diff --git a/documentation/azure-powershell-modules.md b/documentation/azure-powershell-modules.md
index 8a0e807f8d4a..7d5139dfce8f 100644
--- a/documentation/azure-powershell-modules.md
+++ b/documentation/azure-powershell-modules.md
@@ -100,6 +100,7 @@ Resource Mover | `Az.ResourceMover`
Resources | `Az.Resources` | [![Resources]][ResourcesGallery]
Search | `Az.Search` | [![Search]][SearchGallery]
Security | `Az.Security` | [![Security]][SecurityGallery]
+Sentinel (SecurityInsights) | `Az.SecurityInsights` | [![SecurityInsights]][SecurityInsightsGallery]
Service Bus | `Az.ServiceBus` | [![ServiceBus]][ServiceBusGallery]
Service Fabric | `Az.ServiceFabric` | [![ServiceFabric]][ServiceFabricGallery]
SignalR | `Az.SignalR` | [![SignalR]][SignalRGallery]
@@ -214,6 +215,7 @@ Web App Service | `Az.Websites`
[Resources]: https://img.shields.io/powershellgallery/v/Az.Resources.svg?style=flat-square&label=Az.Resources
[Search]: https://img.shields.io/powershellgallery/v/Az.Search.svg?style=flat-square&label=Az.Search
[Security]: https://img.shields.io/powershellgallery/v/Az.Security.svg?style=flat-square&label=Az.Security
+[SecurityInsights]: https://img.shields.io/powershellgallery/v/Az.SecurityInsights.svg?style=flat-square&label=Az.SecurityInsights
[ServiceBus]: https://img.shields.io/powershellgallery/v/Az.ServiceBus.svg?style=flat-square&label=Az.ServiceBus
[ServiceFabric]: https://img.shields.io/powershellgallery/v/Az.ServiceFabric.svg?style=flat-square&label=Az.ServiceFabric
[SignalR]: https://img.shields.io/powershellgallery/v/Az.SignalR.svg?style=flat-square&label=Az.SignalR
@@ -325,6 +327,7 @@ Web App Service | `Az.Websites`
[ResourcesGallery]: https://www.powershellgallery.com/packages/Az.Resources/
[SearchGallery]: https://www.powershellgallery.com/packages/Az.Search/
[SecurityGallery]: https://www.powershellgallery.com/packages/Az.Security/
+[SecurityInsightsGallery]: https://www.powershellgallery.com/packages/Az.SecurityInsights/
[ServiceBusGallery]: https://www.powershellgallery.com/packages/Az.ServiceBus/
[ServiceFabricGallery]: https://www.powershellgallery.com/packages/Az.ServiceFabric/
[SignalRGallery]: https://www.powershellgallery.com/packages/Az.SignalR/
diff --git a/src/SecurityInsights/SecurityInsights.Test/Properties/AssemblyInfo.cs b/src/SecurityInsights/SecurityInsights.Test/Properties/AssemblyInfo.cs
new file mode 100644
index 000000000000..cf32335f5380
--- /dev/null
+++ b/src/SecurityInsights/SecurityInsights.Test/Properties/AssemblyInfo.cs
@@ -0,0 +1,52 @@
+// ----------------------------------------------------------------------------------
+//
+// Copyright Microsoft Corporation
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+// http://www.apache.org/licenses/LICENSE-2.0
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+// ----------------------------------------------------------------------------------
+
+using System.Reflection;
+using System.Runtime.CompilerServices;
+using System.Runtime.InteropServices;
+using Xunit;
+
+// General Information about an assembly is controlled through the following
+// set of attributes. Change these attribute values to modify the information
+// associated with an assembly.
+[assembly: AssemblyTitle("Commands.SecurityInsights.Test")]
+[assembly: AssemblyDescription("")]
+[assembly: AssemblyConfiguration("")]
+[assembly: AssemblyCompany("")]
+[assembly: AssemblyProduct("Commands.SecurityInsights.Test")]
+[assembly: AssemblyCopyright("Copyright © 2018")]
+[assembly: AssemblyTrademark("")]
+[assembly: AssemblyCulture("")]
+
+// Setting ComVisible to false makes the types in this assembly not visible
+// to COM components. If you need to access a type in this assembly from
+// COM, set the ComVisible attribute to true on that type.
+[assembly: ComVisible(false)]
+
+// The following GUID is for the ID of the typelib if this project is exposed to COM
+[assembly: Guid("CA24A45A-9D2D-4BBD-9F71-EF5599ADAD96")]
+
+// Version information for an assembly consists of the following four values:
+//
+// Major Version
+// Minor Version
+// Build Number
+// Revision
+//
+// You can specify all the values or you can default the Build and Revision Numbers
+// by using the '*' as shown below:
+// [assembly: AssemblyVersion("1.0.*")]
+[assembly: AssemblyVersion("1.0.0.0")]
+[assembly: AssemblyFileVersion("1.0.0.0")]
+[assembly: CollectionBehavior(DisableTestParallelization = true)]
diff --git a/src/SecurityInsights/SecurityInsights.Test/ScenarioTests/ActionsTests.cs b/src/SecurityInsights/SecurityInsights.Test/ScenarioTests/ActionsTests.cs
new file mode 100644
index 000000000000..66d8407540ac
--- /dev/null
+++ b/src/SecurityInsights/SecurityInsights.Test/ScenarioTests/ActionsTests.cs
@@ -0,0 +1,68 @@
+// ----------------------------------------------------------------------------------
+//
+// Copyright Microsoft Corporation
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+// http://www.apache.org/licenses/LICENSE-2.0
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+// ----------------------------------------------------------------------------------
+
+using Microsoft.Azure.Commands.ScenarioTest;
+using Microsoft.Azure.ServiceManagement.Common.Models;
+using Microsoft.WindowsAzure.Commands.ScenarioTest;
+using Xunit;
+
+namespace Microsoft.Azure.Commands.SecurityInsights.Test.ScenarioTests
+{
+ public class ActionsTests
+ {
+ private readonly XunitTracingInterceptor _logger;
+
+ public ActionsTests(Xunit.Abstractions.ITestOutputHelper output)
+ {
+ _logger = new XunitTracingInterceptor(output);
+ XunitTracingInterceptor.AddToContext(_logger);
+ TestExecutionHelpers.SetUpSessionAndProfile();
+ }
+
+ [Fact]
+ [Trait(Category.AcceptanceType, Category.CheckIn)]
+ public void ListByAlertRule()
+ {
+ TestController.NewInstance.RunPowerShellTest(_logger, "Get-AzSentinelAlertRuleAction-ListByAlertRule");
+ }
+
+ [Fact]
+ [Trait(Category.AcceptanceType, Category.CheckIn)]
+ public void GetAction()
+ {
+ TestController.NewInstance.RunPowerShellTest(_logger, "Get-AzSentinelAlertRuleAction-GetAction");
+ }
+
+ [Fact]
+ [Trait(Category.AcceptanceType, Category.CheckIn)]
+ public void CreateAction()
+ {
+ TestController.NewInstance.RunPowerShellTest(_logger, "New-AzSentinelAlertRuleAction-Create");
+ }
+
+ [Fact]
+ [Trait(Category.AcceptanceType, Category.CheckIn)]
+ public void UpdateAction()
+ {
+ TestController.NewInstance.RunPowerShellTest(_logger, "Update-AzSentinelAlertRuleAction-Update");
+ }
+
+ [Fact]
+ [Trait(Category.AcceptanceType, Category.CheckIn)]
+ public void RemoveAction()
+ {
+ TestController.NewInstance.RunPowerShellTest(_logger, "Remove-AzSentinelAlertRuleAction-Delete");
+ }
+ }
+}
diff --git a/src/SecurityInsights/SecurityInsights.Test/ScenarioTests/ActionsTests.ps1 b/src/SecurityInsights/SecurityInsights.Test/ScenarioTests/ActionsTests.ps1
new file mode 100644
index 000000000000..4b34ec69e4f1
--- /dev/null
+++ b/src/SecurityInsights/SecurityInsights.Test/ScenarioTests/ActionsTests.ps1
@@ -0,0 +1,170 @@
+# ----------------------------------------------------------------------------------
+#
+# Copyright Microsoft Corporation
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+# http://www.apache.org/licenses/LICENSE-2.0
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+# ----------------------------------------------------------------------------------
+
+<#
+.SYNOPSIS
+List Actions by Alert Rule
+#>
+function Get-AzSentinelAlertRuleAction-ListByAlertRule
+{
+ $AlertRuleId = "1b64dc0e-4bf6-43c4-a503-52cba30b5c47"
+ $ActionId = "cd9f21e2-1718-4b8b-871e-b8d59c65f317"
+ $ActionId2 = "ccef9243-4f96-4ec5-8042-9df44e2df452"
+ $LogicAppResourceId = "/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.Logic/workflows/Block-AADUser"
+ $TriggerUri = "https://prod-13.westus.logic.azure.com:443/workflows/826a95b1b84c4ffbaf3af3dd88fe96b5/triggers/When_a_response_to_an_Azure_Sentinel_alert_is_triggered/paths/invoke?api-version=2018-07-01-preview&sp=%2Ftriggers%2FWhen_a_response_to_an_Azure_Sentinel_alert_is_triggered%2Frun&sv=1.0&sig=pK23xWl4uJT4RWs7zopxiP0Z7CpIfCDZEanL-mEyy1E"
+ $LogicAppResourceId2 = "/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.Logic/workflows/Get-MDATPInvestigationPackage"
+ $TriggerUri2 = "https://prod-16.westus.logic.azure.com:443/workflows/18c75599cf3742c998d14af0f89cf3b1/triggers/When_a_response_to_an_Azure_Sentinel_alert_is_triggered/paths/invoke?api-version=2018-07-01-preview&sp=%2Ftriggers%2FWhen_a_response_to_an_Azure_Sentinel_alert_is_triggered%2Frun&sv=1.0&sig=rREdJWoN3PNCmhqwMz0KRy8apQDt8DQbZZuvlm1l4Oo"
+
+ #Create Alert Rule
+ $alertRule = New-AzSentinelAlertRule -ResourceGroupName (Get-TestResourceGroupName) -WorkspaceName (Get-TestWorkspaceName) -AlertRuleId $AlertRuleId -Scheduled -Enabled -DisplayName "PoshModuleTest" -Severity Low -Query "SecurityAlert | take 1" -QueryFrequency (New-TimeSpan -Hours 5) -QueryPeriod (New-TimeSpan -Hours 5) -TriggerThreshold 10
+ #Create Alert Rule Action
+ $action = New-AzSentinelAlertRuleAction -ResourceGroupName (Get-TestResourceGroupName) -WorkspaceName (Get-TestWorkspaceName) -ActionId $ActionId -AlertRuleId ($alertRule.Name) -LogicAppResourceId $LogicAppResourceId -TriggerUri $TriggerUri
+ #Create Alert Rule Action
+ $action2 = New-AzSentinelAlertRuleAction -ResourceGroupName (Get-TestResourceGroupName) -WorkspaceName (Get-TestWorkspaceName) -ActionId $ActionId2 -AlertRuleId ($alertRule.Name) -LogicAppResourceId $LogicAppResourceId2 -TriggerUri $TriggerUri2
+
+ #Get Alert Rule Actions
+ $actions = Get-AzSentinelAlertRuleAction -ResourceGroupName (Get-TestResourceGroupName) -WorkspaceName (Get-TestWorkspaceName) -AlertRuleId ($alertRule.Name)
+ # Validate
+ Validate-Actions $actions
+
+ #Cleanup
+ Remove-AzSentinelAlertRule -ResourceGroupName (Get-TestResourceGroupName) -WorkspaceName (Get-TestWorkspaceName) -AlertRuleId ($alertRule.Name)
+}
+
+<#
+.SYNOPSIS
+Get Action
+#>
+function Get-AzSentinelAlertRuleAction-GetAction
+{
+ $AlertRuleId = "77def5f7-ab37-4aaf-8711-904d1ab55787"
+ $ActionId = "27dda575-93f0-4925-92b3-039ef4d89cad"
+ $LogicAppResourceId = "/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.Logic/workflows/Block-AADUser"
+ $TriggerUri = "https://prod-13.westus.logic.azure.com:443/workflows/826a95b1b84c4ffbaf3af3dd88fe96b5/triggers/When_a_response_to_an_Azure_Sentinel_alert_is_triggered/paths/invoke?api-version=2018-07-01-preview&sp=%2Ftriggers%2FWhen_a_response_to_an_Azure_Sentinel_alert_is_triggered%2Frun&sv=1.0&sig=pK23xWl4uJT4RWs7zopxiP0Z7CpIfCDZEanL-mEyy1E"
+
+ #Create Alert Rule
+ $alertRule = New-AzSentinelAlertRule -ResourceGroupName (Get-TestResourceGroupName) -WorkspaceName (Get-TestWorkspaceName) -AlertRuleId $AlertRuleId -Scheduled -Enabled -DisplayName "PoshModuleTest" -Severity Low -Query "SecurityAlert | take 1" -QueryFrequency (New-TimeSpan -Hours 5) -QueryPeriod (New-TimeSpan -Hours 5) -TriggerThreshold 10
+ #Create Alert Rule Action
+ $action = New-AzSentinelAlertRuleAction -ResourceGroupName (Get-TestResourceGroupName) -WorkspaceName (Get-TestWorkspaceName) -AlertRuleId ($alertRule.Name) -ActionId $ActionId -LogicAppResourceId $LogicAppResourceId -TriggerUri $TriggerUri
+
+ #Get Alert Rule Action
+ $action = Get-AzSentinelAlertRuleAction -ResourceGroupName (Get-TestResourceGroupName) -WorkspaceName (Get-TestWorkspaceName) -AlertRuleId ($alertRule.Name) -ActionId ($action.Name)
+ # Validate
+ Validate-Action $action
+
+ #Cleanup
+ Remove-AzSentinelAlertRule -ResourceGroupName (Get-TestResourceGroupName) -WorkspaceName (Get-TestWorkspaceName) -AlertRuleId ($alertRule.Name)
+}
+
+<#
+.SYNOPSIS
+Create Action
+#>
+function New-AzSentinelAlertRuleAction-Create
+{
+ $AlertRuleId = "26501c9d-8f07-419d-8bcb-f9aac8ec1a7f"
+ $ActionId = "10d54e5f-8c03-42fc-b1d9-1bd881535af0"
+ $LogicAppResourceId = "/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.Logic/workflows/Block-AADUser"
+ $TriggerUri = "https://prod-13.westus.logic.azure.com:443/workflows/826a95b1b84c4ffbaf3af3dd88fe96b5/triggers/When_a_response_to_an_Azure_Sentinel_alert_is_triggered/paths/invoke?api-version=2018-07-01-preview&sp=%2Ftriggers%2FWhen_a_response_to_an_Azure_Sentinel_alert_is_triggered%2Frun&sv=1.0&sig=pK23xWl4uJT4RWs7zopxiP0Z7CpIfCDZEanL-mEyy1E"
+
+ #Create Alert Rule
+ $alertRule = New-AzSentinelAlertRule -ResourceGroupName (Get-TestResourceGroupName) -WorkspaceName (Get-TestWorkspaceName) -AlertRuleId $AlertRuleId -Scheduled -Enabled -DisplayName "PoshModuleTest" -Severity Low -Query "SecurityAlert | take 1" -QueryFrequency (New-TimeSpan -Hours 5) -QueryPeriod (New-TimeSpan -Hours 5) -TriggerThreshold 10
+ #Create Alert Rule Action
+ $action = New-AzSentinelAlertRuleAction -ResourceGroupName (Get-TestResourceGroupName) -WorkspaceName (Get-TestWorkspaceName) -AlertRuleId ($alertRule.Name) -ActionId $ActionId -LogicAppResourceId $LogicAppResourceId -TriggerUri $TriggerUri
+
+ #Validate
+ Validate-Action $action
+
+ #Cleanup
+ Remove-AzSentinelAlertRule -ResourceGroupName (Get-TestResourceGroupName) -WorkspaceName (Get-TestWorkspaceName) -AlertRuleId ($alertRule.Name)
+}
+
+<#
+.SYNOPSIS
+Update Action
+#>
+function Update-AzSentinelAlertRuleAction-Update
+{
+ $AlertRuleId = "1584e7a3-802c-435b-9178-5720a44be2f3"
+ $ActionId = "91c2ea2f-f40c-4bef-ab3b-43c09e4a9699"
+ $LogicAppResourceId = "/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.Logic/workflows/Block-AADUser"
+ $TriggerUri = "https://prod-13.westus.logic.azure.com:443/workflows/826a95b1b84c4ffbaf3af3dd88fe96b5/triggers/When_a_response_to_an_Azure_Sentinel_alert_is_triggered/paths/invoke?api-version=2018-07-01-preview&sp=%2Ftriggers%2FWhen_a_response_to_an_Azure_Sentinel_alert_is_triggered%2Frun&sv=1.0&sig=pK23xWl4uJT4RWs7zopxiP0Z7CpIfCDZEanL-mEyy1E"
+ $LogicAppResourceId2 = "/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.Logic/workflows/Get-MDATPInvestigationPackage"
+ $TriggerUri2 = "https://prod-16.westus.logic.azure.com:443/workflows/18c75599cf3742c998d14af0f89cf3b1/triggers/When_a_response_to_an_Azure_Sentinel_alert_is_triggered/paths/invoke?api-version=2018-07-01-preview&sp=%2Ftriggers%2FWhen_a_response_to_an_Azure_Sentinel_alert_is_triggered%2Frun&sv=1.0&sig=rREdJWoN3PNCmhqwMz0KRy8apQDt8DQbZZuvlm1l4Oo"
+
+ #Create Alert Rule
+ $alertRule = New-AzSentinelAlertRule -ResourceGroupName (Get-TestResourceGroupName) -WorkspaceName (Get-TestWorkspaceName) -AlertRuleId $AlertRuleId -Scheduled -Enabled -DisplayName "PoshModuleTest" -Severity Low -Query "SecurityAlert | take 1" -QueryFrequency (New-TimeSpan -Hours 5) -QueryPeriod (New-TimeSpan -Hours 5) -TriggerThreshold 10
+ #Create Alert Rule Action
+ $action = New-AzSentinelAlertRuleAction -ResourceGroupName (Get-TestResourceGroupName) -WorkspaceName (Get-TestWorkspaceName) -AlertRuleId ($alertRule.Name) -ActionId $ActionId -LogicAppResourceId $LogicAppResourceId -TriggerUri $TriggerUri
+
+ #update action
+ $action = Update-AzSentinelAlertRuleAction -ResourceGroupName (Get-TestResourceGroupName) -WorkspaceName (Get-TestWorkspaceName) -AlertRuleId ($alertRule.Name) -ActionId ($action.Name) -LogicAppResourceId $LogicAppResourceId2 -TriggerUri $TriggerUri2
+
+ # Validate
+ Validate-Action $action
+
+ #Cleanup
+ Remove-AzSentinelAlertRule -ResourceGroupName (Get-TestResourceGroupName) -WorkspaceName (Get-TestWorkspaceName) -AlertRuleId ($alertRule.Name)
+}
+
+<#
+.SYNOPSIS
+Delete Action
+#>
+function Remove-AzSentinelAlertRuleAction-Delete
+{
+ $AlertRuleId = "d1ae0250-f1d8-4cd2-9806-e2375dd7c4ae"
+ $ActionId = "4044b6d3-de80-4c37-81f2-46d96dfdd78b"
+ $LogicAppResourceId = "/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.Logic/workflows/Block-AADUser"
+ $TriggerUri = "https://prod-13.westus.logic.azure.com:443/workflows/826a95b1b84c4ffbaf3af3dd88fe96b5/triggers/When_a_response_to_an_Azure_Sentinel_alert_is_triggered/paths/invoke?api-version=2018-07-01-preview&sp=%2Ftriggers%2FWhen_a_response_to_an_Azure_Sentinel_alert_is_triggered%2Frun&sv=1.0&sig=pK23xWl4uJT4RWs7zopxiP0Z7CpIfCDZEanL-mEyy1E"
+
+ #Create Alert Rule
+ $alertRule = New-AzSentinelAlertRule -ResourceGroupName (Get-TestResourceGroupName) -WorkspaceName (Get-TestWorkspaceName) -AlertRuleId $AlertRuleId -Scheduled -Enabled -DisplayName "PoshModuleTest" -Severity Low -Query "SecurityAlert | take 1" -QueryFrequency (New-TimeSpan -Hours 5) -QueryPeriod (New-TimeSpan -Hours 5) -TriggerThreshold 10
+ #Create Alert Rule Action
+ $action = New-AzSentinelAlertRuleAction -ResourceGroupName (Get-TestResourceGroupName) -WorkspaceName (Get-TestWorkspaceName) -AlertRuleId ($alertRule.Name) -ActionId $ActionId -LogicAppResourceId $LogicAppResourceId -TriggerUri $TriggerUri
+ #delete
+ Remove-AzSentinelAlertRuleAction -ResourceGroupName (Get-TestResourceGroupName) -WorkspaceName (Get-TestWorkspaceName) -ActionId ($action.Name) -AlertRuleId ($alertRule.Name)
+ # Validate
+ Validate-Action $action
+
+ #Cleanup
+ Remove-AzSentinelAlertRule -ResourceGroupName (Get-TestResourceGroupName) -WorkspaceName (Get-TestWorkspaceName) -AlertRuleId ($alertRule.Name)
+}
+
+<#
+.SYNOPSIS
+Validates a list of actions
+#>
+function Validate-Actions
+{
+ param($actions)
+
+ Assert-True { $actions.Count -gt 0 }
+
+ Foreach($action in $actions)
+ {
+ Validate-Action $action
+ }
+}
+
+<#
+.SYNOPSIS
+Validates a single action
+#>
+function Validate-Action
+{
+ param($action)
+
+ Assert-NotNull $action
+}
\ No newline at end of file
diff --git a/src/SecurityInsights/SecurityInsights.Test/ScenarioTests/AlertRuleTemplatesTests.cs b/src/SecurityInsights/SecurityInsights.Test/ScenarioTests/AlertRuleTemplatesTests.cs
new file mode 100644
index 000000000000..8f82acd35807
--- /dev/null
+++ b/src/SecurityInsights/SecurityInsights.Test/ScenarioTests/AlertRuleTemplatesTests.cs
@@ -0,0 +1,47 @@
+// ----------------------------------------------------------------------------------
+//
+// Copyright Microsoft Corporation
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+// http://www.apache.org/licenses/LICENSE-2.0
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+// ----------------------------------------------------------------------------------
+
+using Microsoft.Azure.Commands.ScenarioTest;
+using Microsoft.Azure.ServiceManagement.Common.Models;
+using Microsoft.WindowsAzure.Commands.ScenarioTest;
+using Xunit;
+
+namespace Microsoft.Azure.Commands.SecurityInsights.Test.ScenarioTests
+{
+ public class AlertRuleTemplatesTests
+ {
+ private readonly XunitTracingInterceptor _logger;
+
+ public AlertRuleTemplatesTests(Xunit.Abstractions.ITestOutputHelper output)
+ {
+ _logger = new XunitTracingInterceptor(output);
+ XunitTracingInterceptor.AddToContext(_logger);
+ TestExecutionHelpers.SetUpSessionAndProfile();
+ }
+
+ [Fact]
+ [Trait(Category.AcceptanceType, Category.CheckIn)]
+ public void List()
+ {
+ TestController.NewInstance.RunPowerShellTest(_logger, "Get-AzSentinelAlertRuleTemplate-List");
+ }
+
+ [Fact]
+ [Trait(Category.AcceptanceType, Category.CheckIn)]
+ public void Get()
+ {
+ TestController.NewInstance.RunPowerShellTest(_logger, "Get-AzSentinelAlertRuleTemplate-Get");
+ }
+ }
+}
diff --git a/src/SecurityInsights/SecurityInsights.Test/ScenarioTests/AlertRuleTemplatesTests.ps1 b/src/SecurityInsights/SecurityInsights.Test/ScenarioTests/AlertRuleTemplatesTests.ps1
new file mode 100644
index 000000000000..8bafd8bdbd56
--- /dev/null
+++ b/src/SecurityInsights/SecurityInsights.Test/ScenarioTests/AlertRuleTemplatesTests.ps1
@@ -0,0 +1,68 @@
+# ----------------------------------------------------------------------------------
+#
+# Copyright Microsoft Corporation
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+# http://www.apache.org/licenses/LICENSE-2.0
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+# ----------------------------------------------------------------------------------
+
+<#
+.SYNOPSIS
+List Alert Rule Templates
+#>
+function Get-AzSentinelAlertRuleTemplate-List
+{
+ #Get Alert Rule Templates
+ $alertruletemplates = Get-AzSentinelAlertRuleTemplate -ResourceGroupName (Get-TestResourceGroupName) -WorkspaceName (Get-TestWorkspaceName)
+ # Validate
+ Validate-AlertRuleTemplates $alertruletemplates
+}
+
+
+<#
+.SYNOPSIS
+Get Alert Rule Template
+#>
+function Get-AzSentinelAlertRuleTemplate-Get
+{
+ #Get Alert Rule Templates
+ $alertruletemplates = Get-AzSentinelAlertRuleTemplate -ResourceGroupName (Get-TestResourceGroupName) -WorkspaceName (Get-TestWorkspaceName)
+
+ #Get Alert Rule Template
+ $alertrule = Get-AzSentinelAlertRuleTemplate -ResourceGroupName (Get-TestResourceGroupName) -WorkspaceName (Get-TestWorkspaceName) -AlertRuleTemplateId ($alertruletemplates[0].Name)
+ # Validate
+ Validate-AlertRuleTemplate $alertrule
+}
+
+<#
+.SYNOPSIS
+Validates a list of alert rule templates
+#>
+function Validate-AlertRuleTemplates
+{
+ param($alertruletemplates)
+
+ Assert-True { $alertruletemplates.Count -gt 0 }
+
+ Foreach($alertruletemplate in $alertruletemplates)
+ {
+ Validate-AlertRuleTemplate $alertruletemplate
+ }
+}
+
+<#
+.SYNOPSIS
+Validates a single alert rule template
+#>
+function Validate-AlertRuleTemplate
+{
+ param($alertruletemplate)
+
+ Assert-NotNull $alertruletemplate
+}
\ No newline at end of file
diff --git a/src/SecurityInsights/SecurityInsights.Test/ScenarioTests/AlertRulesTests.cs b/src/SecurityInsights/SecurityInsights.Test/ScenarioTests/AlertRulesTests.cs
new file mode 100644
index 000000000000..3bf3cd5214bf
--- /dev/null
+++ b/src/SecurityInsights/SecurityInsights.Test/ScenarioTests/AlertRulesTests.cs
@@ -0,0 +1,89 @@
+// ----------------------------------------------------------------------------------
+//
+// Copyright Microsoft Corporation
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+// http://www.apache.org/licenses/LICENSE-2.0
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+// ----------------------------------------------------------------------------------
+
+using Microsoft.Azure.Commands.ScenarioTest;
+using Microsoft.Azure.ServiceManagement.Common.Models;
+using Microsoft.WindowsAzure.Commands.ScenarioTest;
+using Xunit;
+
+namespace Microsoft.Azure.Commands.SecurityInsights.Test.ScenarioTests
+{
+ public class AlertRulesTests
+ {
+ private readonly XunitTracingInterceptor _logger;
+
+ public AlertRulesTests(Xunit.Abstractions.ITestOutputHelper output)
+ {
+ _logger = new XunitTracingInterceptor(output);
+ XunitTracingInterceptor.AddToContext(_logger);
+ TestExecutionHelpers.SetUpSessionAndProfile();
+ }
+
+ [Fact]
+ [Trait(Category.AcceptanceType, Category.CheckIn)]
+ public void ListAlertRules()
+ {
+ TestController.NewInstance.RunPowerShellTest(_logger, "Get-AzSentinelAlertRule-List");
+ }
+
+ [Fact]
+ [Trait(Category.AcceptanceType, Category.CheckIn)]
+ public void GetAction()
+ {
+ TestController.NewInstance.RunPowerShellTest(_logger, "Get-AzSentinelAlertRule-Get");
+ }
+
+ [Fact]
+ [Trait(Category.AcceptanceType, Category.CheckIn)]
+ public void CreateAlertRuleFusion()
+ {
+ TestController.NewInstance.RunPowerShellTest(_logger, "New-AzSentinelAlertRule-CreateFusion");
+ }
+
+ [Fact]
+ [Trait(Category.AcceptanceType, Category.CheckIn)]
+ public void CreateAlertRuleMSIC()
+ {
+ TestController.NewInstance.RunPowerShellTest(_logger, "New-AzSentinelAlertRule-CreateMSIC");
+ }
+
+ [Fact]
+ [Trait(Category.AcceptanceType, Category.CheckIn)]
+ public void CreateAlertRuleScheduled()
+ {
+ TestController.NewInstance.RunPowerShellTest(_logger, "New-AzSentinelAlertRule-CreateScheduled");
+ }
+
+ [Fact]
+ [Trait(Category.AcceptanceType, Category.CheckIn)]
+ public void UpdateAlertRule()
+ {
+ TestController.NewInstance.RunPowerShellTest(_logger, "Update-AzSentinelAlertRule-Update");
+ }
+
+ [Fact]
+ [Trait(Category.AcceptanceType, Category.CheckIn)]
+ public void InputObject()
+ {
+ TestController.NewInstance.RunPowerShellTest(_logger, "Update-AzSentinelAlertRule-InputObject");
+ }
+
+ [Fact]
+ [Trait(Category.AcceptanceType, Category.CheckIn)]
+ public void RemoveAlertRule()
+ {
+ TestController.NewInstance.RunPowerShellTest(_logger, "Remove-AzSentinelAlertRule-Delete");
+ }
+ }
+}
diff --git a/src/SecurityInsights/SecurityInsights.Test/ScenarioTests/AlertRulesTests.ps1 b/src/SecurityInsights/SecurityInsights.Test/ScenarioTests/AlertRulesTests.ps1
new file mode 100644
index 000000000000..7b7ff23ff03c
--- /dev/null
+++ b/src/SecurityInsights/SecurityInsights.Test/ScenarioTests/AlertRulesTests.ps1
@@ -0,0 +1,191 @@
+# ----------------------------------------------------------------------------------
+#
+# Copyright Microsoft Corporation
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+# http://www.apache.org/licenses/LICENSE-2.0
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+# ----------------------------------------------------------------------------------
+
+<#
+.SYNOPSIS
+List Alert Rules
+#>
+function Get-AzSentinelAlertRule-List
+{
+ $AlertRuleId = "3fefb3df-b5af-4bae-b3b9-2b32e7bb9fa9"
+ $AlertRuleId2 = "3a516217-ec98-4bbf-8d00-c6d7d60095ff"
+ #Create Alert Rule
+ $alertRule = New-AzSentinelAlertRule -ResourceGroupName (Get-TestResourceGroupName) -WorkspaceName (Get-TestWorkspaceName) -AlertRuleId $AlertRuleId -Scheduled -Enabled -DisplayName "PoshModuleTest" -Severity Low -Query "SecurityAlert | take 1" -QueryFrequency (New-TimeSpan -Hours 5) -QueryPeriod (New-TimeSpan -Hours 5) -TriggerThreshold 10
+ $alertRule2 = New-AzSentinelAlertRule -ResourceGroupName (Get-TestResourceGroupName) -WorkspaceName (Get-TestWorkspaceName) -AlertRuleId $AlertRuleId2 -Scheduled -Enabled -DisplayName "PoshModuleTest2" -Severity Low -Query "SecurityAlert | take 1" -QueryFrequency (New-TimeSpan -Hours 5) -QueryPeriod (New-TimeSpan -Hours 5) -TriggerThreshold 10
+
+ #Get Alert Rules
+ $alertrules = Get-AzSentinelAlertRule -ResourceGroupName (Get-TestResourceGroupName) -WorkspaceName (Get-TestWorkspaceName)
+ # Validate
+ Validate-AlertRules $alertrules
+
+ #Cleanup
+ Remove-AzSentinelAlertRule -ResourceGroupName (Get-TestResourceGroupName) -WorkspaceName (Get-TestWorkspaceName) -AlertRuleId ($alertRule.Name)
+ Remove-AzSentinelAlertRule -ResourceGroupName (Get-TestResourceGroupName) -WorkspaceName (Get-TestWorkspaceName) -AlertRuleId ($alertRule2.Name)
+}
+
+<#
+.SYNOPSIS
+Get Alert Rule
+#>
+function Get-AzSentinelAlertRule-Get
+{
+ $AlertRuleId = "4324441a-de38-42c2-83dd-bb93db929e7c"
+ #create Alert Rule
+ $alertRule = New-AzSentinelAlertRule -ResourceGroupName (Get-TestResourceGroupName) -WorkspaceName (Get-TestWorkspaceName) -AlertRuleId $AlertRuleId -Scheduled -Enabled -DisplayName "PoshModuleTest" -Severity Low -Query "SecurityAlert | take 1" -QueryFrequency (New-TimeSpan -Hours 5) -QueryPeriod (New-TimeSpan -Hours 5) -TriggerThreshold 10
+
+ #Get Alert Rule
+ $alertrule = Get-AzSentinelAlertRule -ResourceGroupName (Get-TestResourceGroupName) -WorkspaceName (Get-TestWorkspaceName) -AlertRuleId ($alertrule.Name)
+ # Validate
+ Validate-AlertRule $alertrule
+
+ #Cleanup
+ Remove-AzSentinelAlertRule -ResourceGroupName (Get-TestResourceGroupName) -WorkspaceName (Get-TestWorkspaceName) -AlertRuleId ($alertrule.Name)
+}
+
+<#
+.SYNOPSIS
+Create Fusion Alert Rule
+#>
+function New-AzSentinelAlertRule-CreateFusion
+{
+ $AlertRuleTemplateName = "f71aba3d-28fb-450b-b192-4e76a83015c8"
+ $AlertRuleId = "db5ded90-76a4-4c59-8581-1c8b7601b375"
+
+ #Create Alert Rule
+ $alertrule = New-AzSentinelAlertRule -ResourceGroupName (Get-TestResourceGroupName) -WorkspaceName (Get-TestWorkspaceName) -AlertRuleId $AlertRuleId -Fusion -Enabled -AlertRuleTemplateName $AlertRuleTemplateName
+
+ #Validate
+ Validate-AlertRule $alertrule
+
+ #Cleanup
+ Remove-AzSentinelAlertRule -ResourceGroupName (Get-TestResourceGroupName) -WorkspaceName (Get-TestWorkspaceName) -AlertRuleId ($alertrule.Name)
+}
+
+<#
+.SYNOPSIS
+Create Microsoft Incident Create Alert Rule
+#>
+function New-AzSentinelAlertRule-CreateMSIC
+{
+ $AlertRuleTemplateName = "a2e0eb51-1f11-461a-999b-cd0ebe5c7a72"
+ $AlertRuleId = "b3ccc517-c3ba-4134-abd1-43256d0d9f4e"
+
+ #Create Alert Rule
+ $alertRule = New-AzSentinelAlertRule -ResourceGroupName (Get-TestResourceGroupName) -WorkspaceName (Get-TestWorkspaceName) -AlertRuleId $AlertRuleId -MicrosoftSecurityIncidentCreation -Enabled -AlertRuleTemplateName $AlertRuleTemplateName -DisplayName "MSICposhTest" -ProductFilter "Azure Security Center for IoT"
+
+ # Validate
+ Validate-AlertRule $alertrule
+
+ #Cleanup
+ Remove-AzSentinelAlertRule -ResourceGroupName (Get-TestResourceGroupName) -WorkspaceName (Get-TestWorkspaceName) -AlertRuleId ($alertrule.Name)
+}
+
+<#
+.SYNOPSIS
+Create Scheduled Alert Rule
+#>
+function New-AzSentinelAlertRule-CreateScheduled
+{
+ $AlertRuleTemplateName = "a2e0eb51-1f11-461a-999b-cd0ebe5c7a72"
+ $AlertRuleId = "103818ba-9f48-41af-bf1b-101f797ab82e"
+
+ #Create Alert Rule
+ $alertrule = New-AzSentinelAlertRule -ResourceGroupName (Get-TestResourceGroupName) -WorkspaceName (Get-TestWorkspaceName) -AlertRuleId $AlertRuleId -Scheduled -Enabled -DisplayName "PoshModuleTest" -Severity Low -Query "SecurityAlert | take 1" -QueryFrequency (New-TimeSpan -Hours 5) -QueryPeriod (New-TimeSpan -Hours 5) -TriggerThreshold 10
+
+ # Validate
+ Validate-AlertRule $alertrule
+
+ #Cleanup
+ Remove-AzSentinelAlertRule -ResourceGroupName (Get-TestResourceGroupName) -WorkspaceName (Get-TestWorkspaceName) -AlertRuleId ($alertrule.Name)
+}
+
+<#
+.SYNOPSIS
+Update AlertRule
+#>
+function Update-AzSentinelAlertRule-Update
+{
+ $AlertRuleId = "51d3e29d-5e17-48f3-ab1f-68c0dcd010f4"
+ #Create Alert Rule
+ $alertrule = New-AzSentinelAlertRule -ResourceGroupName (Get-TestResourceGroupName) -WorkspaceName (Get-TestWorkspaceName) -AlertRuleId $AlertRuleId -Scheduled -Enabled -DisplayName "PoshModuleTest" -Severity Low -Query "SecurityAlert | take 1" -QueryFrequency (New-TimeSpan -Hours 5) -QueryPeriod (New-TimeSpan -Hours 5) -TriggerThreshold 10
+
+ #update alert rule
+ $alertrule = Update-AzSentinelAlertRule -ResourceGroupName (Get-TestResourceGroupName) -WorkspaceName (Get-TestWorkspaceName) -AlertRuleId ($alertrule.Name) -Disabled
+
+ # Validate
+ Validate-AlertRule $alertrule
+
+ #Cleanup
+ Remove-AzSentinelAlertRule -ResourceGroupName (Get-TestResourceGroupName) -WorkspaceName (Get-TestWorkspaceName) -AlertRuleId ($alertrule.Name)
+}
+
+function Update-AzSentinelAlertRule-InputObject
+{
+ $AlertRuleId = "4037076e-479a-4d18-93f9-bcdb72f0c856"
+ #Create Alert Rule
+ $alertrule = New-AzSentinelAlertRule -ResourceGroupName (Get-TestResourceGroupName) -WorkspaceName (Get-TestWorkspaceName) -AlertRuleId $AlertRuleId -Scheduled -Enabled -DisplayName "PoshModuleTest" -Severity Low -Query "SecurityAlert | take 1" -QueryFrequency (New-TimeSpan -Hours 5) -QueryPeriod (New-TimeSpan -Hours 5) -TriggerThreshold 10
+ #update alert rule
+ Update-AzSentinelAlertRule -InputObject $alertrule -Disabled
+ $alertrule = Get-AzSentinelAlertRule -ResourceGroupName (Get-TestResourceGroupName) -WorkspaceName (Get-TestWorkspaceName) -AlertRuleId ($alertrule.Name)
+
+ # Validate
+ Validate-AlertRule $alertrule
+
+ #Cleanup
+ Remove-AzSentinelAlertRule -ResourceGroupName (Get-TestResourceGroupName) -WorkspaceName (Get-TestWorkspaceName) -AlertRuleId ($alertrule.Name)
+}
+
+<#
+.SYNOPSIS
+Delete AlertRule
+#>
+function Remove-AzSentinelAlertRule-Delete
+{
+ $AlertRuleId = "c0a45694-5077-4fd0-a81c-95de70659378"
+ #Create Alert Rule
+ $alertrule = New-AzSentinelAlertRule -ResourceGroupName (Get-TestResourceGroupName) -WorkspaceName (Get-TestWorkspaceName) -AlertRuleId $AlertRuleId -Scheduled -Enabled -DisplayName "PoshModuleTest" -Severity Low -Query "SecurityAlert | take 1" -QueryFrequency (New-TimeSpan -Hours 5) -QueryPeriod (New-TimeSpan -Hours 5) -TriggerThreshold 10
+
+ #delete alert rule
+ Remove-AzSentinelAlertRule -ResourceGroupName (Get-TestResourceGroupName) -WorkspaceName (Get-TestWorkspaceName) -AlertRuleId ($alertrule.Name)
+
+ # Validate
+ Validate-AlertRule $alertrule
+}
+
+<#
+.SYNOPSIS
+Validates a list of alert rules
+#>
+function Validate-AlertRules
+{
+ param($alertrules)
+
+ Assert-True { $alertrules.Count -gt 0 }
+
+ Foreach($alertrule in $alertrules)
+ {
+ Validate-AlertRule $alertrule
+ }
+}
+
+<#
+.SYNOPSIS
+Validates a single alert rule
+#>
+function Validate-AlertRule
+{
+ param($alertrule)
+
+ Assert-NotNull $alertrule
+}
\ No newline at end of file
diff --git a/src/SecurityInsights/SecurityInsights.Test/ScenarioTests/BookmarksTests.cs b/src/SecurityInsights/SecurityInsights.Test/ScenarioTests/BookmarksTests.cs
new file mode 100644
index 000000000000..d18d1705fcda
--- /dev/null
+++ b/src/SecurityInsights/SecurityInsights.Test/ScenarioTests/BookmarksTests.cs
@@ -0,0 +1,75 @@
+// ----------------------------------------------------------------------------------
+//
+// Copyright Microsoft Corporation
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+// http://www.apache.org/licenses/LICENSE-2.0
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+// ----------------------------------------------------------------------------------
+
+using Microsoft.Azure.Commands.ScenarioTest;
+using Microsoft.Azure.ServiceManagement.Common.Models;
+using Microsoft.WindowsAzure.Commands.ScenarioTest;
+using Xunit;
+
+namespace Microsoft.Azure.Commands.SecurityInsights.Test.ScenarioTests
+{
+ public class BookmarksTests
+ {
+ private readonly XunitTracingInterceptor _logger;
+
+ public BookmarksTests(Xunit.Abstractions.ITestOutputHelper output)
+ {
+ _logger = new XunitTracingInterceptor(output);
+ XunitTracingInterceptor.AddToContext(_logger);
+ TestExecutionHelpers.SetUpSessionAndProfile();
+ }
+
+ [Fact]
+ [Trait(Category.AcceptanceType, Category.CheckIn)]
+ public void List()
+ {
+ TestController.NewInstance.RunPowerShellTest(_logger, "Get-AzSentinelBookmark-List");
+ }
+
+ [Fact]
+ [Trait(Category.AcceptanceType, Category.CheckIn)]
+ public void Get()
+ {
+ TestController.NewInstance.RunPowerShellTest(_logger, "Get-AzSentinelBookmark-Get");
+ }
+
+ [Fact]
+ [Trait(Category.AcceptanceType, Category.CheckIn)]
+ public void Create()
+ {
+ TestController.NewInstance.RunPowerShellTest(_logger, "New-AzSentinelBookmark-Create");
+ }
+
+ [Fact]
+ [Trait(Category.AcceptanceType, Category.CheckIn)]
+ public void Update()
+ {
+ TestController.NewInstance.RunPowerShellTest(_logger, "Update-AzSentinelBookmark-Update");
+ }
+
+ [Fact]
+ [Trait(Category.AcceptanceType, Category.CheckIn)]
+ public void InputObject()
+ {
+ TestController.NewInstance.RunPowerShellTest(_logger, "Update-AzSentinelBookmark-InputObject");
+ }
+
+ [Fact]
+ [Trait(Category.AcceptanceType, Category.CheckIn)]
+ public void Remove()
+ {
+ TestController.NewInstance.RunPowerShellTest(_logger, "Remove-AzSentinelBookmark-Remove");
+ }
+ }
+}
diff --git a/src/SecurityInsights/SecurityInsights.Test/ScenarioTests/BookmarksTests.ps1 b/src/SecurityInsights/SecurityInsights.Test/ScenarioTests/BookmarksTests.ps1
new file mode 100644
index 000000000000..a71ab96b01ee
--- /dev/null
+++ b/src/SecurityInsights/SecurityInsights.Test/ScenarioTests/BookmarksTests.ps1
@@ -0,0 +1,155 @@
+# ----------------------------------------------------------------------------------
+#
+# Copyright Microsoft Corporation
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+# http://www.apache.org/licenses/LICENSE-2.0
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+# ----------------------------------------------------------------------------------
+
+<#
+.SYNOPSIS
+List Bookmarks
+#>
+function Get-AzSentinelBookmark-List
+{
+ $BookmarkId = "a85e3b3b-c95e-4f8d-b5d6-0e9bcbd2e664"
+ $BookmarkId2 = "91c29052-8ec9-4395-ad6c-e5c6cf562eec"
+ #Create bookmark
+ $bookmark = New-AzSentinelBookmark -ResourceGroupName (Get-TestResourceGroupName) -WorkspaceName (Get-TestWorkspaceName) -BookmarkId $BookmarkId -DisplayName "PoshModuleTest" -Query "SecurityAlert | take 1"
+ #Create bookmark
+ $bookmark2 = New-AzSentinelBookmark -ResourceGroupName (Get-TestResourceGroupName) -WorkspaceName (Get-TestWorkspaceName) -BookmarkId $BookmarkId2 -DisplayName "PoshModuleTest2" -Query "SecurityAlert | take 1"
+
+ #Get Bookmarks
+ $bookmarks = Get-AzSentinelBookmark -ResourceGroupName (Get-TestResourceGroupName) -WorkspaceName (Get-TestWorkspaceName)
+ # Validate
+ Validate-Bookmarks $bookmarks
+
+ #Cleanup
+ Remove-AzSentinelBookmark -ResourceGroupName (Get-TestResourceGroupName) -WorkspaceName (Get-TestWorkspaceName) -BookmarkId ($bookmark.Name)
+ Remove-AzSentinelBookmark -ResourceGroupName (Get-TestResourceGroupName) -WorkspaceName (Get-TestWorkspaceName) -BookmarkId ($bookmark2.Name)
+}
+
+<#
+.SYNOPSIS
+Get Bookmark
+#>
+function Get-AzSentinelBookmark-Get
+{
+ $BookmarkId = "2032256f-9912-476d-805b-ea3f60243ac8"
+ #Create $bookmark
+ $bookmark = New-AzSentinelBookmark -ResourceGroupName (Get-TestResourceGroupName) -WorkspaceName (Get-TestWorkspaceName) -BookmarkId $BookmarkId -DisplayName "PoshModuleTest" -Query "SecurityAlert | take 1"
+
+ #Get Bookmark
+ $bookmark = Get-AzSentinelBookmark -ResourceGroupName (Get-TestResourceGroupName) -WorkspaceName (Get-TestWorkspaceName) -BookmarkId ($bookmark.Name)
+ # Validate
+ Validate-Bookmark $bookmark
+
+ #Cleanup
+ Remove-AzSentinelBookmark -ResourceGroupName (Get-TestResourceGroupName) -WorkspaceName (Get-TestWorkspaceName) -BookmarkId ($bookmark.Name)
+}
+
+<#
+.SYNOPSIS
+Create Bookmark
+#>
+function New-AzSentinelBookmark-Create
+{
+ $BookmarkId = "3a1bd654-9986-4fb9-8584-36f9aba00356"
+ #Create $bookmark
+ $bookmark = New-AzSentinelBookmark -ResourceGroupName (Get-TestResourceGroupName) -WorkspaceName (Get-TestWorkspaceName) -BookmarkId $BookmarkId -DisplayName "PoshModuleTest" -Query "SecurityAlert | take 1"
+
+ # Validate
+ Validate-Bookmark $bookmark
+
+ #Cleanup
+ Remove-AzSentinelBookmark -ResourceGroupName (Get-TestResourceGroupName) -WorkspaceName (Get-TestWorkspaceName) -BookmarkId ($bookmark.Name)
+}
+
+<#
+.SYNOPSIS
+Update Bookmark
+#>
+function Update-AzSentinelBookmark-Update
+{
+ $BookmarkId = "e1606ca5-cd05-42ba-ac77-cdf0da4b719f"
+ #Create $bookmark
+ $bookmark = New-AzSentinelBookmark -ResourceGroupName (Get-TestResourceGroupName) -WorkspaceName (Get-TestWorkspaceName) -BookmarkId $BookmarkId -DisplayName "PoshModuleTest" -Query "SecurityAlert | take 1"
+
+ #update $bookmark
+ $bookmark2 = Update-AzSentinelBookmark -ResourceGroupName (Get-TestResourceGroupName) -WorkspaceName (Get-TestWorkspaceName) -BookmarkId ($bookmark.Name) -Note "PoshModuleTest"
+
+ # Validate
+ Validate-Bookmark $bookmark
+
+ #Cleanup
+ Remove-AzSentinelBookmark -ResourceGroupName (Get-TestResourceGroupName) -WorkspaceName (Get-TestWorkspaceName) -BookmarkId ($bookmark.Name)
+
+
+ }
+
+ function Update-AzSentinelBookmark-InputObject
+{
+ $BookmarkId = "4324441a-de38-42c2-83dd-bb93db929e7c"
+ #Create $bookmark
+ $bookmark = New-AzSentinelBookmark -ResourceGroupName (Get-TestResourceGroupName) -WorkspaceName (Get-TestWorkspaceName) -BookmarkId $BookmarkId -DisplayName "PoshModuleTest" -Query "SecurityAlert | take 1"
+ #update $bookmark
+ $bookmark2 = Update-AzSentinelBookmark -Note "testnotes" -InputObject $bookmark
+
+ # Validate
+ Validate-Bookmark $bookmark2
+
+ #Cleanup
+ Remove-AzSentinelBookmark -ResourceGroupName (Get-TestResourceGroupName) -WorkspaceName (Get-TestWorkspaceName) -BookmarkId ($bookmark.Name)
+
+
+ }
+
+<#
+.SYNOPSIS
+Delete Bookmark
+#>
+function Remove-AzSentinelBookmark-Remove
+{
+ $BookmarkId = "a18251f2-1a0f-45f2-bb0d-ad4121911fce"
+ #Create $bookmark
+ $bookmark = New-AzSentinelBookmark -ResourceGroupName (Get-TestResourceGroupName) -WorkspaceName (Get-TestWorkspaceName) -BookmarkId $BookmarkId -DisplayName "PoshModuleTest" -Query "SecurityAlert | take 1"
+
+ #delete
+ Remove-AzSentinelBookmark -ResourceGroupName (Get-TestResourceGroupName) -WorkspaceName (Get-TestWorkspaceName) -BookmarkId ($bookmark.Name)
+ # Validate
+ Validate-Bookmark $bookmark
+
+}
+
+<#
+.SYNOPSIS
+Validates a list of bookmarks
+#>
+function Validate-Bookmarks
+{
+ param($bookmarks)
+
+ Assert-True { $bookmarks.Count -gt 0 }
+
+ Foreach($bookmark in $bookmarks)
+ {
+ Validate-Bookmark $bookmark
+ }
+}
+
+<#
+.SYNOPSIS
+Validates a single bookmark
+#>
+function Validate-Bookmark
+{
+ param($bookmark)
+
+ Assert-NotNull $bookmark
+}
\ No newline at end of file
diff --git a/src/SecurityInsights/SecurityInsights.Test/ScenarioTests/Common.ps1 b/src/SecurityInsights/SecurityInsights.Test/ScenarioTests/Common.ps1
new file mode 100644
index 000000000000..5c6bae82e240
--- /dev/null
+++ b/src/SecurityInsights/SecurityInsights.Test/ScenarioTests/Common.ps1
@@ -0,0 +1,54 @@
+# ----------------------------------------------------------------------------------
+#
+# Copyright Microsoft Corporation
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+# http://www.apache.org/licenses/LICENSE-2.0
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+# ----------------------------------------------------------------------------------
+
+<#
+.SYNOPSIS
+Gets test resource group name
+#>
+function Get-TestResourceGroupName
+{
+ "ndicola-azsposh"
+}
+
+function Get-TestWorkspaceName
+{
+ "azsposh"
+}
+
+
+<#
+.SYNOPSIS
+Gets test resource group name
+#>
+function Extract-ResourceLocation{
+param(
+ [string]$ResourceId
+)
+ $match = [Regex]::Match($ResourceId, "locations/(.*?)/")
+
+ return $match.Captures.Groups[1].Value
+}
+
+<#
+.SYNOPSIS
+Gets test resource group name
+#>
+function Extract-ResourceGroup{
+param(
+ [string]$ResourceId
+)
+ $match = [Regex]::Match($ResourceId, "resourceGroups/(.*?)/")
+
+ return $match.Captures.Groups[1].Value
+}
\ No newline at end of file
diff --git a/src/SecurityInsights/SecurityInsights.Test/ScenarioTests/DataConnectorsTests.cs b/src/SecurityInsights/SecurityInsights.Test/ScenarioTests/DataConnectorsTests.cs
new file mode 100644
index 000000000000..f2d6ecb2d2c6
--- /dev/null
+++ b/src/SecurityInsights/SecurityInsights.Test/ScenarioTests/DataConnectorsTests.cs
@@ -0,0 +1,75 @@
+// ----------------------------------------------------------------------------------
+//
+// Copyright Microsoft Corporation
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+// http://www.apache.org/licenses/LICENSE-2.0
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+// ----------------------------------------------------------------------------------
+
+using Microsoft.Azure.Commands.ScenarioTest;
+using Microsoft.Azure.ServiceManagement.Common.Models;
+using Microsoft.WindowsAzure.Commands.ScenarioTest;
+using Xunit;
+
+namespace Microsoft.Azure.Commands.SecurityInsights.Test.ScenarioTests
+{
+ public class DataConnectorsTests
+ {
+ private readonly XunitTracingInterceptor _logger;
+
+ public DataConnectorsTests(Xunit.Abstractions.ITestOutputHelper output)
+ {
+ _logger = new XunitTracingInterceptor(output);
+ XunitTracingInterceptor.AddToContext(_logger);
+ TestExecutionHelpers.SetUpSessionAndProfile();
+ }
+
+ [Fact]
+ [Trait(Category.AcceptanceType, Category.CheckIn)]
+ public void List()
+ {
+ TestController.NewInstance.RunPowerShellTest(_logger, "Get-AzSentinelDataConnector-List");
+ }
+
+ [Fact]
+ [Trait(Category.AcceptanceType, Category.CheckIn)]
+ public void Get()
+ {
+ TestController.NewInstance.RunPowerShellTest(_logger, "Get-AzSentinelDataConnector-Get");
+ }
+
+ [Fact]
+ [Trait(Category.AcceptanceType, Category.CheckIn)]
+ public void Create()
+ {
+ TestController.NewInstance.RunPowerShellTest(_logger, "New-AzSentinelDataConnector-Create");
+ }
+
+ [Fact]
+ [Trait(Category.AcceptanceType, Category.CheckIn)]
+ public void Update()
+ {
+ TestController.NewInstance.RunPowerShellTest(_logger, "Update-AzSentinelDataConnector-Update");
+ }
+
+ [Fact]
+ [Trait(Category.AcceptanceType, Category.CheckIn)]
+ public void InputObject()
+ {
+ TestController.NewInstance.RunPowerShellTest(_logger, "Update-AzSentinelDataConnector-InputObject");
+ }
+
+ [Fact]
+ [Trait(Category.AcceptanceType, Category.CheckIn)]
+ public void Delete()
+ {
+ TestController.NewInstance.RunPowerShellTest(_logger, "Remove-AzSentinelDataConnector-Delete");
+ }
+ }
+}
diff --git a/src/SecurityInsights/SecurityInsights.Test/ScenarioTests/DataConnectorsTests.ps1 b/src/SecurityInsights/SecurityInsights.Test/ScenarioTests/DataConnectorsTests.ps1
new file mode 100644
index 000000000000..a49378cd353c
--- /dev/null
+++ b/src/SecurityInsights/SecurityInsights.Test/ScenarioTests/DataConnectorsTests.ps1
@@ -0,0 +1,146 @@
+# ----------------------------------------------------------------------------------
+#
+# Copyright Microsoft Corporation
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+# http://www.apache.org/licenses/LICENSE-2.0
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+# ----------------------------------------------------------------------------------
+
+<#
+.SYNOPSIS
+List Data Connectors
+#>
+function Get-AzSentinelDataConnector-List
+{
+ $DataConnectorId = "934ce201-63c5-4911-9e04-50b348020378"
+ #Create Data Connector
+ $DataConnector = New-AzSentinelDataConnector -ResourceGroupName (Get-TestResourceGroupName) -WorkspaceName (Get-TestWorkspaceName) -DataConnectorId $DataConnectorId -AzureSecurityCenter -Alerts Enabled -SubscriptionId ((Get-AzContext).Subscription.Id)
+ #Get Data Connector
+ $DataConnectors = Get-AzSentinelDataConnector -ResourceGroupName (Get-TestResourceGroupName) -WorkspaceName (Get-TestWorkspaceName)
+ # Validate
+ Validate-DataConnectors $DataConnectors
+
+ Start-Sleep 15
+ #Cleanup
+ Remove-AzSentinelDataConnector -ResourceGroupName (Get-TestResourceGroupName) -WorkspaceName (Get-TestWorkspaceName) -DataConnectorId ($DataConnector.Name)
+}
+
+<#
+.SYNOPSIS
+Get Data Connector
+#>
+function Get-AzSentinelDataConnector-Get
+{
+ $DataConnectorId = "3da7055e-fcd4-4715-b2ab-72170ee57612"
+ #Create Data Connector
+ $DataConnector = New-AzSentinelDataConnector -ResourceGroupName (Get-TestResourceGroupName) -WorkspaceName (Get-TestWorkspaceName) -DataConnectorId $DataConnectorId -AzureSecurityCenter -Alerts Enabled -SubscriptionId ((Get-AzContext).Subscription.Id)
+
+ #Get Data Connector
+ $DataConnector = Get-AzSentinelDataConnector -ResourceGroupName (Get-TestResourceGroupName) -WorkspaceName (Get-TestWorkspaceName) -DataConnectorId ($DataConnector.Name)
+ # Validate
+ Validate-DataConnector $DataConnector
+
+ #Cleanup
+ Remove-AzSentinelDataConnector -ResourceGroupName (Get-TestResourceGroupName) -WorkspaceName (Get-TestWorkspaceName) -DataConnectorId ($DataConnector.Name)
+}
+
+<#
+.SYNOPSIS
+Create Data Connector
+#>
+function New-AzSentinelDataConnector-Create
+{
+ $DataConnectorId = "cd2f31a6-98db-4834-8696-36a184436387"
+ #Create Data Connector
+ $DataConnector = New-AzSentinelDataConnector -ResourceGroupName (Get-TestResourceGroupName) -WorkspaceName (Get-TestWorkspaceName) -DataConnectorId $DataConnectorId -AzureSecurityCenter -Alerts Enabled -SubscriptionId ((Get-AzContext).Subscription.Id)
+
+ # Validate
+ Validate-DataConnector $DataConnector
+
+ #Cleanup
+ Remove-AzSentinelDataConnector -ResourceGroupName (Get-TestResourceGroupName) -WorkspaceName (Get-TestWorkspaceName) -DataConnectorId ($DataConnector.Name)
+}
+
+<#
+.SYNOPSIS
+Update DataConnector
+#>
+function Update-AzSentinelDataConnector-Update
+{
+ $DataConnectorId = "f3abb0bf-9f8b-4f03-8865-8e71e2889ba2"
+ #Create Data Connector
+ $DataConnector = New-AzSentinelDataConnector -ResourceGroupName (Get-TestResourceGroupName) -WorkspaceName (Get-TestWorkspaceName) -DataConnectorId $DataConnectorId -AzureSecurityCenter -Alerts Enabled -SubscriptionId ((Get-AzContext).Subscription.Id)
+
+ #Update Data Connector
+ $DataConnector2 = Update-AzSentinelDataConnector -ResourceGroupName (Get-TestResourceGroupName) -WorkspaceName (Get-TestWorkspaceName) -DataConnectorId ($DataConnector.Name) -Alerts Disabled
+ # Validate
+ Validate-DataConnector $DataConnector2
+
+ #Cleanup
+ Remove-AzSentinelDataConnector -ResourceGroupName (Get-TestResourceGroupName) -WorkspaceName (Get-TestWorkspaceName) -DataConnectorId ($DataConnector.Name)
+}
+
+function Update-AzSentinelDataConnector-InputObject
+{
+ $DataConnectorId = "44c3bfc6-5361-41af-a50d-65232c3f9b13"
+ #Create Data Connector
+ $DataConnector = New-AzSentinelDataConnector -ResourceGroupName (Get-TestResourceGroupName) -WorkspaceName (Get-TestWorkspaceName) -DataConnectorId $DataConnectorId -AzureSecurityCenter -Alerts Enabled -SubscriptionId ((Get-AzContext).Subscription.Id)
+ #Update Data Connector
+ $DataConnector2 = $DataConnector | Update-AzSentinelDataConnector -Alerts Disabled
+ # Validate
+ Validate-DataConnector $DataConnector2
+
+ #Cleanup
+ Remove-AzSentinelDataConnector -ResourceGroupName (Get-TestResourceGroupName) -WorkspaceName (Get-TestWorkspaceName) -DataConnectorId ($DataConnector.Name)
+}
+
+<#
+.SYNOPSIS
+Delete Data Connector
+#>
+function Remove-AzSentinelDataConnector-Delete
+{
+ $DataConnectorId = "f2bc6c20-6785-4b98-8dd3-26767b7de5b4"
+ #Create Data Connector
+ $DataConnector = New-AzSentinelDataConnector -ResourceGroupName (Get-TestResourceGroupName) -WorkspaceName (Get-TestWorkspaceName) -DataConnectorId $DataConnectorId -AzureSecurityCenter -Alerts Enabled -SubscriptionId ((Get-AzContext).Subscription.Id)
+
+ #Update Data Connector
+ Remove-AzSentinelDataConnector -ResourceGroupName (Get-TestResourceGroupName) -WorkspaceName (Get-TestWorkspaceName) -DataConnectorId ($DataConnector.Name)
+
+ # Validate
+ Validate-DataConnector $DataConnector
+
+}
+
+<#
+.SYNOPSIS
+Validates a list of data connectors
+#>
+function Validate-DataConnectors
+{
+ param($DataConnectors)
+
+ Assert-True { $DataConnectors.Count -gt 0 }
+
+ Foreach($DataConnector in $DataConnectors)
+ {
+ Validate-DataConnector $DataConnector
+ }
+}
+
+<#
+.SYNOPSIS
+Validates a single data connector
+#>
+function Validate-DataConnector
+{
+ param($DataConnector)
+
+ Assert-NotNull $DataConnector
+}
\ No newline at end of file
diff --git a/src/SecurityInsights/SecurityInsights.Test/ScenarioTests/IncidentCommentsTests.cs b/src/SecurityInsights/SecurityInsights.Test/ScenarioTests/IncidentCommentsTests.cs
new file mode 100644
index 000000000000..9750c1515693
--- /dev/null
+++ b/src/SecurityInsights/SecurityInsights.Test/ScenarioTests/IncidentCommentsTests.cs
@@ -0,0 +1,54 @@
+// ----------------------------------------------------------------------------------
+//
+// Copyright Microsoft Corporation
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+// http://www.apache.org/licenses/LICENSE-2.0
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+// ----------------------------------------------------------------------------------
+
+using Microsoft.Azure.Commands.ScenarioTest;
+using Microsoft.Azure.ServiceManagement.Common.Models;
+using Microsoft.WindowsAzure.Commands.ScenarioTest;
+using Xunit;
+
+namespace Microsoft.Azure.Commands.SecurityInsights.Test.ScenarioTests
+{
+ public class IncidentCommentsTests
+ {
+ private readonly XunitTracingInterceptor _logger;
+
+ public IncidentCommentsTests(Xunit.Abstractions.ITestOutputHelper output)
+ {
+ _logger = new XunitTracingInterceptor(output);
+ XunitTracingInterceptor.AddToContext(_logger);
+ TestExecutionHelpers.SetUpSessionAndProfile();
+ }
+
+ [Fact]
+ [Trait(Category.AcceptanceType, Category.CheckIn)]
+ public void List()
+ {
+ TestController.NewInstance.RunPowerShellTest(_logger, "Get-AzSentinelIncidentComment-ListByIncident");
+ }
+
+ [Fact]
+ [Trait(Category.AcceptanceType, Category.CheckIn)]
+ public void Get()
+ {
+ TestController.NewInstance.RunPowerShellTest(_logger, "Get-AzSentinelIncidentComment-Get");
+ }
+
+ [Fact]
+ [Trait(Category.AcceptanceType, Category.CheckIn)]
+ public void Create()
+ {
+ TestController.NewInstance.RunPowerShellTest(_logger, "New-AzSentinelIncidentComment-Create");
+ }
+ }
+}
diff --git a/src/SecurityInsights/SecurityInsights.Test/ScenarioTests/IncidentCommentsTests.ps1 b/src/SecurityInsights/SecurityInsights.Test/ScenarioTests/IncidentCommentsTests.ps1
new file mode 100644
index 000000000000..dde8213980a0
--- /dev/null
+++ b/src/SecurityInsights/SecurityInsights.Test/ScenarioTests/IncidentCommentsTests.ps1
@@ -0,0 +1,109 @@
+# ----------------------------------------------------------------------------------
+#
+# Copyright Microsoft Corporation
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+# http://www.apache.org/licenses/LICENSE-2.0
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+# ----------------------------------------------------------------------------------
+
+<#
+.SYNOPSIS
+List IncidentComment Comments by Incident
+#>
+function Get-AzSentinelIncidentComment-ListbyIncident
+{
+ $IncidentId = "9d9782b4-8896-414b-b22a-68618548ba5b"
+ $IncidentCommentId = "9d639724-938d-4551-b7d6-ab89c9d8b7df"
+ $IncidentCommentId2 = "1dc74bd0-7b2b-4ff6-b4b8-d809193c36c1"
+ #Create Incident
+ $Incident = New-AzSentinelIncident -ResourceGroupName (Get-TestResourceGroupName) -WorkspaceName (Get-TestWorkspaceName) -IncidentId $IncidentId -Title "PoshModuleTest" -Severity Low -Status New
+ #Create IncidentComment Comment
+ $IncidentCommentComment = New-AzSentinelIncidentComment -ResourceGroupName (Get-TestResourceGroupName) -WorkspaceName (Get-TestWorkspaceName) -IncidentId ($Incident.Name) -IncidentCommentId $IncidentCommentId -Message "PoshModuleTest"
+ $IncidentCommentComment2 = New-AzSentinelIncidentComment -ResourceGroupName (Get-TestResourceGroupName) -WorkspaceName (Get-TestWorkspaceName) -IncidentId ($Incident.Name) -IncidentCommentId $IncidentCommentId2 -Message "PoshModuleTest2"
+
+ #Get Incident Commments
+ $IncidentComments = Get-AzSentinelIncidentComment -ResourceGroupName (Get-TestResourceGroupName) -WorkspaceName (Get-TestWorkspaceName) -IncidentId ($Incident.Name)
+ # Validate
+ Validate-IncidentComments $IncidentComments
+
+ #Cleanup
+ Remove-AzSentinelIncident -ResourceGroupName (Get-TestResourceGroupName) -WorkspaceName (Get-TestWorkspaceName) -IncidentId ($Incident.Name)
+
+}
+
+<#
+.SYNOPSIS
+Get Incident Comment
+#>
+function Get-AzSentinelIncidentComment-Get
+{
+ $IncidentId = "85f5ceeb-e5ae-47e5-991f-cbcbb080644c"
+ $IncidentCommentId = "5fb3ef3e-cdf9-4699-ae87-4da1af12a9a7"
+ #Create Incident
+ $Incident = New-AzSentinelIncident -ResourceGroupName (Get-TestResourceGroupName) -WorkspaceName (Get-TestWorkspaceName) -IncidentId $IncidentId -Title "PoshModuleTest" -Severity Low -Status New
+
+ #Create IncidentComment
+ $IncidentComment = New-AzSentinelIncidentComment -ResourceGroupName (Get-TestResourceGroupName) -WorkspaceName (Get-TestWorkspaceName) -IncidentId ($Incident.Name) -IncidentCommentId $IncidentCommentId -Message "PoshModuleTest"
+
+ #Get IncidentComment
+ $IncidentComment = Get-AzSentinelIncidentComment -ResourceGroupName (Get-TestResourceGroupName) -WorkspaceName (Get-TestWorkspaceName) -IncidentId ($Incident.Name) -IncidentCommentId ($IncidentComment.Name)
+ # Validate
+ Validate-IncidentComment $IncidentComment
+
+ #Cleanup
+ Remove-AzSentinelIncident -ResourceGroupName (Get-TestResourceGroupName) -WorkspaceName (Get-TestWorkspaceName) -IncidentId ($Incident.Name)
+}
+
+<#
+.SYNOPSIS
+Create Incident Comment
+#>
+function New-AzSentinelIncidentComment-Create
+{
+ $IncidentId = "055ddb69-f086-4765-89f2-dafe0b9c8e74"
+ $IncidentCommentId = "3d67df3d-2b58-430b-9eb4-da652bf59c4a"
+ #Create Incident
+ $Incident = New-AzSentinelIncident -ResourceGroupName (Get-TestResourceGroupName) -WorkspaceName (Get-TestWorkspaceName) -IncidentId $IncidentId -Title "PoshModuleTest" -Severity Low -Status New
+
+ #Create IncidentComment
+ $IncidentComment = New-AzSentinelIncidentComment -ResourceGroupName (Get-TestResourceGroupName) -WorkspaceName (Get-TestWorkspaceName) -IncidentId ($Incident.Name) -IncidentCommentId $IncidentCommentId -Message "PoshModuleTest"
+
+ # Validate
+ Validate-IncidentComment $IncidentComment
+
+ #Cleanup
+ Remove-AzSentinelIncident -ResourceGroupName (Get-TestResourceGroupName) -WorkspaceName (Get-TestWorkspaceName) -IncidentId ($Incident.Name)
+}
+
+<#
+.SYNOPSIS
+Validates a list of IncidentComments
+#>
+function Validate-IncidentComments
+{
+ param($IncidentComments)
+
+ Assert-True { $IncidentComments.Count -gt 0 }
+
+ Foreach($IncidentComment in $IncidentComments)
+ {
+ Validate-IncidentComment $IncidentComment
+ }
+}
+
+<#
+.SYNOPSIS
+Validates a single IncidentComment
+#>
+function Validate-IncidentComment
+{
+ param($IncidentComment)
+
+ Assert-NotNull $IncidentComment
+}
\ No newline at end of file
diff --git a/src/SecurityInsights/SecurityInsights.Test/ScenarioTests/IncidentsTests.cs b/src/SecurityInsights/SecurityInsights.Test/ScenarioTests/IncidentsTests.cs
new file mode 100644
index 000000000000..65a51efe42dc
--- /dev/null
+++ b/src/SecurityInsights/SecurityInsights.Test/ScenarioTests/IncidentsTests.cs
@@ -0,0 +1,75 @@
+// ----------------------------------------------------------------------------------
+//
+// Copyright Microsoft Corporation
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+// http://www.apache.org/licenses/LICENSE-2.0
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+// ----------------------------------------------------------------------------------
+
+using Microsoft.Azure.Commands.ScenarioTest;
+using Microsoft.Azure.ServiceManagement.Common.Models;
+using Microsoft.WindowsAzure.Commands.ScenarioTest;
+using Xunit;
+
+namespace Microsoft.Azure.Commands.SecurityInsights.Test.ScenarioTests
+{
+ public class IncidentsTests
+ {
+ private readonly XunitTracingInterceptor _logger;
+
+ public IncidentsTests(Xunit.Abstractions.ITestOutputHelper output)
+ {
+ _logger = new XunitTracingInterceptor(output);
+ XunitTracingInterceptor.AddToContext(_logger);
+ TestExecutionHelpers.SetUpSessionAndProfile();
+ }
+
+ [Fact]
+ [Trait(Category.AcceptanceType, Category.CheckIn)]
+ public void List()
+ {
+ TestController.NewInstance.RunPowerShellTest(_logger, "Get-AzSentinelIncident-List");
+ }
+
+ [Fact]
+ [Trait(Category.AcceptanceType, Category.CheckIn)]
+ public void Get()
+ {
+ TestController.NewInstance.RunPowerShellTest(_logger, "Get-AzSentinelIncident-Get");
+ }
+
+ [Fact]
+ [Trait(Category.AcceptanceType, Category.CheckIn)]
+ public void Create()
+ {
+ TestController.NewInstance.RunPowerShellTest(_logger, "New-AzSentinelIncident-Create");
+ }
+
+ [Fact]
+ [Trait(Category.AcceptanceType, Category.CheckIn)]
+ public void Update()
+ {
+ TestController.NewInstance.RunPowerShellTest(_logger, "Update-AzSentinelIncident-Update");
+ }
+
+ [Fact]
+ [Trait(Category.AcceptanceType, Category.CheckIn)]
+ public void InputObject()
+ {
+ TestController.NewInstance.RunPowerShellTest(_logger, "Update-AzSentinelIncident-InputObject");
+ }
+
+ [Fact]
+ [Trait(Category.AcceptanceType, Category.CheckIn)]
+ public void Remove()
+ {
+ TestController.NewInstance.RunPowerShellTest(_logger, "Remove-AzSentinelIncident-Delete");
+ }
+ }
+}
diff --git a/src/SecurityInsights/SecurityInsights.Test/ScenarioTests/IncidentsTests.ps1 b/src/SecurityInsights/SecurityInsights.Test/ScenarioTests/IncidentsTests.ps1
new file mode 100644
index 000000000000..03e86d7dbca3
--- /dev/null
+++ b/src/SecurityInsights/SecurityInsights.Test/ScenarioTests/IncidentsTests.ps1
@@ -0,0 +1,157 @@
+# ----------------------------------------------------------------------------------
+#
+# Copyright Microsoft Corporation
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+# http://www.apache.org/licenses/LICENSE-2.0
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+# ----------------------------------------------------------------------------------
+
+<#
+.SYNOPSIS
+List Incidents
+#>
+function Get-AzSentinelIncident-List
+{
+ $IncidentId = "9948fe0a-433c-4230-ab18-41ba430d68bc"
+ $IncidentId2 = "93a8577f-b4e6-4225-9240-57bd52238502"
+ #Create Incident
+ $Incident = New-AzSentinelIncident -ResourceGroupName (Get-TestResourceGroupName) -WorkspaceName (Get-TestWorkspaceName) -IncidentId $IncidentId -Title "PoshModuleTest" -Severity Low -Status New
+ #Create Incident
+ $Incident2 = New-AzSentinelIncident -ResourceGroupName (Get-TestResourceGroupName) -WorkspaceName (Get-TestWorkspaceName) -IncidentId $IncidentId2 -Title "PoshModuleTest2" -Severity Low -Status New
+
+ #Get Incidents
+ $Incidents = Get-AzSentinelIncident -ResourceGroupName (Get-TestResourceGroupName) -WorkspaceName (Get-TestWorkspaceName)
+ # Validate
+ Validate-Incidents $Incidents
+
+ #Cleanup
+ Remove-AzSentinelIncident -ResourceGroupName (Get-TestResourceGroupName) -WorkspaceName (Get-TestWorkspaceName) -IncidentId ($Incident.Name)
+ Remove-AzSentinelIncident -ResourceGroupName (Get-TestResourceGroupName) -WorkspaceName (Get-TestWorkspaceName) -IncidentId ($Incident2.Name)
+}
+
+<#
+.SYNOPSIS
+Get Incident
+#>
+function Get-AzSentinelIncident-Get
+{
+ $IncidentId = "a45dd647-301b-427b-ac4c-6455f65d3081"
+ #Create $Incident
+ $Incident = New-AzSentinelIncident -ResourceGroupName (Get-TestResourceGroupName) -WorkspaceName (Get-TestWorkspaceName) -IncidentId $IncidentId -Title "PoshModuleTest" -Severity Low -Status New
+
+ #Get Incident
+ $Incident = Get-AzSentinelIncident -ResourceGroupName (Get-TestResourceGroupName) -WorkspaceName (Get-TestWorkspaceName) -IncidentId ($Incident.Name)
+ # Validate
+ Validate-Incident $Incident
+
+ #Cleanup
+ Remove-AzSentinelIncident -ResourceGroupName (Get-TestResourceGroupName) -WorkspaceName (Get-TestWorkspaceName) -IncidentId ($Incident.Name)
+}
+
+<#
+.SYNOPSIS
+Create Incident
+#>
+function New-AzSentinelIncident-Create
+{
+ $IncidentId = "1877f91c-570c-46aa-8a2e-b2c6c3fd4a37"
+ #Create $Incident
+ $Incident = New-AzSentinelIncident -ResourceGroupName (Get-TestResourceGroupName) -WorkspaceName (Get-TestWorkspaceName) -IncidentId $IncidentId -Title "PoshModuleTest" -Severity Low -Status New
+
+ # Validate
+ Validate-Incident $Incident
+
+ #Cleanup
+ Remove-AzSentinelIncident -ResourceGroupName (Get-TestResourceGroupName) -WorkspaceName (Get-TestWorkspaceName) -IncidentId ($Incident.Name)
+}
+
+<#
+.SYNOPSIS
+Update Incident
+#>
+function Update-AzSentinelIncident-Update
+{
+ $IncidentId = "4c3f56e0-c40c-4c03-af08-a40f6be36715"
+ #Create $Incident
+ $Incident = New-AzSentinelIncident -ResourceGroupName (Get-TestResourceGroupName) -WorkspaceName (Get-TestWorkspaceName) -IncidentId $IncidentId -Title "PoshModuleTest" -Severity Low -Status New
+
+ #update $Incident
+ $Incident = Update-AzSentinelIncident -ResourceGroupName (Get-TestResourceGroupName) -WorkspaceName (Get-TestWorkspaceName) -IncidentId ($Incident.Name) -Status Closed -Classification FalsePositive -ClassificationReason InaccurateData
+
+ # Validate
+ Validate-Incident $Incident
+
+ #Cleanup
+ Remove-AzSentinelIncident -ResourceGroupName (Get-TestResourceGroupName) -WorkspaceName (Get-TestWorkspaceName) -IncidentId ($Incident.Name)
+
+
+ }
+
+ function Update-AzSentinelIncident-InputObject
+{
+ $IncidentId = "1624cb38-732b-4775-9aef-6206344b3b92"
+ #Create $Incident
+ $Incident = New-AzSentinelIncident -ResourceGroupName (Get-TestResourceGroupName) -WorkspaceName (Get-TestWorkspaceName) -IncidentId $IncidentId -Title "PoshModuleTest" -Severity Low -Status New
+ #update $Incident
+ $Incident2 = Update-AzSentinelIncident -Severity Medium -InputObject $Incident
+
+ # Validate
+ Validate-Incident $Incident2
+
+ #Cleanup
+ Remove-AzSentinelIncident -ResourceGroupName (Get-TestResourceGroupName) -WorkspaceName (Get-TestWorkspaceName) -IncidentId ($Incident.Name)
+
+
+ }
+
+<#
+.SYNOPSIS
+Delete Incident
+#>
+function Remove-AzSentinelIncident-Delete
+{
+ $IncidentId = "a91c3054-ced5-4e5b-90ba-ef3d031a34e2"
+ #Create $Incident
+ $Incident = New-AzSentinelIncident -ResourceGroupName (Get-TestResourceGroupName) -WorkspaceName (Get-TestWorkspaceName) -IncidentId $IncidentId -Title "PoshModuleTest" -Severity Low -Status New
+
+ #delete
+ Remove-AzSentinelIncident -ResourceGroupName (Get-TestResourceGroupName) -WorkspaceName (Get-TestWorkspaceName) -IncidentId ($Incident.Name)
+ # Validate
+ Validate-Incident $Incident
+
+ #Cleanup
+ Remove-AzSentinelIncident -ResourceGroupName (Get-TestResourceGroupName) -WorkspaceName (Get-TestWorkspaceName) -IncidentId ($Incident.Name)
+}
+
+<#
+.SYNOPSIS
+Validates a list of Incidents
+#>
+function Validate-Incidents
+{
+ param($Incidents)
+
+ Assert-True { $Incidents.Count -gt 0 }
+
+ Foreach($Incident in $Incidents)
+ {
+ Validate-Incident $Incident
+ }
+}
+
+<#
+.SYNOPSIS
+Validates a single Incident
+#>
+function Validate-Incident
+{
+ param($Incident)
+
+ Assert-NotNull $Incident
+}
\ No newline at end of file
diff --git a/src/SecurityInsights/SecurityInsights.Test/ScenarioTests/TestController.cs b/src/SecurityInsights/SecurityInsights.Test/ScenarioTests/TestController.cs
new file mode 100644
index 000000000000..20d001a7e242
--- /dev/null
+++ b/src/SecurityInsights/SecurityInsights.Test/ScenarioTests/TestController.cs
@@ -0,0 +1,136 @@
+// ----------------------------------------------------------------------------------
+//
+// Copyright Microsoft Corporation
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+// http://www.apache.org/licenses/LICENSE-2.0
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+// ----------------------------------------------------------------------------------
+
+using System;
+using System.Collections.Generic;
+using System.Diagnostics;
+using System.IO;
+using System.Linq;
+using Microsoft.Azure.Commands.Common.Authentication;
+using Microsoft.Azure.Management.SecurityInsights;
+using Microsoft.Azure.Management.Storage.Version2017_10_01;
+using Microsoft.Azure.Test.HttpRecorder;
+using Microsoft.Rest.ClientRuntime.Azure.TestFramework;
+using Microsoft.WindowsAzure.Commands.ScenarioTest;
+using Microsoft.WindowsAzure.Commands.Test.Utilities.Common;
+using TestEnvironmentFactory = Microsoft.Rest.ClientRuntime.Azure.TestFramework.TestEnvironmentFactory;
+using Microsoft.Azure.Management.Internal.Resources;
+using Microsoft.Azure.Commands.TestFx;
+
+namespace Microsoft.Azure.Commands.SecurityInsights.Test.ScenarioTests
+{
+ ///
+ /// Setup for Scenario Tests
+ ///
+ public class TestController : RMTestBase
+ {
+ private readonly EnvironmentSetupHelper _helper;
+
+ public ResourceManagementClient ResourceManagementClient { get; private set; }
+
+ public SecurityInsightsClient SecurityInsightsClient { get; private set; }
+
+ public StorageManagementClient StorageManagementClient { get; private set; }
+
+ public static TestController NewInstance => new TestController();
+
+ protected TestController()
+ {
+ _helper = new EnvironmentSetupHelper();
+ }
+
+ protected void SetupManagementClients(MockContext context)
+ {
+ ResourceManagementClient = context.GetServiceClient(TestEnvironmentFactory.GetTestEnvironment());
+ SecurityInsightsClient = context.GetServiceClient(TestEnvironmentFactory.GetTestEnvironment());
+ StorageManagementClient = context.GetServiceClient(TestEnvironmentFactory.GetTestEnvironment());
+
+ _helper.SetupManagementClients(
+ ResourceManagementClient,
+ StorageManagementClient,
+ SecurityInsightsClient);
+ }
+
+ ///
+ /// Methods for invoking PowerShell scripts
+ ///
+ ///
+ ///
+ public void RunPowerShellTest(ServiceManagement.Common.Models.XunitTracingInterceptor logger, params string[] scripts)
+ {
+ var sf = new StackTrace().GetFrame(1);
+ var callingClassType = sf.GetMethod().ReflectedType?.ToString();
+ var mockName = sf.GetMethod().Name;
+
+ _helper.TracingInterceptor = logger;
+ RunPsTestWorkflow(
+ () => scripts,
+ // no custom cleanup
+ null,
+ callingClassType,
+ mockName);
+ }
+
+ private void RunPsTestWorkflow(
+ Func scriptBuilder,
+ Action cleanup,
+ string callingClassType,
+ string mockName)
+ {
+
+ var d = new Dictionary
+ {
+ {"Microsoft.Resources", null},
+ {"Microsoft.Features", null},
+ {"Microsoft.Authorization", null},
+ {"Microsoft.Compute", null}
+ };
+ var providersToIgnore = new Dictionary
+ {
+ {"Microsoft.Azure.Management.Resources.ResourceManagementClient", "2016-02-01"}
+ };
+ HttpMockServer.Matcher = new PermissiveRecordMatcherWithApiExclusion(true, d, providersToIgnore);
+
+ HttpMockServer.RecordsDirectory = Path.Combine(AppDomain.CurrentDomain.BaseDirectory, "SessionRecords");
+
+ using (var context = MockContext.Start(callingClassType, mockName))
+ {
+ SetupManagementClients(context);
+
+ _helper.SetupEnvironment(AzureModule.AzureResourceManager);
+
+ var callingClassName = callingClassType.Split(new[] { "." }, StringSplitOptions.RemoveEmptyEntries).Last();
+ _helper.SetupModules(AzureModule.AzureResourceManager,
+ "ScenarioTests\\Common.ps1",
+ "ScenarioTests\\" + callingClassName + ".ps1",
+ _helper.RMProfileModule,
+ _helper.GetRMModulePath("AzureRM.SecurityInsights.psd1"),
+ "AzureRM.Resources.ps1",
+ "AzureRM.Storage.ps1");
+ try
+ {
+ var psScripts = scriptBuilder?.Invoke();
+ if (psScripts != null)
+ {
+ _helper.RunPowerShellTest(psScripts);
+ }
+ }
+ finally
+ {
+ cleanup?.Invoke();
+ }
+ }
+ }
+ }
+}
\ No newline at end of file
diff --git a/src/SecurityInsights/SecurityInsights.Test/SecurityInsights.Test.csproj b/src/SecurityInsights/SecurityInsights.Test/SecurityInsights.Test.csproj
new file mode 100644
index 000000000000..9151c1b76982
--- /dev/null
+++ b/src/SecurityInsights/SecurityInsights.Test/SecurityInsights.Test.csproj
@@ -0,0 +1,29 @@
+
+
+
+ SecurityInsights
+
+
+
+
+
+ $(LegacyAssemblyPrefix)$(PsModuleName)$(AzTestAssemblySuffix)
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ PreserveNewest
+
+
+
+
\ No newline at end of file
diff --git a/src/SecurityInsights/SecurityInsights.Test/SessionRecords/Microsoft.Azure.Commands.SecurityInsights.Test.ScenarioTests.ActionsTests/CreateAction.json b/src/SecurityInsights/SecurityInsights.Test/SessionRecords/Microsoft.Azure.Commands.SecurityInsights.Test.ScenarioTests.ActionsTests/CreateAction.json
new file mode 100644
index 000000000000..be4cf77b5e8a
--- /dev/null
+++ b/src/SecurityInsights/SecurityInsights.Test/SessionRecords/Microsoft.Azure.Commands.SecurityInsights.Test.ScenarioTests.ActionsTests/CreateAction.json
@@ -0,0 +1,215 @@
+{
+ "Entries": [
+ {
+ "RequestUri": "/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/alertRules/26501c9d-8f07-419d-8bcb-f9aac8ec1a7f?api-version=2020-01-01",
+ "EncodedRequestUri": "L3N1YnNjcmlwdGlvbnMvMWM2MWNjYmYtNzBiMy00NWEzLWExZmItODQ4Y2U0NmQ3MGE2L3Jlc291cmNlR3JvdXBzL25kaWNvbGEtYXpzcG9zaC9wcm92aWRlcnMvTWljcm9zb2Z0Lk9wZXJhdGlvbmFsSW5zaWdodHMvd29ya3NwYWNlcy9henNwb3NoL3Byb3ZpZGVycy9NaWNyb3NvZnQuU2VjdXJpdHlJbnNpZ2h0cy9hbGVydFJ1bGVzLzI2NTAxYzlkLThmMDctNDE5ZC04YmNiLWY5YWFjOGVjMWE3Zj9hcGktdmVyc2lvbj0yMDIwLTAxLTAx",
+ "RequestMethod": "PUT",
+ "RequestBody": "{\r\n \"kind\": \"Scheduled\",\r\n \"properties\": {\r\n \"query\": \"SecurityAlert | take 1\",\r\n \"queryFrequency\": \"PT5H\",\r\n \"queryPeriod\": \"PT5H\",\r\n \"severity\": \"Low\",\r\n \"triggerOperator\": \"GreaterThan\",\r\n \"triggerThreshold\": 10,\r\n \"displayName\": \"PoshModuleTest\",\r\n \"enabled\": true,\r\n \"suppressionDuration\": \"PT1H\",\r\n \"suppressionEnabled\": false\r\n }\r\n}",
+ "RequestHeaders": {
+ "x-ms-client-request-id": [
+ "5d22062e-dc45-4442-856b-4d37f14601ef"
+ ],
+ "Accept-Language": [
+ "en-US"
+ ],
+ "User-Agent": [
+ "FxVersion/4.6.29321.03",
+ "OSName/Windows",
+ "OSVersion/Microsoft.Windows.10.0.19042.",
+ "Microsoft.Azure.Management.SecurityInsights.SecurityInsightsClient/1.0.0.0"
+ ],
+ "Content-Type": [
+ "application/json; charset=utf-8"
+ ],
+ "Content-Length": [
+ "372"
+ ]
+ },
+ "ResponseHeaders": {
+ "Cache-Control": [
+ "no-cache"
+ ],
+ "Pragma": [
+ "no-cache"
+ ],
+ "x-ms-ratelimit-remaining-subscription-writes": [
+ "1199"
+ ],
+ "api-supported-versions": [
+ "2019-01-01-preview"
+ ],
+ "Server": [
+ "Kestrel"
+ ],
+ "x-ms-request-id": [
+ "6d82d299-d67e-4288-aa8b-2f653302960e"
+ ],
+ "x-ms-correlation-request-id": [
+ "6d82d299-d67e-4288-aa8b-2f653302960e"
+ ],
+ "x-ms-routing-request-id": [
+ "WESTUS2:20201210T211011Z:6d82d299-d67e-4288-aa8b-2f653302960e"
+ ],
+ "Strict-Transport-Security": [
+ "max-age=31536000; includeSubDomains"
+ ],
+ "X-Content-Type-Options": [
+ "nosniff"
+ ],
+ "Date": [
+ "Thu, 10 Dec 2020 21:10:11 GMT"
+ ],
+ "Content-Length": [
+ "972"
+ ],
+ "Content-Type": [
+ "application/json; charset=utf-8"
+ ],
+ "Expires": [
+ "-1"
+ ]
+ },
+ "ResponseBody": "{\r\n \"id\": \"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/alertRules/26501c9d-8f07-419d-8bcb-f9aac8ec1a7f\",\r\n \"name\": \"26501c9d-8f07-419d-8bcb-f9aac8ec1a7f\",\r\n \"etag\": \"\\\"c200c4a2-0000-0100-0000-5fd28eb30000\\\"\",\r\n \"type\": \"Microsoft.SecurityInsights/alertRules\",\r\n \"kind\": \"Scheduled\",\r\n \"properties\": {\r\n \"severity\": \"Low\",\r\n \"query\": \"SecurityAlert | take 1\",\r\n \"queryFrequency\": \"PT5H\",\r\n \"queryPeriod\": \"PT5H\",\r\n \"triggerOperator\": \"GreaterThan\",\r\n \"triggerThreshold\": 10,\r\n \"suppressionDuration\": \"PT1H\",\r\n \"suppressionEnabled\": false,\r\n \"incidentConfiguration\": {\r\n \"createIncident\": true,\r\n \"groupingConfiguration\": {\r\n \"enabled\": false,\r\n \"reopenClosedIncident\": false,\r\n \"lookbackDuration\": \"PT5M\",\r\n \"entitiesMatchingMethod\": \"All\",\r\n \"groupByEntities\": []\r\n }\r\n },\r\n \"displayName\": \"PoshModuleTest\",\r\n \"enabled\": true,\r\n \"description\": null,\r\n \"tactics\": null,\r\n \"alertRuleTemplateName\": null,\r\n \"lastModifiedUtc\": \"2020-12-10T21:10:10.5112338Z\"\r\n }\r\n}",
+ "StatusCode": 201
+ },
+ {
+ "RequestUri": "/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/alertRules/26501c9d-8f07-419d-8bcb-f9aac8ec1a7f/actions/10d54e5f-8c03-42fc-b1d9-1bd881535af0?api-version=2020-01-01",
+ "EncodedRequestUri": "L3N1YnNjcmlwdGlvbnMvMWM2MWNjYmYtNzBiMy00NWEzLWExZmItODQ4Y2U0NmQ3MGE2L3Jlc291cmNlR3JvdXBzL25kaWNvbGEtYXpzcG9zaC9wcm92aWRlcnMvTWljcm9zb2Z0Lk9wZXJhdGlvbmFsSW5zaWdodHMvd29ya3NwYWNlcy9henNwb3NoL3Byb3ZpZGVycy9NaWNyb3NvZnQuU2VjdXJpdHlJbnNpZ2h0cy9hbGVydFJ1bGVzLzI2NTAxYzlkLThmMDctNDE5ZC04YmNiLWY5YWFjOGVjMWE3Zi9hY3Rpb25zLzEwZDU0ZTVmLThjMDMtNDJmYy1iMWQ5LTFiZDg4MTUzNWFmMD9hcGktdmVyc2lvbj0yMDIwLTAxLTAx",
+ "RequestMethod": "PUT",
+ "RequestBody": "{\r\n \"properties\": {\r\n \"logicAppResourceId\": \"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.Logic/workflows/Block-AADUser\",\r\n \"triggerUri\": \"https://prod-13.westus.logic.azure.com:443/workflows/826a95b1b84c4ffbaf3af3dd88fe96b5/triggers/When_a_response_to_an_Azure_Sentinel_alert_is_triggered/paths/invoke?api-version=2018-07-01-preview&sp=%2Ftriggers%2FWhen_a_response_to_an_Azure_Sentinel_alert_is_triggered%2Frun&sv=1.0&sig=pK23xWl4uJT4RWs7zopxiP0Z7CpIfCDZEanL-mEyy1E\"\r\n }\r\n}",
+ "RequestHeaders": {
+ "x-ms-client-request-id": [
+ "fb6c1119-f1d5-4447-b2b0-cb9aa968b023"
+ ],
+ "Accept-Language": [
+ "en-US"
+ ],
+ "User-Agent": [
+ "FxVersion/4.6.29321.03",
+ "OSName/Windows",
+ "OSVersion/Microsoft.Windows.10.0.19042.",
+ "Microsoft.Azure.Management.SecurityInsights.SecurityInsightsClient/1.0.0.0"
+ ],
+ "Content-Type": [
+ "application/json; charset=utf-8"
+ ],
+ "Content-Length": [
+ "541"
+ ]
+ },
+ "ResponseHeaders": {
+ "Cache-Control": [
+ "no-cache"
+ ],
+ "Pragma": [
+ "no-cache"
+ ],
+ "x-ms-ratelimit-remaining-subscription-writes": [
+ "1198"
+ ],
+ "Server": [
+ "Kestrel"
+ ],
+ "x-ms-request-id": [
+ "07dae192-8252-4eb4-988e-176d1fb0b51b"
+ ],
+ "x-ms-correlation-request-id": [
+ "07dae192-8252-4eb4-988e-176d1fb0b51b"
+ ],
+ "x-ms-routing-request-id": [
+ "WESTUS2:20201210T211012Z:07dae192-8252-4eb4-988e-176d1fb0b51b"
+ ],
+ "Strict-Transport-Security": [
+ "max-age=31536000; includeSubDomains"
+ ],
+ "X-Content-Type-Options": [
+ "nosniff"
+ ],
+ "Date": [
+ "Thu, 10 Dec 2020 21:10:12 GMT"
+ ],
+ "Content-Length": [
+ "621"
+ ],
+ "Content-Type": [
+ "application/json; charset=utf-8"
+ ],
+ "Expires": [
+ "-1"
+ ]
+ },
+ "ResponseBody": "{\r\n \"id\": \"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/alertRules/26501c9d-8f07-419d-8bcb-f9aac8ec1a7f/actions/10d54e5f-8c03-42fc-b1d9-1bd881535af0\",\r\n \"name\": \"10d54e5f-8c03-42fc-b1d9-1bd881535af0\",\r\n \"type\": \"Microsoft.SecurityInsights/alertRules/actions\",\r\n \"properties\": {\r\n \"workflowId\": \"826a95b1b84c4ffbaf3af3dd88fe96b5\",\r\n \"logicAppResourceId\": \"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.Logic/workflows/Block-AADUser\",\r\n \"operatesOn\": \"Alert\"\r\n }\r\n}",
+ "StatusCode": 201
+ },
+ {
+ "RequestUri": "/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/alertRules/26501c9d-8f07-419d-8bcb-f9aac8ec1a7f?api-version=2020-01-01",
+ "EncodedRequestUri": "L3N1YnNjcmlwdGlvbnMvMWM2MWNjYmYtNzBiMy00NWEzLWExZmItODQ4Y2U0NmQ3MGE2L3Jlc291cmNlR3JvdXBzL25kaWNvbGEtYXpzcG9zaC9wcm92aWRlcnMvTWljcm9zb2Z0Lk9wZXJhdGlvbmFsSW5zaWdodHMvd29ya3NwYWNlcy9henNwb3NoL3Byb3ZpZGVycy9NaWNyb3NvZnQuU2VjdXJpdHlJbnNpZ2h0cy9hbGVydFJ1bGVzLzI2NTAxYzlkLThmMDctNDE5ZC04YmNiLWY5YWFjOGVjMWE3Zj9hcGktdmVyc2lvbj0yMDIwLTAxLTAx",
+ "RequestMethod": "DELETE",
+ "RequestBody": "",
+ "RequestHeaders": {
+ "x-ms-client-request-id": [
+ "6a016b7e-ba54-43e3-8978-bc34efb4ba0d"
+ ],
+ "Accept-Language": [
+ "en-US"
+ ],
+ "User-Agent": [
+ "FxVersion/4.6.29321.03",
+ "OSName/Windows",
+ "OSVersion/Microsoft.Windows.10.0.19042.",
+ "Microsoft.Azure.Management.SecurityInsights.SecurityInsightsClient/1.0.0.0"
+ ]
+ },
+ "ResponseHeaders": {
+ "Cache-Control": [
+ "no-cache"
+ ],
+ "Pragma": [
+ "no-cache"
+ ],
+ "x-ms-ratelimit-remaining-subscription-deletes": [
+ "14999"
+ ],
+ "api-supported-versions": [
+ "2019-01-01-preview"
+ ],
+ "Server": [
+ "Kestrel"
+ ],
+ "x-ms-request-id": [
+ "89b5e083-10e0-46b6-b849-824e16f0033b"
+ ],
+ "x-ms-correlation-request-id": [
+ "89b5e083-10e0-46b6-b849-824e16f0033b"
+ ],
+ "x-ms-routing-request-id": [
+ "WESTUS2:20201210T211012Z:89b5e083-10e0-46b6-b849-824e16f0033b"
+ ],
+ "Strict-Transport-Security": [
+ "max-age=31536000; includeSubDomains"
+ ],
+ "X-Content-Type-Options": [
+ "nosniff"
+ ],
+ "Date": [
+ "Thu, 10 Dec 2020 21:10:12 GMT"
+ ],
+ "Content-Length": [
+ "2"
+ ],
+ "Content-Type": [
+ "application/json; charset=utf-8"
+ ],
+ "Expires": [
+ "-1"
+ ]
+ },
+ "ResponseBody": "{}",
+ "StatusCode": 200
+ }
+ ],
+ "Names": {},
+ "Variables": {
+ "SubscriptionId": "1c61ccbf-70b3-45a3-a1fb-848ce46d70a6"
+ }
+}
\ No newline at end of file
diff --git a/src/SecurityInsights/SecurityInsights.Test/SessionRecords/Microsoft.Azure.Commands.SecurityInsights.Test.ScenarioTests.ActionsTests/GetAction.json b/src/SecurityInsights/SecurityInsights.Test/SessionRecords/Microsoft.Azure.Commands.SecurityInsights.Test.ScenarioTests.ActionsTests/GetAction.json
new file mode 100644
index 000000000000..2e095ed17400
--- /dev/null
+++ b/src/SecurityInsights/SecurityInsights.Test/SessionRecords/Microsoft.Azure.Commands.SecurityInsights.Test.ScenarioTests.ActionsTests/GetAction.json
@@ -0,0 +1,278 @@
+{
+ "Entries": [
+ {
+ "RequestUri": "/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/alertRules/77def5f7-ab37-4aaf-8711-904d1ab55787?api-version=2020-01-01",
+ "EncodedRequestUri": "L3N1YnNjcmlwdGlvbnMvMWM2MWNjYmYtNzBiMy00NWEzLWExZmItODQ4Y2U0NmQ3MGE2L3Jlc291cmNlR3JvdXBzL25kaWNvbGEtYXpzcG9zaC9wcm92aWRlcnMvTWljcm9zb2Z0Lk9wZXJhdGlvbmFsSW5zaWdodHMvd29ya3NwYWNlcy9henNwb3NoL3Byb3ZpZGVycy9NaWNyb3NvZnQuU2VjdXJpdHlJbnNpZ2h0cy9hbGVydFJ1bGVzLzc3ZGVmNWY3LWFiMzctNGFhZi04NzExLTkwNGQxYWI1NTc4Nz9hcGktdmVyc2lvbj0yMDIwLTAxLTAx",
+ "RequestMethod": "PUT",
+ "RequestBody": "{\r\n \"kind\": \"Scheduled\",\r\n \"properties\": {\r\n \"query\": \"SecurityAlert | take 1\",\r\n \"queryFrequency\": \"PT5H\",\r\n \"queryPeriod\": \"PT5H\",\r\n \"severity\": \"Low\",\r\n \"triggerOperator\": \"GreaterThan\",\r\n \"triggerThreshold\": 10,\r\n \"displayName\": \"PoshModuleTest\",\r\n \"enabled\": true,\r\n \"suppressionDuration\": \"PT1H\",\r\n \"suppressionEnabled\": false\r\n }\r\n}",
+ "RequestHeaders": {
+ "x-ms-client-request-id": [
+ "4e0aa13c-3e4e-46c9-803a-d437616d03b9"
+ ],
+ "Accept-Language": [
+ "en-US"
+ ],
+ "User-Agent": [
+ "FxVersion/4.6.29321.03",
+ "OSName/Windows",
+ "OSVersion/Microsoft.Windows.10.0.19042.",
+ "Microsoft.Azure.Management.SecurityInsights.SecurityInsightsClient/1.0.0.0"
+ ],
+ "Content-Type": [
+ "application/json; charset=utf-8"
+ ],
+ "Content-Length": [
+ "372"
+ ]
+ },
+ "ResponseHeaders": {
+ "Cache-Control": [
+ "no-cache"
+ ],
+ "Pragma": [
+ "no-cache"
+ ],
+ "x-ms-ratelimit-remaining-subscription-writes": [
+ "1199"
+ ],
+ "api-supported-versions": [
+ "2019-01-01-preview"
+ ],
+ "Server": [
+ "Kestrel"
+ ],
+ "x-ms-request-id": [
+ "eb1ead1b-9405-4830-bc8f-33ee4bc54a50"
+ ],
+ "x-ms-correlation-request-id": [
+ "eb1ead1b-9405-4830-bc8f-33ee4bc54a50"
+ ],
+ "x-ms-routing-request-id": [
+ "WESTUS2:20201210T211044Z:eb1ead1b-9405-4830-bc8f-33ee4bc54a50"
+ ],
+ "Strict-Transport-Security": [
+ "max-age=31536000; includeSubDomains"
+ ],
+ "X-Content-Type-Options": [
+ "nosniff"
+ ],
+ "Date": [
+ "Thu, 10 Dec 2020 21:10:44 GMT"
+ ],
+ "Content-Length": [
+ "972"
+ ],
+ "Content-Type": [
+ "application/json; charset=utf-8"
+ ],
+ "Expires": [
+ "-1"
+ ]
+ },
+ "ResponseBody": "{\r\n \"id\": \"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/alertRules/77def5f7-ab37-4aaf-8711-904d1ab55787\",\r\n \"name\": \"77def5f7-ab37-4aaf-8711-904d1ab55787\",\r\n \"etag\": \"\\\"c20078a6-0000-0100-0000-5fd28ed40000\\\"\",\r\n \"type\": \"Microsoft.SecurityInsights/alertRules\",\r\n \"kind\": \"Scheduled\",\r\n \"properties\": {\r\n \"severity\": \"Low\",\r\n \"query\": \"SecurityAlert | take 1\",\r\n \"queryFrequency\": \"PT5H\",\r\n \"queryPeriod\": \"PT5H\",\r\n \"triggerOperator\": \"GreaterThan\",\r\n \"triggerThreshold\": 10,\r\n \"suppressionDuration\": \"PT1H\",\r\n \"suppressionEnabled\": false,\r\n \"incidentConfiguration\": {\r\n \"createIncident\": true,\r\n \"groupingConfiguration\": {\r\n \"enabled\": false,\r\n \"reopenClosedIncident\": false,\r\n \"lookbackDuration\": \"PT5M\",\r\n \"entitiesMatchingMethod\": \"All\",\r\n \"groupByEntities\": []\r\n }\r\n },\r\n \"displayName\": \"PoshModuleTest\",\r\n \"enabled\": true,\r\n \"description\": null,\r\n \"tactics\": null,\r\n \"alertRuleTemplateName\": null,\r\n \"lastModifiedUtc\": \"2020-12-10T21:10:42.4515714Z\"\r\n }\r\n}",
+ "StatusCode": 201
+ },
+ {
+ "RequestUri": "/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/alertRules/77def5f7-ab37-4aaf-8711-904d1ab55787/actions/27dda575-93f0-4925-92b3-039ef4d89cad?api-version=2020-01-01",
+ "EncodedRequestUri": "L3N1YnNjcmlwdGlvbnMvMWM2MWNjYmYtNzBiMy00NWEzLWExZmItODQ4Y2U0NmQ3MGE2L3Jlc291cmNlR3JvdXBzL25kaWNvbGEtYXpzcG9zaC9wcm92aWRlcnMvTWljcm9zb2Z0Lk9wZXJhdGlvbmFsSW5zaWdodHMvd29ya3NwYWNlcy9henNwb3NoL3Byb3ZpZGVycy9NaWNyb3NvZnQuU2VjdXJpdHlJbnNpZ2h0cy9hbGVydFJ1bGVzLzc3ZGVmNWY3LWFiMzctNGFhZi04NzExLTkwNGQxYWI1NTc4Ny9hY3Rpb25zLzI3ZGRhNTc1LTkzZjAtNDkyNS05MmIzLTAzOWVmNGQ4OWNhZD9hcGktdmVyc2lvbj0yMDIwLTAxLTAx",
+ "RequestMethod": "PUT",
+ "RequestBody": "{\r\n \"properties\": {\r\n \"logicAppResourceId\": \"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.Logic/workflows/Block-AADUser\",\r\n \"triggerUri\": \"https://prod-13.westus.logic.azure.com:443/workflows/826a95b1b84c4ffbaf3af3dd88fe96b5/triggers/When_a_response_to_an_Azure_Sentinel_alert_is_triggered/paths/invoke?api-version=2018-07-01-preview&sp=%2Ftriggers%2FWhen_a_response_to_an_Azure_Sentinel_alert_is_triggered%2Frun&sv=1.0&sig=pK23xWl4uJT4RWs7zopxiP0Z7CpIfCDZEanL-mEyy1E\"\r\n }\r\n}",
+ "RequestHeaders": {
+ "x-ms-client-request-id": [
+ "a9b0a11e-998e-4ef8-9186-21e2f4c61501"
+ ],
+ "Accept-Language": [
+ "en-US"
+ ],
+ "User-Agent": [
+ "FxVersion/4.6.29321.03",
+ "OSName/Windows",
+ "OSVersion/Microsoft.Windows.10.0.19042.",
+ "Microsoft.Azure.Management.SecurityInsights.SecurityInsightsClient/1.0.0.0"
+ ],
+ "Content-Type": [
+ "application/json; charset=utf-8"
+ ],
+ "Content-Length": [
+ "541"
+ ]
+ },
+ "ResponseHeaders": {
+ "Cache-Control": [
+ "no-cache"
+ ],
+ "Pragma": [
+ "no-cache"
+ ],
+ "x-ms-ratelimit-remaining-subscription-writes": [
+ "1198"
+ ],
+ "Server": [
+ "Kestrel"
+ ],
+ "x-ms-request-id": [
+ "ae717d23-97fe-4aaf-98aa-50932434edd7"
+ ],
+ "x-ms-correlation-request-id": [
+ "ae717d23-97fe-4aaf-98aa-50932434edd7"
+ ],
+ "x-ms-routing-request-id": [
+ "WESTUS2:20201210T211045Z:ae717d23-97fe-4aaf-98aa-50932434edd7"
+ ],
+ "Strict-Transport-Security": [
+ "max-age=31536000; includeSubDomains"
+ ],
+ "X-Content-Type-Options": [
+ "nosniff"
+ ],
+ "Date": [
+ "Thu, 10 Dec 2020 21:10:45 GMT"
+ ],
+ "Content-Length": [
+ "621"
+ ],
+ "Content-Type": [
+ "application/json; charset=utf-8"
+ ],
+ "Expires": [
+ "-1"
+ ]
+ },
+ "ResponseBody": "{\r\n \"id\": \"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/alertRules/77def5f7-ab37-4aaf-8711-904d1ab55787/actions/27dda575-93f0-4925-92b3-039ef4d89cad\",\r\n \"name\": \"27dda575-93f0-4925-92b3-039ef4d89cad\",\r\n \"type\": \"Microsoft.SecurityInsights/alertRules/actions\",\r\n \"properties\": {\r\n \"workflowId\": \"826a95b1b84c4ffbaf3af3dd88fe96b5\",\r\n \"logicAppResourceId\": \"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.Logic/workflows/Block-AADUser\",\r\n \"operatesOn\": \"Alert\"\r\n }\r\n}",
+ "StatusCode": 201
+ },
+ {
+ "RequestUri": "/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/alertRules/77def5f7-ab37-4aaf-8711-904d1ab55787/actions/27dda575-93f0-4925-92b3-039ef4d89cad?api-version=2020-01-01",
+ "EncodedRequestUri": "L3N1YnNjcmlwdGlvbnMvMWM2MWNjYmYtNzBiMy00NWEzLWExZmItODQ4Y2U0NmQ3MGE2L3Jlc291cmNlR3JvdXBzL25kaWNvbGEtYXpzcG9zaC9wcm92aWRlcnMvTWljcm9zb2Z0Lk9wZXJhdGlvbmFsSW5zaWdodHMvd29ya3NwYWNlcy9henNwb3NoL3Byb3ZpZGVycy9NaWNyb3NvZnQuU2VjdXJpdHlJbnNpZ2h0cy9hbGVydFJ1bGVzLzc3ZGVmNWY3LWFiMzctNGFhZi04NzExLTkwNGQxYWI1NTc4Ny9hY3Rpb25zLzI3ZGRhNTc1LTkzZjAtNDkyNS05MmIzLTAzOWVmNGQ4OWNhZD9hcGktdmVyc2lvbj0yMDIwLTAxLTAx",
+ "RequestMethod": "GET",
+ "RequestBody": "",
+ "RequestHeaders": {
+ "x-ms-client-request-id": [
+ "d2b83957-497e-479f-aba3-1eb74b3ed2c0"
+ ],
+ "Accept-Language": [
+ "en-US"
+ ],
+ "User-Agent": [
+ "FxVersion/4.6.29321.03",
+ "OSName/Windows",
+ "OSVersion/Microsoft.Windows.10.0.19042.",
+ "Microsoft.Azure.Management.SecurityInsights.SecurityInsightsClient/1.0.0.0"
+ ]
+ },
+ "ResponseHeaders": {
+ "Cache-Control": [
+ "no-cache"
+ ],
+ "Pragma": [
+ "no-cache"
+ ],
+ "x-ms-ratelimit-remaining-subscription-reads": [
+ "11999"
+ ],
+ "Server": [
+ "Kestrel"
+ ],
+ "x-ms-request-id": [
+ "a7e67e98-17e3-4cf4-a39c-e6b440edc225"
+ ],
+ "x-ms-correlation-request-id": [
+ "a7e67e98-17e3-4cf4-a39c-e6b440edc225"
+ ],
+ "x-ms-routing-request-id": [
+ "WESTUS2:20201210T211045Z:a7e67e98-17e3-4cf4-a39c-e6b440edc225"
+ ],
+ "Strict-Transport-Security": [
+ "max-age=31536000; includeSubDomains"
+ ],
+ "X-Content-Type-Options": [
+ "nosniff"
+ ],
+ "Date": [
+ "Thu, 10 Dec 2020 21:10:45 GMT"
+ ],
+ "Content-Length": [
+ "671"
+ ],
+ "Content-Type": [
+ "application/json; charset=utf-8"
+ ],
+ "Expires": [
+ "-1"
+ ]
+ },
+ "ResponseBody": "{\r\n \"id\": \"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/alertRules/77def5f7-ab37-4aaf-8711-904d1ab55787/actions/27dda575-93f0-4925-92b3-039ef4d89cad\",\r\n \"name\": \"27dda575-93f0-4925-92b3-039ef4d89cad\",\r\n \"etag\": \"\\\"2c05ff74-0000-0300-0000-5fd28ed50000\\\"\",\r\n \"type\": \"Microsoft.SecurityInsights/alertRules/actions\",\r\n \"properties\": {\r\n \"workflowId\": \"826a95b1b84c4ffbaf3af3dd88fe96b5\",\r\n \"logicAppResourceId\": \"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.Logic/workflows/Block-AADUser\",\r\n \"operatesOn\": \"Alert\"\r\n }\r\n}",
+ "StatusCode": 200
+ },
+ {
+ "RequestUri": "/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/alertRules/77def5f7-ab37-4aaf-8711-904d1ab55787?api-version=2020-01-01",
+ "EncodedRequestUri": "L3N1YnNjcmlwdGlvbnMvMWM2MWNjYmYtNzBiMy00NWEzLWExZmItODQ4Y2U0NmQ3MGE2L3Jlc291cmNlR3JvdXBzL25kaWNvbGEtYXpzcG9zaC9wcm92aWRlcnMvTWljcm9zb2Z0Lk9wZXJhdGlvbmFsSW5zaWdodHMvd29ya3NwYWNlcy9henNwb3NoL3Byb3ZpZGVycy9NaWNyb3NvZnQuU2VjdXJpdHlJbnNpZ2h0cy9hbGVydFJ1bGVzLzc3ZGVmNWY3LWFiMzctNGFhZi04NzExLTkwNGQxYWI1NTc4Nz9hcGktdmVyc2lvbj0yMDIwLTAxLTAx",
+ "RequestMethod": "DELETE",
+ "RequestBody": "",
+ "RequestHeaders": {
+ "x-ms-client-request-id": [
+ "f64dbed2-9b95-4a67-b760-f57376e15dbd"
+ ],
+ "Accept-Language": [
+ "en-US"
+ ],
+ "User-Agent": [
+ "FxVersion/4.6.29321.03",
+ "OSName/Windows",
+ "OSVersion/Microsoft.Windows.10.0.19042.",
+ "Microsoft.Azure.Management.SecurityInsights.SecurityInsightsClient/1.0.0.0"
+ ]
+ },
+ "ResponseHeaders": {
+ "Cache-Control": [
+ "no-cache"
+ ],
+ "Pragma": [
+ "no-cache"
+ ],
+ "x-ms-ratelimit-remaining-subscription-deletes": [
+ "14999"
+ ],
+ "api-supported-versions": [
+ "2019-01-01-preview"
+ ],
+ "Server": [
+ "Kestrel"
+ ],
+ "x-ms-request-id": [
+ "5201200d-fd94-48e9-8dd1-a6d7da4b8de6"
+ ],
+ "x-ms-correlation-request-id": [
+ "5201200d-fd94-48e9-8dd1-a6d7da4b8de6"
+ ],
+ "x-ms-routing-request-id": [
+ "WESTUS2:20201210T211045Z:5201200d-fd94-48e9-8dd1-a6d7da4b8de6"
+ ],
+ "Strict-Transport-Security": [
+ "max-age=31536000; includeSubDomains"
+ ],
+ "X-Content-Type-Options": [
+ "nosniff"
+ ],
+ "Date": [
+ "Thu, 10 Dec 2020 21:10:45 GMT"
+ ],
+ "Content-Length": [
+ "2"
+ ],
+ "Content-Type": [
+ "application/json; charset=utf-8"
+ ],
+ "Expires": [
+ "-1"
+ ]
+ },
+ "ResponseBody": "{}",
+ "StatusCode": 200
+ }
+ ],
+ "Names": {},
+ "Variables": {
+ "SubscriptionId": "1c61ccbf-70b3-45a3-a1fb-848ce46d70a6"
+ }
+}
\ No newline at end of file
diff --git a/src/SecurityInsights/SecurityInsights.Test/SessionRecords/Microsoft.Azure.Commands.SecurityInsights.Test.ScenarioTests.ActionsTests/ListByAlertRule.json b/src/SecurityInsights/SecurityInsights.Test/SessionRecords/Microsoft.Azure.Commands.SecurityInsights.Test.ScenarioTests.ActionsTests/ListByAlertRule.json
new file mode 100644
index 000000000000..b3906cedf8d9
--- /dev/null
+++ b/src/SecurityInsights/SecurityInsights.Test/SessionRecords/Microsoft.Azure.Commands.SecurityInsights.Test.ScenarioTests.ActionsTests/ListByAlertRule.json
@@ -0,0 +1,347 @@
+{
+ "Entries": [
+ {
+ "RequestUri": "/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/alertRules/1b64dc0e-4bf6-43c4-a503-52cba30b5c47?api-version=2020-01-01",
+ "EncodedRequestUri": "L3N1YnNjcmlwdGlvbnMvMWM2MWNjYmYtNzBiMy00NWEzLWExZmItODQ4Y2U0NmQ3MGE2L3Jlc291cmNlR3JvdXBzL25kaWNvbGEtYXpzcG9zaC9wcm92aWRlcnMvTWljcm9zb2Z0Lk9wZXJhdGlvbmFsSW5zaWdodHMvd29ya3NwYWNlcy9henNwb3NoL3Byb3ZpZGVycy9NaWNyb3NvZnQuU2VjdXJpdHlJbnNpZ2h0cy9hbGVydFJ1bGVzLzFiNjRkYzBlLTRiZjYtNDNjNC1hNTAzLTUyY2JhMzBiNWM0Nz9hcGktdmVyc2lvbj0yMDIwLTAxLTAx",
+ "RequestMethod": "PUT",
+ "RequestBody": "{\r\n \"kind\": \"Scheduled\",\r\n \"properties\": {\r\n \"query\": \"SecurityAlert | take 1\",\r\n \"queryFrequency\": \"PT5H\",\r\n \"queryPeriod\": \"PT5H\",\r\n \"severity\": \"Low\",\r\n \"triggerOperator\": \"GreaterThan\",\r\n \"triggerThreshold\": 10,\r\n \"displayName\": \"PoshModuleTest\",\r\n \"enabled\": true,\r\n \"suppressionDuration\": \"PT1H\",\r\n \"suppressionEnabled\": false\r\n }\r\n}",
+ "RequestHeaders": {
+ "x-ms-client-request-id": [
+ "bef58047-059d-4833-bcf0-1c592e481d3f"
+ ],
+ "Accept-Language": [
+ "en-US"
+ ],
+ "User-Agent": [
+ "FxVersion/4.6.29321.03",
+ "OSName/Windows",
+ "OSVersion/Microsoft.Windows.10.0.19042.",
+ "Microsoft.Azure.Management.SecurityInsights.SecurityInsightsClient/1.0.0.0"
+ ],
+ "Content-Type": [
+ "application/json; charset=utf-8"
+ ],
+ "Content-Length": [
+ "372"
+ ]
+ },
+ "ResponseHeaders": {
+ "Cache-Control": [
+ "no-cache"
+ ],
+ "Pragma": [
+ "no-cache"
+ ],
+ "x-ms-ratelimit-remaining-subscription-writes": [
+ "1199"
+ ],
+ "api-supported-versions": [
+ "2019-01-01-preview"
+ ],
+ "Server": [
+ "Kestrel"
+ ],
+ "x-ms-request-id": [
+ "ae2a959c-5d23-4531-9bac-4d7a7b435bab"
+ ],
+ "x-ms-correlation-request-id": [
+ "ae2a959c-5d23-4531-9bac-4d7a7b435bab"
+ ],
+ "x-ms-routing-request-id": [
+ "WESTUS2:20201210T211006Z:ae2a959c-5d23-4531-9bac-4d7a7b435bab"
+ ],
+ "Strict-Transport-Security": [
+ "max-age=31536000; includeSubDomains"
+ ],
+ "X-Content-Type-Options": [
+ "nosniff"
+ ],
+ "Date": [
+ "Thu, 10 Dec 2020 21:10:05 GMT"
+ ],
+ "Content-Length": [
+ "972"
+ ],
+ "Content-Type": [
+ "application/json; charset=utf-8"
+ ],
+ "Expires": [
+ "-1"
+ ]
+ },
+ "ResponseBody": "{\r\n \"id\": \"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/alertRules/1b64dc0e-4bf6-43c4-a503-52cba30b5c47\",\r\n \"name\": \"1b64dc0e-4bf6-43c4-a503-52cba30b5c47\",\r\n \"etag\": \"\\\"c20033a2-0000-0100-0000-5fd28eae0000\\\"\",\r\n \"type\": \"Microsoft.SecurityInsights/alertRules\",\r\n \"kind\": \"Scheduled\",\r\n \"properties\": {\r\n \"severity\": \"Low\",\r\n \"query\": \"SecurityAlert | take 1\",\r\n \"queryFrequency\": \"PT5H\",\r\n \"queryPeriod\": \"PT5H\",\r\n \"triggerOperator\": \"GreaterThan\",\r\n \"triggerThreshold\": 10,\r\n \"suppressionDuration\": \"PT1H\",\r\n \"suppressionEnabled\": false,\r\n \"incidentConfiguration\": {\r\n \"createIncident\": true,\r\n \"groupingConfiguration\": {\r\n \"enabled\": false,\r\n \"reopenClosedIncident\": false,\r\n \"lookbackDuration\": \"PT5M\",\r\n \"entitiesMatchingMethod\": \"All\",\r\n \"groupByEntities\": []\r\n }\r\n },\r\n \"displayName\": \"PoshModuleTest\",\r\n \"enabled\": true,\r\n \"description\": null,\r\n \"tactics\": null,\r\n \"alertRuleTemplateName\": null,\r\n \"lastModifiedUtc\": \"2020-12-10T21:10:00.3265773Z\"\r\n }\r\n}",
+ "StatusCode": 201
+ },
+ {
+ "RequestUri": "/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/alertRules/1b64dc0e-4bf6-43c4-a503-52cba30b5c47/actions/cd9f21e2-1718-4b8b-871e-b8d59c65f317?api-version=2020-01-01",
+ "EncodedRequestUri": "L3N1YnNjcmlwdGlvbnMvMWM2MWNjYmYtNzBiMy00NWEzLWExZmItODQ4Y2U0NmQ3MGE2L3Jlc291cmNlR3JvdXBzL25kaWNvbGEtYXpzcG9zaC9wcm92aWRlcnMvTWljcm9zb2Z0Lk9wZXJhdGlvbmFsSW5zaWdodHMvd29ya3NwYWNlcy9henNwb3NoL3Byb3ZpZGVycy9NaWNyb3NvZnQuU2VjdXJpdHlJbnNpZ2h0cy9hbGVydFJ1bGVzLzFiNjRkYzBlLTRiZjYtNDNjNC1hNTAzLTUyY2JhMzBiNWM0Ny9hY3Rpb25zL2NkOWYyMWUyLTE3MTgtNGI4Yi04NzFlLWI4ZDU5YzY1ZjMxNz9hcGktdmVyc2lvbj0yMDIwLTAxLTAx",
+ "RequestMethod": "PUT",
+ "RequestBody": "{\r\n \"properties\": {\r\n \"logicAppResourceId\": \"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.Logic/workflows/Block-AADUser\",\r\n \"triggerUri\": \"https://prod-13.westus.logic.azure.com:443/workflows/826a95b1b84c4ffbaf3af3dd88fe96b5/triggers/When_a_response_to_an_Azure_Sentinel_alert_is_triggered/paths/invoke?api-version=2018-07-01-preview&sp=%2Ftriggers%2FWhen_a_response_to_an_Azure_Sentinel_alert_is_triggered%2Frun&sv=1.0&sig=pK23xWl4uJT4RWs7zopxiP0Z7CpIfCDZEanL-mEyy1E\"\r\n }\r\n}",
+ "RequestHeaders": {
+ "x-ms-client-request-id": [
+ "6ca479a4-903d-4915-b3c9-c71952161fc8"
+ ],
+ "Accept-Language": [
+ "en-US"
+ ],
+ "User-Agent": [
+ "FxVersion/4.6.29321.03",
+ "OSName/Windows",
+ "OSVersion/Microsoft.Windows.10.0.19042.",
+ "Microsoft.Azure.Management.SecurityInsights.SecurityInsightsClient/1.0.0.0"
+ ],
+ "Content-Type": [
+ "application/json; charset=utf-8"
+ ],
+ "Content-Length": [
+ "541"
+ ]
+ },
+ "ResponseHeaders": {
+ "Cache-Control": [
+ "no-cache"
+ ],
+ "Pragma": [
+ "no-cache"
+ ],
+ "x-ms-ratelimit-remaining-subscription-writes": [
+ "1198"
+ ],
+ "Server": [
+ "Kestrel"
+ ],
+ "x-ms-request-id": [
+ "4594ffa1-6146-4566-b01c-6377deafec00"
+ ],
+ "x-ms-correlation-request-id": [
+ "4594ffa1-6146-4566-b01c-6377deafec00"
+ ],
+ "x-ms-routing-request-id": [
+ "WESTUS2:20201210T211007Z:4594ffa1-6146-4566-b01c-6377deafec00"
+ ],
+ "Strict-Transport-Security": [
+ "max-age=31536000; includeSubDomains"
+ ],
+ "X-Content-Type-Options": [
+ "nosniff"
+ ],
+ "Date": [
+ "Thu, 10 Dec 2020 21:10:06 GMT"
+ ],
+ "Content-Length": [
+ "621"
+ ],
+ "Content-Type": [
+ "application/json; charset=utf-8"
+ ],
+ "Expires": [
+ "-1"
+ ]
+ },
+ "ResponseBody": "{\r\n \"id\": \"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/alertRules/1b64dc0e-4bf6-43c4-a503-52cba30b5c47/actions/cd9f21e2-1718-4b8b-871e-b8d59c65f317\",\r\n \"name\": \"cd9f21e2-1718-4b8b-871e-b8d59c65f317\",\r\n \"type\": \"Microsoft.SecurityInsights/alertRules/actions\",\r\n \"properties\": {\r\n \"workflowId\": \"826a95b1b84c4ffbaf3af3dd88fe96b5\",\r\n \"logicAppResourceId\": \"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.Logic/workflows/Block-AADUser\",\r\n \"operatesOn\": \"Alert\"\r\n }\r\n}",
+ "StatusCode": 201
+ },
+ {
+ "RequestUri": "/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/alertRules/1b64dc0e-4bf6-43c4-a503-52cba30b5c47/actions/ccef9243-4f96-4ec5-8042-9df44e2df452?api-version=2020-01-01",
+ "EncodedRequestUri": "L3N1YnNjcmlwdGlvbnMvMWM2MWNjYmYtNzBiMy00NWEzLWExZmItODQ4Y2U0NmQ3MGE2L3Jlc291cmNlR3JvdXBzL25kaWNvbGEtYXpzcG9zaC9wcm92aWRlcnMvTWljcm9zb2Z0Lk9wZXJhdGlvbmFsSW5zaWdodHMvd29ya3NwYWNlcy9henNwb3NoL3Byb3ZpZGVycy9NaWNyb3NvZnQuU2VjdXJpdHlJbnNpZ2h0cy9hbGVydFJ1bGVzLzFiNjRkYzBlLTRiZjYtNDNjNC1hNTAzLTUyY2JhMzBiNWM0Ny9hY3Rpb25zL2NjZWY5MjQzLTRmOTYtNGVjNS04MDQyLTlkZjQ0ZTJkZjQ1Mj9hcGktdmVyc2lvbj0yMDIwLTAxLTAx",
+ "RequestMethod": "PUT",
+ "RequestBody": "{\r\n \"properties\": {\r\n \"logicAppResourceId\": \"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.Logic/workflows/Get-MDATPInvestigationPackage\",\r\n \"triggerUri\": \"https://prod-16.westus.logic.azure.com:443/workflows/18c75599cf3742c998d14af0f89cf3b1/triggers/When_a_response_to_an_Azure_Sentinel_alert_is_triggered/paths/invoke?api-version=2018-07-01-preview&sp=%2Ftriggers%2FWhen_a_response_to_an_Azure_Sentinel_alert_is_triggered%2Frun&sv=1.0&sig=rREdJWoN3PNCmhqwMz0KRy8apQDt8DQbZZuvlm1l4Oo\"\r\n }\r\n}",
+ "RequestHeaders": {
+ "x-ms-client-request-id": [
+ "ae32257a-83e0-47be-afed-ea8963e1b1a8"
+ ],
+ "Accept-Language": [
+ "en-US"
+ ],
+ "User-Agent": [
+ "FxVersion/4.6.29321.03",
+ "OSName/Windows",
+ "OSVersion/Microsoft.Windows.10.0.19042.",
+ "Microsoft.Azure.Management.SecurityInsights.SecurityInsightsClient/1.0.0.0"
+ ],
+ "Content-Type": [
+ "application/json; charset=utf-8"
+ ],
+ "Content-Length": [
+ "557"
+ ]
+ },
+ "ResponseHeaders": {
+ "Cache-Control": [
+ "no-cache"
+ ],
+ "Pragma": [
+ "no-cache"
+ ],
+ "x-ms-ratelimit-remaining-subscription-writes": [
+ "1197"
+ ],
+ "Server": [
+ "Kestrel"
+ ],
+ "x-ms-request-id": [
+ "5446850f-25a2-4ddd-bdb1-c1610e6760d9"
+ ],
+ "x-ms-correlation-request-id": [
+ "5446850f-25a2-4ddd-bdb1-c1610e6760d9"
+ ],
+ "x-ms-routing-request-id": [
+ "WESTUS2:20201210T211008Z:5446850f-25a2-4ddd-bdb1-c1610e6760d9"
+ ],
+ "Strict-Transport-Security": [
+ "max-age=31536000; includeSubDomains"
+ ],
+ "X-Content-Type-Options": [
+ "nosniff"
+ ],
+ "Date": [
+ "Thu, 10 Dec 2020 21:10:07 GMT"
+ ],
+ "Content-Length": [
+ "637"
+ ],
+ "Content-Type": [
+ "application/json; charset=utf-8"
+ ],
+ "Expires": [
+ "-1"
+ ]
+ },
+ "ResponseBody": "{\r\n \"id\": \"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/alertRules/1b64dc0e-4bf6-43c4-a503-52cba30b5c47/actions/ccef9243-4f96-4ec5-8042-9df44e2df452\",\r\n \"name\": \"ccef9243-4f96-4ec5-8042-9df44e2df452\",\r\n \"type\": \"Microsoft.SecurityInsights/alertRules/actions\",\r\n \"properties\": {\r\n \"workflowId\": \"18c75599cf3742c998d14af0f89cf3b1\",\r\n \"logicAppResourceId\": \"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.Logic/workflows/Get-MDATPInvestigationPackage\",\r\n \"operatesOn\": \"Alert\"\r\n }\r\n}",
+ "StatusCode": 201
+ },
+ {
+ "RequestUri": "/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/alertRules/1b64dc0e-4bf6-43c4-a503-52cba30b5c47/actions?api-version=2020-01-01",
+ "EncodedRequestUri": "L3N1YnNjcmlwdGlvbnMvMWM2MWNjYmYtNzBiMy00NWEzLWExZmItODQ4Y2U0NmQ3MGE2L3Jlc291cmNlR3JvdXBzL25kaWNvbGEtYXpzcG9zaC9wcm92aWRlcnMvTWljcm9zb2Z0Lk9wZXJhdGlvbmFsSW5zaWdodHMvd29ya3NwYWNlcy9henNwb3NoL3Byb3ZpZGVycy9NaWNyb3NvZnQuU2VjdXJpdHlJbnNpZ2h0cy9hbGVydFJ1bGVzLzFiNjRkYzBlLTRiZjYtNDNjNC1hNTAzLTUyY2JhMzBiNWM0Ny9hY3Rpb25zP2FwaS12ZXJzaW9uPTIwMjAtMDEtMDE=",
+ "RequestMethod": "GET",
+ "RequestBody": "",
+ "RequestHeaders": {
+ "x-ms-client-request-id": [
+ "608fa582-fe0c-4eaa-ac17-ee76306cf32d"
+ ],
+ "Accept-Language": [
+ "en-US"
+ ],
+ "User-Agent": [
+ "FxVersion/4.6.29321.03",
+ "OSName/Windows",
+ "OSVersion/Microsoft.Windows.10.0.19042.",
+ "Microsoft.Azure.Management.SecurityInsights.SecurityInsightsClient/1.0.0.0"
+ ]
+ },
+ "ResponseHeaders": {
+ "Cache-Control": [
+ "no-cache"
+ ],
+ "Pragma": [
+ "no-cache"
+ ],
+ "x-ms-ratelimit-remaining-subscription-reads": [
+ "11999"
+ ],
+ "Server": [
+ "Kestrel"
+ ],
+ "x-ms-request-id": [
+ "ada96fe8-3b76-47e5-a95c-c6ad77ff3d4d"
+ ],
+ "x-ms-correlation-request-id": [
+ "ada96fe8-3b76-47e5-a95c-c6ad77ff3d4d"
+ ],
+ "x-ms-routing-request-id": [
+ "WESTUS2:20201210T211008Z:ada96fe8-3b76-47e5-a95c-c6ad77ff3d4d"
+ ],
+ "Strict-Transport-Security": [
+ "max-age=31536000; includeSubDomains"
+ ],
+ "X-Content-Type-Options": [
+ "nosniff"
+ ],
+ "Date": [
+ "Thu, 10 Dec 2020 21:10:08 GMT"
+ ],
+ "Content-Length": [
+ "1481"
+ ],
+ "Content-Type": [
+ "application/json; charset=utf-8"
+ ],
+ "Expires": [
+ "-1"
+ ]
+ },
+ "ResponseBody": "{\r\n \"value\": [\r\n {\r\n \"id\": \"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/alertRules/asicustomalertsv3_1b64dc0e-4bf6-43c4-a503-52cba30b5c47_cd9f21e2-1718-4b8b-871e-b8d59c65f317/actions/cd9f21e2-1718-4b8b-871e-b8d59c65f317\",\r\n \"name\": \"cd9f21e2-1718-4b8b-871e-b8d59c65f317\",\r\n \"etag\": \"\\\"2c05a571-0000-0300-0000-5fd28eae0000\\\"\",\r\n \"type\": \"Microsoft.SecurityInsights/alertRules/actions\",\r\n \"properties\": {\r\n \"workflowId\": \"826a95b1b84c4ffbaf3af3dd88fe96b5\",\r\n \"logicAppResourceId\": \"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.Logic/workflows/Block-AADUser\",\r\n \"operatesOn\": \"Alert\"\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/alertRules/asicustomalertsv3_1b64dc0e-4bf6-43c4-a503-52cba30b5c47_ccef9243-4f96-4ec5-8042-9df44e2df452/actions/ccef9243-4f96-4ec5-8042-9df44e2df452\",\r\n \"name\": \"ccef9243-4f96-4ec5-8042-9df44e2df452\",\r\n \"etag\": \"\\\"2c05ce71-0000-0300-0000-5fd28eb00000\\\"\",\r\n \"type\": \"Microsoft.SecurityInsights/alertRules/actions\",\r\n \"properties\": {\r\n \"workflowId\": \"18c75599cf3742c998d14af0f89cf3b1\",\r\n \"logicAppResourceId\": \"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.Logic/workflows/Get-MDATPInvestigationPackage\",\r\n \"operatesOn\": \"Alert\"\r\n }\r\n }\r\n ]\r\n}",
+ "StatusCode": 200
+ },
+ {
+ "RequestUri": "/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/alertRules/1b64dc0e-4bf6-43c4-a503-52cba30b5c47?api-version=2020-01-01",
+ "EncodedRequestUri": "L3N1YnNjcmlwdGlvbnMvMWM2MWNjYmYtNzBiMy00NWEzLWExZmItODQ4Y2U0NmQ3MGE2L3Jlc291cmNlR3JvdXBzL25kaWNvbGEtYXpzcG9zaC9wcm92aWRlcnMvTWljcm9zb2Z0Lk9wZXJhdGlvbmFsSW5zaWdodHMvd29ya3NwYWNlcy9henNwb3NoL3Byb3ZpZGVycy9NaWNyb3NvZnQuU2VjdXJpdHlJbnNpZ2h0cy9hbGVydFJ1bGVzLzFiNjRkYzBlLTRiZjYtNDNjNC1hNTAzLTUyY2JhMzBiNWM0Nz9hcGktdmVyc2lvbj0yMDIwLTAxLTAx",
+ "RequestMethod": "DELETE",
+ "RequestBody": "",
+ "RequestHeaders": {
+ "x-ms-client-request-id": [
+ "8fa9e4d6-1774-4501-bdad-0ffcb87f1105"
+ ],
+ "Accept-Language": [
+ "en-US"
+ ],
+ "User-Agent": [
+ "FxVersion/4.6.29321.03",
+ "OSName/Windows",
+ "OSVersion/Microsoft.Windows.10.0.19042.",
+ "Microsoft.Azure.Management.SecurityInsights.SecurityInsightsClient/1.0.0.0"
+ ]
+ },
+ "ResponseHeaders": {
+ "Cache-Control": [
+ "no-cache"
+ ],
+ "Pragma": [
+ "no-cache"
+ ],
+ "x-ms-ratelimit-remaining-subscription-deletes": [
+ "14999"
+ ],
+ "api-supported-versions": [
+ "2019-01-01-preview"
+ ],
+ "Server": [
+ "Kestrel"
+ ],
+ "x-ms-request-id": [
+ "e752a4ae-b2d1-4116-8163-eec5fe20e481"
+ ],
+ "x-ms-correlation-request-id": [
+ "e752a4ae-b2d1-4116-8163-eec5fe20e481"
+ ],
+ "x-ms-routing-request-id": [
+ "WESTUS2:20201210T211009Z:e752a4ae-b2d1-4116-8163-eec5fe20e481"
+ ],
+ "Strict-Transport-Security": [
+ "max-age=31536000; includeSubDomains"
+ ],
+ "X-Content-Type-Options": [
+ "nosniff"
+ ],
+ "Date": [
+ "Thu, 10 Dec 2020 21:10:08 GMT"
+ ],
+ "Content-Length": [
+ "2"
+ ],
+ "Content-Type": [
+ "application/json; charset=utf-8"
+ ],
+ "Expires": [
+ "-1"
+ ]
+ },
+ "ResponseBody": "{}",
+ "StatusCode": 200
+ }
+ ],
+ "Names": {},
+ "Variables": {
+ "SubscriptionId": "1c61ccbf-70b3-45a3-a1fb-848ce46d70a6"
+ }
+}
\ No newline at end of file
diff --git a/src/SecurityInsights/SecurityInsights.Test/SessionRecords/Microsoft.Azure.Commands.SecurityInsights.Test.ScenarioTests.ActionsTests/RemoveAction.json b/src/SecurityInsights/SecurityInsights.Test/SessionRecords/Microsoft.Azure.Commands.SecurityInsights.Test.ScenarioTests.ActionsTests/RemoveAction.json
new file mode 100644
index 000000000000..770a18f6502a
--- /dev/null
+++ b/src/SecurityInsights/SecurityInsights.Test/SessionRecords/Microsoft.Azure.Commands.SecurityInsights.Test.ScenarioTests.ActionsTests/RemoveAction.json
@@ -0,0 +1,275 @@
+{
+ "Entries": [
+ {
+ "RequestUri": "/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/alertRules/d1ae0250-f1d8-4cd2-9806-e2375dd7c4ae?api-version=2020-01-01",
+ "EncodedRequestUri": "L3N1YnNjcmlwdGlvbnMvMWM2MWNjYmYtNzBiMy00NWEzLWExZmItODQ4Y2U0NmQ3MGE2L3Jlc291cmNlR3JvdXBzL25kaWNvbGEtYXpzcG9zaC9wcm92aWRlcnMvTWljcm9zb2Z0Lk9wZXJhdGlvbmFsSW5zaWdodHMvd29ya3NwYWNlcy9henNwb3NoL3Byb3ZpZGVycy9NaWNyb3NvZnQuU2VjdXJpdHlJbnNpZ2h0cy9hbGVydFJ1bGVzL2QxYWUwMjUwLWYxZDgtNGNkMi05ODA2LWUyMzc1ZGQ3YzRhZT9hcGktdmVyc2lvbj0yMDIwLTAxLTAx",
+ "RequestMethod": "PUT",
+ "RequestBody": "{\r\n \"kind\": \"Scheduled\",\r\n \"properties\": {\r\n \"query\": \"SecurityAlert | take 1\",\r\n \"queryFrequency\": \"PT5H\",\r\n \"queryPeriod\": \"PT5H\",\r\n \"severity\": \"Low\",\r\n \"triggerOperator\": \"GreaterThan\",\r\n \"triggerThreshold\": 10,\r\n \"displayName\": \"PoshModuleTest\",\r\n \"enabled\": true,\r\n \"suppressionDuration\": \"PT1H\",\r\n \"suppressionEnabled\": false\r\n }\r\n}",
+ "RequestHeaders": {
+ "x-ms-client-request-id": [
+ "f1b4cef9-77e9-416b-b513-8227c616ff6a"
+ ],
+ "Accept-Language": [
+ "en-US"
+ ],
+ "User-Agent": [
+ "FxVersion/4.6.29321.03",
+ "OSName/Windows",
+ "OSVersion/Microsoft.Windows.10.0.19042.",
+ "Microsoft.Azure.Management.SecurityInsights.SecurityInsightsClient/1.0.0.0"
+ ],
+ "Content-Type": [
+ "application/json; charset=utf-8"
+ ],
+ "Content-Length": [
+ "372"
+ ]
+ },
+ "ResponseHeaders": {
+ "Cache-Control": [
+ "no-cache"
+ ],
+ "Pragma": [
+ "no-cache"
+ ],
+ "x-ms-ratelimit-remaining-subscription-writes": [
+ "1199"
+ ],
+ "api-supported-versions": [
+ "2019-01-01-preview"
+ ],
+ "Server": [
+ "Kestrel"
+ ],
+ "x-ms-request-id": [
+ "6e87242e-035d-47ad-b18d-73af35267a05"
+ ],
+ "x-ms-correlation-request-id": [
+ "6e87242e-035d-47ad-b18d-73af35267a05"
+ ],
+ "x-ms-routing-request-id": [
+ "WESTUS2:20201210T211047Z:6e87242e-035d-47ad-b18d-73af35267a05"
+ ],
+ "Strict-Transport-Security": [
+ "max-age=31536000; includeSubDomains"
+ ],
+ "X-Content-Type-Options": [
+ "nosniff"
+ ],
+ "Date": [
+ "Thu, 10 Dec 2020 21:10:47 GMT"
+ ],
+ "Content-Length": [
+ "972"
+ ],
+ "Content-Type": [
+ "application/json; charset=utf-8"
+ ],
+ "Expires": [
+ "-1"
+ ]
+ },
+ "ResponseBody": "{\r\n \"id\": \"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/alertRules/d1ae0250-f1d8-4cd2-9806-e2375dd7c4ae\",\r\n \"name\": \"d1ae0250-f1d8-4cd2-9806-e2375dd7c4ae\",\r\n \"etag\": \"\\\"c200c6a6-0000-0100-0000-5fd28ed70000\\\"\",\r\n \"type\": \"Microsoft.SecurityInsights/alertRules\",\r\n \"kind\": \"Scheduled\",\r\n \"properties\": {\r\n \"severity\": \"Low\",\r\n \"query\": \"SecurityAlert | take 1\",\r\n \"queryFrequency\": \"PT5H\",\r\n \"queryPeriod\": \"PT5H\",\r\n \"triggerOperator\": \"GreaterThan\",\r\n \"triggerThreshold\": 10,\r\n \"suppressionDuration\": \"PT1H\",\r\n \"suppressionEnabled\": false,\r\n \"incidentConfiguration\": {\r\n \"createIncident\": true,\r\n \"groupingConfiguration\": {\r\n \"enabled\": false,\r\n \"reopenClosedIncident\": false,\r\n \"lookbackDuration\": \"PT5M\",\r\n \"entitiesMatchingMethod\": \"All\",\r\n \"groupByEntities\": []\r\n }\r\n },\r\n \"displayName\": \"PoshModuleTest\",\r\n \"enabled\": true,\r\n \"description\": null,\r\n \"tactics\": null,\r\n \"alertRuleTemplateName\": null,\r\n \"lastModifiedUtc\": \"2020-12-10T21:10:47.2745527Z\"\r\n }\r\n}",
+ "StatusCode": 201
+ },
+ {
+ "RequestUri": "/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/alertRules/d1ae0250-f1d8-4cd2-9806-e2375dd7c4ae/actions/4044b6d3-de80-4c37-81f2-46d96dfdd78b?api-version=2020-01-01",
+ "EncodedRequestUri": "L3N1YnNjcmlwdGlvbnMvMWM2MWNjYmYtNzBiMy00NWEzLWExZmItODQ4Y2U0NmQ3MGE2L3Jlc291cmNlR3JvdXBzL25kaWNvbGEtYXpzcG9zaC9wcm92aWRlcnMvTWljcm9zb2Z0Lk9wZXJhdGlvbmFsSW5zaWdodHMvd29ya3NwYWNlcy9henNwb3NoL3Byb3ZpZGVycy9NaWNyb3NvZnQuU2VjdXJpdHlJbnNpZ2h0cy9hbGVydFJ1bGVzL2QxYWUwMjUwLWYxZDgtNGNkMi05ODA2LWUyMzc1ZGQ3YzRhZS9hY3Rpb25zLzQwNDRiNmQzLWRlODAtNGMzNy04MWYyLTQ2ZDk2ZGZkZDc4Yj9hcGktdmVyc2lvbj0yMDIwLTAxLTAx",
+ "RequestMethod": "PUT",
+ "RequestBody": "{\r\n \"properties\": {\r\n \"logicAppResourceId\": \"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.Logic/workflows/Block-AADUser\",\r\n \"triggerUri\": \"https://prod-13.westus.logic.azure.com:443/workflows/826a95b1b84c4ffbaf3af3dd88fe96b5/triggers/When_a_response_to_an_Azure_Sentinel_alert_is_triggered/paths/invoke?api-version=2018-07-01-preview&sp=%2Ftriggers%2FWhen_a_response_to_an_Azure_Sentinel_alert_is_triggered%2Frun&sv=1.0&sig=pK23xWl4uJT4RWs7zopxiP0Z7CpIfCDZEanL-mEyy1E\"\r\n }\r\n}",
+ "RequestHeaders": {
+ "x-ms-client-request-id": [
+ "9a9b2323-2f57-448a-97f7-e6d91ce13d87"
+ ],
+ "Accept-Language": [
+ "en-US"
+ ],
+ "User-Agent": [
+ "FxVersion/4.6.29321.03",
+ "OSName/Windows",
+ "OSVersion/Microsoft.Windows.10.0.19042.",
+ "Microsoft.Azure.Management.SecurityInsights.SecurityInsightsClient/1.0.0.0"
+ ],
+ "Content-Type": [
+ "application/json; charset=utf-8"
+ ],
+ "Content-Length": [
+ "541"
+ ]
+ },
+ "ResponseHeaders": {
+ "Cache-Control": [
+ "no-cache"
+ ],
+ "Pragma": [
+ "no-cache"
+ ],
+ "x-ms-ratelimit-remaining-subscription-writes": [
+ "1198"
+ ],
+ "Server": [
+ "Kestrel"
+ ],
+ "x-ms-request-id": [
+ "a7a3ad25-d71e-4bd1-a60d-5f0f806ac354"
+ ],
+ "x-ms-correlation-request-id": [
+ "a7a3ad25-d71e-4bd1-a60d-5f0f806ac354"
+ ],
+ "x-ms-routing-request-id": [
+ "WESTUS2:20201210T211049Z:a7a3ad25-d71e-4bd1-a60d-5f0f806ac354"
+ ],
+ "Strict-Transport-Security": [
+ "max-age=31536000; includeSubDomains"
+ ],
+ "X-Content-Type-Options": [
+ "nosniff"
+ ],
+ "Date": [
+ "Thu, 10 Dec 2020 21:10:48 GMT"
+ ],
+ "Content-Length": [
+ "621"
+ ],
+ "Content-Type": [
+ "application/json; charset=utf-8"
+ ],
+ "Expires": [
+ "-1"
+ ]
+ },
+ "ResponseBody": "{\r\n \"id\": \"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/alertRules/d1ae0250-f1d8-4cd2-9806-e2375dd7c4ae/actions/4044b6d3-de80-4c37-81f2-46d96dfdd78b\",\r\n \"name\": \"4044b6d3-de80-4c37-81f2-46d96dfdd78b\",\r\n \"type\": \"Microsoft.SecurityInsights/alertRules/actions\",\r\n \"properties\": {\r\n \"workflowId\": \"826a95b1b84c4ffbaf3af3dd88fe96b5\",\r\n \"logicAppResourceId\": \"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.Logic/workflows/Block-AADUser\",\r\n \"operatesOn\": \"Alert\"\r\n }\r\n}",
+ "StatusCode": 201
+ },
+ {
+ "RequestUri": "/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/alertRules/d1ae0250-f1d8-4cd2-9806-e2375dd7c4ae/actions/4044b6d3-de80-4c37-81f2-46d96dfdd78b?api-version=2020-01-01",
+ "EncodedRequestUri": "L3N1YnNjcmlwdGlvbnMvMWM2MWNjYmYtNzBiMy00NWEzLWExZmItODQ4Y2U0NmQ3MGE2L3Jlc291cmNlR3JvdXBzL25kaWNvbGEtYXpzcG9zaC9wcm92aWRlcnMvTWljcm9zb2Z0Lk9wZXJhdGlvbmFsSW5zaWdodHMvd29ya3NwYWNlcy9henNwb3NoL3Byb3ZpZGVycy9NaWNyb3NvZnQuU2VjdXJpdHlJbnNpZ2h0cy9hbGVydFJ1bGVzL2QxYWUwMjUwLWYxZDgtNGNkMi05ODA2LWUyMzc1ZGQ3YzRhZS9hY3Rpb25zLzQwNDRiNmQzLWRlODAtNGMzNy04MWYyLTQ2ZDk2ZGZkZDc4Yj9hcGktdmVyc2lvbj0yMDIwLTAxLTAx",
+ "RequestMethod": "DELETE",
+ "RequestBody": "",
+ "RequestHeaders": {
+ "x-ms-client-request-id": [
+ "5ea069aa-ae04-415a-b753-bbaa1e5ec92f"
+ ],
+ "Accept-Language": [
+ "en-US"
+ ],
+ "User-Agent": [
+ "FxVersion/4.6.29321.03",
+ "OSName/Windows",
+ "OSVersion/Microsoft.Windows.10.0.19042.",
+ "Microsoft.Azure.Management.SecurityInsights.SecurityInsightsClient/1.0.0.0"
+ ]
+ },
+ "ResponseHeaders": {
+ "Cache-Control": [
+ "no-cache"
+ ],
+ "Pragma": [
+ "no-cache"
+ ],
+ "Server": [
+ "Kestrel"
+ ],
+ "x-ms-ratelimit-remaining-subscription-deletes": [
+ "14999"
+ ],
+ "x-ms-request-id": [
+ "e3df8dc9-1ab9-4040-80e6-d0a7e0321540"
+ ],
+ "x-ms-correlation-request-id": [
+ "e3df8dc9-1ab9-4040-80e6-d0a7e0321540"
+ ],
+ "x-ms-routing-request-id": [
+ "WESTUS2:20201210T211049Z:e3df8dc9-1ab9-4040-80e6-d0a7e0321540"
+ ],
+ "Strict-Transport-Security": [
+ "max-age=31536000; includeSubDomains"
+ ],
+ "X-Content-Type-Options": [
+ "nosniff"
+ ],
+ "Date": [
+ "Thu, 10 Dec 2020 21:10:49 GMT"
+ ],
+ "Expires": [
+ "-1"
+ ],
+ "Content-Length": [
+ "0"
+ ]
+ },
+ "ResponseBody": "",
+ "StatusCode": 200
+ },
+ {
+ "RequestUri": "/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/alertRules/d1ae0250-f1d8-4cd2-9806-e2375dd7c4ae?api-version=2020-01-01",
+ "EncodedRequestUri": "L3N1YnNjcmlwdGlvbnMvMWM2MWNjYmYtNzBiMy00NWEzLWExZmItODQ4Y2U0NmQ3MGE2L3Jlc291cmNlR3JvdXBzL25kaWNvbGEtYXpzcG9zaC9wcm92aWRlcnMvTWljcm9zb2Z0Lk9wZXJhdGlvbmFsSW5zaWdodHMvd29ya3NwYWNlcy9henNwb3NoL3Byb3ZpZGVycy9NaWNyb3NvZnQuU2VjdXJpdHlJbnNpZ2h0cy9hbGVydFJ1bGVzL2QxYWUwMjUwLWYxZDgtNGNkMi05ODA2LWUyMzc1ZGQ3YzRhZT9hcGktdmVyc2lvbj0yMDIwLTAxLTAx",
+ "RequestMethod": "DELETE",
+ "RequestBody": "",
+ "RequestHeaders": {
+ "x-ms-client-request-id": [
+ "2dc2bf21-1720-484d-a119-35b7656c3a9d"
+ ],
+ "Accept-Language": [
+ "en-US"
+ ],
+ "User-Agent": [
+ "FxVersion/4.6.29321.03",
+ "OSName/Windows",
+ "OSVersion/Microsoft.Windows.10.0.19042.",
+ "Microsoft.Azure.Management.SecurityInsights.SecurityInsightsClient/1.0.0.0"
+ ]
+ },
+ "ResponseHeaders": {
+ "Cache-Control": [
+ "no-cache"
+ ],
+ "Pragma": [
+ "no-cache"
+ ],
+ "x-ms-ratelimit-remaining-subscription-deletes": [
+ "14998"
+ ],
+ "api-supported-versions": [
+ "2019-01-01-preview"
+ ],
+ "Server": [
+ "Kestrel"
+ ],
+ "x-ms-request-id": [
+ "2f95e8b9-ea6f-471f-8c25-29f033783822"
+ ],
+ "x-ms-correlation-request-id": [
+ "2f95e8b9-ea6f-471f-8c25-29f033783822"
+ ],
+ "x-ms-routing-request-id": [
+ "WESTUS2:20201210T211049Z:2f95e8b9-ea6f-471f-8c25-29f033783822"
+ ],
+ "Strict-Transport-Security": [
+ "max-age=31536000; includeSubDomains"
+ ],
+ "X-Content-Type-Options": [
+ "nosniff"
+ ],
+ "Date": [
+ "Thu, 10 Dec 2020 21:10:49 GMT"
+ ],
+ "Content-Length": [
+ "2"
+ ],
+ "Content-Type": [
+ "application/json; charset=utf-8"
+ ],
+ "Expires": [
+ "-1"
+ ]
+ },
+ "ResponseBody": "{}",
+ "StatusCode": 200
+ }
+ ],
+ "Names": {},
+ "Variables": {
+ "SubscriptionId": "1c61ccbf-70b3-45a3-a1fb-848ce46d70a6"
+ }
+}
\ No newline at end of file
diff --git a/src/SecurityInsights/SecurityInsights.Test/SessionRecords/Microsoft.Azure.Commands.SecurityInsights.Test.ScenarioTests.ActionsTests/UpdateAction.json b/src/SecurityInsights/SecurityInsights.Test/SessionRecords/Microsoft.Azure.Commands.SecurityInsights.Test.ScenarioTests.ActionsTests/UpdateAction.json
new file mode 100644
index 000000000000..3f16c62c5270
--- /dev/null
+++ b/src/SecurityInsights/SecurityInsights.Test/SessionRecords/Microsoft.Azure.Commands.SecurityInsights.Test.ScenarioTests.ActionsTests/UpdateAction.json
@@ -0,0 +1,347 @@
+{
+ "Entries": [
+ {
+ "RequestUri": "/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/alertRules/1584e7a3-802c-435b-9178-5720a44be2f3?api-version=2020-01-01",
+ "EncodedRequestUri": "L3N1YnNjcmlwdGlvbnMvMWM2MWNjYmYtNzBiMy00NWEzLWExZmItODQ4Y2U0NmQ3MGE2L3Jlc291cmNlR3JvdXBzL25kaWNvbGEtYXpzcG9zaC9wcm92aWRlcnMvTWljcm9zb2Z0Lk9wZXJhdGlvbmFsSW5zaWdodHMvd29ya3NwYWNlcy9henNwb3NoL3Byb3ZpZGVycy9NaWNyb3NvZnQuU2VjdXJpdHlJbnNpZ2h0cy9hbGVydFJ1bGVzLzE1ODRlN2EzLTgwMmMtNDM1Yi05MTc4LTU3MjBhNDRiZTJmMz9hcGktdmVyc2lvbj0yMDIwLTAxLTAx",
+ "RequestMethod": "PUT",
+ "RequestBody": "{\r\n \"kind\": \"Scheduled\",\r\n \"properties\": {\r\n \"query\": \"SecurityAlert | take 1\",\r\n \"queryFrequency\": \"PT5H\",\r\n \"queryPeriod\": \"PT5H\",\r\n \"severity\": \"Low\",\r\n \"triggerOperator\": \"GreaterThan\",\r\n \"triggerThreshold\": 10,\r\n \"displayName\": \"PoshModuleTest\",\r\n \"enabled\": true,\r\n \"suppressionDuration\": \"PT1H\",\r\n \"suppressionEnabled\": false\r\n }\r\n}",
+ "RequestHeaders": {
+ "x-ms-client-request-id": [
+ "5efe1b33-9380-494f-a985-3ff6dcba0fb8"
+ ],
+ "Accept-Language": [
+ "en-US"
+ ],
+ "User-Agent": [
+ "FxVersion/4.6.29321.03",
+ "OSName/Windows",
+ "OSVersion/Microsoft.Windows.10.0.19042.",
+ "Microsoft.Azure.Management.SecurityInsights.SecurityInsightsClient/1.0.0.0"
+ ],
+ "Content-Type": [
+ "application/json; charset=utf-8"
+ ],
+ "Content-Length": [
+ "372"
+ ]
+ },
+ "ResponseHeaders": {
+ "Cache-Control": [
+ "no-cache"
+ ],
+ "Pragma": [
+ "no-cache"
+ ],
+ "x-ms-ratelimit-remaining-subscription-writes": [
+ "1199"
+ ],
+ "api-supported-versions": [
+ "2019-01-01-preview"
+ ],
+ "Server": [
+ "Kestrel"
+ ],
+ "x-ms-request-id": [
+ "0384ca21-0888-4e8e-aa0d-045f214f9eb0"
+ ],
+ "x-ms-correlation-request-id": [
+ "0384ca21-0888-4e8e-aa0d-045f214f9eb0"
+ ],
+ "x-ms-routing-request-id": [
+ "WESTUS2:20201210T212658Z:0384ca21-0888-4e8e-aa0d-045f214f9eb0"
+ ],
+ "Strict-Transport-Security": [
+ "max-age=31536000; includeSubDomains"
+ ],
+ "X-Content-Type-Options": [
+ "nosniff"
+ ],
+ "Date": [
+ "Thu, 10 Dec 2020 21:26:57 GMT"
+ ],
+ "Content-Length": [
+ "971"
+ ],
+ "Content-Type": [
+ "application/json; charset=utf-8"
+ ],
+ "Expires": [
+ "-1"
+ ]
+ },
+ "ResponseBody": "{\r\n \"id\": \"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/alertRules/1584e7a3-802c-435b-9178-5720a44be2f3\",\r\n \"name\": \"1584e7a3-802c-435b-9178-5720a44be2f3\",\r\n \"etag\": \"\\\"c3009c04-0000-0100-0000-5fd292a20000\\\"\",\r\n \"type\": \"Microsoft.SecurityInsights/alertRules\",\r\n \"kind\": \"Scheduled\",\r\n \"properties\": {\r\n \"severity\": \"Low\",\r\n \"query\": \"SecurityAlert | take 1\",\r\n \"queryFrequency\": \"PT5H\",\r\n \"queryPeriod\": \"PT5H\",\r\n \"triggerOperator\": \"GreaterThan\",\r\n \"triggerThreshold\": 10,\r\n \"suppressionDuration\": \"PT1H\",\r\n \"suppressionEnabled\": false,\r\n \"incidentConfiguration\": {\r\n \"createIncident\": true,\r\n \"groupingConfiguration\": {\r\n \"enabled\": false,\r\n \"reopenClosedIncident\": false,\r\n \"lookbackDuration\": \"PT5M\",\r\n \"entitiesMatchingMethod\": \"All\",\r\n \"groupByEntities\": []\r\n }\r\n },\r\n \"displayName\": \"PoshModuleTest\",\r\n \"enabled\": true,\r\n \"description\": null,\r\n \"tactics\": null,\r\n \"alertRuleTemplateName\": null,\r\n \"lastModifiedUtc\": \"2020-12-10T21:26:54.679712Z\"\r\n }\r\n}",
+ "StatusCode": 201
+ },
+ {
+ "RequestUri": "/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/alertRules/1584e7a3-802c-435b-9178-5720a44be2f3/actions/91c2ea2f-f40c-4bef-ab3b-43c09e4a9699?api-version=2020-01-01",
+ "EncodedRequestUri": "L3N1YnNjcmlwdGlvbnMvMWM2MWNjYmYtNzBiMy00NWEzLWExZmItODQ4Y2U0NmQ3MGE2L3Jlc291cmNlR3JvdXBzL25kaWNvbGEtYXpzcG9zaC9wcm92aWRlcnMvTWljcm9zb2Z0Lk9wZXJhdGlvbmFsSW5zaWdodHMvd29ya3NwYWNlcy9henNwb3NoL3Byb3ZpZGVycy9NaWNyb3NvZnQuU2VjdXJpdHlJbnNpZ2h0cy9hbGVydFJ1bGVzLzE1ODRlN2EzLTgwMmMtNDM1Yi05MTc4LTU3MjBhNDRiZTJmMy9hY3Rpb25zLzkxYzJlYTJmLWY0MGMtNGJlZi1hYjNiLTQzYzA5ZTRhOTY5OT9hcGktdmVyc2lvbj0yMDIwLTAxLTAx",
+ "RequestMethod": "PUT",
+ "RequestBody": "{\r\n \"properties\": {\r\n \"logicAppResourceId\": \"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.Logic/workflows/Block-AADUser\",\r\n \"triggerUri\": \"https://prod-13.westus.logic.azure.com:443/workflows/826a95b1b84c4ffbaf3af3dd88fe96b5/triggers/When_a_response_to_an_Azure_Sentinel_alert_is_triggered/paths/invoke?api-version=2018-07-01-preview&sp=%2Ftriggers%2FWhen_a_response_to_an_Azure_Sentinel_alert_is_triggered%2Frun&sv=1.0&sig=pK23xWl4uJT4RWs7zopxiP0Z7CpIfCDZEanL-mEyy1E\"\r\n }\r\n}",
+ "RequestHeaders": {
+ "x-ms-client-request-id": [
+ "631a0705-5765-4554-af99-8ffb4005ae92"
+ ],
+ "Accept-Language": [
+ "en-US"
+ ],
+ "User-Agent": [
+ "FxVersion/4.6.29321.03",
+ "OSName/Windows",
+ "OSVersion/Microsoft.Windows.10.0.19042.",
+ "Microsoft.Azure.Management.SecurityInsights.SecurityInsightsClient/1.0.0.0"
+ ],
+ "Content-Type": [
+ "application/json; charset=utf-8"
+ ],
+ "Content-Length": [
+ "541"
+ ]
+ },
+ "ResponseHeaders": {
+ "Cache-Control": [
+ "no-cache"
+ ],
+ "Pragma": [
+ "no-cache"
+ ],
+ "x-ms-ratelimit-remaining-subscription-writes": [
+ "1198"
+ ],
+ "Server": [
+ "Kestrel"
+ ],
+ "x-ms-request-id": [
+ "47d309dc-0a14-4b7d-958d-6d6237eb0e9d"
+ ],
+ "x-ms-correlation-request-id": [
+ "47d309dc-0a14-4b7d-958d-6d6237eb0e9d"
+ ],
+ "x-ms-routing-request-id": [
+ "WESTUS2:20201210T212659Z:47d309dc-0a14-4b7d-958d-6d6237eb0e9d"
+ ],
+ "Strict-Transport-Security": [
+ "max-age=31536000; includeSubDomains"
+ ],
+ "X-Content-Type-Options": [
+ "nosniff"
+ ],
+ "Date": [
+ "Thu, 10 Dec 2020 21:26:59 GMT"
+ ],
+ "Content-Length": [
+ "621"
+ ],
+ "Content-Type": [
+ "application/json; charset=utf-8"
+ ],
+ "Expires": [
+ "-1"
+ ]
+ },
+ "ResponseBody": "{\r\n \"id\": \"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/alertRules/1584e7a3-802c-435b-9178-5720a44be2f3/actions/91c2ea2f-f40c-4bef-ab3b-43c09e4a9699\",\r\n \"name\": \"91c2ea2f-f40c-4bef-ab3b-43c09e4a9699\",\r\n \"type\": \"Microsoft.SecurityInsights/alertRules/actions\",\r\n \"properties\": {\r\n \"workflowId\": \"826a95b1b84c4ffbaf3af3dd88fe96b5\",\r\n \"logicAppResourceId\": \"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.Logic/workflows/Block-AADUser\",\r\n \"operatesOn\": \"Alert\"\r\n }\r\n}",
+ "StatusCode": 201
+ },
+ {
+ "RequestUri": "/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/alertRules/1584e7a3-802c-435b-9178-5720a44be2f3/actions/91c2ea2f-f40c-4bef-ab3b-43c09e4a9699?api-version=2020-01-01",
+ "EncodedRequestUri": "L3N1YnNjcmlwdGlvbnMvMWM2MWNjYmYtNzBiMy00NWEzLWExZmItODQ4Y2U0NmQ3MGE2L3Jlc291cmNlR3JvdXBzL25kaWNvbGEtYXpzcG9zaC9wcm92aWRlcnMvTWljcm9zb2Z0Lk9wZXJhdGlvbmFsSW5zaWdodHMvd29ya3NwYWNlcy9henNwb3NoL3Byb3ZpZGVycy9NaWNyb3NvZnQuU2VjdXJpdHlJbnNpZ2h0cy9hbGVydFJ1bGVzLzE1ODRlN2EzLTgwMmMtNDM1Yi05MTc4LTU3MjBhNDRiZTJmMy9hY3Rpb25zLzkxYzJlYTJmLWY0MGMtNGJlZi1hYjNiLTQzYzA5ZTRhOTY5OT9hcGktdmVyc2lvbj0yMDIwLTAxLTAx",
+ "RequestMethod": "PUT",
+ "RequestBody": "{\r\n \"properties\": {\r\n \"logicAppResourceId\": \"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.Logic/workflows/Get-MDATPInvestigationPackage\",\r\n \"triggerUri\": \"https://prod-16.westus.logic.azure.com:443/workflows/18c75599cf3742c998d14af0f89cf3b1/triggers/When_a_response_to_an_Azure_Sentinel_alert_is_triggered/paths/invoke?api-version=2018-07-01-preview&sp=%2Ftriggers%2FWhen_a_response_to_an_Azure_Sentinel_alert_is_triggered%2Frun&sv=1.0&sig=rREdJWoN3PNCmhqwMz0KRy8apQDt8DQbZZuvlm1l4Oo\"\r\n }\r\n}",
+ "RequestHeaders": {
+ "x-ms-client-request-id": [
+ "ecd2e580-c3e1-47fa-9e18-93cfabff5969"
+ ],
+ "Accept-Language": [
+ "en-US"
+ ],
+ "User-Agent": [
+ "FxVersion/4.6.29321.03",
+ "OSName/Windows",
+ "OSVersion/Microsoft.Windows.10.0.19042.",
+ "Microsoft.Azure.Management.SecurityInsights.SecurityInsightsClient/1.0.0.0"
+ ],
+ "Content-Type": [
+ "application/json; charset=utf-8"
+ ],
+ "Content-Length": [
+ "557"
+ ]
+ },
+ "ResponseHeaders": {
+ "Cache-Control": [
+ "no-cache"
+ ],
+ "Pragma": [
+ "no-cache"
+ ],
+ "x-ms-ratelimit-remaining-subscription-writes": [
+ "1197"
+ ],
+ "Server": [
+ "Kestrel"
+ ],
+ "x-ms-request-id": [
+ "a51d1af7-4e84-4c69-85de-5a9c1e851354"
+ ],
+ "x-ms-correlation-request-id": [
+ "a51d1af7-4e84-4c69-85de-5a9c1e851354"
+ ],
+ "x-ms-routing-request-id": [
+ "WESTUS2:20201210T212700Z:a51d1af7-4e84-4c69-85de-5a9c1e851354"
+ ],
+ "Strict-Transport-Security": [
+ "max-age=31536000; includeSubDomains"
+ ],
+ "X-Content-Type-Options": [
+ "nosniff"
+ ],
+ "Date": [
+ "Thu, 10 Dec 2020 21:27:00 GMT"
+ ],
+ "Content-Length": [
+ "637"
+ ],
+ "Content-Type": [
+ "application/json; charset=utf-8"
+ ],
+ "Expires": [
+ "-1"
+ ]
+ },
+ "ResponseBody": "{\r\n \"id\": \"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/alertRules/1584e7a3-802c-435b-9178-5720a44be2f3/actions/91c2ea2f-f40c-4bef-ab3b-43c09e4a9699\",\r\n \"name\": \"91c2ea2f-f40c-4bef-ab3b-43c09e4a9699\",\r\n \"type\": \"Microsoft.SecurityInsights/alertRules/actions\",\r\n \"properties\": {\r\n \"workflowId\": \"18c75599cf3742c998d14af0f89cf3b1\",\r\n \"logicAppResourceId\": \"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.Logic/workflows/Get-MDATPInvestigationPackage\",\r\n \"operatesOn\": \"Alert\"\r\n }\r\n}",
+ "StatusCode": 200
+ },
+ {
+ "RequestUri": "/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/alertRules/1584e7a3-802c-435b-9178-5720a44be2f3/actions/91c2ea2f-f40c-4bef-ab3b-43c09e4a9699?api-version=2020-01-01",
+ "EncodedRequestUri": "L3N1YnNjcmlwdGlvbnMvMWM2MWNjYmYtNzBiMy00NWEzLWExZmItODQ4Y2U0NmQ3MGE2L3Jlc291cmNlR3JvdXBzL25kaWNvbGEtYXpzcG9zaC9wcm92aWRlcnMvTWljcm9zb2Z0Lk9wZXJhdGlvbmFsSW5zaWdodHMvd29ya3NwYWNlcy9henNwb3NoL3Byb3ZpZGVycy9NaWNyb3NvZnQuU2VjdXJpdHlJbnNpZ2h0cy9hbGVydFJ1bGVzLzE1ODRlN2EzLTgwMmMtNDM1Yi05MTc4LTU3MjBhNDRiZTJmMy9hY3Rpb25zLzkxYzJlYTJmLWY0MGMtNGJlZi1hYjNiLTQzYzA5ZTRhOTY5OT9hcGktdmVyc2lvbj0yMDIwLTAxLTAx",
+ "RequestMethod": "GET",
+ "RequestBody": "",
+ "RequestHeaders": {
+ "x-ms-client-request-id": [
+ "fd8e67a7-35ac-47ad-8105-195ee5aed493"
+ ],
+ "Accept-Language": [
+ "en-US"
+ ],
+ "User-Agent": [
+ "FxVersion/4.6.29321.03",
+ "OSName/Windows",
+ "OSVersion/Microsoft.Windows.10.0.19042.",
+ "Microsoft.Azure.Management.SecurityInsights.SecurityInsightsClient/1.0.0.0"
+ ]
+ },
+ "ResponseHeaders": {
+ "Cache-Control": [
+ "no-cache"
+ ],
+ "Pragma": [
+ "no-cache"
+ ],
+ "x-ms-ratelimit-remaining-subscription-reads": [
+ "11999"
+ ],
+ "Server": [
+ "Kestrel"
+ ],
+ "x-ms-request-id": [
+ "ab12c248-f7ff-423f-9a33-5ce88914b165"
+ ],
+ "x-ms-correlation-request-id": [
+ "ab12c248-f7ff-423f-9a33-5ce88914b165"
+ ],
+ "x-ms-routing-request-id": [
+ "WESTUS2:20201210T212659Z:ab12c248-f7ff-423f-9a33-5ce88914b165"
+ ],
+ "Strict-Transport-Security": [
+ "max-age=31536000; includeSubDomains"
+ ],
+ "X-Content-Type-Options": [
+ "nosniff"
+ ],
+ "Date": [
+ "Thu, 10 Dec 2020 21:26:59 GMT"
+ ],
+ "Content-Length": [
+ "671"
+ ],
+ "Content-Type": [
+ "application/json; charset=utf-8"
+ ],
+ "Expires": [
+ "-1"
+ ]
+ },
+ "ResponseBody": "{\r\n \"id\": \"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/alertRules/1584e7a3-802c-435b-9178-5720a44be2f3/actions/91c2ea2f-f40c-4bef-ab3b-43c09e4a9699\",\r\n \"name\": \"91c2ea2f-f40c-4bef-ab3b-43c09e4a9699\",\r\n \"etag\": \"\\\"2c051fd2-0000-0300-0000-5fd292a30000\\\"\",\r\n \"type\": \"Microsoft.SecurityInsights/alertRules/actions\",\r\n \"properties\": {\r\n \"workflowId\": \"826a95b1b84c4ffbaf3af3dd88fe96b5\",\r\n \"logicAppResourceId\": \"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.Logic/workflows/Block-AADUser\",\r\n \"operatesOn\": \"Alert\"\r\n }\r\n}",
+ "StatusCode": 200
+ },
+ {
+ "RequestUri": "/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/alertRules/1584e7a3-802c-435b-9178-5720a44be2f3?api-version=2020-01-01",
+ "EncodedRequestUri": "L3N1YnNjcmlwdGlvbnMvMWM2MWNjYmYtNzBiMy00NWEzLWExZmItODQ4Y2U0NmQ3MGE2L3Jlc291cmNlR3JvdXBzL25kaWNvbGEtYXpzcG9zaC9wcm92aWRlcnMvTWljcm9zb2Z0Lk9wZXJhdGlvbmFsSW5zaWdodHMvd29ya3NwYWNlcy9henNwb3NoL3Byb3ZpZGVycy9NaWNyb3NvZnQuU2VjdXJpdHlJbnNpZ2h0cy9hbGVydFJ1bGVzLzE1ODRlN2EzLTgwMmMtNDM1Yi05MTc4LTU3MjBhNDRiZTJmMz9hcGktdmVyc2lvbj0yMDIwLTAxLTAx",
+ "RequestMethod": "DELETE",
+ "RequestBody": "",
+ "RequestHeaders": {
+ "x-ms-client-request-id": [
+ "c7ce8373-d85a-4b17-b1e9-6033d9c1dbc2"
+ ],
+ "Accept-Language": [
+ "en-US"
+ ],
+ "User-Agent": [
+ "FxVersion/4.6.29321.03",
+ "OSName/Windows",
+ "OSVersion/Microsoft.Windows.10.0.19042.",
+ "Microsoft.Azure.Management.SecurityInsights.SecurityInsightsClient/1.0.0.0"
+ ]
+ },
+ "ResponseHeaders": {
+ "Cache-Control": [
+ "no-cache"
+ ],
+ "Pragma": [
+ "no-cache"
+ ],
+ "x-ms-ratelimit-remaining-subscription-deletes": [
+ "14999"
+ ],
+ "api-supported-versions": [
+ "2019-01-01-preview"
+ ],
+ "Server": [
+ "Kestrel"
+ ],
+ "x-ms-request-id": [
+ "ca12c214-7467-46ed-bc72-95d214c16e99"
+ ],
+ "x-ms-correlation-request-id": [
+ "ca12c214-7467-46ed-bc72-95d214c16e99"
+ ],
+ "x-ms-routing-request-id": [
+ "WESTUS2:20201210T212701Z:ca12c214-7467-46ed-bc72-95d214c16e99"
+ ],
+ "Strict-Transport-Security": [
+ "max-age=31536000; includeSubDomains"
+ ],
+ "X-Content-Type-Options": [
+ "nosniff"
+ ],
+ "Date": [
+ "Thu, 10 Dec 2020 21:27:00 GMT"
+ ],
+ "Content-Length": [
+ "2"
+ ],
+ "Content-Type": [
+ "application/json; charset=utf-8"
+ ],
+ "Expires": [
+ "-1"
+ ]
+ },
+ "ResponseBody": "{}",
+ "StatusCode": 200
+ }
+ ],
+ "Names": {},
+ "Variables": {
+ "SubscriptionId": "1c61ccbf-70b3-45a3-a1fb-848ce46d70a6"
+ }
+}
\ No newline at end of file
diff --git a/src/SecurityInsights/SecurityInsights.Test/SessionRecords/Microsoft.Azure.Commands.SecurityInsights.Test.ScenarioTests.AlertRuleTemplatesTests/Get.json b/src/SecurityInsights/SecurityInsights.Test/SessionRecords/Microsoft.Azure.Commands.SecurityInsights.Test.ScenarioTests.AlertRuleTemplatesTests/Get.json
new file mode 100644
index 000000000000..0a056419d82b
--- /dev/null
+++ b/src/SecurityInsights/SecurityInsights.Test/SessionRecords/Microsoft.Azure.Commands.SecurityInsights.Test.ScenarioTests.AlertRuleTemplatesTests/Get.json
@@ -0,0 +1,134 @@
+{
+ "Entries": [
+ {
+ "RequestUri": "/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/alertRuleTemplates?api-version=2020-01-01",
+ "EncodedRequestUri": "L3N1YnNjcmlwdGlvbnMvMWM2MWNjYmYtNzBiMy00NWEzLWExZmItODQ4Y2U0NmQ3MGE2L3Jlc291cmNlR3JvdXBzL25kaWNvbGEtYXpzcG9zaC9wcm92aWRlcnMvTWljcm9zb2Z0Lk9wZXJhdGlvbmFsSW5zaWdodHMvd29ya3NwYWNlcy9henNwb3NoL3Byb3ZpZGVycy9NaWNyb3NvZnQuU2VjdXJpdHlJbnNpZ2h0cy9hbGVydFJ1bGVUZW1wbGF0ZXM/YXBpLXZlcnNpb249MjAyMC0wMS0wMQ==",
+ "RequestMethod": "GET",
+ "RequestBody": "",
+ "RequestHeaders": {
+ "x-ms-client-request-id": [
+ "2cca60e0-2c00-46ba-b757-af7fd3f20370"
+ ],
+ "Accept-Language": [
+ "en-US"
+ ],
+ "User-Agent": [
+ "FxVersion/4.6.29321.03",
+ "OSName/Windows",
+ "OSVersion/Microsoft.Windows.10.0.19042.",
+ "Microsoft.Azure.Management.SecurityInsights.SecurityInsightsClient/1.0.0.0"
+ ]
+ },
+ "ResponseHeaders": {
+ "Cache-Control": [
+ "no-cache"
+ ],
+ "Pragma": [
+ "no-cache"
+ ],
+ "x-ms-ratelimit-remaining-subscription-reads": [
+ "11999"
+ ],
+ "Server": [
+ "Kestrel"
+ ],
+ "x-ms-request-id": [
+ "127a4fe5-5121-48c8-8c27-ddabf7ccdaa3"
+ ],
+ "x-ms-correlation-request-id": [
+ "127a4fe5-5121-48c8-8c27-ddabf7ccdaa3"
+ ],
+ "x-ms-routing-request-id": [
+ "WESTUS2:20201210T214404Z:127a4fe5-5121-48c8-8c27-ddabf7ccdaa3"
+ ],
+ "Strict-Transport-Security": [
+ "max-age=31536000; includeSubDomains"
+ ],
+ "X-Content-Type-Options": [
+ "nosniff"
+ ],
+ "Date": [
+ "Thu, 10 Dec 2020 21:44:03 GMT"
+ ],
+ "Content-Length": [
+ "517052"
+ ],
+ "Content-Type": [
+ "application/json; charset=utf-8"
+ ],
+ "Expires": [
+ "-1"
+ ]
+ },
+ "ResponseBody": "{\r\n \"value\": [\r\n {\r\n \"id\": \"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/AlertRuleTemplates/826bb2f8-7894-4785-9a6b-a8a855d8366f\",\r\n \"name\": \"826bb2f8-7894-4785-9a6b-a8a855d8366f\",\r\n \"type\": \"Microsoft.SecurityInsights/AlertRuleTemplates\",\r\n \"kind\": \"Scheduled\",\r\n \"properties\": {\r\n \"severity\": \"Medium\",\r\n \"query\": \"let EventNameList = dynamic([\\\"AttachUserPolicy\\\",\\\"AttachRolePolicy\\\",\\\"AttachGroupPolicy\\\"]);\\nlet createPolicy = \\\"CreatePolicy\\\";\\nlet timeframe = 1d;\\nlet lookback = 14d;\\n// Creating Master table with all the events to use with materialize for better performance\\nlet EventInfo = AWSCloudTrail\\n| where TimeGenerated >= ago(lookback)\\n| where EventName in (EventNameList) or EventName == createPolicy;\\n//Checking for Policy creation event with Full Admin Privileges since lookback period.\\nlet FullAdminPolicyEvents = materialize( EventInfo\\n| where TimeGenerated >= ago(lookback)\\n| where EventName == createPolicy\\n| extend PolicyName = tostring(parse_json(RequestParameters).policyName)\\n| extend Statement = parse_json(tostring((parse_json(RequestParameters).policyDocument))).Statement\\n| mvexpand Statement\\n| extend Action = parse_json(Statement).Action , Effect = tostring(parse_json(Statement).Effect), Resource = tostring(parse_json(Statement).Resource)\\n| mvexpand Action\\n| extend Action = tostring(Action)\\n| where Effect =~ \\\"Allow\\\" and Action == \\\"*\\\" and Resource == \\\"*\\\"\\n| distinct TimeGenerated, EventName, PolicyName, SourceIpAddress, UserIdentityArn, UserIdentityUserName\\n| extend UserIdentityUserName = iff(isnotempty(UserIdentityUserName), UserIdentityUserName, tostring(split(UserIdentityArn,'/')[-1]))\\n| project-rename StartTime = TimeGenerated );\\nlet PolicyAttach = materialize( EventInfo\\n| where TimeGenerated >= ago(timeframe)\\n| where EventName in (EventNameList)\\n| extend PolicyName = tostring(split(tostring(parse_json(RequestParameters).policyArn),\\\"/\\\")[1])\\n| summarize AttachEventCount=count(), StartTime = min(TimeGenerated), EndTime = max(TimeGenerated) by EventSource, EventName, UserIdentityType , UserIdentityArn, SourceIpAddress, UserIdentityUserName = iff(isnotempty(UserIdentityUserName), UserIdentityUserName, tostring(split(UserIdentityArn,'/')[-1])), PolicyName\\n| extend AttachEvent = pack(\\\"StartTime\\\", StartTime, \\\"EndTime\\\", EndTime, \\\"EventName\\\", EventName, \\\"UserIdentityType\\\", UserIdentityType, \\\"UserIdentityArn\\\", UserIdentityArn, \\\"SourceIpAddress\\\", SourceIpAddress, \\\"UserIdentityUserName\\\", UserIdentityUserName)\\n| project EventSource, PolicyName, AttachEvent, AttachEventCount\\n);\\n// Joining the list of PolicyNames and checking if it has been attached to any Roles/Users/Groups.\\n// These Roles/Users/Groups will be Privileged and can be used by adversaries as pivot point for privilege escalation via multiple ways.\\nFullAdminPolicyEvents\\n| join kind=leftouter\\n(\\n PolicyAttach\\n)\\non PolicyName\\n| project-away PolicyName1\\n| extend timestamp = StartTime, IPCustomEntity = SourceIpAddress, AccountCustomEntity = UserIdentityUserName\",\r\n \"queryFrequency\": \"P1D\",\r\n \"queryPeriod\": \"P14D\",\r\n \"triggerOperator\": \"GreaterThan\",\r\n \"triggerThreshold\": 0,\r\n \"entityMappings\": [\r\n {\r\n \"entityType\": \"Account\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"FullName\",\r\n \"columnName\": \"AccountCustomEntity\"\r\n }\r\n ]\r\n },\r\n {\r\n \"entityType\": \"IP\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"Address\",\r\n \"columnName\": \"IPCustomEntity\"\r\n }\r\n ]\r\n }\r\n ],\r\n \"displayName\": \"Full Admin policy created and then attached to Roles, Users or Groups\",\r\n \"description\": \"Identity and Access Management (IAM) securely manages access to AWS services and resources. \\nIdentifies when a policy is created with Full Administrators Access (Allow-Action:*,Resource:*). \\nThis policy can be attached to role,user or group and may be used by an adversary to escalate a normal user privileges to an adminsitrative level.\\nAWS IAM Policy Grammar: https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_grammar.html\\nand AWS IAM API at https://docs.aws.amazon.com/IAM/latest/APIReference/API_Operations.html\",\r\n \"tactics\": [\r\n \"PrivilegeEscalation\"\r\n ],\r\n \"lastUpdatedDateUTC\": \"2020-11-17T00:00:00Z\",\r\n \"createdDateUTC\": \"2020-04-27T00:00:00Z\",\r\n \"status\": \"Available\",\r\n \"requiredDataConnectors\": [\r\n {\r\n \"connectorId\": \"AWS\",\r\n \"dataTypes\": [\r\n \"AWSCloudTrail\"\r\n ]\r\n }\r\n ],\r\n \"alertRulesCreatedByTemplateCount\": 0\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/AlertRuleTemplates/fb0f4a93-d8ad-4b54-9931-85bdb7550f90\",\r\n \"name\": \"fb0f4a93-d8ad-4b54-9931-85bdb7550f90\",\r\n \"type\": \"Microsoft.SecurityInsights/AlertRuleTemplates\",\r\n \"kind\": \"Scheduled\",\r\n \"properties\": {\r\n \"severity\": \"Medium\",\r\n \"query\": \"let timeframe = ago(1h);\\nSymantecProxySG\\n| where TimeGenerated >= timeframe\\n| mv-expand cs_categories\\n| where cs_categories has_any (\\\"Suspicious\\\",\\\"phishing\\\", \\\"hacking\\\")\\n| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated), count() by sc_filter_result, cs_userdn, c_ip, cs_host, Computer, tostring(cs_categories)\\n| extend timestamp = StartTime, AccountCustomEntity = cs_userdn, IPCustomEntity = c_ip, HostCustomEntity = Computer\",\r\n \"queryFrequency\": \"PT1H\",\r\n \"queryPeriod\": \"PT1H\",\r\n \"triggerOperator\": \"GreaterThan\",\r\n \"triggerThreshold\": 0,\r\n \"entityMappings\": [\r\n {\r\n \"entityType\": \"Account\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"FullName\",\r\n \"columnName\": \"AccountCustomEntity\"\r\n }\r\n ]\r\n },\r\n {\r\n \"entityType\": \"Host\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"FullName\",\r\n \"columnName\": \"HostCustomEntity\"\r\n }\r\n ]\r\n },\r\n {\r\n \"entityType\": \"IP\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"Address\",\r\n \"columnName\": \"IPCustomEntity\"\r\n }\r\n ]\r\n }\r\n ],\r\n \"displayName\": \"User Accessed Suspicious URL Categories\",\r\n \"description\": \"Creates an incident in the event the requested URL accessed by the user has been identified as Suspicious, Phishing, or Hacking.\",\r\n \"tactics\": [\r\n \"DefenseEvasion\"\r\n ],\r\n \"lastUpdatedDateUTC\": \"2020-11-17T00:00:00Z\",\r\n \"createdDateUTC\": \"2020-06-06T00:00:00Z\",\r\n \"status\": \"Available\",\r\n \"requiredDataConnectors\": [\r\n {\r\n \"connectorId\": \"SymantecProxySG\",\r\n \"dataTypes\": [\r\n \"Syslog\"\r\n ]\r\n }\r\n ],\r\n \"alertRulesCreatedByTemplateCount\": 0\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/AlertRuleTemplates/a2e0eb51-1f11-461a-999b-cd0ebe5c7a72\",\r\n \"name\": \"a2e0eb51-1f11-461a-999b-cd0ebe5c7a72\",\r\n \"type\": \"Microsoft.SecurityInsights/AlertRuleTemplates\",\r\n \"kind\": \"MicrosoftSecurityIncidentCreation\",\r\n \"properties\": {\r\n \"productFilter\": \"Azure Security Center for IoT\",\r\n \"displayName\": \"Create incidents based on Azure Security Center for IoT alerts\",\r\n \"description\": \"Create incidents based on all alerts generated in Azure Security Center for IoT\",\r\n \"lastUpdatedDateUTC\": \"2019-12-24T00:00:00Z\",\r\n \"createdDateUTC\": \"2019-12-24T00:00:00Z\",\r\n \"status\": \"Available\",\r\n \"requiredDataConnectors\": [\r\n {\r\n \"connectorId\": \"IoT\",\r\n \"dataTypes\": [\r\n \"SecurityAlert (ASC for IoT)\"\r\n ]\r\n }\r\n ],\r\n \"alertRulesCreatedByTemplateCount\": 2\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/AlertRuleTemplates/83ba3057-9ea3-4759-bf6a-933f2e5bc7ee\",\r\n \"name\": \"83ba3057-9ea3-4759-bf6a-933f2e5bc7ee\",\r\n \"type\": \"Microsoft.SecurityInsights/AlertRuleTemplates\",\r\n \"kind\": \"Scheduled\",\r\n \"properties\": {\r\n \"severity\": \"Medium\",\r\n \"query\": \"let current = 1d;\\nlet auditLookback = 7d;\\n// Setting threshold to 3 as a default, change as needed. \\n// Any operation that has been initiated by a user or app more than 3 times in the past 7 days will be excluded\\nlet threshold = 3;\\n// Gather initial data from lookback period, excluding current, adjust current to more than a single day if no results\\nlet AuditTrail = AuditLogs | where TimeGenerated >= ago(auditLookback) and TimeGenerated < ago(current)\\n// 2 other operations that can be part of malicious activity in this situation are \\n// \\\"Add OAuth2PermissionGrant\\\" and \\\"Add service principal\\\", extend the filter below to capture these too\\n| where OperationName == \\\"Consent to application\\\"\\n| extend InitiatedBy = iff(isnotempty(tostring(parse_json(tostring(InitiatedBy.user)).userPrincipalName)), \\ntostring(parse_json(tostring(InitiatedBy.user)).userPrincipalName), tostring(parse_json(tostring(InitiatedBy.app)).displayName))\\n| extend TargetResourceName = tolower(tostring(TargetResources.[0].displayName))\\n| summarize max(TimeGenerated), OperationCount = count() by OperationName, InitiatedBy, TargetResourceName\\n// only including operations by initiated by a user or app that is above the threshold so we produce only rare and has not occurred in last 7 days\\n| where OperationCount > threshold\\n;\\n// Gather current period of audit data\\nlet RecentConsent = AuditLogs | where TimeGenerated >= ago(current)\\n| where OperationName == \\\"Consent to application\\\"\\n| extend IpAddress = iff(isnotempty(tostring(parse_json(tostring(InitiatedBy.user)).ipAddress)), \\ntostring(parse_json(tostring(InitiatedBy.user)).ipAddress), tostring(parse_json(tostring(InitiatedBy.app)).ipAddress))\\n| extend InitiatedBy = iff(isnotempty(tostring(parse_json(tostring(InitiatedBy.user)).userPrincipalName)), \\ntostring(parse_json(tostring(InitiatedBy.user)).userPrincipalName), tostring(parse_json(tostring(InitiatedBy.app)).displayName))\\n| extend TargetResourceName = tolower(tostring(TargetResources.[0].displayName))\\n| parse TargetResources.[0].modifiedProperties with * \\\"ConsentType: \\\" ConsentType \\\"]\\\" *\\n| project TimeGenerated, InitiatedBy, IpAddress, TargetResourceName, Category, OperationName, ConsentType , CorrelationId, Type;\\n// Exclude previously seen audit activity for \\\"Consent to application\\\" that was seen in the lookback period\\n// First for rare InitiatedBy\\nlet RareConsentBy = RecentConsent | join kind= leftanti AuditTrail on OperationName, InitiatedBy \\n| extend Reason = \\\"Previously unseen user consenting\\\";\\n// Second for rare TargetResourceName\\nlet RareConsentApp = RecentConsent | join kind= leftanti AuditTrail on OperationName, TargetResourceName\\n| extend Reason = \\\"Previously unseen app granted consent\\\";\\nRareConsentBy | union RareConsentApp\\n| summarize Reason = makeset(Reason) by TimeGenerated, InitiatedBy, IpAddress, TargetResourceName, Category, OperationName, ConsentType, CorrelationId, Type\\n| extend timestamp = TimeGenerated, AccountCustomEntity = InitiatedBy, HostCustomEntity = TargetResourceName, IPCustomEntity = IpAddress\",\r\n \"queryFrequency\": \"P1D\",\r\n \"queryPeriod\": \"P7D\",\r\n \"triggerOperator\": \"GreaterThan\",\r\n \"triggerThreshold\": 3,\r\n \"entityMappings\": [\r\n {\r\n \"entityType\": \"Account\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"FullName\",\r\n \"columnName\": \"AccountCustomEntity\"\r\n }\r\n ]\r\n },\r\n {\r\n \"entityType\": \"Host\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"FullName\",\r\n \"columnName\": \"HostCustomEntity\"\r\n }\r\n ]\r\n },\r\n {\r\n \"entityType\": \"IP\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"Address\",\r\n \"columnName\": \"IPCustomEntity\"\r\n }\r\n ]\r\n }\r\n ],\r\n \"displayName\": \"Rare application consent\",\r\n \"description\": \"This will alert when the \\\"Consent to application\\\" operation occurs by a user that has not done this operation before or rarely does this.\\nThis could indicate that permissions to access the listed Azure App were provided to a malicious actor. \\nConsent to application, Add service principal and Add OAuth2PermissionGrant should typically be rare events. \\nThis may help detect the Oauth2 attack that can be initiated by this publicly available tool - https://github.com/fireeye/PwnAuth\\nFor further information on AuditLogs please see https://docs.microsoft.com/azure/active-directory/reports-monitoring/reference-audit-activities.\",\r\n \"tactics\": [\r\n \"Persistence\",\r\n \"LateralMovement\",\r\n \"Collection\"\r\n ],\r\n \"lastUpdatedDateUTC\": \"2020-11-17T00:00:00Z\",\r\n \"createdDateUTC\": \"2019-07-04T00:00:00Z\",\r\n \"status\": \"Available\",\r\n \"requiredDataConnectors\": [\r\n {\r\n \"connectorId\": \"AzureActiveDirectory\",\r\n \"dataTypes\": [\r\n \"AuditLogs\"\r\n ]\r\n }\r\n ],\r\n \"alertRulesCreatedByTemplateCount\": 0\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/AlertRuleTemplates/2441bce9-02e4-407b-8cc7-7d597f38b8b0\",\r\n \"name\": \"2441bce9-02e4-407b-8cc7-7d597f38b8b0\",\r\n \"type\": \"Microsoft.SecurityInsights/AlertRuleTemplates\",\r\n \"kind\": \"Scheduled\",\r\n \"properties\": {\r\n \"severity\": \"Medium\",\r\n \"query\": \"let dt_lookBack = 1h;\\nlet ioc_lookBack = 14d;\\nThreatIntelligenceIndicator\\n| where TimeGenerated >= ago(ioc_lookBack) and ExpirationDateTime > now()\\n| where Active == true\\n// Picking up only IOC's that contain the entities we want\\n| where isnotempty(NetworkIP) or isnotempty(EmailSourceIpAddress) or isnotempty(NetworkDestinationIP) or isnotempty(NetworkSourceIP)\\n// As there is potentially more than 1 indicator type for matching IP, taking NetworkIP first, then others if that is empty.\\n// Taking the first non-empty value based on potential IOC match availability\\n| extend TI_ipEntity = iff(isnotempty(NetworkIP), NetworkIP, NetworkDestinationIP)\\n| extend TI_ipEntity = iff(isempty(TI_ipEntity) and isnotempty(NetworkSourceIP), NetworkSourceIP, TI_ipEntity)\\n| extend TI_ipEntity = iff(isempty(TI_ipEntity) and isnotempty(EmailSourceIpAddress), EmailSourceIpAddress, TI_ipEntity)\\n| join (\\n AzureActivity | where TimeGenerated >= ago(dt_lookBack)\\n // renaming time column so it is clear the log this came from\\n | extend AzureActivity_TimeGenerated = TimeGenerated\\n)\\non $left.TI_ipEntity == $right.CallerIpAddress\\n| summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId\\n| project LatestIndicatorTime, Description, ActivityGroupNames, IndicatorId, ThreatType, Url, ExpirationDateTime, ConfidenceScore, AzureActivity_TimeGenerated,\\nTI_ipEntity, CallerIpAddress, Caller, OperationName, ActivityStatus, Category, ResourceId, NetworkIP, NetworkDestinationIP, NetworkSourceIP, EmailSourceIpAddress\\n| extend timestamp = AzureActivity_TimeGenerated, IPCustomEntity = CallerIpAddress, AccountCustomEntity = Caller, URLCustomEntity = Url\",\r\n \"queryFrequency\": \"PT1H\",\r\n \"queryPeriod\": \"P14D\",\r\n \"triggerOperator\": \"GreaterThan\",\r\n \"triggerThreshold\": 0,\r\n \"entityMappings\": [\r\n {\r\n \"entityType\": \"Account\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"FullName\",\r\n \"columnName\": \"AccountCustomEntity\"\r\n }\r\n ]\r\n },\r\n {\r\n \"entityType\": \"IP\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"Address\",\r\n \"columnName\": \"IPCustomEntity\"\r\n }\r\n ]\r\n },\r\n {\r\n \"entityType\": \"URL\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"Url\",\r\n \"columnName\": \"URLCustomEntity\"\r\n }\r\n ]\r\n }\r\n ],\r\n \"displayName\": \"(Preview) TI map IP entity to AzureActivity\",\r\n \"description\": \"Identifies a match in AzureActivity from any IP IOC from TI\",\r\n \"tactics\": [\r\n \"Impact\"\r\n ],\r\n \"lastUpdatedDateUTC\": \"2020-11-17T00:00:00Z\",\r\n \"createdDateUTC\": \"2019-08-27T00:00:00Z\",\r\n \"status\": \"Available\",\r\n \"requiredDataConnectors\": [\r\n {\r\n \"connectorId\": \"ThreatIntelligence\",\r\n \"dataTypes\": [\r\n \"ThreatIntelligenceIndicator\"\r\n ]\r\n },\r\n {\r\n \"connectorId\": \"ThreatIntelligenceTaxii\",\r\n \"dataTypes\": [\r\n \"ThreatIntelligenceIndicator\"\r\n ]\r\n },\r\n {\r\n \"connectorId\": \"AzureActivity\",\r\n \"dataTypes\": [\r\n \"AzureActivity\"\r\n ]\r\n }\r\n ],\r\n \"alertRulesCreatedByTemplateCount\": 0\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/AlertRuleTemplates/ee1d718b-9ed9-4a71-90cd-a483a4f008df\",\r\n \"name\": \"ee1d718b-9ed9-4a71-90cd-a483a4f008df\",\r\n \"type\": \"Microsoft.SecurityInsights/AlertRuleTemplates\",\r\n \"kind\": \"MicrosoftSecurityIncidentCreation\",\r\n \"properties\": {\r\n \"productFilter\": \"Office 365 Advanced Threat Protection\",\r\n \"displayName\": \"Create incidents based on Office 365 Advanced Threat Protection alerts\",\r\n \"description\": \"Create incidents based on all alerts generated in Office 365 Advanced Threat Protection\",\r\n \"lastUpdatedDateUTC\": \"2020-09-01T00:00:00Z\",\r\n \"createdDateUTC\": \"2020-04-20T00:00:00Z\",\r\n \"status\": \"Available\",\r\n \"requiredDataConnectors\": [\r\n {\r\n \"connectorId\": \"OfficeATP\",\r\n \"dataTypes\": [\r\n \"SecurityAlert (OATP)\"\r\n ]\r\n }\r\n ],\r\n \"alertRulesCreatedByTemplateCount\": 1\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/AlertRuleTemplates/106813db-679e-4382-a51b-1bfc463befc3\",\r\n \"name\": \"106813db-679e-4382-a51b-1bfc463befc3\",\r\n \"type\": \"Microsoft.SecurityInsights/AlertRuleTemplates\",\r\n \"kind\": \"Scheduled\",\r\n \"properties\": {\r\n \"severity\": \"Medium\",\r\n \"query\": \"let dt_lookBack = 1h;\\nlet ioc_lookBack = 14d;\\nThreatIntelligenceIndicator\\n| where TimeGenerated >= ago(ioc_lookBack) and ExpirationDateTime > now()\\n| summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId\\n| where Active == true\\n// Picking up only IOC's that contain the entities we want\\n| where isnotempty(Url)\\n| join (\\n CommonSecurityLog\\n | extend IngestionTime = ingestion_time()\\n | where IngestionTime > ago(dt_lookBack)\\n // Select on Palo Alto logs\\n | where DeviceVendor =~ \\\"Palo Alto Networks\\\"\\n | where DeviceEventClassID =~ 'url'\\n //Uncomment the line below to only alert on allowed connections\\n //| where DeviceAction !~ \\\"block-url\\\"\\n //Select logs where URL data is populated\\n | extend PA_Url = columnifexists(\\\"RequestURL\\\", \\\"None\\\")\\n | extend PA_Url = iif(isempty(PA_Url), extract(\\\"([^\\\\\\\"]+)\\\", 1, tolower(AdditionalExtensions)), trim('\\\"', PA_Url))\\n | extend PA_Url = iif(PA_Url !startswith \\\"http://\\\" and ApplicationProtocol !~ \\\"ssl\\\", strcat('http://', PA_Url), iif(PA_Url !startswith \\\"https://\\\" and ApplicationProtocol =~ \\\"ssl\\\", strcat('https://', PA_Url), PA_Url))\\n | where isnotempty(PA_Url)\\n | extend CSL_TimeGenerated = TimeGenerated\\n) on $left.Url == $right.PA_Url\\n| project LatestIndicatorTime, Description, ActivityGroupNames, IndicatorId, ThreatType, ExpirationDateTime, ConfidenceScore, DeviceAction, SourceIP, CSL_TimeGenerated, PA_Url, DeviceName\\n| extend timestamp = CSL_TimeGenerated, IPCustomEntity = SourceIP, HostCustomEntity = DeviceName, URLCustomEntity = PA_Url\",\r\n \"queryFrequency\": \"PT1H\",\r\n \"queryPeriod\": \"P14D\",\r\n \"triggerOperator\": \"GreaterThan\",\r\n \"triggerThreshold\": 0,\r\n \"entityMappings\": [\r\n {\r\n \"entityType\": \"Host\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"FullName\",\r\n \"columnName\": \"HostCustomEntity\"\r\n }\r\n ]\r\n },\r\n {\r\n \"entityType\": \"IP\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"Address\",\r\n \"columnName\": \"IPCustomEntity\"\r\n }\r\n ]\r\n },\r\n {\r\n \"entityType\": \"URL\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"Url\",\r\n \"columnName\": \"URLCustomEntity\"\r\n }\r\n ]\r\n }\r\n ],\r\n \"displayName\": \"(Preview) TI map URL entity to PaloAlto data\",\r\n \"description\": \"Identifies a match in PaloAlto data from any URL IOC from TI\",\r\n \"tactics\": [\r\n \"Impact\"\r\n ],\r\n \"lastUpdatedDateUTC\": \"2020-11-17T00:00:00Z\",\r\n \"createdDateUTC\": \"2019-08-27T00:00:00Z\",\r\n \"status\": \"Available\",\r\n \"requiredDataConnectors\": [\r\n {\r\n \"connectorId\": \"PaloAltoNetworks\",\r\n \"dataTypes\": [\r\n \"CommonSecurityLog\"\r\n ]\r\n },\r\n {\r\n \"connectorId\": \"ThreatIntelligence\",\r\n \"dataTypes\": [\r\n \"ThreatIntelligenceIndicator\"\r\n ]\r\n },\r\n {\r\n \"connectorId\": \"ThreatIntelligenceTaxii\",\r\n \"dataTypes\": [\r\n \"ThreatIntelligenceIndicator\"\r\n ]\r\n }\r\n ],\r\n \"alertRulesCreatedByTemplateCount\": 0\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/AlertRuleTemplates/5dd76a87-9f87-4576-bab3-268b0e2b338b\",\r\n \"name\": \"5dd76a87-9f87-4576-bab3-268b0e2b338b\",\r\n \"type\": \"Microsoft.SecurityInsights/AlertRuleTemplates\",\r\n \"kind\": \"Scheduled\",\r\n \"properties\": {\r\n \"severity\": \"Medium\",\r\n \"query\": \"let threshold = 5;\\nlet szSharePointFileOperation = \\\"SharePointFileOperation\\\";\\nlet szOperations = dynamic([\\\"FileDownloaded\\\", \\\"FileUploaded\\\"]);\\nlet starttime = 14d;\\nlet endtime = 1d;\\nlet historicalActivity =\\nOfficeActivity\\n| where TimeGenerated between(ago(starttime)..ago(endtime))\\n| where RecordType =~ szSharePointFileOperation\\n| where Operation in~ (szOperations)\\n| where isnotempty(UserAgent)\\n| summarize historicalCount = count() by UserAgent, RecordType, Operation;\\nlet recentActivity = OfficeActivity\\n| where RecordType =~ szSharePointFileOperation\\n| where Operation in~ (szOperations)\\n| where TimeGenerated > ago(endtime)\\n| where isnotempty(UserAgent)\\n| summarize min(Start_Time), max(Start_Time), recentCount = count() by UserAgent, RecordType, Operation;\\nlet RareUserAgent = recentActivity | join kind = leftanti (historicalActivity) on UserAgent\\n| order by recentCount desc, UserAgent\\n// More than 3 downloads/uploads from a new user agent today\\n| where recentCount > threshold;\\nOfficeActivity \\n| where TimeGenerated > ago(endtime) \\n| where RecordType =~ szSharePointFileOperation \\n| where Operation in~ (szOperations)\\n| where isnotempty(UserAgent)\\n| join kind= inner (RareUserAgent)\\non UserAgent, RecordType, Operation \\n| where Start_Time between(min_Start_Time .. max_Start_Time)\\n| summarize StartTimeUtc = min(min_Start_Time), EndTimeUtc = max(max_Start_Time) by RecordType, Operation, UserAgent, UserType, UserId, ClientIP, OfficeWorkload, Site_Url, OfficeObjectId, UserAgentSeenCount = recentCount\\n| extend timestamp = StartTimeUtc, AccountCustomEntity = UserId, IPCustomEntity = ClientIP, URLCustomEntity = Site_Url\\n| order by UserAgentSeenCount desc, UserAgent asc, Operation asc, UserId asc\",\r\n \"queryFrequency\": \"P1D\",\r\n \"queryPeriod\": \"P14D\",\r\n \"triggerOperator\": \"GreaterThan\",\r\n \"triggerThreshold\": 0,\r\n \"entityMappings\": [\r\n {\r\n \"entityType\": \"Account\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"FullName\",\r\n \"columnName\": \"AccountCustomEntity\"\r\n }\r\n ]\r\n },\r\n {\r\n \"entityType\": \"IP\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"Address\",\r\n \"columnName\": \"IPCustomEntity\"\r\n }\r\n ]\r\n },\r\n {\r\n \"entityType\": \"URL\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"Url\",\r\n \"columnName\": \"URLCustomEntity\"\r\n }\r\n ]\r\n }\r\n ],\r\n \"displayName\": \"SharePointFileOperation via devices with previously unseen user agents\",\r\n \"description\": \"Identifies if the number of documents uploaded or downloaded from device(s) associated\\nwith a previously unseen user agent exceeds a threshold (default is 5).\",\r\n \"tactics\": [\r\n \"Exfiltration\"\r\n ],\r\n \"lastUpdatedDateUTC\": \"2020-11-17T00:00:00Z\",\r\n \"createdDateUTC\": \"2019-08-23T00:00:00Z\",\r\n \"status\": \"Available\",\r\n \"requiredDataConnectors\": [\r\n {\r\n \"connectorId\": \"Office365\",\r\n \"dataTypes\": [\r\n \"OfficeActivity\"\r\n ]\r\n }\r\n ],\r\n \"alertRulesCreatedByTemplateCount\": 0\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/AlertRuleTemplates/2c55fe7a-b06f-4029-a5b9-c54a2320d7b8\",\r\n \"name\": \"2c55fe7a-b06f-4029-a5b9-c54a2320d7b8\",\r\n \"type\": \"Microsoft.SecurityInsights/AlertRuleTemplates\",\r\n \"kind\": \"Scheduled\",\r\n \"properties\": {\r\n \"severity\": \"Medium\",\r\n \"query\": \"let starttime = 14d;\\nlet endtime = 1d;\\nlet timeframe = 1h;\\nlet TotalEventsThreshold = 5;\\nlet ExeList = dynamic([\\\"powershell.exe\\\",\\\"cmd.exe\\\",\\\"wmic.exe\\\",\\\"psexec.exe\\\",\\\"cacls.exe\\\",\\\"rundll.exe\\\"]);\\nlet TimeSeriesData = \\nSecurityEvent\\n| where EventID == 4688 | extend Process = tolower(Process)\\n| where TimeGenerated between (startofday(ago(starttime))..startofday(ago(endtime)))\\n| where Process in (ExeList)\\n| project TimeGenerated, Computer, AccountType, Account, Process\\n| make-series Total=count() on TimeGenerated from ago(starttime) to ago(endtime) step timeframe by Process;\\nlet TimeSeriesAlerts = TimeSeriesData\\n| extend (anomalies, score, baseline) = series_decompose_anomalies(Total, 1.5, -1, 'linefit')\\n| mv-expand Total to typeof(double), TimeGenerated to typeof(datetime), anomalies to typeof(double), score to typeof(double), baseline to typeof(long)\\n| where anomalies > 0\\n| project Process, TimeGenerated, Total, baseline, anomalies, score\\n| where Total > TotalEventsThreshold;\\nTimeSeriesAlerts\\n| join (\\nSecurityEvent\\n| where EventID == 4688 | extend Process = tolower(Process)\\n| summarize CommandlineCount = count() by bin(TimeGenerated, 1h), Process, CommandLine, Computer, Account\\n) on Process, TimeGenerated \\n| project AnomalyHour = TimeGenerated, Computer, Account, Process, CommandLine, CommandlineCount, Total, baseline, anomalies, score \\n| extend timestamp = AnomalyHour, AccountCustomEntity = Account, HostCustomEntity = Computer\",\r\n \"queryFrequency\": \"PT1H\",\r\n \"queryPeriod\": \"P14D\",\r\n \"triggerOperator\": \"GreaterThan\",\r\n \"triggerThreshold\": 0,\r\n \"entityMappings\": [\r\n {\r\n \"entityType\": \"Account\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"FullName\",\r\n \"columnName\": \"AccountCustomEntity\"\r\n }\r\n ]\r\n },\r\n {\r\n \"entityType\": \"Host\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"FullName\",\r\n \"columnName\": \"HostCustomEntity\"\r\n }\r\n ]\r\n }\r\n ],\r\n \"displayName\": \"Process execution frequency anomaly\",\r\n \"description\": \"Identifies anomalous spike in frequency of executions of sensitive processes which are often leveraged as attack vectors. \\nThe query leverages KQL built-in anomaly detection algorithms to find large deviations from baseline patterns. \\nSudden increases in execution frequency of sensitive processes should be further investigated for malicious activity.\\nTune the values from 1.5 to 3 in series_decompose_anomalies for further outliers or based on custom threshold values for score.\",\r\n \"tactics\": [\r\n \"Execution\"\r\n ],\r\n \"lastUpdatedDateUTC\": \"2020-11-17T00:00:00Z\",\r\n \"createdDateUTC\": \"2019-05-07T00:00:00Z\",\r\n \"status\": \"Available\",\r\n \"requiredDataConnectors\": [\r\n {\r\n \"connectorId\": \"SecurityEvents\",\r\n \"dataTypes\": [\r\n \"SecurityEvent\"\r\n ]\r\n }\r\n ],\r\n \"alertRulesCreatedByTemplateCount\": 0\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/AlertRuleTemplates/f0be259a-34ac-4946-aa15-ca2b115d5feb\",\r\n \"name\": \"f0be259a-34ac-4946-aa15-ca2b115d5feb\",\r\n \"type\": \"Microsoft.SecurityInsights/AlertRuleTemplates\",\r\n \"kind\": \"Scheduled\",\r\n \"properties\": {\r\n \"severity\": \"Low\",\r\n \"query\": \"let starttime = 2d;\\nlet endtime = 1d;\\nlet TimeDeltaThreshold = 10;\\nlet TotalEventsThreshold = 15;\\nlet PercentBeaconThreshold = 80;\\nlet PrivateIPregex = @'^127\\\\.|^10\\\\.|^172\\\\.1[6-9]\\\\.|^172\\\\.2[0-9]\\\\.|^172\\\\.3[0-1]\\\\.|^192\\\\.168\\\\.';\\nCommonSecurityLog\\n| where DeviceVendor == \\\"Palo Alto Networks\\\" and Activity == \\\"TRAFFIC\\\"\\n| where TimeGenerated between (ago(starttime)..ago(endtime))\\n| extend DestinationIPType = iff(DestinationIP matches regex PrivateIPregex,\\\"private\\\" ,\\\"public\\\" )\\n| where DestinationIPType == \\\"public\\\"\\n| project TimeGenerated, DeviceName, SourceUserID, SourceIP, SourcePort, DestinationIP, DestinationPort, ReceivedBytes, SentBytes\\n| sort by SourceIP asc,TimeGenerated asc, DestinationIP asc, DestinationPort asc\\n| serialize\\n| extend nextTimeGenerated = next(TimeGenerated, 1), nextSourceIP = next(SourceIP, 1)\\n| extend TimeDeltainSeconds = datetime_diff('second',nextTimeGenerated,TimeGenerated)\\n| where SourceIP == nextSourceIP\\n//Whitelisting criteria/ threshold criteria\\n| where TimeDeltainSeconds > TimeDeltaThreshold \\n| project TimeGenerated, TimeDeltainSeconds, DeviceName, SourceUserID, SourceIP, SourcePort, DestinationIP, DestinationPort, ReceivedBytes, SentBytes\\n| summarize count(), sum(ReceivedBytes), sum(SentBytes), make_list(TimeDeltainSeconds) \\nby TimeDeltainSeconds, bin(TimeGenerated, 1h), DeviceName, SourceUserID, SourceIP, DestinationIP, DestinationPort\\n| summarize (MostFrequentTimeDeltaCount, MostFrequentTimeDeltainSeconds) = arg_max(count_, TimeDeltainSeconds), TotalEvents=sum(count_), TotalSentBytes = sum(sum_SentBytes), TotalReceivedBytes = sum(sum_ReceivedBytes) \\nby bin(TimeGenerated, 1h), DeviceName, SourceUserID, SourceIP, DestinationIP, DestinationPort\\n| where TotalEvents > TotalEventsThreshold \\n| extend BeaconPercent = MostFrequentTimeDeltaCount/toreal(TotalEvents) * 100\\n| where BeaconPercent > PercentBeaconThreshold\\n| extend timestamp = TimeGenerated, IPCustomEntity = DestinationIP, AccountCustomEntity = SourceUserID, HostCustomEntity = DeviceName\",\r\n \"queryFrequency\": \"P1D\",\r\n \"queryPeriod\": \"P1D\",\r\n \"triggerOperator\": \"GreaterThan\",\r\n \"triggerThreshold\": 0,\r\n \"entityMappings\": [\r\n {\r\n \"entityType\": \"Account\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"FullName\",\r\n \"columnName\": \"AccountCustomEntity\"\r\n }\r\n ]\r\n },\r\n {\r\n \"entityType\": \"Host\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"FullName\",\r\n \"columnName\": \"HostCustomEntity\"\r\n }\r\n ]\r\n },\r\n {\r\n \"entityType\": \"IP\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"Address\",\r\n \"columnName\": \"IPCustomEntity\"\r\n }\r\n ]\r\n }\r\n ],\r\n \"displayName\": \"Palo Alto - potential beaconing detected\",\r\n \"description\": \"Identifies beaconing patterns from Palo Alto Network traffic logs based on recurrent timedelta patterns. \\nThe query leverages various KQL functions to calculate time deltas and then compares it with total events observed in a day to find percentage of beaconing. \\nThis outbound beaconing pattern to untrusted public networks should be investigated for any malware callbacks or data exfiltration attempts.\\nReference Blog:\\nhttp://www.austintaylor.io/detect/beaconing/intrusion/detection/system/command/control/flare/elastic/stack/2017/06/10/detect-beaconing-with-flare-elasticsearch-and-intrusion-detection-systems/\",\r\n \"tactics\": [\r\n \"CommandAndControl\"\r\n ],\r\n \"lastUpdatedDateUTC\": \"2020-11-17T00:00:00Z\",\r\n \"createdDateUTC\": \"2019-05-07T00:00:00Z\",\r\n \"status\": \"Available\",\r\n \"requiredDataConnectors\": [\r\n {\r\n \"connectorId\": \"PaloAltoNetworks\",\r\n \"dataTypes\": [\r\n \"CommonSecurityLog\"\r\n ]\r\n }\r\n ],\r\n \"alertRulesCreatedByTemplateCount\": 0\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/AlertRuleTemplates/c775a46b-21b1-46d7-afa6-37e3e577a27b\",\r\n \"name\": \"c775a46b-21b1-46d7-afa6-37e3e577a27b\",\r\n \"type\": \"Microsoft.SecurityInsights/AlertRuleTemplates\",\r\n \"kind\": \"Scheduled\",\r\n \"properties\": {\r\n \"severity\": \"Medium\",\r\n \"query\": \"let timeframe = ago(1h);\\nlet threshold = 15;\\nSymantecVIP\\n| where TimeGenerated > timeframe\\n| where isnotempty(RADIUSAuth)\\n| where RADIUSAuth =~ \\\"Reject\\\"\\n| summarize Total = count() by bin(TimeGenerated, 15m), User, ClientIP\\n| where Total > threshold\\n| extend timestamp = TimeGenerated, IPCustomEntity = ClientIP, AccountCustomEntity = User\",\r\n \"queryFrequency\": \"PT1H\",\r\n \"queryPeriod\": \"PT1H\",\r\n \"triggerOperator\": \"GreaterThan\",\r\n \"triggerThreshold\": 0,\r\n \"entityMappings\": [\r\n {\r\n \"entityType\": \"Account\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"FullName\",\r\n \"columnName\": \"AccountCustomEntity\"\r\n }\r\n ]\r\n },\r\n {\r\n \"entityType\": \"IP\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"Address\",\r\n \"columnName\": \"IPCustomEntity\"\r\n }\r\n ]\r\n }\r\n ],\r\n \"displayName\": \"Excessive Failed Authentication from Invalid Inputs\",\r\n \"description\": \"Creates an incident in the event that a user generates an excessive amount of failed authentications due to invalid inputs, indications of a potential brute force.\",\r\n \"tactics\": [\r\n \"CredentialAccess\"\r\n ],\r\n \"lastUpdatedDateUTC\": \"2020-11-17T00:00:00Z\",\r\n \"createdDateUTC\": \"2020-06-06T00:00:00Z\",\r\n \"status\": \"Available\",\r\n \"requiredDataConnectors\": [\r\n {\r\n \"connectorId\": \"SymantecVIP\",\r\n \"dataTypes\": [\r\n \"Syslog\"\r\n ]\r\n }\r\n ],\r\n \"alertRulesCreatedByTemplateCount\": 0\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/AlertRuleTemplates/69a45b05-71f5-45ca-8944-2e038747fb39\",\r\n \"name\": \"69a45b05-71f5-45ca-8944-2e038747fb39\",\r\n \"type\": \"Microsoft.SecurityInsights/AlertRuleTemplates\",\r\n \"kind\": \"Scheduled\",\r\n \"properties\": {\r\n \"severity\": \"Medium\",\r\n \"query\": \"let endtime = 1d;\\nlet starttime = 8d;\\n// The threshold below excludes matching on RDP connection computer counts of 5 or more by a given account and IP in a given day. Change the threshold as needed.\\nlet threshold = 5;\\nSecurityEvent\\n| where TimeGenerated >= ago(endtime) \\n| where EventID == 4624 and LogonType == 10\\n// Labeling the first RDP connection time, computer and ip\\n| extend FirstHop = TimeGenerated, FirstComputer = toupper(Computer), FirstIPAddress = IpAddress, Account = tolower(Account) \\n| join kind=inner (\\nSecurityEvent\\n| where TimeGenerated >= ago(endtime) \\n| where EventID == 4624 and LogonType == 10\\n// Labeling the second RDP connection time, computer and ip\\n| extend SecondHop = TimeGenerated, SecondComputer = toupper(Computer), SecondIPAddress = IpAddress, Account = tolower(Account)\\n) on Account\\n// Make sure that the first connection is after the second connection --> SecondHop > FirstHop\\n// Then identify only RDP to another computer from within the first RDP connection by only choosing matches where the Computer names do not match --> FirstComputer != SecondComputer\\n// Then make sure the IPAddresses do not match by excluding connections from the same computers with first hop RDP connections to multiple computers --> FirstIPAddress != SecondIPAddress\\n| where FirstComputer != SecondComputer and FirstIPAddress != SecondIPAddress and SecondHop > FirstHop\\n// where the second hop occurs within 30 minutes of the first hop\\n| where SecondHop <= FirstHop+30m\\n| distinct Account, FirstHop, FirstComputer, FirstIPAddress, SecondHop, SecondComputer, SecondIPAddress, AccountType, Activity, LogonTypeName, ProcessName\\n// use left anti to exclude anything from the previous 7 days where the Account and IP has connected 5 or more computers.\\n| join kind=leftanti (\\nSecurityEvent\\n| where TimeGenerated >= ago(starttime) and TimeGenerated < ago(endtime) \\n| where EventID == 4624 and LogonType == 10\\n| summarize makeset(Computer), ComputerCount = dcount(Computer) by bin(TimeGenerated, 1d), Account = tolower(Account), IpAddress\\n// Connection count to computer by same account and IP to exclude counts of 5 or more on a given day\\n| where ComputerCount >= threshold\\n| mvexpand set_Computer\\n| extend Computer = toupper(set_Computer)\\n) on Account, $left.SecondComputer == $right.Computer, $left.SecondIPAddress == $right.IpAddress\\n| summarize FirstHopFirstSeen = min(FirstHop), FirstHopLastSeen = max(FirstHop) by Account, FirstComputer, FirstIPAddress, SecondHop, SecondComputer, \\nSecondIPAddress, AccountType, Activity, LogonTypeName, ProcessName\\n| extend timestamp = FirstHopFirstSeen, AccountCustomEntity = Account, HostCustomEntity = FirstComputer, IPCustomEntity = FirstIPAddress\",\r\n \"queryFrequency\": \"P1D\",\r\n \"queryPeriod\": \"P8D\",\r\n \"triggerOperator\": \"GreaterThan\",\r\n \"triggerThreshold\": 0,\r\n \"entityMappings\": [\r\n {\r\n \"entityType\": \"Account\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"FullName\",\r\n \"columnName\": \"AccountCustomEntity\"\r\n }\r\n ]\r\n },\r\n {\r\n \"entityType\": \"Host\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"FullName\",\r\n \"columnName\": \"HostCustomEntity\"\r\n }\r\n ]\r\n },\r\n {\r\n \"entityType\": \"IP\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"Address\",\r\n \"columnName\": \"IPCustomEntity\"\r\n }\r\n ]\r\n }\r\n ],\r\n \"displayName\": \"RDP Nesting\",\r\n \"description\": \"Identifies when an RDP connection is made to a first system and then an RDP connection is made from the first system \\nto another system with the same account within the 60 minutes. Additionally, if historically daily \\nRDP connections are indicated by the logged EventID 4624 with LogonType = 10\",\r\n \"tactics\": [\r\n \"LateralMovement\"\r\n ],\r\n \"lastUpdatedDateUTC\": \"2020-11-17T00:00:00Z\",\r\n \"createdDateUTC\": \"2019-10-21T00:00:00Z\",\r\n \"status\": \"Available\",\r\n \"requiredDataConnectors\": [\r\n {\r\n \"connectorId\": \"SecurityEvents\",\r\n \"dataTypes\": [\r\n \"SecurityEvent\"\r\n ]\r\n }\r\n ],\r\n \"alertRulesCreatedByTemplateCount\": 0\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/AlertRuleTemplates/cf3ede88-a429-493b-9108-3e46d3c741f7\",\r\n \"name\": \"cf3ede88-a429-493b-9108-3e46d3c741f7\",\r\n \"type\": \"Microsoft.SecurityInsights/AlertRuleTemplates\",\r\n \"kind\": \"Scheduled\",\r\n \"properties\": {\r\n \"severity\": \"Low\",\r\n \"query\": \"let timeRange = 6h;\\nlet authenticationWindow = 1h;\\nlet authenticationThreshold = 5;\\nSecurityEvent\\n| where TimeGenerated > ago(timeRange)\\n| where EventID == 4624 or EventID == 4625\\n| where IpAddress != \\\"-\\\" and isnotempty(Account)\\n| extend Outcome = iff(EventID == 4624, \\\"Success\\\", \\\"Failure\\\")\\n// bin outcomes into 5 minute windows to reduce the volume of data\\n| summarize OutcomeCount=count() by Account, IpAddress, Computer, Outcome, bin(TimeGenerated, 5m)\\n| project TimeGenerated, Account, IpAddress, Computer, Outcome, OutcomeCount\\n// sort ready for sessionizing - by account and time of the authentication outcome\\n| sort by Account asc, TimeGenerated asc\\n| serialize \\n// sessionize into failure groupings until either the account changes or there is a success\\n| extend SessionStartedUtc = row_window_session(TimeGenerated, timeRange, authenticationWindow, Account != prev(Account) or prev(Outcome) == \\\"Success\\\")\\n// count the failures in each session\\n| summarize FailureCountBeforeSuccess=sumif(OutcomeCount, Outcome == \\\"Failure\\\"), StartTime=min(TimeGenerated), EndTime=max(TimeGenerated), makelist(Outcome), makeset(Computer), makeset(IpAddress) by SessionStartedUtc, Account\\n// the session must not start with a success, and must end with one\\n| where array_index_of(list_Outcome, \\\"Success\\\") != 0\\n| where array_index_of(list_Outcome, \\\"Success\\\") == array_length(list_Outcome) - 1\\n| project-away SessionStartedUtc, list_Outcome \\n// where the number of failures before the success is above the threshold \\n| where FailureCountBeforeSuccess >= authenticationThreshold\\n// expand out ip and computer for customer entity assignment\\n| mvexpand set_IpAddress, set_Computer\\n| extend IpAddress = tostring(set_IpAddress), Computer = tostring(set_Computer)\\n| extend timestamp=StartTime, AccountCustomEntity=Account, HostCustomEntity=Computer, IPCustomEntity=IpAddress\",\r\n \"queryFrequency\": \"PT6H\",\r\n \"queryPeriod\": \"PT6H\",\r\n \"triggerOperator\": \"GreaterThan\",\r\n \"triggerThreshold\": 0,\r\n \"entityMappings\": [\r\n {\r\n \"entityType\": \"Account\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"FullName\",\r\n \"columnName\": \"AccountCustomEntity\"\r\n }\r\n ]\r\n },\r\n {\r\n \"entityType\": \"Host\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"FullName\",\r\n \"columnName\": \"HostCustomEntity\"\r\n }\r\n ]\r\n },\r\n {\r\n \"entityType\": \"IP\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"Address\",\r\n \"columnName\": \"IPCustomEntity\"\r\n }\r\n ]\r\n }\r\n ],\r\n \"displayName\": \"SecurityEvent - Multiple authentication failures followed by a success\",\r\n \"description\": \"Identifies accounts who have failed to logon to the domain multiple times in a row, followed by a successful authentication\\nwithin a short time frame. Multiple failed attempts followed by a success can be an indication of a brute force attempt or\\npossible mis-configuration of a service account within an environment.\\nThe lookback is set to 6h and the authentication window and threshold are set to 1h and 5, meaning we need to see a minimum\\nof 5 failures followed by a success for an account within 1 hour to surface an alert.\",\r\n \"tactics\": [\r\n \"CredentialAccess\"\r\n ],\r\n \"lastUpdatedDateUTC\": \"2020-11-17T00:00:00Z\",\r\n \"createdDateUTC\": \"2020-04-03T00:00:00Z\",\r\n \"status\": \"Available\",\r\n \"requiredDataConnectors\": [\r\n {\r\n \"connectorId\": \"SecurityEvents\",\r\n \"dataTypes\": [\r\n \"SecurityEvent\"\r\n ]\r\n }\r\n ],\r\n \"alertRulesCreatedByTemplateCount\": 0\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/AlertRuleTemplates/4f19d4e3-ec5f-4abc-9e61-819eb131758c\",\r\n \"name\": \"4f19d4e3-ec5f-4abc-9e61-819eb131758c\",\r\n \"type\": \"Microsoft.SecurityInsights/AlertRuleTemplates\",\r\n \"kind\": \"Scheduled\",\r\n \"properties\": {\r\n \"severity\": \"Low\",\r\n \"query\": \"let timeframe = 1d;\\nlet EventNameList = dynamic([ \\\"AuthorizeSecurityGroupEgress\\\", \\\"AuthorizeSecurityGroupIngress\\\", \\\"RevokeSecurityGroupEgress\\\", \\\"RevokeSecurityGroupIngress\\\"]);\\nAWSCloudTrail\\n| where TimeGenerated >= ago(timeframe)\\n| where EventName in~ (EventNameList)\\n| extend User = iif(isnotempty(UserIdentityUserName), UserIdentityUserName, SessionIssuerUserName)\\n| summarize EventCount=count(), StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated) \\nby EventSource, EventName, UserIdentityType, User, SourceIpAddress, UserAgent, SessionMfaAuthenticated, AWSRegion, \\nAdditionalEventData, UserIdentityAccountId, UserIdentityPrincipalid, ResponseElements\\n| extend timestamp = StartTimeUtc, AccountCustomEntity = User , IPCustomEntity = SourceIpAddress\",\r\n \"queryFrequency\": \"P1D\",\r\n \"queryPeriod\": \"P1D\",\r\n \"triggerOperator\": \"GreaterThan\",\r\n \"triggerThreshold\": 0,\r\n \"entityMappings\": [\r\n {\r\n \"entityType\": \"Account\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"FullName\",\r\n \"columnName\": \"AccountCustomEntity\"\r\n }\r\n ]\r\n },\r\n {\r\n \"entityType\": \"IP\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"Address\",\r\n \"columnName\": \"IPCustomEntity\"\r\n }\r\n ]\r\n }\r\n ],\r\n \"displayName\": \"Changes to AWS Security Group ingress and egress settings\",\r\n \"description\": \"A Security Group acts as a virtual firewall of an instance to control inbound and outbound traffic. \\n Hence, ingress and egress settings changes to AWS Security Group should be monitored as these can expose the enviornment to new attack vectors.\\nMore information: https://medium.com/@GorillaStack/the-most-important-aws-cloudtrail-security-events-to-track-a5b9873f8255.\",\r\n \"tactics\": [\r\n \"Persistence\"\r\n ],\r\n \"lastUpdatedDateUTC\": \"2020-11-17T00:00:00Z\",\r\n \"createdDateUTC\": \"2019-02-27T00:00:00Z\",\r\n \"status\": \"Available\",\r\n \"requiredDataConnectors\": [\r\n {\r\n \"connectorId\": \"AWS\",\r\n \"dataTypes\": [\r\n \"AWSCloudTrail\"\r\n ]\r\n }\r\n ],\r\n \"alertRulesCreatedByTemplateCount\": 0\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/AlertRuleTemplates/84cf1d59-f620-4fee-b569-68daf7008b7b\",\r\n \"name\": \"84cf1d59-f620-4fee-b569-68daf7008b7b\",\r\n \"type\": \"Microsoft.SecurityInsights/AlertRuleTemplates\",\r\n \"kind\": \"Scheduled\",\r\n \"properties\": {\r\n \"severity\": \"Medium\",\r\n \"query\": \"let timeframe = ago(1h);\\nlet threshold = 10;\\nQualysHostDetection_CL\\n| where TimeGenerated >= timeframe\\n| mv-expand todynamic(Detections_s)\\n| extend Status = tostring(Detections_s.Status), Vulnerability = tostring(Detections_s.Results), Severity = tostring(Detections_s.Severity)\\n| where Status =~ \\\"New\\\" and Severity == \\\"5\\\"\\n| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated), dcount(NetBios_s) by tostring(Detections_s.QID)\\n| where dcount_NetBios_s >= threshold\\n| extend timestamp = StartTime\",\r\n \"queryFrequency\": \"PT1H\",\r\n \"queryPeriod\": \"PT1H\",\r\n \"triggerOperator\": \"GreaterThan\",\r\n \"triggerThreshold\": 0,\r\n \"displayName\": \"New High Severity Vulnerability Detected Across Multiple Hosts\",\r\n \"description\": \"This creates an incident when a new high severity vulnerability is detected across multilple hosts\",\r\n \"tactics\": [\r\n \"InitialAccess\"\r\n ],\r\n \"lastUpdatedDateUTC\": \"2020-06-20T00:00:00Z\",\r\n \"createdDateUTC\": \"2020-06-20T00:00:00Z\",\r\n \"status\": \"Available\",\r\n \"requiredDataConnectors\": [\r\n {\r\n \"connectorId\": \"QualysVulnerabilityManagement\",\r\n \"dataTypes\": [\r\n \"QualysHostDetection_CL\"\r\n ]\r\n }\r\n ],\r\n \"alertRulesCreatedByTemplateCount\": 0\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/AlertRuleTemplates/fbd72eb8-087e-466b-bd54-1ca6ea08c6d3\",\r\n \"name\": \"fbd72eb8-087e-466b-bd54-1ca6ea08c6d3\",\r\n \"type\": \"Microsoft.SecurityInsights/AlertRuleTemplates\",\r\n \"kind\": \"Scheduled\",\r\n \"properties\": {\r\n \"severity\": \"Medium\",\r\n \"query\": \"let timeframe = 1d;\\nOfficeActivity\\n| where TimeGenerated >= ago(timeframe)\\n| where RecordType =~ \\\"ExchangeAdmin\\\"\\n| where UserType in~ (\\\"Admin\\\",\\\"DcAdmin\\\") \\n// Only admin or global-admin can disable/remove policy\\n| where Operation startswith \\\"Remove-\\\" or Operation startswith \\\"Disable-\\\"\\n| where Operation has_any (\\\"AntiPhish\\\", \\\"SafeAttachment\\\", \\\"SafeLinks\\\", \\\"Dlp\\\", \\\"Audit\\\")\\n| extend ClientIPOnly = case( \\nClientIP has \\\".\\\", tostring(split(ClientIP,\\\":\\\")[0]), \\nClientIP has \\\"[\\\", tostring(trim_start(@'[[]',tostring(split(ClientIP,\\\"]\\\")[0]))),\\nClientIP\\n) \\n| extend Port = case(\\nClientIP has \\\".\\\", (split(ClientIP,\\\":\\\")[1]),\\nClientIP has \\\"[\\\", tostring(split(ClientIP,\\\"]:\\\")[1]),\\nClientIP\\n)\\n| summarize StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated), OperationCount = count() by Operation, UserType, UserId, ClientIP = ClientIPOnly, Port, ResultStatus, Parameters\\n| extend timestamp = StartTimeUtc, AccountCustomEntity = UserId, IPCustomEntity = ClientIP\",\r\n \"queryFrequency\": \"P1D\",\r\n \"queryPeriod\": \"P1D\",\r\n \"triggerOperator\": \"GreaterThan\",\r\n \"triggerThreshold\": 0,\r\n \"entityMappings\": [\r\n {\r\n \"entityType\": \"Account\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"FullName\",\r\n \"columnName\": \"AccountCustomEntity\"\r\n }\r\n ]\r\n },\r\n {\r\n \"entityType\": \"IP\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"Address\",\r\n \"columnName\": \"IPCustomEntity\"\r\n }\r\n ]\r\n }\r\n ],\r\n \"displayName\": \"Office policy tampering\",\r\n \"description\": \"Identifies if any tampering is done to either auditlog, ATP Safelink, SafeAttachment, AntiPhish or Dlp policy. \\nAn adversary may use this technique to evade detection or avoid other policy based defenses.\\nReferences: https://docs.microsoft.com/powershell/module/exchange/advanced-threat-protection/remove-antiphishrule?view=exchange-ps.\",\r\n \"tactics\": [\r\n \"Persistence\",\r\n \"DefenseEvasion\"\r\n ],\r\n \"lastUpdatedDateUTC\": \"2020-11-17T00:00:00Z\",\r\n \"createdDateUTC\": \"2019-04-15T00:00:00Z\",\r\n \"status\": \"Available\",\r\n \"requiredDataConnectors\": [\r\n {\r\n \"connectorId\": \"Office365\",\r\n \"dataTypes\": [\r\n \"OfficeActivity\"\r\n ]\r\n }\r\n ],\r\n \"alertRulesCreatedByTemplateCount\": 0\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/AlertRuleTemplates/2b701288-b428-4fb8-805e-e4372c574786\",\r\n \"name\": \"2b701288-b428-4fb8-805e-e4372c574786\",\r\n \"type\": \"Microsoft.SecurityInsights/AlertRuleTemplates\",\r\n \"kind\": \"Scheduled\",\r\n \"properties\": {\r\n \"severity\": \"Medium\",\r\n \"query\": \"//The bigger the window the better the data sample size, as we use IP prevalence, more sample data is better.\\nlet timeRange = 30d;\\n//The minimum number of countries that the account has been accessed from [default: 2]\\nlet minimumCountries = 2;\\n//The delta (%) between the largest in-use IP and the smallest [default: 90]\\nlet deltaThreshold = 95;\\n//The maximum (%) threshold that the country appears in login data [default: 10]\\nlet countryPrevalenceThreshold = 10;\\n//The time to project forward after the last login activity [default: 60min]\\nlet projectedEndTime = 60min; \\n//Get Teams successful signins globally\\nlet signinData =\\n SigninLogs\\n | where TimeGenerated >= ago(timeRange)\\n | where AppDisplayName has \\\"Teams\\\"\\n | where ConditionalAccessStatus =~ \\\"success\\\"\\n | extend country = tostring(LocationDetails['countryOrRegion'])\\n | where isnotempty(country) and isnotempty(IPAddress);\\n// Collect successful signins to teams\\nlet loginEvents = \\n signinData\\n | summarize count(), country=any(country), make_list(TimeGenerated) by IPAddress, UserPrincipalName;\\n//Calcualte delta between logins\\nlet loginDelta =\\n loginEvents\\n | summarize max(count_), min(count_) by UserPrincipalName\\n | extend delta = toreal(max_count_ - min_count_) / max_count_ * 100\\n | where delta >= deltaThreshold;\\n//Count number of countries used to sign in\\nlet countryCount =\\n loginEvents\\n | summarize Countries = dcount(country) by UserPrincipalName;\\n//Join delta and sign in counts to successful logins\\nloginDelta\\n| join kind=rightouter (\\n loginEvents\\n) on UserPrincipalName\\n| join kind=rightouter (\\n countryCount\\n) on UserPrincipalName\\n//Check where the record meets the minimum required countries\\n| where Countries >= minimumCountries\\n| join kind=leftouter (\\n signinData\\n | summarize count() by country\\n | join (\\n //Now get the total number of logins from any country and join it to the previous count in a single table\\n signinData\\n | summarize count() by country\\n | summarize sum(count_), make_list(country)\\n | mv-expand list_country\\n | extend country = tostring(list_country)\\n ) on country\\n | summarize by country, count_, sum_count_\\n //Now calculate each countries prevalence within login events\\n | extend prevalence = toreal(count_) / toreal(sum_count_) * 100\\n | project-away sum_count_\\n | order by prevalence\\n) on country\\n//The % that suspicious country is prevalent in data, this can be configured, less than 10% is uncommon\\n| where prevalence < countryPrevalenceThreshold\\n| where min_count_ == count_\\n//Login start and end times from the JSON object, this is the activity window the suspicious IP was active within\\n| extend EventTimes = list_TimeGenerated\\n| extend SuspiciousIP = IPAddress\\n| project UserPrincipalName, SuspiciousIP, UserIPDelta = delta, SuspiciousLoginCountry = country, SuspiciousCountryPrevalence = prevalence, EventTimes\\n//Teams join to collect operations the user account has performed within the given time range\\n| join kind=inner( \\n TeamsData \\n | where TimeGenerated >= ago(timeRange)\\n | where Operation in~ (\\\"TeamsAdminAction\\\", \\\"MemberAdded\\\", \\\"MemberRemoved\\\", \\\"MemberRoleChanged\\\", \\\"AppInstalled\\\", \\\"BotAddedToTeam\\\")\\n | project Operation, UserId=tolower(UserId), OperationTime=TimeGenerated\\n) on $left.UserPrincipalName == $right.UserId\\n| mv-expand StartTime = EventTimes\\n| extend StartTime = make_datetime(StartTime)\\n//The end time is projected 60 minutes forward, in case actions took place within the last hour of the final login for the suspicious IP\\n| extend ProjectedEndTime = make_datetime(StartTime + projectedEndTime)\\n//Limit to operations carried out by the user account in the timeframe the IP was active\\n| where OperationTime between (StartTime .. ProjectedEndTime)\\n| project UserPrincipalName, SuspiciousIP, StartTime, ProjectedEndTime, OperationTime, Operation, SuspiciousLoginCountry, SuspiciousCountryPrevalence\\n//Filter on suspicious actions\\n| extend activitySummary = pack(tostring(StartTime), pack(\\\"Operation\\\",tostring(Operation), \\\"OperationTime\\\", OperationTime))\\n| summarize make_bag(activitySummary) by UserPrincipalName, SuspiciousIP, SuspiciousLoginCountry, SuspiciousCountryPrevalence\\n| extend IPCustomEntity = SuspiciousIP, AccountCustomEntity = UserPrincipalName\",\r\n \"queryFrequency\": \"P1D\",\r\n \"queryPeriod\": \"P1D\",\r\n \"triggerOperator\": \"GreaterThan\",\r\n \"triggerThreshold\": 0,\r\n \"entityMappings\": [\r\n {\r\n \"entityType\": \"Account\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"FullName\",\r\n \"columnName\": \"AccountCustomEntity\"\r\n }\r\n ]\r\n },\r\n {\r\n \"entityType\": \"IP\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"Address\",\r\n \"columnName\": \"IPCustomEntity\"\r\n }\r\n ]\r\n }\r\n ],\r\n \"displayName\": \"Anomalous login followed by Teams action\",\r\n \"description\": \"Detects anomalous IP address usage by user accounts and then checks to see if a suspicious Teams action is performed.\\nQuery calculates IP usage Delta for each user account and selects accounts where a delta >= 90% is observed between the most and least used IP.\\nTo further reduce results the query performs a prevalence check on the lowest used IP's country, only keeping IP's where the country is unusual for the tenant (dynamic ranges)\\nFinally the user accounts activity within Teams logs is checked for suspicious commands (modifying user privileges or admin actions) during the period the suspicious IP was active.\",\r\n \"tactics\": [\r\n \"InitialAccess\",\r\n \"Persistence\"\r\n ],\r\n \"lastUpdatedDateUTC\": \"2020-11-17T00:00:00Z\",\r\n \"createdDateUTC\": \"2020-06-30T00:00:00Z\",\r\n \"status\": \"Available\",\r\n \"requiredDataConnectors\": [\r\n {\r\n \"connectorId\": \"Office365\",\r\n \"dataTypes\": [\r\n \"OfficeActivity\"\r\n ]\r\n },\r\n {\r\n \"connectorId\": \"AzureActiveDirectory\",\r\n \"dataTypes\": [\r\n \"SigninLogs\"\r\n ]\r\n }\r\n ],\r\n \"alertRulesCreatedByTemplateCount\": 0\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/AlertRuleTemplates/f7f4a77e-f68f-4b56-9aaf-a0c9d87d7a8e\",\r\n \"name\": \"f7f4a77e-f68f-4b56-9aaf-a0c9d87d7a8e\",\r\n \"type\": \"Microsoft.SecurityInsights/AlertRuleTemplates\",\r\n \"kind\": \"Scheduled\",\r\n \"properties\": {\r\n \"severity\": \"Low\",\r\n \"query\": \"// Replace these with the usename or emails of your VIP users you wish to monitor for.\\nlet vips = dynamic(['vip1@email.com','vip2@email.com']);\\nlet timeframe = 1d;\\nLAQueryLogs\\n| where TimeGenerated > ago(timeframe)\\n| where QueryText has_any (vips)\\n| project TimeGenerated, AADEmail, RequestClientApp, QueryText, ResponseRowCount, RequestTarget\",\r\n \"queryFrequency\": \"P1D\",\r\n \"queryPeriod\": \"P1D\",\r\n \"triggerOperator\": \"GreaterThan\",\r\n \"triggerThreshold\": 0,\r\n \"displayName\": \"Users searching for VIP user activity\",\r\n \"description\": \"This query monitors for users running Log Analytics queries that contain filters \\nfor specific, defined VIP user accounts. Use this detection to alert for users specifically \\nsearching for activity of sensitive users.\",\r\n \"tactics\": [\r\n \"Collection\",\r\n \"Exfiltration\"\r\n ],\r\n \"lastUpdatedDateUTC\": \"2020-09-23T00:00:00Z\",\r\n \"createdDateUTC\": \"2020-09-16T00:00:00Z\",\r\n \"status\": \"Available\",\r\n \"requiredDataConnectors\": [\r\n {\r\n \"connectorId\": \"AzureMonitor(Query Audit)\",\r\n \"dataTypes\": [\r\n \"LAQueryLogs\"\r\n ]\r\n }\r\n ],\r\n \"alertRulesCreatedByTemplateCount\": 0\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/AlertRuleTemplates/223db5c1-1bf8-47d8-8806-bed401b356a4\",\r\n \"name\": \"223db5c1-1bf8-47d8-8806-bed401b356a4\",\r\n \"type\": \"Microsoft.SecurityInsights/AlertRuleTemplates\",\r\n \"kind\": \"Scheduled\",\r\n \"properties\": {\r\n \"severity\": \"Low\",\r\n \"query\": \"let timeRange = 1d;\\nlet lookBack = 7d;\\nlet threshold_Failed = 5;\\nlet threshold_FailedwithSingleIP = 20;\\nlet threshold_IPAddressCount = 2;\\nlet isGUID = \\\"[0-9a-z]{8}-[0-9a-z]{4}-[0-9a-z]{4}-[0-9a-z]{4}-[0-9a-z]{12}\\\";\\nlet azPortalSignins = materialize(SigninLogs\\n| where TimeGenerated >= ago(lookBack)\\n// Azure Portal only\\n| where AppDisplayName =~ \\\"Azure Portal\\\")\\n;\\nlet successPortalSignins = azPortalSignins\\n| where TimeGenerated >= ago(timeRange)\\n// Azure Portal only and exclude non-failure Result Types\\n| where ResultType in (\\\"0\\\", \\\"50125\\\", \\\"50140\\\")\\n// Tagging identities not resolved to friendly names\\n//| extend Unresolved = iff(Identity matches regex isGUID, true, false)\\n| distinct TimeGenerated, UserPrincipalName, Id, ResultType\\n;\\nlet failPortalSignins = azPortalSignins\\n| where TimeGenerated >= ago(timeRange)\\n// Azure Portal only and exclude non-failure Result Types\\n| where ResultType !in (\\\"0\\\", \\\"50125\\\", \\\"50140\\\")\\n// Tagging identities not resolved to friendly names\\n| extend Unresolved = iff(Identity matches regex isGUID, true, false)\\n;\\n// Verify there is no success for the same connection attempt after the fail\\nlet failnoSuccess = failPortalSignins | join kind= leftouter (\\n successPortalSignins \\n) on UserPrincipalName, Id\\n| where TimeGenerated > TimeGenerated1\\n| project-away TimeGenerated1, UserPrincipalName1, Id1, ResultType1\\n;\\n// Lookup up resolved identities from last 7 days\\nlet identityLookup = azPortalSignins\\n| where TimeGenerated >= ago(lookBack)\\n| where not(Identity matches regex isGUID)\\n| summarize by UserId, lu_UserDisplayName = UserDisplayName, lu_UserPrincipalName = UserPrincipalName;\\n// Join resolved names to unresolved list from portal signins\\nlet unresolvedNames = failnoSuccess | where Unresolved == true | join kind= inner (\\n identityLookup \\n) on UserId\\n| extend UserDisplayName = lu_UserDisplayName, UserPrincipalName = lu_UserPrincipalName\\n| project-away lu_UserDisplayName, lu_UserPrincipalName;\\n// Join Signins that had resolved names with list of unresolved that now have a resolved name\\nlet u_azPortalSignins = failnoSuccess | where Unresolved == false | union unresolvedNames;\\nu_azPortalSignins\\n| extend Status = strcat(ResultType, \\\": \\\", ResultDescription), OS = tostring(DeviceDetail.operatingSystem), Browser = tostring(DeviceDetail.browser)\\n| extend FullLocation = strcat(Location,'|', LocationDetails.state, '|', LocationDetails.city)\\n| summarize TimeGenerated = makelist(TimeGenerated), Status = makelist(Status), IPAddresses = makelist(IPAddress), IPAddressCount = dcount(IPAddress), FailedLogonCount = count()\\nby UserPrincipalName, UserId, UserDisplayName, AppDisplayName, Browser, OS, FullLocation\\n| mvexpand TimeGenerated, IPAddresses, Status\\n| extend TimeGenerated = todatetime(tostring(TimeGenerated)), IPAddress = tostring(IPAddresses), Status = tostring(Status)\\n| project-away IPAddresses\\n| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated) by UserPrincipalName, UserId, UserDisplayName, Status, FailedLogonCount, IPAddress, IPAddressCount, AppDisplayName, Browser, OS, FullLocation\\n| where (IPAddressCount >= threshold_IPAddressCount and FailedLogonCount >= threshold_Failed) or FailedLogonCount >= threshold_FailedwithSingleIP\\n| extend timestamp = StartTime, AccountCustomEntity = UserPrincipalName, IPCustomEntity = IPAddress\",\r\n \"queryFrequency\": \"P1D\",\r\n \"queryPeriod\": \"P7D\",\r\n \"triggerOperator\": \"GreaterThan\",\r\n \"triggerThreshold\": 0,\r\n \"entityMappings\": [\r\n {\r\n \"entityType\": \"Account\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"FullName\",\r\n \"columnName\": \"AccountCustomEntity\"\r\n }\r\n ]\r\n },\r\n {\r\n \"entityType\": \"IP\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"Address\",\r\n \"columnName\": \"IPCustomEntity\"\r\n }\r\n ]\r\n }\r\n ],\r\n \"displayName\": \"Failed login attempts to Azure Portal\",\r\n \"description\": \"Identifies failed login attempts in the Azure Active Directory SigninLogs to the Azure Portal. Many failed logon \\nattempts or some failed logon attempts from multiple IPs could indicate a potential brute force attack. \\nThe following are excluded due to success and non-failure results:\\nReferences: https://docs.microsoft.com/azure/active-directory/reports-monitoring/reference-sign-ins-error-codes\\n0 - successful logon\\n50125 - Sign-in was interrupted due to a password reset or password registration entry.\\n50140 - This error occurred due to 'Keep me signed in' interrupt when the user was signing-in.\",\r\n \"tactics\": [\r\n \"CredentialAccess\"\r\n ],\r\n \"lastUpdatedDateUTC\": \"2020-11-17T00:00:00Z\",\r\n \"createdDateUTC\": \"2019-02-11T00:00:00Z\",\r\n \"status\": \"Available\",\r\n \"requiredDataConnectors\": [\r\n {\r\n \"connectorId\": \"AzureActiveDirectory\",\r\n \"dataTypes\": [\r\n \"SigninLogs\"\r\n ]\r\n }\r\n ],\r\n \"alertRulesCreatedByTemplateCount\": 0\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/AlertRuleTemplates/80da0a8f-cfe1-4cd0-a895-8bc1771a720e\",\r\n \"name\": \"80da0a8f-cfe1-4cd0-a895-8bc1771a720e\",\r\n \"type\": \"Microsoft.SecurityInsights/AlertRuleTemplates\",\r\n \"kind\": \"Scheduled\",\r\n \"properties\": {\r\n \"severity\": \"Medium\",\r\n \"query\": \"let timeframe = 1d;\\nSecurityEvent\\n| where TimeGenerated >= ago(timeframe)\\n| where EventID == 1102 and EventSourceName == \\\"Microsoft-Windows-Eventlog\\\" \\n| summarize StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated), EventCount = count() by Computer, Account, EventID, Activity\\n| extend timestamp = StartTimeUtc, AccountCustomEntity = Account, HostCustomEntity = Computer\",\r\n \"queryFrequency\": \"P1D\",\r\n \"queryPeriod\": \"P1D\",\r\n \"triggerOperator\": \"GreaterThan\",\r\n \"triggerThreshold\": 0,\r\n \"entityMappings\": [\r\n {\r\n \"entityType\": \"Account\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"FullName\",\r\n \"columnName\": \"AccountCustomEntity\"\r\n }\r\n ]\r\n },\r\n {\r\n \"entityType\": \"Host\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"FullName\",\r\n \"columnName\": \"HostCustomEntity\"\r\n }\r\n ]\r\n }\r\n ],\r\n \"displayName\": \"Security Event log cleared\",\r\n \"description\": \"Checks for event id 1102 which indicates the security event log was cleared. \\nIt uses Event Source Name \\\"Microsoft-Windows-Eventlog\\\" to avoid generating false positives from other sources, like AD FS servers for instance.\",\r\n \"tactics\": [\r\n \"DefenseEvasion\"\r\n ],\r\n \"lastUpdatedDateUTC\": \"2020-11-17T00:00:00Z\",\r\n \"createdDateUTC\": \"2019-02-22T00:00:00Z\",\r\n \"status\": \"Available\",\r\n \"requiredDataConnectors\": [\r\n {\r\n \"connectorId\": \"SecurityEvents\",\r\n \"dataTypes\": [\r\n \"SecurityEvent\"\r\n ]\r\n }\r\n ],\r\n \"alertRulesCreatedByTemplateCount\": 0\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/AlertRuleTemplates/7cb8f77d-c52f-4e46-b82f-3cf2e106224a\",\r\n \"name\": \"7cb8f77d-c52f-4e46-b82f-3cf2e106224a\",\r\n \"type\": \"Microsoft.SecurityInsights/AlertRuleTemplates\",\r\n \"kind\": \"Scheduled\",\r\n \"properties\": {\r\n \"severity\": \"Medium\",\r\n \"query\": \"let lookBack_long = 14d;\\nlet lookBack_med = 7d;\\nlet lookBack = 1d;\\nSigninLogs\\n| where TimeGenerated >= startofday(ago(lookBack_long))\\n| extend locationString = strcat(tostring(LocationDetails[\\\"countryOrRegion\\\"]), \\\"/\\\", tostring(LocationDetails[\\\"state\\\"]), \\\"/\\\", tostring(LocationDetails[\\\"city\\\"]), \\\";\\\") \\n| project TimeGenerated, AppDisplayName , UserPrincipalName, locationString \\n// Create time series \\n| make-series dLocationCount = dcount(locationString) on TimeGenerated in range(startofday(ago(lookBack_long)),now(), 1d) \\nby UserPrincipalName, AppDisplayName \\n// Compute best fit line for each entry \\n| extend (RSquare,Slope,Variance,RVariance,Interception,LineFit)=series_fit_line(dLocationCount) \\n// Chart the 3 most interesting lines \\n// A 0-value slope corresponds to an account being completely stable over time for a given Azure Active Directory application\\n| where Slope > 0.3\\n| top 50 by Slope desc\\n| join kind = leftsemi (\\nSigninLogs\\n| where TimeGenerated >= startofday(ago(lookBack_med))\\n| extend locationString = strcat(tostring(LocationDetails[\\\"countryOrRegion\\\"]), \\\"/\\\", tostring(LocationDetails[\\\"state\\\"]), \\\"/\\\", tostring(LocationDetails[\\\"city\\\"]), \\\";\\\") \\n| project TimeGenerated, AppDisplayName , UserPrincipalName, locationString \\n| make-series dLocationCount = dcount(locationString) on TimeGenerated in range(startofday(ago(lookBack_med)) ,now(), 1d) \\nby UserPrincipalName, AppDisplayName \\n| extend (RSquare,Slope,Variance,RVariance,Interception,LineFit)=series_fit_line(dLocationCount) \\n| top 50 by Slope desc\\n| where Slope > 0.3\\n) on UserPrincipalName, AppDisplayName\\n| join kind = leftsemi (\\nSigninLogs\\n| where TimeGenerated >= startofday(ago(lookBack))\\n| extend locationString = strcat(tostring(LocationDetails[\\\"countryOrRegion\\\"]), \\\"/\\\", tostring(LocationDetails[\\\"state\\\"]), \\\"/\\\", tostring(LocationDetails[\\\"city\\\"]), \\\";\\\") \\n| project TimeGenerated, AppDisplayName , UserPrincipalName, locationString \\n| make-series dLocationCount = dcount(locationString) on TimeGenerated in range(startofday(ago(lookBack)) ,now(), 1d) \\nby UserPrincipalName, AppDisplayName \\n| extend (RSquare,Slope,Variance,RVariance,Interception,LineFit)=series_fit_line(dLocationCount) \\n| top 50 by Slope desc\\n// Higher threshold requirement on last day anomaly\\n| where Slope > 5\\n) on UserPrincipalName, AppDisplayName\\n| extend timestamp = TimeGenerated, AccountCustomEntity = UserPrincipalName\",\r\n \"queryFrequency\": \"P1D\",\r\n \"queryPeriod\": \"P14D\",\r\n \"triggerOperator\": \"GreaterThan\",\r\n \"triggerThreshold\": 0,\r\n \"entityMappings\": [\r\n {\r\n \"entityType\": \"Account\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"FullName\",\r\n \"columnName\": \"AccountCustomEntity\"\r\n }\r\n ]\r\n }\r\n ],\r\n \"displayName\": \"Anomalous sign-in location by user account and authenticating application\",\r\n \"description\": \"This query over Azure Active Directory sign-in considers all user sign-ins for each Azure Active \\nDirectory application and picks out the most anomalous change in location profile for a user within an \\nindividual application. An alert is generated for recent sign-ins that have location counts that are anomalous\\nover last day but also over the last 7-day and 14-day periods.\",\r\n \"tactics\": [\r\n \"InitialAccess\"\r\n ],\r\n \"lastUpdatedDateUTC\": \"2020-11-17T00:00:00Z\",\r\n \"createdDateUTC\": \"2019-02-05T00:00:00Z\",\r\n \"status\": \"Available\",\r\n \"requiredDataConnectors\": [\r\n {\r\n \"connectorId\": \"AzureActiveDirectory\",\r\n \"dataTypes\": [\r\n \"SigninLogs\"\r\n ]\r\n }\r\n ],\r\n \"alertRulesCreatedByTemplateCount\": 0\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/AlertRuleTemplates/ec21493c-2684-4acd-9bc2-696dbad72426\",\r\n \"name\": \"ec21493c-2684-4acd-9bc2-696dbad72426\",\r\n \"type\": \"Microsoft.SecurityInsights/AlertRuleTemplates\",\r\n \"kind\": \"Scheduled\",\r\n \"properties\": {\r\n \"severity\": \"Medium\",\r\n \"query\": \"let dt_lookBack = 1h;\\nlet ioc_lookBack = 14d;\\n//Create a list of TLDs in our threat feed for later validation of extracted domains\\nlet list_tlds = ThreatIntelligenceIndicator\\n | where TimeGenerated > ago(ioc_lookBack)\\n | where isnotempty(DomainName)\\n | extend DomainName = tolower(DomainName)\\n | extend parts = split(DomainName, '.')\\n | extend tld = parts[(array_length(parts)-1)]\\n | summarize count() by tostring(tld)\\n | summarize make_list(tld);\\n ThreatIntelligenceIndicator\\n | where TimeGenerated >= ago(ioc_lookBack) and ExpirationDateTime > now()\\n | summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId\\n | where Active == true\\n // Picking up only IOC's that contain the entities we want\\n | where isnotempty(DomainName)\\n | join (\\n CommonSecurityLog\\n | extend IngestionTime = ingestion_time()\\n | where IngestionTime > ago(dt_lookBack)\\n | where DeviceVendor =~ 'Palo Alto Networks'\\n | where DeviceEventClassID =~ 'url'\\n //Uncomment the line below to only alert on allowed connections\\n //| where DeviceAction !~ \\\"block-url\\\"\\n //Extract domain from RequestURL, if not present extarct it from AdditionalExtentions\\n | extend PA_Url = columnifexists(\\\"RequestURL\\\", \\\"None\\\")\\n | extend PA_Url = iif(isempty(PA_Url) and AdditionalExtensions !startswith \\\"PanOS\\\", extract(\\\"([^\\\\\\\"]+)\\\", 1, tolower(AdditionalExtensions)), trim('\\\"', PA_Url))\\n | extend PA_Url = iif(PA_Url !startswith \\\"http://\\\" and ApplicationProtocol !~ \\\"ssl\\\", strcat('http://', PA_Url), iif(PA_Url !startswith \\\"https://\\\" and ApplicationProtocol =~ \\\"ssl\\\", strcat('https://', PA_Url), PA_Url))\\n | extend Domain = trim(@\\\"\\\"\\\"\\\",tostring(parse_url(PA_Url).Host))\\n | where isnotempty(Domain)\\n | extend Domain = tolower(Domain)\\n | extend parts = split(Domain, '.')\\n //Split out the TLD for the purpose of checking if we have any TI indicators with this TLD to match on\\n | extend tld = parts[(array_length(parts)-1)]\\n //Validate parsed domain by checking TLD against TLDs from threat feed and drop domains where there is no chance of a match\\n | where tld in~ (list_tlds)\\n | extend CSL_TimeGenerated = TimeGenerated\\n ) on $left.DomainName==$right.Domain\\n | project LatestIndicatorTime, Description, ActivityGroupNames, PA_Url, Domain, IndicatorId, ThreatType, ExpirationDateTime, ConfidenceScore, CSL_TimeGenerated, DeviceAction, DestinationIP, DestinationPort, DeviceName, SourceIP, SourcePort, ApplicationProtocol, RequestMethod\\n | extend timestamp = CSL_TimeGenerated, IPCustomEntity = SourceIP, HostCustomEntity = DeviceName, URLCustomEntity = PA_Url\",\r\n \"queryFrequency\": \"PT1H\",\r\n \"queryPeriod\": \"P14D\",\r\n \"triggerOperator\": \"GreaterThan\",\r\n \"triggerThreshold\": 0,\r\n \"entityMappings\": [\r\n {\r\n \"entityType\": \"Host\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"FullName\",\r\n \"columnName\": \"HostCustomEntity\"\r\n }\r\n ]\r\n },\r\n {\r\n \"entityType\": \"IP\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"Address\",\r\n \"columnName\": \"IPCustomEntity\"\r\n }\r\n ]\r\n },\r\n {\r\n \"entityType\": \"URL\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"Url\",\r\n \"columnName\": \"URLCustomEntity\"\r\n }\r\n ]\r\n }\r\n ],\r\n \"displayName\": \"(Preview) TI map Domain entity to PaloAlto\",\r\n \"description\": \"Identifies a match in Palo Alto data in CommonSecurityLog table from any Domain IOC from TI\",\r\n \"tactics\": [\r\n \"Impact\"\r\n ],\r\n \"lastUpdatedDateUTC\": \"2020-11-17T00:00:00Z\",\r\n \"createdDateUTC\": \"2019-08-28T00:00:00Z\",\r\n \"status\": \"Available\",\r\n \"requiredDataConnectors\": [\r\n {\r\n \"connectorId\": \"PaloAltoNetworks\",\r\n \"dataTypes\": [\r\n \"CommonSecurityLog\"\r\n ]\r\n },\r\n {\r\n \"connectorId\": \"ThreatIntelligence\",\r\n \"dataTypes\": [\r\n \"ThreatIntelligenceIndicator\"\r\n ]\r\n },\r\n {\r\n \"connectorId\": \"ThreatIntelligenceTaxii\",\r\n \"dataTypes\": [\r\n \"ThreatIntelligenceIndicator\"\r\n ]\r\n }\r\n ],\r\n \"alertRulesCreatedByTemplateCount\": 0\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/AlertRuleTemplates/28b42356-45af-40a6-a0b4-a554cdfd5d8a\",\r\n \"name\": \"28b42356-45af-40a6-a0b4-a554cdfd5d8a\",\r\n \"type\": \"Microsoft.SecurityInsights/AlertRuleTemplates\",\r\n \"kind\": \"Scheduled\",\r\n \"properties\": {\r\n \"severity\": \"Medium\",\r\n \"query\": \"let failureCountThreshold = 5;\\nlet successCountThreshold = 1;\\nlet timeRange = 1d;\\nlet authenticationWindow = 20m;\\nSigninLogs\\n| where TimeGenerated >= ago(timeRange)\\n| extend OS = DeviceDetail.operatingSystem, Browser = DeviceDetail.browser\\n| extend StatusCode = tostring(Status.errorCode), StatusDetails = tostring(Status.additionalDetails)\\n| extend State = tostring(LocationDetails.state), City = tostring(LocationDetails.city)\\n| where AppDisplayName contains \\\"Azure Portal\\\"\\n// Split out failure versus non-failure types\\n| extend FailureOrSuccess = iff(ResultType in (\\\"0\\\", \\\"50125\\\", \\\"50140\\\", \\\"70043\\\", \\\"70044\\\"), \\\"Success\\\", \\\"Failure\\\")\\n| summarize StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated), IPAddress = makeset(IPAddress), makeset(OS), makeset(Browser), makeset(City), \\nmakeset(ResultType), FailureCount = countif(FailureOrSuccess==\\\"Failure\\\"), SuccessCount = countif(FailureOrSuccess==\\\"Success\\\") \\nby bin(TimeGenerated, authenticationWindow), UserDisplayName, UserPrincipalName, AppDisplayName\\n| where FailureCount >= failureCountThreshold and SuccessCount >= successCountThreshold\\n| mvexpand IPAddress\\n| extend IPAddress = tostring(IPAddress)\\n| extend timestamp = StartTimeUtc, AccountCustomEntity = UserPrincipalName, IPCustomEntity = IPAddress\",\r\n \"queryFrequency\": \"P1D\",\r\n \"queryPeriod\": \"P1D\",\r\n \"triggerOperator\": \"GreaterThan\",\r\n \"triggerThreshold\": 0,\r\n \"entityMappings\": [\r\n {\r\n \"entityType\": \"Account\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"FullName\",\r\n \"columnName\": \"AccountCustomEntity\"\r\n }\r\n ]\r\n },\r\n {\r\n \"entityType\": \"IP\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"Address\",\r\n \"columnName\": \"IPCustomEntity\"\r\n }\r\n ]\r\n }\r\n ],\r\n \"displayName\": \"Brute force attack against Azure Portal\",\r\n \"description\": \"Identifies evidence of brute force activity against Azure Portal by highlighting multiple authentication failures \\nand by a successful authentication within a given time window. \\n(The query does not enforce any sequence - eg requiring the successful authentication to occur last.)\\nDefault Failure count is 5, Default Success count is 1 and default Time Window is 20 minutes.\\nReferences: https://docs.microsoft.com/azure/active-directory/reports-monitoring/reference-sign-ins-error-codes.\",\r\n \"tactics\": [\r\n \"CredentialAccess\"\r\n ],\r\n \"lastUpdatedDateUTC\": \"2020-11-17T00:00:00Z\",\r\n \"createdDateUTC\": \"2019-04-02T00:00:00Z\",\r\n \"status\": \"Available\",\r\n \"requiredDataConnectors\": [\r\n {\r\n \"connectorId\": \"AzureActiveDirectory\",\r\n \"dataTypes\": [\r\n \"SigninLogs\"\r\n ]\r\n }\r\n ],\r\n \"alertRulesCreatedByTemplateCount\": 0\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/AlertRuleTemplates/a9956d3a-07a9-44a6-a279-081a85020cae\",\r\n \"name\": \"a9956d3a-07a9-44a6-a279-081a85020cae\",\r\n \"type\": \"Microsoft.SecurityInsights/AlertRuleTemplates\",\r\n \"kind\": \"Scheduled\",\r\n \"properties\": {\r\n \"severity\": \"Medium\",\r\n \"query\": \"let timeframe = ago(1h);\\nlet threshold = 15;\\nlet rejectedAccess = SymantecVIP\\n| where TimeGenerated > timeframe\\n| where isnotempty(RADIUSAuth)\\n| where RADIUSAuth =~ \\\"Reject\\\"\\n| summarize Total = count() by ClientIP, bin(TimeGenerated, 15m)\\n| where Total > threshold\\n| project ClientIP;\\nSymantecVIP\\n| where TimeGenerated > timeframe\\n| where isnotempty(RADIUSAuth)\\n| where RADIUSAuth =~ \\\"Reject\\\"\\n| join kind=inner rejectedAccess() on ClientIP\\n| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated), count() by ClientIP, User\\n| extend timestamp = StartTime, IPCustomEntity = ClientIP, AccountCustomEntity = User\",\r\n \"queryFrequency\": \"PT1H\",\r\n \"queryPeriod\": \"PT1H\",\r\n \"triggerOperator\": \"GreaterThan\",\r\n \"triggerThreshold\": 0,\r\n \"entityMappings\": [\r\n {\r\n \"entityType\": \"Account\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"FullName\",\r\n \"columnName\": \"AccountCustomEntity\"\r\n }\r\n ]\r\n },\r\n {\r\n \"entityType\": \"IP\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"Address\",\r\n \"columnName\": \"IPCustomEntity\"\r\n }\r\n ]\r\n }\r\n ],\r\n \"displayName\": \"ClientDeniedAccess\",\r\n \"description\": \"Creates an incident in the event a Client has an excessive amounts of denied access requests.\",\r\n \"tactics\": [\r\n \"CredentialAccess\"\r\n ],\r\n \"lastUpdatedDateUTC\": \"2020-11-17T00:00:00Z\",\r\n \"createdDateUTC\": \"2020-06-06T00:00:00Z\",\r\n \"status\": \"Available\",\r\n \"requiredDataConnectors\": [\r\n {\r\n \"connectorId\": \"SymantecVIP\",\r\n \"dataTypes\": [\r\n \"Syslog\"\r\n ]\r\n }\r\n ],\r\n \"alertRulesCreatedByTemplateCount\": 0\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/AlertRuleTemplates/a7564d76-ec6b-4519-a66b-fcc80c42332b\",\r\n \"name\": \"a7564d76-ec6b-4519-a66b-fcc80c42332b\",\r\n \"type\": \"Microsoft.SecurityInsights/AlertRuleTemplates\",\r\n \"kind\": \"Scheduled\",\r\n \"properties\": {\r\n \"severity\": \"Medium\",\r\n \"query\": \"let timeframe = 1h;\\nlet WellKnownLocalSID = \\\"S-1-5-32-5[0-9][0-9]$\\\";\\nlet WellKnownGroupSID = \\\"S-1-5-21-[0-9]*-[0-9]*-[0-9]*-5[0-9][0-9]$|S-1-5-21-[0-9]*-[0-9]*-[0-9]*-1102$|S-1-5-21-[0-9]*-[0-9]*-[0-9]*-1103$|S-1-5-21-[0-9]*-[0-9]*-[0-9]*-498$|S-1-5-21-[0-9]*-[0-9]*-[0-9]*-1000$\\\";\\nlet GroupAddition = SecurityEvent \\n| where TimeGenerated > ago(timeframe)\\n// 4728 - A member was added to a security-enabled global group\\n// 4732 - A member was added to a security-enabled local group\\n// 4756 - A member was added to a security-enabled universal group \\n| where EventID in (\\\"4728\\\", \\\"4732\\\", \\\"4756\\\") \\n| where AccountType =~ \\\"User\\\" and MemberName == \\\"-\\\"\\n// Exclude Remote Desktop Users group: S-1-5-32-555\\n| where TargetSid !in (\\\"S-1-5-32-555\\\")\\n| where TargetSid matches regex WellKnownLocalSID or TargetSid matches regex WellKnownGroupSID\\n| project GroupAddTime = TimeGenerated, GroupAddEventID = EventID, GroupAddActivity = Activity, GroupAddComputer = Computer, \\nGroupAddTargetUserName = TargetUserName, GroupAddTargetDomainName = TargetDomainName, GroupAddTargetSid = TargetSid, \\nGroupAddSubjectUserName = SubjectUserName, GroupAddSubjectUserSid = SubjectUserSid, GroupSid = MemberSid;\\nlet GroupCreated = SecurityEvent\\n| where TimeGenerated > ago(timeframe)\\n// 4727 - A security-enabled global group was created\\n// 4731 - A security-enabled local group was created\\n// 4754 - A security-enabled universal group was created\\n| where EventID in (\\\"4727\\\", \\\"4731\\\", \\\"4754\\\")\\n| where AccountType =~ \\\"User\\\"\\n| project GroupCreateTime = TimeGenerated, GroupCreateEventID = EventID, GroupCreateActivity = Activity, GroupCreateComputer = Computer, \\nGroupCreateTargetUserName = TargetUserName, GroupCreateTargetDomainName = TargetDomainName, GroupCreateSubjectUserName = SubjectUserName, \\nGroupCreateSubjectDomainName = SubjectDomainName, GroupCreateSubjectUserSid = SubjectUserSid, GroupSid = TargetSid;\\nGroupCreated\\n| join (\\nGroupAddition\\n) on GroupSid \\n| extend timestamp = GroupCreateTime, AccountCustomEntity = GroupCreateSubjectUserName, HostCustomEntity = GroupCreateComputer\",\r\n \"queryFrequency\": \"PT1H\",\r\n \"queryPeriod\": \"PT1H\",\r\n \"triggerOperator\": \"GreaterThan\",\r\n \"triggerThreshold\": 0,\r\n \"entityMappings\": [\r\n {\r\n \"entityType\": \"Account\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"FullName\",\r\n \"columnName\": \"AccountCustomEntity\"\r\n }\r\n ]\r\n },\r\n {\r\n \"entityType\": \"Host\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"FullName\",\r\n \"columnName\": \"HostCustomEntity\"\r\n }\r\n ]\r\n }\r\n ],\r\n \"displayName\": \"Group added to built in domain local or global group\",\r\n \"description\": \"Identifies when a recently created Group was added to a privileged built in domain local group or global group such as the \\nEnterprise Admins, Cert Publishers or DnsAdmins. Be sure to verify this is an expected addition.\\nReferences: For AD SID mappings - https://docs.microsoft.com/windows/security/identity-protection/access-control/active-directory-security-groups.\",\r\n \"tactics\": [\r\n \"Persistence\",\r\n \"PrivilegeEscalation\"\r\n ],\r\n \"lastUpdatedDateUTC\": \"2020-11-17T00:00:00Z\",\r\n \"createdDateUTC\": \"2019-02-27T00:00:00Z\",\r\n \"status\": \"Available\",\r\n \"requiredDataConnectors\": [\r\n {\r\n \"connectorId\": \"SecurityEvents\",\r\n \"dataTypes\": [\r\n \"SecurityEvent\"\r\n ]\r\n }\r\n ],\r\n \"alertRulesCreatedByTemplateCount\": 0\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/AlertRuleTemplates/0914adab-90b5-47a3-a79f-7cdcac843aa7\",\r\n \"name\": \"0914adab-90b5-47a3-a79f-7cdcac843aa7\",\r\n \"type\": \"Microsoft.SecurityInsights/AlertRuleTemplates\",\r\n \"kind\": \"Scheduled\",\r\n \"properties\": {\r\n \"severity\": \"Low\",\r\n \"query\": \"let starttime = 14d;\\nlet timeframe = 1d;\\nlet scorethreshold = 3;\\nlet baselinethreshold = 5;\\nlet OperationList = dynamic(\\n[\\\"SecretGet\\\", \\\"KeyGet\\\", \\\"VaultGet\\\"]);\\nlet TimeSeriesData = AzureDiagnostics\\n| where TimeGenerated between (startofday(ago(starttime))..startofday(now()))\\n| extend ResultType = columnifexists(\\\"ResultType\\\", \\\"None\\\"), CallerIPAddress = columnifexists(\\\"CallerIPAddress\\\", \\\"None\\\")\\n| where ResultType !~ \\\"None\\\" and isnotempty(ResultType)\\n| where CallerIPAddress !~ \\\"None\\\" and isnotempty(CallerIPAddress)\\n| where ResourceType =~ \\\"VAULTS\\\" and ResultType =~ \\\"Success\\\"\\n| where OperationName in (OperationList) \\n| project TimeGenerated, OperationName, Resource, CallerIPAddress \\n| make-series HourlyCount=count() on TimeGenerated from startofday(ago(starttime)) to startofday(now()) step timeframe by Resource;\\n//Filter anomolies against TimeSeriesData\\nlet TimeSeriesAlerts = TimeSeriesData\\n| extend (anomalies, score, baseline) = series_decompose_anomalies(HourlyCount, scorethreshold, -1, 'linefit')\\n| mv-expand HourlyCount to typeof(double), TimeGenerated to typeof(datetime), anomalies to typeof(double),score to typeof(double), baseline to typeof(long)\\n| where anomalies > 0 | extend AnomalyHour = TimeGenerated\\n| where baseline > baselinethreshold // Filtering low count events per baselinethreshold\\n| project Resource, AnomalyHour, TimeGenerated, HourlyCount, baseline, anomalies, score;\\n// Filter the alerts since specified timeframe\\nTimeSeriesAlerts\\n| where TimeGenerated > ago(timeframe)\\n// Join against base logs since specified timeframe to retrive records associated with the hour of anomoly\\n| join (\\nAzureDiagnostics\\n| where TimeGenerated > ago(timeframe)\\n| extend ResultType = columnifexists(\\\"ResultType\\\", \\\"NoResultType\\\")\\n| extend requestUri_s = columnifexists(\\\"requestUri_s\\\", \\\"None\\\"), identity_claim_http_schemas_microsoft_com_identity_claims_objectidentifier_g = columnifexists(\\\"identity_claim_http_schemas_microsoft_com_identity_claims_objectidentifier_g\\\", \\\"None\\\")\\n| extend id_s = columnifexists(\\\"id_s\\\", \\\"None\\\"), CallerIPAddress = columnifexists(\\\"CallerIPAddress\\\", \\\"None\\\"), clientInfo_s = columnifexists(\\\"clientInfo_s\\\", \\\"None\\\")\\n| where ResultType !~ \\\"None\\\" and isnotempty(ResultType)\\n| where identity_claim_http_schemas_microsoft_com_identity_claims_objectidentifier_g !~ \\\"None\\\" and isnotempty(identity_claim_http_schemas_microsoft_com_identity_claims_objectidentifier_g)\\n| where id_s !~ \\\"None\\\" and isnotempty(id_s)\\n| where CallerIPAddress !~ \\\"None\\\" and isnotempty(CallerIPAddress)\\n| where clientInfo_s !~ \\\"None\\\" and isnotempty(clientInfo_s)\\n| where requestUri_s !~ \\\"None\\\" and isnotempty(requestUri_s)\\n| where ResourceType =~ \\\"VAULTS\\\" and ResultType =~ \\\"Success\\\"\\n| where OperationName in (OperationList) \\n| summarize PerOperationCount=count(), LatestAnomalyTime = arg_max(TimeGenerated,*) by bin(TimeGenerated,1h), Resource, OperationName, id_s, CallerIPAddress, identity_claim_http_schemas_microsoft_com_identity_claims_objectidentifier_g, requestUri_s, clientInfo_s \\n) on Resource, TimeGenerated \\n| summarize EventCount=count(), OperationNameList = make_set(OperationName), RequestURLList = make_set(requestUri_s), AccountList = make_set(identity_claim_http_schemas_microsoft_com_identity_claims_objectidentifier_g), AccountMax = arg_max(identity_claim_http_schemas_microsoft_com_identity_claims_objectidentifier_g,*) by Resource, id_s, clientInfo_s, LatestAnomalyTime\\n| extend timestamp = LatestAnomalyTime, IPCustomEntity = CallerIPAddress, AccountCustomEntity = AccountMax\",\r\n \"queryFrequency\": \"PT1H\",\r\n \"queryPeriod\": \"P14D\",\r\n \"triggerOperator\": \"GreaterThan\",\r\n \"triggerThreshold\": 0,\r\n \"entityMappings\": [\r\n {\r\n \"entityType\": \"Account\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"FullName\",\r\n \"columnName\": \"AccountCustomEntity\"\r\n }\r\n ]\r\n },\r\n {\r\n \"entityType\": \"IP\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"Address\",\r\n \"columnName\": \"IPCustomEntity\"\r\n }\r\n ]\r\n }\r\n ],\r\n \"displayName\": \"Azure Key Vault access TimeSeries anomaly\",\r\n \"description\": \"Indentifies a sudden increase in count of Azure Key Vault secret or vault access operations by CallerIPAddress. The query leverages a built-in KQL anomaly detection algorithm \\nto find large deviations from baseline Azure Key Vault access patterns. Any sudden increase in the count of Azure Key Vault accesses can be an \\nindication of adversary dumping credentials via automated methods. If you are seeing any noise, try filtering known source(IP/Account) and user-agent combinations.\\nTimeSeries Reference Blog: https://techcommunity.microsoft.com/t5/azure-sentinel/looking-for-unknown-anomalies-what-is-normal-time-series/ba-p/555052\",\r\n \"tactics\": [\r\n \"CredentialAccess\"\r\n ],\r\n \"lastUpdatedDateUTC\": \"2020-11-17T00:00:00Z\",\r\n \"createdDateUTC\": \"2019-07-01T00:00:00Z\",\r\n \"status\": \"Available\",\r\n \"requiredDataConnectors\": [\r\n {\r\n \"connectorId\": \"WAF\",\r\n \"dataTypes\": [\r\n \"AzureDiagnostics\"\r\n ]\r\n }\r\n ],\r\n \"alertRulesCreatedByTemplateCount\": 0\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/AlertRuleTemplates/884c4957-70ea-4f57-80b9-1bca3890315b\",\r\n \"name\": \"884c4957-70ea-4f57-80b9-1bca3890315b\",\r\n \"type\": \"Microsoft.SecurityInsights/AlertRuleTemplates\",\r\n \"kind\": \"Scheduled\",\r\n \"properties\": {\r\n \"severity\": \"Medium\",\r\n \"query\": \"let timeFrame = 1d;\\nlet timeBin = 10m;\\nlet failedThreshold = 100;\\nW3CIISLog\\n| where TimeGenerated >= ago(timeFrame)\\n| where scStatus in (\\\"401\\\",\\\"403\\\")\\n| where csUserName != \\\"-\\\"\\n// Handling Exchange specific items in IIS logs to remove the unique log identifier in the URI\\n| extend csUriQuery = iff(csUriQuery startswith \\\"MailboxId=\\\", tostring(split(csUriQuery, \\\"&\\\")[0]) , csUriQuery )\\n| extend csUriQuery = iff(csUriQuery startswith \\\"X-ARR-CACHE-HIT=\\\", strcat(tostring(split(csUriQuery, \\\"&\\\")[0]),tostring(split(csUriQuery, \\\"&\\\")[1])) , csUriQuery )\\n| extend scStatusFull = strcat(scStatus, \\\".\\\",scSubStatus) \\n// Map common IIS codes\\n| extend scStatusFull_Friendly = case(\\nscStatusFull == \\\"401.0\\\", \\\"Access denied.\\\",\\nscStatusFull == \\\"401.1\\\", \\\"Logon failed.\\\",\\nscStatusFull == \\\"401.2\\\", \\\"Logon failed due to server configuration.\\\",\\nscStatusFull == \\\"401.3\\\", \\\"Unauthorized due to ACL on resource.\\\",\\nscStatusFull == \\\"401.4\\\", \\\"Authorization failed by filter.\\\",\\nscStatusFull == \\\"401.5\\\", \\\"Authorization failed by ISAPI/CGI application.\\\",\\nscStatusFull == \\\"403.0\\\", \\\"Forbidden.\\\",\\nscStatusFull == \\\"403.4\\\", \\\"SSL required.\\\",\\n\\\"See - https://support.microsoft.com/help/943891/the-http-status-code-in-iis-7-0-iis-7-5-and-iis-8-0\\\")\\n// Mapping to Hex so can be mapped using website in comments above\\n| extend scWin32Status_Hex = tohex(tolong(scWin32Status)) \\n// Map common win32 codes\\n| extend scWin32Status_Friendly = case(\\nscWin32Status_Hex =~ \\\"775\\\", \\\"The referenced account is currently locked out and cannot be logged on to.\\\",\\nscWin32Status_Hex =~ \\\"52e\\\", \\\"Logon failure: Unknown user name or bad password.\\\",\\nscWin32Status_Hex =~ \\\"532\\\", \\\"Logon failure: The specified account password has expired.\\\",\\nscWin32Status_Hex =~ \\\"533\\\", \\\"Logon failure: Account currently disabled.\\\", \\nscWin32Status_Hex =~ \\\"2ee2\\\", \\\"The request has timed out.\\\", \\nscWin32Status_Hex =~ \\\"0\\\", \\\"The operation completed successfully.\\\", \\nscWin32Status_Hex =~ \\\"1\\\", \\\"Incorrect function.\\\", \\nscWin32Status_Hex =~ \\\"2\\\", \\\"The system cannot find the file specified.\\\", \\nscWin32Status_Hex =~ \\\"3\\\", \\\"The system cannot find the path specified.\\\", \\nscWin32Status_Hex =~ \\\"4\\\", \\\"The system cannot open the file.\\\", \\nscWin32Status_Hex =~ \\\"5\\\", \\\"Access is denied.\\\", \\nscWin32Status_Hex =~ \\\"8009030e\\\", \\\"SEC_E_NO_CREDENTIALS\\\", \\nscWin32Status_Hex =~ \\\"8009030C\\\", \\\"SEC_E_LOGON_DENIED\\\", \\n\\\"See - https://msdn.microsoft.com/library/cc231199.aspx\\\")\\n// decode URI when available\\n| extend decodedUriQuery = url_decode(csUriQuery)\\n// Count of failed logons by a user\\n| summarize makeset(decodedUriQuery), makeset(cIP), makeset(sSiteName), makeset(sPort), makeset(csUserAgent), makeset(csMethod), makeset(csUriQuery), makeset(scStatusFull), makeset(scStatusFull_Friendly), makeset(scWin32Status_Hex), makeset(scWin32Status_Friendly), FailedConnectionsCount = count() by bin(TimeGenerated, timeBin), csUserName, Computer, sIP\\n| where FailedConnectionsCount >= failedThreshold\\n| project TimeGenerated, csUserName, set_decodedUriQuery, Computer, set_sSiteName, sIP, set_cIP, set_sPort, set_csUserAgent, set_csMethod, set_scStatusFull, set_scStatusFull_Friendly, set_scWin32Status_Hex, set_scWin32Status_Friendly, FailedConnectionsCount\\n| order by FailedConnectionsCount\\n| extend timestamp = TimeGenerated, AccountCustomEntity = csUserName, HostCustomEntity = Computer\",\r\n \"queryFrequency\": \"P1D\",\r\n \"queryPeriod\": \"P1D\",\r\n \"triggerOperator\": \"GreaterThan\",\r\n \"triggerThreshold\": 0,\r\n \"entityMappings\": [\r\n {\r\n \"entityType\": \"Account\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"FullName\",\r\n \"columnName\": \"AccountCustomEntity\"\r\n }\r\n ]\r\n },\r\n {\r\n \"entityType\": \"Host\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"FullName\",\r\n \"columnName\": \"HostCustomEntity\"\r\n }\r\n ]\r\n }\r\n ],\r\n \"displayName\": \"High count of failed logons by a user\",\r\n \"description\": \"Identifies when 100 or more failed attempts by a given user in 10 minutes occur on the IIS Server.