
Update mainTemplate.json
v-prasadboke committed Oct 23, 2024
1 parent 530557c commit 8a30d5b
Showing 1 changed file with 6 additions and 6 deletions.
12 changes: 6 additions & 6 deletions Solutions/Threat Intelligence/Package/mainTemplate.json
Expand Up @@ -462,7 +462,7 @@
"_analyticRulecontentId49": "47b9bb10-d216-4359-8cef-08ca2c67e5be",
"analyticRuleId49": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', '47b9bb10-d216-4359-8cef-08ca2c67e5be')]",
"analyticRuleTemplateSpecName49": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring('47b9bb10-d216-4359-8cef-08ca2c67e5be')))]",
"_analyticRulecontentProductId49": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','47b9bb10-d216-4359-8cef-08ca2c67e5be','-', '1.0.2')))]"
"_analyticRulecontentProductId49": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','47b9bb10-d216-4359-8cef-08ca2c67e5be','-', '1.0.3')))]"
},
"analyticRuleObject50": {
"analyticRuleVersion50": "1.0.3",
Expand All @@ -472,11 +472,11 @@
"_analyticRulecontentProductId50": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','2f6bbf88-f5b0-49a3-b2b5-97fc3664e4d4','-', '1.0.3')))]"
},
"analyticRuleObject51": {
"analyticRuleVersion51": "1.0.2",
"analyticRuleVersion51": "1.0.3",
"_analyticRulecontentId51": "4e0a6fc8-697e-4455-be47-831b41ea91ac",
"analyticRuleId51": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', '4e0a6fc8-697e-4455-be47-831b41ea91ac')]",
"analyticRuleTemplateSpecName51": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring('4e0a6fc8-697e-4455-be47-831b41ea91ac')))]",
"_analyticRulecontentProductId51": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','4e0a6fc8-697e-4455-be47-831b41ea91ac','-', '1.0.2')))]"
"_analyticRulecontentProductId51": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','4e0a6fc8-697e-4455-be47-831b41ea91ac','-', '1.0.3')))]"
},
"analyticRuleObject52": {
"analyticRuleVersion52": "1.0.3",
Expand Down Expand Up @@ -9143,7 +9143,7 @@
"description": "Identifies compromises and attacks and detect malicious activities in one's email entity from TI",
"displayName": "Preview - TI map Email entity to Cloud App Events",
"enabled": false,
"query": "let dt_lookBack = 10d;\nlet ioc_lookBack = 30d;\nlet emailregex = @'^[a-zA-Z0-9_.+-]+@[a-zA-Z0-9-]+\\.[a-zA-Z0-9-.]+$';\nThreatIntelligenceIndicator\n | where TimeGenerated >= ago(ioc_lookBack)\n | summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId\n | where Active == true and ExpirationDateTime > now()\n | where isnotempty(EmailSenderAddress)\n | join kind=innerunique (CloudAppEvents\n| extend User_Id = tostring(RawEventData.UserId)\n| where User_Id != \"\"\n| where TimeGenerated >= ago(dt_lookBack) and isnotempty(Application)\n| extend CloudAppEvents_TimeGenerated = TimeGenerated \n| extend User_id = tostring(User_Id)\n| where User_id matches regex emailregex) on $left.EmailSenderAddress == $right.User_id\n| where CloudAppEvents_TimeGenerated < ExpirationDateTime\n| summarize CloudAppEvents_TimeGenerated = argmax(CloudAppEvents_TimeGenerated, *) by IndicatorId, User_id\n| extend Name = tostring(split(User_id, '@', 0)[0]), UPNSuffix = tostring(split(User_id, '@', 1)[0])\n| extend timestamp = CloudAppEvents_TimeGenerated\n",
"query": "let dt_lookBack = 10d;\nlet ioc_lookBack = 30d;\nlet emailregex = @'^[a-zA-Z0-9_.+-]+@[a-zA-Z0-9-]+\\.[a-zA-Z0-9-.]+$';\nThreatIntelligenceIndicator\n | where TimeGenerated >= ago(ioc_lookBack)\n | summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId\n | where Active == true and ExpirationDateTime > now()\n | where isnotempty(EmailSenderAddress)\n | join kind=innerunique (CloudAppEvents\n| extend User_Id = tostring(RawEventData.UserId)\n| where isnotempty(User_Id)\n| where TimeGenerated >= ago(dt_lookBack) and isnotempty(Application)\n| extend CloudAppEvents_TimeGenerated = TimeGenerated \n| where User_Id matches regex emailregex) on $left.EmailSenderAddress == $right.User_Id\n| where CloudAppEvents_TimeGenerated < ExpirationDateTime\n| summarize CloudAppEvents_TimeGenerated = argmax(CloudAppEvents_TimeGenerated, *) by IndicatorId, User_Id\n| extend Name = tostring(split(User_Id, '@', 0)[0]), UPNSuffix = tostring(split(User_Id, '@', 1)[0])\n| extend timestamp = CloudAppEvents_TimeGenerated\n",
"queryFrequency": "PT1H",
"queryPeriod": "P14D",
"severity": "Medium",
Expand Down Expand Up @@ -9180,7 +9180,7 @@
"identifier": "DisplayName"
},
{
"columnName": "User_id",
"columnName": "User_Id",
"identifier": "FullName"
},
{
Expand Down Expand Up @@ -9408,7 +9408,7 @@
"description": "Identifies compromises and attacks and detect malicious activities in one's IP entity from TI",
"displayName": "Preview - TI map IP entity to Cloud App Events",
"enabled": false,
"query": "let dt_lookBack = 1d;\nlet ioc_lookBack = 14d; \nlet IP_Indicators = ThreatIntelligenceIndicator\n | where TimeGenerated >= ago(ioc_lookBack)\n | summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId\n | where Active == true and ExpirationDateTime > now()\n | where isnotempty(NetworkIP)\nor isnotempty(EmailSourceIpAddress)\nor isnotempty(NetworkDestinationIP)\nor isnotempty(NetworkSourceIP)\n | extend TI_ipEntity = iff(isnotempty(NetworkIP), NetworkIP, NetworkDestinationIP)\n | extend TIipEntity = iff(isempty(TI_ipEntity) and isnotempty(NetworkSourceIP), NetworkSourceIP, TI_ipEntity)\n | extend TIipEntity = iff(isempty(TI_ipEntity) and isnotempty(EmailSourceIpAddress), EmailSourceIpAddress, TI_ipEntity);\nIP_Indicators\n | join kind=innerunique (\n CloudAppEvents\n | where TimeGenerated >= ago(dt_lookBack)\n | extend CloudAppEvents_TimeGenerated = TimeGenerated) on $left.TI_ipEntity == $right.IPAddress\n | where CloudAppEvents_TimeGenerated < ExpirationDateTime\n | summarize CloudAppEventsTimeGenerated = argmax(CloudAppEvents_TimeGenerated, *) by IndicatorId, IPAddress\n | extend\n Description = max_CloudAppEvents_TimeGenerated_Description,\n ActivityGroupNames = max_CloudAppEvents_TimeGenerated_ActivityGroupNames,\n ThreatType = max_CloudAppEvents_TimeGenerated_ThreatType,\n ExpirationDateTime = max_CloudAppEvents_TimeGenerated_ExpirationDateTime,\n ConfidenceScore = max_CloudAppEvents_TimeGenerated_ConfidenceScore,\n TI_ipEntity = max_CloudAppEvents_TimeGenerated_TI_ipEntity,\n NetworkDestinationIP = max_CloudAppEvents_TimeGenerated_NetworkDestinationIP,\n NetworkSourceIP = max_CloudAppEvents_TimeGenerated_NetworkSourceIP,\n EmailSourceIPAddress = max_CloudAppEvents_TimeGenerated_EmailSourceIpAddress\n | project CloudAppEventsTimeGenerated, Description, ActivityGroupNames, IndicatorId, ThreatType, ExpirationDateTime, ConfidenceScore, TI_ipEntity, NetworkDestinationIP, NetworkSourceIP, EmailSourceIPAddress\n",
"query": "let dt_lookBack = 1d;\nlet ioc_lookBack = 14d; \nlet IP_Indicators = ThreatIntelligenceIndicator\n | where TimeGenerated >= ago(ioc_lookBack)\n | summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId\n | where Active == true and ExpirationDateTime > now()\n | where isnotempty(NetworkIP)\nor isnotempty(EmailSourceIpAddress)\nor isnotempty(NetworkDestinationIP)\nor isnotempty(NetworkSourceIP)\n | extend TI_ipEntity = iff(isnotempty(NetworkIP), NetworkIP, NetworkDestinationIP)\n | extend TIipEntity = iff(isempty(TI_ipEntity) and isnotempty(NetworkSourceIP), NetworkSourceIP, TI_ipEntity)\n | extend TIipEntity = iff(isempty(TI_ipEntity) and isnotempty(EmailSourceIpAddress), EmailSourceIpAddress, TI_ipEntity);\nIP_Indicators\n | join kind=innerunique (\n CloudAppEvents\n | where isnotempty(IPAddress)\n | where TimeGenerated >= ago(dt_lookBack)\n | extend CloudAppEvents_TimeGenerated = TimeGenerated) on $left.TI_ipEntity == $right.IPAddress\n | where CloudAppEvents_TimeGenerated < ExpirationDateTime\n | summarize CloudAppEventsTimeGenerated = argmax(CloudAppEvents_TimeGenerated, *) by IndicatorId, IPAddress\n | extend\n Description = max_CloudAppEvents_TimeGenerated_Description,\n ActivityGroupNames = max_CloudAppEvents_TimeGenerated_ActivityGroupNames,\n ThreatType = max_CloudAppEvents_TimeGenerated_ThreatType,\n ExpirationDateTime = max_CloudAppEvents_TimeGenerated_ExpirationDateTime,\n ConfidenceScore = max_CloudAppEvents_TimeGenerated_ConfidenceScore,\n TI_ipEntity = max_CloudAppEvents_TimeGenerated_TI_ipEntity,\n NetworkDestinationIP = max_CloudAppEvents_TimeGenerated_NetworkDestinationIP,\n NetworkSourceIP = max_CloudAppEvents_TimeGenerated_NetworkSourceIP,\n EmailSourceIPAddress = max_CloudAppEvents_TimeGenerated_EmailSourceIpAddress\n | project CloudAppEventsTimeGenerated, Description, ActivityGroupNames, IndicatorId, ThreatType, ExpirationDateTime, ConfidenceScore, TI_ipEntity, NetworkDestinationIP, NetworkSourceIP, 
EmailSourceIPAddress\n",
"queryFrequency": "PT1H",
"queryPeriod": "P14D",
"severity": "Medium",
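Review bot: In the IP-entity query of the 9408 hunk (the `query` line that carries the new `| where isnotempty(IPAddress)` guard), the two fallback extends assign `TIipEntity` while the first extend and the join key use `TI_ipEntity`, so indicators that carry only `NetworkSourceIP` or `EmailSourceIpAddress` never populate the joined column and silently never match; the fix is to rename both fallbacks to the joined column, `| extend TI_ipEntity = iff(isempty(TI_ipEntity) and isnotempty(NetworkSourceIP), NetworkSourceIP, TI_ipEntity)` and `| extend TI_ipEntity = iff(isempty(TI_ipEntity) and isnotempty(EmailSourceIpAddress), EmailSourceIpAddress, TI_ipEntity)`. The mismatch appears to predate this commit, but it sits on the line under review and the added guard does not change it. In the email-entity query of the 9143 hunk (the line with `isnotempty(User_Id)`), the join `$left.EmailSenderAddress == $right.User_Id` is a case-sensitive string comparison, so an indicator and an event whose addresses differ only in case will not match; normalizing both keys before the join, e.g. `| extend User_Id = tolower(tostring(RawEventData.UserId))` on the right side and a matching `tolower(EmailSenderAddress)` on the left, would close that gap without altering the entity mapping, which already reads `User_Id`. In the 462 hunk the product-id hash for rule 49 now embeds '1.0.3', while its `analyticRuleVersion49` line lies above the hunk, so it is worth confirming that version was bumped to match, as `analyticRuleVersion51` visibly was.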
