From d84a3590168f06a903413d35a03820917f2cab1e Mon Sep 17 00:00:00 2001
From: Shain <45466083+shainw@users.noreply.github.com>
Date: Fri, 27 Dec 2024 10:53:29 -0800
Subject: [PATCH 01/22] Removing Custom Entity mappings, these have not been used for years.
---
 .../FailedLoginsFromUnknownOrInvalidUser.yaml | 7 +++----
 ...fromUsersfromDifferentCountrieswithin3hours.yaml | 7 +++----
 .../Analytic Rules/PasswordSpray.yaml | 7 +++----
 .../Analytic Rules/PaloAlto-NetworkBeaconing.yaml | 9 ++++-----
 .../Analytic Rules/PaloAlto-PortScanning.yaml | 10 +++++-----
 .../PulseConnectSecureVPN-BruteForce.yaml | 7 +++----
 ...lseConnectSecureVPN-DistinctFailedUserLogin.yaml | 5 ++---
 .../Analytic Rules/HighNumberofVulnDetectedV2.yaml | 7 +++----
 ...RecordedFutureDomainMalwareC2inSyslogEvents.yaml | 9 ++++-----
 ...utureUrlReportedbyInsiktGroupinSyslogEvents.yaml | 10 +++++-----
 .../ExcessiveBlockedTrafficGeneratedbyUser.yaml | 13 ++++++++-----
 .../Analytic Rules/MalwareDetected.yaml | 12 ++++++------
 .../Analytic Rules/ClientDeniedAccess.yaml | 7 +++----
 ...ssiveFailedAuthenticationsfromInvalidInputs.yaml | 7 +++----
 .../Analytic Rules/ExcessiveDeniedProxyTraffic.yaml | 7 +++----
 .../UserAccessedSuspiciousURLCategories.yaml | 10 +++++-----
 .../Threat Intel Matches to GitHub Audit Logs.yaml | 8 ++++----
 .../Analytic Rules/CriticalThreatDetected.yaml | 8 ++++----
 .../Analytic Rules/KnownMalwareDetected.yaml | 10 +++++-----
 19 files changed, 76 insertions(+), 84 deletions(-)
diff --git a/Solutions/Okta Single Sign-On/Analytic Rules/FailedLoginsFromUnknownOrInvalidUser.yaml b/Solutions/Okta Single Sign-On/Analytic Rules/FailedLoginsFromUnknownOrInvalidUser.yaml
index 24a262f8b54..1bfc617dab2 100644
--- a/Solutions/Okta Single Sign-On/Analytic Rules/FailedLoginsFromUnknownOrInvalidUser.yaml
+++ b/Solutions/Okta Single Sign-On/Analytic Rules/FailedLoginsFromUnknownOrInvalidUser.yaml
@@ -31,16 +31,15 @@ query: |
 | where eventType_s =~ "user.session.start" and outcome_reason_s =~ "VERIFICATION_ERROR"
 | summarize count() by actor_alternateId_s, ClientIP = client_ipAddress_s, City = column_ifexists('client_geographicalContext_city_s', ""), Country = column_ifexists('client_geographicalContext_country_s', ""), column_ifexists('published_t', now())
 | sort by column_ifexists('published_t', now()) desc
- | extend timestamp = column_ifexists('published_t', now()), IPCustomEntity = ClientIP, AccountCustomEntity = actor_alternateId_s
 entityMappings:
 - entityType: Account
 fieldMappings:
 - identifier: FullName
- columnName: AccountCustomEntity
+ columnName: actor_alternateId_s
 - entityType: IP
 fieldMappings:
 - identifier: Address
- columnName: IPCustomEntity
-version: 1.1.0
+ columnName: ClientIP
+version: 1.1.1
 kind: Scheduled
\ No newline at end of file
diff --git a/Solutions/Okta Single Sign-On/Analytic Rules/LoginfromUsersfromDifferentCountrieswithin3hours.yaml b/Solutions/Okta Single Sign-On/Analytic Rules/LoginfromUsersfromDifferentCountrieswithin3hours.yaml
index 5e01ceade65..d73fa372603 100644
--- a/Solutions/Okta Single Sign-On/Analytic Rules/LoginfromUsersfromDifferentCountrieswithin3hours.yaml
+++ b/Solutions/Okta Single Sign-On/Analytic Rules/LoginfromUsersfromDifferentCountrieswithin3hours.yaml
@@ -18,7 +18,7 @@ triggerThreshold: 0
 tactics:
 - InitialAccess
 relevantTechniques:
- - T1078
+ - T1078.004
 query: |
 let timeframe = ago(3h);
 let threshold = 2;
@@ -28,11 +28,10 @@ query: |
 | where outcome_result_s =~ "SUCCESS"
 | summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated), NumOfCountries = dcount(column_ifexists('client_geographicalContext_country_s', int(null))) by actor_alternateId_s
 | where NumOfCountries >= threshold
- | extend timestamp = StartTime, AccountCustomEntity = actor_alternateId_s
 entityMappings:
 - entityType: Account
 fieldMappings:
 - identifier: FullName
- columnName: AccountCustomEntity
+ columnName: actor_alternateId_s
-version: 1.1.0
+version: 1.1.1
 kind: Scheduled
\ No newline at end of file
diff --git a/Solutions/Okta Single Sign-On/Analytic Rules/PasswordSpray.yaml b/Solutions/Okta Single Sign-On/Analytic Rules/PasswordSpray.yaml
index ee8b17e490c..346741e6b3b 100644
--- a/Solutions/Okta Single Sign-On/Analytic Rules/PasswordSpray.yaml
+++ b/Solutions/Okta Single Sign-On/Analytic Rules/PasswordSpray.yaml
@@ -18,7 +18,7 @@ triggerThreshold: 0
 tactics:
 - CredentialAccess
 relevantTechniques:
- - T1110
+ - T1110.003
 query: |
 let FailureThreshold = 15;
 let FailedEvents = OktaSSO
@@ -31,12 +31,11 @@ query: |
 | summarize Users = make_set(actor_alternateId_s) by client_ipAddress_s, City = column_ifexists('client_geographicalContext_city_s', ""), Country = column_ifexists('client_geographicalContext_country_s', ""), bin(TimeGenerated, 5m)
 | join kind=inner (FailedEvents) on client_ipAddress_s, TimeGenerated
 | sort by TimeGenerated desc
- | extend timestamp = TimeGenerated, IPCustomEntity = client_ipAddress_s
 entityMappings:
 - entityType: IP
 fieldMappings:
 - identifier: Address
- columnName: IPCustomEntity
-version: 1.1.0
+ columnName: client_ipAddress_s
+version: 1.1.1
 kind: Scheduled
\ No newline at end of file
diff --git a/Solutions/PaloAlto-PAN-OS/Analytic Rules/PaloAlto-NetworkBeaconing.yaml b/Solutions/PaloAlto-PAN-OS/Analytic Rules/PaloAlto-NetworkBeaconing.yaml
index 110e00a0d2f..3c190dc5b2e 100644
--- a/Solutions/PaloAlto-PAN-OS/Analytic Rules/PaloAlto-NetworkBeaconing.yaml
+++ b/Solutions/PaloAlto-PAN-OS/Analytic Rules/PaloAlto-NetworkBeaconing.yaml
@@ -48,19 +48,18 @@ query: |
 | where TotalEvents > TotalEventsThreshold and MostFrequentTimeDeltaCount > MostFrequentTimeDeltaThreshold
 | extend BeaconPercent = MostFrequentTimeDeltaCount/toreal(TotalEvents) * 100
 | where BeaconPercent > PercentBeaconThreshold
- | extend timestamp = TimeGenerated, IPCustomEntity = DestinationIP, AccountCustomEntity = SourceUserID, HostCustomEntity = DeviceName
 entityMappings:
 - entityType: Account
 fieldMappings:
 - identifier: FullName
- columnName: AccountCustomEntity
+ columnName: SourceUserID
 - entityType: Host
 fieldMappings:
 - identifier: FullName
- columnName: HostCustomEntity
+ columnName: DeviceName
 - entityType: IP
 fieldMappings:
 - identifier: Address
- columnName: IPCustomEntity
-version: 1.0.5
+ columnName: DestinationIP
+version: 1.0.6
 kind: Scheduled
\ No newline at end of file
diff --git a/Solutions/PaloAlto-PAN-OS/Analytic Rules/PaloAlto-PortScanning.yaml b/Solutions/PaloAlto-PAN-OS/Analytic Rules/PaloAlto-PortScanning.yaml
index af0bd93a483..be34f7401b2 100644
--- a/Solutions/PaloAlto-PAN-OS/Analytic Rules/PaloAlto-PortScanning.yaml
+++ b/Solutions/PaloAlto-PAN-OS/Analytic Rules/PaloAlto-PortScanning.yaml
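Review bot: The Host entity keeps pointing at `DeviceName`, which in CommonSecurityLog-based PAN-OS rules appears to be the firewall that emitted the log rather than the endpoint doing the beaconing, so the incident's host pivot lands on the sensor; the commit only renames the column and leaves that mapping as is. The enclosing query starts above this hunk, so I cannot see whether `SourceIP` survives the summarize, but if it does, a second IP entity mapping with `identifier: Address` on `SourceIP` would give analysts the internal beaconing host next to the `DestinationIP` C2 candidate. Either way, a comment above `- entityType: Host` such as `# DeviceName is the logging firewall, not the beaconing client` would stop the next reader from assuming otherwise.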
@@ -48,19 +48,19 @@ query: |
 | summarize StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated), count() by DeviceName, SourceUserID, SourceIP, ApplicationProtocol, Reason, DestinationPort, Protocol, DeviceVendor, DeviceProduct, DeviceAction, DestinationIP
 | where count_ >= 10
 | summarize StartTimeUtc = min(StartTimeUtc), EndTimeUtc = max(EndTimeUtc), makeset(DestinationIP), totalcount = sum(count_) by DeviceName, SourceUserID, SourceIP, ApplicationProtocol, Reason, DestinationPort, Protocol, DeviceVendor, DeviceProduct, DeviceAction
- | extend timestamp = StartTimeUtc, IPCustomEntity = SourceIP, AccountCustomEntity = SourceUserID, HostCustomEntity = DeviceName
+
 entityMappings:
 - entityType: Account
 fieldMappings:
 - identifier: FullName
- columnName: AccountCustomEntity
+ columnName: SourceUserID
 - entityType: Host
 fieldMappings:
 - identifier: FullName
- columnName: HostCustomEntity
+ columnName: DeviceName
 - entityType: IP
 fieldMappings:
 - identifier: Address
- columnName: IPCustomEntity
-version: 1.0.7
+ columnName: SourceIP
+version: 1.0.8
 kind: Scheduled
diff --git a/Solutions/Pulse Connect Secure/Analytic Rules/PulseConnectSecureVPN-BruteForce.yaml b/Solutions/Pulse Connect Secure/Analytic Rules/PulseConnectSecureVPN-BruteForce.yaml
index 1d44039f7f8..97e0606a506 100644
--- a/Solutions/Pulse Connect Secure/Analytic Rules/PulseConnectSecureVPN-BruteForce.yaml
+++ b/Solutions/Pulse Connect Secure/Analytic Rules/PulseConnectSecureVPN-BruteForce.yaml
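Review bot: The lone `+` line that replaces the removed `| extend timestamp …` adds an empty line at the end of the `query: |` literal instead of simply dropping the line, which is what the NetworkBeaconing and Pulse Connect hunks in this same commit do; the same leftover appears in MalwareDetected, RecordedFutureUrlReportedbyInsiktGroupinSyslogEvents, UserAccessedSuspiciousURLCategories, Threat Intel Matches to GitHub Audit Logs and both Carbon Black rules. It is harmless, because `|` clips trailing newlines, but it leaves the query text ending in a blank line and makes the commit inconsistent with itself. Delete the empty added line so the query ends on the `| summarize … by DeviceName, SourceUserID, SourceIP, … DeviceAction` line.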
@@ -22,15 +22,14 @@ query: |
 | where Messages contains "Login failed"
 | summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated), count() by User, Source_IP
 | where count_ > threshold
- | extend timestamp = StartTime, AccountCustomEntity = User, IPCustomEntity = Source_IP
 entityMappings:
 - entityType: Account
 fieldMappings:
 - identifier: FullName
- columnName: AccountCustomEntity
+ columnName: User
 - entityType: IP
 fieldMappings:
 - identifier: Address
- columnName: IPCustomEntity
-version: 1.0.3
+ columnName: Source_IP
+version: 1.0.4
 kind: Scheduled
\ No newline at end of file
diff --git a/Solutions/Pulse Connect Secure/Analytic Rules/PulseConnectSecureVPN-DistinctFailedUserLogin.yaml b/Solutions/Pulse Connect Secure/Analytic Rules/PulseConnectSecureVPN-DistinctFailedUserLogin.yaml
index 9148ea8de04..df5a57c36cb 100644
--- a/Solutions/Pulse Connect Secure/Analytic Rules/PulseConnectSecureVPN-DistinctFailedUserLogin.yaml
+++ b/Solutions/Pulse Connect Secure/Analytic Rules/PulseConnectSecureVPN-DistinctFailedUserLogin.yaml
@@ -22,11 +22,10 @@ query: |
 | where Messages startswith "Login failed"
 | summarize dcount(User) by Computer, bin(TimeGenerated, 15m)
 | where dcount_User > threshold
- | extend timestamp = TimeGenerated, HostCustomEntity = Computer
 entityMappings:
 - entityType: Host
 fieldMappings:
 - identifier: FullName
- columnName: HostCustomEntity
-version: 1.0.3
+ columnName: Computer
+version: 1.0.4
 kind: Scheduled
\ No newline at end of file
diff --git a/Solutions/QualysVM/Analytic Rules/HighNumberofVulnDetectedV2.yaml b/Solutions/QualysVM/Analytic Rules/HighNumberofVulnDetectedV2.yaml
index 2ab896ccdd7..97276f03d35 100644
--- a/Solutions/QualysVM/Analytic Rules/HighNumberofVulnDetectedV2.yaml
+++ b/Solutions/QualysVM/Analytic Rules/HighNumberofVulnDetectedV2.yaml
@@ -22,15 +22,14 @@ query: |
 | where Severity_s == "5"
 | summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated), count() by NetBios_s, IPAddress
 | where count_ >= threshold
- | extend timestamp = StartTime, HostCustomEntity = NetBios_s, IPCustomEntity = IPAddress
 entityMappings:
 - entityType: Host
 fieldMappings:
 - identifier: FullName
- columnName: HostCustomEntity
+ columnName: NetBios_s
 - entityType: IP
 fieldMappings:
 - identifier: Address
- columnName: IPCustomEntity
-version: 1.0.1
+ columnName: IPAddress
+version: 1.0.2
 kind: Scheduled
diff --git a/Solutions/Recorded Future/Analytic Rules/RecordedFutureDomainMalwareC2inSyslogEvents.yaml b/Solutions/Recorded Future/Analytic Rules/RecordedFutureDomainMalwareC2inSyslogEvents.yaml
index 5e15ea3c722..8afe81922be 100644
--- a/Solutions/Recorded Future/Analytic Rules/RecordedFutureDomainMalwareC2inSyslogEvents.yaml
+++ b/Solutions/Recorded Future/Analytic Rules/RecordedFutureDomainMalwareC2inSyslogEvents.yaml
@@ -57,23 +57,22 @@ query: |
 | where Syslog_TimeGenerated >= TimeGenerated and Syslog_TimeGenerated < ExpirationDateTime
 | summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId
 | project LatestIndicatorTime, Description, ActivityGroupNames, IndicatorId, ThreatType, ExpirationDateTime, ConfidenceScore, Syslog_TimeGenerated, SyslogMessage, Computer, ProcessName, domain, HostIP, Url
- | extend timestamp = Syslog_TimeGenerated, HostCustomEntity = Computer, IPCustomEntity = HostIP, URLCustomEntity = Url
 entityMappings:
 - entityType: Host
 fieldMappings:
 - identifier: FullName
- columnName: HostCustomEntity
+ columnName: Computer
 - entityType: IP
 fieldMappings:
 - identifier: Address
- columnName: IPCustomEntity
+ columnName: HostIP
 - entityType: URL
 fieldMappings:
 - identifier: Url
- columnName: URLCustomEntity
+ columnName: Url
 - entityType: DNS
 fieldMappings:
 - identifier: DomainName
 columnName: domain
-version: 1.0.3
+version: 1.0.4
 kind: Scheduled
\ No newline at end of file
diff --git a/Solutions/Recorded Future/Analytic Rules/RecordedFutureUrlReportedbyInsiktGroupinSyslogEvents.yaml b/Solutions/Recorded Future/Analytic Rules/RecordedFutureUrlReportedbyInsiktGroupinSyslogEvents.yaml
index 2de2ef11dc7..9f8e52864de 100644
--- a/Solutions/Recorded Future/Analytic Rules/RecordedFutureUrlReportedbyInsiktGroupinSyslogEvents.yaml
+++ b/Solutions/Recorded Future/Analytic Rules/RecordedFutureUrlReportedbyInsiktGroupinSyslogEvents.yaml
@@ -43,19 +43,19 @@ query: |
 | where Syslog_TimeGenerated >= TimeGenerated and Syslog_TimeGenerated < ExpirationDateTime
 | summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId
 | project LatestIndicatorTime, Description, ActivityGroupNames, IndicatorId, ThreatType, ExpirationDateTime, ConfidenceScore, Syslog_TimeGenerated, SyslogMessage, Computer, ProcessName, Url, AdditionalInformation, HostIP
- | extend timestamp = Syslog_TimeGenerated, HostCustomEntity = Computer, IPCustomEntity = HostIP, URLCustomEntity = Url
+
 entityMappings:
 - entityType: Host
 fieldMappings:
 - identifier: FullName
- columnName: HostCustomEntity
+ columnName: Computer
 - entityType: IP
 fieldMappings:
 - identifier: Address
- columnName: IPCustomEntity
+ columnName: HostIP
 - entityType: URL
 fieldMappings:
 - identifier: Url
- columnName: URLCustomEntity
-version: 1.0.2
+ columnName: Url
+version: 1.0.3
 kind: Scheduled
\ No newline at end of file
diff --git a/Solutions/Symantec Endpoint Protection/Analytic Rules/ExcessiveBlockedTrafficGeneratedbyUser.yaml b/Solutions/Symantec Endpoint Protection/Analytic Rules/ExcessiveBlockedTrafficGeneratedbyUser.yaml
index d79ce62ccd4..bcf777f71b8 100644
--- a/Solutions/Symantec Endpoint Protection/Analytic Rules/ExcessiveBlockedTrafficGeneratedbyUser.yaml
+++ b/Solutions/Symantec Endpoint Protection/Analytic Rules/ExcessiveBlockedTrafficGeneratedbyUser.yaml
@@ -33,19 +33,22 @@ query: |
 | where Action =~ "Blocked"
 | join kind=inner (NoteableEvents) on UserName
 | summarize StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated), Total = count() by UserName, RuleName, ServerName, LocalHostIpAddr, LocalPortNumber, TrafficDirection, RemoteHostIpAddr, RemotePortNumber, ApplicationName
- | extend timestamp = StartTimeUtc, AccountCustomEntity = UserName, HostCustomEntity = ServerName, IPCustomEntity = LocalHostIpAddr
 entityMappings:
 - entityType: Account
 fieldMappings:
 - identifier: FullName
- columnName: AccountCustomEntity
+ columnName: UserName
 - entityType: IP
 fieldMappings:
 - identifier: Address
- columnName: IPCustomEntity
+ columnName: LocalHostIpAddr
+ - entityType: IP
+ fieldMappings:
+ - identifier: Address
+ columnName: RemoteHostIpAddr
 - entityType: Host
 fieldMappings:
 - identifier: FullName
- columnName: HostCustomEntity
-version: 1.0.2
+ columnName: ServerName
+version: 1.0.3
 kind: Scheduled
\ No newline at end of file
diff --git a/Solutions/Symantec Endpoint Protection/Analytic Rules/MalwareDetected.yaml b/Solutions/Symantec Endpoint Protection/Analytic Rules/MalwareDetected.yaml
index b888829e594..53d908d9ca6 100644
--- a/Solutions/Symantec Endpoint Protection/Analytic Rules/MalwareDetected.yaml
+++ b/Solutions/Symantec Endpoint Protection/Analytic Rules/MalwareDetected.yaml
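Review bot: The new IP entity on `RemoteHostIpAddr` goes beyond the commit's stated scope (dropping the `*CustomEntity` columns) and is not mentioned anywhere, and because Sentinel entity mappings carry no role, an incident will now show two IP entities with nothing telling the analyst which one is the local host and which the blocked peer. The query already groups by `TrafficDirection`, `LocalPortNumber` and `RemotePortNumber`, so expose them as custom details, e.g. `customDetails:` / `TrafficDirection: TrafficDirection` / `RemotePort: RemotePortNumber`, so the direction is visible on the incident without opening the query. Call the added entity out in the commit message or the rule description so consumers of this solution know the incident graph changed.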
@@ -15,26 +15,26 @@ triggerThreshold: 0
 tactics:
 - Execution
 relevantTechniques:
- - T1204
+ - T1204.002
 query: |
 SymantecEndpointProtection
 | where LogType == "Agent Risk Logs"
 | where CategorySet == "Malware"
 | where ActualAction !contains "Cleaned"
 | summarize StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated) by SrcIpAddr, SrcHostName, UserName, FilePath, ActualAction, CategorySet, CategoryType
- | extend timestamp = StartTimeUtc, IPCustomEntity = SrcIpAddr, HostCustomEntity = SrcHostName, AccountCustomEntity = UserName
+
 entityMappings:
 - entityType: Account
 fieldMappings:
 - identifier: FullName
- columnName: AccountCustomEntity
+ columnName: UserName
 - entityType: IP
 fieldMappings:
 - identifier: Address
- columnName: IPCustomEntity
+ columnName: SrcIpAddr
 - entityType: Host
 fieldMappings:
 - identifier: FullName
- columnName: HostCustomEntity
-version: 1.0.2
+ columnName: SrcHostName
+version: 1.0.3
 kind: Scheduled
\ No newline at end of file
diff --git a/Solutions/Symantec VIP/Analytic Rules/ClientDeniedAccess.yaml b/Solutions/Symantec VIP/Analytic Rules/ClientDeniedAccess.yaml
index 32d7f87ab08..11fd7114fe7 100644
--- a/Solutions/Symantec VIP/Analytic Rules/ClientDeniedAccess.yaml
+++ b/Solutions/Symantec VIP/Analytic Rules/ClientDeniedAccess.yaml
@@ -31,16 +31,15 @@ query: |
 | where RADIUSAuth =~ "Reject"
 | join kind=inner rejectedAccess on ClientIP
 | summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated), count() by ClientIP, User
- | extend timestamp = StartTime, IPCustomEntity = ClientIP, AccountCustomEntity = User
 entityMappings:
 - entityType: Account
 fieldMappings:
 - identifier: FullName
- columnName: AccountCustomEntity
+ columnName: User
 - entityType: IP
 fieldMappings:
 - identifier: Address
- columnName: IPCustomEntity
-version: 1.0.2
+ columnName: ClientIP
+version: 1.0.3
 status: Available
 kind: Scheduled
\ No newline at end of file
diff --git a/Solutions/Symantec VIP/Analytic Rules/ExcessiveFailedAuthenticationsfromInvalidInputs.yaml b/Solutions/Symantec VIP/Analytic Rules/ExcessiveFailedAuthenticationsfromInvalidInputs.yaml
index cff1a3aeea0..f47c401304b 100644
--- a/Solutions/Symantec VIP/Analytic Rules/ExcessiveFailedAuthenticationsfromInvalidInputs.yaml
+++ b/Solutions/Symantec VIP/Analytic Rules/ExcessiveFailedAuthenticationsfromInvalidInputs.yaml
@@ -25,16 +25,15 @@ query: |
 | where RADIUSAuth =~ "Reject"
 | summarize Total = count() by bin(TimeGenerated, 15m), User, ClientIP
 | where Total > threshold
- | extend timestamp = TimeGenerated, IPCustomEntity = ClientIP, AccountCustomEntity = User
 entityMappings:
 - entityType: Account
 fieldMappings:
 - identifier: FullName
- columnName: AccountCustomEntity
+ columnName: User
 - entityType: IP
 fieldMappings:
 - identifier: Address
- columnName: IPCustomEntity
-version: 1.0.2
+ columnName: ClientIP
+version: 1.0.3
 status: Available
 kind: Scheduled
\ No newline at end of file
diff --git a/Solutions/SymantecProxySG/Analytic Rules/ExcessiveDeniedProxyTraffic.yaml b/Solutions/SymantecProxySG/Analytic Rules/ExcessiveDeniedProxyTraffic.yaml
index 6bdfaf5df73..b0e87f077d0 100644
--- a/Solutions/SymantecProxySG/Analytic Rules/ExcessiveDeniedProxyTraffic.yaml
+++ b/Solutions/SymantecProxySG/Analytic Rules/ExcessiveDeniedProxyTraffic.yaml
@@ -24,15 +24,14 @@ query: |
 | where sc_filter_result =~ "DENIED"
 | summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated), count() by c_ip, cs_host
 | where count_ > threshold
- | extend timestamp = StartTime, HostCustomEntity = cs_host, IPCustomEntity = c_ip
 entityMappings:
 - entityType: Host
 fieldMappings:
 - identifier: FullName
- columnName: HostCustomEntity
+ columnName: cs_host
 - entityType: IP
 fieldMappings:
 - identifier: Address
- columnName: IPCustomEntity
-version: 1.0.4
+ columnName: c_ip
+version: 1.0.5
 kind: Scheduled
\ No newline at end of file
diff --git a/Solutions/SymantecProxySG/Analytic Rules/UserAccessedSuspiciousURLCategories.yaml b/Solutions/SymantecProxySG/Analytic Rules/UserAccessedSuspiciousURLCategories.yaml
index 75f706b9b77..309a9915243 100644
--- a/Solutions/SymantecProxySG/Analytic Rules/UserAccessedSuspiciousURLCategories.yaml
+++ b/Solutions/SymantecProxySG/Analytic Rules/UserAccessedSuspiciousURLCategories.yaml
@@ -23,19 +23,19 @@ query: |
 | mv-expand cs_categories
 | where cs_categories has_any ("Suspicious","phishing", "hacking")
 | summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated), count() by sc_filter_result, cs_userdn, c_ip, cs_host, Computer, tostring(cs_categories)
- | extend timestamp = StartTime, AccountCustomEntity = cs_userdn, IPCustomEntity = c_ip, HostCustomEntity = Computer
+
 entityMappings:
 - entityType: Account
 fieldMappings:
 - identifier: FullName
- columnName: AccountCustomEntity
+ columnName: cs_userdn
 - entityType: Host
 fieldMappings:
 - identifier: FullName
- columnName: HostCustomEntity
+ columnName: Computer
 - entityType: IP
 fieldMappings:
 - identifier: Address
- columnName: IPCustomEntity
-version: 1.0.4
+ columnName: c_ip
+version: 1.0.5
 kind: Scheduled
\ No newline at end of file
diff --git a/Solutions/Threat Intelligence/Analytic Rules/Threat Intel Matches to GitHub Audit Logs.yaml b/Solutions/Threat Intelligence/Analytic Rules/Threat Intel Matches to GitHub Audit Logs.yaml
index 6927bddd8af..41409859ee1 100644
--- a/Solutions/Threat Intelligence/Analytic Rules/Threat Intel Matches to GitHub Audit Logs.yaml
+++ b/Solutions/Threat Intelligence/Analytic Rules/Threat Intel Matches to GitHub Audit Logs.yaml
@@ -42,15 +42,15 @@ query: |
 ) on $left.TI_ipEntity == $right.IPaddress
 | project LatestIndicatorTime, Description, ActivityGroupNames, IndicatorId, ThreatType, Url, ExpirationDateTime, ConfidenceScore, GitHubAudit_TimeGenerated, TI_ipEntity, IPaddress, Actor, Action, Country, OperationType, NetworkIP, NetworkDestinationIP, NetworkSourceIP, EmailSourceIpAddress
- | extend timestamp = GitHubAudit_TimeGenerated, IPCustomEntity = IPaddress, AccountCustomEntity = Actor
+
 entityMappings:
 - entityType: Account
 fieldMappings:
 - identifier: FullName
- columnName: AccountCustomEntity
+ columnName: Actor
 - entityType: IP
 fieldMappings:
 - identifier: Address
- columnName: IPCustomEntity
-version: 1.0.4
+ columnName: IPaddress
+version: 1.0.5
 kind: Scheduled
\ No newline at end of file
diff --git a/Solutions/VMware Carbon Black Cloud/Analytic Rules/CriticalThreatDetected.yaml b/Solutions/VMware Carbon Black Cloud/Analytic Rules/CriticalThreatDetected.yaml
index 70768e6a864..4299f936656 100644
--- a/Solutions/VMware Carbon Black Cloud/Analytic Rules/CriticalThreatDetected.yaml
+++ b/Solutions/VMware Carbon Black Cloud/Analytic Rules/CriticalThreatDetected.yaml
@@ -23,15 +23,15 @@ query: |
 | extend eventTime = datetime(1970-01-01) + tolong(threatHunterInfo_time_d/1000) * 1sec
 | summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated), count() by eventTime, Threat_Name = threatHunterInfo_reportName_s, Device_Name = deviceInfo_deviceName_s, Internal_IP = deviceInfo_internalIpAddress_s, External_IP = deviceInfo_externalIpAddress_s, Threat_Score = threatHunterInfo_score_d
 | project-away count_
- | extend timestamp = StartTime, HostCustomEntity = Device_Name, IPCustomEntity = Internal_IP
+
 entityMappings:
 - entityType: Host
 fieldMappings:
 - identifier: FullName
- columnName: HostCustomEntity
+ columnName: Device_Name
 - entityType: IP
 fieldMappings:
 - identifier: Address
- columnName: IPCustomEntity
-version: 1.0.1
+ columnName: Internal_IP
+version: 1.0.2
 kind: Scheduled
\ No newline at end of file
diff --git a/Solutions/VMware Carbon Black Cloud/Analytic Rules/KnownMalwareDetected.yaml b/Solutions/VMware Carbon Black Cloud/Analytic Rules/KnownMalwareDetected.yaml
index bffb2c37c88..dae7af5b04c 100644
--- a/Solutions/VMware Carbon Black Cloud/Analytic Rules/KnownMalwareDetected.yaml
+++ b/Solutions/VMware Carbon Black Cloud/Analytic Rules/KnownMalwareDetected.yaml
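Review bot: Only `Internal_IP` is mapped although the summarize in this hunk also keeps `External_IP`, and for a Carbon Black threat report the device's external address is usually the value that correlates with perimeter logs or threat-intel IP indicators, whereas the internal address is typically private and enriches poorly. Consider a second IP entity mapping with `identifier: Address` on `External_IP`, and surfacing `Threat_Name` and `Threat_Score` via `customDetails:` so they appear on the incident without opening the query. If the internal address is kept as the only IP entity, a comment above `- entityType: IP` saying why would help the next maintainer.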
@@ -21,19 +21,19 @@ query: |
 | extend eventTime = datetime(1970-01-01) + tolong(eventTime_d/1000) * 1sec
 | where targetApp_effectiveReputation_s =~ "KNOWN_MALWARE"
 | summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated), count() by eventTime, deviceDetails_deviceName_s, deviceDetails_deviceIpAddress_s, processDetails_fullUserName_s, processDetails_targetName_s
- | extend timestamp = StartTime, AccountCustomEntity = processDetails_fullUserName_s, HostCustomEntity = deviceDetails_deviceName_s, IPCustomEntity = deviceDetails_deviceIpAddress_s
+
 entityMappings:
 - entityType: Account
 fieldMappings:
 - identifier: FullName
- columnName: AccountCustomEntity
+ columnName: processDetails_fullUserName_s
 - entityType: Host
 fieldMappings:
 - identifier: FullName
- columnName: HostCustomEntity
+ columnName: deviceDetails_deviceName_s
 - entityType: IP
 fieldMappings:
 - identifier: Address
- columnName: IPCustomEntity
-version: 1.0.1
+ columnName: deviceDetails_deviceIpAddress_s
+version: 1.0.2
 kind: Scheduled
\ No newline at end of file
From ec16e021061fdd118a7f9b1e424b05bc206dbefc Mon Sep 17 00:00:00 2001
From: moti-ba <131643892+moti-ba@users.noreply.github.com>
Date: Sun, 29 Dec 2024 14:27:36 +0200
Subject: [PATCH 02/22] SWG file fixes and NetworkAccessAlerts table
---
 .../CustomTables/NetworkAccessAlerts.json | 93 +++++++++++++++++++
 .../Identity - AfterHoursActivity.yaml | 2 +-
 .../Identity - SharedSessions.yaml | 62 -------------
 .../SWG - Abnormal Deny Rate.yaml | 2 +-
 .../SWG - Abnormal Port to Protocol.yaml | 2 +-
 .../SWG - Source IP Port Scan.yaml | 2 +-
 6 files changed, 97 insertions(+), 66 deletions(-)
 create mode 100644 .script/tests/KqlvalidationsTests/CustomTables/NetworkAccessAlerts.json
 delete mode 100644 Solutions/Global Secure Access/Analytic Rules/Identity - SharedSessions.yaml
diff --git a/.script/tests/KqlvalidationsTests/CustomTables/NetworkAccessAlerts.json b/.script/tests/KqlvalidationsTests/CustomTables/NetworkAccessAlerts.json
new file mode 100644
index 00000000000..43f31e680dd
--- /dev/null
+++ b/.script/tests/KqlvalidationsTests/CustomTables/NetworkAccessAlerts.json
@@ -0,0 +1,93 @@
+{
+ "Name": "NetworkAccessAlerts",
+
+ {
+ "Name": "TenantId",
+ "Type": "string"
+ },
+ {
+ "Name": "TimeGenerated",
+ "Type": "datetime"
+ },
+ {
+ "Name": "Id",
+ "Type": "string"
+ },
+ {
+ "Name": "DisplayName",
+ "Type": "string"
+ },
+ {
+ "Name": "Severity",
+ "Type": "string"
+ },
+ {
+ "Name": "ComponentName",
+ "Type": "string"
+ },
+ {
+ "Name": "DetectionTechnology",
+ "Type": "string"
+ },
+ {
+ "Name": "AlertType",
+ "Type": "string"
+ },
+ {
+ "Name": "Description",
+ "Type": "string"
+ },
+ {
+ "Name": "ProductName",
+ "Type": "string"
+ },
+ {
+ "Name": "PolicyId",
+ "Type": "string"
+ },
+ {
+ "Name": "LastActivityDateTime",
+ "Type": "datetime"
+ },
+ {
+ "Name": "FirstActivityDateTime",
+ "Type": "datetime"
+ },
+ {
+ "Name": "SourceSystem",
+ "Type": "string"
+ },
+ {
+ "Name": "Techniques",
+ "Type": "string"
+ },
+ {
+ "Name": "SubTechniques",
+ "Type": "string"
+ },
+ {
+ "Name": "ExtendedProperties",
+ "Type": "dynamic"
+ },
+ {
+ "Name": "RelatedResources",
+ "Type": "dynamic"
+ },
+ {
+ "Name": "IsPreview",
+ "Type": "bool"
+ },
+ {
+ "Name": "CreationDateTime",
+ "Type": "datetime"
+ },
+ {
+ "Name": "Type",
+ "Type": "string"
+ },
+ {
+ "Name": "VendorName",
+ "Type": "string"
+ }
+ ]
+}
\ No newline at end of file
diff --git a/Solutions/Global Secure Access/Analytic Rules/Identity - AfterHoursActivity.yaml b/Solutions/Global Secure Access/Analytic Rules/Identity - AfterHoursActivity.yaml
index 41d20c1937d..9d802d71f03 100644
--- a/Solutions/Global Secure Access/Analytic Rules/Identity - AfterHoursActivity.yaml
+++ b/Solutions/Global Secure Access/Analytic Rules/Identity - AfterHoursActivity.yaml
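Review bot: The new file is not valid JSON: after `"Name": "NetworkAccessAlerts",` comes an empty line and then the column objects directly, so the column list has neither a key nor an opening `[`, yet the file still closes with `]` and `}`. Whatever loads the custom-table definitions for the KQL validation tests will fail to parse it, so the `NetworkAccessAlerts` schema this commit intends to register will not be known to the validator and any rule referencing that table will not be checked against it. The sibling files in `.script/tests/KqlvalidationsTests/CustomTables/` wrap the column list in a `"Properties"` array — confirm the key name against one of them — and replace the blank third line with `"Properties": [`.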
@@ -36,5 +36,5 @@ entityMappings:
 fieldMappings:
 - identifier: Address
 columnName: IPCustomEntity
-version: 1.0.1
+version: 1.0.2
 kind: Scheduled
diff --git a/Solutions/Global Secure Access/Analytic Rules/Identity - SharedSessions.yaml b/Solutions/Global Secure Access/Analytic Rules/Identity - SharedSessions.yaml
deleted file mode 100644
index b518991bcb6..00000000000
--- a/Solutions/Global Secure Access/Analytic Rules/Identity - SharedSessions.yaml
+++ /dev/null
@@ -1,62 +0,0 @@
-id: 57abf863-1c1e-46c6-85b2-35370b712c1e
-name: GSA - Detect IP Address Changes and Overlapping Sessions
-description: |
- This query identifies network sessions based on DeviceId and UserPrincipalName, then checks for changed IP addresses and overlapping session times.
-severity: High
-status: Available
-requiredDataConnectors:
- - connectorId: AzureActiveDirectory
- dataTypes:
- - EnrichedMicrosoft365AuditLogs
-queryFrequency: 1h
-queryPeriod: 24h
-triggerOperator: gt
-triggerThreshold: 0
-tactics:
- - InitialAccess
-relevantTechniques:
- - T1078
- - T1133
-query: |
- // Identify sessions
- let sessions =
- NetworkAccessTraffic
- | summarize
- StartTime = min(TimeGenerated),
- EndTime = max(TimeGenerated),
- SourceIps = make_set(SourceIp)
- by DeviceId, UserPrincipalName, SessionId
- | sort by StartTime asc;
- // Check for changed IP addresses and overlapping session times
- sessions
- | extend PreviousSourceIps = prev(SourceIps, 1)
- | extend PreviousEndTime = prev(EndTime, 1)
- | extend PreviousDeviceId = prev(DeviceId, 1)
- | extend PreviousUserPrincipalName = prev(UserPrincipalName, 1)
- | where DeviceId == PreviousDeviceId
- and UserPrincipalName == PreviousUserPrincipalName
- | where array_length(set_difference(SourceIps, PreviousSourceIps)) > 0 // Check if the current and previous IP sets differ
- | where PreviousEndTime > StartTime // Check for overlapping session times
- | project
- DeviceId,
- UserPrincipalName,
- SourceIps,
- PreviousSourceIps,
- StartTime,
- EndTime,
- PreviousEndTime
- | extend
- IPCustomEntity = tostring(array_slice(SourceIps, 0, 1)[0]),
- PreviousIPCustomEntity = tostring(array_slice(PreviousSourceIps, 0, 1)[0]),
- AccountCustomEntity = UserPrincipalName
-entityMappings:
- - entityType: Account
- fieldMappings:
- - identifier: Name
- columnName: AccountCustomEntity
- - entityType: IP
- fieldMappings:
- - identifier: Address
- columnName: IPCustomEntity
-version: 1.0.2
-kind: Scheduled
diff --git a/Solutions/Global Secure Access/Analytic Rules/SWG - Abnormal Deny Rate.yaml b/Solutions/Global Secure Access/Analytic Rules/SWG - Abnormal Deny Rate.yaml
index 8cae3de7ca2..c801861d7e9 100644
--- a/Solutions/Global Secure Access/Analytic Rules/SWG - Abnormal Deny Rate.yaml
+++ b/Solutions/Global Secure Access/Analytic Rules/SWG - Abnormal Deny Rate.yaml
@@ -54,5 +54,5 @@ entityMappings:
 fieldMappings:
 - identifier: Url
 columnName: DestinationIp
-version: 1.0.1
+version: 1.0.2
 kind: Scheduled
diff --git a/Solutions/Global Secure Access/Analytic Rules/SWG - Abnormal Port to Protocol.yaml b/Solutions/Global Secure Access/Analytic Rules/SWG - Abnormal Port to Protocol.yaml
index a195c01775c..ce384309e5c 100644
--- a/Solutions/Global Secure Access/Analytic Rules/SWG - Abnormal Port to Protocol.yaml
+++ b/Solutions/Global Secure Access/Analytic Rules/SWG - Abnormal Port to Protocol.yaml
@@ -50,5 +50,5 @@ entityMappings:
 fieldMappings:
 - identifier: Url
 columnName: FqdnCustomEntity
-version: 1.0.1
+version: 1.0.2
 kind: Scheduled
diff --git a/Solutions/Global Secure Access/Analytic Rules/SWG - Source IP Port Scan.yaml b/Solutions/Global Secure Access/Analytic Rules/SWG - Source IP Port Scan.yaml
index 9cb257bc4b7..4a72ca58554 100644
--- a/Solutions/Global Secure Access/Analytic Rules/SWG - Source IP Port Scan.yaml
+++ b/Solutions/Global Secure Access/Analytic Rules/SWG - Source IP Port Scan.yaml
@@ -37,5 +37,5 @@ entityMappings:
 fieldMappings:
 - identifier: Url
 columnName: DestinationFqdn
-version: 1.0.1
+version: 1.0.2
 kind: Scheduled
From 03aeeab525786804f72d8285e140a0b1993b85d5 Mon Sep 17 00:00:00 2001
From: moti-ba <131643892+moti-ba@users.noreply.github.com>
Date: Sun, 29 Dec 2024 14:53:20 +0200
Subject: [PATCH 03/22] Fix table
---
 .../Analytic Rules/Identity - AfterHoursActivity.yaml | 2 +-
 .../Analytic Rules/SWG - Abnormal Port to Protocol.yaml | 2 +-
 .../Analytic Rules/SWG -	Source IP Port Scan.yaml | 2 +-
 3 files changed, 3 insertions(+), 3 deletions(-)
diff --git a/Solutions/Global Secure Access/Analytic Rules/Identity - AfterHoursActivity.yaml b/Solutions/Global Secure Access/Analytic Rules/Identity - AfterHoursActivity.yaml
index 9d802d71f03..0ec64b81071 100644
--- a/Solutions/Global Secure Access/Analytic Rules/Identity - AfterHoursActivity.yaml
+++ b/Solutions/Global Secure Access/Analytic Rules/Identity - AfterHoursActivity.yaml
@@ -6,7 +6,7 @@ status: Available
 requiredDataConnectors:
 - connectorId: AzureActiveDirectory
 dataTypes:
- - EnrichedMicrosoft365AuditLogs
+ - NetworkAccessTrafficLogs
 queryFrequency: 1h
 queryPeriod: 24h
 triggerOperator: gt
diff --git a/Solutions/Global Secure Access/Analytic Rules/SWG - Abnormal Port to Protocol.yaml b/Solutions/Global Secure Access/Analytic Rules/SWG - Abnormal Port to Protocol.yaml
index ce384309e5c..cda25a0ed56 100644
--- a/Solutions/Global Secure Access/Analytic Rules/SWG - Abnormal Port to Protocol.yaml
+++ b/Solutions/Global Secure Access/Analytic Rules/SWG - Abnormal Port to Protocol.yaml
@@ -11,7 +11,7 @@ status: Available
 requiredDataConnectors:
 - connectorId: AzureActiveDirectory
 dataTypes:
- - EnrichedMicrosoft365AuditLogs
+ - NetworkAccessTrafficLogs
 queryFrequency: 1h
 queryPeriod: 8d
 triggerOperator: gt
diff --git a/Solutions/Global Secure Access/Analytic Rules/SWG - Source IP Port Scan.yaml b/Solutions/Global Secure Access/Analytic Rules/SWG - Source IP Port Scan.yaml
index 4a72ca58554..7aad8a9d9d1 100644
--- a/Solutions/Global Secure Access/Analytic Rules/SWG - Source IP Port Scan.yaml
+++ b/Solutions/Global Secure Access/Analytic Rules/SWG - Source IP Port Scan.yaml
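Review bot: Switching `dataTypes` to `NetworkAccessTrafficLogs` only changes connector metadata; whether the rule's `query:` block actually reads that table is not visible in this hunk. That check matters here because the `Identity - SharedSessions.yaml` rule deleted earlier in this series queried `NetworkAccessTraffic` (no `Logs` suffix), and a mismatch between the declared data type and the table named in the query passes YAML review but fails at deployment or in the KQL validation tests. The same verification applies to the `SWG - Abnormal Port to Protocol` and `SWG - Source IP Port Scan` hunks that follow.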
@@ -10,7 +10,7 @@ status: Available requiredDataConnectors: - connectorId: AzureActiveDirectory dataTypes: - - EnrichedMicrosoft365AuditLogs + - NetworkAccessTrafficLogs queryFrequency: 1d queryPeriod: 1d triggerOperator: gt From 677b6f1aeaead39814a022e79cfd50474ec93ac6 Mon Sep 17 00:00:00 2001 From: moti-ba <131643892+moti-ba@users.noreply.github.com> Date: Sun, 29 Dec 2024 15:56:39 +0200 Subject: [PATCH 04/22] fixes --- .../Identity - AfterHoursActivity.yaml | 3 ++- .../Analytic Rules/SWG - Abnormal Deny Rate.yaml | 15 ++++++++------- .../SWG - Abnormal Port to Protocol.yaml | 8 ++++---- .../Analytic Rules/SWG - Source IP Port Scan.yaml | 7 ++++--- 4 files changed, 18 insertions(+), 15 deletions(-) diff --git a/Solutions/Global Secure Access/Analytic Rules/Identity - AfterHoursActivity.yaml b/Solutions/Global Secure Access/Analytic Rules/Identity - AfterHoursActivity.yaml index 0ec64b81071..9da19546efe 100644 --- a/Solutions/Global Secure Access/Analytic Rules/Identity - AfterHoursActivity.yaml +++ b/Solutions/Global Secure Access/Analytic Rules/Identity - AfterHoursActivity.yaml @@ -1,6 +1,7 @@ id: 4c9f0a9e-44d7-4c9b-b7f0-f6a6e0d8f8fa name: GSA - Detect Connections Outside Operational Hours -description: This query identifies connections that occur outside of the defined operational hours. It helps in monitoring and flagging any unusual activity that may occur during non-business hours, indicating potential security concerns or policy violations. +description: | + 'This query identifies connections that occur outside of the defined operational hours. It helps in monitoring and flagging any unusual activity that may occur during non-business hours, indicating potential security concerns or policy violations.' severity: High status: Available requiredDataConnectors: 
diff --git a/Solutions/Global Secure Access/Analytic Rules/SWG - Abnormal Deny Rate.yaml b/Solutions/Global Secure Access/Analytic Rules/SWG - Abnormal Deny Rate.yaml
index c801861d7e9..d894d730a7f 100644
--- a/Solutions/Global Secure Access/Analytic Rules/SWG - Abnormal Deny Rate.yaml
+++ b/Solutions/Global Secure Access/Analytic Rules/SWG - Abnormal Deny Rate.yaml
@@ -1,13 +1,14 @@ id: e3b6a9e7-4c3a-45e6-8baf-1d3bfa8e0c2b name: GSA - Detect Abnormal Deny Rate for Source to Destination IP description: | - Identifies abnormal deny rate for specific source IP to destination IP based on the normal average and standard deviation learned during a configured period. This can indicate potential exfiltration, initial access, or C2, where an attacker tries to exploit the same vulnerability on machines in the organization but is being blocked by firewall rules. -configurableParameters: - - minimumOfStdsThreshold: The number of stds to use in the threshold calculation. Default is set to 3. - - learningPeriodTime: Learning period for threshold calculation in days. Default is set to 5. - - binTime: Learning buckets time in hours. Default is set to 1 hour. - - minimumThreshold: Minimum threshold for alert. Default is set to 5. - - minimumBucketThreshold: Minimum learning buckets threshold for alert. Default is set to 5. + 'Identifies abnormal deny rate for specific source IP to destination IP based on the normal average and standard deviation learned during a configured period. This can indicate potential exfiltration, initial access, or C2, where an attacker tries to exploit the same vulnerability on machines in the organization but is being blocked by firewall rules. + + configurableParameters: + - minimumOfStdsThreshold: The number of stds to use in the threshold calculation. Default is set to 3. + - learningPeriodTime: Learning period for threshold calculation in days. Default is set to 5. + - binTime: Learning buckets time in hours. Default is set to 1 hour. + - minimumThreshold: Minimum threshold for alert. Default is set to 5. + - minimumBucketThreshold: Minimum learning buckets threshold for alert. Default is set to 5.' severity: Medium status: Available requiredDataConnectors: 
diff --git a/Solutions/Global Secure Access/Analytic Rules/SWG - Abnormal Port to Protocol.yaml b/Solutions/Global Secure Access/Analytic Rules/SWG - Abnormal Port to Protocol.yaml index cda25a0ed56..8b678753cfb 100644 --- a/Solutions/Global Secure Access/Analytic Rules/SWG - Abnormal Port to Protocol.yaml +++ b/Solutions/Global Secure Access/Analytic Rules/SWG - Abnormal Port to Protocol.yaml @@ -1,11 +1,11 @@ id: f6a8d6a5-3e9f-47c8-a8d5-1b2b9d3b7d6a name: GSA - Detect Protocol Changes for Destination Ports description: | - Identifies changes in the protocol used for specific destination ports, comparing the current runtime with a learned baseline. This can indicate potential protocol misuse or configuration changes. - -Configurable Parameters: + 'Identifies changes in the protocol used for specific destination ports, comparing the current runtime with a learned baseline. This can indicate potential protocol misuse or configuration changes. + + Configurable Parameters: - Learning period - the time range to establish the baseline. Default is set to 7 days. - - Run time - the time range for current analysis. Default is set to 1 day. + - Run time - the time range for current analysis. Default is set to 1 day.' severity: Medium status: Available requiredDataConnectors: diff --git a/Solutions/Global Secure Access/Analytic Rules/SWG - Source IP Port Scan.yaml b/Solutions/Global Secure Access/Analytic Rules/SWG - Source IP Port Scan.yaml index 7aad8a9d9d1..e197378ecfd 100644 --- a/Solutions/Global Secure Access/Analytic Rules/SWG - Source IP Port Scan.yaml +++ b/Solutions/Global Secure Access/Analytic Rules/SWG - Source IP Port Scan.yaml 
@@ -1,10 +1,11 @@ id: 82cfa6b9-5f7e-4b8b-8b2f-a63f21b7a7d1 name: GSA - Detect Source IP Scanning Multiple Open Ports description: | - Identifies a source IP scanning multiple open ports on Global Secure Access Firewall. This can indicate malicious scanning of ports by an attacker, trying to reveal open ports in the organization that can be compromised for initial access. -Configurable Parameters: + 'Identifies a source IP scanning multiple open ports on Global Secure Access Firewall. This can indicate malicious scanning of ports by an attacker, trying to reveal open ports in the organization that can be compromised for initial access.' + + Configurable Parameters: - Port scan time - the time range to look for multiple ports scanned. Default is set to 30 seconds. - - Minimum different ports threshold - alert only if more than this number of ports scanned. Default is set to 100. + - Minimum different ports threshold - alert only if more than this number of ports scanned. Default is set to 100.' severity: Medium status: Available requiredDataConnectors: From 12ff3d7c0919f873b5c32a952b257f8f0f9fe3b7 Mon Sep 17 00:00:00 2001 From: moti-ba <131643892+moti-ba@users.noreply.github.com> Date: Sun, 29 Dec 2024 16:07:20 +0200 Subject: [PATCH 05/22] KQL fixes --- .../Identity - AfterHoursActivity.yaml | 6 ++--- .../SWG - Abnormal Deny Rate.yaml | 22 +++++++++---------- .../SWG - Abnormal Port to Protocol.yaml | 8 +++---- .../SWG - Source IP Port Scan.yaml | 7 +++--- 4 files changed, 21 insertions(+), 22 deletions(-) diff --git a/Solutions/Global Secure Access/Analytic Rules/Identity - AfterHoursActivity.yaml b/Solutions/Global Secure Access/Analytic Rules/Identity - AfterHoursActivity.yaml index 9da19546efe..e43e3af3e3d 100644 --- a/Solutions/Global Secure Access/Analytic Rules/Identity - AfterHoursActivity.yaml +++ b/Solutions/Global Secure Access/Analytic Rules/Identity - AfterHoursActivity.yaml 
@@ -1,7 +1,7 @@ id: 4c9f0a9e-44d7-4c9b-b7f0-f6a6e0d8f8fa name: GSA - Detect Connections Outside Operational Hours -description: | - 'This query identifies connections that occur outside of the defined operational hours. It helps in monitoring and flagging any unusual activity that may occur during non-business hours, indicating potential security concerns or policy violations.' +description: | + This query identifies connections that occur outside of the defined operational hours. It helps in monitoring and flagging any unusual activity that may occur during non-business hours, indicating potential security concerns or policy violations. severity: High status: Available requiredDataConnectors: @@ -23,7 +23,7 @@ query: | let operational_start_hour = 8; // Start of operational hours (8 AM) let operational_end_hour = 18; // End of operational hours (6 PM) NetworkAccessTraffic - | where TimeGenerated between(starttime .. endtime) + | where TimeGenerated between (starttime .. endtime) | extend HourOfDay = datetime_part('hour', TimeGenerated) | where HourOfDay < operational_start_hour or HourOfDay >= operational_end_hour | project TimeGenerated, UserPrincipalName, SourceIp, DestinationIp, DestinationPort, Action, DeviceId, DeviceOperatingSystem, ConnectionId diff --git a/Solutions/Global Secure Access/Analytic Rules/SWG - Abnormal Deny Rate.yaml b/Solutions/Global Secure Access/Analytic Rules/SWG - Abnormal Deny Rate.yaml index d894d730a7f..62685ab4617 100644 --- a/Solutions/Global Secure Access/Analytic Rules/SWG - Abnormal Deny Rate.yaml +++ b/Solutions/Global Secure Access/Analytic Rules/SWG - Abnormal Deny Rate.yaml 
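Review bot: `datetime_part('hour', TimeGenerated)` extracts the hour in UTC, because `TimeGenerated` is stored in UTC, so the 8–18 window only describes operational hours for tenants that operate on UTC; everywhere else the "after hours" band is shifted by the local offset and the rule both misses and over-reports. A configurable offset applied before the hour is taken would fix this, e.g. `let utc_offset_hours = 0; // local offset from UTC, adjust per tenant` and `| extend HourOfDay = datetime_part('hour', datetime_add('hour', utc_offset_hours, TimeGenerated))`, with the description stating that hours are interpreted in UTC unless this is set. Separately, the `project` at the end of the hunk emits `SourceIp` but nothing named `IPCustomEntity`, while this rule's entity mapping elsewhere in the series still references `columnName: IPCustomEntity`; unless an `extend` after the hunk produces that column, the mapping should point at `SourceIp` directly, in line with the custom-entity removal this PR started with. The query body continues outside the hunk.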
@@ -1,14 +1,14 @@ id: e3b6a9e7-4c3a-45e6-8baf-1d3bfa8e0c2b name: GSA - Detect Abnormal Deny Rate for Source to Destination IP description: | - 'Identifies abnormal deny rate for specific source IP to destination IP based on the normal average and standard deviation learned during a configured period. This can indicate potential exfiltration, initial access, or C2, where an attacker tries to exploit the same vulnerability on machines in the organization but is being blocked by firewall rules. - - configurableParameters: - - minimumOfStdsThreshold: The number of stds to use in the threshold calculation. Default is set to 3. - - learningPeriodTime: Learning period for threshold calculation in days. Default is set to 5. - - binTime: Learning buckets time in hours. Default is set to 1 hour. - - minimumThreshold: Minimum threshold for alert. Default is set to 5. - - minimumBucketThreshold: Minimum learning buckets threshold for alert. Default is set to 5.' + Identifies abnormal deny rate for specific source IP to destination IP based on the normal average and standard deviation learned during a configured period. This can indicate potential exfiltration, initial access, or C2, where an attacker tries to exploit the same vulnerability on machines in the organization but is being blocked by firewall rules. + + Configurable Parameters: + - minimumOfStdsThreshold: The number of stds to use in the threshold calculation. Default is set to 3. + - learningPeriodTime: Learning period for threshold calculation in days. Default is set to 5. + - binTime: Learning buckets time in hours. Default is set to 1 hour. + - minimumThreshold: Minimum threshold for alert. Default is set to 5. + - minimumBucketThreshold: Minimum learning buckets threshold for alert. Default is set to 5. severity: Medium status: Available requiredDataConnectors: 
@@ -31,11 +31,11 @@ query: | let MinThreshold = 5.0; let MinLearningBuckets = 5; let TrafficLogs = NetworkAccessTraffic - | where Action == 'Denied' + | where Action == "Denied" | where isnotempty(DestinationIp) and isnotempty(SourceIp); let LearningSrcIpDenyRate = TrafficLogs | where TimeGenerated between (ago(LearningPeriod + 1d) .. ago(1d)) - | summarize count() by SourceIp, bin(TimeGenerated, BinTime), DestinationIp + | summarize count_ = count() by SourceIp, bin(TimeGenerated, BinTime), DestinationIp | summarize LearningTimeSrcIpDenyRateAvg = avg(count_), LearningTimeSrcIpDenyRateStd = stdev(count_), LearningTimeBuckets = count() by SourceIp, DestinationIp | where LearningTimeBuckets > MinLearningBuckets; let AlertTimeSrcIpDenyRate = TrafficLogs @@ -45,7 +45,7 @@ query: | | join kind=leftouter (LearningSrcIpDenyRate) on SourceIp, DestinationIp | extend LearningThreshold = max_of(LearningTimeSrcIpDenyRateAvg + NumOfStdsThreshold * LearningTimeSrcIpDenyRateStd, MinThreshold) | where AlertTimeSrcIpDenyRateCount > LearningThreshold - | project SourceIp, DestinationIp, AlertTimeSrcIpDenyRateCount, LearningThreshold + | project SourceIp, DestinationIp, AlertTimeSrcIpDenyRateCount, LearningThreshold entityMappings: - entityType: IP fieldMappings: diff --git a/Solutions/Global Secure Access/Analytic Rules/SWG - Abnormal Port to Protocol.yaml b/Solutions/Global Secure Access/Analytic Rules/SWG - Abnormal Port to Protocol.yaml index 8b678753cfb..df45813bdf7 100644 --- a/Solutions/Global Secure Access/Analytic Rules/SWG - Abnormal Port to Protocol.yaml +++ b/Solutions/Global Secure Access/Analytic Rules/SWG - Abnormal Port to Protocol.yaml 
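Review bot: The final `project` emits `DestinationIp` as a plain IP column, yet this rule's entity mapping (seen in the context of the version-bump hunks for the same file elsewhere in this series) binds `identifier: Url` to `columnName: DestinationIp`; an IP address is not a valid URL identifier, so the entity is malformed and will not correlate with other incidents on that host. Change that mapping to `identifier: Address` under an `entityType: IP` block, or drop it. Also, with `join kind=leftouter` any source/destination pair absent from the learning window presumably carries null baseline statistics, so `max_of` falls back to `MinThreshold` and every new pair with more than 5 denies in the alert window fires; if that cold-start behaviour is intended, state it in the description, otherwise `kind=inner` restricts alerting to pairs that have a learned baseline. The `TrafficLogs`/`AlertTimeSrcIpDenyRate` definitions and the `entityMappings` section continue outside the hunk.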
@@ -1,11 +1,11 @@ id: f6a8d6a5-3e9f-47c8-a8d5-1b2b9d3b7d6a name: GSA - Detect Protocol Changes for Destination Ports description: | - 'Identifies changes in the protocol used for specific destination ports, comparing the current runtime with a learned baseline. This can indicate potential protocol misuse or configuration changes. - + Identifies changes in the protocol used for specific destination ports, comparing the current runtime with a learned baseline. + This can indicate potential protocol misuse or configuration changes. Configurable Parameters: - - Learning period - the time range to establish the baseline. Default is set to 7 days. - - Run time - the time range for current analysis. Default is set to 1 day.' + - Learning period: The time range to establish the baseline. Default is set to 7 days. + - Run time: The time range for current analysis. Default is set to 1 day. severity: Medium status: Available requiredDataConnectors: diff --git a/Solutions/Global Secure Access/Analytic Rules/SWG - Source IP Port Scan.yaml b/Solutions/Global Secure Access/Analytic Rules/SWG - Source IP Port Scan.yaml index e197378ecfd..c06bc282481 100644 --- a/Solutions/Global Secure Access/Analytic Rules/SWG - Source IP Port Scan.yaml +++ b/Solutions/Global Secure Access/Analytic Rules/SWG - Source IP Port Scan.yaml 
@@ -1,11 +1,10 @@ id: 82cfa6b9-5f7e-4b8b-8b2f-a63f21b7a7d1 name: GSA - Detect Source IP Scanning Multiple Open Ports description: | - 'Identifies a source IP scanning multiple open ports on Global Secure Access Firewall. This can indicate malicious scanning of ports by an attacker, trying to reveal open ports in the organization that can be compromised for initial access.' - + 'Identifies a source IP scanning multiple open ports on Global Secure Access Firewall. This can indicate malicious scanning of ports by an attacker, trying to reveal open ports in the organization that can be compromised for initial access. Configurable Parameters: - - Port scan time - the time range to look for multiple ports scanned. Default is set to 30 seconds. - - Minimum different ports threshold - alert only if more than this number of ports scanned. Default is set to 100.' + - Port scan time - the time range to look for multiple ports scanned. Default is set to 30 seconds. + - Minimum different ports threshold - alert only if more than this number of ports scanned. Default is set to 100. severity: Medium status: Available requiredDataConnectors: From 4e01f02ceefc27021eaefa62d66ed3cb74ad9325 Mon Sep 17 00:00:00 2001 From: moti-ba <131643892+moti-ba@users.noreply.github.com> Date: Sun, 29 Dec 2024 17:58:14 +0200 Subject: [PATCH 06/22] json fix --- .../Analytic Rules/Identity - AfterHoursActivity.yaml | 2 +- .../Analytic Rules/SWG - Abnormal Deny Rate.yaml | 2 +- .../Analytic Rules/SWG - Abnormal Port to Protocol.yaml | 2 +- .../Analytic Rules/SWG - Source IP Port Scan.yaml | 4 ++-- 4 files changed, 5 insertions(+), 5 deletions(-) diff --git a/Solutions/Global Secure Access/Analytic Rules/Identity - AfterHoursActivity.yaml b/Solutions/Global Secure Access/Analytic Rules/Identity - AfterHoursActivity.yaml index e43e3af3e3d..f228301f879 100644 --- a/Solutions/Global Secure Access/Analytic Rules/Identity - AfterHoursActivity.yaml 
+++ b/Solutions/Global Secure Access/Analytic Rules/Identity - AfterHoursActivity.yaml @@ -38,4 +38,4 @@ entityMappings: - identifier: Address columnName: IPCustomEntity version: 1.0.2 -kind: Scheduled +kind: Scheduled \ No newline at end of file diff --git a/Solutions/Global Secure Access/Analytic Rules/SWG - Abnormal Deny Rate.yaml b/Solutions/Global Secure Access/Analytic Rules/SWG - Abnormal Deny Rate.yaml index 62685ab4617..63a64ea79cb 100644 --- a/Solutions/Global Secure Access/Analytic Rules/SWG - Abnormal Deny Rate.yaml +++ b/Solutions/Global Secure Access/Analytic Rules/SWG - Abnormal Deny Rate.yaml @@ -56,4 +56,4 @@ entityMappings: - identifier: Url columnName: DestinationIp version: 1.0.2 -kind: Scheduled +kind: Scheduled \ No newline at end of file diff --git a/Solutions/Global Secure Access/Analytic Rules/SWG - Abnormal Port to Protocol.yaml b/Solutions/Global Secure Access/Analytic Rules/SWG - Abnormal Port to Protocol.yaml index df45813bdf7..a40a457d7f9 100644 --- a/Solutions/Global Secure Access/Analytic Rules/SWG - Abnormal Port to Protocol.yaml +++ b/Solutions/Global Secure Access/Analytic Rules/SWG - Abnormal Port to Protocol.yaml @@ -51,4 +51,4 @@ entityMappings: - identifier: Url columnName: FqdnCustomEntity version: 1.0.2 -kind: Scheduled +kind: Scheduled \ No newline at end of file diff --git a/Solutions/Global Secure Access/Analytic Rules/SWG - Source IP Port Scan.yaml b/Solutions/Global Secure Access/Analytic Rules/SWG - Source IP Port Scan.yaml index c06bc282481..74f63b52357 100644 --- a/Solutions/Global Secure Access/Analytic Rules/SWG - Source IP Port Scan.yaml +++ b/Solutions/Global Secure Access/Analytic Rules/SWG - Source IP Port Scan.yaml 
@@ -1,7 +1,7 @@ id: 82cfa6b9-5f7e-4b8b-8b2f-a63f21b7a7d1 name: GSA - Detect Source IP Scanning Multiple Open Ports description: | - 'Identifies a source IP scanning multiple open ports on Global Secure Access Firewall. This can indicate malicious scanning of ports by an attacker, trying to reveal open ports in the organization that can be compromised for initial access. + Identifies a source IP scanning multiple open ports on Global Secure Access Firewall. This can indicate malicious scanning of ports by an attacker, trying to reveal open ports in the organization that can be compromised for initial access. Configurable Parameters: - Port scan time - the time range to look for multiple ports scanned. Default is set to 30 seconds. - Minimum different ports threshold - alert only if more than this number of ports scanned. Default is set to 100. @@ -38,4 +38,4 @@ entityMappings: - identifier: Url columnName: DestinationFqdn version: 1.0.2 -kind: Scheduled +kind: Scheduled \ No newline at end of file From a5620ef80e2a4884b4cdbd02dae72d18a2a23350 Mon Sep 17 00:00:00 2001 From: moti-ba <131643892+moti-ba@users.noreply.github.com> Date: Sun, 29 Dec 2024 19:34:23 +0200 Subject: [PATCH 07/22] Update NetworkAccessAlerts.json fix file --- .../CustomTables/NetworkAccessAlerts.json | 182 +++++++++--------- 1 file changed, 91 insertions(+), 91 deletions(-) diff --git a/.script/tests/KqlvalidationsTests/CustomTables/NetworkAccessAlerts.json b/.script/tests/KqlvalidationsTests/CustomTables/NetworkAccessAlerts.json index 43f31e680dd..8ad31260523 100644 --- a/.script/tests/KqlvalidationsTests/CustomTables/NetworkAccessAlerts.json +++ b/.script/tests/KqlvalidationsTests/CustomTables/NetworkAccessAlerts.json 
@@ -1,93 +1,93 @@ { - "Name": "NetworkAccessAlerts", - - { - "Name": "TenantId", - "Type": "string" - }, - { - "Name": "TimeGenerated", - "Type": "datetime" - }, - { - "Name": "Id", - "Type": "string" - }, - { - "Name": "DisplayName", - "Type": "string" - }, - { - "Name": "Severity", - "Type": "string" - }, - { - "Name": "ComponentName", - "Type": "string" - }, - { - "Name": "DetectionTechnology", - "Type": "string" - }, - { - "Name": "AlertType", - "Type": "string" - }, - { - "Name": "Description", - "Type": "string" - }, - { - "Name": "ProductName", - "Type": "string" - }, - { - "Name": "PolicyId", - "Type": "string" - }, - { - "Name": "LastActivityDateTime", - "Type": "datetime" - }, - { - "Name": "FirstActivityDateTime", - "Type": "datetime" - }, - { - "Name": "SourceSystem", - "Type": "string" - }, - { - "Name": "Techniques", - "Type": "string" - }, - { - "Name": "SubTechniques", - "Type": "string" - }, - { - "Name": "ExtendedProperties", - "Type": "dynamic" - }, - { - "Name": "RelatedResources", - "Type": "dynamic" - }, - { - "Name": "IsPreview", - "Type": "bool" - }, - { - "Name": "CreationDateTime", - "Type": "datetime" - }, - { - "Name": "Type", - "Type": "string" - }, - { - "Name": "VendorName", - "Type": "string" - } - ] + "Name": "NetworkAccessAlerts", + "Properties": [ + { + "Name": "TenantId", + "Type": "string" + }, + { + "Name": "TimeGenerated", + "Type": "datetime" + }, + { + "Name": "Id", + "Type": "string" + }, + { + "Name": "DisplayName", + "Type": "string" + }, + { + "Name": "Severity", + "Type": "string" + }, + { + "Name": "ComponentName", + "Type": "string" + }, + { + "Name": "DetectionTechnology", + "Type": "string" + }, + { + "Name": "AlertType", + "Type": "string" + }, + { + "Name": "Description", + "Type": "string" + }, + { + "Name": "ProductName", + "Type": "string" + }, + { + "Name": "PolicyId", + "Type": "string" + }, + { + "Name": "LastActivityDateTime", + "Type": "datetime" + }, + { + "Name": "FirstActivityDateTime", + "Type": 
"datetime" + }, + { + "Name": "SourceSystem", + "Type": "string" + }, + { + "Name": "Techniques", + "Type": "string" + }, + { + "Name": "SubTechniques", + "Type": "string" + }, + { + "Name": "ExtendedProperties", + "Type": "dynamic" + }, + { + "Name": "RelatedResources", + "Type": "dynamic" + }, + { + "Name": "IsPreview", + "Type": "bool" + }, + { + "Name": "CreationDateTime", + "Type": "datetime" + }, + { + "Name": "Type", + "Type": "string" + }, + { + "Name": "VendorName", + "Type": "string" + } + ] } \ No newline at end of file From eba11c7e1adf5b2008e1df94163d8be73f5910b6 Mon Sep 17 00:00:00 2001 From: PrasadBoke Date: Tue, 31 Dec 2024 13:37:07 +0530 Subject: [PATCH 08/22] Solution packaged --- .../Data/Solution_GlobalSecureAccess.json | 1 - .../Global Secure Access/Package/3.0.0.zip | Bin 48635 -> 48714 bytes .../Package/createUiDefinition.json | 82 +- .../Package/mainTemplate.json | 1216 ++++++++--------- 4 files changed, 579 insertions(+), 720 deletions(-) diff --git a/Solutions/Global Secure Access/Data/Solution_GlobalSecureAccess.json b/Solutions/Global Secure Access/Data/Solution_GlobalSecureAccess.json index abe547db913..184af92ad2f 100644 --- a/Solutions/Global Secure Access/Data/Solution_GlobalSecureAccess.json +++ b/Solutions/Global Secure Access/Data/Solution_GlobalSecureAccess.json @@ -12,7 +12,6 @@ ], "Analytic Rules": [ "Analytic Rules/Identity - AfterHoursActivity.yaml", - "Analytic Rules/Identity - SharedSessions.yaml", "Analytic Rules/Office 365 - exchange_auditlogdisabled.yaml", "Analytic Rules/Office 365 - External User added to Team and immediately uploads file.yaml", "Analytic Rules/Office 365 - ExternalUserAddedRemovedInTeams.yaml", 
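Review bot: The removed side of this hunk shows the fixture was committed as invalid JSON (the column objects followed `"Name": "NetworkAccessAlerts",` with no enclosing `"Properties": [` key), which suggests the CustomTables loader in the KQL validation tests did not fail on an unparsable schema file. Fixing the file is right, but the loader should also treat a JSON parse error in any `CustomTables/*.json` as a hard test failure rather than skipping the table, otherwise the next malformed fixture will again pass CI while every query against that table goes unvalidated. This is inferred from the hunk alone; the loader itself is outside this diff.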
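Review bot: Dropping `"Analytic Rules/Identity - SharedSessions.yaml",` from the `Analytic Rules` array silently removes a detection from the packaged solution, and the commit message ("Solution packaged") and diffstat give no reason: the rule file itself is not deleted in this commit, so it is either orphaned in the repository or intentionally unpackaged without saying why. If it was pulled because it fails validation or overlaps another rule, state that in the commit message and remove the yaml as well; if it was an accident, the regenerated mainTemplate in this same commit will ship 3.0.0 without the rule to customers who update. The enclosing array continues past the end of the hunk.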
diff --git a/Solutions/Global Secure Access/Package/3.0.0.zip b/Solutions/Global Secure Access/Package/3.0.0.zip index 6145e17ffcdc98e487c355692dc60764c7cdafcc..b522ab0c58b4dabeac228891f50dc8ca429fc5a2 100644 GIT binary patch delta 47183 zcmY)U<9FXp|NRfgwi~OlZ8Ub1G`4N?72CGaIE`)l9ou#qv)6HcKfgQIA25&g+$6&IgCF9kb#Fh>TGYnd~7U%9(Qo3nu*YaN4*WsdpF)2^v# z*TxeR;!>ldHEq>boX`2?a!X$}dcUI4VE>hUWX5y{Q|}w9V`X}?5uQ^AugY~*#F(id zbs0?RqI__0?Nsc6b^%Yv`B`T#qKVgAEvD`tUmyFw6bC371~|TT(G`<_d?)@8D;?iK z@fKK~k_(bP=2)(pn^jF!jOveguYEMc{|{A2VZDhr<(uo(jynkvJGam69TM)JB|l*G z2p0e2k?Uh=5>gWJGDK8m25 zJ0@up`9btHZ%oy(WYJ4QrIJ*c-d|$oOsxXXQag-IH$EB0e4p9ZU2jG7eLu;iOEF}$ z4Qc&2%{17Eu^h@ACr(@LTK&&rVATZ-x!G`A;wG02EEp;bW?!CCi9R z>hD(+J$c7hRL`$6!Ty|Qo){{>hVQ{Zf^-BQ21uDA2CHGbv9fT6wh9`8ewM)Kqt&NC z&9P+t68P362W~R!yH{TMQ_1tpf?j8jw($EB-oxLKv*wavbk6Ov*Cif>IxP6OB&vPfBe1|?+9LS#W zTP`*O5XnKyv79}G-EMLfvz3~rnq4{L&S+ zX~6#G_j?ZrI?`FX(2X>+)Rd3t?mL^5G{CO%vx1Qb7{B!&Vph3^ZLtmG9JZ29o_Mmo_LG-SiF5y?F}p16ptZJ&w~p z$B1?k&A+nlNKq(2=ORb1fTy#U<7)8lMAqIV%PLk2;NI*@jMxZm;T}x4 zQ$oMDWse6!XZ4KOBWN@cz#WUOH-y+^5!;PPIgHZQTPCJAJ;nWN@~3Fo-gFSL=_^it zFjYe(jgdZLc?*P>R;NCVZQ-NoV_-vH1LzWD-De?VT9~b zGiMSXzmv)|9rTx1C+>c6siie%RP$aUca4s~wcW;E7o| zDK1Qd$KGUc7HitZy2qi)6>K)`2o21dU{&zQSq#2qDi!^p%#s!4 z2w{&x(I_lT4nv&u=*p$>Rj`I;${*t;quaGbVqOY=&bLtOY~1#~AMqyOGTE*sy8LIk zU7f#2!s)OHOs#V}EJiUdxazM}L=tYpwlx^%sEpmwNn%=lWfKky+I6B$LrSy9+vZCu zT|*TKQY~@7y%5wB(?$8;Ekib;4q5H6IPEa2C64U$bmI+ug|m2ik8m07)I30DN0FSf zCQa)QqlooKUPN_W=-AEPUrEd*477r21G9I1=AnOx$pcYIDW6T`Pqd z46oCD|FX1<{)m_Cu@*E2dnvL?qVf}OV98SPhRdnk`$-;8(xY!uIVYocoFOzrsf8c< z1%W{dghm*VX!66vY;7eY2QOug*2(zEwLrh`ze%xJa%2WVM7?TB*6w7_}m<0Gnl=)Wbri3soD zPY|OZkkJ8HXRnTzrkzh)2zOuUA7_-`?H@-bEOQZ~P7zPrKBoT60RzP|I z5r2(ZU{0}GvfaDOHES{*8QoKYkIuqOtDA%EpDt7iLI^y@sOxNV1+V^G6SOi_oS_bx7 z#mQ3zLRGVn&yff+)effcY=ahelNqyv`D1%g|Mo4#{M~g7qOa9$5?u#rL5GQ#W z{|3#sTQQQ2V?cFE?Fg|8)Ez>6RreJpLQzICLhp_Ei5nqJg4mgq1;9d**To@0)>5uvg$)?9;dnI4#y$5{fOD@UePmzy&5`X%WUw-ow%17;k 
zW-)*D%|l)K;U!8)CFXm`NFvk$Xq!rHqp84?2%DZF6nVb&Z~UxP>DRL4)0l+P_X&!GKFYQF>wU~P_`8)F7LKi z!BIqrW>SI$OgihThW88A_9$oW9=(J6N}$A8=G)hm?MU&df`pniGk2cdvM`4GtZzP? zl8v-dZYF$RII!DWXa{zCnlS8b zX!*IGj|+Ru{VffGThEa8&?o(R6=rr5sjDbEGQ|4r=GsH9N~AOC8~|%lxdzLUhocB|rW}C*EAx z!BZ#mEN66``!*XFud|oMeF-+el)pBH@boCvhW+mF!_90%{p>9JB8 zlm&h_d@M;vn+$fg^!Qc3Oewjn!9+zeM#(45j)3bbq`(>=4=S;NMoa6|b%fXkpY{)1 zh7|7Q*?@3jl}4(f z#p!~S`n?RthXwH%{!>|L)!2qRu-3;(GEV0~+8jF6$cR&HU+l~UEa(!&{Xlt0L~K=| zYE+#~ip~&V1g}}|+!fEAxdxR_gXvglLQsW-1gES(1dkM-7g{Ueog9j8SoZF)t;1g` zRAc%{dpQf~tAqD0_N_=I&>r|6AUOiPcwkSwx$jAA#3rD_H0jSI4b4oVlos2c3d&Lt zjb(=66R@eWeg)HI+}^Dii@S+^`i1o-f$#*ofwX{h6P&%T*WcZntrpOmnvdl)-P#l@ z5*;UzvJo*vc$j+j=z+$2@kAsR=l9YYLoqngFxoxdR;N&sr!*qr(?M9Bffe~Y8%*y| zGb@CABky$;JR}5e=S#D1krEge`guNx?gFaF)pYDp1wUmWbmzDd1J8Zcj+z!9%Q&2i z3{HRnE~bHT*@^9vLRSin}zxk?S>=FW8E?Su!aS6Y!EptO> zR;bhDA7$(e8|udo1{x76U&Cb7Rr-}Vzv05~LpB**sE`yTwy{!lWc(@^pk8UYj))jl zoN4iT=*OKYM*Zr&{T+zl>t6o2=T z4_NS!?V!m>Z|7f}OZ}|GAq{Zq@tW~#!(GlRg&+n+uKpA?n=c=XsempXgdY{Yz}lmL zXAsGqwCK3owJ5!`Q_Q2gH9#Q!g+pMVD*C0GOLV?;0G3weCSUmXVN5&i_lLAv!MZMR z)85voIBGn5(}*dHLm8`!DESLrH$=TSWk#AS&q+@b-rRP7l(2wwQDg1YO6W1^RzvWU zH3L4GK&}Tb^htD-o_dTeQ`HD&wB;2AQOB}Rv6I~+dn$P{q@^hSR~=={7hK8$ zs?rO2?8LtMOOiulKn6Qzr8q@gfY3JphA^79M&2mr=UMJMBtMQSk*bghg6jDqX8-s} zPEZvl$Z}=HUEzRy^Y=3HT^}+lN^+_H==a}ZRx*@-K;h%e`d5dV)MSk4Ws*r6Z{zb` z*~}tsekx^EH=a~Bd@<_BZ|xLK3{WI?a&UQMiwWd!RC(Xxp=&ysUVf_^B2sSwQtzbi z*82D^6tQK{TPO1=L2mt{p)Jb?##Op8s6-$6EZedA&HFQa4!SB!-e)tuPny9QUfd4zjs#jq_xn36;KOhPo5i z2_4H!4`PRCkC;+03D3As)1XdZ5%MLaWrW`+QP;3)$m(^1X$Sgh&x1SW2c6qit_Ba4 zRcgE9jz&NJ3a4w~b$mlG-Sl>_^+{Fc>X{cKtGwN%8=Y=>W?{4wduss8W)rn$>}J`> zd)J_V)HJeRO#wj;jxr;4cnO2k!=|TMig$~o6NxgXe3s)n0kX-X8k!2AM(vb&U96(v zS5y7)NzAjRF-~lItN}Aj4J$0fw=TMLB5!~rA>$#k@-{zPidc$b&(z;lb40>8WIJQ~ zuab58BP4T|x{9T+Q2x^GOkv&E`;bAjZq;4p7{ji2u|vLbiV;g~8LrKex<_FDG$5|H zk+2+5T=%di?`I3^@QNmIIODn_*V7m3DMpQTam3xctX-%Xz z{m>HC?vVeMUNt}rAFQP|!s^`L5;V63{bzbQ#5Vg3`rNos@_Y`kqcmn&CTwF7%4)WK 
zs30y|9>Fr6Yp9GUMhv`$a_9b5`4!W^?O+q?5G!%T#n}^?q0P27BDZ}F@k57c?XYGq zpllSL@olyA;m@QU+KRU=bSFR4W*1Rov$2WZRZ;GudJFjxNcYMXVj5~uy8)_Pc2`H0 z7Ls%u9tsF7Es6z>u7atQwrl?k2y!ws;l*XA7)7h^h&V&W zHc6B@IMY;1xKkIroyyhi*)X^}Kt15mE}&X+{_o5TX5Ngw+@hWB1+Ws$F#S| zv(Nm9S-}*Od&zoP<}T#E*?Vp1Usa@~?_@KktMC<+ib4jI+n~k$yUX3fgdk@utft%A z0(oNQ_`!$L=wvh|(@ANpwu%|V3bg2(Ku<(i{0uaoO>H5g=4Tj&wIC4{-pz@_xN6H` zGGv@OKJ?nNwKjsWEz_o0x?Cw&Iiw>=M?Q|^a14xD_!@`T_4d}hqI~6rczxhuUt;%BuE z*{X3|ehlUo@!1gIMEGSrr(dcE*wRxa+Uj+yrmpbCb9uJAR(0R?P)p&##a; zC?z^a!M2DX11=ktKNVz-@+%U-6W4`2y5|R^duumqcEWT@h`y)j*|}5H3?;lv z7d>!~#2|j;v0{`*)q$`q=`dAKe^lFy0JX)*j+ZVm7rXiE+M*Wp6`cwva|Oj9^VKa; zODi+aEgdpB-u1nO+?BpZNj$wdqm@TyK))N$Q-yD-nFUqZpWn3z~^2p4t7rTrvsD@yqITd6?z4La;4NGS>nWEBv_w0pF?LIDERBz#Op`}+PqQVwkR zN>%*EVHJv8EN4-$1HajV`N2V=zXTy8zR*)YzTcZc60(Ef?}7V8n8_mm@8POglm_@~ z=}TR|Q*nr2c&z-*GWZNohBh8;PPRquQ04-%Z z-O`heKFW6;HzIAShIGe`S%NmOwgQ?7cU&Xcv14J3p?>hDW3dp8QE8#InlD( zpll61VBomrvZleK40z0>KX{_n3i#lJx|WEwu#+6Ai^1`!dPI+&Zw;%T1^l|luWlb1 z_gLJc$4tBaV3F){k=;UHZNXIkUcG$1Qcq-#B3d zxdwIDd};ax3ufYL-q+FD5PY%yVXxf!c}`c>L;>Eozi!)cC)`WnJ|V*&sGl}2=e0~& z9cg0v{39SyW6=}OlD$P0%(dy67S4u_3Tp>UwD)@J1-*JQ#Kf}0b6+ziE7 zh2tfb_23Ksc{*@CfsrLvGvH@??do>>`Sfzzopj1%R25b{wF>pxyF5JG>dXm=CeBdkA)%5nH5zQK)S^5*m}m!LB*$UB;kvtsx`20G;eyA z3}aQeBl-9TfdBs&Ezs)$A)F;(V9S0mVCetVFLp*&_P@;R9BqwU&6uoR9PBT_aNtN)CyWDz=9+PQ$H5=|)CgZA|qkk<$NNEcdFl>WTsw8KNWDfZJqGqmFs+kx@UAZ} zDYzH*>lBqA`we`QL}72MH&JHymEt4L?dR~ngPU+u>&_=EpId&R0I4Ti?*pa!Q=i$) zm%yET{4(^Z5fgyzbMmLaAj%)fQ;V?GP%xX^_uw@wA#-`J@R%N9R)69bK_9~$OaK}4h=|S~;qR+$Dmd+arwfxy6Xa~Lw)4`RoBf#WN@@DMR+Z)oM z=Jb!;+mkKJC$|qv@uQHE^zJMb%B$D@?1;}h>^{B0VT+3Eo*nee5W&6B)yKY4td_`T z6ewFE7M+aADYn8P=8BZ%a(pgF5$J{Z7F2OZa`PfJbx#0rIV$|N?jb)mxQe`Z`FSOb zf^?u^>{)CmYm2MHS;jr|63-9(<;2@SVU^(iH`vyBmqRd!h?FkhrSoD6?4w%Ud5lVG z2CCo!J&guS#9?^4!82z@T*Bw?KkL#W6_~j~9V9UgzwZ|OhI~}Vl=dUS>;3z5 z|6N{H6AC;*S>nV+N<+uk73fW%C=ts(ND{{v(A^Y#S7)JD+vn6dQ`FNw22Sn|p8LjwdUrPG zmuR)ZaZxlvR6QKHQ$is7nZk=a>vdR5h|7EB)s+5H80!gNHpr 
zjCm71naSP`|6Hp%T;jU%KDIaG`uoL7Aus<_5@$f`!}P4DOwMai$+aI`-u;S~#3gYS z0TPaZKlREm@Igai0~T|nA7cV5y{9|`EHHO+d5uPS`^%m*Fp5K_+)~Z4Wmhu3V&c(S7C)_rO_-B z7t$;`O9VdhSv=t9X!$hdXic6>QD)lq6uL#eh zAUX}6Jyp4(X)3WWG`!c& zJeNi)xf)SS1_;Xh?K!3?shG}4DaEQ5)XIn*tYLo&Z7$-bdg|AkaI_7GWVFZ%weez* zmuQ1wba&Ru0RDSiBp0l?v&~1Zm!>6~*EoH0trsX`%^~&M(>5$k8yxMtaF$vXr+aM@NltPfph zmux$|*LY_)*-|HmUeM1C;P0$h?7fvW)i2W^)H{Bn1C~a)tf34@Naf=Lu>v^ur;RL( z)@!*vY8Nfj+FSM+vHs0A>&@1)m+E$!v^m~YMrIC__>+zGGtZA&ZGXscmI)-laqMmL zLYqgLz!16bHQQ)4+cGBynrNJIdsHdZ8ts<~iyy;G+$*ob)|xBR7OFM2!j`5@_m2NE zRNwpg0XX*d5uuNg$^oI-*%n4MtTGIni>7<(#E7j!`faKIfqrkftuvM%3@~*gOiHBl zn76{(NX}ki&O7_Kow`#Ywx(Ga<=$L0I@*XaRC7l`Fl??1Alk&rtRuE^Xtm{z4%qqq z=ggLVl`MXDnw1B>f+mwS(LxK~+y>0qqwNM@$6IsR?dStN${YJXijV3jZ;djR;ocJk z&&*kj6*$iI;U7n-ddDxxARM<1h4~7%jxrlw!KQo;k*VEVtqX2^_Z90E{3}H&L=W}8 z|MPdIOjFYa3tF@79!^u!LLLM0!k)6ji(zwVWuVEj+2PSfu*&YK(|*#njT6{ts`|{c zYPBPLRuyX@?-Pem*$g6G7e2!ptj~nLc_IpOp+c%v3)C)7}qt%h$8HezR zX!^zoTo$d6i{U7QVU%)b3UG`Lbv1|>3)^c9%{Gu%2UiGo)m%ID8bQ}feO0Hw6v~w; z9=%&{IQVO9CG`Va70V%^@w`;8`MQm;j1HxC>lW}A$#tT2!-@XOpJH?uj7+uD9`vfN zINr?{tOI?z)<*|vz@fZG&s_I8AMgISf(!7BGYix|uPjbd>1B8JE zR?T^)IZr}cl+)c%hH{BNAj z1^g5!hU7TMzoe#%kQPn=92?JJ!NXmWPsN zP-9WB3=b7}Zy&;xLlQ{>VU=utB8mi7>*5kK79x(9n8|dnK}yzbDh+;LNMnk!U6~^f6F#Ky$5Lq#^U?p%Q=5T8)mB4QpBgtnVD+iDCQBh znsHC_ojn-|-}G_)KHyTQ(ztLd?6vdEoF1dUJvwtO0Hbi2$SmiMA&>ch>+;eL)(%N@ z+45=%VWL=Q$jw@4)#G?ehC{Hgf9HoO`e3zTw-}$1nCAZEYXL*7T z_EV4Q>~8ID8$SCw(e-X2+cTp7xZL9Uxn!0}t%*|laXX6DPO|?ksp%2RYD>HXpGW6P zR|r@GJKntHi*@ftDbwgIoa~N8PSmh~%R00>PHe4E(${X<0M4{)6bHE&f3#l3;`F6e zx;1Y9_Q+P>I^(^nr1HupAg`N2;~3wVpm31O?`pEF0$r&S;1pO@;=DLVBFc-r1+3Wh zNj4avvlyH?JJ_ghRo6N$5IIUZyh%sqRFcz zFymsW?WeFYpz41Xx&Iy802!=Xf|$3tt^8G>!ry6Z;spIIEj`~uqT4e3@mHq#-Q&9bv z%Ph87PBjho|tv4h)^6GJ0#wpgjS_1!%dZ7W&AO^kB+TQF1PeY|~I zPt<=myP1y%%V@gUkRCD*FFK>ernSHaXB(}FAt3EM$y2qQJD2q|iRbwR$4HffWMHJFDAgl=0kP@? 
z%{_7*Zmrjr4(nWQl?(s#)Fs|+YOO%VSUb(tR)B_?5-3x$`n2L zOy(Y~5A&`q;T13%8{Art)N`!|q3G#~z7gHp@dogNHPT7WRV-yQYOMVEQ?Zcye|kHL zzq`uF1Cv1tmCH_>TrhYdhb~(Koiuih#}D2^*N^yyo=e~F{vZBl63;^;Rd*-ii+gbY zK#v}}2|v*!vzmI`UV6;)gvpBxy7l18Bun0`?bKOc=gkSsHBuxAVI1{W&B;J33UB+5 zf`H3U5+9Y9HEnDG1&*e6-n;~z_)QrJFB-tm>~=UMEXD+>1ergwnv%@Y z=I$U(5uD#wrf)F1QEM?;xsUbkkT2adyaR&%3vV^E=A3)a`btwSgJc4PF%T&U(+EkF z?d{BCtd?P7#<0aA(ByQY;83J_(`ri>tBGf{em?gkX`HlA;u|3HvKP(+qKtbN;08V_ zhY(^c|L{ES959>Qr{I{RiBg6o2-;w_AV;8tIMM}U)V}Lx;My7Ww@kFvwyspV5 zMYo`3NZ7zg!$LOvpYncDn%I5n8G4secJd%xu@UAx`=tQYK4Mbv>!l2$=URi*s<}+Lv zkMHg%wwt}|^qHAis?2Jj_qI2h0Ao6;h%5hS6>3co;8MVnltuF0K&F%2C3yataApw(=iR}fxnB0t3(Hx;ZN4I7s2yG=q|4dWJ82im#e%#ffPD0++SPplM(-Y62nU*AyMikE41n7o{77T zX?`ZA_t@Qy5#E75V*B_3I68n)VgY}j0LK-)sbyCwHUdor>F+& z)Ow3a1H@lE>MZ&fNn{DDXDffzW0{rAj^(VL1wu4c=dD$n)Ng6mSi9>5XfO6BZCXB6 zGLkMp9c3wx(Z{a`}d?EAi%Iq4R=z}OZ zB`w9|;8%Yzun&l$h(3^EZ3VicMmy^X2iikgA_1e5U0v(?KZ6tgray;M>i7T+M!ucK zMVeB=_p#7;Ol1iwmq3AEPEjqwbEVW`yzH;S#7L)_v;YVw`P7yEqmC)Dt@vRyridU& zMZa_Idz9TuF8w!=kP5rU&|BEhF0Q*jKut6DI^C3Fy$DQBbNU5mT-J`73=a1(T!ujezg^eQjOh?>0h_t)a3AS9}~&W*_saz+=uy#K7v_z;$S>{%W!fTP!N0uS{uR&pQ}oe+|{eb2YVEbT0yb{Nuqz8L~)-Hg*8< zv^DCkp`9kT57TZc*afKOSsSOrQ)7A0MW8$P)v=QIgN2+r!+>Eby993tS`c)I((h({ zR}!X!s%PO{+s^ylE5FNUS+0* z6DVW(fR1X+4OWl%ZZ+AEtvCu^rPkQmfUb+?gLn9xjidVfAt(Rx8!KS58PixJo7#Q< zR%+oew80}52-OYCJ9b9su4bn73EwcB~cIEszw-Z^`F_aj+mGkG4}T5a?! z1q@yb6L9*cy9~d52r|ea`_|sE-zn`Sz{@Rh-qqc9d4;~7)^^=tSJM>S1a-TZKM>py zgolqfflV?oNEiaAvyvRjL>x!ZjyXe%0ge4&1VykbL+Pveo*d^w&F2&gZep3s16@+Si`#G6Pm z6C*ib=D@DM6&_+_vs31djp(r2=L<8!dBZIP^HD2UrZ50t^7HP9!W4z_WNJQ1mvOCa ztQcMpH-tgau4yGqGi*qN0CV2H{_TIrKcbWM&mkSyeBFHg1j$yEXJ;)2Pj@qGsXKnu ziVo~x?g~+5g#3Yv#K3GzP(Q8~vh%cWy9*?J1S$W&&neu0YJlaG(1dN6#Sjv%5=;+1%|pi0PrT@V__=Y)dcX_a*58(jmeJE|SJCM{>Fu zXL2oYc;yyF0h-u!m!I&fgnNP>FoDK=y{LwlMI1gvJ=n~c<&CD?w>j#%b^(FYoI*g3 zu*8*e2xd+A@z5Ly*BM*7#_MvxU1SkV}2FD(vap)4qMtcPZrxq-Zeyer_fV#`xuNwogzhl&s34`C~?(OnoM-*4UPJ1dkum5ncNvc8ArGy#n8F54)4QdJzjr! 
z-SzH^g$=zfcan`z;RvEeq}U!D;HASwlniBfvbDXm|yp&%z>~;3`sHVA>@hsy@OXCjM+?kLi-mU~-+6x~e)q`8h(--(JdB+~U5{f_nvn zT}PcqkiOE>hAVqBjy>@9i^LT*>(A$qegr>aBz-#fu5GCRTI@C1cQz|d)ObTL6gG2c z*g+mAicAyK%q1P~nAkkDpK+H)XA=G_zcEzw2Mh%CW>+9dNSl>_wq;CSjiB3aB;C6g zp9JWGuzFJ0f-z$*Pp9i*Ju>v?EVo6%-UX`z!a0SMYa%DcQ*b<>l zc{{qwcVVa3;(ts)k+m3_yrqwcx8Y zrui2h6-T`A?KE!(C8DyKK~|~qo_dt{jQ+2<+R24fD!v`y@pS%$#uWqwk2uk*1$@Vt&j1Tv@s-iH6p|QlNtjURpoTmGU6Xff3=DnCQ(<8wzBSm<_L0KV13<|9C38Z zWH}~3IN72|UO$s7*jeDhK|W6Z)N72B_t^QNA18>Bo|4Hp@F5)gk_9=~0VQn(xrHO8 zE75Zp`v?6PKJ}rCo9SYWYH-S$5<6fxq3CaY*p7AndozARz=%6D_O|r z{dKM9y~j&apo~jg7ka%=R;f5W2&(>*N8g%@RR?i5gNbS^3v_fxeBiB&aAL#R9>#tz=?9tC7t4t)#kR&=xkE!-sHkMFwB zrl|yy^8QKlXt7pC?b2L-azexruOKH7>}PkWeGp!wisoR7{;hg!0*S-!`)$ynu$_g0 zp13WmodQ>cSNlv`FLD&6f@P)RmmcalIPwX5_e_X&OsNU9_g>sZvAR?ee`Y&V%vIt| z@dviE&2@rD%bA{!J~7z^As8vQaiVL3;!XEMvJ#T1yhObAvDj*U{+J&vJ#5R6|2eSA zw*qdNLnFYfhbu@yhDG>EaaL^e-vQ<;C2-BFhBoMa4NC^+!a|jqWgHK(rSX=iV3J9@ zI!~tLq6HUCR^<8y6_jLY90dAs1 z5NF9PzaLMXxS#YD&7rk*wvAv*sNoT0@S48ULg-mSv^^Ev7GqASX1EY|neXN`-6<({ zRy%GGajK9v;EEETQlKm)l2&EJ3vQ~AKl%6GEVUuy1M4|kysfmFIkzKHeb@xL!OtvWVA&E++0ErtpM{!;d5fw86b4Cl&4WZ`FR>NSfg z3M0$mzl!VY5H?CnHez(nmynhvGztG9=wb$RLb+>5NrwLr;~%+u9~(!be+kRFW>Bv+ z%jsST3&yXS8(IxV{lsKhCi=#G+qvU$_1>Ma$5fbDgb%17e-rwa>Y0ge6K4E2cayCt zj$)My6y_fXiuK2c4z#Iz_0k>^Jg?{arUfg;L zgxw2#&!ufB%91wXpoIz-JYC(J3v&aU$FfQm!kAGrVt4s}SA!IfdjD~UImY;h_+A2C zEbbxZeY0NICFngSxj8ILT$Nt^s8(a6jsmuS4Q&xLe|(2qgEUqn=R`UnPzQ zp9Xj)(|e7=#eaYo{7=&+endKE4|vb}N<5Sz67vzyZ9i z>3D7t!e5M16h{{GvzR17xnJvBb(hJzyr_VJqYaXw_A^Ar*O`9MgC>M7ebd^O--~jB zzXjp;LHJiG4IH$iXtw8~egwtKh|3PmyEr)Cacg8g1|p-3+o9TSmo|Zj4leXpBs| z0y*reXyubLRyEvqaSQ)oT9)P*X+56sWL=z0O2GncTDD44+LfvRAc}U$b*sd?q-L%0 zELM1&FznQT=lNT15cUv3iMMz@&Z#^LLGd_qBR6UKs+z!_f{{Ur*n%{YKJbodnQk4> z^%YE+bANQ4^LWe*a)(`Bjd?po>pwSECPwpNFZsH^z&3WAz=B&vs0#U z@;-O6fqZ{Gl9#1#SSfopKc9-FKqb2N6+829=8l>ATQH<@cl*4m|_>aTEz3Y!-(mrIIvt0b*GB|n;1}@qjNwd`$xN!ZiRF{{fdD9=HOzgo07-{ zBWrYYgQ+dKDEXMLg>7KIIJt!4Oe7?6;z~mE*oqP@XA88(*yFhUfv`ec4N_ESyFO{?0`rOEp^hbXd8 
zIu^m-r6Cl}3@~uyPHr>Bj(Asni?mT;<=Qok#DXPTrKnaEfS9e`Z2-(Nn#n|FI}i@{%qeInqWM@C8TWVhhwbpNB^!iIHONWLy!{1XT8UWD^C`>!a@k3RGQ2z z4;I9$%ingU^lGUcRxt#I#$+rsM4R=7ar)0y1ZRtI!OGG!X6@$*K2*ik)i9zVnK^Z| zc~J6%$w-5L??TnubeWYK{(s%2m8+r8=1s=XH7CI|{@D|2GPe*HDuTLXV)X)|P!cd@ zIC)8x>?_0r*tpxMnKAL&^u+3PLCC+q9J3U0VnX-Ft2Y`rv=KFmS=X*Pp6fLpU>HA1 z*X-DN7JUxSA~vJrq8T30GAa{2w0;X@I0x3TEyQ1>Bcd2pT`d^&Ou?4{Sy4p z+}=$A*rAFNxvJXepLe@)2bz0PcPORk`rz8IcDGR&o%N;zqJhQF9!}tJeJ}PbfBPnU zOn)9V=j1amZl$zcQk>2kgJ3RMRO&4G2R`Vqcoxt`gTYI|a??q~A^@W!xo=)3Owwec z<3&L4Ex07)6AHJ7!n7M*zTuBiq#-%7W4aT0~&lIMiXpaQ$dLW{xp^CEQD&E>9ih9$P zEc3xiUh{I0WyYs<^BKo_u6^D3&qb6(Er={A33M(xy)C$Kw4Rb531HlY|I7s|v_I5V z-Kt4;p7<1Vo7O+G*6P&W&5M=m8tm!-9lO?xZu_OHzr`RrJ|tsO#oj2P!Hv~P-fsK# zlC@J#J07+c(ZT2S+iZ#d9{{O9R=+IMBF%QARcku7U0+$RKYe@$y2Ss=p_}ne!%O+y zoIbZYPP5g56K=QJCa^x$`(~%tYMJeNweP@gwBGFZR@P@>{S1u^imrYm5(la$p# zh}wToB-$L}E>(*skM=NcU1dk_@B+6K|BEh=UNC}T4ad{_^o8zdc?2q74ef79gxHUC zp_H!ul97#u##CU6bMJcOjc^6yJ&qp4`+0hH?7E;YgLxed3l;5YSTX9VxSEX%?PNkB z2xv8rjUe9p^j+xz=>t4+>dCi)vt~=aCA@#|)X?kLKj3E%B7%Wo<%bCh$3fU4w!(^u z;Yy{%BURi_iE)w3xIc>L^jI`zZ1Z2=m9uGTo9O#Iz>90undN%Q#D+z*k0i& zUh~xnprp)^TpZ3S>0?a{Vx(vFGSg<-km)r)dL15j=(sF_aX5lkf%j){A9x~x(RzOe zC9QiZJM+V*+g;3*on@USPRFTtoDLi&TMe_(1qV#WbzIYKb=`WW+iZ5by+w>LAK%HR zL`!+X@Pc!|o;WwJ{BOn0O^H3W-2=bQI`-HbVz1bazN;%Ze=w3KbtTWPCSwXN-{Md@ zXS8tf$`P{C_{fB$9KBS;bEQG-UH^D3mri8o-gy~xl}hq+rzlQ zAR@y%503b7n$9s4@W5Ia>n5@laLWL~EUDMeHU`j|_|)*$WH*mON?_#f_=mBrH>?o$ z9jmjZFoHS^1A(8Q*OQlaWmCt*8(z_1HZ;6B>nM8)C1cORu&%r|Kxb(OE}(y~0Z=a& z{g|{X6Huo3hw!FkecbE!_xMy^sN6JoT{etT76IAbhtI>VFshQs+JYEYbuIX+A%7G+ zfU1wCcX^*i9&l(h126y#DRdQ(X+)EsXir#L9D0eIULc>*s?vnZJ3X1vGcSF@)(5(A zpCFz+nb`MN12Vdv-s~m&w{L&EG^*0PCEugrijnpg*geE9Ql_K%IsU+ck0!by-RBHO z_87K3C=A#XFBr~HMAFQdHfcJr9czjf_yZdP(4GrW#F|GDD}y4eBWbEglu30+qK$$+ zVQ~e8_(xObzpx2q{F=s=+;5q}MoetDlZjsGww*&u*puWPQ9&cNJmG&aWNvYsJhr`{ zv8motpa3fh{7Lu1ZFuX;fkC33flD0Va<(YL`Oh29hHoeAzR`(y?V-isMU7n)O{J)f zCJuHOvnk%gRNvHU>#xvaS>(}P!&oKCm3lRSekCJ;wp~DPo&ITwg_`{<^=n>ON~Q&< 
zZx4f5GHZP5xGCRVXElFBe21`(bX6UG5^*oVGDkC`h-i2S0FDxX(6`Ae^0eM7fI)rD ztViGKscvbQa?HwvUSg%_X*&jk;MzJxQl=S`i)1!wRQfd5L0+|z(J}ryHe}tt6`F@R z9gW&a^^(3alC2c%VzDXD?jkLj(Zw|5sF#^?fyrE8QXvQmEjWL%srxfH zqt-`I++eH=U)M8MvhP|qjOVReui(^hhcOgD?*RHXW5HTYpq4FIu&4y%{Tw`a&W3yV z>#O@I>~E8c$4BB2@0MaLu%P%;T{xPBM6<>pjd;z>Q%cyg_pfNo&lwycquw5ZNvqa4 zsD{5(j9O-wlP!OQL(ys_980p9XpqWwvR6@QXxUw!(~ShpT$oopvxFf&V^Lt~+q5A- zIxA7N62>>jLk~TxOTCohg2y|VcoFMkd;=mN1ky)jGNeYI8gw?NNQ+V;I=VbOX~j|w z%AkC;M?XXjEIEy25+P*p0*xgIC$|=HSw?eGD5GeXg)b3g^7FMEkF{(j{$x}Ss&IgX zleb1}1GoQrlO{(i0Z)@sM<;*llVG$v1$#7TvG@Rx?_#}CuQimkXa2x*?rDr{K~?rh z#TvZu$Jsy*;K!cgLvY$BYJ_Vn-9?HTv8`o_|8RYe6%Ti%8Le6^>h-v~q zpg;9t=PX(X--s8As&ofPbzoFUcwryoQc--tE4;A814hfcrq)oiJyY#r;^;#s5Luxi8xr3VwuLOMWIap9lFDvPa>5!#pMf0Zxk@XsGm zcL_i+c;;YL5s<|xc=CT}f?;J7@El%?6u7D)B3CXJ6X|f3<-|)ys-%aEPR$Ybj)_Fc zGEtRY8B3_6SSp$5KR6C!Jenunh z)OYEp{rIibE^P8tqma7_2Cn*NL$GOY%md*Exb$U+x@QQq}OdZM8 zbr9MZ%PmMj4hHfuZIby23!e8LEqt?w*Dj)rKO5Br;q9c90Wx`y zxzrM?))H$v6viboDUwh8oG5E=F#zd;rd9+A>@pu&NCg>Vlx=>B4wu`ai^Lvj?&gov z=p(tN)hd7CTPb^@pd$-i!X{Si9Qhx#9-m51&hRhQwld0iId?OOx6#w}L|2kq&GgG; z!_j9mHkpboV^nAEW>dL6RctL|i8?d&_OtW~@sM>nK52T%D)ZZ*Fm`t%BqBZZ(yCxh z=K(1nW}o=Tqv}lkF>Fc0usV60whJhJ%*m*VS+qI@>QXCNV@g;PFrZRc<9@s1!b+>A zg>_4$D&g{i;uI58O4T}?OUg^r##YJ|g~~B;nlDf6WHItbCX*{m8zril;wOFmxqF{; zGm)y()i?4D*F9>v(9I7Y0M%HcQVeMUBK|j%YfBsm=JVdMNA}N`laEVb3AdJ2>(;Vr z-FlPxOCBa(kLJXA=0<{t0-k3$goN9tvGQECSqVvKzsf|lv7a(g?E;BvYm+@p9)HK$ zTUQ2Jb$YI1Sq^ItkbySy8)XJsnHpsV+A;&J>Zi;=`%E*?*4CAQwzk>~w6!HN(5C7Z zSW=#523ngR*YMgI+lW}Z`v>yVWNuok%uKtI%(SPlU4$JOo@tN!AQ69s?QB4kdBeji zag4SHI0r$P=rCZn2Dd49Z9WT%M1RkZC8upFoAL1gW?U8)-6Xf_v0urLLlvDIex~@> zl;WS-OXKq3!Ux=SB-Jf?nxscTX5#^shrtTbm*TJk7QH7ly|Jf;?*QcupC?#=!y(PV zO8VXiqoYOY)VM)uIxtSB#tj*asaIy`k32Z5iP+Npfqi|={h zp?%N4=)!zMQS|lpW&wOH2-qhoG(a{|0$xYQ$v|X$!Gk)%up3}`95c7;t>?2m9l?R} z9FkZw(Kcja1XhHpzLp3g(o9IJh(VQzvQ;udmcxms*{xJXDEaY|7}<_S@lnxH_tUMw=S3S9YXm-=(L~EQ!zPs0hnlqCer#t~f(4#b%EB~%U0 zz=!?`aL$n-$Z!P`1jZWtI@oDq4ev)EjB5TVi$1_aQK^?lN&?KeXMdo`d=lZD;}LdJ 
zv2%Fr8<86Y6RD{0x=TC?*3F18r)Ml_=Nq=_NdbV+I*R7-#QSvmNwsN$vhCXmf&Y#i z%D-n9)?c%Wo`IdnryB6=qSjCs3<#{L&T#f`0|1g~-dwk!Zk46ymCvLk@$o}psiIli?$Kn4$pvb_mU zM|u*ob*0x#_M_19v=y$z{R!K|ALE9C?sLcqG>$LsRbQudLt|XlM`PY^D572fHuOMrDB0oNPiYT(AwetfXW1IC9AYzQnTnH(FPe#>X@?i z_=a)=REw+A0tDmvu+~Jg(=#=>6wH}?R62FIQzty@;r2hrf-}P^Jw7UzX7XTa z74jZv4WXb{VSm{pm2^UiO+*ow!@@^e-fZcLkf~9+A~xxY$WznupOQ}ht}tQ?Q}H>s zTt8p)`r=9|X?D-lQLD8h33P0L&Fn{pZG8KJt_*-S*KaH&VVD4mj zOx|$mFsO7OxQiO(Z|nfVf`O^;5MezWPcZ@vxwT<2 zbLl#VGK2TF?#DJ9Rebm+X6WscQ9$&K?{7vE_&C^rW0D>A{TTZW)+Pk$GNazI=68%Z zMn5IIfq%xoQUo-$d9ycfZZYH%7)j#=;{n^)JM_yBeA_jS{?ovqO|09Pj58J8jb*VM z{im^a31)(!hgf5%bK>wn_E{C|-)I0t$EQeNzLjKuJ9ap6@p(;jPOOovU*}|M(ys_| z!VabHU0?1bg2DmPIUsI`cSaHb_Xgw&)zV({e1AVtFV;4i zSl{O~hGTh)GaU6i!iEPy^e6&6z{|r@%;?V| z3x%oTX~3@2vx)(z<=J40AwFi{$%+PE$sS^ouFOV8k@hUX2>VKuYhd>;V8KY-Efzh2 zcYpLIaYgEV@<-X`CH%~3mcHI+NjTZV{e5-EKb`$@J_9-VwrKC^H+FY3n*ZhE1OTTX z6-UdAqsqSl&NJ%QV)`gtu0SD)nF?f8Aqs}dVs6bii)U$#g_Xuy3wA5sok453-(o6-*Naq& zyd4qUXOU&&+9$mj+LP-mTmj`pv10tVui#jjPg(!ZxP$vGxTptc!5Gh`m!o*^l96HK zABq;*${JV8(6`OJ?a4)_lAL3G7q@ky<>AgKCi}PF6W5y!OAq&B_HfT#xeK|uD}PH2 zj0rn@ddblwPB(jEd$GR>hy4jV55Bpz=^=ZS9{Xmi_GG>CO#Kz`E5Dr$C`u>Wv0Pah zR)GGwDvZGDx)tj60)30>JVOwJSX)c@LNUJq>^p2!wL11fYAl>7c>p_yx9`IAXB4+FO=|wt%on@ zDygO53(I(776340jVZb=SRBAmw9OT0=xqTo)N=p~^%B6adH@3k)1RP?jpli_T^GY& z`o;yZhtxvo4ToSpf>{86AeailV-Og9Z$O?mz9Gq~yrRsZTZ?a~XRZXv;eT)61;z+< z;3eP=;1nl9lx8SOP&$+*o5>S+((%860qYrysT|zE$pZ>fk>Vf-tVqu;cq{E5e8hNt z5kr|7doQi(KCOq~3iga9{vHDO(-mQJf*VY`I;JLKdV>~T*GLG35SsMPWHq}j!;%2KzGjpSe6pLSGj)ZKf2uc z!<+wc@rUSR^5sGCt;9t_$zdY3$$Tci-uR-HaG~J1*#$oKg}?j2hkq!=M;_RhC*U~_ zz5goOE=J#68h>PR5ih?arHfKKP4N=~9Jc_?qk3wp?_*j*nYm(|A%FR0H1jK%u#ces zCoTmEVBqbYbCmQmXm5&vu);y9W{vryMRcoAlL1ABN%PIsLZ8;ut#0~??MC>1At~uA*^y+lov&rqwm*49xISrY4Ai&qpo)O~(#kH5P*0#F zV|}{Z`3u068B#LcfQ%H^Xaz8xi9X3gp4+K7ZRB1lnwZlqWjmSu;>6eKSvXIMzQvo# z?_IJjsefyb5`WdiW<8fsni*3!e?l@y604X&tu;hC%8E%O0YTsScj_`_oFnr~hs#fBU2@yJHIVr)RdL)$B*2l(x85@Gf#DVj+CM63N zq9NaFNyzF3}I>fcQHWC 
zdhp+xfF|B-iT{?VQR2T#{P))5zjc+=8t~uCK*<(Bg=dX4Y@%Kq6<)N>73l44L4`MR zP~nXd6}~=HIBxFg0h6N?PDj*;_q@U1Nsi}mtN+D;DjlP<_ zeSc&$mU_#Wf%S^Pjgk|QL18`Eum%Z5XF|?Qbw;9SCi$|-H4mF2bx8~x6KJK-ilQ47 zX!gT^z@{$7L`TLC6WrPz#HV|d3vVrixw(oMU?C(3qTb(WTj9htG*RbCZW+En=^m@()XA= z`WkEMQ*rBWI{sY=aatMqN)}v-h9$)5xkH>btqaRopo=+Mw=))K(uoERq=&|WHI~GJ zDTc5#7Oa?mZ9P~pP5&luw#0(T)F`oFB^GS!v0%DNYAvxqm+@#XfCkGNYuH4iIDZD2@#;(0^D zl5EK<%G|iMkg#UvYLFcMR_8mlM^T{a52FDF=?EpnKncN6oeoWY2mDDvV10jbXHQ&% zZW@CFa0(;L436*vHzN%y7VP=o5`XQ$IUA@xrEiV?#2*^N*^?isGy&G9nJ`ujHy{BiP9K8h^ozQr|k@ z=%VxsmhDtT%Sr?a!Le{hvSSBC4g#4@>X;%-Jbqs#v$B$^$-&YQNNrs1d>VZn`FCM} zC7I$JP4lu; z@4a}@ho2Ywf8P7^*`H3&U>6O`OYm~<^3wg|<>f*8Kl}gu{O^~SU%vctAO8LG-e>d0 z7p!^)6Zn$8-~Th1egvUEU+#pBGKyir%N;}=i0&Z>A<^@OoRddg9|2aAXI+60 z=YvTB4-TM=*-HlE^@9GB_gz4LCho~9vmHOKq`;MJ&D*>pbm(hl3qm86a%8ZT?t23` z64D|o#gAG_hdO;%tyP~awzN!?Tqa6hJClX$egQO@sIeX_+38ssDQjcssH8s$d?^o& zj%qH6j#3O^X>?RESJQgXQJStk-fW4EifI`1P^Hi-^eH;!()9bD6|Ne8jznr!$K49o zk8r}7!g(ZPQzD$3QBH!_{shAb&DlGJ{Rb!6IjYMM8Jx4;{ACy_1aLiP)CW((SJ`Mle_@MucunQh45*x%EGyt4;9Mr?C^heH?5XJmrmB>RmU#gUURYONg#U8Iq*n@Q+lp{=qOz!wFY!lQ4j3`c&Mz=g-tYzigvIw+jFCp$~(k$%O;MhTkVN z9+t;4EdV5G2n`OsfY8VG6zo=C(GB5D2nv9Qf>8zhT?`WDGbPkVX^|>uxT3uZ|F@8yXV2_>K-2ewrV7G#N`>2Y3tCb``ugcArKNP zb6~t81OJXDVKxFAc!N+E!#%Htz6RD|j0FY{J?zj&(g$z!$RRHbA(wY|cL!jJ1xp|m z#mQlCAJ{H<6kvIO7^3_IhwZQT3NHHM~cz@Tsiv_cF?a5cQY0^cUOH=t$U zF!u^~e22?|xVY{zsP0+~Xbb)Qf8+B5z8uN*cS8naV4Sba^Jk;fv0tN%)9mj)xV71D zL(xO_r=Sb3HnxZCH`g}+ZDTl4_-pJ5u2>`ZtKDDPXJG9sZc(CBDKQYqp&S$XECvsFG_9e;X$C9pz zKrpAkRsm}*Rp$SmjlLRhQ2H_outqrINkj?b{@0LFnOH0EilHA@l%#9nk8})FgTCf@ zCxMbK_E7bI*x3EP`{TT}Uctwc4W*vtw!%OCVWMg-`=!(_&w!^I0+15K7+fDhR>Jgo zK=O2(bBoXEi@IJ4Ar|?sV?d8EA{m?b0~DTwb5;~Vsd|z0?k4Jgj@5^MhgZQA4(5PG z`~3OK?%cM&@V58UtxGVFaA176Fd(nr-;=<2s>uL<^nvPeC0RE`UZ|LQR+%#$iAZ%Q z@FxUb50ZqB<0qqJtYG&`Q7M77#4`JzO&LOv+1e%iXf#NRCE8TOaAdDJPs|APz&S>j z@TaMRprxcI9g4gexl#f9TcQ9>?kL6Iu_AZ?kVq5n+8aUT(e*jlOUNVz zP?e^Wn_<0Hq>li!PP71k8O2KcAEN`3bmjQJM~#}RYz?q+4bdUhPUsUbR*nKtU3Rc) 
z2w=6_$%X*7J0%2grEwY`Y52%8KH6e*ODw-75U>oBmUgUyQ}LmJfUT3JVljVO#esiC z+gyQe-WK3rI|umJE`fh*0RHi?N+LfGcu1akF3cnw@`^I|Z7uMxovGiG!+(~!Fe#=F z4DV4evMGv(LJN<8sY-RvQf=M@2F67BqB{O z4FEvsJ`bX{G)4~W_UGV8Ktg|kBgGrehQ?@yi8ex7VK6t^2Mi4dR5c=uoMDIXGxSD4 z16Qod6*U2YKcfEAy50XpGDv0u0k91BwMQi*|48VsnD38LI-@EEZ>=*Jc|DD~Vn zOk{>XQfMz4^GIkkCZk%8%6YEJ9A~BQRI(obq~(iLdLzRLj?ZP}ik$0K+=N&0ov&D* z`CUY`)&f0GX8i8p+(;!+`8WBC2e8TYHJLEk@~Qd$XNsSnT!4pZXHJ!i8~DnNKfvaz z%8pR4ELqM+GRQ;UbxSW{G>N5`@Udl4QV2rc zz3NKwW9u_d4wSSiz=`^yyZGZvjVG)&RpM+Ql7VMcZ6~y51H?SSQC3)+rrft9O5du|KXb-ppH;!~}1y zKWk4|k`H-Bnfzn+gR+5h#8oXoIdRfQ!yCHEwpBbZ!qSDk9X19?gM(&;sLZ@8uqon zCv_*0reNMBTpA_)(})Ke!5fFR`}Y|pjRDT;!}R-i=$EBAs(Lm~HZTiV`DSn^rm;<7 z^6?(2XiAlB1CwoF3W)cN$5@Ds#5G@$c|&@X7{z?gT;h|rWf6bF={U?hP&8eKcGotU zy+h95aSJbSVTIPOW+U2uvI7-^LCynksrSL1G(Fm#z-kDZ@rtc2yUBDQl1SoA%Q+8# zi^yazkt9UAeaSv`<@L!oFPH}DiGw+T5$Y7HXnr8c3Rz!Jl+*o026shYlds8M?gUWi z1->rcQq&>#ATE+OLzFCVQ~jE8>qBe zh0Cgf0r{wKj{~ck-``{X*?;0_iDE1F{HRe+YyFPLiF()t`f-2c&nj2oas@6|U}Zwb zas@6|;HM08)88(w3JRy*m`5S;QX8=dF-JFq^49O6L3HghG)IY}lYYw397%~OQ*)K6 zxnzDQ<8o*r?lzs8ODw--K#mfcn0E7mi}RtOiJc{(iHadC4NWZO0bUO@QPTs@n=PS< zGBrwQVhK&$dT4*5u98|OG;tvW!~!VAtg(hobc&-Ci?+D}&Alxs#cmEtv0I`PSC3Nk z8A@^NgGupzY7fyJ_uOHMNk-%qW&Yb*m|{0m|0jpPtuRHe4+eFxYztWkvuMErM1b!R z@`va&W8hzd&G_OBmZd(yw51jL+c6>zZ;&bBEi`(D$(esD=%GFtj14Ae2vs}=f3%CD zV*~nbXx}56kS5DA!W*LWlee}@q*x;8>Av+n@MqJmu=Y&m;&xfs+E}`+Aj-Gp`c9C@ zq&h}`QgA~CgTo;#Py=#ExSRbDI%h+D*PPzqeQKCdpZDQ#LWce=F>M$fO+AG<%KnVg zeI#m|<7I#Gko=D`IzHn<%*HA}j}*axXwp3BA$m~=FY;mh4m=Baa782SJCVbdXT^h% zfB_#VZ5avxd>J^f6r>=k7)HXs+zEM2N}fSeDJVd$eX%5~{n ze)Dzf*@C*Y$iS4URXr|69>V9QS~saK1s*5{`k^o&zH1JZBis8hkdGJiXTSY+e>9!I z$wJ;dRV2Z_9OX=r{75xJ(F1sU;ZN;BYL0)P{k`}@F<-iKl{Y!Lz@C4Cb_4?#elRvh zJQkKIdCK@%s-H3?&ofNP(`?nsU|Z32m%+9kTd=JX`jem*ppeR_WSfdgmUNwf+u)(0 zKiwsvKZ+qN4gD$RRap=8N7Jjtn=PR~F@20!gcLM`K1KginttE20^7o|Ma}BCS>b={ z37li5aKz2nlL$Xv6y^Q3KY?~LV?xON2Y-u*34hLd^Ou-ID5E}lw`4!d8JzJ>n=V8eE94DgJc-$2PT-vh%owZD(Z$;7)QfWV>NN|xEgCm@j##1pw}(I4R@I&K@+@TC!pLI$uQ)?Gv_ 
z0Wt`%MA#lplw*$=RtO93LS;c%ky!}AM=V+z%opA)rZ^*jK^fq>x~5??_zX}N?a&?o zB$uFnk+lmC5-E6=#Qyw3?u>s(O&PbIE#AL{F$ql;xeC@B32iF!M1bp}#$%u{T7MYB zqg}aAyF3_LIExtJ4p;-D5rK3;LzwRAz<`-OWJn(t%?@T^fcyd+b??uB&2ajr9OnX* zfCe!FjtKX&3(w$Gz6)%G|3OB={{k!Fe}I{Gsj~=cQ}5%HMcV0z5N?0qvEq+tRJXN- zc{!qSUijBCow(p47W9l4Ij71K=^GL>f=Y3+Bptr8>lwU(HpqZOq8KL8YxLsod>VZn z`FEq}DR|mwJeW7508I>1Yc%y1YbAM8JvQnJClLCp;&E&$QgfATN7vuTy~^W-PmZrC ztnl2M!h${-R5*n`5?Fr=Ko>}lkZ34qqN{%g6=k44J{pkz6p?#!G#J&CW>0I6Oz#LN zo;{r0kiYhggM-*~htXfO=6u0mH z5j_>82tyOGfJ9{A-%)Vq2ox%)HGC7Q8M$^CL@4&@m#V@T6o`MvkW!3OPVy9!7Zt%m zX-U152^E&&5xHc!fxQIt=S=x}iVH{jQ&GSx)-xKVC{9ZykH=G1iIIR*z*~Ix7AOM? zQxt-anJy!_L7U`fvlay|<882pqbA<^lOgEus38#xa6+!hw~$44|MJgE_&GrBdj-39 zWveG%zmGYIVjX{kXJNM})MED#WCV7%_TX@r(kDHve>uwNCq~wr0mbNor$Ai9#h9}? zt~+sDg~am9MR5yNRuKD`q{+e$37r`)8EMj}M@epo*O({bf~Dd$63i|N@lb#}z31P~tR@zc0dYbs1ZtP`?~4 z)=kEPsaEGL9EGVMuQ8bul4RP&Y5n*%jVM4X&>nE04Atv`qzdcruVJUDA=hi(cqRq^ zsR(~@1@M2M;`%5z;;U2^<#xW@&X?PH&Fy@0BVS|-Klk+cFq`?+EW}&0jTd|#a=?1nI}hrXI&#bARA+|5vqV(Hr%MWJx(xu2m8N8}BcH#B0(ro5q1 z-q3&8_8S`difRpaG?oEnE^v7xbF5(-$sy}p-zeVdO7!>ET;Z_tu5ei86^_+k;rIv} zB=#WWisycJ!^#jgng6!;?uM1U4kQV%t#>!LfcT+6L`Zv>3>1sOy)nT*(W~RwBZI3< z_B4{484G&QE2E(=@s)6B?~AMr@jxh#z%iZj-mMVh{Ye(ORXv%T}OgGi1)pNS zg3oXt(Yyt!(pYuJWAES>GJWk&$lUsO^}8`G;DP`S`d)BD6T0%-H#T#p?aFb?*!`j+ za}=9`{hY{np_g>^*{d@XRVR~UE**nXq89!daDSziH zwvIf~3Gy3^SbQ7rEcFMnuVT$4Lo*TTyiF5TfWHA;7Q=?>q1ceu8qT7x@$ z88iPP?rExWj9C?(kaa4qv@HJi2Icb>iQR5O@+?_3puabb9v8 z-Qu+jp_BP=d)?x-?DZf?fNgb)+an*t@lnq1aWNoM41YlfVJV`x zb{L!qU9r#vILfC6b7%$_Qh-JxU;z^jT`p`Q%pZQGKkdf-(Bv6wWFJX4A@i##4o7Nv_w~>$ie2D^Yi$buI=H z!BQb>SQ$JzN=a{R{3}`m>7N`w3%_qD=+LTxOpSab(|b5c&XnnoN-)zxn4e=be^Jdq zPP_?yala(|XMdZ)OdAg$^X40vdH{yHdgM~QjQb)@SBXxdd{Ls4%D6Av8TX~cZ#@Kl zE9vM$7te#^w`$Acw^XB89=}!44YnrymaZ$3H(cVkV!EabXHteU*?RnzwxU`CerrkJ z?jjJbS}xeCwg7~yaH}g(;adaYs^>wt>LrBhAt79$eSh@E1j8q3^>Xd%-?f@&n%iR{^}C zQe%TNBV6BRY<*+iR_fknz$!#-ML?uIfv^JqRCAv@vxK)qepze&U;8VAUBz)uxG=Lp z1#BGiMt`w-B-WDzVkNB1rh%?KLtID4TKIs_zZZvD8IK)jl}QfnP-31~gXK10bP;bp 
z9fx#Dk}B=ke*5V-!z0aocFMdC@d1QwygW*KAwh@$z6ox~l!H1oG&&;T$(7vA@Z_Bg zs>>f$F_6e=pdp#VVlGZTUoqqvd$Wb8Ggc(RAAixtlKihDos;MSxM}q(k9?70-+!N9Qoo?(`&+%@6i7S81*g>$b2KEn!FVbbj9C z>MQ}$ET^abQ7r>`qs>_r3J!FWD?{E$br*^fAow7#RNiW&mXA_k(uI~nc_j=HXlq&v zGk;b=Y5mJu`PR1Pfsmx3Wl7MYkav;c3@Inr9~R0Gt|%eO5<$4K;fmotE4{hQ1TCs| zYI&%^9H^jztaA{9S%Z;ufl4cC4oDXWxzZsO&eNBHJ+~ADOuOmw#P#&^n$IFCV2yTL6q=0uyRZ2t!%U$A(H$ z8=uyBN&HeUP6bymOlPDN6DZE8F^1_Z;gy&I4bvR%%n2`dA@*Eg3#uwT)>C^rL%ZJ2 z@vZHZ+4;hs5?-15DdCkWKo?U{1>jt7XM@4o;g!)+QlMuK)T?lfDuRIv>#PR}$A3Zo zk24EenN&}cP$jss433xOdq%J8gM%yU%YrLaqgWnXSA*LD%_WQ={9zkb(*)<@48((i@y0X`!NKL|Y(Nl2g1$|bs*YJvz(+{!9W-=> zJ(<||0Qd~B7&tG-nBxpn!vsFMLGWA5Lki!)@P3$w)gH_U{ql%auNZeIr+_asaZY;>V2#;$o&7l+L_k4JmuM*a0h;~6+Fq|N}huoOVhINveY=zaosFQ#|9LAuZZf@{fv z?_aZqka)fWlClaQ>NvV1a(}^jz&NHX5P1kz4mGV-t3N$l8ZrTl5-IccWEd+0qJ9{W zlZkg5CEH6w+@i`^NY?ZFkrO>fV{ZJNK)S}?MEKXN6m|+ILFD)sla}qYNBIs086NwJ zVZmfnGk`2RB)~aWPfx$z1a) zs}gxD!#C8;necK#8N76hc>xK2AV849TQs>|A+f_oP_QC&NAxlLSu!9@qDKpchgns^ zOIqlhF2_j7IMXM%JO&_qGIEkH1xZAvS{4$~iAsrhd=gO%`?2n1c}WHN)3Uko(i%4> zHD07bD{ir%Ue(vCNBC>3Eh(0})?qm07p4muMAc%Je) zP;5Gxsq8OM^m^jY(2%9oFtttkUwh!xmSoU$rwsXUHX06YhN@NxoA&ckcXuTINW9?^og-7DMCX*~ob5;FXe+99p>qnlwHCqOG;)zL zjRo*Gg=iM|qY zekE`SDlAXJovsJ%N!0=>UCF&iswG2_D4g693~4SPNK8%ExRSu2^}>Qy2Mk&b2x23k zAZ614$|S`nxy8&b3|pr{h(BRzaksGyQ)xD0_{ zb=HAMN`DAIG?4jVr4p*72-Lz>5PYG2jp-LrGDZO%*P$lkX;9#STWob>l2^rlRAA!)%JQ`3dL&jvb+g=n>D_iX+39zjwBwI)XJi0f~??a>X z1fYMQfMc-9Gr;pd_3^eic#oJ*7oPO&0MjzkkUa)(#s(1qj;4OJU<&`*6FH6IfY=l8 zSAQ8UOzP+w!AtyB5k83`l|Z{-JnY*)CNDuRI&2VPjDOtw0RPft(AmZ z`X$9);EJvDOq%avJb_>@kz?}}n@Y^FdBYz8!Q?iY2i53>Xoyickg|xvP8K)16e4zH z{6eOv&zJ>+zmnl1h*iP7FbGKjB7b=Z>yY0|Ig=z>osLc11t1Y;07= zx7R$)82dCdlvx%S1ImJeA-C$%(S$0yujnBopsJ0R3QpnELl^W^?-rUL>wkt$$H>3i zOHYRSJBsXX8AF8bs+(XRit;55NPp@B?sj5?3==C)Qzp%&BZqK=gp@>YXn(u%`+IXa z;EyWF|8XuSRAM3?gK^EH+skwxKo156rsj?4k>+9 z%L=NDO`s%B*?yGuB_m2e41YU z)s<-Mt#K%}^Bjup(xJExhvFG#4ge7YHl6ygw}0k-#de0M$=tWSe#LgS-cJ%>Tm6a- z*r~1~FWQ)k1v;|axQ9`8Dq{W(@Z$lqLU(C`45$keg$EAstwH19m*7DWgewufkOT18 
zf!AlA=P>NS&!e+AV;L??7|Pn4}Weauw3UksWO}os@{Sl zBI?S1z9$R&lX6QQPa^{=*$5oi(eZ zo-|_#?@eKPh5b_yD||PHQqlMpCQ}B9G`vLd3e-*X0~R|-_x#BC0qp%Z(*qR;pg)vV z6#bMcgpZ<9iGMLjg%fWQlQJ6&VvZ=O=My#0{mW6B!f}UDa;S^)3xR1M1}UZz@FwI8Z;QhK3EFVsrCP_Q>3qkz1*wdszsbVGsHM;7bS8I>3G zJ)s9ne^dc$51bWj^jzy4^XM6G?lJGtTyskv=! zYjWWYm;NZ38l^v~^ha&KKT2Cst;Qc!+_toc8>*e_FlsO0hAQ0ZN)+|hxS=|EZm3S_ zhFYN;io1AE&zK+T9Bkmv+yT|e5HgwXw$}mG$yW490&J@T%9gIK1t1U9X+v|eV{BQ> zSjD_eXn$o@9zNdkJ6);^Y2fko9M7KxQPX~(w+EJH>FQam6J-k3N1QLM9iaX8X7vAVSr+N3xOr{R7kIbcHvKwSEcNOOQqK${dVSS?`Bd+ph zSrvW*mU3Aa%-GC!90tofYa_Z(WwP5;K!5GQz2WtZp%0XXq2hR<;poO&?#Hca zwYZxrQjq6j!rqJF!V0=dHx~}z3j2RW>3js#5?5V@-sp;s?@Erc4FiJrYTt?4bMjK$ zIEo5Hx2JZG2Lu0(xV!i=@{G^{(!moc3U1P$l6n6HZ9>W`OYz}KJ&JwsrE2V0Hhob< zu76iaL?m6<9B-XyS>rQ`m3KlI9m+c)3s~d5!0};wb-&uMnT=L?DdZVl3PEjGn&C?` zeDYX>8~O(~!*`Z7!>dNIycxdWp=V8Ic-@01Z@4tW%hV{%@TD1k`_1s$ifT1x_~K{Z zMa=M>T!VRM0W*BzR#&2^pQai92Jz9OYk!&(h>sD5C_hbE;Y%a@N{sNwBY)@*z#K?( zoX|}Zko*JK+9voUcn=V_p8xIYuhCqfiIV@xvN&y(K|Y@qg|s~ubG%A^1N)Y^=YTZ@ zDg}CY9;*s8oMX3V`|B&VzrJFuBG}@J66VUl0f#+-kxZ~j6T0_{AkofH5_)_+WQms z{O~Xe>`IOAkpVoU5GNsVSxYSUXMe1%=1)2;@tSgb%Vm<&ip3=8wSRCBQ6^qHN)UJS zpT^}5YROYjfB_Q=5&tVH|B(c+Z#ky{Y*>}^85AXMy662CsvBzHGkBST$qzK1;aKKrGe{c~(6ePw{1fkat5`U#dMzA=o zrRy1Q8K;Fb9p0Mc8_0=^o+%gze-B&*N-Q8(xU!@waiG57S}BuTtdWB=dwP?sB;~2} zy#5~h^Xl}BN0nhh8qlToa_2K<5`>BqFyZb2(ctIv-sgYE|9<)M<37H%MDnw!jeW%< z(Tm9463sxUd|33Zxc>wii+@UTy@TbFewJ7{aD<7Z+H!J2{)lHqePeWGO%v{kZ9AFC z#I|jl6I&BboSfLUZ9AFRwr$(S&3o^+*4_V}UERIc>RnacRb5s6tD>mPZZ+cdlk->c zZ}u0u>R4vcgZgo)j7aY+x2oUr?iuQ;b~$;Ee<&c{fpkfa_@w-p+aU>UJUY9jr6Auk@`jg+@SxHiqc4)^QQ@u;fzz=Ntvj!o}ubS|D=X< z?fzu6dwI7RNu{CCt7JJafvWuOQ_z7^=ZQ|le_P&AxsGj?|2<2*YsfHP+1i7pxw7#h zRcH0u2;i%#_25dYVV9W?t%|eEv!TRN&oqd0WUSBhYCR_)CdGU`i{mEr4Ef6j>5$X$+Y2` zn_m)zI;P z*N7UQkS&-91@sN|{IjP|_Bg!gwHMr5ty}%CR{0{a&`atWFYTa9?cd_RYP~e6EH{?n zSQn$K^OUa}FHBJCXTe=I=qf7P*uQ*$cCnc=k%((jS2t`-<#T1XHJU%em69L6Q!V4w zhZ@yF+16Wu_L6W|w6(0u16qjAwQ7b~>V7&-A2>2Ss$2fR?rp%Ayx$SLip(uRHAOw1 
zo?RBVLha+TZl!-K$mIPvkKYD6%7mP8v%IlcS`!`Cuknf5ZY%flb$5vCY?FOH~1k8N5N39 zc4)5)+`!LGmvSf+pVN_mL2c)kWKu#rSs8zyGlRU>aBwpB2zZ7}Oo=+H6WN{kU?hQn zGE|NUV$Kid2!p>R_>02&Mc3Sf3S1Xfi6TOliRcN7R5V3G<#sIUS_6F}1qHj0o9rYW zgp!27rKvCP>jQD8X2R($Z-GB0YC^rE2sLm-9FmgMwfoQr*_6C_Z%{X4=69pp1J(%; zKEwmdmhyfi`W7^fprEYRHn3CzcX@dd;7Sq#O!vM^WOq@OZo3lWTQwAk)Yla z*P#r=kM#r2exAl36G@CKE+f5Pa(Ck9A<>;Dk+zNy!VY=|&Xm507kaDjZX^bgbY|}W zId*OLs(#)$Wi?Z1qP&YnuP53MPBOEIAZy>F&>&IAG57T&SjRKit_gHt#;ywaqFu^f z;^*2ABBbZ~Gv4tG-v9H}(F*Aqn(d3^;6&ZYWj{DBSyV-#8GVn7ULR2$V^NtWTpdwd zONlokL`iaX7`J%O&A?AH)BjFu+>a>*Dspj3kq<3$b2|N<&y$NfIA@a|D`X5#iaXhI zcc6<59D4X_eySX^`6=1@CExD`)j%#Mv6@S&D!)1ES(f3=#_tGbAGnUIweGsfp#OXS(>rQ8=T8D`n&YgfFbs zR>mz5AcqV=2z(wNxWZS6SuDIv0+Y7@Vm+gQG9(kE&re#AtcEhsInNs zP2fI9bay}y&xGFQ$KEM@g(c{m$c4e_0~bn$dLv?t@D9h*kT9_l+%j6Bl1~cq3P^T8 ze>_nHFQ~s`ylw;oaBj+lrG|JLv8o&q{JI}@B(3zIjxr-gLZL7TYZMODp zt2gIs#)Ajx%7XA8EV^e`UW}I#oST@=%dwI!5HT{T1!w>{6^IwNeUe&E+9 zC(P%YSsbDS5W8v5k!lb1rv*6QUtf%0gB*V}e+vtPc%6HLhY;`d_x|R_(UeWL$0d)* z4YUcu+|35=Xc)Dxw3dgcRgm1`V%wZi0)kk}K+<0sIbdk8$o^8`&aM(N-nen`v)@m7 z*a|ys;d?|jO96krAQS`{*2PUBYNc;3{%LxFGqU%b2P%I+jJPoU8b{1bGqb$yKc^=z z&I3`sn^c{vRawp~P3>o*FBD>Cl8qc{8Yk6n3UIKk*vC))$z;2jpzdC=dE=;Wa5~5H zmRQBf)}e7eqAY_s#^exN$}2DZ!DaU2m~SaTEIkl-W_fv=RE;<3<|45=Gw!xmgNYmLaS=g}m2% z;X2_UP#(6KOlK(D^NrPwI+kn%MgGmewts&+esv&f^eGp~Cj%y4`ozRUa*3BZrj^}l z_OI=q0;_Mnh_CwQi!i5&(9s)1t69}#G1=BdV8PjJe3jc#$*oZ@hG<;5=#c5KWoKL_ zFgKQLuIG7sxkf3I7J6V&oSj)2sP?)Q>BqJn${nh?11jnOqyqzsJ-!j>K3j+=oS4ak zDY`>ls>;(dN+_T2P#zpYa8#|4CTi~}a0|kIK>|xmbvNwR3aP2V*1u;?wOd65J`agO zxVt~HnLW-P96_`$O2QdHe?}#c*=#Jej}q)RT`wWJYSq@U`AToKw4~>)3w*gn{OnkN zcKbLASHG=UVn172%IwnBvn`~@`|3xV>Gb|MgM5EFdZ16I?=oD3J8ovb_uMlBE>~FW z;F#pfP^2Imu~-%tgIL-+)XiR7ExZQhBet?;#Pp?&ngcwQ#c;bnAS5yG)=Vo8BypCGQ{I_*Hf#r_DwlQbZE{=i|_RbmDiXVswsFR^7hG1 z{)J>zoI;ajj8Lu=V2*%BzV@>K#ZLN-&u!Mt^FYPjGbv{=FdvYo*({cc9`@tpDfuJbFcvY`!Pl#p!11l$1X{Y{2GvflS1c>&tao0z;N z+XXyCG=~M;M}6J6SKjM?J%|zG&eqreXnRDKt2q{H27e!nA+_6z+I`zZ6JS?Ukx-MU 
zLI#8!`PZ5^-JF5~y4Dk5XR{@4+i6g`?t~my_^NzJJd}1iw43b0Rf&gQ#ebG&Z#$uk zT(|two@j%g4z>)8k$Vm0D;xG~l&)OGbT*!q>QCP<1q)wvK=|##9SP?VrU{mM?#4J7 z6zK-SW3;wDW=w6tIBcGPwupge(u4i;hWduX(%7i-?Rhi)0y@Ttygp_;E&8mjeB7<% z!Fn@fxq2bc5Oo!NNg^oRODeoe%jGyfB$^eVhL5{a^t3_ff5`NK9h4@(S{p-CDq%hk zwK|h2w5w!YMlMoI>MI(LU6re{iR%4kc*T(yG17FmHY~hhdDtD+i$9*$#+icW z68|fpcU@L&r+)Vj(7}8A&d};oELm(~V}5;N){*^N8JKPVA%iL`6WuZnX_~#Cn7`1{ zdOfs*_j1&jV=tU#50K~(zH8k|sU;Ls>;Munz9yfNLnui?v#Qyh0><%%aG=A4Ur{C4cM)xFaU)@N;B>A-s3#G@&5~33Fr{ zuKdiFl2^<1U7X49B z8X%RN&#gA+KXfv+Bsj(`CAg4M5k86ct|*Y?+)|V z<`aw-v42gqR25Rc4_erB1+l86pB>~GD+p{-X^_}EqOMogzm5lfQN?m+SZ^>hMm8#r`7YQVUAGLBj(K{ybJ#NIM$Wx@(^)>A_wEm!tojI{CXj!fmZBt> zT*W-F`_n|BDMVo%9;f(RVXf#;huXdjT*VYk7PARgTFay9pq1L>JjJn5EHa!eGf9dg zIgm;(l-Z~%WR>Q`HA-?&NiR$=OY&2*?t<)7W#g7S#hWTA$I-J>+c@7Z88s!(IameJ zK+VGDo3iidgF1c)2Iwa)P0FqMYw&i0F#8~)ipb~uj5-2d1^GsEO$zWi&0CxS14sJY zp5E|69da4r_fHXY9)cilZ~W<|ClT4*I8jy1cDz978m>-v}K>o?2^!z z`F{i-x#R)Z;Wvt%r|zzTkyJvMz_xL&7m7*sSuRd|bQKf#CZZBw#jap^6RA!o&P4d} z1eN0ew$?u%5kVs8V7PP<=>MbxnczfssLVO3IPUt#BO_^JH%xhJ9gOx>dBtXpj5|eU z_Om*aCoGj`crhMsy{_H;C7xgTIN1+*;qX|}xalwIGq$6WV%@SwR}^Zsj6X4w}MTE;8z(?mVq>w2p3rQ5BhL9uZaImW1zDI_EJaQ=$!g^!gf zQw*sVDIiCK0BXT}&@6dC5vL~d_0ju$g0OP=cnGNlW&i!CQ)&c|8-PszP-E)}XORr-l4#WP)?_Qk435;Vr^^WzlB4A1t~f2r%H zS6*<+Lz-!>m(Bq{xv&PXd~Ogh-h-)ck0aXg(HZfr_ZhM9yF)VmDJw zz(9&57l0We7LW6A19gIvW#q>Gp&-lOIZ~0C7|YB&9Fm+bm?%fy%+07Uc8q1l zm`)Op#xevg0>`i@G~&E}kJH6@j|eg+2~^n8=%1m+ZsyKmXCQH6_dXULZFpSeX=Cwm z9gV=VAw{3obS>h-i2m?OPQmXjKe>jZpY#;W zVP^j55jeRYU%4o}DRkp(ma1~Il?89P)&%3Yez~SH(7#Z@-v_7vqEG#`eK2A3CWGQ4@iYjF!3bpF81XjA2L|HTuAw zf8O=b>niZGI0D?s+3i#Bt1$>WWltYdU?T#@H6+jYRu|c`%~uwsK%IWgNz20=LLPhP zN*|s8=o7H59T(9;Nj9m0pD6h7!wk>yRKg1pe-TslW)P3h(4}Im%+{u~)e+#pgsl!m z!%fiSm@&I1dMK|d5cbP2G)5S;6e_BEv zcoFNf21S{JTf>}R$a;$}nX%eu^;+$@T-{bv?R4iQ)=l1dLJf2SJ(_{a#YwkdHJdm} z>1;6-IW`{4Whji-e6NtmTqpW!-%eYcDO8-}Vy&#dZ;<u$YZ1GQS9YV(riI8eqxqvOPcPN+&t%VHFn{yc!S)meHwdnF0tT7I*ksON}!=9F( z0>M3XQ{d&#B-*=-P{1 
z7dT~KOP3unZ4}d3+qB0TEz`zdn}`kgU(EnrAEKUWkIju~h{Smmv)DMfd(@s;bXcky zxr>1tCgD{a*N;ndIrey?JGX~lSzOfxXiOAmPW+YWDjj&E>H#F9=S4A3{C^Cy&S)8r%qYTvgxw28<7&QbHRKz+0&t6^k5$CJJ z!xe+WE?&17HQsnP1cGTRG+DwRH?-d+FjV~>>=p4jF-can@2*4gIxZHn2r%|RwI1o8 z7RUejEWWq+$Z(<`f!2j(<6y-+rN?0Xb_8i~!Bjx$gmD#}Nc{N*XSyuv*&Z!h5IF$l@1jJhb7bffKW&>mHed)LbP7DP)bR?2XaMl(w$P;wDy$o&}A^1I>OR+pSxi&XUzYY>-F_IbaDZ20Z62U;Lq7d>R?q8|h= zqFrUmsH^TWs7rqt{nE(s0{UE@a$c;=rVbA;b)q4l-#=AQm_f7Nga%Kbke+{coWY)$ z=O;500;6GS|G9lRwy0mI{7YW6VtEX8k4HAtuH0_N`|md(-00Nng7f6mJP&LG!lv&6 zhazfpB)(#JzlJY?bp3<}4pWFqd;mduL3TJe9(6Qoy8RRqX5JChKX>mMXmJDsyuc-? z-#^Lu>_RXGM9q`bev-l7fe6ooVAx6j^MoceXeN1B!-@U#C%hW{h}+XsSUE?hrG0qX zC*6SkRcveuh$+^sjO6B?Q_$(F`>;W7Tr1YejmrlRxh2XNzWvX36UL{h2|NRDj)CAZ zrYl(B)=YF$QfZq=%P1q}Y&3#OayFHdyBLqo7)=nicc3bNPK{M|>w(p^la)J}Eg30I z%h2+6pnBp_?aY@V38*v_QB6uIzbInz8cSM|HE{vrD>iDQsZPnM$nm5uF+o>>PEX0E~F~qQ~Ulvc1WdDf6?EzhaiXbK(&z#IVjC~ zAS=W?SjWQ=;zo>TZnQn?WG2}2xgz+YaQg1o8-&jBsB!N1kL5!5)bcZ`ZVAqIlO zoN{_7hImhQU@GZHp!qg6Oh>{6yTKv|U@~wWJJr?UN^FhC-U6otbrH|;&$;xV{MYf6 zdAtVIj4=Dex+3+(28v->ZhatDjMegEe%5j@=KXOuy@ zJdv*3@At(Cg{%m(azX>XtAk%YaSVZgENAF7f@x$nEiaZ0r_@O)= zCR;(I6}<1d6k|6+a&tH64D?`_Zzhi7(@rpCPZjy2&$Q6KK?_o#czuNDysNn`S0B^y ztogJc#qmb@BtWQpGe$@aZzi$YWD5iNgYW{Tfp{_&*)hAt(Bl3qWTd|k#%KfNNMPLF z;)-OaKQQEzX!xxRVFq+kkr&kP;g>=J|3(fue6&3!2-^C`7$YcoZPYwA$QCNKvJ3Zm z@Eq8bZ`3nvH|#KJI))OcAu?AwAfn6{*)>{sprvoB+yb9xgYN#3B=g40#AWTE{WAN* zAhoQO@=NPb*YL-S9POT2?43wmmj15^b12%})K-=m%T?X=g9I{vcV5}*;-bU^gt>ip zs!O@XvLeE09o;=)vZmp|Dg8{R(ghkZJhB75Pm?D@u`#-4`bYu-t7hKtY@~DpuOu5F zTL(m%Ga2yQ?NnxYpStdRdY(>wYcR=LsoS22k>i3}|815kBB==c?4z)xbAj`aG+1ma>>lDtC$ zp%hF3E<#fEkeuKx>)SmyGdu`Xkx)gsm0I+K)xb{+IyK9j-0nY4a_^Jc`oDT}*qe`u zDi6I0KJxu$_#e+%Za2qe7akAI%91F9cZ)2)`F~u6mL6pUu1a>n$zs09vaxjaHofd1 zt9Uf}QxVrgml3UzCRTk-#O5`LwmNk6lLM{sV^yRwLxR|shzB%f{d3#dgS`g{fZO^h z1zgL$&~5^@4&EG?A6!g7QriS$KBpJF0hD7d{c|xXx&o-mOf8F6q)>E+gQ?SkZ+aq| z8N>Qo>C-x6Su$sfeQ`7uYTH4}qq1enl+7fM9HmN@)aAz&wOfduZ4P(%5>sI?d|u{; z8G#R+qbS$IlzK4~zkXp=LVO=yeE6ZB0%^U1?$ns4G-Op;au*crAK(x!`H_kVi>DS8 
zmEt3WlGr&Rv!hL-=R^X72z@6U)fVrrHy_%*1iLhrWQ#kosE1{LX_nymybPc;N*<21 zN*q7M%OnUk7w6?OaWPCPKu`va-roKeQI$g&71b>CA5~9o1l0tS+%JAqqVuoH1#&ti zF2W3}0z|BabE>G4RM#$+^?qc%bHeLSSFeHfI!g)Hg&H}xyY z($MnPCU|7ILmFCua#R?uD<-Lw1HIO7?rF6*_o9#n?Zu&3T~uIQ3ObK_7N2GixQXp^ zBdBFb2sGH-TX$~)%?>CF{Hc^B-k}gd#3MmmiRX2WWd=$L7@cM_EiF01M0w<9C4W<7 z6E6tWNsd;>i3>airQ>hy#XO>COhQ6}6ZFnwa9T-G)4lb9481S1N%Za#0VPz*q1^c@ zeG{h+Q;`}4Ms}#8FqGNZN-WO~<}au;`l!%p&f}L(f*4)|Eg-*sQlV{_-C<=>?Omb_ zxSsC7^plo3F9mx7EZd!1H`>OltVz?BR+yaO8R6)TPb-`MjM!laY8C^K(@GY zkDSAcEZuDrBys%mH+Sj_ce|*#gY@0Dpw1#w)=#?5`|>ynlWeHcqe^<#yFEq61BP}aRqV7&2}{8cY-7-)U1UMFz&&Uw%` z@-lu@%EgmNn-;>;iPSZY*kzc%5Tx5}IdICFiwJAa$DWNt zwKdhfpB!QFG~n{K0$A)#8XPk!ZB%j*l>62o_hlo_yFAB~^KM6jds?Y+1t=R2@PnANqG^Y@BG1!uu`rSrx>{<$}W z&yAGWncn9P!e}F`trOa?3BOM2=ed@iwwNs}h-Mq$;byZ*2QcnxFhY`S%c#_lY)!tB zoK1ytrtnc9=Uw|NtisscE!yOpAeyS3&#iq7F8 z%CNC%p^3GrDG0aFF=~sT)=&wLhz4m2jp@qxR2JFV@6=0r-l?p;n_%!Wr+2lhFwnO&z04IVuDvg?0mp3bl0CAhwhnD^ z-vYx{fS)Fk&8zl5i)>eJ2O~M~&E8xz);<#r-`Km&8)m>fahm*VE}%YTv3YvcbqK_J zi^2?#imizCLe(~*uWLrde6Tps>FgPz5Uhpa&a4sp=asK2$> zfGJfd*b{tv5cerv!ql{9ChBoC^w+&)wh3t%Xu&3=MLkaAVC5Dvn)SL(ZsW#|*?i2U zBWI~(WL_D1UC-yhzHVa$qlDX)%*PfqeY|Y>sS4_A7sa1)XrH`ltN1dH zN2z2rAm6$nZ${IwHK~WjgKQi$o4D^xp?+vr-Lc3uW%LHo*D`TFB;zluYzpm37|-Gs z8B2-LS(HOLmk@+2R~NdOXZCy&xV2uTYo%6UUj4DiBbTcKb%c`F-+8s|Zy@`az|v`m zM=0bK0cCcTh@^jkCKi`OMjA^vR6V){2%WtY(UF{($@OvE`f!mOQWH?;>`%y9HRmXKLXlUV=c z!TjSh)Z54nsF+##LrqX{FkA=RnZt;p7oeV+B2-PyUO*J-cXVKRe)Cv5=#F=E?ztzB zhZzKe^8lp2pnzV5m~x(bj{akAM!RiF`JDlSaI!GQmbs`a{@nkLSRx7V^G8ys8w*wp zokl(<8=P%?_Jd0OxRca=6rih8XMjI-(jsgXe#CZ8@uT6iiHQ=AVpIlJ>FMt(^EJB> zTmqn<_>lSuqEMm@vP zeqy4E56(+GrXHLJ-P8ls()46yl|8)}9BUIZ5@qIw0-c*29vciWQ&qyL!l)g!D7@a& zM0j^vSf4=J(y@!qO)mvUIckLEByKQ_KVt62gFQe z810*9M9nU)vBh;D*1t`lwu0UUq`#Tk{}=~aAXdqe_YzUh*sv(3v&#20{CIJ>cE8?)K|h^NH$t&(X<#uxDU9^(2P!HVHQ^Y{&?D^s)9wAH!Os+vCU;OzI8|m+se6JWT&y)c= z1W_A>CFE*=ngTDDQ{r>&5dIb#<(Go2orSMsn&T5hcLYoZp8x$eZ^uU8d^?IE2#DXw 
z!IxL0@O5M*s$5ko=us5k7dnFP*)P5Do*t)7bs5-_zCtUL0{6UL{GT#Epi$=gkGj@8gUQP{lW5%rhdVI;zROi?Fg{??fEFpMYB}A(GvK zGLGwh=Bk^RrmJySSN%ZQ&#c{-`Qcg!WA=*?!UQNUm&8e|yMWJ(hVZyDE*@Hjk(x*x zt@dG(khN>r>`mwhbY{sQwa+k(~gd>XYsA9O{<58etWK zW%!$psI!^F(;(dYVyp+#BDf9=@{q|JLwMA16)K18*_#j!va`>~cF#b6Ll^0M-om%# zQ4|>2A_e85U_R~Q;Zww@hGs@=-Q7)KIKT7~lV)~~4$h{6xgYUlM~t;eO=;A zRzbYsW-U$CaWr8^gjn2T*!W@l5mCm5X$LtM4wk@940nyqWa;RlWOY^M9SnLusC?$ zrAPhn+zE6g!!&YraH*2$mlG9s?&fQl)#cG4%0I5sW(}agSZHyDvH*39w~OqRl=66| zx_Pd))RlBHhE(mTeQM4($G+d{;Q_LVh>5AvE$tgWdP;@UB;%z~ex5kW2x3bpaY&7n z7WP;XfH2pIqVSoqouve(DCHeF9i%7y%&>E(v^hUIn5&2vOd8W&TyB23S`q6!>}HR* zpZe8)!q+Olil==r1^2CIRv_(hio76@y$Pm83Ut~)T<)7o2ZQJWY{>>d07 zaYRW`?>(x)>fMwFV9xxTBExOBhl$>vN<@52ot3CXna7CzPpeHfmW@x|pzMT@2$m4a zX`>9rw+7>(iWqi&8oDOP&y7&EJ9Eh^1YTaeCO0-85!p+&Jc}g91E;>a$A+e^Zf+mn zg~Rn+p8qE6Jw5-;)TKeQbGJ3 zz0~;!IwDFIdGA`zUVSG^6WWpe)}I7y3S;pV(LfYGDHPf^2z~$l2RMAUd5Uqm;S`!e zX^7|Hd;g8a(;{b=4De2UgT!w+<(-{NC4z#6!R$#0QBgmPjT9sm#QNIAF_@FBAmdd9 zr3=Ixe!H29A^-+SOrHDxvV&+9#{H{bxVWi?eYHjcTbdUFb{E#JTLU6C33=hivzHCt zAc0KoA6t(|=j0R9kNZ`nsUT)}aoxUujvld;uDbXVhglr196*K9i|P?xhp^0UG8b;e zbCXpR)mzcJ_&v!38(PY_xq7)g1#k6g&$z9SBMIKcy3xdy7~y{x*ZVTluI;}g#w^X- zWo}z4yFBDaZ6zRHlwmEgg(DlNSSrHwmH!2pPL8{od$I^QPE^Q=p|#=s8rm;@N&yku zu%djthv!1^ssNHJ%~{f&`QRvAum0{gojZ||hgw=F(xaOywVZJB=xe=%-nH#B#8s?j zcz{)2gzfuFmE{oEC|WxYk(^+G74O@bVy?z4-R=jEX%2x>8xTsl6otup+3~lN$B0(4 z=4gTIA+E$Sl78y>QklpT)!A>Gj)_W5i_p?Y_b5pa5{z#IqV0T>CN< z+jW3OFYxGuCI_29Bq9Chx9L~62V?SoH}K(uq1*6}k8H94nTmgEq6WUzZ1u@hL)z;0 zKzVO(b-h5FZ;q+2y(c@)-2Hy0f$QLY#uV;yX0YjmV*p3_gKo>?qaTY4`twE?>1x|C zw@P7rd!i93@aqcrg(O3|EME&gNxkIelc%RA?fgclaW{hyyFxBuRsZ!zch`(E#q2wn zZfXrO4A0$3TY_iRbQbsuC+l*E73@eLbkjeuji) z@z$!*u1j0gVkBXJsW}wZk#QIK+bf|Igehbq1T3cyrgIKBvIR!v+0-$`$R-1=rAVxM zQye^cKJ>UiR=-P%Dn~28XahVIBvZ zo}?rpGN1`u=G@^Oo$`Z&2CG>mI zHbG@gv8k>B^&N#9{qY~WqWFvucft0Eet1l|u}@%kqQD;TDr2l|ESXyxJI!No%UGYu zsGym#f{152p?J=kT5Gm8!Rn0k?KZPS+};Lu!E4%CvgXX7pM=@nR@s09d%j40goW9L zD3!c`9zR_rtM}&u5Yixoh|njF`4l<91##g@_5mmHz5Q&t&L4#uTs@VguADk$n)Ft1 
zsf}3!Pe8|_N-3tDG`Bt$RW%8LaJ6ROmB>ydS<RBy>gyN+xh5wWJiLewJ^l>7z0q0hy%JHP$EKN+W0TUqEj;S6?&)b4oW5Z` zmoQ3(=k-SpCS;;!UY=f#FN=&800I$cF)@J#Cw!clqJrR4;HA%VD`RUCLs0LV4k3xQ z0u%*rX(=N8#T5Q}gz64xz|RW_EX565I}3n|tqEv8!~v zjxOX#z8bdI9EE(O@kl<65HTVxJTHxs8DQ|C7!jRFeso17AJzQvPsjXd%)FVQMKK~Q z%lq1YGeh6sQ=9ALw!mD=VxfJDKQv_FG16AE(=%O5p&gv8Fxg6L47->pF;?!wGICk0 zvz^i!cr;U~E8PjN6}DPwHm@}FV4+%>zaCgFY&>6UP^UF?!*vW zEqU$GN-DH+ZG!b`5(`$|22OgdUmN3^vo*=15xgQ}bK7!MgcMt&2g#!`yuyF5>VMD# zUj9Eg`9Ek1FZUn(u1om;TARVk{)Z92=i4R8$Rv<+~PHLY2Xk2EgQ_K>Yd+vMW1!GNpF&>W$RIgUi2`Z%n3K=B8JibpqY z&^fKNptZ6WJ8xeDz#8wRLd0ChE&}IjFZSo7uUMo0-Z_L{)nCO}>N19}7O z(bV?dVQ~;kznBLbVMSBt>*=fe>yuwW8Uz#_fDQlvpaJ&Q*_yxoaG$Yo007_Ec#jTt l;{RSjtoj77761T?UXTEk?}q>Xk->?d?f3~<)A8S{{{tmra3uf$ delta 46976 zcmY(pV|bWNv^5;Fv2EK<+Ss;j+jndyO=F|6ZCec++qU!eIp=&ozW;m8?6qdDJu_?1 z_&eC!8yL2t3^)Wj2nYxah^C^h7TPPzkTy052ya3nHWA?Cur{3f1q6N|f^T)zq8}S| zOcnN(gk}^;1+d=?+uupxL!k2{naeqQ@)Th-=@<%4_&0u#zwudwF-f^6=|}znD5av zUG`YG$7RI4qPKXIs=O&JD?@!cIvPQkclB-=_C%z7v0~j=Cvy><>(()IsTx1}!t&SW z(-#oICEGnLcXJur=r^x;=vS&)q__Q0F|JG#U7X!EJ$bG5dqn^FDY=mCq>$$m`=y)R z{8)VF2b9umF%4|S{EMvdX<|z+?O?}*=8Q>x%-EUB4P&4f8@v6v@nx9K+OS^YDEnQ2 zfVKdNB#zQ#1yz#Tt5}68-fZROUk;cKFeBiohZSpWw7E{MJ+1kAu;aT#nz+>Vsgx{9 zEVL4=4{24*TN@6m%g+hAuj60v7jJ|mze|CJYz?kq2YHknj;@cPWSI21bgZkn{mWmZWN5i1Zy zB8_FBDZMJFjDq5(XOIu39Hgz`3G0P#{gvck;AJ!ou3rW+H5`3-&%A&0Jq1;SKek~3 zjVXt@{%ZY&0?`zg@pw_gZn{_~nj@m5mX_Iio6>7j(}Nfd2fFc`B4^w>{wZx-Tw=%> zgyJnP#_u#|o34);1WWPTZV>mRbsivLZuMgwfff%&%z7IVR7MH}p-^fd`3D~Yw$Ei) zjhs2*?H>gV{ZNaLpQ41m+LtBEn+3UH!ez11LD`|23$RO*xG*7m|d_Ay&D7LreDg6>+gVL+xYi4 zJ-Ul*N6wd4#%vpBJg&LGX%&MUZS0%w>*`J61&{1y$l|G)15Pe_iRyUojbMG4-gzI6 z0Uk?xR3vA^S%_Sj4~{yd#&<2Q?t(mcJI%7G6;C{hz_lcWj@+ZR{)(rBhw!?_VtoTq&UybB$i3S zVWN1!;wJ;Dy>eG7>Qb;0ZY=5pwle3U(H%|IfQwiKw;?RM5=j{&`6)nq9gw9@NnSM; zWf>{3_UAh@N=TpJsYnv%YnW=wpAc_=%S?>+B7`-^yg@!VBKtBxedU6{ZHud&SP7A) z5s{otu6(|)q4Y@3R2X!^oS$?UnxEJ0aPT|rF~L&njtkB)G?S8F>8k)Q4=>Ltk-#w# z0g-Y4*{1zfNelPaBo^?jDS_giPE{tK^S#)z5mDgWd%;%#Hwjt8oOcknY!0V~=oobQ 
zTUSUB2pLq-?Igyd+$wn;S}2F)0#Wr)kdbQry<>;bKd)FhjdkN0cmaXPn+>&_$?72Q*U6s=! z4|5~=SfegKSpd-LbP`AL%>D7^_D-M5g#6sG_`l=L?hJT2g%9yXxYhgxTFsTjtL_pe z=)O(m)hX=~`B!V%QAb?J2SM-z==l7weeT~wuDhP$PBCL3D^yM5;AlDAvvW3{Vw`D7 zyO44RnQUCp5@`WSkV^bjU0Ss4pva?HGy<{)DT?EIETG=M8+kI*INzmNxf7ych$vK8 z@AM(HIA$YwnLd>g{LMIqXlZH3{#H{CeL?I!0OFC&je@`QRLFm}CTfLvV-bw<}C{vrS3W z-}Rw;yxfrxE_kl&xVW9^y+~l+^U*{YA*?f}Bmu`t<{ez(DqYX7qeQp*AEsSNIBs;) zDh{lHOm7|= z;z~_|*BYyO571KOBjC9424o)gK8~ywi>q4nyJ$KQGL;;b5FZuFxy~$}i%;cv8Xgz% z8i0Zc_H2!z1yQ&wa9u5wN_6MWs5uC}FSoeeoJGBeL(rmhiFSp;(m!Bzgvr*p5bp?< zNEl*0-WQ-9NP|{eEKXZ9awUaCn>k3NU%_yM+4b@(Od79&YC}j5*kgxHu|e;d3!FLG zv7!e2JBv{xOL$YC6U$!ak~7sj;DausBf!)J=7F<&hfZ%zk}z6;5Chr88oHp@86?%2 z{+l9bh&zN6;#~lkl_Kvc;ttN71+l(q1ZF6#i-}n@^Rm3K18+nz&com0cot1HJ{yK-i!ZZv{!NC77Gw$*ihOB2 z)Thz$Pn?$S)V2YROd~8l4zguh;$2A5Pc-qO7!dY-+(!@vCbBL{lZi99RRSE>$It{# zTqabctO_1VXf0ZkdES(6J4k8H*O&^&?w~*BhsBIRaJR=PlA%waP6)8_CBX48=;MWb zsM^EoBI+i{uixtsL z*$eJIZW0mt(b_LK8s*I(0?qZHQob<<3rgU?Nkez`iPR z{QOx_gT>dSRgyCoQb`51M7U0P28es(LX1&GXtL! 
zo&VZS=iF=)Cr_W(#VZM>WHaLhr^JTAcIChSKpjUC+qp}hIRbYCP0@OMDiUd6)<-V$ zjL3Z-4}W698cXB~QSF~Wf^83?&hdAIt9(Ib5L8uaMMB;nIt0=NYW4KJW)W-9jr(Zz zFcB+Nb{GPvrReq;r;UtgRtw(5hMF&xEi}sF+9YVZIB=aU_CnHFc z6Y3x!w9p6j*kGv_iQwL(Jmu$}ADVmoW}Aech8xFd01cKSJMZY41D6JIbZJLuh9gRm3g94PUFcj6L2)CH!s^M^H{jk*#eKtt#O@nRfffPsV(BQ{AOUy8^H`#lMz#9y#Lc+iJHPpLcS|RtiFj z5f@4~u0mGXSaCW#p&BrGLLU*_BExeM^*ieyx!bWX6tEonSUEI7q?r~;dtHfp^#$M^ z1(u$44ZvLxB1kP6(jYm{?#|c5PEAmOueg1sN^A-kUUS4jGWv^t@1@K*Yg4;Kn5v2f zo3SN7+`Fu|@oT0u^0&C{Py!L0!?`i=Kz>NL>wvcL(@@7ii&O+9mLW-}6PJd0w>fji zd^gpk2GV9-aRelr^u5rWz49R1nKYS-;OaE5dB9trcLXzmDsU>A?ZCDtg}Y7#Y4t{m zPWLWM@4M$jsaPfA)dLTH^at0tE~Z^YQ23O~)R>@Std0c^OV!H=GwgQwXcA_lu)0P1 z`H4?t6O~@oEIATRZYakZr|l}N@S-S$)G{0~y+>OJY$tfeN01)U`}?jd{OI54Yt?kq zP~ew>aVW*I<}|-zfUy*E4Gx~g=w!b;f`?$E0VlSfr7A-C(0Jl64<{ ziO?xcK;_l&%Gs%rBI3D-L)hR*$qWh1AHJ1D2^Mhp9cOKUrDPs;P&-)5rq592g}=Tm zHV#mpKjSF!ge6-gy%-cN`O76LmO`B5FM;ORM+Y5ozQC?Xw*n-)oUEO6)!rF~>naph zvn+=!(C!T;r~rTYRD&!D6Z#B%wAC4}(4VV6BCin_(LKnSb>Q586E9+4fZK`nS9*~B zARvT2$AII5WX=a)ccZ9=48r45xcux|8$1HoZ9bj@6)hMtxh2Bc121=*2PR=&CqJETZW11f(^`ZJJrMDC!u5o40w*_P-?S&H#Y+IbwhB;U5M-Z5z{ zv0netc-ylX@;q|bWdBELn0-|1`5{oxYL%9t`dz0LUdAC;Q+bi9DNt&FG8cY^_V;1M zE_o?xvo)(3eFTE#$Wj|eL1H@#S$pe#{Up^<^F>6&i2Zc4*Zro(bm7xy&-L$MxO#68 z3C}l5U23UIkw2=R-@vgXjNXTO3|PK4x73x7Eb&#wRR&Rz z1K+zWAAqT`D+sPt6tk`{NUBI-IHrP;d@qD7&n-$dJ-3o#)t>)ZtBf#UzLfP{h9pGV zWG`4@6tKRF?eZqi+qTA2`^_&({b(i&0go&B?-U|I{ZeyGoLlS z&1m~rmG8jR-y){R#ju4w!8A~CZNvLJaa7ww8e>6`E@>&S+&S!*-avcHhtj7Q1&%wO`tysh2t*CnY2 z+CNsZ{(k;MX@7y`>Qewxk%Sl8kZ1lRhmf}q1~_s!=u}ha7F;ZAD;}q|gId4O&l$t z`4@w>xt#h4BXR(LT&B+1faY1D?~g3iZjAHG*5MoT$)$2!JMFHAP>gzvbhS%aW2_m{ zyd~p${KO%>Ur9*Bn{W_YAFtMba3|KF!=Xl`xwKL^H*I-V?RsCjYU*oC>-q)M=qs_~ zGE$6Umk8Y)5n?OF&1HrggvmNE6uZ8fu;4i`JGj7J=@ybDa&dfBYBRj2Ot%w_MV@+5Cw5>;&tHVGd11{{fvL{mwanYYTHAnyM9HBbj_dR^d zEi~~Q1?M>qc5!!^g&iP~b!azrtC9lpirnIpAa2w<@?)E?@>YzTj!K6p_&H@tmz`<3 zoi%pUDLnvFF*-!6TF<5zPPv)ki|?0|g?6fnJOz8y)M5b*jOqL-Pp;yYeiKJJU1Es0 zbla&+0uuElP?5(BcF+}kf{Dp4c(4V&(}K<_e!RX36G>w&qop3`w5D#JB?7Rvh|(;X 
zXjw<5TTWrzdg+VD;v7k09-$&_*A0m|wn7kQZ0tZDy20Pzm~0FEA&nvgg%_~W!orHh zyy{+=0?FguxAD5ysr;_-ONgKe<3gd(^O>MGoS)}IF&AAD{&a46 zKI#DWGI{T%dlb4LTo7SmzIqLmqVl^bBD;!nV}Z!KR_TwZ4NY?w(&(y%@J&7Z2iZ|` zX=4M=z-(a&+-xb-Lr?V*Sj~uX-)hxz6CGO(QHS+fIyJW@QHwPWHf#%nd8I$9YWvf` zXY@}PsS5~tsn0I4aSEwFT#_L&Qe70yq^Q<5`+*c}_!+=q@f%G-v#xLr#MplKK>|0cm2lk*uZ7Fv2x4m>wk#&H|P%{R_1% zK4M2zJTsIJyKn>}y3=I^vl{E?;!{jrj1kNhufd;S0dB1mr{AMRBF$`>&J_R&L}pos zScA7mof>O`wSF*1>CiKUTPv&2i6v<1;4k?y9k4a`{_>E;RTiO?`9743)N#DHCyriT zt$Z1T)WNyUKN6yh#xhjLYljo3cyJR7eHlW~wrU{u`-ch63$Zm9x`X&4 z4MS)n{n-y-s>@_OsYOG}o)OEf&4lqxenR2iZ}-ry_K+ftDpg*=R9Citr^cjb|8j0* zQSrsmEPEQcFi!Wpr{|84p2b1b0-YXAk02z8`@tB z^t2Q!i*uZV%;_Cfb0&#<8YlnbTE6YzU*7*~V9lSMwK8R-$(I-;9UNXFsm>0~!Cm4u zf(V}N{Bs72<_VC$w{PUULz8lrcm^>(M(s?T5W3$8eS=qF-2HJ9|D!I<{>cyWD0p~0 ziYQw=x!%CO!MyQ_LOzT|?gr`e3;6#xDe5u1B?^l`K(>BCfuMjSlXRm2=UpG}Yuxor zuU}eco!~8{SM?iYe+#-71*T)rs5ZKjT{}%IUb8SPd{oFyT}TsgmFo8{$M^@ej=s7s z{leZ1k5KF}1SJz7#1x5A8RmW5M<_v&sZ}uo%8APTzplQfnBBYK&+%C6-Tj%}?MvpJ zt_OBVe4Lr<`Oh+9BDe&ATK`PB(ZGxN=Z@`KeKwy(?FMZ&Bm!2#*C)-(pqOD18)?K( z!sksQciMaK<}10Kjjd5~M?a(<6T*e-uje5m;-I3l)^PLbi>Tx=l#;iH>_eL4~$m?h3G z6QU1s>2sKuwV4vr73!77&Fpv$lM_QAD182nrSA%2KJrX2nsHlG_ln`Bx|HjBDTa{G z)Nm?nzDH{Sr|QW{7!2U78&g07I5*dXkPTkwTYeV6JJ8iqU8X%*9bp01lVH25F`u^9 zo*~?WEG6A6%|SqKEoI@U>nr3avTW>^?}U)DK+lbZNGY6J1(Vc+h0X4Ypz7NU_`vf| z>}o98$OFTQ;rlS`FRvqoZU~bJO0~JEFZN4&-M3*!@BtFECrm+}v}ZEy_lr6d^}L0l zT!(WkaZ7B`b}4~ZN?5Hl-P{1YonW61qEQYrO8|HjS9aOE|IR_n`LM`Z89pI~gjuZsGz}2SbeFowaNUSXd6cp>q&2=w}ZV zLk7W7a|HxFTpuXJpWxGt*@lM(alh%VaX)}Py+SoE1jk7#JGU$iHoc0Fo^dN4UnU@0 zREKrJP58m-{9P+X@(A1-Fcwa#b`l9i%Si6q(cAM zHkZ;TBfy=`tEs}{TG>4RQSOIUQU%oWH`P%&wcB2>z)qek<#KyCMnPgIbiZo(%eFydwH( zTS2dPHk&uXbfu8?bmftYd6F#V)|_t|!Wi)Oxn&e=K8$Ji;#a~dVLb-PGt`RAb+MUe z{vg@(*Ogc8xx(PW1FGpX&#p;o>IAVJT*g|;-m<$u!D;a(LAFFwftkMkt$O;YI8wpY zh-@N&L+ZBskh-XBDlMfLy^=#KEq0)a?J=~efQ$06PjB4OHXxG0A|v$7iyohL+Z$kn zpD(D2TO@K_i!HaxoLy_)sCL)+@NSy3cD4S9(+VF+r`I*e33cnPndyH(sH@$ihO2e- zyQ8n|NWC*DQx0c-WlVC@>~MVk-n8uLE$5&OnW!2D6awTU18 
z%-0|{R0q%4s7ndmaA)aIOVdUczSfa1K6EW8ROdfxs3U|cZpsy$lTfaWbBz@n+ND|- z=^XR+9M;Tr7sE~M`5znE&MT}mUzw705vq>2yaGiF+!HZ#&* zIQ^U5yy3Q;rxkoqAOW0P*C5%5Z{Z;SaeqZP{zuCr)xs$I>a4-hLWI7OD+-K${VzYf zO{~-^d<%zGYvxG5o*!n3ShjzMc*ckO;wh(2t?ojH+QhlALuS!d3q3Sq!C#-9OSm`} z+^uDcoy(Fq7w!MD*^qF|n#Y;{H{68DPLAQudn^RQsjD_nq;vIH9%uD52eAUd5k;rV*)*YMCO=xar1MZ@D zm6?5-chp!RS8A_TwVG$p#EZ$YRz+x);NR>~*vyZ2=9(AaQ`k%*xP&K;@+EF}7gNdc z8`8B7NWUs7ydaTgB(Xx)*O7~NT<2O4b-bKQV z(E&pLS%*NEIyMQinqHmK`9QFkP8yHwP39 z5Y}F-W4VHpZ(IG`<6L{ueo3lu4sWH(o-Z>|W4mGgcKRs-;XdG0jFqH{6%wxxNom3P~gigjTRoL`9d(OmxxnYz(2qj`-R1 zD&Mhe#kY8wXQH0Dk*am!X19XO(`4TP=(FLOGp+efW@!F_ESUQrWw>(wQ|6yAd;f$1 z{hpA1Hd;vGS~t{4Z*{*GKrD7|IZ)22199!)_uW5DzEG&Py~up|2>(%id*c6eVN>`& zUGDzr0@A%Q>2~x_+Zfr2{;`I$#wzuuAKu_AGi$X7rwF`N<$r6Qd}g;0J15PP9Z0bN zhW^nud4d03O#2N&%?tmURb1C?*VU`XAIGO4qc&VnZVg*?ym9GMqjcA2|FAi|Q3DmWx?ATFaCUej@veI6;(NcwYN<$H~7iIi_;v$x8H^dWC}hN5q>99PZ1T z=N*#d0T3N;o#f6~ghUMsn2de9!^B^B>}bnP^E>Zpe$?2!WW~!i<)tr8dMRSK-g*9rsokKHdr>c!A-jsNa8RvQT zMwwMoOB2cM>9-%rofrJK%@1QT(ao7%`c+n7B_-xTOux8$AxuGjZ&2EjXHtUR{bYP< z<{Ik46#-_+9jM|v3H)wZ9qayDr(;@yg`hWTG&txGt1@s0^Kz7KaAf-v)Eay5U)V-; z@{0V6=Zf#t`zVgZyhs$B^zYK5fSHH1)vSU8(bEjIxp1Gb1#K^xUm$nzP#OPW@{jVx zL1IhkOjo02#Ueo(!$=vYY~#m+9GW`JvGqVBU}M){zGx$=@$|^~AKPO>I_tKhs0_hC zt-qgn^ORNEEvpqCP6q@5Zi~%R))Ups=V2n1yd>>Z(W_ySm26OYs7FK_vVItSJE~l%L6_1V{-EbgaYG9 z%j>^679!>UH~tUHRuN_7zk)eqjkwBC!3#2j8IaOm3*aJwaBABuK_i}UWQA3AS*Mv&M4oy+mHTnyKvFnl>jf3cjF}H$FIS*QoesxVz7~ZrRY>| z?Zhw*R8){lwln%q+0uo7uI7h7+P9kj2%r2*Um7*sf2qjB19Z!tS$Cy{E@-GUSh-|; zypK9LFxrb*nr6WnTM~cxE;1J2A^7pSu@2KnauYmoGuY!s@VrDqr2&JU(Dh}a5ml&L z6IdEKd|VSpwZBB+p{ztWuZ<(dUQDuw4NhbJHcdrQ6JoTnhe5zfnS<8(L>e`Flsl?{ zjpEK1wb)S#B|lmECyTplJ2ZFTH3*X7E!s_PZOj;grvB~7(v+ERwyq4I8(CBzI#Y)V zMcm86^SHdHl-72fDESjHG*D6%N571gjQ+I^Zt4mnG#E+gv|ifg6hfhHC>l+n`-}l@`U<0i9mcs<7Bi{v#pMzaH{lR;bSt4ML71GmhN0(0~adE4; zuBpgUzZ;#3wEer$1x{@AUUY~gh*N{kSb(NurwX_^=%r8%+~S*@lXdA?h77xo)X!(a z)|K@AppM<8nx=CpW+M&41IgTqj(8~JiB7_&K7!W{kQaGc---ZS`YpTe-VPA4wkNWQ 
z7+I8{`^*tR;a%HQ+SZ+ZOoMwqz`~Kn_t#MJ9|}VPeJ&}y+HXhzvnwhEwvUDE+?9d8 z_o6k%C;V4OE6H3Xwe_7=oLs`Fk3r_!~uH`K|hy15NZ|F1Qos4jcOX=WN{t%ZgLp(7`RlDj1y>4TbHpuKP&?2 z>%{{K^+q*A612e*7Z)=zF_BH(*iFRn*WP<k>dN2@qJm#KGgPH*?(E%C21?ymk#Jqqx3VAV6uy^gTE~p49ZYs&&RfoPNHO zOSmLWa&B`-DNrgMtT>D0=;n!`o`U${Sojy0JwqO=dDV~+QkFXlmp~YV7o_=9e&!Nv z+#S@uGXT`Dw)2b}e%FP}yYFvxdLPwEnc<7GBL+~Mt`uT9G`hGwC@pwp#?RG(!_<3_ zs8slO(sSN+fo)SXInBCCW#;rp*W!eAjh>D9BI}vq-n4a{l{qJlf7K%bBq(`*j}HfY z$*1J5p`UtjP%$-`pZMXRJrR1I)ni2!RM>jevdv-+xMDPvW>RLAe-(nMb^w}Ce-Q5I zq&hHT*o-n-Bd)ue>!ME$S>Gof6At z!AjqjWAE^Mg=Z)H1WA^RW#%)MJK}UP6du4=c`gB^Ci_x;=doCD#~>4{JYE;C`^=5P zVaf_UDuPjJ`6i&}&6>iN{I$1}5cd=H!)J9S6y1hFX@6>vDD=E&)};QnYD%Nqi!O+q zXv|1?2fpM9n|Y@O>?HDzRPLtHx7o5)s{)lZN@eE8go{E^4oQAK3&a^ z+BtX|XStG_{7|Mc_F0cBBjVOY(~q2oV(S|XqoX>1-;G9)2*n!E*+R85aQsT}GxIIb zPEWA(un%pHae#hpCs}!_shCmGU z60|5D*!p=j>_V7Fu)2kri08**n93>#%cjq@aN%3c*T~yCO5>W{JUgtcuuFg^as_OF z-iktI$zpv6r)HJ*$Isa9Ak9MJo~_2T_M=>reu-j`{pw`oj#vIVv~Zz}D;6N7%jTVK z0Stnj_A;R!F+4V_K|!_>p3&a+ZTc7WGTWnn>Dg6_pXNl&#+8T3%GU~=P6vEK+!0Xvj#~7< z4(UI!rdbk z_AVMY=x0*(dyE`=wWl=#2o|PVWrm>YMA4ROAzY4nxjOnzb7&~%Yh7hPB=@J9)VUR^ZbIY)-7IBBq-&a ze$+hmg0x@AQb4e0T@&SVNQ&tpkPD}qx4Szh;q3R(QG=4}wd^vQ9?3HC&K1mcPPS!A z*SIz2Pug!Yxr1Z7FNpc^TR^MnF}Zf*jhK3{E}OySdM_O5=rkbI5O$5x-IO7>ExNnA z`HqL5lc(m*|F-B>!qxbl&gnJ36Ea$sp?j47gn}4#N8vdu5!?R-AItnTi2-c*B%PXA zJrvFd0OOSKoXP%?mo|L`j@>~$r62AvG%yvMiD{x6l!bcuSO_*D*K5_1&(T%mPz+027DIE z-bb$|Bqp#7C4^8Y00=eV)%@m#Y1WfGjTez*q)f#!B(>9$}|}%^S=%cA)MVx zR3d`GiyDSzy>)<<4F9fRD8-%8zD)S31~>MKmFCfXB=5&>3*bun22UsVQPQ?Ljm(&Z zTG{KX`jdDp!tVxB5uLw$Zpd(R`Fp`rrr*_FA*F55((t?tO^BIy-46VYg{JVo=ODE+ z#}7Bmw8P3>+C$EDvH2cXsxs02Wu_4{b_uC8xC2=#hL`kRe4;NDRTWic(71T95ezC!+$ zOmE??muj}hxob(eG8Ec+>gm1-@3pcpWpy@MjtKW48FP8cb}d%RJz#GxN-URbs&kmE zlV$!b41y%SgoTP6_&tv@+A_`hW(+;c@*1j89~l}p4oJtJ8V(?molpXGT@)Ysou?|R zL57hZ%jlFq>z5>qneNfzDw&En_J>4^ms}=%-^E3;@PfCbz zo}n<6|4vxkAQ=%}G;>_o@I=B{zn=T^t-%>kznmeo1cnW~+1T4ViE5Yc3FVp4q%a>2 z=S;>30aLR{R?+*MLrxZtG1kLstw;fiu5|}~)GVEHHftLXKc6{!#T)NkUMDYt2%r4> 
z99@!1g^M3gc{pnd=b^0)39Zgv;M3~k;B&`>%B0Each@kfN5m%Tj?Dl114%rO30hsn zBP++Spa-LbsrviS!L%d?6z@ax555A|pvrF{fQ?|H3k6K>O&>z{dJiUx@2uPY`ap!P zPkgn&enn$J92nPYAyO2>`v9R-62g7#CyebF9j80=AEH2<52v+Xc~n6B2cz3IW5Ow4 zH-q2N8FRuXZhYwxt0E_Fm4X5w+a0~7zXF16d?}i}O_@+!!@jMmYI3aPT#&}blR<{po!FIm zEG?Ly^5eU>p2DA9N8p@a9k=uASry#r0lAC>TZT3-nn)fjixOpn+w?m>{Ui z=fwy7FT~AEu3MY#;@;_?GW!UGM*qP8_&GEH8592d3wQNYOs^8V>@5aDT74ddApdY< z^v&*QZS_aj^U9JfXKpEn30_TUauXY-LT1^scz?sJ59#B`0}t#(nwZ&S!H@}NUF)oo zsjd+TM%~XCz@#Fpvzh^SU-Hu-aFjwpHQvFbw=nT6+XdR!ZqX4_w?vwK;+=yvis}95D*y2dbdojsq$LU<5eUNEL#n1qJqs+5{1*NYRuNI|X2Iea z&=^;zoM+To`Fx9dw-1?)B~4kb9C@cMwwogDd`kC+T^;+ca0zCl!?)+_L{OP&jJ4p) zp`ilwkORnk)M~K$aRf3-At|ef;l^5B@=Q&6;eyadP&3FDi|b^8P+u`6OYk}1obM7C zHRf|#59$xznEl=fuXC=K;~wYk^vnLeIPnkRyfWz{ADuir<>v1jtCZ@ISzD@@&oyY#rG#gwN5P4|#5rEEFzO;$6pB*`Pc5x&r|@YA+=304 z=mb>TK8VWur%r}L=?=!@p4?q2%dwbgq9Fp!yZqG*of45UA6#3;>fvgH9f{^kuVJ&s zx~mcIenBRzum`*a%~HNX01Z(~2OO_tsQG1RofV0LP_X+ltI&C^y2}d=$AEkx?4z&bsks zYU<{>_r443`?vm_2+R_EiqNtrXord-7t%Dw=Wf97MN327XOAx$-dZjIhK-24wVN?V z^ROlJBSekQJgPLc!>bKVRN~ul@8UAa56@!TRmb|S@3krT0V+A8M z0RJ)H#MrSEk!Vvvq{rb#l_?}QY-O97=nxVo78D56;juR75kgdg6Zho|A5~dtx&rg$ ztG9f~JaNT;cl3m5ZOqjA0ts`)UgG5^jNjo`kkY`=QmT+NVyA%!_d8zM84Yp+oJTW? 
z=EInf(qgyqe$zXY-fn&2iExVx2@ATL{cECsr%w@sz^R=q)gflbr3vcVNZ=rqzPJR` zIYIrXmOu9iGhwa?LnOlZ#+uN@Um~@{A(of*%{%7{M@q+rR@s^km!!Bsr$=qJcNF z#_BxC32+(KEJk~gP*95Pmv1d_>aE`My$5pySor(rr$cqc8xGg z$(l0-J+~y{7fNR;u`TtHKJTe`%y3*g_G4N{b_uVLl+b$J zGhgBezb*=krF(G!J5@Bp+%y>cP+-cRFTv|OMc1Txg*pfcmN|@|PV~H6jp%_!fv7p& zvGUNV@q(AP?4lUsT>6$FoGb&GGS>7C`7bd_DWu=(Q8Bby;}5jkxyI5QdR%3MRyIqv z-g^qH;UuqE(|+QmhLBF-WrTC3ki2M^nXuw zzvH_L@rTRd4E2q?a@t}U83|?fbO^IIF5WM`k)ABmZ-}A<>Xget%DJkL=yX-uS@A%y z)9e5uj}w(D$!0|lPI5jPpcPCztYDSr{jT++qEjH`y;RkpgylEa8@%Ol&vc@blK3h% zb?DC?1xp+yyhXrV%{N_%NrP|H?HN6L-Y;)q3yPkx?qh?sU2Eav41ck6ueH{p?s7nh z%0o=Eud=|`qS2r8COciACU`8U%)eb`fuXi2LOW{#!@T8K(R1`|yrDmsU zBX^+Av06YYPMRS|gobBPL0AZ}*=97Z&Jo$zp{7KxpGZ@+-G!yW!I%3R6t06H8~<^z z4c&iZu^9C{p6#ClbpAKHVHwk9W*>fS43*K!SxACxVpW~0Wxn?FUASb0iMt;Os+zzq z>ZDuUc54uGR#Jurpf}4&%PTs>qLTEgGFCtoH%iS1hksz#YgqZ;k18=Lh(>W?p8~09 zMEQ6_LW3A>38Ot$k)l~ZD<#@|h)D#K6Q7Yxlt&Ol(7ki93vmn!f&jw|UpGw{dU@}C zUMgzbLOnKd#NZrHe7{j6yh^l4LlAjY+_lcrQrp zg>b5n(Bu*h9ltjROg6LMaZujqz8z}e5zJFBu;c>;J5W+lDr;nrh29QLb6>Ke?s7rx zOnyZ;;>FdmAt=_gmq%E|n51=>=+n@#Dj-!rTC1-#(SL={gcpA*;y=sMhc?^S2n>00 zN3%~(aZ6&JRh9xOz!CY5M1F4J*Y~ed@cQF}GL zwn(H~dp=|?;6Q`yi#NBKwdCEf{SE<1)Q6xg0}!!s>6Yc+bx2Rl)syr|cQ}SB<5e`clbz^E z1G}678A-+qgjCQ2kYo!=JBO+aVH3-G+jr(kqd5`b;)Y= z&sW*8f_12*a)IR9JmL|?qf0|w8PsX2t=4Aeq7D6{ts#l~g3qBfyjzTafOR!`*bd7l>F$za=%5~mez=s~GBG+ZmLeQXKI9ApU=MV^!*x>4bu#aKs}9T{2(SV!S7&9t{`ocgw~o#9-`*`I>^6YtBb!`5GNe zD~>k?__!E?+3OF)cXQMR>m>Ekztt_a6V{cL%S1w*kb1ko&g_(D=}z&xy?pMPUdN*S z0Bp}qe=hGikgaZTk+|0@nI4!Rze*@8g)9u-YRFo5iqBiYC^ zs8^1uKzL!a**+e(xdUlW^NFQLywMwM6gxcsb{~3a=>&>2#CxBa{OmzQFfgoqH$mYz2wTKfSTQkN zsg!u6iu);1PNJEhl;UIo@UD}{W?A8P0@w{b0B48`0`pO)NardngCXiv4Oc6+S9pro ze02gSDRU$jhqFrhSQCR7=~=zZw3#+!dd-hshsPZ{E=yn>j^I_`{Tbc|u1H{iwBA8U z>z>Na{P5{^7c*sNS*MBJwHsZ#3x~;ev)b%|1E%ZPPStAnoJP0TYV~^kMT{^X-pZ#$ zQ+dL0gLA;1*f%fzuf@$xi9NQ}2fxlb_ShR@uh@>hrz<#rFp?*ACC{!VV+tRZiM|?O<=NJljU@eSw6WI#5WdLE8)az#%LugHWYIIv=H;+O}VC3%jhq0~KtPu7c ztFxvsf;tQXfuEq)lb3d7Q^&*|UD04RG`uPeW6#2{uDmutXK4p0E}*ahP%j7l 
zn6xVsP^S2Y@TO#a+#L+|_*7n~+%$MyHjGjh0omS#lR!ine;+*;I5e687yyP8x(diN zqREf6CoC-vy+lqgkk4pUX~N~5p3LZ(mp)BlDs1-XvCH$Jci6Ij+4i>7c@528wwO)MS(x*Ubq8qeK{~lv@>vs z4P4F^WjO!2quJ=qgxxnfaj#vp82nIY7e!MkYNLsRe;vkbiuW+pH?=zYE3{Y^d9>Fs zR*7<@UQM81$w;7W7tmX$e_UdrX8)D?H7_hB(*o4Dhe0fvH9mFRl<%&y8X~?!SVy|5 z4nK*wmtdKrnNdVEJOlto2|(!E*7A#m)g7JP19z18Ge?9#5<^2@)x5>rh1F?yFOEDH$Q2ePb z9L++aS>umJyk_PpCG6R|mo(<*433adZx6wwRc{{D!e1&zJ+sTn7Q&%uwGxgc*-SJ@ zWjoocs5G?fF3;&kf@TiPE1p@x5TCIqu=H)(5FnkEs9Fi*o8zH}p4FvZN^!yColLxl zQS~vt0TB=a=_4{3Qln1|I-66ZMJW*-T^^paVkrk@P`=uuAEE}9oJKN<5Hfgy#u9{+ zTZ_0Xqd6&*QMAj#7c%+zT8_tBHWPm`Y6mqqz`~OyM{EN(|9+E{M=JqelfXwOf8&$D z+ns_v8njq^0LXW--l*3aO4>7j=-T%*Mz)|Td!%9wUiiaoCA(yV8tUf-I5TiWe-m|SJT*i$fgjMH`ml2rErf5x3q@7B1Ee}IswBLy zk8!CezTg#JSmFVr$9J@1^YWL7qYkW^lw)`Ik z{sBD+0yhP%i!}lLbM0PRfAo(`HyggBpGIqU*p*Z#)&4X3nLS#ZPKDA9$If-Y74ir7 zV>7d_njQ9yQ&1)o5BwDzg#6Hxl%SU!O*Oi;rbVq-Al5nbN_|I{R4~F@l=+ZSQ0To_ zh0jHo5b6sm8t}cSr47WFu(cY&YS3U97DDY1EuEo{%vP!ktjWule-8Q{b$K|yv2^6G zzXH3!Uo5R$kelB;m9kvbfI3OJXab?xV8Zt&3G|cLmE8ckP$Yr}8v2v0hCJVa4I~tJ z9864+%vvXBZg#wgqT6df+NMHh)Z(%j7-r_l#;O{-PHf45ThL_tRux`a)v*g5h) zXgxlaoSflbs%>SI@pA5F5^tlY>xr%;x0>mf$%doPW^6JQTgIr)+|8zPd#c!4#u9aA z>g{Lg72+Z5a(vSCl2zunL1FCfMo2_@=%rP`n$81KKFmJxkw?{;`eWFVhGBK`Hfnc^pX{keOeb2E{u)73Zg4cC2YxzNoI9{|-@qEZZL z0V4ialiEuh2-fr7u}AjL7nA-=VF@>vRqN)mYTbO3XiOd^ZlC7FdFDofhXS5wID~}T zr@8W6wOI*CXurxtwXvTvQSAbWYU`7%OdfyF+FMr!T6KD^Vp$IB50HU2^BZLbTA3PU z2HG+Mt?H-DK>JKH(AL+LfwsQd47BwnGSH^#7FbfAW(Hb|AJ_2O8QX}MyZZ<7(`0U1 zv&>AplFYQHuw8^58J=m62OtqY!*({H$-Lp=l{iLQL!5&kOmrBqTZ7w_yEdN%MWTP_ z$CA@FmCg8g2s17Vi*Axz_1LfE$DxW&4nI@;>q_xY?WJ*faNq;ZI+E%ZJx$W1AhYp+ z%EMrV=u5HL0gK)fn%-Db!?%I*hR+i$z~PYQU?l_B!{}&{IyG)knhuQ9sc}PwW9pR| z`JM}BH4$5SFto0(*&p}D%$uQkiUxniK>1@|8(H`Kiw?{;6h&Wee-^;kf`EOZLIY$Y zCE#^*oD4+97d)sF47&lA$1!ue-nu@^(-9mf&moC56Kz9PjKGR8)mIWhM4Aa{6)~t1 zQMO7vWI3F8n%zoOgpwaWiIMGSByTh`GIT!hH2$%-`}^;J2n81`{Be5z{@Z`I-Tfa~ zk`y@qDvQ7NoOEGns#whME2JjW?fytnCHM%ZH#MckUe`E&x1VkWJ}=rZStIb_j3(N~ 
z88)G`CP$WF84zsrp)4WZUPP9I12N=%2~>j<@P2RtjB{iNDqMj8fvpBV4rZEIyZh1i zqMCooA`kFTRO-c%a{P0y87O}epF}X{cz~T$=o}vUMx;i;JSys|?h=cFaWf*!=^4w} z`I;?yQv4q@j-oX@@jjh>Qf--_T>EB1;9t+C?0a@${+wO(49rA6Re)y~^`^RDKwwFQ zZeXdOLB*>Jfwdpe=P=R}p8a9&*QN5W^Mw)Y{nyuI!pQ4Ss3xGX;3t04hI)DD_||d(7(67(_9i?V=}FAgm0mL0k3z}QR=5uLCu|RYjQa_? z%^@eyIKH@7eVx_~ZE;y2rKMhbfLeyN?41;N|9A$@0SteTN@&i0KC2!l%*wQ!lF+zJ z*qNQ$IfaD=Rsp71c65Im1#bwwN}b*Ag<0!#)x?5#W}~6|Ew=M~XN|#yd0lu$S#6vb zI-yK@Gv^Q%@}ZOWsX3pcjf8swDhPCGtjsCSys=^hRp^%tu28Z-HoH_7r`qY+LlTVV zz$!qqxVl~qxfINqd{jDixML?g@8J<3+q;v0c7k)mD!o1`w`PCxaB3FvAZQJtpl4y( zW0iDDicLfjx5L86THb8wj*zKQx+6B}j>uEf@}H7U|E4fx3v=-~w_ZPA6Z_&yDrtJp z)KROoCFI)V^+yyoVdmNDmv3_g`gvPy`}G{#e!aBquiCbM4iGouoU?O(@VxE%N%j-& zv*%#fuV?D^BFu}_M6WPdg1z4}V1V|QfCb?KW7suRJv}pc zFbE1DgSJ3;hU^e6J_CR%fL#?gxd3&`5NhLfJlL8D3LaYQG0|i)Y7Jh|;N`ffo~EPxnpuBJ7;a-}E29V;;Z=>uQmisO zv(cc5nD!Y%!D4{5u%}jFgRcNX{NQ9SIMK2Ux42#L@;PgVvfx()Vzn+|g7ZSh3IAsn)#L{na zszkFQo+zlDV*lt-YPeEq(ZQ6IrK|H7F}@IGQtp%RwlANX?H*_CY`ff74V>$;gZKHn)99t}O4(ptp=&@<;$tgU+aqo-r zU_@`v%sDIWR+jeNB+tiiHhgH`O?^qkN>lpdUwcyQjMJ(U=MBm|)& zUzvaD@ybF};n2SZ(WEBb=k3l(@*=M&v*6aca~hfIJ~{lYa_5{zJ{&N~vTXFPxpWv* zI`E1@EbtIvoSe~kigEnOtp#udhpu)g zGZ=mEer&;d=fgKAc;|zlabMe;BS6ANOtOE&z6-oChFW3XniY6**r&vuF5};692@G) zVQ*gFV&V)iz{U$Q+o~{nvv+vAa_C!N-T#+?sW(`+FL$^hRt|qdlMcAvzl^<00DgkM zhvtagIkEX4)N4RP8@~63Ky-YH^yOe6_P1??6BnP?MCZgB$@+Cprd9eCK~BJ!4BUU~ z%NA17<|X{h zX_mg;|72pz?BV{ty5k?uemS3koP1rh_w*aPyBW>@a&hA05}nn$-Z*Of8_caa_tJu_ zDn!9hSRSWBr?o z=84ut#f)O|HN|(tac86QqT+w^xTsiJVqi?z;nPcwCULsi6WfdZO22bl6s#vzm z3#d;9#E`TKgGKbAK@5#0K@5r^EDd5PW-wk4h(Xg}&zmhl3^FxJ5JP_nV%T~RgRYWV z3dFFCCuRWvL)MtWCK|;73`N^qfrj1|07Ekez|brK466q)U`pf(+Su^8hL@)>iJ5O) z5Nkv&gzjhr<|CK|@CSma5IhEfF>r_EdE*um>MT&zUup&LXU~IvA@DXDWN=!&& z?7c8+`?MZ{E7&tAJs~3>^KJ3u2f+>Am>g3RF^z)>R`3IZc7KG-0MHBUEyr2lmAC;| z?Srvv(>rz|&gGKu33mK~r#P~J4U~=tb%H-ZOh=4fOM@!Vdx3x7;@4h9q&p1ySYtkg zwP7woxudh2^r0pkqVLG4PbOgRz?@YHhmiD6_QXk!P*x&9ch3RXiW0t8xqj$By4?B0 
z>;G}_hv;K+3`p^S%zZ!V2LFu8w-mtT_7MX8;p_z3}yTY%V*lvXH7m|{`k{wA#+xc2%ZTpi)gzJ;W#z1`w52^^*FRkq22=xR? zGS;WdoxcEFnIR?94ai7wjaC5Dndp-|DN#*q)^iD^nK5N^dy!0m|&pl72?q$Lgy@48wZCz9R#viydM(-X6!Z|9S6?a z{FE$MgoJz>_z0OWy?1@AY?!f?F7e+_2LGKz%>ZKLq4D3%CGp>iAuNsmE(WMs5B^&d z(8Pb6E%DznHA?(S_A%j87SETsPL?jhD|h!qr!`}xdOetEvWET4l2A= zqQcjQ3dgNCJ^pc&!l_4%c+VUBo#aSfQD(%g1%J0Pmx1K)w;B9B7+Qb^LlCxavqU8@ zS%{;KL%=O|RK=2r_r@eC2}C%@a(hV(w-0|VUQF4(bPPNBatDKk;3v5>0|wkUr)Y6> zyA6ipeCLh zXLMU7U&lxeUW`2!PSdkrWS1r{5`w7009jB>*}Cl8RO6$dY7~Sf@?VO3?U&v+@Q!~c z$Qe#^nxMIu7Jby324&|*i4xdpO~S`xed#s5{}^U#S@euDI#+t)Lm^5D)?NY;su)fo z5GDf0#6agjF=Nr1!k)_Fp54QxDpNO!MRecQh3s1 zgmgV-I9CZ~B9n_7OHBtL;`KGY=O9zqCD)WjbsBe&+RSb(cZgeVWqSw@bHRTCb^;)r zGNj$}12X~WFK`1;1vXhJl*w$AP$nHPj#x4tlQVz*y87rm`WmZti7(NjWC?L9Ax@72 zWmiI+9y!FRj0LJmD8;5K`6yAQOlVpd3zl@EfdlEGv0$wwv0#cJER6*#=3iS67EIH> z$(t>)U@|pIELe#J+j=aRu9AORODxc3JlYGO!Lr60Hqk1M1}oa;3N-h&puyTXXs~vP z23tKE>>Ze+ufXC=bDdn>y4Ka}ukWv>6Uz$#e>uIHz(hQ6NLZ3Bc}1BUw-yrC&Rh+W z!{6$Brulc5@bg_fxS1JnQv_`Puv4l?uP zv9jE#e(Vi>Q7~NR(VS$55!{JqJN$**Rm0)o=vd}MOlg>S9EP+2Y!leyhWEzFJxGsh zCsOMh|!uKE^&jqEQG%qaD(1CB0AzhK!;MYOC$pb#7j zcO=_ZK;$5h>7ptbINbZo?&amDKkxnU!vKDM*#Gn1pU?hu zdd73_yx6A<^?Ulc!rG0cMlTTY(SngGm7o4xo(LO9tX~gTa$rTtI(b zF*NjXB?Yc*Yu@G+p+jFWTM!zllp}+!^uQg$k&qTyDSp&c23Mi)YV}$fCNCmLnJBqT zl>A_clEW=U87b?@M9NC~lfakq(CDc4lISSK5SB(q6>~MM2OXv9>f_Cp=qQ;QB|54^ zM{PYiN>@p(0UcG;L%RSTDreZ=`4a40M)Kq!MlFFtV~6bqNdlhGMAbPE6dLhfNGP6&UK!hl>D zCM)m_i?%UzNAA?H`YxQV?(qR&t30VA4$qiOTZc~F@7{tBfsk041LGwb`gb%5vk_Rp z8-%(T?s+xzHLwn2EHHTJVuwDE0eGW5oBUu1xxBl(I{-^8SOTdiP7Z_nz;eK&0L#M& zY4-O3+}iB7k?0}&Q_zK18(Smx zo8udRwlQod{3Z4T*w|waZrr~k*E#I3H(<~mqTg}pY|!%}l|@JeBUU3c?FFawXC82h z9@_gr0)XwE(=ZUM*adj7;H^I~((le^aBP!LUl@ORUyRo%eHjHhXN-4uDDV(M9C&U7Rq)uF(j5O_UI54t5Q5CsF5yR` zL0T-)rW%GLd(C-bMxY1IF}j35PHhA&B|R(YP~^4eNCm8~i2^jaqZEIS0|FA>av1WLjY^NZZ-t4(=8!@5kX1_UbgY6?@u7i$os*|w zF@HM6fqzBYT!C)h7T{ku2l&@5fq!cN{_(I%B0mpo2%mW_%p@D~iZb_YE%2|Kso#^s zf0ns0DW(q$?@=(aDT<9qacLQjbuYktXlP@YI~W1R`I48j@Fp`x_Y9{N4lQsd_Q-JA 
zsAi&fRH!);k*1dh03dXq2T@xZBL{Z-bANCoAfdpK;*Mq`!<%6mjF46s%#HQ|L&E`8 zjR+%WSRwojy%EsB6{~VZE$-ltX#BWt_kWQLl9@mNEW>^6QOU?Z68bCV`=gZ3sEWZG zW)sOHzZw$ndU~@be`?=&k(v=v^?@B(%YWe- zi|1f{T=N{Ip4*0r%{aKpe|N z7}>sTbEhNNLQYreC2V#x$V1=tN`Eh5M3B-;_}ILJ3PDIdDw6{(>-9=n72rhu&|a_Z zl3p*x5SI3O6*D-j$LpnO@ZrstUN4y%rPr(UdTqVeOIJy)!|PStl(&E*ENg&a6W!vD zu%d0QKwWQ(BdnL>2ip#J zw>kw-=;+!T`FJxCP~e8|k$o0;VpnAE!GIa?TAd3Benl5ifCgsx9C)~BhYyTccA!4X z3&f*pRFT{h4E*ZIb&6*TN(ReVS>_<|0krQ1>>8xO6$k6oIga-v>ieqPZ7g<2#0<qYo)pMjsk-{u*>f-p>AJbWJo^Aq>Fb>K5 z{2Ur-Iacnz1_p3Fdy0$UD-Pdq*sWaV|AaE^7umTjT%+|?jrTg{`=&`E_)EI_h?ePF2m(G}1*ucbTu!Z5i5nhjK1t-@th!GL^JxW|E2%^&Qs{_H<-v_!F$e|vt^ zsHe4l$Kymj>;nBb@@JJRaJd4PE3h)5W4QvCEAUf>x#@40Rt1GqZ_J~Rc&Uw8gqWin zLV4@=&>*@_8JYto4GmOEa+RSujOQMjqfE^ObAWRup|djQm!4zZ!8rgF@QUIlyqOJ$ z)K;yJA!FJ#8#z{4zE=f%Bq{Z0e}cFxgvX6D+3DHSh|5tz6Q4{#j-;CxT$~RLP3$cR zO;ikFX=q|G5Ab@RiJBgG-fRg?l&Mid6H92~)4(0PiF44>4-S(7y)D@x>V|P6Gn&<}Vfc+cDw}Z;&zJ zEi`(DDVi$ir#=~u4JK>|SUd)=w1eVf0S0em-6N)urpz+Jd!qD{x0XYsh$86kzV%)3 zYSXT;_NvU$?Xcjrv7}o;f0T90@$KMX6fzPD))-+*!3`M>4@a;}4ap(lM!-YpoCWor z>huP0Rl|(>ybp&HGV*Up)q>H{1XP%*?9VveN1}Fhyeuk`|8YjgXIzNcSOxTv;usK9 zng>8cUkc$x-jCmce<2UFXrw(Ta`5u3s1Oo7-~**C!vcUu0|%A@e-=a)!+7|YJ0Y)0 zDKuz81!d_tr)pPu3v3=}l?Gb>ccftKty+ymq?c!g(!CIv^aH3hKwyAs zHI9xXfXOkYpi9Q?z&$A~>U#ge3F3w5{Mh`D%=w{p;w+Q}B75%vsDo!tkm$B(){5*V zR-CvZnYscn9{|dWe~*#F$P#eKMTRD4bI2K)qW6j>5I&d!t0=&13#WmQvI!(nXHhTG z84i%;(%A=~vdk~cvzg3AkbnefB6T+eGo#MoNFyhaWGLutpBgIQgxjjrxDTdr*+g)C zI}h_GE7*T6s$jMCtIQvZX;-a$esh)U(i#2c>(;Xcb!(AOoJbA-7~+ zECE0z04QH+e^F*B0YG#7Yp_wVP*HCe04U`?LC3*ELx9YfBWeK*ka84DqkxJ!SJs0A z(spq1hD#)nOpOu=R3d@49totcsMdf5((wB&0QkuqQrJdvWIB+a;;pVkO>YhC$IOHM zm?i9IZQ;p20)7Ud1^UTh|ir-@urJCX0Lr>kW{GfT-ZcA7TWW zIuDJ;X#IW+k9Org?eZ9D;Vfd{J75hAQUuZke+^+4r~?CL_K-n;SdcrIg(30_aMZm& z12)6yn{wa_Py!mnz&Iib&@McKWBM+z5&naWg#Q97;XlAkyVQGxwW&LD$^!6oMPxT{ zVev;a*xTBozZ}uJ*wcRqSwJpay%o`UO*hKYIY1!!@QTB8}cSS!g3?6FZ-IDycC6%TJyk(#Syd%pfk z?o}=@d~$qEafava6c+T!u)-MHsP&#VH~~|Bj+PJy58i*6>ZJX5`voY@yhvU#JRWtRNm*N-<73 
z_ft$>R0Ip9CG}D!R9K1!>XPLK_7VZ;GdgOzp5nrh{!|nPi}j2KFN)Jr$>Z@%e^z27 zAQkWy-@O6Kz`_(o=3}yTG4z!S1e!1Xof1%0>Vjq(jo+G9Z zJh_Of}HPR%*KPm&wt$i4uMjpgq4EbV?eI(d^$gB>i+&gg5kIVe`Oy^oCfmu zMHs~{V@nk3m!rkH$#^i;>b!-cFcsuACUZiPOuIO(AK#`C1!x7@0}hm-dR>rIVg3Cz z>@+pxdd(Zpq~Jdl;V-TL9#mW(sw`&n2;J~EK8(M8y)v#A-7`ecZ zuO#Z_BRoDzk|rPMb0GJt2i14Wywqhp%}0%>k6eKpil_++({qkJ=M~Fv#%)M-3E^vjTaH}iP-&=Eqqn>w#qh4O&Sp5}_ z53oUE4??bZ?sqrpe;L9i^WXN~-Kb};14#mG>)j15Abuzi5z-ze1I1!^Z%pt{^y=7_ zXK3l(@7bKLZa`Ke)jcQ8p6fRa{|KarFeKoyD=@`fB+5$Zg4~Myz<*O7IUZV%7M+; z{h}gs6q|zmD4bAvp_g>^Nv$*US0{63E*+Foq89!p^XI(suk&|4z)jcJWWvbhQx8TN!|?gVFx&*l0>p#e zYqK*PW^!WFRU#{Dy>2G5!Ze#DvLYf#iL5A*6%UTAz!kW3hd&*6c+!4|ma_+Uhu4>N zhpR@hygR(0b#YDZa9s;8Z@6@a%hV{{;eVw&eEZ$u+KOro?(k*I{EN85>$#5W`U39o z!mX}Ee{YRDypiV)Z9ff-9_>??mD z{PSVADh5aio_gSmQ*^~oh>hVZL^Qz)U1tYF3mk9gF6I7y^3^7U#yhky6{j%7q2`ivB@1kL8WV1g%PKs`CJdH3+D=`g{PSy=$F z)JtBOPfC%{gFIA7B2vh~fg(pmbF@L%gF)f5M zNb(OwSA63cU@o{k(uos7nK^N+FdZU)zQFXom=nb5 zam>>y(%HdCpz%2~9$ojIJ69rn8e0ZcfhWU}EGD2DiIZh{4YlbKalDok;G;ztBZDub zupg_5tF+$uTo0jc#w%7gV}C7mqrrx0?XwDI)Ky0%*F8DqIfmDv+MJ^>1vrH%N3Q5t z$dJ@_6*jl_j2DIuWXcu`7P&CD*j{qzc|;7)^Tfla8+Df{T4(>}4&tG?Z$g zodd(j>?sww)`vxD?N5)Bn(#!B3zbMe*puhD8fut*<1qX^g53<^jDM9n$wbG6OHW1X zxF|=TPes^O#BBlAl-aa0pYc@TS(58@_WG@0%u3W8=g&%*B;3OclEAX76R$@C6RlCx0>W_l%%JDFedHoekJpe;pJ%4hkQO13d2vVYxN_0}}r;PiuU2$I&x-G)Bed*a!o zqYGU;502kzEQ{Y#jbeHHRzWw|n($k?u1MZ+iQkf`QR25s{MPp4x3m@28t_|7`gRwA za5ZwlR*eN9T!mX*i3;Bu2v;)?!qqGxTn`E13hkTE9Ld$pkbgay9k&h<}x^GFJ_B?HS@aI@ZDmg#Nua%*uG|IIB!@aEB7}#2PHO0i%m}^YJ*O zOOjM+$M&0##~B`J?z2MQGAA7h7p!<@6gfJFk#?sinQVTrpSenNg;=+RwP*=Dny2&gCRb+( zkY+hO^^a;9$Qy0Ws!(vCn_L<4Myk6|lmNj8fu-_RBei^#0+TMZ6v``Mh(KG@T9~m4 zO6yNfQh@VMo%zVb-M{RrgVyn!cz^jQMcM*j6cd=x>Vz;n31;cbkN-=@rj2dH@&JtdUDbO&@;m(}!au;IH1-77?(qlcfrZcqb?Hu1) zZke4g{3+p;sh<*Fxjd-r&1^U>(k8Wm3HoTv>uE)xKx+x;{9#vbij{QZY@X9!zH*_ zEWwrA53bZ!RBHuSt_s1i2;Q=pi;Qe8fVV8%>Pocw*5EB$d3eiKiML!m-ZDUe98`X0&FYjGQ8X^-w&WM@Pxzw 
zED}Wqz>zk51K3=`2*MwhVYaH^T%3V;P%z$@#vwSk^v;F^Q6%WwWU1b1a*R37Ff~lzqZd04ICjLShC-bHxK`;zK3n9@N`*=i1*ILG%M86Fss zS9l0r;t*E$Vd(w{+&?bul@s;X^~N)BUPzq*Zeb~apmDxqu+aSk?p{pqc7t@G0|eKS z4d1_J4I%M-8zf~FK-6(`N92O@fPZmJSs?NdtQ=}utJQvdxHMz}7$s8X?a44!21I@D zk&}sg8ztLIL)@auSxDCNd(V!ZqdhnNP9R<5ZzB9_Rth@>lpu2ai%H9N+M|32!wipo z#V}zqYH`{3<54{!z=WjcA01*Mx$2aVi5!B7)qCTF!rj3`qDu-geYAO5TTCjYAAA-}{m}^l zv(_-fc7`fc-c4a|;}4Xh+zAhySRveiDMqK7)g9NfDLr5L-oU+%GJguIJ7`Z3;CagH zK(Xm$rn0|4(d&sn!)exPm~KtLwCKGW`T=pI4`f+*XdPjjdPk-=Yzuf!Fh#7&_{pmb zeg8`zJc;q-$t`8_zy( ziPqzX*5Gg2dH9=liNAS3{LKL53?{h5;ml=HA&4?>ZZ8g}oxL_B3Gke8 zI2;ZVhQeT?#IDjW2GTJ~j82Ksc~lsk#SuCi!yU}em!}FA@_*@aCoGFW?pQ04ri;fq2Al|;j3 z2n4IM4n$Hy0Dq!^%m*u#P$fm67N$yl>Sz6ly8g=8F3DYNnL6)Drp_y&N-{x8s8R`4 zdVbMeN~lr^RYI;Pp-L%HE1^n{JWFHJkAohJ2Zt)PmxU^+MzK6psi2oXcBWl|YrwfBgv~ z%lAEu(LOXzh<9&%075_WXh59|8I##=dr?T8Y_*>xz_y~0EFlr_=-xoT4~^0jfc}93 zw!tRP0MGx_$J^rIJz_pxc+$55Ov^|^_87bw3q%Asn)=a#Dg4)($Y~UZ#F~J=%5Y#( zy=w$7@qb%M@Jt|-E-(;|ZFx~>oUxCy;zIL8vO`y(001rUqx4i%!3>eF>J{#O#$Z8H zuxo#Tr4-yKFjg1=`3iF6BFcpr0eTv5XG3&%^<6mW-Q!qB7T#pSl$2~-{^Z*7+}~LD z`!kvVvQMz{eVCLlnA++dJXjNQXAOtO1a*jZNPnIx=pnF@PZfHJ&I0$+L%&aAlwV0O zo?m98_k;7P6NEbqaMU$;p2fE~PcTS!ryrp}A_L<~&~rQk;|+iG4j##q5z^J;}SS(=p59 zDSy3X6onUwah^}?(=igC(*8*9ocx_RIn5Fj`=enx`^LcmO}7WXssRctos{U5(*Mut zymNBc>dj9dJfdzQ6&7z7=I#kSKS2rP?SPvNCs0MpqLXQp%Rnp7_w&`-Cm^o7{?f746`z?Rf!A3-osCk z$R$7P1um(pZ=h~d;1csWWO`ApC#W_y;XFTO+Z5K9jLYLO2fMlmfPLV&;2e7n5PyC; z@rSyOc;;-&yY0Un87qW#*|<;h!7bXf19N=<+#=#-M@5&1g zQ=jL9pYKl!J1}ws=mUC?ghz^fns>OkOGik&@rn-_M<=hes2YNmcydzCntzUP)_j6`PPa(}@PQPj zSJ*!VvBGzAC>4!wVKQZqNPolE60bm=E#G0WgLKc2jPJl=eltB#aR53KSw+!LsY3WD zDwP<6R5ADI9mZB!{Y)5;Z^1nUt7o>h$atjjc)pbl$`C zM%A!v;$^C(ReN%}C#4@}3;Z~%yVbcOXU+*35HBFFZ!NkpE4?}E^nd2WbxP^enMbRn zk}cgjcvN~Cmxz+*VmuK(xLc>YtXoGlisjup1y9Xua_i_?E_lPGTSulw>DDRTI@|Bo z(NE`-fx(j%73b(ovMZGoNoL-(cr&oG&R_M*)p3>7Z=FT|>Tk4|gE?{|VEu#l|M<%0vfLh4*m-`A1RsENxHBiFm4xxqp3dlXP!cleB6S%bTPN9st&4lGZ(h@rFy2v`mfCBwd=Mx8EeKt*BOG 
zk}iG#Uc@Bb%QYVN7BEQ{ZgnM!`e~Y^ZxC|pUDNC%e2g$e`Dw}`T^giUVvs)e{El0bHEZ%?#QjXu9`d~ei6 zH5_)_iCXK z_PFMKe+Pa1c=pRaLbAm>mPaS-Q-oEgU~mh#&)8!x@kd1l4N`<-KRDp5!aukOAqo;> zDS}WuexkIwu(CZqvfYA<&_Va_tBH~|yx9uN(FKJ9(_5B&G@ z=kNFNttrwhMQ!XW9*JH=K9^_)LgmAPLdBgZ&{$NG>m4kYbhgCG1!OAH_sVI|_#>YG ztd^?6Y2yw2b4pIRZt`7TBWH@rXPK2a8-M*Ya~-*!^f<4o;6O$7h&g!^VGCjQt^|`r zU*I~GWo|t(Vp$C(D$8ljs6x-IAPp&@?4)`xlB)t}?O0DMe~jFicUMH5%1 zs}@bNhgEe`$YR;W(#SsQtpcBgw2BGoC#_Pd{IUB7$>nt2yATb6KZ#Ar+DQNKdmjBB zi;YEnV{|4>*L7^$w(SWfb~3STPV6hTZQHhO+t$Q(zTEHgCT!yE|sSe4p`=@xg7Bn1OCM{l<}Q_2xv9XPX1# zv(uBqt7O8E7z5|udUc70dCG|AIT(s6k~&9{E#rC;w$6@^>BnBaP#~q7s7W9fr0&!g z*SeWPwencH{k85Flzioq0Z%?0*#ev!VpSnqjw}!!zDlzqKy>-Qirgp=;EZ0LE1H!( zVi^dOP(*Ja_F2~#3YKW>lOcErbI%*SAew-FOlQJToo|MnU*@D8qYLw9`sI0G*+~9K zN$o@S0}caF!WUN*A#&0%=^7tcG7;#KG#NHZS}%j)vZ;(OGvEcB;P@5u2s1 zu?J-P6M|y+z?!kSq=n%C?%L?NqZ!rKU*}r$sOVhE?bqx0%8Ej&${cKamLRG4206jk*=SBJ=~L#r-%!Hd9(n;$hB`d#2a zF$bMYwYvkT<+>i1NZrj8>toUf4#7Zwq@LeVGmtN1lL}xvEwzMz3{I{5cVo-M({7Zl z7L(KNA!lWjjg+GN<)|(Nqt6!_9&o)4T?}Sgdi#~j{`Gdxd&Cz+hI-caIRmY;U)y4) z&YCI&99G7P=k){^%LaEit;;lX!CIUQ7JK>R%@7^xGkpxp(ii(uwGq(*0o1KHtv7^B zT)p23yWF7Y30@-r+VP8F%*+!61p?HmxD>X#v zkNsCyf^ZDou5QS;_9p_jh2U*Wr}RF?FZTDL5|%L^v%ToGYa*m8UofR7OeFN00lh0P z1cOMu%RM;0O0`K}l=pCUf^TvtC5?M2Zn?wJG^>C*m;fQb{+5INks+_yDuU@C!t0F# zW!iKcG|FRn@U-#QXlosa`8iPIB(Sn^FmokB(trolB%03%s8oq}RlI~mRlNVaX3&tb zIePT5RD~N?TB7pi_B)U94C&ax+nE3YKOp968T4(#brilyN@6!Av+1P$YcdH37#o=_8h=nLA47vWqJ?ptMK z)@J=KUA&g+?3ia7d}hTH|FGF~Cd;0_#~`Qm?>UX@V3}TZ4-TF%h~W1>G7zmdQtdJ3u@-oaF<(H9W(Y#g&}@1du%8 z&t`KGTZF_*Y#lXkRW)zUh1bysk=w}!F7*L?MI`o9!CHYVG&)%E-|0@~rW349m(c~$ zp-_+{V-=imQ4~~4$H&`u-&q>?L^PC$*tUikw;MmcOnCip;8v%Mz%iu>I`J!cLu!YZ z@ z$;(!V6a0&sd3Ehh4ReD-K9t9XeWZ$pp}tab>F|+C`8faK?-aH4ieLh*PJ8N{5_`twE_Z zY$ekGK6`hV>)j%XOzM5sAHoiD1iofeSVVq!tl|{F48m!vA#v!j`Xt!NVt44_sy0^LEctBp^$|7!-Cpe zSnAUm4%p8D!2C*b19| z8SdXZ`PiQ3JZ}e|c5^@B*d=|5-Qh~W4;ho^;5Tw~Rc%?{V-D}X07^^VVB@cirBd;E z*k=|G!`AfVrY|H27X%<_SA<$KfouR&vVG 
zm|6+d?QE9wO%ysQ*-lfu;z@+4)l~7?^gJBG(>OM5O58jyfO8k})77k^Jfr84*}8Xj zd@UIKh`pr^eX?zMq0>t{otDq5cXv;$cAr3kzRRDpnSrL&EX)~;;@OI7!rf$5Jj@+> zCWaUxps6f%d%L~%zTi)rZ72hMlGziw;c6H1ZMhy3vq!@KUAQYX6X4E3 z`AOTQc2?!M1C9_NfUYv@shlzEJFx90jaIM?bdr)cnHwGF(8fomJHnG_3V!m$(m=Zw z)6@=iiOnN^fig4tQBV>qS`$GEqmD3B2-*gyH|i@dTZ<7>W=J~65XPONy3w`I+MiET8-8@OL#b*`B{)HMt-qcrv zEV@eR3eL9s0Lx&f=PRH~ga$`7j1;?kU=zHQl~cv> zsnXoB2P_J;1fx2rD`CU?+Ko$qw)PN>8Tx4bUcyZyFlq~h9*|^L%9d4HHdvN~0Weea z7iHc{%t!FvFC}c!QMN?{WgR9GOd45wLL8$9K}sfm6w+bFC8*%{1+sFJXDpIv3_6eLM?m|f(rq`Bh={TI*w5Kw z5x{3Z1Pbt+g8CI)ivc>b_g4#md5cCxE&0T4?G$dEou-nu!IHUN=9J*s*p`f6-Xtx@t6ljOG_T}2GJ;@~v9 z$_)FHWiZq{{UR{S8{_ecYHtM8!i}IiO%Vt#_V4gS@UQynENC>wq!Q19M=2C_w6(i; z%Ou%3Ow351VbnSGWZg}5lp9Ytu1rDi*NVs>T*;9?V$)>P=RrErCmh<@LDlpnuYd!H zAvT7|3RW_V2!Zh#oFrmkx}tVt1(yqD4jMA<0S^1oI)3ql_x^+xzIUs{ryN;b*v8GcpNZI#<&> z=86;@IoVws9yVpSxzDj%Gsc9<0G4x{*!fj#-mK0Y$;sW^c)~k)%MY?;5Aei)u4g;1 z)J!Ww6qOl;W=nLzvIO7i#vA4S5W0)$z`xQoo;ObK{h8%~%PRuj8%6eOgo%b0$3;70 z<$D;>Iqh5O@$SDLLQ0F57ev?sf=(EihNBMRl6i!PG1OWqPr%-pI>s@&1Hgg&DAADW zH2Hk`Py9NAqWC(F5o%8P+!ORbNZb?P$^wP|*kRZRgUBP!l&`yplP{vIm=*kYs<;!g z?LX#Je>qA3GP|h+ zAwV8%m6mWY0gxG4tIRbr>O2nExBX?2Ehttw9G7(nn=3<*pFaHgyttsG0J=LH((2VI zx=A?ij72+48U|A=D1#SQf|ZH?@sO)2{$_M+)lV?LNiVg0%E5k=3Sbu-W39G2gX#IJ znHg;WzjW-;Mum+Q`;$;sVlxxW^ z^Q0^8E-h3mr>=R~?s=WcUMWu489m}@Zd}{Zs5GYaS{s)kF*65B{Y!LhN*tq|{%5O& zH;{@;Q}9pUqO_5A7JweCmtBCUlP+p^XDnXK6#F~a0h7l~Ce&k7fpOPSYG+`G{_yP* zEGKdo?A*WRf|ImOS1cxx({~?C4xT2$zxfST0{c=M`FNVtMFSc?<@6K=`Hu@?qsRi2 zlSD5ir|OTXwUK{1UuvUhsg+pNB09z^{;Pm~TvGF&$Je9Qzutx2lV@>_211H?ot}j4cUr0ce zck64Co=6oVoca*6LjI@FPJ_1}c3Vt0iX+&gA<;ZGT}FX6)R9Su%5RRh}c3l!YR56_x6Q)ncYM6tWsJ2cBkA!12P*q^vy7b;Wbk4X?*U% z(#?J|b%O$0wSRJfKdb!Y=IScSn$0pQEvK07k`dW2fY`A#n(WmY?@}cP`j(O+;|^pE zXJ}x}b%LYOc0;XDLEHU2{{-}vIdD%BAR)k%zRLnTX4{36%S6wlV(TFDdSplt#Jev1W!#0$ig zH%z*Fv&jb|#tdifhI~G7P=~UZNJ~Pi0&9C~!o zh1$?j)EZB7m`=k^k~at{Yx$^Wgl^cn2}%XX|FUnsr4VrY#AWaZ9we3l4d}fF0$>Qj zNPQ7VN=~Yi9l(9qewJN4*WK={EQ!@7kz>wY)zT2*}i!KW`~V2`Ymmp$JGiz 
z(w}kkc0WZ(joG_6YmH~uzk=y?xaToyRG0wD7>x)-=cJZT9wq-IcZ}6+NV7afNAtkR zI?(NUeYC=BlZ)aOY1w{Q^bF2@yOh* zLqFopW~X%HoypQt5(YFe^FxGw!}lN9EVdU6EO{rqDjP zJk|9E%X1g{Dl?S|?qFvQ`KKhk7lvpnlP~tE*cJB&t1@Um9NinlI-R8kbz;C(B&t7t+VkM*)8O(Ci`fyiGF!?VB=P~GHXp&5qz zkwc2u%8U-p%q7u_C%pzXis%5l&OK6>k@m{B<>Yc+NFvIBzs|k&3kJL+)LlBpU&^A5 zTvf#)_yqPcOGFKz^G@lK`|-i-b#~;?T$0-+5pB72K%$pi-Or2+$p&S65PL>G$#r$x7 zmHLFqzOgNb>N7tl5pk|ABTFVP`YPKPYfI;QE*)fwvq+7>sL{%H>2JevUG9_pE7mpU zE@f7+XCSOj#av;@TuZ$<_P?@>1%VSh+e_XEu$doqg?wR$igH>afNu4U1t|ySW!2Oq zorxPP`_)j z1hW-DxNi&D-JtVi@bAv7@`+U!WF%;2#b9FdWCgn9^$f z^#xQ>ao>T*}Pnke~Y?!jI4!Oek<2< zdrqv}964%w`(^i1Jj4O@a?cCxl1m+VUZPm}leRGKfIE`fA^&Ft@k4ZdW1x0dSG?Yl z2I=71VzKG# zj8*xVZ1wHj3GCcWhn@X#=YZKUYd^FFuiPy)8FEF43JgyH$>y~9pw&O00tbw?l^Nb! zk5a*RQQr3)s5LSqmQDT^G=VppU*tNc{AEK#(lG$Yh3-c*?eXQU;SR5NdfySq1?Lmx z@f+mvTMYBjnxd5OU)xJcE&mq-8nZLHJg9VbyjovenO~V5ydZJtPGW|6?(|Zj4<${!+C8oy z@upPH=7puC!wmo9rB$)wsR1v&PaS_T^iFm5ia7oB~0)?;kc zxegxXn*i>4*5*jc9D10RLoNC#5jljmIRS`bKVW4~1X>k^z$P;9yFv{@4%Qel8KE=n1xi&WlmBV52Zq|pPnqQaMF7dqpVb?<`}%(L+LWz9bhE^c#8um4<&z2d>o&`W z%HU&V_`J1^td0(rWrK|c&hUrQ^MLVtl@9dd zih7I%1Q{bHTox7ino6g5Br57&Z0QjLZ?1Q@r@i|S4n@3_(ImFlgozouo$ij#$Xl&i zDDoG2S&q}+p3)Nd!|Z$WPI)jfzPEELm&Z)2i87E1v>5TUmnKRC6XcY?P@yI)-8s*r zD9h7D{>V;RLF=KF{|1RXssV5^tDU9WP;TSf*|(Rfoqe$}>6TO5p`AN2`Mg02bT zzF+-#3?qKUgh#b}urNV)7Ha?nwuwib^fQ6t7!F^ZVuHDrP$>b4tp9X1Wv(yn2UUQ4sI@9N`_g$1y`T zW#sl7NVpS7IABx~cCr3EjDVYo*8E<@*w6IC^=YF0Ni7OG8z8RF9s-=&wYk+d8It$5 zYosPq2URh<=6U0M)&Ou6e&rlkZUP+hBI=`o2DzIbfxCCv11Xn7_W1k@_LJwM;s&v- zaW0^09ZGR};a_vzBu2{ABL=5U4^>Uw5Mm8LHU$#J6(wy^Qz{=Lj1D;y0Fc>{&y!*A zS_lWP)O|ZBgmt(;Ik_Guo?m@XEy-}Bl_)oa=U^A5W6B?ZuK*Iu8KTnvR8cP-l_)#T zC>1G{9|iQH7icty=-H$@za`T%PPKDJn{HKDEdMcAWlFL6Mo2)z+6KA14yvUdgoZG| z%X+tl=*LaDfuc-HGSz;j;}y}tehqKBi~Oe>gssLxa#GNbJm4SenAuG-$Z@p?QOYp` zF1Dd>G94l@goqx71Cfg1F`%c1S!8WF_vyRHYm9xHppwrBvU8gdod3%}zz}6rs58`5 zejp$1*L^VPvY~EHvOJN#5L!G#c3!WjMS=+R*-D~hIF`E$$BGhMmmAJ)@9UmCwX_vZ zVOC%`s53In*+@3oJ!R0#0BCN>3L}4O%k*oJ4@DgHQ-NE!Kmu6-A8<{AK>;BOJCtAW 
zk`xH;0Kvtt^*q;W@0Eo30(#((gx&&T0PtG_7ATzncERdIV{OTu=%2KGN!0XW6Rv-Q zN`~^GA?+abVfzUoe)v6kRH)8z;gr(JIqY?T`_(d`mb3`LR)aqa@J4N4Q=a3wEkY9Y z5M|xA>YnSxf2g-Ii1&VF-!(5?X<*r}+ox5w4IVWvLz`bXKupcSvj%Dt?4IG=p7lE<9>3o+%}B5lW54-#+x<q=soGk5<^^b9hfAuZY+HGQ-w=Z1Pp*$YOgD z34mp60rnkT8N0kd@H&7Zz~$@{{f2O1)`6_b<#928a0a_^Q*ssxt> zQC`cs5+`!4%n`DR0B{?R*&!v^yhO7;oFog6^n8YPr^IPf(E=2zVc4w!{98WGp;m?z zSGS{g%5RyYWPd0B8WDqxw*Zm1TC%&I*WRg+B|ly6&U{UV6@9)UOQ$(d$-Q_||pGsL~VibVu1G*?#KjKnN9Bu8HJJmV~Z+fS-5t+Oe|K0x~%&yV}ibPs1JNEO#6Y#u7v@IeLr+=CzkP1Nbma& z9T$0C`v@u-Z}k*m&h~HvVGb+bdL$>1NL5P9tW+z8HaV4{%-f z(M5I4UBQMZ0cO~iW8npzd*pKqA(tB?!r8hp)aCuxDMaM99$qqrmW(z$j`3Vwpw~2A zPYw=U+lVW&P4>>XRZ3X6K7mtwJ{|3`n`KJn?_L-YF2NBcTiTK*p0Le?{sjh?z-n-Yp-c4ay`m8x90R%fA{rUJ}>S#@$NO zk$!C0EfjWr-LI!G0xC@~-XIy#JViF;Id@5*LNuD1mzvp|n}czR9E)ima1V3lfp+;W z`pr19Vj}+ba^YsuY{~rEPk^v;{_X0%tRxT*5SBP9VqSFlA%iqa02_*k94vLe|MIbA zst&AKht0(mPogj*fr%DZG~ zg+SfNplY)>^T40j!)a>V$mCNqaJeeskb4dD#b$fMaQH0RXS0#h_H3h3bJ)QQ zFp3|0RxeK-ds6xr2CpLJRQ3yr>U$YLM4Prv;Jt<%b3UaQ#3_zYHBr&c+m6-4+st5TV^spk8IuWD`|Yl_z$VdEhEunYuU(IWce_ILVvlfeMz9>ye`r?TqWu z?|8s*!T|R+xhcD^bI6smiUN$A%o5lD=+%0&X~53p7F~y7sOyQ=>c@VXJ)f)&+Ag=k z-F{$j4W~j9kQ$vgeKW&oWowJDlc=z_pOb{N0$Kkpj?@Qt*2<~>>m)X7(A026E)Mq% z*!o%@`ePY9=?Ydi1;IBwm_VZH-;UxW#yJHZ$a5=(tHIF4WBYS9VgWE3RtN$k07P*B zvIe)Gas0+*B2N$_P?Z-^5auZqtMG_wKLY}W$q#+VG1-={lA?yW+;pYq5||2(GjEye z-3r#l=3Z^%<1a>QJqG~NW&TV5_@}&Yc>T{zXY~AMrtecyV2;68H~>FpI-_U(*zVQl z>pwHS@gZx}qrkk;Lw5#H<+UArpx4@NMGiTz{zkCc==o#)4S^NK;o-|T;DXfr+1mph zApTNbaUij(ta$O^1b;|7H;xNTpt=Ti0}|3tjsOlOGK(4?6C@f%%Us8;AMNN?%3p4u zAa1Yw-ebsi>xL^Be02;>8b=Z&2LS}fl+~c_i5127;!b7eTT=&s_seSz#?&8Ly*M#{4Z_BCIC`~RhcdK=Rc=<_g3n{3pjpQFB*E?{CG`(!+jZKE zW*IGuy&&e&qErV&+Q?P6mQqj5=q_B8C?jVgx}S{C!(gnB5d%w-q5P@&*Z( zL7+oO!22Rj{S=w{$m53bYZueHK8$lX4M>%Q9W&KGR^1R#a!OwZF3)WBvU*BQ?eFFf zMD^CrQPyr&<7Dx8GC;pPU=cAX_Or=rhb&Cr5e-WRCi#UnLJlnFZuRpv2A;(dNvZxR zto|so*EM{iFu0Ho-{8tAWc4Q6^#mmfz=~5}OHT*RSj4*s+PvxJ^Q`N$nQP@(#7>zbGkeodnBq2x^0lS}mhCtJ`EkdX*rG)H=qp 
zzZtEcqu*!`!i`S51GE<>>#})XNHdxamtSWO@B-3!_i>?^^r~?wD8ff69?;X{tb@SE zZH6hcbDOBoS6d4in?^`{6K$S6FkO<#>&Q!N7cn-JHXEzkWxZf==^Q9OY3G{`M#S|3 zMBd?rl>`OfXKP5O6T#>fyC#s+Xo7gS?*TrLD_3%q$7>v85JEi~zW{OOc8JA#^af4= z;6HNASlL7HwZFa>+}y*u#VQsJpR^BmkqoTmyI01jVA2NKSN`x@v=XWDn^dqXIjf7U zXOOltxiMrttt3hOGo6h=7l30v$Qoz?uAgg1fQ}Tlo+F=YNgafA$(E&Rhj;BH;~}QC z{|owX%Y)O9_^+`{lyQ#6v@Mo^RnhAbV3BQT1(Fq0YfNK|&0E{tjMhvZ*ECMDsWiWp zr6g#6q(*WPHCoG&u(l)2VBGeYppdSOU*z#T8b2MAJH&L~_eM*u<*$I2SMe0ji&^Go zB4@+uXe2eo6-WDNB|gDHX@xKDkHJk*PJPO&cBJJj#%dAV7@QA_{&2dod8OwBP(IlJ zBM6#bEsGN>$La9a4;YBEnyo}1k5rrda5EjrKite}Q>Q*GW2@=P5AlAXIaN(B(2?w! zO_QVJNf20T*r}ELQ8CpayHkI3v=u#aYdgYztqODPa@6(-WtJpCghe~mj<3bx-`;*3 zWO1a?azN8yTX=_8tY3!{!i55W0y!`fW!ya{i->u)0C9D6-bRExc zc`F&LwA)IweES=UQ3fQT4+;$(N!RwTz?>oys^LUJ!2}%I?CjCUT}&6iww_;K!(E{E zxiJ?s@H-HQS1YWb0(uO+Cj60{B)q5fIreL~%kE&CV0{vHc=%4QZmHhBlkt1^SINy^ z;#9qCD3I^-ro2PvFM{5YGu13-(FY&NLY@jboR?75y^{IaNc5$t~T)t`rbrX}xF z?|4rRGlglWIxb`n<&)M6Fdrt zKzW@tiK@L7Nvr1pefVfN4_gGe7LiMX*ig7k_90l0&isYP*u3C=@JZm@2cKA3&{|XY zPSkvS;~r=! 
z$Z#9zO~n$X>N8&A_bzcIr10Xu&iCO?*x`np$rYj`XDP@!w;Q1}Kan2^H~labbY&^* zw#7@#Tq;q3%h{wpFIL25M1O-)R5)rHYQJjXKw-Vyab_Lkb|IgM?Ys%ZVEwl1#nGlP zrM$Q%clS$#h=86Oady}cR`zBVElQozTr7SqVpSui{K^Pb`#)89VkuE}hHasA!EG|_ z0{i%Rf*vWpuZnav6#O(H75j_NODY_QPgkZG__#QLV$uXVciOLX(Ky?>om&FyqNT)F1 z0e=PoTTL-KQ9ByB3iM89;L>2mYpc)^l}OF(LH?ok!dHk>Tui)X7jG{XKpM4dwe+V% zT97q305QMeGydqjOr`ubkz_BVW-_s`r=#^;9bo2#~RF8^bmGoyuq=Groqum zgv(F@sXSysHSo6ZYA+ZpF14lyi{NO%sUD^#YZ_HK&$HvpojhU##B=jFoptEeXPeNFb*$jDrU<2!uYHOucN~33REl z2*0Dx?n|TRzf8U2*NQ77A#0g0T6`KYG>p^+PvQ_NCQ;mY-$@{jm-@B=JlsEW-sPcs zzyc6ATIgu~fsh3y_#V&Ou9sk4fc-orfYvImjXGImQ8ozpUvMt{N`DFIP)p>G?q>J{ zgkpu3mM*c538w}hH=8oE0qkJXn!U}ou2D2TMg%fPc|1Nms-vfsLjvw0IsJr=EUG7# z%TStElC`nh!n@|=#IrLEN=2%k3N`*QyFtf70xON9aqH2%O&2!@3UfYPhG7$S0Glp_ z`{wdaC*=`mq5lUpID2HCm?k=os%UMQ_HS0RV?H*1oV+$uRmy^}t;l$zy9Lilpn|I= zG*1tRtWf@C)G`b96z5(zDmNPj!-g}bqLP4rmJ5t2C(2Ex?Og^su3)z<2Fy{VYN;MU z)K)=zJm~V=W9#|q=l;^;jS*vl06iJDiZpUvAqdz;|4{Y*!9*+Z2%P6_9=+_kWU|$J z%PbE`<)+~jGq2||#O_eQKklw8HF;ORB1f(N*qFMOqs+c2T{K_3)v@$irWe6frB+?P z5zFlA!HI!-kO|2DsF(eUR^T+DFDAhpu#~Gl!Y6#E+BDc#?n8cB6se;d(~pEV?uDrjMY2h??FQ6G z!VV_3-$k(9ck){&FSRejiV)`e`}_V|pQO(xoZMcwZ5kBq^G&mUlfTFJ6tN;(>WXBTk{M_z`yS+wzSS&Oo}=iUqJ2GYN>g}PMgnd@Xp`U zRsD#^-q#B9Nb zqS}f_+C}784mv)M_XX+~%pimT09o12w;K1Asm`ltD0^v2elFuWeEK+x#}|D!Oh`DS5e72jekgUSK%^tmW-N46Ct)fh0EWVzyaNc( zM>YeJ5+s+40eyO5j@2bI9(ql}mIjJDVcLNEFy02;?XFrzEaQm^rblYyuwlWqe+%9D z1g$`DvH-QLKrj1Gom>iw?v%V~I7S{v&~UXk)h$Li>I_ZUn{ClUNye2;?(6K3_D^^b z>SlU)%0f~4V|{b1#y<@&fPmS0IT>no8mEksNf210x%2z89NM;}A@tS=eX~E2^(bsT zBZU_}a5`gX^EIg}?VAhW6NIjXX8@Aw(H?Mv|K)X~5OB0(cXxTr+Kp}qCDl!L9P>Td zB~J4rk;F=@$J8uG6BBLNZ7)6$LL{Ri->FCAvR~9Duy4c|AqKh%Sb-bqnQ8`|-+?0( z{Eg3`(Izm0(IdjYif72Grwvq(sEQU=QmX)1l6}00pzdUGYPl}c;~+gxk;R}g$E9F? 
ziM=D>BqZG2Gv!=oE2fAjFE{ zThPKb9FR8vcaP3C{`ik|l<6@D2mh1)Ns7a}vvguc2Vk$wDLw5!09 zKxLcOuJ%!L+W5`pF|vM|^*d^tnbX6J7^ln1=D{{k>^dE{s{<)&yMe=_Mxo$&GHP2Z zRP0&{w@a^d?)_Nono*cVxe=cNMj1a>T@Q~Lw7XmwXN@`UQ1H=9{ zx_MdnR2!Z|W(5kzy_BznkvNPh?L(!l-_d$?>uq@yEX# zd5u_A?Kw?1qUi^HB84Q6T`)J|exApLaWFfQ`2S$i|6q3{@c%(T+W+u&\n\n**Note:** Please refer to the following before installing the solution: \n\n• Review the solution [Release Notes](https://github.com/Azure/Azure-Sentinel/tree/master/Solutions/Global%20Secure%20Access/ReleaseNotes.md)\n\n • There may be [known issues](https://aka.ms/sentinelsolutionsknownissues) pertaining to this Solution, please refer to them before installing.\n\n[Global Secure Access](https://aka.ms/GlobalSecureAccess) is a [domain solution](https://learn.microsoft.com/en-us/azure/sentinel/sentinel-solutions-catalog#domain-solutions) and does not include any data connectors. The content in this solution requires one of the product solutions below.\n\n**Prerequisite:**\n\nInstall one or more of the listed solutions to unlock the value provided by this solution.\n1. Microsoft Entra ID \n\n**Underlying Microsoft Technologies used:**\n\nThis solution depends on the following technologies, and some of these dependencies may either be in Preview state or might result in additional ingestion or operational costs:\n1. 
Product solutions as described above\n\n\n**Workbooks:** 2, **Analytic Rules:** 19, **Hunting Queries:** 21\n\n[Learn more about Microsoft Sentinel](https://aka.ms/azuresentinel) | [Learn more about Solutions](https://aka.ms/azuresentinelsolutionsdoc)",
+ "description": "\n\n**Note:** Please refer to the following before installing the solution: \n\n• Review the solution [Release Notes](https://github.com/Azure/Azure-Sentinel/tree/master/Solutions/Global%20Secure%20Access/ReleaseNotes.md)\n\n • There may be [known issues](https://aka.ms/sentinelsolutionsknownissues) pertaining to this Solution, please refer to them before installing.\n\n[Global Secure Access](https://aka.ms/GlobalSecureAccess) is a [domain solution](https://learn.microsoft.com/en-us/azure/sentinel/sentinel-solutions-catalog#domain-solutions) and does not include any data connectors. The content in this solution requires one of the product solutions below.\n\n**Prerequisite:**\n\nInstall one or more of the listed solutions to unlock the value provided by this solution.\n1. Microsoft Entra ID \n\n**Underlying Microsoft Technologies used:**\n\nThis solution depends on the following technologies, and some of these dependencies may either be in Preview state or might result in additional ingestion or operational costs:\n1. Product solutions as described above\n\n\n**Workbooks:** 2, **Analytic Rules:** 18, **Hunting Queries:** 21\n\n[Learn more about Microsoft Sentinel](https://aka.ms/azuresentinel) | [Learn more about Solutions](https://aka.ms/azuresentinelsolutionsdoc)",
 "subscription": {
 "resourceProviders": [
 "Microsoft.OperationsManagement/solutions",
@@ -150,13 +150,13 @@
 {
 "name": "analytic2",
 "type": "Microsoft.Common.Section",
- "label": "GSA - Detect IP Address Changes and Overlapping Sessions",
+ "label": "GSA Enriched Office 365 - Exchange AuditLog Disabled",
 "elements": [
 {
 "name": "analytic2-text",
 "type": "Microsoft.Common.TextBlock",
 "options": {
- "text": "This query identifies network sessions based on DeviceId and UserPrincipalName, then checks for changed IP addresses and overlapping session times."
+ "text": "Identifies when the Exchange audit logging has been disabled, which may indicate an adversary attempt to evade detection or bypass other defenses."
 }
 }
 ]
@@ -164,13 +164,13 @@
 {
 "name": "analytic3",
 "type": "Microsoft.Common.Section",
- "label": "GSA Enriched Office 365 - Exchange AuditLog Disabled",
+ "label": "GSA Enriched Office 365 - Accessed files shared by temporary external user",
 "elements": [
 {
 "name": "analytic3-text",
 "type": "Microsoft.Common.TextBlock",
 "options": {
- "text": "Identifies when the Exchange audit logging has been disabled, which may indicate an adversary attempt to evade detection or bypass other defenses."
+ "text": "This detection identifies when an external user is added to a Team or Teams chat and shares a file which is accessed by many users (>10) and the users is removed within short period of time. This might be an indicator of suspicious activity."
 }
 }
 ]
@@ -178,13 +178,13 @@
 {
 "name": "analytic4",
 "type": "Microsoft.Common.Section",
- "label": "GSA Enriched Office 365 - Accessed files shared by temporary external user",
+ "label": "GSA Enriched Office 365 - External User Added and Removed in Short Timeframe",
 "elements": [
 {
 "name": "analytic4-text",
 "type": "Microsoft.Common.TextBlock",
 "options": {
- "text": "This detection identifies when an external user is added to a Team or Teams chat and shares a file which is accessed by many users (>10) and the users is removed within short period of time. This might be an indicator of suspicious activity."
+ "text": "This detection flags the occurrences of external user accounts that are added to a Team and then removed within one hour."
 }
 }
 ]
@@ -192,13 +192,13 @@
 {
 "name": "analytic5",
 "type": "Microsoft.Common.Section",
- "label": "GSA Enriched Office 365 - External User Added and Removed in Short Timeframe",
+ "label": "GSA Enriched Office 365 - Mail Redirect via ExO Transport Rule",
 "elements": [
 {
 "name": "analytic5-text",
 "type": "Microsoft.Common.TextBlock",
 "options": {
- "text": "This detection flags the occurrences of external user accounts that are added to a Team and then removed within one hour."
+ "text": "Identifies when an Exchange Online transport rule is configured to forward emails.\nThis could indicate an adversary mailbox configured to collect mail from multiple user accounts."
 }
 }
 ]
@@ -206,13 +206,13 @@
 {
 "name": "analytic6",
 "type": "Microsoft.Common.Section",
- "label": "GSA Enriched Office 365 - Mail Redirect via ExO Transport Rule",
+ "label": "GSA Enriched Office 365 - Malicious Inbox Rule",
 "elements": [
 {
 "name": "analytic6-text",
 "type": "Microsoft.Common.TextBlock",
 "options": {
- "text": "Identifies when an Exchange Online transport rule is configured to forward emails.\nThis could indicate an adversary mailbox configured to collect mail from multiple user accounts."
+ "text": "Often times after the initial compromise the attackers create inbox rules to delete emails that contain certain keywords.\nThis is done so as to limit ability to warn compromised users that they've been compromised. Below is a sample query that tries to detect this.\nReference: https://www.reddit.com/r/sysadmin/comments/7kyp0a/recent_phishing_attempts_my_experience_and_what/"
 }
 }
 ]
@@ -220,13 +220,13 @@
 {
 "name": "analytic7",
 "type": "Microsoft.Common.Section",
- "label": "GSA Enriched Office 365 - Malicious Inbox Rule",
+ "label": "GSA Enriched Office 365 - Multiple Teams deleted by a single user",
 "elements": [
 {
 "name": "analytic7-text",
 "type": "Microsoft.Common.TextBlock",
 "options": {
- "text": "Often times after the initial compromise the attackers create inbox rules to delete emails that contain certain keywords.\nThis is done so as to limit ability to warn compromised users that they've been compromised. Below is a sample query that tries to detect this.\nReference: https://www.reddit.com/r/sysadmin/comments/7kyp0a/recent_phishing_attempts_my_experience_and_what/"
+ "text": "This detection flags the occurrences of deleting multiple teams within a day.\nThis data is a part of Office 365 Connector in Microsoft Sentinel."
 }
 }
 ]
@@ -234,13 +234,13 @@
 {
 "name": "analytic8",
 "type": "Microsoft.Common.Section",
- "label": "GSA Enriched Office 365 - Multiple Teams deleted by a single user",
+ "label": "GSA Enriched Office 365 - Multiple Users Email Forwarded to Same Destination",
 "elements": [
 {
 "name": "analytic8-text",
 "type": "Microsoft.Common.TextBlock",
 "options": {
- "text": "This detection flags the occurrences of deleting multiple teams within a day.\nThis data is a part of Office 365 Connector in Microsoft Sentinel."
+ "text": "Identifies when multiple (more than one) users' mailboxes are configured to forward to the same destination. \nThis could be an attacker-controlled destination mailbox configured to collect mail from multiple compromised user accounts."
 }
 }
 ]
@@ -248,13 +248,13 @@
 {
 "name": "analytic9",
 "type": "Microsoft.Common.Section",
- "label": "GSA Enriched Office 365 - Multiple Users Email Forwarded to Same Destination",
+ "label": "GSA Enriched Office 365 - Office Policy Tampering",
 "elements": [
 {
 "name": "analytic9-text",
 "type": "Microsoft.Common.TextBlock",
 "options": {
- "text": "Identifies when multiple (more than one) users' mailboxes are configured to forward to the same destination. \nThis could be an attacker-controlled destination mailbox configured to collect mail from multiple compromised user accounts."
+ "text": "Identifies if any tampering is done to either audit log, ATP Safelink, SafeAttachment, AntiPhish, or Dlp policy. \nAn adversary may use this technique to evade detection or avoid other policy-based defenses.\nReferences: https://docs.microsoft.com/powershell/module/exchange/advanced-threat-protection/remove-antiphishrule?view=exchange-ps."
 }
 }
 ]
@@ -262,13 +262,13 @@
 {
 "name": "analytic10",
 "type": "Microsoft.Common.Section",
- "label": "GSA Enriched Office 365 - Office Policy Tampering",
+ "label": "GSA Enriched Office 365 - New Executable via Office FileUploaded Operation",
 "elements": [
 {
 "name": "analytic10-text",
 "type": "Microsoft.Common.TextBlock",
 "options": {
- "text": "Identifies if any tampering is done to either audit log, ATP Safelink, SafeAttachment, AntiPhish, or Dlp policy. \nAn adversary may use this technique to evade detection or avoid other policy-based defenses.\nReferences: https://docs.microsoft.com/powershell/module/exchange/advanced-threat-protection/remove-antiphishrule?view=exchange-ps."
+ "text": "Identifies when executable file types are uploaded to Office services such as SharePoint and OneDrive.\nList currently includes exe, inf, gzip, cmd, bat file extensions.\nAdditionally, identifies when a given user is uploading these files to another user's workspace.\nThis may be an indication of a staging location for malware or other malicious activity."
 }
 }
 ]
@@ -276,13 +276,13 @@
 {
 "name": "analytic11",
 "type": "Microsoft.Common.Section",
- "label": "GSA Enriched Office 365 - New Executable via Office FileUploaded Operation",
+ "label": "GSA Enriched Office 365 - Rare and Potentially High-Risk Office Operations",
 "elements": [
 {
 "name": "analytic11-text",
 "type": "Microsoft.Common.TextBlock",
 "options": {
- "text": "Identifies when executable file types are uploaded to Office services such as SharePoint and OneDrive.\nList currently includes exe, inf, gzip, cmd, bat file extensions.\nAdditionally, identifies when a given user is uploading these files to another user's workspace.\nThis may be an indication of a staging location for malware or other malicious activity."
+ "text": "Identifies Office operations that are typically rare and can provide capabilities useful to attackers."
 }
 }
 ]
@@ -290,13 +290,13 @@
 {
 "name": "analytic12",
 "type": "Microsoft.Common.Section",
- "label": "GSA Enriched Office 365 - Rare and Potentially High-Risk Office Operations",
+ "label": "GSA Enriched Office 365 - SharePoint File Operation via Previously Unseen IPs",
 "elements": [
 {
 "name": "analytic12-text",
 "type": "Microsoft.Common.TextBlock",
 "options": {
- "text": "Identifies Office operations that are typically rare and can provide capabilities useful to attackers."
+ "text": "Identifies anomalies using user behavior by setting a threshold for significant changes in file upload/download activities from new IP addresses. It establishes a baseline of typical behavior, compares it to recent activity, and flags deviations exceeding a default threshold of 25."
 }
 }
 ]
@@ -304,13 +304,13 @@
 {
 "name": "analytic13",
 "type": "Microsoft.Common.Section",
- "label": "GSA Enriched Office 365 - SharePoint File Operation via Previously Unseen IPs",
+ "label": "GSA Enriched Office 365 - SharePointFileOperation via devices with previously unseen user agents",
 "elements": [
 {
 "name": "analytic13-text",
 "type": "Microsoft.Common.TextBlock",
 "options": {
- "text": "Identifies anomalies using user behavior by setting a threshold for significant changes in file upload/download activities from new IP addresses. It establishes a baseline of typical behavior, compares it to recent activity, and flags deviations exceeding a default threshold of 25."
+ "text": "Identifies anomalies if the number of documents uploaded or downloaded from device(s) associated with a previously unseen user agent exceeds a threshold (default is 5) and deviation (default is 25%)."
 }
 }
 ]
@@ -318,13 +318,13 @@
 {
 "name": "analytic14",
 "type": "Microsoft.Common.Section",
- "label": "GSA Enriched Office 365 - SharePointFileOperation via devices with previously unseen user agents",
+ "label": "GSA Enriched Office 365 - Sharepoint File Transfer Above Threshold",
 "elements": [
 {
 "name": "analytic14-text",
 "type": "Microsoft.Common.TextBlock",
 "options": {
- "text": "Identifies anomalies if the number of documents uploaded or downloaded from device(s) associated with a previously unseen user agent exceeds a threshold (default is 5) and deviation (default is 25%)."
+ "text": "Identifies Office365 SharePoint file transfers above a certain threshold in a 15-minute time period.\nPlease note that entity mapping for arrays is not supported, so when there is a single value in an array, we will pull that value from the array as a single string to populate the entity to support entity mapping features within Sentinel. Additionally, if the array is multivalued, we will input a string to indicate this with a unique hash so that matching will not occur."
 }
 }
 ]
@@ -338,7 +338,7 @@
 "name": "analytic15-text",
 "type": "Microsoft.Common.TextBlock",
 "options": {
- "text": "Identifies Office365 SharePoint file transfers above a certain threshold in a 15-minute time period.\nPlease note that entity mapping for arrays is not supported, so when there is a single value in an array, we will pull that value from the array as a single string to populate the entity to support entity mapping features within Sentinel. Additionally, if the array is multivalued, we will input a string to indicate this with a unique hash so that matching will not occur."
+ "text": "Identifies Office365 SharePoint file transfers with a distinct folder count above a certain threshold in a 15-minute time period. Please note that entity mapping for arrays is not supported, so when there is a single value in an array, we will pull that value from the array as a single string to populate the entity to support entity mapping features within Sentinel. Additionally, if the array is multivalued, we will input a string to indicate this with a unique hash so that matching will not occur."
 }
 }
 ]
@@ -346,13 +346,13 @@
 {
 "name": "analytic16",
 "type": "Microsoft.Common.Section",
- "label": "GSA Enriched Office 365 - Sharepoint File Transfer Above Threshold",
+ "label": "GSA - Detect Abnormal Deny Rate for Source to Destination IP",
 "elements": [
 {
 "name": "analytic16-text",
 "type": "Microsoft.Common.TextBlock",
 "options": {
- "text": "Identifies Office365 SharePoint file transfers with a distinct folder count above a certain threshold in a 15-minute time period. Please note that entity mapping for arrays is not supported, so when there is a single value in an array, we will pull that value from the array as a single string to populate the entity to support entity mapping features within Sentinel. Additionally, if the array is multivalued, we will input a string to indicate this with a unique hash so that matching will not occur."
+ "text": "Identifies abnormal deny rate for specific source IP to destination IP based on the normal average and standard deviation learned during a configured period. This can indicate potential exfiltration, initial access, or C2, where an attacker tries to exploit the same vulnerability on machines in the organization but is being blocked by firewall rules.\n\nConfigurable Parameters:\n - minimumOfStdsThreshold: The number of stds to use in the threshold calculation. Default is set to 3.\n - learningPeriodTime: Learning period for threshold calculation in days. Default is set to 5.\n - binTime: Learning buckets time in hours. Default is set to 1 hour.\n - minimumThreshold: Minimum threshold for alert. Default is set to 5.\n - minimumBucketThreshold: Minimum learning buckets threshold for alert. Default is set to 5."
 }
 }
 ]
@@ -360,13 +360,13 @@
 {
 "name": "analytic17",
 "type": "Microsoft.Common.Section",
- "label": "GSA - Detect Abnormal Deny Rate for Source to Destination IP",
+ "label": "GSA - Detect Protocol Changes for Destination Ports",
 "elements": [
 {
 "name": "analytic17-text",
 "type": "Microsoft.Common.TextBlock",
 "options": {
- "text": "Identifies abnormal deny rate for specific source IP to destination IP based on the normal average and standard deviation learned during a configured period. This can indicate potential exfiltration, initial access, or C2, where an attacker tries to exploit the same vulnerability on machines in the organization but is being blocked by firewall rules."
+ "text": "Identifies changes in the protocol used for specific destination ports, comparing the current runtime with a learned baseline.\nThis can indicate potential protocol misuse or configuration changes.\nConfigurable Parameters:\n- Learning period: The time range to establish the baseline. Default is set to 7 days.\n- Run time: The time range for current analysis. Default is set to 1 day."
 }
 }
 ]
@@ -374,27 +374,13 @@
 {
 "name": "analytic18",
 "type": "Microsoft.Common.Section",
- "label": "GSA - Detect Protocol Changes for Destination Ports",
- "elements": [
- {
- "name": "analytic18-text",
- "type": "Microsoft.Common.TextBlock",
- "options": {
- "text": "Identifies changes in the protocol used for specific destination ports, comparing the current runtime with a learned baseline. This can indicate potential protocol misuse or configuration changes."
- }
- }
- ]
- },
- {
- "name": "analytic19",
- "type": "Microsoft.Common.Section",
 "label": "GSA - Detect Source IP Scanning Multiple Open Ports",
 "elements": [
 {
- "name": "analytic19-text",
+ "name": "analytic18-text",
 "type": "Microsoft.Common.TextBlock",
 "options": {
- "text": "Identifies a source IP scanning multiple open ports on Global Secure Access Firewall. This can indicate malicious scanning of ports by an attacker, trying to reveal open ports in the organization that can be compromised for initial access."
+ "text": "Identifies a source IP scanning multiple open ports on Global Secure Access Firewall. This can indicate malicious scanning of ports by an attacker, trying to reveal open ports in the organization that can be compromised for initial access.\n Configurable Parameters:\n - Port scan time - the time range to look for multiple ports scanned. Default is set to 30 seconds.\n - Minimum different ports threshold - alert only if more than this number of ports scanned. Default is set to 100."
 }
 }
 ]
diff --git a/Solutions/Global Secure Access/Package/mainTemplate.json b/Solutions/Global Secure Access/Package/mainTemplate.json
index 4f1d323bb5b..f866ea7d3d5 100644
--- a/Solutions/Global Secure Access/Package/mainTemplate.json
+++ b/Solutions/Global Secure Access/Package/mainTemplate.json
@@ -66,137 +66,130 @@ "_workbookContentId2": "[variables('workbookContentId2')]", "_workbookcontentProductId2": "[concat(take(variables('_solutionId'),50),'-','wb','-', uniqueString(concat(variables('_solutionId'),'-','Workbook','-',variables('_workbookContentId2'),'-', variables('workbookVersion2'))))]", "analyticRuleObject1": { - "analyticRuleVersion1": "1.0.1", + "analyticRuleVersion1": "1.0.2", "_analyticRulecontentId1": "4c9f0a9e-44d7-4c9b-b7f0-f6a6e0d8f8fa", "analyticRuleId1": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', '4c9f0a9e-44d7-4c9b-b7f0-f6a6e0d8f8fa')]", "analyticRuleTemplateSpecName1": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring('4c9f0a9e-44d7-4c9b-b7f0-f6a6e0d8f8fa')))]", - "_analyticRulecontentProductId1": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','4c9f0a9e-44d7-4c9b-b7f0-f6a6e0d8f8fa','-', '1.0.1')))]" + "_analyticRulecontentProductId1": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','4c9f0a9e-44d7-4c9b-b7f0-f6a6e0d8f8fa','-', '1.0.2')))]" }, "analyticRuleObject2": { - "analyticRuleVersion2": "1.0.2", - "_analyticRulecontentId2": "57abf863-1c1e-46c6-85b2-35370b712c1e", - "analyticRuleId2": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', '57abf863-1c1e-46c6-85b2-35370b712c1e')]", - "analyticRuleTemplateSpecName2": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring('57abf863-1c1e-46c6-85b2-35370b712c1e')))]", - "_analyticRulecontentProductId2": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','57abf863-1c1e-46c6-85b2-35370b712c1e','-', '1.0.2')))]" + "analyticRuleVersion2": "2.0.8", + "_analyticRulecontentId2": "dc451755-8ab3-4059-b805-e454c45d1d44", 
+ "analyticRuleId2": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', 'dc451755-8ab3-4059-b805-e454c45d1d44')]", + "analyticRuleTemplateSpecName2": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring('dc451755-8ab3-4059-b805-e454c45d1d44')))]", + "_analyticRulecontentProductId2": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','dc451755-8ab3-4059-b805-e454c45d1d44','-', '2.0.8')))]" }, "analyticRuleObject3": { - "analyticRuleVersion3": "2.0.8", - "_analyticRulecontentId3": "dc451755-8ab3-4059-b805-e454c45d1d44", - "analyticRuleId3": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', 'dc451755-8ab3-4059-b805-e454c45d1d44')]", - "analyticRuleTemplateSpecName3": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring('dc451755-8ab3-4059-b805-e454c45d1d44')))]", - "_analyticRulecontentProductId3": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','dc451755-8ab3-4059-b805-e454c45d1d44','-', '2.0.8')))]" + "analyticRuleVersion3": "2.1.4", + "_analyticRulecontentId3": "4d38f80f-6b7d-4a1f-aeaf-e38df637e6ac", + "analyticRuleId3": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', '4d38f80f-6b7d-4a1f-aeaf-e38df637e6ac')]", + "analyticRuleTemplateSpecName3": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring('4d38f80f-6b7d-4a1f-aeaf-e38df637e6ac')))]", + "_analyticRulecontentProductId3": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','4d38f80f-6b7d-4a1f-aeaf-e38df637e6ac','-', '2.1.4')))]" }, "analyticRuleObject4": { "analyticRuleVersion4": "2.1.4", - "_analyticRulecontentId4": "4d38f80f-6b7d-4a1f-aeaf-e38df637e6ac", - 
"analyticRuleId4": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', '4d38f80f-6b7d-4a1f-aeaf-e38df637e6ac')]", - "analyticRuleTemplateSpecName4": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring('4d38f80f-6b7d-4a1f-aeaf-e38df637e6ac')))]", - "_analyticRulecontentProductId4": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','4d38f80f-6b7d-4a1f-aeaf-e38df637e6ac','-', '2.1.4')))]" + "_analyticRulecontentId4": "1a8f1297-23a4-4f09-a20b-90af8fc3641a", + "analyticRuleId4": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', '1a8f1297-23a4-4f09-a20b-90af8fc3641a')]", + "analyticRuleTemplateSpecName4": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring('1a8f1297-23a4-4f09-a20b-90af8fc3641a')))]", + "_analyticRulecontentProductId4": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','1a8f1297-23a4-4f09-a20b-90af8fc3641a','-', '2.1.4')))]" }, "analyticRuleObject5": { - "analyticRuleVersion5": "2.1.4", - "_analyticRulecontentId5": "1a8f1297-23a4-4f09-a20b-90af8fc3641a", - "analyticRuleId5": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', '1a8f1297-23a4-4f09-a20b-90af8fc3641a')]", - "analyticRuleTemplateSpecName5": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring('1a8f1297-23a4-4f09-a20b-90af8fc3641a')))]", - "_analyticRulecontentProductId5": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','1a8f1297-23a4-4f09-a20b-90af8fc3641a','-', '2.1.4')))]" + "analyticRuleVersion5": "2.1.5", + "_analyticRulecontentId5": "edcfc2e0-3134-434c-8074-9101c530d419", + "analyticRuleId5": 
"[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', 'edcfc2e0-3134-434c-8074-9101c530d419')]", + "analyticRuleTemplateSpecName5": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring('edcfc2e0-3134-434c-8074-9101c530d419')))]", + "_analyticRulecontentProductId5": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','edcfc2e0-3134-434c-8074-9101c530d419','-', '2.1.5')))]" }, "analyticRuleObject6": { - "analyticRuleVersion6": "2.1.5", - "_analyticRulecontentId6": "edcfc2e0-3134-434c-8074-9101c530d419", - "analyticRuleId6": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', 'edcfc2e0-3134-434c-8074-9101c530d419')]", - "analyticRuleTemplateSpecName6": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring('edcfc2e0-3134-434c-8074-9101c530d419')))]", - "_analyticRulecontentProductId6": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','edcfc2e0-3134-434c-8074-9101c530d419','-', '2.1.5')))]" + "analyticRuleVersion6": "2.0.6", + "_analyticRulecontentId6": "a9c76c8d-f60d-49ec-9b1f-bdfee6db3807", + "analyticRuleId6": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', 'a9c76c8d-f60d-49ec-9b1f-bdfee6db3807')]", + "analyticRuleTemplateSpecName6": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring('a9c76c8d-f60d-49ec-9b1f-bdfee6db3807')))]", + "_analyticRulecontentProductId6": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','a9c76c8d-f60d-49ec-9b1f-bdfee6db3807','-', '2.0.6')))]" }, "analyticRuleObject7": { "analyticRuleVersion7": "2.0.6", - "_analyticRulecontentId7": "a9c76c8d-f60d-49ec-9b1f-bdfee6db3807", - "analyticRuleId7": 
"[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', 'a9c76c8d-f60d-49ec-9b1f-bdfee6db3807')]", - "analyticRuleTemplateSpecName7": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring('a9c76c8d-f60d-49ec-9b1f-bdfee6db3807')))]", - "_analyticRulecontentProductId7": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','a9c76c8d-f60d-49ec-9b1f-bdfee6db3807','-', '2.0.6')))]" + "_analyticRulecontentId7": "db60e4b6-a845-4f28-a18c-94ebbaad6c6c", + "analyticRuleId7": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', 'db60e4b6-a845-4f28-a18c-94ebbaad6c6c')]", + "analyticRuleTemplateSpecName7": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring('db60e4b6-a845-4f28-a18c-94ebbaad6c6c')))]", + "_analyticRulecontentProductId7": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','db60e4b6-a845-4f28-a18c-94ebbaad6c6c','-', '2.0.6')))]" }, "analyticRuleObject8": { - "analyticRuleVersion8": "2.0.6", - "_analyticRulecontentId8": "db60e4b6-a845-4f28-a18c-94ebbaad6c6c", - "analyticRuleId8": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', 'db60e4b6-a845-4f28-a18c-94ebbaad6c6c')]", - "analyticRuleTemplateSpecName8": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring('db60e4b6-a845-4f28-a18c-94ebbaad6c6c')))]", - "_analyticRulecontentProductId8": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','db60e4b6-a845-4f28-a18c-94ebbaad6c6c','-', '2.0.6')))]" + "analyticRuleVersion8": "2.0.5", + "_analyticRulecontentId8": "d75e8289-d1cb-44d4-bd59-2f44a9172478", + "analyticRuleId8": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', 
'd75e8289-d1cb-44d4-bd59-2f44a9172478')]", + "analyticRuleTemplateSpecName8": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring('d75e8289-d1cb-44d4-bd59-2f44a9172478')))]", + "_analyticRulecontentProductId8": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','d75e8289-d1cb-44d4-bd59-2f44a9172478','-', '2.0.5')))]" }, "analyticRuleObject9": { - "analyticRuleVersion9": "2.0.5", - "_analyticRulecontentId9": "d75e8289-d1cb-44d4-bd59-2f44a9172478", - "analyticRuleId9": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', 'd75e8289-d1cb-44d4-bd59-2f44a9172478')]", - "analyticRuleTemplateSpecName9": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring('d75e8289-d1cb-44d4-bd59-2f44a9172478')))]", - "_analyticRulecontentProductId9": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','d75e8289-d1cb-44d4-bd59-2f44a9172478','-', '2.0.5')))]" + "analyticRuleVersion9": "2.0.6", + "_analyticRulecontentId9": "0f1f2b17-f9d6-4d2a-a0fb-a7ae1659e3eb", + "analyticRuleId9": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', '0f1f2b17-f9d6-4d2a-a0fb-a7ae1659e3eb')]", + "analyticRuleTemplateSpecName9": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring('0f1f2b17-f9d6-4d2a-a0fb-a7ae1659e3eb')))]", + "_analyticRulecontentProductId9": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','0f1f2b17-f9d6-4d2a-a0fb-a7ae1659e3eb','-', '2.0.6')))]" }, "analyticRuleObject10": { - "analyticRuleVersion10": "2.0.6", - "_analyticRulecontentId10": "0f1f2b17-f9d6-4d2a-a0fb-a7ae1659e3eb", - "analyticRuleId10": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', 
'0f1f2b17-f9d6-4d2a-a0fb-a7ae1659e3eb')]", - "analyticRuleTemplateSpecName10": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring('0f1f2b17-f9d6-4d2a-a0fb-a7ae1659e3eb')))]", - "_analyticRulecontentProductId10": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','0f1f2b17-f9d6-4d2a-a0fb-a7ae1659e3eb','-', '2.0.6')))]" + "analyticRuleVersion10": "2.0.7", + "_analyticRulecontentId10": "178c62b4-d5e5-40f5-8eab-7fccd0051e7a", + "analyticRuleId10": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', '178c62b4-d5e5-40f5-8eab-7fccd0051e7a')]", + "analyticRuleTemplateSpecName10": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring('178c62b4-d5e5-40f5-8eab-7fccd0051e7a')))]", + "_analyticRulecontentProductId10": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','178c62b4-d5e5-40f5-8eab-7fccd0051e7a','-', '2.0.7')))]" }, "analyticRuleObject11": { "analyticRuleVersion11": "2.0.7", - "_analyticRulecontentId11": "178c62b4-d5e5-40f5-8eab-7fccd0051e7a", - "analyticRuleId11": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', '178c62b4-d5e5-40f5-8eab-7fccd0051e7a')]", - "analyticRuleTemplateSpecName11": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring('178c62b4-d5e5-40f5-8eab-7fccd0051e7a')))]", - "_analyticRulecontentProductId11": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','178c62b4-d5e5-40f5-8eab-7fccd0051e7a','-', '2.0.7')))]" + "_analyticRulecontentId11": "433c254d-4b84-46f7-99ec-9dfefb5f6a7b", + "analyticRuleId11": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', '433c254d-4b84-46f7-99ec-9dfefb5f6a7b')]", + 
"analyticRuleTemplateSpecName11": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring('433c254d-4b84-46f7-99ec-9dfefb5f6a7b')))]", + "_analyticRulecontentProductId11": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','433c254d-4b84-46f7-99ec-9dfefb5f6a7b','-', '2.0.7')))]" }, "analyticRuleObject12": { - "analyticRuleVersion12": "2.0.7", - "_analyticRulecontentId12": "433c254d-4b84-46f7-99ec-9dfefb5f6a7b", - "analyticRuleId12": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', '433c254d-4b84-46f7-99ec-9dfefb5f6a7b')]", - "analyticRuleTemplateSpecName12": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring('433c254d-4b84-46f7-99ec-9dfefb5f6a7b')))]", - "_analyticRulecontentProductId12": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','433c254d-4b84-46f7-99ec-9dfefb5f6a7b','-', '2.0.7')))]" + "analyticRuleVersion12": "2.0.6", + "_analyticRulecontentId12": "7460e34e-4c99-47b2-b7c0-c42e339fc586", + "analyticRuleId12": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', '7460e34e-4c99-47b2-b7c0-c42e339fc586')]", + "analyticRuleTemplateSpecName12": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring('7460e34e-4c99-47b2-b7c0-c42e339fc586')))]", + "_analyticRulecontentProductId12": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','7460e34e-4c99-47b2-b7c0-c42e339fc586','-', '2.0.6')))]" }, "analyticRuleObject13": { - "analyticRuleVersion13": "2.0.6", - "_analyticRulecontentId13": "7460e34e-4c99-47b2-b7c0-c42e339fc586", - "analyticRuleId13": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', 
'7460e34e-4c99-47b2-b7c0-c42e339fc586')]", - "analyticRuleTemplateSpecName13": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring('7460e34e-4c99-47b2-b7c0-c42e339fc586')))]", - "_analyticRulecontentProductId13": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','7460e34e-4c99-47b2-b7c0-c42e339fc586','-', '2.0.6')))]" + "analyticRuleVersion13": "2.2.6", + "_analyticRulecontentId13": "efd17c5f-5167-40f8-a1e9-0818940785d9", + "analyticRuleId13": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', 'efd17c5f-5167-40f8-a1e9-0818940785d9')]", + "analyticRuleTemplateSpecName13": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring('efd17c5f-5167-40f8-a1e9-0818940785d9')))]", + "_analyticRulecontentProductId13": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','efd17c5f-5167-40f8-a1e9-0818940785d9','-', '2.2.6')))]" }, "analyticRuleObject14": { - "analyticRuleVersion14": "2.2.6", - "_analyticRulecontentId14": "efd17c5f-5167-40f8-a1e9-0818940785d9", - "analyticRuleId14": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', 'efd17c5f-5167-40f8-a1e9-0818940785d9')]", - "analyticRuleTemplateSpecName14": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring('efd17c5f-5167-40f8-a1e9-0818940785d9')))]", - "_analyticRulecontentProductId14": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','efd17c5f-5167-40f8-a1e9-0818940785d9','-', '2.2.6')))]" + "analyticRuleVersion14": "1.0.6", + "_analyticRulecontentId14": "30375d00-68cc-4f95-b89a-68064d566358", + "analyticRuleId14": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', 
'30375d00-68cc-4f95-b89a-68064d566358')]", + "analyticRuleTemplateSpecName14": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring('30375d00-68cc-4f95-b89a-68064d566358')))]", + "_analyticRulecontentProductId14": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','30375d00-68cc-4f95-b89a-68064d566358','-', '1.0.6')))]" }, "analyticRuleObject15": { - "analyticRuleVersion15": "1.0.6", - "_analyticRulecontentId15": "30375d00-68cc-4f95-b89a-68064d566358", - "analyticRuleId15": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', '30375d00-68cc-4f95-b89a-68064d566358')]", - "analyticRuleTemplateSpecName15": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring('30375d00-68cc-4f95-b89a-68064d566358')))]", - "_analyticRulecontentProductId15": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','30375d00-68cc-4f95-b89a-68064d566358','-', '1.0.6')))]" + "analyticRuleVersion15": "2.0.8", + "_analyticRulecontentId15": "abd6976d-8f71-4851-98c4-4d086201319c", + "analyticRuleId15": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', 'abd6976d-8f71-4851-98c4-4d086201319c')]", + "analyticRuleTemplateSpecName15": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring('abd6976d-8f71-4851-98c4-4d086201319c')))]", + "_analyticRulecontentProductId15": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','abd6976d-8f71-4851-98c4-4d086201319c','-', '2.0.8')))]" }, "analyticRuleObject16": { - "analyticRuleVersion16": "2.0.8", - "_analyticRulecontentId16": "abd6976d-8f71-4851-98c4-4d086201319c", - "analyticRuleId16": 
"[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', 'abd6976d-8f71-4851-98c4-4d086201319c')]", - "analyticRuleTemplateSpecName16": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring('abd6976d-8f71-4851-98c4-4d086201319c')))]", - "_analyticRulecontentProductId16": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','abd6976d-8f71-4851-98c4-4d086201319c','-', '2.0.8')))]" + "analyticRuleVersion16": "1.0.2", + "_analyticRulecontentId16": "e3b6a9e7-4c3a-45e6-8baf-1d3bfa8e0c2b", + "analyticRuleId16": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', 'e3b6a9e7-4c3a-45e6-8baf-1d3bfa8e0c2b')]", + "analyticRuleTemplateSpecName16": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring('e3b6a9e7-4c3a-45e6-8baf-1d3bfa8e0c2b')))]", + "_analyticRulecontentProductId16": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','e3b6a9e7-4c3a-45e6-8baf-1d3bfa8e0c2b','-', '1.0.2')))]" }, "analyticRuleObject17": { - "analyticRuleVersion17": "1.0.1", - "_analyticRulecontentId17": "e3b6a9e7-4c3a-45e6-8baf-1d3bfa8e0c2b", - "analyticRuleId17": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', 'e3b6a9e7-4c3a-45e6-8baf-1d3bfa8e0c2b')]", - "analyticRuleTemplateSpecName17": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring('e3b6a9e7-4c3a-45e6-8baf-1d3bfa8e0c2b')))]", - "_analyticRulecontentProductId17": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','e3b6a9e7-4c3a-45e6-8baf-1d3bfa8e0c2b','-', '1.0.1')))]" + "analyticRuleVersion17": "1.0.2", + "_analyticRulecontentId17": "f6a8d6a5-3e9f-47c8-a8d5-1b2b9d3b7d6a", + "analyticRuleId17": 
"[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', 'f6a8d6a5-3e9f-47c8-a8d5-1b2b9d3b7d6a')]", + "analyticRuleTemplateSpecName17": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring('f6a8d6a5-3e9f-47c8-a8d5-1b2b9d3b7d6a')))]", + "_analyticRulecontentProductId17": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','f6a8d6a5-3e9f-47c8-a8d5-1b2b9d3b7d6a','-', '1.0.2')))]" }, "analyticRuleObject18": { - "analyticRuleVersion18": "1.0.1", - "_analyticRulecontentId18": "f6a8d6a5-3e9f-47c8-a8d5-1b2b9d3b7d6a", - "analyticRuleId18": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', 'f6a8d6a5-3e9f-47c8-a8d5-1b2b9d3b7d6a')]", - "analyticRuleTemplateSpecName18": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring('f6a8d6a5-3e9f-47c8-a8d5-1b2b9d3b7d6a')))]", - "_analyticRulecontentProductId18": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','f6a8d6a5-3e9f-47c8-a8d5-1b2b9d3b7d6a','-', '1.0.1')))]" - }, - "analyticRuleObject19": { - "analyticRuleVersion19": "1.0.1", - "_analyticRulecontentId19": "82cfa6b9-5f7e-4b8b-8b2f-a63f21b7a7d1", - "analyticRuleId19": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', '82cfa6b9-5f7e-4b8b-8b2f-a63f21b7a7d1')]", - "analyticRuleTemplateSpecName19": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring('82cfa6b9-5f7e-4b8b-8b2f-a63f21b7a7d1')))]", - "_analyticRulecontentProductId19": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','82cfa6b9-5f7e-4b8b-8b2f-a63f21b7a7d1','-', '1.0.1')))]" + "analyticRuleVersion18": "1.0.2", + "_analyticRulecontentId18": "82cfa6b9-5f7e-4b8b-8b2f-a63f21b7a7d1", + 
"analyticRuleId18": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', '82cfa6b9-5f7e-4b8b-8b2f-a63f21b7a7d1')]", + "analyticRuleTemplateSpecName18": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring('82cfa6b9-5f7e-4b8b-8b2f-a63f21b7a7d1')))]", + "_analyticRulecontentProductId18": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','82cfa6b9-5f7e-4b8b-8b2f-a63f21b7a7d1','-', '1.0.2')))]" }, "huntingQueryObject1": { "huntingQueryVersion1": "2.0.3", 
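Review bot: Dropping contentId 57abf863-1c1e-46c6-85b2-35370b712c1e from the variables removes the "GSA - Detect IP Address Changes and Overlapping Sessions" template from new installs, but as far as I know a solution update does not delete an AlertRuleTemplate or its metadata that an earlier version already deployed to a workspace, so existing customers keep an orphaned template; consider calling this out in the solution's release notes. The renumbering itself is safe for identity purposes because each `_analyticRulecontentProductIdN` is derived from the contentId and version rather than the index, so only object 1 and the three rules bumped from 1.0.1 to 1.0.2 (new objects 16–18) get new product ids. The same deletion is carried through in the hunk at -610,120 below.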
@@ -500,7 +493,7 @@
 "description": "This query identifies connections that occur outside of the defined operational hours. It helps in monitoring and flagging any unusual activity that may occur during non-business hours, indicating potential security concerns or policy violations.",
 "displayName": "GSA - Detect Connections Outside Operational Hours",
 "enabled": false,
- "query": "let starttime = todatetime('{{StartTimeISO}}');\nlet endtime = todatetime('{{EndTimeISO}}');\nlet operational_start_hour = 8; // Start of operational hours (8 AM)\nlet operational_end_hour = 18; // End of operational hours (6 PM)\nNetworkAccessTraffic\n| where TimeGenerated between(starttime .. endtime)\n| extend HourOfDay = datetime_part('hour', TimeGenerated)\n| where HourOfDay < operational_start_hour or HourOfDay >= operational_end_hour\n| project TimeGenerated, UserPrincipalName, SourceIp, DestinationIp, DestinationPort, Action, DeviceId, DeviceOperatingSystem, ConnectionId\n| extend IPCustomEntity = SourceIp, AccountCustomEntity = UserPrincipalName\n",
+ "query": "let starttime = todatetime('{{StartTimeISO}}');\nlet endtime = todatetime('{{EndTimeISO}}');\nlet operational_start_hour = 8; // Start of operational hours (8 AM)\nlet operational_end_hour = 18; // End of operational hours (6 PM)\nNetworkAccessTraffic\n| where TimeGenerated between (starttime .. endtime)\n| extend HourOfDay = datetime_part('hour', TimeGenerated)\n| where HourOfDay < operational_start_hour or HourOfDay >= operational_end_hour\n| project TimeGenerated, UserPrincipalName, SourceIp, DestinationIp, DestinationPort, Action, DeviceId, DeviceOperatingSystem, ConnectionId\n| extend IPCustomEntity = SourceIp, AccountCustomEntity = UserPrincipalName\n",
 "queryFrequency": "PT1H",
 "queryPeriod": "PT24H",
 "severity": "High",
@@ -513,7 +506,7 @@
 {
 "connectorId": "AzureActiveDirectory",
 "dataTypes": [
- "EnrichedMicrosoft365AuditLogs"
+ "NetworkAccessTrafficLogs"
 ]
 }
 ],
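Review bot: The rewritten query still scopes itself with `todatetime('{{StartTimeISO}}')` / `todatetime('{{EndTimeISO}}')`, which to my knowledge are hunting-query placeholders that a scheduled analytics rule does not substitute; an unsubstituted token parses to null, `between (starttime .. endtime)` then matches nothing, and the rule silently never fires. Since `queryPeriod` is already PT24H, the two `let` lines and `| where TimeGenerated between (starttime .. endtime)` can be dropped and the platform lookback used instead. Separately, `datetime_part('hour', TimeGenerated)` evaluates in UTC, so `operational_start_hour = 8` means 08:00 UTC; a comment such as `// hours are evaluated in UTC (TimeGenerated); adjust for the tenant's local offset` would save the next analyst a false-positive hunt. The dataTypes fix in the second hunk does match the `NetworkAccessTraffic` table the query reads.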
@@ -526,22 +519,22 @@
 ],
 "entityMappings": [
 {
- "entityType": "Account",
 "fieldMappings": [
 {
- "identifier": "Name",
- "columnName": "AccountCustomEntity"
+ "columnName": "AccountCustomEntity",
+ "identifier": "Name"
 }
- ]
+ ],
+ "entityType": "Account"
 },
 {
- "entityType": "IP",
 "fieldMappings": [
 {
- "identifier": "Address",
- "columnName": "IPCustomEntity"
+ "columnName": "IPCustomEntity",
+ "identifier": "Address"
 }
- ]
+ ],
+ "entityType": "IP"
 }
 ]
 }
@@ -597,7 +590,7 @@
 "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
 ],
 "properties": {
- "description": "Identity - SharedSessions_AnalyticalRules Analytics Rule with template version 3.0.0",
+ "description": "Office 365 - exchange_auditlogdisabled_AnalyticalRules Analytics Rule with template version 3.0.0",
 "mainTemplate": {
 "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
 "contentVersion": "[variables('analyticRuleObject2').analyticRuleVersion2]",
@@ -610,120 +603,6 @@ "apiVersion": "2023-02-01-preview", "kind": "Scheduled", "location": "[parameters('workspace-location')]", - "properties": { - "description": "This query identifies network sessions based on DeviceId and UserPrincipalName, then checks for changed IP addresses and overlapping session times.", - "displayName": "GSA - Detect IP Address Changes and Overlapping Sessions", - "enabled": false, - "query": "// Identify sessions\nlet sessions = \n NetworkAccessTraffic\n | summarize \n StartTime = min(TimeGenerated), \n EndTime = max(TimeGenerated), \n SourceIps = make_set(SourceIp) \n by DeviceId, UserPrincipalName, SessionId\n | sort by StartTime asc;\n// Check for changed IP addresses and overlapping session times\nsessions\n | extend PreviousSourceIps = prev(SourceIps, 1)\n | extend PreviousEndTime = prev(EndTime, 1)\n | extend PreviousDeviceId = prev(DeviceId, 1)\n | extend PreviousUserPrincipalName = prev(UserPrincipalName, 1)\n | where DeviceId == PreviousDeviceId \n and UserPrincipalName == PreviousUserPrincipalName\n | where array_length(set_difference(SourceIps, PreviousSourceIps)) > 0 // Check if the current and previous IP sets differ\n | where PreviousEndTime > StartTime // Check for overlapping session times\n | project \n DeviceId, \n UserPrincipalName, \n SourceIps, \n PreviousSourceIps, \n StartTime, \n EndTime, \n PreviousEndTime\n | extend \n IPCustomEntity = tostring(array_slice(SourceIps, 0, 1)[0]), \n PreviousIPCustomEntity = tostring(array_slice(PreviousSourceIps, 0, 1)[0]), \n AccountCustomEntity = UserPrincipalName\n", - "queryFrequency": "PT1H", - "queryPeriod": "PT24H", - "severity": "High", - "suppressionDuration": "PT1H", - "suppressionEnabled": false, - "triggerOperator": "GreaterThan", - "triggerThreshold": 0, - "status": "Available", - "requiredDataConnectors": [ - { - "connectorId": "AzureActiveDirectory", - "dataTypes": [ - "EnrichedMicrosoft365AuditLogs" - ] - } - ], - "tactics": [ - "InitialAccess" - ], - "techniques": 
[ - "T1078", - "T1133" - ], - "entityMappings": [ - { - "entityType": "Account", - "fieldMappings": [ - { - "identifier": "Name", - "columnName": "AccountCustomEntity" - } - ] - }, - { - "entityType": "IP", - "fieldMappings": [ - { - "identifier": "Address", - "columnName": "IPCustomEntity" - } - ] - } - ] - } - }, - { - "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", - "apiVersion": "2022-01-01-preview", - "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleObject2').analyticRuleId2,'/'))))]", - "properties": { - "description": "Global Secure Access Analytics Rule 2", - "parentId": "[variables('analyticRuleObject2').analyticRuleId2]", - "contentId": "[variables('analyticRuleObject2')._analyticRulecontentId2]", - "kind": "AnalyticsRule", - "version": "[variables('analyticRuleObject2').analyticRuleVersion2]", - "source": { - "kind": "Solution", - "name": "Global Secure Access", - "sourceId": "[variables('_solutionId')]" - }, - "author": { - "name": "Microsoft", - "email": "[variables('_email')]" - }, - "support": { - "tier": "Partner", - "name": "Microsoft Corporation", - "email": "GSASentinelSupport@microsoft.com", - "link": "https://learn.microsoft.com/en-us/entra/global-secure-access/overview-what-is-global-secure-access" - } - } - } - ] - }, - "packageKind": "Solution", - "packageVersion": "[variables('_solutionVersion')]", - "packageName": "[variables('_solutionName')]", - "packageId": "[variables('_solutionId')]", - "contentSchemaVersion": "3.0.0", - "contentId": "[variables('analyticRuleObject2')._analyticRulecontentId2]", - "contentKind": "AnalyticsRule", - "displayName": "GSA - Detect IP Address Changes and Overlapping Sessions", - "contentProductId": "[variables('analyticRuleObject2')._analyticRulecontentProductId2]", - "id": "[variables('analyticRuleObject2')._analyticRulecontentProductId2]", - "version": 
"[variables('analyticRuleObject2').analyticRuleVersion2]" - } - }, - { - "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates", - "apiVersion": "2023-04-01-preview", - "name": "[variables('analyticRuleObject3').analyticRuleTemplateSpecName3]", - "location": "[parameters('workspace-location')]", - "dependsOn": [ - "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" - ], - "properties": { - "description": "Office 365 - exchange_auditlogdisabled_AnalyticalRules Analytics Rule with template version 3.0.0", - "mainTemplate": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "[variables('analyticRuleObject3').analyticRuleVersion3]", - "parameters": {}, - "variables": {}, - "resources": [ - { - "type": "Microsoft.SecurityInsights/AlertRuleTemplates", - "name": "[variables('analyticRuleObject3')._analyticRulecontentId3]", - "apiVersion": "2023-02-01-preview", - "kind": "Scheduled", - "location": "[parameters('workspace-location')]", "properties": { "description": "Identifies when the Exchange audit logging has been disabled, which may indicate an adversary attempt to evade detection or bypass other defenses.", "displayName": "GSA Enriched Office 365 - Exchange AuditLog Disabled", 
@@ -759,30 +638,30 @@ ], "entityMappings": [ { - "entityType": "Account", "fieldMappings": [ { - "identifier": "FullName", - "columnName": "UserId" + "columnName": "UserId", + "identifier": "FullName" }, { - "identifier": "Name", - "columnName": "AccountName" + "columnName": "AccountName", + "identifier": "Name" }, { - "identifier": "UPNSuffix", - "columnName": "AccountUPNSuffix" + "columnName": "AccountUPNSuffix", + "identifier": "UPNSuffix" } - ] + ], + "entityType": "Account" }, { - "entityType": "IP", "fieldMappings": [ { - "identifier": "Address", - "columnName": "ClientIP" + "columnName": "ClientIP", + "identifier": "Address" } - ] + ], + "entityType": "IP" } ] } @@ -790,13 +669,13 @@ { "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", "apiVersion": "2022-01-01-preview", - "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleObject3').analyticRuleId3,'/'))))]", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleObject2').analyticRuleId2,'/'))))]", "properties": { - "description": "Global Secure Access Analytics Rule 3", - "parentId": "[variables('analyticRuleObject3').analyticRuleId3]", - "contentId": "[variables('analyticRuleObject3')._analyticRulecontentId3]", + "description": "Global Secure Access Analytics Rule 2", + "parentId": "[variables('analyticRuleObject2').analyticRuleId2]", + "contentId": "[variables('analyticRuleObject2')._analyticRulecontentId2]", "kind": "AnalyticsRule", - "version": "[variables('analyticRuleObject3').analyticRuleVersion3]", + "version": "[variables('analyticRuleObject2').analyticRuleVersion2]", "source": { "kind": "Solution", "name": "Global Secure Access", 
@@ -821,18 +700,18 @@ "packageName": "[variables('_solutionName')]", "packageId": "[variables('_solutionId')]", "contentSchemaVersion": "3.0.0", - "contentId": "[variables('analyticRuleObject3')._analyticRulecontentId3]", + "contentId": "[variables('analyticRuleObject2')._analyticRulecontentId2]", "contentKind": "AnalyticsRule", "displayName": "GSA Enriched Office 365 - Exchange AuditLog Disabled", - "contentProductId": "[variables('analyticRuleObject3')._analyticRulecontentProductId3]", - "id": "[variables('analyticRuleObject3')._analyticRulecontentProductId3]", - "version": "[variables('analyticRuleObject3').analyticRuleVersion3]" + "contentProductId": "[variables('analyticRuleObject2')._analyticRulecontentProductId2]", + "id": "[variables('analyticRuleObject2')._analyticRulecontentProductId2]", + "version": "[variables('analyticRuleObject2').analyticRuleVersion2]" } }, { "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates", "apiVersion": "2023-04-01-preview", - "name": "[variables('analyticRuleObject4').analyticRuleTemplateSpecName4]", + "name": "[variables('analyticRuleObject3').analyticRuleTemplateSpecName3]", "location": "[parameters('workspace-location')]", "dependsOn": [ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" 
@@ -841,13 +720,13 @@ "description": "Office 365 - External User added to Team and immediately uploads file_AnalyticalRules Analytics Rule with template version 3.0.0", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "[variables('analyticRuleObject4').analyticRuleVersion4]", + "contentVersion": "[variables('analyticRuleObject3').analyticRuleVersion3]", "parameters": {}, "variables": {}, "resources": [ { "type": "Microsoft.SecurityInsights/AlertRuleTemplates", - "name": "[variables('analyticRuleObject4')._analyticRulecontentId4]", + "name": "[variables('analyticRuleObject3')._analyticRulecontentId3]", "apiVersion": "2023-02-01-preview", "kind": "Scheduled", "location": "[parameters('workspace-location')]", 
@@ -886,55 +765,55 @@ ], "entityMappings": [ { - "entityType": "Account", "fieldMappings": [ { - "identifier": "FullName", - "columnName": "MemberAdded" + "columnName": "MemberAdded", + "identifier": "FullName" }, { - "identifier": "Name", - "columnName": "MemberAddedAccountName" + "columnName": "MemberAddedAccountName", + "identifier": "Name" }, { - "identifier": "UPNSuffix", - "columnName": "MemberAddedAccountUPNSuffix" + "columnName": "MemberAddedAccountUPNSuffix", + "identifier": "UPNSuffix" } - ] + ], + "entityType": "Account" }, { - "entityType": "Account", "fieldMappings": [ { - "identifier": "FullName", - "columnName": "UserWhoAdded" + "columnName": "UserWhoAdded", + "identifier": "FullName" }, { - "identifier": "Name", - "columnName": "UserWhoAddedAccountName" + "columnName": "UserWhoAddedAccountName", + "identifier": "Name" }, { - "identifier": "UPNSuffix", - "columnName": "UserWhoAddedAccountUPNSuffix" + "columnName": "UserWhoAddedAccountUPNSuffix", + "identifier": "UPNSuffix" } - ] + ], + "entityType": "Account" }, { - "entityType": "Account", "fieldMappings": [ { - "identifier": "FullName", - "columnName": "UserWhoDeleted" + "columnName": "UserWhoDeleted", + "identifier": "FullName" }, { - "identifier": "Name", - "columnName": "UserWhoDeletedAccountName" + "columnName": "UserWhoDeletedAccountName", + "identifier": "Name" }, { - "identifier": "UPNSuffix", - "columnName": "UserWhoDeletedAccountUPNSuffix" + "columnName": "UserWhoDeletedAccountUPNSuffix", + "identifier": "UPNSuffix" } - ] + ], + "entityType": "Account" } ] } 
@@ -942,13 +821,13 @@ { "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", "apiVersion": "2022-01-01-preview", - "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleObject4').analyticRuleId4,'/'))))]", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleObject3').analyticRuleId3,'/'))))]", "properties": { - "description": "Global Secure Access Analytics Rule 4", - "parentId": "[variables('analyticRuleObject4').analyticRuleId4]", - "contentId": "[variables('analyticRuleObject4')._analyticRulecontentId4]", + "description": "Global Secure Access Analytics Rule 3", + "parentId": "[variables('analyticRuleObject3').analyticRuleId3]", + "contentId": "[variables('analyticRuleObject3')._analyticRulecontentId3]", "kind": "AnalyticsRule", - "version": "[variables('analyticRuleObject4').analyticRuleVersion4]", + "version": "[variables('analyticRuleObject3').analyticRuleVersion3]", "source": { "kind": "Solution", "name": "Global Secure Access", 
@@ -973,18 +852,18 @@ "packageName": "[variables('_solutionName')]", "packageId": "[variables('_solutionId')]", "contentSchemaVersion": "3.0.0", - "contentId": "[variables('analyticRuleObject4')._analyticRulecontentId4]", + "contentId": "[variables('analyticRuleObject3')._analyticRulecontentId3]", "contentKind": "AnalyticsRule", "displayName": "GSA Enriched Office 365 - Accessed files shared by temporary external user", - "contentProductId": "[variables('analyticRuleObject4')._analyticRulecontentProductId4]", - "id": "[variables('analyticRuleObject4')._analyticRulecontentProductId4]", - "version": "[variables('analyticRuleObject4').analyticRuleVersion4]" + "contentProductId": "[variables('analyticRuleObject3')._analyticRulecontentProductId3]", + "id": "[variables('analyticRuleObject3')._analyticRulecontentProductId3]", + "version": "[variables('analyticRuleObject3').analyticRuleVersion3]" } }, { "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates", "apiVersion": "2023-04-01-preview", - "name": "[variables('analyticRuleObject5').analyticRuleTemplateSpecName5]", + "name": "[variables('analyticRuleObject4').analyticRuleTemplateSpecName4]", "location": "[parameters('workspace-location')]", "dependsOn": [ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" 
@@ -993,13 +872,13 @@ "description": "Office 365 - ExternalUserAddedRemovedInTeams_AnalyticalRules Analytics Rule with template version 3.0.0", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "[variables('analyticRuleObject5').analyticRuleVersion5]", + "contentVersion": "[variables('analyticRuleObject4').analyticRuleVersion4]", "parameters": {}, "variables": {}, "resources": [ { "type": "Microsoft.SecurityInsights/AlertRuleTemplates", - "name": "[variables('analyticRuleObject5')._analyticRulecontentId5]", + "name": "[variables('analyticRuleObject4')._analyticRulecontentId4]", "apiVersion": "2023-02-01-preview", "kind": "Scheduled", "location": "[parameters('workspace-location')]", 
@@ -1038,64 +917,64 @@ ], "entityMappings": [ { - "entityType": "Account", "fieldMappings": [ { - "identifier": "FullName", - "columnName": "MemberAdded_Removed" + "columnName": "MemberAdded_Removed", + "identifier": "FullName" }, { - "identifier": "Name", - "columnName": "MemberAdded_RemovedAccountName" + "columnName": "MemberAdded_RemovedAccountName", + "identifier": "Name" }, { - "identifier": "UPNSuffix", - "columnName": "MemberAdded_RemovedAccountUPNSuffix" + "columnName": "MemberAdded_RemovedAccountUPNSuffix", + "identifier": "UPNSuffix" } - ] + ], + "entityType": "Account" }, { - "entityType": "Account", "fieldMappings": [ { - "identifier": "FullName", - "columnName": "UserWhoAdded" + "columnName": "UserWhoAdded", + "identifier": "FullName" }, { - "identifier": "Name", - "columnName": "UserWhoAddedAccountName" + "columnName": "UserWhoAddedAccountName", + "identifier": "Name" }, { - "identifier": "UPNSuffix", - "columnName": "UserWhoAddedAccountUPNSuffix" + "columnName": "UserWhoAddedAccountUPNSuffix", + "identifier": "UPNSuffix" } - ] + ], + "entityType": "Account" }, { - "entityType": "Account", "fieldMappings": [ { - "identifier": "FullName", - "columnName": "UserWhoDeleted" + "columnName": "UserWhoDeleted", + "identifier": "FullName" }, { - "identifier": "Name", - "columnName": "UserWhoDeletedAccountName" + "columnName": "UserWhoDeletedAccountName", + "identifier": "Name" }, { - "identifier": "UPNSuffix", - "columnName": "UserWhoDeletedAccountUPNSuffix" + "columnName": "UserWhoDeletedAccountUPNSuffix", + "identifier": "UPNSuffix" } - ] + ], + "entityType": "Account" }, { - "entityType": "IP", "fieldMappings": [ { - "identifier": "Address", - "columnName": "ClientIP" + "columnName": "ClientIP", + "identifier": "Address" } - ] + ], + "entityType": "IP" } ] } 
@@ -1103,13 +982,13 @@ { "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", "apiVersion": "2022-01-01-preview", - "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleObject5').analyticRuleId5,'/'))))]", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleObject4').analyticRuleId4,'/'))))]", "properties": { - "description": "Global Secure Access Analytics Rule 5", - "parentId": "[variables('analyticRuleObject5').analyticRuleId5]", - "contentId": "[variables('analyticRuleObject5')._analyticRulecontentId5]", + "description": "Global Secure Access Analytics Rule 4", + "parentId": "[variables('analyticRuleObject4').analyticRuleId4]", + "contentId": "[variables('analyticRuleObject4')._analyticRulecontentId4]", "kind": "AnalyticsRule", - "version": "[variables('analyticRuleObject5').analyticRuleVersion5]", + "version": "[variables('analyticRuleObject4').analyticRuleVersion4]", "source": { "kind": "Solution", "name": "Global Secure Access", 
@@ -1134,18 +1013,18 @@ "packageName": "[variables('_solutionName')]", "packageId": "[variables('_solutionId')]", "contentSchemaVersion": "3.0.0", - "contentId": "[variables('analyticRuleObject5')._analyticRulecontentId5]", + "contentId": "[variables('analyticRuleObject4')._analyticRulecontentId4]", "contentKind": "AnalyticsRule", "displayName": "GSA Enriched Office 365 - External User Added and Removed in Short Timeframe", - "contentProductId": "[variables('analyticRuleObject5')._analyticRulecontentProductId5]", - "id": "[variables('analyticRuleObject5')._analyticRulecontentProductId5]", - "version": "[variables('analyticRuleObject5').analyticRuleVersion5]" + "contentProductId": "[variables('analyticRuleObject4')._analyticRulecontentProductId4]", + "id": "[variables('analyticRuleObject4')._analyticRulecontentProductId4]", + "version": "[variables('analyticRuleObject4').analyticRuleVersion4]" } }, { "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates", "apiVersion": "2023-04-01-preview", - "name": "[variables('analyticRuleObject6').analyticRuleTemplateSpecName6]", + "name": "[variables('analyticRuleObject5').analyticRuleTemplateSpecName5]", "location": "[parameters('workspace-location')]", "dependsOn": [ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" 
@@ -1154,13 +1033,13 @@ "description": "Office 365 - Mail_redirect_via_ExO_transport_rule_AnalyticalRules Analytics Rule with template version 3.0.0", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "[variables('analyticRuleObject6').analyticRuleVersion6]", + "contentVersion": "[variables('analyticRuleObject5').analyticRuleVersion5]", "parameters": {}, "variables": {}, "resources": [ { "type": "Microsoft.SecurityInsights/AlertRuleTemplates", - "name": "[variables('analyticRuleObject6')._analyticRulecontentId6]", + "name": "[variables('analyticRuleObject5')._analyticRulecontentId5]", "apiVersion": "2023-02-01-preview", "kind": "Scheduled", "location": "[parameters('workspace-location')]", @@ -1201,30 +1080,30 @@ ], "entityMappings": [ { - "entityType": "Account", "fieldMappings": [ { - "identifier": "FullName", - "columnName": "UserId" + "columnName": "UserId", + "identifier": "FullName" }, { - "identifier": "Name", - "columnName": "AccountName" + "columnName": "AccountName", + "identifier": "Name" }, { - "identifier": "UPNSuffix", - "columnName": "AccountUPNSuffix" + "columnName": "AccountUPNSuffix", + "identifier": "UPNSuffix" } - ] + ], + "entityType": "Account" }, { - "entityType": "IP", "fieldMappings": [ { - "identifier": "Address", - "columnName": "IPAddress" + "columnName": "IPAddress", + "identifier": "Address" } - ] + ], + "entityType": "IP" } ] } 
@@ -1232,13 +1111,13 @@ { "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", "apiVersion": "2022-01-01-preview", - "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleObject6').analyticRuleId6,'/'))))]", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleObject5').analyticRuleId5,'/'))))]", "properties": { - "description": "Global Secure Access Analytics Rule 6", - "parentId": "[variables('analyticRuleObject6').analyticRuleId6]", - "contentId": "[variables('analyticRuleObject6')._analyticRulecontentId6]", + "description": "Global Secure Access Analytics Rule 5", + "parentId": "[variables('analyticRuleObject5').analyticRuleId5]", + "contentId": "[variables('analyticRuleObject5')._analyticRulecontentId5]", "kind": "AnalyticsRule", - "version": "[variables('analyticRuleObject6').analyticRuleVersion6]", + "version": "[variables('analyticRuleObject5').analyticRuleVersion5]", "source": { "kind": "Solution", "name": "Global Secure Access", 
@@ -1263,18 +1142,18 @@ "packageName": "[variables('_solutionName')]", "packageId": "[variables('_solutionId')]", "contentSchemaVersion": "3.0.0", - "contentId": "[variables('analyticRuleObject6')._analyticRulecontentId6]", + "contentId": "[variables('analyticRuleObject5')._analyticRulecontentId5]", "contentKind": "AnalyticsRule", "displayName": "GSA Enriched Office 365 - Mail Redirect via ExO Transport Rule", - "contentProductId": "[variables('analyticRuleObject6')._analyticRulecontentProductId6]", - "id": "[variables('analyticRuleObject6')._analyticRulecontentProductId6]", - "version": "[variables('analyticRuleObject6').analyticRuleVersion6]" + "contentProductId": "[variables('analyticRuleObject5')._analyticRulecontentProductId5]", + "id": "[variables('analyticRuleObject5')._analyticRulecontentProductId5]", + "version": "[variables('analyticRuleObject5').analyticRuleVersion5]" } }, { "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates", "apiVersion": "2023-04-01-preview", - "name": "[variables('analyticRuleObject7').analyticRuleTemplateSpecName7]", + "name": "[variables('analyticRuleObject6').analyticRuleTemplateSpecName6]", "location": "[parameters('workspace-location')]", "dependsOn": [ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" 
@@ -1283,13 +1162,13 @@ "description": "Office 365 - Malicious_Inbox_Rule_AnalyticalRules Analytics Rule with template version 3.0.0", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "[variables('analyticRuleObject7').analyticRuleVersion7]", + "contentVersion": "[variables('analyticRuleObject6').analyticRuleVersion6]", "parameters": {}, "variables": {}, "resources": [ { "type": "Microsoft.SecurityInsights/AlertRuleTemplates", - "name": "[variables('analyticRuleObject7')._analyticRulecontentId7]", + "name": "[variables('analyticRuleObject6')._analyticRulecontentId6]", "apiVersion": "2023-02-01-preview", "kind": "Scheduled", "location": "[parameters('workspace-location')]", @@ -1330,30 +1209,30 @@ ], "entityMappings": [ { - "entityType": "Account", "fieldMappings": [ { - "identifier": "FullName", - "columnName": "UserId" + "columnName": "UserId", + "identifier": "FullName" }, { - "identifier": "Name", - "columnName": "AccountName" + "columnName": "AccountName", + "identifier": "Name" }, { - "identifier": "UPNSuffix", - "columnName": "AccountUPNSuffix" + "columnName": "AccountUPNSuffix", + "identifier": "UPNSuffix" } - ] + ], + "entityType": "Account" }, { - "entityType": "IP", "fieldMappings": [ { - "identifier": "Address", - "columnName": "ClientIPAddress" + "columnName": "ClientIPAddress", + "identifier": "Address" } - ] + ], + "entityType": "IP" } ] } 
@@ -1361,13 +1240,13 @@ { "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", "apiVersion": "2022-01-01-preview", - "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleObject7').analyticRuleId7,'/'))))]", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleObject6').analyticRuleId6,'/'))))]", "properties": { - "description": "Global Secure Access Analytics Rule 7", - "parentId": "[variables('analyticRuleObject7').analyticRuleId7]", - "contentId": "[variables('analyticRuleObject7')._analyticRulecontentId7]", + "description": "Global Secure Access Analytics Rule 6", + "parentId": "[variables('analyticRuleObject6').analyticRuleId6]", + "contentId": "[variables('analyticRuleObject6')._analyticRulecontentId6]", "kind": "AnalyticsRule", - "version": "[variables('analyticRuleObject7').analyticRuleVersion7]", + "version": "[variables('analyticRuleObject6').analyticRuleVersion6]", "source": { "kind": "Solution", "name": "Global Secure Access", 
@@ -1392,18 +1271,18 @@ "packageName": "[variables('_solutionName')]", "packageId": "[variables('_solutionId')]", "contentSchemaVersion": "3.0.0", - "contentId": "[variables('analyticRuleObject7')._analyticRulecontentId7]", + "contentId": "[variables('analyticRuleObject6')._analyticRulecontentId6]", "contentKind": "AnalyticsRule", "displayName": "GSA Enriched Office 365 - Malicious Inbox Rule", - "contentProductId": "[variables('analyticRuleObject7')._analyticRulecontentProductId7]", - "id": "[variables('analyticRuleObject7')._analyticRulecontentProductId7]", - "version": "[variables('analyticRuleObject7').analyticRuleVersion7]" + "contentProductId": "[variables('analyticRuleObject6')._analyticRulecontentProductId6]", + "id": "[variables('analyticRuleObject6')._analyticRulecontentProductId6]", + "version": "[variables('analyticRuleObject6').analyticRuleVersion6]" } }, { "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates", "apiVersion": "2023-04-01-preview", - "name": "[variables('analyticRuleObject8').analyticRuleTemplateSpecName8]", + "name": "[variables('analyticRuleObject7').analyticRuleTemplateSpecName7]", "location": "[parameters('workspace-location')]", "dependsOn": [ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" 
@@ -1412,13 +1291,13 @@ "description": "Office 365 - MultipleTeamsDeletes_AnalyticalRules Analytics Rule with template version 3.0.0", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "[variables('analyticRuleObject8').analyticRuleVersion8]", + "contentVersion": "[variables('analyticRuleObject7').analyticRuleVersion7]", "parameters": {}, "variables": {}, "resources": [ { "type": "Microsoft.SecurityInsights/AlertRuleTemplates", - "name": "[variables('analyticRuleObject8')._analyticRulecontentId8]", + "name": "[variables('analyticRuleObject7')._analyticRulecontentId7]", "apiVersion": "2023-02-01-preview", "kind": "Scheduled", "location": "[parameters('workspace-location')]", @@ -1458,21 +1337,21 @@ ], "entityMappings": [ { - "entityType": "Account", "fieldMappings": [ { - "identifier": "FullName", - "columnName": "UserId" + "columnName": "UserId", + "identifier": "FullName" }, { - "identifier": "Name", - "columnName": "AccountName" + "columnName": "AccountName", + "identifier": "Name" }, { - "identifier": "UPNSuffix", - "columnName": "AccountUPNSuffix" + "columnName": "AccountUPNSuffix", + "identifier": "UPNSuffix" } - ] + ], + "entityType": "Account" } ] } 
@@ -1480,13 +1359,13 @@ { "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", "apiVersion": "2022-01-01-preview", - "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleObject8').analyticRuleId8,'/'))))]", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleObject7').analyticRuleId7,'/'))))]", "properties": { - "description": "Global Secure Access Analytics Rule 8", - "parentId": "[variables('analyticRuleObject8').analyticRuleId8]", - "contentId": "[variables('analyticRuleObject8')._analyticRulecontentId8]", + "description": "Global Secure Access Analytics Rule 7", + "parentId": "[variables('analyticRuleObject7').analyticRuleId7]", + "contentId": "[variables('analyticRuleObject7')._analyticRulecontentId7]", "kind": "AnalyticsRule", - "version": "[variables('analyticRuleObject8').analyticRuleVersion8]", + "version": "[variables('analyticRuleObject7').analyticRuleVersion7]", "source": { "kind": "Solution", "name": "Global Secure Access", 
@@ -1511,18 +1390,18 @@ "packageName": "[variables('_solutionName')]", "packageId": "[variables('_solutionId')]", "contentSchemaVersion": "3.0.0", - "contentId": "[variables('analyticRuleObject8')._analyticRulecontentId8]", + "contentId": "[variables('analyticRuleObject7')._analyticRulecontentId7]", "contentKind": "AnalyticsRule", "displayName": "GSA Enriched Office 365 - Multiple Teams deleted by a single user", - "contentProductId": "[variables('analyticRuleObject8')._analyticRulecontentProductId8]", - "id": "[variables('analyticRuleObject8')._analyticRulecontentProductId8]", - "version": "[variables('analyticRuleObject8').analyticRuleVersion8]" + "contentProductId": "[variables('analyticRuleObject7')._analyticRulecontentProductId7]", + "id": "[variables('analyticRuleObject7')._analyticRulecontentProductId7]", + "version": "[variables('analyticRuleObject7').analyticRuleVersion7]" } }, { "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates", "apiVersion": "2023-04-01-preview", - "name": "[variables('analyticRuleObject9').analyticRuleTemplateSpecName9]", + "name": "[variables('analyticRuleObject8').analyticRuleTemplateSpecName8]", "location": "[parameters('workspace-location')]", "dependsOn": [ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" 
@@ -1531,13 +1410,13 @@ "description": "Office 365 - Office_MailForwarding_AnalyticalRules Analytics Rule with template version 3.0.0", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "[variables('analyticRuleObject9').analyticRuleVersion9]", + "contentVersion": "[variables('analyticRuleObject8').analyticRuleVersion8]", "parameters": {}, "variables": {}, "resources": [ { "type": "Microsoft.SecurityInsights/AlertRuleTemplates", - "name": "[variables('analyticRuleObject9')._analyticRulecontentId9]", + "name": "[variables('analyticRuleObject8')._analyticRulecontentId8]", "apiVersion": "2023-02-01-preview", "kind": "Scheduled", "location": "[parameters('workspace-location')]", @@ -1578,30 +1457,30 @@ ], "entityMappings": [ { - "entityType": "Account", "fieldMappings": [ { - "identifier": "FullName", - "columnName": "UserId" + "columnName": "UserId", + "identifier": "FullName" }, { - "identifier": "Name", - "columnName": "AccountName" + "columnName": "AccountName", + "identifier": "Name" }, { - "identifier": "UPNSuffix", - "columnName": "AccountUPNSuffix" + "columnName": "AccountUPNSuffix", + "identifier": "UPNSuffix" } - ] + ], + "entityType": "Account" }, { - "entityType": "IP", "fieldMappings": [ { - "identifier": "Address", - "columnName": "ClientIP" + "columnName": "ClientIP", + "identifier": "Address" } - ] + ], + "entityType": "IP" } ] } 
@@ -1609,13 +1488,13 @@ { "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", "apiVersion": "2022-01-01-preview", - "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleObject9').analyticRuleId9,'/'))))]", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleObject8').analyticRuleId8,'/'))))]", "properties": { - "description": "Global Secure Access Analytics Rule 9", - "parentId": "[variables('analyticRuleObject9').analyticRuleId9]", - "contentId": "[variables('analyticRuleObject9')._analyticRulecontentId9]", + "description": "Global Secure Access Analytics Rule 8", + "parentId": "[variables('analyticRuleObject8').analyticRuleId8]", + "contentId": "[variables('analyticRuleObject8')._analyticRulecontentId8]", "kind": "AnalyticsRule", - "version": "[variables('analyticRuleObject9').analyticRuleVersion9]", + "version": "[variables('analyticRuleObject8').analyticRuleVersion8]", "source": { "kind": "Solution", "name": "Global Secure Access", 
@@ -1640,18 +1519,18 @@ "packageName": "[variables('_solutionName')]", "packageId": "[variables('_solutionId')]", "contentSchemaVersion": "3.0.0", - "contentId": "[variables('analyticRuleObject9')._analyticRulecontentId9]", + "contentId": "[variables('analyticRuleObject8')._analyticRulecontentId8]", "contentKind": "AnalyticsRule", "displayName": "GSA Enriched Office 365 - Multiple Users Email Forwarded to Same Destination", - "contentProductId": "[variables('analyticRuleObject9')._analyticRulecontentProductId9]", - "id": "[variables('analyticRuleObject9')._analyticRulecontentProductId9]", - "version": "[variables('analyticRuleObject9').analyticRuleVersion9]" + "contentProductId": "[variables('analyticRuleObject8')._analyticRulecontentProductId8]", + "id": "[variables('analyticRuleObject8')._analyticRulecontentProductId8]", + "version": "[variables('analyticRuleObject8').analyticRuleVersion8]" } }, { "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates", "apiVersion": "2023-04-01-preview", - "name": "[variables('analyticRuleObject10').analyticRuleTemplateSpecName10]", + "name": "[variables('analyticRuleObject9').analyticRuleTemplateSpecName9]", "location": "[parameters('workspace-location')]", "dependsOn": [ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" 
@@ -1660,13 +1539,13 @@ "description": "Office 365 - office_policytampering_AnalyticalRules Analytics Rule with template version 3.0.0", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "[variables('analyticRuleObject10').analyticRuleVersion10]", + "contentVersion": "[variables('analyticRuleObject9').analyticRuleVersion9]", "parameters": {}, "variables": {}, "resources": [ { "type": "Microsoft.SecurityInsights/AlertRuleTemplates", - "name": "[variables('analyticRuleObject10')._analyticRulecontentId10]", + "name": "[variables('analyticRuleObject9')._analyticRulecontentId9]", "apiVersion": "2023-02-01-preview", "kind": "Scheduled", "location": "[parameters('workspace-location')]", @@ -1707,30 +1586,30 @@ ], "entityMappings": [ { - "entityType": "Account", "fieldMappings": [ { - "identifier": "FullName", - "columnName": "UserId" + "columnName": "UserId", + "identifier": "FullName" }, { - "identifier": "Name", - "columnName": "AccountName" + "columnName": "AccountName", + "identifier": "Name" }, { - "identifier": "UPNSuffix", - "columnName": "AccountUPNSuffix" + "columnName": "AccountUPNSuffix", + "identifier": "UPNSuffix" } - ] + ], + "entityType": "Account" }, { - "entityType": "IP", "fieldMappings": [ { - "identifier": "Address", - "columnName": "ClientIP" + "columnName": "ClientIP", + "identifier": "Address" } - ] + ], + "entityType": "IP" } ] } 
@@ -1738,13 +1617,13 @@ { "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", "apiVersion": "2022-01-01-preview", - "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleObject10').analyticRuleId10,'/'))))]", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleObject9').analyticRuleId9,'/'))))]", "properties": { - "description": "Global Secure Access Analytics Rule 10", - "parentId": "[variables('analyticRuleObject10').analyticRuleId10]", - "contentId": "[variables('analyticRuleObject10')._analyticRulecontentId10]", + "description": "Global Secure Access Analytics Rule 9", + "parentId": "[variables('analyticRuleObject9').analyticRuleId9]", + "contentId": "[variables('analyticRuleObject9')._analyticRulecontentId9]", "kind": "AnalyticsRule", - "version": "[variables('analyticRuleObject10').analyticRuleVersion10]", + "version": "[variables('analyticRuleObject9').analyticRuleVersion9]", "source": { "kind": "Solution", "name": "Global Secure Access", 
@@ -1769,18 +1648,18 @@ "packageName": "[variables('_solutionName')]", "packageId": "[variables('_solutionId')]", "contentSchemaVersion": "3.0.0", - "contentId": "[variables('analyticRuleObject10')._analyticRulecontentId10]", + "contentId": "[variables('analyticRuleObject9')._analyticRulecontentId9]", "contentKind": "AnalyticsRule", "displayName": "GSA Enriched Office 365 - Office Policy Tampering", - "contentProductId": "[variables('analyticRuleObject10')._analyticRulecontentProductId10]", - "id": "[variables('analyticRuleObject10')._analyticRulecontentProductId10]", - "version": "[variables('analyticRuleObject10').analyticRuleVersion10]" + "contentProductId": "[variables('analyticRuleObject9')._analyticRulecontentProductId9]", + "id": "[variables('analyticRuleObject9')._analyticRulecontentProductId9]", + "version": "[variables('analyticRuleObject9').analyticRuleVersion9]" } }, { "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates", "apiVersion": "2023-04-01-preview", - "name": "[variables('analyticRuleObject11').analyticRuleTemplateSpecName11]", + "name": "[variables('analyticRuleObject10').analyticRuleTemplateSpecName10]", "location": "[parameters('workspace-location')]", "dependsOn": [ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" 
@@ -1789,13 +1668,13 @@ "description": "Office 365 - Office_Uploaded_Executables_AnalyticalRules Analytics Rule with template version 3.0.0", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "[variables('analyticRuleObject11').analyticRuleVersion11]", + "contentVersion": "[variables('analyticRuleObject10').analyticRuleVersion10]", "parameters": {}, "variables": {}, "resources": [ { "type": "Microsoft.SecurityInsights/AlertRuleTemplates", - "name": "[variables('analyticRuleObject11')._analyticRulecontentId11]", + "name": "[variables('analyticRuleObject10')._analyticRulecontentId10]", "apiVersion": "2023-02-01-preview", "kind": "Scheduled", "location": "[parameters('workspace-location')]", @@ -1836,48 +1715,48 @@ ], "entityMappings": [ { - "entityType": "Account", "fieldMappings": [ { - "identifier": "FullName", - "columnName": "UserId" + "columnName": "UserId", + "identifier": "FullName" }, { - "identifier": "Name", - "columnName": "AccountName" + "columnName": "AccountName", + "identifier": "Name" }, { - "identifier": "UPNSuffix", - "columnName": "AccountUPNSuffix" + "columnName": "AccountUPNSuffix", + "identifier": "UPNSuffix" } - ] + ], + "entityType": "Account" }, { - "entityType": "IP", "fieldMappings": [ { - "identifier": "Address", - "columnName": "ClientIP" + "columnName": "ClientIP", + "identifier": "Address" } - ] + ], + "entityType": "IP" }, { - "entityType": "URL", "fieldMappings": [ { - "identifier": "Url", - "columnName": "Site_Url" + "columnName": "Site_Url", + "identifier": "Url" } - ] + ], + "entityType": "URL" }, { - "entityType": "File", "fieldMappings": [ { - "identifier": "Name", - "columnName": "FileNames" + "columnName": "FileNames", + "identifier": "Name" } - ] + ], + "entityType": "File" } ] } 
@@ -1885,13 +1764,13 @@ { "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", "apiVersion": "2022-01-01-preview", - "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleObject11').analyticRuleId11,'/'))))]", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleObject10').analyticRuleId10,'/'))))]", "properties": { - "description": "Global Secure Access Analytics Rule 11", - "parentId": "[variables('analyticRuleObject11').analyticRuleId11]", - "contentId": "[variables('analyticRuleObject11')._analyticRulecontentId11]", + "description": "Global Secure Access Analytics Rule 10", + "parentId": "[variables('analyticRuleObject10').analyticRuleId10]", + "contentId": "[variables('analyticRuleObject10')._analyticRulecontentId10]", "kind": "AnalyticsRule", - "version": "[variables('analyticRuleObject11').analyticRuleVersion11]", + "version": "[variables('analyticRuleObject10').analyticRuleVersion10]", "source": { "kind": "Solution", "name": "Global Secure Access", 
@@ -1916,18 +1795,18 @@ "packageName": "[variables('_solutionName')]", "packageId": "[variables('_solutionId')]", "contentSchemaVersion": "3.0.0", - "contentId": "[variables('analyticRuleObject11')._analyticRulecontentId11]", + "contentId": "[variables('analyticRuleObject10')._analyticRulecontentId10]", "contentKind": "AnalyticsRule", "displayName": "GSA Enriched Office 365 - New Executable via Office FileUploaded Operation", - "contentProductId": "[variables('analyticRuleObject11')._analyticRulecontentProductId11]", - "id": "[variables('analyticRuleObject11')._analyticRulecontentProductId11]", - "version": "[variables('analyticRuleObject11').analyticRuleVersion11]" + "contentProductId": "[variables('analyticRuleObject10')._analyticRulecontentProductId10]", + "id": "[variables('analyticRuleObject10')._analyticRulecontentProductId10]", + "version": "[variables('analyticRuleObject10').analyticRuleVersion10]" } }, { "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates", "apiVersion": "2023-04-01-preview", - "name": "[variables('analyticRuleObject12').analyticRuleTemplateSpecName12]", + "name": "[variables('analyticRuleObject11').analyticRuleTemplateSpecName11]", "location": "[parameters('workspace-location')]", "dependsOn": [ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" 
@@ -1936,13 +1815,13 @@ "description": "Office 365 - RareOfficeOperations_AnalyticalRules Analytics Rule with template version 3.0.0", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "[variables('analyticRuleObject12').analyticRuleVersion12]", + "contentVersion": "[variables('analyticRuleObject11').analyticRuleVersion11]", "parameters": {}, "variables": {}, "resources": [ { "type": "Microsoft.SecurityInsights/AlertRuleTemplates", - "name": "[variables('analyticRuleObject12')._analyticRulecontentId12]", + "name": "[variables('analyticRuleObject11')._analyticRulecontentId11]", "apiVersion": "2023-02-01-preview", "kind": "Scheduled", "location": "[parameters('workspace-location')]", @@ -1983,30 +1862,30 @@ ], "entityMappings": [ { - "entityType": "Account", "fieldMappings": [ { - "identifier": "FullName", - "columnName": "UserId" + "columnName": "UserId", + "identifier": "FullName" }, { - "identifier": "Name", - "columnName": "AccountName" + "columnName": "AccountName", + "identifier": "Name" }, { - "identifier": "UPNSuffix", - "columnName": "AccountUPNSuffix" + "columnName": "AccountUPNSuffix", + "identifier": "UPNSuffix" } - ] + ], + "entityType": "Account" }, { - "entityType": "IP", "fieldMappings": [ { - "identifier": "Address", - "columnName": "ClientIPOnly" + "columnName": "ClientIPOnly", + "identifier": "Address" } - ] + ], + "entityType": "IP" } ] } 
@@ -2014,13 +1893,13 @@ { "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", "apiVersion": "2022-01-01-preview", - "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleObject12').analyticRuleId12,'/'))))]", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleObject11').analyticRuleId11,'/'))))]", "properties": { - "description": "Global Secure Access Analytics Rule 12", - "parentId": "[variables('analyticRuleObject12').analyticRuleId12]", - "contentId": "[variables('analyticRuleObject12')._analyticRulecontentId12]", + "description": "Global Secure Access Analytics Rule 11", + "parentId": "[variables('analyticRuleObject11').analyticRuleId11]", + "contentId": "[variables('analyticRuleObject11')._analyticRulecontentId11]", "kind": "AnalyticsRule", - "version": "[variables('analyticRuleObject12').analyticRuleVersion12]", + "version": "[variables('analyticRuleObject11').analyticRuleVersion11]", "source": { "kind": "Solution", "name": "Global Secure Access", 
@@ -2045,18 +1924,18 @@ "packageName": "[variables('_solutionName')]", "packageId": "[variables('_solutionId')]", "contentSchemaVersion": "3.0.0", - "contentId": "[variables('analyticRuleObject12')._analyticRulecontentId12]", + "contentId": "[variables('analyticRuleObject11')._analyticRulecontentId11]", "contentKind": "AnalyticsRule", "displayName": "GSA Enriched Office 365 - Rare and Potentially High-Risk Office Operations", - "contentProductId": "[variables('analyticRuleObject12')._analyticRulecontentProductId12]", - "id": "[variables('analyticRuleObject12')._analyticRulecontentProductId12]", - "version": "[variables('analyticRuleObject12').analyticRuleVersion12]" + "contentProductId": "[variables('analyticRuleObject11')._analyticRulecontentProductId11]", + "id": "[variables('analyticRuleObject11')._analyticRulecontentProductId11]", + "version": "[variables('analyticRuleObject11').analyticRuleVersion11]" } }, { "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates", "apiVersion": "2023-04-01-preview", - "name": "[variables('analyticRuleObject13').analyticRuleTemplateSpecName13]", + "name": "[variables('analyticRuleObject12').analyticRuleTemplateSpecName12]", "location": "[parameters('workspace-location')]", "dependsOn": [ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" 
@@ -2065,13 +1944,13 @@ "description": "Office 365 - SharePoint_Downloads_byNewIP_AnalyticalRules Analytics Rule with template version 3.0.0", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "[variables('analyticRuleObject13').analyticRuleVersion13]", + "contentVersion": "[variables('analyticRuleObject12').analyticRuleVersion12]", "parameters": {}, "variables": {}, "resources": [ { "type": "Microsoft.SecurityInsights/AlertRuleTemplates", - "name": "[variables('analyticRuleObject13')._analyticRulecontentId13]", + "name": "[variables('analyticRuleObject12')._analyticRulecontentId12]", "apiVersion": "2023-02-01-preview", "kind": "Scheduled", "location": "[parameters('workspace-location')]", @@ -2110,39 +1989,39 @@ ], "entityMappings": [ { - "entityType": "Account", "fieldMappings": [ { - "identifier": "FullName", - "columnName": "UserId" + "columnName": "UserId", + "identifier": "FullName" }, { - "identifier": "Name", - "columnName": "AccountName" + "columnName": "AccountName", + "identifier": "Name" }, { - "identifier": "UPNSuffix", - "columnName": "AccountUPNSuffix" + "columnName": "AccountUPNSuffix", + "identifier": "UPNSuffix" } - ] + ], + "entityType": "Account" }, { - "entityType": "IP", "fieldMappings": [ { - "identifier": "Address", - "columnName": "ClientIP" + "columnName": "ClientIP", + "identifier": "Address" } - ] + ], + "entityType": "IP" }, { - "entityType": "URL", "fieldMappings": [ { - "identifier": "Url", - "columnName": "Site_Url" + "columnName": "Site_Url", + "identifier": "Url" } - ] + ], + "entityType": "URL" } ] } 
@@ -2150,13 +2029,13 @@ { "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", "apiVersion": "2022-01-01-preview", - "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleObject13').analyticRuleId13,'/'))))]", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleObject12').analyticRuleId12,'/'))))]", "properties": { - "description": "Global Secure Access Analytics Rule 13", - "parentId": "[variables('analyticRuleObject13').analyticRuleId13]", - "contentId": "[variables('analyticRuleObject13')._analyticRulecontentId13]", + "description": "Global Secure Access Analytics Rule 12", + "parentId": "[variables('analyticRuleObject12').analyticRuleId12]", + "contentId": "[variables('analyticRuleObject12')._analyticRulecontentId12]", "kind": "AnalyticsRule", - "version": "[variables('analyticRuleObject13').analyticRuleVersion13]", + "version": "[variables('analyticRuleObject12').analyticRuleVersion12]", "source": { "kind": "Solution", "name": "Global Secure Access", 
@@ -2181,18 +2060,18 @@ "packageName": "[variables('_solutionName')]", "packageId": "[variables('_solutionId')]", "contentSchemaVersion": "3.0.0", - "contentId": "[variables('analyticRuleObject13')._analyticRulecontentId13]", + "contentId": "[variables('analyticRuleObject12')._analyticRulecontentId12]", "contentKind": "AnalyticsRule", "displayName": "GSA Enriched Office 365 - SharePoint File Operation via Previously Unseen IPs", - "contentProductId": "[variables('analyticRuleObject13')._analyticRulecontentProductId13]", - "id": "[variables('analyticRuleObject13')._analyticRulecontentProductId13]", - "version": "[variables('analyticRuleObject13').analyticRuleVersion13]" + "contentProductId": "[variables('analyticRuleObject12')._analyticRulecontentProductId12]", + "id": "[variables('analyticRuleObject12')._analyticRulecontentProductId12]", + "version": "[variables('analyticRuleObject12').analyticRuleVersion12]" } }, { "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates", "apiVersion": "2023-04-01-preview", - "name": "[variables('analyticRuleObject14').analyticRuleTemplateSpecName14]", + "name": "[variables('analyticRuleObject13').analyticRuleTemplateSpecName13]", "location": "[parameters('workspace-location')]", "dependsOn": [ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" 
@@ -2201,13 +2080,13 @@ "description": "Office 365 - SharePoint_Downloads_byNewUserAgent_AnalyticalRules Analytics Rule with template version 3.0.0", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "[variables('analyticRuleObject14').analyticRuleVersion14]", + "contentVersion": "[variables('analyticRuleObject13').analyticRuleVersion13]", "parameters": {}, "variables": {}, "resources": [ { "type": "Microsoft.SecurityInsights/AlertRuleTemplates", - "name": "[variables('analyticRuleObject14')._analyticRulecontentId14]", + "name": "[variables('analyticRuleObject13')._analyticRulecontentId13]", "apiVersion": "2023-02-01-preview", "kind": "Scheduled", "location": "[parameters('workspace-location')]", @@ -2246,39 +2125,39 @@ ], "entityMappings": [ { - "entityType": "Account", "fieldMappings": [ { - "identifier": "FullName", - "columnName": "UserId" + "columnName": "UserId", + "identifier": "FullName" }, { - "identifier": "Name", - "columnName": "UserIdName" + "columnName": "UserIdName", + "identifier": "Name" }, { - "identifier": "UPNSuffix", - "columnName": "UserIdUPNSuffix" + "columnName": "UserIdUPNSuffix", + "identifier": "UPNSuffix" } - ] + ], + "entityType": "Account" }, { - "entityType": "IP", "fieldMappings": [ { - "identifier": "Address", - "columnName": "ClientIP" + "columnName": "ClientIP", + "identifier": "Address" } - ] + ], + "entityType": "IP" }, { - "entityType": "URL", "fieldMappings": [ { - "identifier": "Url", - "columnName": "Site_Url" + "columnName": "Site_Url", + "identifier": "Url" } - ] + ], + "entityType": "URL" } ] } 
@@ -2286,13 +2165,13 @@ { "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", "apiVersion": "2022-01-01-preview", - "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleObject14').analyticRuleId14,'/'))))]", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleObject13').analyticRuleId13,'/'))))]", "properties": { - "description": "Global Secure Access Analytics Rule 14", - "parentId": "[variables('analyticRuleObject14').analyticRuleId14]", - "contentId": "[variables('analyticRuleObject14')._analyticRulecontentId14]", + "description": "Global Secure Access Analytics Rule 13", + "parentId": "[variables('analyticRuleObject13').analyticRuleId13]", + "contentId": "[variables('analyticRuleObject13')._analyticRulecontentId13]", "kind": "AnalyticsRule", - "version": "[variables('analyticRuleObject14').analyticRuleVersion14]", + "version": "[variables('analyticRuleObject13').analyticRuleVersion13]", "source": { "kind": "Solution", "name": "Global Secure Access", 
@@ -2317,18 +2196,18 @@ "packageName": "[variables('_solutionName')]", "packageId": "[variables('_solutionId')]", "contentSchemaVersion": "3.0.0", - "contentId": "[variables('analyticRuleObject14')._analyticRulecontentId14]", + "contentId": "[variables('analyticRuleObject13')._analyticRulecontentId13]", "contentKind": "AnalyticsRule", "displayName": "GSA Enriched Office 365 - SharePointFileOperation via devices with previously unseen user agents", - "contentProductId": "[variables('analyticRuleObject14')._analyticRulecontentProductId14]", - "id": "[variables('analyticRuleObject14')._analyticRulecontentProductId14]", - "version": "[variables('analyticRuleObject14').analyticRuleVersion14]" + "contentProductId": "[variables('analyticRuleObject13')._analyticRulecontentProductId13]", + "id": "[variables('analyticRuleObject13')._analyticRulecontentProductId13]", + "version": "[variables('analyticRuleObject13').analyticRuleVersion13]" } }, { "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates", "apiVersion": "2023-04-01-preview", - "name": "[variables('analyticRuleObject15').analyticRuleTemplateSpecName15]", + "name": "[variables('analyticRuleObject14').analyticRuleTemplateSpecName14]", "location": "[parameters('workspace-location')]", "dependsOn": [ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" 
@@ -2337,13 +2216,13 @@ "description": "Office 365 - sharepoint_file_transfer_above_threshold_AnalyticalRules Analytics Rule with template version 3.0.0", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "[variables('analyticRuleObject15').analyticRuleVersion15]", + "contentVersion": "[variables('analyticRuleObject14').analyticRuleVersion14]", "parameters": {}, "variables": {}, "resources": [ { "type": "Microsoft.SecurityInsights/AlertRuleTemplates", - "name": "[variables('analyticRuleObject15')._analyticRulecontentId15]", + "name": "[variables('analyticRuleObject14')._analyticRulecontentId14]", "apiVersion": "2023-02-01-preview", "kind": "Scheduled", "location": "[parameters('workspace-location')]", @@ -2382,39 +2261,39 @@ ], "entityMappings": [ { - "entityType": "Account", "fieldMappings": [ { - "identifier": "FullName", - "columnName": "UserId" + "columnName": "UserId", + "identifier": "FullName" }, { - "identifier": "Name", - "columnName": "AccountName" + "columnName": "AccountName", + "identifier": "Name" }, { - "identifier": "UPNSuffix", - "columnName": "AccountUPNSuffix" + "columnName": "AccountUPNSuffix", + "identifier": "UPNSuffix" } - ] + ], + "entityType": "Account" }, { - "entityType": "IP", "fieldMappings": [ { - "identifier": "Address", - "columnName": "ClientIP" + "columnName": "ClientIP", + "identifier": "Address" } - ] + ], + "entityType": "IP" }, { - "entityType": "File", "fieldMappings": [ { - "identifier": "Name", - "columnName": "FileSample" + "columnName": "FileSample", + "identifier": "Name" } - ] + ], + "entityType": "File" } ], "customDetails": { @@ -2424,9 +2303,9 @@ "incidentConfiguration": { "createIncident": true, "groupingConfiguration": { + "lookbackDuration": "PT5H", "reopenClosedIncident": false, "matchingMethod": "Selected", - "lookbackDuration": "PT5H", "groupByEntities": [ "Account" ], 
@@ -2438,13 +2317,13 @@ { "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", "apiVersion": "2022-01-01-preview", - "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleObject15').analyticRuleId15,'/'))))]", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleObject14').analyticRuleId14,'/'))))]", "properties": { - "description": "Global Secure Access Analytics Rule 15", - "parentId": "[variables('analyticRuleObject15').analyticRuleId15]", - "contentId": "[variables('analyticRuleObject15')._analyticRulecontentId15]", + "description": "Global Secure Access Analytics Rule 14", + "parentId": "[variables('analyticRuleObject14').analyticRuleId14]", + "contentId": "[variables('analyticRuleObject14')._analyticRulecontentId14]", "kind": "AnalyticsRule", - "version": "[variables('analyticRuleObject15').analyticRuleVersion15]", + "version": "[variables('analyticRuleObject14').analyticRuleVersion14]", "source": { "kind": "Solution", "name": "Global Secure Access", 
@@ -2469,18 +2348,18 @@ "packageName": "[variables('_solutionName')]", "packageId": "[variables('_solutionId')]", "contentSchemaVersion": "3.0.0", - "contentId": "[variables('analyticRuleObject15')._analyticRulecontentId15]", + "contentId": "[variables('analyticRuleObject14')._analyticRulecontentId14]", "contentKind": "AnalyticsRule", "displayName": "GSA Enriched Office 365 - Sharepoint File Transfer Above Threshold", - "contentProductId": "[variables('analyticRuleObject15')._analyticRulecontentProductId15]", - "id": "[variables('analyticRuleObject15')._analyticRulecontentProductId15]", - "version": "[variables('analyticRuleObject15').analyticRuleVersion15]" + "contentProductId": "[variables('analyticRuleObject14')._analyticRulecontentProductId14]", + "id": "[variables('analyticRuleObject14')._analyticRulecontentProductId14]", + "version": "[variables('analyticRuleObject14').analyticRuleVersion14]" } }, { "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates", "apiVersion": "2023-04-01-preview", - "name": "[variables('analyticRuleObject16').analyticRuleTemplateSpecName16]", + "name": "[variables('analyticRuleObject15').analyticRuleTemplateSpecName15]", "location": "[parameters('workspace-location')]", "dependsOn": [ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" 
@@ -2489,13 +2368,13 @@ "description": "Office 365 - sharepoint_file_transfer_folders_above_threshold_AnalyticalRules Analytics Rule with template version 3.0.0", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "[variables('analyticRuleObject16').analyticRuleVersion16]", + "contentVersion": "[variables('analyticRuleObject15').analyticRuleVersion15]", "parameters": {}, "variables": {}, "resources": [ { "type": "Microsoft.SecurityInsights/AlertRuleTemplates", - "name": "[variables('analyticRuleObject16')._analyticRulecontentId16]", + "name": "[variables('analyticRuleObject15')._analyticRulecontentId15]", "apiVersion": "2023-02-01-preview", "kind": "Scheduled", "location": "[parameters('workspace-location')]", @@ -2534,39 +2413,39 @@ ], "entityMappings": [ { - "entityType": "Account", "fieldMappings": [ { - "identifier": "FullName", - "columnName": "UserId" + "columnName": "UserId", + "identifier": "FullName" }, { - "identifier": "Name", - "columnName": "AccountName" + "columnName": "AccountName", + "identifier": "Name" }, { - "identifier": "UPNSuffix", - "columnName": "AccountUPNSuffix" + "columnName": "AccountUPNSuffix", + "identifier": "UPNSuffix" } - ] + ], + "entityType": "Account" }, { - "entityType": "IP", "fieldMappings": [ { - "identifier": "Address", - "columnName": "ClientIP" + "columnName": "ClientIP", + "identifier": "Address" } - ] + ], + "entityType": "IP" }, { - "entityType": "File", "fieldMappings": [ { - "identifier": "Name", - "columnName": "FileSample" + "columnName": "FileSample", + "identifier": "Name" } - ] + ], + "entityType": "File" } ], "customDetails": { @@ -2576,9 +2455,9 @@ "incidentConfiguration": { "createIncident": true, "groupingConfiguration": { + "lookbackDuration": "PT5H", "reopenClosedIncident": false, "matchingMethod": "Selected", - "lookbackDuration": "PT5H", "groupByEntities": [ "Account" ], 
@@ -2590,13 +2469,13 @@ { "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", "apiVersion": "2022-01-01-preview", - "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleObject16').analyticRuleId16,'/'))))]", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleObject15').analyticRuleId15,'/'))))]", "properties": { - "description": "Global Secure Access Analytics Rule 16", - "parentId": "[variables('analyticRuleObject16').analyticRuleId16]", - "contentId": "[variables('analyticRuleObject16')._analyticRulecontentId16]", + "description": "Global Secure Access Analytics Rule 15", + "parentId": "[variables('analyticRuleObject15').analyticRuleId15]", + "contentId": "[variables('analyticRuleObject15')._analyticRulecontentId15]", "kind": "AnalyticsRule", - "version": "[variables('analyticRuleObject16').analyticRuleVersion16]", + "version": "[variables('analyticRuleObject15').analyticRuleVersion15]", "source": { "kind": "Solution", "name": "Global Secure Access", 
@@ -2621,18 +2500,18 @@ "packageName": "[variables('_solutionName')]", "packageId": "[variables('_solutionId')]", "contentSchemaVersion": "3.0.0", - "contentId": "[variables('analyticRuleObject16')._analyticRulecontentId16]", + "contentId": "[variables('analyticRuleObject15')._analyticRulecontentId15]", "contentKind": "AnalyticsRule", "displayName": "GSA Enriched Office 365 - Sharepoint File Transfer Above Threshold", - "contentProductId": "[variables('analyticRuleObject16')._analyticRulecontentProductId16]", - "id": "[variables('analyticRuleObject16')._analyticRulecontentProductId16]", - "version": "[variables('analyticRuleObject16').analyticRuleVersion16]" + "contentProductId": "[variables('analyticRuleObject15')._analyticRulecontentProductId15]", + "id": "[variables('analyticRuleObject15')._analyticRulecontentProductId15]", + "version": "[variables('analyticRuleObject15').analyticRuleVersion15]" } }, { "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates", "apiVersion": "2023-04-01-preview", - "name": "[variables('analyticRuleObject17').analyticRuleTemplateSpecName17]", + "name": "[variables('analyticRuleObject16').analyticRuleTemplateSpecName16]", "location": "[parameters('workspace-location')]", "dependsOn": [ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" 
@@ -2641,21 +2520,21 @@ "description": "SWG - Abnormal Deny Rate_AnalyticalRules Analytics Rule with template version 3.0.0", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "[variables('analyticRuleObject17').analyticRuleVersion17]", + "contentVersion": "[variables('analyticRuleObject16').analyticRuleVersion16]", "parameters": {}, "variables": {}, "resources": [ { "type": "Microsoft.SecurityInsights/AlertRuleTemplates", - "name": "[variables('analyticRuleObject17')._analyticRulecontentId17]", + "name": "[variables('analyticRuleObject16')._analyticRulecontentId16]", "apiVersion": "2023-02-01-preview", "kind": "Scheduled", "location": "[parameters('workspace-location')]", "properties": { - "description": "Identifies abnormal deny rate for specific source IP to destination IP based on the normal average and standard deviation learned during a configured period. This can indicate potential exfiltration, initial access, or C2, where an attacker tries to exploit the same vulnerability on machines in the organization but is being blocked by firewall rules.", + "description": "Identifies abnormal deny rate for specific source IP to destination IP based on the normal average and standard deviation learned during a configured period. This can indicate potential exfiltration, initial access, or C2, where an attacker tries to exploit the same vulnerability on machines in the organization but is being blocked by firewall rules.\n\nConfigurable Parameters:\n - minimumOfStdsThreshold: The number of stds to use in the threshold calculation. Default is set to 3.\n - learningPeriodTime: Learning period for threshold calculation in days. Default is set to 5.\n - binTime: Learning buckets time in hours. Default is set to 1 hour.\n - minimumThreshold: Minimum threshold for alert. Default is set to 5.\n - minimumBucketThreshold: Minimum learning buckets threshold for alert. 
Default is set to 5.", "displayName": "GSA - Detect Abnormal Deny Rate for Source to Destination IP", "enabled": false, - "query": "let NumOfStdsThreshold = 3;\nlet LearningPeriod = 5d;\nlet BinTime = 1h;\nlet MinThreshold = 5.0;\nlet MinLearningBuckets = 5;\nlet TrafficLogs = NetworkAccessTraffic\n | where Action == 'Denied'\n | where isnotempty(DestinationIp) and isnotempty(SourceIp);\nlet LearningSrcIpDenyRate = TrafficLogs\n | where TimeGenerated between (ago(LearningPeriod + 1d) .. ago(1d))\n | summarize count() by SourceIp, bin(TimeGenerated, BinTime), DestinationIp\n | summarize LearningTimeSrcIpDenyRateAvg = avg(count_), LearningTimeSrcIpDenyRateStd = stdev(count_), LearningTimeBuckets = count() by SourceIp, DestinationIp\n | where LearningTimeBuckets > MinLearningBuckets;\nlet AlertTimeSrcIpDenyRate = TrafficLogs\n | where TimeGenerated between (ago(1h) .. now())\n | summarize AlertTimeSrcIpDenyRateCount = count() by SourceIp, DestinationIp;\nAlertTimeSrcIpDenyRate\n | join kind=leftouter (LearningSrcIpDenyRate) on SourceIp, DestinationIp\n | extend LearningThreshold = max_of(LearningTimeSrcIpDenyRateAvg + NumOfStdsThreshold * LearningTimeSrcIpDenyRateStd, MinThreshold)\n | where AlertTimeSrcIpDenyRateCount > LearningThreshold\n | project SourceIp, DestinationIp, AlertTimeSrcIpDenyRateCount, LearningThreshold \n", + "query": "let NumOfStdsThreshold = 3;\nlet LearningPeriod = 5d;\nlet BinTime = 1h;\nlet MinThreshold = 5.0;\nlet MinLearningBuckets = 5;\nlet TrafficLogs = NetworkAccessTraffic\n | where Action == \"Denied\"\n | where isnotempty(DestinationIp) and isnotempty(SourceIp);\nlet LearningSrcIpDenyRate = TrafficLogs\n | where TimeGenerated between (ago(LearningPeriod + 1d) .. 
ago(1d))\n | summarize count_ = count() by SourceIp, bin(TimeGenerated, BinTime), DestinationIp\n | summarize LearningTimeSrcIpDenyRateAvg = avg(count_), LearningTimeSrcIpDenyRateStd = stdev(count_), LearningTimeBuckets = count() by SourceIp, DestinationIp\n | where LearningTimeBuckets > MinLearningBuckets;\nlet AlertTimeSrcIpDenyRate = TrafficLogs\n | where TimeGenerated between (ago(1h) .. now())\n | summarize AlertTimeSrcIpDenyRateCount = count() by SourceIp, DestinationIp;\nAlertTimeSrcIpDenyRate\n | join kind=leftouter (LearningSrcIpDenyRate) on SourceIp, DestinationIp\n | extend LearningThreshold = max_of(LearningTimeSrcIpDenyRateAvg + NumOfStdsThreshold * LearningTimeSrcIpDenyRateStd, MinThreshold)\n | where AlertTimeSrcIpDenyRateCount > LearningThreshold\n | project SourceIp, DestinationIp, AlertTimeSrcIpDenyRateCount, LearningThreshold\n", "queryFrequency": "PT1H", "queryPeriod": "PT25H", "severity": "Medium", @@ -2679,22 +2558,22 @@ ], "entityMappings": [ { - "entityType": "IP", "fieldMappings": [ { - "identifier": "Address", - "columnName": "SourceIp" + "columnName": "SourceIp", + "identifier": "Address" } - ] + ], + "entityType": "IP" }, { - "entityType": "URL", "fieldMappings": [ { - "identifier": "Url", - "columnName": "DestinationIp" + "columnName": "DestinationIp", + "identifier": "Url" } - ] + ], + "entityType": "URL" } ] } 
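Review bot: The second entity mapping in this hunk assigns the `DestinationIp` column to a `URL` entity with identifier `Url`, so a destination IP address is surfaced to analysts as a URL entity while the `SourceIp` column just above is correctly mapped as `IP`/`Address`; the hunk only reorders the keys of that mapping and leaves the mismatch as it was. An IP address belongs on an IP entity, i.e. `"entityType": "IP"` with `"identifier": "Address"`, so that incident grouping and the investigation graph treat both ends of the denied flow consistently. This file appears to be generated packaging output, so the correction presumably belongs in the rule's source definition followed by a re-package rather than a hand edit here. The enclosing AlertRuleTemplates resource starts in the previous hunk and continues past the end of this one.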
@@ -2702,13 +2581,13 @@ { "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", "apiVersion": "2022-01-01-preview", - "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleObject17').analyticRuleId17,'/'))))]", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleObject16').analyticRuleId16,'/'))))]", "properties": { - "description": "Global Secure Access Analytics Rule 17", - "parentId": "[variables('analyticRuleObject17').analyticRuleId17]", - "contentId": "[variables('analyticRuleObject17')._analyticRulecontentId17]", + "description": "Global Secure Access Analytics Rule 16", + "parentId": "[variables('analyticRuleObject16').analyticRuleId16]", + "contentId": "[variables('analyticRuleObject16')._analyticRulecontentId16]", "kind": "AnalyticsRule", - "version": "[variables('analyticRuleObject17').analyticRuleVersion17]", + "version": "[variables('analyticRuleObject16').analyticRuleVersion16]", "source": { "kind": "Solution", "name": "Global Secure Access", 
@@ -2733,18 +2612,18 @@ "packageName": "[variables('_solutionName')]", "packageId": "[variables('_solutionId')]", "contentSchemaVersion": "3.0.0", - "contentId": "[variables('analyticRuleObject17')._analyticRulecontentId17]", + "contentId": "[variables('analyticRuleObject16')._analyticRulecontentId16]", "contentKind": "AnalyticsRule", "displayName": "GSA - Detect Abnormal Deny Rate for Source to Destination IP", - "contentProductId": "[variables('analyticRuleObject17')._analyticRulecontentProductId17]", - "id": "[variables('analyticRuleObject17')._analyticRulecontentProductId17]", - "version": "[variables('analyticRuleObject17').analyticRuleVersion17]" + "contentProductId": "[variables('analyticRuleObject16')._analyticRulecontentProductId16]", + "id": "[variables('analyticRuleObject16')._analyticRulecontentProductId16]", + "version": "[variables('analyticRuleObject16').analyticRuleVersion16]" } }, { "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates", "apiVersion": "2023-04-01-preview", - "name": "[variables('analyticRuleObject18').analyticRuleTemplateSpecName18]", + "name": "[variables('analyticRuleObject17').analyticRuleTemplateSpecName17]", "location": "[parameters('workspace-location')]", "dependsOn": [ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" 
@@ -2753,18 +2632,18 @@ "description": "SWG - Abnormal Port to Protocol_AnalyticalRules Analytics Rule with template version 3.0.0", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "[variables('analyticRuleObject18').analyticRuleVersion18]", + "contentVersion": "[variables('analyticRuleObject17').analyticRuleVersion17]", "parameters": {}, "variables": {}, "resources": [ { "type": "Microsoft.SecurityInsights/AlertRuleTemplates", - "name": "[variables('analyticRuleObject18')._analyticRulecontentId18]", + "name": "[variables('analyticRuleObject17')._analyticRulecontentId17]", "apiVersion": "2023-02-01-preview", "kind": "Scheduled", "location": "[parameters('workspace-location')]", "properties": { - "description": "Identifies changes in the protocol used for specific destination ports, comparing the current runtime with a learned baseline. This can indicate potential protocol misuse or configuration changes.", + "description": "Identifies changes in the protocol used for specific destination ports, comparing the current runtime with a learned baseline.\nThis can indicate potential protocol misuse or configuration changes.\nConfigurable Parameters:\n- Learning period: The time range to establish the baseline. Default is set to 7 days.\n- Run time: The time range for current analysis. Default is set to 1 day.", "displayName": "GSA - Detect Protocol Changes for Destination Ports", "enabled": false, "query": "let LearningPeriod = 7d;\nlet RunTime = 1d;\nlet StartLearningPeriod = ago(LearningPeriod + RunTime);\nlet EndRunTime = ago(RunTime);\nlet LearningPortToProtocol = \n NetworkAccessTraffic\n | where TimeGenerated between (StartLearningPeriod .. 
EndRunTime)\n | where isnotempty(DestinationPort)\n | summarize LearningTimeCount = count() by LearningTimeDstPort = DestinationPort, LearningTimeProtocol = TransportProtocol, SourceIp, DestinationFqdn;\nlet AlertTimePortToProtocol = \n NetworkAccessTraffic\n | where TimeGenerated between (EndRunTime .. now())\n | where isnotempty(DestinationPort)\n | summarize AlertTimeCount = count() by AlertTimeDstPort = DestinationPort, AlertTimeProtocol = TransportProtocol, SourceIp, DestinationFqdn;\nAlertTimePortToProtocol\n | join kind=leftouter (LearningPortToProtocol) on $left.AlertTimeDstPort == $right.LearningTimeDstPort and $left.SourceIp == $right.SourceIp and $left.DestinationFqdn == $right.DestinationFqdn\n | where isnull(LearningTimeProtocol) or LearningTimeProtocol != AlertTimeProtocol\n | project AlertTimeDstPort, AlertTimeProtocol, LearningTimeProtocol, SourceIp, DestinationFqdn\n | extend IPCustomEntity = SourceIp, FqdnCustomEntity = DestinationFqdn\n", @@ -2780,7 +2659,7 @@ { "connectorId": "AzureActiveDirectory", "dataTypes": [ - "EnrichedMicrosoft365AuditLogs" + "NetworkAccessTrafficLogs" ] } ], @@ -2791,22 +2670,22 @@ ], "entityMappings": [ { - "entityType": "IP", "fieldMappings": [ { - "identifier": "Address", - "columnName": "IPCustomEntity" + "columnName": "IPCustomEntity", + "identifier": "Address" } - ] + ], + "entityType": "IP" }, { - "entityType": "URL", "fieldMappings": [ { - "identifier": "Url", - "columnName": "FqdnCustomEntity" + "columnName": "FqdnCustomEntity", + "identifier": "Url" } - ] + ], + "entityType": "URL" } ] } 
@@ -2814,13 +2693,13 @@ { "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", "apiVersion": "2022-01-01-preview", - "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleObject18').analyticRuleId18,'/'))))]", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleObject17').analyticRuleId17,'/'))))]", "properties": { - "description": "Global Secure Access Analytics Rule 18", - "parentId": "[variables('analyticRuleObject18').analyticRuleId18]", - "contentId": "[variables('analyticRuleObject18')._analyticRulecontentId18]", + "description": "Global Secure Access Analytics Rule 17", + "parentId": "[variables('analyticRuleObject17').analyticRuleId17]", + "contentId": "[variables('analyticRuleObject17')._analyticRulecontentId17]", "kind": "AnalyticsRule", - "version": "[variables('analyticRuleObject18').analyticRuleVersion18]", + "version": "[variables('analyticRuleObject17').analyticRuleVersion17]", "source": { "kind": "Solution", "name": "Global Secure Access", 
@@ -2845,18 +2724,18 @@ "packageName": "[variables('_solutionName')]", "packageId": "[variables('_solutionId')]", "contentSchemaVersion": "3.0.0", - "contentId": "[variables('analyticRuleObject18')._analyticRulecontentId18]", + "contentId": "[variables('analyticRuleObject17')._analyticRulecontentId17]", "contentKind": "AnalyticsRule", "displayName": "GSA - Detect Protocol Changes for Destination Ports", - "contentProductId": "[variables('analyticRuleObject18')._analyticRulecontentProductId18]", - "id": "[variables('analyticRuleObject18')._analyticRulecontentProductId18]", - "version": "[variables('analyticRuleObject18').analyticRuleVersion18]" + "contentProductId": "[variables('analyticRuleObject17')._analyticRulecontentProductId17]", + "id": "[variables('analyticRuleObject17')._analyticRulecontentProductId17]", + "version": "[variables('analyticRuleObject17').analyticRuleVersion17]" } }, { "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates", "apiVersion": "2023-04-01-preview", - "name": "[variables('analyticRuleObject19').analyticRuleTemplateSpecName19]", + "name": "[variables('analyticRuleObject18').analyticRuleTemplateSpecName18]", "location": "[parameters('workspace-location')]", "dependsOn": [ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" 
@@ -2865,18 +2744,18 @@ "description": "SWG - Source IP Port Scan_AnalyticalRules Analytics Rule with template version 3.0.0", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "[variables('analyticRuleObject19').analyticRuleVersion19]", + "contentVersion": "[variables('analyticRuleObject18').analyticRuleVersion18]", "parameters": {}, "variables": {}, "resources": [ { "type": "Microsoft.SecurityInsights/AlertRuleTemplates", - "name": "[variables('analyticRuleObject19')._analyticRulecontentId19]", + "name": "[variables('analyticRuleObject18')._analyticRulecontentId18]", "apiVersion": "2023-02-01-preview", "kind": "Scheduled", "location": "[parameters('workspace-location')]", "properties": { - "description": "Identifies a source IP scanning multiple open ports on Global Secure Access Firewall. This can indicate malicious scanning of ports by an attacker, trying to reveal open ports in the organization that can be compromised for initial access.", + "description": "Identifies a source IP scanning multiple open ports on Global Secure Access Firewall. This can indicate malicious scanning of ports by an attacker, trying to reveal open ports in the organization that can be compromised for initial access.\n Configurable Parameters:\n - Port scan time - the time range to look for multiple ports scanned. Default is set to 30 seconds.\n - Minimum different ports threshold - alert only if more than this number of ports scanned. 
Default is set to 100.", "displayName": "GSA - Detect Source IP Scanning Multiple Open Ports", "enabled": false, "query": "let port_scan_time = 30s;\nlet min_ports_threshold = 100;\nNetworkAccessTraffic\n| where TimeGenerated > ago(1d)\n| where Action == 'Allowed'\n| summarize PortsScanned = dcount(DestinationPort) by SourceIp, DestinationFqdn, bin(TimeGenerated, port_scan_time)\n| where PortsScanned > min_ports_threshold\n| project SourceIp, PortsScanned, TimeGenerated,DestinationFqdn\n", @@ -2892,7 +2771,7 @@ { "connectorId": "AzureActiveDirectory", "dataTypes": [ - "EnrichedMicrosoft365AuditLogs" + "NetworkAccessTrafficLogs" ] } ], @@ -2904,22 +2783,22 @@ ], "entityMappings": [ { - "entityType": "IP", "fieldMappings": [ { - "identifier": "Address", - "columnName": "SourceIp" + "columnName": "SourceIp", + "identifier": "Address" } - ] + ], + "entityType": "IP" }, { - "entityType": "URL", "fieldMappings": [ { - "identifier": "Url", - "columnName": "DestinationFqdn" + "columnName": "DestinationFqdn", + "identifier": "Url" } - ] + ], + "entityType": "URL" } ] } 
@@ -2927,13 +2806,13 @@ { "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", "apiVersion": "2022-01-01-preview", - "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleObject19').analyticRuleId19,'/'))))]", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleObject18').analyticRuleId18,'/'))))]", "properties": { - "description": "Global Secure Access Analytics Rule 19", - "parentId": "[variables('analyticRuleObject19').analyticRuleId19]", - "contentId": "[variables('analyticRuleObject19')._analyticRulecontentId19]", + "description": "Global Secure Access Analytics Rule 18", + "parentId": "[variables('analyticRuleObject18').analyticRuleId18]", + "contentId": "[variables('analyticRuleObject18')._analyticRulecontentId18]", "kind": "AnalyticsRule", - "version": "[variables('analyticRuleObject19').analyticRuleVersion19]", + "version": "[variables('analyticRuleObject18').analyticRuleVersion18]", "source": { "kind": "Solution", "name": "Global Secure Access", 
@@ -2958,12 +2837,12 @@ "packageName": "[variables('_solutionName')]", "packageId": "[variables('_solutionId')]", "contentSchemaVersion": "3.0.0", - "contentId": "[variables('analyticRuleObject19')._analyticRulecontentId19]", + "contentId": "[variables('analyticRuleObject18')._analyticRulecontentId18]", "contentKind": "AnalyticsRule", "displayName": "GSA - Detect Source IP Scanning Multiple Open Ports", - "contentProductId": "[variables('analyticRuleObject19')._analyticRulecontentProductId19]", - "id": "[variables('analyticRuleObject19')._analyticRulecontentProductId19]", - "version": "[variables('analyticRuleObject19').analyticRuleVersion19]" + "contentProductId": "[variables('analyticRuleObject18')._analyticRulecontentProductId18]", + "id": "[variables('analyticRuleObject18')._analyticRulecontentProductId18]", + "version": "[variables('analyticRuleObject18').analyticRuleVersion18]" } }, { @@ -4761,7 +4640,7 @@ "contentSchemaVersion": "3.0.0", "displayName": "Global Secure Access", "publisherDisplayName": "Microsoft Corporation", - "descriptionHtml": "

Note: Please refer to the following before installing the solution:

\n

• Review the solution Release Notes

\n

• There may be known issues pertaining to this Solution, please refer to them before installing.

\n

Global Secure Access is a domain solution and does not include any data connectors. The content in this solution requires one of the product solutions below.

\n

Prerequisite:

\n

Install one or more of the listed solutions to unlock the value provided by this solution.

\n
    \n
  1. Microsoft Entra ID
  2. \n
\n

Underlying Microsoft Technologies used:

\n

This solution depends on the following technologies, and some of these dependencies may either be in Preview state or might result in additional ingestion or operational costs:

\n
    \n
  1. Product solutions as described above
  2. \n
\n

Workbooks: 2, Analytic Rules: 19, Hunting Queries: 21

\n

Learn more about Microsoft Sentinel | Learn more about Solutions

\n", + "descriptionHtml": "

Note: Please refer to the following before installing the solution:

\n

• Review the solution Release Notes

\n

• There may be known issues pertaining to this Solution, please refer to them before installing.

\n

Global Secure Access is a domain solution and does not include any data connectors. The content in this solution requires one of the product solutions below.

\n

Prerequisite:

\n

Install one or more of the listed solutions to unlock the value provided by this solution.

\n
    \n
  1. Microsoft Entra ID
  2. \n
\n

Underlying Microsoft Technologies used:

\n

This solution depends on the following technologies, and some of these dependencies may either be in Preview state or might result in additional ingestion or operational costs:

\n
    \n
  1. Product solutions as described above
  2. \n
\n

Workbooks: 2, Analytic Rules: 18, Hunting Queries: 21

\n

Learn more about Microsoft Sentinel | Learn more about Solutions

\n", "contentKind": "Solution", "contentProductId": "[variables('_solutioncontentProductId')]", "id": "[variables('_solutioncontentProductId')]", @@ -4886,11 +4765,6 @@ "contentId": "[variables('analyticRuleObject18')._analyticRulecontentId18]", "version": "[variables('analyticRuleObject18').analyticRuleVersion18]" }, - { - "kind": "AnalyticsRule", - "contentId": "[variables('analyticRuleObject19')._analyticRulecontentId19]", - "version": "[variables('analyticRuleObject19').analyticRuleVersion19]" - }, { "kind": "HuntingQuery", "contentId": "[variables('huntingQueryObject1')._huntingQuerycontentId1]", From 3a08662dd3d418f9a00acfe7a76e752aa102cff4 Mon Sep 17 00:00:00 2001 From: Javier Soriano Date: Thu, 2 Jan 2025 11:14:51 +0100 Subject: [PATCH 09/22] Fix for issue #11329 This modification fixes #11329 --- .../v2/LinkedTemplates/solutionsAndAlerts.json | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/Tools/Sentinel-All-In-One/v2/LinkedTemplates/solutionsAndAlerts.json b/Tools/Sentinel-All-In-One/v2/LinkedTemplates/solutionsAndAlerts.json index 005bcf1aff9..196b7af9588 100644 --- a/Tools/Sentinel-All-In-One/v2/LinkedTemplates/solutionsAndAlerts.json +++ b/Tools/Sentinel-All-In-One/v2/LinkedTemplates/solutionsAndAlerts.json @@ -96,7 +96,7 @@ }, { "dependsOn": [ - "[resourceId('Microsoft.ManagedIdentity/userAssignedIdentities', variables('identityName'))]" + "[resourceId('Microsoft.Authorization/roleAssignments', variables('roleGuidId'))]" ], "type": "Microsoft.Resources/deploymentScripts", "apiVersion": "2020-10-01", @@ -122,4 +122,4 @@ } ], "outputs": {} -} \ No newline at end of file +} From 887c7dae7819981d9ff0911d5dda16613e856a08 Mon Sep 17 00:00:00 2001 
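Review bot: The deploymentScripts resource in the `@@ -96,7 +96,7 @@` hunk now waits only on the roleAssignments resource and no longer lists the user-assigned identity it presumably runs as, so unless that role assignment resource itself declares a `dependsOn` on the identity (it lies outside this hunk), ARM no longer guarantees the identity exists before the script starts. Keeping both entries is the safe form: `"[resourceId('Microsoft.ManagedIdentity/userAssignedIdentities', variables('identityName'))]",` followed by the new `"[resourceId('Microsoft.Authorization/roleAssignments', variables('roleGuidId'))]"`. Separately, a freshly created role assignment is not always effective the instant the resource returns, so the script can still hit authorization failures on its first call even with the ordering fixed; a short retry loop inside the script body would make the fix robust rather than timing-dependent. The resource's `identity` and `properties` blocks are outside the hunk.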
From: Shain <45466083+shainw@users.noreply.github.com> Date: Thu, 2 Jan 2025 11:22:42 -0800 Subject: [PATCH 10/22] Fixing version after merge conflict --- Solutions/Symantec VIP/Analytic Rules/ClientDeniedAccess.yaml | 2 +- .../ExcessiveFailedAuthenticationsfromInvalidInputs.yaml | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/Solutions/Symantec VIP/Analytic Rules/ClientDeniedAccess.yaml b/Solutions/Symantec VIP/Analytic Rules/ClientDeniedAccess.yaml index e36953f92b9..338df82e826 100644 --- a/Solutions/Symantec VIP/Analytic Rules/ClientDeniedAccess.yaml +++ b/Solutions/Symantec VIP/Analytic Rules/ClientDeniedAccess.yaml @@ -37,6 +37,6 @@ entityMappings: fieldMappings: - identifier: Address columnName: ClientIP -version: 1.0.3 +version: 1.0.4 status: Available kind: Scheduled \ No newline at end of file diff --git a/Solutions/Symantec VIP/Analytic Rules/ExcessiveFailedAuthenticationsfromInvalidInputs.yaml b/Solutions/Symantec VIP/Analytic Rules/ExcessiveFailedAuthenticationsfromInvalidInputs.yaml index de98d5f6464..c16f8cf2d2d 100644 --- a/Solutions/Symantec VIP/Analytic Rules/ExcessiveFailedAuthenticationsfromInvalidInputs.yaml +++ b/Solutions/Symantec VIP/Analytic Rules/ExcessiveFailedAuthenticationsfromInvalidInputs.yaml @@ -31,6 +31,6 @@ entityMappings: fieldMappings: - identifier: Address columnName: ClientIP -version: 1.0.3 +version: 1.0.4 status: Available kind: Scheduled \ No newline at end of file From aa9ed01d2df05bb5b79c0fd9c35a46fba20948eb Mon Sep 17 00:00:00 2001 
From: v-rusraut Date: Fri, 3 Jan 2025 10:38:53 +0530 Subject: [PATCH 11/22] Repackaged - Trend Micro Deep Security --- ...on_TrendMicroDeepSecurityTemplateSpec.json | 7 +- .../Package/3.0.1.zip | Bin 0 -> 9272 bytes .../Package/createUiDefinition.json | 33 +- .../Package/mainTemplate.json | 413 +----------------- .../Trend Micro Deep Security/ReleaseNotes.md | 1 + 5 files changed, 10 insertions(+), 444 deletions(-) create mode 100644 Solutions/Trend Micro Deep Security/Package/3.0.1.zip diff --git a/Solutions/Trend Micro Deep Security/Data/Solution_TrendMicroDeepSecurityTemplateSpec.json b/Solutions/Trend Micro Deep Security/Data/Solution_TrendMicroDeepSecurityTemplateSpec.json index 5fab94a8f3d..9fed9bbffbb 100644 --- a/Solutions/Trend Micro Deep Security/Data/Solution_TrendMicroDeepSecurityTemplateSpec.json +++ b/Solutions/Trend Micro Deep Security/Data/Solution_TrendMicroDeepSecurityTemplateSpec.json 
@@ -2,10 +2,7 @@ "Name": "Trend Micro Deep Security", "Author": "Trend Micro", "Logo": "", - "Description": "The [Trend Micro Deep Security](https://www.trendmicro.com/en_us/business/products/hybrid-cloud/deep-security.html) solution for Microsoft Sentinel enables you to ingest Deep Security logs into Microsoft Sentinel, using the Common Event Format (CEF) for Security Monitoring.\r\n \n\n This solution is dependent on the Common Event Format solution containing the CEF via AMA connector to collect the logs. The CEF solution will be installed as part of this solution installation. \n\n**NOTE:** Microsoft recommends installation of CEF via AMA Connector. Legacy connector uses the Log Analytics agent which is about to be deprecated by **Aug 31, 2024,** and thus should only be installed where AMA is not supported. Using MMA and AMA on same machine can cause log duplication and extra ingestion cost [more details](https://learn.microsoft.com/en-us/azure/sentinel/ama-migrate).", - "Data Connectors": [ - "Data Connectors/TrendMicroDeepSecurity.json" - ], + "Description": "The [Trend Micro Deep Security](https://www.trendmicro.com/en_us/business/products/hybrid-cloud/deep-security.html) solution for Microsoft Sentinel enables you to ingest Deep Security logs into Microsoft Sentinel, using the Common Event Format (CEF) for Security Monitoring.\r\n \n\n This solution is dependent on the Common Event Format solution containing the CEF via AMA connector to collect the logs. The CEF solution will be installed as part of this solution installation. \n\n**NOTE:** Microsoft recommends installation of CEF via AMA Connector. Legacy connector uses the Log Analytics agent which were deprecated on **Aug 31, 2024.** and thus should only be installed where AMA is not supported. 
Using MMA and AMA on same machine can cause log duplication and extra ingestion cost [more details](https://learn.microsoft.com/en-us/azure/sentinel/ama-migrate).", "Workbooks": [ "Workbooks/TrendMicroDeepSecurityAttackActivity.json", "Workbooks/TrendMicroDeepSecurityOverview.json" @@ -17,7 +14,7 @@ "azuresentinel.azure-sentinel-solution-commoneventformat" ], "BasePath": "C:\\GitHub\\Azure-Sentinel\\Solutions\\Trend Micro Deep Security", - "Version": "3.0.0", + "Version": "3.0.1", "Metadata": "SolutionMetadata.json", "TemplateSpec": true, "Is1PConnector": false 
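Review bot: The new Description still instructs that the Legacy connector "should only be installed where AMA is not supported", yet the same hunk deletes the `Data Connectors` entry that shipped that connector, so the sentence now describes something this solution no longer installs. Suggest reducing the note to the dependency statement and the MMA/AMA duplication warning, dropping the "should only be installed" clause, since the CEF via AMA solution is installed as a dependency. The phrase `which were deprecated on **Aug 31, 2024.** and thus` is also ungrammatical; `which was deprecated on **Aug 31, 2024**, and thus` reads correctly if the clause is kept. The identical text appears in the generated createUiDefinition.json later in this patch, so fixing it here and repackaging is enough.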
diff --git a/Solutions/Trend Micro Deep Security/Package/3.0.1.zip b/Solutions/Trend Micro Deep Security/Package/3.0.1.zip new file mode 100644 index 0000000000000000000000000000000000000000..281cc83b08441d717456f569f0da7a153c75043d GIT binary patch literal 9272 zcmZ{Kbxa)2x9{S`-QC^Y7I!c1Qrw}iKw)urDAM9uio08JcPUcbi!HwR`+k4-rGkc1b7}4zBnG9VRGNk& zaQIUjPC+pD#`g>ND)(KBL#Z|oO{aClQqC!yTh9lDz}H*Gcm#=7Et-!MCUsOE9Ib?3 zmD+KBi0!ea#7;)Me6o}!I%!&K{MraH^aV~Q7^u{LHzDcEh3+h+8;q-pls7_JG}U|5 z26~NhU)hNK43TH7=+VYH(o^R2I8BA_x{S$KcAL2f;-lMWtJbF5cgo$VV22ou`mIVD zOHIxR>gdizA5*f4;#6v?i1Ou3zkj&6oUBi;Jby_D*i zs<@JmM`iX&-IN}KUJ&DWa2;Xoq{hY)%p63&6Q>MacAsB5&^MhfiCK^mcf!*IK4-tc zQQ%VR$2jHnX4~DI-QIGp#l$UW-y0#jBJf%-^{hop)VWBZ&3wy>yD3o7lNM~N4ysSxQZW&*wEoS1mdv^wWX z)Om^ul+%t_?oxdM(Ul8cBJTO}$wZahAIVR(S9;c8xPik6`2&4m|8~m*2|?oFwx|k+vip9M>kK?r5u+!1>k{TA(Z(HNgh190C0( zB7sMEsEn~EM_ioA*iXI;^=Qm#2+PoT0rk>__Bp-+RHu?lOP2w4;YVkt9G5&clz3j} zEW9irXFNS*ZlDgW&&hRGi(L+;B|ooc;n1V-uGn0dG3%MsYNpG+XEs7Kd9|Bi2jRD8 z)Y)a#OzDYHzQmuV?*?2h|1K3#a_(0xp?LHH2*II$39dz=7(4euW+0K}9!Wzj6A* zWc0Og%+9E?mWebD?W!XVRd0&VBM*WfBu9y=BM@)$tyPswd5H@XSCoYq$c;&ImlI$g zjR{TnViQ3cK1yMK?ELAf+Ut~PE6jt*H|-XX`^}^#9lc zyE_wsn{F7s>qSQw&qv~O)cI z^q5KyBeRU*52eKZe2p`2<(&}pi-7xsyg{33{f)PfVQPiic4v|7*X!#U`|I&7?H?9R z!(Wn?>K#jF3Jq?ngbmX3ZclLsDW6qS)0`_&z^pDI!?#*c6pc$3ug1=BW0Urd8f79Nxe70(S*d40P3Z-K5cj+S9 znmDE}ays|k8nl{N<=DAtz*yxdJ^>#G8Zyc9tna_lh_D>?Bt%b-!c zL2#P?jTd+{SK;fE0suc=008WNc!7(hgR72>i@Wnb?BG9);LP;Yb6qIotylLM!{F{r z`C>l3<+F>;u#1mKg;2}{h*5$jlN84?#>H$A-a#SPdkHuJTmz0#0N{~R3ly2hRjn3y z9aQMtU4@PY`h?T&9=G1n3x~Ikz0}G6_(qc4P#MhHb?3Fsd)LL;4N|+#4h2O3Pt?U3 zI~4rogCI={Tc@{3;$PXE-NuG1%v%BV>H-jYyuEBfY0V$ zThuTD9>3_IlN`V3$q+x!*vZU*ce9QY`0vEIb8x+gc*igD{Xj$jLp<54x%4Ai8v+p; z>yYVDzT0YxRSUWc_$`EcZU|yM-gJxLPzV-p2RvceK`56kAB5e9;lQHE_=4NRu8-^j zBXxqIy}yvWYXmfU1inSSlMYf2yz6$KTRTzaAY`e|A*M0%`fD7g_+!|ZQ<9qAmQ<}D z&>sG6P&Oor;M>P=a2YQAZwpkCf~_Q4hTO(>!Zll@AD}>nT>TZnG78n_?zmZ`P_|4& z`0RKVltcK}z|+UyULj>Av_miC8`IS%WQKU(2U}f(57IA%1E5zhv5b5re|&a_a!u;R 
z#vJdbNIYFWgW-?hBC8LXzk6_AB}4RNOZP^b3x6(1rE%3-m<`^3?eDkAR$Z;M6}`&R z)82HuI5SB*&HLyVVLP;`r*wdsO6e)3Nr5r4iALVGVurY!)^CK9AH7|$sSBvzLCjEb zZs|&c-?1uX!JX-(@FF^y%BbVwo9lag3?lE5FAI;TkHPr0Ey!lAGEkjmx~c5MRhyob zR^b?cuN&091HIE&ihqqwzC?T`$Xk&`=usiYa*OC0njaA&)6gma69$8^l9J)%89E8M zVlik}4mddZD)Gdh=4FZg_{@DlXdaqMT4v(;P&3s=(Q52=>Z zE64fLV=3Ta^2}5uUZ~Ks>G9{Hr2?&6vOK)J6*!u0Z-Vdl-PfFH#}O|1ST8mOT0NUSFIjMos=2dM3~y}3>*H)rt!!|Tx6ag3 zpsg0mJmeE_nVwg#+UZ2N5+?g3s>g#UV|xcH=Z&KvJP~vGeTR=gjK?6jR%slkg16=2 zdD3eNbOV~-=S;5K{$6JxTkI~9&jMD%V&d)CE~>9U3!Ch)b|u9x8e~dL^${HGtsgy) zg>tnJQ_7b@xqAAbT*`X`ObM99hC`+aZp)?#o<37q$Y&Zc@2=NKB^F_e>H*BI)ge(- zg`08sjSS)Xw4E4kR<2D7-1}p8@XziRMj=2K9VHs-*w zX2t}%nSg*KycRb}zo9&(c-8-LUZmLVEOr6d250GBilBo33pbl%9jHWG&yS$ED#&Cun7(#bSJ_nQ-cDE>!#YRYtL z>g^#7uY~DZyULboZXnMCUkF1Gux!f_jx&F<1YvJMFCtC=Q}57~gp)hOY2u(j@o0td zhpi;X1yb%Cu7Svu=IaSxPwv(42LkkZmsdHg$j=98FY)PlZSC7~+gA&x*>jI4oDDeJ z3h4m0?p1i3va@k(LzCT8frf@Z2XdS!4Zgt+TJAHYVrWOsQv@n$QcWO4lsYv-6Z0Fz zm7iCBf1+XC{`d;mmWuU{-dc!~39ju$B3vo$EGrO=2B4Z@Y?ROf3poJ^& za;0e=dl<*ug~Bm_IvnrhJ`P5<}8ley^n!@b9JgNn?Iz^e{0p?8;d=5o>H9o1~wd0!s!>J?YepS&)%C z7*eu5d{JCP?C+1@a}P=g71f}?pCT3$h^6DY&nKAEMoXu)zs;8~G7rYDckyqHqDB`( zay7HeP8AIdLsT(l+vsm_8P7y-U=8x)Sgygmq=(994kzq8U()+Gr*BpA2IfL(d>^RJ zH-=!APP|Zd_Z+eYU6q1M#4=8qO!PX`eCV9iaMjm`0S zk*$aURLabb5v$1~qghr3li%0E3-w9W*jk5n5A=6=Xd5>BEP4h?izR91qXUe510nM? 
zEsuI6+wlqj0FiZow&yR_?SMQYvJv|wWCi7rv?Pf-mxKHEhlw)g`mHPWuxl7Wf@TH~ z-hm!gyC%F_S8S}A;kL`sFj`*)k_8o&Cu!yR!d5f=tmo z1e`S~wv}b&ANr~YBN`@caw@a5@grGUF6 zKff=Uk9c}Xn1rGFagHG`Az!|gpiqOYo+PbZqHFIhcdJ~$Oxxa*7HquQ8K*wW7@R=a z{=#2d>)(O*0bgfu4Mq##cxtH{7k>Tv#Itvndcuuyvhm6)Jx}7B21|QEAcK&)`zRv| zmrq`RDjACn_tU0#&2t{3jKUX{@0iyrWJFsq2vh5&H z0Drz>@L|0vQ%bX>{0|tD<958bPZL18W!qDsLH1>u22bfs+%v98Z%Hidz_|*EBk6=T zWm=o&%TTWM#sWUlG))CAgt$Qy@Iefdv5NyMKhqxxb)~(i3~zt6oz{trdA+UpMt4ZJd^*iceq%Z#{~lsX7ToNKgpUfP|^v^}`#=KSJd&_`GdIOT>tO{+6S) z)*a_FscW)ipZ}5olMZc+OGbxx-{&AgFn;!ysV<4q4)$Er%}ce+E){-VEbi`IPgV%W z`YN+)_6E|^Wz>$jlOB?7p{8gR^Yz!E;(*us#gdg^VrlYbU*4GSRUj#_>s#ZM^~vpr z-6*5-Z?V{5^*CuBvw^ctK`6y zlltBWTnB2kzge;55}A+B_x%eAJ61hR%>?gUdRRD*()*J|7>&|+^Zab{JWfyLT^n#m z+iUfm;j?{c>F&H_Oc*Ud7V7G!sE0N6A!CN$k$8F+K&>eagTv>Y9UG?Ckkv4IFVgRI z(hr4mx%#m)8+;$FVBb6BA8H?Iw{V=hi%eN51LeareTi8?w_nNOCUTKczVoJ&8srMD z^dKOtAD13{HFjQi;e(x+hDHnKIZ4?9ZXR_d_UqkuKMOz_rX+{~PVHFvuJ$*yr${^@ zVQVyKZQl6b-~4jD_p;BcCUBfK6l+OO5L$brX-#j#d-8!IZrUlmwh(ue3s;I9+0h%Owwsr?PDH(USbUTn(2PhPcUUZtGM=( z40+b~2X4RpGP`z;N$o4m6KXHp7WAwg{2Rom(cR<(t=w_ThUjAfoZu{)8|&C+@pHp= zB%(I0h+m)Nc~xTS>v{Iz&3R{@Uy*Qy0=F;I9uwl&mFq>>gAb6r5;N{AXJ+}aw(O`9 zEo(-1dX>`Fful;G7&jFLg+Wuj(T|jiJ7S=WmFeoA4sw&ZmsoVCbj`!VcV8E;nG8g= z!O0&)MMV7dik<1x(h&+tteujbe_4k93{%CHIqjgov)ecQDkZd_}bUZ!$&&cZU3OeV;f;zCT z9z?kI5E>#OR>`XjeyPEJ1kyI3beB%Qt4SNl$+BK}<>DxZdVgK;5Bew}TuI6FGvx9O z*4%-mg9Wgx4!p!PYB+**9AuN5e4-8};iBZR2((;(f7`avtqKUn)Z$KJ4l=17o+c5c zgau_N^ux)|c{faxD4o(ZAiIgyvXA6_x26}#Lgwm`TX&FiY~6yT3u^A_Ao_XQ@9b*&Nv&6cuJZFP$*<*^82!ihwQ`6LCU~T{ zc;87EWED>Oqh>1zPbaM!yIy_}DIq$d9s-%=PA39}k2?(G|5dnjQmx{y=fYY>9CS=y zxD^}#OC5M+BP^bWHOL;sckHE(Tx?+}U&a3!QT}wu3UjKw*A}_`jM~RtQVn``!|7ZO zuF;Vm>p4rA-ELj@lxPF-|7Ow=^=NJDAT=hEUgdEXxMN_*Vn_hzWS8=QjzHPpC$a~B z*ViFGK!V;2u>kj_g;EJIZY#Sl6McVSKv*~6s24?U=!OgLsvl)%d=nJO#YMWQ|1YIW zVeo}Qy+eEEq&r1xPShYcO1(WNR|}6I7jw?1Y+-ZoovAHcb>BILzM*V9bLv&+^EbsbStW zfi(_p72Ap+8d}lZ@IelUzlO{i|4Y>0Wc>lU-@rp)vo%CBgG=0EBJjZREz;RLYJOem 
zf~qBOs2Yv}t)hhh2Thli-)C*gTCLNQFz&#)rFd1Xy&>0@boC#^Lz$p#;`w1mEB~W! zOu%Pb;nNeMJsJZto3vC<4uWOy_r;a(i0@D~rCx@K!a#)#Alp#D|3yGEF|-xB#N+>m zfm0BD=XS*+(XJ0-P4MqhIi$O1P+-z-)ZWj4K1y|Y=baT>HXqn%H7ROwl~=P-(2KXT z%Qujybj)y9+>g*CkK_IXgS$Fg2cjsb3uW>SP6VtyK#vu$D403p-K zlTqi#R{a)FQ>PQ?W4hGp^%GzT%X1t;e}4fhi7l!Tcu|@Yz@&gT-_~LRG=1_Q2L6?e zPcBN10?32Um}zqQHVv&A5X@2Z8!gPRJ^vA}`I2WZf7tFl9h3bh#d|dg6OwhA7u@?i zSDF=1`4LM#;RsNXqnr4aQzEn<@RQODnv$qn`WI}#cR&%H)g|uiFE0h?8mQs7lG`$S zb9I--bV55cxl=AYiv=(?De$9FrQrQzA}kjbHULwbOhNM@u)>LZ?eh+R^;@(@*^?{< z>>`I-TM3bkRSmfqoPu&D<@hXfg*+Kg?``{rP~TglhGPzM`xi!k=4|A0xAez~8o-YQ zC-?dPV5?v4ND~o$(KE5?*T$`JYX!md4YqIkC^CO@?6szS1u927Cj1HEDsO?-Pq^`km2;v+fxG^;LZ2%P!=g&Za9$TkeJ*3&RFSt!?x=4jWzut4$rDm_AWVzfOp*C`7%!RI^Lat@ z4|G(*w@*iLTAE$LZ?(#idlZU_fhp=zqB)jJQ9>DQ@X0F{R?YA@PPVZqO!_`p6LN)* z7!Q@t36K zX`Kn8dSNPLLWG3T_h#N&>CAj8OlQ;u{`Tu@2bs(s8;R^^3i~g>tWRHJHs~G8^94v7 zHH^xM`JU-?uT!|Cwv&HPZeC0827|v$4s4rg&*KbrtDMFLG}ucTpLNnlyExi%16z)! zja=>5gN?GNMO_Z|%pRYI<>M1Phvkv?HWG*~Gk7=Ej71DD^(oNh6@Ka2DZb)0pK^n$ zD=YQ34X?^7AIslnhtm=hLCFV28FOx=VfO`FZW60@?}(6@;Gj;38zx$6fRk3Ssr2O# z)@U8286q>;{a0%FW>lboSxAyr%uLO=!i_lXK>&#LYBlcBT0+@q+OifW>h)WgQB#F< zP%qA_0{80~t?2<7h3+myXpV|mk2d4WGlfreB$ENm-)PFAZn?~zG>h@KI)K%6)$t8J zmtw@M;V&_ZUs#;zpS=>1)~zk~4TTQh1cc96$e=$GF;o|DIxjhSPD^M`p0Mj}ze&*c zx&M*e#W(qa;TEVvrwT5S9*xyQ$^QK8I2?GgM?BHnmLXvbQ{Ar;QjFsyYch?gVYcSm z!r-z0SeZ2@H>x{@Ab)}Hb}&95i65jm0_I<$2kYgpq9loHR*qgHY96^wvqLh_;PtON&mE{j`Z48dB&0IlfPU{6(xt)&W` zSSdwBx}Fhr6!L($Op-M?@_|0?JS=0Mky$e~vYyKBpTrb!afenr?lS)M?$DZhs~w2= z`B4AP^IBZQ0Hp)x^$x`D_W6^|31w7WU&p8I+kRZVAXwULP^P^wfj!mzMjqV(3nKB#(&m($j?PdDlBF7P5kpFn=5{@&vL#@=T{ z#XX2zHWXjYA~c3H3fT0S>BkNgDJT_IMFE=Oz`u;leF8yOFgNYyT8a_v+h}oQ94YbfmjC%)JOVuGID(@ft zEUkA)s(i|q&u2yL{a(MF$)|sr=Fb1kwdwTR-f-M8%5G-h-yK3`!x=y6V@X>0fL zVqrTdw+T7khJox`VPRyLGXTsew?CZ(9W5+L9iz^DZ~k;=8fj`c9q%q-sST=G#ZkO zv&mu66>0a$WUf-@;}u1(C8gi(;(hiTLq@yT&@t5bWwRI+Vs+Q`FB{ zw2-u%i8r8sJH#v>(9HA4hx@>mRaiv41l$iF|Mfw*Zl^E=kOnu|nD&~yzKsZmj~ccZ 
zO1$pQii0(dK*o^rC{VAmTiu?Hut)S9%Q$^4lZ^!n>5(6sKPN9Qn=@}H6^J&34>>-I zn%$IewBE*2rIonS3DzmGlplQZC>Q#9Lx+g*U0r+T(8pW|OZ$gHku?`A0jYGJk_pt5 z_ZAzRs{CxXmW4o7tu#S`4d2tg8b^FPIZCQj&sQA|PUZ>FHs;ptNp$4DA z*r-P(U9f-Hk-xxUqy&t!_+#$vSZ{nAR7`0AZ4X8meS%d9=n8mAuuaj%vtG|XLfBL2 zDMVr(>SE^Hx&8d1Yyjfi!St&5{SoT8ang$WR?6i=TziwH-_b#4P9g&4hjc+l@`Jv` zybrx^OH7B|1>fwildRxspO)d^3!-@{O6qOv>TugzZJF?_<$oX!9a}KEgDg^;1%Cbu zTm-LzUIo+9z*=_|PiUt+hLL_5Y66&d_Wj?W547hh&DeL7BrM+&{>+)K5b;Y{tQ>ye z-ue3Fj-QEYxorBy+dA(QdggUdZ(=gn9Xt|5_C*)(`3XNT2u4!{1{M$Szt89V(~1MY w0I2>A|E&LITIYWz`Jc_af4}}$5~2_PpVpqH3IgK4PhkJq;s3-u+JA5V2Sxeovj6}9 literal 0 HcmV?d00001 diff --git a/Solutions/Trend Micro Deep Security/Package/createUiDefinition.json b/Solutions/Trend Micro Deep Security/Package/createUiDefinition.json index 93a9f899b81..dcebb161fff 100644 --- a/Solutions/Trend Micro Deep Security/Package/createUiDefinition.json +++ b/Solutions/Trend Micro Deep Security/Package/createUiDefinition.json 
@@ -6,7 +6,7 @@ "config": { "isWizard": false, "basics": { - "description": "\n\n**Note:** Please refer to the following before installing the solution: \n\n• Review the solution [Release Notes](https://github.com/Azure/Azure-Sentinel/tree/master/Solutions/Trend%20Micro%20Deep%20Security/ReleaseNotes.md)\n\n • There may be [known issues](https://aka.ms/sentinelsolutionsknownissues) pertaining to this Solution, please refer to them before installing.\n\nThe [Trend Micro Deep Security](https://www.trendmicro.com/en_us/business/products/hybrid-cloud/deep-security.html) solution for Microsoft Sentinel enables you to ingest Deep Security logs into Microsoft Sentinel, using the Common Event Format (CEF) for Security Monitoring.\r\n \n\n This solution is dependent on the Common Event Format solution containing the CEF via AMA connector to collect the logs. The CEF solution will be installed as part of this solution installation. \n\n**NOTE:** Microsoft recommends installation of CEF via AMA Connector. Legacy connector uses the Log Analytics agent which is about to be deprecated by **Aug 31, 2024,** and thus should only be installed where AMA is not supported. 
Using MMA and AMA on same machine can cause log duplication and extra ingestion cost [more details](https://learn.microsoft.com/en-us/azure/sentinel/ama-migrate).\n\n**Data Connectors:** 1, **Parsers:** 1, **Workbooks:** 2\n\n[Learn more about Microsoft Sentinel](https://aka.ms/azuresentinel) | [Learn more about Solutions](https://aka.ms/azuresentinelsolutionsdoc)", + "description": "\n\n**Note:** Please refer to the following before installing the solution: \n\n• Review the solution [Release Notes](https://github.com/Azure/Azure-Sentinel/tree/master/Solutions/Trend%20Micro%20Deep%20Security/ReleaseNotes.md)\n\n • There may be [known issues](https://aka.ms/sentinelsolutionsknownissues) pertaining to this Solution, please refer to them before installing.\n\nThe [Trend Micro Deep Security](https://www.trendmicro.com/en_us/business/products/hybrid-cloud/deep-security.html) solution for Microsoft Sentinel enables you to ingest Deep Security logs into Microsoft Sentinel, using the Common Event Format (CEF) for Security Monitoring.\r\n \n\n This solution is dependent on the Common Event Format solution containing the CEF via AMA connector to collect the logs. The CEF solution will be installed as part of this solution installation. \n\n**NOTE:** Microsoft recommends installation of CEF via AMA Connector. Legacy connector uses the Log Analytics agent which were deprecated on **Aug 31, 2024.** and thus should only be installed where AMA is not supported. Using MMA and AMA on same machine can cause log duplication and extra ingestion cost [more details](https://learn.microsoft.com/en-us/azure/sentinel/ama-migrate).\n\n**Parsers:** 1, **Workbooks:** 2\n\n[Learn more about Microsoft Sentinel](https://aka.ms/azuresentinel) | [Learn more about Solutions](https://aka.ms/azuresentinelsolutionsdoc)", "subscription": { "resourceProviders": [ "Microsoft.OperationsManagement/solutions", 
@@ -51,37 +51,6 @@ } ], "steps": [ - { - "name": "dataconnectors", - "label": "Data Connectors", - "bladeTitle": "Data Connectors", - "elements": [ - { - "name": "dataconnectors1-text", - "type": "Microsoft.Common.TextBlock", - "options": { - "text": "This Solution installs the data connector for Trend Micro Deep Security. You can get Trend Micro Deep Security CommonSecurityLog data in your Microsoft Sentinel workspace. After installing the solution, configure and enable this data connector by following guidance in Manage solution view." - } - }, - { - "name": "dataconnectors-parser-text", - "type": "Microsoft.Common.TextBlock", - "options": { - "text": "The Solution installs a parser that transforms the ingested data into Microsoft Sentinel normalized format. The normalized format enables better correlation of different types of data from different data sources to drive end-to-end outcomes seamlessly in security monitoring, hunting, incident investigation and response scenarios in Microsoft Sentinel." - } - }, - { - "name": "dataconnectors-link2", - "type": "Microsoft.Common.TextBlock", - "options": { - "link": { - "label": "Learn more about connecting data sources", - "uri": "https://docs.microsoft.com/azure/sentinel/connect-data-sources" - } - } - } - ] - }, { "name": "workbooks", "label": "Workbooks", diff --git a/Solutions/Trend Micro Deep Security/Package/mainTemplate.json b/Solutions/Trend Micro Deep Security/Package/mainTemplate.json index 199c986e450..b047705a7c5 100644 --- a/Solutions/Trend Micro Deep Security/Package/mainTemplate.json +++ b/Solutions/Trend Micro Deep Security/Package/mainTemplate.json 
@@ -47,18 +47,9 @@ }, "variables": { "_solutionName": "Trend Micro Deep Security", - "_solutionVersion": "3.0.0", + "_solutionVersion": "3.0.1", "solutionId": "trendmicro.trend_micro_deep_security_mss", "_solutionId": "[variables('solutionId')]", - "uiConfigId1": "TrendMicro", - "_uiConfigId1": "[variables('uiConfigId1')]", - "dataConnectorContentId1": "TrendMicro", - "_dataConnectorContentId1": "[variables('dataConnectorContentId1')]", - "dataConnectorId1": "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/dataConnectors', variables('_dataConnectorContentId1'))]", - "_dataConnectorId1": "[variables('dataConnectorId1')]", - "dataConnectorTemplateSpecName1": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-dc-',uniquestring(variables('_dataConnectorContentId1'))))]", - "dataConnectorVersion1": "1.0.0", - "_dataConnectorcontentProductId1": "[concat(take(variables('_solutionId'),50),'-','dc','-', uniqueString(concat(variables('_solutionId'),'-','DataConnector','-',variables('_dataConnectorContentId1'),'-', variables('dataConnectorVersion1'))))]", "workbookVersion1": "1.0.0", "workbookContentId1": "TrendMicroDeepSecurityAttackActivityWorkbook", "workbookId1": "[resourceId('Microsoft.Insights/workbooks', variables('workbookContentId1'))]", 
@@ -82,393 +73,6 @@ "_solutioncontentProductId": "[concat(take(variables('_solutionId'),50),'-','sl','-', uniqueString(concat(variables('_solutionId'),'-','Solution','-',variables('_solutionId'),'-', variables('_solutionVersion'))))]" }, "resources": [ - { - "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates", - "apiVersion": "2023-04-01-preview", - "name": "[variables('dataConnectorTemplateSpecName1')]", - "location": "[parameters('workspace-location')]", - "dependsOn": [ - "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" - ], - "properties": { - "description": "Trend Micro Deep Security data connector with template version 3.0.0", - "mainTemplate": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "[variables('dataConnectorVersion1')]", - "parameters": {}, - "variables": {}, - "resources": [ - { - "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',variables('_dataConnectorContentId1'))]", - "apiVersion": "2021-03-01-preview", - "type": "Microsoft.OperationalInsights/workspaces/providers/dataConnectors", - "location": "[parameters('workspace-location')]", - "kind": "GenericUI", - "properties": { - "connectorUiConfig": { - "id": "[variables('_uiConfigId1')]", - "title": "[Deprecated] Trend Micro Deep Security via Legacy", - "publisher": "Trend Micro", - "descriptionMarkdown": "The Trend Micro Deep Security connector allows you to easily connect your Deep Security logs with Microsoft Sentinel, to view dashboards, create custom alerts, and improve investigation. This gives you more insight into your organization's networks/systems and improves your security operation capabilities.", - "additionalRequirementBanner": "These queries and workbooks are dependent on Kusto functions based on Kusto to work as expected. 
Follow the steps to use the Kusto functions alias \"TrendMicroDeepSecurity\" \nin queries and workbooks. [Follow steps to get this Kusto function.](https://aka.ms/TrendMicroDeepSecurityFunction)", - "graphQueries": [ - { - "metricName": "Total data received", - "legend": "TrendMicroDeepSecurity", - "baseQuery": "\nTrendMicroDeepSecurity\n" - } - ], - "sampleQueries": [ - { - "description": "Intrusion Prevention Events", - "query": "\nTrendMicroDeepSecurity\n\n | where DeepSecurityModuleName == \"Intrusion Prevention\"\n | sort by TimeGenerated" - }, - { - "description": "Integrity Monitoring Events", - "query": "\nTrendMicroDeepSecurity\n\n | where DeepSecurityModuleName == \"Integrity Monitoring\"\n | sort by TimeGenerated" - }, - { - "description": "Firewall Events", - "query": "\nTrendMicroDeepSecurity\n\n | where DeepSecurityModuleName == \"Firewall Events\"\n | sort by TimeGenerated" - }, - { - "description": "Log Inspection Events", - "query": "\nTrendMicroDeepSecurity\n\n | where DeepSecurityModuleName == \"Log Inspection\"\n | sort by TimeGenerated" - }, - { - "description": "Anti-Malware Events", - "query": "\nTrendMicroDeepSecurity\n\n | where DeepSecurityModuleName == \"Anti-Malware\"\n | sort by TimeGenerated" - }, - { - "description": "Web Reputation Events", - "query": "\nTrendMicroDeepSecurity\n\n | where DeepSecurityModuleName == \"Web Reputation\"\n | sort by TimeGenerated" - } - ], - "connectivityCriterias": [ - { - "type": "IsConnectedQuery", - "value": [ - "\nTrendMicroDeepSecurity\n\n | summarize LastLogReceived = max(TimeGenerated)\n | project IsConnected = LastLogReceived > ago(30d)" - ] - } - ], - "dataTypes": [ - { - "name": "CommonSecurityLog (TrendMicroDeepSecurity)", - "lastDataReceivedQuery": "\nTrendMicroDeepSecurity\n\n | summarize Time = max(TimeGenerated)\n | where isnotempty(Time)" - } - ], - "availability": { - "status": 1, - "isPreview": false - }, - "permissions": { - "resourceProvider": [ - { - "provider": 
"Microsoft.OperationalInsights/workspaces", - "permissionsDisplayText": "read and write permissions are required.", - "providerDisplayName": "Workspace", - "scope": "Workspace", - "requiredPermissions": { - "read": true, - "write": true, - "delete": true - } - }, - { - "provider": "Microsoft.OperationalInsights/workspaces/sharedKeys", - "permissionsDisplayText": "read permissions to shared keys for the workspace are required. [See the documentation to learn more about workspace keys](https://docs.microsoft.com/azure/azure-monitor/platform/agent-windows#obtain-workspace-id-and-key).", - "providerDisplayName": "Keys", - "scope": "Workspace", - "requiredPermissions": { - "action": true - } - } - ] - }, - "instructionSteps": [ - { - "description": "Install and configure the Linux agent to collect your Common Event Format (CEF) Syslog messages and forward them to Microsoft Sentinel.\n\n> Notice that the data from all regions will be stored in the selected workspace", - "innerSteps": [ - { - "title": "1.1 Select or create a Linux machine", - "description": "Select or create a Linux machine that Microsoft Sentinel will use as the proxy between your security solution and Microsoft Sentinel this machine can be on your on-prem environment, Azure or other clouds." - }, - { - "title": "1.2 Install the CEF collector on the Linux machine", - "description": "Install the Microsoft Monitoring Agent on your Linux machine and configure the machine to listen on the necessary port and forward messages to your Microsoft Sentinel workspace. The CEF collector collects CEF messages on port 514 TCP.\n\n> 1. Make sure that you have Python on your machine using the following command: python -version.\n\n> 2. 
You must have elevated permissions (sudo) on your machine.", - "instructions": [ - { - "parameters": { - "fillWith": [ - "WorkspaceId", - "PrimaryKey" - ], - "label": "Run the following command to install and apply the CEF collector:", - "value": "sudo wget -O cef_installer.py https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/DataConnectors/CEF/cef_installer.py&&sudo python cef_installer.py {0} {1}" - }, - "type": "CopyableLabel" - } - ] - } - ], - "title": "1. Linux Syslog agent configuration" - }, - { - "description": "1. Set your security solution to send Syslog messages in CEF format to the proxy machine. Make sure to send the logs to port 514 TCP on the machine's IP address.\n2. Forward Trend Micro Deep Security events to the Syslog agent.\n3. Define a new Syslog Configuration that uses the CEF format by referencing [this knowledge article](https://aka.ms/Sentinel-trendmicro-kblink) for additional information.\n4. Configure the Deep Security Manager to use this new configuration to forward events to the Syslog agent using [these instructions](https://aka.ms/Sentinel-trendMicro-connectorInstructions).\n5. Make sure to save the [TrendMicroDeepSecurity](https://aka.ms/TrendMicroDeepSecurityFunction) function so that it queries the Trend Micro Deep Security data properly.", - "title": "2. Forward Trend Micro Deep Security logs to Syslog agent" - }, - { - "description": "Follow the instructions to validate your connectivity:\n\nOpen Log Analytics to check if the logs are received using the CommonSecurityLog schema.\n\n>It may take about 20 minutes until the connection streams data to your workspace.\n\nIf the logs are not received, run the following connectivity validation script:\n\n> 1. Make sure that you have Python on your machine using the following command: python -version\n\n>2. 
You must have elevated permissions (sudo) on your machine", - "instructions": [ - { - "parameters": { - "fillWith": [ - "WorkspaceId" - ], - "label": "Run the following command to validate your connectivity:", - "value": "sudo wget -O cef_troubleshoot.py https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/DataConnectors/CEF/cef_troubleshoot.py&&sudo python cef_troubleshoot.py {0}" - }, - "type": "CopyableLabel" - } - ], - "title": "3. Validate connection" - }, - { - "description": "Make sure to configure the machine's security according to your organization's security policy\n\n\n[Learn more >](https://aka.ms/SecureCEF)", - "title": "4. Secure your machine " - } - ], - "metadata": { - "id": "abf0937a-e5be-4587-a805-fd5dbcffd6cd", - "version": "1.0.0", - "kind": "dataConnector", - "source": { - "kind": "community" - }, - "author": { - "name": "Trend Micro" - }, - "support": { - "name": "Trend Micro", - "link": "https://success.trendmicro.com/technical-support", - "tier": "developer" - } - } - } - } - }, - { - "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", - "apiVersion": "2023-04-01-preview", - "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('DataConnector-', last(split(variables('_dataConnectorId1'),'/'))))]", - "properties": { - "parentId": "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/dataConnectors', variables('_dataConnectorContentId1'))]", - "contentId": "[variables('_dataConnectorContentId1')]", - "kind": "DataConnector", - "version": "[variables('dataConnectorVersion1')]", - "source": { - "kind": "Solution", - "name": "Trend Micro Deep Security", - "sourceId": "[variables('_solutionId')]" - }, - "author": { - "name": "Trend Micro" - }, - "support": { - "name": "Trend Micro", - "tier": "Partner", - "link": "https://success.trendmicro.com/dcx/s/?language=en_US" - } - } - } - ] - }, - "packageKind": "Solution", - 
"packageVersion": "[variables('_solutionVersion')]", - "packageName": "[variables('_solutionName')]", - "packageId": "[variables('_solutionId')]", - "contentSchemaVersion": "3.0.0", - "contentId": "[variables('_dataConnectorContentId1')]", - "contentKind": "DataConnector", - "displayName": "[Deprecated] Trend Micro Deep Security via Legacy", - "contentProductId": "[variables('_dataConnectorcontentProductId1')]", - "id": "[variables('_dataConnectorcontentProductId1')]", - "version": "[variables('dataConnectorVersion1')]" - } - }, - { - "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", - "apiVersion": "2023-04-01-preview", - "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('DataConnector-', last(split(variables('_dataConnectorId1'),'/'))))]", - "dependsOn": [ - "[variables('_dataConnectorId1')]" - ], - "location": "[parameters('workspace-location')]", - "properties": { - "parentId": "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/dataConnectors', variables('_dataConnectorContentId1'))]", - "contentId": "[variables('_dataConnectorContentId1')]", - "kind": "DataConnector", - "version": "[variables('dataConnectorVersion1')]", - "source": { - "kind": "Solution", - "name": "Trend Micro Deep Security", - "sourceId": "[variables('_solutionId')]" - }, - "author": { - "name": "Trend Micro" - }, - "support": { - "name": "Trend Micro", - "tier": "Partner", - "link": "https://success.trendmicro.com/dcx/s/?language=en_US" - } - } - }, - { - "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',variables('_dataConnectorContentId1'))]", - "apiVersion": "2021-03-01-preview", - "type": "Microsoft.OperationalInsights/workspaces/providers/dataConnectors", - "location": "[parameters('workspace-location')]", - "kind": "GenericUI", - "properties": { - "connectorUiConfig": { - "title": "[Deprecated] Trend Micro Deep Security via Legacy", - 
"publisher": "Trend Micro", - "descriptionMarkdown": "The Trend Micro Deep Security connector allows you to easily connect your Deep Security logs with Microsoft Sentinel, to view dashboards, create custom alerts, and improve investigation. This gives you more insight into your organization's networks/systems and improves your security operation capabilities.", - "graphQueries": [ - { - "metricName": "Total data received", - "legend": "TrendMicroDeepSecurity", - "baseQuery": "\nTrendMicroDeepSecurity\n" - } - ], - "dataTypes": [ - { - "name": "CommonSecurityLog (TrendMicroDeepSecurity)", - "lastDataReceivedQuery": "\nTrendMicroDeepSecurity\n\n | summarize Time = max(TimeGenerated)\n | where isnotempty(Time)" - } - ], - "connectivityCriterias": [ - { - "type": "IsConnectedQuery", - "value": [ - "\nTrendMicroDeepSecurity\n\n | summarize LastLogReceived = max(TimeGenerated)\n | project IsConnected = LastLogReceived > ago(30d)" - ] - } - ], - "sampleQueries": [ - { - "description": "Intrusion Prevention Events", - "query": "\nTrendMicroDeepSecurity\n\n | where DeepSecurityModuleName == \"Intrusion Prevention\"\n | sort by TimeGenerated" - }, - { - "description": "Integrity Monitoring Events", - "query": "\nTrendMicroDeepSecurity\n\n | where DeepSecurityModuleName == \"Integrity Monitoring\"\n | sort by TimeGenerated" - }, - { - "description": "Firewall Events", - "query": "\nTrendMicroDeepSecurity\n\n | where DeepSecurityModuleName == \"Firewall Events\"\n | sort by TimeGenerated" - }, - { - "description": "Log Inspection Events", - "query": "\nTrendMicroDeepSecurity\n\n | where DeepSecurityModuleName == \"Log Inspection\"\n | sort by TimeGenerated" - }, - { - "description": "Anti-Malware Events", - "query": "\nTrendMicroDeepSecurity\n\n | where DeepSecurityModuleName == \"Anti-Malware\"\n | sort by TimeGenerated" - }, - { - "description": "Web Reputation Events", - "query": "\nTrendMicroDeepSecurity\n\n | where DeepSecurityModuleName == \"Web Reputation\"\n | sort by 
TimeGenerated" - } - ], - "availability": { - "status": 1, - "isPreview": false - }, - "permissions": { - "resourceProvider": [ - { - "provider": "Microsoft.OperationalInsights/workspaces", - "permissionsDisplayText": "read and write permissions are required.", - "providerDisplayName": "Workspace", - "scope": "Workspace", - "requiredPermissions": { - "read": true, - "write": true, - "delete": true - } - }, - { - "provider": "Microsoft.OperationalInsights/workspaces/sharedKeys", - "permissionsDisplayText": "read permissions to shared keys for the workspace are required. [See the documentation to learn more about workspace keys](https://docs.microsoft.com/azure/azure-monitor/platform/agent-windows#obtain-workspace-id-and-key).", - "providerDisplayName": "Keys", - "scope": "Workspace", - "requiredPermissions": { - "action": true - } - } - ] - }, - "instructionSteps": [ - { - "description": "Install and configure the Linux agent to collect your Common Event Format (CEF) Syslog messages and forward them to Microsoft Sentinel.\n\n> Notice that the data from all regions will be stored in the selected workspace", - "innerSteps": [ - { - "title": "1.1 Select or create a Linux machine", - "description": "Select or create a Linux machine that Microsoft Sentinel will use as the proxy between your security solution and Microsoft Sentinel this machine can be on your on-prem environment, Azure or other clouds." - }, - { - "title": "1.2 Install the CEF collector on the Linux machine", - "description": "Install the Microsoft Monitoring Agent on your Linux machine and configure the machine to listen on the necessary port and forward messages to your Microsoft Sentinel workspace. The CEF collector collects CEF messages on port 514 TCP.\n\n> 1. Make sure that you have Python on your machine using the following command: python -version.\n\n> 2. 
You must have elevated permissions (sudo) on your machine.", - "instructions": [ - { - "parameters": { - "fillWith": [ - "WorkspaceId", - "PrimaryKey" - ], - "label": "Run the following command to install and apply the CEF collector:", - "value": "sudo wget -O cef_installer.py https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/DataConnectors/CEF/cef_installer.py&&sudo python cef_installer.py {0} {1}" - }, - "type": "CopyableLabel" - } - ] - } - ], - "title": "1. Linux Syslog agent configuration" - }, - { - "description": "1. Set your security solution to send Syslog messages in CEF format to the proxy machine. Make sure to send the logs to port 514 TCP on the machine's IP address.\n2. Forward Trend Micro Deep Security events to the Syslog agent.\n3. Define a new Syslog Configuration that uses the CEF format by referencing [this knowledge article](https://aka.ms/Sentinel-trendmicro-kblink) for additional information.\n4. Configure the Deep Security Manager to use this new configuration to forward events to the Syslog agent using [these instructions](https://aka.ms/Sentinel-trendMicro-connectorInstructions).\n5. Make sure to save the [TrendMicroDeepSecurity](https://aka.ms/TrendMicroDeepSecurityFunction) function so that it queries the Trend Micro Deep Security data properly.", - "title": "2. Forward Trend Micro Deep Security logs to Syslog agent" - }, - { - "description": "Follow the instructions to validate your connectivity:\n\nOpen Log Analytics to check if the logs are received using the CommonSecurityLog schema.\n\n>It may take about 20 minutes until the connection streams data to your workspace.\n\nIf the logs are not received, run the following connectivity validation script:\n\n> 1. Make sure that you have Python on your machine using the following command: python -version\n\n>2. 
You must have elevated permissions (sudo) on your machine", - "instructions": [ - { - "parameters": { - "fillWith": [ - "WorkspaceId" - ], - "label": "Run the following command to validate your connectivity:", - "value": "sudo wget -O cef_troubleshoot.py https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/DataConnectors/CEF/cef_troubleshoot.py&&sudo python cef_troubleshoot.py {0}" - }, - "type": "CopyableLabel" - } - ], - "title": "3. Validate connection" - }, - { - "description": "Make sure to configure the machine's security according to your organization's security policy\n\n\n[Learn more >](https://aka.ms/SecureCEF)", - "title": "4. Secure your machine " - } - ], - "id": "[variables('_uiConfigId1')]", - "additionalRequirementBanner": "These queries and workbooks are dependent on Kusto functions based on Kusto to work as expected. Follow the steps to use the Kusto functions alias \"TrendMicroDeepSecurity\" \nin queries and workbooks. [Follow steps to get this Kusto function.](https://aka.ms/TrendMicroDeepSecurityFunction)" - } - } - }, { "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates", "apiVersion": "2023-04-01-preview", @@ -478,7 +82,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "TrendMicroDeepSecurityAttackActivity Workbook with template version 3.0.0", + "description": "TrendMicroDeepSecurityAttackActivity Workbook with template version 3.0.1", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('workbookVersion1')]", 
@@ -568,7 +172,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "TrendMicroDeepSecurityOverview Workbook with template version 3.0.0", + "description": "TrendMicroDeepSecurityOverview Workbook with template version 3.0.1", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('workbookVersion2')]", @@ -658,7 +262,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "TrendMicroDeepSecurity Data Parser with template version 3.0.0", + "description": "TrendMicroDeepSecurity Data Parser with template version 3.0.1", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('parserObject1').parserVersion1]", @@ -782,12 +386,12 @@ "apiVersion": "2023-04-01-preview", "location": "[parameters('workspace-location')]", "properties": { - "version": "3.0.0", + "version": "3.0.1", "kind": "Solution", "contentSchemaVersion": "3.0.0", "displayName": "Trend Micro Deep Security", "publisherDisplayName": "Trend Micro", - "descriptionHtml": "

Note: Please refer to the following before installing the solution:

\n

• Review the solution Release Notes

\n

• There may be known issues pertaining to this Solution, please refer to them before installing.

\n

The Trend Micro Deep Security solution for Microsoft Sentinel enables you to ingest Deep Security logs into Microsoft Sentinel, using the Common Event Format (CEF) for Security Monitoring.

\n\n

This solution is dependent on the Common Event Format solution containing the CEF via AMA connector to collect the logs. The CEF solution will be installed as part of this solution installation.

\n

NOTE: Microsoft recommends installation of CEF via AMA Connector. Legacy connector uses the Log Analytics agent which is about to be deprecated by Aug 31, 2024, and thus should only be installed where AMA is not supported. Using MMA and AMA on same machine can cause log duplication and extra ingestion cost more details.

\n

Data Connectors: 1, Parsers: 1, Workbooks: 2

\n

Learn more about Microsoft Sentinel | Learn more about Solutions

\n", + "descriptionHtml": "

Note: Please refer to the following before installing the solution:

\n

• Review the solution Release Notes

\n

• There may be known issues pertaining to this Solution, please refer to them before installing.

\n

The Trend Micro Deep Security solution for Microsoft Sentinel enables you to ingest Deep Security logs into Microsoft Sentinel, using the Common Event Format (CEF) for Security Monitoring.

\n

This solution is dependent on the Common Event Format solution containing the CEF via AMA connector to collect the logs. The CEF solution will be installed as part of this solution installation.

\n

NOTE: Microsoft recommends installation of CEF via AMA Connector. Legacy connector uses the Log Analytics agent which were deprecated on Aug 31, 2024. and thus should only be installed where AMA is not supported. Using MMA and AMA on same machine can cause log duplication and extra ingestion cost more details.

\n

Parsers: 1, Workbooks: 2

\n

Learn more about Microsoft Sentinel | Learn more about Solutions

\n", "contentKind": "Solution", "contentProductId": "[variables('_solutioncontentProductId')]", "id": "[variables('_solutioncontentProductId')]", @@ -809,11 +413,6 @@ }, "dependencies": { "criteria": [ - { - "kind": "DataConnector", - "contentId": "[variables('_dataConnectorContentId1')]", - "version": "[variables('dataConnectorVersion1')]" - }, { "kind": "Workbook", "contentId": "[variables('_workbookContentId1')]", diff --git a/Solutions/Trend Micro Deep Security/ReleaseNotes.md b/Solutions/Trend Micro Deep Security/ReleaseNotes.md index 4cc5b799798..ff09f0b1e8d 100644 --- a/Solutions/Trend Micro Deep Security/ReleaseNotes.md +++ b/Solutions/Trend Micro Deep Security/ReleaseNotes.md @@ -1,5 +1,6 @@ | **Version** | **Date Modified (DD-MM-YYYY)** | **Change History** | |-------------|--------------------------------|--------------------------------------------------------------------| +| 3.0.1 | 03-01-2025 | Removed Deprecated **Data connector** | | 3.0.0 | 27-06-2024 | Deprecating data connectors | | 2.0.1 | 11-11-2022 | Updated OfferId | | 2.0.0 | 20-07-2022 | Initial Package | \ No newline at end of file From e898783651fb211d0c583c67034d7613fbfcd02d Mon Sep 17 00:00:00 2001 From: v-rusraut Date: Fri, 3 Jan 2025 11:31:44 +0530 Subject: [PATCH 12/22] Repackage - AristaAwakeSecurity --- .../HighMatchCountsByDevice.yaml | 5 +- .../HighSeverityMatchesByDevice.yaml | 5 +- ...tchesWithMultipleDestinationsByDevice.yaml | 5 +- .../Data/Solution_AristaAwakeSecurity.json | 7 +- .../AristaAwakeSecurity/Package/3.0.1.zip | Bin 0 -> 9992 bytes .../Package/createUiDefinition.json | 28 +- .../Package/mainTemplate.json | 515 +++--------------- Solutions/AristaAwakeSecurity/ReleaseNotes.md | 1 + 8 files changed, 70 insertions(+), 496 deletions(-) create mode 100644 Solutions/AristaAwakeSecurity/Package/3.0.1.zip 
diff --git a/Solutions/AristaAwakeSecurity/Analytic Rules/HighMatchCountsByDevice.yaml b/Solutions/AristaAwakeSecurity/Analytic Rules/HighMatchCountsByDevice.yaml index 19ff9a1af6e..bb692638138 100644 --- a/Solutions/AristaAwakeSecurity/Analytic Rules/HighMatchCountsByDevice.yaml +++ b/Solutions/AristaAwakeSecurity/Analytic Rules/HighMatchCountsByDevice.yaml @@ -4,9 +4,6 @@ description: This query searches for devices with unexpectedly large number of a severity: Medium status: Available requiredDataConnectors: - - connectorId: AristaAwakeSecurity - dataTypes: - - CommonSecurityLog (AwakeSecurity) - connectorId: CefAma dataTypes: - CommonSecurityLog @@ -65,5 +62,5 @@ incidentConfiguration: groupByAlertDetails: [] groupByCustomDetails: - Device -version: 1.0.1 +version: 1.0.2 kind: Scheduled \ No newline at end of file diff --git a/Solutions/AristaAwakeSecurity/Analytic Rules/HighSeverityMatchesByDevice.yaml b/Solutions/AristaAwakeSecurity/Analytic Rules/HighSeverityMatchesByDevice.yaml index b5455cca631..810bc2222bf 100644 --- a/Solutions/AristaAwakeSecurity/Analytic Rules/HighSeverityMatchesByDevice.yaml +++ b/Solutions/AristaAwakeSecurity/Analytic Rules/HighSeverityMatchesByDevice.yaml @@ -4,9 +4,6 @@ description: This query searches for devices with high severity event(s). severity: Medium status: Available requiredDataConnectors: - - connectorId: AristaAwakeSecurity - dataTypes: - - CommonSecurityLog (AwakeSecurity) - connectorId: CefAma dataTypes: - CommonSecurityLog @@ -63,5 +60,5 @@ incidentConfiguration: groupByAlertDetails: [] groupByCustomDetails: - Device -version: 1.0.1 +version: 1.0.2 kind: Scheduled \ No newline at end of file diff --git a/Solutions/AristaAwakeSecurity/Analytic Rules/ModelMatchesWithMultipleDestinationsByDevice.yaml b/Solutions/AristaAwakeSecurity/Analytic Rules/ModelMatchesWithMultipleDestinationsByDevice.yaml index 862fa15593d..ca4870ec60e 100644 
--- a/Solutions/AristaAwakeSecurity/Analytic Rules/ModelMatchesWithMultipleDestinationsByDevice.yaml +++ b/Solutions/AristaAwakeSecurity/Analytic Rules/ModelMatchesWithMultipleDestinationsByDevice.yaml @@ -4,9 +4,6 @@ description: This query searches for devices with multiple possibly malicious de severity: Medium status: Available requiredDataConnectors: - - connectorId: AristaAwakeSecurity - dataTypes: - - CommonSecurityLog (AwakeSecurity) - connectorId: CefAma dataTypes: - CommonSecurityLog @@ -63,5 +60,5 @@ incidentConfiguration: groupByAlertDetails: [] groupByCustomDetails: - Device -version: 1.0.1 +version: 1.0.2 kind: Scheduled \ No newline at end of file diff --git a/Solutions/AristaAwakeSecurity/Data/Solution_AristaAwakeSecurity.json b/Solutions/AristaAwakeSecurity/Data/Solution_AristaAwakeSecurity.json index 7a9a4846791..452f16d2e36 100644 --- a/Solutions/AristaAwakeSecurity/Data/Solution_AristaAwakeSecurity.json +++ b/Solutions/AristaAwakeSecurity/Data/Solution_AristaAwakeSecurity.json 
@@ -2,10 +2,7 @@ "Name": "AristaAwakeSecurity", "Author": "Arista Networks - support-security@arista.com", "Logo": "", - "Description": "The [Awake Security Arista Networks solution](https://awakesecurity.com/) for Microsoft Sentinel enable users to send detection model matches from the Awake Security Platform to Microsoft Sentinel.\n\n This solution is dependent on the Common Event Format solution containing the CEF via AMA connector to collect the logs. The CEF solution will be installed as part of this solution installation.\n\n**NOTE:** Microsoft recommends installation of CEF via AMA Connector. Legacy connector uses the Log Analytics agent which is about to be deprecated by Aug 31, 2024, and thus should only be installed where AMA is not supported. Using MMA and AMA on same machine can cause log duplication and extra ingestion cost [more details](https://learn.microsoft.com/en-us/azure/sentinel/ama-migrate).", - "Data Connectors": [ - "Data Connectors/Connector_AristaAwakeSecurity_CEF.json" - ], + "Description": "The [Awake Security Arista Networks solution](https://awakesecurity.com/) for Microsoft Sentinel enable users to send detection model matches from the Awake Security Platform to Microsoft Sentinel.\n\n This solution is dependent on the Common Event Format solution containing the CEF via AMA connector to collect the logs. The CEF solution will be installed as part of this solution installation.\n\n**NOTE:** Microsoft recommends installation of CEF via AMA Connector. Legacy connector uses the Log Analytics agent which were deprecated on **Aug 31, 2024**. Using MMA and AMA on same machine can cause log duplication and extra ingestion cost [more details](https://learn.microsoft.com/en-us/azure/sentinel/ama-migrate).", "Analytic Rules": [ "Analytic Rules/HighMatchCountsByDevice.yaml", "Analytic Rules/HighSeverityMatchesByDevice.yaml", 
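Review bot: The rewritten `Description` value on the `+` line has a subject–verb mismatch in "the Log Analytics agent which were deprecated on"; suggest `Legacy connector uses the Log Analytics agent, which was deprecated on **Aug 31, 2024**.` The same string also still reads "solution ... enable users", which should be "enables users" while the text is being touched. The description continues to promise that "The CEF solution will be installed as part of this solution installation", yet after removing the `Data Connectors` array no dependency on the Common Event Format solution is visible in this hunk; if it is not declared elsewhere in the file, either add that dependency entry or soften the sentence so the user-facing text matches what the package actually installs.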
@@ -19,7 +16,7 @@
 ],
 "Metadata": "SolutionMetadata.json",
 "BasePath": "C:\\Sentinel-Repos\\19.05.22\\Azure-Sentinel\\Solutions\\AristaAwakeSecurity",
- "Version": "3.0.0",
+ "Version": "3.0.1",
 "TemplateSpec": true,
 "Is1Pconnector": false
 }
\ No newline at end of file
diff --git a/Solutions/AristaAwakeSecurity/Package/3.0.1.zip b/Solutions/AristaAwakeSecurity/Package/3.0.1.zip new file mode 100644 index 0000000000000000000000000000000000000000..796ec0aea11b3899466af455bd8ee36b729f0375 GIT binary patch literal 9992 zcmZ{~RZtuZ&@74scXxLW?(XjH5M*(82+rab+yVsm;I50iyDveOV8QKv|2<*r;E<1)7YR7W;AN`Ac(i4WUF3Xp;*`{<-!m&aU?AWxWVUZM}aw|UG-S}Hz zos907X=h=5sAfy*y%YbGe-8j78Ewt*kq-@oSqnli1pg_pyPZ7;IRC>?lYUJiHf%F_mfG3;kFC+T_`KvN;GVVNiktCcunx8}>}@<6N3FANp15sVY+p1od-aE*jDH8|ej zD>Aio*FbGb6!3K5nOc(yi0zW<7R}bGl;6D~^I3kIR%H!oCbSeLM-rnR%Tc;Ing5If z%~AH7u@sxsD4I02bgIokwcJd2WVeyl=x6euG2G9@0wX9(+{$^c(^zBUnPDZ>q5>cu zhKq3=Y{-$0T=;MQ$s^VpV|u2iJn@Lwi?CzLzLm%1_NPqF(OhiQU3T-KQ*%YFkNd;8m;J5V!N6kT$*Y; z*U85Ip_HptMay_UhE#qnZBLsN)Z=^`#Sv3IR+7GSM>>Rq@hx6Xq@pbrXJtyXZMZe) z0RNE*@R!ocUJB*VaX~n&$;wp=p$nP*n0YZdf4ROM^Y(~gCJap1i{g7OF)c9$k>pwY z^dJLf8P(Ys@Wf2I&j&B~TimjY&>uJAv+BwIy5E!z-+rP$pV>8^Ui#v(ib>2!`8;^w=K=*0mZSMYPA&v6EdtNQ}duba3c2=>#Yx zTcy@J@tlVW5Wjvq@cYf*_t2&B8IJA{6HcqeBksRPUgS%Iqn(|YFEcLhm#{g3B*~Qz zY59E+jC0CTH~|p+?3IYx$@?43xf9q18x_-IT*Gq=nh6wYJPrFu)!V=tjYapKCZMLj zJ+L3Qs+D0zk6(D0evWbXNj|M(M5N;UIXvZNYX(9} zDj1~-h-Jeh5N2q$+&xqeyiE#s-1^WbjBo4Xw0VM6>qROiuK(_!8<@L-m_TjI)Q~kG zpOvbj15QSmkEt$3Lg$8X{FnvP6};AWk_}HSEw7!Z4cPiLOI=W}wC}uRzt@7B`rb7c zD%Q?blFlakB-sT4CkCjq1wAy7MZ68PwpoY5Ll_CAWtr^6#wlDJ;yF3!ZP2YELD6 ztCoyxmfP$C9mcw7gV?=2+BnZTBuk`F$~kt7$)u{nC3nO2`sS*r&@JzL z!ND`d?5(MXcbR6JodY>5#iTz2?^`ABKKuIceYLbnur_Upk4LMIYvMh{k<6y9LCR$Z z1pwzWM_<9GuHfR=q_+^5H;NW=--gw4h%o9GAO(pGL<6kA`*6=DjO|Di)Dd7xaw}f5 z#xCuCJDhKgDFyPTLH0RC1ufG$kKF3?Ol%`YrYlbKaxu@O!=-7n5g{}>hEMP4xiApC zi_{N^Gs8TH2Yks#B9%RRZ|O;R_tR|r1jtLuxMd@wORj;k%RZ;jzkhI&g`B(WaEu!~ zV$`CFf`Rqlw8erLo^+DMKU+i#bto-DikmsXeyp%n9xwb-5mQUnKm7rtU5CYDel^>+ z{*PRxox3@0?1H^hWy_;UAIAmoC$S4Se|hN-v+~EvUxrLobPo9wkLyq{ePcB@<~s+j zg)((HO3@WPS7dl#7pwEQW0*enA2BrkKaGKEOk+eCGx2qc3<}C*2nq`8KaJsR32@P| zadvb1Pig$W>H;F_=(#1Aw%2g}F^ubJsHq$IC7fdc53H7XB!jo1XQ=cxsKX>}pG&*YkF@CW;|~KwBw)C~#cfgKOJW(OpqdBz=4L{gZ$y@iP`el(#g>y_gNUp$_oz 
zV=N?{u2QdXntgi;{b)kn2qT*Y8+h60TozmUpfv}dHbxO_AM~*BnfvkBB77#neCEl; zb66mRpj!9;{^|isu?C>Xei9cHv*Yx(PrwZtMYsmC9~ojEE~n2YS}B<|Kk*@o%ZyMi zcr+mntpl@rQFosHeliw?k03<`O$espP(@D-7>_o7jiqz{h8-!hFWOl~v0f&#EU};Q z6Cf##>;*kRRNXUB-ee&u79Ml66Mn#@N!sR0$EziYLr!wm1`n4<(+4(6+ii&G&VW{u&eZQABNhK}68 zw}ageZy{B{h9gx&^ek-#y)PBDGHpaA_iR}g>?gV9R0lD!m9!!Teem32YK zVREZ%Y&YQ(EpBht+1tk?Ee@vx)XrrbkY2z@Hj*=3fj)B+x_Q}lAP~HDngrPTIef5A z=ml@vAIx(~dLK=sVkmx zhmBi31=s9uy=ADJ-ik4?u(#!UNmgI%(a?&t`Lnob&FJOtl`{RTK{GwUtDu-yo(C5E z?4n*^DPgQ+UM`VM=Y)fDjUBaSV4W!O-y43Jc^@YGbOGi;L3^vT6#TFuG)iaVp9hrcu@!6gjoxbmL$f4uTxbzmKO)iCU);H z%uesJ%qGe4Y&z>N7rGtz>W>-+v-Eg>m-Q{hR&wUin`1ILeHgjBoIR})ULy)QEiX%b zvb+miVsxwB{$S~JjK19KcHHS#xv{ag{l_HuIppoPSvkav%>s{PTPkqGLqLWLleY-D zr;_+x;2?BvB=-f(`^c4-&U%|A@Vw=&+50=NqD(}&+g6VAcA7}LHjCErT?|M^odg{b?c@VV^CNzTB1?$)CwmZty{uD)pSd%An#z@{KuODf|4;9JXFgG%Q4N1=fJ{vM*QZmV#?@k6{X?GLg%$_4 zi?mZMLM0kDtWpmPHtji8T>3L)u&PPT?cW>u#^*M#RPah~%xb`LMkM1fLQaE03;{a}Mr) z%EBGdv~~vDTM)#dpZ8z37tMx3gc?Ijb3FHO3MeZVKfg&GkebYF14E%Pt`tV>5r4_{ zM1rr6Fp;9nUm!T^McIP8WHMpV0M?S~fyjYX#b6NmlS9*;h0yIMO?O96YSKsE}8)8MwU zWfKP%&PwU~>NvxI7H+qg{;%!YZBJQs2gc;Eu@el61CwiUcbIpti2+QQ#Qb6bxAzVt zD?Rnc$B8F3?0?#rpvo_2__){USBhIas_gfuwth}jsJ`mxn#ouzO~N@m&DxfM)A*42 z9E<>wEOv)w`_#jcD+P={1qkgg3pAv`AW~n!F(jJ5+;V6@A-O(1md?puRHCdxXD36mpGY|zSN9H9&=Lhf@psT{?fnUspn)a3BPLxKG zfoAamWl^6?bntCHD3%2R=!J_6X)7C1W?J6f*u79!v=J%nhNQ}d0NKT#OMvn6ZLW9L zBTDj~FtkV=>$5W-)pk3yyudC3R(Ma%UeZTK)-LEG|A>#YhOC>S7gdFUd6eCKGiZZd zZ5OCxwFHuj9`hQgbSkwO*o<13knWPV~4+mW;^Fa?{a5<~~ zNY}W!*kSO|lmO29jN|Z&?#gV@$&4z!Om+7}y{qRdEV|F3+LC}&|CF}>KgSvRjcif$ ztS*6wx!dslVZyXeC&HzLZ%Q6Q42RD<820PiXoX#i{IyNlCN!ZF`mBYq8kcGQCNq4g zUPg`DD_)8;jdV6t5i)b)_u)W6JCCDZPOW;T4U&AxM|?wBK~e{jSb+uK`h1?*I)gN= ziu0rHaD$xj3w2=mbO#+*=I@+QY7GK-;_@sIwoQne zO`W!7?d5efLe@eXsXZfuB2hK_?29g88osW_>(7Gco75T$>^eq!U89L#r!*{Cc$p@E zGTSX?N{__UYT`3*)1{*A@MX_b1`eiVos{z4A71I(O4W*KJ)b&R^byCRm-L$sCJoG? 
zqg>4WKP@4{#_z0i_u~7kx*OoN;$`Zd!Wx_b`q$id?sP?4I0S~QwdwC>rS1-Dva%i9 zR-LPoHH6YAaS?cKBpJLYG#DRr93cetB{^L=$pACl*&=?!tg&jRYPdVL&cK_r2lhMG zPW8|`ET`%ry^iDOcE@c)5@O%gdiOtKdPiz>{9F{fyjNbxjL>x#FuM&+{&u>X_tdYX zXX4fV{L&b|UJxVoFLM_@U|+lx<7LSE`%N2?=2#x9#vgz6J08(Fi^OdF%@2rlaybD! z2Ct#9ghRS4Cmh$%w!DXZb{b9jSrH!8FQRqZ0)Y-epw18?IS)DP31>*5sKcJ})iKV) zxo@A+!qL$~@9#WwPkvwLhC|1-hqQT+e0STL^p+Wj8SdNZcaN>9#j0z3XAU$343|J> z{eDXI#fNG`@ihDY2#XNYt&5HN%d)Vo%38y020-8nFGuqBL$y9*kNibVT+zRywXOEP zHqbMokFMowcYB`@iII7M>BUrV!m56*Z1XAEH`j(tGYGp#=ERCm@7FpxrGZ&*=&QAL zlnWi=*Z=hl0=_JUXx4B>k1_HP`x#GXegnA;Ek&>Xzu6tj@eJver8&;?_D7>Jtz+Xj zUSmFNjjzFJiP2QO-8WC|F<^q^#@6-S)(IbHE?&nq`mNT9mIl*2R^h-k`lYbT&2QDJ z(R;n!|ER_kUkqDeMM~Zc);Hm^Pb=|+?VtHf@TE87Yf`T8>zb$kfG9KT&^gz9mmL0X z)l=yOT@qVicRks!VFubu*BVrZ^1Q3N0KHoVJ>R3VqazUbN7`7dQWyZh6;^7+mhNZ+ zz(YONgVP%3(txwhD(iGQ&&YXh)|eyES(~IsUcNT2_}`XE`xVeR{tgSZX6WJZ99Y$` z!y2q_-52J)m-bYDSLPXW^=n@7_QcTvz?6|Te5sXu%;9L7(ZA+r>Q-lYrjxVDrA_+K zH%2S@Q>xA$o~pKaMDH5$0=$2UarXbC)N47NxjuG1Wj(#9K{56lJ< zL%YUY8&rRN)0McsyV{MSzCg9Wkzs1W&bx36wfwAHvN>6Atg8ojz1ofuQVhy1xzCAN z**2&qJ0<;GWgZtP3S+BkUoPVMSTD6cp_@|_qBK0Gu2?YM;0Zf;TDs2@u+-48->jBC)_^G&<`V^&iQYn zp22p$xGRwxuY&-y5xZO4qYTU(r0*>4R1}HCX9SH10Jnq82$Wf~F4Zce(8?!71ntsA zm-bbI4A1dO596XVGz3+RL___-wuH-&3Ok{nfb`O^g-f)6(Rm13f>?w!XXEKe(-!Hf zZQ-LMbrFk@+E=rK$5@d6ZTjGy%tqsA;z0?ei{NZ1I0m~5%PdYpQ<$d;M31S6n$MZC z9Wm_A10cc4Q?vJ7FFx}5bg#q%1JLR=!gzmhc?vX6Cs`ZNm&!ekLwkybi63ZStPenh z)IL*>nUPC{v^;5KjT$@y#&}_M>UY>r^IO&a{9rj|tC6|!1MmwXPP=y&Q|NX~rfHQz zAEZQE4otkA`UZ#O4tbq~md~PN^LQA=Rl9+sXRlf?M;aF(yd?N{5^8j7Crbz z-O4@}XL&#)Boz8_DyNKE|IA~#VPacqba$|Rk1Qz%86_8tOt~W7NgOX4O?LeX}qkQ5#^OCzy&b zRYWl~>0z|KL}J=Oo%x~Y7XHbt@v7EC8sc%%R|Z~zcj0?=qdt->f8@zG^uYw>!ENfI zs7MQ-`oF!Qj8BcHk8=w@Hg~>kn@u#%pr6E3!X)42NBfr@VjX6{V4Gz->e_C;%B+~N z2(z;5Rh^}wD{?Yu2!D>^7k@*alveed1wkkIMVSp)r~B2F6w&*67`dFa21$xq$YCBL zh_Of3Sj>OqZ^db1Z_1~@^$f~$+{Dc)_z45p-tB^gAGIOt=l+;{*1s9mj&^=@{Ysz1CizJHv-+G75p zRyPOS+(|m8dF;Im_??9{SF&Px#q|2LbDxq#Ow4n3l`nBeJI(WrPD9XNc1oKBAxH~g 
zt&Q_lm){!n`tNlA(#8NTQ)~&TyL~Z8nB2#v`~uGcpWmeG^Rj*s!w*W9PpXeMxEv>$ zCO0q!Rf$Bz{;uR9vqpsgm5I6+F#3myx{yc0lw?v@`Ts>;zdb9f^fZLSotq&W~J2X1LaI$i>8n$Ue(dcY(D)ApesjIy8sa#lZrj zP++RJ)@vQhO(*P$y*Obwc@iyp*Bezvp#cHP%-5xIEJteIB3aRZs4FUULL0}yXE@_r zjNFzqJS6$6PEUS%t14MS3j)y`cTy15u4H_s^|NCEQmgG$8q(w7Ahdc5ilbfd9YH34 z@{P0!v#Z%rM(Vjm6JL|Y?S7?4C!9Dn)YwofB9GKm@gNT9yR($Z0iMD>=6?6X&!`+z zdQa#AuRl}IWy1G6NF(GSZ$kxLr-e`C;|Ez(A0x8+4A!ek$C{4PDL+>5!XTV2Rj z=VkTAc2oSh9?vwML)~Wcem*L{qGbK6ekPN6pdq_BW1Lx0u`7JtDOX9)lP_`3M=3$Dh&j*me<=ukUHJ`6~rsK_5flD&5u zkRQGK7GM}2xcU5D_W8AYa;SbBmO^K}PHwkBs?XF=$XKx6yfRDo9|IF>ji?CAO6(on zsH($Cy#VP)F{ry`7l`?H5D{+b6 zOi+QFbob3-K<_~O>pvn+Kbya812kE6Gs#e;{LWRpe{e~o8^k5kI%&1;3a%OlEyE2d zuN1<-+D`qB<1Ly#@ASaNxa@m7pWBR+m-G-2U&@$i+MN#swq`omL6HwbolYTxN%`d~ z->@lXkRT3)-fgU0q~s;73TO!;2K;YKMz zVc?pe{FfGFQ$#6pn@-+8Jc*)(0d&r_+HJP?4o<`@h4@7>P8z!AEV+MS40OX(k7iJ= zCEfp=Q=U1*V!mod&lMzFHT{K18LKT9rR35LrJYo`wXOH(Mu|!e7wK=LU*IVPGU1i9 z#dPt7*~n)G!Gpch)4v zCh9K9?}SAZTHM4^ryQ@0DU?-9F-q$uR9g5q74SIvN#Hj5&xz1+(u<>@?^j%7!y!TO~t4k zTb0GB9YsmvYr)zBARW`d zkg7L?-+~hk@+n@4UL)hw&Nae7%&@iSb-*8^EZZR%V?sst@lu_Vy+1dGPiUOyOET}j z65gWFGh}v^>HN2HQNWc~b6!-PUp~DN!kMmX2x&tJT0YufUC@W9(s$t2;;xl^(_IMQ zhA0gL7&dw#B-#?~4(`nW;kaHwE9k(_yR|(?n$RTEfNlN`)LAG0h=_a(_dQwfio2m! 
zhE%rOVxpkx3)vTxJ4?_b5?nq&cTS6&~r-Zj) zM`%Vxd|J3l9m=7aHzdP%sC}{dyZF9lpZbM{leafqgLGi;oog)9L*-$1_;O3ic=dlu z*sdzzML5#d;xi@`qS_Mt(63?Hm*937{msF?&KV_fb}#txi{9d!C0cpBv9ST-p)3&& zsW5)~FP9}&X`Fd7O1=c;NTx4x^|}bFPSw=M$_||Si+zCK4FOhE~?eh`s*VhySp&JWMP^m;wIxGhfbpDyCXUnNVwZgC0 zrF+Kk)(>VSA7;`^9b3t)5@fNO?z31?CXKuZx}Nr=8Do41dC$efht|3tm`En=e{l`{ zA$SRW+n{?nBBR=MS%e(SzG5;fq&fc|6~^1D2=TKhX))K+3r^k0?TQuAtCC7At$H}c z>ikn8bxcvwqVBeYu(oE!s0jv#HHRAhPI=L*MV9J^DJ_4$Y1alH*VWYQ=d=XH-V@n5j6=$aHjZVInjx9tE;e-{!4t$_Ae2zKIt!%K_I{)ct zX!!)jxVqg~auC3-0T1x(8BrFsK}EU(sj7s9vV=vVZZKcIw^u(#d!_P( zJSF&h%Y9T>-qGj;*#ulYbHrypGo?}ZM~KblUJe9QhU2fhj%L`CO{dsqnwHsfPF{9@ zxKF0Y_t&=0@yp*SmzZ|M*uTq3#Gsbm!)j*AdTz(Rc60_5z@t@+X0+HfqHa+zM>)M; z@?Sr~X(&U(;6nZ1^Jf3q!BEgpl>Y<&)&C`Z_WwWfe=?N+hx)&ceEToT_P^Q78p?3+ R|FZ(~Uq}9jF7*F1{XeGWX&nFn literal 0 HcmV?d00001 diff --git a/Solutions/AristaAwakeSecurity/Package/createUiDefinition.json b/Solutions/AristaAwakeSecurity/Package/createUiDefinition.json index 8a0e6b99fb5..d8f5c1b6718 100644 --- a/Solutions/AristaAwakeSecurity/Package/createUiDefinition.json +++ b/Solutions/AristaAwakeSecurity/Package/createUiDefinition.json 
@@ -6,7 +6,7 @@ "config": { "isWizard": false, "basics": { - "description": "\n\n**Note:** Please refer to the following before installing the solution: \n\n• Review the solution [Release Notes](https://github.com/Azure/Azure-Sentinel/tree/master/Solutions/AristaAwakeSecurity/ReleaseNotes.md)\n\n • There may be [known issues](https://aka.ms/sentinelsolutionsknownissues) pertaining to this Solution, please refer to them before installing.\n\nThe [Awake Security Arista Networks solution](https://awakesecurity.com/) for Microsoft Sentinel enable users to send detection model matches from the Awake Security Platform to Microsoft Sentinel.\n\n This solution is dependent on the Common Event Format solution containing the CEF via AMA connector to collect the logs. The CEF solution will be installed as part of this solution installation.\n\n**NOTE:** Microsoft recommends installation of CEF via AMA Connector. Legacy connector uses the Log Analytics agent which is about to be deprecated by Aug 31, 2024, and thus should only be installed where AMA is not supported. 
Using MMA and AMA on same machine can cause log duplication and extra ingestion cost [more details](https://learn.microsoft.com/en-us/azure/sentinel/ama-migrate).\n\n**Data Connectors:** 1, **Workbooks:** 1, **Analytic Rules:** 3\n\n[Learn more about Microsoft Sentinel](https://aka.ms/azuresentinel) | [Learn more about Solutions](https://aka.ms/azuresentinelsolutionsdoc)", + "description": "\n\n**Note:** Please refer to the following before installing the solution: \n\n• Review the solution [Release Notes](https://github.com/Azure/Azure-Sentinel/tree/master/Solutions/AristaAwakeSecurity/ReleaseNotes.md)\n\n • There may be [known issues](https://aka.ms/sentinelsolutionsknownissues) pertaining to this Solution, please refer to them before installing.\n\nThe [Awake Security Arista Networks solution](https://awakesecurity.com/) for Microsoft Sentinel enable users to send detection model matches from the Awake Security Platform to Microsoft Sentinel.\n\n This solution is dependent on the Common Event Format solution containing the CEF via AMA connector to collect the logs. The CEF solution will be installed as part of this solution installation.\n\n**NOTE:** Microsoft recommends installation of CEF via AMA Connector. Legacy connector uses the Log Analytics agent which were deprecated on **Aug 31, 2024**. Using MMA and AMA on same machine can cause log duplication and extra ingestion cost [more details](https://learn.microsoft.com/en-us/azure/sentinel/ama-migrate).\n\n**Workbooks:** 1, **Analytic Rules:** 3\n\n[Learn more about Microsoft Sentinel](https://aka.ms/azuresentinel) | [Learn more about Solutions](https://aka.ms/azuresentinelsolutionsdoc)", "subscription": { "resourceProviders": [ "Microsoft.OperationsManagement/solutions", 
@@ -51,30 +51,6 @@ } ], "steps": [ - { - "name": "dataconnectors", - "label": "Data Connectors", - "bladeTitle": "Data Connectors", - "elements": [ - { - "name": "dataconnectors1-text", - "type": "Microsoft.Common.TextBlock", - "options": { - "text": "This solution installs the Awake Security CEF connector which allows users to send detection model matches from the Awake Security Platform to Microsoft Sentinel. The connector also enables the creation of network security-focused custom alerts, incidents, workbooks, and notebooks that align with your existing security operations workflows. After installing the solution, configure and enable this data connector by following guidance in Manage solution view." - } - }, - { - "name": "dataconnectors-link2", - "type": "Microsoft.Common.TextBlock", - "options": { - "link": { - "label": "Learn more about connecting data sources", - "uri": "https://docs.microsoft.com/azure/sentinel/connect-data-sources" - } - } - } - ] - }, { "name": "workbooks", "label": "Workbooks", @@ -88,7 +64,7 @@ "name": "workbooks-text", "type": "Microsoft.Common.TextBlock", "options": { - "text": "The workbook installed with the Awake Security Arista Networks help’s you gain insights into the telemetry collected in Microsoft Sentinel. After installing the solution, start using the workbook in Manage solution view." + "text": "This solution installs workbook(s) to help you gain insights into the telemetry collected in Microsoft Sentinel. After installing the solution, start using the workbook in Manage solution view." } }, { diff --git a/Solutions/AristaAwakeSecurity/Package/mainTemplate.json b/Solutions/AristaAwakeSecurity/Package/mainTemplate.json index bb47c630b9b..8471695f2e7 100644 --- a/Solutions/AristaAwakeSecurity/Package/mainTemplate.json +++ b/Solutions/AristaAwakeSecurity/Package/mainTemplate.json 
@@ -41,38 +41,29 @@ "email": "support-security@arista.com", "_email": "[variables('email')]", "_solutionName": "AristaAwakeSecurity", - "_solutionVersion": "3.0.0", + "_solutionVersion": "3.0.1", "solutionId": "arista-networks.awake-security", "_solutionId": "[variables('solutionId')]", - "uiConfigId1": "AristaAwakeSecurity", - "_uiConfigId1": "[variables('uiConfigId1')]", - "dataConnectorContentId1": "AristaAwakeSecurity", - "_dataConnectorContentId1": "[variables('dataConnectorContentId1')]", - "dataConnectorId1": "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/dataConnectors', variables('_dataConnectorContentId1'))]", - "_dataConnectorId1": "[variables('dataConnectorId1')]", - "dataConnectorTemplateSpecName1": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-dc-',uniquestring(variables('_dataConnectorContentId1'))))]", - "dataConnectorVersion1": "1.0.0", - "_dataConnectorcontentProductId1": "[concat(take(variables('_solutionId'),50),'-','dc','-', uniqueString(concat(variables('_solutionId'),'-','DataConnector','-',variables('_dataConnectorContentId1'),'-', variables('dataConnectorVersion1'))))]", "analyticRuleObject1": { - "analyticRuleVersion1": "1.0.1", + "analyticRuleVersion1": "1.0.2", "_analyticRulecontentId1": "90b7ac11-dd6c-4ba1-a99b-737061873859", "analyticRuleId1": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', '90b7ac11-dd6c-4ba1-a99b-737061873859')]", "analyticRuleTemplateSpecName1": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring('90b7ac11-dd6c-4ba1-a99b-737061873859')))]", - "_analyticRulecontentProductId1": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','90b7ac11-dd6c-4ba1-a99b-737061873859','-', '1.0.1')))]" + "_analyticRulecontentProductId1": 
"[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','90b7ac11-dd6c-4ba1-a99b-737061873859','-', '1.0.2')))]" }, "analyticRuleObject2": { - "analyticRuleVersion2": "1.0.1", + "analyticRuleVersion2": "1.0.2", "_analyticRulecontentId2": "d5e012c2-29ba-4a02-a813-37b928aafe2d", "analyticRuleId2": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', 'd5e012c2-29ba-4a02-a813-37b928aafe2d')]", "analyticRuleTemplateSpecName2": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring('d5e012c2-29ba-4a02-a813-37b928aafe2d')))]", - "_analyticRulecontentProductId2": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','d5e012c2-29ba-4a02-a813-37b928aafe2d','-', '1.0.1')))]" + "_analyticRulecontentProductId2": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','d5e012c2-29ba-4a02-a813-37b928aafe2d','-', '1.0.2')))]" }, "analyticRuleObject3": { - "analyticRuleVersion3": "1.0.1", + "analyticRuleVersion3": "1.0.2", "_analyticRulecontentId3": "dfa3ec92-bdae-410f-b675-fe1814e4d43e", "analyticRuleId3": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', 'dfa3ec92-bdae-410f-b675-fe1814e4d43e')]", "analyticRuleTemplateSpecName3": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring('dfa3ec92-bdae-410f-b675-fe1814e4d43e')))]", - "_analyticRulecontentProductId3": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','dfa3ec92-bdae-410f-b675-fe1814e4d43e','-', '1.0.1')))]" + "_analyticRulecontentProductId3": "[concat(take(variables('_solutionId'),50),'-','ar','-', 
uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','dfa3ec92-bdae-410f-b675-fe1814e4d43e','-', '1.0.2')))]" }, "workbookVersion1": "1.0.0", "workbookContentId1": "arista-networks", 
@@ -84,365 +75,6 @@ "_solutioncontentProductId": "[concat(take(variables('_solutionId'),50),'-','sl','-', uniqueString(concat(variables('_solutionId'),'-','Solution','-',variables('_solutionId'),'-', variables('_solutionVersion'))))]" }, "resources": [ - { - "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates", - "apiVersion": "2023-04-01-preview", - "name": "[variables('dataConnectorTemplateSpecName1')]", - "location": "[parameters('workspace-location')]", - "dependsOn": [ - "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" - ], - "properties": { - "description": "AristaAwakeSecurity data connector with template version 3.0.0", - "mainTemplate": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "[variables('dataConnectorVersion1')]", - "parameters": {}, - "variables": {}, - "resources": [ - { - "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',variables('_dataConnectorContentId1'))]", - "apiVersion": "2021-03-01-preview", - "type": "Microsoft.OperationalInsights/workspaces/providers/dataConnectors", - "location": "[parameters('workspace-location')]", - "kind": "GenericUI", - "properties": { - "connectorUiConfig": { - "id": "[variables('_uiConfigId1')]", - "title": "[Deprecated] Awake Security via Legacy Agent", - "publisher": "Arista Networks", - "descriptionMarkdown": "The Awake Security CEF connector allows users to send detection model matches from the Awake Security Platform to Microsoft Sentinel. Remediate threats quickly with the power of network detection and response and speed up investigations with deep visibility especially into unmanaged entities including users, devices and applications on your network. 
The connector also enables the creation of network security-focused custom alerts, incidents, workbooks and notebooks that align with your existing security operations workflows. ", - "graphQueries": [ - { - "metricName": "Total data received", - "legend": "AwakeSecurity", - "baseQuery": "CommonSecurityLog\n| where DeviceVendor == \"Arista Networks\"\n| where DeviceProduct == \"Awake Security\"" - } - ], - "sampleQueries": [ - { - "description": "Top 5 Adversarial Model Matches by Severity", - "query": "union CommonSecurityLog\n| where DeviceVendor == \"Arista Networks\" and DeviceProduct == \"Awake Security\"\n| summarize TotalActivities=sum(EventCount) by Activity,LogSeverity\n| top 5 by LogSeverity desc" - }, - { - "description": "Top 5 Devices by Device Risk Score", - "query": "CommonSecurityLog\r\n| where DeviceVendor == \"Arista Networks\" and DeviceProduct == \"Awake Security\"\r\n| extend DeviceCustomNumber1 = coalesce(column_ifexists(\"FieldDeviceCustomNumber1\", long(null)), DeviceCustomNumber1, long(null))\r\n| summarize MaxDeviceRiskScore=max(DeviceCustomNumber1),TimesAlerted=count() by SourceHostName=coalesce(SourceHostName,\"Unknown\")\r\n| top 5 by MaxDeviceRiskScore desc" - } - ], - "dataTypes": [ - { - "name": "CommonSecurityLog (AwakeSecurity)", - "lastDataReceivedQuery": "CommonSecurityLog\n| where DeviceVendor == \"Arista Networks\"\n| where DeviceProduct == \"Awake Security\"\n| summarize Time = max(TimeGenerated)\n| where isnotempty(Time)" - } - ], - "connectivityCriterias": [ - { - "type": "IsConnectedQuery", - "value": [ - "CommonSecurityLog\n| where DeviceVendor == \"Arista Networks\"\n| where DeviceProduct == \"Awake Security\"\n| summarize LastLogReceived = max(TimeGenerated)\n| project IsConnected = LastLogReceived > ago(30d)" - ] - } - ], - "availability": { - "status": 1, - "isPreview": false - }, - "permissions": { - "resourceProvider": [ - { - "provider": "Microsoft.OperationalInsights/workspaces", - "permissionsDisplayText": "read 
and write permissions are required.", - "providerDisplayName": "Workspace", - "scope": "Workspace", - "requiredPermissions": { - "read": true, - "write": true, - "delete": true - } - }, - { - "provider": "Microsoft.OperationalInsights/workspaces/sharedKeys", - "permissionsDisplayText": "read permissions to shared keys for the workspace are required. [See the documentation to learn more about workspace keys](https://docs.microsoft.com/azure/azure-monitor/platform/agent-windows#obtain-workspace-id-and-key).", - "providerDisplayName": "Keys", - "scope": "Workspace", - "requiredPermissions": { - "action": true - } - } - ] - }, - "instructionSteps": [ - { - "description": "Install and configure the Linux agent to collect your Common Event Format (CEF) Syslog messages and forward them to Microsoft Sentinel.\n\n> Notice that the data from all regions will be stored in the selected workspace", - "innerSteps": [ - { - "title": "1.1 Select or create a Linux machine", - "description": "Select or create a Linux machine that Microsoft Sentinel will use as the proxy between your security solution and Microsoft Sentinel this machine can be on your on-prem environment, Azure or other clouds." - }, - { - "title": "1.2 Install the CEF collector on the Linux machine", - "description": "Install the Microsoft Monitoring Agent on your Linux machine and configure the machine to listen on the necessary port and forward messages to your Microsoft Sentinel workspace. The CEF collector collects CEF messages on port 514 TCP.\n\n> 1. Make sure that you have Python on your machine using the following command: python -version.\n\n> 2. 
You must have elevated permissions (sudo) on your machine.", - "instructions": [ - { - "parameters": { - "fillWith": [ - "WorkspaceId", - "PrimaryKey" - ], - "label": "Run the following command to install and apply the CEF collector:", - "value": "sudo wget -O cef_installer.py https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/DataConnectors/CEF/cef_installer.py&&sudo python cef_installer.py {0} {1}" - }, - "type": "CopyableLabel" - } - ] - } - ], - "title": "1. Linux Syslog agent configuration" - }, - { - "description": "Perform the following steps to forward Awake Adversarial Model match results to a CEF collector listening on TCP port **514** at IP **192.168.0.1**:\n- Navigate to the Detection Management Skills page in the Awake UI.\n- Click + Add New Skill.\n- Set the Expression field to,\n>integrations.cef.tcp { destination: \"192.168.0.1\", port: 514, secure: false, severity: Warning }\n- Set the Title field to a descriptive name like,\n>Forward Awake Adversarial Model match result to Microsoft Sentinel.\n- Set the Reference Identifier to something easily discoverable like,\n>integrations.cef.sentinel-forwarder\n- Click Save.\n\nNote: Within a few minutes of saving the definition and other fields the system will begin sending new model match results to the CEF events collector as they are detected.\n\nFor more information, refer to the **Adding a Security Information and Event Management Push Integration** page from the Help Documentation in the Awake UI.", - "title": "2. Forward Awake Adversarial Model match results to a CEF collector." - }, - { - "description": "Follow the instructions to validate your connectivity:\n\nOpen Log Analytics to check if the logs are received using the CommonSecurityLog schema.\n\n>It may take about 20 minutes until the connection streams data to your workspace.\n\nIf the logs are not received, run the following connectivity validation script:\n\n> 1. 
Make sure that you have Python on your machine using the following command: python -version\n\n>2. You must have elevated permissions (sudo) on your machine", - "instructions": [ - { - "parameters": { - "fillWith": [ - "WorkspaceId" - ], - "label": "Run the following command to validate your connectivity:", - "value": "sudo wget -O cef_troubleshoot.py https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/DataConnectors/CEF/cef_troubleshoot.py&&sudo python cef_troubleshoot.py {0}" - }, - "type": "CopyableLabel" - } - ], - "title": "3. Validate connection" - }, - { - "description": "Make sure to configure the machine's security according to your organization's security policy\n\n\n[Learn more >](https://aka.ms/SecureCEF)", - "title": "4. Secure your machine " - } - ], - "metadata": { - "id": "69203ebb-3834-43bf-9cdd-2936c4e6ae79", - "version": "1.0.0", - "kind": "dataConnector", - "source": { - "kind": "solution", - "name": "Awake Security" - }, - "author": { - "name": "Awake Security" - }, - "support": { - "tier": "developer", - "name": "Arista - Awake Security", - "email": "support-security@arista.com", - "link": "https://awakesecurity.com/" - } - } - } - } - }, - { - "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", - "apiVersion": "2023-04-01-preview", - "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('DataConnector-', last(split(variables('_dataConnectorId1'),'/'))))]", - "properties": { - "parentId": "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/dataConnectors', variables('_dataConnectorContentId1'))]", - "contentId": "[variables('_dataConnectorContentId1')]", - "kind": "DataConnector", - "version": "[variables('dataConnectorVersion1')]", - "source": { - "kind": "Solution", - "name": "AristaAwakeSecurity", - "sourceId": "[variables('_solutionId')]" - }, - "author": { - "name": "Arista Networks", - "email": 
"[variables('_email')]" - }, - "support": { - "name": "Arista - Awake Security", - "email": "support-security@arista.com", - "tier": "Partner", - "link": "https://awakesecurity.com/" - } - } - } - ] - }, - "packageKind": "Solution", - "packageVersion": "[variables('_solutionVersion')]", - "packageName": "[variables('_solutionName')]", - "packageId": "[variables('_solutionId')]", - "contentSchemaVersion": "3.0.0", - "contentId": "[variables('_dataConnectorContentId1')]", - "contentKind": "DataConnector", - "displayName": "[Deprecated] Awake Security via Legacy Agent", - "contentProductId": "[variables('_dataConnectorcontentProductId1')]", - "id": "[variables('_dataConnectorcontentProductId1')]", - "version": "[variables('dataConnectorVersion1')]" - } - }, - { - "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", - "apiVersion": "2023-04-01-preview", - "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('DataConnector-', last(split(variables('_dataConnectorId1'),'/'))))]", - "dependsOn": [ - "[variables('_dataConnectorId1')]" - ], - "location": "[parameters('workspace-location')]", - "properties": { - "parentId": "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/dataConnectors', variables('_dataConnectorContentId1'))]", - "contentId": "[variables('_dataConnectorContentId1')]", - "kind": "DataConnector", - "version": "[variables('dataConnectorVersion1')]", - "source": { - "kind": "Solution", - "name": "AristaAwakeSecurity", - "sourceId": "[variables('_solutionId')]" - }, - "author": { - "name": "Arista Networks", - "email": "[variables('_email')]" - }, - "support": { - "name": "Arista - Awake Security", - "email": "support-security@arista.com", - "tier": "Partner", - "link": "https://awakesecurity.com/" - } - } - }, - { - "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',variables('_dataConnectorContentId1'))]", - 
"apiVersion": "2021-03-01-preview", - "type": "Microsoft.OperationalInsights/workspaces/providers/dataConnectors", - "location": "[parameters('workspace-location')]", - "kind": "GenericUI", - "properties": { - "connectorUiConfig": { - "title": "[Deprecated] Awake Security via Legacy Agent", - "publisher": "Arista Networks", - "descriptionMarkdown": "The Awake Security CEF connector allows users to send detection model matches from the Awake Security Platform to Microsoft Sentinel. Remediate threats quickly with the power of network detection and response and speed up investigations with deep visibility especially into unmanaged entities including users, devices and applications on your network. The connector also enables the creation of network security-focused custom alerts, incidents, workbooks and notebooks that align with your existing security operations workflows. ", - "graphQueries": [ - { - "metricName": "Total data received", - "legend": "AwakeSecurity", - "baseQuery": "CommonSecurityLog\n| where DeviceVendor == \"Arista Networks\"\n| where DeviceProduct == \"Awake Security\"" - } - ], - "dataTypes": [ - { - "name": "CommonSecurityLog (AwakeSecurity)", - "lastDataReceivedQuery": "CommonSecurityLog\n| where DeviceVendor == \"Arista Networks\"\n| where DeviceProduct == \"Awake Security\"\n| summarize Time = max(TimeGenerated)\n| where isnotempty(Time)" - } - ], - "connectivityCriterias": [ - { - "type": "IsConnectedQuery", - "value": [ - "CommonSecurityLog\n| where DeviceVendor == \"Arista Networks\"\n| where DeviceProduct == \"Awake Security\"\n| summarize LastLogReceived = max(TimeGenerated)\n| project IsConnected = LastLogReceived > ago(30d)" - ] - } - ], - "sampleQueries": [ - { - "description": "Top 5 Adversarial Model Matches by Severity", - "query": "union CommonSecurityLog\n| where DeviceVendor == \"Arista Networks\" and DeviceProduct == \"Awake Security\"\n| summarize TotalActivities=sum(EventCount) by Activity,LogSeverity\n| top 5 by LogSeverity 
desc" - }, - { - "description": "Top 5 Devices by Device Risk Score", - "query": "CommonSecurityLog\r\n| where DeviceVendor == \"Arista Networks\" and DeviceProduct == \"Awake Security\"\r\n| extend DeviceCustomNumber1 = coalesce(column_ifexists(\"FieldDeviceCustomNumber1\", long(null)), DeviceCustomNumber1, long(null))\r\n| summarize MaxDeviceRiskScore=max(DeviceCustomNumber1),TimesAlerted=count() by SourceHostName=coalesce(SourceHostName,\"Unknown\")\r\n| top 5 by MaxDeviceRiskScore desc" - } - ], - "availability": { - "status": 1, - "isPreview": false - }, - "permissions": { - "resourceProvider": [ - { - "provider": "Microsoft.OperationalInsights/workspaces", - "permissionsDisplayText": "read and write permissions are required.", - "providerDisplayName": "Workspace", - "scope": "Workspace", - "requiredPermissions": { - "read": true, - "write": true, - "delete": true - } - }, - { - "provider": "Microsoft.OperationalInsights/workspaces/sharedKeys", - "permissionsDisplayText": "read permissions to shared keys for the workspace are required. [See the documentation to learn more about workspace keys](https://docs.microsoft.com/azure/azure-monitor/platform/agent-windows#obtain-workspace-id-and-key).", - "providerDisplayName": "Keys", - "scope": "Workspace", - "requiredPermissions": { - "action": true - } - } - ] - }, - "instructionSteps": [ - { - "description": "Install and configure the Linux agent to collect your Common Event Format (CEF) Syslog messages and forward them to Microsoft Sentinel.\n\n> Notice that the data from all regions will be stored in the selected workspace", - "innerSteps": [ - { - "title": "1.1 Select or create a Linux machine", - "description": "Select or create a Linux machine that Microsoft Sentinel will use as the proxy between your security solution and Microsoft Sentinel this machine can be on your on-prem environment, Azure or other clouds." 
- }, - { - "title": "1.2 Install the CEF collector on the Linux machine", - "description": "Install the Microsoft Monitoring Agent on your Linux machine and configure the machine to listen on the necessary port and forward messages to your Microsoft Sentinel workspace. The CEF collector collects CEF messages on port 514 TCP.\n\n> 1. Make sure that you have Python on your machine using the following command: python -version.\n\n> 2. You must have elevated permissions (sudo) on your machine.", - "instructions": [ - { - "parameters": { - "fillWith": [ - "WorkspaceId", - "PrimaryKey" - ], - "label": "Run the following command to install and apply the CEF collector:", - "value": "sudo wget -O cef_installer.py https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/DataConnectors/CEF/cef_installer.py&&sudo python cef_installer.py {0} {1}" - }, - "type": "CopyableLabel" - } - ] - } - ], - "title": "1. Linux Syslog agent configuration" - }, - { - "description": "Perform the following steps to forward Awake Adversarial Model match results to a CEF collector listening on TCP port **514** at IP **192.168.0.1**:\n- Navigate to the Detection Management Skills page in the Awake UI.\n- Click + Add New Skill.\n- Set the Expression field to,\n>integrations.cef.tcp { destination: \"192.168.0.1\", port: 514, secure: false, severity: Warning }\n- Set the Title field to a descriptive name like,\n>Forward Awake Adversarial Model match result to Microsoft Sentinel.\n- Set the Reference Identifier to something easily discoverable like,\n>integrations.cef.sentinel-forwarder\n- Click Save.\n\nNote: Within a few minutes of saving the definition and other fields the system will begin sending new model match results to the CEF events collector as they are detected.\n\nFor more information, refer to the **Adding a Security Information and Event Management Push Integration** page from the Help Documentation in the Awake UI.", - "title": "2. 
Forward Awake Adversarial Model match results to a CEF collector." - }, - { - "description": "Follow the instructions to validate your connectivity:\n\nOpen Log Analytics to check if the logs are received using the CommonSecurityLog schema.\n\n>It may take about 20 minutes until the connection streams data to your workspace.\n\nIf the logs are not received, run the following connectivity validation script:\n\n> 1. Make sure that you have Python on your machine using the following command: python -version\n\n>2. You must have elevated permissions (sudo) on your machine", - "instructions": [ - { - "parameters": { - "fillWith": [ - "WorkspaceId" - ], - "label": "Run the following command to validate your connectivity:", - "value": "sudo wget -O cef_troubleshoot.py https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/DataConnectors/CEF/cef_troubleshoot.py&&sudo python cef_troubleshoot.py {0}" - }, - "type": "CopyableLabel" - } - ], - "title": "3. Validate connection" - }, - { - "description": "Make sure to configure the machine's security according to your organization's security policy\n\n\n[Learn more >](https://aka.ms/SecureCEF)", - "title": "4. Secure your machine " - } - ], - "id": "[variables('_uiConfigId1')]" - } - } - }, { "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates", "apiVersion": "2023-04-01-preview", @@ -452,7 +84,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "HighMatchCountsByDevice_AnalyticalRules Analytics Rule with template version 3.0.0", + "description": "HighMatchCountsByDevice_AnalyticalRules Analytics Rule with template version 3.0.1", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('analyticRuleObject1').analyticRuleVersion1]", 
@@ -479,12 +111,6 @@ "triggerThreshold": 0, "status": "Available", "requiredDataConnectors": [ - { - "connectorId": "AristaAwakeSecurity", - "dataTypes": [ - "CommonSecurityLog (AwakeSecurity)" - ] - }, { "connectorId": "CefAma", "dataTypes": [ @@ -496,8 +122,8 @@ { "fieldMappings": [ { - "identifier": "HostName", - "columnName": "SourceHostName" + "columnName": "SourceHostName", + "identifier": "HostName" } ], "entityType": "Host" @@ -505,8 +131,8 @@ { "fieldMappings": [ { - "identifier": "Address", - "columnName": "SourceIPs" + "columnName": "SourceIPs", + "identifier": "Address" } ], "entityType": "IP" @@ -516,32 +142,32 @@ "aggregationKind": "AlertPerResult" }, "customDetails": { - "Matches_Max_Severity": "MaxSeverity", - "Device": "SourceHostName", + "Matches_ASP_URLs": "ASPMatchURLs", "Matches_Dest_IPs": "DestinationIPs", - "Matched_Models": "Models", "Matches_Count": "ModelMatchCount", - "Matches_ASP_URLs": "ASPMatchURLs" + "Device": "SourceHostName", + "Matches_Max_Severity": "MaxSeverity", + "Matched_Models": "Models" }, "alertDetailsOverride": { - "alertSeverityColumnName": "SeverityName", "alertDescriptionFormat": "The following Awake model(s):\n\n{{Models}}\n\nmatched {{ModelMatchCount}} activities, an unexpectedly large number. The destination IPs associated with these matches were:\n\n{{DestinationIPs}}", - "alertDisplayNameFormat": "Awake Security - High Model Match Counts On Device {{SourceHostName}}" + "alertDisplayNameFormat": "Awake Security - High Model Match Counts On Device {{SourceHostName}}", + "alertSeverityColumnName": "SeverityName" }, "incidentConfiguration": { - "createIncident": true, "groupingConfiguration": { - "reopenClosedIncident": true, + "enabled": true, "lookbackDuration": "3d", + "groupByEntities": [ + "Host" + ], "matchingMethod": "Selected", - "enabled": true, "groupByCustomDetails": [ "Device" ], - "groupByEntities": [ - "Host" - ] - } + "reopenClosedIncident": true + }, + "createIncident": true } } }, 
@@ -596,7 +222,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "HighSeverityMatchesByDevice_AnalyticalRules Analytics Rule with template version 3.0.0", + "description": "HighSeverityMatchesByDevice_AnalyticalRules Analytics Rule with template version 3.0.1", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('analyticRuleObject2').analyticRuleVersion2]", @@ -623,12 +249,6 @@ "triggerThreshold": 0, "status": "Available", "requiredDataConnectors": [ - { - "connectorId": "AristaAwakeSecurity", - "dataTypes": [ - "CommonSecurityLog (AwakeSecurity)" - ] - }, { "connectorId": "CefAma", "dataTypes": [ @@ -640,8 +260,8 @@ { "fieldMappings": [ { - "identifier": "HostName", - "columnName": "SourceHostName" + "columnName": "SourceHostName", + "identifier": "HostName" } ], "entityType": "Host" @@ -649,8 +269,8 @@ { "fieldMappings": [ { - "identifier": "Address", - "columnName": "SourceIPs" + "columnName": "SourceIPs", + "identifier": "Address" } ], "entityType": "IP" 
@@ -660,32 +280,32 @@ "aggregationKind": "AlertPerResult" }, "customDetails": { - "Matches_Max_Severity": "MaxSeverity", - "Device": "SourceHostName", + "Matches_ASP_URLs": "ASPMatchURLs", "Matches_Dest_IPs": "DestinationIPs", - "Matched_Models": "Models", "Matches_Count": "ModelMatchCount", - "Matches_ASP_URLs": "ASPMatchURLs" + "Device": "SourceHostName", + "Matches_Max_Severity": "MaxSeverity", + "Matched_Models": "Models" }, "alertDetailsOverride": { - "alertSeverityColumnName": "MaxSeverity", "alertDescriptionFormat": "Device {{SourceHostName}} matched the following high-severity Awake model(s):\n\n{{Models}}\n\nThe destination IPs associated with these matches were:\n\n{{DestinationIPs}}\n", - "alertDisplayNameFormat": "Awake Security - High Severity Matches On Device {{SourceHostName}}" + "alertDisplayNameFormat": "Awake Security - High Severity Matches On Device {{SourceHostName}}", + "alertSeverityColumnName": "MaxSeverity" }, "incidentConfiguration": { - "createIncident": true, "groupingConfiguration": { - "reopenClosedIncident": true, + "enabled": true, "lookbackDuration": "3d", + "groupByEntities": [ + "Host" + ], "matchingMethod": "Selected", - "enabled": true, "groupByCustomDetails": [ "Device" ], - "groupByEntities": [ - "Host" - ] - } + "reopenClosedIncident": true + }, + "createIncident": true } } }, @@ -740,7 +360,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "ModelMatchesWithMultipleDestinationsByDevice_AnalyticalRules Analytics Rule with template version 3.0.0", + "description": "ModelMatchesWithMultipleDestinationsByDevice_AnalyticalRules Analytics Rule with template version 3.0.1", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('analyticRuleObject3').analyticRuleVersion3]", 
@@ -767,12 +387,6 @@ "triggerThreshold": 0, "status": "Available", "requiredDataConnectors": [ - { - "connectorId": "AristaAwakeSecurity", - "dataTypes": [ - "CommonSecurityLog (AwakeSecurity)" - ] - }, { "connectorId": "CefAma", "dataTypes": [ @@ -784,8 +398,8 @@ { "fieldMappings": [ { - "identifier": "HostName", - "columnName": "SourceHostName" + "columnName": "SourceHostName", + "identifier": "HostName" } ], "entityType": "Host" @@ -793,8 +407,8 @@ { "fieldMappings": [ { - "identifier": "Address", - "columnName": "SourceIPs" + "columnName": "SourceIPs", + "identifier": "Address" } ], "entityType": "IP" @@ -804,31 +418,31 @@ "aggregationKind": "AlertPerResult" }, "customDetails": { - "Matches_Max_Severity": "MaxSeverity", - "Device": "SourceHostName", + "Matches_ASP_URLs": "ASPMatchURLs", "Matches_Dest_IPs": "DestinationIPs", - "Matched_Models": "Models", "Matches_Count": "ModelMatchCount", - "Matches_ASP_URLs": "ASPMatchURLs" + "Device": "SourceHostName", + "Matches_Max_Severity": "MaxSeverity", + "Matched_Models": "Models" }, "alertDetailsOverride": { "alertDescriptionFormat": "Device {{SourceHostName}} communicated with multiple possibly malicious destinations. The destination IPs were:\n\n{{DestinationIPs}}\n\nThe associated with Awake model(s) were:\n\n{{Models}}\n", "alertDisplayNameFormat": "Awake Security - Model Matches With Multiple Destinations On Device {{SourceHostName}}" }, "incidentConfiguration": { - "createIncident": true, "groupingConfiguration": { - "reopenClosedIncident": true, + "enabled": true, "lookbackDuration": "3d", + "groupByEntities": [ + "Host" + ], "matchingMethod": "Selected", - "enabled": true, "groupByCustomDetails": [ "Device" ], - "groupByEntities": [ - "Host" - ] - } + "reopenClosedIncident": true + }, + "createIncident": true } } }, 
@@ -883,7 +497,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "AristaAwakeSecurityWorkbook Workbook with template version 3.0.0", + "description": "AristaAwakeSecurityWorkbook Workbook with template version 3.0.1", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('workbookVersion1')]", @@ -971,12 +585,12 @@ "apiVersion": "2023-04-01-preview", "location": "[parameters('workspace-location')]", "properties": { - "version": "3.0.0", + "version": "3.0.1", "kind": "Solution", "contentSchemaVersion": "3.0.0", "displayName": "AristaAwakeSecurity", "publisherDisplayName": "Arista - Awake Security", - "descriptionHtml": "

Note: Please refer to the following before installing the solution:

\n

• Review the solution Release Notes

\n

• There may be known issues pertaining to this Solution, please refer to them before installing.

\n

The Awake Security Arista Networks solution for Microsoft Sentinel enable users to send detection model matches from the Awake Security Platform to Microsoft Sentinel.

\n

This solution is dependent on the Common Event Format solution containing the CEF via AMA connector to collect the logs. The CEF solution will be installed as part of this solution installation.

\n

NOTE: Microsoft recommends installation of CEF via AMA Connector. Legacy connector uses the Log Analytics agent which is about to be deprecated by Aug 31, 2024, and thus should only be installed where AMA is not supported. Using MMA and AMA on same machine can cause log duplication and extra ingestion cost more details.

\n

Data Connectors: 1, Workbooks: 1, Analytic Rules: 3

\n

Learn more about Microsoft Sentinel | Learn more about Solutions

\n", + "descriptionHtml": "

Note: Please refer to the following before installing the solution:

\n

• Review the solution Release Notes

\n

• There may be known issues pertaining to this Solution, please refer to them before installing.

\n

The Awake Security Arista Networks solution for Microsoft Sentinel enable users to send detection model matches from the Awake Security Platform to Microsoft Sentinel.

\n

This solution is dependent on the Common Event Format solution containing the CEF via AMA connector to collect the logs. The CEF solution will be installed as part of this solution installation.

\n

NOTE: Microsoft recommends installation of CEF via AMA Connector. Legacy connector uses the Log Analytics agent which were deprecated on Aug 31, 2024. Using MMA and AMA on same machine can cause log duplication and extra ingestion cost more details.

\n

Workbooks: 1, Analytic Rules: 3

\n

Learn more about Microsoft Sentinel | Learn more about Solutions

\n", "contentKind": "Solution", "contentProductId": "[variables('_solutioncontentProductId')]", "id": "[variables('_solutioncontentProductId')]", @@ -1000,11 +614,6 @@ }, "dependencies": { "criteria": [ - { - "kind": "DataConnector", - "contentId": "[variables('_dataConnectorContentId1')]", - "version": "[variables('dataConnectorVersion1')]" - }, { "kind": "AnalyticsRule", "contentId": "[variables('analyticRuleObject1')._analyticRulecontentId1]", diff --git a/Solutions/AristaAwakeSecurity/ReleaseNotes.md b/Solutions/AristaAwakeSecurity/ReleaseNotes.md index 0e86091779a..21180f026e0 100644 --- a/Solutions/AristaAwakeSecurity/ReleaseNotes.md +++ b/Solutions/AristaAwakeSecurity/ReleaseNotes.md @@ -1,3 +1,4 @@ | **Version** | **Date Modified (DD-MM-YYYY)** | **Change History** | |-------------|--------------------------------|------------------------------------------------| +| 3.0.1 | 03-01-2025 | Removed Deprecated **Data connector** | | 3.0.0 | 09-07-2024 | Deprecating data connectors. | From b0e0ed2049856559a6ecb7f89b99d4430740fb69 Mon Sep 17 00:00:00 2001 From: v-rusraut Date: Fri, 3 Jan 2025 15:15:23 +0530 Subject: [PATCH 13/22] Repackage - Nasuni --- .../RansomwareAttackDetected.yaml | 5 +- .../RansomwareClientBlocked.yaml | 5 +- Solutions/Nasuni/Data/Solution_Nasuni.json | 7 +- .../Hunting Queries/FileDeleteEvents.yaml | 5 +- Solutions/Nasuni/Package/3.0.3.zip | Bin 0 -> 6756 bytes .../Nasuni/Package/createUiDefinition.json | 28 +- Solutions/Nasuni/Package/mainTemplate.json | 431 ++---------------- Solutions/Nasuni/ReleaseNotes.md | 1 + 8 files changed, 44 insertions(+), 438 deletions(-) create mode 100644 Solutions/Nasuni/Package/3.0.3.zip diff --git a/Solutions/Nasuni/Analytic Rules/RansomwareAttackDetected.yaml b/Solutions/Nasuni/Analytic Rules/RansomwareAttackDetected.yaml index c999b916d40..54bc8395551 100644 --- a/Solutions/Nasuni/Analytic Rules/RansomwareAttackDetected.yaml +++ b/Solutions/Nasuni/Analytic Rules/RansomwareAttackDetected.yaml 
@@ -4,9 +4,6 @@ description: 'Identifies ransomware attacks detected by the Ransomware Protectio
 kind: Scheduled
 severity: High
 requiredDataConnectors:
- - connectorId: NasuniEdgeAppliance
- datatypes:
- - Syslog
 - connectorId: SyslogAma
 datatypes:
 - Syslog
@@ -50,4 +47,4 @@ entityMappings:
 columnName: pattern
 suppressionDuration: 5h
 suppressionEnabled: false
-version: 1.0.2
\ No newline at end of file
+version: 1.0.3
\ No newline at end of file
diff --git a/Solutions/Nasuni/Analytic Rules/RansomwareClientBlocked.yaml b/Solutions/Nasuni/Analytic Rules/RansomwareClientBlocked.yaml
index f8f1b03f330..5829b44d92e 100644
--- a/Solutions/Nasuni/Analytic Rules/RansomwareClientBlocked.yaml
+++ b/Solutions/Nasuni/Analytic Rules/RansomwareClientBlocked.yaml
@@ -4,9 +4,6 @@ description: 'Identifies malicious clients blocked by the Ransomware Protection
 kind: Scheduled
 severity: High
 requiredDataConnectors:
- - connectorId: NasuniEdgeAppliance
- datatypes:
- - Syslog
 - connectorId: SyslogAma
 datatypes:
 - Syslog
@@ -47,4 +44,4 @@ entityMappings:
 columnName: SrcIpAddr
 suppressionDuration: 5h
 suppressionEnabled: false
-version: 1.0.2
\ No newline at end of file
+version: 1.0.3
\ No newline at end of file
diff --git a/Solutions/Nasuni/Data/Solution_Nasuni.json b/Solutions/Nasuni/Data/Solution_Nasuni.json
index 60a20dceba6..db0105f1161 100644
--- a/Solutions/Nasuni/Data/Solution_Nasuni.json
+++ b/Solutions/Nasuni/Data/Solution_Nasuni.json
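Review bot: The surviving `SyslogAma` entry in each rule's `requiredDataConnectors` spells the key `datatypes:`, whereas the rule-template convention elsewhere in the repository is `dataTypes:` — the very entry the FileDeleteEvents.yaml hunk further down removes used `dataTypes:`. Since this commit already edits every `requiredDataConnectors` block in the solution, it is the natural place to normalise the spelling, e.g. `    dataTypes:` under `- connectorId: SyslogAma`. If the repository validator compares keys case-insensitively this is cosmetic, but a case-sensitive consumer would see a connector entry with no declared data types. The same spelling appears in the RansomwareClientBlocked.yaml hunk on this line and the FileDeleteEvents.yaml hunk below.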
@@ -2,7 +2,7 @@ "Name": "Nasuni", "Author": "Nasuni - support@nasuni.com", "Logo": "", - "Description": "The [Nasuni](https://www.nasuni.com) solution for Microsoft Sentinel allows you to analyze Nasuni audit events and Notifications collected via Syslog. It includes analytics rules to automatically generate Incidents when a ransomware attack is detected and perform appropriate entity mapping. \n\n This solution is dependent on the Syslog solution containing the Syslog via AMA connector to collect the logs. The Syslog solution will be installed as part of this solution installation. \n\n **NOTE**: Microsoft recommends installation of Syslog via AMA Connector. Legacy connector uses the Log Analytics agent which is about to be deprecated by **Aug 31, 2024**. Using MMA and AMA on same machine can cause log duplication and extra ingestion cost [more details](https://learn.microsoft.com/en-us/azure/sentinel/ama-migrate).", + "Description": "The [Nasuni](https://www.nasuni.com) solution for Microsoft Sentinel allows you to analyze Nasuni audit events and Notifications collected via Syslog. It includes analytics rules to automatically generate Incidents when a ransomware attack is detected and perform appropriate entity mapping. \n\n This solution is dependent on the Syslog solution containing the Syslog via AMA connector to collect the logs. The Syslog solution will be installed as part of this solution installation. \n\n **NOTE**: Microsoft recommends installation of Syslog via AMA Connector. Legacy connector uses the Log Analytics agent which were deprecated on **Aug 31, 2024.** Using MMA and AMA on same machine can cause log duplication and extra ingestion cost [more details](https://learn.microsoft.com/en-us/azure/sentinel/ama-migrate).", "Analytic Rules": [ "/Nasuni/Analytic Rules/RansomwareClientBlocked.yaml", "/Nasuni/Analytic Rules/RansomwareAttackDetected.yaml" 
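Review bot: The rewritten Description has a subject–verb mismatch and a misplaced period in the new sentence: `the Log Analytics agent which were deprecated on **Aug 31, 2024.**` should read `the Log Analytics agent, which was deprecated on **Aug 31, 2024**.`. The createUiDefinition.json and mainTemplate.json hunks later in this patch carry the identical sentence and appear to be generated from this field, so correcting it here and repackaging should fix all three copies.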
@@ -10,14 +10,11 @@
 "Hunting Queries": [
 "/Nasuni/Hunting Queries/FileDeleteEvents.yaml"
 ],
- "Data Connectors": [
- "/Nasuni/Data Connectors/Nasuni Data Connector.json"
- ],
 "dependentDomainSolutionIds": [
 "azuresentinel.azure-sentinel-solution-syslog"
 ],
 "BasePath": "C:\\GitHub\\Azure-Sentinel\\Solutions",
- "Version": "3.0.2",
+ "Version": "3.0.3",
 "Metadata": "SolutionMetadata.json",
 "TemplateSpec": true,
 "Is1PConnector": false
diff --git a/Solutions/Nasuni/Hunting Queries/FileDeleteEvents.yaml b/Solutions/Nasuni/Hunting Queries/FileDeleteEvents.yaml
index 589887be5c5..b5a9ddadbf3 100644
--- a/Solutions/Nasuni/Hunting Queries/FileDeleteEvents.yaml
+++ b/Solutions/Nasuni/Hunting Queries/FileDeleteEvents.yaml
@@ -3,9 +3,6 @@ name: Nasuni File Delete Activity
 description: |
 'This query looks for file delete audit events generated by a Nasuni Edge Appliance.'
 requiredDataConnectors:
- - connectorId: NasuniEdgeAppliance
- dataTypes:
- - Syslog
 - connectorId: SyslogAma
 datatypes:
 - Syslog
@@ -71,4 +68,4 @@ entityMappings:
 columnName: filename
 - identifier: Directory
 columnName: directorypath
-version: 1.0.1
\ No newline at end of file
+version: 1.0.2
\ No newline at end of file
diff --git a/Solutions/Nasuni/Package/3.0.3.zip b/Solutions/Nasuni/Package/3.0.3.zip new file mode 100644 index 0000000000000000000000000000000000000000..efa28b713b5654a173505d98c182cd6e1faaff89 GIT binary patch literal 6756 zcmZ{JWl$VYmn;%AxWnM?9wZPv1a}EKI1Dm`!QBG{26qN`4ek&i*x&^B3{D_u@Bo|d zy~y0^~hpSQZYwNz1Gksu)>^XeL_$iWMnWS0_i7EXwe+yn z2PxRvfxsXSkSmzi(cKli@$nc8=pcOt7M#hbnS2y1N%{?*9dPg}TwO6ky#YJ=i%N4d z71*)k9%muA;Ymd$=r=|W4uQ!*QSNlg8b6pFw7&C8?jkw@Bn^9?e!Eg!1-XVPF|SM5 zn%lV8X|SbO4Qcv}WiS#}Uf<`KzLwTf?yzV5@Z1nAIMw`7xgie*>aV>!+BW63;jGoG z3{D#{c!u4*@N+)pib5J0^FBAsFdwU+8&kH_KhIx)-PmIc~GsW7~MTX`|WP6H1N`!{} zsNQBA-E)&6Nuw%_6;*=7gbQXueox#RI(2f&pnsgIY<<~k^Ne&WOsuO?CHyA7lb*Iw z&0!o7Z^PBkfLq;6(clcIwE-~aH;2ic)Xj9xTJ)Gdg4_)2gO@|l@M^rk2A2I|W)YTv zv=m_lgKl3`85)e?D=lMI1A39=*H{i6iOAlH4M=U6bc75h%2QwwRs+?1vybdlgW{5{ zKkX5dY6k+n$_ik86m(=}*JYg&Ii|kl_f(@ZaH9{5wlGj0Ra%Ys$^PQyPh^WGg3!HJ z$%1`^iY#&VSq53@gP$iF0qZ*HglbcPpWMZaQ4z~Fj4U9WtzDhSQ(WBlnx5|`MU2FI zvVVXH0XCXgVa2FP7jW$=V%(9IIBN*(5)c0Bdm>lCK+$=qVt?3RsHt&?!^6eRJputb z#%}3DV|x9$%suSx`cJL(ihYI^JY0PoWfyzL<3nl_D9}u)UdEmVPH*LO=`VvG3ad9P znHB~%O4BAR!)M`!Qbm8+S)+Au z1`g@mIE$%UaT=q>ZwGSYR!^CD>t@N^`+t7Ar>)TlG?PAS#Hz$FJhH9r>y+n~<1b+` z>-En7T7HGX4}OQuaFQ;+LQOlC>7H?ntbmjr)~WZeMxKtu$t9MUE~I(tsDf2Dyc0*r zD+{SCSe;7g)P_+lS&di%2eeIVQU79rX~^75Y4aFAw~h5_^Rfr~x(qz-?=;{V)nEs& zg}vU(j$-$J!u^F~6D=uAdh1V_9ImIPi22%vZ};sunK6t0-!>g{-1i^4M&h+MRj9-h z-Y=k?X!mr^oHdU%@jRK~1wR{8K`c*L+-#dGzGa4lgv9q?*HNn)1x~zJ#fRYyeC&JL*>`-H3<4$TW29r5 zr)H&Y<1EIsmQph;I4ZFUP7M;D6z+r)-1bgUX2o!@qo_#`0%C{gef={)!u#kn5BZyu z<0>FOYBg`ac7}iZJtA7)N#e;BGc2^3(Jf$xfI@)1=kVw6n!bSj+^OzxLMB0P$3Z;1 zO^1DPb+0oi+K}tOX-#-rDH*~m-hpYcq(nsf$l+H1M&=gQBjh^||J25$?hR)0<5m4~ z>RE`|uMe*u+uqCqRBQ3&ik^@tj?AcdOy^cN=cY<5PFvG{F#*va`3pznYbUL9RzLk} zK>NO2G`+&<EcyY=^;x*ZaYe18t@muOr- zJwmT&j-n*uC2k_FNSwz%br*yZ&k0#E$%KU+FU*8g%-- z$*fGJYbj=>l@oNEcg>&2up8Srn-ciO-&wo>o!mkD_Utu0NTT_T?djqOlNi?D)QGTF zmoH3QAklp8QZJ8}{8D{#3k?jiIn-qLC$tqBGB0o1=IS>44Ex*CsqKq)8snVH`(>?R 
z9&_VzEc-tp^L~ajsjl^W4n=b~Ty66#_|mGJyw8;%gwocy&*Hl#QTy7jarQTON<_TQ zff_vy&lq$9_woGD%Vj;b^+V$rplGr`QzO8g3-FeyZmFT>fx<&6djzv+g`w8Z#4U3h zKj;Nj>%Zv_d-G`)03i}mx-}BgKR|M^1cCKzT|PPgQz8FPdHk0A4OtUQera>uLN4v% zGHNPg9tXN{!s|q*)Vhh;dY6SvJR3AoQxXT?yoX@U(5f%$-*VqNJTk9A@rhDpVj!?_ z+r?}>D4Iwo;3@JHeK6tM3k^eU@WFG0I_Q`Kq#mJkKWDB9^(YrEvlg*!IQ#*;it~K3 zsmj0DEcoX6^V+-n*?`XilsZ9h3R9np#$J2^Xl@5Pxu~E75xw@gVH)?z98|KeUK@G& zbHza{T!12e7mdoV;4Yvn_$pAwH37~SqcH*@awCcaT;YHGaY z=>4R-B*hNcErYcrTqr*A<+T!VE9&3$NVF&$`XF3(fCq&hL!)o0i1CA2y5BKqO$f zTfWBJwa;;#WxxD4W?e%rSWZp@B|TD929nC6i}k#pNJ4D<`Ap(^Bv*Tyam?;Amwb11 z`vEB(w8cjmJl%Kz1$X<~@rpccU=MmTt67)dOGvI5ODSNxI(Xs zYPCE-3uA0YChX=Z{9UIihI#!Ges^wv(9d@(Qex+MuZo`t{ReKm+HSekL>Qrk(UK$m zid|a1w{iErWM5X?Cca-NoNrnV3Wi>(-R=KY{{fcUB7#%DMqe-*3(z}A|DD(hAf^3r z>fGwD+V1RHm;HNo!pSu(EO;vGG9UW6`cQ8Xp)&?bf7RjYVNJ$(_-3s>&ep+Xd>>4g z<>=Z9T1*cn7+TBPR^O?}#V~(VroT zP;@c|4Wv--+}%mLr%#${F9%7{MPjrzJNG$~Y_1`LZ*H^5|J*8WPEGZv-@bxPuK{SN zPi`@s>)Tv&>Y<0R5qEER74YPMBzc|1y5Usf#pgsUc?i0MU|et*>d3d9jB5 zmtFkDE7@9K0Un-(3tn4JXn}TNlH6T)h8u)RSCE!n-pxOrVel5y1= zH+P!YW9nDXNtJUd^XlU^(Xeo3Fm4OyR{>;U0xs2W+=l4JsKW{l2hD!)w84jWP+!5G zQc8cyNSX6#`U)p99Q9Adgev(aSt3DfZH1YsrH4?RcPn+^LK$2g#BxR580P(7Qa@RT z1|8t^omyNE?7In1>sb{(*ZZM$p{S_r>5*TC>4Gs z9&kcy6U>7tMCbDY3;Xz;=!bvC)@m zMP_s2Swj_CB*)Q;unw7^;U1H*z~N$>0K%8tkVLJ$T}fEu*~hq0oE(0>6i{|}yJ!r` zJ4;xRt;o#AJA1Ozhs7Nb7^5Joe0#{HRSV}utEM^m0KUVoZFU8YqibrLtCo} zC0Mz!OW@riM!6fVqMqJXydIrE9a>T(mZX8xX$po8f1Cx##(Ggj&Hrtq41XEv6%L)d z+DP%6(M^w3t|y5XioPcZB{+ODNH40DCr9#=f;#@P=KNsps&=XRC$P5FerCvLLa^nf zs_d6HC91N`0Wp;X)*;6Mae<&Rqr#TAAY;X-?b`ME=g)+V+k;VzxI$#q+Oj}aH=N#7 zoA}H+sd)AXy7k<7wX_h*Q!Ly4#jic zWJDKpWmp#B<3Rry@6E?B&gEg&B}={Wer|b61(X>g`bVcc|FN0*{fmlaFr_= zdq_@YV!v!1=K{;P2yE#)rkFAc*E>cZ#L3}*qOm@~{UFj~79bnf$n!EAcER$>?r`>u zP`h8`=t}Tz2|)lgVYRM-hP~YZFTzjc@I*7)&ALb@c{pd3=#*jG4GEY~rL@}ZFpd{A=6pX}5bp_@Dn4XrtfGf+VQ7JBR@ zTgXjBjB*i_+b`09t~1&49hXY-F;}9Gr~j%aSQ8>QOkW!ZRK&9HZ!mAOoIKJ2d)`5c z8wsMhy(fU5Mms`%Pt+Zwh8Kd|_~+=4GALhulzd~CGVt`Hx{j&p5p_;fNR7o+D)_Fl 
zWa|mSu*IF3f0wGs$JAUrr9W;mb%Lxwe_Ulyob4PB!e}aC_sH3HHa|#ebgqux#PYrB z^K4bDR@qxx>OIJXDUX5oc1&8N8MygPKz2RuP)9LZwgAMwWyWjjGx_xQ&1&+og zXKwJSwESq+w2ZU8=%LyLg2sDQgK&J=Y1eLEpC`CHjwgWLgbxH9Vc9Mn zNE=bKpMan#Xc%+(0gd(MG%8Z#aJlbNA&QSajrDy~JMe*jjhf3X48_2AYpgHXfFu-0 zzMUEe!fJw>>v^XzFn!V2mOPt(-Vx%|d^*C{rcEFlh!QjI)A&gk8}iNYqu?dtSm$ur zZUGphH{kk9#q+6raBDP{j$hjr`O zh0;IPotZl)VD&PbH8$yj`_@S@mUXNIUdT59I0@}6L$!B?RTy-+?7u193;^cMx2)I_ z#;}n%PXzT(wLQP_wcnB7k`Vjz9P9VZJSYHiumbd6yzlf}sx&WaJ9bK7!!JQXuiDz`a2j9B3Oh@rw_KRAS z9V-rCwhnuwcs>-|1W^L78I}0+jP#=Tzobgj4~@shHnqg`qJLCyz=igKuZTj(D$T^*7Pt31{Smh@WsFihu%2hu)&@(7Uni};^&Azsa@46%HuwGJUbL~JF)HEh%niI2#_ED|`UT_WIJ;#!D#Ul3C`u3l1@^fT zdmYy|h?x{=rj!+yXs=VIe=9@G1Ba5~8laL4$JjVW8W)U|BUSJXqGrxsL_XG6Ok`lx zjfB+&w_AwFN~lB9%LW~P@~YdsQ7hHJ4uK?Hf@QNP+E+}k9i(-uE6|BPvM*;zO<4?W54#M z{p<{U4=H)wX5&QRc9$o#^d37CPoCZJwW`(!!-xrVZejM%!mA^7zfdF+%ohG(PiNIF zKE{>VLZ`#0>9Lg!{p%&asIlDx|8Md`=92^ddW%Ha*E)H!{z3kNxf@&Soi#IG&1r4& z0*B2Tj)3WLHFKQ3uHluvkG{IsqmE0E72cN5))KkZR39&^*>|1toKBo{1Mae8Oj zAH~{hnX+Eo4Xr8EmrwgW0K}mbdvP|-gMtCN%;sSK}c1>D+S$4j&$nC{k> znF^GFrh_4W>0YkB?e^%sM+=cGwn3@L2e#kfb{J0lrg)bmu$Uut*H0lHKEjf8y+dg+jv&RZ!8;BVh=Sl#81I(`llmA#Cvx$wo}L9h7X@WxVilz100z?<3L4ku zk_t%;JLUL4dr8w@YudAI4AV%e>jkdu7r#K_vj@nR49ve^Ym=3fn!EeQ=AkgY3TvDWnX0}QpBS<6cS@02-#AK7+QGQr zxgw^AR>_l{mq~hgl##e92yE*TydCmBVJw!#V<{CB7MJ(RvD7E{)#BIwsU77`m(06- z$SW)!ppxO5EI14-WlG{5ebQ;^}>pWS}ysmN$nJoWvWgrwC$hOi~BrF#ILxZQBjA z+EHnjt1P=T({KcpKEg@Ck\n\n**Note:** Please refer to the following before installing the solution: \n\n• Review the solution [Release Notes](https://github.com/Azure/Azure-Sentinel/tree/master/Solutions/Nasuni/ReleaseNotes.md)\n\n • There may be [known issues](https://aka.ms/sentinelsolutionsknownissues) pertaining to this Solution, please refer to them before installing.\n\nThe [Nasuni](https://www.nasuni.com) solution for Microsoft Sentinel allows you to analyze Nasuni audit events and Notifications collected via Syslog. 
It includes analytics rules to automatically generate Incidents when a ransomware attack is detected and perform appropriate entity mapping. \n\n This solution is dependent on the Syslog solution containing the Syslog via AMA connector to collect the logs. The Syslog solution will be installed as part of this solution installation. \n\n **NOTE**: Microsoft recommends installation of Syslog via AMA Connector. Legacy connector uses the Log Analytics agent which is about to be deprecated by **Aug 31, 2024**. Using MMA and AMA on same machine can cause log duplication and extra ingestion cost [more details](https://learn.microsoft.com/en-us/azure/sentinel/ama-migrate).\n\n**Data Connectors:** 1, **Analytic Rules:** 2, **Hunting Queries:** 1\n\n[Learn more about Microsoft Sentinel](https://aka.ms/azuresentinel) | [Learn more about Solutions](https://aka.ms/azuresentinelsolutionsdoc)", + "description": "\n\n**Note:** Please refer to the following before installing the solution: \n\n• Review the solution [Release Notes](https://github.com/Azure/Azure-Sentinel/tree/master/Solutions/Nasuni/ReleaseNotes.md)\n\n • There may be [known issues](https://aka.ms/sentinelsolutionsknownissues) pertaining to this Solution, please refer to them before installing.\n\nThe [Nasuni](https://www.nasuni.com) solution for Microsoft Sentinel allows you to analyze Nasuni audit events and Notifications collected via Syslog. It includes analytics rules to automatically generate Incidents when a ransomware attack is detected and perform appropriate entity mapping. \n\n This solution is dependent on the Syslog solution containing the Syslog via AMA connector to collect the logs. The Syslog solution will be installed as part of this solution installation. \n\n **NOTE**: Microsoft recommends installation of Syslog via AMA Connector. 
Legacy connector uses the Log Analytics agent which were deprecated on **Aug 31, 2024.** Using MMA and AMA on same machine can cause log duplication and extra ingestion cost [more details](https://learn.microsoft.com/en-us/azure/sentinel/ama-migrate).\n\n**Analytic Rules:** 2, **Hunting Queries:** 1\n\n[Learn more about Microsoft Sentinel](https://aka.ms/azuresentinel) | [Learn more about Solutions](https://aka.ms/azuresentinelsolutionsdoc)", "subscription": { "resourceProviders": [ "Microsoft.OperationsManagement/solutions", @@ -51,30 +51,6 @@ } ], "steps": [ - { - "name": "dataconnectors", - "label": "Data Connectors", - "bladeTitle": "Data Connectors", - "elements": [ - { - "name": "dataconnectors1-text", - "type": "Microsoft.Common.TextBlock", - "options": { - "text": "This Solution installs the data connector for Nasuni. You can get Nasuni Syslog data in your Microsoft Sentinel workspace. After installing the solution, configure and enable this data connector by following guidance in Manage solution view." - } - }, - { - "name": "dataconnectors-link2", - "type": "Microsoft.Common.TextBlock", - "options": { - "link": { - "label": "Learn more about connecting data sources", - "uri": "https://docs.microsoft.com/azure/sentinel/connect-data-sources" - } - } - } - ] - }, { "name": "analytics", "label": "Analytics", @@ -162,7 +138,7 @@ "name": "huntingquery1-text", "type": "Microsoft.Common.TextBlock", "options": { - "text": "This query looks for file delete audit events generated by a Nasuni Edge Appliance. This hunting query depends on NasuniEdgeAppliance SyslogAma data connector (Syslog Syslog Parser or Table)" + "text": "This query looks for file delete audit events generated by a Nasuni Edge Appliance. This hunting query depends on SyslogAma data connector (Syslog Parser or Table)" } } ] diff --git a/Solutions/Nasuni/Package/mainTemplate.json b/Solutions/Nasuni/Package/mainTemplate.json index 4b97d08155a..cfb9927b67b 100644 
--- a/Solutions/Nasuni/Package/mainTemplate.json
+++ b/Solutions/Nasuni/Package/mainTemplate.json
@@ -33,37 +33,28 @@
 "email": "support@nasuni.com",
 "_email": "[variables('email')]",
 "_solutionName": "Nasuni",
- "_solutionVersion": "3.0.2",
+ "_solutionVersion": "3.0.3",
 "solutionId": "nasunicorporation.nasuni-sentinel",
 "_solutionId": "[variables('solutionId')]",
 "analyticRuleObject1": {
- "analyticRuleVersion1": "1.0.2",
+ "analyticRuleVersion1": "1.0.3",
 "_analyticRulecontentId1": "0c96a5a2-d60d-427d-8399-8df7fe8e6536",
 "analyticRuleId1": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', '0c96a5a2-d60d-427d-8399-8df7fe8e6536')]",
 "analyticRuleTemplateSpecName1": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring('0c96a5a2-d60d-427d-8399-8df7fe8e6536')))]",
- "_analyticRulecontentProductId1": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','0c96a5a2-d60d-427d-8399-8df7fe8e6536','-', '1.0.2')))]"
+ "_analyticRulecontentProductId1": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','0c96a5a2-d60d-427d-8399-8df7fe8e6536','-', '1.0.3')))]"
 },
 "analyticRuleObject2": {
- "analyticRuleVersion2": "1.0.2",
+ "analyticRuleVersion2": "1.0.3",
 "_analyticRulecontentId2": "6c8770fb-c854-403e-a64d-0293ba344d5f",
 "analyticRuleId2": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', '6c8770fb-c854-403e-a64d-0293ba344d5f')]",
 "analyticRuleTemplateSpecName2": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring('6c8770fb-c854-403e-a64d-0293ba344d5f')))]",
- "_analyticRulecontentProductId2": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','6c8770fb-c854-403e-a64d-0293ba344d5f','-', '1.0.2')))]"
+ "_analyticRulecontentProductId2": "[concat(take(variables('_solutionId'),50),'-','ar','-', 
uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','6c8770fb-c854-403e-a64d-0293ba344d5f','-', '1.0.3')))]"
 },
 "huntingQueryObject1": {
- "huntingQueryVersion1": "1.0.1",
+ "huntingQueryVersion1": "1.0.2",
 "_huntingQuerycontentId1": "64a3477e-d06f-4491-86a5-6f99702e267f",
 "huntingQueryTemplateSpecName1": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-hq-',uniquestring('64a3477e-d06f-4491-86a5-6f99702e267f')))]"
 },
- "uiConfigId1": "NasuniEdgeAppliance",
- "_uiConfigId1": "[variables('uiConfigId1')]",
- "dataConnectorContentId1": "NasuniEdgeAppliance",
- "_dataConnectorContentId1": "[variables('dataConnectorContentId1')]",
- "dataConnectorId1": "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/dataConnectors', variables('_dataConnectorContentId1'))]",
- "_dataConnectorId1": "[variables('dataConnectorId1')]",
- "dataConnectorTemplateSpecName1": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-dc-',uniquestring(variables('_dataConnectorContentId1'))))]",
- "dataConnectorVersion1": "1.0.0",
- "_dataConnectorcontentProductId1": "[concat(take(variables('_solutionId'),50),'-','dc','-', uniqueString(concat(variables('_solutionId'),'-','DataConnector','-',variables('_dataConnectorContentId1'),'-', variables('dataConnectorVersion1'))))]",
 "_solutioncontentProductId": "[concat(take(variables('_solutionId'),50),'-','sl','-', uniqueString(concat(variables('_solutionId'),'-','Solution','-',variables('_solutionId'),'-', variables('_solutionVersion'))))]"
 },
 "resources": [
@@ -76,7 +67,7 @@
 "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
 ],
 "properties": {
- "description": "RansomwareClientBlocked_AnalyticalRules Analytics Rule with template version 3.0.2",
+ "description": "RansomwareClientBlocked_AnalyticalRules Analytics Rule with template version 3.0.3",
 "mainTemplate": {
 "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
 "contentVersion": "[variables('analyticRuleObject1').analyticRuleVersion1]",
@@ -104,16 +95,10 @@
 "status": "Available",
 "requiredDataConnectors": [
 {
+ "connectorId": "SyslogAma",
 "datatypes": [
 "Syslog"
- ],
- "connectorId": "NasuniEdgeAppliance"
- },
- {
- "datatypes": [
- "Syslog"
- ],
- "connectorId": "SyslogAma"
+ ]
 }
 ],
 "tactics": [
@@ -124,13 +109,13 @@
 ],
 "entityMappings": [
 {
- "entityType": "IP",
 "fieldMappings": [
 {
 "columnName": "SrcIpAddr",
 "identifier": "Address"
 }
- ]
+ ],
+ "entityType": "IP"
 }
 ],
 "eventGroupingSettings": {
@@ -140,17 +125,17 @@
 "VolumeName": "volume_name"
 },
 "alertDetailsOverride": {
- "alertnameFormat": "Nasuni: Ransomware Client Blocked",
- "alertDescriptionFormat": "Nasuni has blocked a client involved in a ransomware attack from accessing a Nasuni Edge Appliance at {{TimeGenerated}}"
+ "alertDescriptionFormat": "Nasuni has blocked a client involved in a ransomware attack from accessing a Nasuni Edge Appliance at {{TimeGenerated}}",
+ "alertnameFormat": "Nasuni: Ransomware Client Blocked"
 },
 "incidentConfiguration": {
- "createIncident": true,
 "groupingConfiguration": {
- "reopenClosedIncident": false,
 "enabled": false,
 "matchingMethod": "AllEntities",
- "lookbackDuration": "PT5H"
- }
+ "lookbackDuration": "PT5H",
+ "reopenClosedIncident": false
+ },
+ "createIncident": true
 }
 }
 },
@@ -204,7 +189,7 @@
 "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
 ],
 "properties": {
- "description": "RansomwareAttackDetected_AnalyticalRules Analytics Rule with template version 3.0.2",
+ "description": "RansomwareAttackDetected_AnalyticalRules Analytics Rule with template version 3.0.3",
 "mainTemplate": {
 "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
 "contentVersion": "[variables('analyticRuleObject2').analyticRuleVersion2]",
@@ -232,16 +217,10 @@
 "status": "Available",
 "requiredDataConnectors": [
 {
+ "connectorId": "SyslogAma",
 "datatypes": [
 "Syslog"
- ],
- "connectorId": "NasuniEdgeAppliance"
- },
- {
- "datatypes": [
- "Syslog"
- ],
- "connectorId": "SyslogAma"
+ ]
 }
 ],
 "tactics": [
@@ -252,13 +231,13 @@
 ],
 "entityMappings": [
 {
- "entityType": "Malware",
 "fieldMappings": [
 {
 "columnName": "pattern",
 "identifier": "Name"
 }
- ]
+ ],
+ "entityType": "Malware"
 }
 ],
 "eventGroupingSettings": {
@@ -268,23 +247,23 @@
 "VolumeName": "volume_name"
 },
 "alertDetailsOverride": {
+ "alertDescriptionFormat": "Ransomware attack detected by Nasuni at {{TimeGenerated}}.",
 "alertDynamicProperties": [
 {
- "alertProperty": "RemediationSteps",
- "value": "SyslogMessage"
+ "value": "SyslogMessage",
+ "alertProperty": "RemediationSteps"
 }
 ],
- "alertnameFormat": "Nasuni: Ransomware Attack Detected",
- "alertDescriptionFormat": "Ransomware attack detected by Nasuni at {{TimeGenerated}}."
+ "alertnameFormat": "Nasuni: Ransomware Attack Detected"
 },
 "incidentConfiguration": {
- "createIncident": true,
 "groupingConfiguration": {
- "reopenClosedIncident": false,
 "enabled": false,
 "matchingMethod": "AllEntities",
- "lookbackDuration": "PT5H"
- }
+ "lookbackDuration": "PT5H",
+ "reopenClosedIncident": false
+ },
+ "createIncident": true
 }
 }
 },
@@ -338,7 +317,7 @@
 "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
 ],
 "properties": {
- "description": "FileDeleteEvents_HuntingQueries Hunting Query with template version 3.0.2",
+ "description": "FileDeleteEvents_HuntingQueries Hunting Query with template version 3.0.3",
 "mainTemplate": {
 "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
 "contentVersion": "[variables('huntingQueryObject1').huntingQueryVersion1]",
@@ -408,342 +387,9 @@ "contentId": "[variables('huntingQueryObject1')._huntingQuerycontentId1]", "contentKind": "HuntingQuery", "displayName": "Nasuni File Delete Activity", - "contentProductId": "[concat(take(variables('_solutionId'),50),'-','hq','-', uniqueString(concat(variables('_solutionId'),'-','HuntingQuery','-',variables('huntingQueryObject1')._huntingQuerycontentId1,'-', '1.0.1')))]", - "id": "[concat(take(variables('_solutionId'),50),'-','hq','-', uniqueString(concat(variables('_solutionId'),'-','HuntingQuery','-',variables('huntingQueryObject1')._huntingQuerycontentId1,'-', '1.0.1')))]", - "version": "1.0.1" - } - }, - { - "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates", - "apiVersion": "2023-04-01-preview", - "name": "[variables('dataConnectorTemplateSpecName1')]", - "location": "[parameters('workspace-location')]", - "dependsOn": [ - "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" - ], - "properties": { - "description": "Nasuni data connector with template version 3.0.2", - "mainTemplate": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "[variables('dataConnectorVersion1')]", - "parameters": {}, - "variables": {}, - "resources": [ - { - "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',variables('_dataConnectorContentId1'))]", - "apiVersion": "2021-03-01-preview", - "type": "Microsoft.OperationalInsights/workspaces/providers/dataConnectors", - "location": "[parameters('workspace-location')]", - "kind": "GenericUI", - "properties": { - "connectorUiConfig": { - "id": "[variables('_uiConfigId1')]", - "title": "[Deprecated] Nasuni Edge Appliance", - "publisher": "Nasuni", - "descriptionMarkdown": "The [Nasuni](https://www.nasuni.com/) connector allows you to easily connect your Nasuni Edge Appliance 
Notifications and file system audit logs with Microsoft Sentinel. This gives you more insight into activity within your Nasuni infrastructure and improves your security operation capabilities.", - "additionalRequirementBanner": "None", - "graphQueries": [ - { - "metricName": "Total events received", - "legend": "Nasuni", - "baseQuery": "Nasuni" - } - ], - "sampleQueries": [ - { - "description": "Last 1000 generated events", - "query": "Syslog\n | top 1000 by TimeGenerated" - }, - { - "description": "All events by facility except for cron", - "query": "Syslog\n | summarize count() by Facility | where Facility != \"cron\"" - } - ], - "connectivityCriterias": [ - { - "type": "IsConnectedQuery", - "value": [ - "Syslog\n | where TimeGenerated > ago(3d)\n |take 1\n | project IsConnected = true" - ] - } - ], - "dataTypes": [ - { - "name": "Syslog", - "lastDataReceivedQuery": "Syslog\n | summarize Time = max(TimeGenerated)\n | where isnotempty(Time)" - } - ], - "availability": { - "status": 1, - "isPreview": false - }, - "permissions": { - "resourceProvider": [ - { - "provider": "Microsoft.OperationalInsights/workspaces", - "permissionsDisplayText": "write permission is required.", - "providerDisplayName": "Workspace", - "scope": "Workspace", - "requiredPermissions": { - "write": true, - "delete": true - } - } - ] - }, - "customers": [ - { - "name": "Nasuni Edge Appliances", - "description": "must be configured to export events via Syslog" - } - ], - "instructionSteps": [ - { - "description": "Typically, you should install the agent on a different computer from the one on which the logs are generated.\n\n> Syslog logs are collected only from **Linux** agents.", - "instructions": [ - { - "parameters": { - "title": "Choose where to install the agent:", - "instructionSteps": [ - { - "title": "Install agent on Azure Linux Virtual Machine", - "description": "Select the machine to install the agent on and then click **Connect**.", - "instructions": [ - { - "parameters": { - 
"linkType": "InstallAgentOnLinuxVirtualMachine" - }, - "type": "InstallAgent" - } - ] - }, - { - "title": "Install agent on a non-Azure Linux Machine", - "description": "Download the agent on the relevant machine and follow the instructions.", - "instructions": [ - { - "parameters": { - "linkType": "InstallAgentOnLinuxNonAzure" - }, - "type": "InstallAgent" - } - ] - } - ] - }, - "type": "InstructionStepsGroup" - } - ], - "title": "1. Install and onboard the agent for Linux" - }, - { - "description": "Follow the configuration steps below to configure your Linux machine to send Nasuni event information to Microsoft Sentinel. Refer to the [Azure Monitor Agent documenation](https://learn.microsoft.com/en-us/azure/azure-monitor/agents/agents-overview) for additional details on these steps.\nConfigure the facilities you want to collect and their severities.\n1. Select the link below to open your workspace agents configuration, and select the Syslog tab.\n2. Select Add facility and choose from the drop-down list of facilities. Repeat for all the facilities you want to add.\n3. Mark the check boxes for the desired severities for each facility.\n4. Click Apply.\n", - "instructions": [ - { - "parameters": { - "linkType": "OpenSyslogSettings" - }, - "type": "InstallAgent" - } - ], - "title": "2. Configure the logs to be collected" - }, - { - "description": "Follow the instructions in the [Nasuni Management Console Guide](https://view.highspot.com/viewer/629a633ae5b4caaf17018daa?iid=5e6fbfcbc7143309f69fcfcf) to configure Nasuni Edge Appliances to forward syslog events. Use the IP address or hostname of the Linux device running the Azure Monitor Agent in the Servers configuration field for the syslog settings.", - "title": "3. 
Configure Nasuni Edge Appliance settings" - } - ] - } - } - }, - { - "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", - "apiVersion": "2023-04-01-preview", - "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('DataConnector-', last(split(variables('_dataConnectorId1'),'/'))))]", - "properties": { - "parentId": "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/dataConnectors', variables('_dataConnectorContentId1'))]", - "contentId": "[variables('_dataConnectorContentId1')]", - "kind": "DataConnector", - "version": "[variables('dataConnectorVersion1')]", - "source": { - "kind": "Solution", - "name": "Nasuni", - "sourceId": "[variables('_solutionId')]" - }, - "author": { - "name": "Nasuni", - "email": "[variables('_email')]" - }, - "support": { - "name": "Nasuni", - "tier": "Partner", - "link": "https://github.com/nasuni-labs/Azure-Sentinel" - } - } - } - ] - }, - "packageKind": "Solution", - "packageVersion": "[variables('_solutionVersion')]", - "packageName": "[variables('_solutionName')]", - "packageId": "[variables('_solutionId')]", - "contentSchemaVersion": "3.0.0", - "contentId": "[variables('_dataConnectorContentId1')]", - "contentKind": "DataConnector", - "displayName": "[Deprecated] Nasuni Edge Appliance", - "contentProductId": "[variables('_dataConnectorcontentProductId1')]", - "id": "[variables('_dataConnectorcontentProductId1')]", - "version": "[variables('dataConnectorVersion1')]" - } - }, - { - "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", - "apiVersion": "2023-04-01-preview", - "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('DataConnector-', last(split(variables('_dataConnectorId1'),'/'))))]", - "dependsOn": [ - "[variables('_dataConnectorId1')]" - ], - "location": "[parameters('workspace-location')]", - "properties": { - "parentId": 
"[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/dataConnectors', variables('_dataConnectorContentId1'))]", - "contentId": "[variables('_dataConnectorContentId1')]", - "kind": "DataConnector", - "version": "[variables('dataConnectorVersion1')]", - "source": { - "kind": "Solution", - "name": "Nasuni", - "sourceId": "[variables('_solutionId')]" - }, - "author": { - "name": "Nasuni", - "email": "[variables('_email')]" - }, - "support": { - "name": "Nasuni", - "tier": "Partner", - "link": "https://github.com/nasuni-labs/Azure-Sentinel" - } - } - }, - { - "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',variables('_dataConnectorContentId1'))]", - "apiVersion": "2021-03-01-preview", - "type": "Microsoft.OperationalInsights/workspaces/providers/dataConnectors", - "location": "[parameters('workspace-location')]", - "kind": "GenericUI", - "properties": { - "connectorUiConfig": { - "title": "[Deprecated] Nasuni Edge Appliance", - "publisher": "Nasuni", - "descriptionMarkdown": "The [Nasuni](https://www.nasuni.com/) connector allows you to easily connect your Nasuni Edge Appliance Notifications and file system audit logs with Microsoft Sentinel. 
This gives you more insight into activity within your Nasuni infrastructure and improves your security operation capabilities.", - "graphQueries": [ - { - "metricName": "Total events received", - "legend": "Nasuni", - "baseQuery": "Nasuni" - } - ], - "dataTypes": [ - { - "name": "Syslog", - "lastDataReceivedQuery": "Syslog\n | summarize Time = max(TimeGenerated)\n | where isnotempty(Time)" - } - ], - "connectivityCriterias": [ - { - "type": "IsConnectedQuery", - "value": [ - "Syslog\n | where TimeGenerated > ago(3d)\n |take 1\n | project IsConnected = true" - ] - } - ], - "sampleQueries": [ - { - "description": "Last 1000 generated events", - "query": "Syslog\n | top 1000 by TimeGenerated" - }, - { - "description": "All events by facility except for cron", - "query": "Syslog\n | summarize count() by Facility | where Facility != \"cron\"" - } - ], - "availability": { - "status": 1, - "isPreview": false - }, - "permissions": { - "resourceProvider": [ - { - "provider": "Microsoft.OperationalInsights/workspaces", - "permissionsDisplayText": "write permission is required.", - "providerDisplayName": "Workspace", - "scope": "Workspace", - "requiredPermissions": { - "write": true, - "delete": true - } - } - ] - }, - "instructionSteps": [ - { - "description": "Typically, you should install the agent on a different computer from the one on which the logs are generated.\n\n> Syslog logs are collected only from **Linux** agents.", - "instructions": [ - { - "parameters": { - "title": "Choose where to install the agent:", - "instructionSteps": [ - { - "title": "Install agent on Azure Linux Virtual Machine", - "description": "Select the machine to install the agent on and then click **Connect**.", - "instructions": [ - { - "parameters": { - "linkType": "InstallAgentOnLinuxVirtualMachine" - }, - "type": "InstallAgent" - } - ] - }, - { - "title": "Install agent on a non-Azure Linux Machine", - "description": "Download the agent on the relevant machine and follow the instructions.", 
- "instructions": [ - { - "parameters": { - "linkType": "InstallAgentOnLinuxNonAzure" - }, - "type": "InstallAgent" - } - ] - } - ] - }, - "type": "InstructionStepsGroup" - } - ], - "title": "1. Install and onboard the agent for Linux" - }, - { - "description": "Follow the configuration steps below to configure your Linux machine to send Nasuni event information to Microsoft Sentinel. Refer to the [Azure Monitor Agent documenation](https://learn.microsoft.com/en-us/azure/azure-monitor/agents/agents-overview) for additional details on these steps.\nConfigure the facilities you want to collect and their severities.\n1. Select the link below to open your workspace agents configuration, and select the Syslog tab.\n2. Select Add facility and choose from the drop-down list of facilities. Repeat for all the facilities you want to add.\n3. Mark the check boxes for the desired severities for each facility.\n4. Click Apply.\n", - "instructions": [ - { - "parameters": { - "linkType": "OpenSyslogSettings" - }, - "type": "InstallAgent" - } - ], - "title": "2. Configure the logs to be collected" - }, - { - "description": "Follow the instructions in the [Nasuni Management Console Guide](https://view.highspot.com/viewer/629a633ae5b4caaf17018daa?iid=5e6fbfcbc7143309f69fcfcf) to configure Nasuni Edge Appliances to forward syslog events. Use the IP address or hostname of the Linux device running the Azure Monitor Agent in the Servers configuration field for the syslog settings.", - "title": "3. 
Configure Nasuni Edge Appliance settings" - } - ], - "id": "[variables('_uiConfigId1')]", - "additionalRequirementBanner": "None" - } + "contentProductId": "[concat(take(variables('_solutionId'),50),'-','hq','-', uniqueString(concat(variables('_solutionId'),'-','HuntingQuery','-',variables('huntingQueryObject1')._huntingQuerycontentId1,'-', '1.0.2')))]", + "id": "[concat(take(variables('_solutionId'),50),'-','hq','-', uniqueString(concat(variables('_solutionId'),'-','HuntingQuery','-',variables('huntingQueryObject1')._huntingQuerycontentId1,'-', '1.0.2')))]", + "version": "1.0.2" } }, { @@ -751,12 +397,12 @@ "apiVersion": "2023-04-01-preview", "location": "[parameters('workspace-location')]", "properties": { - "version": "3.0.2", + "version": "3.0.3", "kind": "Solution", "contentSchemaVersion": "3.0.0", "displayName": "Nasuni", "publisherDisplayName": "Nasuni", - "descriptionHtml": "

Note: Please refer to the following before installing the solution:

\n

• Review the solution Release Notes

\n

• There may be known issues pertaining to this Solution, please refer to them before installing.

\n

The Nasuni solution for Microsoft Sentinel allows you to analyze Nasuni audit events and Notifications collected via Syslog. It includes analytics rules to automatically generate Incidents when a ransomware attack is detected and perform appropriate entity mapping.

\n

This solution is dependent on the Syslog solution containing the Syslog via AMA connector to collect the logs. The Syslog solution will be installed as part of this solution installation.

\n

NOTE: Microsoft recommends installation of Syslog via AMA Connector. Legacy connector uses the Log Analytics agent which is about to be deprecated by Aug 31, 2024. Using MMA and AMA on same machine can cause log duplication and extra ingestion cost more details.

\n

Data Connectors: 1, Analytic Rules: 2, Hunting Queries: 1

\n

Learn more about Microsoft Sentinel | Learn more about Solutions

\n", + "descriptionHtml": "

Note: Please refer to the following before installing the solution:

\n

• Review the solution Release Notes

\n

• There may be known issues pertaining to this Solution, please refer to them before installing.

\n

The Nasuni solution for Microsoft Sentinel allows you to analyze Nasuni audit events and Notifications collected via Syslog. It includes analytics rules to automatically generate Incidents when a ransomware attack is detected and perform appropriate entity mapping.

\n

This solution is dependent on the Syslog solution containing the Syslog via AMA connector to collect the logs. The Syslog solution will be installed as part of this solution installation.

\n

NOTE: Microsoft recommends installation of Syslog via AMA Connector. Legacy connector uses the Log Analytics agent which were deprecated on Aug 31, 2024. Using MMA and AMA on same machine can cause log duplication and extra ingestion cost more details.

\n

Analytic Rules: 2, Hunting Queries: 1

\n

Learn more about Microsoft Sentinel | Learn more about Solutions

\n", "contentKind": "Solution", "contentProductId": "[variables('_solutioncontentProductId')]", "id": "[variables('_solutioncontentProductId')]", @@ -794,11 +440,6 @@ "contentId": "[variables('huntingQueryObject1')._huntingQuerycontentId1]", "version": "[variables('huntingQueryObject1').huntingQueryVersion1]" }, - { - "kind": "DataConnector", - "contentId": "[variables('_dataConnectorContentId1')]", - "version": "[variables('dataConnectorVersion1')]" - }, { "kind": "Solution", "contentId": "azuresentinel.azure-sentinel-solution-syslog" diff --git a/Solutions/Nasuni/ReleaseNotes.md b/Solutions/Nasuni/ReleaseNotes.md index c009cd81672..a5f610794e8 100644 --- a/Solutions/Nasuni/ReleaseNotes.md +++ b/Solutions/Nasuni/ReleaseNotes.md @@ -1,5 +1,6 @@ | **Version** | **Date Modified (DD-MM-YYYY)** | **Change History** | |-------------|--------------------------------|---------------------------------------------| +| 3.0.3 | 03-01-2025 | Removed Deprecated **Data connector** | | 3.0.2 | 18-07-2024 | Deprecating data connectors | | 3.0.1 | 02-08-2023 | Solution Id and Tier Updated | | 3.0.0 | 14-07-2023 | Initial Solution Release | \ No newline at end of file From c535a0bfacd11bf5c44378cf3a6d0d7f873b1459 Mon Sep 17 00:00:00 2001 From: rahul0216 Date: Tue, 7 Jan 2025 14:36:12 +0530 Subject: [PATCH 14/22] Update detection-template-schema-validations.yaml --- .github/workflows/detection-template-schema-validations.yaml | 1 + 1 file changed, 1 insertion(+) diff --git a/.github/workflows/detection-template-schema-validations.yaml b/.github/workflows/detection-template-schema-validations.yaml index ece93382c47..06b2e03c6ae 100644 --- a/.github/workflows/detection-template-schema-validations.yaml +++ b/.github/workflows/detection-template-schema-validations.yaml 
@@ -14,6 +14,7 @@ jobs:
 dotnetSdkVersion: 3.1.401
 PRNUM: ${{ github.event.pull_request.number }}
 steps:
+ - run : sudo apt-get update && sudo apt-get install -qqq libicu63
 - uses: actions/checkout@v4
 - name: Use .NET Core SDK ${{ env.dotnetSdkVersion }}
 uses: actions/setup-dotnet@v4
From 5c125125c98e62e8804fef275c9a2592c1fa216b Mon Sep 17 00:00:00 2001
From: rahul0216
Date: Tue, 7 Jan 2025 14:52:10 +0530
Subject: [PATCH 15/22] Update detection-template-schema-validations.yaml
---
 .github/workflows/detection-template-schema-validations.yaml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/.github/workflows/detection-template-schema-validations.yaml b/.github/workflows/detection-template-schema-validations.yaml
index 06b2e03c6ae..c62cb44675f 100644
--- a/.github/workflows/detection-template-schema-validations.yaml
+++ b/.github/workflows/detection-template-schema-validations.yaml
@@ -14,7 +14,7 @@ jobs:
 dotnetSdkVersion: 3.1.401
 PRNUM: ${{ github.event.pull_request.number }}
 steps:
- - run : sudo apt-get update && sudo apt-get install -qqq libicu63
+ - run : sudo apt-get update && sudo apt-get install -qqq libicu
 - uses: actions/checkout@v4
 - name: Use .NET Core SDK ${{ env.dotnetSdkVersion }}
 uses: actions/setup-dotnet@v4
From cea1a8f517a45652368f32e949814c10d5c63654 Mon Sep 17 00:00:00 2001
From: rahul0216
Date: Tue, 7 Jan 2025 14:58:24 +0530
Subject: [PATCH 16/22] Update detection-template-schema-validations.yaml
---
 .github/workflows/detection-template-schema-validations.yaml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/.github/workflows/detection-template-schema-validations.yaml b/.github/workflows/detection-template-schema-validations.yaml
index c62cb44675f..1e18290704b 100644
--- a/.github/workflows/detection-template-schema-validations.yaml
+++ b/.github/workflows/detection-template-schema-validations.yaml
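Review bot: The added step hard-codes `libicu63`, the ICU package name of one particular Ubuntu release, so it breaks as soon as the runner image moves on, and the hunks for commits 15 through 19 in this and the next two lines cycle through `libicu`, `libicu-dev`, `libicu74` and `libicu70` chasing the same symptom. The symptom is driven by `dotnetSdkVersion: 3.1.401`, a .NET Core SDK that has been out of support since December 2022 and that cannot load the ICU shipped by newer images, so installing a matching ICU at job start only postpones the failure; the durable fix is to move the SDK forward. Until then the step should record why it exists, e.g. `- name: Install the ICU version the .NET Core 3.1 SDK can load`, and pass `-y` explicitly instead of relying on `-qqq` to imply it. Note also that an `apt-get install` on every PR run adds a dependency on the distro mirrors being reachable that this job did not previously have.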
@@ -14,7 +14,7 @@ jobs:
 dotnetSdkVersion: 3.1.401
 PRNUM: ${{ github.event.pull_request.number }}
 steps:
- - run : sudo apt-get update && sudo apt-get install -qqq libicu
+ - run : sudo apt-get update && sudo apt-get install -qqq libicu-dev
 - uses: actions/checkout@v4
 - name: Use .NET Core SDK ${{ env.dotnetSdkVersion }}
 uses: actions/setup-dotnet@v4
From e39112aa6620d19a54171b290c2cce73c0e26b86 Mon Sep 17 00:00:00 2001
From: rahul0216
Date: Tue, 7 Jan 2025 15:08:05 +0530
Subject: [PATCH 17/22] Update detection-template-schema-validations.yaml
---
 .github/workflows/detection-template-schema-validations.yaml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/.github/workflows/detection-template-schema-validations.yaml b/.github/workflows/detection-template-schema-validations.yaml
index 1e18290704b..9250aea5cbf 100644
--- a/.github/workflows/detection-template-schema-validations.yaml
+++ b/.github/workflows/detection-template-schema-validations.yaml
@@ -14,7 +14,7 @@ jobs:
 dotnetSdkVersion: 3.1.401
 PRNUM: ${{ github.event.pull_request.number }}
 steps:
- - run : sudo apt-get update && sudo apt-get install -qqq libicu-dev
+ - run : sudo apt-get update && sudo apt-get install -qqq libicu74
 - uses: actions/checkout@v4
 - name: Use .NET Core SDK ${{ env.dotnetSdkVersion }}
 uses: actions/setup-dotnet@v4
From a12c4714f0b5d63976d3439b5c0e83592ba9ca82 Mon Sep 17 00:00:00 2001
From: rahul0216
Date: Tue, 7 Jan 2025 15:11:45 +0530
Subject: [PATCH 18/22] Update detection-template-schema-validations.yaml
---
 .github/workflows/detection-template-schema-validations.yaml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/.github/workflows/detection-template-schema-validations.yaml b/.github/workflows/detection-template-schema-validations.yaml
index 9250aea5cbf..94053eb67aa 100644
--- a/.github/workflows/detection-template-schema-validations.yaml
+++ b/.github/workflows/detection-template-schema-validations.yaml
@@ -14,7 +14,7 @@ jobs:
 dotnetSdkVersion: 3.1.401
 PRNUM: ${{ github.event.pull_request.number }}
 steps:
- - run : sudo apt-get update && sudo apt-get install -qqq libicu74
+ - run : sudo apt-get update && sudo apt-get -y install libicu74
 - uses: actions/checkout@v4
 - name: Use .NET Core SDK ${{ env.dotnetSdkVersion }}
 uses: actions/setup-dotnet@v4
From 01d5d90311366a2bfa20a9d806eb1eb7f40f6954 Mon Sep 17 00:00:00 2001
From: rahul0216
Date: Tue, 7 Jan 2025 15:14:53 +0530
Subject: [PATCH 19/22] Update detection-template-schema-validations.yaml
---
 .github/workflows/detection-template-schema-validations.yaml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/.github/workflows/detection-template-schema-validations.yaml b/.github/workflows/detection-template-schema-validations.yaml
index 94053eb67aa..afc6c3e9522 100644
--- a/.github/workflows/detection-template-schema-validations.yaml
+++ b/.github/workflows/detection-template-schema-validations.yaml
@@ -14,7 +14,7 @@ jobs:
 dotnetSdkVersion: 3.1.401
 PRNUM: ${{ github.event.pull_request.number }}
 steps:
- - run : sudo apt-get update && sudo apt-get -y install libicu74
+ - run : sudo apt-get update && sudo apt-get -y install libicu70
 - uses: actions/checkout@v4
 - name: Use .NET Core SDK ${{ env.dotnetSdkVersion }}
 uses: actions/setup-dotnet@v4
From a9a6788d845dca0452708383bbdacce59d3cad98 Mon Sep 17 00:00:00 2001
From: rahul0216
Date: Tue, 7 Jan 2025 15:16:59 +0530
Subject: [PATCH 20/22] Update detection-template-schema-validations.yaml
---
 .github/workflows/detection-template-schema-validations.yaml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/.github/workflows/detection-template-schema-validations.yaml b/.github/workflows/detection-template-schema-validations.yaml
index afc6c3e9522..e0ae6a484d6 100644
--- a/.github/workflows/detection-template-schema-validations.yaml
+++ b/.github/workflows/detection-template-schema-validations.yaml
@@ -14,7 +14,7 @@ jobs:
 dotnetSdkVersion: 3.1.401
 PRNUM: ${{ github.event.pull_request.number }}
 steps:
- - run : sudo apt-get update && sudo apt-get -y install libicu70
+ - run : export DOTNET_SYSTEM_GLOBALIZATION_INVARIANT=1
 - uses: actions/checkout@v4
 - name: Use .NET Core SDK ${{ env.dotnetSdkVersion }}
 uses: actions/setup-dotnet@v4
From 9a33b7f2aec5e0047bb019a83db8658339707f86 Mon Sep 17 00:00:00 2001
From: rahul0216
Date: Tue, 7 Jan 2025 15:21:53 +0530
Subject: [PATCH 21/22] Update detection-template-schema-validations.yaml
---
 .github/workflows/detection-template-schema-validations.yaml | 3 +--
 1 file changed, 1 insertion(+), 2 deletions(-)
diff --git a/.github/workflows/detection-template-schema-validations.yaml b/.github/workflows/detection-template-schema-validations.yaml
index e0ae6a484d6..78591e45237 100644
--- a/.github/workflows/detection-template-schema-validations.yaml
+++ b/.github/workflows/detection-template-schema-validations.yaml
@@ -8,13 +8,12 @@ on:
 workflow_dispatch:
 jobs:
 DetectionTemplateSchemaValidation:
- runs-on: ubuntu-latest
+ runs-on: ubuntu-22.04
 env:
 buildConfiguration: Release
 dotnetSdkVersion: 3.1.401
 PRNUM: ${{ github.event.pull_request.number }}
 steps:
- - run : export DOTNET_SYSTEM_GLOBALIZATION_INVARIANT=1
 - uses: actions/checkout@v4
 - name: Use .NET Core SDK ${{ env.dotnetSdkVersion }}
 uses: actions/setup-dotnet@v4
From 009462bf1f0d55c9681bdb820b16e084c7b28536 Mon Sep 17 00:00:00 2001
From: rahul0216
Date: Tue, 7 Jan 2025 15:28:00 +0530
Subject: [PATCH 22/22] Update non-ascii-validations.yaml
---
 .github/workflows/non-ascii-validations.yaml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/.github/workflows/non-ascii-validations.yaml b/.github/workflows/non-ascii-validations.yaml
index ca37bec3a71..ddca1038d0b 100644
--- a/.github/workflows/non-ascii-validations.yaml
+++ b/.github/workflows/non-ascii-validations.yaml
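Review bot: Pinning `runs-on: ubuntu-22.04` gets the job green because that image still ships an ICU the 3.1.401 SDK can load, but the cause — the out-of-support SDK in `dotnetSdkVersion: 3.1.401` — is untouched, and the pin itself has a shelf life because GitHub retires older runner images on a schedule, so the line deserves a comment such as `# pinned: the .NET Core 3.1 SDK cannot load the libicu shipped by ubuntu-latest (24.04); revisit when dotnetSdkVersion is upgraded`. The `export DOTNET_SYSTEM_GLOBALIZATION_INVARIANT=1` step that this hunk removes could not have worked as written, since each `run` step executes in its own shell and an export there never reaches the later steps; the same setting placed under the job's `env:` block next to `dotnetSdkVersion`, as `DOTNET_SYSTEM_GLOBALIZATION_INVARIANT: 1`, applies to every step and would make the image pin unnecessary, provided the validator does not rely on culture-sensitive string handling. The identical unexplained pin is applied to non-ascii-validations.yaml in the following hunk, and whichever approach is kept should be accompanied by a tracked upgrade of the EOL SDK rather than left as a permanent workaround.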
@@ -9,7 +9,7 @@ on:
 workflow_dispatch:
 jobs:
 NonAsciiValidations:
- runs-on: ubuntu-latest
+ runs-on: ubuntu-22.04
 env:
 buildConfiguration: Release
 dotnetSdkVersion: 3.1.401