\\nThis could be indicative of attempted brute force based on known account information.\\nThis could also simply indicate a misconfigured service or device. \\nReferences:\\nIIS status code mapping - https://support.microsoft.com/help/943891/the-http-status-code-in-iis-7-0-iis-7-5-and-iis-8-0\\nWin32 Status code mapping - https://msdn.microsoft.com/library/cc231199.aspx\",\r\n \"tactics\": [\r\n \"CredentialAccess\"\r\n ],\r\n \"lastUpdatedDateUTC\": \"2020-11-17T00:00:00Z\",\r\n \"createdDateUTC\": \"2019-03-19T00:00:00Z\",\r\n \"status\": \"Available\",\r\n \"requiredDataConnectors\": [\r\n {\r\n \"connectorId\": \"AzureMonitor(IIS)\",\r\n \"dataTypes\": [\r\n \"W3CIISLog\"\r\n ]\r\n }\r\n ],\r\n \"alertRulesCreatedByTemplateCount\": 0\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/AlertRuleTemplates/8b8aec75-dc5e-4661-bc0c-9e4fff6aad02\",\r\n \"name\": \"8b8aec75-dc5e-4661-bc0c-9e4fff6aad02\",\r\n \"type\": \"Microsoft.SecurityInsights/AlertRuleTemplates\",\r\n \"kind\": \"Anomaly\",\r\n \"properties\": {\r\n \"severity\": \"High\",\r\n \"anomalyDefinitionVersion\": \"1.0.0\",\r\n \"techniques\": [\r\n \"T1027\"\r\n ],\r\n \"customizableObservations\": {\r\n \"multiSelectObservations\": [\r\n {\r\n \"supportedValues\": [\r\n \"Highly Confidential to Confidential\",\r\n \"Highly Confidential to General\",\r\n \"Highly Confidential to Public\",\r\n \"Highly Confidential to Archive\",\r\n \"Confidential to General\",\r\n \"Confidential to Public\",\r\n \"Confidential to Archive\",\r\n \"General to Public\",\r\n \"General to Archive\",\r\n \"Public to Archive\"\r\n ],\r\n \"values\": [\r\n \"Highly Confidential to General\",\r\n \"Highly Confidential to Public\",\r\n \"Highly Confidential to Archive\"\r\n ],\r\n \"supportedValuesKql\": null,\r\n \"valuesKql\": null,\r\n \"name\": \"Document sensitivity label change\",\r\n \"description\": \"Sensitivity labels are security settings that have been automatically or manually applied to your files.\\nSometimes it is normal to change the labels of files.\\nChoose which label changes are severe enough to generate anomalies.\\n\",\r\n \"sequenceNumber\": 0,\r\n \"rerun\": \"RerunAlways\"\r\n },\r\n {\r\n \"supportedValues\": [\r\n \".doc\",\r\n \".docm\",\r\n \".docx\",\r\n \".dot\",\r\n \".dotm\",\r\n \".dotx\"\r\n ],\r\n \"values\": [\r\n \".doc\",\r\n \".docx\"\r\n ],\r\n \"supportedValuesKql\": null,\r\n \"valuesKql\": null,\r\n \"name\": \"Document type\",\r\n \"description\": \"Choose which document types to include or exclude from this rule.\",\r\n \"sequenceNumber\": 0,\r\n \"rerun\": \"NotRequired\"\r\n },\r\n {\r\n \"supportedValues\": [\r\n \"Discover, open, remove protection\",\r\n \"Discover, open, remove label\",\r\n \"Discover, open, downgrade label\",\r\n \"Discover, remove protection\",\r\n \"Discover, remove label\",\r\n \"Discover, downgrade label\"\r\n ],\r\n \"values\": [\r\n \"Discover, open, remove protection\",\r\n \"Discover, open, downgrade label\"\r\n ],\r\n \"supportedValuesKql\": null,\r\n \"valuesKql\": null,\r\n \"name\": \"Document action sequence\",\r\n \"description\": \"Document action sequence is the order of events that occurred while changes were made to these files. Based on the way you normally interact with your files, you may choose which actions are flagged as anomalous.\\n\",\r\n \"sequenceNumber\": 0,\r\n \"rerun\": \"RerunAlways\"\r\n }\r\n ],\r\n \"singleSelectObservations\": [\r\n {\r\n \"supportedValues\": [\r\n \"Include\",\r\n \"Exclude\"\r\n ],\r\n \"supportedValuesKql\": null,\r\n \"value\": \"Include\",\r\n \"name\": \"Private IP\",\r\n \"description\": \"Private IP relates to the status of the IP address where the operation occurred. Choose to either include or exclude operations from Private IPs.\\n\",\r\n \"sequenceNumber\": 0,\r\n \"rerun\": \"RerunAlways\"\r\n }\r\n ],\r\n \"prioritizeExcludeObservations\": [\r\n {\r\n \"prioritize\": \"[60-100]\",\r\n \"exclude\": \"[200-]\",\r\n \"dataType\": \"number\",\r\n \"name\": \"Document count\",\r\n \"description\": \"Document count is the number of files that were involved in a particular downgrade operation. Choose a number that would indicate an unusual number of files to be edited in one batch.\\nYou may *prioritize* a certain range of numbers and you may *exclude* a certain range of numbers.\\n\",\r\n \"sequenceNumber\": 0,\r\n \"rerun\": \"RerunAlways\"\r\n },\r\n {\r\n \"prioritize\": null,\r\n \"exclude\": \"financial, $hr.+$\",\r\n \"dataType\": \"string\",\r\n \"name\": \"Document name\",\r\n \"description\": \"Choose to *prioritize* or *exclude* strings that appear in the names of documents. You may enter plain text and regular expressions separated by commas.\\n\",\r\n \"sequenceNumber\": 0,\r\n \"rerun\": \"NotRequired\"\r\n }\r\n ],\r\n \"thresholdObservations\": [\r\n {\r\n \"minimum\": \"0.3\",\r\n \"maximum\": \"1\",\r\n \"value\": \"0.3\",\r\n \"name\": \"Score\",\r\n \"description\": \"Generate an anomaly when score is greater than the chosen value\",\r\n \"sequenceNumber\": 0,\r\n \"rerun\": \"NotRequired\"\r\n }\r\n ]\r\n },\r\n \"frequency\": \"PT2H\",\r\n \"displayName\": \"(Preview) Anomalous Document Mass Downgrade\",\r\n \"description\": \"Description for Anomalous mass downgrade of sensitive documents template\",\r\n \"tactics\": [\r\n \"InitialAccess\"\r\n ],\r\n \"lastUpdatedDateUTC\": \"2020-09-12T00:00:00Z\",\r\n \"createdDateUTC\": \"2020-09-12T00:00:00Z\",\r\n \"status\": \"Available\",\r\n \"requiredDataConnectors\": [\r\n {\r\n \"connectorId\": \"AzureInformationProtection\",\r\n \"dataTypes\": [\r\n \"InformationProtectionLogs_CL\"\r\n ]\r\n }\r\n ],\r\n \"alertRulesCreatedByTemplateCount\": 0\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/AlertRuleTemplates/0558155e-4556-447e-9a22-828f2a7de06b\",\r\n \"name\": \"0558155e-4556-447e-9a22-828f2a7de06b\",\r\n \"type\": \"Microsoft.SecurityInsights/AlertRuleTemplates\",\r\n \"kind\": \"Scheduled\",\r\n \"properties\": {\r\n \"severity\": \"Medium\",\r\n \"query\": \"let timeframe = ago(1h);\\nProofPointTAPMessagesDelivered_CL\\n| where TimeGenerated >= timeframe\\n| mv-expand todynamic(threatsInfoMap_s)\\n| mv-expand todynamic(messageParts_s)\\n| extend threatType = tostring(threatsInfoMap_s.threatType), classification = tostring(threatsInfoMap_s.classification)\\n| extend filename = tostring(messageParts_s.filename)\\n| where threatType =~ \\\"attachment\\\" and classification =~ \\\"malware\\\"\\n| summarize filenames = make_set(filename), StartTime = min(TimeGenerated), EndTime = max(TimeGenerated), count() by TimeGenerated, Sender = sender_s, SenderIPAddress = senderIP_s, Recipient = recipient_s, threatType, classification, Subject = subject_s\\n| extend timestamp = StartTime, AccountCustomEntity = Recipient, IPCustomEntity = SenderIPAddress\",\r\n \"queryFrequency\": \"PT1H\",\r\n \"queryPeriod\": \"PT1H\",\r\n \"triggerOperator\": \"GreaterThan\",\r\n \"triggerThreshold\": 0,\r\n \"entityMappings\": [\r\n {\r\n \"entityType\": \"Account\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"FullName\",\r\n \"columnName\": \"AccountCustomEntity\"\r\n }\r\n ]\r\n },\r\n {\r\n \"entityType\": \"IP\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"Address\",\r\n \"columnName\": \"IPCustomEntity\"\r\n }\r\n ]\r\n }\r\n ],\r\n \"displayName\": \"Malware attachment delivered\",\r\n \"description\": \"This query identifies a message containing a malware attachment that was delivered.\",\r\n \"tactics\": [\r\n \"InitialAccess\"\r\n ],\r\n \"lastUpdatedDateUTC\": \"2020-11-17T00:00:00Z\",\r\n \"createdDateUTC\": \"2020-06-20T00:00:00Z\",\r\n \"status\": \"Available\",\r\n \"requiredDataConnectors\": [\r\n {\r\n \"connectorId\": \"ProofpointTAP\",\r\n \"dataTypes\": [\r\n \"ProofPointTAPMessagesDelivered_CL\"\r\n ]\r\n }\r\n ],\r\n \"alertRulesCreatedByTemplateCount\": 0\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/AlertRuleTemplates/32555639-b639-4c2b-afda-c0ae0abefa55\",\r\n \"name\": \"32555639-b639-4c2b-afda-c0ae0abefa55\",\r\n \"type\": \"Microsoft.SecurityInsights/AlertRuleTemplates\",\r\n \"kind\": \"Scheduled\",\r\n \"properties\": {\r\n \"severity\": \"Low\",\r\n \"query\": \"let timeframe = 1d;\\nAWSCloudTrail\\n| where TimeGenerated > ago(timeframe)\\n| where EventName =~ \\\"GetCallerIdentity\\\" and UserIdentityType =~ \\\"AssumedRole\\\" \\n| summarize StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated) by SourceIpAddress, EventName, EventTypeName, UserIdentityType, UserIdentityAccountId, UserIdentityPrincipalid, \\nUserAgent, UserIdentityUserName, SessionMfaAuthenticated,AWSRegion, EventSource, AdditionalEventData, ResponseElements\\n| extend timestamp = StartTimeUtc, AccountCustomEntity = UserIdentityUserName, IPCustomEntity = SourceIpAddress\\n| sort by EndTimeUtc desc nulls last\",\r\n \"queryFrequency\": \"P1D\",\r\n \"queryPeriod\": \"P1D\",\r\n \"triggerOperator\": \"GreaterThan\",\r\n \"triggerThreshold\": 0,\r\n \"entityMappings\": [\r\n {\r\n \"entityType\": \"Account\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"FullName\",\r\n \"columnName\": \"AccountCustomEntity\"\r\n }\r\n ]\r\n },\r\n {\r\n \"entityType\": \"IP\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"Address\",\r\n \"columnName\": \"IPCustomEntity\"\r\n }\r\n ]\r\n }\r\n ],\r\n \"displayName\": \"Monitor AWS Credential abuse or hijacking\",\r\n \"description\": \"Looking for GetCallerIdentity Events where the UserID Type is AssumedRole \\nAn attacker who has assumed the role of a legitimate account can call the GetCallerIdentity function to determine what account they are using.\\nA legitimate user using legitimate credentials would not need to call GetCallerIdentity since they should already know what account they are using.\\nMore Information: https://duo.com/decipher/trailblazer-hunts-compromised-credentials-in-aws\\nAWS STS GetCallerIdentity API: https://docs.aws.amazon.com/STS/latest/APIReference/API_GetCallerIdentity.html \",\r\n \"tactics\": [\r\n \"Discovery\"\r\n ],\r\n \"lastUpdatedDateUTC\": \"2020-11-17T00:00:00Z\",\r\n \"createdDateUTC\": \"2019-02-27T00:00:00Z\",\r\n \"status\": \"Available\",\r\n \"requiredDataConnectors\": [\r\n {\r\n \"connectorId\": \"AWS\",\r\n \"dataTypes\": [\r\n \"AWSCloudTrail\"\r\n ]\r\n }\r\n ],\r\n \"alertRulesCreatedByTemplateCount\": 0\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/AlertRuleTemplates/57e56fc9-417a-4f41-a579-5475aea7b8ce\",\r\n \"name\": \"57e56fc9-417a-4f41-a579-5475aea7b8ce\",\r\n \"type\": \"Microsoft.SecurityInsights/AlertRuleTemplates\",\r\n \"kind\": \"Scheduled\",\r\n \"properties\": {\r\n \"severity\": \"Medium\",\r\n \"query\": \"let timeframe = 1h;\\nlet threshold = 1000;\\nInfobloxNIOS\\n| where TimeGenerated >= ago(timeframe)\\n| where ProcessName =~ \\\"dhcpd\\\" and Log_Type =~ \\\"DHCPREQUEST\\\"\\n| summarize count() by ServerIP, bin(TimeGenerated,5m)\\n| where count_ > threshold\\n| join kind=inner (InfobloxNIOS\\n | where ProcessName =~ \\\"dhcpd\\\" and Log_Type =~ \\\"DHCPREQUEST\\\"\\n | where TimeGenerated >= ago(timeframe)\\n ) on ServerIP\\n| extend timestamp = TimeGenerated, IPCustomEntity = ServerIP\",\r\n \"queryFrequency\": \"PT1H\",\r\n \"queryPeriod\": \"PT1H\",\r\n \"triggerOperator\": \"GreaterThan\",\r\n \"triggerThreshold\": 0,\r\n \"entityMappings\": [\r\n {\r\n \"entityType\": \"IP\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"Address\",\r\n \"columnName\": \"IPCustomEntity\"\r\n }\r\n ]\r\n }\r\n ],\r\n \"displayName\": \"Potential DHCP Starvation Attack\",\r\n \"description\": \"This creates an incident in the event that an excessive amount of DHCPREQUEST have been recieved by a DHCP Server and could potentially be an indication of a DHCP Starvation Attack.\",\r\n \"tactics\": [\r\n \"InitialAccess\"\r\n ],\r\n \"lastUpdatedDateUTC\": \"2020-11-17T00:00:00Z\",\r\n \"createdDateUTC\": \"2020-06-06T00:00:00Z\",\r\n \"status\": \"Available\",\r\n \"requiredDataConnectors\": [\r\n {\r\n \"connectorId\": \"InfobloxNIOS\",\r\n \"dataTypes\": [\r\n \"Syslog\"\r\n ]\r\n }\r\n ],\r\n \"alertRulesCreatedByTemplateCount\": 0\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/AlertRuleTemplates/0d76e9cf-788d-4a69-ac7d-f234826b5bed\",\r\n \"name\": \"0d76e9cf-788d-4a69-ac7d-f234826b5bed\",\r\n \"type\": \"Microsoft.SecurityInsights/AlertRuleTemplates\",\r\n \"kind\": \"Scheduled\",\r\n \"properties\": {\r\n \"severity\": \"Low\",\r\n \"query\": \"let timeframe = 1d;\\nDnsEvents\\n| where TimeGenerated > ago(timeframe)\\n| where Name contains \\\".\\\"\\n| where Name has_any (\\\"monerohash.com\\\", \\\"do-dear.com\\\", \\\"xmrminerpro.com\\\", \\\"secumine.net\\\", \\\"xmrpool.com\\\", \\\"minexmr.org\\\", \\\"hashanywhere.com\\\", \\n\\\"xmrget.com\\\", \\\"mininglottery.eu\\\", \\\"minergate.com\\\", \\\"moriaxmr.com\\\", \\\"multipooler.com\\\", \\\"moneropools.com\\\", \\\"xmrpool.eu\\\", \\\"coolmining.club\\\", \\n\\\"supportxmr.com\\\", \\\"minexmr.com\\\", \\\"hashvault.pro\\\", \\\"xmrpool.net\\\", \\\"crypto-pool.fr\\\", \\\"xmr.pt\\\", \\\"miner.rocks\\\", \\\"walpool.com\\\", \\\"herominers.com\\\", \\n\\\"gntl.co.uk\\\", \\\"semipool.com\\\", \\\"coinfoundry.org\\\", \\\"cryptoknight.cc\\\", \\\"fairhash.org\\\", \\\"baikalmine.com\\\", \\\"tubepool.xyz\\\", \\\"fairpool.xyz\\\", \\\"asiapool.io\\\", \\n\\\"coinpoolit.webhop.me\\\", \\\"nanopool.org\\\", \\\"moneropool.com\\\", \\\"miner.center\\\", \\\"prohash.net\\\", \\\"poolto.be\\\", \\\"cryptoescrow.eu\\\", \\\"monerominers.net\\\", \\\"cryptonotepool.org\\\", \\n\\\"extrmepool.org\\\", \\\"webcoin.me\\\", \\\"kippo.eu\\\", \\\"hashinvest.ws\\\", \\\"monero.farm\\\", \\\"supportxmr.com\\\", \\\"xmrpool.eu\\\", \\\"linux-repository-updates.com\\\", \\\"1gh.com\\\", \\n\\\"dwarfpool.com\\\", \\\"hash-to-coins.com\\\", \\\"hashvault.pro\\\", \\\"pool-proxy.com\\\", \\\"hashfor.cash\\\", \\\"fairpool.cloud\\\", \\\"litecoinpool.org\\\", \\\"mineshaft.ml\\\", \\\"abcxyz.stream\\\", \\n\\\"moneropool.ru\\\", \\\"cryptonotepool.org.uk\\\", \\\"extremepool.org\\\", \\\"extremehash.com\\\", \\\"hashinvest.net\\\", \\\"unipool.pro\\\", \\\"crypto-pools.org\\\", \\\"monero.net\\\", \\n\\\"backup-pool.com\\\", \\\"mooo.com\\\", \\\"freeyy.me\\\", \\\"cryptonight.net\\\", \\\"shscrypto.net\\\")\\n| extend timestamp = TimeGenerated, IPCustomEntity = ClientIP, HostCustomEntity = Computer\",\r\n \"queryFrequency\": \"P1D\",\r\n \"queryPeriod\": \"P1D\",\r\n \"triggerOperator\": \"GreaterThan\",\r\n \"triggerThreshold\": 0,\r\n \"entityMappings\": [\r\n {\r\n \"entityType\": \"Host\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"FullName\",\r\n \"columnName\": \"HostCustomEntity\"\r\n }\r\n ]\r\n },\r\n {\r\n \"entityType\": \"IP\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"Address\",\r\n \"columnName\": \"IPCustomEntity\"\r\n }\r\n ]\r\n }\r\n ],\r\n \"displayName\": \"DNS events related to mining pools\",\r\n \"description\": \"Identifies IP addresses that may be performing DNS lookups associated with common currency mining pools.\",\r\n \"tactics\": [\r\n \"Execution\",\r\n \"Impact\"\r\n ],\r\n \"lastUpdatedDateUTC\": \"2020-11-17T00:00:00Z\",\r\n \"createdDateUTC\": \"2019-02-07T00:00:00Z\",\r\n \"status\": \"Available\",\r\n \"requiredDataConnectors\": [\r\n {\r\n \"connectorId\": \"DNS\",\r\n \"dataTypes\": [\r\n \"DnsEvents\"\r\n ]\r\n }\r\n ],\r\n \"alertRulesCreatedByTemplateCount\": 0\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/AlertRuleTemplates/30fa312c-31eb-43d8-b0cc-bcbdfb360822\",\r\n \"name\": \"30fa312c-31eb-43d8-b0cc-bcbdfb360822\",\r\n \"type\": \"Microsoft.SecurityInsights/AlertRuleTemplates\",\r\n \"kind\": \"Scheduled\",\r\n \"properties\": {\r\n \"severity\": \"Medium\",\r\n \"query\": \"let dt_lookBack = 1h;\\nlet ioc_lookBack = 14d;\\nlet emailregex = @'^[a-zA-Z0-9_.+-]+@[a-zA-Z0-9-]+\\\\.[a-zA-Z0-9-.]+$';\\nThreatIntelligenceIndicator\\n| where TimeGenerated >= ago(ioc_lookBack) and ExpirationDateTime > now()\\n| where Active == true\\n//Filtering the table for Email related IOCs\\n| where isnotempty(EmailRecipient)\\n| join (\\n SigninLogs | where TimeGenerated >= ago(dt_lookBack) and isnotempty(UserPrincipalName)\\n //Normalizing the column to lower case for exact match with EmailRecipient column\\n | extend UserPrincipalName = tolower(UserPrincipalName)\\n | where UserPrincipalName matches regex emailregex\\n | extend StatusCode = tostring(Status.errorCode), StatusDetails = tostring(Status.additionalDetails)\\n | extend Region = tostring(LocationDetails[\\\"countryOrRegion\\\"]), State = tostring(LocationDetails[\\\"state\\\"]), City = tostring(LocationDetails[\\\"city\\\"])\\n // renaming timestamp column so it is clear the log this came from SigninLogs table\\n | extend SigninLogs_TimeGenerated = TimeGenerated\\n)\\non $left.EmailRecipient == $right.UserPrincipalName\\n| summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId\\n| project LatestIndicatorTime, Description, ActivityGroupNames, IndicatorId, ThreatType, Url, ExpirationDateTime, ConfidenceScore, SigninLogs_TimeGenerated,\\nEmailSenderName, EmailSourceDomain, EmailSourceIpAddress, EmailSubject, FileHashValue, FileHashType, IPAddress, UserPrincipalName, AppDisplayName,\\nStatusCode, StatusDetails, NetworkIP, NetworkDestinationIP, NetworkSourceIP\\n| extend timestamp = SigninLogs_TimeGenerated, AccountCustomEntity = UserPrincipalName, IPCustomEntity = IPAddress, URLCustomEntity = Url\",\r\n \"queryFrequency\": \"PT1H\",\r\n \"queryPeriod\": \"P14D\",\r\n \"triggerOperator\": \"GreaterThan\",\r\n \"triggerThreshold\": 0,\r\n \"entityMappings\": [\r\n {\r\n \"entityType\": \"Account\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"FullName\",\r\n \"columnName\": \"AccountCustomEntity\"\r\n }\r\n ]\r\n },\r\n {\r\n \"entityType\": \"IP\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"Address\",\r\n \"columnName\": \"IPCustomEntity\"\r\n }\r\n ]\r\n },\r\n {\r\n \"entityType\": \"URL\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"Url\",\r\n \"columnName\": \"URLCustomEntity\"\r\n }\r\n ]\r\n }\r\n ],\r\n \"displayName\": \"(Preview) TI map Email entity to SigninLogs\",\r\n \"description\": \"Identifies a match in SigninLogs table from any Email IOC from TI\",\r\n \"tactics\": [\r\n \"Impact\"\r\n ],\r\n \"lastUpdatedDateUTC\": \"2020-11-17T00:00:00Z\",\r\n \"createdDateUTC\": \"2019-08-28T00:00:00Z\",\r\n \"status\": \"Available\",\r\n \"requiredDataConnectors\": [\r\n {\r\n \"connectorId\": \"ThreatIntelligence\",\r\n \"dataTypes\": [\r\n \"ThreatIntelligenceIndicator\"\r\n ]\r\n },\r\n {\r\n \"connectorId\": \"ThreatIntelligenceTaxii\",\r\n \"dataTypes\": [\r\n \"ThreatIntelligenceIndicator\"\r\n ]\r\n },\r\n {\r\n \"connectorId\": \"AzureActiveDirectory\",\r\n \"dataTypes\": [\r\n \"SigninLogs\"\r\n ]\r\n }\r\n ],\r\n \"alertRulesCreatedByTemplateCount\": 0\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/AlertRuleTemplates/f30a47c1-65fb-42b1-a7f4-00941c12550b\",\r\n \"name\": \"f30a47c1-65fb-42b1-a7f4-00941c12550b\",\r\n \"type\": \"Microsoft.SecurityInsights/AlertRuleTemplates\",\r\n \"kind\": \"Scheduled\",\r\n \"properties\": {\r\n \"severity\": \"Medium\",\r\n \"query\": \"let dt_lookBack = 1h;\\nlet ioc_lookBack = 14d;\\nThreatIntelligenceIndicator\\n| where TimeGenerated >= ago(ioc_lookBack) and ExpirationDateTime > now()\\n| where Active == true\\n// Picking up only IOC's that contain the entities we want\\n| where isnotempty(Url)\\n| join (\\n SecurityAlert\\n | where TimeGenerated >= ago(dt_lookBack)\\n // Extract URL from JSON data\\n | extend Url = extract(\\\"(http[s]?://(?:[a-zA-Z]|[0-9]|[$-_@.&+]|[!*\\\\\\\\(\\\\\\\\),]|(?:%[0-9a-fA-F][0-9a-fA-F]))+)\\\", 1,Entities)\\n // We only want alerts that actually contain URL data\\n | where isnotempty(Url)\\n // Extract hostname from JSON data for entity mapping\\n | extend Compromised_Host = tostring(parse_json(ExtendedProperties).[\\\"Compromised Host\\\"])\\n | extend Alert_TimeGenerated = TimeGenerated\\n) on Url\\n| summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId\\n| project LatestIndicatorTime, ActivityGroupNames, IndicatorId, ThreatType, ExpirationDateTime, ConfidenceScore, Alert_TimeGenerated,\\nAlertName, AlertSeverity, Description, Url, Compromised_Host\\n| extend timestamp = Alert_TimeGenerated, HostCustomEntity = Compromised_Host, URLCustomEntity = Url\",\r\n \"queryFrequency\": \"PT1H\",\r\n \"queryPeriod\": \"P14D\",\r\n \"triggerOperator\": \"GreaterThan\",\r\n \"triggerThreshold\": 0,\r\n \"entityMappings\": [\r\n {\r\n \"entityType\": \"Host\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"FullName\",\r\n \"columnName\": \"HostCustomEntity\"\r\n }\r\n ]\r\n },\r\n {\r\n \"entityType\": \"URL\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"Url\",\r\n \"columnName\": \"URLCustomEntity\"\r\n }\r\n ]\r\n }\r\n ],\r\n \"displayName\": \"(Preview) TI map URL entity to SecurityAlert data\",\r\n \"description\": \"Identifies a match in SecurityAlert data from any URL IOC from TI\",\r\n \"tactics\": [\r\n \"Impact\"\r\n ],\r\n \"lastUpdatedDateUTC\": \"2020-11-17T00:00:00Z\",\r\n \"createdDateUTC\": \"2019-08-27T00:00:00Z\",\r\n \"status\": \"Available\",\r\n \"requiredDataConnectors\": [\r\n {\r\n \"connectorId\": \"MicrosoftCloudAppSecurity\",\r\n \"dataTypes\": [\r\n \"SecurityAlert\"\r\n ]\r\n },\r\n {\r\n \"connectorId\": \"AzureSecurityCenter\",\r\n \"dataTypes\": [\r\n \"SecurityAlert\"\r\n ]\r\n },\r\n {\r\n \"connectorId\": \"ThreatIntelligence\",\r\n \"dataTypes\": [\r\n \"ThreatIntelligenceIndicator\"\r\n ]\r\n },\r\n {\r\n \"connectorId\": \"ThreatIntelligenceTaxii\",\r\n \"dataTypes\": [\r\n \"ThreatIntelligenceIndicator\"\r\n ]\r\n }\r\n ],\r\n \"alertRulesCreatedByTemplateCount\": 0\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/AlertRuleTemplates/e1ce0eab-10d1-4aae-863f-9a383345ba88\",\r\n \"name\": \"e1ce0eab-10d1-4aae-863f-9a383345ba88\",\r\n \"type\": \"Microsoft.SecurityInsights/AlertRuleTemplates\",\r\n \"kind\": \"Scheduled\",\r\n \"properties\": {\r\n \"severity\": \"Low\",\r\n \"query\": \"let timeframe = 1d;\\nlet threshold = 15;\\nSyslog\\n| where TimeGenerated >= ago(timeframe)\\n| where SyslogMessage contains \\\"Failed password for invalid user\\\"\\n| where ProcessName =~ \\\"sshd\\\" \\n| parse kind=relaxed SyslogMessage with * \\\"invalid user\\\" user \\\" from \\\" ip \\\" port\\\" port \\\" ssh2\\\"\\n| project user, ip, port, SyslogMessage, EventTime\\n| summarize EventTimes = make_list(EventTime), PerHourCount = count() by ip, bin(EventTime, 4h), user\\n| where PerHourCount > threshold\\n| mvexpand EventTimes\\n| extend EventTimes = tostring(EventTimes) \\n| summarize StartTimeUtc = min(EventTimes), EndTimeUtc = max(EventTimes), UserList = makeset(user), sum(PerHourCount) by IPAddress = ip\\n| extend UserList = tostring(UserList) \\n| extend timestamp = StartTimeUtc, IPCustomEntity = IPAddress, AccountCustomEntity = UserList\",\r\n \"queryFrequency\": \"P1D\",\r\n \"queryPeriod\": \"P1D\",\r\n \"triggerOperator\": \"GreaterThan\",\r\n \"triggerThreshold\": 0,\r\n \"entityMappings\": [\r\n {\r\n \"entityType\": \"Account\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"FullName\",\r\n \"columnName\": \"AccountCustomEntity\"\r\n }\r\n ]\r\n },\r\n {\r\n \"entityType\": \"IP\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"Address\",\r\n \"columnName\": \"IPCustomEntity\"\r\n }\r\n ]\r\n }\r\n ],\r\n \"displayName\": \"SSH - Potential Brute Force\",\r\n \"description\": \"Identifies an IP address that had 15 failed attempts to sign in via SSH in a 4 hour block during a 24 hour time period.\",\r\n \"tactics\": [\r\n \"CredentialAccess\"\r\n ],\r\n \"lastUpdatedDateUTC\": \"2020-11-17T00:00:00Z\",\r\n \"createdDateUTC\": \"2019-02-20T00:00:00Z\",\r\n \"status\": \"Available\",\r\n \"requiredDataConnectors\": [\r\n {\r\n \"connectorId\": \"Syslog\",\r\n \"dataTypes\": [\r\n \"Syslog\"\r\n ]\r\n }\r\n ],\r\n \"alertRulesCreatedByTemplateCount\": 0\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/AlertRuleTemplates/ca67c83e-7fff-4127-a3e3-1af66d6d4cad\",\r\n \"name\": \"ca67c83e-7fff-4127-a3e3-1af66d6d4cad\",\r\n \"type\": \"Microsoft.SecurityInsights/AlertRuleTemplates\",\r\n \"kind\": \"Scheduled\",\r\n \"properties\": {\r\n \"severity\": \"Medium\",\r\n \"query\": \"let timeframe = 1d;\\nlet ProcessCreationEvents=() {\\nlet processEvents=SecurityEvent\\n| where EventID==4688\\n| where isnotempty(CommandLine)\\n| summarize StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated), count() by Computer, Account = SubjectUserName, AccountDomain = SubjectDomainName,\\nFileName = Process, CommandLine, ParentProcessName;\\nprocessEvents};\\nProcessCreationEvents\\n| where CommandLine contains \\\"TVqQAAMAAAAEAAA\\\"\\n| where StartTimeUtc >= ago(timeframe)\\n| extend timestamp = StartTimeUtc, AccountCustomEntity = Account, HostCustomEntity = Computer\",\r\n \"queryFrequency\": \"P1D\",\r\n \"queryPeriod\": \"P1D\",\r\n \"triggerOperator\": \"GreaterThan\",\r\n \"triggerThreshold\": 0,\r\n \"entityMappings\": [\r\n {\r\n \"entityType\": \"Account\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"FullName\",\r\n \"columnName\": \"AccountCustomEntity\"\r\n }\r\n ]\r\n },\r\n {\r\n \"entityType\": \"Host\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"FullName\",\r\n \"columnName\": \"HostCustomEntity\"\r\n }\r\n ]\r\n }\r\n ],\r\n \"displayName\": \"Base64 encoded Windows process command-lines\",\r\n \"description\": \"Identifies instances of a base64 encoded PE file header seen in the process command line parameter.\",\r\n \"tactics\": [\r\n \"Execution\",\r\n \"DefenseEvasion\"\r\n ],\r\n \"lastUpdatedDateUTC\": \"2020-11-17T00:00:00Z\",\r\n \"createdDateUTC\": \"2018-09-14T00:00:00Z\",\r\n \"status\": \"Available\",\r\n \"requiredDataConnectors\": [\r\n {\r\n \"connectorId\": \"SecurityEvents\",\r\n \"dataTypes\": [\r\n \"SecurityEvent\"\r\n ]\r\n }\r\n ],\r\n \"alertRulesCreatedByTemplateCount\": 0\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/AlertRuleTemplates/5d33fc63-b83b-4913-b95e-94d13f0d379f\",\r\n \"name\": \"5d33fc63-b83b-4913-b95e-94d13f0d379f\",\r\n \"type\": \"Microsoft.SecurityInsights/AlertRuleTemplates\",\r\n \"kind\": \"Scheduled\",\r\n \"properties\": {\r\n \"severity\": \"Medium\",\r\n \"query\": \"let dt_lookBack = 1h;\\nlet ioc_lookBack = 14d;\\nlet fileHashIndicators = ThreatIntelligenceIndicator\\n| where TimeGenerated >= ago(ioc_lookBack) and ExpirationDateTime > now()\\n| where Active == true\\n| where isnotempty(FileHashValue);\\n// Handle matches against both lower case and uppercase versions of the hash:\\n( fileHashIndicators | extend FileHashValue = tolower(FileHashValue)\\n |union (fileHashIndicators | extend FileHashValue = toupper(FileHashValue)))\\n| join (\\n CommonSecurityLog | where TimeGenerated >= ago(dt_lookBack)\\n | where isnotempty(FileHash)\\n | extend CommonSecurityLog_TimeGenerated = TimeGenerated\\n)\\non $left.FileHashValue == $right.FileHash\\n| summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId\\n| project LatestIndicatorTime, Description, ActivityGroupNames, IndicatorId, ThreatType, Url, ExpirationDateTime, ConfidenceScore,\\nCommonSecurityLog_TimeGenerated, SourceIP, SourcePort, DestinationIP, DestinationPort, SourceUserID, SourceUserName, DeviceName, DeviceAction,\\nRequestURL, DestinationUserName, DestinationUserID, ApplicationProtocol, Activity\\n| extend timestamp = CommonSecurityLog_TimeGenerated, IPCustomEntity = SourceIP, HostCustomEntity = DeviceName, AccountCustomEntity = SourceUserName, URLCustomEntity = Url\",\r\n \"queryFrequency\": \"PT1H\",\r\n \"queryPeriod\": \"P14D\",\r\n \"triggerOperator\": \"GreaterThan\",\r\n \"triggerThreshold\": 0,\r\n \"entityMappings\": [\r\n {\r\n \"entityType\": \"Account\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"FullName\",\r\n \"columnName\": \"AccountCustomEntity\"\r\n }\r\n ]\r\n },\r\n {\r\n \"entityType\": \"Host\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"FullName\",\r\n \"columnName\": \"HostCustomEntity\"\r\n }\r\n ]\r\n },\r\n {\r\n \"entityType\": \"IP\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"Address\",\r\n \"columnName\": \"IPCustomEntity\"\r\n }\r\n ]\r\n },\r\n {\r\n \"entityType\": \"URL\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"Url\",\r\n \"columnName\": \"URLCustomEntity\"\r\n }\r\n ]\r\n }\r\n ],\r\n \"displayName\": \"(Preview) TI map File Hash to CommonSecurityLog Event\",\r\n \"description\": \"Identifies a match in CommonSecurityLog Event data from any FileHash IOC from TI\",\r\n \"tactics\": [\r\n \"Impact\"\r\n ],\r\n \"lastUpdatedDateUTC\": \"2020-11-17T00:00:00Z\",\r\n \"createdDateUTC\": \"2019-08-30T00:00:00Z\",\r\n \"status\": \"Available\",\r\n \"requiredDataConnectors\": [\r\n {\r\n \"connectorId\": \"PaloAltoNetworks\",\r\n \"dataTypes\": [\r\n \"CommonSecurityLog\"\r\n ]\r\n },\r\n {\r\n \"connectorId\": \"ThreatIntelligence\",\r\n \"dataTypes\": [\r\n \"ThreatIntelligenceIndicator\"\r\n ]\r\n },\r\n {\r\n \"connectorId\": \"ThreatIntelligenceTaxii\",\r\n \"dataTypes\": [\r\n \"ThreatIntelligenceIndicator\"\r\n ]\r\n }\r\n ],\r\n \"alertRulesCreatedByTemplateCount\": 0\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/AlertRuleTemplates/f948a32f-226c-4116-bddd-d95e91d97eb9\",\r\n \"name\": \"f948a32f-226c-4116-bddd-d95e91d97eb9\",\r\n \"type\": \"Microsoft.SecurityInsights/AlertRuleTemplates\",\r\n \"kind\": \"Scheduled\",\r\n \"properties\": {\r\n \"severity\": \"High\",\r\n \"query\": \"let detectionTime = 1d;\\nlet joinLookback = 14d;\\nAuditLogs\\n| where TimeGenerated > ago(detectionTime)\\n| where LoggedByService =~ \\\"Core Directory\\\"\\n| where Category =~ \\\"ApplicationManagement\\\"\\n| where OperationName =~ \\\"Consent to application\\\"\\n| where TargetResources has \\\"mailboxsettings\\\"\\n| extend AppDisplayName = TargetResources.[0].displayName\\n| extend AppClientId = tolower(TargetResources.[0].id)\\n| where AppClientId !in ((externaldata(knownAppClientId:string, knownAppDisplayName:string)[@\\\"https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Sample%20Data/Feeds/Microsoft.OAuth.KnownApplications.csv\\\"] with (format=\\\"csv\\\")))\\n| extend ConsentFull = TargetResources[0].modifiedProperties[4].newValue\\n| parse ConsentFull with * \\\"ConsentType: \\\" GrantConsentType \\\", Scope: \\\" GrantScope1 \\\"]\\\" *\\n| where ConsentFull contains \\\"contacts.read\\\" and ConsentFull contains \\\"user.read\\\" and ConsentFull contains \\\"mail.read\\\" and ConsentFull contains \\\"notes.read.all\\\" and ConsentFull contains \\\"mailboxsettings.readwrite\\\" and ConsentFull contains \\\"Files.ReadWrite.All\\\"\\n| where GrantConsentType != \\\"AllPrincipals\\\" // NOTE: we are ignoring if OAuth application was granted to all users via an admin - but admin due diligence should be audited occasionally\\n| extend GrantIpAddress = iff(isnotempty(InitiatedBy.user.ipAddress), InitiatedBy.user.ipAddress, InitiatedBy.app.ipAddress)\\n| extend GrantInitiatedBy = iff(isnotempty(InitiatedBy.user.userPrincipalName),InitiatedBy.user.userPrincipalName, InitiatedBy.app.displayName)\\n| extend GrantUserAgent = iff(AdditionalDetails[0].key =~ \\\"User-Agent\\\", AdditionalDetails[0].value, \\\"\\\")\\n| project TimeGenerated, GrantConsentType, GrantScope1, GrantInitiatedBy, AppDisplayName, GrantIpAddress, GrantUserAgent, AppClientId, OperationName, ConsentFull, CorrelationId\\n| join kind = leftouter (AuditLogs\\n| where TimeGenerated > ago(joinLookback)\\n| where LoggedByService =~ \\\"Core Directory\\\"\\n| where Category =~ \\\"ApplicationManagement\\\"\\n| where OperationName =~ \\\"Add service principal\\\"\\n| extend AppClientId = tolower(TargetResources[0].id)\\n| extend AppReplyURLs = iff(TargetResources[0].modifiedProperties[1].newValue has \\\"AddressType\\\", TargetResources[0].modifiedProperties[1].newValue, \\\"\\\")\\n| distinct AppClientId, tostring(AppReplyURLs)\\n)\\non AppClientId\\n| join kind = innerunique (AuditLogs\\n| where TimeGenerated > ago(joinLookback)\\n| where LoggedByService =~ \\\"Core Directory\\\"\\n| where Category =~ \\\"ApplicationManagement\\\"\\n| where OperationName =~ \\\"Add OAuth2PermissionGrant\\\" or OperationName =~ \\\"Add delegated permission grant\\\"\\n| extend GrantAuthentication = tostring(TargetResources[0].displayName)\\n| extend GrantOperation = OperationName\\n| project GrantAuthentication, GrantOperation, CorrelationId\\n) on CorrelationId\\n| project TimeGenerated, GrantConsentType, GrantScope1, GrantInitiatedBy, AppDisplayName, AppReplyURLs, GrantIpAddress, GrantUserAgent, AppClientId, GrantAuthentication, OperationName, GrantOperation, CorrelationId, ConsentFull\",\r\n \"queryFrequency\": \"P1D\",\r\n \"queryPeriod\": \"P14D\",\r\n \"triggerOperator\": \"GreaterThan\",\r\n \"triggerThreshold\": 0,\r\n \"displayName\": \"Suspicious application consent similar to O365 Attack Toolkit\",\r\n \"description\": \"This will alert when a user consents to provide a previously-unknown Azure application with the same OAuth permissions used by the MDSec O365 Attack Toolkit (https://github.com/mdsecactivebreach/o365-attack-toolkit).\\nThe default permissions/scope for the MDSec O365 Attack toolkit are contacts.read, user.read, mail.read, notes.read.all, mailboxsettings.readwrite, and files.readwrite.all.\\nConsent to applications with these permissions should be rare, especially as the knownApplications list is expanded, especially as the knownApplications list is expanded. Public contributions to expand this filter are welcome!\\nFor further information on AuditLogs please see https://docs.microsoft.com/azure/active-directory/reports-monitoring/reference-audit-activities.\",\r\n \"tactics\": [\r\n \"CredentialAccess\",\r\n \"DefenseEvasion\"\r\n ],\r\n \"lastUpdatedDateUTC\": \"2020-06-29T00:00:00Z\",\r\n \"createdDateUTC\": \"2020-06-26T00:00:00Z\",\r\n \"status\": \"Available\",\r\n \"requiredDataConnectors\": [\r\n {\r\n \"connectorId\": \"AzureActiveDirectory\",\r\n \"dataTypes\": [\r\n \"AuditLogs\"\r\n ]\r\n }\r\n ],\r\n \"alertRulesCreatedByTemplateCount\": 0\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/AlertRuleTemplates/9f86885f-f31f-4e66-a39d-352771ee789e\",\r\n \"name\": \"9f86885f-f31f-4e66-a39d-352771ee789e\",\r\n \"type\": \"Microsoft.SecurityInsights/AlertRuleTemplates\",\r\n \"kind\": \"Scheduled\",\r\n \"properties\": {\r\n \"severity\": \"Medium\",\r\n \"query\": \"let timeframe = ago(1h);\\nCarbonBlackEvents_CL\\n| where TimeGenerated > timeframe\\n| extend eventTime = datetime(1970-01-01) + tolong(eventTime_d/1000) * 1sec\\n| where targetApp_effectiveReputation_s =~ \\\"KNOWN_MALWARE\\\"\\n| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated), count() by eventTime, deviceDetails_deviceName_s, deviceDetails_deviceIpAddress_s, processDetails_fullUserName_s, processDetails_targetName_s\\n| extend timestamp = StartTime, AccountCustomEntity = processDetails_fullUserName_s, HostCustomEntity = deviceDetails_deviceName_s, IPCustomEntity = deviceDetails_deviceIpAddress_s\",\r\n \"queryFrequency\": \"PT1H\",\r\n \"queryPeriod\": \"PT1H\",\r\n \"triggerOperator\": \"GreaterThan\",\r\n \"triggerThreshold\": 0,\r\n \"entityMappings\": [\r\n {\r\n \"entityType\": \"Account\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"FullName\",\r\n \"columnName\": \"AccountCustomEntity\"\r\n }\r\n ]\r\n },\r\n {\r\n \"entityType\": \"Host\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"FullName\",\r\n \"columnName\": \"HostCustomEntity\"\r\n }\r\n ]\r\n },\r\n {\r\n \"entityType\": \"IP\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"Address\",\r\n \"columnName\": \"IPCustomEntity\"\r\n }\r\n ]\r\n }\r\n ],\r\n \"displayName\": \"Known Malware Detected\",\r\n \"description\": \"This creates an incident when a known Malware is detected on a endpoint managed by a Carbon Black.\",\r\n \"tactics\": [\r\n \"Execution\"\r\n ],\r\n \"lastUpdatedDateUTC\": \"2020-11-17T00:00:00Z\",\r\n \"createdDateUTC\": \"2020-06-20T00:00:00Z\",\r\n \"status\": \"Available\",\r\n \"requiredDataConnectors\": [\r\n {\r\n \"connectorId\": \"VMwareCarbonBlack\",\r\n \"dataTypes\": [\r\n \"CarbonBlackEvents_CL\"\r\n ]\r\n }\r\n ],\r\n \"alertRulesCreatedByTemplateCount\": 0\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/AlertRuleTemplates/a357535e-f722-4afe-b375-cff362b2b376\",\r\n \"name\": \"a357535e-f722-4afe-b375-cff362b2b376\",\r\n \"type\": \"Microsoft.SecurityInsights/AlertRuleTemplates\",\r\n \"kind\": \"Scheduled\",\r\n \"properties\": {\r\n \"severity\": \"Medium\",\r\n \"query\": \"let endtime = 1d;\\n(union isfuzzy=true\\n(OfficeActivity | where TimeGenerated >= ago(endtime) | where UserAgent != \\\"\\\"),\\n(OfficeActivity\\n| where TimeGenerated >= ago(endtime)\\n| where RecordType in (\\\"AzureActiveDirectoryAccountLogon\\\", \\\"AzureActiveDirectoryStsLogon\\\")\\n| extend OperationName = Operation, UserAgent = extractjson(\\\"$[0].Value\\\", ExtendedProperties, typeof(string))),\\n(AzureDiagnostics\\n| where TimeGenerated >= ago(endtime)\\n| where ResourceType =~ \\\"APPLICATIONGATEWAYS\\\" \\n| where OperationName =~ \\\"ApplicationGatewayAccess\\\" \\n| extend ClientIP = columnifexists(\\\"clientIP_s\\\", \\\"None\\\"), UserAgent = columnifexists(\\\"userAgent_s\\\", \\\"None\\\")))\\n// Likely artefact of hardcoding\\n| where UserAgent startswith \\\"User\\\" or UserAgent startswith \\\"\\\\\\\"\\\"\\n// Incorrect casing\\nor (UserAgent startswith \\\"Mozilla\\\" and not(UserAgent containscs \\\"Mozilla\\\"))\\n// Incorrect casing\\nor UserAgent containscs \\\"(Compatible;\\\"\\n// Missing MSIE version\\nor UserAgent matches regex @\\\"MSIE\\\\s?;\\\"\\n// Incorrect spacing around MSIE version\\nor UserAgent matches regex @\\\"MSIE(?:\\\\d|.{1,5}?\\\\d\\\\s;)\\\"\\n| summarize StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated), OperationNames = makeset(OperationName), UserAgentCount = dcount(UserAgent), \\nUserAgentList = makeset(UserAgent), RecordTypes = makeset(RecordType) by UserId, ClientIP\\n| extend timestamp = StartTimeUtc, IPCustomEntity = ClientIP, AccountCustomEntity = UserId\",\r\n \"queryFrequency\": \"P1D\",\r\n \"queryPeriod\": \"P1D\",\r\n \"triggerOperator\": \"GreaterThan\",\r\n \"triggerThreshold\": 0,\r\n \"entityMappings\": [\r\n {\r\n \"entityType\": \"Account\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"FullName\",\r\n \"columnName\": \"AccountCustomEntity\"\r\n }\r\n ]\r\n },\r\n {\r\n \"entityType\": \"IP\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"Address\",\r\n \"columnName\": \"IPCustomEntity\"\r\n }\r\n ]\r\n }\r\n ],\r\n \"displayName\": \"Malformed user agent\",\r\n \"description\": \"Malware authors will sometimes hardcode user agent string values when writing the network communication component of their malware.\\nMalformed user agents can be an indication of such malware.\",\r\n \"tactics\": [\r\n \"InitialAccess\",\r\n \"CommandAndControl\",\r\n \"Execution\"\r\n ],\r\n \"lastUpdatedDateUTC\": \"2020-11-17T00:00:00Z\",\r\n \"createdDateUTC\": \"2019-01-25T00:00:00Z\",\r\n \"status\": \"Available\",\r\n \"requiredDataConnectors\": [\r\n {\r\n \"connectorId\": \"WAF\",\r\n \"dataTypes\": [\r\n \"AzureDiagnostics\"\r\n ]\r\n },\r\n {\r\n \"connectorId\": \"Office365\",\r\n \"dataTypes\": [\r\n \"OfficeActivity\"\r\n ]\r\n }\r\n ],\r\n \"alertRulesCreatedByTemplateCount\": 0\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/AlertRuleTemplates/155f40c6-610d-497d-85fc-3cf06ec13256\",\r\n \"name\": \"155f40c6-610d-497d-85fc-3cf06ec13256\",\r\n \"type\": \"Microsoft.SecurityInsights/AlertRuleTemplates\",\r\n \"kind\": \"Scheduled\",\r\n \"properties\": {\r\n \"severity\": \"High\",\r\n \"query\": \"let timeframe = 1d;\\nlet DomainNames = dynamic([\\\"yahoo-verification.org\\\",\\\"support-servics.com\\\",\\\"verification-live.com\\\",\\\"com-mailbox.com\\\",\\\"com-myaccuants.com\\\",\\\"notification-accountservice.com\\\",\\n\\\"accounts-web-mail.com\\\",\\\"customer-certificate.com\\\",\\\"session-users-activities.com\\\",\\\"user-profile-credentials.com\\\",\\\"verify-linke.com\\\",\\\"support-servics.net\\\",\\\"verify-linkedin.net\\\", \\n\\\"yahoo-verification.net\\\",\\\"yahoo-verify.net\\\",\\\"outlook-verify.net\\\",\\\"com-users.net\\\",\\\"verifiy-account.net\\\",\\\"te1egram.net\\\",\\\"account-verifiy.net\\\",\\\"myaccount-services.net\\\",\\n\\\"com-identifier-servicelog.name\\\",\\\"microsoft-update.bid\\\",\\\"outlook-livecom.bid\\\",\\\"update-microsoft.bid\\\",\\\"documentsfilesharing.cloud\\\",\\\"com-microsoftonline.club\\\",\\n\\\"confirm-session-identifier.info\\\",\\\"session-management.info\\\",\\\"confirmation-service.info\\\",\\\"document-share.info\\\",\\\"broadcast-news.info\\\",\\\"customize-identity.info\\\",\\\"webemail.info\\\",\\n\\\"com-identifier-servicelog.info\\\",\\\"documentsharing.info\\\",\\\"notification-accountservice.info\\\",\\\"identifier-activities.info\\\",\\\"documentofficupdate.info\\\",\\\"recoveryusercustomer.info\\\",\\n\\\"serverbroadcast.info\\\",\\\"account-profile-users.info\\\",\\\"account-service-management.info\\\",\\\"accounts-manager.info\\\",\\\"activity-confirmation-service.info\\\",\\\"com-accountidentifier.info\\\",\\n\\\"com-privacy-help.info\\\",\\\"com-sessionidentifier.info\\\",\\\"com-useraccount.info\\\",\\\"confirmation-users-service.info\\\",\\\"confirm-identity.info\\\",\\\"confirm-session-identification.info\\\",\\n\\\"continue-session-identifier.info\\\",\\\"customer-recovery.info\\\",\\\"customers-activities.info\\\",\\\"elitemaildelivery.info\\\",\\\"email-delivery.info\\\",\\\"identify-user-session.info\\\",\\n\\\"message-serviceprovider.info\\\",\\\"notificationapp.info\\\",\\\"notification-manager.info\\\",\\\"recognized-activity.info\\\",\\\"recover-customers-service.info\\\",\\\"recovery-session-change.info\\\",\\n\\\"service-recovery-session.info\\\",\\\"service-session-continue.info\\\",\\\"session-mail-customers.info\\\",\\\"session-managment.info\\\",\\\"session-verify-user.info\\\",\\\"shop-sellwear.info\\\",\\n\\\"supportmailservice.info\\\",\\\"terms-service-notification.info\\\",\\\"user-activity-issues.info\\\",\\\"useridentity-confirm.info\\\",\\\"users-issue-services.info\\\",\\\"verify-user-session.info\\\",\\n\\\"login-gov.info\\\",\\\"notification-signal-agnecy.info\\\",\\\"notifications-center.info\\\",\\\"identifier-services-sessions.info\\\",\\\"customers-manager.info\\\",\\\"session-manager.info\\\",\\n\\\"customer-managers.info\\\",\\\"confirmation-recovery-options.info\\\",\\\"service-session-confirm.info\\\",\\\"session-recovery-options.info\\\",\\\"services-session-confirmation.info\\\",\\n\\\"notification-managers.info\\\",\\\"activities-services-notification.info\\\",\\\"activities-recovery-options.info\\\",\\\"activity-session-recovery.info\\\",\\\"customers-services.info\\\",\\n\\\"sessions-notification.info\\\",\\\"download-teamspeak.info\\\",\\\"services-issue-notification.info\\\",\\\"microsoft-upgrade.mobi\\\",\\\"broadcastnews.pro\\\",\\\"mobile-messengerplus.network\\\"]);\\nlet IPList = dynamic([\\\"51.91.200.147\\\"]);\\nlet IPRegex = '[0-9]{1,3}\\\\\\\\.[0-9]{1,3}\\\\\\\\.[0-9]{1,3}\\\\\\\\.[0-9]{1,3}';\\n(union isfuzzy=true\\n(CommonSecurityLog \\n| where TimeGenerated >= ago(timeframe)\\n| parse Message with * '(' DNSName ')' * \\n| extend MessageIP = extract(IPRegex, 0, Message)\\n| extend RequestURLIP = extract(IPRegex, 0, Message)\\n| where (isnotempty(SourceIP) and SourceIP in (IPList)) or (isnotempty(DestinationIP) and DestinationIP in (IPList)) \\nor (isnotempty(DNSName) and DNSName in~ (DomainNames)) or (isnotempty(DestinationHostName) and DestinationHostName in~ (DomainNames)) or (isnotempty(RequestURL) and (RequestURL has_any (DomainNames) or RequestURLIP in (IPList))) \\nor (isnotempty(Message) and MessageIP in (IPList))\\n| extend IPMatch = case(SourceIP in (IPList), \\\"SourceIP\\\", DestinationIP in (IPList), \\\"DestinationIP\\\", MessageIP in (IPList), \\\"Message\\\", RequestURLIP in (IPList), \\\"RequestUrl\\\", \\\"NoMatch\\\") \\n| extend timestamp = TimeGenerated , IPCustomEntity = case(IPMatch == \\\"SourceIP\\\", SourceIP, IPMatch == \\\"DestinationIP\\\", DestinationIP,IPMatch == \\\"Message\\\", MessageIP,\\nIPMatch == \\\"RequestUrl\\\", RequestURLIP,\\\"NoMatch\\\"), Account = SourceUserID, Host = DeviceName\\n),\\n(DnsEvents \\n| where TimeGenerated >= ago(timeframe) \\n| extend DestinationIPAddress = IPAddresses, DNSName = Name, Host = Computer\\n| where DestinationIPAddress in (IPList) or DNSName in~ (DomainNames) \\n| extend timestamp = TimeGenerated, IPCustomEntity = DestinationIPAddress, HostCustomEntity = Host),\\n(VMConnection \\n| where TimeGenerated >= ago(timeframe) \\n| parse RemoteDnsCanonicalNames with * '[\\\"' DNSName '\\\"]' *\\n| where isnotempty(SourceIP) or isnotempty(DestinationIP) or isnotempty(DNSName)\\n| where SourceIP in (IPList) or DestinationIP in (IPList) or DNSName in~ (DomainNames)\\n| extend IPMatch = case( SourceIP in (IPList), \\\"SourceIP\\\", DestinationIP in (IPList), \\\"DestinationIP\\\", \\\"None\\\") \\n| extend timestamp = TimeGenerated , IPCustomEntity = case(IPMatch == \\\"SourceIP\\\", SourceIP, IPMatch == \\\"DestinationIP\\\", DestinationIP, \\\"None\\\"), Host = Computer),\\n(OfficeActivity\\n| where TimeGenerated >= ago(timeframe)\\n| extend SourceIPAddress = ClientIP, Account = UserId\\n| where SourceIPAddress in (IPList)\\n| extend timestamp = TimeGenerated , IPCustomEntity = SourceIPAddress , AccountCustomEntity = Account )\\n)\",\r\n \"queryFrequency\": \"P1D\",\r\n \"queryPeriod\": \"P1D\",\r\n \"triggerOperator\": \"GreaterThan\",\r\n \"triggerThreshold\": 0,\r\n \"entityMappings\": [\r\n {\r\n \"entityType\": \"Account\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"FullName\",\r\n \"columnName\": \"AccountCustomEntity\"\r\n }\r\n ]\r\n },\r\n {\r\n \"entityType\": \"Host\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"FullName\",\r\n \"columnName\": \"HostCustomEntity\"\r\n }\r\n ]\r\n },\r\n {\r\n \"entityType\": \"IP\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"Address\",\r\n \"columnName\": \"IPCustomEntity\"\r\n }\r\n ]\r\n }\r\n ],\r\n \"displayName\": \"Known Phosphorus group domains/IP\",\r\n \"description\": \"Matches domain name IOCs related to Phosphorus group activity with CommonSecurityLog, DnsEvents, OfficeActivity and VMConnection dataTypes.\\nReferences: https://blogs.microsoft.com/on-the-issues/2019/03/27/new-steps-to-protect-customers-from-hacking/.\",\r\n \"tactics\": [\r\n \"CommandAndControl\"\r\n ],\r\n \"lastUpdatedDateUTC\": \"2020-11-17T00:00:00Z\",\r\n \"createdDateUTC\": \"2020-10-20T00:00:00Z\",\r\n \"status\": \"Available\",\r\n \"requiredDataConnectors\": [\r\n {\r\n \"connectorId\": \"DNS\",\r\n \"dataTypes\": [\r\n \"DnsEvents\"\r\n ]\r\n },\r\n {\r\n \"connectorId\": \"AzureMonitor(VMInsights)\",\r\n \"dataTypes\": [\r\n \"VMConnection\"\r\n ]\r\n },\r\n {\r\n \"connectorId\": \"CiscoASA\",\r\n \"dataTypes\": [\r\n \"CommonSecurityLog\"\r\n ]\r\n },\r\n {\r\n \"connectorId\": \"PaloAltoNetworks\",\r\n \"dataTypes\": [\r\n \"CommonSecurityLog\"\r\n ]\r\n },\r\n {\r\n \"connectorId\": \"Office365\",\r\n \"dataTypes\": [\r\n \"OfficeActivity\"\r\n ]\r\n }\r\n ],\r\n \"alertRulesCreatedByTemplateCount\": 1\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/AlertRuleTemplates/c7bfadd4-34a6-4fa5-82f8-3691a32261e8\",\r\n \"name\": \"c7bfadd4-34a6-4fa5-82f8-3691a32261e8\",\r\n \"type\": \"Microsoft.SecurityInsights/AlertRuleTemplates\",\r\n \"kind\": \"Scheduled\",\r\n \"properties\": {\r\n \"severity\": \"Low\",\r\n \"query\": \"let timeframe = 1d;\\nlet EventNameList = dynamic([\\\"ApplySecurityGroupsToLoadBalancer\\\", \\\"SetSecurityGroups\\\"]);\\nAWSCloudTrail\\n| where TimeGenerated >= ago(timeframe)\\n| where EventName in~ (EventNameList)\\n| extend User = iif(isnotempty(UserIdentityUserName), UserIdentityUserName, SessionIssuerUserName)\\n| summarize EventCount=count(), StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated) \\nby EventSource, EventName, UserIdentityType, User, SourceIpAddress, UserAgent, SessionMfaAuthenticated, AWSRegion,\\nAdditionalEventData, UserIdentityAccountId, UserIdentityPrincipalid, ResponseElements\\n| extend timestamp = StartTimeUtc, AccountCustomEntity = User , IPCustomEntity = SourceIpAddress\",\r\n \"queryFrequency\": \"P1D\",\r\n \"queryPeriod\": \"P1D\",\r\n \"triggerOperator\": \"GreaterThan\",\r\n \"triggerThreshold\": 0,\r\n \"entityMappings\": [\r\n {\r\n \"entityType\": \"Account\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"FullName\",\r\n \"columnName\": \"AccountCustomEntity\"\r\n }\r\n ]\r\n },\r\n {\r\n \"entityType\": \"IP\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"Address\",\r\n \"columnName\": \"IPCustomEntity\"\r\n }\r\n ]\r\n }\r\n ],\r\n \"displayName\": \"Changes to AWS Elastic Load Balancer security groups\",\r\n \"description\": \"Elastic Load Balancer distributes incoming traffic across multiple instances in multiple availability Zones. This increases the fault tolerance of your applications. \\n Unwanted changes to Elastic Load Balancer specific security groups could open your environment to attack and hence needs monitoring.\\n More information: https://medium.com/@GorillaStack/the-most-important-aws-cloudtrail-security-events-to-track-a5b9873f8255 \\n and https://aws.amazon.com/elasticloadbalancing/.\",\r\n \"tactics\": [\r\n \"Persistence\"\r\n ],\r\n \"lastUpdatedDateUTC\": \"2020-11-17T00:00:00Z\",\r\n \"createdDateUTC\": \"2019-02-27T00:00:00Z\",\r\n \"status\": \"Available\",\r\n \"requiredDataConnectors\": [\r\n {\r\n \"connectorId\": \"AWS\",\r\n \"dataTypes\": [\r\n \"AWSCloudTrail\"\r\n ]\r\n }\r\n ],\r\n \"alertRulesCreatedByTemplateCount\": 0\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/AlertRuleTemplates/a22740ec-fc1e-4c91-8de6-c29c6450ad00\",\r\n \"name\": \"a22740ec-fc1e-4c91-8de6-c29c6450ad00\",\r\n \"type\": \"Microsoft.SecurityInsights/AlertRuleTemplates\",\r\n \"kind\": \"Scheduled\",\r\n \"properties\": {\r\n \"severity\": \"Medium\",\r\n \"query\": \"SigninLogs\\n| where ResultType == 500121\\n| where Status has \\\"MFA Denied; user declined the authentication\\\"\\n| extend AccountCustomEntity = AlternateSignInName\\n| extend IPCustomEntity = IPAddress\\n| extend URLCustomEntity = ClientAppUsed\",\r\n \"queryFrequency\": \"P1D\",\r\n \"queryPeriod\": \"P1D\",\r\n \"triggerOperator\": \"GreaterThan\",\r\n \"triggerThreshold\": 0,\r\n \"entityMappings\": [\r\n {\r\n \"entityType\": \"Account\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"FullName\",\r\n \"columnName\": \"AccountCustomEntity\"\r\n }\r\n ]\r\n },\r\n {\r\n \"entityType\": \"IP\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"Address\",\r\n \"columnName\": \"IPCustomEntity\"\r\n }\r\n ]\r\n },\r\n {\r\n \"entityType\": \"URL\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"Url\",\r\n \"columnName\": \"URLCustomEntity\"\r\n }\r\n ]\r\n }\r\n ],\r\n \"displayName\": \"Explicit MFA Deny\",\r\n \"description\": \"User explicitly denies MFA push, indicating that login was not expected and the account's password may be compromised.\",\r\n \"tactics\": [\r\n \"CredentialAccess\"\r\n ],\r\n \"lastUpdatedDateUTC\": \"2020-11-17T00:00:00Z\",\r\n \"createdDateUTC\": \"2020-10-14T00:00:00Z\",\r\n \"status\": \"Available\",\r\n \"requiredDataConnectors\": [\r\n {\r\n \"connectorId\": \"AzureActiveDirectory\",\r\n \"dataTypes\": [\r\n \"SigninLogs\"\r\n ]\r\n }\r\n ],\r\n \"alertRulesCreatedByTemplateCount\": 0\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/AlertRuleTemplates/3af9285d-bb98-4a35-ad29-5ea39ba0c628\",\r\n \"name\": \"3af9285d-bb98-4a35-ad29-5ea39ba0c628\",\r\n \"type\": \"Microsoft.SecurityInsights/AlertRuleTemplates\",\r\n \"kind\": \"Scheduled\",\r\n \"properties\": {\r\n \"severity\": \"Low\",\r\n \"query\": \"let timeRange = ago(1d);\\nlet threshold = 1;\\nSigninLogs\\n| where TimeGenerated >= timeRange\\n| where ConditionalAccessStatus == 1 or ConditionalAccessStatus =~ \\\"failure\\\"\\n| extend OS = DeviceDetail.operatingSystem, Browser = DeviceDetail.browser \\n| extend StatusCode = tostring(Status.errorCode), StatusDetails = tostring(Status.additionalDetails)\\n| extend ConditionalAccessPol0Name = tostring(ConditionalAccessPolicies[0].displayName)\\n| extend ConditionalAccessPol1Name = tostring(ConditionalAccessPolicies[1].displayName)\\n| extend ConditionalAccessPol2Name = tostring(ConditionalAccessPolicies[2].displayName)\\n| extend Status = strcat(StatusCode, \\\": \\\", ResultDescription) \\n| summarize StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated), Status = makelist(Status), StatusDetails = makelist(StatusDetails), IPAddresses = makelist(IPAddress), IPAddressCount = dcount(IPAddress) , CorrelationIds = makelist(CorrelationId) by UserPrincipalName, AppDisplayName, tostring(Browser), tostring(OS), Location, ConditionalAccessPol0Name, ConditionalAccessPol1Name, ConditionalAccessPol2Name\\n| where IPAddressCount > threshold and StatusDetails !has \\\"MFA successfully completed\\\"\\n| mvexpand IPAddresses, Status, StatusDetails, CorrelationIds\\n| extend Status = strcat(Status, \\\" \\\", StatusDetails)\\n| summarize IPAddresses = makeset(IPAddresses), Status = makeset(Status), CorrelationIds = makeset(CorrelationIds) by StartTimeUtc, EndTimeUtc, UserPrincipalName, AppDisplayName, tostring(Browser), tostring(OS), Location, ConditionalAccessPol0Name, ConditionalAccessPol1Name, ConditionalAccessPol2Name, IPAddressCount\\n| extend timestamp = StartTimeUtc, AccountCustomEntity = UserPrincipalName, IPCustomEntity = tostring(IPAddresses)\",\r\n \"queryFrequency\": \"P1D\",\r\n \"queryPeriod\": \"P1D\",\r\n \"triggerOperator\": \"GreaterThan\",\r\n \"triggerThreshold\": 0,\r\n \"entityMappings\": [\r\n {\r\n \"entityType\": \"Account\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"FullName\",\r\n \"columnName\": \"AccountCustomEntity\"\r\n }\r\n ]\r\n },\r\n {\r\n \"entityType\": \"IP\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"Address\",\r\n \"columnName\": \"IPCustomEntity\"\r\n }\r\n ]\r\n }\r\n ],\r\n \"displayName\": \"Attempt to bypass conditional access rule in Azure AD\",\r\n \"description\": \"Identifies an attempt to Bypass conditional access rule(s) in Azure Active Directory.\\nThe ConditionalAccessStatus column value details if there was an attempt to bypass Conditional Access\\nor if the Conditional access rule was not satisfied (ConditionalAccessStatus == 1).\\nReferences: \\nhttps://docs.microsoft.com/azure/active-directory/conditional-access/overview\\nhttps://docs.microsoft.com/azure/active-directory/reports-monitoring/concept-sign-ins\\nhttps://docs.microsoft.com/azure/active-directory/reports-monitoring/reference-sign-ins-error-codes\\nConditionalAccessStatus == 0 // Success\\nConditionalAccessStatus == 1 // Failure\\nConditionalAccessStatus == 2 // Not Applied\\nConditionalAccessStatus == 3 // unknown\",\r\n \"tactics\": [\r\n \"InitialAccess\",\r\n \"Persistence\"\r\n ],\r\n \"lastUpdatedDateUTC\": \"2020-11-17T00:00:00Z\",\r\n \"createdDateUTC\": \"2019-02-11T00:00:00Z\",\r\n \"status\": \"Available\",\r\n \"requiredDataConnectors\": [\r\n {\r\n \"connectorId\": \"AzureActiveDirectory\",\r\n \"dataTypes\": [\r\n \"SigninLogs\"\r\n ]\r\n }\r\n ],\r\n \"alertRulesCreatedByTemplateCount\": 0\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/AlertRuleTemplates/173f8699-6af5-484a-8b06-8c47ba89b380\",\r\n \"name\": \"173f8699-6af5-484a-8b06-8c47ba89b380\",\r\n \"type\": \"Microsoft.SecurityInsights/AlertRuleTemplates\",\r\n \"kind\": \"Scheduled\",\r\n \"properties\": {\r\n \"severity\": \"Low\",\r\n \"query\": \"// Adjust this value to change how many Teams should be deleted before including\\nlet max_delete_count = 3;\\n// Adjust this value to change the timewindow the query runs over\\n OfficeActivity\\n| where OfficeWorkload =~ \\\"MicrosoftTeams\\\" \\n| where Operation =~ \\\"TeamDeleted\\\"\\n| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated), DeletedTeams = make_set(TeamName) by UserId\\n| where array_length(DeletedTeams) > max_delete_count\\n| extend timestamp = StartTime, AccountCustomEntity = UserId\",\r\n \"queryFrequency\": \"P1D\",\r\n \"queryPeriod\": \"P1D\",\r\n \"triggerOperator\": \"GreaterThan\",\r\n \"triggerThreshold\": 0,\r\n \"entityMappings\": [\r\n {\r\n \"entityType\": \"Account\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"FullName\",\r\n \"columnName\": \"AccountCustomEntity\"\r\n }\r\n ]\r\n }\r\n ],\r\n \"displayName\": \"Multiple Teams deleted by a single user\",\r\n \"description\": \"This detection flags the occurrences of deleting multiple teams within an hour.\\nThis data is a part of Office 365 Connector in Azure Sentinel.\",\r\n \"tactics\": [\r\n \"Impact\"\r\n ],\r\n \"lastUpdatedDateUTC\": \"2020-11-17T00:00:00Z\",\r\n \"createdDateUTC\": \"2020-09-13T00:00:00Z\",\r\n \"status\": \"Available\",\r\n \"requiredDataConnectors\": [\r\n {\r\n \"connectorId\": \"Office365\",\r\n \"dataTypes\": [\r\n \"OfficeActivity (Teams)\"\r\n ]\r\n }\r\n ],\r\n \"alertRulesCreatedByTemplateCount\": 0\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/AlertRuleTemplates/a83ef0f4-dace-4767-bce3-ebd32599d2a0\",\r\n \"name\": \"a83ef0f4-dace-4767-bce3-ebd32599d2a0\",\r\n \"type\": \"Microsoft.SecurityInsights/AlertRuleTemplates\",\r\n \"kind\": \"Scheduled\",\r\n \"properties\": {\r\n \"severity\": \"Low\",\r\n \"query\": \"let timeframe = 1d;\\nDnsEvents\\n| where TimeGenerated > ago(timeframe)\\n| where Name contains \\\".\\\"\\n| where Name has_any (\\\"tor2web.org\\\", \\\"tor2web.com\\\", \\\"torlink.co\\\", \\\"onion.to\\\", \\\"onion.ink\\\", \\\"onion.cab\\\", \\\"onion.nu\\\", \\\"onion.link\\\", \\n\\\"onion.it\\\", \\\"onion.city\\\", \\\"onion.direct\\\", \\\"onion.top\\\", \\\"onion.casa\\\", \\\"onion.plus\\\", \\\"onion.rip\\\", \\\"onion.dog\\\", \\\"tor2web.fi\\\", \\n\\\"tor2web.blutmagie.de\\\", \\\"onion.sh\\\", \\\"onion.lu\\\", \\\"onion.pet\\\", \\\"t2w.pw\\\", \\\"tor2web.ae.org\\\", \\\"tor2web.io\\\", \\\"tor2web.xyz\\\", \\\"onion.lt\\\", \\n\\\"s1.tor-gateways.de\\\", \\\"s2.tor-gateways.de\\\", \\\"s3.tor-gateways.de\\\", \\\"s4.tor-gateways.de\\\", \\\"s5.tor-gateways.de\\\", \\\"hiddenservice.net\\\")\\n| extend timestamp = TimeGenerated, IPCustomEntity = ClientIP, HostCustomEntity = Computer\",\r\n \"queryFrequency\": \"P1D\",\r\n \"queryPeriod\": \"P1D\",\r\n \"triggerOperator\": \"GreaterThan\",\r\n \"triggerThreshold\": 0,\r\n \"entityMappings\": [\r\n {\r\n \"entityType\": \"Host\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"FullName\",\r\n \"columnName\": \"HostCustomEntity\"\r\n }\r\n ]\r\n },\r\n {\r\n \"entityType\": \"IP\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"Address\",\r\n \"columnName\": \"IPCustomEntity\"\r\n }\r\n ]\r\n }\r\n ],\r\n \"displayName\": \"DNS events related to ToR proxies\",\r\n \"description\": \"Identifies IP addresses performing DNS lookups associated with common ToR proxies.\",\r\n \"tactics\": [\r\n \"Exfiltration\"\r\n ],\r\n \"lastUpdatedDateUTC\": \"2020-11-17T00:00:00Z\",\r\n \"createdDateUTC\": \"2019-02-07T00:00:00Z\",\r\n \"status\": \"Available\",\r\n \"requiredDataConnectors\": [\r\n {\r\n \"connectorId\": \"DNS\",\r\n \"dataTypes\": [\r\n \"DnsEvents\"\r\n ]\r\n }\r\n ],\r\n \"alertRulesCreatedByTemplateCount\": 0\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/AlertRuleTemplates/a2e36ce0-da4d-4b6e-88c6-4e40161c5bfc\",\r\n \"name\": \"a2e36ce0-da4d-4b6e-88c6-4e40161c5bfc\",\r\n \"type\": \"Microsoft.SecurityInsights/AlertRuleTemplates\",\r\n \"kind\": \"Scheduled\",\r\n \"properties\": {\r\n \"severity\": \"Medium\",\r\n \"query\": \"let dt_lookBack = 1h;\\nlet ioc_lookBack = 14d;\\nlet emailregex = @'^[a-zA-Z0-9_.+-]+@[a-zA-Z0-9-]+\\\\.[a-zA-Z0-9-.]+$';\\nThreatIntelligenceIndicator\\n| where TimeGenerated >= ago(ioc_lookBack) and ExpirationDateTime > now()\\n| where Active == true\\n//Filtering the table for Email related IOCs\\n| where isnotempty(EmailRecipient)\\n| join (\\n SecurityAlert | where TimeGenerated >= ago(dt_lookBack)\\n // Converting Entities into dynamic data type and use mv-expand to unpack the array\\n | extend EntitiesDynamicArray = parse_json(Entities) | mv-expand EntitiesDynamicArray\\n // Parsing relevant entity column to filter type account and creating new column by combining account and UPNSuffix\\n | extend Entitytype = tostring(parse_json(EntitiesDynamicArray).Type), EntityName = tostring(parse_json(EntitiesDynamicArray).Name),\\n EntityUPNSuffix = tostring(parse_json(EntitiesDynamicArray).UPNSuffix)\\n | where Entitytype =~ \\\"account\\\"\\n | extend EntityEmail = tolower(strcat(EntityName, \\\"@\\\", EntityUPNSuffix))\\n | where EntityEmail matches regex emailregex\\n | extend SecurityAlert_TimeGenerated = TimeGenerated\\n)\\non $left.EmailRecipient == $right.EntityEmail\\n| summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId\\n| project LatestIndicatorTime, Description, ActivityGroupNames, IndicatorId, ThreatType, Url, ExpirationDateTime, ConfidenceScore, SecurityAlert_TimeGenerated,\\nEmailSenderName, EmailSourceDomain, EmailSourceIpAddress, EmailSubject, FileHashValue, FileHashType, EntityEmail, AlertName, AlertType,\\nAlertSeverity, Entities, ProviderName, VendorName\\n| extend timestamp = SecurityAlert_TimeGenerated, AccountCustomEntity = EntityEmail, URLCustomEntity = Url\",\r\n \"queryFrequency\": \"PT1H\",\r\n \"queryPeriod\": \"P14D\",\r\n \"triggerOperator\": \"GreaterThan\",\r\n \"triggerThreshold\": 0,\r\n \"entityMappings\": [\r\n {\r\n \"entityType\": \"Account\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"FullName\",\r\n \"columnName\": \"AccountCustomEntity\"\r\n }\r\n ]\r\n },\r\n {\r\n \"entityType\": \"URL\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"Url\",\r\n \"columnName\": \"URLCustomEntity\"\r\n }\r\n ]\r\n }\r\n ],\r\n \"displayName\": \"(Preview) TI map Email entity to SecurityAlert\",\r\n \"description\": \"Identifies a match in SecurityAlert table from any Email IOC from TI which will extend coverage to datatypes such as MCAS, StorageThreatProtection and many others\",\r\n \"tactics\": [\r\n \"Impact\"\r\n ],\r\n \"lastUpdatedDateUTC\": \"2020-11-17T00:00:00Z\",\r\n \"createdDateUTC\": \"2019-08-28T00:00:00Z\",\r\n \"status\": \"Available\",\r\n \"requiredDataConnectors\": [\r\n {\r\n \"connectorId\": \"AzureSecurityCenter\",\r\n \"dataTypes\": [\r\n \"SecurityAlert\"\r\n ]\r\n },\r\n {\r\n \"connectorId\": \"ThreatIntelligence\",\r\n \"dataTypes\": [\r\n \"ThreatIntelligenceIndicator\"\r\n ]\r\n },\r\n {\r\n \"connectorId\": \"ThreatIntelligenceTaxii\",\r\n \"dataTypes\": [\r\n \"ThreatIntelligenceIndicator\"\r\n ]\r\n }\r\n ],\r\n \"alertRulesCreatedByTemplateCount\": 0\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/AlertRuleTemplates/fa118b98-de46-4e94-87f9-8e6d5060b60b\",\r\n \"name\": \"fa118b98-de46-4e94-87f9-8e6d5060b60b\",\r\n \"type\": \"Microsoft.SecurityInsights/AlertRuleTemplates\",\r\n \"kind\": \"MLBehaviorAnalytics\",\r\n \"properties\": {\r\n \"severity\": \"Medium\",\r\n \"displayName\": \"(Preview) Anomalous SSH Login Detection\",\r\n \"description\": \"This detection uses machine learning (ML) to identify anomalous Secure Shell (SSH) login activity, based on syslog data. Scenarios include:\\n\\n*\\tUnusual IP - This IP address has not or has rarely been seen in last 30 days.\\n*\\tUnusual Geo - The IP address, city, country and ASN have not (or rarely) been seen in last 30 days.\\n*\\tNew user - A new user logs in from an IP address and geo location, both or either of which are not expected to be seen in the last 30 days.\\n\\nAllow 7 days after this alert is enabled for Azure Sentinel to build a profile of normal activity for your environment.\\n\\nThis detection requires a specific configuration of the data source. [Learn more](https://docs.microsoft.com/en-us/azure/sentinel/connect-syslog#configure-the-syslog-connector-for-anomalous-ssh-login-detection)\",\r\n \"tactics\": [\r\n \"InitialAccess\"\r\n ],\r\n \"lastUpdatedDateUTC\": \"2020-07-16T00:00:00Z\",\r\n \"createdDateUTC\": \"2019-08-05T00:00:00Z\",\r\n \"status\": \"Available\",\r\n \"requiredDataConnectors\": [\r\n {\r\n \"connectorId\": \"Syslog\",\r\n \"dataTypes\": [\r\n \"Syslog\"\r\n ]\r\n }\r\n ],\r\n \"alertRulesCreatedByTemplateCount\": 0\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/AlertRuleTemplates/a0907abe-6925-4d90-af2b-c7e89dc201a6\",\r\n \"name\": \"a0907abe-6925-4d90-af2b-c7e89dc201a6\",\r\n \"type\": \"Microsoft.SecurityInsights/AlertRuleTemplates\",\r\n \"kind\": \"Scheduled\",\r\n \"properties\": {\r\n \"severity\": \"Medium\",\r\n \"query\": \"let starttime = 10d;\\nlet endtime = 1d;\\nlet threshold = 100;\\nlet nxDomainDnsEvents = DnsEvents \\n| where ResultCode == 3 \\n| where QueryType in (\\\"A\\\", \\\"AAAA\\\")\\n| where ipv4_is_match(\\\"127.0.0.1\\\", ClientIP) == False\\n| where Name !contains \\\"/\\\"\\n| where Name contains \\\".\\\";\\nnxDomainDnsEvents\\n| where TimeGenerated > ago(endtime)\\n| extend sld = tostring(split(Name, \\\".\\\")[-2])\\n| summarize StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated), dcount(sld) by ClientIP\\n| where dcount_sld > threshold\\n// Filter out previously seen IPs\\n| join kind=leftanti (nxDomainDnsEvents\\n | where TimeGenerated between(ago(starttime)..ago(endtime))\\n | extend sld = tostring(split(Name, \\\".\\\")[-2])\\n | summarize dcount(sld) by ClientIP\\n | where dcount_sld > threshold ) on ClientIP\\n// Pull out sample NXDomain responses for those remaining potentially infected IPs\\n| join kind = inner (nxDomainDnsEvents | summarize by Name, ClientIP) on ClientIP\\n| summarize StartTimeUtc = min(StartTimeUtc), EndTimeUtc = max(EndTimeUtc), sampleNXDomainList=make_list(Name, 100) by ClientIP, dcount_sld\\n| extend timestamp = StartTimeUtc, IPCustomEntity = ClientIP\",\r\n \"queryFrequency\": \"P1D\",\r\n \"queryPeriod\": \"P10D\",\r\n \"triggerOperator\": \"GreaterThan\",\r\n \"triggerThreshold\": 0,\r\n \"entityMappings\": [\r\n {\r\n \"entityType\": \"IP\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"Address\",\r\n \"columnName\": \"IPCustomEntity\"\r\n }\r\n ]\r\n }\r\n ],\r\n \"displayName\": \"Potential DGA detected\",\r\n \"description\": \"Identifies clients with a high NXDomain count which could be indicative of a DGA (cycling through possible C2 domains\\nwhere most C2s are not live). Alert is generated when a new IP address is seen (based on not being seen associated with \\nNXDomain records in prior 10-day baseline period).\",\r\n \"tactics\": [\r\n \"CommandAndControl\"\r\n ],\r\n \"lastUpdatedDateUTC\": \"2020-11-17T00:00:00Z\",\r\n \"createdDateUTC\": \"2019-02-07T00:00:00Z\",\r\n \"status\": \"Available\",\r\n \"requiredDataConnectors\": [\r\n {\r\n \"connectorId\": \"DNS\",\r\n \"dataTypes\": [\r\n \"DnsEvents\"\r\n ]\r\n }\r\n ],\r\n \"alertRulesCreatedByTemplateCount\": 0\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/AlertRuleTemplates/79f29feb-6a9d-4cdf-baaa-2daf480a5da1\",\r\n \"name\": \"79f29feb-6a9d-4cdf-baaa-2daf480a5da1\",\r\n \"type\": \"Microsoft.SecurityInsights/AlertRuleTemplates\",\r\n \"kind\": \"Scheduled\",\r\n \"properties\": {\r\n \"severity\": \"Low\",\r\n \"query\": \"let timeframe = 1h;\\nlet last1h = CommonSecurityLog \\n| where TimeGenerated >= ago(timeframe)\\n| where isempty(CommunicationDirection) \\n| where DeviceEventClassID == \\\"733100\\\"\\n| extend SourceOfDropRateCount = tostring(split(tostring(split(Message, \\\"]\\\")[0]),\\\"[ \\\")[1])\\n| extend splitMessage = split(Message, \\\".\\\")\\n| extend DropRate = tostring(split(tostring(splitMessage[0]),\\\"] \\\")[1])\\n| extend CurrentBurstRate = split(tostring(split(tostring(splitMessage[1]),\\\" \\\")[0]),\\\"is \\\")\\n| extend CurrentBurstRatePerSec = toint(split(tostring(CurrentBurstRate[1]),\\\" \\\")[0])\\n| extend MaxConfiguredBurstRate = toint(CurrentBurstRate[2])\\n| extend CurrentAvgRate = split(tostring(split(tostring(splitMessage[1]),\\\" \\\")[1]),\\\"is \\\")\\n| extend CurrentAvgRatePerSec = toint(split(tostring(CurrentAvgRate[1]),\\\" \\\")[0])\\n| extend MaxConfiguredAvgRate = toint(CurrentAvgRate[2])\\n| extend CumulativeTotal = toint(split(tostring(split(tostring(splitMessage[1]),\\\" \\\")[2]),\\\"is \\\")[1])\\n| summarize last1hCumTotal = sum(CumulativeTotal), last1hAvgRatePerSec = avg(CurrentAvgRatePerSec), last1hAvgBurstRatePerSec = avg(CurrentBurstRatePerSec) by DeviceName, DeviceEventClassID, SourceIP, SourceOfDropRateCount, DropRate;\\nlet prev6h = CommonSecurityLog \\n| where TimeGenerated between (ago(6h) .. ago(1h))\\n| where isempty(CommunicationDirection) \\n| where DeviceEventClassID == \\\"733100\\\"\\n| extend SourceOfDropRateCount = tostring(split(tostring(split(Message, \\\"]\\\")[0]),\\\"[ \\\")[1])\\n| extend splitMessage = split(Message, \\\".\\\")\\n| extend DropRate = tostring(split(tostring(splitMessage[0]),\\\"] \\\")[1])\\n| extend CurrentBurstRate = split(tostring(split(tostring(splitMessage[1]),\\\" \\\")[0]),\\\"is \\\")\\n| extend prevCurrentBurstRatePerSec = toint(split(tostring(CurrentBurstRate[1]),\\\" \\\")[0])\\n| extend prevMaxConfiguredBurstRate = toint(CurrentBurstRate[2])\\n| extend CurrentAvgRate = split(tostring(split(tostring(splitMessage[1]),\\\" \\\")[1]),\\\"is \\\")\\n| extend prevCurrentAvgRatePerSec = toint(split(tostring(CurrentAvgRate[1]),\\\" \\\")[0])\\n| extend prevMaxConfiguredAvgRate = toint(CurrentAvgRate[2])\\n| extend prevCumulativeTotal = toint(split(tostring(split(tostring(splitMessage[1]),\\\" \\\")[2]),\\\"is \\\")[1])\\n| summarize StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated), prev6hCumTotal = sum(prevCumulativeTotal), prev6hAvgRatePerSec = avg(prevCurrentAvgRatePerSec), prev6hAvgBurstRatePerSec = avg(prevCurrentBurstRatePerSec) \\nby DeviceName, DeviceEventClassID, SourceIP, SourceOfDropRateCount, DropRate;\\nlast1h | join (\\n prev6h \\n) on DeviceName, DeviceEventClassID, SourceIP, SourceOfDropRateCount, DropRate\\n| project StartTimeUtc, EndTimeUtc, DeviceName, DeviceEventClassID, SourceIP, SourceOfDropRateCount, DropRate, last1hCumTotal, prev6hCumTotal, prev6hAvgCumTotal = prev6hCumTotal/6, last1hAvgRatePerSec, prev6hAvgRatePerSec, last1hAvgBurstRatePerSec, prev6hAvgBurstRatePerSec\\n// Select only events that indicate a doubling of the expected rate in the last hour over the previous 6 hours\\n| where last1hCumTotal > 2*prev6hAvgCumTotal or last1hAvgRatePerSec > 2*prev6hAvgRatePerSec or last1hAvgBurstRatePerSec > 2*prev6hAvgBurstRatePerSec\\n| extend timestamp = StartTimeUtc, IPCustomEntity = SourceIP, HostCustomEntity = DeviceName\",\r\n \"queryFrequency\": \"PT1H\",\r\n \"queryPeriod\": \"PT6H\",\r\n \"triggerOperator\": \"GreaterThan\",\r\n \"triggerThreshold\": 0,\r\n \"entityMappings\": [\r\n {\r\n \"entityType\": \"Host\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"FullName\",\r\n \"columnName\": \"HostCustomEntity\"\r\n }\r\n ]\r\n },\r\n {\r\n \"entityType\": \"IP\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"Address\",\r\n \"columnName\": \"IPCustomEntity\"\r\n }\r\n ]\r\n }\r\n ],\r\n \"displayName\": \"Cisco ASA - average attack detection rate increase\",\r\n \"description\": \"This will help you determine if Cisco ASA devices are under heavier attack than normal over the last hour versus the previous 6 hours based on DeviceEventClassID 733100\\nReferences: https://www.cisco.com/c/en/us/td/docs/security/asa/syslog/b_syslog/syslogs9.html\\nDetails on how to further troubleshoot/investigate: https://www.cisco.com/c/en/us/support/docs/security/asa-5500-x-series-next-generation-firewalls/113685-asa-threat-detection.html\",\r\n \"tactics\": [\r\n \"Discovery\",\r\n \"Impact\"\r\n ],\r\n \"lastUpdatedDateUTC\": \"2020-11-17T00:00:00Z\",\r\n \"createdDateUTC\": \"2019-02-28T00:00:00Z\",\r\n \"status\": \"Available\",\r\n \"requiredDataConnectors\": [\r\n {\r\n \"connectorId\": \"CiscoASA\",\r\n \"dataTypes\": [\r\n \"CommonSecurityLog\"\r\n ]\r\n }\r\n ],\r\n \"alertRulesCreatedByTemplateCount\": 0\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/AlertRuleTemplates/500415fb-bba7-4227-a08a-9857fb61b6a7\",\r\n \"name\": \"500415fb-bba7-4227-a08a-9857fb61b6a7\",\r\n \"type\": \"Microsoft.SecurityInsights/AlertRuleTemplates\",\r\n \"kind\": \"Scheduled\",\r\n \"properties\": {\r\n \"severity\": \"Medium\",\r\n \"query\": \"let timeframe = 1d;\\nOfficeActivity\\n| where TimeGenerated >= ago(timeframe)\\n| where OfficeWorkload == \\\"Exchange\\\"\\n| where Operation in~ (\\\"New-TransportRule\\\", \\\"Set-TransportRule\\\")\\n| extend p = parse_json(Parameters)\\n| extend RuleName = case(\\n Operation =~ \\\"Set-TransportRule\\\", tostring(OfficeObjectId),\\n Operation =~ \\\"New-TransportRule\\\", tostring(p[1].Value),\\n \\\"Unknown\\\"\\n ) \\n| mvexpand p\\n| where (p.Name =~ \\\"BlindCopyTo\\\" or p.Name =~ \\\"RedirectMessageTo\\\") and isnotempty(p.Value)\\n| extend RedirectTo = p.Value\\n| extend ClientIPOnly = case( \\n ClientIP has \\\".\\\" and ClientIP has \\\":\\\", tostring(split(ClientIP,\\\":\\\")[0]), \\n ClientIP has \\\".\\\" and ClientIP has \\\"-\\\", tostring(split(ClientIP,\\\"-\\\")[0]), \\n ClientIP has \\\"[\\\", tostring(trim_start(@'[[]',tostring(split(ClientIP,\\\"]\\\")[0]))),\\n ClientIP\\n ) \\n| extend Port = case(\\n ClientIP has \\\".\\\" and ClientIP has \\\":\\\", (split(ClientIP,\\\":\\\")[1]),\\n ClientIP has \\\".\\\" and ClientIP has \\\"-\\\", (split(ClientIP,\\\"-\\\")[1]),\\n ClientIP has \\\"[\\\" and ClientIP has \\\":\\\", tostring(split(ClientIP,\\\"]:\\\")[1]),\\n ClientIP has \\\"[\\\" and ClientIP has \\\"-\\\", tostring(split(ClientIP,\\\"]-\\\")[1]),\\n ClientIP\\n )\\n| extend ClientIP = ClientIPOnly\\n| project TimeGenerated, RedirectTo, ClientIP, Port, UserId, Operation, RuleName\\n| extend timestamp = TimeGenerated, AccountCustomEntity = UserId, IPCustomEntity = ClientIP\",\r\n \"queryFrequency\": \"P1D\",\r\n \"queryPeriod\": \"P1D\",\r\n \"triggerOperator\": \"GreaterThan\",\r\n \"triggerThreshold\": 0,\r\n \"entityMappings\": [\r\n {\r\n \"entityType\": \"Account\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"FullName\",\r\n \"columnName\": \"AccountCustomEntity\"\r\n }\r\n ]\r\n },\r\n {\r\n \"entityType\": \"IP\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"Address\",\r\n \"columnName\": \"IPCustomEntity\"\r\n }\r\n ]\r\n }\r\n ],\r\n \"displayName\": \"Mail redirect via ExO transport rule\",\r\n \"description\": \"Identifies when Exchange Online transport rule configured to forward emails.\\nThis could be an adversary mailbox configured to collect mail from multiple user accounts.\",\r\n \"tactics\": [\r\n \"Collection\",\r\n \"Exfiltration\"\r\n ],\r\n \"lastUpdatedDateUTC\": \"2020-11-17T00:00:00Z\",\r\n \"createdDateUTC\": \"2020-05-05T00:00:00Z\",\r\n \"status\": \"Available\",\r\n \"requiredDataConnectors\": [\r\n {\r\n \"connectorId\": \"Office365\",\r\n \"dataTypes\": [\r\n \"OfficeActivity\"\r\n ]\r\n }\r\n ],\r\n \"alertRulesCreatedByTemplateCount\": 0\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/AlertRuleTemplates/7ee72a9e-2e54-459c-bc8a-8c08a6532a63\",\r\n \"name\": \"7ee72a9e-2e54-459c-bc8a-8c08a6532a63\",\r\n \"type\": \"Microsoft.SecurityInsights/AlertRuleTemplates\",\r\n \"kind\": \"Scheduled\",\r\n \"properties\": {\r\n \"severity\": \"High\",\r\n \"query\": \"let timeframe = 1d;\\nlet IPList = dynamic([\\\"154.223.45.38\\\",\\\"185.141.207.140\\\",\\\"185.234.73.19\\\",\\\"216.245.210.106\\\",\\\"51.91.48.210\\\",\\\"46.255.230.229\\\"]);\\n(union isfuzzy=true\\n(CommonSecurityLog\\n| where TimeGenerated >= ago(timeframe) \\n| where isnotempty(SourceIP) or isnotempty(DestinationIP)\\n| where SourceIP in (IPList) or DestinationIP in (IPList) or Message has_any (IPList)\\n| extend IPMatch = case(SourceIP in (IPList), \\\"SourceIP\\\", DestinationIP in (IPList), \\\"DestinationIP\\\", \\\"Message\\\") \\n| summarize StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated) by SourceIP, DestinationIP, DeviceProduct, DeviceAction, Message, Protocol, SourcePort, DestinationPort, DeviceAddress, DeviceName, IPMatch\\n| extend timestamp = StartTimeUtc, IPCustomEntity = case(IPMatch == \\\"SourceIP\\\", SourceIP, IPMatch == \\\"DestinationIP\\\", DestinationIP, \\\"IP in Message Field\\\") \\n),\\n(OfficeActivity\\n| where TimeGenerated >= ago(timeframe) \\n|extend SourceIPAddress = ClientIP, Account = UserId\\n| where SourceIPAddress in (IPList)\\n| extend timestamp = TimeGenerated , IPCustomEntity = SourceIPAddress , AccountCustomEntity = Account\\n),\\n(DnsEvents \\n| where TimeGenerated >= ago(timeframe) \\n| extend DestinationIPAddress = IPAddresses, Host = Computer\\n| where DestinationIPAddress has_any (IPList) \\n| extend timestamp = TimeGenerated, IPCustomEntity = DestinationIPAddress, HostCustomEntity = Host\\n),\\n(VMConnection \\n| where TimeGenerated >= ago(timeframe) \\n| where isnotempty(SourceIp) or isnotempty(DestinationIp) \\n| where SourceIp in (IPList) or DestinationIp in (IPList) \\n| extend IPMatch = case( SourceIp in (IPList), \\\"SourceIP\\\", DestinationIp in (IPList), \\\"DestinationIP\\\", \\\"None\\\") \\n| extend timestamp = TimeGenerated , IPCustomEntity = case(IPMatch == \\\"SourceIP\\\", SourceIp, IPMatch == \\\"DestinationIP\\\", DestinationIp, \\\"None\\\"), Host = Computer\\n),\\n(Event\\n| where TimeGenerated >= ago(timeframe)\\n| where Source == \\\"Microsoft-Windows-Sysmon\\\"\\n| where EventID == 3\\n| extend EvData = parse_xml(EventData)\\n| extend EventDetail = EvData.DataItem.EventData.Data\\n| extend SourceIP = EventDetail.[9].[\\\"#text\\\"], DestinationIP = EventDetail.[14].[\\\"#text\\\"]\\n| where SourceIP in (IPList) or DestinationIP in (IPList) \\n| extend IPMatch = case( SourceIP in (IPList), \\\"SourceIP\\\", DestinationIP in (IPList), \\\"DestinationIP\\\", \\\"None\\\") \\n| extend timestamp = TimeGenerated, AccountCustomEntity = UserName, HostCustomEntity = Computer , IPCustomEntity = case(IPMatch == \\\"SourceIP\\\", SourceIP, IPMatch == \\\"DestinationIP\\\", DestinationIP, \\\"None\\\")\\n), \\n(WireData \\n| where TimeGenerated >= ago(timeframe)\\n| where isnotempty(RemoteIP)\\n| where RemoteIP in (IPList)\\n| extend timestamp = TimeGenerated, IPCustomEntity = RemoteIP, HostCustomEntity = Computer\\n),\\n(SigninLogs\\n| where TimeGenerated >= ago(timeframe)\\n| where isnotempty(IPAddress)\\n| where IPAddress in (IPList)\\n| extend timestamp = TimeGenerated, AccountCustomEntity = UserPrincipalName, IPCustomEntity = IPAddress\\n),\\n(W3CIISLog \\n| where TimeGenerated >= ago(timeframe)\\n| where isnotempty(cIP)\\n| where cIP in (IPList)\\n| extend timestamp = TimeGenerated, IPCustomEntity = cIP, HostCustomEntity = Computer, AccountCustomEntity = csUserName\\n),\\n(AzureActivity \\n| where TimeGenerated >= ago(timeframe)\\n| where isnotempty(CallerIpAddress)\\n| where CallerIpAddress in (IPList)\\n| extend timestamp = TimeGenerated, IPCustomEntity = CallerIpAddress, AccountCustomEntity = Caller\\n),\\n(\\nAWSCloudTrail\\n| where TimeGenerated >= ago(timeframe)\\n| where isnotempty(SourceIpAddress)\\n| where SourceIpAddress in (IPList)\\n| extend timestamp = TimeGenerated, IPCustomEntity = SourceIpAddress, AccountCustomEntity = UserIdentityUserName\\n)\\n)\",\r\n \"queryFrequency\": \"P1D\",\r\n \"queryPeriod\": \"P1D\",\r\n \"triggerOperator\": \"GreaterThan\",\r\n \"triggerThreshold\": 0,\r\n \"entityMappings\": [\r\n {\r\n \"entityType\": \"Account\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"FullName\",\r\n \"columnName\": \"AccountCustomEntity\"\r\n }\r\n ]\r\n },\r\n {\r\n \"entityType\": \"Host\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"FullName\",\r\n \"columnName\": \"HostCustomEntity\"\r\n }\r\n ]\r\n },\r\n {\r\n \"entityType\": \"IP\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"Address\",\r\n \"columnName\": \"IPCustomEntity\"\r\n }\r\n ]\r\n }\r\n ],\r\n \"displayName\": \"Known IRIDIUM IP\",\r\n \"description\": \"IRIDIUM command and control IP. Identifies a match across various data feeds for IP IOCs related to the IRIDIUM activity group.\",\r\n \"tactics\": [\r\n \"CommandAndControl\"\r\n ],\r\n \"lastUpdatedDateUTC\": \"2020-11-17T00:00:00Z\",\r\n \"createdDateUTC\": \"2019-12-16T00:00:00Z\",\r\n \"status\": \"Available\",\r\n \"requiredDataConnectors\": [\r\n {\r\n \"connectorId\": \"Office365\",\r\n \"dataTypes\": [\r\n \"OfficeActivity\"\r\n ]\r\n },\r\n {\r\n \"connectorId\": \"DNS\",\r\n \"dataTypes\": [\r\n \"DnsEvents\"\r\n ]\r\n },\r\n {\r\n \"connectorId\": \"AzureMonitor(VMInsights)\",\r\n \"dataTypes\": [\r\n \"VMConnection\"\r\n ]\r\n },\r\n {\r\n \"connectorId\": \"CiscoASA\",\r\n \"dataTypes\": [\r\n \"CommonSecurityLog\"\r\n ]\r\n },\r\n {\r\n \"connectorId\": \"PaloAltoNetworks\",\r\n \"dataTypes\": [\r\n \"CommonSecurityLog\"\r\n ]\r\n },\r\n {\r\n \"connectorId\": \"SecurityEvents\",\r\n \"dataTypes\": [\r\n \"SecurityEvent\"\r\n ]\r\n },\r\n {\r\n \"connectorId\": \"AzureActiveDirectory\",\r\n \"dataTypes\": [\r\n \"SigninLogs\"\r\n ]\r\n },\r\n {\r\n \"connectorId\": \"AzureMonitor(WireData)\",\r\n \"dataTypes\": [\r\n \"WireData\"\r\n ]\r\n },\r\n {\r\n \"connectorId\": \"AzureMonitor(IIS)\",\r\n \"dataTypes\": [\r\n \"W3CIISLog\"\r\n ]\r\n },\r\n {\r\n \"connectorId\": \"AzureActivity\",\r\n \"dataTypes\": [\r\n \"AzureActivity\"\r\n ]\r\n },\r\n {\r\n \"connectorId\": \"AWS\",\r\n \"dataTypes\": [\r\n \"AWSCloudTrail\"\r\n ]\r\n }\r\n ],\r\n \"alertRulesCreatedByTemplateCount\": 0\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/AlertRuleTemplates/a4025a76-6490-4e6b-bb69-d02be4b03f07\",\r\n \"name\": \"a4025a76-6490-4e6b-bb69-d02be4b03f07\",\r\n \"type\": \"Microsoft.SecurityInsights/AlertRuleTemplates\",\r\n \"kind\": \"Scheduled\",\r\n \"properties\": {\r\n \"severity\": \"Medium\",\r\n \"query\": \"let dt_lookBack = 1h;\\nlet ioc_lookBack = 14d;\\nThreatIntelligenceIndicator\\n| where TimeGenerated >= ago(ioc_lookBack) and ExpirationDateTime > now()\\n| where Active == true\\n// Picking up only IOC's that contain the entities we want\\n| where isnotempty(NetworkIP) or isnotempty(EmailSourceIpAddress) or isnotempty(NetworkDestinationIP) or isnotempty(NetworkSourceIP)\\n// As there is potentially more than 1 indicator type for matching IP, taking NetworkIP first, then others if that is empty.\\n// Taking the first non-empty value based on potential IOC match availability\\n| extend TI_ipEntity = iff(isnotempty(NetworkIP), NetworkIP, NetworkDestinationIP)\\n| extend TI_ipEntity = iff(isempty(TI_ipEntity) and isnotempty(NetworkSourceIP), NetworkSourceIP, TI_ipEntity)\\n| extend TI_ipEntity = iff(isempty(TI_ipEntity) and isnotempty(EmailSourceIpAddress), EmailSourceIpAddress, TI_ipEntity)\\n| join (\\n AzureNetworkAnalytics_CL\\n | where TimeGenerated >= ago(dt_lookBack)\\n // renaming time column so it is clear the log this came from\\n | extend AzureNetworkAnalytics_CL_TimeGenerated = TimeGenerated\\n // NSG Flow Logs have additional information concat with Public IP, removing onlp Public IP\\n | extend PIPs = split(PublicIPs_s, '|', 0)\\n | extend PIP = tostring(PIPs[0])\\n)\\non $left.TI_ipEntity == $right.PIP\\n| summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId\\n// Set to alert on Allowed NSG Flows from TI Public IP IOC\\n| where FlowStatus_s == \\\"A\\\"\\n| project LatestIndicatorTime, Description, ActivityGroupNames, IndicatorId, ThreatType, Url, ExpirationDateTime, ConfidenceScore, AzureNetworkAnalytics_CL_TimeGenerated,\\nTI_ipEntity, Computer, FlowDirection_s, FlowStatus_s, FlowType_s, SrcPublicIPs_s, DestPublicIPs_s, PublicIPs_s, L7Protocol_s, DestPort_d, NetworkIP, NetworkDestinationIP, NetworkSourceIP, EmailSourceIpAddress\\n| extend timestamp = AzureNetworkAnalytics_CL_TimeGenerated, IPCustomEntity = TI_ipEntity, HostCustomEntity = Computer, URLCustomEntity = Url\",\r\n \"queryFrequency\": \"PT1H\",\r\n \"queryPeriod\": \"P14D\",\r\n \"triggerOperator\": \"GreaterThan\",\r\n \"triggerThreshold\": 0,\r\n \"entityMappings\": [\r\n {\r\n \"entityType\": \"Host\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"FullName\",\r\n \"columnName\": \"HostCustomEntity\"\r\n }\r\n ]\r\n },\r\n {\r\n \"entityType\": \"IP\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"Address\",\r\n \"columnName\": \"IPCustomEntity\"\r\n }\r\n ]\r\n },\r\n {\r\n \"entityType\": \"URL\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"Url\",\r\n \"columnName\": \"URLCustomEntity\"\r\n }\r\n ]\r\n }\r\n ],\r\n \"displayName\": \"(Preview) TI map IP entity to AzureNetworkAnalytics_CL (NSG Flow Logs)\",\r\n \"description\": \"Identifies a match in AzureNetworkAnalytics_CL (NSG Flow Logs) from any IP IOC from TI that was Allowed\",\r\n \"tactics\": [\r\n \"Impact\"\r\n ],\r\n \"lastUpdatedDateUTC\": \"2020-11-17T00:00:00Z\",\r\n \"createdDateUTC\": \"2019-08-27T00:00:00Z\",\r\n \"status\": \"Available\",\r\n \"requiredDataConnectors\": [\r\n {\r\n \"connectorId\": \"ThreatIntelligence\",\r\n \"dataTypes\": [\r\n \"ThreatIntelligenceIndicator\"\r\n ]\r\n },\r\n {\r\n \"connectorId\": \"ThreatIntelligenceTaxii\",\r\n \"dataTypes\": [\r\n \"ThreatIntelligenceIndicator\"\r\n ]\r\n },\r\n {\r\n \"connectorId\": \"AzureNetworkAnalytics_CL(NSG Flow Logs)\",\r\n \"dataTypes\": [\r\n \"AzureNetworkAnalytics_CL\"\r\n ]\r\n }\r\n ],\r\n \"alertRulesCreatedByTemplateCount\": 0\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/AlertRuleTemplates/ffcd575b-3d54-482a-a6d8-d0de13b6ac63\",\r\n \"name\": \"ffcd575b-3d54-482a-a6d8-d0de13b6ac63\",\r\n \"type\": \"Microsoft.SecurityInsights/AlertRuleTemplates\",\r\n \"kind\": \"Scheduled\",\r\n \"properties\": {\r\n \"severity\": \"Medium\",\r\n \"query\": \"let dt_lookBack = 1h;\\nlet ioc_lookBack = 14d;\\nlet emailregex = @'^[a-zA-Z0-9_.+-]+@[a-zA-Z0-9-]+\\\\.[a-zA-Z0-9-.]+$';\\nThreatIntelligenceIndicator\\n| where TimeGenerated >= ago(ioc_lookBack) and ExpirationDateTime > now()\\n| where Active == true\\n//Filtering the table for Email related IOCs\\n| where isnotempty(EmailRecipient)\\n| join (\\n CommonSecurityLog | where TimeGenerated >= ago(dt_lookBack) and isnotempty(DestinationUserID)\\n // Filtering PAN Logs for specific event type to match relevant email entities\\n | where DeviceVendor == \\\"Palo Alto Networks\\\" and DeviceEventClassID == \\\"wildfire\\\" and ApplicationProtocol in (\\\"smtp\\\",\\\"pop3\\\")\\n | extend DestinationUserID = tolower(DestinationUserID)\\n | where DestinationUserID matches regex emailregex\\n | extend CommonSecurityLog_TimeGenerated = TimeGenerated\\n)\\non $left.EmailRecipient == $right.DestinationUserID\\n| summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId\\n| project LatestIndicatorTime, Description, ActivityGroupNames, IndicatorId, ThreatType, Url, ExpirationDateTime, ConfidenceScore, CommonSecurityLog_TimeGenerated,\\nEmailSenderName, EmailSourceDomain, EmailSourceIpAddress, EmailSubject, FileHashValue, FileHashType, DestinationUserID, DeviceEventClassID, LogSeverity, DeviceAction,\\nSourceIP, SourcePort, DestinationIP, DestinationPort, Protocol, ApplicationProtocol\\n| extend timestamp = CommonSecurityLog_TimeGenerated, AccountCustomEntity = DestinationUserID, IPCustomEntity = SourceIP, URLCustomEntity = Url\",\r\n \"queryFrequency\": \"PT1H\",\r\n \"queryPeriod\": \"P14D\",\r\n \"triggerOperator\": \"GreaterThan\",\r\n \"triggerThreshold\": 0,\r\n \"entityMappings\": [\r\n {\r\n \"entityType\": \"Account\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"FullName\",\r\n \"columnName\": \"AccountCustomEntity\"\r\n }\r\n ]\r\n },\r\n {\r\n \"entityType\": \"IP\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"Address\",\r\n \"columnName\": \"IPCustomEntity\"\r\n }\r\n ]\r\n },\r\n {\r\n \"entityType\": \"URL\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"Url\",\r\n \"columnName\": \"URLCustomEntity\"\r\n }\r\n ]\r\n }\r\n ],\r\n \"displayName\": \"(Preview) TI map Email entity to CommonSecurityLog\",\r\n \"description\": \"Identifies a match in CommonSecurityLog table from any Email IOC from TI\",\r\n \"tactics\": [\r\n \"Impact\"\r\n ],\r\n \"lastUpdatedDateUTC\": \"2020-11-17T00:00:00Z\",\r\n \"createdDateUTC\": \"2019-08-28T00:00:00Z\",\r\n \"status\": \"Available\",\r\n \"requiredDataConnectors\": [\r\n {\r\n \"connectorId\": \"PaloAltoNetworks\",\r\n \"dataTypes\": [\r\n \"CommonSecurityLog\"\r\n ]\r\n },\r\n {\r\n \"connectorId\": \"ThreatIntelligence\",\r\n \"dataTypes\": [\r\n \"ThreatIntelligenceIndicator\"\r\n ]\r\n },\r\n {\r\n \"connectorId\": \"ThreatIntelligenceTaxii\",\r\n \"dataTypes\": [\r\n \"ThreatIntelligenceIndicator\"\r\n ]\r\n }\r\n ],\r\n \"alertRulesCreatedByTemplateCount\": 0\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/AlertRuleTemplates/d6190dde-8fd2-456a-ac5b-0a32400b0464\",\r\n \"name\": \"d6190dde-8fd2-456a-ac5b-0a32400b0464\",\r\n \"type\": \"Microsoft.SecurityInsights/AlertRuleTemplates\",\r\n \"kind\": \"Scheduled\",\r\n \"properties\": {\r\n \"severity\": \"Medium\",\r\n \"query\": \"let timeframe = 1d;\\nlet ProcessCreationEvents=() {\\nlet processEvents=SecurityEvent\\n| where EventID==4688\\n| where isnotempty(CommandLine)\\n| project TimeGenerated, Computer, Account = SubjectUserName, AccountDomain = SubjectDomainName, FileName = Process, CommandLine, ParentProcessName;\\nprocessEvents;\\n};\\nProcessCreationEvents \\n| where TimeGenerated > ago(timeframe) \\n| where CommandLine contains \\\".decode('base64')\\\"\\n or CommandLine contains \\\"base64 --decode\\\"\\n or CommandLine contains \\\".decode64(\\\" \\n| summarize StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated), CountToday = count() by Computer, Account, AccountDomain, FileName, CommandLine, ParentProcessName \\n| extend timestamp = StartTimeUtc, AccountCustomEntity = Account, HostCustomEntity = Computer\",\r\n \"queryFrequency\": \"P1D\",\r\n \"queryPeriod\": \"P1D\",\r\n \"triggerOperator\": \"GreaterThan\",\r\n \"triggerThreshold\": 0,\r\n \"entityMappings\": [\r\n {\r\n \"entityType\": \"Account\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"FullName\",\r\n \"columnName\": \"AccountCustomEntity\"\r\n }\r\n ]\r\n },\r\n {\r\n \"entityType\": \"Host\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"FullName\",\r\n \"columnName\": \"HostCustomEntity\"\r\n }\r\n ]\r\n }\r\n ],\r\n \"displayName\": \"Process executed from binary hidden in Base64 encoded file\",\r\n \"description\": \"Encoding malicious software is a technique used to obfuscate files from detection. \\nThe first CommandLine component is looking for Python decoding base64. \\nThe second CommandLine component is looking for Bash/sh command line base64 decoding.\\nThe third one is looking for Ruby decoding base64.\",\r\n \"tactics\": [\r\n \"Execution\",\r\n \"DefenseEvasion\"\r\n ],\r\n \"lastUpdatedDateUTC\": \"2020-11-17T00:00:00Z\",\r\n \"createdDateUTC\": \"2019-01-24T00:00:00Z\",\r\n \"status\": \"Available\",\r\n \"requiredDataConnectors\": [\r\n {\r\n \"connectorId\": \"SecurityEvents\",\r\n \"dataTypes\": [\r\n \"SecurityEvent\"\r\n ]\r\n }\r\n ],\r\n \"alertRulesCreatedByTemplateCount\": 0\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/AlertRuleTemplates/532c1811-79ee-4d9f-8d4d-6304c840daa1\",\r\n \"name\": \"532c1811-79ee-4d9f-8d4d-6304c840daa1\",\r\n \"type\": \"Microsoft.SecurityInsights/AlertRuleTemplates\",\r\n \"kind\": \"MicrosoftSecurityIncidentCreation\",\r\n \"properties\": {\r\n \"productFilter\": \"Azure Active Directory Identity Protection\",\r\n \"displayName\": \"Create incidents based on Azure Active Directory Identity Protection alerts\",\r\n \"description\": \"Create incidents based on all alerts generated in Azure Active Directory Identity Protection\",\r\n \"lastUpdatedDateUTC\": \"2019-07-16T00:00:00Z\",\r\n \"createdDateUTC\": \"2019-07-16T00:00:00Z\",\r\n \"status\": \"Available\",\r\n \"requiredDataConnectors\": [\r\n {\r\n \"connectorId\": \"AzureActiveDirectoryIdentityProtection\",\r\n \"dataTypes\": [\r\n \"SecurityAlert (IPC)\"\r\n ]\r\n }\r\n ],\r\n \"alertRulesCreatedByTemplateCount\": 0\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/AlertRuleTemplates/2391ce61-8c8d-41ac-9723-d945b2e90720\",\r\n \"name\": \"2391ce61-8c8d-41ac-9723-d945b2e90720\",\r\n \"type\": \"Microsoft.SecurityInsights/AlertRuleTemplates\",\r\n \"kind\": \"Scheduled\",\r\n \"properties\": {\r\n \"severity\": \"Low\",\r\n \"query\": \"let starttime = 8d;\\nlet endtime = 1d;\\nlet threshold = 0.333;\\nlet countlimit = 50;\\nSecurityEvent\\n| where TimeGenerated >= ago(endtime)\\n| where EventID == 4625 and AccountType =~ \\\"User\\\"\\n| where IpAddress !in (\\\"127.0.0.1\\\", \\\"::1\\\")\\n| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated), CountToday = count() by EventID, Account, LogonTypeName, SubStatus, AccountType, Computer, WorkstationName, IpAddress\\n| join kind=leftouter (\\n SecurityEvent \\n | where TimeGenerated between (ago(starttime) .. ago(endtime))\\n | where EventID == 4625 and AccountType =~ \\\"User\\\"\\n | where IpAddress !in (\\\"127.0.0.1\\\", \\\"::1\\\")\\n | summarize CountPrev7day = count() by EventID, Account, LogonTypeName, SubStatus, AccountType, Computer, WorkstationName, IpAddress\\n) on EventID, Account, LogonTypeName, SubStatus, AccountType, Computer, WorkstationName, IpAddress\\n| where CountToday >= coalesce(CountPrev7day,0)*threshold and CountToday >= countlimit\\n//SubStatus Codes are detailed here - https://docs.microsoft.com/windows/security/threat-protection/auditing/event-4625\\n| extend Reason = case(\\nSubStatus =~ '0xC000005E', 'There are currently no logon servers available to service the logon request.',\\nSubStatus =~ '0xC0000064', 'User logon with misspelled or bad user account',\\nSubStatus =~ '0xC000006A', 'User logon with misspelled or bad password', \\nSubStatus =~ '0xC000006D', 'Bad user name or password',\\nSubStatus =~ '0xC000006E', 'Unknown user name or bad password',\\nSubStatus =~ '0xC000006F', 'User logon outside authorized hours',\\nSubStatus =~ '0xC0000070', 'User logon from unauthorized workstation',\\nSubStatus =~ '0xC0000071', 'User logon with expired password',\\nSubStatus =~ '0xC0000072', 'User logon to account disabled by administrator',\\nSubStatus =~ '0xC00000DC', 'Indicates the Sam Server was in the wrong state to perform the desired operation', \\nSubStatus =~ '0xC0000133', 'Clocks between DC and other computer too far out of sync',\\nSubStatus =~ '0xC000015B', 'The user has not been granted the requested logon type (aka logon right) at this machine',\\nSubStatus =~ '0xC000018C', 'The logon request failed because the trust relationship between the primary domain and the trusted domain failed',\\nSubStatus =~ '0xC0000192', 'An attempt was made to logon, but the Netlogon service was not started',\\nSubStatus =~ '0xC0000193', 'User logon with expired account',\\nSubStatus =~ '0xC0000224', 'User is required to change password at next logon',\\nSubStatus =~ '0xC0000225', 'Evidently a bug in Windows and not a risk',\\nSubStatus =~ '0xC0000234', 'User logon with account locked',\\nSubStatus =~ '0xC00002EE', 'Failure Reason: An Error occurred during Logon',\\nSubStatus =~ '0xC0000413', 'Logon Failure: The machine you are logging onto is protected by an authentication firewall. The specified account is not allowed to authenticate to the machine',\\nstrcat('Unknown reason substatus: ', SubStatus))\\n| extend WorkstationName = iff(WorkstationName == \\\"-\\\" or isempty(WorkstationName), Computer , WorkstationName) \\n| project StartTime, EndTime, EventID, Account, LogonTypeName, SubStatus, Reason, AccountType, Computer, WorkstationName, IpAddress, CountToday, CountPrev7day, Avg7Day = round(CountPrev7day*1.00/7,2)\\n| summarize StartTime = min(StartTime), EndTime = max(EndTime), Computer = make_set(Computer,128), IpAddressList = make_set(IpAddress,128), sum(CountToday), sum(CountPrev7day), avg(Avg7Day) \\nby EventID, Account, LogonTypeName, SubStatus, Reason, AccountType, WorkstationName\\n| order by sum_CountToday desc nulls last \\n| extend timestamp = StartTime, AccountCustomEntity = Account, HostCustomEntity = WorkstationName\",\r\n \"queryFrequency\": \"P1D\",\r\n \"queryPeriod\": \"P8D\",\r\n \"triggerOperator\": \"GreaterThan\",\r\n \"triggerThreshold\": 0,\r\n \"entityMappings\": [\r\n {\r\n \"entityType\": \"Account\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"FullName\",\r\n \"columnName\": \"AccountCustomEntity\"\r\n }\r\n ]\r\n },\r\n {\r\n \"entityType\": \"Host\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"FullName\",\r\n \"columnName\": \"HostCustomEntity\"\r\n }\r\n ]\r\n }\r\n ],\r\n \"displayName\": \"Excessive Windows logon failures\",\r\n \"description\": \"User has over 50 Windows logon failures today and at least 33% of the count of logon failures over the previous 7 days.\",\r\n \"tactics\": [\r\n \"CredentialAccess\"\r\n ],\r\n \"lastUpdatedDateUTC\": \"2020-11-17T00:00:00Z\",\r\n \"createdDateUTC\": \"2019-02-22T00:00:00Z\",\r\n \"status\": \"Available\",\r\n \"requiredDataConnectors\": [\r\n {\r\n \"connectorId\": \"SecurityEvents\",\r\n \"dataTypes\": [\r\n \"SecurityEvent\"\r\n ]\r\n }\r\n ],\r\n \"alertRulesCreatedByTemplateCount\": 0\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/AlertRuleTemplates/f2dd4a3a-ebac-4994-9499-1a859938c947\",\r\n \"name\": \"f2dd4a3a-ebac-4994-9499-1a859938c947\",\r\n \"type\": \"Microsoft.SecurityInsights/AlertRuleTemplates\",\r\n \"kind\": \"Scheduled\",\r\n \"properties\": {\r\n \"severity\": \"Medium\",\r\n \"query\": \"let starttime = 14d;\\nlet endtime = 1d;\\nlet timeframe = 1h;\\nlet scorethreshold = 5;\\nlet bytessentperhourthreshold = 10;\\nlet PrivateIPregex = @'^127\\\\.|^10\\\\.|^172\\\\.1[6-9]\\\\.|^172\\\\.2[0-9]\\\\.|^172\\\\.3[0-1]\\\\.|^192\\\\.168\\\\.';\\nlet TimeSeriesData = (union isfuzzy=true\\n(\\nVMConnection\\n| where TimeGenerated between (startofday(ago(starttime))..startofday(ago(endtime)))\\n| where isnotempty(DestinationIP) and isnotempty(SourceIP)\\n| extend DestinationIpType = iff(DestinationIp matches regex PrivateIPregex,\\\"private\\\" ,\\\"public\\\" )\\n| where DestinationIpType == \\\"public\\\" | extend DeviceVendor = \\\"VMConnection\\\"\\n| project TimeGenerated, BytesSent, DeviceVendor\\n| make-series TotalBytesSent=sum(BytesSent) on TimeGenerated from startofday(ago(starttime)) to startofday(ago(endtime)) step timeframe by DeviceVendor\\n),\\n(\\nCommonSecurityLog \\n| where TimeGenerated between (startofday(ago(starttime))..startofday(ago(endtime)))\\n| where isnotempty(DestinationIP) and isnotempty(SourceIP)\\n| extend DestinationIpType = iff(DestinationIP matches regex PrivateIPregex,\\\"private\\\" ,\\\"public\\\" )\\n| where DestinationIpType == \\\"public\\\"\\n| project TimeGenerated, SentBytes, DeviceVendor\\n| make-series TotalBytesSent=sum(SentBytes) on TimeGenerated from startofday(ago(starttime)) to startofday(ago(endtime)) step timeframe by DeviceVendor\\n)\\n);\\n//Filter anomolies against TimeSeriesData\\nlet TimeSeriesAlerts = TimeSeriesData\\n| extend (anomalies, score, baseline) = series_decompose_anomalies(TotalBytesSent, scorethreshold, -1, 'linefit')\\n| mv-expand TotalBytesSent to typeof(double), TimeGenerated to typeof(datetime), anomalies to typeof(double),score to typeof(double), baseline to typeof(long)\\n| where anomalies > 0 | extend AnomalyHour = TimeGenerated \\n| extend TotalBytesSentinMBperHour = round(((TotalBytesSent / 1024)/1024),2), baselinebytessentperHour = round(((baseline / 1024)/1024),2), score = round(score,2)\\n| project DeviceVendor, AnomalyHour, TimeGenerated, TotalBytesSentinMBperHour, baselinebytessentperHour, anomalies, score;\\n//Union of all BaseLogs aggregated per hour\\nlet BaseLogs = (union isfuzzy=true\\n(\\nCommonSecurityLog \\n| where isnotempty(DestinationIP) and isnotempty(SourceIP)\\n| where TimeGenerated between (startofday(ago(starttime))..startofday(ago(endtime))) \\n| extend SentBytesinMB = ((SentBytes / 1024)/1024), ReceivedBytesinMB = ((ReceivedBytes / 1024)/1024) \\n| summarize HourlyCount = count(), TimeGeneratedMax=arg_max(TimeGenerated, *), DestinationIPList=make_set(DestinationIP), DestinationPortList = make_set(DestinationPort), TotalSentBytesinMB = sum(SentBytesinMB), TotalReceivedBytesinMB = sum(ReceivedBytesinMB) by SourceIP, DeviceVendor, TimeGeneratedHour=bin(TimeGenerated,1h)\\n| project DeviceVendor, TimeGeneratedHour, TimeGeneratedMax, SourceIP, DestinationIPList, DestinationPortList, TotalSentBytesinMB, TotalReceivedBytesinMB\\n| where TotalSentBytesinMB > bytessentperhourthreshold\\n),\\n(\\nVMConnection \\n| where isnotempty(DestinationIp) and isnotempty(SourceIp)\\n| where TimeGenerated between (startofday(ago(starttime))..startofday(ago(endtime))) \\n| extend DeviceVendor = \\\"VMConnection\\\", SourceIP = SourceIp, DestinationIP = DestinationIp\\n| extend SentBytesinMB = ((BytesSent / 1024)/1024), ReceivedBytesinMB = ((BytesReceived / 1024)/1024)\\n| summarize HourlyCount = count(),TimeGeneratedMax=arg_max(TimeGenerated, *), DestinationIPList=make_set(DestinationIP), DestinationPortList = make_set(DestinationPort), TotalSentBytesinMB = sum(SentBytesinMB),TotalReceivedBytesinMB = sum(ReceivedBytesinMB) by SourceIP, DestinationIP, DeviceVendor, TimeGeneratedHour=bin(TimeGenerated,1h)\\n| project DeviceVendor, TimeGeneratedHour, TimeGeneratedMax, SourceIP, DestinationIPList, DestinationPortList, TotalSentBytesinMB, TotalReceivedBytesinMB \\n| where TotalSentBytesinMB > bytessentperhourthreshold\\n)\\n);\\n// Join against base logs to retrive records associated with the hour of anomoly\\nTimeSeriesAlerts\\n| join (\\n BaseLogs | extend AnomalyHour = TimeGeneratedHour\\n) on DeviceVendor, AnomalyHour | sort by score desc \\n| project DeviceVendor, AnomalyHour,TimeGeneratedMax, SourceIP, DestinationIPList, DestinationPortList, TotalSentBytesinMB, TotalReceivedBytesinMB, TotalBytesSentinMBperHour, baselinebytessentperHour, score, anomalies \\n| summarize EventCount = count(), StartTimeUtc= min(TimeGeneratedMax), EndTimeUtc= max(TimeGeneratedMax), SourceIPMax= arg_max(SourceIP,*), TotalBytesSentinMB = sum(TotalSentBytesinMB), TotalBytesReceivedinMB = sum(TotalReceivedBytesinMB), SourceIPList = make_set(SourceIP), DestinationIPList = make_set(DestinationIPList) by AnomalyHour,TotalBytesSentinMBperHour, baselinebytessentperHour, score, anomalies\\n| project DeviceVendor, AnomalyHour, StartTimeUtc, EndTimeUtc, SourceIPMax, SourceIPList, DestinationIPList, DestinationPortList, TotalBytesSentinMB, TotalBytesReceivedinMB, TotalBytesSentinMBperHour, baselinebytessentperHour, score, anomalies, EventCount \\n| extend timestamp =EndTimeUtc, IPCustomEntity = SourceIPMax\",\r\n \"queryFrequency\": \"PT1H\",\r\n \"queryPeriod\": \"P14D\",\r\n \"triggerOperator\": \"GreaterThan\",\r\n \"triggerThreshold\": 1,\r\n \"entityMappings\": [\r\n {\r\n \"entityType\": \"IP\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"Address\",\r\n \"columnName\": \"IPCustomEntity\"\r\n }\r\n ]\r\n }\r\n ],\r\n \"displayName\": \"Time series anomaly for data size transferred to public internet\",\r\n \"description\": \"Identifies anomalous data transfer to public networks. The query leverages built-in KQL anomaly detection algorithms that detects large deviations from a baseline pattern. \\nA sudden increase in data transferred to unknown public networks is an indication of data exfiltration attempts and should be investigated. \\nThe higher the score, the further it is from the baseline value.\\nThe output is aggregated to provide summary view of unique source IP to destination IP address and port bytes sent traffic observed in the flagged anomaly hour. \\nThe source IP addresses which were sending less than bytessentperhourthreshold have been exluded whose value can be adjusted as needed .\\nYou may have to run queries for individual source IP addresses from SourceIPlist to determine if anything looks suspicious\",\r\n \"tactics\": [\r\n \"Exfiltration\"\r\n ],\r\n \"lastUpdatedDateUTC\": \"2020-11-17T00:00:00Z\",\r\n \"createdDateUTC\": \"2019-05-07T00:00:00Z\",\r\n \"status\": \"Available\",\r\n \"requiredDataConnectors\": [\r\n {\r\n \"connectorId\": \"CiscoASA\",\r\n \"dataTypes\": [\r\n \"CommonSecurityLog\"\r\n ]\r\n },\r\n {\r\n \"connectorId\": \"PaloAltoNetworks\",\r\n \"dataTypes\": [\r\n \"CommonSecurityLog\"\r\n ]\r\n },\r\n {\r\n \"connectorId\": \"AzureMonitor(VMInsights)\",\r\n \"dataTypes\": [\r\n \"VMConnection\"\r\n ]\r\n }\r\n ],\r\n \"alertRulesCreatedByTemplateCount\": 0\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/AlertRuleTemplates/70b12a3b-4896-42cb-910c-5ffaf8d7987d\",\r\n \"name\": \"70b12a3b-4896-42cb-910c-5ffaf8d7987d\",\r\n \"type\": \"Microsoft.SecurityInsights/AlertRuleTemplates\",\r\n \"kind\": \"Scheduled\",\r\n \"properties\": {\r\n \"severity\": \"High\",\r\n \"query\": \"let timeframe = 1d;\\nlet DomainNames = dynamic([\\\"seoulhobi.biz\\\", \\\"reader.cash\\\", \\\"pieceview.club\\\", \\\"app-wallet.com\\\", \\\"bigwnet.com\\\", \\\"bitwoll.com\\\", \\\"cexrout.com\\\", \\\"change-pw.com\\\", \\\"checkprofie.com\\\", \\\"cloudwebappservice.com\\\", \\\"ctquast.com\\\", \\\"dataviewering.com\\\", \\\"day-post.com\\\", \\\"dialy-post.com\\\", \\\"documentviewingcom.com\\\", \\\"dovvn-mail.com\\\", \\\"down-error.com\\\", \\\"drivecheckingcom.com\\\", \\\"drog-service.com\\\", \\\"encodingmail.com\\\", \\\"filinvestment.com\\\", \\\"foldershareing.com\\\", \\\"golangapis.com\\\", \\\"hotrnall.com\\\", \\\"lh-logins.com\\\", \\\"login-use.com\\\", \\\"mail-down.com\\\", \\\"matmiho.com\\\", \\\"mihomat.com\\\", \\\"natwpersonal-online.com\\\", \\\"nidlogin.com\\\", \\\"nid-login.com\\\", \\\"nidlogon.com\\\", \\\"pw-change.com\\\", \\\"rnaii.com\\\", \\\"rnailm.com\\\", \\\"sec-live.com\\\", \\\"secrityprocessing.com\\\", \\\"securitedmode.com\\\", \\\"securytingmail.com\\\", \\\"set-login.com\\\", \\\"usrchecking.com\\\", \\\"com-serviceround.info\\\", \\\"mai1.info\\\", \\\"reviewer.mobi\\\", \\\"files-download.net\\\", \\\"fixcool.net\\\", \\\"hanrnaii.net\\\", \\\"office356-us.org\\\", \\\"smtper.org\\\"]);\\n(union isfuzzy=true\\n(CommonSecurityLog \\n| where TimeGenerated >= ago(timeframe) \\n| parse Message with * '(' DNSName ')' * \\n| where isnotempty(FileHash)\\n| where DNSName in~ (DomainNames)\\n| extend Account = SourceUserID, Computer = DeviceName, IPAddress = SourceIP\\n),\\n(DnsEvents \\n| where TimeGenerated >= ago(timeframe) \\n| extend DNSName = Name\\n| where isnotempty(DNSName)\\n| where DNSName in~ (DomainNames)\\n| extend IPAddress = ClientIP\\n),\\n(VMConnection \\n| where TimeGenerated >= ago(timeframe) \\n| parse RemoteDnsCanonicalNames with * '[\\\"' DNSName '\\\"]' *\\n| where isnotempty(DNSName)\\n| where DNSName in~ (DomainNames)\\n| extend IPAddress = RemoteIp\\n)\\n)\\n| extend timestamp = TimeGenerated, AccountCustomEntity = Account, HostCustomEntity = Computer, IPCustomEntity = IPAddress\",\r\n \"queryFrequency\": \"P1D\",\r\n \"queryPeriod\": \"P1D\",\r\n \"triggerOperator\": \"GreaterThan\",\r\n \"triggerThreshold\": 0,\r\n \"entityMappings\": [\r\n {\r\n \"entityType\": \"Account\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"FullName\",\r\n \"columnName\": \"AccountCustomEntity\"\r\n }\r\n ]\r\n },\r\n {\r\n \"entityType\": \"Host\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"FullName\",\r\n \"columnName\": \"HostCustomEntity\"\r\n }\r\n ]\r\n },\r\n {\r\n \"entityType\": \"IP\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"Address\",\r\n \"columnName\": \"IPCustomEntity\"\r\n }\r\n ]\r\n }\r\n ],\r\n \"displayName\": \"THALLIUM domains included in DCU takedown\",\r\n \"description\": \"THALLIUM spearphishing and command and control domains included in December 2019 DCU/MSTIC takedown. \\n Matches domain name IOCs related to the THALLIUM activity group with CommonSecurityLog, DnsEvents, VMConnection and SecurityEvents dataTypes.\\n References: https://blogs.microsoft.com/on-the-issues/2019/12/30/microsoft-court-action-against-nation-state-cybercrime/ \",\r\n \"tactics\": [\r\n \"CommandAndControl\",\r\n \"CredentialAccess\"\r\n ],\r\n \"lastUpdatedDateUTC\": \"2020-11-17T00:00:00Z\",\r\n \"createdDateUTC\": \"2020-01-06T00:00:00Z\",\r\n \"status\": \"Available\",\r\n \"requiredDataConnectors\": [\r\n {\r\n \"connectorId\": \"DNS\",\r\n \"dataTypes\": [\r\n \"DnsEvents\"\r\n ]\r\n },\r\n {\r\n \"connectorId\": \"AzureMonitor(VMInsights)\",\r\n \"dataTypes\": [\r\n \"VMConnection\"\r\n ]\r\n },\r\n {\r\n \"connectorId\": \"CiscoASA\",\r\n \"dataTypes\": [\r\n \"CommonSecurityLog\"\r\n ]\r\n },\r\n {\r\n \"connectorId\": \"PaloAltoNetworks\",\r\n \"dataTypes\": [\r\n \"CommonSecurityLog\"\r\n ]\r\n }\r\n ],\r\n \"alertRulesCreatedByTemplateCount\": 0\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/AlertRuleTemplates/06a9b845-6a95-4432-a78b-83919b28c375\",\r\n \"name\": \"06a9b845-6a95-4432-a78b-83919b28c375\",\r\n \"type\": \"Microsoft.SecurityInsights/AlertRuleTemplates\",\r\n \"kind\": \"Scheduled\",\r\n \"properties\": {\r\n \"severity\": \"Medium\",\r\n \"query\": \"let starttime = 14d;\\nlet endtime = 1d;\\nlet timeframe = 1h;\\nlet scorethreshold = 5;\\nlet percentotalthreshold = 25;\\nlet TimeSeriesData = CommonSecurityLog \\n| where isnotempty(DestinationIP) and isnotempty(SourceIP)\\n| where TimeGenerated between (startofday(ago(starttime))..startofday(ago(endtime)))\\n| project TimeGenerated,SourceIP, DestinationIP, DeviceVendor\\n| make-series Total=count() on TimeGenerated from startofday(ago(starttime)) to startofday(ago(endtime)) step timeframe by DeviceVendor;\\n//Filtering specific records associated with spikes as outliers\\nlet TimeSeriesAlerts=TimeSeriesData\\n| extend (anomalies, score, baseline) = series_decompose_anomalies(Total, scorethreshold, -1, 'linefit')\\n| mv-expand Total to typeof(double), TimeGenerated to typeof(datetime), anomalies to typeof(double),score to typeof(double), baseline to typeof(long)\\n| where anomalies > 0 | extend score = round(score,2), AnomalyHour = TimeGenerated\\n| project DeviceVendor,AnomalyHour, TimeGenerated, Total, baseline, anomalies, score;\\n//Join anomalies with Base Data to popalate associated records for investigation - Results sorted by score in descending order \\nTimeSeriesAlerts \\n| join (\\n CommonSecurityLog \\n| where isnotempty(DestinationIP) and isnotempty(SourceIP)\\n| where TimeGenerated between (startofday(ago(starttime))..startofday(ago(endtime)))\\n| summarize HourlyCount = count(), TimeGeneratedMax = arg_max(TimeGenerated, *), DestinationIPlist = make_set(DestinationIP), DestinationPortlist = make_set(DestinationPort) by DeviceVendor, SourceIP, TimeGeneratedHour= bin(TimeGenerated, 1h)\\n| extend AnomalyHour = TimeGeneratedHour\\n) on AnomalyHour, DeviceVendor \\n| extend PercentTotal = round((HourlyCount / Total) * 100, 3)\\n| where PercentTotal > percentotalthreshold\\n| project DeviceVendor , AnomalyHour, TimeGeneratedMax, SourceIP, DestinationIPlist, DestinationPortlist, HourlyCount, PercentTotal, Total, baseline, score, anomalies\\n| summarize HourlyCount=sum(HourlyCount), StartTimeUtc=min(TimeGeneratedMax), EndTimeUtc=max(TimeGeneratedMax), SourceIPlist = make_set(SourceIP), SourceIPMax= arg_max(SourceIP, *), DestinationIPlist = make_set(DestinationIPlist), DestinationPortlist = make_set(DestinationPortlist) by DeviceVendor , AnomalyHour, Total, baseline, score, anomalies\\n| project DeviceVendor , AnomalyHour, EndTimeUtc, SourceIPMax ,SourceIPlist, DestinationIPlist, DestinationPortlist, HourlyCount, Total, baseline, score, anomalies\\n| extend timestamp= EndTimeUtc , IPCustomEntity = SourceIPMax\",\r\n \"queryFrequency\": \"PT1H\",\r\n \"queryPeriod\": \"P14D\",\r\n \"triggerOperator\": \"GreaterThan\",\r\n \"triggerThreshold\": 3,\r\n \"entityMappings\": [\r\n {\r\n \"entityType\": \"IP\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"Address\",\r\n \"columnName\": \"IPCustomEntity\"\r\n }\r\n ]\r\n }\r\n ],\r\n \"displayName\": \"Time series anomaly detection for total volume of traffic\",\r\n \"description\": \"Identifies anamalous spikes in network traffic logs as compared to baseline or normal historical patterns. \\nThe query leverages a KQL built-in anomaly detection algorithm to find large deviations from baseline patterns. \\nSudden increases in network traffic volume may be an indication of data exfiltration attempts and should be investigated.\\nThe higher the score, the further it is from the baseline value.\\nThe output is aggregated to provide summary view of unique source IP to destination IP address and port traffic observed in the flagged anomaly hour. \\nThe source IP addresses which were sending less than percentotalthreshold of the total traffic have been exluded whose value can be adjusted as needed .\\nYou may have to run queries for individual source IP addresses from SourceIPlist to determine if anything looks suspicious\",\r\n \"tactics\": [\r\n \"Exfiltration\"\r\n ],\r\n \"lastUpdatedDateUTC\": \"2020-11-17T00:00:00Z\",\r\n \"createdDateUTC\": \"2019-05-07T00:00:00Z\",\r\n \"status\": \"Available\",\r\n \"requiredDataConnectors\": [\r\n {\r\n \"connectorId\": \"Barracuda\",\r\n \"dataTypes\": [\r\n \"CommonSecurityLog\"\r\n ]\r\n },\r\n {\r\n \"connectorId\": \"CEF\",\r\n \"dataTypes\": [\r\n \"CommonSecurityLog\"\r\n ]\r\n },\r\n {\r\n \"connectorId\": \"CheckPoint\",\r\n \"dataTypes\": [\r\n \"CommonSecurityLog\"\r\n ]\r\n },\r\n {\r\n \"connectorId\": \"CiscoASA\",\r\n \"dataTypes\": [\r\n \"CommonSecurityLog\"\r\n ]\r\n },\r\n {\r\n \"connectorId\": \"F5\",\r\n \"dataTypes\": [\r\n \"CommonSecurityLog\"\r\n ]\r\n },\r\n {\r\n \"connectorId\": \"Fortinet\",\r\n \"dataTypes\": [\r\n \"CommonSecurityLog\"\r\n ]\r\n },\r\n {\r\n \"connectorId\": \"PaloAltoNetworks\",\r\n \"dataTypes\": [\r\n \"CommonSecurityLog\"\r\n ]\r\n }\r\n ],\r\n \"alertRulesCreatedByTemplateCount\": 0\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/AlertRuleTemplates/3533f74c-9207-4047-96e2-0eb9383be587\",\r\n \"name\": \"3533f74c-9207-4047-96e2-0eb9383be587\",\r\n \"type\": \"Microsoft.SecurityInsights/AlertRuleTemplates\",\r\n \"kind\": \"Scheduled\",\r\n \"properties\": {\r\n \"severity\": \"Low\",\r\n \"query\": \"let detectionTime = 1d;\\nlet joinLookback = 14d;\\nAuditLogs\\n| where TimeGenerated > ago(detectionTime)\\n| where LoggedByService =~ \\\"Core Directory\\\"\\n| where Category =~ \\\"ApplicationManagement\\\"\\n| where OperationName =~ \\\"Consent to application\\\"\\n| where TargetResources has \\\"offline\\\"\\n| extend AppDisplayName = TargetResources.[0].displayName\\n| extend AppClientId = tolower(TargetResources.[0].id)\\n| where AppClientId !in ((externaldata(knownAppClientId:string, knownAppDisplayName:string)[@\\\"https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Sample%20Data/Feeds/Microsoft.OAuth.KnownApplications.csv\\\"] with (format=\\\"csv\\\")))\\n| extend ConsentFull = TargetResources[0].modifiedProperties[4].newValue\\n| parse ConsentFull with * \\\"ConsentType: \\\" GrantConsentType \\\", Scope: \\\" GrantScope1 \\\"]\\\" *\\n| where ConsentFull contains \\\"offline_access\\\" and ConsentFull contains \\\"Files.Read\\\" or ConsentFull contains \\\"Mail.Read\\\" or ConsentFull contains \\\"Notes.Read\\\" or ConsentFull contains \\\"ChannelMessage.Read\\\" or ConsentFull contains \\\"Chat.Read\\\" or ConsentFull contains \\\"TeamsActivity.Read\\\" or ConsentFull contains \\\"Group.Read\\\" or ConsentFull contains \\\"EWS.AccessAsUser.All\\\" or ConsentFull contains \\\"EAS.AccessAsUser.All\\\"\\n| where GrantConsentType != \\\"AllPrincipals\\\" // NOTE: we are ignoring if OAuth application was granted to all users via an admin - but admin due diligence should be audited occasionally\\n| extend GrantIpAddress = iff(isnotempty(InitiatedBy.user.ipAddress), InitiatedBy.user.ipAddress, InitiatedBy.app.ipAddress)\\n| extend GrantInitiatedBy = iff(isnotempty(InitiatedBy.user.userPrincipalName),InitiatedBy.user.userPrincipalName, InitiatedBy.app.displayName)\\n| extend GrantUserAgent = iff(AdditionalDetails[0].key =~ \\\"User-Agent\\\", AdditionalDetails[0].value, \\\"\\\")\\n| project TimeGenerated, GrantConsentType, GrantScope1, GrantInitiatedBy, AppDisplayName, GrantIpAddress, GrantUserAgent, AppClientId, OperationName, ConsentFull, CorrelationId\\n| join kind = leftouter (AuditLogs\\n| where TimeGenerated > ago(joinLookback)\\n| where LoggedByService =~ \\\"Core Directory\\\"\\n| where Category =~ \\\"ApplicationManagement\\\"\\n| where OperationName =~ \\\"Add service principal\\\"\\n| extend AppClientId = tolower(TargetResources[0].id)\\n| extend AppReplyURLs = iff(TargetResources[0].modifiedProperties[1].newValue has \\\"AddressType\\\", TargetResources[0].modifiedProperties[1].newValue, \\\"\\\")\\n| distinct AppClientId, tostring(AppReplyURLs)\\n)\\non AppClientId\\n| join kind = innerunique (AuditLogs\\n| where TimeGenerated > ago(joinLookback)\\n| where LoggedByService =~ \\\"Core Directory\\\"\\n| where Category =~ \\\"ApplicationManagement\\\"\\n| where OperationName =~ \\\"Add OAuth2PermissionGrant\\\" or OperationName =~ \\\"Add delegated permission grant\\\"\\n| extend GrantAuthentication = tostring(TargetResources[0].displayName)\\n| extend GrantOperation = OperationName\\n| project GrantAuthentication, GrantOperation, CorrelationId\\n) on CorrelationId\\n| project TimeGenerated, GrantConsentType, GrantScope1, GrantInitiatedBy, AppDisplayName, AppReplyURLs, GrantIpAddress, GrantUserAgent, AppClientId, GrantAuthentication, OperationName, GrantOperation, CorrelationId, ConsentFull\",\r\n \"queryFrequency\": \"P1D\",\r\n \"queryPeriod\": \"P14D\",\r\n \"triggerOperator\": \"GreaterThan\",\r\n \"triggerThreshold\": 0,\r\n \"displayName\": \"Suspicious application consent for offline access\",\r\n \"description\": \"This will alert when a user consents to provide a previously-unknown Azure application with offline access via OAuth.\\nOffline access will provide the Azure App with access to the listed resources without requiring two-factor authentication.\\nConsent to applications with offline access and read capabilities should be rare, especially as the knownApplications list is expanded. Public contributions to expand this filter are welcome!\\nFor further information on AuditLogs please see https://docs.microsoft.com/azure/active-directory/reports-monitoring/reference-audit-activities.\",\r\n \"tactics\": [\r\n \"CredentialAccess\"\r\n ],\r\n \"lastUpdatedDateUTC\": \"2020-06-29T00:00:00Z\",\r\n \"createdDateUTC\": \"2020-06-26T00:00:00Z\",\r\n \"status\": \"Available\",\r\n \"requiredDataConnectors\": [\r\n {\r\n \"connectorId\": \"AzureActiveDirectory\",\r\n \"dataTypes\": [\r\n \"AuditLogs\"\r\n ]\r\n }\r\n ],\r\n \"alertRulesCreatedByTemplateCount\": 0\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/AlertRuleTemplates/0777f138-e5d8-4eab-bec1-e11ddfbc2be2\",\r\n \"name\": \"0777f138-e5d8-4eab-bec1-e11ddfbc2be2\",\r\n \"type\": \"Microsoft.SecurityInsights/AlertRuleTemplates\",\r\n \"kind\": \"Scheduled\",\r\n \"properties\": {\r\n \"severity\": \"Low\",\r\n \"query\": \"let timeframe = 10m;\\nlet threshold = 20;\\nSecurityEvent \\n| where TimeGenerated >= ago(timeframe)\\n| where EventID == 4625\\n| where AccountType =~ \\\"User\\\"\\n| where SubStatus !='0xc0000064' and Account !in ('\\\\\\\\', '-\\\\\\\\-')\\n// SubStatus '0xc0000064' signifies 'Account name does not exist'\\n| extend ResourceId = column_ifexists(\\\"_ResourceId\\\", _ResourceId), SourceComputerId = column_ifexists(\\\"SourceComputerId\\\", SourceComputerId)\\n| extend Reason = case(\\nSubStatus =~ '0xC000005E', 'There are currently no logon servers available to service the logon request.',\\nSubStatus =~ '0xC0000064', 'User logon with misspelled or bad user account',\\nSubStatus =~ '0xC000006A', 'User logon with misspelled or bad password', \\nSubStatus =~ '0xC000006D', 'Bad user name or password',\\nSubStatus =~ '0xC000006E', 'Unknown user name or bad password',\\nSubStatus =~ '0xC000006F', 'User logon outside authorized hours',\\nSubStatus =~ '0xC0000070', 'User logon from unauthorized workstation',\\nSubStatus =~ '0xC0000071', 'User logon with expired password',\\nSubStatus =~ '0xC0000072', 'User logon to account disabled by administrator',\\nSubStatus =~ '0xC00000DC', 'Indicates the Sam Server was in the wrong state to perform the desired operation', \\nSubStatus =~ '0xC0000133', 'Clocks between DC and other computer too far out of sync',\\nSubStatus =~ '0xC000015B', 'The user has not been granted the requested logon type (aka logon right) at this machine',\\nSubStatus =~ '0xC000018C', 'The logon request failed because the trust relationship between the primary domain and the trusted domain failed',\\nSubStatus =~ '0xC0000192', 'An attempt was made to logon, but the Netlogon service was not started',\\nSubStatus =~ '0xC0000193', 'User logon with expired account',\\nSubStatus =~ '0xC0000224', 'User is required to change password at next logon',\\nSubStatus =~ '0xC0000225', 'Evidently a bug in Windows and not a risk',\\nSubStatus =~ '0xC0000234', 'User logon with account locked',\\nSubStatus =~ '0xC00002EE', 'Failure Reason: An Error occurred during Logon',\\nSubStatus =~ '0xC0000413', 'Logon Failure: The machine you are logging onto is protected by an authentication firewall. The specified account is not allowed to authenticate to the machine',\\nstrcat('Unknown reason substatus: ', SubStatus))\\n| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated), FailedLogonCount = count() by EventID, \\nActivity, Computer, Account, TargetAccount, TargetUserName, TargetDomainName, \\nLogonType, LogonTypeName, LogonProcessName, Status, SubStatus, Reason, ResourceId, SourceComputerId, WorkstationName, IpAddress\\n| where FailedLogonCount >= threshold\\n| extend timestamp = StartTime, AccountCustomEntity = Account, HostCustomEntity = Computer, IPCustomEntity = IpAddress\",\r\n \"queryFrequency\": \"PT10M\",\r\n \"queryPeriod\": \"PT10M\",\r\n \"triggerOperator\": \"GreaterThan\",\r\n \"triggerThreshold\": 0,\r\n \"entityMappings\": [\r\n {\r\n \"entityType\": \"Account\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"FullName\",\r\n \"columnName\": \"AccountCustomEntity\"\r\n }\r\n ]\r\n },\r\n {\r\n \"entityType\": \"Host\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"FullName\",\r\n \"columnName\": \"HostCustomEntity\"\r\n }\r\n ]\r\n },\r\n {\r\n \"entityType\": \"IP\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"Address\",\r\n \"columnName\": \"IPCustomEntity\"\r\n }\r\n ]\r\n }\r\n ],\r\n \"displayName\": \"Failed logon attempts by valid accounts within 10 mins\",\r\n \"description\": \"Identifies when failed logon attempts are 20 or higher during a 10 minute period (2 failed logons per minute minimum) from valid account.\",\r\n \"tactics\": [\r\n \"CredentialAccess\"\r\n ],\r\n \"lastUpdatedDateUTC\": \"2020-11-17T00:00:00Z\",\r\n \"createdDateUTC\": \"2019-02-14T00:00:00Z\",\r\n \"status\": \"Available\",\r\n \"requiredDataConnectors\": [\r\n {\r\n \"connectorId\": \"SecurityEvents\",\r\n \"dataTypes\": [\r\n \"SecurityEvent\"\r\n ]\r\n }\r\n ],\r\n \"alertRulesCreatedByTemplateCount\": 0\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/AlertRuleTemplates/a7427ed7-04b4-4e3b-b323-08b981b9b4bf\",\r\n \"name\": \"a7427ed7-04b4-4e3b-b323-08b981b9b4bf\",\r\n \"type\": \"Microsoft.SecurityInsights/AlertRuleTemplates\",\r\n \"kind\": \"Scheduled\",\r\n \"properties\": {\r\n \"severity\": \"Medium\",\r\n \"query\": \"let dt_lookBack = 1h;\\nlet ioc_lookBack = 14d;\\nThreatIntelligenceIndicator\\n| where TimeGenerated >= ago(ioc_lookBack) and ExpirationDateTime > now()\\n| where Active == true\\n| where isnotempty(FileHashValue)\\n| join (\\n SecurityEvent | where TimeGenerated >= ago(dt_lookBack)\\n | where EventID in (\\\"8003\\\",\\\"8002\\\",\\\"8005\\\")\\n | where isnotempty(FileHash)\\n | extend SecurityEvent_TimeGenerated = TimeGenerated, Event = EventID\\n)\\non $left.FileHashValue == $right.FileHash\\n| summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId\\n| project LatestIndicatorTime, Description, ActivityGroupNames, IndicatorId, ThreatType, Url, ExpirationDateTime, ConfidenceScore,\\nSecurityEvent_TimeGenerated, Process, FileHash, Computer, Account, Event\\n| extend timestamp = SecurityEvent_TimeGenerated, AccountCustomEntity = Account, HostCustomEntity = Computer, URLCustomEntity = Url\",\r\n \"queryFrequency\": \"PT1H\",\r\n \"queryPeriod\": \"P14D\",\r\n \"triggerOperator\": \"GreaterThan\",\r\n \"triggerThreshold\": 0,\r\n \"entityMappings\": [\r\n {\r\n \"entityType\": \"Account\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"FullName\",\r\n \"columnName\": \"AccountCustomEntity\"\r\n }\r\n ]\r\n },\r\n {\r\n \"entityType\": \"Host\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"FullName\",\r\n \"columnName\": \"HostCustomEntity\"\r\n }\r\n ]\r\n },\r\n {\r\n \"entityType\": \"URL\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"Url\",\r\n \"columnName\": \"URLCustomEntity\"\r\n }\r\n ]\r\n }\r\n ],\r\n \"displayName\": \"(Preview) TI map File Hash to Security Event\",\r\n \"description\": \"Identifies a match in Security Event data from any File Hash IOC from TI\",\r\n \"tactics\": [\r\n \"Impact\"\r\n ],\r\n \"lastUpdatedDateUTC\": \"2020-11-17T00:00:00Z\",\r\n \"createdDateUTC\": \"2019-08-27T00:00:00Z\",\r\n \"status\": \"Available\",\r\n \"requiredDataConnectors\": [\r\n {\r\n \"connectorId\": \"SecurityEvents\",\r\n \"dataTypes\": [\r\n \"SecurityEvent\"\r\n ]\r\n },\r\n {\r\n \"connectorId\": \"ThreatIntelligence\",\r\n \"dataTypes\": [\r\n \"ThreatIntelligenceIndicator\"\r\n ]\r\n },\r\n {\r\n \"connectorId\": \"ThreatIntelligenceTaxii\",\r\n \"dataTypes\": [\r\n \"ThreatIntelligenceIndicator\"\r\n ]\r\n }\r\n ],\r\n \"alertRulesCreatedByTemplateCount\": 0\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/AlertRuleTemplates/85aca4d1-5d15-4001-abd9-acb86ca1786a\",\r\n \"name\": \"85aca4d1-5d15-4001-abd9-acb86ca1786a\",\r\n \"type\": \"Microsoft.SecurityInsights/AlertRuleTemplates\",\r\n \"kind\": \"Scheduled\",\r\n \"properties\": {\r\n \"severity\": \"Medium\",\r\n \"query\": \"let dt_lookBack = 1h;\\nlet ioc_lookBack = 14d;\\n//Create a list of TLDs in our threat feed for later validation\\nlet list_tlds = ThreatIntelligenceIndicator\\n| where TimeGenerated > ago(ioc_lookBack)\\n| where isnotempty(DomainName)\\n| extend parts = split(DomainName, '.')\\n| extend tld = parts[(array_length(parts)-1)]\\n| summarize count() by tostring(tld)\\n| summarize make_list(tld);\\nThreatIntelligenceIndicator\\n| where TimeGenerated >= ago(ioc_lookBack) and ExpirationDateTime > now()\\n| where Active == true\\n// Picking up only IOC's that contain the entities we want\\n| where isnotempty(DomainName)\\n| join (\\n DnsEvents\\n | where TimeGenerated > ago(dt_lookBack)\\n //Extract domain patterns from syslog message\\n | where isnotempty(Name)\\n | extend parts = split(Name, '.')\\n //Split out the TLD\\n | extend tld = parts[(array_length(parts)-1)]\\n //Validate parsed domain by checking if the TLD is in the list of TLDs in our threat feed\\n | where tld in~ (list_tlds)\\n | extend DNS_TimeGenerated = TimeGenerated\\n) on $left.DomainName==$right.Name\\n| summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId\\n| project LatestIndicatorTime, Description, ActivityGroupNames, IndicatorId, ThreatType, ExpirationDateTime, ConfidenceScore, Url, DNS_TimeGenerated, Computer, ClientIP, Name, QueryType\\n| extend timestamp = DNS_TimeGenerated, HostCustomEntity = Computer, IPCustomEntity = ClientIP, URLCustomEntity = Url\",\r\n \"queryFrequency\": \"PT1H\",\r\n \"queryPeriod\": \"P14D\",\r\n \"triggerOperator\": \"GreaterThan\",\r\n \"triggerThreshold\": 0,\r\n \"entityMappings\": [\r\n {\r\n \"entityType\": \"Host\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"FullName\",\r\n \"columnName\": \"HostCustomEntity\"\r\n }\r\n ]\r\n },\r\n {\r\n \"entityType\": \"IP\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"Address\",\r\n \"columnName\": \"IPCustomEntity\"\r\n }\r\n ]\r\n },\r\n {\r\n \"entityType\": \"URL\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"Url\",\r\n \"columnName\": \"URLCustomEntity\"\r\n }\r\n ]\r\n }\r\n ],\r\n \"displayName\": \"(Preview) TI map Domain entity to DnsEvent\",\r\n \"description\": \"Identifies a match in DnsEvent table from any Domain IOC from TI\",\r\n \"tactics\": [\r\n \"Impact\"\r\n ],\r\n \"lastUpdatedDateUTC\": \"2020-11-17T00:00:00Z\",\r\n \"createdDateUTC\": \"2019-08-28T00:00:00Z\",\r\n \"status\": \"Available\",\r\n \"requiredDataConnectors\": [\r\n {\r\n \"connectorId\": \"DNS\",\r\n \"dataTypes\": [\r\n \"DnsEvents\"\r\n ]\r\n },\r\n {\r\n \"connectorId\": \"ThreatIntelligence\",\r\n \"dataTypes\": [\r\n \"ThreatIntelligenceIndicator\"\r\n ]\r\n },\r\n {\r\n \"connectorId\": \"ThreatIntelligenceTaxii\",\r\n \"dataTypes\": [\r\n \"ThreatIntelligenceIndicator\"\r\n ]\r\n }\r\n ],\r\n \"alertRulesCreatedByTemplateCount\": 0\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/AlertRuleTemplates/f110287e-1358-490d-8147-ed804b328514\",\r\n \"name\": \"f110287e-1358-490d-8147-ed804b328514\",\r\n \"type\": \"Microsoft.SecurityInsights/AlertRuleTemplates\",\r\n \"kind\": \"Scheduled\",\r\n \"properties\": {\r\n \"severity\": \"Medium\",\r\n \"query\": \"let dt_lookBack = 1h;\\nlet ioc_lookBack = 14d;\\nThreatIntelligenceIndicator\\n| where TimeGenerated >= ago(ioc_lookBack) and ExpirationDateTime > now()\\n| where Active == true\\n// Picking up only IOC's that contain the entities we want\\n| where isnotempty(NetworkIP) or isnotempty(EmailSourceIpAddress) or isnotempty(NetworkDestinationIP) or isnotempty(NetworkSourceIP)\\n// As there is potentially more than 1 indicator type for matching IP, taking NetworkIP first, then others if that is empty.\\n// Taking the first non-empty value based on potential IOC match availability\\n| extend TI_ipEntity = iff(isnotempty(NetworkIP), NetworkIP, NetworkDestinationIP)\\n| extend TI_ipEntity = iff(isempty(TI_ipEntity) and isnotempty(NetworkSourceIP), NetworkSourceIP, TI_ipEntity)\\n| extend TI_ipEntity = iff(isempty(TI_ipEntity) and isnotempty(EmailSourceIpAddress), EmailSourceIpAddress, TI_ipEntity)\\n| join (\\n AWSCloudTrail | where TimeGenerated >= ago(dt_lookBack)\\n // renaming time column so it is clear the log this came from\\n | extend AWSCloudTrail_TimeGenerated = TimeGenerated\\n)\\non $left.TI_ipEntity == $right.SourceIpAddress\\n| summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId\\n| project LatestIndicatorTime, Description, ActivityGroupNames, IndicatorId, ThreatType, Url, ExpirationDateTime, ConfidenceScore, AWSCloudTrail_TimeGenerated,\\nTI_ipEntity, EventName, EventTypeName, UserIdentityAccountId, UserIdentityPrincipalid, UserIdentityUserName, SourceIpAddress,\\nNetworkIP, NetworkDestinationIP, NetworkSourceIP, EmailSourceIpAddress\\n| extend timestamp = AWSCloudTrail_TimeGenerated, IPCustomEntity = SourceIpAddress, AccountCustomEntity = UserIdentityUserName, URLCustomEntity = Url\",\r\n \"queryFrequency\": \"PT1H\",\r\n \"queryPeriod\": \"P14D\",\r\n \"triggerOperator\": \"GreaterThan\",\r\n \"triggerThreshold\": 0,\r\n \"entityMappings\": [\r\n {\r\n \"entityType\": \"Account\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"FullName\",\r\n \"columnName\": \"AccountCustomEntity\"\r\n }\r\n ]\r\n },\r\n {\r\n \"entityType\": \"IP\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"Address\",\r\n \"columnName\": \"IPCustomEntity\"\r\n }\r\n ]\r\n },\r\n {\r\n \"entityType\": \"URL\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"Url\",\r\n \"columnName\": \"URLCustomEntity\"\r\n }\r\n ]\r\n }\r\n ],\r\n \"displayName\": \"(Preview) TI map IP entity to AWSCloudTrail\",\r\n \"description\": \"Identifies a match in AWSCloudTrail from any IP IOC from TI\",\r\n \"tactics\": [\r\n \"Impact\"\r\n ],\r\n \"lastUpdatedDateUTC\": \"2020-11-17T00:00:00Z\",\r\n \"createdDateUTC\": \"2019-08-27T00:00:00Z\",\r\n \"status\": \"Available\",\r\n \"requiredDataConnectors\": [\r\n {\r\n \"connectorId\": \"ThreatIntelligence\",\r\n \"dataTypes\": [\r\n \"ThreatIntelligenceIndicator\"\r\n ]\r\n },\r\n {\r\n \"connectorId\": \"ThreatIntelligenceTaxii\",\r\n \"dataTypes\": [\r\n \"ThreatIntelligenceIndicator\"\r\n ]\r\n },\r\n {\r\n \"connectorId\": \"AWS\",\r\n \"dataTypes\": [\r\n \"AWSCloudTrail\"\r\n ]\r\n }\r\n ],\r\n \"alertRulesCreatedByTemplateCount\": 0\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/AlertRuleTemplates/ef88eb96-861c-43a0-ab16-f3835a97c928\",\r\n \"name\": \"ef88eb96-861c-43a0-ab16-f3835a97c928\",\r\n \"type\": \"Microsoft.SecurityInsights/AlertRuleTemplates\",\r\n \"kind\": \"Scheduled\",\r\n \"properties\": {\r\n \"severity\": \"Medium\",\r\n \"query\": \"let timeframe = 1d;\\nlet regexEmpire = @\\\"SetDelay|GetDelay|Set-LostLimit|Get-LostLimit|Set-Killdate|Get-Killdate|Set-WorkingHours|Get-WorkingHours|Get-Sysinfo|Add-Servers|Invoke-ShellCommand|Start-AgentJob|Update-Profile|Get-FilePart|Encrypt-Bytes|Decrypt-Bytes|Encode-Packet|Decode-Packet|Send-Message|Process-Packet|Process-Tasking|Get-Task|Start-Negotiate|Invoke-DllInjection|Invoke-ReflectivePEInjection|Invoke-Shellcode|Invoke-ShellcodeMSIL|Get-ChromeDump|Get-ClipboardContents|Get-IndexedItem|Get-Keystrokes|Invoke-Inveigh|Invoke-NetRipper|local:Invoke-PatchDll|Invoke-NinjaCopy|Get-Win32Types|Get-Win32Constants|Get-Win32Functions|Sub-SignedIntAsUnsigned|Add-SignedIntAsUnsigned|Compare-Val1GreaterThanVal2AsUInt|Convert-UIntToInt|Test-MemoryRangeValid|Write-BytesToMemory|Get-DelegateType|Get-ProcAddress|Enable-SeDebugPrivilege|Invoke-CreateRemoteThread|Get-ImageNtHeaders|Get-PEBasicInfo|Get-PEDetailedInfo|Import-DllInRemoteProcess|Get-RemoteProcAddress|Copy-Sections|Update-MemoryAddresses|Import-DllImports|Get-VirtualProtectValue|Update-MemoryProtectionFlags|Update-ExeFunctions|Copy-ArrayOfMemAddresses|Get-MemoryProcAddress|Invoke-MemoryLoadLibrary|Invoke-MemoryFreeLibrary|Out-Minidump|Get-VaultCredential|Invoke-DCSync|Translate-Name|Get-NetDomain|Get-NetForest|Get-NetForestDomain|Get-DomainSearcher|Get-NetComputer|Get-NetGroupMember|Get-NetUser|Invoke-Mimikatz|Invoke-PowerDump|Invoke-TokenManipulation|Exploit-JMXConsole|Exploit-JBoss|Invoke-Thunderstruck|Invoke-VoiceTroll|Set-WallPaper|Invoke-PsExec|Invoke-SSHCommand|Invoke-PSInject|Invoke-RunAs|Invoke-SendMail|Invoke-Rule|Get-OSVersion|Select-EmailItem|View-Email|Get-OutlookFolder|Get-EmailItems|Invoke-MailSearch|Get-SubFolders|Get-GlobalAddressList|Invoke-SearchGAL|Get-SMTPAddress|Disable-SecuritySettings|Reset-SecuritySettings|Get-OutlookInstance|New-HoneyHash|Set-MacAttribute|Invoke-PatchDll|Get-SecurityPackages|Install-SSP|Invoke-BackdoorLNK|New-ElevatedPersistenceOption|New-UserPersistenceOption|Add-Persistence|Invoke-CallbackIEX|Add-PSFirewallRules|Invoke-EventLoop|Invoke-PortBind|Invoke-DNSLoop|Invoke-PacketKnock|Invoke-CallbackLoop|Invoke-BypassUAC|Get-DecryptedCpassword|Get-GPPInnerFields|Invoke-WScriptBypassUAC|Get-ModifiableFile|Get-ServiceUnquoted|Get-ServiceFilePermission|Get-ServicePermission|Invoke-ServiceUserAdd|Invoke-ServiceCMD|Write-UserAddServiceBinary|Write-CMDServiceBinary|Write-ServiceEXE|Write-ServiceEXECMD|Restore-ServiceEXE|Invoke-ServiceStart|Invoke-ServiceStop|Invoke-ServiceEnable|Invoke-ServiceDisable|Get-ServiceDetail|Find-DLLHijack|Find-PathHijack|Write-HijackDll|Get-RegAlwaysInstallElevated|Get-RegAutoLogon|Get-VulnAutoRun|Get-VulnSchTask|Get-UnattendedInstallFile|Get-Webconfig|Get-ApplicationHost|Write-UserAddMSI|Invoke-AllChecks|Invoke-ThreadedFunction|Test-Login|Get-UserAgent|Test-Password|Get-ComputerDetails|Find-4648Logons|Find-4624Logons|Find-AppLockerLogs|Find-PSScriptsInPSAppLog|Find-RDPClientConnections|Get-SystemDNSServer|Invoke-Paranoia|Invoke-WinEnum{|Get-SPN|Invoke-ARPScan|Invoke-Portscan|Invoke-ReverseDNSLookup|Invoke-SMBScanner|New-InMemoryModule|Add-Win32Type|Export-PowerViewCSV|Get-MacAttribute|Copy-ClonedFile|Get-IPAddress|Convert-NameToSid|Convert-SidToName|Convert-NT4toCanonical|Get-Proxy|Get-PathAcl|Get-NameField|Convert-LDAPProperty|Get-NetDomainController|Add-NetUser|Add-NetGroupUser|Get-UserProperty|Find-UserField|Get-UserEvent|Get-ObjectAcl|Add-ObjectAcl|Invoke-ACLScanner|Get-GUIDMap|Get-ADObject|Set-ADObject|Get-ComputerProperty|Find-ComputerField|Get-NetOU|Get-NetSite|Get-NetSubnet|Get-DomainSID|Get-NetGroup|Get-NetFileServer|SplitPath|Get-DFSshare|Get-DFSshareV1|Get-DFSshareV2|Get-GptTmpl|Get-GroupsXML|Get-NetGPO|Get-NetGPOGroup|Find-GPOLocation|Find-GPOComputerAdmin|Get-DomainPolicy|Get-NetLocalGroup|Get-NetShare|Get-NetLoggedon|Get-NetSession|Get-NetRDPSession|Invoke-CheckLocalAdminAccess|Get-LastLoggedOn|Get-NetProcess|Find-InterestingFile|Invoke-CheckWrite|Invoke-UserHunter|Invoke-StealthUserHunter|Invoke-ProcessHunter|Invoke-EventHunter|Invoke-ShareFinder|Invoke-FileFinder|Find-LocalAdminAccess|Get-ExploitableSystem|Invoke-EnumerateLocalAdmin|Get-NetDomainTrust|Get-NetForestTrust|Find-ForeignUser|Find-ForeignGroup|Invoke-MapDomainTrust|Get-Hex|Create-RemoteThread|Get-FoxDump|Decrypt-CipherText|Get-Screenshot|Start-HTTP-Server|Local:Invoke-CreateRemoteThread|Local:Get-Win32Functions|Local:Inject-NetRipper|GetCommandLine|ElevatePrivs|Get-RegKeyClass|Get-BootKey|Get-HBootKey|Get-UserName|Get-UserHashes|DecryptHashes|DecryptSingleHash|Get-UserKeys|DumpHashes|Enable-SeAssignPrimaryTokenPrivilege|Enable-Privilege|Set-DesktopACLs|Set-DesktopACLToAllowEveryone|Get-PrimaryToken|Get-ThreadToken|Get-TokenInformation|Get-UniqueTokens|Find-GPOLocation|Find-GPOComputerAdmin|Get-DomainPolicy|Get-NetLocalGroup|Get-NetShare|Get-NetLoggedon|Get-NetSession|Get-NetRDPSession|Invoke-CheckLocalAdminAccess|Get-LastLoggedOn|Get-NetProcess|Find-InterestingFile|Invoke-CheckWrite|Invoke-UserHunter|Invoke-StealthUserHunter|Invoke-ProcessHunter|Invoke-EventHunter|Invoke-ShareFinder|Invoke-FileFinder|Find-LocalAdminAccess|Get-ExploitableSystem|Invoke-EnumerateLocalAdmin|Get-NetDomainTrust|Get-NetForestTrust|Find-ForeignUser|Find-ForeignGroup|Invoke-MapDomainTrust|Get-Hex|Create-RemoteThread|Get-FoxDump|Decrypt-CipherText|Get-Screenshot|Start-HTTP-Server|Local:Invoke-CreateRemoteThread|Local:Get-Win32Functions|Local:Inject-NetRipper|GetCommandLine|ElevatePrivs|Get-RegKeyClass|Get-BootKey|Get-HBootKey|Get-UserName|Get-UserHashes|DecryptHashes|DecryptSingleHash|Get-UserKeys|DumpHashes|Enable-SeAssignPrimaryTokenPrivilege|Enable-Privilege|Set-DesktopACLs|Set-DesktopACLToAllowEveryone|Get-PrimaryToken|Get-ThreadToken|Get-TokenInformation|Get-UniqueTokens|Invoke-ImpersonateUser|Create-ProcessWithToken|Free-AllTokens|Enum-AllTokens|Invoke-RevertToSelf|Set-Speaker(\\\\$Volume){\\\\$wshShell|Local:Get-RandomString|Local:Invoke-PsExecCmd|Get-GPPPassword|Local:Inject-BypassStuff|Local:Invoke-CopyFile\\\\(\\\\$sSource,|ind-Fruit|New-IPv4Range|New-IPv4RangeFromCIDR|Parse-Hosts|Parse-ILHosts|Exclude-Hosts|Get-TopPort|Parse-Ports|Parse-IpPorts|Remove-Ports|Write-PortscanOut|Convert-SwitchtoBool|Get-ForeignUser|Get-ForeignGroup\\\";\\nlet ProcessCreationEvents=() {\\nlet processEvents=SecurityEvent\\n| where EventID==4688\\n| where isnotempty(CommandLine)\\n| project TimeGenerated, Computer, Account = SubjectUserName, AccountDomain = SubjectDomainName, FileName = Process, CommandLine, ParentProcessName;\\nprocessEvents};\\nlet decodedPS = ProcessCreationEvents\\n| where TimeGenerated >= ago(timeframe) \\n| where CommandLine contains \\\" -encodedCommand\\\"\\n| parse kind=regex flags=i CommandLine with * \\\"-EncodedCommand \\\" encodedCommand\\n| project StartTimeUtc = TimeGenerated, encodedCommand = tostring(split(encodedCommand, ' ')[0]), CommandLine\\n// Note: currently the base64_decodestring function is limited to supporting UTF8\\n| extend decodedCommand = translate('\\\\0','', base64_decodestring(substring(encodedCommand, 0, strlen(encodedCommand) - (strlen(encodedCommand) %8)))), encodedCommand, CommandLine , strlen(encodedCommand);\\n(decodedPS\\n| union \\n(ProcessCreationEvents\\n| where TimeGenerated >= ago(timeframe)\\n| where FileName in~ (\\\"powershell.exe\\\",\\\"powershell_ise.exe\\\")\\n| where CommandLine !contains \\\"-encodedcommand\\\")\\n| extend StartTimeUtc = TimeGenerated\\n)\\n| where CommandLine matches regex regexEmpire\\n| extend timestamp = StartTimeUtc, AccountCustomEntity = Account, HostCustomEntity = Computer\",\r\n \"queryFrequency\": \"P1D\",\r\n \"queryPeriod\": \"P1D\",\r\n \"triggerOperator\": \"GreaterThan\",\r\n \"triggerThreshold\": 0,\r\n \"entityMappings\": [\r\n {\r\n \"entityType\": \"Account\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"FullName\",\r\n \"columnName\": \"AccountCustomEntity\"\r\n }\r\n ]\r\n },\r\n {\r\n \"entityType\": \"Host\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"FullName\",\r\n \"columnName\": \"HostCustomEntity\"\r\n }\r\n ]\r\n }\r\n ],\r\n \"displayName\": \"Powershell Empire cmdlets seen in command line\",\r\n \"description\": \"Identifies instances of PowerShell Empire cmdlets in powershell process command line data.\",\r\n \"tactics\": [\r\n \"Execution\",\r\n \"Persistence\"\r\n ],\r\n \"lastUpdatedDateUTC\": \"2020-11-17T00:00:00Z\",\r\n \"createdDateUTC\": \"2019-01-25T00:00:00Z\",\r\n \"status\": \"Available\",\r\n \"requiredDataConnectors\": [\r\n {\r\n \"connectorId\": \"SecurityEvents\",\r\n \"dataTypes\": [\r\n \"SecurityEvent\"\r\n ]\r\n }\r\n ],\r\n \"alertRulesCreatedByTemplateCount\": 0\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/AlertRuleTemplates/643c2025-9604-47c5-833f-7b4b9378a1f5\",\r\n \"name\": \"643c2025-9604-47c5-833f-7b4b9378a1f5\",\r\n \"type\": \"Microsoft.SecurityInsights/AlertRuleTemplates\",\r\n \"kind\": \"Scheduled\",\r\n \"properties\": {\r\n \"severity\": \"Medium\",\r\n \"query\": \"//Adjust this threshold to fit your environment\\nlet signin_threshold = 5; \\n//Make a list of IPs with AAD signin failures above our threshold\\nlet Suspicious_signins = \\nSigninLogs\\n| where TimeGenerated >= ago(1d)\\n| where ResultType !in (\\\"0\\\", \\\"50125\\\", \\\"50140\\\")\\n| where IPAddress != \\\"127.0.0.1\\\"\\n| summarize count() by IPAddress\\n| where count_ > signin_threshold\\n| summarize make_list(IPAddress);\\n//See if any of those IPs have sucessfully logged into the AWS console\\nAWSCloudTrail\\n| where TimeGenerated > ago(1d)\\n| where EventName =~ \\\"ConsoleLogin\\\"\\n| extend LoginResult = tostring(parse_json(ResponseElements).ConsoleLogin) \\n| where LoginResult =~ \\\"Success\\\"\\n| where SourceIpAddress in (Suspicious_signins)\\n| extend Reason = \\\"Multiple failed AAD logins from IP address\\\"\\n| extend MFAUsed = tostring(parse_json(AdditionalEventData).MFAUsed)\\n| extend User = iif(isempty(UserIdentityUserName), UserIdentityType, UserIdentityUserName) \\n| summarize StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated) by Reason, LoginResult, EventTypeName, UserIdentityType, User, AWSRegion, SourceIpAddress, UserAgent, MFAUsed\\n| extend timestamp = StartTimeUtc, AccountCustomEntity = User, IPCustomEntity = SourceIpAddress\",\r\n \"queryFrequency\": \"P1D\",\r\n \"queryPeriod\": \"P1D\",\r\n \"triggerOperator\": \"GreaterThan\",\r\n \"triggerThreshold\": 0,\r\n \"entityMappings\": [\r\n {\r\n \"entityType\": \"Account\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"FullName\",\r\n \"columnName\": \"AccountCustomEntity\"\r\n }\r\n ]\r\n },\r\n {\r\n \"entityType\": \"IP\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"Address\",\r\n \"columnName\": \"IPCustomEntity\"\r\n }\r\n ]\r\n }\r\n ],\r\n \"displayName\": \"Failed AzureAD logons but success logon to AWS Console\",\r\n \"description\": \"Identifies a list of IP addresses with a minimum number(defualt of 5) of failed logon attempts to Azure Active Directory.\\nUses that list to identify any successful AWS Console logons from these IPs within the same timeframe.\",\r\n \"tactics\": [\r\n \"InitialAccess\",\r\n \"CredentialAccess\"\r\n ],\r\n \"lastUpdatedDateUTC\": \"2020-11-17T00:00:00Z\",\r\n \"createdDateUTC\": \"2019-08-20T00:00:00Z\",\r\n \"status\": \"Available\",\r\n \"requiredDataConnectors\": [\r\n {\r\n \"connectorId\": \"AzureActiveDirectory\",\r\n \"dataTypes\": [\r\n \"SigninLogs\"\r\n ]\r\n },\r\n {\r\n \"connectorId\": \"AWS\",\r\n \"dataTypes\": [\r\n \"AWSCloudTrail\"\r\n ]\r\n }\r\n ],\r\n \"alertRulesCreatedByTemplateCount\": 0\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/AlertRuleTemplates/7249500f-3038-4b83-8549-9cd8dfa2d498\",\r\n \"name\": \"7249500f-3038-4b83-8549-9cd8dfa2d498\",\r\n \"type\": \"Microsoft.SecurityInsights/AlertRuleTemplates\",\r\n \"kind\": \"Scheduled\",\r\n \"properties\": {\r\n \"severity\": \"High\",\r\n \"query\": \"let timeframe = 1d;\\nlet DomainNames = dynamic([\\\"de-ma.online\\\", \\\"g20saudi.000webhostapp.com\\\", \\\"ksat20.000webhostapp.com\\\"]);\\nlet EmailAddresses = dynamic([\\\"munichconference1962@gmail.com\\\",\\\"munichconference@outlook.de\\\", \\\"munichconference@outlook.com\\\", \\\"t20saudiarabia@gmail.com\\\", \\\"t20saudiarabia@hotmail.com\\\", \\\"t20saudiarabia@outlook.sa\\\"]);\\n(union isfuzzy=true\\n(CommonSecurityLog \\n| where TimeGenerated >= ago(timeframe)\\n| parse Message with * '(' DNSName ')' * \\n| extend MessageIP = extract(IPRegex, 0, Message)\\n| extend RequestURLIP = extract(IPRegex, 0, Message)\\n| where (isnotempty(DNSName) and DNSName has_any (DomainNames)) \\n or (isnotempty(DestinationHostName) and DestinationHostName has_any (DomainNames)) \\n or (isnotempty(RequestURL) and (RequestURL has_any (DomainNames)))\\n| extend timestamp = TimeGenerated , AccountCustomEntity = SourceUserID, HostCustomEntity = DeviceName\\n),\\n(DnsEvents \\n| where TimeGenerated >= ago(timeframe) \\n| extend DestinationIPAddress = IPAddresses, DNSName = Name, Host = Computer\\n| where DNSName has_any (DomainNames) \\n| extend timestamp = TimeGenerated, IPCustomEntity = DestinationIPAddress, HostCustomEntity = Host),\\n(VMConnection \\n| where TimeGenerated >= ago(timeframe) \\n| parse RemoteDnsCanonicalNames with * '[\\\"' DNSName '\\\"]' *\\n| where isnotempty(DNSName)\\n| where DNSName has_any (DomainNames)\\n| extend timestamp = TimeGenerated , HostCustomEntity = Computer),\\n(SecurityAlert\\n| where TimeGenerated >= ago(timeframe) \\n| where ProviderName =~ 'OATP'\\n| extend UPN = case(isnotempty(parse_json(Entities)[0].Upn), parse_json(Entities)[0].Upn, \\n isnotempty(parse_json(Entities)[1].Upn), parse_json(Entities)[1].Upn,\\n isnotempty(parse_json(Entities)[2].Upn), parse_json(Entities)[2].Upn,\\n isnotempty(parse_json(Entities)[3].Upn), parse_json(Entities)[3].Upn,\\n isnotempty(parse_json(Entities)[4].Upn), parse_json(Entities)[4].Upn,\\n isnotempty(parse_json(Entities)[5].Upn), parse_json(Entities)[5].Upn,\\n isnotempty(parse_json(Entities)[6].Upn), parse_json(Entities)[6].Upn,\\n isnotempty(parse_json(Entities)[7].Upn), parse_json(Entities)[7].Upn,\\n isnotempty(parse_json(Entities)[8].Upn), parse_json(Entities)[8].Upn,\\n parse_json(Entities)[9].Upn)\\n| where Entities has_any (EmailAddresses)\\n| extend timestamp = TimeGenerated, AccountCustomEntity = tostring(UPN)),\\n(AzureDiagnostics\\n| where TimeGenerated >= ago(timeframe) \\n| where ResourceType =~ \\\"AZUREFIREWALLS\\\"\\n| where msg_s has_any (DomainNames)\\n| extend timestamp = TimeGenerated))\",\r\n \"queryFrequency\": \"P1D\",\r\n \"queryPeriod\": \"P1D\",\r\n \"triggerOperator\": \"GreaterThan\",\r\n \"triggerThreshold\": 0,\r\n \"entityMappings\": [\r\n {\r\n \"entityType\": \"Account\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"FullName\",\r\n \"columnName\": \"AccountCustomEntity\"\r\n }\r\n ]\r\n },\r\n {\r\n \"entityType\": \"Host\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"FullName\",\r\n \"columnName\": \"HostCustomEntity\"\r\n }\r\n ]\r\n },\r\n {\r\n \"entityType\": \"IP\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"Address\",\r\n \"columnName\": \"IPCustomEntity\"\r\n }\r\n ]\r\n }\r\n ],\r\n \"displayName\": \"Known PHOSPHORUS group domains/IP - October 2020\",\r\n \"description\": \"Matches IOCs related to PHOSPHORUS group activity published October 2020 with CommonSecurityLog, DnsEvents, OfficeActivity and VMConnection dataTypes.\\nReferences: \",\r\n \"tactics\": [\r\n \"CommandAndControl\",\r\n \"InitialAccess\"\r\n ],\r\n \"lastUpdatedDateUTC\": \"2020-11-19T00:00:00Z\",\r\n \"createdDateUTC\": \"2020-10-20T00:00:00Z\",\r\n \"status\": \"Available\",\r\n \"requiredDataConnectors\": [\r\n {\r\n \"connectorId\": \"DNS\",\r\n \"dataTypes\": [\r\n \"DnsEvents\"\r\n ]\r\n },\r\n {\r\n \"connectorId\": \"AzureMonitor(VMInsights)\",\r\n \"dataTypes\": [\r\n \"VMConnection\"\r\n ]\r\n },\r\n {\r\n \"connectorId\": \"CiscoASA\",\r\n \"dataTypes\": [\r\n \"CommonSecurityLog (Cisco)\"\r\n ]\r\n },\r\n {\r\n \"connectorId\": \"PaloAltoNetworks\",\r\n \"dataTypes\": [\r\n \"CommonSecurityLog (PaloAlto)\"\r\n ]\r\n },\r\n {\r\n \"connectorId\": \"Zscaler\",\r\n \"dataTypes\": [\r\n \"CommonSecurityLog (Zscaler)\"\r\n ]\r\n },\r\n {\r\n \"connectorId\": \"Fortinet\",\r\n \"dataTypes\": [\r\n \"CommonSecurityLog (Fortinet)\"\r\n ]\r\n },\r\n {\r\n \"connectorId\": \"OfficeATP\",\r\n \"dataTypes\": [\r\n \"SecurityAlert (OATP)\"\r\n ]\r\n },\r\n {\r\n \"connectorId\": \"AzureFirewall\",\r\n \"dataTypes\": [\r\n \"AzureDiagnostics (Azure Firewall)\"\r\n ]\r\n }\r\n ],\r\n \"alertRulesCreatedByTemplateCount\": 0\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/AlertRuleTemplates/0b9ae89d-8cad-461c-808f-0494f70ad5c4\",\r\n \"name\": \"0b9ae89d-8cad-461c-808f-0494f70ad5c4\",\r\n \"type\": \"Microsoft.SecurityInsights/AlertRuleTemplates\",\r\n \"kind\": \"Scheduled\",\r\n \"properties\": {\r\n \"severity\": \"Low\",\r\n \"query\": \"let timeframe = 1d;\\nlet PerUserThreshold = 5;\\nlet TotalThreshold = 100;\\nlet action = dynamic([\\\"change\\\", \\\"changed\\\", \\\"reset\\\"]);\\nlet pWord = dynamic([\\\"password\\\", \\\"credentials\\\"]);\\nlet PasswordResetMultiDataSource =\\n(union isfuzzy=true\\n(//Password reset events\\n//4723: An attempt was made to change an account's password\\n//4724: An attempt was made to reset an accounts password\\nSecurityEvent\\n| where TimeGenerated >= ago(timeframe)\\n| where EventID in (\\\"4723\\\",\\\"4724\\\")\\n| project TimeGenerated, Computer, AccountType, Account, Type),\\n(//Azure Active Directory Password reset events\\nAuditLogs\\n| where TimeGenerated >= ago(timeframe)\\n| where OperationName has_any (pWord) and OperationName has_any (action)\\n| extend AccountType = tostring(TargetResources[0].type), Account = tostring(TargetResources[0].userPrincipalName), \\nTargetResourceName = tolower(tostring(TargetResources[0].displayName))\\n| project TimeGenerated, AccountType, Account, Computer = TargetResourceName, Type),\\n(//OfficeActive ActiveDirectory Password reset events\\nOfficeActivity\\n| where TimeGenerated >= ago(timeframe)\\n| where OfficeWorkload == \\\"AzureActiveDirectory\\\" \\n| where (ExtendedProperties has_any (pWord) or ModifiedProperties has_any (pWord)) and (ExtendedProperties has_any (action) or ModifiedProperties has_any (action))\\n| extend AccountType = UserType, Account = OfficeObjectId \\n| project TimeGenerated, AccountType, Account, Type, Computer = \\\"\\\"),\\n(// Unix syslog password reset events\\nSyslog\\n| where TimeGenerated >= ago(timeframe)\\n| where Facility in (\\\"auth\\\",\\\"authpriv\\\")\\n| where SyslogMessage has_any (pWord) and SyslogMessage has_any (action)\\n| extend AccountType = iif(SyslogMessage contains \\\"root\\\", \\\"Root\\\", \\\"Non-Root\\\")\\n| parse SyslogMessage with * \\\"password changed for\\\" Account\\n| project TimeGenerated, AccountType, Account, Computer = HostName, Type),\\n(SigninLogs\\n| where TimeGenerated >= ago(timeframe)\\n| where OperationName =~ \\\"Sign-in activity\\\" and ResultType has_any (\\\"50125\\\", \\\"50133\\\")\\n| project TimeGenerated, AccountType = AppDisplayName, Computer = IPAddress, Account = UserPrincipalName, Type\\n)\\n);\\nlet pwrmd = PasswordResetMultiDataSource\\n| project TimeGenerated, Computer, AccountType, Account, Type;\\n(union isfuzzy=true \\n(pwrmd\\n| summarize StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated), Computer = makeset(Computer), AccountType = makeset(AccountType), Total=count() by Account, Type\\n| where Total > PerUserThreshold\\n| extend ResetPivot = \\\"PerUserReset\\\"), \\n(pwrmd\\n| summarize StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated), Computer = makeset(Computer), Account = tostring(makeset(Account)), AccountType = makeset(AccountType), Total=count() by Type\\n| where Total > TotalThreshold\\n| extend ResetPivot = \\\"TotalUserReset\\\")\\n)\\n| extend timestamp = StartTimeUtc, AccountCustomEntity = Account, HostCustomEntity = tostring(Computer)\",\r\n \"queryFrequency\": \"P1D\",\r\n \"queryPeriod\": \"P1D\",\r\n \"triggerOperator\": \"GreaterThan\",\r\n \"triggerThreshold\": 0,\r\n \"entityMappings\": [\r\n {\r\n \"entityType\": \"Account\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"FullName\",\r\n \"columnName\": \"AccountCustomEntity\"\r\n }\r\n ]\r\n },\r\n {\r\n \"entityType\": \"Host\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"FullName\",\r\n \"columnName\": \"HostCustomEntity\"\r\n }\r\n ]\r\n }\r\n ],\r\n \"displayName\": \"Multiple Password Reset by user\",\r\n \"description\": \"This query will determine multiple password resets by user across multiple data sources. \\nAccount manipulation including password reset may aid adversaries in maintaining access to credentials \\nand certain permission levels within an environment.\",\r\n \"tactics\": [\r\n \"InitialAccess\",\r\n \"CredentialAccess\"\r\n ],\r\n \"lastUpdatedDateUTC\": \"2020-11-17T00:00:00Z\",\r\n \"createdDateUTC\": \"2019-09-03T00:00:00Z\",\r\n \"status\": \"Available\",\r\n \"requiredDataConnectors\": [\r\n {\r\n \"connectorId\": \"AzureActiveDirectory\",\r\n \"dataTypes\": [\r\n \"AuditLogs\"\r\n ]\r\n },\r\n {\r\n \"connectorId\": \"SecurityEvents\",\r\n \"dataTypes\": [\r\n \"SecurityEvent\"\r\n ]\r\n },\r\n {\r\n \"connectorId\": \"Syslog\",\r\n \"dataTypes\": [\r\n \"Syslog\"\r\n ]\r\n },\r\n {\r\n \"connectorId\": \"Office365\",\r\n \"dataTypes\": [\r\n \"OfficeActivity\"\r\n ]\r\n }\r\n ],\r\n \"alertRulesCreatedByTemplateCount\": 0\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/AlertRuleTemplates/327cd4ed-ca42-454b-887c-54e1c91363c6\",\r\n \"name\": \"327cd4ed-ca42-454b-887c-54e1c91363c6\",\r\n \"type\": \"Microsoft.SecurityInsights/AlertRuleTemplates\",\r\n \"kind\": \"MicrosoftSecurityIncidentCreation\",\r\n \"properties\": {\r\n \"productFilter\": \"Microsoft Defender Advanced Threat Protection\",\r\n \"displayName\": \"Create incidents based on Microsoft Defender Advanced Threat Protection alerts\",\r\n \"description\": \"Create incidents based on all alerts generated in Microsoft Defender Advanced Threat Protection\",\r\n \"lastUpdatedDateUTC\": \"2019-10-24T00:00:00Z\",\r\n \"createdDateUTC\": \"2019-10-24T00:00:00Z\",\r\n \"status\": \"Available\",\r\n \"requiredDataConnectors\": [\r\n {\r\n \"connectorId\": \"MicrosoftDefenderAdvancedThreatProtection\",\r\n \"dataTypes\": [\r\n \"SecurityAlert (MDATP)\"\r\n ]\r\n }\r\n ],\r\n \"alertRulesCreatedByTemplateCount\": 1\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/AlertRuleTemplates/44a555d8-ecee-4a25-95ce-055879b4b14b\",\r\n \"name\": \"44a555d8-ecee-4a25-95ce-055879b4b14b\",\r\n \"type\": \"Microsoft.SecurityInsights/AlertRuleTemplates\",\r\n \"kind\": \"Scheduled\",\r\n \"properties\": {\r\n \"severity\": \"Medium\",\r\n \"query\": \"let timeFrame = 1d;\\nlet timeBin = 10m;\\nlet portThreshold = 30;\\nW3CIISLog\\n| where TimeGenerated >= ago(timeFrame)\\n| extend scStatusFull = strcat(scStatus, \\\".\\\",scSubStatus) \\n// Map common IIS codes\\n| extend scStatusFull_Friendly = case(\\nscStatusFull == \\\"401.0\\\", \\\"Access denied.\\\",\\nscStatusFull == \\\"401.1\\\", \\\"Logon failed.\\\",\\nscStatusFull == \\\"401.2\\\", \\\"Logon failed due to server configuration.\\\",\\nscStatusFull == \\\"401.3\\\", \\\"Unauthorized due to ACL on resource.\\\",\\nscStatusFull == \\\"401.4\\\", \\\"Authorization failed by filter.\\\",\\nscStatusFull == \\\"401.5\\\", \\\"Authorization failed by ISAPI/CGI application.\\\",\\nscStatusFull == \\\"403.0\\\", \\\"Forbidden.\\\",\\nscStatusFull == \\\"403.4\\\", \\\"SSL required.\\\",\\n\\\"See - https://support.microsoft.com/help/943891/the-http-status-code-in-iis-7-0-iis-7-5-and-iis-8-0\\\")\\n// Mapping to Hex so can be mapped using website in comments above\\n| extend scWin32Status_Hex = tohex(tolong(scWin32Status)) \\n// Map common win32 codes\\n| extend scWin32Status_Friendly = case(\\nscWin32Status_Hex =~ \\\"775\\\", \\\"The referenced account is currently locked out and cannot be logged on to.\\\",\\nscWin32Status_Hex =~ \\\"52e\\\", \\\"Logon failure: Unknown user name or bad password.\\\",\\nscWin32Status_Hex =~ \\\"532\\\", \\\"Logon failure: The specified account password has expired.\\\",\\nscWin32Status_Hex =~ \\\"533\\\", \\\"Logon failure: Account currently disabled.\\\", \\nscWin32Status_Hex =~ \\\"2ee2\\\", \\\"The request has timed out.\\\", \\nscWin32Status_Hex =~ \\\"0\\\", \\\"The operation completed successfully.\\\", \\nscWin32Status_Hex =~ \\\"1\\\", \\\"Incorrect function.\\\", \\nscWin32Status_Hex =~ \\\"2\\\", \\\"The system cannot find the file specified.\\\", \\nscWin32Status_Hex =~ \\\"3\\\", \\\"The system cannot find the path specified.\\\", \\nscWin32Status_Hex =~ \\\"4\\\", \\\"The system cannot open the file.\\\", \\nscWin32Status_Hex =~ \\\"5\\\", \\\"Access is denied.\\\", \\nscWin32Status_Hex =~ \\\"8009030e\\\", \\\"SEC_E_NO_CREDENTIALS\\\", \\nscWin32Status_Hex =~ \\\"8009030C\\\", \\\"SEC_E_LOGON_DENIED\\\", \\n\\\"See - https://msdn.microsoft.com/library/cc231199.aspx\\\")\\n// decode URI when available\\n| extend decodedUriQuery = url_decode(csUriQuery)\\n// Count of attempts by client IP on many ports\\n| summarize makeset(sPort), makeset(decodedUriQuery), makeset(csUserName), makeset(sSiteName), makeset(sPort), makeset(csUserAgent), makeset(csMethod), makeset(csUriQuery), makeset(scStatusFull), makeset(scStatusFull_Friendly), makeset(scWin32Status_Hex), makeset(scWin32Status_Friendly), ConnectionsCount = count() by bin(TimeGenerated, timeBin), cIP, Computer, sIP\\n| extend portCount = arraylength(set_sPort)\\n| where portCount >= portThreshold\\n| project TimeGenerated, cIP, set_sPort, set_csUserName, set_decodedUriQuery, Computer, set_sSiteName, sIP, set_csUserAgent, set_csMethod, set_scStatusFull, set_scStatusFull_Friendly, set_scWin32Status_Hex, set_scWin32Status_Friendly, ConnectionsCount, portCount\\n| order by portCount\\n| extend timestamp = TimeGenerated, IPCustomEntity = cIP\",\r\n \"queryFrequency\": \"P1D\",\r\n \"queryPeriod\": \"P1D\",\r\n \"triggerOperator\": \"GreaterThan\",\r\n \"triggerThreshold\": 0,\r\n \"entityMappings\": [\r\n {\r\n \"entityType\": \"IP\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"Address\",\r\n \"columnName\": \"IPCustomEntity\"\r\n }\r\n ]\r\n }\r\n ],\r\n \"displayName\": \"High count of connections by client IP on many ports\",\r\n \"description\": \"Identifies when 30 or more ports are used for a given client IP in 10 minutes occurring on the IIS server.\\nThis could be indicative of attempted port scanning or exploit attempt at internet facing web applications. \\nThis could also simply indicate a misconfigured service or device.\\nReferences:\\nIIS status code mapping - https://support.microsoft.com/help/943891/the-http-status-code-in-iis-7-0-iis-7-5-and-iis-8-0\\nWin32 Status code mapping - https://msdn.microsoft.com/library/cc231199.aspx\",\r\n \"tactics\": [\r\n \"InitialAccess\"\r\n ],\r\n \"lastUpdatedDateUTC\": \"2020-11-17T00:00:00Z\",\r\n \"createdDateUTC\": \"2019-03-19T00:00:00Z\",\r\n \"status\": \"Available\",\r\n \"requiredDataConnectors\": [\r\n {\r\n \"connectorId\": \"AzureMonitor(IIS)\",\r\n \"dataTypes\": [\r\n \"W3CIISLog\"\r\n ]\r\n }\r\n ],\r\n \"alertRulesCreatedByTemplateCount\": 0\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/AlertRuleTemplates/712fab52-2a7d-401e-a08c-ff939cc7c25e\",\r\n \"name\": \"712fab52-2a7d-401e-a08c-ff939cc7c25e\",\r\n \"type\": \"Microsoft.SecurityInsights/AlertRuleTemplates\",\r\n \"kind\": \"Scheduled\",\r\n \"properties\": {\r\n \"severity\": \"Medium\",\r\n \"query\": \"let dt_lookBack = 1h;\\nlet ioc_lookBack = 14d;\\nThreatIntelligenceIndicator\\n| where TimeGenerated >= ago(ioc_lookBack) and ExpirationDateTime > now()\\n| where Active == true\\n// Picking up only IOC's that contain the entities we want\\n| where isnotempty(Url)\\n| join (\\n AuditLogs\\n | where TimeGenerated >= ago(dt_lookBack)\\n // Extract the URL that is contained within the JSON data\\n | extend Url = extract(\\\"(http[s]?://(?:[a-zA-Z]|[0-9]|[$-_@.&+]|[!*\\\\\\\\(\\\\\\\\),]|(?:%[0-9a-fA-F][0-9a-fA-F]))+);\\\", 1,tostring(TargetResources))\\n | where isnotempty(Url)\\n | extend userPrincipalName = tostring(parse_json(tostring(InitiatedBy.user)).userPrincipalName)\\n | extend TargetResourceDisplayName = tostring(TargetResources[0].displayName)\\n | extend Audit_TimeGenerated = TimeGenerated\\n) on Url\\n| summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId\\n| project LatestIndicatorTime, Description, ActivityGroupNames, IndicatorId, ThreatType, ExpirationDateTime, ConfidenceScore,\\nAudit_TimeGenerated, OperationName, Identity, userPrincipalName, TargetResourceDisplayName, Url\\n| extend timestamp = Audit_TimeGenerated, AccountCustomEntity = userPrincipalName, HostCustomEntity = TargetResourceDisplayName, URLCustomEntity = Url\",\r\n \"queryFrequency\": \"PT1H\",\r\n \"queryPeriod\": \"P14D\",\r\n \"triggerOperator\": \"GreaterThan\",\r\n \"triggerThreshold\": 0,\r\n \"entityMappings\": [\r\n {\r\n \"entityType\": \"Account\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"FullName\",\r\n \"columnName\": \"AccountCustomEntity\"\r\n }\r\n ]\r\n },\r\n {\r\n \"entityType\": \"Host\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"FullName\",\r\n \"columnName\": \"HostCustomEntity\"\r\n }\r\n ]\r\n },\r\n {\r\n \"entityType\": \"URL\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"Url\",\r\n \"columnName\": \"URLCustomEntity\"\r\n }\r\n ]\r\n }\r\n ],\r\n \"displayName\": \"(Preview) TI map URL entity to AuditLogs\",\r\n \"description\": \"Identifies a match in AuditLogs from any URL IOC from TI\",\r\n \"tactics\": [\r\n \"Impact\"\r\n ],\r\n \"lastUpdatedDateUTC\": \"2020-11-17T00:00:00Z\",\r\n \"createdDateUTC\": \"2019-08-27T00:00:00Z\",\r\n \"status\": \"Available\",\r\n \"requiredDataConnectors\": [\r\n {\r\n \"connectorId\": \"AzureActiveDirectory\",\r\n \"dataTypes\": [\r\n \"AuditLogs\"\r\n ]\r\n },\r\n {\r\n \"connectorId\": \"ThreatIntelligence\",\r\n \"dataTypes\": [\r\n \"ThreatIntelligenceIndicator\"\r\n ]\r\n },\r\n {\r\n \"connectorId\": \"ThreatIntelligenceTaxii\",\r\n \"dataTypes\": [\r\n \"ThreatIntelligenceIndicator\"\r\n ]\r\n }\r\n ],\r\n \"alertRulesCreatedByTemplateCount\": 0\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/AlertRuleTemplates/361dd1e3-1c11-491e-82a3-bb2e44ac36ba\",\r\n \"name\": \"361dd1e3-1c11-491e-82a3-bb2e44ac36ba\",\r\n \"type\": \"Microsoft.SecurityInsights/AlertRuleTemplates\",\r\n \"kind\": \"Scheduled\",\r\n \"properties\": {\r\n \"severity\": \"Medium\",\r\n \"query\": \"let szOperationNames = dynamic([\\\"Create or Update Virtual Machine\\\", \\\"Create Deployment\\\"]);\\nlet starttime = 7d;\\nlet endtime = 1d;\\nAzureActivity\\n| where TimeGenerated between (startofday(ago(starttime)) .. startofday(ago(endtime)))\\n| where OperationName in~ (szOperationNames)\\n| summarize StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated), ActivityTimeStamp = makelist(TimeGenerated), ActivityStatus = makelist(ActivityStatus), \\nOperationIds = makelist(OperationId), CallerIpAddress = makelist(CallerIpAddress), CorrelationId = makelist(CorrelationId) \\nby ResourceId, Caller, OperationName, Resource, ResourceGroup\\n| mvexpand CallerIpAddress\\n| where isnotempty(CallerIpAddress)\\n| make-series dResourceCount=dcount(ResourceId) default=0 on StartTimeUtc in range(startofday(ago(7d)), now(), 1d) \\nby Caller, tostring(ActivityTimeStamp), tostring(ActivityStatus), tostring(OperationIds), tostring(CallerIpAddress), tostring(CorrelationId), ResourceId, OperationName, Resource, ResourceGroup\\n| extend (RSquare,Slope,Variance,RVariance,Interception,LineFit)=series_fit_line(dResourceCount)\\n| where Slope > 0.2\\n| join kind=leftsemi (\\n// Last day's activity is anomalous\\nAzureActivity\\n| where TimeGenerated >= startofday(ago(endtime))\\n| where OperationName in~ (szOperationNames)\\n| summarize StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated), ActivityTimeStamp = makelist(TimeGenerated), ActivityStatus = makelist(ActivityStatus), \\nOperationIds = makelist(OperationId), CallerIpAddress = makelist(CallerIpAddress), CorrelationId = makelist(CorrelationId) \\nby ResourceId, Caller, OperationName, Resource, ResourceGroup\\n| mvexpand CallerIpAddress\\n| where isnotempty(CallerIpAddress)\\n| make-series dResourceCount=dcount(ResourceId) default=0 on StartTimeUtc in range(startofday(ago(1d)), now(), 1d) \\nby Caller, tostring(ActivityTimeStamp), tostring(ActivityStatus), tostring(OperationIds), tostring(CallerIpAddress), tostring(CorrelationId), ResourceId, OperationName, Resource, ResourceGroup\\n| extend (RSquare,Slope,Variance,RVariance,Interception,LineFit)=series_fit_line(dResourceCount)\\n| where Slope > 0.2 \\n) on Caller, CallerIpAddress \\n| mvexpand todynamic(ActivityTimeStamp), todynamic(ActivityStatus), todynamic(OperationIds), todynamic(CorrelationId)\\n| extend timestamp = ActivityTimeStamp, AccountCustomEntity = Caller, IPCustomEntity = CallerIpAddress\",\r\n \"queryFrequency\": \"P1D\",\r\n \"queryPeriod\": \"P7D\",\r\n \"triggerOperator\": \"GreaterThan\",\r\n \"triggerThreshold\": 0,\r\n \"entityMappings\": [\r\n {\r\n \"entityType\": \"Account\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"FullName\",\r\n \"columnName\": \"AccountCustomEntity\"\r\n }\r\n ]\r\n },\r\n {\r\n \"entityType\": \"IP\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"Address\",\r\n \"columnName\": \"IPCustomEntity\"\r\n }\r\n ]\r\n }\r\n ],\r\n \"displayName\": \"Suspicious number of resource creation or deployment activities\",\r\n \"description\": \"Indicates when an anomalous number of VM creations or deployment activities occur in Azure via the AzureActivity log.\\nThe anomaly detection identifies activities that have occurred both since the start of the day 1 day ago and the start of the day 7 days ago.\\nThe start of the day is considered 12am UTC time.\",\r\n \"tactics\": [\r\n \"Impact\"\r\n ],\r\n \"lastUpdatedDateUTC\": \"2020-11-18T00:00:00Z\",\r\n \"createdDateUTC\": \"2019-02-05T00:00:00Z\",\r\n \"status\": \"Available\",\r\n \"requiredDataConnectors\": [\r\n {\r\n \"connectorId\": \"AzureActivity\",\r\n \"dataTypes\": [\r\n \"AzureActivity\"\r\n ]\r\n }\r\n ],\r\n \"alertRulesCreatedByTemplateCount\": 0\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/AlertRuleTemplates/be52662c-3b23-435a-a6fa-f39bdfc849e6\",\r\n \"name\": \"be52662c-3b23-435a-a6fa-f39bdfc849e6\",\r\n \"type\": \"Microsoft.SecurityInsights/AlertRuleTemplates\",\r\n \"kind\": \"Scheduled\",\r\n \"properties\": {\r\n \"severity\": \"Medium\",\r\n \"query\": \"let timeframe = ago(1h);\\nlet threshold = 10;\\nQualysHostDetection_CL\\n| where TimeGenerated >= timeframe\\n| mv-expand todynamic(Detections_s)\\n| where Detections_s.Severity == \\\"5\\\"\\n| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated), count() by NetBios_s, IPAddress\\n| where count_ >= threshold\\n| extend timestamp = StartTime, HostCustomEntity = NetBios_s, IPCustomEntity = IPAddress\",\r\n \"queryFrequency\": \"PT1H\",\r\n \"queryPeriod\": \"PT1H\",\r\n \"triggerOperator\": \"GreaterThan\",\r\n \"triggerThreshold\": 0,\r\n \"entityMappings\": [\r\n {\r\n \"entityType\": \"Host\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"FullName\",\r\n \"columnName\": \"HostCustomEntity\"\r\n }\r\n ]\r\n },\r\n {\r\n \"entityType\": \"IP\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"Address\",\r\n \"columnName\": \"IPCustomEntity\"\r\n }\r\n ]\r\n }\r\n ],\r\n \"displayName\": \"High Number of Urgent Vulnerabilities Detected\",\r\n \"description\": \"This Creates an incident when a host has a high number of Urgent, severity 5, vulnerabilities detected.\",\r\n \"tactics\": [\r\n \"InitialAccess\"\r\n ],\r\n \"lastUpdatedDateUTC\": \"2020-11-17T00:00:00Z\",\r\n \"createdDateUTC\": \"2020-06-20T00:00:00Z\",\r\n \"status\": \"Available\",\r\n \"requiredDataConnectors\": [\r\n {\r\n \"connectorId\": \"QualysVulnerabilityManagement\",\r\n \"dataTypes\": [\r\n \"QualysHostDetection_CL\"\r\n ]\r\n }\r\n ],\r\n \"alertRulesCreatedByTemplateCount\": 0\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/AlertRuleTemplates/39198934-62a0-4781-8416-a81265c03fd6\",\r\n \"name\": \"39198934-62a0-4781-8416-a81265c03fd6\",\r\n \"type\": \"Microsoft.SecurityInsights/AlertRuleTemplates\",\r\n \"kind\": \"Scheduled\",\r\n \"properties\": {\r\n \"severity\": \"Medium\",\r\n \"query\": \"let detectionTime = 1d;\\nlet joinLookback = 14d;\\nAuditLogs\\n| where TimeGenerated > ago(detectionTime)\\n| where LoggedByService =~ \\\"Core Directory\\\"\\n| where Category =~ \\\"ApplicationManagement\\\"\\n| where OperationName =~ \\\"Consent to application\\\"\\n| where TargetResources has \\\"offline\\\"\\n| extend AppDisplayName = TargetResources.[0].displayName\\n| extend AppClientId = tolower(TargetResources.[0].id)\\n| where AppClientId !in ((externaldata(knownAppClientId:string, knownAppDisplayName:string)[@\\\"https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Sample%20Data/Feeds/Microsoft.OAuth.KnownApplications.csv\\\"] with (format=\\\"csv\\\")))\\n| extend ConsentFull = TargetResources[0].modifiedProperties[4].newValue\\n| parse ConsentFull with * \\\"ConsentType: \\\" GrantConsentType \\\", Scope: \\\" GrantScope1 \\\"]\\\" *\\n| where ConsentFull contains \\\"user.read\\\" and ConsentFull contains \\\"offline_access\\\" and ConsentFull contains \\\"mail.readwrite\\\" and ConsentFull contains \\\"mail.send\\\" and ConsentFull contains \\\"files.read.all\\\"\\n| where GrantConsentType != \\\"AllPrincipals\\\" // NOTE: we are ignoring if OAuth application was granted to all users via an admin - but admin due diligence should be audited occasionally\\n| extend GrantIpAddress = iff(isnotempty(InitiatedBy.user.ipAddress), InitiatedBy.user.ipAddress, InitiatedBy.app.ipAddress)\\n| extend GrantInitiatedBy = iff(isnotempty(InitiatedBy.user.userPrincipalName),InitiatedBy.user.userPrincipalName, InitiatedBy.app.displayName)\\n| extend GrantUserAgent = iff(AdditionalDetails[0].key =~ \\\"User-Agent\\\", AdditionalDetails[0].value, \\\"\\\")\\n| project TimeGenerated, GrantConsentType, GrantScope1, GrantInitiatedBy, AppDisplayName, GrantIpAddress, GrantUserAgent, AppClientId, OperationName, ConsentFull, CorrelationId\\n| join kind = leftouter (AuditLogs\\n| where TimeGenerated > ago(joinLookback)\\n| where LoggedByService =~ \\\"Core Directory\\\"\\n| where Category =~ \\\"ApplicationManagement\\\"\\n| where OperationName =~ \\\"Add service principal\\\"\\n| extend AppClientId = tolower(TargetResources[0].id)\\n| extend AppReplyURLs = iff(TargetResources[0].modifiedProperties[1].newValue has \\\"AddressType\\\", TargetResources[0].modifiedProperties[1].newValue, \\\"\\\")\\n| distinct AppClientId, tostring(AppReplyURLs)\\n)\\non AppClientId\\n| join kind = innerunique (AuditLogs\\n| where TimeGenerated > ago(joinLookback)\\n| where LoggedByService =~ \\\"Core Directory\\\"\\n| where Category =~ \\\"ApplicationManagement\\\"\\n| where OperationName =~ \\\"Add OAuth2PermissionGrant\\\" or OperationName =~ \\\"Add delegated permission grant\\\"\\n| extend GrantAuthentication = tostring(TargetResources[0].displayName)\\n| extend GrantOperation = OperationName\\n| project GrantAuthentication, GrantOperation, CorrelationId\\n) on CorrelationId\\n| project TimeGenerated, GrantConsentType, GrantScope1, GrantInitiatedBy, AppDisplayName, AppReplyURLs, GrantIpAddress, GrantUserAgent, AppClientId, GrantAuthentication, OperationName, GrantOperation, CorrelationId, ConsentFull\",\r\n \"queryFrequency\": \"P1D\",\r\n \"queryPeriod\": \"P14D\",\r\n \"triggerOperator\": \"GreaterThan\",\r\n \"triggerThreshold\": 0,\r\n \"displayName\": \"Suspicious application consent similar to PwnAuth\",\r\n \"description\": \"This will alert when a user consents to provide a previously-unknown Azure application with the same OAuth permissions used by the FireEye PwnAuth toolkit (https://github.com/fireeye/PwnAuth).\\nThe default permissions/scope for the PwnAuth toolkit are user.read, offline_access, mail.readwrite, mail.send, and files.read.all.\\nConsent to applications with these permissions should be rare, especially as the knownApplications list is expanded. Public contributions to expand this filter are welcome!\\nFor further information on AuditLogs please see https://docs.microsoft.com/azure/active-directory/reports-monitoring/reference-audit-activities.\",\r\n \"tactics\": [\r\n \"CredentialAccess\",\r\n \"DefenseEvasion\"\r\n ],\r\n \"lastUpdatedDateUTC\": \"2020-06-29T00:00:00Z\",\r\n \"createdDateUTC\": \"2020-06-26T00:00:00Z\",\r\n \"status\": \"Available\",\r\n \"requiredDataConnectors\": [\r\n {\r\n \"connectorId\": \"AzureActiveDirectory\",\r\n \"dataTypes\": [\r\n \"AuditLogs\"\r\n ]\r\n }\r\n ],\r\n \"alertRulesCreatedByTemplateCount\": 0\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/AlertRuleTemplates/f71aba3d-28fb-450b-b192-4e76a83015c8\",\r\n \"name\": \"f71aba3d-28fb-450b-b192-4e76a83015c8\",\r\n \"type\": \"Microsoft.SecurityInsights/AlertRuleTemplates\",\r\n \"kind\": \"Fusion\",\r\n \"properties\": {\r\n \"severity\": \"High\",\r\n \"displayName\": \"Advanced Multistage Attack Detection\",\r\n \"description\": \"Using Fusion technology based on machine learning, Azure Sentinel automatically detects multistage attacks by identifying combinations of anomalous behaviors and suspicious activities observed at various stages of the kill chain. On the basis of these discoveries, Azure Sentinel generates incidents that would otherwise be very difficult to catch. By design, these incidents are low-volume, high-fidelity, and high-severity, which is why this detection is turned ON by default.\\n\\nThere are a total of 70 Fusion incident types detected by Azure Sentinel.\\n- 65 of these show the combination of suspicious Azure Active Directory sign-in events followed by anomalous Office 365 activity. Out of these 65, 30 are in public preview. \\n- The remaining five incident types show the combination of anomalous signals from Microsoft Defender Advanced Threat Protection and from Palo Alto Networks firewalls. These five types are all in public preview.\\n\\nTo detect these multistage attacks, the following data connectors must be configured:\\n- Azure Active Directory Identity Protection.\\n- Microsoft Cloud App Security.\\n- Microsoft Defender Advanced Threat Protection.\\n- Palo Alto Networks.\\n\\nFor a full list and description of each scenario that is supported for these multistage attacks, go to https://aka.ms/SentinelFusion.\",\r\n \"tactics\": [\r\n \"Collection\",\r\n \"CommandAndControl\",\r\n \"DefenseEvasion\",\r\n \"Discovery\",\r\n \"Execution\",\r\n \"Exfiltration\",\r\n \"Impact\",\r\n \"InitialAccess\",\r\n \"LateralMovement\",\r\n \"Persistence\",\r\n \"PrivilegeEscalation\"\r\n ],\r\n \"lastUpdatedDateUTC\": \"2020-09-09T00:00:00Z\",\r\n \"createdDateUTC\": \"2019-07-25T00:00:00Z\",\r\n \"status\": \"Available\",\r\n \"alertRulesCreatedByTemplateCount\": 0\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/AlertRuleTemplates/3d023f64-8225-41a2-9570-2bd7c2c4535e\",\r\n \"name\": \"3d023f64-8225-41a2-9570-2bd7c2c4535e\",\r\n \"type\": \"Microsoft.SecurityInsights/AlertRuleTemplates\",\r\n \"kind\": \"Scheduled\",\r\n \"properties\": {\r\n \"severity\": \"Medium\",\r\n \"query\": \"let timeframe = 1d;\\nlet spanoftime = 10m;\\nlet threshold = 0;\\nSecurityEvent \\n| where TimeGenerated > ago(2*timeframe) \\n// A user account was enabled\\n| where EventID == 4722\\n| where AccountType =~ \\\"User\\\"\\n| project creationTime = TimeGenerated, CreateEventID = EventID, Activity, Computer, TargetUserName, UserPrincipalName, \\nAccountUsedToCreate = SubjectUserName, TargetSid, SubjectUserSid \\n| join kind= inner (\\n SecurityEvent\\n | where TimeGenerated > ago(timeframe) \\n // A user account was disabled \\n | where EventID == 4725\\n| where AccountType == \\\"User\\\"\\n| project deletionTime = TimeGenerated, DeleteEventID = EventID, Activity, Computer, TargetUserName, UserPrincipalName, \\nAccountUsedToDelete = SubjectUserName, TargetSid, SubjectUserSid \\n) on Computer, TargetUserName\\n| where deletionTime - creationTime < spanoftime\\n| extend TimeDelta = deletionTime - creationTime\\n| where tolong(TimeDelta) >= threshold\\n| project TimeDelta, creationTime, CreateEventID, Computer, TargetUserName, UserPrincipalName, AccountUsedToCreate, \\ndeletionTime, DeleteEventID, AccountUsedToDelete\\n| extend timestamp = creationTime, AccountCustomEntity = AccountUsedToCreate, HostCustomEntity = Computer\",\r\n \"queryFrequency\": \"P1D\",\r\n \"queryPeriod\": \"P1D\",\r\n \"triggerOperator\": \"GreaterThan\",\r\n \"triggerThreshold\": 0,\r\n \"entityMappings\": [\r\n {\r\n \"entityType\": \"Account\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"FullName\",\r\n \"columnName\": \"AccountCustomEntity\"\r\n }\r\n ]\r\n },\r\n {\r\n \"entityType\": \"Host\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"FullName\",\r\n \"columnName\": \"HostCustomEntity\"\r\n }\r\n ]\r\n }\r\n ],\r\n \"displayName\": \"User account enabled and disabled within 10 mins\",\r\n \"description\": \"Identifies when a user account is enabled and then disabled within 10 minutes. This can be an indication of compromise and\\nan adversary attempting to hide in the noise.\",\r\n \"tactics\": [\r\n \"Persistence\",\r\n \"PrivilegeEscalation\"\r\n ],\r\n \"lastUpdatedDateUTC\": \"2020-11-17T00:00:00Z\",\r\n \"createdDateUTC\": \"2019-02-14T00:00:00Z\",\r\n \"status\": \"Available\",\r\n \"requiredDataConnectors\": [\r\n {\r\n \"connectorId\": \"SecurityEvents\",\r\n \"dataTypes\": [\r\n \"SecurityEvent\"\r\n ]\r\n }\r\n ],\r\n \"alertRulesCreatedByTemplateCount\": 0\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/AlertRuleTemplates/75bf9902-0789-47c1-a5d8-f57046aa72df\",\r\n \"name\": \"75bf9902-0789-47c1-a5d8-f57046aa72df\",\r\n \"type\": \"Microsoft.SecurityInsights/AlertRuleTemplates\",\r\n \"kind\": \"Scheduled\",\r\n \"properties\": {\r\n \"severity\": \"Medium\",\r\n \"query\": \"let timeframe = 1d;\\nlet procList = dynamic([\\\"cmd.exe\\\",\\\"ftp.exe\\\",\\\"schtasks.exe\\\",\\\"powershell.exe\\\",\\\"rundll32.exe\\\",\\\"regsvr32.exe\\\",\\\"msiexec.exe\\\"]);\\nlet ProcessCreationEvents=() {\\nlet processEvents=SecurityEvent\\n| where EventID==4688\\n| where isnotempty(CommandLine)\\n| project TimeGenerated, Computer, Account = SubjectUserName, AccountDomain = SubjectDomainName, NewProcessName,\\nFileName = Process, CommandLine, ParentProcessName;\\nprocessEvents};\\nProcessCreationEvents \\n| where TimeGenerated >= ago(timeframe)\\n| where FileName in~ (procList)\\n| where CommandLine contains \\\":\\\\\\\\recycler\\\"\\n| project StartTimeUtc = TimeGenerated, Computer, Account, NewProcessName, FileName, CommandLine, ParentProcessName\\n| extend timestamp = StartTimeUtc, AccountCustomEntity = Account, HostCustomEntity = Computer\",\r\n \"queryFrequency\": \"P1D\",\r\n \"queryPeriod\": \"P1D\",\r\n \"triggerOperator\": \"GreaterThan\",\r\n \"triggerThreshold\": 0,\r\n \"entityMappings\": [\r\n {\r\n \"entityType\": \"Account\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"FullName\",\r\n \"columnName\": \"AccountCustomEntity\"\r\n }\r\n ]\r\n },\r\n {\r\n \"entityType\": \"Host\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"FullName\",\r\n \"columnName\": \"HostCustomEntity\"\r\n }\r\n ]\r\n }\r\n ],\r\n \"displayName\": \"Malware in the recycle bin\",\r\n \"description\": \"Identifies malware that has been hidden in the recycle bin.\\nReferences: https://azure.microsoft.com/blog/how-azure-security-center-helps-reveal-a-cyberattack/.\",\r\n \"tactics\": [\r\n \"DefenseEvasion\"\r\n ],\r\n \"lastUpdatedDateUTC\": \"2020-11-17T00:00:00Z\",\r\n \"createdDateUTC\": \"2018-09-14T00:00:00Z\",\r\n \"status\": \"Available\",\r\n \"requiredDataConnectors\": [\r\n {\r\n \"connectorId\": \"SecurityEvents\",\r\n \"dataTypes\": [\r\n \"SecurityEvent\"\r\n ]\r\n }\r\n ],\r\n \"alertRulesCreatedByTemplateCount\": 0\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/AlertRuleTemplates/9736e5f1-7b6e-4bfb-a708-e53ff1d182c3\",\r\n \"name\": \"9736e5f1-7b6e-4bfb-a708-e53ff1d182c3\",\r\n \"type\": \"Microsoft.SecurityInsights/AlertRuleTemplates\",\r\n \"kind\": \"Scheduled\",\r\n \"properties\": {\r\n \"severity\": \"Low\",\r\n \"query\": \"let timeframe = 1d;\\nlet tokens = dynamic([\\\"416\\\",\\\"208\\\",\\\"128\\\",\\\"120\\\",\\\"96\\\",\\\"80\\\",\\\"72\\\",\\\"64\\\",\\\"48\\\",\\\"44\\\",\\\"40\\\",\\\"g5\\\",\\\"gs5\\\",\\\"g4\\\",\\\"gs4\\\",\\\"nc12\\\",\\\"nc24\\\",\\\"nv12\\\"]);\\nlet operationList = dynamic([\\\"Create or Update Virtual Machine\\\", \\\"Create Deployment\\\"]);\\nAzureActivity\\n| where TimeGenerated >= ago(timeframe)\\n| where OperationName in (operationList)\\n| where ActivityStatus == \\\"Accepted\\\" \\n| where isnotempty(Properties)\\n| extend vmSize = tolower(tostring(parse_json(tostring(parse_json(tostring(parse_json(tostring(parse_json(Properties).responseBody)).properties)).hardwareProfile)).vmSize))\\n| where isnotempty(vmSize)\\n| where vmSize has_any (tokens) \\n| extend ComputerName = tostring(parse_json(tostring(parse_json(tostring(parse_json(tostring(parse_json(Properties).responseBody)).properties)).osProfile)).computerName)\\n| extend clientIpAddress = tostring(parse_json(HTTPRequest).clientIpAddress)\\n| project TimeGenerated, OperationName, ActivityStatus, Caller, CallerIpAddress, ComputerName, vmSize\\n| extend timestamp = TimeGenerated, AccountCustomEntity = Caller, IPCustomEntity = CallerIpAddress\",\r\n \"queryFrequency\": \"P1D\",\r\n \"queryPeriod\": \"P1D\",\r\n \"triggerOperator\": \"GreaterThan\",\r\n \"triggerThreshold\": 1,\r\n \"entityMappings\": [\r\n {\r\n \"entityType\": \"Account\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"FullName\",\r\n \"columnName\": \"AccountCustomEntity\"\r\n }\r\n ]\r\n },\r\n {\r\n \"entityType\": \"IP\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"Address\",\r\n \"columnName\": \"IPCustomEntity\"\r\n }\r\n ]\r\n }\r\n ],\r\n \"displayName\": \"Creation of expensive computes in Azure\",\r\n \"description\": \"Identifies the creation of large size/expensive VMs (GPU or with large no of virtual CPUs) in Azure.\\nAdversary may create new or update existing virtual machines sizes to evade defenses \\nor use it for cryptomining purposes.\\nFor Windows/Linux Vm Sizes - https://docs.microsoft.com/azure/virtual-machines/windows/sizes \\nAzure VM Naming Conventions - https://docs.microsoft.com/azure/virtual-machines/vm-naming-conventions\",\r\n \"tactics\": [\r\n \"DefenseEvasion\"\r\n ],\r\n \"lastUpdatedDateUTC\": \"2020-11-17T00:00:00Z\",\r\n \"createdDateUTC\": \"2020-08-28T00:00:00Z\",\r\n \"status\": \"Available\",\r\n \"requiredDataConnectors\": [\r\n {\r\n \"connectorId\": \"AzureActivity\",\r\n \"dataTypes\": [\r\n \"AzureActivity\"\r\n ]\r\n }\r\n ],\r\n \"alertRulesCreatedByTemplateCount\": 0\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/AlertRuleTemplates/aac495a9-feb1-446d-b08e-a1164a539452\",\r\n \"name\": \"aac495a9-feb1-446d-b08e-a1164a539452\",\r\n \"type\": \"Microsoft.SecurityInsights/AlertRuleTemplates\",\r\n \"kind\": \"Scheduled\",\r\n \"properties\": {\r\n \"severity\": \"Medium\",\r\n \"query\": \"ThreatIntelligenceIndicator\\n| where TimeGenerated >= ago(24h)\\n| where Action == true\\n// Picking up only IOC's that contain the entities we want\\n| where isnotempty(NetworkIP) or isnotempty(EmailSourceIpAddress) or isnotempty(NetworkDestinationIP) or isnotempty(NetworkSourceIP)\\n// Taking the first non-empty value based on potential IOC match availability\\n| extend TI_ipEntity = iff(isnotempty(NetworkIP), NetworkIP, NetworkDestinationIP)\\n| extend TI_ipEntity = iff(isempty(TI_ipEntity) and isnotempty(NetworkSourceIP), NetworkSourceIP, TI_ipEntity)\\n| extend TI_ipEntity = iff(isempty(TI_ipEntity) and isnotempty(EmailSourceIpAddress), EmailSourceIpAddress, TI_ipEntity)\\n| join (\\n GitHubAudit\\n | where TimeGenerated >= ago(24h)\\n | extend GitHubAudit_TimeGenerated = TimeGenerated\\n)\\non $left.TI_ipEntity == $right.IPaddress\\n| summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId\\n| project LatestIndicatorTime, Description, ActivityGroupNames, IndicatorId, ThreatType, Url, ExpirationDateTime, ConfidenceScore, GitHubAudit_TimeGenerated, TI_ipEntity, IPaddress, Actor, Action, Country, OperationType, NetworkIP, NetworkDestinationIP, NetworkSourceIP, EmailSourceIpAddress\\n| extend timestamp = GitHubAudit_TimeGenerated, IPCustomEntity = IPaddress, AccountCustomEntity = Actor\",\r\n \"queryFrequency\": \"PT1H\",\r\n \"queryPeriod\": \"P14D\",\r\n \"triggerOperator\": \"GreaterThan\",\r\n \"triggerThreshold\": 0,\r\n \"entityMappings\": [\r\n {\r\n \"entityType\": \"Account\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"FullName\",\r\n \"columnName\": \"AccountCustomEntity\"\r\n }\r\n ]\r\n },\r\n {\r\n \"entityType\": \"IP\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"Address\",\r\n \"columnName\": \"IPCustomEntity\"\r\n }\r\n ]\r\n }\r\n ],\r\n \"displayName\": \"TI map IP entity to GitHub_CL\",\r\n \"description\": \"Identifies a match in GitHub_CL table from any IP IOC from TI\",\r\n \"tactics\": [\r\n \"Impact\"\r\n ],\r\n \"lastUpdatedDateUTC\": \"2020-11-17T00:00:00Z\",\r\n \"createdDateUTC\": \"2019-08-27T00:00:00Z\",\r\n \"status\": \"Available\",\r\n \"requiredDataConnectors\": [\r\n {\r\n \"connectorId\": \"ThreatIntelligence\",\r\n \"dataTypes\": [\r\n \"ThreatIntelligenceIndicator\"\r\n ]\r\n },\r\n {\r\n \"connectorId\": \"ThreatIntelligenceTaxii\",\r\n \"dataTypes\": [\r\n \"ThreatIntelligenceIndicator\"\r\n ]\r\n }\r\n ],\r\n \"alertRulesCreatedByTemplateCount\": 0\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/AlertRuleTemplates/34663177-8abf-4db1-b0a4-5683ab273f44\",\r\n \"name\": \"34663177-8abf-4db1-b0a4-5683ab273f44\",\r\n \"type\": \"Microsoft.SecurityInsights/AlertRuleTemplates\",\r\n \"kind\": \"Scheduled\",\r\n \"properties\": {\r\n \"severity\": \"Low\",\r\n \"query\": \"let timeframe = ago(1h);\\nlet threshold = 20;\\nPulseConnectSecure\\n| where TimeGenerated >= timeframe\\n| where Messages contains \\\"Login failed\\\"\\n| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated), count() by User, Source_IP\\n| where count_ > threshold\\n| extend timestamp = StartTime, AccountCustomEntity = User, IPCustomEntity = Source_IP\",\r\n \"queryFrequency\": \"PT1H\",\r\n \"queryPeriod\": \"PT1H\",\r\n \"triggerOperator\": \"GreaterThan\",\r\n \"triggerThreshold\": 0,\r\n \"entityMappings\": [\r\n {\r\n \"entityType\": \"Account\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"FullName\",\r\n \"columnName\": \"AccountCustomEntity\"\r\n }\r\n ]\r\n },\r\n {\r\n \"entityType\": \"IP\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"Address\",\r\n \"columnName\": \"IPCustomEntity\"\r\n }\r\n ]\r\n }\r\n ],\r\n \"displayName\": \"PulseConnectSecure - Potential Brute Force Attempts\",\r\n \"description\": \"This query identifies evidence of potential brute force attack by looking at multiple failed attempts to log into the VPN server\",\r\n \"tactics\": [\r\n \"CredentialAccess\"\r\n ],\r\n \"lastUpdatedDateUTC\": \"2020-11-17T00:00:00Z\",\r\n \"createdDateUTC\": \"2020-06-06T00:00:00Z\",\r\n \"status\": \"Available\",\r\n \"requiredDataConnectors\": [\r\n {\r\n \"connectorId\": \"PulseConnectSecure\",\r\n \"dataTypes\": [\r\n \"Syslog\"\r\n ]\r\n }\r\n ],\r\n \"alertRulesCreatedByTemplateCount\": 0\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/AlertRuleTemplates/65360bb0-8986-4ade-a89d-af3cf44d28aa\",\r\n \"name\": \"65360bb0-8986-4ade-a89d-af3cf44d28aa\",\r\n \"type\": \"Microsoft.SecurityInsights/AlertRuleTemplates\",\r\n \"kind\": \"Scheduled\",\r\n \"properties\": {\r\n \"severity\": \"Low\",\r\n \"query\": \"let timeframe = 1d;\\nlet EventNameList = dynamic([\\\"CreateNetworkAclEntry\\\",\\\"CreateRoute\\\",\\\"CreateRouteTable\\\",\\\"CreateInternetGateway\\\",\\\"CreateNatGateway\\\"]);\\nAWSCloudTrail\\n| where TimeGenerated > ago(timeframe)\\n| where EventName in~ (EventNameList)\\n| summarize StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated) by EventName, EventTypeName, UserIdentityAccountId, UserIdentityPrincipalid, UserAgent, \\nUserIdentityUserName, SessionMfaAuthenticated, SourceIpAddress, AWSRegion, EventSource, AdditionalEventData, ResponseElements\\n| extend timestamp = StartTimeUtc, AccountCustomEntity = UserIdentityUserName, IPCustomEntity = SourceIpAddress\",\r\n \"queryFrequency\": \"P1D\",\r\n \"queryPeriod\": \"P1D\",\r\n \"triggerOperator\": \"GreaterThan\",\r\n \"triggerThreshold\": 0,\r\n \"entityMappings\": [\r\n {\r\n \"entityType\": \"Account\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"FullName\",\r\n \"columnName\": \"AccountCustomEntity\"\r\n }\r\n ]\r\n },\r\n {\r\n \"entityType\": \"IP\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"Address\",\r\n \"columnName\": \"IPCustomEntity\"\r\n }\r\n ]\r\n }\r\n ],\r\n \"displayName\": \"Changes to Amazon VPC settings\",\r\n \"description\": \"Amazon Virtual Private Cloud (Amazon VPC) lets you provision a logically isolated section of the AWS Cloud where you can launch AWS resources\\nin a virtual network that you define.\\nThis identifies changes to Amazon VPC (Virtual Private Cloud) settings such as new ACL entries,routes, routetable or Gateways.\\nMore information: https://medium.com/@GorillaStack/the-most-important-aws-cloudtrail-security-events-to-track-a5b9873f8255 \\nand AWS VPC API Docs: https://docs.aws.amazon.com/AWSEC2/latest/APIReference/OperationList-query-vpc.html\",\r\n \"tactics\": [\r\n \"PrivilegeEscalation\",\r\n \"LateralMovement\"\r\n ],\r\n \"lastUpdatedDateUTC\": \"2020-11-17T00:00:00Z\",\r\n \"createdDateUTC\": \"2019-02-27T00:00:00Z\",\r\n \"status\": \"Available\",\r\n \"requiredDataConnectors\": [\r\n {\r\n \"connectorId\": \"AWS\",\r\n \"dataTypes\": [\r\n \"AWSCloudTrail\"\r\n ]\r\n }\r\n ],\r\n \"alertRulesCreatedByTemplateCount\": 0\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/AlertRuleTemplates/9fb57e58-3ed8-4b89-afcf-c8e786508b1c\",\r\n \"name\": \"9fb57e58-3ed8-4b89-afcf-c8e786508b1c\",\r\n \"type\": \"Microsoft.SecurityInsights/AlertRuleTemplates\",\r\n \"kind\": \"Scheduled\",\r\n \"properties\": {\r\n \"severity\": \"Low\",\r\n \"query\": \"let szOperationNames = dynamic([\\\"Create or Update Virtual Machine\\\", \\\"Create Deployment\\\"]);\\nlet starttime = 14d;\\nlet endtime = 1d;\\nlet RareCaller = AzureActivity\\n| where TimeGenerated between (ago(starttime) .. ago(endtime))\\n| where OperationName in~ (szOperationNames)\\n| project ResourceGroup, Caller, OperationName, CallerIpAddress\\n| join kind=rightantisemi (\\nAzureActivity\\n| where TimeGenerated > ago(endtime)\\n| where OperationName in~ (szOperationNames)\\n| summarize StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated), ActivityStatus = makeset(ActivityStatus), OperationIds = makeset(OperationId), CallerIpAddress = makeset(CallerIpAddress) \\nby ResourceId, Caller, OperationName, Resource, ResourceGroup\\n) on Caller, ResourceGroup \\n| mvexpand CallerIpAddress\\n| where isnotempty(CallerIpAddress);\\nlet Counts = RareCaller | summarize ActivityCountByCaller = count() by Caller;\\nRareCaller | join kind= inner (Counts) on Caller | project-away Caller1\\n| extend timestamp = StartTimeUtc, AccountCustomEntity = Caller, IPCustomEntity = tostring(CallerIpAddress)\\n| sort by ActivityCountByCaller desc nulls last\",\r\n \"queryFrequency\": \"P1D\",\r\n \"queryPeriod\": \"P14D\",\r\n \"triggerOperator\": \"GreaterThan\",\r\n \"triggerThreshold\": 0,\r\n \"entityMappings\": [\r\n {\r\n \"entityType\": \"Account\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"FullName\",\r\n \"columnName\": \"AccountCustomEntity\"\r\n }\r\n ]\r\n },\r\n {\r\n \"entityType\": \"IP\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"Address\",\r\n \"columnName\": \"IPCustomEntity\"\r\n }\r\n ]\r\n }\r\n ],\r\n \"displayName\": \"Suspicious Resource deployment\",\r\n \"description\": \"Identifies when a rare Resource and ResourceGroup deployment occurs by a previously unseen Caller.\",\r\n \"tactics\": [\r\n \"Impact\"\r\n ],\r\n \"lastUpdatedDateUTC\": \"2020-11-17T00:00:00Z\",\r\n \"createdDateUTC\": \"2019-02-05T00:00:00Z\",\r\n \"status\": \"Available\",\r\n \"requiredDataConnectors\": [\r\n {\r\n \"connectorId\": \"AzureActivity\",\r\n \"dataTypes\": [\r\n \"AzureActivity\"\r\n ]\r\n }\r\n ],\r\n \"alertRulesCreatedByTemplateCount\": 0\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/AlertRuleTemplates/d722831e-88f5-4e25-b106-4ef6e29f8c13\",\r\n \"name\": \"d722831e-88f5-4e25-b106-4ef6e29f8c13\",\r\n \"type\": \"Microsoft.SecurityInsights/AlertRuleTemplates\",\r\n \"kind\": \"Scheduled\",\r\n \"properties\": {\r\n \"severity\": \"Low\",\r\n \"query\": \"// a threshold can be enabled, see commented line below for PrevSeenCount\\nlet threshold = 2;\\nlet uploadOp = 'FileUploaded';\\n// Extensions that are interesting. Add/Remove to this list as you see fit\\nlet execExt = dynamic(['exe', 'inf', 'gzip', 'cmd', 'bat']);\\nlet starttime = 8d;\\nlet endtime = 1d;\\nOfficeActivity | where TimeGenerated >= ago(endtime)\\n// Limited to File Uploads due to potential noise, comment out the Operation statement below to include any operation type\\n// Additional, but potentially noisy operation types that include Uploads and Downloads can be included by adding the following - Operation contains \\\"upload\\\" or Operation contains \\\"download\\\"\\n| where Operation =~ uploadOp\\n| where SourceFileExtension has_any (execExt)\\n| project TimeGenerated, OfficeId, OfficeWorkload, RecordType, Operation, UserType, UserKey, UserId, ClientIP, UserAgent, Site_Url, SourceRelativeUrl, SourceFileName\\n| join kind= leftanti (\\nOfficeActivity | where TimeGenerated between (ago(starttime) .. ago(endtime))\\n| where Operation =~ uploadOp\\n| where SourceFileExtension has_any (execExt)\\n| summarize SourceRelativeUrl = make_set(SourceRelativeUrl), UserId = make_set(UserId) , PrevSeenCount = count() by SourceFileName\\n// To exclude previous matches when only above a specific count, change threshold above and uncomment the line below\\n//| where PrevSeenCount > threshold\\n| mvexpand SourceRelativeUrl, UserId\\n| extend SourceRelativeUrl = tostring(SourceRelativeUrl), UserId = tostring(UserId)\\n) on SourceFileName, SourceRelativeUrl, UserId \\n| extend SiteUrlUserFolder = tolower(split(Site_Url, '/')[-2])\\n| extend UserIdUserFolderFormat = tolower(replace('@|\\\\\\\\.', '_',UserId))\\n// identify when UserId is not a match to the specific site url personal folder reference\\n| extend UserIdDiffThanUserFolder = iff(Site_Url has '/personal/' and SiteUrlUserFolder != UserIdUserFolderFormat, true , false ) \\n| summarize TimeGenerated = make_list(TimeGenerated), StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated), \\nUserAgents = make_list(UserAgent), OfficeIds = make_list(OfficeId), SourceRelativeUrls = make_list(SourceRelativeUrl), FileNames = make_list(SourceFileName)\\nby OfficeWorkload, RecordType, Operation, UserType, UserKey, UserId, ClientIP, Site_Url, SiteUrlUserFolder, UserIdUserFolderFormat, UserIdDiffThanUserFolder\",\r\n \"queryFrequency\": \"P1D\",\r\n \"queryPeriod\": \"P8D\",\r\n \"triggerOperator\": \"GreaterThan\",\r\n \"triggerThreshold\": 0,\r\n \"displayName\": \"New executable via Office FileUploaded Operation\",\r\n \"description\": \"Identifies when executable file types are uploaded to Office services such as SharePoint and OneDrive.\\nList currently includes 'exe', 'inf', 'gzip', 'cmd', 'bat' file extensions.\\nAdditionally, identifies when a given user is uploading these files to another users workspace.\\nThis may be indication of a staging location for malware or other malicious activity.\",\r\n \"tactics\": [\r\n \"CommandAndControl\"\r\n ],\r\n \"lastUpdatedDateUTC\": \"2020-03-02T00:00:00Z\",\r\n \"createdDateUTC\": \"2020-02-27T00:00:00Z\",\r\n \"status\": \"Available\",\r\n \"requiredDataConnectors\": [\r\n {\r\n \"connectorId\": \"Office365\",\r\n \"dataTypes\": [\r\n \"OfficeActivity\"\r\n ]\r\n }\r\n ],\r\n \"alertRulesCreatedByTemplateCount\": 0\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/AlertRuleTemplates/4b11568b-3f5f-4ba1-80c8-7f1dc8390eb7\",\r\n \"name\": \"4b11568b-3f5f-4ba1-80c8-7f1dc8390eb7\",\r\n \"type\": \"Microsoft.SecurityInsights/AlertRuleTemplates\",\r\n \"kind\": \"Scheduled\",\r\n \"properties\": {\r\n \"severity\": \"Medium\",\r\n \"query\": \"let threshold = 50;\\nlet szSharePointFileOperation = \\\"SharePointFileOperation\\\";\\nlet szOperations = dynamic([\\\"FileDownloaded\\\", \\\"FileUploaded\\\"]);\\nlet starttime = 14d;\\nlet endtime = 1d;\\nlet historicalActivity =\\nOfficeActivity\\n| where TimeGenerated between(ago(starttime)..ago(endtime))\\n| where RecordType =~ szSharePointFileOperation\\n| where Operation in~ (szOperations)\\n| summarize historicalCount = count() by ClientIP, RecordType, Operation;\\nlet recentActivity = OfficeActivity\\n| where TimeGenerated > ago(endtime)\\n| where RecordType =~ szSharePointFileOperation\\n| where Operation in~ (szOperations)\\n| summarize min(Start_Time), max(Start_Time), recentCount = count() by ClientIP, RecordType, Operation;\\nlet RareIP = recentActivity | join kind= leftanti ( historicalActivity ) on ClientIP, RecordType, Operation\\n// More than 50 downloads/uploads from a new IP\\n| where recentCount > threshold;\\nOfficeActivity \\n| where TimeGenerated >= ago(endtime) \\n| where RecordType =~ szSharePointFileOperation\\n| where Operation in~ (szOperations)\\n| join kind= inner (RareIP) on ClientIP, RecordType, Operation\\n| where Start_Time between(min_Start_Time .. max_Start_Time)\\n| summarize StartTimeUtc = min(min_Start_Time), EndTimeUtc = max(max_Start_Time) by RecordType, Operation, UserType, UserId, ClientIP, OfficeWorkload, Site_Url, OfficeObjectId, UserAgent, IPSeenCount = recentCount\\n| extend timestamp = StartTimeUtc, AccountCustomEntity = UserId, IPCustomEntity = ClientIP, URLCustomEntity = Site_Url\\n| order by IPSeenCount desc, ClientIP asc, Operation asc, UserId asc\",\r\n \"queryFrequency\": \"P1D\",\r\n \"queryPeriod\": \"P14D\",\r\n \"triggerOperator\": \"GreaterThan\",\r\n \"triggerThreshold\": 0,\r\n \"entityMappings\": [\r\n {\r\n \"entityType\": \"Account\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"FullName\",\r\n \"columnName\": \"AccountCustomEntity\"\r\n }\r\n ]\r\n },\r\n {\r\n \"entityType\": \"IP\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"Address\",\r\n \"columnName\": \"IPCustomEntity\"\r\n }\r\n ]\r\n },\r\n {\r\n \"entityType\": \"URL\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"Url\",\r\n \"columnName\": \"URLCustomEntity\"\r\n }\r\n ]\r\n }\r\n ],\r\n \"displayName\": \"SharePointFileOperation via previously unseen IPs\",\r\n \"description\": \"Identifies when the volume of documents uploaded to or downloaded from Sharepoint by new IP addresses\\nexceeds a threshold (default is 50).\",\r\n \"tactics\": [\r\n \"Exfiltration\"\r\n ],\r\n \"lastUpdatedDateUTC\": \"2020-11-17T00:00:00Z\",\r\n \"createdDateUTC\": \"2019-08-23T00:00:00Z\",\r\n \"status\": \"Available\",\r\n \"requiredDataConnectors\": [\r\n {\r\n \"connectorId\": \"Office365\",\r\n \"dataTypes\": [\r\n \"OfficeActivity\"\r\n ]\r\n }\r\n ],\r\n \"alertRulesCreatedByTemplateCount\": 0\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/AlertRuleTemplates/871ba14c-88ef-48aa-ad38-810f26760ca3\",\r\n \"name\": \"871ba14c-88ef-48aa-ad38-810f26760ca3\",\r\n \"type\": \"Microsoft.SecurityInsights/AlertRuleTemplates\",\r\n \"kind\": \"Scheduled\",\r\n \"properties\": {\r\n \"severity\": \"Medium\",\r\n \"query\": \"let timeframe = 7d;\\nOfficeActivity\\n| where TimeGenerated >= ago(timeframe)\\n| where Operation =~ \\\"Set-Mailbox\\\"\\n| where Parameters has \\\"ForwardingSmtpAddress\\\"\\n| extend parsed = parse_json(Parameters)\\n| mv-expand parsed\\n| where parsed.Name == \\\"ForwardingSmtpAddress\\\"\\n| extend parameterName = tostring(parsed.Name), fwdingDestination = tostring(parsed.Value)\\n| where isnotempty(fwdingDestination)\\n| extend ClientIPOnly = case( \\nClientIP has \\\".\\\" and ClientIP has ':', tostring(split(ClientIP,\\\":\\\")[0]), \\nClientIP has \\\".\\\" and ClientIP has '-', tostring(split(ClientIP,\\\"-\\\")[0]), \\nClientIP has ']-', tostring(trim_start(@'[[]',tostring(split(ClientIP,\\\"]\\\")[0]))),\\nClientIP has ']:', tostring(trim_start(@'[[]',tostring(split(ClientIP,\\\"]\\\")[0]))),\\nisempty(ClientIP) and ClientIP_ has \\\".\\\" and ClientIP_ has ':', tostring(split(ClientIP_,\\\":\\\")[0]), \\nisempty(ClientIP) and ClientIP_ has \\\".\\\" and ClientIP_ has '-', tostring(split(ClientIP_,\\\"-\\\")[0]), \\nisempty(ClientIP) and ClientIP_ has ']-', tostring(trim_start(@'[[]',tostring(split(ClientIP_,\\\"]\\\")[0]))),\\nisempty(ClientIP) and ClientIP_ has ']:', tostring(trim_start(@'[[]',tostring(split(ClientIP_,\\\"]\\\")[0]))),\\nisnotempty(ClientIP), ClientIP,\\nisnotempty(ClientIP_), ClientIP_,\\n\\\"IP Not Available\\\"\\n) \\n| extend Port = case(\\nClientIP has \\\".\\\" and ClientIP has ':', tostring(split(ClientIP,\\\":\\\")[1]), \\nClientIP has \\\".\\\" and ClientIP has '-', tostring(split(ClientIP,\\\"-\\\")[1]), \\nClientIP has ']-', tostring(split(ClientIP,\\\"]-\\\")[1]), \\nClientIP has ']:', tostring(split(ClientIP,\\\"]:\\\")[1]), \\nisempty(ClientIP) and ClientIP_ has \\\".\\\" and ClientIP_ has ':', tostring(split(ClientIP_,\\\":\\\")[1]), \\nisempty(ClientIP) and ClientIP_ has \\\".\\\" and ClientIP_ has '-', tostring(split(ClientIP_,\\\"-\\\")[1]), \\nisempty(ClientIP) and ClientIP_ has ']-', tostring(split(ClientIP_,\\\"]-\\\")[1]),\\nisempty(ClientIP) and ClientIP_ has ']:', tostring(split(ClientIP_,\\\"]:\\\")[1]),\\nisnotempty(ClientIP), ClientIP,\\nisnotempty(ClientIP_), ClientIP_,\\n\\\"IP Not Available\\\"\\n)\\n| extend UserId = iff(isempty(UserId), UserId_, UserId)\\n| summarize StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated), DistinctUserCount = dcount(UserId), UserId = make_set(UserId), \\nPorts = make_set(Port), EventCount = count() by fwdingDestination, ClientIP = ClientIPOnly \\n| where DistinctUserCount > 1\\n| mv-expand UserId\\n| extend UserId = tostring(UserId), Ports = tostring(Ports)\\n| distinct StartTimeUtc, EndTimeUtc, UserId, DistinctUserCount, ClientIP, Ports, fwdingDestination, EventCount\\n| extend timestamp = StartTimeUtc, AccountCustomEntity = UserId, IPCustomEntity = ClientIP\",\r\n \"queryFrequency\": \"P1D\",\r\n \"queryPeriod\": \"P7D\",\r\n \"triggerOperator\": \"GreaterThan\",\r\n \"triggerThreshold\": 0,\r\n \"entityMappings\": [\r\n {\r\n \"entityType\": \"Account\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"FullName\",\r\n \"columnName\": \"AccountCustomEntity\"\r\n }\r\n ]\r\n },\r\n {\r\n \"entityType\": \"IP\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"Address\",\r\n \"columnName\": \"IPCustomEntity\"\r\n }\r\n ]\r\n }\r\n ],\r\n \"displayName\": \"Multiple users email forwarded to same destination\",\r\n \"description\": \"Identifies when multiple (more than one) users mailboxes are configured to forward to the same destination. \\nThis could be an attacker-controlled destination mailbox configured to collect mail from multiple compromised user accounts.\",\r\n \"tactics\": [\r\n \"Collection\",\r\n \"Exfiltration\"\r\n ],\r\n \"lastUpdatedDateUTC\": \"2020-11-17T00:00:00Z\",\r\n \"createdDateUTC\": \"2019-08-23T00:00:00Z\",\r\n \"status\": \"Available\",\r\n \"requiredDataConnectors\": [\r\n {\r\n \"connectorId\": \"Office365\",\r\n \"dataTypes\": [\r\n \"OfficeActivity\"\r\n ]\r\n }\r\n ],\r\n \"alertRulesCreatedByTemplateCount\": 0\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/AlertRuleTemplates/427e4c9e-8cf4-4094-a684-a2d060dbca38\",\r\n \"name\": \"427e4c9e-8cf4-4094-a684-a2d060dbca38\",\r\n \"type\": \"Microsoft.SecurityInsights/AlertRuleTemplates\",\r\n \"kind\": \"Scheduled\",\r\n \"properties\": {\r\n \"severity\": \"Medium\",\r\n \"query\": \"let timeframe = ago(1h);\\nlet threshold = 50;\\nSophosXGFirewall\\n| where TimeGenerated >= timeframe\\n| where Log_Type =~ \\\"Firewall\\\"\\n| where not(ipv4_is_match(\\\"10.0.0.0\\\",Src_IP,8) or ipv4_is_match(\\\"172.16.0.0\\\",Src_IP,12) or ipv4_is_match(\\\"192.168.0.0\\\",Src_IP,16))\\n| summarize dcount(Dst_Port) by Src_IP, bin(TimeGenerated, 5m)\\n| where dcount_Dst_Port > threshold\\n| extend timestamp = TimeGenerated, IPCustomEntity = Src_IP\",\r\n \"queryFrequency\": \"PT1H\",\r\n \"queryPeriod\": \"PT1H\",\r\n \"triggerOperator\": \"GreaterThan\",\r\n \"triggerThreshold\": 0,\r\n \"entityMappings\": [\r\n {\r\n \"entityType\": \"IP\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"Address\",\r\n \"columnName\": \"IPCustomEntity\"\r\n }\r\n ]\r\n }\r\n ],\r\n \"displayName\": \"Port Scan Detected\",\r\n \"description\": \"This alert creates an incident when a source IP addresses attempt to communicate with a large amount of distinct ports within a short period.\",\r\n \"tactics\": [\r\n \"Discovery\"\r\n ],\r\n \"lastUpdatedDateUTC\": \"2020-11-17T00:00:00Z\",\r\n \"createdDateUTC\": \"2020-07-08T00:00:00Z\",\r\n \"status\": \"Available\",\r\n \"requiredDataConnectors\": [\r\n {\r\n \"connectorId\": \"SophosXGFirewall\",\r\n \"dataTypes\": [\r\n \"Syslog\"\r\n ]\r\n }\r\n ],\r\n \"alertRulesCreatedByTemplateCount\": 0\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/AlertRuleTemplates/4b93c5af-d20b-4236-b696-a28b8c51407f\",\r\n \"name\": \"4b93c5af-d20b-4236-b696-a28b8c51407f\",\r\n \"type\": \"Microsoft.SecurityInsights/AlertRuleTemplates\",\r\n \"kind\": \"Scheduled\",\r\n \"properties\": {\r\n \"severity\": \"Medium\",\r\n \"query\": \"let timeframe = 1d;\\nlet spanoftime = 10m;\\nlet threshold = 0;\\nSecurityEvent \\n| where TimeGenerated > ago(2*timeframe) \\n// A user account was created\\n| where EventID == 4720\\n| where AccountType =~ \\\"User\\\"\\n| project creationTime = TimeGenerated, CreateEventID = EventID, Activity, Computer, TargetUserName, UserPrincipalName, \\nAccountUsedToCreate = SubjectUserName, TargetSid, SubjectUserSid \\n| join kind= inner (\\n SecurityEvent\\n | where TimeGenerated > ago(timeframe) \\n // A user account was deleted \\n | where EventID == 4726\\n| where AccountType == \\\"User\\\"\\n| project deletionTime = TimeGenerated, DeleteEventID = EventID, Activity, Computer, TargetUserName, UserPrincipalName, \\nAccountUsedToDelete = SubjectUserName, TargetSid, SubjectUserSid \\n) on Computer, TargetUserName\\n| where deletionTime - creationTime < spanoftime\\n| extend TimeDelta = deletionTime - creationTime\\n| where tolong(TimeDelta) >= threshold\\n| project TimeDelta, creationTime, CreateEventID, Computer, TargetUserName, UserPrincipalName, AccountUsedToCreate, \\ndeletionTime, DeleteEventID, AccountUsedToDelete\\n| extend timestamp = creationTime, AccountCustomEntity = AccountUsedToCreate, HostCustomEntity = Computer\",\r\n \"queryFrequency\": \"P1D\",\r\n \"queryPeriod\": \"P1D\",\r\n \"triggerOperator\": \"GreaterThan\",\r\n \"triggerThreshold\": 0,\r\n \"entityMappings\": [\r\n {\r\n \"entityType\": \"Account\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"FullName\",\r\n \"columnName\": \"AccountCustomEntity\"\r\n }\r\n ]\r\n },\r\n {\r\n \"entityType\": \"Host\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"FullName\",\r\n \"columnName\": \"HostCustomEntity\"\r\n }\r\n ]\r\n }\r\n ],\r\n \"displayName\": \"User account created and deleted within 10 mins\",\r\n \"description\": \"Identifies when a user account is created and then deleted within 10 minutes. This can be an indication of compromise and\\nan adversary attempting to hide in the noise.\",\r\n \"tactics\": [\r\n \"Persistence\",\r\n \"PrivilegeEscalation\"\r\n ],\r\n \"lastUpdatedDateUTC\": \"2020-11-17T00:00:00Z\",\r\n \"createdDateUTC\": \"2019-02-14T00:00:00Z\",\r\n \"status\": \"Available\",\r\n \"requiredDataConnectors\": [\r\n {\r\n \"connectorId\": \"SecurityEvents\",\r\n \"dataTypes\": [\r\n \"SecurityEvent\"\r\n ]\r\n }\r\n ],\r\n \"alertRulesCreatedByTemplateCount\": 0\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/AlertRuleTemplates/3255ec41-6bd6-4f35-84b1-c032b18bbfcb\",\r\n \"name\": \"3255ec41-6bd6-4f35-84b1-c032b18bbfcb\",\r\n \"type\": \"Microsoft.SecurityInsights/AlertRuleTemplates\",\r\n \"kind\": \"Scheduled\",\r\n \"properties\": {\r\n \"severity\": \"Low\",\r\n \"query\": \"let starttime = 1d;\\nlet TimeDeltaThresholdInSeconds = 60; // we ignore beacons diffs that fall below this threshold \\nlet TotalBeaconsThreshold = 4; // minimum number of beacons required in a session to surface a row\\nlet JitterTolerance = 0.2; // tolerance to jitter, e.g. - 0.2 = 20% jitter is tolerated either side of the periodicity\\nlet PrivateIPregex = @\\\"^127\\\\.|^10\\\\.|^172\\\\.1[6-9]\\\\.|^172\\\\.2[0-9]\\\\.|^172\\\\.3[0-1]\\\\.|^192\\\\.168\\\\.\\\"; // exclude destinations that fall into this category\\nCommonSecurityLog\\n| where DeviceVendor == \\\"Fortinet\\\"\\n| where TimeGenerated > ago(starttime)\\n// eliminate bad data\\n| where isnotempty(SourceIP) and isnotempty(DestinationIP) and SourceIP != \\\"0.0.0.0\\\"\\n// filter out deny, close, rst and SNMP to reduce data volume\\n| where DeviceAction !in (\\\"close\\\", \\\"client-rst\\\", \\\"server-rst\\\", \\\"deny\\\") and DestinationPort != 161\\n// map input fields\\n| project TimeGenerated , SourceIP, DestinationIP, DestinationPort, ReceivedBytes, SentBytes, DeviceAction \\n// where destination IPs are public\\n| extend DestinationIPType = iff(DestinationIP matches regex PrivateIPregex,\\\"private\\\" ,\\\"public\\\" )\\n| where DestinationIPType == \\\"public\\\"\\n// sort into source->destination 'sessions'\\n| sort by SourceIP asc, DestinationIP asc, DestinationPort asc, TimeGenerated asc\\n| serialize\\n// time diff the contact times between source and destination to get a list of deltas\\n| extend nextTimeGenerated = next(TimeGenerated, 1), nextSourceIP = next(SourceIP, 1), nextDestIP = next(DestinationIP, 1), nextDestPort = next(DestinationPort, 1)\\n| extend TimeDeltainSeconds = datetime_diff(\\\"second\\\",nextTimeGenerated,TimeGenerated)\\n| where SourceIP == nextSourceIP and DestinationIP == nextDestIP and DestinationPort == nextDestPort\\n// remove small time deltas below the set threshold\\n| where TimeDeltainSeconds > TimeDeltaThresholdInSeconds\\n| project TimeGenerated, TimeDeltainSeconds, SourceIP, DestinationIP, DestinationPort, ReceivedBytes, SentBytes, DeviceAction \\n// summarize the deltas by source->destination\\n| summarize count(), StartTime=min(TimeGenerated), EndTime=max(TimeGenerated), sum(ReceivedBytes), sum(SentBytes), makelist(TimeDeltainSeconds), makeset(DeviceAction) by SourceIP, DestinationIP, DestinationPort\\n// get some statistical properties of the delta distribution and smooth any outliers (e.g. laptop shut overnight, working hours)\\n| extend series_stats(list_TimeDeltainSeconds), outliers=series_outliers(list_TimeDeltainSeconds)\\n// expand the deltas and the outliers\\n| mvexpand list_TimeDeltainSeconds to typeof(double), outliers to typeof(double)\\n// replace outliers with the average of the distribution\\n| extend list_TimeDeltainSeconds_normalized=iff(outliers > 1.5 or outliers < -1.5, series_stats_list_TimeDeltainSeconds_avg , list_TimeDeltainSeconds)\\n// summarize with the smoothed distribution\\n| summarize BeaconCount=count(), makelist(list_TimeDeltainSeconds), list_TimeDeltainSeconds_normalized=makelist(list_TimeDeltainSeconds_normalized), makeset(set_DeviceAction) by StartTime, EndTime, SourceIP, DestinationIP, DestinationPort, sum_ReceivedBytes, sum_SentBytes\\n// get stats on the smoothed distribution\\n| extend series_stats(list_TimeDeltainSeconds_normalized)\\n// match jitter tolerance on smoothed distrib\\n| extend MaxJitter = (series_stats_list_TimeDeltainSeconds_normalized_avg*JitterTolerance)\\n| where series_stats_list_TimeDeltainSeconds_normalized_stdev < MaxJitter\\n// where the minimum beacon threshold is satisfied and there was some data transfer\\n| where BeaconCount > TotalBeaconsThreshold and (sum_SentBytes > 0 or sum_ReceivedBytes > 0)\\n// final projection\\n| project StartTime, EndTime, SourceIP, DestinationIP, DestinationPort, BeaconCount, TimeDeltasInSeconds=list_list_TimeDeltainSeconds, Periodicity=series_stats_list_TimeDeltainSeconds_normalized_avg, ReceivedBytes=sum_ReceivedBytes, SentBytes=sum_SentBytes, Actions=set_set_DeviceAction\\n// where periodicity is order of magnitude larger than time delta threshold (eliminates FPs whose periodicity is close to the values we ignored)\\n| where Periodicity >= (10*TimeDeltaThresholdInSeconds)\\n| extend timestamp = StartTime, IPCustomEntity = DestinationIP\",\r\n \"queryFrequency\": \"P1D\",\r\n \"queryPeriod\": \"P1D\",\r\n \"triggerOperator\": \"GreaterThan\",\r\n \"triggerThreshold\": 0,\r\n \"entityMappings\": [\r\n {\r\n \"entityType\": \"IP\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"Address\",\r\n \"columnName\": \"IPCustomEntity\"\r\n }\r\n ]\r\n }\r\n ],\r\n \"displayName\": \"Fortinet - Beacon pattern detected\",\r\n \"description\": \"Identifies patterns in the time deltas of contacts between internal and external IPs in Fortinet network data that are consistent with beaconing.\\n Accounts for randomness (jitter) and seasonality such as working hours that may have been introduced into the beacon pattern.\\n The lookback is set to 1d, the minimum granularity in time deltas is set to 60 seconds and the minimum number of beacons required to emit a\\n detection is set to 4.\\n Increase the lookback period to capture beacons with larger periodicities.\\n The jitter tolerance is set to 0.2 - This means we account for an overall 20% deviation from the infered beacon periodicity. Seasonality is dealt with\\n automatically using series_outliers.\\n Note: In large environments it may be necessary to reduce the lookback period to get fast query times.\",\r\n \"tactics\": [\r\n \"CommandAndControl\"\r\n ],\r\n \"lastUpdatedDateUTC\": \"2020-11-17T00:00:00Z\",\r\n \"createdDateUTC\": \"2020-03-31T00:00:00Z\",\r\n \"status\": \"Available\",\r\n \"requiredDataConnectors\": [\r\n {\r\n \"connectorId\": \"Fortinet\",\r\n \"dataTypes\": [\r\n \"CommonSecurityLog\"\r\n ]\r\n }\r\n ],\r\n \"alertRulesCreatedByTemplateCount\": 0\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/AlertRuleTemplates/e27dd7e5-4367-4c40-a2b7-fcd7e7a8a508\",\r\n \"name\": \"e27dd7e5-4367-4c40-a2b7-fcd7e7a8a508\",\r\n \"type\": \"Microsoft.SecurityInsights/AlertRuleTemplates\",\r\n \"kind\": \"Scheduled\",\r\n \"properties\": {\r\n \"severity\": \"Medium\",\r\n \"query\": \"let timeframe = ago(1h);\\nlet FailureThreshold = 15;\\nlet FailedEvents = Okta_CL\\n| where TimeGenerated > timeframe\\n| where eventType_s =~ \\\"user.session.start\\\"and outcome_reason_s in (\\\"VERIFICATION_ERROR\\\",\\\"INVALID_CREDENTIALS\\\")\\n| summarize dcount(actor_alternateId_s) by client_ipAddress_s, bin(TimeGenerated, 5m)\\n| where dcount_actor_alternateId_s > FailureThreshold\\n| project client_ipAddress_s, TimeGenerated;\\nOkta_CL\\n| where TimeGenerated > timeframe\\n| where eventType_s =~ \\\"user.session.start\\\"and outcome_reason_s in (\\\"VERIFICATION_ERROR\\\",\\\"INVALID_CREDENTIALS\\\")\\n| summarize Users = make_set(actor_alternateId_s) by client_ipAddress_s, City = client_geographicalContext_city_s, Country = client_geographicalContext_country_s, bin(TimeGenerated, 5m)\\n| join kind=inner (FailedEvents) on client_ipAddress_s, TimeGenerated\\n| sort by TimeGenerated desc\\n| extend timestamp = TimeGenerated, IPCustomEntity = client_ipAddress_s\",\r\n \"queryFrequency\": \"PT1H\",\r\n \"queryPeriod\": \"PT1H\",\r\n \"triggerOperator\": \"GreaterThan\",\r\n \"triggerThreshold\": 0,\r\n \"entityMappings\": [\r\n {\r\n \"entityType\": \"IP\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"Address\",\r\n \"columnName\": \"IPCustomEntity\"\r\n }\r\n ]\r\n }\r\n ],\r\n \"displayName\": \"Potential Password Spray Attack\",\r\n \"description\": \"This query searches for failed attempts to log into the Okta console from more than 15 various users within a 5 minute timeframe from the same source. This is a potential indication of a password spray attack\",\r\n \"tactics\": [\r\n \"CredentialAccess\"\r\n ],\r\n \"lastUpdatedDateUTC\": \"2020-11-17T00:00:00Z\",\r\n \"createdDateUTC\": \"2020-07-08T00:00:00Z\",\r\n \"status\": \"Available\",\r\n \"requiredDataConnectors\": [\r\n {\r\n \"connectorId\": \"OktaSSO\",\r\n \"dataTypes\": [\r\n \"Okta_CL\"\r\n ]\r\n }\r\n ],\r\n \"alertRulesCreatedByTemplateCount\": 0\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/AlertRuleTemplates/bfb1c90f-8006-4325-98be-c7fffbc254d6\",\r\n \"name\": \"bfb1c90f-8006-4325-98be-c7fffbc254d6\",\r\n \"type\": \"Microsoft.SecurityInsights/AlertRuleTemplates\",\r\n \"kind\": \"Scheduled\",\r\n \"properties\": {\r\n \"severity\": \"Medium\",\r\n \"query\": \"let timeRange = 1d;\\nlet s_threshold = 30;\\nlet l_threshold = 3;\\nSigninLogs\\n| where TimeGenerated >= ago(timeRange)\\n| where OperationName =~ \\\"Sign-in activity\\\"\\n// Error codes that we want to look at as they are related to the use of incorrect password.\\n| where ResultType in (\\\"50126\\\", \\\"50053\\\" , \\\"50055\\\", \\\"50056\\\")\\n| extend OS = DeviceDetail.operatingSystem, Browser = DeviceDetail.browser \\n| extend LocationString= strcat(tostring(LocationDetails[\\\"countryOrRegion\\\"]), \\\"/\\\", tostring(LocationDetails[\\\"state\\\"]), \\\"/\\\", tostring(LocationDetails[\\\"city\\\"]))\\n| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated),LocationCount=dcount(LocationString), Location = make_set(LocationString), \\nIPAddress = make_set(IPAddress), IPAddressCount = dcount(IPAddress), AppDisplayName = make_set(AppDisplayName), ResultDescription = make_set(ResultDescription), \\nBrowser = make_set(Browser), OS = make_set(OS), SigninCount = count() by UserPrincipalName \\n// Setting a generic threshold - Can be different for different environment\\n| where SigninCount > s_threshold and LocationCount >= l_threshold\\n| extend tostring(Location), tostring(IPAddress), tostring(AppDisplayName), tostring(ResultDescription), tostring(Browser), tostring(OS)\\n| distinct *\\n| extend timestamp = StartTime, AccountCustomEntity = UserPrincipalName, IPCustomEntity = IPAddress\",\r\n \"queryFrequency\": \"P1D\",\r\n \"queryPeriod\": \"P1D\",\r\n \"triggerOperator\": \"GreaterThan\",\r\n \"triggerThreshold\": 0,\r\n \"entityMappings\": [\r\n {\r\n \"entityType\": \"Account\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"FullName\",\r\n \"columnName\": \"AccountCustomEntity\"\r\n }\r\n ]\r\n },\r\n {\r\n \"entityType\": \"IP\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"Address\",\r\n \"columnName\": \"IPCustomEntity\"\r\n }\r\n ]\r\n }\r\n ],\r\n \"displayName\": \"Distributed Password cracking attempts in AzureAD\",\r\n \"description\": \"Identifies distributed password cracking attempts from the Azure Active Directory SigninLogs.