url
        columnName: URLCustomEntity
 version: 1.0.0
+kind: scheduled
--- a/Solutions/CybersecurityMaturityModelCertification(CMMC)/Analytic
+++ b/Solutions/CybersecurityMaturityModelCertification(CMMC)/Analytic
@ -47,3 +47,4 @@ entityMappings:
      - identifier: Url
        columnName: URLCustomEntity
 version: 1.0.0
+kind: scheduled
--- a/Solutions/CybersecurityMaturityModelCertification(CMMC)/Analytic
+++ b/Solutions/CybersecurityMaturityModelCertification(CMMC)/Analytic
@ -47,3 +47,4 @@ entityMappings:
      - identifier: Url
        columnName: URLCustomEntity
 version: 1.0.0
+kind: scheduled
--- a/Solutions/CybersecurityMaturityModelCertification(CMMC)/Analytic
+++ b/Solutions/CybersecurityMaturityModelCertification(CMMC)/Analytic
@ -47,3 +47,4 @@ entityMappings:
      - identifier: Url
        columnName: URLCustomEntity
 version: 1.0.0
+kind: scheduled
--- a/Solutions/CybersecurityMaturityModelCertification(CMMC)/Analytic
+++ b/Solutions/CybersecurityMaturityModelCertification(CMMC)/Analytic
@ -47,3 +47,4 @@ entityMappings:
      - identifier: Url
        columnName: URLCustomEntity
 version: 1.0.0
+kind: scheduled
--- a/Solutions/CybersecurityMaturityModelCertification(CMMC)/Analytic
+++ b/Solutions/CybersecurityMaturityModelCertification(CMMC)/Analytic
@ -47,3 +47,4 @@ entityMappings:
      - identifier: Url
        columnName: URLCustomEntity
 version: 1.0.0
+kind: scheduled
--- a/Solutions/CybersecurityMaturityModelCertification(CMMC)/Analytic
+++ b/Solutions/CybersecurityMaturityModelCertification(CMMC)/Analytic
@ -47,3 +47,4 @@ entityMappings:
      - identifier: Url
        columnName: URLCustomEntity
 version: 1.0.0
+kind: scheduled
--- a/Solutions/CybersecurityMaturityModelCertification(CMMC)/Analytic
+++ b/Solutions/CybersecurityMaturityModelCertification(CMMC)/Analytic
@ -47,3 +47,4 @@ entityMappings:
      - identifier: Url
        columnName: URLCustomEntity
 version: 1.0.0
+kind: scheduled
--- a/Rules/System&CommunicationsProtectionControlFamilyMonitoring.yaml
+++ b/Rules/System&CommunicationsProtectionControlFamilyMonitoring.yaml
@ -47,3 +47,4 @@ entityMappings:
      - identifier: Url
        columnName: URLCustomEntity
 version: 1.0.0
+kind: scheduled
--- a/Solutions/CybersecurityMaturityModelCertification(CMMC)/Analytic
+++ b/Solutions/CybersecurityMaturityModelCertification(CMMC)/Analytic
@ -47,3 +47,4 @@ entityMappings:
      - identifier: Url
        columnName: URLCustomEntity
 version: 1.0.0
+kind: scheduled
--- a/Rules/DynamicsEncryptionSettingsChanged.yaml
+++ b/Rules/DynamicsEncryptionSettingsChanged.yaml
@ -31,4 +31,5 @@ entityMappings:
    fieldMappings:
      - identifier: Address
        columnName: IPCustomEntity
-version: 1.0.0
+version: 1.0.0
+kind: scheduled
--- a/Rules/MassExportOfDynamicstoExcel.yaml
+++ b/Rules/MassExportOfDynamicstoExcel.yaml
@ -50,4 +50,5 @@ entityMappings:
    fieldMappings:
      - identifier: FullName
        columnName: AccountCustomEntity
-version: 1.0.0
+version: 1.0.0
+kind: scheduled
--- a/Rules/NewDynamicsAdminActivity.yaml
+++ b/Rules/NewDynamicsAdminActivity.yaml
@ -35,4 +35,5 @@ entityMappings:
    fieldMappings:
      - identifier: FullName
        columnName: AccountCustomEntity
-version: 1.0.0
+version: 1.0.0
+kind: scheduled
--- a/Rules/NewDynamicsUserAgent.yaml
+++ b/Rules/NewDynamicsUserAgent.yaml
@ -43,4 +43,5 @@ entityMappings:
    fieldMappings:
      - identifier: FullName
        columnName: AccountCustomEntity
-version: 1.0.0
+version: 1.0.0
