diff --git a/Solutions/Malware Protection Essentials/Analytic Rules/SuspiciousProcessCreation.yaml b/Solutions/Malware Protection Essentials/Analytic Rules/SuspiciousProcessCreation.yaml
index af2a642b0a..e276982e5c 100644
--- a/Solutions/Malware Protection Essentials/Analytic Rules/SuspiciousProcessCreation.yaml
+++ b/Solutions/Malware Protection Essentials/Analytic Rules/SuspiciousProcessCreation.yaml
@@ -42,22 +42,19 @@ relevantTechniques:
 query: |
 _ASim_ProcessEvent
 | where EventType == 'ProcessCreated'
- | extend CommandLineArgs = todynamic(array_slice(split(CommandLine, " "), 1, -1))
+ | extend CommandLineArgs = strcat_array(array_slice(split(CommandLine, " "), 1, -1), " ")
 | where strlen(CommandLineArgs) > 0
- | mv-apply CommandLineArgs on
- (
- where CommandLineArgs contains "base64"
- )
+ | where CommandLineArgs contains "base64"
 | project
- TimeGenerated,
- DvcHostname,
- DvcIpAddr,
- DvcDomain,
- TargetUsername,
- TargetUsernameType,
- TargetProcessName,
- TargetProcessId,
- CommandLine
+ TimeGenerated,
+ DvcHostname,
+ DvcIpAddr,
+ DvcDomain,
+ TargetUsername,
+ TargetUsernameType,
+ TargetProcessName,
+ TargetProcessId,
+ CommandLine
 | extend Username = iff(tostring(TargetUsernameType) == 'Windows', tostring(split(TargetUsername, '\\')[1]), TargetUsername)
 | extend NTDomain = iff(tostring(TargetUsernameType) == 'Windows', tostring(split(TargetUsername, '\\')[0]), TargetUsername)
 | extend Username = iff(tostring(TargetUsernameType) == 'UPN', tostring(split(TargetUsername, '@')[0]), Username)
@@ -94,5 +91,5 @@ eventGroupingSettings:
 alertDetailsOverride:
 alertDisplayNameFormat: "Process with suspicious command line arguments was created on {{DvcHostname}} ({{DvcIpAddr}}) by ({{TargetUsername}})"
 alertDescriptionFormat: "Process '{{TargetProcessName}}' ProcessId: '{{TargetProcessId}}' with commandline {{CommandLine}} was created."
-version: 1.0.0
+version: 1.0.1
 kind: Scheduled
\ No newline at end of file
diff --git a/Solutions/Malware Protection Essentials/Data/Solution_MalwareProtectionEssentials.json b/Solutions/Malware Protection Essentials/Data/Solution_MalwareProtectionEssentials.json
index 9b2ae8d285..c60bdcd7f7 100644
--- a/Solutions/Malware Protection Essentials/Data/Solution_MalwareProtectionEssentials.json
+++ b/Solutions/Malware Protection Essentials/Data/Solution_MalwareProtectionEssentials.json
@@ -28,7 +28,7 @@
 ],
 "WorkbooksDescription": "This workbook provides details about Suspicious Malware Activities from File, Process and Registry events generated by EDR (Endpoint Detection and Response) solutions.",
 "BasePath": "C:\\Github\\Azure-Sentinel\\Solutions\\Malware Protection Essentials\\",
-"Version": "3.0.0",
+"Version": "3.0.1",
 "Metadata": "SolutionMetadata.json",
 "TemplateSpec": true,
 "Is1PConnector": false
diff --git a/Solutions/Malware Protection Essentials/Package/3.0.1.zip b/Solutions/Malware Protection Essentials/Package/3.0.1.zip
new file mode 100644
index 0000000000..f6e72dbf7e
Binary files /dev/null and b/Solutions/Malware Protection Essentials/Package/3.0.1.zip differ
diff --git a/Solutions/Malware Protection Essentials/Package/mainTemplate.json b/Solutions/Malware Protection Essentials/Package/mainTemplate.json
index 99a590341f..ce74f16691 100644
--- a/Solutions/Malware Protection Essentials/Package/mainTemplate.json
+++ b/Solutions/Malware Protection Essentials/Package/mainTemplate.json
@@ -49,7 +49,7 @@
 "email": "support@microsoft.com",
 "_email": "[variables('email')]",
 "_solutionName": "Malware Protection Essentials",
-"_solutionVersion": "3.0.0",
+"_solutionVersion": "3.0.1",
 "solutionId": "azuresentinel.azure-sentinel-solution-malwareprotection",
 "_solutionId": "[variables('solutionId')]",
 "analyticRuleObject1": {
@@ -67,11 +67,11 @@
 "_analyticRulecontentProductId2": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','7edde3d4-9859-4a00-b93c-b19ddda55320','-', '1.0.0')))]"
 },
 "analyticRuleObject3": {
-"analyticRuleVersion3": "1.0.0",
+"analyticRuleVersion3": "1.0.1",
 "_analyticRulecontentId3": "fdbcc0eb-44fb-467e-a51d-a91df0780a81",
 "analyticRuleId3": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', 'fdbcc0eb-44fb-467e-a51d-a91df0780a81')]",
 "analyticRuleTemplateSpecName3": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring('fdbcc0eb-44fb-467e-a51d-a91df0780a81')))]",
-"_analyticRulecontentProductId3": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','fdbcc0eb-44fb-467e-a51d-a91df0780a81','-', '1.0.0')))]"
+"_analyticRulecontentProductId3": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','fdbcc0eb-44fb-467e-a51d-a91df0780a81','-', '1.0.1')))]"
 },
 "analyticRuleObject4": {
 "analyticRuleVersion4": "1.0.0",
@@ -145,7 +145,7 @@
 "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
 ],
 "properties": {
-"description": "StartupRegistryModified_AnalyticalRules Analytics Rule with template version 3.0.0",
+"description": "StartupRegistryModified_AnalyticalRules Analytics Rule with template version 3.0.1",
 "mainTemplate": {
 "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
 "contentVersion": "[variables('analyticRuleObject1').analyticRuleVersion1]",
@@ -155,7 +155,7 @@ { "type": "Microsoft.SecurityInsights/AlertRuleTemplates", "name": "[variables('analyticRuleObject1')._analyticRulecontentId1]", - "apiVersion": "2022-04-01-preview", + "apiVersion": "2023-02-01-preview", "kind": "Scheduled", "location": "[parameters('workspace-location')]", "properties": { @@ -173,46 +173,46 @@ "status": "Available", "requiredDataConnectors": [ { - "connectorId": "CrowdStrikeFalconEndpointProtection", "dataTypes": [ "CommonSecurityLog" - ] + ], + "connectorId": "CrowdStrikeFalconEndpointProtection" }, { - "connectorId": "MicrosoftThreatProtection", "dataTypes": [ "SecurityAlert" - ] + ], + "connectorId": "MicrosoftThreatProtection" }, { - "connectorId": "SentinelOne", "dataTypes": [ "SentinelOne_CL" - ] + ], + "connectorId": "SentinelOne" }, { - "connectorId": "VMwareCarbonBlack", "dataTypes": [ "CarbonBlackEvents_CL" - ] + ], + "connectorId": "VMwareCarbonBlack" }, { - "connectorId": "CiscoSecureEndpoint", "dataTypes": [ "CiscoSecureEndpoint_CL" - ] + ], + "connectorId": "CiscoSecureEndpoint" }, { - "connectorId": "TrendMicroApexOne", "dataTypes": [ "TMApexOneEvent" - ] + ], + "connectorId": "TrendMicroApexOne" }, { - "connectorId": "TrendMicroApexOneAma", "dataTypes": [ "TMApexOneEvent" - ] + ], + "connectorId": "TrendMicroApexOneAma" } ], "tactics": [ @@ -228,16 +228,16 @@ { "fieldMappings": [ { - "columnName": "HostName", - "identifier": "HostName" + "identifier": "HostName", + "columnName": "HostName" }, { - "columnName": "DnsDomain", - "identifier": "DnsDomain" + "identifier": "DnsDomain", + "columnName": "DnsDomain" }, { - "columnName": "NTDomain", - "identifier": "NTDomain" + "identifier": "NTDomain", + "columnName": "NTDomain" } ], "entityType": "Host" 
@@ -245,16 +245,16 @@ { "fieldMappings": [ { - "columnName": "Username", - "identifier": "Name" + "identifier": "Name", + "columnName": "Username" }, { - "columnName": "UPNSuffix", - "identifier": "UPNSuffix" + "identifier": "UPNSuffix", + "columnName": "UPNSuffix" }, { - "columnName": "NTDomain", - "identifier": "NTDomain" + "identifier": "NTDomain", + "columnName": "NTDomain" } ], "entityType": "Account" @@ -262,12 +262,12 @@ { "fieldMappings": [ { - "columnName": "ActingProcessId", - "identifier": "ProcessId" + "identifier": "ProcessId", + "columnName": "ActingProcessId" }, { - "columnName": "ActingProcessCommandLine", - "identifier": "CommandLine" + "identifier": "CommandLine", + "columnName": "ActingProcessCommandLine" } ], "entityType": "Process" @@ -275,12 +275,12 @@ { "fieldMappings": [ { - "columnName": "RegHive", - "identifier": "Hive" + "identifier": "Hive", + "columnName": "RegHive" }, { - "columnName": "RegKey", - "identifier": "Key" + "identifier": "Key", + "columnName": "RegKey" } ], "entityType": "RegistryKey" @@ -288,16 +288,16 @@ { "fieldMappings": [ { - "columnName": "RegistryValue", - "identifier": "Name" + "identifier": "Name", + "columnName": "RegistryValue" }, { - "columnName": "RegistryValueData", - "identifier": "Value" + "identifier": "Value", + "columnName": "RegistryValueData" }, { - "columnName": "RegistryValueType", - "identifier": "ValueType" + "identifier": "ValueType", + "columnName": "RegistryValueType" } ], "entityType": "RegistryValue" 
@@ -363,7 +363,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "PrintProcessersModified_AnalyticalRules Analytics Rule with template version 3.0.0", + "description": "PrintProcessersModified_AnalyticalRules Analytics Rule with template version 3.0.1", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('analyticRuleObject2').analyticRuleVersion2]", @@ -373,7 +373,7 @@ { "type": "Microsoft.SecurityInsights/AlertRuleTemplates", "name": "[variables('analyticRuleObject2')._analyticRulecontentId2]", - "apiVersion": "2022-04-01-preview", + "apiVersion": "2023-02-01-preview", "kind": "Scheduled", "location": "[parameters('workspace-location')]", "properties": { @@ -391,46 +391,46 @@ "status": "Available", "requiredDataConnectors": [ { - "connectorId": "CrowdStrikeFalconEndpointProtection", "dataTypes": [ "CommonSecurityLog" - ] + ], + "connectorId": "CrowdStrikeFalconEndpointProtection" }, { - "connectorId": "MicrosoftThreatProtection", "dataTypes": [ "SecurityAlert" - ] + ], + "connectorId": "MicrosoftThreatProtection" }, { - "connectorId": "SentinelOne", "dataTypes": [ "SentinelOne_CL" - ] + ], + "connectorId": "SentinelOne" }, { - "connectorId": "VMwareCarbonBlack", "dataTypes": [ "CarbonBlackEvents_CL" - ] + ], + "connectorId": "VMwareCarbonBlack" }, { - "connectorId": "CiscoSecureEndpoint", "dataTypes": [ "CiscoSecureEndpoint_CL" - ] + ], + "connectorId": "CiscoSecureEndpoint" }, { - "connectorId": "TrendMicroApexOne", "dataTypes": [ "TMApexOneEvent" - ] + ], + "connectorId": "TrendMicroApexOne" }, { - "connectorId": "TrendMicroApexOneAma", "dataTypes": [ "TMApexOneEvent" - ] + ], + "connectorId": "TrendMicroApexOneAma" } ], "tactics": [ 
@@ -444,16 +444,16 @@ { "fieldMappings": [ { - "columnName": "HostName", - "identifier": "HostName" + "identifier": "HostName", + "columnName": "HostName" }, { - "columnName": "DnsDomain", - "identifier": "DnsDomain" + "identifier": "DnsDomain", + "columnName": "DnsDomain" }, { - "columnName": "NTDomain", - "identifier": "NTDomain" + "identifier": "NTDomain", + "columnName": "NTDomain" } ], "entityType": "Host" @@ -461,16 +461,16 @@ { "fieldMappings": [ { - "columnName": "Username", - "identifier": "Name" + "identifier": "Name", + "columnName": "Username" }, { - "columnName": "UPNSuffix", - "identifier": "UPNSuffix" + "identifier": "UPNSuffix", + "columnName": "UPNSuffix" }, { - "columnName": "NTDomain", - "identifier": "NTDomain" + "identifier": "NTDomain", + "columnName": "NTDomain" } ], "entityType": "Account" @@ -478,12 +478,12 @@ { "fieldMappings": [ { - "columnName": "ActingProcessId", - "identifier": "ProcessId" + "identifier": "ProcessId", + "columnName": "ActingProcessId" }, { - "columnName": "ActingProcessCommandLine", - "identifier": "CommandLine" + "identifier": "CommandLine", + "columnName": "ActingProcessCommandLine" } ], "entityType": "Process" @@ -491,12 +491,12 @@ { "fieldMappings": [ { - "columnName": "RegHive", - "identifier": "Hive" + "identifier": "Hive", + "columnName": "RegHive" }, { - "columnName": "RegKey", - "identifier": "Key" + "identifier": "Key", + "columnName": "RegKey" } ], "entityType": "RegistryKey" @@ -504,16 +504,16 @@ { "fieldMappings": [ { - "columnName": "RegistryValue", - "identifier": "Name" + "identifier": "Name", + "columnName": "RegistryValue" }, { - "columnName": "RegistryValueData", - "identifier": "Value" + "identifier": "Value", + "columnName": "RegistryValueData" }, { - "columnName": "RegistryValueType", - "identifier": "ValueType" + "identifier": "ValueType", + "columnName": "RegistryValueType" } ], "entityType": "RegistryValue" 
@@ -579,7 +579,7 @@
 "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
 ],
 "properties": {
-"description": "SuspiciousProcessCreation_AnalyticalRules Analytics Rule with template version 3.0.0",
+"description": "SuspiciousProcessCreation_AnalyticalRules Analytics Rule with template version 3.0.1",
 "mainTemplate": {
 "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
 "contentVersion": "[variables('analyticRuleObject3').analyticRuleVersion3]",
@@ -589,14 +589,14 @@ { "type": "Microsoft.SecurityInsights/AlertRuleTemplates", "name": "[variables('analyticRuleObject3')._analyticRulecontentId3]", - "apiVersion": "2022-04-01-preview", + "apiVersion": "2023-02-01-preview", "kind": "Scheduled", "location": "[parameters('workspace-location')]", "properties": { "description": "This analytic rule detects process creation events with base64 encoded command line arguments. This could be an indication of a malicious process being executed.", "displayName": "Process Creation with Suspicious CommandLine Arguments", "enabled": false, - "query": "_ASim_ProcessEvent\n| where EventType == 'ProcessCreated'\n| extend CommandLineArgs = todynamic(array_slice(split(CommandLine, \" \"), 1, -1))\n| where strlen(CommandLineArgs) > 0\n| mv-apply CommandLineArgs on \n (\n where CommandLineArgs contains \"base64\"\n )\n| project\n TimeGenerated,\n DvcHostname,\n DvcIpAddr,\n DvcDomain,\n TargetUsername,\n TargetUsernameType,\n TargetProcessName,\n TargetProcessId,\n CommandLine\n| extend Username = iff(tostring(TargetUsernameType) == 'Windows', tostring(split(TargetUsername, '\\\\')[1]), TargetUsername)\n| extend NTDomain = iff(tostring(TargetUsernameType) == 'Windows', tostring(split(TargetUsername, '\\\\')[0]), TargetUsername)\n| extend Username = iff(tostring(TargetUsernameType) == 'UPN', tostring(split(TargetUsername, '@')[0]), Username)\n| extend UPNSuffix = iff(tostring(TargetUsernameType) == 'UPN', tostring(split(TargetUsername, '@')[1]), '')\n", + "query": "_ASim_ProcessEvent\n| where EventType == 'ProcessCreated'\n| extend CommandLineArgs = strcat_array(array_slice(split(CommandLine, \" \"), 1, -1), \" \")\n| where strlen(CommandLineArgs) > 0\n| where CommandLineArgs contains \"base64\"\n| project\nTimeGenerated,\nDvcHostname,\nDvcIpAddr,\nDvcDomain,\nTargetUsername,\nTargetUsernameType,\nTargetProcessName,\nTargetProcessId,\nCommandLine\n| extend Username = iff(tostring(TargetUsernameType) == 'Windows', 
tostring(split(TargetUsername, '\\\\')), TargetUsername)\n| extend NTDomain = iff(tostring(TargetUsernameType) == 'Windows', tostring(split(TargetUsername, '\\\\')), TargetUsername)\n| extend Username = iff(tostring(TargetUsernameType) == 'UPN', tostring(split(TargetUsername, '@')), Username)\n| extend UPNSuffix = iff(tostring(TargetUsernameType) == 'UPN', tostring(split(TargetUsername, '@')), '')\n", "queryFrequency": "PT1H", "queryPeriod": "PT1H", "severity": "Medium", @@ -607,46 +607,46 @@ "status": "Available", "requiredDataConnectors": [ { - "connectorId": "CrowdStrikeFalconEndpointProtection", "dataTypes": [ "CommonSecurityLog" - ] + ], + "connectorId": "CrowdStrikeFalconEndpointProtection" }, { - "connectorId": "MicrosoftThreatProtection", "dataTypes": [ "SecurityAlert" - ] + ], + "connectorId": "MicrosoftThreatProtection" }, { - "connectorId": "SentinelOne", "dataTypes": [ "SentinelOne_CL" - ] + ], + "connectorId": "SentinelOne" }, { - "connectorId": "VMwareCarbonBlack", "dataTypes": [ "CarbonBlackEvents_CL" - ] + ], + "connectorId": "VMwareCarbonBlack" }, { - "connectorId": "CiscoSecureEndpoint", "dataTypes": [ "CiscoSecureEndpoint_CL" - ] + ], + "connectorId": "CiscoSecureEndpoint" }, { - "connectorId": "TrendMicroApexOne", "dataTypes": [ "TMApexOneEvent" - ] + ], + "connectorId": "TrendMicroApexOne" }, { - "connectorId": "TrendMicroApexOneAma", "dataTypes": [ "TMApexOneEvent" - ] + ], + "connectorId": "TrendMicroApexOneAma" } ], "tactics": [ @@ -661,16 +661,16 @@ { "fieldMappings": [ { - "columnName": "DvcHostname", - "identifier": "HostName" + "identifier": "HostName", + "columnName": "DvcHostname" }, { - "columnName": "DvcDomain", - "identifier": "DnsDomain" + "identifier": "DnsDomain", + "columnName": "DvcDomain" }, { - "columnName": "NTDomain", - "identifier": "NTDomain" + "identifier": "NTDomain", + "columnName": "NTDomain" } ], "entityType": "Host" 
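Review bot: The new-side `query` string in this hunk drops the element indices from the account-splitting extends: it now reads `tostring(split(TargetUsername, '\\\\'))` where the YAML hunk for SuspiciousProcessCreation.yaml in this same commit still has `tostring(split(TargetUsername, '\\\\')[1])`, and the same loss affects the `[0]` NTDomain case and the `[0]`/`[1]` UPN cases. With the indices gone, Username, NTDomain and UPNSuffix each become the string rendering of the whole split array rather than one element, so the Account entity mapping (Name, UPNSuffix, NTDomain) declared further down in this resource will be populated with array text and incidents will not correlate on the account. This looks like a packaging artifact rather than an intended change, so mainTemplate.json should be regenerated from the rule YAML so that the four extends match it, e.g. `| extend Username = iff(tostring(TargetUsernameType) == 'Windows', tostring(split(TargetUsername, '\\\\')[1]), TargetUsername)`. The enclosing AlertRuleTemplates resource and its properties object continue outside this hunk.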
@@ -678,8 +678,8 @@ { "fieldMappings": [ { - "columnName": "DvcIpAddr", - "identifier": "Address" + "identifier": "Address", + "columnName": "DvcIpAddr" } ], "entityType": "IP" @@ -687,16 +687,16 @@ { "fieldMappings": [ { - "columnName": "Username", - "identifier": "Name" + "identifier": "Name", + "columnName": "Username" }, { - "columnName": "UPNSuffix", - "identifier": "UPNSuffix" + "identifier": "UPNSuffix", + "columnName": "UPNSuffix" }, { - "columnName": "NTDomain", - "identifier": "NTDomain" + "identifier": "NTDomain", + "columnName": "NTDomain" } ], "entityType": "Account" @@ -704,12 +704,12 @@ { "fieldMappings": [ { - "columnName": "TargetProcessId", - "identifier": "ProcessId" + "identifier": "ProcessId", + "columnName": "TargetProcessId" }, { - "columnName": "CommandLine", - "identifier": "CommandLine" + "identifier": "CommandLine", + "columnName": "CommandLine" } ], "entityType": "Process" @@ -775,7 +775,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "BackupDeletionDetected_AnalyticalRules Analytics Rule with template version 3.0.0", + "description": "BackupDeletionDetected_AnalyticalRules Analytics Rule with template version 3.0.1", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('analyticRuleObject4').analyticRuleVersion4]", @@ -785,7 +785,7 @@ { "type": "Microsoft.SecurityInsights/AlertRuleTemplates", "name": "[variables('analyticRuleObject4')._analyticRulecontentId4]", - "apiVersion": "2022-04-01-preview", + "apiVersion": "2023-02-01-preview", "kind": "Scheduled", "location": "[parameters('workspace-location')]", "properties": { 
@@ -803,46 +803,46 @@ "status": "Available", "requiredDataConnectors": [ { - "connectorId": "CrowdStrikeFalconEndpointProtection", "dataTypes": [ "CommonSecurityLog" - ] + ], + "connectorId": "CrowdStrikeFalconEndpointProtection" }, { - "connectorId": "MicrosoftThreatProtection", "dataTypes": [ "SecurityAlert" - ] + ], + "connectorId": "MicrosoftThreatProtection" }, { - "connectorId": "SentinelOne", "dataTypes": [ "SentinelOne_CL" - ] + ], + "connectorId": "SentinelOne" }, { - "connectorId": "VMwareCarbonBlack", "dataTypes": [ "CarbonBlackEvents_CL" - ] + ], + "connectorId": "VMwareCarbonBlack" }, { - "connectorId": "CiscoSecureEndpoint", "dataTypes": [ "CiscoSecureEndpoint_CL" - ] + ], + "connectorId": "CiscoSecureEndpoint" }, { - "connectorId": "TrendMicroApexOne", "dataTypes": [ "TMApexOneEvent" - ] + ], + "connectorId": "TrendMicroApexOne" }, { - "connectorId": "TrendMicroApexOneAma", "dataTypes": [ "TMApexOneEvent" - ] + ], + "connectorId": "TrendMicroApexOneAma" } ], "tactics": [ @@ -855,16 +855,16 @@ { "fieldMappings": [ { - "columnName": "DvcHostname", - "identifier": "HostName" + "identifier": "HostName", + "columnName": "DvcHostname" }, { - "columnName": "DvcDomain", - "identifier": "DnsDomain" + "identifier": "DnsDomain", + "columnName": "DvcDomain" }, { - "columnName": "NTDomain", - "identifier": "NTDomain" + "identifier": "NTDomain", + "columnName": "NTDomain" } ], "entityType": "Host" @@ -872,8 +872,8 @@ { "fieldMappings": [ { - "columnName": "DvcIpAddr", - "identifier": "Address" + "identifier": "Address", + "columnName": "DvcIpAddr" } ], "entityType": "IP" 
@@ -881,16 +881,16 @@ { "fieldMappings": [ { - "columnName": "Username", - "identifier": "Name" + "identifier": "Name", + "columnName": "Username" }, { - "columnName": "UPNSuffix", - "identifier": "UPNSuffix" + "identifier": "UPNSuffix", + "columnName": "UPNSuffix" }, { - "columnName": "NTDomain", - "identifier": "NTDomain" + "identifier": "NTDomain", + "columnName": "NTDomain" } ], "entityType": "Account" @@ -898,12 +898,12 @@ { "fieldMappings": [ { - "columnName": "TargetProcessId", - "identifier": "ProcessId" + "identifier": "ProcessId", + "columnName": "TargetProcessId" }, { - "columnName": "CommandLine", - "identifier": "CommandLine" + "identifier": "CommandLine", + "columnName": "CommandLine" } ], "entityType": "Process" @@ -969,7 +969,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "WindowsUpdateDisabled_AnalyticalRules Analytics Rule with template version 3.0.0", + "description": "WindowsUpdateDisabled_AnalyticalRules Analytics Rule with template version 3.0.1", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('analyticRuleObject5').analyticRuleVersion5]", @@ -979,7 +979,7 @@ { "type": "Microsoft.SecurityInsights/AlertRuleTemplates", "name": "[variables('analyticRuleObject5')._analyticRulecontentId5]", - "apiVersion": "2022-04-01-preview", + "apiVersion": "2023-02-01-preview", "kind": "Scheduled", "location": "[parameters('workspace-location')]", "properties": { 
@@ -997,46 +997,46 @@ "status": "Available", "requiredDataConnectors": [ { - "connectorId": "CrowdStrikeFalconEndpointProtection", "dataTypes": [ "CommonSecurityLog" - ] + ], + "connectorId": "CrowdStrikeFalconEndpointProtection" }, { - "connectorId": "MicrosoftThreatProtection", "dataTypes": [ "SecurityAlert" - ] + ], + "connectorId": "MicrosoftThreatProtection" }, { - "connectorId": "SentinelOne", "dataTypes": [ "SentinelOne_CL" - ] + ], + "connectorId": "SentinelOne" }, { - "connectorId": "VMwareCarbonBlack", "dataTypes": [ "CarbonBlackEvents_CL" - ] + ], + "connectorId": "VMwareCarbonBlack" }, { - "connectorId": "CiscoSecureEndpoint", "dataTypes": [ "CiscoSecureEndpoint_CL" - ] + ], + "connectorId": "CiscoSecureEndpoint" }, { - "connectorId": "TrendMicroApexOne", "dataTypes": [ "TMApexOneEvent" - ] + ], + "connectorId": "TrendMicroApexOne" }, { - "connectorId": "TrendMicroApexOneAma", "dataTypes": [ "TMApexOneEvent" - ] + ], + "connectorId": "TrendMicroApexOneAma" } ], "tactics": [ @@ -1049,16 +1049,16 @@ { "fieldMappings": [ { - "columnName": "HostName", - "identifier": "HostName" + "identifier": "HostName", + "columnName": "HostName" }, { - "columnName": "DnsDomain", - "identifier": "DnsDomain" + "identifier": "DnsDomain", + "columnName": "DnsDomain" }, { - "columnName": "NTDomain", - "identifier": "NTDomain" + "identifier": "NTDomain", + "columnName": "NTDomain" } ], "entityType": "Host" @@ -1066,16 +1066,16 @@ { "fieldMappings": [ { - "columnName": "Username", - "identifier": "Name" + "identifier": "Name", + "columnName": "Username" }, { - "columnName": "UPNSuffix", - "identifier": "UPNSuffix" + "identifier": "UPNSuffix", + "columnName": "UPNSuffix" }, { - "columnName": "NTDomain", - "identifier": "NTDomain" + "identifier": "NTDomain", + "columnName": "NTDomain" } ], "entityType": "Account" 
@@ -1083,12 +1083,12 @@ { "fieldMappings": [ { - "columnName": "ActingProcessId", - "identifier": "ProcessId" + "identifier": "ProcessId", + "columnName": "ActingProcessId" }, { - "columnName": "ActingProcessCommandLine", - "identifier": "CommandLine" + "identifier": "CommandLine", + "columnName": "ActingProcessCommandLine" } ], "entityType": "Process" @@ -1096,12 +1096,12 @@ { "fieldMappings": [ { - "columnName": "RegHive", - "identifier": "Hive" + "identifier": "Hive", + "columnName": "RegHive" }, { - "columnName": "RegKey", - "identifier": "Key" + "identifier": "Key", + "columnName": "RegKey" } ], "entityType": "RegistryKey" @@ -1109,16 +1109,16 @@ { "fieldMappings": [ { - "columnName": "RegistryValue", - "identifier": "Name" + "identifier": "Name", + "columnName": "RegistryValue" }, { - "columnName": "RegistryValueData", - "identifier": "Value" + "identifier": "Value", + "columnName": "RegistryValueData" }, { - "columnName": "RegistryValueType", - "identifier": "ValueType" + "identifier": "ValueType", + "columnName": "RegistryValueType" } ], "entityType": "RegistryValue" @@ -1184,7 +1184,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "WindowsAllowFirewallRuleAdded_AnalyticalRules Analytics Rule with template version 3.0.0", + "description": "WindowsAllowFirewallRuleAdded_AnalyticalRules Analytics Rule with template version 3.0.1", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('analyticRuleObject6').analyticRuleVersion6]", 
@@ -1194,7 +1194,7 @@ { "type": "Microsoft.SecurityInsights/AlertRuleTemplates", "name": "[variables('analyticRuleObject6')._analyticRulecontentId6]", - "apiVersion": "2022-04-01-preview", + "apiVersion": "2023-02-01-preview", "kind": "Scheduled", "location": "[parameters('workspace-location')]", "properties": { @@ -1212,46 +1212,46 @@ "status": "Available", "requiredDataConnectors": [ { - "connectorId": "CrowdStrikeFalconEndpointProtection", "dataTypes": [ "CommonSecurityLog" - ] + ], + "connectorId": "CrowdStrikeFalconEndpointProtection" }, { - "connectorId": "MicrosoftThreatProtection", "dataTypes": [ "SecurityAlert" - ] + ], + "connectorId": "MicrosoftThreatProtection" }, { - "connectorId": "SentinelOne", "dataTypes": [ "SentinelOne_CL" - ] + ], + "connectorId": "SentinelOne" }, { - "connectorId": "VMwareCarbonBlack", "dataTypes": [ "CarbonBlackEvents_CL" - ] + ], + "connectorId": "VMwareCarbonBlack" }, { - "connectorId": "CiscoSecureEndpoint", "dataTypes": [ "CiscoSecureEndpoint_CL" - ] + ], + "connectorId": "CiscoSecureEndpoint" }, { - "connectorId": "TrendMicroApexOne", "dataTypes": [ "TMApexOneEvent" - ] + ], + "connectorId": "TrendMicroApexOne" }, { - "connectorId": "TrendMicroApexOneAma", "dataTypes": [ "TMApexOneEvent" - ] + ], + "connectorId": "TrendMicroApexOneAma" } ], "tactics": [ @@ -1264,16 +1264,16 @@ { "fieldMappings": [ { - "columnName": "HostName", - "identifier": "HostName" + "identifier": "HostName", + "columnName": "HostName" }, { - "columnName": "DnsDomain", - "identifier": "DnsDomain" + "identifier": "DnsDomain", + "columnName": "DnsDomain" }, { - "columnName": "NTDomain", - "identifier": "NTDomain" + "identifier": "NTDomain", + "columnName": "NTDomain" } ], "entityType": "Host" 
@@ -1281,16 +1281,16 @@ { "fieldMappings": [ { - "columnName": "Username", - "identifier": "Name" + "identifier": "Name", + "columnName": "Username" }, { - "columnName": "UPNSuffix", - "identifier": "UPNSuffix" + "identifier": "UPNSuffix", + "columnName": "UPNSuffix" }, { - "columnName": "NTDomain", - "identifier": "NTDomain" + "identifier": "NTDomain", + "columnName": "NTDomain" } ], "entityType": "Account" @@ -1298,12 +1298,12 @@ { "fieldMappings": [ { - "columnName": "ActingProcessId", - "identifier": "ProcessId" + "identifier": "ProcessId", + "columnName": "ActingProcessId" }, { - "columnName": "ActingProcessCommandLine", - "identifier": "CommandLine" + "identifier": "CommandLine", + "columnName": "ActingProcessCommandLine" } ], "entityType": "Process" @@ -1311,12 +1311,12 @@ { "fieldMappings": [ { - "columnName": "RegHive", - "identifier": "Hive" + "identifier": "Hive", + "columnName": "RegHive" }, { - "columnName": "RegKey", - "identifier": "Key" + "identifier": "Key", + "columnName": "RegKey" } ], "entityType": "RegistryKey" @@ -1324,16 +1324,16 @@ { "fieldMappings": [ { - "columnName": "RegistryValue", - "identifier": "Name" + "identifier": "Name", + "columnName": "RegistryValue" }, { - "columnName": "RegistryValueData", - "identifier": "Value" + "identifier": "Value", + "columnName": "RegistryValueData" }, { - "columnName": "RegistryValueType", - "identifier": "ValueType" + "identifier": "ValueType", + "columnName": "RegistryValueType" } ], "entityType": "RegistryValue" 
@@ -1399,7 +1399,7 @@
 "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
 ],
 "properties": {
-"description": "NewMaliciousScheduledTask_HuntingQueries Hunting Query with template version 3.0.0",
+"description": "NewMaliciousScheduledTask_HuntingQueries Hunting Query with template version 3.0.1",
 "mainTemplate": {
 "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
 "contentVersion": "[variables('huntingQueryObject1').huntingQueryVersion1]",
@@ -1484,7 +1484,7 @@
 "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
 ],
 "properties": {
-"description": "FileCretaedInStartupFolder_HuntingQueries Hunting Query with template version 3.0.0",
+"description": "FileCretaedInStartupFolder_HuntingQueries Hunting Query with template version 3.0.1",
 "mainTemplate": {
 "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
 "contentVersion": "[variables('huntingQueryObject2').huntingQueryVersion2]",
@@ -1569,7 +1569,7 @@
 "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
 ],
 "properties": {
-"description": "FilesWithRansomwareExtensions_HuntingQueries Hunting Query with template version 3.0.0",
+"description": "FilesWithRansomwareExtensions_HuntingQueries Hunting Query with template version 3.0.1",
 "mainTemplate": {
 "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
 "contentVersion": "[variables('huntingQueryObject3').huntingQueryVersion3]",
@@ -1654,7 +1654,7 @@
 "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
 ],
 "properties": {
-"description": "NewScheduledTaskCreation_HuntingQueries Hunting Query with template version 3.0.0",
+"description": "NewScheduledTaskCreation_HuntingQueries Hunting Query with template version 3.0.1",
 "mainTemplate": {
 "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
 "contentVersion": "[variables('huntingQueryObject4').huntingQueryVersion4]",
@@ -1739,7 +1739,7 @@
 "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
 ],
 "properties": {
-"description": "SystemFilesModifiedByUser_HuntingQueries Hunting Query with template version 3.0.0",
+"description": "SystemFilesModifiedByUser_HuntingQueries Hunting Query with template version 3.0.1",
 "mainTemplate": {
 "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
 "contentVersion": "[variables('huntingQueryObject5').huntingQueryVersion5]",
@@ -1824,7 +1824,7 @@
 "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
 ],
 "properties": {
-"description": "ExecutableInUncommonLocation_HuntingQueries Hunting Query with template version 3.0.0",
+"description": "ExecutableInUncommonLocation_HuntingQueries Hunting Query with template version 3.0.1",
 "mainTemplate": {
 "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
 "contentVersion": "[variables('huntingQueryObject6').huntingQueryVersion6]",
@@ -1927,7 +1927,7 @@
 "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
 ],
 "properties": {
- "description": "MalwareProtectionEssentialsWorkbook Workbook with template version 3.0.0",
+ "description": "MalwareProtectionEssentialsWorkbook Workbook with template version 3.0.1",
 "mainTemplate": {
 "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
 "contentVersion": "[variables('workbookVersion1')]",
@@ -2011,12 +2011,12 @@
 "apiVersion": "2023-04-01-preview",
 "location": "[parameters('workspace-location')]",
 "properties": {
- "version": "3.0.0",
+ "version": "3.0.1",
 "kind": "Solution",
 "contentSchemaVersion": "3.0.0",
 "displayName": "Malware Protection Essentials",
 "publisherDisplayName": "Microsoft Sentinel, Microsoft Corporation",
- "descriptionHtml": "

Note: There may be known issues pertaining to this Solution, please refer to them before installing.

\n

Malware Protection Essentials is a domain solution and does not include any data connectors. The content in this solution requires one of the product solutions below , as well as any other connector or data source normalized to the ASIM.

\n

Prerequisite :-

\n

Install one or more of the listed solutions, or develop your custom ASIM parsers to unlock the value provided by this solution.

\n
    \n
  1. Amazon Web Services
  2. \n
  3. Azure Firewall
  4. \n
  5. Azure Network Security Groups
  6. \n
  7. Check Point
  8. \n
  9. Cisco ASA
  10. \n
  11. Cisco Meraki Security Events
  12. \n
  13. Corelight
  14. \n
  15. Fortinet FortiGate
  16. \n
  17. Microsoft Defender for IoT
  18. \n
  19. Microsoft Defender for Cloud
  20. \n
  21. Microsoft Sysmon For Linux
  22. \n
  23. Windows Firewall
  24. \n
  25. Palo Alto PANOS
  26. \n
  27. Vectra AI Stream
  28. \n
  29. WatchGuard Firebox
  30. \n
  31. Zscaler Internet Access
  32. \n
\n

Underlying Microsoft Technologies used:

\n

This solution takes a dependency on the following technologies, and some of these dependencies either may be in Preview state or might result in additional ingestion or operational costs:

\n
    \n
  1. Product solutions as described above
  2. \n
  3. Logic app for data summarization
  4. \n
\n

Recommendation :-

\n

It is highly recommended to use the Summarize data logic app playbook provided with this solution as it will significantly improve the performance of the Workbook, Analytic rules & Hunting queries.

\n

Workbooks: 1, Analytic Rules: 6, Hunting Queries: 6, Watchlists: 1

\n

Learn more about Microsoft Sentinel | Learn more about Solutions

\n",
+ "descriptionHtml": "

Note: Please refer to the following before installing the solution:

\n

• Review the solution Release Notes

\n

• There may be known issues pertaining to this Solution, please refer to them before installing.

\n

Malware Protection Essentials is a domain solution and does not include any data connectors. The content in this solution requires one of the product solutions below , as well as any other connector or data source normalized to the ASIM.

\n

Prerequisite :-

\n

Install one or more of the listed solutions, or develop your custom ASIM parsers to unlock the value provided by this solution.

\n
    \n
  1. Amazon Web Services
  2. \n
  3. Azure Firewall
  4. \n
  5. Azure Network Security Groups
  6. \n
  7. Check Point
  8. \n
  9. Cisco ASA
  10. \n
  11. Cisco Meraki Security Events
  12. \n
  13. Corelight
  14. \n
  15. Fortinet FortiGate
  16. \n
  17. Microsoft Defender for IoT
  18. \n
  19. Microsoft Defender for Cloud
  20. \n
  21. Microsoft Sysmon For Linux
  22. \n
  23. Windows Firewall
  24. \n
  25. Palo Alto PANOS
  26. \n
  27. Vectra AI Stream
  28. \n
  29. WatchGuard Firebox
  30. \n
  31. Zscaler Internet Access
  32. \n
\n

Underlying Microsoft Technologies used:

\n

This solution takes a dependency on the following technologies, and some of these dependencies either may be in Preview state or might result in additional ingestion or operational costs:

\n
    \n
  1. Product solutions as described above
  2. \n
  3. Logic app for data summarization
  4. \n
\n

Recommendation :-

\n

It is highly recommended to use the Summarize data logic app playbook provided with this solution as it will significantly improve the performance of the Workbook, Analytic rules & Hunting queries.

\n

Workbooks: 1, Analytic Rules: 6, Hunting Queries: 6, Watchlists: 1

\n

Learn more about Microsoft Sentinel | Learn more about Solutions

\n",
 "contentKind": "Solution",
 "contentProductId": "[variables('_solutioncontentProductId')]",
 "id": "[variables('_solutioncontentProductId')]",
@@ -2104,7 +2104,7 @@
 {
 "kind": "Watchlist",
 "contentId": "[variables('_Ransomware File Extensions')]",
- "version": "3.0.0"
+ "version": "3.0.1"
 },
 {
 "kind": "Workbook",