\\nThe query looks for unusually high number of failed password attempts coming from multiple locations for a user account.\\nReferences: https://docs.microsoft.com/azure/active-directory/reports-monitoring/reference-sign-ins-error-codes\\n50053 Account is locked because the user tried to sign in too many times with an incorrect user ID or password.\\n50055 Invalid password, entered expired password.\\n50056 Invalid or null password - Password does not exist in store for this user.\\n50126 Invalid username or password, or invalid on-premises username or password.\",\r\n \"tactics\": [\r\n \"CredentialAccess\"\r\n ],\r\n \"lastUpdatedDateUTC\": \"2020-11-17T00:00:00Z\",\r\n \"createdDateUTC\": \"2019-02-11T00:00:00Z\",\r\n \"status\": \"Available\",\r\n \"requiredDataConnectors\": [\r\n {\r\n \"connectorId\": \"AzureActiveDirectory\",\r\n \"dataTypes\": [\r\n \"SigninLogs\"\r\n ]\r\n }\r\n ],\r\n \"alertRulesCreatedByTemplateCount\": 0\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/AlertRuleTemplates/36a9c9e5-3dc1-4ed9-afaa-1d13617bfc2b\",\r\n \"name\": \"36a9c9e5-3dc1-4ed9-afaa-1d13617bfc2b\",\r\n \"type\": \"Microsoft.SecurityInsights/AlertRuleTemplates\",\r\n \"kind\": \"Scheduled\",\r\n \"properties\": {\r\n \"severity\": \"Medium\",\r\n \"query\": \"let dt_lookBack = 1h;\\nlet ioc_lookBack = 14d;\\nThreatIntelligenceIndicator\\n| where TimeGenerated >= ago(ioc_lookBack) and ExpirationDateTime > now()\\n| where Active == true\\n// Picking up only IOC's that contain the entities we want\\n| where isnotempty(Url)\\n| join (\\n OfficeActivity\\n | where TimeGenerated >= ago(dt_lookBack)\\n //Extract the Url from a number of potential fields\\n | extend Url = iif(OfficeWorkload == \\\"AzureActiveDirectory\\\",extract(\\\"(http[s]?://(?:[a-zA-Z]|[0-9]|[$-_@.&+]|[!*\\\\\\\\(\\\\\\\\),]|(?:%[0-9a-fA-F][0-9a-fA-F]))+);\\\", 1,ModifiedProperties),tostring(parse_json(ModifiedProperties)[12].NewValue))\\n | where isnotempty(Url)\\n // Ensure we get a clean URL\\n | extend Url = tostring(split(Url, ';')[0])\\n | extend Office_TimeGenerated = TimeGenerated\\n // Project a single user identity that we can use for entity mapping\\n | extend User = iif(isnotempty(UserId), UserId, iif(isnotempty(Actor), tostring(parse_json(Actor)[0].ID), tostring(parse_json(Parameters)[0].Vlaue))) \\n) on Url\\n| summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId\\n| project LatestIndicatorTime, Description, ActivityGroupNames, IndicatorId, ThreatType, ExpirationDateTime, ConfidenceScore, Operation, \\nUserType, OfficeWorkload, Parameters, Office_TimeGenerated, Url, User\\n| extend timestamp = Office_TimeGenerated, AccountCustomEntity = User, URLCustomEntity = Url\",\r\n \"queryFrequency\": \"PT1H\",\r\n \"queryPeriod\": \"P14D\",\r\n \"triggerOperator\": \"GreaterThan\",\r\n \"triggerThreshold\": 0,\r\n \"entityMappings\": [\r\n {\r\n \"entityType\": \"Account\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"FullName\",\r\n \"columnName\": \"AccountCustomEntity\"\r\n }\r\n ]\r\n },\r\n {\r\n \"entityType\": \"URL\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"Url\",\r\n \"columnName\": \"URLCustomEntity\"\r\n }\r\n ]\r\n }\r\n ],\r\n \"displayName\": \"(Preview) TI map URL entity to OfficeActivity data\",\r\n \"description\": \"Identifies a match in OfficeActivity data from any URL IOC from TI\",\r\n \"tactics\": [\r\n \"Impact\"\r\n ],\r\n \"lastUpdatedDateUTC\": \"2020-11-17T00:00:00Z\",\r\n \"createdDateUTC\": \"2019-08-27T00:00:00Z\",\r\n \"status\": \"Available\",\r\n \"requiredDataConnectors\": [\r\n {\r\n \"connectorId\": \"Office365\",\r\n \"dataTypes\": [\r\n \"OfficeActivity\"\r\n ]\r\n },\r\n {\r\n \"connectorId\": \"ThreatIntelligence\",\r\n \"dataTypes\": [\r\n \"ThreatIntelligenceIndicator\"\r\n ]\r\n }\r\n ],\r\n \"alertRulesCreatedByTemplateCount\": 0\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/AlertRuleTemplates/a35f2c18-1b97-458f-ad26-e033af18eb99\",\r\n \"name\": \"a35f2c18-1b97-458f-ad26-e033af18eb99\",\r\n \"type\": \"Microsoft.SecurityInsights/AlertRuleTemplates\",\r\n \"kind\": \"Scheduled\",\r\n \"properties\": {\r\n \"severity\": \"Low\",\r\n \"query\": \"let timeframe = 1d;\\n// For AD SID mappings - https://docs.microsoft.com/windows/security/identity-protection/access-control/active-directory-security-groups\\nlet WellKnownLocalSID = \\\"S-1-5-32-5[0-9][0-9]$\\\";\\nlet WellKnownGroupSID = \\\"S-1-5-21-[0-9]*-[0-9]*-[0-9]*-5[0-9][0-9]$|S-1-5-21-[0-9]*-[0-9]*-[0-9]*-1102$|S-1-5-21-[0-9]*-[0-9]*-[0-9]*-1103$|S-1-5-21-[0-9]*-[0-9]*-[0-9]*-498$|S-1-5-21-[0-9]*-[0-9]*-[0-9]*-1000$\\\";\\nSecurityEvent \\n| where TimeGenerated > ago(timeframe)\\n// When MemberName contains '-' this indicates addition of a group to a group\\n| where AccountType == \\\"User\\\" and MemberName != \\\"-\\\"\\n// 4728 - A member was added to a security-enabled global group\\n// 4732 - A member was added to a security-enabled local group\\n// 4756 - A member was added to a security-enabled universal group\\n| where EventID in (4728, 4732, 4756) \\n| where TargetSid matches regex WellKnownLocalSID or TargetSid matches regex WellKnownGroupSID\\n// Exclude Remote Desktop Users group: S-1-5-32-555\\n| where TargetSid !in (\\\"S-1-5-32-555\\\")\\n| extend SimpleMemberName = tostring(split(tostring(split(MemberName, \\\",\\\")[0]),\\\"CN=\\\")[1])\\n| project StartTimeUtc = TimeGenerated, EventID, Activity, Computer, SimpleMemberName, MemberName, MemberSid, TargetUserName, TargetDomainName, TargetSid, UserPrincipalName, SubjectUserName, SubjectUserSid\\n| extend timestamp = StartTimeUtc, AccountCustomEntity = SimpleMemberName, HostCustomEntity = Computer\",\r\n \"queryFrequency\": \"P1D\",\r\n \"queryPeriod\": \"P1D\",\r\n \"triggerOperator\": \"GreaterThan\",\r\n \"triggerThreshold\": 0,\r\n \"entityMappings\": [\r\n {\r\n \"entityType\": \"Account\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"FullName\",\r\n \"columnName\": \"AccountCustomEntity\"\r\n }\r\n ]\r\n },\r\n {\r\n \"entityType\": \"Host\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"FullName\",\r\n \"columnName\": \"HostCustomEntity\"\r\n }\r\n ]\r\n }\r\n ],\r\n \"displayName\": \"User account added to built in domain local or global group\",\r\n \"description\": \"Identifies when a user account has been added to a privileged built in domain local group or global group \\nsuch as the Enterprise Admins, Cert Publishers or DnsAdmins. Be sure to verify this is an expected addition.\",\r\n \"tactics\": [\r\n \"Persistence\",\r\n \"PrivilegeEscalation\"\r\n ],\r\n \"lastUpdatedDateUTC\": \"2020-11-17T00:00:00Z\",\r\n \"createdDateUTC\": \"2019-02-14T00:00:00Z\",\r\n \"status\": \"Available\",\r\n \"requiredDataConnectors\": [\r\n {\r\n \"connectorId\": \"SecurityEvents\",\r\n \"dataTypes\": [\r\n \"SecurityEvent\"\r\n ]\r\n }\r\n ],\r\n \"alertRulesCreatedByTemplateCount\": 0\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/AlertRuleTemplates/87890d78-3e05-43ec-9ab9-ba32f4e01250\",\r\n \"name\": \"87890d78-3e05-43ec-9ab9-ba32f4e01250\",\r\n \"type\": \"Microsoft.SecurityInsights/AlertRuleTemplates\",\r\n \"kind\": \"Scheduled\",\r\n \"properties\": {\r\n \"severity\": \"Medium\",\r\n \"query\": \"let dt_lookBack = 1h;\\nlet ioc_lookBack = 14d;\\n//Create a list of TLDs in our threat feed for later validation\\nlet list_tlds = ThreatIntelligenceIndicator\\n| where TimeGenerated > ago(ioc_lookBack)\\n| where isnotempty(DomainName)\\n| extend parts = split(DomainName, '.')\\n| extend tld = parts[(array_length(parts)-1)]\\n| summarize count() by tostring(tld)\\n| summarize make_list(tld);\\nThreatIntelligenceIndicator\\n| where TimeGenerated >= ago(ioc_lookBack) and ExpirationDateTime > now()\\n| where Active == true\\n// Picking up only IOC's that contain the entities we want\\n| where isnotempty(DomainName)\\n| join (\\n SecurityAlert\\n | where TimeGenerated > ago(dt_lookBack)\\n //Extract domain patterns from message\\n | extend domain = extract(\\\"(([a-z0-9]+(-[a-z0-9]+)*\\\\\\\\.)+[a-z]{2,})\\\", 1, tolower(Entities))\\n | where isnotempty(domain)\\n | extend parts = split(domain, '.')\\n //Split out the TLD\\n | extend tld = parts[(array_length(parts)-1)]\\n //Validate parsed domain by checking if the TLD is in the list of TLDs in our threat feed\\n | where tld in~ (list_tlds)\\n // Converting Entities into dynamic data type and use mv-expand to unpack the array\\n | extend EntitiesDynamicArray = parse_json(Entities) | mv-expand EntitiesDynamicArray\\n // Parsing relevant entity column extract hostname and IP address\\n | extend EntityType = tostring(parse_json(EntitiesDynamicArray).Type), EntityAddress = tostring(EntitiesDynamicArray.Address), EntityHostName = tostring(EntitiesDynamicArray.HostName)\\n | extend HostName = iif(EntityType == 'host', EntityHostName, '')\\n | extend IP_addr = iif(EntityType == 'ip', EntityAddress, '')\\n | extend Alert_TimeGenerated = TimeGenerated\\n | extend Alert_Description = Description\\n) on $left.DomainName==$right.domain\\n| summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId\\n| project LatestIndicatorTime, Description, ActivityGroupNames, IndicatorId, ThreatType, ExpirationDateTime, ConfidenceScore, Alert_TimeGenerated, AlertName, Alert_Description, ProviderName, AlertSeverity, ConfidenceLevel, HostName, IP_addr, Url\\n| extend timestamp = Alert_TimeGenerated, HostCustomEntity = HostName, IPCustomEntity = IP_addr, URLCustomEntity = Url\",\r\n \"queryFrequency\": \"PT1H\",\r\n \"queryPeriod\": \"P14D\",\r\n \"triggerOperator\": \"GreaterThan\",\r\n \"triggerThreshold\": 0,\r\n \"entityMappings\": [\r\n {\r\n \"entityType\": \"Host\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"FullName\",\r\n \"columnName\": \"HostCustomEntity\"\r\n }\r\n ]\r\n },\r\n {\r\n \"entityType\": \"IP\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"Address\",\r\n \"columnName\": \"IPCustomEntity\"\r\n }\r\n ]\r\n },\r\n {\r\n \"entityType\": \"URL\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"Url\",\r\n \"columnName\": \"URLCustomEntity\"\r\n }\r\n ]\r\n }\r\n ],\r\n \"displayName\": \"(Preview) TI map Domain entity to SecurityAlert\",\r\n \"description\": \"Identifies a match in SecurityAlert table from any Domain IOC from TI\",\r\n \"tactics\": [\r\n \"Impact\"\r\n ],\r\n \"lastUpdatedDateUTC\": \"2020-11-17T00:00:00Z\",\r\n \"createdDateUTC\": \"2019-08-28T00:00:00Z\",\r\n \"status\": \"Available\",\r\n \"requiredDataConnectors\": [\r\n {\r\n \"connectorId\": \"ThreatIntelligence\",\r\n \"dataTypes\": [\r\n \"ThreatIntelligenceIndicator\"\r\n ]\r\n },\r\n {\r\n \"connectorId\": \"ThreatIntelligenceTaxii\",\r\n \"dataTypes\": [\r\n \"ThreatIntelligenceIndicator\"\r\n ]\r\n },\r\n {\r\n \"connectorId\": \"MicrosoftCloudAppSecurity\",\r\n \"dataTypes\": [\r\n \"SecurityAlert\"\r\n ]\r\n },\r\n {\r\n \"connectorId\": \"AzureSecurityCenter\",\r\n \"dataTypes\": [\r\n \"SecurityAlert\"\r\n ]\r\n }\r\n ],\r\n \"alertRulesCreatedByTemplateCount\": 0\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/AlertRuleTemplates/90d3f6ec-80fb-48e0-9937-2c70c9df9bad\",\r\n \"name\": \"90d3f6ec-80fb-48e0-9937-2c70c9df9bad\",\r\n \"type\": \"Microsoft.SecurityInsights/AlertRuleTemplates\",\r\n \"kind\": \"Scheduled\",\r\n \"properties\": {\r\n \"severity\": \"Low\",\r\n \"query\": \"let timeframe = 1d;\\nlet DomainList = dynamic([\\\"tor2web.org\\\", \\\"tor2web.com\\\", \\\"torlink.co\\\", \\\"onion.to\\\", \\\"onion.ink\\\", \\\"onion.cab\\\", \\\"onion.nu\\\", \\\"onion.link\\\", \\n\\\"onion.it\\\", \\\"onion.city\\\", \\\"onion.direct\\\", \\\"onion.top\\\", \\\"onion.casa\\\", \\\"onion.plus\\\", \\\"onion.rip\\\", \\\"onion.dog\\\", \\\"tor2web.fi\\\", \\n\\\"tor2web.blutmagie.de\\\", \\\"onion.sh\\\", \\\"onion.lu\\\", \\\"onion.pet\\\", \\\"t2w.pw\\\", \\\"tor2web.ae.org\\\", \\\"tor2web.io\\\", \\\"tor2web.xyz\\\", \\\"onion.lt\\\", \\n\\\"s1.tor-gateways.de\\\", \\\"s2.tor-gateways.de\\\", \\\"s3.tor-gateways.de\\\", \\\"s4.tor-gateways.de\\\", \\\"s5.tor-gateways.de\\\", \\\"hiddenservice.net\\\"]);\\nSyslog\\n| where TimeGenerated >= ago(timeframe)\\n| where ProcessName contains \\\"squid\\\"\\n| extend URL = extract(\\\"(([A-Z]+ [a-z]{4,5}:\\\\\\\\/\\\\\\\\/)|[A-Z]+ )([^ :]*)\\\",3,SyslogMessage), \\n SourceIP = extract(\\\"([0-9]+ )(([0-9]{1,3})\\\\\\\\.([0-9]{1,3})\\\\\\\\.([0-9]{1,3})\\\\\\\\.([0-9]{1,3}))\\\",2,SyslogMessage), \\n Status = extract(\\\"(TCP_(([A-Z]+)(_[A-Z]+)*)|UDP_(([A-Z]+)(_[A-Z]+)*))\\\",1,SyslogMessage), \\n HTTP_Status_Code = extract(\\\"(TCP_(([A-Z]+)(_[A-Z]+)*)|UDP_(([A-Z]+)(_[A-Z]+)*))/([0-9]{3})\\\",8,SyslogMessage),\\n User = extract(\\\"(CONNECT |GET )([^ ]* )([^ ]+)\\\",3,SyslogMessage),\\n RemotePort = extract(\\\"(CONNECT |GET )([^ ]*)(:)([0-9]*)\\\",4,SyslogMessage),\\n Domain = extract(\\\"(([A-Z]+ [a-z]{4,5}:\\\\\\\\/\\\\\\\\/)|[A-Z]+ )([^ :\\\\\\\\/]*)\\\",3,SyslogMessage),\\n Bytes = toint(extract(\\\"([A-Z]+\\\\\\\\/[0-9]{3} )([0-9]+)\\\",2,SyslogMessage)),\\n contentType = extract(\\\"([a-z/]+$)\\\",1,SyslogMessage)\\n| extend TLD = extract(\\\"\\\\\\\\.[a-z]*$\\\",0,Domain)\\n| where HTTP_Status_Code == \\\"200\\\"\\n| where Domain contains \\\".\\\"\\n| where Domain has_any (DomainList)\\n| extend timestamp = TimeGenerated, URLCustomEntity = URL, IPCustomEntity = SourceIP, AccountCustomEntity = User\",\r\n \"queryFrequency\": \"P1D\",\r\n \"queryPeriod\": \"P1D\",\r\n \"triggerOperator\": \"GreaterThan\",\r\n \"triggerThreshold\": 0,\r\n \"entityMappings\": [\r\n {\r\n \"entityType\": \"Account\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"FullName\",\r\n \"columnName\": \"AccountCustomEntity\"\r\n }\r\n ]\r\n },\r\n {\r\n \"entityType\": \"IP\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"Address\",\r\n \"columnName\": \"IPCustomEntity\"\r\n }\r\n ]\r\n },\r\n {\r\n \"entityType\": \"URL\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"Url\",\r\n \"columnName\": \"URLCustomEntity\"\r\n }\r\n ]\r\n }\r\n ],\r\n \"displayName\": \"Squid proxy events for ToR proxies\",\r\n \"description\": \"Check for Squid proxy events associated with common ToR proxies. This query presumes the default squid log format is being used.\\nhttp://www.squid-cache.org/Doc/config/access_log/\",\r\n \"tactics\": [\r\n \"CommandAndControl\"\r\n ],\r\n \"lastUpdatedDateUTC\": \"2020-11-17T00:00:00Z\",\r\n \"createdDateUTC\": \"2019-07-12T00:00:00Z\",\r\n \"status\": \"Available\",\r\n \"requiredDataConnectors\": [\r\n {\r\n \"connectorId\": \"Syslog\",\r\n \"dataTypes\": [\r\n \"Syslog\"\r\n ]\r\n }\r\n ],\r\n \"alertRulesCreatedByTemplateCount\": 0\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/AlertRuleTemplates/97ad74c4-fdd9-4a3f-b6bf-5e28f4f71e06\",\r\n \"name\": \"97ad74c4-fdd9-4a3f-b6bf-5e28f4f71e06\",\r\n \"type\": \"Microsoft.SecurityInsights/AlertRuleTemplates\",\r\n \"kind\": \"Scheduled\",\r\n \"properties\": {\r\n \"severity\": \"Medium\",\r\n \"query\": \"let LearningPeriod = 7d; \\nlet BinTime = 1h; \\nlet RunTime = 1h; \\nlet StartTime = 1h; \\nlet NumberOfStds = 3; \\nlet MinThreshold = 10.0; \\nlet EndRunTime = StartTime - RunTime; \\nlet EndLearningTime = StartTime + LearningPeriod; \\nlet GitHubFailedSSOLogins = (SigninLogs \\n| where AppDisplayName == \\\"GitHub.com\\\" \\n| where ResultType == 50056); \\nGitHubFailedSSOLogins \\n| where TimeGenerated between (ago(EndLearningTime) .. ago(StartTime)) \\n| summarize FailedLoginsCountInBinTime = count() by UserPrincipalName, bin(TimeGenerated, BinTime) \\n| summarize AvgOfFailedLoginsInLearning = avg(FailedLoginsCountInBinTime), StdOfFailedLoginsInLearning = stdev(FailedLoginsCountInBinTime) by UserPrincipalName, tostring(set_IPAddress)\\n| extend LearningThreshold = max_of(AvgOfFailedLoginsInLearning + StdOfFailedLoginsInLearning * NumberOfStds, MinThreshold) \\n| join kind=innerunique ( \\n GitHubFailedSSOLogins \\n | where TimeGenerated between (ago(StartTime) .. ago(EndRunTime)) \\n | summarize FailedLoginsCountInRunTime = count() by User = Identity \\n) on UserPrincipalName \\n| where FailedLoginsCountInRunTime > LearningThreshold\\n| extend AccountCustomEntity = UserPrincipalName , timestamp = TimeGenerated\",\r\n \"queryFrequency\": \"P1D\",\r\n \"queryPeriod\": \"P1D\",\r\n \"triggerOperator\": \"GreaterThan\",\r\n \"triggerThreshold\": 0,\r\n \"entityMappings\": [\r\n {\r\n \"entityType\": \"Account\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"FullName\",\r\n \"columnName\": \"AccountCustomEntity\"\r\n }\r\n ]\r\n }\r\n ],\r\n \"displayName\": \"Brute Force Attack against GitHub Account\",\r\n \"description\": \"Attackers who are trying to guess your users' passwords or use brute-force methods to get in. If your organization is using SSO with Azure Active Directory, authentication logs to GitHub.com will be generated. Using the following query can help you identify a sudden increase in failed logon attempt of users.\",\r\n \"tactics\": [\r\n \"CredentialAccess\"\r\n ],\r\n \"lastUpdatedDateUTC\": \"2020-11-17T00:00:00Z\",\r\n \"createdDateUTC\": \"2020-06-02T00:00:00Z\",\r\n \"status\": \"Available\",\r\n \"requiredDataConnectors\": [\r\n {\r\n \"connectorId\": \"AzureActiveDirectory\",\r\n \"dataTypes\": [\r\n \"SigninLogs\"\r\n ]\r\n }\r\n ],\r\n \"alertRulesCreatedByTemplateCount\": 0\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/AlertRuleTemplates/0dd422ee-e6af-4204-b219-f59ac172e4c6\",\r\n \"name\": \"0dd422ee-e6af-4204-b219-f59ac172e4c6\",\r\n \"type\": \"Microsoft.SecurityInsights/AlertRuleTemplates\",\r\n \"kind\": \"ThreatIntelligence\",\r\n \"properties\": {\r\n \"severity\": \"Medium\",\r\n \"displayName\": \"(Preview) Microsoft Threat Intelligence Analytics\",\r\n \"description\": \"This rule generates an alert when a Microsoft Threat Intelligence Indicator gets matched with your event logs. The alerts are very high fidelity and are turned ON by default. \\n\\nNote : It is advised to turn off any custom alert rules which match the threat intelligence indicators with the same event logs matched by this analytics to prevent duplicate alerts.\",\r\n \"tactics\": [\r\n \"Persistence\",\r\n \"LateralMovement\"\r\n ],\r\n \"lastUpdatedDateUTC\": \"2020-09-15T00:00:00Z\",\r\n \"createdDateUTC\": \"2020-06-02T00:00:00Z\",\r\n \"status\": \"Available\",\r\n \"requiredDataConnectors\": [\r\n {\r\n \"connectorId\": \"CEF\",\r\n \"dataTypes\": [\r\n \"CommonSecurityLog\"\r\n ]\r\n }\r\n ],\r\n \"alertRulesCreatedByTemplateCount\": 0\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/AlertRuleTemplates/1ce5e766-26ab-4616-b7c8-3b33ae321e80\",\r\n \"name\": \"1ce5e766-26ab-4616-b7c8-3b33ae321e80\",\r\n \"type\": \"Microsoft.SecurityInsights/AlertRuleTemplates\",\r\n \"kind\": \"Scheduled\",\r\n \"properties\": {\r\n \"severity\": \"Medium\",\r\n \"query\": \"let timeframe = 1d;\\n//Adjust this threshold to fit environment\\nlet signin_threshold = 5; \\n//Make a list of IPs with failed Windows host logins above threshold\\nlet win_fails = \\nSecurityEvent\\n| where TimeGenerated >= ago(timeframe)\\n| where EventID == 4625\\n| where LogonType in (10, 7, 3)\\n| where IpAddress != \\\"-\\\"\\n| summarize count() by IpAddress\\n| where count_ > signin_threshold\\n| summarize make_list(IpAddress);\\n//Make a list of IPs with failed *nix host logins above threshold\\nlet nix_fails = \\nSyslog\\n| where TimeGenerated > ago(timeframe)\\n| where Facility contains 'auth' and ProcessName != 'sudo'\\n| extend SourceIP = extract(\\\"(([0-9]{1,3})\\\\\\\\.([0-9]{1,3})\\\\\\\\.([0-9]{1,3})\\\\\\\\.(([0-9]{1,3})))\\\",1,SyslogMessage)\\n| where SourceIP != \\\"\\\" and SourceIP != \\\"127.0.0.1\\\"\\n| summarize count() by SourceIP\\n| where count_ > signin_threshold\\n| summarize make_list(SourceIP);\\n//See if any of the IPs with failed host logins hve had a sucessful Azure AD login\\nSigninLogs\\n| where TimeGenerated > ago(timeframe)\\n| where ResultType !in (\\\"0\\\", \\\"50125\\\", \\\"50140\\\")\\n| where IPAddress in (win_fails) or IPAddress in (nix_fails)\\n| extend Reason= \\\"Multiple failed host logins from IP address with successful Azure AD login\\\"\\n| extend timstamp = TimeGenerated, AccountCustomEntity = UserPrincipalName, IPCustomEntity = IPAddress\",\r\n \"queryFrequency\": \"P1D\",\r\n \"queryPeriod\": \"P1D\",\r\n \"triggerOperator\": \"GreaterThan\",\r\n \"triggerThreshold\": 0,\r\n \"entityMappings\": [\r\n {\r\n \"entityType\": \"Account\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"FullName\",\r\n \"columnName\": \"AccountCustomEntity\"\r\n }\r\n ]\r\n },\r\n {\r\n \"entityType\": \"IP\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"Address\",\r\n \"columnName\": \"IPCustomEntity\"\r\n }\r\n ]\r\n }\r\n ],\r\n \"displayName\": \"Failed host logons but success logon to AzureAD\",\r\n \"description\": \"Identifies a list of IP addresses with a minimum number(default of 5) of failed logon attempts to remote hosts.\\nUses that list to identify any successful logons to Azure Active Directory from these IPs within the same timeframe.\",\r\n \"tactics\": [\r\n \"InitialAccess\",\r\n \"CredentialAccess\"\r\n ],\r\n \"lastUpdatedDateUTC\": \"2020-11-17T00:00:00Z\",\r\n \"createdDateUTC\": \"2019-08-20T00:00:00Z\",\r\n \"status\": \"Available\",\r\n \"requiredDataConnectors\": [\r\n {\r\n \"connectorId\": \"AzureActiveDirectory\",\r\n \"dataTypes\": [\r\n \"SigninLogs\"\r\n ]\r\n },\r\n {\r\n \"connectorId\": \"SecurityEvents\",\r\n \"dataTypes\": [\r\n \"SecurityEvent\"\r\n ]\r\n },\r\n {\r\n \"connectorId\": \"Syslog\",\r\n \"dataTypes\": [\r\n \"Syslog\"\r\n ]\r\n }\r\n ],\r\n \"alertRulesCreatedByTemplateCount\": 0\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/AlertRuleTemplates/45b903c5-6f56-4969-af10-ae62ac709718\",\r\n \"name\": \"45b903c5-6f56-4969-af10-ae62ac709718\",\r\n \"type\": \"Microsoft.SecurityInsights/AlertRuleTemplates\",\r\n \"kind\": \"Scheduled\",\r\n \"properties\": {\r\n \"severity\": \"Medium\",\r\n \"query\": \"let starttime = 14d;\\nlet endtime = 1d;\\nSecurityEvent\\n| where TimeGenerated >= ago(endtime) \\n| where EventID == 4624 and LogonType == 10\\n| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated), ConnectionCount = count() \\nby Account = tolower(Account), Computer = toupper(Computer), IpAddress, AccountType, Activity, LogonTypeName, ProcessName\\n// use left anti to exclude anything from the previous 14 days that is not rare\\n| join kind=leftanti (\\nSecurityEvent\\n| where TimeGenerated between (ago(starttime) .. ago(endtime))\\n| where EventID == 4624\\n| summarize by Computer = toupper(Computer), IpAddress, Account = tolower(Account)\\n) on Account, Computer\\n| summarize StartTime = min(StartTime), EndTime = max(EndTime), ConnectionCount = sum(ConnectionCount) \\nby Account, Computer, IpAddress, AccountType, Activity, LogonTypeName, ProcessName\\n| extend timestamp = StartTime, AccountCustomEntity = Account, HostCustomEntity = Computer, IPCustomEntity = IpAddress\",\r\n \"queryFrequency\": \"P1D\",\r\n \"queryPeriod\": \"P14D\",\r\n \"triggerOperator\": \"GreaterThan\",\r\n \"triggerThreshold\": 0,\r\n \"entityMappings\": [\r\n {\r\n \"entityType\": \"Account\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"FullName\",\r\n \"columnName\": \"AccountCustomEntity\"\r\n }\r\n ]\r\n },\r\n {\r\n \"entityType\": \"Host\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"FullName\",\r\n \"columnName\": \"HostCustomEntity\"\r\n }\r\n ]\r\n },\r\n {\r\n \"entityType\": \"IP\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"Address\",\r\n \"columnName\": \"IPCustomEntity\"\r\n }\r\n ]\r\n }\r\n ],\r\n \"displayName\": \"Rare RDP Connections\",\r\n \"description\": \"Identifies when an RDP connection is new or rare related to any logon type by a given account today based on comparison with the previous 14 days.\\nRDP connections are indicated by the EventID 4624 with LogonType = 10\",\r\n \"tactics\": [\r\n \"LateralMovement\"\r\n ],\r\n \"lastUpdatedDateUTC\": \"2020-11-17T00:00:00Z\",\r\n \"createdDateUTC\": \"2020-01-14T00:00:00Z\",\r\n \"status\": \"Available\",\r\n \"requiredDataConnectors\": [\r\n {\r\n \"connectorId\": \"SecurityEvents\",\r\n \"dataTypes\": [\r\n \"SecurityEvent\"\r\n ]\r\n }\r\n ],\r\n \"alertRulesCreatedByTemplateCount\": 0\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/AlertRuleTemplates/1572e66b-20a7-4012-9ec4-77ec4b101bc8\",\r\n \"name\": \"1572e66b-20a7-4012-9ec4-77ec4b101bc8\",\r\n \"type\": \"Microsoft.SecurityInsights/AlertRuleTemplates\",\r\n \"kind\": \"Scheduled\",\r\n \"properties\": {\r\n \"severity\": \"Medium\",\r\n \"query\": \"let starttime = 1d;\\nlet endtime = 1h;\\nlet prev23hThreshold = 4;\\nlet prev1hThreshold = 15;\\nlet Kerbevent =\\nSecurityEvent\\n| where TimeGenerated >= ago(starttime)\\n| where EventID == 4769\\n| parse EventData with * 'TicketEncryptionType\\\">' TicketEncryptionType \\\"<\\\" *\\n| where TicketEncryptionType == '0x17'\\n| parse EventData with * 'TicketOptions\\\">' TicketOptions \\\"<\\\" *\\n| where TicketOptions == '0x40810000'\\n| parse EventData with * 'Status\\\">' Status \\\"<\\\" *\\n| where Status == '0x0'\\n| parse EventData with * 'ServiceName\\\">' ServiceName \\\"<\\\" *\\n| where ServiceName !contains \\\"$\\\" and ServiceName !contains \\\"krbtgt\\\" \\n| parse EventData with * 'TargetUserName\\\">' TargetUserName \\\"<\\\" *\\n| where TargetUserName !contains \\\"$@\\\" and TargetUserName !contains ServiceName\\n| parse EventData with * 'IpAddress\\\">::ffff:' ClientIPAddress \\\"<\\\" *;\\nlet Kerbevent23h = Kerbevent\\n| where TimeGenerated >= ago(starttime) and TimeGenerated < ago(endtime)\\n| summarize ServiceNameCountPrev23h = dcount(ServiceName), ServiceNameSet23h = makeset(ServiceName) \\nby Computer, TargetUserName, ClientIPAddress, TicketOptions, TicketEncryptionType, Status\\n| where ServiceNameCountPrev23h < prev23hThreshold;\\nlet Kerbevent1h = \\nKerbevent\\n| where TimeGenerated >= ago(endtime)\\n| summarize min(TimeGenerated), max(TimeGenerated), ServiceNameCountPrev1h = dcount(ServiceName), ServiceNameSet1h = makeset(ServiceName) \\nby Computer, TargetUserName, ClientIPAddress, TicketOptions, TicketEncryptionType, Status;\\nKerbevent1h \\n| join kind=leftanti\\n(\\nKerbevent23h\\n) on TargetUserName\\n// Threshold value set above is based on testing, this value may need to be changed for your environment.\\n| where ServiceNameCountPrev1h > prev1hThreshold\\n| project StartTimeUtc = min_TimeGenerated, EndTimeUtc = max_TimeGenerated, TargetUserName, Computer, ClientIPAddress, TicketOptions, \\nTicketEncryptionType, Status, ServiceNameCountPrev1h, ServiceNameSet1h\\n| extend timestamp = StartTimeUtc, AccountCustomEntity = TargetUserName, HostCustomEntity = Computer, IPCustomEntity = ClientIPAddress\",\r\n \"queryFrequency\": \"PT1H\",\r\n \"queryPeriod\": \"P1D\",\r\n \"triggerOperator\": \"GreaterThan\",\r\n \"triggerThreshold\": 0,\r\n \"entityMappings\": [\r\n {\r\n \"entityType\": \"Account\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"FullName\",\r\n \"columnName\": \"AccountCustomEntity\"\r\n }\r\n ]\r\n },\r\n {\r\n \"entityType\": \"Host\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"FullName\",\r\n \"columnName\": \"HostCustomEntity\"\r\n }\r\n ]\r\n },\r\n {\r\n \"entityType\": \"IP\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"Address\",\r\n \"columnName\": \"IPCustomEntity\"\r\n }\r\n ]\r\n }\r\n ],\r\n \"displayName\": \"Potential Kerberoasting\",\r\n \"description\": \"A service principal name (SPN) is used to uniquely identify a service instance in a Windows environment. \\nEach SPN is usually associated with a service account. Organizations may have used service accounts with weak passwords in their environment. \\nAn attacker can try requesting Kerberos ticket-granting service (TGS) service tickets for any SPN from a domain controller (DC) which contains \\na hash of the Service account. This can then be used for offline cracking. This hunting query looks for accounts that are generating excessive \\nrequests to different resources within the last hour compared with the previous 24 hours. Normal users would not make an unusually large number \\nof request within a small time window. This is based on 4769 events which can be very noisy so environment based tweaking might be needed.\",\r\n \"tactics\": [\r\n \"CredentialAccess\"\r\n ],\r\n \"lastUpdatedDateUTC\": \"2020-11-17T00:00:00Z\",\r\n \"createdDateUTC\": \"2019-04-01T00:00:00Z\",\r\n \"status\": \"Available\",\r\n \"requiredDataConnectors\": [\r\n {\r\n \"connectorId\": \"SecurityEvents\",\r\n \"dataTypes\": [\r\n \"SecurityEvent\"\r\n ]\r\n }\r\n ],\r\n \"alertRulesCreatedByTemplateCount\": 0\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/AlertRuleTemplates/532f62c1-fba6-4baa-bbb6-4a32a4ef32fa\",\r\n \"name\": \"532f62c1-fba6-4baa-bbb6-4a32a4ef32fa\",\r\n \"type\": \"Microsoft.SecurityInsights/AlertRuleTemplates\",\r\n \"kind\": \"Scheduled\",\r\n \"properties\": {\r\n \"severity\": \"Medium\",\r\n \"query\": \"let dt_lookBack = 1h;\\nlet ioc_lookBack = 14d;\\n//Create a list of TLDs in our threat feed for later validation\\nlet list_tlds = ThreatIntelligenceIndicator\\n| where TimeGenerated > ago(ioc_lookBack)\\n| where isnotempty(DomainName)\\n| extend parts = split(DomainName, '.')\\n| extend tld = parts[(array_length(parts)-1)]\\n| summarize count() by tostring(tld)\\n| summarize make_list(tld);\\nThreatIntelligenceIndicator\\n| where TimeGenerated >= ago(ioc_lookBack) and ExpirationDateTime > now()\\n| where Active == true\\n// Picking up only IOC's that contain the entities we want\\n| where isnotempty(DomainName)\\n| join (\\n Syslog\\n | where TimeGenerated > ago(dt_lookBack)\\n //Extract domain patterns from syslog message\\n | extend domain = extract(\\\"(([a-z0-9]+(-[a-z0-9]+)*\\\\\\\\.)+[a-z]{2,})\\\",1, tolower(SyslogMessage))\\n | where isnotempty(domain)\\n | extend parts = split(domain, '.')\\n //Split out the TLD\\n | extend tld = parts[(array_length(parts)-1)]\\n //Validate parsed domain by checking if the TLD is in the list of TLDs in our threat feed\\n | where tld in~ (list_tlds)\\n | extend Syslog_TimeGenerated = TimeGenerated\\n) on $left.DomainName==$right.domain\\n| summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId\\n| project LatestIndicatorTime, Description, ActivityGroupNames, IndicatorId, ThreatType, ExpirationDateTime, ConfidenceScore, Syslog_TimeGenerated, SyslogMessage, Computer, ProcessName, domain, HostIP, Url\\n| extend timestamp = Syslog_TimeGenerated, HostCustomEntity = Computer, IPCustomEntity = HostIP, URLCustomEntity = Url\",\r\n \"queryFrequency\": \"PT1H\",\r\n \"queryPeriod\": \"P14D\",\r\n \"triggerOperator\": \"GreaterThan\",\r\n \"triggerThreshold\": 0,\r\n \"entityMappings\": [\r\n {\r\n \"entityType\": \"Host\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"FullName\",\r\n \"columnName\": \"HostCustomEntity\"\r\n }\r\n ]\r\n },\r\n {\r\n \"entityType\": \"IP\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"Address\",\r\n \"columnName\": \"IPCustomEntity\"\r\n }\r\n ]\r\n },\r\n {\r\n \"entityType\": \"URL\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"Url\",\r\n \"columnName\": \"URLCustomEntity\"\r\n }\r\n ]\r\n }\r\n ],\r\n \"displayName\": \"(Preview) TI map Domain entity to Syslog\",\r\n \"description\": \"Identifies a match in Syslog table from any Domain IOC from TI\",\r\n \"tactics\": [\r\n \"Impact\"\r\n ],\r\n \"lastUpdatedDateUTC\": \"2020-11-17T00:00:00Z\",\r\n \"createdDateUTC\": \"2019-08-28T00:00:00Z\",\r\n \"status\": \"Available\",\r\n \"requiredDataConnectors\": [\r\n {\r\n \"connectorId\": \"Syslog\",\r\n \"dataTypes\": [\r\n \"Syslog\"\r\n ]\r\n },\r\n {\r\n \"connectorId\": \"ThreatIntelligence\",\r\n \"dataTypes\": [\r\n \"ThreatIntelligenceIndicator\"\r\n ]\r\n },\r\n {\r\n \"connectorId\": \"ThreatIntelligenceTaxii\",\r\n \"dataTypes\": [\r\n \"ThreatIntelligenceIndicator\"\r\n ]\r\n }\r\n ],\r\n \"alertRulesCreatedByTemplateCount\": 0\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/AlertRuleTemplates/5b72f527-e3f6-4a00-9908-8e4fee14da9f\",\r\n \"name\": \"5b72f527-e3f6-4a00-9908-8e4fee14da9f\",\r\n \"type\": \"Microsoft.SecurityInsights/AlertRuleTemplates\",\r\n \"kind\": \"Scheduled\",\r\n \"properties\": {\r\n \"severity\": \"Low\",\r\n \"query\": \"let timeframe = 1h;\\nCommonSecurityLog \\n| where TimeGenerated > ago(timeframe) \\n| where isnotempty(DestinationPort) and DeviceAction !in (\\\"reset-both\\\", \\\"deny\\\") \\n// filter out common usage ports. Add ports that are legitimate for your environment\\n| where DestinationPort !in (\\\"443\\\", \\\"53\\\", \\\"389\\\", \\\"80\\\", \\\"0\\\", \\\"880\\\", \\\"8888\\\", \\\"8080\\\")\\n| where ApplicationProtocol == \\\"incomplete\\\" \\n// filter out IANA ephemeral or negotiated ports as per https://en.wikipedia.org/wiki/Ephemeral_port\\n| where DestinationPort !between (toint(49512) .. toint(65535)) \\n| where Computer != \\\"\\\" \\n| where DestinationIP !startswith \\\"10.\\\"\\n// Filter out any graceful reset reasons of AGED OUT which occurs when a TCP session closes with a FIN due to aging out. \\n| where AdditionalExtensions !has \\\"reason=aged-out\\\" \\n// Filter out any TCP FIN which occurs when a TCP FIN is used to gracefully close half or both sides of a connection.\\n| where AdditionalExtensions !has \\\"reason=tcp-fin\\\" \\n// Uncomment one of the following where clauses to trigger on specific TCP reset reasons\\n// See Palo Alto article for details - https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClUvCAK\\n// TCP RST-server - Occurs when the server sends a TCP reset to the client\\n// | where AdditionalExtensions has \\\"reason=tcp-rst-from-server\\\" \\n// TCP RST-client - Occurs when the client sends a TCP reset to the server\\n// | where AdditionalExtensions has \\\"reason=tcp-rst-from-client\\\" \\n| extend reason = tostring(split(AdditionalExtensions, \\\";\\\")[3])\\n| summarize StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated), count() by DeviceName, SourceUserID, SourceIP, ApplicationProtocol, reason, DestinationPort, Protocol, DeviceVendor, DeviceProduct, DeviceAction, DestinationIP\\n| where count_ >= 10\\n| summarize StartTimeUtc = min(StartTimeUtc), EndTimeUtc = max(EndTimeUtc), makeset(DestinationIP), totalcount = sum(count_) by DeviceName, SourceUserID, SourceIP, ApplicationProtocol, reason, DestinationPort, Protocol, DeviceVendor, DeviceProduct, DeviceAction\\n| extend timestamp = StartTimeUtc, IPCustomEntity = SourceIP, AccountCustomEntity = SourceUserID, HostCustomEntity = DeviceName\",\r\n \"queryFrequency\": \"PT1H\",\r\n \"queryPeriod\": \"PT1H\",\r\n \"triggerOperator\": \"GreaterThan\",\r\n \"triggerThreshold\": 0,\r\n \"entityMappings\": [\r\n {\r\n \"entityType\": \"Account\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"FullName\",\r\n \"columnName\": \"AccountCustomEntity\"\r\n }\r\n ]\r\n },\r\n {\r\n \"entityType\": \"Host\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"FullName\",\r\n \"columnName\": \"HostCustomEntity\"\r\n }\r\n ]\r\n },\r\n {\r\n \"entityType\": \"IP\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"Address\",\r\n \"columnName\": \"IPCustomEntity\"\r\n }\r\n ]\r\n }\r\n ],\r\n \"displayName\": \"Palo Alto - possible internal to external port scanning\",\r\n \"description\": \"Identifies a list of internal Source IPs (10.x.x.x Hosts) that have triggered 10 or more non-graceful tcp server resets from one or more Destination IPs which \\nresults in an \\\"ApplicationProtocol = incomplete\\\" designation. The server resets coupled with an \\\"Incomplete\\\" ApplicationProtocol designation can be an indication \\nof internal to external port scanning or probing attack. \\nReferences: https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClUvCAK and\\nhttps://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClTaCAK\",\r\n \"tactics\": [\r\n \"Discovery\"\r\n ],\r\n \"lastUpdatedDateUTC\": \"2020-11-17T00:00:00Z\",\r\n \"createdDateUTC\": \"2019-02-28T00:00:00Z\",\r\n \"status\": \"Available\",\r\n \"requiredDataConnectors\": [\r\n {\r\n \"connectorId\": \"PaloAltoNetworks\",\r\n \"dataTypes\": [\r\n \"CommonSecurityLog\"\r\n ]\r\n }\r\n ],\r\n \"alertRulesCreatedByTemplateCount\": 0\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/AlertRuleTemplates/24f8c234-d1ff-40ec-8b73-96b17a3a9c1c\",\r\n \"name\": \"24f8c234-d1ff-40ec-8b73-96b17a3a9c1c\",\r\n \"type\": \"Microsoft.SecurityInsights/AlertRuleTemplates\",\r\n \"kind\": \"Scheduled\",\r\n \"properties\": {\r\n \"severity\": \"Low\",\r\n \"query\": \"let timeframe =1d;\\nlet EventCountThreshold = 25;\\nlet OperationList = dynamic(\\n[\\\"SecretGet\\\", \\\"KeyGet\\\", \\\"VaultGet\\\"]);\\nAzureDiagnostics\\n| where TimeGenerated > ago(timeframe)\\n| extend ResultType = columnifexists(\\\"ResultType\\\", \\\"None\\\"), identity_claim_http_schemas_microsoft_com_identity_claims_objectidentifier_g = columnifexists(\\\"identity_claim_http_schemas_microsoft_com_identity_claims_objectidentifier_g\\\", \\\"None\\\")\\n| where ResultType !~ \\\"None\\\" and isnotempty(ResultType)\\n| where identity_claim_http_schemas_microsoft_com_identity_claims_objectidentifier_g !~ \\\"None\\\" and isnotempty(identity_claim_http_schemas_microsoft_com_identity_claims_objectidentifier_g)\\n| where ResourceType =~ \\\"VAULTS\\\" and ResultType =~ \\\"Success\\\"\\n| where OperationName in (OperationList) \\n| summarize count() by identity_claim_http_schemas_microsoft_com_identity_claims_objectidentifier_g, OperationName\\n| where count_ > EventCountThreshold \\n| join (\\nAzureDiagnostics\\n| where TimeGenerated > ago(timeframe)\\n| extend ResultType = columnifexists(\\\"ResultType\\\", \\\"NoResultType\\\")\\n| extend requestUri_s = columnifexists(\\\"requestUri_s\\\", \\\"None\\\"), identity_claim_http_schemas_microsoft_com_identity_claims_objectidentifier_g = columnifexists(\\\"identity_claim_http_schemas_microsoft_com_identity_claims_objectidentifier_g\\\", \\\"None\\\")\\n| extend id_s = columnifexists(\\\"id_s\\\", \\\"None\\\"), CallerIPAddress = columnifexists(\\\"CallerIPAddress\\\", \\\"None\\\"), clientInfo_s = columnifexists(\\\"clientInfo_s\\\", \\\"None\\\")\\n| where ResultType !~ \\\"None\\\" and isnotempty(ResultType)\\n| where identity_claim_http_schemas_microsoft_com_identity_claims_objectidentifier_g !~ \\\"None\\\" and isnotempty(identity_claim_http_schemas_microsoft_com_identity_claims_objectidentifier_g)\\n| where id_s !~ \\\"None\\\" and isnotempty(id_s)\\n| where CallerIPAddress !~ \\\"None\\\" and isnotempty(CallerIPAddress)\\n| where clientInfo_s !~ \\\"None\\\" and isnotempty(clientInfo_s)\\n| where requestUri_s !~ \\\"None\\\" and isnotempty(requestUri_s)\\n| where OperationName in~ (OperationList) \\n) on identity_claim_http_schemas_microsoft_com_identity_claims_objectidentifier_g \\n| summarize EventCount=sum(count_), StartTimeUtc=min(TimeGenerated), EndTimeUtc=max(TimeGenerated), TimeTriggered=makelist(TimeGenerated),OperationNameList=make_set(OperationName), RequestURLList=make_set(requestUri_s), CallerIPList = make_set(CallerIPAddress), CallerIPMax= arg_max(CallerIPAddress,*) by ResourceType, ResultType, Resource, id_s, identity_claim_http_schemas_microsoft_com_identity_claims_objectidentifier_g, clientInfo_s\\n| extend timestamp = EndTimeUtc, IPCustomEntity = CallerIPMax, AccountCustomEntity = identity_claim_http_schemas_microsoft_com_identity_claims_objectidentifier_g\",\r\n \"queryFrequency\": \"P1D\",\r\n \"queryPeriod\": \"P1D\",\r\n \"triggerOperator\": \"GreaterThan\",\r\n \"triggerThreshold\": 0,\r\n \"entityMappings\": [\r\n {\r\n \"entityType\": \"Account\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"FullName\",\r\n \"columnName\": \"AccountCustomEntity\"\r\n }\r\n ]\r\n },\r\n {\r\n \"entityType\": \"IP\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"Address\",\r\n \"columnName\": \"IPCustomEntity\"\r\n }\r\n ]\r\n }\r\n ],\r\n \"displayName\": \"Mass secret retrieval from Azure Key Vault\",\r\n \"description\": \"Identifies mass secret retrieval from Azure Key Vault observed by a single user. \\nMass secret retrival crossing a certain threshold is an indication of credential dump operations or mis-configured applications. \\nYou can tweak the EventCountThreshold based on average count seen in your environment \\nand also filter any known sources (IP/Account) and useragent combinations based on historical analysis to further reduce noise\",\r\n \"tactics\": [\r\n \"CredentialAccess\"\r\n ],\r\n \"lastUpdatedDateUTC\": \"2020-11-17T00:00:00Z\",\r\n \"createdDateUTC\": \"2019-07-01T00:00:00Z\",\r\n \"status\": \"Available\",\r\n \"requiredDataConnectors\": [\r\n {\r\n \"connectorId\": \"WAF\",\r\n \"dataTypes\": [\r\n \"AzureDiagnostics\"\r\n ]\r\n }\r\n ],\r\n \"alertRulesCreatedByTemplateCount\": 0\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/AlertRuleTemplates/cca3b4d9-ac39-4109-8b93-65bb284003e6\",\r\n \"name\": \"cca3b4d9-ac39-4109-8b93-65bb284003e6\",\r\n \"type\": \"Microsoft.SecurityInsights/AlertRuleTemplates\",\r\n \"kind\": \"Scheduled\",\r\n \"properties\": {\r\n \"severity\": \"Medium\",\r\n \"query\": \"let dt_lookBack = 1h;\\nlet ioc_lookBack = 14d;\\nlet emailregex = @'^[a-zA-Z0-9_.+-]+@[a-zA-Z0-9-]+\\\\.[a-zA-Z0-9-.]+$';\\nThreatIntelligenceIndicator\\n| where TimeGenerated >= ago(ioc_lookBack) and ExpirationDateTime > now()\\n| where Active == true\\n//Filtering the table for Email related IOCs\\n| where isnotempty(EmailRecipient)\\n| join (\\n AzureActivity | where TimeGenerated >= ago(dt_lookBack) and isnotempty(Caller)\\n | extend Caller = tolower(Caller)\\n | where Caller matches regex emailregex\\n | extend AzureActivity_TimeGenerated = TimeGenerated\\n)\\non $left.EmailRecipient == $right.Caller\\n| summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId\\n| project LatestIndicatorTime, Description, ActivityGroupNames, IndicatorId, ThreatType, ExpirationDateTime, ConfidenceScore, Url, AzureActivity_TimeGenerated,\\nEmailSenderName, EmailSourceDomain, EmailSourceIpAddress, EmailSubject, FileHashValue, FileHashType, Caller, Level, CallerIpAddress, Category, OperationName,\\nOperationNameValue, ActivityStatus, ResourceGroup, SubscriptionId\\n| extend timestamp = AzureActivity_TimeGenerated, AccountCustomEntity = Caller, IPCustomEntity = CallerIpAddress, URLCustomEntity = Url\",\r\n \"queryFrequency\": \"PT1H\",\r\n \"queryPeriod\": \"P14D\",\r\n \"triggerOperator\": \"GreaterThan\",\r\n \"triggerThreshold\": 0,\r\n \"entityMappings\": [\r\n {\r\n \"entityType\": \"Account\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"FullName\",\r\n \"columnName\": \"AccountCustomEntity\"\r\n }\r\n ]\r\n },\r\n {\r\n \"entityType\": \"IP\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"Address\",\r\n \"columnName\": \"IPCustomEntity\"\r\n }\r\n ]\r\n },\r\n {\r\n \"entityType\": \"URL\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"Url\",\r\n \"columnName\": \"URLCustomEntity\"\r\n }\r\n ]\r\n }\r\n ],\r\n \"displayName\": \"(Preview) TI map Email entity to AzureActivity\",\r\n \"description\": \"Identifies a match in AzureActivity table from any Email IOC from TI\",\r\n \"tactics\": [\r\n \"Impact\"\r\n ],\r\n \"lastUpdatedDateUTC\": \"2020-11-17T00:00:00Z\",\r\n \"createdDateUTC\": \"2019-08-28T00:00:00Z\",\r\n \"status\": \"Available\",\r\n \"requiredDataConnectors\": [\r\n {\r\n \"connectorId\": \"AzureActivity\",\r\n \"dataTypes\": [\r\n \"AzureActivity\"\r\n ]\r\n },\r\n {\r\n \"connectorId\": \"ThreatIntelligence\",\r\n \"dataTypes\": [\r\n \"ThreatIntelligenceIndicator\"\r\n ]\r\n },\r\n {\r\n \"connectorId\": \"ThreatIntelligenceTaxii\",\r\n \"dataTypes\": [\r\n \"ThreatIntelligenceIndicator\"\r\n ]\r\n }\r\n ],\r\n \"alertRulesCreatedByTemplateCount\": 0\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/AlertRuleTemplates/910124df-913c-47e3-a7cd-29e1643fa55e\",\r\n \"name\": \"910124df-913c-47e3-a7cd-29e1643fa55e\",\r\n \"type\": \"Microsoft.SecurityInsights/AlertRuleTemplates\",\r\n \"kind\": \"Scheduled\",\r\n \"properties\": {\r\n \"severity\": \"Medium\",\r\n \"query\": \"//Adjust this threshold to fit environment\\nlet signin_threshold = 5; \\n//Make a list of IPs with failed AWS console logins\\nlet aws_fails = AWSCloudTrail\\n| where TimeGenerated >= ago(1d)\\n| where EventName == \\\"ConsoleLogin\\\"\\n| extend LoginResult = tostring(parse_json(ResponseElements).ConsoleLogin) \\n| where LoginResult != \\\"Success\\\"\\n| where SourceIpAddress != \\\"127.0.0.1\\\"\\n| summarize count() by SourceIpAddress\\n| where count_ > signin_threshold\\n| summarize make_list(SourceIpAddress);\\n//See if any of those IPs have sucessfully logged into Azure AD.\\nSigninLogs\\n| where TimeGenerated >= ago(1d)\\n| where ResultType !in (\\\"0\\\", \\\"50125\\\", \\\"50140\\\")\\n| where IPAddress in (aws_fails) \\n| extend Reason = \\\"Multiple failed AWS Console logins from IP address\\\"\\n| extend timestamp = TimeGenerated, AccountCustomEntity = UserPrincipalName, IPCustomEntity = IPAddress\",\r\n \"queryFrequency\": \"P1D\",\r\n \"queryPeriod\": \"P1D\",\r\n \"triggerOperator\": \"GreaterThan\",\r\n \"triggerThreshold\": 0,\r\n \"entityMappings\": [\r\n {\r\n \"entityType\": \"Account\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"FullName\",\r\n \"columnName\": \"AccountCustomEntity\"\r\n }\r\n ]\r\n },\r\n {\r\n \"entityType\": \"IP\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"Address\",\r\n \"columnName\": \"IPCustomEntity\"\r\n }\r\n ]\r\n }\r\n ],\r\n \"displayName\": \"Failed AWS Console logons but success logon to AzureAD\",\r\n \"description\": \"Identifies a list of IP addresses with a minimum numbe(default of 5) of failed logon attempts to AWS Console.\\nUses that list to identify any successful Azure Active Directory logons from these IPs within the same timeframe.\",\r\n \"tactics\": [\r\n \"InitialAccess\",\r\n \"CredentialAccess\"\r\n ],\r\n \"lastUpdatedDateUTC\": \"2020-11-17T00:00:00Z\",\r\n \"createdDateUTC\": \"2019-08-20T00:00:00Z\",\r\n \"status\": \"Available\",\r\n \"requiredDataConnectors\": [\r\n {\r\n \"connectorId\": \"AzureActiveDirectory\",\r\n \"dataTypes\": [\r\n \"SigninLogs\"\r\n ]\r\n },\r\n {\r\n \"connectorId\": \"AWS\",\r\n \"dataTypes\": [\r\n \"AWSCloudTrail\"\r\n ]\r\n }\r\n ],\r\n \"alertRulesCreatedByTemplateCount\": 0\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/AlertRuleTemplates/4a3f5ed7-8da5-4ce2-af6f-c9ada45060f2\",\r\n \"name\": \"4a3f5ed7-8da5-4ce2-af6f-c9ada45060f2\",\r\n \"type\": \"Microsoft.SecurityInsights/AlertRuleTemplates\",\r\n \"kind\": \"Scheduled\",\r\n \"properties\": {\r\n \"severity\": \"Medium\",\r\n \"query\": \"let dt_lookBack = 1h;\\nlet ioc_lookBack = 14d;\\nlet emailregex = @'^[a-zA-Z0-9_.+-]+@[a-zA-Z0-9-]+\\\\.[a-zA-Z0-9-.]+$';\\nThreatIntelligenceIndicator\\n| where TimeGenerated >= ago(ioc_lookBack) and ExpirationDateTime > now()\\n| where Active == true\\n//Filtering the table for Email related IOCs\\n| where isnotempty(EmailRecipient)\\n| join (\\n OfficeActivity | where TimeGenerated >= ago(dt_lookBack) and isnotempty(UserId)\\n | where UserId matches regex emailregex\\n | extend OfficeActivity_TimeGenerated = TimeGenerated\\n)\\non $left.EmailRecipient == $right.UserId\\n| summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId\\n| project LatestIndicatorTime, Description, ActivityGroupNames, IndicatorId, ThreatType, Url, ExpirationDateTime, ConfidenceScore, OfficeActivity_TimeGenerated,\\nEmailSenderName, EmailSourceDomain, EmailSourceIpAddress, EmailSubject, FileHashValue, FileHashType, UserId, ClientIP, Operation, UserType, RecordType, OfficeWorkload, Parameters\\n| extend timestamp = OfficeActivity_TimeGenerated, AccountCustomEntity = UserId, IPCustomEntity = ClientIP, URLCustomEntity = Url\",\r\n \"queryFrequency\": \"PT1H\",\r\n \"queryPeriod\": \"P14D\",\r\n \"triggerOperator\": \"GreaterThan\",\r\n \"triggerThreshold\": 0,\r\n \"entityMappings\": [\r\n {\r\n \"entityType\": \"Account\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"FullName\",\r\n \"columnName\": \"AccountCustomEntity\"\r\n }\r\n ]\r\n },\r\n {\r\n \"entityType\": \"IP\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"Address\",\r\n \"columnName\": \"IPCustomEntity\"\r\n }\r\n ]\r\n },\r\n {\r\n \"entityType\": \"URL\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"Url\",\r\n \"columnName\": \"URLCustomEntity\"\r\n }\r\n ]\r\n }\r\n ],\r\n \"displayName\": \"(Preview) TI map Email entity to OfficeActivity\",\r\n \"description\": \"Identifies a match in OfficeActivity table from any Email IOC from TI\",\r\n \"tactics\": [\r\n \"Impact\"\r\n ],\r\n \"lastUpdatedDateUTC\": \"2020-11-17T00:00:00Z\",\r\n \"createdDateUTC\": \"2019-08-28T00:00:00Z\",\r\n \"status\": \"Available\",\r\n \"requiredDataConnectors\": [\r\n {\r\n \"connectorId\": \"Office365\",\r\n \"dataTypes\": [\r\n \"OfficeActivity\"\r\n ]\r\n },\r\n {\r\n \"connectorId\": \"ThreatIntelligence\",\r\n \"dataTypes\": [\r\n \"ThreatIntelligenceIndicator\"\r\n ]\r\n },\r\n {\r\n \"connectorId\": \"ThreatIntelligenceTaxii\",\r\n \"dataTypes\": [\r\n \"ThreatIntelligenceIndicator\"\r\n ]\r\n }\r\n ],\r\n \"alertRulesCreatedByTemplateCount\": 0\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/AlertRuleTemplates/7b907bf7-77d4-41d0-a208-5643ff75bf9a\",\r\n \"name\": \"7b907bf7-77d4-41d0-a208-5643ff75bf9a\",\r\n \"type\": \"Microsoft.SecurityInsights/AlertRuleTemplates\",\r\n \"kind\": \"Scheduled\",\r\n \"properties\": {\r\n \"severity\": \"Medium\",\r\n \"query\": \"let timeframe = 1d;\\nlet Keywords = dynamic([\\\"helpdesk\\\", \\\" alert\\\", \\\" suspicious\\\", \\\"fake\\\", \\\"malicious\\\", \\\"phishing\\\", \\\"spam\\\", \\\"do not click\\\", \\\"do not open\\\", \\\"hijacked\\\", \\\"Fatal\\\"]);\\nOfficeActivity\\n| where TimeGenerated >= ago(timeframe)\\n| where Operation =~ \\\"New-InboxRule\\\"\\n| where Parameters has \\\"Deleted Items\\\" or Parameters has \\\"Junk Email\\\" \\n| extend Events=todynamic(Parameters)\\n| parse Events with * \\\"SubjectContainsWords\\\" SubjectContainsWords '}'*\\n| parse Events with * \\\"BodyContainsWords\\\" BodyContainsWords '}'*\\n| parse Events with * \\\"SubjectOrBodyContainsWords\\\" SubjectOrBodyContainsWords '}'*\\n| where SubjectContainsWords has_any (Keywords)\\n or BodyContainsWords has_any (Keywords)\\n or SubjectOrBodyContainsWords has_any (Keywords)\\n| extend ClientIPAddress = case( ClientIP has \\\".\\\", tostring(split(ClientIP,\\\":\\\")[0]), ClientIP has \\\"[\\\", tostring(trim_start(@'[[]',tostring(split(ClientIP,\\\"]\\\")[0]))), ClientIP )\\n| extend Keyword = iff(isnotempty(SubjectContainsWords), SubjectContainsWords, (iff(isnotempty(BodyContainsWords),BodyContainsWords,SubjectOrBodyContainsWords )))\\n| extend RuleDetail = case(OfficeObjectId contains '/' , tostring(split(OfficeObjectId, '/')[-1]) , tostring(split(OfficeObjectId, '\\\\\\\\')[-1]))\\n| summarize count(), StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated) by Operation, UserId, ClientIPAddress, ResultStatus, Keyword, OriginatingServer, OfficeObjectId, RuleDetail\\n| extend timestamp = StartTimeUtc, IPCustomEntity = ClientIPAddress, AccountCustomEntity = UserId , HostCustomEntity = OriginatingServer\",\r\n \"queryFrequency\": \"P1D\",\r\n \"queryPeriod\": \"P1D\",\r\n \"triggerOperator\": \"GreaterThan\",\r\n \"triggerThreshold\": 0,\r\n \"entityMappings\": [\r\n {\r\n \"entityType\": \"Account\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"FullName\",\r\n \"columnName\": \"AccountCustomEntity\"\r\n }\r\n ]\r\n },\r\n {\r\n \"entityType\": \"Host\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"FullName\",\r\n \"columnName\": \"HostCustomEntity\"\r\n }\r\n ]\r\n },\r\n {\r\n \"entityType\": \"IP\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"Address\",\r\n \"columnName\": \"IPCustomEntity\"\r\n }\r\n ]\r\n }\r\n ],\r\n \"displayName\": \"Malicious Inbox Rule\",\r\n \"description\": \"Often times after the initial compromise the attackers create inbox rules to delete emails that contain certain keywords. \\n This is done so as to limit ability to warn compromised users that they've been compromised. Below is a sample query that tries to detect this.\\nReference: https://www.reddit.com/r/sysadmin/comments/7kyp0a/recent_phishing_attempts_my_experience_and_what/\",\r\n \"tactics\": [\r\n \"Persistence\",\r\n \"DefenseEvasion\"\r\n ],\r\n \"lastUpdatedDateUTC\": \"2020-11-17T00:00:00Z\",\r\n \"createdDateUTC\": \"2020-03-02T00:00:00Z\",\r\n \"status\": \"Available\",\r\n \"requiredDataConnectors\": [\r\n {\r\n \"connectorId\": \"Office365\",\r\n \"dataTypes\": [\r\n \"OfficeActivity\"\r\n ]\r\n }\r\n ],\r\n \"alertRulesCreatedByTemplateCount\": 0\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/AlertRuleTemplates/f2eb15bd-8a88-4b24-9281-e133edfba315\",\r\n \"name\": \"f2eb15bd-8a88-4b24-9281-e133edfba315\",\r\n \"type\": \"Microsoft.SecurityInsights/AlertRuleTemplates\",\r\n \"kind\": \"Scheduled\",\r\n \"properties\": {\r\n \"severity\": \"Medium\",\r\n \"query\": \"let dt_lookBack = 1h;\\nlet ioc_lookBack = 14d;\\nThreatIntelligenceIndicator\\n| where TimeGenerated >= ago(ioc_lookBack) and ExpirationDateTime > now()\\n| where Active == true\\n// Picking up only IOC's that contain the entities we want\\n| where isnotempty(NetworkIP) or isnotempty(EmailSourceIpAddress) or isnotempty(NetworkDestinationIP) or isnotempty(NetworkSourceIP)\\n// As there is potentially more than 1 indicator type for matching IP, taking NetworkIP first, then others if that is empty.\\n// Taking the first non-empty value based on potential IOC match availability\\n| extend TI_ipEntity = iff(isnotempty(NetworkIP), NetworkIP, NetworkDestinationIP)\\n| extend TI_ipEntity = iff(isempty(TI_ipEntity) and isnotempty(NetworkSourceIP), NetworkSourceIP, TI_ipEntity)\\n| extend TI_ipEntity = iff(isempty(TI_ipEntity) and isnotempty(EmailSourceIpAddress), EmailSourceIpAddress, TI_ipEntity)\\n| join (\\n SigninLogs | where TimeGenerated >= ago(dt_lookBack)\\n | extend StatusCode = tostring(Status.errorCode), StatusDetails = tostring(Status.additionalDetails)\\n | extend Region = tostring(LocationDetails[\\\"countryOrRegion\\\"]), State = tostring(LocationDetails[\\\"state\\\"]), City = tostring(LocationDetails[\\\"city\\\"])\\n // renaming time column so it is clear the log this came from\\n | extend SigninLogs_TimeGenerated = TimeGenerated\\n)\\non $left.TI_ipEntity == $right.IPAddress\\n| summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId\\n| project LatestIndicatorTime, Description, ActivityGroupNames, IndicatorId, ThreatType, Url, ExpirationDateTime, ConfidenceScore, SigninLogs_TimeGenerated,\\nTI_ipEntity, IPAddress, UserPrincipalName, AppDisplayName, StatusCode, StatusDetails, NetworkIP, NetworkDestinationIP, NetworkSourceIP, EmailSourceIpAddress\\n| extend timestamp = SigninLogs_TimeGenerated, AccountCustomEntity = UserPrincipalName, IPCustomEntity = IPAddress, URLCustomEntity = Url\",\r\n \"queryFrequency\": \"PT1H\",\r\n \"queryPeriod\": \"P14D\",\r\n \"triggerOperator\": \"GreaterThan\",\r\n \"triggerThreshold\": 0,\r\n \"entityMappings\": [\r\n {\r\n \"entityType\": \"Account\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"FullName\",\r\n \"columnName\": \"AccountCustomEntity\"\r\n }\r\n ]\r\n },\r\n {\r\n \"entityType\": \"IP\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"Address\",\r\n \"columnName\": \"IPCustomEntity\"\r\n }\r\n ]\r\n },\r\n {\r\n \"entityType\": \"URL\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"Url\",\r\n \"columnName\": \"URLCustomEntity\"\r\n }\r\n ]\r\n }\r\n ],\r\n \"displayName\": \"(Preview) TI map IP entity to SigninLogs\",\r\n \"description\": \"Identifies a match in SigninLogs from any IP IOC from TI\",\r\n \"tactics\": [\r\n \"Impact\"\r\n ],\r\n \"lastUpdatedDateUTC\": \"2020-11-17T00:00:00Z\",\r\n \"createdDateUTC\": \"2019-08-27T00:00:00Z\",\r\n \"status\": \"Available\",\r\n \"requiredDataConnectors\": [\r\n {\r\n \"connectorId\": \"ThreatIntelligence\",\r\n \"dataTypes\": [\r\n \"ThreatIntelligenceIndicator\"\r\n ]\r\n },\r\n {\r\n \"connectorId\": \"ThreatIntelligenceTaxii\",\r\n \"dataTypes\": [\r\n \"ThreatIntelligenceIndicator\"\r\n ]\r\n },\r\n {\r\n \"connectorId\": \"AzureActiveDirectory\",\r\n \"dataTypes\": [\r\n \"SigninLogs\"\r\n ]\r\n }\r\n ],\r\n \"alertRulesCreatedByTemplateCount\": 0\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/AlertRuleTemplates/b31037ea-6f68-4fbd-bab2-d0d0f44c2fcf\",\r\n \"name\": \"b31037ea-6f68-4fbd-bab2-d0d0f44c2fcf\",\r\n \"type\": \"Microsoft.SecurityInsights/AlertRuleTemplates\",\r\n \"kind\": \"Scheduled\",\r\n \"properties\": {\r\n \"severity\": \"Medium\",\r\n \"query\": \"let dt_lookBack = 1h;\\nlet ioc_lookBack = 14d;\\nThreatIntelligenceIndicator\\n| where TimeGenerated >= ago(ioc_lookBack) and ExpirationDateTime > now()\\n| where Active == true\\n// Picking up only IOC's that contain the entities we want\\n| where isnotempty(Url)\\n| join (\\n Syslog\\n | where TimeGenerated >= ago(dt_lookBack)\\n // Extract URL from the Syslog message but only take messages that include URLs\\n | extend Url = extract(\\\"(http[s]?://(?:[a-zA-Z]|[0-9]|[$-_@.&+]|[!*\\\\\\\\(\\\\\\\\),]|(?:%[0-9a-fA-F][0-9a-fA-F]))+)\\\", 1,SyslogMessage)\\n | where isnotempty(Url)\\n | extend Syslog_TimeGenerated = TimeGenerated\\n) on Url\\n| summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId\\n| project LatestIndicatorTime, Description, ActivityGroupNames, IndicatorId, ThreatType, ExpirationDateTime, ConfidenceScore, Syslog_TimeGenerated, SyslogMessage, Computer, ProcessName, Url, HostIP\\n| extend timestamp = Syslog_TimeGenerated, HostCustomEntity = Computer, IPCustomEntity = HostIP, URLCustomEntity = Url\",\r\n \"queryFrequency\": \"PT1H\",\r\n \"queryPeriod\": \"P14D\",\r\n \"triggerOperator\": \"GreaterThan\",\r\n \"triggerThreshold\": 0,\r\n \"entityMappings\": [\r\n {\r\n \"entityType\": \"Host\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"FullName\",\r\n \"columnName\": \"HostCustomEntity\"\r\n }\r\n ]\r\n },\r\n {\r\n \"entityType\": \"IP\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"Address\",\r\n \"columnName\": \"IPCustomEntity\"\r\n }\r\n ]\r\n },\r\n {\r\n \"entityType\": \"URL\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"Url\",\r\n \"columnName\": \"URLCustomEntity\"\r\n }\r\n ]\r\n }\r\n ],\r\n \"displayName\": \"(Preview) TI map URL entity to Syslog data\",\r\n \"description\": \"Identifies a match in Syslog data from any URL IOC from TI\",\r\n \"tactics\": [\r\n \"Impact\"\r\n ],\r\n \"lastUpdatedDateUTC\": \"2020-11-17T00:00:00Z\",\r\n \"createdDateUTC\": \"2019-08-27T00:00:00Z\",\r\n \"status\": \"Available\",\r\n \"requiredDataConnectors\": [\r\n {\r\n \"connectorId\": \"Syslog\",\r\n \"dataTypes\": [\r\n \"Syslog\"\r\n ]\r\n },\r\n {\r\n \"connectorId\": \"ThreatIntelligence\",\r\n \"dataTypes\": [\r\n \"ThreatIntelligenceIndicator\"\r\n ]\r\n },\r\n {\r\n \"connectorId\": \"ThreatIntelligenceTaxii\",\r\n \"dataTypes\": [\r\n \"ThreatIntelligenceIndicator\"\r\n ]\r\n }\r\n ],\r\n \"alertRulesCreatedByTemplateCount\": 0\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/AlertRuleTemplates/e7ec9fa6-e7f7-41ed-a34b-b956837a3ee6\",\r\n \"name\": \"e7ec9fa6-e7f7-41ed-a34b-b956837a3ee6\",\r\n \"type\": \"Microsoft.SecurityInsights/AlertRuleTemplates\",\r\n \"kind\": \"Scheduled\",\r\n \"properties\": {\r\n \"severity\": \"Medium\",\r\n \"query\": \"let startdate = 1d;\\nlet threshold = 15;\\n// Below pulls messages from syslog-authpriv logs where there was an authentication failure with an unknown user.\\n// IP address of system attempting logon is also extracted from the SyslogMessage field. Some of these messages\\n// are aggregated.\\nlet authfail = Syslog\\n| where TimeGenerated >= ago(startdate) \\n| where Facility =~ \\\"authpriv\\\" // looks at authpriv messages\\n| where SyslogMessage contains \\\"authentication failure\\\" and SyslogMessage contains \\\" uid=0\\\"\\n| parse SyslogMessage with * \\\"rhost=\\\" ExternalIP\\n| project TimeGenerated, Computer, ProcessName, HostIP, ExternalIP, ProcessID; \\n// Below pulls messages from syslog-authpriv logs that show each instance an unknown user tried to logon. \\nlet userfail = Syslog \\n| where TimeGenerated >= ago(startdate)\\n| where Facility =~ \\\"authpriv\\\" \\n| where SyslogMessage contains \\\"user unknown\\\"\\n| project TimeGenerated, Computer, HostIP, ProcessID;\\n// Join the two log messages above\\nlet userauthfail = authfail | join (userfail) on Computer, HostIP, ProcessID\\n| project TimeGenerated, Computer, HostIP, ExternalIP, ProcessID ;\\n// Extract the EventTime of the first logon attempt\\nlet firstfail = userauthfail\\n| summarize arg_min(TimeGenerated, *) by Computer, ExternalIP\\n| project Computer, ExternalIP, FirstLogonAttempt = TimeGenerated;\\n// Extract the EventTime of the last logon attempt\\nlet lastfail = userauthfail\\n| summarize arg_max(TimeGenerated, *) by Computer, ExternalIP\\n| project Computer, ExternalIP, LatestLogonAttempt = TimeGenerated;\\n// Join first and last logon attempt data and calculate the time between them (AttemptPeriodLength).\\nlet faildates = firstfail | join (lastfail) on Computer, ExternalIP\\n| project ExternalIP, Computer, FirstLogonAttempt, LatestLogonAttempt, TimeBetweenLogonAttempts = LatestLogonAttempt - FirstLogonAttempt;\\n// Count the number of failed logon attempts by External IP and internal machine\\nlet totalfails = userauthfail\\n| summarize StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated), TotalLogonAttempts = count() by ExternalIP, Computer, HostIP\\n| project StartTimeUtc, EndTimeUtc, ExternalIP, Computer, HostIP, TotalLogonAttempts;\\n// Combine total attempts with timing data from above\\nlet finalfails = totalfails | join (faildates) on Computer, ExternalIP\\n| project StartTimeUtc, EndTimeUtc, SourceAddress = ExternalIP, DestinationHost = Computer, DestinationIP = HostIP, TotalLogonAttempts, FirstLogonAttempt, LatestLogonAttempt, TimeBetweenLogonAttempts\\n| order by DestinationHost asc nulls last;\\nfinalfails \\n| where TotalLogonAttempts >= threshold\\n| extend timestamp = StartTimeUtc, HostCustomEntity = DestinationHost, IPCustomEntity = DestinationIP\",\r\n \"queryFrequency\": \"P1D\",\r\n \"queryPeriod\": \"P1D\",\r\n \"triggerOperator\": \"GreaterThan\",\r\n \"triggerThreshold\": 0,\r\n \"entityMappings\": [\r\n {\r\n \"entityType\": \"Host\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"FullName\",\r\n \"columnName\": \"HostCustomEntity\"\r\n }\r\n ]\r\n },\r\n {\r\n \"entityType\": \"IP\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"Address\",\r\n \"columnName\": \"IPCustomEntity\"\r\n }\r\n ]\r\n }\r\n ],\r\n \"displayName\": \"Failed logon attempts in authpriv\",\r\n \"description\": \"Identifies failed logon attempts from unknown users in Syslog authpriv logs. The unknown user means the account that tried to log in \\nisn't provisioned on the machine. A few hits could indicate someone attempting to access a machine they aren't authorized to access. \\nIf there are many of hits, especially from outside your network, it could indicate a brute force attack. \\nDefault threshold for logon attempts is 15.\",\r\n \"tactics\": [\r\n \"CredentialAccess\"\r\n ],\r\n \"lastUpdatedDateUTC\": \"2020-11-17T00:00:00Z\",\r\n \"createdDateUTC\": \"2019-02-14T00:00:00Z\",\r\n \"status\": \"Available\",\r\n \"requiredDataConnectors\": [\r\n {\r\n \"connectorId\": \"Syslog\",\r\n \"dataTypes\": [\r\n \"Syslog\"\r\n ]\r\n }\r\n ],\r\n \"alertRulesCreatedByTemplateCount\": 0\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/AlertRuleTemplates/3d645a88-2724-41a7-adea-db74c439cf79\",\r\n \"name\": \"3d645a88-2724-41a7-adea-db74c439cf79\",\r\n \"type\": \"Microsoft.SecurityInsights/AlertRuleTemplates\",\r\n \"kind\": \"Scheduled\",\r\n \"properties\": {\r\n \"severity\": \"Medium\",\r\n \"query\": \"let timeframe = ago(1h);\\nlet threshold = 5000;\\nSophosXGFirewall\\n| where TimeGenerated >= timeframe\\n| where Log_Type =~ \\\"Firewall\\\" and Status =~ \\\"Deny\\\"\\n| summarize count() by Src_IP, bin(TimeGenerated,5m)\\n| where count_ > threshold\\n| extend timestamp = TimeGenerated, IPCustomEntity = Src_IP\",\r\n \"queryFrequency\": \"PT1H\",\r\n \"queryPeriod\": \"PT1H\",\r\n \"triggerOperator\": \"GreaterThan\",\r\n \"triggerThreshold\": 0,\r\n \"entityMappings\": [\r\n {\r\n \"entityType\": \"IP\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"Address\",\r\n \"columnName\": \"IPCustomEntity\"\r\n }\r\n ]\r\n }\r\n ],\r\n \"displayName\": \"Excessive Amount of Denied Connections from a Single Source\",\r\n \"description\": \"This creates an incident in the event that a single source IP address generates a excessive amount of denied connections.\",\r\n \"tactics\": [\r\n \"Impact\"\r\n ],\r\n \"lastUpdatedDateUTC\": \"2020-11-17T00:00:00Z\",\r\n \"createdDateUTC\": \"2020-07-08T00:00:00Z\",\r\n \"status\": \"Available\",\r\n \"requiredDataConnectors\": [\r\n {\r\n \"connectorId\": \"SophosXGFirewall\",\r\n \"dataTypes\": [\r\n \"Syslog\"\r\n ]\r\n }\r\n ],\r\n \"alertRulesCreatedByTemplateCount\": 0\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/AlertRuleTemplates/7a58b253-0ef2-4248-b4e5-c350f15a8346\",\r\n \"name\": \"7a58b253-0ef2-4248-b4e5-c350f15a8346\",\r\n \"type\": \"Microsoft.SecurityInsights/AlertRuleTemplates\",\r\n \"kind\": \"Scheduled\",\r\n \"properties\": {\r\n \"severity\": \"Low\",\r\n \"query\": \"let timeframe = ago(1h);\\nlet threshold = 100;\\nSymantecProxySG \\n| where TimeGenerated >= timeframe\\n| where sc_filter_result =~ \\\"DENIED\\\"\\n| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated), count() by c_ip, cs_host\\n| where count_ > threshold\\n| extend timestamp = StartTime, HostCustomEntity = cs_host, IPCustomEntity = c_ip\",\r\n \"queryFrequency\": \"PT1H\",\r\n \"queryPeriod\": \"PT1H\",\r\n \"triggerOperator\": \"GreaterThan\",\r\n \"triggerThreshold\": 0,\r\n \"entityMappings\": [\r\n {\r\n \"entityType\": \"Host\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"FullName\",\r\n \"columnName\": \"HostCustomEntity\"\r\n }\r\n ]\r\n },\r\n {\r\n \"entityType\": \"IP\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"Address\",\r\n \"columnName\": \"IPCustomEntity\"\r\n }\r\n ]\r\n }\r\n ],\r\n \"displayName\": \"Excessive Denied Proxy Traffic\",\r\n \"description\": \"This alert creates an incident when a client generates an excessive amounts of denied proxy traffic.\",\r\n \"tactics\": [\r\n \"DefenseEvasion\"\r\n ],\r\n \"lastUpdatedDateUTC\": \"2020-11-17T00:00:00Z\",\r\n \"createdDateUTC\": \"2020-06-06T00:00:00Z\",\r\n \"status\": \"Available\",\r\n \"requiredDataConnectors\": [\r\n {\r\n \"connectorId\": \"SymantecProxySG\",\r\n \"dataTypes\": [\r\n \"Syslog\"\r\n ]\r\n }\r\n ],\r\n \"alertRulesCreatedByTemplateCount\": 0\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/AlertRuleTemplates/2954d424-f786-4677-9ffc-c24c44c6e7d5\",\r\n \"name\": \"2954d424-f786-4677-9ffc-c24c44c6e7d5\",\r\n \"type\": \"Microsoft.SecurityInsights/AlertRuleTemplates\",\r\n \"kind\": \"Scheduled\",\r\n \"properties\": {\r\n \"severity\": \"High\",\r\n \"query\": \"let timeframe = ago(3h);\\nlet threshold = 2;\\nOkta_CL\\n| where published_t >= timeframe\\n| where eventType_s =~ \\\"user.session.start\\\"\\n| where outcome_result_s =~ \\\"SUCCESS\\\"\\n| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated), NumOfCountries = dcount(client_geographicalContext_country_s) by actor_alternateId_s\\n| where NumOfCountries >= threshold\\n| extend timestamp = StartTime, AccountCustomEntity = actor_alternateId_s\",\r\n \"queryFrequency\": \"PT1H\",\r\n \"queryPeriod\": \"PT1H\",\r\n \"triggerOperator\": \"GreaterThan\",\r\n \"triggerThreshold\": 0,\r\n \"entityMappings\": [\r\n {\r\n \"entityType\": \"Account\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"FullName\",\r\n \"columnName\": \"AccountCustomEntity\"\r\n }\r\n ]\r\n }\r\n ],\r\n \"displayName\": \"User Login from Different Countries within 3 hours\",\r\n \"description\": \"This query searches for successful user logins to the Okta Console from different countries within 3 hours\",\r\n \"tactics\": [\r\n \"InitialAccess\"\r\n ],\r\n \"lastUpdatedDateUTC\": \"2020-11-17T00:00:00Z\",\r\n \"createdDateUTC\": \"2020-07-08T00:00:00Z\",\r\n \"status\": \"Available\",\r\n \"requiredDataConnectors\": [\r\n {\r\n \"connectorId\": \"OktaSSO\",\r\n \"dataTypes\": [\r\n \"Okta_CL\"\r\n ]\r\n }\r\n ],\r\n \"alertRulesCreatedByTemplateCount\": 0\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/AlertRuleTemplates/19e01883-15d8-4eb6-a7a5-3276cd668388\",\r\n \"name\": \"19e01883-15d8-4eb6-a7a5-3276cd668388\",\r\n \"type\": \"Microsoft.SecurityInsights/AlertRuleTemplates\",\r\n \"kind\": \"Scheduled\",\r\n \"properties\": {\r\n \"severity\": \"Medium\",\r\n \"query\": \"let timeFrame = 1d;\\nlet timeBin = 1m;\\nlet failedThreshold = 20;\\nW3CIISLog\\n| where TimeGenerated >= ago(timeFrame)\\n| where scStatus in (\\\"401\\\",\\\"403\\\")\\n| where csUserName != \\\"-\\\"\\n| extend scStatusFull = strcat(scStatus, \\\".\\\",scSubStatus) \\n// Map common IIS codes\\n| extend scStatusFull_Friendly = case(\\nscStatusFull == \\\"401.0\\\", \\\"Access denied.\\\",\\nscStatusFull == \\\"401.1\\\", \\\"Logon failed.\\\",\\nscStatusFull == \\\"401.2\\\", \\\"Logon failed due to server configuration.\\\",\\nscStatusFull == \\\"401.3\\\", \\\"Unauthorized due to ACL on resource.\\\",\\nscStatusFull == \\\"401.4\\\", \\\"Authorization failed by filter.\\\",\\nscStatusFull == \\\"401.5\\\", \\\"Authorization failed by ISAPI/CGI application.\\\",\\nscStatusFull == \\\"403.0\\\", \\\"Forbidden.\\\",\\nscStatusFull == \\\"403.4\\\", \\\"SSL required.\\\",\\n\\\"See - https://support.microsoft.com/help/943891/the-http-status-code-in-iis-7-0-iis-7-5-and-iis-8-0\\\")\\n// Mapping to Hex so can be mapped using website in comments above\\n| extend scWin32Status_Hex = tohex(tolong(scWin32Status)) \\n// Map common win32 codes\\n| extend scWin32Status_Friendly = case(\\nscWin32Status_Hex =~ \\\"775\\\", \\\"The referenced account is currently locked out and cannot be logged on to.\\\",\\nscWin32Status_Hex =~ \\\"52e\\\", \\\"Logon failure: Unknown user name or bad password.\\\",\\nscWin32Status_Hex =~ \\\"532\\\", \\\"Logon failure: The specified account password has expired.\\\",\\nscWin32Status_Hex =~ \\\"533\\\", \\\"Logon failure: Account currently disabled.\\\", \\nscWin32Status_Hex =~ \\\"2ee2\\\", \\\"The request has timed out.\\\", \\nscWin32Status_Hex =~ \\\"0\\\", \\\"The operation completed successfully.\\\", \\nscWin32Status_Hex =~ \\\"1\\\", \\\"Incorrect function.\\\", \\nscWin32Status_Hex =~ \\\"2\\\", \\\"The system cannot find the file specified.\\\", \\nscWin32Status_Hex =~ \\\"3\\\", \\\"The system cannot find the path specified.\\\", \\nscWin32Status_Hex =~ \\\"4\\\", \\\"The system cannot open the file.\\\", \\nscWin32Status_Hex =~ \\\"5\\\", \\\"Access is denied.\\\", \\nscWin32Status_Hex =~ \\\"8009030e\\\", \\\"SEC_E_NO_CREDENTIALS\\\", \\nscWin32Status_Hex =~ \\\"8009030C\\\", \\\"SEC_E_LOGON_DENIED\\\", \\n\\\"See - https://msdn.microsoft.com/library/cc231199.aspx\\\")\\n// decode URI when available\\n| extend decodedUriQuery = url_decode(csUriQuery)\\n// Count of failed attempts from same client IP\\n| summarize makeset(decodedUriQuery), makeset(csUserName), makeset(sSiteName), makeset(sPort), makeset(csUserAgent), makeset(csMethod), makeset(csUriQuery), makeset(scStatusFull), makeset(scStatusFull_Friendly), makeset(scWin32Status_Hex), makeset(scWin32Status_Friendly), FailedConnectionsCount = count() by bin(TimeGenerated, timeBin), cIP, Computer, sIP\\n| where FailedConnectionsCount >= failedThreshold\\n| project TimeGenerated, cIP, set_csUserName, set_decodedUriQuery, Computer, set_sSiteName, sIP, set_sPort, set_csUserAgent, set_csMethod, set_scStatusFull, set_scStatusFull_Friendly, set_scWin32Status_Hex, set_scWin32Status_Friendly, FailedConnectionsCount\\n| order by FailedConnectionsCount\\n| extend timestamp = TimeGenerated, HostCustomEntity = Computer, IPCustomEntity = cIP\",\r\n \"queryFrequency\": \"P1D\",\r\n \"queryPeriod\": \"P1D\",\r\n \"triggerOperator\": \"GreaterThan\",\r\n \"triggerThreshold\": 0,\r\n \"entityMappings\": [\r\n {\r\n \"entityType\": \"Host\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"FullName\",\r\n \"columnName\": \"HostCustomEntity\"\r\n }\r\n ]\r\n },\r\n {\r\n \"entityType\": \"IP\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"Address\",\r\n \"columnName\": \"IPCustomEntity\"\r\n }\r\n ]\r\n }\r\n ],\r\n \"displayName\": \"High count of failed attempts from same client IP\",\r\n \"description\": \"Identifies when 20 or more failed attempts from a given client IP in 1 minute occur on the IIS server.\\nThis could be indicative of an attempted brute force. This could also simply indicate a misconfigured service or device.\\nRecommendations: Validate that these are expected connections from the given Client IP. If the client IP is not recognized, \\npotentially block these connections at the edge device.\\nIf these are expected connections, verify the credentials are properly configured on the system, service, application or device \\nthat is associated with the client IP.\\nReferences:\\nIIS status code mapping: https://support.microsoft.com/help/943891/the-http-status-code-in-iis-7-0-iis-7-5-and-iis-8-0\\nWin32 Status code mapping: https://msdn.microsoft.com/library/cc231199.aspx\",\r\n \"tactics\": [\r\n \"CredentialAccess\"\r\n ],\r\n \"lastUpdatedDateUTC\": \"2020-11-17T00:00:00Z\",\r\n \"createdDateUTC\": \"2019-03-19T00:00:00Z\",\r\n \"status\": \"Available\",\r\n \"requiredDataConnectors\": [\r\n {\r\n \"connectorId\": \"AzureMonitor(IIS)\",\r\n \"dataTypes\": [\r\n \"W3CIISLog\"\r\n ]\r\n }\r\n ],\r\n \"alertRulesCreatedByTemplateCount\": 0\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/AlertRuleTemplates/4915c713-ab38-432e-800b-8e2d46933de6\",\r\n \"name\": \"4915c713-ab38-432e-800b-8e2d46933de6\",\r\n \"type\": \"Microsoft.SecurityInsights/AlertRuleTemplates\",\r\n \"kind\": \"Scheduled\",\r\n \"properties\": {\r\n \"severity\": \"Medium\",\r\n \"query\": \"let PrivateIPregex = @'^127\\\\.|^10\\\\.|^172\\\\.1[6-9]\\\\.|^172\\\\.2[0-9]\\\\.|^172\\\\.3[0-1]\\\\.|^192\\\\.168\\\\.'; \\nlet avgthreshold = 0;\\nlet probabilityLimit = 0.01;\\nlet startime = 7d;\\nlet ssh_logins = Syslog\\n| where TimeGenerated >= ago(startime)\\n| where Facility contains \\\"auth\\\" and ProcessName =~ \\\"sshd\\\"\\n| where SyslogMessage has \\\"Accepted\\\"\\n| extend SourceIP = extract(\\\"(([0-9]{1,3})\\\\\\\\.([0-9]{1,3})\\\\\\\\.([0-9]{1,3})\\\\\\\\.(([0-9]{1,3})))\\\",1,SyslogMessage) \\n| where isnotempty(SourceIP)\\n| extend ipType = iff(SourceIP matches regex PrivateIPregex,\\\"private\\\" ,\\\"public\\\");\\nssh_logins \\n| summarize privatecount=countif(ipType==\\\"private\\\"), publiccount=countif(ipType==\\\"public\\\") by HostName, HostIP, bin(EventTime, 1d)\\n| summarize \\npublicIPLoginHistory = make_list(pack('IPCount', publiccount, 'logon_time', EventTime)),\\nprivateIPLoginHistory = make_list(pack('IPCount', privatecount, 'logon_time', EventTime)) by HostName, HostIP\\n| mv-apply publicIPLoginHistory = publicIPLoginHistory on\\n(\\n order by todatetime(publicIPLoginHistory['logon_time']) asc\\n | summarize publicIPLoginCountList=make_list(toint(publicIPLoginHistory['IPCount'])), publicAverage=avg(toint(publicIPLoginHistory['IPCount'])), publicStd=stdev(toint(publicIPLoginHistory['IPCount'])), maxPublicLoginCount=max(toint(publicIPLoginHistory['IPCount']))\\n)\\n| mv-apply privateIPLoginHistory = privateIPLoginHistory on\\n(\\n order by todatetime(privateIPLoginHistory['logon_time']) asc\\n | summarize privateIPLoginCountList=make_list(toint(privateIPLoginHistory['IPCount'])), privateAverage=avg(toint(privateIPLoginHistory['IPCount'])), privateStd=stdev(toint(privateIPLoginHistory['IPCount']))\\n)\\n// Some logins from private IPs\\n| where privateAverage > avgthreshold\\n// There is a non-zero number of logins from public IPs\\n| where publicAverage > avgthreshold\\n// Approximate probability of seeing login from a public IP is < 1%\\n| extend probabilityPublic = publicAverage / (privateAverage + publicAverage)\\n| where probabilityPublic < probabilityLimit\\n// Today has the highest number of logins from public IPs that we've seen in the last week\\n| extend publicLoginCountToday = publicIPLoginCountList[-1]\\n| where publicLoginCountToday >= maxPublicLoginCount\\n| extend HostCustomEntity = HostName\\n// Optionally retrieve the original raw data for those logins that we've identified as potentially suspect\\n// | join kind=rightsemi (\\n// ssh_logins\\n// | where ipType == \\\"public\\\"\\n// ) on HostName\",\r\n \"queryFrequency\": \"P1D\",\r\n \"queryPeriod\": \"P7D\",\r\n \"triggerOperator\": \"GreaterThan\",\r\n \"triggerThreshold\": 0,\r\n \"entityMappings\": [\r\n {\r\n \"entityType\": \"Host\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"FullName\",\r\n \"columnName\": \"HostCustomEntity\"\r\n }\r\n ]\r\n }\r\n ],\r\n \"displayName\": \"New internet-exposed SSH endpoints\",\r\n \"description\": \"Looks for SSH endpoints with a history of sign-ins only from private IP addresses are accessed from a public IP address.\",\r\n \"tactics\": [\r\n \"InitialAccess\"\r\n ],\r\n \"lastUpdatedDateUTC\": \"2020-11-17T00:00:00Z\",\r\n \"createdDateUTC\": \"2019-08-27T00:00:00Z\",\r\n \"status\": \"Available\",\r\n \"requiredDataConnectors\": [\r\n {\r\n \"connectorId\": \"Syslog\",\r\n \"dataTypes\": [\r\n \"Syslog\"\r\n ]\r\n }\r\n ],\r\n \"alertRulesCreatedByTemplateCount\": 0\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/AlertRuleTemplates/500c103a-0319-4d56-8e99-3cec8d860757\",\r\n \"name\": \"500c103a-0319-4d56-8e99-3cec8d860757\",\r\n \"type\": \"Microsoft.SecurityInsights/AlertRuleTemplates\",\r\n \"kind\": \"Scheduled\",\r\n \"properties\": {\r\n \"severity\": \"Medium\",\r\n \"query\": \"let lookBack = 1d;\\nSigninLogs \\n| where TimeGenerated >= ago(lookBack)\\n| where ResultType == \\\"50057\\\" \\n| where ResultDescription == \\\"User account is disabled. The account has been disabled by an administrator.\\\" \\n| summarize StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated), disabledAccountLoginAttempts = count(), \\ndisabledAccountsTargeted = dcount(UserPrincipalName), applicationsTargeted = dcount(AppDisplayName), disabledAccountSet = makeset(UserPrincipalName), \\napplicationSet = makeset(AppDisplayName) by IPAddress\\n| order by disabledAccountLoginAttempts desc\\n| join kind= leftouter (\\n // Consider these IPs suspicious - and alert any related successful sign-ins\\n SigninLogs\\n | where TimeGenerated >= ago(lookBack)\\n | where ResultType == 0\\n | summarize successfulAccountSigninCount = dcount(UserPrincipalName), successfulAccountSigninSet = makeset(UserPrincipalName, 15) by IPAddress\\n // Assume IPs associated with sign-ins from 100+ distinct user accounts are safe\\n | where successfulAccountSigninCount < 100\\n) on IPAddress \\n// IPs from which attempts to authenticate as disabled user accounts originated, and had a non-zero success rate for some other account\\n| where successfulAccountSigninCount != 0\\n| project StartTimeUtc, EndTimeUtc, IPAddress, disabledAccountLoginAttempts, disabledAccountsTargeted, disabledAccountSet, applicationSet, \\nsuccessfulAccountSigninCount, successfulAccountSigninSet\\n| order by disabledAccountLoginAttempts\\n| extend timestamp = StartTimeUtc, IPCustomEntity = IPAddress\",\r\n \"queryFrequency\": \"P1D\",\r\n \"queryPeriod\": \"P1D\",\r\n \"triggerOperator\": \"GreaterThan\",\r\n \"triggerThreshold\": 0,\r\n \"entityMappings\": [\r\n {\r\n \"entityType\": \"IP\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"Address\",\r\n \"columnName\": \"IPCustomEntity\"\r\n }\r\n ]\r\n }\r\n ],\r\n \"displayName\": \"Sign-ins from IPs that attempt sign-ins to disabled accounts\",\r\n \"description\": \"Identifies IPs with failed attempts to sign in to one or more disabled accounts signed in successfully to another account.\\nReferences: https://docs.microsoft.com/azure/active-directory/reports-monitoring/reference-sign-ins-error-codes\\n50057 - User account is disabled. The account has been disabled by an administrator.\",\r\n \"tactics\": [\r\n \"InitialAccess\",\r\n \"Persistence\"\r\n ],\r\n \"lastUpdatedDateUTC\": \"2020-11-17T00:00:00Z\",\r\n \"createdDateUTC\": \"2019-02-11T00:00:00Z\",\r\n \"status\": \"Available\",\r\n \"requiredDataConnectors\": [\r\n {\r\n \"connectorId\": \"AzureActiveDirectory\",\r\n \"dataTypes\": [\r\n \"SigninLogs\"\r\n ]\r\n }\r\n ],\r\n \"alertRulesCreatedByTemplateCount\": 0\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/AlertRuleTemplates/b725d62c-eb77-42ff-96f6-bdc6745fc6e0\",\r\n \"name\": \"b725d62c-eb77-42ff-96f6-bdc6745fc6e0\",\r\n \"type\": \"Microsoft.SecurityInsights/AlertRuleTemplates\",\r\n \"kind\": \"Scheduled\",\r\n \"properties\": {\r\n \"severity\": \"Low\",\r\n \"query\": \"let starttime = 14d;\\nlet endtime = 1d;\\nlet UserAgentAll = \\n(union isfuzzy=true\\n(OfficeActivity\\n| where TimeGenerated >= ago(starttime)\\n| where isnotempty(UserAgent)\\n| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated) by UserAgent, SourceIP = ClientIP, Account = UserId, Type, RecordType, Operation\\n),\\n(\\nW3CIISLog\\n| where TimeGenerated >= ago(starttime)\\n| where isnotempty(csUserAgent)\\n| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated) by UserAgent = csUserAgent, SourceIP = cIP, Account = csUserName, Type, sSiteName, csMethod, csUriStem\\n),\\n(\\nAWSCloudTrail\\n| where TimeGenerated >= ago(starttime)\\n| where isnotempty(UserAgent)\\n| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated) by UserAgent, SourceIP = SourceIpAddress, Account = UserIdentityUserName, Type, EventSource, EventName\\n))\\n// remove wordSize blocks of non-numeric hex characters prior to word extraction\\n| extend UserAgentNoHexAlphas = replace(\\\"([A-Fa-f]{4,})\\\", \\\"x\\\", UserAgent)\\n// once blocks of hex chars are removed, extract wordSize blocks of a-z\\n| extend Tokens = extract_all(\\\"([A-Za-z]{4,})\\\", UserAgentNoHexAlphas)\\n// concatenate extracted words to create a summarized user agent for baseline and comparison\\n| extend NormalizedUserAgent = strcat_array(Tokens, \\\"|\\\")\\n| project-away UserAgentNoHexAlphas, Tokens;\\nUserAgentAll\\n| where StartTime >= ago(endtime)\\n| summarize StartTime = min(StartTime), EndTime = max(EndTime), count() by UserAgent, NormalizedUserAgent, SourceIP, Account, Type, RecordType, Operation, EventSource, EventName, sSiteName, csMethod, csUriStem\\n| join kind=leftanti\\n(\\nUserAgentAll\\n| where StartTime < ago(endtime)\\n| summarize by NormalizedUserAgent, SourceIP, Account, Type, RecordType, Operation, EventSource, EventName, sSiteName, csMethod, csUriStem\\n)\\non NormalizedUserAgent\\n| extend timestamp = StartTime, IPCustomEntity = SourceIP, AccountCustomEntity = Account\",\r\n \"queryFrequency\": \"P1D\",\r\n \"queryPeriod\": \"P14D\",\r\n \"triggerOperator\": \"GreaterThan\",\r\n \"triggerThreshold\": 0,\r\n \"entityMappings\": [\r\n {\r\n \"entityType\": \"Account\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"FullName\",\r\n \"columnName\": \"AccountCustomEntity\"\r\n }\r\n ]\r\n },\r\n {\r\n \"entityType\": \"IP\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"Address\",\r\n \"columnName\": \"IPCustomEntity\"\r\n }\r\n ]\r\n }\r\n ],\r\n \"displayName\": \"New UserAgent observed in last 24 hours\",\r\n \"description\": \"Identifies new UserAgents observed in the last 24 hours versus the previous 14 days. This detection \\nextracts words from user agents to build the baseline and determine rareity rather than perform a \\ndirect comparison. This avoids FPs caused by version numbers and other high entropy user agent components.\\nThese new UserAgents could be benign. However, in normally stable environments,\\nthese new UserAgents could provide a starting point for investigating malicious activity.\\nNote: W3CIISLog can be noisy depending on the environment, however OfficeActivity and AWSCloudTrail are\\nusually stable with low numbers of detections.\",\r\n \"tactics\": [\r\n \"InitialAccess\",\r\n \"CommandAndControl\",\r\n \"Execution\"\r\n ],\r\n \"lastUpdatedDateUTC\": \"2020-11-17T00:00:00Z\",\r\n \"createdDateUTC\": \"2019-04-01T00:00:00Z\",\r\n \"status\": \"Available\",\r\n \"requiredDataConnectors\": [\r\n {\r\n \"connectorId\": \"AWS\",\r\n \"dataTypes\": [\r\n \"AWSCloudTrail\"\r\n ]\r\n },\r\n {\r\n \"connectorId\": \"Office365\",\r\n \"dataTypes\": [\r\n \"OfficeActivity\"\r\n ]\r\n },\r\n {\r\n \"connectorId\": \"AzureMonitor(IIS)\",\r\n \"dataTypes\": [\r\n \"W3CIISLog\"\r\n ]\r\n }\r\n ],\r\n \"alertRulesCreatedByTemplateCount\": 0\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/AlertRuleTemplates/d3980830-dd9d-40a5-911f-76b44dfdce16\",\r\n \"name\": \"d3980830-dd9d-40a5-911f-76b44dfdce16\",\r\n \"type\": \"Microsoft.SecurityInsights/AlertRuleTemplates\",\r\n \"kind\": \"Scheduled\",\r\n \"properties\": {\r\n \"severity\": \"Medium\",\r\n \"query\": \"let RunTime = 1h;\\nSigninLogs\\n| where TimeGenerated > ago(RunTime)\\n| where AppDisplayName == \\\"GitHub.com\\\"\\n| where ResultType == 0\\n| summarize CountOfLocations = dcount(Location), Locations = make_set(Location), BurstStartTime = min(TimeGenerated), BurstEndTime = max(TimeGenerated) by UserPrincipalName\\n| where CountOfLocations > 1\\n| extend timestamp = BurstStartTime, AccountCustomEntity = UserPrincipalName\",\r\n \"queryFrequency\": \"P1D\",\r\n \"queryPeriod\": \"P1D\",\r\n \"triggerOperator\": \"GreaterThan\",\r\n \"triggerThreshold\": 0,\r\n \"entityMappings\": [\r\n {\r\n \"entityType\": \"Account\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"FullName\",\r\n \"columnName\": \"AccountCustomEntity\"\r\n }\r\n ]\r\n }\r\n ],\r\n \"displayName\": \"GitHub Signin Burst from Multiple Locations\",\r\n \"description\": \"This alerts when there Signin burst from multiple locations in GitHub (AAD SSO).\",\r\n \"tactics\": [\r\n \"CredentialAccess\"\r\n ],\r\n \"lastUpdatedDateUTC\": \"2020-11-17T00:00:00Z\",\r\n \"createdDateUTC\": \"2020-06-02T00:00:00Z\",\r\n \"status\": \"Available\",\r\n \"requiredDataConnectors\": [\r\n {\r\n \"connectorId\": \"AzureActiveDirectory\",\r\n \"dataTypes\": [\r\n \"SigninLogs\"\r\n ]\r\n }\r\n ],\r\n \"alertRulesCreatedByTemplateCount\": 0\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/AlertRuleTemplates/8675dd7a-795e-4d56-a79c-fc848c5ee61c\",\r\n \"name\": \"8675dd7a-795e-4d56-a79c-fc848c5ee61c\",\r\n \"type\": \"Microsoft.SecurityInsights/AlertRuleTemplates\",\r\n \"kind\": \"Scheduled\",\r\n \"properties\": {\r\n \"severity\": \"Medium\",\r\n \"query\": \"let timeframe = ago(1h);\\nProofPointTAPClicksPermitted_CL\\n| where TimeGenerated >= timeframe\\n| where classification_s =~ \\\"malware\\\"\\n| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated), count() by TimeGenerated, Sender = sender_s, SenderIPAddress = senderIP_s, Recipient = recipient_s, TimeClicked = clickTime_t, URLClicked = url_s\\n| extend timestamp = StartTime, AccountCustomEntity = Recipient, IPCustomEntity = SenderIPAddress, URLCustomEntity = URLClicked\",\r\n \"queryFrequency\": \"PT1H\",\r\n \"queryPeriod\": \"PT1H\",\r\n \"triggerOperator\": \"GreaterThan\",\r\n \"triggerThreshold\": 0,\r\n \"entityMappings\": [\r\n {\r\n \"entityType\": \"Account\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"FullName\",\r\n \"columnName\": \"AccountCustomEntity\"\r\n }\r\n ]\r\n },\r\n {\r\n \"entityType\": \"IP\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"Address\",\r\n \"columnName\": \"IPCustomEntity\"\r\n }\r\n ]\r\n },\r\n {\r\n \"entityType\": \"URL\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"Url\",\r\n \"columnName\": \"URLCustomEntity\"\r\n }\r\n ]\r\n }\r\n ],\r\n \"displayName\": \"Malware Link Clicked\",\r\n \"description\": \"This query identifies a user clicking on an email link whose threat category is classified as a malware\",\r\n \"tactics\": [\r\n \"InitialAccess\"\r\n ],\r\n \"lastUpdatedDateUTC\": \"2020-11-17T00:00:00Z\",\r\n \"createdDateUTC\": \"2020-06-20T00:00:00Z\",\r\n \"status\": \"Available\",\r\n \"requiredDataConnectors\": [\r\n {\r\n \"connectorId\": \"ProofpointTAP\",\r\n \"dataTypes\": [\r\n \"ProofPointTAPClicksPermitted_CL\"\r\n ]\r\n }\r\n ],\r\n \"alertRulesCreatedByTemplateCount\": 0\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/AlertRuleTemplates/2d8a60aa-c15e-442e-9ce3-ee924889d2a6\",\r\n \"name\": \"2d8a60aa-c15e-442e-9ce3-ee924889d2a6\",\r\n \"type\": \"Microsoft.SecurityInsights/AlertRuleTemplates\",\r\n \"kind\": \"Scheduled\",\r\n \"properties\": {\r\n \"severity\": \"Low\",\r\n \"query\": \"eset_CL\\n| where event_type_s == \\\"Threat_Event\\\"\\n| extend HostCustomEntity = hostname_s, AccountCustomEntity = username_s, IPCustomEntity = ipv4_s\",\r\n \"queryFrequency\": \"PT5M\",\r\n \"queryPeriod\": \"PT5M\",\r\n \"triggerOperator\": \"GreaterThan\",\r\n \"triggerThreshold\": 0,\r\n \"entityMappings\": [\r\n {\r\n \"entityType\": \"Account\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"FullName\",\r\n \"columnName\": \"AccountCustomEntity\"\r\n }\r\n ]\r\n },\r\n {\r\n \"entityType\": \"Host\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"FullName\",\r\n \"columnName\": \"HostCustomEntity\"\r\n }\r\n ]\r\n },\r\n {\r\n \"entityType\": \"IP\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"Address\",\r\n \"columnName\": \"IPCustomEntity\"\r\n }\r\n ]\r\n }\r\n ],\r\n \"displayName\": \"Threats detected by Eset\",\r\n \"description\": \"Escalates threats detected by Eset.\",\r\n \"tactics\": [\r\n \"Execution\",\r\n \"CredentialAccess\",\r\n \"PrivilegeEscalation\"\r\n ],\r\n \"lastUpdatedDateUTC\": \"2020-11-17T00:00:00Z\",\r\n \"createdDateUTC\": \"2020-07-09T00:00:00Z\",\r\n \"status\": \"Available\",\r\n \"requiredDataConnectors\": [\r\n {\r\n \"connectorId\": \"EsetSMC\",\r\n \"dataTypes\": [\r\n \"eset_CL\"\r\n ]\r\n }\r\n ],\r\n \"alertRulesCreatedByTemplateCount\": 0\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/AlertRuleTemplates/90586451-7ba8-4c1e-9904-7d1b7c3cc4d6\",\r\n \"name\": \"90586451-7ba8-4c1e-9904-7d1b7c3cc4d6\",\r\n \"type\": \"Microsoft.SecurityInsights/AlertRuleTemplates\",\r\n \"kind\": \"MicrosoftSecurityIncidentCreation\",\r\n \"properties\": {\r\n \"productFilter\": \"Azure Security Center\",\r\n \"displayName\": \"Create incidents based on Azure Security Center alerts\",\r\n \"description\": \"Create incidents based on all alerts generated in Azure Security Center\",\r\n \"lastUpdatedDateUTC\": \"2019-07-16T00:00:00Z\",\r\n \"createdDateUTC\": \"2019-07-16T00:00:00Z\",\r\n \"status\": \"Available\",\r\n \"requiredDataConnectors\": [\r\n {\r\n \"connectorId\": \"AzureSecurityCenter\",\r\n \"dataTypes\": [\r\n \"SecurityAlert (ASC)\"\r\n ]\r\n }\r\n ],\r\n \"alertRulesCreatedByTemplateCount\": 0\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/AlertRuleTemplates/69b7723c-2889-469f-8b55-a2d355ed9c87\",\r\n \"name\": \"69b7723c-2889-469f-8b55-a2d355ed9c87\",\r\n \"type\": \"Microsoft.SecurityInsights/AlertRuleTemplates\",\r\n \"kind\": \"Scheduled\",\r\n \"properties\": {\r\n \"severity\": \"Medium\",\r\n \"query\": \"let dt_lookBack = 1h;\\nlet ioc_lookBack = 14d;\\nThreatIntelligenceIndicator\\n| where TimeGenerated >= ago(ioc_lookBack) and ExpirationDateTime > now()\\n| where Active == true\\n// Picking up only IOC's that contain the entities we want\\n| where isnotempty(NetworkIP) or isnotempty(EmailSourceIpAddress) or isnotempty(NetworkDestinationIP) or isnotempty(NetworkSourceIP)\\n// As there is potentially more than 1 indicator type for matching IP, taking NetworkIP first, then others if that is empty.\\n// Taking the first non-empty value based on potential IOC match availability\\n| extend TI_ipEntity = iff(isnotempty(NetworkIP), NetworkIP, NetworkDestinationIP)\\n| extend TI_ipEntity = iff(isempty(TI_ipEntity) and isnotempty(NetworkSourceIP), NetworkSourceIP, TI_ipEntity)\\n| extend TI_ipEntity = iff(isempty(TI_ipEntity) and isnotempty(EmailSourceIpAddress), EmailSourceIpAddress, TI_ipEntity)\\n| join (\\n DnsEvents | where TimeGenerated >= ago(dt_lookBack)\\n | where SubType =~ \\\"LookupQuery\\\" and isnotempty(IPAddresses)\\n | extend SingleIP = split(IPAddresses, \\\",\\\")\\n | mvexpand SingleIP\\n | extend SingleIP = tostring(SingleIP)\\n // renaming time column so it is clear the log this came from\\n | extend DNS_TimeGenerated = TimeGenerated\\n)\\non $left.TI_ipEntity == $right.SingleIP\\n| summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId\\n| project LatestIndicatorTime, Description, ActivityGroupNames, IndicatorId, ThreatType, Url, ExpirationDateTime, ConfidenceScore, DNS_TimeGenerated,\\nTI_ipEntity, Computer, EventId, SubType, ClientIP, Name, IPAddresses, NetworkIP, NetworkDestinationIP, NetworkSourceIP, EmailSourceIpAddress\\n| extend timestamp = DNS_TimeGenerated, IPCustomEntity = ClientIP, HostCustomEntity = Computer, URLCustomEntity = Url\",\r\n \"queryFrequency\": \"PT1H\",\r\n \"queryPeriod\": \"P14D\",\r\n \"triggerOperator\": \"GreaterThan\",\r\n \"triggerThreshold\": 0,\r\n \"entityMappings\": [\r\n {\r\n \"entityType\": \"Host\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"FullName\",\r\n \"columnName\": \"HostCustomEntity\"\r\n }\r\n ]\r\n },\r\n {\r\n \"entityType\": \"IP\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"Address\",\r\n \"columnName\": \"IPCustomEntity\"\r\n }\r\n ]\r\n },\r\n {\r\n \"entityType\": \"URL\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"Url\",\r\n \"columnName\": \"URLCustomEntity\"\r\n }\r\n ]\r\n }\r\n ],\r\n \"displayName\": \"(Preview) TI map IP entity to DnsEvents\",\r\n \"description\": \"Identifies a match in DnsEvents from any IP IOC from TI\",\r\n \"tactics\": [\r\n \"Impact\"\r\n ],\r\n \"lastUpdatedDateUTC\": \"2020-11-17T00:00:00Z\",\r\n \"createdDateUTC\": \"2019-08-27T00:00:00Z\",\r\n \"status\": \"Available\",\r\n \"requiredDataConnectors\": [\r\n {\r\n \"connectorId\": \"ThreatIntelligence\",\r\n \"dataTypes\": [\r\n \"ThreatIntelligenceIndicator\"\r\n ]\r\n },\r\n {\r\n \"connectorId\": \"ThreatIntelligenceTaxii\",\r\n \"dataTypes\": [\r\n \"ThreatIntelligenceIndicator\"\r\n ]\r\n },\r\n {\r\n \"connectorId\": \"DNS\",\r\n \"dataTypes\": [\r\n \"DnsEvents\"\r\n ]\r\n }\r\n ],\r\n \"alertRulesCreatedByTemplateCount\": 0\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/AlertRuleTemplates/2be4ef67-a93f-4d8a-981a-88158cb73abd\",\r\n \"name\": \"2be4ef67-a93f-4d8a-981a-88158cb73abd\",\r\n \"type\": \"Microsoft.SecurityInsights/AlertRuleTemplates\",\r\n \"kind\": \"Scheduled\",\r\n \"properties\": {\r\n \"severity\": \"Medium\",\r\n \"query\": \"let dt_lookBack = 1h;\\nlet covidIndicators = (externaldata(TimeGenerated:datetime, FileHashValue:string, FileHashType: string, TlpLevel: string, Product: string, ThreatType: string, Description: string )\\n[@\\\"https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Sample%20Data/Feeds/Microsoft.Covid19.Indicators.csv\\\"] with (format=\\\"csv\\\"));\\nlet fileHashIndicators = covidIndicators\\n| where isnotempty(FileHashValue);\\n// Handle matches against both lower case and uppercase versions of the hash:\\n( fileHashIndicators | extend FileHashValue = tolower(FileHashValue)\\n | union (fileHashIndicators | extend FileHashValue = toupper(FileHashValue)))\\n| join (\\n CommonSecurityLog | where TimeGenerated >= ago(dt_lookBack) \\n | where isnotempty(FileHash)\\n | extend CommonSecurityLog_TimeGenerated = TimeGenerated\\n)\\non $left.FileHashValue == $right.FileHash\\n| summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by FileHashValue\\n| project LatestIndicatorTime, FileHashValue, FileHashType, Description, ThreatType, \\nCommonSecurityLog_TimeGenerated, SourceIP, SourcePort, DestinationIP, DestinationPort, SourceUserID, SourceUserName, DeviceName, DeviceAction, \\nRequestURL, DestinationUserName, DestinationUserID, ApplicationProtocol, Activity\\n| extend timestamp = CommonSecurityLog_TimeGenerated, IPCustomEntity = SourceIP, HostCustomEntity = DeviceName, AccountCustomEntity = SourceUserName\",\r\n \"queryFrequency\": \"PT1H\",\r\n \"queryPeriod\": \"P14D\",\r\n \"triggerOperator\": \"GreaterThan\",\r\n \"triggerThreshold\": 0,\r\n \"entityMappings\": [\r\n {\r\n \"entityType\": \"Account\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"FullName\",\r\n \"columnName\": \"AccountCustomEntity\"\r\n }\r\n ]\r\n },\r\n {\r\n \"entityType\": \"Host\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"FullName\",\r\n \"columnName\": \"HostCustomEntity\"\r\n }\r\n ]\r\n },\r\n {\r\n \"entityType\": \"IP\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"Address\",\r\n \"columnName\": \"IPCustomEntity\"\r\n }\r\n ]\r\n }\r\n ],\r\n \"displayName\": \"Microsoft COVID-19 file hash indicator matches\",\r\n \"description\": \"Identifies a match in CommonSecurityLog Event data from any FileHash published in the Microsoft COVID-19 Threat Intel Feed - as described at https://www.microsoft.com/security/blog/2020/05/14/open-sourcing-covid-threat-intelligence/\",\r\n \"tactics\": [\r\n \"Impact\"\r\n ],\r\n \"lastUpdatedDateUTC\": \"2020-11-17T00:00:00Z\",\r\n \"createdDateUTC\": \"2019-08-30T00:00:00Z\",\r\n \"status\": \"Available\",\r\n \"requiredDataConnectors\": [\r\n {\r\n \"connectorId\": \"PaloAltoNetworks\",\r\n \"dataTypes\": [\r\n \"CommonSecurityLog\"\r\n ]\r\n }\r\n ],\r\n \"alertRulesCreatedByTemplateCount\": 0\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/AlertRuleTemplates/884be6e7-e568-418e-9c12-89229865ffde\",\r\n \"name\": \"884be6e7-e568-418e-9c12-89229865ffde\",\r\n \"type\": \"Microsoft.SecurityInsights/AlertRuleTemplates\",\r\n \"kind\": \"Scheduled\",\r\n \"properties\": {\r\n \"severity\": \"Medium\",\r\n \"query\": \"let timeframe = ago(1h);\\nlet FailureThreshold = 15;\\nlet FailedLogins = Okta_CL\\n| where TimeGenerated > timeframe\\n| where eventType_s =~ \\\"user.session.start\\\" and outcome_reason_s =~ \\\"VERIFICATION_ERROR\\\"\\n| summarize count() by actor_alternateId_s, client_ipAddress_s, bin(TimeGenerated, 5m)\\n| where count_ > FailureThreshold\\n| project client_ipAddress_s, actor_alternateId_s;\\nOkta_CL\\n| where TimeGenerated > timeframe\\n| join kind=inner (FailedLogins) on client_ipAddress_s, actor_alternateId_s\\n| where eventType_s =~ \\\"user.session.start\\\" and outcome_reason_s =~ \\\"VERIFICATION_ERROR\\\"\\n| summarize count() by actor_alternateId_s, ClientIP = client_ipAddress_s, City = client_geographicalContext_city_s, Country = client_geographicalContext_country_s, published_t\\n| sort by published_t desc\\n| extend timestamp = published_t, IPCustomEntity = ClientIP, AccountCustomEntity = actor_alternateId_s\",\r\n \"queryFrequency\": \"PT1H\",\r\n \"queryPeriod\": \"PT1H\",\r\n \"triggerOperator\": \"GreaterThan\",\r\n \"triggerThreshold\": 0,\r\n \"entityMappings\": [\r\n {\r\n \"entityType\": \"Account\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"FullName\",\r\n \"columnName\": \"AccountCustomEntity\"\r\n }\r\n ]\r\n },\r\n {\r\n \"entityType\": \"IP\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"Address\",\r\n \"columnName\": \"IPCustomEntity\"\r\n }\r\n ]\r\n }\r\n ],\r\n \"displayName\": \"Failed Logins from Unknown or Invalid User\",\r\n \"description\": \"This query searches for numerous login attempts to the management console with an unknown or invalid user name\",\r\n \"tactics\": [\r\n \"CredentialAccess\"\r\n ],\r\n \"lastUpdatedDateUTC\": \"2020-11-17T00:00:00Z\",\r\n \"createdDateUTC\": \"2020-07-08T00:00:00Z\",\r\n \"status\": \"Available\",\r\n \"requiredDataConnectors\": [\r\n {\r\n \"connectorId\": \"OktaSSO\",\r\n \"dataTypes\": [\r\n \"Okta_CL\"\r\n ]\r\n }\r\n ],\r\n \"alertRulesCreatedByTemplateCount\": 0\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/AlertRuleTemplates/84ad2f8a-b64c-49bc-b669-bdb4fd3071e9\",\r\n \"name\": \"84ad2f8a-b64c-49bc-b669-bdb4fd3071e9\",\r\n \"type\": \"Microsoft.SecurityInsights/AlertRuleTemplates\",\r\n \"kind\": \"Scheduled\",\r\n \"properties\": {\r\n \"severity\": \"Low\",\r\n \"query\": \"eset_CL\\n| where event_type_s == 'FilteredWebsites_Event'\\n| extend AccountCustomEntity = username_s, URLCustomEntity = object_uri_s, HostCustomEntity = hostname_s, IPCustomEntity = ipv4_s\",\r\n \"queryFrequency\": \"PT5M\",\r\n \"queryPeriod\": \"PT5M\",\r\n \"triggerOperator\": \"GreaterThan\",\r\n \"triggerThreshold\": 0,\r\n \"entityMappings\": [\r\n {\r\n \"entityType\": \"Account\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"FullName\",\r\n \"columnName\": \"AccountCustomEntity\"\r\n }\r\n ]\r\n },\r\n {\r\n \"entityType\": \"Host\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"FullName\",\r\n \"columnName\": \"HostCustomEntity\"\r\n }\r\n ]\r\n },\r\n {\r\n \"entityType\": \"IP\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"Address\",\r\n \"columnName\": \"IPCustomEntity\"\r\n }\r\n ]\r\n },\r\n {\r\n \"entityType\": \"URL\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"Url\",\r\n \"columnName\": \"URLCustomEntity\"\r\n }\r\n ]\r\n }\r\n ],\r\n \"displayName\": \"Web sites blocked by Eset\",\r\n \"description\": \"Create alert on web sites blocked by Eset.\",\r\n \"tactics\": [\r\n \"Exfiltration\",\r\n \"CommandAndControl\",\r\n \"InitialAccess\"\r\n ],\r\n \"lastUpdatedDateUTC\": \"2020-11-17T00:00:00Z\",\r\n \"createdDateUTC\": \"2020-07-09T00:00:00Z\",\r\n \"status\": \"Available\",\r\n \"requiredDataConnectors\": [\r\n {\r\n \"connectorId\": \"EsetSMC\",\r\n \"dataTypes\": [\r\n \"eset_CL\"\r\n ]\r\n }\r\n ],\r\n \"alertRulesCreatedByTemplateCount\": 0\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/AlertRuleTemplates/a04cf847-a832-4c60-b687-b0b6147da219\",\r\n \"name\": \"a04cf847-a832-4c60-b687-b0b6147da219\",\r\n \"type\": \"Microsoft.SecurityInsights/AlertRuleTemplates\",\r\n \"kind\": \"Scheduled\",\r\n \"properties\": {\r\n \"severity\": \"High\",\r\n \"query\": \"let timeframe = 1d;\\nlet IPList = dynamic([\\\"45.63.52.41\\\",\\\"140.82.17.161\\\",\\\"207.148.101.95\\\",\\\"45.32.87.51\\\",\\\"66.42.98.156\\\",\\\"45.76.144.105\\\",\\\"217.163.28.35\\\",\\\"45.32.141.174\\\",\\\"149.28.165.249\\\",\\\"209.250.225.247\\\",\\\"45.63.100.115\\\",\\\"95.179.229.230\\\",\\\"209.250.233.247\\\",\\\"45.77.121.232\\\",\\\"45.76.175.65\\\",\\\"104.238.160.237\\\",\\\"45.77.181.97\\\",\\\"95.179.192.125\\\",\\\"149.28.93.184\\\",\\\"140.82.16.81\\\",\\\"45.76.173.103\\\",\\\"45.77.255.22\\\",\\\"45.32.11.71\\\",\\\"149.28.77.26\\\",\\\"45.32.54.50\\\",\\\"104.156.233.156\\\",\\\"45.32.21.118\\\",\\\"45.63.62.109\\\",\\\"45.77.244.202\\\",\\\"149.248.11.205\\\",\\\"104.238.190.244\\\"]);\\nlet IOCTerms = \\\"\\\\\\\\?lang=[/..]*/dev/cmdb/sslvpn_websession|/dana-na/jam/[/..]*home/webserver/htdocs/dana/html5acc/guacamole[/..]*etc/passwd\\\\\\\\?\\\";\\n(union isfuzzy=true\\n(CommonSecurityLog\\n| where TimeGenerated >= ago(1d) \\n| where isnotempty(SourceIP) or isnotempty(DestinationIP)\\n| where SourceIP in (IPList) or DestinationIP in (IPList) or Message has_any (IPList)\\n| extend IPMatch = case(\\nSourceIP in (IPList), \\\"SourceIP\\\", \\nDestinationIP in (IPList), \\\"DestinationIP\\\",\\n\\\"Message\\\") \\n| where Message matches regex IOCTerms\\n| summarize StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated) by SourceIP, DestinationIP, DeviceProduct, DeviceAction, Message, Protocol, SourcePort, DestinationPort, DeviceAddress, DeviceName, IPMatch\\n| extend timestamp = StartTimeUtc, IPCustomEntity = case(IPMatch == \\\"SourceIP\\\", SourceIP, IPMatch == \\\"DestinationIP\\\", DestinationIP, \\\"IP in Message Field\\\") \\n),\\n(OfficeActivity\\n| where TimeGenerated >= ago(1d) \\n| where isnotempty(UserAgent) and ClientIP in (IPList)\\n| where UserAgent contains \\\"ExchangeServicesClient/0.0.0.0\\\"\\n| summarize StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated) by SourceIP = ClientIP, Account = UserId, Type, RecordType, OfficeWorkload, UserAgent, OfficeObjectId, IPMatch = \\\"ClientIP\\\"\\n| extend timestamp = StartTimeUtc, AccountCustomEntity = Account, IPCustomEntity = SourceIP\\n)\\n)\",\r\n \"queryFrequency\": \"P1D\",\r\n \"queryPeriod\": \"P1D\",\r\n \"triggerOperator\": \"GreaterThan\",\r\n \"triggerThreshold\": 0,\r\n \"entityMappings\": [\r\n {\r\n \"entityType\": \"Account\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"FullName\",\r\n \"columnName\": \"AccountCustomEntity\"\r\n }\r\n ]\r\n },\r\n {\r\n \"entityType\": \"IP\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"Address\",\r\n \"columnName\": \"IPCustomEntity\"\r\n }\r\n ]\r\n }\r\n ],\r\n \"displayName\": \"Known Manganese IP and UserAgent activity\",\r\n \"description\": \"Matches IP plus UserAgent IOCs in OfficeActivity data, along with IP plus Connection string information in the CommonSecurityLog data related to Manganese group activity.\\nReferences: \\nhttps://kb.pulsesecure.net/articles/Pulse_Security_Advisories/SA44101/\\nhttps://fortiguard.com/psirt/FG-IR-18-384\",\r\n \"tactics\": [\r\n \"InitialAccess\",\r\n \"Collection\"\r\n ],\r\n \"lastUpdatedDateUTC\": \"2020-11-17T00:00:00Z\",\r\n \"createdDateUTC\": \"2019-10-02T00:00:00Z\",\r\n \"status\": \"Available\",\r\n \"requiredDataConnectors\": [\r\n {\r\n \"connectorId\": \"Office365\",\r\n \"dataTypes\": [\r\n \"OfficeActivity\"\r\n ]\r\n }\r\n ],\r\n \"alertRulesCreatedByTemplateCount\": 0\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/AlertRuleTemplates/4d500e6d-c984-43a3-9f39-7edec8dcc04d\",\r\n \"name\": \"4d500e6d-c984-43a3-9f39-7edec8dcc04d\",\r\n \"type\": \"Microsoft.SecurityInsights/AlertRuleTemplates\",\r\n \"kind\": \"Scheduled\",\r\n \"properties\": {\r\n \"severity\": \"Low\",\r\n \"query\": \"let timeRange = 1d;\\nlet scriptExtensions = dynamic([\\\".php\\\", \\\".aspx\\\", \\\".asp\\\", \\\".cfml\\\"]);\\n//The number of URI's seen to be suspicious, higher = less likely to be suspicious\\nlet uriThreshold = 1;\\nCommonSecurityLog\\n| where TimeGenerated >= ago(timeRange)\\n// Only look at connections that were allowed through the web proxy\\n| where DeviceVendor =~ \\\"Zscaler\\\" and DeviceAction =~ \\\"Allowed\\\"\\n// Only look where some data was exchanged.\\n| where SentBytes > 0 and ReceivedBytes > 0\\n// Extract the Domain\\n| extend Domain = iff(countof(DestinationHostName,'.') >= 2, strcat(split(DestinationHostName,'.')[-2], '.',split(DestinationHostName,'.')[-1]), DestinationHostName)\\n| extend GetData=iff(RequestURL == \\\"?\\\", 1, 0)\\n| summarize StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated), makelist(RequestURL), makelist(DestinationIP), makelist(SourceIP), numOfConnections = count(), make_set(RequestMethod), max(GetData), max(RequestContext) by Domain\\n// Determine the number of URIs that have been visited for the domain\\n| extend destinationURI = arraylength(list_RequestURL)\\n| where destinationURI <= uriThreshold\\n| where tostring(list_RequestURL) has_any(scriptExtensions)\\n//Remove matches with referer\\n| where max_RequestContext == \\\"\\\"\\n//Keep requests where data was trasferred either in a GET with parameters or a POST\\n| where set_RequestMethod in~ (\\\"POST\\\") or max_GetData == 1\\n//Defeat email click tracking, may increase FN's while decreasing FP's\\n| where list_RequestURL !has \\\"click\\\" and set_RequestMethod !has \\\"GET\\\"\\n| mvexpand list_RequestURL, list_DestinationIP\\n| extend RequestURL = tostring(list_RequestURL), DestinationIP = tostring(list_DestinationIP), ClientIP = tostring(list_SourceIP)\\n//Extend custom entitites for incidents\\n| extend timestamp = StartTimeUtc, IPCustomEntity = DestinationIP\\n| project-away list_RequestURL, list_DestinationIP, list_SourceIP, destinationURI, Domain, StartTimeUtc, EndTimeUtc, max_GetData, max_RequestContext\",\r\n \"queryFrequency\": \"P1D\",\r\n \"queryPeriod\": \"P1D\",\r\n \"triggerOperator\": \"GreaterThan\",\r\n \"triggerThreshold\": 0,\r\n \"entityMappings\": [\r\n {\r\n \"entityType\": \"IP\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"Address\",\r\n \"columnName\": \"IPCustomEntity\"\r\n }\r\n ]\r\n }\r\n ],\r\n \"displayName\": \"Request for single resource on domain\",\r\n \"description\": \"This will look for connections to a domain where only a single file is requested, this is unusual as most modern web applications require additional recources. This type of activity is often assocaited with malware beaconing or tracking URL's delivered in emails. Developed for Zscaler but applicable to any outbound web logging.\",\r\n \"tactics\": [\r\n \"CommandAndControl\"\r\n ],\r\n \"lastUpdatedDateUTC\": \"2020-11-17T00:00:00Z\",\r\n \"createdDateUTC\": \"2020-03-17T00:00:00Z\",\r\n \"status\": \"Available\",\r\n \"requiredDataConnectors\": [\r\n {\r\n \"connectorId\": \"Zscaler\",\r\n \"dataTypes\": [\r\n \"CommonSecurityLog\"\r\n ]\r\n }\r\n ],\r\n \"alertRulesCreatedByTemplateCount\": 0\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/AlertRuleTemplates/d6491be0-ab2d-439d-95d6-ad8ea39277c5\",\r\n \"name\": \"d6491be0-ab2d-439d-95d6-ad8ea39277c5\",\r\n \"type\": \"Microsoft.SecurityInsights/AlertRuleTemplates\",\r\n \"kind\": \"Scheduled\",\r\n \"properties\": {\r\n \"severity\": \"Low\",\r\n \"query\": \"let timeframe = 1d;\\nlet SensitiveOperationList = dynamic(\\n[\\\"VaultDelete\\\", \\\"KeyDelete\\\", \\\"SecretDelete\\\", \\\"SecretPurge\\\", \\\"KeyPurge\\\", \\\"SecretBackup\\\", \\\"KeyBackup\\\"]);\\nAzureDiagnostics\\n| where TimeGenerated > ago(timeframe)\\n| extend ResultType = columnifexists(\\\"ResultType\\\", \\\"NoResultType\\\")\\n| extend requestUri_s = columnifexists(\\\"requestUri_s\\\", \\\"None\\\"), identity_claim_http_schemas_microsoft_com_identity_claims_objectidentifier_g = columnifexists(\\\"identity_claim_http_schemas_microsoft_com_identity_claims_objectidentifier_g\\\", \\\"None\\\")\\n| extend id_s = columnifexists(\\\"id_s\\\", \\\"None\\\"), CallerIPAddress = columnifexists(\\\"CallerIPAddress\\\", \\\"None\\\"), clientInfo_s = columnifexists(\\\"clientInfo_s\\\", \\\"None\\\")\\n| where ResultType !~ \\\"None\\\" and isnotempty(ResultType)\\n| where identity_claim_http_schemas_microsoft_com_identity_claims_objectidentifier_g !~ \\\"None\\\" and isnotempty(identity_claim_http_schemas_microsoft_com_identity_claims_objectidentifier_g)\\n| where id_s !~ \\\"None\\\" and isnotempty(id_s)\\n| where CallerIPAddress !~ \\\"None\\\" and isnotempty(CallerIPAddress)\\n| where clientInfo_s !~ \\\"None\\\" and isnotempty(clientInfo_s)\\n| where requestUri_s !~ \\\"None\\\" and isnotempty(requestUri_s)\\n| where ResourceType =~ \\\"VAULTS\\\" and ResultType =~ \\\"Success\\\" \\n| where OperationName in~ (SensitiveOperationList) \\n| summarize EventCount=count(), StartTimeUtc=min(TimeGenerated), EndTimeUtc=max(TimeGenerated), TimeTriggered=makelist(TimeGenerated),OperationNameList=make_set(OperationName), RequestURLList=make_set(requestUri_s), CallerIPList = make_set(CallerIPAddress), CallerIPMax= arg_max(CallerIPAddress,*) by ResourceType, ResultType, Resource, id_s, identity_claim_http_schemas_microsoft_com_identity_claims_objectidentifier_g, clientInfo_s\\n| extend timestamp = StartTimeUtc, IPCustomEntity = CallerIPMax, AccountCustomEntity = identity_claim_http_schemas_microsoft_com_identity_claims_objectidentifier_g\",\r\n \"queryFrequency\": \"P1D\",\r\n \"queryPeriod\": \"P1D\",\r\n \"triggerOperator\": \"GreaterThan\",\r\n \"triggerThreshold\": 0,\r\n \"entityMappings\": [\r\n {\r\n \"entityType\": \"Account\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"FullName\",\r\n \"columnName\": \"AccountCustomEntity\"\r\n }\r\n ]\r\n },\r\n {\r\n \"entityType\": \"IP\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"Address\",\r\n \"columnName\": \"IPCustomEntity\"\r\n }\r\n ]\r\n }\r\n ],\r\n \"displayName\": \"Sensitive Azure Key Vault operations\",\r\n \"description\": \"Identifies when sensitive Azure Key Vault operations are used. This includes: VaultDelete, KeyDelete, KeyDecrypt, SecretDelete, SecretPurge, KeyPurge, SecretBackup, KeyBackup. \\nAny Backup operations should match with expected scheduled backup activity.\",\r\n \"tactics\": [\r\n \"Impact\"\r\n ],\r\n \"lastUpdatedDateUTC\": \"2020-11-17T00:00:00Z\",\r\n \"createdDateUTC\": \"2019-07-01T00:00:00Z\",\r\n \"status\": \"Available\",\r\n \"requiredDataConnectors\": [\r\n {\r\n \"connectorId\": \"WAF\",\r\n \"dataTypes\": [\r\n \"AzureDiagnostics\"\r\n ]\r\n }\r\n ],\r\n \"alertRulesCreatedByTemplateCount\": 0\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/AlertRuleTemplates/737a2ce1-70a3-4968-9e90-3e6aca836abf\",\r\n \"name\": \"737a2ce1-70a3-4968-9e90-3e6aca836abf\",\r\n \"type\": \"Microsoft.SecurityInsights/AlertRuleTemplates\",\r\n \"kind\": \"MLBehaviorAnalytics\",\r\n \"properties\": {\r\n \"severity\": \"Medium\",\r\n \"displayName\": \"(Preview) Anomalous RDP Login Detections\",\r\n \"description\": \"This detection uses machine learning (ML) to identify anomalous Remote Desktop Protocol (RDP) login activity, based on Windows Security Event data. Scenarios include:\\n\\n*\\tUnusual IP - This IP address has not or has rarely been seen in last 30 days.\\n*\\tUnusual Geo - The IP address, city, country and ASN have not (or rarely) been seen in last 30 days.\\n*\\tNew user - A new user logs in from an IP address and geo location, both or either of which are not expected to be seen in the last 30 days.\\n\\nAllow 7 days after this alert is enabled for Azure Sentinel to build a profile of normal activity for your environment.\\t\\n\\nThis detection requires a specific configuration of the data source. [Learn more](https://docs.microsoft.com/en-us/azure/sentinel/connect-windows-security-events)\",\r\n \"tactics\": [\r\n \"InitialAccess\"\r\n ],\r\n \"lastUpdatedDateUTC\": \"2020-07-16T00:00:00Z\",\r\n \"createdDateUTC\": \"2020-04-02T00:00:00Z\",\r\n \"status\": \"Available\",\r\n \"requiredDataConnectors\": [\r\n {\r\n \"connectorId\": \"SecurityEvents\",\r\n \"dataTypes\": [\r\n \"SecurityEvent\"\r\n ]\r\n }\r\n ],\r\n \"alertRulesCreatedByTemplateCount\": 0\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/AlertRuleTemplates/b8266f81-2715-41a6-9062-42486cbc9c73\",\r\n \"name\": \"b8266f81-2715-41a6-9062-42486cbc9c73\",\r\n \"type\": \"Microsoft.SecurityInsights/AlertRuleTemplates\",\r\n \"kind\": \"Scheduled\",\r\n \"properties\": {\r\n \"severity\": \"Medium\",\r\n \"query\": \"let timeframe = 1h;\\nlet threshold = 200;\\nInfobloxNIOS\\n| where TimeGenerated >= ago(timeframe)\\n| where ProcessName =~ \\\"named\\\" and Log_Type =~ \\\"client\\\"\\n| where isnotempty(ResponseCode)\\n| where ResponseCode =~ \\\"NXDOMAIN\\\"\\n| summarize count() by Client_IP, bin(TimeGenerated,15m)\\n| where count_ > threshold\\n| join kind=inner (InfobloxNIOS\\n | where TimeGenerated >= ago(timeframe)\\n | where ProcessName =~ \\\"named\\\" and Log_Type =~ \\\"client\\\"\\n | where isnotempty(ResponseCode)\\n | where ResponseCode =~ \\\"NXDOMAIN\\\"\\n ) on Client_IP\\n| extend timestamp = TimeGenerated, IPCustomEntity = Client_IP\",\r\n \"queryFrequency\": \"PT1H\",\r\n \"queryPeriod\": \"PT1H\",\r\n \"triggerOperator\": \"GreaterThan\",\r\n \"triggerThreshold\": 0,\r\n \"entityMappings\": [\r\n {\r\n \"entityType\": \"IP\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"Address\",\r\n \"columnName\": \"IPCustomEntity\"\r\n }\r\n ]\r\n }\r\n ],\r\n \"displayName\": \"Excessive NXDOMAIN DNS Queries\",\r\n \"description\": \"This creates an incident in the event a client generates excessive amounts of DNS queries for non-existent domains.\",\r\n \"tactics\": [\r\n \"CommandAndControl\"\r\n ],\r\n \"lastUpdatedDateUTC\": \"2020-11-17T00:00:00Z\",\r\n \"createdDateUTC\": \"2020-06-06T00:00:00Z\",\r\n \"status\": \"Available\",\r\n \"requiredDataConnectors\": [\r\n {\r\n \"connectorId\": \"InfobloxNIOS\",\r\n \"dataTypes\": [\r\n \"Syslog\"\r\n ]\r\n }\r\n ],\r\n \"alertRulesCreatedByTemplateCount\": 0\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/AlertRuleTemplates/48607a29-a26a-4abf-8078-a06dbdd174a4\",\r\n \"name\": \"48607a29-a26a-4abf-8078-a06dbdd174a4\",\r\n \"type\": \"Microsoft.SecurityInsights/AlertRuleTemplates\",\r\n \"kind\": \"Scheduled\",\r\n \"properties\": {\r\n \"severity\": \"Medium\",\r\n \"query\": \"let timeRange = 3d;\\nlet lookBack = 7d;\\nlet authenticationWindow = 20m;\\nlet authenticationThreshold = 5;\\nlet isGUID = \\\"[0-9a-z]{8}-[0-9a-z]{4}-[0-9a-z]{4}-[0-9a-z]{4}-[0-9a-z]{12}\\\";\\nlet failureCodes = dynamic([50053, 50126, 50055]); // invalid password, account is locked - too many sign ins, expired password\\nlet successCodes = dynamic([0, 50055, 50057, 50155, 50105, 50133, 50005, 50076, 50079, 50173, 50158, 50072, 50074, 53003, 53000, 53001, 50129]);\\n// Lookup up resolved identities from last 7 days\\nlet identityLookup = SigninLogs\\n| where TimeGenerated >= ago(lookBack)\\n| where not(Identity matches regex isGUID)\\n| where isnotempty(UserId)\\n| summarize by UserId, lu_UserDisplayName = UserDisplayName, lu_UserPrincipalName = UserPrincipalName;\\n// collect window threshold breaches\\nSigninLogs\\n| where TimeGenerated > ago(timeRange)\\n| where ResultType in(failureCodes)\\n| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated), make_set(ClientAppUsed), count() by bin(TimeGenerated, authenticationWindow), IPAddress, AppDisplayName, UserPrincipalName\\n| summarize FailedPrincipalCount = dcount(UserPrincipalName) by bin(TimeGenerated, authenticationWindow), IPAddress, AppDisplayName\\n| where FailedPrincipalCount >= authenticationThreshold\\n| summarize WindowThresholdBreaches = count() by IPAddress\\n| join kind= inner (\\n// where we breached a threshold, join the details back on all failure data\\n SigninLogs\\n| where TimeGenerated > ago(timeRange)\\n| where ResultType in(failureCodes)\\n| extend FullLocation = strcat(Location,'|', LocationDetails.state, '|', LocationDetails.city)\\n| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated), make_set(ClientAppUsed), make_set(FullLocation), FailureCount = count() by IPAddress, AppDisplayName, UserPrincipalName, UserDisplayName, Identity, UserId\\n// lookup any unresolved identities\\n| extend UnresolvedUserId = iff(Identity matches regex isGUID, UserId, \\\"\\\")\\n| join kind= leftouter (\\n identityLookup \\n) on $left.UnresolvedUserId==$right.UserId\\n| extend UserDisplayName=iff(isempty(lu_UserDisplayName), UserDisplayName, lu_UserDisplayName)\\n| extend UserPrincipalName=iff(isempty(lu_UserPrincipalName), UserPrincipalName, lu_UserPrincipalName)\\n| summarize StartTime = min(StartTime), EndTime = max(EndTime), make_set(UserPrincipalName), make_set(UserDisplayName), make_set(set_ClientAppUsed), make_set(set_FullLocation), make_list(FailureCount) by IPAddress, AppDisplayName\\n| extend FailedPrincipalCount = arraylength(set_UserPrincipalName)\\n) on IPAddress\\n| project IPAddress, StartTime, EndTime, TargetedApplication=AppDisplayName, FailedPrincipalCount, UserPrincipalNames=set_UserPrincipalName, UserDisplayNames=set_UserDisplayName, ClientAppsUsed=set_set_ClientAppUsed, Locations=set_set_FullLocation, FailureCountByPrincipal=list_FailureCount, WindowThresholdBreaches\\n| join kind= inner (\\nSigninLogs // get data on success vs. failure history for each IP\\n| where TimeGenerated > ago(timeRange)\\n| where ResultType in(successCodes) or ResultType in(failureCodes) // success or failure types\\n| summarize GlobalSuccessPrincipalCount = dcountif(UserPrincipalName, (ResultType in(successCodes))), ResultTypeSuccesses = make_set_if(ResultType, (ResultType in(successCodes))), GlobalFailPrincipalCount = dcountif(UserPrincipalName, (ResultType in(failureCodes))), ResultTypeFailures = make_set_if(ResultType, (ResultType in(failureCodes))) by IPAddress\\n| where GlobalFailPrincipalCount > GlobalSuccessPrincipalCount // where the number of failed principals is greater than success - eliminates FPs from IPs who authenticate successfully alot and as a side effect have alot of failures\\n) on IPAddress\\n| project-away IPAddress1\\n| extend timestamp=StartTime, IPCustomEntity = IPAddress\",\r\n \"queryFrequency\": \"P1D\",\r\n \"queryPeriod\": \"P1D\",\r\n \"triggerOperator\": \"GreaterThan\",\r\n \"triggerThreshold\": 0,\r\n \"entityMappings\": [\r\n {\r\n \"entityType\": \"IP\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"Address\",\r\n \"columnName\": \"IPCustomEntity\"\r\n }\r\n ]\r\n }\r\n ],\r\n \"displayName\": \"Password spray attack against Azure AD application\",\r\n \"description\": \"Identifies evidence of password spray activity against Azure AD applications by looking for failures from multiple accounts from the same\\nIP address within a time window. If the number of accounts breaches the threshold just once, all failures from the IP address within the time range\\nare bought into the result. Details on whether there were successful authentications by the IP address within the time window are also included.\\nThis can be an indicator that an attack was successful.\\nThe default failure acccount threshold is 5, Default time window for failures is 20m and default look back window is 3 days\\nNote: Due to the number of possible accounts involved in a password spray it is not possible to map identities to a custom entity.\\nReferences: https://docs.microsoft.com/azure/active-directory/reports-monitoring/reference-sign-ins-error-codes.\",\r\n \"tactics\": [\r\n \"CredentialAccess\"\r\n ],\r\n \"lastUpdatedDateUTC\": \"2020-11-17T00:00:00Z\",\r\n \"createdDateUTC\": \"2020-03-26T00:00:00Z\",\r\n \"status\": \"Available\",\r\n \"requiredDataConnectors\": [\r\n {\r\n \"connectorId\": \"AzureActiveDirectory\",\r\n \"dataTypes\": [\r\n \"SigninLogs\"\r\n ]\r\n }\r\n ],\r\n \"alertRulesCreatedByTemplateCount\": 0\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/AlertRuleTemplates/a3df4a32-4805-4c6d-8699-f3c888af2f67\",\r\n \"name\": \"a3df4a32-4805-4c6d-8699-f3c888af2f67\",\r\n \"type\": \"Microsoft.SecurityInsights/AlertRuleTemplates\",\r\n \"kind\": \"Scheduled\",\r\n \"properties\": {\r\n \"severity\": \"High\",\r\n \"query\": \"let TimeFrame = ago(1d);\\nlet Alert1 = \\nSecurityAlert\\n| where TimeGenerated > TimeFrame\\n| where AlertName == \\\"Unfamiliar sign-in properties\\\"\\n| extend UserPrincipalName = tostring(parse_json(ExtendedProperties).[\\\"User Account\\\"])\\n| extend Alert1Time = TimeGenerated\\n| extend Alert1 = AlertName\\n| extend Alert1Severity = AlertSeverity\\n;\\nlet Alert2 = \\nSecurityAlert\\n| where TimeGenerated > TimeFrame\\n| where AlertName == \\\"Atypical travel\\\"\\n| extend UserPrincipalName = tostring(parse_json(ExtendedProperties).[\\\"User Account\\\"])\\n| extend Alert2Time = TimeGenerated\\n| extend Alert2 = AlertName\\n| extend Alert2Severity = AlertSeverity\\n| extend CurrentLocation = strcat(tostring(parse_json(tostring(parse_json(Entities)[1].Location)).CountryCode), \\\"|\\\", tostring(parse_json(tostring(parse_json(Entities)[1].Location)).State), \\\"|\\\", tostring(parse_json(tostring(parse_json(Entities)[1].Location)).City))\\n| extend PreviousLocation = strcat(tostring(parse_json(tostring(parse_json(Entities)[2].Location)).CountryCode), \\\"|\\\", tostring(parse_json(tostring(parse_json(Entities)[2].Location)).State), \\\"|\\\", tostring(parse_json(tostring(parse_json(Entities)[2].Location)).City))\\n| extend CurrentIPAddress = tostring(parse_json(Entities)[1].Address)\\n| extend PreviousIPAddress = tostring(parse_json(Entities)[2].Address)\\n;\\nAlert1\\n| join kind=inner Alert2 on UserPrincipalName\\n| where abs(datetime_diff('minute', Alert1Time, Alert2Time)) <=10\\n| extend TimeDelta = Alert1Time - Alert2Time\\n| project UserPrincipalName, Alert1, Alert1Time, Alert1Severity, Alert2, Alert2Time, Alert2Severity, TimeDelta, CurrentLocation, PreviousLocation, CurrentIPAddress, PreviousIPAddress\\n| extend AccountCustomEntity = UserPrincipalName\\n| extend IPCustomEntity = CurrentIPAddress\",\r\n \"queryFrequency\": \"P1D\",\r\n \"queryPeriod\": \"P1D\",\r\n \"triggerOperator\": \"GreaterThan\",\r\n \"triggerThreshold\": 0,\r\n \"entityMappings\": [\r\n {\r\n \"entityType\": \"Account\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"FullName\",\r\n \"columnName\": \"AccountCustomEntity\"\r\n }\r\n ]\r\n },\r\n {\r\n \"entityType\": \"IP\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"Address\",\r\n \"columnName\": \"IPCustomEntity\"\r\n }\r\n ]\r\n }\r\n ],\r\n \"displayName\": \"Correlate Unfamiliar sign-in properties and atypical travel alerts\",\r\n \"description\": \"When a user has both an Unfamiliar sign-in properties alert and an Atypical travel alert within 20 minutes, the alert should be handled with a higher severity\",\r\n \"tactics\": [\r\n \"InitialAccess\"\r\n ],\r\n \"lastUpdatedDateUTC\": \"2020-11-17T00:00:00Z\",\r\n \"createdDateUTC\": \"2020-09-19T00:00:00Z\",\r\n \"status\": \"Available\",\r\n \"requiredDataConnectors\": [\r\n {\r\n \"connectorId\": \"AzureActiveDirectoryIdentityProtection\",\r\n \"dataTypes\": [\r\n \"SecurityAlert (IPC)\"\r\n ]\r\n }\r\n ],\r\n \"alertRulesCreatedByTemplateCount\": 0\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/AlertRuleTemplates/f8dad4e9-3f19-4d70-ab7f-8f19ccd43a3e\",\r\n \"name\": \"f8dad4e9-3f19-4d70-ab7f-8f19ccd43a3e\",\r\n \"type\": \"Microsoft.SecurityInsights/AlertRuleTemplates\",\r\n \"kind\": \"Scheduled\",\r\n \"properties\": {\r\n \"severity\": \"Medium\",\r\n \"query\": \"let timeframe = ago(1h);\\nlet threshold = 1;\\nAzureDiagnostics\\n | where TimeGenerated >= timeframe\\n | where OperationName in (\\\"AzureFirewallApplicationRuleLog\\\",\\\"AzureFirewallNetworkRuleLog\\\")\\n | extend msg_s_replaced0 = replace(@\\\"\\\\s\\\\s\\\",@\\\" \\\",msg_s)\\n | extend msg_s_replaced1 = replace(@\\\"\\\\.\\\\s\\\",@\\\" \\\",msg_s_replaced0)\\n | extend msg_a = split(msg_s_replaced1,\\\" \\\")\\n | extend srcAddr_a = split(msg_a[3],\\\":\\\") , destAddr_a = split(msg_a[5],\\\":\\\")\\n | extend protocol = tostring(msg_a[0]), srcIp = tostring(srcAddr_a[0]), srcPort = tostring(srcAddr_a[1]), destIp = tostring(destAddr_a[0]), destPort = tostring(destAddr_a[1]), action = tostring(msg_a[7])\\n | where action == \\\"Deny\\\"\\n | extend url = iff(destIp matches regex \\\"\\\\\\\\d+\\\\\\\\.\\\\\\\\d+\\\\\\\\.\\\\\\\\d+\\\\\\\\.\\\\\\\\d+\\\",\\\"\\\",destIp)\\n | summarize StartTime = min(TimeGenerated), count() by srcIp, destIp, url, action, protocol\\n | where count_ >= [\\\"threshold\\\"]\\n | extend timestamp = StartTime, URLCustomEntity = url, IPCustomEntity = srcIp\",\r\n \"queryFrequency\": \"PT1H\",\r\n \"queryPeriod\": \"PT1H\",\r\n \"triggerOperator\": \"GreaterThan\",\r\n \"triggerThreshold\": 1,\r\n \"entityMappings\": [\r\n {\r\n \"entityType\": \"IP\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"Address\",\r\n \"columnName\": \"IPCustomEntity\"\r\n }\r\n ]\r\n },\r\n {\r\n \"entityType\": \"URL\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"Url\",\r\n \"columnName\": \"URLCustomEntity\"\r\n }\r\n ]\r\n }\r\n ],\r\n \"displayName\": \"Several deny actions registered\",\r\n \"description\": \"Identifies attack pattern when attacker tries to move, or scan, from resource to resource on the network and creates an incident when a source has more than 1 registered deny action in Azure Firewall.\",\r\n \"tactics\": [\r\n \"Discovery\",\r\n \"LateralMovement\",\r\n \"CommandAndControl\"\r\n ],\r\n \"lastUpdatedDateUTC\": \"2020-11-17T00:00:00Z\",\r\n \"createdDateUTC\": \"2020-10-19T00:00:00Z\",\r\n \"status\": \"Available\",\r\n \"requiredDataConnectors\": [\r\n {\r\n \"connectorId\": \"AzureFirewall\",\r\n \"dataTypes\": [\r\n \"AzureDiagnostics\"\r\n ]\r\n }\r\n ],\r\n \"alertRulesCreatedByTemplateCount\": 0\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/AlertRuleTemplates/d25b1998-a592-4bc5-8a3a-92b39eedb1bc\",\r\n \"name\": \"d25b1998-a592-4bc5-8a3a-92b39eedb1bc\",\r\n \"type\": \"Microsoft.SecurityInsights/AlertRuleTemplates\",\r\n \"kind\": \"Scheduled\",\r\n \"properties\": {\r\n \"severity\": \"Low\",\r\n \"query\": \"let timeframe = 1d;\\nAWSCloudTrail\\n| where TimeGenerated > ago(timeframe)\\n| where EventName =~ \\\"ConsoleLogin\\\" \\n| extend MFAUsed = tostring(parse_json(AdditionalEventData).MFAUsed), LoginResult = tostring(parse_json(ResponseElements).ConsoleLogin)\\n| where MFAUsed !~ \\\"Yes\\\" and LoginResult !~ \\\"Failure\\\"\\n| summarize StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated) by EventName, EventTypeName, LoginResult, MFAUsed, UserIdentityAccountId, UserIdentityPrincipalid, UserAgent, \\nUserIdentityUserName, SessionMfaAuthenticated, SourceIpAddress, AWSRegion\\n| extend timestamp = StartTimeUtc, AccountCustomEntity = UserIdentityUserName, IPCustomEntity = SourceIpAddress\",\r\n \"queryFrequency\": \"P1D\",\r\n \"queryPeriod\": \"P1D\",\r\n \"triggerOperator\": \"GreaterThan\",\r\n \"triggerThreshold\": 0,\r\n \"entityMappings\": [\r\n {\r\n \"entityType\": \"Account\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"FullName\",\r\n \"columnName\": \"AccountCustomEntity\"\r\n }\r\n ]\r\n },\r\n {\r\n \"entityType\": \"IP\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"Address\",\r\n \"columnName\": \"IPCustomEntity\"\r\n }\r\n ]\r\n }\r\n ],\r\n \"displayName\": \"Login to AWS Management Console without MFA\",\r\n \"description\": \"Multi-Factor Authentication (MFA) helps you to prevent credential compromise. This alert identifies logins to the AWS Management Console without MFA.\\nYou can limit this detection to trigger for adminsitrative accounts if you do not have MFA enabled on all accounts.\\nThis is done by looking at the eventName ConsoleLogin and if the AdditionalEventData field indicates MFA was NOT used \\nand the ResponseElements field indicates NOT a Failure. Thereby indicating that a non-MFA login was successful.\",\r\n \"tactics\": [\r\n \"DefenseEvasion\",\r\n \"PrivilegeEscalation\",\r\n \"Persistence\",\r\n \"InitialAccess\"\r\n ],\r\n \"lastUpdatedDateUTC\": \"2020-11-17T00:00:00Z\",\r\n \"createdDateUTC\": \"2019-02-27T00:00:00Z\",\r\n \"status\": \"Available\",\r\n \"requiredDataConnectors\": [\r\n {\r\n \"connectorId\": \"AWS\",\r\n \"dataTypes\": [\r\n \"AWSCloudTrail\"\r\n ]\r\n }\r\n ],\r\n \"alertRulesCreatedByTemplateCount\": 0\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/AlertRuleTemplates/6c360107-f3ee-4b91-9f43-f4cfd90441cf\",\r\n \"name\": \"6c360107-f3ee-4b91-9f43-f4cfd90441cf\",\r\n \"type\": \"Microsoft.SecurityInsights/AlertRuleTemplates\",\r\n \"kind\": \"Scheduled\",\r\n \"properties\": {\r\n \"severity\": \"Low\",\r\n \"query\": \"let timeframe = 1d;\\nSecurityEvent\\n| where TimeGenerated >= ago(timeframe) \\n| where EventID == 4738\\n// 2089 value indicates the Don't Expire Password value has been set\\n| where UserAccountControl has \\\"%%2089\\\" \\n| extend Value_2089 = iff(UserAccountControl has \\\"%%2089\\\",\\\"'Don't Expire Password' - Disabled\\\", \\\"Not Changed\\\")\\n// 2050 indicates that the Password Not Required value is NOT set, this often shows up at the same time as a 2089 and is the recommended value. This value may not be in the event. \\n| extend Value_2050 = iff(UserAccountControl has \\\"%%2050\\\",\\\"'Password Not Required' - Disabled\\\", \\\"Not Changed\\\")\\n// If value %%2082 is present in the 4738 event, this indicates the account has been configured to logon WITHOUT a password. Generally you should only see this value when an account is created and only in Event 4720: Account Creation Event. \\n| extend Value_2082 = iff(UserAccountControl has \\\"%%2082\\\",\\\"'Password Not Required' - Enabled\\\", \\\"Not Changed\\\")\\n| project StartTimeUtc = TimeGenerated, EventID, Computer, TargetUserName, TargetDomainName, AccountType, UserAccountControl, Value_2089, Value_2050, Value_2082\\n| extend timestamp = StartTimeUtc, AccountCustomEntity = TargetUserName, HostCustomEntity = Computer\",\r\n \"queryFrequency\": \"P1D\",\r\n \"queryPeriod\": \"P1D\",\r\n \"triggerOperator\": \"GreaterThan\",\r\n \"triggerThreshold\": 0,\r\n \"entityMappings\": [\r\n {\r\n \"entityType\": \"Account\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"FullName\",\r\n \"columnName\": \"AccountCustomEntity\"\r\n }\r\n ]\r\n },\r\n {\r\n \"entityType\": \"Host\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"FullName\",\r\n \"columnName\": \"HostCustomEntity\"\r\n }\r\n ]\r\n }\r\n ],\r\n \"displayName\": \"AD account with don't expire password - disabled\",\r\n \"description\": \"Identifies whenever a user account has the setting \\\"Password Never Expires\\\" in the user account properties selected.\\nThis is indicated in Security event 4738 in the EventData item labeled UserAccountControl with an included value of %%2089 \\n%%2089 resolves to \\\"Don't Expire Password - Disabled\\\".\",\r\n \"tactics\": [\r\n \"Persistence\"\r\n ],\r\n \"lastUpdatedDateUTC\": \"2020-11-17T00:00:00Z\",\r\n \"createdDateUTC\": \"2019-01-28T00:00:00Z\",\r\n \"status\": \"Available\",\r\n \"requiredDataConnectors\": [\r\n {\r\n \"connectorId\": \"SecurityEvents\",\r\n \"dataTypes\": [\r\n \"SecurityEvent\"\r\n ]\r\n }\r\n ],\r\n \"alertRulesCreatedByTemplateCount\": 0\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/AlertRuleTemplates/7efc75ce-e2a4-400f-a8b1-283d3b0f2c60\",\r\n \"name\": \"7efc75ce-e2a4-400f-a8b1-283d3b0f2c60\",\r\n \"type\": \"Microsoft.SecurityInsights/AlertRuleTemplates\",\r\n \"kind\": \"Scheduled\",\r\n \"properties\": {\r\n \"severity\": \"Low\",\r\n \"query\": \"let timeframe = 1d;\\nlet WellKnownLocalSID = \\\"S-1-5-32-5[0-9][0-9]$\\\";\\nlet WellKnownGroupSID = \\\"S-1-5-21-[0-9]*-[0-9]*-[0-9]*-5[0-9][0-9]$|S-1-5-21-[0-9]*-[0-9]*-[0-9]*-1102$|S-1-5-21-[0-9]*-[0-9]*-[0-9]*-1103$|S-1-5-21-[0-9]*-[0-9]*-[0-9]*-498$|S-1-5-21-[0-9]*-[0-9]*-[0-9]*-1000$\\\";\\nlet AC_Add = \\nSecurityEvent\\n| where TimeGenerated >= ago(timeframe)\\n// Event ID related to member addition.\\n| where EventID in (4728, 4732,4756) \\n| where TargetSid matches regex WellKnownLocalSID or TargetSid matches regex WellKnownGroupSID \\n| parse EventData with * '\\\"MemberName\\\">' AccountAdded \\\",OU\\\" * \\n| where isnotempty(AccountAdded)\\n| extend GroupAddedTo = TargetUserName, AddingAccount = Account \\n| extend AccountAdded_GroupAddedTo_AddingAccount = strcat(AccountAdded, \\\"||\\\", GroupAddedTo, \\\"||\\\", AddingAccount )\\n| project AccountAdded_GroupAddedTo_AddingAccount, AccountAddedTime = TimeGenerated;\\nlet AC_Remove = \\nSecurityEvent\\n| where TimeGenerated >= ago(timeframe)\\n// Event IDs related to member removal.\\n| where EventID in (4729,4733,4757)\\n| where TargetSid matches regex WellKnownLocalSID or TargetSid matches regex WellKnownGroupSID \\n| parse EventData with * '\\\"MemberName\\\">' AccountRemoved \\\",OU\\\" * \\n| where isnotempty(AccountRemoved)\\n| extend GroupRemovedFrom = TargetUserName, RemovingAccount = Account\\n| extend AccountRemoved_GroupRemovedFrom_RemovingAccount = strcat(AccountRemoved, \\\"||\\\", GroupRemovedFrom, \\\"||\\\", RemovingAccount)\\n| project AccountRemoved_GroupRemovedFrom_RemovingAccount, AccountRemovedTime = TimeGenerated, Computer, RemovedAccountId = tolower(AccountRemoved), \\nRemovedByUser = SubjectUserName, RemovedByUserLogonId = SubjectLogonId, GroupRemovedFrom = TargetUserName, TargetDomainName; \\nAC_Add \\n| join kind= inner AC_Remove on $left.AccountAdded_GroupAddedTo_AddingAccount == $right.AccountRemoved_GroupRemovedFrom_RemovingAccount \\n| extend DurationinSecondAfter_Removed = datetime_diff ('second', AccountRemovedTime, AccountAddedTime)\\n| where DurationinSecondAfter_Removed > 0\\n| project-away AccountRemoved_GroupRemovedFrom_RemovingAccount\\n| extend timestamp = AccountAddedTime, AccountCustomEntity = RemovedAccountId, HostCustomEntity = Computer\",\r\n \"queryFrequency\": \"P1D\",\r\n \"queryPeriod\": \"P1D\",\r\n \"triggerOperator\": \"GreaterThan\",\r\n \"triggerThreshold\": 0,\r\n \"entityMappings\": [\r\n {\r\n \"entityType\": \"Account\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"FullName\",\r\n \"columnName\": \"AccountCustomEntity\"\r\n }\r\n ]\r\n },\r\n {\r\n \"entityType\": \"Host\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"FullName\",\r\n \"columnName\": \"HostCustomEntity\"\r\n }\r\n ]\r\n }\r\n ],\r\n \"displayName\": \"Account added and removed from privileged groups\",\r\n \"description\": \"Identifies accounts that are added to privileged group and then quickly removed, which could be a sign of compromise.' \",\r\n \"tactics\": [\r\n \"Persistence\",\r\n \"PrivilegeEscalation\"\r\n ],\r\n \"lastUpdatedDateUTC\": \"2020-11-17T00:00:00Z\",\r\n \"createdDateUTC\": \"2019-04-03T00:00:00Z\",\r\n \"status\": \"Available\",\r\n \"requiredDataConnectors\": [\r\n {\r\n \"connectorId\": \"SecurityEvents\",\r\n \"dataTypes\": [\r\n \"SecurityEvent\"\r\n ]\r\n }\r\n ],\r\n \"alertRulesCreatedByTemplateCount\": 0\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/AlertRuleTemplates/2ca4e7fc-c61a-49e5-9736-5da8035c47e0\",\r\n \"name\": \"2ca4e7fc-c61a-49e5-9736-5da8035c47e0\",\r\n \"type\": \"Microsoft.SecurityInsights/AlertRuleTemplates\",\r\n \"kind\": \"Scheduled\",\r\n \"properties\": {\r\n \"severity\": \"Medium\",\r\n \"query\": \"let timeframe = ago(1h);\\nlet threshold = 8;\\nCarbonBlackNotifications_CL\\n| where TimeGenerated > timeframe\\n| where threatHunterInfo_score_d >= threshold\\n| extend eventTime = datetime(1970-01-01) + tolong(threatHunterInfo_time_d/1000) * 1sec\\n| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated), count() by eventTime, Threat_Name = threatHunterInfo_reportName_s, Device_Name = deviceInfo_deviceName_s, Internal_IP = deviceInfo_internalIpAddress_s, External_IP = deviceInfo_externalIpAddress_s, Threat_Score = threatHunterInfo_score_d\\n| project-away count_\\n| extend timestamp = StartTime, HostCustomEntity = Device_Name, IPCustomEntity = Internal_IP\",\r\n \"queryFrequency\": \"PT1H\",\r\n \"queryPeriod\": \"PT1H\",\r\n \"triggerOperator\": \"GreaterThan\",\r\n \"triggerThreshold\": 0,\r\n \"entityMappings\": [\r\n {\r\n \"entityType\": \"Host\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"FullName\",\r\n \"columnName\": \"HostCustomEntity\"\r\n }\r\n ]\r\n },\r\n {\r\n \"entityType\": \"IP\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"Address\",\r\n \"columnName\": \"IPCustomEntity\"\r\n }\r\n ]\r\n }\r\n ],\r\n \"displayName\": \"Critical Threat Detected\",\r\n \"description\": \"This creates an incident in the event a critical threat was identified on a Carbon Black managed endpoint.\",\r\n \"tactics\": [\r\n \"LateralMovement\"\r\n ],\r\n \"lastUpdatedDateUTC\": \"2020-11-17T00:00:00Z\",\r\n \"createdDateUTC\": \"2020-06-20T00:00:00Z\",\r\n \"status\": \"Available\",\r\n \"requiredDataConnectors\": [\r\n {\r\n \"connectorId\": \"VMwareCarbonBlack\",\r\n \"dataTypes\": [\r\n \"CarbonBlackNotifications_CL\"\r\n ]\r\n }\r\n ],\r\n \"alertRulesCreatedByTemplateCount\": 0\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/AlertRuleTemplates/26a3b261-b997-4374-94ea-6c37f67f4f39\",\r\n \"name\": \"26a3b261-b997-4374-94ea-6c37f67f4f39\",\r\n \"type\": \"Microsoft.SecurityInsights/AlertRuleTemplates\",\r\n \"kind\": \"Scheduled\",\r\n \"properties\": {\r\n \"severity\": \"High\",\r\n \"query\": \"let timeframe = 1d;\\nlet DomainNames = dynamic([\\\"asyspy256.ddns.net\\\",\\\"hotkillmail9sddcc.ddns.net\\\",\\\"rosaf112.ddns.net\\\",\\\"cvdfhjh1231.myftp.biz\\\",\\\"sz2016rose.ddns.net\\\",\\\"dffwescwer4325.myftp.biz\\\",\\\"cvdfhjh1231.ddns.net\\\"]);\\nlet SHA1Hash = dynamic ([\\\"53a44c2396d15c3a03723fa5e5db54cafd527635\\\", \\\"9c5e496921e3bc882dc40694f1dcc3746a75db19\\\", \\\"aeb573accfd95758550cf30bf04f389a92922844\\\", \\\"79ef78a797403a4ed1a616c68e07fff868a8650a\\\", \\\"4f6f38b4cec35e895d91c052b1f5a83d665c2196\\\", \\\"1e8c2cac2e4ce7cbd33c3858eb2e24531cb8a84d\\\", \\\"e841a63e47361a572db9a7334af459ddca11347a\\\", \\\"c28f606df28a9bc8df75a4d5e5837fc5522dd34d\\\", \\\"2e94b305d6812a9f96e6781c888e48c7fb157b6b\\\", \\\"dd44133716b8a241957b912fa6a02efde3ce3025\\\", \\\"8793bf166cb89eb55f0593404e4e933ab605e803\\\", \\\"a39b57032dbb2335499a51e13470a7cd5d86b138\\\", \\\"41cc2b15c662bc001c0eb92f6cc222934f0beeea\\\", \\\"d209430d6af54792371174e70e27dd11d3def7a7\\\", \\\"1c6452026c56efd2c94cea7e0f671eb55515edb0\\\", \\\"c6b41d3afdcdcaf9f442bbe772f5da871801fd5a\\\", \\\"4923d460e22fbbf165bbbaba168e5a46b8157d9f\\\", \\\"f201504bd96e81d0d350c3a8332593ee1c9e09de\\\", \\\"ddd2db1127632a2a52943a2fe516a2e7d05d70d2\\\"]);\\nlet SHA256Hash = dynamic ([\\\"9ae7c4a4e1cfe9b505c3a47e66551eb1357affee65bfefb0109d02f4e97c06dd\\\", \\\"7772d624e1aed327abcd24ce2068063da0e31bb1d5d3bf2841fc977e198c6c5b\\\", \\\"657fc7e6447e0065d488a7db2caab13071e44741875044f9024ca843fe4e86b5\\\", \\\"2ef157a97e28574356e1d871abf75deca7d7a1ea662f38b577a06dd039dbae29\\\", \\\"52fd7b90d7144ac448af4008be639d4d45c252e51823f4311011af3207a5fc77\\\", \\\"a370e47cb97b35f1ae6590d14ada7561d22b4a73be0cb6df7e851d85054b1ac3\\\", \\\"5bf80b871278a29f356bd42af1e35428aead20cd90b0c7642247afcaaa95b022\\\", \\\"6f690ccfd54c2b02f0c3cb89c938162c10cbeee693286e809579c540b07ed883\\\", \\\"3c884f776fbd16597c072afd81029e8764dd57ee79d798829ca111f5e170bd8e\\\", \\\"1922a419f57afb351b58330ed456143cc8de8b3ebcbd236d26a219b03b3464d7\\\", \\\"fe0e4ef832b62d49b43433e10c47dc51072959af93963c790892efc20ec422f1\\\", \\\"7ce9e1c5562c8a5c93878629a47fe6071a35d604ed57a8f918f3eadf82c11a9c\\\", \\\"178d5ee8c04401d332af331087a80fb4e5e2937edfba7266f9be34a5029b6945\\\", \\\"51f70956fa8c487784fd21ab795f6ba2199b5c2d346acdeef1de0318a4c729d9\\\", \\\"889bca95f1a69e94aaade1e959ed0d3620531dc0fc563be9a8decf41899b4d79\\\", \\\"332ddaa00e2eb862742cb8d7e24ce52a5d38ffb22f6c8bd51162bd35e84d7ddf\\\", \\\"44bcf82fa536318622798504e8369e9dcdb32686b95fcb44579f0b4efa79df08\\\", \\\"63552772fdd8c947712a2cff00dfe25c7a34133716784b6d486227384f8cf3ef\\\", \\\"056744a3c371b5938d63c396fe094afce8fb153796a65afa5103e1bffd7ca070\\\"]);\\nlet SigNames = dynamic([\\\"TrojanDropper:Win32/BlackMould.A!dha\\\", \\\"Trojan:Win32/BlackMould.B!dha\\\", \\\"Trojan:Win32/QuarkBandit.A!dha\\\", \\\"Trojan:Win32/Sidelod.A!dha\\\"]);\\n(union isfuzzy=true\\n(CommonSecurityLog \\n| where TimeGenerated >= ago(timeframe) \\n| parse Message with * '(' DNSName ')' * \\n| where isnotempty(FileHash)\\n| where FileHash in (SHA256Hash) or DNSName in~ (DomainNames)\\n| extend Account = SourceUserID, Computer = DeviceName, IPAddress = SourceIP\\n),\\n(DnsEvents \\n| where TimeGenerated >= ago(timeframe) \\n| extend DNSName = Name\\n| where isnotempty(DNSName)\\n| where DNSName in~ (DomainNames)\\n| extend IPAddress = ClientIP\\n),\\n(VMConnection \\n| where TimeGenerated >= ago(timeframe) \\n| parse RemoteDnsCanonicalNames with * '[\\\"' DNSName '\\\"]' *\\n| where isnotempty(DNSName)\\n| where DNSName in~ (DomainNames)\\n| extend IPAddress = RemoteIp\\n),\\n(Event\\n//This query uses sysmon data depending on table name used this may need updataing\\n| where TimeGenerated >= ago(3d)\\n| where Source == \\\"Microsoft-Windows-Sysmon\\\"\\n| extend EvData = parse_xml(EventData)\\n| extend EventDetail = EvData.DataItem.EventData.Data\\n| extend Hashes = EventDetail.[16].[\\\"#text\\\"]\\n| parse Hashes with * 'SHA1=' SHA1 ',' * \\n| where isnotempty(Hashes)\\n| where Hashes in (SHA1Hash) \\n| extend Account = UserName\\n),\\n(SecurityAlert\\n| where TimeGenerated >= ago(timeframe)\\n| where Entities has_any (SigNames)\\n| extend Computer = tostring(parse_json(Entities)[0].HostName) \\n)\\n)\\n| extend timestamp = TimeGenerated, AccountCustomEntity = Account, HostCustomEntity = Computer, IPCustomEntity = IPAddress\",\r\n \"queryFrequency\": \"P1D\",\r\n \"queryPeriod\": \"P1D\",\r\n \"triggerOperator\": \"GreaterThan\",\r\n \"triggerThreshold\": 0,\r\n \"entityMappings\": [\r\n {\r\n \"entityType\": \"Account\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"FullName\",\r\n \"columnName\": \"AccountCustomEntity\"\r\n }\r\n ]\r\n },\r\n {\r\n \"entityType\": \"Host\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"FullName\",\r\n \"columnName\": \"HostCustomEntity\"\r\n }\r\n ]\r\n },\r\n {\r\n \"entityType\": \"IP\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"Address\",\r\n \"columnName\": \"IPCustomEntity\"\r\n }\r\n ]\r\n }\r\n ],\r\n \"displayName\": \"Known GALLIUM domains and hashes\",\r\n \"description\": \"GALLIUM command and control domains and hash values for tools and malware used by GALLIUM. \\n Matches domain name IOCs related to the GALLIUM activity group with CommonSecurityLog, DnsEvents, VMConnection and SecurityEvents dataTypes.\\n References: https://www.microsoft.com/security/blog/2019/12/12/gallium-targeting-global-telecom/ \",\r\n \"tactics\": [\r\n \"CommandAndControl\",\r\n \"CredentialAccess\"\r\n ],\r\n \"lastUpdatedDateUTC\": \"2020-11-17T00:00:00Z\",\r\n \"createdDateUTC\": \"2019-12-06T00:00:00Z\",\r\n \"status\": \"Available\",\r\n \"requiredDataConnectors\": [\r\n {\r\n \"connectorId\": \"DNS\",\r\n \"dataTypes\": [\r\n \"DnsEvents\"\r\n ]\r\n },\r\n {\r\n \"connectorId\": \"AzureMonitor(VMInsights)\",\r\n \"dataTypes\": [\r\n \"VMConnection\"\r\n ]\r\n },\r\n {\r\n \"connectorId\": \"CiscoASA\",\r\n \"dataTypes\": [\r\n \"CommonSecurityLog\"\r\n ]\r\n },\r\n {\r\n \"connectorId\": \"PaloAltoNetworks\",\r\n \"dataTypes\": [\r\n \"CommonSecurityLog\"\r\n ]\r\n },\r\n {\r\n \"connectorId\": \"SecurityEvents\",\r\n \"dataTypes\": [\r\n \"SecurityEvent\"\r\n ]\r\n }\r\n ],\r\n \"alertRulesCreatedByTemplateCount\": 0\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/AlertRuleTemplates/15ae38a2-2e29-48f7-883f-863fb25a5a06\",\r\n \"name\": \"15ae38a2-2e29-48f7-883f-863fb25a5a06\",\r\n \"type\": \"Microsoft.SecurityInsights/AlertRuleTemplates\",\r\n \"kind\": \"Scheduled\",\r\n \"properties\": {\r\n \"severity\": \"Medium\",\r\n \"query\": \"let starttime = 8d;\\nlet endtime = 1d;\\nlet threshold = 10;\\nDnsEvents \\n| where TimeGenerated > ago(endtime)\\n| where Name contains \\\"in-addr.arpa\\\" \\n| summarize StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated), dcount(Name) by ClientIP\\n| where dcount_Name > threshold\\n| project StartTimeUtc, EndTimeUtc, ClientIP , dcount_Name \\n| join kind=leftanti (DnsEvents \\n | where TimeGenerated between(ago(starttime)..ago(endtime))\\n | where Name contains \\\"in-addr.arpa\\\" \\n | summarize dcount(Name) by ClientIP, bin(TimeGenerated, 1d)\\n | where dcount_Name > threshold\\n | project ClientIP , dcount_Name \\n) on ClientIP\\n| extend timestamp = StartTimeUtc, IPCustomEntity = ClientIP\",\r\n \"queryFrequency\": \"P1D\",\r\n \"queryPeriod\": \"P8D\",\r\n \"triggerOperator\": \"GreaterThan\",\r\n \"triggerThreshold\": 0,\r\n \"entityMappings\": [\r\n {\r\n \"entityType\": \"IP\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"Address\",\r\n \"columnName\": \"IPCustomEntity\"\r\n }\r\n ]\r\n }\r\n ],\r\n \"displayName\": \"Rare client observed with high reverse DNS lookup count\",\r\n \"description\": \"Identifies clients with a high reverse DNS counts which could be carrying out reconnaissance or discovery activity.\\nAlert is generated if the IP performing such reverse DNS lookups was not seen doing so in the preceding 7-day period.\",\r\n \"tactics\": [\r\n \"Discovery\"\r\n ],\r\n \"lastUpdatedDateUTC\": \"2020-11-17T00:00:00Z\",\r\n \"createdDateUTC\": \"2019-02-07T00:00:00Z\",\r\n \"status\": \"Available\",\r\n \"requiredDataConnectors\": [\r\n {\r\n \"connectorId\": \"DNS\",\r\n \"dataTypes\": [\r\n \"DnsEvents\"\r\n ]\r\n }\r\n ],\r\n \"alertRulesCreatedByTemplateCount\": 0\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/AlertRuleTemplates/b2c15736-b9eb-4dae-8b02-3016b6a45a32\",\r\n \"name\": \"b2c15736-b9eb-4dae-8b02-3016b6a45a32\",\r\n \"type\": \"Microsoft.SecurityInsights/AlertRuleTemplates\",\r\n \"kind\": \"Scheduled\",\r\n \"properties\": {\r\n \"severity\": \"Medium\",\r\n \"query\": \"let starttime = 14d;\\nlet endtime = 1d;\\n// The number of operations below which an IP address is considered an unusual source of role assignment operations\\nlet alertOperationThreshold = 5;\\nlet createRoleAssignmentActivity = AzureActivity\\n| where OperationName == \\\"Create role assignment\\\";\\ncreateRoleAssignmentActivity \\n| where TimeGenerated between (ago(starttime) .. ago(endtime))\\n| summarize count() by CallerIpAddress, Caller\\n| where count_ >= alertOperationThreshold\\n| join kind = rightanti ( \\ncreateRoleAssignmentActivity\\n| where TimeGenerated > ago(endtime)\\n| summarize StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated), ActivityTimeStamp = makelist(TimeGenerated), ActivityStatus = makelist(ActivityStatus), \\nOperationIds = makelist(OperationId), CorrelationId = makelist(CorrelationId), ActivityCountByCallerIPAddress = count() \\nby ResourceId, CallerIpAddress, Caller, OperationName, Resource, ResourceGroup\\n) on CallerIpAddress, Caller\\n| extend timestamp = StartTimeUtc, AccountCustomEntity = Caller, IPCustomEntity = CallerIpAddress\",\r\n \"queryFrequency\": \"P1D\",\r\n \"queryPeriod\": \"P14D\",\r\n \"triggerOperator\": \"GreaterThan\",\r\n \"triggerThreshold\": 0,\r\n \"entityMappings\": [\r\n {\r\n \"entityType\": \"Account\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"FullName\",\r\n \"columnName\": \"AccountCustomEntity\"\r\n }\r\n ]\r\n },\r\n {\r\n \"entityType\": \"IP\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"Address\",\r\n \"columnName\": \"IPCustomEntity\"\r\n }\r\n ]\r\n }\r\n ],\r\n \"displayName\": \"Suspicious granting of permissions to an account\",\r\n \"description\": \"Identifies IPs from which users grant access to other users on azure resources and alerts when a previously unseen source IP address is used.\",\r\n \"tactics\": [\r\n \"Persistence\",\r\n \"PrivilegeEscalation\"\r\n ],\r\n \"lastUpdatedDateUTC\": \"2020-11-17T00:00:00Z\",\r\n \"createdDateUTC\": \"2019-02-05T00:00:00Z\",\r\n \"status\": \"Available\",\r\n \"requiredDataConnectors\": [\r\n {\r\n \"connectorId\": \"AzureActivity\",\r\n \"dataTypes\": [\r\n \"AzureActivity\"\r\n ]\r\n }\r\n ],\r\n \"alertRulesCreatedByTemplateCount\": 0\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/AlertRuleTemplates/194dd92e-d6e7-4249-85a5-273350a7f5ce\",\r\n \"name\": \"194dd92e-d6e7-4249-85a5-273350a7f5ce\",\r\n \"type\": \"Microsoft.SecurityInsights/AlertRuleTemplates\",\r\n \"kind\": \"Scheduled\",\r\n \"properties\": {\r\n \"severity\": \"Medium\",\r\n \"query\": \"let timeframe = 1d;\\nOfficeActivity\\n| where TimeGenerated >= ago(timeframe)\\n| where UserType in~ (\\\"Admin\\\",\\\"DcAdmin\\\") \\n// Only admin or global-admin can disable audit logging\\n| where Operation =~ \\\"Set-AdminAuditLogConfig\\\" \\n| extend AdminAuditLogEnabledValue = tostring(parse_json(tostring(parse_json(tostring(array_slice(parse_json(Parameters),3,3)))[0])).Value)\\n| where AdminAuditLogEnabledValue =~ \\\"False\\\" \\n| summarize StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated), OperationCount = count() by Operation, UserType, UserId, ClientIP, ResultStatus, Parameters, AdminAuditLogEnabledValue\\n| extend timestamp = StartTimeUtc, AccountCustomEntity = UserId, IPCustomEntity = ClientIP\",\r\n \"queryFrequency\": \"P1D\",\r\n \"queryPeriod\": \"P1D\",\r\n \"triggerOperator\": \"GreaterThan\",\r\n \"triggerThreshold\": 0,\r\n \"entityMappings\": [\r\n {\r\n \"entityType\": \"Account\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"FullName\",\r\n \"columnName\": \"AccountCustomEntity\"\r\n }\r\n ]\r\n },\r\n {\r\n \"entityType\": \"IP\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"Address\",\r\n \"columnName\": \"IPCustomEntity\"\r\n }\r\n ]\r\n }\r\n ],\r\n \"displayName\": \"Exchange AuditLog disabled\",\r\n \"description\": \"Identifies when the exchange audit logging has been disabled which may be an adversary attempt\\nto evade detection or avoid other defenses.\",\r\n \"tactics\": [\r\n \"DefenseEvasion\"\r\n ],\r\n \"lastUpdatedDateUTC\": \"2020-11-17T00:00:00Z\",\r\n \"createdDateUTC\": \"2019-04-15T00:00:00Z\",\r\n \"status\": \"Available\",\r\n \"requiredDataConnectors\": [\r\n {\r\n \"connectorId\": \"Office365\",\r\n \"dataTypes\": [\r\n \"OfficeActivity\"\r\n ]\r\n }\r\n ],\r\n \"alertRulesCreatedByTemplateCount\": 0\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/AlertRuleTemplates/ba144bf8-75b8-406f-9420-ed74397f9479\",\r\n \"name\": \"ba144bf8-75b8-406f-9420-ed74397f9479\",\r\n \"type\": \"Microsoft.SecurityInsights/AlertRuleTemplates\",\r\n \"kind\": \"Scheduled\",\r\n \"properties\": {\r\n \"severity\": \"Medium\",\r\n \"query\": \"let timeframe = 1d;\\n//Set a threshold of failed AAD signins from an IP address within 1 day above which we want to deem those logins suspicious.\\nlet signin_threshold = 5; \\n//Make a list of IPs with AAD signin failures above our threshold.\\nlet suspicious_signins = \\n SigninLogs\\n | where TimeGenerated >= ago(timeframe)\\n //Looking for logon failure results\\n | where ResultType !in (\\\"0\\\", \\\"50125\\\", \\\"50140\\\")\\n //Exclude localhost addresses to reduce the chance of FPs\\n | where IPAddress != \\\"127.0.0.1\\\"\\n | summarize count() by IPAddress\\n | where count_ > signin_threshold\\n | summarize make_list(IPAddress);\\n//See if any of those IPs have sucessfully logged into PA VPNs during the same timeperiod\\nCommonSecurityLog\\n | where TimeGenerated > ago(timeframe)\\n //Select only PA VPN sucessful logons\\n | where DeviceVendor == \\\"Palo Alto Networks\\\" and DeviceEventClassID == \\\"globalprotect\\\"\\n | where Message has \\\"GlobalProtect gateway user authentication succeeded\\\"\\n //Parse out the logon source IP from the Message field to match on\\n | extend SourceIP = extract(\\\"Login from: ([^,]+)\\\", 1, Message) \\n | where SourceIP in (suspicious_signins)\\n | extend Reason = \\\"Multiple failed AAD logins from SourceIP\\\"\\n //Parse out other useful information from Message field\\n | extend User = extract(\\\"User name: ([^,]+)\\\", 1, Message) \\n | extend ClientOS = extract(\\\"Client OS version: ([^,\\\\\\\"]+)\\\", 1, Message)\\n | extend Location = extract(\\\"Source region: ([^,]{2})\\\",1, Message)\\n | project TimeGenerated, Reason, SourceIP, User, ClientOS, Location, Message, DeviceName, ReceiptTime, DeviceVendor, DeviceEventClassID, Computer, FileName\\n | extend AccountCustomEntity = User, IPCustomEntity = SourceIP, timestamp = TimeGenerated, HostCustomEntity = DeviceName\",\r\n \"queryFrequency\": \"P1D\",\r\n \"queryPeriod\": \"P1D\",\r\n \"triggerOperator\": \"GreaterThan\",\r\n \"triggerThreshold\": 0,\r\n \"entityMappings\": [\r\n {\r\n \"entityType\": \"Account\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"FullName\",\r\n \"columnName\": \"AccountCustomEntity\"\r\n }\r\n ]\r\n },\r\n {\r\n \"entityType\": \"Host\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"FullName\",\r\n \"columnName\": \"HostCustomEntity\"\r\n }\r\n ]\r\n },\r\n {\r\n \"entityType\": \"IP\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"Address\",\r\n \"columnName\": \"IPCustomEntity\"\r\n }\r\n ]\r\n }\r\n ],\r\n \"displayName\": \"IP with multiple failed Azure AD logins successfully logs in to Palo Alto VPN\",\r\n \"description\": \"This query creates a list of IP addresses with a number failed login attempts to AAD \\nabove a set threshold. It then looks for any successful Palo Alto VPN logins from any\\nof these IPs within the same timeframe.\",\r\n \"tactics\": [\r\n \"InitialAccess\",\r\n \"CredentialAccess\"\r\n ],\r\n \"lastUpdatedDateUTC\": \"2020-11-17T00:00:00Z\",\r\n \"createdDateUTC\": \"2019-09-04T00:00:00Z\",\r\n \"status\": \"Available\",\r\n \"requiredDataConnectors\": [\r\n {\r\n \"connectorId\": \"AzureActiveDirectory\",\r\n \"dataTypes\": [\r\n \"SigninLogs\"\r\n ]\r\n },\r\n {\r\n \"connectorId\": \"PaloAltoNetworks\",\r\n \"dataTypes\": [\r\n \"CommonSecurityLog\"\r\n ]\r\n }\r\n ],\r\n \"alertRulesCreatedByTemplateCount\": 0\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/AlertRuleTemplates/62085097-d113-459f-9ea7-30216f2ee6af\",\r\n \"name\": \"62085097-d113-459f-9ea7-30216f2ee6af\",\r\n \"type\": \"Microsoft.SecurityInsights/AlertRuleTemplates\",\r\n \"kind\": \"Scheduled\",\r\n \"properties\": {\r\n \"severity\": \"Low\",\r\n \"query\": \"let starttime = 2d;\\nlet endtime = 1d;\\nSecurityEvent\\n// include yesterday and not today, so we can confirm a match occurs within the next day\\n| where TimeGenerated >= startofday(ago(starttime)) and TimeGenerated <= startofday(ago(endtime)) \\n// 4722: User Account Enabled\\n| where EventID == 4722 \\n// Removing Machine Accounts\\n| where TargetUserName !endswith \\\"$\\\" \\n| join kind= leftanti (\\n SecurityEvent\\n //verify over the last 2 days\\n | where TimeGenerated >= startofday(ago(starttime))\\n // Attempt made to change password\\n | where EventID == 4723\\n // Removing Machine Accounts\\n | where TargetUserName !endswith \\\"$\\\"\\n) on TargetUserName, TargetDomainName\\n| project StartTimeUtc = TimeGenerated, EventID, Computer, TargetUserName, TargetDomainName, SubjectUserName\\n| extend timestamp = StartTimeUtc, AccountCustomEntity = TargetUserName, HostCustomEntity = Computer\",\r\n \"queryFrequency\": \"P1D\",\r\n \"queryPeriod\": \"P2D\",\r\n \"triggerOperator\": \"GreaterThan\",\r\n \"triggerThreshold\": 0,\r\n \"entityMappings\": [\r\n {\r\n \"entityType\": \"Account\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"FullName\",\r\n \"columnName\": \"AccountCustomEntity\"\r\n }\r\n ]\r\n },\r\n {\r\n \"entityType\": \"Host\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"FullName\",\r\n \"columnName\": \"HostCustomEntity\"\r\n }\r\n ]\r\n }\r\n ],\r\n \"displayName\": \"AD user created password not set within 24-48 hours\",\r\n \"description\": \"Identifies whenever a new account is created with a default password and password is not changed within 24-48 hours.\\nSimple version, can be more precise with Windowing, but not necessary if run as an alert on a daily basis.\\nEffectively, there is an event 4722 indicating a user enabled and no event 4723 indicating a password was changed within in that day or the next day.\",\r\n \"tactics\": [\r\n \"Persistence\"\r\n ],\r\n \"lastUpdatedDateUTC\": \"2020-11-17T00:00:00Z\",\r\n \"createdDateUTC\": \"2019-01-28T00:00:00Z\",\r\n \"status\": \"Available\",\r\n \"requiredDataConnectors\": [\r\n {\r\n \"connectorId\": \"SecurityEvents\",\r\n \"dataTypes\": [\r\n \"SecurityEvent\"\r\n ]\r\n }\r\n ],\r\n \"alertRulesCreatedByTemplateCount\": 0\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/AlertRuleTemplates/4acd3a04-2fad-4efc-8a4b-51476594cec4\",\r\n \"name\": \"4acd3a04-2fad-4efc-8a4b-51476594cec4\",\r\n \"type\": \"Microsoft.SecurityInsights/AlertRuleTemplates\",\r\n \"kind\": \"Scheduled\",\r\n \"properties\": {\r\n \"severity\": \"Medium\",\r\n \"query\": \"let triThreshold = 500;\\nlet startTime = 6h;\\nlet dgaLengthThreshold = 8;\\n// fetch the alexa top 1M domains\\nlet top1M = (externaldata (Position:int, Domain:string) [@\\\"http://s3-us-west-1.amazonaws.com/umbrella-static/top-1m.csv.zip\\\"] with (format=\\\"csv\\\", zipPattern=\\\"*.csv\\\"));\\n// extract tri grams that are above our threshold - i.e. are common\\nlet triBaseline = top1M\\n| extend Domain = tolower(extract(\\\"([^.]*).{0,7}$\\\", 1, Domain))\\n| extend AllTriGrams = array_concat(extract_all(\\\"(...)\\\", Domain), extract_all(\\\"(...)\\\", substring(Domain, 1)), extract_all(\\\"(...)\\\", substring(Domain, 2)))\\n| mvexpand Trigram=AllTriGrams\\n| summarize triCount=count() by tostring(Trigram)\\n| sort by triCount desc\\n| where triCount > triThreshold\\n| distinct Trigram;\\n// collect domain information from common security log, filter and extract the DGA candidate and its trigrams\\nlet allDataSummarized = CommonSecurityLog\\n| where TimeGenerated > ago(startTime)\\n| where isnotempty(DestinationHostName)\\n| extend Name = tolower(DestinationHostName)\\n| distinct Name\\n| where Name has \\\".\\\"\\n| where Name !endswith \\\".home\\\" and Name !endswith \\\".lan\\\"\\n// extract DGA candidate\\n| extend DGADomain = extract(\\\"([^.]*).{0,7}$\\\", 1, Name)\\n| where strlen(DGADomain) > dgaLengthThreshold\\n// throw out domains with number in them\\n| where DGADomain matches regex \\\"^[A-Za-z]{0,}$\\\"\\n// extract the tri grams from summarized data\\n| extend AllTriGrams = array_concat(extract_all(\\\"(...)\\\", DGADomain), extract_all(\\\"(...)\\\", substring(DGADomain, 1)), extract_all(\\\"(...)\\\", substring(DGADomain, 2)));\\n// throw out domains that have repeating tri's and/or >=3 repeating letters\\nlet nonRepeatingTris = allDataSummarized\\n| join kind=leftanti\\n(\\n allDataSummarized\\n | mvexpand AllTriGrams\\n | summarize count() by tostring(AllTriGrams), DGADomain\\n | where count_ > 1\\n | distinct DGADomain\\n)\\non DGADomain;\\n// find domains that do not have a common tri in the baseline\\nlet dataWithRareTris = nonRepeatingTris\\n| join kind=leftanti\\n(\\n nonRepeatingTris\\n | mvexpand AllTriGrams\\n | extend Trigram = tostring(AllTriGrams)\\n | distinct Trigram, DGADomain\\n | join kind=inner\\n (\\n triBaseline\\n )\\n on Trigram\\n | distinct DGADomain\\n)\\non DGADomain;\\ndataWithRareTris\\n// join DGAs back on connection data\\n| join kind=inner\\n(\\n CommonSecurityLog\\n | where TimeGenerated > ago(startTime)\\n | where isnotempty(DestinationHostName)\\n | extend DestinationHostName = tolower(DestinationHostName)\\n | project-rename Name=DestinationHostName, DataSource=DeviceVendor\\n | summarize StartTime=min(TimeGenerated), EndTime=max(TimeGenerated) by Name, SourceIP, DestinationIP, DataSource\\n)\\non Name\\n| project StartTime, EndTime, Name, DGADomain, SourceIP, DestinationIP, DataSource\\n| extend timestamp=StartTime, IPCustomEntity=SourceIP\",\r\n \"queryFrequency\": \"PT6H\",\r\n \"queryPeriod\": \"PT6H\",\r\n \"triggerOperator\": \"GreaterThan\",\r\n \"triggerThreshold\": 0,\r\n \"entityMappings\": [\r\n {\r\n \"entityType\": \"IP\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"Address\",\r\n \"columnName\": \"IPCustomEntity\"\r\n }\r\n ]\r\n }\r\n ],\r\n \"displayName\": \"Possible contact with a domain generated by a DGA\",\r\n \"description\": \"Identifies contacts with domains names in CommonSecurityLog that might have been generated by a Domain Generation Algorithm (DGA). DGAs can be used\\nby malware to generate rendezvous points that are difficult to predict in advance. This detection uses the Alexa Top 1 million domain names to build a model\\nof what normal domains look like. It uses this to identify domains that may have been randomly generated by an algorithm.\\nThe triThreshold is set to 500 - increase this to report on domains that are less likely to have been randomly generated, decrease it for more likely.\\nThe start time and end time look back over 6 hours of data and the dgaLengthThreshold is set to 8 - meaning domains whose length is 8 or more are reported.\",\r\n \"tactics\": [\r\n \"CommandAndControl\"\r\n ],\r\n \"lastUpdatedDateUTC\": \"2020-11-17T00:00:00Z\",\r\n \"createdDateUTC\": \"2020-03-27T00:00:00Z\",\r\n \"status\": \"Available\",\r\n \"requiredDataConnectors\": [\r\n {\r\n \"connectorId\": \"Zscaler\",\r\n \"dataTypes\": [\r\n \"CommonSecurityLog\"\r\n ]\r\n },\r\n {\r\n \"connectorId\": \"Barracuda\",\r\n \"dataTypes\": [\r\n \"CommonSecurityLog\"\r\n ]\r\n },\r\n {\r\n \"connectorId\": \"CEF\",\r\n \"dataTypes\": [\r\n \"CommonSecurityLog\"\r\n ]\r\n },\r\n {\r\n \"connectorId\": \"CheckPoint\",\r\n \"dataTypes\": [\r\n \"CommonSecurityLog\"\r\n ]\r\n },\r\n {\r\n \"connectorId\": \"CiscoASA\",\r\n \"dataTypes\": [\r\n \"CommonSecurityLog\"\r\n ]\r\n },\r\n {\r\n \"connectorId\": \"F5\",\r\n \"dataTypes\": [\r\n \"CommonSecurityLog\"\r\n ]\r\n },\r\n {\r\n \"connectorId\": \"Fortinet\",\r\n \"dataTypes\": [\r\n \"CommonSecurityLog\"\r\n ]\r\n },\r\n {\r\n \"connectorId\": \"PaloAltoNetworks\",\r\n \"dataTypes\": [\r\n \"CommonSecurityLog\"\r\n ]\r\n }\r\n ],\r\n \"alertRulesCreatedByTemplateCount\": 0\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/AlertRuleTemplates/8ee967a2-a645-4832-85f4-72b635bcb3a6\",\r\n \"name\": \"8ee967a2-a645-4832-85f4-72b635bcb3a6\",\r\n \"type\": \"Microsoft.SecurityInsights/AlertRuleTemplates\",\r\n \"kind\": \"Scheduled\",\r\n \"properties\": {\r\n \"severity\": \"Medium\",\r\n \"query\": \"let timeframe = 1d;\\n//Adjust this threshold to fit the environment\\nlet signin_threshold = 5;\\n//Make a list of all IPs with failed signins to AAD above our threshold\\nlet suspicious_signins =\\nSigninLogs\\n| where TimeGenerated >= ago(timeframe)\\n| where ResultType !in (\\\"0\\\", \\\"50125\\\", \\\"50140\\\")\\n| where IPAddress != \\\"127.0.0.1\\\"\\n| summarize count() by IPAddress\\n| where count_ > signin_threshold\\n| summarize make_list(IPAddress);\\n//See if any of these IPs have sucessfully logged into *nix hosts\\nlet linux_logons =\\nSyslog\\n| where TimeGenerated >= ago(timeframe)\\n| where Facility contains \\\"auth\\\" and ProcessName != \\\"sudo\\\"\\n| where SyslogMessage has \\\"Accepted\\\"\\n| extend SourceIP = extract(\\\"(([0-9]{1,3})\\\\\\\\.([0-9]{1,3})\\\\\\\\.([0-9]{1,3})\\\\\\\\.(([0-9]{1,3})))\\\",1,SyslogMessage)\\n| where SourceIP in (suspicious_signins)\\n| extend Reason = \\\"Multiple failed AAD logins from IP address\\\"\\n| project TimeGenerated, Computer, HostIP, IpAddress = SourceIP, SyslogMessage, Facility, ProcessName, Reason;\\n//See if any of these IPs have sucessfully logged into Windows hosts\\nlet win_logons =\\nSecurityEvent\\n| where TimeGenerated >= ago(timeframe)\\n| where EventID == 4624\\n| where LogonType in (10, 7, 3)\\n| where IpAddress != \\\"-\\\"\\n| where IpAddress in (suspicious_signins)\\n| extend Reason = \\\"Multiple failed AAD logins from IP address\\\"\\n| project TimeGenerated, Account, AccountType, Computer, Activity, EventID, LogonProcessName, IpAddress, LogonTypeName, TargetUserSid, Reason;\\nunion isfuzzy=true linux_logons,win_logons\\n| extend timestamp = TimeGenerated, AccountCustomEntity = Account, IPCustomEntity = IpAddress, HostCustomEntity = Computer\",\r\n \"queryFrequency\": \"P1D\",\r\n \"queryPeriod\": \"P1D\",\r\n \"triggerOperator\": \"GreaterThan\",\r\n \"triggerThreshold\": 0,\r\n \"entityMappings\": [\r\n {\r\n \"entityType\": \"Account\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"FullName\",\r\n \"columnName\": \"AccountCustomEntity\"\r\n }\r\n ]\r\n },\r\n {\r\n \"entityType\": \"Host\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"FullName\",\r\n \"columnName\": \"HostCustomEntity\"\r\n }\r\n ]\r\n },\r\n {\r\n \"entityType\": \"IP\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"Address\",\r\n \"columnName\": \"IPCustomEntity\"\r\n }\r\n ]\r\n }\r\n ],\r\n \"displayName\": \"Failed AzureAD logons but success logon to host\",\r\n \"description\": \"Identifies a list of IP addresses with a minimum number (default of 5) of failed logon attempts to Azure Active Directory.\\nUses that list to identify any successful remote logons to hosts from these IPs within the same timeframe.\",\r\n \"tactics\": [\r\n \"InitialAccess\",\r\n \"CredentialAccess\"\r\n ],\r\n \"lastUpdatedDateUTC\": \"2020-11-17T00:00:00Z\",\r\n \"createdDateUTC\": \"2019-08-20T00:00:00Z\",\r\n \"status\": \"Available\",\r\n \"requiredDataConnectors\": [\r\n {\r\n \"connectorId\": \"AzureActiveDirectory\",\r\n \"dataTypes\": [\r\n \"SigninLogs\"\r\n ]\r\n },\r\n {\r\n \"connectorId\": \"SecurityEvents\",\r\n \"dataTypes\": [\r\n \"SecurityEvent\"\r\n ]\r\n },\r\n {\r\n \"connectorId\": \"Syslog\",\r\n \"dataTypes\": [\r\n \"Syslog\"\r\n ]\r\n }\r\n ],\r\n \"alertRulesCreatedByTemplateCount\": 0\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/AlertRuleTemplates/b3cfc7c0-092c-481c-a55b-34a3979758cb\",\r\n \"name\": \"b3cfc7c0-092c-481c-a55b-34a3979758cb\",\r\n \"type\": \"Microsoft.SecurityInsights/AlertRuleTemplates\",\r\n \"kind\": \"MicrosoftSecurityIncidentCreation\",\r\n \"properties\": {\r\n \"productFilter\": \"Microsoft Cloud App Security\",\r\n \"displayName\": \"Create incidents based on Microsoft Cloud App Security alerts\",\r\n \"description\": \"Create incidents based on all alerts generated in Microsoft Cloud App Security\",\r\n \"lastUpdatedDateUTC\": \"2019-07-16T00:00:00Z\",\r\n \"createdDateUTC\": \"2019-07-16T00:00:00Z\",\r\n \"status\": \"Available\",\r\n \"requiredDataConnectors\": [\r\n {\r\n \"connectorId\": \"MicrosoftCloudAppSecurity\",\r\n \"dataTypes\": [\r\n \"SecurityAlert (MCAS)\"\r\n ]\r\n }\r\n ],\r\n \"alertRulesCreatedByTemplateCount\": 0\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/AlertRuleTemplates/80733eb7-35b2-45b6-b2b8-3c51df258206\",\r\n \"name\": \"80733eb7-35b2-45b6-b2b8-3c51df258206\",\r\n \"type\": \"Microsoft.SecurityInsights/AlertRuleTemplates\",\r\n \"kind\": \"Scheduled\",\r\n \"properties\": {\r\n \"severity\": \"Low\",\r\n \"query\": \"let timeframe = 1d;\\nlet DomainList = dynamic([\\\"monerohash.com\\\", \\\"do-dear.com\\\", \\\"xmrminerpro.com\\\", \\\"secumine.net\\\", \\\"xmrpool.com\\\", \\\"minexmr.org\\\", \\\"hashanywhere.com\\\", \\\"xmrget.com\\\", \\n\\\"mininglottery.eu\\\", \\\"minergate.com\\\", \\\"moriaxmr.com\\\", \\\"multipooler.com\\\", \\\"moneropools.com\\\", \\\"xmrpool.eu\\\", \\\"coolmining.club\\\", \\\"supportxmr.com\\\",\\n\\\"minexmr.com\\\", \\\"hashvault.pro\\\", \\\"xmrpool.net\\\", \\\"crypto-pool.fr\\\", \\\"xmr.pt\\\", \\\"miner.rocks\\\", \\\"walpool.com\\\", \\\"herominers.com\\\", \\\"gntl.co.uk\\\", \\\"semipool.com\\\", \\n\\\"coinfoundry.org\\\", \\\"cryptoknight.cc\\\", \\\"fairhash.org\\\", \\\"baikalmine.com\\\", \\\"tubepool.xyz\\\", \\\"fairpool.xyz\\\", \\\"asiapool.io\\\", \\\"coinpoolit.webhop.me\\\", \\\"nanopool.org\\\", \\n\\\"moneropool.com\\\", \\\"miner.center\\\", \\\"prohash.net\\\", \\\"poolto.be\\\", \\\"cryptoescrow.eu\\\", \\\"monerominers.net\\\", \\\"cryptonotepool.org\\\", \\\"extrmepool.org\\\", \\\"webcoin.me\\\", \\n\\\"kippo.eu\\\", \\\"hashinvest.ws\\\", \\\"monero.farm\\\", \\\"supportxmr.com\\\", \\\"xmrpool.eu\\\", \\\"linux-repository-updates.com\\\", \\\"1gh.com\\\", \\\"dwarfpool.com\\\", \\\"hash-to-coins.com\\\", \\n\\\"hashvault.pro\\\", \\\"pool-proxy.com\\\", \\\"hashfor.cash\\\", \\\"fairpool.cloud\\\", \\\"litecoinpool.org\\\", \\\"mineshaft.ml\\\", \\\"abcxyz.stream\\\", \\\"moneropool.ru\\\", \\\"cryptonotepool.org.uk\\\",\\n\\\"extremepool.org\\\", \\\"extremehash.com\\\", \\\"hashinvest.net\\\", \\\"unipool.pro\\\", \\\"crypto-pools.org\\\", \\\"monero.net\\\", \\\"backup-pool.com\\\", \\\"mooo.com\\\", \\\"freeyy.me\\\", \\\"cryptonight.net\\\",\\n\\\"shscrypto.net\\\"]);\\nSyslog\\n| where TimeGenerated >= ago(timeframe)\\n| where ProcessName contains \\\"squid\\\"\\n| extend URL = extract(\\\"(([A-Z]+ [a-z]{4,5}:\\\\\\\\/\\\\\\\\/)|[A-Z]+ )([^ :]*)\\\",3,SyslogMessage), \\n SourceIP = extract(\\\"([0-9]+ )(([0-9]{1,3})\\\\\\\\.([0-9]{1,3})\\\\\\\\.([0-9]{1,3})\\\\\\\\.([0-9]{1,3}))\\\",2,SyslogMessage), \\n Status = extract(\\\"(TCP_(([A-Z]+)(_[A-Z]+)*)|UDP_(([A-Z]+)(_[A-Z]+)*))\\\",1,SyslogMessage), \\n HTTP_Status_Code = extract(\\\"(TCP_(([A-Z]+)(_[A-Z]+)*)|UDP_(([A-Z]+)(_[A-Z]+)*))/([0-9]{3})\\\",8,SyslogMessage),\\n User = extract(\\\"(CONNECT |GET )([^ ]* )([^ ]+)\\\",3,SyslogMessage),\\n RemotePort = extract(\\\"(CONNECT |GET )([^ ]*)(:)([0-9]*)\\\",4,SyslogMessage),\\n Domain = extract(\\\"(([A-Z]+ [a-z]{4,5}:\\\\\\\\/\\\\\\\\/)|[A-Z]+ )([^ :\\\\\\\\/]*)\\\",3,SyslogMessage),\\n Bytes = toint(extract(\\\"([A-Z]+\\\\\\\\/[0-9]{3} )([0-9]+)\\\",2,SyslogMessage)),\\n contentType = extract(\\\"([a-z/]+$)\\\",1,SyslogMessage)\\n| extend TLD = extract(\\\"\\\\\\\\.[a-z]*$\\\",0,Domain)\\n| where HTTP_Status_Code == '200'\\n| where Domain contains \\\".\\\"\\n| where Domain has_any (DomainList)\\n| extend timestamp = TimeGenerated, URLCustomEntity = URL, IPCustomEntity = SourceIP, AccountCustomEntity = User\",\r\n \"queryFrequency\": \"P1D\",\r\n \"queryPeriod\": \"P1D\",\r\n \"triggerOperator\": \"GreaterThan\",\r\n \"triggerThreshold\": 0,\r\n \"entityMappings\": [\r\n {\r\n \"entityType\": \"Account\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"FullName\",\r\n \"columnName\": \"AccountCustomEntity\"\r\n }\r\n ]\r\n },\r\n {\r\n \"entityType\": \"IP\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"Address\",\r\n \"columnName\": \"IPCustomEntity\"\r\n }\r\n ]\r\n },\r\n {\r\n \"entityType\": \"URL\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"Url\",\r\n \"columnName\": \"URLCustomEntity\"\r\n }\r\n ]\r\n }\r\n ],\r\n \"displayName\": \"Squid proxy events related to mining pools\",\r\n \"description\": \"Checks for Squid proxy events in Syslog associated with common mining pools .This query presumes the default Squid log format is being used. \\n http://www.squid-cache.org/Doc/config/access_log/\",\r\n \"tactics\": [\r\n \"CommandAndControl\"\r\n ],\r\n \"lastUpdatedDateUTC\": \"2020-11-17T00:00:00Z\",\r\n \"createdDateUTC\": \"2019-07-12T00:00:00Z\",\r\n \"status\": \"Available\",\r\n \"requiredDataConnectors\": [\r\n {\r\n \"connectorId\": \"Syslog\",\r\n \"dataTypes\": [\r\n \"Syslog\"\r\n ]\r\n }\r\n ],\r\n \"alertRulesCreatedByTemplateCount\": 0\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/AlertRuleTemplates/04384937-e927-4595-8f3c-89ff58ed231f\",\r\n \"name\": \"04384937-e927-4595-8f3c-89ff58ed231f\",\r\n \"type\": \"Microsoft.SecurityInsights/AlertRuleTemplates\",\r\n \"kind\": \"Scheduled\",\r\n \"properties\": {\r\n \"severity\": \"Low\",\r\n \"query\": \"let detectionTime = 30d;\\nlet IPs = dynamic ([\\\"199.249.230.\\\",\\\"185.220.101.\\\",\\\"23.129.64.\\\",\\\"109.70.100.\\\",\\\"185.220.102.\\\"]);\\nOfficeActivity\\n| where TimeGenerated > ago(detectionTime)\\n| where RecordType in (\\\"AzureActiveDirectoryAccountLogon\\\", \\\"AzureActiveDirectoryStsLogon\\\") \\n| where Operation != 'UserLoggedIn'\\n| extend UserAgent = iff(parse_json(ExtendedProperties)[0].Name =~ \\\"UserAgent\\\", extractjson(\\\"$[0].Value\\\", ExtendedProperties, typeof(string)),\\\"\\\")\\n| mv-expand parse_json(ExtendedProperties)\\n| where ExtendedProperties.Name =~ \\\"RequestType\\\"\\n| extend RequestType = ExtendedProperties.Value\\n| where ClientIP has_any (IPs)\\n| summarize authAttempts=dcount(TimeGenerated), firstAttempt=min(TimeGenerated), lastAttempt=max(TimeGenerated), uniqueIPs=dcount(ClientIP), uniqueAccounts=dcount(UserId), attemptedAccounts=make_set(UserId) by UserAgent\\n| where authAttempts > 2500\\n| extend timestamp = firstAttempt\\n| sort by uniqueAccounts\",\r\n \"queryFrequency\": \"P7D\",\r\n \"queryPeriod\": \"P14D\",\r\n \"triggerOperator\": \"GreaterThan\",\r\n \"triggerThreshold\": 0,\r\n \"displayName\": \"Possible STRONTIUM attempted credential harvesting\",\r\n \"description\": \"Surfaces potential STRONTIUM group Office365 credential harvesting attempts within OfficeActivity Logon events.\\nReferences: https://www.microsoft.com/security/blog/2020/09/10/strontium-detecting-new-patters-credential-harvesting/.\",\r\n \"tactics\": [\r\n \"CredentialAccess\"\r\n ],\r\n \"lastUpdatedDateUTC\": \"2020-11-05T00:00:00Z\",\r\n \"createdDateUTC\": \"2020-09-10T00:00:00Z\",\r\n \"status\": \"Available\",\r\n \"requiredDataConnectors\": [\r\n {\r\n \"connectorId\": \"Office365\",\r\n \"dataTypes\": [\r\n \"OfficeActivity\"\r\n ]\r\n }\r\n ],\r\n \"alertRulesCreatedByTemplateCount\": 0\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/AlertRuleTemplates/2d3e33c6-d8e6-4b51-92d6-dbe8bd9efb05\",\r\n \"name\": \"2d3e33c6-d8e6-4b51-92d6-dbe8bd9efb05\",\r\n \"type\": \"Microsoft.SecurityInsights/AlertRuleTemplates\",\r\n \"kind\": \"Anomaly\",\r\n \"properties\": {\r\n \"severity\": \"Informational\",\r\n \"anomalyDefinitionVersion\": \"1.0.0\",\r\n \"techniques\": [\r\n \"Unknown\"\r\n ],\r\n \"customizableObservations\": {\r\n \"multiSelectObservations\": [\r\n {\r\n \"supportedValues\": [\r\n \"Fraction of Failed Signins\",\r\n \"(Log10) Number of Failed Signins\",\r\n \"(Log10) Failed Signins to (Log10) Successful Signins Ratio\",\r\n \"(Log10) Number of Signins with Incorrect Passwords\",\r\n \"(Log10) Incorrect Passwords to (Log10) Correct Passwords Ratio\",\r\n \"Fraction of Incorrect Password Signins\",\r\n \"Distinct Number of App Ids\",\r\n \"Distinct Number of Client Apps\",\r\n \"Distinct Number of Ip Addresses\",\r\n \"Distinct Number of Opperating Systems\",\r\n \"Distinct Number of Browsers\",\r\n \"Distinct Number of Cities\",\r\n \"Distinct Number of States\",\r\n \"Distinct Number of Countries\"\r\n ],\r\n \"values\": [\r\n \"Fraction of Failed Signins\",\r\n \"(Log10) Number of Failed Signins\",\r\n \"(Log10) Failed Signins to (Log10) Successful Signins Ratio\",\r\n \"(Log10) Number of Signins with Incorrect Passwords\",\r\n \"(Log10) Incorrect Passwords to (Log10) Correct Passwords Ratio\",\r\n \"Fraction of Incorrect Password Signins\",\r\n \"Distinct Number of App Ids\",\r\n \"Distinct Number of Client Apps\",\r\n \"Distinct Number of Ip Addresses\",\r\n \"Distinct Number of Opperating Systems\",\r\n \"Distinct Number of Browsers\",\r\n \"Distinct Number of Cities\",\r\n \"Distinct Number of States\",\r\n \"Distinct Number of Countries\"\r\n ],\r\n \"supportedValuesKql\": null,\r\n \"valuesKql\": null,\r\n \"name\": \"Top Reason for High Reconstruction Error\",\r\n \"description\": \"Include only anomalies where the top reason is one of these values.\",\r\n \"sequenceNumber\": 0,\r\n \"rerun\": \"RerunAlways\"\r\n }\r\n ],\r\n \"singleSelectObservations\": null,\r\n \"prioritizeExcludeObservations\": null,\r\n \"thresholdObservations\": [\r\n {\r\n \"minimum\": \"0.0\",\r\n \"maximum\": \"1.0\",\r\n \"value\": \"0.5\",\r\n \"name\": \"Reconstruction Error Score\",\r\n \"description\": \"Generate an anomaly when the reconstruction error score is greater than or equal to the chosen value.\",\r\n \"sequenceNumber\": 0,\r\n \"rerun\": \"RerunAlways\"\r\n }\r\n ]\r\n },\r\n \"frequency\": \"P1D\",\r\n \"displayName\": \"(Preview) Anomalous AAD Signin-Logs Sessions\",\r\n \"description\": \"The signin-logs are grouped into sessions on a per-user basis.\\nAn autoencoder is trained on the previous 6 days worth of sessions and is then applied to sessions from the last 1 day.\\nThe sessions with high reconstruction errors are assumed to be anomalous.\",\r\n \"tactics\": [\r\n \"InitialAccess\"\r\n ],\r\n \"lastUpdatedDateUTC\": \"2020-11-02T00:00:00Z\",\r\n \"createdDateUTC\": \"2020-11-02T00:00:00Z\",\r\n \"status\": \"Available\",\r\n \"requiredDataConnectors\": [\r\n {\r\n \"connectorId\": \"AzureActiveDirectory\",\r\n \"dataTypes\": [\r\n \"SigninLogs\"\r\n ]\r\n }\r\n ],\r\n \"alertRulesCreatedByTemplateCount\": 0\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/AlertRuleTemplates/23de46ea-c425-4a77-b456-511ae4855d69\",\r\n \"name\": \"23de46ea-c425-4a77-b456-511ae4855d69\",\r\n \"type\": \"Microsoft.SecurityInsights/AlertRuleTemplates\",\r\n \"kind\": \"Scheduled\",\r\n \"properties\": {\r\n \"severity\": \"Low\",\r\n \"query\": \"let starttime = 14d;\\nlet endtime = 1d;\\n// The number of operations below which an IP address is considered an unusual source of role assignment operations\\nlet alertOperationThreshold = 5;\\nlet SensitiveOperationList = dynamic(\\n[\\\"List keys\\\", \\\"List Storage Account Keys\\\", \\\"Register Subscription\\\", \\\"Create or Update Snapshot\\\", \\\"Create or Update Network Security Group\\\"]);\\nlet SensitiveActivity = AzureActivity\\n| where OperationName in~ (SensitiveOperationList)\\n| where ActivityStatus =~ \\\"Succeeded\\\";\\nSensitiveActivity\\n| where TimeGenerated between (ago(starttime) .. ago(endtime))\\n| summarize count() by CallerIpAddress, Caller\\n| where count_ >= alertOperationThreshold\\n| join kind = rightanti ( \\nSensitiveActivity\\n| where TimeGenerated >= ago(endtime)\\n| summarize StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated), ActivityTimeStamp = makelist(TimeGenerated), ActivityStatus = makelist(ActivityStatus), \\nOperationIds = makelist(OperationId), CorrelationIds = makelist(CorrelationId), Resources = makelist(Resource), ResourceGroups = makelist(ResourceGroup), ResourceIds = makelist(ResourceId), ActivityCountByCallerIPAddress = count() \\nby CallerIpAddress, Caller, OperationName\\n) on CallerIpAddress, Caller\\n| extend timestamp = StartTimeUtc, AccountCustomEntity = Caller, IPCustomEntity = CallerIpAddress\",\r\n \"queryFrequency\": \"P1D\",\r\n \"queryPeriod\": \"P14D\",\r\n \"triggerOperator\": \"GreaterThan\",\r\n \"triggerThreshold\": 0,\r\n \"entityMappings\": [\r\n {\r\n \"entityType\": \"Account\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"FullName\",\r\n \"columnName\": \"AccountCustomEntity\"\r\n }\r\n ]\r\n },\r\n {\r\n \"entityType\": \"IP\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"Address\",\r\n \"columnName\": \"IPCustomEntity\"\r\n }\r\n ]\r\n }\r\n ],\r\n \"displayName\": \"Rare subscription-level operations in Azure\",\r\n \"description\": \"This query looks for a few sensitive subscription-level events based on Azure Activity Logs. \\n For example this monitors for the operation name 'Create or Update Snapshot' which is used for creating backups but could be misused by attackers \\n to dump hashes or extract sensitive information from the disk.\",\r\n \"tactics\": [\r\n \"CredentialAccess\",\r\n \"Persistence\"\r\n ],\r\n \"lastUpdatedDateUTC\": \"2020-11-17T00:00:00Z\",\r\n \"createdDateUTC\": \"2019-08-24T00:00:00Z\",\r\n \"status\": \"Available\",\r\n \"requiredDataConnectors\": [\r\n {\r\n \"connectorId\": \"AzureActivity\",\r\n \"dataTypes\": [\r\n \"AzureActivity\"\r\n ]\r\n }\r\n ],\r\n \"alertRulesCreatedByTemplateCount\": 0\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/AlertRuleTemplates/074ce265-f684-41cd-af07-613c5f3e6d0d\",\r\n \"name\": \"074ce265-f684-41cd-af07-613c5f3e6d0d\",\r\n \"type\": \"Microsoft.SecurityInsights/AlertRuleTemplates\",\r\n \"kind\": \"Scheduled\",\r\n \"properties\": {\r\n \"severity\": \"High\",\r\n \"query\": \"let timeframe = 1d;\\nlet DomainNames = dynamic([\\\"irf.services\\\",\\\"microsoft-onthehub.com\\\",\\\"msofficelab.com\\\",\\\"com-mailbox.com\\\",\\\"my-sharefile.com\\\",\\\"my-sharepoints.com\\\",\\n\\\"accounts-web-mail.com\\\",\\\"customer-certificate.com\\\",\\\"session-users-activities.com\\\",\\\"user-profile-credentials.com\\\",\\\"verify-linke.com\\\",\\\"support-servics.net\\\",\\n\\\"onedrive-sharedfile.com\\\",\\\"onedrv-live.com\\\",\\\"transparencyinternational-my-sharepoint.com\\\",\\\"transparencyinternational-my-sharepoints.com\\\",\\\"soros-my-sharepoint.com\\\"]);\\n(union isfuzzy=true\\n(CommonSecurityLog \\n| where TimeGenerated >= ago(timeframe) \\n| parse Message with * '(' DNSName ')' * \\n| extend Account = SourceUserID, Host = DeviceName, IPAddress = SourceIP),\\n(DnsEvents \\n| where TimeGenerated >= ago(timeframe) \\n| extend IPAddress = ClientIP, DNSName = Name, Host = Computer),\\n(VMConnection \\n| where TimeGenerated >= ago(timeframe) \\n| parse RemoteDnsCanonicalNames with * '[\\\"' DNSName '\\\"]' *\\n| extend IPAddress = RemoteIp, Host = Computer)\\n)\\n| where isnotempty(DNSName)\\n| where DNSName in~ (DomainNames)\\n| extend timestamp = TimeGenerated, IPCustomEntity = IPAddress, AccountCustomEntity = Account, HostCustomEntity = Host\",\r\n \"queryFrequency\": \"P1D\",\r\n \"queryPeriod\": \"P1D\",\r\n \"triggerOperator\": \"GreaterThan\",\r\n \"triggerThreshold\": 0,\r\n \"entityMappings\": [\r\n {\r\n \"entityType\": \"Account\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"FullName\",\r\n \"columnName\": \"AccountCustomEntity\"\r\n }\r\n ]\r\n },\r\n {\r\n \"entityType\": \"Host\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"FullName\",\r\n \"columnName\": \"HostCustomEntity\"\r\n }\r\n ]\r\n },\r\n {\r\n \"entityType\": \"IP\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"Address\",\r\n \"columnName\": \"IPCustomEntity\"\r\n }\r\n ]\r\n }\r\n ],\r\n \"displayName\": \"Known STRONTIUM group domains - July 2019\",\r\n \"description\": \"Matches domain name IOCs related to Strontium group activity published July 2019 with CommonSecurityLog, DnsEvents and VMConnection dataTypes.\\nReferences: https://blogs.microsoft.com/on-the-issues/2019/07/17/new-cyberthreats-require-new-ways-to-protect-democracy/.\",\r\n \"tactics\": [\r\n \"CommandAndControl\"\r\n ],\r\n \"lastUpdatedDateUTC\": \"2020-11-17T00:00:00Z\",\r\n \"createdDateUTC\": \"2019-07-25T00:00:00Z\",\r\n \"status\": \"Available\",\r\n \"requiredDataConnectors\": [\r\n {\r\n \"connectorId\": \"DNS\",\r\n \"dataTypes\": [\r\n \"DnsEvents\"\r\n ]\r\n },\r\n {\r\n \"connectorId\": \"AzureMonitor(VMInsights)\",\r\n \"dataTypes\": [\r\n \"VMConnection\"\r\n ]\r\n },\r\n {\r\n \"connectorId\": \"CiscoASA\",\r\n \"dataTypes\": [\r\n \"CommonSecurityLog\"\r\n ]\r\n },\r\n {\r\n \"connectorId\": \"PaloAltoNetworks\",\r\n \"dataTypes\": [\r\n \"CommonSecurityLog\"\r\n ]\r\n }\r\n ],\r\n \"alertRulesCreatedByTemplateCount\": 0\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/AlertRuleTemplates/aa1eff90-29d4-49dc-a3ea-b65199f516db\",\r\n \"name\": \"aa1eff90-29d4-49dc-a3ea-b65199f516db\",\r\n \"type\": \"Microsoft.SecurityInsights/AlertRuleTemplates\",\r\n \"kind\": \"Scheduled\",\r\n \"properties\": {\r\n \"severity\": \"Low\",\r\n \"query\": \"let timeframe = 1d;\\nSecurityEvent\\n| where TimeGenerated > ago(timeframe) \\n| where EventID == 4720\\n| where AccountType == \\\"User\\\"\\n| project CreatedUserTime = TimeGenerated, CreatedUserEventID = EventID, CreatedUserActivity = Activity, Computer = toupper(Computer), \\nCreatedUser = tolower(TargetUserName), Domain = toupper(TargetDomainName), CreatedUserSid = TargetSid, AccountUsedToCreateUser = SubjectUserName\\n|join (\\nSecurityEvent \\n| where TimeGenerated > ago(timeframe) \\n| where AccountType == \\\"User\\\"\\n// 4732 - A member was added to a security-enabled local group\\n| where EventID == 4732\\n//TargetSid is the builin Admins group: S-1-5-32-544\\n| where TargetSid == \\\"S-1-5-32-544\\\"\\n| project GroupAddTime = TimeGenerated, GroupAddEventID = EventID, GroupAddActivity = Activity, Computer = toupper(Computer), GroupName = TargetUserName, \\nDomain = toupper(TargetDomainName), GroupSid = TargetSid, UserAdded = SubjectUserName, UserAddedSid = SubjectUserSid, CreatedUser = tolower(SubjectUserName), \\nCreatedUserSid = MemberSid\\n)\\non CreatedUserSid\\n//Create User first, then the add to the group.\\n| project Computer, CreatedUserTime, CreatedUserEventID, CreatedUserActivity, CreatedUser, CreatedUserSid, Domain, GroupAddTime, GroupAddEventID, \\nGroupAddActivity, AccountUsedToCreateUser, GroupName, GroupSid, UserAdded, UserAddedSid \\n| extend timestamp = CreatedUserTime, AccountCustomEntity = CreatedUser, HostCustomEntity = Computer\",\r\n \"queryFrequency\": \"P1D\",\r\n \"queryPeriod\": \"P1D\",\r\n \"triggerOperator\": \"GreaterThan\",\r\n \"triggerThreshold\": 0,\r\n \"entityMappings\": [\r\n {\r\n \"entityType\": \"Account\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"FullName\",\r\n \"columnName\": \"AccountCustomEntity\"\r\n }\r\n ]\r\n },\r\n {\r\n \"entityType\": \"Host\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"FullName\",\r\n \"columnName\": \"HostCustomEntity\"\r\n }\r\n ]\r\n }\r\n ],\r\n \"displayName\": \"New user created and added to the built-in administrators group\",\r\n \"description\": \"Identifies when a user account was created and then added to the builtin Administrators group in the same day.\\nThis should be monitored closely and all additions reviewed.\",\r\n \"tactics\": [\r\n \"Persistence\",\r\n \"PrivilegeEscalation\"\r\n ],\r\n \"lastUpdatedDateUTC\": \"2020-11-17T00:00:00Z\",\r\n \"createdDateUTC\": \"2019-02-22T00:00:00Z\",\r\n \"status\": \"Available\",\r\n \"requiredDataConnectors\": [\r\n {\r\n \"connectorId\": \"SecurityEvents\",\r\n \"dataTypes\": [\r\n \"SecurityEvent\"\r\n ]\r\n }\r\n ],\r\n \"alertRulesCreatedByTemplateCount\": 0\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/AlertRuleTemplates/1fa1528e-f746-4794-8a41-14827f4cb798\",\r\n \"name\": \"1fa1528e-f746-4794-8a41-14827f4cb798\",\r\n \"type\": \"Microsoft.SecurityInsights/AlertRuleTemplates\",\r\n \"kind\": \"Scheduled\",\r\n \"properties\": {\r\n \"severity\": \"Medium\",\r\n \"query\": \"let timeframe = ago(1h);\\nlet threshold = 100;\\nPulseConnectSecure\\n| where TimeGenerated >= timeframe\\n| where Messages startswith \\\"Login failed\\\"\\n| summarize dcount(User) by Computer, bin(TimeGenerated, 15m)\\n| where dcount_User > threshold\\n| extend timestamp = TimeGenerated, HostCustomEntity = Computer\",\r\n \"queryFrequency\": \"PT1H\",\r\n \"queryPeriod\": \"PT1H\",\r\n \"triggerOperator\": \"GreaterThan\",\r\n \"triggerThreshold\": 0,\r\n \"entityMappings\": [\r\n {\r\n \"entityType\": \"Host\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"FullName\",\r\n \"columnName\": \"HostCustomEntity\"\r\n }\r\n ]\r\n }\r\n ],\r\n \"displayName\": \"PulseConnectSecure - Large Number of Distinct Failed User Logins\",\r\n \"description\": \"This query identifies evidence of failed login attempts from a large number of distinct users on a Pulse Connect Secure VPN server\",\r\n \"tactics\": [\r\n \"CredentialAccess\"\r\n ],\r\n \"lastUpdatedDateUTC\": \"2020-11-17T00:00:00Z\",\r\n \"createdDateUTC\": \"2020-06-06T00:00:00Z\",\r\n \"status\": \"Available\",\r\n \"requiredDataConnectors\": [\r\n {\r\n \"connectorId\": \"PulseConnectSecure\",\r\n \"dataTypes\": [\r\n \"Syslog\"\r\n ]\r\n }\r\n ],\r\n \"alertRulesCreatedByTemplateCount\": 0\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/AlertRuleTemplates/8c2ef238-67a0-497d-b1dd-5c8a0f533e25\",\r\n \"name\": \"8c2ef238-67a0-497d-b1dd-5c8a0f533e25\",\r\n \"type\": \"Microsoft.SecurityInsights/AlertRuleTemplates\",\r\n \"kind\": \"Scheduled\",\r\n \"properties\": {\r\n \"severity\": \"Low\",\r\n \"query\": \"let timeframe = 1d;\\nlet EventNameList = dynamic([\\\"AuthorizeDBSecurityGroupIngress\\\",\\\"CreateDBSecurityGroup\\\",\\\"DeleteDBSecurityGroup\\\",\\\"RevokeDBSecurityGroupIngress\\\"]);\\nAWSCloudTrail\\n| where TimeGenerated > ago(timeframe)\\n| where EventName in~ (EventNameList)\\n| summarize StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated) by EventName, EventTypeName, UserIdentityAccountId, UserIdentityPrincipalid, UserAgent, UserIdentityUserName, SessionMfaAuthenticated, SourceIpAddress, AWSRegion, EventSource, AdditionalEventData, ResponseElements\\n| extend timestamp = StartTimeUtc, AccountCustomEntity = UserIdentityUserName, IPCustomEntity = SourceIpAddress\",\r\n \"queryFrequency\": \"P1D\",\r\n \"queryPeriod\": \"P1D\",\r\n \"triggerOperator\": \"GreaterThan\",\r\n \"triggerThreshold\": 0,\r\n \"entityMappings\": [\r\n {\r\n \"entityType\": \"Account\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"FullName\",\r\n \"columnName\": \"AccountCustomEntity\"\r\n }\r\n ]\r\n },\r\n {\r\n \"entityType\": \"IP\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"Address\",\r\n \"columnName\": \"IPCustomEntity\"\r\n }\r\n ]\r\n }\r\n ],\r\n \"displayName\": \"Changes to internet facing AWS RDS Database instances\",\r\n \"description\": \"Amazon Relational Database Service (RDS) is scalable relational database in the cloud. \\nIf your organization have one or more AWS RDS Databases running, monitoring changes to especially internet facing AWS RDS (Relational Database Service) \\nOnce alerts triggered, validate if changes observed are authorized and adhere to change control policy. \\nMore information: https://medium.com/@GorillaStack/the-most-important-aws-cloudtrail-security-events-to-track-a5b9873f8255\\nand RDS API Reference Docs: https://docs.aws.amazon.com/AmazonRDS/latest/APIReference/API_Operations.html\",\r\n \"tactics\": [\r\n \"Persistence\"\r\n ],\r\n \"lastUpdatedDateUTC\": \"2020-11-17T00:00:00Z\",\r\n \"createdDateUTC\": \"2019-02-27T00:00:00Z\",\r\n \"status\": \"Available\",\r\n \"requiredDataConnectors\": [\r\n {\r\n \"connectorId\": \"AWS\",\r\n \"dataTypes\": [\r\n \"AWSCloudTrail\"\r\n ]\r\n }\r\n ],\r\n \"alertRulesCreatedByTemplateCount\": 0\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/AlertRuleTemplates/9713e3c0-1410-468d-b79e-383448434b2d\",\r\n \"name\": \"9713e3c0-1410-468d-b79e-383448434b2d\",\r\n \"type\": \"Microsoft.SecurityInsights/AlertRuleTemplates\",\r\n \"kind\": \"Scheduled\",\r\n \"properties\": {\r\n \"severity\": \"Medium\",\r\n \"query\": \"let dt_lookBack = 1h;\\nlet ioc_lookBack = 14d;\\nThreatIntelligenceIndicator\\n| where TimeGenerated >= ago(ioc_lookBack) and ExpirationDateTime > now()\\n| where Active == true\\n// Picking up only IOC's that contain the entities we want\\n| where isnotempty(NetworkIP) or isnotempty(EmailSourceIpAddress) or isnotempty(NetworkDestinationIP) or isnotempty(NetworkSourceIP)\\n// As there is potentially more than 1 indicator type for matching IP, taking NetworkIP first, then others if that is empty.\\n// Taking the first non-empty value based on potential IOC match availability\\n| extend TI_ipEntity = iff(isnotempty(NetworkIP), NetworkIP, NetworkDestinationIP)\\n| extend TI_ipEntity = iff(isempty(TI_ipEntity) and isnotempty(NetworkSourceIP), NetworkSourceIP, TI_ipEntity)\\n| extend TI_ipEntity = iff(isempty(TI_ipEntity) and isnotempty(EmailSourceIpAddress), EmailSourceIpAddress, TI_ipEntity)\\n| join (\\n VMConnection\\n | where TimeGenerated >= ago(dt_lookBack)\\n // renaming time column so it is clear the log this came from\\n | extend VMConnection_TimeGenerated = TimeGenerated\\n)\\non $left.TI_ipEntity == $right.RemoteIp\\n| summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId\\n| project LatestIndicatorTime, Description, ActivityGroupNames, IndicatorId, ThreatType, Url, ExpirationDateTime, ConfidenceScore, VMConnection_TimeGenerated,\\nTI_ipEntity, Computer, Direction, ProcessName, SourceIp, DestinationIp, RemoteIp, Protocol, DestinationPort, NetworkIP, NetworkDestinationIP, NetworkSourceIP, EmailSourceIpAddress\\n| extend timestamp = VMConnection_TimeGenerated, IPCustomEntity = RemoteIp, HostCustomEntity = Computer, URLCustomEntity = Url\",\r\n \"queryFrequency\": \"PT1H\",\r\n \"queryPeriod\": \"P14D\",\r\n \"triggerOperator\": \"GreaterThan\",\r\n \"triggerThreshold\": 0,\r\n \"entityMappings\": [\r\n {\r\n \"entityType\": \"Host\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"FullName\",\r\n \"columnName\": \"HostCustomEntity\"\r\n }\r\n ]\r\n },\r\n {\r\n \"entityType\": \"IP\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"Address\",\r\n \"columnName\": \"IPCustomEntity\"\r\n }\r\n ]\r\n },\r\n {\r\n \"entityType\": \"URL\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"Url\",\r\n \"columnName\": \"URLCustomEntity\"\r\n }\r\n ]\r\n }\r\n ],\r\n \"displayName\": \"(Preview) TI map IP entity to VMConnection\",\r\n \"description\": \"Identifies a match in VMConnection from any IP IOC from TI\",\r\n \"tactics\": [\r\n \"Impact\"\r\n ],\r\n \"lastUpdatedDateUTC\": \"2020-11-17T00:00:00Z\",\r\n \"createdDateUTC\": \"2019-08-27T00:00:00Z\",\r\n \"status\": \"Available\",\r\n \"requiredDataConnectors\": [\r\n {\r\n \"connectorId\": \"ThreatIntelligence\",\r\n \"dataTypes\": [\r\n \"ThreatIntelligenceIndicator\"\r\n ]\r\n },\r\n {\r\n \"connectorId\": \"ThreatIntelligenceTaxii\",\r\n \"dataTypes\": [\r\n \"ThreatIntelligenceIndicator\"\r\n ]\r\n },\r\n {\r\n \"connectorId\": \"AzureMonitor(VMInsights)\",\r\n \"dataTypes\": [\r\n \"VMConnection\"\r\n ]\r\n }\r\n ],\r\n \"alertRulesCreatedByTemplateCount\": 0\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/AlertRuleTemplates/01f64465-b1ef-41ea-a7f5-31553a11ad43\",\r\n \"name\": \"01f64465-b1ef-41ea-a7f5-31553a11ad43\",\r\n \"type\": \"Microsoft.SecurityInsights/AlertRuleTemplates\",\r\n \"kind\": \"Scheduled\",\r\n \"properties\": {\r\n \"severity\": \"Medium\",\r\n \"query\": \"let timeframe = 1d;\\nlet endpointData = \\n(SecurityEvent\\n | where TimeGenerated >= ago(timeframe) \\n | where EventID == 4688\\n | extend shortFileName = tostring(split(NewProcessName, '\\\\\\\\')[-1])\\n );\\n// Correlate suspect executables seen in TrendMicro rule updates with similar activity on endpoints\\nCommonSecurityLog\\n| where TimeGenerated >= ago(timeframe)\\n| where DeviceVendor =~ \\\"Trend Micro\\\"\\n| where Activity =~ \\\"Deny List updated\\\" \\n| where RequestURL endswith \\\".exe\\\"\\n| project TimeGenerated, Activity , RequestURL , SourceIP, DestinationIP\\n| extend suspectExeName = tolower(tostring(split(RequestURL, '/')[-1]))\\n| join (endpointData) on $left.suspectExeName == $right.shortFileName \\n| extend timestamp = TimeGenerated, IPCustomEntity = DestinationIP, AccountCustomEntity = TargetUserName, HostCustomEntity = Computer, URLCustomEntity = RequestURL\",\r\n \"queryFrequency\": \"P1D\",\r\n \"queryPeriod\": \"P1D\",\r\n \"triggerOperator\": \"GreaterThan\",\r\n \"triggerThreshold\": 0,\r\n \"entityMappings\": [\r\n {\r\n \"entityType\": \"Account\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"FullName\",\r\n \"columnName\": \"AccountCustomEntity\"\r\n }\r\n ]\r\n },\r\n {\r\n \"entityType\": \"Host\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"FullName\",\r\n \"columnName\": \"HostCustomEntity\"\r\n }\r\n ]\r\n },\r\n {\r\n \"entityType\": \"IP\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"Address\",\r\n \"columnName\": \"IPCustomEntity\"\r\n }\r\n ]\r\n },\r\n {\r\n \"entityType\": \"URL\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"Url\",\r\n \"columnName\": \"URLCustomEntity\"\r\n }\r\n ]\r\n }\r\n ],\r\n \"displayName\": \"Network endpoint to host executable correlation\",\r\n \"description\": \"Correlates blocked URLs hosting [malicious] executables with host endpoint data\\nto identify potential instances of executables of the same name having been recently run.\",\r\n \"tactics\": [\r\n \"Execution\"\r\n ],\r\n \"lastUpdatedDateUTC\": \"2020-11-17T00:00:00Z\",\r\n \"createdDateUTC\": \"2019-07-08T00:00:00Z\",\r\n \"status\": \"Available\",\r\n \"requiredDataConnectors\": [\r\n {\r\n \"connectorId\": \"TrendMicro\",\r\n \"dataTypes\": [\r\n \"CommonSecurityLog\"\r\n ]\r\n },\r\n {\r\n \"connectorId\": \"SecurityEvents\",\r\n \"dataTypes\": [\r\n \"SecurityEvent\"\r\n ]\r\n }\r\n ],\r\n \"alertRulesCreatedByTemplateCount\": 0\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/AlertRuleTemplates/75ea5c39-93e5-489b-b1e1-68fa6c9d2d04\",\r\n \"name\": \"75ea5c39-93e5-489b-b1e1-68fa6c9d2d04\",\r\n \"type\": \"Microsoft.SecurityInsights/AlertRuleTemplates\",\r\n \"kind\": \"Scheduled\",\r\n \"properties\": {\r\n \"severity\": \"Medium\",\r\n \"query\": \"let timeframe = 1d;\\nlet threshold = 3;\\nSigninLogs\\n| where TimeGenerated >= ago(timeframe)\\n| where ResultType == \\\"50057\\\"\\n| where ResultDescription =~ \\\"User account is disabled. The account has been disabled by an administrator.\\\"\\n| summarize StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated), count(), applicationCount = dcount(AppDisplayName), \\napplicationSet = makeset(AppDisplayName) by UserPrincipalName, IPAddress\\n| where applicationCount >= threshold\\n| extend timestamp = StartTimeUtc, AccountCustomEntity = UserPrincipalName, IPCustomEntity = IPAddress\",\r\n \"queryFrequency\": \"P1D\",\r\n \"queryPeriod\": \"P1D\",\r\n \"triggerOperator\": \"GreaterThan\",\r\n \"triggerThreshold\": 0,\r\n \"entityMappings\": [\r\n {\r\n \"entityType\": \"Account\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"FullName\",\r\n \"columnName\": \"AccountCustomEntity\"\r\n }\r\n ]\r\n },\r\n {\r\n \"entityType\": \"IP\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"Address\",\r\n \"columnName\": \"IPCustomEntity\"\r\n }\r\n ]\r\n }\r\n ],\r\n \"displayName\": \"Attempts to sign in to disabled accounts\",\r\n \"description\": \"Identifies failed attempts to sign in to disabled accounts across multiple Azure Applications.\\nDefault threshold for Azure Applications attempted to sign in to is 3.\\nReferences: https://docs.microsoft.com/azure/active-directory/reports-monitoring/reference-sign-ins-error-codes\\n50057 - User account is disabled. The account has been disabled by an administrator.\",\r\n \"tactics\": [\r\n \"InitialAccess\"\r\n ],\r\n \"lastUpdatedDateUTC\": \"2020-11-17T00:00:00Z\",\r\n \"createdDateUTC\": \"2019-02-11T00:00:00Z\",\r\n \"status\": \"Available\",\r\n \"requiredDataConnectors\": [\r\n {\r\n \"connectorId\": \"AzureActiveDirectory\",\r\n \"dataTypes\": [\r\n \"SigninLogs\"\r\n ]\r\n }\r\n ],\r\n \"alertRulesCreatedByTemplateCount\": 0\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/AlertRuleTemplates/78422ef2-62bf-48ca-9bab-72c69818a425\",\r\n \"name\": \"78422ef2-62bf-48ca-9bab-72c69818a425\",\r\n \"type\": \"Microsoft.SecurityInsights/AlertRuleTemplates\",\r\n \"kind\": \"Scheduled\",\r\n \"properties\": {\r\n \"severity\": \"Low\",\r\n \"query\": \"let endtime = 1d;\\nlet starttime = 8d;\\nlet threshold = 2.0;\\nSecurityEvent\\n| where TimeGenerated >= ago(endtime) \\n| where EventID == 4624 and LogonType == 10\\n| summarize StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated), ComputerCountToday = dcount(Computer), ComputerSet = makeset(Computer), ProcessSet = makeset(ProcessName) \\nby Account, IpAddress, AccountType, Activity, LogonTypeName\\n| join kind=inner (\\nSecurityEvent\\n| where TimeGenerated >= ago(starttime) and TimeGenerated < ago(endtime) \\n| where EventID == 4624 and LogonType == 10\\n| summarize ComputerCountPrev7Days = dcount(Computer) by Account, IpAddress\\n) on Account, IpAddress\\n| extend Ratio = ComputerCountToday/(ComputerCountPrev7Days*1.0)\\n// Where the ratio of today to previous 7 days is more than double.\\n| where Ratio > threshold\\n| project StartTimeUtc, EndTimeUtc, Account, IpAddress, ComputerSet, ComputerCountToday, ComputerCountPrev7Days, Ratio, AccountType, Activity, LogonTypeName, ProcessSet\\n| extend timestamp = StartTimeUtc, AccountCustomEntity = Account, IPCustomEntity = IpAddress\",\r\n \"queryFrequency\": \"P1D\",\r\n \"queryPeriod\": \"P8D\",\r\n \"triggerOperator\": \"GreaterThan\",\r\n \"triggerThreshold\": 0,\r\n \"entityMappings\": [\r\n {\r\n \"entityType\": \"Account\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"FullName\",\r\n \"columnName\": \"AccountCustomEntity\"\r\n }\r\n ]\r\n },\r\n {\r\n \"entityType\": \"IP\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"Address\",\r\n \"columnName\": \"IPCustomEntity\"\r\n }\r\n ]\r\n }\r\n ],\r\n \"displayName\": \"Multiple RDP connections from Single System\",\r\n \"description\": \"Identifies when an RDP connection is made to multiple systems and above the normal for the previous 7 days. \\nConnections from the same system with the same account within the same day.\\nRDP connections are indicated by the EventID 4624 with LogonType = 10\",\r\n \"tactics\": [\r\n \"LateralMovement\"\r\n ],\r\n \"lastUpdatedDateUTC\": \"2020-11-17T00:00:00Z\",\r\n \"createdDateUTC\": \"2019-10-21T00:00:00Z\",\r\n \"status\": \"Available\",\r\n \"requiredDataConnectors\": [\r\n {\r\n \"connectorId\": \"SecurityEvents\",\r\n \"dataTypes\": [\r\n \"SecurityEvent\"\r\n ]\r\n }\r\n ],\r\n \"alertRulesCreatedByTemplateCount\": 0\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/AlertRuleTemplates/40ba9493-4183-4eee-974f-87fe39c8f267\",\r\n \"name\": \"40ba9493-4183-4eee-974f-87fe39c8f267\",\r\n \"type\": \"Microsoft.SecurityInsights/AlertRuleTemplates\",\r\n \"kind\": \"MicrosoftSecurityIncidentCreation\",\r\n \"properties\": {\r\n \"productFilter\": \"Azure Advanced Threat Protection\",\r\n \"displayName\": \"Create incidents based on Azure Advanced Threat Protection alerts\",\r\n \"description\": \"Create incidents based on all alerts generated in Azure Advanced Threat Protection\",\r\n \"lastUpdatedDateUTC\": \"2019-07-16T00:00:00Z\",\r\n \"createdDateUTC\": \"2019-07-16T00:00:00Z\",\r\n \"status\": \"Available\",\r\n \"requiredDataConnectors\": [\r\n {\r\n \"connectorId\": \"AzureAdvancedThreatProtection\",\r\n \"dataTypes\": [\r\n \"SecurityAlert (AATP)\"\r\n ]\r\n }\r\n ],\r\n \"alertRulesCreatedByTemplateCount\": 0\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/AlertRuleTemplates/610d3850-c26f-4f20-8d86-f10fdf2425f5\",\r\n \"name\": \"610d3850-c26f-4f20-8d86-f10fdf2425f5\",\r\n \"type\": \"Microsoft.SecurityInsights/AlertRuleTemplates\",\r\n \"kind\": \"Scheduled\",\r\n \"properties\": {\r\n \"severity\": \"Low\",\r\n \"query\": \"let timeframe = 1d;\\nlet EventNameList = dynamic([\\\"UpdateTrail\\\",\\\"DeleteTrail\\\",\\\"StopLogging\\\",\\\"DeleteFlowLogs\\\",\\\"DeleteEventBus\\\"]);\\nAWSCloudTrail\\n| where TimeGenerated > ago(timeframe)\\n| where EventName in~ (EventNameList)\\n| summarize StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated) by EventName, EventTypeName, UserIdentityAccountId, UserIdentityPrincipalid, UserAgent, \\nUserIdentityUserName, SessionMfaAuthenticated, SourceIpAddress, AWSRegion, EventSource\\n| extend timestamp = StartTimeUtc, AccountCustomEntity = UserIdentityUserName, IPCustomEntity = SourceIpAddress\",\r\n \"queryFrequency\": \"P1D\",\r\n \"queryPeriod\": \"P1D\",\r\n \"triggerOperator\": \"GreaterThan\",\r\n \"triggerThreshold\": 0,\r\n \"entityMappings\": [\r\n {\r\n \"entityType\": \"Account\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"FullName\",\r\n \"columnName\": \"AccountCustomEntity\"\r\n }\r\n ]\r\n },\r\n {\r\n \"entityType\": \"IP\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"Address\",\r\n \"columnName\": \"IPCustomEntity\"\r\n }\r\n ]\r\n }\r\n ],\r\n \"displayName\": \"Changes made to AWS CloudTrail logs\",\r\n \"description\": \"Attackers often try to hide their steps by deleting or stopping the collection of logs that could show their activity. \\nThis alert identifies any manipulation of AWS CloudTrail, Cloudwatch/EventBridge or VPC Flow logs.\\nMore Information: AWS CloudTrail API: https://docs.aws.amazon.com/awscloudtrail/latest/APIReference/API_Operations.html\\nAWS Cloudwatch/Eventbridge API: https://docs.aws.amazon.com/eventbridge/latest/APIReference/API_Operations.html\\nAWS DelteteFlowLogs API : https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_DeleteFlowLogs.html \",\r\n \"tactics\": [\r\n \"DefenseEvasion\"\r\n ],\r\n \"lastUpdatedDateUTC\": \"2020-11-17T00:00:00Z\",\r\n \"createdDateUTC\": \"2019-02-27T00:00:00Z\",\r\n \"status\": \"Available\",\r\n \"requiredDataConnectors\": [\r\n {\r\n \"connectorId\": \"AWS\",\r\n \"dataTypes\": [\r\n \"AWSCloudTrail\"\r\n ]\r\n }\r\n ],\r\n \"alertRulesCreatedByTemplateCount\": 0\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/AlertRuleTemplates/c87fb346-ea3a-4c64-ba92-3dd383e0f0b5\",\r\n \"name\": \"c87fb346-ea3a-4c64-ba92-3dd383e0f0b5\",\r\n \"type\": \"Microsoft.SecurityInsights/AlertRuleTemplates\",\r\n \"kind\": \"Scheduled\",\r\n \"properties\": {\r\n \"severity\": \"High\",\r\n \"query\": \"let timeframe = 1d;\\nlet DomainNames = \\\"miniodaum.ml\\\";\\nlet SHA256Hash = dynamic ([\\\"53f5773bbfbfbee660989d135c042c9f6f69024b9a4b65bdc0dfd44771762257\\\", \\\"0897c80df8b80b4c49bf1ccf876f5f782849608b830c3b5cb3ad212dc3e19eff\\\"]);\\n(union isfuzzy=true\\n(CommonSecurityLog \\n| where TimeGenerated >= ago(timeframe) \\n| parse Message with * '(' DNSName ')' * \\n| where isnotempty(FileHash)\\n| where FileHash in (SHA256Hash) or DNSName =~ DomainNames\\n| extend Account = SourceUserID, Computer = DeviceName, IPAddress = SourceIP\\n),\\n(DnsEvents \\n| where TimeGenerated >= ago(timeframe) \\n| extend DNSName = Name\\n| where isnotempty(DNSName)\\n| where DNSName =~ DomainNames\\n| extend IPAddress = ClientIP\\n),\\n(VMConnection \\n| where TimeGenerated >= ago(timeframe) \\n| parse RemoteDnsCanonicalNames with * '[\\\"' DNSName '\\\"]' *\\n| where isnotempty(DNSName)\\n| where DNSName =~ DomainNames\\n| extend IPAddress = RemoteIp\\n)\\n)\\n| extend timestamp = TimeGenerated, AccountCustomEntity = Account, HostCustomEntity = Computer, IPCustomEntity = IPAddress\",\r\n \"queryFrequency\": \"P1D\",\r\n \"queryPeriod\": \"P1D\",\r\n \"triggerOperator\": \"GreaterThan\",\r\n \"triggerThreshold\": 0,\r\n \"entityMappings\": [\r\n {\r\n \"entityType\": \"Account\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"FullName\",\r\n \"columnName\": \"AccountCustomEntity\"\r\n }\r\n ]\r\n },\r\n {\r\n \"entityType\": \"Host\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"FullName\",\r\n \"columnName\": \"HostCustomEntity\"\r\n }\r\n ]\r\n },\r\n {\r\n \"entityType\": \"IP\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"Address\",\r\n \"columnName\": \"IPCustomEntity\"\r\n }\r\n ]\r\n }\r\n ],\r\n \"displayName\": \"Known CERIUM domains and hashes\",\r\n \"description\": \"CERIUM malicious webserver and hash values for maldocs and malware. \\n Matches domain name IOCs related to the CERIUM activity group with CommonSecurityLog, DnsEvents, and VMConnection dataTypes.\",\r\n \"tactics\": [\r\n \"CommandAndControl\",\r\n \"CredentialAccess\"\r\n ],\r\n \"lastUpdatedDateUTC\": \"2020-11-17T00:00:00Z\",\r\n \"createdDateUTC\": \"2020-10-30T00:00:00Z\",\r\n \"status\": \"Available\",\r\n \"requiredDataConnectors\": [\r\n {\r\n \"connectorId\": \"DNS\",\r\n \"dataTypes\": [\r\n \"DnsEvents\"\r\n ]\r\n },\r\n {\r\n \"connectorId\": \"AzureMonitor(VMInsights)\",\r\n \"dataTypes\": [\r\n \"VMConnection\"\r\n ]\r\n },\r\n {\r\n \"connectorId\": \"CiscoASA\",\r\n \"dataTypes\": [\r\n \"CommonSecurityLog\"\r\n ]\r\n },\r\n {\r\n \"connectorId\": \"PaloAltoNetworks\",\r\n \"dataTypes\": [\r\n \"CommonSecurityLog\"\r\n ]\r\n }\r\n ],\r\n \"alertRulesCreatedByTemplateCount\": 0\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/AlertRuleTemplates/65c78944-930b-4cae-bd79-c3664ae30ba7\",\r\n \"name\": \"65c78944-930b-4cae-bd79-c3664ae30ba7\",\r\n \"type\": \"Microsoft.SecurityInsights/AlertRuleTemplates\",\r\n \"kind\": \"Scheduled\",\r\n \"properties\": {\r\n \"severity\": \"Medium\",\r\n \"query\": \"let timeframe = 1d;\\n(union isfuzzy=true\\n(AuditLogs \\n| where TimeGenerated >= ago(timeframe) \\n| where OperationName =~ \\\"Disable Strong Authentication\\\"\\n| extend IPAddress = tostring(parse_json(tostring(InitiatedBy.user)).ipAddress) \\n| extend InitiatedByUser = iff(isnotempty(tostring(parse_json(tostring(InitiatedBy.user)).userPrincipalName)), \\n tostring(parse_json(tostring(InitiatedBy.user)).userPrincipalName), tostring(parse_json(tostring(InitiatedBy.app)).displayName))\\n| extend Targetprop = todynamic(TargetResources)\\n| extend TargetUser = tostring(Targetprop[0].userPrincipalName) \\n| summarize StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated) by User = TargetUser, InitiatedByUser , Operation = OperationName , CorrelationId, IPAddress, Category, Source = SourceSystem , AADTenantId, Type\\n),\\n(AWSCloudTrail\\n| where TimeGenerated >= ago(timeframe)\\n| where EventName in~ (\\\"DeactivateMFADevice\\\", \\\"DeleteVirtualMFADevice\\\") \\n| extend InstanceProfileName = tostring(parse_json(RequestParameters).InstanceProfileName)\\n| extend TargetUser = tostring(parse_json(RequestParameters).userName)\\n| summarize StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated) by User = TargetUser, Source = EventSource , Operation = EventName , TenantorInstance_Detail = InstanceProfileName, IPAddress = SourceIpAddress\\n)\\n)\\n| extend timestamp = StartTimeUtc, AccountCustomEntity = User, IPCustomEntity = IPAddress\",\r\n \"queryFrequency\": \"P1D\",\r\n \"queryPeriod\": \"P1D\",\r\n \"triggerOperator\": \"GreaterThan\",\r\n \"triggerThreshold\": 0,\r\n \"entityMappings\": [\r\n {\r\n \"entityType\": \"Account\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"FullName\",\r\n \"columnName\": \"AccountCustomEntity\"\r\n }\r\n ]\r\n },\r\n {\r\n \"entityType\": \"IP\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"Address\",\r\n \"columnName\": \"IPCustomEntity\"\r\n }\r\n ]\r\n }\r\n ],\r\n \"displayName\": \"MFA disabled for a user\",\r\n \"description\": \"Multi-Factor Authentication (MFA) helps prevent credential compromise. This alert identifies when an attempt has been made to diable MFA for a user \",\r\n \"tactics\": [\r\n \"CredentialAccess\"\r\n ],\r\n \"lastUpdatedDateUTC\": \"2020-11-17T00:00:00Z\",\r\n \"createdDateUTC\": \"2019-12-16T00:00:00Z\",\r\n \"status\": \"Available\",\r\n \"requiredDataConnectors\": [\r\n {\r\n \"connectorId\": \"AzureActiveDirectory\",\r\n \"dataTypes\": [\r\n \"AuditLogs\"\r\n ]\r\n },\r\n {\r\n \"connectorId\": \"AWS\",\r\n \"dataTypes\": [\r\n \"AWSCloudTrail\"\r\n ]\r\n }\r\n ],\r\n \"alertRulesCreatedByTemplateCount\": 0\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/AlertRuleTemplates/fbfbf530-506b-49a4-81ad-4030885a195c\",\r\n \"name\": \"fbfbf530-506b-49a4-81ad-4030885a195c\",\r\n \"type\": \"Microsoft.SecurityInsights/AlertRuleTemplates\",\r\n \"kind\": \"Scheduled\",\r\n \"properties\": {\r\n \"severity\": \"Medium\",\r\n \"query\": \"let alertTimeWindow = 1h;\\nlet logTimeWindow = 7d;\\n// Define script extensions that suit your web application environment - a sample are provided below\\nlet scriptExtensions = dynamic([\\\".php\\\", \\\".jsp\\\", \\\".js\\\", \\\".aspx\\\", \\\".asmx\\\", \\\".asax\\\", \\\".cfm\\\", \\\".shtml\\\"]); \\nlet alertData = materialize(SecurityAlert \\n| where TimeGenerated > ago(alertTimeWindow) \\n| where ProviderName == \\\"MDATP\\\" \\n// Parse and expand the alert JSON \\n| extend alertData = parse_json(Entities) \\n| mvexpand alertData);\\nlet fileData = alertData\\n// Extract web script files from MDATP alerts - our malicious web scripts - candidate webshells\\n| where alertData.Type =~ \\\"file\\\" \\n| where alertData.Name has_any(scriptExtensions) \\n| extend FileName = tostring(alertData.Name), Directory = tostring(alertData.Directory);\\nlet hostData = alertData\\n// Extract server details from alerts and map to alert id\\n| where alertData.Type =~ \\\"host\\\"\\n| project HostName = tostring(alertData.HostName), DnsDomain = tostring(alertData.DnsDomain), SystemAlertId\\n| distinct HostName, DnsDomain, SystemAlertId;\\n// Join the files on their impacted servers\\nlet webshellData = fileData\\n| join kind=inner (hostData) on SystemAlertId \\n| project TimeGenerated, FileName, Directory, HostName, DnsDomain;\\nwebshellData\\n| join ( \\n// Find requests that were made to this file on the impacted server in the W3CIISLog table \\nW3CIISLog \\n| where TimeGenerated > ago(logTimeWindow) \\n// Restrict to accesses to script extensions \\n| where csUriStem has_any(scriptExtensions)\\n| extend splitUriStem = split(csUriStem, \\\"/\\\") \\n| extend FileName = splitUriStem[-1], HostName = sComputerName\\n// Summarize potential attacker activity\\n| summarize count(), StartTime=min(TimeGenerated), EndTime=max(TimeGenerated), RequestUserAgents=make_set(csUserAgent), ReqestMethods=make_set(csMethod), RequestStatusCodes=make_set(scStatus), RequestCookies=make_set(csCookie), RequestReferers=make_set(csReferer), RequestQueryStrings=make_set(csUriQuery) by AttackerIP=cIP, SiteName=sSiteName, ShellLocation=csUriStem, tostring(FileName), HostName \\n) on FileName, HostName\\n| project StartTime, EndTime, AttackerIP, RequestUserAgents, HostName, SiteName, ShellLocation, ReqestMethods, RequestStatusCodes, RequestCookies, RequestReferers, RequestQueryStrings, RequestCount = count_\\n// Expose the attacker ip address as a custom entity\\n| extend timestamp=StartTime, IPCustomEntity = AttackerIP, HostCustomEntity = HostName\",\r\n \"queryFrequency\": \"PT1H\",\r\n \"queryPeriod\": \"P7D\",\r\n \"triggerOperator\": \"GreaterThan\",\r\n \"triggerThreshold\": 0,\r\n \"entityMappings\": [\r\n {\r\n \"entityType\": \"Host\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"FullName\",\r\n \"columnName\": \"HostCustomEntity\"\r\n }\r\n ]\r\n },\r\n {\r\n \"entityType\": \"IP\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"Address\",\r\n \"columnName\": \"IPCustomEntity\"\r\n }\r\n ]\r\n }\r\n ],\r\n \"displayName\": \"Malicious web application requests linked with MDATP alerts\",\r\n \"description\": \"Takes MDATP alerts where web scripts are present in the evidence and correlates with requests made to those scripts\\nin the WCSIISLog to surface new alerts for potentially malicious web request activity.\\nThe lookback for alerts is set to 1h and the lookback for W3CIISLogs is set to 7d. A sample set of popular web script extensions\\nhas been provided in scriptExtensions that should be tailored to your environment.\",\r\n \"tactics\": [\r\n \"Persistence\"\r\n ],\r\n \"lastUpdatedDateUTC\": \"2020-11-17T00:00:00Z\",\r\n \"createdDateUTC\": \"2020-05-21T00:00:00Z\",\r\n \"status\": \"Available\",\r\n \"requiredDataConnectors\": [\r\n {\r\n \"connectorId\": \"MicrosoftDefenderAdvancedThreatProtection\",\r\n \"dataTypes\": [\r\n \"SecurityAlert\"\r\n ]\r\n },\r\n {\r\n \"connectorId\": \"AzureMonitor(IIS)\",\r\n \"dataTypes\": [\r\n \"W3CIISLog\"\r\n ]\r\n }\r\n ],\r\n \"alertRulesCreatedByTemplateCount\": 0\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/AlertRuleTemplates/2fc5d810-c9cc-491a-b564-841427ae0e50\",\r\n \"name\": \"2fc5d810-c9cc-491a-b564-841427ae0e50\",\r\n \"type\": \"Microsoft.SecurityInsights/AlertRuleTemplates\",\r\n \"kind\": \"Scheduled\",\r\n \"properties\": {\r\n \"severity\": \"Medium\",\r\n \"query\": \"let dt_lookBack = 1h;\\nlet ioc_lookBack = 14d;\\nlet emailregex = @'^[a-zA-Z0-9_.+-]+@[a-zA-Z0-9-]+\\\\.[a-zA-Z0-9-.]+$';\\nThreatIntelligenceIndicator\\n| where TimeGenerated >= ago(ioc_lookBack) and ExpirationDateTime > now()\\n| where Active == true\\n//Filtering the table for Email related IOCs\\n| where isnotempty(EmailRecipient)\\n| join (\\n SecurityEvent | where TimeGenerated >= ago(dt_lookBack) and isnotempty(TargetUserName)\\n //Normalizing the column to lower case for exact match with EmailRecipient column\\n | extend TargetUserName = tolower(TargetUserName)\\n // renaming timestamp column so it is clear the log this came from SecurityEvent table\\n | extend SecurityEvent_TimeGenerated = TimeGenerated\\n)\\non $left.EmailRecipient == $right.TargetUserName\\n| summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId\\n| project LatestIndicatorTime, Description, ActivityGroupNames, IndicatorId, ThreatType, Url, ExpirationDateTime, ConfidenceScore, SecurityEvent_TimeGenerated,\\nEmailSenderName, EmailSourceDomain, EmailSourceIpAddress, EmailSubject, FileHashValue, FileHashType, Computer, EventID, TargetUserName, Activity, IpAddress, AccountType,\\nLogonTypeName, LogonProcessName, Status, SubStatus\\n| extend timestamp = SecurityEvent_TimeGenerated, AccountCustomEntity = TargetUserName, IPCustomEntity = IpAddress, HostCustomEntity = Computer, URLCustomEntity = Url\",\r\n \"queryFrequency\": \"PT1H\",\r\n \"queryPeriod\": \"P14D\",\r\n \"triggerOperator\": \"GreaterThan\",\r\n \"triggerThreshold\": 0,\r\n \"entityMappings\": [\r\n {\r\n \"entityType\": \"Account\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"FullName\",\r\n \"columnName\": \"AccountCustomEntity\"\r\n }\r\n ]\r\n },\r\n {\r\n \"entityType\": \"Host\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"FullName\",\r\n \"columnName\": \"HostCustomEntity\"\r\n }\r\n ]\r\n },\r\n {\r\n \"entityType\": \"IP\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"Address\",\r\n \"columnName\": \"IPCustomEntity\"\r\n }\r\n ]\r\n },\r\n {\r\n \"entityType\": \"URL\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"Url\",\r\n \"columnName\": \"URLCustomEntity\"\r\n }\r\n ]\r\n }\r\n ],\r\n \"displayName\": \"(Preview) TI map Email entity to SecurityEvent\",\r\n \"description\": \"Identifies a match in SecurityEvent table from any Email IOC from TI\",\r\n \"tactics\": [\r\n \"Impact\"\r\n ],\r\n \"lastUpdatedDateUTC\": \"2020-11-17T00:00:00Z\",\r\n \"createdDateUTC\": \"2019-08-28T00:00:00Z\",\r\n \"status\": \"Available\",\r\n \"requiredDataConnectors\": [\r\n {\r\n \"connectorId\": \"ThreatIntelligence\",\r\n \"dataTypes\": [\r\n \"ThreatIntelligenceIndicator\"\r\n ]\r\n },\r\n {\r\n \"connectorId\": \"ThreatIntelligenceTaxii\",\r\n \"dataTypes\": [\r\n \"ThreatIntelligenceIndicator\"\r\n ]\r\n },\r\n {\r\n \"connectorId\": \"SecurityEvents\",\r\n \"dataTypes\": [\r\n \"SecurityEvent\"\r\n ]\r\n }\r\n ],\r\n \"alertRulesCreatedByTemplateCount\": 0\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/AlertRuleTemplates/02ef8d7e-fc3a-4d86-a457-650fa571d8d2\",\r\n \"name\": \"02ef8d7e-fc3a-4d86-a457-650fa571d8d2\",\r\n \"type\": \"Microsoft.SecurityInsights/AlertRuleTemplates\",\r\n \"kind\": \"Scheduled\",\r\n \"properties\": {\r\n \"severity\": \"Medium\",\r\n \"query\": \"let timeFrame = 1d;\\nlet logonDiff = 10m;\\nSigninLogs \\n| where TimeGenerated >= ago(timeFrame) \\n| where ResultType == \\\"0\\\" \\n| where AppDisplayName !in (\\\"Office 365 Exchange Online\\\", \\\"Skype for Business Online\\\")\\n| project SuccessLogonTime = TimeGenerated, UserPrincipalName, SuccessIPAddress = IPAddress, AppDisplayName, SuccessIPBlock = strcat(split(IPAddress, \\\".