+kind: scheduled
--- a/Rules/NewOfficeUserAgentinDynamics.yaml
+++ b/Rules/NewOfficeUserAgentinDynamics.yaml
@ -34,4 +34,5 @@ query: |
  on UserAgent
  | summarize MostRecentActivity=max(TimeGenerated), IPs=make_set(IPAddress), Users=make_set(UserId), Actions=make_set(OriginalObjectId) by UserAgent
  | extend timestamp = MostRecentActivity
-version: 1.0.0
+version: 1.0.0
+kind: scheduled
--- a/Rules/UserBulkRetreivalOutsideNormalActivity.yaml
+++ b/Rules/UserBulkRetreivalOutsideNormalActivity.yaml
@ -53,4 +53,5 @@ entityMappings:
    fieldMappings:
      - identifier: FullName
        columnName: AccountCustomEntity
-version: 1.0.0
+version: 1.0.0
+kind: scheduled
--- a/Solutions/ESETPROTECT/Analytic
+++ b/Solutions/ESETPROTECT/Analytic
@ -38,4 +38,5 @@ entityMappings:
        columnName: FileHashAlgo
      - identifier: Value
        columnName: FileHashCustomEntity
-version: 1.0.0
+version: 1.0.0
+kind: scheduled
--- a/Solutions/ESETPROTECT/Analytic
+++ b/Solutions/ESETPROTECT/Analytic
@ -41,4 +41,5 @@ entityMappings:
    fieldMappings:
      - identifier: Url
        columnName: URLCustomEntity
-version: 1.0.0
+version: 1.0.0
+kind: scheduled
--- a/Rules/AzureADRareUserAgentAppSignin.yaml
+++ b/Rules/AzureADRareUserAgentAppSignin.yaml
@ -102,4 +102,5 @@ entityMappings:
    fieldMappings:
      - identifier: FullName
        columnName: UserPrincipalName
-version: 1.0.0
+version: 1.0.0
+kind: scheduled
--- a/Rules/AzureADUserAgentOSmissmatch.yaml
+++ b/Rules/AzureADUserAgentOSmissmatch.yaml
@ -65,4 +65,5 @@ entityMappings:
    fieldMappings:
      - identifier: FullName
        columnName: UserPrincipalName
-version: 1.0.0
+version: 1.0.0
+kind: scheduled
--- a/Solutions/FalconFriday/Analytic
+++ b/Solutions/FalconFriday/Analytic
@ -42,4 +42,5 @@ entityMappings:
    fieldMappings:
      - identifier: CommandLine
        columnName: ProcessCommandLine
-version: 1.0.0
+version: 1.0.0
+kind: scheduled
--- a/Rules/CertutilIngressToolTransfer.yaml
+++ b/Rules/CertutilIngressToolTransfer.yaml
@ -57,4 +57,5 @@ entityMappings:
    fieldMappings:
      - identifier: CommandLine
        columnName: ProcessCommandLine
-version: 1.0.0
+version: 1.0.0
+kind: scheduled
--- a/Rules/CreateProcessWithToken.yaml
+++ b/Rules/CreateProcessWithToken.yaml
@ -59,4 +59,5 @@ entityMappings:
    fieldMappings:
      - identifier: CommandLine
        columnName: ProcessCommandLine
-version: 1.0.0
+version: 1.0.0
+kind: scheduled
--- a/Solutions/FalconFriday/Analytic
+++ b/Solutions/FalconFriday/Analytic
@ -59,4 +59,5 @@ entityMappings:
    fieldMappings:
      - identifier: CommandLine
        columnName: DCOMCmdLine
-version: 1.0.0
+version: 1.0.0
+kind: scheduled
--- a/Solutions/FalconFriday/Analytic
+++ b/Solutions/FalconFriday/Analytic
@ -53,4 +53,5 @@ entityMappings:
    fieldMappings:
      - identifier: CommandLine
        columnName: ProcessCommandLine
-version: 1.0.0
+version: 1.0.0
+kind: scheduled
--- a/Rules/DisableOrModifyWindowsDefender.yaml
+++ b/Rules/DisableOrModifyWindowsDefender.yaml
@ -43,4 +43,5 @@ entityMappings:
    fieldMappings:
      - identifier: CommandLine
        columnName: ProcessCommandLine
-version: 1.0.0
+version: 1.0.0
+kind: scheduled
--- a/Solutions/FalconFriday/Analytic
+++ b/Solutions/FalconFriday/Analytic
@ -37,4 +37,5 @@ entityMappings:
    fieldMappings:
      - identifier: CommandLine
        columnName: InitiatingProcessCommandLine
-version: 1.0.0
+version: 1.0.0
+kind: scheduled
--- a/Rules/ExpiredAccessCredentials.yaml