\\\")[0], \\\".\\\", split(IPAddress, \\\".\\\")[1])\\n| join kind= inner (\\n SigninLogs \\n | where TimeGenerated >= ago(timeFrame) \\n | where ResultType !in (\\\"0\\\", \\\"50140\\\") \\n | where ResultDescription !~ \\\"Other\\\" \\n | where AppDisplayName !in (\\\"Office 365 Exchange Online\\\", \\\"Skype for Business Online\\\")\\n | project FailedLogonTime = TimeGenerated, UserPrincipalName, FailedIPAddress = IPAddress, AppDisplayName, ResultType, ResultDescription\\n) on UserPrincipalName, AppDisplayName \\n| where SuccessLogonTime < FailedLogonTime and FailedLogonTime - SuccessLogonTime <= logonDiff and FailedIPAddress !startswith SuccessIPBlock\\n| summarize FailedLogonTime = max(FailedLogonTime), SuccessLogonTime = max(SuccessLogonTime) by UserPrincipalName, SuccessIPAddress, AppDisplayName, FailedIPAddress, ResultType, ResultDescription \\n| extend timestamp = SuccessLogonTime, AccountCustomEntity = UserPrincipalName, IPCustomEntity = SuccessIPAddress\",\r\n \"queryFrequency\": \"P1D\",\r\n \"queryPeriod\": \"P1D\",\r\n \"triggerOperator\": \"GreaterThan\",\r\n \"triggerThreshold\": 0,\r\n \"entityMappings\": [\r\n {\r\n \"entityType\": \"Account\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"FullName\",\r\n \"columnName\": \"AccountCustomEntity\"\r\n }\r\n ]\r\n },\r\n {\r\n \"entityType\": \"IP\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"Address\",\r\n \"columnName\": \"IPCustomEntity\"\r\n }\r\n ]\r\n }\r\n ],\r\n \"displayName\": \"Successful logon from IP and failure from a different IP\",\r\n \"description\": \"Identifies when a user account successfully logs onto an Azure App from one IP and within 10 mins failed to logon to the same App via a different IP.\\nThis may indicate a malicious attempt at password guessing based on knowledge of the users account.\",\r\n \"tactics\": [\r\n \"CredentialAccess\",\r\n \"InitialAccess\"\r\n ],\r\n \"lastUpdatedDateUTC\": \"2020-11-17T00:00:00Z\",\r\n \"createdDateUTC\": \"2019-02-19T00:00:00Z\",\r\n \"status\": \"Available\",\r\n \"requiredDataConnectors\": [\r\n {\r\n \"connectorId\": \"AzureActiveDirectory\",\r\n \"dataTypes\": [\r\n \"SigninLogs\"\r\n ]\r\n }\r\n ],\r\n \"alertRulesCreatedByTemplateCount\": 0\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/AlertRuleTemplates/f845881e-2500-44dc-8ed7-b372af3e1e25\",\r\n \"name\": \"f845881e-2500-44dc-8ed7-b372af3e1e25\",\r\n \"type\": \"Microsoft.SecurityInsights/AlertRuleTemplates\",\r\n \"kind\": \"Scheduled\",\r\n \"properties\": {\r\n \"severity\": \"Low\",\r\n \"query\": \"let timeFrame = 1d;\\nlet short_uaLength = 5;\\nlet long_uaLength = 1000;\\nlet c_threshold = 100;\\nW3CIISLog \\n| where TimeGenerated >= ago(timeFrame)\\n// Exclude local IPs as these create noise\\n| where cIP !startswith \\\"192.168.\\\" and cIP != \\\"::1\\\"\\n| where isnotempty(csUserAgent) and csUserAgent !in~ (\\\"-\\\", \\\"MSRPC\\\") and (string_size(csUserAgent) <= short_uaLength or string_size(csUserAgent) >= long_uaLength)\\n| extend csUserAgent_size = string_size(csUserAgent)\\n| summarize StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated), ConnectionCount = count() by Computer, sSiteName, sPort, csUserAgent, csUserAgent_size, csUserName , csMethod, csUriStem, sIP, cIP, scStatus, scSubStatus, scWin32Status\\n| where ConnectionCount < c_threshold\\n| extend timestamp = StartTimeUtc, AccountCustomEntity = csUserName, HostCustomEntity = Computer, IPCustomEntity = cIP\",\r\n \"queryFrequency\": \"P1D\",\r\n \"queryPeriod\": \"P1D\",\r\n \"triggerOperator\": \"GreaterThan\",\r\n \"triggerThreshold\": 0,\r\n \"entityMappings\": [\r\n {\r\n \"entityType\": \"Account\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"FullName\",\r\n \"columnName\": \"AccountCustomEntity\"\r\n }\r\n ]\r\n },\r\n {\r\n \"entityType\": \"Host\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"FullName\",\r\n \"columnName\": \"HostCustomEntity\"\r\n }\r\n ]\r\n },\r\n {\r\n \"entityType\": \"IP\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"Address\",\r\n \"columnName\": \"IPCustomEntity\"\r\n }\r\n ]\r\n }\r\n ],\r\n \"displayName\": \"Anomalous User Agent connection attempt\",\r\n \"description\": \"Identifies connection attempts (success or fail) from clients with very short or very long User Agent strings and with less than 100 connection attempts.\",\r\n \"tactics\": [\r\n \"InitialAccess\"\r\n ],\r\n \"lastUpdatedDateUTC\": \"2020-11-17T00:00:00Z\",\r\n \"createdDateUTC\": \"2019-02-20T00:00:00Z\",\r\n \"status\": \"Available\",\r\n \"requiredDataConnectors\": [\r\n {\r\n \"connectorId\": \"AzureMonitor(IIS)\",\r\n \"dataTypes\": [\r\n \"W3CIISLog\"\r\n ]\r\n }\r\n ],\r\n \"alertRulesCreatedByTemplateCount\": 0\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/AlertRuleTemplates/a50766a7-0674-4ccb-8845-15dc55a80ba1\",\r\n \"name\": \"a50766a7-0674-4ccb-8845-15dc55a80ba1\",\r\n \"type\": \"Microsoft.SecurityInsights/AlertRuleTemplates\",\r\n \"kind\": \"Scheduled\",\r\n \"properties\": {\r\n \"severity\": \"Medium\",\r\n \"query\": \"let dt_lookBack = 1h;\\nlet ioc_lookBack = 14d;\\nThreatIntelligenceIndicator\\n| where TimeGenerated >= ago(ioc_lookBack) and ExpirationDateTime > now()\\n| where Active == true\\n// Picking up only IOC's that contain the entities we want\\n| where isnotempty(NetworkIP) or isnotempty(EmailSourceIpAddress) or isnotempty(NetworkDestinationIP) or isnotempty(NetworkSourceIP)\\n// As there is potentially more than 1 indicator type for matching IP, taking NetworkIP first, then others if that is empty.\\n// Taking the first non-empty value based on potential IOC match availability\\n| extend TI_ipEntity = iff(isnotempty(NetworkIP), NetworkIP, NetworkDestinationIP)\\n| extend TI_ipEntity = iff(isempty(TI_ipEntity) and isnotempty(NetworkSourceIP), NetworkSourceIP, TI_ipEntity)\\n| extend TI_ipEntity = iff(isempty(TI_ipEntity) and isnotempty(EmailSourceIpAddress), EmailSourceIpAddress, TI_ipEntity)\\n| join (\\n WireData | where TimeGenerated >= ago(dt_lookBack)\\n | where isnotempty(RemoteIP)\\n // renaming time column so it is clear the log this came from\\n | extend WireData_TimeGenerated = TimeGenerated\\n)\\non $left.TI_ipEntity == $right.RemoteIP\\n| summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId\\n| project LatestIndicatorTime, Description, ActivityGroupNames, IndicatorId, ThreatType, Url, ExpirationDateTime, ConfidenceScore, WireData_TimeGenerated,\\nTI_ipEntity, Computer, LocalIP, RemoteIP, ProcessName, ApplicationProtocol, LocalPortNumber, NetworkIP, NetworkDestinationIP, NetworkSourceIP, EmailSourceIpAddress\\n| extend timestamp = WireData_TimeGenerated, IPCustomEntity = RemoteIP, HostCustomEntity = Computer, URLCustomEntity = Url\",\r\n \"queryFrequency\": \"PT1H\",\r\n \"queryPeriod\": \"P14D\",\r\n \"triggerOperator\": \"GreaterThan\",\r\n \"triggerThreshold\": 0,\r\n \"entityMappings\": [\r\n {\r\n \"entityType\": \"Host\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"FullName\",\r\n \"columnName\": \"HostCustomEntity\"\r\n }\r\n ]\r\n },\r\n {\r\n \"entityType\": \"IP\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"Address\",\r\n \"columnName\": \"IPCustomEntity\"\r\n }\r\n ]\r\n },\r\n {\r\n \"entityType\": \"URL\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"Url\",\r\n \"columnName\": \"URLCustomEntity\"\r\n }\r\n ]\r\n }\r\n ],\r\n \"displayName\": \"(Preview) TI map IP entity to WireData\",\r\n \"description\": \"Identifies a match in WireData from any IP IOC from TI\",\r\n \"tactics\": [\r\n \"Impact\"\r\n ],\r\n \"lastUpdatedDateUTC\": \"2020-11-17T00:00:00Z\",\r\n \"createdDateUTC\": \"2019-08-27T00:00:00Z\",\r\n \"status\": \"Available\",\r\n \"requiredDataConnectors\": [\r\n {\r\n \"connectorId\": \"ThreatIntelligence\",\r\n \"dataTypes\": [\r\n \"ThreatIntelligenceIndicator\"\r\n ]\r\n },\r\n {\r\n \"connectorId\": \"ThreatIntelligenceTaxii\",\r\n \"dataTypes\": [\r\n \"ThreatIntelligenceIndicator\"\r\n ]\r\n },\r\n {\r\n \"connectorId\": \"AzureMonitor(WireData)\",\r\n \"dataTypes\": [\r\n \"WireData\"\r\n ]\r\n }\r\n ],\r\n \"alertRulesCreatedByTemplateCount\": 0\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/AlertRuleTemplates/5e45930c-09b1-4430-b2d1-cc75ada0dc0f\",\r\n \"name\": \"5e45930c-09b1-4430-b2d1-cc75ada0dc0f\",\r\n \"type\": \"Microsoft.SecurityInsights/AlertRuleTemplates\",\r\n \"kind\": \"Scheduled\",\r\n \"properties\": {\r\n \"severity\": \"Medium\",\r\n \"query\": \"let dt_lookBack = 1h;\\nlet ioc_lookBack = 14d;\\nThreatIntelligenceIndicator\\n| where TimeGenerated >= ago(ioc_lookBack) and ExpirationDateTime > now()\\n| where Active == true\\n// Picking up only IOC's that contain the entities we want\\n| where isnotempty(NetworkIP) or isnotempty(EmailSourceIpAddress) or isnotempty(NetworkDestinationIP) or isnotempty(NetworkSourceIP)\\n// As there is potentially more than 1 indicator type for matching IP, taking NetworkIP first, then others if that is empty.\\n// Taking the first non-empty value based on potential IOC match availability\\n| extend TI_ipEntity = iff(isnotempty(NetworkIP), NetworkIP, NetworkDestinationIP)\\n| extend TI_ipEntity = iff(isempty(TI_ipEntity) and isnotempty(NetworkSourceIP), NetworkSourceIP, TI_ipEntity)\\n| extend TI_ipEntity = iff(isempty(TI_ipEntity) and isnotempty(EmailSourceIpAddress), EmailSourceIpAddress, TI_ipEntity)\\n| join (\\n W3CIISLog\\n | where TimeGenerated >= ago(dt_lookBack)\\n | where isnotempty(cIP)\\n // renaming time column so it is clear the log this came from\\n | extend W3CIISLog_TimeGenerated = TimeGenerated\\n)\\non $left.TI_ipEntity == $right.cIP\\n| summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId\\n| project LatestIndicatorTime, Description, ActivityGroupNames, IndicatorId, ThreatType, Url, ExpirationDateTime, ConfidenceScore,\\nW3CIISLog_TimeGenerated, TI_ipEntity, Computer, sSiteName, cIP, sIP, sPort, csMethod, csUserName, scStatus, scSubStatus, scWin32Status,\\nNetworkIP, NetworkDestinationIP, NetworkSourceIP, EmailSourceIpAddress\\n| extend timestamp = W3CIISLog_TimeGenerated, IPCustomEntity = cIP, HostCustomEntity = Computer, AccountCustomEntity = csUserName, URLCustomEntity = Url\",\r\n \"queryFrequency\": \"PT1H\",\r\n \"queryPeriod\": \"P14D\",\r\n \"triggerOperator\": \"GreaterThan\",\r\n \"triggerThreshold\": 0,\r\n \"entityMappings\": [\r\n {\r\n \"entityType\": \"Account\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"FullName\",\r\n \"columnName\": \"AccountCustomEntity\"\r\n }\r\n ]\r\n },\r\n {\r\n \"entityType\": \"Host\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"FullName\",\r\n \"columnName\": \"HostCustomEntity\"\r\n }\r\n ]\r\n },\r\n {\r\n \"entityType\": \"IP\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"Address\",\r\n \"columnName\": \"IPCustomEntity\"\r\n }\r\n ]\r\n },\r\n {\r\n \"entityType\": \"URL\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"Url\",\r\n \"columnName\": \"URLCustomEntity\"\r\n }\r\n ]\r\n }\r\n ],\r\n \"displayName\": \"(Preview) TI map IP entity to W3CIISLog\",\r\n \"description\": \"Identifies a match in W3CIISLog from any IP IOC from TI\",\r\n \"tactics\": [\r\n \"Impact\"\r\n ],\r\n \"lastUpdatedDateUTC\": \"2020-11-17T00:00:00Z\",\r\n \"createdDateUTC\": \"2019-08-27T00:00:00Z\",\r\n \"status\": \"Available\",\r\n \"requiredDataConnectors\": [\r\n {\r\n \"connectorId\": \"ThreatIntelligence\",\r\n \"dataTypes\": [\r\n \"ThreatIntelligenceIndicator\"\r\n ]\r\n },\r\n {\r\n \"connectorId\": \"ThreatIntelligenceTaxii\",\r\n \"dataTypes\": [\r\n \"ThreatIntelligenceIndicator\"\r\n ]\r\n },\r\n {\r\n \"connectorId\": \"AzureMonitor(IIS)\",\r\n \"dataTypes\": [\r\n \"W3CIISLog\"\r\n ]\r\n }\r\n ],\r\n \"alertRulesCreatedByTemplateCount\": 0\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/AlertRuleTemplates/3174a9ec-d0ad-4152-8307-94ed04fa450a\",\r\n \"name\": \"3174a9ec-d0ad-4152-8307-94ed04fa450a\",\r\n \"type\": \"Microsoft.SecurityInsights/AlertRuleTemplates\",\r\n \"kind\": \"Scheduled\",\r\n \"properties\": {\r\n \"severity\": \"High\",\r\n \"query\": \"let timeframe = 1d;\\nlet SHA256Hash = \\\"1174fd03271f80f5e2a6435c72bdd0272a6e3a37049f6190abf125b216a83471\\\" ;\\n(union isfuzzy=true\\n(CommonSecurityLog \\n| where TimeGenerated >= ago(timeframe) \\n| parse Message with * '(' DNSName ')' * \\n| where isnotempty(FileHash)\\n| where FileHash in (SHA256Hash) \\n| extend Account = SourceUserID, Computer = DeviceName, IPAddress = SourceIP\\n),\\n(Event\\n//This query uses sysmon data depending on table name used this may need updataing\\n| where TimeGenerated >= ago(3d)\\n| where Source == \\\"Microsoft-Windows-Sysmon\\\"\\n| extend EvData = parse_xml(EventData)\\n| extend EventDetail = EvData.DataItem.EventData.Data\\n| extend Hashes = EventDetail.[16].[\\\"#text\\\"]\\n| parse Hashes with * 'SHA256=' SHA265 ',' * \\n| where isnotempty(Hashes)\\n| where Hashes in (SHA256Hash) \\n| extend Account = UserName\\n)\\n)\\n| extend timestamp = TimeGenerated, AccountCustomEntity = Account, HostCustomEntity = Computer, IPCustomEntity = IPAddress\",\r\n \"queryFrequency\": \"P1D\",\r\n \"queryPeriod\": \"P1D\",\r\n \"triggerOperator\": \"GreaterThan\",\r\n \"triggerThreshold\": 0,\r\n \"entityMappings\": [\r\n {\r\n \"entityType\": \"Account\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"FullName\",\r\n \"columnName\": \"AccountCustomEntity\"\r\n }\r\n ]\r\n },\r\n {\r\n \"entityType\": \"Host\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"FullName\",\r\n \"columnName\": \"HostCustomEntity\"\r\n }\r\n ]\r\n },\r\n {\r\n \"entityType\": \"IP\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"Address\",\r\n \"columnName\": \"IPCustomEntity\"\r\n }\r\n ]\r\n }\r\n ],\r\n \"displayName\": \"Known ZINC related maldoc hash\",\r\n \"description\": \"Document hash used by ZINC in highly targeted spear phishing campaign.\",\r\n \"tactics\": [\r\n \"CommandAndControl\",\r\n \"CredentialAccess\"\r\n ],\r\n \"lastUpdatedDateUTC\": \"2020-11-17T00:00:00Z\",\r\n \"createdDateUTC\": \"2020-10-30T00:00:00Z\",\r\n \"status\": \"Available\",\r\n \"requiredDataConnectors\": [\r\n {\r\n \"connectorId\": \"CiscoASA\",\r\n \"dataTypes\": [\r\n \"CommonSecurityLog\"\r\n ]\r\n },\r\n {\r\n \"connectorId\": \"PaloAltoNetworks\",\r\n \"dataTypes\": [\r\n \"CommonSecurityLog\"\r\n ]\r\n },\r\n {\r\n \"connectorId\": \"SecurityEvents\",\r\n \"dataTypes\": [\r\n \"SecurityEvent\"\r\n ]\r\n }\r\n ],\r\n \"alertRulesCreatedByTemplateCount\": 0\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/AlertRuleTemplates/f15370f4-c6fa-42c5-9be4-1d308f40284e\",\r\n \"name\": \"f15370f4-c6fa-42c5-9be4-1d308f40284e\",\r\n \"type\": \"Microsoft.SecurityInsights/AlertRuleTemplates\",\r\n \"kind\": \"Scheduled\",\r\n \"properties\": {\r\n \"severity\": \"Medium\",\r\n \"query\": \"let dt_lookBack = 1h;\\nlet ioc_lookBack = 14d;\\nThreatIntelligenceIndicator\\n| where TimeGenerated >= ago(ioc_lookBack) and ExpirationDateTime > now()\\n| where Active == true\\n// Picking up only IOC's that contain the entities we want\\n| where isnotempty(NetworkIP) or isnotempty(EmailSourceIpAddress) or isnotempty(NetworkDestinationIP) or isnotempty(NetworkSourceIP)\\n// As there is potentially more than 1 indicator type for matching IP, taking NetworkIP first, then others if that is empty.\\n// Taking the first non-empty value based on potential IOC match availability\\n| extend TI_ipEntity = iff(isnotempty(NetworkIP), NetworkIP, NetworkDestinationIP)\\n| extend TI_ipEntity = iff(isempty(TI_ipEntity) and isnotempty(NetworkSourceIP), NetworkSourceIP, TI_ipEntity)\\n| extend TI_ipEntity = iff(isempty(TI_ipEntity) and isnotempty(EmailSourceIpAddress), EmailSourceIpAddress, TI_ipEntity)\\n| join (\\n OfficeActivity | where TimeGenerated >= ago(dt_lookBack)\\n // renaming time column so it is clear the log this came from\\n | extend OfficeActivity_TimeGenerated = TimeGenerated\\n)\\non $left.TI_ipEntity == $right.ClientIP\\n| summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId\\n| project LatestIndicatorTime, Description, ActivityGroupNames, IndicatorId, ThreatType, Url, ExpirationDateTime, ConfidenceScore, OfficeActivity_TimeGenerated,\\nTI_ipEntity, ClientIP, UserId, Operation, ResultStatus, RecordType, OfficeObjectId, NetworkIP, NetworkDestinationIP, NetworkSourceIP, EmailSourceIpAddress\\n| extend timestamp = OfficeActivity_TimeGenerated, IPCustomEntity = ClientIP, AccountCustomEntity = UserId, URLCustomEntity = Url\",\r\n \"queryFrequency\": \"PT1H\",\r\n \"queryPeriod\": \"P14D\",\r\n \"triggerOperator\": \"GreaterThan\",\r\n \"triggerThreshold\": 0,\r\n \"entityMappings\": [\r\n {\r\n \"entityType\": \"Account\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"FullName\",\r\n \"columnName\": \"AccountCustomEntity\"\r\n }\r\n ]\r\n },\r\n {\r\n \"entityType\": \"IP\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"Address\",\r\n \"columnName\": \"IPCustomEntity\"\r\n }\r\n ]\r\n },\r\n {\r\n \"entityType\": \"URL\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"Url\",\r\n \"columnName\": \"URLCustomEntity\"\r\n }\r\n ]\r\n }\r\n ],\r\n \"displayName\": \"(Preview) TI map IP entity to OfficeActivity\",\r\n \"description\": \"Identifies a match in OfficeActivity from any IP IOC from TI\",\r\n \"tactics\": [\r\n \"Impact\"\r\n ],\r\n \"lastUpdatedDateUTC\": \"2020-11-17T00:00:00Z\",\r\n \"createdDateUTC\": \"2019-08-27T00:00:00Z\",\r\n \"status\": \"Available\",\r\n \"requiredDataConnectors\": [\r\n {\r\n \"connectorId\": \"ThreatIntelligence\",\r\n \"dataTypes\": [\r\n \"ThreatIntelligenceIndicator\"\r\n ]\r\n },\r\n {\r\n \"connectorId\": \"ThreatIntelligenceTaxii\",\r\n \"dataTypes\": [\r\n \"ThreatIntelligenceIndicator\"\r\n ]\r\n },\r\n {\r\n \"connectorId\": \"Office365\",\r\n \"dataTypes\": [\r\n \"OfficeActivity\"\r\n ]\r\n }\r\n ],\r\n \"alertRulesCreatedByTemplateCount\": 0\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/AlertRuleTemplates/9c712bb2-08dc-44d3-b66b-af154dfc1c4f\",\r\n \"name\": \"9c712bb2-08dc-44d3-b66b-af154dfc1c4f\",\r\n \"type\": \"Microsoft.SecurityInsights/AlertRuleTemplates\",\r\n \"kind\": \"Anomaly\",\r\n \"properties\": {\r\n \"severity\": \"Informational\",\r\n \"anomalyDefinitionVersion\": \"0.0.1\",\r\n \"techniques\": [\r\n \"T1001\"\r\n ],\r\n \"customizableObservations\": {\r\n \"multiSelectObservations\": null,\r\n \"singleSelectObservations\": null,\r\n \"prioritizeExcludeObservations\": null,\r\n \"thresholdObservations\": [\r\n {\r\n \"minimum\": \"0\",\r\n \"maximum\": \"1\",\r\n \"value\": \"0.07\",\r\n \"name\": \"AnomalyScore\",\r\n \"description\": \"Generate an anomaly when score is greater than the chosen value\",\r\n \"sequenceNumber\": 1,\r\n \"rerun\": \"NotRequired\"\r\n }\r\n ]\r\n },\r\n \"frequency\": \"P1D\",\r\n \"displayName\": \"(Preview) Suspicious volume of logons to computer\",\r\n \"description\": \"This algorithm is to detect unusually high volume of successful logins per each workspace and computer. Successful logins are events with event id 4624.\",\r\n \"tactics\": [\r\n \"InitialAccess\"\r\n ],\r\n \"lastUpdatedDateUTC\": \"2020-11-19T00:00:00Z\",\r\n \"createdDateUTC\": \"2020-11-19T00:00:00Z\",\r\n \"status\": \"Available\",\r\n \"requiredDataConnectors\": [\r\n {\r\n \"connectorId\": \"SecurityEvents\",\r\n \"dataTypes\": [\r\n \"SecurityEvents\"\r\n ]\r\n }\r\n ],\r\n \"alertRulesCreatedByTemplateCount\": 0\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/AlertRuleTemplates/68271db2-cbe9-4009-b1d3-bb3b5fe5713c\",\r\n \"name\": \"68271db2-cbe9-4009-b1d3-bb3b5fe5713c\",\r\n \"type\": \"Microsoft.SecurityInsights/AlertRuleTemplates\",\r\n \"kind\": \"Scheduled\",\r\n \"properties\": {\r\n \"severity\": \"Low\",\r\n \"query\": \"let detectionTime = 30d;\\nlet User_Agents = dynamic ([\\\"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70\\\", \\n\\\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_1) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.1 Safari/605.1.15\\\", \\n\\\"Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:63.0) Gecko/20100101 Firefox/63.0\\\", \\n\\\"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.110 Safari/537.36\\\", \\n\\\"Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.110 Safari/537.36\\\"]);\\nOfficeActivity\\n| where TimeGenerated > ago(detectionTime)\\n| where RecordType in (\\\"AzureActiveDirectoryAccountLogon\\\", \\\"AzureActiveDirectoryStsLogon\\\") \\n| where Operation != 'UserLoggedIn'\\n| extend UserAgent = iff(parse_json(ExtendedProperties)[0].Name =~ \\\"UserAgent\\\", extractjson(\\\"$[0].Value\\\", ExtendedProperties, typeof(string)),\\\"\\\")\\n| mv-expand parse_json(ExtendedProperties)\\n| where ExtendedProperties.Name =~ \\\"RequestType\\\"\\n| extend RequestType = todynamic(ExtendedProperties).Value\\n| where UserAgent =~ \\\"ms-office\\\" or UserAgent has_any (User_Agents)\\n| summarize authAttempts=dcount(TimeGenerated), firstAttempt=min(TimeGenerated), lastAttempt=max(TimeGenerated), uniqueIPs=dcount(ClientIP), uniqueAccounts=dcount(UserId), attemptedAccounts=make_set(UserId) by UserAgent\\n| where authAttempts > 500\\n| extend timestamp = firstAttempt\\n| sort by uniqueAccounts\",\r\n \"queryFrequency\": \"P7D\",\r\n \"queryPeriod\": \"P14D\",\r\n \"triggerOperator\": \"GreaterThan\",\r\n \"triggerThreshold\": 0,\r\n \"displayName\": \"Possible STRONTIUM attempted credential harvesting\",\r\n \"description\": \"Surfaces potential STRONTIUM group Office365 credential harvesting attempts within OfficeActivity Logon events.\",\r\n \"tactics\": [\r\n \"CredentialAccess\"\r\n ],\r\n \"lastUpdatedDateUTC\": \"2020-11-05T00:00:00Z\",\r\n \"createdDateUTC\": \"2020-09-10T00:00:00Z\",\r\n \"status\": \"Available\",\r\n \"requiredDataConnectors\": [\r\n {\r\n \"connectorId\": \"Office365\",\r\n \"dataTypes\": [\r\n \"OfficeActivity\"\r\n ]\r\n }\r\n ],\r\n \"alertRulesCreatedByTemplateCount\": 0\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/AlertRuleTemplates/06107abb-1b68-4fdc-841b-8a1ff9301467\",\r\n \"name\": \"06107abb-1b68-4fdc-841b-8a1ff9301467\",\r\n \"type\": \"Microsoft.SecurityInsights/AlertRuleTemplates\",\r\n \"kind\": \"Anomaly\",\r\n \"properties\": {\r\n \"severity\": \"Informational\",\r\n \"anomalyDefinitionVersion\": \"1.0.0\",\r\n \"techniques\": [\r\n \"T1030\"\r\n ],\r\n \"customizableObservations\": {\r\n \"multiSelectObservations\": null,\r\n \"singleSelectObservations\": null,\r\n \"prioritizeExcludeObservations\": null,\r\n \"thresholdObservations\": [\r\n {\r\n \"minimum\": \"0\",\r\n \"maximum\": \"1\",\r\n \"value\": \"0.998\",\r\n \"name\": \"Receive_threshold\",\r\n \"description\": \"Generate an anomaly when score is greater than the chosen value\",\r\n \"sequenceNumber\": 0,\r\n \"rerun\": \"NotRequired\"\r\n },\r\n {\r\n \"minimum\": \"0\",\r\n \"maximum\": \"1\",\r\n \"value\": \"0.998\",\r\n \"name\": \"Send_threshold\",\r\n \"description\": \"Generate an anomaly when score is greater than the chosen value\",\r\n \"sequenceNumber\": 1,\r\n \"rerun\": \"NotRequired\"\r\n }\r\n ]\r\n },\r\n \"frequency\": \"P1D\",\r\n \"displayName\": \"(Preview) Palo Alto Networks - VPN data transfer anomaly\",\r\n \"description\": \"Data transfer anomaly over Palo Alto Globalprotect VPN session\",\r\n \"tactics\": [\r\n \"Exfiltration\"\r\n ],\r\n \"lastUpdatedDateUTC\": \"2020-11-17T00:00:00Z\",\r\n \"createdDateUTC\": \"2020-11-02T00:00:00Z\",\r\n \"status\": \"Available\",\r\n \"requiredDataConnectors\": [\r\n {\r\n \"connectorId\": \"PaloAltoNetworks\",\r\n \"dataTypes\": [\r\n \"CommonSecurityLog\"\r\n ]\r\n }\r\n ],\r\n \"alertRulesCreatedByTemplateCount\": 0\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/AlertRuleTemplates/957cb240-f45d-4491-9ba5-93430a3c08be\",\r\n \"name\": \"957cb240-f45d-4491-9ba5-93430a3c08be\",\r\n \"type\": \"Microsoft.SecurityInsights/AlertRuleTemplates\",\r\n \"kind\": \"Scheduled\",\r\n \"properties\": {\r\n \"severity\": \"Low\",\r\n \"query\": \"let timeframe = 1d;\\nOfficeActivity\\n| where TimeGenerated >= ago(timeframe)\\n| where Operation in~ ( \\\"Add-MailboxPermission\\\", \\\"Add-MailboxFolderPermission\\\", \\\"Set-Mailbox\\\", \\\"New-ManagementRoleAssignment\\\")\\nand not(UserId has_any ('NT AUTHORITY\\\\\\\\SYSTEM (Microsoft.Exchange.ServiceHost)','devilfish-applicationaccount') and Operation in~ ( \\\"Add-MailboxPermission\\\", \\\"Set-Mailbox\\\"))\\n| extend timestamp = TimeGenerated, AccountCustomEntity = UserId, IPCustomEntity = ClientIP\",\r\n \"queryFrequency\": \"P1D\",\r\n \"queryPeriod\": \"P1D\",\r\n \"triggerOperator\": \"GreaterThan\",\r\n \"triggerThreshold\": 0,\r\n \"entityMappings\": [\r\n {\r\n \"entityType\": \"Account\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"FullName\",\r\n \"columnName\": \"AccountCustomEntity\"\r\n }\r\n ]\r\n },\r\n {\r\n \"entityType\": \"IP\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"Address\",\r\n \"columnName\": \"IPCustomEntity\"\r\n }\r\n ]\r\n }\r\n ],\r\n \"displayName\": \"Rare and potentially high-risk Office operations\",\r\n \"description\": \"Identifies Office operations that are typically rare and can provide capabilities useful to attackers.\",\r\n \"tactics\": [\r\n \"Persistence\",\r\n \"Collection\"\r\n ],\r\n \"lastUpdatedDateUTC\": \"2020-11-17T00:00:00Z\",\r\n \"createdDateUTC\": \"2019-02-13T00:00:00Z\",\r\n \"status\": \"Available\",\r\n \"requiredDataConnectors\": [\r\n {\r\n \"connectorId\": \"Office365\",\r\n \"dataTypes\": [\r\n \"OfficeActivity\"\r\n ]\r\n }\r\n ],\r\n \"alertRulesCreatedByTemplateCount\": 0\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/AlertRuleTemplates/795edf2d-cf3e-45b5-8452-fe6c9e6a582e\",\r\n \"name\": \"795edf2d-cf3e-45b5-8452-fe6c9e6a582e\",\r\n \"type\": \"Microsoft.SecurityInsights/AlertRuleTemplates\",\r\n \"kind\": \"Scheduled\",\r\n \"properties\": {\r\n \"severity\": \"Medium\",\r\n \"query\": \"let timeframe = 1h;\\nCommonSecurityLog \\n| where TimeGenerated >= ago(timeframe)\\n| where isempty(CommunicationDirection) \\n| where DeviceEventClassID in (\\\"733101\\\",\\\"733102\\\",\\\"733103\\\",\\\"733104\\\",\\\"733105\\\")\\n| extend timestamp = TimeGenerated, IPCustomEntity = SourceIP, HostCustomEntity = DeviceName\",\r\n \"queryFrequency\": \"PT1H\",\r\n \"queryPeriod\": \"PT1H\",\r\n \"triggerOperator\": \"GreaterThan\",\r\n \"triggerThreshold\": 0,\r\n \"entityMappings\": [\r\n {\r\n \"entityType\": \"Host\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"FullName\",\r\n \"columnName\": \"HostCustomEntity\"\r\n }\r\n ]\r\n },\r\n {\r\n \"entityType\": \"IP\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"Address\",\r\n \"columnName\": \"IPCustomEntity\"\r\n }\r\n ]\r\n }\r\n ],\r\n \"displayName\": \"Cisco ASA - threat detection message fired\",\r\n \"description\": \"Identifies when the Cisco ASA Threat Detection engine fired an alert based on malicious activity occurring on the network inicated by DeviceEventClassID 733101-733105\\nResources: https://www.cisco.com/c/en/us/td/docs/security/asa/syslog/b_syslog/syslogs9.html\\nDetails on how to further troubleshoot/investigate: https://www.cisco.com/c/en/us/support/docs/security/asa-5500-x-series-next-generation-firewalls/113685-asa-threat-detection.html\",\r\n \"tactics\": [\r\n \"Discovery\",\r\n \"Impact\"\r\n ],\r\n \"lastUpdatedDateUTC\": \"2020-11-17T00:00:00Z\",\r\n \"createdDateUTC\": \"2019-02-28T00:00:00Z\",\r\n \"status\": \"Available\",\r\n \"requiredDataConnectors\": [\r\n {\r\n \"connectorId\": \"CiscoASA\",\r\n \"dataTypes\": [\r\n \"CommonSecurityLog\"\r\n ]\r\n }\r\n ],\r\n \"alertRulesCreatedByTemplateCount\": 0\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/AlertRuleTemplates/4d94d4a9-dc96-410a-8dea-4d4d4584188b\",\r\n \"name\": \"4d94d4a9-dc96-410a-8dea-4d4d4584188b\",\r\n \"type\": \"Microsoft.SecurityInsights/AlertRuleTemplates\",\r\n \"kind\": \"Scheduled\",\r\n \"properties\": {\r\n \"severity\": \"Medium\",\r\n \"query\": \"let timeframe = 1h;\\nlet OperationList = dynamic([\\\"Add member to role\\\",\\\"Add member to role in PIM requested (permanent)\\\"]);\\nlet PrivilegedGroups = dynamic([\\\"UserAccountAdmins\\\",\\\"PrivilegedRoleAdmins\\\",\\\"TenantAdmins\\\"]);\\nAuditLogs\\n| where TimeGenerated >= ago(timeframe)\\n| where LoggedByService =~ \\\"Core Directory\\\"\\n| where Category =~ \\\"RoleManagement\\\"\\n| where OperationName in~ (OperationList)\\n| mv-expand TargetResources\\n| extend modifiedProperties = parse_json(TargetResources).modifiedProperties\\n| mv-expand modifiedProperties\\n| extend DisplayName = tostring(parse_json(modifiedProperties).displayName), GroupName = trim(@'\\\"',tostring(parse_json(modifiedProperties).newValue))\\n| extend AppId = tostring(parse_json(parse_json(InitiatedBy).app).appId), InitiatedByDisplayName = tostring(parse_json(parse_json(InitiatedBy).app).displayName), ServicePrincipalId = tostring(parse_json(parse_json(InitiatedBy).app).servicePrincipalId), ServicePrincipalName = tostring(parse_json(parse_json(InitiatedBy).app).servicePrincipalName)\\n| where DisplayName =~ \\\"Role.WellKnownObjectName\\\"\\n| where GroupName in~ (PrivilegedGroups)\\n// If you want to still alert for operations from PIM, remove below filtering for MS-PIM.\\n| where InitiatedByDisplayName != \\\"MS-PIM\\\"\\n| project TimeGenerated, AADOperationType, Category, OperationName, AADTenantId, AppId, InitiatedByDisplayName, ServicePrincipalId, ServicePrincipalName, DisplayName, GroupName\\n| extend timestamp = TimeGenerated, AccountCustomEntity = ServicePrincipalName\",\r\n \"queryFrequency\": \"PT1H\",\r\n \"queryPeriod\": \"PT1H\",\r\n \"triggerOperator\": \"GreaterThan\",\r\n \"triggerThreshold\": 0,\r\n \"entityMappings\": [\r\n {\r\n \"entityType\": \"Account\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"FullName\",\r\n \"columnName\": \"AccountCustomEntity\"\r\n }\r\n ]\r\n }\r\n ],\r\n \"displayName\": \"User added to Azure Active Directory Privileged Groups\",\r\n \"description\": \"This will alert when a user is added to any of the Privileged Groups.\\nFor further information on AuditLogs please see https://docs.microsoft.com/azure/active-directory/reports-monitoring/reference-audit-activities.\\nFor Administrator role permissions in Azure Active Directory please see https://docs.microsoft.com/azure/active-directory/users-groups-roles/directory-assign-admin-roles\",\r\n \"tactics\": [\r\n \"Persistence\",\r\n \"PrivilegeEscalation\"\r\n ],\r\n \"lastUpdatedDateUTC\": \"2020-11-17T00:00:00Z\",\r\n \"createdDateUTC\": \"2020-07-15T00:00:00Z\",\r\n \"status\": \"Available\",\r\n \"requiredDataConnectors\": [\r\n {\r\n \"connectorId\": \"AzureActiveDirectory\",\r\n \"dataTypes\": [\r\n \"AuditLogs\"\r\n ]\r\n }\r\n ],\r\n \"alertRulesCreatedByTemplateCount\": 0\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/AlertRuleTemplates/dd0a6029-ecef-4507-89c4-fc355ac52111\",\r\n \"name\": \"dd0a6029-ecef-4507-89c4-fc355ac52111\",\r\n \"type\": \"Microsoft.SecurityInsights/AlertRuleTemplates\",\r\n \"kind\": \"Scheduled\",\r\n \"properties\": {\r\n \"severity\": \"Medium\",\r\n \"query\": \"let dt_lookBack = 1h;\\nlet ioc_lookBack = 14d;\\n//Create a list of TLDs in our threat feed for later validation of extracted domains\\nlet list_tlds = ThreatIntelligenceIndicator\\n | where TimeGenerated > ago(ioc_lookBack)\\n | where isnotempty(DomainName)\\n | extend DomainName = tolower(DomainName)\\n | extend parts = split(DomainName, '.')\\n | extend tld = parts[(array_length(parts)-1)]\\n | summarize count() by tostring(tld)\\n | summarize make_list(tld);\\n ThreatIntelligenceIndicator\\n | where TimeGenerated >= ago(ioc_lookBack) and ExpirationDateTime > now()\\n | summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId\\n | where Active == true\\n // Picking up only IOC's that contain the entities we want\\n | where isnotempty(DomainName)\\n | join (\\n CommonSecurityLog\\n | extend IngestionTime = ingestion_time()\\n | where IngestionTime > ago(dt_lookBack)\\n | where DeviceEventClassID =~ 'url'\\n //Uncomment the line below to only alert on allowed connections\\n //| where DeviceAction !~ \\\"block-url\\\"\\n //Extract domain from RequestURL, if not present extarct it from AdditionalExtentions\\n | extend PA_Url = columnifexists(\\\"RequestURL\\\", \\\"None\\\")\\n | extend PA_Url = iif(isempty(PA_Url) and AdditionalExtensions !startswith \\\"PanOS\\\", extract(\\\"([^\\\\\\\"]+)\\\", 1, tolower(AdditionalExtensions)), trim('\\\"', PA_Url))\\n | extend PA_Url = iif(PA_Url !startswith \\\"http://\\\" and ApplicationProtocol !~ \\\"ssl\\\", strcat('http://', PA_Url), iif(PA_Url !startswith \\\"https://\\\" and ApplicationProtocol =~ \\\"ssl\\\", strcat('https://', PA_Url), PA_Url))\\n | extend Domain = trim(@\\\"\\\"\\\"\\\",tostring(parse_url(PA_Url).Host))\\n | where isnotempty(Domain)\\n | extend Domain = tolower(Domain)\\n | extend parts = split(Domain, '.')\\n //Split out the TLD for the purpose of checking if we have any TI indicators with this TLD to match on\\n | extend tld = parts[(array_length(parts)-1)]\\n //Validate parsed domain by checking TLD against TLDs from threat feed and drop domains where there is no chance of a match\\n | where tld in~ (list_tlds)\\n | extend CSL_TimeGenerated = TimeGenerated\\n ) on $left.DomainName==$right.Domain\\n | project LatestIndicatorTime, Description, ActivityGroupNames, PA_Url, Domain, IndicatorId, ThreatType, ExpirationDateTime, ConfidenceScore, CSL_TimeGenerated, DeviceAction, DestinationIP, DestinationPort, DeviceName, SourceIP, SourcePort, ApplicationProtocol, RequestMethod\\n | extend timestamp = CSL_TimeGenerated, IPCustomEntity = SourceIP, HostCustomEntity = DeviceName, URLCustomEntity = PA_Url\",\r\n \"queryFrequency\": \"PT1H\",\r\n \"queryPeriod\": \"P14D\",\r\n \"triggerOperator\": \"GreaterThan\",\r\n \"triggerThreshold\": 0,\r\n \"entityMappings\": [\r\n {\r\n \"entityType\": \"Host\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"FullName\",\r\n \"columnName\": \"HostCustomEntity\"\r\n }\r\n ]\r\n },\r\n {\r\n \"entityType\": \"IP\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"Address\",\r\n \"columnName\": \"IPCustomEntity\"\r\n }\r\n ]\r\n },\r\n {\r\n \"entityType\": \"URL\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"Url\",\r\n \"columnName\": \"URLCustomEntity\"\r\n }\r\n ]\r\n }\r\n ],\r\n \"displayName\": \"(Preview) TI map Domain entity to CommonSecurityLog\",\r\n \"description\": \"Identifies a match in CommonSecurityLog table from any Domain IOC from TI\",\r\n \"tactics\": [\r\n \"Impact\"\r\n ],\r\n \"lastUpdatedDateUTC\": \"2020-11-17T00:00:00Z\",\r\n \"createdDateUTC\": \"2019-08-28T00:00:00Z\",\r\n \"status\": \"Available\",\r\n \"requiredDataConnectors\": [\r\n {\r\n \"connectorId\": \"ThreatIntelligence\",\r\n \"dataTypes\": [\r\n \"ThreatIntelligenceIndicator\"\r\n ]\r\n },\r\n {\r\n \"connectorId\": \"ThreatIntelligenceTaxii\",\r\n \"dataTypes\": [\r\n \"ThreatIntelligenceIndicator\"\r\n ]\r\n }\r\n ],\r\n \"alertRulesCreatedByTemplateCount\": 0\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/AlertRuleTemplates/157c0cfc-d76d-463b-8755-c781608cdc1a\",\r\n \"name\": \"157c0cfc-d76d-463b-8755-c781608cdc1a\",\r\n \"type\": \"Microsoft.SecurityInsights/AlertRuleTemplates\",\r\n \"kind\": \"Scheduled\",\r\n \"properties\": {\r\n \"severity\": \"Medium\",\r\n \"query\": \"let PrivateIPregex = @'^127\\\\.|^10\\\\.|^172\\\\.1[6-9]\\\\.|^172\\\\.2[0-9]\\\\.|^172\\\\.3[0-1]\\\\.|^192\\\\.168\\\\.';\\nlet endtime = 1d;\\nCommonSecurityLog\\n| where TimeGenerated >= ago(endtime) \\n| where DeviceVendor =~ \\\"Cisco\\\"\\n| where DeviceAction =~ \\\"denied\\\"\\n| extend SourceIPType = iff(SourceIP matches regex PrivateIPregex,\\\"private\\\" ,\\\"public\\\" )\\n| where SourceIPType == \\\"public\\\"\\n| summarize count() by SourceIP\\n| join (\\n // Successful signins from IPs blocked by the firewall solution are suspect\\n // Include fully successful sign-ins, but also ones that failed only at MFA stage\\n // as that supposes the password was sucessfully guessed.\\n SigninLogs\\n | where ResultType in (\\\"0\\\", \\\"50074\\\", \\\"50076\\\") \\n) on $left.SourceIP == $right.IPAddress\\n| extend timestamp = TimeGenerated, IPCustomEntity = SourceIP, AccountCustomEntity = UserPrincipalName\",\r\n \"queryFrequency\": \"P1D\",\r\n \"queryPeriod\": \"P1D\",\r\n \"triggerOperator\": \"GreaterThan\",\r\n \"triggerThreshold\": 0,\r\n \"entityMappings\": [\r\n {\r\n \"entityType\": \"Account\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"FullName\",\r\n \"columnName\": \"AccountCustomEntity\"\r\n }\r\n ]\r\n },\r\n {\r\n \"entityType\": \"IP\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"Address\",\r\n \"columnName\": \"IPCustomEntity\"\r\n }\r\n ]\r\n }\r\n ],\r\n \"displayName\": \"Cisco - firewall block but success logon to Azure AD\",\r\n \"description\": \"Correlate IPs blocked by a Cisco firewall appliance with successful Azure Active Directory signins. \\nBecause the IP was blocked by the firewall, that same IP logging on successfully to AAD is potentially suspect\\nand could indicate credential compromise for the user account.\",\r\n \"tactics\": [\r\n \"InitialAccess\"\r\n ],\r\n \"lastUpdatedDateUTC\": \"2020-11-17T00:00:00Z\",\r\n \"createdDateUTC\": \"2019-07-08T00:00:00Z\",\r\n \"status\": \"Available\",\r\n \"requiredDataConnectors\": [\r\n {\r\n \"connectorId\": \"CiscoASA\",\r\n \"dataTypes\": [\r\n \"CommonSecurityLog\"\r\n ]\r\n },\r\n {\r\n \"connectorId\": \"AzureActiveDirectory\",\r\n \"dataTypes\": [\r\n \"SigninLogs\"\r\n ]\r\n }\r\n ],\r\n \"alertRulesCreatedByTemplateCount\": 0\r\n }\r\n }\r\n ]\r\n}",
+ "StatusCode": 200
+ },
+ {
+ "RequestUri": "/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/alertRuleTemplates/826bb2f8-7894-4785-9a6b-a8a855d8366f?api-version=2020-01-01",
+ "EncodedRequestUri": "L3N1YnNjcmlwdGlvbnMvMWM2MWNjYmYtNzBiMy00NWEzLWExZmItODQ4Y2U0NmQ3MGE2L3Jlc291cmNlR3JvdXBzL25kaWNvbGEtYXpzcG9zaC9wcm92aWRlcnMvTWljcm9zb2Z0Lk9wZXJhdGlvbmFsSW5zaWdodHMvd29ya3NwYWNlcy9henNwb3NoL3Byb3ZpZGVycy9NaWNyb3NvZnQuU2VjdXJpdHlJbnNpZ2h0cy9hbGVydFJ1bGVUZW1wbGF0ZXMvODI2YmIyZjgtNzg5NC00Nzg1LTlhNmItYThhODU1ZDgzNjZmP2FwaS12ZXJzaW9uPTIwMjAtMDEtMDE=",
+ "RequestMethod": "GET",
+ "RequestBody": "",
+ "RequestHeaders": {
+ "x-ms-client-request-id": [
+ "8843ffea-ad7a-4552-9c7f-784fc5e1703b"
+ ],
+ "Accept-Language": [
+ "en-US"
+ ],
+ "User-Agent": [
+ "FxVersion/4.6.29321.03",
+ "OSName/Windows",
+ "OSVersion/Microsoft.Windows.10.0.19042.",
+ "Microsoft.Azure.Management.SecurityInsights.SecurityInsightsClient/1.0.0.0"
+ ]
+ },
+ "ResponseHeaders": {
+ "Cache-Control": [
+ "no-cache"
+ ],
+ "Pragma": [
+ "no-cache"
+ ],
+ "x-ms-ratelimit-remaining-subscription-reads": [
+ "11998"
+ ],
+ "Server": [
+ "Kestrel"
+ ],
+ "x-ms-request-id": [
+ "8500fd78-7132-49a6-a180-9fea434bb234"
+ ],
+ "x-ms-correlation-request-id": [
+ "8500fd78-7132-49a6-a180-9fea434bb234"
+ ],
+ "x-ms-routing-request-id": [
+ "WESTUS2:20201210T214405Z:8500fd78-7132-49a6-a180-9fea434bb234"
+ ],
+ "Strict-Transport-Security": [
+ "max-age=31536000; includeSubDomains"
+ ],
+ "X-Content-Type-Options": [
+ "nosniff"
+ ],
+ "Date": [
+ "Thu, 10 Dec 2020 21:44:04 GMT"
+ ],
+ "Content-Length": [
+ "4346"
+ ],
+ "Content-Type": [
+ "application/json; charset=utf-8"
+ ],
+ "Expires": [
+ "-1"
+ ]
+ },
+ "ResponseBody": "{\r\n \"id\": \"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/AlertRuleTemplates/826bb2f8-7894-4785-9a6b-a8a855d8366f\",\r\n \"name\": \"826bb2f8-7894-4785-9a6b-a8a855d8366f\",\r\n \"type\": \"Microsoft.SecurityInsights/AlertRuleTemplates\",\r\n \"kind\": \"Scheduled\",\r\n \"properties\": {\r\n \"severity\": \"Medium\",\r\n \"query\": \"let EventNameList = dynamic([\\\"AttachUserPolicy\\\",\\\"AttachRolePolicy\\\",\\\"AttachGroupPolicy\\\"]);\\nlet createPolicy = \\\"CreatePolicy\\\";\\nlet timeframe = 1d;\\nlet lookback = 14d;\\n// Creating Master table with all the events to use with materialize for better performance\\nlet EventInfo = AWSCloudTrail\\n| where TimeGenerated >= ago(lookback)\\n| where EventName in (EventNameList) or EventName == createPolicy;\\n//Checking for Policy creation event with Full Admin Privileges since lookback period.\\nlet FullAdminPolicyEvents = materialize( EventInfo\\n| where TimeGenerated >= ago(lookback)\\n| where EventName == createPolicy\\n| extend PolicyName = tostring(parse_json(RequestParameters).policyName)\\n| extend Statement = parse_json(tostring((parse_json(RequestParameters).policyDocument))).Statement\\n| mvexpand Statement\\n| extend Action = parse_json(Statement).Action , Effect = tostring(parse_json(Statement).Effect), Resource = tostring(parse_json(Statement).Resource)\\n| mvexpand Action\\n| extend Action = tostring(Action)\\n| where Effect =~ \\\"Allow\\\" and Action == \\\"*\\\" and Resource == \\\"*\\\"\\n| distinct TimeGenerated, EventName, PolicyName, SourceIpAddress, UserIdentityArn, UserIdentityUserName\\n| extend UserIdentityUserName = iff(isnotempty(UserIdentityUserName), UserIdentityUserName, tostring(split(UserIdentityArn,'/')[-1]))\\n| project-rename StartTime = TimeGenerated );\\nlet PolicyAttach = materialize( EventInfo\\n| where TimeGenerated >= ago(timeframe)\\n| where EventName in (EventNameList)\\n| extend PolicyName = tostring(split(tostring(parse_json(RequestParameters).policyArn),\\\"/\\\")[1])\\n| summarize AttachEventCount=count(), StartTime = min(TimeGenerated), EndTime = max(TimeGenerated) by EventSource, EventName, UserIdentityType , UserIdentityArn, SourceIpAddress, UserIdentityUserName = iff(isnotempty(UserIdentityUserName), UserIdentityUserName, tostring(split(UserIdentityArn,'/')[-1])), PolicyName\\n| extend AttachEvent = pack(\\\"StartTime\\\", StartTime, \\\"EndTime\\\", EndTime, \\\"EventName\\\", EventName, \\\"UserIdentityType\\\", UserIdentityType, \\\"UserIdentityArn\\\", UserIdentityArn, \\\"SourceIpAddress\\\", SourceIpAddress, \\\"UserIdentityUserName\\\", UserIdentityUserName)\\n| project EventSource, PolicyName, AttachEvent, AttachEventCount\\n);\\n// Joining the list of PolicyNames and checking if it has been attached to any Roles/Users/Groups.\\n// These Roles/Users/Groups will be Privileged and can be used by adversaries as pivot point for privilege escalation via multiple ways.\\nFullAdminPolicyEvents\\n| join kind=leftouter\\n(\\n PolicyAttach\\n)\\non PolicyName\\n| project-away PolicyName1\\n| extend timestamp = StartTime, IPCustomEntity = SourceIpAddress, AccountCustomEntity = UserIdentityUserName\",\r\n \"queryFrequency\": \"P1D\",\r\n \"queryPeriod\": \"P14D\",\r\n \"triggerOperator\": \"GreaterThan\",\r\n \"triggerThreshold\": 0,\r\n \"entityMappings\": [\r\n {\r\n \"entityType\": \"Account\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"FullName\",\r\n \"columnName\": \"AccountCustomEntity\"\r\n }\r\n ]\r\n },\r\n {\r\n \"entityType\": \"IP\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"Address\",\r\n \"columnName\": \"IPCustomEntity\"\r\n }\r\n ]\r\n }\r\n ],\r\n \"displayName\": \"Full Admin policy created and then attached to Roles, Users or Groups\",\r\n \"description\": \"Identity and Access Management (IAM) securely manages access to AWS services and resources. \\nIdentifies when a policy is created with Full Administrators Access (Allow-Action:*,Resource:*). \\nThis policy can be attached to role,user or group and may be used by an adversary to escalate a normal user privileges to an adminsitrative level.\\nAWS IAM Policy Grammar: https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_grammar.html\\nand AWS IAM API at https://docs.aws.amazon.com/IAM/latest/APIReference/API_Operations.html\",\r\n \"tactics\": [\r\n \"PrivilegeEscalation\"\r\n ],\r\n \"lastUpdatedDateUTC\": \"2020-11-17T00:00:00Z\",\r\n \"createdDateUTC\": \"2020-04-27T00:00:00Z\",\r\n \"status\": \"Available\",\r\n \"requiredDataConnectors\": [\r\n {\r\n \"connectorId\": \"AWS\",\r\n \"dataTypes\": [\r\n \"AWSCloudTrail\"\r\n ]\r\n }\r\n ],\r\n \"alertRulesCreatedByTemplateCount\": 0\r\n }\r\n}",
+ "StatusCode": 200
+ }
+ ],
+ "Names": {},
+ "Variables": {
+ "SubscriptionId": "1c61ccbf-70b3-45a3-a1fb-848ce46d70a6"
+ }
+}
\ No newline at end of file
diff --git a/src/SecurityInsights/SecurityInsights.Test/SessionRecords/Microsoft.Azure.Commands.SecurityInsights.Test.ScenarioTests.AlertRuleTemplatesTests/List.json b/src/SecurityInsights/SecurityInsights.Test/SessionRecords/Microsoft.Azure.Commands.SecurityInsights.Test.ScenarioTests.AlertRuleTemplatesTests/List.json
new file mode 100644
index 000000000000..cb745bc77630
--- /dev/null
+++ b/src/SecurityInsights/SecurityInsights.Test/SessionRecords/Microsoft.Azure.Commands.SecurityInsights.Test.ScenarioTests.AlertRuleTemplatesTests/List.json
@@ -0,0 +1,71 @@
+{
+ "Entries": [
+ {
+ "RequestUri": "/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/alertRuleTemplates?api-version=2020-01-01",
+ "EncodedRequestUri": "L3N1YnNjcmlwdGlvbnMvMWM2MWNjYmYtNzBiMy00NWEzLWExZmItODQ4Y2U0NmQ3MGE2L3Jlc291cmNlR3JvdXBzL25kaWNvbGEtYXpzcG9zaC9wcm92aWRlcnMvTWljcm9zb2Z0Lk9wZXJhdGlvbmFsSW5zaWdodHMvd29ya3NwYWNlcy9henNwb3NoL3Byb3ZpZGVycy9NaWNyb3NvZnQuU2VjdXJpdHlJbnNpZ2h0cy9hbGVydFJ1bGVUZW1wbGF0ZXM/YXBpLXZlcnNpb249MjAyMC0wMS0wMQ==",
+ "RequestMethod": "GET",
+ "RequestBody": "",
+ "RequestHeaders": {
+ "x-ms-client-request-id": [
+ "4c510188-5376-478b-97c8-c5a1a3194794"
+ ],
+ "Accept-Language": [
+ "en-US"
+ ],
+ "User-Agent": [
+ "FxVersion/4.6.29321.03",
+ "OSName/Windows",
+ "OSVersion/Microsoft.Windows.10.0.19042.",
+ "Microsoft.Azure.Management.SecurityInsights.SecurityInsightsClient/1.0.0.0"
+ ]
+ },
+ "ResponseHeaders": {
+ "Cache-Control": [
+ "no-cache"
+ ],
+ "Pragma": [
+ "no-cache"
+ ],
+ "x-ms-ratelimit-remaining-subscription-reads": [
+ "11999"
+ ],
+ "Server": [
+ "Kestrel"
+ ],
+ "x-ms-request-id": [
+ "22cc4e34-6499-4266-9c76-32b064453700"
+ ],
+ "x-ms-correlation-request-id": [
+ "22cc4e34-6499-4266-9c76-32b064453700"
+ ],
+ "x-ms-routing-request-id": [
+ "WESTUS2:20201210T214406Z:22cc4e34-6499-4266-9c76-32b064453700"
+ ],
+ "Strict-Transport-Security": [
+ "max-age=31536000; includeSubDomains"
+ ],
+ "X-Content-Type-Options": [
+ "nosniff"
+ ],
+ "Date": [
+ "Thu, 10 Dec 2020 21:44:06 GMT"
+ ],
+ "Content-Length": [
+ "517052"
+ ],
+ "Content-Type": [
+ "application/json; charset=utf-8"
+ ],
+ "Expires": [
+ "-1"
+ ]
+ },
+ "ResponseBody": "{\r\n \"value\": [\r\n {\r\n \"id\": \"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/AlertRuleTemplates/826bb2f8-7894-4785-9a6b-a8a855d8366f\",\r\n \"name\": \"826bb2f8-7894-4785-9a6b-a8a855d8366f\",\r\n \"type\": \"Microsoft.SecurityInsights/AlertRuleTemplates\",\r\n \"kind\": \"Scheduled\",\r\n \"properties\": {\r\n \"severity\": \"Medium\",\r\n \"query\": \"let EventNameList = dynamic([\\\"AttachUserPolicy\\\",\\\"AttachRolePolicy\\\",\\\"AttachGroupPolicy\\\"]);\\nlet createPolicy = \\\"CreatePolicy\\\";\\nlet timeframe = 1d;\\nlet lookback = 14d;\\n// Creating Master table with all the events to use with materialize for better performance\\nlet EventInfo = AWSCloudTrail\\n| where TimeGenerated >= ago(lookback)\\n| where EventName in (EventNameList) or EventName == createPolicy;\\n//Checking for Policy creation event with Full Admin Privileges since lookback period.\\nlet FullAdminPolicyEvents = materialize( EventInfo\\n| where TimeGenerated >= ago(lookback)\\n| where EventName == createPolicy\\n| extend PolicyName = tostring(parse_json(RequestParameters).policyName)\\n| extend Statement = parse_json(tostring((parse_json(RequestParameters).policyDocument))).Statement\\n| mvexpand Statement\\n| extend Action = parse_json(Statement).Action , Effect = tostring(parse_json(Statement).Effect), Resource = tostring(parse_json(Statement).Resource)\\n| mvexpand Action\\n| extend Action = tostring(Action)\\n| where Effect =~ \\\"Allow\\\" and Action == \\\"*\\\" and Resource == \\\"*\\\"\\n| distinct TimeGenerated, EventName, PolicyName, SourceIpAddress, UserIdentityArn, UserIdentityUserName\\n| extend UserIdentityUserName = iff(isnotempty(UserIdentityUserName), UserIdentityUserName, tostring(split(UserIdentityArn,'/')[-1]))\\n| project-rename StartTime = TimeGenerated );\\nlet PolicyAttach = materialize( EventInfo\\n| where TimeGenerated >= ago(timeframe)\\n| where EventName in (EventNameList)\\n| extend PolicyName = tostring(split(tostring(parse_json(RequestParameters).policyArn),\\\"/\\\")[1])\\n| summarize AttachEventCount=count(), StartTime = min(TimeGenerated), EndTime = max(TimeGenerated) by EventSource, EventName, UserIdentityType , UserIdentityArn, SourceIpAddress, UserIdentityUserName = iff(isnotempty(UserIdentityUserName), UserIdentityUserName, tostring(split(UserIdentityArn,'/')[-1])), PolicyName\\n| extend AttachEvent = pack(\\\"StartTime\\\", StartTime, \\\"EndTime\\\", EndTime, \\\"EventName\\\", EventName, \\\"UserIdentityType\\\", UserIdentityType, \\\"UserIdentityArn\\\", UserIdentityArn, \\\"SourceIpAddress\\\", SourceIpAddress, \\\"UserIdentityUserName\\\", UserIdentityUserName)\\n| project EventSource, PolicyName, AttachEvent, AttachEventCount\\n);\\n// Joining the list of PolicyNames and checking if it has been attached to any Roles/Users/Groups.\\n// These Roles/Users/Groups will be Privileged and can be used by adversaries as pivot point for privilege escalation via multiple ways.\\nFullAdminPolicyEvents\\n| join kind=leftouter\\n(\\n PolicyAttach\\n)\\non PolicyName\\n| project-away PolicyName1\\n| extend timestamp = StartTime, IPCustomEntity = SourceIpAddress, AccountCustomEntity = UserIdentityUserName\",\r\n \"queryFrequency\": \"P1D\",\r\n \"queryPeriod\": \"P14D\",\r\n \"triggerOperator\": \"GreaterThan\",\r\n \"triggerThreshold\": 0,\r\n \"entityMappings\": [\r\n {\r\n \"entityType\": \"Account\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"FullName\",\r\n \"columnName\": \"AccountCustomEntity\"\r\n }\r\n ]\r\n },\r\n {\r\n \"entityType\": \"IP\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"Address\",\r\n \"columnName\": \"IPCustomEntity\"\r\n }\r\n ]\r\n }\r\n ],\r\n \"displayName\": \"Full Admin policy created and then attached to Roles, Users or Groups\",\r\n \"description\": \"Identity and Access Management (IAM) securely manages access to AWS services and resources. \\nIdentifies when a policy is created with Full Administrators Access (Allow-Action:*,Resource:*). \\nThis policy can be attached to role,user or group and may be used by an adversary to escalate a normal user privileges to an adminsitrative level.\\nAWS IAM Policy Grammar: https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_grammar.html\\nand AWS IAM API at https://docs.aws.amazon.com/IAM/latest/APIReference/API_Operations.html\",\r\n \"tactics\": [\r\n \"PrivilegeEscalation\"\r\n ],\r\n \"lastUpdatedDateUTC\": \"2020-11-17T00:00:00Z\",\r\n \"createdDateUTC\": \"2020-04-27T00:00:00Z\",\r\n \"status\": \"Available\",\r\n \"requiredDataConnectors\": [\r\n {\r\n \"connectorId\": \"AWS\",\r\n \"dataTypes\": [\r\n \"AWSCloudTrail\"\r\n ]\r\n }\r\n ],\r\n \"alertRulesCreatedByTemplateCount\": 0\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/AlertRuleTemplates/fb0f4a93-d8ad-4b54-9931-85bdb7550f90\",\r\n \"name\": \"fb0f4a93-d8ad-4b54-9931-85bdb7550f90\",\r\n \"type\": \"Microsoft.SecurityInsights/AlertRuleTemplates\",\r\n \"kind\": \"Scheduled\",\r\n \"properties\": {\r\n \"severity\": \"Medium\",\r\n \"query\": \"let timeframe = ago(1h);\\nSymantecProxySG\\n| where TimeGenerated >= timeframe\\n| mv-expand cs_categories\\n| where cs_categories has_any (\\\"Suspicious\\\",\\\"phishing\\\", \\\"hacking\\\")\\n| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated), count() by sc_filter_result, cs_userdn, c_ip, cs_host, Computer, tostring(cs_categories)\\n| extend timestamp = StartTime, AccountCustomEntity = cs_userdn, IPCustomEntity = c_ip, HostCustomEntity = Computer\",\r\n \"queryFrequency\": \"PT1H\",\r\n \"queryPeriod\": \"PT1H\",\r\n \"triggerOperator\": \"GreaterThan\",\r\n \"triggerThreshold\": 0,\r\n \"entityMappings\": [\r\n {\r\n \"entityType\": \"Account\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"FullName\",\r\n \"columnName\": \"AccountCustomEntity\"\r\n }\r\n ]\r\n },\r\n {\r\n \"entityType\": \"Host\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"FullName\",\r\n \"columnName\": \"HostCustomEntity\"\r\n }\r\n ]\r\n },\r\n {\r\n \"entityType\": \"IP\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"Address\",\r\n \"columnName\": \"IPCustomEntity\"\r\n }\r\n ]\r\n }\r\n ],\r\n \"displayName\": \"User Accessed Suspicious URL Categories\",\r\n \"description\": \"Creates an incident in the event the requested URL accessed by the user has been identified as Suspicious, Phishing, or Hacking.\",\r\n \"tactics\": [\r\n \"DefenseEvasion\"\r\n ],\r\n \"lastUpdatedDateUTC\": \"2020-11-17T00:00:00Z\",\r\n \"createdDateUTC\": \"2020-06-06T00:00:00Z\",\r\n \"status\": \"Available\",\r\n \"requiredDataConnectors\": [\r\n {\r\n \"connectorId\": \"SymantecProxySG\",\r\n \"dataTypes\": [\r\n \"Syslog\"\r\n ]\r\n }\r\n ],\r\n \"alertRulesCreatedByTemplateCount\": 0\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/AlertRuleTemplates/a2e0eb51-1f11-461a-999b-cd0ebe5c7a72\",\r\n \"name\": \"a2e0eb51-1f11-461a-999b-cd0ebe5c7a72\",\r\n \"type\": \"Microsoft.SecurityInsights/AlertRuleTemplates\",\r\n \"kind\": \"MicrosoftSecurityIncidentCreation\",\r\n \"properties\": {\r\n \"productFilter\": \"Azure Security Center for IoT\",\r\n \"displayName\": \"Create incidents based on Azure Security Center for IoT alerts\",\r\n \"description\": \"Create incidents based on all alerts generated in Azure Security Center for IoT\",\r\n \"lastUpdatedDateUTC\": \"2019-12-24T00:00:00Z\",\r\n \"createdDateUTC\": \"2019-12-24T00:00:00Z\",\r\n \"status\": \"Available\",\r\n \"requiredDataConnectors\": [\r\n {\r\n \"connectorId\": \"IoT\",\r\n \"dataTypes\": [\r\n \"SecurityAlert (ASC for IoT)\"\r\n ]\r\n }\r\n ],\r\n \"alertRulesCreatedByTemplateCount\": 2\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/AlertRuleTemplates/83ba3057-9ea3-4759-bf6a-933f2e5bc7ee\",\r\n \"name\": \"83ba3057-9ea3-4759-bf6a-933f2e5bc7ee\",\r\n \"type\": \"Microsoft.SecurityInsights/AlertRuleTemplates\",\r\n \"kind\": \"Scheduled\",\r\n \"properties\": {\r\n \"severity\": \"Medium\",\r\n \"query\": \"let current = 1d;\\nlet auditLookback = 7d;\\n// Setting threshold to 3 as a default, change as needed. \\n// Any operation that has been initiated by a user or app more than 3 times in the past 7 days will be excluded\\nlet threshold = 3;\\n// Gather initial data from lookback period, excluding current, adjust current to more than a single day if no results\\nlet AuditTrail = AuditLogs | where TimeGenerated >= ago(auditLookback) and TimeGenerated < ago(current)\\n// 2 other operations that can be part of malicious activity in this situation are \\n// \\\"Add OAuth2PermissionGrant\\\" and \\\"Add service principal\\\", extend the filter below to capture these too\\n| where OperationName == \\\"Consent to application\\\"\\n| extend InitiatedBy = iff(isnotempty(tostring(parse_json(tostring(InitiatedBy.user)).userPrincipalName)), \\ntostring(parse_json(tostring(InitiatedBy.user)).userPrincipalName), tostring(parse_json(tostring(InitiatedBy.app)).displayName))\\n| extend TargetResourceName = tolower(tostring(TargetResources.[0].displayName))\\n| summarize max(TimeGenerated), OperationCount = count() by OperationName, InitiatedBy, TargetResourceName\\n// only including operations by initiated by a user or app that is above the threshold so we produce only rare and has not occurred in last 7 days\\n| where OperationCount > threshold\\n;\\n// Gather current period of audit data\\nlet RecentConsent = AuditLogs | where TimeGenerated >= ago(current)\\n| where OperationName == \\\"Consent to application\\\"\\n| extend IpAddress = iff(isnotempty(tostring(parse_json(tostring(InitiatedBy.user)).ipAddress)), \\ntostring(parse_json(tostring(InitiatedBy.user)).ipAddress), tostring(parse_json(tostring(InitiatedBy.app)).ipAddress))\\n| extend InitiatedBy = iff(isnotempty(tostring(parse_json(tostring(InitiatedBy.user)).userPrincipalName)), \\ntostring(parse_json(tostring(InitiatedBy.user)).userPrincipalName), tostring(parse_json(tostring(InitiatedBy.app)).displayName))\\n| extend TargetResourceName = tolower(tostring(TargetResources.[0].displayName))\\n| parse TargetResources.[0].modifiedProperties with * \\\"ConsentType: \\\" ConsentType \\\"]\\\" *\\n| project TimeGenerated, InitiatedBy, IpAddress, TargetResourceName, Category, OperationName, ConsentType , CorrelationId, Type;\\n// Exclude previously seen audit activity for \\\"Consent to application\\\" that was seen in the lookback period\\n// First for rare InitiatedBy\\nlet RareConsentBy = RecentConsent | join kind= leftanti AuditTrail on OperationName, InitiatedBy \\n| extend Reason = \\\"Previously unseen user consenting\\\";\\n// Second for rare TargetResourceName\\nlet RareConsentApp = RecentConsent | join kind= leftanti AuditTrail on OperationName, TargetResourceName\\n| extend Reason = \\\"Previously unseen app granted consent\\\";\\nRareConsentBy | union RareConsentApp\\n| summarize Reason = makeset(Reason) by TimeGenerated, InitiatedBy, IpAddress, TargetResourceName, Category, OperationName, ConsentType, CorrelationId, Type\\n| extend timestamp = TimeGenerated, AccountCustomEntity = InitiatedBy, HostCustomEntity = TargetResourceName, IPCustomEntity = IpAddress\",\r\n \"queryFrequency\": \"P1D\",\r\n \"queryPeriod\": \"P7D\",\r\n \"triggerOperator\": \"GreaterThan\",\r\n \"triggerThreshold\": 3,\r\n \"entityMappings\": [\r\n {\r\n \"entityType\": \"Account\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"FullName\",\r\n \"columnName\": \"AccountCustomEntity\"\r\n }\r\n ]\r\n },\r\n {\r\n \"entityType\": \"Host\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"FullName\",\r\n \"columnName\": \"HostCustomEntity\"\r\n }\r\n ]\r\n },\r\n {\r\n \"entityType\": \"IP\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"Address\",\r\n \"columnName\": \"IPCustomEntity\"\r\n }\r\n ]\r\n }\r\n ],\r\n \"displayName\": \"Rare application consent\",\r\n \"description\": \"This will alert when the \\\"Consent to application\\\" operation occurs by a user that has not done this operation before or rarely does this.\\nThis could indicate that permissions to access the listed Azure App were provided to a malicious actor. \\nConsent to application, Add service principal and Add OAuth2PermissionGrant should typically be rare events. \\nThis may help detect the Oauth2 attack that can be initiated by this publicly available tool - https://github.com/fireeye/PwnAuth\\nFor further information on AuditLogs please see https://docs.microsoft.com/azure/active-directory/reports-monitoring/reference-audit-activities.\",\r\n \"tactics\": [\r\n \"Persistence\",\r\n \"LateralMovement\",\r\n \"Collection\"\r\n ],\r\n \"lastUpdatedDateUTC\": \"2020-11-17T00:00:00Z\",\r\n \"createdDateUTC\": \"2019-07-04T00:00:00Z\",\r\n \"status\": \"Available\",\r\n \"requiredDataConnectors\": [\r\n {\r\n \"connectorId\": \"AzureActiveDirectory\",\r\n \"dataTypes\": [\r\n \"AuditLogs\"\r\n ]\r\n }\r\n ],\r\n \"alertRulesCreatedByTemplateCount\": 0\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/AlertRuleTemplates/2441bce9-02e4-407b-8cc7-7d597f38b8b0\",\r\n \"name\": \"2441bce9-02e4-407b-8cc7-7d597f38b8b0\",\r\n \"type\": \"Microsoft.SecurityInsights/AlertRuleTemplates\",\r\n \"kind\": \"Scheduled\",\r\n \"properties\": {\r\n \"severity\": \"Medium\",\r\n \"query\": \"let dt_lookBack = 1h;\\nlet ioc_lookBack = 14d;\\nThreatIntelligenceIndicator\\n| where TimeGenerated >= ago(ioc_lookBack) and ExpirationDateTime > now()\\n| where Active == true\\n// Picking up only IOC's that contain the entities we want\\n| where isnotempty(NetworkIP) or isnotempty(EmailSourceIpAddress) or isnotempty(NetworkDestinationIP) or isnotempty(NetworkSourceIP)\\n// As there is potentially more than 1 indicator type for matching IP, taking NetworkIP first, then others if that is empty.\\n// Taking the first non-empty value based on potential IOC match availability\\n| extend TI_ipEntity = iff(isnotempty(NetworkIP), NetworkIP, NetworkDestinationIP)\\n| extend TI_ipEntity = iff(isempty(TI_ipEntity) and isnotempty(NetworkSourceIP), NetworkSourceIP, TI_ipEntity)\\n| extend TI_ipEntity = iff(isempty(TI_ipEntity) and isnotempty(EmailSourceIpAddress), EmailSourceIpAddress, TI_ipEntity)\\n| join (\\n AzureActivity | where TimeGenerated >= ago(dt_lookBack)\\n // renaming time column so it is clear the log this came from\\n | extend AzureActivity_TimeGenerated = TimeGenerated\\n)\\non $left.TI_ipEntity == $right.CallerIpAddress\\n| summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId\\n| project LatestIndicatorTime, Description, ActivityGroupNames, IndicatorId, ThreatType, Url, ExpirationDateTime, ConfidenceScore, AzureActivity_TimeGenerated,\\nTI_ipEntity, CallerIpAddress, Caller, OperationName, ActivityStatus, Category, ResourceId, NetworkIP, NetworkDestinationIP, NetworkSourceIP, EmailSourceIpAddress\\n| extend timestamp = AzureActivity_TimeGenerated, IPCustomEntity = CallerIpAddress, AccountCustomEntity = Caller, URLCustomEntity = Url\",\r\n \"queryFrequency\": \"PT1H\",\r\n \"queryPeriod\": \"P14D\",\r\n \"triggerOperator\": \"GreaterThan\",\r\n \"triggerThreshold\": 0,\r\n \"entityMappings\": [\r\n {\r\n \"entityType\": \"Account\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"FullName\",\r\n \"columnName\": \"AccountCustomEntity\"\r\n }\r\n ]\r\n },\r\n {\r\n \"entityType\": \"IP\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"Address\",\r\n \"columnName\": \"IPCustomEntity\"\r\n }\r\n ]\r\n },\r\n {\r\n \"entityType\": \"URL\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"Url\",\r\n \"columnName\": \"URLCustomEntity\"\r\n }\r\n ]\r\n }\r\n ],\r\n \"displayName\": \"(Preview) TI map IP entity to AzureActivity\",\r\n \"description\": \"Identifies a match in AzureActivity from any IP IOC from TI\",\r\n \"tactics\": [\r\n \"Impact\"\r\n ],\r\n \"lastUpdatedDateUTC\": \"2020-11-17T00:00:00Z\",\r\n \"createdDateUTC\": \"2019-08-27T00:00:00Z\",\r\n \"status\": \"Available\",\r\n \"requiredDataConnectors\": [\r\n {\r\n \"connectorId\": \"ThreatIntelligence\",\r\n \"dataTypes\": [\r\n \"ThreatIntelligenceIndicator\"\r\n ]\r\n },\r\n {\r\n \"connectorId\": \"ThreatIntelligenceTaxii\",\r\n \"dataTypes\": [\r\n \"ThreatIntelligenceIndicator\"\r\n ]\r\n },\r\n {\r\n \"connectorId\": \"AzureActivity\",\r\n \"dataTypes\": [\r\n \"AzureActivity\"\r\n ]\r\n }\r\n ],\r\n \"alertRulesCreatedByTemplateCount\": 0\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/AlertRuleTemplates/ee1d718b-9ed9-4a71-90cd-a483a4f008df\",\r\n \"name\": \"ee1d718b-9ed9-4a71-90cd-a483a4f008df\",\r\n \"type\": \"Microsoft.SecurityInsights/AlertRuleTemplates\",\r\n \"kind\": \"MicrosoftSecurityIncidentCreation\",\r\n \"properties\": {\r\n \"productFilter\": \"Office 365 Advanced Threat Protection\",\r\n \"displayName\": \"Create incidents based on Office 365 Advanced Threat Protection alerts\",\r\n \"description\": \"Create incidents based on all alerts generated in Office 365 Advanced Threat Protection\",\r\n \"lastUpdatedDateUTC\": \"2020-09-01T00:00:00Z\",\r\n \"createdDateUTC\": \"2020-04-20T00:00:00Z\",\r\n \"status\": \"Available\",\r\n \"requiredDataConnectors\": [\r\n {\r\n \"connectorId\": \"OfficeATP\",\r\n \"dataTypes\": [\r\n \"SecurityAlert (OATP)\"\r\n ]\r\n }\r\n ],\r\n \"alertRulesCreatedByTemplateCount\": 1\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/AlertRuleTemplates/106813db-679e-4382-a51b-1bfc463befc3\",\r\n \"name\": \"106813db-679e-4382-a51b-1bfc463befc3\",\r\n \"type\": \"Microsoft.SecurityInsights/AlertRuleTemplates\",\r\n \"kind\": \"Scheduled\",\r\n \"properties\": {\r\n \"severity\": \"Medium\",\r\n \"query\": \"let dt_lookBack = 1h;\\nlet ioc_lookBack = 14d;\\nThreatIntelligenceIndicator\\n| where TimeGenerated >= ago(ioc_lookBack) and ExpirationDateTime > now()\\n| summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId\\n| where Active == true\\n// Picking up only IOC's that contain the entities we want\\n| where isnotempty(Url)\\n| join (\\n CommonSecurityLog\\n | extend IngestionTime = ingestion_time()\\n | where IngestionTime > ago(dt_lookBack)\\n // Select on Palo Alto logs\\n | where DeviceVendor =~ \\\"Palo Alto Networks\\\"\\n | where DeviceEventClassID =~ 'url'\\n //Uncomment the line below to only alert on allowed connections\\n //| where DeviceAction !~ \\\"block-url\\\"\\n //Select logs where URL data is populated\\n | extend PA_Url = columnifexists(\\\"RequestURL\\\", \\\"None\\\")\\n | extend PA_Url = iif(isempty(PA_Url), extract(\\\"([^\\\\\\\"]+)\\\", 1, tolower(AdditionalExtensions)), trim('\\\"', PA_Url))\\n | extend PA_Url = iif(PA_Url !startswith \\\"http://\\\" and ApplicationProtocol !~ \\\"ssl\\\", strcat('http://', PA_Url), iif(PA_Url !startswith \\\"https://\\\" and ApplicationProtocol =~ \\\"ssl\\\", strcat('https://', PA_Url), PA_Url))\\n | where isnotempty(PA_Url)\\n | extend CSL_TimeGenerated = TimeGenerated\\n) on $left.Url == $right.PA_Url\\n| project LatestIndicatorTime, Description, ActivityGroupNames, IndicatorId, ThreatType, ExpirationDateTime, ConfidenceScore, DeviceAction, SourceIP, CSL_TimeGenerated, PA_Url, DeviceName\\n| extend timestamp = CSL_TimeGenerated, IPCustomEntity = SourceIP, HostCustomEntity = DeviceName, URLCustomEntity = PA_Url\",\r\n \"queryFrequency\": \"PT1H\",\r\n \"queryPeriod\": \"P14D\",\r\n \"triggerOperator\": \"GreaterThan\",\r\n \"triggerThreshold\": 0,\r\n \"entityMappings\": [\r\n {\r\n \"entityType\": \"Host\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"FullName\",\r\n \"columnName\": \"HostCustomEntity\"\r\n }\r\n ]\r\n },\r\n {\r\n \"entityType\": \"IP\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"Address\",\r\n \"columnName\": \"IPCustomEntity\"\r\n }\r\n ]\r\n },\r\n {\r\n \"entityType\": \"URL\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"Url\",\r\n \"columnName\": \"URLCustomEntity\"\r\n }\r\n ]\r\n }\r\n ],\r\n \"displayName\": \"(Preview) TI map URL entity to PaloAlto data\",\r\n \"description\": \"Identifies a match in PaloAlto data from any URL IOC from TI\",\r\n \"tactics\": [\r\n \"Impact\"\r\n ],\r\n \"lastUpdatedDateUTC\": \"2020-11-17T00:00:00Z\",\r\n \"createdDateUTC\": \"2019-08-27T00:00:00Z\",\r\n \"status\": \"Available\",\r\n \"requiredDataConnectors\": [\r\n {\r\n \"connectorId\": \"PaloAltoNetworks\",\r\n \"dataTypes\": [\r\n \"CommonSecurityLog\"\r\n ]\r\n },\r\n {\r\n \"connectorId\": \"ThreatIntelligence\",\r\n \"dataTypes\": [\r\n \"ThreatIntelligenceIndicator\"\r\n ]\r\n },\r\n {\r\n \"connectorId\": \"ThreatIntelligenceTaxii\",\r\n \"dataTypes\": [\r\n \"ThreatIntelligenceIndicator\"\r\n ]\r\n }\r\n ],\r\n \"alertRulesCreatedByTemplateCount\": 0\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/AlertRuleTemplates/5dd76a87-9f87-4576-bab3-268b0e2b338b\",\r\n \"name\": \"5dd76a87-9f87-4576-bab3-268b0e2b338b\",\r\n \"type\": \"Microsoft.SecurityInsights/AlertRuleTemplates\",\r\n \"kind\": \"Scheduled\",\r\n \"properties\": {\r\n \"severity\": \"Medium\",\r\n \"query\": \"let threshold = 5;\\nlet szSharePointFileOperation = \\\"SharePointFileOperation\\\";\\nlet szOperations = dynamic([\\\"FileDownloaded\\\", \\\"FileUploaded\\\"]);\\nlet starttime = 14d;\\nlet endtime = 1d;\\nlet historicalActivity =\\nOfficeActivity\\n| where TimeGenerated between(ago(starttime)..ago(endtime))\\n| where RecordType =~ szSharePointFileOperation\\n| where Operation in~ (szOperations)\\n| where isnotempty(UserAgent)\\n| summarize historicalCount = count() by UserAgent, RecordType, Operation;\\nlet recentActivity = OfficeActivity\\n| where RecordType =~ szSharePointFileOperation\\n| where Operation in~ (szOperations)\\n| where TimeGenerated > ago(endtime)\\n| where isnotempty(UserAgent)\\n| summarize min(Start_Time), max(Start_Time), recentCount = count() by UserAgent, RecordType, Operation;\\nlet RareUserAgent = recentActivity | join kind = leftanti (historicalActivity) on UserAgent\\n| order by recentCount desc, UserAgent\\n// More than 3 downloads/uploads from a new user agent today\\n| where recentCount > threshold;\\nOfficeActivity \\n| where TimeGenerated > ago(endtime) \\n| where RecordType =~ szSharePointFileOperation \\n| where Operation in~ (szOperations)\\n| where isnotempty(UserAgent)\\n| join kind= inner (RareUserAgent)\\non UserAgent, RecordType, Operation \\n| where Start_Time between(min_Start_Time .. max_Start_Time)\\n| summarize StartTimeUtc = min(min_Start_Time), EndTimeUtc = max(max_Start_Time) by RecordType, Operation, UserAgent, UserType, UserId, ClientIP, OfficeWorkload, Site_Url, OfficeObjectId, UserAgentSeenCount = recentCount\\n| extend timestamp = StartTimeUtc, AccountCustomEntity = UserId, IPCustomEntity = ClientIP, URLCustomEntity = Site_Url\\n| order by UserAgentSeenCount desc, UserAgent asc, Operation asc, UserId asc\",\r\n \"queryFrequency\": \"P1D\",\r\n \"queryPeriod\": \"P14D\",\r\n \"triggerOperator\": \"GreaterThan\",\r\n \"triggerThreshold\": 0,\r\n \"entityMappings\": [\r\n {\r\n \"entityType\": \"Account\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"FullName\",\r\n \"columnName\": \"AccountCustomEntity\"\r\n }\r\n ]\r\n },\r\n {\r\n \"entityType\": \"IP\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"Address\",\r\n \"columnName\": \"IPCustomEntity\"\r\n }\r\n ]\r\n },\r\n {\r\n \"entityType\": \"URL\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"Url\",\r\n \"columnName\": \"URLCustomEntity\"\r\n }\r\n ]\r\n }\r\n ],\r\n \"displayName\": \"SharePointFileOperation via devices with previously unseen user agents\",\r\n \"description\": \"Identifies if the number of documents uploaded or downloaded from device(s) associated\\nwith a previously unseen user agent exceeds a threshold (default is 5).\",\r\n \"tactics\": [\r\n \"Exfiltration\"\r\n ],\r\n \"lastUpdatedDateUTC\": \"2020-11-17T00:00:00Z\",\r\n \"createdDateUTC\": \"2019-08-23T00:00:00Z\",\r\n \"status\": \"Available\",\r\n \"requiredDataConnectors\": [\r\n {\r\n \"connectorId\": \"Office365\",\r\n \"dataTypes\": [\r\n \"OfficeActivity\"\r\n ]\r\n }\r\n ],\r\n \"alertRulesCreatedByTemplateCount\": 0\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/AlertRuleTemplates/2c55fe7a-b06f-4029-a5b9-c54a2320d7b8\",\r\n \"name\": \"2c55fe7a-b06f-4029-a5b9-c54a2320d7b8\",\r\n \"type\": \"Microsoft.SecurityInsights/AlertRuleTemplates\",\r\n \"kind\": \"Scheduled\",\r\n \"properties\": {\r\n \"severity\": \"Medium\",\r\n \"query\": \"let starttime = 14d;\\nlet endtime = 1d;\\nlet timeframe = 1h;\\nlet TotalEventsThreshold = 5;\\nlet ExeList = dynamic([\\\"powershell.exe\\\",\\\"cmd.exe\\\",\\\"wmic.exe\\\",\\\"psexec.exe\\\",\\\"cacls.exe\\\",\\\"rundll.exe\\\"]);\\nlet TimeSeriesData = \\nSecurityEvent\\n| where EventID == 4688 | extend Process = tolower(Process)\\n| where TimeGenerated between (startofday(ago(starttime))..startofday(ago(endtime)))\\n| where Process in (ExeList)\\n| project TimeGenerated, Computer, AccountType, Account, Process\\n| make-series Total=count() on TimeGenerated from ago(starttime) to ago(endtime) step timeframe by Process;\\nlet TimeSeriesAlerts = TimeSeriesData\\n| extend (anomalies, score, baseline) = series_decompose_anomalies(Total, 1.5, -1, 'linefit')\\n| mv-expand Total to typeof(double), TimeGenerated to typeof(datetime), anomalies to typeof(double), score to typeof(double), baseline to typeof(long)\\n| where anomalies > 0\\n| project Process, TimeGenerated, Total, baseline, anomalies, score\\n| where Total > TotalEventsThreshold;\\nTimeSeriesAlerts\\n| join (\\nSecurityEvent\\n| where EventID == 4688 | extend Process = tolower(Process)\\n| summarize CommandlineCount = count() by bin(TimeGenerated, 1h), Process, CommandLine, Computer, Account\\n) on Process, TimeGenerated \\n| project AnomalyHour = TimeGenerated, Computer, Account, Process, CommandLine, CommandlineCount, Total, baseline, anomalies, score \\n| extend timestamp = AnomalyHour, AccountCustomEntity = Account, HostCustomEntity = Computer\",\r\n \"queryFrequency\": \"PT1H\",\r\n \"queryPeriod\": \"P14D\",\r\n \"triggerOperator\": \"GreaterThan\",\r\n \"triggerThreshold\": 0,\r\n \"entityMappings\": [\r\n {\r\n \"entityType\": \"Account\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"FullName\",\r\n \"columnName\": \"AccountCustomEntity\"\r\n }\r\n ]\r\n },\r\n {\r\n \"entityType\": \"Host\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"FullName\",\r\n \"columnName\": \"HostCustomEntity\"\r\n }\r\n ]\r\n }\r\n ],\r\n \"displayName\": \"Process execution frequency anomaly\",\r\n \"description\": \"Identifies anomalous spike in frequency of executions of sensitive processes which are often leveraged as attack vectors. \\nThe query leverages KQL built-in anomaly detection algorithms to find large deviations from baseline patterns. \\nSudden increases in execution frequency of sensitive processes should be further investigated for malicious activity.\\nTune the values from 1.5 to 3 in series_decompose_anomalies for further outliers or based on custom threshold values for score.\",\r\n \"tactics\": [\r\n \"Execution\"\r\n ],\r\n \"lastUpdatedDateUTC\": \"2020-11-17T00:00:00Z\",\r\n \"createdDateUTC\": \"2019-05-07T00:00:00Z\",\r\n \"status\": \"Available\",\r\n \"requiredDataConnectors\": [\r\n {\r\n \"connectorId\": \"SecurityEvents\",\r\n \"dataTypes\": [\r\n \"SecurityEvent\"\r\n ]\r\n }\r\n ],\r\n \"alertRulesCreatedByTemplateCount\": 0\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/AlertRuleTemplates/f0be259a-34ac-4946-aa15-ca2b115d5feb\",\r\n \"name\": \"f0be259a-34ac-4946-aa15-ca2b115d5feb\",\r\n \"type\": \"Microsoft.SecurityInsights/AlertRuleTemplates\",\r\n \"kind\": \"Scheduled\",\r\n \"properties\": {\r\n \"severity\": \"Low\",\r\n \"query\": \"let starttime = 2d;\\nlet endtime = 1d;\\nlet TimeDeltaThreshold = 10;\\nlet TotalEventsThreshold = 15;\\nlet PercentBeaconThreshold = 80;\\nlet PrivateIPregex = @'^127\\\\.|^10\\\\.|^172\\\\.1[6-9]\\\\.|^172\\\\.2[0-9]\\\\.|^172\\\\.3[0-1]\\\\.|^192\\\\.168\\\\.';\\nCommonSecurityLog\\n| where DeviceVendor == \\\"Palo Alto Networks\\\" and Activity == \\\"TRAFFIC\\\"\\n| where TimeGenerated between (ago(starttime)..ago(endtime))\\n| extend DestinationIPType = iff(DestinationIP matches regex PrivateIPregex,\\\"private\\\" ,\\\"public\\\" )\\n| where DestinationIPType == \\\"public\\\"\\n| project TimeGenerated, DeviceName, SourceUserID, SourceIP, SourcePort, DestinationIP, DestinationPort, ReceivedBytes, SentBytes\\n| sort by SourceIP asc,TimeGenerated asc, DestinationIP asc, DestinationPort asc\\n| serialize\\n| extend nextTimeGenerated = next(TimeGenerated, 1), nextSourceIP = next(SourceIP, 1)\\n| extend TimeDeltainSeconds = datetime_diff('second',nextTimeGenerated,TimeGenerated)\\n| where SourceIP == nextSourceIP\\n//Whitelisting criteria/ threshold criteria\\n| where TimeDeltainSeconds > TimeDeltaThreshold \\n| project TimeGenerated, TimeDeltainSeconds, DeviceName, SourceUserID, SourceIP, SourcePort, DestinationIP, DestinationPort, ReceivedBytes, SentBytes\\n| summarize count(), sum(ReceivedBytes), sum(SentBytes), make_list(TimeDeltainSeconds) \\nby TimeDeltainSeconds, bin(TimeGenerated, 1h), DeviceName, SourceUserID, SourceIP, DestinationIP, DestinationPort\\n| summarize (MostFrequentTimeDeltaCount, MostFrequentTimeDeltainSeconds) = arg_max(count_, TimeDeltainSeconds), TotalEvents=sum(count_), TotalSentBytes = sum(sum_SentBytes), TotalReceivedBytes = sum(sum_ReceivedBytes) \\nby bin(TimeGenerated, 1h), DeviceName, SourceUserID, SourceIP, DestinationIP, DestinationPort\\n| where TotalEvents > TotalEventsThreshold \\n| extend BeaconPercent = MostFrequentTimeDeltaCount/toreal(TotalEvents) * 100\\n| where BeaconPercent > PercentBeaconThreshold\\n| extend timestamp = TimeGenerated, IPCustomEntity = DestinationIP, AccountCustomEntity = SourceUserID, HostCustomEntity = DeviceName\",\r\n \"queryFrequency\": \"P1D\",\r\n \"queryPeriod\": \"P1D\",\r\n \"triggerOperator\": \"GreaterThan\",\r\n \"triggerThreshold\": 0,\r\n \"entityMappings\": [\r\n {\r\n \"entityType\": \"Account\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"FullName\",\r\n \"columnName\": \"AccountCustomEntity\"\r\n }\r\n ]\r\n },\r\n {\r\n \"entityType\": \"Host\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"FullName\",\r\n \"columnName\": \"HostCustomEntity\"\r\n }\r\n ]\r\n },\r\n {\r\n \"entityType\": \"IP\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"Address\",\r\n \"columnName\": \"IPCustomEntity\"\r\n }\r\n ]\r\n }\r\n ],\r\n \"displayName\": \"Palo Alto - potential beaconing detected\",\r\n \"description\": \"Identifies beaconing patterns from Palo Alto Network traffic logs based on recurrent timedelta patterns. \\nThe query leverages various KQL functions to calculate time deltas and then compares it with total events observed in a day to find percentage of beaconing. \\nThis outbound beaconing pattern to untrusted public networks should be investigated for any malware callbacks or data exfiltration attempts.\\nReference Blog:\\nhttp://www.austintaylor.io/detect/beaconing/intrusion/detection/system/command/control/flare/elastic/stack/2017/06/10/detect-beaconing-with-flare-elasticsearch-and-intrusion-detection-systems/\",\r\n \"tactics\": [\r\n \"CommandAndControl\"\r\n ],\r\n \"lastUpdatedDateUTC\": \"2020-11-17T00:00:00Z\",\r\n \"createdDateUTC\": \"2019-05-07T00:00:00Z\",\r\n \"status\": \"Available\",\r\n \"requiredDataConnectors\": [\r\n {\r\n \"connectorId\": \"PaloAltoNetworks\",\r\n \"dataTypes\": [\r\n \"CommonSecurityLog\"\r\n ]\r\n }\r\n ],\r\n \"alertRulesCreatedByTemplateCount\": 0\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/AlertRuleTemplates/c775a46b-21b1-46d7-afa6-37e3e577a27b\",\r\n \"name\": \"c775a46b-21b1-46d7-afa6-37e3e577a27b\",\r\n \"type\": \"Microsoft.SecurityInsights/AlertRuleTemplates\",\r\n \"kind\": \"Scheduled\",\r\n \"properties\": {\r\n \"severity\": \"Medium\",\r\n \"query\": \"let timeframe = ago(1h);\\nlet threshold = 15;\\nSymantecVIP\\n| where TimeGenerated > timeframe\\n| where isnotempty(RADIUSAuth)\\n| where RADIUSAuth =~ \\\"Reject\\\"\\n| summarize Total = count() by bin(TimeGenerated, 15m), User, ClientIP\\n| where Total > threshold\\n| extend timestamp = TimeGenerated, IPCustomEntity = ClientIP, AccountCustomEntity = User\",\r\n \"queryFrequency\": \"PT1H\",\r\n \"queryPeriod\": \"PT1H\",\r\n \"triggerOperator\": \"GreaterThan\",\r\n \"triggerThreshold\": 0,\r\n \"entityMappings\": [\r\n {\r\n \"entityType\": \"Account\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"FullName\",\r\n \"columnName\": \"AccountCustomEntity\"\r\n }\r\n ]\r\n },\r\n {\r\n \"entityType\": \"IP\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"Address\",\r\n \"columnName\": \"IPCustomEntity\"\r\n }\r\n ]\r\n }\r\n ],\r\n \"displayName\": \"Excessive Failed Authentication from Invalid Inputs\",\r\n \"description\": \"Creates an incident in the event that a user generates an excessive amount of failed authentications due to invalid inputs, indications of a potential brute force.\",\r\n \"tactics\": [\r\n \"CredentialAccess\"\r\n ],\r\n \"lastUpdatedDateUTC\": \"2020-11-17T00:00:00Z\",\r\n \"createdDateUTC\": \"2020-06-06T00:00:00Z\",\r\n \"status\": \"Available\",\r\n \"requiredDataConnectors\": [\r\n {\r\n \"connectorId\": \"SymantecVIP\",\r\n \"dataTypes\": [\r\n \"Syslog\"\r\n ]\r\n }\r\n ],\r\n \"alertRulesCreatedByTemplateCount\": 0\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/AlertRuleTemplates/69a45b05-71f5-45ca-8944-2e038747fb39\",\r\n \"name\": \"69a45b05-71f5-45ca-8944-2e038747fb39\",\r\n \"type\": \"Microsoft.SecurityInsights/AlertRuleTemplates\",\r\n \"kind\": \"Scheduled\",\r\n \"properties\": {\r\n \"severity\": \"Medium\",\r\n \"query\": \"let endtime = 1d;\\nlet starttime = 8d;\\n// The threshold below excludes matching on RDP connection computer counts of 5 or more by a given account and IP in a given day. Change the threshold as needed.\\nlet threshold = 5;\\nSecurityEvent\\n| where TimeGenerated >= ago(endtime) \\n| where EventID == 4624 and LogonType == 10\\n// Labeling the first RDP connection time, computer and ip\\n| extend FirstHop = TimeGenerated, FirstComputer = toupper(Computer), FirstIPAddress = IpAddress, Account = tolower(Account) \\n| join kind=inner (\\nSecurityEvent\\n| where TimeGenerated >= ago(endtime) \\n| where EventID == 4624 and LogonType == 10\\n// Labeling the second RDP connection time, computer and ip\\n| extend SecondHop = TimeGenerated, SecondComputer = toupper(Computer), SecondIPAddress = IpAddress, Account = tolower(Account)\\n) on Account\\n// Make sure that the first connection is after the second connection --> SecondHop > FirstHop\\n// Then identify only RDP to another computer from within the first RDP connection by only choosing matches where the Computer names do not match --> FirstComputer != SecondComputer\\n// Then make sure the IPAddresses do not match by excluding connections from the same computers with first hop RDP connections to multiple computers --> FirstIPAddress != SecondIPAddress\\n| where FirstComputer != SecondComputer and FirstIPAddress != SecondIPAddress and SecondHop > FirstHop\\n// where the second hop occurs within 30 minutes of the first hop\\n| where SecondHop <= FirstHop+30m\\n| distinct Account, FirstHop, FirstComputer, FirstIPAddress, SecondHop, SecondComputer, SecondIPAddress, AccountType, Activity, LogonTypeName, ProcessName\\n// use left anti to exclude anything from the previous 7 days where the Account and IP has connected 5 or more computers.\\n| join kind=leftanti (\\nSecurityEvent\\n| where TimeGenerated >= ago(starttime) and TimeGenerated < ago(endtime) \\n| where EventID == 4624 and LogonType == 10\\n| summarize makeset(Computer), ComputerCount = dcount(Computer) by bin(TimeGenerated, 1d), Account = tolower(Account), IpAddress\\n// Connection count to computer by same account and IP to exclude counts of 5 or more on a given day\\n| where ComputerCount >= threshold\\n| mvexpand set_Computer\\n| extend Computer = toupper(set_Computer)\\n) on Account, $left.SecondComputer == $right.Computer, $left.SecondIPAddress == $right.IpAddress\\n| summarize FirstHopFirstSeen = min(FirstHop), FirstHopLastSeen = max(FirstHop) by Account, FirstComputer, FirstIPAddress, SecondHop, SecondComputer, \\nSecondIPAddress, AccountType, Activity, LogonTypeName, ProcessName\\n| extend timestamp = FirstHopFirstSeen, AccountCustomEntity = Account, HostCustomEntity = FirstComputer, IPCustomEntity = FirstIPAddress\",\r\n \"queryFrequency\": \"P1D\",\r\n \"queryPeriod\": \"P8D\",\r\n \"triggerOperator\": \"GreaterThan\",\r\n \"triggerThreshold\": 0,\r\n \"entityMappings\": [\r\n {\r\n \"entityType\": \"Account\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"FullName\",\r\n \"columnName\": \"AccountCustomEntity\"\r\n }\r\n ]\r\n },\r\n {\r\n \"entityType\": \"Host\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"FullName\",\r\n \"columnName\": \"HostCustomEntity\"\r\n }\r\n ]\r\n },\r\n {\r\n \"entityType\": \"IP\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"Address\",\r\n \"columnName\": \"IPCustomEntity\"\r\n }\r\n ]\r\n }\r\n ],\r\n \"displayName\": \"RDP Nesting\",\r\n \"description\": \"Identifies when an RDP connection is made to a first system and then an RDP connection is made from the first system \\nto another system with the same account within the 60 minutes. Additionally, if historically daily \\nRDP connections are indicated by the logged EventID 4624 with LogonType = 10\",\r\n \"tactics\": [\r\n \"LateralMovement\"\r\n ],\r\n \"lastUpdatedDateUTC\": \"2020-11-17T00:00:00Z\",\r\n \"createdDateUTC\": \"2019-10-21T00:00:00Z\",\r\n \"status\": \"Available\",\r\n \"requiredDataConnectors\": [\r\n {\r\n \"connectorId\": \"SecurityEvents\",\r\n \"dataTypes\": [\r\n \"SecurityEvent\"\r\n ]\r\n }\r\n ],\r\n \"alertRulesCreatedByTemplateCount\": 0\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/AlertRuleTemplates/cf3ede88-a429-493b-9108-3e46d3c741f7\",\r\n \"name\": \"cf3ede88-a429-493b-9108-3e46d3c741f7\",\r\n \"type\": \"Microsoft.SecurityInsights/AlertRuleTemplates\",\r\n \"kind\": \"Scheduled\",\r\n \"properties\": {\r\n \"severity\": \"Low\",\r\n \"query\": \"let timeRange = 6h;\\nlet authenticationWindow = 1h;\\nlet authenticationThreshold = 5;\\nSecurityEvent\\n| where TimeGenerated > ago(timeRange)\\n| where EventID == 4624 or EventID == 4625\\n| where IpAddress != \\\"-\\\" and isnotempty(Account)\\n| extend Outcome = iff(EventID == 4624, \\\"Success\\\", \\\"Failure\\\")\\n// bin outcomes into 5 minute windows to reduce the volume of data\\n| summarize OutcomeCount=count() by Account, IpAddress, Computer, Outcome, bin(TimeGenerated, 5m)\\n| project TimeGenerated, Account, IpAddress, Computer, Outcome, OutcomeCount\\n// sort ready for sessionizing - by account and time of the authentication outcome\\n| sort by Account asc, TimeGenerated asc\\n| serialize \\n// sessionize into failure groupings until either the account changes or there is a success\\n| extend SessionStartedUtc = row_window_session(TimeGenerated, timeRange, authenticationWindow, Account != prev(Account) or prev(Outcome) == \\\"Success\\\")\\n// count the failures in each session\\n| summarize FailureCountBeforeSuccess=sumif(OutcomeCount, Outcome == \\\"Failure\\\"), StartTime=min(TimeGenerated), EndTime=max(TimeGenerated), makelist(Outcome), makeset(Computer), makeset(IpAddress) by SessionStartedUtc, Account\\n// the session must not start with a success, and must end with one\\n| where array_index_of(list_Outcome, \\\"Success\\\") != 0\\n| where array_index_of(list_Outcome, \\\"Success\\\") == array_length(list_Outcome) - 1\\n| project-away SessionStartedUtc, list_Outcome \\n// where the number of failures before the success is above the threshold \\n| where FailureCountBeforeSuccess >= authenticationThreshold\\n// expand out ip and computer for customer entity assignment\\n| mvexpand set_IpAddress, set_Computer\\n| extend IpAddress = tostring(set_IpAddress), Computer = tostring(set_Computer)\\n| extend timestamp=StartTime, AccountCustomEntity=Account, HostCustomEntity=Computer, IPCustomEntity=IpAddress\",\r\n \"queryFrequency\": \"PT6H\",\r\n \"queryPeriod\": \"PT6H\",\r\n \"triggerOperator\": \"GreaterThan\",\r\n \"triggerThreshold\": 0,\r\n \"entityMappings\": [\r\n {\r\n \"entityType\": \"Account\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"FullName\",\r\n \"columnName\": \"AccountCustomEntity\"\r\n }\r\n ]\r\n },\r\n {\r\n \"entityType\": \"Host\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"FullName\",\r\n \"columnName\": \"HostCustomEntity\"\r\n }\r\n ]\r\n },\r\n {\r\n \"entityType\": \"IP\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"Address\",\r\n \"columnName\": \"IPCustomEntity\"\r\n }\r\n ]\r\n }\r\n ],\r\n \"displayName\": \"SecurityEvent - Multiple authentication failures followed by a success\",\r\n \"description\": \"Identifies accounts who have failed to logon to the domain multiple times in a row, followed by a successful authentication\\nwithin a short time frame. Multiple failed attempts followed by a success can be an indication of a brute force attempt or\\npossible mis-configuration of a service account within an environment.\\nThe lookback is set to 6h and the authentication window and threshold are set to 1h and 5, meaning we need to see a minimum\\nof 5 failures followed by a success for an account within 1 hour to surface an alert.\",\r\n \"tactics\": [\r\n \"CredentialAccess\"\r\n ],\r\n \"lastUpdatedDateUTC\": \"2020-11-17T00:00:00Z\",\r\n \"createdDateUTC\": \"2020-04-03T00:00:00Z\",\r\n \"status\": \"Available\",\r\n \"requiredDataConnectors\": [\r\n {\r\n \"connectorId\": \"SecurityEvents\",\r\n \"dataTypes\": [\r\n \"SecurityEvent\"\r\n ]\r\n }\r\n ],\r\n \"alertRulesCreatedByTemplateCount\": 0\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/AlertRuleTemplates/4f19d4e3-ec5f-4abc-9e61-819eb131758c\",\r\n \"name\": \"4f19d4e3-ec5f-4abc-9e61-819eb131758c\",\r\n \"type\": \"Microsoft.SecurityInsights/AlertRuleTemplates\",\r\n \"kind\": \"Scheduled\",\r\n \"properties\": {\r\n \"severity\": \"Low\",\r\n \"query\": \"let timeframe = 1d;\\nlet EventNameList = dynamic([ \\\"AuthorizeSecurityGroupEgress\\\", \\\"AuthorizeSecurityGroupIngress\\\", \\\"RevokeSecurityGroupEgress\\\", \\\"RevokeSecurityGroupIngress\\\"]);\\nAWSCloudTrail\\n| where TimeGenerated >= ago(timeframe)\\n| where EventName in~ (EventNameList)\\n| extend User = iif(isnotempty(UserIdentityUserName), UserIdentityUserName, SessionIssuerUserName)\\n| summarize EventCount=count(), StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated) \\nby EventSource, EventName, UserIdentityType, User, SourceIpAddress, UserAgent, SessionMfaAuthenticated, AWSRegion, \\nAdditionalEventData, UserIdentityAccountId, UserIdentityPrincipalid, ResponseElements\\n| extend timestamp = StartTimeUtc, AccountCustomEntity = User , IPCustomEntity = SourceIpAddress\",\r\n \"queryFrequency\": \"P1D\",\r\n \"queryPeriod\": \"P1D\",\r\n \"triggerOperator\": \"GreaterThan\",\r\n \"triggerThreshold\": 0,\r\n \"entityMappings\": [\r\n {\r\n \"entityType\": \"Account\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"FullName\",\r\n \"columnName\": \"AccountCustomEntity\"\r\n }\r\n ]\r\n },\r\n {\r\n \"entityType\": \"IP\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"Address\",\r\n \"columnName\": \"IPCustomEntity\"\r\n }\r\n ]\r\n }\r\n ],\r\n \"displayName\": \"Changes to AWS Security Group ingress and egress settings\",\r\n \"description\": \"A Security Group acts as a virtual firewall of an instance to control inbound and outbound traffic. \\n Hence, ingress and egress settings changes to AWS Security Group should be monitored as these can expose the enviornment to new attack vectors.\\nMore information: https://medium.com/@GorillaStack/the-most-important-aws-cloudtrail-security-events-to-track-a5b9873f8255.\",\r\n \"tactics\": [\r\n \"Persistence\"\r\n ],\r\n \"lastUpdatedDateUTC\": \"2020-11-17T00:00:00Z\",\r\n \"createdDateUTC\": \"2019-02-27T00:00:00Z\",\r\n \"status\": \"Available\",\r\n \"requiredDataConnectors\": [\r\n {\r\n \"connectorId\": \"AWS\",\r\n \"dataTypes\": [\r\n \"AWSCloudTrail\"\r\n ]\r\n }\r\n ],\r\n \"alertRulesCreatedByTemplateCount\": 0\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/AlertRuleTemplates/84cf1d59-f620-4fee-b569-68daf7008b7b\",\r\n \"name\": \"84cf1d59-f620-4fee-b569-68daf7008b7b\",\r\n \"type\": \"Microsoft.SecurityInsights/AlertRuleTemplates\",\r\n \"kind\": \"Scheduled\",\r\n \"properties\": {\r\n \"severity\": \"Medium\",\r\n \"query\": \"let timeframe = ago(1h);\\nlet threshold = 10;\\nQualysHostDetection_CL\\n| where TimeGenerated >= timeframe\\n| mv-expand todynamic(Detections_s)\\n| extend Status = tostring(Detections_s.Status), Vulnerability = tostring(Detections_s.Results), Severity = tostring(Detections_s.Severity)\\n| where Status =~ \\\"New\\\" and Severity == \\\"5\\\"\\n| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated), dcount(NetBios_s) by tostring(Detections_s.QID)\\n| where dcount_NetBios_s >= threshold\\n| extend timestamp = StartTime\",\r\n \"queryFrequency\": \"PT1H\",\r\n \"queryPeriod\": \"PT1H\",\r\n \"triggerOperator\": \"GreaterThan\",\r\n \"triggerThreshold\": 0,\r\n \"displayName\": \"New High Severity Vulnerability Detected Across Multiple Hosts\",\r\n \"description\": \"This creates an incident when a new high severity vulnerability is detected across multilple hosts\",\r\n \"tactics\": [\r\n \"InitialAccess\"\r\n ],\r\n \"lastUpdatedDateUTC\": \"2020-06-20T00:00:00Z\",\r\n \"createdDateUTC\": \"2020-06-20T00:00:00Z\",\r\n \"status\": \"Available\",\r\n \"requiredDataConnectors\": [\r\n {\r\n \"connectorId\": \"QualysVulnerabilityManagement\",\r\n \"dataTypes\": [\r\n \"QualysHostDetection_CL\"\r\n ]\r\n }\r\n ],\r\n \"alertRulesCreatedByTemplateCount\": 0\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/AlertRuleTemplates/fbd72eb8-087e-466b-bd54-1ca6ea08c6d3\",\r\n \"name\": \"fbd72eb8-087e-466b-bd54-1ca6ea08c6d3\",\r\n \"type\": \"Microsoft.SecurityInsights/AlertRuleTemplates\",\r\n \"kind\": \"Scheduled\",\r\n \"properties\": {\r\n \"severity\": \"Medium\",\r\n \"query\": \"let timeframe = 1d;\\nOfficeActivity\\n| where TimeGenerated >= ago(timeframe)\\n| where RecordType =~ \\\"ExchangeAdmin\\\"\\n| where UserType in~ (\\\"Admin\\\",\\\"DcAdmin\\\") \\n// Only admin or global-admin can disable/remove policy\\n| where Operation startswith \\\"Remove-\\\" or Operation startswith \\\"Disable-\\\"\\n| where Operation has_any (\\\"AntiPhish\\\", \\\"SafeAttachment\\\", \\\"SafeLinks\\\", \\\"Dlp\\\", \\\"Audit\\\")\\n| extend ClientIPOnly = case( \\nClientIP has \\\".\\\", tostring(split(ClientIP,\\\":\\\")[0]), \\nClientIP has \\\"[\\\", tostring(trim_start(@'[[]',tostring(split(ClientIP,\\\"]\\\")[0]))),\\nClientIP\\n) \\n| extend Port = case(\\nClientIP has \\\".\\\", (split(ClientIP,\\\":\\\")[1]),\\nClientIP has \\\"[\\\", tostring(split(ClientIP,\\\"]:\\\")[1]),\\nClientIP\\n)\\n| summarize StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated), OperationCount = count() by Operation, UserType, UserId, ClientIP = ClientIPOnly, Port, ResultStatus, Parameters\\n| extend timestamp = StartTimeUtc, AccountCustomEntity = UserId, IPCustomEntity = ClientIP\",\r\n \"queryFrequency\": \"P1D\",\r\n \"queryPeriod\": \"P1D\",\r\n \"triggerOperator\": \"GreaterThan\",\r\n \"triggerThreshold\": 0,\r\n \"entityMappings\": [\r\n {\r\n \"entityType\": \"Account\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"FullName\",\r\n \"columnName\": \"AccountCustomEntity\"\r\n }\r\n ]\r\n },\r\n {\r\n \"entityType\": \"IP\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"Address\",\r\n \"columnName\": \"IPCustomEntity\"\r\n }\r\n ]\r\n }\r\n ],\r\n \"displayName\": \"Office policy tampering\",\r\n \"description\": \"Identifies if any tampering is done to either auditlog, ATP Safelink, SafeAttachment, AntiPhish or Dlp policy. \\nAn adversary may use this technique to evade detection or avoid other policy based defenses.\\nReferences: https://docs.microsoft.com/powershell/module/exchange/advanced-threat-protection/remove-antiphishrule?view=exchange-ps.\",\r\n \"tactics\": [\r\n \"Persistence\",\r\n \"DefenseEvasion\"\r\n ],\r\n \"lastUpdatedDateUTC\": \"2020-11-17T00:00:00Z\",\r\n \"createdDateUTC\": \"2019-04-15T00:00:00Z\",\r\n \"status\": \"Available\",\r\n \"requiredDataConnectors\": [\r\n {\r\n \"connectorId\": \"Office365\",\r\n \"dataTypes\": [\r\n \"OfficeActivity\"\r\n ]\r\n }\r\n ],\r\n \"alertRulesCreatedByTemplateCount\": 0\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/AlertRuleTemplates/2b701288-b428-4fb8-805e-e4372c574786\",\r\n \"name\": \"2b701288-b428-4fb8-805e-e4372c574786\",\r\n \"type\": \"Microsoft.SecurityInsights/AlertRuleTemplates\",\r\n \"kind\": \"Scheduled\",\r\n \"properties\": {\r\n \"severity\": \"Medium\",\r\n \"query\": \"//The bigger the window the better the data sample size, as we use IP prevalence, more sample data is better.\\nlet timeRange = 30d;\\n//The minimum number of countries that the account has been accessed from [default: 2]\\nlet minimumCountries = 2;\\n//The delta (%) between the largest in-use IP and the smallest [default: 90]\\nlet deltaThreshold = 95;\\n//The maximum (%) threshold that the country appears in login data [default: 10]\\nlet countryPrevalenceThreshold = 10;\\n//The time to project forward after the last login activity [default: 60min]\\nlet projectedEndTime = 60min; \\n//Get Teams successful signins globally\\nlet signinData =\\n SigninLogs\\n | where TimeGenerated >= ago(timeRange)\\n | where AppDisplayName has \\\"Teams\\\"\\n | where ConditionalAccessStatus =~ \\\"success\\\"\\n | extend country = tostring(LocationDetails['countryOrRegion'])\\n | where isnotempty(country) and isnotempty(IPAddress);\\n// Collect successful signins to teams\\nlet loginEvents = \\n signinData\\n | summarize count(), country=any(country), make_list(TimeGenerated) by IPAddress, UserPrincipalName;\\n//Calcualte delta between logins\\nlet loginDelta =\\n loginEvents\\n | summarize max(count_), min(count_) by UserPrincipalName\\n | extend delta = toreal(max_count_ - min_count_) / max_count_ * 100\\n | where delta >= deltaThreshold;\\n//Count number of countries used to sign in\\nlet countryCount =\\n loginEvents\\n | summarize Countries = dcount(country) by UserPrincipalName;\\n//Join delta and sign in counts to successful logins\\nloginDelta\\n| join kind=rightouter (\\n loginEvents\\n) on UserPrincipalName\\n| join kind=rightouter (\\n countryCount\\n) on UserPrincipalName\\n//Check where the record meets the minimum required countries\\n| where Countries >= minimumCountries\\n| join kind=leftouter (\\n signinData\\n | summarize count() by country\\n | join (\\n //Now get the total number of logins from any country and join it to the previous count in a single table\\n signinData\\n | summarize count() by country\\n | summarize sum(count_), make_list(country)\\n | mv-expand list_country\\n | extend country = tostring(list_country)\\n ) on country\\n | summarize by country, count_, sum_count_\\n //Now calculate each countries prevalence within login events\\n | extend prevalence = toreal(count_) / toreal(sum_count_) * 100\\n | project-away sum_count_\\n | order by prevalence\\n) on country\\n//The % that suspicious country is prevalent in data, this can be configured, less than 10% is uncommon\\n| where prevalence < countryPrevalenceThreshold\\n| where min_count_ == count_\\n//Login start and end times from the JSON object, this is the activity window the suspicious IP was active within\\n| extend EventTimes = list_TimeGenerated\\n| extend SuspiciousIP = IPAddress\\n| project UserPrincipalName, SuspiciousIP, UserIPDelta = delta, SuspiciousLoginCountry = country, SuspiciousCountryPrevalence = prevalence, EventTimes\\n//Teams join to collect operations the user account has performed within the given time range\\n| join kind=inner( \\n TeamsData \\n | where TimeGenerated >= ago(timeRange)\\n | where Operation in~ (\\\"TeamsAdminAction\\\", \\\"MemberAdded\\\", \\\"MemberRemoved\\\", \\\"MemberRoleChanged\\\", \\\"AppInstalled\\\", \\\"BotAddedToTeam\\\")\\n | project Operation, UserId=tolower(UserId), OperationTime=TimeGenerated\\n) on $left.UserPrincipalName == $right.UserId\\n| mv-expand StartTime = EventTimes\\n| extend StartTime = make_datetime(StartTime)\\n//The end time is projected 60 minutes forward, in case actions took place within the last hour of the final login for the suspicious IP\\n| extend ProjectedEndTime = make_datetime(StartTime + projectedEndTime)\\n//Limit to operations carried out by the user account in the timeframe the IP was active\\n| where OperationTime between (StartTime .. ProjectedEndTime)\\n| project UserPrincipalName, SuspiciousIP, StartTime, ProjectedEndTime, OperationTime, Operation, SuspiciousLoginCountry, SuspiciousCountryPrevalence\\n//Filter on suspicious actions\\n| extend activitySummary = pack(tostring(StartTime), pack(\\\"Operation\\\",tostring(Operation), \\\"OperationTime\\\", OperationTime))\\n| summarize make_bag(activitySummary) by UserPrincipalName, SuspiciousIP, SuspiciousLoginCountry, SuspiciousCountryPrevalence\\n| extend IPCustomEntity = SuspiciousIP, AccountCustomEntity = UserPrincipalName\",\r\n \"queryFrequency\": \"P1D\",\r\n \"queryPeriod\": \"P1D\",\r\n \"triggerOperator\": \"GreaterThan\",\r\n \"triggerThreshold\": 0,\r\n \"entityMappings\": [\r\n {\r\n \"entityType\": \"Account\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"FullName\",\r\n \"columnName\": \"AccountCustomEntity\"\r\n }\r\n ]\r\n },\r\n {\r\n \"entityType\": \"IP\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"Address\",\r\n \"columnName\": \"IPCustomEntity\"\r\n }\r\n ]\r\n }\r\n ],\r\n \"displayName\": \"Anomalous login followed by Teams action\",\r\n \"description\": \"Detects anomalous IP address usage by user accounts and then checks to see if a suspicious Teams action is performed.\\nQuery calculates IP usage Delta for each user account and selects accounts where a delta >= 90% is observed between the most and least used IP.\\nTo further reduce results the query performs a prevalence check on the lowest used IP's country, only keeping IP's where the country is unusual for the tenant (dynamic ranges)\\nFinally the user accounts activity within Teams logs is checked for suspicious commands (modifying user privileges or admin actions) during the period the suspicious IP was active.\",\r\n \"tactics\": [\r\n \"InitialAccess\",\r\n \"Persistence\"\r\n ],\r\n \"lastUpdatedDateUTC\": \"2020-11-17T00:00:00Z\",\r\n \"createdDateUTC\": \"2020-06-30T00:00:00Z\",\r\n \"status\": \"Available\",\r\n \"requiredDataConnectors\": [\r\n {\r\n \"connectorId\": \"Office365\",\r\n \"dataTypes\": [\r\n \"OfficeActivity\"\r\n ]\r\n },\r\n {\r\n \"connectorId\": \"AzureActiveDirectory\",\r\n \"dataTypes\": [\r\n \"SigninLogs\"\r\n ]\r\n }\r\n ],\r\n \"alertRulesCreatedByTemplateCount\": 0\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/AlertRuleTemplates/f7f4a77e-f68f-4b56-9aaf-a0c9d87d7a8e\",\r\n \"name\": \"f7f4a77e-f68f-4b56-9aaf-a0c9d87d7a8e\",\r\n \"type\": \"Microsoft.SecurityInsights/AlertRuleTemplates\",\r\n \"kind\": \"Scheduled\",\r\n \"properties\": {\r\n \"severity\": \"Low\",\r\n \"query\": \"// Replace these with the usename or emails of your VIP users you wish to monitor for.\\nlet vips = dynamic(['vip1@email.com','vip2@email.com']);\\nlet timeframe = 1d;\\nLAQueryLogs\\n| where TimeGenerated > ago(timeframe)\\n| where QueryText has_any (vips)\\n| project TimeGenerated, AADEmail, RequestClientApp, QueryText, ResponseRowCount, RequestTarget\",\r\n \"queryFrequency\": \"P1D\",\r\n \"queryPeriod\": \"P1D\",\r\n \"triggerOperator\": \"GreaterThan\",\r\n \"triggerThreshold\": 0,\r\n \"displayName\": \"Users searching for VIP user activity\",\r\n \"description\": \"This query monitors for users running Log Analytics queries that contain filters \\nfor specific, defined VIP user accounts. Use this detection to alert for users specifically \\nsearching for activity of sensitive users.\",\r\n \"tactics\": [\r\n \"Collection\",\r\n \"Exfiltration\"\r\n ],\r\n \"lastUpdatedDateUTC\": \"2020-09-23T00:00:00Z\",\r\n \"createdDateUTC\": \"2020-09-16T00:00:00Z\",\r\n \"status\": \"Available\",\r\n \"requiredDataConnectors\": [\r\n {\r\n \"connectorId\": \"AzureMonitor(Query Audit)\",\r\n \"dataTypes\": [\r\n \"LAQueryLogs\"\r\n ]\r\n }\r\n ],\r\n \"alertRulesCreatedByTemplateCount\": 0\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/AlertRuleTemplates/223db5c1-1bf8-47d8-8806-bed401b356a4\",\r\n \"name\": \"223db5c1-1bf8-47d8-8806-bed401b356a4\",\r\n \"type\": \"Microsoft.SecurityInsights/AlertRuleTemplates\",\r\n \"kind\": \"Scheduled\",\r\n \"properties\": {\r\n \"severity\": \"Low\",\r\n \"query\": \"let timeRange = 1d;\\nlet lookBack = 7d;\\nlet threshold_Failed = 5;\\nlet threshold_FailedwithSingleIP = 20;\\nlet threshold_IPAddressCount = 2;\\nlet isGUID = \\\"[0-9a-z]{8}-[0-9a-z]{4}-[0-9a-z]{4}-[0-9a-z]{4}-[0-9a-z]{12}\\\";\\nlet azPortalSignins = materialize(SigninLogs\\n| where TimeGenerated >= ago(lookBack)\\n// Azure Portal only\\n| where AppDisplayName =~ \\\"Azure Portal\\\")\\n;\\nlet successPortalSignins = azPortalSignins\\n| where TimeGenerated >= ago(timeRange)\\n// Azure Portal only and exclude non-failure Result Types\\n| where ResultType in (\\\"0\\\", \\\"50125\\\", \\\"50140\\\")\\n// Tagging identities not resolved to friendly names\\n//| extend Unresolved = iff(Identity matches regex isGUID, true, false)\\n| distinct TimeGenerated, UserPrincipalName, Id, ResultType\\n;\\nlet failPortalSignins = azPortalSignins\\n| where TimeGenerated >= ago(timeRange)\\n// Azure Portal only and exclude non-failure Result Types\\n| where ResultType !in (\\\"0\\\", \\\"50125\\\", \\\"50140\\\")\\n// Tagging identities not resolved to friendly names\\n| extend Unresolved = iff(Identity matches regex isGUID, true, false)\\n;\\n// Verify there is no success for the same connection attempt after the fail\\nlet failnoSuccess = failPortalSignins | join kind= leftouter (\\n successPortalSignins \\n) on UserPrincipalName, Id\\n| where TimeGenerated > TimeGenerated1\\n| project-away TimeGenerated1, UserPrincipalName1, Id1, ResultType1\\n;\\n// Lookup up resolved identities from last 7 days\\nlet identityLookup = azPortalSignins\\n| where TimeGenerated >= ago(lookBack)\\n| where not(Identity matches regex isGUID)\\n| summarize by UserId, lu_UserDisplayName = UserDisplayName, lu_UserPrincipalName = UserPrincipalName;\\n// Join resolved names to unresolved list from portal signins\\nlet unresolvedNames = failnoSuccess | where Unresolved == true | join kind= inner (\\n identityLookup \\n) on UserId\\n| extend UserDisplayName = lu_UserDisplayName, UserPrincipalName = lu_UserPrincipalName\\n| project-away lu_UserDisplayName, lu_UserPrincipalName;\\n// Join Signins that had resolved names with list of unresolved that now have a resolved name\\nlet u_azPortalSignins = failnoSuccess | where Unresolved == false | union unresolvedNames;\\nu_azPortalSignins\\n| extend Status = strcat(ResultType, \\\": \\\", ResultDescription), OS = tostring(DeviceDetail.operatingSystem), Browser = tostring(DeviceDetail.browser)\\n| extend FullLocation = strcat(Location,'|', LocationDetails.state, '|', LocationDetails.city)\\n| summarize TimeGenerated = makelist(TimeGenerated), Status = makelist(Status), IPAddresses = makelist(IPAddress), IPAddressCount = dcount(IPAddress), FailedLogonCount = count()\\nby UserPrincipalName, UserId, UserDisplayName, AppDisplayName, Browser, OS, FullLocation\\n| mvexpand TimeGenerated, IPAddresses, Status\\n| extend TimeGenerated = todatetime(tostring(TimeGenerated)), IPAddress = tostring(IPAddresses), Status = tostring(Status)\\n| project-away IPAddresses\\n| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated) by UserPrincipalName, UserId, UserDisplayName, Status, FailedLogonCount, IPAddress, IPAddressCount, AppDisplayName, Browser, OS, FullLocation\\n| where (IPAddressCount >= threshold_IPAddressCount and FailedLogonCount >= threshold_Failed) or FailedLogonCount >= threshold_FailedwithSingleIP\\n| extend timestamp = StartTime, AccountCustomEntity = UserPrincipalName, IPCustomEntity = IPAddress\",\r\n \"queryFrequency\": \"P1D\",\r\n \"queryPeriod\": \"P7D\",\r\n \"triggerOperator\": \"GreaterThan\",\r\n \"triggerThreshold\": 0,\r\n \"entityMappings\": [\r\n {\r\n \"entityType\": \"Account\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"FullName\",\r\n \"columnName\": \"AccountCustomEntity\"\r\n }\r\n ]\r\n },\r\n {\r\n \"entityType\": \"IP\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"Address\",\r\n \"columnName\": \"IPCustomEntity\"\r\n }\r\n ]\r\n }\r\n ],\r\n \"displayName\": \"Failed login attempts to Azure Portal\",\r\n \"description\": \"Identifies failed login attempts in the Azure Active Directory SigninLogs to the Azure Portal. Many failed logon \\nattempts or some failed logon attempts from multiple IPs could indicate a potential brute force attack. \\nThe following are excluded due to success and non-failure results:\\nReferences: https://docs.microsoft.com/azure/active-directory/reports-monitoring/reference-sign-ins-error-codes\\n0 - successful logon\\n50125 - Sign-in was interrupted due to a password reset or password registration entry.\\n50140 - This error occurred due to 'Keep me signed in' interrupt when the user was signing-in.\",\r\n \"tactics\": [\r\n \"CredentialAccess\"\r\n ],\r\n \"lastUpdatedDateUTC\": \"2020-11-17T00:00:00Z\",\r\n \"createdDateUTC\": \"2019-02-11T00:00:00Z\",\r\n \"status\": \"Available\",\r\n \"requiredDataConnectors\": [\r\n {\r\n \"connectorId\": \"AzureActiveDirectory\",\r\n \"dataTypes\": [\r\n \"SigninLogs\"\r\n ]\r\n }\r\n ],\r\n \"alertRulesCreatedByTemplateCount\": 0\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/AlertRuleTemplates/80da0a8f-cfe1-4cd0-a895-8bc1771a720e\",\r\n \"name\": \"80da0a8f-cfe1-4cd0-a895-8bc1771a720e\",\r\n \"type\": \"Microsoft.SecurityInsights/AlertRuleTemplates\",\r\n \"kind\": \"Scheduled\",\r\n \"properties\": {\r\n \"severity\": \"Medium\",\r\n \"query\": \"let timeframe = 1d;\\nSecurityEvent\\n| where TimeGenerated >= ago(timeframe)\\n| where EventID == 1102 and EventSourceName == \\\"Microsoft-Windows-Eventlog\\\" \\n| summarize StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated), EventCount = count() by Computer, Account, EventID, Activity\\n| extend timestamp = StartTimeUtc, AccountCustomEntity = Account, HostCustomEntity = Computer\",\r\n \"queryFrequency\": \"P1D\",\r\n \"queryPeriod\": \"P1D\",\r\n \"triggerOperator\": \"GreaterThan\",\r\n \"triggerThreshold\": 0,\r\n \"entityMappings\": [\r\n {\r\n \"entityType\": \"Account\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"FullName\",\r\n \"columnName\": \"AccountCustomEntity\"\r\n }\r\n ]\r\n },\r\n {\r\n \"entityType\": \"Host\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"FullName\",\r\n \"columnName\": \"HostCustomEntity\"\r\n }\r\n ]\r\n }\r\n ],\r\n \"displayName\": \"Security Event log cleared\",\r\n \"description\": \"Checks for event id 1102 which indicates the security event log was cleared. \\nIt uses Event Source Name \\\"Microsoft-Windows-Eventlog\\\" to avoid generating false positives from other sources, like AD FS servers for instance.\",\r\n \"tactics\": [\r\n \"DefenseEvasion\"\r\n ],\r\n \"lastUpdatedDateUTC\": \"2020-11-17T00:00:00Z\",\r\n \"createdDateUTC\": \"2019-02-22T00:00:00Z\",\r\n \"status\": \"Available\",\r\n \"requiredDataConnectors\": [\r\n {\r\n \"connectorId\": \"SecurityEvents\",\r\n \"dataTypes\": [\r\n \"SecurityEvent\"\r\n ]\r\n }\r\n ],\r\n \"alertRulesCreatedByTemplateCount\": 0\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/AlertRuleTemplates/7cb8f77d-c52f-4e46-b82f-3cf2e106224a\",\r\n \"name\": \"7cb8f77d-c52f-4e46-b82f-3cf2e106224a\",\r\n \"type\": \"Microsoft.SecurityInsights/AlertRuleTemplates\",\r\n \"kind\": \"Scheduled\",\r\n \"properties\": {\r\n \"severity\": \"Medium\",\r\n \"query\": \"let lookBack_long = 14d;\\nlet lookBack_med = 7d;\\nlet lookBack = 1d;\\nSigninLogs\\n| where TimeGenerated >= startofday(ago(lookBack_long))\\n| extend locationString = strcat(tostring(LocationDetails[\\\"countryOrRegion\\\"]), \\\"/\\\", tostring(LocationDetails[\\\"state\\\"]), \\\"/\\\", tostring(LocationDetails[\\\"city\\\"]), \\\";\\\") \\n| project TimeGenerated, AppDisplayName , UserPrincipalName, locationString \\n// Create time series \\n| make-series dLocationCount = dcount(locationString) on TimeGenerated in range(startofday(ago(lookBack_long)),now(), 1d) \\nby UserPrincipalName, AppDisplayName \\n// Compute best fit line for each entry \\n| extend (RSquare,Slope,Variance,RVariance,Interception,LineFit)=series_fit_line(dLocationCount) \\n// Chart the 3 most interesting lines \\n// A 0-value slope corresponds to an account being completely stable over time for a given Azure Active Directory application\\n| where Slope > 0.3\\n| top 50 by Slope desc\\n| join kind = leftsemi (\\nSigninLogs\\n| where TimeGenerated >= startofday(ago(lookBack_med))\\n| extend locationString = strcat(tostring(LocationDetails[\\\"countryOrRegion\\\"]), \\\"/\\\", tostring(LocationDetails[\\\"state\\\"]), \\\"/\\\", tostring(LocationDetails[\\\"city\\\"]), \\\";\\\") \\n| project TimeGenerated, AppDisplayName , UserPrincipalName, locationString \\n| make-series dLocationCount = dcount(locationString) on TimeGenerated in range(startofday(ago(lookBack_med)) ,now(), 1d) \\nby UserPrincipalName, AppDisplayName \\n| extend (RSquare,Slope,Variance,RVariance,Interception,LineFit)=series_fit_line(dLocationCount) \\n| top 50 by Slope desc\\n| where Slope > 0.3\\n) on UserPrincipalName, AppDisplayName\\n| join kind = leftsemi (\\nSigninLogs\\n| where TimeGenerated >= startofday(ago(lookBack))\\n| extend locationString = strcat(tostring(LocationDetails[\\\"countryOrRegion\\\"]), \\\"/\\\", tostring(LocationDetails[\\\"state\\\"]), \\\"/\\\", tostring(LocationDetails[\\\"city\\\"]), \\\";\\\") \\n| project TimeGenerated, AppDisplayName , UserPrincipalName, locationString \\n| make-series dLocationCount = dcount(locationString) on TimeGenerated in range(startofday(ago(lookBack)) ,now(), 1d) \\nby UserPrincipalName, AppDisplayName \\n| extend (RSquare,Slope,Variance,RVariance,Interception,LineFit)=series_fit_line(dLocationCount) \\n| top 50 by Slope desc\\n// Higher threshold requirement on last day anomaly\\n| where Slope > 5\\n) on UserPrincipalName, AppDisplayName\\n| extend timestamp = TimeGenerated, AccountCustomEntity = UserPrincipalName\",\r\n \"queryFrequency\": \"P1D\",\r\n \"queryPeriod\": \"P14D\",\r\n \"triggerOperator\": \"GreaterThan\",\r\n \"triggerThreshold\": 0,\r\n \"entityMappings\": [\r\n {\r\n \"entityType\": \"Account\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"FullName\",\r\n \"columnName\": \"AccountCustomEntity\"\r\n }\r\n ]\r\n }\r\n ],\r\n \"displayName\": \"Anomalous sign-in location by user account and authenticating application\",\r\n \"description\": \"This query over Azure Active Directory sign-in considers all user sign-ins for each Azure Active \\nDirectory application and picks out the most anomalous change in location profile for a user within an \\nindividual application. An alert is generated for recent sign-ins that have location counts that are anomalous\\nover last day but also over the last 7-day and 14-day periods.\",\r\n \"tactics\": [\r\n \"InitialAccess\"\r\n ],\r\n \"lastUpdatedDateUTC\": \"2020-11-17T00:00:00Z\",\r\n \"createdDateUTC\": \"2019-02-05T00:00:00Z\",\r\n \"status\": \"Available\",\r\n \"requiredDataConnectors\": [\r\n {\r\n \"connectorId\": \"AzureActiveDirectory\",\r\n \"dataTypes\": [\r\n \"SigninLogs\"\r\n ]\r\n }\r\n ],\r\n \"alertRulesCreatedByTemplateCount\": 0\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/AlertRuleTemplates/ec21493c-2684-4acd-9bc2-696dbad72426\",\r\n \"name\": \"ec21493c-2684-4acd-9bc2-696dbad72426\",\r\n \"type\": \"Microsoft.SecurityInsights/AlertRuleTemplates\",\r\n \"kind\": \"Scheduled\",\r\n \"properties\": {\r\n \"severity\": \"Medium\",\r\n \"query\": \"let dt_lookBack = 1h;\\nlet ioc_lookBack = 14d;\\n//Create a list of TLDs in our threat feed for later validation of extracted domains\\nlet list_tlds = ThreatIntelligenceIndicator\\n | where TimeGenerated > ago(ioc_lookBack)\\n | where isnotempty(DomainName)\\n | extend DomainName = tolower(DomainName)\\n | extend parts = split(DomainName, '.')\\n | extend tld = parts[(array_length(parts)-1)]\\n | summarize count() by tostring(tld)\\n | summarize make_list(tld);\\n ThreatIntelligenceIndicator\\n | where TimeGenerated >= ago(ioc_lookBack) and ExpirationDateTime > now()\\n | summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId\\n | where Active == true\\n // Picking up only IOC's that contain the entities we want\\n | where isnotempty(DomainName)\\n | join (\\n CommonSecurityLog\\n | extend IngestionTime = ingestion_time()\\n | where IngestionTime > ago(dt_lookBack)\\n | where DeviceVendor =~ 'Palo Alto Networks'\\n | where DeviceEventClassID =~ 'url'\\n //Uncomment the line below to only alert on allowed connections\\n //| where DeviceAction !~ \\\"block-url\\\"\\n //Extract domain from RequestURL, if not present extarct it from AdditionalExtentions\\n | extend PA_Url = columnifexists(\\\"RequestURL\\\", \\\"None\\\")\\n | extend PA_Url = iif(isempty(PA_Url) and AdditionalExtensions !startswith \\\"PanOS\\\", extract(\\\"([^\\\\\\\"]+)\\\", 1, tolower(AdditionalExtensions)), trim('\\\"', PA_Url))\\n | extend PA_Url = iif(PA_Url !startswith \\\"http://\\\" and ApplicationProtocol !~ \\\"ssl\\\", strcat('http://', PA_Url), iif(PA_Url !startswith \\\"https://\\\" and ApplicationProtocol =~ \\\"ssl\\\", strcat('https://', PA_Url), PA_Url))\\n | extend Domain = trim(@\\\"\\\"\\\"\\\",tostring(parse_url(PA_Url).Host))\\n | where isnotempty(Domain)\\n | extend Domain = tolower(Domain)\\n | extend parts = split(Domain, '.')\\n //Split out the TLD for the purpose of checking if we have any TI indicators with this TLD to match on\\n | extend tld = parts[(array_length(parts)-1)]\\n //Validate parsed domain by checking TLD against TLDs from threat feed and drop domains where there is no chance of a match\\n | where tld in~ (list_tlds)\\n | extend CSL_TimeGenerated = TimeGenerated\\n ) on $left.DomainName==$right.Domain\\n | project LatestIndicatorTime, Description, ActivityGroupNames, PA_Url, Domain, IndicatorId, ThreatType, ExpirationDateTime, ConfidenceScore, CSL_TimeGenerated, DeviceAction, DestinationIP, DestinationPort, DeviceName, SourceIP, SourcePort, ApplicationProtocol, RequestMethod\\n | extend timestamp = CSL_TimeGenerated, IPCustomEntity = SourceIP, HostCustomEntity = DeviceName, URLCustomEntity = PA_Url\",\r\n \"queryFrequency\": \"PT1H\",\r\n \"queryPeriod\": \"P14D\",\r\n \"triggerOperator\": \"GreaterThan\",\r\n \"triggerThreshold\": 0,\r\n \"entityMappings\": [\r\n {\r\n \"entityType\": \"Host\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"FullName\",\r\n \"columnName\": \"HostCustomEntity\"\r\n }\r\n ]\r\n },\r\n {\r\n \"entityType\": \"IP\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"Address\",\r\n \"columnName\": \"IPCustomEntity\"\r\n }\r\n ]\r\n },\r\n {\r\n \"entityType\": \"URL\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"Url\",\r\n \"columnName\": \"URLCustomEntity\"\r\n }\r\n ]\r\n }\r\n ],\r\n \"displayName\": \"(Preview) TI map Domain entity to PaloAlto\",\r\n \"description\": \"Identifies a match in Palo Alto data in CommonSecurityLog table from any Domain IOC from TI\",\r\n \"tactics\": [\r\n \"Impact\"\r\n ],\r\n \"lastUpdatedDateUTC\": \"2020-11-17T00:00:00Z\",\r\n \"createdDateUTC\": \"2019-08-28T00:00:00Z\",\r\n \"status\": \"Available\",\r\n \"requiredDataConnectors\": [\r\n {\r\n \"connectorId\": \"PaloAltoNetworks\",\r\n \"dataTypes\": [\r\n \"CommonSecurityLog\"\r\n ]\r\n },\r\n {\r\n \"connectorId\": \"ThreatIntelligence\",\r\n \"dataTypes\": [\r\n \"ThreatIntelligenceIndicator\"\r\n ]\r\n },\r\n {\r\n \"connectorId\": \"ThreatIntelligenceTaxii\",\r\n \"dataTypes\": [\r\n \"ThreatIntelligenceIndicator\"\r\n ]\r\n }\r\n ],\r\n \"alertRulesCreatedByTemplateCount\": 0\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/AlertRuleTemplates/28b42356-45af-40a6-a0b4-a554cdfd5d8a\",\r\n \"name\": \"28b42356-45af-40a6-a0b4-a554cdfd5d8a\",\r\n \"type\": \"Microsoft.SecurityInsights/AlertRuleTemplates\",\r\n \"kind\": \"Scheduled\",\r\n \"properties\": {\r\n \"severity\": \"Medium\",\r\n \"query\": \"let failureCountThreshold = 5;\\nlet successCountThreshold = 1;\\nlet timeRange = 1d;\\nlet authenticationWindow = 20m;\\nSigninLogs\\n| where TimeGenerated >= ago(timeRange)\\n| extend OS = DeviceDetail.operatingSystem, Browser = DeviceDetail.browser\\n| extend StatusCode = tostring(Status.errorCode), StatusDetails = tostring(Status.additionalDetails)\\n| extend State = tostring(LocationDetails.state), City = tostring(LocationDetails.city)\\n| where AppDisplayName contains \\\"Azure Portal\\\"\\n// Split out failure versus non-failure types\\n| extend FailureOrSuccess = iff(ResultType in (\\\"0\\\", \\\"50125\\\", \\\"50140\\\", \\\"70043\\\", \\\"70044\\\"), \\\"Success\\\", \\\"Failure\\\")\\n| summarize StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated), IPAddress = makeset(IPAddress), makeset(OS), makeset(Browser), makeset(City), \\nmakeset(ResultType), FailureCount = countif(FailureOrSuccess==\\\"Failure\\\"), SuccessCount = countif(FailureOrSuccess==\\\"Success\\\") \\nby bin(TimeGenerated, authenticationWindow), UserDisplayName, UserPrincipalName, AppDisplayName\\n| where FailureCount >= failureCountThreshold and SuccessCount >= successCountThreshold\\n| mvexpand IPAddress\\n| extend IPAddress = tostring(IPAddress)\\n| extend timestamp = StartTimeUtc, AccountCustomEntity = UserPrincipalName, IPCustomEntity = IPAddress\",\r\n \"queryFrequency\": \"P1D\",\r\n \"queryPeriod\": \"P1D\",\r\n \"triggerOperator\": \"GreaterThan\",\r\n \"triggerThreshold\": 0,\r\n \"entityMappings\": [\r\n {\r\n \"entityType\": \"Account\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"FullName\",\r\n \"columnName\": \"AccountCustomEntity\"\r\n }\r\n ]\r\n },\r\n {\r\n \"entityType\": \"IP\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"Address\",\r\n \"columnName\": \"IPCustomEntity\"\r\n }\r\n ]\r\n }\r\n ],\r\n \"displayName\": \"Brute force attack against Azure Portal\",\r\n \"description\": \"Identifies evidence of brute force activity against Azure Portal by highlighting multiple authentication failures \\nand by a successful authentication within a given time window. \\n(The query does not enforce any sequence - eg requiring the successful authentication to occur last.)\\nDefault Failure count is 5, Default Success count is 1 and default Time Window is 20 minutes.\\nReferences: https://docs.microsoft.com/azure/active-directory/reports-monitoring/reference-sign-ins-error-codes.\",\r\n \"tactics\": [\r\n \"CredentialAccess\"\r\n ],\r\n \"lastUpdatedDateUTC\": \"2020-11-17T00:00:00Z\",\r\n \"createdDateUTC\": \"2019-04-02T00:00:00Z\",\r\n \"status\": \"Available\",\r\n \"requiredDataConnectors\": [\r\n {\r\n \"connectorId\": \"AzureActiveDirectory\",\r\n \"dataTypes\": [\r\n \"SigninLogs\"\r\n ]\r\n }\r\n ],\r\n \"alertRulesCreatedByTemplateCount\": 0\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/AlertRuleTemplates/a9956d3a-07a9-44a6-a279-081a85020cae\",\r\n \"name\": \"a9956d3a-07a9-44a6-a279-081a85020cae\",\r\n \"type\": \"Microsoft.SecurityInsights/AlertRuleTemplates\",\r\n \"kind\": \"Scheduled\",\r\n \"properties\": {\r\n \"severity\": \"Medium\",\r\n \"query\": \"let timeframe = ago(1h);\\nlet threshold = 15;\\nlet rejectedAccess = SymantecVIP\\n| where TimeGenerated > timeframe\\n| where isnotempty(RADIUSAuth)\\n| where RADIUSAuth =~ \\\"Reject\\\"\\n| summarize Total = count() by ClientIP, bin(TimeGenerated, 15m)\\n| where Total > threshold\\n| project ClientIP;\\nSymantecVIP\\n| where TimeGenerated > timeframe\\n| where isnotempty(RADIUSAuth)\\n| where RADIUSAuth =~ \\\"Reject\\\"\\n| join kind=inner rejectedAccess() on ClientIP\\n| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated), count() by ClientIP, User\\n| extend timestamp = StartTime, IPCustomEntity = ClientIP, AccountCustomEntity = User\",\r\n \"queryFrequency\": \"PT1H\",\r\n \"queryPeriod\": \"PT1H\",\r\n \"triggerOperator\": \"GreaterThan\",\r\n \"triggerThreshold\": 0,\r\n \"entityMappings\": [\r\n {\r\n \"entityType\": \"Account\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"FullName\",\r\n \"columnName\": \"AccountCustomEntity\"\r\n }\r\n ]\r\n },\r\n {\r\n \"entityType\": \"IP\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"Address\",\r\n \"columnName\": \"IPCustomEntity\"\r\n }\r\n ]\r\n }\r\n ],\r\n \"displayName\": \"ClientDeniedAccess\",\r\n \"description\": \"Creates an incident in the event a Client has an excessive amounts of denied access requests.\",\r\n \"tactics\": [\r\n \"CredentialAccess\"\r\n ],\r\n \"lastUpdatedDateUTC\": \"2020-11-17T00:00:00Z\",\r\n \"createdDateUTC\": \"2020-06-06T00:00:00Z\",\r\n \"status\": \"Available\",\r\n \"requiredDataConnectors\": [\r\n {\r\n \"connectorId\": \"SymantecVIP\",\r\n \"dataTypes\": [\r\n \"Syslog\"\r\n ]\r\n }\r\n ],\r\n \"alertRulesCreatedByTemplateCount\": 0\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/AlertRuleTemplates/a7564d76-ec6b-4519-a66b-fcc80c42332b\",\r\n \"name\": \"a7564d76-ec6b-4519-a66b-fcc80c42332b\",\r\n \"type\": \"Microsoft.SecurityInsights/AlertRuleTemplates\",\r\n \"kind\": \"Scheduled\",\r\n \"properties\": {\r\n \"severity\": \"Medium\",\r\n \"query\": \"let timeframe = 1h;\\nlet WellKnownLocalSID = \\\"S-1-5-32-5[0-9][0-9]$\\\";\\nlet WellKnownGroupSID = \\\"S-1-5-21-[0-9]*-[0-9]*-[0-9]*-5[0-9][0-9]$|S-1-5-21-[0-9]*-[0-9]*-[0-9]*-1102$|S-1-5-21-[0-9]*-[0-9]*-[0-9]*-1103$|S-1-5-21-[0-9]*-[0-9]*-[0-9]*-498$|S-1-5-21-[0-9]*-[0-9]*-[0-9]*-1000$\\\";\\nlet GroupAddition = SecurityEvent \\n| where TimeGenerated > ago(timeframe)\\n// 4728 - A member was added to a security-enabled global group\\n// 4732 - A member was added to a security-enabled local group\\n// 4756 - A member was added to a security-enabled universal group \\n| where EventID in (\\\"4728\\\", \\\"4732\\\", \\\"4756\\\") \\n| where AccountType =~ \\\"User\\\" and MemberName == \\\"-\\\"\\n// Exclude Remote Desktop Users group: S-1-5-32-555\\n| where TargetSid !in (\\\"S-1-5-32-555\\\")\\n| where TargetSid matches regex WellKnownLocalSID or TargetSid matches regex WellKnownGroupSID\\n| project GroupAddTime = TimeGenerated, GroupAddEventID = EventID, GroupAddActivity = Activity, GroupAddComputer = Computer, \\nGroupAddTargetUserName = TargetUserName, GroupAddTargetDomainName = TargetDomainName, GroupAddTargetSid = TargetSid, \\nGroupAddSubjectUserName = SubjectUserName, GroupAddSubjectUserSid = SubjectUserSid, GroupSid = MemberSid;\\nlet GroupCreated = SecurityEvent\\n| where TimeGenerated > ago(timeframe)\\n// 4727 - A security-enabled global group was created\\n// 4731 - A security-enabled local group was created\\n// 4754 - A security-enabled universal group was created\\n| where EventID in (\\\"4727\\\", \\\"4731\\\", \\\"4754\\\")\\n| where AccountType =~ \\\"User\\\"\\n| project GroupCreateTime = TimeGenerated, GroupCreateEventID = EventID, GroupCreateActivity = Activity, GroupCreateComputer = Computer, \\nGroupCreateTargetUserName = TargetUserName, GroupCreateTargetDomainName = TargetDomainName, GroupCreateSubjectUserName = SubjectUserName, \\nGroupCreateSubjectDomainName = SubjectDomainName, GroupCreateSubjectUserSid = SubjectUserSid, GroupSid = TargetSid;\\nGroupCreated\\n| join (\\nGroupAddition\\n) on GroupSid \\n| extend timestamp = GroupCreateTime, AccountCustomEntity = GroupCreateSubjectUserName, HostCustomEntity = GroupCreateComputer\",\r\n \"queryFrequency\": \"PT1H\",\r\n \"queryPeriod\": \"PT1H\",\r\n \"triggerOperator\": \"GreaterThan\",\r\n \"triggerThreshold\": 0,\r\n \"entityMappings\": [\r\n {\r\n \"entityType\": \"Account\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"FullName\",\r\n \"columnName\": \"AccountCustomEntity\"\r\n }\r\n ]\r\n },\r\n {\r\n \"entityType\": \"Host\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"FullName\",\r\n \"columnName\": \"HostCustomEntity\"\r\n }\r\n ]\r\n }\r\n ],\r\n \"displayName\": \"Group added to built in domain local or global group\",\r\n \"description\": \"Identifies when a recently created Group was added to a privileged built in domain local group or global group such as the \\nEnterprise Admins, Cert Publishers or DnsAdmins. Be sure to verify this is an expected addition.\\nReferences: For AD SID mappings - https://docs.microsoft.com/windows/security/identity-protection/access-control/active-directory-security-groups.\",\r\n \"tactics\": [\r\n \"Persistence\",\r\n \"PrivilegeEscalation\"\r\n ],\r\n \"lastUpdatedDateUTC\": \"2020-11-17T00:00:00Z\",\r\n \"createdDateUTC\": \"2019-02-27T00:00:00Z\",\r\n \"status\": \"Available\",\r\n \"requiredDataConnectors\": [\r\n {\r\n \"connectorId\": \"SecurityEvents\",\r\n \"dataTypes\": [\r\n \"SecurityEvent\"\r\n ]\r\n }\r\n ],\r\n \"alertRulesCreatedByTemplateCount\": 0\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/AlertRuleTemplates/0914adab-90b5-47a3-a79f-7cdcac843aa7\",\r\n \"name\": \"0914adab-90b5-47a3-a79f-7cdcac843aa7\",\r\n \"type\": \"Microsoft.SecurityInsights/AlertRuleTemplates\",\r\n \"kind\": \"Scheduled\",\r\n \"properties\": {\r\n \"severity\": \"Low\",\r\n \"query\": \"let starttime = 14d;\\nlet timeframe = 1d;\\nlet scorethreshold = 3;\\nlet baselinethreshold = 5;\\nlet OperationList = dynamic(\\n[\\\"SecretGet\\\", \\\"KeyGet\\\", \\\"VaultGet\\\"]);\\nlet TimeSeriesData = AzureDiagnostics\\n| where TimeGenerated between (startofday(ago(starttime))..startofday(now()))\\n| extend ResultType = columnifexists(\\\"ResultType\\\", \\\"None\\\"), CallerIPAddress = columnifexists(\\\"CallerIPAddress\\\", \\\"None\\\")\\n| where ResultType !~ \\\"None\\\" and isnotempty(ResultType)\\n| where CallerIPAddress !~ \\\"None\\\" and isnotempty(CallerIPAddress)\\n| where ResourceType =~ \\\"VAULTS\\\" and ResultType =~ \\\"Success\\\"\\n| where OperationName in (OperationList) \\n| project TimeGenerated, OperationName, Resource, CallerIPAddress \\n| make-series HourlyCount=count() on TimeGenerated from startofday(ago(starttime)) to startofday(now()) step timeframe by Resource;\\n//Filter anomolies against TimeSeriesData\\nlet TimeSeriesAlerts = TimeSeriesData\\n| extend (anomalies, score, baseline) = series_decompose_anomalies(HourlyCount, scorethreshold, -1, 'linefit')\\n| mv-expand HourlyCount to typeof(double), TimeGenerated to typeof(datetime), anomalies to typeof(double),score to typeof(double), baseline to typeof(long)\\n| where anomalies > 0 | extend AnomalyHour = TimeGenerated\\n| where baseline > baselinethreshold // Filtering low count events per baselinethreshold\\n| project Resource, AnomalyHour, TimeGenerated, HourlyCount, baseline, anomalies, score;\\n// Filter the alerts since specified timeframe\\nTimeSeriesAlerts\\n| where TimeGenerated > ago(timeframe)\\n// Join against base logs since specified timeframe to retrive records associated with the hour of anomoly\\n| join (\\nAzureDiagnostics\\n| where TimeGenerated > ago(timeframe)\\n| extend ResultType = columnifexists(\\\"ResultType\\\", \\\"NoResultType\\\")\\n| extend requestUri_s = columnifexists(\\\"requestUri_s\\\", \\\"None\\\"), identity_claim_http_schemas_microsoft_com_identity_claims_objectidentifier_g = columnifexists(\\\"identity_claim_http_schemas_microsoft_com_identity_claims_objectidentifier_g\\\", \\\"None\\\")\\n| extend id_s = columnifexists(\\\"id_s\\\", \\\"None\\\"), CallerIPAddress = columnifexists(\\\"CallerIPAddress\\\", \\\"None\\\"), clientInfo_s = columnifexists(\\\"clientInfo_s\\\", \\\"None\\\")\\n| where ResultType !~ \\\"None\\\" and isnotempty(ResultType)\\n| where identity_claim_http_schemas_microsoft_com_identity_claims_objectidentifier_g !~ \\\"None\\\" and isnotempty(identity_claim_http_schemas_microsoft_com_identity_claims_objectidentifier_g)\\n| where id_s !~ \\\"None\\\" and isnotempty(id_s)\\n| where CallerIPAddress !~ \\\"None\\\" and isnotempty(CallerIPAddress)\\n| where clientInfo_s !~ \\\"None\\\" and isnotempty(clientInfo_s)\\n| where requestUri_s !~ \\\"None\\\" and isnotempty(requestUri_s)\\n| where ResourceType =~ \\\"VAULTS\\\" and ResultType =~ \\\"Success\\\"\\n| where OperationName in (OperationList) \\n| summarize PerOperationCount=count(), LatestAnomalyTime = arg_max(TimeGenerated,*) by bin(TimeGenerated,1h), Resource, OperationName, id_s, CallerIPAddress, identity_claim_http_schemas_microsoft_com_identity_claims_objectidentifier_g, requestUri_s, clientInfo_s \\n) on Resource, TimeGenerated \\n| summarize EventCount=count(), OperationNameList = make_set(OperationName), RequestURLList = make_set(requestUri_s), AccountList = make_set(identity_claim_http_schemas_microsoft_com_identity_claims_objectidentifier_g), AccountMax = arg_max(identity_claim_http_schemas_microsoft_com_identity_claims_objectidentifier_g,*) by Resource, id_s, clientInfo_s, LatestAnomalyTime\\n| extend timestamp = LatestAnomalyTime, IPCustomEntity = CallerIPAddress, AccountCustomEntity = AccountMax\",\r\n \"queryFrequency\": \"PT1H\",\r\n \"queryPeriod\": \"P14D\",\r\n \"triggerOperator\": \"GreaterThan\",\r\n \"triggerThreshold\": 0,\r\n \"entityMappings\": [\r\n {\r\n \"entityType\": \"Account\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"FullName\",\r\n \"columnName\": \"AccountCustomEntity\"\r\n }\r\n ]\r\n },\r\n {\r\n \"entityType\": \"IP\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"Address\",\r\n \"columnName\": \"IPCustomEntity\"\r\n }\r\n ]\r\n }\r\n ],\r\n \"displayName\": \"Azure Key Vault access TimeSeries anomaly\",\r\n \"description\": \"Indentifies a sudden increase in count of Azure Key Vault secret or vault access operations by CallerIPAddress. The query leverages a built-in KQL anomaly detection algorithm \\nto find large deviations from baseline Azure Key Vault access patterns. Any sudden increase in the count of Azure Key Vault accesses can be an \\nindication of adversary dumping credentials via automated methods. If you are seeing any noise, try filtering known source(IP/Account) and user-agent combinations.\\nTimeSeries Reference Blog: https://techcommunity.microsoft.com/t5/azure-sentinel/looking-for-unknown-anomalies-what-is-normal-time-series/ba-p/555052\",\r\n \"tactics\": [\r\n \"CredentialAccess\"\r\n ],\r\n \"lastUpdatedDateUTC\": \"2020-11-17T00:00:00Z\",\r\n \"createdDateUTC\": \"2019-07-01T00:00:00Z\",\r\n \"status\": \"Available\",\r\n \"requiredDataConnectors\": [\r\n {\r\n \"connectorId\": \"WAF\",\r\n \"dataTypes\": [\r\n \"AzureDiagnostics\"\r\n ]\r\n }\r\n ],\r\n \"alertRulesCreatedByTemplateCount\": 0\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/AlertRuleTemplates/884c4957-70ea-4f57-80b9-1bca3890315b\",\r\n \"name\": \"884c4957-70ea-4f57-80b9-1bca3890315b\",\r\n \"type\": \"Microsoft.SecurityInsights/AlertRuleTemplates\",\r\n \"kind\": \"Scheduled\",\r\n \"properties\": {\r\n \"severity\": \"Medium\",\r\n \"query\": \"let timeFrame = 1d;\\nlet timeBin = 10m;\\nlet failedThreshold = 100;\\nW3CIISLog\\n| where TimeGenerated >= ago(timeFrame)\\n| where scStatus in (\\\"401\\\",\\\"403\\\")\\n| where csUserName != \\\"-\\\"\\n// Handling Exchange specific items in IIS logs to remove the unique log identifier in the URI\\n| extend csUriQuery = iff(csUriQuery startswith \\\"MailboxId=\\\", tostring(split(csUriQuery, \\\"&\\\")[0]) , csUriQuery )\\n| extend csUriQuery = iff(csUriQuery startswith \\\"X-ARR-CACHE-HIT=\\\", strcat(tostring(split(csUriQuery, \\\"&\\\")[0]),tostring(split(csUriQuery, \\\"&\\\")[1])) , csUriQuery )\\n| extend scStatusFull = strcat(scStatus, \\\".\\\",scSubStatus) \\n// Map common IIS codes\\n| extend scStatusFull_Friendly = case(\\nscStatusFull == \\\"401.0\\\", \\\"Access denied.\\\",\\nscStatusFull == \\\"401.1\\\", \\\"Logon failed.\\\",\\nscStatusFull == \\\"401.2\\\", \\\"Logon failed due to server configuration.\\\",\\nscStatusFull == \\\"401.3\\\", \\\"Unauthorized due to ACL on resource.\\\",\\nscStatusFull == \\\"401.4\\\", \\\"Authorization failed by filter.\\\",\\nscStatusFull == \\\"401.5\\\", \\\"Authorization failed by ISAPI/CGI application.\\\",\\nscStatusFull == \\\"403.0\\\", \\\"Forbidden.\\\",\\nscStatusFull == \\\"403.4\\\", \\\"SSL required.\\\",\\n\\\"See - https://support.microsoft.com/help/943891/the-http-status-code-in-iis-7-0-iis-7-5-and-iis-8-0\\\")\\n// Mapping to Hex so can be mapped using website in comments above\\n| extend scWin32Status_Hex = tohex(tolong(scWin32Status)) \\n// Map common win32 codes\\n| extend scWin32Status_Friendly = case(\\nscWin32Status_Hex =~ \\\"775\\\", \\\"The referenced account is currently locked out and cannot be logged on to.\\\",\\nscWin32Status_Hex =~ \\\"52e\\\", \\\"Logon failure: Unknown user name or bad password.\\\",\\nscWin32Status_Hex =~ \\\"532\\\", \\\"Logon failure: The specified account password has expired.\\\",\\nscWin32Status_Hex =~ \\\"533\\\", \\\"Logon failure: Account currently disabled.\\\", \\nscWin32Status_Hex =~ \\\"2ee2\\\", \\\"The request has timed out.\\\", \\nscWin32Status_Hex =~ \\\"0\\\", \\\"The operation completed successfully.\\\", \\nscWin32Status_Hex =~ \\\"1\\\", \\\"Incorrect function.\\\", \\nscWin32Status_Hex =~ \\\"2\\\", \\\"The system cannot find the file specified.\\\", \\nscWin32Status_Hex =~ \\\"3\\\", \\\"The system cannot find the path specified.\\\", \\nscWin32Status_Hex =~ \\\"4\\\", \\\"The system cannot open the file.\\\", \\nscWin32Status_Hex =~ \\\"5\\\", \\\"Access is denied.\\\", \\nscWin32Status_Hex =~ \\\"8009030e\\\", \\\"SEC_E_NO_CREDENTIALS\\\", \\nscWin32Status_Hex =~ \\\"8009030C\\\", \\\"SEC_E_LOGON_DENIED\\\", \\n\\\"See - https://msdn.microsoft.com/library/cc231199.aspx\\\")\\n// decode URI when available\\n| extend decodedUriQuery = url_decode(csUriQuery)\\n// Count of failed logons by a user\\n| summarize makeset(decodedUriQuery), makeset(cIP), makeset(sSiteName), makeset(sPort), makeset(csUserAgent), makeset(csMethod), makeset(csUriQuery), makeset(scStatusFull), makeset(scStatusFull_Friendly), makeset(scWin32Status_Hex), makeset(scWin32Status_Friendly), FailedConnectionsCount = count() by bin(TimeGenerated, timeBin), csUserName, Computer, sIP\\n| where FailedConnectionsCount >= failedThreshold\\n| project TimeGenerated, csUserName, set_decodedUriQuery, Computer, set_sSiteName, sIP, set_cIP, set_sPort, set_csUserAgent, set_csMethod, set_scStatusFull, set_scStatusFull_Friendly, set_scWin32Status_Hex, set_scWin32Status_Friendly, FailedConnectionsCount\\n| order by FailedConnectionsCount\\n| extend timestamp = TimeGenerated, AccountCustomEntity = csUserName, HostCustomEntity = Computer\",\r\n \"queryFrequency\": \"P1D\",\r\n \"queryPeriod\": \"P1D\",\r\n \"triggerOperator\": \"GreaterThan\",\r\n \"triggerThreshold\": 0,\r\n \"entityMappings\": [\r\n {\r\n \"entityType\": \"Account\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"FullName\",\r\n \"columnName\": \"AccountCustomEntity\"\r\n }\r\n ]\r\n },\r\n {\r\n \"entityType\": \"Host\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"FullName\",\r\n \"columnName\": \"HostCustomEntity\"\r\n }\r\n ]\r\n }\r\n ],\r\n \"displayName\": \"High count of failed logons by a user\",\r\n \"description\": \"Identifies when 100 or more failed attempts by a given user in 10 minutes occur on the IIS Server.\\nThis could be indicative of attempted brute force based on known account information.\\nThis could also simply indicate a misconfigured service or device. \\nReferences:\\nIIS status code mapping - https://support.microsoft.com/help/943891/the-http-status-code-in-iis-7-0-iis-7-5-and-iis-8-0\\nWin32 Status code mapping - https://msdn.microsoft.com/library/cc231199.aspx\",\r\n \"tactics\": [\r\n \"CredentialAccess\"\r\n ],\r\n \"lastUpdatedDateUTC\": \"2020-11-17T00:00:00Z\",\r\n \"createdDateUTC\": \"2019-03-19T00:00:00Z\",\r\n \"status\": \"Available\",\r\n \"requiredDataConnectors\": [\r\n {\r\n \"connectorId\": \"AzureMonitor(IIS)\",\r\n \"dataTypes\": [\r\n \"W3CIISLog\"\r\n ]\r\n }\r\n ],\r\n \"alertRulesCreatedByTemplateCount\": 0\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/AlertRuleTemplates/8b8aec75-dc5e-4661-bc0c-9e4fff6aad02\",\r\n \"name\": \"8b8aec75-dc5e-4661-bc0c-9e4fff6aad02\",\r\n \"type\": \"Microsoft.SecurityInsights/AlertRuleTemplates\",\r\n \"kind\": \"Anomaly\",\r\n \"properties\": {\r\n \"severity\": \"High\",\r\n \"anomalyDefinitionVersion\": \"1.0.0\",\r\n \"techniques\": [\r\n \"T1027\"\r\n ],\r\n \"customizableObservations\": {\r\n \"multiSelectObservations\": [\r\n {\r\n \"supportedValues\": [\r\n \"Highly Confidential to Confidential\",\r\n \"Highly Confidential to General\",\r\n \"Highly Confidential to Public\",\r\n \"Highly Confidential to Archive\",\r\n \"Confidential to General\",\r\n \"Confidential to Public\",\r\n \"Confidential to Archive\",\r\n \"General to Public\",\r\n \"General to Archive\",\r\n \"Public to Archive\"\r\n ],\r\n \"values\": [\r\n \"Highly Confidential to General\",\r\n \"Highly Confidential to Public\",\r\n \"Highly Confidential to Archive\"\r\n ],\r\n \"supportedValuesKql\": null,\r\n \"valuesKql\": null,\r\n \"name\": \"Document sensitivity label change\",\r\n \"description\": \"Sensitivity labels are security settings that have been automatically or manually applied to your files.\\nSometimes it is normal to change the labels of files.\\nChoose which label changes are severe enough to generate anomalies.\\n\",\r\n \"sequenceNumber\": 0,\r\n \"rerun\": \"RerunAlways\"\r\n },\r\n {\r\n \"supportedValues\": [\r\n \".doc\",\r\n \".docm\",\r\n \".docx\",\r\n \".dot\",\r\n \".dotm\",\r\n \".dotx\"\r\n ],\r\n \"values\": [\r\n \".doc\",\r\n \".docx\"\r\n ],\r\n \"supportedValuesKql\": null,\r\n \"valuesKql\": null,\r\n \"name\": \"Document type\",\r\n \"description\": \"Choose which document types to include or exclude from this rule.\",\r\n \"sequenceNumber\": 0,\r\n \"rerun\": \"NotRequired\"\r\n },\r\n {\r\n \"supportedValues\": [\r\n \"Discover, open, remove protection\",\r\n \"Discover, open, remove label\",\r\n \"Discover, open, downgrade label\",\r\n \"Discover, remove protection\",\r\n \"Discover, remove label\",\r\n \"Discover, downgrade label\"\r\n ],\r\n \"values\": [\r\n \"Discover, open, remove protection\",\r\n \"Discover, open, downgrade label\"\r\n ],\r\n \"supportedValuesKql\": null,\r\n \"valuesKql\": null,\r\n \"name\": \"Document action sequence\",\r\n \"description\": \"Document action sequence is the order of events that occurred while changes were made to these files. Based on the way you normally interact with your files, you may choose which actions are flagged as anomalous.\\n\",\r\n \"sequenceNumber\": 0,\r\n \"rerun\": \"RerunAlways\"\r\n }\r\n ],\r\n \"singleSelectObservations\": [\r\n {\r\n \"supportedValues\": [\r\n \"Include\",\r\n \"Exclude\"\r\n ],\r\n \"supportedValuesKql\": null,\r\n \"value\": \"Include\",\r\n \"name\": \"Private IP\",\r\n \"description\": \"Private IP relates to the status of the IP address where the operation occurred. Choose to either include or exclude operations from Private IPs.\\n\",\r\n \"sequenceNumber\": 0,\r\n \"rerun\": \"RerunAlways\"\r\n }\r\n ],\r\n \"prioritizeExcludeObservations\": [\r\n {\r\n \"prioritize\": \"[60-100]\",\r\n \"exclude\": \"[200-]\",\r\n \"dataType\": \"number\",\r\n \"name\": \"Document count\",\r\n \"description\": \"Document count is the number of files that were involved in a particular downgrade operation. Choose a number that would indicate an unusual number of files to be edited in one batch.\\nYou may *prioritize* a certain range of numbers and you may *exclude* a certain range of numbers.\\n\",\r\n \"sequenceNumber\": 0,\r\n \"rerun\": \"RerunAlways\"\r\n },\r\n {\r\n \"prioritize\": null,\r\n \"exclude\": \"financial, $hr.+$\",\r\n \"dataType\": \"string\",\r\n \"name\": \"Document name\",\r\n \"description\": \"Choose to *prioritize* or *exclude* strings that appear in the names of documents. You may enter plain text and regular expressions separated by commas.\\n\",\r\n \"sequenceNumber\": 0,\r\n \"rerun\": \"NotRequired\"\r\n }\r\n ],\r\n \"thresholdObservations\": [\r\n {\r\n \"minimum\": \"0.3\",\r\n \"maximum\": \"1\",\r\n \"value\": \"0.3\",\r\n \"name\": \"Score\",\r\n \"description\": \"Generate an anomaly when score is greater than the chosen value\",\r\n \"sequenceNumber\": 0,\r\n \"rerun\": \"NotRequired\"\r\n }\r\n ]\r\n },\r\n \"frequency\": \"PT2H\",\r\n \"displayName\": \"(Preview) Anomalous Document Mass Downgrade\",\r\n \"description\": \"Description for Anomalous mass downgrade of sensitive documents template\",\r\n \"tactics\": [\r\n \"InitialAccess\"\r\n ],\r\n \"lastUpdatedDateUTC\": \"2020-09-12T00:00:00Z\",\r\n \"createdDateUTC\": \"2020-09-12T00:00:00Z\",\r\n \"status\": \"Available\",\r\n \"requiredDataConnectors\": [\r\n {\r\n \"connectorId\": \"AzureInformationProtection\",\r\n \"dataTypes\": [\r\n \"InformationProtectionLogs_CL\"\r\n ]\r\n }\r\n ],\r\n \"alertRulesCreatedByTemplateCount\": 0\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/AlertRuleTemplates/0558155e-4556-447e-9a22-828f2a7de06b\",\r\n \"name\": \"0558155e-4556-447e-9a22-828f2a7de06b\",\r\n \"type\": \"Microsoft.SecurityInsights/AlertRuleTemplates\",\r\n \"kind\": \"Scheduled\",\r\n \"properties\": {\r\n \"severity\": \"Medium\",\r\n \"query\": \"let timeframe = ago(1h);\\nProofPointTAPMessagesDelivered_CL\\n| where TimeGenerated >= timeframe\\n| mv-expand todynamic(threatsInfoMap_s)\\n| mv-expand todynamic(messageParts_s)\\n| extend threatType = tostring(threatsInfoMap_s.threatType), classification = tostring(threatsInfoMap_s.classification)\\n| extend filename = tostring(messageParts_s.filename)\\n| where threatType =~ \\\"attachment\\\" and classification =~ \\\"malware\\\"\\n| summarize filenames = make_set(filename), StartTime = min(TimeGenerated), EndTime = max(TimeGenerated), count() by TimeGenerated, Sender = sender_s, SenderIPAddress = senderIP_s, Recipient = recipient_s, threatType, classification, Subject = subject_s\\n| extend timestamp = StartTime, AccountCustomEntity = Recipient, IPCustomEntity = SenderIPAddress\",\r\n \"queryFrequency\": \"PT1H\",\r\n \"queryPeriod\": \"PT1H\",\r\n \"triggerOperator\": \"GreaterThan\",\r\n \"triggerThreshold\": 0,\r\n \"entityMappings\": [\r\n {\r\n \"entityType\": \"Account\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"FullName\",\r\n \"columnName\": \"AccountCustomEntity\"\r\n }\r\n ]\r\n },\r\n {\r\n \"entityType\": \"IP\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"Address\",\r\n \"columnName\": \"IPCustomEntity\"\r\n }\r\n ]\r\n }\r\n ],\r\n \"displayName\": \"Malware attachment delivered\",\r\n \"description\": \"This query identifies a message containing a malware attachment that was delivered.\",\r\n \"tactics\": [\r\n \"InitialAccess\"\r\n ],\r\n \"lastUpdatedDateUTC\": \"2020-11-17T00:00:00Z\",\r\n \"createdDateUTC\": \"2020-06-20T00:00:00Z\",\r\n \"status\": \"Available\",\r\n \"requiredDataConnectors\": [\r\n {\r\n \"connectorId\": \"ProofpointTAP\",\r\n \"dataTypes\": [\r\n \"ProofPointTAPMessagesDelivered_CL\"\r\n ]\r\n }\r\n ],\r\n \"alertRulesCreatedByTemplateCount\": 0\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/AlertRuleTemplates/32555639-b639-4c2b-afda-c0ae0abefa55\",\r\n \"name\": \"32555639-b639-4c2b-afda-c0ae0abefa55\",\r\n \"type\": \"Microsoft.SecurityInsights/AlertRuleTemplates\",\r\n \"kind\": \"Scheduled\",\r\n \"properties\": {\r\n \"severity\": \"Low\",\r\n \"query\": \"let timeframe = 1d;\\nAWSCloudTrail\\n| where TimeGenerated > ago(timeframe)\\n| where EventName =~ \\\"GetCallerIdentity\\\" and UserIdentityType =~ \\\"AssumedRole\\\" \\n| summarize StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated) by SourceIpAddress, EventName, EventTypeName, UserIdentityType, UserIdentityAccountId, UserIdentityPrincipalid, \\nUserAgent, UserIdentityUserName, SessionMfaAuthenticated,AWSRegion, EventSource, AdditionalEventData, ResponseElements\\n| extend timestamp = StartTimeUtc, AccountCustomEntity = UserIdentityUserName, IPCustomEntity = SourceIpAddress\\n| sort by EndTimeUtc desc nulls last\",\r\n \"queryFrequency\": \"P1D\",\r\n \"queryPeriod\": \"P1D\",\r\n \"triggerOperator\": \"GreaterThan\",\r\n \"triggerThreshold\": 0,\r\n \"entityMappings\": [\r\n {\r\n \"entityType\": \"Account\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"FullName\",\r\n \"columnName\": \"AccountCustomEntity\"\r\n }\r\n ]\r\n },\r\n {\r\n \"entityType\": \"IP\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"Address\",\r\n \"columnName\": \"IPCustomEntity\"\r\n }\r\n ]\r\n }\r\n ],\r\n \"displayName\": \"Monitor AWS Credential abuse or hijacking\",\r\n \"description\": \"Looking for GetCallerIdentity Events where the UserID Type is AssumedRole \\nAn attacker who has assumed the role of a legitimate account can call the GetCallerIdentity function to determine what account they are using.\\nA legitimate user using legitimate credentials would not need to call GetCallerIdentity since they should already know what account they are using.\\nMore Information: https://duo.com/decipher/trailblazer-hunts-compromised-credentials-in-aws\\nAWS STS GetCallerIdentity API: https://docs.aws.amazon.com/STS/latest/APIReference/API_GetCallerIdentity.html \",\r\n \"tactics\": [\r\n \"Discovery\"\r\n ],\r\n \"lastUpdatedDateUTC\": \"2020-11-17T00:00:00Z\",\r\n \"createdDateUTC\": \"2019-02-27T00:00:00Z\",\r\n \"status\": \"Available\",\r\n \"requiredDataConnectors\": [\r\n {\r\n \"connectorId\": \"AWS\",\r\n \"dataTypes\": [\r\n \"AWSCloudTrail\"\r\n ]\r\n }\r\n ],\r\n \"alertRulesCreatedByTemplateCount\": 0\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/AlertRuleTemplates/57e56fc9-417a-4f41-a579-5475aea7b8ce\",\r\n \"name\": \"57e56fc9-417a-4f41-a579-5475aea7b8ce\",\r\n \"type\": \"Microsoft.SecurityInsights/AlertRuleTemplates\",\r\n \"kind\": \"Scheduled\",\r\n \"properties\": {\r\n \"severity\": \"Medium\",\r\n \"query\": \"let timeframe = 1h;\\nlet threshold = 1000;\\nInfobloxNIOS\\n| where TimeGenerated >= ago(timeframe)\\n| where ProcessName =~ \\\"dhcpd\\\" and Log_Type =~ \\\"DHCPREQUEST\\\"\\n| summarize count() by ServerIP, bin(TimeGenerated,5m)\\n| where count_ > threshold\\n| join kind=inner (InfobloxNIOS\\n | where ProcessName =~ \\\"dhcpd\\\" and Log_Type =~ \\\"DHCPREQUEST\\\"\\n | where TimeGenerated >= ago(timeframe)\\n ) on ServerIP\\n| extend timestamp = TimeGenerated, IPCustomEntity = ServerIP\",\r\n \"queryFrequency\": \"PT1H\",\r\n \"queryPeriod\": \"PT1H\",\r\n \"triggerOperator\": \"GreaterThan\",\r\n \"triggerThreshold\": 0,\r\n \"entityMappings\": [\r\n {\r\n \"entityType\": \"IP\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"Address\",\r\n \"columnName\": \"IPCustomEntity\"\r\n }\r\n ]\r\n }\r\n ],\r\n \"displayName\": \"Potential DHCP Starvation Attack\",\r\n \"description\": \"This creates an incident in the event that an excessive amount of DHCPREQUEST have been recieved by a DHCP Server and could potentially be an indication of a DHCP Starvation Attack.\",\r\n \"tactics\": [\r\n \"InitialAccess\"\r\n ],\r\n \"lastUpdatedDateUTC\": \"2020-11-17T00:00:00Z\",\r\n \"createdDateUTC\": \"2020-06-06T00:00:00Z\",\r\n \"status\": \"Available\",\r\n \"requiredDataConnectors\": [\r\n {\r\n \"connectorId\": \"InfobloxNIOS\",\r\n \"dataTypes\": [\r\n \"Syslog\"\r\n ]\r\n }\r\n ],\r\n \"alertRulesCreatedByTemplateCount\": 0\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/AlertRuleTemplates/0d76e9cf-788d-4a69-ac7d-f234826b5bed\",\r\n \"name\": \"0d76e9cf-788d-4a69-ac7d-f234826b5bed\",\r\n \"type\": \"Microsoft.SecurityInsights/AlertRuleTemplates\",\r\n \"kind\": \"Scheduled\",\r\n \"properties\": {\r\n \"severity\": \"Low\",\r\n \"query\": \"let timeframe = 1d;\\nDnsEvents\\n| where TimeGenerated > ago(timeframe)\\n| where Name contains \\\".\\\"\\n| where Name has_any (\\\"monerohash.com\\\", \\\"do-dear.com\\\", \\\"xmrminerpro.com\\\", \\\"secumine.net\\\", \\\"xmrpool.com\\\", \\\"minexmr.org\\\", \\\"hashanywhere.com\\\", \\n\\\"xmrget.com\\\", \\\"mininglottery.eu\\\", \\\"minergate.com\\\", \\\"moriaxmr.com\\\", \\\"multipooler.com\\\", \\\"moneropools.com\\\", \\\"xmrpool.eu\\\", \\\"coolmining.club\\\", \\n\\\"supportxmr.com\\\", \\\"minexmr.com\\\", \\\"hashvault.pro\\\", \\\"xmrpool.net\\\", \\\"crypto-pool.fr\\\", \\\"xmr.pt\\\", \\\"miner.rocks\\\", \\\"walpool.com\\\", \\\"herominers.com\\\", \\n\\\"gntl.co.uk\\\", \\\"semipool.com\\\", \\\"coinfoundry.org\\\", \\\"cryptoknight.cc\\\", \\\"fairhash.org\\\", \\\"baikalmine.com\\\", \\\"tubepool.xyz\\\", \\\"fairpool.xyz\\\", \\\"asiapool.io\\\", \\n\\\"coinpoolit.webhop.me\\\", \\\"nanopool.org\\\", \\\"moneropool.com\\\", \\\"miner.center\\\", \\\"prohash.net\\\", \\\"poolto.be\\\", \\\"cryptoescrow.eu\\\", \\\"monerominers.net\\\", \\\"cryptonotepool.org\\\", \\n\\\"extrmepool.org\\\", \\\"webcoin.me\\\", \\\"kippo.eu\\\", \\\"hashinvest.ws\\\", \\\"monero.farm\\\", \\\"supportxmr.com\\\", \\\"xmrpool.eu\\\", \\\"linux-repository-updates.com\\\", \\\"1gh.com\\\", \\n\\\"dwarfpool.com\\\", \\\"hash-to-coins.com\\\", \\\"hashvault.pro\\\", \\\"pool-proxy.com\\\", \\\"hashfor.cash\\\", \\\"fairpool.cloud\\\", \\\"litecoinpool.org\\\", \\\"mineshaft.ml\\\", \\\"abcxyz.stream\\\", \\n\\\"moneropool.ru\\\", \\\"cryptonotepool.org.uk\\\", \\\"extremepool.org\\\", \\\"extremehash.com\\\", \\\"hashinvest.net\\\", \\\"unipool.pro\\\", \\\"crypto-pools.org\\\", \\\"monero.net\\\", \\n\\\"backup-pool.com\\\", \\\"mooo.com\\\", \\\"freeyy.me\\\", \\\"cryptonight.net\\\", \\\"shscrypto.net\\\")\\n| extend timestamp = TimeGenerated, IPCustomEntity = ClientIP, HostCustomEntity = Computer\",\r\n \"queryFrequency\": \"P1D\",\r\n \"queryPeriod\": \"P1D\",\r\n \"triggerOperator\": \"GreaterThan\",\r\n \"triggerThreshold\": 0,\r\n \"entityMappings\": [\r\n {\r\n \"entityType\": \"Host\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"FullName\",\r\n \"columnName\": \"HostCustomEntity\"\r\n }\r\n ]\r\n },\r\n {\r\n \"entityType\": \"IP\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"Address\",\r\n \"columnName\": \"IPCustomEntity\"\r\n }\r\n ]\r\n }\r\n ],\r\n \"displayName\": \"DNS events related to mining pools\",\r\n \"description\": \"Identifies IP addresses that may be performing DNS lookups associated with common currency mining pools.\",\r\n \"tactics\": [\r\n \"Execution\",\r\n \"Impact\"\r\n ],\r\n \"lastUpdatedDateUTC\": \"2020-11-17T00:00:00Z\",\r\n \"createdDateUTC\": \"2019-02-07T00:00:00Z\",\r\n \"status\": \"Available\",\r\n \"requiredDataConnectors\": [\r\n {\r\n \"connectorId\": \"DNS\",\r\n \"dataTypes\": [\r\n \"DnsEvents\"\r\n ]\r\n }\r\n ],\r\n \"alertRulesCreatedByTemplateCount\": 0\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/AlertRuleTemplates/30fa312c-31eb-43d8-b0cc-bcbdfb360822\",\r\n \"name\": \"30fa312c-31eb-43d8-b0cc-bcbdfb360822\",\r\n \"type\": \"Microsoft.SecurityInsights/AlertRuleTemplates\",\r\n \"kind\": \"Scheduled\",\r\n \"properties\": {\r\n \"severity\": \"Medium\",\r\n \"query\": \"let dt_lookBack = 1h;\\nlet ioc_lookBack = 14d;\\nlet emailregex = @'^[a-zA-Z0-9_.+-]+@[a-zA-Z0-9-]+\\\\.[a-zA-Z0-9-.]+$';\\nThreatIntelligenceIndicator\\n| where TimeGenerated >= ago(ioc_lookBack) and ExpirationDateTime > now()\\n| where Active == true\\n//Filtering the table for Email related IOCs\\n| where isnotempty(EmailRecipient)\\n| join (\\n SigninLogs | where TimeGenerated >= ago(dt_lookBack) and isnotempty(UserPrincipalName)\\n //Normalizing the column to lower case for exact match with EmailRecipient column\\n | extend UserPrincipalName = tolower(UserPrincipalName)\\n | where UserPrincipalName matches regex emailregex\\n | extend StatusCode = tostring(Status.errorCode), StatusDetails = tostring(Status.additionalDetails)\\n | extend Region = tostring(LocationDetails[\\\"countryOrRegion\\\"]), State = tostring(LocationDetails[\\\"state\\\"]), City = tostring(LocationDetails[\\\"city\\\"])\\n // renaming timestamp column so it is clear the log this came from SigninLogs table\\n | extend SigninLogs_TimeGenerated = TimeGenerated\\n)\\non $left.EmailRecipient == $right.UserPrincipalName\\n| summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId\\n| project LatestIndicatorTime, Description, ActivityGroupNames, IndicatorId, ThreatType, Url, ExpirationDateTime, ConfidenceScore, SigninLogs_TimeGenerated,\\nEmailSenderName, EmailSourceDomain, EmailSourceIpAddress, EmailSubject, FileHashValue, FileHashType, IPAddress, UserPrincipalName, AppDisplayName,\\nStatusCode, StatusDetails, NetworkIP, NetworkDestinationIP, NetworkSourceIP\\n| extend timestamp = SigninLogs_TimeGenerated, AccountCustomEntity = UserPrincipalName, IPCustomEntity = IPAddress, URLCustomEntity = Url\",\r\n \"queryFrequency\": \"PT1H\",\r\n \"queryPeriod\": \"P14D\",\r\n \"triggerOperator\": \"GreaterThan\",\r\n \"triggerThreshold\": 0,\r\n \"entityMappings\": [\r\n {\r\n \"entityType\": \"Account\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"FullName\",\r\n \"columnName\": \"AccountCustomEntity\"\r\n }\r\n ]\r\n },\r\n {\r\n \"entityType\": \"IP\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"Address\",\r\n \"columnName\": \"IPCustomEntity\"\r\n }\r\n ]\r\n },\r\n {\r\n \"entityType\": \"URL\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"Url\",\r\n \"columnName\": \"URLCustomEntity\"\r\n }\r\n ]\r\n }\r\n ],\r\n \"displayName\": \"(Preview) TI map Email entity to SigninLogs\",\r\n \"description\": \"Identifies a match in SigninLogs table from any Email IOC from TI\",\r\n \"tactics\": [\r\n \"Impact\"\r\n ],\r\n \"lastUpdatedDateUTC\": \"2020-11-17T00:00:00Z\",\r\n \"createdDateUTC\": \"2019-08-28T00:00:00Z\",\r\n \"status\": \"Available\",\r\n \"requiredDataConnectors\": [\r\n {\r\n \"connectorId\": \"ThreatIntelligence\",\r\n \"dataTypes\": [\r\n \"ThreatIntelligenceIndicator\"\r\n ]\r\n },\r\n {\r\n \"connectorId\": \"ThreatIntelligenceTaxii\",\r\n \"dataTypes\": [\r\n \"ThreatIntelligenceIndicator\"\r\n ]\r\n },\r\n {\r\n \"connectorId\": \"AzureActiveDirectory\",\r\n \"dataTypes\": [\r\n \"SigninLogs\"\r\n ]\r\n }\r\n ],\r\n \"alertRulesCreatedByTemplateCount\": 0\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/AlertRuleTemplates/f30a47c1-65fb-42b1-a7f4-00941c12550b\",\r\n \"name\": \"f30a47c1-65fb-42b1-a7f4-00941c12550b\",\r\n \"type\": \"Microsoft.SecurityInsights/AlertRuleTemplates\",\r\n \"kind\": \"Scheduled\",\r\n \"properties\": {\r\n \"severity\": \"Medium\",\r\n \"query\": \"let dt_lookBack = 1h;\\nlet ioc_lookBack = 14d;\\nThreatIntelligenceIndicator\\n| where TimeGenerated >= ago(ioc_lookBack) and ExpirationDateTime > now()\\n| where Active == true\\n// Picking up only IOC's that contain the entities we want\\n| where isnotempty(Url)\\n| join (\\n SecurityAlert\\n | where TimeGenerated >= ago(dt_lookBack)\\n // Extract URL from JSON data\\n | extend Url = extract(\\\"(http[s]?://(?:[a-zA-Z]|[0-9]|[$-_@.&+]|[!*\\\\\\\\(\\\\\\\\),]|(?:%[0-9a-fA-F][0-9a-fA-F]))+)\\\", 1,Entities)\\n // We only want alerts that actually contain URL data\\n | where isnotempty(Url)\\n // Extract hostname from JSON data for entity mapping\\n | extend Compromised_Host = tostring(parse_json(ExtendedProperties).[\\\"Compromised Host\\\"])\\n | extend Alert_TimeGenerated = TimeGenerated\\n) on Url\\n| summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId\\n| project LatestIndicatorTime, ActivityGroupNames, IndicatorId, ThreatType, ExpirationDateTime, ConfidenceScore, Alert_TimeGenerated,\\nAlertName, AlertSeverity, Description, Url, Compromised_Host\\n| extend timestamp = Alert_TimeGenerated, HostCustomEntity = Compromised_Host, URLCustomEntity = Url\",\r\n \"queryFrequency\": \"PT1H\",\r\n \"queryPeriod\": \"P14D\",\r\n \"triggerOperator\": \"GreaterThan\",\r\n \"triggerThreshold\": 0,\r\n \"entityMappings\": [\r\n {\r\n \"entityType\": \"Host\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"FullName\",\r\n \"columnName\": \"HostCustomEntity\"\r\n }\r\n ]\r\n },\r\n {\r\n \"entityType\": \"URL\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"Url\",\r\n \"columnName\": \"URLCustomEntity\"\r\n }\r\n ]\r\n }\r\n ],\r\n \"displayName\": \"(Preview) TI map URL entity to SecurityAlert data\",\r\n \"description\": \"Identifies a match in SecurityAlert data from any URL IOC from TI\",\r\n \"tactics\": [\r\n \"Impact\"\r\n ],\r\n \"lastUpdatedDateUTC\": \"2020-11-17T00:00:00Z\",\r\n \"createdDateUTC\": \"2019-08-27T00:00:00Z\",\r\n \"status\": \"Available\",\r\n \"requiredDataConnectors\": [\r\n {\r\n \"connectorId\": \"MicrosoftCloudAppSecurity\",\r\n \"dataTypes\": [\r\n \"SecurityAlert\"\r\n ]\r\n },\r\n {\r\n \"connectorId\": \"AzureSecurityCenter\",\r\n \"dataTypes\": [\r\n \"SecurityAlert\"\r\n ]\r\n },\r\n {\r\n \"connectorId\": \"ThreatIntelligence\",\r\n \"dataTypes\": [\r\n \"ThreatIntelligenceIndicator\"\r\n ]\r\n },\r\n {\r\n \"connectorId\": \"ThreatIntelligenceTaxii\",\r\n \"dataTypes\": [\r\n \"ThreatIntelligenceIndicator\"\r\n ]\r\n }\r\n ],\r\n \"alertRulesCreatedByTemplateCount\": 0\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/AlertRuleTemplates/e1ce0eab-10d1-4aae-863f-9a383345ba88\",\r\n \"name\": \"e1ce0eab-10d1-4aae-863f-9a383345ba88\",\r\n \"type\": \"Microsoft.SecurityInsights/AlertRuleTemplates\",\r\n \"kind\": \"Scheduled\",\r\n \"properties\": {\r\n \"severity\": \"Low\",\r\n \"query\": \"let timeframe = 1d;\\nlet threshold = 15;\\nSyslog\\n| where TimeGenerated >= ago(timeframe)\\n| where SyslogMessage contains \\\"Failed password for invalid user\\\"\\n| where ProcessName =~ \\\"sshd\\\" \\n| parse kind=relaxed SyslogMessage with * \\\"invalid user\\\" user \\\" from \\\" ip \\\" port\\\" port \\\" ssh2\\\"\\n| project user, ip, port, SyslogMessage, EventTime\\n| summarize EventTimes = make_list(EventTime), PerHourCount = count() by ip, bin(EventTime, 4h), user\\n| where PerHourCount > threshold\\n| mvexpand EventTimes\\n| extend EventTimes = tostring(EventTimes) \\n| summarize StartTimeUtc = min(EventTimes), EndTimeUtc = max(EventTimes), UserList = makeset(user), sum(PerHourCount) by IPAddress = ip\\n| extend UserList = tostring(UserList) \\n| extend timestamp = StartTimeUtc, IPCustomEntity = IPAddress, AccountCustomEntity = UserList\",\r\n \"queryFrequency\": \"P1D\",\r\n \"queryPeriod\": \"P1D\",\r\n \"triggerOperator\": \"GreaterThan\",\r\n \"triggerThreshold\": 0,\r\n \"entityMappings\": [\r\n {\r\n \"entityType\": \"Account\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"FullName\",\r\n \"columnName\": \"AccountCustomEntity\"\r\n }\r\n ]\r\n },\r\n {\r\n \"entityType\": \"IP\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"Address\",\r\n \"columnName\": \"IPCustomEntity\"\r\n }\r\n ]\r\n }\r\n ],\r\n \"displayName\": \"SSH - Potential Brute Force\",\r\n \"description\": \"Identifies an IP address that had 15 failed attempts to sign in via SSH in a 4 hour block during a 24 hour time period.\",\r\n \"tactics\": [\r\n \"CredentialAccess\"\r\n ],\r\n \"lastUpdatedDateUTC\": \"2020-11-17T00:00:00Z\",\r\n \"createdDateUTC\": \"2019-02-20T00:00:00Z\",\r\n \"status\": \"Available\",\r\n \"requiredDataConnectors\": [\r\n {\r\n \"connectorId\": \"Syslog\",\r\n \"dataTypes\": [\r\n \"Syslog\"\r\n ]\r\n }\r\n ],\r\n \"alertRulesCreatedByTemplateCount\": 0\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/AlertRuleTemplates/ca67c83e-7fff-4127-a3e3-1af66d6d4cad\",\r\n \"name\": \"ca67c83e-7fff-4127-a3e3-1af66d6d4cad\",\r\n \"type\": \"Microsoft.SecurityInsights/AlertRuleTemplates\",\r\n \"kind\": \"Scheduled\",\r\n \"properties\": {\r\n \"severity\": \"Medium\",\r\n \"query\": \"let timeframe = 1d;\\nlet ProcessCreationEvents=() {\\nlet processEvents=SecurityEvent\\n| where EventID==4688\\n| where isnotempty(CommandLine)\\n| summarize StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated), count() by Computer, Account = SubjectUserName, AccountDomain = SubjectDomainName,\\nFileName = Process, CommandLine, ParentProcessName;\\nprocessEvents};\\nProcessCreationEvents\\n| where CommandLine contains \\\"TVqQAAMAAAAEAAA\\\"\\n| where StartTimeUtc >= ago(timeframe)\\n| extend timestamp = StartTimeUtc, AccountCustomEntity = Account, HostCustomEntity = Computer\",\r\n \"queryFrequency\": \"P1D\",\r\n \"queryPeriod\": \"P1D\",\r\n \"triggerOperator\": \"GreaterThan\",\r\n \"triggerThreshold\": 0,\r\n \"entityMappings\": [\r\n {\r\n \"entityType\": \"Account\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"FullName\",\r\n \"columnName\": \"AccountCustomEntity\"\r\n }\r\n ]\r\n },\r\n {\r\n \"entityType\": \"Host\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"FullName\",\r\n \"columnName\": \"HostCustomEntity\"\r\n }\r\n ]\r\n }\r\n ],\r\n \"displayName\": \"Base64 encoded Windows process command-lines\",\r\n \"description\": \"Identifies instances of a base64 encoded PE file header seen in the process command line parameter.\",\r\n \"tactics\": [\r\n \"Execution\",\r\n \"DefenseEvasion\"\r\n ],\r\n \"lastUpdatedDateUTC\": \"2020-11-17T00:00:00Z\",\r\n \"createdDateUTC\": \"2018-09-14T00:00:00Z\",\r\n \"status\": \"Available\",\r\n \"requiredDataConnectors\": [\r\n {\r\n \"connectorId\": \"SecurityEvents\",\r\n \"dataTypes\": [\r\n \"SecurityEvent\"\r\n ]\r\n }\r\n ],\r\n \"alertRulesCreatedByTemplateCount\": 0\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/AlertRuleTemplates/5d33fc63-b83b-4913-b95e-94d13f0d379f\",\r\n \"name\": \"5d33fc63-b83b-4913-b95e-94d13f0d379f\",\r\n \"type\": \"Microsoft.SecurityInsights/AlertRuleTemplates\",\r\n \"kind\": \"Scheduled\",\r\n \"properties\": {\r\n \"severity\": \"Medium\",\r\n \"query\": \"let dt_lookBack = 1h;\\nlet ioc_lookBack = 14d;\\nlet fileHashIndicators = ThreatIntelligenceIndicator\\n| where TimeGenerated >= ago(ioc_lookBack) and ExpirationDateTime > now()\\n| where Active == true\\n| where isnotempty(FileHashValue);\\n// Handle matches against both lower case and uppercase versions of the hash:\\n( fileHashIndicators | extend FileHashValue = tolower(FileHashValue)\\n |union (fileHashIndicators | extend FileHashValue = toupper(FileHashValue)))\\n| join (\\n CommonSecurityLog | where TimeGenerated >= ago(dt_lookBack)\\n | where isnotempty(FileHash)\\n | extend CommonSecurityLog_TimeGenerated = TimeGenerated\\n)\\non $left.FileHashValue == $right.FileHash\\n| summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId\\n| project LatestIndicatorTime, Description, ActivityGroupNames, IndicatorId, ThreatType, Url, ExpirationDateTime, ConfidenceScore,\\nCommonSecurityLog_TimeGenerated, SourceIP, SourcePort, DestinationIP, DestinationPort, SourceUserID, SourceUserName, DeviceName, DeviceAction,\\nRequestURL, DestinationUserName, DestinationUserID, ApplicationProtocol, Activity\\n| extend timestamp = CommonSecurityLog_TimeGenerated, IPCustomEntity = SourceIP, HostCustomEntity = DeviceName, AccountCustomEntity = SourceUserName, URLCustomEntity = Url\",\r\n \"queryFrequency\": \"PT1H\",\r\n \"queryPeriod\": \"P14D\",\r\n \"triggerOperator\": \"GreaterThan\",\r\n \"triggerThreshold\": 0,\r\n \"entityMappings\": [\r\n {\r\n \"entityType\": \"Account\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"FullName\",\r\n \"columnName\": \"AccountCustomEntity\"\r\n }\r\n ]\r\n },\r\n {\r\n \"entityType\": \"Host\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"FullName\",\r\n \"columnName\": \"HostCustomEntity\"\r\n }\r\n ]\r\n },\r\n {\r\n \"entityType\": \"IP\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"Address\",\r\n \"columnName\": \"IPCustomEntity\"\r\n }\r\n ]\r\n },\r\n {\r\n \"entityType\": \"URL\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"Url\",\r\n \"columnName\": \"URLCustomEntity\"\r\n }\r\n ]\r\n }\r\n ],\r\n \"displayName\": \"(Preview) TI map File Hash to CommonSecurityLog Event\",\r\n \"description\": \"Identifies a match in CommonSecurityLog Event data from any FileHash IOC from TI\",\r\n \"tactics\": [\r\n \"Impact\"\r\n ],\r\n \"lastUpdatedDateUTC\": \"2020-11-17T00:00:00Z\",\r\n \"createdDateUTC\": \"2019-08-30T00:00:00Z\",\r\n \"status\": \"Available\",\r\n \"requiredDataConnectors\": [\r\n {\r\n \"connectorId\": \"PaloAltoNetworks\",\r\n \"dataTypes\": [\r\n \"CommonSecurityLog\"\r\n ]\r\n },\r\n {\r\n \"connectorId\": \"ThreatIntelligence\",\r\n \"dataTypes\": [\r\n \"ThreatIntelligenceIndicator\"\r\n ]\r\n },\r\n {\r\n \"connectorId\": \"ThreatIntelligenceTaxii\",\r\n \"dataTypes\": [\r\n \"ThreatIntelligenceIndicator\"\r\n ]\r\n }\r\n ],\r\n \"alertRulesCreatedByTemplateCount\": 0\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/AlertRuleTemplates/f948a32f-226c-4116-bddd-d95e91d97eb9\",\r\n \"name\": \"f948a32f-226c-4116-bddd-d95e91d97eb9\",\r\n \"type\": \"Microsoft.SecurityInsights/AlertRuleTemplates\",\r\n \"kind\": \"Scheduled\",\r\n \"properties\": {\r\n \"severity\": \"High\",\r\n \"query\": \"let detectionTime = 1d;\\nlet joinLookback = 14d;\\nAuditLogs\\n| where TimeGenerated > ago(detectionTime)\\n| where LoggedByService =~ \\\"Core Directory\\\"\\n| where Category =~ \\\"ApplicationManagement\\\"\\n| where OperationName =~ \\\"Consent to application\\\"\\n| where TargetResources has \\\"mailboxsettings\\\"\\n| extend AppDisplayName = TargetResources.[0].displayName\\n| extend AppClientId = tolower(TargetResources.[0].id)\\n| where AppClientId !in ((externaldata(knownAppClientId:string, knownAppDisplayName:string)[@\\\"https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Sample%20Data/Feeds/Microsoft.OAuth.KnownApplications.csv\\\"] with (format=\\\"csv\\\")))\\n| extend ConsentFull = TargetResources[0].modifiedProperties[4].newValue\\n| parse ConsentFull with * \\\"ConsentType: \\\" GrantConsentType \\\", Scope: \\\" GrantScope1 \\\"]\\\" *\\n| where ConsentFull contains \\\"contacts.read\\\" and ConsentFull contains \\\"user.read\\\" and ConsentFull contains \\\"mail.read\\\" and ConsentFull contains \\\"notes.read.all\\\" and ConsentFull contains \\\"mailboxsettings.readwrite\\\" and ConsentFull contains \\\"Files.ReadWrite.All\\\"\\n| where GrantConsentType != \\\"AllPrincipals\\\" // NOTE: we are ignoring if OAuth application was granted to all users via an admin - but admin due diligence should be audited occasionally\\n| extend GrantIpAddress = iff(isnotempty(InitiatedBy.user.ipAddress), InitiatedBy.user.ipAddress, InitiatedBy.app.ipAddress)\\n| extend GrantInitiatedBy = iff(isnotempty(InitiatedBy.user.userPrincipalName),InitiatedBy.user.userPrincipalName, InitiatedBy.app.displayName)\\n| extend GrantUserAgent = iff(AdditionalDetails[0].key =~ \\\"User-Agent\\\", AdditionalDetails[0].value, \\\"\\\")\\n| project TimeGenerated, GrantConsentType, GrantScope1, GrantInitiatedBy, AppDisplayName, GrantIpAddress, GrantUserAgent, AppClientId, OperationName, ConsentFull, CorrelationId\\n| join kind = leftouter (AuditLogs\\n| where TimeGenerated > ago(joinLookback)\\n| where LoggedByService =~ \\\"Core Directory\\\"\\n| where Category =~ \\\"ApplicationManagement\\\"\\n| where OperationName =~ \\\"Add service principal\\\"\\n| extend AppClientId = tolower(TargetResources[0].id)\\n| extend AppReplyURLs = iff(TargetResources[0].modifiedProperties[1].newValue has \\\"AddressType\\\", TargetResources[0].modifiedProperties[1].newValue, \\\"\\\")\\n| distinct AppClientId, tostring(AppReplyURLs)\\n)\\non AppClientId\\n| join kind = innerunique (AuditLogs\\n| where TimeGenerated > ago(joinLookback)\\n| where LoggedByService =~ \\\"Core Directory\\\"\\n| where Category =~ \\\"ApplicationManagement\\\"\\n| where OperationName =~ \\\"Add OAuth2PermissionGrant\\\" or OperationName =~ \\\"Add delegated permission grant\\\"\\n| extend GrantAuthentication = tostring(TargetResources[0].displayName)\\n| extend GrantOperation = OperationName\\n| project GrantAuthentication, GrantOperation, CorrelationId\\n) on CorrelationId\\n| project TimeGenerated, GrantConsentType, GrantScope1, GrantInitiatedBy, AppDisplayName, AppReplyURLs, GrantIpAddress, GrantUserAgent, AppClientId, GrantAuthentication, OperationName, GrantOperation, CorrelationId, ConsentFull\",\r\n \"queryFrequency\": \"P1D\",\r\n \"queryPeriod\": \"P14D\",\r\n \"triggerOperator\": \"GreaterThan\",\r\n \"triggerThreshold\": 0,\r\n \"displayName\": \"Suspicious application consent similar to O365 Attack Toolkit\",\r\n \"description\": \"This will alert when a user consents to provide a previously-unknown Azure application with the same OAuth permissions used by the MDSec O365 Attack Toolkit (https://github.com/mdsecactivebreach/o365-attack-toolkit).\\nThe default permissions/scope for the MDSec O365 Attack toolkit are contacts.read, user.read, mail.read, notes.read.all, mailboxsettings.readwrite, and files.readwrite.all.\\nConsent to applications with these permissions should be rare, especially as the knownApplications list is expanded, especially as the knownApplications list is expanded. Public contributions to expand this filter are welcome!\\nFor further information on AuditLogs please see https://docs.microsoft.com/azure/active-directory/reports-monitoring/reference-audit-activities.\",\r\n \"tactics\": [\r\n \"CredentialAccess\",\r\n \"DefenseEvasion\"\r\n ],\r\n \"lastUpdatedDateUTC\": \"2020-06-29T00:00:00Z\",\r\n \"createdDateUTC\": \"2020-06-26T00:00:00Z\",\r\n \"status\": \"Available\",\r\n \"requiredDataConnectors\": [\r\n {\r\n \"connectorId\": \"AzureActiveDirectory\",\r\n \"dataTypes\": [\r\n \"AuditLogs\"\r\n ]\r\n }\r\n ],\r\n \"alertRulesCreatedByTemplateCount\": 0\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/AlertRuleTemplates/9f86885f-f31f-4e66-a39d-352771ee789e\",\r\n \"name\": \"9f86885f-f31f-4e66-a39d-352771ee789e\",\r\n \"type\": \"Microsoft.SecurityInsights/AlertRuleTemplates\",\r\n \"kind\": \"Scheduled\",\r\n \"properties\": {\r\n \"severity\": \"Medium\",\r\n \"query\": \"let timeframe = ago(1h);\\nCarbonBlackEvents_CL\\n| where TimeGenerated > timeframe\\n| extend eventTime = datetime(1970-01-01) + tolong(eventTime_d/1000) * 1sec\\n| where targetApp_effectiveReputation_s =~ \\\"KNOWN_MALWARE\\\"\\n| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated), count() by eventTime, deviceDetails_deviceName_s, deviceDetails_deviceIpAddress_s, processDetails_fullUserName_s, processDetails_targetName_s\\n| extend timestamp = StartTime, AccountCustomEntity = processDetails_fullUserName_s, HostCustomEntity = deviceDetails_deviceName_s, IPCustomEntity = deviceDetails_deviceIpAddress_s\",\r\n \"queryFrequency\": \"PT1H\",\r\n \"queryPeriod\": \"PT1H\",\r\n \"triggerOperator\": \"GreaterThan\",\r\n \"triggerThreshold\": 0,\r\n \"entityMappings\": [\r\n {\r\n \"entityType\": \"Account\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"FullName\",\r\n \"columnName\": \"AccountCustomEntity\"\r\n }\r\n ]\r\n },\r\n {\r\n \"entityType\": \"Host\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"FullName\",\r\n \"columnName\": \"HostCustomEntity\"\r\n }\r\n ]\r\n },\r\n {\r\n \"entityType\": \"IP\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"Address\",\r\n \"columnName\": \"IPCustomEntity\"\r\n }\r\n ]\r\n }\r\n ],\r\n \"displayName\": \"Known Malware Detected\",\r\n \"description\": \"This creates an incident when a known Malware is detected on a endpoint managed by a Carbon Black.\",\r\n \"tactics\": [\r\n \"Execution\"\r\n ],\r\n \"lastUpdatedDateUTC\": \"2020-11-17T00:00:00Z\",\r\n \"createdDateUTC\": \"2020-06-20T00:00:00Z\",\r\n \"status\": \"Available\",\r\n \"requiredDataConnectors\": [\r\n {\r\n \"connectorId\": \"VMwareCarbonBlack\",\r\n \"dataTypes\": [\r\n \"CarbonBlackEvents_CL\"\r\n ]\r\n }\r\n ],\r\n \"alertRulesCreatedByTemplateCount\": 0\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/AlertRuleTemplates/a357535e-f722-4afe-b375-cff362b2b376\",\r\n \"name\": \"a357535e-f722-4afe-b375-cff362b2b376\",\r\n \"type\": \"Microsoft.SecurityInsights/AlertRuleTemplates\",\r\n \"kind\": \"Scheduled\",\r\n \"properties\": {\r\n \"severity\": \"Medium\",\r\n \"query\": \"let endtime = 1d;\\n(union isfuzzy=true\\n(OfficeActivity | where TimeGenerated >= ago(endtime) | where UserAgent != \\\"\\\"),\\n(OfficeActivity\\n| where TimeGenerated >= ago(endtime)\\n| where RecordType in (\\\"AzureActiveDirectoryAccountLogon\\\", \\\"AzureActiveDirectoryStsLogon\\\")\\n| extend OperationName = Operation, UserAgent = extractjson(\\\"$[0].Value\\\", ExtendedProperties, typeof(string))),\\n(AzureDiagnostics\\n| where TimeGenerated >= ago(endtime)\\n| where ResourceType =~ \\\"APPLICATIONGATEWAYS\\\" \\n| where OperationName =~ \\\"ApplicationGatewayAccess\\\" \\n| extend ClientIP = columnifexists(\\\"clientIP_s\\\", \\\"None\\\"), UserAgent = columnifexists(\\\"userAgent_s\\\", \\\"None\\\")))\\n// Likely artefact of hardcoding\\n| where UserAgent startswith \\\"User\\\" or UserAgent startswith \\\"\\\\\\\"\\\"\\n// Incorrect casing\\nor (UserAgent startswith \\\"Mozilla\\\" and not(UserAgent containscs \\\"Mozilla\\\"))\\n// Incorrect casing\\nor UserAgent containscs \\\"(Compatible;\\\"\\n// Missing MSIE version\\nor UserAgent matches regex @\\\"MSIE\\\\s?;\\\"\\n// Incorrect spacing around MSIE version\\nor UserAgent matches regex @\\\"MSIE(?:\\\\d|.{1,5}?\\\\d\\\\s;)\\\"\\n| summarize StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated), OperationNames = makeset(OperationName), UserAgentCount = dcount(UserAgent), \\nUserAgentList = makeset(UserAgent), RecordTypes = makeset(RecordType) by UserId, ClientIP\\n| extend timestamp = StartTimeUtc, IPCustomEntity = ClientIP, AccountCustomEntity = UserId\",\r\n \"queryFrequency\": \"P1D\",\r\n \"queryPeriod\": \"P1D\",\r\n \"triggerOperator\": \"GreaterThan\",\r\n \"triggerThreshold\": 0,\r\n \"entityMappings\": [\r\n {\r\n \"entityType\": \"Account\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"FullName\",\r\n \"columnName\": \"AccountCustomEntity\"\r\n }\r\n ]\r\n },\r\n {\r\n \"entityType\": \"IP\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"Address\",\r\n \"columnName\": \"IPCustomEntity\"\r\n }\r\n ]\r\n }\r\n ],\r\n \"displayName\": \"Malformed user agent\",\r\n \"description\": \"Malware authors will sometimes hardcode user agent string values when writing the network communication component of their malware.\\nMalformed user agents can be an indication of such malware.\",\r\n \"tactics\": [\r\n \"InitialAccess\",\r\n \"CommandAndControl\",\r\n \"Execution\"\r\n ],\r\n \"lastUpdatedDateUTC\": \"2020-11-17T00:00:00Z\",\r\n \"createdDateUTC\": \"2019-01-25T00:00:00Z\",\r\n \"status\": \"Available\",\r\n \"requiredDataConnectors\": [\r\n {\r\n \"connectorId\": \"WAF\",\r\n \"dataTypes\": [\r\n \"AzureDiagnostics\"\r\n ]\r\n },\r\n {\r\n \"connectorId\": \"Office365\",\r\n \"dataTypes\": [\r\n \"OfficeActivity\"\r\n ]\r\n }\r\n ],\r\n \"alertRulesCreatedByTemplateCount\": 0\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/AlertRuleTemplates/155f40c6-610d-497d-85fc-3cf06ec13256\",\r\n \"name\": \"155f40c6-610d-497d-85fc-3cf06ec13256\",\r\n \"type\": \"Microsoft.SecurityInsights/AlertRuleTemplates\",\r\n \"kind\": \"Scheduled\",\r\n \"properties\": {\r\n \"severity\": \"High\",\r\n \"query\": \"let timeframe = 1d;\\nlet DomainNames = dynamic([\\\"yahoo-verification.org\\\",\\\"support-servics.com\\\",\\\"verification-live.com\\\",\\\"com-mailbox.com\\\",\\\"com-myaccuants.com\\\",\\\"notification-accountservice.com\\\",\\n\\\"accounts-web-mail.com\\\",\\\"customer-certificate.com\\\",\\\"session-users-activities.com\\\",\\\"user-profile-credentials.com\\\",\\\"verify-linke.com\\\",\\\"support-servics.net\\\",\\\"verify-linkedin.net\\\", \\n\\\"yahoo-verification.net\\\",\\\"yahoo-verify.net\\\",\\\"outlook-verify.net\\\",\\\"com-users.net\\\",\\\"verifiy-account.net\\\",\\\"te1egram.net\\\",\\\"account-verifiy.net\\\",\\\"myaccount-services.net\\\",\\n\\\"com-identifier-servicelog.name\\\",\\\"microsoft-update.bid\\\",\\\"outlook-livecom.bid\\\",\\\"update-microsoft.bid\\\",\\\"documentsfilesharing.cloud\\\",\\\"com-microsoftonline.club\\\",\\n\\\"confirm-session-identifier.info\\\",\\\"session-management.info\\\",\\\"confirmation-service.info\\\",\\\"document-share.info\\\",\\\"broadcast-news.info\\\",\\\"customize-identity.info\\\",\\\"webemail.info\\\",\\n\\\"com-identifier-servicelog.info\\\",\\\"documentsharing.info\\\",\\\"notification-accountservice.info\\\",\\\"identifier-activities.info\\\",\\\"documentofficupdate.info\\\",\\\"recoveryusercustomer.info\\\",\\n\\\"serverbroadcast.info\\\",\\\"account-profile-users.info\\\",\\\"account-service-management.info\\\",\\\"accounts-manager.info\\\",\\\"activity-confirmation-service.info\\\",\\\"com-accountidentifier.info\\\",\\n\\\"com-privacy-help.info\\\",\\\"com-sessionidentifier.info\\\",\\\"com-useraccount.info\\\",\\\"confirmation-users-service.info\\\",\\\"confirm-identity.info\\\",\\\"confirm-session-identification.info\\\",\\n\\\"continue-session-identifier.info\\\",\\\"customer-recovery.info\\\",\\\"customers-activities.info\\\",\\\"elitemaildelivery.info\\\",\\\"email-delivery.info\\\",\\\"identify-user-session.info\\\",\\n\\\"message-serviceprovider.info\\\",\\\"notificationapp.info\\\",\\\"notification-manager.info\\\",\\\"recognized-activity.info\\\",\\\"recover-customers-service.info\\\",\\\"recovery-session-change.info\\\",\\n\\\"service-recovery-session.info\\\",\\\"service-session-continue.info\\\",\\\"session-mail-customers.info\\\",\\\"session-managment.info\\\",\\\"session-verify-user.info\\\",\\\"shop-sellwear.info\\\",\\n\\\"supportmailservice.info\\\",\\\"terms-service-notification.info\\\",\\\"user-activity-issues.info\\\",\\\"useridentity-confirm.info\\\",\\\"users-issue-services.info\\\",\\\"verify-user-session.info\\\",\\n\\\"login-gov.info\\\",\\\"notification-signal-agnecy.info\\\",\\\"notifications-center.info\\\",\\\"identifier-services-sessions.info\\\",\\\"customers-manager.info\\\",\\\"session-manager.info\\\",\\n\\\"customer-managers.info\\\",\\\"confirmation-recovery-options.info\\\",\\\"service-session-confirm.info\\\",\\\"session-recovery-options.info\\\",\\\"services-session-confirmation.info\\\",\\n\\\"notification-managers.info\\\",\\\"activities-services-notification.info\\\",\\\"activities-recovery-options.info\\\",\\\"activity-session-recovery.info\\\",\\\"customers-services.info\\\",\\n\\\"sessions-notification.info\\\",\\\"download-teamspeak.info\\\",\\\"services-issue-notification.info\\\",\\\"microsoft-upgrade.mobi\\\",\\\"broadcastnews.pro\\\",\\\"mobile-messengerplus.network\\\"]);\\nlet IPList = dynamic([\\\"51.91.200.147\\\"]);\\nlet IPRegex = '[0-9]{1,3}\\\\\\\\.[0-9]{1,3}\\\\\\\\.[0-9]{1,3}\\\\\\\\.[0-9]{1,3}';\\n(union isfuzzy=true\\n(CommonSecurityLog \\n| where TimeGenerated >= ago(timeframe)\\n| parse Message with * '(' DNSName ')' * \\n| extend MessageIP = extract(IPRegex, 0, Message)\\n| extend RequestURLIP = extract(IPRegex, 0, Message)\\n| where (isnotempty(SourceIP) and SourceIP in (IPList)) or (isnotempty(DestinationIP) and DestinationIP in (IPList)) \\nor (isnotempty(DNSName) and DNSName in~ (DomainNames)) or (isnotempty(DestinationHostName) and DestinationHostName in~ (DomainNames)) or (isnotempty(RequestURL) and (RequestURL has_any (DomainNames) or RequestURLIP in (IPList))) \\nor (isnotempty(Message) and MessageIP in (IPList))\\n| extend IPMatch = case(SourceIP in (IPList), \\\"SourceIP\\\", DestinationIP in (IPList), \\\"DestinationIP\\\", MessageIP in (IPList), \\\"Message\\\", RequestURLIP in (IPList), \\\"RequestUrl\\\", \\\"NoMatch\\\") \\n| extend timestamp = TimeGenerated , IPCustomEntity = case(IPMatch == \\\"SourceIP\\\", SourceIP, IPMatch == \\\"DestinationIP\\\", DestinationIP,IPMatch == \\\"Message\\\", MessageIP,\\nIPMatch == \\\"RequestUrl\\\", RequestURLIP,\\\"NoMatch\\\"), Account = SourceUserID, Host = DeviceName\\n),\\n(DnsEvents \\n| where TimeGenerated >= ago(timeframe) \\n| extend DestinationIPAddress = IPAddresses, DNSName = Name, Host = Computer\\n| where DestinationIPAddress in (IPList) or DNSName in~ (DomainNames) \\n| extend timestamp = TimeGenerated, IPCustomEntity = DestinationIPAddress, HostCustomEntity = Host),\\n(VMConnection \\n| where TimeGenerated >= ago(timeframe) \\n| parse RemoteDnsCanonicalNames with * '[\\\"' DNSName '\\\"]' *\\n| where isnotempty(SourceIP) or isnotempty(DestinationIP) or isnotempty(DNSName)\\n| where SourceIP in (IPList) or DestinationIP in (IPList) or DNSName in~ (DomainNames)\\n| extend IPMatch = case( SourceIP in (IPList), \\\"SourceIP\\\", DestinationIP in (IPList), \\\"DestinationIP\\\", \\\"None\\\") \\n| extend timestamp = TimeGenerated , IPCustomEntity = case(IPMatch == \\\"SourceIP\\\", SourceIP, IPMatch == \\\"DestinationIP\\\", DestinationIP, \\\"None\\\"), Host = Computer),\\n(OfficeActivity\\n| where TimeGenerated >= ago(timeframe)\\n| extend SourceIPAddress = ClientIP, Account = UserId\\n| where SourceIPAddress in (IPList)\\n| extend timestamp = TimeGenerated , IPCustomEntity = SourceIPAddress , AccountCustomEntity = Account )\\n)\",\r\n \"queryFrequency\": \"P1D\",\r\n \"queryPeriod\": \"P1D\",\r\n \"triggerOperator\": \"GreaterThan\",\r\n \"triggerThreshold\": 0,\r\n \"entityMappings\": [\r\n {\r\n \"entityType\": \"Account\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"FullName\",\r\n \"columnName\": \"AccountCustomEntity\"\r\n }\r\n ]\r\n },\r\n {\r\n \"entityType\": \"Host\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"FullName\",\r\n \"columnName\": \"HostCustomEntity\"\r\n }\r\n ]\r\n },\r\n {\r\n \"entityType\": \"IP\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"Address\",\r\n \"columnName\": \"IPCustomEntity\"\r\n }\r\n ]\r\n }\r\n ],\r\n \"displayName\": \"Known Phosphorus group domains/IP\",\r\n \"description\": \"Matches domain name IOCs related to Phosphorus group activity with CommonSecurityLog, DnsEvents, OfficeActivity and VMConnection dataTypes.\\nReferences: https://blogs.microsoft.com/on-the-issues/2019/03/27/new-steps-to-protect-customers-from-hacking/.\",\r\n \"tactics\": [\r\n \"CommandAndControl\"\r\n ],\r\n \"lastUpdatedDateUTC\": \"2020-11-17T00:00:00Z\",\r\n \"createdDateUTC\": \"2020-10-20T00:00:00Z\",\r\n \"status\": \"Available\",\r\n \"requiredDataConnectors\": [\r\n {\r\n \"connectorId\": \"DNS\",\r\n \"dataTypes\": [\r\n \"DnsEvents\"\r\n ]\r\n },\r\n {\r\n \"connectorId\": \"AzureMonitor(VMInsights)\",\r\n \"dataTypes\": [\r\n \"VMConnection\"\r\n ]\r\n },\r\n {\r\n \"connectorId\": \"CiscoASA\",\r\n \"dataTypes\": [\r\n \"CommonSecurityLog\"\r\n ]\r\n },\r\n {\r\n \"connectorId\": \"PaloAltoNetworks\",\r\n \"dataTypes\": [\r\n \"CommonSecurityLog\"\r\n ]\r\n },\r\n {\r\n \"connectorId\": \"Office365\",\r\n \"dataTypes\": [\r\n \"OfficeActivity\"\r\n ]\r\n }\r\n ],\r\n \"alertRulesCreatedByTemplateCount\": 1\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/AlertRuleTemplates/c7bfadd4-34a6-4fa5-82f8-3691a32261e8\",\r\n \"name\": \"c7bfadd4-34a6-4fa5-82f8-3691a32261e8\",\r\n \"type\": \"Microsoft.SecurityInsights/AlertRuleTemplates\",\r\n \"kind\": \"Scheduled\",\r\n \"properties\": {\r\n \"severity\": \"Low\",\r\n \"query\": \"let timeframe = 1d;\\nlet EventNameList = dynamic([\\\"ApplySecurityGroupsToLoadBalancer\\\", \\\"SetSecurityGroups\\\"]);\\nAWSCloudTrail\\n| where TimeGenerated >= ago(timeframe)\\n| where EventName in~ (EventNameList)\\n| extend User = iif(isnotempty(UserIdentityUserName), UserIdentityUserName, SessionIssuerUserName)\\n| summarize EventCount=count(), StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated) \\nby EventSource, EventName, UserIdentityType, User, SourceIpAddress, UserAgent, SessionMfaAuthenticated, AWSRegion,\\nAdditionalEventData, UserIdentityAccountId, UserIdentityPrincipalid, ResponseElements\\n| extend timestamp = StartTimeUtc, AccountCustomEntity = User , IPCustomEntity = SourceIpAddress\",\r\n \"queryFrequency\": \"P1D\",\r\n \"queryPeriod\": \"P1D\",\r\n \"triggerOperator\": \"GreaterThan\",\r\n \"triggerThreshold\": 0,\r\n \"entityMappings\": [\r\n {\r\n \"entityType\": \"Account\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"FullName\",\r\n \"columnName\": \"AccountCustomEntity\"\r\n }\r\n ]\r\n },\r\n {\r\n \"entityType\": \"IP\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"Address\",\r\n \"columnName\": \"IPCustomEntity\"\r\n }\r\n ]\r\n }\r\n ],\r\n \"displayName\": \"Changes to AWS Elastic Load Balancer security groups\",\r\n \"description\": \"Elastic Load Balancer distributes incoming traffic across multiple instances in multiple availability Zones. This increases the fault tolerance of your applications. \\n Unwanted changes to Elastic Load Balancer specific security groups could open your environment to attack and hence needs monitoring.\\n More information: https://medium.com/@GorillaStack/the-most-important-aws-cloudtrail-security-events-to-track-a5b9873f8255 \\n and https://aws.amazon.com/elasticloadbalancing/.\",\r\n \"tactics\": [\r\n \"Persistence\"\r\n ],\r\n \"lastUpdatedDateUTC\": \"2020-11-17T00:00:00Z\",\r\n \"createdDateUTC\": \"2019-02-27T00:00:00Z\",\r\n \"status\": \"Available\",\r\n \"requiredDataConnectors\": [\r\n {\r\n \"connectorId\": \"AWS\",\r\n \"dataTypes\": [\r\n \"AWSCloudTrail\"\r\n ]\r\n }\r\n ],\r\n \"alertRulesCreatedByTemplateCount\": 0\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/AlertRuleTemplates/a22740ec-fc1e-4c91-8de6-c29c6450ad00\",\r\n \"name\": \"a22740ec-fc1e-4c91-8de6-c29c6450ad00\",\r\n \"type\": \"Microsoft.SecurityInsights/AlertRuleTemplates\",\r\n \"kind\": \"Scheduled\",\r\n \"properties\": {\r\n \"severity\": \"Medium\",\r\n \"query\": \"SigninLogs\\n| where ResultType == 500121\\n| where Status has \\\"MFA Denied; user declined the authentication\\\"\\n| extend AccountCustomEntity = AlternateSignInName\\n| extend IPCustomEntity = IPAddress\\n| extend URLCustomEntity = ClientAppUsed\",\r\n \"queryFrequency\": \"P1D\",\r\n \"queryPeriod\": \"P1D\",\r\n \"triggerOperator\": \"GreaterThan\",\r\n \"triggerThreshold\": 0,\r\n \"entityMappings\": [\r\n {\r\n \"entityType\": \"Account\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"FullName\",\r\n \"columnName\": \"AccountCustomEntity\"\r\n }\r\n ]\r\n },\r\n {\r\n \"entityType\": \"IP\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"Address\",\r\n \"columnName\": \"IPCustomEntity\"\r\n }\r\n ]\r\n },\r\n {\r\n \"entityType\": \"URL\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"Url\",\r\n \"columnName\": \"URLCustomEntity\"\r\n }\r\n ]\r\n }\r\n ],\r\n \"displayName\": \"Explicit MFA Deny\",\r\n \"description\": \"User explicitly denies MFA push, indicating that login was not expected and the account's password may be compromised.\",\r\n \"tactics\": [\r\n \"CredentialAccess\"\r\n ],\r\n \"lastUpdatedDateUTC\": \"2020-11-17T00:00:00Z\",\r\n \"createdDateUTC\": \"2020-10-14T00:00:00Z\",\r\n \"status\": \"Available\",\r\n \"requiredDataConnectors\": [\r\n {\r\n \"connectorId\": \"AzureActiveDirectory\",\r\n \"dataTypes\": [\r\n \"SigninLogs\"\r\n ]\r\n }\r\n ],\r\n \"alertRulesCreatedByTemplateCount\": 0\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/AlertRuleTemplates/3af9285d-bb98-4a35-ad29-5ea39ba0c628\",\r\n \"name\": \"3af9285d-bb98-4a35-ad29-5ea39ba0c628\",\r\n \"type\": \"Microsoft.SecurityInsights/AlertRuleTemplates\",\r\n \"kind\": \"Scheduled\",\r\n \"properties\": {\r\n \"severity\": \"Low\",\r\n \"query\": \"let timeRange = ago(1d);\\nlet threshold = 1;\\nSigninLogs\\n| where TimeGenerated >= timeRange\\n| where ConditionalAccessStatus == 1 or ConditionalAccessStatus =~ \\\"failure\\\"\\n| extend OS = DeviceDetail.operatingSystem, Browser = DeviceDetail.browser \\n| extend StatusCode = tostring(Status.errorCode), StatusDetails = tostring(Status.additionalDetails)\\n| extend ConditionalAccessPol0Name = tostring(ConditionalAccessPolicies[0].displayName)\\n| extend ConditionalAccessPol1Name = tostring(ConditionalAccessPolicies[1].displayName)\\n| extend ConditionalAccessPol2Name = tostring(ConditionalAccessPolicies[2].displayName)\\n| extend Status = strcat(StatusCode, \\\": \\\", ResultDescription) \\n| summarize StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated), Status = makelist(Status), StatusDetails = makelist(StatusDetails), IPAddresses = makelist(IPAddress), IPAddressCount = dcount(IPAddress) , CorrelationIds = makelist(CorrelationId) by UserPrincipalName, AppDisplayName, tostring(Browser), tostring(OS), Location, ConditionalAccessPol0Name, ConditionalAccessPol1Name, ConditionalAccessPol2Name\\n| where IPAddressCount > threshold and StatusDetails !has \\\"MFA successfully completed\\\"\\n| mvexpand IPAddresses, Status, StatusDetails, CorrelationIds\\n| extend Status = strcat(Status, \\\" \\\", StatusDetails)\\n| summarize IPAddresses = makeset(IPAddresses), Status = makeset(Status), CorrelationIds = makeset(CorrelationIds) by StartTimeUtc, EndTimeUtc, UserPrincipalName, AppDisplayName, tostring(Browser), tostring(OS), Location, ConditionalAccessPol0Name, ConditionalAccessPol1Name, ConditionalAccessPol2Name, IPAddressCount\\n| extend timestamp = StartTimeUtc, AccountCustomEntity = UserPrincipalName, IPCustomEntity = tostring(IPAddresses)\",\r\n \"queryFrequency\": \"P1D\",\r\n \"queryPeriod\": \"P1D\",\r\n \"triggerOperator\": \"GreaterThan\",\r\n \"triggerThreshold\": 0,\r\n \"entityMappings\": [\r\n {\r\n \"entityType\": \"Account\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"FullName\",\r\n \"columnName\": \"AccountCustomEntity\"\r\n }\r\n ]\r\n },\r\n {\r\n \"entityType\": \"IP\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"Address\",\r\n \"columnName\": \"IPCustomEntity\"\r\n }\r\n ]\r\n }\r\n ],\r\n \"displayName\": \"Attempt to bypass conditional access rule in Azure AD\",\r\n \"description\": \"Identifies an attempt to Bypass conditional access rule(s) in Azure Active Directory.\\nThe ConditionalAccessStatus column value details if there was an attempt to bypass Conditional Access\\nor if the Conditional access rule was not satisfied (ConditionalAccessStatus == 1).\\nReferences: \\nhttps://docs.microsoft.com/azure/active-directory/conditional-access/overview\\nhttps://docs.microsoft.com/azure/active-directory/reports-monitoring/concept-sign-ins\\nhttps://docs.microsoft.com/azure/active-directory/reports-monitoring/reference-sign-ins-error-codes\\nConditionalAccessStatus == 0 // Success\\nConditionalAccessStatus == 1 // Failure\\nConditionalAccessStatus == 2 // Not Applied\\nConditionalAccessStatus == 3 // unknown\",\r\n \"tactics\": [\r\n \"InitialAccess\",\r\n \"Persistence\"\r\n ],\r\n \"lastUpdatedDateUTC\": \"2020-11-17T00:00:00Z\",\r\n \"createdDateUTC\": \"2019-02-11T00:00:00Z\",\r\n \"status\": \"Available\",\r\n \"requiredDataConnectors\": [\r\n {\r\n \"connectorId\": \"AzureActiveDirectory\",\r\n \"dataTypes\": [\r\n \"SigninLogs\"\r\n ]\r\n }\r\n ],\r\n \"alertRulesCreatedByTemplateCount\": 0\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/AlertRuleTemplates/173f8699-6af5-484a-8b06-8c47ba89b380\",\r\n \"name\": \"173f8699-6af5-484a-8b06-8c47ba89b380\",\r\n \"type\": \"Microsoft.SecurityInsights/AlertRuleTemplates\",\r\n \"kind\": \"Scheduled\",\r\n \"properties\": {\r\n \"severity\": \"Low\",\r\n \"query\": \"// Adjust this value to change how many Teams should be deleted before including\\nlet max_delete_count = 3;\\n// Adjust this value to change the timewindow the query runs over\\n OfficeActivity\\n| where OfficeWorkload =~ \\\"MicrosoftTeams\\\" \\n| where Operation =~ \\\"TeamDeleted\\\"\\n| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated), DeletedTeams = make_set(TeamName) by UserId\\n| where array_length(DeletedTeams) > max_delete_count\\n| extend timestamp = StartTime, AccountCustomEntity = UserId\",\r\n \"queryFrequency\": \"P1D\",\r\n \"queryPeriod\": \"P1D\",\r\n \"triggerOperator\": \"GreaterThan\",\r\n \"triggerThreshold\": 0,\r\n \"entityMappings\": [\r\n {\r\n \"entityType\": \"Account\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"FullName\",\r\n \"columnName\": \"AccountCustomEntity\"\r\n }\r\n ]\r\n }\r\n ],\r\n \"displayName\": \"Multiple Teams deleted by a single user\",\r\n \"description\": \"This detection flags the occurrences of deleting multiple teams within an hour.\\nThis data is a part of Office 365 Connector in Azure Sentinel.\",\r\n \"tactics\": [\r\n \"Impact\"\r\n ],\r\n \"lastUpdatedDateUTC\": \"2020-11-17T00:00:00Z\",\r\n \"createdDateUTC\": \"2020-09-13T00:00:00Z\",\r\n \"status\": \"Available\",\r\n \"requiredDataConnectors\": [\r\n {\r\n \"connectorId\": \"Office365\",\r\n \"dataTypes\": [\r\n \"OfficeActivity (Teams)\"\r\n ]\r\n }\r\n ],\r\n \"alertRulesCreatedByTemplateCount\": 0\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/AlertRuleTemplates/a83ef0f4-dace-4767-bce3-ebd32599d2a0\",\r\n \"name\": \"a83ef0f4-dace-4767-bce3-ebd32599d2a0\",\r\n \"type\": \"Microsoft.SecurityInsights/AlertRuleTemplates\",\r\n \"kind\": \"Scheduled\",\r\n \"properties\": {\r\n \"severity\": \"Low\",\r\n \"query\": \"let timeframe = 1d;\\nDnsEvents\\n| where TimeGenerated > ago(timeframe)\\n| where Name contains \\\".\\\"\\n| where Name has_any (\\\"tor2web.org\\\", \\\"tor2web.com\\\", \\\"torlink.co\\\", \\\"onion.to\\\", \\\"onion.ink\\\", \\\"onion.cab\\\", \\\"onion.nu\\\", \\\"onion.link\\\", \\n\\\"onion.it\\\", \\\"onion.city\\\", \\\"onion.direct\\\", \\\"onion.top\\\", \\\"onion.casa\\\", \\\"onion.plus\\\", \\\"onion.rip\\\", \\\"onion.dog\\\", \\\"tor2web.fi\\\", \\n\\\"tor2web.blutmagie.de\\\", \\\"onion.sh\\\", \\\"onion.lu\\\", \\\"onion.pet\\\", \\\"t2w.pw\\\", \\\"tor2web.ae.org\\\", \\\"tor2web.io\\\", \\\"tor2web.xyz\\\", \\\"onion.lt\\\", \\n\\\"s1.tor-gateways.de\\\", \\\"s2.tor-gateways.de\\\", \\\"s3.tor-gateways.de\\\", \\\"s4.tor-gateways.de\\\", \\\"s5.tor-gateways.de\\\", \\\"hiddenservice.net\\\")\\n| extend timestamp = TimeGenerated, IPCustomEntity = ClientIP, HostCustomEntity = Computer\",\r\n \"queryFrequency\": \"P1D\",\r\n \"queryPeriod\": \"P1D\",\r\n \"triggerOperator\": \"GreaterThan\",\r\n \"triggerThreshold\": 0,\r\n \"entityMappings\": [\r\n {\r\n \"entityType\": \"Host\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"FullName\",\r\n \"columnName\": \"HostCustomEntity\"\r\n }\r\n ]\r\n },\r\n {\r\n \"entityType\": \"IP\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"Address\",\r\n \"columnName\": \"IPCustomEntity\"\r\n }\r\n ]\r\n }\r\n ],\r\n \"displayName\": \"DNS events related to ToR proxies\",\r\n \"description\": \"Identifies IP addresses performing DNS lookups associated with common ToR proxies.\",\r\n \"tactics\": [\r\n \"Exfiltration\"\r\n ],\r\n \"lastUpdatedDateUTC\": \"2020-11-17T00:00:00Z\",\r\n \"createdDateUTC\": \"2019-02-07T00:00:00Z\",\r\n \"status\": \"Available\",\r\n \"requiredDataConnectors\": [\r\n {\r\n \"connectorId\": \"DNS\",\r\n \"dataTypes\": [\r\n \"DnsEvents\"\r\n ]\r\n }\r\n ],\r\n \"alertRulesCreatedByTemplateCount\": 0\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/AlertRuleTemplates/a2e36ce0-da4d-4b6e-88c6-4e40161c5bfc\",\r\n \"name\": \"a2e36ce0-da4d-4b6e-88c6-4e40161c5bfc\",\r\n \"type\": \"Microsoft.SecurityInsights/AlertRuleTemplates\",\r\n \"kind\": \"Scheduled\",\r\n \"properties\": {\r\n \"severity\": \"Medium\",\r\n \"query\": \"let dt_lookBack = 1h;\\nlet ioc_lookBack = 14d;\\nlet emailregex = @'^[a-zA-Z0-9_.+-]+@[a-zA-Z0-9-]+\\\\.[a-zA-Z0-9-.]+$';\\nThreatIntelligenceIndicator\\n| where TimeGenerated >= ago(ioc_lookBack) and ExpirationDateTime > now()\\n| where Active == true\\n//Filtering the table for Email related IOCs\\n| where isnotempty(EmailRecipient)\\n| join (\\n SecurityAlert | where TimeGenerated >= ago(dt_lookBack)\\n // Converting Entities into dynamic data type and use mv-expand to unpack the array\\n | extend EntitiesDynamicArray = parse_json(Entities) | mv-expand EntitiesDynamicArray\\n // Parsing relevant entity column to filter type account and creating new column by combining account and UPNSuffix\\n | extend Entitytype = tostring(parse_json(EntitiesDynamicArray).Type), EntityName = tostring(parse_json(EntitiesDynamicArray).Name),\\n EntityUPNSuffix = tostring(parse_json(EntitiesDynamicArray).UPNSuffix)\\n | where Entitytype =~ \\\"account\\\"\\n | extend EntityEmail = tolower(strcat(EntityName, \\\"@\\\", EntityUPNSuffix))\\n | where EntityEmail matches regex emailregex\\n | extend SecurityAlert_TimeGenerated = TimeGenerated\\n)\\non $left.EmailRecipient == $right.EntityEmail\\n| summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId\\n| project LatestIndicatorTime, Description, ActivityGroupNames, IndicatorId, ThreatType, Url, ExpirationDateTime, ConfidenceScore, SecurityAlert_TimeGenerated,\\nEmailSenderName, EmailSourceDomain, EmailSourceIpAddress, EmailSubject, FileHashValue, FileHashType, EntityEmail, AlertName, AlertType,\\nAlertSeverity, Entities, ProviderName, VendorName\\n| extend timestamp = SecurityAlert_TimeGenerated, AccountCustomEntity = EntityEmail, URLCustomEntity = Url\",\r\n \"queryFrequency\": \"PT1H\",\r\n \"queryPeriod\": \"P14D\",\r\n \"triggerOperator\": \"GreaterThan\",\r\n \"triggerThreshold\": 0,\r\n \"entityMappings\": [\r\n {\r\n \"entityType\": \"Account\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"FullName\",\r\n \"columnName\": \"AccountCustomEntity\"\r\n }\r\n ]\r\n },\r\n {\r\n \"entityType\": \"URL\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"Url\",\r\n \"columnName\": \"URLCustomEntity\"\r\n }\r\n ]\r\n }\r\n ],\r\n \"displayName\": \"(Preview) TI map Email entity to SecurityAlert\",\r\n \"description\": \"Identifies a match in SecurityAlert table from any Email IOC from TI which will extend coverage to datatypes such as MCAS, StorageThreatProtection and many others\",\r\n \"tactics\": [\r\n \"Impact\"\r\n ],\r\n \"lastUpdatedDateUTC\": \"2020-11-17T00:00:00Z\",\r\n \"createdDateUTC\": \"2019-08-28T00:00:00Z\",\r\n \"status\": \"Available\",\r\n \"requiredDataConnectors\": [\r\n {\r\n \"connectorId\": \"AzureSecurityCenter\",\r\n \"dataTypes\": [\r\n \"SecurityAlert\"\r\n ]\r\n },\r\n {\r\n \"connectorId\": \"ThreatIntelligence\",\r\n \"dataTypes\": [\r\n \"ThreatIntelligenceIndicator\"\r\n ]\r\n },\r\n {\r\n \"connectorId\": \"ThreatIntelligenceTaxii\",\r\n \"dataTypes\": [\r\n \"ThreatIntelligenceIndicator\"\r\n ]\r\n }\r\n ],\r\n \"alertRulesCreatedByTemplateCount\": 0\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/AlertRuleTemplates/fa118b98-de46-4e94-87f9-8e6d5060b60b\",\r\n \"name\": \"fa118b98-de46-4e94-87f9-8e6d5060b60b\",\r\n \"type\": \"Microsoft.SecurityInsights/AlertRuleTemplates\",\r\n \"kind\": \"MLBehaviorAnalytics\",\r\n \"properties\": {\r\n \"severity\": \"Medium\",\r\n \"displayName\": \"(Preview) Anomalous SSH Login Detection\",\r\n \"description\": \"This detection uses machine learning (ML) to identify anomalous Secure Shell (SSH) login activity, based on syslog data. Scenarios include:\\n\\n*\\tUnusual IP - This IP address has not or has rarely been seen in last 30 days.\\n*\\tUnusual Geo - The IP address, city, country and ASN have not (or rarely) been seen in last 30 days.\\n*\\tNew user - A new user logs in from an IP address and geo location, both or either of which are not expected to be seen in the last 30 days.\\n\\nAllow 7 days after this alert is enabled for Azure Sentinel to build a profile of normal activity for your environment.\\n\\nThis detection requires a specific configuration of the data source. [Learn more](https://docs.microsoft.com/en-us/azure/sentinel/connect-syslog#configure-the-syslog-connector-for-anomalous-ssh-login-detection)\",\r\n \"tactics\": [\r\n \"InitialAccess\"\r\n ],\r\n \"lastUpdatedDateUTC\": \"2020-07-16T00:00:00Z\",\r\n \"createdDateUTC\": \"2019-08-05T00:00:00Z\",\r\n \"status\": \"Available\",\r\n \"requiredDataConnectors\": [\r\n {\r\n \"connectorId\": \"Syslog\",\r\n \"dataTypes\": [\r\n \"Syslog\"\r\n ]\r\n }\r\n ],\r\n \"alertRulesCreatedByTemplateCount\": 0\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/AlertRuleTemplates/a0907abe-6925-4d90-af2b-c7e89dc201a6\",\r\n \"name\": \"a0907abe-6925-4d90-af2b-c7e89dc201a6\",\r\n \"type\": \"Microsoft.SecurityInsights/AlertRuleTemplates\",\r\n \"kind\": \"Scheduled\",\r\n \"properties\": {\r\n \"severity\": \"Medium\",\r\n \"query\": \"let starttime = 10d;\\nlet endtime = 1d;\\nlet threshold = 100;\\nlet nxDomainDnsEvents = DnsEvents \\n| where ResultCode == 3 \\n| where QueryType in (\\\"A\\\", \\\"AAAA\\\")\\n| where ipv4_is_match(\\\"127.0.0.1\\\", ClientIP) == False\\n| where Name !contains \\\"/\\\"\\n| where Name contains \\\".\\\";\\nnxDomainDnsEvents\\n| where TimeGenerated > ago(endtime)\\n| extend sld = tostring(split(Name, \\\".\\\")[-2])\\n| summarize StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated), dcount(sld) by ClientIP\\n| where dcount_sld > threshold\\n// Filter out previously seen IPs\\n| join kind=leftanti (nxDomainDnsEvents\\n | where TimeGenerated between(ago(starttime)..ago(endtime))\\n | extend sld = tostring(split(Name, \\\".\\\")[-2])\\n | summarize dcount(sld) by ClientIP\\n | where dcount_sld > threshold ) on ClientIP\\n// Pull out sample NXDomain responses for those remaining potentially infected IPs\\n| join kind = inner (nxDomainDnsEvents | summarize by Name, ClientIP) on ClientIP\\n| summarize StartTimeUtc = min(StartTimeUtc), EndTimeUtc = max(EndTimeUtc), sampleNXDomainList=make_list(Name, 100) by ClientIP, dcount_sld\\n| extend timestamp = StartTimeUtc, IPCustomEntity = ClientIP\",\r\n \"queryFrequency\": \"P1D\",\r\n \"queryPeriod\": \"P10D\",\r\n \"triggerOperator\": \"GreaterThan\",\r\n \"triggerThreshold\": 0,\r\n \"entityMappings\": [\r\n {\r\n \"entityType\": \"IP\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"Address\",\r\n \"columnName\": \"IPCustomEntity\"\r\n }\r\n ]\r\n }\r\n ],\r\n \"displayName\": \"Potential DGA detected\",\r\n \"description\": \"Identifies clients with a high NXDomain count which could be indicative of a DGA (cycling through possible C2 domains\\nwhere most C2s are not live). Alert is generated when a new IP address is seen (based on not being seen associated with \\nNXDomain records in prior 10-day baseline period).\",\r\n \"tactics\": [\r\n \"CommandAndControl\"\r\n ],\r\n \"lastUpdatedDateUTC\": \"2020-11-17T00:00:00Z\",\r\n \"createdDateUTC\": \"2019-02-07T00:00:00Z\",\r\n \"status\": \"Available\",\r\n \"requiredDataConnectors\": [\r\n {\r\n \"connectorId\": \"DNS\",\r\n \"dataTypes\": [\r\n \"DnsEvents\"\r\n ]\r\n }\r\n ],\r\n \"alertRulesCreatedByTemplateCount\": 0\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/AlertRuleTemplates/79f29feb-6a9d-4cdf-baaa-2daf480a5da1\",\r\n \"name\": \"79f29feb-6a9d-4cdf-baaa-2daf480a5da1\",\r\n \"type\": \"Microsoft.SecurityInsights/AlertRuleTemplates\",\r\n \"kind\": \"Scheduled\",\r\n \"properties\": {\r\n \"severity\": \"Low\",\r\n \"query\": \"let timeframe = 1h;\\nlet last1h = CommonSecurityLog \\n| where TimeGenerated >= ago(timeframe)\\n| where isempty(CommunicationDirection) \\n| where DeviceEventClassID == \\\"733100\\\"\\n| extend SourceOfDropRateCount = tostring(split(tostring(split(Message, \\\"]\\\")[0]),\\\"[ \\\")[1])\\n| extend splitMessage = split(Message, \\\".\\\")\\n| extend DropRate = tostring(split(tostring(splitMessage[0]),\\\"] \\\")[1])\\n| extend CurrentBurstRate = split(tostring(split(tostring(splitMessage[1]),\\\" \\\")[0]),\\\"is \\\")\\n| extend CurrentBurstRatePerSec = toint(split(tostring(CurrentBurstRate[1]),\\\" \\\")[0])\\n| extend MaxConfiguredBurstRate = toint(CurrentBurstRate[2])\\n| extend CurrentAvgRate = split(tostring(split(tostring(splitMessage[1]),\\\" \\\")[1]),\\\"is \\\")\\n| extend CurrentAvgRatePerSec = toint(split(tostring(CurrentAvgRate[1]),\\\" \\\")[0])\\n| extend MaxConfiguredAvgRate = toint(CurrentAvgRate[2])\\n| extend CumulativeTotal = toint(split(tostring(split(tostring(splitMessage[1]),\\\" \\\")[2]),\\\"is \\\")[1])\\n| summarize last1hCumTotal = sum(CumulativeTotal), last1hAvgRatePerSec = avg(CurrentAvgRatePerSec), last1hAvgBurstRatePerSec = avg(CurrentBurstRatePerSec) by DeviceName, DeviceEventClassID, SourceIP, SourceOfDropRateCount, DropRate;\\nlet prev6h = CommonSecurityLog \\n| where TimeGenerated between (ago(6h) .. ago(1h))\\n| where isempty(CommunicationDirection) \\n| where DeviceEventClassID == \\\"733100\\\"\\n| extend SourceOfDropRateCount = tostring(split(tostring(split(Message, \\\"]\\\")[0]),\\\"[ \\\")[1])\\n| extend splitMessage = split(Message, \\\".\\\")\\n| extend DropRate = tostring(split(tostring(splitMessage[0]),\\\"] \\\")[1])\\n| extend CurrentBurstRate = split(tostring(split(tostring(splitMessage[1]),\\\" \\\")[0]),\\\"is \\\")\\n| extend prevCurrentBurstRatePerSec = toint(split(tostring(CurrentBurstRate[1]),\\\" \\\")[0])\\n| extend prevMaxConfiguredBurstRate = toint(CurrentBurstRate[2])\\n| extend CurrentAvgRate = split(tostring(split(tostring(splitMessage[1]),\\\" \\\")[1]),\\\"is \\\")\\n| extend prevCurrentAvgRatePerSec = toint(split(tostring(CurrentAvgRate[1]),\\\" \\\")[0])\\n| extend prevMaxConfiguredAvgRate = toint(CurrentAvgRate[2])\\n| extend prevCumulativeTotal = toint(split(tostring(split(tostring(splitMessage[1]),\\\" \\\")[2]),\\\"is \\\")[1])\\n| summarize StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated), prev6hCumTotal = sum(prevCumulativeTotal), prev6hAvgRatePerSec = avg(prevCurrentAvgRatePerSec), prev6hAvgBurstRatePerSec = avg(prevCurrentBurstRatePerSec) \\nby DeviceName, DeviceEventClassID, SourceIP, SourceOfDropRateCount, DropRate;\\nlast1h | join (\\n prev6h \\n) on DeviceName, DeviceEventClassID, SourceIP, SourceOfDropRateCount, DropRate\\n| project StartTimeUtc, EndTimeUtc, DeviceName, DeviceEventClassID, SourceIP, SourceOfDropRateCount, DropRate, last1hCumTotal, prev6hCumTotal, prev6hAvgCumTotal = prev6hCumTotal/6, last1hAvgRatePerSec, prev6hAvgRatePerSec, last1hAvgBurstRatePerSec, prev6hAvgBurstRatePerSec\\n// Select only events that indicate a doubling of the expected rate in the last hour over the previous 6 hours\\n| where last1hCumTotal > 2*prev6hAvgCumTotal or last1hAvgRatePerSec > 2*prev6hAvgRatePerSec or last1hAvgBurstRatePerSec > 2*prev6hAvgBurstRatePerSec\\n| extend timestamp = StartTimeUtc, IPCustomEntity = SourceIP, HostCustomEntity = DeviceName\",\r\n \"queryFrequency\": \"PT1H\",\r\n \"queryPeriod\": \"PT6H\",\r\n \"triggerOperator\": \"GreaterThan\",\r\n \"triggerThreshold\": 0,\r\n \"entityMappings\": [\r\n {\r\n \"entityType\": \"Host\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"FullName\",\r\n \"columnName\": \"HostCustomEntity\"\r\n }\r\n ]\r\n },\r\n {\r\n \"entityType\": \"IP\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"Address\",\r\n \"columnName\": \"IPCustomEntity\"\r\n }\r\n ]\r\n }\r\n ],\r\n \"displayName\": \"Cisco ASA - average attack detection rate increase\",\r\n \"description\": \"This will help you determine if Cisco ASA devices are under heavier attack than normal over the last hour versus the previous 6 hours based on DeviceEventClassID 733100\\nReferences: https://www.cisco.com/c/en/us/td/docs/security/asa/syslog/b_syslog/syslogs9.html\\nDetails on how to further troubleshoot/investigate: https://www.cisco.com/c/en/us/support/docs/security/asa-5500-x-series-next-generation-firewalls/113685-asa-threat-detection.html\",\r\n \"tactics\": [\r\n \"Discovery\",\r\n \"Impact\"\r\n ],\r\n \"lastUpdatedDateUTC\": \"2020-11-17T00:00:00Z\",\r\n \"createdDateUTC\": \"2019-02-28T00:00:00Z\",\r\n \"status\": \"Available\",\r\n \"requiredDataConnectors\": [\r\n {\r\n \"connectorId\": \"CiscoASA\",\r\n \"dataTypes\": [\r\n \"CommonSecurityLog\"\r\n ]\r\n }\r\n ],\r\n \"alertRulesCreatedByTemplateCount\": 0\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/AlertRuleTemplates/500415fb-bba7-4227-a08a-9857fb61b6a7\",\r\n \"name\": \"500415fb-bba7-4227-a08a-9857fb61b6a7\",\r\n \"type\": \"Microsoft.SecurityInsights/AlertRuleTemplates\",\r\n \"kind\": \"Scheduled\",\r\n \"properties\": {\r\n \"severity\": \"Medium\",\r\n \"query\": \"let timeframe = 1d;\\nOfficeActivity\\n| where TimeGenerated >= ago(timeframe)\\n| where OfficeWorkload == \\\"Exchange\\\"\\n| where Operation in~ (\\\"New-TransportRule\\\", \\\"Set-TransportRule\\\")\\n| extend p = parse_json(Parameters)\\n| extend RuleName = case(\\n Operation =~ \\\"Set-TransportRule\\\", tostring(OfficeObjectId),\\n Operation =~ \\\"New-TransportRule\\\", tostring(p[1].Value),\\n \\\"Unknown\\\"\\n ) \\n| mvexpand p\\n| where (p.Name =~ \\\"BlindCopyTo\\\" or p.Name =~ \\\"RedirectMessageTo\\\") and isnotempty(p.Value)\\n| extend RedirectTo = p.Value\\n| extend ClientIPOnly = case( \\n ClientIP has \\\".\\\" and ClientIP has \\\":\\\", tostring(split(ClientIP,\\\":\\\")[0]), \\n ClientIP has \\\".\\\" and ClientIP has \\\"-\\\", tostring(split(ClientIP,\\\"-\\\")[0]), \\n ClientIP has \\\"[\\\", tostring(trim_start(@'[[]',tostring(split(ClientIP,\\\"]\\\")[0]))),\\n ClientIP\\n ) \\n| extend Port = case(\\n ClientIP has \\\".\\\" and ClientIP has \\\":\\\", (split(ClientIP,\\\":\\\")[1]),\\n ClientIP has \\\".\\\" and ClientIP has \\\"-\\\", (split(ClientIP,\\\"-\\\")[1]),\\n ClientIP has \\\"[\\\" and ClientIP has \\\":\\\", tostring(split(ClientIP,\\\"]:\\\")[1]),\\n ClientIP has \\\"[\\\" and ClientIP has \\\"-\\\", tostring(split(ClientIP,\\\"]-\\\")[1]),\\n ClientIP\\n )\\n| extend ClientIP = ClientIPOnly\\n| project TimeGenerated, RedirectTo, ClientIP, Port, UserId, Operation, RuleName\\n| extend timestamp = TimeGenerated, AccountCustomEntity = UserId, IPCustomEntity = ClientIP\",\r\n \"queryFrequency\": \"P1D\",\r\n \"queryPeriod\": \"P1D\",\r\n \"triggerOperator\": \"GreaterThan\",\r\n \"triggerThreshold\": 0,\r\n \"entityMappings\": [\r\n {\r\n \"entityType\": \"Account\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"FullName\",\r\n \"columnName\": \"AccountCustomEntity\"\r\n }\r\n ]\r\n },\r\n {\r\n \"entityType\": \"IP\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"Address\",\r\n \"columnName\": \"IPCustomEntity\"\r\n }\r\n ]\r\n }\r\n ],\r\n \"displayName\": \"Mail redirect via ExO transport rule\",\r\n \"description\": \"Identifies when Exchange Online transport rule configured to forward emails.\\nThis could be an adversary mailbox configured to collect mail from multiple user accounts.\",\r\n \"tactics\": [\r\n \"Collection\",\r\n \"Exfiltration\"\r\n ],\r\n \"lastUpdatedDateUTC\": \"2020-11-17T00:00:00Z\",\r\n \"createdDateUTC\": \"2020-05-05T00:00:00Z\",\r\n \"status\": \"Available\",\r\n \"requiredDataConnectors\": [\r\n {\r\n \"connectorId\": \"Office365\",\r\n \"dataTypes\": [\r\n \"OfficeActivity\"\r\n ]\r\n }\r\n ],\r\n \"alertRulesCreatedByTemplateCount\": 0\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/AlertRuleTemplates/7ee72a9e-2e54-459c-bc8a-8c08a6532a63\",\r\n \"name\": \"7ee72a9e-2e54-459c-bc8a-8c08a6532a63\",\r\n \"type\": \"Microsoft.SecurityInsights/AlertRuleTemplates\",\r\n \"kind\": \"Scheduled\",\r\n \"properties\": {\r\n \"severity\": \"High\",\r\n \"query\": \"let timeframe = 1d;\\nlet IPList = dynamic([\\\"154.223.45.38\\\",\\\"185.141.207.140\\\",\\\"185.234.73.19\\\",\\\"216.245.210.106\\\",\\\"51.91.48.210\\\",\\\"46.255.230.229\\\"]);\\n(union isfuzzy=true\\n(CommonSecurityLog\\n| where TimeGenerated >= ago(timeframe) \\n| where isnotempty(SourceIP) or isnotempty(DestinationIP)\\n| where SourceIP in (IPList) or DestinationIP in (IPList) or Message has_any (IPList)\\n| extend IPMatch = case(SourceIP in (IPList), \\\"SourceIP\\\", DestinationIP in (IPList), \\\"DestinationIP\\\", \\\"Message\\\") \\n| summarize StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated) by SourceIP, DestinationIP, DeviceProduct, DeviceAction, Message, Protocol, SourcePort, DestinationPort, DeviceAddress, DeviceName, IPMatch\\n| extend timestamp = StartTimeUtc, IPCustomEntity = case(IPMatch == \\\"SourceIP\\\", SourceIP, IPMatch == \\\"DestinationIP\\\", DestinationIP, \\\"IP in Message Field\\\") \\n),\\n(OfficeActivity\\n| where TimeGenerated >= ago(timeframe) \\n|extend SourceIPAddress = ClientIP, Account = UserId\\n| where SourceIPAddress in (IPList)\\n| extend timestamp = TimeGenerated , IPCustomEntity = SourceIPAddress , AccountCustomEntity = Account\\n),\\n(DnsEvents \\n| where TimeGenerated >= ago(timeframe) \\n| extend DestinationIPAddress = IPAddresses, Host = Computer\\n| where DestinationIPAddress has_any (IPList) \\n| extend timestamp = TimeGenerated, IPCustomEntity = DestinationIPAddress, HostCustomEntity = Host\\n),\\n(VMConnection \\n| where TimeGenerated >= ago(timeframe) \\n| where isnotempty(SourceIp) or isnotempty(DestinationIp) \\n| where SourceIp in (IPList) or DestinationIp in (IPList) \\n| extend IPMatch = case( SourceIp in (IPList), \\\"SourceIP\\\", DestinationIp in (IPList), \\\"DestinationIP\\\", \\\"None\\\") \\n| extend timestamp = TimeGenerated , IPCustomEntity = case(IPMatch == \\\"SourceIP\\\", SourceIp, IPMatch == \\\"DestinationIP\\\", DestinationIp, \\\"None\\\"), Host = Computer\\n),\\n(Event\\n| where TimeGenerated >= ago(timeframe)\\n| where Source == \\\"Microsoft-Windows-Sysmon\\\"\\n| where EventID == 3\\n| extend EvData = parse_xml(EventData)\\n| extend EventDetail = EvData.DataItem.EventData.Data\\n| extend SourceIP = EventDetail.[9].[\\\"#text\\\"], DestinationIP = EventDetail.[14].[\\\"#text\\\"]\\n| where SourceIP in (IPList) or DestinationIP in (IPList) \\n| extend IPMatch = case( SourceIP in (IPList), \\\"SourceIP\\\", DestinationIP in (IPList), \\\"DestinationIP\\\", \\\"None\\\") \\n| extend timestamp = TimeGenerated, AccountCustomEntity = UserName, HostCustomEntity = Computer , IPCustomEntity = case(IPMatch == \\\"SourceIP\\\", SourceIP, IPMatch == \\\"DestinationIP\\\", DestinationIP, \\\"None\\\")\\n), \\n(WireData \\n| where TimeGenerated >= ago(timeframe)\\n| where isnotempty(RemoteIP)\\n| where RemoteIP in (IPList)\\n| extend timestamp = TimeGenerated, IPCustomEntity = RemoteIP, HostCustomEntity = Computer\\n),\\n(SigninLogs\\n| where TimeGenerated >= ago(timeframe)\\n| where isnotempty(IPAddress)\\n| where IPAddress in (IPList)\\n| extend timestamp = TimeGenerated, AccountCustomEntity = UserPrincipalName, IPCustomEntity = IPAddress\\n),\\n(W3CIISLog \\n| where TimeGenerated >= ago(timeframe)\\n| where isnotempty(cIP)\\n| where cIP in (IPList)\\n| extend timestamp = TimeGenerated, IPCustomEntity = cIP, HostCustomEntity = Computer, AccountCustomEntity = csUserName\\n),\\n(AzureActivity \\n| where TimeGenerated >= ago(timeframe)\\n| where isnotempty(CallerIpAddress)\\n| where CallerIpAddress in (IPList)\\n| extend timestamp = TimeGenerated, IPCustomEntity = CallerIpAddress, AccountCustomEntity = Caller\\n),\\n(\\nAWSCloudTrail\\n| where TimeGenerated >= ago(timeframe)\\n| where isnotempty(SourceIpAddress)\\n| where SourceIpAddress in (IPList)\\n| extend timestamp = TimeGenerated, IPCustomEntity = SourceIpAddress, AccountCustomEntity = UserIdentityUserName\\n)\\n)\",\r\n \"queryFrequency\": \"P1D\",\r\n \"queryPeriod\": \"P1D\",\r\n \"triggerOperator\": \"GreaterThan\",\r\n \"triggerThreshold\": 0,\r\n \"entityMappings\": [\r\n {\r\n \"entityType\": \"Account\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"FullName\",\r\n \"columnName\": \"AccountCustomEntity\"\r\n }\r\n ]\r\n },\r\n {\r\n \"entityType\": \"Host\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"FullName\",\r\n \"columnName\": \"HostCustomEntity\"\r\n }\r\n ]\r\n },\r\n {\r\n \"entityType\": \"IP\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"Address\",\r\n \"columnName\": \"IPCustomEntity\"\r\n }\r\n ]\r\n }\r\n ],\r\n \"displayName\": \"Known IRIDIUM IP\",\r\n \"description\": \"IRIDIUM command and control IP. Identifies a match across various data feeds for IP IOCs related to the IRIDIUM activity group.\",\r\n \"tactics\": [\r\n \"CommandAndControl\"\r\n ],\r\n \"lastUpdatedDateUTC\": \"2020-11-17T00:00:00Z\",\r\n \"createdDateUTC\": \"2019-12-16T00:00:00Z\",\r\n \"status\": \"Available\",\r\n \"requiredDataConnectors\": [\r\n {\r\n \"connectorId\": \"Office365\",\r\n \"dataTypes\": [\r\n \"OfficeActivity\"\r\n ]\r\n },\r\n {\r\n \"connectorId\": \"DNS\",\r\n \"dataTypes\": [\r\n \"DnsEvents\"\r\n ]\r\n },\r\n {\r\n \"connectorId\": \"AzureMonitor(VMInsights)\",\r\n \"dataTypes\": [\r\n \"VMConnection\"\r\n ]\r\n },\r\n {\r\n \"connectorId\": \"CiscoASA\",\r\n \"dataTypes\": [\r\n \"CommonSecurityLog\"\r\n ]\r\n },\r\n {\r\n \"connectorId\": \"PaloAltoNetworks\",\r\n \"dataTypes\": [\r\n \"CommonSecurityLog\"\r\n ]\r\n },\r\n {\r\n \"connectorId\": \"SecurityEvents\",\r\n \"dataTypes\": [\r\n \"SecurityEvent\"\r\n ]\r\n },\r\n {\r\n \"connectorId\": \"AzureActiveDirectory\",\r\n \"dataTypes\": [\r\n \"SigninLogs\"\r\n ]\r\n },\r\n {\r\n \"connectorId\": \"AzureMonitor(WireData)\",\r\n \"dataTypes\": [\r\n \"WireData\"\r\n ]\r\n },\r\n {\r\n \"connectorId\": \"AzureMonitor(IIS)\",\r\n \"dataTypes\": [\r\n \"W3CIISLog\"\r\n ]\r\n },\r\n {\r\n \"connectorId\": \"AzureActivity\",\r\n \"dataTypes\": [\r\n \"AzureActivity\"\r\n ]\r\n },\r\n {\r\n \"connectorId\": \"AWS\",\r\n \"dataTypes\": [\r\n \"AWSCloudTrail\"\r\n ]\r\n }\r\n ],\r\n \"alertRulesCreatedByTemplateCount\": 0\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/AlertRuleTemplates/a4025a76-6490-4e6b-bb69-d02be4b03f07\",\r\n \"name\": \"a4025a76-6490-4e6b-bb69-d02be4b03f07\",\r\n \"type\": \"Microsoft.SecurityInsights/AlertRuleTemplates\",\r\n \"kind\": \"Scheduled\",\r\n \"properties\": {\r\n \"severity\": \"Medium\",\r\n \"query\": \"let dt_lookBack = 1h;\\nlet ioc_lookBack = 14d;\\nThreatIntelligenceIndicator\\n| where TimeGenerated >= ago(ioc_lookBack) and ExpirationDateTime > now()\\n| where Active == true\\n// Picking up only IOC's that contain the entities we want\\n| where isnotempty(NetworkIP) or isnotempty(EmailSourceIpAddress) or isnotempty(NetworkDestinationIP) or isnotempty(NetworkSourceIP)\\n// As there is potentially more than 1 indicator type for matching IP, taking NetworkIP first, then others if that is empty.\\n// Taking the first non-empty value based on potential IOC match availability\\n| extend TI_ipEntity = iff(isnotempty(NetworkIP), NetworkIP, NetworkDestinationIP)\\n| extend TI_ipEntity = iff(isempty(TI_ipEntity) and isnotempty(NetworkSourceIP), NetworkSourceIP, TI_ipEntity)\\n| extend TI_ipEntity = iff(isempty(TI_ipEntity) and isnotempty(EmailSourceIpAddress), EmailSourceIpAddress, TI_ipEntity)\\n| join (\\n AzureNetworkAnalytics_CL\\n | where TimeGenerated >= ago(dt_lookBack)\\n // renaming time column so it is clear the log this came from\\n | extend AzureNetworkAnalytics_CL_TimeGenerated = TimeGenerated\\n // NSG Flow Logs have additional information concat with Public IP, removing onlp Public IP\\n | extend PIPs = split(PublicIPs_s, '|', 0)\\n | extend PIP = tostring(PIPs[0])\\n)\\non $left.TI_ipEntity == $right.PIP\\n| summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId\\n// Set to alert on Allowed NSG Flows from TI Public IP IOC\\n| where FlowStatus_s == \\\"A\\\"\\n| project LatestIndicatorTime, Description, ActivityGroupNames, IndicatorId, ThreatType, Url, ExpirationDateTime, ConfidenceScore, AzureNetworkAnalytics_CL_TimeGenerated,\\nTI_ipEntity, Computer, FlowDirection_s, FlowStatus_s, FlowType_s, SrcPublicIPs_s, DestPublicIPs_s, PublicIPs_s, L7Protocol_s, DestPort_d, NetworkIP, NetworkDestinationIP, NetworkSourceIP, EmailSourceIpAddress\\n| extend timestamp = AzureNetworkAnalytics_CL_TimeGenerated, IPCustomEntity = TI_ipEntity, HostCustomEntity = Computer, URLCustomEntity = Url\",\r\n \"queryFrequency\": \"PT1H\",\r\n \"queryPeriod\": \"P14D\",\r\n \"triggerOperator\": \"GreaterThan\",\r\n \"triggerThreshold\": 0,\r\n \"entityMappings\": [\r\n {\r\n \"entityType\": \"Host\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"FullName\",\r\n \"columnName\": \"HostCustomEntity\"\r\n }\r\n ]\r\n },\r\n {\r\n \"entityType\": \"IP\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"Address\",\r\n \"columnName\": \"IPCustomEntity\"\r\n }\r\n ]\r\n },\r\n {\r\n \"entityType\": \"URL\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"Url\",\r\n \"columnName\": \"URLCustomEntity\"\r\n }\r\n ]\r\n }\r\n ],\r\n \"displayName\": \"(Preview) TI map IP entity to AzureNetworkAnalytics_CL (NSG Flow Logs)\",\r\n \"description\": \"Identifies a match in AzureNetworkAnalytics_CL (NSG Flow Logs) from any IP IOC from TI that was Allowed\",\r\n \"tactics\": [\r\n \"Impact\"\r\n ],\r\n \"lastUpdatedDateUTC\": \"2020-11-17T00:00:00Z\",\r\n \"createdDateUTC\": \"2019-08-27T00:00:00Z\",\r\n \"status\": \"Available\",\r\n \"requiredDataConnectors\": [\r\n {\r\n \"connectorId\": \"ThreatIntelligence\",\r\n \"dataTypes\": [\r\n \"ThreatIntelligenceIndicator\"\r\n ]\r\n },\r\n {\r\n \"connectorId\": \"ThreatIntelligenceTaxii\",\r\n \"dataTypes\": [\r\n \"ThreatIntelligenceIndicator\"\r\n ]\r\n },\r\n {\r\n \"connectorId\": \"AzureNetworkAnalytics_CL(NSG Flow Logs)\",\r\n \"dataTypes\": [\r\n \"AzureNetworkAnalytics_CL\"\r\n ]\r\n }\r\n ],\r\n \"alertRulesCreatedByTemplateCount\": 0\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/AlertRuleTemplates/ffcd575b-3d54-482a-a6d8-d0de13b6ac63\",\r\n \"name\": \"ffcd575b-3d54-482a-a6d8-d0de13b6ac63\",\r\n \"type\": \"Microsoft.SecurityInsights/AlertRuleTemplates\",\r\n \"kind\": \"Scheduled\",\r\n \"properties\": {\r\n \"severity\": \"Medium\",\r\n \"query\": \"let dt_lookBack = 1h;\\nlet ioc_lookBack = 14d;\\nlet emailregex = @'^[a-zA-Z0-9_.+-]+@[a-zA-Z0-9-]+\\\\.[a-zA-Z0-9-.]+$';\\nThreatIntelligenceIndicator\\n| where TimeGenerated >= ago(ioc_lookBack) and ExpirationDateTime > now()\\n| where Active == true\\n//Filtering the table for Email related IOCs\\n| where isnotempty(EmailRecipient)\\n| join (\\n CommonSecurityLog | where TimeGenerated >= ago(dt_lookBack) and isnotempty(DestinationUserID)\\n // Filtering PAN Logs for specific event type to match relevant email entities\\n | where DeviceVendor == \\\"Palo Alto Networks\\\" and DeviceEventClassID == \\\"wildfire\\\" and ApplicationProtocol in (\\\"smtp\\\",\\\"pop3\\\")\\n | extend DestinationUserID = tolower(DestinationUserID)\\n | where DestinationUserID matches regex emailregex\\n | extend CommonSecurityLog_TimeGenerated = TimeGenerated\\n)\\non $left.EmailRecipient == $right.DestinationUserID\\n| summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId\\n| project LatestIndicatorTime, Description, ActivityGroupNames, IndicatorId, ThreatType, Url, ExpirationDateTime, ConfidenceScore, CommonSecurityLog_TimeGenerated,\\nEmailSenderName, EmailSourceDomain, EmailSourceIpAddress, EmailSubject, FileHashValue, FileHashType, DestinationUserID, DeviceEventClassID, LogSeverity, DeviceAction,\\nSourceIP, SourcePort, DestinationIP, DestinationPort, Protocol, ApplicationProtocol\\n| extend timestamp = CommonSecurityLog_TimeGenerated, AccountCustomEntity = DestinationUserID, IPCustomEntity = SourceIP, URLCustomEntity = Url\",\r\n \"queryFrequency\": \"PT1H\",\r\n \"queryPeriod\": \"P14D\",\r\n \"triggerOperator\": \"GreaterThan\",\r\n \"triggerThreshold\": 0,\r\n \"entityMappings\": [\r\n {\r\n \"entityType\": \"Account\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"FullName\",\r\n \"columnName\": \"AccountCustomEntity\"\r\n }\r\n ]\r\n },\r\n {\r\n \"entityType\": \"IP\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"Address\",\r\n \"columnName\": \"IPCustomEntity\"\r\n }\r\n ]\r\n },\r\n {\r\n \"entityType\": \"URL\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"Url\",\r\n \"columnName\": \"URLCustomEntity\"\r\n }\r\n ]\r\n }\r\n ],\r\n \"displayName\": \"(Preview) TI map Email entity to CommonSecurityLog\",\r\n \"description\": \"Identifies a match in CommonSecurityLog table from any Email IOC from TI\",\r\n \"tactics\": [\r\n \"Impact\"\r\n ],\r\n \"lastUpdatedDateUTC\": \"2020-11-17T00:00:00Z\",\r\n \"createdDateUTC\": \"2019-08-28T00:00:00Z\",\r\n \"status\": \"Available\",\r\n \"requiredDataConnectors\": [\r\n {\r\n \"connectorId\": \"PaloAltoNetworks\",\r\n \"dataTypes\": [\r\n \"CommonSecurityLog\"\r\n ]\r\n },\r\n {\r\n \"connectorId\": \"ThreatIntelligence\",\r\n \"dataTypes\": [\r\n \"ThreatIntelligenceIndicator\"\r\n ]\r\n },\r\n {\r\n \"connectorId\": \"ThreatIntelligenceTaxii\",\r\n \"dataTypes\": [\r\n \"ThreatIntelligenceIndicator\"\r\n ]\r\n }\r\n ],\r\n \"alertRulesCreatedByTemplateCount\": 0\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/AlertRuleTemplates/d6190dde-8fd2-456a-ac5b-0a32400b0464\",\r\n \"name\": \"d6190dde-8fd2-456a-ac5b-0a32400b0464\",\r\n \"type\": \"Microsoft.SecurityInsights/AlertRuleTemplates\",\r\n \"kind\": \"Scheduled\",\r\n \"properties\": {\r\n \"severity\": \"Medium\",\r\n \"query\": \"let timeframe = 1d;\\nlet ProcessCreationEvents=() {\\nlet processEvents=SecurityEvent\\n| where EventID==4688\\n| where isnotempty(CommandLine)\\n| project TimeGenerated, Computer, Account = SubjectUserName, AccountDomain = SubjectDomainName, FileName = Process, CommandLine, ParentProcessName;\\nprocessEvents;\\n};\\nProcessCreationEvents \\n| where TimeGenerated > ago(timeframe) \\n| where CommandLine contains \\\".decode('base64')\\\"\\n or CommandLine contains \\\"base64 --decode\\\"\\n or CommandLine contains \\\".decode64(\\\" \\n| summarize StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated), CountToday = count() by Computer, Account, AccountDomain, FileName, CommandLine, ParentProcessName \\n| extend timestamp = StartTimeUtc, AccountCustomEntity = Account, HostCustomEntity = Computer\",\r\n \"queryFrequency\": \"P1D\",\r\n \"queryPeriod\": \"P1D\",\r\n \"triggerOperator\": \"GreaterThan\",\r\n \"triggerThreshold\": 0,\r\n \"entityMappings\": [\r\n {\r\n \"entityType\": \"Account\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"FullName\",\r\n \"columnName\": \"AccountCustomEntity\"\r\n }\r\n ]\r\n },\r\n {\r\n \"entityType\": \"Host\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"FullName\",\r\n \"columnName\": \"HostCustomEntity\"\r\n }\r\n ]\r\n }\r\n ],\r\n \"displayName\": \"Process executed from binary hidden in Base64 encoded file\",\r\n \"description\": \"Encoding malicious software is a technique used to obfuscate files from detection. \\nThe first CommandLine component is looking for Python decoding base64. \\nThe second CommandLine component is looking for Bash/sh command line base64 decoding.\\nThe third one is looking for Ruby decoding base64.\",\r\n \"tactics\": [\r\n \"Execution\",\r\n \"DefenseEvasion\"\r\n ],\r\n \"lastUpdatedDateUTC\": \"2020-11-17T00:00:00Z\",\r\n \"createdDateUTC\": \"2019-01-24T00:00:00Z\",\r\n \"status\": \"Available\",\r\n \"requiredDataConnectors\": [\r\n {\r\n \"connectorId\": \"SecurityEvents\",\r\n \"dataTypes\": [\r\n \"SecurityEvent\"\r\n ]\r\n }\r\n ],\r\n \"alertRulesCreatedByTemplateCount\": 0\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/AlertRuleTemplates/532c1811-79ee-4d9f-8d4d-6304c840daa1\",\r\n \"name\": \"532c1811-79ee-4d9f-8d4d-6304c840daa1\",\r\n \"type\": \"Microsoft.SecurityInsights/AlertRuleTemplates\",\r\n \"kind\": \"MicrosoftSecurityIncidentCreation\",\r\n \"properties\": {\r\n \"productFilter\": \"Azure Active Directory Identity Protection\",\r\n \"displayName\": \"Create incidents based on Azure Active Directory Identity Protection alerts\",\r\n \"description\": \"Create incidents based on all alerts generated in Azure Active Directory Identity Protection\",\r\n \"lastUpdatedDateUTC\": \"2019-07-16T00:00:00Z\",\r\n \"createdDateUTC\": \"2019-07-16T00:00:00Z\",\r\n \"status\": \"Available\",\r\n \"requiredDataConnectors\": [\r\n {\r\n \"connectorId\": \"AzureActiveDirectoryIdentityProtection\",\r\n \"dataTypes\": [\r\n \"SecurityAlert (IPC)\"\r\n ]\r\n }\r\n ],\r\n \"alertRulesCreatedByTemplateCount\": 0\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/AlertRuleTemplates/2391ce61-8c8d-41ac-9723-d945b2e90720\",\r\n \"name\": \"2391ce61-8c8d-41ac-9723-d945b2e90720\",\r\n \"type\": \"Microsoft.SecurityInsights/AlertRuleTemplates\",\r\n \"kind\": \"Scheduled\",\r\n \"properties\": {\r\n \"severity\": \"Low\",\r\n \"query\": \"let starttime = 8d;\\nlet endtime = 1d;\\nlet threshold = 0.333;\\nlet countlimit = 50;\\nSecurityEvent\\n| where TimeGenerated >= ago(endtime)\\n| where EventID == 4625 and AccountType =~ \\\"User\\\"\\n| where IpAddress !in (\\\"127.0.0.1\\\", \\\"::1\\\")\\n| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated), CountToday = count() by EventID, Account, LogonTypeName, SubStatus, AccountType, Computer, WorkstationName, IpAddress\\n| join kind=leftouter (\\n SecurityEvent \\n | where TimeGenerated between (ago(starttime) .. ago(endtime))\\n | where EventID == 4625 and AccountType =~ \\\"User\\\"\\n | where IpAddress !in (\\\"127.0.0.1\\\", \\\"::1\\\")\\n | summarize CountPrev7day = count() by EventID, Account, LogonTypeName, SubStatus, AccountType, Computer, WorkstationName, IpAddress\\n) on EventID, Account, LogonTypeName, SubStatus, AccountType, Computer, WorkstationName, IpAddress\\n| where CountToday >= coalesce(CountPrev7day,0)*threshold and CountToday >= countlimit\\n//SubStatus Codes are detailed here - https://docs.microsoft.com/windows/security/threat-protection/auditing/event-4625\\n| extend Reason = case(\\nSubStatus =~ '0xC000005E', 'There are currently no logon servers available to service the logon request.',\\nSubStatus =~ '0xC0000064', 'User logon with misspelled or bad user account',\\nSubStatus =~ '0xC000006A', 'User logon with misspelled or bad password', \\nSubStatus =~ '0xC000006D', 'Bad user name or password',\\nSubStatus =~ '0xC000006E', 'Unknown user name or bad password',\\nSubStatus =~ '0xC000006F', 'User logon outside authorized hours',\\nSubStatus =~ '0xC0000070', 'User logon from unauthorized workstation',\\nSubStatus =~ '0xC0000071', 'User logon with expired password',\\nSubStatus =~ '0xC0000072', 'User logon to account disabled by administrator',\\nSubStatus =~ '0xC00000DC', 'Indicates the Sam Server was in the wrong state to perform the desired operation', \\nSubStatus =~ '0xC0000133', 'Clocks between DC and other computer too far out of sync',\\nSubStatus =~ '0xC000015B', 'The user has not been granted the requested logon type (aka logon right) at this machine',\\nSubStatus =~ '0xC000018C', 'The logon request failed because the trust relationship between the primary domain and the trusted domain failed',\\nSubStatus =~ '0xC0000192', 'An attempt was made to logon, but the Netlogon service was not started',\\nSubStatus =~ '0xC0000193', 'User logon with expired account',\\nSubStatus =~ '0xC0000224', 'User is required to change password at next logon',\\nSubStatus =~ '0xC0000225', 'Evidently a bug in Windows and not a risk',\\nSubStatus =~ '0xC0000234', 'User logon with account locked',\\nSubStatus =~ '0xC00002EE', 'Failure Reason: An Error occurred during Logon',\\nSubStatus =~ '0xC0000413', 'Logon Failure: The machine you are logging onto is protected by an authentication firewall. The specified account is not allowed to authenticate to the machine',\\nstrcat('Unknown reason substatus: ', SubStatus))\\n| extend WorkstationName = iff(WorkstationName == \\\"-\\\" or isempty(WorkstationName), Computer , WorkstationName) \\n| project StartTime, EndTime, EventID, Account, LogonTypeName, SubStatus, Reason, AccountType, Computer, WorkstationName, IpAddress, CountToday, CountPrev7day, Avg7Day = round(CountPrev7day*1.00/7,2)\\n| summarize StartTime = min(StartTime), EndTime = max(EndTime), Computer = make_set(Computer,128), IpAddressList = make_set(IpAddress,128), sum(CountToday), sum(CountPrev7day), avg(Avg7Day) \\nby EventID, Account, LogonTypeName, SubStatus, Reason, AccountType, WorkstationName\\n| order by sum_CountToday desc nulls last \\n| extend timestamp = StartTime, AccountCustomEntity = Account, HostCustomEntity = WorkstationName\",\r\n \"queryFrequency\": \"P1D\",\r\n \"queryPeriod\": \"P8D\",\r\n \"triggerOperator\": \"GreaterThan\",\r\n \"triggerThreshold\": 0,\r\n \"entityMappings\": [\r\n {\r\n \"entityType\": \"Account\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"FullName\",\r\n \"columnName\": \"AccountCustomEntity\"\r\n }\r\n ]\r\n },\r\n {\r\n \"entityType\": \"Host\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"FullName\",\r\n \"columnName\": \"HostCustomEntity\"\r\n }\r\n ]\r\n }\r\n ],\r\n \"displayName\": \"Excessive Windows logon failures\",\r\n \"description\": \"User has over 50 Windows logon failures today and at least 33% of the count of logon failures over the previous 7 days.\",\r\n \"tactics\": [\r\n \"CredentialAccess\"\r\n ],\r\n \"lastUpdatedDateUTC\": \"2020-11-17T00:00:00Z\",\r\n \"createdDateUTC\": \"2019-02-22T00:00:00Z\",\r\n \"status\": \"Available\",\r\n \"requiredDataConnectors\": [\r\n {\r\n \"connectorId\": \"SecurityEvents\",\r\n \"dataTypes\": [\r\n \"SecurityEvent\"\r\n ]\r\n }\r\n ],\r\n \"alertRulesCreatedByTemplateCount\": 0\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/AlertRuleTemplates/f2dd4a3a-ebac-4994-9499-1a859938c947\",\r\n \"name\": \"f2dd4a3a-ebac-4994-9499-1a859938c947\",\r\n \"type\": \"Microsoft.SecurityInsights/AlertRuleTemplates\",\r\n \"kind\": \"Scheduled\",\r\n \"properties\": {\r\n \"severity\": \"Medium\",\r\n \"query\": \"let starttime = 14d;\\nlet endtime = 1d;\\nlet timeframe = 1h;\\nlet scorethreshold = 5;\\nlet bytessentperhourthreshold = 10;\\nlet PrivateIPregex = @'^127\\\\.|^10\\\\.|^172\\\\.1[6-9]\\\\.|^172\\\\.2[0-9]\\\\.|^172\\\\.3[0-1]\\\\.|^192\\\\.168\\\\.';\\nlet TimeSeriesData = (union isfuzzy=true\\n(\\nVMConnection\\n| where TimeGenerated between (startofday(ago(starttime))..startofday(ago(endtime)))\\n| where isnotempty(DestinationIP) and isnotempty(SourceIP)\\n| extend DestinationIpType = iff(DestinationIp matches regex PrivateIPregex,\\\"private\\\" ,\\\"public\\\" )\\n| where DestinationIpType == \\\"public\\\" | extend DeviceVendor = \\\"VMConnection\\\"\\n| project TimeGenerated, BytesSent, DeviceVendor\\n| make-series TotalBytesSent=sum(BytesSent) on TimeGenerated from startofday(ago(starttime)) to startofday(ago(endtime)) step timeframe by DeviceVendor\\n),\\n(\\nCommonSecurityLog \\n| where TimeGenerated between (startofday(ago(starttime))..startofday(ago(endtime)))\\n| where isnotempty(DestinationIP) and isnotempty(SourceIP)\\n| extend DestinationIpType = iff(DestinationIP matches regex PrivateIPregex,\\\"private\\\" ,\\\"public\\\" )\\n| where DestinationIpType == \\\"public\\\"\\n| project TimeGenerated, SentBytes, DeviceVendor\\n| make-series TotalBytesSent=sum(SentBytes) on TimeGenerated from startofday(ago(starttime)) to startofday(ago(endtime)) step timeframe by DeviceVendor\\n)\\n);\\n//Filter anomolies against TimeSeriesData\\nlet TimeSeriesAlerts = TimeSeriesData\\n| extend (anomalies, score, baseline) = series_decompose_anomalies(TotalBytesSent, scorethreshold, -1, 'linefit')\\n| mv-expand TotalBytesSent to typeof(double), TimeGenerated to typeof(datetime), anomalies to typeof(double),score to typeof(double), baseline to typeof(long)\\n| where anomalies > 0 | extend AnomalyHour = TimeGenerated \\n| extend TotalBytesSentinMBperHour = round(((TotalBytesSent / 1024)/1024),2), baselinebytessentperHour = round(((baseline / 1024)/1024),2), score = round(score,2)\\n| project DeviceVendor, AnomalyHour, TimeGenerated, TotalBytesSentinMBperHour, baselinebytessentperHour, anomalies, score;\\n//Union of all BaseLogs aggregated per hour\\nlet BaseLogs = (union isfuzzy=true\\n(\\nCommonSecurityLog \\n| where isnotempty(DestinationIP) and isnotempty(SourceIP)\\n| where TimeGenerated between (startofday(ago(starttime))..startofday(ago(endtime))) \\n| extend SentBytesinMB = ((SentBytes / 1024)/1024), ReceivedBytesinMB = ((ReceivedBytes / 1024)/1024) \\n| summarize HourlyCount = count(), TimeGeneratedMax=arg_max(TimeGenerated, *), DestinationIPList=make_set(DestinationIP), DestinationPortList = make_set(DestinationPort), TotalSentBytesinMB = sum(SentBytesinMB), TotalReceivedBytesinMB = sum(ReceivedBytesinMB) by SourceIP, DeviceVendor, TimeGeneratedHour=bin(TimeGenerated,1h)\\n| project DeviceVendor, TimeGeneratedHour, TimeGeneratedMax, SourceIP, DestinationIPList, DestinationPortList, TotalSentBytesinMB, TotalReceivedBytesinMB\\n| where TotalSentBytesinMB > bytessentperhourthreshold\\n),\\n(\\nVMConnection \\n| where isnotempty(DestinationIp) and isnotempty(SourceIp)\\n| where TimeGenerated between (startofday(ago(starttime))..startofday(ago(endtime))) \\n| extend DeviceVendor = \\\"VMConnection\\\", SourceIP = SourceIp, DestinationIP = DestinationIp\\n| extend SentBytesinMB = ((BytesSent / 1024)/1024), ReceivedBytesinMB = ((BytesReceived / 1024)/1024)\\n| summarize HourlyCount = count(),TimeGeneratedMax=arg_max(TimeGenerated, *), DestinationIPList=make_set(DestinationIP), DestinationPortList = make_set(DestinationPort), TotalSentBytesinMB = sum(SentBytesinMB),TotalReceivedBytesinMB = sum(ReceivedBytesinMB) by SourceIP, DestinationIP, DeviceVendor, TimeGeneratedHour=bin(TimeGenerated,1h)\\n| project DeviceVendor, TimeGeneratedHour, TimeGeneratedMax, SourceIP, DestinationIPList, DestinationPortList, TotalSentBytesinMB, TotalReceivedBytesinMB \\n| where TotalSentBytesinMB > bytessentperhourthreshold\\n)\\n);\\n// Join against base logs to retrive records associated with the hour of anomoly\\nTimeSeriesAlerts\\n| join (\\n BaseLogs | extend AnomalyHour = TimeGeneratedHour\\n) on DeviceVendor, AnomalyHour | sort by score desc \\n| project DeviceVendor, AnomalyHour,TimeGeneratedMax, SourceIP, DestinationIPList, DestinationPortList, TotalSentBytesinMB, TotalReceivedBytesinMB, TotalBytesSentinMBperHour, baselinebytessentperHour, score, anomalies \\n| summarize EventCount = count(), StartTimeUtc= min(TimeGeneratedMax), EndTimeUtc= max(TimeGeneratedMax), SourceIPMax= arg_max(SourceIP,*), TotalBytesSentinMB = sum(TotalSentBytesinMB), TotalBytesReceivedinMB = sum(TotalReceivedBytesinMB), SourceIPList = make_set(SourceIP), DestinationIPList = make_set(DestinationIPList) by AnomalyHour,TotalBytesSentinMBperHour, baselinebytessentperHour, score, anomalies\\n| project DeviceVendor, AnomalyHour, StartTimeUtc, EndTimeUtc, SourceIPMax, SourceIPList, DestinationIPList, DestinationPortList, TotalBytesSentinMB, TotalBytesReceivedinMB, TotalBytesSentinMBperHour, baselinebytessentperHour, score, anomalies, EventCount \\n| extend timestamp =EndTimeUtc, IPCustomEntity = SourceIPMax\",\r\n \"queryFrequency\": \"PT1H\",\r\n \"queryPeriod\": \"P14D\",\r\n \"triggerOperator\": \"GreaterThan\",\r\n \"triggerThreshold\": 1,\r\n \"entityMappings\": [\r\n {\r\n \"entityType\": \"IP\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"Address\",\r\n \"columnName\": \"IPCustomEntity\"\r\n }\r\n ]\r\n }\r\n ],\r\n \"displayName\": \"Time series anomaly for data size transferred to public internet\",\r\n \"description\": \"Identifies anomalous data transfer to public networks. The query leverages built-in KQL anomaly detection algorithms that detects large deviations from a baseline pattern. \\nA sudden increase in data transferred to unknown public networks is an indication of data exfiltration attempts and should be investigated. \\nThe higher the score, the further it is from the baseline value.\\nThe output is aggregated to provide summary view of unique source IP to destination IP address and port bytes sent traffic observed in the flagged anomaly hour. \\nThe source IP addresses which were sending less than bytessentperhourthreshold have been exluded whose value can be adjusted as needed .\\nYou may have to run queries for individual source IP addresses from SourceIPlist to determine if anything looks suspicious\",\r\n \"tactics\": [\r\n \"Exfiltration\"\r\n ],\r\n \"lastUpdatedDateUTC\": \"2020-11-17T00:00:00Z\",\r\n \"createdDateUTC\": \"2019-05-07T00:00:00Z\",\r\n \"status\": \"Available\",\r\n \"requiredDataConnectors\": [\r\n {\r\n \"connectorId\": \"CiscoASA\",\r\n \"dataTypes\": [\r\n \"CommonSecurityLog\"\r\n ]\r\n },\r\n {\r\n \"connectorId\": \"PaloAltoNetworks\",\r\n \"dataTypes\": [\r\n \"CommonSecurityLog\"\r\n ]\r\n },\r\n {\r\n \"connectorId\": \"AzureMonitor(VMInsights)\",\r\n \"dataTypes\": [\r\n \"VMConnection\"\r\n ]\r\n }\r\n ],\r\n \"alertRulesCreatedByTemplateCount\": 0\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/AlertRuleTemplates/70b12a3b-4896-42cb-910c-5ffaf8d7987d\",\r\n \"name\": \"70b12a3b-4896-42cb-910c-5ffaf8d7987d\",\r\n \"type\": \"Microsoft.SecurityInsights/AlertRuleTemplates\",\r\n \"kind\": \"Scheduled\",\r\n \"properties\": {\r\n \"severity\": \"High\",\r\n \"query\": \"let timeframe = 1d;\\nlet DomainNames = dynamic([\\\"seoulhobi.biz\\\", \\\"reader.cash\\\", \\\"pieceview.club\\\", \\\"app-wallet.com\\\", \\\"bigwnet.com\\\", \\\"bitwoll.com\\\", \\\"cexrout.com\\\", \\\"change-pw.com\\\", \\\"checkprofie.com\\\", \\\"cloudwebappservice.com\\\", \\\"ctquast.com\\\", \\\"dataviewering.com\\\", \\\"day-post.com\\\", \\\"dialy-post.com\\\", \\\"documentviewingcom.com\\\", \\\"dovvn-mail.com\\\", \\\"down-error.com\\\", \\\"drivecheckingcom.com\\\", \\\"drog-service.com\\\", \\\"encodingmail.com\\\", \\\"filinvestment.com\\\", \\\"foldershareing.com\\\", \\\"golangapis.com\\\", \\\"hotrnall.com\\\", \\\"lh-logins.com\\\", \\\"login-use.com\\\", \\\"mail-down.com\\\", \\\"matmiho.com\\\", \\\"mihomat.com\\\", \\\"natwpersonal-online.com\\\", \\\"nidlogin.com\\\", \\\"nid-login.com\\\", \\\"nidlogon.com\\\", \\\"pw-change.com\\\", \\\"rnaii.com\\\", \\\"rnailm.com\\\", \\\"sec-live.com\\\", \\\"secrityprocessing.com\\\", \\\"securitedmode.com\\\", \\\"securytingmail.com\\\", \\\"set-login.com\\\", \\\"usrchecking.com\\\", \\\"com-serviceround.info\\\", \\\"mai1.info\\\", \\\"reviewer.mobi\\\", \\\"files-download.net\\\", \\\"fixcool.net\\\", \\\"hanrnaii.net\\\", \\\"office356-us.org\\\", \\\"smtper.org\\\"]);\\n(union isfuzzy=true\\n(CommonSecurityLog \\n| where TimeGenerated >= ago(timeframe) \\n| parse Message with * '(' DNSName ')' * \\n| where isnotempty(FileHash)\\n| where DNSName in~ (DomainNames)\\n| extend Account = SourceUserID, Computer = DeviceName, IPAddress = SourceIP\\n),\\n(DnsEvents \\n| where TimeGenerated >= ago(timeframe) \\n| extend DNSName = Name\\n| where isnotempty(DNSName)\\n| where DNSName in~ (DomainNames)\\n| extend IPAddress = ClientIP\\n),\\n(VMConnection \\n| where TimeGenerated >= ago(timeframe) \\n| parse RemoteDnsCanonicalNames with * '[\\\"' DNSName '\\\"]' *\\n| where isnotempty(DNSName)\\n| where DNSName in~ (DomainNames)\\n| extend IPAddress = RemoteIp\\n)\\n)\\n| extend timestamp = TimeGenerated, AccountCustomEntity = Account, HostCustomEntity = Computer, IPCustomEntity = IPAddress\",\r\n \"queryFrequency\": \"P1D\",\r\n \"queryPeriod\": \"P1D\",\r\n \"triggerOperator\": \"GreaterThan\",\r\n \"triggerThreshold\": 0,\r\n \"entityMappings\": [\r\n {\r\n \"entityType\": \"Account\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"FullName\",\r\n \"columnName\": \"AccountCustomEntity\"\r\n }\r\n ]\r\n },\r\n {\r\n \"entityType\": \"Host\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"FullName\",\r\n \"columnName\": \"HostCustomEntity\"\r\n }\r\n ]\r\n },\r\n {\r\n \"entityType\": \"IP\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"Address\",\r\n \"columnName\": \"IPCustomEntity\"\r\n }\r\n ]\r\n }\r\n ],\r\n \"displayName\": \"THALLIUM domains included in DCU takedown\",\r\n \"description\": \"THALLIUM spearphishing and command and control domains included in December 2019 DCU/MSTIC takedown. \\n Matches domain name IOCs related to the THALLIUM activity group with CommonSecurityLog, DnsEvents, VMConnection and SecurityEvents dataTypes.\\n References: https://blogs.microsoft.com/on-the-issues/2019/12/30/microsoft-court-action-against-nation-state-cybercrime/ \",\r\n \"tactics\": [\r\n \"CommandAndControl\",\r\n \"CredentialAccess\"\r\n ],\r\n \"lastUpdatedDateUTC\": \"2020-11-17T00:00:00Z\",\r\n \"createdDateUTC\": \"2020-01-06T00:00:00Z\",\r\n \"status\": \"Available\",\r\n \"requiredDataConnectors\": [\r\n {\r\n \"connectorId\": \"DNS\",\r\n \"dataTypes\": [\r\n \"DnsEvents\"\r\n ]\r\n },\r\n {\r\n \"connectorId\": \"AzureMonitor(VMInsights)\",\r\n \"dataTypes\": [\r\n \"VMConnection\"\r\n ]\r\n },\r\n {\r\n \"connectorId\": \"CiscoASA\",\r\n \"dataTypes\": [\r\n \"CommonSecurityLog\"\r\n ]\r\n },\r\n {\r\n \"connectorId\": \"PaloAltoNetworks\",\r\n \"dataTypes\": [\r\n \"CommonSecurityLog\"\r\n ]\r\n }\r\n ],\r\n \"alertRulesCreatedByTemplateCount\": 0\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/AlertRuleTemplates/06a9b845-6a95-4432-a78b-83919b28c375\",\r\n \"name\": \"06a9b845-6a95-4432-a78b-83919b28c375\",\r\n \"type\": \"Microsoft.SecurityInsights/AlertRuleTemplates\",\r\n \"kind\": \"Scheduled\",\r\n \"properties\": {\r\n \"severity\": \"Medium\",\r\n \"query\": \"let starttime = 14d;\\nlet endtime = 1d;\\nlet timeframe = 1h;\\nlet scorethreshold = 5;\\nlet percentotalthreshold = 25;\\nlet TimeSeriesData = CommonSecurityLog \\n| where isnotempty(DestinationIP) and isnotempty(SourceIP)\\n| where TimeGenerated between (startofday(ago(starttime))..startofday(ago(endtime)))\\n| project TimeGenerated,SourceIP, DestinationIP, DeviceVendor\\n| make-series Total=count() on TimeGenerated from startofday(ago(starttime)) to startofday(ago(endtime)) step timeframe by DeviceVendor;\\n//Filtering specific records associated with spikes as outliers\\nlet TimeSeriesAlerts=TimeSeriesData\\n| extend (anomalies, score, baseline) = series_decompose_anomalies(Total, scorethreshold, -1, 'linefit')\\n| mv-expand Total to typeof(double), TimeGenerated to typeof(datetime), anomalies to typeof(double),score to typeof(double), baseline to typeof(long)\\n| where anomalies > 0 | extend score = round(score,2), AnomalyHour = TimeGenerated\\n| project DeviceVendor,AnomalyHour, TimeGenerated, Total, baseline, anomalies, score;\\n//Join anomalies with Base Data to popalate associated records for investigation - Results sorted by score in descending order \\nTimeSeriesAlerts \\n| join (\\n CommonSecurityLog \\n| where isnotempty(DestinationIP) and isnotempty(SourceIP)\\n| where TimeGenerated between (startofday(ago(starttime))..startofday(ago(endtime)))\\n| summarize HourlyCount = count(), TimeGeneratedMax = arg_max(TimeGenerated, *), DestinationIPlist = make_set(DestinationIP), DestinationPortlist = make_set(DestinationPort) by DeviceVendor, SourceIP, TimeGeneratedHour= bin(TimeGenerated, 1h)\\n| extend AnomalyHour = TimeGeneratedHour\\n) on AnomalyHour, DeviceVendor \\n| extend PercentTotal = round((HourlyCount / Total) * 100, 3)\\n| where PercentTotal > percentotalthreshold\\n| project DeviceVendor , AnomalyHour, TimeGeneratedMax, SourceIP, DestinationIPlist, DestinationPortlist, HourlyCount, PercentTotal, Total, baseline, score, anomalies\\n| summarize HourlyCount=sum(HourlyCount), StartTimeUtc=min(TimeGeneratedMax), EndTimeUtc=max(TimeGeneratedMax), SourceIPlist = make_set(SourceIP), SourceIPMax= arg_max(SourceIP, *), DestinationIPlist = make_set(DestinationIPlist), DestinationPortlist = make_set(DestinationPortlist) by DeviceVendor , AnomalyHour, Total, baseline, score, anomalies\\n| project DeviceVendor , AnomalyHour, EndTimeUtc, SourceIPMax ,SourceIPlist, DestinationIPlist, DestinationPortlist, HourlyCount, Total, baseline, score, anomalies\\n| extend timestamp= EndTimeUtc , IPCustomEntity = SourceIPMax\",\r\n \"queryFrequency\": \"PT1H\",\r\n \"queryPeriod\": \"P14D\",\r\n \"triggerOperator\": \"GreaterThan\",\r\n \"triggerThreshold\": 3,\r\n \"entityMappings\": [\r\n {\r\n \"entityType\": \"IP\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"Address\",\r\n \"columnName\": \"IPCustomEntity\"\r\n }\r\n ]\r\n }\r\n ],\r\n \"displayName\": \"Time series anomaly detection for total volume of traffic\",\r\n \"description\": \"Identifies anamalous spikes in network traffic logs as compared to baseline or normal historical patterns. \\nThe query leverages a KQL built-in anomaly detection algorithm to find large deviations from baseline patterns. \\nSudden increases in network traffic volume may be an indication of data exfiltration attempts and should be investigated.\\nThe higher the score, the further it is from the baseline value.\\nThe output is aggregated to provide summary view of unique source IP to destination IP address and port traffic observed in the flagged anomaly hour. \\nThe source IP addresses which were sending less than percentotalthreshold of the total traffic have been exluded whose value can be adjusted as needed .\\nYou may have to run queries for individual source IP addresses from SourceIPlist to determine if anything looks suspicious\",\r\n \"tactics\": [\r\n \"Exfiltration\"\r\n ],\r\n \"lastUpdatedDateUTC\": \"2020-11-17T00:00:00Z\",\r\n \"createdDateUTC\": \"2019-05-07T00:00:00Z\",\r\n \"status\": \"Available\",\r\n \"requiredDataConnectors\": [\r\n {\r\n \"connectorId\": \"Barracuda\",\r\n \"dataTypes\": [\r\n \"CommonSecurityLog\"\r\n ]\r\n },\r\n {\r\n \"connectorId\": \"CEF\",\r\n \"dataTypes\": [\r\n \"CommonSecurityLog\"\r\n ]\r\n },\r\n {\r\n \"connectorId\": \"CheckPoint\",\r\n \"dataTypes\": [\r\n \"CommonSecurityLog\"\r\n ]\r\n },\r\n {\r\n \"connectorId\": \"CiscoASA\",\r\n \"dataTypes\": [\r\n \"CommonSecurityLog\"\r\n ]\r\n },\r\n {\r\n \"connectorId\": \"F5\",\r\n \"dataTypes\": [\r\n \"CommonSecurityLog\"\r\n ]\r\n },\r\n {\r\n \"connectorId\": \"Fortinet\",\r\n \"dataTypes\": [\r\n \"CommonSecurityLog\"\r\n ]\r\n },\r\n {\r\n \"connectorId\": \"PaloAltoNetworks\",\r\n \"dataTypes\": [\r\n \"CommonSecurityLog\"\r\n ]\r\n }\r\n ],\r\n \"alertRulesCreatedByTemplateCount\": 0\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/AlertRuleTemplates/3533f74c-9207-4047-96e2-0eb9383be587\",\r\n \"name\": \"3533f74c-9207-4047-96e2-0eb9383be587\",\r\n \"type\": \"Microsoft.SecurityInsights/AlertRuleTemplates\",\r\n \"kind\": \"Scheduled\",\r\n \"properties\": {\r\n \"severity\": \"Low\",\r\n \"query\": \"let detectionTime = 1d;\\nlet joinLookback = 14d;\\nAuditLogs\\n| where TimeGenerated > ago(detectionTime)\\n| where LoggedByService =~ \\\"Core Directory\\\"\\n| where Category =~ \\\"ApplicationManagement\\\"\\n| where OperationName =~ \\\"Consent to application\\\"\\n| where TargetResources has \\\"offline\\\"\\n| extend AppDisplayName = TargetResources.[0].displayName\\n| extend AppClientId = tolower(TargetResources.[0].id)\\n| where AppClientId !in ((externaldata(knownAppClientId:string, knownAppDisplayName:string)[@\\\"https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Sample%20Data/Feeds/Microsoft.OAuth.KnownApplications.csv\\\"] with (format=\\\"csv\\\")))\\n| extend ConsentFull = TargetResources[0].modifiedProperties[4].newValue\\n| parse ConsentFull with * \\\"ConsentType: \\\" GrantConsentType \\\", Scope: \\\" GrantScope1 \\\"]\\\" *\\n| where ConsentFull contains \\\"offline_access\\\" and ConsentFull contains \\\"Files.Read\\\" or ConsentFull contains \\\"Mail.Read\\\" or ConsentFull contains \\\"Notes.Read\\\" or ConsentFull contains \\\"ChannelMessage.Read\\\" or ConsentFull contains \\\"Chat.Read\\\" or ConsentFull contains \\\"TeamsActivity.Read\\\" or ConsentFull contains \\\"Group.Read\\\" or ConsentFull contains \\\"EWS.AccessAsUser.All\\\" or ConsentFull contains \\\"EAS.AccessAsUser.All\\\"\\n| where GrantConsentType != \\\"AllPrincipals\\\" // NOTE: we are ignoring if OAuth application was granted to all users via an admin - but admin due diligence should be audited occasionally\\n| extend GrantIpAddress = iff(isnotempty(InitiatedBy.user.ipAddress), InitiatedBy.user.ipAddress, InitiatedBy.app.ipAddress)\\n| extend GrantInitiatedBy = iff(isnotempty(InitiatedBy.user.userPrincipalName),InitiatedBy.user.userPrincipalName, InitiatedBy.app.displayName)\\n| extend GrantUserAgent = iff(AdditionalDetails[0].key =~ \\\"User-Agent\\\", AdditionalDetails[0].value, \\\"\\\")\\n| project TimeGenerated, GrantConsentType, GrantScope1, GrantInitiatedBy, AppDisplayName, GrantIpAddress, GrantUserAgent, AppClientId, OperationName, ConsentFull, CorrelationId\\n| join kind = leftouter (AuditLogs\\n| where TimeGenerated > ago(joinLookback)\\n| where LoggedByService =~ \\\"Core Directory\\\"\\n| where Category =~ \\\"ApplicationManagement\\\"\\n| where OperationName =~ \\\"Add service principal\\\"\\n| extend AppClientId = tolower(TargetResources[0].id)\\n| extend AppReplyURLs = iff(TargetResources[0].modifiedProperties[1].newValue has \\\"AddressType\\\", TargetResources[0].modifiedProperties[1].newValue, \\\"\\\")\\n| distinct AppClientId, tostring(AppReplyURLs)\\n)\\non AppClientId\\n| join kind = innerunique (AuditLogs\\n| where TimeGenerated > ago(joinLookback)\\n| where LoggedByService =~ \\\"Core Directory\\\"\\n| where Category =~ \\\"ApplicationManagement\\\"\\n| where OperationName =~ \\\"Add OAuth2PermissionGrant\\\" or OperationName =~ \\\"Add delegated permission grant\\\"\\n| extend GrantAuthentication = tostring(TargetResources[0].displayName)\\n| extend GrantOperation = OperationName\\n| project GrantAuthentication, GrantOperation, CorrelationId\\n) on CorrelationId\\n| project TimeGenerated, GrantConsentType, GrantScope1, GrantInitiatedBy, AppDisplayName, AppReplyURLs, GrantIpAddress, GrantUserAgent, AppClientId, GrantAuthentication, OperationName, GrantOperation, CorrelationId, ConsentFull\",\r\n \"queryFrequency\": \"P1D\",\r\n \"queryPeriod\": \"P14D\",\r\n \"triggerOperator\": \"GreaterThan\",\r\n \"triggerThreshold\": 0,\r\n \"displayName\": \"Suspicious application consent for offline access\",\r\n \"description\": \"This will alert when a user consents to provide a previously-unknown Azure application with offline access via OAuth.\\nOffline access will provide the Azure App with access to the listed resources without requiring two-factor authentication.\\nConsent to applications with offline access and read capabilities should be rare, especially as the knownApplications list is expanded. Public contributions to expand this filter are welcome!\\nFor further information on AuditLogs please see https://docs.microsoft.com/azure/active-directory/reports-monitoring/reference-audit-activities.\",\r\n \"tactics\": [\r\n \"CredentialAccess\"\r\n ],\r\n \"lastUpdatedDateUTC\": \"2020-06-29T00:00:00Z\",\r\n \"createdDateUTC\": \"2020-06-26T00:00:00Z\",\r\n \"status\": \"Available\",\r\n \"requiredDataConnectors\": [\r\n {\r\n \"connectorId\": \"AzureActiveDirectory\",\r\n \"dataTypes\": [\r\n \"AuditLogs\"\r\n ]\r\n }\r\n ],\r\n \"alertRulesCreatedByTemplateCount\": 0\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/AlertRuleTemplates/0777f138-e5d8-4eab-bec1-e11ddfbc2be2\",\r\n \"name\": \"0777f138-e5d8-4eab-bec1-e11ddfbc2be2\",\r\n \"type\": \"Microsoft.SecurityInsights/AlertRuleTemplates\",\r\n \"kind\": \"Scheduled\",\r\n \"properties\": {\r\n \"severity\": \"Low\",\r\n \"query\": \"let timeframe = 10m;\\nlet threshold = 20;\\nSecurityEvent \\n| where TimeGenerated >= ago(timeframe)\\n| where EventID == 4625\\n| where AccountType =~ \\\"User\\\"\\n| where SubStatus !='0xc0000064' and Account !in ('\\\\\\\\', '-\\\\\\\\-')\\n// SubStatus '0xc0000064' signifies 'Account name does not exist'\\n| extend ResourceId = column_ifexists(\\\"_ResourceId\\\", _ResourceId), SourceComputerId = column_ifexists(\\\"SourceComputerId\\\", SourceComputerId)\\n| extend Reason = case(\\nSubStatus =~ '0xC000005E', 'There are currently no logon servers available to service the logon request.',\\nSubStatus =~ '0xC0000064', 'User logon with misspelled or bad user account',\\nSubStatus =~ '0xC000006A', 'User logon with misspelled or bad password', \\nSubStatus =~ '0xC000006D', 'Bad user name or password',\\nSubStatus =~ '0xC000006E', 'Unknown user name or bad password',\\nSubStatus =~ '0xC000006F', 'User logon outside authorized hours',\\nSubStatus =~ '0xC0000070', 'User logon from unauthorized workstation',\\nSubStatus =~ '0xC0000071', 'User logon with expired password',\\nSubStatus =~ '0xC0000072', 'User logon to account disabled by administrator',\\nSubStatus =~ '0xC00000DC', 'Indicates the Sam Server was in the wrong state to perform the desired operation', \\nSubStatus =~ '0xC0000133', 'Clocks between DC and other computer too far out of sync',\\nSubStatus =~ '0xC000015B', 'The user has not been granted the requested logon type (aka logon right) at this machine',\\nSubStatus =~ '0xC000018C', 'The logon request failed because the trust relationship between the primary domain and the trusted domain failed',\\nSubStatus =~ '0xC0000192', 'An attempt was made to logon, but the Netlogon service was not started',\\nSubStatus =~ '0xC0000193', 'User logon with expired account',\\nSubStatus =~ '0xC0000224', 'User is required to change password at next logon',\\nSubStatus =~ '0xC0000225', 'Evidently a bug in Windows and not a risk',\\nSubStatus =~ '0xC0000234', 'User logon with account locked',\\nSubStatus =~ '0xC00002EE', 'Failure Reason: An Error occurred during Logon',\\nSubStatus =~ '0xC0000413', 'Logon Failure: The machine you are logging onto is protected by an authentication firewall. The specified account is not allowed to authenticate to the machine',\\nstrcat('Unknown reason substatus: ', SubStatus))\\n| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated), FailedLogonCount = count() by EventID, \\nActivity, Computer, Account, TargetAccount, TargetUserName, TargetDomainName, \\nLogonType, LogonTypeName, LogonProcessName, Status, SubStatus, Reason, ResourceId, SourceComputerId, WorkstationName, IpAddress\\n| where FailedLogonCount >= threshold\\n| extend timestamp = StartTime, AccountCustomEntity = Account, HostCustomEntity = Computer, IPCustomEntity = IpAddress\",\r\n \"queryFrequency\": \"PT10M\",\r\n \"queryPeriod\": \"PT10M\",\r\n \"triggerOperator\": \"GreaterThan\",\r\n \"triggerThreshold\": 0,\r\n \"entityMappings\": [\r\n {\r\n \"entityType\": \"Account\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"FullName\",\r\n \"columnName\": \"AccountCustomEntity\"\r\n }\r\n ]\r\n },\r\n {\r\n \"entityType\": \"Host\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"FullName\",\r\n \"columnName\": \"HostCustomEntity\"\r\n }\r\n ]\r\n },\r\n {\r\n \"entityType\": \"IP\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"Address\",\r\n \"columnName\": \"IPCustomEntity\"\r\n }\r\n ]\r\n }\r\n ],\r\n \"displayName\": \"Failed logon attempts by valid accounts within 10 mins\",\r\n \"description\": \"Identifies when failed logon attempts are 20 or higher during a 10 minute period (2 failed logons per minute minimum) from valid account.\",\r\n \"tactics\": [\r\n \"CredentialAccess\"\r\n ],\r\n \"lastUpdatedDateUTC\": \"2020-11-17T00:00:00Z\",\r\n \"createdDateUTC\": \"2019-02-14T00:00:00Z\",\r\n \"status\": \"Available\",\r\n \"requiredDataConnectors\": [\r\n {\r\n \"connectorId\": \"SecurityEvents\",\r\n \"dataTypes\": [\r\n \"SecurityEvent\"\r\n ]\r\n }\r\n ],\r\n \"alertRulesCreatedByTemplateCount\": 0\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/AlertRuleTemplates/a7427ed7-04b4-4e3b-b323-08b981b9b4bf\",\r\n \"name\": \"a7427ed7-04b4-4e3b-b323-08b981b9b4bf\",\r\n \"type\": \"Microsoft.SecurityInsights/AlertRuleTemplates\",\r\n \"kind\": \"Scheduled\",\r\n \"properties\": {\r\n \"severity\": \"Medium\",\r\n \"query\": \"let dt_lookBack = 1h;\\nlet ioc_lookBack = 14d;\\nThreatIntelligenceIndicator\\n| where TimeGenerated >= ago(ioc_lookBack) and ExpirationDateTime > now()\\n| where Active == true\\n| where isnotempty(FileHashValue)\\n| join (\\n SecurityEvent | where TimeGenerated >= ago(dt_lookBack)\\n | where EventID in (\\\"8003\\\",\\\"8002\\\",\\\"8005\\\")\\n | where isnotempty(FileHash)\\n | extend SecurityEvent_TimeGenerated = TimeGenerated, Event = EventID\\n)\\non $left.FileHashValue == $right.FileHash\\n| summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId\\n| project LatestIndicatorTime, Description, ActivityGroupNames, IndicatorId, ThreatType, Url, ExpirationDateTime, ConfidenceScore,\\nSecurityEvent_TimeGenerated, Process, FileHash, Computer, Account, Event\\n| extend timestamp = SecurityEvent_TimeGenerated, AccountCustomEntity = Account, HostCustomEntity = Computer, URLCustomEntity = Url\",\r\n \"queryFrequency\": \"PT1H\",\r\n \"queryPeriod\": \"P14D\",\r\n \"triggerOperator\": \"GreaterThan\",\r\n \"triggerThreshold\": 0,\r\n \"entityMappings\": [\r\n {\r\n \"entityType\": \"Account\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"FullName\",\r\n \"columnName\": \"AccountCustomEntity\"\r\n }\r\n ]\r\n },\r\n {\r\n \"entityType\": \"Host\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"FullName\",\r\n \"columnName\": \"HostCustomEntity\"\r\n }\r\n ]\r\n },\r\n {\r\n \"entityType\": \"URL\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"Url\",\r\n \"columnName\": \"URLCustomEntity\"\r\n }\r\n ]\r\n }\r\n ],\r\n \"displayName\": \"(Preview) TI map File Hash to Security Event\",\r\n \"description\": \"Identifies a match in Security Event data from any File Hash IOC from TI\",\r\n \"tactics\": [\r\n \"Impact\"\r\n ],\r\n \"lastUpdatedDateUTC\": \"2020-11-17T00:00:00Z\",\r\n \"createdDateUTC\": \"2019-08-27T00:00:00Z\",\r\n \"status\": \"Available\",\r\n \"requiredDataConnectors\": [\r\n {\r\n \"connectorId\": \"SecurityEvents\",\r\n \"dataTypes\": [\r\n \"SecurityEvent\"\r\n ]\r\n },\r\n {\r\n \"connectorId\": \"ThreatIntelligence\",\r\n \"dataTypes\": [\r\n \"ThreatIntelligenceIndicator\"\r\n ]\r\n },\r\n {\r\n \"connectorId\": \"ThreatIntelligenceTaxii\",\r\n \"dataTypes\": [\r\n \"ThreatIntelligenceIndicator\"\r\n ]\r\n }\r\n ],\r\n \"alertRulesCreatedByTemplateCount\": 0\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/AlertRuleTemplates/85aca4d1-5d15-4001-abd9-acb86ca1786a\",\r\n \"name\": \"85aca4d1-5d15-4001-abd9-acb86ca1786a\",\r\n \"type\": \"Microsoft.SecurityInsights/AlertRuleTemplates\",\r\n \"kind\": \"Scheduled\",\r\n \"properties\": {\r\n \"severity\": \"Medium\",\r\n \"query\": \"let dt_lookBack = 1h;\\nlet ioc_lookBack = 14d;\\n//Create a list of TLDs in our threat feed for later validation\\nlet list_tlds = ThreatIntelligenceIndicator\\n| where TimeGenerated > ago(ioc_lookBack)\\n| where isnotempty(DomainName)\\n| extend parts = split(DomainName, '.')\\n| extend tld = parts[(array_length(parts)-1)]\\n| summarize count() by tostring(tld)\\n| summarize make_list(tld);\\nThreatIntelligenceIndicator\\n| where TimeGenerated >= ago(ioc_lookBack) and ExpirationDateTime > now()\\n| where Active == true\\n// Picking up only IOC's that contain the entities we want\\n| where isnotempty(DomainName)\\n| join (\\n DnsEvents\\n | where TimeGenerated > ago(dt_lookBack)\\n //Extract domain patterns from syslog message\\n | where isnotempty(Name)\\n | extend parts = split(Name, '.')\\n //Split out the TLD\\n | extend tld = parts[(array_length(parts)-1)]\\n //Validate parsed domain by checking if the TLD is in the list of TLDs in our threat feed\\n | where tld in~ (list_tlds)\\n | extend DNS_TimeGenerated = TimeGenerated\\n) on $left.DomainName==$right.Name\\n| summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId\\n| project LatestIndicatorTime, Description, ActivityGroupNames, IndicatorId, ThreatType, ExpirationDateTime, ConfidenceScore, Url, DNS_TimeGenerated, Computer, ClientIP, Name, QueryType\\n| extend timestamp = DNS_TimeGenerated, HostCustomEntity = Computer, IPCustomEntity = ClientIP, URLCustomEntity = Url\",\r\n \"queryFrequency\": \"PT1H\",\r\n \"queryPeriod\": \"P14D\",\r\n \"triggerOperator\": \"GreaterThan\",\r\n \"triggerThreshold\": 0,\r\n \"entityMappings\": [\r\n {\r\n \"entityType\": \"Host\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"FullName\",\r\n \"columnName\": \"HostCustomEntity\"\r\n }\r\n ]\r\n },\r\n {\r\n \"entityType\": \"IP\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"Address\",\r\n \"columnName\": \"IPCustomEntity\"\r\n }\r\n ]\r\n },\r\n {\r\n \"entityType\": \"URL\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"Url\",\r\n \"columnName\": \"URLCustomEntity\"\r\n }\r\n ]\r\n }\r\n ],\r\n \"displayName\": \"(Preview) TI map Domain entity to DnsEvent\",\r\n \"description\": \"Identifies a match in DnsEvent table from any Domain IOC from TI\",\r\n \"tactics\": [\r\n \"Impact\"\r\n ],\r\n \"lastUpdatedDateUTC\": \"2020-11-17T00:00:00Z\",\r\n \"createdDateUTC\": \"2019-08-28T00:00:00Z\",\r\n \"status\": \"Available\",\r\n \"requiredDataConnectors\": [\r\n {\r\n \"connectorId\": \"DNS\",\r\n \"dataTypes\": [\r\n \"DnsEvents\"\r\n ]\r\n },\r\n {\r\n \"connectorId\": \"ThreatIntelligence\",\r\n \"dataTypes\": [\r\n \"ThreatIntelligenceIndicator\"\r\n ]\r\n },\r\n {\r\n \"connectorId\": \"ThreatIntelligenceTaxii\",\r\n \"dataTypes\": [\r\n \"ThreatIntelligenceIndicator\"\r\n ]\r\n }\r\n ],\r\n \"alertRulesCreatedByTemplateCount\": 0\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/AlertRuleTemplates/f110287e-1358-490d-8147-ed804b328514\",\r\n \"name\": \"f110287e-1358-490d-8147-ed804b328514\",\r\n \"type\": \"Microsoft.SecurityInsights/AlertRuleTemplates\",\r\n \"kind\": \"Scheduled\",\r\n \"properties\": {\r\n \"severity\": \"Medium\",\r\n \"query\": \"let dt_lookBack = 1h;\\nlet ioc_lookBack = 14d;\\nThreatIntelligenceIndicator\\n| where TimeGenerated >= ago(ioc_lookBack) and ExpirationDateTime > now()\\n| where Active == true\\n// Picking up only IOC's that contain the entities we want\\n| where isnotempty(NetworkIP) or isnotempty(EmailSourceIpAddress) or isnotempty(NetworkDestinationIP) or isnotempty(NetworkSourceIP)\\n// As there is potentially more than 1 indicator type for matching IP, taking NetworkIP first, then others if that is empty.\\n// Taking the first non-empty value based on potential IOC match availability\\n| extend TI_ipEntity = iff(isnotempty(NetworkIP), NetworkIP, NetworkDestinationIP)\\n| extend TI_ipEntity = iff(isempty(TI_ipEntity) and isnotempty(NetworkSourceIP), NetworkSourceIP, TI_ipEntity)\\n| extend TI_ipEntity = iff(isempty(TI_ipEntity) and isnotempty(EmailSourceIpAddress), EmailSourceIpAddress, TI_ipEntity)\\n| join (\\n AWSCloudTrail | where TimeGenerated >= ago(dt_lookBack)\\n // renaming time column so it is clear the log this came from\\n | extend AWSCloudTrail_TimeGenerated = TimeGenerated\\n)\\non $left.TI_ipEntity == $right.SourceIpAddress\\n| summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId\\n| project LatestIndicatorTime, Description, ActivityGroupNames, IndicatorId, ThreatType, Url, ExpirationDateTime, ConfidenceScore, AWSCloudTrail_TimeGenerated,\\nTI_ipEntity, EventName, EventTypeName, UserIdentityAccountId, UserIdentityPrincipalid, UserIdentityUserName, SourceIpAddress,\\nNetworkIP, NetworkDestinationIP, NetworkSourceIP, EmailSourceIpAddress\\n| extend timestamp = AWSCloudTrail_TimeGenerated, IPCustomEntity = SourceIpAddress, AccountCustomEntity = UserIdentityUserName, URLCustomEntity = Url\",\r\n \"queryFrequency\": \"PT1H\",\r\n \"queryPeriod\": \"P14D\",\r\n \"triggerOperator\": \"GreaterThan\",\r\n \"triggerThreshold\": 0,\r\n \"entityMappings\": [\r\n {\r\n \"entityType\": \"Account\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"FullName\",\r\n \"columnName\": \"AccountCustomEntity\"\r\n }\r\n ]\r\n },\r\n {\r\n \"entityType\": \"IP\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"Address\",\r\n \"columnName\": \"IPCustomEntity\"\r\n }\r\n ]\r\n },\r\n {\r\n \"entityType\": \"URL\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"Url\",\r\n \"columnName\": \"URLCustomEntity\"\r\n }\r\n ]\r\n }\r\n ],\r\n \"displayName\": \"(Preview) TI map IP entity to AWSCloudTrail\",\r\n \"description\": \"Identifies a match in AWSCloudTrail from any IP IOC from TI\",\r\n \"tactics\": [\r\n \"Impact\"\r\n ],\r\n \"lastUpdatedDateUTC\": \"2020-11-17T00:00:00Z\",\r\n \"createdDateUTC\": \"2019-08-27T00:00:00Z\",\r\n \"status\": \"Available\",\r\n \"requiredDataConnectors\": [\r\n {\r\n \"connectorId\": \"ThreatIntelligence\",\r\n \"dataTypes\": [\r\n \"ThreatIntelligenceIndicator\"\r\n ]\r\n },\r\n {\r\n \"connectorId\": \"ThreatIntelligenceTaxii\",\r\n \"dataTypes\": [\r\n \"ThreatIntelligenceIndicator\"\r\n ]\r\n },\r\n {\r\n \"connectorId\": \"AWS\",\r\n \"dataTypes\": [\r\n \"AWSCloudTrail\"\r\n ]\r\n }\r\n ],\r\n \"alertRulesCreatedByTemplateCount\": 0\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/AlertRuleTemplates/ef88eb96-861c-43a0-ab16-f3835a97c928\",\r\n \"name\": \"ef88eb96-861c-43a0-ab16-f3835a97c928\",\r\n \"type\": \"Microsoft.SecurityInsights/AlertRuleTemplates\",\r\n \"kind\": \"Scheduled\",\r\n \"properties\": {\r\n \"severity\": \"Medium\",\r\n \"query\": \"let timeframe = 1d;\\nlet regexEmpire = @\\\"SetDelay|GetDelay|Set-LostLimit|Get-LostLimit|Set-Killdate|Get-Killdate|Set-WorkingHours|Get-WorkingHours|Get-Sysinfo|Add-Servers|Invoke-ShellCommand|Start-AgentJob|Update-Profile|Get-FilePart|Encrypt-Bytes|Decrypt-Bytes|Encode-Packet|Decode-Packet|Send-Message|Process-Packet|Process-Tasking|Get-Task|Start-Negotiate|Invoke-DllInjection|Invoke-ReflectivePEInjection|Invoke-Shellcode|Invoke-ShellcodeMSIL|Get-ChromeDump|Get-ClipboardContents|Get-IndexedItem|Get-Keystrokes|Invoke-Inveigh|Invoke-NetRipper|local:Invoke-PatchDll|Invoke-NinjaCopy|Get-Win32Types|Get-Win32Constants|Get-Win32Functions|Sub-SignedIntAsUnsigned|Add-SignedIntAsUnsigned|Compare-Val1GreaterThanVal2AsUInt|Convert-UIntToInt|Test-MemoryRangeValid|Write-BytesToMemory|Get-DelegateType|Get-ProcAddress|Enable-SeDebugPrivilege|Invoke-CreateRemoteThread|Get-ImageNtHeaders|Get-PEBasicInfo|Get-PEDetailedInfo|Import-DllInRemoteProcess|Get-RemoteProcAddress|Copy-Sections|Update-MemoryAddresses|Import-DllImports|Get-VirtualProtectValue|Update-MemoryProtectionFlags|Update-ExeFunctions|Copy-ArrayOfMemAddresses|Get-MemoryProcAddress|Invoke-MemoryLoadLibrary|Invoke-MemoryFreeLibrary|Out-Minidump|Get-VaultCredential|Invoke-DCSync|Translate-Name|Get-NetDomain|Get-NetForest|Get-NetForestDomain|Get-DomainSearcher|Get-NetComputer|Get-NetGroupMember|Get-NetUser|Invoke-Mimikatz|Invoke-PowerDump|Invoke-TokenManipulation|Exploit-JMXConsole|Exploit-JBoss|Invoke-Thunderstruck|Invoke-VoiceTroll|Set-WallPaper|Invoke-PsExec|Invoke-SSHCommand|Invoke-PSInject|Invoke-RunAs|Invoke-SendMail|Invoke-Rule|Get-OSVersion|Select-EmailItem|View-Email|Get-OutlookFolder|Get-EmailItems|Invoke-MailSearch|Get-SubFolders|Get-GlobalAddressList|Invoke-SearchGAL|Get-SMTPAddress|Disable-SecuritySettings|Reset-SecuritySettings|Get-OutlookInstance|New-HoneyHash|Set-MacAttribute|Invoke-PatchDll|Get-SecurityPackages|Install-SSP|Invoke-BackdoorLNK|New-ElevatedPersistenceOption|New-UserPersistenceOption|Add-Persistence|Invoke-CallbackIEX|Add-PSFirewallRules|Invoke-EventLoop|Invoke-PortBind|Invoke-DNSLoop|Invoke-PacketKnock|Invoke-CallbackLoop|Invoke-BypassUAC|Get-DecryptedCpassword|Get-GPPInnerFields|Invoke-WScriptBypassUAC|Get-ModifiableFile|Get-ServiceUnquoted|Get-ServiceFilePermission|Get-ServicePermission|Invoke-ServiceUserAdd|Invoke-ServiceCMD|Write-UserAddServiceBinary|Write-CMDServiceBinary|Write-ServiceEXE|Write-ServiceEXECMD|Restore-ServiceEXE|Invoke-ServiceStart|Invoke-ServiceStop|Invoke-ServiceEnable|Invoke-ServiceDisable|Get-ServiceDetail|Find-DLLHijack|Find-PathHijack|Write-HijackDll|Get-RegAlwaysInstallElevated|Get-RegAutoLogon|Get-VulnAutoRun|Get-VulnSchTask|Get-UnattendedInstallFile|Get-Webconfig|Get-ApplicationHost|Write-UserAddMSI|Invoke-AllChecks|Invoke-ThreadedFunction|Test-Login|Get-UserAgent|Test-Password|Get-ComputerDetails|Find-4648Logons|Find-4624Logons|Find-AppLockerLogs|Find-PSScriptsInPSAppLog|Find-RDPClientConnections|Get-SystemDNSServer|Invoke-Paranoia|Invoke-WinEnum{|Get-SPN|Invoke-ARPScan|Invoke-Portscan|Invoke-ReverseDNSLookup|Invoke-SMBScanner|New-InMemoryModule|Add-Win32Type|Export-PowerViewCSV|Get-MacAttribute|Copy-ClonedFile|Get-IPAddress|Convert-NameToSid|Convert-SidToName|Convert-NT4toCanonical|Get-Proxy|Get-PathAcl|Get-NameField|Convert-LDAPProperty|Get-NetDomainController|Add-NetUser|Add-NetGroupUser|Get-UserProperty|Find-UserField|Get-UserEvent|Get-ObjectAcl|Add-ObjectAcl|Invoke-ACLScanner|Get-GUIDMap|Get-ADObject|Set-ADObject|Get-ComputerProperty|Find-ComputerField|Get-NetOU|Get-NetSite|Get-NetSubnet|Get-DomainSID|Get-NetGroup|Get-NetFileServer|SplitPath|Get-DFSshare|Get-DFSshareV1|Get-DFSshareV2|Get-GptTmpl|Get-GroupsXML|Get-NetGPO|Get-NetGPOGroup|Find-GPOLocation|Find-GPOComputerAdmin|Get-DomainPolicy|Get-NetLocalGroup|Get-NetShare|Get-NetLoggedon|Get-NetSession|Get-NetRDPSession|Invoke-CheckLocalAdminAccess|Get-LastLoggedOn|Get-NetProcess|Find-InterestingFile|Invoke-CheckWrite|Invoke-UserHunter|Invoke-StealthUserHunter|Invoke-ProcessHunter|Invoke-EventHunter|Invoke-ShareFinder|Invoke-FileFinder|Find-LocalAdminAccess|Get-ExploitableSystem|Invoke-EnumerateLocalAdmin|Get-NetDomainTrust|Get-NetForestTrust|Find-ForeignUser|Find-ForeignGroup|Invoke-MapDomainTrust|Get-Hex|Create-RemoteThread|Get-FoxDump|Decrypt-CipherText|Get-Screenshot|Start-HTTP-Server|Local:Invoke-CreateRemoteThread|Local:Get-Win32Functions|Local:Inject-NetRipper|GetCommandLine|ElevatePrivs|Get-RegKeyClass|Get-BootKey|Get-HBootKey|Get-UserName|Get-UserHashes|DecryptHashes|DecryptSingleHash|Get-UserKeys|DumpHashes|Enable-SeAssignPrimaryTokenPrivilege|Enable-Privilege|Set-DesktopACLs|Set-DesktopACLToAllowEveryone|Get-PrimaryToken|Get-ThreadToken|Get-TokenInformation|Get-UniqueTokens|Find-GPOLocation|Find-GPOComputerAdmin|Get-DomainPolicy|Get-NetLocalGroup|Get-NetShare|Get-NetLoggedon|Get-NetSession|Get-NetRDPSession|Invoke-CheckLocalAdminAccess|Get-LastLoggedOn|Get-NetProcess|Find-InterestingFile|Invoke-CheckWrite|Invoke-UserHunter|Invoke-StealthUserHunter|Invoke-ProcessHunter|Invoke-EventHunter|Invoke-ShareFinder|Invoke-FileFinder|Find-LocalAdminAccess|Get-ExploitableSystem|Invoke-EnumerateLocalAdmin|Get-NetDomainTrust|Get-NetForestTrust|Find-ForeignUser|Find-ForeignGroup|Invoke-MapDomainTrust|Get-Hex|Create-RemoteThread|Get-FoxDump|Decrypt-CipherText|Get-Screenshot|Start-HTTP-Server|Local:Invoke-CreateRemoteThread|Local:Get-Win32Functions|Local:Inject-NetRipper|GetCommandLine|ElevatePrivs|Get-RegKeyClass|Get-BootKey|Get-HBootKey|Get-UserName|Get-UserHashes|DecryptHashes|DecryptSingleHash|Get-UserKeys|DumpHashes|Enable-SeAssignPrimaryTokenPrivilege|Enable-Privilege|Set-DesktopACLs|Set-DesktopACLToAllowEveryone|Get-PrimaryToken|Get-ThreadToken|Get-TokenInformation|Get-UniqueTokens|Invoke-ImpersonateUser|Create-ProcessWithToken|Free-AllTokens|Enum-AllTokens|Invoke-RevertToSelf|Set-Speaker(\\\\$Volume){\\\\$wshShell|Local:Get-RandomString|Local:Invoke-PsExecCmd|Get-GPPPassword|Local:Inject-BypassStuff|Local:Invoke-CopyFile\\\\(\\\\$sSource,|ind-Fruit|New-IPv4Range|New-IPv4RangeFromCIDR|Parse-Hosts|Parse-ILHosts|Exclude-Hosts|Get-TopPort|Parse-Ports|Parse-IpPorts|Remove-Ports|Write-PortscanOut|Convert-SwitchtoBool|Get-ForeignUser|Get-ForeignGroup\\\";\\nlet ProcessCreationEvents=() {\\nlet processEvents=SecurityEvent\\n| where EventID==4688\\n| where isnotempty(CommandLine)\\n| project TimeGenerated, Computer, Account = SubjectUserName, AccountDomain = SubjectDomainName, FileName = Process, CommandLine, ParentProcessName;\\nprocessEvents};\\nlet decodedPS = ProcessCreationEvents\\n| where TimeGenerated >= ago(timeframe) \\n| where CommandLine contains \\\" -encodedCommand\\\"\\n| parse kind=regex flags=i CommandLine with * \\\"-EncodedCommand \\\" encodedCommand\\n| project StartTimeUtc = TimeGenerated, encodedCommand = tostring(split(encodedCommand, ' ')[0]), CommandLine\\n// Note: currently the base64_decodestring function is limited to supporting UTF8\\n| extend decodedCommand = translate('\\\\0','', base64_decodestring(substring(encodedCommand, 0, strlen(encodedCommand) - (strlen(encodedCommand) %8)))), encodedCommand, CommandLine , strlen(encodedCommand);\\n(decodedPS\\n| union \\n(ProcessCreationEvents\\n| where TimeGenerated >= ago(timeframe)\\n| where FileName in~ (\\\"powershell.exe\\\",\\\"powershell_ise.exe\\\")\\n| where CommandLine !contains \\\"-encodedcommand\\\")\\n| extend StartTimeUtc = TimeGenerated\\n)\\n| where CommandLine matches regex regexEmpire\\n| extend timestamp = StartTimeUtc, AccountCustomEntity = Account, HostCustomEntity = Computer\",\r\n \"queryFrequency\": \"P1D\",\r\n \"queryPeriod\": \"P1D\",\r\n \"triggerOperator\": \"GreaterThan\",\r\n \"triggerThreshold\": 0,\r\n \"entityMappings\": [\r\n {\r\n \"entityType\": \"Account\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"FullName\",\r\n \"columnName\": \"AccountCustomEntity\"\r\n }\r\n ]\r\n },\r\n {\r\n \"entityType\": \"Host\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"FullName\",\r\n \"columnName\": \"HostCustomEntity\"\r\n }\r\n ]\r\n }\r\n ],\r\n \"displayName\": \"Powershell Empire cmdlets seen in command line\",\r\n \"description\": \"Identifies instances of PowerShell Empire cmdlets in powershell process command line data.\",\r\n \"tactics\": [\r\n \"Execution\",\r\n \"Persistence\"\r\n ],\r\n \"lastUpdatedDateUTC\": \"2020-11-17T00:00:00Z\",\r\n \"createdDateUTC\": \"2019-01-25T00:00:00Z\",\r\n \"status\": \"Available\",\r\n \"requiredDataConnectors\": [\r\n {\r\n \"connectorId\": \"SecurityEvents\",\r\n \"dataTypes\": [\r\n \"SecurityEvent\"\r\n ]\r\n }\r\n ],\r\n \"alertRulesCreatedByTemplateCount\": 0\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/AlertRuleTemplates/643c2025-9604-47c5-833f-7b4b9378a1f5\",\r\n \"name\": \"643c2025-9604-47c5-833f-7b4b9378a1f5\",\r\n \"type\": \"Microsoft.SecurityInsights/AlertRuleTemplates\",\r\n \"kind\": \"Scheduled\",\r\n \"properties\": {\r\n \"severity\": \"Medium\",\r\n \"query\": \"//Adjust this threshold to fit your environment\\nlet signin_threshold = 5; \\n//Make a list of IPs with AAD signin failures above our threshold\\nlet Suspicious_signins = \\nSigninLogs\\n| where TimeGenerated >= ago(1d)\\n| where ResultType !in (\\\"0\\\", \\\"50125\\\", \\\"50140\\\")\\n| where IPAddress != \\\"127.0.0.1\\\"\\n| summarize count() by IPAddress\\n| where count_ > signin_threshold\\n| summarize make_list(IPAddress);\\n//See if any of those IPs have sucessfully logged into the AWS console\\nAWSCloudTrail\\n| where TimeGenerated > ago(1d)\\n| where EventName =~ \\\"ConsoleLogin\\\"\\n| extend LoginResult = tostring(parse_json(ResponseElements).ConsoleLogin) \\n| where LoginResult =~ \\\"Success\\\"\\n| where SourceIpAddress in (Suspicious_signins)\\n| extend Reason = \\\"Multiple failed AAD logins from IP address\\\"\\n| extend MFAUsed = tostring(parse_json(AdditionalEventData).MFAUsed)\\n| extend User = iif(isempty(UserIdentityUserName), UserIdentityType, UserIdentityUserName) \\n| summarize StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated) by Reason, LoginResult, EventTypeName, UserIdentityType, User, AWSRegion, SourceIpAddress, UserAgent, MFAUsed\\n| extend timestamp = StartTimeUtc, AccountCustomEntity = User, IPCustomEntity = SourceIpAddress\",\r\n \"queryFrequency\": \"P1D\",\r\n \"queryPeriod\": \"P1D\",\r\n \"triggerOperator\": \"GreaterThan\",\r\n \"triggerThreshold\": 0,\r\n \"entityMappings\": [\r\n {\r\n \"entityType\": \"Account\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"FullName\",\r\n \"columnName\": \"AccountCustomEntity\"\r\n }\r\n ]\r\n },\r\n {\r\n \"entityType\": \"IP\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"Address\",\r\n \"columnName\": \"IPCustomEntity\"\r\n }\r\n ]\r\n }\r\n ],\r\n \"displayName\": \"Failed AzureAD logons but success logon to AWS Console\",\r\n \"description\": \"Identifies a list of IP addresses with a minimum number(defualt of 5) of failed logon attempts to Azure Active Directory.\\nUses that list to identify any successful AWS Console logons from these IPs within the same timeframe.\",\r\n \"tactics\": [\r\n \"InitialAccess\",\r\n \"CredentialAccess\"\r\n ],\r\n \"lastUpdatedDateUTC\": \"2020-11-17T00:00:00Z\",\r\n \"createdDateUTC\": \"2019-08-20T00:00:00Z\",\r\n \"status\": \"Available\",\r\n \"requiredDataConnectors\": [\r\n {\r\n \"connectorId\": \"AzureActiveDirectory\",\r\n \"dataTypes\": [\r\n \"SigninLogs\"\r\n ]\r\n },\r\n {\r\n \"connectorId\": \"AWS\",\r\n \"dataTypes\": [\r\n \"AWSCloudTrail\"\r\n ]\r\n }\r\n ],\r\n \"alertRulesCreatedByTemplateCount\": 0\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/AlertRuleTemplates/7249500f-3038-4b83-8549-9cd8dfa2d498\",\r\n \"name\": \"7249500f-3038-4b83-8549-9cd8dfa2d498\",\r\n \"type\": \"Microsoft.SecurityInsights/AlertRuleTemplates\",\r\n \"kind\": \"Scheduled\",\r\n \"properties\": {\r\n \"severity\": \"High\",\r\n \"query\": \"let timeframe = 1d;\\nlet DomainNames = dynamic([\\\"de-ma.online\\\", \\\"g20saudi.000webhostapp.com\\\", \\\"ksat20.000webhostapp.com\\\"]);\\nlet EmailAddresses = dynamic([\\\"munichconference1962@gmail.com\\\",\\\"munichconference@outlook.de\\\", \\\"munichconference@outlook.com\\\", \\\"t20saudiarabia@gmail.com\\\", \\\"t20saudiarabia@hotmail.com\\\", \\\"t20saudiarabia@outlook.sa\\\"]);\\n(union isfuzzy=true\\n(CommonSecurityLog \\n| where TimeGenerated >= ago(timeframe)\\n| parse Message with * '(' DNSName ')' * \\n| extend MessageIP = extract(IPRegex, 0, Message)\\n| extend RequestURLIP = extract(IPRegex, 0, Message)\\n| where (isnotempty(DNSName) and DNSName has_any (DomainNames)) \\n or (isnotempty(DestinationHostName) and DestinationHostName has_any (DomainNames)) \\n or (isnotempty(RequestURL) and (RequestURL has_any (DomainNames)))\\n| extend timestamp = TimeGenerated , AccountCustomEntity = SourceUserID, HostCustomEntity = DeviceName\\n),\\n(DnsEvents \\n| where TimeGenerated >= ago(timeframe) \\n| extend DestinationIPAddress = IPAddresses, DNSName = Name, Host = Computer\\n| where DNSName has_any (DomainNames) \\n| extend timestamp = TimeGenerated, IPCustomEntity = DestinationIPAddress, HostCustomEntity = Host),\\n(VMConnection \\n| where TimeGenerated >= ago(timeframe) \\n| parse RemoteDnsCanonicalNames with * '[\\\"' DNSName '\\\"]' *\\n| where isnotempty(DNSName)\\n| where DNSName has_any (DomainNames)\\n| extend timestamp = TimeGenerated , HostCustomEntity = Computer),\\n(SecurityAlert\\n| where TimeGenerated >= ago(timeframe) \\n| where ProviderName =~ 'OATP'\\n| extend UPN = case(isnotempty(parse_json(Entities)[0].Upn), parse_json(Entities)[0].Upn, \\n isnotempty(parse_json(Entities)[1].Upn), parse_json(Entities)[1].Upn,\\n isnotempty(parse_json(Entities)[2].Upn), parse_json(Entities)[2].Upn,\\n isnotempty(parse_json(Entities)[3].Upn), parse_json(Entities)[3].Upn,\\n isnotempty(parse_json(Entities)[4].Upn), parse_json(Entities)[4].Upn,\\n isnotempty(parse_json(Entities)[5].Upn), parse_json(Entities)[5].Upn,\\n isnotempty(parse_json(Entities)[6].Upn), parse_json(Entities)[6].Upn,\\n isnotempty(parse_json(Entities)[7].Upn), parse_json(Entities)[7].Upn,\\n isnotempty(parse_json(Entities)[8].Upn), parse_json(Entities)[8].Upn,\\n parse_json(Entities)[9].Upn)\\n| where Entities has_any (EmailAddresses)\\n| extend timestamp = TimeGenerated, AccountCustomEntity = tostring(UPN)),\\n(AzureDiagnostics\\n| where TimeGenerated >= ago(timeframe) \\n| where ResourceType =~ \\\"AZUREFIREWALLS\\\"\\n| where msg_s has_any (DomainNames)\\n| extend timestamp = TimeGenerated))\",\r\n \"queryFrequency\": \"P1D\",\r\n \"queryPeriod\": \"P1D\",\r\n \"triggerOperator\": \"GreaterThan\",\r\n \"triggerThreshold\": 0,\r\n \"entityMappings\": [\r\n {\r\n \"entityType\": \"Account\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"FullName\",\r\n \"columnName\": \"AccountCustomEntity\"\r\n }\r\n ]\r\n },\r\n {\r\n \"entityType\": \"Host\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"FullName\",\r\n \"columnName\": \"HostCustomEntity\"\r\n }\r\n ]\r\n },\r\n {\r\n \"entityType\": \"IP\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"Address\",\r\n \"columnName\": \"IPCustomEntity\"\r\n }\r\n ]\r\n }\r\n ],\r\n \"displayName\": \"Known PHOSPHORUS group domains/IP - October 2020\",\r\n \"description\": \"Matches IOCs related to PHOSPHORUS group activity published October 2020 with CommonSecurityLog, DnsEvents, OfficeActivity and VMConnection dataTypes.\\nReferences: \",\r\n \"tactics\": [\r\n \"CommandAndControl\",\r\n \"InitialAccess\"\r\n ],\r\n \"lastUpdatedDateUTC\": \"2020-11-19T00:00:00Z\",\r\n \"createdDateUTC\": \"2020-10-20T00:00:00Z\",\r\n \"status\": \"Available\",\r\n \"requiredDataConnectors\": [\r\n {\r\n \"connectorId\": \"DNS\",\r\n \"dataTypes\": [\r\n \"DnsEvents\"\r\n ]\r\n },\r\n {\r\n \"connectorId\": \"AzureMonitor(VMInsights)\",\r\n \"dataTypes\": [\r\n \"VMConnection\"\r\n ]\r\n },\r\n {\r\n \"connectorId\": \"CiscoASA\",\r\n \"dataTypes\": [\r\n \"CommonSecurityLog (Cisco)\"\r\n ]\r\n },\r\n {\r\n \"connectorId\": \"PaloAltoNetworks\",\r\n \"dataTypes\": [\r\n \"CommonSecurityLog (PaloAlto)\"\r\n ]\r\n },\r\n {\r\n \"connectorId\": \"Zscaler\",\r\n \"dataTypes\": [\r\n \"CommonSecurityLog (Zscaler)\"\r\n ]\r\n },\r\n {\r\n \"connectorId\": \"Fortinet\",\r\n \"dataTypes\": [\r\n \"CommonSecurityLog (Fortinet)\"\r\n ]\r\n },\r\n {\r\n \"connectorId\": \"OfficeATP\",\r\n \"dataTypes\": [\r\n \"SecurityAlert (OATP)\"\r\n ]\r\n },\r\n {\r\n \"connectorId\": \"AzureFirewall\",\r\n \"dataTypes\": [\r\n \"AzureDiagnostics (Azure Firewall)\"\r\n ]\r\n }\r\n ],\r\n \"alertRulesCreatedByTemplateCount\": 0\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/AlertRuleTemplates/0b9ae89d-8cad-461c-808f-0494f70ad5c4\",\r\n \"name\": \"0b9ae89d-8cad-461c-808f-0494f70ad5c4\",\r\n \"type\": \"Microsoft.SecurityInsights/AlertRuleTemplates\",\r\n \"kind\": \"Scheduled\",\r\n \"properties\": {\r\n \"severity\": \"Low\",\r\n \"query\": \"let timeframe = 1d;\\nlet PerUserThreshold = 5;\\nlet TotalThreshold = 100;\\nlet action = dynamic([\\\"change\\\", \\\"changed\\\", \\\"reset\\\"]);\\nlet pWord = dynamic([\\\"password\\\", \\\"credentials\\\"]);\\nlet PasswordResetMultiDataSource =\\n(union isfuzzy=true\\n(//Password reset events\\n//4723: An attempt was made to change an account's password\\n//4724: An attempt was made to reset an accounts password\\nSecurityEvent\\n| where TimeGenerated >= ago(timeframe)\\n| where EventID in (\\\"4723\\\",\\\"4724\\\")\\n| project TimeGenerated, Computer, AccountType, Account, Type),\\n(//Azure Active Directory Password reset events\\nAuditLogs\\n| where TimeGenerated >= ago(timeframe)\\n| where OperationName has_any (pWord) and OperationName has_any (action)\\n| extend AccountType = tostring(TargetResources[0].type), Account = tostring(TargetResources[0].userPrincipalName), \\nTargetResourceName = tolower(tostring(TargetResources[0].displayName))\\n| project TimeGenerated, AccountType, Account, Computer = TargetResourceName, Type),\\n(//OfficeActive ActiveDirectory Password reset events\\nOfficeActivity\\n| where TimeGenerated >= ago(timeframe)\\n| where OfficeWorkload == \\\"AzureActiveDirectory\\\" \\n| where (ExtendedProperties has_any (pWord) or ModifiedProperties has_any (pWord)) and (ExtendedProperties has_any (action) or ModifiedProperties has_any (action))\\n| extend AccountType = UserType, Account = OfficeObjectId \\n| project TimeGenerated, AccountType, Account, Type, Computer = \\\"\\\"),\\n(// Unix syslog password reset events\\nSyslog\\n| where TimeGenerated >= ago(timeframe)\\n| where Facility in (\\\"auth\\\",\\\"authpriv\\\")\\n| where SyslogMessage has_any (pWord) and SyslogMessage has_any (action)\\n| extend AccountType = iif(SyslogMessage contains \\\"root\\\", \\\"Root\\\", \\\"Non-Root\\\")\\n| parse SyslogMessage with * \\\"password changed for\\\" Account\\n| project TimeGenerated, AccountType, Account, Computer = HostName, Type),\\n(SigninLogs\\n| where TimeGenerated >= ago(timeframe)\\n| where OperationName =~ \\\"Sign-in activity\\\" and ResultType has_any (\\\"50125\\\", \\\"50133\\\")\\n| project TimeGenerated, AccountType = AppDisplayName, Computer = IPAddress, Account = UserPrincipalName, Type\\n)\\n);\\nlet pwrmd = PasswordResetMultiDataSource\\n| project TimeGenerated, Computer, AccountType, Account, Type;\\n(union isfuzzy=true \\n(pwrmd\\n| summarize StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated), Computer = makeset(Computer), AccountType = makeset(AccountType), Total=count() by Account, Type\\n| where Total > PerUserThreshold\\n| extend ResetPivot = \\\"PerUserReset\\\"), \\n(pwrmd\\n| summarize StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated), Computer = makeset(Computer), Account = tostring(makeset(Account)), AccountType = makeset(AccountType), Total=count() by Type\\n| where Total > TotalThreshold\\n| extend ResetPivot = \\\"TotalUserReset\\\")\\n)\\n| extend timestamp = StartTimeUtc, AccountCustomEntity = Account, HostCustomEntity = tostring(Computer)\",\r\n \"queryFrequency\": \"P1D\",\r\n \"queryPeriod\": \"P1D\",\r\n \"triggerOperator\": \"GreaterThan\",\r\n \"triggerThreshold\": 0,\r\n \"entityMappings\": [\r\n {\r\n \"entityType\": \"Account\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"FullName\",\r\n \"columnName\": \"AccountCustomEntity\"\r\n }\r\n ]\r\n },\r\n {\r\n \"entityType\": \"Host\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"FullName\",\r\n \"columnName\": \"HostCustomEntity\"\r\n }\r\n ]\r\n }\r\n ],\r\n \"displayName\": \"Multiple Password Reset by user\",\r\n \"description\": \"This query will determine multiple password resets by user across multiple data sources. \\nAccount manipulation including password reset may aid adversaries in maintaining access to credentials \\nand certain permission levels within an environment.\",\r\n \"tactics\": [\r\n \"InitialAccess\",\r\n \"CredentialAccess\"\r\n ],\r\n \"lastUpdatedDateUTC\": \"2020-11-17T00:00:00Z\",\r\n \"createdDateUTC\": \"2019-09-03T00:00:00Z\",\r\n \"status\": \"Available\",\r\n \"requiredDataConnectors\": [\r\n {\r\n \"connectorId\": \"AzureActiveDirectory\",\r\n \"dataTypes\": [\r\n \"AuditLogs\"\r\n ]\r\n },\r\n {\r\n \"connectorId\": \"SecurityEvents\",\r\n \"dataTypes\": [\r\n \"SecurityEvent\"\r\n ]\r\n },\r\n {\r\n \"connectorId\": \"Syslog\",\r\n \"dataTypes\": [\r\n \"Syslog\"\r\n ]\r\n },\r\n {\r\n \"connectorId\": \"Office365\",\r\n \"dataTypes\": [\r\n \"OfficeActivity\"\r\n ]\r\n }\r\n ],\r\n \"alertRulesCreatedByTemplateCount\": 0\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/AlertRuleTemplates/327cd4ed-ca42-454b-887c-54e1c91363c6\",\r\n \"name\": \"327cd4ed-ca42-454b-887c-54e1c91363c6\",\r\n \"type\": \"Microsoft.SecurityInsights/AlertRuleTemplates\",\r\n \"kind\": \"MicrosoftSecurityIncidentCreation\",\r\n \"properties\": {\r\n \"productFilter\": \"Microsoft Defender Advanced Threat Protection\",\r\n \"displayName\": \"Create incidents based on Microsoft Defender Advanced Threat Protection alerts\",\r\n \"description\": \"Create incidents based on all alerts generated in Microsoft Defender Advanced Threat Protection\",\r\n \"lastUpdatedDateUTC\": \"2019-10-24T00:00:00Z\",\r\n \"createdDateUTC\": \"2019-10-24T00:00:00Z\",\r\n \"status\": \"Available\",\r\n \"requiredDataConnectors\": [\r\n {\r\n \"connectorId\": \"MicrosoftDefenderAdvancedThreatProtection\",\r\n \"dataTypes\": [\r\n \"SecurityAlert (MDATP)\"\r\n ]\r\n }\r\n ],\r\n \"alertRulesCreatedByTemplateCount\": 1\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/AlertRuleTemplates/44a555d8-ecee-4a25-95ce-055879b4b14b\",\r\n \"name\": \"44a555d8-ecee-4a25-95ce-055879b4b14b\",\r\n \"type\": \"Microsoft.SecurityInsights/AlertRuleTemplates\",\r\n \"kind\": \"Scheduled\",\r\n \"properties\": {\r\n \"severity\": \"Medium\",\r\n \"query\": \"let timeFrame = 1d;\\nlet timeBin = 10m;\\nlet portThreshold = 30;\\nW3CIISLog\\n| where TimeGenerated >= ago(timeFrame)\\n| extend scStatusFull = strcat(scStatus, \\\".\\\",scSubStatus) \\n// Map common IIS codes\\n| extend scStatusFull_Friendly = case(\\nscStatusFull == \\\"401.0\\\", \\\"Access denied.\\\",\\nscStatusFull == \\\"401.1\\\", \\\"Logon failed.\\\",\\nscStatusFull == \\\"401.2\\\", \\\"Logon failed due to server configuration.\\\",\\nscStatusFull == \\\"401.3\\\", \\\"Unauthorized due to ACL on resource.\\\",\\nscStatusFull == \\\"401.4\\\", \\\"Authorization failed by filter.\\\",\\nscStatusFull == \\\"401.5\\\", \\\"Authorization failed by ISAPI/CGI application.\\\",\\nscStatusFull == \\\"403.0\\\", \\\"Forbidden.\\\",\\nscStatusFull == \\\"403.4\\\", \\\"SSL required.\\\",\\n\\\"See - https://support.microsoft.com/help/943891/the-http-status-code-in-iis-7-0-iis-7-5-and-iis-8-0\\\")\\n// Mapping to Hex so can be mapped using website in comments above\\n| extend scWin32Status_Hex = tohex(tolong(scWin32Status)) \\n// Map common win32 codes\\n| extend scWin32Status_Friendly = case(\\nscWin32Status_Hex =~ \\\"775\\\", \\\"The referenced account is currently locked out and cannot be logged on to.\\\",\\nscWin32Status_Hex =~ \\\"52e\\\", \\\"Logon failure: Unknown user name or bad password.\\\",\\nscWin32Status_Hex =~ \\\"532\\\", \\\"Logon failure: The specified account password has expired.\\\",\\nscWin32Status_Hex =~ \\\"533\\\", \\\"Logon failure: Account currently disabled.\\\", \\nscWin32Status_Hex =~ \\\"2ee2\\\", \\\"The request has timed out.\\\", \\nscWin32Status_Hex =~ \\\"0\\\", \\\"The operation completed successfully.\\\", \\nscWin32Status_Hex =~ \\\"1\\\", \\\"Incorrect function.\\\", \\nscWin32Status_Hex =~ \\\"2\\\", \\\"The system cannot find the file specified.\\\", \\nscWin32Status_Hex =~ \\\"3\\\", \\\"The system cannot find the path specified.\\\", \\nscWin32Status_Hex =~ \\\"4\\\", \\\"The system cannot open the file.\\\", \\nscWin32Status_Hex =~ \\\"5\\\", \\\"Access is denied.\\\", \\nscWin32Status_Hex =~ \\\"8009030e\\\", \\\"SEC_E_NO_CREDENTIALS\\\", \\nscWin32Status_Hex =~ \\\"8009030C\\\", \\\"SEC_E_LOGON_DENIED\\\", \\n\\\"See - https://msdn.microsoft.com/library/cc231199.aspx\\\")\\n// decode URI when available\\n| extend decodedUriQuery = url_decode(csUriQuery)\\n// Count of attempts by client IP on many ports\\n| summarize makeset(sPort), makeset(decodedUriQuery), makeset(csUserName), makeset(sSiteName), makeset(sPort), makeset(csUserAgent), makeset(csMethod), makeset(csUriQuery), makeset(scStatusFull), makeset(scStatusFull_Friendly), makeset(scWin32Status_Hex), makeset(scWin32Status_Friendly), ConnectionsCount = count() by bin(TimeGenerated, timeBin), cIP, Computer, sIP\\n| extend portCount = arraylength(set_sPort)\\n| where portCount >= portThreshold\\n| project TimeGenerated, cIP, set_sPort, set_csUserName, set_decodedUriQuery, Computer, set_sSiteName, sIP, set_csUserAgent, set_csMethod, set_scStatusFull, set_scStatusFull_Friendly, set_scWin32Status_Hex, set_scWin32Status_Friendly, ConnectionsCount, portCount\\n| order by portCount\\n| extend timestamp = TimeGenerated, IPCustomEntity = cIP\",\r\n \"queryFrequency\": \"P1D\",\r\n \"queryPeriod\": \"P1D\",\r\n \"triggerOperator\": \"GreaterThan\",\r\n \"triggerThreshold\": 0,\r\n \"entityMappings\": [\r\n {\r\n \"entityType\": \"IP\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"Address\",\r\n \"columnName\": \"IPCustomEntity\"\r\n }\r\n ]\r\n }\r\n ],\r\n \"displayName\": \"High count of connections by client IP on many ports\",\r\n \"description\": \"Identifies when 30 or more ports are used for a given client IP in 10 minutes occurring on the IIS server.\\nThis could be indicative of attempted port scanning or exploit attempt at internet facing web applications. \\nThis could also simply indicate a misconfigured service or device.\\nReferences:\\nIIS status code mapping - https://support.microsoft.com/help/943891/the-http-status-code-in-iis-7-0-iis-7-5-and-iis-8-0\\nWin32 Status code mapping - https://msdn.microsoft.com/library/cc231199.aspx\",\r\n \"tactics\": [\r\n \"InitialAccess\"\r\n ],\r\n \"lastUpdatedDateUTC\": \"2020-11-17T00:00:00Z\",\r\n \"createdDateUTC\": \"2019-03-19T00:00:00Z\",\r\n \"status\": \"Available\",\r\n \"requiredDataConnectors\": [\r\n {\r\n \"connectorId\": \"AzureMonitor(IIS)\",\r\n \"dataTypes\": [\r\n \"W3CIISLog\"\r\n ]\r\n }\r\n ],\r\n \"alertRulesCreatedByTemplateCount\": 0\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/AlertRuleTemplates/712fab52-2a7d-401e-a08c-ff939cc7c25e\",\r\n \"name\": \"712fab52-2a7d-401e-a08c-ff939cc7c25e\",\r\n \"type\": \"Microsoft.SecurityInsights/AlertRuleTemplates\",\r\n \"kind\": \"Scheduled\",\r\n \"properties\": {\r\n \"severity\": \"Medium\",\r\n \"query\": \"let dt_lookBack = 1h;\\nlet ioc_lookBack = 14d;\\nThreatIntelligenceIndicator\\n| where TimeGenerated >= ago(ioc_lookBack) and ExpirationDateTime > now()\\n| where Active == true\\n// Picking up only IOC's that contain the entities we want\\n| where isnotempty(Url)\\n| join (\\n AuditLogs\\n | where TimeGenerated >= ago(dt_lookBack)\\n // Extract the URL that is contained within the JSON data\\n | extend Url = extract(\\\"(http[s]?://(?:[a-zA-Z]|[0-9]|[$-_@.&+]|[!*\\\\\\\\(\\\\\\\\),]|(?:%[0-9a-fA-F][0-9a-fA-F]))+);\\\", 1,tostring(TargetResources))\\n | where isnotempty(Url)\\n | extend userPrincipalName = tostring(parse_json(tostring(InitiatedBy.user)).userPrincipalName)\\n | extend TargetResourceDisplayName = tostring(TargetResources[0].displayName)\\n | extend Audit_TimeGenerated = TimeGenerated\\n) on Url\\n| summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId\\n| project LatestIndicatorTime, Description, ActivityGroupNames, IndicatorId, ThreatType, ExpirationDateTime, ConfidenceScore,\\nAudit_TimeGenerated, OperationName, Identity, userPrincipalName, TargetResourceDisplayName, Url\\n| extend timestamp = Audit_TimeGenerated, AccountCustomEntity = userPrincipalName, HostCustomEntity = TargetResourceDisplayName, URLCustomEntity = Url\",\r\n \"queryFrequency\": \"PT1H\",\r\n \"queryPeriod\": \"P14D\",\r\n \"triggerOperator\": \"GreaterThan\",\r\n \"triggerThreshold\": 0,\r\n \"entityMappings\": [\r\n {\r\n \"entityType\": \"Account\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"FullName\",\r\n \"columnName\": \"AccountCustomEntity\"\r\n }\r\n ]\r\n },\r\n {\r\n \"entityType\": \"Host\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"FullName\",\r\n \"columnName\": \"HostCustomEntity\"\r\n }\r\n ]\r\n },\r\n {\r\n \"entityType\": \"URL\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"Url\",\r\n \"columnName\": \"URLCustomEntity\"\r\n }\r\n ]\r\n }\r\n ],\r\n \"displayName\": \"(Preview) TI map URL entity to AuditLogs\",\r\n \"description\": \"Identifies a match in AuditLogs from any URL IOC from TI\",\r\n \"tactics\": [\r\n \"Impact\"\r\n ],\r\n \"lastUpdatedDateUTC\": \"2020-11-17T00:00:00Z\",\r\n \"createdDateUTC\": \"2019-08-27T00:00:00Z\",\r\n \"status\": \"Available\",\r\n \"requiredDataConnectors\": [\r\n {\r\n \"connectorId\": \"AzureActiveDirectory\",\r\n \"dataTypes\": [\r\n \"AuditLogs\"\r\n ]\r\n },\r\n {\r\n \"connectorId\": \"ThreatIntelligence\",\r\n \"dataTypes\": [\r\n \"ThreatIntelligenceIndicator\"\r\n ]\r\n },\r\n {\r\n \"connectorId\": \"ThreatIntelligenceTaxii\",\r\n \"dataTypes\": [\r\n \"ThreatIntelligenceIndicator\"\r\n ]\r\n }\r\n ],\r\n \"alertRulesCreatedByTemplateCount\": 0\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/AlertRuleTemplates/361dd1e3-1c11-491e-82a3-bb2e44ac36ba\",\r\n \"name\": \"361dd1e3-1c11-491e-82a3-bb2e44ac36ba\",\r\n \"type\": \"Microsoft.SecurityInsights/AlertRuleTemplates\",\r\n \"kind\": \"Scheduled\",\r\n \"properties\": {\r\n \"severity\": \"Medium\",\r\n \"query\": \"let szOperationNames = dynamic([\\\"Create or Update Virtual Machine\\\", \\\"Create Deployment\\\"]);\\nlet starttime = 7d;\\nlet endtime = 1d;\\nAzureActivity\\n| where TimeGenerated between (startofday(ago(starttime)) .. startofday(ago(endtime)))\\n| where OperationName in~ (szOperationNames)\\n| summarize StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated), ActivityTimeStamp = makelist(TimeGenerated), ActivityStatus = makelist(ActivityStatus), \\nOperationIds = makelist(OperationId), CallerIpAddress = makelist(CallerIpAddress), CorrelationId = makelist(CorrelationId) \\nby ResourceId, Caller, OperationName, Resource, ResourceGroup\\n| mvexpand CallerIpAddress\\n| where isnotempty(CallerIpAddress)\\n| make-series dResourceCount=dcount(ResourceId) default=0 on StartTimeUtc in range(startofday(ago(7d)), now(), 1d) \\nby Caller, tostring(ActivityTimeStamp), tostring(ActivityStatus), tostring(OperationIds), tostring(CallerIpAddress), tostring(CorrelationId), ResourceId, OperationName, Resource, ResourceGroup\\n| extend (RSquare,Slope,Variance,RVariance,Interception,LineFit)=series_fit_line(dResourceCount)\\n| where Slope > 0.2\\n| join kind=leftsemi (\\n// Last day's activity is anomalous\\nAzureActivity\\n| where TimeGenerated >= startofday(ago(endtime))\\n| where OperationName in~ (szOperationNames)\\n| summarize StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated), ActivityTimeStamp = makelist(TimeGenerated), ActivityStatus = makelist(ActivityStatus), \\nOperationIds = makelist(OperationId), CallerIpAddress = makelist(CallerIpAddress), CorrelationId = makelist(CorrelationId) \\nby ResourceId, Caller, OperationName, Resource, ResourceGroup\\n| mvexpand CallerIpAddress\\n| where isnotempty(CallerIpAddress)\\n| make-series dResourceCount=dcount(ResourceId) default=0 on StartTimeUtc in range(startofday(ago(1d)), now(), 1d) \\nby Caller, tostring(ActivityTimeStamp), tostring(ActivityStatus), tostring(OperationIds), tostring(CallerIpAddress), tostring(CorrelationId), ResourceId, OperationName, Resource, ResourceGroup\\n| extend (RSquare,Slope,Variance,RVariance,Interception,LineFit)=series_fit_line(dResourceCount)\\n| where Slope > 0.2 \\n) on Caller, CallerIpAddress \\n| mvexpand todynamic(ActivityTimeStamp), todynamic(ActivityStatus), todynamic(OperationIds), todynamic(CorrelationId)\\n| extend timestamp = ActivityTimeStamp, AccountCustomEntity = Caller, IPCustomEntity = CallerIpAddress\",\r\n \"queryFrequency\": \"P1D\",\r\n \"queryPeriod\": \"P7D\",\r\n \"triggerOperator\": \"GreaterThan\",\r\n \"triggerThreshold\": 0,\r\n \"entityMappings\": [\r\n {\r\n \"entityType\": \"Account\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"FullName\",\r\n \"columnName\": \"AccountCustomEntity\"\r\n }\r\n ]\r\n },\r\n {\r\n \"entityType\": \"IP\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"Address\",\r\n \"columnName\": \"IPCustomEntity\"\r\n }\r\n ]\r\n }\r\n ],\r\n \"displayName\": \"Suspicious number of resource creation or deployment activities\",\r\n \"description\": \"Indicates when an anomalous number of VM creations or deployment activities occur in Azure via the AzureActivity log.\\nThe anomaly detection identifies activities that have occurred both since the start of the day 1 day ago and the start of the day 7 days ago.\\nThe start of the day is considered 12am UTC time.\",\r\n \"tactics\": [\r\n \"Impact\"\r\n ],\r\n \"lastUpdatedDateUTC\": \"2020-11-18T00:00:00Z\",\r\n \"createdDateUTC\": \"2019-02-05T00:00:00Z\",\r\n \"status\": \"Available\",\r\n \"requiredDataConnectors\": [\r\n {\r\n \"connectorId\": \"AzureActivity\",\r\n \"dataTypes\": [\r\n \"AzureActivity\"\r\n ]\r\n }\r\n ],\r\n \"alertRulesCreatedByTemplateCount\": 0\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/AlertRuleTemplates/be52662c-3b23-435a-a6fa-f39bdfc849e6\",\r\n \"name\": \"be52662c-3b23-435a-a6fa-f39bdfc849e6\",\r\n \"type\": \"Microsoft.SecurityInsights/AlertRuleTemplates\",\r\n \"kind\": \"Scheduled\",\r\n \"properties\": {\r\n \"severity\": \"Medium\",\r\n \"query\": \"let timeframe = ago(1h);\\nlet threshold = 10;\\nQualysHostDetection_CL\\n| where TimeGenerated >= timeframe\\n| mv-expand todynamic(Detections_s)\\n| where Detections_s.Severity == \\\"5\\\"\\n| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated), count() by NetBios_s, IPAddress\\n| where count_ >= threshold\\n| extend timestamp = StartTime, HostCustomEntity = NetBios_s, IPCustomEntity = IPAddress\",\r\n \"queryFrequency\": \"PT1H\",\r\n \"queryPeriod\": \"PT1H\",\r\n \"triggerOperator\": \"GreaterThan\",\r\n \"triggerThreshold\": 0,\r\n \"entityMappings\": [\r\n {\r\n \"entityType\": \"Host\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"FullName\",\r\n \"columnName\": \"HostCustomEntity\"\r\n }\r\n ]\r\n },\r\n {\r\n \"entityType\": \"IP\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"Address\",\r\n \"columnName\": \"IPCustomEntity\"\r\n }\r\n ]\r\n }\r\n ],\r\n \"displayName\": \"High Number of Urgent Vulnerabilities Detected\",\r\n \"description\": \"This Creates an incident when a host has a high number of Urgent, severity 5, vulnerabilities detected.\",\r\n \"tactics\": [\r\n \"InitialAccess\"\r\n ],\r\n \"lastUpdatedDateUTC\": \"2020-11-17T00:00:00Z\",\r\n \"createdDateUTC\": \"2020-06-20T00:00:00Z\",\r\n \"status\": \"Available\",\r\n \"requiredDataConnectors\": [\r\n {\r\n \"connectorId\": \"QualysVulnerabilityManagement\",\r\n \"dataTypes\": [\r\n \"QualysHostDetection_CL\"\r\n ]\r\n }\r\n ],\r\n \"alertRulesCreatedByTemplateCount\": 0\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/AlertRuleTemplates/39198934-62a0-4781-8416-a81265c03fd6\",\r\n \"name\": \"39198934-62a0-4781-8416-a81265c03fd6\",\r\n \"type\": \"Microsoft.SecurityInsights/AlertRuleTemplates\",\r\n \"kind\": \"Scheduled\",\r\n \"properties\": {\r\n \"severity\": \"Medium\",\r\n \"query\": \"let detectionTime = 1d;\\nlet joinLookback = 14d;\\nAuditLogs\\n| where TimeGenerated > ago(detectionTime)\\n| where LoggedByService =~ \\\"Core Directory\\\"\\n| where Category =~ \\\"ApplicationManagement\\\"\\n| where OperationName =~ \\\"Consent to application\\\"\\n| where TargetResources has \\\"offline\\\"\\n| extend AppDisplayName = TargetResources.[0].displayName\\n| extend AppClientId = tolower(TargetResources.[0].id)\\n| where AppClientId !in ((externaldata(knownAppClientId:string, knownAppDisplayName:string)[@\\\"https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Sample%20Data/Feeds/Microsoft.OAuth.KnownApplications.csv\\\"] with (format=\\\"csv\\\")))\\n| extend ConsentFull = TargetResources[0].modifiedProperties[4].newValue\\n| parse ConsentFull with * \\\"ConsentType: \\\" GrantConsentType \\\", Scope: \\\" GrantScope1 \\\"]\\\" *\\n| where ConsentFull contains \\\"user.read\\\" and ConsentFull contains \\\"offline_access\\\" and ConsentFull contains \\\"mail.readwrite\\\" and ConsentFull contains \\\"mail.send\\\" and ConsentFull contains \\\"files.read.all\\\"\\n| where GrantConsentType != \\\"AllPrincipals\\\" // NOTE: we are ignoring if OAuth application was granted to all users via an admin - but admin due diligence should be audited occasionally\\n| extend GrantIpAddress = iff(isnotempty(InitiatedBy.user.ipAddress), InitiatedBy.user.ipAddress, InitiatedBy.app.ipAddress)\\n| extend GrantInitiatedBy = iff(isnotempty(InitiatedBy.user.userPrincipalName),InitiatedBy.user.userPrincipalName, InitiatedBy.app.displayName)\\n| extend GrantUserAgent = iff(AdditionalDetails[0].key =~ \\\"User-Agent\\\", AdditionalDetails[0].value, \\\"\\\")\\n| project TimeGenerated, GrantConsentType, GrantScope1, GrantInitiatedBy, AppDisplayName, GrantIpAddress, GrantUserAgent, AppClientId, OperationName, ConsentFull, CorrelationId\\n| join kind = leftouter (AuditLogs\\n| where TimeGenerated > ago(joinLookback)\\n| where LoggedByService =~ \\\"Core Directory\\\"\\n| where Category =~ \\\"ApplicationManagement\\\"\\n| where OperationName =~ \\\"Add service principal\\\"\\n| extend AppClientId = tolower(TargetResources[0].id)\\n| extend AppReplyURLs = iff(TargetResources[0].modifiedProperties[1].newValue has \\\"AddressType\\\", TargetResources[0].modifiedProperties[1].newValue, \\\"\\\")\\n| distinct AppClientId, tostring(AppReplyURLs)\\n)\\non AppClientId\\n| join kind = innerunique (AuditLogs\\n| where TimeGenerated > ago(joinLookback)\\n| where LoggedByService =~ \\\"Core Directory\\\"\\n| where Category =~ \\\"ApplicationManagement\\\"\\n| where OperationName =~ \\\"Add OAuth2PermissionGrant\\\" or OperationName =~ \\\"Add delegated permission grant\\\"\\n| extend GrantAuthentication = tostring(TargetResources[0].displayName)\\n| extend GrantOperation = OperationName\\n| project GrantAuthentication, GrantOperation, CorrelationId\\n) on CorrelationId\\n| project TimeGenerated, GrantConsentType, GrantScope1, GrantInitiatedBy, AppDisplayName, AppReplyURLs, GrantIpAddress, GrantUserAgent, AppClientId, GrantAuthentication, OperationName, GrantOperation, CorrelationId, ConsentFull\",\r\n \"queryFrequency\": \"P1D\",\r\n \"queryPeriod\": \"P14D\",\r\n \"triggerOperator\": \"GreaterThan\",\r\n \"triggerThreshold\": 0,\r\n \"displayName\": \"Suspicious application consent similar to PwnAuth\",\r\n \"description\": \"This will alert when a user consents to provide a previously-unknown Azure application with the same OAuth permissions used by the FireEye PwnAuth toolkit (https://github.com/fireeye/PwnAuth).\\nThe default permissions/scope for the PwnAuth toolkit are user.read, offline_access, mail.readwrite, mail.send, and files.read.all.\\nConsent to applications with these permissions should be rare, especially as the knownApplications list is expanded. Public contributions to expand this filter are welcome!\\nFor further information on AuditLogs please see https://docs.microsoft.com/azure/active-directory/reports-monitoring/reference-audit-activities.\",\r\n \"tactics\": [\r\n \"CredentialAccess\",\r\n \"DefenseEvasion\"\r\n ],\r\n \"lastUpdatedDateUTC\": \"2020-06-29T00:00:00Z\",\r\n \"createdDateUTC\": \"2020-06-26T00:00:00Z\",\r\n \"status\": \"Available\",\r\n \"requiredDataConnectors\": [\r\n {\r\n \"connectorId\": \"AzureActiveDirectory\",\r\n \"dataTypes\": [\r\n \"AuditLogs\"\r\n ]\r\n }\r\n ],\r\n \"alertRulesCreatedByTemplateCount\": 0\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/AlertRuleTemplates/f71aba3d-28fb-450b-b192-4e76a83015c8\",\r\n \"name\": \"f71aba3d-28fb-450b-b192-4e76a83015c8\",\r\n \"type\": \"Microsoft.SecurityInsights/AlertRuleTemplates\",\r\n \"kind\": \"Fusion\",\r\n \"properties\": {\r\n \"severity\": \"High\",\r\n \"displayName\": \"Advanced Multistage Attack Detection\",\r\n \"description\": \"Using Fusion technology based on machine learning, Azure Sentinel automatically detects multistage attacks by identifying combinations of anomalous behaviors and suspicious activities observed at various stages of the kill chain. On the basis of these discoveries, Azure Sentinel generates incidents that would otherwise be very difficult to catch. By design, these incidents are low-volume, high-fidelity, and high-severity, which is why this detection is turned ON by default.\\n\\nThere are a total of 70 Fusion incident types detected by Azure Sentinel.\\n- 65 of these show the combination of suspicious Azure Active Directory sign-in events followed by anomalous Office 365 activity. Out of these 65, 30 are in public preview. \\n- The remaining five incident types show the combination of anomalous signals from Microsoft Defender Advanced Threat Protection and from Palo Alto Networks firewalls. These five types are all in public preview.\\n\\nTo detect these multistage attacks, the following data connectors must be configured:\\n- Azure Active Directory Identity Protection.\\n- Microsoft Cloud App Security.\\n- Microsoft Defender Advanced Threat Protection.\\n- Palo Alto Networks.\\n\\nFor a full list and description of each scenario that is supported for these multistage attacks, go to https://aka.ms/SentinelFusion.\",\r\n \"tactics\": [\r\n \"Collection\",\r\n \"CommandAndControl\",\r\n \"DefenseEvasion\",\r\n \"Discovery\",\r\n \"Execution\",\r\n \"Exfiltration\",\r\n \"Impact\",\r\n \"InitialAccess\",\r\n \"LateralMovement\",\r\n \"Persistence\",\r\n \"PrivilegeEscalation\"\r\n ],\r\n \"lastUpdatedDateUTC\": \"2020-09-09T00:00:00Z\",\r\n \"createdDateUTC\": \"2019-07-25T00:00:00Z\",\r\n \"status\": \"Available\",\r\n \"alertRulesCreatedByTemplateCount\": 0\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/AlertRuleTemplates/3d023f64-8225-41a2-9570-2bd7c2c4535e\",\r\n \"name\": \"3d023f64-8225-41a2-9570-2bd7c2c4535e\",\r\n \"type\": \"Microsoft.SecurityInsights/AlertRuleTemplates\",\r\n \"kind\": \"Scheduled\",\r\n \"properties\": {\r\n \"severity\": \"Medium\",\r\n \"query\": \"let timeframe = 1d;\\nlet spanoftime = 10m;\\nlet threshold = 0;\\nSecurityEvent \\n| where TimeGenerated > ago(2*timeframe) \\n// A user account was enabled\\n| where EventID == 4722\\n| where AccountType =~ \\\"User\\\"\\n| project creationTime = TimeGenerated, CreateEventID = EventID, Activity, Computer, TargetUserName, UserPrincipalName, \\nAccountUsedToCreate = SubjectUserName, TargetSid, SubjectUserSid \\n| join kind= inner (\\n SecurityEvent\\n | where TimeGenerated > ago(timeframe) \\n // A user account was disabled \\n | where EventID == 4725\\n| where AccountType == \\\"User\\\"\\n| project deletionTime = TimeGenerated, DeleteEventID = EventID, Activity, Computer, TargetUserName, UserPrincipalName, \\nAccountUsedToDelete = SubjectUserName, TargetSid, SubjectUserSid \\n) on Computer, TargetUserName\\n| where deletionTime - creationTime < spanoftime\\n| extend TimeDelta = deletionTime - creationTime\\n| where tolong(TimeDelta) >= threshold\\n| project TimeDelta, creationTime, CreateEventID, Computer, TargetUserName, UserPrincipalName, AccountUsedToCreate, \\ndeletionTime, DeleteEventID, AccountUsedToDelete\\n| extend timestamp = creationTime, AccountCustomEntity = AccountUsedToCreate, HostCustomEntity = Computer\",\r\n \"queryFrequency\": \"P1D\",\r\n \"queryPeriod\": \"P1D\",\r\n \"triggerOperator\": \"GreaterThan\",\r\n \"triggerThreshold\": 0,\r\n \"entityMappings\": [\r\n {\r\n \"entityType\": \"Account\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"FullName\",\r\n \"columnName\": \"AccountCustomEntity\"\r\n }\r\n ]\r\n },\r\n {\r\n \"entityType\": \"Host\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"FullName\",\r\n \"columnName\": \"HostCustomEntity\"\r\n }\r\n ]\r\n }\r\n ],\r\n \"displayName\": \"User account enabled and disabled within 10 mins\",\r\n \"description\": \"Identifies when a user account is enabled and then disabled within 10 minutes. This can be an indication of compromise and\\nan adversary attempting to hide in the noise.\",\r\n \"tactics\": [\r\n \"Persistence\",\r\n \"PrivilegeEscalation\"\r\n ],\r\n \"lastUpdatedDateUTC\": \"2020-11-17T00:00:00Z\",\r\n \"createdDateUTC\": \"2019-02-14T00:00:00Z\",\r\n \"status\": \"Available\",\r\n \"requiredDataConnectors\": [\r\n {\r\n \"connectorId\": \"SecurityEvents\",\r\n \"dataTypes\": [\r\n \"SecurityEvent\"\r\n ]\r\n }\r\n ],\r\n \"alertRulesCreatedByTemplateCount\": 0\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/AlertRuleTemplates/75bf9902-0789-47c1-a5d8-f57046aa72df\",\r\n \"name\": \"75bf9902-0789-47c1-a5d8-f57046aa72df\",\r\n \"type\": \"Microsoft.SecurityInsights/AlertRuleTemplates\",\r\n \"kind\": \"Scheduled\",\r\n \"properties\": {\r\n \"severity\": \"Medium\",\r\n \"query\": \"let timeframe = 1d;\\nlet procList = dynamic([\\\"cmd.exe\\\",\\\"ftp.exe\\\",\\\"schtasks.exe\\\",\\\"powershell.exe\\\",\\\"rundll32.exe\\\",\\\"regsvr32.exe\\\",\\\"msiexec.exe\\\"]);\\nlet ProcessCreationEvents=() {\\nlet processEvents=SecurityEvent\\n| where EventID==4688\\n| where isnotempty(CommandLine)\\n| project TimeGenerated, Computer, Account = SubjectUserName, AccountDomain = SubjectDomainName, NewProcessName,\\nFileName = Process, CommandLine, ParentProcessName;\\nprocessEvents};\\nProcessCreationEvents \\n| where TimeGenerated >= ago(timeframe)\\n| where FileName in~ (procList)\\n| where CommandLine contains \\\":\\\\\\\\recycler\\\"\\n| project StartTimeUtc = TimeGenerated, Computer, Account, NewProcessName, FileName, CommandLine, ParentProcessName\\n| extend timestamp = StartTimeUtc, AccountCustomEntity = Account, HostCustomEntity = Computer\",\r\n \"queryFrequency\": \"P1D\",\r\n \"queryPeriod\": \"P1D\",\r\n \"triggerOperator\": \"GreaterThan\",\r\n \"triggerThreshold\": 0,\r\n \"entityMappings\": [\r\n {\r\n \"entityType\": \"Account\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"FullName\",\r\n \"columnName\": \"AccountCustomEntity\"\r\n }\r\n ]\r\n },\r\n {\r\n \"entityType\": \"Host\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"FullName\",\r\n \"columnName\": \"HostCustomEntity\"\r\n }\r\n ]\r\n }\r\n ],\r\n \"displayName\": \"Malware in the recycle bin\",\r\n \"description\": \"Identifies malware that has been hidden in the recycle bin.\\nReferences: https://azure.microsoft.com/blog/how-azure-security-center-helps-reveal-a-cyberattack/.\",\r\n \"tactics\": [\r\n \"DefenseEvasion\"\r\n ],\r\n \"lastUpdatedDateUTC\": \"2020-11-17T00:00:00Z\",\r\n \"createdDateUTC\": \"2018-09-14T00:00:00Z\",\r\n \"status\": \"Available\",\r\n \"requiredDataConnectors\": [\r\n {\r\n \"connectorId\": \"SecurityEvents\",\r\n \"dataTypes\": [\r\n \"SecurityEvent\"\r\n ]\r\n }\r\n ],\r\n \"alertRulesCreatedByTemplateCount\": 0\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/AlertRuleTemplates/9736e5f1-7b6e-4bfb-a708-e53ff1d182c3\",\r\n \"name\": \"9736e5f1-7b6e-4bfb-a708-e53ff1d182c3\",\r\n \"type\": \"Microsoft.SecurityInsights/AlertRuleTemplates\",\r\n \"kind\": \"Scheduled\",\r\n \"properties\": {\r\n \"severity\": \"Low\",\r\n \"query\": \"let timeframe = 1d;\\nlet tokens = dynamic([\\\"416\\\",\\\"208\\\",\\\"128\\\",\\\"120\\\",\\\"96\\\",\\\"80\\\",\\\"72\\\",\\\"64\\\",\\\"48\\\",\\\"44\\\",\\\"40\\\",\\\"g5\\\",\\\"gs5\\\",\\\"g4\\\",\\\"gs4\\\",\\\"nc12\\\",\\\"nc24\\\",\\\"nv12\\\"]);\\nlet operationList = dynamic([\\\"Create or Update Virtual Machine\\\", \\\"Create Deployment\\\"]);\\nAzureActivity\\n| where TimeGenerated >= ago(timeframe)\\n| where OperationName in (operationList)\\n| where ActivityStatus == \\\"Accepted\\\" \\n| where isnotempty(Properties)\\n| extend vmSize = tolower(tostring(parse_json(tostring(parse_json(tostring(parse_json(tostring(parse_json(Properties).responseBody)).properties)).hardwareProfile)).vmSize))\\n| where isnotempty(vmSize)\\n| where vmSize has_any (tokens) \\n| extend ComputerName = tostring(parse_json(tostring(parse_json(tostring(parse_json(tostring(parse_json(Properties).responseBody)).properties)).osProfile)).computerName)\\n| extend clientIpAddress = tostring(parse_json(HTTPRequest).clientIpAddress)\\n| project TimeGenerated, OperationName, ActivityStatus, Caller, CallerIpAddress, ComputerName, vmSize\\n| extend timestamp = TimeGenerated, AccountCustomEntity = Caller, IPCustomEntity = CallerIpAddress\",\r\n \"queryFrequency\": \"P1D\",\r\n \"queryPeriod\": \"P1D\",\r\n \"triggerOperator\": \"GreaterThan\",\r\n \"triggerThreshold\": 1,\r\n \"entityMappings\": [\r\n {\r\n \"entityType\": \"Account\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"FullName\",\r\n \"columnName\": \"AccountCustomEntity\"\r\n }\r\n ]\r\n },\r\n {\r\n \"entityType\": \"IP\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"Address\",\r\n \"columnName\": \"IPCustomEntity\"\r\n }\r\n ]\r\n }\r\n ],\r\n \"displayName\": \"Creation of expensive computes in Azure\",\r\n \"description\": \"Identifies the creation of large size/expensive VMs (GPU or with large no of virtual CPUs) in Azure.\\nAdversary may create new or update existing virtual machines sizes to evade defenses \\nor use it for cryptomining purposes.\\nFor Windows/Linux Vm Sizes - https://docs.microsoft.com/azure/virtual-machines/windows/sizes \\nAzure VM Naming Conventions - https://docs.microsoft.com/azure/virtual-machines/vm-naming-conventions\",\r\n \"tactics\": [\r\n \"DefenseEvasion\"\r\n ],\r\n \"lastUpdatedDateUTC\": \"2020-11-17T00:00:00Z\",\r\n \"createdDateUTC\": \"2020-08-28T00:00:00Z\",\r\n \"status\": \"Available\",\r\n \"requiredDataConnectors\": [\r\n {\r\n \"connectorId\": \"AzureActivity\",\r\n \"dataTypes\": [\r\n \"AzureActivity\"\r\n ]\r\n }\r\n ],\r\n \"alertRulesCreatedByTemplateCount\": 0\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/AlertRuleTemplates/aac495a9-feb1-446d-b08e-a1164a539452\",\r\n \"name\": \"aac495a9-feb1-446d-b08e-a1164a539452\",\r\n \"type\": \"Microsoft.SecurityInsights/AlertRuleTemplates\",\r\n \"kind\": \"Scheduled\",\r\n \"properties\": {\r\n \"severity\": \"Medium\",\r\n \"query\": \"ThreatIntelligenceIndicator\\n| where TimeGenerated >= ago(24h)\\n| where Action == true\\n// Picking up only IOC's that contain the entities we want\\n| where isnotempty(NetworkIP) or isnotempty(EmailSourceIpAddress) or isnotempty(NetworkDestinationIP) or isnotempty(NetworkSourceIP)\\n// Taking the first non-empty value based on potential IOC match availability\\n| extend TI_ipEntity = iff(isnotempty(NetworkIP), NetworkIP, NetworkDestinationIP)\\n| extend TI_ipEntity = iff(isempty(TI_ipEntity) and isnotempty(NetworkSourceIP), NetworkSourceIP, TI_ipEntity)\\n| extend TI_ipEntity = iff(isempty(TI_ipEntity) and isnotempty(EmailSourceIpAddress), EmailSourceIpAddress, TI_ipEntity)\\n| join (\\n GitHubAudit\\n | where TimeGenerated >= ago(24h)\\n | extend GitHubAudit_TimeGenerated = TimeGenerated\\n)\\non $left.TI_ipEntity == $right.IPaddress\\n| summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId\\n| project LatestIndicatorTime, Description, ActivityGroupNames, IndicatorId, ThreatType, Url, ExpirationDateTime, ConfidenceScore, GitHubAudit_TimeGenerated, TI_ipEntity, IPaddress, Actor, Action, Country, OperationType, NetworkIP, NetworkDestinationIP, NetworkSourceIP, EmailSourceIpAddress\\n| extend timestamp = GitHubAudit_TimeGenerated, IPCustomEntity = IPaddress, AccountCustomEntity = Actor\",\r\n \"queryFrequency\": \"PT1H\",\r\n \"queryPeriod\": \"P14D\",\r\n \"triggerOperator\": \"GreaterThan\",\r\n \"triggerThreshold\": 0,\r\n \"entityMappings\": [\r\n {\r\n \"entityType\": \"Account\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"FullName\",\r\n \"columnName\": \"AccountCustomEntity\"\r\n }\r\n ]\r\n },\r\n {\r\n \"entityType\": \"IP\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"Address\",\r\n \"columnName\": \"IPCustomEntity\"\r\n }\r\n ]\r\n }\r\n ],\r\n \"displayName\": \"TI map IP entity to GitHub_CL\",\r\n \"description\": \"Identifies a match in GitHub_CL table from any IP IOC from TI\",\r\n \"tactics\": [\r\n \"Impact\"\r\n ],\r\n \"lastUpdatedDateUTC\": \"2020-11-17T00:00:00Z\",\r\n \"createdDateUTC\": \"2019-08-27T00:00:00Z\",\r\n \"status\": \"Available\",\r\n \"requiredDataConnectors\": [\r\n {\r\n \"connectorId\": \"ThreatIntelligence\",\r\n \"dataTypes\": [\r\n \"ThreatIntelligenceIndicator\"\r\n ]\r\n },\r\n {\r\n \"connectorId\": \"ThreatIntelligenceTaxii\",\r\n \"dataTypes\": [\r\n \"ThreatIntelligenceIndicator\"\r\n ]\r\n }\r\n ],\r\n \"alertRulesCreatedByTemplateCount\": 0\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/AlertRuleTemplates/34663177-8abf-4db1-b0a4-5683ab273f44\",\r\n \"name\": \"34663177-8abf-4db1-b0a4-5683ab273f44\",\r\n \"type\": \"Microsoft.SecurityInsights/AlertRuleTemplates\",\r\n \"kind\": \"Scheduled\",\r\n \"properties\": {\r\n \"severity\": \"Low\",\r\n \"query\": \"let timeframe = ago(1h);\\nlet threshold = 20;\\nPulseConnectSecure\\n| where TimeGenerated >= timeframe\\n| where Messages contains \\\"Login failed\\\"\\n| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated), count() by User, Source_IP\\n| where count_ > threshold\\n| extend timestamp = StartTime, AccountCustomEntity = User, IPCustomEntity = Source_IP\",\r\n \"queryFrequency\": \"PT1H\",\r\n \"queryPeriod\": \"PT1H\",\r\n \"triggerOperator\": \"GreaterThan\",\r\n \"triggerThreshold\": 0,\r\n \"entityMappings\": [\r\n {\r\n \"entityType\": \"Account\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"FullName\",\r\n \"columnName\": \"AccountCustomEntity\"\r\n }\r\n ]\r\n },\r\n {\r\n \"entityType\": \"IP\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"Address\",\r\n \"columnName\": \"IPCustomEntity\"\r\n }\r\n ]\r\n }\r\n ],\r\n \"displayName\": \"PulseConnectSecure - Potential Brute Force Attempts\",\r\n \"description\": \"This query identifies evidence of potential brute force attack by looking at multiple failed attempts to log into the VPN server\",\r\n \"tactics\": [\r\n \"CredentialAccess\"\r\n ],\r\n \"lastUpdatedDateUTC\": \"2020-11-17T00:00:00Z\",\r\n \"createdDateUTC\": \"2020-06-06T00:00:00Z\",\r\n \"status\": \"Available\",\r\n \"requiredDataConnectors\": [\r\n {\r\n \"connectorId\": \"PulseConnectSecure\",\r\n \"dataTypes\": [\r\n \"Syslog\"\r\n ]\r\n }\r\n ],\r\n \"alertRulesCreatedByTemplateCount\": 0\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/AlertRuleTemplates/65360bb0-8986-4ade-a89d-af3cf44d28aa\",\r\n \"name\": \"65360bb0-8986-4ade-a89d-af3cf44d28aa\",\r\n \"type\": \"Microsoft.SecurityInsights/AlertRuleTemplates\",\r\n \"kind\": \"Scheduled\",\r\n \"properties\": {\r\n \"severity\": \"Low\",\r\n \"query\": \"let timeframe = 1d;\\nlet EventNameList = dynamic([\\\"CreateNetworkAclEntry\\\",\\\"CreateRoute\\\",\\\"CreateRouteTable\\\",\\\"CreateInternetGateway\\\",\\\"CreateNatGateway\\\"]);\\nAWSCloudTrail\\n| where TimeGenerated > ago(timeframe)\\n| where EventName in~ (EventNameList)\\n| summarize StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated) by EventName, EventTypeName, UserIdentityAccountId, UserIdentityPrincipalid, UserAgent, \\nUserIdentityUserName, SessionMfaAuthenticated, SourceIpAddress, AWSRegion, EventSource, AdditionalEventData, ResponseElements\\n| extend timestamp = StartTimeUtc, AccountCustomEntity = UserIdentityUserName, IPCustomEntity = SourceIpAddress\",\r\n \"queryFrequency\": \"P1D\",\r\n \"queryPeriod\": \"P1D\",\r\n \"triggerOperator\": \"GreaterThan\",\r\n \"triggerThreshold\": 0,\r\n \"entityMappings\": [\r\n {\r\n \"entityType\": \"Account\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"FullName\",\r\n \"columnName\": \"AccountCustomEntity\"\r\n }\r\n ]\r\n },\r\n {\r\n \"entityType\": \"IP\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"Address\",\r\n \"columnName\": \"IPCustomEntity\"\r\n }\r\n ]\r\n }\r\n ],\r\n \"displayName\": \"Changes to Amazon VPC settings\",\r\n \"description\": \"Amazon Virtual Private Cloud (Amazon VPC) lets you provision a logically isolated section of the AWS Cloud where you can launch AWS resources\\nin a virtual network that you define.\\nThis identifies changes to Amazon VPC (Virtual Private Cloud) settings such as new ACL entries,routes, routetable or Gateways.\\nMore information: https://medium.com/@GorillaStack/the-most-important-aws-cloudtrail-security-events-to-track-a5b9873f8255 \\nand AWS VPC API Docs: https://docs.aws.amazon.com/AWSEC2/latest/APIReference/OperationList-query-vpc.html\",\r\n \"tactics\": [\r\n \"PrivilegeEscalation\",\r\n \"LateralMovement\"\r\n ],\r\n \"lastUpdatedDateUTC\": \"2020-11-17T00:00:00Z\",\r\n \"createdDateUTC\": \"2019-02-27T00:00:00Z\",\r\n \"status\": \"Available\",\r\n \"requiredDataConnectors\": [\r\n {\r\n \"connectorId\": \"AWS\",\r\n \"dataTypes\": [\r\n \"AWSCloudTrail\"\r\n ]\r\n }\r\n ],\r\n \"alertRulesCreatedByTemplateCount\": 0\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/AlertRuleTemplates/9fb57e58-3ed8-4b89-afcf-c8e786508b1c\",\r\n \"name\": \"9fb57e58-3ed8-4b89-afcf-c8e786508b1c\",\r\n \"type\": \"Microsoft.SecurityInsights/AlertRuleTemplates\",\r\n \"kind\": \"Scheduled\",\r\n \"properties\": {\r\n \"severity\": \"Low\",\r\n \"query\": \"let szOperationNames = dynamic([\\\"Create or Update Virtual Machine\\\", \\\"Create Deployment\\\"]);\\nlet starttime = 14d;\\nlet endtime = 1d;\\nlet RareCaller = AzureActivity\\n| where TimeGenerated between (ago(starttime) .. ago(endtime))\\n| where OperationName in~ (szOperationNames)\\n| project ResourceGroup, Caller, OperationName, CallerIpAddress\\n| join kind=rightantisemi (\\nAzureActivity\\n| where TimeGenerated > ago(endtime)\\n| where OperationName in~ (szOperationNames)\\n| summarize StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated), ActivityStatus = makeset(ActivityStatus), OperationIds = makeset(OperationId), CallerIpAddress = makeset(CallerIpAddress) \\nby ResourceId, Caller, OperationName, Resource, ResourceGroup\\n) on Caller, ResourceGroup \\n| mvexpand CallerIpAddress\\n| where isnotempty(CallerIpAddress);\\nlet Counts = RareCaller | summarize ActivityCountByCaller = count() by Caller;\\nRareCaller | join kind= inner (Counts) on Caller | project-away Caller1\\n| extend timestamp = StartTimeUtc, AccountCustomEntity = Caller, IPCustomEntity = tostring(CallerIpAddress)\\n| sort by ActivityCountByCaller desc nulls last\",\r\n \"queryFrequency\": \"P1D\",\r\n \"queryPeriod\": \"P14D\",\r\n \"triggerOperator\": \"GreaterThan\",\r\n \"triggerThreshold\": 0,\r\n \"entityMappings\": [\r\n {\r\n \"entityType\": \"Account\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"FullName\",\r\n \"columnName\": \"AccountCustomEntity\"\r\n }\r\n ]\r\n },\r\n {\r\n \"entityType\": \"IP\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"Address\",\r\n \"columnName\": \"IPCustomEntity\"\r\n }\r\n ]\r\n }\r\n ],\r\n \"displayName\": \"Suspicious Resource deployment\",\r\n \"description\": \"Identifies when a rare Resource and ResourceGroup deployment occurs by a previously unseen Caller.\",\r\n \"tactics\": [\r\n \"Impact\"\r\n ],\r\n \"lastUpdatedDateUTC\": \"2020-11-17T00:00:00Z\",\r\n \"createdDateUTC\": \"2019-02-05T00:00:00Z\",\r\n \"status\": \"Available\",\r\n \"requiredDataConnectors\": [\r\n {\r\n \"connectorId\": \"AzureActivity\",\r\n \"dataTypes\": [\r\n \"AzureActivity\"\r\n ]\r\n }\r\n ],\r\n \"alertRulesCreatedByTemplateCount\": 0\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/AlertRuleTemplates/d722831e-88f5-4e25-b106-4ef6e29f8c13\",\r\n \"name\": \"d722831e-88f5-4e25-b106-4ef6e29f8c13\",\r\n \"type\": \"Microsoft.SecurityInsights/AlertRuleTemplates\",\r\n \"kind\": \"Scheduled\",\r\n \"properties\": {\r\n \"severity\": \"Low\",\r\n \"query\": \"// a threshold can be enabled, see commented line below for PrevSeenCount\\nlet threshold = 2;\\nlet uploadOp = 'FileUploaded';\\n// Extensions that are interesting. Add/Remove to this list as you see fit\\nlet execExt = dynamic(['exe', 'inf', 'gzip', 'cmd', 'bat']);\\nlet starttime = 8d;\\nlet endtime = 1d;\\nOfficeActivity | where TimeGenerated >= ago(endtime)\\n// Limited to File Uploads due to potential noise, comment out the Operation statement below to include any operation type\\n// Additional, but potentially noisy operation types that include Uploads and Downloads can be included by adding the following - Operation contains \\\"upload\\\" or Operation contains \\\"download\\\"\\n| where Operation =~ uploadOp\\n| where SourceFileExtension has_any (execExt)\\n| project TimeGenerated, OfficeId, OfficeWorkload, RecordType, Operation, UserType, UserKey, UserId, ClientIP, UserAgent, Site_Url, SourceRelativeUrl, SourceFileName\\n| join kind= leftanti (\\nOfficeActivity | where TimeGenerated between (ago(starttime) .. ago(endtime))\\n| where Operation =~ uploadOp\\n| where SourceFileExtension has_any (execExt)\\n| summarize SourceRelativeUrl = make_set(SourceRelativeUrl), UserId = make_set(UserId) , PrevSeenCount = count() by SourceFileName\\n// To exclude previous matches when only above a specific count, change threshold above and uncomment the line below\\n//| where PrevSeenCount > threshold\\n| mvexpand SourceRelativeUrl, UserId\\n| extend SourceRelativeUrl = tostring(SourceRelativeUrl), UserId = tostring(UserId)\\n) on SourceFileName, SourceRelativeUrl, UserId \\n| extend SiteUrlUserFolder = tolower(split(Site_Url, '/')[-2])\\n| extend UserIdUserFolderFormat = tolower(replace('@|\\\\\\\\.', '_',UserId))\\n// identify when UserId is not a match to the specific site url personal folder reference\\n| extend UserIdDiffThanUserFolder = iff(Site_Url has '/personal/' and SiteUrlUserFolder != UserIdUserFolderFormat, true , false ) \\n| summarize TimeGenerated = make_list(TimeGenerated), StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated), \\nUserAgents = make_list(UserAgent), OfficeIds = make_list(OfficeId), SourceRelativeUrls = make_list(SourceRelativeUrl), FileNames = make_list(SourceFileName)\\nby OfficeWorkload, RecordType, Operation, UserType, UserKey, UserId, ClientIP, Site_Url, SiteUrlUserFolder, UserIdUserFolderFormat, UserIdDiffThanUserFolder\",\r\n \"queryFrequency\": \"P1D\",\r\n \"queryPeriod\": \"P8D\",\r\n \"triggerOperator\": \"GreaterThan\",\r\n \"triggerThreshold\": 0,\r\n \"displayName\": \"New executable via Office FileUploaded Operation\",\r\n \"description\": \"Identifies when executable file types are uploaded to Office services such as SharePoint and OneDrive.\\nList currently includes 'exe', 'inf', 'gzip', 'cmd', 'bat' file extensions.\\nAdditionally, identifies when a given user is uploading these files to another users workspace.\\nThis may be indication of a staging location for malware or other malicious activity.\",\r\n \"tactics\": [\r\n \"CommandAndControl\"\r\n ],\r\n \"lastUpdatedDateUTC\": \"2020-03-02T00:00:00Z\",\r\n \"createdDateUTC\": \"2020-02-27T00:00:00Z\",\r\n \"status\": \"Available\",\r\n \"requiredDataConnectors\": [\r\n {\r\n \"connectorId\": \"Office365\",\r\n \"dataTypes\": [\r\n \"OfficeActivity\"\r\n ]\r\n }\r\n ],\r\n \"alertRulesCreatedByTemplateCount\": 0\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/AlertRuleTemplates/4b11568b-3f5f-4ba1-80c8-7f1dc8390eb7\",\r\n \"name\": \"4b11568b-3f5f-4ba1-80c8-7f1dc8390eb7\",\r\n \"type\": \"Microsoft.SecurityInsights/AlertRuleTemplates\",\r\n \"kind\": \"Scheduled\",\r\n \"properties\": {\r\n \"severity\": \"Medium\",\r\n \"query\": \"let threshold = 50;\\nlet szSharePointFileOperation = \\\"SharePointFileOperation\\\";\\nlet szOperations = dynamic([\\\"FileDownloaded\\\", \\\"FileUploaded\\\"]);\\nlet starttime = 14d;\\nlet endtime = 1d;\\nlet historicalActivity =\\nOfficeActivity\\n| where TimeGenerated between(ago(starttime)..ago(endtime))\\n| where RecordType =~ szSharePointFileOperation\\n| where Operation in~ (szOperations)\\n| summarize historicalCount = count() by ClientIP, RecordType, Operation;\\nlet recentActivity = OfficeActivity\\n| where TimeGenerated > ago(endtime)\\n| where RecordType =~ szSharePointFileOperation\\n| where Operation in~ (szOperations)\\n| summarize min(Start_Time), max(Start_Time), recentCount = count() by ClientIP, RecordType, Operation;\\nlet RareIP = recentActivity | join kind= leftanti ( historicalActivity ) on ClientIP, RecordType, Operation\\n// More than 50 downloads/uploads from a new IP\\n| where recentCount > threshold;\\nOfficeActivity \\n| where TimeGenerated >= ago(endtime) \\n| where RecordType =~ szSharePointFileOperation\\n| where Operation in~ (szOperations)\\n| join kind= inner (RareIP) on ClientIP, RecordType, Operation\\n| where Start_Time between(min_Start_Time .. max_Start_Time)\\n| summarize StartTimeUtc = min(min_Start_Time), EndTimeUtc = max(max_Start_Time) by RecordType, Operation, UserType, UserId, ClientIP, OfficeWorkload, Site_Url, OfficeObjectId, UserAgent, IPSeenCount = recentCount\\n| extend timestamp = StartTimeUtc, AccountCustomEntity = UserId, IPCustomEntity = ClientIP, URLCustomEntity = Site_Url\\n| order by IPSeenCount desc, ClientIP asc, Operation asc, UserId asc\",\r\n \"queryFrequency\": \"P1D\",\r\n \"queryPeriod\": \"P14D\",\r\n \"triggerOperator\": \"GreaterThan\",\r\n \"triggerThreshold\": 0,\r\n \"entityMappings\": [\r\n {\r\n \"entityType\": \"Account\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"FullName\",\r\n \"columnName\": \"AccountCustomEntity\"\r\n }\r\n ]\r\n },\r\n {\r\n \"entityType\": \"IP\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"Address\",\r\n \"columnName\": \"IPCustomEntity\"\r\n }\r\n ]\r\n },\r\n {\r\n \"entityType\": \"URL\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"Url\",\r\n \"columnName\": \"URLCustomEntity\"\r\n }\r\n ]\r\n }\r\n ],\r\n \"displayName\": \"SharePointFileOperation via previously unseen IPs\",\r\n \"description\": \"Identifies when the volume of documents uploaded to or downloaded from Sharepoint by new IP addresses\\nexceeds a threshold (default is 50).\",\r\n \"tactics\": [\r\n \"Exfiltration\"\r\n ],\r\n \"lastUpdatedDateUTC\": \"2020-11-17T00:00:00Z\",\r\n \"createdDateUTC\": \"2019-08-23T00:00:00Z\",\r\n \"status\": \"Available\",\r\n \"requiredDataConnectors\": [\r\n {\r\n \"connectorId\": \"Office365\",\r\n \"dataTypes\": [\r\n \"OfficeActivity\"\r\n ]\r\n }\r\n ],\r\n \"alertRulesCreatedByTemplateCount\": 0\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/AlertRuleTemplates/871ba14c-88ef-48aa-ad38-810f26760ca3\",\r\n \"name\": \"871ba14c-88ef-48aa-ad38-810f26760ca3\",\r\n \"type\": \"Microsoft.SecurityInsights/AlertRuleTemplates\",\r\n \"kind\": \"Scheduled\",\r\n \"properties\": {\r\n \"severity\": \"Medium\",\r\n \"query\": \"let timeframe = 7d;\\nOfficeActivity\\n| where TimeGenerated >= ago(timeframe)\\n| where Operation =~ \\\"Set-Mailbox\\\"\\n| where Parameters has \\\"ForwardingSmtpAddress\\\"\\n| extend parsed = parse_json(Parameters)\\n| mv-expand parsed\\n| where parsed.Name == \\\"ForwardingSmtpAddress\\\"\\n| extend parameterName = tostring(parsed.Name), fwdingDestination = tostring(parsed.Value)\\n| where isnotempty(fwdingDestination)\\n| extend ClientIPOnly = case( \\nClientIP has \\\".\\\" and ClientIP has ':', tostring(split(ClientIP,\\\":\\\")[0]), \\nClientIP has \\\".\\\" and ClientIP has '-', tostring(split(ClientIP,\\\"-\\\")[0]), \\nClientIP has ']-', tostring(trim_start(@'[[]',tostring(split(ClientIP,\\\"]\\\")[0]))),\\nClientIP has ']:', tostring(trim_start(@'[[]',tostring(split(ClientIP,\\\"]\\\")[0]))),\\nisempty(ClientIP) and ClientIP_ has \\\".\\\" and ClientIP_ has ':', tostring(split(ClientIP_,\\\":\\\")[0]), \\nisempty(ClientIP) and ClientIP_ has \\\".\\\" and ClientIP_ has '-', tostring(split(ClientIP_,\\\"-\\\")[0]), \\nisempty(ClientIP) and ClientIP_ has ']-', tostring(trim_start(@'[[]',tostring(split(ClientIP_,\\\"]\\\")[0]))),\\nisempty(ClientIP) and ClientIP_ has ']:', tostring(trim_start(@'[[]',tostring(split(ClientIP_,\\\"]\\\")[0]))),\\nisnotempty(ClientIP), ClientIP,\\nisnotempty(ClientIP_), ClientIP_,\\n\\\"IP Not Available\\\"\\n) \\n| extend Port = case(\\nClientIP has \\\".\\\" and ClientIP has ':', tostring(split(ClientIP,\\\":\\\")[1]), \\nClientIP has \\\".\\\" and ClientIP has '-', tostring(split(ClientIP,\\\"-\\\")[1]), \\nClientIP has ']-', tostring(split(ClientIP,\\\"]-\\\")[1]), \\nClientIP has ']:', tostring(split(ClientIP,\\\"]:\\\")[1]), \\nisempty(ClientIP) and ClientIP_ has \\\".\\\" and ClientIP_ has ':', tostring(split(ClientIP_,\\\":\\\")[1]), \\nisempty(ClientIP) and ClientIP_ has \\\".\\\" and ClientIP_ has '-', tostring(split(ClientIP_,\\\"-\\\")[1]), \\nisempty(ClientIP) and ClientIP_ has ']-', tostring(split(ClientIP_,\\\"]-\\\")[1]),\\nisempty(ClientIP) and ClientIP_ has ']:', tostring(split(ClientIP_,\\\"]:\\\")[1]),\\nisnotempty(ClientIP), ClientIP,\\nisnotempty(ClientIP_), ClientIP_,\\n\\\"IP Not Available\\\"\\n)\\n| extend UserId = iff(isempty(UserId), UserId_, UserId)\\n| summarize StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated), DistinctUserCount = dcount(UserId), UserId = make_set(UserId), \\nPorts = make_set(Port), EventCount = count() by fwdingDestination, ClientIP = ClientIPOnly \\n| where DistinctUserCount > 1\\n| mv-expand UserId\\n| extend UserId = tostring(UserId), Ports = tostring(Ports)\\n| distinct StartTimeUtc, EndTimeUtc, UserId, DistinctUserCount, ClientIP, Ports, fwdingDestination, EventCount\\n| extend timestamp = StartTimeUtc, AccountCustomEntity = UserId, IPCustomEntity = ClientIP\",\r\n \"queryFrequency\": \"P1D\",\r\n \"queryPeriod\": \"P7D\",\r\n \"triggerOperator\": \"GreaterThan\",\r\n \"triggerThreshold\": 0,\r\n \"entityMappings\": [\r\n {\r\n \"entityType\": \"Account\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"FullName\",\r\n \"columnName\": \"AccountCustomEntity\"\r\n }\r\n ]\r\n },\r\n {\r\n \"entityType\": \"IP\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"Address\",\r\n \"columnName\": \"IPCustomEntity\"\r\n }\r\n ]\r\n }\r\n ],\r\n \"displayName\": \"Multiple users email forwarded to same destination\",\r\n \"description\": \"Identifies when multiple (more than one) users mailboxes are configured to forward to the same destination. \\nThis could be an attacker-controlled destination mailbox configured to collect mail from multiple compromised user accounts.\",\r\n \"tactics\": [\r\n \"Collection\",\r\n \"Exfiltration\"\r\n ],\r\n \"lastUpdatedDateUTC\": \"2020-11-17T00:00:00Z\",\r\n \"createdDateUTC\": \"2019-08-23T00:00:00Z\",\r\n \"status\": \"Available\",\r\n \"requiredDataConnectors\": [\r\n {\r\n \"connectorId\": \"Office365\",\r\n \"dataTypes\": [\r\n \"OfficeActivity\"\r\n ]\r\n }\r\n ],\r\n \"alertRulesCreatedByTemplateCount\": 0\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/AlertRuleTemplates/427e4c9e-8cf4-4094-a684-a2d060dbca38\",\r\n \"name\": \"427e4c9e-8cf4-4094-a684-a2d060dbca38\",\r\n \"type\": \"Microsoft.SecurityInsights/AlertRuleTemplates\",\r\n \"kind\": \"Scheduled\",\r\n \"properties\": {\r\n \"severity\": \"Medium\",\r\n \"query\": \"let timeframe = ago(1h);\\nlet threshold = 50;\\nSophosXGFirewall\\n| where TimeGenerated >= timeframe\\n| where Log_Type =~ \\\"Firewall\\\"\\n| where not(ipv4_is_match(\\\"10.0.0.0\\\",Src_IP,8) or ipv4_is_match(\\\"172.16.0.0\\\",Src_IP,12) or ipv4_is_match(\\\"192.168.0.0\\\",Src_IP,16))\\n| summarize dcount(Dst_Port) by Src_IP, bin(TimeGenerated, 5m)\\n| where dcount_Dst_Port > threshold\\n| extend timestamp = TimeGenerated, IPCustomEntity = Src_IP\",\r\n \"queryFrequency\": \"PT1H\",\r\n \"queryPeriod\": \"PT1H\",\r\n \"triggerOperator\": \"GreaterThan\",\r\n \"triggerThreshold\": 0,\r\n \"entityMappings\": [\r\n {\r\n \"entityType\": \"IP\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"Address\",\r\n \"columnName\": \"IPCustomEntity\"\r\n }\r\n ]\r\n }\r\n ],\r\n \"displayName\": \"Port Scan Detected\",\r\n \"description\": \"This alert creates an incident when a source IP addresses attempt to communicate with a large amount of distinct ports within a short period.\",\r\n \"tactics\": [\r\n \"Discovery\"\r\n ],\r\n \"lastUpdatedDateUTC\": \"2020-11-17T00:00:00Z\",\r\n \"createdDateUTC\": \"2020-07-08T00:00:00Z\",\r\n \"status\": \"Available\",\r\n \"requiredDataConnectors\": [\r\n {\r\n \"connectorId\": \"SophosXGFirewall\",\r\n \"dataTypes\": [\r\n \"Syslog\"\r\n ]\r\n }\r\n ],\r\n \"alertRulesCreatedByTemplateCount\": 0\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/AlertRuleTemplates/4b93c5af-d20b-4236-b696-a28b8c51407f\",\r\n \"name\": \"4b93c5af-d20b-4236-b696-a28b8c51407f\",\r\n \"type\": \"Microsoft.SecurityInsights/AlertRuleTemplates\",\r\n \"kind\": \"Scheduled\",\r\n \"properties\": {\r\n \"severity\": \"Medium\",\r\n \"query\": \"let timeframe = 1d;\\nlet spanoftime = 10m;\\nlet threshold = 0;\\nSecurityEvent \\n| where TimeGenerated > ago(2*timeframe) \\n// A user account was created\\n| where EventID == 4720\\n| where AccountType =~ \\\"User\\\"\\n| project creationTime = TimeGenerated, CreateEventID = EventID, Activity, Computer, TargetUserName, UserPrincipalName, \\nAccountUsedToCreate = SubjectUserName, TargetSid, SubjectUserSid \\n| join kind= inner (\\n SecurityEvent\\n | where TimeGenerated > ago(timeframe) \\n // A user account was deleted \\n | where EventID == 4726\\n| where AccountType == \\\"User\\\"\\n| project deletionTime = TimeGenerated, DeleteEventID = EventID, Activity, Computer, TargetUserName, UserPrincipalName, \\nAccountUsedToDelete = SubjectUserName, TargetSid, SubjectUserSid \\n) on Computer, TargetUserName\\n| where deletionTime - creationTime < spanoftime\\n| extend TimeDelta = deletionTime - creationTime\\n| where tolong(TimeDelta) >= threshold\\n| project TimeDelta, creationTime, CreateEventID, Computer, TargetUserName, UserPrincipalName, AccountUsedToCreate, \\ndeletionTime, DeleteEventID, AccountUsedToDelete\\n| extend timestamp = creationTime, AccountCustomEntity = AccountUsedToCreate, HostCustomEntity = Computer\",\r\n \"queryFrequency\": \"P1D\",\r\n \"queryPeriod\": \"P1D\",\r\n \"triggerOperator\": \"GreaterThan\",\r\n \"triggerThreshold\": 0,\r\n \"entityMappings\": [\r\n {\r\n \"entityType\": \"Account\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"FullName\",\r\n \"columnName\": \"AccountCustomEntity\"\r\n }\r\n ]\r\n },\r\n {\r\n \"entityType\": \"Host\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"FullName\",\r\n \"columnName\": \"HostCustomEntity\"\r\n }\r\n ]\r\n }\r\n ],\r\n \"displayName\": \"User account created and deleted within 10 mins\",\r\n \"description\": \"Identifies when a user account is created and then deleted within 10 minutes. This can be an indication of compromise and\\nan adversary attempting to hide in the noise.\",\r\n \"tactics\": [\r\n \"Persistence\",\r\n \"PrivilegeEscalation\"\r\n ],\r\n \"lastUpdatedDateUTC\": \"2020-11-17T00:00:00Z\",\r\n \"createdDateUTC\": \"2019-02-14T00:00:00Z\",\r\n \"status\": \"Available\",\r\n \"requiredDataConnectors\": [\r\n {\r\n \"connectorId\": \"SecurityEvents\",\r\n \"dataTypes\": [\r\n \"SecurityEvent\"\r\n ]\r\n }\r\n ],\r\n \"alertRulesCreatedByTemplateCount\": 0\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/AlertRuleTemplates/3255ec41-6bd6-4f35-84b1-c032b18bbfcb\",\r\n \"name\": \"3255ec41-6bd6-4f35-84b1-c032b18bbfcb\",\r\n \"type\": \"Microsoft.SecurityInsights/AlertRuleTemplates\",\r\n \"kind\": \"Scheduled\",\r\n \"properties\": {\r\n \"severity\": \"Low\",\r\n \"query\": \"let starttime = 1d;\\nlet TimeDeltaThresholdInSeconds = 60; // we ignore beacons diffs that fall below this threshold \\nlet TotalBeaconsThreshold = 4; // minimum number of beacons required in a session to surface a row\\nlet JitterTolerance = 0.2; // tolerance to jitter, e.g. - 0.2 = 20% jitter is tolerated either side of the periodicity\\nlet PrivateIPregex = @\\\"^127\\\\.|^10\\\\.|^172\\\\.1[6-9]\\\\.|^172\\\\.2[0-9]\\\\.|^172\\\\.3[0-1]\\\\.|^192\\\\.168\\\\.\\\"; // exclude destinations that fall into this category\\nCommonSecurityLog\\n| where DeviceVendor == \\\"Fortinet\\\"\\n| where TimeGenerated > ago(starttime)\\n// eliminate bad data\\n| where isnotempty(SourceIP) and isnotempty(DestinationIP) and SourceIP != \\\"0.0.0.0\\\"\\n// filter out deny, close, rst and SNMP to reduce data volume\\n| where DeviceAction !in (\\\"close\\\", \\\"client-rst\\\", \\\"server-rst\\\", \\\"deny\\\") and DestinationPort != 161\\n// map input fields\\n| project TimeGenerated , SourceIP, DestinationIP, DestinationPort, ReceivedBytes, SentBytes, DeviceAction \\n// where destination IPs are public\\n| extend DestinationIPType = iff(DestinationIP matches regex PrivateIPregex,\\\"private\\\" ,\\\"public\\\" )\\n| where DestinationIPType == \\\"public\\\"\\n// sort into source->destination 'sessions'\\n| sort by SourceIP asc, DestinationIP asc, DestinationPort asc, TimeGenerated asc\\n| serialize\\n// time diff the contact times between source and destination to get a list of deltas\\n| extend nextTimeGenerated = next(TimeGenerated, 1), nextSourceIP = next(SourceIP, 1), nextDestIP = next(DestinationIP, 1), nextDestPort = next(DestinationPort, 1)\\n| extend TimeDeltainSeconds = datetime_diff(\\\"second\\\",nextTimeGenerated,TimeGenerated)\\n| where SourceIP == nextSourceIP and DestinationIP == nextDestIP and DestinationPort == nextDestPort\\n// remove small time deltas below the set threshold\\n| where TimeDeltainSeconds > TimeDeltaThresholdInSeconds\\n| project TimeGenerated, TimeDeltainSeconds, SourceIP, DestinationIP, DestinationPort, ReceivedBytes, SentBytes, DeviceAction \\n// summarize the deltas by source->destination\\n| summarize count(), StartTime=min(TimeGenerated), EndTime=max(TimeGenerated), sum(ReceivedBytes), sum(SentBytes), makelist(TimeDeltainSeconds), makeset(DeviceAction) by SourceIP, DestinationIP, DestinationPort\\n// get some statistical properties of the delta distribution and smooth any outliers (e.g. laptop shut overnight, working hours)\\n| extend series_stats(list_TimeDeltainSeconds), outliers=series_outliers(list_TimeDeltainSeconds)\\n// expand the deltas and the outliers\\n| mvexpand list_TimeDeltainSeconds to typeof(double), outliers to typeof(double)\\n// replace outliers with the average of the distribution\\n| extend list_TimeDeltainSeconds_normalized=iff(outliers > 1.5 or outliers < -1.5, series_stats_list_TimeDeltainSeconds_avg , list_TimeDeltainSeconds)\\n// summarize with the smoothed distribution\\n| summarize BeaconCount=count(), makelist(list_TimeDeltainSeconds), list_TimeDeltainSeconds_normalized=makelist(list_TimeDeltainSeconds_normalized), makeset(set_DeviceAction) by StartTime, EndTime, SourceIP, DestinationIP, DestinationPort, sum_ReceivedBytes, sum_SentBytes\\n// get stats on the smoothed distribution\\n| extend series_stats(list_TimeDeltainSeconds_normalized)\\n// match jitter tolerance on smoothed distrib\\n| extend MaxJitter = (series_stats_list_TimeDeltainSeconds_normalized_avg*JitterTolerance)\\n| where series_stats_list_TimeDeltainSeconds_normalized_stdev < MaxJitter\\n// where the minimum beacon threshold is satisfied and there was some data transfer\\n| where BeaconCount > TotalBeaconsThreshold and (sum_SentBytes > 0 or sum_ReceivedBytes > 0)\\n// final projection\\n| project StartTime, EndTime, SourceIP, DestinationIP, DestinationPort, BeaconCount, TimeDeltasInSeconds=list_list_TimeDeltainSeconds, Periodicity=series_stats_list_TimeDeltainSeconds_normalized_avg, ReceivedBytes=sum_ReceivedBytes, SentBytes=sum_SentBytes, Actions=set_set_DeviceAction\\n// where periodicity is order of magnitude larger than time delta threshold (eliminates FPs whose periodicity is close to the values we ignored)\\n| where Periodicity >= (10*TimeDeltaThresholdInSeconds)\\n| extend timestamp = StartTime, IPCustomEntity = DestinationIP\",\r\n \"queryFrequency\": \"P1D\",\r\n \"queryPeriod\": \"P1D\",\r\n \"triggerOperator\": \"GreaterThan\",\r\n \"triggerThreshold\": 0,\r\n \"entityMappings\": [\r\n {\r\n \"entityType\": \"IP\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"Address\",\r\n \"columnName\": \"IPCustomEntity\"\r\n }\r\n ]\r\n }\r\n ],\r\n \"displayName\": \"Fortinet - Beacon pattern detected\",\r\n \"description\": \"Identifies patterns in the time deltas of contacts between internal and external IPs in Fortinet network data that are consistent with beaconing.\\n Accounts for randomness (jitter) and seasonality such as working hours that may have been introduced into the beacon pattern.\\n The lookback is set to 1d, the minimum granularity in time deltas is set to 60 seconds and the minimum number of beacons required to emit a\\n detection is set to 4.\\n Increase the lookback period to capture beacons with larger periodicities.\\n The jitter tolerance is set to 0.2 - This means we account for an overall 20% deviation from the infered beacon periodicity. Seasonality is dealt with\\n automatically using series_outliers.\\n Note: In large environments it may be necessary to reduce the lookback period to get fast query times.\",\r\n \"tactics\": [\r\n \"CommandAndControl\"\r\n ],\r\n \"lastUpdatedDateUTC\": \"2020-11-17T00:00:00Z\",\r\n \"createdDateUTC\": \"2020-03-31T00:00:00Z\",\r\n \"status\": \"Available\",\r\n \"requiredDataConnectors\": [\r\n {\r\n \"connectorId\": \"Fortinet\",\r\n \"dataTypes\": [\r\n \"CommonSecurityLog\"\r\n ]\r\n }\r\n ],\r\n \"alertRulesCreatedByTemplateCount\": 0\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/AlertRuleTemplates/e27dd7e5-4367-4c40-a2b7-fcd7e7a8a508\",\r\n \"name\": \"e27dd7e5-4367-4c40-a2b7-fcd7e7a8a508\",\r\n \"type\": \"Microsoft.SecurityInsights/AlertRuleTemplates\",\r\n \"kind\": \"Scheduled\",\r\n \"properties\": {\r\n \"severity\": \"Medium\",\r\n \"query\": \"let timeframe = ago(1h);\\nlet FailureThreshold = 15;\\nlet FailedEvents = Okta_CL\\n| where TimeGenerated > timeframe\\n| where eventType_s =~ \\\"user.session.start\\\"and outcome_reason_s in (\\\"VERIFICATION_ERROR\\\",\\\"INVALID_CREDENTIALS\\\")\\n| summarize dcount(actor_alternateId_s) by client_ipAddress_s, bin(TimeGenerated, 5m)\\n| where dcount_actor_alternateId_s > FailureThreshold\\n| project client_ipAddress_s, TimeGenerated;\\nOkta_CL\\n| where TimeGenerated > timeframe\\n| where eventType_s =~ \\\"user.session.start\\\"and outcome_reason_s in (\\\"VERIFICATION_ERROR\\\",\\\"INVALID_CREDENTIALS\\\")\\n| summarize Users = make_set(actor_alternateId_s) by client_ipAddress_s, City = client_geographicalContext_city_s, Country = client_geographicalContext_country_s, bin(TimeGenerated, 5m)\\n| join kind=inner (FailedEvents) on client_ipAddress_s, TimeGenerated\\n| sort by TimeGenerated desc\\n| extend timestamp = TimeGenerated, IPCustomEntity = client_ipAddress_s\",\r\n \"queryFrequency\": \"PT1H\",\r\n \"queryPeriod\": \"PT1H\",\r\n \"triggerOperator\": \"GreaterThan\",\r\n \"triggerThreshold\": 0,\r\n \"entityMappings\": [\r\n {\r\n \"entityType\": \"IP\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"Address\",\r\n \"columnName\": \"IPCustomEntity\"\r\n }\r\n ]\r\n }\r\n ],\r\n \"displayName\": \"Potential Password Spray Attack\",\r\n \"description\": \"This query searches for failed attempts to log into the Okta console from more than 15 various users within a 5 minute timeframe from the same source. This is a potential indication of a password spray attack\",\r\n \"tactics\": [\r\n \"CredentialAccess\"\r\n ],\r\n \"lastUpdatedDateUTC\": \"2020-11-17T00:00:00Z\",\r\n \"createdDateUTC\": \"2020-07-08T00:00:00Z\",\r\n \"status\": \"Available\",\r\n \"requiredDataConnectors\": [\r\n {\r\n \"connectorId\": \"OktaSSO\",\r\n \"dataTypes\": [\r\n \"Okta_CL\"\r\n ]\r\n }\r\n ],\r\n \"alertRulesCreatedByTemplateCount\": 0\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/AlertRuleTemplates/bfb1c90f-8006-4325-98be-c7fffbc254d6\",\r\n \"name\": \"bfb1c90f-8006-4325-98be-c7fffbc254d6\",\r\n \"type\": \"Microsoft.SecurityInsights/AlertRuleTemplates\",\r\n \"kind\": \"Scheduled\",\r\n \"properties\": {\r\n \"severity\": \"Medium\",\r\n \"query\": \"let timeRange = 1d;\\nlet s_threshold = 30;\\nlet l_threshold = 3;\\nSigninLogs\\n| where TimeGenerated >= ago(timeRange)\\n| where OperationName =~ \\\"Sign-in activity\\\"\\n// Error codes that we want to look at as they are related to the use of incorrect password.\\n| where ResultType in (\\\"50126\\\", \\\"50053\\\" , \\\"50055\\\", \\\"50056\\\")\\n| extend OS = DeviceDetail.operatingSystem, Browser = DeviceDetail.browser \\n| extend LocationString= strcat(tostring(LocationDetails[\\\"countryOrRegion\\\"]), \\\"/\\\", tostring(LocationDetails[\\\"state\\\"]), \\\"/\\\", tostring(LocationDetails[\\\"city\\\"]))\\n| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated),LocationCount=dcount(LocationString), Location = make_set(LocationString), \\nIPAddress = make_set(IPAddress), IPAddressCount = dcount(IPAddress), AppDisplayName = make_set(AppDisplayName), ResultDescription = make_set(ResultDescription), \\nBrowser = make_set(Browser), OS = make_set(OS), SigninCount = count() by UserPrincipalName \\n// Setting a generic threshold - Can be different for different environment\\n| where SigninCount > s_threshold and LocationCount >= l_threshold\\n| extend tostring(Location), tostring(IPAddress), tostring(AppDisplayName), tostring(ResultDescription), tostring(Browser), tostring(OS)\\n| distinct *\\n| extend timestamp = StartTime, AccountCustomEntity = UserPrincipalName, IPCustomEntity = IPAddress\",\r\n \"queryFrequency\": \"P1D\",\r\n \"queryPeriod\": \"P1D\",\r\n \"triggerOperator\": \"GreaterThan\",\r\n \"triggerThreshold\": 0,\r\n \"entityMappings\": [\r\n {\r\n \"entityType\": \"Account\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"FullName\",\r\n \"columnName\": \"AccountCustomEntity\"\r\n }\r\n ]\r\n },\r\n {\r\n \"entityType\": \"IP\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"Address\",\r\n \"columnName\": \"IPCustomEntity\"\r\n }\r\n ]\r\n }\r\n ],\r\n \"displayName\": \"Distributed Password cracking attempts in AzureAD\",\r\n \"description\": \"Identifies distributed password cracking attempts from the Azure Active Directory SigninLogs.\\nThe query looks for unusually high number of failed password attempts coming from multiple locations for a user account.\\nReferences: https://docs.microsoft.com/azure/active-directory/reports-monitoring/reference-sign-ins-error-codes\\n50053 Account is locked because the user tried to sign in too many times with an incorrect user ID or password.\\n50055 Invalid password, entered expired password.\\n50056 Invalid or null password - Password does not exist in store for this user.\\n50126 Invalid username or password, or invalid on-premises username or password.\",\r\n \"tactics\": [\r\n \"CredentialAccess\"\r\n ],\r\n \"lastUpdatedDateUTC\": \"2020-11-17T00:00:00Z\",\r\n \"createdDateUTC\": \"2019-02-11T00:00:00Z\",\r\n \"status\": \"Available\",\r\n \"requiredDataConnectors\": [\r\n {\r\n \"connectorId\": \"AzureActiveDirectory\",\r\n \"dataTypes\": [\r\n \"SigninLogs\"\r\n ]\r\n }\r\n ],\r\n \"alertRulesCreatedByTemplateCount\": 0\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/AlertRuleTemplates/36a9c9e5-3dc1-4ed9-afaa-1d13617bfc2b\",\r\n \"name\": \"36a9c9e5-3dc1-4ed9-afaa-1d13617bfc2b\",\r\n \"type\": \"Microsoft.SecurityInsights/AlertRuleTemplates\",\r\n \"kind\": \"Scheduled\",\r\n \"properties\": {\r\n \"severity\": \"Medium\",\r\n \"query\": \"let dt_lookBack = 1h;\\nlet ioc_lookBack = 14d;\\nThreatIntelligenceIndicator\\n| where TimeGenerated >= ago(ioc_lookBack) and ExpirationDateTime > now()\\n| where Active == true\\n// Picking up only IOC's that contain the entities we want\\n| where isnotempty(Url)\\n| join (\\n OfficeActivity\\n | where TimeGenerated >= ago(dt_lookBack)\\n //Extract the Url from a number of potential fields\\n | extend Url = iif(OfficeWorkload == \\\"AzureActiveDirectory\\\",extract(\\\"(http[s]?://(?:[a-zA-Z]|[0-9]|[$-_@.&+]|[!*\\\\\\\\(\\\\\\\\),]|(?:%[0-9a-fA-F][0-9a-fA-F]))+);\\\", 1,ModifiedProperties),tostring(parse_json(ModifiedProperties)[12].NewValue))\\n | where isnotempty(Url)\\n // Ensure we get a clean URL\\n | extend Url = tostring(split(Url, ';')[0])\\n | extend Office_TimeGenerated = TimeGenerated\\n // Project a single user identity that we can use for entity mapping\\n | extend User = iif(isnotempty(UserId), UserId, iif(isnotempty(Actor), tostring(parse_json(Actor)[0].ID), tostring(parse_json(Parameters)[0].Vlaue))) \\n) on Url\\n| summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId\\n| project LatestIndicatorTime, Description, ActivityGroupNames, IndicatorId, ThreatType, ExpirationDateTime, ConfidenceScore, Operation, \\nUserType, OfficeWorkload, Parameters, Office_TimeGenerated, Url, User\\n| extend timestamp = Office_TimeGenerated, AccountCustomEntity = User, URLCustomEntity = Url\",\r\n \"queryFrequency\": \"PT1H\",\r\n \"queryPeriod\": \"P14D\",\r\n \"triggerOperator\": \"GreaterThan\",\r\n \"triggerThreshold\": 0,\r\n \"entityMappings\": [\r\n {\r\n \"entityType\": \"Account\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"FullName\",\r\n \"columnName\": \"AccountCustomEntity\"\r\n }\r\n ]\r\n },\r\n {\r\n \"entityType\": \"URL\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"Url\",\r\n \"columnName\": \"URLCustomEntity\"\r\n }\r\n ]\r\n }\r\n ],\r\n \"displayName\": \"(Preview) TI map URL entity to OfficeActivity data\",\r\n \"description\": \"Identifies a match in OfficeActivity data from any URL IOC from TI\",\r\n \"tactics\": [\r\n \"Impact\"\r\n ],\r\n \"lastUpdatedDateUTC\": \"2020-11-17T00:00:00Z\",\r\n \"createdDateUTC\": \"2019-08-27T00:00:00Z\",\r\n \"status\": \"Available\",\r\n \"requiredDataConnectors\": [\r\n {\r\n \"connectorId\": \"Office365\",\r\n \"dataTypes\": [\r\n \"OfficeActivity\"\r\n ]\r\n },\r\n {\r\n \"connectorId\": \"ThreatIntelligence\",\r\n \"dataTypes\": [\r\n \"ThreatIntelligenceIndicator\"\r\n ]\r\n }\r\n ],\r\n \"alertRulesCreatedByTemplateCount\": 0\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/AlertRuleTemplates/a35f2c18-1b97-458f-ad26-e033af18eb99\",\r\n \"name\": \"a35f2c18-1b97-458f-ad26-e033af18eb99\",\r\n \"type\": \"Microsoft.SecurityInsights/AlertRuleTemplates\",\r\n \"kind\": \"Scheduled\",\r\n \"properties\": {\r\n \"severity\": \"Low\",\r\n \"query\": \"let timeframe = 1d;\\n// For AD SID mappings - https://docs.microsoft.com/windows/security/identity-protection/access-control/active-directory-security-groups\\nlet WellKnownLocalSID = \\\"S-1-5-32-5[0-9][0-9]$\\\";\\nlet WellKnownGroupSID = \\\"S-1-5-21-[0-9]*-[0-9]*-[0-9]*-5[0-9][0-9]$|S-1-5-21-[0-9]*-[0-9]*-[0-9]*-1102$|S-1-5-21-[0-9]*-[0-9]*-[0-9]*-1103$|S-1-5-21-[0-9]*-[0-9]*-[0-9]*-498$|S-1-5-21-[0-9]*-[0-9]*-[0-9]*-1000$\\\";\\nSecurityEvent \\n| where TimeGenerated > ago(timeframe)\\n// When MemberName contains '-' this indicates addition of a group to a group\\n| where AccountType == \\\"User\\\" and MemberName != \\\"-\\\"\\n// 4728 - A member was added to a security-enabled global group\\n// 4732 - A member was added to a security-enabled local group\\n// 4756 - A member was added to a security-enabled universal group\\n| where EventID in (4728, 4732, 4756) \\n| where TargetSid matches regex WellKnownLocalSID or TargetSid matches regex WellKnownGroupSID\\n// Exclude Remote Desktop Users group: S-1-5-32-555\\n| where TargetSid !in (\\\"S-1-5-32-555\\\")\\n| extend SimpleMemberName = tostring(split(tostring(split(MemberName, \\\",\\\")[0]),\\\"CN=\\\")[1])\\n| project StartTimeUtc = TimeGenerated, EventID, Activity, Computer, SimpleMemberName, MemberName, MemberSid, TargetUserName, TargetDomainName, TargetSid, UserPrincipalName, SubjectUserName, SubjectUserSid\\n| extend timestamp = StartTimeUtc, AccountCustomEntity = SimpleMemberName, HostCustomEntity = Computer\",\r\n \"queryFrequency\": \"P1D\",\r\n \"queryPeriod\": \"P1D\",\r\n \"triggerOperator\": \"GreaterThan\",\r\n \"triggerThreshold\": 0,\r\n \"entityMappings\": [\r\n {\r\n \"entityType\": \"Account\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"FullName\",\r\n \"columnName\": \"AccountCustomEntity\"\r\n }\r\n ]\r\n },\r\n {\r\n \"entityType\": \"Host\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"FullName\",\r\n \"columnName\": \"HostCustomEntity\"\r\n }\r\n ]\r\n }\r\n ],\r\n \"displayName\": \"User account added to built in domain local or global group\",\r\n \"description\": \"Identifies when a user account has been added to a privileged built in domain local group or global group \\nsuch as the Enterprise Admins, Cert Publishers or DnsAdmins. Be sure to verify this is an expected addition.\",\r\n \"tactics\": [\r\n \"Persistence\",\r\n \"PrivilegeEscalation\"\r\n ],\r\n \"lastUpdatedDateUTC\": \"2020-11-17T00:00:00Z\",\r\n \"createdDateUTC\": \"2019-02-14T00:00:00Z\",\r\n \"status\": \"Available\",\r\n \"requiredDataConnectors\": [\r\n {\r\n \"connectorId\": \"SecurityEvents\",\r\n \"dataTypes\": [\r\n \"SecurityEvent\"\r\n ]\r\n }\r\n ],\r\n \"alertRulesCreatedByTemplateCount\": 0\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/AlertRuleTemplates/87890d78-3e05-43ec-9ab9-ba32f4e01250\",\r\n \"name\": \"87890d78-3e05-43ec-9ab9-ba32f4e01250\",\r\n \"type\": \"Microsoft.SecurityInsights/AlertRuleTemplates\",\r\n \"kind\": \"Scheduled\",\r\n \"properties\": {\r\n \"severity\": \"Medium\",\r\n \"query\": \"let dt_lookBack = 1h;\\nlet ioc_lookBack = 14d;\\n//Create a list of TLDs in our threat feed for later validation\\nlet list_tlds = ThreatIntelligenceIndicator\\n| where TimeGenerated > ago(ioc_lookBack)\\n| where isnotempty(DomainName)\\n| extend parts = split(DomainName, '.')\\n| extend tld = parts[(array_length(parts)-1)]\\n| summarize count() by tostring(tld)\\n| summarize make_list(tld);\\nThreatIntelligenceIndicator\\n| where TimeGenerated >= ago(ioc_lookBack) and ExpirationDateTime > now()\\n| where Active == true\\n// Picking up only IOC's that contain the entities we want\\n| where isnotempty(DomainName)\\n| join (\\n SecurityAlert\\n | where TimeGenerated > ago(dt_lookBack)\\n //Extract domain patterns from message\\n | extend domain = extract(\\\"(([a-z0-9]+(-[a-z0-9]+)*\\\\\\\\.)+[a-z]{2,})\\\", 1, tolower(Entities))\\n | where isnotempty(domain)\\n | extend parts = split(domain, '.')\\n //Split out the TLD\\n | extend tld = parts[(array_length(parts)-1)]\\n //Validate parsed domain by checking if the TLD is in the list of TLDs in our threat feed\\n | where tld in~ (list_tlds)\\n // Converting Entities into dynamic data type and use mv-expand to unpack the array\\n | extend EntitiesDynamicArray = parse_json(Entities) | mv-expand EntitiesDynamicArray\\n // Parsing relevant entity column extract hostname and IP address\\n | extend EntityType = tostring(parse_json(EntitiesDynamicArray).Type), EntityAddress = tostring(EntitiesDynamicArray.Address), EntityHostName = tostring(EntitiesDynamicArray.HostName)\\n | extend HostName = iif(EntityType == 'host', EntityHostName, '')\\n | extend IP_addr = iif(EntityType == 'ip', EntityAddress, '')\\n | extend Alert_TimeGenerated = TimeGenerated\\n | extend Alert_Description = Description\\n) on $left.DomainName==$right.domain\\n| summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId\\n| project LatestIndicatorTime, Description, ActivityGroupNames, IndicatorId, ThreatType, ExpirationDateTime, ConfidenceScore, Alert_TimeGenerated, AlertName, Alert_Description, ProviderName, AlertSeverity, ConfidenceLevel, HostName, IP_addr, Url\\n| extend timestamp = Alert_TimeGenerated, HostCustomEntity = HostName, IPCustomEntity = IP_addr, URLCustomEntity = Url\",\r\n \"queryFrequency\": \"PT1H\",\r\n \"queryPeriod\": \"P14D\",\r\n \"triggerOperator\": \"GreaterThan\",\r\n \"triggerThreshold\": 0,\r\n \"entityMappings\": [\r\n {\r\n \"entityType\": \"Host\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"FullName\",\r\n \"columnName\": \"HostCustomEntity\"\r\n }\r\n ]\r\n },\r\n {\r\n \"entityType\": \"IP\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"Address\",\r\n \"columnName\": \"IPCustomEntity\"\r\n }\r\n ]\r\n },\r\n {\r\n \"entityType\": \"URL\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"Url\",\r\n \"columnName\": \"URLCustomEntity\"\r\n }\r\n ]\r\n }\r\n ],\r\n \"displayName\": \"(Preview) TI map Domain entity to SecurityAlert\",\r\n \"description\": \"Identifies a match in SecurityAlert table from any Domain IOC from TI\",\r\n \"tactics\": [\r\n \"Impact\"\r\n ],\r\n \"lastUpdatedDateUTC\": \"2020-11-17T00:00:00Z\",\r\n \"createdDateUTC\": \"2019-08-28T00:00:00Z\",\r\n \"status\": \"Available\",\r\n \"requiredDataConnectors\": [\r\n {\r\n \"connectorId\": \"ThreatIntelligence\",\r\n \"dataTypes\": [\r\n \"ThreatIntelligenceIndicator\"\r\n ]\r\n },\r\n {\r\n \"connectorId\": \"ThreatIntelligenceTaxii\",\r\n \"dataTypes\": [\r\n \"ThreatIntelligenceIndicator\"\r\n ]\r\n },\r\n {\r\n \"connectorId\": \"MicrosoftCloudAppSecurity\",\r\n \"dataTypes\": [\r\n \"SecurityAlert\"\r\n ]\r\n },\r\n {\r\n \"connectorId\": \"AzureSecurityCenter\",\r\n \"dataTypes\": [\r\n \"SecurityAlert\"\r\n ]\r\n }\r\n ],\r\n \"alertRulesCreatedByTemplateCount\": 0\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/AlertRuleTemplates/90d3f6ec-80fb-48e0-9937-2c70c9df9bad\",\r\n \"name\": \"90d3f6ec-80fb-48e0-9937-2c70c9df9bad\",\r\n \"type\": \"Microsoft.SecurityInsights/AlertRuleTemplates\",\r\n \"kind\": \"Scheduled\",\r\n \"properties\": {\r\n \"severity\": \"Low\",\r\n \"query\": \"let timeframe = 1d;\\nlet DomainList = dynamic([\\\"tor2web.org\\\", \\\"tor2web.com\\\", \\\"torlink.co\\\", \\\"onion.to\\\", \\\"onion.ink\\\", \\\"onion.cab\\\", \\\"onion.nu\\\", \\\"onion.link\\\", \\n\\\"onion.it\\\", \\\"onion.city\\\", \\\"onion.direct\\\", \\\"onion.top\\\", \\\"onion.casa\\\", \\\"onion.plus\\\", \\\"onion.rip\\\", \\\"onion.dog\\\", \\\"tor2web.fi\\\", \\n\\\"tor2web.blutmagie.de\\\", \\\"onion.sh\\\", \\\"onion.lu\\\", \\\"onion.pet\\\", \\\"t2w.pw\\\", \\\"tor2web.ae.org\\\", \\\"tor2web.io\\\", \\\"tor2web.xyz\\\", \\\"onion.lt\\\", \\n\\\"s1.tor-gateways.de\\\", \\\"s2.tor-gateways.de\\\", \\\"s3.tor-gateways.de\\\", \\\"s4.tor-gateways.de\\\", \\\"s5.tor-gateways.de\\\", \\\"hiddenservice.net\\\"]);\\nSyslog\\n| where TimeGenerated >= ago(timeframe)\\n| where ProcessName contains \\\"squid\\\"\\n| extend URL = extract(\\\"(([A-Z]+ [a-z]{4,5}:\\\\\\\\/\\\\\\\\/)|[A-Z]+ )([^ :]*)\\\",3,SyslogMessage), \\n SourceIP = extract(\\\"([0-9]+ )(([0-9]{1,3})\\\\\\\\.([0-9]{1,3})\\\\\\\\.([0-9]{1,3})\\\\\\\\.([0-9]{1,3}))\\\",2,SyslogMessage), \\n Status = extract(\\\"(TCP_(([A-Z]+)(_[A-Z]+)*)|UDP_(([A-Z]+)(_[A-Z]+)*))\\\",1,SyslogMessage), \\n HTTP_Status_Code = extract(\\\"(TCP_(([A-Z]+)(_[A-Z]+)*)|UDP_(([A-Z]+)(_[A-Z]+)*))/([0-9]{3})\\\",8,SyslogMessage),\\n User = extract(\\\"(CONNECT |GET )([^ ]* )([^ ]+)\\\",3,SyslogMessage),\\n RemotePort = extract(\\\"(CONNECT |GET )([^ ]*)(:)([0-9]*)\\\",4,SyslogMessage),\\n Domain = extract(\\\"(([A-Z]+ [a-z]{4,5}:\\\\\\\\/\\\\\\\\/)|[A-Z]+ )([^ :\\\\\\\\/]*)\\\",3,SyslogMessage),\\n Bytes = toint(extract(\\\"([A-Z]+\\\\\\\\/[0-9]{3} )([0-9]+)\\\",2,SyslogMessage)),\\n contentType = extract(\\\"([a-z/]+$)\\\",1,SyslogMessage)\\n| extend TLD = extract(\\\"\\\\\\\\.[a-z]*$\\\",0,Domain)\\n| where HTTP_Status_Code == \\\"200\\\"\\n| where Domain contains \\\".\\\"\\n| where Domain has_any (DomainList)\\n| extend timestamp = TimeGenerated, URLCustomEntity = URL, IPCustomEntity = SourceIP, AccountCustomEntity = User\",\r\n \"queryFrequency\": \"P1D\",\r\n \"queryPeriod\": \"P1D\",\r\n \"triggerOperator\": \"GreaterThan\",\r\n \"triggerThreshold\": 0,\r\n \"entityMappings\": [\r\n {\r\n \"entityType\": \"Account\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"FullName\",\r\n \"columnName\": \"AccountCustomEntity\"\r\n }\r\n ]\r\n },\r\n {\r\n \"entityType\": \"IP\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"Address\",\r\n \"columnName\": \"IPCustomEntity\"\r\n }\r\n ]\r\n },\r\n {\r\n \"entityType\": \"URL\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"Url\",\r\n \"columnName\": \"URLCustomEntity\"\r\n }\r\n ]\r\n }\r\n ],\r\n \"displayName\": \"Squid proxy events for ToR proxies\",\r\n \"description\": \"Check for Squid proxy events associated with common ToR proxies. This query presumes the default squid log format is being used.\\nhttp://www.squid-cache.org/Doc/config/access_log/\",\r\n \"tactics\": [\r\n \"CommandAndControl\"\r\n ],\r\n \"lastUpdatedDateUTC\": \"2020-11-17T00:00:00Z\",\r\n \"createdDateUTC\": \"2019-07-12T00:00:00Z\",\r\n \"status\": \"Available\",\r\n \"requiredDataConnectors\": [\r\n {\r\n \"connectorId\": \"Syslog\",\r\n \"dataTypes\": [\r\n \"Syslog\"\r\n ]\r\n }\r\n ],\r\n \"alertRulesCreatedByTemplateCount\": 0\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/AlertRuleTemplates/97ad74c4-fdd9-4a3f-b6bf-5e28f4f71e06\",\r\n \"name\": \"97ad74c4-fdd9-4a3f-b6bf-5e28f4f71e06\",\r\n \"type\": \"Microsoft.SecurityInsights/AlertRuleTemplates\",\r\n \"kind\": \"Scheduled\",\r\n \"properties\": {\r\n \"severity\": \"Medium\",\r\n \"query\": \"let LearningPeriod = 7d; \\nlet BinTime = 1h; \\nlet RunTime = 1h; \\nlet StartTime = 1h; \\nlet NumberOfStds = 3; \\nlet MinThreshold = 10.0; \\nlet EndRunTime = StartTime - RunTime; \\nlet EndLearningTime = StartTime + LearningPeriod; \\nlet GitHubFailedSSOLogins = (SigninLogs \\n| where AppDisplayName == \\\"GitHub.com\\\" \\n| where ResultType == 50056); \\nGitHubFailedSSOLogins \\n| where TimeGenerated between (ago(EndLearningTime) .. ago(StartTime)) \\n| summarize FailedLoginsCountInBinTime = count() by UserPrincipalName, bin(TimeGenerated, BinTime) \\n| summarize AvgOfFailedLoginsInLearning = avg(FailedLoginsCountInBinTime), StdOfFailedLoginsInLearning = stdev(FailedLoginsCountInBinTime) by UserPrincipalName, tostring(set_IPAddress)\\n| extend LearningThreshold = max_of(AvgOfFailedLoginsInLearning + StdOfFailedLoginsInLearning * NumberOfStds, MinThreshold) \\n| join kind=innerunique ( \\n GitHubFailedSSOLogins \\n | where TimeGenerated between (ago(StartTime) .. ago(EndRunTime)) \\n | summarize FailedLoginsCountInRunTime = count() by User = Identity \\n) on UserPrincipalName \\n| where FailedLoginsCountInRunTime > LearningThreshold\\n| extend AccountCustomEntity = UserPrincipalName , timestamp = TimeGenerated\",\r\n \"queryFrequency\": \"P1D\",\r\n \"queryPeriod\": \"P1D\",\r\n \"triggerOperator\": \"GreaterThan\",\r\n \"triggerThreshold\": 0,\r\n \"entityMappings\": [\r\n {\r\n \"entityType\": \"Account\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"FullName\",\r\n \"columnName\": \"AccountCustomEntity\"\r\n }\r\n ]\r\n }\r\n ],\r\n \"displayName\": \"Brute Force Attack against GitHub Account\",\r\n \"description\": \"Attackers who are trying to guess your users' passwords or use brute-force methods to get in. If your organization is using SSO with Azure Active Directory, authentication logs to GitHub.com will be generated. Using the following query can help you identify a sudden increase in failed logon attempt of users.\",\r\n \"tactics\": [\r\n \"CredentialAccess\"\r\n ],\r\n \"lastUpdatedDateUTC\": \"2020-11-17T00:00:00Z\",\r\n \"createdDateUTC\": \"2020-06-02T00:00:00Z\",\r\n \"status\": \"Available\",\r\n \"requiredDataConnectors\": [\r\n {\r\n \"connectorId\": \"AzureActiveDirectory\",\r\n \"dataTypes\": [\r\n \"SigninLogs\"\r\n ]\r\n }\r\n ],\r\n \"alertRulesCreatedByTemplateCount\": 0\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/AlertRuleTemplates/0dd422ee-e6af-4204-b219-f59ac172e4c6\",\r\n \"name\": \"0dd422ee-e6af-4204-b219-f59ac172e4c6\",\r\n \"type\": \"Microsoft.SecurityInsights/AlertRuleTemplates\",\r\n \"kind\": \"ThreatIntelligence\",\r\n \"properties\": {\r\n \"severity\": \"Medium\",\r\n \"displayName\": \"(Preview) Microsoft Threat Intelligence Analytics\",\r\n \"description\": \"This rule generates an alert when a Microsoft Threat Intelligence Indicator gets matched with your event logs. The alerts are very high fidelity and are turned ON by default. \\n\\nNote : It is advised to turn off any custom alert rules which match the threat intelligence indicators with the same event logs matched by this analytics to prevent duplicate alerts.\",\r\n \"tactics\": [\r\n \"Persistence\",\r\n \"LateralMovement\"\r\n ],\r\n \"lastUpdatedDateUTC\": \"2020-09-15T00:00:00Z\",\r\n \"createdDateUTC\": \"2020-06-02T00:00:00Z\",\r\n \"status\": \"Available\",\r\n \"requiredDataConnectors\": [\r\n {\r\n \"connectorId\": \"CEF\",\r\n \"dataTypes\": [\r\n \"CommonSecurityLog\"\r\n ]\r\n }\r\n ],\r\n \"alertRulesCreatedByTemplateCount\": 0\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/AlertRuleTemplates/1ce5e766-26ab-4616-b7c8-3b33ae321e80\",\r\n \"name\": \"1ce5e766-26ab-4616-b7c8-3b33ae321e80\",\r\n \"type\": \"Microsoft.SecurityInsights/AlertRuleTemplates\",\r\n \"kind\": \"Scheduled\",\r\n \"properties\": {\r\n \"severity\": \"Medium\",\r\n \"query\": \"let timeframe = 1d;\\n//Adjust this threshold to fit environment\\nlet signin_threshold = 5; \\n//Make a list of IPs with failed Windows host logins above threshold\\nlet win_fails = \\nSecurityEvent\\n| where TimeGenerated >= ago(timeframe)\\n| where EventID == 4625\\n| where LogonType in (10, 7, 3)\\n| where IpAddress != \\\"-\\\"\\n| summarize count() by IpAddress\\n| where count_ > signin_threshold\\n| summarize make_list(IpAddress);\\n//Make a list of IPs with failed *nix host logins above threshold\\nlet nix_fails = \\nSyslog\\n| where TimeGenerated > ago(timeframe)\\n| where Facility contains 'auth' and ProcessName != 'sudo'\\n| extend SourceIP = extract(\\\"(([0-9]{1,3})\\\\\\\\.([0-9]{1,3})\\\\\\\\.([0-9]{1,3})\\\\\\\\.(([0-9]{1,3})))\\\",1,SyslogMessage)\\n| where SourceIP != \\\"\\\" and SourceIP != \\\"127.0.0.1\\\"\\n| summarize count() by SourceIP\\n| where count_ > signin_threshold\\n| summarize make_list(SourceIP);\\n//See if any of the IPs with failed host logins hve had a sucessful Azure AD login\\nSigninLogs\\n| where TimeGenerated > ago(timeframe)\\n| where ResultType !in (\\\"0\\\", \\\"50125\\\", \\\"50140\\\")\\n| where IPAddress in (win_fails) or IPAddress in (nix_fails)\\n| extend Reason= \\\"Multiple failed host logins from IP address with successful Azure AD login\\\"\\n| extend timstamp = TimeGenerated, AccountCustomEntity = UserPrincipalName, IPCustomEntity = IPAddress\",\r\n \"queryFrequency\": \"P1D\",\r\n \"queryPeriod\": \"P1D\",\r\n \"triggerOperator\": \"GreaterThan\",\r\n \"triggerThreshold\": 0,\r\n \"entityMappings\": [\r\n {\r\n \"entityType\": \"Account\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"FullName\",\r\n \"columnName\": \"AccountCustomEntity\"\r\n }\r\n ]\r\n },\r\n {\r\n \"entityType\": \"IP\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"Address\",\r\n \"columnName\": \"IPCustomEntity\"\r\n }\r\n ]\r\n }\r\n ],\r\n \"displayName\": \"Failed host logons but success logon to AzureAD\",\r\n \"description\": \"Identifies a list of IP addresses with a minimum number(default of 5) of failed logon attempts to remote hosts.\\nUses that list to identify any successful logons to Azure Active Directory from these IPs within the same timeframe.\",\r\n \"tactics\": [\r\n \"InitialAccess\",\r\n \"CredentialAccess\"\r\n ],\r\n \"lastUpdatedDateUTC\": \"2020-11-17T00:00:00Z\",\r\n \"createdDateUTC\": \"2019-08-20T00:00:00Z\",\r\n \"status\": \"Available\",\r\n \"requiredDataConnectors\": [\r\n {\r\n \"connectorId\": \"AzureActiveDirectory\",\r\n \"dataTypes\": [\r\n \"SigninLogs\"\r\n ]\r\n },\r\n {\r\n \"connectorId\": \"SecurityEvents\",\r\n \"dataTypes\": [\r\n \"SecurityEvent\"\r\n ]\r\n },\r\n {\r\n \"connectorId\": \"Syslog\",\r\n \"dataTypes\": [\r\n \"Syslog\"\r\n ]\r\n }\r\n ],\r\n \"alertRulesCreatedByTemplateCount\": 0\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/AlertRuleTemplates/45b903c5-6f56-4969-af10-ae62ac709718\",\r\n \"name\": \"45b903c5-6f56-4969-af10-ae62ac709718\",\r\n \"type\": \"Microsoft.SecurityInsights/AlertRuleTemplates\",\r\n \"kind\": \"Scheduled\",\r\n \"properties\": {\r\n \"severity\": \"Medium\",\r\n \"query\": \"let starttime = 14d;\\nlet endtime = 1d;\\nSecurityEvent\\n| where TimeGenerated >= ago(endtime) \\n| where EventID == 4624 and LogonType == 10\\n| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated), ConnectionCount = count() \\nby Account = tolower(Account), Computer = toupper(Computer), IpAddress, AccountType, Activity, LogonTypeName, ProcessName\\n// use left anti to exclude anything from the previous 14 days that is not rare\\n| join kind=leftanti (\\nSecurityEvent\\n| where TimeGenerated between (ago(starttime) .. ago(endtime))\\n| where EventID == 4624\\n| summarize by Computer = toupper(Computer), IpAddress, Account = tolower(Account)\\n) on Account, Computer\\n| summarize StartTime = min(StartTime), EndTime = max(EndTime), ConnectionCount = sum(ConnectionCount) \\nby Account, Computer, IpAddress, AccountType, Activity, LogonTypeName, ProcessName\\n| extend timestamp = StartTime, AccountCustomEntity = Account, HostCustomEntity = Computer, IPCustomEntity = IpAddress\",\r\n \"queryFrequency\": \"P1D\",\r\n \"queryPeriod\": \"P14D\",\r\n \"triggerOperator\": \"GreaterThan\",\r\n \"triggerThreshold\": 0,\r\n \"entityMappings\": [\r\n {\r\n \"entityType\": \"Account\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"FullName\",\r\n \"columnName\": \"AccountCustomEntity\"\r\n }\r\n ]\r\n },\r\n {\r\n \"entityType\": \"Host\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"FullName\",\r\n \"columnName\": \"HostCustomEntity\"\r\n }\r\n ]\r\n },\r\n {\r\n \"entityType\": \"IP\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"Address\",\r\n \"columnName\": \"IPCustomEntity\"\r\n }\r\n ]\r\n }\r\n ],\r\n \"displayName\": \"Rare RDP Connections\",\r\n \"description\": \"Identifies when an RDP connection is new or rare related to any logon type by a given account today based on comparison with the previous 14 days.\\nRDP connections are indicated by the EventID 4624 with LogonType = 10\",\r\n \"tactics\": [\r\n \"LateralMovement\"\r\n ],\r\n \"lastUpdatedDateUTC\": \"2020-11-17T00:00:00Z\",\r\n \"createdDateUTC\": \"2020-01-14T00:00:00Z\",\r\n \"status\": \"Available\",\r\n \"requiredDataConnectors\": [\r\n {\r\n \"connectorId\": \"SecurityEvents\",\r\n \"dataTypes\": [\r\n \"SecurityEvent\"\r\n ]\r\n }\r\n ],\r\n \"alertRulesCreatedByTemplateCount\": 0\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/AlertRuleTemplates/1572e66b-20a7-4012-9ec4-77ec4b101bc8\",\r\n \"name\": \"1572e66b-20a7-4012-9ec4-77ec4b101bc8\",\r\n \"type\": \"Microsoft.SecurityInsights/AlertRuleTemplates\",\r\n \"kind\": \"Scheduled\",\r\n \"properties\": {\r\n \"severity\": \"Medium\",\r\n \"query\": \"let starttime = 1d;\\nlet endtime = 1h;\\nlet prev23hThreshold = 4;\\nlet prev1hThreshold = 15;\\nlet Kerbevent =\\nSecurityEvent\\n| where TimeGenerated >= ago(starttime)\\n| where EventID == 4769\\n| parse EventData with * 'TicketEncryptionType\\\">' TicketEncryptionType \\\"<\\\" *\\n| where TicketEncryptionType == '0x17'\\n| parse EventData with * 'TicketOptions\\\">' TicketOptions \\\"<\\\" *\\n| where TicketOptions == '0x40810000'\\n| parse EventData with * 'Status\\\">' Status \\\"<\\\" *\\n| where Status == '0x0'\\n| parse EventData with * 'ServiceName\\\">' ServiceName \\\"<\\\" *\\n| where ServiceName !contains \\\"$\\\" and ServiceName !contains \\\"krbtgt\\\" \\n| parse EventData with * 'TargetUserName\\\">' TargetUserName \\\"<\\\" *\\n| where TargetUserName !contains \\\"$@\\\" and TargetUserName !contains ServiceName\\n| parse EventData with * 'IpAddress\\\">::ffff:' ClientIPAddress \\\"<\\\" *;\\nlet Kerbevent23h = Kerbevent\\n| where TimeGenerated >= ago(starttime) and TimeGenerated < ago(endtime)\\n| summarize ServiceNameCountPrev23h = dcount(ServiceName), ServiceNameSet23h = makeset(ServiceName) \\nby Computer, TargetUserName, ClientIPAddress, TicketOptions, TicketEncryptionType, Status\\n| where ServiceNameCountPrev23h < prev23hThreshold;\\nlet Kerbevent1h = \\nKerbevent\\n| where TimeGenerated >= ago(endtime)\\n| summarize min(TimeGenerated), max(TimeGenerated), ServiceNameCountPrev1h = dcount(ServiceName), ServiceNameSet1h = makeset(ServiceName) \\nby Computer, TargetUserName, ClientIPAddress, TicketOptions, TicketEncryptionType, Status;\\nKerbevent1h \\n| join kind=leftanti\\n(\\nKerbevent23h\\n) on TargetUserName\\n// Threshold value set above is based on testing, this value may need to be changed for your environment.\\n| where ServiceNameCountPrev1h > prev1hThreshold\\n| project StartTimeUtc = min_TimeGenerated, EndTimeUtc = max_TimeGenerated, TargetUserName, Computer, ClientIPAddress, TicketOptions, \\nTicketEncryptionType, Status, ServiceNameCountPrev1h, ServiceNameSet1h\\n| extend timestamp = StartTimeUtc, AccountCustomEntity = TargetUserName, HostCustomEntity = Computer, IPCustomEntity = ClientIPAddress\",\r\n \"queryFrequency\": \"PT1H\",\r\n \"queryPeriod\": \"P1D\",\r\n \"triggerOperator\": \"GreaterThan\",\r\n \"triggerThreshold\": 0,\r\n \"entityMappings\": [\r\n {\r\n \"entityType\": \"Account\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"FullName\",\r\n \"columnName\": \"AccountCustomEntity\"\r\n }\r\n ]\r\n },\r\n {\r\n \"entityType\": \"Host\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"FullName\",\r\n \"columnName\": \"HostCustomEntity\"\r\n }\r\n ]\r\n },\r\n {\r\n \"entityType\": \"IP\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"Address\",\r\n \"columnName\": \"IPCustomEntity\"\r\n }\r\n ]\r\n }\r\n ],\r\n \"displayName\": \"Potential Kerberoasting\",\r\n \"description\": \"A service principal name (SPN) is used to uniquely identify a service instance in a Windows environment. \\nEach SPN is usually associated with a service account. Organizations may have used service accounts with weak passwords in their environment. \\nAn attacker can try requesting Kerberos ticket-granting service (TGS) service tickets for any SPN from a domain controller (DC) which contains \\na hash of the Service account. This can then be used for offline cracking. This hunting query looks for accounts that are generating excessive \\nrequests to different resources within the last hour compared with the previous 24 hours. Normal users would not make an unusually large number \\nof request within a small time window. This is based on 4769 events which can be very noisy so environment based tweaking might be needed.\",\r\n \"tactics\": [\r\n \"CredentialAccess\"\r\n ],\r\n \"lastUpdatedDateUTC\": \"2020-11-17T00:00:00Z\",\r\n \"createdDateUTC\": \"2019-04-01T00:00:00Z\",\r\n \"status\": \"Available\",\r\n \"requiredDataConnectors\": [\r\n {\r\n \"connectorId\": \"SecurityEvents\",\r\n \"dataTypes\": [\r\n \"SecurityEvent\"\r\n ]\r\n }\r\n ],\r\n \"alertRulesCreatedByTemplateCount\": 0\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/AlertRuleTemplates/532f62c1-fba6-4baa-bbb6-4a32a4ef32fa\",\r\n \"name\": \"532f62c1-fba6-4baa-bbb6-4a32a4ef32fa\",\r\n \"type\": \"Microsoft.SecurityInsights/AlertRuleTemplates\",\r\n \"kind\": \"Scheduled\",\r\n \"properties\": {\r\n \"severity\": \"Medium\",\r\n \"query\": \"let dt_lookBack = 1h;\\nlet ioc_lookBack = 14d;\\n//Create a list of TLDs in our threat feed for later validation\\nlet list_tlds = ThreatIntelligenceIndicator\\n| where TimeGenerated > ago(ioc_lookBack)\\n| where isnotempty(DomainName)\\n| extend parts = split(DomainName, '.')\\n| extend tld = parts[(array_length(parts)-1)]\\n| summarize count() by tostring(tld)\\n| summarize make_list(tld);\\nThreatIntelligenceIndicator\\n| where TimeGenerated >= ago(ioc_lookBack) and ExpirationDateTime > now()\\n| where Active == true\\n// Picking up only IOC's that contain the entities we want\\n| where isnotempty(DomainName)\\n| join (\\n Syslog\\n | where TimeGenerated > ago(dt_lookBack)\\n //Extract domain patterns from syslog message\\n | extend domain = extract(\\\"(([a-z0-9]+(-[a-z0-9]+)*\\\\\\\\.)+[a-z]{2,})\\\",1, tolower(SyslogMessage))\\n | where isnotempty(domain)\\n | extend parts = split(domain, '.')\\n //Split out the TLD\\n | extend tld = parts[(array_length(parts)-1)]\\n //Validate parsed domain by checking if the TLD is in the list of TLDs in our threat feed\\n | where tld in~ (list_tlds)\\n | extend Syslog_TimeGenerated = TimeGenerated\\n) on $left.DomainName==$right.domain\\n| summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId\\n| project LatestIndicatorTime, Description, ActivityGroupNames, IndicatorId, ThreatType, ExpirationDateTime, ConfidenceScore, Syslog_TimeGenerated, SyslogMessage, Computer, ProcessName, domain, HostIP, Url\\n| extend timestamp = Syslog_TimeGenerated, HostCustomEntity = Computer, IPCustomEntity = HostIP, URLCustomEntity = Url\",\r\n \"queryFrequency\": \"PT1H\",\r\n \"queryPeriod\": \"P14D\",\r\n \"triggerOperator\": \"GreaterThan\",\r\n \"triggerThreshold\": 0,\r\n \"entityMappings\": [\r\n {\r\n \"entityType\": \"Host\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"FullName\",\r\n \"columnName\": \"HostCustomEntity\"\r\n }\r\n ]\r\n },\r\n {\r\n \"entityType\": \"IP\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"Address\",\r\n \"columnName\": \"IPCustomEntity\"\r\n }\r\n ]\r\n },\r\n {\r\n \"entityType\": \"URL\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"Url\",\r\n \"columnName\": \"URLCustomEntity\"\r\n }\r\n ]\r\n }\r\n ],\r\n \"displayName\": \"(Preview) TI map Domain entity to Syslog\",\r\n \"description\": \"Identifies a match in Syslog table from any Domain IOC from TI\",\r\n \"tactics\": [\r\n \"Impact\"\r\n ],\r\n \"lastUpdatedDateUTC\": \"2020-11-17T00:00:00Z\",\r\n \"createdDateUTC\": \"2019-08-28T00:00:00Z\",\r\n \"status\": \"Available\",\r\n \"requiredDataConnectors\": [\r\n {\r\n \"connectorId\": \"Syslog\",\r\n \"dataTypes\": [\r\n \"Syslog\"\r\n ]\r\n },\r\n {\r\n \"connectorId\": \"ThreatIntelligence\",\r\n \"dataTypes\": [\r\n \"ThreatIntelligenceIndicator\"\r\n ]\r\n },\r\n {\r\n \"connectorId\": \"ThreatIntelligenceTaxii\",\r\n \"dataTypes\": [\r\n \"ThreatIntelligenceIndicator\"\r\n ]\r\n }\r\n ],\r\n \"alertRulesCreatedByTemplateCount\": 0\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/AlertRuleTemplates/5b72f527-e3f6-4a00-9908-8e4fee14da9f\",\r\n \"name\": \"5b72f527-e3f6-4a00-9908-8e4fee14da9f\",\r\n \"type\": \"Microsoft.SecurityInsights/AlertRuleTemplates\",\r\n \"kind\": \"Scheduled\",\r\n \"properties\": {\r\n \"severity\": \"Low\",\r\n \"query\": \"let timeframe = 1h;\\nCommonSecurityLog \\n| where TimeGenerated > ago(timeframe) \\n| where isnotempty(DestinationPort) and DeviceAction !in (\\\"reset-both\\\", \\\"deny\\\") \\n// filter out common usage ports. Add ports that are legitimate for your environment\\n| where DestinationPort !in (\\\"443\\\", \\\"53\\\", \\\"389\\\", \\\"80\\\", \\\"0\\\", \\\"880\\\", \\\"8888\\\", \\\"8080\\\")\\n| where ApplicationProtocol == \\\"incomplete\\\" \\n// filter out IANA ephemeral or negotiated ports as per https://en.wikipedia.org/wiki/Ephemeral_port\\n| where DestinationPort !between (toint(49512) .. toint(65535)) \\n| where Computer != \\\"\\\" \\n| where DestinationIP !startswith \\\"10.\\\"\\n// Filter out any graceful reset reasons of AGED OUT which occurs when a TCP session closes with a FIN due to aging out. \\n| where AdditionalExtensions !has \\\"reason=aged-out\\\" \\n// Filter out any TCP FIN which occurs when a TCP FIN is used to gracefully close half or both sides of a connection.\\n| where AdditionalExtensions !has \\\"reason=tcp-fin\\\" \\n// Uncomment one of the following where clauses to trigger on specific TCP reset reasons\\n// See Palo Alto article for details - https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClUvCAK\\n// TCP RST-server - Occurs when the server sends a TCP reset to the client\\n// | where AdditionalExtensions has \\\"reason=tcp-rst-from-server\\\" \\n// TCP RST-client - Occurs when the client sends a TCP reset to the server\\n// | where AdditionalExtensions has \\\"reason=tcp-rst-from-client\\\" \\n| extend reason = tostring(split(AdditionalExtensions, \\\";\\\")[3])\\n| summarize StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated), count() by DeviceName, SourceUserID, SourceIP, ApplicationProtocol, reason, DestinationPort, Protocol, DeviceVendor, DeviceProduct, DeviceAction, DestinationIP\\n| where count_ >= 10\\n| summarize StartTimeUtc = min(StartTimeUtc), EndTimeUtc = max(EndTimeUtc), makeset(DestinationIP), totalcount = sum(count_) by DeviceName, SourceUserID, SourceIP, ApplicationProtocol, reason, DestinationPort, Protocol, DeviceVendor, DeviceProduct, DeviceAction\\n| extend timestamp = StartTimeUtc, IPCustomEntity = SourceIP, AccountCustomEntity = SourceUserID, HostCustomEntity = DeviceName\",\r\n \"queryFrequency\": \"PT1H\",\r\n \"queryPeriod\": \"PT1H\",\r\n \"triggerOperator\": \"GreaterThan\",\r\n \"triggerThreshold\": 0,\r\n \"entityMappings\": [\r\n {\r\n \"entityType\": \"Account\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"FullName\",\r\n \"columnName\": \"AccountCustomEntity\"\r\n }\r\n ]\r\n },\r\n {\r\n \"entityType\": \"Host\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"FullName\",\r\n \"columnName\": \"HostCustomEntity\"\r\n }\r\n ]\r\n },\r\n {\r\n \"entityType\": \"IP\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"Address\",\r\n \"columnName\": \"IPCustomEntity\"\r\n }\r\n ]\r\n }\r\n ],\r\n \"displayName\": \"Palo Alto - possible internal to external port scanning\",\r\n \"description\": \"Identifies a list of internal Source IPs (10.x.x.x Hosts) that have triggered 10 or more non-graceful tcp server resets from one or more Destination IPs which \\nresults in an \\\"ApplicationProtocol = incomplete\\\" designation. The server resets coupled with an \\\"Incomplete\\\" ApplicationProtocol designation can be an indication \\nof internal to external port scanning or probing attack. \\nReferences: https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClUvCAK and\\nhttps://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClTaCAK\",\r\n \"tactics\": [\r\n \"Discovery\"\r\n ],\r\n \"lastUpdatedDateUTC\": \"2020-11-17T00:00:00Z\",\r\n \"createdDateUTC\": \"2019-02-28T00:00:00Z\",\r\n \"status\": \"Available\",\r\n \"requiredDataConnectors\": [\r\n {\r\n \"connectorId\": \"PaloAltoNetworks\",\r\n \"dataTypes\": [\r\n \"CommonSecurityLog\"\r\n ]\r\n }\r\n ],\r\n \"alertRulesCreatedByTemplateCount\": 0\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/AlertRuleTemplates/24f8c234-d1ff-40ec-8b73-96b17a3a9c1c\",\r\n \"name\": \"24f8c234-d1ff-40ec-8b73-96b17a3a9c1c\",\r\n \"type\": \"Microsoft.SecurityInsights/AlertRuleTemplates\",\r\n \"kind\": \"Scheduled\",\r\n \"properties\": {\r\n \"severity\": \"Low\",\r\n \"query\": \"let timeframe =1d;\\nlet EventCountThreshold = 25;\\nlet OperationList = dynamic(\\n[\\\"SecretGet\\\", \\\"KeyGet\\\", \\\"VaultGet\\\"]);\\nAzureDiagnostics\\n| where TimeGenerated > ago(timeframe)\\n| extend ResultType = columnifexists(\\\"ResultType\\\", \\\"None\\\"), identity_claim_http_schemas_microsoft_com_identity_claims_objectidentifier_g = columnifexists(\\\"identity_claim_http_schemas_microsoft_com_identity_claims_objectidentifier_g\\\", \\\"None\\\")\\n| where ResultType !~ \\\"None\\\" and isnotempty(ResultType)\\n| where identity_claim_http_schemas_microsoft_com_identity_claims_objectidentifier_g !~ \\\"None\\\" and isnotempty(identity_claim_http_schemas_microsoft_com_identity_claims_objectidentifier_g)\\n| where ResourceType =~ \\\"VAULTS\\\" and ResultType =~ \\\"Success\\\"\\n| where OperationName in (OperationList) \\n| summarize count() by identity_claim_http_schemas_microsoft_com_identity_claims_objectidentifier_g, OperationName\\n| where count_ > EventCountThreshold \\n| join (\\nAzureDiagnostics\\n| where TimeGenerated > ago(timeframe)\\n| extend ResultType = columnifexists(\\\"ResultType\\\", \\\"NoResultType\\\")\\n| extend requestUri_s = columnifexists(\\\"requestUri_s\\\", \\\"None\\\"), identity_claim_http_schemas_microsoft_com_identity_claims_objectidentifier_g = columnifexists(\\\"identity_claim_http_schemas_microsoft_com_identity_claims_objectidentifier_g\\\", \\\"None\\\")\\n| extend id_s = columnifexists(\\\"id_s\\\", \\\"None\\\"), CallerIPAddress = columnifexists(\\\"CallerIPAddress\\\", \\\"None\\\"), clientInfo_s = columnifexists(\\\"clientInfo_s\\\", \\\"None\\\")\\n| where ResultType !~ \\\"None\\\" and isnotempty(ResultType)\\n| where identity_claim_http_schemas_microsoft_com_identity_claims_objectidentifier_g !~ \\\"None\\\" and isnotempty(identity_claim_http_schemas_microsoft_com_identity_claims_objectidentifier_g)\\n| where id_s !~ \\\"None\\\" and isnotempty(id_s)\\n| where CallerIPAddress !~ \\\"None\\\" and isnotempty(CallerIPAddress)\\n| where clientInfo_s !~ \\\"None\\\" and isnotempty(clientInfo_s)\\n| where requestUri_s !~ \\\"None\\\" and isnotempty(requestUri_s)\\n| where OperationName in~ (OperationList) \\n) on identity_claim_http_schemas_microsoft_com_identity_claims_objectidentifier_g \\n| summarize EventCount=sum(count_), StartTimeUtc=min(TimeGenerated), EndTimeUtc=max(TimeGenerated), TimeTriggered=makelist(TimeGenerated),OperationNameList=make_set(OperationName), RequestURLList=make_set(requestUri_s), CallerIPList = make_set(CallerIPAddress), CallerIPMax= arg_max(CallerIPAddress,*) by ResourceType, ResultType, Resource, id_s, identity_claim_http_schemas_microsoft_com_identity_claims_objectidentifier_g, clientInfo_s\\n| extend timestamp = EndTimeUtc, IPCustomEntity = CallerIPMax, AccountCustomEntity = identity_claim_http_schemas_microsoft_com_identity_claims_objectidentifier_g\",\r\n \"queryFrequency\": \"P1D\",\r\n \"queryPeriod\": \"P1D\",\r\n \"triggerOperator\": \"GreaterThan\",\r\n \"triggerThreshold\": 0,\r\n \"entityMappings\": [\r\n {\r\n \"entityType\": \"Account\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"FullName\",\r\n \"columnName\": \"AccountCustomEntity\"\r\n }\r\n ]\r\n },\r\n {\r\n \"entityType\": \"IP\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"Address\",\r\n \"columnName\": \"IPCustomEntity\"\r\n }\r\n ]\r\n }\r\n ],\r\n \"displayName\": \"Mass secret retrieval from Azure Key Vault\",\r\n \"description\": \"Identifies mass secret retrieval from Azure Key Vault observed by a single user. \\nMass secret retrival crossing a certain threshold is an indication of credential dump operations or mis-configured applications. \\nYou can tweak the EventCountThreshold based on average count seen in your environment \\nand also filter any known sources (IP/Account) and useragent combinations based on historical analysis to further reduce noise\",\r\n \"tactics\": [\r\n \"CredentialAccess\"\r\n ],\r\n \"lastUpdatedDateUTC\": \"2020-11-17T00:00:00Z\",\r\n \"createdDateUTC\": \"2019-07-01T00:00:00Z\",\r\n \"status\": \"Available\",\r\n \"requiredDataConnectors\": [\r\n {\r\n \"connectorId\": \"WAF\",\r\n \"dataTypes\": [\r\n \"AzureDiagnostics\"\r\n ]\r\n }\r\n ],\r\n \"alertRulesCreatedByTemplateCount\": 0\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/AlertRuleTemplates/cca3b4d9-ac39-4109-8b93-65bb284003e6\",\r\n \"name\": \"cca3b4d9-ac39-4109-8b93-65bb284003e6\",\r\n \"type\": \"Microsoft.SecurityInsights/AlertRuleTemplates\",\r\n \"kind\": \"Scheduled\",\r\n \"properties\": {\r\n \"severity\": \"Medium\",\r\n \"query\": \"let dt_lookBack = 1h;\\nlet ioc_lookBack = 14d;\\nlet emailregex = @'^[a-zA-Z0-9_.+-]+@[a-zA-Z0-9-]+\\\\.[a-zA-Z0-9-.]+$';\\nThreatIntelligenceIndicator\\n| where TimeGenerated >= ago(ioc_lookBack) and ExpirationDateTime > now()\\n| where Active == true\\n//Filtering the table for Email related IOCs\\n| where isnotempty(EmailRecipient)\\n| join (\\n AzureActivity | where TimeGenerated >= ago(dt_lookBack) and isnotempty(Caller)\\n | extend Caller = tolower(Caller)\\n | where Caller matches regex emailregex\\n | extend AzureActivity_TimeGenerated = TimeGenerated\\n)\\non $left.EmailRecipient == $right.Caller\\n| summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId\\n| project LatestIndicatorTime, Description, ActivityGroupNames, IndicatorId, ThreatType, ExpirationDateTime, ConfidenceScore, Url, AzureActivity_TimeGenerated,\\nEmailSenderName, EmailSourceDomain, EmailSourceIpAddress, EmailSubject, FileHashValue, FileHashType, Caller, Level, CallerIpAddress, Category, OperationName,\\nOperationNameValue, ActivityStatus, ResourceGroup, SubscriptionId\\n| extend timestamp = AzureActivity_TimeGenerated, AccountCustomEntity = Caller, IPCustomEntity = CallerIpAddress, URLCustomEntity = Url\",\r\n \"queryFrequency\": \"PT1H\",\r\n \"queryPeriod\": \"P14D\",\r\n \"triggerOperator\": \"GreaterThan\",\r\n \"triggerThreshold\": 0,\r\n \"entityMappings\": [\r\n {\r\n \"entityType\": \"Account\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"FullName\",\r\n \"columnName\": \"AccountCustomEntity\"\r\n }\r\n ]\r\n },\r\n {\r\n \"entityType\": \"IP\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"Address\",\r\n \"columnName\": \"IPCustomEntity\"\r\n }\r\n ]\r\n },\r\n {\r\n \"entityType\": \"URL\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"Url\",\r\n \"columnName\": \"URLCustomEntity\"\r\n }\r\n ]\r\n }\r\n ],\r\n \"displayName\": \"(Preview) TI map Email entity to AzureActivity\",\r\n \"description\": \"Identifies a match in AzureActivity table from any Email IOC from TI\",\r\n \"tactics\": [\r\n \"Impact\"\r\n ],\r\n \"lastUpdatedDateUTC\": \"2020-11-17T00:00:00Z\",\r\n \"createdDateUTC\": \"2019-08-28T00:00:00Z\",\r\n \"status\": \"Available\",\r\n \"requiredDataConnectors\": [\r\n {\r\n \"connectorId\": \"AzureActivity\",\r\n \"dataTypes\": [\r\n \"AzureActivity\"\r\n ]\r\n },\r\n {\r\n \"connectorId\": \"ThreatIntelligence\",\r\n \"dataTypes\": [\r\n \"ThreatIntelligenceIndicator\"\r\n ]\r\n },\r\n {\r\n \"connectorId\": \"ThreatIntelligenceTaxii\",\r\n \"dataTypes\": [\r\n \"ThreatIntelligenceIndicator\"\r\n ]\r\n }\r\n ],\r\n \"alertRulesCreatedByTemplateCount\": 0\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/AlertRuleTemplates/910124df-913c-47e3-a7cd-29e1643fa55e\",\r\n \"name\": \"910124df-913c-47e3-a7cd-29e1643fa55e\",\r\n \"type\": \"Microsoft.SecurityInsights/AlertRuleTemplates\",\r\n \"kind\": \"Scheduled\",\r\n \"properties\": {\r\n \"severity\": \"Medium\",\r\n \"query\": \"//Adjust this threshold to fit environment\\nlet signin_threshold = 5; \\n//Make a list of IPs with failed AWS console logins\\nlet aws_fails = AWSCloudTrail\\n| where TimeGenerated >= ago(1d)\\n| where EventName == \\\"ConsoleLogin\\\"\\n| extend LoginResult = tostring(parse_json(ResponseElements).ConsoleLogin) \\n| where LoginResult != \\\"Success\\\"\\n| where SourceIpAddress != \\\"127.0.0.1\\\"\\n| summarize count() by SourceIpAddress\\n| where count_ > signin_threshold\\n| summarize make_list(SourceIpAddress);\\n//See if any of those IPs have sucessfully logged into Azure AD.\\nSigninLogs\\n| where TimeGenerated >= ago(1d)\\n| where ResultType !in (\\\"0\\\", \\\"50125\\\", \\\"50140\\\")\\n| where IPAddress in (aws_fails) \\n| extend Reason = \\\"Multiple failed AWS Console logins from IP address\\\"\\n| extend timestamp = TimeGenerated, AccountCustomEntity = UserPrincipalName, IPCustomEntity = IPAddress\",\r\n \"queryFrequency\": \"P1D\",\r\n \"queryPeriod\": \"P1D\",\r\n \"triggerOperator\": \"GreaterThan\",\r\n \"triggerThreshold\": 0,\r\n \"entityMappings\": [\r\n {\r\n \"entityType\": \"Account\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"FullName\",\r\n \"columnName\": \"AccountCustomEntity\"\r\n }\r\n ]\r\n },\r\n {\r\n \"entityType\": \"IP\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"Address\",\r\n \"columnName\": \"IPCustomEntity\"\r\n }\r\n ]\r\n }\r\n ],\r\n \"displayName\": \"Failed AWS Console logons but success logon to AzureAD\",\r\n \"description\": \"Identifies a list of IP addresses with a minimum numbe(default of 5) of failed logon attempts to AWS Console.\\nUses that list to identify any successful Azure Active Directory logons from these IPs within the same timeframe.\",\r\n \"tactics\": [\r\n \"InitialAccess\",\r\n \"CredentialAccess\"\r\n ],\r\n \"lastUpdatedDateUTC\": \"2020-11-17T00:00:00Z\",\r\n \"createdDateUTC\": \"2019-08-20T00:00:00Z\",\r\n \"status\": \"Available\",\r\n \"requiredDataConnectors\": [\r\n {\r\n \"connectorId\": \"AzureActiveDirectory\",\r\n \"dataTypes\": [\r\n \"SigninLogs\"\r\n ]\r\n },\r\n {\r\n \"connectorId\": \"AWS\",\r\n \"dataTypes\": [\r\n \"AWSCloudTrail\"\r\n ]\r\n }\r\n ],\r\n \"alertRulesCreatedByTemplateCount\": 0\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/AlertRuleTemplates/4a3f5ed7-8da5-4ce2-af6f-c9ada45060f2\",\r\n \"name\": \"4a3f5ed7-8da5-4ce2-af6f-c9ada45060f2\",\r\n \"type\": \"Microsoft.SecurityInsights/AlertRuleTemplates\",\r\n \"kind\": \"Scheduled\",\r\n \"properties\": {\r\n \"severity\": \"Medium\",\r\n \"query\": \"let dt_lookBack = 1h;\\nlet ioc_lookBack = 14d;\\nlet emailregex = @'^[a-zA-Z0-9_.+-]+@[a-zA-Z0-9-]+\\\\.[a-zA-Z0-9-.]+$';\\nThreatIntelligenceIndicator\\n| where TimeGenerated >= ago(ioc_lookBack) and ExpirationDateTime > now()\\n| where Active == true\\n//Filtering the table for Email related IOCs\\n| where isnotempty(EmailRecipient)\\n| join (\\n OfficeActivity | where TimeGenerated >= ago(dt_lookBack) and isnotempty(UserId)\\n | where UserId matches regex emailregex\\n | extend OfficeActivity_TimeGenerated = TimeGenerated\\n)\\non $left.EmailRecipient == $right.UserId\\n| summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId\\n| project LatestIndicatorTime, Description, ActivityGroupNames, IndicatorId, ThreatType, Url, ExpirationDateTime, ConfidenceScore, OfficeActivity_TimeGenerated,\\nEmailSenderName, EmailSourceDomain, EmailSourceIpAddress, EmailSubject, FileHashValue, FileHashType, UserId, ClientIP, Operation, UserType, RecordType, OfficeWorkload, Parameters\\n| extend timestamp = OfficeActivity_TimeGenerated, AccountCustomEntity = UserId, IPCustomEntity = ClientIP, URLCustomEntity = Url\",\r\n \"queryFrequency\": \"PT1H\",\r\n \"queryPeriod\": \"P14D\",\r\n \"triggerOperator\": \"GreaterThan\",\r\n \"triggerThreshold\": 0,\r\n \"entityMappings\": [\r\n {\r\n \"entityType\": \"Account\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"FullName\",\r\n \"columnName\": \"AccountCustomEntity\"\r\n }\r\n ]\r\n },\r\n {\r\n \"entityType\": \"IP\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"Address\",\r\n \"columnName\": \"IPCustomEntity\"\r\n }\r\n ]\r\n },\r\n {\r\n \"entityType\": \"URL\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"Url\",\r\n \"columnName\": \"URLCustomEntity\"\r\n }\r\n ]\r\n }\r\n ],\r\n \"displayName\": \"(Preview) TI map Email entity to OfficeActivity\",\r\n \"description\": \"Identifies a match in OfficeActivity table from any Email IOC from TI\",\r\n \"tactics\": [\r\n \"Impact\"\r\n ],\r\n \"lastUpdatedDateUTC\": \"2020-11-17T00:00:00Z\",\r\n \"createdDateUTC\": \"2019-08-28T00:00:00Z\",\r\n \"status\": \"Available\",\r\n \"requiredDataConnectors\": [\r\n {\r\n \"connectorId\": \"Office365\",\r\n \"dataTypes\": [\r\n \"OfficeActivity\"\r\n ]\r\n },\r\n {\r\n \"connectorId\": \"ThreatIntelligence\",\r\n \"dataTypes\": [\r\n \"ThreatIntelligenceIndicator\"\r\n ]\r\n },\r\n {\r\n \"connectorId\": \"ThreatIntelligenceTaxii\",\r\n \"dataTypes\": [\r\n \"ThreatIntelligenceIndicator\"\r\n ]\r\n }\r\n ],\r\n \"alertRulesCreatedByTemplateCount\": 0\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/AlertRuleTemplates/7b907bf7-77d4-41d0-a208-5643ff75bf9a\",\r\n \"name\": \"7b907bf7-77d4-41d0-a208-5643ff75bf9a\",\r\n \"type\": \"Microsoft.SecurityInsights/AlertRuleTemplates\",\r\n \"kind\": \"Scheduled\",\r\n \"properties\": {\r\n \"severity\": \"Medium\",\r\n \"query\": \"let timeframe = 1d;\\nlet Keywords = dynamic([\\\"helpdesk\\\", \\\" alert\\\", \\\" suspicious\\\", \\\"fake\\\", \\\"malicious\\\", \\\"phishing\\\", \\\"spam\\\", \\\"do not click\\\", \\\"do not open\\\", \\\"hijacked\\\", \\\"Fatal\\\"]);\\nOfficeActivity\\n| where TimeGenerated >= ago(timeframe)\\n| where Operation =~ \\\"New-InboxRule\\\"\\n| where Parameters has \\\"Deleted Items\\\" or Parameters has \\\"Junk Email\\\" \\n| extend Events=todynamic(Parameters)\\n| parse Events with * \\\"SubjectContainsWords\\\" SubjectContainsWords '}'*\\n| parse Events with * \\\"BodyContainsWords\\\" BodyContainsWords '}'*\\n| parse Events with * \\\"SubjectOrBodyContainsWords\\\" SubjectOrBodyContainsWords '}'*\\n| where SubjectContainsWords has_any (Keywords)\\n or BodyContainsWords has_any (Keywords)\\n or SubjectOrBodyContainsWords has_any (Keywords)\\n| extend ClientIPAddress = case( ClientIP has \\\".\\\", tostring(split(ClientIP,\\\":\\\")[0]), ClientIP has \\\"[\\\", tostring(trim_start(@'[[]',tostring(split(ClientIP,\\\"]\\\")[0]))), ClientIP )\\n| extend Keyword = iff(isnotempty(SubjectContainsWords), SubjectContainsWords, (iff(isnotempty(BodyContainsWords),BodyContainsWords,SubjectOrBodyContainsWords )))\\n| extend RuleDetail = case(OfficeObjectId contains '/' , tostring(split(OfficeObjectId, '/')[-1]) , tostring(split(OfficeObjectId, '\\\\\\\\')[-1]))\\n| summarize count(), StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated) by Operation, UserId, ClientIPAddress, ResultStatus, Keyword, OriginatingServer, OfficeObjectId, RuleDetail\\n| extend timestamp = StartTimeUtc, IPCustomEntity = ClientIPAddress, AccountCustomEntity = UserId , HostCustomEntity = OriginatingServer\",\r\n \"queryFrequency\": \"P1D\",\r\n \"queryPeriod\": \"P1D\",\r\n \"triggerOperator\": \"GreaterThan\",\r\n \"triggerThreshold\": 0,\r\n \"entityMappings\": [\r\n {\r\n \"entityType\": \"Account\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"FullName\",\r\n \"columnName\": \"AccountCustomEntity\"\r\n }\r\n ]\r\n },\r\n {\r\n \"entityType\": \"Host\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"FullName\",\r\n \"columnName\": \"HostCustomEntity\"\r\n }\r\n ]\r\n },\r\n {\r\n \"entityType\": \"IP\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"Address\",\r\n \"columnName\": \"IPCustomEntity\"\r\n }\r\n ]\r\n }\r\n ],\r\n \"displayName\": \"Malicious Inbox Rule\",\r\n \"description\": \"Often times after the initial compromise the attackers create inbox rules to delete emails that contain certain keywords. \\n This is done so as to limit ability to warn compromised users that they've been compromised. Below is a sample query that tries to detect this.\\nReference: https://www.reddit.com/r/sysadmin/comments/7kyp0a/recent_phishing_attempts_my_experience_and_what/\",\r\n \"tactics\": [\r\n \"Persistence\",\r\n \"DefenseEvasion\"\r\n ],\r\n \"lastUpdatedDateUTC\": \"2020-11-17T00:00:00Z\",\r\n \"createdDateUTC\": \"2020-03-02T00:00:00Z\",\r\n \"status\": \"Available\",\r\n \"requiredDataConnectors\": [\r\n {\r\n \"connectorId\": \"Office365\",\r\n \"dataTypes\": [\r\n \"OfficeActivity\"\r\n ]\r\n }\r\n ],\r\n \"alertRulesCreatedByTemplateCount\": 0\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/AlertRuleTemplates/f2eb15bd-8a88-4b24-9281-e133edfba315\",\r\n \"name\": \"f2eb15bd-8a88-4b24-9281-e133edfba315\",\r\n \"type\": \"Microsoft.SecurityInsights/AlertRuleTemplates\",\r\n \"kind\": \"Scheduled\",\r\n \"properties\": {\r\n \"severity\": \"Medium\",\r\n \"query\": \"let dt_lookBack = 1h;\\nlet ioc_lookBack = 14d;\\nThreatIntelligenceIndicator\\n| where TimeGenerated >= ago(ioc_lookBack) and ExpirationDateTime > now()\\n| where Active == true\\n// Picking up only IOC's that contain the entities we want\\n| where isnotempty(NetworkIP) or isnotempty(EmailSourceIpAddress) or isnotempty(NetworkDestinationIP) or isnotempty(NetworkSourceIP)\\n// As there is potentially more than 1 indicator type for matching IP, taking NetworkIP first, then others if that is empty.\\n// Taking the first non-empty value based on potential IOC match availability\\n| extend TI_ipEntity = iff(isnotempty(NetworkIP), NetworkIP, NetworkDestinationIP)\\n| extend TI_ipEntity = iff(isempty(TI_ipEntity) and isnotempty(NetworkSourceIP), NetworkSourceIP, TI_ipEntity)\\n| extend TI_ipEntity = iff(isempty(TI_ipEntity) and isnotempty(EmailSourceIpAddress), EmailSourceIpAddress, TI_ipEntity)\\n| join (\\n SigninLogs | where TimeGenerated >= ago(dt_lookBack)\\n | extend StatusCode = tostring(Status.errorCode), StatusDetails = tostring(Status.additionalDetails)\\n | extend Region = tostring(LocationDetails[\\\"countryOrRegion\\\"]), State = tostring(LocationDetails[\\\"state\\\"]), City = tostring(LocationDetails[\\\"city\\\"])\\n // renaming time column so it is clear the log this came from\\n | extend SigninLogs_TimeGenerated = TimeGenerated\\n)\\non $left.TI_ipEntity == $right.IPAddress\\n| summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId\\n| project LatestIndicatorTime, Description, ActivityGroupNames, IndicatorId, ThreatType, Url, ExpirationDateTime, ConfidenceScore, SigninLogs_TimeGenerated,\\nTI_ipEntity, IPAddress, UserPrincipalName, AppDisplayName, StatusCode, StatusDetails, NetworkIP, NetworkDestinationIP, NetworkSourceIP, EmailSourceIpAddress\\n| extend timestamp = SigninLogs_TimeGenerated, AccountCustomEntity = UserPrincipalName, IPCustomEntity = IPAddress, URLCustomEntity = Url\",\r\n \"queryFrequency\": \"PT1H\",\r\n \"queryPeriod\": \"P14D\",\r\n \"triggerOperator\": \"GreaterThan\",\r\n \"triggerThreshold\": 0,\r\n \"entityMappings\": [\r\n {\r\n \"entityType\": \"Account\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"FullName\",\r\n \"columnName\": \"AccountCustomEntity\"\r\n }\r\n ]\r\n },\r\n {\r\n \"entityType\": \"IP\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"Address\",\r\n \"columnName\": \"IPCustomEntity\"\r\n }\r\n ]\r\n },\r\n {\r\n \"entityType\": \"URL\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"Url\",\r\n \"columnName\": \"URLCustomEntity\"\r\n }\r\n ]\r\n }\r\n ],\r\n \"displayName\": \"(Preview) TI map IP entity to SigninLogs\",\r\n \"description\": \"Identifies a match in SigninLogs from any IP IOC from TI\",\r\n \"tactics\": [\r\n \"Impact\"\r\n ],\r\n \"lastUpdatedDateUTC\": \"2020-11-17T00:00:00Z\",\r\n \"createdDateUTC\": \"2019-08-27T00:00:00Z\",\r\n \"status\": \"Available\",\r\n \"requiredDataConnectors\": [\r\n {\r\n \"connectorId\": \"ThreatIntelligence\",\r\n \"dataTypes\": [\r\n \"ThreatIntelligenceIndicator\"\r\n ]\r\n },\r\n {\r\n \"connectorId\": \"ThreatIntelligenceTaxii\",\r\n \"dataTypes\": [\r\n \"ThreatIntelligenceIndicator\"\r\n ]\r\n },\r\n {\r\n \"connectorId\": \"AzureActiveDirectory\",\r\n \"dataTypes\": [\r\n \"SigninLogs\"\r\n ]\r\n }\r\n ],\r\n \"alertRulesCreatedByTemplateCount\": 0\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/AlertRuleTemplates/b31037ea-6f68-4fbd-bab2-d0d0f44c2fcf\",\r\n \"name\": \"b31037ea-6f68-4fbd-bab2-d0d0f44c2fcf\",\r\n \"type\": \"Microsoft.SecurityInsights/AlertRuleTemplates\",\r\n \"kind\": \"Scheduled\",\r\n \"properties\": {\r\n \"severity\": \"Medium\",\r\n \"query\": \"let dt_lookBack = 1h;\\nlet ioc_lookBack = 14d;\\nThreatIntelligenceIndicator\\n| where TimeGenerated >= ago(ioc_lookBack) and ExpirationDateTime > now()\\n| where Active == true\\n// Picking up only IOC's that contain the entities we want\\n| where isnotempty(Url)\\n| join (\\n Syslog\\n | where TimeGenerated >= ago(dt_lookBack)\\n // Extract URL from the Syslog message but only take messages that include URLs\\n | extend Url = extract(\\\"(http[s]?://(?:[a-zA-Z]|[0-9]|[$-_@.&+]|[!*\\\\\\\\(\\\\\\\\),]|(?:%[0-9a-fA-F][0-9a-fA-F]))+)\\\", 1,SyslogMessage)\\n | where isnotempty(Url)\\n | extend Syslog_TimeGenerated = TimeGenerated\\n) on Url\\n| summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId\\n| project LatestIndicatorTime, Description, ActivityGroupNames, IndicatorId, ThreatType, ExpirationDateTime, ConfidenceScore, Syslog_TimeGenerated, SyslogMessage, Computer, ProcessName, Url, HostIP\\n| extend timestamp = Syslog_TimeGenerated, HostCustomEntity = Computer, IPCustomEntity = HostIP, URLCustomEntity = Url\",\r\n \"queryFrequency\": \"PT1H\",\r\n \"queryPeriod\": \"P14D\",\r\n \"triggerOperator\": \"GreaterThan\",\r\n \"triggerThreshold\": 0,\r\n \"entityMappings\": [\r\n {\r\n \"entityType\": \"Host\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"FullName\",\r\n \"columnName\": \"HostCustomEntity\"\r\n }\r\n ]\r\n },\r\n {\r\n \"entityType\": \"IP\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"Address\",\r\n \"columnName\": \"IPCustomEntity\"\r\n }\r\n ]\r\n },\r\n {\r\n \"entityType\": \"URL\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"Url\",\r\n \"columnName\": \"URLCustomEntity\"\r\n }\r\n ]\r\n }\r\n ],\r\n \"displayName\": \"(Preview) TI map URL entity to Syslog data\",\r\n \"description\": \"Identifies a match in Syslog data from any URL IOC from TI\",\r\n \"tactics\": [\r\n \"Impact\"\r\n ],\r\n \"lastUpdatedDateUTC\": \"2020-11-17T00:00:00Z\",\r\n \"createdDateUTC\": \"2019-08-27T00:00:00Z\",\r\n \"status\": \"Available\",\r\n \"requiredDataConnectors\": [\r\n {\r\n \"connectorId\": \"Syslog\",\r\n \"dataTypes\": [\r\n \"Syslog\"\r\n ]\r\n },\r\n {\r\n \"connectorId\": \"ThreatIntelligence\",\r\n \"dataTypes\": [\r\n \"ThreatIntelligenceIndicator\"\r\n ]\r\n },\r\n {\r\n \"connectorId\": \"ThreatIntelligenceTaxii\",\r\n \"dataTypes\": [\r\n \"ThreatIntelligenceIndicator\"\r\n ]\r\n }\r\n ],\r\n \"alertRulesCreatedByTemplateCount\": 0\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/AlertRuleTemplates/e7ec9fa6-e7f7-41ed-a34b-b956837a3ee6\",\r\n \"name\": \"e7ec9fa6-e7f7-41ed-a34b-b956837a3ee6\",\r\n \"type\": \"Microsoft.SecurityInsights/AlertRuleTemplates\",\r\n \"kind\": \"Scheduled\",\r\n \"properties\": {\r\n \"severity\": \"Medium\",\r\n \"query\": \"let startdate = 1d;\\nlet threshold = 15;\\n// Below pulls messages from syslog-authpriv logs where there was an authentication failure with an unknown user.\\n// IP address of system attempting logon is also extracted from the SyslogMessage field. Some of these messages\\n// are aggregated.\\nlet authfail = Syslog\\n| where TimeGenerated >= ago(startdate) \\n| where Facility =~ \\\"authpriv\\\" // looks at authpriv messages\\n| where SyslogMessage contains \\\"authentication failure\\\" and SyslogMessage contains \\\" uid=0\\\"\\n| parse SyslogMessage with * \\\"rhost=\\\" ExternalIP\\n| project TimeGenerated, Computer, ProcessName, HostIP, ExternalIP, ProcessID; \\n// Below pulls messages from syslog-authpriv logs that show each instance an unknown user tried to logon. \\nlet userfail = Syslog \\n| where TimeGenerated >= ago(startdate)\\n| where Facility =~ \\\"authpriv\\\" \\n| where SyslogMessage contains \\\"user unknown\\\"\\n| project TimeGenerated, Computer, HostIP, ProcessID;\\n// Join the two log messages above\\nlet userauthfail = authfail | join (userfail) on Computer, HostIP, ProcessID\\n| project TimeGenerated, Computer, HostIP, ExternalIP, ProcessID ;\\n// Extract the EventTime of the first logon attempt\\nlet firstfail = userauthfail\\n| summarize arg_min(TimeGenerated, *) by Computer, ExternalIP\\n| project Computer, ExternalIP, FirstLogonAttempt = TimeGenerated;\\n// Extract the EventTime of the last logon attempt\\nlet lastfail = userauthfail\\n| summarize arg_max(TimeGenerated, *) by Computer, ExternalIP\\n| project Computer, ExternalIP, LatestLogonAttempt = TimeGenerated;\\n// Join first and last logon attempt data and calculate the time between them (AttemptPeriodLength).\\nlet faildates = firstfail | join (lastfail) on Computer, ExternalIP\\n| project ExternalIP, Computer, FirstLogonAttempt, LatestLogonAttempt, TimeBetweenLogonAttempts = LatestLogonAttempt - FirstLogonAttempt;\\n// Count the number of failed logon attempts by External IP and internal machine\\nlet totalfails = userauthfail\\n| summarize StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated), TotalLogonAttempts = count() by ExternalIP, Computer, HostIP\\n| project StartTimeUtc, EndTimeUtc, ExternalIP, Computer, HostIP, TotalLogonAttempts;\\n// Combine total attempts with timing data from above\\nlet finalfails = totalfails | join (faildates) on Computer, ExternalIP\\n| project StartTimeUtc, EndTimeUtc, SourceAddress = ExternalIP, DestinationHost = Computer, DestinationIP = HostIP, TotalLogonAttempts, FirstLogonAttempt, LatestLogonAttempt, TimeBetweenLogonAttempts\\n| order by DestinationHost asc nulls last;\\nfinalfails \\n| where TotalLogonAttempts >= threshold\\n| extend timestamp = StartTimeUtc, HostCustomEntity = DestinationHost, IPCustomEntity = DestinationIP\",\r\n \"queryFrequency\": \"P1D\",\r\n \"queryPeriod\": \"P1D\",\r\n \"triggerOperator\": \"GreaterThan\",\r\n \"triggerThreshold\": 0,\r\n \"entityMappings\": [\r\n {\r\n \"entityType\": \"Host\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"FullName\",\r\n \"columnName\": \"HostCustomEntity\"\r\n }\r\n ]\r\n },\r\n {\r\n \"entityType\": \"IP\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"Address\",\r\n \"columnName\": \"IPCustomEntity\"\r\n }\r\n ]\r\n }\r\n ],\r\n \"displayName\": \"Failed logon attempts in authpriv\",\r\n \"description\": \"Identifies failed logon attempts from unknown users in Syslog authpriv logs. The unknown user means the account that tried to log in \\nisn't provisioned on the machine. A few hits could indicate someone attempting to access a machine they aren't authorized to access. \\nIf there are many of hits, especially from outside your network, it could indicate a brute force attack. \\nDefault threshold for logon attempts is 15.\",\r\n \"tactics\": [\r\n \"CredentialAccess\"\r\n ],\r\n \"lastUpdatedDateUTC\": \"2020-11-17T00:00:00Z\",\r\n \"createdDateUTC\": \"2019-02-14T00:00:00Z\",\r\n \"status\": \"Available\",\r\n \"requiredDataConnectors\": [\r\n {\r\n \"connectorId\": \"Syslog\",\r\n \"dataTypes\": [\r\n \"Syslog\"\r\n ]\r\n }\r\n ],\r\n \"alertRulesCreatedByTemplateCount\": 0\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/AlertRuleTemplates/3d645a88-2724-41a7-adea-db74c439cf79\",\r\n \"name\": \"3d645a88-2724-41a7-adea-db74c439cf79\",\r\n \"type\": \"Microsoft.SecurityInsights/AlertRuleTemplates\",\r\n \"kind\": \"Scheduled\",\r\n \"properties\": {\r\n \"severity\": \"Medium\",\r\n \"query\": \"let timeframe = ago(1h);\\nlet threshold = 5000;\\nSophosXGFirewall\\n| where TimeGenerated >= timeframe\\n| where Log_Type =~ \\\"Firewall\\\" and Status =~ \\\"Deny\\\"\\n| summarize count() by Src_IP, bin(TimeGenerated,5m)\\n| where count_ > threshold\\n| extend timestamp = TimeGenerated, IPCustomEntity = Src_IP\",\r\n \"queryFrequency\": \"PT1H\",\r\n \"queryPeriod\": \"PT1H\",\r\n \"triggerOperator\": \"GreaterThan\",\r\n \"triggerThreshold\": 0,\r\n \"entityMappings\": [\r\n {\r\n \"entityType\": \"IP\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"Address\",\r\n \"columnName\": \"IPCustomEntity\"\r\n }\r\n ]\r\n }\r\n ],\r\n \"displayName\": \"Excessive Amount of Denied Connections from a Single Source\",\r\n \"description\": \"This creates an incident in the event that a single source IP address generates a excessive amount of denied connections.\",\r\n \"tactics\": [\r\n \"Impact\"\r\n ],\r\n \"lastUpdatedDateUTC\": \"2020-11-17T00:00:00Z\",\r\n \"createdDateUTC\": \"2020-07-08T00:00:00Z\",\r\n \"status\": \"Available\",\r\n \"requiredDataConnectors\": [\r\n {\r\n \"connectorId\": \"SophosXGFirewall\",\r\n \"dataTypes\": [\r\n \"Syslog\"\r\n ]\r\n }\r\n ],\r\n \"alertRulesCreatedByTemplateCount\": 0\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/AlertRuleTemplates/7a58b253-0ef2-4248-b4e5-c350f15a8346\",\r\n \"name\": \"7a58b253-0ef2-4248-b4e5-c350f15a8346\",\r\n \"type\": \"Microsoft.SecurityInsights/AlertRuleTemplates\",\r\n \"kind\": \"Scheduled\",\r\n \"properties\": {\r\n \"severity\": \"Low\",\r\n \"query\": \"let timeframe = ago(1h);\\nlet threshold = 100;\\nSymantecProxySG \\n| where TimeGenerated >= timeframe\\n| where sc_filter_result =~ \\\"DENIED\\\"\\n| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated), count() by c_ip, cs_host\\n| where count_ > threshold\\n| extend timestamp = StartTime, HostCustomEntity = cs_host, IPCustomEntity = c_ip\",\r\n \"queryFrequency\": \"PT1H\",\r\n \"queryPeriod\": \"PT1H\",\r\n \"triggerOperator\": \"GreaterThan\",\r\n \"triggerThreshold\": 0,\r\n \"entityMappings\": [\r\n {\r\n \"entityType\": \"Host\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"FullName\",\r\n \"columnName\": \"HostCustomEntity\"\r\n }\r\n ]\r\n },\r\n {\r\n \"entityType\": \"IP\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"Address\",\r\n \"columnName\": \"IPCustomEntity\"\r\n }\r\n ]\r\n }\r\n ],\r\n \"displayName\": \"Excessive Denied Proxy Traffic\",\r\n \"description\": \"This alert creates an incident when a client generates an excessive amounts of denied proxy traffic.\",\r\n \"tactics\": [\r\n \"DefenseEvasion\"\r\n ],\r\n \"lastUpdatedDateUTC\": \"2020-11-17T00:00:00Z\",\r\n \"createdDateUTC\": \"2020-06-06T00:00:00Z\",\r\n \"status\": \"Available\",\r\n \"requiredDataConnectors\": [\r\n {\r\n \"connectorId\": \"SymantecProxySG\",\r\n \"dataTypes\": [\r\n \"Syslog\"\r\n ]\r\n }\r\n ],\r\n \"alertRulesCreatedByTemplateCount\": 0\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/AlertRuleTemplates/2954d424-f786-4677-9ffc-c24c44c6e7d5\",\r\n \"name\": \"2954d424-f786-4677-9ffc-c24c44c6e7d5\",\r\n \"type\": \"Microsoft.SecurityInsights/AlertRuleTemplates\",\r\n \"kind\": \"Scheduled\",\r\n \"properties\": {\r\n \"severity\": \"High\",\r\n \"query\": \"let timeframe = ago(3h);\\nlet threshold = 2;\\nOkta_CL\\n| where published_t >= timeframe\\n| where eventType_s =~ \\\"user.session.start\\\"\\n| where outcome_result_s =~ \\\"SUCCESS\\\"\\n| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated), NumOfCountries = dcount(client_geographicalContext_country_s) by actor_alternateId_s\\n| where NumOfCountries >= threshold\\n| extend timestamp = StartTime, AccountCustomEntity = actor_alternateId_s\",\r\n \"queryFrequency\": \"PT1H\",\r\n \"queryPeriod\": \"PT1H\",\r\n \"triggerOperator\": \"GreaterThan\",\r\n \"triggerThreshold\": 0,\r\n \"entityMappings\": [\r\n {\r\n \"entityType\": \"Account\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"FullName\",\r\n \"columnName\": \"AccountCustomEntity\"\r\n }\r\n ]\r\n }\r\n ],\r\n \"displayName\": \"User Login from Different Countries within 3 hours\",\r\n \"description\": \"This query searches for successful user logins to the Okta Console from different countries within 3 hours\",\r\n \"tactics\": [\r\n \"InitialAccess\"\r\n ],\r\n \"lastUpdatedDateUTC\": \"2020-11-17T00:00:00Z\",\r\n \"createdDateUTC\": \"2020-07-08T00:00:00Z\",\r\n \"status\": \"Available\",\r\n \"requiredDataConnectors\": [\r\n {\r\n \"connectorId\": \"OktaSSO\",\r\n \"dataTypes\": [\r\n \"Okta_CL\"\r\n ]\r\n }\r\n ],\r\n \"alertRulesCreatedByTemplateCount\": 0\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/AlertRuleTemplates/19e01883-15d8-4eb6-a7a5-3276cd668388\",\r\n \"name\": \"19e01883-15d8-4eb6-a7a5-3276cd668388\",\r\n \"type\": \"Microsoft.SecurityInsights/AlertRuleTemplates\",\r\n \"kind\": \"Scheduled\",\r\n \"properties\": {\r\n \"severity\": \"Medium\",\r\n \"query\": \"let timeFrame = 1d;\\nlet timeBin = 1m;\\nlet failedThreshold = 20;\\nW3CIISLog\\n| where TimeGenerated >= ago(timeFrame)\\n| where scStatus in (\\\"401\\\",\\\"403\\\")\\n| where csUserName != \\\"-\\\"\\n| extend scStatusFull = strcat(scStatus, \\\".\\\",scSubStatus) \\n// Map common IIS codes\\n| extend scStatusFull_Friendly = case(\\nscStatusFull == \\\"401.0\\\", \\\"Access denied.\\\",\\nscStatusFull == \\\"401.1\\\", \\\"Logon failed.\\\",\\nscStatusFull == \\\"401.2\\\", \\\"Logon failed due to server configuration.\\\",\\nscStatusFull == \\\"401.3\\\", \\\"Unauthorized due to ACL on resource.\\\",\\nscStatusFull == \\\"401.4\\\", \\\"Authorization failed by filter.\\\",\\nscStatusFull == \\\"401.5\\\", \\\"Authorization failed by ISAPI/CGI application.\\\",\\nscStatusFull == \\\"403.0\\\", \\\"Forbidden.\\\",\\nscStatusFull == \\\"403.4\\\", \\\"SSL required.\\\",\\n\\\"See - https://support.microsoft.com/help/943891/the-http-status-code-in-iis-7-0-iis-7-5-and-iis-8-0\\\")\\n// Mapping to Hex so can be mapped using website in comments above\\n| extend scWin32Status_Hex = tohex(tolong(scWin32Status)) \\n// Map common win32 codes\\n| extend scWin32Status_Friendly = case(\\nscWin32Status_Hex =~ \\\"775\\\", \\\"The referenced account is currently locked out and cannot be logged on to.\\\",\\nscWin32Status_Hex =~ \\\"52e\\\", \\\"Logon failure: Unknown user name or bad password.\\\",\\nscWin32Status_Hex =~ \\\"532\\\", \\\"Logon failure: The specified account password has expired.\\\",\\nscWin32Status_Hex =~ \\\"533\\\", \\\"Logon failure: Account currently disabled.\\\", \\nscWin32Status_Hex =~ \\\"2ee2\\\", \\\"The request has timed out.\\\", \\nscWin32Status_Hex =~ \\\"0\\\", \\\"The operation completed successfully.\\\", \\nscWin32Status_Hex =~ \\\"1\\\", \\\"Incorrect function.\\\", \\nscWin32Status_Hex =~ \\\"2\\\", \\\"The system cannot find the file specified.\\\", \\nscWin32Status_Hex =~ \\\"3\\\", \\\"The system cannot find the path specified.\\\", \\nscWin32Status_Hex =~ \\\"4\\\", \\\"The system cannot open the file.\\\", \\nscWin32Status_Hex =~ \\\"5\\\", \\\"Access is denied.\\\", \\nscWin32Status_Hex =~ \\\"8009030e\\\", \\\"SEC_E_NO_CREDENTIALS\\\", \\nscWin32Status_Hex =~ \\\"8009030C\\\", \\\"SEC_E_LOGON_DENIED\\\", \\n\\\"See - https://msdn.microsoft.com/library/cc231199.aspx\\\")\\n// decode URI when available\\n| extend decodedUriQuery = url_decode(csUriQuery)\\n// Count of failed attempts from same client IP\\n| summarize makeset(decodedUriQuery), makeset(csUserName), makeset(sSiteName), makeset(sPort), makeset(csUserAgent), makeset(csMethod), makeset(csUriQuery), makeset(scStatusFull), makeset(scStatusFull_Friendly), makeset(scWin32Status_Hex), makeset(scWin32Status_Friendly), FailedConnectionsCount = count() by bin(TimeGenerated, timeBin), cIP, Computer, sIP\\n| where FailedConnectionsCount >= failedThreshold\\n| project TimeGenerated, cIP, set_csUserName, set_decodedUriQuery, Computer, set_sSiteName, sIP, set_sPort, set_csUserAgent, set_csMethod, set_scStatusFull, set_scStatusFull_Friendly, set_scWin32Status_Hex, set_scWin32Status_Friendly, FailedConnectionsCount\\n| order by FailedConnectionsCount\\n| extend timestamp = TimeGenerated, HostCustomEntity = Computer, IPCustomEntity = cIP\",\r\n \"queryFrequency\": \"P1D\",\r\n \"queryPeriod\": \"P1D\",\r\n \"triggerOperator\": \"GreaterThan\",\r\n \"triggerThreshold\": 0,\r\n \"entityMappings\": [\r\n {\r\n \"entityType\": \"Host\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"FullName\",\r\n \"columnName\": \"HostCustomEntity\"\r\n }\r\n ]\r\n },\r\n {\r\n \"entityType\": \"IP\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"Address\",\r\n \"columnName\": \"IPCustomEntity\"\r\n }\r\n ]\r\n }\r\n ],\r\n \"displayName\": \"High count of failed attempts from same client IP\",\r\n \"description\": \"Identifies when 20 or more failed attempts from a given client IP in 1 minute occur on the IIS server.\\nThis could be indicative of an attempted brute force. This could also simply indicate a misconfigured service or device.\\nRecommendations: Validate that these are expected connections from the given Client IP. If the client IP is not recognized, \\npotentially block these connections at the edge device.\\nIf these are expected connections, verify the credentials are properly configured on the system, service, application or device \\nthat is associated with the client IP.\\nReferences:\\nIIS status code mapping: https://support.microsoft.com/help/943891/the-http-status-code-in-iis-7-0-iis-7-5-and-iis-8-0\\nWin32 Status code mapping: https://msdn.microsoft.com/library/cc231199.aspx\",\r\n \"tactics\": [\r\n \"CredentialAccess\"\r\n ],\r\n \"lastUpdatedDateUTC\": \"2020-11-17T00:00:00Z\",\r\n \"createdDateUTC\": \"2019-03-19T00:00:00Z\",\r\n \"status\": \"Available\",\r\n \"requiredDataConnectors\": [\r\n {\r\n \"connectorId\": \"AzureMonitor(IIS)\",\r\n \"dataTypes\": [\r\n \"W3CIISLog\"\r\n ]\r\n }\r\n ],\r\n \"alertRulesCreatedByTemplateCount\": 0\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/AlertRuleTemplates/4915c713-ab38-432e-800b-8e2d46933de6\",\r\n \"name\": \"4915c713-ab38-432e-800b-8e2d46933de6\",\r\n \"type\": \"Microsoft.SecurityInsights/AlertRuleTemplates\",\r\n \"kind\": \"Scheduled\",\r\n \"properties\": {\r\n \"severity\": \"Medium\",\r\n \"query\": \"let PrivateIPregex = @'^127\\\\.|^10\\\\.|^172\\\\.1[6-9]\\\\.|^172\\\\.2[0-9]\\\\.|^172\\\\.3[0-1]\\\\.|^192\\\\.168\\\\.'; \\nlet avgthreshold = 0;\\nlet probabilityLimit = 0.01;\\nlet startime = 7d;\\nlet ssh_logins = Syslog\\n| where TimeGenerated >= ago(startime)\\n| where Facility contains \\\"auth\\\" and ProcessName =~ \\\"sshd\\\"\\n| where SyslogMessage has \\\"Accepted\\\"\\n| extend SourceIP = extract(\\\"(([0-9]{1,3})\\\\\\\\.([0-9]{1,3})\\\\\\\\.([0-9]{1,3})\\\\\\\\.(([0-9]{1,3})))\\\",1,SyslogMessage) \\n| where isnotempty(SourceIP)\\n| extend ipType = iff(SourceIP matches regex PrivateIPregex,\\\"private\\\" ,\\\"public\\\");\\nssh_logins \\n| summarize privatecount=countif(ipType==\\\"private\\\"), publiccount=countif(ipType==\\\"public\\\") by HostName, HostIP, bin(EventTime, 1d)\\n| summarize \\npublicIPLoginHistory = make_list(pack('IPCount', publiccount, 'logon_time', EventTime)),\\nprivateIPLoginHistory = make_list(pack('IPCount', privatecount, 'logon_time', EventTime)) by HostName, HostIP\\n| mv-apply publicIPLoginHistory = publicIPLoginHistory on\\n(\\n order by todatetime(publicIPLoginHistory['logon_time']) asc\\n | summarize publicIPLoginCountList=make_list(toint(publicIPLoginHistory['IPCount'])), publicAverage=avg(toint(publicIPLoginHistory['IPCount'])), publicStd=stdev(toint(publicIPLoginHistory['IPCount'])), maxPublicLoginCount=max(toint(publicIPLoginHistory['IPCount']))\\n)\\n| mv-apply privateIPLoginHistory = privateIPLoginHistory on\\n(\\n order by todatetime(privateIPLoginHistory['logon_time']) asc\\n | summarize privateIPLoginCountList=make_list(toint(privateIPLoginHistory['IPCount'])), privateAverage=avg(toint(privateIPLoginHistory['IPCount'])), privateStd=stdev(toint(privateIPLoginHistory['IPCount']))\\n)\\n// Some logins from private IPs\\n| where privateAverage > avgthreshold\\n// There is a non-zero number of logins from public IPs\\n| where publicAverage > avgthreshold\\n// Approximate probability of seeing login from a public IP is < 1%\\n| extend probabilityPublic = publicAverage / (privateAverage + publicAverage)\\n| where probabilityPublic < probabilityLimit\\n// Today has the highest number of logins from public IPs that we've seen in the last week\\n| extend publicLoginCountToday = publicIPLoginCountList[-1]\\n| where publicLoginCountToday >= maxPublicLoginCount\\n| extend HostCustomEntity = HostName\\n// Optionally retrieve the original raw data for those logins that we've identified as potentially suspect\\n// | join kind=rightsemi (\\n// ssh_logins\\n// | where ipType == \\\"public\\\"\\n// ) on HostName\",\r\n \"queryFrequency\": \"P1D\",\r\n \"queryPeriod\": \"P7D\",\r\n \"triggerOperator\": \"GreaterThan\",\r\n \"triggerThreshold\": 0,\r\n \"entityMappings\": [\r\n {\r\n \"entityType\": \"Host\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"FullName\",\r\n \"columnName\": \"HostCustomEntity\"\r\n }\r\n ]\r\n }\r\n ],\r\n \"displayName\": \"New internet-exposed SSH endpoints\",\r\n \"description\": \"Looks for SSH endpoints with a history of sign-ins only from private IP addresses are accessed from a public IP address.\",\r\n \"tactics\": [\r\n \"InitialAccess\"\r\n ],\r\n \"lastUpdatedDateUTC\": \"2020-11-17T00:00:00Z\",\r\n \"createdDateUTC\": \"2019-08-27T00:00:00Z\",\r\n \"status\": \"Available\",\r\n \"requiredDataConnectors\": [\r\n {\r\n \"connectorId\": \"Syslog\",\r\n \"dataTypes\": [\r\n \"Syslog\"\r\n ]\r\n }\r\n ],\r\n \"alertRulesCreatedByTemplateCount\": 0\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/AlertRuleTemplates/500c103a-0319-4d56-8e99-3cec8d860757\",\r\n \"name\": \"500c103a-0319-4d56-8e99-3cec8d860757\",\r\n \"type\": \"Microsoft.SecurityInsights/AlertRuleTemplates\",\r\n \"kind\": \"Scheduled\",\r\n \"properties\": {\r\n \"severity\": \"Medium\",\r\n \"query\": \"let lookBack = 1d;\\nSigninLogs \\n| where TimeGenerated >= ago(lookBack)\\n| where ResultType == \\\"50057\\\" \\n| where ResultDescription == \\\"User account is disabled. The account has been disabled by an administrator.\\\" \\n| summarize StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated), disabledAccountLoginAttempts = count(), \\ndisabledAccountsTargeted = dcount(UserPrincipalName), applicationsTargeted = dcount(AppDisplayName), disabledAccountSet = makeset(UserPrincipalName), \\napplicationSet = makeset(AppDisplayName) by IPAddress\\n| order by disabledAccountLoginAttempts desc\\n| join kind= leftouter (\\n // Consider these IPs suspicious - and alert any related successful sign-ins\\n SigninLogs\\n | where TimeGenerated >= ago(lookBack)\\n | where ResultType == 0\\n | summarize successfulAccountSigninCount = dcount(UserPrincipalName), successfulAccountSigninSet = makeset(UserPrincipalName, 15) by IPAddress\\n // Assume IPs associated with sign-ins from 100+ distinct user accounts are safe\\n | where successfulAccountSigninCount < 100\\n) on IPAddress \\n// IPs from which attempts to authenticate as disabled user accounts originated, and had a non-zero success rate for some other account\\n| where successfulAccountSigninCount != 0\\n| project StartTimeUtc, EndTimeUtc, IPAddress, disabledAccountLoginAttempts, disabledAccountsTargeted, disabledAccountSet, applicationSet, \\nsuccessfulAccountSigninCount, successfulAccountSigninSet\\n| order by disabledAccountLoginAttempts\\n| extend timestamp = StartTimeUtc, IPCustomEntity = IPAddress\",\r\n \"queryFrequency\": \"P1D\",\r\n \"queryPeriod\": \"P1D\",\r\n \"triggerOperator\": \"GreaterThan\",\r\n \"triggerThreshold\": 0,\r\n \"entityMappings\": [\r\n {\r\n \"entityType\": \"IP\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"Address\",\r\n \"columnName\": \"IPCustomEntity\"\r\n }\r\n ]\r\n }\r\n ],\r\n \"displayName\": \"Sign-ins from IPs that attempt sign-ins to disabled accounts\",\r\n \"description\": \"Identifies IPs with failed attempts to sign in to one or more disabled accounts signed in successfully to another account.\\nReferences: https://docs.microsoft.com/azure/active-directory/reports-monitoring/reference-sign-ins-error-codes\\n50057 - User account is disabled. The account has been disabled by an administrator.\",\r\n \"tactics\": [\r\n \"InitialAccess\",\r\n \"Persistence\"\r\n ],\r\n \"lastUpdatedDateUTC\": \"2020-11-17T00:00:00Z\",\r\n \"createdDateUTC\": \"2019-02-11T00:00:00Z\",\r\n \"status\": \"Available\",\r\n \"requiredDataConnectors\": [\r\n {\r\n \"connectorId\": \"AzureActiveDirectory\",\r\n \"dataTypes\": [\r\n \"SigninLogs\"\r\n ]\r\n }\r\n ],\r\n \"alertRulesCreatedByTemplateCount\": 0\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/AlertRuleTemplates/b725d62c-eb77-42ff-96f6-bdc6745fc6e0\",\r\n \"name\": \"b725d62c-eb77-42ff-96f6-bdc6745fc6e0\",\r\n \"type\": \"Microsoft.SecurityInsights/AlertRuleTemplates\",\r\n \"kind\": \"Scheduled\",\r\n \"properties\": {\r\n \"severity\": \"Low\",\r\n \"query\": \"let starttime = 14d;\\nlet endtime = 1d;\\nlet UserAgentAll = \\n(union isfuzzy=true\\n(OfficeActivity\\n| where TimeGenerated >= ago(starttime)\\n| where isnotempty(UserAgent)\\n| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated) by UserAgent, SourceIP = ClientIP, Account = UserId, Type, RecordType, Operation\\n),\\n(\\nW3CIISLog\\n| where TimeGenerated >= ago(starttime)\\n| where isnotempty(csUserAgent)\\n| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated) by UserAgent = csUserAgent, SourceIP = cIP, Account = csUserName, Type, sSiteName, csMethod, csUriStem\\n),\\n(\\nAWSCloudTrail\\n| where TimeGenerated >= ago(starttime)\\n| where isnotempty(UserAgent)\\n| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated) by UserAgent, SourceIP = SourceIpAddress, Account = UserIdentityUserName, Type, EventSource, EventName\\n))\\n// remove wordSize blocks of non-numeric hex characters prior to word extraction\\n| extend UserAgentNoHexAlphas = replace(\\\"([A-Fa-f]{4,})\\\", \\\"x\\\", UserAgent)\\n// once blocks of hex chars are removed, extract wordSize blocks of a-z\\n| extend Tokens = extract_all(\\\"([A-Za-z]{4,})\\\", UserAgentNoHexAlphas)\\n// concatenate extracted words to create a summarized user agent for baseline and comparison\\n| extend NormalizedUserAgent = strcat_array(Tokens, \\\"|\\\")\\n| project-away UserAgentNoHexAlphas, Tokens;\\nUserAgentAll\\n| where StartTime >= ago(endtime)\\n| summarize StartTime = min(StartTime), EndTime = max(EndTime), count() by UserAgent, NormalizedUserAgent, SourceIP, Account, Type, RecordType, Operation, EventSource, EventName, sSiteName, csMethod, csUriStem\\n| join kind=leftanti\\n(\\nUserAgentAll\\n| where StartTime < ago(endtime)\\n| summarize by NormalizedUserAgent, SourceIP, Account, Type, RecordType, Operation, EventSource, EventName, sSiteName, csMethod, csUriStem\\n)\\non NormalizedUserAgent\\n| extend timestamp = StartTime, IPCustomEntity = SourceIP, AccountCustomEntity = Account\",\r\n \"queryFrequency\": \"P1D\",\r\n \"queryPeriod\": \"P14D\",\r\n \"triggerOperator\": \"GreaterThan\",\r\n \"triggerThreshold\": 0,\r\n \"entityMappings\": [\r\n {\r\n \"entityType\": \"Account\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"FullName\",\r\n \"columnName\": \"AccountCustomEntity\"\r\n }\r\n ]\r\n },\r\n {\r\n \"entityType\": \"IP\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"Address\",\r\n \"columnName\": \"IPCustomEntity\"\r\n }\r\n ]\r\n }\r\n ],\r\n \"displayName\": \"New UserAgent observed in last 24 hours\",\r\n \"description\": \"Identifies new UserAgents observed in the last 24 hours versus the previous 14 days. This detection \\nextracts words from user agents to build the baseline and determine rareity rather than perform a \\ndirect comparison. This avoids FPs caused by version numbers and other high entropy user agent components.