+++ b/Rules/ExpiredAccessCredentials.yaml
@ -53,4 +53,5 @@ entityMappings:
    fieldMappings:
      - identifier: Address
        columnName: FailedIp
-version: 1.0.0
+version: 1.0.0
+kind: scheduled
--- a/Rules/MatchLegitimateNameOrLocation.yaml
+++ b/Rules/MatchLegitimateNameOrLocation.yaml
@ -57,4 +57,5 @@ entityMappings:
    fieldMappings:
      - identifier: CommandLine
        columnName: ProcessCommandLine
-version: 1.0.0
+version: 1.0.0
+kind: scheduled
--- a/Rules/OfficeASRFromBrowser.yaml
+++ b/Rules/OfficeASRFromBrowser.yaml
@ -43,4 +43,5 @@ entityMappings:
    fieldMappings:
      - identifier: CommandLine
        columnName: ProcessCommandLine
-version: 1.0.0
+version: 1.0.0
+kind: scheduled
--- a/Rules/OfficeProcessInjection.yaml
+++ b/Rules/OfficeProcessInjection.yaml
@ -42,4 +42,5 @@ entityMappings:
    fieldMappings:
      - identifier: CommandLine
        columnName: InitiatingProcessCommandLine
-version: 1.0.0
+version: 1.0.0
+kind: scheduled
--- a/Rules/PasswordSprayingWithMDE.yaml
+++ b/Rules/PasswordSprayingWithMDE.yaml
@ -46,4 +46,5 @@ entityMappings:
    fieldMappings:
      - identifier: CommandLine
        columnName: ProcessCommandLine
-version: 1.0.0
+version: 1.0.0
+kind: scheduled
--- a/Rules/RecognizingBeaconingTraffic.yaml
+++ b/Rules/RecognizingBeaconingTraffic.yaml
@ -75,4 +75,5 @@ entityMappings:
    fieldMappings:
      - identifier: FullName
        columnName: SourceUserName
-version: 1.0.0
+version: 1.0.0
+kind: scheduled
--- a/Rules/RemoteDesktopProtocol.yaml
+++ b/Rules/RemoteDesktopProtocol.yaml
@ -44,4 +44,5 @@ entityMappings:
    fieldMappings:
      - identifier: CommandLine
        columnName: ProcessCommandLine
-version: 1.0.0
+version: 1.0.0
+kind: scheduled
--- a/Rules/RenameSystemUtilities.yaml
+++ b/Rules/RenameSystemUtilities.yaml
@ -48,4 +48,5 @@ entityMappings:
    fieldMappings:
      - identifier: CommandLine
        columnName: ProcessCommandLine
-version: 1.0.0
+version: 1.0.0
+kind: scheduled
--- a/Rules/SMBWindowsAdminShares.yaml
+++ b/Rules/SMBWindowsAdminShares.yaml
@ -88,4 +88,5 @@ entityMappings:
    fieldMappings:
      - identifier: Address
        columnName: RemoteIP
-version: 1.0.0
+version: 1.0.0
+kind: scheduled
--- a/Rules/SuspiciousParentProcessRelationship.yaml
+++ b/Rules/SuspiciousParentProcessRelationship.yaml
@ -45,4 +45,5 @@ entityMappings:
    fieldMappings:
      - identifier: CommandLine
        columnName: ProcessCommandLine
-version: 1.0.0
+version: 1.0.0
+kind: scheduled
--- a/Rules/TrustedDeveloperUtilitiesProxyExecution.yaml
+++ b/Rules/TrustedDeveloperUtilitiesProxyExecution.yaml
@ -43,4 +43,5 @@ entityMappings:
    fieldMappings:
      - identifier: CommandLine
        columnName: ProcessCommandLine
-version: 1.0.0
+version: 1.0.0
+kind: scheduled
--- a/Rules/GCPIAMDisableDataAccessLogging.yaml
+++ b/Rules/GCPIAMDisableDataAccessLogging.yaml
@ -31,3 +31,4 @@ entityMappings:
      - identifier: Address
        columnName: IPCustomEntity
 version: 1.0.0
+kind: scheduled
--- a/Solutions/GoogleCloudPlatformIAM/Analytic
+++ b/Solutions/GoogleCloudPlatformIAM/Analytic
@ -29,3 +29,4 @@ entityMappings:
      - identifier: Address
        columnName: IPCustomEntity
 version: 1.0.0
+kind: scheduled
--- a/Solutions/GoogleCloudPlatformIAM/Analytic
+++ b/Solutions/GoogleCloudPlatformIAM/Analytic
@ -35,3 +35,4 @@ entityMappings:
      - identifier: Address
        columnName: IPCustomEntity
 version: 1.0.0
+kind: scheduled
--- a/Показать больше
+++ b/Показать больше