\\nThese new UserAgents could be benign. However, in normally stable environments,\\nthese new UserAgents could provide a starting point for investigating malicious activity.\\nNote: W3CIISLog can be noisy depending on the environment, however OfficeActivity and AWSCloudTrail are\\nusually stable with low numbers of detections.\",\r\n \"tactics\": [\r\n \"InitialAccess\",\r\n \"CommandAndControl\",\r\n \"Execution\"\r\n ],\r\n \"lastUpdatedDateUTC\": \"2020-11-17T00:00:00Z\",\r\n \"createdDateUTC\": \"2019-04-01T00:00:00Z\",\r\n \"status\": \"Available\",\r\n \"requiredDataConnectors\": [\r\n {\r\n \"connectorId\": \"AWS\",\r\n \"dataTypes\": [\r\n \"AWSCloudTrail\"\r\n ]\r\n },\r\n {\r\n \"connectorId\": \"Office365\",\r\n \"dataTypes\": [\r\n \"OfficeActivity\"\r\n ]\r\n },\r\n {\r\n \"connectorId\": \"AzureMonitor(IIS)\",\r\n \"dataTypes\": [\r\n \"W3CIISLog\"\r\n ]\r\n }\r\n ],\r\n \"alertRulesCreatedByTemplateCount\": 0\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/AlertRuleTemplates/d3980830-dd9d-40a5-911f-76b44dfdce16\",\r\n \"name\": \"d3980830-dd9d-40a5-911f-76b44dfdce16\",\r\n \"type\": \"Microsoft.SecurityInsights/AlertRuleTemplates\",\r\n \"kind\": \"Scheduled\",\r\n \"properties\": {\r\n \"severity\": \"Medium\",\r\n \"query\": \"let RunTime = 1h;\\nSigninLogs\\n| where TimeGenerated > ago(RunTime)\\n| where AppDisplayName == \\\"GitHub.com\\\"\\n| where ResultType == 0\\n| summarize CountOfLocations = dcount(Location), Locations = make_set(Location), BurstStartTime = min(TimeGenerated), BurstEndTime = max(TimeGenerated) by UserPrincipalName\\n| where CountOfLocations > 1\\n| extend timestamp = BurstStartTime, AccountCustomEntity = UserPrincipalName\",\r\n \"queryFrequency\": \"P1D\",\r\n \"queryPeriod\": \"P1D\",\r\n \"triggerOperator\": \"GreaterThan\",\r\n \"triggerThreshold\": 0,\r\n \"entityMappings\": [\r\n {\r\n \"entityType\": \"Account\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"FullName\",\r\n \"columnName\": \"AccountCustomEntity\"\r\n }\r\n ]\r\n }\r\n ],\r\n \"displayName\": \"GitHub Signin Burst from Multiple Locations\",\r\n \"description\": \"This alerts when there Signin burst from multiple locations in GitHub (AAD SSO).\",\r\n \"tactics\": [\r\n \"CredentialAccess\"\r\n ],\r\n \"lastUpdatedDateUTC\": \"2020-11-17T00:00:00Z\",\r\n \"createdDateUTC\": \"2020-06-02T00:00:00Z\",\r\n \"status\": \"Available\",\r\n \"requiredDataConnectors\": [\r\n {\r\n \"connectorId\": \"AzureActiveDirectory\",\r\n \"dataTypes\": [\r\n \"SigninLogs\"\r\n ]\r\n }\r\n ],\r\n \"alertRulesCreatedByTemplateCount\": 0\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/AlertRuleTemplates/8675dd7a-795e-4d56-a79c-fc848c5ee61c\",\r\n \"name\": \"8675dd7a-795e-4d56-a79c-fc848c5ee61c\",\r\n \"type\": \"Microsoft.SecurityInsights/AlertRuleTemplates\",\r\n \"kind\": \"Scheduled\",\r\n \"properties\": {\r\n \"severity\": \"Medium\",\r\n \"query\": \"let timeframe = ago(1h);\\nProofPointTAPClicksPermitted_CL\\n| where TimeGenerated >= timeframe\\n| where classification_s =~ \\\"malware\\\"\\n| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated), count() by TimeGenerated, Sender = sender_s, SenderIPAddress = senderIP_s, Recipient = recipient_s, TimeClicked = clickTime_t, URLClicked = url_s\\n| extend timestamp = StartTime, AccountCustomEntity = Recipient, IPCustomEntity = SenderIPAddress, URLCustomEntity = URLClicked\",\r\n \"queryFrequency\": \"PT1H\",\r\n \"queryPeriod\": \"PT1H\",\r\n \"triggerOperator\": \"GreaterThan\",\r\n \"triggerThreshold\": 0,\r\n \"entityMappings\": [\r\n {\r\n \"entityType\": \"Account\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"FullName\",\r\n \"columnName\": \"AccountCustomEntity\"\r\n }\r\n ]\r\n },\r\n {\r\n \"entityType\": \"IP\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"Address\",\r\n \"columnName\": \"IPCustomEntity\"\r\n }\r\n ]\r\n },\r\n {\r\n \"entityType\": \"URL\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"Url\",\r\n \"columnName\": \"URLCustomEntity\"\r\n }\r\n ]\r\n }\r\n ],\r\n \"displayName\": \"Malware Link Clicked\",\r\n \"description\": \"This query identifies a user clicking on an email link whose threat category is classified as a malware\",\r\n \"tactics\": [\r\n \"InitialAccess\"\r\n ],\r\n \"lastUpdatedDateUTC\": \"2020-11-17T00:00:00Z\",\r\n \"createdDateUTC\": \"2020-06-20T00:00:00Z\",\r\n \"status\": \"Available\",\r\n \"requiredDataConnectors\": [\r\n {\r\n \"connectorId\": \"ProofpointTAP\",\r\n \"dataTypes\": [\r\n \"ProofPointTAPClicksPermitted_CL\"\r\n ]\r\n }\r\n ],\r\n \"alertRulesCreatedByTemplateCount\": 0\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/AlertRuleTemplates/2d8a60aa-c15e-442e-9ce3-ee924889d2a6\",\r\n \"name\": \"2d8a60aa-c15e-442e-9ce3-ee924889d2a6\",\r\n \"type\": \"Microsoft.SecurityInsights/AlertRuleTemplates\",\r\n \"kind\": \"Scheduled\",\r\n \"properties\": {\r\n \"severity\": \"Low\",\r\n \"query\": \"eset_CL\\n| where event_type_s == \\\"Threat_Event\\\"\\n| extend HostCustomEntity = hostname_s, AccountCustomEntity = username_s, IPCustomEntity = ipv4_s\",\r\n \"queryFrequency\": \"PT5M\",\r\n \"queryPeriod\": \"PT5M\",\r\n \"triggerOperator\": \"GreaterThan\",\r\n \"triggerThreshold\": 0,\r\n \"entityMappings\": [\r\n {\r\n \"entityType\": \"Account\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"FullName\",\r\n \"columnName\": \"AccountCustomEntity\"\r\n }\r\n ]\r\n },\r\n {\r\n \"entityType\": \"Host\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"FullName\",\r\n \"columnName\": \"HostCustomEntity\"\r\n }\r\n ]\r\n },\r\n {\r\n \"entityType\": \"IP\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"Address\",\r\n \"columnName\": \"IPCustomEntity\"\r\n }\r\n ]\r\n }\r\n ],\r\n \"displayName\": \"Threats detected by Eset\",\r\n \"description\": \"Escalates threats detected by Eset.\",\r\n \"tactics\": [\r\n \"Execution\",\r\n \"CredentialAccess\",\r\n \"PrivilegeEscalation\"\r\n ],\r\n \"lastUpdatedDateUTC\": \"2020-11-17T00:00:00Z\",\r\n \"createdDateUTC\": \"2020-07-09T00:00:00Z\",\r\n \"status\": \"Available\",\r\n \"requiredDataConnectors\": [\r\n {\r\n \"connectorId\": \"EsetSMC\",\r\n \"dataTypes\": [\r\n \"eset_CL\"\r\n ]\r\n }\r\n ],\r\n \"alertRulesCreatedByTemplateCount\": 0\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/AlertRuleTemplates/90586451-7ba8-4c1e-9904-7d1b7c3cc4d6\",\r\n \"name\": \"90586451-7ba8-4c1e-9904-7d1b7c3cc4d6\",\r\n \"type\": \"Microsoft.SecurityInsights/AlertRuleTemplates\",\r\n \"kind\": \"MicrosoftSecurityIncidentCreation\",\r\n \"properties\": {\r\n \"productFilter\": \"Azure Security Center\",\r\n \"displayName\": \"Create incidents based on Azure Security Center alerts\",\r\n \"description\": \"Create incidents based on all alerts generated in Azure Security Center\",\r\n \"lastUpdatedDateUTC\": \"2019-07-16T00:00:00Z\",\r\n \"createdDateUTC\": \"2019-07-16T00:00:00Z\",\r\n \"status\": \"Available\",\r\n \"requiredDataConnectors\": [\r\n {\r\n \"connectorId\": \"AzureSecurityCenter\",\r\n \"dataTypes\": [\r\n \"SecurityAlert (ASC)\"\r\n ]\r\n }\r\n ],\r\n \"alertRulesCreatedByTemplateCount\": 0\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/AlertRuleTemplates/69b7723c-2889-469f-8b55-a2d355ed9c87\",\r\n \"name\": \"69b7723c-2889-469f-8b55-a2d355ed9c87\",\r\n \"type\": \"Microsoft.SecurityInsights/AlertRuleTemplates\",\r\n \"kind\": \"Scheduled\",\r\n \"properties\": {\r\n \"severity\": \"Medium\",\r\n \"query\": \"let dt_lookBack = 1h;\\nlet ioc_lookBack = 14d;\\nThreatIntelligenceIndicator\\n| where TimeGenerated >= ago(ioc_lookBack) and ExpirationDateTime > now()\\n| where Active == true\\n// Picking up only IOC's that contain the entities we want\\n| where isnotempty(NetworkIP) or isnotempty(EmailSourceIpAddress) or isnotempty(NetworkDestinationIP) or isnotempty(NetworkSourceIP)\\n// As there is potentially more than 1 indicator type for matching IP, taking NetworkIP first, then others if that is empty.\\n// Taking the first non-empty value based on potential IOC match availability\\n| extend TI_ipEntity = iff(isnotempty(NetworkIP), NetworkIP, NetworkDestinationIP)\\n| extend TI_ipEntity = iff(isempty(TI_ipEntity) and isnotempty(NetworkSourceIP), NetworkSourceIP, TI_ipEntity)\\n| extend TI_ipEntity = iff(isempty(TI_ipEntity) and isnotempty(EmailSourceIpAddress), EmailSourceIpAddress, TI_ipEntity)\\n| join (\\n DnsEvents | where TimeGenerated >= ago(dt_lookBack)\\n | where SubType =~ \\\"LookupQuery\\\" and isnotempty(IPAddresses)\\n | extend SingleIP = split(IPAddresses, \\\",\\\")\\n | mvexpand SingleIP\\n | extend SingleIP = tostring(SingleIP)\\n // renaming time column so it is clear the log this came from\\n | extend DNS_TimeGenerated = TimeGenerated\\n)\\non $left.TI_ipEntity == $right.SingleIP\\n| summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId\\n| project LatestIndicatorTime, Description, ActivityGroupNames, IndicatorId, ThreatType, Url, ExpirationDateTime, ConfidenceScore, DNS_TimeGenerated,\\nTI_ipEntity, Computer, EventId, SubType, ClientIP, Name, IPAddresses, NetworkIP, NetworkDestinationIP, NetworkSourceIP, EmailSourceIpAddress\\n| extend timestamp = DNS_TimeGenerated, IPCustomEntity = ClientIP, HostCustomEntity = Computer, URLCustomEntity = Url\",\r\n \"queryFrequency\": \"PT1H\",\r\n \"queryPeriod\": \"P14D\",\r\n \"triggerOperator\": \"GreaterThan\",\r\n \"triggerThreshold\": 0,\r\n \"entityMappings\": [\r\n {\r\n \"entityType\": \"Host\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"FullName\",\r\n \"columnName\": \"HostCustomEntity\"\r\n }\r\n ]\r\n },\r\n {\r\n \"entityType\": \"IP\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"Address\",\r\n \"columnName\": \"IPCustomEntity\"\r\n }\r\n ]\r\n },\r\n {\r\n \"entityType\": \"URL\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"Url\",\r\n \"columnName\": \"URLCustomEntity\"\r\n }\r\n ]\r\n }\r\n ],\r\n \"displayName\": \"(Preview) TI map IP entity to DnsEvents\",\r\n \"description\": \"Identifies a match in DnsEvents from any IP IOC from TI\",\r\n \"tactics\": [\r\n \"Impact\"\r\n ],\r\n \"lastUpdatedDateUTC\": \"2020-11-17T00:00:00Z\",\r\n \"createdDateUTC\": \"2019-08-27T00:00:00Z\",\r\n \"status\": \"Available\",\r\n \"requiredDataConnectors\": [\r\n {\r\n \"connectorId\": \"ThreatIntelligence\",\r\n \"dataTypes\": [\r\n \"ThreatIntelligenceIndicator\"\r\n ]\r\n },\r\n {\r\n \"connectorId\": \"ThreatIntelligenceTaxii\",\r\n \"dataTypes\": [\r\n \"ThreatIntelligenceIndicator\"\r\n ]\r\n },\r\n {\r\n \"connectorId\": \"DNS\",\r\n \"dataTypes\": [\r\n \"DnsEvents\"\r\n ]\r\n }\r\n ],\r\n \"alertRulesCreatedByTemplateCount\": 0\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/AlertRuleTemplates/2be4ef67-a93f-4d8a-981a-88158cb73abd\",\r\n \"name\": \"2be4ef67-a93f-4d8a-981a-88158cb73abd\",\r\n \"type\": \"Microsoft.SecurityInsights/AlertRuleTemplates\",\r\n \"kind\": \"Scheduled\",\r\n \"properties\": {\r\n \"severity\": \"Medium\",\r\n \"query\": \"let dt_lookBack = 1h;\\nlet covidIndicators = (externaldata(TimeGenerated:datetime, FileHashValue:string, FileHashType: string, TlpLevel: string, Product: string, ThreatType: string, Description: string )\\n[@\\\"https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Sample%20Data/Feeds/Microsoft.Covid19.Indicators.csv\\\"] with (format=\\\"csv\\\"));\\nlet fileHashIndicators = covidIndicators\\n| where isnotempty(FileHashValue);\\n// Handle matches against both lower case and uppercase versions of the hash:\\n( fileHashIndicators | extend FileHashValue = tolower(FileHashValue)\\n | union (fileHashIndicators | extend FileHashValue = toupper(FileHashValue)))\\n| join (\\n CommonSecurityLog | where TimeGenerated >= ago(dt_lookBack) \\n | where isnotempty(FileHash)\\n | extend CommonSecurityLog_TimeGenerated = TimeGenerated\\n)\\non $left.FileHashValue == $right.FileHash\\n| summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by FileHashValue\\n| project LatestIndicatorTime, FileHashValue, FileHashType, Description, ThreatType, \\nCommonSecurityLog_TimeGenerated, SourceIP, SourcePort, DestinationIP, DestinationPort, SourceUserID, SourceUserName, DeviceName, DeviceAction, \\nRequestURL, DestinationUserName, DestinationUserID, ApplicationProtocol, Activity\\n| extend timestamp = CommonSecurityLog_TimeGenerated, IPCustomEntity = SourceIP, HostCustomEntity = DeviceName, AccountCustomEntity = SourceUserName\",\r\n \"queryFrequency\": \"PT1H\",\r\n \"queryPeriod\": \"P14D\",\r\n \"triggerOperator\": \"GreaterThan\",\r\n \"triggerThreshold\": 0,\r\n \"entityMappings\": [\r\n {\r\n \"entityType\": \"Account\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"FullName\",\r\n \"columnName\": \"AccountCustomEntity\"\r\n }\r\n ]\r\n },\r\n {\r\n \"entityType\": \"Host\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"FullName\",\r\n \"columnName\": \"HostCustomEntity\"\r\n }\r\n ]\r\n },\r\n {\r\n \"entityType\": \"IP\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"Address\",\r\n \"columnName\": \"IPCustomEntity\"\r\n }\r\n ]\r\n }\r\n ],\r\n \"displayName\": \"Microsoft COVID-19 file hash indicator matches\",\r\n \"description\": \"Identifies a match in CommonSecurityLog Event data from any FileHash published in the Microsoft COVID-19 Threat Intel Feed - as described at https://www.microsoft.com/security/blog/2020/05/14/open-sourcing-covid-threat-intelligence/\",\r\n \"tactics\": [\r\n \"Impact\"\r\n ],\r\n \"lastUpdatedDateUTC\": \"2020-11-17T00:00:00Z\",\r\n \"createdDateUTC\": \"2019-08-30T00:00:00Z\",\r\n \"status\": \"Available\",\r\n \"requiredDataConnectors\": [\r\n {\r\n \"connectorId\": \"PaloAltoNetworks\",\r\n \"dataTypes\": [\r\n \"CommonSecurityLog\"\r\n ]\r\n }\r\n ],\r\n \"alertRulesCreatedByTemplateCount\": 0\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/AlertRuleTemplates/884be6e7-e568-418e-9c12-89229865ffde\",\r\n \"name\": \"884be6e7-e568-418e-9c12-89229865ffde\",\r\n \"type\": \"Microsoft.SecurityInsights/AlertRuleTemplates\",\r\n \"kind\": \"Scheduled\",\r\n \"properties\": {\r\n \"severity\": \"Medium\",\r\n \"query\": \"let timeframe = ago(1h);\\nlet FailureThreshold = 15;\\nlet FailedLogins = Okta_CL\\n| where TimeGenerated > timeframe\\n| where eventType_s =~ \\\"user.session.start\\\" and outcome_reason_s =~ \\\"VERIFICATION_ERROR\\\"\\n| summarize count() by actor_alternateId_s, client_ipAddress_s, bin(TimeGenerated, 5m)\\n| where count_ > FailureThreshold\\n| project client_ipAddress_s, actor_alternateId_s;\\nOkta_CL\\n| where TimeGenerated > timeframe\\n| join kind=inner (FailedLogins) on client_ipAddress_s, actor_alternateId_s\\n| where eventType_s =~ \\\"user.session.start\\\" and outcome_reason_s =~ \\\"VERIFICATION_ERROR\\\"\\n| summarize count() by actor_alternateId_s, ClientIP = client_ipAddress_s, City = client_geographicalContext_city_s, Country = client_geographicalContext_country_s, published_t\\n| sort by published_t desc\\n| extend timestamp = published_t, IPCustomEntity = ClientIP, AccountCustomEntity = actor_alternateId_s\",\r\n \"queryFrequency\": \"PT1H\",\r\n \"queryPeriod\": \"PT1H\",\r\n \"triggerOperator\": \"GreaterThan\",\r\n \"triggerThreshold\": 0,\r\n \"entityMappings\": [\r\n {\r\n \"entityType\": \"Account\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"FullName\",\r\n \"columnName\": \"AccountCustomEntity\"\r\n }\r\n ]\r\n },\r\n {\r\n \"entityType\": \"IP\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"Address\",\r\n \"columnName\": \"IPCustomEntity\"\r\n }\r\n ]\r\n }\r\n ],\r\n \"displayName\": \"Failed Logins from Unknown or Invalid User\",\r\n \"description\": \"This query searches for numerous login attempts to the management console with an unknown or invalid user name\",\r\n \"tactics\": [\r\n \"CredentialAccess\"\r\n ],\r\n \"lastUpdatedDateUTC\": \"2020-11-17T00:00:00Z\",\r\n \"createdDateUTC\": \"2020-07-08T00:00:00Z\",\r\n \"status\": \"Available\",\r\n \"requiredDataConnectors\": [\r\n {\r\n \"connectorId\": \"OktaSSO\",\r\n \"dataTypes\": [\r\n \"Okta_CL\"\r\n ]\r\n }\r\n ],\r\n \"alertRulesCreatedByTemplateCount\": 0\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/AlertRuleTemplates/84ad2f8a-b64c-49bc-b669-bdb4fd3071e9\",\r\n \"name\": \"84ad2f8a-b64c-49bc-b669-bdb4fd3071e9\",\r\n \"type\": \"Microsoft.SecurityInsights/AlertRuleTemplates\",\r\n \"kind\": \"Scheduled\",\r\n \"properties\": {\r\n \"severity\": \"Low\",\r\n \"query\": \"eset_CL\\n| where event_type_s == 'FilteredWebsites_Event'\\n| extend AccountCustomEntity = username_s, URLCustomEntity = object_uri_s, HostCustomEntity = hostname_s, IPCustomEntity = ipv4_s\",\r\n \"queryFrequency\": \"PT5M\",\r\n \"queryPeriod\": \"PT5M\",\r\n \"triggerOperator\": \"GreaterThan\",\r\n \"triggerThreshold\": 0,\r\n \"entityMappings\": [\r\n {\r\n \"entityType\": \"Account\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"FullName\",\r\n \"columnName\": \"AccountCustomEntity\"\r\n }\r\n ]\r\n },\r\n {\r\n \"entityType\": \"Host\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"FullName\",\r\n \"columnName\": \"HostCustomEntity\"\r\n }\r\n ]\r\n },\r\n {\r\n \"entityType\": \"IP\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"Address\",\r\n \"columnName\": \"IPCustomEntity\"\r\n }\r\n ]\r\n },\r\n {\r\n \"entityType\": \"URL\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"Url\",\r\n \"columnName\": \"URLCustomEntity\"\r\n }\r\n ]\r\n }\r\n ],\r\n \"displayName\": \"Web sites blocked by Eset\",\r\n \"description\": \"Create alert on web sites blocked by Eset.\",\r\n \"tactics\": [\r\n \"Exfiltration\",\r\n \"CommandAndControl\",\r\n \"InitialAccess\"\r\n ],\r\n \"lastUpdatedDateUTC\": \"2020-11-17T00:00:00Z\",\r\n \"createdDateUTC\": \"2020-07-09T00:00:00Z\",\r\n \"status\": \"Available\",\r\n \"requiredDataConnectors\": [\r\n {\r\n \"connectorId\": \"EsetSMC\",\r\n \"dataTypes\": [\r\n \"eset_CL\"\r\n ]\r\n }\r\n ],\r\n \"alertRulesCreatedByTemplateCount\": 0\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/AlertRuleTemplates/a04cf847-a832-4c60-b687-b0b6147da219\",\r\n \"name\": \"a04cf847-a832-4c60-b687-b0b6147da219\",\r\n \"type\": \"Microsoft.SecurityInsights/AlertRuleTemplates\",\r\n \"kind\": \"Scheduled\",\r\n \"properties\": {\r\n \"severity\": \"High\",\r\n \"query\": \"let timeframe = 1d;\\nlet IPList = dynamic([\\\"45.63.52.41\\\",\\\"140.82.17.161\\\",\\\"207.148.101.95\\\",\\\"45.32.87.51\\\",\\\"66.42.98.156\\\",\\\"45.76.144.105\\\",\\\"217.163.28.35\\\",\\\"45.32.141.174\\\",\\\"149.28.165.249\\\",\\\"209.250.225.247\\\",\\\"45.63.100.115\\\",\\\"95.179.229.230\\\",\\\"209.250.233.247\\\",\\\"45.77.121.232\\\",\\\"45.76.175.65\\\",\\\"104.238.160.237\\\",\\\"45.77.181.97\\\",\\\"95.179.192.125\\\",\\\"149.28.93.184\\\",\\\"140.82.16.81\\\",\\\"45.76.173.103\\\",\\\"45.77.255.22\\\",\\\"45.32.11.71\\\",\\\"149.28.77.26\\\",\\\"45.32.54.50\\\",\\\"104.156.233.156\\\",\\\"45.32.21.118\\\",\\\"45.63.62.109\\\",\\\"45.77.244.202\\\",\\\"149.248.11.205\\\",\\\"104.238.190.244\\\"]);\\nlet IOCTerms = \\\"\\\\\\\\?lang=[/..]*/dev/cmdb/sslvpn_websession|/dana-na/jam/[/..]*home/webserver/htdocs/dana/html5acc/guacamole[/..]*etc/passwd\\\\\\\\?\\\";\\n(union isfuzzy=true\\n(CommonSecurityLog\\n| where TimeGenerated >= ago(1d) \\n| where isnotempty(SourceIP) or isnotempty(DestinationIP)\\n| where SourceIP in (IPList) or DestinationIP in (IPList) or Message has_any (IPList)\\n| extend IPMatch = case(\\nSourceIP in (IPList), \\\"SourceIP\\\", \\nDestinationIP in (IPList), \\\"DestinationIP\\\",\\n\\\"Message\\\") \\n| where Message matches regex IOCTerms\\n| summarize StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated) by SourceIP, DestinationIP, DeviceProduct, DeviceAction, Message, Protocol, SourcePort, DestinationPort, DeviceAddress, DeviceName, IPMatch\\n| extend timestamp = StartTimeUtc, IPCustomEntity = case(IPMatch == \\\"SourceIP\\\", SourceIP, IPMatch == \\\"DestinationIP\\\", DestinationIP, \\\"IP in Message Field\\\") \\n),\\n(OfficeActivity\\n| where TimeGenerated >= ago(1d) \\n| where isnotempty(UserAgent) and ClientIP in (IPList)\\n| where UserAgent contains \\\"ExchangeServicesClient/0.0.0.0\\\"\\n| summarize StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated) by SourceIP = ClientIP, Account = UserId, Type, RecordType, OfficeWorkload, UserAgent, OfficeObjectId, IPMatch = \\\"ClientIP\\\"\\n| extend timestamp = StartTimeUtc, AccountCustomEntity = Account, IPCustomEntity = SourceIP\\n)\\n)\",\r\n \"queryFrequency\": \"P1D\",\r\n \"queryPeriod\": \"P1D\",\r\n \"triggerOperator\": \"GreaterThan\",\r\n \"triggerThreshold\": 0,\r\n \"entityMappings\": [\r\n {\r\n \"entityType\": \"Account\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"FullName\",\r\n \"columnName\": \"AccountCustomEntity\"\r\n }\r\n ]\r\n },\r\n {\r\n \"entityType\": \"IP\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"Address\",\r\n \"columnName\": \"IPCustomEntity\"\r\n }\r\n ]\r\n }\r\n ],\r\n \"displayName\": \"Known Manganese IP and UserAgent activity\",\r\n \"description\": \"Matches IP plus UserAgent IOCs in OfficeActivity data, along with IP plus Connection string information in the CommonSecurityLog data related to Manganese group activity.\\nReferences: \\nhttps://kb.pulsesecure.net/articles/Pulse_Security_Advisories/SA44101/\\nhttps://fortiguard.com/psirt/FG-IR-18-384\",\r\n \"tactics\": [\r\n \"InitialAccess\",\r\n \"Collection\"\r\n ],\r\n \"lastUpdatedDateUTC\": \"2020-11-17T00:00:00Z\",\r\n \"createdDateUTC\": \"2019-10-02T00:00:00Z\",\r\n \"status\": \"Available\",\r\n \"requiredDataConnectors\": [\r\n {\r\n \"connectorId\": \"Office365\",\r\n \"dataTypes\": [\r\n \"OfficeActivity\"\r\n ]\r\n }\r\n ],\r\n \"alertRulesCreatedByTemplateCount\": 0\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/AlertRuleTemplates/4d500e6d-c984-43a3-9f39-7edec8dcc04d\",\r\n \"name\": \"4d500e6d-c984-43a3-9f39-7edec8dcc04d\",\r\n \"type\": \"Microsoft.SecurityInsights/AlertRuleTemplates\",\r\n \"kind\": \"Scheduled\",\r\n \"properties\": {\r\n \"severity\": \"Low\",\r\n \"query\": \"let timeRange = 1d;\\nlet scriptExtensions = dynamic([\\\".php\\\", \\\".aspx\\\", \\\".asp\\\", \\\".cfml\\\"]);\\n//The number of URI's seen to be suspicious, higher = less likely to be suspicious\\nlet uriThreshold = 1;\\nCommonSecurityLog\\n| where TimeGenerated >= ago(timeRange)\\n// Only look at connections that were allowed through the web proxy\\n| where DeviceVendor =~ \\\"Zscaler\\\" and DeviceAction =~ \\\"Allowed\\\"\\n// Only look where some data was exchanged.\\n| where SentBytes > 0 and ReceivedBytes > 0\\n// Extract the Domain\\n| extend Domain = iff(countof(DestinationHostName,'.') >= 2, strcat(split(DestinationHostName,'.')[-2], '.',split(DestinationHostName,'.')[-1]), DestinationHostName)\\n| extend GetData=iff(RequestURL == \\\"?\\\", 1, 0)\\n| summarize StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated), makelist(RequestURL), makelist(DestinationIP), makelist(SourceIP), numOfConnections = count(), make_set(RequestMethod), max(GetData), max(RequestContext) by Domain\\n// Determine the number of URIs that have been visited for the domain\\n| extend destinationURI = arraylength(list_RequestURL)\\n| where destinationURI <= uriThreshold\\n| where tostring(list_RequestURL) has_any(scriptExtensions)\\n//Remove matches with referer\\n| where max_RequestContext == \\\"\\\"\\n//Keep requests where data was trasferred either in a GET with parameters or a POST\\n| where set_RequestMethod in~ (\\\"POST\\\") or max_GetData == 1\\n//Defeat email click tracking, may increase FN's while decreasing FP's\\n| where list_RequestURL !has \\\"click\\\" and set_RequestMethod !has \\\"GET\\\"\\n| mvexpand list_RequestURL, list_DestinationIP\\n| extend RequestURL = tostring(list_RequestURL), DestinationIP = tostring(list_DestinationIP), ClientIP = tostring(list_SourceIP)\\n//Extend custom entitites for incidents\\n| extend timestamp = StartTimeUtc, IPCustomEntity = DestinationIP\\n| project-away list_RequestURL, list_DestinationIP, list_SourceIP, destinationURI, Domain, StartTimeUtc, EndTimeUtc, max_GetData, max_RequestContext\",\r\n \"queryFrequency\": \"P1D\",\r\n \"queryPeriod\": \"P1D\",\r\n \"triggerOperator\": \"GreaterThan\",\r\n \"triggerThreshold\": 0,\r\n \"entityMappings\": [\r\n {\r\n \"entityType\": \"IP\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"Address\",\r\n \"columnName\": \"IPCustomEntity\"\r\n }\r\n ]\r\n }\r\n ],\r\n \"displayName\": \"Request for single resource on domain\",\r\n \"description\": \"This will look for connections to a domain where only a single file is requested, this is unusual as most modern web applications require additional recources. This type of activity is often assocaited with malware beaconing or tracking URL's delivered in emails. Developed for Zscaler but applicable to any outbound web logging.\",\r\n \"tactics\": [\r\n \"CommandAndControl\"\r\n ],\r\n \"lastUpdatedDateUTC\": \"2020-11-17T00:00:00Z\",\r\n \"createdDateUTC\": \"2020-03-17T00:00:00Z\",\r\n \"status\": \"Available\",\r\n \"requiredDataConnectors\": [\r\n {\r\n \"connectorId\": \"Zscaler\",\r\n \"dataTypes\": [\r\n \"CommonSecurityLog\"\r\n ]\r\n }\r\n ],\r\n \"alertRulesCreatedByTemplateCount\": 0\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/AlertRuleTemplates/d6491be0-ab2d-439d-95d6-ad8ea39277c5\",\r\n \"name\": \"d6491be0-ab2d-439d-95d6-ad8ea39277c5\",\r\n \"type\": \"Microsoft.SecurityInsights/AlertRuleTemplates\",\r\n \"kind\": \"Scheduled\",\r\n \"properties\": {\r\n \"severity\": \"Low\",\r\n \"query\": \"let timeframe = 1d;\\nlet SensitiveOperationList = dynamic(\\n[\\\"VaultDelete\\\", \\\"KeyDelete\\\", \\\"SecretDelete\\\", \\\"SecretPurge\\\", \\\"KeyPurge\\\", \\\"SecretBackup\\\", \\\"KeyBackup\\\"]);\\nAzureDiagnostics\\n| where TimeGenerated > ago(timeframe)\\n| extend ResultType = columnifexists(\\\"ResultType\\\", \\\"NoResultType\\\")\\n| extend requestUri_s = columnifexists(\\\"requestUri_s\\\", \\\"None\\\"), identity_claim_http_schemas_microsoft_com_identity_claims_objectidentifier_g = columnifexists(\\\"identity_claim_http_schemas_microsoft_com_identity_claims_objectidentifier_g\\\", \\\"None\\\")\\n| extend id_s = columnifexists(\\\"id_s\\\", \\\"None\\\"), CallerIPAddress = columnifexists(\\\"CallerIPAddress\\\", \\\"None\\\"), clientInfo_s = columnifexists(\\\"clientInfo_s\\\", \\\"None\\\")\\n| where ResultType !~ \\\"None\\\" and isnotempty(ResultType)\\n| where identity_claim_http_schemas_microsoft_com_identity_claims_objectidentifier_g !~ \\\"None\\\" and isnotempty(identity_claim_http_schemas_microsoft_com_identity_claims_objectidentifier_g)\\n| where id_s !~ \\\"None\\\" and isnotempty(id_s)\\n| where CallerIPAddress !~ \\\"None\\\" and isnotempty(CallerIPAddress)\\n| where clientInfo_s !~ \\\"None\\\" and isnotempty(clientInfo_s)\\n| where requestUri_s !~ \\\"None\\\" and isnotempty(requestUri_s)\\n| where ResourceType =~ \\\"VAULTS\\\" and ResultType =~ \\\"Success\\\" \\n| where OperationName in~ (SensitiveOperationList) \\n| summarize EventCount=count(), StartTimeUtc=min(TimeGenerated), EndTimeUtc=max(TimeGenerated), TimeTriggered=makelist(TimeGenerated),OperationNameList=make_set(OperationName), RequestURLList=make_set(requestUri_s), CallerIPList = make_set(CallerIPAddress), CallerIPMax= arg_max(CallerIPAddress,*) by ResourceType, ResultType, Resource, id_s, identity_claim_http_schemas_microsoft_com_identity_claims_objectidentifier_g, clientInfo_s\\n| extend timestamp = StartTimeUtc, IPCustomEntity = CallerIPMax, AccountCustomEntity = identity_claim_http_schemas_microsoft_com_identity_claims_objectidentifier_g\",\r\n \"queryFrequency\": \"P1D\",\r\n \"queryPeriod\": \"P1D\",\r\n \"triggerOperator\": \"GreaterThan\",\r\n \"triggerThreshold\": 0,\r\n \"entityMappings\": [\r\n {\r\n \"entityType\": \"Account\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"FullName\",\r\n \"columnName\": \"AccountCustomEntity\"\r\n }\r\n ]\r\n },\r\n {\r\n \"entityType\": \"IP\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"Address\",\r\n \"columnName\": \"IPCustomEntity\"\r\n }\r\n ]\r\n }\r\n ],\r\n \"displayName\": \"Sensitive Azure Key Vault operations\",\r\n \"description\": \"Identifies when sensitive Azure Key Vault operations are used. This includes: VaultDelete, KeyDelete, KeyDecrypt, SecretDelete, SecretPurge, KeyPurge, SecretBackup, KeyBackup. \\nAny Backup operations should match with expected scheduled backup activity.\",\r\n \"tactics\": [\r\n \"Impact\"\r\n ],\r\n \"lastUpdatedDateUTC\": \"2020-11-17T00:00:00Z\",\r\n \"createdDateUTC\": \"2019-07-01T00:00:00Z\",\r\n \"status\": \"Available\",\r\n \"requiredDataConnectors\": [\r\n {\r\n \"connectorId\": \"WAF\",\r\n \"dataTypes\": [\r\n \"AzureDiagnostics\"\r\n ]\r\n }\r\n ],\r\n \"alertRulesCreatedByTemplateCount\": 0\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/AlertRuleTemplates/737a2ce1-70a3-4968-9e90-3e6aca836abf\",\r\n \"name\": \"737a2ce1-70a3-4968-9e90-3e6aca836abf\",\r\n \"type\": \"Microsoft.SecurityInsights/AlertRuleTemplates\",\r\n \"kind\": \"MLBehaviorAnalytics\",\r\n \"properties\": {\r\n \"severity\": \"Medium\",\r\n \"displayName\": \"(Preview) Anomalous RDP Login Detections\",\r\n \"description\": \"This detection uses machine learning (ML) to identify anomalous Remote Desktop Protocol (RDP) login activity, based on Windows Security Event data. Scenarios include:\\n\\n*\\tUnusual IP - This IP address has not or has rarely been seen in last 30 days.\\n*\\tUnusual Geo - The IP address, city, country and ASN have not (or rarely) been seen in last 30 days.\\n*\\tNew user - A new user logs in from an IP address and geo location, both or either of which are not expected to be seen in the last 30 days.\\n\\nAllow 7 days after this alert is enabled for Azure Sentinel to build a profile of normal activity for your environment.\\t\\n\\nThis detection requires a specific configuration of the data source. [Learn more](https://docs.microsoft.com/en-us/azure/sentinel/connect-windows-security-events)\",\r\n \"tactics\": [\r\n \"InitialAccess\"\r\n ],\r\n \"lastUpdatedDateUTC\": \"2020-07-16T00:00:00Z\",\r\n \"createdDateUTC\": \"2020-04-02T00:00:00Z\",\r\n \"status\": \"Available\",\r\n \"requiredDataConnectors\": [\r\n {\r\n \"connectorId\": \"SecurityEvents\",\r\n \"dataTypes\": [\r\n \"SecurityEvent\"\r\n ]\r\n }\r\n ],\r\n \"alertRulesCreatedByTemplateCount\": 0\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/AlertRuleTemplates/b8266f81-2715-41a6-9062-42486cbc9c73\",\r\n \"name\": \"b8266f81-2715-41a6-9062-42486cbc9c73\",\r\n \"type\": \"Microsoft.SecurityInsights/AlertRuleTemplates\",\r\n \"kind\": \"Scheduled\",\r\n \"properties\": {\r\n \"severity\": \"Medium\",\r\n \"query\": \"let timeframe = 1h;\\nlet threshold = 200;\\nInfobloxNIOS\\n| where TimeGenerated >= ago(timeframe)\\n| where ProcessName =~ \\\"named\\\" and Log_Type =~ \\\"client\\\"\\n| where isnotempty(ResponseCode)\\n| where ResponseCode =~ \\\"NXDOMAIN\\\"\\n| summarize count() by Client_IP, bin(TimeGenerated,15m)\\n| where count_ > threshold\\n| join kind=inner (InfobloxNIOS\\n | where TimeGenerated >= ago(timeframe)\\n | where ProcessName =~ \\\"named\\\" and Log_Type =~ \\\"client\\\"\\n | where isnotempty(ResponseCode)\\n | where ResponseCode =~ \\\"NXDOMAIN\\\"\\n ) on Client_IP\\n| extend timestamp = TimeGenerated, IPCustomEntity = Client_IP\",\r\n \"queryFrequency\": \"PT1H\",\r\n \"queryPeriod\": \"PT1H\",\r\n \"triggerOperator\": \"GreaterThan\",\r\n \"triggerThreshold\": 0,\r\n \"entityMappings\": [\r\n {\r\n \"entityType\": \"IP\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"Address\",\r\n \"columnName\": \"IPCustomEntity\"\r\n }\r\n ]\r\n }\r\n ],\r\n \"displayName\": \"Excessive NXDOMAIN DNS Queries\",\r\n \"description\": \"This creates an incident in the event a client generates excessive amounts of DNS queries for non-existent domains.\",\r\n \"tactics\": [\r\n \"CommandAndControl\"\r\n ],\r\n \"lastUpdatedDateUTC\": \"2020-11-17T00:00:00Z\",\r\n \"createdDateUTC\": \"2020-06-06T00:00:00Z\",\r\n \"status\": \"Available\",\r\n \"requiredDataConnectors\": [\r\n {\r\n \"connectorId\": \"InfobloxNIOS\",\r\n \"dataTypes\": [\r\n \"Syslog\"\r\n ]\r\n }\r\n ],\r\n \"alertRulesCreatedByTemplateCount\": 0\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/AlertRuleTemplates/48607a29-a26a-4abf-8078-a06dbdd174a4\",\r\n \"name\": \"48607a29-a26a-4abf-8078-a06dbdd174a4\",\r\n \"type\": \"Microsoft.SecurityInsights/AlertRuleTemplates\",\r\n \"kind\": \"Scheduled\",\r\n \"properties\": {\r\n \"severity\": \"Medium\",\r\n \"query\": \"let timeRange = 3d;\\nlet lookBack = 7d;\\nlet authenticationWindow = 20m;\\nlet authenticationThreshold = 5;\\nlet isGUID = \\\"[0-9a-z]{8}-[0-9a-z]{4}-[0-9a-z]{4}-[0-9a-z]{4}-[0-9a-z]{12}\\\";\\nlet failureCodes = dynamic([50053, 50126, 50055]); // invalid password, account is locked - too many sign ins, expired password\\nlet successCodes = dynamic([0, 50055, 50057, 50155, 50105, 50133, 50005, 50076, 50079, 50173, 50158, 50072, 50074, 53003, 53000, 53001, 50129]);\\n// Lookup up resolved identities from last 7 days\\nlet identityLookup = SigninLogs\\n| where TimeGenerated >= ago(lookBack)\\n| where not(Identity matches regex isGUID)\\n| where isnotempty(UserId)\\n| summarize by UserId, lu_UserDisplayName = UserDisplayName, lu_UserPrincipalName = UserPrincipalName;\\n// collect window threshold breaches\\nSigninLogs\\n| where TimeGenerated > ago(timeRange)\\n| where ResultType in(failureCodes)\\n| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated), make_set(ClientAppUsed), count() by bin(TimeGenerated, authenticationWindow), IPAddress, AppDisplayName, UserPrincipalName\\n| summarize FailedPrincipalCount = dcount(UserPrincipalName) by bin(TimeGenerated, authenticationWindow), IPAddress, AppDisplayName\\n| where FailedPrincipalCount >= authenticationThreshold\\n| summarize WindowThresholdBreaches = count() by IPAddress\\n| join kind= inner (\\n// where we breached a threshold, join the details back on all failure data\\n SigninLogs\\n| where TimeGenerated > ago(timeRange)\\n| where ResultType in(failureCodes)\\n| extend FullLocation = strcat(Location,'|', LocationDetails.state, '|', LocationDetails.city)\\n| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated), make_set(ClientAppUsed), make_set(FullLocation), FailureCount = count() by IPAddress, AppDisplayName, UserPrincipalName, UserDisplayName, Identity, UserId\\n// lookup any unresolved identities\\n| extend UnresolvedUserId = iff(Identity matches regex isGUID, UserId, \\\"\\\")\\n| join kind= leftouter (\\n identityLookup \\n) on $left.UnresolvedUserId==$right.UserId\\n| extend UserDisplayName=iff(isempty(lu_UserDisplayName), UserDisplayName, lu_UserDisplayName)\\n| extend UserPrincipalName=iff(isempty(lu_UserPrincipalName), UserPrincipalName, lu_UserPrincipalName)\\n| summarize StartTime = min(StartTime), EndTime = max(EndTime), make_set(UserPrincipalName), make_set(UserDisplayName), make_set(set_ClientAppUsed), make_set(set_FullLocation), make_list(FailureCount) by IPAddress, AppDisplayName\\n| extend FailedPrincipalCount = arraylength(set_UserPrincipalName)\\n) on IPAddress\\n| project IPAddress, StartTime, EndTime, TargetedApplication=AppDisplayName, FailedPrincipalCount, UserPrincipalNames=set_UserPrincipalName, UserDisplayNames=set_UserDisplayName, ClientAppsUsed=set_set_ClientAppUsed, Locations=set_set_FullLocation, FailureCountByPrincipal=list_FailureCount, WindowThresholdBreaches\\n| join kind= inner (\\nSigninLogs // get data on success vs. failure history for each IP\\n| where TimeGenerated > ago(timeRange)\\n| where ResultType in(successCodes) or ResultType in(failureCodes) // success or failure types\\n| summarize GlobalSuccessPrincipalCount = dcountif(UserPrincipalName, (ResultType in(successCodes))), ResultTypeSuccesses = make_set_if(ResultType, (ResultType in(successCodes))), GlobalFailPrincipalCount = dcountif(UserPrincipalName, (ResultType in(failureCodes))), ResultTypeFailures = make_set_if(ResultType, (ResultType in(failureCodes))) by IPAddress\\n| where GlobalFailPrincipalCount > GlobalSuccessPrincipalCount // where the number of failed principals is greater than success - eliminates FPs from IPs who authenticate successfully alot and as a side effect have alot of failures\\n) on IPAddress\\n| project-away IPAddress1\\n| extend timestamp=StartTime, IPCustomEntity = IPAddress\",\r\n \"queryFrequency\": \"P1D\",\r\n \"queryPeriod\": \"P1D\",\r\n \"triggerOperator\": \"GreaterThan\",\r\n \"triggerThreshold\": 0,\r\n \"entityMappings\": [\r\n {\r\n \"entityType\": \"IP\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"Address\",\r\n \"columnName\": \"IPCustomEntity\"\r\n }\r\n ]\r\n }\r\n ],\r\n \"displayName\": \"Password spray attack against Azure AD application\",\r\n \"description\": \"Identifies evidence of password spray activity against Azure AD applications by looking for failures from multiple accounts from the same\\nIP address within a time window. If the number of accounts breaches the threshold just once, all failures from the IP address within the time range\\nare bought into the result. Details on whether there were successful authentications by the IP address within the time window are also included.\\nThis can be an indicator that an attack was successful.\\nThe default failure acccount threshold is 5, Default time window for failures is 20m and default look back window is 3 days\\nNote: Due to the number of possible accounts involved in a password spray it is not possible to map identities to a custom entity.\\nReferences: https://docs.microsoft.com/azure/active-directory/reports-monitoring/reference-sign-ins-error-codes.\",\r\n \"tactics\": [\r\n \"CredentialAccess\"\r\n ],\r\n \"lastUpdatedDateUTC\": \"2020-11-17T00:00:00Z\",\r\n \"createdDateUTC\": \"2020-03-26T00:00:00Z\",\r\n \"status\": \"Available\",\r\n \"requiredDataConnectors\": [\r\n {\r\n \"connectorId\": \"AzureActiveDirectory\",\r\n \"dataTypes\": [\r\n \"SigninLogs\"\r\n ]\r\n }\r\n ],\r\n \"alertRulesCreatedByTemplateCount\": 0\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/AlertRuleTemplates/a3df4a32-4805-4c6d-8699-f3c888af2f67\",\r\n \"name\": \"a3df4a32-4805-4c6d-8699-f3c888af2f67\",\r\n \"type\": \"Microsoft.SecurityInsights/AlertRuleTemplates\",\r\n \"kind\": \"Scheduled\",\r\n \"properties\": {\r\n \"severity\": \"High\",\r\n \"query\": \"let TimeFrame = ago(1d);\\nlet Alert1 = \\nSecurityAlert\\n| where TimeGenerated > TimeFrame\\n| where AlertName == \\\"Unfamiliar sign-in properties\\\"\\n| extend UserPrincipalName = tostring(parse_json(ExtendedProperties).[\\\"User Account\\\"])\\n| extend Alert1Time = TimeGenerated\\n| extend Alert1 = AlertName\\n| extend Alert1Severity = AlertSeverity\\n;\\nlet Alert2 = \\nSecurityAlert\\n| where TimeGenerated > TimeFrame\\n| where AlertName == \\\"Atypical travel\\\"\\n| extend UserPrincipalName = tostring(parse_json(ExtendedProperties).[\\\"User Account\\\"])\\n| extend Alert2Time = TimeGenerated\\n| extend Alert2 = AlertName\\n| extend Alert2Severity = AlertSeverity\\n| extend CurrentLocation = strcat(tostring(parse_json(tostring(parse_json(Entities)[1].Location)).CountryCode), \\\"|\\\", tostring(parse_json(tostring(parse_json(Entities)[1].Location)).State), \\\"|\\\", tostring(parse_json(tostring(parse_json(Entities)[1].Location)).City))\\n| extend PreviousLocation = strcat(tostring(parse_json(tostring(parse_json(Entities)[2].Location)).CountryCode), \\\"|\\\", tostring(parse_json(tostring(parse_json(Entities)[2].Location)).State), \\\"|\\\", tostring(parse_json(tostring(parse_json(Entities)[2].Location)).City))\\n| extend CurrentIPAddress = tostring(parse_json(Entities)[1].Address)\\n| extend PreviousIPAddress = tostring(parse_json(Entities)[2].Address)\\n;\\nAlert1\\n| join kind=inner Alert2 on UserPrincipalName\\n| where abs(datetime_diff('minute', Alert1Time, Alert2Time)) <=10\\n| extend TimeDelta = Alert1Time - Alert2Time\\n| project UserPrincipalName, Alert1, Alert1Time, Alert1Severity, Alert2, Alert2Time, Alert2Severity, TimeDelta, CurrentLocation, PreviousLocation, CurrentIPAddress, PreviousIPAddress\\n| extend AccountCustomEntity = UserPrincipalName\\n| extend IPCustomEntity = CurrentIPAddress\",\r\n \"queryFrequency\": \"P1D\",\r\n \"queryPeriod\": \"P1D\",\r\n \"triggerOperator\": \"GreaterThan\",\r\n \"triggerThreshold\": 0,\r\n \"entityMappings\": [\r\n {\r\n \"entityType\": \"Account\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"FullName\",\r\n \"columnName\": \"AccountCustomEntity\"\r\n }\r\n ]\r\n },\r\n {\r\n \"entityType\": \"IP\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"Address\",\r\n \"columnName\": \"IPCustomEntity\"\r\n }\r\n ]\r\n }\r\n ],\r\n \"displayName\": \"Correlate Unfamiliar sign-in properties and atypical travel alerts\",\r\n \"description\": \"When a user has both an Unfamiliar sign-in properties alert and an Atypical travel alert within 20 minutes, the alert should be handled with a higher severity\",\r\n \"tactics\": [\r\n \"InitialAccess\"\r\n ],\r\n \"lastUpdatedDateUTC\": \"2020-11-17T00:00:00Z\",\r\n \"createdDateUTC\": \"2020-09-19T00:00:00Z\",\r\n \"status\": \"Available\",\r\n \"requiredDataConnectors\": [\r\n {\r\n \"connectorId\": \"AzureActiveDirectoryIdentityProtection\",\r\n \"dataTypes\": [\r\n \"SecurityAlert (IPC)\"\r\n ]\r\n }\r\n ],\r\n \"alertRulesCreatedByTemplateCount\": 0\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/AlertRuleTemplates/f8dad4e9-3f19-4d70-ab7f-8f19ccd43a3e\",\r\n \"name\": \"f8dad4e9-3f19-4d70-ab7f-8f19ccd43a3e\",\r\n \"type\": \"Microsoft.SecurityInsights/AlertRuleTemplates\",\r\n \"kind\": \"Scheduled\",\r\n \"properties\": {\r\n \"severity\": \"Medium\",\r\n \"query\": \"let timeframe = ago(1h);\\nlet threshold = 1;\\nAzureDiagnostics\\n | where TimeGenerated >= timeframe\\n | where OperationName in (\\\"AzureFirewallApplicationRuleLog\\\",\\\"AzureFirewallNetworkRuleLog\\\")\\n | extend msg_s_replaced0 = replace(@\\\"\\\\s\\\\s\\\",@\\\" \\\",msg_s)\\n | extend msg_s_replaced1 = replace(@\\\"\\\\.\\\\s\\\",@\\\" \\\",msg_s_replaced0)\\n | extend msg_a = split(msg_s_replaced1,\\\" \\\")\\n | extend srcAddr_a = split(msg_a[3],\\\":\\\") , destAddr_a = split(msg_a[5],\\\":\\\")\\n | extend protocol = tostring(msg_a[0]), srcIp = tostring(srcAddr_a[0]), srcPort = tostring(srcAddr_a[1]), destIp = tostring(destAddr_a[0]), destPort = tostring(destAddr_a[1]), action = tostring(msg_a[7])\\n | where action == \\\"Deny\\\"\\n | extend url = iff(destIp matches regex \\\"\\\\\\\\d+\\\\\\\\.\\\\\\\\d+\\\\\\\\.\\\\\\\\d+\\\\\\\\.\\\\\\\\d+\\\",\\\"\\\",destIp)\\n | summarize StartTime = min(TimeGenerated), count() by srcIp, destIp, url, action, protocol\\n | where count_ >= [\\\"threshold\\\"]\\n | extend timestamp = StartTime, URLCustomEntity = url, IPCustomEntity = srcIp\",\r\n \"queryFrequency\": \"PT1H\",\r\n \"queryPeriod\": \"PT1H\",\r\n \"triggerOperator\": \"GreaterThan\",\r\n \"triggerThreshold\": 1,\r\n \"entityMappings\": [\r\n {\r\n \"entityType\": \"IP\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"Address\",\r\n \"columnName\": \"IPCustomEntity\"\r\n }\r\n ]\r\n },\r\n {\r\n \"entityType\": \"URL\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"Url\",\r\n \"columnName\": \"URLCustomEntity\"\r\n }\r\n ]\r\n }\r\n ],\r\n \"displayName\": \"Several deny actions registered\",\r\n \"description\": \"Identifies attack pattern when attacker tries to move, or scan, from resource to resource on the network and creates an incident when a source has more than 1 registered deny action in Azure Firewall.\",\r\n \"tactics\": [\r\n \"Discovery\",\r\n \"LateralMovement\",\r\n \"CommandAndControl\"\r\n ],\r\n \"lastUpdatedDateUTC\": \"2020-11-17T00:00:00Z\",\r\n \"createdDateUTC\": \"2020-10-19T00:00:00Z\",\r\n \"status\": \"Available\",\r\n \"requiredDataConnectors\": [\r\n {\r\n \"connectorId\": \"AzureFirewall\",\r\n \"dataTypes\": [\r\n \"AzureDiagnostics\"\r\n ]\r\n }\r\n ],\r\n \"alertRulesCreatedByTemplateCount\": 0\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/AlertRuleTemplates/d25b1998-a592-4bc5-8a3a-92b39eedb1bc\",\r\n \"name\": \"d25b1998-a592-4bc5-8a3a-92b39eedb1bc\",\r\n \"type\": \"Microsoft.SecurityInsights/AlertRuleTemplates\",\r\n \"kind\": \"Scheduled\",\r\n \"properties\": {\r\n \"severity\": \"Low\",\r\n \"query\": \"let timeframe = 1d;\\nAWSCloudTrail\\n| where TimeGenerated > ago(timeframe)\\n| where EventName =~ \\\"ConsoleLogin\\\" \\n| extend MFAUsed = tostring(parse_json(AdditionalEventData).MFAUsed), LoginResult = tostring(parse_json(ResponseElements).ConsoleLogin)\\n| where MFAUsed !~ \\\"Yes\\\" and LoginResult !~ \\\"Failure\\\"\\n| summarize StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated) by EventName, EventTypeName, LoginResult, MFAUsed, UserIdentityAccountId, UserIdentityPrincipalid, UserAgent, \\nUserIdentityUserName, SessionMfaAuthenticated, SourceIpAddress, AWSRegion\\n| extend timestamp = StartTimeUtc, AccountCustomEntity = UserIdentityUserName, IPCustomEntity = SourceIpAddress\",\r\n \"queryFrequency\": \"P1D\",\r\n \"queryPeriod\": \"P1D\",\r\n \"triggerOperator\": \"GreaterThan\",\r\n \"triggerThreshold\": 0,\r\n \"entityMappings\": [\r\n {\r\n \"entityType\": \"Account\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"FullName\",\r\n \"columnName\": \"AccountCustomEntity\"\r\n }\r\n ]\r\n },\r\n {\r\n \"entityType\": \"IP\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"Address\",\r\n \"columnName\": \"IPCustomEntity\"\r\n }\r\n ]\r\n }\r\n ],\r\n \"displayName\": \"Login to AWS Management Console without MFA\",\r\n \"description\": \"Multi-Factor Authentication (MFA) helps you to prevent credential compromise. This alert identifies logins to the AWS Management Console without MFA.\\nYou can limit this detection to trigger for adminsitrative accounts if you do not have MFA enabled on all accounts.\\nThis is done by looking at the eventName ConsoleLogin and if the AdditionalEventData field indicates MFA was NOT used \\nand the ResponseElements field indicates NOT a Failure. Thereby indicating that a non-MFA login was successful.\",\r\n \"tactics\": [\r\n \"DefenseEvasion\",\r\n \"PrivilegeEscalation\",\r\n \"Persistence\",\r\n \"InitialAccess\"\r\n ],\r\n \"lastUpdatedDateUTC\": \"2020-11-17T00:00:00Z\",\r\n \"createdDateUTC\": \"2019-02-27T00:00:00Z\",\r\n \"status\": \"Available\",\r\n \"requiredDataConnectors\": [\r\n {\r\n \"connectorId\": \"AWS\",\r\n \"dataTypes\": [\r\n \"AWSCloudTrail\"\r\n ]\r\n }\r\n ],\r\n \"alertRulesCreatedByTemplateCount\": 0\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/AlertRuleTemplates/6c360107-f3ee-4b91-9f43-f4cfd90441cf\",\r\n \"name\": \"6c360107-f3ee-4b91-9f43-f4cfd90441cf\",\r\n \"type\": \"Microsoft.SecurityInsights/AlertRuleTemplates\",\r\n \"kind\": \"Scheduled\",\r\n \"properties\": {\r\n \"severity\": \"Low\",\r\n \"query\": \"let timeframe = 1d;\\nSecurityEvent\\n| where TimeGenerated >= ago(timeframe) \\n| where EventID == 4738\\n// 2089 value indicates the Don't Expire Password value has been set\\n| where UserAccountControl has \\\"%%2089\\\" \\n| extend Value_2089 = iff(UserAccountControl has \\\"%%2089\\\",\\\"'Don't Expire Password' - Disabled\\\", \\\"Not Changed\\\")\\n// 2050 indicates that the Password Not Required value is NOT set, this often shows up at the same time as a 2089 and is the recommended value. This value may not be in the event. \\n| extend Value_2050 = iff(UserAccountControl has \\\"%%2050\\\",\\\"'Password Not Required' - Disabled\\\", \\\"Not Changed\\\")\\n// If value %%2082 is present in the 4738 event, this indicates the account has been configured to logon WITHOUT a password. Generally you should only see this value when an account is created and only in Event 4720: Account Creation Event. \\n| extend Value_2082 = iff(UserAccountControl has \\\"%%2082\\\",\\\"'Password Not Required' - Enabled\\\", \\\"Not Changed\\\")\\n| project StartTimeUtc = TimeGenerated, EventID, Computer, TargetUserName, TargetDomainName, AccountType, UserAccountControl, Value_2089, Value_2050, Value_2082\\n| extend timestamp = StartTimeUtc, AccountCustomEntity = TargetUserName, HostCustomEntity = Computer\",\r\n \"queryFrequency\": \"P1D\",\r\n \"queryPeriod\": \"P1D\",\r\n \"triggerOperator\": \"GreaterThan\",\r\n \"triggerThreshold\": 0,\r\n \"entityMappings\": [\r\n {\r\n \"entityType\": \"Account\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"FullName\",\r\n \"columnName\": \"AccountCustomEntity\"\r\n }\r\n ]\r\n },\r\n {\r\n \"entityType\": \"Host\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"FullName\",\r\n \"columnName\": \"HostCustomEntity\"\r\n }\r\n ]\r\n }\r\n ],\r\n \"displayName\": \"AD account with don't expire password - disabled\",\r\n \"description\": \"Identifies whenever a user account has the setting \\\"Password Never Expires\\\" in the user account properties selected.\\nThis is indicated in Security event 4738 in the EventData item labeled UserAccountControl with an included value of %%2089 \\n%%2089 resolves to \\\"Don't Expire Password - Disabled\\\".\",\r\n \"tactics\": [\r\n \"Persistence\"\r\n ],\r\n \"lastUpdatedDateUTC\": \"2020-11-17T00:00:00Z\",\r\n \"createdDateUTC\": \"2019-01-28T00:00:00Z\",\r\n \"status\": \"Available\",\r\n \"requiredDataConnectors\": [\r\n {\r\n \"connectorId\": \"SecurityEvents\",\r\n \"dataTypes\": [\r\n \"SecurityEvent\"\r\n ]\r\n }\r\n ],\r\n \"alertRulesCreatedByTemplateCount\": 0\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/AlertRuleTemplates/7efc75ce-e2a4-400f-a8b1-283d3b0f2c60\",\r\n \"name\": \"7efc75ce-e2a4-400f-a8b1-283d3b0f2c60\",\r\n \"type\": \"Microsoft.SecurityInsights/AlertRuleTemplates\",\r\n \"kind\": \"Scheduled\",\r\n \"properties\": {\r\n \"severity\": \"Low\",\r\n \"query\": \"let timeframe = 1d;\\nlet WellKnownLocalSID = \\\"S-1-5-32-5[0-9][0-9]$\\\";\\nlet WellKnownGroupSID = \\\"S-1-5-21-[0-9]*-[0-9]*-[0-9]*-5[0-9][0-9]$|S-1-5-21-[0-9]*-[0-9]*-[0-9]*-1102$|S-1-5-21-[0-9]*-[0-9]*-[0-9]*-1103$|S-1-5-21-[0-9]*-[0-9]*-[0-9]*-498$|S-1-5-21-[0-9]*-[0-9]*-[0-9]*-1000$\\\";\\nlet AC_Add = \\nSecurityEvent\\n| where TimeGenerated >= ago(timeframe)\\n// Event ID related to member addition.\\n| where EventID in (4728, 4732,4756) \\n| where TargetSid matches regex WellKnownLocalSID or TargetSid matches regex WellKnownGroupSID \\n| parse EventData with * '\\\"MemberName\\\">' AccountAdded \\\",OU\\\" * \\n| where isnotempty(AccountAdded)\\n| extend GroupAddedTo = TargetUserName, AddingAccount = Account \\n| extend AccountAdded_GroupAddedTo_AddingAccount = strcat(AccountAdded, \\\"||\\\", GroupAddedTo, \\\"||\\\", AddingAccount )\\n| project AccountAdded_GroupAddedTo_AddingAccount, AccountAddedTime = TimeGenerated;\\nlet AC_Remove = \\nSecurityEvent\\n| where TimeGenerated >= ago(timeframe)\\n// Event IDs related to member removal.\\n| where EventID in (4729,4733,4757)\\n| where TargetSid matches regex WellKnownLocalSID or TargetSid matches regex WellKnownGroupSID \\n| parse EventData with * '\\\"MemberName\\\">' AccountRemoved \\\",OU\\\" * \\n| where isnotempty(AccountRemoved)\\n| extend GroupRemovedFrom = TargetUserName, RemovingAccount = Account\\n| extend AccountRemoved_GroupRemovedFrom_RemovingAccount = strcat(AccountRemoved, \\\"||\\\", GroupRemovedFrom, \\\"||\\\", RemovingAccount)\\n| project AccountRemoved_GroupRemovedFrom_RemovingAccount, AccountRemovedTime = TimeGenerated, Computer, RemovedAccountId = tolower(AccountRemoved), \\nRemovedByUser = SubjectUserName, RemovedByUserLogonId = SubjectLogonId, GroupRemovedFrom = TargetUserName, TargetDomainName; \\nAC_Add \\n| join kind= inner AC_Remove on $left.AccountAdded_GroupAddedTo_AddingAccount == $right.AccountRemoved_GroupRemovedFrom_RemovingAccount \\n| extend DurationinSecondAfter_Removed = datetime_diff ('second', AccountRemovedTime, AccountAddedTime)\\n| where DurationinSecondAfter_Removed > 0\\n| project-away AccountRemoved_GroupRemovedFrom_RemovingAccount\\n| extend timestamp = AccountAddedTime, AccountCustomEntity = RemovedAccountId, HostCustomEntity = Computer\",\r\n \"queryFrequency\": \"P1D\",\r\n \"queryPeriod\": \"P1D\",\r\n \"triggerOperator\": \"GreaterThan\",\r\n \"triggerThreshold\": 0,\r\n \"entityMappings\": [\r\n {\r\n \"entityType\": \"Account\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"FullName\",\r\n \"columnName\": \"AccountCustomEntity\"\r\n }\r\n ]\r\n },\r\n {\r\n \"entityType\": \"Host\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"FullName\",\r\n \"columnName\": \"HostCustomEntity\"\r\n }\r\n ]\r\n }\r\n ],\r\n \"displayName\": \"Account added and removed from privileged groups\",\r\n \"description\": \"Identifies accounts that are added to privileged group and then quickly removed, which could be a sign of compromise.' \",\r\n \"tactics\": [\r\n \"Persistence\",\r\n \"PrivilegeEscalation\"\r\n ],\r\n \"lastUpdatedDateUTC\": \"2020-11-17T00:00:00Z\",\r\n \"createdDateUTC\": \"2019-04-03T00:00:00Z\",\r\n \"status\": \"Available\",\r\n \"requiredDataConnectors\": [\r\n {\r\n \"connectorId\": \"SecurityEvents\",\r\n \"dataTypes\": [\r\n \"SecurityEvent\"\r\n ]\r\n }\r\n ],\r\n \"alertRulesCreatedByTemplateCount\": 0\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/AlertRuleTemplates/2ca4e7fc-c61a-49e5-9736-5da8035c47e0\",\r\n \"name\": \"2ca4e7fc-c61a-49e5-9736-5da8035c47e0\",\r\n \"type\": \"Microsoft.SecurityInsights/AlertRuleTemplates\",\r\n \"kind\": \"Scheduled\",\r\n \"properties\": {\r\n \"severity\": \"Medium\",\r\n \"query\": \"let timeframe = ago(1h);\\nlet threshold = 8;\\nCarbonBlackNotifications_CL\\n| where TimeGenerated > timeframe\\n| where threatHunterInfo_score_d >= threshold\\n| extend eventTime = datetime(1970-01-01) + tolong(threatHunterInfo_time_d/1000) * 1sec\\n| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated), count() by eventTime, Threat_Name = threatHunterInfo_reportName_s, Device_Name = deviceInfo_deviceName_s, Internal_IP = deviceInfo_internalIpAddress_s, External_IP = deviceInfo_externalIpAddress_s, Threat_Score = threatHunterInfo_score_d\\n| project-away count_\\n| extend timestamp = StartTime, HostCustomEntity = Device_Name, IPCustomEntity = Internal_IP\",\r\n \"queryFrequency\": \"PT1H\",\r\n \"queryPeriod\": \"PT1H\",\r\n \"triggerOperator\": \"GreaterThan\",\r\n \"triggerThreshold\": 0,\r\n \"entityMappings\": [\r\n {\r\n \"entityType\": \"Host\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"FullName\",\r\n \"columnName\": \"HostCustomEntity\"\r\n }\r\n ]\r\n },\r\n {\r\n \"entityType\": \"IP\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"Address\",\r\n \"columnName\": \"IPCustomEntity\"\r\n }\r\n ]\r\n }\r\n ],\r\n \"displayName\": \"Critical Threat Detected\",\r\n \"description\": \"This creates an incident in the event a critical threat was identified on a Carbon Black managed endpoint.\",\r\n \"tactics\": [\r\n \"LateralMovement\"\r\n ],\r\n \"lastUpdatedDateUTC\": \"2020-11-17T00:00:00Z\",\r\n \"createdDateUTC\": \"2020-06-20T00:00:00Z\",\r\n \"status\": \"Available\",\r\n \"requiredDataConnectors\": [\r\n {\r\n \"connectorId\": \"VMwareCarbonBlack\",\r\n \"dataTypes\": [\r\n \"CarbonBlackNotifications_CL\"\r\n ]\r\n }\r\n ],\r\n \"alertRulesCreatedByTemplateCount\": 0\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/AlertRuleTemplates/26a3b261-b997-4374-94ea-6c37f67f4f39\",\r\n \"name\": \"26a3b261-b997-4374-94ea-6c37f67f4f39\",\r\n \"type\": \"Microsoft.SecurityInsights/AlertRuleTemplates\",\r\n \"kind\": \"Scheduled\",\r\n \"properties\": {\r\n \"severity\": \"High\",\r\n \"query\": \"let timeframe = 1d;\\nlet DomainNames = dynamic([\\\"asyspy256.ddns.net\\\",\\\"hotkillmail9sddcc.ddns.net\\\",\\\"rosaf112.ddns.net\\\",\\\"cvdfhjh1231.myftp.biz\\\",\\\"sz2016rose.ddns.net\\\",\\\"dffwescwer4325.myftp.biz\\\",\\\"cvdfhjh1231.ddns.net\\\"]);\\nlet SHA1Hash = dynamic ([\\\"53a44c2396d15c3a03723fa5e5db54cafd527635\\\", \\\"9c5e496921e3bc882dc40694f1dcc3746a75db19\\\", \\\"aeb573accfd95758550cf30bf04f389a92922844\\\", \\\"79ef78a797403a4ed1a616c68e07fff868a8650a\\\", \\\"4f6f38b4cec35e895d91c052b1f5a83d665c2196\\\", \\\"1e8c2cac2e4ce7cbd33c3858eb2e24531cb8a84d\\\", \\\"e841a63e47361a572db9a7334af459ddca11347a\\\", \\\"c28f606df28a9bc8df75a4d5e5837fc5522dd34d\\\", \\\"2e94b305d6812a9f96e6781c888e48c7fb157b6b\\\", \\\"dd44133716b8a241957b912fa6a02efde3ce3025\\\", \\\"8793bf166cb89eb55f0593404e4e933ab605e803\\\", \\\"a39b57032dbb2335499a51e13470a7cd5d86b138\\\", \\\"41cc2b15c662bc001c0eb92f6cc222934f0beeea\\\", \\\"d209430d6af54792371174e70e27dd11d3def7a7\\\", \\\"1c6452026c56efd2c94cea7e0f671eb55515edb0\\\", \\\"c6b41d3afdcdcaf9f442bbe772f5da871801fd5a\\\", \\\"4923d460e22fbbf165bbbaba168e5a46b8157d9f\\\", \\\"f201504bd96e81d0d350c3a8332593ee1c9e09de\\\", \\\"ddd2db1127632a2a52943a2fe516a2e7d05d70d2\\\"]);\\nlet SHA256Hash = dynamic ([\\\"9ae7c4a4e1cfe9b505c3a47e66551eb1357affee65bfefb0109d02f4e97c06dd\\\", \\\"7772d624e1aed327abcd24ce2068063da0e31bb1d5d3bf2841fc977e198c6c5b\\\", \\\"657fc7e6447e0065d488a7db2caab13071e44741875044f9024ca843fe4e86b5\\\", \\\"2ef157a97e28574356e1d871abf75deca7d7a1ea662f38b577a06dd039dbae29\\\", \\\"52fd7b90d7144ac448af4008be639d4d45c252e51823f4311011af3207a5fc77\\\", \\\"a370e47cb97b35f1ae6590d14ada7561d22b4a73be0cb6df7e851d85054b1ac3\\\", \\\"5bf80b871278a29f356bd42af1e35428aead20cd90b0c7642247afcaaa95b022\\\", \\\"6f690ccfd54c2b02f0c3cb89c938162c10cbeee693286e809579c540b07ed883\\\", \\\"3c884f776fbd16597c072afd81029e8764dd57ee79d798829ca111f5e170bd8e\\\", \\\"1922a419f57afb351b58330ed456143cc8de8b3ebcbd236d26a219b03b3464d7\\\", \\\"fe0e4ef832b62d49b43433e10c47dc51072959af93963c790892efc20ec422f1\\\", \\\"7ce9e1c5562c8a5c93878629a47fe6071a35d604ed57a8f918f3eadf82c11a9c\\\", \\\"178d5ee8c04401d332af331087a80fb4e5e2937edfba7266f9be34a5029b6945\\\", \\\"51f70956fa8c487784fd21ab795f6ba2199b5c2d346acdeef1de0318a4c729d9\\\", \\\"889bca95f1a69e94aaade1e959ed0d3620531dc0fc563be9a8decf41899b4d79\\\", \\\"332ddaa00e2eb862742cb8d7e24ce52a5d38ffb22f6c8bd51162bd35e84d7ddf\\\", \\\"44bcf82fa536318622798504e8369e9dcdb32686b95fcb44579f0b4efa79df08\\\", \\\"63552772fdd8c947712a2cff00dfe25c7a34133716784b6d486227384f8cf3ef\\\", \\\"056744a3c371b5938d63c396fe094afce8fb153796a65afa5103e1bffd7ca070\\\"]);\\nlet SigNames = dynamic([\\\"TrojanDropper:Win32/BlackMould.A!dha\\\", \\\"Trojan:Win32/BlackMould.B!dha\\\", \\\"Trojan:Win32/QuarkBandit.A!dha\\\", \\\"Trojan:Win32/Sidelod.A!dha\\\"]);\\n(union isfuzzy=true\\n(CommonSecurityLog \\n| where TimeGenerated >= ago(timeframe) \\n| parse Message with * '(' DNSName ')' * \\n| where isnotempty(FileHash)\\n| where FileHash in (SHA256Hash) or DNSName in~ (DomainNames)\\n| extend Account = SourceUserID, Computer = DeviceName, IPAddress = SourceIP\\n),\\n(DnsEvents \\n| where TimeGenerated >= ago(timeframe) \\n| extend DNSName = Name\\n| where isnotempty(DNSName)\\n| where DNSName in~ (DomainNames)\\n| extend IPAddress = ClientIP\\n),\\n(VMConnection \\n| where TimeGenerated >= ago(timeframe) \\n| parse RemoteDnsCanonicalNames with * '[\\\"' DNSName '\\\"]' *\\n| where isnotempty(DNSName)\\n| where DNSName in~ (DomainNames)\\n| extend IPAddress = RemoteIp\\n),\\n(Event\\n//This query uses sysmon data depending on table name used this may need updataing\\n| where TimeGenerated >= ago(3d)\\n| where Source == \\\"Microsoft-Windows-Sysmon\\\"\\n| extend EvData = parse_xml(EventData)\\n| extend EventDetail = EvData.DataItem.EventData.Data\\n| extend Hashes = EventDetail.[16].[\\\"#text\\\"]\\n| parse Hashes with * 'SHA1=' SHA1 ',' * \\n| where isnotempty(Hashes)\\n| where Hashes in (SHA1Hash) \\n| extend Account = UserName\\n),\\n(SecurityAlert\\n| where TimeGenerated >= ago(timeframe)\\n| where Entities has_any (SigNames)\\n| extend Computer = tostring(parse_json(Entities)[0].HostName) \\n)\\n)\\n| extend timestamp = TimeGenerated, AccountCustomEntity = Account, HostCustomEntity = Computer, IPCustomEntity = IPAddress\",\r\n \"queryFrequency\": \"P1D\",\r\n \"queryPeriod\": \"P1D\",\r\n \"triggerOperator\": \"GreaterThan\",\r\n \"triggerThreshold\": 0,\r\n \"entityMappings\": [\r\n {\r\n \"entityType\": \"Account\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"FullName\",\r\n \"columnName\": \"AccountCustomEntity\"\r\n }\r\n ]\r\n },\r\n {\r\n \"entityType\": \"Host\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"FullName\",\r\n \"columnName\": \"HostCustomEntity\"\r\n }\r\n ]\r\n },\r\n {\r\n \"entityType\": \"IP\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"Address\",\r\n \"columnName\": \"IPCustomEntity\"\r\n }\r\n ]\r\n }\r\n ],\r\n \"displayName\": \"Known GALLIUM domains and hashes\",\r\n \"description\": \"GALLIUM command and control domains and hash values for tools and malware used by GALLIUM. \\n Matches domain name IOCs related to the GALLIUM activity group with CommonSecurityLog, DnsEvents, VMConnection and SecurityEvents dataTypes.\\n References: https://www.microsoft.com/security/blog/2019/12/12/gallium-targeting-global-telecom/ \",\r\n \"tactics\": [\r\n \"CommandAndControl\",\r\n \"CredentialAccess\"\r\n ],\r\n \"lastUpdatedDateUTC\": \"2020-11-17T00:00:00Z\",\r\n \"createdDateUTC\": \"2019-12-06T00:00:00Z\",\r\n \"status\": \"Available\",\r\n \"requiredDataConnectors\": [\r\n {\r\n \"connectorId\": \"DNS\",\r\n \"dataTypes\": [\r\n \"DnsEvents\"\r\n ]\r\n },\r\n {\r\n \"connectorId\": \"AzureMonitor(VMInsights)\",\r\n \"dataTypes\": [\r\n \"VMConnection\"\r\n ]\r\n },\r\n {\r\n \"connectorId\": \"CiscoASA\",\r\n \"dataTypes\": [\r\n \"CommonSecurityLog\"\r\n ]\r\n },\r\n {\r\n \"connectorId\": \"PaloAltoNetworks\",\r\n \"dataTypes\": [\r\n \"CommonSecurityLog\"\r\n ]\r\n },\r\n {\r\n \"connectorId\": \"SecurityEvents\",\r\n \"dataTypes\": [\r\n \"SecurityEvent\"\r\n ]\r\n }\r\n ],\r\n \"alertRulesCreatedByTemplateCount\": 0\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/AlertRuleTemplates/15ae38a2-2e29-48f7-883f-863fb25a5a06\",\r\n \"name\": \"15ae38a2-2e29-48f7-883f-863fb25a5a06\",\r\n \"type\": \"Microsoft.SecurityInsights/AlertRuleTemplates\",\r\n \"kind\": \"Scheduled\",\r\n \"properties\": {\r\n \"severity\": \"Medium\",\r\n \"query\": \"let starttime = 8d;\\nlet endtime = 1d;\\nlet threshold = 10;\\nDnsEvents \\n| where TimeGenerated > ago(endtime)\\n| where Name contains \\\"in-addr.arpa\\\" \\n| summarize StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated), dcount(Name) by ClientIP\\n| where dcount_Name > threshold\\n| project StartTimeUtc, EndTimeUtc, ClientIP , dcount_Name \\n| join kind=leftanti (DnsEvents \\n | where TimeGenerated between(ago(starttime)..ago(endtime))\\n | where Name contains \\\"in-addr.arpa\\\" \\n | summarize dcount(Name) by ClientIP, bin(TimeGenerated, 1d)\\n | where dcount_Name > threshold\\n | project ClientIP , dcount_Name \\n) on ClientIP\\n| extend timestamp = StartTimeUtc, IPCustomEntity = ClientIP\",\r\n \"queryFrequency\": \"P1D\",\r\n \"queryPeriod\": \"P8D\",\r\n \"triggerOperator\": \"GreaterThan\",\r\n \"triggerThreshold\": 0,\r\n \"entityMappings\": [\r\n {\r\n \"entityType\": \"IP\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"Address\",\r\n \"columnName\": \"IPCustomEntity\"\r\n }\r\n ]\r\n }\r\n ],\r\n \"displayName\": \"Rare client observed with high reverse DNS lookup count\",\r\n \"description\": \"Identifies clients with a high reverse DNS counts which could be carrying out reconnaissance or discovery activity.\\nAlert is generated if the IP performing such reverse DNS lookups was not seen doing so in the preceding 7-day period.\",\r\n \"tactics\": [\r\n \"Discovery\"\r\n ],\r\n \"lastUpdatedDateUTC\": \"2020-11-17T00:00:00Z\",\r\n \"createdDateUTC\": \"2019-02-07T00:00:00Z\",\r\n \"status\": \"Available\",\r\n \"requiredDataConnectors\": [\r\n {\r\n \"connectorId\": \"DNS\",\r\n \"dataTypes\": [\r\n \"DnsEvents\"\r\n ]\r\n }\r\n ],\r\n \"alertRulesCreatedByTemplateCount\": 0\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/AlertRuleTemplates/b2c15736-b9eb-4dae-8b02-3016b6a45a32\",\r\n \"name\": \"b2c15736-b9eb-4dae-8b02-3016b6a45a32\",\r\n \"type\": \"Microsoft.SecurityInsights/AlertRuleTemplates\",\r\n \"kind\": \"Scheduled\",\r\n \"properties\": {\r\n \"severity\": \"Medium\",\r\n \"query\": \"let starttime = 14d;\\nlet endtime = 1d;\\n// The number of operations below which an IP address is considered an unusual source of role assignment operations\\nlet alertOperationThreshold = 5;\\nlet createRoleAssignmentActivity = AzureActivity\\n| where OperationName == \\\"Create role assignment\\\";\\ncreateRoleAssignmentActivity \\n| where TimeGenerated between (ago(starttime) .. ago(endtime))\\n| summarize count() by CallerIpAddress, Caller\\n| where count_ >= alertOperationThreshold\\n| join kind = rightanti ( \\ncreateRoleAssignmentActivity\\n| where TimeGenerated > ago(endtime)\\n| summarize StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated), ActivityTimeStamp = makelist(TimeGenerated), ActivityStatus = makelist(ActivityStatus), \\nOperationIds = makelist(OperationId), CorrelationId = makelist(CorrelationId), ActivityCountByCallerIPAddress = count() \\nby ResourceId, CallerIpAddress, Caller, OperationName, Resource, ResourceGroup\\n) on CallerIpAddress, Caller\\n| extend timestamp = StartTimeUtc, AccountCustomEntity = Caller, IPCustomEntity = CallerIpAddress\",\r\n \"queryFrequency\": \"P1D\",\r\n \"queryPeriod\": \"P14D\",\r\n \"triggerOperator\": \"GreaterThan\",\r\n \"triggerThreshold\": 0,\r\n \"entityMappings\": [\r\n {\r\n \"entityType\": \"Account\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"FullName\",\r\n \"columnName\": \"AccountCustomEntity\"\r\n }\r\n ]\r\n },\r\n {\r\n \"entityType\": \"IP\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"Address\",\r\n \"columnName\": \"IPCustomEntity\"\r\n }\r\n ]\r\n }\r\n ],\r\n \"displayName\": \"Suspicious granting of permissions to an account\",\r\n \"description\": \"Identifies IPs from which users grant access to other users on azure resources and alerts when a previously unseen source IP address is used.\",\r\n \"tactics\": [\r\n \"Persistence\",\r\n \"PrivilegeEscalation\"\r\n ],\r\n \"lastUpdatedDateUTC\": \"2020-11-17T00:00:00Z\",\r\n \"createdDateUTC\": \"2019-02-05T00:00:00Z\",\r\n \"status\": \"Available\",\r\n \"requiredDataConnectors\": [\r\n {\r\n \"connectorId\": \"AzureActivity\",\r\n \"dataTypes\": [\r\n \"AzureActivity\"\r\n ]\r\n }\r\n ],\r\n \"alertRulesCreatedByTemplateCount\": 0\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/AlertRuleTemplates/194dd92e-d6e7-4249-85a5-273350a7f5ce\",\r\n \"name\": \"194dd92e-d6e7-4249-85a5-273350a7f5ce\",\r\n \"type\": \"Microsoft.SecurityInsights/AlertRuleTemplates\",\r\n \"kind\": \"Scheduled\",\r\n \"properties\": {\r\n \"severity\": \"Medium\",\r\n \"query\": \"let timeframe = 1d;\\nOfficeActivity\\n| where TimeGenerated >= ago(timeframe)\\n| where UserType in~ (\\\"Admin\\\",\\\"DcAdmin\\\") \\n// Only admin or global-admin can disable audit logging\\n| where Operation =~ \\\"Set-AdminAuditLogConfig\\\" \\n| extend AdminAuditLogEnabledValue = tostring(parse_json(tostring(parse_json(tostring(array_slice(parse_json(Parameters),3,3)))[0])).Value)\\n| where AdminAuditLogEnabledValue =~ \\\"False\\\" \\n| summarize StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated), OperationCount = count() by Operation, UserType, UserId, ClientIP, ResultStatus, Parameters, AdminAuditLogEnabledValue\\n| extend timestamp = StartTimeUtc, AccountCustomEntity = UserId, IPCustomEntity = ClientIP\",\r\n \"queryFrequency\": \"P1D\",\r\n \"queryPeriod\": \"P1D\",\r\n \"triggerOperator\": \"GreaterThan\",\r\n \"triggerThreshold\": 0,\r\n \"entityMappings\": [\r\n {\r\n \"entityType\": \"Account\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"FullName\",\r\n \"columnName\": \"AccountCustomEntity\"\r\n }\r\n ]\r\n },\r\n {\r\n \"entityType\": \"IP\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"Address\",\r\n \"columnName\": \"IPCustomEntity\"\r\n }\r\n ]\r\n }\r\n ],\r\n \"displayName\": \"Exchange AuditLog disabled\",\r\n \"description\": \"Identifies when the exchange audit logging has been disabled which may be an adversary attempt\\nto evade detection or avoid other defenses.\",\r\n \"tactics\": [\r\n \"DefenseEvasion\"\r\n ],\r\n \"lastUpdatedDateUTC\": \"2020-11-17T00:00:00Z\",\r\n \"createdDateUTC\": \"2019-04-15T00:00:00Z\",\r\n \"status\": \"Available\",\r\n \"requiredDataConnectors\": [\r\n {\r\n \"connectorId\": \"Office365\",\r\n \"dataTypes\": [\r\n \"OfficeActivity\"\r\n ]\r\n }\r\n ],\r\n \"alertRulesCreatedByTemplateCount\": 0\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/AlertRuleTemplates/ba144bf8-75b8-406f-9420-ed74397f9479\",\r\n \"name\": \"ba144bf8-75b8-406f-9420-ed74397f9479\",\r\n \"type\": \"Microsoft.SecurityInsights/AlertRuleTemplates\",\r\n \"kind\": \"Scheduled\",\r\n \"properties\": {\r\n \"severity\": \"Medium\",\r\n \"query\": \"let timeframe = 1d;\\n//Set a threshold of failed AAD signins from an IP address within 1 day above which we want to deem those logins suspicious.\\nlet signin_threshold = 5; \\n//Make a list of IPs with AAD signin failures above our threshold.\\nlet suspicious_signins = \\n SigninLogs\\n | where TimeGenerated >= ago(timeframe)\\n //Looking for logon failure results\\n | where ResultType !in (\\\"0\\\", \\\"50125\\\", \\\"50140\\\")\\n //Exclude localhost addresses to reduce the chance of FPs\\n | where IPAddress != \\\"127.0.0.1\\\"\\n | summarize count() by IPAddress\\n | where count_ > signin_threshold\\n | summarize make_list(IPAddress);\\n//See if any of those IPs have sucessfully logged into PA VPNs during the same timeperiod\\nCommonSecurityLog\\n | where TimeGenerated > ago(timeframe)\\n //Select only PA VPN sucessful logons\\n | where DeviceVendor == \\\"Palo Alto Networks\\\" and DeviceEventClassID == \\\"globalprotect\\\"\\n | where Message has \\\"GlobalProtect gateway user authentication succeeded\\\"\\n //Parse out the logon source IP from the Message field to match on\\n | extend SourceIP = extract(\\\"Login from: ([^,]+)\\\", 1, Message) \\n | where SourceIP in (suspicious_signins)\\n | extend Reason = \\\"Multiple failed AAD logins from SourceIP\\\"\\n //Parse out other useful information from Message field\\n | extend User = extract(\\\"User name: ([^,]+)\\\", 1, Message) \\n | extend ClientOS = extract(\\\"Client OS version: ([^,\\\\\\\"]+)\\\", 1, Message)\\n | extend Location = extract(\\\"Source region: ([^,]{2})\\\",1, Message)\\n | project TimeGenerated, Reason, SourceIP, User, ClientOS, Location, Message, DeviceName, ReceiptTime, DeviceVendor, DeviceEventClassID, Computer, FileName\\n | extend AccountCustomEntity = User, IPCustomEntity = SourceIP, timestamp = TimeGenerated, HostCustomEntity = DeviceName\",\r\n \"queryFrequency\": \"P1D\",\r\n \"queryPeriod\": \"P1D\",\r\n \"triggerOperator\": \"GreaterThan\",\r\n \"triggerThreshold\": 0,\r\n \"entityMappings\": [\r\n {\r\n \"entityType\": \"Account\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"FullName\",\r\n \"columnName\": \"AccountCustomEntity\"\r\n }\r\n ]\r\n },\r\n {\r\n \"entityType\": \"Host\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"FullName\",\r\n \"columnName\": \"HostCustomEntity\"\r\n }\r\n ]\r\n },\r\n {\r\n \"entityType\": \"IP\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"Address\",\r\n \"columnName\": \"IPCustomEntity\"\r\n }\r\n ]\r\n }\r\n ],\r\n \"displayName\": \"IP with multiple failed Azure AD logins successfully logs in to Palo Alto VPN\",\r\n \"description\": \"This query creates a list of IP addresses with a number failed login attempts to AAD \\nabove a set threshold. It then looks for any successful Palo Alto VPN logins from any\\nof these IPs within the same timeframe.\",\r\n \"tactics\": [\r\n \"InitialAccess\",\r\n \"CredentialAccess\"\r\n ],\r\n \"lastUpdatedDateUTC\": \"2020-11-17T00:00:00Z\",\r\n \"createdDateUTC\": \"2019-09-04T00:00:00Z\",\r\n \"status\": \"Available\",\r\n \"requiredDataConnectors\": [\r\n {\r\n \"connectorId\": \"AzureActiveDirectory\",\r\n \"dataTypes\": [\r\n \"SigninLogs\"\r\n ]\r\n },\r\n {\r\n \"connectorId\": \"PaloAltoNetworks\",\r\n \"dataTypes\": [\r\n \"CommonSecurityLog\"\r\n ]\r\n }\r\n ],\r\n \"alertRulesCreatedByTemplateCount\": 0\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/AlertRuleTemplates/62085097-d113-459f-9ea7-30216f2ee6af\",\r\n \"name\": \"62085097-d113-459f-9ea7-30216f2ee6af\",\r\n \"type\": \"Microsoft.SecurityInsights/AlertRuleTemplates\",\r\n \"kind\": \"Scheduled\",\r\n \"properties\": {\r\n \"severity\": \"Low\",\r\n \"query\": \"let starttime = 2d;\\nlet endtime = 1d;\\nSecurityEvent\\n// include yesterday and not today, so we can confirm a match occurs within the next day\\n| where TimeGenerated >= startofday(ago(starttime)) and TimeGenerated <= startofday(ago(endtime)) \\n// 4722: User Account Enabled\\n| where EventID == 4722 \\n// Removing Machine Accounts\\n| where TargetUserName !endswith \\\"$\\\" \\n| join kind= leftanti (\\n SecurityEvent\\n //verify over the last 2 days\\n | where TimeGenerated >= startofday(ago(starttime))\\n // Attempt made to change password\\n | where EventID == 4723\\n // Removing Machine Accounts\\n | where TargetUserName !endswith \\\"$\\\"\\n) on TargetUserName, TargetDomainName\\n| project StartTimeUtc = TimeGenerated, EventID, Computer, TargetUserName, TargetDomainName, SubjectUserName\\n| extend timestamp = StartTimeUtc, AccountCustomEntity = TargetUserName, HostCustomEntity = Computer\",\r\n \"queryFrequency\": \"P1D\",\r\n \"queryPeriod\": \"P2D\",\r\n \"triggerOperator\": \"GreaterThan\",\r\n \"triggerThreshold\": 0,\r\n \"entityMappings\": [\r\n {\r\n \"entityType\": \"Account\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"FullName\",\r\n \"columnName\": \"AccountCustomEntity\"\r\n }\r\n ]\r\n },\r\n {\r\n \"entityType\": \"Host\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"FullName\",\r\n \"columnName\": \"HostCustomEntity\"\r\n }\r\n ]\r\n }\r\n ],\r\n \"displayName\": \"AD user created password not set within 24-48 hours\",\r\n \"description\": \"Identifies whenever a new account is created with a default password and password is not changed within 24-48 hours.\\nSimple version, can be more precise with Windowing, but not necessary if run as an alert on a daily basis.\\nEffectively, there is an event 4722 indicating a user enabled and no event 4723 indicating a password was changed within in that day or the next day.\",\r\n \"tactics\": [\r\n \"Persistence\"\r\n ],\r\n \"lastUpdatedDateUTC\": \"2020-11-17T00:00:00Z\",\r\n \"createdDateUTC\": \"2019-01-28T00:00:00Z\",\r\n \"status\": \"Available\",\r\n \"requiredDataConnectors\": [\r\n {\r\n \"connectorId\": \"SecurityEvents\",\r\n \"dataTypes\": [\r\n \"SecurityEvent\"\r\n ]\r\n }\r\n ],\r\n \"alertRulesCreatedByTemplateCount\": 0\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/AlertRuleTemplates/4acd3a04-2fad-4efc-8a4b-51476594cec4\",\r\n \"name\": \"4acd3a04-2fad-4efc-8a4b-51476594cec4\",\r\n \"type\": \"Microsoft.SecurityInsights/AlertRuleTemplates\",\r\n \"kind\": \"Scheduled\",\r\n \"properties\": {\r\n \"severity\": \"Medium\",\r\n \"query\": \"let triThreshold = 500;\\nlet startTime = 6h;\\nlet dgaLengthThreshold = 8;\\n// fetch the alexa top 1M domains\\nlet top1M = (externaldata (Position:int, Domain:string) [@\\\"http://s3-us-west-1.amazonaws.com/umbrella-static/top-1m.csv.zip\\\"] with (format=\\\"csv\\\", zipPattern=\\\"*.csv\\\"));\\n// extract tri grams that are above our threshold - i.e. are common\\nlet triBaseline = top1M\\n| extend Domain = tolower(extract(\\\"([^.]*).{0,7}$\\\", 1, Domain))\\n| extend AllTriGrams = array_concat(extract_all(\\\"(...)\\\", Domain), extract_all(\\\"(...)\\\", substring(Domain, 1)), extract_all(\\\"(...)\\\", substring(Domain, 2)))\\n| mvexpand Trigram=AllTriGrams\\n| summarize triCount=count() by tostring(Trigram)\\n| sort by triCount desc\\n| where triCount > triThreshold\\n| distinct Trigram;\\n// collect domain information from common security log, filter and extract the DGA candidate and its trigrams\\nlet allDataSummarized = CommonSecurityLog\\n| where TimeGenerated > ago(startTime)\\n| where isnotempty(DestinationHostName)\\n| extend Name = tolower(DestinationHostName)\\n| distinct Name\\n| where Name has \\\".\\\"\\n| where Name !endswith \\\".home\\\" and Name !endswith \\\".lan\\\"\\n// extract DGA candidate\\n| extend DGADomain = extract(\\\"([^.]*).{0,7}$\\\", 1, Name)\\n| where strlen(DGADomain) > dgaLengthThreshold\\n// throw out domains with number in them\\n| where DGADomain matches regex \\\"^[A-Za-z]{0,}$\\\"\\n// extract the tri grams from summarized data\\n| extend AllTriGrams = array_concat(extract_all(\\\"(...)\\\", DGADomain), extract_all(\\\"(...)\\\", substring(DGADomain, 1)), extract_all(\\\"(...)\\\", substring(DGADomain, 2)));\\n// throw out domains that have repeating tri's and/or >=3 repeating letters\\nlet nonRepeatingTris = allDataSummarized\\n| join kind=leftanti\\n(\\n allDataSummarized\\n | mvexpand AllTriGrams\\n | summarize count() by tostring(AllTriGrams), DGADomain\\n | where count_ > 1\\n | distinct DGADomain\\n)\\non DGADomain;\\n// find domains that do not have a common tri in the baseline\\nlet dataWithRareTris = nonRepeatingTris\\n| join kind=leftanti\\n(\\n nonRepeatingTris\\n | mvexpand AllTriGrams\\n | extend Trigram = tostring(AllTriGrams)\\n | distinct Trigram, DGADomain\\n | join kind=inner\\n (\\n triBaseline\\n )\\n on Trigram\\n | distinct DGADomain\\n)\\non DGADomain;\\ndataWithRareTris\\n// join DGAs back on connection data\\n| join kind=inner\\n(\\n CommonSecurityLog\\n | where TimeGenerated > ago(startTime)\\n | where isnotempty(DestinationHostName)\\n | extend DestinationHostName = tolower(DestinationHostName)\\n | project-rename Name=DestinationHostName, DataSource=DeviceVendor\\n | summarize StartTime=min(TimeGenerated), EndTime=max(TimeGenerated) by Name, SourceIP, DestinationIP, DataSource\\n)\\non Name\\n| project StartTime, EndTime, Name, DGADomain, SourceIP, DestinationIP, DataSource\\n| extend timestamp=StartTime, IPCustomEntity=SourceIP\",\r\n \"queryFrequency\": \"PT6H\",\r\n \"queryPeriod\": \"PT6H\",\r\n \"triggerOperator\": \"GreaterThan\",\r\n \"triggerThreshold\": 0,\r\n \"entityMappings\": [\r\n {\r\n \"entityType\": \"IP\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"Address\",\r\n \"columnName\": \"IPCustomEntity\"\r\n }\r\n ]\r\n }\r\n ],\r\n \"displayName\": \"Possible contact with a domain generated by a DGA\",\r\n \"description\": \"Identifies contacts with domains names in CommonSecurityLog that might have been generated by a Domain Generation Algorithm (DGA). DGAs can be used\\nby malware to generate rendezvous points that are difficult to predict in advance. This detection uses the Alexa Top 1 million domain names to build a model\\nof what normal domains look like. It uses this to identify domains that may have been randomly generated by an algorithm.\\nThe triThreshold is set to 500 - increase this to report on domains that are less likely to have been randomly generated, decrease it for more likely.\\nThe start time and end time look back over 6 hours of data and the dgaLengthThreshold is set to 8 - meaning domains whose length is 8 or more are reported.\",\r\n \"tactics\": [\r\n \"CommandAndControl\"\r\n ],\r\n \"lastUpdatedDateUTC\": \"2020-11-17T00:00:00Z\",\r\n \"createdDateUTC\": \"2020-03-27T00:00:00Z\",\r\n \"status\": \"Available\",\r\n \"requiredDataConnectors\": [\r\n {\r\n \"connectorId\": \"Zscaler\",\r\n \"dataTypes\": [\r\n \"CommonSecurityLog\"\r\n ]\r\n },\r\n {\r\n \"connectorId\": \"Barracuda\",\r\n \"dataTypes\": [\r\n \"CommonSecurityLog\"\r\n ]\r\n },\r\n {\r\n \"connectorId\": \"CEF\",\r\n \"dataTypes\": [\r\n \"CommonSecurityLog\"\r\n ]\r\n },\r\n {\r\n \"connectorId\": \"CheckPoint\",\r\n \"dataTypes\": [\r\n \"CommonSecurityLog\"\r\n ]\r\n },\r\n {\r\n \"connectorId\": \"CiscoASA\",\r\n \"dataTypes\": [\r\n \"CommonSecurityLog\"\r\n ]\r\n },\r\n {\r\n \"connectorId\": \"F5\",\r\n \"dataTypes\": [\r\n \"CommonSecurityLog\"\r\n ]\r\n },\r\n {\r\n \"connectorId\": \"Fortinet\",\r\n \"dataTypes\": [\r\n \"CommonSecurityLog\"\r\n ]\r\n },\r\n {\r\n \"connectorId\": \"PaloAltoNetworks\",\r\n \"dataTypes\": [\r\n \"CommonSecurityLog\"\r\n ]\r\n }\r\n ],\r\n \"alertRulesCreatedByTemplateCount\": 0\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/AlertRuleTemplates/8ee967a2-a645-4832-85f4-72b635bcb3a6\",\r\n \"name\": \"8ee967a2-a645-4832-85f4-72b635bcb3a6\",\r\n \"type\": \"Microsoft.SecurityInsights/AlertRuleTemplates\",\r\n \"kind\": \"Scheduled\",\r\n \"properties\": {\r\n \"severity\": \"Medium\",\r\n \"query\": \"let timeframe = 1d;\\n//Adjust this threshold to fit the environment\\nlet signin_threshold = 5;\\n//Make a list of all IPs with failed signins to AAD above our threshold\\nlet suspicious_signins =\\nSigninLogs\\n| where TimeGenerated >= ago(timeframe)\\n| where ResultType !in (\\\"0\\\", \\\"50125\\\", \\\"50140\\\")\\n| where IPAddress != \\\"127.0.0.1\\\"\\n| summarize count() by IPAddress\\n| where count_ > signin_threshold\\n| summarize make_list(IPAddress);\\n//See if any of these IPs have sucessfully logged into *nix hosts\\nlet linux_logons =\\nSyslog\\n| where TimeGenerated >= ago(timeframe)\\n| where Facility contains \\\"auth\\\" and ProcessName != \\\"sudo\\\"\\n| where SyslogMessage has \\\"Accepted\\\"\\n| extend SourceIP = extract(\\\"(([0-9]{1,3})\\\\\\\\.([0-9]{1,3})\\\\\\\\.([0-9]{1,3})\\\\\\\\.(([0-9]{1,3})))\\\",1,SyslogMessage)\\n| where SourceIP in (suspicious_signins)\\n| extend Reason = \\\"Multiple failed AAD logins from IP address\\\"\\n| project TimeGenerated, Computer, HostIP, IpAddress = SourceIP, SyslogMessage, Facility, ProcessName, Reason;\\n//See if any of these IPs have sucessfully logged into Windows hosts\\nlet win_logons =\\nSecurityEvent\\n| where TimeGenerated >= ago(timeframe)\\n| where EventID == 4624\\n| where LogonType in (10, 7, 3)\\n| where IpAddress != \\\"-\\\"\\n| where IpAddress in (suspicious_signins)\\n| extend Reason = \\\"Multiple failed AAD logins from IP address\\\"\\n| project TimeGenerated, Account, AccountType, Computer, Activity, EventID, LogonProcessName, IpAddress, LogonTypeName, TargetUserSid, Reason;\\nunion isfuzzy=true linux_logons,win_logons\\n| extend timestamp = TimeGenerated, AccountCustomEntity = Account, IPCustomEntity = IpAddress, HostCustomEntity = Computer\",\r\n \"queryFrequency\": \"P1D\",\r\n \"queryPeriod\": \"P1D\",\r\n \"triggerOperator\": \"GreaterThan\",\r\n \"triggerThreshold\": 0,\r\n \"entityMappings\": [\r\n {\r\n \"entityType\": \"Account\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"FullName\",\r\n \"columnName\": \"AccountCustomEntity\"\r\n }\r\n ]\r\n },\r\n {\r\n \"entityType\": \"Host\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"FullName\",\r\n \"columnName\": \"HostCustomEntity\"\r\n }\r\n ]\r\n },\r\n {\r\n \"entityType\": \"IP\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"Address\",\r\n \"columnName\": \"IPCustomEntity\"\r\n }\r\n ]\r\n }\r\n ],\r\n \"displayName\": \"Failed AzureAD logons but success logon to host\",\r\n \"description\": \"Identifies a list of IP addresses with a minimum number (default of 5) of failed logon attempts to Azure Active Directory.\\nUses that list to identify any successful remote logons to hosts from these IPs within the same timeframe.\",\r\n \"tactics\": [\r\n \"InitialAccess\",\r\n \"CredentialAccess\"\r\n ],\r\n \"lastUpdatedDateUTC\": \"2020-11-17T00:00:00Z\",\r\n \"createdDateUTC\": \"2019-08-20T00:00:00Z\",\r\n \"status\": \"Available\",\r\n \"requiredDataConnectors\": [\r\n {\r\n \"connectorId\": \"AzureActiveDirectory\",\r\n \"dataTypes\": [\r\n \"SigninLogs\"\r\n ]\r\n },\r\n {\r\n \"connectorId\": \"SecurityEvents\",\r\n \"dataTypes\": [\r\n \"SecurityEvent\"\r\n ]\r\n },\r\n {\r\n \"connectorId\": \"Syslog\",\r\n \"dataTypes\": [\r\n \"Syslog\"\r\n ]\r\n }\r\n ],\r\n \"alertRulesCreatedByTemplateCount\": 0\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/AlertRuleTemplates/b3cfc7c0-092c-481c-a55b-34a3979758cb\",\r\n \"name\": \"b3cfc7c0-092c-481c-a55b-34a3979758cb\",\r\n \"type\": \"Microsoft.SecurityInsights/AlertRuleTemplates\",\r\n \"kind\": \"MicrosoftSecurityIncidentCreation\",\r\n \"properties\": {\r\n \"productFilter\": \"Microsoft Cloud App Security\",\r\n \"displayName\": \"Create incidents based on Microsoft Cloud App Security alerts\",\r\n \"description\": \"Create incidents based on all alerts generated in Microsoft Cloud App Security\",\r\n \"lastUpdatedDateUTC\": \"2019-07-16T00:00:00Z\",\r\n \"createdDateUTC\": \"2019-07-16T00:00:00Z\",\r\n \"status\": \"Available\",\r\n \"requiredDataConnectors\": [\r\n {\r\n \"connectorId\": \"MicrosoftCloudAppSecurity\",\r\n \"dataTypes\": [\r\n \"SecurityAlert (MCAS)\"\r\n ]\r\n }\r\n ],\r\n \"alertRulesCreatedByTemplateCount\": 0\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/AlertRuleTemplates/80733eb7-35b2-45b6-b2b8-3c51df258206\",\r\n \"name\": \"80733eb7-35b2-45b6-b2b8-3c51df258206\",\r\n \"type\": \"Microsoft.SecurityInsights/AlertRuleTemplates\",\r\n \"kind\": \"Scheduled\",\r\n \"properties\": {\r\n \"severity\": \"Low\",\r\n \"query\": \"let timeframe = 1d;\\nlet DomainList = dynamic([\\\"monerohash.com\\\", \\\"do-dear.com\\\", \\\"xmrminerpro.com\\\", \\\"secumine.net\\\", \\\"xmrpool.com\\\", \\\"minexmr.org\\\", \\\"hashanywhere.com\\\", \\\"xmrget.com\\\", \\n\\\"mininglottery.eu\\\", \\\"minergate.com\\\", \\\"moriaxmr.com\\\", \\\"multipooler.com\\\", \\\"moneropools.com\\\", \\\"xmrpool.eu\\\", \\\"coolmining.club\\\", \\\"supportxmr.com\\\",\\n\\\"minexmr.com\\\", \\\"hashvault.pro\\\", \\\"xmrpool.net\\\", \\\"crypto-pool.fr\\\", \\\"xmr.pt\\\", \\\"miner.rocks\\\", \\\"walpool.com\\\", \\\"herominers.com\\\", \\\"gntl.co.uk\\\", \\\"semipool.com\\\", \\n\\\"coinfoundry.org\\\", \\\"cryptoknight.cc\\\", \\\"fairhash.org\\\", \\\"baikalmine.com\\\", \\\"tubepool.xyz\\\", \\\"fairpool.xyz\\\", \\\"asiapool.io\\\", \\\"coinpoolit.webhop.me\\\", \\\"nanopool.org\\\", \\n\\\"moneropool.com\\\", \\\"miner.center\\\", \\\"prohash.net\\\", \\\"poolto.be\\\", \\\"cryptoescrow.eu\\\", \\\"monerominers.net\\\", \\\"cryptonotepool.org\\\", \\\"extrmepool.org\\\", \\\"webcoin.me\\\", \\n\\\"kippo.eu\\\", \\\"hashinvest.ws\\\", \\\"monero.farm\\\", \\\"supportxmr.com\\\", \\\"xmrpool.eu\\\", \\\"linux-repository-updates.com\\\", \\\"1gh.com\\\", \\\"dwarfpool.com\\\", \\\"hash-to-coins.com\\\", \\n\\\"hashvault.pro\\\", \\\"pool-proxy.com\\\", \\\"hashfor.cash\\\", \\\"fairpool.cloud\\\", \\\"litecoinpool.org\\\", \\\"mineshaft.ml\\\", \\\"abcxyz.stream\\\", \\\"moneropool.ru\\\", \\\"cryptonotepool.org.uk\\\",\\n\\\"extremepool.org\\\", \\\"extremehash.com\\\", \\\"hashinvest.net\\\", \\\"unipool.pro\\\", \\\"crypto-pools.org\\\", \\\"monero.net\\\", \\\"backup-pool.com\\\", \\\"mooo.com\\\", \\\"freeyy.me\\\", \\\"cryptonight.net\\\",\\n\\\"shscrypto.net\\\"]);\\nSyslog\\n| where TimeGenerated >= ago(timeframe)\\n| where ProcessName contains \\\"squid\\\"\\n| extend URL = extract(\\\"(([A-Z]+ [a-z]{4,5}:\\\\\\\\/\\\\\\\\/)|[A-Z]+ )([^ :]*)\\\",3,SyslogMessage), \\n SourceIP = extract(\\\"([0-9]+ )(([0-9]{1,3})\\\\\\\\.([0-9]{1,3})\\\\\\\\.([0-9]{1,3})\\\\\\\\.([0-9]{1,3}))\\\",2,SyslogMessage), \\n Status = extract(\\\"(TCP_(([A-Z]+)(_[A-Z]+)*)|UDP_(([A-Z]+)(_[A-Z]+)*))\\\",1,SyslogMessage), \\n HTTP_Status_Code = extract(\\\"(TCP_(([A-Z]+)(_[A-Z]+)*)|UDP_(([A-Z]+)(_[A-Z]+)*))/([0-9]{3})\\\",8,SyslogMessage),\\n User = extract(\\\"(CONNECT |GET )([^ ]* )([^ ]+)\\\",3,SyslogMessage),\\n RemotePort = extract(\\\"(CONNECT |GET )([^ ]*)(:)([0-9]*)\\\",4,SyslogMessage),\\n Domain = extract(\\\"(([A-Z]+ [a-z]{4,5}:\\\\\\\\/\\\\\\\\/)|[A-Z]+ )([^ :\\\\\\\\/]*)\\\",3,SyslogMessage),\\n Bytes = toint(extract(\\\"([A-Z]+\\\\\\\\/[0-9]{3} )([0-9]+)\\\",2,SyslogMessage)),\\n contentType = extract(\\\"([a-z/]+$)\\\",1,SyslogMessage)\\n| extend TLD = extract(\\\"\\\\\\\\.[a-z]*$\\\",0,Domain)\\n| where HTTP_Status_Code == '200'\\n| where Domain contains \\\".\\\"\\n| where Domain has_any (DomainList)\\n| extend timestamp = TimeGenerated, URLCustomEntity = URL, IPCustomEntity = SourceIP, AccountCustomEntity = User\",\r\n \"queryFrequency\": \"P1D\",\r\n \"queryPeriod\": \"P1D\",\r\n \"triggerOperator\": \"GreaterThan\",\r\n \"triggerThreshold\": 0,\r\n \"entityMappings\": [\r\n {\r\n \"entityType\": \"Account\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"FullName\",\r\n \"columnName\": \"AccountCustomEntity\"\r\n }\r\n ]\r\n },\r\n {\r\n \"entityType\": \"IP\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"Address\",\r\n \"columnName\": \"IPCustomEntity\"\r\n }\r\n ]\r\n },\r\n {\r\n \"entityType\": \"URL\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"Url\",\r\n \"columnName\": \"URLCustomEntity\"\r\n }\r\n ]\r\n }\r\n ],\r\n \"displayName\": \"Squid proxy events related to mining pools\",\r\n \"description\": \"Checks for Squid proxy events in Syslog associated with common mining pools .This query presumes the default Squid log format is being used. \\n http://www.squid-cache.org/Doc/config/access_log/\",\r\n \"tactics\": [\r\n \"CommandAndControl\"\r\n ],\r\n \"lastUpdatedDateUTC\": \"2020-11-17T00:00:00Z\",\r\n \"createdDateUTC\": \"2019-07-12T00:00:00Z\",\r\n \"status\": \"Available\",\r\n \"requiredDataConnectors\": [\r\n {\r\n \"connectorId\": \"Syslog\",\r\n \"dataTypes\": [\r\n \"Syslog\"\r\n ]\r\n }\r\n ],\r\n \"alertRulesCreatedByTemplateCount\": 0\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/AlertRuleTemplates/04384937-e927-4595-8f3c-89ff58ed231f\",\r\n \"name\": \"04384937-e927-4595-8f3c-89ff58ed231f\",\r\n \"type\": \"Microsoft.SecurityInsights/AlertRuleTemplates\",\r\n \"kind\": \"Scheduled\",\r\n \"properties\": {\r\n \"severity\": \"Low\",\r\n \"query\": \"let detectionTime = 30d;\\nlet IPs = dynamic ([\\\"199.249.230.\\\",\\\"185.220.101.\\\",\\\"23.129.64.\\\",\\\"109.70.100.\\\",\\\"185.220.102.\\\"]);\\nOfficeActivity\\n| where TimeGenerated > ago(detectionTime)\\n| where RecordType in (\\\"AzureActiveDirectoryAccountLogon\\\", \\\"AzureActiveDirectoryStsLogon\\\") \\n| where Operation != 'UserLoggedIn'\\n| extend UserAgent = iff(parse_json(ExtendedProperties)[0].Name =~ \\\"UserAgent\\\", extractjson(\\\"$[0].Value\\\", ExtendedProperties, typeof(string)),\\\"\\\")\\n| mv-expand parse_json(ExtendedProperties)\\n| where ExtendedProperties.Name =~ \\\"RequestType\\\"\\n| extend RequestType = ExtendedProperties.Value\\n| where ClientIP has_any (IPs)\\n| summarize authAttempts=dcount(TimeGenerated), firstAttempt=min(TimeGenerated), lastAttempt=max(TimeGenerated), uniqueIPs=dcount(ClientIP), uniqueAccounts=dcount(UserId), attemptedAccounts=make_set(UserId) by UserAgent\\n| where authAttempts > 2500\\n| extend timestamp = firstAttempt\\n| sort by uniqueAccounts\",\r\n \"queryFrequency\": \"P7D\",\r\n \"queryPeriod\": \"P14D\",\r\n \"triggerOperator\": \"GreaterThan\",\r\n \"triggerThreshold\": 0,\r\n \"displayName\": \"Possible STRONTIUM attempted credential harvesting\",\r\n \"description\": \"Surfaces potential STRONTIUM group Office365 credential harvesting attempts within OfficeActivity Logon events.\\nReferences: https://www.microsoft.com/security/blog/2020/09/10/strontium-detecting-new-patters-credential-harvesting/.\",\r\n \"tactics\": [\r\n \"CredentialAccess\"\r\n ],\r\n \"lastUpdatedDateUTC\": \"2020-11-05T00:00:00Z\",\r\n \"createdDateUTC\": \"2020-09-10T00:00:00Z\",\r\n \"status\": \"Available\",\r\n \"requiredDataConnectors\": [\r\n {\r\n \"connectorId\": \"Office365\",\r\n \"dataTypes\": [\r\n \"OfficeActivity\"\r\n ]\r\n }\r\n ],\r\n \"alertRulesCreatedByTemplateCount\": 0\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/AlertRuleTemplates/2d3e33c6-d8e6-4b51-92d6-dbe8bd9efb05\",\r\n \"name\": \"2d3e33c6-d8e6-4b51-92d6-dbe8bd9efb05\",\r\n \"type\": \"Microsoft.SecurityInsights/AlertRuleTemplates\",\r\n \"kind\": \"Anomaly\",\r\n \"properties\": {\r\n \"severity\": \"Informational\",\r\n \"anomalyDefinitionVersion\": \"1.0.0\",\r\n \"techniques\": [\r\n \"Unknown\"\r\n ],\r\n \"customizableObservations\": {\r\n \"multiSelectObservations\": [\r\n {\r\n \"supportedValues\": [\r\n \"Fraction of Failed Signins\",\r\n \"(Log10) Number of Failed Signins\",\r\n \"(Log10) Failed Signins to (Log10) Successful Signins Ratio\",\r\n \"(Log10) Number of Signins with Incorrect Passwords\",\r\n \"(Log10) Incorrect Passwords to (Log10) Correct Passwords Ratio\",\r\n \"Fraction of Incorrect Password Signins\",\r\n \"Distinct Number of App Ids\",\r\n \"Distinct Number of Client Apps\",\r\n \"Distinct Number of Ip Addresses\",\r\n \"Distinct Number of Opperating Systems\",\r\n \"Distinct Number of Browsers\",\r\n \"Distinct Number of Cities\",\r\n \"Distinct Number of States\",\r\n \"Distinct Number of Countries\"\r\n ],\r\n \"values\": [\r\n \"Fraction of Failed Signins\",\r\n \"(Log10) Number of Failed Signins\",\r\n \"(Log10) Failed Signins to (Log10) Successful Signins Ratio\",\r\n \"(Log10) Number of Signins with Incorrect Passwords\",\r\n \"(Log10) Incorrect Passwords to (Log10) Correct Passwords Ratio\",\r\n \"Fraction of Incorrect Password Signins\",\r\n \"Distinct Number of App Ids\",\r\n \"Distinct Number of Client Apps\",\r\n \"Distinct Number of Ip Addresses\",\r\n \"Distinct Number of Opperating Systems\",\r\n \"Distinct Number of Browsers\",\r\n \"Distinct Number of Cities\",\r\n \"Distinct Number of States\",\r\n \"Distinct Number of Countries\"\r\n ],\r\n \"supportedValuesKql\": null,\r\n \"valuesKql\": null,\r\n \"name\": \"Top Reason for High Reconstruction Error\",\r\n \"description\": \"Include only anomalies where the top reason is one of these values.\",\r\n \"sequenceNumber\": 0,\r\n \"rerun\": \"RerunAlways\"\r\n }\r\n ],\r\n \"singleSelectObservations\": null,\r\n \"prioritizeExcludeObservations\": null,\r\n \"thresholdObservations\": [\r\n {\r\n \"minimum\": \"0.0\",\r\n \"maximum\": \"1.0\",\r\n \"value\": \"0.5\",\r\n \"name\": \"Reconstruction Error Score\",\r\n \"description\": \"Generate an anomaly when the reconstruction error score is greater than or equal to the chosen value.\",\r\n \"sequenceNumber\": 0,\r\n \"rerun\": \"RerunAlways\"\r\n }\r\n ]\r\n },\r\n \"frequency\": \"P1D\",\r\n \"displayName\": \"(Preview) Anomalous AAD Signin-Logs Sessions\",\r\n \"description\": \"The signin-logs are grouped into sessions on a per-user basis.\\nAn autoencoder is trained on the previous 6 days worth of sessions and is then applied to sessions from the last 1 day.\\nThe sessions with high reconstruction errors are assumed to be anomalous.\",\r\n \"tactics\": [\r\n \"InitialAccess\"\r\n ],\r\n \"lastUpdatedDateUTC\": \"2020-11-02T00:00:00Z\",\r\n \"createdDateUTC\": \"2020-11-02T00:00:00Z\",\r\n \"status\": \"Available\",\r\n \"requiredDataConnectors\": [\r\n {\r\n \"connectorId\": \"AzureActiveDirectory\",\r\n \"dataTypes\": [\r\n \"SigninLogs\"\r\n ]\r\n }\r\n ],\r\n \"alertRulesCreatedByTemplateCount\": 0\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/AlertRuleTemplates/23de46ea-c425-4a77-b456-511ae4855d69\",\r\n \"name\": \"23de46ea-c425-4a77-b456-511ae4855d69\",\r\n \"type\": \"Microsoft.SecurityInsights/AlertRuleTemplates\",\r\n \"kind\": \"Scheduled\",\r\n \"properties\": {\r\n \"severity\": \"Low\",\r\n \"query\": \"let starttime = 14d;\\nlet endtime = 1d;\\n// The number of operations below which an IP address is considered an unusual source of role assignment operations\\nlet alertOperationThreshold = 5;\\nlet SensitiveOperationList = dynamic(\\n[\\\"List keys\\\", \\\"List Storage Account Keys\\\", \\\"Register Subscription\\\", \\\"Create or Update Snapshot\\\", \\\"Create or Update Network Security Group\\\"]);\\nlet SensitiveActivity = AzureActivity\\n| where OperationName in~ (SensitiveOperationList)\\n| where ActivityStatus =~ \\\"Succeeded\\\";\\nSensitiveActivity\\n| where TimeGenerated between (ago(starttime) .. ago(endtime))\\n| summarize count() by CallerIpAddress, Caller\\n| where count_ >= alertOperationThreshold\\n| join kind = rightanti ( \\nSensitiveActivity\\n| where TimeGenerated >= ago(endtime)\\n| summarize StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated), ActivityTimeStamp = makelist(TimeGenerated), ActivityStatus = makelist(ActivityStatus), \\nOperationIds = makelist(OperationId), CorrelationIds = makelist(CorrelationId), Resources = makelist(Resource), ResourceGroups = makelist(ResourceGroup), ResourceIds = makelist(ResourceId), ActivityCountByCallerIPAddress = count() \\nby CallerIpAddress, Caller, OperationName\\n) on CallerIpAddress, Caller\\n| extend timestamp = StartTimeUtc, AccountCustomEntity = Caller, IPCustomEntity = CallerIpAddress\",\r\n \"queryFrequency\": \"P1D\",\r\n \"queryPeriod\": \"P14D\",\r\n \"triggerOperator\": \"GreaterThan\",\r\n \"triggerThreshold\": 0,\r\n \"entityMappings\": [\r\n {\r\n \"entityType\": \"Account\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"FullName\",\r\n \"columnName\": \"AccountCustomEntity\"\r\n }\r\n ]\r\n },\r\n {\r\n \"entityType\": \"IP\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"Address\",\r\n \"columnName\": \"IPCustomEntity\"\r\n }\r\n ]\r\n }\r\n ],\r\n \"displayName\": \"Rare subscription-level operations in Azure\",\r\n \"description\": \"This query looks for a few sensitive subscription-level events based on Azure Activity Logs. \\n For example this monitors for the operation name 'Create or Update Snapshot' which is used for creating backups but could be misused by attackers \\n to dump hashes or extract sensitive information from the disk.\",\r\n \"tactics\": [\r\n \"CredentialAccess\",\r\n \"Persistence\"\r\n ],\r\n \"lastUpdatedDateUTC\": \"2020-11-17T00:00:00Z\",\r\n \"createdDateUTC\": \"2019-08-24T00:00:00Z\",\r\n \"status\": \"Available\",\r\n \"requiredDataConnectors\": [\r\n {\r\n \"connectorId\": \"AzureActivity\",\r\n \"dataTypes\": [\r\n \"AzureActivity\"\r\n ]\r\n }\r\n ],\r\n \"alertRulesCreatedByTemplateCount\": 0\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/AlertRuleTemplates/074ce265-f684-41cd-af07-613c5f3e6d0d\",\r\n \"name\": \"074ce265-f684-41cd-af07-613c5f3e6d0d\",\r\n \"type\": \"Microsoft.SecurityInsights/AlertRuleTemplates\",\r\n \"kind\": \"Scheduled\",\r\n \"properties\": {\r\n \"severity\": \"High\",\r\n \"query\": \"let timeframe = 1d;\\nlet DomainNames = dynamic([\\\"irf.services\\\",\\\"microsoft-onthehub.com\\\",\\\"msofficelab.com\\\",\\\"com-mailbox.com\\\",\\\"my-sharefile.com\\\",\\\"my-sharepoints.com\\\",\\n\\\"accounts-web-mail.com\\\",\\\"customer-certificate.com\\\",\\\"session-users-activities.com\\\",\\\"user-profile-credentials.com\\\",\\\"verify-linke.com\\\",\\\"support-servics.net\\\",\\n\\\"onedrive-sharedfile.com\\\",\\\"onedrv-live.com\\\",\\\"transparencyinternational-my-sharepoint.com\\\",\\\"transparencyinternational-my-sharepoints.com\\\",\\\"soros-my-sharepoint.com\\\"]);\\n(union isfuzzy=true\\n(CommonSecurityLog \\n| where TimeGenerated >= ago(timeframe) \\n| parse Message with * '(' DNSName ')' * \\n| extend Account = SourceUserID, Host = DeviceName, IPAddress = SourceIP),\\n(DnsEvents \\n| where TimeGenerated >= ago(timeframe) \\n| extend IPAddress = ClientIP, DNSName = Name, Host = Computer),\\n(VMConnection \\n| where TimeGenerated >= ago(timeframe) \\n| parse RemoteDnsCanonicalNames with * '[\\\"' DNSName '\\\"]' *\\n| extend IPAddress = RemoteIp, Host = Computer)\\n)\\n| where isnotempty(DNSName)\\n| where DNSName in~ (DomainNames)\\n| extend timestamp = TimeGenerated, IPCustomEntity = IPAddress, AccountCustomEntity = Account, HostCustomEntity = Host\",\r\n \"queryFrequency\": \"P1D\",\r\n \"queryPeriod\": \"P1D\",\r\n \"triggerOperator\": \"GreaterThan\",\r\n \"triggerThreshold\": 0,\r\n \"entityMappings\": [\r\n {\r\n \"entityType\": \"Account\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"FullName\",\r\n \"columnName\": \"AccountCustomEntity\"\r\n }\r\n ]\r\n },\r\n {\r\n \"entityType\": \"Host\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"FullName\",\r\n \"columnName\": \"HostCustomEntity\"\r\n }\r\n ]\r\n },\r\n {\r\n \"entityType\": \"IP\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"Address\",\r\n \"columnName\": \"IPCustomEntity\"\r\n }\r\n ]\r\n }\r\n ],\r\n \"displayName\": \"Known STRONTIUM group domains - July 2019\",\r\n \"description\": \"Matches domain name IOCs related to Strontium group activity published July 2019 with CommonSecurityLog, DnsEvents and VMConnection dataTypes.\\nReferences: https://blogs.microsoft.com/on-the-issues/2019/07/17/new-cyberthreats-require-new-ways-to-protect-democracy/.\",\r\n \"tactics\": [\r\n \"CommandAndControl\"\r\n ],\r\n \"lastUpdatedDateUTC\": \"2020-11-17T00:00:00Z\",\r\n \"createdDateUTC\": \"2019-07-25T00:00:00Z\",\r\n \"status\": \"Available\",\r\n \"requiredDataConnectors\": [\r\n {\r\n \"connectorId\": \"DNS\",\r\n \"dataTypes\": [\r\n \"DnsEvents\"\r\n ]\r\n },\r\n {\r\n \"connectorId\": \"AzureMonitor(VMInsights)\",\r\n \"dataTypes\": [\r\n \"VMConnection\"\r\n ]\r\n },\r\n {\r\n \"connectorId\": \"CiscoASA\",\r\n \"dataTypes\": [\r\n \"CommonSecurityLog\"\r\n ]\r\n },\r\n {\r\n \"connectorId\": \"PaloAltoNetworks\",\r\n \"dataTypes\": [\r\n \"CommonSecurityLog\"\r\n ]\r\n }\r\n ],\r\n \"alertRulesCreatedByTemplateCount\": 0\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/AlertRuleTemplates/aa1eff90-29d4-49dc-a3ea-b65199f516db\",\r\n \"name\": \"aa1eff90-29d4-49dc-a3ea-b65199f516db\",\r\n \"type\": \"Microsoft.SecurityInsights/AlertRuleTemplates\",\r\n \"kind\": \"Scheduled\",\r\n \"properties\": {\r\n \"severity\": \"Low\",\r\n \"query\": \"let timeframe = 1d;\\nSecurityEvent\\n| where TimeGenerated > ago(timeframe) \\n| where EventID == 4720\\n| where AccountType == \\\"User\\\"\\n| project CreatedUserTime = TimeGenerated, CreatedUserEventID = EventID, CreatedUserActivity = Activity, Computer = toupper(Computer), \\nCreatedUser = tolower(TargetUserName), Domain = toupper(TargetDomainName), CreatedUserSid = TargetSid, AccountUsedToCreateUser = SubjectUserName\\n|join (\\nSecurityEvent \\n| where TimeGenerated > ago(timeframe) \\n| where AccountType == \\\"User\\\"\\n// 4732 - A member was added to a security-enabled local group\\n| where EventID == 4732\\n//TargetSid is the builin Admins group: S-1-5-32-544\\n| where TargetSid == \\\"S-1-5-32-544\\\"\\n| project GroupAddTime = TimeGenerated, GroupAddEventID = EventID, GroupAddActivity = Activity, Computer = toupper(Computer), GroupName = TargetUserName, \\nDomain = toupper(TargetDomainName), GroupSid = TargetSid, UserAdded = SubjectUserName, UserAddedSid = SubjectUserSid, CreatedUser = tolower(SubjectUserName), \\nCreatedUserSid = MemberSid\\n)\\non CreatedUserSid\\n//Create User first, then the add to the group.\\n| project Computer, CreatedUserTime, CreatedUserEventID, CreatedUserActivity, CreatedUser, CreatedUserSid, Domain, GroupAddTime, GroupAddEventID, \\nGroupAddActivity, AccountUsedToCreateUser, GroupName, GroupSid, UserAdded, UserAddedSid \\n| extend timestamp = CreatedUserTime, AccountCustomEntity = CreatedUser, HostCustomEntity = Computer\",\r\n \"queryFrequency\": \"P1D\",\r\n \"queryPeriod\": \"P1D\",\r\n \"triggerOperator\": \"GreaterThan\",\r\n \"triggerThreshold\": 0,\r\n \"entityMappings\": [\r\n {\r\n \"entityType\": \"Account\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"FullName\",\r\n \"columnName\": \"AccountCustomEntity\"\r\n }\r\n ]\r\n },\r\n {\r\n \"entityType\": \"Host\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"FullName\",\r\n \"columnName\": \"HostCustomEntity\"\r\n }\r\n ]\r\n }\r\n ],\r\n \"displayName\": \"New user created and added to the built-in administrators group\",\r\n \"description\": \"Identifies when a user account was created and then added to the builtin Administrators group in the same day.\\nThis should be monitored closely and all additions reviewed.\",\r\n \"tactics\": [\r\n \"Persistence\",\r\n \"PrivilegeEscalation\"\r\n ],\r\n \"lastUpdatedDateUTC\": \"2020-11-17T00:00:00Z\",\r\n \"createdDateUTC\": \"2019-02-22T00:00:00Z\",\r\n \"status\": \"Available\",\r\n \"requiredDataConnectors\": [\r\n {\r\n \"connectorId\": \"SecurityEvents\",\r\n \"dataTypes\": [\r\n \"SecurityEvent\"\r\n ]\r\n }\r\n ],\r\n \"alertRulesCreatedByTemplateCount\": 0\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/AlertRuleTemplates/1fa1528e-f746-4794-8a41-14827f4cb798\",\r\n \"name\": \"1fa1528e-f746-4794-8a41-14827f4cb798\",\r\n \"type\": \"Microsoft.SecurityInsights/AlertRuleTemplates\",\r\n \"kind\": \"Scheduled\",\r\n \"properties\": {\r\n \"severity\": \"Medium\",\r\n \"query\": \"let timeframe = ago(1h);\\nlet threshold = 100;\\nPulseConnectSecure\\n| where TimeGenerated >= timeframe\\n| where Messages startswith \\\"Login failed\\\"\\n| summarize dcount(User) by Computer, bin(TimeGenerated, 15m)\\n| where dcount_User > threshold\\n| extend timestamp = TimeGenerated, HostCustomEntity = Computer\",\r\n \"queryFrequency\": \"PT1H\",\r\n \"queryPeriod\": \"PT1H\",\r\n \"triggerOperator\": \"GreaterThan\",\r\n \"triggerThreshold\": 0,\r\n \"entityMappings\": [\r\n {\r\n \"entityType\": \"Host\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"FullName\",\r\n \"columnName\": \"HostCustomEntity\"\r\n }\r\n ]\r\n }\r\n ],\r\n \"displayName\": \"PulseConnectSecure - Large Number of Distinct Failed User Logins\",\r\n \"description\": \"This query identifies evidence of failed login attempts from a large number of distinct users on a Pulse Connect Secure VPN server\",\r\n \"tactics\": [\r\n \"CredentialAccess\"\r\n ],\r\n \"lastUpdatedDateUTC\": \"2020-11-17T00:00:00Z\",\r\n \"createdDateUTC\": \"2020-06-06T00:00:00Z\",\r\n \"status\": \"Available\",\r\n \"requiredDataConnectors\": [\r\n {\r\n \"connectorId\": \"PulseConnectSecure\",\r\n \"dataTypes\": [\r\n \"Syslog\"\r\n ]\r\n }\r\n ],\r\n \"alertRulesCreatedByTemplateCount\": 0\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/AlertRuleTemplates/8c2ef238-67a0-497d-b1dd-5c8a0f533e25\",\r\n \"name\": \"8c2ef238-67a0-497d-b1dd-5c8a0f533e25\",\r\n \"type\": \"Microsoft.SecurityInsights/AlertRuleTemplates\",\r\n \"kind\": \"Scheduled\",\r\n \"properties\": {\r\n \"severity\": \"Low\",\r\n \"query\": \"let timeframe = 1d;\\nlet EventNameList = dynamic([\\\"AuthorizeDBSecurityGroupIngress\\\",\\\"CreateDBSecurityGroup\\\",\\\"DeleteDBSecurityGroup\\\",\\\"RevokeDBSecurityGroupIngress\\\"]);\\nAWSCloudTrail\\n| where TimeGenerated > ago(timeframe)\\n| where EventName in~ (EventNameList)\\n| summarize StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated) by EventName, EventTypeName, UserIdentityAccountId, UserIdentityPrincipalid, UserAgent, UserIdentityUserName, SessionMfaAuthenticated, SourceIpAddress, AWSRegion, EventSource, AdditionalEventData, ResponseElements\\n| extend timestamp = StartTimeUtc, AccountCustomEntity = UserIdentityUserName, IPCustomEntity = SourceIpAddress\",\r\n \"queryFrequency\": \"P1D\",\r\n \"queryPeriod\": \"P1D\",\r\n \"triggerOperator\": \"GreaterThan\",\r\n \"triggerThreshold\": 0,\r\n \"entityMappings\": [\r\n {\r\n \"entityType\": \"Account\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"FullName\",\r\n \"columnName\": \"AccountCustomEntity\"\r\n }\r\n ]\r\n },\r\n {\r\n \"entityType\": \"IP\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"Address\",\r\n \"columnName\": \"IPCustomEntity\"\r\n }\r\n ]\r\n }\r\n ],\r\n \"displayName\": \"Changes to internet facing AWS RDS Database instances\",\r\n \"description\": \"Amazon Relational Database Service (RDS) is scalable relational database in the cloud. \\nIf your organization have one or more AWS RDS Databases running, monitoring changes to especially internet facing AWS RDS (Relational Database Service) \\nOnce alerts triggered, validate if changes observed are authorized and adhere to change control policy. \\nMore information: https://medium.com/@GorillaStack/the-most-important-aws-cloudtrail-security-events-to-track-a5b9873f8255\\nand RDS API Reference Docs: https://docs.aws.amazon.com/AmazonRDS/latest/APIReference/API_Operations.html\",\r\n \"tactics\": [\r\n \"Persistence\"\r\n ],\r\n \"lastUpdatedDateUTC\": \"2020-11-17T00:00:00Z\",\r\n \"createdDateUTC\": \"2019-02-27T00:00:00Z\",\r\n \"status\": \"Available\",\r\n \"requiredDataConnectors\": [\r\n {\r\n \"connectorId\": \"AWS\",\r\n \"dataTypes\": [\r\n \"AWSCloudTrail\"\r\n ]\r\n }\r\n ],\r\n \"alertRulesCreatedByTemplateCount\": 0\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/AlertRuleTemplates/9713e3c0-1410-468d-b79e-383448434b2d\",\r\n \"name\": \"9713e3c0-1410-468d-b79e-383448434b2d\",\r\n \"type\": \"Microsoft.SecurityInsights/AlertRuleTemplates\",\r\n \"kind\": \"Scheduled\",\r\n \"properties\": {\r\n \"severity\": \"Medium\",\r\n \"query\": \"let dt_lookBack = 1h;\\nlet ioc_lookBack = 14d;\\nThreatIntelligenceIndicator\\n| where TimeGenerated >= ago(ioc_lookBack) and ExpirationDateTime > now()\\n| where Active == true\\n// Picking up only IOC's that contain the entities we want\\n| where isnotempty(NetworkIP) or isnotempty(EmailSourceIpAddress) or isnotempty(NetworkDestinationIP) or isnotempty(NetworkSourceIP)\\n// As there is potentially more than 1 indicator type for matching IP, taking NetworkIP first, then others if that is empty.\\n// Taking the first non-empty value based on potential IOC match availability\\n| extend TI_ipEntity = iff(isnotempty(NetworkIP), NetworkIP, NetworkDestinationIP)\\n| extend TI_ipEntity = iff(isempty(TI_ipEntity) and isnotempty(NetworkSourceIP), NetworkSourceIP, TI_ipEntity)\\n| extend TI_ipEntity = iff(isempty(TI_ipEntity) and isnotempty(EmailSourceIpAddress), EmailSourceIpAddress, TI_ipEntity)\\n| join (\\n VMConnection\\n | where TimeGenerated >= ago(dt_lookBack)\\n // renaming time column so it is clear the log this came from\\n | extend VMConnection_TimeGenerated = TimeGenerated\\n)\\non $left.TI_ipEntity == $right.RemoteIp\\n| summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId\\n| project LatestIndicatorTime, Description, ActivityGroupNames, IndicatorId, ThreatType, Url, ExpirationDateTime, ConfidenceScore, VMConnection_TimeGenerated,\\nTI_ipEntity, Computer, Direction, ProcessName, SourceIp, DestinationIp, RemoteIp, Protocol, DestinationPort, NetworkIP, NetworkDestinationIP, NetworkSourceIP, EmailSourceIpAddress\\n| extend timestamp = VMConnection_TimeGenerated, IPCustomEntity = RemoteIp, HostCustomEntity = Computer, URLCustomEntity = Url\",\r\n \"queryFrequency\": \"PT1H\",\r\n \"queryPeriod\": \"P14D\",\r\n \"triggerOperator\": \"GreaterThan\",\r\n \"triggerThreshold\": 0,\r\n \"entityMappings\": [\r\n {\r\n \"entityType\": \"Host\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"FullName\",\r\n \"columnName\": \"HostCustomEntity\"\r\n }\r\n ]\r\n },\r\n {\r\n \"entityType\": \"IP\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"Address\",\r\n \"columnName\": \"IPCustomEntity\"\r\n }\r\n ]\r\n },\r\n {\r\n \"entityType\": \"URL\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"Url\",\r\n \"columnName\": \"URLCustomEntity\"\r\n }\r\n ]\r\n }\r\n ],\r\n \"displayName\": \"(Preview) TI map IP entity to VMConnection\",\r\n \"description\": \"Identifies a match in VMConnection from any IP IOC from TI\",\r\n \"tactics\": [\r\n \"Impact\"\r\n ],\r\n \"lastUpdatedDateUTC\": \"2020-11-17T00:00:00Z\",\r\n \"createdDateUTC\": \"2019-08-27T00:00:00Z\",\r\n \"status\": \"Available\",\r\n \"requiredDataConnectors\": [\r\n {\r\n \"connectorId\": \"ThreatIntelligence\",\r\n \"dataTypes\": [\r\n \"ThreatIntelligenceIndicator\"\r\n ]\r\n },\r\n {\r\n \"connectorId\": \"ThreatIntelligenceTaxii\",\r\n \"dataTypes\": [\r\n \"ThreatIntelligenceIndicator\"\r\n ]\r\n },\r\n {\r\n \"connectorId\": \"AzureMonitor(VMInsights)\",\r\n \"dataTypes\": [\r\n \"VMConnection\"\r\n ]\r\n }\r\n ],\r\n \"alertRulesCreatedByTemplateCount\": 0\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/AlertRuleTemplates/01f64465-b1ef-41ea-a7f5-31553a11ad43\",\r\n \"name\": \"01f64465-b1ef-41ea-a7f5-31553a11ad43\",\r\n \"type\": \"Microsoft.SecurityInsights/AlertRuleTemplates\",\r\n \"kind\": \"Scheduled\",\r\n \"properties\": {\r\n \"severity\": \"Medium\",\r\n \"query\": \"let timeframe = 1d;\\nlet endpointData = \\n(SecurityEvent\\n | where TimeGenerated >= ago(timeframe) \\n | where EventID == 4688\\n | extend shortFileName = tostring(split(NewProcessName, '\\\\\\\\')[-1])\\n );\\n// Correlate suspect executables seen in TrendMicro rule updates with similar activity on endpoints\\nCommonSecurityLog\\n| where TimeGenerated >= ago(timeframe)\\n| where DeviceVendor =~ \\\"Trend Micro\\\"\\n| where Activity =~ \\\"Deny List updated\\\" \\n| where RequestURL endswith \\\".exe\\\"\\n| project TimeGenerated, Activity , RequestURL , SourceIP, DestinationIP\\n| extend suspectExeName = tolower(tostring(split(RequestURL, '/')[-1]))\\n| join (endpointData) on $left.suspectExeName == $right.shortFileName \\n| extend timestamp = TimeGenerated, IPCustomEntity = DestinationIP, AccountCustomEntity = TargetUserName, HostCustomEntity = Computer, URLCustomEntity = RequestURL\",\r\n \"queryFrequency\": \"P1D\",\r\n \"queryPeriod\": \"P1D\",\r\n \"triggerOperator\": \"GreaterThan\",\r\n \"triggerThreshold\": 0,\r\n \"entityMappings\": [\r\n {\r\n \"entityType\": \"Account\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"FullName\",\r\n \"columnName\": \"AccountCustomEntity\"\r\n }\r\n ]\r\n },\r\n {\r\n \"entityType\": \"Host\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"FullName\",\r\n \"columnName\": \"HostCustomEntity\"\r\n }\r\n ]\r\n },\r\n {\r\n \"entityType\": \"IP\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"Address\",\r\n \"columnName\": \"IPCustomEntity\"\r\n }\r\n ]\r\n },\r\n {\r\n \"entityType\": \"URL\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"Url\",\r\n \"columnName\": \"URLCustomEntity\"\r\n }\r\n ]\r\n }\r\n ],\r\n \"displayName\": \"Network endpoint to host executable correlation\",\r\n \"description\": \"Correlates blocked URLs hosting [malicious] executables with host endpoint data\\nto identify potential instances of executables of the same name having been recently run.\",\r\n \"tactics\": [\r\n \"Execution\"\r\n ],\r\n \"lastUpdatedDateUTC\": \"2020-11-17T00:00:00Z\",\r\n \"createdDateUTC\": \"2019-07-08T00:00:00Z\",\r\n \"status\": \"Available\",\r\n \"requiredDataConnectors\": [\r\n {\r\n \"connectorId\": \"TrendMicro\",\r\n \"dataTypes\": [\r\n \"CommonSecurityLog\"\r\n ]\r\n },\r\n {\r\n \"connectorId\": \"SecurityEvents\",\r\n \"dataTypes\": [\r\n \"SecurityEvent\"\r\n ]\r\n }\r\n ],\r\n \"alertRulesCreatedByTemplateCount\": 0\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/AlertRuleTemplates/75ea5c39-93e5-489b-b1e1-68fa6c9d2d04\",\r\n \"name\": \"75ea5c39-93e5-489b-b1e1-68fa6c9d2d04\",\r\n \"type\": \"Microsoft.SecurityInsights/AlertRuleTemplates\",\r\n \"kind\": \"Scheduled\",\r\n \"properties\": {\r\n \"severity\": \"Medium\",\r\n \"query\": \"let timeframe = 1d;\\nlet threshold = 3;\\nSigninLogs\\n| where TimeGenerated >= ago(timeframe)\\n| where ResultType == \\\"50057\\\"\\n| where ResultDescription =~ \\\"User account is disabled. The account has been disabled by an administrator.\\\"\\n| summarize StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated), count(), applicationCount = dcount(AppDisplayName), \\napplicationSet = makeset(AppDisplayName) by UserPrincipalName, IPAddress\\n| where applicationCount >= threshold\\n| extend timestamp = StartTimeUtc, AccountCustomEntity = UserPrincipalName, IPCustomEntity = IPAddress\",\r\n \"queryFrequency\": \"P1D\",\r\n \"queryPeriod\": \"P1D\",\r\n \"triggerOperator\": \"GreaterThan\",\r\n \"triggerThreshold\": 0,\r\n \"entityMappings\": [\r\n {\r\n \"entityType\": \"Account\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"FullName\",\r\n \"columnName\": \"AccountCustomEntity\"\r\n }\r\n ]\r\n },\r\n {\r\n \"entityType\": \"IP\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"Address\",\r\n \"columnName\": \"IPCustomEntity\"\r\n }\r\n ]\r\n }\r\n ],\r\n \"displayName\": \"Attempts to sign in to disabled accounts\",\r\n \"description\": \"Identifies failed attempts to sign in to disabled accounts across multiple Azure Applications.\\nDefault threshold for Azure Applications attempted to sign in to is 3.\\nReferences: https://docs.microsoft.com/azure/active-directory/reports-monitoring/reference-sign-ins-error-codes\\n50057 - User account is disabled. The account has been disabled by an administrator.\",\r\n \"tactics\": [\r\n \"InitialAccess\"\r\n ],\r\n \"lastUpdatedDateUTC\": \"2020-11-17T00:00:00Z\",\r\n \"createdDateUTC\": \"2019-02-11T00:00:00Z\",\r\n \"status\": \"Available\",\r\n \"requiredDataConnectors\": [\r\n {\r\n \"connectorId\": \"AzureActiveDirectory\",\r\n \"dataTypes\": [\r\n \"SigninLogs\"\r\n ]\r\n }\r\n ],\r\n \"alertRulesCreatedByTemplateCount\": 0\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/AlertRuleTemplates/78422ef2-62bf-48ca-9bab-72c69818a425\",\r\n \"name\": \"78422ef2-62bf-48ca-9bab-72c69818a425\",\r\n \"type\": \"Microsoft.SecurityInsights/AlertRuleTemplates\",\r\n \"kind\": \"Scheduled\",\r\n \"properties\": {\r\n \"severity\": \"Low\",\r\n \"query\": \"let endtime = 1d;\\nlet starttime = 8d;\\nlet threshold = 2.0;\\nSecurityEvent\\n| where TimeGenerated >= ago(endtime) \\n| where EventID == 4624 and LogonType == 10\\n| summarize StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated), ComputerCountToday = dcount(Computer), ComputerSet = makeset(Computer), ProcessSet = makeset(ProcessName) \\nby Account, IpAddress, AccountType, Activity, LogonTypeName\\n| join kind=inner (\\nSecurityEvent\\n| where TimeGenerated >= ago(starttime) and TimeGenerated < ago(endtime) \\n| where EventID == 4624 and LogonType == 10\\n| summarize ComputerCountPrev7Days = dcount(Computer) by Account, IpAddress\\n) on Account, IpAddress\\n| extend Ratio = ComputerCountToday/(ComputerCountPrev7Days*1.0)\\n// Where the ratio of today to previous 7 days is more than double.\\n| where Ratio > threshold\\n| project StartTimeUtc, EndTimeUtc, Account, IpAddress, ComputerSet, ComputerCountToday, ComputerCountPrev7Days, Ratio, AccountType, Activity, LogonTypeName, ProcessSet\\n| extend timestamp = StartTimeUtc, AccountCustomEntity = Account, IPCustomEntity = IpAddress\",\r\n \"queryFrequency\": \"P1D\",\r\n \"queryPeriod\": \"P8D\",\r\n \"triggerOperator\": \"GreaterThan\",\r\n \"triggerThreshold\": 0,\r\n \"entityMappings\": [\r\n {\r\n \"entityType\": \"Account\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"FullName\",\r\n \"columnName\": \"AccountCustomEntity\"\r\n }\r\n ]\r\n },\r\n {\r\n \"entityType\": \"IP\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"Address\",\r\n \"columnName\": \"IPCustomEntity\"\r\n }\r\n ]\r\n }\r\n ],\r\n \"displayName\": \"Multiple RDP connections from Single System\",\r\n \"description\": \"Identifies when an RDP connection is made to multiple systems and above the normal for the previous 7 days. \\nConnections from the same system with the same account within the same day.\\nRDP connections are indicated by the EventID 4624 with LogonType = 10\",\r\n \"tactics\": [\r\n \"LateralMovement\"\r\n ],\r\n \"lastUpdatedDateUTC\": \"2020-11-17T00:00:00Z\",\r\n \"createdDateUTC\": \"2019-10-21T00:00:00Z\",\r\n \"status\": \"Available\",\r\n \"requiredDataConnectors\": [\r\n {\r\n \"connectorId\": \"SecurityEvents\",\r\n \"dataTypes\": [\r\n \"SecurityEvent\"\r\n ]\r\n }\r\n ],\r\n \"alertRulesCreatedByTemplateCount\": 0\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/AlertRuleTemplates/40ba9493-4183-4eee-974f-87fe39c8f267\",\r\n \"name\": \"40ba9493-4183-4eee-974f-87fe39c8f267\",\r\n \"type\": \"Microsoft.SecurityInsights/AlertRuleTemplates\",\r\n \"kind\": \"MicrosoftSecurityIncidentCreation\",\r\n \"properties\": {\r\n \"productFilter\": \"Azure Advanced Threat Protection\",\r\n \"displayName\": \"Create incidents based on Azure Advanced Threat Protection alerts\",\r\n \"description\": \"Create incidents based on all alerts generated in Azure Advanced Threat Protection\",\r\n \"lastUpdatedDateUTC\": \"2019-07-16T00:00:00Z\",\r\n \"createdDateUTC\": \"2019-07-16T00:00:00Z\",\r\n \"status\": \"Available\",\r\n \"requiredDataConnectors\": [\r\n {\r\n \"connectorId\": \"AzureAdvancedThreatProtection\",\r\n \"dataTypes\": [\r\n \"SecurityAlert (AATP)\"\r\n ]\r\n }\r\n ],\r\n \"alertRulesCreatedByTemplateCount\": 0\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/AlertRuleTemplates/610d3850-c26f-4f20-8d86-f10fdf2425f5\",\r\n \"name\": \"610d3850-c26f-4f20-8d86-f10fdf2425f5\",\r\n \"type\": \"Microsoft.SecurityInsights/AlertRuleTemplates\",\r\n \"kind\": \"Scheduled\",\r\n \"properties\": {\r\n \"severity\": \"Low\",\r\n \"query\": \"let timeframe = 1d;\\nlet EventNameList = dynamic([\\\"UpdateTrail\\\",\\\"DeleteTrail\\\",\\\"StopLogging\\\",\\\"DeleteFlowLogs\\\",\\\"DeleteEventBus\\\"]);\\nAWSCloudTrail\\n| where TimeGenerated > ago(timeframe)\\n| where EventName in~ (EventNameList)\\n| summarize StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated) by EventName, EventTypeName, UserIdentityAccountId, UserIdentityPrincipalid, UserAgent, \\nUserIdentityUserName, SessionMfaAuthenticated, SourceIpAddress, AWSRegion, EventSource\\n| extend timestamp = StartTimeUtc, AccountCustomEntity = UserIdentityUserName, IPCustomEntity = SourceIpAddress\",\r\n \"queryFrequency\": \"P1D\",\r\n \"queryPeriod\": \"P1D\",\r\n \"triggerOperator\": \"GreaterThan\",\r\n \"triggerThreshold\": 0,\r\n \"entityMappings\": [\r\n {\r\n \"entityType\": \"Account\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"FullName\",\r\n \"columnName\": \"AccountCustomEntity\"\r\n }\r\n ]\r\n },\r\n {\r\n \"entityType\": \"IP\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"Address\",\r\n \"columnName\": \"IPCustomEntity\"\r\n }\r\n ]\r\n }\r\n ],\r\n \"displayName\": \"Changes made to AWS CloudTrail logs\",\r\n \"description\": \"Attackers often try to hide their steps by deleting or stopping the collection of logs that could show their activity. \\nThis alert identifies any manipulation of AWS CloudTrail, Cloudwatch/EventBridge or VPC Flow logs.\\nMore Information: AWS CloudTrail API: https://docs.aws.amazon.com/awscloudtrail/latest/APIReference/API_Operations.html\\nAWS Cloudwatch/Eventbridge API: https://docs.aws.amazon.com/eventbridge/latest/APIReference/API_Operations.html\\nAWS DelteteFlowLogs API : https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_DeleteFlowLogs.html \",\r\n \"tactics\": [\r\n \"DefenseEvasion\"\r\n ],\r\n \"lastUpdatedDateUTC\": \"2020-11-17T00:00:00Z\",\r\n \"createdDateUTC\": \"2019-02-27T00:00:00Z\",\r\n \"status\": \"Available\",\r\n \"requiredDataConnectors\": [\r\n {\r\n \"connectorId\": \"AWS\",\r\n \"dataTypes\": [\r\n \"AWSCloudTrail\"\r\n ]\r\n }\r\n ],\r\n \"alertRulesCreatedByTemplateCount\": 0\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/AlertRuleTemplates/c87fb346-ea3a-4c64-ba92-3dd383e0f0b5\",\r\n \"name\": \"c87fb346-ea3a-4c64-ba92-3dd383e0f0b5\",\r\n \"type\": \"Microsoft.SecurityInsights/AlertRuleTemplates\",\r\n \"kind\": \"Scheduled\",\r\n \"properties\": {\r\n \"severity\": \"High\",\r\n \"query\": \"let timeframe = 1d;\\nlet DomainNames = \\\"miniodaum.ml\\\";\\nlet SHA256Hash = dynamic ([\\\"53f5773bbfbfbee660989d135c042c9f6f69024b9a4b65bdc0dfd44771762257\\\", \\\"0897c80df8b80b4c49bf1ccf876f5f782849608b830c3b5cb3ad212dc3e19eff\\\"]);\\n(union isfuzzy=true\\n(CommonSecurityLog \\n| where TimeGenerated >= ago(timeframe) \\n| parse Message with * '(' DNSName ')' * \\n| where isnotempty(FileHash)\\n| where FileHash in (SHA256Hash) or DNSName =~ DomainNames\\n| extend Account = SourceUserID, Computer = DeviceName, IPAddress = SourceIP\\n),\\n(DnsEvents \\n| where TimeGenerated >= ago(timeframe) \\n| extend DNSName = Name\\n| where isnotempty(DNSName)\\n| where DNSName =~ DomainNames\\n| extend IPAddress = ClientIP\\n),\\n(VMConnection \\n| where TimeGenerated >= ago(timeframe) \\n| parse RemoteDnsCanonicalNames with * '[\\\"' DNSName '\\\"]' *\\n| where isnotempty(DNSName)\\n| where DNSName =~ DomainNames\\n| extend IPAddress = RemoteIp\\n)\\n)\\n| extend timestamp = TimeGenerated, AccountCustomEntity = Account, HostCustomEntity = Computer, IPCustomEntity = IPAddress\",\r\n \"queryFrequency\": \"P1D\",\r\n \"queryPeriod\": \"P1D\",\r\n \"triggerOperator\": \"GreaterThan\",\r\n \"triggerThreshold\": 0,\r\n \"entityMappings\": [\r\n {\r\n \"entityType\": \"Account\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"FullName\",\r\n \"columnName\": \"AccountCustomEntity\"\r\n }\r\n ]\r\n },\r\n {\r\n \"entityType\": \"Host\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"FullName\",\r\n \"columnName\": \"HostCustomEntity\"\r\n }\r\n ]\r\n },\r\n {\r\n \"entityType\": \"IP\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"Address\",\r\n \"columnName\": \"IPCustomEntity\"\r\n }\r\n ]\r\n }\r\n ],\r\n \"displayName\": \"Known CERIUM domains and hashes\",\r\n \"description\": \"CERIUM malicious webserver and hash values for maldocs and malware. \\n Matches domain name IOCs related to the CERIUM activity group with CommonSecurityLog, DnsEvents, and VMConnection dataTypes.\",\r\n \"tactics\": [\r\n \"CommandAndControl\",\r\n \"CredentialAccess\"\r\n ],\r\n \"lastUpdatedDateUTC\": \"2020-11-17T00:00:00Z\",\r\n \"createdDateUTC\": \"2020-10-30T00:00:00Z\",\r\n \"status\": \"Available\",\r\n \"requiredDataConnectors\": [\r\n {\r\n \"connectorId\": \"DNS\",\r\n \"dataTypes\": [\r\n \"DnsEvents\"\r\n ]\r\n },\r\n {\r\n \"connectorId\": \"AzureMonitor(VMInsights)\",\r\n \"dataTypes\": [\r\n \"VMConnection\"\r\n ]\r\n },\r\n {\r\n \"connectorId\": \"CiscoASA\",\r\n \"dataTypes\": [\r\n \"CommonSecurityLog\"\r\n ]\r\n },\r\n {\r\n \"connectorId\": \"PaloAltoNetworks\",\r\n \"dataTypes\": [\r\n \"CommonSecurityLog\"\r\n ]\r\n }\r\n ],\r\n \"alertRulesCreatedByTemplateCount\": 0\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/AlertRuleTemplates/65c78944-930b-4cae-bd79-c3664ae30ba7\",\r\n \"name\": \"65c78944-930b-4cae-bd79-c3664ae30ba7\",\r\n \"type\": \"Microsoft.SecurityInsights/AlertRuleTemplates\",\r\n \"kind\": \"Scheduled\",\r\n \"properties\": {\r\n \"severity\": \"Medium\",\r\n \"query\": \"let timeframe = 1d;\\n(union isfuzzy=true\\n(AuditLogs \\n| where TimeGenerated >= ago(timeframe) \\n| where OperationName =~ \\\"Disable Strong Authentication\\\"\\n| extend IPAddress = tostring(parse_json(tostring(InitiatedBy.user)).ipAddress) \\n| extend InitiatedByUser = iff(isnotempty(tostring(parse_json(tostring(InitiatedBy.user)).userPrincipalName)), \\n tostring(parse_json(tostring(InitiatedBy.user)).userPrincipalName), tostring(parse_json(tostring(InitiatedBy.app)).displayName))\\n| extend Targetprop = todynamic(TargetResources)\\n| extend TargetUser = tostring(Targetprop[0].userPrincipalName) \\n| summarize StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated) by User = TargetUser, InitiatedByUser , Operation = OperationName , CorrelationId, IPAddress, Category, Source = SourceSystem , AADTenantId, Type\\n),\\n(AWSCloudTrail\\n| where TimeGenerated >= ago(timeframe)\\n| where EventName in~ (\\\"DeactivateMFADevice\\\", \\\"DeleteVirtualMFADevice\\\") \\n| extend InstanceProfileName = tostring(parse_json(RequestParameters).InstanceProfileName)\\n| extend TargetUser = tostring(parse_json(RequestParameters).userName)\\n| summarize StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated) by User = TargetUser, Source = EventSource , Operation = EventName , TenantorInstance_Detail = InstanceProfileName, IPAddress = SourceIpAddress\\n)\\n)\\n| extend timestamp = StartTimeUtc, AccountCustomEntity = User, IPCustomEntity = IPAddress\",\r\n \"queryFrequency\": \"P1D\",\r\n \"queryPeriod\": \"P1D\",\r\n \"triggerOperator\": \"GreaterThan\",\r\n \"triggerThreshold\": 0,\r\n \"entityMappings\": [\r\n {\r\n \"entityType\": \"Account\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"FullName\",\r\n \"columnName\": \"AccountCustomEntity\"\r\n }\r\n ]\r\n },\r\n {\r\n \"entityType\": \"IP\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"Address\",\r\n \"columnName\": \"IPCustomEntity\"\r\n }\r\n ]\r\n }\r\n ],\r\n \"displayName\": \"MFA disabled for a user\",\r\n \"description\": \"Multi-Factor Authentication (MFA) helps prevent credential compromise. This alert identifies when an attempt has been made to diable MFA for a user \",\r\n \"tactics\": [\r\n \"CredentialAccess\"\r\n ],\r\n \"lastUpdatedDateUTC\": \"2020-11-17T00:00:00Z\",\r\n \"createdDateUTC\": \"2019-12-16T00:00:00Z\",\r\n \"status\": \"Available\",\r\n \"requiredDataConnectors\": [\r\n {\r\n \"connectorId\": \"AzureActiveDirectory\",\r\n \"dataTypes\": [\r\n \"AuditLogs\"\r\n ]\r\n },\r\n {\r\n \"connectorId\": \"AWS\",\r\n \"dataTypes\": [\r\n \"AWSCloudTrail\"\r\n ]\r\n }\r\n ],\r\n \"alertRulesCreatedByTemplateCount\": 0\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/AlertRuleTemplates/fbfbf530-506b-49a4-81ad-4030885a195c\",\r\n \"name\": \"fbfbf530-506b-49a4-81ad-4030885a195c\",\r\n \"type\": \"Microsoft.SecurityInsights/AlertRuleTemplates\",\r\n \"kind\": \"Scheduled\",\r\n \"properties\": {\r\n \"severity\": \"Medium\",\r\n \"query\": \"let alertTimeWindow = 1h;\\nlet logTimeWindow = 7d;\\n// Define script extensions that suit your web application environment - a sample are provided below\\nlet scriptExtensions = dynamic([\\\".php\\\", \\\".jsp\\\", \\\".js\\\", \\\".aspx\\\", \\\".asmx\\\", \\\".asax\\\", \\\".cfm\\\", \\\".shtml\\\"]); \\nlet alertData = materialize(SecurityAlert \\n| where TimeGenerated > ago(alertTimeWindow) \\n| where ProviderName == \\\"MDATP\\\" \\n// Parse and expand the alert JSON \\n| extend alertData = parse_json(Entities) \\n| mvexpand alertData);\\nlet fileData = alertData\\n// Extract web script files from MDATP alerts - our malicious web scripts - candidate webshells\\n| where alertData.Type =~ \\\"file\\\" \\n| where alertData.Name has_any(scriptExtensions) \\n| extend FileName = tostring(alertData.Name), Directory = tostring(alertData.Directory);\\nlet hostData = alertData\\n// Extract server details from alerts and map to alert id\\n| where alertData.Type =~ \\\"host\\\"\\n| project HostName = tostring(alertData.HostName), DnsDomain = tostring(alertData.DnsDomain), SystemAlertId\\n| distinct HostName, DnsDomain, SystemAlertId;\\n// Join the files on their impacted servers\\nlet webshellData = fileData\\n| join kind=inner (hostData) on SystemAlertId \\n| project TimeGenerated, FileName, Directory, HostName, DnsDomain;\\nwebshellData\\n| join ( \\n// Find requests that were made to this file on the impacted server in the W3CIISLog table \\nW3CIISLog \\n| where TimeGenerated > ago(logTimeWindow) \\n// Restrict to accesses to script extensions \\n| where csUriStem has_any(scriptExtensions)\\n| extend splitUriStem = split(csUriStem, \\\"/\\\") \\n| extend FileName = splitUriStem[-1], HostName = sComputerName\\n// Summarize potential attacker activity\\n| summarize count(), StartTime=min(TimeGenerated), EndTime=max(TimeGenerated), RequestUserAgents=make_set(csUserAgent), ReqestMethods=make_set(csMethod), RequestStatusCodes=make_set(scStatus), RequestCookies=make_set(csCookie), RequestReferers=make_set(csReferer), RequestQueryStrings=make_set(csUriQuery) by AttackerIP=cIP, SiteName=sSiteName, ShellLocation=csUriStem, tostring(FileName), HostName \\n) on FileName, HostName\\n| project StartTime, EndTime, AttackerIP, RequestUserAgents, HostName, SiteName, ShellLocation, ReqestMethods, RequestStatusCodes, RequestCookies, RequestReferers, RequestQueryStrings, RequestCount = count_\\n// Expose the attacker ip address as a custom entity\\n| extend timestamp=StartTime, IPCustomEntity = AttackerIP, HostCustomEntity = HostName\",\r\n \"queryFrequency\": \"PT1H\",\r\n \"queryPeriod\": \"P7D\",\r\n \"triggerOperator\": \"GreaterThan\",\r\n \"triggerThreshold\": 0,\r\n \"entityMappings\": [\r\n {\r\n \"entityType\": \"Host\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"FullName\",\r\n \"columnName\": \"HostCustomEntity\"\r\n }\r\n ]\r\n },\r\n {\r\n \"entityType\": \"IP\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"Address\",\r\n \"columnName\": \"IPCustomEntity\"\r\n }\r\n ]\r\n }\r\n ],\r\n \"displayName\": \"Malicious web application requests linked with MDATP alerts\",\r\n \"description\": \"Takes MDATP alerts where web scripts are present in the evidence and correlates with requests made to those scripts\\nin the WCSIISLog to surface new alerts for potentially malicious web request activity.\\nThe lookback for alerts is set to 1h and the lookback for W3CIISLogs is set to 7d. A sample set of popular web script extensions\\nhas been provided in scriptExtensions that should be tailored to your environment.\",\r\n \"tactics\": [\r\n \"Persistence\"\r\n ],\r\n \"lastUpdatedDateUTC\": \"2020-11-17T00:00:00Z\",\r\n \"createdDateUTC\": \"2020-05-21T00:00:00Z\",\r\n \"status\": \"Available\",\r\n \"requiredDataConnectors\": [\r\n {\r\n \"connectorId\": \"MicrosoftDefenderAdvancedThreatProtection\",\r\n \"dataTypes\": [\r\n \"SecurityAlert\"\r\n ]\r\n },\r\n {\r\n \"connectorId\": \"AzureMonitor(IIS)\",\r\n \"dataTypes\": [\r\n \"W3CIISLog\"\r\n ]\r\n }\r\n ],\r\n \"alertRulesCreatedByTemplateCount\": 0\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/AlertRuleTemplates/2fc5d810-c9cc-491a-b564-841427ae0e50\",\r\n \"name\": \"2fc5d810-c9cc-491a-b564-841427ae0e50\",\r\n \"type\": \"Microsoft.SecurityInsights/AlertRuleTemplates\",\r\n \"kind\": \"Scheduled\",\r\n \"properties\": {\r\n \"severity\": \"Medium\",\r\n \"query\": \"let dt_lookBack = 1h;\\nlet ioc_lookBack = 14d;\\nlet emailregex = @'^[a-zA-Z0-9_.+-]+@[a-zA-Z0-9-]+\\\\.[a-zA-Z0-9-.]+$';\\nThreatIntelligenceIndicator\\n| where TimeGenerated >= ago(ioc_lookBack) and ExpirationDateTime > now()\\n| where Active == true\\n//Filtering the table for Email related IOCs\\n| where isnotempty(EmailRecipient)\\n| join (\\n SecurityEvent | where TimeGenerated >= ago(dt_lookBack) and isnotempty(TargetUserName)\\n //Normalizing the column to lower case for exact match with EmailRecipient column\\n | extend TargetUserName = tolower(TargetUserName)\\n // renaming timestamp column so it is clear the log this came from SecurityEvent table\\n | extend SecurityEvent_TimeGenerated = TimeGenerated\\n)\\non $left.EmailRecipient == $right.TargetUserName\\n| summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId\\n| project LatestIndicatorTime, Description, ActivityGroupNames, IndicatorId, ThreatType, Url, ExpirationDateTime, ConfidenceScore, SecurityEvent_TimeGenerated,\\nEmailSenderName, EmailSourceDomain, EmailSourceIpAddress, EmailSubject, FileHashValue, FileHashType, Computer, EventID, TargetUserName, Activity, IpAddress, AccountType,\\nLogonTypeName, LogonProcessName, Status, SubStatus\\n| extend timestamp = SecurityEvent_TimeGenerated, AccountCustomEntity = TargetUserName, IPCustomEntity = IpAddress, HostCustomEntity = Computer, URLCustomEntity = Url\",\r\n \"queryFrequency\": \"PT1H\",\r\n \"queryPeriod\": \"P14D\",\r\n \"triggerOperator\": \"GreaterThan\",\r\n \"triggerThreshold\": 0,\r\n \"entityMappings\": [\r\n {\r\n \"entityType\": \"Account\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"FullName\",\r\n \"columnName\": \"AccountCustomEntity\"\r\n }\r\n ]\r\n },\r\n {\r\n \"entityType\": \"Host\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"FullName\",\r\n \"columnName\": \"HostCustomEntity\"\r\n }\r\n ]\r\n },\r\n {\r\n \"entityType\": \"IP\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"Address\",\r\n \"columnName\": \"IPCustomEntity\"\r\n }\r\n ]\r\n },\r\n {\r\n \"entityType\": \"URL\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"Url\",\r\n \"columnName\": \"URLCustomEntity\"\r\n }\r\n ]\r\n }\r\n ],\r\n \"displayName\": \"(Preview) TI map Email entity to SecurityEvent\",\r\n \"description\": \"Identifies a match in SecurityEvent table from any Email IOC from TI\",\r\n \"tactics\": [\r\n \"Impact\"\r\n ],\r\n \"lastUpdatedDateUTC\": \"2020-11-17T00:00:00Z\",\r\n \"createdDateUTC\": \"2019-08-28T00:00:00Z\",\r\n \"status\": \"Available\",\r\n \"requiredDataConnectors\": [\r\n {\r\n \"connectorId\": \"ThreatIntelligence\",\r\n \"dataTypes\": [\r\n \"ThreatIntelligenceIndicator\"\r\n ]\r\n },\r\n {\r\n \"connectorId\": \"ThreatIntelligenceTaxii\",\r\n \"dataTypes\": [\r\n \"ThreatIntelligenceIndicator\"\r\n ]\r\n },\r\n {\r\n \"connectorId\": \"SecurityEvents\",\r\n \"dataTypes\": [\r\n \"SecurityEvent\"\r\n ]\r\n }\r\n ],\r\n \"alertRulesCreatedByTemplateCount\": 0\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/AlertRuleTemplates/02ef8d7e-fc3a-4d86-a457-650fa571d8d2\",\r\n \"name\": \"02ef8d7e-fc3a-4d86-a457-650fa571d8d2\",\r\n \"type\": \"Microsoft.SecurityInsights/AlertRuleTemplates\",\r\n \"kind\": \"Scheduled\",\r\n \"properties\": {\r\n \"severity\": \"Medium\",\r\n \"query\": \"let timeFrame = 1d;\\nlet logonDiff = 10m;\\nSigninLogs \\n| where TimeGenerated >= ago(timeFrame) \\n| where ResultType == \\\"0\\\" \\n| where AppDisplayName !in (\\\"Office 365 Exchange Online\\\", \\\"Skype for Business Online\\\")\\n| project SuccessLogonTime = TimeGenerated, UserPrincipalName, SuccessIPAddress = IPAddress, AppDisplayName, SuccessIPBlock = strcat(split(IPAddress, \\\".\\\")[0], \\\".\\\", split(IPAddress, \\\".\\\")[1])\\n| join kind= inner (\\n SigninLogs \\n | where TimeGenerated >= ago(timeFrame) \\n | where ResultType !in (\\\"0\\\", \\\"50140\\\") \\n | where ResultDescription !~ \\\"Other\\\" \\n | where AppDisplayName !in (\\\"Office 365 Exchange Online\\\", \\\"Skype for Business Online\\\")\\n | project FailedLogonTime = TimeGenerated, UserPrincipalName, FailedIPAddress = IPAddress, AppDisplayName, ResultType, ResultDescription\\n) on UserPrincipalName, AppDisplayName \\n| where SuccessLogonTime < FailedLogonTime and FailedLogonTime - SuccessLogonTime <= logonDiff and FailedIPAddress !startswith SuccessIPBlock\\n| summarize FailedLogonTime = max(FailedLogonTime), SuccessLogonTime = max(SuccessLogonTime) by UserPrincipalName, SuccessIPAddress, AppDisplayName, FailedIPAddress, ResultType, ResultDescription \\n| extend timestamp = SuccessLogonTime, AccountCustomEntity = UserPrincipalName, IPCustomEntity = SuccessIPAddress\",\r\n \"queryFrequency\": \"P1D\",\r\n \"queryPeriod\": \"P1D\",\r\n \"triggerOperator\": \"GreaterThan\",\r\n \"triggerThreshold\": 0,\r\n \"entityMappings\": [\r\n {\r\n \"entityType\": \"Account\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"FullName\",\r\n \"columnName\": \"AccountCustomEntity\"\r\n }\r\n ]\r\n },\r\n {\r\n \"entityType\": \"IP\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"Address\",\r\n \"columnName\": \"IPCustomEntity\"\r\n }\r\n ]\r\n }\r\n ],\r\n \"displayName\": \"Successful logon from IP and failure from a different IP\",\r\n \"description\": \"Identifies when a user account successfully logs onto an Azure App from one IP and within 10 mins failed to logon to the same App via a different IP.\\nThis may indicate a malicious attempt at password guessing based on knowledge of the users account.\",\r\n \"tactics\": [\r\n \"CredentialAccess\",\r\n \"InitialAccess\"\r\n ],\r\n \"lastUpdatedDateUTC\": \"2020-11-17T00:00:00Z\",\r\n \"createdDateUTC\": \"2019-02-19T00:00:00Z\",\r\n \"status\": \"Available\",\r\n \"requiredDataConnectors\": [\r\n {\r\n \"connectorId\": \"AzureActiveDirectory\",\r\n \"dataTypes\": [\r\n \"SigninLogs\"\r\n ]\r\n }\r\n ],\r\n \"alertRulesCreatedByTemplateCount\": 0\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/AlertRuleTemplates/f845881e-2500-44dc-8ed7-b372af3e1e25\",\r\n \"name\": \"f845881e-2500-44dc-8ed7-b372af3e1e25\",\r\n \"type\": \"Microsoft.SecurityInsights/AlertRuleTemplates\",\r\n \"kind\": \"Scheduled\",\r\n \"properties\": {\r\n \"severity\": \"Low\",\r\n \"query\": \"let timeFrame = 1d;\\nlet short_uaLength = 5;\\nlet long_uaLength = 1000;\\nlet c_threshold = 100;\\nW3CIISLog \\n| where TimeGenerated >= ago(timeFrame)\\n// Exclude local IPs as these create noise\\n| where cIP !startswith \\\"192.168.\\\" and cIP != \\\"::1\\\"\\n| where isnotempty(csUserAgent) and csUserAgent !in~ (\\\"-\\\", \\\"MSRPC\\\") and (string_size(csUserAgent) <= short_uaLength or string_size(csUserAgent) >= long_uaLength)\\n| extend csUserAgent_size = string_size(csUserAgent)\\n| summarize StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated), ConnectionCount = count() by Computer, sSiteName, sPort, csUserAgent, csUserAgent_size, csUserName , csMethod, csUriStem, sIP, cIP, scStatus, scSubStatus, scWin32Status\\n| where ConnectionCount < c_threshold\\n| extend timestamp = StartTimeUtc, AccountCustomEntity = csUserName, HostCustomEntity = Computer, IPCustomEntity = cIP\",\r\n \"queryFrequency\": \"P1D\",\r\n \"queryPeriod\": \"P1D\",\r\n \"triggerOperator\": \"GreaterThan\",\r\n \"triggerThreshold\": 0,\r\n \"entityMappings\": [\r\n {\r\n \"entityType\": \"Account\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"FullName\",\r\n \"columnName\": \"AccountCustomEntity\"\r\n }\r\n ]\r\n },\r\n {\r\n \"entityType\": \"Host\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"FullName\",\r\n \"columnName\": \"HostCustomEntity\"\r\n }\r\n ]\r\n },\r\n {\r\n \"entityType\": \"IP\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"Address\",\r\n \"columnName\": \"IPCustomEntity\"\r\n }\r\n ]\r\n }\r\n ],\r\n \"displayName\": \"Anomalous User Agent connection attempt\",\r\n \"description\": \"Identifies connection attempts (success or fail) from clients with very short or very long User Agent strings and with less than 100 connection attempts.\",\r\n \"tactics\": [\r\n \"InitialAccess\"\r\n ],\r\n \"lastUpdatedDateUTC\": \"2020-11-17T00:00:00Z\",\r\n \"createdDateUTC\": \"2019-02-20T00:00:00Z\",\r\n \"status\": \"Available\",\r\n \"requiredDataConnectors\": [\r\n {\r\n \"connectorId\": \"AzureMonitor(IIS)\",\r\n \"dataTypes\": [\r\n \"W3CIISLog\"\r\n ]\r\n }\r\n ],\r\n \"alertRulesCreatedByTemplateCount\": 0\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/AlertRuleTemplates/a50766a7-0674-4ccb-8845-15dc55a80ba1\",\r\n \"name\": \"a50766a7-0674-4ccb-8845-15dc55a80ba1\",\r\n \"type\": \"Microsoft.SecurityInsights/AlertRuleTemplates\",\r\n \"kind\": \"Scheduled\",\r\n \"properties\": {\r\n \"severity\": \"Medium\",\r\n \"query\": \"let dt_lookBack = 1h;\\nlet ioc_lookBack = 14d;\\nThreatIntelligenceIndicator\\n| where TimeGenerated >= ago(ioc_lookBack) and ExpirationDateTime > now()\\n| where Active == true\\n// Picking up only IOC's that contain the entities we want\\n| where isnotempty(NetworkIP) or isnotempty(EmailSourceIpAddress) or isnotempty(NetworkDestinationIP) or isnotempty(NetworkSourceIP)\\n// As there is potentially more than 1 indicator type for matching IP, taking NetworkIP first, then others if that is empty.\\n// Taking the first non-empty value based on potential IOC match availability\\n| extend TI_ipEntity = iff(isnotempty(NetworkIP), NetworkIP, NetworkDestinationIP)\\n| extend TI_ipEntity = iff(isempty(TI_ipEntity) and isnotempty(NetworkSourceIP), NetworkSourceIP, TI_ipEntity)\\n| extend TI_ipEntity = iff(isempty(TI_ipEntity) and isnotempty(EmailSourceIpAddress), EmailSourceIpAddress, TI_ipEntity)\\n| join (\\n WireData | where TimeGenerated >= ago(dt_lookBack)\\n | where isnotempty(RemoteIP)\\n // renaming time column so it is clear the log this came from\\n | extend WireData_TimeGenerated = TimeGenerated\\n)\\non $left.TI_ipEntity == $right.RemoteIP\\n| summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId\\n| project LatestIndicatorTime, Description, ActivityGroupNames, IndicatorId, ThreatType, Url, ExpirationDateTime, ConfidenceScore, WireData_TimeGenerated,\\nTI_ipEntity, Computer, LocalIP, RemoteIP, ProcessName, ApplicationProtocol, LocalPortNumber, NetworkIP, NetworkDestinationIP, NetworkSourceIP, EmailSourceIpAddress\\n| extend timestamp = WireData_TimeGenerated, IPCustomEntity = RemoteIP, HostCustomEntity = Computer, URLCustomEntity = Url\",\r\n \"queryFrequency\": \"PT1H\",\r\n \"queryPeriod\": \"P14D\",\r\n \"triggerOperator\": \"GreaterThan\",\r\n \"triggerThreshold\": 0,\r\n \"entityMappings\": [\r\n {\r\n \"entityType\": \"Host\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"FullName\",\r\n \"columnName\": \"HostCustomEntity\"\r\n }\r\n ]\r\n },\r\n {\r\n \"entityType\": \"IP\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"Address\",\r\n \"columnName\": \"IPCustomEntity\"\r\n }\r\n ]\r\n },\r\n {\r\n \"entityType\": \"URL\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"Url\",\r\n \"columnName\": \"URLCustomEntity\"\r\n }\r\n ]\r\n }\r\n ],\r\n \"displayName\": \"(Preview) TI map IP entity to WireData\",\r\n \"description\": \"Identifies a match in WireData from any IP IOC from TI\",\r\n \"tactics\": [\r\n \"Impact\"\r\n ],\r\n \"lastUpdatedDateUTC\": \"2020-11-17T00:00:00Z\",\r\n \"createdDateUTC\": \"2019-08-27T00:00:00Z\",\r\n \"status\": \"Available\",\r\n \"requiredDataConnectors\": [\r\n {\r\n \"connectorId\": \"ThreatIntelligence\",\r\n \"dataTypes\": [\r\n \"ThreatIntelligenceIndicator\"\r\n ]\r\n },\r\n {\r\n \"connectorId\": \"ThreatIntelligenceTaxii\",\r\n \"dataTypes\": [\r\n \"ThreatIntelligenceIndicator\"\r\n ]\r\n },\r\n {\r\n \"connectorId\": \"AzureMonitor(WireData)\",\r\n \"dataTypes\": [\r\n \"WireData\"\r\n ]\r\n }\r\n ],\r\n \"alertRulesCreatedByTemplateCount\": 0\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/AlertRuleTemplates/5e45930c-09b1-4430-b2d1-cc75ada0dc0f\",\r\n \"name\": \"5e45930c-09b1-4430-b2d1-cc75ada0dc0f\",\r\n \"type\": \"Microsoft.SecurityInsights/AlertRuleTemplates\",\r\n \"kind\": \"Scheduled\",\r\n \"properties\": {\r\n \"severity\": \"Medium\",\r\n \"query\": \"let dt_lookBack = 1h;\\nlet ioc_lookBack = 14d;\\nThreatIntelligenceIndicator\\n| where TimeGenerated >= ago(ioc_lookBack) and ExpirationDateTime > now()\\n| where Active == true\\n// Picking up only IOC's that contain the entities we want\\n| where isnotempty(NetworkIP) or isnotempty(EmailSourceIpAddress) or isnotempty(NetworkDestinationIP) or isnotempty(NetworkSourceIP)\\n// As there is potentially more than 1 indicator type for matching IP, taking NetworkIP first, then others if that is empty.\\n// Taking the first non-empty value based on potential IOC match availability\\n| extend TI_ipEntity = iff(isnotempty(NetworkIP), NetworkIP, NetworkDestinationIP)\\n| extend TI_ipEntity = iff(isempty(TI_ipEntity) and isnotempty(NetworkSourceIP), NetworkSourceIP, TI_ipEntity)\\n| extend TI_ipEntity = iff(isempty(TI_ipEntity) and isnotempty(EmailSourceIpAddress), EmailSourceIpAddress, TI_ipEntity)\\n| join (\\n W3CIISLog\\n | where TimeGenerated >= ago(dt_lookBack)\\n | where isnotempty(cIP)\\n // renaming time column so it is clear the log this came from\\n | extend W3CIISLog_TimeGenerated = TimeGenerated\\n)\\non $left.TI_ipEntity == $right.cIP\\n| summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId\\n| project LatestIndicatorTime, Description, ActivityGroupNames, IndicatorId, ThreatType, Url, ExpirationDateTime, ConfidenceScore,\\nW3CIISLog_TimeGenerated, TI_ipEntity, Computer, sSiteName, cIP, sIP, sPort, csMethod, csUserName, scStatus, scSubStatus, scWin32Status,\\nNetworkIP, NetworkDestinationIP, NetworkSourceIP, EmailSourceIpAddress\\n| extend timestamp = W3CIISLog_TimeGenerated, IPCustomEntity = cIP, HostCustomEntity = Computer, AccountCustomEntity = csUserName, URLCustomEntity = Url\",\r\n \"queryFrequency\": \"PT1H\",\r\n \"queryPeriod\": \"P14D\",\r\n \"triggerOperator\": \"GreaterThan\",\r\n \"triggerThreshold\": 0,\r\n \"entityMappings\": [\r\n {\r\n \"entityType\": \"Account\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"FullName\",\r\n \"columnName\": \"AccountCustomEntity\"\r\n }\r\n ]\r\n },\r\n {\r\n \"entityType\": \"Host\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"FullName\",\r\n \"columnName\": \"HostCustomEntity\"\r\n }\r\n ]\r\n },\r\n {\r\n \"entityType\": \"IP\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"Address\",\r\n \"columnName\": \"IPCustomEntity\"\r\n }\r\n ]\r\n },\r\n {\r\n \"entityType\": \"URL\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"Url\",\r\n \"columnName\": \"URLCustomEntity\"\r\n }\r\n ]\r\n }\r\n ],\r\n \"displayName\": \"(Preview) TI map IP entity to W3CIISLog\",\r\n \"description\": \"Identifies a match in W3CIISLog from any IP IOC from TI\",\r\n \"tactics\": [\r\n \"Impact\"\r\n ],\r\n \"lastUpdatedDateUTC\": \"2020-11-17T00:00:00Z\",\r\n \"createdDateUTC\": \"2019-08-27T00:00:00Z\",\r\n \"status\": \"Available\",\r\n \"requiredDataConnectors\": [\r\n {\r\n \"connectorId\": \"ThreatIntelligence\",\r\n \"dataTypes\": [\r\n \"ThreatIntelligenceIndicator\"\r\n ]\r\n },\r\n {\r\n \"connectorId\": \"ThreatIntelligenceTaxii\",\r\n \"dataTypes\": [\r\n \"ThreatIntelligenceIndicator\"\r\n ]\r\n },\r\n {\r\n \"connectorId\": \"AzureMonitor(IIS)\",\r\n \"dataTypes\": [\r\n \"W3CIISLog\"\r\n ]\r\n }\r\n ],\r\n \"alertRulesCreatedByTemplateCount\": 0\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/AlertRuleTemplates/3174a9ec-d0ad-4152-8307-94ed04fa450a\",\r\n \"name\": \"3174a9ec-d0ad-4152-8307-94ed04fa450a\",\r\n \"type\": \"Microsoft.SecurityInsights/AlertRuleTemplates\",\r\n \"kind\": \"Scheduled\",\r\n \"properties\": {\r\n \"severity\": \"High\",\r\n \"query\": \"let timeframe = 1d;\\nlet SHA256Hash = \\\"1174fd03271f80f5e2a6435c72bdd0272a6e3a37049f6190abf125b216a83471\\\" ;\\n(union isfuzzy=true\\n(CommonSecurityLog \\n| where TimeGenerated >= ago(timeframe) \\n| parse Message with * '(' DNSName ')' * \\n| where isnotempty(FileHash)\\n| where FileHash in (SHA256Hash) \\n| extend Account = SourceUserID, Computer = DeviceName, IPAddress = SourceIP\\n),\\n(Event\\n//This query uses sysmon data depending on table name used this may need updataing\\n| where TimeGenerated >= ago(3d)\\n| where Source == \\\"Microsoft-Windows-Sysmon\\\"\\n| extend EvData = parse_xml(EventData)\\n| extend EventDetail = EvData.DataItem.EventData.Data\\n| extend Hashes = EventDetail.[16].[\\\"#text\\\"]\\n| parse Hashes with * 'SHA256=' SHA265 ',' * \\n| where isnotempty(Hashes)\\n| where Hashes in (SHA256Hash) \\n| extend Account = UserName\\n)\\n)\\n| extend timestamp = TimeGenerated, AccountCustomEntity = Account, HostCustomEntity = Computer, IPCustomEntity = IPAddress\",\r\n \"queryFrequency\": \"P1D\",\r\n \"queryPeriod\": \"P1D\",\r\n \"triggerOperator\": \"GreaterThan\",\r\n \"triggerThreshold\": 0,\r\n \"entityMappings\": [\r\n {\r\n \"entityType\": \"Account\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"FullName\",\r\n \"columnName\": \"AccountCustomEntity\"\r\n }\r\n ]\r\n },\r\n {\r\n \"entityType\": \"Host\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"FullName\",\r\n \"columnName\": \"HostCustomEntity\"\r\n }\r\n ]\r\n },\r\n {\r\n \"entityType\": \"IP\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"Address\",\r\n \"columnName\": \"IPCustomEntity\"\r\n }\r\n ]\r\n }\r\n ],\r\n \"displayName\": \"Known ZINC related maldoc hash\",\r\n \"description\": \"Document hash used by ZINC in highly targeted spear phishing campaign.\",\r\n \"tactics\": [\r\n \"CommandAndControl\",\r\n \"CredentialAccess\"\r\n ],\r\n \"lastUpdatedDateUTC\": \"2020-11-17T00:00:00Z\",\r\n \"createdDateUTC\": \"2020-10-30T00:00:00Z\",\r\n \"status\": \"Available\",\r\n \"requiredDataConnectors\": [\r\n {\r\n \"connectorId\": \"CiscoASA\",\r\n \"dataTypes\": [\r\n \"CommonSecurityLog\"\r\n ]\r\n },\r\n {\r\n \"connectorId\": \"PaloAltoNetworks\",\r\n \"dataTypes\": [\r\n \"CommonSecurityLog\"\r\n ]\r\n },\r\n {\r\n \"connectorId\": \"SecurityEvents\",\r\n \"dataTypes\": [\r\n \"SecurityEvent\"\r\n ]\r\n }\r\n ],\r\n \"alertRulesCreatedByTemplateCount\": 0\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/AlertRuleTemplates/f15370f4-c6fa-42c5-9be4-1d308f40284e\",\r\n \"name\": \"f15370f4-c6fa-42c5-9be4-1d308f40284e\",\r\n \"type\": \"Microsoft.SecurityInsights/AlertRuleTemplates\",\r\n \"kind\": \"Scheduled\",\r\n \"properties\": {\r\n \"severity\": \"Medium\",\r\n \"query\": \"let dt_lookBack = 1h;\\nlet ioc_lookBack = 14d;\\nThreatIntelligenceIndicator\\n| where TimeGenerated >= ago(ioc_lookBack) and ExpirationDateTime > now()\\n| where Active == true\\n// Picking up only IOC's that contain the entities we want\\n| where isnotempty(NetworkIP) or isnotempty(EmailSourceIpAddress) or isnotempty(NetworkDestinationIP) or isnotempty(NetworkSourceIP)\\n// As there is potentially more than 1 indicator type for matching IP, taking NetworkIP first, then others if that is empty.\\n// Taking the first non-empty value based on potential IOC match availability\\n| extend TI_ipEntity = iff(isnotempty(NetworkIP), NetworkIP, NetworkDestinationIP)\\n| extend TI_ipEntity = iff(isempty(TI_ipEntity) and isnotempty(NetworkSourceIP), NetworkSourceIP, TI_ipEntity)\\n| extend TI_ipEntity = iff(isempty(TI_ipEntity) and isnotempty(EmailSourceIpAddress), EmailSourceIpAddress, TI_ipEntity)\\n| join (\\n OfficeActivity | where TimeGenerated >= ago(dt_lookBack)\\n // renaming time column so it is clear the log this came from\\n | extend OfficeActivity_TimeGenerated = TimeGenerated\\n)\\non $left.TI_ipEntity == $right.ClientIP\\n| summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId\\n| project LatestIndicatorTime, Description, ActivityGroupNames, IndicatorId, ThreatType, Url, ExpirationDateTime, ConfidenceScore, OfficeActivity_TimeGenerated,\\nTI_ipEntity, ClientIP, UserId, Operation, ResultStatus, RecordType, OfficeObjectId, NetworkIP, NetworkDestinationIP, NetworkSourceIP, EmailSourceIpAddress\\n| extend timestamp = OfficeActivity_TimeGenerated, IPCustomEntity = ClientIP, AccountCustomEntity = UserId, URLCustomEntity = Url\",\r\n \"queryFrequency\": \"PT1H\",\r\n \"queryPeriod\": \"P14D\",\r\n \"triggerOperator\": \"GreaterThan\",\r\n \"triggerThreshold\": 0,\r\n \"entityMappings\": [\r\n {\r\n \"entityType\": \"Account\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"FullName\",\r\n \"columnName\": \"AccountCustomEntity\"\r\n }\r\n ]\r\n },\r\n {\r\n \"entityType\": \"IP\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"Address\",\r\n \"columnName\": \"IPCustomEntity\"\r\n }\r\n ]\r\n },\r\n {\r\n \"entityType\": \"URL\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"Url\",\r\n \"columnName\": \"URLCustomEntity\"\r\n }\r\n ]\r\n }\r\n ],\r\n \"displayName\": \"(Preview) TI map IP entity to OfficeActivity\",\r\n \"description\": \"Identifies a match in OfficeActivity from any IP IOC from TI\",\r\n \"tactics\": [\r\n \"Impact\"\r\n ],\r\n \"lastUpdatedDateUTC\": \"2020-11-17T00:00:00Z\",\r\n \"createdDateUTC\": \"2019-08-27T00:00:00Z\",\r\n \"status\": \"Available\",\r\n \"requiredDataConnectors\": [\r\n {\r\n \"connectorId\": \"ThreatIntelligence\",\r\n \"dataTypes\": [\r\n \"ThreatIntelligenceIndicator\"\r\n ]\r\n },\r\n {\r\n \"connectorId\": \"ThreatIntelligenceTaxii\",\r\n \"dataTypes\": [\r\n \"ThreatIntelligenceIndicator\"\r\n ]\r\n },\r\n {\r\n \"connectorId\": \"Office365\",\r\n \"dataTypes\": [\r\n \"OfficeActivity\"\r\n ]\r\n }\r\n ],\r\n \"alertRulesCreatedByTemplateCount\": 0\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/AlertRuleTemplates/9c712bb2-08dc-44d3-b66b-af154dfc1c4f\",\r\n \"name\": \"9c712bb2-08dc-44d3-b66b-af154dfc1c4f\",\r\n \"type\": \"Microsoft.SecurityInsights/AlertRuleTemplates\",\r\n \"kind\": \"Anomaly\",\r\n \"properties\": {\r\n \"severity\": \"Informational\",\r\n \"anomalyDefinitionVersion\": \"0.0.1\",\r\n \"techniques\": [\r\n \"T1001\"\r\n ],\r\n \"customizableObservations\": {\r\n \"multiSelectObservations\": null,\r\n \"singleSelectObservations\": null,\r\n \"prioritizeExcludeObservations\": null,\r\n \"thresholdObservations\": [\r\n {\r\n \"minimum\": \"0\",\r\n \"maximum\": \"1\",\r\n \"value\": \"0.07\",\r\n \"name\": \"AnomalyScore\",\r\n \"description\": \"Generate an anomaly when score is greater than the chosen value\",\r\n \"sequenceNumber\": 1,\r\n \"rerun\": \"NotRequired\"\r\n }\r\n ]\r\n },\r\n \"frequency\": \"P1D\",\r\n \"displayName\": \"(Preview) Suspicious volume of logons to computer\",\r\n \"description\": \"This algorithm is to detect unusually high volume of successful logins per each workspace and computer. Successful logins are events with event id 4624.\",\r\n \"tactics\": [\r\n \"InitialAccess\"\r\n ],\r\n \"lastUpdatedDateUTC\": \"2020-11-19T00:00:00Z\",\r\n \"createdDateUTC\": \"2020-11-19T00:00:00Z\",\r\n \"status\": \"Available\",\r\n \"requiredDataConnectors\": [\r\n {\r\n \"connectorId\": \"SecurityEvents\",\r\n \"dataTypes\": [\r\n \"SecurityEvents\"\r\n ]\r\n }\r\n ],\r\n \"alertRulesCreatedByTemplateCount\": 0\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/AlertRuleTemplates/68271db2-cbe9-4009-b1d3-bb3b5fe5713c\",\r\n \"name\": \"68271db2-cbe9-4009-b1d3-bb3b5fe5713c\",\r\n \"type\": \"Microsoft.SecurityInsights/AlertRuleTemplates\",\r\n \"kind\": \"Scheduled\",\r\n \"properties\": {\r\n \"severity\": \"Low\",\r\n \"query\": \"let detectionTime = 30d;\\nlet User_Agents = dynamic ([\\\"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70\\\", \\n\\\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_1) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.1 Safari/605.1.15\\\", \\n\\\"Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:63.0) Gecko/20100101 Firefox/63.0\\\", \\n\\\"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.110 Safari/537.36\\\", \\n\\\"Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.110 Safari/537.36\\\"]);\\nOfficeActivity\\n| where TimeGenerated > ago(detectionTime)\\n| where RecordType in (\\\"AzureActiveDirectoryAccountLogon\\\", \\\"AzureActiveDirectoryStsLogon\\\") \\n| where Operation != 'UserLoggedIn'\\n| extend UserAgent = iff(parse_json(ExtendedProperties)[0].Name =~ \\\"UserAgent\\\", extractjson(\\\"$[0].Value\\\", ExtendedProperties, typeof(string)),\\\"\\\")\\n| mv-expand parse_json(ExtendedProperties)\\n| where ExtendedProperties.Name =~ \\\"RequestType\\\"\\n| extend RequestType = todynamic(ExtendedProperties).Value\\n| where UserAgent =~ \\\"ms-office\\\" or UserAgent has_any (User_Agents)\\n| summarize authAttempts=dcount(TimeGenerated), firstAttempt=min(TimeGenerated), lastAttempt=max(TimeGenerated), uniqueIPs=dcount(ClientIP), uniqueAccounts=dcount(UserId), attemptedAccounts=make_set(UserId) by UserAgent\\n| where authAttempts > 500\\n| extend timestamp = firstAttempt\\n| sort by uniqueAccounts\",\r\n \"queryFrequency\": \"P7D\",\r\n \"queryPeriod\": \"P14D\",\r\n \"triggerOperator\": \"GreaterThan\",\r\n \"triggerThreshold\": 0,\r\n \"displayName\": \"Possible STRONTIUM attempted credential harvesting\",\r\n \"description\": \"Surfaces potential STRONTIUM group Office365 credential harvesting attempts within OfficeActivity Logon events.\",\r\n \"tactics\": [\r\n \"CredentialAccess\"\r\n ],\r\n \"lastUpdatedDateUTC\": \"2020-11-05T00:00:00Z\",\r\n \"createdDateUTC\": \"2020-09-10T00:00:00Z\",\r\n \"status\": \"Available\",\r\n \"requiredDataConnectors\": [\r\n {\r\n \"connectorId\": \"Office365\",\r\n \"dataTypes\": [\r\n \"OfficeActivity\"\r\n ]\r\n }\r\n ],\r\n \"alertRulesCreatedByTemplateCount\": 0\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/AlertRuleTemplates/06107abb-1b68-4fdc-841b-8a1ff9301467\",\r\n \"name\": \"06107abb-1b68-4fdc-841b-8a1ff9301467\",\r\n \"type\": \"Microsoft.SecurityInsights/AlertRuleTemplates\",\r\n \"kind\": \"Anomaly\",\r\n \"properties\": {\r\n \"severity\": \"Informational\",\r\n \"anomalyDefinitionVersion\": \"1.0.0\",\r\n \"techniques\": [\r\n \"T1030\"\r\n ],\r\n \"customizableObservations\": {\r\n \"multiSelectObservations\": null,\r\n \"singleSelectObservations\": null,\r\n \"prioritizeExcludeObservations\": null,\r\n \"thresholdObservations\": [\r\n {\r\n \"minimum\": \"0\",\r\n \"maximum\": \"1\",\r\n \"value\": \"0.998\",\r\n \"name\": \"Receive_threshold\",\r\n \"description\": \"Generate an anomaly when score is greater than the chosen value\",\r\n \"sequenceNumber\": 0,\r\n \"rerun\": \"NotRequired\"\r\n },\r\n {\r\n \"minimum\": \"0\",\r\n \"maximum\": \"1\",\r\n \"value\": \"0.998\",\r\n \"name\": \"Send_threshold\",\r\n \"description\": \"Generate an anomaly when score is greater than the chosen value\",\r\n \"sequenceNumber\": 1,\r\n \"rerun\": \"NotRequired\"\r\n }\r\n ]\r\n },\r\n \"frequency\": \"P1D\",\r\n \"displayName\": \"(Preview) Palo Alto Networks - VPN data transfer anomaly\",\r\n \"description\": \"Data transfer anomaly over Palo Alto Globalprotect VPN session\",\r\n \"tactics\": [\r\n \"Exfiltration\"\r\n ],\r\n \"lastUpdatedDateUTC\": \"2020-11-17T00:00:00Z\",\r\n \"createdDateUTC\": \"2020-11-02T00:00:00Z\",\r\n \"status\": \"Available\",\r\n \"requiredDataConnectors\": [\r\n {\r\n \"connectorId\": \"PaloAltoNetworks\",\r\n \"dataTypes\": [\r\n \"CommonSecurityLog\"\r\n ]\r\n }\r\n ],\r\n \"alertRulesCreatedByTemplateCount\": 0\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/AlertRuleTemplates/957cb240-f45d-4491-9ba5-93430a3c08be\",\r\n \"name\": \"957cb240-f45d-4491-9ba5-93430a3c08be\",\r\n \"type\": \"Microsoft.SecurityInsights/AlertRuleTemplates\",\r\n \"kind\": \"Scheduled\",\r\n \"properties\": {\r\n \"severity\": \"Low\",\r\n \"query\": \"let timeframe = 1d;\\nOfficeActivity\\n| where TimeGenerated >= ago(timeframe)\\n| where Operation in~ ( \\\"Add-MailboxPermission\\\", \\\"Add-MailboxFolderPermission\\\", \\\"Set-Mailbox\\\", \\\"New-ManagementRoleAssignment\\\")\\nand not(UserId has_any ('NT AUTHORITY\\\\\\\\SYSTEM (Microsoft.Exchange.ServiceHost)','devilfish-applicationaccount') and Operation in~ ( \\\"Add-MailboxPermission\\\", \\\"Set-Mailbox\\\"))\\n| extend timestamp = TimeGenerated, AccountCustomEntity = UserId, IPCustomEntity = ClientIP\",\r\n \"queryFrequency\": \"P1D\",\r\n \"queryPeriod\": \"P1D\",\r\n \"triggerOperator\": \"GreaterThan\",\r\n \"triggerThreshold\": 0,\r\n \"entityMappings\": [\r\n {\r\n \"entityType\": \"Account\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"FullName\",\r\n \"columnName\": \"AccountCustomEntity\"\r\n }\r\n ]\r\n },\r\n {\r\n \"entityType\": \"IP\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"Address\",\r\n \"columnName\": \"IPCustomEntity\"\r\n }\r\n ]\r\n }\r\n ],\r\n \"displayName\": \"Rare and potentially high-risk Office operations\",\r\n \"description\": \"Identifies Office operations that are typically rare and can provide capabilities useful to attackers.\",\r\n \"tactics\": [\r\n \"Persistence\",\r\n \"Collection\"\r\n ],\r\n \"lastUpdatedDateUTC\": \"2020-11-17T00:00:00Z\",\r\n \"createdDateUTC\": \"2019-02-13T00:00:00Z\",\r\n \"status\": \"Available\",\r\n \"requiredDataConnectors\": [\r\n {\r\n \"connectorId\": \"Office365\",\r\n \"dataTypes\": [\r\n \"OfficeActivity\"\r\n ]\r\n }\r\n ],\r\n \"alertRulesCreatedByTemplateCount\": 0\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/AlertRuleTemplates/795edf2d-cf3e-45b5-8452-fe6c9e6a582e\",\r\n \"name\": \"795edf2d-cf3e-45b5-8452-fe6c9e6a582e\",\r\n \"type\": \"Microsoft.SecurityInsights/AlertRuleTemplates\",\r\n \"kind\": \"Scheduled\",\r\n \"properties\": {\r\n \"severity\": \"Medium\",\r\n \"query\": \"let timeframe = 1h;\\nCommonSecurityLog \\n| where TimeGenerated >= ago(timeframe)\\n| where isempty(CommunicationDirection) \\n| where DeviceEventClassID in (\\\"733101\\\",\\\"733102\\\",\\\"733103\\\",\\\"733104\\\",\\\"733105\\\")\\n| extend timestamp = TimeGenerated, IPCustomEntity = SourceIP, HostCustomEntity = DeviceName\",\r\n \"queryFrequency\": \"PT1H\",\r\n \"queryPeriod\": \"PT1H\",\r\n \"triggerOperator\": \"GreaterThan\",\r\n \"triggerThreshold\": 0,\r\n \"entityMappings\": [\r\n {\r\n \"entityType\": \"Host\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"FullName\",\r\n \"columnName\": \"HostCustomEntity\"\r\n }\r\n ]\r\n },\r\n {\r\n \"entityType\": \"IP\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"Address\",\r\n \"columnName\": \"IPCustomEntity\"\r\n }\r\n ]\r\n }\r\n ],\r\n \"displayName\": \"Cisco ASA - threat detection message fired\",\r\n \"description\": \"Identifies when the Cisco ASA Threat Detection engine fired an alert based on malicious activity occurring on the network inicated by DeviceEventClassID 733101-733105\\nResources: https://www.cisco.com/c/en/us/td/docs/security/asa/syslog/b_syslog/syslogs9.html\\nDetails on how to further troubleshoot/investigate: https://www.cisco.com/c/en/us/support/docs/security/asa-5500-x-series-next-generation-firewalls/113685-asa-threat-detection.html\",\r\n \"tactics\": [\r\n \"Discovery\",\r\n \"Impact\"\r\n ],\r\n \"lastUpdatedDateUTC\": \"2020-11-17T00:00:00Z\",\r\n \"createdDateUTC\": \"2019-02-28T00:00:00Z\",\r\n \"status\": \"Available\",\r\n \"requiredDataConnectors\": [\r\n {\r\n \"connectorId\": \"CiscoASA\",\r\n \"dataTypes\": [\r\n \"CommonSecurityLog\"\r\n ]\r\n }\r\n ],\r\n \"alertRulesCreatedByTemplateCount\": 0\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/AlertRuleTemplates/4d94d4a9-dc96-410a-8dea-4d4d4584188b\",\r\n \"name\": \"4d94d4a9-dc96-410a-8dea-4d4d4584188b\",\r\n \"type\": \"Microsoft.SecurityInsights/AlertRuleTemplates\",\r\n \"kind\": \"Scheduled\",\r\n \"properties\": {\r\n \"severity\": \"Medium\",\r\n \"query\": \"let timeframe = 1h;\\nlet OperationList = dynamic([\\\"Add member to role\\\",\\\"Add member to role in PIM requested (permanent)\\\"]);\\nlet PrivilegedGroups = dynamic([\\\"UserAccountAdmins\\\",\\\"PrivilegedRoleAdmins\\\",\\\"TenantAdmins\\\"]);\\nAuditLogs\\n| where TimeGenerated >= ago(timeframe)\\n| where LoggedByService =~ \\\"Core Directory\\\"\\n| where Category =~ \\\"RoleManagement\\\"\\n| where OperationName in~ (OperationList)\\n| mv-expand TargetResources\\n| extend modifiedProperties = parse_json(TargetResources).modifiedProperties\\n| mv-expand modifiedProperties\\n| extend DisplayName = tostring(parse_json(modifiedProperties).displayName), GroupName = trim(@'\\\"',tostring(parse_json(modifiedProperties).newValue))\\n| extend AppId = tostring(parse_json(parse_json(InitiatedBy).app).appId), InitiatedByDisplayName = tostring(parse_json(parse_json(InitiatedBy).app).displayName), ServicePrincipalId = tostring(parse_json(parse_json(InitiatedBy).app).servicePrincipalId), ServicePrincipalName = tostring(parse_json(parse_json(InitiatedBy).app).servicePrincipalName)\\n| where DisplayName =~ \\\"Role.WellKnownObjectName\\\"\\n| where GroupName in~ (PrivilegedGroups)\\n// If you want to still alert for operations from PIM, remove below filtering for MS-PIM.\\n| where InitiatedByDisplayName != \\\"MS-PIM\\\"\\n| project TimeGenerated, AADOperationType, Category, OperationName, AADTenantId, AppId, InitiatedByDisplayName, ServicePrincipalId, ServicePrincipalName, DisplayName, GroupName\\n| extend timestamp = TimeGenerated, AccountCustomEntity = ServicePrincipalName\",\r\n \"queryFrequency\": \"PT1H\",\r\n \"queryPeriod\": \"PT1H\",\r\n \"triggerOperator\": \"GreaterThan\",\r\n \"triggerThreshold\": 0,\r\n \"entityMappings\": [\r\n {\r\n \"entityType\": \"Account\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"FullName\",\r\n \"columnName\": \"AccountCustomEntity\"\r\n }\r\n ]\r\n }\r\n ],\r\n \"displayName\": \"User added to Azure Active Directory Privileged Groups\",\r\n \"description\": \"This will alert when a user is added to any of the Privileged Groups.\\nFor further information on AuditLogs please see https://docs.microsoft.com/azure/active-directory/reports-monitoring/reference-audit-activities.\\nFor Administrator role permissions in Azure Active Directory please see https://docs.microsoft.com/azure/active-directory/users-groups-roles/directory-assign-admin-roles\",\r\n \"tactics\": [\r\n \"Persistence\",\r\n \"PrivilegeEscalation\"\r\n ],\r\n \"lastUpdatedDateUTC\": \"2020-11-17T00:00:00Z\",\r\n \"createdDateUTC\": \"2020-07-15T00:00:00Z\",\r\n \"status\": \"Available\",\r\n \"requiredDataConnectors\": [\r\n {\r\n \"connectorId\": \"AzureActiveDirectory\",\r\n \"dataTypes\": [\r\n \"AuditLogs\"\r\n ]\r\n }\r\n ],\r\n \"alertRulesCreatedByTemplateCount\": 0\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/AlertRuleTemplates/dd0a6029-ecef-4507-89c4-fc355ac52111\",\r\n \"name\": \"dd0a6029-ecef-4507-89c4-fc355ac52111\",\r\n \"type\": \"Microsoft.SecurityInsights/AlertRuleTemplates\",\r\n \"kind\": \"Scheduled\",\r\n \"properties\": {\r\n \"severity\": \"Medium\",\r\n \"query\": \"let dt_lookBack = 1h;\\nlet ioc_lookBack = 14d;\\n//Create a list of TLDs in our threat feed for later validation of extracted domains\\nlet list_tlds = ThreatIntelligenceIndicator\\n | where TimeGenerated > ago(ioc_lookBack)\\n | where isnotempty(DomainName)\\n | extend DomainName = tolower(DomainName)\\n | extend parts = split(DomainName, '.')\\n | extend tld = parts[(array_length(parts)-1)]\\n | summarize count() by tostring(tld)\\n | summarize make_list(tld);\\n ThreatIntelligenceIndicator\\n | where TimeGenerated >= ago(ioc_lookBack) and ExpirationDateTime > now()\\n | summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId\\n | where Active == true\\n // Picking up only IOC's that contain the entities we want\\n | where isnotempty(DomainName)\\n | join (\\n CommonSecurityLog\\n | extend IngestionTime = ingestion_time()\\n | where IngestionTime > ago(dt_lookBack)\\n | where DeviceEventClassID =~ 'url'\\n //Uncomment the line below to only alert on allowed connections\\n //| where DeviceAction !~ \\\"block-url\\\"\\n //Extract domain from RequestURL, if not present extarct it from AdditionalExtentions\\n | extend PA_Url = columnifexists(\\\"RequestURL\\\", \\\"None\\\")\\n | extend PA_Url = iif(isempty(PA_Url) and AdditionalExtensions !startswith \\\"PanOS\\\", extract(\\\"([^\\\\\\\"]+)\\\", 1, tolower(AdditionalExtensions)), trim('\\\"', PA_Url))\\n | extend PA_Url = iif(PA_Url !startswith \\\"http://\\\" and ApplicationProtocol !~ \\\"ssl\\\", strcat('http://', PA_Url), iif(PA_Url !startswith \\\"https://\\\" and ApplicationProtocol =~ \\\"ssl\\\", strcat('https://', PA_Url), PA_Url))\\n | extend Domain = trim(@\\\"\\\"\\\"\\\",tostring(parse_url(PA_Url).Host))\\n | where isnotempty(Domain)\\n | extend Domain = tolower(Domain)\\n | extend parts = split(Domain, '.')\\n //Split out the TLD for the purpose of checking if we have any TI indicators with this TLD to match on\\n | extend tld = parts[(array_length(parts)-1)]\\n //Validate parsed domain by checking TLD against TLDs from threat feed and drop domains where there is no chance of a match\\n | where tld in~ (list_tlds)\\n | extend CSL_TimeGenerated = TimeGenerated\\n ) on $left.DomainName==$right.Domain\\n | project LatestIndicatorTime, Description, ActivityGroupNames, PA_Url, Domain, IndicatorId, ThreatType, ExpirationDateTime, ConfidenceScore, CSL_TimeGenerated, DeviceAction, DestinationIP, DestinationPort, DeviceName, SourceIP, SourcePort, ApplicationProtocol, RequestMethod\\n | extend timestamp = CSL_TimeGenerated, IPCustomEntity = SourceIP, HostCustomEntity = DeviceName, URLCustomEntity = PA_Url\",\r\n \"queryFrequency\": \"PT1H\",\r\n \"queryPeriod\": \"P14D\",\r\n \"triggerOperator\": \"GreaterThan\",\r\n \"triggerThreshold\": 0,\r\n \"entityMappings\": [\r\n {\r\n \"entityType\": \"Host\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"FullName\",\r\n \"columnName\": \"HostCustomEntity\"\r\n }\r\n ]\r\n },\r\n {\r\n \"entityType\": \"IP\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"Address\",\r\n \"columnName\": \"IPCustomEntity\"\r\n }\r\n ]\r\n },\r\n {\r\n \"entityType\": \"URL\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"Url\",\r\n \"columnName\": \"URLCustomEntity\"\r\n }\r\n ]\r\n }\r\n ],\r\n \"displayName\": \"(Preview) TI map Domain entity to CommonSecurityLog\",\r\n \"description\": \"Identifies a match in CommonSecurityLog table from any Domain IOC from TI\",\r\n \"tactics\": [\r\n \"Impact\"\r\n ],\r\n \"lastUpdatedDateUTC\": \"2020-11-17T00:00:00Z\",\r\n \"createdDateUTC\": \"2019-08-28T00:00:00Z\",\r\n \"status\": \"Available\",\r\n \"requiredDataConnectors\": [\r\n {\r\n \"connectorId\": \"ThreatIntelligence\",\r\n \"dataTypes\": [\r\n \"ThreatIntelligenceIndicator\"\r\n ]\r\n },\r\n {\r\n \"connectorId\": \"ThreatIntelligenceTaxii\",\r\n \"dataTypes\": [\r\n \"ThreatIntelligenceIndicator\"\r\n ]\r\n }\r\n ],\r\n \"alertRulesCreatedByTemplateCount\": 0\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/AlertRuleTemplates/157c0cfc-d76d-463b-8755-c781608cdc1a\",\r\n \"name\": \"157c0cfc-d76d-463b-8755-c781608cdc1a\",\r\n \"type\": \"Microsoft.SecurityInsights/AlertRuleTemplates\",\r\n \"kind\": \"Scheduled\",\r\n \"properties\": {\r\n \"severity\": \"Medium\",\r\n \"query\": \"let PrivateIPregex = @'^127\\\\.|^10\\\\.|^172\\\\.1[6-9]\\\\.|^172\\\\.2[0-9]\\\\.|^172\\\\.3[0-1]\\\\.|^192\\\\.168\\\\.';\\nlet endtime = 1d;\\nCommonSecurityLog\\n| where TimeGenerated >= ago(endtime) \\n| where DeviceVendor =~ \\\"Cisco\\\"\\n| where DeviceAction =~ \\\"denied\\\"\\n| extend SourceIPType = iff(SourceIP matches regex PrivateIPregex,\\\"private\\\" ,\\\"public\\\" )\\n| where SourceIPType == \\\"public\\\"\\n| summarize count() by SourceIP\\n| join (\\n // Successful signins from IPs blocked by the firewall solution are suspect\\n // Include fully successful sign-ins, but also ones that failed only at MFA stage\\n // as that supposes the password was sucessfully guessed.\\n SigninLogs\\n | where ResultType in (\\\"0\\\", \\\"50074\\\", \\\"50076\\\") \\n) on $left.SourceIP == $right.IPAddress\\n| extend timestamp = TimeGenerated, IPCustomEntity = SourceIP, AccountCustomEntity = UserPrincipalName\",\r\n \"queryFrequency\": \"P1D\",\r\n \"queryPeriod\": \"P1D\",\r\n \"triggerOperator\": \"GreaterThan\",\r\n \"triggerThreshold\": 0,\r\n \"entityMappings\": [\r\n {\r\n \"entityType\": \"Account\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"FullName\",\r\n \"columnName\": \"AccountCustomEntity\"\r\n }\r\n ]\r\n },\r\n {\r\n \"entityType\": \"IP\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"Address\",\r\n \"columnName\": \"IPCustomEntity\"\r\n }\r\n ]\r\n }\r\n ],\r\n \"displayName\": \"Cisco - firewall block but success logon to Azure AD\",\r\n \"description\": \"Correlate IPs blocked by a Cisco firewall appliance with successful Azure Active Directory signins. \\nBecause the IP was blocked by the firewall, that same IP logging on successfully to AAD is potentially suspect\\nand could indicate credential compromise for the user account.\",\r\n \"tactics\": [\r\n \"InitialAccess\"\r\n ],\r\n \"lastUpdatedDateUTC\": \"2020-11-17T00:00:00Z\",\r\n \"createdDateUTC\": \"2019-07-08T00:00:00Z\",\r\n \"status\": \"Available\",\r\n \"requiredDataConnectors\": [\r\n {\r\n \"connectorId\": \"CiscoASA\",\r\n \"dataTypes\": [\r\n \"CommonSecurityLog\"\r\n ]\r\n },\r\n {\r\n \"connectorId\": \"AzureActiveDirectory\",\r\n \"dataTypes\": [\r\n \"SigninLogs\"\r\n ]\r\n }\r\n ],\r\n \"alertRulesCreatedByTemplateCount\": 0\r\n }\r\n }\r\n ]\r\n}",
+ "StatusCode": 200
+ }
+ ],
+ "Names": {},
+ "Variables": {
+ "SubscriptionId": "1c61ccbf-70b3-45a3-a1fb-848ce46d70a6"
+ }
+}
\ No newline at end of file
diff --git a/src/SecurityInsights/SecurityInsights.Test/SessionRecords/Microsoft.Azure.Commands.SecurityInsights.Test.ScenarioTests.AlertRulesTests/CreateAlertRuleFusion.json b/src/SecurityInsights/SecurityInsights.Test/SessionRecords/Microsoft.Azure.Commands.SecurityInsights.Test.ScenarioTests.AlertRulesTests/CreateAlertRuleFusion.json
new file mode 100644
index 000000000000..4f63501330d2
--- /dev/null
+++ b/src/SecurityInsights/SecurityInsights.Test/SessionRecords/Microsoft.Azure.Commands.SecurityInsights.Test.ScenarioTests.AlertRulesTests/CreateAlertRuleFusion.json
@@ -0,0 +1,146 @@
+{
+ "Entries": [
+ {
+ "RequestUri": "/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/alertRules/db5ded90-76a4-4c59-8581-1c8b7601b375?api-version=2020-01-01",
+ "EncodedRequestUri": "L3N1YnNjcmlwdGlvbnMvMWM2MWNjYmYtNzBiMy00NWEzLWExZmItODQ4Y2U0NmQ3MGE2L3Jlc291cmNlR3JvdXBzL25kaWNvbGEtYXpzcG9zaC9wcm92aWRlcnMvTWljcm9zb2Z0Lk9wZXJhdGlvbmFsSW5zaWdodHMvd29ya3NwYWNlcy9henNwb3NoL3Byb3ZpZGVycy9NaWNyb3NvZnQuU2VjdXJpdHlJbnNpZ2h0cy9hbGVydFJ1bGVzL2RiNWRlZDkwLTc2YTQtNGM1OS04NTgxLTFjOGI3NjAxYjM3NT9hcGktdmVyc2lvbj0yMDIwLTAxLTAx",
+ "RequestMethod": "PUT",
+ "RequestBody": "{\r\n \"kind\": \"Fusion\",\r\n \"properties\": {\r\n \"alertRuleTemplateName\": \"f71aba3d-28fb-450b-b192-4e76a83015c8\",\r\n \"enabled\": true\r\n }\r\n}",
+ "RequestHeaders": {
+ "x-ms-client-request-id": [
+ "b7fa7f2c-314e-44c9-acc1-b941919e0fd4"
+ ],
+ "Accept-Language": [
+ "en-US"
+ ],
+ "User-Agent": [
+ "FxVersion/4.6.29321.03",
+ "OSName/Windows",
+ "OSVersion/Microsoft.Windows.10.0.19042.",
+ "Microsoft.Azure.Management.SecurityInsights.SecurityInsightsClient/1.0.0.0"
+ ],
+ "Content-Type": [
+ "application/json; charset=utf-8"
+ ],
+ "Content-Length": [
+ "140"
+ ]
+ },
+ "ResponseHeaders": {
+ "Cache-Control": [
+ "no-cache"
+ ],
+ "Pragma": [
+ "no-cache"
+ ],
+ "x-ms-ratelimit-remaining-subscription-writes": [
+ "1195"
+ ],
+ "api-supported-versions": [
+ "2019-01-01-preview"
+ ],
+ "Server": [
+ "Kestrel"
+ ],
+ "x-ms-request-id": [
+ "d91029a8-4b70-43ba-a43d-71d463ef5971"
+ ],
+ "x-ms-correlation-request-id": [
+ "d91029a8-4b70-43ba-a43d-71d463ef5971"
+ ],
+ "x-ms-routing-request-id": [
+ "WESTUS2:20201210T212212Z:d91029a8-4b70-43ba-a43d-71d463ef5971"
+ ],
+ "Strict-Transport-Security": [
+ "max-age=31536000; includeSubDomains"
+ ],
+ "X-Content-Type-Options": [
+ "nosniff"
+ ],
+ "Date": [
+ "Thu, 10 Dec 2020 21:22:11 GMT"
+ ],
+ "Content-Length": [
+ "2126"
+ ],
+ "Content-Type": [
+ "application/json; charset=utf-8"
+ ],
+ "Expires": [
+ "-1"
+ ]
+ },
+ "ResponseBody": "{\r\n \"id\": \"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/alertRules/db5ded90-76a4-4c59-8581-1c8b7601b375\",\r\n \"name\": \"db5ded90-76a4-4c59-8581-1c8b7601b375\",\r\n \"etag\": \"\\\"c20083e9-0000-0100-0000-5fd291840000\\\"\",\r\n \"type\": \"Microsoft.SecurityInsights/alertRules\",\r\n \"kind\": \"Fusion\",\r\n \"properties\": {\r\n \"displayName\": \"Advanced Multistage Attack Detection\",\r\n \"description\": \"Using Fusion technology based on machine learning, Azure Sentinel automatically detects multistage attacks by identifying combinations of anomalous behaviors and suspicious activities observed at various stages of the kill chain. On the basis of these discoveries, Azure Sentinel generates incidents that would otherwise be very difficult to catch. By design, these incidents are low-volume, high-fidelity, and high-severity, which is why this detection is turned ON by default.\\n\\nThere are a total of 70 Fusion incident types detected by Azure Sentinel.\\n- 65 of these show the combination of suspicious Azure Active Directory sign-in events followed by anomalous Office 365 activity. Out of these 65, 30 are in public preview. \\n- The remaining five incident types show the combination of anomalous signals from Microsoft Defender Advanced Threat Protection and from Palo Alto Networks firewalls. These five types are all in public preview.\\n\\nTo detect these multistage attacks, the following data connectors must be configured:\\n- Azure Active Directory Identity Protection.\\n- Microsoft Cloud App Security.\\n- Microsoft Defender Advanced Threat Protection.\\n- Palo Alto Networks.\\n\\nFor a full list and description of each scenario that is supported for these multistage attacks, go to https://aka.ms/SentinelFusion.\",\r\n \"alertRuleTemplateName\": \"f71aba3d-28fb-450b-b192-4e76a83015c8\",\r\n \"tactics\": [\r\n \"Collection\",\r\n \"CommandAndControl\",\r\n \"DefenseEvasion\",\r\n \"Discovery\",\r\n \"Execution\",\r\n \"Exfiltration\",\r\n \"Impact\",\r\n \"InitialAccess\",\r\n \"LateralMovement\",\r\n \"Persistence\",\r\n \"PrivilegeEscalation\"\r\n ],\r\n \"severity\": \"High\",\r\n \"enabled\": true,\r\n \"lastModifiedUtc\": \"2020-12-10T21:22:12.0573555Z\"\r\n }\r\n}",
+ "StatusCode": 201
+ },
+ {
+ "RequestUri": "/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/alertRules/db5ded90-76a4-4c59-8581-1c8b7601b375?api-version=2020-01-01",
+ "EncodedRequestUri": "L3N1YnNjcmlwdGlvbnMvMWM2MWNjYmYtNzBiMy00NWEzLWExZmItODQ4Y2U0NmQ3MGE2L3Jlc291cmNlR3JvdXBzL25kaWNvbGEtYXpzcG9zaC9wcm92aWRlcnMvTWljcm9zb2Z0Lk9wZXJhdGlvbmFsSW5zaWdodHMvd29ya3NwYWNlcy9henNwb3NoL3Byb3ZpZGVycy9NaWNyb3NvZnQuU2VjdXJpdHlJbnNpZ2h0cy9hbGVydFJ1bGVzL2RiNWRlZDkwLTc2YTQtNGM1OS04NTgxLTFjOGI3NjAxYjM3NT9hcGktdmVyc2lvbj0yMDIwLTAxLTAx",
+ "RequestMethod": "DELETE",
+ "RequestBody": "",
+ "RequestHeaders": {
+ "x-ms-client-request-id": [
+ "97738b72-5133-4d4f-9788-1a73315fb340"
+ ],
+ "Accept-Language": [
+ "en-US"
+ ],
+ "User-Agent": [
+ "FxVersion/4.6.29321.03",
+ "OSName/Windows",
+ "OSVersion/Microsoft.Windows.10.0.19042.",
+ "Microsoft.Azure.Management.SecurityInsights.SecurityInsightsClient/1.0.0.0"
+ ]
+ },
+ "ResponseHeaders": {
+ "Cache-Control": [
+ "no-cache"
+ ],
+ "Pragma": [
+ "no-cache"
+ ],
+ "x-ms-ratelimit-remaining-subscription-deletes": [
+ "14998"
+ ],
+ "api-supported-versions": [
+ "2019-01-01-preview"
+ ],
+ "Server": [
+ "Kestrel"
+ ],
+ "x-ms-request-id": [
+ "2e134737-b114-4712-8430-19d51bd09959"
+ ],
+ "x-ms-correlation-request-id": [
+ "2e134737-b114-4712-8430-19d51bd09959"
+ ],
+ "x-ms-routing-request-id": [
+ "WESTUS2:20201210T212212Z:2e134737-b114-4712-8430-19d51bd09959"
+ ],
+ "Strict-Transport-Security": [
+ "max-age=31536000; includeSubDomains"
+ ],
+ "X-Content-Type-Options": [
+ "nosniff"
+ ],
+ "Date": [
+ "Thu, 10 Dec 2020 21:22:11 GMT"
+ ],
+ "Content-Length": [
+ "2"
+ ],
+ "Content-Type": [
+ "application/json; charset=utf-8"
+ ],
+ "Expires": [
+ "-1"
+ ]
+ },
+ "ResponseBody": "{}",
+ "StatusCode": 200
+ }
+ ],
+ "Names": {},
+ "Variables": {
+ "SubscriptionId": "1c61ccbf-70b3-45a3-a1fb-848ce46d70a6"
+ }
+}
\ No newline at end of file
diff --git a/src/SecurityInsights/SecurityInsights.Test/SessionRecords/Microsoft.Azure.Commands.SecurityInsights.Test.ScenarioTests.AlertRulesTests/CreateAlertRuleMSIC.json b/src/SecurityInsights/SecurityInsights.Test/SessionRecords/Microsoft.Azure.Commands.SecurityInsights.Test.ScenarioTests.AlertRulesTests/CreateAlertRuleMSIC.json
new file mode 100644
index 000000000000..7fb7f2aa79ce
--- /dev/null
+++ b/src/SecurityInsights/SecurityInsights.Test/SessionRecords/Microsoft.Azure.Commands.SecurityInsights.Test.ScenarioTests.AlertRulesTests/CreateAlertRuleMSIC.json
@@ -0,0 +1,146 @@
+{
+ "Entries": [
+ {
+ "RequestUri": "/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/alertRules/b3ccc517-c3ba-4134-abd1-43256d0d9f4e?api-version=2020-01-01",
+ "EncodedRequestUri": "L3N1YnNjcmlwdGlvbnMvMWM2MWNjYmYtNzBiMy00NWEzLWExZmItODQ4Y2U0NmQ3MGE2L3Jlc291cmNlR3JvdXBzL25kaWNvbGEtYXpzcG9zaC9wcm92aWRlcnMvTWljcm9zb2Z0Lk9wZXJhdGlvbmFsSW5zaWdodHMvd29ya3NwYWNlcy9henNwb3NoL3Byb3ZpZGVycy9NaWNyb3NvZnQuU2VjdXJpdHlJbnNpZ2h0cy9hbGVydFJ1bGVzL2IzY2NjNTE3LWMzYmEtNDEzNC1hYmQxLTQzMjU2ZDBkOWY0ZT9hcGktdmVyc2lvbj0yMDIwLTAxLTAx",
+ "RequestMethod": "PUT",
+ "RequestBody": "{\r\n \"kind\": \"MicrosoftSecurityIncidentCreation\",\r\n \"properties\": {\r\n \"productFilter\": \"Azure Security Center for IoT\",\r\n \"alertRuleTemplateName\": \"a2e0eb51-1f11-461a-999b-cd0ebe5c7a72\",\r\n \"displayName\": \"MSICposhTest\",\r\n \"enabled\": true\r\n }\r\n}",
+ "RequestHeaders": {
+ "x-ms-client-request-id": [
+ "a11bbc4a-5368-4799-b9d4-03649dabdf76"
+ ],
+ "Accept-Language": [
+ "en-US"
+ ],
+ "User-Agent": [
+ "FxVersion/4.6.29321.03",
+ "OSName/Windows",
+ "OSVersion/Microsoft.Windows.10.0.19042.",
+ "Microsoft.Azure.Management.SecurityInsights.SecurityInsightsClient/1.0.0.0"
+ ],
+ "Content-Type": [
+ "application/json; charset=utf-8"
+ ],
+ "Content-Length": [
+ "258"
+ ]
+ },
+ "ResponseHeaders": {
+ "Cache-Control": [
+ "no-cache"
+ ],
+ "Pragma": [
+ "no-cache"
+ ],
+ "x-ms-ratelimit-remaining-subscription-writes": [
+ "1197"
+ ],
+ "api-supported-versions": [
+ "2019-01-01-preview"
+ ],
+ "Server": [
+ "Kestrel"
+ ],
+ "x-ms-request-id": [
+ "c84accd1-6c56-47e7-80d4-835719229e53"
+ ],
+ "x-ms-correlation-request-id": [
+ "c84accd1-6c56-47e7-80d4-835719229e53"
+ ],
+ "x-ms-routing-request-id": [
+ "WESTUS2:20201210T212029Z:c84accd1-6c56-47e7-80d4-835719229e53"
+ ],
+ "Strict-Transport-Security": [
+ "max-age=31536000; includeSubDomains"
+ ],
+ "X-Content-Type-Options": [
+ "nosniff"
+ ],
+ "Date": [
+ "Thu, 10 Dec 2020 21:20:29 GMT"
+ ],
+ "Content-Length": [
+ "757"
+ ],
+ "Content-Type": [
+ "application/json; charset=utf-8"
+ ],
+ "Expires": [
+ "-1"
+ ]
+ },
+ "ResponseBody": "{\r\n \"id\": \"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/alertRules/b3ccc517-c3ba-4134-abd1-43256d0d9f4e\",\r\n \"name\": \"b3ccc517-c3ba-4134-abd1-43256d0d9f4e\",\r\n \"etag\": \"\\\"c20049e0-0000-0100-0000-5fd2911d0000\\\"\",\r\n \"type\": \"Microsoft.SecurityInsights/alertRules\",\r\n \"kind\": \"MicrosoftSecurityIncidentCreation\",\r\n \"properties\": {\r\n \"productFilter\": \"Azure Security Center for IoT\",\r\n \"severitiesFilter\": null,\r\n \"displayNamesFilter\": null,\r\n \"displayNamesExcludeFilter\": null,\r\n \"displayName\": \"MSICposhTest\",\r\n \"enabled\": true,\r\n \"description\": null,\r\n \"tactics\": null,\r\n \"alertRuleTemplateName\": \"a2e0eb51-1f11-461a-999b-cd0ebe5c7a72\",\r\n \"lastModifiedUtc\": \"2020-12-10T21:20:29.6469805Z\"\r\n }\r\n}",
+ "StatusCode": 201
+ },
+ {
+ "RequestUri": "/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/alertRules/b3ccc517-c3ba-4134-abd1-43256d0d9f4e?api-version=2020-01-01",
+ "EncodedRequestUri": "L3N1YnNjcmlwdGlvbnMvMWM2MWNjYmYtNzBiMy00NWEzLWExZmItODQ4Y2U0NmQ3MGE2L3Jlc291cmNlR3JvdXBzL25kaWNvbGEtYXpzcG9zaC9wcm92aWRlcnMvTWljcm9zb2Z0Lk9wZXJhdGlvbmFsSW5zaWdodHMvd29ya3NwYWNlcy9henNwb3NoL3Byb3ZpZGVycy9NaWNyb3NvZnQuU2VjdXJpdHlJbnNpZ2h0cy9hbGVydFJ1bGVzL2IzY2NjNTE3LWMzYmEtNDEzNC1hYmQxLTQzMjU2ZDBkOWY0ZT9hcGktdmVyc2lvbj0yMDIwLTAxLTAx",
+ "RequestMethod": "DELETE",
+ "RequestBody": "",
+ "RequestHeaders": {
+ "x-ms-client-request-id": [
+ "5e76a682-4ca5-48ae-887a-afcad59cd62c"
+ ],
+ "Accept-Language": [
+ "en-US"
+ ],
+ "User-Agent": [
+ "FxVersion/4.6.29321.03",
+ "OSName/Windows",
+ "OSVersion/Microsoft.Windows.10.0.19042.",
+ "Microsoft.Azure.Management.SecurityInsights.SecurityInsightsClient/1.0.0.0"
+ ]
+ },
+ "ResponseHeaders": {
+ "Cache-Control": [
+ "no-cache"
+ ],
+ "Pragma": [
+ "no-cache"
+ ],
+ "x-ms-ratelimit-remaining-subscription-deletes": [
+ "14998"
+ ],
+ "api-supported-versions": [
+ "2019-01-01-preview"
+ ],
+ "Server": [
+ "Kestrel"
+ ],
+ "x-ms-request-id": [
+ "e5acae25-57ec-4a94-b924-daa3f3d5c799"
+ ],
+ "x-ms-correlation-request-id": [
+ "e5acae25-57ec-4a94-b924-daa3f3d5c799"
+ ],
+ "x-ms-routing-request-id": [
+ "WESTUS2:20201210T212029Z:e5acae25-57ec-4a94-b924-daa3f3d5c799"
+ ],
+ "Strict-Transport-Security": [
+ "max-age=31536000; includeSubDomains"
+ ],
+ "X-Content-Type-Options": [
+ "nosniff"
+ ],
+ "Date": [
+ "Thu, 10 Dec 2020 21:20:29 GMT"
+ ],
+ "Content-Length": [
+ "2"
+ ],
+ "Content-Type": [
+ "application/json; charset=utf-8"
+ ],
+ "Expires": [
+ "-1"
+ ]
+ },
+ "ResponseBody": "{}",
+ "StatusCode": 200
+ }
+ ],
+ "Names": {},
+ "Variables": {
+ "SubscriptionId": "1c61ccbf-70b3-45a3-a1fb-848ce46d70a6"
+ }
+}
\ No newline at end of file
diff --git a/src/SecurityInsights/SecurityInsights.Test/SessionRecords/Microsoft.Azure.Commands.SecurityInsights.Test.ScenarioTests.AlertRulesTests/CreateAlertRuleScheduled.json b/src/SecurityInsights/SecurityInsights.Test/SessionRecords/Microsoft.Azure.Commands.SecurityInsights.Test.ScenarioTests.AlertRulesTests/CreateAlertRuleScheduled.json
new file mode 100644
index 000000000000..18faa7fdea8e
--- /dev/null
+++ b/src/SecurityInsights/SecurityInsights.Test/SessionRecords/Microsoft.Azure.Commands.SecurityInsights.Test.ScenarioTests.AlertRulesTests/CreateAlertRuleScheduled.json
@@ -0,0 +1,146 @@
+{
+ "Entries": [
+ {
+ "RequestUri": "/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/alertRules/103818ba-9f48-41af-bf1b-101f797ab82e?api-version=2020-01-01",
+ "EncodedRequestUri": "L3N1YnNjcmlwdGlvbnMvMWM2MWNjYmYtNzBiMy00NWEzLWExZmItODQ4Y2U0NmQ3MGE2L3Jlc291cmNlR3JvdXBzL25kaWNvbGEtYXpzcG9zaC9wcm92aWRlcnMvTWljcm9zb2Z0Lk9wZXJhdGlvbmFsSW5zaWdodHMvd29ya3NwYWNlcy9henNwb3NoL3Byb3ZpZGVycy9NaWNyb3NvZnQuU2VjdXJpdHlJbnNpZ2h0cy9hbGVydFJ1bGVzLzEwMzgxOGJhLTlmNDgtNDFhZi1iZjFiLTEwMWY3OTdhYjgyZT9hcGktdmVyc2lvbj0yMDIwLTAxLTAx",
+ "RequestMethod": "PUT",
+ "RequestBody": "{\r\n \"kind\": \"Scheduled\",\r\n \"properties\": {\r\n \"query\": \"SecurityAlert | take 1\",\r\n \"queryFrequency\": \"PT5H\",\r\n \"queryPeriod\": \"PT5H\",\r\n \"severity\": \"Low\",\r\n \"triggerOperator\": \"GreaterThan\",\r\n \"triggerThreshold\": 10,\r\n \"displayName\": \"PoshModuleTest\",\r\n \"enabled\": true,\r\n \"suppressionDuration\": \"PT1H\",\r\n \"suppressionEnabled\": false\r\n }\r\n}",
+ "RequestHeaders": {
+ "x-ms-client-request-id": [
+ "51b59801-26b2-4f49-b4f3-3a8bdf8c626d"
+ ],
+ "Accept-Language": [
+ "en-US"
+ ],
+ "User-Agent": [
+ "FxVersion/4.6.29321.03",
+ "OSName/Windows",
+ "OSVersion/Microsoft.Windows.10.0.19042.",
+ "Microsoft.Azure.Management.SecurityInsights.SecurityInsightsClient/1.0.0.0"
+ ],
+ "Content-Type": [
+ "application/json; charset=utf-8"
+ ],
+ "Content-Length": [
+ "372"
+ ]
+ },
+ "ResponseHeaders": {
+ "Cache-Control": [
+ "no-cache"
+ ],
+ "Pragma": [
+ "no-cache"
+ ],
+ "x-ms-ratelimit-remaining-subscription-writes": [
+ "1198"
+ ],
+ "api-supported-versions": [
+ "2019-01-01-preview"
+ ],
+ "Server": [
+ "Kestrel"
+ ],
+ "x-ms-request-id": [
+ "8ceda48f-1764-4226-b524-8ba37d6135d1"
+ ],
+ "x-ms-correlation-request-id": [
+ "8ceda48f-1764-4226-b524-8ba37d6135d1"
+ ],
+ "x-ms-routing-request-id": [
+ "WESTUS2:20201210T213617Z:8ceda48f-1764-4226-b524-8ba37d6135d1"
+ ],
+ "Strict-Transport-Security": [
+ "max-age=31536000; includeSubDomains"
+ ],
+ "X-Content-Type-Options": [
+ "nosniff"
+ ],
+ "Date": [
+ "Thu, 10 Dec 2020 21:36:17 GMT"
+ ],
+ "Content-Length": [
+ "972"
+ ],
+ "Content-Type": [
+ "application/json; charset=utf-8"
+ ],
+ "Expires": [
+ "-1"
+ ]
+ },
+ "ResponseBody": "{\r\n \"id\": \"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/alertRules/103818ba-9f48-41af-bf1b-101f797ab82e\",\r\n \"name\": \"103818ba-9f48-41af-bf1b-101f797ab82e\",\r\n \"etag\": \"\\\"c300383c-0000-0100-0000-5fd294d10000\\\"\",\r\n \"type\": \"Microsoft.SecurityInsights/alertRules\",\r\n \"kind\": \"Scheduled\",\r\n \"properties\": {\r\n \"severity\": \"Low\",\r\n \"query\": \"SecurityAlert | take 1\",\r\n \"queryFrequency\": \"PT5H\",\r\n \"queryPeriod\": \"PT5H\",\r\n \"triggerOperator\": \"GreaterThan\",\r\n \"triggerThreshold\": 10,\r\n \"suppressionDuration\": \"PT1H\",\r\n \"suppressionEnabled\": false,\r\n \"incidentConfiguration\": {\r\n \"createIncident\": true,\r\n \"groupingConfiguration\": {\r\n \"enabled\": false,\r\n \"reopenClosedIncident\": false,\r\n \"lookbackDuration\": \"PT5M\",\r\n \"entitiesMatchingMethod\": \"All\",\r\n \"groupByEntities\": []\r\n }\r\n },\r\n \"displayName\": \"PoshModuleTest\",\r\n \"enabled\": true,\r\n \"description\": null,\r\n \"tactics\": null,\r\n \"alertRuleTemplateName\": null,\r\n \"lastModifiedUtc\": \"2020-12-10T21:36:17.4458574Z\"\r\n }\r\n}",
+ "StatusCode": 201
+ },
+ {
+ "RequestUri": "/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/alertRules/103818ba-9f48-41af-bf1b-101f797ab82e?api-version=2020-01-01",
+ "EncodedRequestUri": "L3N1YnNjcmlwdGlvbnMvMWM2MWNjYmYtNzBiMy00NWEzLWExZmItODQ4Y2U0NmQ3MGE2L3Jlc291cmNlR3JvdXBzL25kaWNvbGEtYXpzcG9zaC9wcm92aWRlcnMvTWljcm9zb2Z0Lk9wZXJhdGlvbmFsSW5zaWdodHMvd29ya3NwYWNlcy9henNwb3NoL3Byb3ZpZGVycy9NaWNyb3NvZnQuU2VjdXJpdHlJbnNpZ2h0cy9hbGVydFJ1bGVzLzEwMzgxOGJhLTlmNDgtNDFhZi1iZjFiLTEwMWY3OTdhYjgyZT9hcGktdmVyc2lvbj0yMDIwLTAxLTAx",
+ "RequestMethod": "DELETE",
+ "RequestBody": "",
+ "RequestHeaders": {
+ "x-ms-client-request-id": [
+ "425c1e88-893c-47af-8de0-ab04d2e06b3b"
+ ],
+ "Accept-Language": [
+ "en-US"
+ ],
+ "User-Agent": [
+ "FxVersion/4.6.29321.03",
+ "OSName/Windows",
+ "OSVersion/Microsoft.Windows.10.0.19042.",
+ "Microsoft.Azure.Management.SecurityInsights.SecurityInsightsClient/1.0.0.0"
+ ]
+ },
+ "ResponseHeaders": {
+ "Cache-Control": [
+ "no-cache"
+ ],
+ "Pragma": [
+ "no-cache"
+ ],
+ "x-ms-ratelimit-remaining-subscription-deletes": [
+ "14998"
+ ],
+ "api-supported-versions": [
+ "2019-01-01-preview"
+ ],
+ "Server": [
+ "Kestrel"
+ ],
+ "x-ms-request-id": [
+ "98efe29f-3a45-4966-b769-a2d69b7fa1bb"
+ ],
+ "x-ms-correlation-request-id": [
+ "98efe29f-3a45-4966-b769-a2d69b7fa1bb"
+ ],
+ "x-ms-routing-request-id": [
+ "WESTUS2:20201210T213618Z:98efe29f-3a45-4966-b769-a2d69b7fa1bb"
+ ],
+ "Strict-Transport-Security": [
+ "max-age=31536000; includeSubDomains"
+ ],
+ "X-Content-Type-Options": [
+ "nosniff"
+ ],
+ "Date": [
+ "Thu, 10 Dec 2020 21:36:18 GMT"
+ ],
+ "Content-Length": [
+ "2"
+ ],
+ "Content-Type": [
+ "application/json; charset=utf-8"
+ ],
+ "Expires": [
+ "-1"
+ ]
+ },
+ "ResponseBody": "{}",
+ "StatusCode": 200
+ }
+ ],
+ "Names": {},
+ "Variables": {
+ "SubscriptionId": "1c61ccbf-70b3-45a3-a1fb-848ce46d70a6"
+ }
+}
\ No newline at end of file
diff --git a/src/SecurityInsights/SecurityInsights.Test/SessionRecords/Microsoft.Azure.Commands.SecurityInsights.Test.ScenarioTests.AlertRulesTests/GetAction.json b/src/SecurityInsights/SecurityInsights.Test/SessionRecords/Microsoft.Azure.Commands.SecurityInsights.Test.ScenarioTests.AlertRulesTests/GetAction.json
new file mode 100644
index 000000000000..bf259fb1e679
--- /dev/null
+++ b/src/SecurityInsights/SecurityInsights.Test/SessionRecords/Microsoft.Azure.Commands.SecurityInsights.Test.ScenarioTests.AlertRulesTests/GetAction.json
@@ -0,0 +1,212 @@
+{
+ "Entries": [
+ {
+ "RequestUri": "/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/alertRules/4324441a-de38-42c2-83dd-bb93db929e7c?api-version=2020-01-01",
+ "EncodedRequestUri": "L3N1YnNjcmlwdGlvbnMvMWM2MWNjYmYtNzBiMy00NWEzLWExZmItODQ4Y2U0NmQ3MGE2L3Jlc291cmNlR3JvdXBzL25kaWNvbGEtYXpzcG9zaC9wcm92aWRlcnMvTWljcm9zb2Z0Lk9wZXJhdGlvbmFsSW5zaWdodHMvd29ya3NwYWNlcy9henNwb3NoL3Byb3ZpZGVycy9NaWNyb3NvZnQuU2VjdXJpdHlJbnNpZ2h0cy9hbGVydFJ1bGVzLzQzMjQ0NDFhLWRlMzgtNDJjMi04M2RkLWJiOTNkYjkyOWU3Yz9hcGktdmVyc2lvbj0yMDIwLTAxLTAx",
+ "RequestMethod": "PUT",
+ "RequestBody": "{\r\n \"kind\": \"Scheduled\",\r\n \"properties\": {\r\n \"query\": \"SecurityAlert | take 1\",\r\n \"queryFrequency\": \"PT5H\",\r\n \"queryPeriod\": \"PT5H\",\r\n \"severity\": \"Low\",\r\n \"triggerOperator\": \"GreaterThan\",\r\n \"triggerThreshold\": 10,\r\n \"displayName\": \"PoshModuleTest\",\r\n \"enabled\": true,\r\n \"suppressionDuration\": \"PT1H\",\r\n \"suppressionEnabled\": false\r\n }\r\n}",
+ "RequestHeaders": {
+ "x-ms-client-request-id": [
+ "2bb8aa7c-d6f8-4ad9-939c-93a6fb8c123e"
+ ],
+ "Accept-Language": [
+ "en-US"
+ ],
+ "User-Agent": [
+ "FxVersion/4.6.29321.03",
+ "OSName/Windows",
+ "OSVersion/Microsoft.Windows.10.0.19042.",
+ "Microsoft.Azure.Management.SecurityInsights.SecurityInsightsClient/1.0.0.0"
+ ],
+ "Content-Type": [
+ "application/json; charset=utf-8"
+ ],
+ "Content-Length": [
+ "372"
+ ]
+ },
+ "ResponseHeaders": {
+ "Cache-Control": [
+ "no-cache"
+ ],
+ "Pragma": [
+ "no-cache"
+ ],
+ "x-ms-ratelimit-remaining-subscription-writes": [
+ "1199"
+ ],
+ "api-supported-versions": [
+ "2019-01-01-preview"
+ ],
+ "Server": [
+ "Kestrel"
+ ],
+ "x-ms-request-id": [
+ "0d40ac26-b97c-4884-81ae-91201d2d683f"
+ ],
+ "x-ms-correlation-request-id": [
+ "0d40ac26-b97c-4884-81ae-91201d2d683f"
+ ],
+ "x-ms-routing-request-id": [
+ "WESTUS2:20201210T213228Z:0d40ac26-b97c-4884-81ae-91201d2d683f"
+ ],
+ "Strict-Transport-Security": [
+ "max-age=31536000; includeSubDomains"
+ ],
+ "X-Content-Type-Options": [
+ "nosniff"
+ ],
+ "Date": [
+ "Thu, 10 Dec 2020 21:32:28 GMT"
+ ],
+ "Content-Length": [
+ "972"
+ ],
+ "Content-Type": [
+ "application/json; charset=utf-8"
+ ],
+ "Expires": [
+ "-1"
+ ]
+ },
+ "ResponseBody": "{\r\n \"id\": \"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/alertRules/4324441a-de38-42c2-83dd-bb93db929e7c\",\r\n \"name\": \"4324441a-de38-42c2-83dd-bb93db929e7c\",\r\n \"etag\": \"\\\"c300a725-0000-0100-0000-5fd293ec0000\\\"\",\r\n \"type\": \"Microsoft.SecurityInsights/alertRules\",\r\n \"kind\": \"Scheduled\",\r\n \"properties\": {\r\n \"severity\": \"Low\",\r\n \"query\": \"SecurityAlert | take 1\",\r\n \"queryFrequency\": \"PT5H\",\r\n \"queryPeriod\": \"PT5H\",\r\n \"triggerOperator\": \"GreaterThan\",\r\n \"triggerThreshold\": 10,\r\n \"suppressionDuration\": \"PT1H\",\r\n \"suppressionEnabled\": false,\r\n \"incidentConfiguration\": {\r\n \"createIncident\": true,\r\n \"groupingConfiguration\": {\r\n \"enabled\": false,\r\n \"reopenClosedIncident\": false,\r\n \"lookbackDuration\": \"PT5M\",\r\n \"entitiesMatchingMethod\": \"All\",\r\n \"groupByEntities\": []\r\n }\r\n },\r\n \"displayName\": \"PoshModuleTest\",\r\n \"enabled\": true,\r\n \"description\": null,\r\n \"tactics\": null,\r\n \"alertRuleTemplateName\": null,\r\n \"lastModifiedUtc\": \"2020-12-10T21:32:10.8008143Z\"\r\n }\r\n}",
+ "StatusCode": 201
+ },
+ {
+ "RequestUri": "/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/alertRules/4324441a-de38-42c2-83dd-bb93db929e7c?api-version=2020-01-01",
+ "EncodedRequestUri": "L3N1YnNjcmlwdGlvbnMvMWM2MWNjYmYtNzBiMy00NWEzLWExZmItODQ4Y2U0NmQ3MGE2L3Jlc291cmNlR3JvdXBzL25kaWNvbGEtYXpzcG9zaC9wcm92aWRlcnMvTWljcm9zb2Z0Lk9wZXJhdGlvbmFsSW5zaWdodHMvd29ya3NwYWNlcy9henNwb3NoL3Byb3ZpZGVycy9NaWNyb3NvZnQuU2VjdXJpdHlJbnNpZ2h0cy9hbGVydFJ1bGVzLzQzMjQ0NDFhLWRlMzgtNDJjMi04M2RkLWJiOTNkYjkyOWU3Yz9hcGktdmVyc2lvbj0yMDIwLTAxLTAx",
+ "RequestMethod": "GET",
+ "RequestBody": "",
+ "RequestHeaders": {
+ "x-ms-client-request-id": [
+ "d64ebe11-cf4e-46de-b9be-1bb9b283022b"
+ ],
+ "Accept-Language": [
+ "en-US"
+ ],
+ "User-Agent": [
+ "FxVersion/4.6.29321.03",
+ "OSName/Windows",
+ "OSVersion/Microsoft.Windows.10.0.19042.",
+ "Microsoft.Azure.Management.SecurityInsights.SecurityInsightsClient/1.0.0.0"
+ ]
+ },
+ "ResponseHeaders": {
+ "Cache-Control": [
+ "no-cache"
+ ],
+ "Pragma": [
+ "no-cache"
+ ],
+ "x-ms-ratelimit-remaining-subscription-reads": [
+ "11999"
+ ],
+ "api-supported-versions": [
+ "2019-01-01-preview"
+ ],
+ "Server": [
+ "Kestrel"
+ ],
+ "x-ms-request-id": [
+ "39538e6a-8c01-46e8-b7c0-6f7ef9fd66a2"
+ ],
+ "x-ms-correlation-request-id": [
+ "39538e6a-8c01-46e8-b7c0-6f7ef9fd66a2"
+ ],
+ "x-ms-routing-request-id": [
+ "WESTUS2:20201210T213228Z:39538e6a-8c01-46e8-b7c0-6f7ef9fd66a2"
+ ],
+ "Strict-Transport-Security": [
+ "max-age=31536000; includeSubDomains"
+ ],
+ "X-Content-Type-Options": [
+ "nosniff"
+ ],
+ "Date": [
+ "Thu, 10 Dec 2020 21:32:28 GMT"
+ ],
+ "Content-Length": [
+ "972"
+ ],
+ "Content-Type": [
+ "application/json; charset=utf-8"
+ ],
+ "Expires": [
+ "-1"
+ ]
+ },
+ "ResponseBody": "{\r\n \"id\": \"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/alertRules/4324441a-de38-42c2-83dd-bb93db929e7c\",\r\n \"name\": \"4324441a-de38-42c2-83dd-bb93db929e7c\",\r\n \"etag\": \"\\\"c300a725-0000-0100-0000-5fd293ec0000\\\"\",\r\n \"type\": \"Microsoft.SecurityInsights/alertRules\",\r\n \"kind\": \"Scheduled\",\r\n \"properties\": {\r\n \"severity\": \"Low\",\r\n \"query\": \"SecurityAlert | take 1\",\r\n \"queryFrequency\": \"PT5H\",\r\n \"queryPeriod\": \"PT5H\",\r\n \"triggerOperator\": \"GreaterThan\",\r\n \"triggerThreshold\": 10,\r\n \"suppressionDuration\": \"PT1H\",\r\n \"suppressionEnabled\": false,\r\n \"incidentConfiguration\": {\r\n \"createIncident\": true,\r\n \"groupingConfiguration\": {\r\n \"enabled\": false,\r\n \"reopenClosedIncident\": false,\r\n \"lookbackDuration\": \"PT5M\",\r\n \"entitiesMatchingMethod\": \"All\",\r\n \"groupByEntities\": []\r\n }\r\n },\r\n \"displayName\": \"PoshModuleTest\",\r\n \"enabled\": true,\r\n \"description\": null,\r\n \"tactics\": null,\r\n \"alertRuleTemplateName\": null,\r\n \"lastModifiedUtc\": \"2020-12-10T21:32:10.8008143Z\"\r\n }\r\n}",
+ "StatusCode": 200
+ },
+ {
+ "RequestUri": "/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/alertRules/4324441a-de38-42c2-83dd-bb93db929e7c?api-version=2020-01-01",
+ "EncodedRequestUri": "L3N1YnNjcmlwdGlvbnMvMWM2MWNjYmYtNzBiMy00NWEzLWExZmItODQ4Y2U0NmQ3MGE2L3Jlc291cmNlR3JvdXBzL25kaWNvbGEtYXpzcG9zaC9wcm92aWRlcnMvTWljcm9zb2Z0Lk9wZXJhdGlvbmFsSW5zaWdodHMvd29ya3NwYWNlcy9henNwb3NoL3Byb3ZpZGVycy9NaWNyb3NvZnQuU2VjdXJpdHlJbnNpZ2h0cy9hbGVydFJ1bGVzLzQzMjQ0NDFhLWRlMzgtNDJjMi04M2RkLWJiOTNkYjkyOWU3Yz9hcGktdmVyc2lvbj0yMDIwLTAxLTAx",
+ "RequestMethod": "DELETE",
+ "RequestBody": "",
+ "RequestHeaders": {
+ "x-ms-client-request-id": [
+ "91eed691-d48a-4cd5-8587-0efe1307581a"
+ ],
+ "Accept-Language": [
+ "en-US"
+ ],
+ "User-Agent": [
+ "FxVersion/4.6.29321.03",
+ "OSName/Windows",
+ "OSVersion/Microsoft.Windows.10.0.19042.",
+ "Microsoft.Azure.Management.SecurityInsights.SecurityInsightsClient/1.0.0.0"
+ ]
+ },
+ "ResponseHeaders": {
+ "Cache-Control": [
+ "no-cache"
+ ],
+ "Pragma": [
+ "no-cache"
+ ],
+ "x-ms-ratelimit-remaining-subscription-deletes": [
+ "14999"
+ ],
+ "api-supported-versions": [
+ "2019-01-01-preview"
+ ],
+ "Server": [
+ "Kestrel"
+ ],
+ "x-ms-request-id": [
+ "452d495c-e7ee-4967-917c-b895c1ad2707"
+ ],
+ "x-ms-correlation-request-id": [
+ "452d495c-e7ee-4967-917c-b895c1ad2707"
+ ],
+ "x-ms-routing-request-id": [
+ "WESTUS2:20201210T213229Z:452d495c-e7ee-4967-917c-b895c1ad2707"
+ ],
+ "Strict-Transport-Security": [
+ "max-age=31536000; includeSubDomains"
+ ],
+ "X-Content-Type-Options": [
+ "nosniff"
+ ],
+ "Date": [
+ "Thu, 10 Dec 2020 21:32:29 GMT"
+ ],
+ "Content-Length": [
+ "2"
+ ],
+ "Content-Type": [
+ "application/json; charset=utf-8"
+ ],
+ "Expires": [
+ "-1"
+ ]
+ },
+ "ResponseBody": "{}",
+ "StatusCode": 200
+ }
+ ],
+ "Names": {},
+ "Variables": {
+ "SubscriptionId": "1c61ccbf-70b3-45a3-a1fb-848ce46d70a6"
+ }
+}
\ No newline at end of file
diff --git a/src/SecurityInsights/SecurityInsights.Test/SessionRecords/Microsoft.Azure.Commands.SecurityInsights.Test.ScenarioTests.AlertRulesTests/InputObject.json b/src/SecurityInsights/SecurityInsights.Test/SessionRecords/Microsoft.Azure.Commands.SecurityInsights.Test.ScenarioTests.AlertRulesTests/InputObject.json
new file mode 100644
index 000000000000..7b2acf804baa
--- /dev/null
+++ b/src/SecurityInsights/SecurityInsights.Test/SessionRecords/Microsoft.Azure.Commands.SecurityInsights.Test.ScenarioTests.AlertRulesTests/InputObject.json
@@ -0,0 +1,350 @@
+{
+ "Entries": [
+ {
+ "RequestUri": "/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/alertRules/4037076e-479a-4d18-93f9-bcdb72f0c856?api-version=2020-01-01",
+ "EncodedRequestUri": "L3N1YnNjcmlwdGlvbnMvMWM2MWNjYmYtNzBiMy00NWEzLWExZmItODQ4Y2U0NmQ3MGE2L3Jlc291cmNlR3JvdXBzL25kaWNvbGEtYXpzcG9zaC9wcm92aWRlcnMvTWljcm9zb2Z0Lk9wZXJhdGlvbmFsSW5zaWdodHMvd29ya3NwYWNlcy9henNwb3NoL3Byb3ZpZGVycy9NaWNyb3NvZnQuU2VjdXJpdHlJbnNpZ2h0cy9hbGVydFJ1bGVzLzQwMzcwNzZlLTQ3OWEtNGQxOC05M2Y5LWJjZGI3MmYwYzg1Nj9hcGktdmVyc2lvbj0yMDIwLTAxLTAx",
+ "RequestMethod": "PUT",
+ "RequestBody": "{\r\n \"kind\": \"Scheduled\",\r\n \"properties\": {\r\n \"query\": \"SecurityAlert | take 1\",\r\n \"queryFrequency\": \"PT5H\",\r\n \"queryPeriod\": \"PT5H\",\r\n \"severity\": \"Low\",\r\n \"triggerOperator\": \"GreaterThan\",\r\n \"triggerThreshold\": 10,\r\n \"displayName\": \"PoshModuleTest\",\r\n \"enabled\": true,\r\n \"suppressionDuration\": \"PT1H\",\r\n \"suppressionEnabled\": false\r\n }\r\n}",
+ "RequestHeaders": {
+ "x-ms-client-request-id": [
+ "6cb051fd-56b2-46b9-8847-bb29e6604968"
+ ],
+ "Accept-Language": [
+ "en-US"
+ ],
+ "User-Agent": [
+ "FxVersion/4.6.29321.03",
+ "OSName/Windows",
+ "OSVersion/Microsoft.Windows.10.0.19042.",
+ "Microsoft.Azure.Management.SecurityInsights.SecurityInsightsClient/1.0.0.0"
+ ],
+ "Content-Type": [
+ "application/json; charset=utf-8"
+ ],
+ "Content-Length": [
+ "372"
+ ]
+ },
+ "ResponseHeaders": {
+ "Cache-Control": [
+ "no-cache"
+ ],
+ "Pragma": [
+ "no-cache"
+ ],
+ "x-ms-ratelimit-remaining-subscription-writes": [
+ "1199"
+ ],
+ "api-supported-versions": [
+ "2019-01-01-preview"
+ ],
+ "Server": [
+ "Kestrel"
+ ],
+ "x-ms-request-id": [
+ "3ba19f94-ffb1-4ae4-ab84-7214f72a8e88"
+ ],
+ "x-ms-correlation-request-id": [
+ "3ba19f94-ffb1-4ae4-ab84-7214f72a8e88"
+ ],
+ "x-ms-routing-request-id": [
+ "WESTUS2:20201210T213316Z:3ba19f94-ffb1-4ae4-ab84-7214f72a8e88"
+ ],
+ "Strict-Transport-Security": [
+ "max-age=31536000; includeSubDomains"
+ ],
+ "X-Content-Type-Options": [
+ "nosniff"
+ ],
+ "Date": [
+ "Thu, 10 Dec 2020 21:33:15 GMT"
+ ],
+ "Content-Length": [
+ "971"
+ ],
+ "Content-Type": [
+ "application/json; charset=utf-8"
+ ],
+ "Expires": [
+ "-1"
+ ]
+ },
+ "ResponseBody": "{\r\n \"id\": \"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/alertRules/4037076e-479a-4d18-93f9-bcdb72f0c856\",\r\n \"name\": \"4037076e-479a-4d18-93f9-bcdb72f0c856\",\r\n \"etag\": \"\\\"c300402a-0000-0100-0000-5fd2941c0000\\\"\",\r\n \"type\": \"Microsoft.SecurityInsights/alertRules\",\r\n \"kind\": \"Scheduled\",\r\n \"properties\": {\r\n \"severity\": \"Low\",\r\n \"query\": \"SecurityAlert | take 1\",\r\n \"queryFrequency\": \"PT5H\",\r\n \"queryPeriod\": \"PT5H\",\r\n \"triggerOperator\": \"GreaterThan\",\r\n \"triggerThreshold\": 10,\r\n \"suppressionDuration\": \"PT1H\",\r\n \"suppressionEnabled\": false,\r\n \"incidentConfiguration\": {\r\n \"createIncident\": true,\r\n \"groupingConfiguration\": {\r\n \"enabled\": false,\r\n \"reopenClosedIncident\": false,\r\n \"lookbackDuration\": \"PT5M\",\r\n \"entitiesMatchingMethod\": \"All\",\r\n \"groupByEntities\": []\r\n }\r\n },\r\n \"displayName\": \"PoshModuleTest\",\r\n \"enabled\": true,\r\n \"description\": null,\r\n \"tactics\": null,\r\n \"alertRuleTemplateName\": null,\r\n \"lastModifiedUtc\": \"2020-12-10T21:33:14.669933Z\"\r\n }\r\n}",
+ "StatusCode": 201
+ },
+ {
+ "RequestUri": "/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/alertRules/4037076e-479a-4d18-93f9-bcdb72f0c856?api-version=2020-01-01",
+ "EncodedRequestUri": "L3N1YnNjcmlwdGlvbnMvMWM2MWNjYmYtNzBiMy00NWEzLWExZmItODQ4Y2U0NmQ3MGE2L3Jlc291cmNlR3JvdXBzL25kaWNvbGEtYXpzcG9zaC9wcm92aWRlcnMvTWljcm9zb2Z0Lk9wZXJhdGlvbmFsSW5zaWdodHMvd29ya3NwYWNlcy9henNwb3NoL3Byb3ZpZGVycy9NaWNyb3NvZnQuU2VjdXJpdHlJbnNpZ2h0cy9hbGVydFJ1bGVzLzQwMzcwNzZlLTQ3OWEtNGQxOC05M2Y5LWJjZGI3MmYwYzg1Nj9hcGktdmVyc2lvbj0yMDIwLTAxLTAx",
+ "RequestMethod": "PUT",
+ "RequestBody": "{\r\n \"kind\": \"Scheduled\",\r\n \"properties\": {\r\n \"query\": \"SecurityAlert | take 1\",\r\n \"queryFrequency\": \"PT5H\",\r\n \"queryPeriod\": \"PT5H\",\r\n \"severity\": \"Low\",\r\n \"triggerOperator\": \"GreaterThan\",\r\n \"triggerThreshold\": 10,\r\n \"displayName\": \"PoshModuleTest\",\r\n \"enabled\": false,\r\n \"suppressionDuration\": \"PT1H\",\r\n \"suppressionEnabled\": false\r\n },\r\n \"etag\": \"\\\"c300402a-0000-0100-0000-5fd2941c0000\\\"\"\r\n}",
+ "RequestHeaders": {
+ "x-ms-client-request-id": [
+ "9c260320-b5ce-4b18-a2a1-c4fdf2eac736"
+ ],
+ "Accept-Language": [
+ "en-US"
+ ],
+ "User-Agent": [
+ "FxVersion/4.6.29321.03",
+ "OSName/Windows",
+ "OSVersion/Microsoft.Windows.10.0.19042.",
+ "Microsoft.Azure.Management.SecurityInsights.SecurityInsightsClient/1.0.0.0"
+ ],
+ "Content-Type": [
+ "application/json; charset=utf-8"
+ ],
+ "Content-Length": [
+ "428"
+ ]
+ },
+ "ResponseHeaders": {
+ "Cache-Control": [
+ "no-cache"
+ ],
+ "Pragma": [
+ "no-cache"
+ ],
+ "x-ms-ratelimit-remaining-subscription-writes": [
+ "1198"
+ ],
+ "api-supported-versions": [
+ "2019-01-01-preview"
+ ],
+ "Server": [
+ "Kestrel"
+ ],
+ "x-ms-request-id": [
+ "db11fb80-b76a-4be7-b1f7-91ed900bd97f"
+ ],
+ "x-ms-correlation-request-id": [
+ "db11fb80-b76a-4be7-b1f7-91ed900bd97f"
+ ],
+ "x-ms-routing-request-id": [
+ "WESTUS2:20201210T213323Z:db11fb80-b76a-4be7-b1f7-91ed900bd97f"
+ ],
+ "Strict-Transport-Security": [
+ "max-age=31536000; includeSubDomains"
+ ],
+ "X-Content-Type-Options": [
+ "nosniff"
+ ],
+ "Date": [
+ "Thu, 10 Dec 2020 21:33:22 GMT"
+ ],
+ "Content-Length": [
+ "973"
+ ],
+ "Content-Type": [
+ "application/json; charset=utf-8"
+ ],
+ "Expires": [
+ "-1"
+ ]
+ },
+ "ResponseBody": "{\r\n \"id\": \"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/alertRules/4037076e-479a-4d18-93f9-bcdb72f0c856\",\r\n \"name\": \"4037076e-479a-4d18-93f9-bcdb72f0c856\",\r\n \"etag\": \"\\\"c300b02a-0000-0100-0000-5fd294200000\\\"\",\r\n \"type\": \"Microsoft.SecurityInsights/alertRules\",\r\n \"kind\": \"Scheduled\",\r\n \"properties\": {\r\n \"severity\": \"Low\",\r\n \"query\": \"SecurityAlert | take 1\",\r\n \"queryFrequency\": \"PT5H\",\r\n \"queryPeriod\": \"PT5H\",\r\n \"triggerOperator\": \"GreaterThan\",\r\n \"triggerThreshold\": 10,\r\n \"suppressionDuration\": \"PT1H\",\r\n \"suppressionEnabled\": false,\r\n \"incidentConfiguration\": {\r\n \"createIncident\": true,\r\n \"groupingConfiguration\": {\r\n \"enabled\": false,\r\n \"reopenClosedIncident\": false,\r\n \"lookbackDuration\": \"PT5M\",\r\n \"entitiesMatchingMethod\": \"All\",\r\n \"groupByEntities\": []\r\n }\r\n },\r\n \"displayName\": \"PoshModuleTest\",\r\n \"enabled\": false,\r\n \"description\": null,\r\n \"tactics\": null,\r\n \"alertRuleTemplateName\": null,\r\n \"lastModifiedUtc\": \"2020-12-10T21:33:20.0280526Z\"\r\n }\r\n}",
+ "StatusCode": 200
+ },
+ {
+ "RequestUri": "/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/alertRules/4037076e-479a-4d18-93f9-bcdb72f0c856?api-version=2020-01-01",
+ "EncodedRequestUri": "L3N1YnNjcmlwdGlvbnMvMWM2MWNjYmYtNzBiMy00NWEzLWExZmItODQ4Y2U0NmQ3MGE2L3Jlc291cmNlR3JvdXBzL25kaWNvbGEtYXpzcG9zaC9wcm92aWRlcnMvTWljcm9zb2Z0Lk9wZXJhdGlvbmFsSW5zaWdodHMvd29ya3NwYWNlcy9henNwb3NoL3Byb3ZpZGVycy9NaWNyb3NvZnQuU2VjdXJpdHlJbnNpZ2h0cy9hbGVydFJ1bGVzLzQwMzcwNzZlLTQ3OWEtNGQxOC05M2Y5LWJjZGI3MmYwYzg1Nj9hcGktdmVyc2lvbj0yMDIwLTAxLTAx",
+ "RequestMethod": "GET",
+ "RequestBody": "",
+ "RequestHeaders": {
+ "x-ms-client-request-id": [
+ "9cade664-1c68-4dba-9bd4-dd811d66a273"
+ ],
+ "Accept-Language": [
+ "en-US"
+ ],
+ "User-Agent": [
+ "FxVersion/4.6.29321.03",
+ "OSName/Windows",
+ "OSVersion/Microsoft.Windows.10.0.19042.",
+ "Microsoft.Azure.Management.SecurityInsights.SecurityInsightsClient/1.0.0.0"
+ ]
+ },
+ "ResponseHeaders": {
+ "Cache-Control": [
+ "no-cache"
+ ],
+ "Pragma": [
+ "no-cache"
+ ],
+ "x-ms-ratelimit-remaining-subscription-reads": [
+ "11999"
+ ],
+ "api-supported-versions": [
+ "2019-01-01-preview"
+ ],
+ "Server": [
+ "Kestrel"
+ ],
+ "x-ms-request-id": [
+ "4d31a7a0-0684-43ce-a913-20ca2317e5c2"
+ ],
+ "x-ms-correlation-request-id": [
+ "4d31a7a0-0684-43ce-a913-20ca2317e5c2"
+ ],
+ "x-ms-routing-request-id": [
+ "WESTUS2:20201210T213317Z:4d31a7a0-0684-43ce-a913-20ca2317e5c2"
+ ],
+ "Strict-Transport-Security": [
+ "max-age=31536000; includeSubDomains"
+ ],
+ "X-Content-Type-Options": [
+ "nosniff"
+ ],
+ "Date": [
+ "Thu, 10 Dec 2020 21:33:16 GMT"
+ ],
+ "Content-Length": [
+ "971"
+ ],
+ "Content-Type": [
+ "application/json; charset=utf-8"
+ ],
+ "Expires": [
+ "-1"
+ ]
+ },
+ "ResponseBody": "{\r\n \"id\": \"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/alertRules/4037076e-479a-4d18-93f9-bcdb72f0c856\",\r\n \"name\": \"4037076e-479a-4d18-93f9-bcdb72f0c856\",\r\n \"etag\": \"\\\"c300402a-0000-0100-0000-5fd2941c0000\\\"\",\r\n \"type\": \"Microsoft.SecurityInsights/alertRules\",\r\n \"kind\": \"Scheduled\",\r\n \"properties\": {\r\n \"severity\": \"Low\",\r\n \"query\": \"SecurityAlert | take 1\",\r\n \"queryFrequency\": \"PT5H\",\r\n \"queryPeriod\": \"PT5H\",\r\n \"triggerOperator\": \"GreaterThan\",\r\n \"triggerThreshold\": 10,\r\n \"suppressionDuration\": \"PT1H\",\r\n \"suppressionEnabled\": false,\r\n \"incidentConfiguration\": {\r\n \"createIncident\": true,\r\n \"groupingConfiguration\": {\r\n \"enabled\": false,\r\n \"reopenClosedIncident\": false,\r\n \"lookbackDuration\": \"PT5M\",\r\n \"entitiesMatchingMethod\": \"All\",\r\n \"groupByEntities\": []\r\n }\r\n },\r\n \"displayName\": \"PoshModuleTest\",\r\n \"enabled\": true,\r\n \"description\": null,\r\n \"tactics\": null,\r\n \"alertRuleTemplateName\": null,\r\n \"lastModifiedUtc\": \"2020-12-10T21:33:14.669933Z\"\r\n }\r\n}",
+ "StatusCode": 200
+ },
+ {
+ "RequestUri": "/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/alertRules/4037076e-479a-4d18-93f9-bcdb72f0c856?api-version=2020-01-01",
+ "EncodedRequestUri": "L3N1YnNjcmlwdGlvbnMvMWM2MWNjYmYtNzBiMy00NWEzLWExZmItODQ4Y2U0NmQ3MGE2L3Jlc291cmNlR3JvdXBzL25kaWNvbGEtYXpzcG9zaC9wcm92aWRlcnMvTWljcm9zb2Z0Lk9wZXJhdGlvbmFsSW5zaWdodHMvd29ya3NwYWNlcy9henNwb3NoL3Byb3ZpZGVycy9NaWNyb3NvZnQuU2VjdXJpdHlJbnNpZ2h0cy9hbGVydFJ1bGVzLzQwMzcwNzZlLTQ3OWEtNGQxOC05M2Y5LWJjZGI3MmYwYzg1Nj9hcGktdmVyc2lvbj0yMDIwLTAxLTAx",
+ "RequestMethod": "GET",
+ "RequestBody": "",
+ "RequestHeaders": {
+ "x-ms-client-request-id": [
+ "e1717ab4-11bd-4e84-bc24-9d4db7c9feac"
+ ],
+ "Accept-Language": [
+ "en-US"
+ ],
+ "User-Agent": [
+ "FxVersion/4.6.29321.03",
+ "OSName/Windows",
+ "OSVersion/Microsoft.Windows.10.0.19042.",
+ "Microsoft.Azure.Management.SecurityInsights.SecurityInsightsClient/1.0.0.0"
+ ]
+ },
+ "ResponseHeaders": {
+ "Cache-Control": [
+ "no-cache"
+ ],
+ "Pragma": [
+ "no-cache"
+ ],
+ "x-ms-ratelimit-remaining-subscription-reads": [
+ "11998"
+ ],
+ "api-supported-versions": [
+ "2019-01-01-preview"
+ ],
+ "Server": [
+ "Kestrel"
+ ],
+ "x-ms-request-id": [
+ "19535b78-8da5-4541-be75-5d701427c106"
+ ],
+ "x-ms-correlation-request-id": [
+ "19535b78-8da5-4541-be75-5d701427c106"
+ ],
+ "x-ms-routing-request-id": [
+ "WESTUS2:20201210T213324Z:19535b78-8da5-4541-be75-5d701427c106"
+ ],
+ "Strict-Transport-Security": [
+ "max-age=31536000; includeSubDomains"
+ ],
+ "X-Content-Type-Options": [
+ "nosniff"
+ ],
+ "Date": [
+ "Thu, 10 Dec 2020 21:33:23 GMT"
+ ],
+ "Content-Length": [
+ "973"
+ ],
+ "Content-Type": [
+ "application/json; charset=utf-8"
+ ],
+ "Expires": [
+ "-1"
+ ]
+ },
+ "ResponseBody": "{\r\n \"id\": \"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/alertRules/4037076e-479a-4d18-93f9-bcdb72f0c856\",\r\n \"name\": \"4037076e-479a-4d18-93f9-bcdb72f0c856\",\r\n \"etag\": \"\\\"c300b02a-0000-0100-0000-5fd294200000\\\"\",\r\n \"type\": \"Microsoft.SecurityInsights/alertRules\",\r\n \"kind\": \"Scheduled\",\r\n \"properties\": {\r\n \"severity\": \"Low\",\r\n \"query\": \"SecurityAlert | take 1\",\r\n \"queryFrequency\": \"PT5H\",\r\n \"queryPeriod\": \"PT5H\",\r\n \"triggerOperator\": \"GreaterThan\",\r\n \"triggerThreshold\": 10,\r\n \"suppressionDuration\": \"PT1H\",\r\n \"suppressionEnabled\": false,\r\n \"incidentConfiguration\": {\r\n \"createIncident\": true,\r\n \"groupingConfiguration\": {\r\n \"enabled\": false,\r\n \"reopenClosedIncident\": false,\r\n \"lookbackDuration\": \"PT5M\",\r\n \"entitiesMatchingMethod\": \"All\",\r\n \"groupByEntities\": []\r\n }\r\n },\r\n \"displayName\": \"PoshModuleTest\",\r\n \"enabled\": false,\r\n \"description\": null,\r\n \"tactics\": null,\r\n \"alertRuleTemplateName\": null,\r\n \"lastModifiedUtc\": \"2020-12-10T21:33:20.0280526Z\"\r\n }\r\n}",
+ "StatusCode": 200
+ },
+ {
+ "RequestUri": "/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/alertRules/4037076e-479a-4d18-93f9-bcdb72f0c856?api-version=2020-01-01",
+ "EncodedRequestUri": "L3N1YnNjcmlwdGlvbnMvMWM2MWNjYmYtNzBiMy00NWEzLWExZmItODQ4Y2U0NmQ3MGE2L3Jlc291cmNlR3JvdXBzL25kaWNvbGEtYXpzcG9zaC9wcm92aWRlcnMvTWljcm9zb2Z0Lk9wZXJhdGlvbmFsSW5zaWdodHMvd29ya3NwYWNlcy9henNwb3NoL3Byb3ZpZGVycy9NaWNyb3NvZnQuU2VjdXJpdHlJbnNpZ2h0cy9hbGVydFJ1bGVzLzQwMzcwNzZlLTQ3OWEtNGQxOC05M2Y5LWJjZGI3MmYwYzg1Nj9hcGktdmVyc2lvbj0yMDIwLTAxLTAx",
+ "RequestMethod": "DELETE",
+ "RequestBody": "",
+ "RequestHeaders": {
+ "x-ms-client-request-id": [
+ "15a35733-2cf0-439c-8973-618462789351"
+ ],
+ "Accept-Language": [
+ "en-US"
+ ],
+ "User-Agent": [
+ "FxVersion/4.6.29321.03",
+ "OSName/Windows",
+ "OSVersion/Microsoft.Windows.10.0.19042.",
+ "Microsoft.Azure.Management.SecurityInsights.SecurityInsightsClient/1.0.0.0"
+ ]
+ },
+ "ResponseHeaders": {
+ "Cache-Control": [
+ "no-cache"
+ ],
+ "Pragma": [
+ "no-cache"
+ ],
+ "x-ms-ratelimit-remaining-subscription-deletes": [
+ "14999"
+ ],
+ "api-supported-versions": [
+ "2019-01-01-preview"
+ ],
+ "Server": [
+ "Kestrel"
+ ],
+ "x-ms-request-id": [
+ "4ae8cac1-4dfd-458c-8cf9-2bd22df187fd"
+ ],
+ "x-ms-correlation-request-id": [
+ "4ae8cac1-4dfd-458c-8cf9-2bd22df187fd"
+ ],
+ "x-ms-routing-request-id": [
+ "WESTUS2:20201210T213325Z:4ae8cac1-4dfd-458c-8cf9-2bd22df187fd"
+ ],
+ "Strict-Transport-Security": [
+ "max-age=31536000; includeSubDomains"
+ ],
+ "X-Content-Type-Options": [
+ "nosniff"
+ ],
+ "Date": [
+ "Thu, 10 Dec 2020 21:33:24 GMT"
+ ],
+ "Content-Length": [
+ "2"
+ ],
+ "Content-Type": [
+ "application/json; charset=utf-8"
+ ],
+ "Expires": [
+ "-1"
+ ]
+ },
+ "ResponseBody": "{}",
+ "StatusCode": 200
+ }
+ ],
+ "Names": {},
+ "Variables": {
+ "SubscriptionId": "1c61ccbf-70b3-45a3-a1fb-848ce46d70a6"
+ }
+}
\ No newline at end of file
diff --git a/src/SecurityInsights/SecurityInsights.Test/SessionRecords/Microsoft.Azure.Commands.SecurityInsights.Test.ScenarioTests.AlertRulesTests/ListAlertRules.json b/src/SecurityInsights/SecurityInsights.Test/SessionRecords/Microsoft.Azure.Commands.SecurityInsights.Test.ScenarioTests.AlertRulesTests/ListAlertRules.json
new file mode 100644
index 000000000000..16b3bf31e33a
--- /dev/null
+++ b/src/SecurityInsights/SecurityInsights.Test/SessionRecords/Microsoft.Azure.Commands.SecurityInsights.Test.ScenarioTests.AlertRulesTests/ListAlertRules.json
@@ -0,0 +1,350 @@
+{
+ "Entries": [
+ {
+ "RequestUri": "/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/alertRules/3fefb3df-b5af-4bae-b3b9-2b32e7bb9fa9?api-version=2020-01-01",
+ "EncodedRequestUri": "L3N1YnNjcmlwdGlvbnMvMWM2MWNjYmYtNzBiMy00NWEzLWExZmItODQ4Y2U0NmQ3MGE2L3Jlc291cmNlR3JvdXBzL25kaWNvbGEtYXpzcG9zaC9wcm92aWRlcnMvTWljcm9zb2Z0Lk9wZXJhdGlvbmFsSW5zaWdodHMvd29ya3NwYWNlcy9henNwb3NoL3Byb3ZpZGVycy9NaWNyb3NvZnQuU2VjdXJpdHlJbnNpZ2h0cy9hbGVydFJ1bGVzLzNmZWZiM2RmLWI1YWYtNGJhZS1iM2I5LTJiMzJlN2JiOWZhOT9hcGktdmVyc2lvbj0yMDIwLTAxLTAx",
+ "RequestMethod": "PUT",
+ "RequestBody": "{\r\n \"kind\": \"Scheduled\",\r\n \"properties\": {\r\n \"query\": \"SecurityAlert | take 1\",\r\n \"queryFrequency\": \"PT5H\",\r\n \"queryPeriod\": \"PT5H\",\r\n \"severity\": \"Low\",\r\n \"triggerOperator\": \"GreaterThan\",\r\n \"triggerThreshold\": 10,\r\n \"displayName\": \"PoshModuleTest\",\r\n \"enabled\": true,\r\n \"suppressionDuration\": \"PT1H\",\r\n \"suppressionEnabled\": false\r\n }\r\n}",
+ "RequestHeaders": {
+ "x-ms-client-request-id": [
+ "0c51c1eb-6bed-4304-a29f-315d136ac4ca"
+ ],
+ "Accept-Language": [
+ "en-US"
+ ],
+ "User-Agent": [
+ "FxVersion/4.6.29321.03",
+ "OSName/Windows",
+ "OSVersion/Microsoft.Windows.10.0.19042.",
+ "Microsoft.Azure.Management.SecurityInsights.SecurityInsightsClient/1.0.0.0"
+ ],
+ "Content-Type": [
+ "application/json; charset=utf-8"
+ ],
+ "Content-Length": [
+ "372"
+ ]
+ },
+ "ResponseHeaders": {
+ "Cache-Control": [
+ "no-cache"
+ ],
+ "Pragma": [
+ "no-cache"
+ ],
+ "x-ms-ratelimit-remaining-subscription-writes": [
+ "1199"
+ ],
+ "api-supported-versions": [
+ "2019-01-01-preview"
+ ],
+ "Server": [
+ "Kestrel"
+ ],
+ "x-ms-request-id": [
+ "0abf4adf-85b3-4c83-9cf4-88511a3b5d65"
+ ],
+ "x-ms-correlation-request-id": [
+ "0abf4adf-85b3-4c83-9cf4-88511a3b5d65"
+ ],
+ "x-ms-routing-request-id": [
+ "WESTUS2:20201210T213447Z:0abf4adf-85b3-4c83-9cf4-88511a3b5d65"
+ ],
+ "Strict-Transport-Security": [
+ "max-age=31536000; includeSubDomains"
+ ],
+ "X-Content-Type-Options": [
+ "nosniff"
+ ],
+ "Date": [
+ "Thu, 10 Dec 2020 21:34:46 GMT"
+ ],
+ "Content-Length": [
+ "972"
+ ],
+ "Content-Type": [
+ "application/json; charset=utf-8"
+ ],
+ "Expires": [
+ "-1"
+ ]
+ },
+ "ResponseBody": "{\r\n \"id\": \"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/alertRules/3fefb3df-b5af-4bae-b3b9-2b32e7bb9fa9\",\r\n \"name\": \"3fefb3df-b5af-4bae-b3b9-2b32e7bb9fa9\",\r\n \"etag\": \"\\\"c3000b33-0000-0100-0000-5fd294770000\\\"\",\r\n \"type\": \"Microsoft.SecurityInsights/alertRules\",\r\n \"kind\": \"Scheduled\",\r\n \"properties\": {\r\n \"severity\": \"Low\",\r\n \"query\": \"SecurityAlert | take 1\",\r\n \"queryFrequency\": \"PT5H\",\r\n \"queryPeriod\": \"PT5H\",\r\n \"triggerOperator\": \"GreaterThan\",\r\n \"triggerThreshold\": 10,\r\n \"suppressionDuration\": \"PT1H\",\r\n \"suppressionEnabled\": false,\r\n \"incidentConfiguration\": {\r\n \"createIncident\": true,\r\n \"groupingConfiguration\": {\r\n \"enabled\": false,\r\n \"reopenClosedIncident\": false,\r\n \"lookbackDuration\": \"PT5M\",\r\n \"entitiesMatchingMethod\": \"All\",\r\n \"groupByEntities\": []\r\n }\r\n },\r\n \"displayName\": \"PoshModuleTest\",\r\n \"enabled\": true,\r\n \"description\": null,\r\n \"tactics\": null,\r\n \"alertRuleTemplateName\": null,\r\n \"lastModifiedUtc\": \"2020-12-10T21:33:47.0448304Z\"\r\n }\r\n}",
+ "StatusCode": 201
+ },
+ {
+ "RequestUri": "/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/alertRules/3a516217-ec98-4bbf-8d00-c6d7d60095ff?api-version=2020-01-01",
+ "EncodedRequestUri": "L3N1YnNjcmlwdGlvbnMvMWM2MWNjYmYtNzBiMy00NWEzLWExZmItODQ4Y2U0NmQ3MGE2L3Jlc291cmNlR3JvdXBzL25kaWNvbGEtYXpzcG9zaC9wcm92aWRlcnMvTWljcm9zb2Z0Lk9wZXJhdGlvbmFsSW5zaWdodHMvd29ya3NwYWNlcy9henNwb3NoL3Byb3ZpZGVycy9NaWNyb3NvZnQuU2VjdXJpdHlJbnNpZ2h0cy9hbGVydFJ1bGVzLzNhNTE2MjE3LWVjOTgtNGJiZi04ZDAwLWM2ZDdkNjAwOTVmZj9hcGktdmVyc2lvbj0yMDIwLTAxLTAx",
+ "RequestMethod": "PUT",
+ "RequestBody": "{\r\n \"kind\": \"Scheduled\",\r\n \"properties\": {\r\n \"query\": \"SecurityAlert | take 1\",\r\n \"queryFrequency\": \"PT5H\",\r\n \"queryPeriod\": \"PT5H\",\r\n \"severity\": \"Low\",\r\n \"triggerOperator\": \"GreaterThan\",\r\n \"triggerThreshold\": 10,\r\n \"displayName\": \"PoshModuleTest2\",\r\n \"enabled\": true,\r\n \"suppressionDuration\": \"PT1H\",\r\n \"suppressionEnabled\": false\r\n }\r\n}",
+ "RequestHeaders": {
+ "x-ms-client-request-id": [
+ "2bfccad2-6ff1-4090-aa92-4b43d1c840f6"
+ ],
+ "Accept-Language": [
+ "en-US"
+ ],
+ "User-Agent": [
+ "FxVersion/4.6.29321.03",
+ "OSName/Windows",
+ "OSVersion/Microsoft.Windows.10.0.19042.",
+ "Microsoft.Azure.Management.SecurityInsights.SecurityInsightsClient/1.0.0.0"
+ ],
+ "Content-Type": [
+ "application/json; charset=utf-8"
+ ],
+ "Content-Length": [
+ "373"
+ ]
+ },
+ "ResponseHeaders": {
+ "Cache-Control": [
+ "no-cache"
+ ],
+ "Pragma": [
+ "no-cache"
+ ],
+ "x-ms-ratelimit-remaining-subscription-writes": [
+ "1198"
+ ],
+ "api-supported-versions": [
+ "2019-01-01-preview"
+ ],
+ "Server": [
+ "Kestrel"
+ ],
+ "x-ms-request-id": [
+ "cdedfd38-1979-4b02-a2ea-84abdc70ced2"
+ ],
+ "x-ms-correlation-request-id": [
+ "cdedfd38-1979-4b02-a2ea-84abdc70ced2"
+ ],
+ "x-ms-routing-request-id": [
+ "WESTUS2:20201210T213452Z:cdedfd38-1979-4b02-a2ea-84abdc70ced2"
+ ],
+ "Strict-Transport-Security": [
+ "max-age=31536000; includeSubDomains"
+ ],
+ "X-Content-Type-Options": [
+ "nosniff"
+ ],
+ "Date": [
+ "Thu, 10 Dec 2020 21:34:52 GMT"
+ ],
+ "Content-Length": [
+ "973"
+ ],
+ "Content-Type": [
+ "application/json; charset=utf-8"
+ ],
+ "Expires": [
+ "-1"
+ ]
+ },
+ "ResponseBody": "{\r\n \"id\": \"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/alertRules/3a516217-ec98-4bbf-8d00-c6d7d60095ff\",\r\n \"name\": \"3a516217-ec98-4bbf-8d00-c6d7d60095ff\",\r\n \"etag\": \"\\\"c3009c33-0000-0100-0000-5fd2947c0000\\\"\",\r\n \"type\": \"Microsoft.SecurityInsights/alertRules\",\r\n \"kind\": \"Scheduled\",\r\n \"properties\": {\r\n \"severity\": \"Low\",\r\n \"query\": \"SecurityAlert | take 1\",\r\n \"queryFrequency\": \"PT5H\",\r\n \"queryPeriod\": \"PT5H\",\r\n \"triggerOperator\": \"GreaterThan\",\r\n \"triggerThreshold\": 10,\r\n \"suppressionDuration\": \"PT1H\",\r\n \"suppressionEnabled\": false,\r\n \"incidentConfiguration\": {\r\n \"createIncident\": true,\r\n \"groupingConfiguration\": {\r\n \"enabled\": false,\r\n \"reopenClosedIncident\": false,\r\n \"lookbackDuration\": \"PT5M\",\r\n \"entitiesMatchingMethod\": \"All\",\r\n \"groupByEntities\": []\r\n }\r\n },\r\n \"displayName\": \"PoshModuleTest2\",\r\n \"enabled\": true,\r\n \"description\": null,\r\n \"tactics\": null,\r\n \"alertRuleTemplateName\": null,\r\n \"lastModifiedUtc\": \"2020-12-10T21:34:47.6156001Z\"\r\n }\r\n}",
+ "StatusCode": 201
+ },
+ {
+ "RequestUri": "/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/alertRules?api-version=2020-01-01",
+ "EncodedRequestUri": "L3N1YnNjcmlwdGlvbnMvMWM2MWNjYmYtNzBiMy00NWEzLWExZmItODQ4Y2U0NmQ3MGE2L3Jlc291cmNlR3JvdXBzL25kaWNvbGEtYXpzcG9zaC9wcm92aWRlcnMvTWljcm9zb2Z0Lk9wZXJhdGlvbmFsSW5zaWdodHMvd29ya3NwYWNlcy9henNwb3NoL3Byb3ZpZGVycy9NaWNyb3NvZnQuU2VjdXJpdHlJbnNpZ2h0cy9hbGVydFJ1bGVzP2FwaS12ZXJzaW9uPTIwMjAtMDEtMDE=",
+ "RequestMethod": "GET",
+ "RequestBody": "",
+ "RequestHeaders": {
+ "x-ms-client-request-id": [
+ "bb86b5bc-186d-4978-bd1e-fb889a91d326"
+ ],
+ "Accept-Language": [
+ "en-US"
+ ],
+ "User-Agent": [
+ "FxVersion/4.6.29321.03",
+ "OSName/Windows",
+ "OSVersion/Microsoft.Windows.10.0.19042.",
+ "Microsoft.Azure.Management.SecurityInsights.SecurityInsightsClient/1.0.0.0"
+ ]
+ },
+ "ResponseHeaders": {
+ "Cache-Control": [
+ "no-cache"
+ ],
+ "Pragma": [
+ "no-cache"
+ ],
+ "x-ms-ratelimit-remaining-subscription-reads": [
+ "11999"
+ ],
+ "api-supported-versions": [
+ "2019-01-01-preview"
+ ],
+ "Server": [
+ "Kestrel"
+ ],
+ "x-ms-request-id": [
+ "767b7257-6146-429d-851f-d392da81cad3"
+ ],
+ "x-ms-correlation-request-id": [
+ "767b7257-6146-429d-851f-d392da81cad3"
+ ],
+ "x-ms-routing-request-id": [
+ "WESTUS2:20201210T213453Z:767b7257-6146-429d-851f-d392da81cad3"
+ ],
+ "Strict-Transport-Security": [
+ "max-age=31536000; includeSubDomains"
+ ],
+ "X-Content-Type-Options": [
+ "nosniff"
+ ],
+ "Date": [
+ "Thu, 10 Dec 2020 21:34:52 GMT"
+ ],
+ "Content-Length": [
+ "12974"
+ ],
+ "Content-Type": [
+ "application/json; charset=utf-8"
+ ],
+ "Expires": [
+ "-1"
+ ]
+ },
+ "ResponseBody": "{\r\n \"value\": [\r\n {\r\n \"id\": \"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/alertRules/ae10bc30-f038-4774-969b-432ba97ac3dd\",\r\n \"name\": \"ae10bc30-f038-4774-969b-432ba97ac3dd\",\r\n \"etag\": \"\\\"ab002965-0000-0100-0000-5fb89e920000\\\"\",\r\n \"type\": \"Microsoft.SecurityInsights/alertRules\",\r\n \"kind\": \"MicrosoftSecurityIncidentCreation\",\r\n \"properties\": {\r\n \"productFilter\": \"Azure Security Center for IoT\",\r\n \"severitiesFilter\": null,\r\n \"displayNamesFilter\": null,\r\n \"displayNamesExcludeFilter\": null,\r\n \"displayName\": \"MSICposhTest\",\r\n \"enabled\": true,\r\n \"description\": null,\r\n \"tactics\": null,\r\n \"alertRuleTemplateName\": \"a2e0eb51-1f11-461a-999b-cd0ebe5c7a72\",\r\n \"lastModifiedUtc\": \"2020-11-21T00:56:12.8145141Z\"\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/alertRules/e1a91c5e-a4e8-466a-b801-585ca8d6f4d8\",\r\n \"name\": \"e1a91c5e-a4e8-466a-b801-585ca8d6f4d8\",\r\n \"etag\": \"\\\"ab002a65-0000-0100-0000-5fb89e920000\\\"\",\r\n \"type\": \"Microsoft.SecurityInsights/alertRules\",\r\n \"kind\": \"Scheduled\",\r\n \"properties\": {\r\n \"severity\": \"High\",\r\n \"query\": \"let timeframe = 1d;\\nlet DomainNames = dynamic([\\\"yahoo-verification.org\\\",\\\"support-servics.com\\\",\\\"verification-live.com\\\",\\\"com-mailbox.com\\\",\\\"com-myaccuants.com\\\",\\\"notification-accountservice.com\\\",\\n\\\"accounts-web-mail.com\\\",\\\"customer-certificate.com\\\",\\\"session-users-activities.com\\\",\\\"user-profile-credentials.com\\\",\\\"verify-linke.com\\\",\\\"support-servics.net\\\",\\\"verify-linkedin.net\\\", \\n\\\"yahoo-verification.net\\\",\\\"yahoo-verify.net\\\",\\\"outlook-verify.net\\\",\\\"com-users.net\\\",\\\"verifiy-account.net\\\",\\\"te1egram.net\\\",\\\"account-verifiy.net\\\",\\\"myaccount-services.net\\\",\\n\\\"com-identifier-servicelog.name\\\",\\\"microsoft-update.bid\\\",\\\"outlook-livecom.bid\\\",\\\"update-microsoft.bid\\\",\\\"documentsfilesharing.cloud\\\",\\\"com-microsoftonline.club\\\",\\n\\\"confirm-session-identifier.info\\\",\\\"session-management.info\\\",\\\"confirmation-service.info\\\",\\\"document-share.info\\\",\\\"broadcast-news.info\\\",\\\"customize-identity.info\\\",\\\"webemail.info\\\",\\n\\\"com-identifier-servicelog.info\\\",\\\"documentsharing.info\\\",\\\"notification-accountservice.info\\\",\\\"identifier-activities.info\\\",\\\"documentofficupdate.info\\\",\\\"recoveryusercustomer.info\\\",\\n\\\"serverbroadcast.info\\\",\\\"account-profile-users.info\\\",\\\"account-service-management.info\\\",\\\"accounts-manager.info\\\",\\\"activity-confirmation-service.info\\\",\\\"com-accountidentifier.info\\\",\\n\\\"com-privacy-help.info\\\",\\\"com-sessionidentifier.info\\\",\\\"com-useraccount.info\\\",\\\"confirmation-users-service.info\\\",\\\"confirm-identity.info\\\",\\\"confirm-session-identification.info\\\",\\n\\\"continue-session-identifier.info\\\",\\\"customer-recovery.info\\\",\\\"customers-activities.info\\\",\\\"elitemaildelivery.info\\\",\\\"email-delivery.info\\\",\\\"identify-user-session.info\\\",\\n\\\"message-serviceprovider.info\\\",\\\"notificationapp.info\\\",\\\"notification-manager.info\\\",\\\"recognized-activity.info\\\",\\\"recover-customers-service.info\\\",\\\"recovery-session-change.info\\\",\\n\\\"service-recovery-session.info\\\",\\\"service-session-continue.info\\\",\\\"session-mail-customers.info\\\",\\\"session-managment.info\\\",\\\"session-verify-user.info\\\",\\\"shop-sellwear.info\\\",\\n\\\"supportmailservice.info\\\",\\\"terms-service-notification.info\\\",\\\"user-activity-issues.info\\\",\\\"useridentity-confirm.info\\\",\\\"users-issue-services.info\\\",\\\"verify-user-session.info\\\",\\n\\\"login-gov.info\\\",\\\"notification-signal-agnecy.info\\\",\\\"notifications-center.info\\\",\\\"identifier-services-sessions.info\\\",\\\"customers-manager.info\\\",\\\"session-manager.info\\\",\\n\\\"customer-managers.info\\\",\\\"confirmation-recovery-options.info\\\",\\\"service-session-confirm.info\\\",\\\"session-recovery-options.info\\\",\\\"services-session-confirmation.info\\\",\\n\\\"notification-managers.info\\\",\\\"activities-services-notification.info\\\",\\\"activities-recovery-options.info\\\",\\\"activity-session-recovery.info\\\",\\\"customers-services.info\\\",\\n\\\"sessions-notification.info\\\",\\\"download-teamspeak.info\\\",\\\"services-issue-notification.info\\\",\\\"microsoft-upgrade.mobi\\\",\\\"broadcastnews.pro\\\",\\\"mobile-messengerplus.network\\\"]);\\nlet IPList = dynamic([\\\"51.91.200.147\\\"]);\\nlet IPRegex = '[0-9]{1,3}\\\\\\\\.[0-9]{1,3}\\\\\\\\.[0-9]{1,3}\\\\\\\\.[0-9]{1,3}';\\n(union isfuzzy=true\\n(CommonSecurityLog \\n| where TimeGenerated >= ago(timeframe)\\n| parse Message with * '(' DNSName ')' * \\n| extend MessageIP = extract(IPRegex, 0, Message)\\n| extend RequestURLIP = extract(IPRegex, 0, Message)\\n| where (isnotempty(SourceIP) and SourceIP in (IPList)) or (isnotempty(DestinationIP) and DestinationIP in (IPList)) \\nor (isnotempty(DNSName) and DNSName in~ (DomainNames)) or (isnotempty(DestinationHostName) and DestinationHostName in~ (DomainNames)) or (isnotempty(RequestURL) and (RequestURL has_any (DomainNames) or RequestURLIP in (IPList))) \\nor (isnotempty(Message) and MessageIP in (IPList))\\n| extend IPMatch = case(SourceIP in (IPList), \\\"SourceIP\\\", DestinationIP in (IPList), \\\"DestinationIP\\\", MessageIP in (IPList), \\\"Message\\\", RequestURLIP in (IPList), \\\"RequestUrl\\\", \\\"NoMatch\\\") \\n| extend timestamp = TimeGenerated , IPCustomEntity = case(IPMatch == \\\"SourceIP\\\", SourceIP, IPMatch == \\\"DestinationIP\\\", DestinationIP,IPMatch == \\\"Message\\\", MessageIP,\\nIPMatch == \\\"RequestUrl\\\", RequestURLIP,\\\"NoMatch\\\"), Account = SourceUserID, Host = DeviceName\\n),\\n(DnsEvents \\n| where TimeGenerated >= ago(timeframe) \\n| extend DestinationIPAddress = IPAddresses, DNSName = Name, Host = Computer\\n| where DestinationIPAddress in (IPList) or DNSName in~ (DomainNames) \\n| extend timestamp = TimeGenerated, IPCustomEntity = DestinationIPAddress, HostCustomEntity = Host),\\n(VMConnection \\n| where TimeGenerated >= ago(timeframe) \\n| parse RemoteDnsCanonicalNames with * '[\\\"' DNSName '\\\"]' *\\n| where isnotempty(SourceIP) or isnotempty(DestinationIP) or isnotempty(DNSName)\\n| where SourceIP in (IPList) or DestinationIP in (IPList) or DNSName in~ (DomainNames)\\n| extend IPMatch = case( SourceIP in (IPList), \\\"SourceIP\\\", DestinationIP in (IPList), \\\"DestinationIP\\\", \\\"None\\\") \\n| extend timestamp = TimeGenerated , IPCustomEntity = case(IPMatch == \\\"SourceIP\\\", SourceIP, IPMatch == \\\"DestinationIP\\\", DestinationIP, \\\"None\\\"), Host = Computer),\\n(OfficeActivity\\n| where TimeGenerated >= ago(timeframe)\\n| extend SourceIPAddress = ClientIP, Account = UserId\\n| where SourceIPAddress in (IPList)\\n| extend timestamp = TimeGenerated , IPCustomEntity = SourceIPAddress , AccountCustomEntity = Account )\\n)\",\r\n \"queryFrequency\": \"P1D\",\r\n \"queryPeriod\": \"P1D\",\r\n \"triggerOperator\": \"GreaterThan\",\r\n \"triggerThreshold\": 0,\r\n \"suppressionDuration\": \"PT5H\",\r\n \"suppressionEnabled\": false,\r\n \"incidentConfiguration\": {\r\n \"createIncident\": true,\r\n \"groupingConfiguration\": {\r\n \"enabled\": false,\r\n \"reopenClosedIncident\": false,\r\n \"lookbackDuration\": \"PT5H\",\r\n \"entitiesMatchingMethod\": \"All\",\r\n \"groupByEntities\": []\r\n }\r\n },\r\n \"eventGroupingSettings\": {\r\n \"aggregationKind\": \"SingleAlert\"\r\n },\r\n \"displayName\": \"Known Phosphorus group domains/IP\",\r\n \"enabled\": true,\r\n \"description\": \"Matches domain name IOCs related to Phosphorus group activity with CommonSecurityLog, DnsEvents, OfficeActivity and VMConnection dataTypes.\\nReferences: https://blogs.microsoft.com/on-the-issues/2019/03/27/new-steps-to-protect-customers-from-hacking/.\",\r\n \"tactics\": [\r\n \"CommandAndControl\"\r\n ],\r\n \"alertRuleTemplateName\": \"155f40c6-610d-497d-85fc-3cf06ec13256\",\r\n \"lastModifiedUtc\": \"2020-11-19T21:10:56.4078943Z\"\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/alertRules/209ed12a-e19a-4a05-9d81-e11d2be3cafa\",\r\n \"name\": \"209ed12a-e19a-4a05-9d81-e11d2be3cafa\",\r\n \"etag\": \"\\\"ab002b65-0000-0100-0000-5fb89e920000\\\"\",\r\n \"type\": \"Microsoft.SecurityInsights/alertRules\",\r\n \"kind\": \"MicrosoftSecurityIncidentCreation\",\r\n \"properties\": {\r\n \"productFilter\": \"Microsoft Defender Advanced Threat Protection\",\r\n \"severitiesFilter\": null,\r\n \"displayNamesFilter\": null,\r\n \"displayNamesExcludeFilter\": null,\r\n \"displayName\": \"Create incidents based on Microsoft Defender Advanced Threat Protection alerts\",\r\n \"enabled\": true,\r\n \"description\": \"Create incidents based on all alerts generated in Microsoft Defender Advanced Threat Protection\",\r\n \"tactics\": null,\r\n \"alertRuleTemplateName\": \"327cd4ed-ca42-454b-887c-54e1c91363c6\",\r\n \"lastModifiedUtc\": \"2020-11-14T05:52:58.9321595Z\"\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/alertRules/e39e7c39-ae96-4a10-8382-94f8180d69c1\",\r\n \"name\": \"e39e7c39-ae96-4a10-8382-94f8180d69c1\",\r\n \"etag\": \"\\\"ab002e65-0000-0100-0000-5fb89e920000\\\"\",\r\n \"type\": \"Microsoft.SecurityInsights/alertRules\",\r\n \"kind\": \"MicrosoftSecurityIncidentCreation\",\r\n \"properties\": {\r\n \"productFilter\": \"Office 365 Advanced Threat Protection\",\r\n \"severitiesFilter\": [\r\n \"High\"\r\n ],\r\n \"displayNamesFilter\": [\r\n \"test\"\r\n ],\r\n \"displayNamesExcludeFilter\": null,\r\n \"displayName\": \"Create incidents based on Office 365 Advanced Threat Protection alerts\",\r\n \"enabled\": true,\r\n \"description\": \"Create incidents based on all alerts generated in Office 365 Advanced Threat Protection\",\r\n \"tactics\": null,\r\n \"alertRuleTemplateName\": \"ee1d718b-9ed9-4a71-90cd-a483a4f008df\",\r\n \"lastModifiedUtc\": \"2020-11-13T23:54:01.8367488Z\"\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/alertRules/a42eb7d9-4a86-403d-8343-742e769da87e\",\r\n \"name\": \"a42eb7d9-4a86-403d-8343-742e769da87e\",\r\n \"etag\": \"\\\"0100ec68-0000-0100-0000-5fc7e2c80000\\\"\",\r\n \"type\": \"Microsoft.SecurityInsights/alertRules\",\r\n \"kind\": \"MicrosoftSecurityIncidentCreation\",\r\n \"properties\": {\r\n \"productFilter\": \"Azure Security Center for IoT\",\r\n \"severitiesFilter\": null,\r\n \"displayNamesFilter\": null,\r\n \"displayNamesExcludeFilter\": null,\r\n \"displayName\": \"Create Incidents for Azure Security Center for IoT\",\r\n \"enabled\": true,\r\n \"description\": \"\",\r\n \"tactics\": null,\r\n \"alertRuleTemplateName\": \"a2e0eb51-1f11-461a-999b-cd0ebe5c7a72\",\r\n \"lastModifiedUtc\": \"2020-12-02T18:54:00.9631204Z\"\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/alertRules/cf892586-4ed2-4efd-9a04-81f43bddb6ed\",\r\n \"name\": \"cf892586-4ed2-4efd-9a04-81f43bddb6ed\",\r\n \"etag\": \"\\\"c200c7d1-0000-0100-0000-5fd2907f0000\\\"\",\r\n \"type\": \"Microsoft.SecurityInsights/alertRules\",\r\n \"kind\": \"Scheduled\",\r\n \"properties\": {\r\n \"severity\": \"Low\",\r\n \"query\": \"SecurityAlert | take 1\",\r\n \"queryFrequency\": \"PT5H\",\r\n \"queryPeriod\": \"PT5H\",\r\n \"triggerOperator\": \"GreaterThan\",\r\n \"triggerThreshold\": 10,\r\n \"suppressionDuration\": \"PT1H\",\r\n \"suppressionEnabled\": false,\r\n \"incidentConfiguration\": {\r\n \"createIncident\": true,\r\n \"groupingConfiguration\": {\r\n \"enabled\": false,\r\n \"reopenClosedIncident\": false,\r\n \"lookbackDuration\": \"PT5M\",\r\n \"entitiesMatchingMethod\": \"All\",\r\n \"groupByEntities\": []\r\n }\r\n },\r\n \"displayName\": \"PoshModuleTest\",\r\n \"enabled\": true,\r\n \"description\": null,\r\n \"tactics\": null,\r\n \"alertRuleTemplateName\": null,\r\n \"lastModifiedUtc\": \"2020-12-10T21:17:00.8574308Z\"\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/alertRules/3fefb3df-b5af-4bae-b3b9-2b32e7bb9fa9\",\r\n \"name\": \"3fefb3df-b5af-4bae-b3b9-2b32e7bb9fa9\",\r\n \"etag\": \"\\\"c3000b33-0000-0100-0000-5fd294770000\\\"\",\r\n \"type\": \"Microsoft.SecurityInsights/alertRules\",\r\n \"kind\": \"Scheduled\",\r\n \"properties\": {\r\n \"severity\": \"Low\",\r\n \"query\": \"SecurityAlert | take 1\",\r\n \"queryFrequency\": \"PT5H\",\r\n \"queryPeriod\": \"PT5H\",\r\n \"triggerOperator\": \"GreaterThan\",\r\n \"triggerThreshold\": 10,\r\n \"suppressionDuration\": \"PT1H\",\r\n \"suppressionEnabled\": false,\r\n \"incidentConfiguration\": {\r\n \"createIncident\": true,\r\n \"groupingConfiguration\": {\r\n \"enabled\": false,\r\n \"reopenClosedIncident\": false,\r\n \"lookbackDuration\": \"PT5M\",\r\n \"entitiesMatchingMethod\": \"All\",\r\n \"groupByEntities\": []\r\n }\r\n },\r\n \"displayName\": \"PoshModuleTest\",\r\n \"enabled\": true,\r\n \"description\": null,\r\n \"tactics\": null,\r\n \"alertRuleTemplateName\": null,\r\n \"lastModifiedUtc\": \"2020-12-10T21:33:47.0448304Z\"\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/alertRules/3a516217-ec98-4bbf-8d00-c6d7d60095ff\",\r\n \"name\": \"3a516217-ec98-4bbf-8d00-c6d7d60095ff\",\r\n \"etag\": \"\\\"c3009c33-0000-0100-0000-5fd2947c0000\\\"\",\r\n \"type\": \"Microsoft.SecurityInsights/alertRules\",\r\n \"kind\": \"Scheduled\",\r\n \"properties\": {\r\n \"severity\": \"Low\",\r\n \"query\": \"SecurityAlert | take 1\",\r\n \"queryFrequency\": \"PT5H\",\r\n \"queryPeriod\": \"PT5H\",\r\n \"triggerOperator\": \"GreaterThan\",\r\n \"triggerThreshold\": 10,\r\n \"suppressionDuration\": \"PT1H\",\r\n \"suppressionEnabled\": false,\r\n \"incidentConfiguration\": {\r\n \"createIncident\": true,\r\n \"groupingConfiguration\": {\r\n \"enabled\": false,\r\n \"reopenClosedIncident\": false,\r\n \"lookbackDuration\": \"PT5M\",\r\n \"entitiesMatchingMethod\": \"All\",\r\n \"groupByEntities\": []\r\n }\r\n },\r\n \"displayName\": \"PoshModuleTest2\",\r\n \"enabled\": true,\r\n \"description\": null,\r\n \"tactics\": null,\r\n \"alertRuleTemplateName\": null,\r\n \"lastModifiedUtc\": \"2020-12-10T21:34:47.6156001Z\"\r\n }\r\n }\r\n ]\r\n}",
+ "StatusCode": 200
+ },
+ {
+ "RequestUri": "/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/alertRules/3fefb3df-b5af-4bae-b3b9-2b32e7bb9fa9?api-version=2020-01-01",
+ "EncodedRequestUri": "L3N1YnNjcmlwdGlvbnMvMWM2MWNjYmYtNzBiMy00NWEzLWExZmItODQ4Y2U0NmQ3MGE2L3Jlc291cmNlR3JvdXBzL25kaWNvbGEtYXpzcG9zaC9wcm92aWRlcnMvTWljcm9zb2Z0Lk9wZXJhdGlvbmFsSW5zaWdodHMvd29ya3NwYWNlcy9henNwb3NoL3Byb3ZpZGVycy9NaWNyb3NvZnQuU2VjdXJpdHlJbnNpZ2h0cy9hbGVydFJ1bGVzLzNmZWZiM2RmLWI1YWYtNGJhZS1iM2I5LTJiMzJlN2JiOWZhOT9hcGktdmVyc2lvbj0yMDIwLTAxLTAx",
+ "RequestMethod": "DELETE",
+ "RequestBody": "",
+ "RequestHeaders": {
+ "x-ms-client-request-id": [
+ "c7973a5b-76af-4c10-b802-a0d7df57186c"
+ ],
+ "Accept-Language": [
+ "en-US"
+ ],
+ "User-Agent": [
+ "FxVersion/4.6.29321.03",
+ "OSName/Windows",
+ "OSVersion/Microsoft.Windows.10.0.19042.",
+ "Microsoft.Azure.Management.SecurityInsights.SecurityInsightsClient/1.0.0.0"
+ ]
+ },
+ "ResponseHeaders": {
+ "Cache-Control": [
+ "no-cache"
+ ],
+ "Pragma": [
+ "no-cache"
+ ],
+ "x-ms-ratelimit-remaining-subscription-deletes": [
+ "14999"
+ ],
+ "api-supported-versions": [
+ "2019-01-01-preview"
+ ],
+ "Server": [
+ "Kestrel"
+ ],
+ "x-ms-request-id": [
+ "0b66391e-e59e-4ae8-90f5-a6a924f8d9c1"
+ ],
+ "x-ms-correlation-request-id": [
+ "0b66391e-e59e-4ae8-90f5-a6a924f8d9c1"
+ ],
+ "x-ms-routing-request-id": [
+ "WESTUS2:20201210T213453Z:0b66391e-e59e-4ae8-90f5-a6a924f8d9c1"
+ ],
+ "Strict-Transport-Security": [
+ "max-age=31536000; includeSubDomains"
+ ],
+ "X-Content-Type-Options": [
+ "nosniff"
+ ],
+ "Date": [
+ "Thu, 10 Dec 2020 21:34:52 GMT"
+ ],
+ "Content-Length": [
+ "2"
+ ],
+ "Content-Type": [
+ "application/json; charset=utf-8"
+ ],
+ "Expires": [
+ "-1"
+ ]
+ },
+ "ResponseBody": "{}",
+ "StatusCode": 200
+ },
+ {
+ "RequestUri": "/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/alertRules/3a516217-ec98-4bbf-8d00-c6d7d60095ff?api-version=2020-01-01",
+ "EncodedRequestUri": "L3N1YnNjcmlwdGlvbnMvMWM2MWNjYmYtNzBiMy00NWEzLWExZmItODQ4Y2U0NmQ3MGE2L3Jlc291cmNlR3JvdXBzL25kaWNvbGEtYXpzcG9zaC9wcm92aWRlcnMvTWljcm9zb2Z0Lk9wZXJhdGlvbmFsSW5zaWdodHMvd29ya3NwYWNlcy9henNwb3NoL3Byb3ZpZGVycy9NaWNyb3NvZnQuU2VjdXJpdHlJbnNpZ2h0cy9hbGVydFJ1bGVzLzNhNTE2MjE3LWVjOTgtNGJiZi04ZDAwLWM2ZDdkNjAwOTVmZj9hcGktdmVyc2lvbj0yMDIwLTAxLTAx",
+ "RequestMethod": "DELETE",
+ "RequestBody": "",
+ "RequestHeaders": {
+ "x-ms-client-request-id": [
+ "5c2f7656-683f-4b60-9240-a137aba17098"
+ ],
+ "Accept-Language": [
+ "en-US"
+ ],
+ "User-Agent": [
+ "FxVersion/4.6.29321.03",
+ "OSName/Windows",
+ "OSVersion/Microsoft.Windows.10.0.19042.",
+ "Microsoft.Azure.Management.SecurityInsights.SecurityInsightsClient/1.0.0.0"
+ ]
+ },
+ "ResponseHeaders": {
+ "Cache-Control": [
+ "no-cache"
+ ],
+ "Pragma": [
+ "no-cache"
+ ],
+ "x-ms-ratelimit-remaining-subscription-deletes": [
+ "14998"
+ ],
+ "api-supported-versions": [
+ "2019-01-01-preview"
+ ],
+ "Server": [
+ "Kestrel"
+ ],
+ "x-ms-request-id": [
+ "74421bf5-5ce0-4f9c-8276-d0565bbf2d3a"
+ ],
+ "x-ms-correlation-request-id": [
+ "74421bf5-5ce0-4f9c-8276-d0565bbf2d3a"
+ ],
+ "x-ms-routing-request-id": [
+ "WESTUS2:20201210T213453Z:74421bf5-5ce0-4f9c-8276-d0565bbf2d3a"
+ ],
+ "Strict-Transport-Security": [
+ "max-age=31536000; includeSubDomains"
+ ],
+ "X-Content-Type-Options": [
+ "nosniff"
+ ],
+ "Date": [
+ "Thu, 10 Dec 2020 21:34:52 GMT"
+ ],
+ "Content-Length": [
+ "2"
+ ],
+ "Content-Type": [
+ "application/json; charset=utf-8"
+ ],
+ "Expires": [
+ "-1"
+ ]
+ },
+ "ResponseBody": "{}",
+ "StatusCode": 200
+ }
+ ],
+ "Names": {},
+ "Variables": {
+ "SubscriptionId": "1c61ccbf-70b3-45a3-a1fb-848ce46d70a6"
+ }
+}
\ No newline at end of file
diff --git a/src/SecurityInsights/SecurityInsights.Test/SessionRecords/Microsoft.Azure.Commands.SecurityInsights.Test.ScenarioTests.AlertRulesTests/RemoveAlertRule.json b/src/SecurityInsights/SecurityInsights.Test/SessionRecords/Microsoft.Azure.Commands.SecurityInsights.Test.ScenarioTests.AlertRulesTests/RemoveAlertRule.json
new file mode 100644
index 000000000000..215cda8f5259
--- /dev/null
+++ b/src/SecurityInsights/SecurityInsights.Test/SessionRecords/Microsoft.Azure.Commands.SecurityInsights.Test.ScenarioTests.AlertRulesTests/RemoveAlertRule.json
@@ -0,0 +1,146 @@
+{
+ "Entries": [
+ {
+ "RequestUri": "/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/alertRules/c0a45694-5077-4fd0-a81c-95de70659378?api-version=2020-01-01",
+ "EncodedRequestUri": "L3N1YnNjcmlwdGlvbnMvMWM2MWNjYmYtNzBiMy00NWEzLWExZmItODQ4Y2U0NmQ3MGE2L3Jlc291cmNlR3JvdXBzL25kaWNvbGEtYXpzcG9zaC9wcm92aWRlcnMvTWljcm9zb2Z0Lk9wZXJhdGlvbmFsSW5zaWdodHMvd29ya3NwYWNlcy9henNwb3NoL3Byb3ZpZGVycy9NaWNyb3NvZnQuU2VjdXJpdHlJbnNpZ2h0cy9hbGVydFJ1bGVzL2MwYTQ1Njk0LTUwNzctNGZkMC1hODFjLTk1ZGU3MDY1OTM3OD9hcGktdmVyc2lvbj0yMDIwLTAxLTAx",
+ "RequestMethod": "PUT",
+ "RequestBody": "{\r\n \"kind\": \"Scheduled\",\r\n \"properties\": {\r\n \"query\": \"SecurityAlert | take 1\",\r\n \"queryFrequency\": \"PT5H\",\r\n \"queryPeriod\": \"PT5H\",\r\n \"severity\": \"Low\",\r\n \"triggerOperator\": \"GreaterThan\",\r\n \"triggerThreshold\": 10,\r\n \"displayName\": \"PoshModuleTest\",\r\n \"enabled\": true,\r\n \"suppressionDuration\": \"PT1H\",\r\n \"suppressionEnabled\": false\r\n }\r\n}",
+ "RequestHeaders": {
+ "x-ms-client-request-id": [
+ "4e1cf31e-1395-4ea7-bc81-f03dd5e3e7bb"
+ ],
+ "Accept-Language": [
+ "en-US"
+ ],
+ "User-Agent": [
+ "FxVersion/4.6.29321.03",
+ "OSName/Windows",
+ "OSVersion/Microsoft.Windows.10.0.19042.",
+ "Microsoft.Azure.Management.SecurityInsights.SecurityInsightsClient/1.0.0.0"
+ ],
+ "Content-Type": [
+ "application/json; charset=utf-8"
+ ],
+ "Content-Length": [
+ "372"
+ ]
+ },
+ "ResponseHeaders": {
+ "Cache-Control": [
+ "no-cache"
+ ],
+ "Pragma": [
+ "no-cache"
+ ],
+ "x-ms-ratelimit-remaining-subscription-writes": [
+ "1199"
+ ],
+ "api-supported-versions": [
+ "2019-01-01-preview"
+ ],
+ "Server": [
+ "Kestrel"
+ ],
+ "x-ms-request-id": [
+ "e2f54302-4014-451f-94cc-2a71b56eb2e5"
+ ],
+ "x-ms-correlation-request-id": [
+ "e2f54302-4014-451f-94cc-2a71b56eb2e5"
+ ],
+ "x-ms-routing-request-id": [
+ "WESTUS2:20201210T211659Z:e2f54302-4014-451f-94cc-2a71b56eb2e5"
+ ],
+ "Strict-Transport-Security": [
+ "max-age=31536000; includeSubDomains"
+ ],
+ "X-Content-Type-Options": [
+ "nosniff"
+ ],
+ "Date": [
+ "Thu, 10 Dec 2020 21:16:58 GMT"
+ ],
+ "Content-Length": [
+ "971"
+ ],
+ "Content-Type": [
+ "application/json; charset=utf-8"
+ ],
+ "Expires": [
+ "-1"
+ ]
+ },
+ "ResponseBody": "{\r\n \"id\": \"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/alertRules/c0a45694-5077-4fd0-a81c-95de70659378\",\r\n \"name\": \"c0a45694-5077-4fd0-a81c-95de70659378\",\r\n \"etag\": \"\\\"c20003cd-0000-0100-0000-5fd2904b0000\\\"\",\r\n \"type\": \"Microsoft.SecurityInsights/alertRules\",\r\n \"kind\": \"Scheduled\",\r\n \"properties\": {\r\n \"severity\": \"Low\",\r\n \"query\": \"SecurityAlert | take 1\",\r\n \"queryFrequency\": \"PT5H\",\r\n \"queryPeriod\": \"PT5H\",\r\n \"triggerOperator\": \"GreaterThan\",\r\n \"triggerThreshold\": 10,\r\n \"suppressionDuration\": \"PT1H\",\r\n \"suppressionEnabled\": false,\r\n \"incidentConfiguration\": {\r\n \"createIncident\": true,\r\n \"groupingConfiguration\": {\r\n \"enabled\": false,\r\n \"reopenClosedIncident\": false,\r\n \"lookbackDuration\": \"PT5M\",\r\n \"entitiesMatchingMethod\": \"All\",\r\n \"groupByEntities\": []\r\n }\r\n },\r\n \"displayName\": \"PoshModuleTest\",\r\n \"enabled\": true,\r\n \"description\": null,\r\n \"tactics\": null,\r\n \"alertRuleTemplateName\": null,\r\n \"lastModifiedUtc\": \"2020-12-10T21:16:13.186102Z\"\r\n }\r\n}",
+ "StatusCode": 201
+ },
+ {
+ "RequestUri": "/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/alertRules/c0a45694-5077-4fd0-a81c-95de70659378?api-version=2020-01-01",
+ "EncodedRequestUri": "L3N1YnNjcmlwdGlvbnMvMWM2MWNjYmYtNzBiMy00NWEzLWExZmItODQ4Y2U0NmQ3MGE2L3Jlc291cmNlR3JvdXBzL25kaWNvbGEtYXpzcG9zaC9wcm92aWRlcnMvTWljcm9zb2Z0Lk9wZXJhdGlvbmFsSW5zaWdodHMvd29ya3NwYWNlcy9henNwb3NoL3Byb3ZpZGVycy9NaWNyb3NvZnQuU2VjdXJpdHlJbnNpZ2h0cy9hbGVydFJ1bGVzL2MwYTQ1Njk0LTUwNzctNGZkMC1hODFjLTk1ZGU3MDY1OTM3OD9hcGktdmVyc2lvbj0yMDIwLTAxLTAx",
+ "RequestMethod": "DELETE",
+ "RequestBody": "",
+ "RequestHeaders": {
+ "x-ms-client-request-id": [
+ "15231051-459e-4181-bbdd-22dd90ff4e7c"
+ ],
+ "Accept-Language": [
+ "en-US"
+ ],
+ "User-Agent": [
+ "FxVersion/4.6.29321.03",
+ "OSName/Windows",
+ "OSVersion/Microsoft.Windows.10.0.19042.",
+ "Microsoft.Azure.Management.SecurityInsights.SecurityInsightsClient/1.0.0.0"
+ ]
+ },
+ "ResponseHeaders": {
+ "Cache-Control": [
+ "no-cache"
+ ],
+ "Pragma": [
+ "no-cache"
+ ],
+ "x-ms-ratelimit-remaining-subscription-deletes": [
+ "14999"
+ ],
+ "api-supported-versions": [
+ "2019-01-01-preview"
+ ],
+ "Server": [
+ "Kestrel"
+ ],
+ "x-ms-request-id": [
+ "650f086f-2bde-42b5-97ae-711976b56288"
+ ],
+ "x-ms-correlation-request-id": [
+ "650f086f-2bde-42b5-97ae-711976b56288"
+ ],
+ "x-ms-routing-request-id": [
+ "WESTUS2:20201210T211659Z:650f086f-2bde-42b5-97ae-711976b56288"
+ ],
+ "Strict-Transport-Security": [
+ "max-age=31536000; includeSubDomains"
+ ],
+ "X-Content-Type-Options": [
+ "nosniff"
+ ],
+ "Date": [
+ "Thu, 10 Dec 2020 21:16:58 GMT"
+ ],
+ "Content-Length": [
+ "2"
+ ],
+ "Content-Type": [
+ "application/json; charset=utf-8"
+ ],
+ "Expires": [
+ "-1"
+ ]
+ },
+ "ResponseBody": "{}",
+ "StatusCode": 200
+ }
+ ],
+ "Names": {},
+ "Variables": {
+ "SubscriptionId": "1c61ccbf-70b3-45a3-a1fb-848ce46d70a6"
+ }
+}
\ No newline at end of file
diff --git a/src/SecurityInsights/SecurityInsights.Test/SessionRecords/Microsoft.Azure.Commands.SecurityInsights.Test.ScenarioTests.AlertRulesTests/UpdateAlertRule.json b/src/SecurityInsights/SecurityInsights.Test/SessionRecords/Microsoft.Azure.Commands.SecurityInsights.Test.ScenarioTests.AlertRulesTests/UpdateAlertRule.json
new file mode 100644
index 000000000000..4108392e10fe
--- /dev/null
+++ b/src/SecurityInsights/SecurityInsights.Test/SessionRecords/Microsoft.Azure.Commands.SecurityInsights.Test.ScenarioTests.AlertRulesTests/UpdateAlertRule.json
@@ -0,0 +1,284 @@
+{
+ "Entries": [
+ {
+ "RequestUri": "/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/alertRules/51d3e29d-5e17-48f3-ab1f-68c0dcd010f4?api-version=2020-01-01",
+ "EncodedRequestUri": "L3N1YnNjcmlwdGlvbnMvMWM2MWNjYmYtNzBiMy00NWEzLWExZmItODQ4Y2U0NmQ3MGE2L3Jlc291cmNlR3JvdXBzL25kaWNvbGEtYXpzcG9zaC9wcm92aWRlcnMvTWljcm9zb2Z0Lk9wZXJhdGlvbmFsSW5zaWdodHMvd29ya3NwYWNlcy9henNwb3NoL3Byb3ZpZGVycy9NaWNyb3NvZnQuU2VjdXJpdHlJbnNpZ2h0cy9hbGVydFJ1bGVzLzUxZDNlMjlkLTVlMTctNDhmMy1hYjFmLTY4YzBkY2QwMTBmND9hcGktdmVyc2lvbj0yMDIwLTAxLTAx",
+ "RequestMethod": "PUT",
+ "RequestBody": "{\r\n \"kind\": \"Scheduled\",\r\n \"properties\": {\r\n \"query\": \"SecurityAlert | take 1\",\r\n \"queryFrequency\": \"PT5H\",\r\n \"queryPeriod\": \"PT5H\",\r\n \"severity\": \"Low\",\r\n \"triggerOperator\": \"GreaterThan\",\r\n \"triggerThreshold\": 10,\r\n \"displayName\": \"PoshModuleTest\",\r\n \"enabled\": true,\r\n \"suppressionDuration\": \"PT1H\",\r\n \"suppressionEnabled\": false\r\n }\r\n}",
+ "RequestHeaders": {
+ "x-ms-client-request-id": [
+ "412d12b7-a2f8-4703-9ea3-99ce9ebf5a00"
+ ],
+ "Accept-Language": [
+ "en-US"
+ ],
+ "User-Agent": [
+ "FxVersion/4.6.29321.03",
+ "OSName/Windows",
+ "OSVersion/Microsoft.Windows.10.0.19042.",
+ "Microsoft.Azure.Management.SecurityInsights.SecurityInsightsClient/1.0.0.0"
+ ],
+ "Content-Type": [
+ "application/json; charset=utf-8"
+ ],
+ "Content-Length": [
+ "372"
+ ]
+ },
+ "ResponseHeaders": {
+ "Cache-Control": [
+ "no-cache"
+ ],
+ "Pragma": [
+ "no-cache"
+ ],
+ "x-ms-ratelimit-remaining-subscription-writes": [
+ "1199"
+ ],
+ "api-supported-versions": [
+ "2019-01-01-preview"
+ ],
+ "Server": [
+ "Kestrel"
+ ],
+ "x-ms-request-id": [
+ "1c19c5ce-eee3-4c0d-9ae1-78706737ea31"
+ ],
+ "x-ms-correlation-request-id": [
+ "1c19c5ce-eee3-4c0d-9ae1-78706737ea31"
+ ],
+ "x-ms-routing-request-id": [
+ "WESTUS2:20201210T212027Z:1c19c5ce-eee3-4c0d-9ae1-78706737ea31"
+ ],
+ "Strict-Transport-Security": [
+ "max-age=31536000; includeSubDomains"
+ ],
+ "X-Content-Type-Options": [
+ "nosniff"
+ ],
+ "Date": [
+ "Thu, 10 Dec 2020 21:20:27 GMT"
+ ],
+ "Content-Length": [
+ "971"
+ ],
+ "Content-Type": [
+ "application/json; charset=utf-8"
+ ],
+ "Expires": [
+ "-1"
+ ]
+ },
+ "ResponseBody": "{\r\n \"id\": \"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/alertRules/51d3e29d-5e17-48f3-ab1f-68c0dcd010f4\",\r\n \"name\": \"51d3e29d-5e17-48f3-ab1f-68c0dcd010f4\",\r\n \"etag\": \"\\\"c2000ee0-0000-0100-0000-5fd2911b0000\\\"\",\r\n \"type\": \"Microsoft.SecurityInsights/alertRules\",\r\n \"kind\": \"Scheduled\",\r\n \"properties\": {\r\n \"severity\": \"Low\",\r\n \"query\": \"SecurityAlert | take 1\",\r\n \"queryFrequency\": \"PT5H\",\r\n \"queryPeriod\": \"PT5H\",\r\n \"triggerOperator\": \"GreaterThan\",\r\n \"triggerThreshold\": 10,\r\n \"suppressionDuration\": \"PT1H\",\r\n \"suppressionEnabled\": false,\r\n \"incidentConfiguration\": {\r\n \"createIncident\": true,\r\n \"groupingConfiguration\": {\r\n \"enabled\": false,\r\n \"reopenClosedIncident\": false,\r\n \"lookbackDuration\": \"PT5M\",\r\n \"entitiesMatchingMethod\": \"All\",\r\n \"groupByEntities\": []\r\n }\r\n },\r\n \"displayName\": \"PoshModuleTest\",\r\n \"enabled\": true,\r\n \"description\": null,\r\n \"tactics\": null,\r\n \"alertRuleTemplateName\": null,\r\n \"lastModifiedUtc\": \"2020-12-10T21:19:33.400946Z\"\r\n }\r\n}",
+ "StatusCode": 201
+ },
+ {
+ "RequestUri": "/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/alertRules/51d3e29d-5e17-48f3-ab1f-68c0dcd010f4?api-version=2020-01-01",
+ "EncodedRequestUri": "L3N1YnNjcmlwdGlvbnMvMWM2MWNjYmYtNzBiMy00NWEzLWExZmItODQ4Y2U0NmQ3MGE2L3Jlc291cmNlR3JvdXBzL25kaWNvbGEtYXpzcG9zaC9wcm92aWRlcnMvTWljcm9zb2Z0Lk9wZXJhdGlvbmFsSW5zaWdodHMvd29ya3NwYWNlcy9henNwb3NoL3Byb3ZpZGVycy9NaWNyb3NvZnQuU2VjdXJpdHlJbnNpZ2h0cy9hbGVydFJ1bGVzLzUxZDNlMjlkLTVlMTctNDhmMy1hYjFmLTY4YzBkY2QwMTBmND9hcGktdmVyc2lvbj0yMDIwLTAxLTAx",
+ "RequestMethod": "PUT",
+ "RequestBody": "{\r\n \"kind\": \"Scheduled\",\r\n \"properties\": {\r\n \"query\": \"SecurityAlert | take 1\",\r\n \"queryFrequency\": \"PT5H\",\r\n \"queryPeriod\": \"PT5H\",\r\n \"severity\": \"Low\",\r\n \"triggerOperator\": \"GreaterThan\",\r\n \"triggerThreshold\": 10,\r\n \"displayName\": \"PoshModuleTest\",\r\n \"enabled\": false,\r\n \"suppressionDuration\": \"PT1H\",\r\n \"suppressionEnabled\": false\r\n },\r\n \"etag\": \"\\\"c2000ee0-0000-0100-0000-5fd2911b0000\\\"\"\r\n}",
+ "RequestHeaders": {
+ "x-ms-client-request-id": [
+ "90d61734-5ae9-438a-91c8-df6fd08a1c17"
+ ],
+ "Accept-Language": [
+ "en-US"
+ ],
+ "User-Agent": [
+ "FxVersion/4.6.29321.03",
+ "OSName/Windows",
+ "OSVersion/Microsoft.Windows.10.0.19042.",
+ "Microsoft.Azure.Management.SecurityInsights.SecurityInsightsClient/1.0.0.0"
+ ],
+ "Content-Type": [
+ "application/json; charset=utf-8"
+ ],
+ "Content-Length": [
+ "428"
+ ]
+ },
+ "ResponseHeaders": {
+ "Cache-Control": [
+ "no-cache"
+ ],
+ "Pragma": [
+ "no-cache"
+ ],
+ "x-ms-ratelimit-remaining-subscription-writes": [
+ "1198"
+ ],
+ "api-supported-versions": [
+ "2019-01-01-preview"
+ ],
+ "Server": [
+ "Kestrel"
+ ],
+ "x-ms-request-id": [
+ "b75acf2d-4d43-4d0f-8a35-9520ccd82b50"
+ ],
+ "x-ms-correlation-request-id": [
+ "b75acf2d-4d43-4d0f-8a35-9520ccd82b50"
+ ],
+ "x-ms-routing-request-id": [
+ "WESTUS2:20201210T212028Z:b75acf2d-4d43-4d0f-8a35-9520ccd82b50"
+ ],
+ "Strict-Transport-Security": [
+ "max-age=31536000; includeSubDomains"
+ ],
+ "X-Content-Type-Options": [
+ "nosniff"
+ ],
+ "Date": [
+ "Thu, 10 Dec 2020 21:20:27 GMT"
+ ],
+ "Content-Length": [
+ "973"
+ ],
+ "Content-Type": [
+ "application/json; charset=utf-8"
+ ],
+ "Expires": [
+ "-1"
+ ]
+ },
+ "ResponseBody": "{\r\n \"id\": \"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/alertRules/51d3e29d-5e17-48f3-ab1f-68c0dcd010f4\",\r\n \"name\": \"51d3e29d-5e17-48f3-ab1f-68c0dcd010f4\",\r\n \"etag\": \"\\\"c2001ee0-0000-0100-0000-5fd2911c0000\\\"\",\r\n \"type\": \"Microsoft.SecurityInsights/alertRules\",\r\n \"kind\": \"Scheduled\",\r\n \"properties\": {\r\n \"severity\": \"Low\",\r\n \"query\": \"SecurityAlert | take 1\",\r\n \"queryFrequency\": \"PT5H\",\r\n \"queryPeriod\": \"PT5H\",\r\n \"triggerOperator\": \"GreaterThan\",\r\n \"triggerThreshold\": 10,\r\n \"suppressionDuration\": \"PT1H\",\r\n \"suppressionEnabled\": false,\r\n \"incidentConfiguration\": {\r\n \"createIncident\": true,\r\n \"groupingConfiguration\": {\r\n \"enabled\": false,\r\n \"reopenClosedIncident\": false,\r\n \"lookbackDuration\": \"PT5M\",\r\n \"entitiesMatchingMethod\": \"All\",\r\n \"groupByEntities\": []\r\n }\r\n },\r\n \"displayName\": \"PoshModuleTest\",\r\n \"enabled\": false,\r\n \"description\": null,\r\n \"tactics\": null,\r\n \"alertRuleTemplateName\": null,\r\n \"lastModifiedUtc\": \"2020-12-10T21:20:28.1710289Z\"\r\n }\r\n}",
+ "StatusCode": 200
+ },
+ {
+ "RequestUri": "/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/alertRules/51d3e29d-5e17-48f3-ab1f-68c0dcd010f4?api-version=2020-01-01",
+ "EncodedRequestUri": "L3N1YnNjcmlwdGlvbnMvMWM2MWNjYmYtNzBiMy00NWEzLWExZmItODQ4Y2U0NmQ3MGE2L3Jlc291cmNlR3JvdXBzL25kaWNvbGEtYXpzcG9zaC9wcm92aWRlcnMvTWljcm9zb2Z0Lk9wZXJhdGlvbmFsSW5zaWdodHMvd29ya3NwYWNlcy9henNwb3NoL3Byb3ZpZGVycy9NaWNyb3NvZnQuU2VjdXJpdHlJbnNpZ2h0cy9hbGVydFJ1bGVzLzUxZDNlMjlkLTVlMTctNDhmMy1hYjFmLTY4YzBkY2QwMTBmND9hcGktdmVyc2lvbj0yMDIwLTAxLTAx",
+ "RequestMethod": "GET",
+ "RequestBody": "",
+ "RequestHeaders": {
+ "x-ms-client-request-id": [
+ "1d8f6db3-16d7-4081-a56f-c58778d44bb4"
+ ],
+ "Accept-Language": [
+ "en-US"
+ ],
+ "User-Agent": [
+ "FxVersion/4.6.29321.03",
+ "OSName/Windows",
+ "OSVersion/Microsoft.Windows.10.0.19042.",
+ "Microsoft.Azure.Management.SecurityInsights.SecurityInsightsClient/1.0.0.0"
+ ]
+ },
+ "ResponseHeaders": {
+ "Cache-Control": [
+ "no-cache"
+ ],
+ "Pragma": [
+ "no-cache"
+ ],
+ "x-ms-ratelimit-remaining-subscription-reads": [
+ "11999"
+ ],
+ "api-supported-versions": [
+ "2019-01-01-preview"
+ ],
+ "Server": [
+ "Kestrel"
+ ],
+ "x-ms-request-id": [
+ "69cd6d8f-6131-4a43-9ba5-9b6c3e80f575"
+ ],
+ "x-ms-correlation-request-id": [
+ "69cd6d8f-6131-4a43-9ba5-9b6c3e80f575"
+ ],
+ "x-ms-routing-request-id": [
+ "WESTUS2:20201210T212028Z:69cd6d8f-6131-4a43-9ba5-9b6c3e80f575"
+ ],
+ "Strict-Transport-Security": [
+ "max-age=31536000; includeSubDomains"
+ ],
+ "X-Content-Type-Options": [
+ "nosniff"
+ ],
+ "Date": [
+ "Thu, 10 Dec 2020 21:20:27 GMT"
+ ],
+ "Content-Length": [
+ "971"
+ ],
+ "Content-Type": [
+ "application/json; charset=utf-8"
+ ],
+ "Expires": [
+ "-1"
+ ]
+ },
+ "ResponseBody": "{\r\n \"id\": \"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/alertRules/51d3e29d-5e17-48f3-ab1f-68c0dcd010f4\",\r\n \"name\": \"51d3e29d-5e17-48f3-ab1f-68c0dcd010f4\",\r\n \"etag\": \"\\\"c2000ee0-0000-0100-0000-5fd2911b0000\\\"\",\r\n \"type\": \"Microsoft.SecurityInsights/alertRules\",\r\n \"kind\": \"Scheduled\",\r\n \"properties\": {\r\n \"severity\": \"Low\",\r\n \"query\": \"SecurityAlert | take 1\",\r\n \"queryFrequency\": \"PT5H\",\r\n \"queryPeriod\": \"PT5H\",\r\n \"triggerOperator\": \"GreaterThan\",\r\n \"triggerThreshold\": 10,\r\n \"suppressionDuration\": \"PT1H\",\r\n \"suppressionEnabled\": false,\r\n \"incidentConfiguration\": {\r\n \"createIncident\": true,\r\n \"groupingConfiguration\": {\r\n \"enabled\": false,\r\n \"reopenClosedIncident\": false,\r\n \"lookbackDuration\": \"PT5M\",\r\n \"entitiesMatchingMethod\": \"All\",\r\n \"groupByEntities\": []\r\n }\r\n },\r\n \"displayName\": \"PoshModuleTest\",\r\n \"enabled\": true,\r\n \"description\": null,\r\n \"tactics\": null,\r\n \"alertRuleTemplateName\": null,\r\n \"lastModifiedUtc\": \"2020-12-10T21:19:33.400946Z\"\r\n }\r\n}",
+ "StatusCode": 200
+ },
+ {
+ "RequestUri": "/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/alertRules/51d3e29d-5e17-48f3-ab1f-68c0dcd010f4?api-version=2020-01-01",
+ "EncodedRequestUri": "L3N1YnNjcmlwdGlvbnMvMWM2MWNjYmYtNzBiMy00NWEzLWExZmItODQ4Y2U0NmQ3MGE2L3Jlc291cmNlR3JvdXBzL25kaWNvbGEtYXpzcG9zaC9wcm92aWRlcnMvTWljcm9zb2Z0Lk9wZXJhdGlvbmFsSW5zaWdodHMvd29ya3NwYWNlcy9henNwb3NoL3Byb3ZpZGVycy9NaWNyb3NvZnQuU2VjdXJpdHlJbnNpZ2h0cy9hbGVydFJ1bGVzLzUxZDNlMjlkLTVlMTctNDhmMy1hYjFmLTY4YzBkY2QwMTBmND9hcGktdmVyc2lvbj0yMDIwLTAxLTAx",
+ "RequestMethod": "DELETE",
+ "RequestBody": "",
+ "RequestHeaders": {
+ "x-ms-client-request-id": [
+ "44dabf1e-8f58-40b6-92ce-a008f35abbb0"
+ ],
+ "Accept-Language": [
+ "en-US"
+ ],
+ "User-Agent": [
+ "FxVersion/4.6.29321.03",
+ "OSName/Windows",
+ "OSVersion/Microsoft.Windows.10.0.19042.",
+ "Microsoft.Azure.Management.SecurityInsights.SecurityInsightsClient/1.0.0.0"
+ ]
+ },
+ "ResponseHeaders": {
+ "Cache-Control": [
+ "no-cache"
+ ],
+ "Pragma": [
+ "no-cache"
+ ],
+ "x-ms-ratelimit-remaining-subscription-deletes": [
+ "14999"
+ ],
+ "api-supported-versions": [
+ "2019-01-01-preview"
+ ],
+ "Server": [
+ "Kestrel"
+ ],
+ "x-ms-request-id": [
+ "3cab1b85-c4d6-4dd5-a1cb-97c460e54436"
+ ],
+ "x-ms-correlation-request-id": [
+ "3cab1b85-c4d6-4dd5-a1cb-97c460e54436"
+ ],
+ "x-ms-routing-request-id": [
+ "WESTUS2:20201210T212028Z:3cab1b85-c4d6-4dd5-a1cb-97c460e54436"
+ ],
+ "Strict-Transport-Security": [
+ "max-age=31536000; includeSubDomains"
+ ],
+ "X-Content-Type-Options": [
+ "nosniff"
+ ],
+ "Date": [
+ "Thu, 10 Dec 2020 21:20:27 GMT"
+ ],
+ "Content-Length": [
+ "2"
+ ],
+ "Content-Type": [
+ "application/json; charset=utf-8"
+ ],
+ "Expires": [
+ "-1"
+ ]
+ },
+ "ResponseBody": "{}",
+ "StatusCode": 200
+ }
+ ],
+ "Names": {},
+ "Variables": {
+ "SubscriptionId": "1c61ccbf-70b3-45a3-a1fb-848ce46d70a6"
+ }
+}
\ No newline at end of file
diff --git a/src/SecurityInsights/SecurityInsights.Test/SessionRecords/Microsoft.Azure.Commands.SecurityInsights.Test.ScenarioTests.BookmarksTests/Create.json b/src/SecurityInsights/SecurityInsights.Test/SessionRecords/Microsoft.Azure.Commands.SecurityInsights.Test.ScenarioTests.BookmarksTests/Create.json
new file mode 100644
index 000000000000..b6c81cbd1f51
--- /dev/null
+++ b/src/SecurityInsights/SecurityInsights.Test/SessionRecords/Microsoft.Azure.Commands.SecurityInsights.Test.ScenarioTests.BookmarksTests/Create.json
@@ -0,0 +1,146 @@
+{
+ "Entries": [
+ {
+ "RequestUri": "/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/bookmarks/3a1bd654-9986-4fb9-8584-36f9aba00356?api-version=2020-01-01",
+ "EncodedRequestUri": "L3N1YnNjcmlwdGlvbnMvMWM2MWNjYmYtNzBiMy00NWEzLWExZmItODQ4Y2U0NmQ3MGE2L3Jlc291cmNlR3JvdXBzL25kaWNvbGEtYXpzcG9zaC9wcm92aWRlcnMvTWljcm9zb2Z0Lk9wZXJhdGlvbmFsSW5zaWdodHMvd29ya3NwYWNlcy9henNwb3NoL3Byb3ZpZGVycy9NaWNyb3NvZnQuU2VjdXJpdHlJbnNpZ2h0cy9ib29rbWFya3MvM2ExYmQ2NTQtOTk4Ni00ZmI5LTg1ODQtMzZmOWFiYTAwMzU2P2FwaS12ZXJzaW9uPTIwMjAtMDEtMDE=",
+ "RequestMethod": "PUT",
+ "RequestBody": "{\r\n \"properties\": {\r\n \"created\": \"2020-12-10T21:13:18.6069112Z\",\r\n \"displayName\": \"PoshModuleTest\",\r\n \"query\": \"SecurityAlert | take 1\"\r\n }\r\n}",
+ "RequestHeaders": {
+ "x-ms-client-request-id": [
+ "2a941b16-0e14-4470-ada8-a0c0ad18a3b4"
+ ],
+ "Accept-Language": [
+ "en-US"
+ ],
+ "User-Agent": [
+ "FxVersion/4.6.29321.03",
+ "OSName/Windows",
+ "OSVersion/Microsoft.Windows.10.0.19042.",
+ "Microsoft.Azure.Management.SecurityInsights.SecurityInsightsClient/1.0.0.0"
+ ],
+ "Content-Type": [
+ "application/json; charset=utf-8"
+ ],
+ "Content-Length": [
+ "153"
+ ]
+ },
+ "ResponseHeaders": {
+ "Cache-Control": [
+ "no-cache"
+ ],
+ "Pragma": [
+ "no-cache"
+ ],
+ "x-ms-ratelimit-remaining-subscription-writes": [
+ "1199"
+ ],
+ "api-supported-versions": [
+ "2019-01-01"
+ ],
+ "Server": [
+ "Kestrel"
+ ],
+ "x-ms-request-id": [
+ "e55a0bd4-e580-406c-8655-fa4e39cb9b0a"
+ ],
+ "x-ms-correlation-request-id": [
+ "e55a0bd4-e580-406c-8655-fa4e39cb9b0a"
+ ],
+ "x-ms-routing-request-id": [
+ "WESTUS2:20201210T211319Z:e55a0bd4-e580-406c-8655-fa4e39cb9b0a"
+ ],
+ "Strict-Transport-Security": [
+ "max-age=31536000; includeSubDomains"
+ ],
+ "X-Content-Type-Options": [
+ "nosniff"
+ ],
+ "Date": [
+ "Thu, 10 Dec 2020 21:13:19 GMT"
+ ],
+ "Content-Length": [
+ "935"
+ ],
+ "Content-Type": [
+ "application/json; charset=utf-8"
+ ],
+ "Expires": [
+ "-1"
+ ]
+ },
+ "ResponseBody": "{\r\n \"id\": \"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/Bookmarks/3a1bd654-9986-4fb9-8584-36f9aba00356\",\r\n \"name\": \"3a1bd654-9986-4fb9-8584-36f9aba00356\",\r\n \"etag\": \"\\\"240092d7-0000-0100-0000-5fd28f6f0000\\\"\",\r\n \"type\": \"Microsoft.SecurityInsights/Bookmarks\",\r\n \"properties\": {\r\n \"displayName\": \"PoshModuleTest\",\r\n \"created\": \"2020-12-10T21:13:19.1440058+00:00\",\r\n \"updated\": \"2020-12-10T21:13:19+00:00\",\r\n \"createdBy\": {\r\n \"objectId\": \"14c93cf3-e5e3-45cf-8b4e-1a6f62bdf202\",\r\n \"name\": \"Bookmark created from external application - azsposh\"\r\n },\r\n \"updatedBy\": {\r\n \"objectId\": \"14c93cf3-e5e3-45cf-8b4e-1a6f62bdf202\",\r\n \"name\": \"Bookmark created from external application - azsposh\"\r\n },\r\n \"eventTime\": \"2020-12-10T21:13:19.1440058+00:00\",\r\n \"labels\": [],\r\n \"query\": \"SecurityAlert | take 1\",\r\n \"incidentInfo\": {\r\n \"incidentId\": null,\r\n \"title\": null,\r\n \"relationName\": null,\r\n \"severity\": null\r\n }\r\n }\r\n}",
+ "StatusCode": 200
+ },
+ {
+ "RequestUri": "/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/bookmarks/3a1bd654-9986-4fb9-8584-36f9aba00356?api-version=2020-01-01",
+ "EncodedRequestUri": "L3N1YnNjcmlwdGlvbnMvMWM2MWNjYmYtNzBiMy00NWEzLWExZmItODQ4Y2U0NmQ3MGE2L3Jlc291cmNlR3JvdXBzL25kaWNvbGEtYXpzcG9zaC9wcm92aWRlcnMvTWljcm9zb2Z0Lk9wZXJhdGlvbmFsSW5zaWdodHMvd29ya3NwYWNlcy9henNwb3NoL3Byb3ZpZGVycy9NaWNyb3NvZnQuU2VjdXJpdHlJbnNpZ2h0cy9ib29rbWFya3MvM2ExYmQ2NTQtOTk4Ni00ZmI5LTg1ODQtMzZmOWFiYTAwMzU2P2FwaS12ZXJzaW9uPTIwMjAtMDEtMDE=",
+ "RequestMethod": "DELETE",
+ "RequestBody": "",
+ "RequestHeaders": {
+ "x-ms-client-request-id": [
+ "fc6c0c8a-978a-4229-b550-57ee1e83aed9"
+ ],
+ "Accept-Language": [
+ "en-US"
+ ],
+ "User-Agent": [
+ "FxVersion/4.6.29321.03",
+ "OSName/Windows",
+ "OSVersion/Microsoft.Windows.10.0.19042.",
+ "Microsoft.Azure.Management.SecurityInsights.SecurityInsightsClient/1.0.0.0"
+ ]
+ },
+ "ResponseHeaders": {
+ "Cache-Control": [
+ "no-cache"
+ ],
+ "Pragma": [
+ "no-cache"
+ ],
+ "x-ms-ratelimit-remaining-subscription-deletes": [
+ "14999"
+ ],
+ "api-supported-versions": [
+ "2019-01-01"
+ ],
+ "Server": [
+ "Kestrel"
+ ],
+ "x-ms-request-id": [
+ "6d181d77-7fb0-4c25-810f-2ebbd74dfa2a"
+ ],
+ "x-ms-correlation-request-id": [
+ "6d181d77-7fb0-4c25-810f-2ebbd74dfa2a"
+ ],
+ "x-ms-routing-request-id": [
+ "WESTUS2:20201210T211320Z:6d181d77-7fb0-4c25-810f-2ebbd74dfa2a"
+ ],
+ "Strict-Transport-Security": [
+ "max-age=31536000; includeSubDomains"
+ ],
+ "X-Content-Type-Options": [
+ "nosniff"
+ ],
+ "Date": [
+ "Thu, 10 Dec 2020 21:13:20 GMT"
+ ],
+ "Content-Length": [
+ "2"
+ ],
+ "Content-Type": [
+ "application/json; charset=utf-8"
+ ],
+ "Expires": [
+ "-1"
+ ]
+ },
+ "ResponseBody": "{}",
+ "StatusCode": 200
+ }
+ ],
+ "Names": {},
+ "Variables": {
+ "SubscriptionId": "1c61ccbf-70b3-45a3-a1fb-848ce46d70a6"
+ }
+}
\ No newline at end of file
diff --git a/src/SecurityInsights/SecurityInsights.Test/SessionRecords/Microsoft.Azure.Commands.SecurityInsights.Test.ScenarioTests.BookmarksTests/Get.json b/src/SecurityInsights/SecurityInsights.Test/SessionRecords/Microsoft.Azure.Commands.SecurityInsights.Test.ScenarioTests.BookmarksTests/Get.json
new file mode 100644
index 000000000000..89156d0d3415
--- /dev/null
+++ b/src/SecurityInsights/SecurityInsights.Test/SessionRecords/Microsoft.Azure.Commands.SecurityInsights.Test.ScenarioTests.BookmarksTests/Get.json
@@ -0,0 +1,212 @@
+{
+ "Entries": [
+ {
+ "RequestUri": "/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/bookmarks/2032256f-9912-476d-805b-ea3f60243ac8?api-version=2020-01-01",
+ "EncodedRequestUri": "L3N1YnNjcmlwdGlvbnMvMWM2MWNjYmYtNzBiMy00NWEzLWExZmItODQ4Y2U0NmQ3MGE2L3Jlc291cmNlR3JvdXBzL25kaWNvbGEtYXpzcG9zaC9wcm92aWRlcnMvTWljcm9zb2Z0Lk9wZXJhdGlvbmFsSW5zaWdodHMvd29ya3NwYWNlcy9henNwb3NoL3Byb3ZpZGVycy9NaWNyb3NvZnQuU2VjdXJpdHlJbnNpZ2h0cy9ib29rbWFya3MvMjAzMjI1NmYtOTkxMi00NzZkLTgwNWItZWEzZjYwMjQzYWM4P2FwaS12ZXJzaW9uPTIwMjAtMDEtMDE=",
+ "RequestMethod": "PUT",
+ "RequestBody": "{\r\n \"properties\": {\r\n \"created\": \"2020-12-10T21:13:33.936393Z\",\r\n \"displayName\": \"PoshModuleTest\",\r\n \"query\": \"SecurityAlert | take 1\"\r\n }\r\n}",
+ "RequestHeaders": {
+ "x-ms-client-request-id": [
+ "3a31a54b-ac78-4f5c-a811-35a2d5ce6e2b"
+ ],
+ "Accept-Language": [
+ "en-US"
+ ],
+ "User-Agent": [
+ "FxVersion/4.6.29321.03",
+ "OSName/Windows",
+ "OSVersion/Microsoft.Windows.10.0.19042.",
+ "Microsoft.Azure.Management.SecurityInsights.SecurityInsightsClient/1.0.0.0"
+ ],
+ "Content-Type": [
+ "application/json; charset=utf-8"
+ ],
+ "Content-Length": [
+ "152"
+ ]
+ },
+ "ResponseHeaders": {
+ "Cache-Control": [
+ "no-cache"
+ ],
+ "Pragma": [
+ "no-cache"
+ ],
+ "x-ms-ratelimit-remaining-subscription-writes": [
+ "1199"
+ ],
+ "api-supported-versions": [
+ "2019-01-01"
+ ],
+ "Server": [
+ "Kestrel"
+ ],
+ "x-ms-request-id": [
+ "1908d559-0608-43de-afc7-86ef311a1f64"
+ ],
+ "x-ms-correlation-request-id": [
+ "1908d559-0608-43de-afc7-86ef311a1f64"
+ ],
+ "x-ms-routing-request-id": [
+ "WESTUS2:20201210T211335Z:1908d559-0608-43de-afc7-86ef311a1f64"
+ ],
+ "Strict-Transport-Security": [
+ "max-age=31536000; includeSubDomains"
+ ],
+ "X-Content-Type-Options": [
+ "nosniff"
+ ],
+ "Date": [
+ "Thu, 10 Dec 2020 21:13:35 GMT"
+ ],
+ "Content-Length": [
+ "933"
+ ],
+ "Content-Type": [
+ "application/json; charset=utf-8"
+ ],
+ "Expires": [
+ "-1"
+ ]
+ },
+ "ResponseBody": "{\r\n \"id\": \"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/Bookmarks/2032256f-9912-476d-805b-ea3f60243ac8\",\r\n \"name\": \"2032256f-9912-476d-805b-ea3f60243ac8\",\r\n \"etag\": \"\\\"2400dbd7-0000-0100-0000-5fd28f7e0000\\\"\",\r\n \"type\": \"Microsoft.SecurityInsights/Bookmarks\",\r\n \"properties\": {\r\n \"displayName\": \"PoshModuleTest\",\r\n \"created\": \"2020-12-10T21:13:34.478141+00:00\",\r\n \"updated\": \"2020-12-10T21:13:34+00:00\",\r\n \"createdBy\": {\r\n \"objectId\": \"14c93cf3-e5e3-45cf-8b4e-1a6f62bdf202\",\r\n \"name\": \"Bookmark created from external application - azsposh\"\r\n },\r\n \"updatedBy\": {\r\n \"objectId\": \"14c93cf3-e5e3-45cf-8b4e-1a6f62bdf202\",\r\n \"name\": \"Bookmark created from external application - azsposh\"\r\n },\r\n \"eventTime\": \"2020-12-10T21:13:34.478141+00:00\",\r\n \"labels\": [],\r\n \"query\": \"SecurityAlert | take 1\",\r\n \"incidentInfo\": {\r\n \"incidentId\": null,\r\n \"title\": null,\r\n \"relationName\": null,\r\n \"severity\": null\r\n }\r\n }\r\n}",
+ "StatusCode": 200
+ },
+ {
+ "RequestUri": "/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/bookmarks/2032256f-9912-476d-805b-ea3f60243ac8?api-version=2020-01-01",
+ "EncodedRequestUri": "L3N1YnNjcmlwdGlvbnMvMWM2MWNjYmYtNzBiMy00NWEzLWExZmItODQ4Y2U0NmQ3MGE2L3Jlc291cmNlR3JvdXBzL25kaWNvbGEtYXpzcG9zaC9wcm92aWRlcnMvTWljcm9zb2Z0Lk9wZXJhdGlvbmFsSW5zaWdodHMvd29ya3NwYWNlcy9henNwb3NoL3Byb3ZpZGVycy9NaWNyb3NvZnQuU2VjdXJpdHlJbnNpZ2h0cy9ib29rbWFya3MvMjAzMjI1NmYtOTkxMi00NzZkLTgwNWItZWEzZjYwMjQzYWM4P2FwaS12ZXJzaW9uPTIwMjAtMDEtMDE=",
+ "RequestMethod": "GET",
+ "RequestBody": "",
+ "RequestHeaders": {
+ "x-ms-client-request-id": [
+ "dcd74500-efd0-460f-8d23-66bbfa9d8505"
+ ],
+ "Accept-Language": [
+ "en-US"
+ ],
+ "User-Agent": [
+ "FxVersion/4.6.29321.03",
+ "OSName/Windows",
+ "OSVersion/Microsoft.Windows.10.0.19042.",
+ "Microsoft.Azure.Management.SecurityInsights.SecurityInsightsClient/1.0.0.0"
+ ]
+ },
+ "ResponseHeaders": {
+ "Cache-Control": [
+ "no-cache"
+ ],
+ "Pragma": [
+ "no-cache"
+ ],
+ "x-ms-ratelimit-remaining-subscription-reads": [
+ "11999"
+ ],
+ "api-supported-versions": [
+ "2019-01-01"
+ ],
+ "Server": [
+ "Kestrel"
+ ],
+ "x-ms-request-id": [
+ "7bff831b-e366-4a8b-bcf3-b770986515a6"
+ ],
+ "x-ms-correlation-request-id": [
+ "7bff831b-e366-4a8b-bcf3-b770986515a6"
+ ],
+ "x-ms-routing-request-id": [
+ "WESTUS2:20201210T211335Z:7bff831b-e366-4a8b-bcf3-b770986515a6"
+ ],
+ "Strict-Transport-Security": [
+ "max-age=31536000; includeSubDomains"
+ ],
+ "X-Content-Type-Options": [
+ "nosniff"
+ ],
+ "Date": [
+ "Thu, 10 Dec 2020 21:13:35 GMT"
+ ],
+ "Content-Length": [
+ "940"
+ ],
+ "Content-Type": [
+ "application/json; charset=utf-8"
+ ],
+ "Expires": [
+ "-1"
+ ]
+ },
+ "ResponseBody": "{\r\n \"id\": \"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/Bookmarks/2032256f-9912-476d-805b-ea3f60243ac8\",\r\n \"name\": \"2032256f-9912-476d-805b-ea3f60243ac8\",\r\n \"etag\": \"\\\"2400dbd7-0000-0100-0000-5fd28f7e0000\\\"\",\r\n \"type\": \"Microsoft.SecurityInsights/Bookmarks\",\r\n \"properties\": {\r\n \"displayName\": \"PoshModuleTest\",\r\n \"created\": \"2020-12-10T21:13:34.478141+00:00\",\r\n \"updated\": \"2020-12-10T21:13:34.478141+00:00\",\r\n \"createdBy\": {\r\n \"objectId\": \"14c93cf3-e5e3-45cf-8b4e-1a6f62bdf202\",\r\n \"name\": \"Bookmark created from external application - azsposh\"\r\n },\r\n \"updatedBy\": {\r\n \"objectId\": \"14c93cf3-e5e3-45cf-8b4e-1a6f62bdf202\",\r\n \"name\": \"Bookmark created from external application - azsposh\"\r\n },\r\n \"eventTime\": \"2020-12-10T21:13:34.478141+00:00\",\r\n \"labels\": [],\r\n \"query\": \"SecurityAlert | take 1\",\r\n \"incidentInfo\": {\r\n \"incidentId\": null,\r\n \"title\": null,\r\n \"relationName\": null,\r\n \"severity\": null\r\n }\r\n }\r\n}",
+ "StatusCode": 200
+ },
+ {
+ "RequestUri": "/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/bookmarks/2032256f-9912-476d-805b-ea3f60243ac8?api-version=2020-01-01",
+ "EncodedRequestUri": "L3N1YnNjcmlwdGlvbnMvMWM2MWNjYmYtNzBiMy00NWEzLWExZmItODQ4Y2U0NmQ3MGE2L3Jlc291cmNlR3JvdXBzL25kaWNvbGEtYXpzcG9zaC9wcm92aWRlcnMvTWljcm9zb2Z0Lk9wZXJhdGlvbmFsSW5zaWdodHMvd29ya3NwYWNlcy9henNwb3NoL3Byb3ZpZGVycy9NaWNyb3NvZnQuU2VjdXJpdHlJbnNpZ2h0cy9ib29rbWFya3MvMjAzMjI1NmYtOTkxMi00NzZkLTgwNWItZWEzZjYwMjQzYWM4P2FwaS12ZXJzaW9uPTIwMjAtMDEtMDE=",
+ "RequestMethod": "DELETE",
+ "RequestBody": "",
+ "RequestHeaders": {
+ "x-ms-client-request-id": [
+ "d7245575-ceee-4253-9d45-61815c0c8b0b"
+ ],
+ "Accept-Language": [
+ "en-US"
+ ],
+ "User-Agent": [
+ "FxVersion/4.6.29321.03",
+ "OSName/Windows",
+ "OSVersion/Microsoft.Windows.10.0.19042.",
+ "Microsoft.Azure.Management.SecurityInsights.SecurityInsightsClient/1.0.0.0"
+ ]
+ },
+ "ResponseHeaders": {
+ "Cache-Control": [
+ "no-cache"
+ ],
+ "Pragma": [
+ "no-cache"
+ ],
+ "x-ms-ratelimit-remaining-subscription-deletes": [
+ "14999"
+ ],
+ "api-supported-versions": [
+ "2019-01-01"
+ ],
+ "Server": [
+ "Kestrel"
+ ],
+ "x-ms-request-id": [
+ "f3385ebf-0b51-4f76-ad8d-8a6fc6705b3a"
+ ],
+ "x-ms-correlation-request-id": [
+ "f3385ebf-0b51-4f76-ad8d-8a6fc6705b3a"
+ ],
+ "x-ms-routing-request-id": [
+ "WESTUS2:20201210T211336Z:f3385ebf-0b51-4f76-ad8d-8a6fc6705b3a"
+ ],
+ "Strict-Transport-Security": [
+ "max-age=31536000; includeSubDomains"
+ ],
+ "X-Content-Type-Options": [
+ "nosniff"
+ ],
+ "Date": [
+ "Thu, 10 Dec 2020 21:13:36 GMT"
+ ],
+ "Content-Length": [
+ "2"
+ ],
+ "Content-Type": [
+ "application/json; charset=utf-8"
+ ],
+ "Expires": [
+ "-1"
+ ]
+ },
+ "ResponseBody": "{}",
+ "StatusCode": 200
+ }
+ ],
+ "Names": {},
+ "Variables": {
+ "SubscriptionId": "1c61ccbf-70b3-45a3-a1fb-848ce46d70a6"
+ }
+}
\ No newline at end of file
diff --git a/src/SecurityInsights/SecurityInsights.Test/SessionRecords/Microsoft.Azure.Commands.SecurityInsights.Test.ScenarioTests.BookmarksTests/InputObject.json b/src/SecurityInsights/SecurityInsights.Test/SessionRecords/Microsoft.Azure.Commands.SecurityInsights.Test.ScenarioTests.BookmarksTests/InputObject.json
new file mode 100644
index 000000000000..8770e421734c
--- /dev/null
+++ b/src/SecurityInsights/SecurityInsights.Test/SessionRecords/Microsoft.Azure.Commands.SecurityInsights.Test.ScenarioTests.BookmarksTests/InputObject.json
@@ -0,0 +1,284 @@
+{
+ "Entries": [
+ {
+ "RequestUri": "/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/bookmarks/4324441a-de38-42c2-83dd-bb93db929e7c?api-version=2020-01-01",
+ "EncodedRequestUri": "L3N1YnNjcmlwdGlvbnMvMWM2MWNjYmYtNzBiMy00NWEzLWExZmItODQ4Y2U0NmQ3MGE2L3Jlc291cmNlR3JvdXBzL25kaWNvbGEtYXpzcG9zaC9wcm92aWRlcnMvTWljcm9zb2Z0Lk9wZXJhdGlvbmFsSW5zaWdodHMvd29ya3NwYWNlcy9henNwb3NoL3Byb3ZpZGVycy9NaWNyb3NvZnQuU2VjdXJpdHlJbnNpZ2h0cy9ib29rbWFya3MvNDMyNDQ0MWEtZGUzOC00MmMyLTgzZGQtYmI5M2RiOTI5ZTdjP2FwaS12ZXJzaW9uPTIwMjAtMDEtMDE=",
+ "RequestMethod": "PUT",
+ "RequestBody": "{\r\n \"properties\": {\r\n \"created\": \"2020-12-10T21:37:53.5616847Z\",\r\n \"displayName\": \"PoshModuleTest\",\r\n \"query\": \"SecurityAlert | take 1\"\r\n }\r\n}",
+ "RequestHeaders": {
+ "x-ms-client-request-id": [
+ "51552ad0-8288-4bb0-9ab8-4d123071a673"
+ ],
+ "Accept-Language": [
+ "en-US"
+ ],
+ "User-Agent": [
+ "FxVersion/4.6.29321.03",
+ "OSName/Windows",
+ "OSVersion/Microsoft.Windows.10.0.19042.",
+ "Microsoft.Azure.Management.SecurityInsights.SecurityInsightsClient/1.0.0.0"
+ ],
+ "Content-Type": [
+ "application/json; charset=utf-8"
+ ],
+ "Content-Length": [
+ "153"
+ ]
+ },
+ "ResponseHeaders": {
+ "Cache-Control": [
+ "no-cache"
+ ],
+ "Pragma": [
+ "no-cache"
+ ],
+ "x-ms-ratelimit-remaining-subscription-writes": [
+ "1199"
+ ],
+ "api-supported-versions": [
+ "2019-01-01"
+ ],
+ "Server": [
+ "Kestrel"
+ ],
+ "x-ms-request-id": [
+ "a7701286-8704-4796-a4e6-e1477e080b5a"
+ ],
+ "x-ms-correlation-request-id": [
+ "a7701286-8704-4796-a4e6-e1477e080b5a"
+ ],
+ "x-ms-routing-request-id": [
+ "WESTUS2:20201210T213754Z:a7701286-8704-4796-a4e6-e1477e080b5a"
+ ],
+ "Strict-Transport-Security": [
+ "max-age=31536000; includeSubDomains"
+ ],
+ "X-Content-Type-Options": [
+ "nosniff"
+ ],
+ "Date": [
+ "Thu, 10 Dec 2020 21:37:54 GMT"
+ ],
+ "Content-Length": [
+ "935"
+ ],
+ "Content-Type": [
+ "application/json; charset=utf-8"
+ ],
+ "Expires": [
+ "-1"
+ ]
+ },
+ "ResponseBody": "{\r\n \"id\": \"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/Bookmarks/4324441a-de38-42c2-83dd-bb93db929e7c\",\r\n \"name\": \"4324441a-de38-42c2-83dd-bb93db929e7c\",\r\n \"etag\": \"\\\"24005cec-0000-0100-0000-5fd295310000\\\"\",\r\n \"type\": \"Microsoft.SecurityInsights/Bookmarks\",\r\n \"properties\": {\r\n \"displayName\": \"PoshModuleTest\",\r\n \"created\": \"2020-12-10T21:37:53.9789403+00:00\",\r\n \"updated\": \"2020-12-10T21:37:53+00:00\",\r\n \"createdBy\": {\r\n \"objectId\": \"14c93cf3-e5e3-45cf-8b4e-1a6f62bdf202\",\r\n \"name\": \"Bookmark created from external application - azsposh\"\r\n },\r\n \"updatedBy\": {\r\n \"objectId\": \"14c93cf3-e5e3-45cf-8b4e-1a6f62bdf202\",\r\n \"name\": \"Bookmark created from external application - azsposh\"\r\n },\r\n \"eventTime\": \"2020-12-10T21:37:53.9789403+00:00\",\r\n \"labels\": [],\r\n \"query\": \"SecurityAlert | take 1\",\r\n \"incidentInfo\": {\r\n \"incidentId\": null,\r\n \"title\": null,\r\n \"relationName\": null,\r\n \"severity\": null\r\n }\r\n }\r\n}",
+ "StatusCode": 200
+ },
+ {
+ "RequestUri": "/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/bookmarks/4324441a-de38-42c2-83dd-bb93db929e7c?api-version=2020-01-01",
+ "EncodedRequestUri": "L3N1YnNjcmlwdGlvbnMvMWM2MWNjYmYtNzBiMy00NWEzLWExZmItODQ4Y2U0NmQ3MGE2L3Jlc291cmNlR3JvdXBzL25kaWNvbGEtYXpzcG9zaC9wcm92aWRlcnMvTWljcm9zb2Z0Lk9wZXJhdGlvbmFsSW5zaWdodHMvd29ya3NwYWNlcy9henNwb3NoL3Byb3ZpZGVycy9NaWNyb3NvZnQuU2VjdXJpdHlJbnNpZ2h0cy9ib29rbWFya3MvNDMyNDQ0MWEtZGUzOC00MmMyLTgzZGQtYmI5M2RiOTI5ZTdjP2FwaS12ZXJzaW9uPTIwMjAtMDEtMDE=",
+ "RequestMethod": "PUT",
+ "RequestBody": "{\r\n \"properties\": {\r\n \"displayName\": \"PoshModuleTest\",\r\n \"labels\": [],\r\n \"notes\": \"testnotes\",\r\n \"query\": \"SecurityAlert | take 1\"\r\n },\r\n \"etag\": \"\\\"24005cec-0000-0100-0000-5fd295310000\\\"\"\r\n}",
+ "RequestHeaders": {
+ "x-ms-client-request-id": [
+ "6ee42e2c-d97b-48bb-9a77-0c6e70a8c387"
+ ],
+ "Accept-Language": [
+ "en-US"
+ ],
+ "User-Agent": [
+ "FxVersion/4.6.29321.03",
+ "OSName/Windows",
+ "OSVersion/Microsoft.Windows.10.0.19042.",
+ "Microsoft.Azure.Management.SecurityInsights.SecurityInsightsClient/1.0.0.0"
+ ],
+ "Content-Type": [
+ "application/json; charset=utf-8"
+ ],
+ "Content-Length": [
+ "206"
+ ]
+ },
+ "ResponseHeaders": {
+ "Cache-Control": [
+ "no-cache"
+ ],
+ "Pragma": [
+ "no-cache"
+ ],
+ "x-ms-ratelimit-remaining-subscription-writes": [
+ "1198"
+ ],
+ "api-supported-versions": [
+ "2019-01-01"
+ ],
+ "Server": [
+ "Kestrel"
+ ],
+ "x-ms-request-id": [
+ "e15af874-a7d9-4365-9ded-53fb52efabad"
+ ],
+ "x-ms-correlation-request-id": [
+ "e15af874-a7d9-4365-9ded-53fb52efabad"
+ ],
+ "x-ms-routing-request-id": [
+ "WESTUS2:20201210T213755Z:e15af874-a7d9-4365-9ded-53fb52efabad"
+ ],
+ "Strict-Transport-Security": [
+ "max-age=31536000; includeSubDomains"
+ ],
+ "X-Content-Type-Options": [
+ "nosniff"
+ ],
+ "Date": [
+ "Thu, 10 Dec 2020 21:37:55 GMT"
+ ],
+ "Content-Length": [
+ "955"
+ ],
+ "Content-Type": [
+ "application/json; charset=utf-8"
+ ],
+ "Expires": [
+ "-1"
+ ]
+ },
+ "ResponseBody": "{\r\n \"id\": \"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/Bookmarks/4324441a-de38-42c2-83dd-bb93db929e7c\",\r\n \"name\": \"4324441a-de38-42c2-83dd-bb93db929e7c\",\r\n \"etag\": \"\\\"24005dec-0000-0100-0000-5fd295330000\\\"\",\r\n \"type\": \"Microsoft.SecurityInsights/Bookmarks\",\r\n \"properties\": {\r\n \"displayName\": \"PoshModuleTest\",\r\n \"created\": \"2020-12-10T21:37:53.9789403+00:00\",\r\n \"updated\": \"2020-12-10T21:37:55+00:00\",\r\n \"createdBy\": {\r\n \"objectId\": \"14c93cf3-e5e3-45cf-8b4e-1a6f62bdf202\",\r\n \"name\": \"Bookmark created from external application - azsposh\"\r\n },\r\n \"updatedBy\": {\r\n \"objectId\": \"14c93cf3-e5e3-45cf-8b4e-1a6f62bdf202\",\r\n \"name\": \"Bookmark created from external application - azsposh\"\r\n },\r\n \"eventTime\": \"2020-12-10T21:37:55.2600476+00:00\",\r\n \"notes\": \"testnotes\",\r\n \"labels\": [],\r\n \"query\": \"SecurityAlert | take 1\",\r\n \"incidentInfo\": {\r\n \"incidentId\": null,\r\n \"title\": null,\r\n \"relationName\": null,\r\n \"severity\": null\r\n }\r\n }\r\n}",
+ "StatusCode": 200
+ },
+ {
+ "RequestUri": "/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/bookmarks/4324441a-de38-42c2-83dd-bb93db929e7c?api-version=2020-01-01",
+ "EncodedRequestUri": "L3N1YnNjcmlwdGlvbnMvMWM2MWNjYmYtNzBiMy00NWEzLWExZmItODQ4Y2U0NmQ3MGE2L3Jlc291cmNlR3JvdXBzL25kaWNvbGEtYXpzcG9zaC9wcm92aWRlcnMvTWljcm9zb2Z0Lk9wZXJhdGlvbmFsSW5zaWdodHMvd29ya3NwYWNlcy9henNwb3NoL3Byb3ZpZGVycy9NaWNyb3NvZnQuU2VjdXJpdHlJbnNpZ2h0cy9ib29rbWFya3MvNDMyNDQ0MWEtZGUzOC00MmMyLTgzZGQtYmI5M2RiOTI5ZTdjP2FwaS12ZXJzaW9uPTIwMjAtMDEtMDE=",
+ "RequestMethod": "GET",
+ "RequestBody": "",
+ "RequestHeaders": {
+ "x-ms-client-request-id": [
+ "177719f6-2405-43fd-a488-ffdc4e965df7"
+ ],
+ "Accept-Language": [
+ "en-US"
+ ],
+ "User-Agent": [
+ "FxVersion/4.6.29321.03",
+ "OSName/Windows",
+ "OSVersion/Microsoft.Windows.10.0.19042.",
+ "Microsoft.Azure.Management.SecurityInsights.SecurityInsightsClient/1.0.0.0"
+ ]
+ },
+ "ResponseHeaders": {
+ "Cache-Control": [
+ "no-cache"
+ ],
+ "Pragma": [
+ "no-cache"
+ ],
+ "x-ms-ratelimit-remaining-subscription-reads": [
+ "11999"
+ ],
+ "api-supported-versions": [
+ "2019-01-01"
+ ],
+ "Server": [
+ "Kestrel"
+ ],
+ "x-ms-request-id": [
+ "74c4c48d-35e1-4dec-be0c-d2187f6c9f3b"
+ ],
+ "x-ms-correlation-request-id": [
+ "74c4c48d-35e1-4dec-be0c-d2187f6c9f3b"
+ ],
+ "x-ms-routing-request-id": [
+ "WESTUS2:20201210T213755Z:74c4c48d-35e1-4dec-be0c-d2187f6c9f3b"
+ ],
+ "Strict-Transport-Security": [
+ "max-age=31536000; includeSubDomains"
+ ],
+ "X-Content-Type-Options": [
+ "nosniff"
+ ],
+ "Date": [
+ "Thu, 10 Dec 2020 21:37:54 GMT"
+ ],
+ "Content-Length": [
+ "943"
+ ],
+ "Content-Type": [
+ "application/json; charset=utf-8"
+ ],
+ "Expires": [
+ "-1"
+ ]
+ },
+ "ResponseBody": "{\r\n \"id\": \"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/Bookmarks/4324441a-de38-42c2-83dd-bb93db929e7c\",\r\n \"name\": \"4324441a-de38-42c2-83dd-bb93db929e7c\",\r\n \"etag\": \"\\\"24005cec-0000-0100-0000-5fd295310000\\\"\",\r\n \"type\": \"Microsoft.SecurityInsights/Bookmarks\",\r\n \"properties\": {\r\n \"displayName\": \"PoshModuleTest\",\r\n \"created\": \"2020-12-10T21:37:53.9789403+00:00\",\r\n \"updated\": \"2020-12-10T21:37:53.9789403+00:00\",\r\n \"createdBy\": {\r\n \"objectId\": \"14c93cf3-e5e3-45cf-8b4e-1a6f62bdf202\",\r\n \"name\": \"Bookmark created from external application - azsposh\"\r\n },\r\n \"updatedBy\": {\r\n \"objectId\": \"14c93cf3-e5e3-45cf-8b4e-1a6f62bdf202\",\r\n \"name\": \"Bookmark created from external application - azsposh\"\r\n },\r\n \"eventTime\": \"2020-12-10T21:37:53.9789403+00:00\",\r\n \"labels\": [],\r\n \"query\": \"SecurityAlert | take 1\",\r\n \"incidentInfo\": {\r\n \"incidentId\": null,\r\n \"title\": null,\r\n \"relationName\": null,\r\n \"severity\": null\r\n }\r\n }\r\n}",
+ "StatusCode": 200
+ },
+ {
+ "RequestUri": "/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/bookmarks/4324441a-de38-42c2-83dd-bb93db929e7c?api-version=2020-01-01",
+ "EncodedRequestUri": "L3N1YnNjcmlwdGlvbnMvMWM2MWNjYmYtNzBiMy00NWEzLWExZmItODQ4Y2U0NmQ3MGE2L3Jlc291cmNlR3JvdXBzL25kaWNvbGEtYXpzcG9zaC9wcm92aWRlcnMvTWljcm9zb2Z0Lk9wZXJhdGlvbmFsSW5zaWdodHMvd29ya3NwYWNlcy9henNwb3NoL3Byb3ZpZGVycy9NaWNyb3NvZnQuU2VjdXJpdHlJbnNpZ2h0cy9ib29rbWFya3MvNDMyNDQ0MWEtZGUzOC00MmMyLTgzZGQtYmI5M2RiOTI5ZTdjP2FwaS12ZXJzaW9uPTIwMjAtMDEtMDE=",
+ "RequestMethod": "DELETE",
+ "RequestBody": "",
+ "RequestHeaders": {
+ "x-ms-client-request-id": [
+ "19a9c6a1-bfa7-41d4-9281-079bdd5ad7e9"
+ ],
+ "Accept-Language": [
+ "en-US"
+ ],
+ "User-Agent": [
+ "FxVersion/4.6.29321.03",
+ "OSName/Windows",
+ "OSVersion/Microsoft.Windows.10.0.19042.",
+ "Microsoft.Azure.Management.SecurityInsights.SecurityInsightsClient/1.0.0.0"
+ ]
+ },
+ "ResponseHeaders": {
+ "Cache-Control": [
+ "no-cache"
+ ],
+ "Pragma": [
+ "no-cache"
+ ],
+ "x-ms-ratelimit-remaining-subscription-deletes": [
+ "14999"
+ ],
+ "api-supported-versions": [
+ "2019-01-01"
+ ],
+ "Server": [
+ "Kestrel"
+ ],
+ "x-ms-request-id": [
+ "082677e0-758d-4e75-89ba-cdc535d0938b"
+ ],
+ "x-ms-correlation-request-id": [
+ "082677e0-758d-4e75-89ba-cdc535d0938b"
+ ],
+ "x-ms-routing-request-id": [
+ "WESTUS2:20201210T213756Z:082677e0-758d-4e75-89ba-cdc535d0938b"
+ ],
+ "Strict-Transport-Security": [
+ "max-age=31536000; includeSubDomains"
+ ],
+ "X-Content-Type-Options": [
+ "nosniff"
+ ],
+ "Date": [
+ "Thu, 10 Dec 2020 21:37:56 GMT"
+ ],
+ "Content-Length": [
+ "2"
+ ],
+ "Content-Type": [
+ "application/json; charset=utf-8"
+ ],
+ "Expires": [
+ "-1"
+ ]
+ },
+ "ResponseBody": "{}",
+ "StatusCode": 200
+ }
+ ],
+ "Names": {},
+ "Variables": {
+ "SubscriptionId": "1c61ccbf-70b3-45a3-a1fb-848ce46d70a6"
+ }
+}
\ No newline at end of file
diff --git a/src/SecurityInsights/SecurityInsights.Test/SessionRecords/Microsoft.Azure.Commands.SecurityInsights.Test.ScenarioTests.BookmarksTests/List.json b/src/SecurityInsights/SecurityInsights.Test/SessionRecords/Microsoft.Azure.Commands.SecurityInsights.Test.ScenarioTests.BookmarksTests/List.json
new file mode 100644
index 000000000000..ea1b36fe22a0
--- /dev/null
+++ b/src/SecurityInsights/SecurityInsights.Test/SessionRecords/Microsoft.Azure.Commands.SecurityInsights.Test.ScenarioTests.BookmarksTests/List.json
@@ -0,0 +1,350 @@
+{
+ "Entries": [
+ {
+ "RequestUri": "/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/bookmarks/a85e3b3b-c95e-4f8d-b5d6-0e9bcbd2e664?api-version=2020-01-01",
+ "EncodedRequestUri": "L3N1YnNjcmlwdGlvbnMvMWM2MWNjYmYtNzBiMy00NWEzLWExZmItODQ4Y2U0NmQ3MGE2L3Jlc291cmNlR3JvdXBzL25kaWNvbGEtYXpzcG9zaC9wcm92aWRlcnMvTWljcm9zb2Z0Lk9wZXJhdGlvbmFsSW5zaWdodHMvd29ya3NwYWNlcy9henNwb3NoL3Byb3ZpZGVycy9NaWNyb3NvZnQuU2VjdXJpdHlJbnNpZ2h0cy9ib29rbWFya3MvYTg1ZTNiM2ItYzk1ZS00ZjhkLWI1ZDYtMGU5YmNiZDJlNjY0P2FwaS12ZXJzaW9uPTIwMjAtMDEtMDE=",
+ "RequestMethod": "PUT",
+ "RequestBody": "{\r\n \"properties\": {\r\n \"created\": \"2020-12-10T21:13:24.551321Z\",\r\n \"displayName\": \"PoshModuleTest\",\r\n \"query\": \"SecurityAlert | take 1\"\r\n }\r\n}",
+ "RequestHeaders": {
+ "x-ms-client-request-id": [
+ "4efd54fd-3b13-4188-85b2-972a19c35536"
+ ],
+ "Accept-Language": [
+ "en-US"
+ ],
+ "User-Agent": [
+ "FxVersion/4.6.29321.03",
+ "OSName/Windows",
+ "OSVersion/Microsoft.Windows.10.0.19042.",
+ "Microsoft.Azure.Management.SecurityInsights.SecurityInsightsClient/1.0.0.0"
+ ],
+ "Content-Type": [
+ "application/json; charset=utf-8"
+ ],
+ "Content-Length": [
+ "152"
+ ]
+ },
+ "ResponseHeaders": {
+ "Cache-Control": [
+ "no-cache"
+ ],
+ "Pragma": [
+ "no-cache"
+ ],
+ "x-ms-ratelimit-remaining-subscription-writes": [
+ "1199"
+ ],
+ "api-supported-versions": [
+ "2019-01-01"
+ ],
+ "Server": [
+ "Kestrel"
+ ],
+ "x-ms-request-id": [
+ "53e9f54b-7f49-4450-bc46-b968bd59b5ad"
+ ],
+ "x-ms-correlation-request-id": [
+ "53e9f54b-7f49-4450-bc46-b968bd59b5ad"
+ ],
+ "x-ms-routing-request-id": [
+ "WESTUS2:20201210T211325Z:53e9f54b-7f49-4450-bc46-b968bd59b5ad"
+ ],
+ "Strict-Transport-Security": [
+ "max-age=31536000; includeSubDomains"
+ ],
+ "X-Content-Type-Options": [
+ "nosniff"
+ ],
+ "Date": [
+ "Thu, 10 Dec 2020 21:13:25 GMT"
+ ],
+ "Content-Length": [
+ "935"
+ ],
+ "Content-Type": [
+ "application/json; charset=utf-8"
+ ],
+ "Expires": [
+ "-1"
+ ]
+ },
+ "ResponseBody": "{\r\n \"id\": \"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/Bookmarks/a85e3b3b-c95e-4f8d-b5d6-0e9bcbd2e664\",\r\n \"name\": \"a85e3b3b-c95e-4f8d-b5d6-0e9bcbd2e664\",\r\n \"etag\": \"\\\"2400add7-0000-0100-0000-5fd28f750000\\\"\",\r\n \"type\": \"Microsoft.SecurityInsights/Bookmarks\",\r\n \"properties\": {\r\n \"displayName\": \"PoshModuleTest\",\r\n \"created\": \"2020-12-10T21:13:25.1499316+00:00\",\r\n \"updated\": \"2020-12-10T21:13:25+00:00\",\r\n \"createdBy\": {\r\n \"objectId\": \"14c93cf3-e5e3-45cf-8b4e-1a6f62bdf202\",\r\n \"name\": \"Bookmark created from external application - azsposh\"\r\n },\r\n \"updatedBy\": {\r\n \"objectId\": \"14c93cf3-e5e3-45cf-8b4e-1a6f62bdf202\",\r\n \"name\": \"Bookmark created from external application - azsposh\"\r\n },\r\n \"eventTime\": \"2020-12-10T21:13:25.1499316+00:00\",\r\n \"labels\": [],\r\n \"query\": \"SecurityAlert | take 1\",\r\n \"incidentInfo\": {\r\n \"incidentId\": null,\r\n \"title\": null,\r\n \"relationName\": null,\r\n \"severity\": null\r\n }\r\n }\r\n}",
+ "StatusCode": 200
+ },
+ {
+ "RequestUri": "/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/bookmarks/91c29052-8ec9-4395-ad6c-e5c6cf562eec?api-version=2020-01-01",
+ "EncodedRequestUri": "L3N1YnNjcmlwdGlvbnMvMWM2MWNjYmYtNzBiMy00NWEzLWExZmItODQ4Y2U0NmQ3MGE2L3Jlc291cmNlR3JvdXBzL25kaWNvbGEtYXpzcG9zaC9wcm92aWRlcnMvTWljcm9zb2Z0Lk9wZXJhdGlvbmFsSW5zaWdodHMvd29ya3NwYWNlcy9henNwb3NoL3Byb3ZpZGVycy9NaWNyb3NvZnQuU2VjdXJpdHlJbnNpZ2h0cy9ib29rbWFya3MvOTFjMjkwNTItOGVjOS00Mzk1LWFkNmMtZTVjNmNmNTYyZWVjP2FwaS12ZXJzaW9uPTIwMjAtMDEtMDE=",
+ "RequestMethod": "PUT",
+ "RequestBody": "{\r\n \"properties\": {\r\n \"created\": \"2020-12-10T21:13:25.9049574Z\",\r\n \"displayName\": \"PoshModuleTest2\",\r\n \"query\": \"SecurityAlert | take 1\"\r\n }\r\n}",
+ "RequestHeaders": {
+ "x-ms-client-request-id": [
+ "22cae724-713b-4b04-86ab-0062e002dab1"
+ ],
+ "Accept-Language": [
+ "en-US"
+ ],
+ "User-Agent": [
+ "FxVersion/4.6.29321.03",
+ "OSName/Windows",
+ "OSVersion/Microsoft.Windows.10.0.19042.",
+ "Microsoft.Azure.Management.SecurityInsights.SecurityInsightsClient/1.0.0.0"
+ ],
+ "Content-Type": [
+ "application/json; charset=utf-8"
+ ],
+ "Content-Length": [
+ "154"
+ ]
+ },
+ "ResponseHeaders": {
+ "Cache-Control": [
+ "no-cache"
+ ],
+ "Pragma": [
+ "no-cache"
+ ],
+ "x-ms-ratelimit-remaining-subscription-writes": [
+ "1198"
+ ],
+ "api-supported-versions": [
+ "2019-01-01"
+ ],
+ "Server": [
+ "Kestrel"
+ ],
+ "x-ms-request-id": [
+ "2034e179-d2cd-4950-b2a6-210a99618680"
+ ],
+ "x-ms-correlation-request-id": [
+ "2034e179-d2cd-4950-b2a6-210a99618680"
+ ],
+ "x-ms-routing-request-id": [
+ "WESTUS2:20201210T211326Z:2034e179-d2cd-4950-b2a6-210a99618680"
+ ],
+ "Strict-Transport-Security": [
+ "max-age=31536000; includeSubDomains"
+ ],
+ "X-Content-Type-Options": [
+ "nosniff"
+ ],
+ "Date": [
+ "Thu, 10 Dec 2020 21:13:26 GMT"
+ ],
+ "Content-Length": [
+ "934"
+ ],
+ "Content-Type": [
+ "application/json; charset=utf-8"
+ ],
+ "Expires": [
+ "-1"
+ ]
+ },
+ "ResponseBody": "{\r\n \"id\": \"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/Bookmarks/91c29052-8ec9-4395-ad6c-e5c6cf562eec\",\r\n \"name\": \"91c29052-8ec9-4395-ad6c-e5c6cf562eec\",\r\n \"etag\": \"\\\"2400b4d7-0000-0100-0000-5fd28f760000\\\"\",\r\n \"type\": \"Microsoft.SecurityInsights/Bookmarks\",\r\n \"properties\": {\r\n \"displayName\": \"PoshModuleTest2\",\r\n \"created\": \"2020-12-10T21:13:26.054093+00:00\",\r\n \"updated\": \"2020-12-10T21:13:26+00:00\",\r\n \"createdBy\": {\r\n \"objectId\": \"14c93cf3-e5e3-45cf-8b4e-1a6f62bdf202\",\r\n \"name\": \"Bookmark created from external application - azsposh\"\r\n },\r\n \"updatedBy\": {\r\n \"objectId\": \"14c93cf3-e5e3-45cf-8b4e-1a6f62bdf202\",\r\n \"name\": \"Bookmark created from external application - azsposh\"\r\n },\r\n \"eventTime\": \"2020-12-10T21:13:26.054093+00:00\",\r\n \"labels\": [],\r\n \"query\": \"SecurityAlert | take 1\",\r\n \"incidentInfo\": {\r\n \"incidentId\": null,\r\n \"title\": null,\r\n \"relationName\": null,\r\n \"severity\": null\r\n }\r\n }\r\n}",
+ "StatusCode": 200
+ },
+ {
+ "RequestUri": "/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/bookmarks?api-version=2020-01-01",
+ "EncodedRequestUri": "L3N1YnNjcmlwdGlvbnMvMWM2MWNjYmYtNzBiMy00NWEzLWExZmItODQ4Y2U0NmQ3MGE2L3Jlc291cmNlR3JvdXBzL25kaWNvbGEtYXpzcG9zaC9wcm92aWRlcnMvTWljcm9zb2Z0Lk9wZXJhdGlvbmFsSW5zaWdodHMvd29ya3NwYWNlcy9henNwb3NoL3Byb3ZpZGVycy9NaWNyb3NvZnQuU2VjdXJpdHlJbnNpZ2h0cy9ib29rbWFya3M/YXBpLXZlcnNpb249MjAyMC0wMS0wMQ==",
+ "RequestMethod": "GET",
+ "RequestBody": "",
+ "RequestHeaders": {
+ "x-ms-client-request-id": [
+ "41059472-2156-4d2c-a45c-052c3f366318"
+ ],
+ "Accept-Language": [
+ "en-US"
+ ],
+ "User-Agent": [
+ "FxVersion/4.6.29321.03",
+ "OSName/Windows",
+ "OSVersion/Microsoft.Windows.10.0.19042.",
+ "Microsoft.Azure.Management.SecurityInsights.SecurityInsightsClient/1.0.0.0"
+ ]
+ },
+ "ResponseHeaders": {
+ "Cache-Control": [
+ "no-cache"
+ ],
+ "Pragma": [
+ "no-cache"
+ ],
+ "x-ms-ratelimit-remaining-subscription-reads": [
+ "11999"
+ ],
+ "api-supported-versions": [
+ "2019-01-01"
+ ],
+ "Server": [
+ "Kestrel"
+ ],
+ "x-ms-request-id": [
+ "5fd815a1-281f-4f00-87f8-f73f2958de85"
+ ],
+ "x-ms-correlation-request-id": [
+ "5fd815a1-281f-4f00-87f8-f73f2958de85"
+ ],
+ "x-ms-routing-request-id": [
+ "WESTUS2:20201210T211327Z:5fd815a1-281f-4f00-87f8-f73f2958de85"
+ ],
+ "Strict-Transport-Security": [
+ "max-age=31536000; includeSubDomains"
+ ],
+ "X-Content-Type-Options": [
+ "nosniff"
+ ],
+ "Date": [
+ "Thu, 10 Dec 2020 21:13:26 GMT"
+ ],
+ "Content-Length": [
+ "43151"
+ ],
+ "Content-Type": [
+ "application/json; charset=utf-8"
+ ],
+ "Expires": [
+ "-1"
+ ]
+ },
+ "ResponseBody": "{\r\n \"value\": [\r\n {\r\n \"id\": \"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/Bookmarks/802ebf0f-b9e2-4709-8cf9-2cad46d41596\",\r\n \"name\": \"802ebf0f-b9e2-4709-8cf9-2cad46d41596\",\r\n \"etag\": \"\\\"7900bf62-0000-0100-0000-5fc433650000\\\"\",\r\n \"type\": \"Microsoft.SecurityInsights/Bookmarks\",\r\n \"properties\": {\r\n \"displayName\": \"PoshModuleTest\",\r\n \"created\": \"2020-11-21T00:48:26.3295499+00:00\",\r\n \"updated\": \"2020-11-29T23:48:53.377526+00:00\",\r\n \"createdBy\": {\r\n \"objectId\": \"14c93cf3-e5e3-45cf-8b4e-1a6f62bdf202\",\r\n \"name\": \"Bookmark created from external application - azsposh\"\r\n },\r\n \"updatedBy\": {\r\n \"objectId\": \"2b53ce42-3ff1-4523-a239-0f377d3e0fdb\",\r\n \"email\": \"ndicola@buildseccxpninja.onmicrosoft.com\",\r\n \"name\": \"Nicholas DiCola\"\r\n },\r\n \"eventTime\": \"2020-11-21T00:48:26.3295499+00:00\",\r\n \"labels\": [],\r\n \"query\": \"SecurityAlert | take 1\",\r\n \"incidentInfo\": {\r\n \"incidentId\": null,\r\n \"title\": null,\r\n \"relationName\": null,\r\n \"severity\": null\r\n }\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/Bookmarks/f67b4895-0a57-4840-a325-40aad9e7956e\",\r\n \"name\": \"f67b4895-0a57-4840-a325-40aad9e7956e\",\r\n \"etag\": \"\\\"2a009d97-0000-0100-0000-5fb89e920000\\\"\",\r\n \"type\": \"Microsoft.SecurityInsights/Bookmarks\",\r\n \"properties\": {\r\n \"displayName\": \"PoshModuleTest2\",\r\n \"created\": \"2020-11-21T00:48:27.3713316+00:00\",\r\n \"updated\": \"2020-11-21T00:48:27.3713316+00:00\",\r\n \"createdBy\": {\r\n \"objectId\": \"14c93cf3-e5e3-45cf-8b4e-1a6f62bdf202\",\r\n \"name\": \"Bookmark created from external application - azsposh\"\r\n },\r\n \"updatedBy\": {\r\n \"objectId\": \"14c93cf3-e5e3-45cf-8b4e-1a6f62bdf202\",\r\n \"name\": \"Bookmark created from external application - azsposh\"\r\n },\r\n \"eventTime\": \"2020-11-21T00:48:27.3713316+00:00\",\r\n \"labels\": [],\r\n \"query\": \"SecurityAlert | take 1\",\r\n \"incidentInfo\": {\r\n \"incidentId\": null,\r\n \"title\": null,\r\n \"relationName\": null,\r\n \"severity\": null\r\n }\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/Bookmarks/128f0300-48d8-4d47-8c38-f592c44fde8a\",\r\n \"name\": \"128f0300-48d8-4d47-8c38-f592c44fde8a\",\r\n \"etag\": \"\\\"2a009f97-0000-0100-0000-5fb89e920000\\\"\",\r\n \"type\": \"Microsoft.SecurityInsights/Bookmarks\",\r\n \"properties\": {\r\n \"displayName\": \"PoshModuleTest\",\r\n \"created\": \"2020-11-21T00:47:38.2998322+00:00\",\r\n \"updated\": \"2020-11-21T00:47:38.2998322+00:00\",\r\n \"createdBy\": {\r\n \"objectId\": \"14c93cf3-e5e3-45cf-8b4e-1a6f62bdf202\",\r\n \"name\": \"Bookmark created from external application - azsposh\"\r\n },\r\n \"updatedBy\": {\r\n \"objectId\": \"14c93cf3-e5e3-45cf-8b4e-1a6f62bdf202\",\r\n \"name\": \"Bookmark created from external application - azsposh\"\r\n },\r\n \"eventTime\": \"2020-11-21T00:47:38.2998322+00:00\",\r\n \"labels\": [],\r\n \"query\": \"SecurityAlert | take 1\",\r\n \"incidentInfo\": {\r\n \"incidentId\": null,\r\n \"title\": null,\r\n \"relationName\": null,\r\n \"severity\": null\r\n }\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/Bookmarks/4ecfb467-df14-408c-a412-5cf1e356e453\",\r\n \"name\": \"4ecfb467-df14-408c-a412-5cf1e356e453\",\r\n \"etag\": \"\\\"2a009e97-0000-0100-0000-5fb89e920000\\\"\",\r\n \"type\": \"Microsoft.SecurityInsights/Bookmarks\",\r\n \"properties\": {\r\n \"displayName\": \"PoshModuleTest\",\r\n \"created\": \"2020-11-21T01:13:53.8513708+00:00\",\r\n \"updated\": \"2020-11-21T01:13:53.8513708+00:00\",\r\n \"createdBy\": {\r\n \"objectId\": \"14c93cf3-e5e3-45cf-8b4e-1a6f62bdf202\",\r\n \"name\": \"Bookmark created from external application - azsposh\"\r\n },\r\n \"updatedBy\": {\r\n \"objectId\": \"14c93cf3-e5e3-45cf-8b4e-1a6f62bdf202\",\r\n \"name\": \"Bookmark created from external application - azsposh\"\r\n },\r\n \"eventTime\": \"2020-11-21T01:13:53.8513708+00:00\",\r\n \"labels\": [],\r\n \"query\": \"SecurityAlert | take 1\",\r\n \"incidentInfo\": {\r\n \"incidentId\": null,\r\n \"title\": null,\r\n \"relationName\": null,\r\n \"severity\": null\r\n }\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/Bookmarks/a006f83b-4cf9-4288-8c8b-9265cf9dce06\",\r\n \"name\": \"a006f83b-4cf9-4288-8c8b-9265cf9dce06\",\r\n \"etag\": \"\\\"2a00a097-0000-0100-0000-5fb89e920000\\\"\",\r\n \"type\": \"Microsoft.SecurityInsights/Bookmarks\",\r\n \"properties\": {\r\n \"displayName\": \"PoshModuleTest\",\r\n \"created\": \"2020-11-21T01:13:12.9332935+00:00\",\r\n \"updated\": \"2020-11-21T01:13:12.9332935+00:00\",\r\n \"createdBy\": {\r\n \"objectId\": \"14c93cf3-e5e3-45cf-8b4e-1a6f62bdf202\",\r\n \"name\": \"Bookmark created from external application - azsposh\"\r\n },\r\n \"updatedBy\": {\r\n \"objectId\": \"14c93cf3-e5e3-45cf-8b4e-1a6f62bdf202\",\r\n \"name\": \"Bookmark created from external application - azsposh\"\r\n },\r\n \"eventTime\": \"2020-11-21T01:13:12.9332935+00:00\",\r\n \"labels\": [],\r\n \"query\": \"SecurityAlert | take 1\",\r\n \"incidentInfo\": {\r\n \"incidentId\": null,\r\n \"title\": null,\r\n \"relationName\": null,\r\n \"severity\": null\r\n }\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/Bookmarks/28da9a9c-df57-4cff-9edb-dbfdbb40d612\",\r\n \"name\": \"28da9a9c-df57-4cff-9edb-dbfdbb40d612\",\r\n \"etag\": \"\\\"2a00a197-0000-0100-0000-5fb89e920000\\\"\",\r\n \"type\": \"Microsoft.SecurityInsights/Bookmarks\",\r\n \"properties\": {\r\n \"displayName\": \"PoshModuleTest2\",\r\n \"created\": \"2020-11-21T00:47:39.6301262+00:00\",\r\n \"updated\": \"2020-11-21T00:47:39.6301262+00:00\",\r\n \"createdBy\": {\r\n \"objectId\": \"14c93cf3-e5e3-45cf-8b4e-1a6f62bdf202\",\r\n \"name\": \"Bookmark created from external application - azsposh\"\r\n },\r\n \"updatedBy\": {\r\n \"objectId\": \"14c93cf3-e5e3-45cf-8b4e-1a6f62bdf202\",\r\n \"name\": \"Bookmark created from external application - azsposh\"\r\n },\r\n \"eventTime\": \"2020-11-21T00:47:39.6301262+00:00\",\r\n \"labels\": [],\r\n \"query\": \"SecurityAlert | take 1\",\r\n \"incidentInfo\": {\r\n \"incidentId\": null,\r\n \"title\": null,\r\n \"relationName\": null,\r\n \"severity\": null\r\n }\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/Bookmarks/53307567-1c0f-4477-9bac-bc1bccc9e5a3\",\r\n \"name\": \"53307567-1c0f-4477-9bac-bc1bccc9e5a3\",\r\n \"etag\": \"\\\"2a00a297-0000-0100-0000-5fb89e920000\\\"\",\r\n \"type\": \"Microsoft.SecurityInsights/Bookmarks\",\r\n \"properties\": {\r\n \"displayName\": \"PoshModuleTest\",\r\n \"created\": \"2020-11-21T00:46:29.8471652+00:00\",\r\n \"updated\": \"2020-11-21T00:46:29.8471652+00:00\",\r\n \"createdBy\": {\r\n \"objectId\": \"2b53ce42-3ff1-4523-a239-0f377d3e0fdb\",\r\n \"email\": \"ndicola@buildseccxpninja.onmicrosoft.com\",\r\n \"name\": \"Nicholas DiCola\"\r\n },\r\n \"updatedBy\": {\r\n \"objectId\": \"2b53ce42-3ff1-4523-a239-0f377d3e0fdb\",\r\n \"email\": \"ndicola@buildseccxpninja.onmicrosoft.com\",\r\n \"name\": \"Nicholas DiCola\"\r\n },\r\n \"eventTime\": \"2020-11-21T00:46:29.8471652+00:00\",\r\n \"labels\": [],\r\n \"query\": \"SecurityAlert | take 1\",\r\n \"incidentInfo\": {\r\n \"incidentId\": null,\r\n \"title\": null,\r\n \"relationName\": null,\r\n \"severity\": null\r\n }\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/Bookmarks/9311e1d4-8142-4da0-977e-a4931bd73d6f\",\r\n \"name\": \"9311e1d4-8142-4da0-977e-a4931bd73d6f\",\r\n \"etag\": \"\\\"2a00a397-0000-0100-0000-5fb89e920000\\\"\",\r\n \"type\": \"Microsoft.SecurityInsights/Bookmarks\",\r\n \"properties\": {\r\n \"displayName\": \"SigninLogs - a4931bd73d6f\",\r\n \"created\": \"2020-11-19T00:01:16.0096502+00:00\",\r\n \"updated\": \"2020-11-19T00:01:16.0096502+00:00\",\r\n \"createdBy\": {\r\n \"objectId\": \"2b53ce42-3ff1-4523-a239-0f377d3e0fdb\",\r\n \"email\": \"ndicola@buildseccxpninja.onmicrosoft.com\",\r\n \"name\": \"Nicholas DiCola\"\r\n },\r\n \"updatedBy\": {\r\n \"objectId\": \"2b53ce42-3ff1-4523-a239-0f377d3e0fdb\",\r\n \"email\": \"ndicola@buildseccxpninja.onmicrosoft.com\",\r\n \"name\": \"Nicholas DiCola\"\r\n },\r\n \"eventTime\": \"2020-11-19T00:01:16.0096502+00:00\",\r\n \"labels\": [],\r\n \"query\": \"SigninLogs\\n\",\r\n \"queryResult\": \"{\\\"TenantId\\\":\\\"581abdd1-9710-484b-867d-a69495aab7f5\\\",\\\"SourceSystem\\\":\\\"Azure AD\\\",\\\"TimeGenerated\\\":\\\"2020-11-18T22:33:03.473Z\\\",\\\"ResourceId\\\":\\\"/tenants/5f1060f2-d9a4-4f59-bf9c-1dd8f3604a4b/providers/Microsoft.aadiam\\\",\\\"OperationName\\\":\\\"Sign-in activity\\\",\\\"OperationVersion\\\":\\\"1.0\\\",\\\"Category\\\":\\\"SignInLogs\\\",\\\"ResultType\\\":\\\"0\\\",\\\"ResultSignature\\\":\\\"None\\\",\\\"ResultDescription\\\":\\\"\\\",\\\"DurationMs\\\":0,\\\"CorrelationId\\\":\\\"8ea7b7c1-e974-4a4e-b9ee-80712edb1bee\\\",\\\"Resource\\\":\\\"Microsoft.aadiam\\\",\\\"ResourceGroup\\\":\\\"Microsoft.aadiam\\\",\\\"ResourceProvider\\\":\\\"\\\",\\\"Identity\\\":\\\"On-Premises Directory Synchronization Service Account\\\",\\\"Level\\\":\\\"4\\\",\\\"Location\\\":\\\"US\\\",\\\"AlternateSignInName\\\":\\\"Sync_ContosoDc_a8016d9ed6f4@buildseccxpninja.onmicrosoft.com\\\",\\\"AppDisplayName\\\":\\\"Microsoft Azure Active Directory Connect\\\",\\\"AppId\\\":\\\"cb1056e2-e479-49de-ae31-7812af012ed8\\\",\\\"AuthenticationDetails\\\":\\\"[\\\\r\\\\n {\\\\r\\\\n \\\\\\\"authenticationStepDateTime\\\\\\\": \\\\\\\"2020-11-18T22:33:03.4737768+00:00\\\\\\\",\\\\r\\\\n \\\\\\\"authenticationMethod\\\\\\\": \\\\\\\"PHS\\\\\\\",\\\\r\\\\n \\\\\\\"authenticationMethodDetail\\\\\\\": \\\\\\\"\\\\\\\",\\\\r\\\\n \\\\\\\"succeeded\\\\\\\": true,\\\\r\\\\n \\\\\\\"authenticationStepRequirement\\\\\\\": \\\\\\\"Primary Authentication\\\\\\\",\\\\r\\\\n \\\\\\\"StatusSequence\\\\\\\": 0,\\\\r\\\\n \\\\\\\"RequestSequence\\\\\\\": 0\\\\r\\\\n }\\\\r\\\\n]\\\",\\\"AuthenticationMethodsUsed\\\":\\\"\\\",\\\"AuthenticationProcessingDetails\\\":\\\"[\\\\r\\\\n {\\\\r\\\\n \\\\\\\"key\\\\\\\": \\\\\\\"IsCAEToken\\\\\\\",\\\\r\\\\n \\\\\\\"value\\\\\\\": \\\\\\\"False\\\\\\\"\\\\r\\\\n }\\\\r\\\\n]\\\",\\\"AuthenticationRequirement\\\":\\\"singleFactorAuthentication\\\",\\\"AuthenticationRequirementPolicies\\\":\\\"[]\\\",\\\"ClientAppUsed\\\":\\\"Mobile Apps and Desktop clients\\\",\\\"ConditionalAccessPolicies\\\":\\\"[{\\\\\\\"id\\\\\\\":\\\\\\\"009a2a41-4712-4d63-be23-f9f67ad382b9\\\\\\\",\\\\\\\"displayName\\\\\\\":\\\\\\\"Sarahzin: Airlift Test MCAS CAAC\\\\\\\",\\\\\\\"enforcedGrantControls\\\\\\\":[],\\\\\\\"enforcedSessionControls\\\\\\\":[\\\\\\\"CloudAppSecurity\\\\\\\"],\\\\\\\"result\\\\\\\":\\\\\\\"notApplied\\\\\\\",\\\\\\\"conditionsSatisfied\\\\\\\":0,\\\\\\\"conditionsNotSatisfied\\\\\\\":1},{\\\\\\\"id\\\\\\\":\\\\\\\"3142390b-7ec6-485a-b070-bb5cfc93005d\\\\\\\",\\\\\\\"displayName\\\\\\\":\\\\\\\"MFA\\\\\\\",\\\\\\\"enforcedGrantControls\\\\\\\":[\\\\\\\"Mfa\\\\\\\"],\\\\\\\"enforcedSessionControls\\\\\\\":[],\\\\\\\"result\\\\\\\":\\\\\\\"reportOnlyInterrupted\\\\\\\",\\\\\\\"conditionsSatisfied\\\\\\\":3,\\\\\\\"conditionsNotSatisfied\\\\\\\":0}]\\\",\\\"ConditionalAccessStatus\\\":\\\"notApplied\\\",\\\"CreatedDateTime\\\":\\\"2020-11-18T22:33:03Z\\\",\\\"DeviceDetail\\\":\\\"{\\\\\\\"deviceId\\\\\\\":\\\\\\\"\\\\\\\",\\\\\\\"operatingSystem\\\\\\\":\\\\\\\"Windows 8\\\\\\\",\\\\\\\"browser\\\\\\\":\\\\\\\"Rich Client 5.2.2.0\\\\\\\"}\\\",\\\"IsInteractive\\\":\\\"false\\\",\\\"Id\\\":\\\"82d5951c-62e7-4007-b838-0af159402c00\\\",\\\"IPAddress\\\":\\\"13.68.147.150\\\",\\\"IsRisky\\\":\\\"\\\",\\\"LocationDetails\\\":\\\"{\\\\\\\"city\\\\\\\":\\\\\\\"Washington\\\\\\\",\\\\\\\"state\\\\\\\":\\\\\\\"Virginia\\\\\\\",\\\\\\\"countryOrRegion\\\\\\\":\\\\\\\"US\\\\\\\",\\\\\\\"geoCoordinates\\\\\\\":{\\\\\\\"latitude\\\\\\\":38.7130012512207,\\\\\\\"longitude\\\\\\\":-78.15899658203125}}\\\",\\\"MfaDetail\\\":\\\"\\\",\\\"NetworkLocationDetails\\\":\\\"[]\\\",\\\"OriginalRequestId\\\":\\\"82d5951c-62e7-4007-b838-0af159402c00\\\",\\\"ProcessingTimeInMilliseconds\\\":\\\"143\\\",\\\"RiskDetail\\\":\\\"none\\\",\\\"RiskEventTypes\\\":\\\"[]\\\",\\\"RiskEventTypes_V2\\\":\\\"[]\\\",\\\"RiskLevelAggregated\\\":\\\"none\\\",\\\"RiskLevelDuringSignIn\\\":\\\"none\\\",\\\"RiskState\\\":\\\"none\\\",\\\"ResourceDisplayName\\\":\\\"Windows Azure Active Directory\\\",\\\"ResourceIdentity\\\":\\\"00000002-0000-0000-c000-000000000000\\\",\\\"ServicePrincipalId\\\":\\\"\\\",\\\"ServicePrincipalName\\\":\\\"\\\",\\\"Status\\\":\\\"{\\\\\\\"errorCode\\\\\\\":0}\\\",\\\"TokenIssuerName\\\":\\\"\\\",\\\"TokenIssuerType\\\":\\\"AzureAD\\\",\\\"UserAgent\\\":\\\"\\\",\\\"UserDisplayName\\\":\\\"On-Premises Directory Synchronization Service Account\\\",\\\"UserId\\\":\\\"a82ec49c-dbb3-4398-baec-b45e9cd487a8\\\",\\\"UserPrincipalName\\\":\\\"sync_contosodc_a8016d9ed6f4@buildseccxpninja.onmicrosoft.com\\\",\\\"AADTenantId\\\":\\\"5f1060f2-d9a4-4f59-bf9c-1dd8f3604a4b\\\",\\\"Type\\\":\\\"SigninLogs\\\",\\\"__entityMapping\\\":{\\\"sync_contosodc_a8016d9ed6f4@buildseccxpninja.onmicrosoft.com\\\":\\\"Account\\\"}}\",\r\n \"queryStartTime\": \"2020-11-18T00:01:06.048+00:00\",\r\n \"queryEndTime\": \"2020-11-19T00:01:06.048+00:00\",\r\n \"incidentInfo\": {\r\n \"incidentId\": null,\r\n \"title\": null,\r\n \"relationName\": null,\r\n \"severity\": null\r\n }\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/Bookmarks/a9686dc8-295e-4f38-b814-46a1fc3fae20\",\r\n \"name\": \"a9686dc8-295e-4f38-b814-46a1fc3fae20\",\r\n \"etag\": \"\\\"4000b114-0000-0100-0000-5fbc17d70000\\\"\",\r\n \"type\": \"Microsoft.SecurityInsights/Bookmarks\",\r\n \"properties\": {\r\n \"displayName\": \"PoshModuleTest\",\r\n \"created\": \"2020-11-23T20:13:11.6679003+00:00\",\r\n \"updated\": \"2020-11-23T20:13:11.6679003+00:00\",\r\n \"createdBy\": {\r\n \"objectId\": \"14c93cf3-e5e3-45cf-8b4e-1a6f62bdf202\",\r\n \"name\": \"Bookmark created from external application - azsposh\"\r\n },\r\n \"updatedBy\": {\r\n \"objectId\": \"14c93cf3-e5e3-45cf-8b4e-1a6f62bdf202\",\r\n \"name\": \"Bookmark created from external application - azsposh\"\r\n },\r\n \"eventTime\": \"2020-11-23T20:13:11.6679003+00:00\",\r\n \"labels\": [],\r\n \"query\": \"SecurityAlert | take 1\",\r\n \"incidentInfo\": {\r\n \"incidentId\": null,\r\n \"title\": null,\r\n \"relationName\": null,\r\n \"severity\": null\r\n }\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/Bookmarks/f30ed335-9611-4ce7-9580-6477621d6146\",\r\n \"name\": \"f30ed335-9611-4ce7-9580-6477621d6146\",\r\n \"etag\": \"\\\"4000201f-0000-0100-0000-5fbc18ce0000\\\"\",\r\n \"type\": \"Microsoft.SecurityInsights/Bookmarks\",\r\n \"properties\": {\r\n \"displayName\": \"PoshModuleTest\",\r\n \"created\": \"2020-11-23T20:17:18.5956906+00:00\",\r\n \"updated\": \"2020-11-23T20:17:18.5956906+00:00\",\r\n \"createdBy\": {\r\n \"objectId\": \"14c93cf3-e5e3-45cf-8b4e-1a6f62bdf202\",\r\n \"name\": \"Bookmark created from external application - azsposh\"\r\n },\r\n \"updatedBy\": {\r\n \"objectId\": \"14c93cf3-e5e3-45cf-8b4e-1a6f62bdf202\",\r\n \"name\": \"Bookmark created from external application - azsposh\"\r\n },\r\n \"eventTime\": \"2020-11-23T20:17:18.5956906+00:00\",\r\n \"labels\": [],\r\n \"query\": \"SecurityAlert | take 1\",\r\n \"incidentInfo\": {\r\n \"incidentId\": null,\r\n \"title\": null,\r\n \"relationName\": null,\r\n \"severity\": null\r\n }\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/Bookmarks/76e19170-5585-46de-8b05-94b168011fde\",\r\n \"name\": \"76e19170-5585-46de-8b05-94b168011fde\",\r\n \"etag\": \"\\\"4000cd22-0000-0100-0000-5fbc19510000\\\"\",\r\n \"type\": \"Microsoft.SecurityInsights/Bookmarks\",\r\n \"properties\": {\r\n \"displayName\": \"PoshModuleTest\",\r\n \"created\": \"2020-11-23T20:19:28.9516191+00:00\",\r\n \"updated\": \"2020-11-23T20:19:28.9516191+00:00\",\r\n \"createdBy\": {\r\n \"objectId\": \"2b53ce42-3ff1-4523-a239-0f377d3e0fdb\",\r\n \"email\": \"ndicola@buildseccxpninja.onmicrosoft.com\",\r\n \"name\": \"Nicholas DiCola\"\r\n },\r\n \"updatedBy\": {\r\n \"objectId\": \"2b53ce42-3ff1-4523-a239-0f377d3e0fdb\",\r\n \"email\": \"ndicola@buildseccxpninja.onmicrosoft.com\",\r\n \"name\": \"Nicholas DiCola\"\r\n },\r\n \"eventTime\": \"2020-11-23T20:19:28.9516191+00:00\",\r\n \"labels\": [],\r\n \"query\": \"SecurityAlert | take 1\",\r\n \"incidentInfo\": {\r\n \"incidentId\": null,\r\n \"title\": null,\r\n \"relationName\": null,\r\n \"severity\": null\r\n }\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/Bookmarks/d3bb9fea-601e-4d22-8e17-261a9c2e0c70\",\r\n \"name\": \"d3bb9fea-601e-4d22-8e17-261a9c2e0c70\",\r\n \"etag\": \"\\\"4000c128-0000-0100-0000-5fbc19bc0000\\\"\",\r\n \"type\": \"Microsoft.SecurityInsights/Bookmarks\",\r\n \"properties\": {\r\n \"displayName\": \"PoshModuleTest\",\r\n \"created\": \"2020-11-23T20:21:16.0553845+00:00\",\r\n \"updated\": \"2020-11-23T20:21:16.0553845+00:00\",\r\n \"createdBy\": {\r\n \"objectId\": \"14c93cf3-e5e3-45cf-8b4e-1a6f62bdf202\",\r\n \"name\": \"Bookmark created from external application - azsposh\"\r\n },\r\n \"updatedBy\": {\r\n \"objectId\": \"14c93cf3-e5e3-45cf-8b4e-1a6f62bdf202\",\r\n \"name\": \"Bookmark created from external application - azsposh\"\r\n },\r\n \"eventTime\": \"2020-11-23T20:21:16.0553845+00:00\",\r\n \"labels\": [],\r\n \"query\": \"SecurityAlert | take 1\",\r\n \"incidentInfo\": {\r\n \"incidentId\": null,\r\n \"title\": null,\r\n \"relationName\": null,\r\n \"severity\": null\r\n }\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/Bookmarks/c3384ba3-5239-4efb-aac7-059a68cf4468\",\r\n \"name\": \"c3384ba3-5239-4efb-aac7-059a68cf4468\",\r\n \"etag\": \"\\\"7900f15d-0000-0100-0000-5fc432dc0000\\\"\",\r\n \"type\": \"Microsoft.SecurityInsights/Bookmarks\",\r\n \"properties\": {\r\n \"displayName\": \"PoshModuleTest\",\r\n \"created\": \"2020-11-23T20:23:07.460191+00:00\",\r\n \"updated\": \"2020-11-29T23:46:36.7976088+00:00\",\r\n \"createdBy\": {\r\n \"objectId\": \"2b53ce42-3ff1-4523-a239-0f377d3e0fdb\",\r\n \"email\": \"ndicola@buildseccxpninja.onmicrosoft.com\",\r\n \"name\": \"Nicholas DiCola\"\r\n },\r\n \"updatedBy\": {\r\n \"objectId\": \"2b53ce42-3ff1-4523-a239-0f377d3e0fdb\",\r\n \"email\": \"ndicola@buildseccxpninja.onmicrosoft.com\",\r\n \"name\": \"Nicholas DiCola\"\r\n },\r\n \"eventTime\": \"2020-11-23T20:23:07.460191+00:00\",\r\n \"labels\": [],\r\n \"query\": \"SecurityAlert | take 1\",\r\n \"incidentInfo\": {\r\n \"incidentId\": null,\r\n \"title\": null,\r\n \"relationName\": null,\r\n \"severity\": null\r\n }\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/Bookmarks/133104c7-b9a1-43a1-ab23-9f9f6852e5f0\",\r\n \"name\": \"133104c7-b9a1-43a1-ab23-9f9f6852e5f0\",\r\n \"etag\": \"\\\"4000a92e-0000-0100-0000-5fbc1a740000\\\"\",\r\n \"type\": \"Microsoft.SecurityInsights/Bookmarks\",\r\n \"properties\": {\r\n \"displayName\": \"PoshModuleTest\",\r\n \"created\": \"2020-11-23T20:24:19.2949869+00:00\",\r\n \"updated\": \"2020-11-23T20:24:20.6389456+00:00\",\r\n \"createdBy\": {\r\n \"objectId\": \"2b53ce42-3ff1-4523-a239-0f377d3e0fdb\",\r\n \"email\": \"ndicola@buildseccxpninja.onmicrosoft.com\",\r\n \"name\": \"Nicholas DiCola\"\r\n },\r\n \"updatedBy\": {\r\n \"objectId\": \"2b53ce42-3ff1-4523-a239-0f377d3e0fdb\",\r\n \"email\": \"ndicola@buildseccxpninja.onmicrosoft.com\",\r\n \"name\": \"Nicholas DiCola\"\r\n },\r\n \"eventTime\": \"2020-11-23T20:24:20.6389456+00:00\",\r\n \"notes\": \"PoshModuleTest\",\r\n \"labels\": [],\r\n \"query\": \"SecurityAlert | take 1\",\r\n \"incidentInfo\": {\r\n \"incidentId\": null,\r\n \"title\": null,\r\n \"relationName\": null,\r\n \"severity\": null\r\n }\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/Bookmarks/cff8db73-5750-4336-bd85-f315b87c2a8b\",\r\n \"name\": \"cff8db73-5750-4336-bd85-f315b87c2a8b\",\r\n \"etag\": \"\\\"6e00b017-0000-0100-0000-5fc2b93e0000\\\"\",\r\n \"type\": \"Microsoft.SecurityInsights/Bookmarks\",\r\n \"properties\": {\r\n \"displayName\": \"PoshModuleTest\",\r\n \"created\": \"2020-11-28T20:55:26.9889304+00:00\",\r\n \"updated\": \"2020-11-28T20:55:26.9889304+00:00\",\r\n \"createdBy\": {\r\n \"objectId\": \"14c93cf3-e5e3-45cf-8b4e-1a6f62bdf202\",\r\n \"name\": \"Bookmark created from external application - azsposh\"\r\n },\r\n \"updatedBy\": {\r\n \"objectId\": \"14c93cf3-e5e3-45cf-8b4e-1a6f62bdf202\",\r\n \"name\": \"Bookmark created from external application - azsposh\"\r\n },\r\n \"eventTime\": \"2020-11-28T20:55:26.9889304+00:00\",\r\n \"labels\": [],\r\n \"query\": \"SecurityAlert | take 1\",\r\n \"incidentInfo\": {\r\n \"incidentId\": null,\r\n \"title\": null,\r\n \"relationName\": null,\r\n \"severity\": null\r\n }\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/Bookmarks/44088825-793c-426c-88dc-12988abb89b7\",\r\n \"name\": \"44088825-793c-426c-88dc-12988abb89b7\",\r\n \"etag\": \"\\\"6e006618-0000-0100-0000-5fc2b95b0000\\\"\",\r\n \"type\": \"Microsoft.SecurityInsights/Bookmarks\",\r\n \"properties\": {\r\n \"displayName\": \"PoshModuleTest\",\r\n \"created\": \"2020-11-28T20:55:55.9839747+00:00\",\r\n \"updated\": \"2020-11-28T20:55:55.9839747+00:00\",\r\n \"createdBy\": {\r\n \"objectId\": \"14c93cf3-e5e3-45cf-8b4e-1a6f62bdf202\",\r\n \"name\": \"Bookmark created from external application - azsposh\"\r\n },\r\n \"updatedBy\": {\r\n \"objectId\": \"14c93cf3-e5e3-45cf-8b4e-1a6f62bdf202\",\r\n \"name\": \"Bookmark created from external application - azsposh\"\r\n },\r\n \"eventTime\": \"2020-11-28T20:55:55.9839747+00:00\",\r\n \"labels\": [],\r\n \"query\": \"SecurityAlert | take 1\",\r\n \"incidentInfo\": {\r\n \"incidentId\": null,\r\n \"title\": null,\r\n \"relationName\": null,\r\n \"severity\": null\r\n }\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/Bookmarks/cf37bcfe-52b2-4546-a5c6-cbf2ba5e1891\",\r\n \"name\": \"cf37bcfe-52b2-4546-a5c6-cbf2ba5e1891\",\r\n \"etag\": \"\\\"6e001519-0000-0100-0000-5fc2b9730000\\\"\",\r\n \"type\": \"Microsoft.SecurityInsights/Bookmarks\",\r\n \"properties\": {\r\n \"displayName\": \"PoshModuleTest\",\r\n \"created\": \"2020-11-28T20:56:19.5925757+00:00\",\r\n \"updated\": \"2020-11-28T20:56:19.5925757+00:00\",\r\n \"createdBy\": {\r\n \"objectId\": \"14c93cf3-e5e3-45cf-8b4e-1a6f62bdf202\",\r\n \"name\": \"Bookmark created from external application - azsposh\"\r\n },\r\n \"updatedBy\": {\r\n \"objectId\": \"14c93cf3-e5e3-45cf-8b4e-1a6f62bdf202\",\r\n \"name\": \"Bookmark created from external application - azsposh\"\r\n },\r\n \"eventTime\": \"2020-11-28T20:56:19.5925757+00:00\",\r\n \"labels\": [],\r\n \"query\": \"SecurityAlert | take 1\",\r\n \"incidentInfo\": {\r\n \"incidentId\": null,\r\n \"title\": null,\r\n \"relationName\": null,\r\n \"severity\": null\r\n }\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/Bookmarks/4d48845a-3be9-47bb-83e5-29b7d0693552\",\r\n \"name\": \"4d48845a-3be9-47bb-83e5-29b7d0693552\",\r\n \"etag\": \"\\\"6e00ab21-0000-0100-0000-5fc2ba6a0000\\\"\",\r\n \"type\": \"Microsoft.SecurityInsights/Bookmarks\",\r\n \"properties\": {\r\n \"displayName\": \"PoshModuleTest\",\r\n \"created\": \"2020-11-28T21:00:26.7187476+00:00\",\r\n \"updated\": \"2020-11-28T21:00:26.7187476+00:00\",\r\n \"createdBy\": {\r\n \"objectId\": \"14c93cf3-e5e3-45cf-8b4e-1a6f62bdf202\",\r\n \"name\": \"Bookmark created from external application - azsposh\"\r\n },\r\n \"updatedBy\": {\r\n \"objectId\": \"14c93cf3-e5e3-45cf-8b4e-1a6f62bdf202\",\r\n \"name\": \"Bookmark created from external application - azsposh\"\r\n },\r\n \"eventTime\": \"2020-11-28T21:00:26.7187476+00:00\",\r\n \"labels\": [],\r\n \"query\": \"SecurityAlert | take 1\",\r\n \"incidentInfo\": {\r\n \"incidentId\": null,\r\n \"title\": null,\r\n \"relationName\": null,\r\n \"severity\": null\r\n }\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/Bookmarks/1bdf91bd-f0ad-4e32-8d2e-9468624424e3\",\r\n \"name\": \"1bdf91bd-f0ad-4e32-8d2e-9468624424e3\",\r\n \"etag\": \"\\\"6e006222-0000-0100-0000-5fc2ba7f0000\\\"\",\r\n \"type\": \"Microsoft.SecurityInsights/Bookmarks\",\r\n \"properties\": {\r\n \"displayName\": \"PoshModuleTest\",\r\n \"created\": \"2020-11-28T21:00:47.6388329+00:00\",\r\n \"updated\": \"2020-11-28T21:00:47.6388329+00:00\",\r\n \"createdBy\": {\r\n \"objectId\": \"14c93cf3-e5e3-45cf-8b4e-1a6f62bdf202\",\r\n \"name\": \"Bookmark created from external application - azsposh\"\r\n },\r\n \"updatedBy\": {\r\n \"objectId\": \"14c93cf3-e5e3-45cf-8b4e-1a6f62bdf202\",\r\n \"name\": \"Bookmark created from external application - azsposh\"\r\n },\r\n \"eventTime\": \"2020-11-28T21:00:47.6388329+00:00\",\r\n \"labels\": [],\r\n \"query\": \"SecurityAlert | take 1\",\r\n \"incidentInfo\": {\r\n \"incidentId\": null,\r\n \"title\": null,\r\n \"relationName\": null,\r\n \"severity\": null\r\n }\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/Bookmarks/c474ed12-3c06-4360-ac9a-709b106bb8c2\",\r\n \"name\": \"c474ed12-3c06-4360-ac9a-709b106bb8c2\",\r\n \"etag\": \"\\\"7900cd64-0000-0100-0000-5fc433a90000\\\"\",\r\n \"type\": \"Microsoft.SecurityInsights/Bookmarks\",\r\n \"properties\": {\r\n \"displayName\": \"PoshModuleTest\",\r\n \"created\": \"2020-11-28T21:04:53.8526734+00:00\",\r\n \"updated\": \"2020-11-29T23:42:05.3933077+00:00\",\r\n \"createdBy\": {\r\n \"objectId\": \"2b53ce42-3ff1-4523-a239-0f377d3e0fdb\",\r\n \"email\": \"ndicola@buildseccxpninja.onmicrosoft.com\",\r\n \"name\": \"Nicholas DiCola\"\r\n },\r\n \"updatedBy\": {\r\n \"objectId\": \"2b53ce42-3ff1-4523-a239-0f377d3e0fdb\",\r\n \"email\": \"ndicola@buildseccxpninja.onmicrosoft.com\",\r\n \"name\": \"Nicholas DiCola\"\r\n },\r\n \"eventTime\": \"2020-11-28T21:05:53.4671603+00:00\",\r\n \"notes\": \"testnotes\",\r\n \"labels\": [],\r\n \"query\": \"SecurityAlert | take 1\",\r\n \"incidentInfo\": {\r\n \"incidentId\": \"24a9d0ef-a43c-43a6-a96e-fb0a5bf2ac86\",\r\n \"title\": \"PoshModuleTest\",\r\n \"relationName\": \"76d05727-32c2-4da3-ad4d-07cd2c02a441\",\r\n \"severity\": \"Low\"\r\n }\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/Bookmarks/3ad87ae4-4e0e-46f1-9f2e-662466b4ff1b\",\r\n \"name\": \"3ad87ae4-4e0e-46f1-9f2e-662466b4ff1b\",\r\n \"etag\": \"\\\"7900e74c-0000-0100-0000-5fc430b10000\\\"\",\r\n \"type\": \"Microsoft.SecurityInsights/Bookmarks\",\r\n \"properties\": {\r\n \"displayName\": \"PoshModuleTest\",\r\n \"created\": \"2020-11-28T21:06:29.8257871+00:00\",\r\n \"updated\": \"2020-11-28T21:06:31.660384+00:00\",\r\n \"createdBy\": {\r\n \"objectId\": \"2b53ce42-3ff1-4523-a239-0f377d3e0fdb\",\r\n \"email\": \"ndicola@buildseccxpninja.onmicrosoft.com\",\r\n \"name\": \"Nicholas DiCola\"\r\n },\r\n \"updatedBy\": {\r\n \"objectId\": \"2b53ce42-3ff1-4523-a239-0f377d3e0fdb\",\r\n \"email\": \"ndicola@buildseccxpninja.onmicrosoft.com\",\r\n \"name\": \"Nicholas DiCola\"\r\n },\r\n \"eventTime\": \"2020-11-28T21:06:31.660384+00:00\",\r\n \"notes\": \"testnotes\",\r\n \"labels\": [],\r\n \"query\": \"SecurityAlert | take 1\",\r\n \"incidentInfo\": {\r\n \"incidentId\": \"9ad4e331-42c9-4629-a77d-6067d823c537\",\r\n \"title\": \"PoshModuleTest\",\r\n \"relationName\": \"e4f5a064-8cfe-4f76-9076-413c068bfc1f\",\r\n \"severity\": \"Medium\"\r\n }\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/Bookmarks/21e60cdb-6f45-4974-8e1a-31c4742c5fbb\",\r\n \"name\": \"21e60cdb-6f45-4974-8e1a-31c4742c5fbb\",\r\n \"etag\": \"\\\"0000e0ac-0000-0100-0000-5fca66fb0000\\\"\",\r\n \"type\": \"Microsoft.SecurityInsights/Bookmarks\",\r\n \"properties\": {\r\n \"displayName\": \"testposh\",\r\n \"created\": \"2020-12-04T16:42:35.8794779+00:00\",\r\n \"updated\": \"2020-12-04T16:42:35.8794779+00:00\",\r\n \"createdBy\": {\r\n \"objectId\": \"2b53ce42-3ff1-4523-a239-0f377d3e0fdb\",\r\n \"email\": \"ndicola@buildseccxpninja.onmicrosoft.com\",\r\n \"name\": \"Nicholas DiCola\"\r\n },\r\n \"updatedBy\": {\r\n \"objectId\": \"2b53ce42-3ff1-4523-a239-0f377d3e0fdb\",\r\n \"email\": \"ndicola@buildseccxpninja.onmicrosoft.com\",\r\n \"name\": \"Nicholas DiCola\"\r\n },\r\n \"eventTime\": \"2020-12-04T16:42:35.8794779+00:00\",\r\n \"labels\": [],\r\n \"query\": \"SecurityEvent | take 1\",\r\n \"incidentInfo\": {\r\n \"incidentId\": null,\r\n \"title\": null,\r\n \"relationName\": null,\r\n \"severity\": null\r\n }\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/Bookmarks/76d5683f-3354-418e-8e9e-2c8d2ef8249f\",\r\n \"name\": \"76d5683f-3354-418e-8e9e-2c8d2ef8249f\",\r\n \"etag\": \"\\\"0d00b521-0000-0100-0000-5fceef090000\\\"\",\r\n \"type\": \"Microsoft.SecurityInsights/Bookmarks\",\r\n \"properties\": {\r\n \"displayName\": \"PoshModuleTest\",\r\n \"created\": \"2020-12-08T03:12:09.7101737+00:00\",\r\n \"updated\": \"2020-12-08T03:12:09.7101737+00:00\",\r\n \"createdBy\": {\r\n \"objectId\": \"14c93cf3-e5e3-45cf-8b4e-1a6f62bdf202\",\r\n \"name\": \"Bookmark created from external application - azsposh\"\r\n },\r\n \"updatedBy\": {\r\n \"objectId\": \"14c93cf3-e5e3-45cf-8b4e-1a6f62bdf202\",\r\n \"name\": \"Bookmark created from external application - azsposh\"\r\n },\r\n \"eventTime\": \"2020-12-08T03:12:09.7101737+00:00\",\r\n \"labels\": [],\r\n \"query\": \"SecurityAlert | take 1\",\r\n \"incidentInfo\": {\r\n \"incidentId\": null,\r\n \"title\": null,\r\n \"relationName\": null,\r\n \"severity\": null\r\n }\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/Bookmarks/8b7c4b29-ed79-4aa5-958f-030711910940\",\r\n \"name\": \"8b7c4b29-ed79-4aa5-958f-030711910940\",\r\n \"etag\": \"\\\"0d00b821-0000-0100-0000-5fceef0c0000\\\"\",\r\n \"type\": \"Microsoft.SecurityInsights/Bookmarks\",\r\n \"properties\": {\r\n \"displayName\": \"PoshModuleTest\",\r\n \"created\": \"2020-12-08T03:12:12.0334714+00:00\",\r\n \"updated\": \"2020-12-08T03:12:12.0334714+00:00\",\r\n \"createdBy\": {\r\n \"objectId\": \"14c93cf3-e5e3-45cf-8b4e-1a6f62bdf202\",\r\n \"name\": \"Bookmark created from external application - azsposh\"\r\n },\r\n \"updatedBy\": {\r\n \"objectId\": \"14c93cf3-e5e3-45cf-8b4e-1a6f62bdf202\",\r\n \"name\": \"Bookmark created from external application - azsposh\"\r\n },\r\n \"eventTime\": \"2020-12-08T03:12:12.0334714+00:00\",\r\n \"labels\": [],\r\n \"query\": \"SecurityAlert | take 1\",\r\n \"incidentInfo\": {\r\n \"incidentId\": null,\r\n \"title\": null,\r\n \"relationName\": null,\r\n \"severity\": null\r\n }\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/Bookmarks/e66b9b59-e412-4e13-b357-f59143808bb6\",\r\n \"name\": \"e66b9b59-e412-4e13-b357-f59143808bb6\",\r\n \"etag\": \"\\\"0d000423-0000-0100-0000-5fceef660000\\\"\",\r\n \"type\": \"Microsoft.SecurityInsights/Bookmarks\",\r\n \"properties\": {\r\n \"displayName\": \"PoshModuleTest\",\r\n \"created\": \"2020-12-08T03:13:42.321484+00:00\",\r\n \"updated\": \"2020-12-08T03:13:42.321484+00:00\",\r\n \"createdBy\": {\r\n \"objectId\": \"14c93cf3-e5e3-45cf-8b4e-1a6f62bdf202\",\r\n \"name\": \"Bookmark created from external application - azsposh\"\r\n },\r\n \"updatedBy\": {\r\n \"objectId\": \"14c93cf3-e5e3-45cf-8b4e-1a6f62bdf202\",\r\n \"name\": \"Bookmark created from external application - azsposh\"\r\n },\r\n \"eventTime\": \"2020-12-08T03:13:42.321484+00:00\",\r\n \"labels\": [],\r\n \"query\": \"SecurityAlert | take 1\",\r\n \"incidentInfo\": {\r\n \"incidentId\": null,\r\n \"title\": null,\r\n \"relationName\": null,\r\n \"severity\": null\r\n }\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/Bookmarks/c2540532-d3dd-4c7a-8e44-b4ec08d9f60a\",\r\n \"name\": \"c2540532-d3dd-4c7a-8e44-b4ec08d9f60a\",\r\n \"etag\": \"\\\"0d001023-0000-0100-0000-5fceef680000\\\"\",\r\n \"type\": \"Microsoft.SecurityInsights/Bookmarks\",\r\n \"properties\": {\r\n \"displayName\": \"PoshModuleTest\",\r\n \"created\": \"2020-12-08T03:13:44.5562983+00:00\",\r\n \"updated\": \"2020-12-08T03:13:44.5562983+00:00\",\r\n \"createdBy\": {\r\n \"objectId\": \"14c93cf3-e5e3-45cf-8b4e-1a6f62bdf202\",\r\n \"name\": \"Bookmark created from external application - azsposh\"\r\n },\r\n \"updatedBy\": {\r\n \"objectId\": \"14c93cf3-e5e3-45cf-8b4e-1a6f62bdf202\",\r\n \"name\": \"Bookmark created from external application - azsposh\"\r\n },\r\n \"eventTime\": \"2020-12-08T03:13:44.5562983+00:00\",\r\n \"labels\": [],\r\n \"query\": \"SecurityAlert | take 1\",\r\n \"incidentInfo\": {\r\n \"incidentId\": null,\r\n \"title\": null,\r\n \"relationName\": null,\r\n \"severity\": null\r\n }\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/Bookmarks/51a81255-6f72-4b16-8112-9c3ba75d5a6c\",\r\n \"name\": \"51a81255-6f72-4b16-8112-9c3ba75d5a6c\",\r\n \"etag\": \"\\\"0d00b44b-0000-0100-0000-5fcef7170000\\\"\",\r\n \"type\": \"Microsoft.SecurityInsights/Bookmarks\",\r\n \"properties\": {\r\n \"displayName\": \"PoshModuleTest\",\r\n \"created\": \"2020-12-08T03:46:31.5438983+00:00\",\r\n \"updated\": \"2020-12-08T03:46:31.5438983+00:00\",\r\n \"createdBy\": {\r\n \"objectId\": \"14c93cf3-e5e3-45cf-8b4e-1a6f62bdf202\",\r\n \"name\": \"Bookmark created from external application - azsposh\"\r\n },\r\n \"updatedBy\": {\r\n \"objectId\": \"14c93cf3-e5e3-45cf-8b4e-1a6f62bdf202\",\r\n \"name\": \"Bookmark created from external application - azsposh\"\r\n },\r\n \"eventTime\": \"2020-12-08T03:46:31.5438983+00:00\",\r\n \"labels\": [],\r\n \"query\": \"SecurityAlert | take 1\",\r\n \"incidentInfo\": {\r\n \"incidentId\": null,\r\n \"title\": null,\r\n \"relationName\": null,\r\n \"severity\": null\r\n }\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/Bookmarks/4db01edb-f069-47a0-b11e-23f14100dc6c\",\r\n \"name\": \"4db01edb-f069-47a0-b11e-23f14100dc6c\",\r\n \"etag\": \"\\\"0d007b4e-0000-0100-0000-5fcef7b30000\\\"\",\r\n \"type\": \"Microsoft.SecurityInsights/Bookmarks\",\r\n \"properties\": {\r\n \"displayName\": \"PoshModuleTest\",\r\n \"created\": \"2020-12-08T03:49:07.3026686+00:00\",\r\n \"updated\": \"2020-12-08T03:49:07.3026686+00:00\",\r\n \"createdBy\": {\r\n \"objectId\": \"14c93cf3-e5e3-45cf-8b4e-1a6f62bdf202\",\r\n \"name\": \"Bookmark created from external application - azsposh\"\r\n },\r\n \"updatedBy\": {\r\n \"objectId\": \"14c93cf3-e5e3-45cf-8b4e-1a6f62bdf202\",\r\n \"name\": \"Bookmark created from external application - azsposh\"\r\n },\r\n \"eventTime\": \"2020-12-08T03:49:07.3026686+00:00\",\r\n \"labels\": [],\r\n \"query\": \"SecurityAlert | take 1\",\r\n \"incidentInfo\": {\r\n \"incidentId\": null,\r\n \"title\": null,\r\n \"relationName\": null,\r\n \"severity\": null\r\n }\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/Bookmarks/159318ca-f504-4a8e-972b-8dac2f679870\",\r\n \"name\": \"159318ca-f504-4a8e-972b-8dac2f679870\",\r\n \"etag\": \"\\\"0d00ef4e-0000-0100-0000-5fcef7e80000\\\"\",\r\n \"type\": \"Microsoft.SecurityInsights/Bookmarks\",\r\n \"properties\": {\r\n \"displayName\": \"PoshModuleTest\",\r\n \"created\": \"2020-12-08T03:50:00.8850512+00:00\",\r\n \"updated\": \"2020-12-08T03:50:00.8850512+00:00\",\r\n \"createdBy\": {\r\n \"objectId\": \"14c93cf3-e5e3-45cf-8b4e-1a6f62bdf202\",\r\n \"name\": \"Bookmark created from external application - azsposh\"\r\n },\r\n \"updatedBy\": {\r\n \"objectId\": \"14c93cf3-e5e3-45cf-8b4e-1a6f62bdf202\",\r\n \"name\": \"Bookmark created from external application - azsposh\"\r\n },\r\n \"eventTime\": \"2020-12-08T03:50:00.8850512+00:00\",\r\n \"labels\": [],\r\n \"query\": \"SecurityAlert | take 1\",\r\n \"incidentInfo\": {\r\n \"incidentId\": null,\r\n \"title\": null,\r\n \"relationName\": null,\r\n \"severity\": null\r\n }\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/Bookmarks/196d69f7-472f-42ab-a3a1-7743202ea539\",\r\n \"name\": \"196d69f7-472f-42ab-a3a1-7743202ea539\",\r\n \"etag\": \"\\\"0d003d4f-0000-0100-0000-5fcef8280000\\\"\",\r\n \"type\": \"Microsoft.SecurityInsights/Bookmarks\",\r\n \"properties\": {\r\n \"displayName\": \"PoshModuleTest\",\r\n \"created\": \"2020-12-08T03:51:04.5000651+00:00\",\r\n \"updated\": \"2020-12-08T03:51:04.5000651+00:00\",\r\n \"createdBy\": {\r\n \"objectId\": \"14c93cf3-e5e3-45cf-8b4e-1a6f62bdf202\",\r\n \"name\": \"Bookmark created from external application - azsposh\"\r\n },\r\n \"updatedBy\": {\r\n \"objectId\": \"14c93cf3-e5e3-45cf-8b4e-1a6f62bdf202\",\r\n \"name\": \"Bookmark created from external application - azsposh\"\r\n },\r\n \"eventTime\": \"2020-12-08T03:51:04.5000651+00:00\",\r\n \"labels\": [],\r\n \"query\": \"SecurityAlert | take 1\",\r\n \"incidentInfo\": {\r\n \"incidentId\": null,\r\n \"title\": null,\r\n \"relationName\": null,\r\n \"severity\": null\r\n }\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/Bookmarks/a38f7395-e3b4-4b64-bf09-ec0848ece893\",\r\n \"name\": \"a38f7395-e3b4-4b64-bf09-ec0848ece893\",\r\n \"etag\": \"\\\"0d008f4f-0000-0100-0000-5fcef8410000\\\"\",\r\n \"type\": \"Microsoft.SecurityInsights/Bookmarks\",\r\n \"properties\": {\r\n \"displayName\": \"PoshModuleTest\",\r\n \"created\": \"2020-12-08T03:51:29.8640501+00:00\",\r\n \"updated\": \"2020-12-08T03:51:29.8640501+00:00\",\r\n \"createdBy\": {\r\n \"objectId\": \"14c93cf3-e5e3-45cf-8b4e-1a6f62bdf202\",\r\n \"name\": \"Bookmark created from external application - azsposh\"\r\n },\r\n \"updatedBy\": {\r\n \"objectId\": \"14c93cf3-e5e3-45cf-8b4e-1a6f62bdf202\",\r\n \"name\": \"Bookmark created from external application - azsposh\"\r\n },\r\n \"eventTime\": \"2020-12-08T03:51:29.8640501+00:00\",\r\n \"labels\": [],\r\n \"query\": \"SecurityAlert | take 1\",\r\n \"incidentInfo\": {\r\n \"incidentId\": null,\r\n \"title\": null,\r\n \"relationName\": null,\r\n \"severity\": null\r\n }\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/Bookmarks/628846a5-6218-4185-84a7-2e9e1784bd71\",\r\n \"name\": \"628846a5-6218-4185-84a7-2e9e1784bd71\",\r\n \"etag\": \"\\\"0d003e50-0000-0100-0000-5fcef8740000\\\"\",\r\n \"type\": \"Microsoft.SecurityInsights/Bookmarks\",\r\n \"properties\": {\r\n \"displayName\": \"PoshModuleTest\",\r\n \"created\": \"2020-12-08T03:52:20.4519573+00:00\",\r\n \"updated\": \"2020-12-08T03:52:20.4519573+00:00\",\r\n \"createdBy\": {\r\n \"objectId\": \"14c93cf3-e5e3-45cf-8b4e-1a6f62bdf202\",\r\n \"name\": \"Bookmark created from external application - azsposh\"\r\n },\r\n \"updatedBy\": {\r\n \"objectId\": \"14c93cf3-e5e3-45cf-8b4e-1a6f62bdf202\",\r\n \"name\": \"Bookmark created from external application - azsposh\"\r\n },\r\n \"eventTime\": \"2020-12-08T03:52:20.4519573+00:00\",\r\n \"labels\": [],\r\n \"query\": \"SecurityAlert | take 1\",\r\n \"incidentInfo\": {\r\n \"incidentId\": null,\r\n \"title\": null,\r\n \"relationName\": null,\r\n \"severity\": null\r\n }\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/Bookmarks/41fc8778-9b2b-424c-aa91-84ceaeccceb3\",\r\n \"name\": \"41fc8778-9b2b-424c-aa91-84ceaeccceb3\",\r\n \"etag\": \"\\\"0d00c350-0000-0100-0000-5fcef88f0000\\\"\",\r\n \"type\": \"Microsoft.SecurityInsights/Bookmarks\",\r\n \"properties\": {\r\n \"displayName\": \"PoshModuleTest\",\r\n \"created\": \"2020-12-08T03:52:47.3531488+00:00\",\r\n \"updated\": \"2020-12-08T03:52:47.3531488+00:00\",\r\n \"createdBy\": {\r\n \"objectId\": \"14c93cf3-e5e3-45cf-8b4e-1a6f62bdf202\",\r\n \"name\": \"Bookmark created from external application - azsposh\"\r\n },\r\n \"updatedBy\": {\r\n \"objectId\": \"14c93cf3-e5e3-45cf-8b4e-1a6f62bdf202\",\r\n \"name\": \"Bookmark created from external application - azsposh\"\r\n },\r\n \"eventTime\": \"2020-12-08T03:52:47.3531488+00:00\",\r\n \"labels\": [],\r\n \"query\": \"SecurityAlert | take 1\",\r\n \"incidentInfo\": {\r\n \"incidentId\": null,\r\n \"title\": null,\r\n \"relationName\": null,\r\n \"severity\": null\r\n }\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/Bookmarks/9af382e0-e2cc-4515-bc69-ceebe67a6458\",\r\n \"name\": \"9af382e0-e2cc-4515-bc69-ceebe67a6458\",\r\n \"etag\": \"\\\"0d005951-0000-0100-0000-5fcef8b90000\\\"\",\r\n \"type\": \"Microsoft.SecurityInsights/Bookmarks\",\r\n \"properties\": {\r\n \"displayName\": \"PoshModuleTest\",\r\n \"created\": \"2020-12-08T03:53:29.6581833+00:00\",\r\n \"updated\": \"2020-12-08T03:53:29.6581833+00:00\",\r\n \"createdBy\": {\r\n \"objectId\": \"14c93cf3-e5e3-45cf-8b4e-1a6f62bdf202\",\r\n \"name\": \"Bookmark created from external application - azsposh\"\r\n },\r\n \"updatedBy\": {\r\n \"objectId\": \"14c93cf3-e5e3-45cf-8b4e-1a6f62bdf202\",\r\n \"name\": \"Bookmark created from external application - azsposh\"\r\n },\r\n \"eventTime\": \"2020-12-08T03:53:29.6581833+00:00\",\r\n \"labels\": [],\r\n \"query\": \"SecurityAlert | take 1\",\r\n \"incidentInfo\": {\r\n \"incidentId\": null,\r\n \"title\": null,\r\n \"relationName\": null,\r\n \"severity\": null\r\n }\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/Bookmarks/e6a68660-0015-4a20-8e46-5e57f890b528\",\r\n \"name\": \"e6a68660-0015-4a20-8e46-5e57f890b528\",\r\n \"etag\": \"\\\"0d00fa51-0000-0100-0000-5fcef8de0000\\\"\",\r\n \"type\": \"Microsoft.SecurityInsights/Bookmarks\",\r\n \"properties\": {\r\n \"displayName\": \"PoshModuleTest\",\r\n \"created\": \"2020-12-08T03:54:06.0961248+00:00\",\r\n \"updated\": \"2020-12-08T03:54:06.0961248+00:00\",\r\n \"createdBy\": {\r\n \"objectId\": \"14c93cf3-e5e3-45cf-8b4e-1a6f62bdf202\",\r\n \"name\": \"Bookmark created from external application - azsposh\"\r\n },\r\n \"updatedBy\": {\r\n \"objectId\": \"14c93cf3-e5e3-45cf-8b4e-1a6f62bdf202\",\r\n \"name\": \"Bookmark created from external application - azsposh\"\r\n },\r\n \"eventTime\": \"2020-12-08T03:54:06.0961248+00:00\",\r\n \"labels\": [],\r\n \"query\": \"SecurityAlert | take 1\",\r\n \"incidentInfo\": {\r\n \"incidentId\": null,\r\n \"title\": null,\r\n \"relationName\": null,\r\n \"severity\": null\r\n }\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/Bookmarks/c65fd41e-a5ae-490d-a436-10ac4d891a47\",\r\n \"name\": \"c65fd41e-a5ae-490d-a436-10ac4d891a47\",\r\n \"etag\": \"\\\"0d009556-0000-0100-0000-5fcef9be0000\\\"\",\r\n \"type\": \"Microsoft.SecurityInsights/Bookmarks\",\r\n \"properties\": {\r\n \"displayName\": \"PoshModuleTest\",\r\n \"created\": \"2020-12-08T03:57:50.7132333+00:00\",\r\n \"updated\": \"2020-12-08T03:57:50.7132333+00:00\",\r\n \"createdBy\": {\r\n \"objectId\": \"14c93cf3-e5e3-45cf-8b4e-1a6f62bdf202\",\r\n \"name\": \"Bookmark created from external application - azsposh\"\r\n },\r\n \"updatedBy\": {\r\n \"objectId\": \"14c93cf3-e5e3-45cf-8b4e-1a6f62bdf202\",\r\n \"name\": \"Bookmark created from external application - azsposh\"\r\n },\r\n \"eventTime\": \"2020-12-08T03:57:50.7132333+00:00\",\r\n \"labels\": [],\r\n \"query\": \"SecurityAlert | take 1\",\r\n \"incidentInfo\": {\r\n \"incidentId\": null,\r\n \"title\": null,\r\n \"relationName\": null,\r\n \"severity\": null\r\n }\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/Bookmarks/1b6e404c-45b2-4625-bc6b-760f30b807be\",\r\n \"name\": \"1b6e404c-45b2-4625-bc6b-760f30b807be\",\r\n \"etag\": \"\\\"0d003960-0000-0100-0000-5fcefc980000\\\"\",\r\n \"type\": \"Microsoft.SecurityInsights/Bookmarks\",\r\n \"properties\": {\r\n \"displayName\": \"PoshModuleTest\",\r\n \"created\": \"2020-12-08T04:10:00.8121752+00:00\",\r\n \"updated\": \"2020-12-08T04:10:00.8121752+00:00\",\r\n \"createdBy\": {\r\n \"objectId\": \"14c93cf3-e5e3-45cf-8b4e-1a6f62bdf202\",\r\n \"name\": \"Bookmark created from external application - azsposh\"\r\n },\r\n \"updatedBy\": {\r\n \"objectId\": \"14c93cf3-e5e3-45cf-8b4e-1a6f62bdf202\",\r\n \"name\": \"Bookmark created from external application - azsposh\"\r\n },\r\n \"eventTime\": \"2020-12-08T04:10:00.8121752+00:00\",\r\n \"labels\": [],\r\n \"query\": \"SecurityAlert | take 1\",\r\n \"incidentInfo\": {\r\n \"incidentId\": null,\r\n \"title\": null,\r\n \"relationName\": null,\r\n \"severity\": null\r\n }\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/Bookmarks/7f9c53fa-ae8d-4b64-9363-cca827829664\",\r\n \"name\": \"7f9c53fa-ae8d-4b64-9363-cca827829664\",\r\n \"etag\": \"\\\"0d000761-0000-0100-0000-5fcefcb80000\\\"\",\r\n \"type\": \"Microsoft.SecurityInsights/Bookmarks\",\r\n \"properties\": {\r\n \"displayName\": \"PoshModuleTest\",\r\n \"created\": \"2020-12-08T04:10:32.2608425+00:00\",\r\n \"updated\": \"2020-12-08T04:10:32.2608425+00:00\",\r\n \"createdBy\": {\r\n \"objectId\": \"14c93cf3-e5e3-45cf-8b4e-1a6f62bdf202\",\r\n \"name\": \"Bookmark created from external application - azsposh\"\r\n },\r\n \"updatedBy\": {\r\n \"objectId\": \"14c93cf3-e5e3-45cf-8b4e-1a6f62bdf202\",\r\n \"name\": \"Bookmark created from external application - azsposh\"\r\n },\r\n \"eventTime\": \"2020-12-08T04:10:32.2608425+00:00\",\r\n \"labels\": [],\r\n \"query\": \"SecurityAlert | take 1\",\r\n \"incidentInfo\": {\r\n \"incidentId\": null,\r\n \"title\": null,\r\n \"relationName\": null,\r\n \"severity\": null\r\n }\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/Bookmarks/f8c96971-3a56-4be3-b08f-4c1d0534e824\",\r\n \"name\": \"f8c96971-3a56-4be3-b08f-4c1d0534e824\",\r\n \"etag\": \"\\\"0d007763-0000-0100-0000-5fcefd1f0000\\\"\",\r\n \"type\": \"Microsoft.SecurityInsights/Bookmarks\",\r\n \"properties\": {\r\n \"displayName\": \"PoshModuleTest\",\r\n \"created\": \"2020-12-08T04:12:15.2755981+00:00\",\r\n \"updated\": \"2020-12-08T04:12:15.2755981+00:00\",\r\n \"createdBy\": {\r\n \"objectId\": \"14c93cf3-e5e3-45cf-8b4e-1a6f62bdf202\",\r\n \"name\": \"Bookmark created from external application - azsposh\"\r\n },\r\n \"updatedBy\": {\r\n \"objectId\": \"14c93cf3-e5e3-45cf-8b4e-1a6f62bdf202\",\r\n \"name\": \"Bookmark created from external application - azsposh\"\r\n },\r\n \"eventTime\": \"2020-12-08T04:12:15.2755981+00:00\",\r\n \"labels\": [],\r\n \"query\": \"SecurityAlert | take 1\",\r\n \"incidentInfo\": {\r\n \"incidentId\": null,\r\n \"title\": null,\r\n \"relationName\": null,\r\n \"severity\": null\r\n }\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/Bookmarks/a85e3b3b-c95e-4f8d-b5d6-0e9bcbd2e664\",\r\n \"name\": \"a85e3b3b-c95e-4f8d-b5d6-0e9bcbd2e664\",\r\n \"etag\": \"\\\"2400add7-0000-0100-0000-5fd28f750000\\\"\",\r\n \"type\": \"Microsoft.SecurityInsights/Bookmarks\",\r\n \"properties\": {\r\n \"displayName\": \"PoshModuleTest\",\r\n \"created\": \"2020-12-10T21:13:25.1499316+00:00\",\r\n \"updated\": \"2020-12-10T21:13:25.1499316+00:00\",\r\n \"createdBy\": {\r\n \"objectId\": \"14c93cf3-e5e3-45cf-8b4e-1a6f62bdf202\",\r\n \"name\": \"Bookmark created from external application - azsposh\"\r\n },\r\n \"updatedBy\": {\r\n \"objectId\": \"14c93cf3-e5e3-45cf-8b4e-1a6f62bdf202\",\r\n \"name\": \"Bookmark created from external application - azsposh\"\r\n },\r\n \"eventTime\": \"2020-12-10T21:13:25.1499316+00:00\",\r\n \"labels\": [],\r\n \"query\": \"SecurityAlert | take 1\",\r\n \"incidentInfo\": {\r\n \"incidentId\": null,\r\n \"title\": null,\r\n \"relationName\": null,\r\n \"severity\": null\r\n }\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/Bookmarks/91c29052-8ec9-4395-ad6c-e5c6cf562eec\",\r\n \"name\": \"91c29052-8ec9-4395-ad6c-e5c6cf562eec\",\r\n \"etag\": \"\\\"2400b4d7-0000-0100-0000-5fd28f760000\\\"\",\r\n \"type\": \"Microsoft.SecurityInsights/Bookmarks\",\r\n \"properties\": {\r\n \"displayName\": \"PoshModuleTest2\",\r\n \"created\": \"2020-12-10T21:13:26.054093+00:00\",\r\n \"updated\": \"2020-12-10T21:13:26.054093+00:00\",\r\n \"createdBy\": {\r\n \"objectId\": \"14c93cf3-e5e3-45cf-8b4e-1a6f62bdf202\",\r\n \"name\": \"Bookmark created from external application - azsposh\"\r\n },\r\n \"updatedBy\": {\r\n \"objectId\": \"14c93cf3-e5e3-45cf-8b4e-1a6f62bdf202\",\r\n \"name\": \"Bookmark created from external application - azsposh\"\r\n },\r\n \"eventTime\": \"2020-12-10T21:13:26.054093+00:00\",\r\n \"labels\": [],\r\n \"query\": \"SecurityAlert | take 1\",\r\n \"incidentInfo\": {\r\n \"incidentId\": null,\r\n \"title\": null,\r\n \"relationName\": null,\r\n \"severity\": null\r\n }\r\n }\r\n }\r\n ]\r\n}",
+ "StatusCode": 200
+ },
+ {
+ "RequestUri": "/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/bookmarks/a85e3b3b-c95e-4f8d-b5d6-0e9bcbd2e664?api-version=2020-01-01",
+ "EncodedRequestUri": "L3N1YnNjcmlwdGlvbnMvMWM2MWNjYmYtNzBiMy00NWEzLWExZmItODQ4Y2U0NmQ3MGE2L3Jlc291cmNlR3JvdXBzL25kaWNvbGEtYXpzcG9zaC9wcm92aWRlcnMvTWljcm9zb2Z0Lk9wZXJhdGlvbmFsSW5zaWdodHMvd29ya3NwYWNlcy9henNwb3NoL3Byb3ZpZGVycy9NaWNyb3NvZnQuU2VjdXJpdHlJbnNpZ2h0cy9ib29rbWFya3MvYTg1ZTNiM2ItYzk1ZS00ZjhkLWI1ZDYtMGU5YmNiZDJlNjY0P2FwaS12ZXJzaW9uPTIwMjAtMDEtMDE=",
+ "RequestMethod": "DELETE",
+ "RequestBody": "",
+ "RequestHeaders": {
+ "x-ms-client-request-id": [
+ "e536877c-b530-4b8a-a2b2-76fb6d986b1e"
+ ],
+ "Accept-Language": [
+ "en-US"
+ ],
+ "User-Agent": [
+ "FxVersion/4.6.29321.03",
+ "OSName/Windows",
+ "OSVersion/Microsoft.Windows.10.0.19042.",
+ "Microsoft.Azure.Management.SecurityInsights.SecurityInsightsClient/1.0.0.0"
+ ]
+ },
+ "ResponseHeaders": {
+ "Cache-Control": [
+ "no-cache"
+ ],
+ "Pragma": [
+ "no-cache"
+ ],
+ "x-ms-ratelimit-remaining-subscription-deletes": [
+ "14999"
+ ],
+ "api-supported-versions": [
+ "2019-01-01"
+ ],
+ "Server": [
+ "Kestrel"
+ ],
+ "x-ms-request-id": [
+ "73644497-9e9f-4cd1-a9d3-a108c631c312"
+ ],
+ "x-ms-correlation-request-id": [
+ "73644497-9e9f-4cd1-a9d3-a108c631c312"
+ ],
+ "x-ms-routing-request-id": [
+ "WESTUS2:20201210T211327Z:73644497-9e9f-4cd1-a9d3-a108c631c312"
+ ],
+ "Strict-Transport-Security": [
+ "max-age=31536000; includeSubDomains"
+ ],
+ "X-Content-Type-Options": [
+ "nosniff"
+ ],
+ "Date": [
+ "Thu, 10 Dec 2020 21:13:27 GMT"
+ ],
+ "Content-Length": [
+ "2"
+ ],
+ "Content-Type": [
+ "application/json; charset=utf-8"
+ ],
+ "Expires": [
+ "-1"
+ ]
+ },
+ "ResponseBody": "{}",
+ "StatusCode": 200
+ },
+ {
+ "RequestUri": "/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/bookmarks/91c29052-8ec9-4395-ad6c-e5c6cf562eec?api-version=2020-01-01",
+ "EncodedRequestUri": "L3N1YnNjcmlwdGlvbnMvMWM2MWNjYmYtNzBiMy00NWEzLWExZmItODQ4Y2U0NmQ3MGE2L3Jlc291cmNlR3JvdXBzL25kaWNvbGEtYXpzcG9zaC9wcm92aWRlcnMvTWljcm9zb2Z0Lk9wZXJhdGlvbmFsSW5zaWdodHMvd29ya3NwYWNlcy9henNwb3NoL3Byb3ZpZGVycy9NaWNyb3NvZnQuU2VjdXJpdHlJbnNpZ2h0cy9ib29rbWFya3MvOTFjMjkwNTItOGVjOS00Mzk1LWFkNmMtZTVjNmNmNTYyZWVjP2FwaS12ZXJzaW9uPTIwMjAtMDEtMDE=",
+ "RequestMethod": "DELETE",
+ "RequestBody": "",
+ "RequestHeaders": {
+ "x-ms-client-request-id": [
+ "c141935a-e2c0-433c-9e2c-8293bd6929b0"
+ ],
+ "Accept-Language": [
+ "en-US"
+ ],
+ "User-Agent": [
+ "FxVersion/4.6.29321.03",
+ "OSName/Windows",
+ "OSVersion/Microsoft.Windows.10.0.19042.",
+ "Microsoft.Azure.Management.SecurityInsights.SecurityInsightsClient/1.0.0.0"
+ ]
+ },
+ "ResponseHeaders": {
+ "Cache-Control": [
+ "no-cache"
+ ],
+ "Pragma": [
+ "no-cache"
+ ],
+ "x-ms-ratelimit-remaining-subscription-deletes": [
+ "14998"
+ ],
+ "api-supported-versions": [
+ "2019-01-01"
+ ],
+ "Server": [
+ "Kestrel"
+ ],
+ "x-ms-request-id": [
+ "3678343d-3c6b-4f85-a296-0602df52f691"
+ ],
+ "x-ms-correlation-request-id": [
+ "3678343d-3c6b-4f85-a296-0602df52f691"
+ ],
+ "x-ms-routing-request-id": [
+ "WESTUS2:20201210T211328Z:3678343d-3c6b-4f85-a296-0602df52f691"
+ ],
+ "Strict-Transport-Security": [
+ "max-age=31536000; includeSubDomains"
+ ],
+ "X-Content-Type-Options": [
+ "nosniff"
+ ],
+ "Date": [
+ "Thu, 10 Dec 2020 21:13:28 GMT"
+ ],
+ "Content-Length": [
+ "2"
+ ],
+ "Content-Type": [
+ "application/json; charset=utf-8"
+ ],
+ "Expires": [
+ "-1"
+ ]
+ },
+ "ResponseBody": "{}",
+ "StatusCode": 200
+ }
+ ],
+ "Names": {},
+ "Variables": {
+ "SubscriptionId": "1c61ccbf-70b3-45a3-a1fb-848ce46d70a6"
+ }
+}
\ No newline at end of file
diff --git a/src/SecurityInsights/SecurityInsights.Test/SessionRecords/Microsoft.Azure.Commands.SecurityInsights.Test.ScenarioTests.BookmarksTests/Remove.json b/src/SecurityInsights/SecurityInsights.Test/SessionRecords/Microsoft.Azure.Commands.SecurityInsights.Test.ScenarioTests.BookmarksTests/Remove.json
new file mode 100644
index 000000000000..321d999c89d0
--- /dev/null
+++ b/src/SecurityInsights/SecurityInsights.Test/SessionRecords/Microsoft.Azure.Commands.SecurityInsights.Test.ScenarioTests.BookmarksTests/Remove.json
@@ -0,0 +1,146 @@
+{
+ "Entries": [
+ {
+ "RequestUri": "/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/bookmarks/a18251f2-1a0f-45f2-bb0d-ad4121911fce?api-version=2020-01-01",
+ "EncodedRequestUri": "L3N1YnNjcmlwdGlvbnMvMWM2MWNjYmYtNzBiMy00NWEzLWExZmItODQ4Y2U0NmQ3MGE2L3Jlc291cmNlR3JvdXBzL25kaWNvbGEtYXpzcG9zaC9wcm92aWRlcnMvTWljcm9zb2Z0Lk9wZXJhdGlvbmFsSW5zaWdodHMvd29ya3NwYWNlcy9henNwb3NoL3Byb3ZpZGVycy9NaWNyb3NvZnQuU2VjdXJpdHlJbnNpZ2h0cy9ib29rbWFya3MvYTE4MjUxZjItMWEwZi00NWYyLWJiMGQtYWQ0MTIxOTExZmNlP2FwaS12ZXJzaW9uPTIwMjAtMDEtMDE=",
+ "RequestMethod": "PUT",
+ "RequestBody": "{\r\n \"properties\": {\r\n \"created\": \"2020-12-10T21:13:21.8456035Z\",\r\n \"displayName\": \"PoshModuleTest\",\r\n \"query\": \"SecurityAlert | take 1\"\r\n }\r\n}",
+ "RequestHeaders": {
+ "x-ms-client-request-id": [
+ "a5beac69-7073-4d68-b573-c522d4f222ff"
+ ],
+ "Accept-Language": [
+ "en-US"
+ ],
+ "User-Agent": [
+ "FxVersion/4.6.29321.03",
+ "OSName/Windows",
+ "OSVersion/Microsoft.Windows.10.0.19042.",
+ "Microsoft.Azure.Management.SecurityInsights.SecurityInsightsClient/1.0.0.0"
+ ],
+ "Content-Type": [
+ "application/json; charset=utf-8"
+ ],
+ "Content-Length": [
+ "153"
+ ]
+ },
+ "ResponseHeaders": {
+ "Cache-Control": [
+ "no-cache"
+ ],
+ "Pragma": [
+ "no-cache"
+ ],
+ "x-ms-ratelimit-remaining-subscription-writes": [
+ "1199"
+ ],
+ "api-supported-versions": [
+ "2019-01-01"
+ ],
+ "Server": [
+ "Kestrel"
+ ],
+ "x-ms-request-id": [
+ "d601e04a-7269-446f-a1f5-3f28dd137c8f"
+ ],
+ "x-ms-correlation-request-id": [
+ "d601e04a-7269-446f-a1f5-3f28dd137c8f"
+ ],
+ "x-ms-routing-request-id": [
+ "WESTUS2:20201210T211322Z:d601e04a-7269-446f-a1f5-3f28dd137c8f"
+ ],
+ "Strict-Transport-Security": [
+ "max-age=31536000; includeSubDomains"
+ ],
+ "X-Content-Type-Options": [
+ "nosniff"
+ ],
+ "Date": [
+ "Thu, 10 Dec 2020 21:13:22 GMT"
+ ],
+ "Content-Length": [
+ "935"
+ ],
+ "Content-Type": [
+ "application/json; charset=utf-8"
+ ],
+ "Expires": [
+ "-1"
+ ]
+ },
+ "ResponseBody": "{\r\n \"id\": \"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/Bookmarks/a18251f2-1a0f-45f2-bb0d-ad4121911fce\",\r\n \"name\": \"a18251f2-1a0f-45f2-bb0d-ad4121911fce\",\r\n \"etag\": \"\\\"240095d7-0000-0100-0000-5fd28f720000\\\"\",\r\n \"type\": \"Microsoft.SecurityInsights/Bookmarks\",\r\n \"properties\": {\r\n \"displayName\": \"PoshModuleTest\",\r\n \"created\": \"2020-12-10T21:13:22.0659618+00:00\",\r\n \"updated\": \"2020-12-10T21:13:22+00:00\",\r\n \"createdBy\": {\r\n \"objectId\": \"14c93cf3-e5e3-45cf-8b4e-1a6f62bdf202\",\r\n \"name\": \"Bookmark created from external application - azsposh\"\r\n },\r\n \"updatedBy\": {\r\n \"objectId\": \"14c93cf3-e5e3-45cf-8b4e-1a6f62bdf202\",\r\n \"name\": \"Bookmark created from external application - azsposh\"\r\n },\r\n \"eventTime\": \"2020-12-10T21:13:22.0659618+00:00\",\r\n \"labels\": [],\r\n \"query\": \"SecurityAlert | take 1\",\r\n \"incidentInfo\": {\r\n \"incidentId\": null,\r\n \"title\": null,\r\n \"relationName\": null,\r\n \"severity\": null\r\n }\r\n }\r\n}",
+ "StatusCode": 200
+ },
+ {
+ "RequestUri": "/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/bookmarks/a18251f2-1a0f-45f2-bb0d-ad4121911fce?api-version=2020-01-01",
+ "EncodedRequestUri": "L3N1YnNjcmlwdGlvbnMvMWM2MWNjYmYtNzBiMy00NWEzLWExZmItODQ4Y2U0NmQ3MGE2L3Jlc291cmNlR3JvdXBzL25kaWNvbGEtYXpzcG9zaC9wcm92aWRlcnMvTWljcm9zb2Z0Lk9wZXJhdGlvbmFsSW5zaWdodHMvd29ya3NwYWNlcy9henNwb3NoL3Byb3ZpZGVycy9NaWNyb3NvZnQuU2VjdXJpdHlJbnNpZ2h0cy9ib29rbWFya3MvYTE4MjUxZjItMWEwZi00NWYyLWJiMGQtYWQ0MTIxOTExZmNlP2FwaS12ZXJzaW9uPTIwMjAtMDEtMDE=",
+ "RequestMethod": "DELETE",
+ "RequestBody": "",
+ "RequestHeaders": {
+ "x-ms-client-request-id": [
+ "17be64e7-80d5-48a1-997c-5672678eee56"
+ ],
+ "Accept-Language": [
+ "en-US"
+ ],
+ "User-Agent": [
+ "FxVersion/4.6.29321.03",
+ "OSName/Windows",
+ "OSVersion/Microsoft.Windows.10.0.19042.",
+ "Microsoft.Azure.Management.SecurityInsights.SecurityInsightsClient/1.0.0.0"
+ ]
+ },
+ "ResponseHeaders": {
+ "Cache-Control": [
+ "no-cache"
+ ],
+ "Pragma": [
+ "no-cache"
+ ],
+ "x-ms-ratelimit-remaining-subscription-deletes": [
+ "14999"
+ ],
+ "api-supported-versions": [
+ "2019-01-01"
+ ],
+ "Server": [
+ "Kestrel"
+ ],
+ "x-ms-request-id": [
+ "9644cf5f-8dbf-4564-9f6e-1ddf55c3cf9b"
+ ],
+ "x-ms-correlation-request-id": [
+ "9644cf5f-8dbf-4564-9f6e-1ddf55c3cf9b"
+ ],
+ "x-ms-routing-request-id": [
+ "WESTUS2:20201210T211323Z:9644cf5f-8dbf-4564-9f6e-1ddf55c3cf9b"
+ ],
+ "Strict-Transport-Security": [
+ "max-age=31536000; includeSubDomains"
+ ],
+ "X-Content-Type-Options": [
+ "nosniff"
+ ],
+ "Date": [
+ "Thu, 10 Dec 2020 21:13:23 GMT"
+ ],
+ "Content-Length": [
+ "2"
+ ],
+ "Content-Type": [
+ "application/json; charset=utf-8"
+ ],
+ "Expires": [
+ "-1"
+ ]
+ },
+ "ResponseBody": "{}",
+ "StatusCode": 200
+ }
+ ],
+ "Names": {},
+ "Variables": {
+ "SubscriptionId": "1c61ccbf-70b3-45a3-a1fb-848ce46d70a6"
+ }
+}
\ No newline at end of file
diff --git a/src/SecurityInsights/SecurityInsights.Test/SessionRecords/Microsoft.Azure.Commands.SecurityInsights.Test.ScenarioTests.BookmarksTests/Update.json b/src/SecurityInsights/SecurityInsights.Test/SessionRecords/Microsoft.Azure.Commands.SecurityInsights.Test.ScenarioTests.BookmarksTests/Update.json
new file mode 100644
index 000000000000..ef0e1432198b
--- /dev/null
+++ b/src/SecurityInsights/SecurityInsights.Test/SessionRecords/Microsoft.Azure.Commands.SecurityInsights.Test.ScenarioTests.BookmarksTests/Update.json
@@ -0,0 +1,284 @@
+{
+ "Entries": [
+ {
+ "RequestUri": "/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/bookmarks/e1606ca5-cd05-42ba-ac77-cdf0da4b719f?api-version=2020-01-01",
+ "EncodedRequestUri": "L3N1YnNjcmlwdGlvbnMvMWM2MWNjYmYtNzBiMy00NWEzLWExZmItODQ4Y2U0NmQ3MGE2L3Jlc291cmNlR3JvdXBzL25kaWNvbGEtYXpzcG9zaC9wcm92aWRlcnMvTWljcm9zb2Z0Lk9wZXJhdGlvbmFsSW5zaWdodHMvd29ya3NwYWNlcy9henNwb3NoL3Byb3ZpZGVycy9NaWNyb3NvZnQuU2VjdXJpdHlJbnNpZ2h0cy9ib29rbWFya3MvZTE2MDZjYTUtY2QwNS00MmJhLWFjNzctY2RmMGRhNGI3MTlmP2FwaS12ZXJzaW9uPTIwMjAtMDEtMDE=",
+ "RequestMethod": "PUT",
+ "RequestBody": "{\r\n \"properties\": {\r\n \"created\": \"2020-12-10T21:39:02.754166Z\",\r\n \"displayName\": \"PoshModuleTest\",\r\n \"query\": \"SecurityAlert | take 1\"\r\n }\r\n}",
+ "RequestHeaders": {
+ "x-ms-client-request-id": [
+ "ab65b944-4954-4387-bbe0-8b2e751ba8d7"
+ ],
+ "Accept-Language": [
+ "en-US"
+ ],
+ "User-Agent": [
+ "FxVersion/4.6.29321.03",
+ "OSName/Windows",
+ "OSVersion/Microsoft.Windows.10.0.19042.",
+ "Microsoft.Azure.Management.SecurityInsights.SecurityInsightsClient/1.0.0.0"
+ ],
+ "Content-Type": [
+ "application/json; charset=utf-8"
+ ],
+ "Content-Length": [
+ "152"
+ ]
+ },
+ "ResponseHeaders": {
+ "Cache-Control": [
+ "no-cache"
+ ],
+ "Pragma": [
+ "no-cache"
+ ],
+ "x-ms-ratelimit-remaining-subscription-writes": [
+ "1198"
+ ],
+ "api-supported-versions": [
+ "2019-01-01"
+ ],
+ "Server": [
+ "Kestrel"
+ ],
+ "x-ms-request-id": [
+ "57fa9c0b-4619-4ff6-9cb9-e30b081f91e9"
+ ],
+ "x-ms-correlation-request-id": [
+ "57fa9c0b-4619-4ff6-9cb9-e30b081f91e9"
+ ],
+ "x-ms-routing-request-id": [
+ "WESTUS2:20201210T213904Z:57fa9c0b-4619-4ff6-9cb9-e30b081f91e9"
+ ],
+ "Strict-Transport-Security": [
+ "max-age=31536000; includeSubDomains"
+ ],
+ "X-Content-Type-Options": [
+ "nosniff"
+ ],
+ "Date": [
+ "Thu, 10 Dec 2020 21:39:03 GMT"
+ ],
+ "Content-Length": [
+ "935"
+ ],
+ "Content-Type": [
+ "application/json; charset=utf-8"
+ ],
+ "Expires": [
+ "-1"
+ ]
+ },
+ "ResponseBody": "{\r\n \"id\": \"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/Bookmarks/e1606ca5-cd05-42ba-ac77-cdf0da4b719f\",\r\n \"name\": \"e1606ca5-cd05-42ba-ac77-cdf0da4b719f\",\r\n \"etag\": \"\\\"2400eaec-0000-0100-0000-5fd295770000\\\"\",\r\n \"type\": \"Microsoft.SecurityInsights/Bookmarks\",\r\n \"properties\": {\r\n \"displayName\": \"PoshModuleTest\",\r\n \"created\": \"2020-12-10T21:39:03.3622705+00:00\",\r\n \"updated\": \"2020-12-10T21:39:03+00:00\",\r\n \"createdBy\": {\r\n \"objectId\": \"14c93cf3-e5e3-45cf-8b4e-1a6f62bdf202\",\r\n \"name\": \"Bookmark created from external application - azsposh\"\r\n },\r\n \"updatedBy\": {\r\n \"objectId\": \"14c93cf3-e5e3-45cf-8b4e-1a6f62bdf202\",\r\n \"name\": \"Bookmark created from external application - azsposh\"\r\n },\r\n \"eventTime\": \"2020-12-10T21:39:03.3622705+00:00\",\r\n \"labels\": [],\r\n \"query\": \"SecurityAlert | take 1\",\r\n \"incidentInfo\": {\r\n \"incidentId\": null,\r\n \"title\": null,\r\n \"relationName\": null,\r\n \"severity\": null\r\n }\r\n }\r\n}",
+ "StatusCode": 200
+ },
+ {
+ "RequestUri": "/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/bookmarks/e1606ca5-cd05-42ba-ac77-cdf0da4b719f?api-version=2020-01-01",
+ "EncodedRequestUri": "L3N1YnNjcmlwdGlvbnMvMWM2MWNjYmYtNzBiMy00NWEzLWExZmItODQ4Y2U0NmQ3MGE2L3Jlc291cmNlR3JvdXBzL25kaWNvbGEtYXpzcG9zaC9wcm92aWRlcnMvTWljcm9zb2Z0Lk9wZXJhdGlvbmFsSW5zaWdodHMvd29ya3NwYWNlcy9henNwb3NoL3Byb3ZpZGVycy9NaWNyb3NvZnQuU2VjdXJpdHlJbnNpZ2h0cy9ib29rbWFya3MvZTE2MDZjYTUtY2QwNS00MmJhLWFjNzctY2RmMGRhNGI3MTlmP2FwaS12ZXJzaW9uPTIwMjAtMDEtMDE=",
+ "RequestMethod": "PUT",
+ "RequestBody": "{\r\n \"properties\": {\r\n \"displayName\": \"PoshModuleTest\",\r\n \"labels\": [],\r\n \"notes\": \"PoshModuleTest\",\r\n \"query\": \"SecurityAlert | take 1\"\r\n },\r\n \"etag\": \"\\\"2400eaec-0000-0100-0000-5fd295770000\\\"\"\r\n}",
+ "RequestHeaders": {
+ "x-ms-client-request-id": [
+ "94a33125-6f46-488d-8f42-f30ad17435d1"
+ ],
+ "Accept-Language": [
+ "en-US"
+ ],
+ "User-Agent": [
+ "FxVersion/4.6.29321.03",
+ "OSName/Windows",
+ "OSVersion/Microsoft.Windows.10.0.19042.",
+ "Microsoft.Azure.Management.SecurityInsights.SecurityInsightsClient/1.0.0.0"
+ ],
+ "Content-Type": [
+ "application/json; charset=utf-8"
+ ],
+ "Content-Length": [
+ "211"
+ ]
+ },
+ "ResponseHeaders": {
+ "Cache-Control": [
+ "no-cache"
+ ],
+ "Pragma": [
+ "no-cache"
+ ],
+ "x-ms-ratelimit-remaining-subscription-writes": [
+ "1197"
+ ],
+ "api-supported-versions": [
+ "2019-01-01"
+ ],
+ "Server": [
+ "Kestrel"
+ ],
+ "x-ms-request-id": [
+ "42b26e96-f302-428a-a03a-d60bf7f290a8"
+ ],
+ "x-ms-correlation-request-id": [
+ "42b26e96-f302-428a-a03a-d60bf7f290a8"
+ ],
+ "x-ms-routing-request-id": [
+ "WESTUS2:20201210T213905Z:42b26e96-f302-428a-a03a-d60bf7f290a8"
+ ],
+ "Strict-Transport-Security": [
+ "max-age=31536000; includeSubDomains"
+ ],
+ "X-Content-Type-Options": [
+ "nosniff"
+ ],
+ "Date": [
+ "Thu, 10 Dec 2020 21:39:05 GMT"
+ ],
+ "Content-Length": [
+ "960"
+ ],
+ "Content-Type": [
+ "application/json; charset=utf-8"
+ ],
+ "Expires": [
+ "-1"
+ ]
+ },
+ "ResponseBody": "{\r\n \"id\": \"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/Bookmarks/e1606ca5-cd05-42ba-ac77-cdf0da4b719f\",\r\n \"name\": \"e1606ca5-cd05-42ba-ac77-cdf0da4b719f\",\r\n \"etag\": \"\\\"2400ecec-0000-0100-0000-5fd295780000\\\"\",\r\n \"type\": \"Microsoft.SecurityInsights/Bookmarks\",\r\n \"properties\": {\r\n \"displayName\": \"PoshModuleTest\",\r\n \"created\": \"2020-12-10T21:39:03.3622705+00:00\",\r\n \"updated\": \"2020-12-10T21:39:04+00:00\",\r\n \"createdBy\": {\r\n \"objectId\": \"14c93cf3-e5e3-45cf-8b4e-1a6f62bdf202\",\r\n \"name\": \"Bookmark created from external application - azsposh\"\r\n },\r\n \"updatedBy\": {\r\n \"objectId\": \"14c93cf3-e5e3-45cf-8b4e-1a6f62bdf202\",\r\n \"name\": \"Bookmark created from external application - azsposh\"\r\n },\r\n \"eventTime\": \"2020-12-10T21:39:04.9605018+00:00\",\r\n \"notes\": \"PoshModuleTest\",\r\n \"labels\": [],\r\n \"query\": \"SecurityAlert | take 1\",\r\n \"incidentInfo\": {\r\n \"incidentId\": null,\r\n \"title\": null,\r\n \"relationName\": null,\r\n \"severity\": null\r\n }\r\n }\r\n}",
+ "StatusCode": 200
+ },
+ {
+ "RequestUri": "/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/bookmarks/e1606ca5-cd05-42ba-ac77-cdf0da4b719f?api-version=2020-01-01",
+ "EncodedRequestUri": "L3N1YnNjcmlwdGlvbnMvMWM2MWNjYmYtNzBiMy00NWEzLWExZmItODQ4Y2U0NmQ3MGE2L3Jlc291cmNlR3JvdXBzL25kaWNvbGEtYXpzcG9zaC9wcm92aWRlcnMvTWljcm9zb2Z0Lk9wZXJhdGlvbmFsSW5zaWdodHMvd29ya3NwYWNlcy9henNwb3NoL3Byb3ZpZGVycy9NaWNyb3NvZnQuU2VjdXJpdHlJbnNpZ2h0cy9ib29rbWFya3MvZTE2MDZjYTUtY2QwNS00MmJhLWFjNzctY2RmMGRhNGI3MTlmP2FwaS12ZXJzaW9uPTIwMjAtMDEtMDE=",
+ "RequestMethod": "GET",
+ "RequestBody": "",
+ "RequestHeaders": {
+ "x-ms-client-request-id": [
+ "f45c5f50-8f7d-4edd-acbc-074568e1c229"
+ ],
+ "Accept-Language": [
+ "en-US"
+ ],
+ "User-Agent": [
+ "FxVersion/4.6.29321.03",
+ "OSName/Windows",
+ "OSVersion/Microsoft.Windows.10.0.19042.",
+ "Microsoft.Azure.Management.SecurityInsights.SecurityInsightsClient/1.0.0.0"
+ ]
+ },
+ "ResponseHeaders": {
+ "Cache-Control": [
+ "no-cache"
+ ],
+ "Pragma": [
+ "no-cache"
+ ],
+ "x-ms-ratelimit-remaining-subscription-reads": [
+ "11999"
+ ],
+ "api-supported-versions": [
+ "2019-01-01"
+ ],
+ "Server": [
+ "Kestrel"
+ ],
+ "x-ms-request-id": [
+ "7830789d-46b1-4080-b381-39e0d2fa1994"
+ ],
+ "x-ms-correlation-request-id": [
+ "7830789d-46b1-4080-b381-39e0d2fa1994"
+ ],
+ "x-ms-routing-request-id": [
+ "WESTUS2:20201210T213904Z:7830789d-46b1-4080-b381-39e0d2fa1994"
+ ],
+ "Strict-Transport-Security": [
+ "max-age=31536000; includeSubDomains"
+ ],
+ "X-Content-Type-Options": [
+ "nosniff"
+ ],
+ "Date": [
+ "Thu, 10 Dec 2020 21:39:03 GMT"
+ ],
+ "Content-Length": [
+ "943"
+ ],
+ "Content-Type": [
+ "application/json; charset=utf-8"
+ ],
+ "Expires": [
+ "-1"
+ ]
+ },
+ "ResponseBody": "{\r\n \"id\": \"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/Bookmarks/e1606ca5-cd05-42ba-ac77-cdf0da4b719f\",\r\n \"name\": \"e1606ca5-cd05-42ba-ac77-cdf0da4b719f\",\r\n \"etag\": \"\\\"2400eaec-0000-0100-0000-5fd295770000\\\"\",\r\n \"type\": \"Microsoft.SecurityInsights/Bookmarks\",\r\n \"properties\": {\r\n \"displayName\": \"PoshModuleTest\",\r\n \"created\": \"2020-12-10T21:39:03.3622705+00:00\",\r\n \"updated\": \"2020-12-10T21:39:03.3622705+00:00\",\r\n \"createdBy\": {\r\n \"objectId\": \"14c93cf3-e5e3-45cf-8b4e-1a6f62bdf202\",\r\n \"name\": \"Bookmark created from external application - azsposh\"\r\n },\r\n \"updatedBy\": {\r\n \"objectId\": \"14c93cf3-e5e3-45cf-8b4e-1a6f62bdf202\",\r\n \"name\": \"Bookmark created from external application - azsposh\"\r\n },\r\n \"eventTime\": \"2020-12-10T21:39:03.3622705+00:00\",\r\n \"labels\": [],\r\n \"query\": \"SecurityAlert | take 1\",\r\n \"incidentInfo\": {\r\n \"incidentId\": null,\r\n \"title\": null,\r\n \"relationName\": null,\r\n \"severity\": null\r\n }\r\n }\r\n}",
+ "StatusCode": 200
+ },
+ {
+ "RequestUri": "/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/bookmarks/e1606ca5-cd05-42ba-ac77-cdf0da4b719f?api-version=2020-01-01",
+ "EncodedRequestUri": "L3N1YnNjcmlwdGlvbnMvMWM2MWNjYmYtNzBiMy00NWEzLWExZmItODQ4Y2U0NmQ3MGE2L3Jlc291cmNlR3JvdXBzL25kaWNvbGEtYXpzcG9zaC9wcm92aWRlcnMvTWljcm9zb2Z0Lk9wZXJhdGlvbmFsSW5zaWdodHMvd29ya3NwYWNlcy9henNwb3NoL3Byb3ZpZGVycy9NaWNyb3NvZnQuU2VjdXJpdHlJbnNpZ2h0cy9ib29rbWFya3MvZTE2MDZjYTUtY2QwNS00MmJhLWFjNzctY2RmMGRhNGI3MTlmP2FwaS12ZXJzaW9uPTIwMjAtMDEtMDE=",
+ "RequestMethod": "DELETE",
+ "RequestBody": "",
+ "RequestHeaders": {
+ "x-ms-client-request-id": [
+ "40dc0657-6f44-4eac-93be-01501a7174a7"
+ ],
+ "Accept-Language": [
+ "en-US"
+ ],
+ "User-Agent": [
+ "FxVersion/4.6.29321.03",
+ "OSName/Windows",
+ "OSVersion/Microsoft.Windows.10.0.19042.",
+ "Microsoft.Azure.Management.SecurityInsights.SecurityInsightsClient/1.0.0.0"
+ ]
+ },
+ "ResponseHeaders": {
+ "Cache-Control": [
+ "no-cache"
+ ],
+ "Pragma": [
+ "no-cache"
+ ],
+ "x-ms-ratelimit-remaining-subscription-deletes": [
+ "14999"
+ ],
+ "api-supported-versions": [
+ "2019-01-01"
+ ],
+ "Server": [
+ "Kestrel"
+ ],
+ "x-ms-request-id": [
+ "5f2f5b93-b644-4912-9665-6f5b89207fab"
+ ],
+ "x-ms-correlation-request-id": [
+ "5f2f5b93-b644-4912-9665-6f5b89207fab"
+ ],
+ "x-ms-routing-request-id": [
+ "WESTUS2:20201210T213906Z:5f2f5b93-b644-4912-9665-6f5b89207fab"
+ ],
+ "Strict-Transport-Security": [
+ "max-age=31536000; includeSubDomains"
+ ],
+ "X-Content-Type-Options": [
+ "nosniff"
+ ],
+ "Date": [
+ "Thu, 10 Dec 2020 21:39:06 GMT"
+ ],
+ "Content-Length": [
+ "2"
+ ],
+ "Content-Type": [
+ "application/json; charset=utf-8"
+ ],
+ "Expires": [
+ "-1"
+ ]
+ },
+ "ResponseBody": "{}",
+ "StatusCode": 200
+ }
+ ],
+ "Names": {},
+ "Variables": {
+ "SubscriptionId": "1c61ccbf-70b3-45a3-a1fb-848ce46d70a6"
+ }
+}
\ No newline at end of file
diff --git a/src/SecurityInsights/SecurityInsights.Test/SessionRecords/Microsoft.Azure.Commands.SecurityInsights.Test.ScenarioTests.DataConnectorsTests/Create.json b/src/SecurityInsights/SecurityInsights.Test/SessionRecords/Microsoft.Azure.Commands.SecurityInsights.Test.ScenarioTests.DataConnectorsTests/Create.json
new file mode 100644
index 000000000000..dd868b23243b
--- /dev/null
+++ b/src/SecurityInsights/SecurityInsights.Test/SessionRecords/Microsoft.Azure.Commands.SecurityInsights.Test.ScenarioTests.DataConnectorsTests/Create.json
@@ -0,0 +1,140 @@
+{
+ "Entries": [
+ {
+ "RequestUri": "/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/dataConnectors/cd2f31a6-98db-4834-8696-36a184436387?api-version=2020-01-01",
+ "EncodedRequestUri": "L3N1YnNjcmlwdGlvbnMvMWM2MWNjYmYtNzBiMy00NWEzLWExZmItODQ4Y2U0NmQ3MGE2L3Jlc291cmNlR3JvdXBzL25kaWNvbGEtYXpzcG9zaC9wcm92aWRlcnMvTWljcm9zb2Z0Lk9wZXJhdGlvbmFsSW5zaWdodHMvd29ya3NwYWNlcy9henNwb3NoL3Byb3ZpZGVycy9NaWNyb3NvZnQuU2VjdXJpdHlJbnNpZ2h0cy9kYXRhQ29ubmVjdG9ycy9jZDJmMzFhNi05OGRiLTQ4MzQtODY5Ni0zNmExODQ0MzYzODc/YXBpLXZlcnNpb249MjAyMC0wMS0wMQ==",
+ "RequestMethod": "PUT",
+ "RequestBody": "{\r\n \"kind\": \"AzureSecurityCenter\",\r\n \"properties\": {\r\n \"dataTypes\": {\r\n \"alerts\": {\r\n \"state\": \"enabled\"\r\n }\r\n },\r\n \"subscriptionId\": \"1c61ccbf-70b3-45a3-a1fb-848ce46d70a6\"\r\n }\r\n}",
+ "RequestHeaders": {
+ "x-ms-client-request-id": [
+ "b8bb998b-f78e-4898-b35e-6bcd8d15c2c4"
+ ],
+ "Accept-Language": [
+ "en-US"
+ ],
+ "User-Agent": [
+ "FxVersion/4.6.29321.03",
+ "OSName/Windows",
+ "OSVersion/Microsoft.Windows.10.0.19042.",
+ "Microsoft.Azure.Management.SecurityInsights.SecurityInsightsClient/1.0.0.0"
+ ],
+ "Content-Type": [
+ "application/json; charset=utf-8"
+ ],
+ "Content-Length": [
+ "208"
+ ]
+ },
+ "ResponseHeaders": {
+ "Cache-Control": [
+ "no-cache"
+ ],
+ "Pragma": [
+ "no-cache"
+ ],
+ "x-ms-ratelimit-remaining-subscription-writes": [
+ "1198"
+ ],
+ "Server": [
+ "Kestrel"
+ ],
+ "x-ms-request-id": [
+ "141bfb56-e19c-4709-9fbe-1d10e8cabdbd"
+ ],
+ "x-ms-correlation-request-id": [
+ "141bfb56-e19c-4709-9fbe-1d10e8cabdbd"
+ ],
+ "x-ms-routing-request-id": [
+ "WESTUS2:20201210T211242Z:141bfb56-e19c-4709-9fbe-1d10e8cabdbd"
+ ],
+ "Strict-Transport-Security": [
+ "max-age=31536000; includeSubDomains"
+ ],
+ "X-Content-Type-Options": [
+ "nosniff"
+ ],
+ "Date": [
+ "Thu, 10 Dec 2020 21:12:42 GMT"
+ ],
+ "Content-Length": [
+ "525"
+ ],
+ "Content-Type": [
+ "application/json; charset=utf-8"
+ ],
+ "Expires": [
+ "-1"
+ ]
+ },
+ "ResponseBody": "{\r\n \"id\": \"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/dataConnectors/cd2f31a6-98db-4834-8696-36a184436387\",\r\n \"name\": \"cd2f31a6-98db-4834-8696-36a184436387\",\r\n \"etag\": \"84bdd504-71fa-4a44-9934-bfb79210d0bb\",\r\n \"type\": \"Microsoft.SecurityInsights/dataConnectors\",\r\n \"kind\": \"AzureSecurityCenter\",\r\n \"properties\": {\r\n \"subscriptionId\": \"1c61ccbf-70b3-45a3-a1fb-848ce46d70a6\",\r\n \"dataTypes\": {\r\n \"alerts\": {\r\n \"state\": \"enabled\"\r\n }\r\n }\r\n }\r\n}",
+ "StatusCode": 200
+ },
+ {
+ "RequestUri": "/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/dataConnectors/cd2f31a6-98db-4834-8696-36a184436387?api-version=2020-01-01",
+ "EncodedRequestUri": "L3N1YnNjcmlwdGlvbnMvMWM2MWNjYmYtNzBiMy00NWEzLWExZmItODQ4Y2U0NmQ3MGE2L3Jlc291cmNlR3JvdXBzL25kaWNvbGEtYXpzcG9zaC9wcm92aWRlcnMvTWljcm9zb2Z0Lk9wZXJhdGlvbmFsSW5zaWdodHMvd29ya3NwYWNlcy9henNwb3NoL3Byb3ZpZGVycy9NaWNyb3NvZnQuU2VjdXJpdHlJbnNpZ2h0cy9kYXRhQ29ubmVjdG9ycy9jZDJmMzFhNi05OGRiLTQ4MzQtODY5Ni0zNmExODQ0MzYzODc/YXBpLXZlcnNpb249MjAyMC0wMS0wMQ==",
+ "RequestMethod": "DELETE",
+ "RequestBody": "",
+ "RequestHeaders": {
+ "x-ms-client-request-id": [
+ "f74210b6-2d5a-43a3-9115-faeb2c33c98b"
+ ],
+ "Accept-Language": [
+ "en-US"
+ ],
+ "User-Agent": [
+ "FxVersion/4.6.29321.03",
+ "OSName/Windows",
+ "OSVersion/Microsoft.Windows.10.0.19042.",
+ "Microsoft.Azure.Management.SecurityInsights.SecurityInsightsClient/1.0.0.0"
+ ]
+ },
+ "ResponseHeaders": {
+ "Cache-Control": [
+ "no-cache"
+ ],
+ "Pragma": [
+ "no-cache"
+ ],
+ "x-ms-ratelimit-remaining-subscription-deletes": [
+ "14999"
+ ],
+ "Server": [
+ "Kestrel"
+ ],
+ "x-ms-request-id": [
+ "9e7fd461-3ef6-4a43-9df4-82dfa6aaa246"
+ ],
+ "x-ms-correlation-request-id": [
+ "9e7fd461-3ef6-4a43-9df4-82dfa6aaa246"
+ ],
+ "x-ms-routing-request-id": [
+ "WESTUS2:20201210T211242Z:9e7fd461-3ef6-4a43-9df4-82dfa6aaa246"
+ ],
+ "Strict-Transport-Security": [
+ "max-age=31536000; includeSubDomains"
+ ],
+ "X-Content-Type-Options": [
+ "nosniff"
+ ],
+ "Date": [
+ "Thu, 10 Dec 2020 21:12:42 GMT"
+ ],
+ "Content-Length": [
+ "2"
+ ],
+ "Content-Type": [
+ "application/json; charset=utf-8"
+ ],
+ "Expires": [
+ "-1"
+ ]
+ },
+ "ResponseBody": "{}",
+ "StatusCode": 200
+ }
+ ],
+ "Names": {},
+ "Variables": {
+ "SubscriptionId": "1c61ccbf-70b3-45a3-a1fb-848ce46d70a6"
+ }
+}
\ No newline at end of file
diff --git a/src/SecurityInsights/SecurityInsights.Test/SessionRecords/Microsoft.Azure.Commands.SecurityInsights.Test.ScenarioTests.DataConnectorsTests/Delete.json b/src/SecurityInsights/SecurityInsights.Test/SessionRecords/Microsoft.Azure.Commands.SecurityInsights.Test.ScenarioTests.DataConnectorsTests/Delete.json
new file mode 100644
index 000000000000..51cabb712a3c
--- /dev/null
+++ b/src/SecurityInsights/SecurityInsights.Test/SessionRecords/Microsoft.Azure.Commands.SecurityInsights.Test.ScenarioTests.DataConnectorsTests/Delete.json
@@ -0,0 +1,140 @@
+{
+ "Entries": [
+ {
+ "RequestUri": "/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/dataConnectors/f2bc6c20-6785-4b98-8dd3-26767b7de5b4?api-version=2020-01-01",
+ "EncodedRequestUri": "L3N1YnNjcmlwdGlvbnMvMWM2MWNjYmYtNzBiMy00NWEzLWExZmItODQ4Y2U0NmQ3MGE2L3Jlc291cmNlR3JvdXBzL25kaWNvbGEtYXpzcG9zaC9wcm92aWRlcnMvTWljcm9zb2Z0Lk9wZXJhdGlvbmFsSW5zaWdodHMvd29ya3NwYWNlcy9henNwb3NoL3Byb3ZpZGVycy9NaWNyb3NvZnQuU2VjdXJpdHlJbnNpZ2h0cy9kYXRhQ29ubmVjdG9ycy9mMmJjNmMyMC02Nzg1LTRiOTgtOGRkMy0yNjc2N2I3ZGU1YjQ/YXBpLXZlcnNpb249MjAyMC0wMS0wMQ==",
+ "RequestMethod": "PUT",
+ "RequestBody": "{\r\n \"kind\": \"AzureSecurityCenter\",\r\n \"properties\": {\r\n \"dataTypes\": {\r\n \"alerts\": {\r\n \"state\": \"enabled\"\r\n }\r\n },\r\n \"subscriptionId\": \"1c61ccbf-70b3-45a3-a1fb-848ce46d70a6\"\r\n }\r\n}",
+ "RequestHeaders": {
+ "x-ms-client-request-id": [
+ "1ba4fa82-516d-4789-bcd3-3536cc5fbf08"
+ ],
+ "Accept-Language": [
+ "en-US"
+ ],
+ "User-Agent": [
+ "FxVersion/4.6.29321.03",
+ "OSName/Windows",
+ "OSVersion/Microsoft.Windows.10.0.19042.",
+ "Microsoft.Azure.Management.SecurityInsights.SecurityInsightsClient/1.0.0.0"
+ ],
+ "Content-Type": [
+ "application/json; charset=utf-8"
+ ],
+ "Content-Length": [
+ "208"
+ ]
+ },
+ "ResponseHeaders": {
+ "Cache-Control": [
+ "no-cache"
+ ],
+ "Pragma": [
+ "no-cache"
+ ],
+ "x-ms-ratelimit-remaining-subscription-writes": [
+ "1199"
+ ],
+ "Server": [
+ "Kestrel"
+ ],
+ "x-ms-request-id": [
+ "49d5244a-adeb-4197-9de8-845ca0c19fcc"
+ ],
+ "x-ms-correlation-request-id": [
+ "49d5244a-adeb-4197-9de8-845ca0c19fcc"
+ ],
+ "x-ms-routing-request-id": [
+ "WESTUS2:20201210T211302Z:49d5244a-adeb-4197-9de8-845ca0c19fcc"
+ ],
+ "Strict-Transport-Security": [
+ "max-age=31536000; includeSubDomains"
+ ],
+ "X-Content-Type-Options": [
+ "nosniff"
+ ],
+ "Date": [
+ "Thu, 10 Dec 2020 21:13:02 GMT"
+ ],
+ "Content-Length": [
+ "525"
+ ],
+ "Content-Type": [
+ "application/json; charset=utf-8"
+ ],
+ "Expires": [
+ "-1"
+ ]
+ },
+ "ResponseBody": "{\r\n \"id\": \"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/dataConnectors/f2bc6c20-6785-4b98-8dd3-26767b7de5b4\",\r\n \"name\": \"f2bc6c20-6785-4b98-8dd3-26767b7de5b4\",\r\n \"etag\": \"771bd1c0-1de6-40ee-bae4-f7674d78efa6\",\r\n \"type\": \"Microsoft.SecurityInsights/dataConnectors\",\r\n \"kind\": \"AzureSecurityCenter\",\r\n \"properties\": {\r\n \"subscriptionId\": \"1c61ccbf-70b3-45a3-a1fb-848ce46d70a6\",\r\n \"dataTypes\": {\r\n \"alerts\": {\r\n \"state\": \"enabled\"\r\n }\r\n }\r\n }\r\n}",
+ "StatusCode": 200
+ },
+ {
+ "RequestUri": "/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/dataConnectors/f2bc6c20-6785-4b98-8dd3-26767b7de5b4?api-version=2020-01-01",
+ "EncodedRequestUri": "L3N1YnNjcmlwdGlvbnMvMWM2MWNjYmYtNzBiMy00NWEzLWExZmItODQ4Y2U0NmQ3MGE2L3Jlc291cmNlR3JvdXBzL25kaWNvbGEtYXpzcG9zaC9wcm92aWRlcnMvTWljcm9zb2Z0Lk9wZXJhdGlvbmFsSW5zaWdodHMvd29ya3NwYWNlcy9henNwb3NoL3Byb3ZpZGVycy9NaWNyb3NvZnQuU2VjdXJpdHlJbnNpZ2h0cy9kYXRhQ29ubmVjdG9ycy9mMmJjNmMyMC02Nzg1LTRiOTgtOGRkMy0yNjc2N2I3ZGU1YjQ/YXBpLXZlcnNpb249MjAyMC0wMS0wMQ==",
+ "RequestMethod": "DELETE",
+ "RequestBody": "",
+ "RequestHeaders": {
+ "x-ms-client-request-id": [
+ "41bee657-3a07-441b-82eb-e5568cbd405f"
+ ],
+ "Accept-Language": [
+ "en-US"
+ ],
+ "User-Agent": [
+ "FxVersion/4.6.29321.03",
+ "OSName/Windows",
+ "OSVersion/Microsoft.Windows.10.0.19042.",
+ "Microsoft.Azure.Management.SecurityInsights.SecurityInsightsClient/1.0.0.0"
+ ]
+ },
+ "ResponseHeaders": {
+ "Cache-Control": [
+ "no-cache"
+ ],
+ "Pragma": [
+ "no-cache"
+ ],
+ "x-ms-ratelimit-remaining-subscription-deletes": [
+ "14999"
+ ],
+ "Server": [
+ "Kestrel"
+ ],
+ "x-ms-request-id": [
+ "1519748c-70c1-4ef0-b412-efc5ed6d502e"
+ ],
+ "x-ms-correlation-request-id": [
+ "1519748c-70c1-4ef0-b412-efc5ed6d502e"
+ ],
+ "x-ms-routing-request-id": [
+ "WESTUS2:20201210T211303Z:1519748c-70c1-4ef0-b412-efc5ed6d502e"
+ ],
+ "Strict-Transport-Security": [
+ "max-age=31536000; includeSubDomains"
+ ],
+ "X-Content-Type-Options": [
+ "nosniff"
+ ],
+ "Date": [
+ "Thu, 10 Dec 2020 21:13:02 GMT"
+ ],
+ "Content-Length": [
+ "2"
+ ],
+ "Content-Type": [
+ "application/json; charset=utf-8"
+ ],
+ "Expires": [
+ "-1"
+ ]
+ },
+ "ResponseBody": "{}",
+ "StatusCode": 200
+ }
+ ],
+ "Names": {},
+ "Variables": {
+ "SubscriptionId": "1c61ccbf-70b3-45a3-a1fb-848ce46d70a6"
+ }
+}
\ No newline at end of file
diff --git a/src/SecurityInsights/SecurityInsights.Test/SessionRecords/Microsoft.Azure.Commands.SecurityInsights.Test.ScenarioTests.DataConnectorsTests/Get.json b/src/SecurityInsights/SecurityInsights.Test/SessionRecords/Microsoft.Azure.Commands.SecurityInsights.Test.ScenarioTests.DataConnectorsTests/Get.json
new file mode 100644
index 000000000000..e2f6fe83aa85
--- /dev/null
+++ b/src/SecurityInsights/SecurityInsights.Test/SessionRecords/Microsoft.Azure.Commands.SecurityInsights.Test.ScenarioTests.DataConnectorsTests/Get.json
@@ -0,0 +1,203 @@
+{
+ "Entries": [
+ {
+ "RequestUri": "/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/dataConnectors/3da7055e-fcd4-4715-b2ab-72170ee57612?api-version=2020-01-01",
+ "EncodedRequestUri": "L3N1YnNjcmlwdGlvbnMvMWM2MWNjYmYtNzBiMy00NWEzLWExZmItODQ4Y2U0NmQ3MGE2L3Jlc291cmNlR3JvdXBzL25kaWNvbGEtYXpzcG9zaC9wcm92aWRlcnMvTWljcm9zb2Z0Lk9wZXJhdGlvbmFsSW5zaWdodHMvd29ya3NwYWNlcy9henNwb3NoL3Byb3ZpZGVycy9NaWNyb3NvZnQuU2VjdXJpdHlJbnNpZ2h0cy9kYXRhQ29ubmVjdG9ycy8zZGE3MDU1ZS1mY2Q0LTQ3MTUtYjJhYi03MjE3MGVlNTc2MTI/YXBpLXZlcnNpb249MjAyMC0wMS0wMQ==",
+ "RequestMethod": "PUT",
+ "RequestBody": "{\r\n \"kind\": \"AzureSecurityCenter\",\r\n \"properties\": {\r\n \"dataTypes\": {\r\n \"alerts\": {\r\n \"state\": \"enabled\"\r\n }\r\n },\r\n \"subscriptionId\": \"1c61ccbf-70b3-45a3-a1fb-848ce46d70a6\"\r\n }\r\n}",
+ "RequestHeaders": {
+ "x-ms-client-request-id": [
+ "6c8274a5-d08f-402c-aee8-589c464d2960"
+ ],
+ "Accept-Language": [
+ "en-US"
+ ],
+ "User-Agent": [
+ "FxVersion/4.6.29321.03",
+ "OSName/Windows",
+ "OSVersion/Microsoft.Windows.10.0.19042.",
+ "Microsoft.Azure.Management.SecurityInsights.SecurityInsightsClient/1.0.0.0"
+ ],
+ "Content-Type": [
+ "application/json; charset=utf-8"
+ ],
+ "Content-Length": [
+ "208"
+ ]
+ },
+ "ResponseHeaders": {
+ "Cache-Control": [
+ "no-cache"
+ ],
+ "Pragma": [
+ "no-cache"
+ ],
+ "x-ms-ratelimit-remaining-subscription-writes": [
+ "1199"
+ ],
+ "Server": [
+ "Kestrel"
+ ],
+ "x-ms-request-id": [
+ "833f3110-7ece-4311-ad45-01bb40b58567"
+ ],
+ "x-ms-correlation-request-id": [
+ "833f3110-7ece-4311-ad45-01bb40b58567"
+ ],
+ "x-ms-routing-request-id": [
+ "WESTUS2:20201210T211236Z:833f3110-7ece-4311-ad45-01bb40b58567"
+ ],
+ "Strict-Transport-Security": [
+ "max-age=31536000; includeSubDomains"
+ ],
+ "X-Content-Type-Options": [
+ "nosniff"
+ ],
+ "Date": [
+ "Thu, 10 Dec 2020 21:12:35 GMT"
+ ],
+ "Content-Length": [
+ "525"
+ ],
+ "Content-Type": [
+ "application/json; charset=utf-8"
+ ],
+ "Expires": [
+ "-1"
+ ]
+ },
+ "ResponseBody": "{\r\n \"id\": \"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/dataConnectors/3da7055e-fcd4-4715-b2ab-72170ee57612\",\r\n \"name\": \"3da7055e-fcd4-4715-b2ab-72170ee57612\",\r\n \"etag\": \"c34dd8f1-681e-45c7-93f6-45a268c84773\",\r\n \"type\": \"Microsoft.SecurityInsights/dataConnectors\",\r\n \"kind\": \"AzureSecurityCenter\",\r\n \"properties\": {\r\n \"subscriptionId\": \"1c61ccbf-70b3-45a3-a1fb-848ce46d70a6\",\r\n \"dataTypes\": {\r\n \"alerts\": {\r\n \"state\": \"enabled\"\r\n }\r\n }\r\n }\r\n}",
+ "StatusCode": 200
+ },
+ {
+ "RequestUri": "/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/dataConnectors/3da7055e-fcd4-4715-b2ab-72170ee57612?api-version=2020-01-01",
+ "EncodedRequestUri": "L3N1YnNjcmlwdGlvbnMvMWM2MWNjYmYtNzBiMy00NWEzLWExZmItODQ4Y2U0NmQ3MGE2L3Jlc291cmNlR3JvdXBzL25kaWNvbGEtYXpzcG9zaC9wcm92aWRlcnMvTWljcm9zb2Z0Lk9wZXJhdGlvbmFsSW5zaWdodHMvd29ya3NwYWNlcy9henNwb3NoL3Byb3ZpZGVycy9NaWNyb3NvZnQuU2VjdXJpdHlJbnNpZ2h0cy9kYXRhQ29ubmVjdG9ycy8zZGE3MDU1ZS1mY2Q0LTQ3MTUtYjJhYi03MjE3MGVlNTc2MTI/YXBpLXZlcnNpb249MjAyMC0wMS0wMQ==",
+ "RequestMethod": "GET",
+ "RequestBody": "",
+ "RequestHeaders": {
+ "x-ms-client-request-id": [
+ "1cef53ec-5203-41b3-8f33-0d480492d8e3"
+ ],
+ "Accept-Language": [
+ "en-US"
+ ],
+ "User-Agent": [
+ "FxVersion/4.6.29321.03",
+ "OSName/Windows",
+ "OSVersion/Microsoft.Windows.10.0.19042.",
+ "Microsoft.Azure.Management.SecurityInsights.SecurityInsightsClient/1.0.0.0"
+ ]
+ },
+ "ResponseHeaders": {
+ "Cache-Control": [
+ "no-cache"
+ ],
+ "Pragma": [
+ "no-cache"
+ ],
+ "x-ms-ratelimit-remaining-subscription-reads": [
+ "11999"
+ ],
+ "Server": [
+ "Kestrel"
+ ],
+ "x-ms-request-id": [
+ "547806d6-18a7-49a8-8a68-71c1fe49f591"
+ ],
+ "x-ms-correlation-request-id": [
+ "547806d6-18a7-49a8-8a68-71c1fe49f591"
+ ],
+ "x-ms-routing-request-id": [
+ "WESTUS2:20201210T211236Z:547806d6-18a7-49a8-8a68-71c1fe49f591"
+ ],
+ "Strict-Transport-Security": [
+ "max-age=31536000; includeSubDomains"
+ ],
+ "X-Content-Type-Options": [
+ "nosniff"
+ ],
+ "Date": [
+ "Thu, 10 Dec 2020 21:12:35 GMT"
+ ],
+ "Content-Length": [
+ "525"
+ ],
+ "Content-Type": [
+ "application/json; charset=utf-8"
+ ],
+ "Expires": [
+ "-1"
+ ]
+ },
+ "ResponseBody": "{\r\n \"id\": \"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/dataConnectors/3da7055e-fcd4-4715-b2ab-72170ee57612\",\r\n \"name\": \"3da7055e-fcd4-4715-b2ab-72170ee57612\",\r\n \"etag\": \"c34dd8f1-681e-45c7-93f6-45a268c84773\",\r\n \"type\": \"Microsoft.SecurityInsights/dataConnectors\",\r\n \"kind\": \"AzureSecurityCenter\",\r\n \"properties\": {\r\n \"subscriptionId\": \"1c61ccbf-70b3-45a3-a1fb-848ce46d70a6\",\r\n \"dataTypes\": {\r\n \"alerts\": {\r\n \"state\": \"enabled\"\r\n }\r\n }\r\n }\r\n}",
+ "StatusCode": 200
+ },
+ {
+ "RequestUri": "/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/dataConnectors/3da7055e-fcd4-4715-b2ab-72170ee57612?api-version=2020-01-01",
+ "EncodedRequestUri": "L3N1YnNjcmlwdGlvbnMvMWM2MWNjYmYtNzBiMy00NWEzLWExZmItODQ4Y2U0NmQ3MGE2L3Jlc291cmNlR3JvdXBzL25kaWNvbGEtYXpzcG9zaC9wcm92aWRlcnMvTWljcm9zb2Z0Lk9wZXJhdGlvbmFsSW5zaWdodHMvd29ya3NwYWNlcy9henNwb3NoL3Byb3ZpZGVycy9NaWNyb3NvZnQuU2VjdXJpdHlJbnNpZ2h0cy9kYXRhQ29ubmVjdG9ycy8zZGE3MDU1ZS1mY2Q0LTQ3MTUtYjJhYi03MjE3MGVlNTc2MTI/YXBpLXZlcnNpb249MjAyMC0wMS0wMQ==",
+ "RequestMethod": "DELETE",
+ "RequestBody": "",
+ "RequestHeaders": {
+ "x-ms-client-request-id": [
+ "5e4b0b7e-a988-4983-a324-70b232dbe888"
+ ],
+ "Accept-Language": [
+ "en-US"
+ ],
+ "User-Agent": [
+ "FxVersion/4.6.29321.03",
+ "OSName/Windows",
+ "OSVersion/Microsoft.Windows.10.0.19042.",
+ "Microsoft.Azure.Management.SecurityInsights.SecurityInsightsClient/1.0.0.0"
+ ]
+ },
+ "ResponseHeaders": {
+ "Cache-Control": [
+ "no-cache"
+ ],
+ "Pragma": [
+ "no-cache"
+ ],
+ "x-ms-ratelimit-remaining-subscription-deletes": [
+ "14999"
+ ],
+ "Server": [
+ "Kestrel"
+ ],
+ "x-ms-request-id": [
+ "60ea52d4-d73a-4b9c-abf2-845cfdabd69b"
+ ],
+ "x-ms-correlation-request-id": [
+ "60ea52d4-d73a-4b9c-abf2-845cfdabd69b"
+ ],
+ "x-ms-routing-request-id": [
+ "WESTUS2:20201210T211236Z:60ea52d4-d73a-4b9c-abf2-845cfdabd69b"
+ ],
+ "Strict-Transport-Security": [
+ "max-age=31536000; includeSubDomains"
+ ],
+ "X-Content-Type-Options": [
+ "nosniff"
+ ],
+ "Date": [
+ "Thu, 10 Dec 2020 21:12:35 GMT"
+ ],
+ "Content-Length": [
+ "2"
+ ],
+ "Content-Type": [
+ "application/json; charset=utf-8"
+ ],
+ "Expires": [
+ "-1"
+ ]
+ },
+ "ResponseBody": "{}",
+ "StatusCode": 200
+ }
+ ],
+ "Names": {},
+ "Variables": {
+ "SubscriptionId": "1c61ccbf-70b3-45a3-a1fb-848ce46d70a6"
+ }
+}
\ No newline at end of file
diff --git a/src/SecurityInsights/SecurityInsights.Test/SessionRecords/Microsoft.Azure.Commands.SecurityInsights.Test.ScenarioTests.DataConnectorsTests/InputObject.json b/src/SecurityInsights/SecurityInsights.Test/SessionRecords/Microsoft.Azure.Commands.SecurityInsights.Test.ScenarioTests.DataConnectorsTests/InputObject.json
new file mode 100644
index 000000000000..48ef1c0936e4
--- /dev/null
+++ b/src/SecurityInsights/SecurityInsights.Test/SessionRecords/Microsoft.Azure.Commands.SecurityInsights.Test.ScenarioTests.DataConnectorsTests/InputObject.json
@@ -0,0 +1,266 @@
+{
+ "Entries": [
+ {
+ "RequestUri": "/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/dataConnectors/44c3bfc6-5361-41af-a50d-65232c3f9b13?api-version=2020-01-01",
+ "EncodedRequestUri": "L3N1YnNjcmlwdGlvbnMvMWM2MWNjYmYtNzBiMy00NWEzLWExZmItODQ4Y2U0NmQ3MGE2L3Jlc291cmNlR3JvdXBzL25kaWNvbGEtYXpzcG9zaC9wcm92aWRlcnMvTWljcm9zb2Z0Lk9wZXJhdGlvbmFsSW5zaWdodHMvd29ya3NwYWNlcy9henNwb3NoL3Byb3ZpZGVycy9NaWNyb3NvZnQuU2VjdXJpdHlJbnNpZ2h0cy9kYXRhQ29ubmVjdG9ycy80NGMzYmZjNi01MzYxLTQxYWYtYTUwZC02NTIzMmMzZjliMTM/YXBpLXZlcnNpb249MjAyMC0wMS0wMQ==",
+ "RequestMethod": "PUT",
+ "RequestBody": "{\r\n \"kind\": \"AzureSecurityCenter\",\r\n \"properties\": {\r\n \"dataTypes\": {\r\n \"alerts\": {\r\n \"state\": \"enabled\"\r\n }\r\n },\r\n \"subscriptionId\": \"1c61ccbf-70b3-45a3-a1fb-848ce46d70a6\"\r\n }\r\n}",
+ "RequestHeaders": {
+ "x-ms-client-request-id": [
+ "6784fd32-d26d-47b2-adbd-094f684b9b68"
+ ],
+ "Accept-Language": [
+ "en-US"
+ ],
+ "User-Agent": [
+ "FxVersion/4.6.29321.03",
+ "OSName/Windows",
+ "OSVersion/Microsoft.Windows.10.0.19042.",
+ "Microsoft.Azure.Management.SecurityInsights.SecurityInsightsClient/1.0.0.0"
+ ],
+ "Content-Type": [
+ "application/json; charset=utf-8"
+ ],
+ "Content-Length": [
+ "208"
+ ]
+ },
+ "ResponseHeaders": {
+ "Cache-Control": [
+ "no-cache"
+ ],
+ "Pragma": [
+ "no-cache"
+ ],
+ "x-ms-ratelimit-remaining-subscription-writes": [
+ "1199"
+ ],
+ "Server": [
+ "Kestrel"
+ ],
+ "x-ms-request-id": [
+ "d20124f9-29a1-4899-b43c-a34dc6382c6a"
+ ],
+ "x-ms-correlation-request-id": [
+ "d20124f9-29a1-4899-b43c-a34dc6382c6a"
+ ],
+ "x-ms-routing-request-id": [
+ "WESTUS2:20201210T211305Z:d20124f9-29a1-4899-b43c-a34dc6382c6a"
+ ],
+ "Strict-Transport-Security": [
+ "max-age=31536000; includeSubDomains"
+ ],
+ "X-Content-Type-Options": [
+ "nosniff"
+ ],
+ "Date": [
+ "Thu, 10 Dec 2020 21:13:04 GMT"
+ ],
+ "Content-Length": [
+ "525"
+ ],
+ "Content-Type": [
+ "application/json; charset=utf-8"
+ ],
+ "Expires": [
+ "-1"
+ ]
+ },
+ "ResponseBody": "{\r\n \"id\": \"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/dataConnectors/44c3bfc6-5361-41af-a50d-65232c3f9b13\",\r\n \"name\": \"44c3bfc6-5361-41af-a50d-65232c3f9b13\",\r\n \"etag\": \"3233739a-d2d8-40fd-ab13-5ff6524ab613\",\r\n \"type\": \"Microsoft.SecurityInsights/dataConnectors\",\r\n \"kind\": \"AzureSecurityCenter\",\r\n \"properties\": {\r\n \"subscriptionId\": \"1c61ccbf-70b3-45a3-a1fb-848ce46d70a6\",\r\n \"dataTypes\": {\r\n \"alerts\": {\r\n \"state\": \"enabled\"\r\n }\r\n }\r\n }\r\n}",
+ "StatusCode": 200
+ },
+ {
+ "RequestUri": "/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/dataConnectors/44c3bfc6-5361-41af-a50d-65232c3f9b13?api-version=2020-01-01",
+ "EncodedRequestUri": "L3N1YnNjcmlwdGlvbnMvMWM2MWNjYmYtNzBiMy00NWEzLWExZmItODQ4Y2U0NmQ3MGE2L3Jlc291cmNlR3JvdXBzL25kaWNvbGEtYXpzcG9zaC9wcm92aWRlcnMvTWljcm9zb2Z0Lk9wZXJhdGlvbmFsSW5zaWdodHMvd29ya3NwYWNlcy9henNwb3NoL3Byb3ZpZGVycy9NaWNyb3NvZnQuU2VjdXJpdHlJbnNpZ2h0cy9kYXRhQ29ubmVjdG9ycy80NGMzYmZjNi01MzYxLTQxYWYtYTUwZC02NTIzMmMzZjliMTM/YXBpLXZlcnNpb249MjAyMC0wMS0wMQ==",
+ "RequestMethod": "PUT",
+ "RequestBody": "{\r\n \"kind\": \"AzureSecurityCenter\",\r\n \"properties\": {\r\n \"dataTypes\": {\r\n \"alerts\": {\r\n \"state\": \"Disabled\"\r\n }\r\n },\r\n \"subscriptionId\": \"1c61ccbf-70b3-45a3-a1fb-848ce46d70a6\"\r\n },\r\n \"etag\": \"3233739a-d2d8-40fd-ab13-5ff6524ab613\"\r\n}",
+ "RequestHeaders": {
+ "x-ms-client-request-id": [
+ "f6fa52d4-2eb7-473c-80c0-93abdc2585a8"
+ ],
+ "Accept-Language": [
+ "en-US"
+ ],
+ "User-Agent": [
+ "FxVersion/4.6.29321.03",
+ "OSName/Windows",
+ "OSVersion/Microsoft.Windows.10.0.19042.",
+ "Microsoft.Azure.Management.SecurityInsights.SecurityInsightsClient/1.0.0.0"
+ ],
+ "Content-Type": [
+ "application/json; charset=utf-8"
+ ],
+ "Content-Length": [
+ "260"
+ ]
+ },
+ "ResponseHeaders": {
+ "Cache-Control": [
+ "no-cache"
+ ],
+ "Pragma": [
+ "no-cache"
+ ],
+ "x-ms-ratelimit-remaining-subscription-writes": [
+ "1198"
+ ],
+ "Server": [
+ "Kestrel"
+ ],
+ "x-ms-request-id": [
+ "cd442551-71fe-42a1-9393-f507f1b82bc6"
+ ],
+ "x-ms-correlation-request-id": [
+ "cd442551-71fe-42a1-9393-f507f1b82bc6"
+ ],
+ "x-ms-routing-request-id": [
+ "WESTUS2:20201210T211306Z:cd442551-71fe-42a1-9393-f507f1b82bc6"
+ ],
+ "Strict-Transport-Security": [
+ "max-age=31536000; includeSubDomains"
+ ],
+ "X-Content-Type-Options": [
+ "nosniff"
+ ],
+ "Date": [
+ "Thu, 10 Dec 2020 21:13:05 GMT"
+ ],
+ "Content-Length": [
+ "492"
+ ],
+ "Content-Type": [
+ "application/json; charset=utf-8"
+ ],
+ "Expires": [
+ "-1"
+ ]
+ },
+ "ResponseBody": "{\r\n \"id\": \"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/dataConnectors/44c3bfc6-5361-41af-a50d-65232c3f9b13\",\r\n \"name\": \"44c3bfc6-5361-41af-a50d-65232c3f9b13\",\r\n \"etag\": \"3233739a-d2d8-40fd-ab13-5ff6524ab613\",\r\n \"type\": \"Microsoft.SecurityInsights/dataConnectors\",\r\n \"kind\": \"AzureSecurityCenter\",\r\n \"properties\": {\r\n \"subscriptionId\": null,\r\n \"dataTypes\": {\r\n \"alerts\": {\r\n \"state\": \"disabled\"\r\n }\r\n }\r\n }\r\n}",
+ "StatusCode": 200
+ },
+ {
+ "RequestUri": "/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/dataConnectors/44c3bfc6-5361-41af-a50d-65232c3f9b13?api-version=2020-01-01",
+ "EncodedRequestUri": "L3N1YnNjcmlwdGlvbnMvMWM2MWNjYmYtNzBiMy00NWEzLWExZmItODQ4Y2U0NmQ3MGE2L3Jlc291cmNlR3JvdXBzL25kaWNvbGEtYXpzcG9zaC9wcm92aWRlcnMvTWljcm9zb2Z0Lk9wZXJhdGlvbmFsSW5zaWdodHMvd29ya3NwYWNlcy9henNwb3NoL3Byb3ZpZGVycy9NaWNyb3NvZnQuU2VjdXJpdHlJbnNpZ2h0cy9kYXRhQ29ubmVjdG9ycy80NGMzYmZjNi01MzYxLTQxYWYtYTUwZC02NTIzMmMzZjliMTM/YXBpLXZlcnNpb249MjAyMC0wMS0wMQ==",
+ "RequestMethod": "GET",
+ "RequestBody": "",
+ "RequestHeaders": {
+ "x-ms-client-request-id": [
+ "9c7fc857-3e92-461c-b3e2-2b4949ca623a"
+ ],
+ "Accept-Language": [
+ "en-US"
+ ],
+ "User-Agent": [
+ "FxVersion/4.6.29321.03",
+ "OSName/Windows",
+ "OSVersion/Microsoft.Windows.10.0.19042.",
+ "Microsoft.Azure.Management.SecurityInsights.SecurityInsightsClient/1.0.0.0"
+ ]
+ },
+ "ResponseHeaders": {
+ "Cache-Control": [
+ "no-cache"
+ ],
+ "Pragma": [
+ "no-cache"
+ ],
+ "x-ms-ratelimit-remaining-subscription-reads": [
+ "11999"
+ ],
+ "Server": [
+ "Kestrel"
+ ],
+ "x-ms-request-id": [
+ "867aecbe-ba63-4200-823d-b431225ee6b8"
+ ],
+ "x-ms-correlation-request-id": [
+ "867aecbe-ba63-4200-823d-b431225ee6b8"
+ ],
+ "x-ms-routing-request-id": [
+ "WESTUS2:20201210T211305Z:867aecbe-ba63-4200-823d-b431225ee6b8"
+ ],
+ "Strict-Transport-Security": [
+ "max-age=31536000; includeSubDomains"
+ ],
+ "X-Content-Type-Options": [
+ "nosniff"
+ ],
+ "Date": [
+ "Thu, 10 Dec 2020 21:13:05 GMT"
+ ],
+ "Content-Length": [
+ "525"
+ ],
+ "Content-Type": [
+ "application/json; charset=utf-8"
+ ],
+ "Expires": [
+ "-1"
+ ]
+ },
+ "ResponseBody": "{\r\n \"id\": \"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/dataConnectors/44c3bfc6-5361-41af-a50d-65232c3f9b13\",\r\n \"name\": \"44c3bfc6-5361-41af-a50d-65232c3f9b13\",\r\n \"etag\": \"3233739a-d2d8-40fd-ab13-5ff6524ab613\",\r\n \"type\": \"Microsoft.SecurityInsights/dataConnectors\",\r\n \"kind\": \"AzureSecurityCenter\",\r\n \"properties\": {\r\n \"subscriptionId\": \"1c61ccbf-70b3-45a3-a1fb-848ce46d70a6\",\r\n \"dataTypes\": {\r\n \"alerts\": {\r\n \"state\": \"enabled\"\r\n }\r\n }\r\n }\r\n}",
+ "StatusCode": 200
+ },
+ {
+ "RequestUri": "/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/dataConnectors/44c3bfc6-5361-41af-a50d-65232c3f9b13?api-version=2020-01-01",
+ "EncodedRequestUri": "L3N1YnNjcmlwdGlvbnMvMWM2MWNjYmYtNzBiMy00NWEzLWExZmItODQ4Y2U0NmQ3MGE2L3Jlc291cmNlR3JvdXBzL25kaWNvbGEtYXpzcG9zaC9wcm92aWRlcnMvTWljcm9zb2Z0Lk9wZXJhdGlvbmFsSW5zaWdodHMvd29ya3NwYWNlcy9henNwb3NoL3Byb3ZpZGVycy9NaWNyb3NvZnQuU2VjdXJpdHlJbnNpZ2h0cy9kYXRhQ29ubmVjdG9ycy80NGMzYmZjNi01MzYxLTQxYWYtYTUwZC02NTIzMmMzZjliMTM/YXBpLXZlcnNpb249MjAyMC0wMS0wMQ==",
+ "RequestMethod": "DELETE",
+ "RequestBody": "",
+ "RequestHeaders": {
+ "x-ms-client-request-id": [
+ "1747149c-fb0a-4123-80bc-db2fc5003505"
+ ],
+ "Accept-Language": [
+ "en-US"
+ ],
+ "User-Agent": [
+ "FxVersion/4.6.29321.03",
+ "OSName/Windows",
+ "OSVersion/Microsoft.Windows.10.0.19042.",
+ "Microsoft.Azure.Management.SecurityInsights.SecurityInsightsClient/1.0.0.0"
+ ]
+ },
+ "ResponseHeaders": {
+ "Cache-Control": [
+ "no-cache"
+ ],
+ "Pragma": [
+ "no-cache"
+ ],
+ "Server": [
+ "Kestrel"
+ ],
+ "x-ms-ratelimit-remaining-subscription-deletes": [
+ "14999"
+ ],
+ "x-ms-request-id": [
+ "346548b0-ec05-43f9-af14-10117de94f8c"
+ ],
+ "x-ms-correlation-request-id": [
+ "346548b0-ec05-43f9-af14-10117de94f8c"
+ ],
+ "x-ms-routing-request-id": [
+ "WESTUS2:20201210T211306Z:346548b0-ec05-43f9-af14-10117de94f8c"
+ ],
+ "Strict-Transport-Security": [
+ "max-age=31536000; includeSubDomains"
+ ],
+ "X-Content-Type-Options": [
+ "nosniff"
+ ],
+ "Date": [
+ "Thu, 10 Dec 2020 21:13:05 GMT"
+ ],
+ "Expires": [
+ "-1"
+ ]
+ },
+ "ResponseBody": "",
+ "StatusCode": 204
+ }
+ ],
+ "Names": {},
+ "Variables": {
+ "SubscriptionId": "1c61ccbf-70b3-45a3-a1fb-848ce46d70a6"
+ }
+}
\ No newline at end of file
diff --git a/src/SecurityInsights/SecurityInsights.Test/SessionRecords/Microsoft.Azure.Commands.SecurityInsights.Test.ScenarioTests.DataConnectorsTests/List.json b/src/SecurityInsights/SecurityInsights.Test/SessionRecords/Microsoft.Azure.Commands.SecurityInsights.Test.ScenarioTests.DataConnectorsTests/List.json
new file mode 100644
index 000000000000..f4742ec44886
--- /dev/null
+++ b/src/SecurityInsights/SecurityInsights.Test/SessionRecords/Microsoft.Azure.Commands.SecurityInsights.Test.ScenarioTests.DataConnectorsTests/List.json
@@ -0,0 +1,203 @@
+{
+ "Entries": [
+ {
+ "RequestUri": "/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/dataConnectors/934ce201-63c5-4911-9e04-50b348020378?api-version=2020-01-01",
+ "EncodedRequestUri": "L3N1YnNjcmlwdGlvbnMvMWM2MWNjYmYtNzBiMy00NWEzLWExZmItODQ4Y2U0NmQ3MGE2L3Jlc291cmNlR3JvdXBzL25kaWNvbGEtYXpzcG9zaC9wcm92aWRlcnMvTWljcm9zb2Z0Lk9wZXJhdGlvbmFsSW5zaWdodHMvd29ya3NwYWNlcy9henNwb3NoL3Byb3ZpZGVycy9NaWNyb3NvZnQuU2VjdXJpdHlJbnNpZ2h0cy9kYXRhQ29ubmVjdG9ycy85MzRjZTIwMS02M2M1LTQ5MTEtOWUwNC01MGIzNDgwMjAzNzg/YXBpLXZlcnNpb249MjAyMC0wMS0wMQ==",
+ "RequestMethod": "PUT",
+ "RequestBody": "{\r\n \"kind\": \"AzureSecurityCenter\",\r\n \"properties\": {\r\n \"dataTypes\": {\r\n \"alerts\": {\r\n \"state\": \"enabled\"\r\n }\r\n },\r\n \"subscriptionId\": \"1c61ccbf-70b3-45a3-a1fb-848ce46d70a6\"\r\n }\r\n}",
+ "RequestHeaders": {
+ "x-ms-client-request-id": [
+ "5f0b3c13-7ec7-4576-9fc9-9a259d2d4fae"
+ ],
+ "Accept-Language": [
+ "en-US"
+ ],
+ "User-Agent": [
+ "FxVersion/4.6.29321.03",
+ "OSName/Windows",
+ "OSVersion/Microsoft.Windows.10.0.19042.",
+ "Microsoft.Azure.Management.SecurityInsights.SecurityInsightsClient/1.0.0.0"
+ ],
+ "Content-Type": [
+ "application/json; charset=utf-8"
+ ],
+ "Content-Length": [
+ "208"
+ ]
+ },
+ "ResponseHeaders": {
+ "Cache-Control": [
+ "no-cache"
+ ],
+ "Pragma": [
+ "no-cache"
+ ],
+ "x-ms-ratelimit-remaining-subscription-writes": [
+ "1199"
+ ],
+ "Server": [
+ "Kestrel"
+ ],
+ "x-ms-request-id": [
+ "3549617d-7d32-4179-a2db-18b4281f79d7"
+ ],
+ "x-ms-correlation-request-id": [
+ "3549617d-7d32-4179-a2db-18b4281f79d7"
+ ],
+ "x-ms-routing-request-id": [
+ "WESTUS2:20201210T211245Z:3549617d-7d32-4179-a2db-18b4281f79d7"
+ ],
+ "Strict-Transport-Security": [
+ "max-age=31536000; includeSubDomains"
+ ],
+ "X-Content-Type-Options": [
+ "nosniff"
+ ],
+ "Date": [
+ "Thu, 10 Dec 2020 21:12:45 GMT"
+ ],
+ "Content-Length": [
+ "525"
+ ],
+ "Content-Type": [
+ "application/json; charset=utf-8"
+ ],
+ "Expires": [
+ "-1"
+ ]
+ },
+ "ResponseBody": "{\r\n \"id\": \"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/dataConnectors/934ce201-63c5-4911-9e04-50b348020378\",\r\n \"name\": \"934ce201-63c5-4911-9e04-50b348020378\",\r\n \"etag\": \"fbe67e88-04f6-4d77-8db7-d24774c0b7d2\",\r\n \"type\": \"Microsoft.SecurityInsights/dataConnectors\",\r\n \"kind\": \"AzureSecurityCenter\",\r\n \"properties\": {\r\n \"subscriptionId\": \"1c61ccbf-70b3-45a3-a1fb-848ce46d70a6\",\r\n \"dataTypes\": {\r\n \"alerts\": {\r\n \"state\": \"enabled\"\r\n }\r\n }\r\n }\r\n}",
+ "StatusCode": 200
+ },
+ {
+ "RequestUri": "/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/dataConnectors?api-version=2020-01-01",
+ "EncodedRequestUri": "L3N1YnNjcmlwdGlvbnMvMWM2MWNjYmYtNzBiMy00NWEzLWExZmItODQ4Y2U0NmQ3MGE2L3Jlc291cmNlR3JvdXBzL25kaWNvbGEtYXpzcG9zaC9wcm92aWRlcnMvTWljcm9zb2Z0Lk9wZXJhdGlvbmFsSW5zaWdodHMvd29ya3NwYWNlcy9henNwb3NoL3Byb3ZpZGVycy9NaWNyb3NvZnQuU2VjdXJpdHlJbnNpZ2h0cy9kYXRhQ29ubmVjdG9ycz9hcGktdmVyc2lvbj0yMDIwLTAxLTAx",
+ "RequestMethod": "GET",
+ "RequestBody": "",
+ "RequestHeaders": {
+ "x-ms-client-request-id": [
+ "dca94e59-2c94-4bdd-a9a3-4db00e2ebb27"
+ ],
+ "Accept-Language": [
+ "en-US"
+ ],
+ "User-Agent": [
+ "FxVersion/4.6.29321.03",
+ "OSName/Windows",
+ "OSVersion/Microsoft.Windows.10.0.19042.",
+ "Microsoft.Azure.Management.SecurityInsights.SecurityInsightsClient/1.0.0.0"
+ ]
+ },
+ "ResponseHeaders": {
+ "Cache-Control": [
+ "no-cache"
+ ],
+ "Pragma": [
+ "no-cache"
+ ],
+ "x-ms-ratelimit-remaining-subscription-reads": [
+ "11999"
+ ],
+ "Server": [
+ "Kestrel"
+ ],
+ "x-ms-request-id": [
+ "5e4dd3c6-a460-4eea-9c8f-08186409b515"
+ ],
+ "x-ms-correlation-request-id": [
+ "5e4dd3c6-a460-4eea-9c8f-08186409b515"
+ ],
+ "x-ms-routing-request-id": [
+ "WESTUS2:20201210T211245Z:5e4dd3c6-a460-4eea-9c8f-08186409b515"
+ ],
+ "Strict-Transport-Security": [
+ "max-age=31536000; includeSubDomains"
+ ],
+ "X-Content-Type-Options": [
+ "nosniff"
+ ],
+ "Date": [
+ "Thu, 10 Dec 2020 21:12:45 GMT"
+ ],
+ "Content-Length": [
+ "1600"
+ ],
+ "Content-Type": [
+ "application/json; charset=utf-8"
+ ],
+ "Expires": [
+ "-1"
+ ]
+ },
+ "ResponseBody": "{\r\n \"value\": [\r\n {\r\n \"id\": \"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/dataConnectors/52f62672-8098-46d4-bb56-534bc4b931ad\",\r\n \"name\": \"52f62672-8098-46d4-bb56-534bc4b931ad\",\r\n \"etag\": \"70ee4475-c32a-45c6-a940-afebd2d10be4\",\r\n \"type\": \"Microsoft.SecurityInsights/dataConnectors\",\r\n \"kind\": \"AzureActiveDirectory\",\r\n \"properties\": {\r\n \"tenantId\": \"5f1060f2-d9a4-4f59-bf9c-1dd8f3604a4b\",\r\n \"dataTypes\": {\r\n \"alerts\": {\r\n \"state\": \"enabled\"\r\n }\r\n }\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/dataConnectors/74df4924-4c7b-465d-af37-017c72c08681\",\r\n \"name\": \"74df4924-4c7b-465d-af37-017c72c08681\",\r\n \"etag\": \"c50e1390-f6a2-4f68-842a-e8fd9fde0f07\",\r\n \"type\": \"Microsoft.SecurityInsights/dataConnectors\",\r\n \"kind\": \"MicrosoftDefenderAdvancedThreatProtection\",\r\n \"properties\": {\r\n \"tenantId\": \"5f1060f2-d9a4-4f59-bf9c-1dd8f3604a4b\",\r\n \"dataTypes\": {\r\n \"alerts\": {\r\n \"state\": \"enabled\"\r\n }\r\n }\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/dataConnectors/934ce201-63c5-4911-9e04-50b348020378\",\r\n \"name\": \"934ce201-63c5-4911-9e04-50b348020378\",\r\n \"etag\": \"fbe67e88-04f6-4d77-8db7-d24774c0b7d2\",\r\n \"type\": \"Microsoft.SecurityInsights/dataConnectors\",\r\n \"kind\": \"AzureSecurityCenter\",\r\n \"properties\": {\r\n \"subscriptionId\": \"1c61ccbf-70b3-45a3-a1fb-848ce46d70a6\",\r\n \"dataTypes\": {\r\n \"alerts\": {\r\n \"state\": \"enabled\"\r\n }\r\n }\r\n }\r\n }\r\n ]\r\n}",
+ "StatusCode": 200
+ },
+ {
+ "RequestUri": "/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/dataConnectors/934ce201-63c5-4911-9e04-50b348020378?api-version=2020-01-01",
+ "EncodedRequestUri": "L3N1YnNjcmlwdGlvbnMvMWM2MWNjYmYtNzBiMy00NWEzLWExZmItODQ4Y2U0NmQ3MGE2L3Jlc291cmNlR3JvdXBzL25kaWNvbGEtYXpzcG9zaC9wcm92aWRlcnMvTWljcm9zb2Z0Lk9wZXJhdGlvbmFsSW5zaWdodHMvd29ya3NwYWNlcy9henNwb3NoL3Byb3ZpZGVycy9NaWNyb3NvZnQuU2VjdXJpdHlJbnNpZ2h0cy9kYXRhQ29ubmVjdG9ycy85MzRjZTIwMS02M2M1LTQ5MTEtOWUwNC01MGIzNDgwMjAzNzg/YXBpLXZlcnNpb249MjAyMC0wMS0wMQ==",
+ "RequestMethod": "DELETE",
+ "RequestBody": "",
+ "RequestHeaders": {
+ "x-ms-client-request-id": [
+ "02e04982-f259-4ec5-84ab-66af7453ffe2"
+ ],
+ "Accept-Language": [
+ "en-US"
+ ],
+ "User-Agent": [
+ "FxVersion/4.6.29321.03",
+ "OSName/Windows",
+ "OSVersion/Microsoft.Windows.10.0.19042.",
+ "Microsoft.Azure.Management.SecurityInsights.SecurityInsightsClient/1.0.0.0"
+ ]
+ },
+ "ResponseHeaders": {
+ "Cache-Control": [
+ "no-cache"
+ ],
+ "Pragma": [
+ "no-cache"
+ ],
+ "x-ms-ratelimit-remaining-subscription-deletes": [
+ "14999"
+ ],
+ "Server": [
+ "Kestrel"
+ ],
+ "x-ms-request-id": [
+ "764edf99-a36e-45b1-9ecd-330ba8e784ab"
+ ],
+ "x-ms-correlation-request-id": [
+ "764edf99-a36e-45b1-9ecd-330ba8e784ab"
+ ],
+ "x-ms-routing-request-id": [
+ "WESTUS2:20201210T211300Z:764edf99-a36e-45b1-9ecd-330ba8e784ab"
+ ],
+ "Strict-Transport-Security": [
+ "max-age=31536000; includeSubDomains"
+ ],
+ "X-Content-Type-Options": [
+ "nosniff"
+ ],
+ "Date": [
+ "Thu, 10 Dec 2020 21:13:00 GMT"
+ ],
+ "Content-Length": [
+ "2"
+ ],
+ "Content-Type": [
+ "application/json; charset=utf-8"
+ ],
+ "Expires": [
+ "-1"
+ ]
+ },
+ "ResponseBody": "{}",
+ "StatusCode": 200
+ }
+ ],
+ "Names": {},
+ "Variables": {
+ "SubscriptionId": "1c61ccbf-70b3-45a3-a1fb-848ce46d70a6"
+ }
+}
\ No newline at end of file
diff --git a/src/SecurityInsights/SecurityInsights.Test/SessionRecords/Microsoft.Azure.Commands.SecurityInsights.Test.ScenarioTests.DataConnectorsTests/Update.json b/src/SecurityInsights/SecurityInsights.Test/SessionRecords/Microsoft.Azure.Commands.SecurityInsights.Test.ScenarioTests.DataConnectorsTests/Update.json
new file mode 100644
index 000000000000..0bb42a6e4828
--- /dev/null
+++ b/src/SecurityInsights/SecurityInsights.Test/SessionRecords/Microsoft.Azure.Commands.SecurityInsights.Test.ScenarioTests.DataConnectorsTests/Update.json
@@ -0,0 +1,266 @@
+{
+ "Entries": [
+ {
+ "RequestUri": "/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/dataConnectors/f3abb0bf-9f8b-4f03-8865-8e71e2889ba2?api-version=2020-01-01",
+ "EncodedRequestUri": "L3N1YnNjcmlwdGlvbnMvMWM2MWNjYmYtNzBiMy00NWEzLWExZmItODQ4Y2U0NmQ3MGE2L3Jlc291cmNlR3JvdXBzL25kaWNvbGEtYXpzcG9zaC9wcm92aWRlcnMvTWljcm9zb2Z0Lk9wZXJhdGlvbmFsSW5zaWdodHMvd29ya3NwYWNlcy9henNwb3NoL3Byb3ZpZGVycy9NaWNyb3NvZnQuU2VjdXJpdHlJbnNpZ2h0cy9kYXRhQ29ubmVjdG9ycy9mM2FiYjBiZi05ZjhiLTRmMDMtODg2NS04ZTcxZTI4ODliYTI/YXBpLXZlcnNpb249MjAyMC0wMS0wMQ==",
+ "RequestMethod": "PUT",
+ "RequestBody": "{\r\n \"kind\": \"AzureSecurityCenter\",\r\n \"properties\": {\r\n \"dataTypes\": {\r\n \"alerts\": {\r\n \"state\": \"enabled\"\r\n }\r\n },\r\n \"subscriptionId\": \"1c61ccbf-70b3-45a3-a1fb-848ce46d70a6\"\r\n }\r\n}",
+ "RequestHeaders": {
+ "x-ms-client-request-id": [
+ "c00e83cf-289d-41e4-9164-49373713fc99"
+ ],
+ "Accept-Language": [
+ "en-US"
+ ],
+ "User-Agent": [
+ "FxVersion/4.6.29321.03",
+ "OSName/Windows",
+ "OSVersion/Microsoft.Windows.10.0.19042.",
+ "Microsoft.Azure.Management.SecurityInsights.SecurityInsightsClient/1.0.0.0"
+ ],
+ "Content-Type": [
+ "application/json; charset=utf-8"
+ ],
+ "Content-Length": [
+ "208"
+ ]
+ },
+ "ResponseHeaders": {
+ "Cache-Control": [
+ "no-cache"
+ ],
+ "Pragma": [
+ "no-cache"
+ ],
+ "x-ms-ratelimit-remaining-subscription-writes": [
+ "1199"
+ ],
+ "Server": [
+ "Kestrel"
+ ],
+ "x-ms-request-id": [
+ "52aff9e4-76f2-4355-ab7b-ac002d298baa"
+ ],
+ "x-ms-correlation-request-id": [
+ "52aff9e4-76f2-4355-ab7b-ac002d298baa"
+ ],
+ "x-ms-routing-request-id": [
+ "WESTUS2:20201210T211238Z:52aff9e4-76f2-4355-ab7b-ac002d298baa"
+ ],
+ "Strict-Transport-Security": [
+ "max-age=31536000; includeSubDomains"
+ ],
+ "X-Content-Type-Options": [
+ "nosniff"
+ ],
+ "Date": [
+ "Thu, 10 Dec 2020 21:12:38 GMT"
+ ],
+ "Content-Length": [
+ "525"
+ ],
+ "Content-Type": [
+ "application/json; charset=utf-8"
+ ],
+ "Expires": [
+ "-1"
+ ]
+ },
+ "ResponseBody": "{\r\n \"id\": \"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/dataConnectors/f3abb0bf-9f8b-4f03-8865-8e71e2889ba2\",\r\n \"name\": \"f3abb0bf-9f8b-4f03-8865-8e71e2889ba2\",\r\n \"etag\": \"049178d0-a381-4138-9560-58fc927435cc\",\r\n \"type\": \"Microsoft.SecurityInsights/dataConnectors\",\r\n \"kind\": \"AzureSecurityCenter\",\r\n \"properties\": {\r\n \"subscriptionId\": \"1c61ccbf-70b3-45a3-a1fb-848ce46d70a6\",\r\n \"dataTypes\": {\r\n \"alerts\": {\r\n \"state\": \"enabled\"\r\n }\r\n }\r\n }\r\n}",
+ "StatusCode": 200
+ },
+ {
+ "RequestUri": "/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/dataConnectors/f3abb0bf-9f8b-4f03-8865-8e71e2889ba2?api-version=2020-01-01",
+ "EncodedRequestUri": "L3N1YnNjcmlwdGlvbnMvMWM2MWNjYmYtNzBiMy00NWEzLWExZmItODQ4Y2U0NmQ3MGE2L3Jlc291cmNlR3JvdXBzL25kaWNvbGEtYXpzcG9zaC9wcm92aWRlcnMvTWljcm9zb2Z0Lk9wZXJhdGlvbmFsSW5zaWdodHMvd29ya3NwYWNlcy9henNwb3NoL3Byb3ZpZGVycy9NaWNyb3NvZnQuU2VjdXJpdHlJbnNpZ2h0cy9kYXRhQ29ubmVjdG9ycy9mM2FiYjBiZi05ZjhiLTRmMDMtODg2NS04ZTcxZTI4ODliYTI/YXBpLXZlcnNpb249MjAyMC0wMS0wMQ==",
+ "RequestMethod": "PUT",
+ "RequestBody": "{\r\n \"kind\": \"AzureSecurityCenter\",\r\n \"properties\": {\r\n \"dataTypes\": {\r\n \"alerts\": {\r\n \"state\": \"Disabled\"\r\n }\r\n },\r\n \"subscriptionId\": \"1c61ccbf-70b3-45a3-a1fb-848ce46d70a6\"\r\n },\r\n \"etag\": \"049178d0-a381-4138-9560-58fc927435cc\"\r\n}",
+ "RequestHeaders": {
+ "x-ms-client-request-id": [
+ "55879b55-6c2c-4007-8bf4-cf16358d9f14"
+ ],
+ "Accept-Language": [
+ "en-US"
+ ],
+ "User-Agent": [
+ "FxVersion/4.6.29321.03",
+ "OSName/Windows",
+ "OSVersion/Microsoft.Windows.10.0.19042.",
+ "Microsoft.Azure.Management.SecurityInsights.SecurityInsightsClient/1.0.0.0"
+ ],
+ "Content-Type": [
+ "application/json; charset=utf-8"
+ ],
+ "Content-Length": [
+ "260"
+ ]
+ },
+ "ResponseHeaders": {
+ "Cache-Control": [
+ "no-cache"
+ ],
+ "Pragma": [
+ "no-cache"
+ ],
+ "x-ms-ratelimit-remaining-subscription-writes": [
+ "1198"
+ ],
+ "Server": [
+ "Kestrel"
+ ],
+ "x-ms-request-id": [
+ "73109ed3-dcc8-4ef4-bf10-947b8ad1ccdf"
+ ],
+ "x-ms-correlation-request-id": [
+ "73109ed3-dcc8-4ef4-bf10-947b8ad1ccdf"
+ ],
+ "x-ms-routing-request-id": [
+ "WESTUS2:20201210T211239Z:73109ed3-dcc8-4ef4-bf10-947b8ad1ccdf"
+ ],
+ "Strict-Transport-Security": [
+ "max-age=31536000; includeSubDomains"
+ ],
+ "X-Content-Type-Options": [
+ "nosniff"
+ ],
+ "Date": [
+ "Thu, 10 Dec 2020 21:12:39 GMT"
+ ],
+ "Content-Length": [
+ "492"
+ ],
+ "Content-Type": [
+ "application/json; charset=utf-8"
+ ],
+ "Expires": [
+ "-1"
+ ]
+ },
+ "ResponseBody": "{\r\n \"id\": \"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/dataConnectors/f3abb0bf-9f8b-4f03-8865-8e71e2889ba2\",\r\n \"name\": \"f3abb0bf-9f8b-4f03-8865-8e71e2889ba2\",\r\n \"etag\": \"049178d0-a381-4138-9560-58fc927435cc\",\r\n \"type\": \"Microsoft.SecurityInsights/dataConnectors\",\r\n \"kind\": \"AzureSecurityCenter\",\r\n \"properties\": {\r\n \"subscriptionId\": null,\r\n \"dataTypes\": {\r\n \"alerts\": {\r\n \"state\": \"disabled\"\r\n }\r\n }\r\n }\r\n}",
+ "StatusCode": 200
+ },
+ {
+ "RequestUri": "/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/dataConnectors/f3abb0bf-9f8b-4f03-8865-8e71e2889ba2?api-version=2020-01-01",
+ "EncodedRequestUri": "L3N1YnNjcmlwdGlvbnMvMWM2MWNjYmYtNzBiMy00NWEzLWExZmItODQ4Y2U0NmQ3MGE2L3Jlc291cmNlR3JvdXBzL25kaWNvbGEtYXpzcG9zaC9wcm92aWRlcnMvTWljcm9zb2Z0Lk9wZXJhdGlvbmFsSW5zaWdodHMvd29ya3NwYWNlcy9henNwb3NoL3Byb3ZpZGVycy9NaWNyb3NvZnQuU2VjdXJpdHlJbnNpZ2h0cy9kYXRhQ29ubmVjdG9ycy9mM2FiYjBiZi05ZjhiLTRmMDMtODg2NS04ZTcxZTI4ODliYTI/YXBpLXZlcnNpb249MjAyMC0wMS0wMQ==",
+ "RequestMethod": "GET",
+ "RequestBody": "",
+ "RequestHeaders": {
+ "x-ms-client-request-id": [
+ "141c04b0-e63a-4fc3-9387-cf9ff0751c62"
+ ],
+ "Accept-Language": [
+ "en-US"
+ ],
+ "User-Agent": [
+ "FxVersion/4.6.29321.03",
+ "OSName/Windows",
+ "OSVersion/Microsoft.Windows.10.0.19042.",
+ "Microsoft.Azure.Management.SecurityInsights.SecurityInsightsClient/1.0.0.0"
+ ]
+ },
+ "ResponseHeaders": {
+ "Cache-Control": [
+ "no-cache"
+ ],
+ "Pragma": [
+ "no-cache"
+ ],
+ "x-ms-ratelimit-remaining-subscription-reads": [
+ "11999"
+ ],
+ "Server": [
+ "Kestrel"
+ ],
+ "x-ms-request-id": [
+ "c236430a-06ff-47ef-94d6-a78ba2e4dcaf"
+ ],
+ "x-ms-correlation-request-id": [
+ "c236430a-06ff-47ef-94d6-a78ba2e4dcaf"
+ ],
+ "x-ms-routing-request-id": [
+ "WESTUS2:20201210T211239Z:c236430a-06ff-47ef-94d6-a78ba2e4dcaf"
+ ],
+ "Strict-Transport-Security": [
+ "max-age=31536000; includeSubDomains"
+ ],
+ "X-Content-Type-Options": [
+ "nosniff"
+ ],
+ "Date": [
+ "Thu, 10 Dec 2020 21:12:38 GMT"
+ ],
+ "Content-Length": [
+ "525"
+ ],
+ "Content-Type": [
+ "application/json; charset=utf-8"
+ ],
+ "Expires": [
+ "-1"
+ ]
+ },
+ "ResponseBody": "{\r\n \"id\": \"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/dataConnectors/f3abb0bf-9f8b-4f03-8865-8e71e2889ba2\",\r\n \"name\": \"f3abb0bf-9f8b-4f03-8865-8e71e2889ba2\",\r\n \"etag\": \"049178d0-a381-4138-9560-58fc927435cc\",\r\n \"type\": \"Microsoft.SecurityInsights/dataConnectors\",\r\n \"kind\": \"AzureSecurityCenter\",\r\n \"properties\": {\r\n \"subscriptionId\": \"1c61ccbf-70b3-45a3-a1fb-848ce46d70a6\",\r\n \"dataTypes\": {\r\n \"alerts\": {\r\n \"state\": \"enabled\"\r\n }\r\n }\r\n }\r\n}",
+ "StatusCode": 200
+ },
+ {
+ "RequestUri": "/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/dataConnectors/f3abb0bf-9f8b-4f03-8865-8e71e2889ba2?api-version=2020-01-01",
+ "EncodedRequestUri": "L3N1YnNjcmlwdGlvbnMvMWM2MWNjYmYtNzBiMy00NWEzLWExZmItODQ4Y2U0NmQ3MGE2L3Jlc291cmNlR3JvdXBzL25kaWNvbGEtYXpzcG9zaC9wcm92aWRlcnMvTWljcm9zb2Z0Lk9wZXJhdGlvbmFsSW5zaWdodHMvd29ya3NwYWNlcy9henNwb3NoL3Byb3ZpZGVycy9NaWNyb3NvZnQuU2VjdXJpdHlJbnNpZ2h0cy9kYXRhQ29ubmVjdG9ycy9mM2FiYjBiZi05ZjhiLTRmMDMtODg2NS04ZTcxZTI4ODliYTI/YXBpLXZlcnNpb249MjAyMC0wMS0wMQ==",
+ "RequestMethod": "DELETE",
+ "RequestBody": "",
+ "RequestHeaders": {
+ "x-ms-client-request-id": [
+ "f0f45f9a-15f3-493a-bc7c-ba50e2ae6f3b"
+ ],
+ "Accept-Language": [
+ "en-US"
+ ],
+ "User-Agent": [
+ "FxVersion/4.6.29321.03",
+ "OSName/Windows",
+ "OSVersion/Microsoft.Windows.10.0.19042.",
+ "Microsoft.Azure.Management.SecurityInsights.SecurityInsightsClient/1.0.0.0"
+ ]
+ },
+ "ResponseHeaders": {
+ "Cache-Control": [
+ "no-cache"
+ ],
+ "Pragma": [
+ "no-cache"
+ ],
+ "Server": [
+ "Kestrel"
+ ],
+ "x-ms-ratelimit-remaining-subscription-deletes": [
+ "14999"
+ ],
+ "x-ms-request-id": [
+ "b9f0bbb8-514d-423a-b486-19a3c1d10da2"
+ ],
+ "x-ms-correlation-request-id": [
+ "b9f0bbb8-514d-423a-b486-19a3c1d10da2"
+ ],
+ "x-ms-routing-request-id": [
+ "WESTUS2:20201210T211240Z:b9f0bbb8-514d-423a-b486-19a3c1d10da2"
+ ],
+ "Strict-Transport-Security": [
+ "max-age=31536000; includeSubDomains"
+ ],
+ "X-Content-Type-Options": [
+ "nosniff"
+ ],
+ "Date": [
+ "Thu, 10 Dec 2020 21:12:39 GMT"
+ ],
+ "Expires": [
+ "-1"
+ ]
+ },
+ "ResponseBody": "",
+ "StatusCode": 204
+ }
+ ],
+ "Names": {},
+ "Variables": {
+ "SubscriptionId": "1c61ccbf-70b3-45a3-a1fb-848ce46d70a6"
+ }
+}
\ No newline at end of file
diff --git a/src/SecurityInsights/SecurityInsights.Test/SessionRecords/Microsoft.Azure.Commands.SecurityInsights.Test.ScenarioTests.IncidentCommentsTests/Create.json b/src/SecurityInsights/SecurityInsights.Test/SessionRecords/Microsoft.Azure.Commands.SecurityInsights.Test.ScenarioTests.IncidentCommentsTests/Create.json
new file mode 100644
index 000000000000..da9294adf50f
--- /dev/null
+++ b/src/SecurityInsights/SecurityInsights.Test/SessionRecords/Microsoft.Azure.Commands.SecurityInsights.Test.ScenarioTests.IncidentCommentsTests/Create.json
@@ -0,0 +1,209 @@
+{
+ "Entries": [
+ {
+ "RequestUri": "/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/incidents/055ddb69-f086-4765-89f2-dafe0b9c8e74?api-version=2020-01-01",
+ "EncodedRequestUri": "L3N1YnNjcmlwdGlvbnMvMWM2MWNjYmYtNzBiMy00NWEzLWExZmItODQ4Y2U0NmQ3MGE2L3Jlc291cmNlR3JvdXBzL25kaWNvbGEtYXpzcG9zaC9wcm92aWRlcnMvTWljcm9zb2Z0Lk9wZXJhdGlvbmFsSW5zaWdodHMvd29ya3NwYWNlcy9henNwb3NoL3Byb3ZpZGVycy9NaWNyb3NvZnQuU2VjdXJpdHlJbnNpZ2h0cy9pbmNpZGVudHMvMDU1ZGRiNjktZjA4Ni00NzY1LTg5ZjItZGFmZTBiOWM4ZTc0P2FwaS12ZXJzaW9uPTIwMjAtMDEtMDE=",
+ "RequestMethod": "PUT",
+ "RequestBody": "{\r\n \"properties\": {\r\n \"severity\": \"Low\",\r\n \"status\": \"New\",\r\n \"title\": \"PoshModuleTest\"\r\n }\r\n}",
+ "RequestHeaders": {
+ "x-ms-client-request-id": [
+ "73890494-454b-452f-909d-e82d932ef527"
+ ],
+ "Accept-Language": [
+ "en-US"
+ ],
+ "User-Agent": [
+ "FxVersion/4.6.29321.03",
+ "OSName/Windows",
+ "OSVersion/Microsoft.Windows.10.0.19042.",
+ "Microsoft.Azure.Management.SecurityInsights.SecurityInsightsClient/1.0.0.0"
+ ],
+ "Content-Type": [
+ "application/json; charset=utf-8"
+ ],
+ "Content-Length": [
+ "105"
+ ]
+ },
+ "ResponseHeaders": {
+ "Cache-Control": [
+ "no-cache"
+ ],
+ "Pragma": [
+ "no-cache"
+ ],
+ "x-ms-ratelimit-remaining-subscription-writes": [
+ "1199"
+ ],
+ "Server": [
+ "Kestrel"
+ ],
+ "x-ms-request-id": [
+ "ce5bc405-ee05-4a86-bc81-ea808eb0abfa"
+ ],
+ "x-ms-correlation-request-id": [
+ "ce5bc405-ee05-4a86-bc81-ea808eb0abfa"
+ ],
+ "x-ms-routing-request-id": [
+ "WESTUS2:20201210T211207Z:ce5bc405-ee05-4a86-bc81-ea808eb0abfa"
+ ],
+ "Strict-Transport-Security": [
+ "max-age=31536000; includeSubDomains"
+ ],
+ "X-Content-Type-Options": [
+ "nosniff"
+ ],
+ "Date": [
+ "Thu, 10 Dec 2020 21:12:07 GMT"
+ ],
+ "Content-Length": [
+ "1115"
+ ],
+ "Content-Type": [
+ "application/json; charset=utf-8"
+ ],
+ "Expires": [
+ "-1"
+ ]
+ },
+ "ResponseBody": "{\r\n \"id\": \"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/Incidents/055ddb69-f086-4765-89f2-dafe0b9c8e74\",\r\n \"name\": \"055ddb69-f086-4765-89f2-dafe0b9c8e74\",\r\n \"etag\": \"\\\"bd008fa3-0000-0100-0000-5fd28f270000\\\"\",\r\n \"type\": \"Microsoft.SecurityInsights/Incidents\",\r\n \"properties\": {\r\n \"title\": \"PoshModuleTest\",\r\n \"severity\": \"Low\",\r\n \"status\": \"New\",\r\n \"owner\": {\r\n \"objectId\": null,\r\n \"email\": null,\r\n \"assignedTo\": null,\r\n \"userPrincipalName\": null\r\n },\r\n \"labels\": [],\r\n \"lastModifiedTimeUtc\": \"2020-12-10T21:12:07.8475167Z\",\r\n \"createdTimeUtc\": \"2020-12-10T21:12:07.8475167Z\",\r\n \"incidentNumber\": 96,\r\n \"additionalData\": {\r\n \"alertsCount\": 0,\r\n \"bookmarksCount\": 0,\r\n \"commentsCount\": 0,\r\n \"alertProductNames\": [],\r\n \"tactics\": []\r\n },\r\n \"relatedAnalyticRuleIds\": [],\r\n \"incidentUrl\": \"https://portal.azure.com/#asset/Microsoft_Azure_Security_Insights/Incident/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/Incidents/055ddb69-f086-4765-89f2-dafe0b9c8e74\"\r\n }\r\n}",
+ "StatusCode": 200
+ },
+ {
+ "RequestUri": "/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/incidents/055ddb69-f086-4765-89f2-dafe0b9c8e74/comments/3d67df3d-2b58-430b-9eb4-da652bf59c4a?api-version=2020-01-01",
+ "EncodedRequestUri": "L3N1YnNjcmlwdGlvbnMvMWM2MWNjYmYtNzBiMy00NWEzLWExZmItODQ4Y2U0NmQ3MGE2L3Jlc291cmNlR3JvdXBzL25kaWNvbGEtYXpzcG9zaC9wcm92aWRlcnMvTWljcm9zb2Z0Lk9wZXJhdGlvbmFsSW5zaWdodHMvd29ya3NwYWNlcy9henNwb3NoL3Byb3ZpZGVycy9NaWNyb3NvZnQuU2VjdXJpdHlJbnNpZ2h0cy9pbmNpZGVudHMvMDU1ZGRiNjktZjA4Ni00NzY1LTg5ZjItZGFmZTBiOWM4ZTc0L2NvbW1lbnRzLzNkNjdkZjNkLTJiNTgtNDMwYi05ZWI0LWRhNjUyYmY1OWM0YT9hcGktdmVyc2lvbj0yMDIwLTAxLTAx",
+ "RequestMethod": "PUT",
+ "RequestBody": "{\r\n \"properties\": {\r\n \"message\": \"PoshModuleTest\"\r\n }\r\n}",
+ "RequestHeaders": {
+ "x-ms-client-request-id": [
+ "5511c935-87f5-46b7-8c52-5cd628b08d42"
+ ],
+ "Accept-Language": [
+ "en-US"
+ ],
+ "User-Agent": [
+ "FxVersion/4.6.29321.03",
+ "OSName/Windows",
+ "OSVersion/Microsoft.Windows.10.0.19042.",
+ "Microsoft.Azure.Management.SecurityInsights.SecurityInsightsClient/1.0.0.0"
+ ],
+ "Content-Type": [
+ "application/json; charset=utf-8"
+ ],
+ "Content-Length": [
+ "61"
+ ]
+ },
+ "ResponseHeaders": {
+ "Cache-Control": [
+ "no-cache"
+ ],
+ "Pragma": [
+ "no-cache"
+ ],
+ "x-ms-ratelimit-remaining-subscription-writes": [
+ "1198"
+ ],
+ "Server": [
+ "Kestrel"
+ ],
+ "x-ms-request-id": [
+ "e4cf44e3-7504-41fe-9821-c0801fff108a"
+ ],
+ "x-ms-correlation-request-id": [
+ "e4cf44e3-7504-41fe-9821-c0801fff108a"
+ ],
+ "x-ms-routing-request-id": [
+ "WESTUS2:20201210T211208Z:e4cf44e3-7504-41fe-9821-c0801fff108a"
+ ],
+ "Strict-Transport-Security": [
+ "max-age=31536000; includeSubDomains"
+ ],
+ "X-Content-Type-Options": [
+ "nosniff"
+ ],
+ "Date": [
+ "Thu, 10 Dec 2020 21:12:07 GMT"
+ ],
+ "Content-Length": [
+ "734"
+ ],
+ "Content-Type": [
+ "application/json; charset=utf-8"
+ ],
+ "Expires": [
+ "-1"
+ ]
+ },
+ "ResponseBody": "{\r\n \"id\": \"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/Incidents/055ddb69-f086-4765-89f2-dafe0b9c8e74/Comments/3d67df3d-2b58-430b-9eb4-da652bf59c4a\",\r\n \"name\": \"3d67df3d-2b58-430b-9eb4-da652bf59c4a\",\r\n \"etag\": \"\\\"bd0093a3-0000-0100-0000-5fd28f280000\\\"\",\r\n \"type\": \"Microsoft.SecurityInsights/Incidents/Comments\",\r\n \"properties\": {\r\n \"message\": \"PoshModuleTest\",\r\n \"createdTimeUtc\": \"2020-12-10T21:12:08.3469792Z\",\r\n \"lastModifiedTimeUtc\": \"2020-12-10T21:12:08.3469792Z\",\r\n \"author\": {\r\n \"objectId\": \"14c93cf3-e5e3-45cf-8b4e-1a6f62bdf202\",\r\n \"email\": null,\r\n \"name\": \"Comment created from external application - azsposh\",\r\n \"userPrincipalName\": null\r\n }\r\n }\r\n}",
+ "StatusCode": 201
+ },
+ {
+ "RequestUri": "/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/incidents/055ddb69-f086-4765-89f2-dafe0b9c8e74?api-version=2020-01-01",
+ "EncodedRequestUri": "L3N1YnNjcmlwdGlvbnMvMWM2MWNjYmYtNzBiMy00NWEzLWExZmItODQ4Y2U0NmQ3MGE2L3Jlc291cmNlR3JvdXBzL25kaWNvbGEtYXpzcG9zaC9wcm92aWRlcnMvTWljcm9zb2Z0Lk9wZXJhdGlvbmFsSW5zaWdodHMvd29ya3NwYWNlcy9henNwb3NoL3Byb3ZpZGVycy9NaWNyb3NvZnQuU2VjdXJpdHlJbnNpZ2h0cy9pbmNpZGVudHMvMDU1ZGRiNjktZjA4Ni00NzY1LTg5ZjItZGFmZTBiOWM4ZTc0P2FwaS12ZXJzaW9uPTIwMjAtMDEtMDE=",
+ "RequestMethod": "DELETE",
+ "RequestBody": "",
+ "RequestHeaders": {
+ "x-ms-client-request-id": [
+ "2a8559f3-0325-4f3b-a3a6-5ded21682d9a"
+ ],
+ "Accept-Language": [
+ "en-US"
+ ],
+ "User-Agent": [
+ "FxVersion/4.6.29321.03",
+ "OSName/Windows",
+ "OSVersion/Microsoft.Windows.10.0.19042.",
+ "Microsoft.Azure.Management.SecurityInsights.SecurityInsightsClient/1.0.0.0"
+ ]
+ },
+ "ResponseHeaders": {
+ "Cache-Control": [
+ "no-cache"
+ ],
+ "Pragma": [
+ "no-cache"
+ ],
+ "x-ms-ratelimit-remaining-subscription-deletes": [
+ "14999"
+ ],
+ "Server": [
+ "Kestrel"
+ ],
+ "x-ms-request-id": [
+ "f5e7bece-aa42-49c0-9812-5d9eef84fe04"
+ ],
+ "x-ms-correlation-request-id": [
+ "f5e7bece-aa42-49c0-9812-5d9eef84fe04"
+ ],
+ "x-ms-routing-request-id": [
+ "WESTUS2:20201210T211208Z:f5e7bece-aa42-49c0-9812-5d9eef84fe04"
+ ],
+ "Strict-Transport-Security": [
+ "max-age=31536000; includeSubDomains"
+ ],
+ "X-Content-Type-Options": [
+ "nosniff"
+ ],
+ "Date": [
+ "Thu, 10 Dec 2020 21:12:07 GMT"
+ ],
+ "Content-Length": [
+ "2"
+ ],
+ "Content-Type": [
+ "application/json; charset=utf-8"
+ ],
+ "Expires": [
+ "-1"
+ ]
+ },
+ "ResponseBody": "{}",
+ "StatusCode": 200
+ }
+ ],
+ "Names": {},
+ "Variables": {
+ "SubscriptionId": "1c61ccbf-70b3-45a3-a1fb-848ce46d70a6"
+ }
+}
\ No newline at end of file
diff --git a/src/SecurityInsights/SecurityInsights.Test/SessionRecords/Microsoft.Azure.Commands.SecurityInsights.Test.ScenarioTests.IncidentCommentsTests/Get.json b/src/SecurityInsights/SecurityInsights.Test/SessionRecords/Microsoft.Azure.Commands.SecurityInsights.Test.ScenarioTests.IncidentCommentsTests/Get.json
new file mode 100644
index 000000000000..320048ac1553
--- /dev/null
+++ b/src/SecurityInsights/SecurityInsights.Test/SessionRecords/Microsoft.Azure.Commands.SecurityInsights.Test.ScenarioTests.IncidentCommentsTests/Get.json
@@ -0,0 +1,272 @@
+{
+ "Entries": [
+ {
+ "RequestUri": "/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/incidents/85f5ceeb-e5ae-47e5-991f-cbcbb080644c?api-version=2020-01-01",
+ "EncodedRequestUri": "L3N1YnNjcmlwdGlvbnMvMWM2MWNjYmYtNzBiMy00NWEzLWExZmItODQ4Y2U0NmQ3MGE2L3Jlc291cmNlR3JvdXBzL25kaWNvbGEtYXpzcG9zaC9wcm92aWRlcnMvTWljcm9zb2Z0Lk9wZXJhdGlvbmFsSW5zaWdodHMvd29ya3NwYWNlcy9henNwb3NoL3Byb3ZpZGVycy9NaWNyb3NvZnQuU2VjdXJpdHlJbnNpZ2h0cy9pbmNpZGVudHMvODVmNWNlZWItZTVhZS00N2U1LTk5MWYtY2JjYmIwODA2NDRjP2FwaS12ZXJzaW9uPTIwMjAtMDEtMDE=",
+ "RequestMethod": "PUT",
+ "RequestBody": "{\r\n \"properties\": {\r\n \"severity\": \"Low\",\r\n \"status\": \"New\",\r\n \"title\": \"PoshModuleTest\"\r\n }\r\n}",
+ "RequestHeaders": {
+ "x-ms-client-request-id": [
+ "66810179-3f93-47b9-bf77-eac26a8f90d1"
+ ],
+ "Accept-Language": [
+ "en-US"
+ ],
+ "User-Agent": [
+ "FxVersion/4.6.29321.03",
+ "OSName/Windows",
+ "OSVersion/Microsoft.Windows.10.0.19042.",
+ "Microsoft.Azure.Management.SecurityInsights.SecurityInsightsClient/1.0.0.0"
+ ],
+ "Content-Type": [
+ "application/json; charset=utf-8"
+ ],
+ "Content-Length": [
+ "105"
+ ]
+ },
+ "ResponseHeaders": {
+ "Cache-Control": [
+ "no-cache"
+ ],
+ "Pragma": [
+ "no-cache"
+ ],
+ "x-ms-ratelimit-remaining-subscription-writes": [
+ "1199"
+ ],
+ "Server": [
+ "Kestrel"
+ ],
+ "x-ms-request-id": [
+ "6b6480f1-7236-4092-9cb2-8191b3651fc2"
+ ],
+ "x-ms-correlation-request-id": [
+ "6b6480f1-7236-4092-9cb2-8191b3651fc2"
+ ],
+ "x-ms-routing-request-id": [
+ "WESTUS2:20201210T211210Z:6b6480f1-7236-4092-9cb2-8191b3651fc2"
+ ],
+ "Strict-Transport-Security": [
+ "max-age=31536000; includeSubDomains"
+ ],
+ "X-Content-Type-Options": [
+ "nosniff"
+ ],
+ "Date": [
+ "Thu, 10 Dec 2020 21:12:09 GMT"
+ ],
+ "Content-Length": [
+ "1113"
+ ],
+ "Content-Type": [
+ "application/json; charset=utf-8"
+ ],
+ "Expires": [
+ "-1"
+ ]
+ },
+ "ResponseBody": "{\r\n \"id\": \"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/Incidents/85f5ceeb-e5ae-47e5-991f-cbcbb080644c\",\r\n \"name\": \"85f5ceeb-e5ae-47e5-991f-cbcbb080644c\",\r\n \"etag\": \"\\\"bd009ca3-0000-0100-0000-5fd28f290000\\\"\",\r\n \"type\": \"Microsoft.SecurityInsights/Incidents\",\r\n \"properties\": {\r\n \"title\": \"PoshModuleTest\",\r\n \"severity\": \"Low\",\r\n \"status\": \"New\",\r\n \"owner\": {\r\n \"objectId\": null,\r\n \"email\": null,\r\n \"assignedTo\": null,\r\n \"userPrincipalName\": null\r\n },\r\n \"labels\": [],\r\n \"lastModifiedTimeUtc\": \"2020-12-10T21:12:09.884083Z\",\r\n \"createdTimeUtc\": \"2020-12-10T21:12:09.884083Z\",\r\n \"incidentNumber\": 97,\r\n \"additionalData\": {\r\n \"alertsCount\": 0,\r\n \"bookmarksCount\": 0,\r\n \"commentsCount\": 0,\r\n \"alertProductNames\": [],\r\n \"tactics\": []\r\n },\r\n \"relatedAnalyticRuleIds\": [],\r\n \"incidentUrl\": \"https://portal.azure.com/#asset/Microsoft_Azure_Security_Insights/Incident/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/Incidents/85f5ceeb-e5ae-47e5-991f-cbcbb080644c\"\r\n }\r\n}",
+ "StatusCode": 200
+ },
+ {
+ "RequestUri": "/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/incidents/85f5ceeb-e5ae-47e5-991f-cbcbb080644c/comments/5fb3ef3e-cdf9-4699-ae87-4da1af12a9a7?api-version=2020-01-01",
+ "EncodedRequestUri": "L3N1YnNjcmlwdGlvbnMvMWM2MWNjYmYtNzBiMy00NWEzLWExZmItODQ4Y2U0NmQ3MGE2L3Jlc291cmNlR3JvdXBzL25kaWNvbGEtYXpzcG9zaC9wcm92aWRlcnMvTWljcm9zb2Z0Lk9wZXJhdGlvbmFsSW5zaWdodHMvd29ya3NwYWNlcy9henNwb3NoL3Byb3ZpZGVycy9NaWNyb3NvZnQuU2VjdXJpdHlJbnNpZ2h0cy9pbmNpZGVudHMvODVmNWNlZWItZTVhZS00N2U1LTk5MWYtY2JjYmIwODA2NDRjL2NvbW1lbnRzLzVmYjNlZjNlLWNkZjktNDY5OS1hZTg3LTRkYTFhZjEyYTlhNz9hcGktdmVyc2lvbj0yMDIwLTAxLTAx",
+ "RequestMethod": "PUT",
+ "RequestBody": "{\r\n \"properties\": {\r\n \"message\": \"PoshModuleTest\"\r\n }\r\n}",
+ "RequestHeaders": {
+ "x-ms-client-request-id": [
+ "402fa58e-a7ec-4952-b1ad-d5d2d9da799d"
+ ],
+ "Accept-Language": [
+ "en-US"
+ ],
+ "User-Agent": [
+ "FxVersion/4.6.29321.03",
+ "OSName/Windows",
+ "OSVersion/Microsoft.Windows.10.0.19042.",
+ "Microsoft.Azure.Management.SecurityInsights.SecurityInsightsClient/1.0.0.0"
+ ],
+ "Content-Type": [
+ "application/json; charset=utf-8"
+ ],
+ "Content-Length": [
+ "61"
+ ]
+ },
+ "ResponseHeaders": {
+ "Cache-Control": [
+ "no-cache"
+ ],
+ "Pragma": [
+ "no-cache"
+ ],
+ "x-ms-ratelimit-remaining-subscription-writes": [
+ "1198"
+ ],
+ "Server": [
+ "Kestrel"
+ ],
+ "x-ms-request-id": [
+ "096f6781-77bf-4f85-baf0-7fdfbe610be9"
+ ],
+ "x-ms-correlation-request-id": [
+ "096f6781-77bf-4f85-baf0-7fdfbe610be9"
+ ],
+ "x-ms-routing-request-id": [
+ "WESTUS2:20201210T211210Z:096f6781-77bf-4f85-baf0-7fdfbe610be9"
+ ],
+ "Strict-Transport-Security": [
+ "max-age=31536000; includeSubDomains"
+ ],
+ "X-Content-Type-Options": [
+ "nosniff"
+ ],
+ "Date": [
+ "Thu, 10 Dec 2020 21:12:09 GMT"
+ ],
+ "Content-Length": [
+ "734"
+ ],
+ "Content-Type": [
+ "application/json; charset=utf-8"
+ ],
+ "Expires": [
+ "-1"
+ ]
+ },
+ "ResponseBody": "{\r\n \"id\": \"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/Incidents/85f5ceeb-e5ae-47e5-991f-cbcbb080644c/Comments/5fb3ef3e-cdf9-4699-ae87-4da1af12a9a7\",\r\n \"name\": \"5fb3ef3e-cdf9-4699-ae87-4da1af12a9a7\",\r\n \"etag\": \"\\\"bd009da3-0000-0100-0000-5fd28f2a0000\\\"\",\r\n \"type\": \"Microsoft.SecurityInsights/Incidents/Comments\",\r\n \"properties\": {\r\n \"message\": \"PoshModuleTest\",\r\n \"createdTimeUtc\": \"2020-12-10T21:12:10.1830084Z\",\r\n \"lastModifiedTimeUtc\": \"2020-12-10T21:12:10.1830084Z\",\r\n \"author\": {\r\n \"objectId\": \"14c93cf3-e5e3-45cf-8b4e-1a6f62bdf202\",\r\n \"email\": null,\r\n \"name\": \"Comment created from external application - azsposh\",\r\n \"userPrincipalName\": null\r\n }\r\n }\r\n}",
+ "StatusCode": 201
+ },
+ {
+ "RequestUri": "/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/incidents/85f5ceeb-e5ae-47e5-991f-cbcbb080644c/comments/5fb3ef3e-cdf9-4699-ae87-4da1af12a9a7?api-version=2020-01-01",
+ "EncodedRequestUri": "L3N1YnNjcmlwdGlvbnMvMWM2MWNjYmYtNzBiMy00NWEzLWExZmItODQ4Y2U0NmQ3MGE2L3Jlc291cmNlR3JvdXBzL25kaWNvbGEtYXpzcG9zaC9wcm92aWRlcnMvTWljcm9zb2Z0Lk9wZXJhdGlvbmFsSW5zaWdodHMvd29ya3NwYWNlcy9henNwb3NoL3Byb3ZpZGVycy9NaWNyb3NvZnQuU2VjdXJpdHlJbnNpZ2h0cy9pbmNpZGVudHMvODVmNWNlZWItZTVhZS00N2U1LTk5MWYtY2JjYmIwODA2NDRjL2NvbW1lbnRzLzVmYjNlZjNlLWNkZjktNDY5OS1hZTg3LTRkYTFhZjEyYTlhNz9hcGktdmVyc2lvbj0yMDIwLTAxLTAx",
+ "RequestMethod": "GET",
+ "RequestBody": "",
+ "RequestHeaders": {
+ "x-ms-client-request-id": [
+ "be917529-206a-4e20-be3e-b9db6efb3a63"
+ ],
+ "Accept-Language": [
+ "en-US"
+ ],
+ "User-Agent": [
+ "FxVersion/4.6.29321.03",
+ "OSName/Windows",
+ "OSVersion/Microsoft.Windows.10.0.19042.",
+ "Microsoft.Azure.Management.SecurityInsights.SecurityInsightsClient/1.0.0.0"
+ ]
+ },
+ "ResponseHeaders": {
+ "Cache-Control": [
+ "no-cache"
+ ],
+ "Pragma": [
+ "no-cache"
+ ],
+ "x-ms-ratelimit-remaining-subscription-reads": [
+ "11999"
+ ],
+ "Server": [
+ "Kestrel"
+ ],
+ "x-ms-request-id": [
+ "b5469503-61b2-45e8-a105-4be0336ab50e"
+ ],
+ "x-ms-correlation-request-id": [
+ "b5469503-61b2-45e8-a105-4be0336ab50e"
+ ],
+ "x-ms-routing-request-id": [
+ "WESTUS2:20201210T211210Z:b5469503-61b2-45e8-a105-4be0336ab50e"
+ ],
+ "Strict-Transport-Security": [
+ "max-age=31536000; includeSubDomains"
+ ],
+ "X-Content-Type-Options": [
+ "nosniff"
+ ],
+ "Date": [
+ "Thu, 10 Dec 2020 21:12:09 GMT"
+ ],
+ "Content-Length": [
+ "734"
+ ],
+ "Content-Type": [
+ "application/json; charset=utf-8"
+ ],
+ "Expires": [
+ "-1"
+ ]
+ },
+ "ResponseBody": "{\r\n \"id\": \"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/Incidents/85f5ceeb-e5ae-47e5-991f-cbcbb080644c/Comments/5fb3ef3e-cdf9-4699-ae87-4da1af12a9a7\",\r\n \"name\": \"5fb3ef3e-cdf9-4699-ae87-4da1af12a9a7\",\r\n \"etag\": \"\\\"bd009da3-0000-0100-0000-5fd28f2a0000\\\"\",\r\n \"type\": \"Microsoft.SecurityInsights/Incidents/Comments\",\r\n \"properties\": {\r\n \"message\": \"PoshModuleTest\",\r\n \"createdTimeUtc\": \"2020-12-10T21:12:10.1830084Z\",\r\n \"lastModifiedTimeUtc\": \"2020-12-10T21:12:10.1830084Z\",\r\n \"author\": {\r\n \"objectId\": \"14c93cf3-e5e3-45cf-8b4e-1a6f62bdf202\",\r\n \"email\": null,\r\n \"name\": \"Comment created from external application - azsposh\",\r\n \"userPrincipalName\": null\r\n }\r\n }\r\n}",
+ "StatusCode": 200
+ },
+ {
+ "RequestUri": "/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/incidents/85f5ceeb-e5ae-47e5-991f-cbcbb080644c?api-version=2020-01-01",
+ "EncodedRequestUri": "L3N1YnNjcmlwdGlvbnMvMWM2MWNjYmYtNzBiMy00NWEzLWExZmItODQ4Y2U0NmQ3MGE2L3Jlc291cmNlR3JvdXBzL25kaWNvbGEtYXpzcG9zaC9wcm92aWRlcnMvTWljcm9zb2Z0Lk9wZXJhdGlvbmFsSW5zaWdodHMvd29ya3NwYWNlcy9henNwb3NoL3Byb3ZpZGVycy9NaWNyb3NvZnQuU2VjdXJpdHlJbnNpZ2h0cy9pbmNpZGVudHMvODVmNWNlZWItZTVhZS00N2U1LTk5MWYtY2JjYmIwODA2NDRjP2FwaS12ZXJzaW9uPTIwMjAtMDEtMDE=",
+ "RequestMethod": "DELETE",
+ "RequestBody": "",
+ "RequestHeaders": {
+ "x-ms-client-request-id": [
+ "08f0babc-bd65-48cf-8bd0-10fb497471f0"
+ ],
+ "Accept-Language": [
+ "en-US"
+ ],
+ "User-Agent": [
+ "FxVersion/4.6.29321.03",
+ "OSName/Windows",
+ "OSVersion/Microsoft.Windows.10.0.19042.",
+ "Microsoft.Azure.Management.SecurityInsights.SecurityInsightsClient/1.0.0.0"
+ ]
+ },
+ "ResponseHeaders": {
+ "Cache-Control": [
+ "no-cache"
+ ],
+ "Pragma": [
+ "no-cache"
+ ],
+ "x-ms-ratelimit-remaining-subscription-deletes": [
+ "14999"
+ ],
+ "Server": [
+ "Kestrel"
+ ],
+ "x-ms-request-id": [
+ "d92e87cc-cfb6-4c90-bd36-d2b926f5fe02"
+ ],
+ "x-ms-correlation-request-id": [
+ "d92e87cc-cfb6-4c90-bd36-d2b926f5fe02"
+ ],
+ "x-ms-routing-request-id": [
+ "WESTUS2:20201210T211210Z:d92e87cc-cfb6-4c90-bd36-d2b926f5fe02"
+ ],
+ "Strict-Transport-Security": [
+ "max-age=31536000; includeSubDomains"
+ ],
+ "X-Content-Type-Options": [
+ "nosniff"
+ ],
+ "Date": [
+ "Thu, 10 Dec 2020 21:12:09 GMT"
+ ],
+ "Content-Length": [
+ "2"
+ ],
+ "Content-Type": [
+ "application/json; charset=utf-8"
+ ],
+ "Expires": [
+ "-1"
+ ]
+ },
+ "ResponseBody": "{}",
+ "StatusCode": 200
+ }
+ ],
+ "Names": {},
+ "Variables": {
+ "SubscriptionId": "1c61ccbf-70b3-45a3-a1fb-848ce46d70a6"
+ }
+}
\ No newline at end of file
diff --git a/src/SecurityInsights/SecurityInsights.Test/SessionRecords/Microsoft.Azure.Commands.SecurityInsights.Test.ScenarioTests.IncidentCommentsTests/List.json b/src/SecurityInsights/SecurityInsights.Test/SessionRecords/Microsoft.Azure.Commands.SecurityInsights.Test.ScenarioTests.IncidentCommentsTests/List.json
new file mode 100644
index 000000000000..7f4b90e8d9df
--- /dev/null
+++ b/src/SecurityInsights/SecurityInsights.Test/SessionRecords/Microsoft.Azure.Commands.SecurityInsights.Test.ScenarioTests.IncidentCommentsTests/List.json
@@ -0,0 +1,341 @@
+{
+ "Entries": [
+ {
+ "RequestUri": "/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/incidents/9d9782b4-8896-414b-b22a-68618548ba5b?api-version=2020-01-01",
+ "EncodedRequestUri": "L3N1YnNjcmlwdGlvbnMvMWM2MWNjYmYtNzBiMy00NWEzLWExZmItODQ4Y2U0NmQ3MGE2L3Jlc291cmNlR3JvdXBzL25kaWNvbGEtYXpzcG9zaC9wcm92aWRlcnMvTWljcm9zb2Z0Lk9wZXJhdGlvbmFsSW5zaWdodHMvd29ya3NwYWNlcy9henNwb3NoL3Byb3ZpZGVycy9NaWNyb3NvZnQuU2VjdXJpdHlJbnNpZ2h0cy9pbmNpZGVudHMvOWQ5NzgyYjQtODg5Ni00MTRiLWIyMmEtNjg2MTg1NDhiYTViP2FwaS12ZXJzaW9uPTIwMjAtMDEtMDE=",
+ "RequestMethod": "PUT",
+ "RequestBody": "{\r\n \"properties\": {\r\n \"severity\": \"Low\",\r\n \"status\": \"New\",\r\n \"title\": \"PoshModuleTest\"\r\n }\r\n}",
+ "RequestHeaders": {
+ "x-ms-client-request-id": [
+ "3f51c4b3-b62d-4131-b1e3-230c5f7b2a11"
+ ],
+ "Accept-Language": [
+ "en-US"
+ ],
+ "User-Agent": [
+ "FxVersion/4.6.29321.03",
+ "OSName/Windows",
+ "OSVersion/Microsoft.Windows.10.0.19042.",
+ "Microsoft.Azure.Management.SecurityInsights.SecurityInsightsClient/1.0.0.0"
+ ],
+ "Content-Type": [
+ "application/json; charset=utf-8"
+ ],
+ "Content-Length": [
+ "105"
+ ]
+ },
+ "ResponseHeaders": {
+ "Cache-Control": [
+ "no-cache"
+ ],
+ "Pragma": [
+ "no-cache"
+ ],
+ "x-ms-ratelimit-remaining-subscription-writes": [
+ "1199"
+ ],
+ "Server": [
+ "Kestrel"
+ ],
+ "x-ms-request-id": [
+ "7cc64fed-2afc-4879-9fed-4b7e76d3cd43"
+ ],
+ "x-ms-correlation-request-id": [
+ "7cc64fed-2afc-4879-9fed-4b7e76d3cd43"
+ ],
+ "x-ms-routing-request-id": [
+ "WESTUS2:20201210T211211Z:7cc64fed-2afc-4879-9fed-4b7e76d3cd43"
+ ],
+ "Strict-Transport-Security": [
+ "max-age=31536000; includeSubDomains"
+ ],
+ "X-Content-Type-Options": [
+ "nosniff"
+ ],
+ "Date": [
+ "Thu, 10 Dec 2020 21:12:10 GMT"
+ ],
+ "Content-Length": [
+ "1115"
+ ],
+ "Content-Type": [
+ "application/json; charset=utf-8"
+ ],
+ "Expires": [
+ "-1"
+ ]
+ },
+ "ResponseBody": "{\r\n \"id\": \"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/Incidents/9d9782b4-8896-414b-b22a-68618548ba5b\",\r\n \"name\": \"9d9782b4-8896-414b-b22a-68618548ba5b\",\r\n \"etag\": \"\\\"bd00a1a3-0000-0100-0000-5fd28f2b0000\\\"\",\r\n \"type\": \"Microsoft.SecurityInsights/Incidents\",\r\n \"properties\": {\r\n \"title\": \"PoshModuleTest\",\r\n \"severity\": \"Low\",\r\n \"status\": \"New\",\r\n \"owner\": {\r\n \"objectId\": null,\r\n \"email\": null,\r\n \"assignedTo\": null,\r\n \"userPrincipalName\": null\r\n },\r\n \"labels\": [],\r\n \"lastModifiedTimeUtc\": \"2020-12-10T21:12:11.5730203Z\",\r\n \"createdTimeUtc\": \"2020-12-10T21:12:11.5730203Z\",\r\n \"incidentNumber\": 98,\r\n \"additionalData\": {\r\n \"alertsCount\": 0,\r\n \"bookmarksCount\": 0,\r\n \"commentsCount\": 0,\r\n \"alertProductNames\": [],\r\n \"tactics\": []\r\n },\r\n \"relatedAnalyticRuleIds\": [],\r\n \"incidentUrl\": \"https://portal.azure.com/#asset/Microsoft_Azure_Security_Insights/Incident/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/Incidents/9d9782b4-8896-414b-b22a-68618548ba5b\"\r\n }\r\n}",
+ "StatusCode": 200
+ },
+ {
+ "RequestUri": "/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/incidents/9d9782b4-8896-414b-b22a-68618548ba5b/comments/9d639724-938d-4551-b7d6-ab89c9d8b7df?api-version=2020-01-01",
+ "EncodedRequestUri": "L3N1YnNjcmlwdGlvbnMvMWM2MWNjYmYtNzBiMy00NWEzLWExZmItODQ4Y2U0NmQ3MGE2L3Jlc291cmNlR3JvdXBzL25kaWNvbGEtYXpzcG9zaC9wcm92aWRlcnMvTWljcm9zb2Z0Lk9wZXJhdGlvbmFsSW5zaWdodHMvd29ya3NwYWNlcy9henNwb3NoL3Byb3ZpZGVycy9NaWNyb3NvZnQuU2VjdXJpdHlJbnNpZ2h0cy9pbmNpZGVudHMvOWQ5NzgyYjQtODg5Ni00MTRiLWIyMmEtNjg2MTg1NDhiYTViL2NvbW1lbnRzLzlkNjM5NzI0LTkzOGQtNDU1MS1iN2Q2LWFiODljOWQ4YjdkZj9hcGktdmVyc2lvbj0yMDIwLTAxLTAx",
+ "RequestMethod": "PUT",
+ "RequestBody": "{\r\n \"properties\": {\r\n \"message\": \"PoshModuleTest\"\r\n }\r\n}",
+ "RequestHeaders": {
+ "x-ms-client-request-id": [
+ "9e5d79bb-0227-4122-87e0-68ad2d9a44c4"
+ ],
+ "Accept-Language": [
+ "en-US"
+ ],
+ "User-Agent": [
+ "FxVersion/4.6.29321.03",
+ "OSName/Windows",
+ "OSVersion/Microsoft.Windows.10.0.19042.",
+ "Microsoft.Azure.Management.SecurityInsights.SecurityInsightsClient/1.0.0.0"
+ ],
+ "Content-Type": [
+ "application/json; charset=utf-8"
+ ],
+ "Content-Length": [
+ "61"
+ ]
+ },
+ "ResponseHeaders": {
+ "Cache-Control": [
+ "no-cache"
+ ],
+ "Pragma": [
+ "no-cache"
+ ],
+ "x-ms-ratelimit-remaining-subscription-writes": [
+ "1198"
+ ],
+ "Server": [
+ "Kestrel"
+ ],
+ "x-ms-request-id": [
+ "3f59d907-0f7e-40e3-9858-59de72244dae"
+ ],
+ "x-ms-correlation-request-id": [
+ "3f59d907-0f7e-40e3-9858-59de72244dae"
+ ],
+ "x-ms-routing-request-id": [
+ "WESTUS2:20201210T211211Z:3f59d907-0f7e-40e3-9858-59de72244dae"
+ ],
+ "Strict-Transport-Security": [
+ "max-age=31536000; includeSubDomains"
+ ],
+ "X-Content-Type-Options": [
+ "nosniff"
+ ],
+ "Date": [
+ "Thu, 10 Dec 2020 21:12:11 GMT"
+ ],
+ "Content-Length": [
+ "734"
+ ],
+ "Content-Type": [
+ "application/json; charset=utf-8"
+ ],
+ "Expires": [
+ "-1"
+ ]
+ },
+ "ResponseBody": "{\r\n \"id\": \"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/Incidents/9d9782b4-8896-414b-b22a-68618548ba5b/Comments/9d639724-938d-4551-b7d6-ab89c9d8b7df\",\r\n \"name\": \"9d639724-938d-4551-b7d6-ab89c9d8b7df\",\r\n \"etag\": \"\\\"bd00a2a3-0000-0100-0000-5fd28f2b0000\\\"\",\r\n \"type\": \"Microsoft.SecurityInsights/Incidents/Comments\",\r\n \"properties\": {\r\n \"message\": \"PoshModuleTest\",\r\n \"createdTimeUtc\": \"2020-12-10T21:12:11.8336762Z\",\r\n \"lastModifiedTimeUtc\": \"2020-12-10T21:12:11.8336762Z\",\r\n \"author\": {\r\n \"objectId\": \"14c93cf3-e5e3-45cf-8b4e-1a6f62bdf202\",\r\n \"email\": null,\r\n \"name\": \"Comment created from external application - azsposh\",\r\n \"userPrincipalName\": null\r\n }\r\n }\r\n}",
+ "StatusCode": 201
+ },
+ {
+ "RequestUri": "/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/incidents/9d9782b4-8896-414b-b22a-68618548ba5b/comments/1dc74bd0-7b2b-4ff6-b4b8-d809193c36c1?api-version=2020-01-01",
+ "EncodedRequestUri": "L3N1YnNjcmlwdGlvbnMvMWM2MWNjYmYtNzBiMy00NWEzLWExZmItODQ4Y2U0NmQ3MGE2L3Jlc291cmNlR3JvdXBzL25kaWNvbGEtYXpzcG9zaC9wcm92aWRlcnMvTWljcm9zb2Z0Lk9wZXJhdGlvbmFsSW5zaWdodHMvd29ya3NwYWNlcy9henNwb3NoL3Byb3ZpZGVycy9NaWNyb3NvZnQuU2VjdXJpdHlJbnNpZ2h0cy9pbmNpZGVudHMvOWQ5NzgyYjQtODg5Ni00MTRiLWIyMmEtNjg2MTg1NDhiYTViL2NvbW1lbnRzLzFkYzc0YmQwLTdiMmItNGZmNi1iNGI4LWQ4MDkxOTNjMzZjMT9hcGktdmVyc2lvbj0yMDIwLTAxLTAx",
+ "RequestMethod": "PUT",
+ "RequestBody": "{\r\n \"properties\": {\r\n \"message\": \"PoshModuleTest2\"\r\n }\r\n}",
+ "RequestHeaders": {
+ "x-ms-client-request-id": [
+ "1326e442-df23-4fa5-a6ca-1020a651b8be"
+ ],
+ "Accept-Language": [
+ "en-US"
+ ],
+ "User-Agent": [
+ "FxVersion/4.6.29321.03",
+ "OSName/Windows",
+ "OSVersion/Microsoft.Windows.10.0.19042.",
+ "Microsoft.Azure.Management.SecurityInsights.SecurityInsightsClient/1.0.0.0"
+ ],
+ "Content-Type": [
+ "application/json; charset=utf-8"
+ ],
+ "Content-Length": [
+ "62"
+ ]
+ },
+ "ResponseHeaders": {
+ "Cache-Control": [
+ "no-cache"
+ ],
+ "Pragma": [
+ "no-cache"
+ ],
+ "x-ms-ratelimit-remaining-subscription-writes": [
+ "1197"
+ ],
+ "Server": [
+ "Kestrel"
+ ],
+ "x-ms-request-id": [
+ "0232af53-5521-428c-acaf-3b9d20883fe8"
+ ],
+ "x-ms-correlation-request-id": [
+ "0232af53-5521-428c-acaf-3b9d20883fe8"
+ ],
+ "x-ms-routing-request-id": [
+ "WESTUS2:20201210T211212Z:0232af53-5521-428c-acaf-3b9d20883fe8"
+ ],
+ "Strict-Transport-Security": [
+ "max-age=31536000; includeSubDomains"
+ ],
+ "X-Content-Type-Options": [
+ "nosniff"
+ ],
+ "Date": [
+ "Thu, 10 Dec 2020 21:12:11 GMT"
+ ],
+ "Content-Length": [
+ "733"
+ ],
+ "Content-Type": [
+ "application/json; charset=utf-8"
+ ],
+ "Expires": [
+ "-1"
+ ]
+ },
+ "ResponseBody": "{\r\n \"id\": \"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/Incidents/9d9782b4-8896-414b-b22a-68618548ba5b/Comments/1dc74bd0-7b2b-4ff6-b4b8-d809193c36c1\",\r\n \"name\": \"1dc74bd0-7b2b-4ff6-b4b8-d809193c36c1\",\r\n \"etag\": \"\\\"bd00a6a3-0000-0100-0000-5fd28f2c0000\\\"\",\r\n \"type\": \"Microsoft.SecurityInsights/Incidents/Comments\",\r\n \"properties\": {\r\n \"message\": \"PoshModuleTest2\",\r\n \"createdTimeUtc\": \"2020-12-10T21:12:12.076223Z\",\r\n \"lastModifiedTimeUtc\": \"2020-12-10T21:12:12.076223Z\",\r\n \"author\": {\r\n \"objectId\": \"14c93cf3-e5e3-45cf-8b4e-1a6f62bdf202\",\r\n \"email\": null,\r\n \"name\": \"Comment created from external application - azsposh\",\r\n \"userPrincipalName\": null\r\n }\r\n }\r\n}",
+ "StatusCode": 201
+ },
+ {
+ "RequestUri": "/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/incidents/9d9782b4-8896-414b-b22a-68618548ba5b/comments?api-version=2020-01-01",
+ "EncodedRequestUri": "L3N1YnNjcmlwdGlvbnMvMWM2MWNjYmYtNzBiMy00NWEzLWExZmItODQ4Y2U0NmQ3MGE2L3Jlc291cmNlR3JvdXBzL25kaWNvbGEtYXpzcG9zaC9wcm92aWRlcnMvTWljcm9zb2Z0Lk9wZXJhdGlvbmFsSW5zaWdodHMvd29ya3NwYWNlcy9henNwb3NoL3Byb3ZpZGVycy9NaWNyb3NvZnQuU2VjdXJpdHlJbnNpZ2h0cy9pbmNpZGVudHMvOWQ5NzgyYjQtODg5Ni00MTRiLWIyMmEtNjg2MTg1NDhiYTViL2NvbW1lbnRzP2FwaS12ZXJzaW9uPTIwMjAtMDEtMDE=",
+ "RequestMethod": "GET",
+ "RequestBody": "",
+ "RequestHeaders": {
+ "x-ms-client-request-id": [
+ "87fe4d3f-0fbc-473a-a703-9e5d69d19fc1"
+ ],
+ "Accept-Language": [
+ "en-US"
+ ],
+ "User-Agent": [
+ "FxVersion/4.6.29321.03",
+ "OSName/Windows",
+ "OSVersion/Microsoft.Windows.10.0.19042.",
+ "Microsoft.Azure.Management.SecurityInsights.SecurityInsightsClient/1.0.0.0"
+ ]
+ },
+ "ResponseHeaders": {
+ "Cache-Control": [
+ "no-cache"
+ ],
+ "Pragma": [
+ "no-cache"
+ ],
+ "x-ms-ratelimit-remaining-subscription-reads": [
+ "11999"
+ ],
+ "Server": [
+ "Kestrel"
+ ],
+ "x-ms-request-id": [
+ "12785170-6321-4ced-bd59-015994f5dc07"
+ ],
+ "x-ms-correlation-request-id": [
+ "12785170-6321-4ced-bd59-015994f5dc07"
+ ],
+ "x-ms-routing-request-id": [
+ "WESTUS2:20201210T211212Z:12785170-6321-4ced-bd59-015994f5dc07"
+ ],
+ "Strict-Transport-Security": [
+ "max-age=31536000; includeSubDomains"
+ ],
+ "X-Content-Type-Options": [
+ "nosniff"
+ ],
+ "Date": [
+ "Thu, 10 Dec 2020 21:12:11 GMT"
+ ],
+ "Content-Length": [
+ "1480"
+ ],
+ "Content-Type": [
+ "application/json; charset=utf-8"
+ ],
+ "Expires": [
+ "-1"
+ ]
+ },
+ "ResponseBody": "{\r\n \"value\": [\r\n {\r\n \"id\": \"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/Incidents/9d9782b4-8896-414b-b22a-68618548ba5b/Comments/1dc74bd0-7b2b-4ff6-b4b8-d809193c36c1\",\r\n \"name\": \"1dc74bd0-7b2b-4ff6-b4b8-d809193c36c1\",\r\n \"etag\": \"\\\"bd00a6a3-0000-0100-0000-5fd28f2c0000\\\"\",\r\n \"type\": \"Microsoft.SecurityInsights/Incidents/Comments\",\r\n \"properties\": {\r\n \"message\": \"PoshModuleTest2\",\r\n \"createdTimeUtc\": \"2020-12-10T21:12:12.076223Z\",\r\n \"lastModifiedTimeUtc\": \"2020-12-10T21:12:12.076223Z\",\r\n \"author\": {\r\n \"objectId\": \"14c93cf3-e5e3-45cf-8b4e-1a6f62bdf202\",\r\n \"email\": null,\r\n \"name\": \"Comment created from external application - azsposh\",\r\n \"userPrincipalName\": null\r\n }\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/Incidents/9d9782b4-8896-414b-b22a-68618548ba5b/Comments/9d639724-938d-4551-b7d6-ab89c9d8b7df\",\r\n \"name\": \"9d639724-938d-4551-b7d6-ab89c9d8b7df\",\r\n \"etag\": \"\\\"bd00a2a3-0000-0100-0000-5fd28f2b0000\\\"\",\r\n \"type\": \"Microsoft.SecurityInsights/Incidents/Comments\",\r\n \"properties\": {\r\n \"message\": \"PoshModuleTest\",\r\n \"createdTimeUtc\": \"2020-12-10T21:12:11.8336762Z\",\r\n \"lastModifiedTimeUtc\": \"2020-12-10T21:12:11.8336762Z\",\r\n \"author\": {\r\n \"objectId\": \"14c93cf3-e5e3-45cf-8b4e-1a6f62bdf202\",\r\n \"email\": null,\r\n \"name\": \"Comment created from external application - azsposh\",\r\n \"userPrincipalName\": null\r\n }\r\n }\r\n }\r\n ]\r\n}",
+ "StatusCode": 200
+ },
+ {
+ "RequestUri": "/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/incidents/9d9782b4-8896-414b-b22a-68618548ba5b?api-version=2020-01-01",
+ "EncodedRequestUri": "L3N1YnNjcmlwdGlvbnMvMWM2MWNjYmYtNzBiMy00NWEzLWExZmItODQ4Y2U0NmQ3MGE2L3Jlc291cmNlR3JvdXBzL25kaWNvbGEtYXpzcG9zaC9wcm92aWRlcnMvTWljcm9zb2Z0Lk9wZXJhdGlvbmFsSW5zaWdodHMvd29ya3NwYWNlcy9henNwb3NoL3Byb3ZpZGVycy9NaWNyb3NvZnQuU2VjdXJpdHlJbnNpZ2h0cy9pbmNpZGVudHMvOWQ5NzgyYjQtODg5Ni00MTRiLWIyMmEtNjg2MTg1NDhiYTViP2FwaS12ZXJzaW9uPTIwMjAtMDEtMDE=",
+ "RequestMethod": "DELETE",
+ "RequestBody": "",
+ "RequestHeaders": {
+ "x-ms-client-request-id": [
+ "62eaf465-92ad-4b75-9df8-df3d62a4a945"
+ ],
+ "Accept-Language": [
+ "en-US"
+ ],
+ "User-Agent": [
+ "FxVersion/4.6.29321.03",
+ "OSName/Windows",
+ "OSVersion/Microsoft.Windows.10.0.19042.",
+ "Microsoft.Azure.Management.SecurityInsights.SecurityInsightsClient/1.0.0.0"
+ ]
+ },
+ "ResponseHeaders": {
+ "Cache-Control": [
+ "no-cache"
+ ],
+ "Pragma": [
+ "no-cache"
+ ],
+ "x-ms-ratelimit-remaining-subscription-deletes": [
+ "14999"
+ ],
+ "Server": [
+ "Kestrel"
+ ],
+ "x-ms-request-id": [
+ "b36d044d-dc72-42bd-8418-9d95c262005e"
+ ],
+ "x-ms-correlation-request-id": [
+ "b36d044d-dc72-42bd-8418-9d95c262005e"
+ ],
+ "x-ms-routing-request-id": [
+ "WESTUS2:20201210T211212Z:b36d044d-dc72-42bd-8418-9d95c262005e"
+ ],
+ "Strict-Transport-Security": [
+ "max-age=31536000; includeSubDomains"
+ ],
+ "X-Content-Type-Options": [
+ "nosniff"
+ ],
+ "Date": [
+ "Thu, 10 Dec 2020 21:12:11 GMT"
+ ],
+ "Content-Length": [
+ "2"
+ ],
+ "Content-Type": [
+ "application/json; charset=utf-8"
+ ],
+ "Expires": [
+ "-1"
+ ]
+ },
+ "ResponseBody": "{}",
+ "StatusCode": 200
+ }
+ ],
+ "Names": {},
+ "Variables": {
+ "SubscriptionId": "1c61ccbf-70b3-45a3-a1fb-848ce46d70a6"
+ }
+}
\ No newline at end of file
diff --git a/src/SecurityInsights/SecurityInsights.Test/SessionRecords/Microsoft.Azure.Commands.SecurityInsights.Test.ScenarioTests.IncidentsTests/Create.json b/src/SecurityInsights/SecurityInsights.Test/SessionRecords/Microsoft.Azure.Commands.SecurityInsights.Test.ScenarioTests.IncidentsTests/Create.json
new file mode 100644
index 000000000000..0106fde71583
--- /dev/null
+++ b/src/SecurityInsights/SecurityInsights.Test/SessionRecords/Microsoft.Azure.Commands.SecurityInsights.Test.ScenarioTests.IncidentsTests/Create.json
@@ -0,0 +1,140 @@
+{
+ "Entries": [
+ {
+ "RequestUri": "/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/incidents/1877f91c-570c-46aa-8a2e-b2c6c3fd4a37?api-version=2020-01-01",
+ "EncodedRequestUri": "L3N1YnNjcmlwdGlvbnMvMWM2MWNjYmYtNzBiMy00NWEzLWExZmItODQ4Y2U0NmQ3MGE2L3Jlc291cmNlR3JvdXBzL25kaWNvbGEtYXpzcG9zaC9wcm92aWRlcnMvTWljcm9zb2Z0Lk9wZXJhdGlvbmFsSW5zaWdodHMvd29ya3NwYWNlcy9henNwb3NoL3Byb3ZpZGVycy9NaWNyb3NvZnQuU2VjdXJpdHlJbnNpZ2h0cy9pbmNpZGVudHMvMTg3N2Y5MWMtNTcwYy00NmFhLThhMmUtYjJjNmMzZmQ0YTM3P2FwaS12ZXJzaW9uPTIwMjAtMDEtMDE=",
+ "RequestMethod": "PUT",
+ "RequestBody": "{\r\n \"properties\": {\r\n \"severity\": \"Low\",\r\n \"status\": \"New\",\r\n \"title\": \"PoshModuleTest\"\r\n }\r\n}",
+ "RequestHeaders": {
+ "x-ms-client-request-id": [
+ "ab277141-db44-4c40-be55-0ce17f47b694"
+ ],
+ "Accept-Language": [
+ "en-US"
+ ],
+ "User-Agent": [
+ "FxVersion/4.6.29321.03",
+ "OSName/Windows",
+ "OSVersion/Microsoft.Windows.10.0.19042.",
+ "Microsoft.Azure.Management.SecurityInsights.SecurityInsightsClient/1.0.0.0"
+ ],
+ "Content-Type": [
+ "application/json; charset=utf-8"
+ ],
+ "Content-Length": [
+ "105"
+ ]
+ },
+ "ResponseHeaders": {
+ "Cache-Control": [
+ "no-cache"
+ ],
+ "Pragma": [
+ "no-cache"
+ ],
+ "x-ms-ratelimit-remaining-subscription-writes": [
+ "1199"
+ ],
+ "Server": [
+ "Kestrel"
+ ],
+ "x-ms-request-id": [
+ "d2b821e0-c48e-4b5f-bfcf-0c7047711bf2"
+ ],
+ "x-ms-correlation-request-id": [
+ "d2b821e0-c48e-4b5f-bfcf-0c7047711bf2"
+ ],
+ "x-ms-routing-request-id": [
+ "WESTUS2:20201210T211151Z:d2b821e0-c48e-4b5f-bfcf-0c7047711bf2"
+ ],
+ "Strict-Transport-Security": [
+ "max-age=31536000; includeSubDomains"
+ ],
+ "X-Content-Type-Options": [
+ "nosniff"
+ ],
+ "Date": [
+ "Thu, 10 Dec 2020 21:11:50 GMT"
+ ],
+ "Content-Length": [
+ "1115"
+ ],
+ "Content-Type": [
+ "application/json; charset=utf-8"
+ ],
+ "Expires": [
+ "-1"
+ ]
+ },
+ "ResponseBody": "{\r\n \"id\": \"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/Incidents/1877f91c-570c-46aa-8a2e-b2c6c3fd4a37\",\r\n \"name\": \"1877f91c-570c-46aa-8a2e-b2c6c3fd4a37\",\r\n \"etag\": \"\\\"bd005aa3-0000-0100-0000-5fd28f170000\\\"\",\r\n \"type\": \"Microsoft.SecurityInsights/Incidents\",\r\n \"properties\": {\r\n \"title\": \"PoshModuleTest\",\r\n \"severity\": \"Low\",\r\n \"status\": \"New\",\r\n \"owner\": {\r\n \"objectId\": null,\r\n \"email\": null,\r\n \"assignedTo\": null,\r\n \"userPrincipalName\": null\r\n },\r\n \"labels\": [],\r\n \"lastModifiedTimeUtc\": \"2020-12-10T21:11:51.0583812Z\",\r\n \"createdTimeUtc\": \"2020-12-10T21:11:51.0583812Z\",\r\n \"incidentNumber\": 92,\r\n \"additionalData\": {\r\n \"alertsCount\": 0,\r\n \"bookmarksCount\": 0,\r\n \"commentsCount\": 0,\r\n \"alertProductNames\": [],\r\n \"tactics\": []\r\n },\r\n \"relatedAnalyticRuleIds\": [],\r\n \"incidentUrl\": \"https://portal.azure.com/#asset/Microsoft_Azure_Security_Insights/Incident/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/Incidents/1877f91c-570c-46aa-8a2e-b2c6c3fd4a37\"\r\n }\r\n}",
+ "StatusCode": 200
+ },
+ {
+ "RequestUri": "/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/incidents/1877f91c-570c-46aa-8a2e-b2c6c3fd4a37?api-version=2020-01-01",
+ "EncodedRequestUri": "L3N1YnNjcmlwdGlvbnMvMWM2MWNjYmYtNzBiMy00NWEzLWExZmItODQ4Y2U0NmQ3MGE2L3Jlc291cmNlR3JvdXBzL25kaWNvbGEtYXpzcG9zaC9wcm92aWRlcnMvTWljcm9zb2Z0Lk9wZXJhdGlvbmFsSW5zaWdodHMvd29ya3NwYWNlcy9henNwb3NoL3Byb3ZpZGVycy9NaWNyb3NvZnQuU2VjdXJpdHlJbnNpZ2h0cy9pbmNpZGVudHMvMTg3N2Y5MWMtNTcwYy00NmFhLThhMmUtYjJjNmMzZmQ0YTM3P2FwaS12ZXJzaW9uPTIwMjAtMDEtMDE=",
+ "RequestMethod": "DELETE",
+ "RequestBody": "",
+ "RequestHeaders": {
+ "x-ms-client-request-id": [
+ "063056bc-b99b-49b4-ab8f-54a375d824dd"
+ ],
+ "Accept-Language": [
+ "en-US"
+ ],
+ "User-Agent": [
+ "FxVersion/4.6.29321.03",
+ "OSName/Windows",
+ "OSVersion/Microsoft.Windows.10.0.19042.",
+ "Microsoft.Azure.Management.SecurityInsights.SecurityInsightsClient/1.0.0.0"
+ ]
+ },
+ "ResponseHeaders": {
+ "Cache-Control": [
+ "no-cache"
+ ],
+ "Pragma": [
+ "no-cache"
+ ],
+ "x-ms-ratelimit-remaining-subscription-deletes": [
+ "14999"
+ ],
+ "Server": [
+ "Kestrel"
+ ],
+ "x-ms-request-id": [
+ "c2703436-aa4f-4ab5-baa5-a165244ef5c5"
+ ],
+ "x-ms-correlation-request-id": [
+ "c2703436-aa4f-4ab5-baa5-a165244ef5c5"
+ ],
+ "x-ms-routing-request-id": [
+ "WESTUS2:20201210T211151Z:c2703436-aa4f-4ab5-baa5-a165244ef5c5"
+ ],
+ "Strict-Transport-Security": [
+ "max-age=31536000; includeSubDomains"
+ ],
+ "X-Content-Type-Options": [
+ "nosniff"
+ ],
+ "Date": [
+ "Thu, 10 Dec 2020 21:11:50 GMT"
+ ],
+ "Content-Length": [
+ "2"
+ ],
+ "Content-Type": [
+ "application/json; charset=utf-8"
+ ],
+ "Expires": [
+ "-1"
+ ]
+ },
+ "ResponseBody": "{}",
+ "StatusCode": 200
+ }
+ ],
+ "Names": {},
+ "Variables": {
+ "SubscriptionId": "1c61ccbf-70b3-45a3-a1fb-848ce46d70a6"
+ }
+}
\ No newline at end of file
diff --git a/src/SecurityInsights/SecurityInsights.Test/SessionRecords/Microsoft.Azure.Commands.SecurityInsights.Test.ScenarioTests.IncidentsTests/Get.json b/src/SecurityInsights/SecurityInsights.Test/SessionRecords/Microsoft.Azure.Commands.SecurityInsights.Test.ScenarioTests.IncidentsTests/Get.json
new file mode 100644
index 000000000000..76218f4bb54e
--- /dev/null
+++ b/src/SecurityInsights/SecurityInsights.Test/SessionRecords/Microsoft.Azure.Commands.SecurityInsights.Test.ScenarioTests.IncidentsTests/Get.json
@@ -0,0 +1,203 @@
+{
+ "Entries": [
+ {
+ "RequestUri": "/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/incidents/a45dd647-301b-427b-ac4c-6455f65d3081?api-version=2020-01-01",
+ "EncodedRequestUri": "L3N1YnNjcmlwdGlvbnMvMWM2MWNjYmYtNzBiMy00NWEzLWExZmItODQ4Y2U0NmQ3MGE2L3Jlc291cmNlR3JvdXBzL25kaWNvbGEtYXpzcG9zaC9wcm92aWRlcnMvTWljcm9zb2Z0Lk9wZXJhdGlvbmFsSW5zaWdodHMvd29ya3NwYWNlcy9henNwb3NoL3Byb3ZpZGVycy9NaWNyb3NvZnQuU2VjdXJpdHlJbnNpZ2h0cy9pbmNpZGVudHMvYTQ1ZGQ2NDctMzAxYi00MjdiLWFjNGMtNjQ1NWY2NWQzMDgxP2FwaS12ZXJzaW9uPTIwMjAtMDEtMDE=",
+ "RequestMethod": "PUT",
+ "RequestBody": "{\r\n \"properties\": {\r\n \"severity\": \"Low\",\r\n \"status\": \"New\",\r\n \"title\": \"PoshModuleTest\"\r\n }\r\n}",
+ "RequestHeaders": {
+ "x-ms-client-request-id": [
+ "74141ac9-7e75-472f-b56e-dfa8d55894cd"
+ ],
+ "Accept-Language": [
+ "en-US"
+ ],
+ "User-Agent": [
+ "FxVersion/4.6.29321.03",
+ "OSName/Windows",
+ "OSVersion/Microsoft.Windows.10.0.19042.",
+ "Microsoft.Azure.Management.SecurityInsights.SecurityInsightsClient/1.0.0.0"
+ ],
+ "Content-Type": [
+ "application/json; charset=utf-8"
+ ],
+ "Content-Length": [
+ "105"
+ ]
+ },
+ "ResponseHeaders": {
+ "Cache-Control": [
+ "no-cache"
+ ],
+ "Pragma": [
+ "no-cache"
+ ],
+ "x-ms-ratelimit-remaining-subscription-writes": [
+ "1199"
+ ],
+ "Server": [
+ "Kestrel"
+ ],
+ "x-ms-request-id": [
+ "6e50e084-debd-48c2-9f08-1d2726a5792d"
+ ],
+ "x-ms-correlation-request-id": [
+ "6e50e084-debd-48c2-9f08-1d2726a5792d"
+ ],
+ "x-ms-routing-request-id": [
+ "WESTUS2:20201210T211152Z:6e50e084-debd-48c2-9f08-1d2726a5792d"
+ ],
+ "Strict-Transport-Security": [
+ "max-age=31536000; includeSubDomains"
+ ],
+ "X-Content-Type-Options": [
+ "nosniff"
+ ],
+ "Date": [
+ "Thu, 10 Dec 2020 21:11:51 GMT"
+ ],
+ "Content-Length": [
+ "1113"
+ ],
+ "Content-Type": [
+ "application/json; charset=utf-8"
+ ],
+ "Expires": [
+ "-1"
+ ]
+ },
+ "ResponseBody": "{\r\n \"id\": \"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/Incidents/a45dd647-301b-427b-ac4c-6455f65d3081\",\r\n \"name\": \"a45dd647-301b-427b-ac4c-6455f65d3081\",\r\n \"etag\": \"\\\"bd005ca3-0000-0100-0000-5fd28f180000\\\"\",\r\n \"type\": \"Microsoft.SecurityInsights/Incidents\",\r\n \"properties\": {\r\n \"title\": \"PoshModuleTest\",\r\n \"severity\": \"Low\",\r\n \"status\": \"New\",\r\n \"owner\": {\r\n \"objectId\": null,\r\n \"email\": null,\r\n \"assignedTo\": null,\r\n \"userPrincipalName\": null\r\n },\r\n \"labels\": [],\r\n \"lastModifiedTimeUtc\": \"2020-12-10T21:11:52.358693Z\",\r\n \"createdTimeUtc\": \"2020-12-10T21:11:52.358693Z\",\r\n \"incidentNumber\": 93,\r\n \"additionalData\": {\r\n \"alertsCount\": 0,\r\n \"bookmarksCount\": 0,\r\n \"commentsCount\": 0,\r\n \"alertProductNames\": [],\r\n \"tactics\": []\r\n },\r\n \"relatedAnalyticRuleIds\": [],\r\n \"incidentUrl\": \"https://portal.azure.com/#asset/Microsoft_Azure_Security_Insights/Incident/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/Incidents/a45dd647-301b-427b-ac4c-6455f65d3081\"\r\n }\r\n}",
+ "StatusCode": 200
+ },
+ {
+ "RequestUri": "/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/incidents/a45dd647-301b-427b-ac4c-6455f65d3081?api-version=2020-01-01",
+ "EncodedRequestUri": "L3N1YnNjcmlwdGlvbnMvMWM2MWNjYmYtNzBiMy00NWEzLWExZmItODQ4Y2U0NmQ3MGE2L3Jlc291cmNlR3JvdXBzL25kaWNvbGEtYXpzcG9zaC9wcm92aWRlcnMvTWljcm9zb2Z0Lk9wZXJhdGlvbmFsSW5zaWdodHMvd29ya3NwYWNlcy9henNwb3NoL3Byb3ZpZGVycy9NaWNyb3NvZnQuU2VjdXJpdHlJbnNpZ2h0cy9pbmNpZGVudHMvYTQ1ZGQ2NDctMzAxYi00MjdiLWFjNGMtNjQ1NWY2NWQzMDgxP2FwaS12ZXJzaW9uPTIwMjAtMDEtMDE=",
+ "RequestMethod": "GET",
+ "RequestBody": "",
+ "RequestHeaders": {
+ "x-ms-client-request-id": [
+ "7ed643ab-60e1-49d7-a521-484d3578121a"
+ ],
+ "Accept-Language": [
+ "en-US"
+ ],
+ "User-Agent": [
+ "FxVersion/4.6.29321.03",
+ "OSName/Windows",
+ "OSVersion/Microsoft.Windows.10.0.19042.",
+ "Microsoft.Azure.Management.SecurityInsights.SecurityInsightsClient/1.0.0.0"
+ ]
+ },
+ "ResponseHeaders": {
+ "Cache-Control": [
+ "no-cache"
+ ],
+ "Pragma": [
+ "no-cache"
+ ],
+ "x-ms-ratelimit-remaining-subscription-reads": [
+ "11999"
+ ],
+ "Server": [
+ "Kestrel"
+ ],
+ "x-ms-request-id": [
+ "05687e94-2fae-4248-92e2-80446a1425f0"
+ ],
+ "x-ms-correlation-request-id": [
+ "05687e94-2fae-4248-92e2-80446a1425f0"
+ ],
+ "x-ms-routing-request-id": [
+ "WESTUS2:20201210T211152Z:05687e94-2fae-4248-92e2-80446a1425f0"
+ ],
+ "Strict-Transport-Security": [
+ "max-age=31536000; includeSubDomains"
+ ],
+ "X-Content-Type-Options": [
+ "nosniff"
+ ],
+ "Date": [
+ "Thu, 10 Dec 2020 21:11:51 GMT"
+ ],
+ "Content-Length": [
+ "1113"
+ ],
+ "Content-Type": [
+ "application/json; charset=utf-8"
+ ],
+ "Expires": [
+ "-1"
+ ]
+ },
+ "ResponseBody": "{\r\n \"id\": \"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/Incidents/a45dd647-301b-427b-ac4c-6455f65d3081\",\r\n \"name\": \"a45dd647-301b-427b-ac4c-6455f65d3081\",\r\n \"etag\": \"\\\"bd005ca3-0000-0100-0000-5fd28f180000\\\"\",\r\n \"type\": \"Microsoft.SecurityInsights/Incidents\",\r\n \"properties\": {\r\n \"title\": \"PoshModuleTest\",\r\n \"severity\": \"Low\",\r\n \"status\": \"New\",\r\n \"owner\": {\r\n \"objectId\": null,\r\n \"email\": null,\r\n \"assignedTo\": null,\r\n \"userPrincipalName\": null\r\n },\r\n \"labels\": [],\r\n \"lastModifiedTimeUtc\": \"2020-12-10T21:11:52.358693Z\",\r\n \"createdTimeUtc\": \"2020-12-10T21:11:52.358693Z\",\r\n \"incidentNumber\": 93,\r\n \"additionalData\": {\r\n \"alertsCount\": 0,\r\n \"bookmarksCount\": 0,\r\n \"commentsCount\": 0,\r\n \"alertProductNames\": [],\r\n \"tactics\": []\r\n },\r\n \"relatedAnalyticRuleIds\": [],\r\n \"incidentUrl\": \"https://portal.azure.com/#asset/Microsoft_Azure_Security_Insights/Incident/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/Incidents/a45dd647-301b-427b-ac4c-6455f65d3081\"\r\n }\r\n}",
+ "StatusCode": 200
+ },
+ {
+ "RequestUri": "/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/incidents/a45dd647-301b-427b-ac4c-6455f65d3081?api-version=2020-01-01",
+ "EncodedRequestUri": "L3N1YnNjcmlwdGlvbnMvMWM2MWNjYmYtNzBiMy00NWEzLWExZmItODQ4Y2U0NmQ3MGE2L3Jlc291cmNlR3JvdXBzL25kaWNvbGEtYXpzcG9zaC9wcm92aWRlcnMvTWljcm9zb2Z0Lk9wZXJhdGlvbmFsSW5zaWdodHMvd29ya3NwYWNlcy9henNwb3NoL3Byb3ZpZGVycy9NaWNyb3NvZnQuU2VjdXJpdHlJbnNpZ2h0cy9pbmNpZGVudHMvYTQ1ZGQ2NDctMzAxYi00MjdiLWFjNGMtNjQ1NWY2NWQzMDgxP2FwaS12ZXJzaW9uPTIwMjAtMDEtMDE=",
+ "RequestMethod": "DELETE",
+ "RequestBody": "",
+ "RequestHeaders": {
+ "x-ms-client-request-id": [
+ "bad10ed4-92a2-4b6a-8329-643c06e3eda2"
+ ],
+ "Accept-Language": [
+ "en-US"
+ ],
+ "User-Agent": [
+ "FxVersion/4.6.29321.03",
+ "OSName/Windows",
+ "OSVersion/Microsoft.Windows.10.0.19042.",
+ "Microsoft.Azure.Management.SecurityInsights.SecurityInsightsClient/1.0.0.0"
+ ]
+ },
+ "ResponseHeaders": {
+ "Cache-Control": [
+ "no-cache"
+ ],
+ "Pragma": [
+ "no-cache"
+ ],
+ "x-ms-ratelimit-remaining-subscription-deletes": [
+ "14999"
+ ],
+ "Server": [
+ "Kestrel"
+ ],
+ "x-ms-request-id": [
+ "5063a41a-f543-4aad-9895-384eebc3c6af"
+ ],
+ "x-ms-correlation-request-id": [
+ "5063a41a-f543-4aad-9895-384eebc3c6af"
+ ],
+ "x-ms-routing-request-id": [
+ "WESTUS2:20201210T211152Z:5063a41a-f543-4aad-9895-384eebc3c6af"
+ ],
+ "Strict-Transport-Security": [
+ "max-age=31536000; includeSubDomains"
+ ],
+ "X-Content-Type-Options": [
+ "nosniff"
+ ],
+ "Date": [
+ "Thu, 10 Dec 2020 21:11:52 GMT"
+ ],
+ "Content-Length": [
+ "2"
+ ],
+ "Content-Type": [
+ "application/json; charset=utf-8"
+ ],
+ "Expires": [
+ "-1"
+ ]
+ },
+ "ResponseBody": "{}",
+ "StatusCode": 200
+ }
+ ],
+ "Names": {},
+ "Variables": {
+ "SubscriptionId": "1c61ccbf-70b3-45a3-a1fb-848ce46d70a6"
+ }
+}
\ No newline at end of file
diff --git a/src/SecurityInsights/SecurityInsights.Test/SessionRecords/Microsoft.Azure.Commands.SecurityInsights.Test.ScenarioTests.IncidentsTests/InputObject.json b/src/SecurityInsights/SecurityInsights.Test/SessionRecords/Microsoft.Azure.Commands.SecurityInsights.Test.ScenarioTests.IncidentsTests/InputObject.json
new file mode 100644
index 000000000000..b0c2918eede9
--- /dev/null
+++ b/src/SecurityInsights/SecurityInsights.Test/SessionRecords/Microsoft.Azure.Commands.SecurityInsights.Test.ScenarioTests.IncidentsTests/InputObject.json
@@ -0,0 +1,272 @@
+{
+ "Entries": [
+ {
+ "RequestUri": "/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/incidents/1624cb38-732b-4775-9aef-6206344b3b92?api-version=2020-01-01",
+ "EncodedRequestUri": "L3N1YnNjcmlwdGlvbnMvMWM2MWNjYmYtNzBiMy00NWEzLWExZmItODQ4Y2U0NmQ3MGE2L3Jlc291cmNlR3JvdXBzL25kaWNvbGEtYXpzcG9zaC9wcm92aWRlcnMvTWljcm9zb2Z0Lk9wZXJhdGlvbmFsSW5zaWdodHMvd29ya3NwYWNlcy9henNwb3NoL3Byb3ZpZGVycy9NaWNyb3NvZnQuU2VjdXJpdHlJbnNpZ2h0cy9pbmNpZGVudHMvMTYyNGNiMzgtNzMyYi00Nzc1LTlhZWYtNjIwNjM0NGIzYjkyP2FwaS12ZXJzaW9uPTIwMjAtMDEtMDE=",
+ "RequestMethod": "PUT",
+ "RequestBody": "{\r\n \"properties\": {\r\n \"severity\": \"Low\",\r\n \"status\": \"New\",\r\n \"title\": \"PoshModuleTest\"\r\n }\r\n}",
+ "RequestHeaders": {
+ "x-ms-client-request-id": [
+ "88a71185-87b2-4ed7-84c1-8f5d1c4a030f"
+ ],
+ "Accept-Language": [
+ "en-US"
+ ],
+ "User-Agent": [
+ "FxVersion/4.6.29321.03",
+ "OSName/Windows",
+ "OSVersion/Microsoft.Windows.10.0.19042.",
+ "Microsoft.Azure.Management.SecurityInsights.SecurityInsightsClient/1.0.0.0"
+ ],
+ "Content-Type": [
+ "application/json; charset=utf-8"
+ ],
+ "Content-Length": [
+ "105"
+ ]
+ },
+ "ResponseHeaders": {
+ "Cache-Control": [
+ "no-cache"
+ ],
+ "Pragma": [
+ "no-cache"
+ ],
+ "x-ms-ratelimit-remaining-subscription-writes": [
+ "1199"
+ ],
+ "Server": [
+ "Kestrel"
+ ],
+ "x-ms-request-id": [
+ "bc44be46-5f3e-474a-8a29-90598186c358"
+ ],
+ "x-ms-correlation-request-id": [
+ "bc44be46-5f3e-474a-8a29-90598186c358"
+ ],
+ "x-ms-routing-request-id": [
+ "WESTUS2:20201210T211155Z:bc44be46-5f3e-474a-8a29-90598186c358"
+ ],
+ "Strict-Transport-Security": [
+ "max-age=31536000; includeSubDomains"
+ ],
+ "X-Content-Type-Options": [
+ "nosniff"
+ ],
+ "Date": [
+ "Thu, 10 Dec 2020 21:11:55 GMT"
+ ],
+ "Content-Length": [
+ "1115"
+ ],
+ "Content-Type": [
+ "application/json; charset=utf-8"
+ ],
+ "Expires": [
+ "-1"
+ ]
+ },
+ "ResponseBody": "{\r\n \"id\": \"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/Incidents/1624cb38-732b-4775-9aef-6206344b3b92\",\r\n \"name\": \"1624cb38-732b-4775-9aef-6206344b3b92\",\r\n \"etag\": \"\\\"bd0068a3-0000-0100-0000-5fd28f1b0000\\\"\",\r\n \"type\": \"Microsoft.SecurityInsights/Incidents\",\r\n \"properties\": {\r\n \"title\": \"PoshModuleTest\",\r\n \"severity\": \"Low\",\r\n \"status\": \"New\",\r\n \"owner\": {\r\n \"objectId\": null,\r\n \"email\": null,\r\n \"assignedTo\": null,\r\n \"userPrincipalName\": null\r\n },\r\n \"labels\": [],\r\n \"lastModifiedTimeUtc\": \"2020-12-10T21:11:55.5504153Z\",\r\n \"createdTimeUtc\": \"2020-12-10T21:11:55.5504153Z\",\r\n \"incidentNumber\": 95,\r\n \"additionalData\": {\r\n \"alertsCount\": 0,\r\n \"bookmarksCount\": 0,\r\n \"commentsCount\": 0,\r\n \"alertProductNames\": [],\r\n \"tactics\": []\r\n },\r\n \"relatedAnalyticRuleIds\": [],\r\n \"incidentUrl\": \"https://portal.azure.com/#asset/Microsoft_Azure_Security_Insights/Incident/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/Incidents/1624cb38-732b-4775-9aef-6206344b3b92\"\r\n }\r\n}",
+ "StatusCode": 200
+ },
+ {
+ "RequestUri": "/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/incidents/1624cb38-732b-4775-9aef-6206344b3b92?api-version=2020-01-01",
+ "EncodedRequestUri": "L3N1YnNjcmlwdGlvbnMvMWM2MWNjYmYtNzBiMy00NWEzLWExZmItODQ4Y2U0NmQ3MGE2L3Jlc291cmNlR3JvdXBzL25kaWNvbGEtYXpzcG9zaC9wcm92aWRlcnMvTWljcm9zb2Z0Lk9wZXJhdGlvbmFsSW5zaWdodHMvd29ya3NwYWNlcy9henNwb3NoL3Byb3ZpZGVycy9NaWNyb3NvZnQuU2VjdXJpdHlJbnNpZ2h0cy9pbmNpZGVudHMvMTYyNGNiMzgtNzMyYi00Nzc1LTlhZWYtNjIwNjM0NGIzYjkyP2FwaS12ZXJzaW9uPTIwMjAtMDEtMDE=",
+ "RequestMethod": "PUT",
+ "RequestBody": "{\r\n \"properties\": {\r\n \"labels\": [],\r\n \"owner\": {},\r\n \"severity\": \"Medium\",\r\n \"status\": \"New\",\r\n \"title\": \"PoshModuleTest\"\r\n },\r\n \"etag\": \"\\\"bd0068a3-0000-0100-0000-5fd28f1b0000\\\"\"\r\n}",
+ "RequestHeaders": {
+ "x-ms-client-request-id": [
+ "885ff512-9927-4189-abdb-6159cd14e9c3"
+ ],
+ "Accept-Language": [
+ "en-US"
+ ],
+ "User-Agent": [
+ "FxVersion/4.6.29321.03",
+ "OSName/Windows",
+ "OSVersion/Microsoft.Windows.10.0.19042.",
+ "Microsoft.Azure.Management.SecurityInsights.SecurityInsightsClient/1.0.0.0"
+ ],
+ "Content-Type": [
+ "application/json; charset=utf-8"
+ ],
+ "Content-Length": [
+ "200"
+ ]
+ },
+ "ResponseHeaders": {
+ "Cache-Control": [
+ "no-cache"
+ ],
+ "Pragma": [
+ "no-cache"
+ ],
+ "x-ms-ratelimit-remaining-subscription-writes": [
+ "1198"
+ ],
+ "Server": [
+ "Kestrel"
+ ],
+ "x-ms-request-id": [
+ "b075f175-4cce-4275-acf8-4c0792f17479"
+ ],
+ "x-ms-correlation-request-id": [
+ "b075f175-4cce-4275-acf8-4c0792f17479"
+ ],
+ "x-ms-routing-request-id": [
+ "WESTUS2:20201210T211156Z:b075f175-4cce-4275-acf8-4c0792f17479"
+ ],
+ "Strict-Transport-Security": [
+ "max-age=31536000; includeSubDomains"
+ ],
+ "X-Content-Type-Options": [
+ "nosniff"
+ ],
+ "Date": [
+ "Thu, 10 Dec 2020 21:11:55 GMT"
+ ],
+ "Content-Length": [
+ "1118"
+ ],
+ "Content-Type": [
+ "application/json; charset=utf-8"
+ ],
+ "Expires": [
+ "-1"
+ ]
+ },
+ "ResponseBody": "{\r\n \"id\": \"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/Incidents/1624cb38-732b-4775-9aef-6206344b3b92\",\r\n \"name\": \"1624cb38-732b-4775-9aef-6206344b3b92\",\r\n \"etag\": \"\\\"bd0069a3-0000-0100-0000-5fd28f1b0000\\\"\",\r\n \"type\": \"Microsoft.SecurityInsights/Incidents\",\r\n \"properties\": {\r\n \"title\": \"PoshModuleTest\",\r\n \"severity\": \"Medium\",\r\n \"status\": \"New\",\r\n \"owner\": {\r\n \"objectId\": null,\r\n \"email\": null,\r\n \"assignedTo\": null,\r\n \"userPrincipalName\": null\r\n },\r\n \"labels\": [],\r\n \"lastModifiedTimeUtc\": \"2020-12-10T21:11:55.9824847Z\",\r\n \"createdTimeUtc\": \"2020-12-10T21:11:55.5504153Z\",\r\n \"incidentNumber\": 95,\r\n \"additionalData\": {\r\n \"alertsCount\": 0,\r\n \"bookmarksCount\": 0,\r\n \"commentsCount\": 0,\r\n \"alertProductNames\": [],\r\n \"tactics\": []\r\n },\r\n \"relatedAnalyticRuleIds\": [],\r\n \"incidentUrl\": \"https://portal.azure.com/#asset/Microsoft_Azure_Security_Insights/Incident/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/Incidents/1624cb38-732b-4775-9aef-6206344b3b92\"\r\n }\r\n}",
+ "StatusCode": 200
+ },
+ {
+ "RequestUri": "/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/incidents/1624cb38-732b-4775-9aef-6206344b3b92?api-version=2020-01-01",
+ "EncodedRequestUri": "L3N1YnNjcmlwdGlvbnMvMWM2MWNjYmYtNzBiMy00NWEzLWExZmItODQ4Y2U0NmQ3MGE2L3Jlc291cmNlR3JvdXBzL25kaWNvbGEtYXpzcG9zaC9wcm92aWRlcnMvTWljcm9zb2Z0Lk9wZXJhdGlvbmFsSW5zaWdodHMvd29ya3NwYWNlcy9henNwb3NoL3Byb3ZpZGVycy9NaWNyb3NvZnQuU2VjdXJpdHlJbnNpZ2h0cy9pbmNpZGVudHMvMTYyNGNiMzgtNzMyYi00Nzc1LTlhZWYtNjIwNjM0NGIzYjkyP2FwaS12ZXJzaW9uPTIwMjAtMDEtMDE=",
+ "RequestMethod": "GET",
+ "RequestBody": "",
+ "RequestHeaders": {
+ "x-ms-client-request-id": [
+ "a4fe7bb9-ced7-43c7-8411-4f8d48cbc9dd"
+ ],
+ "Accept-Language": [
+ "en-US"
+ ],
+ "User-Agent": [
+ "FxVersion/4.6.29321.03",
+ "OSName/Windows",
+ "OSVersion/Microsoft.Windows.10.0.19042.",
+ "Microsoft.Azure.Management.SecurityInsights.SecurityInsightsClient/1.0.0.0"
+ ]
+ },
+ "ResponseHeaders": {
+ "Cache-Control": [
+ "no-cache"
+ ],
+ "Pragma": [
+ "no-cache"
+ ],
+ "x-ms-ratelimit-remaining-subscription-reads": [
+ "11999"
+ ],
+ "Server": [
+ "Kestrel"
+ ],
+ "x-ms-request-id": [
+ "9c2ccd12-2d04-48b8-bcad-6524b28af693"
+ ],
+ "x-ms-correlation-request-id": [
+ "9c2ccd12-2d04-48b8-bcad-6524b28af693"
+ ],
+ "x-ms-routing-request-id": [
+ "WESTUS2:20201210T211155Z:9c2ccd12-2d04-48b8-bcad-6524b28af693"
+ ],
+ "Strict-Transport-Security": [
+ "max-age=31536000; includeSubDomains"
+ ],
+ "X-Content-Type-Options": [
+ "nosniff"
+ ],
+ "Date": [
+ "Thu, 10 Dec 2020 21:11:55 GMT"
+ ],
+ "Content-Length": [
+ "1115"
+ ],
+ "Content-Type": [
+ "application/json; charset=utf-8"
+ ],
+ "Expires": [
+ "-1"
+ ]
+ },
+ "ResponseBody": "{\r\n \"id\": \"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/Incidents/1624cb38-732b-4775-9aef-6206344b3b92\",\r\n \"name\": \"1624cb38-732b-4775-9aef-6206344b3b92\",\r\n \"etag\": \"\\\"bd0068a3-0000-0100-0000-5fd28f1b0000\\\"\",\r\n \"type\": \"Microsoft.SecurityInsights/Incidents\",\r\n \"properties\": {\r\n \"title\": \"PoshModuleTest\",\r\n \"severity\": \"Low\",\r\n \"status\": \"New\",\r\n \"owner\": {\r\n \"objectId\": null,\r\n \"email\": null,\r\n \"assignedTo\": null,\r\n \"userPrincipalName\": null\r\n },\r\n \"labels\": [],\r\n \"lastModifiedTimeUtc\": \"2020-12-10T21:11:55.5504153Z\",\r\n \"createdTimeUtc\": \"2020-12-10T21:11:55.5504153Z\",\r\n \"incidentNumber\": 95,\r\n \"additionalData\": {\r\n \"alertsCount\": 0,\r\n \"bookmarksCount\": 0,\r\n \"commentsCount\": 0,\r\n \"alertProductNames\": [],\r\n \"tactics\": []\r\n },\r\n \"relatedAnalyticRuleIds\": [],\r\n \"incidentUrl\": \"https://portal.azure.com/#asset/Microsoft_Azure_Security_Insights/Incident/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/Incidents/1624cb38-732b-4775-9aef-6206344b3b92\"\r\n }\r\n}",
+ "StatusCode": 200
+ },
+ {
+ "RequestUri": "/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/incidents/1624cb38-732b-4775-9aef-6206344b3b92?api-version=2020-01-01",
+ "EncodedRequestUri": "L3N1YnNjcmlwdGlvbnMvMWM2MWNjYmYtNzBiMy00NWEzLWExZmItODQ4Y2U0NmQ3MGE2L3Jlc291cmNlR3JvdXBzL25kaWNvbGEtYXpzcG9zaC9wcm92aWRlcnMvTWljcm9zb2Z0Lk9wZXJhdGlvbmFsSW5zaWdodHMvd29ya3NwYWNlcy9henNwb3NoL3Byb3ZpZGVycy9NaWNyb3NvZnQuU2VjdXJpdHlJbnNpZ2h0cy9pbmNpZGVudHMvMTYyNGNiMzgtNzMyYi00Nzc1LTlhZWYtNjIwNjM0NGIzYjkyP2FwaS12ZXJzaW9uPTIwMjAtMDEtMDE=",
+ "RequestMethod": "DELETE",
+ "RequestBody": "",
+ "RequestHeaders": {
+ "x-ms-client-request-id": [
+ "96ae8cfb-e9d6-428c-b897-7adc7218b0d5"
+ ],
+ "Accept-Language": [
+ "en-US"
+ ],
+ "User-Agent": [
+ "FxVersion/4.6.29321.03",
+ "OSName/Windows",
+ "OSVersion/Microsoft.Windows.10.0.19042.",
+ "Microsoft.Azure.Management.SecurityInsights.SecurityInsightsClient/1.0.0.0"
+ ]
+ },
+ "ResponseHeaders": {
+ "Cache-Control": [
+ "no-cache"
+ ],
+ "Pragma": [
+ "no-cache"
+ ],
+ "x-ms-ratelimit-remaining-subscription-deletes": [
+ "14999"
+ ],
+ "Server": [
+ "Kestrel"
+ ],
+ "x-ms-request-id": [
+ "1f1a3b78-ba18-4879-908a-58da94591bf9"
+ ],
+ "x-ms-correlation-request-id": [
+ "1f1a3b78-ba18-4879-908a-58da94591bf9"
+ ],
+ "x-ms-routing-request-id": [
+ "WESTUS2:20201210T211156Z:1f1a3b78-ba18-4879-908a-58da94591bf9"
+ ],
+ "Strict-Transport-Security": [
+ "max-age=31536000; includeSubDomains"
+ ],
+ "X-Content-Type-Options": [
+ "nosniff"
+ ],
+ "Date": [
+ "Thu, 10 Dec 2020 21:11:55 GMT"
+ ],
+ "Content-Length": [
+ "2"
+ ],
+ "Content-Type": [
+ "application/json; charset=utf-8"
+ ],
+ "Expires": [
+ "-1"
+ ]
+ },
+ "ResponseBody": "{}",
+ "StatusCode": 200
+ }
+ ],
+ "Names": {},
+ "Variables": {
+ "SubscriptionId": "1c61ccbf-70b3-45a3-a1fb-848ce46d70a6"
+ }
+}
\ No newline at end of file
diff --git a/src/SecurityInsights/SecurityInsights.Test/SessionRecords/Microsoft.Azure.Commands.SecurityInsights.Test.ScenarioTests.IncidentsTests/List.json b/src/SecurityInsights/SecurityInsights.Test/SessionRecords/Microsoft.Azure.Commands.SecurityInsights.Test.ScenarioTests.IncidentsTests/List.json
new file mode 100644
index 000000000000..3943ee36f619
--- /dev/null
+++ b/src/SecurityInsights/SecurityInsights.Test/SessionRecords/Microsoft.Azure.Commands.SecurityInsights.Test.ScenarioTests.IncidentsTests/List.json
@@ -0,0 +1,335 @@
+{
+ "Entries": [
+ {
+ "RequestUri": "/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/incidents/9948fe0a-433c-4230-ab18-41ba430d68bc?api-version=2020-01-01",
+ "EncodedRequestUri": "L3N1YnNjcmlwdGlvbnMvMWM2MWNjYmYtNzBiMy00NWEzLWExZmItODQ4Y2U0NmQ3MGE2L3Jlc291cmNlR3JvdXBzL25kaWNvbGEtYXpzcG9zaC9wcm92aWRlcnMvTWljcm9zb2Z0Lk9wZXJhdGlvbmFsSW5zaWdodHMvd29ya3NwYWNlcy9henNwb3NoL3Byb3ZpZGVycy9NaWNyb3NvZnQuU2VjdXJpdHlJbnNpZ2h0cy9pbmNpZGVudHMvOTk0OGZlMGEtNDMzYy00MjMwLWFiMTgtNDFiYTQzMGQ2OGJjP2FwaS12ZXJzaW9uPTIwMjAtMDEtMDE=",
+ "RequestMethod": "PUT",
+ "RequestBody": "{\r\n \"properties\": {\r\n \"severity\": \"Low\",\r\n \"status\": \"New\",\r\n \"title\": \"PoshModuleTest\"\r\n }\r\n}",
+ "RequestHeaders": {
+ "x-ms-client-request-id": [
+ "ed4700bf-3504-4232-860d-60cf9f540458"
+ ],
+ "Accept-Language": [
+ "en-US"
+ ],
+ "User-Agent": [
+ "FxVersion/4.6.29321.03",
+ "OSName/Windows",
+ "OSVersion/Microsoft.Windows.10.0.19042.",
+ "Microsoft.Azure.Management.SecurityInsights.SecurityInsightsClient/1.0.0.0"
+ ],
+ "Content-Type": [
+ "application/json; charset=utf-8"
+ ],
+ "Content-Length": [
+ "105"
+ ]
+ },
+ "ResponseHeaders": {
+ "Cache-Control": [
+ "no-cache"
+ ],
+ "Pragma": [
+ "no-cache"
+ ],
+ "x-ms-ratelimit-remaining-subscription-writes": [
+ "1199"
+ ],
+ "Server": [
+ "Kestrel"
+ ],
+ "x-ms-request-id": [
+ "1a1a6abf-0626-4f65-94a1-bb9ff966203c"
+ ],
+ "x-ms-correlation-request-id": [
+ "1a1a6abf-0626-4f65-94a1-bb9ff966203c"
+ ],
+ "x-ms-routing-request-id": [
+ "WESTUS2:20201210T211146Z:1a1a6abf-0626-4f65-94a1-bb9ff966203c"
+ ],
+ "Strict-Transport-Security": [
+ "max-age=31536000; includeSubDomains"
+ ],
+ "X-Content-Type-Options": [
+ "nosniff"
+ ],
+ "Date": [
+ "Thu, 10 Dec 2020 21:11:45 GMT"
+ ],
+ "Content-Length": [
+ "1115"
+ ],
+ "Content-Type": [
+ "application/json; charset=utf-8"
+ ],
+ "Expires": [
+ "-1"
+ ]
+ },
+ "ResponseBody": "{\r\n \"id\": \"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/Incidents/9948fe0a-433c-4230-ab18-41ba430d68bc\",\r\n \"name\": \"9948fe0a-433c-4230-ab18-41ba430d68bc\",\r\n \"etag\": \"\\\"bd004da3-0000-0100-0000-5fd28f120000\\\"\",\r\n \"type\": \"Microsoft.SecurityInsights/Incidents\",\r\n \"properties\": {\r\n \"title\": \"PoshModuleTest\",\r\n \"severity\": \"Low\",\r\n \"status\": \"New\",\r\n \"owner\": {\r\n \"objectId\": null,\r\n \"email\": null,\r\n \"assignedTo\": null,\r\n \"userPrincipalName\": null\r\n },\r\n \"labels\": [],\r\n \"lastModifiedTimeUtc\": \"2020-12-10T21:11:46.6741544Z\",\r\n \"createdTimeUtc\": \"2020-12-10T21:11:46.6741544Z\",\r\n \"incidentNumber\": 89,\r\n \"additionalData\": {\r\n \"alertsCount\": 0,\r\n \"bookmarksCount\": 0,\r\n \"commentsCount\": 0,\r\n \"alertProductNames\": [],\r\n \"tactics\": []\r\n },\r\n \"relatedAnalyticRuleIds\": [],\r\n \"incidentUrl\": \"https://portal.azure.com/#asset/Microsoft_Azure_Security_Insights/Incident/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/Incidents/9948fe0a-433c-4230-ab18-41ba430d68bc\"\r\n }\r\n}",
+ "StatusCode": 200
+ },
+ {
+ "RequestUri": "/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/incidents/93a8577f-b4e6-4225-9240-57bd52238502?api-version=2020-01-01",
+ "EncodedRequestUri": "L3N1YnNjcmlwdGlvbnMvMWM2MWNjYmYtNzBiMy00NWEzLWExZmItODQ4Y2U0NmQ3MGE2L3Jlc291cmNlR3JvdXBzL25kaWNvbGEtYXpzcG9zaC9wcm92aWRlcnMvTWljcm9zb2Z0Lk9wZXJhdGlvbmFsSW5zaWdodHMvd29ya3NwYWNlcy9henNwb3NoL3Byb3ZpZGVycy9NaWNyb3NvZnQuU2VjdXJpdHlJbnNpZ2h0cy9pbmNpZGVudHMvOTNhODU3N2YtYjRlNi00MjI1LTkyNDAtNTdiZDUyMjM4NTAyP2FwaS12ZXJzaW9uPTIwMjAtMDEtMDE=",
+ "RequestMethod": "PUT",
+ "RequestBody": "{\r\n \"properties\": {\r\n \"severity\": \"Low\",\r\n \"status\": \"New\",\r\n \"title\": \"PoshModuleTest2\"\r\n }\r\n}",
+ "RequestHeaders": {
+ "x-ms-client-request-id": [
+ "a9569612-657a-4625-a695-567470301222"
+ ],
+ "Accept-Language": [
+ "en-US"
+ ],
+ "User-Agent": [
+ "FxVersion/4.6.29321.03",
+ "OSName/Windows",
+ "OSVersion/Microsoft.Windows.10.0.19042.",
+ "Microsoft.Azure.Management.SecurityInsights.SecurityInsightsClient/1.0.0.0"
+ ],
+ "Content-Type": [
+ "application/json; charset=utf-8"
+ ],
+ "Content-Length": [
+ "106"
+ ]
+ },
+ "ResponseHeaders": {
+ "Cache-Control": [
+ "no-cache"
+ ],
+ "Pragma": [
+ "no-cache"
+ ],
+ "x-ms-ratelimit-remaining-subscription-writes": [
+ "1198"
+ ],
+ "Server": [
+ "Kestrel"
+ ],
+ "x-ms-request-id": [
+ "7f194bb1-1e39-4305-b96f-2a44b14a0d6c"
+ ],
+ "x-ms-correlation-request-id": [
+ "7f194bb1-1e39-4305-b96f-2a44b14a0d6c"
+ ],
+ "x-ms-routing-request-id": [
+ "WESTUS2:20201210T211147Z:7f194bb1-1e39-4305-b96f-2a44b14a0d6c"
+ ],
+ "Strict-Transport-Security": [
+ "max-age=31536000; includeSubDomains"
+ ],
+ "X-Content-Type-Options": [
+ "nosniff"
+ ],
+ "Date": [
+ "Thu, 10 Dec 2020 21:11:46 GMT"
+ ],
+ "Content-Length": [
+ "1116"
+ ],
+ "Content-Type": [
+ "application/json; charset=utf-8"
+ ],
+ "Expires": [
+ "-1"
+ ]
+ },
+ "ResponseBody": "{\r\n \"id\": \"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/Incidents/93a8577f-b4e6-4225-9240-57bd52238502\",\r\n \"name\": \"93a8577f-b4e6-4225-9240-57bd52238502\",\r\n \"etag\": \"\\\"bd004ea3-0000-0100-0000-5fd28f120000\\\"\",\r\n \"type\": \"Microsoft.SecurityInsights/Incidents\",\r\n \"properties\": {\r\n \"title\": \"PoshModuleTest2\",\r\n \"severity\": \"Low\",\r\n \"status\": \"New\",\r\n \"owner\": {\r\n \"objectId\": null,\r\n \"email\": null,\r\n \"assignedTo\": null,\r\n \"userPrincipalName\": null\r\n },\r\n \"labels\": [],\r\n \"lastModifiedTimeUtc\": \"2020-12-10T21:11:46.9390899Z\",\r\n \"createdTimeUtc\": \"2020-12-10T21:11:46.9390899Z\",\r\n \"incidentNumber\": 90,\r\n \"additionalData\": {\r\n \"alertsCount\": 0,\r\n \"bookmarksCount\": 0,\r\n \"commentsCount\": 0,\r\n \"alertProductNames\": [],\r\n \"tactics\": []\r\n },\r\n \"relatedAnalyticRuleIds\": [],\r\n \"incidentUrl\": \"https://portal.azure.com/#asset/Microsoft_Azure_Security_Insights/Incident/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/Incidents/93a8577f-b4e6-4225-9240-57bd52238502\"\r\n }\r\n}",
+ "StatusCode": 200
+ },
+ {
+ "RequestUri": "/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/incidents?api-version=2020-01-01",
+ "EncodedRequestUri": "L3N1YnNjcmlwdGlvbnMvMWM2MWNjYmYtNzBiMy00NWEzLWExZmItODQ4Y2U0NmQ3MGE2L3Jlc291cmNlR3JvdXBzL25kaWNvbGEtYXpzcG9zaC9wcm92aWRlcnMvTWljcm9zb2Z0Lk9wZXJhdGlvbmFsSW5zaWdodHMvd29ya3NwYWNlcy9henNwb3NoL3Byb3ZpZGVycy9NaWNyb3NvZnQuU2VjdXJpdHlJbnNpZ2h0cy9pbmNpZGVudHM/YXBpLXZlcnNpb249MjAyMC0wMS0wMQ==",
+ "RequestMethod": "GET",
+ "RequestBody": "",
+ "RequestHeaders": {
+ "x-ms-client-request-id": [
+ "1e28d23f-e683-45f7-8eb3-70a9deea9d30"
+ ],
+ "Accept-Language": [
+ "en-US"
+ ],
+ "User-Agent": [
+ "FxVersion/4.6.29321.03",
+ "OSName/Windows",
+ "OSVersion/Microsoft.Windows.10.0.19042.",
+ "Microsoft.Azure.Management.SecurityInsights.SecurityInsightsClient/1.0.0.0"
+ ]
+ },
+ "ResponseHeaders": {
+ "Cache-Control": [
+ "no-cache"
+ ],
+ "Pragma": [
+ "no-cache"
+ ],
+ "x-ms-ratelimit-remaining-subscription-reads": [
+ "11999"
+ ],
+ "Server": [
+ "Kestrel"
+ ],
+ "x-ms-request-id": [
+ "1477309a-ad9f-421a-bc27-46c8a4394f82"
+ ],
+ "x-ms-correlation-request-id": [
+ "1477309a-ad9f-421a-bc27-46c8a4394f82"
+ ],
+ "x-ms-routing-request-id": [
+ "WESTUS2:20201210T211147Z:1477309a-ad9f-421a-bc27-46c8a4394f82"
+ ],
+ "Strict-Transport-Security": [
+ "max-age=31536000; includeSubDomains"
+ ],
+ "X-Content-Type-Options": [
+ "nosniff"
+ ],
+ "Date": [
+ "Thu, 10 Dec 2020 21:11:46 GMT"
+ ],
+ "Content-Length": [
+ "51001"
+ ],
+ "Content-Type": [
+ "application/json; charset=utf-8"
+ ],
+ "Expires": [
+ "-1"
+ ]
+ },
+ "ResponseBody": "{\r\n \"value\": [\r\n {\r\n \"id\": \"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/Incidents/93a8577f-b4e6-4225-9240-57bd52238502\",\r\n \"name\": \"93a8577f-b4e6-4225-9240-57bd52238502\",\r\n \"etag\": \"\\\"bd004ea3-0000-0100-0000-5fd28f120000\\\"\",\r\n \"type\": \"Microsoft.SecurityInsights/Incidents\",\r\n \"properties\": {\r\n \"title\": \"PoshModuleTest2\",\r\n \"severity\": \"Low\",\r\n \"status\": \"New\",\r\n \"owner\": {\r\n \"objectId\": null,\r\n \"email\": null,\r\n \"assignedTo\": null,\r\n \"userPrincipalName\": null\r\n },\r\n \"labels\": [],\r\n \"lastModifiedTimeUtc\": \"2020-12-10T21:11:46.9390899Z\",\r\n \"createdTimeUtc\": \"2020-12-10T21:11:46.9390899Z\",\r\n \"incidentNumber\": 90,\r\n \"additionalData\": {\r\n \"alertsCount\": 0,\r\n \"bookmarksCount\": 0,\r\n \"commentsCount\": 0,\r\n \"alertProductNames\": [],\r\n \"tactics\": []\r\n },\r\n \"relatedAnalyticRuleIds\": [],\r\n \"incidentUrl\": \"https://portal.azure.com/#asset/Microsoft_Azure_Security_Insights/Incident/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/Incidents/93a8577f-b4e6-4225-9240-57bd52238502\"\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/Incidents/9948fe0a-433c-4230-ab18-41ba430d68bc\",\r\n \"name\": \"9948fe0a-433c-4230-ab18-41ba430d68bc\",\r\n \"etag\": \"\\\"bd004da3-0000-0100-0000-5fd28f120000\\\"\",\r\n \"type\": \"Microsoft.SecurityInsights/Incidents\",\r\n \"properties\": {\r\n \"title\": \"PoshModuleTest\",\r\n \"severity\": \"Low\",\r\n \"status\": \"New\",\r\n \"owner\": {\r\n \"objectId\": null,\r\n \"email\": null,\r\n \"assignedTo\": null,\r\n \"userPrincipalName\": null\r\n },\r\n \"labels\": [],\r\n \"lastModifiedTimeUtc\": \"2020-12-10T21:11:46.6741544Z\",\r\n \"createdTimeUtc\": \"2020-12-10T21:11:46.6741544Z\",\r\n \"incidentNumber\": 89,\r\n \"additionalData\": {\r\n \"alertsCount\": 0,\r\n \"bookmarksCount\": 0,\r\n \"commentsCount\": 0,\r\n \"alertProductNames\": [],\r\n \"tactics\": []\r\n },\r\n \"relatedAnalyticRuleIds\": [],\r\n \"incidentUrl\": \"https://portal.azure.com/#asset/Microsoft_Azure_Security_Insights/Incident/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/Incidents/9948fe0a-433c-4230-ab18-41ba430d68bc\"\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/Incidents/98fcdc48-02d3-40b3-830d-956cfb36cca0\",\r\n \"name\": \"98fcdc48-02d3-40b3-830d-956cfb36cca0\",\r\n \"etag\": \"\\\"af003351-0000-0100-0000-5fd0165f0000\\\"\",\r\n \"type\": \"Microsoft.SecurityInsights/Incidents\",\r\n \"properties\": {\r\n \"title\": \"MTP File activity alert\",\r\n \"description\": \"MTP File activity alert\",\r\n \"severity\": \"High\",\r\n \"status\": \"New\",\r\n \"owner\": {\r\n \"objectId\": null,\r\n \"email\": null,\r\n \"assignedTo\": null,\r\n \"userPrincipalName\": null\r\n },\r\n \"labels\": [],\r\n \"firstActivityTimeUtc\": \"2020-12-08T23:42:57.4748629Z\",\r\n \"lastActivityTimeUtc\": \"2020-12-08T23:42:57.4748629Z\",\r\n \"lastModifiedTimeUtc\": \"2020-12-09T00:12:15.0675603Z\",\r\n \"createdTimeUtc\": \"2020-12-09T00:02:01.4689098Z\",\r\n \"incidentNumber\": 78,\r\n \"additionalData\": {\r\n \"alertsCount\": 1,\r\n \"bookmarksCount\": 0,\r\n \"commentsCount\": 0,\r\n \"alertProductNames\": [\r\n \"Microsoft Defender Advanced Threat Protection\"\r\n ],\r\n \"tactics\": []\r\n },\r\n \"firstActivityTimeGenerated\": \"2020-12-09T00:02:01.3520357Z\",\r\n \"lastActivityTimeGenerated\": \"2020-12-09T00:02:01.3520357Z\",\r\n \"relatedAnalyticRuleIds\": [\r\n \"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/alertRules/209ed12a-e19a-4a05-9d81-e11d2be3cafa\"\r\n ],\r\n \"incidentUrl\": \"https://portal.azure.com/#asset/Microsoft_Azure_Security_Insights/Incident/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/Incidents/98fcdc48-02d3-40b3-830d-956cfb36cca0\"\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/Incidents/fbd6d4a7-ca9c-4305-a465-ab99f342b2b5\",\r\n \"name\": \"fbd6d4a7-ca9c-4305-a465-ab99f342b2b5\",\r\n \"etag\": \"\\\"a700d02c-0000-0100-0000-5fcffedb0000\\\"\",\r\n \"type\": \"Microsoft.SecurityInsights/Incidents\",\r\n \"properties\": {\r\n \"title\": \"CEE Azure Sentinel Rock!!! 10:22\",\r\n \"description\": \"CEE Azure Sentinel Rock!!! 10:22\",\r\n \"severity\": \"High\",\r\n \"status\": \"New\",\r\n \"owner\": {\r\n \"objectId\": null,\r\n \"email\": null,\r\n \"assignedTo\": null,\r\n \"userPrincipalName\": null\r\n },\r\n \"labels\": [],\r\n \"firstActivityTimeUtc\": \"2020-12-08T22:13:20.7043059Z\",\r\n \"lastActivityTimeUtc\": \"2020-12-08T22:13:20.7043059Z\",\r\n \"lastModifiedTimeUtc\": \"2020-12-08T22:31:55.7121156Z\",\r\n \"createdTimeUtc\": \"2020-12-08T22:31:55.7121156Z\",\r\n \"incidentNumber\": 77,\r\n \"additionalData\": {\r\n \"alertsCount\": 1,\r\n \"bookmarksCount\": 0,\r\n \"commentsCount\": 0,\r\n \"alertProductNames\": [\r\n \"Microsoft Defender Advanced Threat Protection\"\r\n ],\r\n \"tactics\": [\r\n \"CredentialAccess\"\r\n ]\r\n },\r\n \"firstActivityTimeGenerated\": \"2020-12-08T22:31:55.6563304Z\",\r\n \"lastActivityTimeGenerated\": \"2020-12-08T22:31:55.6563304Z\",\r\n \"relatedAnalyticRuleIds\": [\r\n \"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/alertRules/209ed12a-e19a-4a05-9d81-e11d2be3cafa\"\r\n ],\r\n \"incidentUrl\": \"https://portal.azure.com/#asset/Microsoft_Azure_Security_Insights/Incident/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/Incidents/fbd6d4a7-ca9c-4305-a465-ab99f342b2b5\"\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/Incidents/e7171545-cbb7-410a-8e20-f75f527907de\",\r\n \"name\": \"e7171545-cbb7-410a-8e20-f75f527907de\",\r\n \"etag\": \"\\\"a200191b-0000-0100-0000-5fcff5640000\\\"\",\r\n \"type\": \"Microsoft.SecurityInsights/Incidents\",\r\n \"properties\": {\r\n \"title\": \"MTP File activity alert\",\r\n \"description\": \"MTP File activity alert\",\r\n \"severity\": \"High\",\r\n \"status\": \"New\",\r\n \"owner\": {\r\n \"objectId\": null,\r\n \"email\": null,\r\n \"assignedTo\": null,\r\n \"userPrincipalName\": null\r\n },\r\n \"labels\": [],\r\n \"firstActivityTimeUtc\": \"2020-12-08T21:38:30.7987903Z\",\r\n \"lastActivityTimeUtc\": \"2020-12-08T21:38:30.7987903Z\",\r\n \"lastModifiedTimeUtc\": \"2020-12-08T21:51:32.263406Z\",\r\n \"createdTimeUtc\": \"2020-12-08T21:51:32.263406Z\",\r\n \"incidentNumber\": 76,\r\n \"additionalData\": {\r\n \"alertsCount\": 1,\r\n \"bookmarksCount\": 0,\r\n \"commentsCount\": 0,\r\n \"alertProductNames\": [\r\n \"Microsoft Defender Advanced Threat Protection\"\r\n ],\r\n \"tactics\": []\r\n },\r\n \"firstActivityTimeGenerated\": \"2020-12-08T21:51:32.2119971Z\",\r\n \"lastActivityTimeGenerated\": \"2020-12-08T21:51:32.2119971Z\",\r\n \"relatedAnalyticRuleIds\": [\r\n \"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/alertRules/209ed12a-e19a-4a05-9d81-e11d2be3cafa\"\r\n ],\r\n \"incidentUrl\": \"https://portal.azure.com/#asset/Microsoft_Azure_Security_Insights/Incident/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/Incidents/e7171545-cbb7-410a-8e20-f75f527907de\"\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/Incidents/e7f03f88-68f4-40d9-b05e-8700cfdbc43e\",\r\n \"name\": \"e7f03f88-68f4-40d9-b05e-8700cfdbc43e\",\r\n \"etag\": \"\\\"7f00a1fc-0000-0100-0000-5fcf954c0000\\\"\",\r\n \"type\": \"Microsoft.SecurityInsights/Incidents\",\r\n \"properties\": {\r\n \"title\": \"MTP Sync - Yanivsh\",\r\n \"description\": \"MTP Sync - Yanivsh\",\r\n \"severity\": \"High\",\r\n \"status\": \"New\",\r\n \"owner\": {\r\n \"objectId\": null,\r\n \"email\": null,\r\n \"assignedTo\": null,\r\n \"userPrincipalName\": null\r\n },\r\n \"labels\": [],\r\n \"firstActivityTimeUtc\": \"2020-12-08T14:34:17.084673Z\",\r\n \"lastActivityTimeUtc\": \"2020-12-08T14:34:17.084673Z\",\r\n \"lastModifiedTimeUtc\": \"2020-12-08T15:01:32.4334481Z\",\r\n \"createdTimeUtc\": \"2020-12-08T15:01:32.4334481Z\",\r\n \"incidentNumber\": 75,\r\n \"additionalData\": {\r\n \"alertsCount\": 1,\r\n \"bookmarksCount\": 0,\r\n \"commentsCount\": 0,\r\n \"alertProductNames\": [\r\n \"Microsoft Defender Advanced Threat Protection\"\r\n ],\r\n \"tactics\": [\r\n \"InitialAccess\"\r\n ]\r\n },\r\n \"firstActivityTimeGenerated\": \"2020-12-08T15:01:32.3621186Z\",\r\n \"lastActivityTimeGenerated\": \"2020-12-08T15:01:32.3621186Z\",\r\n \"relatedAnalyticRuleIds\": [\r\n \"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/alertRules/209ed12a-e19a-4a05-9d81-e11d2be3cafa\"\r\n ],\r\n \"incidentUrl\": \"https://portal.azure.com/#asset/Microsoft_Azure_Security_Insights/Incident/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/Incidents/e7f03f88-68f4-40d9-b05e-8700cfdbc43e\"\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/Incidents/e8ad468a-71b3-41b5-9723-16676232ef49\",\r\n \"name\": \"e8ad468a-71b3-41b5-9723-16676232ef49\",\r\n \"etag\": \"\\\"7f005efc-0000-0100-0000-5fcf942e0000\\\"\",\r\n \"type\": \"Microsoft.SecurityInsights/Incidents\",\r\n \"properties\": {\r\n \"title\": \"CEE Azure Sentinel Rock!!! 10:22\",\r\n \"description\": \"CEE Azure Sentinel Rock!!! 10:22\",\r\n \"severity\": \"High\",\r\n \"status\": \"New\",\r\n \"owner\": {\r\n \"objectId\": null,\r\n \"email\": null,\r\n \"assignedTo\": null,\r\n \"userPrincipalName\": null\r\n },\r\n \"labels\": [],\r\n \"firstActivityTimeUtc\": \"2020-12-08T14:29:49.0938867Z\",\r\n \"lastActivityTimeUtc\": \"2020-12-08T14:29:49.0938867Z\",\r\n \"lastModifiedTimeUtc\": \"2020-12-08T14:56:46.187193Z\",\r\n \"createdTimeUtc\": \"2020-12-08T14:56:46.187193Z\",\r\n \"incidentNumber\": 74,\r\n \"additionalData\": {\r\n \"alertsCount\": 1,\r\n \"bookmarksCount\": 0,\r\n \"commentsCount\": 0,\r\n \"alertProductNames\": [\r\n \"Microsoft Defender Advanced Threat Protection\"\r\n ],\r\n \"tactics\": [\r\n \"CredentialAccess\"\r\n ]\r\n },\r\n \"firstActivityTimeGenerated\": \"2020-12-08T14:56:32.5704583Z\",\r\n \"lastActivityTimeGenerated\": \"2020-12-08T14:56:32.5704583Z\",\r\n \"relatedAnalyticRuleIds\": [\r\n \"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/alertRules/209ed12a-e19a-4a05-9d81-e11d2be3cafa\"\r\n ],\r\n \"incidentUrl\": \"https://portal.azure.com/#asset/Microsoft_Azure_Security_Insights/Incident/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/Incidents/e8ad468a-71b3-41b5-9723-16676232ef49\"\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/Incidents/fc26f90c-2134-4de2-bd42-279fba4cbf57\",\r\n \"name\": \"fc26f90c-2134-4de2-bd42-279fba4cbf57\",\r\n \"etag\": \"\\\"7f0014f9-0000-0100-0000-5fcf8c0f0000\\\"\",\r\n \"type\": \"Microsoft.SecurityInsights/Incidents\",\r\n \"properties\": {\r\n \"title\": \"MTP File activity alert\",\r\n \"description\": \"MTP File activity alert\",\r\n \"severity\": \"High\",\r\n \"status\": \"New\",\r\n \"owner\": {\r\n \"objectId\": null,\r\n \"email\": null,\r\n \"assignedTo\": null,\r\n \"userPrincipalName\": null\r\n },\r\n \"labels\": [],\r\n \"firstActivityTimeUtc\": \"2020-12-08T14:05:01.1326784Z\",\r\n \"lastActivityTimeUtc\": \"2020-12-08T14:05:01.1326784Z\",\r\n \"lastModifiedTimeUtc\": \"2020-12-08T14:22:07.355655Z\",\r\n \"createdTimeUtc\": \"2020-12-08T14:22:07.355655Z\",\r\n \"incidentNumber\": 73,\r\n \"additionalData\": {\r\n \"alertsCount\": 1,\r\n \"bookmarksCount\": 0,\r\n \"commentsCount\": 0,\r\n \"alertProductNames\": [\r\n \"Microsoft Defender Advanced Threat Protection\"\r\n ],\r\n \"tactics\": []\r\n },\r\n \"firstActivityTimeGenerated\": \"2020-12-08T14:22:07.2882692Z\",\r\n \"lastActivityTimeGenerated\": \"2020-12-08T14:22:07.2882692Z\",\r\n \"relatedAnalyticRuleIds\": [\r\n \"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/alertRules/209ed12a-e19a-4a05-9d81-e11d2be3cafa\"\r\n ],\r\n \"incidentUrl\": \"https://portal.azure.com/#asset/Microsoft_Azure_Security_Insights/Incident/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/Incidents/fc26f90c-2134-4de2-bd42-279fba4cbf57\"\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/Incidents/db63eb23-6b5c-4810-92ce-53fa5937178f\",\r\n \"name\": \"db63eb23-6b5c-4810-92ce-53fa5937178f\",\r\n \"etag\": \"\\\"62005cd4-0000-0100-0000-5fcf39fe0000\\\"\",\r\n \"type\": \"Microsoft.SecurityInsights/Incidents\",\r\n \"properties\": {\r\n \"title\": \"CEE Azure Sentinel Rock!!! 10:22\",\r\n \"description\": \"CEE Azure Sentinel Rock!!! 10:22\",\r\n \"severity\": \"High\",\r\n \"status\": \"New\",\r\n \"owner\": {\r\n \"objectId\": null,\r\n \"email\": null,\r\n \"assignedTo\": null,\r\n \"userPrincipalName\": null\r\n },\r\n \"labels\": [],\r\n \"firstActivityTimeUtc\": \"2020-12-08T03:50:17.6487678Z\",\r\n \"lastActivityTimeUtc\": \"2020-12-08T03:50:17.6487678Z\",\r\n \"lastModifiedTimeUtc\": \"2020-12-08T08:31:58.2820319Z\",\r\n \"createdTimeUtc\": \"2020-12-08T08:31:58.2820319Z\",\r\n \"incidentNumber\": 72,\r\n \"additionalData\": {\r\n \"alertsCount\": 1,\r\n \"bookmarksCount\": 0,\r\n \"commentsCount\": 0,\r\n \"alertProductNames\": [\r\n \"Microsoft Defender Advanced Threat Protection\"\r\n ],\r\n \"tactics\": [\r\n \"CredentialAccess\"\r\n ]\r\n },\r\n \"firstActivityTimeGenerated\": \"2020-12-08T08:31:58.188433Z\",\r\n \"lastActivityTimeGenerated\": \"2020-12-08T08:31:58.188433Z\",\r\n \"relatedAnalyticRuleIds\": [\r\n \"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/alertRules/209ed12a-e19a-4a05-9d81-e11d2be3cafa\"\r\n ],\r\n \"incidentUrl\": \"https://portal.azure.com/#asset/Microsoft_Azure_Security_Insights/Incident/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/Incidents/db63eb23-6b5c-4810-92ce-53fa5937178f\"\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/Incidents/ef17f26c-25e0-465a-9390-5dfc2fa62bde\",\r\n \"name\": \"ef17f26c-25e0-465a-9390-5dfc2fa62bde\",\r\n \"etag\": \"\\\"61002cc0-0000-0100-0000-5fcf2c050000\\\"\",\r\n \"type\": \"Microsoft.SecurityInsights/Incidents\",\r\n \"properties\": {\r\n \"title\": \"MTP Sync - Yanivsh\",\r\n \"description\": \"MTP Sync - Yanivsh\",\r\n \"severity\": \"High\",\r\n \"status\": \"New\",\r\n \"owner\": {\r\n \"objectId\": null,\r\n \"email\": null,\r\n \"assignedTo\": null,\r\n \"userPrincipalName\": null\r\n },\r\n \"labels\": [],\r\n \"firstActivityTimeUtc\": \"2020-12-08T07:18:05.8786345Z\",\r\n \"lastActivityTimeUtc\": \"2020-12-08T07:18:05.8786345Z\",\r\n \"lastModifiedTimeUtc\": \"2020-12-08T07:32:21.0005158Z\",\r\n \"createdTimeUtc\": \"2020-12-08T07:32:21.0005158Z\",\r\n \"incidentNumber\": 71,\r\n \"additionalData\": {\r\n \"alertsCount\": 1,\r\n \"bookmarksCount\": 0,\r\n \"commentsCount\": 0,\r\n \"alertProductNames\": [\r\n \"Microsoft Defender Advanced Threat Protection\"\r\n ],\r\n \"tactics\": [\r\n \"InitialAccess\"\r\n ]\r\n },\r\n \"firstActivityTimeGenerated\": \"2020-12-08T07:32:20.9413713Z\",\r\n \"lastActivityTimeGenerated\": \"2020-12-08T07:32:20.9413713Z\",\r\n \"relatedAnalyticRuleIds\": [\r\n \"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/alertRules/209ed12a-e19a-4a05-9d81-e11d2be3cafa\"\r\n ],\r\n \"incidentUrl\": \"https://portal.azure.com/#asset/Microsoft_Azure_Security_Insights/Incident/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/Incidents/ef17f26c-25e0-465a-9390-5dfc2fa62bde\"\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/Incidents/3b73c374-dd2e-4d0c-9bfc-e38de9a02b8e\",\r\n \"name\": \"3b73c374-dd2e-4d0c-9bfc-e38de9a02b8e\",\r\n \"etag\": \"\\\"5c006f5c-0000-0100-0000-5fcef0fa0000\\\"\",\r\n \"type\": \"Microsoft.SecurityInsights/Incidents\",\r\n \"properties\": {\r\n \"title\": \"PoshModuleTest\",\r\n \"severity\": \"Low\",\r\n \"status\": \"New\",\r\n \"owner\": {\r\n \"objectId\": null,\r\n \"email\": null,\r\n \"assignedTo\": null,\r\n \"userPrincipalName\": null\r\n },\r\n \"labels\": [],\r\n \"lastModifiedTimeUtc\": \"2020-12-08T03:20:26.5509969Z\",\r\n \"createdTimeUtc\": \"2020-12-08T03:20:26.5509969Z\",\r\n \"incidentNumber\": 68,\r\n \"additionalData\": {\r\n \"alertsCount\": 0,\r\n \"bookmarksCount\": 0,\r\n \"commentsCount\": 0,\r\n \"alertProductNames\": [],\r\n \"tactics\": []\r\n },\r\n \"relatedAnalyticRuleIds\": [],\r\n \"incidentUrl\": \"https://portal.azure.com/#asset/Microsoft_Azure_Security_Insights/Incident/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/Incidents/3b73c374-dd2e-4d0c-9bfc-e38de9a02b8e\"\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/Incidents/af9792ba-857a-49f9-9ab0-cae6a4ea7a25\",\r\n \"name\": \"af9792ba-857a-49f9-9ab0-cae6a4ea7a25\",\r\n \"etag\": \"\\\"5c000158-0000-0100-0000-5fcef0c60000\\\"\",\r\n \"type\": \"Microsoft.SecurityInsights/Incidents\",\r\n \"properties\": {\r\n \"title\": \"PoshModuleTest\",\r\n \"severity\": \"Low\",\r\n \"status\": \"New\",\r\n \"owner\": {\r\n \"objectId\": null,\r\n \"email\": null,\r\n \"assignedTo\": null,\r\n \"userPrincipalName\": null\r\n },\r\n \"labels\": [],\r\n \"lastModifiedTimeUtc\": \"2020-12-08T03:19:34.1416452Z\",\r\n \"createdTimeUtc\": \"2020-12-08T03:19:34.1416452Z\",\r\n \"incidentNumber\": 67,\r\n \"additionalData\": {\r\n \"alertsCount\": 0,\r\n \"bookmarksCount\": 0,\r\n \"commentsCount\": 0,\r\n \"alertProductNames\": [],\r\n \"tactics\": []\r\n },\r\n \"relatedAnalyticRuleIds\": [],\r\n \"incidentUrl\": \"https://portal.azure.com/#asset/Microsoft_Azure_Security_Insights/Incident/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/Incidents/af9792ba-857a-49f9-9ab0-cae6a4ea7a25\"\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/Incidents/004e4954-edd5-47aa-a745-107c8be9e8b1\",\r\n \"name\": \"004e4954-edd5-47aa-a745-107c8be9e8b1\",\r\n \"etag\": \"\\\"5c009838-0000-0100-0000-5fceef5a0000\\\"\",\r\n \"type\": \"Microsoft.SecurityInsights/Incidents\",\r\n \"properties\": {\r\n \"title\": \"PoshModuleTest\",\r\n \"severity\": \"Low\",\r\n \"status\": \"New\",\r\n \"owner\": {\r\n \"objectId\": null,\r\n \"email\": null,\r\n \"assignedTo\": null,\r\n \"userPrincipalName\": null\r\n },\r\n \"labels\": [],\r\n \"lastModifiedTimeUtc\": \"2020-12-08T03:13:30.7115451Z\",\r\n \"createdTimeUtc\": \"2020-12-08T03:13:30.7115451Z\",\r\n \"incidentNumber\": 63,\r\n \"additionalData\": {\r\n \"alertsCount\": 0,\r\n \"bookmarksCount\": 0,\r\n \"commentsCount\": 0,\r\n \"alertProductNames\": [],\r\n \"tactics\": []\r\n },\r\n \"relatedAnalyticRuleIds\": [],\r\n \"incidentUrl\": \"https://portal.azure.com/#asset/Microsoft_Azure_Security_Insights/Incident/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/Incidents/004e4954-edd5-47aa-a745-107c8be9e8b1\"\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/Incidents/13d697e9-dec5-4aa3-980c-578328767961\",\r\n \"name\": \"13d697e9-dec5-4aa3-980c-578328767961\",\r\n \"etag\": \"\\\"5c000f38-0000-0100-0000-5fceef540000\\\"\",\r\n \"type\": \"Microsoft.SecurityInsights/Incidents\",\r\n \"properties\": {\r\n \"title\": \"PoshModuleTest\",\r\n \"severity\": \"Low\",\r\n \"status\": \"New\",\r\n \"owner\": {\r\n \"objectId\": null,\r\n \"email\": null,\r\n \"assignedTo\": null,\r\n \"userPrincipalName\": null\r\n },\r\n \"labels\": [],\r\n \"lastModifiedTimeUtc\": \"2020-12-08T03:13:24.8080045Z\",\r\n \"createdTimeUtc\": \"2020-12-08T03:13:24.8080045Z\",\r\n \"incidentNumber\": 59,\r\n \"additionalData\": {\r\n \"alertsCount\": 0,\r\n \"bookmarksCount\": 0,\r\n \"commentsCount\": 0,\r\n \"alertProductNames\": [],\r\n \"tactics\": []\r\n },\r\n \"relatedAnalyticRuleIds\": [],\r\n \"incidentUrl\": \"https://portal.azure.com/#asset/Microsoft_Azure_Security_Insights/Incident/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/Incidents/13d697e9-dec5-4aa3-980c-578328767961\"\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/Incidents/ed5610fb-d221-4006-82c3-7a296f0e89b6\",\r\n \"name\": \"ed5610fb-d221-4006-82c3-7a296f0e89b6\",\r\n \"etag\": \"\\\"5c00df2f-0000-0100-0000-5fceeefc0000\\\"\",\r\n \"type\": \"Microsoft.SecurityInsights/Incidents\",\r\n \"properties\": {\r\n \"title\": \"PoshModuleTest\",\r\n \"severity\": \"Low\",\r\n \"status\": \"New\",\r\n \"owner\": {\r\n \"objectId\": null,\r\n \"email\": null,\r\n \"assignedTo\": null,\r\n \"userPrincipalName\": null\r\n },\r\n \"labels\": [],\r\n \"lastModifiedTimeUtc\": \"2020-12-08T03:11:56.310588Z\",\r\n \"createdTimeUtc\": \"2020-12-08T03:11:56.310588Z\",\r\n \"incidentNumber\": 53,\r\n \"additionalData\": {\r\n \"alertsCount\": 0,\r\n \"bookmarksCount\": 0,\r\n \"commentsCount\": 0,\r\n \"alertProductNames\": [],\r\n \"tactics\": []\r\n },\r\n \"relatedAnalyticRuleIds\": [],\r\n \"incidentUrl\": \"https://portal.azure.com/#asset/Microsoft_Azure_Security_Insights/Incident/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/Incidents/ed5610fb-d221-4006-82c3-7a296f0e89b6\"\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/Incidents/e45ff961-9ac7-4cd1-9f3f-92578ac007ce\",\r\n \"name\": \"e45ff961-9ac7-4cd1-9f3f-92578ac007ce\",\r\n \"etag\": \"\\\"5c00512f-0000-0100-0000-5fceeef60000\\\"\",\r\n \"type\": \"Microsoft.SecurityInsights/Incidents\",\r\n \"properties\": {\r\n \"title\": \"PoshModuleTest\",\r\n \"severity\": \"Low\",\r\n \"status\": \"New\",\r\n \"owner\": {\r\n \"objectId\": null,\r\n \"email\": null,\r\n \"assignedTo\": null,\r\n \"userPrincipalName\": null\r\n },\r\n \"labels\": [],\r\n \"lastModifiedTimeUtc\": \"2020-12-08T03:11:50.6729196Z\",\r\n \"createdTimeUtc\": \"2020-12-08T03:11:50.6729196Z\",\r\n \"incidentNumber\": 49,\r\n \"additionalData\": {\r\n \"alertsCount\": 0,\r\n \"bookmarksCount\": 0,\r\n \"commentsCount\": 0,\r\n \"alertProductNames\": [],\r\n \"tactics\": []\r\n },\r\n \"relatedAnalyticRuleIds\": [],\r\n \"incidentUrl\": \"https://portal.azure.com/#asset/Microsoft_Azure_Security_Insights/Incident/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/Incidents/e45ff961-9ac7-4cd1-9f3f-92578ac007ce\"\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/Incidents/2a8b581f-20cb-49a9-93e8-a98f31d7c150\",\r\n \"name\": \"2a8b581f-20cb-49a9-93e8-a98f31d7c150\",\r\n \"etag\": \"\\\"58004518-0000-0100-0000-5fce7d570000\\\"\",\r\n \"type\": \"Microsoft.SecurityInsights/Incidents\",\r\n \"properties\": {\r\n \"title\": \"MTP File activity alert\",\r\n \"description\": \"MTP File activity alert\",\r\n \"severity\": \"High\",\r\n \"status\": \"New\",\r\n \"owner\": {\r\n \"objectId\": null,\r\n \"email\": null,\r\n \"assignedTo\": null,\r\n \"userPrincipalName\": null\r\n },\r\n \"labels\": [],\r\n \"firstActivityTimeUtc\": \"2020-12-07T18:48:34.3363505Z\",\r\n \"lastActivityTimeUtc\": \"2020-12-07T18:48:34.3363505Z\",\r\n \"lastModifiedTimeUtc\": \"2020-12-07T19:07:03.5640939Z\",\r\n \"createdTimeUtc\": \"2020-12-07T19:07:03.5640939Z\",\r\n \"incidentNumber\": 46,\r\n \"additionalData\": {\r\n \"alertsCount\": 1,\r\n \"bookmarksCount\": 0,\r\n \"commentsCount\": 0,\r\n \"alertProductNames\": [\r\n \"Microsoft Defender Advanced Threat Protection\"\r\n ],\r\n \"tactics\": []\r\n },\r\n \"firstActivityTimeGenerated\": \"2020-12-07T19:07:03.4926642Z\",\r\n \"lastActivityTimeGenerated\": \"2020-12-07T19:07:03.4926642Z\",\r\n \"relatedAnalyticRuleIds\": [\r\n \"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/alertRules/209ed12a-e19a-4a05-9d81-e11d2be3cafa\"\r\n ],\r\n \"incidentUrl\": \"https://portal.azure.com/#asset/Microsoft_Azure_Security_Insights/Incident/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/Incidents/2a8b581f-20cb-49a9-93e8-a98f31d7c150\"\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/Incidents/9ad4e331-42c9-4629-a77d-6067d823c537\",\r\n \"name\": \"9ad4e331-42c9-4629-a77d-6067d823c537\",\r\n \"etag\": \"\\\"c80034c8-0000-0100-0000-5fc6b9e50000\\\"\",\r\n \"type\": \"Microsoft.SecurityInsights/Incidents\",\r\n \"properties\": {\r\n \"title\": \"PoshModuleTest\",\r\n \"description\": \"\",\r\n \"severity\": \"Medium\",\r\n \"status\": \"New\",\r\n \"owner\": {\r\n \"objectId\": \"73175b58-b9d7-49eb-b315-7f792a03e380\",\r\n \"email\": \"tiandert@buildseccxpninja.onmicrosoft.com\",\r\n \"assignedTo\": \"Tiander Turpijn\",\r\n \"userPrincipalName\": \"tiandert@buildseccxpninja.onmicrosoft.com\"\r\n },\r\n \"labels\": [],\r\n \"lastModifiedTimeUtc\": \"2020-12-01T21:47:17.1929778Z\",\r\n \"createdTimeUtc\": \"2020-11-29T23:37:21.077359Z\",\r\n \"incidentNumber\": 45,\r\n \"additionalData\": {\r\n \"alertsCount\": 0,\r\n \"bookmarksCount\": 1,\r\n \"commentsCount\": 1,\r\n \"alertProductNames\": [],\r\n \"tactics\": []\r\n },\r\n \"relatedAnalyticRuleIds\": [],\r\n \"incidentUrl\": \"https://portal.azure.com/#asset/Microsoft_Azure_Security_Insights/Incident/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/Incidents/9ad4e331-42c9-4629-a77d-6067d823c537\"\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/Incidents/24a9d0ef-a43c-43a6-a96e-fb0a5bf2ac86\",\r\n \"name\": \"24a9d0ef-a43c-43a6-a96e-fb0a5bf2ac86\",\r\n \"etag\": \"\\\"a2003222-0000-0100-0000-5fc433a90000\\\"\",\r\n \"type\": \"Microsoft.SecurityInsights/Incidents\",\r\n \"properties\": {\r\n \"title\": \"PoshModuleTest\",\r\n \"severity\": \"Low\",\r\n \"status\": \"New\",\r\n \"owner\": {\r\n \"objectId\": null,\r\n \"email\": null,\r\n \"assignedTo\": null,\r\n \"userPrincipalName\": null\r\n },\r\n \"labels\": [],\r\n \"lastModifiedTimeUtc\": \"2020-11-29T23:50:01.3150768Z\",\r\n \"createdTimeUtc\": \"2020-11-23T20:45:36.1963838Z\",\r\n \"incidentNumber\": 32,\r\n \"additionalData\": {\r\n \"alertsCount\": 0,\r\n \"bookmarksCount\": 1,\r\n \"commentsCount\": 2,\r\n \"alertProductNames\": [],\r\n \"tactics\": []\r\n },\r\n \"relatedAnalyticRuleIds\": [],\r\n \"incidentUrl\": \"https://portal.azure.com/#asset/Microsoft_Azure_Security_Insights/Incident/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/Incidents/24a9d0ef-a43c-43a6-a96e-fb0a5bf2ac86\"\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/Incidents/8a649275-21e0-4a3f-a6cd-d7a1598fee6a\",\r\n \"name\": \"8a649275-21e0-4a3f-a6cd-d7a1598fee6a\",\r\n \"etag\": \"\\\"1e00921c-0000-0100-0000-5fbc1f500000\\\"\",\r\n \"type\": \"Microsoft.SecurityInsights/Incidents\",\r\n \"properties\": {\r\n \"title\": \"PoshModuleTest\",\r\n \"severity\": \"Low\",\r\n \"status\": \"New\",\r\n \"owner\": {\r\n \"objectId\": null,\r\n \"email\": null,\r\n \"assignedTo\": null,\r\n \"userPrincipalName\": null\r\n },\r\n \"labels\": [],\r\n \"lastModifiedTimeUtc\": \"2020-11-23T20:45:04.1765042Z\",\r\n \"createdTimeUtc\": \"2020-11-23T20:45:04.1765042Z\",\r\n \"incidentNumber\": 31,\r\n \"additionalData\": {\r\n \"alertsCount\": 0,\r\n \"bookmarksCount\": 0,\r\n \"commentsCount\": 0,\r\n \"alertProductNames\": [],\r\n \"tactics\": []\r\n },\r\n \"relatedAnalyticRuleIds\": [],\r\n \"incidentUrl\": \"https://portal.azure.com/#asset/Microsoft_Azure_Security_Insights/Incident/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/Incidents/8a649275-21e0-4a3f-a6cd-d7a1598fee6a\"\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/Incidents/57b16c90-3bf2-4c14-884f-4acc0a88c6e0\",\r\n \"name\": \"57b16c90-3bf2-4c14-884f-4acc0a88c6e0\",\r\n \"etag\": \"\\\"1e00b719-0000-0100-0000-5fbc1f230000\\\"\",\r\n \"type\": \"Microsoft.SecurityInsights/Incidents\",\r\n \"properties\": {\r\n \"title\": \"PoshModuleTest\",\r\n \"severity\": \"Low\",\r\n \"status\": \"New\",\r\n \"owner\": {\r\n \"objectId\": null,\r\n \"email\": null,\r\n \"assignedTo\": null,\r\n \"userPrincipalName\": null\r\n },\r\n \"labels\": [],\r\n \"lastModifiedTimeUtc\": \"2020-11-23T20:44:19.4658389Z\",\r\n \"createdTimeUtc\": \"2020-11-23T20:44:19.4658389Z\",\r\n \"incidentNumber\": 30,\r\n \"additionalData\": {\r\n \"alertsCount\": 0,\r\n \"bookmarksCount\": 0,\r\n \"commentsCount\": 0,\r\n \"alertProductNames\": [],\r\n \"tactics\": []\r\n },\r\n \"relatedAnalyticRuleIds\": [],\r\n \"incidentUrl\": \"https://portal.azure.com/#asset/Microsoft_Azure_Security_Insights/Incident/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/Incidents/57b16c90-3bf2-4c14-884f-4acc0a88c6e0\"\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/Incidents/4541d8a2-0883-454b-8066-186cbe095558\",\r\n \"name\": \"4541d8a2-0883-454b-8066-186cbe095558\",\r\n \"etag\": \"\\\"1e000e15-0000-0100-0000-5fbc1ed90000\\\"\",\r\n \"type\": \"Microsoft.SecurityInsights/Incidents\",\r\n \"properties\": {\r\n \"title\": \"PoshModuleTest\",\r\n \"severity\": \"Low\",\r\n \"status\": \"New\",\r\n \"owner\": {\r\n \"objectId\": null,\r\n \"email\": null,\r\n \"assignedTo\": null,\r\n \"userPrincipalName\": null\r\n },\r\n \"labels\": [],\r\n \"lastModifiedTimeUtc\": \"2020-11-23T20:43:05.7558114Z\",\r\n \"createdTimeUtc\": \"2020-11-23T20:43:05.3753439Z\",\r\n \"incidentNumber\": 28,\r\n \"additionalData\": {\r\n \"alertsCount\": 0,\r\n \"bookmarksCount\": 0,\r\n \"commentsCount\": 1,\r\n \"alertProductNames\": [],\r\n \"tactics\": []\r\n },\r\n \"relatedAnalyticRuleIds\": [],\r\n \"incidentUrl\": \"https://portal.azure.com/#asset/Microsoft_Azure_Security_Insights/Incident/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/Incidents/4541d8a2-0883-454b-8066-186cbe095558\"\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/Incidents/f43365b7-e355-47d6-a5d4-578e7a57be37\",\r\n \"name\": \"f43365b7-e355-47d6-a5d4-578e7a57be37\",\r\n \"etag\": \"\\\"1e005f13-0000-0100-0000-5fbc1eb70000\\\"\",\r\n \"type\": \"Microsoft.SecurityInsights/Incidents\",\r\n \"properties\": {\r\n \"title\": \"PoshModuleTest\",\r\n \"severity\": \"Low\",\r\n \"status\": \"New\",\r\n \"owner\": {\r\n \"objectId\": null,\r\n \"email\": null,\r\n \"assignedTo\": null,\r\n \"userPrincipalName\": null\r\n },\r\n \"labels\": [],\r\n \"lastModifiedTimeUtc\": \"2020-11-23T20:42:31.1301819Z\",\r\n \"createdTimeUtc\": \"2020-11-23T20:42:30.7228533Z\",\r\n \"incidentNumber\": 27,\r\n \"additionalData\": {\r\n \"alertsCount\": 0,\r\n \"bookmarksCount\": 0,\r\n \"commentsCount\": 1,\r\n \"alertProductNames\": [],\r\n \"tactics\": []\r\n },\r\n \"relatedAnalyticRuleIds\": [],\r\n \"incidentUrl\": \"https://portal.azure.com/#asset/Microsoft_Azure_Security_Insights/Incident/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/Incidents/f43365b7-e355-47d6-a5d4-578e7a57be37\"\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/Incidents/2992b2dd-bea0-49eb-bb3b-7c25df8a55fb\",\r\n \"name\": \"2992b2dd-bea0-49eb-bb3b-7c25df8a55fb\",\r\n \"etag\": \"\\\"1e007d11-0000-0100-0000-5fbc1e800000\\\"\",\r\n \"type\": \"Microsoft.SecurityInsights/Incidents\",\r\n \"properties\": {\r\n \"title\": \"PoshModuleTest\",\r\n \"severity\": \"Low\",\r\n \"status\": \"New\",\r\n \"owner\": {\r\n \"objectId\": null,\r\n \"email\": null,\r\n \"assignedTo\": null,\r\n \"userPrincipalName\": null\r\n },\r\n \"labels\": [],\r\n \"lastModifiedTimeUtc\": \"2020-11-23T20:41:36.5956726Z\",\r\n \"createdTimeUtc\": \"2020-11-23T20:41:36.5956726Z\",\r\n \"incidentNumber\": 25,\r\n \"additionalData\": {\r\n \"alertsCount\": 0,\r\n \"bookmarksCount\": 0,\r\n \"commentsCount\": 0,\r\n \"alertProductNames\": [],\r\n \"tactics\": []\r\n },\r\n \"relatedAnalyticRuleIds\": [],\r\n \"incidentUrl\": \"https://portal.azure.com/#asset/Microsoft_Azure_Security_Insights/Incident/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/Incidents/2992b2dd-bea0-49eb-bb3b-7c25df8a55fb\"\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/Incidents/bdb9b1a2-b1cf-4b2d-981b-ebf5cf896d16\",\r\n \"name\": \"bdb9b1a2-b1cf-4b2d-981b-ebf5cf896d16\",\r\n \"etag\": \"\\\"a3008448-0000-0100-0000-5fc439f70000\\\"\",\r\n \"type\": \"Microsoft.SecurityInsights/Incidents\",\r\n \"properties\": {\r\n \"title\": \"PoshModuleTest\",\r\n \"severity\": \"Low\",\r\n \"status\": \"New\",\r\n \"owner\": {\r\n \"objectId\": null,\r\n \"email\": null,\r\n \"assignedTo\": null,\r\n \"userPrincipalName\": null\r\n },\r\n \"labels\": [\r\n {\r\n \"labelName\": \"test\",\r\n \"labelType\": \"User\"\r\n }\r\n ],\r\n \"lastModifiedTimeUtc\": \"2020-11-30T00:16:55.0086648Z\",\r\n \"createdTimeUtc\": \"2020-11-23T20:41:02.1446955Z\",\r\n \"incidentNumber\": 24,\r\n \"additionalData\": {\r\n \"alertsCount\": 0,\r\n \"bookmarksCount\": 0,\r\n \"commentsCount\": 0,\r\n \"alertProductNames\": [],\r\n \"tactics\": []\r\n },\r\n \"relatedAnalyticRuleIds\": [],\r\n \"incidentUrl\": \"https://portal.azure.com/#asset/Microsoft_Azure_Security_Insights/Incident/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/Incidents/bdb9b1a2-b1cf-4b2d-981b-ebf5cf896d16\"\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/Incidents/168cea98-4380-46bf-a62c-de008cdea3ff\",\r\n \"name\": \"168cea98-4380-46bf-a62c-de008cdea3ff\",\r\n \"etag\": \"\\\"1e00560e-0000-0100-0000-5fbc1d240000\\\"\",\r\n \"type\": \"Microsoft.SecurityInsights/Incidents\",\r\n \"properties\": {\r\n \"title\": \"PoshModuleTest\",\r\n \"severity\": \"Low\",\r\n \"status\": \"New\",\r\n \"owner\": {\r\n \"objectId\": null,\r\n \"email\": null,\r\n \"assignedTo\": null,\r\n \"userPrincipalName\": null\r\n },\r\n \"labels\": [],\r\n \"lastModifiedTimeUtc\": \"2020-11-23T20:35:48.2045285Z\",\r\n \"createdTimeUtc\": \"2020-11-23T20:35:48.2045285Z\",\r\n \"incidentNumber\": 23,\r\n \"additionalData\": {\r\n \"alertsCount\": 0,\r\n \"bookmarksCount\": 0,\r\n \"commentsCount\": 0,\r\n \"alertProductNames\": [],\r\n \"tactics\": []\r\n },\r\n \"relatedAnalyticRuleIds\": [],\r\n \"incidentUrl\": \"https://portal.azure.com/#asset/Microsoft_Azure_Security_Insights/Incident/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/Incidents/168cea98-4380-46bf-a62c-de008cdea3ff\"\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/Incidents/19c1a62d-4643-4a64-b551-b5c18e6f9660\",\r\n \"name\": \"19c1a62d-4643-4a64-b551-b5c18e6f9660\",\r\n \"etag\": \"\\\"1e00bb0d-0000-0100-0000-5fbc1d040000\\\"\",\r\n \"type\": \"Microsoft.SecurityInsights/Incidents\",\r\n \"properties\": {\r\n \"title\": \"PoshModuleTest\",\r\n \"severity\": \"Low\",\r\n \"status\": \"New\",\r\n \"owner\": {\r\n \"objectId\": null,\r\n \"email\": null,\r\n \"assignedTo\": null,\r\n \"userPrincipalName\": null\r\n },\r\n \"labels\": [],\r\n \"lastModifiedTimeUtc\": \"2020-11-23T20:35:16.6872236Z\",\r\n \"createdTimeUtc\": \"2020-11-23T20:35:16.6872236Z\",\r\n \"incidentNumber\": 22,\r\n \"additionalData\": {\r\n \"alertsCount\": 0,\r\n \"bookmarksCount\": 0,\r\n \"commentsCount\": 0,\r\n \"alertProductNames\": [],\r\n \"tactics\": []\r\n },\r\n \"relatedAnalyticRuleIds\": [],\r\n \"incidentUrl\": \"https://portal.azure.com/#asset/Microsoft_Azure_Security_Insights/Incident/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/Incidents/19c1a62d-4643-4a64-b551-b5c18e6f9660\"\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/Incidents/2bd37e65-3a44-40e6-b06b-65579b178214\",\r\n \"name\": \"2bd37e65-3a44-40e6-b06b-65579b178214\",\r\n \"etag\": \"\\\"1e00660c-0000-0100-0000-5fbc1cb10000\\\"\",\r\n \"type\": \"Microsoft.SecurityInsights/Incidents\",\r\n \"properties\": {\r\n \"title\": \"PoshModuleTest\",\r\n \"severity\": \"Low\",\r\n \"status\": \"New\",\r\n \"owner\": {\r\n \"objectId\": null,\r\n \"email\": null,\r\n \"assignedTo\": null,\r\n \"userPrincipalName\": null\r\n },\r\n \"labels\": [],\r\n \"lastModifiedTimeUtc\": \"2020-11-23T20:33:53.599723Z\",\r\n \"createdTimeUtc\": \"2020-11-23T20:33:53.599723Z\",\r\n \"incidentNumber\": 21,\r\n \"additionalData\": {\r\n \"alertsCount\": 0,\r\n \"bookmarksCount\": 0,\r\n \"commentsCount\": 0,\r\n \"alertProductNames\": [],\r\n \"tactics\": []\r\n },\r\n \"relatedAnalyticRuleIds\": [],\r\n \"incidentUrl\": \"https://portal.azure.com/#asset/Microsoft_Azure_Security_Insights/Incident/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/Incidents/2bd37e65-3a44-40e6-b06b-65579b178214\"\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/Incidents/3943df6b-c886-4eb4-8303-341cb34bb2c7\",\r\n \"name\": \"3943df6b-c886-4eb4-8303-341cb34bb2c7\",\r\n \"etag\": \"\\\"1e009e0b-0000-0100-0000-5fbc1c8a0000\\\"\",\r\n \"type\": \"Microsoft.SecurityInsights/Incidents\",\r\n \"properties\": {\r\n \"title\": \"PoshModuleTest\",\r\n \"severity\": \"Low\",\r\n \"status\": \"New\",\r\n \"owner\": {\r\n \"objectId\": null,\r\n \"email\": null,\r\n \"assignedTo\": null,\r\n \"userPrincipalName\": null\r\n },\r\n \"labels\": [],\r\n \"lastModifiedTimeUtc\": \"2020-11-23T20:33:14.3058272Z\",\r\n \"createdTimeUtc\": \"2020-11-23T20:33:14.3058272Z\",\r\n \"incidentNumber\": 20,\r\n \"additionalData\": {\r\n \"alertsCount\": 0,\r\n \"bookmarksCount\": 0,\r\n \"commentsCount\": 0,\r\n \"alertProductNames\": [],\r\n \"tactics\": []\r\n },\r\n \"relatedAnalyticRuleIds\": [],\r\n \"incidentUrl\": \"https://portal.azure.com/#asset/Microsoft_Azure_Security_Insights/Incident/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/Incidents/3943df6b-c886-4eb4-8303-341cb34bb2c7\"\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/Incidents/cb83e51c-f94d-45f0-ad19-6bd2e80026f6\",\r\n \"name\": \"cb83e51c-f94d-45f0-ad19-6bd2e80026f6\",\r\n \"etag\": \"\\\"1e00860a-0000-0100-0000-5fbc1c550000\\\"\",\r\n \"type\": \"Microsoft.SecurityInsights/Incidents\",\r\n \"properties\": {\r\n \"title\": \"PoshModuleTest\",\r\n \"severity\": \"Low\",\r\n \"status\": \"New\",\r\n \"owner\": {\r\n \"objectId\": null,\r\n \"email\": null,\r\n \"assignedTo\": null,\r\n \"userPrincipalName\": null\r\n },\r\n \"labels\": [],\r\n \"lastModifiedTimeUtc\": \"2020-11-23T20:32:21.6790712Z\",\r\n \"createdTimeUtc\": \"2020-11-23T20:32:21.6790712Z\",\r\n \"incidentNumber\": 19,\r\n \"additionalData\": {\r\n \"alertsCount\": 0,\r\n \"bookmarksCount\": 0,\r\n \"commentsCount\": 0,\r\n \"alertProductNames\": [],\r\n \"tactics\": []\r\n },\r\n \"relatedAnalyticRuleIds\": [],\r\n \"incidentUrl\": \"https://portal.azure.com/#asset/Microsoft_Azure_Security_Insights/Incident/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/Incidents/cb83e51c-f94d-45f0-ad19-6bd2e80026f6\"\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/Incidents/338a12ce-c46b-4e7b-bd9a-6fdbced79a64\",\r\n \"name\": \"338a12ce-c46b-4e7b-bd9a-6fdbced79a64\",\r\n \"etag\": \"\\\"1e003d07-0000-0100-0000-5fbc1c1e0000\\\"\",\r\n \"type\": \"Microsoft.SecurityInsights/Incidents\",\r\n \"properties\": {\r\n \"title\": \"PoshModuleTest\",\r\n \"severity\": \"Low\",\r\n \"status\": \"New\",\r\n \"owner\": {\r\n \"objectId\": null,\r\n \"email\": null,\r\n \"assignedTo\": null,\r\n \"userPrincipalName\": null\r\n },\r\n \"labels\": [],\r\n \"lastModifiedTimeUtc\": \"2020-11-23T20:31:26.8920339Z\",\r\n \"createdTimeUtc\": \"2020-11-23T20:31:26.8920339Z\",\r\n \"incidentNumber\": 18,\r\n \"additionalData\": {\r\n \"alertsCount\": 0,\r\n \"bookmarksCount\": 0,\r\n \"commentsCount\": 0,\r\n \"alertProductNames\": [],\r\n \"tactics\": []\r\n },\r\n \"relatedAnalyticRuleIds\": [],\r\n \"incidentUrl\": \"https://portal.azure.com/#asset/Microsoft_Azure_Security_Insights/Incident/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/Incidents/338a12ce-c46b-4e7b-bd9a-6fdbced79a64\"\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/Incidents/a9c55386-be06-40ef-b909-48c4abcc696f\",\r\n \"name\": \"a9c55386-be06-40ef-b909-48c4abcc696f\",\r\n \"etag\": \"\\\"1e00f704-0000-0100-0000-5fbc1c030000\\\"\",\r\n \"type\": \"Microsoft.SecurityInsights/Incidents\",\r\n \"properties\": {\r\n \"title\": \"PoshModuleTest\",\r\n \"severity\": \"Low\",\r\n \"status\": \"New\",\r\n \"owner\": {\r\n \"objectId\": null,\r\n \"email\": null,\r\n \"assignedTo\": null,\r\n \"userPrincipalName\": null\r\n },\r\n \"labels\": [],\r\n \"lastModifiedTimeUtc\": \"2020-11-23T20:30:59.2614436Z\",\r\n \"createdTimeUtc\": \"2020-11-23T20:30:59.2614436Z\",\r\n \"incidentNumber\": 17,\r\n \"additionalData\": {\r\n \"alertsCount\": 0,\r\n \"bookmarksCount\": 0,\r\n \"commentsCount\": 0,\r\n \"alertProductNames\": [],\r\n \"tactics\": []\r\n },\r\n \"relatedAnalyticRuleIds\": [],\r\n \"incidentUrl\": \"https://portal.azure.com/#asset/Microsoft_Azure_Security_Insights/Incident/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/Incidents/a9c55386-be06-40ef-b909-48c4abcc696f\"\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/Incidents/b8578956-c86e-4d9b-b950-98a955102d08\",\r\n \"name\": \"b8578956-c86e-4d9b-b950-98a955102d08\",\r\n \"etag\": \"\\\"1e00fe01-0000-0100-0000-5fbc1be30000\\\"\",\r\n \"type\": \"Microsoft.SecurityInsights/Incidents\",\r\n \"properties\": {\r\n \"title\": \"PoshModuleTest\",\r\n \"severity\": \"Low\",\r\n \"status\": \"New\",\r\n \"owner\": {\r\n \"objectId\": null,\r\n \"email\": null,\r\n \"assignedTo\": null,\r\n \"userPrincipalName\": null\r\n },\r\n \"labels\": [],\r\n \"lastModifiedTimeUtc\": \"2020-11-23T20:30:27.0263621Z\",\r\n \"createdTimeUtc\": \"2020-11-23T20:30:27.0263621Z\",\r\n \"incidentNumber\": 16,\r\n \"additionalData\": {\r\n \"alertsCount\": 0,\r\n \"bookmarksCount\": 0,\r\n \"commentsCount\": 0,\r\n \"alertProductNames\": [],\r\n \"tactics\": []\r\n },\r\n \"relatedAnalyticRuleIds\": [],\r\n \"incidentUrl\": \"https://portal.azure.com/#asset/Microsoft_Azure_Security_Insights/Incident/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/Incidents/b8578956-c86e-4d9b-b950-98a955102d08\"\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/Incidents/d8ba1aed-e64b-4fe4-9fba-8bb95b098f67\",\r\n \"name\": \"d8ba1aed-e64b-4fe4-9fba-8bb95b098f67\",\r\n \"etag\": \"\\\"1d0008fd-0000-0100-0000-5fbc1b9d0000\\\"\",\r\n \"type\": \"Microsoft.SecurityInsights/Incidents\",\r\n \"properties\": {\r\n \"title\": \"PoshModuleTest\",\r\n \"severity\": \"Low\",\r\n \"status\": \"New\",\r\n \"owner\": {\r\n \"objectId\": null,\r\n \"email\": null,\r\n \"assignedTo\": null,\r\n \"userPrincipalName\": null\r\n },\r\n \"labels\": [],\r\n \"lastModifiedTimeUtc\": \"2020-11-23T20:29:17.9413965Z\",\r\n \"createdTimeUtc\": \"2020-11-23T20:29:17.9413965Z\",\r\n \"incidentNumber\": 15,\r\n \"additionalData\": {\r\n \"alertsCount\": 0,\r\n \"bookmarksCount\": 0,\r\n \"commentsCount\": 0,\r\n \"alertProductNames\": [],\r\n \"tactics\": []\r\n },\r\n \"relatedAnalyticRuleIds\": [],\r\n \"incidentUrl\": \"https://portal.azure.com/#asset/Microsoft_Azure_Security_Insights/Incident/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/Incidents/d8ba1aed-e64b-4fe4-9fba-8bb95b098f67\"\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/Incidents/e10a00b2-c388-4ad9-9897-2b444a8fe50d\",\r\n \"name\": \"e10a00b2-c388-4ad9-9897-2b444a8fe50d\",\r\n \"etag\": \"\\\"1d0045f2-0000-0100-0000-5fbc1aee0000\\\"\",\r\n \"type\": \"Microsoft.SecurityInsights/Incidents\",\r\n \"properties\": {\r\n \"title\": \"PoshModuleTest\",\r\n \"severity\": \"Low\",\r\n \"status\": \"New\",\r\n \"owner\": {\r\n \"objectId\": null,\r\n \"email\": null,\r\n \"assignedTo\": null,\r\n \"userPrincipalName\": null\r\n },\r\n \"labels\": [],\r\n \"lastModifiedTimeUtc\": \"2020-11-23T20:26:21.9796208Z\",\r\n \"createdTimeUtc\": \"2020-11-23T20:26:21.9796208Z\",\r\n \"incidentNumber\": 8,\r\n \"additionalData\": {\r\n \"alertsCount\": 0,\r\n \"bookmarksCount\": 0,\r\n \"commentsCount\": 0,\r\n \"alertProductNames\": [],\r\n \"tactics\": []\r\n },\r\n \"relatedAnalyticRuleIds\": [],\r\n \"incidentUrl\": \"https://portal.azure.com/#asset/Microsoft_Azure_Security_Insights/Incident/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/Incidents/e10a00b2-c388-4ad9-9897-2b444a8fe50d\"\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/Incidents/1ae861a1-c949-42c1-8c37-5f382d99fac3\",\r\n \"name\": \"1ae861a1-c949-42c1-8c37-5f382d99fac3\",\r\n \"etag\": \"\\\"1d0092ef-0000-0100-0000-5fbc1ab20000\\\"\",\r\n \"type\": \"Microsoft.SecurityInsights/Incidents\",\r\n \"properties\": {\r\n \"title\": \"PoshModuleTest\",\r\n \"severity\": \"Low\",\r\n \"status\": \"New\",\r\n \"owner\": {\r\n \"objectId\": null,\r\n \"email\": null,\r\n \"assignedTo\": null,\r\n \"userPrincipalName\": null\r\n },\r\n \"labels\": [],\r\n \"lastModifiedTimeUtc\": \"2020-11-23T20:25:22.0712913Z\",\r\n \"createdTimeUtc\": \"2020-11-23T20:25:22.0712913Z\",\r\n \"incidentNumber\": 6,\r\n \"additionalData\": {\r\n \"alertsCount\": 0,\r\n \"bookmarksCount\": 0,\r\n \"commentsCount\": 0,\r\n \"alertProductNames\": [],\r\n \"tactics\": []\r\n },\r\n \"relatedAnalyticRuleIds\": [],\r\n \"incidentUrl\": \"https://portal.azure.com/#asset/Microsoft_Azure_Security_Insights/Incident/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/Incidents/1ae861a1-c949-42c1-8c37-5f382d99fac3\"\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/Incidents/f1a89b23-0c09-4a6c-af77-7935e1b87797\",\r\n \"name\": \"f1a89b23-0c09-4a6c-af77-7935e1b87797\",\r\n \"etag\": \"\\\"1d008eef-0000-0100-0000-5fbc1ab00000\\\"\",\r\n \"type\": \"Microsoft.SecurityInsights/Incidents\",\r\n \"properties\": {\r\n \"title\": \"PoshModuleTest\",\r\n \"severity\": \"Low\",\r\n \"status\": \"New\",\r\n \"owner\": {\r\n \"objectId\": null,\r\n \"email\": null,\r\n \"assignedTo\": null,\r\n \"userPrincipalName\": null\r\n },\r\n \"labels\": [],\r\n \"lastModifiedTimeUtc\": \"2020-11-23T20:25:20.5970746Z\",\r\n \"createdTimeUtc\": \"2020-11-23T20:25:20.5970746Z\",\r\n \"incidentNumber\": 5,\r\n \"additionalData\": {\r\n \"alertsCount\": 0,\r\n \"bookmarksCount\": 0,\r\n \"commentsCount\": 0,\r\n \"alertProductNames\": [],\r\n \"tactics\": []\r\n },\r\n \"relatedAnalyticRuleIds\": [],\r\n \"incidentUrl\": \"https://portal.azure.com/#asset/Microsoft_Azure_Security_Insights/Incident/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/Incidents/f1a89b23-0c09-4a6c-af77-7935e1b87797\"\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/Incidents/061c9297-d356-485e-9676-b44cf9b0df92\",\r\n \"name\": \"061c9297-d356-485e-9676-b44cf9b0df92\",\r\n \"etag\": \"\\\"1d008def-0000-0100-0000-5fbc1aaf0000\\\"\",\r\n \"type\": \"Microsoft.SecurityInsights/Incidents\",\r\n \"properties\": {\r\n \"title\": \"PoshModuleTest\",\r\n \"severity\": \"Low\",\r\n \"status\": \"New\",\r\n \"owner\": {\r\n \"objectId\": null,\r\n \"email\": null,\r\n \"assignedTo\": null,\r\n \"userPrincipalName\": null\r\n },\r\n \"labels\": [],\r\n \"lastModifiedTimeUtc\": \"2020-11-23T20:25:19.2307468Z\",\r\n \"createdTimeUtc\": \"2020-11-23T20:25:19.2307468Z\",\r\n \"incidentNumber\": 4,\r\n \"additionalData\": {\r\n \"alertsCount\": 0,\r\n \"bookmarksCount\": 0,\r\n \"commentsCount\": 0,\r\n \"alertProductNames\": [],\r\n \"tactics\": []\r\n },\r\n \"relatedAnalyticRuleIds\": [],\r\n \"incidentUrl\": \"https://portal.azure.com/#asset/Microsoft_Azure_Security_Insights/Incident/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/Incidents/061c9297-d356-485e-9676-b44cf9b0df92\"\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/Incidents/2da34951-449e-463b-bd0a-d771af82e590\",\r\n \"name\": \"2da34951-449e-463b-bd0a-d771af82e590\",\r\n \"etag\": \"\\\"1d0088ef-0000-0100-0000-5fbc1aad0000\\\"\",\r\n \"type\": \"Microsoft.SecurityInsights/Incidents\",\r\n \"properties\": {\r\n \"title\": \"PoshModuleTest2\",\r\n \"severity\": \"Low\",\r\n \"status\": \"New\",\r\n \"owner\": {\r\n \"objectId\": null,\r\n \"email\": null,\r\n \"assignedTo\": null,\r\n \"userPrincipalName\": null\r\n },\r\n \"labels\": [],\r\n \"lastModifiedTimeUtc\": \"2020-11-23T20:25:17.5717541Z\",\r\n \"createdTimeUtc\": \"2020-11-23T20:25:17.5717541Z\",\r\n \"incidentNumber\": 3,\r\n \"additionalData\": {\r\n \"alertsCount\": 0,\r\n \"bookmarksCount\": 0,\r\n \"commentsCount\": 0,\r\n \"alertProductNames\": [],\r\n \"tactics\": []\r\n },\r\n \"relatedAnalyticRuleIds\": [],\r\n \"incidentUrl\": \"https://portal.azure.com/#asset/Microsoft_Azure_Security_Insights/Incident/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/Incidents/2da34951-449e-463b-bd0a-d771af82e590\"\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/Incidents/a537c5e1-4d52-44cb-b012-83c9d8437207\",\r\n \"name\": \"a537c5e1-4d52-44cb-b012-83c9d8437207\",\r\n \"etag\": \"\\\"1d0087ef-0000-0100-0000-5fbc1aad0000\\\"\",\r\n \"type\": \"Microsoft.SecurityInsights/Incidents\",\r\n \"properties\": {\r\n \"title\": \"PoshModuleTest\",\r\n \"severity\": \"Low\",\r\n \"status\": \"New\",\r\n \"owner\": {\r\n \"objectId\": null,\r\n \"email\": null,\r\n \"assignedTo\": null,\r\n \"userPrincipalName\": null\r\n },\r\n \"labels\": [],\r\n \"lastModifiedTimeUtc\": \"2020-11-23T20:25:17.3157001Z\",\r\n \"createdTimeUtc\": \"2020-11-23T20:25:17.3157001Z\",\r\n \"incidentNumber\": 2,\r\n \"additionalData\": {\r\n \"alertsCount\": 0,\r\n \"bookmarksCount\": 0,\r\n \"commentsCount\": 0,\r\n \"alertProductNames\": [],\r\n \"tactics\": []\r\n },\r\n \"relatedAnalyticRuleIds\": [],\r\n \"incidentUrl\": \"https://portal.azure.com/#asset/Microsoft_Azure_Security_Insights/Incident/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/Incidents/a537c5e1-4d52-44cb-b012-83c9d8437207\"\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/Incidents/808b10de-0841-40c1-ba57-75a05f98ad01\",\r\n \"name\": \"808b10de-0841-40c1-ba57-75a05f98ad01\",\r\n \"etag\": \"\\\"0100a486-0000-0100-0000-5fb89e920000\\\"\",\r\n \"type\": \"Microsoft.SecurityInsights/Incidents\",\r\n \"properties\": {\r\n \"title\": \"testapi\",\r\n \"severity\": \"Low\",\r\n \"status\": \"New\",\r\n \"owner\": {\r\n \"objectId\": null,\r\n \"email\": null,\r\n \"assignedTo\": null,\r\n \"userPrincipalName\": null\r\n },\r\n \"labels\": [],\r\n \"lastModifiedTimeUtc\": \"2020-11-19T00:16:50.0225943Z\",\r\n \"createdTimeUtc\": \"2020-11-11T23:35:52.6826913Z\",\r\n \"incidentNumber\": 1,\r\n \"additionalData\": {\r\n \"alertsCount\": 0,\r\n \"bookmarksCount\": 0,\r\n \"commentsCount\": 1,\r\n \"alertProductNames\": [],\r\n \"tactics\": []\r\n },\r\n \"relatedAnalyticRuleIds\": [],\r\n \"incidentUrl\": \"https://portal.azure.com/#asset/Microsoft_Azure_Security_Insights/Incident/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/Incidents/808b10de-0841-40c1-ba57-75a05f98ad01\"\r\n }\r\n }\r\n ]\r\n}",
+ "StatusCode": 200
+ },
+ {
+ "RequestUri": "/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/incidents/9948fe0a-433c-4230-ab18-41ba430d68bc?api-version=2020-01-01",
+ "EncodedRequestUri": "L3N1YnNjcmlwdGlvbnMvMWM2MWNjYmYtNzBiMy00NWEzLWExZmItODQ4Y2U0NmQ3MGE2L3Jlc291cmNlR3JvdXBzL25kaWNvbGEtYXpzcG9zaC9wcm92aWRlcnMvTWljcm9zb2Z0Lk9wZXJhdGlvbmFsSW5zaWdodHMvd29ya3NwYWNlcy9henNwb3NoL3Byb3ZpZGVycy9NaWNyb3NvZnQuU2VjdXJpdHlJbnNpZ2h0cy9pbmNpZGVudHMvOTk0OGZlMGEtNDMzYy00MjMwLWFiMTgtNDFiYTQzMGQ2OGJjP2FwaS12ZXJzaW9uPTIwMjAtMDEtMDE=",
+ "RequestMethod": "DELETE",
+ "RequestBody": "",
+ "RequestHeaders": {
+ "x-ms-client-request-id": [
+ "1aa4abe4-3730-40fe-955b-d595936a33b3"
+ ],
+ "Accept-Language": [
+ "en-US"
+ ],
+ "User-Agent": [
+ "FxVersion/4.6.29321.03",
+ "OSName/Windows",
+ "OSVersion/Microsoft.Windows.10.0.19042.",
+ "Microsoft.Azure.Management.SecurityInsights.SecurityInsightsClient/1.0.0.0"
+ ]
+ },
+ "ResponseHeaders": {
+ "Cache-Control": [
+ "no-cache"
+ ],
+ "Pragma": [
+ "no-cache"
+ ],
+ "x-ms-ratelimit-remaining-subscription-deletes": [
+ "14999"
+ ],
+ "Server": [
+ "Kestrel"
+ ],
+ "x-ms-request-id": [
+ "988ea313-ba18-44b8-a1ea-57aefd302c29"
+ ],
+ "x-ms-correlation-request-id": [
+ "988ea313-ba18-44b8-a1ea-57aefd302c29"
+ ],
+ "x-ms-routing-request-id": [
+ "WESTUS2:20201210T211147Z:988ea313-ba18-44b8-a1ea-57aefd302c29"
+ ],
+ "Strict-Transport-Security": [
+ "max-age=31536000; includeSubDomains"
+ ],
+ "X-Content-Type-Options": [
+ "nosniff"
+ ],
+ "Date": [
+ "Thu, 10 Dec 2020 21:11:46 GMT"
+ ],
+ "Content-Length": [
+ "2"
+ ],
+ "Content-Type": [
+ "application/json; charset=utf-8"
+ ],
+ "Expires": [
+ "-1"
+ ]
+ },
+ "ResponseBody": "{}",
+ "StatusCode": 200
+ },
+ {
+ "RequestUri": "/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/incidents/93a8577f-b4e6-4225-9240-57bd52238502?api-version=2020-01-01",
+ "EncodedRequestUri": "L3N1YnNjcmlwdGlvbnMvMWM2MWNjYmYtNzBiMy00NWEzLWExZmItODQ4Y2U0NmQ3MGE2L3Jlc291cmNlR3JvdXBzL25kaWNvbGEtYXpzcG9zaC9wcm92aWRlcnMvTWljcm9zb2Z0Lk9wZXJhdGlvbmFsSW5zaWdodHMvd29ya3NwYWNlcy9henNwb3NoL3Byb3ZpZGVycy9NaWNyb3NvZnQuU2VjdXJpdHlJbnNpZ2h0cy9pbmNpZGVudHMvOTNhODU3N2YtYjRlNi00MjI1LTkyNDAtNTdiZDUyMjM4NTAyP2FwaS12ZXJzaW9uPTIwMjAtMDEtMDE=",
+ "RequestMethod": "DELETE",
+ "RequestBody": "",
+ "RequestHeaders": {
+ "x-ms-client-request-id": [
+ "36bf4015-5b8f-4801-b332-29a1ef69eefc"
+ ],
+ "Accept-Language": [
+ "en-US"
+ ],
+ "User-Agent": [
+ "FxVersion/4.6.29321.03",
+ "OSName/Windows",
+ "OSVersion/Microsoft.Windows.10.0.19042.",
+ "Microsoft.Azure.Management.SecurityInsights.SecurityInsightsClient/1.0.0.0"
+ ]
+ },
+ "ResponseHeaders": {
+ "Cache-Control": [
+ "no-cache"
+ ],
+ "Pragma": [
+ "no-cache"
+ ],
+ "x-ms-ratelimit-remaining-subscription-deletes": [
+ "14998"
+ ],
+ "Server": [
+ "Kestrel"
+ ],
+ "x-ms-request-id": [
+ "7d58c328-7c2e-45ec-a712-f831cc35027d"
+ ],
+ "x-ms-correlation-request-id": [
+ "7d58c328-7c2e-45ec-a712-f831cc35027d"
+ ],
+ "x-ms-routing-request-id": [
+ "WESTUS2:20201210T211147Z:7d58c328-7c2e-45ec-a712-f831cc35027d"
+ ],
+ "Strict-Transport-Security": [
+ "max-age=31536000; includeSubDomains"
+ ],
+ "X-Content-Type-Options": [
+ "nosniff"
+ ],
+ "Date": [
+ "Thu, 10 Dec 2020 21:11:46 GMT"
+ ],
+ "Content-Length": [
+ "2"
+ ],
+ "Content-Type": [
+ "application/json; charset=utf-8"
+ ],
+ "Expires": [
+ "-1"
+ ]
+ },
+ "ResponseBody": "{}",
+ "StatusCode": 200
+ }
+ ],
+ "Names": {},
+ "Variables": {
+ "SubscriptionId": "1c61ccbf-70b3-45a3-a1fb-848ce46d70a6"
+ }
+}
\ No newline at end of file
diff --git a/src/SecurityInsights/SecurityInsights.Test/SessionRecords/Microsoft.Azure.Commands.SecurityInsights.Test.ScenarioTests.IncidentsTests/Remove.json b/src/SecurityInsights/SecurityInsights.Test/SessionRecords/Microsoft.Azure.Commands.SecurityInsights.Test.ScenarioTests.IncidentsTests/Remove.json
new file mode 100644
index 000000000000..28cae531184d
--- /dev/null
+++ b/src/SecurityInsights/SecurityInsights.Test/SessionRecords/Microsoft.Azure.Commands.SecurityInsights.Test.ScenarioTests.IncidentsTests/Remove.json
@@ -0,0 +1,197 @@
+{
+ "Entries": [
+ {
+ "RequestUri": "/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/incidents/a91c3054-ced5-4e5b-90ba-ef3d031a34e2?api-version=2020-01-01",
+ "EncodedRequestUri": "L3N1YnNjcmlwdGlvbnMvMWM2MWNjYmYtNzBiMy00NWEzLWExZmItODQ4Y2U0NmQ3MGE2L3Jlc291cmNlR3JvdXBzL25kaWNvbGEtYXpzcG9zaC9wcm92aWRlcnMvTWljcm9zb2Z0Lk9wZXJhdGlvbmFsSW5zaWdodHMvd29ya3NwYWNlcy9henNwb3NoL3Byb3ZpZGVycy9NaWNyb3NvZnQuU2VjdXJpdHlJbnNpZ2h0cy9pbmNpZGVudHMvYTkxYzMwNTQtY2VkNS00ZTViLTkwYmEtZWYzZDAzMWEzNGUyP2FwaS12ZXJzaW9uPTIwMjAtMDEtMDE=",
+ "RequestMethod": "PUT",
+ "RequestBody": "{\r\n \"properties\": {\r\n \"severity\": \"Low\",\r\n \"status\": \"New\",\r\n \"title\": \"PoshModuleTest\"\r\n }\r\n}",
+ "RequestHeaders": {
+ "x-ms-client-request-id": [
+ "79022c4d-1d8d-4c3e-b521-788ef6be7c23"
+ ],
+ "Accept-Language": [
+ "en-US"
+ ],
+ "User-Agent": [
+ "FxVersion/4.6.29321.03",
+ "OSName/Windows",
+ "OSVersion/Microsoft.Windows.10.0.19042.",
+ "Microsoft.Azure.Management.SecurityInsights.SecurityInsightsClient/1.0.0.0"
+ ],
+ "Content-Type": [
+ "application/json; charset=utf-8"
+ ],
+ "Content-Length": [
+ "105"
+ ]
+ },
+ "ResponseHeaders": {
+ "Cache-Control": [
+ "no-cache"
+ ],
+ "Pragma": [
+ "no-cache"
+ ],
+ "x-ms-ratelimit-remaining-subscription-writes": [
+ "1199"
+ ],
+ "Server": [
+ "Kestrel"
+ ],
+ "x-ms-request-id": [
+ "08b08cbe-7caa-41a2-865f-c18e1de26c9f"
+ ],
+ "x-ms-correlation-request-id": [
+ "08b08cbe-7caa-41a2-865f-c18e1de26c9f"
+ ],
+ "x-ms-routing-request-id": [
+ "WESTUS2:20201210T211154Z:08b08cbe-7caa-41a2-865f-c18e1de26c9f"
+ ],
+ "Strict-Transport-Security": [
+ "max-age=31536000; includeSubDomains"
+ ],
+ "X-Content-Type-Options": [
+ "nosniff"
+ ],
+ "Date": [
+ "Thu, 10 Dec 2020 21:11:53 GMT"
+ ],
+ "Content-Length": [
+ "1115"
+ ],
+ "Content-Type": [
+ "application/json; charset=utf-8"
+ ],
+ "Expires": [
+ "-1"
+ ]
+ },
+ "ResponseBody": "{\r\n \"id\": \"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/Incidents/a91c3054-ced5-4e5b-90ba-ef3d031a34e2\",\r\n \"name\": \"a91c3054-ced5-4e5b-90ba-ef3d031a34e2\",\r\n \"etag\": \"\\\"bd0062a3-0000-0100-0000-5fd28f190000\\\"\",\r\n \"type\": \"Microsoft.SecurityInsights/Incidents\",\r\n \"properties\": {\r\n \"title\": \"PoshModuleTest\",\r\n \"severity\": \"Low\",\r\n \"status\": \"New\",\r\n \"owner\": {\r\n \"objectId\": null,\r\n \"email\": null,\r\n \"assignedTo\": null,\r\n \"userPrincipalName\": null\r\n },\r\n \"labels\": [],\r\n \"lastModifiedTimeUtc\": \"2020-12-10T21:11:53.9702619Z\",\r\n \"createdTimeUtc\": \"2020-12-10T21:11:53.9702619Z\",\r\n \"incidentNumber\": 94,\r\n \"additionalData\": {\r\n \"alertsCount\": 0,\r\n \"bookmarksCount\": 0,\r\n \"commentsCount\": 0,\r\n \"alertProductNames\": [],\r\n \"tactics\": []\r\n },\r\n \"relatedAnalyticRuleIds\": [],\r\n \"incidentUrl\": \"https://portal.azure.com/#asset/Microsoft_Azure_Security_Insights/Incident/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/Incidents/a91c3054-ced5-4e5b-90ba-ef3d031a34e2\"\r\n }\r\n}",
+ "StatusCode": 200
+ },
+ {
+ "RequestUri": "/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/incidents/a91c3054-ced5-4e5b-90ba-ef3d031a34e2?api-version=2020-01-01",
+ "EncodedRequestUri": "L3N1YnNjcmlwdGlvbnMvMWM2MWNjYmYtNzBiMy00NWEzLWExZmItODQ4Y2U0NmQ3MGE2L3Jlc291cmNlR3JvdXBzL25kaWNvbGEtYXpzcG9zaC9wcm92aWRlcnMvTWljcm9zb2Z0Lk9wZXJhdGlvbmFsSW5zaWdodHMvd29ya3NwYWNlcy9henNwb3NoL3Byb3ZpZGVycy9NaWNyb3NvZnQuU2VjdXJpdHlJbnNpZ2h0cy9pbmNpZGVudHMvYTkxYzMwNTQtY2VkNS00ZTViLTkwYmEtZWYzZDAzMWEzNGUyP2FwaS12ZXJzaW9uPTIwMjAtMDEtMDE=",
+ "RequestMethod": "DELETE",
+ "RequestBody": "",
+ "RequestHeaders": {
+ "x-ms-client-request-id": [
+ "1c1c432c-9fe2-4365-a350-226a086a1cbb"
+ ],
+ "Accept-Language": [
+ "en-US"
+ ],
+ "User-Agent": [
+ "FxVersion/4.6.29321.03",
+ "OSName/Windows",
+ "OSVersion/Microsoft.Windows.10.0.19042.",
+ "Microsoft.Azure.Management.SecurityInsights.SecurityInsightsClient/1.0.0.0"
+ ]
+ },
+ "ResponseHeaders": {
+ "Cache-Control": [
+ "no-cache"
+ ],
+ "Pragma": [
+ "no-cache"
+ ],
+ "x-ms-ratelimit-remaining-subscription-deletes": [
+ "14999"
+ ],
+ "Server": [
+ "Kestrel"
+ ],
+ "x-ms-request-id": [
+ "6aae6056-4ef4-4e48-b0c7-4cae3cb7181f"
+ ],
+ "x-ms-correlation-request-id": [
+ "6aae6056-4ef4-4e48-b0c7-4cae3cb7181f"
+ ],
+ "x-ms-routing-request-id": [
+ "WESTUS2:20201210T211154Z:6aae6056-4ef4-4e48-b0c7-4cae3cb7181f"
+ ],
+ "Strict-Transport-Security": [
+ "max-age=31536000; includeSubDomains"
+ ],
+ "X-Content-Type-Options": [
+ "nosniff"
+ ],
+ "Date": [
+ "Thu, 10 Dec 2020 21:11:53 GMT"
+ ],
+ "Content-Length": [
+ "2"
+ ],
+ "Content-Type": [
+ "application/json; charset=utf-8"
+ ],
+ "Expires": [
+ "-1"
+ ]
+ },
+ "ResponseBody": "{}",
+ "StatusCode": 200
+ },
+ {
+ "RequestUri": "/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/incidents/a91c3054-ced5-4e5b-90ba-ef3d031a34e2?api-version=2020-01-01",
+ "EncodedRequestUri": "L3N1YnNjcmlwdGlvbnMvMWM2MWNjYmYtNzBiMy00NWEzLWExZmItODQ4Y2U0NmQ3MGE2L3Jlc291cmNlR3JvdXBzL25kaWNvbGEtYXpzcG9zaC9wcm92aWRlcnMvTWljcm9zb2Z0Lk9wZXJhdGlvbmFsSW5zaWdodHMvd29ya3NwYWNlcy9henNwb3NoL3Byb3ZpZGVycy9NaWNyb3NvZnQuU2VjdXJpdHlJbnNpZ2h0cy9pbmNpZGVudHMvYTkxYzMwNTQtY2VkNS00ZTViLTkwYmEtZWYzZDAzMWEzNGUyP2FwaS12ZXJzaW9uPTIwMjAtMDEtMDE=",
+ "RequestMethod": "DELETE",
+ "RequestBody": "",
+ "RequestHeaders": {
+ "x-ms-client-request-id": [
+ "65db61ff-d330-47f4-9892-1618b0380909"
+ ],
+ "Accept-Language": [
+ "en-US"
+ ],
+ "User-Agent": [
+ "FxVersion/4.6.29321.03",
+ "OSName/Windows",
+ "OSVersion/Microsoft.Windows.10.0.19042.",
+ "Microsoft.Azure.Management.SecurityInsights.SecurityInsightsClient/1.0.0.0"
+ ]
+ },
+ "ResponseHeaders": {
+ "Cache-Control": [
+ "no-cache"
+ ],
+ "Pragma": [
+ "no-cache"
+ ],
+ "Server": [
+ "Kestrel"
+ ],
+ "x-ms-ratelimit-remaining-subscription-deletes": [
+ "14998"
+ ],
+ "x-ms-request-id": [
+ "1527eec9-5922-4915-ad31-5a50031a4e4e"
+ ],
+ "x-ms-correlation-request-id": [
+ "1527eec9-5922-4915-ad31-5a50031a4e4e"
+ ],
+ "x-ms-routing-request-id": [
+ "WESTUS2:20201210T211154Z:1527eec9-5922-4915-ad31-5a50031a4e4e"
+ ],
+ "Strict-Transport-Security": [
+ "max-age=31536000; includeSubDomains"
+ ],
+ "X-Content-Type-Options": [
+ "nosniff"
+ ],
+ "Date": [
+ "Thu, 10 Dec 2020 21:11:54 GMT"
+ ],
+ "Expires": [
+ "-1"
+ ]
+ },
+ "ResponseBody": "",
+ "StatusCode": 204
+ }
+ ],
+ "Names": {},
+ "Variables": {
+ "SubscriptionId": "1c61ccbf-70b3-45a3-a1fb-848ce46d70a6"
+ }
+}
\ No newline at end of file
diff --git a/src/SecurityInsights/SecurityInsights.Test/SessionRecords/Microsoft.Azure.Commands.SecurityInsights.Test.ScenarioTests.IncidentsTests/Update.json b/src/SecurityInsights/SecurityInsights.Test/SessionRecords/Microsoft.Azure.Commands.SecurityInsights.Test.ScenarioTests.IncidentsTests/Update.json
new file mode 100644
index 000000000000..c67f4c946547
--- /dev/null
+++ b/src/SecurityInsights/SecurityInsights.Test/SessionRecords/Microsoft.Azure.Commands.SecurityInsights.Test.ScenarioTests.IncidentsTests/Update.json
@@ -0,0 +1,272 @@
+{
+ "Entries": [
+ {
+ "RequestUri": "/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/incidents/4c3f56e0-c40c-4c03-af08-a40f6be36715?api-version=2020-01-01",
+ "EncodedRequestUri": "L3N1YnNjcmlwdGlvbnMvMWM2MWNjYmYtNzBiMy00NWEzLWExZmItODQ4Y2U0NmQ3MGE2L3Jlc291cmNlR3JvdXBzL25kaWNvbGEtYXpzcG9zaC9wcm92aWRlcnMvTWljcm9zb2Z0Lk9wZXJhdGlvbmFsSW5zaWdodHMvd29ya3NwYWNlcy9henNwb3NoL3Byb3ZpZGVycy9NaWNyb3NvZnQuU2VjdXJpdHlJbnNpZ2h0cy9pbmNpZGVudHMvNGMzZjU2ZTAtYzQwYy00YzAzLWFmMDgtYTQwZjZiZTM2NzE1P2FwaS12ZXJzaW9uPTIwMjAtMDEtMDE=",
+ "RequestMethod": "PUT",
+ "RequestBody": "{\r\n \"properties\": {\r\n \"severity\": \"Low\",\r\n \"status\": \"New\",\r\n \"title\": \"PoshModuleTest\"\r\n }\r\n}",
+ "RequestHeaders": {
+ "x-ms-client-request-id": [
+ "ab600141-7077-4b77-900a-13bb11133c3c"
+ ],
+ "Accept-Language": [
+ "en-US"
+ ],
+ "User-Agent": [
+ "FxVersion/4.6.29321.03",
+ "OSName/Windows",
+ "OSVersion/Microsoft.Windows.10.0.19042.",
+ "Microsoft.Azure.Management.SecurityInsights.SecurityInsightsClient/1.0.0.0"
+ ],
+ "Content-Type": [
+ "application/json; charset=utf-8"
+ ],
+ "Content-Length": [
+ "105"
+ ]
+ },
+ "ResponseHeaders": {
+ "Cache-Control": [
+ "no-cache"
+ ],
+ "Pragma": [
+ "no-cache"
+ ],
+ "x-ms-ratelimit-remaining-subscription-writes": [
+ "1199"
+ ],
+ "Server": [
+ "Kestrel"
+ ],
+ "x-ms-request-id": [
+ "992ad7ec-2a5e-40a5-b9f8-b70f196f3707"
+ ],
+ "x-ms-correlation-request-id": [
+ "992ad7ec-2a5e-40a5-b9f8-b70f196f3707"
+ ],
+ "x-ms-routing-request-id": [
+ "WESTUS2:20201210T211149Z:992ad7ec-2a5e-40a5-b9f8-b70f196f3707"
+ ],
+ "Strict-Transport-Security": [
+ "max-age=31536000; includeSubDomains"
+ ],
+ "X-Content-Type-Options": [
+ "nosniff"
+ ],
+ "Date": [
+ "Thu, 10 Dec 2020 21:11:48 GMT"
+ ],
+ "Content-Length": [
+ "1115"
+ ],
+ "Content-Type": [
+ "application/json; charset=utf-8"
+ ],
+ "Expires": [
+ "-1"
+ ]
+ },
+ "ResponseBody": "{\r\n \"id\": \"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/Incidents/4c3f56e0-c40c-4c03-af08-a40f6be36715\",\r\n \"name\": \"4c3f56e0-c40c-4c03-af08-a40f6be36715\",\r\n \"etag\": \"\\\"bd0055a3-0000-0100-0000-5fd28f150000\\\"\",\r\n \"type\": \"Microsoft.SecurityInsights/Incidents\",\r\n \"properties\": {\r\n \"title\": \"PoshModuleTest\",\r\n \"severity\": \"Low\",\r\n \"status\": \"New\",\r\n \"owner\": {\r\n \"objectId\": null,\r\n \"email\": null,\r\n \"assignedTo\": null,\r\n \"userPrincipalName\": null\r\n },\r\n \"labels\": [],\r\n \"lastModifiedTimeUtc\": \"2020-12-10T21:11:49.0190894Z\",\r\n \"createdTimeUtc\": \"2020-12-10T21:11:49.0190894Z\",\r\n \"incidentNumber\": 91,\r\n \"additionalData\": {\r\n \"alertsCount\": 0,\r\n \"bookmarksCount\": 0,\r\n \"commentsCount\": 0,\r\n \"alertProductNames\": [],\r\n \"tactics\": []\r\n },\r\n \"relatedAnalyticRuleIds\": [],\r\n \"incidentUrl\": \"https://portal.azure.com/#asset/Microsoft_Azure_Security_Insights/Incident/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/Incidents/4c3f56e0-c40c-4c03-af08-a40f6be36715\"\r\n }\r\n}",
+ "StatusCode": 200
+ },
+ {
+ "RequestUri": "/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/incidents/4c3f56e0-c40c-4c03-af08-a40f6be36715?api-version=2020-01-01",
+ "EncodedRequestUri": "L3N1YnNjcmlwdGlvbnMvMWM2MWNjYmYtNzBiMy00NWEzLWExZmItODQ4Y2U0NmQ3MGE2L3Jlc291cmNlR3JvdXBzL25kaWNvbGEtYXpzcG9zaC9wcm92aWRlcnMvTWljcm9zb2Z0Lk9wZXJhdGlvbmFsSW5zaWdodHMvd29ya3NwYWNlcy9henNwb3NoL3Byb3ZpZGVycy9NaWNyb3NvZnQuU2VjdXJpdHlJbnNpZ2h0cy9pbmNpZGVudHMvNGMzZjU2ZTAtYzQwYy00YzAzLWFmMDgtYTQwZjZiZTM2NzE1P2FwaS12ZXJzaW9uPTIwMjAtMDEtMDE=",
+ "RequestMethod": "PUT",
+ "RequestBody": "{\r\n \"properties\": {\r\n \"classification\": \"FalsePositive\",\r\n \"classificationReason\": \"InaccurateData\",\r\n \"labels\": [],\r\n \"owner\": {},\r\n \"severity\": \"Low\",\r\n \"status\": \"Closed\",\r\n \"title\": \"PoshModuleTest\"\r\n },\r\n \"etag\": \"\\\"bd0055a3-0000-0100-0000-5fd28f150000\\\"\"\r\n}",
+ "RequestHeaders": {
+ "x-ms-client-request-id": [
+ "1b5c64b6-88a2-427d-8852-ee84544d9d2b"
+ ],
+ "Accept-Language": [
+ "en-US"
+ ],
+ "User-Agent": [
+ "FxVersion/4.6.29321.03",
+ "OSName/Windows",
+ "OSVersion/Microsoft.Windows.10.0.19042.",
+ "Microsoft.Azure.Management.SecurityInsights.SecurityInsightsClient/1.0.0.0"
+ ],
+ "Content-Type": [
+ "application/json; charset=utf-8"
+ ],
+ "Content-Length": [
+ "287"
+ ]
+ },
+ "ResponseHeaders": {
+ "Cache-Control": [
+ "no-cache"
+ ],
+ "Pragma": [
+ "no-cache"
+ ],
+ "x-ms-ratelimit-remaining-subscription-writes": [
+ "1198"
+ ],
+ "Server": [
+ "Kestrel"
+ ],
+ "x-ms-request-id": [
+ "6da29833-4bc2-4c24-a8bd-ed37e3b8345f"
+ ],
+ "x-ms-correlation-request-id": [
+ "6da29833-4bc2-4c24-a8bd-ed37e3b8345f"
+ ],
+ "x-ms-routing-request-id": [
+ "WESTUS2:20201210T211149Z:6da29833-4bc2-4c24-a8bd-ed37e3b8345f"
+ ],
+ "Strict-Transport-Security": [
+ "max-age=31536000; includeSubDomains"
+ ],
+ "X-Content-Type-Options": [
+ "nosniff"
+ ],
+ "Date": [
+ "Thu, 10 Dec 2020 21:11:49 GMT"
+ ],
+ "Content-Length": [
+ "1191"
+ ],
+ "Content-Type": [
+ "application/json; charset=utf-8"
+ ],
+ "Expires": [
+ "-1"
+ ]
+ },
+ "ResponseBody": "{\r\n \"id\": \"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/Incidents/4c3f56e0-c40c-4c03-af08-a40f6be36715\",\r\n \"name\": \"4c3f56e0-c40c-4c03-af08-a40f6be36715\",\r\n \"etag\": \"\\\"bd0056a3-0000-0100-0000-5fd28f150000\\\"\",\r\n \"type\": \"Microsoft.SecurityInsights/Incidents\",\r\n \"properties\": {\r\n \"title\": \"PoshModuleTest\",\r\n \"severity\": \"Low\",\r\n \"status\": \"Closed\",\r\n \"classification\": \"FalsePositive\",\r\n \"classificationReason\": \"InaccurateData\",\r\n \"owner\": {\r\n \"objectId\": null,\r\n \"email\": null,\r\n \"assignedTo\": null,\r\n \"userPrincipalName\": null\r\n },\r\n \"labels\": [],\r\n \"lastModifiedTimeUtc\": \"2020-12-10T21:11:49.4598307Z\",\r\n \"createdTimeUtc\": \"2020-12-10T21:11:49.0190894Z\",\r\n \"incidentNumber\": 91,\r\n \"additionalData\": {\r\n \"alertsCount\": 0,\r\n \"bookmarksCount\": 0,\r\n \"commentsCount\": 0,\r\n \"alertProductNames\": [],\r\n \"tactics\": []\r\n },\r\n \"relatedAnalyticRuleIds\": [],\r\n \"incidentUrl\": \"https://portal.azure.com/#asset/Microsoft_Azure_Security_Insights/Incident/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/Incidents/4c3f56e0-c40c-4c03-af08-a40f6be36715\"\r\n }\r\n}",
+ "StatusCode": 200
+ },
+ {
+ "RequestUri": "/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/incidents/4c3f56e0-c40c-4c03-af08-a40f6be36715?api-version=2020-01-01",
+ "EncodedRequestUri": "L3N1YnNjcmlwdGlvbnMvMWM2MWNjYmYtNzBiMy00NWEzLWExZmItODQ4Y2U0NmQ3MGE2L3Jlc291cmNlR3JvdXBzL25kaWNvbGEtYXpzcG9zaC9wcm92aWRlcnMvTWljcm9zb2Z0Lk9wZXJhdGlvbmFsSW5zaWdodHMvd29ya3NwYWNlcy9henNwb3NoL3Byb3ZpZGVycy9NaWNyb3NvZnQuU2VjdXJpdHlJbnNpZ2h0cy9pbmNpZGVudHMvNGMzZjU2ZTAtYzQwYy00YzAzLWFmMDgtYTQwZjZiZTM2NzE1P2FwaS12ZXJzaW9uPTIwMjAtMDEtMDE=",
+ "RequestMethod": "GET",
+ "RequestBody": "",
+ "RequestHeaders": {
+ "x-ms-client-request-id": [
+ "f010b048-02b1-4c5a-b945-ca6e65ac5632"
+ ],
+ "Accept-Language": [
+ "en-US"
+ ],
+ "User-Agent": [
+ "FxVersion/4.6.29321.03",
+ "OSName/Windows",
+ "OSVersion/Microsoft.Windows.10.0.19042.",
+ "Microsoft.Azure.Management.SecurityInsights.SecurityInsightsClient/1.0.0.0"
+ ]
+ },
+ "ResponseHeaders": {
+ "Cache-Control": [
+ "no-cache"
+ ],
+ "Pragma": [
+ "no-cache"
+ ],
+ "x-ms-ratelimit-remaining-subscription-reads": [
+ "11999"
+ ],
+ "Server": [
+ "Kestrel"
+ ],
+ "x-ms-request-id": [
+ "36203b91-ed47-4d60-9d6a-f460c998bad0"
+ ],
+ "x-ms-correlation-request-id": [
+ "36203b91-ed47-4d60-9d6a-f460c998bad0"
+ ],
+ "x-ms-routing-request-id": [
+ "WESTUS2:20201210T211149Z:36203b91-ed47-4d60-9d6a-f460c998bad0"
+ ],
+ "Strict-Transport-Security": [
+ "max-age=31536000; includeSubDomains"
+ ],
+ "X-Content-Type-Options": [
+ "nosniff"
+ ],
+ "Date": [
+ "Thu, 10 Dec 2020 21:11:49 GMT"
+ ],
+ "Content-Length": [
+ "1115"
+ ],
+ "Content-Type": [
+ "application/json; charset=utf-8"
+ ],
+ "Expires": [
+ "-1"
+ ]
+ },
+ "ResponseBody": "{\r\n \"id\": \"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/Incidents/4c3f56e0-c40c-4c03-af08-a40f6be36715\",\r\n \"name\": \"4c3f56e0-c40c-4c03-af08-a40f6be36715\",\r\n \"etag\": \"\\\"bd0055a3-0000-0100-0000-5fd28f150000\\\"\",\r\n \"type\": \"Microsoft.SecurityInsights/Incidents\",\r\n \"properties\": {\r\n \"title\": \"PoshModuleTest\",\r\n \"severity\": \"Low\",\r\n \"status\": \"New\",\r\n \"owner\": {\r\n \"objectId\": null,\r\n \"email\": null,\r\n \"assignedTo\": null,\r\n \"userPrincipalName\": null\r\n },\r\n \"labels\": [],\r\n \"lastModifiedTimeUtc\": \"2020-12-10T21:11:49.0190894Z\",\r\n \"createdTimeUtc\": \"2020-12-10T21:11:49.0190894Z\",\r\n \"incidentNumber\": 91,\r\n \"additionalData\": {\r\n \"alertsCount\": 0,\r\n \"bookmarksCount\": 0,\r\n \"commentsCount\": 0,\r\n \"alertProductNames\": [],\r\n \"tactics\": []\r\n },\r\n \"relatedAnalyticRuleIds\": [],\r\n \"incidentUrl\": \"https://portal.azure.com/#asset/Microsoft_Azure_Security_Insights/Incident/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/Incidents/4c3f56e0-c40c-4c03-af08-a40f6be36715\"\r\n }\r\n}",
+ "StatusCode": 200
+ },
+ {
+ "RequestUri": "/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/incidents/4c3f56e0-c40c-4c03-af08-a40f6be36715?api-version=2020-01-01",
+ "EncodedRequestUri": "L3N1YnNjcmlwdGlvbnMvMWM2MWNjYmYtNzBiMy00NWEzLWExZmItODQ4Y2U0NmQ3MGE2L3Jlc291cmNlR3JvdXBzL25kaWNvbGEtYXpzcG9zaC9wcm92aWRlcnMvTWljcm9zb2Z0Lk9wZXJhdGlvbmFsSW5zaWdodHMvd29ya3NwYWNlcy9henNwb3NoL3Byb3ZpZGVycy9NaWNyb3NvZnQuU2VjdXJpdHlJbnNpZ2h0cy9pbmNpZGVudHMvNGMzZjU2ZTAtYzQwYy00YzAzLWFmMDgtYTQwZjZiZTM2NzE1P2FwaS12ZXJzaW9uPTIwMjAtMDEtMDE=",
+ "RequestMethod": "DELETE",
+ "RequestBody": "",
+ "RequestHeaders": {
+ "x-ms-client-request-id": [
+ "8d615fb6-cbf2-466d-94b3-f48dc9bbf7fb"
+ ],
+ "Accept-Language": [
+ "en-US"
+ ],
+ "User-Agent": [
+ "FxVersion/4.6.29321.03",
+ "OSName/Windows",
+ "OSVersion/Microsoft.Windows.10.0.19042.",
+ "Microsoft.Azure.Management.SecurityInsights.SecurityInsightsClient/1.0.0.0"
+ ]
+ },
+ "ResponseHeaders": {
+ "Cache-Control": [
+ "no-cache"
+ ],
+ "Pragma": [
+ "no-cache"
+ ],
+ "x-ms-ratelimit-remaining-subscription-deletes": [
+ "14999"
+ ],
+ "Server": [
+ "Kestrel"
+ ],
+ "x-ms-request-id": [
+ "8ed6d260-c25c-42e3-9a34-46e3ccaef14f"
+ ],
+ "x-ms-correlation-request-id": [
+ "8ed6d260-c25c-42e3-9a34-46e3ccaef14f"
+ ],
+ "x-ms-routing-request-id": [
+ "WESTUS2:20201210T211149Z:8ed6d260-c25c-42e3-9a34-46e3ccaef14f"
+ ],
+ "Strict-Transport-Security": [
+ "max-age=31536000; includeSubDomains"
+ ],
+ "X-Content-Type-Options": [
+ "nosniff"
+ ],
+ "Date": [
+ "Thu, 10 Dec 2020 21:11:49 GMT"
+ ],
+ "Content-Length": [
+ "2"
+ ],
+ "Content-Type": [
+ "application/json; charset=utf-8"
+ ],
+ "Expires": [
+ "-1"
+ ]
+ },
+ "ResponseBody": "{}",
+ "StatusCode": 200
+ }
+ ],
+ "Names": {},
+ "Variables": {
+ "SubscriptionId": "1c61ccbf-70b3-45a3-a1fb-848ce46d70a6"
+ }
+}
\ No newline at end of file
diff --git a/src/SecurityInsights/SecurityInsights.sln b/src/SecurityInsights/SecurityInsights.sln
new file mode 100644
index 000000000000..eff87290f707
--- /dev/null
+++ b/src/SecurityInsights/SecurityInsights.sln
@@ -0,0 +1,66 @@
+Microsoft Visual Studio Solution File, Format Version 12.00
+# Visual Studio Version 16
+VisualStudioVersion = 16.0.30611.23
+MinimumVisualStudioVersion = 10.0.40219.1
+Project("{9A19103F-16F7-4668-BE54-9A1E7A4F7556}") = "SecurityInsights", "SecurityInsights\SecurityInsights.csproj", "{8F202610-FAF5-45D5-8126-4D4210F0F3CA}"
+EndProject
+Project("{9A19103F-16F7-4668-BE54-9A1E7A4F7556}") = "Accounts", "..\Accounts\Accounts\Accounts.csproj", "{142D7B0B-388A-4CEB-A228-7F6D423C5C2E}"
+EndProject
+Project("{9A19103F-16F7-4668-BE54-9A1E7A4F7556}") = "Authenticators", "..\Accounts\Authenticators\Authenticators.csproj", "{6BD6B80A-06AF-4B5B-9230-69CCFC6C8D64}"
+EndProject
+Project("{9A19103F-16F7-4668-BE54-9A1E7A4F7556}") = "Authentication", "..\Accounts\Authentication\Authentication.csproj", "{FF81DC73-B8EC-4082-8841-4FBF2B16E7CE}"
+EndProject
+Project("{9A19103F-16F7-4668-BE54-9A1E7A4F7556}") = "Authentication.ResourceManager", "..\Accounts\Authentication.ResourceManager\Authentication.ResourceManager.csproj", "{3E016018-D65D-4336-9F64-17DA97783AD0}"
+EndProject
+Project("{9A19103F-16F7-4668-BE54-9A1E7A4F7556}") = "TestFx", "..\..\tools\TestFx\TestFx.csproj", "{F176D3E0-BC08-41E2-A56D-6E408A8013A1}"
+EndProject
+Project("{9A19103F-16F7-4668-BE54-9A1E7A4F7556}") = "ScenarioTest.ResourceManager", "..\..\tools\ScenarioTest.ResourceManager\ScenarioTest.ResourceManager.csproj", "{AEF6A096-21FD-4A3C-B3B4-5D010A7A0310}"
+EndProject
+Project("{9A19103F-16F7-4668-BE54-9A1E7A4F7556}") = "SecurityInsights.Test", "SecurityInsights.Test\SecurityInsights.Test.csproj", "{2F30A582-03C8-449C-BA5B-E0C814BD8FF3}"
+EndProject
+Global
+ GlobalSection(SolutionConfigurationPlatforms) = preSolution
+ Debug|Any CPU = Debug|Any CPU
+ Release|Any CPU = Release|Any CPU
+ EndGlobalSection
+ GlobalSection(ProjectConfigurationPlatforms) = postSolution
+ {8F202610-FAF5-45D5-8126-4D4210F0F3CA}.Debug|Any CPU.ActiveCfg = Debug|Any CPU
+ {8F202610-FAF5-45D5-8126-4D4210F0F3CA}.Debug|Any CPU.Build.0 = Debug|Any CPU
+ {8F202610-FAF5-45D5-8126-4D4210F0F3CA}.Release|Any CPU.ActiveCfg = Release|Any CPU
+ {8F202610-FAF5-45D5-8126-4D4210F0F3CA}.Release|Any CPU.Build.0 = Release|Any CPU
+ {142D7B0B-388A-4CEB-A228-7F6D423C5C2E}.Debug|Any CPU.ActiveCfg = Debug|Any CPU
+ {142D7B0B-388A-4CEB-A228-7F6D423C5C2E}.Debug|Any CPU.Build.0 = Debug|Any CPU
+ {142D7B0B-388A-4CEB-A228-7F6D423C5C2E}.Release|Any CPU.ActiveCfg = Release|Any CPU
+ {142D7B0B-388A-4CEB-A228-7F6D423C5C2E}.Release|Any CPU.Build.0 = Release|Any CPU
+ {6BD6B80A-06AF-4B5B-9230-69CCFC6C8D64}.Debug|Any CPU.ActiveCfg = Debug|Any CPU
+ {6BD6B80A-06AF-4B5B-9230-69CCFC6C8D64}.Debug|Any CPU.Build.0 = Debug|Any CPU
+ {6BD6B80A-06AF-4B5B-9230-69CCFC6C8D64}.Release|Any CPU.ActiveCfg = Release|Any CPU
+ {6BD6B80A-06AF-4B5B-9230-69CCFC6C8D64}.Release|Any CPU.Build.0 = Release|Any CPU
+ {FF81DC73-B8EC-4082-8841-4FBF2B16E7CE}.Debug|Any CPU.ActiveCfg = Debug|Any CPU
+ {FF81DC73-B8EC-4082-8841-4FBF2B16E7CE}.Debug|Any CPU.Build.0 = Debug|Any CPU
+ {FF81DC73-B8EC-4082-8841-4FBF2B16E7CE}.Release|Any CPU.ActiveCfg = Release|Any CPU
+ {FF81DC73-B8EC-4082-8841-4FBF2B16E7CE}.Release|Any CPU.Build.0 = Release|Any CPU
+ {3E016018-D65D-4336-9F64-17DA97783AD0}.Debug|Any CPU.ActiveCfg = Debug|Any CPU
+ {3E016018-D65D-4336-9F64-17DA97783AD0}.Debug|Any CPU.Build.0 = Debug|Any CPU
+ {3E016018-D65D-4336-9F64-17DA97783AD0}.Release|Any CPU.ActiveCfg = Release|Any CPU
+ {3E016018-D65D-4336-9F64-17DA97783AD0}.Release|Any CPU.Build.0 = Release|Any CPU
+ {F176D3E0-BC08-41E2-A56D-6E408A8013A1}.Debug|Any CPU.ActiveCfg = Debug|Any CPU
+ {F176D3E0-BC08-41E2-A56D-6E408A8013A1}.Debug|Any CPU.Build.0 = Debug|Any CPU
+ {F176D3E0-BC08-41E2-A56D-6E408A8013A1}.Release|Any CPU.ActiveCfg = Release|Any CPU
+ {F176D3E0-BC08-41E2-A56D-6E408A8013A1}.Release|Any CPU.Build.0 = Release|Any CPU
+ {AEF6A096-21FD-4A3C-B3B4-5D010A7A0310}.Debug|Any CPU.ActiveCfg = Debug|Any CPU
+ {AEF6A096-21FD-4A3C-B3B4-5D010A7A0310}.Debug|Any CPU.Build.0 = Debug|Any CPU
+ {AEF6A096-21FD-4A3C-B3B4-5D010A7A0310}.Release|Any CPU.ActiveCfg = Release|Any CPU
+ {AEF6A096-21FD-4A3C-B3B4-5D010A7A0310}.Release|Any CPU.Build.0 = Release|Any CPU
+ {2F30A582-03C8-449C-BA5B-E0C814BD8FF3}.Debug|Any CPU.ActiveCfg = Debug|Any CPU
+ {2F30A582-03C8-449C-BA5B-E0C814BD8FF3}.Debug|Any CPU.Build.0 = Debug|Any CPU
+ {2F30A582-03C8-449C-BA5B-E0C814BD8FF3}.Release|Any CPU.ActiveCfg = Release|Any CPU
+ {2F30A582-03C8-449C-BA5B-E0C814BD8FF3}.Release|Any CPU.Build.0 = Release|Any CPU
+ EndGlobalSection
+ GlobalSection(SolutionProperties) = preSolution
+ HideSolutionNode = FALSE
+ EndGlobalSection
+ GlobalSection(ExtensibilityGlobals) = postSolution
+ SolutionGuid = {0CC1C1B0-C1D3-4C3D-83B4-ACB1116AA01C}
+ EndGlobalSection
+EndGlobal
diff --git a/src/SecurityInsights/SecurityInsights/Az.SecurityInsights.psd1 b/src/SecurityInsights/SecurityInsights/Az.SecurityInsights.psd1
new file mode 100644
index 000000000000..e2c63eb55c29
--- /dev/null
+++ b/src/SecurityInsights/SecurityInsights/Az.SecurityInsights.psd1
@@ -0,0 +1,158 @@
+#
+# Module manifest for module 'Az.Security'
+#
+# Generated by: Microsoft Corporation
+#
+# Generated on: 7/30/2020
+#
+
+@{
+
+# Script module or binary module file associated with this manifest.
+# RootModule = ''
+
+# Version number of this module.
+ModuleVersion = '0.1.0'
+
+# Supported PSEditions
+CompatiblePSEditions = 'Core', 'Desktop'
+
+# ID used to uniquely identify this module
+GUID = '453D4FB9-65EC-4CF1-8358-6A0FBD995D19'
+
+# Author of this module
+Author = 'Microsoft Corporation'
+
+# Company or vendor of this module
+CompanyName = 'Microsoft Corporation'
+
+# Copyright statement for this module
+Copyright = 'Microsoft Corporation. All rights reserved.'
+
+# Description of the functionality provided by this module
+Description = 'Microsoft Azure PowerShell - Azure Sentinel cmdlets in Windows PowerShell and PowerShell Core. Allows managing and monitoring the security posture of your resources.
+
+For more information on Azure Sentinel, please visit the following: https://docs.microsoft.com/azure/sentinel'
+
+# Minimum version of the PowerShell engine required by this module
+PowerShellVersion = '5.1'
+
+# Name of the PowerShell host required by this module
+# PowerShellHostName = ''
+
+# Minimum version of the PowerShell host required by this module
+# PowerShellHostVersion = ''
+
+# Minimum version of Microsoft .NET Framework required by this module. This prerequisite is valid for the PowerShell Desktop edition only.
+DotNetFrameworkVersion = '4.7.2'
+
+# Minimum version of the common language runtime (CLR) required by this module. This prerequisite is valid for the PowerShell Desktop edition only.
+# CLRVersion = ''
+
+# Processor architecture (None, X86, Amd64) required by this module
+# ProcessorArchitecture = ''
+
+# Modules that must be imported into the global environment prior to importing this module
+RequiredModules = @(@{ModuleName = 'Az.Accounts'; ModuleVersion = '2.1.2'; })
+
+# Assemblies that must be loaded prior to importing this module
+RequiredAssemblies = 'Microsoft.Azure.Management.SecurityInsights.dll'
+
+# Script files (.ps1) that are run in the caller's environment prior to importing this module.
+# ScriptsToProcess = @()
+
+# Type files (.ps1xml) to be loaded when importing this module
+# TypesToProcess = @()
+
+# Format files (.ps1xml) to be loaded when importing this module
+# FormatsToProcess = @()
+
+# Modules to import as nested modules of the module specified in RootModule/ModuleToProcess
+NestedModules = @('Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.dll')
+
+# Functions to export from this module, for best performance, do not use wildcards and do not delete the entry, use an empty array if there are no functions to export.
+FunctionsToExport = @()
+
+# Cmdlets to export from this module, for best performance, do not use wildcards and do not delete the entry, use an empty array if there are no cmdlets to export.
+CmdletsToExport = 'Get-AzSentinelAlertRuleAction',
+ 'New-AzSentinelAlertRuleAction',
+ 'Remove-AzSentinelAlertRuleAction',
+ 'Update-AzSentinelAlertRuleAction',
+ 'Get-AzSentinelAlertRule',
+ 'New-AzSentinelAlertRule',
+ 'Remove-AzSentinelAlertRule',
+ 'Update-AzSentinelAlertRule',
+ 'Get-AzSentinelAlertRuleTemplate',
+ 'Get-AzSentinelBookmark',
+ 'New-AzSentinelBookmark',
+ 'Remove-AzSentinelBookmark',
+ 'Update-AzSentinelBookmark',
+ 'Get-AzSentinelDataConnector',
+ 'New-AzSentinelDataConnector',
+ 'Remove-AzSentinelDataConnector',
+ 'Update-AzSentinelDataConnector',
+ 'Get-AzSentinelIncidentComment',
+ 'New-AzSentinelIncidentComment',
+ 'Get-AzSentinelIncident',
+ 'New-AzSentinelIncident',
+ 'New-AzSentinelIncidentOwner',
+ 'Remove-AzSentinelIncident',
+ 'Update-AzSentinelIncident'
+
+
+# Variables to export from this module
+# VariablesToExport = @()
+
+# Aliases to export from this module, for best performance, do not use wildcards and do not delete the entry, use an empty array if there are no aliases to export.
+AliasesToExport = @()
+
+# DSC resources to export from this module
+# DscResourcesToExport = @()
+
+# List of all modules packaged with this module
+# ModuleList = @()
+
+# List of all files packaged with this module
+# FileList = @()
+
+# Private data to pass to the module specified in RootModule/ModuleToProcess. This may also contain a PSData hashtable with additional module metadata used by PowerShell.
+PrivateData = @{
+
+ PSData = @{
+
+ # Tags applied to this module. These help with module discovery in online galleries.
+ Tags = 'Azure','ResourceManager','ARM','Provider','SecurityInsights', 'AzureSentinel'
+
+ # A URL to the license for this module.
+ LicenseUri = 'https://aka.ms/azps-license'
+
+ # A URL to the main website for this project.
+ ProjectUri = 'https://github.com/Azure/azure-powershell'
+
+ # A URL to an icon representing this module.
+ # IconUri = ''
+
+ # ReleaseNotes of this module
+ ReleaseNotes = '* Initial Release'
+
+ # Prerelease string of this module
+ # Prerelease = ''
+
+ # Flag to indicate whether the module requires explicit user acceptance for install/update/save
+ # RequireLicenseAcceptance = $false
+
+ # External dependent modules of this module
+ # ExternalModuleDependencies = @()
+
+ } # End of PSData hashtable
+
+ } # End of PrivateData hashtable
+
+# HelpInfo URI of this module
+# HelpInfoURI = ''
+
+# Default prefix for commands exported from this module. Override the default prefix using Import-Module -Prefix.
+# DefaultCommandPrefix = ''
+
+}
+
diff --git a/src/SecurityInsights/SecurityInsights/ChangeLog.md b/src/SecurityInsights/SecurityInsights/ChangeLog.md
new file mode 100644
index 000000000000..0ed390ec20c9
--- /dev/null
+++ b/src/SecurityInsights/SecurityInsights/ChangeLog.md
@@ -0,0 +1,24 @@
+
+
+## Upcoming Release
+
+## Version 0.1.0
+* Initial Release
diff --git a/src/SecurityInsights/SecurityInsights/Cmdlets/Actions/GetAlertRuleActions.cs b/src/SecurityInsights/SecurityInsights/Cmdlets/Actions/GetAlertRuleActions.cs
new file mode 100644
index 000000000000..708e1c46bc1d
--- /dev/null
+++ b/src/SecurityInsights/SecurityInsights/Cmdlets/Actions/GetAlertRuleActions.cs
@@ -0,0 +1,65 @@
+// ----------------------------------------------------------------------------------
+//
+// Copyright Microsoft Corporation
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+// http://www.apache.org/licenses/LICENSE-2.0
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+// ------------------------------------
+
+using System;
+using System.Management.Automation;
+using Microsoft.Azure.Commands.SecurityInsights;
+using Microsoft.Azure.Commands.SecurityInsights.Common;
+using Microsoft.Azure.Commands.SecurityInsights.Models.Actions;
+using Microsoft.Azure.Commands.ResourceManager.Common.ArgumentCompleters;
+using Microsoft.Azure.Management.SecurityInsights;
+
+namespace Microsoft.Azure.Commands.SecurityInsights.Cmdlets.Actions
+{
+ [Cmdlet(VerbsCommon.Get, ResourceManager.Common.AzureRMConstants.AzureRMPrefix + "SentinelAlertRuleAction", DefaultParameterSetName = ParameterSetNames.AlertRuleId), OutputType(typeof(PSSentinelActionResponse))]
+ public class GetAlertRuleActions : SecurityInsightsCmdletBase
+ {
+ [Parameter(ParameterSetName = ParameterSetNames.AlertRuleId, Mandatory = true, HelpMessage = ParameterHelpMessages.ResourceGroupName)]
+ [Parameter(ParameterSetName = ParameterSetNames.ActionId, Mandatory = true, HelpMessage = ParameterHelpMessages.ActionId)]
+ [ResourceGroupCompleter]
+ [ValidateNotNullOrEmpty]
+ public string ResourceGroupName { get; set; }
+
+ [Parameter(ParameterSetName = ParameterSetNames.AlertRuleId, Mandatory = true, HelpMessage = ParameterHelpMessages.WorkspaceName)]
+ [Parameter(ParameterSetName = ParameterSetNames.ActionId, Mandatory = true, HelpMessage = ParameterHelpMessages.ActionId)]
+ [ValidateNotNullOrEmpty]
+ public string WorkspaceName { get; set; }
+
+ [Parameter(ParameterSetName = ParameterSetNames.AlertRuleId, Mandatory = true, HelpMessage = ParameterHelpMessages.IncidentId)]
+ [Parameter(ParameterSetName = ParameterSetNames.ActionId, Mandatory = true, HelpMessage = ParameterHelpMessages.ActionId)]
+ [ValidateNotNullOrEmpty]
+ public string AlertRuleId { get; set; }
+
+ [Parameter(ParameterSetName = ParameterSetNames.ActionId, Mandatory = true, HelpMessage = ParameterHelpMessages.ActionId)]
+ [ValidateNotNullOrEmpty]
+ public string ActionId { get; set; }
+
+ public override void ExecuteCmdlet()
+ {
+ switch (ParameterSetName)
+ {
+ case ParameterSetNames.AlertRuleId:
+ var actions = SecurityInsightsClient.Actions.ListByAlertRule(ResourceGroupName, WorkspaceName, AlertRuleId);
+ WriteObject(actions.ConvertToPSType(), enumerateCollection: true);
+ break;
+ case ParameterSetNames.ActionId:
+ var action = SecurityInsightsClient.AlertRules.GetAction(ResourceGroupName, WorkspaceName, AlertRuleId, ActionId);
+ WriteObject(action.ConvertToPSType(), enumerateCollection: false);
+ break;
+ default:
+ throw new PSInvalidOperationException();
+ }
+ }
+ }
+}
diff --git a/src/SecurityInsights/SecurityInsights/Cmdlets/Actions/NewAlertRuleActions.cs b/src/SecurityInsights/SecurityInsights/Cmdlets/Actions/NewAlertRuleActions.cs
new file mode 100644
index 000000000000..2b520f5a5ea5
--- /dev/null
+++ b/src/SecurityInsights/SecurityInsights/Cmdlets/Actions/NewAlertRuleActions.cs
@@ -0,0 +1,76 @@
+// ----------------------------------------------------------------------------------
+//
+// Copyright Microsoft Corporation
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+// http://www.apache.org/licenses/LICENSE-2.0
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+// ------------------------------------
+
+using System.Management.Automation;
+using Microsoft.Azure.Commands.SecurityInsights;
+using Microsoft.Azure.Commands.SecurityInsights.Common;
+using Microsoft.Azure.Commands.SecurityInsights.Models.AlertRules;
+using Microsoft.Azure.Commands.ResourceManager.Common.ArgumentCompleters;
+using System.Collections.Generic;
+using System;
+using Microsoft.Azure.Management.SecurityInsights.Models;
+using Microsoft.Azure.Commands.SecurityInsights.Models.Actions;
+using Microsoft.Azure.Management.SecurityInsights;
+
+namespace Microsoft.Azure.Commands.SecurityInsights.Cmdlets.Actions
+{
+ [Cmdlet(VerbsCommon.New, ResourceManager.Common.AzureRMConstants.AzureRMPrefix + "SentinelAlertRuleAction", DefaultParameterSetName = ParameterSetNames.ActionId, SupportsShouldProcess = true), OutputType(typeof(PSSentinelActionResponse))]
+ public class NewAlertRuleActions : SecurityInsightsCmdletBase
+ {
+ [Parameter(ParameterSetName = ParameterSetNames.ActionId, Mandatory = true, HelpMessage = ParameterHelpMessages.ResourceGroupName)]
+ [ResourceGroupCompleter]
+ [ValidateNotNullOrEmpty]
+ public string ResourceGroupName { get; set; }
+
+ [Parameter(ParameterSetName = ParameterSetNames.ActionId, Mandatory = true, HelpMessage = ParameterHelpMessages.WorkspaceName)]
+ [ValidateNotNullOrEmpty]
+ public string WorkspaceName { get; set; }
+
+ [Parameter(ParameterSetName = ParameterSetNames.ActionId, Mandatory = true, HelpMessage = ParameterHelpMessages.AlertRuleId)]
+ public string AlertRuleId { get; set; }
+
+ [Parameter(ParameterSetName = ParameterSetNames.ActionId, Mandatory = false, HelpMessage = ParameterHelpMessages.ActionId)]
+ public string ActionId { get; set; }
+
+ [Parameter(ParameterSetName = ParameterSetNames.ActionId, Mandatory = true, HelpMessage = ParameterHelpMessages.LogicAppResourceId)]
+ [ValidateNotNullOrEmpty]
+ public string LogicAppResourceId { get; set; }
+
+ [Parameter(ParameterSetName = ParameterSetNames.ActionId, Mandatory = true, HelpMessage = ParameterHelpMessages.TriggerUri)]
+ public string TriggerUri { get; set; }
+
+ public override void ExecuteCmdlet()
+ {
+ if (ActionId == null)
+ {
+ ActionId = Guid.NewGuid().ToString();
+ }
+
+ var name = ActionId;
+
+ ActionRequest action = new ActionRequest
+ {
+ LogicAppResourceId = LogicAppResourceId,
+ TriggerUri = TriggerUri
+ };
+
+ if (ShouldProcess(name, VerbsCommon.New))
+ {
+ var outputaction = SecurityInsightsClient.AlertRules.CreateOrUpdateAction(ResourceGroupName, WorkspaceName, AlertRuleId, name, action);
+
+ WriteObject(outputaction.ConvertToPSType(), enumerateCollection: false);
+ }
+ }
+ }
+}
diff --git a/src/SecurityInsights/SecurityInsights/Cmdlets/Actions/RemoveAlertRuleActions.cs b/src/SecurityInsights/SecurityInsights/Cmdlets/Actions/RemoveAlertRuleActions.cs
new file mode 100644
index 000000000000..243de6bc6af3
--- /dev/null
+++ b/src/SecurityInsights/SecurityInsights/Cmdlets/Actions/RemoveAlertRuleActions.cs
@@ -0,0 +1,90 @@
+// ----------------------------------------------------------------------------------
+//
+// Copyright Microsoft Corporation
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+// http://www.apache.org/licenses/LICENSE-2.0
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+// ------------------------------------
+
+using System.Management.Automation;
+using Microsoft.Azure.Commands.SecurityInsights;
+using Microsoft.Azure.Commands.SecurityInsights.Common;
+using Microsoft.Azure.Commands.SecurityInsights.Models.AlertRules;
+using Microsoft.Azure.Commands.ResourceManager.Common.ArgumentCompleters;
+using Microsoft.Azure.Commands.SecurityInsights.Models.Actions;
+using Microsoft.Azure.Management.SecurityInsights;
+
+namespace Microsoft.Azure.Commands.SecurityInsights.Cmdlets.Actions
+{
+ [Cmdlet(VerbsCommon.Remove, ResourceManager.Common.AzureRMConstants.AzureRMPrefix + "SentinelAlertRuleAction", DefaultParameterSetName = ParameterSetNames.ActionId, SupportsShouldProcess = true), OutputType(typeof(PSSentinelActionResponse))]
+ public class RemoveAlertRuleActions : SecurityInsightsCmdletBase
+ {
+ [Parameter(ParameterSetName = ParameterSetNames.ActionId, Mandatory = true, ValueFromPipelineByPropertyName = true, HelpMessage = ParameterHelpMessages.ResourceGroupName)]
+ [ValidateNotNullOrEmpty]
+ public string ResourceGroupName { get; set; }
+
+ [Parameter(ParameterSetName = ParameterSetNames.ActionId, Mandatory = true, ValueFromPipelineByPropertyName = true, HelpMessage = ParameterHelpMessages.WorkspaceName)]
+ [ValidateNotNullOrEmpty]
+ public string WorkspaceName { get; set; }
+
+ [Parameter(ParameterSetName = ParameterSetNames.ActionId, Mandatory = true, ValueFromPipelineByPropertyName = true, HelpMessage = ParameterHelpMessages.AlertRuleId)]
+ [ValidateNotNullOrEmpty]
+ public string AlertRuleId { get; set; }
+
+ [Parameter(ParameterSetName = ParameterSetNames.ActionId, Mandatory = true, HelpMessage = ParameterHelpMessages.ActionId)]
+ [ValidateNotNullOrEmpty]
+ public string ActionId { get; set; }
+
+ [Parameter(ParameterSetName = ParameterSetNames.InputObject, Mandatory = true, ValueFromPipeline = true, HelpMessage = ParameterHelpMessages.InputObject)]
+ [ValidateNotNullOrEmpty]
+ public PSSentinelActionResponse InputObject { get; set; }
+
+ [Parameter(Mandatory = false, HelpMessage = ParameterHelpMessages.PassThru)]
+ public SwitchParameter PassThru { get; set; }
+
+ public override void ExecuteCmdlet()
+ {
+ var name = ActionId;
+ var alertrule = AlertRuleId;
+ var resourcegroup = ResourceGroupName;
+ var workspacename = WorkspaceName;
+ switch (ParameterSetName)
+ {
+ case ParameterSetNames.ActionId:
+ break;
+ case ParameterSetNames.InputObject:
+ name = InputObject.Name;
+ alertrule = AzureIdUtilities.GetAlertRuleName(InputObject.Id);
+ workspacename = AzureIdUtilities.GetWorkspaceName(InputObject.Id);
+ resourcegroup = AzureIdUtilities.GetResourceGroup(InputObject.Id);
+ break;
+ default:
+ throw new PSInvalidOperationException();
+ }
+
+ if (ShouldProcess(name, VerbsCommon.Remove))
+ {
+ var result = SecurityInsightsClient.AlertRules.DeleteActionWithHttpMessagesAsync(resourcegroup, workspacename, alertrule, name).Result;
+ if (result.Response.StatusCode == (System.Net.HttpStatusCode)200)
+ {
+ System.Console.WriteLine("success");
+ }
+ else if (result.Response.StatusCode == (System.Net.HttpStatusCode)204)
+ {
+ System.Console.WriteLine("success");
+ }
+ }
+
+ if (PassThru.IsPresent)
+ {
+ WriteObject(true);
+ }
+ }
+ }
+}
diff --git a/src/SecurityInsights/SecurityInsights/Cmdlets/Actions/UpdateAlertRuleActions.cs b/src/SecurityInsights/SecurityInsights/Cmdlets/Actions/UpdateAlertRuleActions.cs
new file mode 100644
index 000000000000..4a28a0fe3dd6
--- /dev/null
+++ b/src/SecurityInsights/SecurityInsights/Cmdlets/Actions/UpdateAlertRuleActions.cs
@@ -0,0 +1,118 @@
+// ----------------------------------------------------------------------------------
+//
+// Copyright Microsoft Corporation
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+// http://www.apache.org/licenses/LICENSE-2.0
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+// ------------------------------------
+
+using System.Management.Automation;
+using Microsoft.Azure.Commands.SecurityInsights;
+using Microsoft.Azure.Commands.SecurityInsights.Common;
+using Microsoft.Azure.Commands.SecurityInsights.Models.Actions;
+using Microsoft.Azure.Commands.ResourceManager.Common.ArgumentCompleters;
+using System.Collections.Generic;
+using Microsoft.Azure.Management.SecurityInsights.Models;
+using Microsoft.Azure.Commands.SecurityInsights.Models.AlertRules;
+using Microsoft.WindowsAzure.Commands.Utilities.Common;
+using Microsoft.Azure.Management.Internal.Resources.Utilities.Models;
+using Microsoft.Azure.Management.SecurityInsights;
+using System;
+
+namespace Microsoft.Azure.Commands.SecurityInsights.Cmdlets.Actions
+{
+ [Cmdlet(VerbsData.Update, ResourceManager.Common.AzureRMConstants.AzureRMPrefix + "SentinelAlertRuleAction", DefaultParameterSetName = ParameterSetNames.ActionId, SupportsShouldProcess = true), OutputType(typeof(PSSentinelActionResponse))]
+ public class UpdateAlertRuleActions : SecurityInsightsCmdletBase
+ {
+ [Parameter(ParameterSetName = ParameterSetNames.ActionId, Mandatory = true, HelpMessage = ParameterHelpMessages.ResourceGroupName)]
+ [ResourceGroupCompleter]
+ [ValidateNotNullOrEmpty]
+ public string ResourceGroupName { get; set; }
+
+ [Parameter(ParameterSetName = ParameterSetNames.ActionId, Mandatory = true, HelpMessage = ParameterHelpMessages.WorkspaceName)]
+ [ValidateNotNullOrEmpty]
+ public string WorkspaceName { get; set; }
+
+ [Parameter(ParameterSetName = ParameterSetNames.ActionId, Mandatory = true, HelpMessage = ParameterHelpMessages.AlertRuleId)]
+ [ValidateNotNullOrEmpty]
+ public string AlertRuleId { get; set; }
+
+ [Parameter(ParameterSetName = ParameterSetNames.ActionId, Mandatory = true, HelpMessage = ParameterHelpMessages.ActionId)]
+ public string ActionId { get; set; }
+
+ [Parameter(Mandatory = true, ParameterSetName = ParameterSetNames.InputObject, HelpMessage = ParameterHelpMessages.LogicAppResourceId)]
+ [Parameter(Mandatory = true, ParameterSetName = ParameterSetNames.ResourceId, HelpMessage = ParameterHelpMessages.LogicAppResourceId)]
+ [Parameter(ParameterSetName = ParameterSetNames.ActionId, Mandatory = true, HelpMessage = ParameterHelpMessages.LogicAppResourceId)]
+ [ValidateNotNullOrEmpty]
+ public string LogicAppResourceId { get; set; }
+
+ [Parameter(Mandatory = true, ParameterSetName = ParameterSetNames.InputObject, HelpMessage = ParameterHelpMessages.TriggerUri)]
+ [Parameter(Mandatory = true, ParameterSetName = ParameterSetNames.ResourceId, HelpMessage = ParameterHelpMessages.TriggerUri)]
+ [Parameter(ParameterSetName = ParameterSetNames.ActionId, Mandatory = true, HelpMessage = ParameterHelpMessages.TriggerUri)]
+ public string TriggerUri { get; set; }
+
+
+
+ [Parameter(Mandatory = true, ValueFromPipeline = true, ParameterSetName = ParameterSetNames.InputObject, HelpMessage = ParameterHelpMessages.InputObject)]
+ [ValidateNotNull]
+ public PSSentinelActionResponse InputObject { get; set; }
+
+ [Parameter(Mandatory = true, ValueFromPipelineByPropertyName = true, ParameterSetName = ParameterSetNames.ResourceId, HelpMessage = ParameterHelpMessages.ResourceId)]
+ [ValidateNotNullOrEmpty]
+ public string ResourceId { get; set; }
+
+
+ public override void ExecuteCmdlet()
+ {
+ if (this.IsParameterBound(c => c.InputObject))
+ {
+ this.ResourceGroupName = AzureIdUtilities.GetResourceGroup(this.InputObject.Id);
+ this.WorkspaceName = AzureIdUtilities.GetWorkspaceName(this.InputObject.Id);
+ this.AlertRuleId = AzureIdUtilities.GetAlertRuleName(this.InputObject.Id);
+ this.ActionId = this.InputObject.Name;
+ }
+
+ if (this.IsParameterBound(c => c.ResourceId))
+ {
+ var resourceIdentifier = new ResourceIdentifier(this.ResourceId);
+ this.ResourceGroupName = resourceIdentifier.ResourceGroupName;
+ this.WorkspaceName = AzureIdUtilities.GetWorkspaceName(this.ResourceId);
+ this.AlertRuleId = AzureIdUtilities.GetAlertRuleName(this.ResourceId);
+ this.ActionId = resourceIdentifier.ResourceName;
+ }
+
+ PSSentinelActionResponse alertRuleAction = null;
+ try
+ {
+ alertRuleAction = this.SecurityInsightsClient.AlertRules.GetAction(ResourceGroupName, WorkspaceName, AlertRuleId, ActionId).ConvertToPSType();
+ }
+ catch
+ {
+ alertRuleAction = null;
+ }
+
+ if (alertRuleAction == null)
+ {
+ throw new Exception(string.Format("An Alert Rule Action with ActionId '{0}' for Alert Rule '{1}' in resource group '{2}' under workspace '{3}' does not exist. Please use New-AzSentinelAlertRuleAction to create an Alert Rule Action with these properties.", this.ActionId, this.AlertRuleId, this.ResourceGroupName, this.WorkspaceName));
+ }
+
+ PSSentinelActionRequest updateAlertRuleAction = new PSSentinelActionRequest
+ {
+ LogicAppResourceId = this.LogicAppResourceId,
+ TriggerUri = this.TriggerUri
+ };
+
+ if (this.ShouldProcess(this.ActionId, string.Format("Updating Action '{0}' for Alert Rule '{1}' in resource group '{2}' under workspace '{3}'.", this.ActionId, this.AlertRuleId, this.ResourceGroupName, this.WorkspaceName)))
+ {
+ var result = this.SecurityInsightsClient.AlertRules.CreateOrUpdateAction(this.ResourceGroupName, this.WorkspaceName, this.AlertRuleId, this.ActionId, updateAlertRuleAction.CreatePSType()).ConvertToPSType();
+ WriteObject(result);
+ }
+ }
+ }
+}
\ No newline at end of file
diff --git a/src/SecurityInsights/SecurityInsights/Cmdlets/AlertRuleTemplates/GetAlertRuleTemplates.cs b/src/SecurityInsights/SecurityInsights/Cmdlets/AlertRuleTemplates/GetAlertRuleTemplates.cs
new file mode 100644
index 000000000000..2c7a8ad0cd2b
--- /dev/null
+++ b/src/SecurityInsights/SecurityInsights/Cmdlets/AlertRuleTemplates/GetAlertRuleTemplates.cs
@@ -0,0 +1,85 @@
+// ----------------------------------------------------------------------------------
+//
+// Copyright Microsoft Corporation
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+// http://www.apache.org/licenses/LICENSE-2.0
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+// ------------------------------------
+
+using System;
+using System.Management.Automation;
+using Microsoft.Azure.Commands.SecurityInsights;
+using Microsoft.Azure.Commands.SecurityInsights.Common;
+using Microsoft.Azure.Commands.SecurityInsights.Models.AlertRuleTemplates;
+using Microsoft.Azure.Commands.ResourceManager.Common.ArgumentCompleters;
+using System.Linq;
+using Microsoft.Azure.Management.SecurityInsights;
+
+namespace Microsoft.Azure.Commands.SecurityInsights.Cmdlets.AlertRulesTemplates
+{
+ [Cmdlet(VerbsCommon.Get, ResourceManager.Common.AzureRMConstants.AzureRMPrefix + "SentinelAlertRuleTemplate", DefaultParameterSetName = ParameterSetNames.WorkspaceScope), OutputType(typeof(PSSentinelAlertRuleTemplate))]
+ public class GetAlertRuleTemplate : SecurityInsightsCmdletBase
+ {
+ private const int MaxAlertRulesToFetch = 1500;
+
+ [Parameter(ParameterSetName = ParameterSetNames.WorkspaceScope, Mandatory = true, HelpMessage = ParameterHelpMessages.ResourceGroupName)]
+ [Parameter(ParameterSetName = ParameterSetNames.AlertRuleTemplateId, Mandatory = true, HelpMessage = ParameterHelpMessages.ResourceGroupName)]
+ [ResourceGroupCompleter]
+ [ValidateNotNullOrEmpty]
+ public string ResourceGroupName { get; set; }
+
+ [Parameter(ParameterSetName = ParameterSetNames.WorkspaceScope, Mandatory = true, HelpMessage = ParameterHelpMessages.WorkspaceName)]
+ [Parameter(ParameterSetName = ParameterSetNames.AlertRuleTemplateId, Mandatory = true, HelpMessage = ParameterHelpMessages.WorkspaceName)]
+ [ValidateNotNullOrEmpty]
+ public string WorkspaceName { get; set; }
+
+ [Parameter(ParameterSetName = ParameterSetNames.AlertRuleTemplateId, Mandatory = true, ValueFromPipelineByPropertyName = true, HelpMessage = ParameterHelpMessages.AlertRuleTemplateId)]
+ [ValidateNotNullOrEmpty]
+ public string AlertRuleTemplateId { get; set; }
+
+ [Parameter(ParameterSetName = ParameterSetNames.ResourceId, Mandatory = true, ValueFromPipelineByPropertyName = true, HelpMessage = ParameterHelpMessages.ResourceId)]
+ [ValidateNotNullOrEmpty]
+ public string ResourceId { get; set; }
+
+ public override void ExecuteCmdlet()
+ {
+ int numberOfFetchedAlertRuleTemplates = 0;
+ string nextLink = null;
+ switch (ParameterSetName)
+ {
+ case ParameterSetNames.WorkspaceScope:
+ var alertruletemplates = SecurityInsightsClient.AlertRuleTemplates.List(ResourceGroupName, WorkspaceName);
+
+ int alertruletemplatecount = alertruletemplates.Count();
+ WriteObject(alertruletemplates.ConvertToPSType(), enumerateCollection: true);
+ numberOfFetchedAlertRuleTemplates += alertruletemplatecount;
+ nextLink = alertruletemplates?.NextPageLink;
+ while (!string.IsNullOrWhiteSpace(nextLink) && numberOfFetchedAlertRuleTemplates < MaxAlertRulesToFetch)
+ {
+ alertruletemplates = SecurityInsightsClient.AlertRuleTemplates.ListNext(alertruletemplates.NextPageLink);
+ alertruletemplatecount = alertruletemplates.Count();
+ WriteObject(alertruletemplates.ConvertToPSType(), enumerateCollection: true);
+ numberOfFetchedAlertRuleTemplates += alertruletemplatecount;
+ nextLink = alertruletemplates?.NextPageLink;
+ }
+ break;
+ case ParameterSetNames.AlertRuleTemplateId:
+ var alertruletemplate = SecurityInsightsClient.AlertRuleTemplates.Get(ResourceGroupName, WorkspaceName, AlertRuleTemplateId);
+ WriteObject(alertruletemplate.ConvertToPSType(), enumerateCollection: false);
+ break;
+ case ParameterSetNames.ResourceId:
+ alertruletemplate = SecurityInsightsClient.AlertRuleTemplates.Get(ResourceGroupName, WorkspaceName, AzureIdUtilities.GetResourceName(ResourceId));
+ WriteObject(alertruletemplate.ConvertToPSType(), enumerateCollection: false);
+ break;
+ default:
+ throw new PSInvalidOperationException();
+ }
+ }
+ }
+}
diff --git a/src/SecurityInsights/SecurityInsights/Cmdlets/AlertRules/GetAlertRules.cs b/src/SecurityInsights/SecurityInsights/Cmdlets/AlertRules/GetAlertRules.cs
new file mode 100644
index 000000000000..6e036860887d
--- /dev/null
+++ b/src/SecurityInsights/SecurityInsights/Cmdlets/AlertRules/GetAlertRules.cs
@@ -0,0 +1,85 @@
+// ----------------------------------------------------------------------------------
+//
+// Copyright Microsoft Corporation
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+// http://www.apache.org/licenses/LICENSE-2.0
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+// ------------------------------------
+
+using System;
+using System.Management.Automation;
+using Microsoft.Azure.Commands.SecurityInsights;
+using Microsoft.Azure.Commands.SecurityInsights.Common;
+using Microsoft.Azure.Commands.SecurityInsights.Models.AlertRules;
+using Microsoft.Azure.Commands.ResourceManager.Common.ArgumentCompleters;
+using System.Linq;
+using Microsoft.Azure.Management.SecurityInsights;
+
+namespace Microsoft.Azure.Commands.SecurityInsights.Cmdlets.AlertRules
+{
+ [Cmdlet(VerbsCommon.Get, ResourceManager.Common.AzureRMConstants.AzureRMPrefix + "SentinelAlertRule", DefaultParameterSetName = ParameterSetNames.WorkspaceScope), OutputType(typeof(PSSentinelAlertRule))]
+ public class GetIncidents : SecurityInsightsCmdletBase
+ {
+ private const int MaxAlertRulesToFetch = 1500;
+
+ [Parameter(ParameterSetName = ParameterSetNames.WorkspaceScope, Mandatory = true, HelpMessage = ParameterHelpMessages.ResourceGroupName)]
+ [Parameter(ParameterSetName = ParameterSetNames.AlertRuleId, Mandatory = true, HelpMessage = ParameterHelpMessages.ResourceGroupName)]
+ [ResourceGroupCompleter]
+ [ValidateNotNullOrEmpty]
+ public string ResourceGroupName { get; set; }
+
+ [Parameter(ParameterSetName = ParameterSetNames.WorkspaceScope, Mandatory = true, HelpMessage = ParameterHelpMessages.WorkspaceName)]
+ [Parameter(ParameterSetName = ParameterSetNames.AlertRuleId, Mandatory = true, HelpMessage = ParameterHelpMessages.WorkspaceName)]
+ [ValidateNotNullOrEmpty]
+ public string WorkspaceName { get; set; }
+
+ [Parameter(ParameterSetName = ParameterSetNames.AlertRuleId, Mandatory = true, ValueFromPipelineByPropertyName = true, HelpMessage = ParameterHelpMessages.IncidentId)]
+ [ValidateNotNullOrEmpty]
+ public string AlertRuleId { get; set; }
+
+ [Parameter(ParameterSetName = ParameterSetNames.ResourceId, Mandatory = true, ValueFromPipelineByPropertyName = true, HelpMessage = ParameterHelpMessages.ResourceId)]
+ [ValidateNotNullOrEmpty]
+ public string ResourceId { get; set; }
+
+ public override void ExecuteCmdlet()
+ {
+ int numberOfFetchedAlertRules = 0;
+ string nextLink = null;
+ switch (ParameterSetName)
+ {
+ case ParameterSetNames.WorkspaceScope:
+ var alertrules = SecurityInsightsClient.AlertRules.List(ResourceGroupName, WorkspaceName);
+
+ int alertrulescount = alertrules.Count();
+ WriteObject(alertrules.ConvertToPSType(), enumerateCollection: true);
+ numberOfFetchedAlertRules += alertrulescount;
+ nextLink = alertrules?.NextPageLink;
+ while (!string.IsNullOrWhiteSpace(nextLink) && numberOfFetchedAlertRules < MaxAlertRulesToFetch)
+ {
+ alertrules = SecurityInsightsClient.AlertRules.ListNext(alertrules.NextPageLink);
+ alertrulescount = alertrules.Count();
+ WriteObject(alertrules.ConvertToPSType(), enumerateCollection: true);
+ numberOfFetchedAlertRules += alertrulescount;
+ nextLink = alertrules?.NextPageLink;
+ }
+ break;
+ case ParameterSetNames.AlertRuleId:
+ var alertrule = SecurityInsightsClient.AlertRules.Get(ResourceGroupName, WorkspaceName, AlertRuleId);
+ WriteObject(alertrule.ConvertToPSType(), enumerateCollection: false);
+ break;
+ case ParameterSetNames.ResourceId:
+ alertrule = SecurityInsightsClient.AlertRules.Get(ResourceGroupName, WorkspaceName, AzureIdUtilities.GetResourceName(ResourceId));
+ WriteObject(alertrule.ConvertToPSType(), enumerateCollection: false);
+ break;
+ default:
+ throw new PSInvalidOperationException();
+ }
+ }
+ }
+}
diff --git a/src/SecurityInsights/SecurityInsights/Cmdlets/AlertRules/NewAlertRules.cs b/src/SecurityInsights/SecurityInsights/Cmdlets/AlertRules/NewAlertRules.cs
new file mode 100644
index 000000000000..720387f05284
--- /dev/null
+++ b/src/SecurityInsights/SecurityInsights/Cmdlets/AlertRules/NewAlertRules.cs
@@ -0,0 +1,202 @@
+// ----------------------------------------------------------------------------------
+//
+// Copyright Microsoft Corporation
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+// http://www.apache.org/licenses/LICENSE-2.0
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+// ------------------------------------
+
+using System.Management.Automation;
+using Microsoft.Azure.Commands.SecurityInsights;
+using Microsoft.Azure.Commands.SecurityInsights.Common;
+using Microsoft.Azure.Commands.SecurityInsights.Models.AlertRules;
+using Microsoft.Azure.Commands.ResourceManager.Common.ArgumentCompleters;
+using System.Collections.Generic;
+using Microsoft.Azure.Management.SecurityInsights.Models;
+using System;
+using Microsoft.Azure.Management.SecurityInsights;
+using Microsoft.Azure.Commands.Common.Compute.Version_2018_04.Models;
+
+namespace Microsoft.Azure.Commands.SecurityInsights.Cmdlets.AlertRules
+{
+ [Cmdlet(VerbsCommon.New, ResourceManager.Common.AzureRMConstants.AzureRMPrefix + "SentinelAlertRule", DefaultParameterSetName = ParameterSetNames.ScheduledAlertRule, SupportsShouldProcess = true), OutputType(typeof(PSSentinelAlertRule))]
+ public class NewAlertRules : SecurityInsightsCmdletBase
+ {
+ [Parameter(ParameterSetName = ParameterSetNames.FusionAlertRule, Mandatory = true, HelpMessage = ParameterHelpMessages.ResourceGroupName)]
+ [Parameter(ParameterSetName = ParameterSetNames.MicrosoftSecurityIncidentCreationRule, Mandatory = true, HelpMessage = ParameterHelpMessages.ResourceGroupName)]
+ [Parameter(ParameterSetName = ParameterSetNames.ScheduledAlertRule, Mandatory = true, HelpMessage = ParameterHelpMessages.ResourceGroupName)]
+ [ResourceGroupCompleter]
+ [ValidateNotNullOrEmpty]
+ public string ResourceGroupName { get; set; }
+
+ [Parameter(ParameterSetName = ParameterSetNames.FusionAlertRule, Mandatory = true, HelpMessage = ParameterHelpMessages.WorkspaceName)]
+ [Parameter(ParameterSetName = ParameterSetNames.MicrosoftSecurityIncidentCreationRule, Mandatory = true, HelpMessage = ParameterHelpMessages.WorkspaceName)]
+ [Parameter(ParameterSetName = ParameterSetNames.ScheduledAlertRule, Mandatory = true, HelpMessage = ParameterHelpMessages.WorkspaceName)]
+ [ValidateNotNullOrEmpty]
+ public string WorkspaceName { get; set; }
+
+ [Parameter(ParameterSetName = ParameterSetNames.ScheduledAlertRule, Mandatory = true, HelpMessage = ParameterHelpMessages.Kind)]
+ public SwitchParameter Scheduled { get; set; }
+
+ [Parameter(ParameterSetName = ParameterSetNames.MicrosoftSecurityIncidentCreationRule, Mandatory = true, HelpMessage = ParameterHelpMessages.Kind)]
+ public SwitchParameter MicrosoftSecurityIncidentCreation { get; set; }
+
+ [Parameter(ParameterSetName = ParameterSetNames.FusionAlertRule, Mandatory = true, HelpMessage = ParameterHelpMessages.Kind)]
+ public SwitchParameter Fusion { get; set; }
+
+ [Parameter(ParameterSetName = ParameterSetNames.FusionAlertRule, Mandatory = false, HelpMessage = ParameterHelpMessages.AlertRuleId)]
+ [Parameter(ParameterSetName = ParameterSetNames.MicrosoftSecurityIncidentCreationRule, Mandatory = false, HelpMessage = ParameterHelpMessages.AlertRuleId)]
+ [Parameter(ParameterSetName = ParameterSetNames.ScheduledAlertRule, Mandatory = false, HelpMessage = ParameterHelpMessages.AlertRuleId)]
+ public string AlertRuleId { get; set; }
+
+ [Parameter(ParameterSetName = ParameterSetNames.FusionAlertRule, Mandatory = true, HelpMessage = ParameterHelpMessages.AlertRuleTemplateName)]
+ [Parameter(ParameterSetName = ParameterSetNames.MicrosoftSecurityIncidentCreationRule, Mandatory = false, HelpMessage = ParameterHelpMessages.AlertRuleTemplateName)]
+ [Parameter(ParameterSetName = ParameterSetNames.ScheduledAlertRule, Mandatory = false, HelpMessage = ParameterHelpMessages.AlertRuleTemplateName)]
+ [ValidateNotNullOrEmpty]
+ public string AlertRuleTemplateName { get; set; }
+
+ [Parameter(ParameterSetName = ParameterSetNames.FusionAlertRule, Mandatory = false, HelpMessage = ParameterHelpMessages.Enabled)]
+ [Parameter(ParameterSetName = ParameterSetNames.MicrosoftSecurityIncidentCreationRule, Mandatory = false, HelpMessage = ParameterHelpMessages.Enabled)]
+ [Parameter(ParameterSetName = ParameterSetNames.ScheduledAlertRule, Mandatory = false, HelpMessage = ParameterHelpMessages.Enabled)]
+ public SwitchParameter Enabled { get; set; }
+
+ [Parameter(ParameterSetName = ParameterSetNames.MicrosoftSecurityIncidentCreationRule, Mandatory = true, HelpMessage = ParameterHelpMessages.DisplayName)]
+ [Parameter(ParameterSetName = ParameterSetNames.ScheduledAlertRule, Mandatory = true, HelpMessage = ParameterHelpMessages.DisplayName)]
+ [ValidateNotNullOrEmpty]
+ public string DisplayName { get; set; }
+
+ [Parameter(ParameterSetName = ParameterSetNames.MicrosoftSecurityIncidentCreationRule, Mandatory = true, HelpMessage = ParameterHelpMessages.ProductFilter)]
+ [ValidateNotNullOrEmpty]
+ [ValidateSet("Azure Active Directory Identity Protection", "Azure Advanced Threat Protection", "Azure Security Center", "Azure Security Center for IoT", "Microsoft Cloud App Security", "Microsoft Defender Advanced Threat Protection", "Office 365 Advanced Threat Protection")]
+ public string ProductFilter { get; set; }
+
+ [Parameter(ParameterSetName = ParameterSetNames.MicrosoftSecurityIncidentCreationRule, Mandatory = false, HelpMessage = ParameterHelpMessages.Description)]
+ [Parameter(ParameterSetName = ParameterSetNames.ScheduledAlertRule, Mandatory = false, HelpMessage = ParameterHelpMessages.Description)]
+ [ValidateNotNullOrEmpty]
+ public string Description { get; set; }
+
+ [Parameter(ParameterSetName = ParameterSetNames.MicrosoftSecurityIncidentCreationRule, Mandatory = false, HelpMessage = ParameterHelpMessages.DisplayNamesExcludeFilter)]
+ [ValidateNotNullOrEmpty]
+ public IList DisplayNamesExcludeFilter { get; set; }
+
+ [Parameter(ParameterSetName = ParameterSetNames.MicrosoftSecurityIncidentCreationRule, Mandatory = false, HelpMessage = ParameterHelpMessages.DisplayNamesFilter)]
+ [ValidateNotNullOrEmpty]
+ public IList DisplayNamesFilter { get; set; }
+
+ [Parameter(ParameterSetName = ParameterSetNames.MicrosoftSecurityIncidentCreationRule, Mandatory = false, HelpMessage = ParameterHelpMessages.SeveritiesFilter)]
+ [ValidateNotNullOrEmpty]
+ public IList SeveritiesFilter { get; set; }
+
+ [Parameter(ParameterSetName = ParameterSetNames.ScheduledAlertRule, Mandatory = false, HelpMessage = ParameterHelpMessages.SuppressionDuration)]
+ [ValidateNotNullOrEmpty]
+ public TimeSpan SuppressionDuration { get; set; }
+
+ [Parameter(ParameterSetName = ParameterSetNames.ScheduledAlertRule, Mandatory = false, HelpMessage = ParameterHelpMessages.SuppressionEnabled)]
+ public SwitchParameter SuppressionEnabled { get; set; }
+
+ [Parameter(ParameterSetName = ParameterSetNames.ScheduledAlertRule, Mandatory = true, HelpMessage = ParameterHelpMessages.Query)]
+ [ValidateNotNullOrEmpty]
+ public string Query { get; set; }
+
+ [Parameter(ParameterSetName = ParameterSetNames.ScheduledAlertRule, Mandatory = true, HelpMessage = ParameterHelpMessages.QueryFrequency)]
+ [ValidateNotNullOrEmpty]
+ public TimeSpan? QueryFrequency { get; set; }
+
+ [Parameter(ParameterSetName = ParameterSetNames.ScheduledAlertRule, Mandatory = true, HelpMessage = ParameterHelpMessages.QueryPeriod)]
+ [ValidateNotNullOrEmpty]
+ public TimeSpan? QueryPeriod { get; set; }
+
+ [Parameter(ParameterSetName = ParameterSetNames.ScheduledAlertRule, Mandatory = true, HelpMessage = ParameterHelpMessages.Severity)]
+ [ValidateSet("High", "Informational", "Low", "Medium")]
+ [ValidateNotNullOrEmpty]
+ public string Severity { get; set; }
+
+ [Parameter(ParameterSetName = ParameterSetNames.ScheduledAlertRule, Mandatory = false, HelpMessage = ParameterHelpMessages.Tactics)]
+ [ValidateNotNullOrEmpty]
+ public IList Tactic { get; set; }
+
+ [Parameter(ParameterSetName = ParameterSetNames.ScheduledAlertRule, Mandatory = false, HelpMessage = ParameterHelpMessages.TriggerOperator)]
+ [ValidateSet("Equal", "GreaterThan", "LessThan", "NotEqual")]
+ [ValidateNotNullOrEmpty]
+ public TriggerOperator TriggerOperator { get; set; }
+
+ [Parameter(ParameterSetName = ParameterSetNames.ScheduledAlertRule, Mandatory = true, HelpMessage = ParameterHelpMessages.TriggerThreshold)]
+ [ValidateNotNullOrEmpty]
+ public int? TriggerThreshold { get; set; }
+
+
+ public override void ExecuteCmdlet()
+ {
+
+ if(AlertRuleId == null)
+ {
+ AlertRuleId = Guid.NewGuid().ToString();
+ }
+ if(SuppressionEnabled == false)
+ {
+ SuppressionDuration = new TimeSpan(1, 00, 00);
+ }
+
+ var name = AlertRuleId;
+ if (ShouldProcess(name, VerbsCommon.New))
+ {
+
+ switch(ParameterSetName)
+ {
+ case ParameterSetNames.FusionAlertRule:
+ FusionAlertRule fusionalertrule = new FusionAlertRule
+ {
+ AlertRuleTemplateName = AlertRuleTemplateName,
+ Enabled = Enabled
+ };
+ var outputfusionalertrule = SecurityInsightsClient.AlertRules.CreateOrUpdate(ResourceGroupName, WorkspaceName, name, fusionalertrule);
+ WriteObject(outputfusionalertrule.ConvertToPSType(), enumerateCollection: false);
+ break;
+ case ParameterSetNames.MicrosoftSecurityIncidentCreationRule:
+ MicrosoftSecurityIncidentCreationAlertRule msicalertrule = new MicrosoftSecurityIncidentCreationAlertRule
+ {
+ DisplayName = DisplayName,
+ Enabled = Enabled,
+ ProductFilter = ProductFilter,
+ AlertRuleTemplateName = AlertRuleTemplateName,
+ Description = Description,
+ DisplayNamesExcludeFilter = DisplayNamesExcludeFilter,
+ DisplayNamesFilter = DisplayNamesFilter,
+ SeveritiesFilter = SeveritiesFilter
+ };
+ var outputmsicalertrule = SecurityInsightsClient.AlertRules.CreateOrUpdate(ResourceGroupName, WorkspaceName, name, msicalertrule);
+ WriteObject(outputmsicalertrule.ConvertToPSType(), enumerateCollection: false);
+ break;
+ case ParameterSetNames.ScheduledAlertRule:
+ ScheduledAlertRule scheduledalertrule = new ScheduledAlertRule
+ {
+ DisplayName = DisplayName,
+ Enabled = Enabled,
+ SuppressionDuration = SuppressionDuration,
+ SuppressionEnabled = SuppressionEnabled,
+ AlertRuleTemplateName = AlertRuleTemplateName,
+ Description = Description,
+ Query = Query,
+ QueryFrequency = QueryFrequency,
+ QueryPeriod = QueryPeriod,
+ Severity = Severity,
+ Tactics = Tactic,
+ TriggerOperator = TriggerOperator,
+ TriggerThreshold = TriggerThreshold
+ };
+ var outputscheduledalertrule = SecurityInsightsClient.AlertRules.CreateOrUpdate(ResourceGroupName, WorkspaceName, name, scheduledalertrule);
+ WriteObject(outputscheduledalertrule.ConvertToPSType(), enumerateCollection: false);
+ break;
+ default:
+ throw new PSInvalidOperationException();
+ }
+ }
+ }
+ }
+}
diff --git a/src/SecurityInsights/SecurityInsights/Cmdlets/AlertRules/RemoveAlertRules.cs b/src/SecurityInsights/SecurityInsights/Cmdlets/AlertRules/RemoveAlertRules.cs
new file mode 100644
index 000000000000..37fa5ec08044
--- /dev/null
+++ b/src/SecurityInsights/SecurityInsights/Cmdlets/AlertRules/RemoveAlertRules.cs
@@ -0,0 +1,80 @@
+// ----------------------------------------------------------------------------------
+//
+// Copyright Microsoft Corporation
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+// http://www.apache.org/licenses/LICENSE-2.0
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+// ------------------------------------
+
+using System.Management.Automation;
+using Microsoft.Azure.Commands.SecurityInsights;
+using Microsoft.Azure.Commands.SecurityInsights.Common;
+using Microsoft.Azure.Commands.SecurityInsights.Models.AlertRules;
+using Microsoft.Azure.Commands.ResourceManager.Common.ArgumentCompleters;
+using Microsoft.Azure.Management.SecurityInsights;
+
+namespace Microsoft.Azure.Commands.SecurityInsights.Cmdlets.AlertRules
+{
+ [Cmdlet(VerbsCommon.Remove, ResourceManager.Common.AzureRMConstants.AzureRMPrefix + "SentinelAlertRule", DefaultParameterSetName = ParameterSetNames.AlertRuleId, SupportsShouldProcess = true), OutputType(typeof(PSSentinelAlertRule))]
+ public class RemoveAlertRules : SecurityInsightsCmdletBase
+ {
+ [Parameter(ParameterSetName = ParameterSetNames.AlertRuleId, Mandatory = true, ValueFromPipelineByPropertyName = true, HelpMessage = ParameterHelpMessages.ResourceGroupName)]
+ [ValidateNotNullOrEmpty]
+ public string ResourceGroupName { get; set; }
+
+ [Parameter(ParameterSetName = ParameterSetNames.AlertRuleId, Mandatory = true, ValueFromPipelineByPropertyName = true, HelpMessage = ParameterHelpMessages.WorkspaceName)]
+ [ValidateNotNullOrEmpty]
+ public string WorkspaceName { get; set; }
+
+ [Parameter(ParameterSetName = ParameterSetNames.AlertRuleId, Mandatory = true, ValueFromPipelineByPropertyName = true, HelpMessage = ParameterHelpMessages.AlertRuleId)]
+ [ValidateNotNullOrEmpty]
+ public string AlertRuleId { get; set; }
+
+ [Parameter(ParameterSetName = ParameterSetNames.InputObject, Mandatory = true, ValueFromPipeline = true, HelpMessage = ParameterHelpMessages.InputObject)]
+ [ValidateNotNullOrEmpty]
+ public PSSentinelAlertRule InputObject { get; set; }
+
+ [Parameter(Mandatory = false, HelpMessage = ParameterHelpMessages.PassThru)]
+ public SwitchParameter PassThru { get; set; }
+
+ public override void ExecuteCmdlet()
+ {
+ var name = AlertRuleId;
+
+ switch (ParameterSetName)
+ {
+ case ParameterSetNames.AlertRuleId:
+ break;
+ case ParameterSetNames.InputObject:
+ name = InputObject.Name;
+ break;
+ default:
+ throw new PSInvalidOperationException();
+ }
+
+ if (ShouldProcess(name, VerbsCommon.Remove))
+ {
+ var result = SecurityInsightsClient.AlertRules.DeleteWithHttpMessagesAsync(ResourceGroupName, WorkspaceName, name).Result;
+ if (result.Response.StatusCode == (System.Net.HttpStatusCode)200)
+ {
+ System.Console.WriteLine("success");
+ }
+ else if(result.Response.StatusCode == (System.Net.HttpStatusCode)204)
+ {
+ System.Console.WriteLine("success");
+ }
+ }
+
+ if (PassThru.IsPresent)
+ {
+ WriteObject(true);
+ }
+ }
+ }
+}
diff --git a/src/SecurityInsights/SecurityInsights/Cmdlets/AlertRules/UpdateAlertRules.cs b/src/SecurityInsights/SecurityInsights/Cmdlets/AlertRules/UpdateAlertRules.cs
new file mode 100644
index 000000000000..777cfa73b072
--- /dev/null
+++ b/src/SecurityInsights/SecurityInsights/Cmdlets/AlertRules/UpdateAlertRules.cs
@@ -0,0 +1,262 @@
+// ----------------------------------------------------------------------------------
+//
+// Copyright Microsoft Corporation
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+// http://www.apache.org/licenses/LICENSE-2.0
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+// ------------------------------------
+
+using System.Management.Automation;
+using Microsoft.Azure.Commands.SecurityInsights;
+using Microsoft.Azure.Commands.SecurityInsights.Common;
+using Microsoft.Azure.Commands.SecurityInsights.Models.AlertRules;
+using Microsoft.Azure.Commands.ResourceManager.Common.ArgumentCompleters;
+using System.Collections.Generic;
+using Microsoft.Azure.Management.SecurityInsights.Models;
+using Microsoft.WindowsAzure.Commands.Utilities.Common;
+using Microsoft.Azure.Management.Internal.Resources.Utilities.Models;
+using Microsoft.Azure.Management.SecurityInsights;
+using System;
+
+namespace Microsoft.Azure.Commands.SecurityInsights.Cmdlets.Actions
+{
+ [Cmdlet(VerbsData.Update, ResourceManager.Common.AzureRMConstants.AzureRMPrefix + "SentinelAlertRule", DefaultParameterSetName = ParameterSetNames.AlertRuleId, SupportsShouldProcess = true), OutputType(typeof(PSSentinelAlertRule))]
+ public class UpdateAlertRules : SecurityInsightsCmdletBase
+ {
+ [Parameter(ParameterSetName = ParameterSetNames.AlertRuleId, Mandatory = true, HelpMessage = ParameterHelpMessages.ResourceGroupName)]
+ [ResourceGroupCompleter]
+ [ValidateNotNullOrEmpty]
+ public string ResourceGroupName { get; set; }
+
+ [Parameter(ParameterSetName = ParameterSetNames.AlertRuleId, Mandatory = true, HelpMessage = ParameterHelpMessages.WorkspaceName)]
+ [ValidateNotNullOrEmpty]
+ public string WorkspaceName { get; set; }
+
+ [Parameter(ParameterSetName = ParameterSetNames.AlertRuleId, Mandatory = true, HelpMessage = ParameterHelpMessages.AlertRuleId)]
+ [ValidateNotNullOrEmpty]
+ public string AlertRuleId { get; set; }
+
+ [Parameter(Mandatory = false, HelpMessage = ParameterHelpMessages.AlertRuleTemplateName)]
+ [ValidateNotNullOrEmpty]
+ public string AlertRuleTemplateName { get; set; }
+
+ [Parameter(Mandatory = false, HelpMessage = ParameterHelpMessages.Enabled)]
+ [ValidateNotNullOrEmpty]
+ public SwitchParameter Enabled { get; set; }
+
+ [Parameter(Mandatory = false, HelpMessage = ParameterHelpMessages.Disabled)]
+ [ValidateNotNullOrEmpty]
+ public SwitchParameter Disabled { get; set; }
+
+ [Parameter(Mandatory = false, HelpMessage = ParameterHelpMessages.DisplayName)]
+ [ValidateNotNullOrEmpty]
+ public string DisplayName { get; set; }
+
+ [Parameter(Mandatory = false, HelpMessage = ParameterHelpMessages.ProductFilter)]
+ [ValidateNotNullOrEmpty]
+ [ValidateSet("Azure Active Directory Identity Protection", "Azure Advanced Threat Protection", "Azure Security Center", "Azure Security Center for IoT", "Microsoft Cloud App Security", "Microsoft Defender Advanced Threat Protection", "Office 365 Advanced Threat Protection")]
+ public string ProductFilter { get; set; }
+
+ [Parameter(Mandatory = false, HelpMessage = ParameterHelpMessages.Description)]
+ [ValidateNotNullOrEmpty]
+ public string Description { get; set; }
+
+ [Parameter(Mandatory = false, HelpMessage = ParameterHelpMessages.DisplayNamesExcludeFilter)]
+ [ValidateNotNullOrEmpty]
+ public IList DisplayNamesExcludeFilter { get; set; }
+
+ [Parameter(Mandatory = false, HelpMessage = ParameterHelpMessages.DisplayNamesFilter)]
+ [ValidateNotNullOrEmpty]
+ public IList DisplayNamesFilter { get; set; }
+
+ [Parameter(Mandatory = false, HelpMessage = ParameterHelpMessages.SeveritiesFilter)]
+ [ValidateNotNullOrEmpty]
+ public IList SeveritiesFilter { get; set; }
+
+ [Parameter(Mandatory = false, HelpMessage = ParameterHelpMessages.SuppressionDuration)]
+ [ValidateNotNullOrEmpty]
+ public TimeSpan SuppressionDuration { get; set; }
+
+ [Parameter(Mandatory = false, HelpMessage = ParameterHelpMessages.SuppressionEnabled)]
+ public SwitchParameter SuppressionEnabled { get; set; }
+
+ [Parameter(Mandatory = false, HelpMessage = ParameterHelpMessages.SuppressionDisabled)]
+ public SwitchParameter SuppressionDisabled { get; set; }
+
+ [Parameter(Mandatory = false, HelpMessage = ParameterHelpMessages.Query)]
+ [ValidateNotNullOrEmpty]
+ public string Query { get; set; }
+
+ [Parameter(Mandatory = false, HelpMessage = ParameterHelpMessages.QueryFrequency)]
+ [ValidateNotNullOrEmpty]
+ public TimeSpan? QueryFrequency { get; set; }
+
+ [Parameter(Mandatory = false, HelpMessage = ParameterHelpMessages.QueryPeriod)]
+ [ValidateNotNullOrEmpty]
+ public TimeSpan? QueryPeriod { get; set; }
+
+ [Parameter(Mandatory = false, HelpMessage = ParameterHelpMessages.Severity)]
+ [ValidateNotNullOrEmpty]
+ public string Severity { get; set; }
+
+ [Parameter(Mandatory = false, HelpMessage = ParameterHelpMessages.Tactics)]
+ [ValidateNotNullOrEmpty]
+ public IList Tactic { get; set; }
+
+ [Parameter(Mandatory = false, HelpMessage = ParameterHelpMessages.TriggerOperator)]
+ [ValidateNotNullOrEmpty]
+ public TriggerOperator TriggerOperator { get; set; }
+
+ [Parameter(Mandatory = false, HelpMessage = ParameterHelpMessages.TriggerThreshold)]
+ [ValidateNotNullOrEmpty]
+ public int? TriggerThreshold { get; set; }
+
+
+ [Parameter(Mandatory = true, ValueFromPipeline = true, ParameterSetName = ParameterSetNames.InputObject, HelpMessage = ParameterHelpMessages.InputObject)]
+ [ValidateNotNull]
+ public PSSentinelAlertRule InputObject { get; set; }
+
+ [Parameter(Mandatory = true, ValueFromPipelineByPropertyName = true, ParameterSetName = ParameterSetNames.ResourceId, HelpMessage = ParameterHelpMessages.ResourceId)]
+ [ValidateNotNullOrEmpty]
+ public string ResourceId { get; set; }
+
+
+ public override void ExecuteCmdlet()
+ {
+
+ if (this.IsParameterBound(c => c.InputObject))
+ {
+ this.ResourceGroupName = AzureIdUtilities.GetResourceGroup(this.InputObject.Id);
+ this.WorkspaceName = AzureIdUtilities.GetWorkspaceName(this.InputObject.Id);
+ this.AlertRuleId = this.InputObject.Name;
+ }
+
+ if (this.IsParameterBound(c => c.ResourceId))
+ {
+ var resourceIdentifier = new ResourceIdentifier(this.ResourceId);
+ this.ResourceGroupName = resourceIdentifier.ResourceGroupName;
+ this.WorkspaceName = AzureIdUtilities.GetWorkspaceName(this.ResourceId);
+ this.AlertRuleId = resourceIdentifier.ResourceName;
+ }
+
+ PSSentinelAlertRule alertRule = null;
+ try
+ {
+ alertRule = this.SecurityInsightsClient.AlertRules.Get(ResourceGroupName, WorkspaceName, AlertRuleId).ConvertToPSType();
+ }
+ catch
+ {
+ alertRule = null;
+ }
+
+ if (alertRule == null)
+ {
+ throw new Exception(string.Format("An Alert Rule with AlertRuleId '{0}' in resource group '{1}' under workspace '{2}' does not exist. Please use New-AzSentinelAlertRule to create an Alert Rule Action with these properties.", this.AlertRuleId, this.ResourceGroupName, this.WorkspaceName));
+ }
+
+ if(alertRule.Kind == "Fusion")
+ {
+ var convertedFusionAlertRule = alertRule as PSSentinelFusionAlertRule;
+
+ convertedFusionAlertRule.Etag = convertedFusionAlertRule.Etag;
+ convertedFusionAlertRule.AlertRuleTemplateName = this.IsParameterBound(c => c.AlertRuleTemplateName) ? this.AlertRuleTemplateName : convertedFusionAlertRule.AlertRuleTemplateName;
+ if (this.IsParameterBound(c => c.Enabled))
+ {
+ convertedFusionAlertRule.Enabled = true;
+ }
+ else if (this.IsParameterBound(c => c.Disabled))
+ {
+ convertedFusionAlertRule.Enabled = false;
+ }
+ else
+ {
+ convertedFusionAlertRule.Enabled = convertedFusionAlertRule.Enabled;
+ }
+
+ var alertule = convertedFusionAlertRule;
+ };
+ if(alertRule.Kind == "MicrosoftSecurityIncidentCreationRule")
+ {
+ var convertedMicrosoftSecurityIncidentCreationAlertRule = alertRule as PSSentinelMicrosoftSecurityIncidentCreationRule;
+
+ convertedMicrosoftSecurityIncidentCreationAlertRule.Etag = convertedMicrosoftSecurityIncidentCreationAlertRule.Etag;
+ convertedMicrosoftSecurityIncidentCreationAlertRule.DisplayName = this.IsParameterBound(c => c.DisplayName) ? this.DisplayName : convertedMicrosoftSecurityIncidentCreationAlertRule.DisplayName;
+ if (this.IsParameterBound(c => c.Enabled))
+ {
+ convertedMicrosoftSecurityIncidentCreationAlertRule.Enabled = true;
+ }
+ else if (this.IsParameterBound(c => c.Disabled))
+ {
+ convertedMicrosoftSecurityIncidentCreationAlertRule.Enabled = false;
+ }
+ else
+ {
+ convertedMicrosoftSecurityIncidentCreationAlertRule.Enabled = convertedMicrosoftSecurityIncidentCreationAlertRule.Enabled;
+ }
+ convertedMicrosoftSecurityIncidentCreationAlertRule.Description = this.IsParameterBound(c => c.Description) ? this.Description : convertedMicrosoftSecurityIncidentCreationAlertRule.Description;
+ convertedMicrosoftSecurityIncidentCreationAlertRule.AlertRuleTemplateName = this.IsParameterBound(c => c.AlertRuleTemplateName) ? this.AlertRuleTemplateName : convertedMicrosoftSecurityIncidentCreationAlertRule.AlertRuleTemplateName;
+ convertedMicrosoftSecurityIncidentCreationAlertRule.ProductFilter = this.IsParameterBound(c => c.ProductFilter) ? this.ProductFilter : convertedMicrosoftSecurityIncidentCreationAlertRule.ProductFilter;
+ convertedMicrosoftSecurityIncidentCreationAlertRule.DisplayNamesExcludeFilter = this.IsParameterBound(c => c.DisplayNamesExcludeFilter) ? this.DisplayNamesExcludeFilter : convertedMicrosoftSecurityIncidentCreationAlertRule.DisplayNamesExcludeFilter;
+ convertedMicrosoftSecurityIncidentCreationAlertRule.DisplayNamesFilter = this.IsParameterBound(c => c.DisplayNamesFilter) ? this.DisplayNamesFilter : convertedMicrosoftSecurityIncidentCreationAlertRule.DisplayNamesFilter;
+ convertedMicrosoftSecurityIncidentCreationAlertRule.SeveritiesFilter = this.IsParameterBound(c => c.SeveritiesFilter) ? this.SeveritiesFilter : convertedMicrosoftSecurityIncidentCreationAlertRule.SeveritiesFilter;
+
+ var alertule = convertedMicrosoftSecurityIncidentCreationAlertRule;
+ };
+ if (alertRule.Kind == "Scheduled")
+ {
+ var convertedScheduledAlertRule = alertRule as PSSentinelScheduledAlertRule;
+
+ convertedScheduledAlertRule.Etag = convertedScheduledAlertRule.Etag;
+ convertedScheduledAlertRule.DisplayName = this.IsParameterBound(c => c.DisplayName) ? this.DisplayName : convertedScheduledAlertRule.DisplayName;
+ if (this.IsParameterBound(c => c.Enabled))
+ {
+ convertedScheduledAlertRule.Enabled = true;
+ }
+ else if (this.IsParameterBound(c => c.Disabled))
+ {
+ convertedScheduledAlertRule.Enabled = false;
+ }
+ else
+ {
+ convertedScheduledAlertRule.Enabled = convertedScheduledAlertRule.Enabled;
+ }
+ convertedScheduledAlertRule.SuppressionDuration = this.IsParameterBound(c => c.SuppressionDuration) ? this.SuppressionDuration : convertedScheduledAlertRule.SuppressionDuration;
+ if (this.IsParameterBound(c => c.SuppressionEnabled))
+ {
+ convertedScheduledAlertRule.SuppressionEnabled = true;
+ }
+ else if (this.IsParameterBound(c => c.SuppressionDisabled))
+ {
+ convertedScheduledAlertRule.SuppressionEnabled = false;
+ }
+ else
+ {
+ convertedScheduledAlertRule.SuppressionEnabled = convertedScheduledAlertRule.SuppressionEnabled;
+ }
+ convertedScheduledAlertRule.AlertRuleTemplateName = this.IsParameterBound(c => c.AlertRuleTemplateName) ? this.AlertRuleTemplateName : convertedScheduledAlertRule.AlertRuleTemplateName;
+ convertedScheduledAlertRule.Description = this.IsParameterBound(c => c.Description) ? this.Description : convertedScheduledAlertRule.Description;
+ convertedScheduledAlertRule.Query = this.IsParameterBound(c => c.Query) ? this.Query : convertedScheduledAlertRule.Query;
+ convertedScheduledAlertRule.QueryFrequency = this.IsParameterBound(c => c.QueryFrequency) ? this.QueryFrequency : convertedScheduledAlertRule.QueryFrequency;
+ convertedScheduledAlertRule.QueryPeriod = this.IsParameterBound(c => c.QueryPeriod) ? this.QueryPeriod : convertedScheduledAlertRule.QueryPeriod;
+ convertedScheduledAlertRule.Severity = this.IsParameterBound(c => c.Severity) ? this.Severity : convertedScheduledAlertRule.Severity;
+ convertedScheduledAlertRule.Tactics = this.IsParameterBound(c => c.Tactic) ? this.Tactic : convertedScheduledAlertRule.Tactics;
+ convertedScheduledAlertRule.TriggerOperator = this.IsParameterBound(c => c.TriggerOperator) ? this.TriggerOperator : convertedScheduledAlertRule.TriggerOperator;
+ convertedScheduledAlertRule.TriggerThreshold = this.IsParameterBound(c => c.TriggerThreshold) ? this.TriggerThreshold : convertedScheduledAlertRule.TriggerThreshold;
+
+ var alertule = convertedScheduledAlertRule;
+ };
+
+ if (this.ShouldProcess(this.AlertRuleId, string.Format("Updating Alert Rule '{0}' in resource group '{1}' under workspace '{2}'.", this.AlertRuleId, this.ResourceGroupName, this.WorkspaceName)))
+ {
+ var result = this.SecurityInsightsClient.AlertRules.CreateOrUpdate(this.ResourceGroupName, this.WorkspaceName, this.AlertRuleId, alertRule.CreatePSStype()).ConvertToPSType();
+ WriteObject(result);
+ }
+ }
+ }
+}
\ No newline at end of file
diff --git a/src/SecurityInsights/SecurityInsights/Cmdlets/Bookmarks/GetBookmarks.cs b/src/SecurityInsights/SecurityInsights/Cmdlets/Bookmarks/GetBookmarks.cs
new file mode 100644
index 000000000000..5343fc828e98
--- /dev/null
+++ b/src/SecurityInsights/SecurityInsights/Cmdlets/Bookmarks/GetBookmarks.cs
@@ -0,0 +1,84 @@
+// ----------------------------------------------------------------------------------
+//
+// Copyright Microsoft Corporation
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+// http://www.apache.org/licenses/LICENSE-2.0
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+// ------------------------------------
+
+using System;
+using System.Management.Automation;
+using Microsoft.Azure.Commands.SecurityInsights;
+using Microsoft.Azure.Commands.SecurityInsights.Common;
+using Microsoft.Azure.Commands.SecurityInsights.Models.Bookmarks;
+using Microsoft.Azure.Commands.ResourceManager.Common.ArgumentCompleters;
+using System.Linq;
+using Microsoft.Azure.Management.SecurityInsights;
+
+namespace Microsoft.Azure.Commands.SecurityInsights.Cmdlets.Bookmarks
+{
+ [Cmdlet(VerbsCommon.Get, ResourceManager.Common.AzureRMConstants.AzureRMPrefix + "SentinelBookmark", DefaultParameterSetName = ParameterSetNames.WorkspaceScope), OutputType(typeof(PSSentinelBookmark))]
+ public class GetBookmarks : SecurityInsightsCmdletBase
+ {
+ private const int MaxBookmarksToFetch = 1500;
+
+ [Parameter(ParameterSetName = ParameterSetNames.WorkspaceScope, Mandatory = true, HelpMessage = ParameterHelpMessages.ResourceGroupName)]
+ [Parameter(ParameterSetName = ParameterSetNames.BookmarkId, Mandatory = true, HelpMessage = ParameterHelpMessages.ResourceGroupName)]
+ [ResourceGroupCompleter]
+ [ValidateNotNullOrEmpty]
+ public string ResourceGroupName { get; set; }
+
+ [Parameter(ParameterSetName = ParameterSetNames.WorkspaceScope, Mandatory = true, HelpMessage = ParameterHelpMessages.WorkspaceName)]
+ [Parameter(ParameterSetName = ParameterSetNames.BookmarkId, Mandatory = true, HelpMessage = ParameterHelpMessages.WorkspaceName)]
+ [ValidateNotNullOrEmpty]
+ public string WorkspaceName { get; set; }
+
+ [Parameter(ParameterSetName = ParameterSetNames.BookmarkId, Mandatory = true, ValueFromPipelineByPropertyName = true, HelpMessage = ParameterHelpMessages.BookmarkId)]
+ [ValidateNotNullOrEmpty]
+ public string BookmarkId { get; set; }
+
+ [Parameter(ParameterSetName = ParameterSetNames.ResourceId, Mandatory = true, ValueFromPipelineByPropertyName = true, HelpMessage = ParameterHelpMessages.ResourceId)]
+ [ValidateNotNullOrEmpty]
+ public string ResourceId { get; set; }
+
+ public override void ExecuteCmdlet()
+ {
+ int numberOfFetchedBookmarks = 0;
+ string nextLink = null;
+ switch (ParameterSetName)
+ {
+ case ParameterSetNames.WorkspaceScope:
+ var bookmarks = SecurityInsightsClient.Bookmarks.List(ResourceGroupName, WorkspaceName);
+ int bookmarkscount = bookmarks.Count();
+ WriteObject(bookmarks.ConvertToPSType(), enumerateCollection: true);
+ numberOfFetchedBookmarks += bookmarkscount;
+ nextLink = bookmarks?.NextPageLink;
+ while (!string.IsNullOrWhiteSpace(nextLink) && numberOfFetchedBookmarks < MaxBookmarksToFetch)
+ {
+ bookmarks = SecurityInsightsClient.Bookmarks.ListNext(bookmarks.NextPageLink);
+ bookmarkscount = bookmarks.Count();
+ WriteObject(bookmarks.ConvertToPSType(), enumerateCollection: true);
+ numberOfFetchedBookmarks += bookmarkscount;
+ nextLink = bookmarks?.NextPageLink;
+ }
+ break;
+ case ParameterSetNames.BookmarkId:
+ var bookmark = SecurityInsightsClient.Bookmarks.Get(ResourceGroupName, WorkspaceName, BookmarkId);
+ WriteObject(bookmark.ConvertToPSType(), enumerateCollection: false);
+ break;
+ case ParameterSetNames.ResourceId:
+ bookmark = SecurityInsightsClient.Bookmarks.Get(ResourceGroupName, WorkspaceName, AzureIdUtilities.GetResourceName(ResourceId));
+ WriteObject(bookmark.ConvertToPSType(), enumerateCollection: false);
+ break;
+ default:
+ throw new PSInvalidOperationException();
+ }
+ }
+ }
+}
diff --git a/src/SecurityInsights/SecurityInsights/Cmdlets/Bookmarks/NewBookmarks.cs b/src/SecurityInsights/SecurityInsights/Cmdlets/Bookmarks/NewBookmarks.cs
new file mode 100644
index 000000000000..0c10cf2c0112
--- /dev/null
+++ b/src/SecurityInsights/SecurityInsights/Cmdlets/Bookmarks/NewBookmarks.cs
@@ -0,0 +1,91 @@
+// ----------------------------------------------------------------------------------
+//
+// Copyright Microsoft Corporation
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+// http://www.apache.org/licenses/LICENSE-2.0
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+// ------------------------------------
+
+using System.Management.Automation;
+using Microsoft.Azure.Commands.SecurityInsights;
+using Microsoft.Azure.Commands.SecurityInsights.Common;
+using Microsoft.Azure.Commands.SecurityInsights.Models.Bookmarks;
+using Microsoft.Azure.Commands.ResourceManager.Common.ArgumentCompleters;
+using System.Collections.Generic;
+using Microsoft.Azure.Management.SecurityInsights.Models;
+using System;
+using Microsoft.Azure.Management.SecurityInsights;
+using Microsoft.Azure.Commands.SecurityInsights.Models.Actions;
+
+namespace Microsoft.Azure.Commands.SecurityInsights.Cmdlets.Bookmarks
+{
+ [Cmdlet(VerbsCommon.New, ResourceManager.Common.AzureRMConstants.AzureRMPrefix + "SentinelBookmark", DefaultParameterSetName = ParameterSetNames.BookmarkId, SupportsShouldProcess = true), OutputType(typeof(PSSentinelBookmark))]
+ public class NewBookmarks : SecurityInsightsCmdletBase
+ {
+ [Parameter(ParameterSetName = ParameterSetNames.BookmarkId, Mandatory = true, HelpMessage = ParameterHelpMessages.ResourceGroupName)]
+ [ResourceGroupCompleter]
+ [ValidateNotNullOrEmpty]
+ public string ResourceGroupName { get; set; }
+
+ [Parameter(ParameterSetName = ParameterSetNames.BookmarkId, Mandatory = true, HelpMessage = ParameterHelpMessages.WorkspaceName)]
+ [ValidateNotNullOrEmpty]
+ public string WorkspaceName { get; set; }
+
+ [Parameter(ParameterSetName = ParameterSetNames.BookmarkId, Mandatory = false, HelpMessage = ParameterHelpMessages.BookmarkId)]
+ public string BookmarkId { get; set; }
+
+ [Parameter(ParameterSetName = ParameterSetNames.BookmarkId, Mandatory = true, HelpMessage = ParameterHelpMessages.BookmarkDisplayName)]
+ public string DisplayName { get; set; }
+
+ [Parameter(ParameterSetName = ParameterSetNames.BookmarkId, Mandatory = false, ValueFromPipeline = true, HelpMessage = ParameterHelpMessages.IncidentInfo)]
+ public PSSentinelBookmarkIncidentInfo IncidentInfo { get; set; }
+
+ [Parameter(ParameterSetName = ParameterSetNames.BookmarkId, Mandatory = false, HelpMessage = ParameterHelpMessages.Labels)]
+ public IList Label { get; set; }
+
+ [Parameter(ParameterSetName = ParameterSetNames.BookmarkId, Mandatory = false, HelpMessage = ParameterHelpMessages.Notes)]
+ public string Note { get; set; }
+
+ [Parameter(ParameterSetName = ParameterSetNames.BookmarkId, Mandatory = true, HelpMessage = ParameterHelpMessages.BookmarkQuery)]
+ public string Query { get; set; }
+
+ [Parameter(ParameterSetName = ParameterSetNames.BookmarkId, Mandatory = false, HelpMessage = ParameterHelpMessages.QueryResult)]
+ public string QueryResult { get; set; }
+
+ public override void ExecuteCmdlet()
+ {
+ if (BookmarkId == null)
+ {
+ BookmarkId = Guid.NewGuid().ToString();
+ }
+
+ var name = BookmarkId;
+
+ Bookmark bookmark = new Bookmark
+ {
+ Created = DateTime.Now,
+ DisplayName = DisplayName,
+ IncidentInfo = IncidentInfo?.CreatePSType(),
+ Labels = Label,
+ Notes = Note,
+ Query = Query,
+ QueryResult = QueryResult
+
+ };
+
+ if (ShouldProcess(name, VerbsCommon.New))
+ {
+ var outputBookmark = SecurityInsightsClient.Bookmarks.CreateOrUpdate(ResourceGroupName, WorkspaceName, name, bookmark);
+
+ WriteObject(outputBookmark.ConvertToPSType(), enumerateCollection: false);
+ }
+
+ }
+ }
+}
diff --git a/src/SecurityInsights/SecurityInsights/Cmdlets/Bookmarks/RemoveBookmarks.cs b/src/SecurityInsights/SecurityInsights/Cmdlets/Bookmarks/RemoveBookmarks.cs
new file mode 100644
index 000000000000..ec3bc36b2089
--- /dev/null
+++ b/src/SecurityInsights/SecurityInsights/Cmdlets/Bookmarks/RemoveBookmarks.cs
@@ -0,0 +1,80 @@
+// ----------------------------------------------------------------------------------
+//
+// Copyright Microsoft Corporation
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+// http://www.apache.org/licenses/LICENSE-2.0
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+// ------------------------------------
+
+using System.Management.Automation;
+using Microsoft.Azure.Commands.SecurityInsights;
+using Microsoft.Azure.Commands.SecurityInsights.Common;
+using Microsoft.Azure.Commands.SecurityInsights.Models.Bookmarks;
+using Microsoft.Azure.Commands.ResourceManager.Common.ArgumentCompleters;
+using Microsoft.Azure.Management.SecurityInsights;
+
+namespace Microsoft.Azure.Commands.SecurityInsights.Cmdlets.Bookmarks
+{
+ [Cmdlet(VerbsCommon.Remove, ResourceManager.Common.AzureRMConstants.AzureRMPrefix + "SentinelBookmark", DefaultParameterSetName = ParameterSetNames.BookmarkId, SupportsShouldProcess = true), OutputType(typeof(PSSentinelBookmark))]
+ public class RemoveAlertRules : SecurityInsightsCmdletBase
+ {
+ [Parameter(ParameterSetName = ParameterSetNames.BookmarkId, Mandatory = true, ValueFromPipelineByPropertyName = true, HelpMessage = ParameterHelpMessages.ResourceGroupName)]
+ [ValidateNotNullOrEmpty]
+ public string ResourceGroupName { get; set; }
+
+ [Parameter(ParameterSetName = ParameterSetNames.BookmarkId, Mandatory = true, ValueFromPipelineByPropertyName = true, HelpMessage = ParameterHelpMessages.WorkspaceName)]
+ [ValidateNotNullOrEmpty]
+ public string WorkspaceName { get; set; }
+
+ [Parameter(ParameterSetName = ParameterSetNames.BookmarkId, Mandatory = true, ValueFromPipelineByPropertyName = true, HelpMessage = ParameterHelpMessages.BookmarkId)]
+ [ValidateNotNullOrEmpty]
+ public string BookmarkId { get; set; }
+
+ [Parameter(ParameterSetName = ParameterSetNames.InputObject, Mandatory = true, ValueFromPipeline = true, HelpMessage = ParameterHelpMessages.InputObject)]
+ [ValidateNotNullOrEmpty]
+ public PSSentinelBookmark InputObject { get; set; }
+
+ [Parameter(Mandatory = false, HelpMessage = ParameterHelpMessages.PassThru)]
+ public SwitchParameter PassThru { get; set; }
+
+ public override void ExecuteCmdlet()
+ {
+ var name = BookmarkId;
+
+ switch (ParameterSetName)
+ {
+ case ParameterSetNames.BookmarkId:
+ break;
+ case ParameterSetNames.InputObject:
+ name = InputObject.Name;
+ break;
+ default:
+ throw new PSInvalidOperationException();
+ }
+
+ if (ShouldProcess(name, VerbsCommon.Remove))
+ {
+ var result = SecurityInsightsClient.Bookmarks.DeleteWithHttpMessagesAsync(ResourceGroupName, WorkspaceName, name).Result;
+ if (result.Response.StatusCode == (System.Net.HttpStatusCode)200)
+ {
+ System.Console.WriteLine("success");
+ }
+ else if (result.Response.StatusCode == (System.Net.HttpStatusCode)204)
+ {
+ System.Console.WriteLine("success");
+ }
+ }
+
+ if (PassThru.IsPresent)
+ {
+ WriteObject(true);
+ }
+ }
+ }
+}
diff --git a/src/SecurityInsights/SecurityInsights/Cmdlets/Bookmarks/UpdateBookmarks.cs b/src/SecurityInsights/SecurityInsights/Cmdlets/Bookmarks/UpdateBookmarks.cs
new file mode 100644
index 000000000000..e43d111bb57a
--- /dev/null
+++ b/src/SecurityInsights/SecurityInsights/Cmdlets/Bookmarks/UpdateBookmarks.cs
@@ -0,0 +1,119 @@
+// ----------------------------------------------------------------------------------
+//
+// Copyright Microsoft Corporation
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+// http://www.apache.org/licenses/LICENSE-2.0
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+// ------------------------------------
+
+using System.Management.Automation;
+using Microsoft.Azure.Commands.SecurityInsights;
+using Microsoft.Azure.Commands.SecurityInsights.Common;
+using Microsoft.Azure.Commands.SecurityInsights.Models.Bookmarks;
+using Microsoft.Azure.Commands.ResourceManager.Common.ArgumentCompleters;
+using System.Collections.Generic;
+using Microsoft.Azure.Management.SecurityInsights.Models;
+using System;
+using Microsoft.Azure.Management.SecurityInsights;
+using Microsoft.WindowsAzure.Commands.Utilities.Common;
+using Microsoft.Azure.Management.Internal.Resources.Utilities.Models;
+
+namespace Microsoft.Azure.Commands.SecurityInsights.Cmdlets.Bookmarks
+{
+ [Cmdlet(VerbsData.Update, ResourceManager.Common.AzureRMConstants.AzureRMPrefix + "SentinelBookmark", DefaultParameterSetName = ParameterSetNames.BookmarkId, SupportsShouldProcess = true), OutputType(typeof(PSSentinelBookmark))]
+ public class UpdateBoomarks : SecurityInsightsCmdletBase
+ {
+ [Parameter(ParameterSetName = ParameterSetNames.BookmarkId, Mandatory = true, HelpMessage = ParameterHelpMessages.ResourceGroupName)]
+ [ResourceGroupCompleter]
+ [ValidateNotNullOrEmpty]
+ public string ResourceGroupName { get; set; }
+
+ [Parameter(ParameterSetName = ParameterSetNames.BookmarkId, Mandatory = true, HelpMessage = ParameterHelpMessages.WorkspaceName)]
+ [ValidateNotNullOrEmpty]
+ public string WorkspaceName { get; set; }
+
+ [Parameter(ParameterSetName = ParameterSetNames.BookmarkId, Mandatory = true, HelpMessage = ParameterHelpMessages.BookmarkId)]
+ public string BookmarkId { get; set; }
+
+ [Parameter(ParameterSetName = ParameterSetNames.InputObject, Mandatory = true, ValueFromPipeline = true, HelpMessage = ParameterHelpMessages.InputObject)]
+ [ValidateNotNull]
+ public PSSentinelBookmark InputObject { get; set; }
+
+ [Parameter(ParameterSetName = ParameterSetNames.ResourceId, Mandatory = true, ValueFromPipeline = true, HelpMessage = ParameterHelpMessages.ResourceId)]
+ [ValidateNotNullOrEmpty]
+ public string ResourceId { get; set; }
+
+ [Parameter(Mandatory = false, HelpMessage = ParameterHelpMessages.BookmarkDisplayName)]
+ public string DisplayName { get; set; }
+
+ [Parameter(Mandatory = false, ValueFromPipeline = true, HelpMessage = ParameterHelpMessages.IncidentInfo)]
+ public PSSentinelBookmarkIncidentInfo IncidentInfo { get; set; }
+
+ [Parameter(Mandatory = false, HelpMessage = ParameterHelpMessages.Labels)]
+ public IList Label { get; set; }
+
+ [Parameter(Mandatory = false, HelpMessage = ParameterHelpMessages.Notes)]
+ public string Note { get; set; }
+
+ [Parameter(Mandatory = false, HelpMessage = ParameterHelpMessages.BookmarkQuery)]
+ public string Query { get; set; }
+
+ [Parameter(Mandatory = false, HelpMessage = ParameterHelpMessages.QueryResult)]
+ public string QueryResult { get; set; }
+
+ public override void ExecuteCmdlet()
+ {
+ if (this.IsParameterBound(c => c.InputObject))
+ {
+ this.ResourceGroupName = AzureIdUtilities.GetResourceGroup(InputObject.Id);
+ this.WorkspaceName = AzureIdUtilities.GetWorkspaceName(InputObject.Id);
+ this.BookmarkId = this.InputObject.Name;
+ }
+
+ if (this.IsParameterBound(c => c.ResourceId))
+ {
+ var resourceIdentifier = new ResourceIdentifier(this.ResourceId);
+ this.ResourceGroupName = resourceIdentifier.ResourceGroupName;
+ this.WorkspaceName = AzureIdUtilities.GetWorkspaceName(this.ResourceId);
+ this.BookmarkId = resourceIdentifier.ResourceName;
+ }
+
+ PSSentinelBookmark bookmark = null;
+ try
+ {
+ bookmark = this.SecurityInsightsClient.Bookmarks.Get(this.ResourceGroupName, this.WorkspaceName, this.BookmarkId).ConvertToPSType();
+ }
+ catch
+ {
+ bookmark = null;
+ }
+
+ if (bookmark == null)
+ {
+ throw new Exception(string.Format("A Bookmark with BookmarkId '{0}' in resource group '{1}' under parent workspace '{2}' does not exist. Please use New-AzSentinelBookmark to create a Bookmark with these properties.", this.BookmarkId, this.ResourceGroupName, this.WorkspaceName));
+ }
+
+ var updatedbookmark = new PSSentinelBookmark();
+ updatedbookmark.Etag = bookmark.Etag;
+ updatedbookmark.DisplayName = this.IsParameterBound(c => c.DisplayName) ? this.DisplayName : bookmark.DisplayName;
+ //bookmark.IncidentInfo = this.IsParameterBound(c => c.IncidentInfo) ? this.IncidentInfo : bookmark.IncidentInfo;
+ updatedbookmark.Labels = this.IsParameterBound(c => c.Label) ? this.Label : bookmark.Labels;
+ updatedbookmark.Notes = this.IsParameterBound(c => c.Note) ? this.Note : bookmark.Notes;
+ updatedbookmark.Query = this.IsParameterBound(c => c.Query) ? this.Query : bookmark.Query;
+ updatedbookmark.QueryResult = this.IsParameterBound(c => c.QueryResult) ? this.QueryResult : bookmark.QueryResult;
+
+
+ if (this.ShouldProcess(this.BookmarkId, string.Format("Updating BookmarkID '{0}' in resource group '{1}' under workspace '{2}'.", this.BookmarkId, this.ResourceGroupName, this.WorkspaceName)))
+ {
+ var result = this.SecurityInsightsClient.Bookmarks.CreateOrUpdate(this.ResourceGroupName, this.WorkspaceName, this.BookmarkId, updatedbookmark.CreatePSType()).ConvertToPSType();
+ WriteObject(result);
+ }
+ }
+ }
+}
diff --git a/src/SecurityInsights/SecurityInsights/Cmdlets/DataConnectors/GetDataConnectors.cs b/src/SecurityInsights/SecurityInsights/Cmdlets/DataConnectors/GetDataConnectors.cs
new file mode 100644
index 000000000000..3857060387fd
--- /dev/null
+++ b/src/SecurityInsights/SecurityInsights/Cmdlets/DataConnectors/GetDataConnectors.cs
@@ -0,0 +1,84 @@
+// ----------------------------------------------------------------------------------
+//
+// Copyright Microsoft Corporation
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+// http://www.apache.org/licenses/LICENSE-2.0
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+// ------------------------------------
+
+using System;
+using System.Management.Automation;
+using Microsoft.Azure.Commands.SecurityInsights;
+using Microsoft.Azure.Commands.SecurityInsights.Common;
+using Microsoft.Azure.Commands.SecurityInsights.Models.DataConnectors;
+using Microsoft.Azure.Commands.ResourceManager.Common.ArgumentCompleters;
+using System.Linq;
+using Microsoft.Azure.Management.SecurityInsights;
+
+namespace Microsoft.Azure.Commands.SecurityInsights.Cmdlets.DataConnectors
+{
+ [Cmdlet(VerbsCommon.Get, ResourceManager.Common.AzureRMConstants.AzureRMPrefix + "SentinelDataConnector", DefaultParameterSetName = ParameterSetNames.WorkspaceScope), OutputType(typeof(PSSentinelDataConnector))]
+ public class GetDataConnectors : SecurityInsightsCmdletBase
+ {
+ private const int MaxDataConnectorsToFetch = 1500;
+
+ [Parameter(ParameterSetName = ParameterSetNames.WorkspaceScope, Mandatory = true, HelpMessage = ParameterHelpMessages.ResourceGroupName)]
+ [Parameter(ParameterSetName = ParameterSetNames.DataConnectorId, Mandatory = true, HelpMessage = ParameterHelpMessages.ResourceGroupName)]
+ [ResourceGroupCompleter]
+ [ValidateNotNullOrEmpty]
+ public string ResourceGroupName { get; set; }
+
+ [Parameter(ParameterSetName = ParameterSetNames.WorkspaceScope, Mandatory = true, HelpMessage = ParameterHelpMessages.WorkspaceName)]
+ [Parameter(ParameterSetName = ParameterSetNames.DataConnectorId, Mandatory = true, HelpMessage = ParameterHelpMessages.WorkspaceName)]
+ [ValidateNotNullOrEmpty]
+ public string WorkspaceName { get; set; }
+
+ [Parameter(ParameterSetName = ParameterSetNames.DataConnectorId, Mandatory = true, HelpMessage = ParameterHelpMessages.DataConnectorId)]
+ [ValidateNotNullOrEmpty]
+ public string DataConnectorId { get; set; }
+
+ [Parameter(ParameterSetName = ParameterSetNames.ResourceId, Mandatory = true, ValueFromPipelineByPropertyName = true, HelpMessage = ParameterHelpMessages.ResourceId)]
+ [ValidateNotNullOrEmpty]
+ public string ResourceId { get; set; }
+
+ public override void ExecuteCmdlet()
+ {
+ int numberOfFetchedDataConnectors = 0;
+ string nextLink = null;
+ switch (ParameterSetName)
+ {
+ case ParameterSetNames.WorkspaceScope:
+ var dataconnectors = SecurityInsightsClient.DataConnectors.List(ResourceGroupName, WorkspaceName);
+ int dataconnectorscount = dataconnectors.Count();
+ WriteObject(dataconnectors.ConvertToPSType(), enumerateCollection: true);
+ numberOfFetchedDataConnectors += dataconnectorscount;
+ nextLink = dataconnectors?.NextPageLink;
+ while (!string.IsNullOrWhiteSpace(nextLink) && numberOfFetchedDataConnectors < MaxDataConnectorsToFetch)
+ {
+ dataconnectors = SecurityInsightsClient.DataConnectors.ListNext(dataconnectors.NextPageLink);
+ dataconnectorscount = dataconnectors.Count();
+ WriteObject(dataconnectors.ConvertToPSType(), enumerateCollection: true);
+ numberOfFetchedDataConnectors += dataconnectorscount;
+ nextLink = dataconnectors?.NextPageLink;
+ }
+ break;
+ case ParameterSetNames.DataConnectorId:
+ var dataconnector = SecurityInsightsClient.DataConnectors.Get(ResourceGroupName, WorkspaceName, DataConnectorId);
+ WriteObject(dataconnector.ConvertToPSType(), enumerateCollection: false);
+ break;
+ case ParameterSetNames.ResourceId:
+ dataconnector = SecurityInsightsClient.DataConnectors.Get(ResourceGroupName, WorkspaceName, AzureIdUtilities.GetResourceName(ResourceId));
+ WriteObject(dataconnector.ConvertToPSType(), enumerateCollection: false);
+ break;
+ default:
+ throw new PSInvalidOperationException();
+ }
+ }
+ }
+}
diff --git a/src/SecurityInsights/SecurityInsights/Cmdlets/DataConnectors/NewDataConnectors.cs b/src/SecurityInsights/SecurityInsights/Cmdlets/DataConnectors/NewDataConnectors.cs
new file mode 100644
index 000000000000..9e67706f3261
--- /dev/null
+++ b/src/SecurityInsights/SecurityInsights/Cmdlets/DataConnectors/NewDataConnectors.cs
@@ -0,0 +1,291 @@
+// ----------------------------------------------------------------------------------
+//
+// Copyright Microsoft Corporation
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+// http://www.apache.org/licenses/LICENSE-2.0
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+// ------------------------------------
+
+using System.Management.Automation;
+using Microsoft.Azure.Commands.SecurityInsights;
+using Microsoft.Azure.Commands.SecurityInsights.Common;
+using Microsoft.Azure.Commands.SecurityInsights.Models.DataConnectors;
+using Microsoft.Azure.Commands.ResourceManager.Common.ArgumentCompleters;
+using System.Collections.Generic;
+using Microsoft.Azure.Management.SecurityInsights.Models;
+using System;
+using Microsoft.Azure.Commands.Common.Authentication.Abstractions;
+using Microsoft.Azure.Management.SecurityInsights;
+using Microsoft.Azure.Commands.ResourceManager.Common;
+
+namespace Microsoft.Azure.Commands.SecurityInsights.Cmdlets.DataConnectors
+{
+ [Cmdlet(VerbsCommon.New, ResourceManager.Common.AzureRMConstants.AzureRMPrefix + "SentinelDataConnector", DefaultParameterSetName = ParameterSetNames.AzureActiveDirectory, SupportsShouldProcess = true), OutputType(typeof(PSSentinelDataConnector))]
+ public class NewDataConnectors : SecurityInsightsCmdletBase
+ {
+ [Parameter(ParameterSetName = ParameterSetNames.AzureActiveDirectory, Mandatory = true, HelpMessage = ParameterHelpMessages.AzureActiveDirectory)]
+ [Parameter(ParameterSetName = ParameterSetNames.AzureAdvancedThreatProtection, Mandatory = true, HelpMessage = ParameterHelpMessages.AzureAdvancedThreatProtection)]
+ [Parameter(ParameterSetName = ParameterSetNames.AzureSecurityCenter, Mandatory = true, HelpMessage = ParameterHelpMessages.AzureSecurityCenter)]
+ [Parameter(ParameterSetName = ParameterSetNames.AmazonWebServicesCloudTrail, Mandatory = true, HelpMessage = ParameterHelpMessages.AmazonWebServicesCloudTrail)]
+ [Parameter(ParameterSetName = ParameterSetNames.MicrosoftCloudAppSecurity, Mandatory = true, HelpMessage = ParameterHelpMessages.MicrosoftCloudAppSecurity)]
+ [Parameter(ParameterSetName = ParameterSetNames.MicrosoftDefenderAdvancedThreatProtection, Mandatory = true, HelpMessage = ParameterHelpMessages.MicrosoftDefenderAdvancedThreatProtection)]
+ [Parameter(ParameterSetName = ParameterSetNames.Office365, Mandatory = true, HelpMessage = ParameterHelpMessages.Office365)]
+ [Parameter(ParameterSetName = ParameterSetNames.ThreatIntelligence, Mandatory = true, HelpMessage = ParameterHelpMessages.ThreatIntelligence)]
+ [ResourceGroupCompleter]
+ [ValidateNotNullOrEmpty]
+ public string ResourceGroupName { get; set; }
+
+ [Parameter(ParameterSetName = ParameterSetNames.AzureActiveDirectory, Mandatory = true, HelpMessage = ParameterHelpMessages.AzureActiveDirectory)]
+ [Parameter(ParameterSetName = ParameterSetNames.AzureAdvancedThreatProtection, Mandatory = true, HelpMessage = ParameterHelpMessages.AzureAdvancedThreatProtection)]
+ [Parameter(ParameterSetName = ParameterSetNames.AzureSecurityCenter, Mandatory = true, HelpMessage = ParameterHelpMessages.AzureSecurityCenter)]
+ [Parameter(ParameterSetName = ParameterSetNames.AmazonWebServicesCloudTrail, Mandatory = true, HelpMessage = ParameterHelpMessages.AmazonWebServicesCloudTrail)]
+ [Parameter(ParameterSetName = ParameterSetNames.MicrosoftCloudAppSecurity, Mandatory = true, HelpMessage = ParameterHelpMessages.MicrosoftCloudAppSecurity)]
+ [Parameter(ParameterSetName = ParameterSetNames.MicrosoftDefenderAdvancedThreatProtection, Mandatory = true, HelpMessage = ParameterHelpMessages.MicrosoftDefenderAdvancedThreatProtection)]
+ [Parameter(ParameterSetName = ParameterSetNames.Office365, Mandatory = true, HelpMessage = ParameterHelpMessages.Office365)]
+ [Parameter(ParameterSetName = ParameterSetNames.ThreatIntelligence, Mandatory = true, HelpMessage = ParameterHelpMessages.ThreatIntelligence)]
+ [ValidateNotNullOrEmpty]
+ public string WorkspaceName { get; set; }
+
+ [Parameter(ParameterSetName = ParameterSetNames.AzureActiveDirectory, Mandatory = false, HelpMessage = ParameterHelpMessages.AzureActiveDirectory)]
+ [Parameter(ParameterSetName = ParameterSetNames.AzureAdvancedThreatProtection, Mandatory = false, HelpMessage = ParameterHelpMessages.AzureAdvancedThreatProtection)]
+ [Parameter(ParameterSetName = ParameterSetNames.AzureSecurityCenter, Mandatory = false, HelpMessage = ParameterHelpMessages.AzureSecurityCenter)]
+ [Parameter(ParameterSetName = ParameterSetNames.AmazonWebServicesCloudTrail, Mandatory = false, HelpMessage = ParameterHelpMessages.AmazonWebServicesCloudTrail)]
+ [Parameter(ParameterSetName = ParameterSetNames.MicrosoftCloudAppSecurity, Mandatory = false, HelpMessage = ParameterHelpMessages.MicrosoftCloudAppSecurity)]
+ [Parameter(ParameterSetName = ParameterSetNames.MicrosoftDefenderAdvancedThreatProtection, Mandatory = false, HelpMessage = ParameterHelpMessages.MicrosoftDefenderAdvancedThreatProtection)]
+ [Parameter(ParameterSetName = ParameterSetNames.Office365, Mandatory = false, HelpMessage = ParameterHelpMessages.Office365)]
+ [Parameter(ParameterSetName = ParameterSetNames.ThreatIntelligence, Mandatory = false, HelpMessage = ParameterHelpMessages.ThreatIntelligence)]
+ public string DataConnectorId { get; set; }
+
+ [Parameter(ParameterSetName = ParameterSetNames.AzureActiveDirectory, Mandatory = true, HelpMessage = ParameterHelpMessages.AzureActiveDirectory)]
+ public SwitchParameter AzureActiveDirectory { get; set; }
+
+ [Parameter(ParameterSetName = ParameterSetNames.AzureAdvancedThreatProtection, Mandatory = true, HelpMessage = ParameterHelpMessages.AzureAdvancedThreatProtection)]
+
+ public SwitchParameter AzureAdvancedThreatProtection { get; set; }
+
+ [Parameter(ParameterSetName = ParameterSetNames.AzureSecurityCenter, Mandatory = true, HelpMessage = ParameterHelpMessages.AzureSecurityCenter)]
+ public SwitchParameter AzureSecurityCenter { get; set; }
+
+ [Parameter(ParameterSetName = ParameterSetNames.AmazonWebServicesCloudTrail, Mandatory = true, HelpMessage = ParameterHelpMessages.AmazonWebServicesCloudTrail)]
+ public SwitchParameter AmazonWebServicesCloudTrail { get; set; }
+
+ [Parameter(ParameterSetName = ParameterSetNames.MicrosoftCloudAppSecurity, Mandatory = true, HelpMessage = ParameterHelpMessages.MicrosoftCloudAppSecurity)]
+ public SwitchParameter MicrosoftCloudAppSecurity { get; set; }
+
+ [Parameter(ParameterSetName = ParameterSetNames.MicrosoftDefenderAdvancedThreatProtection, Mandatory = true, HelpMessage = ParameterHelpMessages.MicrosoftDefenderAdvancedThreatProtection)]
+ public SwitchParameter MicrosoftDefenderAdvancedThreatProtection { get; set; }
+
+ [Parameter(ParameterSetName = ParameterSetNames.Office365, Mandatory = true, HelpMessage = ParameterHelpMessages.Office365)]
+ public SwitchParameter Office365 { get; set; }
+
+ [Parameter(ParameterSetName = ParameterSetNames.ThreatIntelligence, Mandatory = true, HelpMessage = ParameterHelpMessages.ThreatIntelligence)]
+ public SwitchParameter ThreatIntelligence { get; set; }
+
+ [Parameter(ParameterSetName = ParameterSetNames.AzureActiveDirectory, Mandatory = true, HelpMessage = ParameterHelpMessages.Alerts)]
+ [Parameter(ParameterSetName = ParameterSetNames.AzureAdvancedThreatProtection, Mandatory = true, HelpMessage = ParameterHelpMessages.Alerts)]
+ [Parameter(ParameterSetName = ParameterSetNames.AzureSecurityCenter, Mandatory = true, HelpMessage = ParameterHelpMessages.Alerts)]
+ [Parameter(ParameterSetName = ParameterSetNames.MicrosoftCloudAppSecurity, Mandatory = true, HelpMessage = ParameterHelpMessages.Alerts)]
+ [Parameter(ParameterSetName = ParameterSetNames.MicrosoftDefenderAdvancedThreatProtection, Mandatory = true, HelpMessage = ParameterHelpMessages.Alerts)]
+ [ValidateNotNullOrEmpty]
+ [ValidateSet("Enabled", "Disabled")]
+ public string Alerts { get; set; }
+
+ [Parameter(ParameterSetName = ParameterSetNames.AzureSecurityCenter, Mandatory = true, HelpMessage = ParameterHelpMessages.SubscriptionId)]
+ [ValidateNotNullOrEmpty]
+ public string SubscriptionId { get; set; }
+
+ [Parameter(ParameterSetName = ParameterSetNames.AmazonWebServicesCloudTrail, Mandatory = true, HelpMessage = ParameterHelpMessages.AwsRoleArn)]
+ [ValidateNotNullOrEmpty]
+ public string AwsRoleArn { get; set; }
+
+ [Parameter(ParameterSetName = ParameterSetNames.AmazonWebServicesCloudTrail, Mandatory = true, HelpMessage = ParameterHelpMessages.Logs)]
+ [ValidateNotNullOrEmpty]
+ [ValidateSet("Enabled", "Disabled")]
+ public string Logs { get; set; }
+
+ [Parameter(ParameterSetName = ParameterSetNames.MicrosoftCloudAppSecurity, Mandatory = true, HelpMessage = ParameterHelpMessages.DiscoveryLogs)]
+ [ValidateNotNullOrEmpty]
+ [ValidateSet("Enabled", "Disabled")]
+ public string DiscoveryLogs { get; set; }
+
+ [Parameter(ParameterSetName = ParameterSetNames.Office365, Mandatory = true, HelpMessage = ParameterHelpMessages.Exchange)]
+ [ValidateNotNullOrEmpty]
+ [ValidateSet("Enabled", "Disabled")]
+ public string Exchange { get; set; }
+
+ [Parameter(ParameterSetName = ParameterSetNames.Office365, Mandatory = true, HelpMessage = ParameterHelpMessages.SharePoint)]
+ [ValidateNotNullOrEmpty]
+ [ValidateSet("Enabled", "Disabled")]
+ public string SharePoint { get; set; }
+
+ [Parameter(ParameterSetName = ParameterSetNames.ThreatIntelligence, Mandatory = true, HelpMessage = ParameterHelpMessages.Indicators)]
+ [ValidateNotNullOrEmpty]
+ [ValidateSet("Enabled", "Disabled")]
+ public string Indicators { get; set; }
+
+ public override void ExecuteCmdlet()
+ {
+ if (DataConnectorId == null)
+ {
+ DataConnectorId = Guid.NewGuid().ToString();
+ }
+
+ var name = DataConnectorId;
+
+ var tenantId = AzureRmProfileProvider.Instance.Profile.DefaultContext.Tenant.Id;
+
+ if (ShouldProcess(name, VerbsCommon.New))
+ {
+
+ switch (ParameterSetName)
+ {
+ case ParameterSetNames.AzureActiveDirectory:
+ DataConnectorDataTypeCommon aadcommon = new DataConnectorDataTypeCommon
+ { State = Alerts.ToLower()};
+ AlertsDataTypeOfDataConnector aadalerts = new AlertsDataTypeOfDataConnector
+ {
+ Alerts = aadcommon
+ };
+ AADDataConnector aadDataTypes = new AADDataConnector
+ {
+ DataTypes = aadalerts,
+ TenantId = tenantId
+ };
+ DataConnector aadDataConnector = aadDataTypes;
+ var outputaadconnector = SecurityInsightsClient.DataConnectors.CreateOrUpdate(ResourceGroupName, WorkspaceName, name, aadDataConnector);
+ WriteObject(outputaadconnector.ConvertToPSType(), enumerateCollection: false);
+ break;
+ case ParameterSetNames.AzureAdvancedThreatProtection:
+ DataConnectorDataTypeCommon aatpcommon = new DataConnectorDataTypeCommon
+ { State = Alerts.ToLower() };
+ AlertsDataTypeOfDataConnector aatpalerts = new AlertsDataTypeOfDataConnector
+ {
+ Alerts = aatpcommon
+ };
+ AATPDataConnector aatpDataTypes = new AATPDataConnector
+ {
+ DataTypes = aatpalerts,
+ TenantId = tenantId
+ };
+ DataConnector aatpDataConnector = aatpDataTypes;
+ var outputaatpconnector = SecurityInsightsClient.DataConnectors.CreateOrUpdate(ResourceGroupName, WorkspaceName, name, aatpDataConnector);
+ WriteObject(outputaatpconnector.ConvertToPSType(), enumerateCollection: false);
+ break;
+ case ParameterSetNames.AzureSecurityCenter:
+ DataConnectorDataTypeCommon asccommon = new DataConnectorDataTypeCommon
+ { State = Alerts.ToLower() };
+ AlertsDataTypeOfDataConnector ascalerts = new AlertsDataTypeOfDataConnector
+ {
+ Alerts = asccommon
+
+ };
+ ASCDataConnector ascDataTypes = new ASCDataConnector
+ {
+ DataTypes = ascalerts,
+ SubscriptionId = SubscriptionId
+
+ };
+ DataConnector ascDataConnector = ascDataTypes;
+ var outputascconnector = SecurityInsightsClient.DataConnectors.CreateOrUpdate(ResourceGroupName, WorkspaceName, name, ascDataConnector);
+ WriteObject(outputascconnector.ConvertToPSType(), enumerateCollection: false);
+ break;
+ case ParameterSetNames.AmazonWebServicesCloudTrail:
+ AwsCloudTrailDataConnectorDataTypesLogs awscommon = new AwsCloudTrailDataConnectorDataTypesLogs
+ { State = Logs.ToLower() };
+ AwsCloudTrailDataConnectorDataTypes awslogs = new AwsCloudTrailDataConnectorDataTypes
+ {
+ Logs = awscommon
+ };
+ AwsCloudTrailDataConnector awsDataTypes = new AwsCloudTrailDataConnector
+ {
+ DataTypes = awslogs,
+ AwsRoleArn = AwsRoleArn
+
+ };
+ DataConnector awsDataConnector = awsDataTypes;
+ var outputawsconnector = SecurityInsightsClient.DataConnectors.CreateOrUpdate(ResourceGroupName, WorkspaceName, name, awsDataConnector);
+ WriteObject(outputawsconnector.ConvertToPSType(), enumerateCollection: false);
+ break;
+ case ParameterSetNames.MicrosoftCloudAppSecurity:
+ DataConnectorDataTypeCommon mcascommon = new DataConnectorDataTypeCommon
+ { State = Alerts.ToLower() };
+ DataConnectorDataTypeCommon mcasdiscovery = new DataConnectorDataTypeCommon
+ { State = DiscoveryLogs };
+ MCASDataConnectorDataTypes mcasDataTypes = new MCASDataConnectorDataTypes
+ {
+ Alerts = mcascommon,
+ DiscoveryLogs = mcasdiscovery
+ };
+ MCASDataConnector mcasConnector = new MCASDataConnector
+ {
+ DataTypes = mcasDataTypes,
+ TenantId = tenantId
+ };
+ DataConnector mcasDataConnector = mcasConnector;
+ var outputmcasconnector = SecurityInsightsClient.DataConnectors.CreateOrUpdate(ResourceGroupName, WorkspaceName, name, mcasDataConnector);
+ WriteObject(outputmcasconnector.ConvertToPSType(), enumerateCollection: false);
+ break;
+ case ParameterSetNames.MicrosoftDefenderAdvancedThreatProtection:
+ DataConnectorDataTypeCommon mdatpcommon = new DataConnectorDataTypeCommon
+ { State = Alerts.ToLower() };
+ AlertsDataTypeOfDataConnector mdatpalerts = new AlertsDataTypeOfDataConnector
+ {
+ Alerts = mdatpcommon
+ };
+ MDATPDataConnector mdatpDataTypes = new MDATPDataConnector
+ {
+ DataTypes = mdatpalerts,
+ TenantId = tenantId
+ };
+ DataConnector mdatpDataConnector = mdatpDataTypes;
+ var outputmdatpconnector = SecurityInsightsClient.DataConnectors.CreateOrUpdate(ResourceGroupName, WorkspaceName, name, mdatpDataConnector);
+ WriteObject(outputmdatpconnector.ConvertToPSType(), enumerateCollection: false);
+ break;
+ case ParameterSetNames.Office365:
+ OfficeDataConnectorDataTypesExchange officeExchange = new OfficeDataConnectorDataTypesExchange
+ { State = Exchange.ToLower() };
+ OfficeDataConnectorDataTypesSharePoint officeSharePoint = new OfficeDataConnectorDataTypesSharePoint
+ { State = SharePoint.ToLower() };
+ OfficeDataConnectorDataTypes officeDataTypes = new OfficeDataConnectorDataTypes
+ {
+ Exchange = officeExchange,
+ SharePoint = officeSharePoint
+ };
+ OfficeDataConnector officeConnector = new OfficeDataConnector
+ {
+ DataTypes = officeDataTypes,
+ TenantId = tenantId
+ };
+ DataConnector officeDataConnector = officeConnector;
+ var outputofficeconnector = SecurityInsightsClient.DataConnectors.CreateOrUpdate(ResourceGroupName, WorkspaceName, name, officeDataConnector);
+ WriteObject(outputofficeconnector.ConvertToPSType(), enumerateCollection: false);
+ break;
+ case ParameterSetNames.ThreatIntelligence:
+ TIDataConnectorDataTypesIndicators tiIndicators = new TIDataConnectorDataTypesIndicators
+ { State = Indicators.ToLower() };
+ TIDataConnectorDataTypes tiDataTypes = new TIDataConnectorDataTypes
+ {
+ Indicators = tiIndicators
+ };
+ TIDataConnector tiConnector = new TIDataConnector
+ {
+ DataTypes = tiDataTypes,
+ TenantId = tenantId
+ };
+ DataConnector tiDataConnector = tiConnector;
+ var outputticonnector = SecurityInsightsClient.DataConnectors.CreateOrUpdate(ResourceGroupName, WorkspaceName, name, tiDataConnector);
+ WriteObject(outputticonnector.ConvertToPSType(), enumerateCollection: false);
+ break;
+ default:
+ throw new PSInvalidOperationException();
+ }
+ }
+ }
+ }
+}
diff --git a/src/SecurityInsights/SecurityInsights/Cmdlets/DataConnectors/RemoveDataConnectors.cs b/src/SecurityInsights/SecurityInsights/Cmdlets/DataConnectors/RemoveDataConnectors.cs
new file mode 100644
index 000000000000..a63bdc58dafe
--- /dev/null
+++ b/src/SecurityInsights/SecurityInsights/Cmdlets/DataConnectors/RemoveDataConnectors.cs
@@ -0,0 +1,80 @@
+// ----------------------------------------------------------------------------------
+//
+// Copyright Microsoft Corporation
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+// http://www.apache.org/licenses/LICENSE-2.0
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+// ------------------------------------
+
+using System.Management.Automation;
+using Microsoft.Azure.Commands.SecurityInsights;
+using Microsoft.Azure.Commands.SecurityInsights.Common;
+using Microsoft.Azure.Commands.SecurityInsights.Models.DataConnectors;
+using Microsoft.Azure.Commands.ResourceManager.Common.ArgumentCompleters;
+using Microsoft.Azure.Management.SecurityInsights;
+
+namespace Microsoft.Azure.Commands.SecurityInsights.Cmdlets.DataConnectors
+{
+ [Cmdlet(VerbsCommon.Remove, ResourceManager.Common.AzureRMConstants.AzureRMPrefix + "SentinelDataConnector", DefaultParameterSetName = ParameterSetNames.DataConnectorId, SupportsShouldProcess = true), OutputType(typeof(PSSentinelDataConnector))]
+ public class RemoveDataConnectors : SecurityInsightsCmdletBase
+ {
+ [Parameter(ParameterSetName = ParameterSetNames.DataConnectorId, Mandatory = true, ValueFromPipelineByPropertyName = true, HelpMessage = ParameterHelpMessages.ResourceGroupName)]
+ [ValidateNotNullOrEmpty]
+ public string ResourceGroupName { get; set; }
+
+ [Parameter(ParameterSetName = ParameterSetNames.DataConnectorId, Mandatory = true, ValueFromPipelineByPropertyName = true, HelpMessage = ParameterHelpMessages.WorkspaceName)]
+ [ValidateNotNullOrEmpty]
+ public string WorkspaceName { get; set; }
+
+ [Parameter(ParameterSetName = ParameterSetNames.DataConnectorId, Mandatory = true, ValueFromPipelineByPropertyName = true, HelpMessage = ParameterHelpMessages.DataConnectorId)]
+ [ValidateNotNullOrEmpty]
+ public string DataConnectorId { get; set; }
+
+ [Parameter(ParameterSetName = ParameterSetNames.InputObject, Mandatory = true, ValueFromPipeline = true, HelpMessage = ParameterHelpMessages.InputObject)]
+ [ValidateNotNullOrEmpty]
+ public PSSentinelDataConnector InputObject { get; set; }
+
+ [Parameter(Mandatory = false, HelpMessage = ParameterHelpMessages.PassThru)]
+ public SwitchParameter PassThru { get; set; }
+
+ public override void ExecuteCmdlet()
+ {
+ var name = DataConnectorId;
+
+ switch (ParameterSetName)
+ {
+ case ParameterSetNames.DataConnectorId:
+ break;
+ case ParameterSetNames.InputObject:
+ name = InputObject.Name;
+ break;
+ default:
+ throw new PSInvalidOperationException();
+ }
+
+ if (ShouldProcess(name, VerbsCommon.Remove))
+ {
+ var result = SecurityInsightsClient.DataConnectors.DeleteWithHttpMessagesAsync(ResourceGroupName, WorkspaceName, name).Result;
+ if (result.Response.StatusCode == (System.Net.HttpStatusCode)200)
+ {
+ System.Console.WriteLine("success");
+ }
+ else if (result.Response.StatusCode == (System.Net.HttpStatusCode)204)
+ {
+ System.Console.WriteLine("success");
+ }
+ }
+
+ if (PassThru.IsPresent)
+ {
+ WriteObject(true);
+ }
+ }
+ }
+}
diff --git a/src/SecurityInsights/SecurityInsights/Cmdlets/DataConnectors/UpdateDataConnectors.cs b/src/SecurityInsights/SecurityInsights/Cmdlets/DataConnectors/UpdateDataConnectors.cs
new file mode 100644
index 000000000000..a024a3c5beee
--- /dev/null
+++ b/src/SecurityInsights/SecurityInsights/Cmdlets/DataConnectors/UpdateDataConnectors.cs
@@ -0,0 +1,215 @@
+// ----------------------------------------------------------------------------------
+//
+// Copyright Microsoft Corporation
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+// http://www.apache.org/licenses/LICENSE-2.0
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+// ------------------------------------
+
+using System.Management.Automation;
+using Microsoft.Azure.Commands.SecurityInsights;
+using Microsoft.Azure.Commands.SecurityInsights.Common;
+using Microsoft.Azure.Commands.SecurityInsights.Models.DataConnectors;
+using Microsoft.Azure.Commands.ResourceManager.Common.ArgumentCompleters;
+using System.Collections.Generic;
+using Microsoft.Azure.Management.SecurityInsights.Models;
+using Microsoft.WindowsAzure.Commands.Utilities.Common;
+using Microsoft.Azure.Management.Internal.Resources.Utilities.Models;
+using Microsoft.Azure.Management.SecurityInsights;
+using System;
+
+namespace Microsoft.Azure.Commands.SecurityInsights.Cmdlets.DataConnectors
+{
+ [Cmdlet(VerbsData.Update, ResourceManager.Common.AzureRMConstants.AzureRMPrefix + "SentinelDataConnector", DefaultParameterSetName = ParameterSetNames.DataConnectorId, SupportsShouldProcess = true), OutputType(typeof(PSSentinelDataConnector))]
+ public class UpdateDataConnectors : SecurityInsightsCmdletBase
+ {
+ [Parameter(ParameterSetName = ParameterSetNames.DataConnectorId, Mandatory = true, HelpMessage = ParameterHelpMessages.ResourceGroupName)]
+ [ResourceGroupCompleter]
+ [ValidateNotNullOrEmpty]
+ public string ResourceGroupName { get; set; }
+
+ [Parameter(ParameterSetName = ParameterSetNames.DataConnectorId, Mandatory = true, HelpMessage = ParameterHelpMessages.WorkspaceName)]
+ [ValidateNotNullOrEmpty]
+ public string WorkspaceName { get; set; }
+
+ [Parameter(ParameterSetName = ParameterSetNames.DataConnectorId, Mandatory = true, HelpMessage = ParameterHelpMessages.DataConnectorId)]
+ [ValidateNotNullOrEmpty]
+ public string DataConnectorId { get; set; }
+
+ [Parameter(Mandatory = true, ValueFromPipeline = true, ParameterSetName = ParameterSetNames.InputObject, HelpMessage = ParameterHelpMessages.InputObject)]
+ [ValidateNotNull]
+ public PSSentinelDataConnector InputObject { get; set; }
+
+ [Parameter(Mandatory = true, ValueFromPipelineByPropertyName = true, ParameterSetName = ParameterSetNames.ResourceId, HelpMessage = ParameterHelpMessages.ResourceId)]
+ [ValidateNotNullOrEmpty]
+ public string ResourceId { get; set; }
+
+ [Parameter(Mandatory = false, HelpMessage = ParameterHelpMessages.Alerts)]
+ [ValidateNotNullOrEmpty]
+ [ValidateSet("Enabled", "Disabled")]
+ public string Alerts { get; set; }
+
+ [Parameter(Mandatory = false, HelpMessage = ParameterHelpMessages.SubscriptionId)]
+ [ValidateNotNullOrEmpty]
+ public string SubscriptionId { get; set; }
+
+ [Parameter(Mandatory = false, HelpMessage = ParameterHelpMessages.AwsRoleArn)]
+ [ValidateNotNullOrEmpty]
+ public string AwsRoleArn { get; set; }
+
+ [Parameter(Mandatory = false, HelpMessage = ParameterHelpMessages.Logs)]
+ [ValidateNotNullOrEmpty]
+ [ValidateSet("Enabled", "Disabled")]
+ public string Logs { get; set; }
+
+ [Parameter(Mandatory = false, HelpMessage = ParameterHelpMessages.DiscoveryLogs)]
+ [ValidateNotNullOrEmpty]
+ [ValidateSet("Enabled", "Disabled")]
+ public string DiscoveryLogs { get; set; }
+
+ [Parameter(Mandatory = false, HelpMessage = ParameterHelpMessages.Exchange)]
+ [ValidateNotNullOrEmpty]
+ [ValidateSet("Enabled", "Disabled")]
+ public string Exchange { get; set; }
+
+ [Parameter(Mandatory = false, HelpMessage = ParameterHelpMessages.SharePoint)]
+ [ValidateNotNullOrEmpty]
+ [ValidateSet("Enabled", "Disabled")]
+ public string SharePoint { get; set; }
+
+ [Parameter(Mandatory = false, HelpMessage = ParameterHelpMessages.Indicators)]
+ [ValidateNotNullOrEmpty]
+ [ValidateSet("Enabled", "Disabled")]
+ public string Indicators { get; set; }
+
+
+ public override void ExecuteCmdlet()
+ {
+ if (this.IsParameterBound(c => c.InputObject))
+ {
+ this.ResourceGroupName = AzureIdUtilities.GetResourceGroup(this.InputObject.Id);
+ this.WorkspaceName = AzureIdUtilities.GetWorkspaceName(this.InputObject.Id);
+ this.DataConnectorId = this.InputObject.Name;
+ }
+
+ if (this.IsParameterBound(c => c.ResourceId))
+ {
+ var resourceIdentifier = new ResourceIdentifier(this.ResourceId);
+ this.ResourceGroupName = resourceIdentifier.ResourceGroupName;
+ this.WorkspaceName = AzureIdUtilities.GetWorkspaceName(this.ResourceId);
+ this.DataConnectorId = resourceIdentifier.ResourceName;
+ }
+
+ PSSentinelDataConnector dataConnector = null;
+ try
+ {
+ dataConnector = this.SecurityInsightsClient.DataConnectors.Get(ResourceGroupName, WorkspaceName, DataConnectorId).ConvertToPSType();
+ }
+ catch
+ {
+ dataConnector = null;
+ }
+
+ if (dataConnector == null)
+ {
+ throw new Exception(string.Format("A Data Connector with DataConnectorId '{0}' in resource group '{1}' under workspace '{2}' does not exist. Please use New-AzSentinelDataConnector to create a Data Connector with these properties.", this.DataConnectorId, this.ResourceGroupName, this.WorkspaceName));
+ }
+
+ if(dataConnector.Kind == "AzureActiveDirectory")
+ {
+ var convertedAADDataConnector = dataConnector as PSSentinelDataConnectorAAD;
+
+ convertedAADDataConnector.Etag = convertedAADDataConnector.Etag;
+ convertedAADDataConnector.TenantId = convertedAADDataConnector.TenantId;
+ convertedAADDataConnector.DataTypes.Alerts.State = this.IsParameterBound(c => c.Alerts) ? this.Alerts : convertedAADDataConnector.DataTypes.Alerts.State;
+
+ dataConnector = convertedAADDataConnector;
+ };
+ if (dataConnector.Kind == "AzureAdvancedThreatProtection")
+ {
+ var convertedAATPDataConnector = dataConnector as PSSentinelDataConnectorAATP;
+
+ convertedAATPDataConnector.Etag = convertedAATPDataConnector.Etag;
+ convertedAATPDataConnector.TenantId = convertedAATPDataConnector.TenantId;
+ convertedAATPDataConnector.DataTypes.Alerts.State = this.IsParameterBound(c => c.Alerts) ? this.Alerts : convertedAATPDataConnector.DataTypes.Alerts.State;
+
+ dataConnector = convertedAATPDataConnector;
+ };
+ if (dataConnector.Kind == "AzureSecurityCenter")
+ {
+ var convertedASCDataConnector = dataConnector as PSSentinelDataConnectorASC;
+
+ convertedASCDataConnector.Etag = convertedASCDataConnector.Etag;
+ convertedASCDataConnector.SubscriptionId = this.IsParameterBound(c => c.SubscriptionId) ? this.SubscriptionId : convertedASCDataConnector.SubscriptionId;
+ convertedASCDataConnector.DataTypes.Alerts.State = this.IsParameterBound(c => c.Alerts) ? this.Alerts : convertedASCDataConnector.DataTypes.Alerts.State;
+
+ dataConnector = convertedASCDataConnector;
+ };
+ if (dataConnector.Kind == "AmazonWebServicesCloudTrail")
+ {
+ var convertedAWSDataConnector = dataConnector as PSSentinelDataConnectorAWS;
+
+ convertedAWSDataConnector.Etag = convertedAWSDataConnector.Etag;
+ convertedAWSDataConnector.AwsRoleArn = this.IsParameterBound(c => c.AwsRoleArn) ? this.AwsRoleArn : convertedAWSDataConnector.AwsRoleArn;
+ convertedAWSDataConnector.DataTypes.Logs.State = this.IsParameterBound(c => c.Logs) ? this.Logs : convertedAWSDataConnector.DataTypes.Logs.State;
+
+ dataConnector = convertedAWSDataConnector;
+ };
+ if (dataConnector.Kind == "MicrosoftCloudAppSecurity")
+ {
+ var convertedMCASDataConnector = dataConnector as PSSentinelDataConnectorMCAS;
+
+ convertedMCASDataConnector.Etag = convertedMCASDataConnector.Etag;
+ convertedMCASDataConnector.TenantId = convertedMCASDataConnector.TenantId;
+ convertedMCASDataConnector.DataTypes.Alerts.State = this.IsParameterBound(c => c.Alerts) ? this.Alerts : convertedMCASDataConnector.DataTypes.Alerts.State;
+ convertedMCASDataConnector.DataTypes.DiscoveryLogs.State = this.IsParameterBound(c => c.DiscoveryLogs) ? this.DiscoveryLogs : convertedMCASDataConnector.DataTypes.DiscoveryLogs.State;
+
+ dataConnector = convertedMCASDataConnector;
+ };
+ if (dataConnector.Kind == "MicrosoftDefenderAdvancedThreatProtection")
+ {
+ var convertedMDATPDataConnector = dataConnector as PSSentinelDataConnectorMDATP;
+
+ convertedMDATPDataConnector.Etag = convertedMDATPDataConnector.Etag;
+ convertedMDATPDataConnector.TenantId = convertedMDATPDataConnector.TenantId;
+ convertedMDATPDataConnector.DataTypes.Alerts.State = this.IsParameterBound(c => c.Alerts) ? this.Alerts : convertedMDATPDataConnector.DataTypes.Alerts.State;
+
+ dataConnector = convertedMDATPDataConnector;
+ };
+ if (dataConnector.Kind == "Office365")
+ {
+ var convertedO365DataConnector = dataConnector as PSSentinelDataConnectorOffice;
+
+ convertedO365DataConnector.Etag = convertedO365DataConnector.Etag;
+ convertedO365DataConnector.TenantId = convertedO365DataConnector.TenantId;
+ convertedO365DataConnector.DataTypes.Exchange.State = this.IsParameterBound(c => c.Exchange) ? this.Exchange : convertedO365DataConnector.DataTypes.Exchange.State;
+ convertedO365DataConnector.DataTypes.SharePoint.State = this.IsParameterBound(c => c.SharePoint) ? this.SharePoint : convertedO365DataConnector.DataTypes.SharePoint.State;
+
+ dataConnector = convertedO365DataConnector;
+ };
+ if (dataConnector.Kind == "ThreatIntelligence")
+ {
+ var convertedTIDataConnector = dataConnector as PSSentinelDataConnectorTI;
+
+ convertedTIDataConnector.Etag = convertedTIDataConnector.Etag;
+ convertedTIDataConnector.TenantId = convertedTIDataConnector.TenantId;
+ convertedTIDataConnector.DataTypes.Indicators.State = this.IsParameterBound(c => c.Indicators) ? this.Indicators : convertedTIDataConnector.DataTypes.Indicators.State;
+
+ dataConnector = convertedTIDataConnector;
+ };
+
+
+ if (this.ShouldProcess(this.DataConnectorId, string.Format("Updating Data Connector '{0}' in resource group '{1}' under workspace '{2}'.", this.DataConnectorId, this.ResourceGroupName, this.WorkspaceName)))
+ {
+ var result = this.SecurityInsightsClient.DataConnectors.CreateOrUpdate(this.ResourceGroupName, this.WorkspaceName, this.DataConnectorId, dataConnector.CreatePSType()).ConvertToPSType();
+ WriteObject(result);
+ }
+ }
+ }
+}
\ No newline at end of file
diff --git a/src/SecurityInsights/SecurityInsights/Cmdlets/IncidentComments/GetIncidentComments.cs b/src/SecurityInsights/SecurityInsights/Cmdlets/IncidentComments/GetIncidentComments.cs
new file mode 100644
index 000000000000..5dce7e9b90a1
--- /dev/null
+++ b/src/SecurityInsights/SecurityInsights/Cmdlets/IncidentComments/GetIncidentComments.cs
@@ -0,0 +1,89 @@
+// ----------------------------------------------------------------------------------
+//
+// Copyright Microsoft Corporation
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+// http://www.apache.org/licenses/LICENSE-2.0
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+// ------------------------------------
+
+using System;
+using System.Management.Automation;
+using Microsoft.Azure.Commands.SecurityInsights;
+using Microsoft.Azure.Commands.SecurityInsights.Common;
+using Microsoft.Azure.Commands.SecurityInsights.Models.IncidentComments;
+using Microsoft.Azure.Commands.ResourceManager.Common.ArgumentCompleters;
+using System.Linq;
+using Microsoft.Azure.Management.SecurityInsights;
+
+namespace Microsoft.Azure.Commands.SecurityInsights.Cmdlets.IncidentsComments
+{
+ [Cmdlet(VerbsCommon.Get, ResourceManager.Common.AzureRMConstants.AzureRMPrefix + "SentinelIncidentComment", DefaultParameterSetName = ParameterSetNames.IncidentId), OutputType(typeof(PSSentinelIncidentComment))]
+ public class GetIncidentComments : SecurityInsightsCmdletBase
+ {
+ private const int MaxIncidentCommentsToFetch = 1500;
+
+ [Parameter(ParameterSetName = ParameterSetNames.IncidentId, Mandatory = true, HelpMessage = ParameterHelpMessages.ResourceGroupName)]
+ [Parameter(ParameterSetName = ParameterSetNames.IncidentCommentId, Mandatory = true, HelpMessage = ParameterHelpMessages.ResourceGroupName)]
+ [ResourceGroupCompleter]
+ [ValidateNotNullOrEmpty]
+ public string ResourceGroupName { get; set; }
+
+ [Parameter(ParameterSetName = ParameterSetNames.IncidentId, Mandatory = true, HelpMessage = ParameterHelpMessages.WorkspaceName)]
+ [Parameter(ParameterSetName = ParameterSetNames.IncidentCommentId, Mandatory = true, HelpMessage = ParameterHelpMessages.WorkspaceName)]
+ [ValidateNotNullOrEmpty]
+ public string WorkspaceName { get; set; }
+
+ [Parameter(ParameterSetName = ParameterSetNames.IncidentId, Mandatory = true, HelpMessage = ParameterHelpMessages.IncidentId)]
+ [Parameter(ParameterSetName = ParameterSetNames.IncidentCommentId, Mandatory = true, HelpMessage = ParameterHelpMessages.IncidentId)]
+ [ValidateNotNullOrEmpty]
+ public string IncidentId { get; set; }
+
+ [Parameter(ParameterSetName = ParameterSetNames.IncidentCommentId, Mandatory = true, HelpMessage = ParameterHelpMessages.IncidentCommentId)]
+ [ValidateNotNullOrEmpty]
+ public string IncidentCommentId { get; set; }
+
+ [Parameter(ParameterSetName = ParameterSetNames.ResourceId, Mandatory = true, ValueFromPipelineByPropertyName = true, HelpMessage = ParameterHelpMessages.ResourceId)]
+ [ValidateNotNullOrEmpty]
+ public string ResourceId { get; set; }
+
+ public override void ExecuteCmdlet()
+ {
+ int numberOfFetchedIncidentComments = 0;
+ string nextLink = null;
+ switch (ParameterSetName)
+ {
+ case ParameterSetNames.IncidentId:
+ var incidentComments = SecurityInsightsClient.IncidentComments.ListByIncident(ResourceGroupName, WorkspaceName, IncidentId);
+ int incidentCommentsCount = incidentComments.Count();
+ WriteObject(incidentComments.ConvertToPSType(), enumerateCollection: true);
+ numberOfFetchedIncidentComments += incidentCommentsCount;
+ nextLink = incidentComments?.NextPageLink;
+ while (!string.IsNullOrWhiteSpace(nextLink) && numberOfFetchedIncidentComments < MaxIncidentCommentsToFetch)
+ {
+ incidentComments = SecurityInsightsClient.IncidentComments.ListByIncidentNext(incidentComments.NextPageLink);
+ incidentCommentsCount = incidentComments.Count();
+ WriteObject(incidentComments.ConvertToPSType(), enumerateCollection: true);
+ numberOfFetchedIncidentComments += incidentCommentsCount;
+ nextLink = incidentComments?.NextPageLink;
+ }
+ break;
+ case ParameterSetNames.IncidentCommentId:
+ var incidentComment = SecurityInsightsClient.IncidentComments.Get(ResourceGroupName, WorkspaceName, IncidentId, IncidentCommentId);
+ WriteObject(incidentComment.ConvertToPSType(), enumerateCollection: false);
+ break;
+ case ParameterSetNames.ResourceId:
+ incidentComment = SecurityInsightsClient.IncidentComments.Get(ResourceGroupName, WorkspaceName, AzureIdUtilities.GetIncidentName(ResourceId), AzureIdUtilities.GetIncidentCommentName(ResourceId));
+ WriteObject(incidentComment.ConvertToPSType(), enumerateCollection: false);
+ break;
+ default:
+ throw new PSInvalidOperationException();
+ }
+ }
+ }
+}
diff --git a/src/SecurityInsights/SecurityInsights/Cmdlets/IncidentComments/NewIncidentComments.cs b/src/SecurityInsights/SecurityInsights/Cmdlets/IncidentComments/NewIncidentComments.cs
new file mode 100644
index 000000000000..ff026a67e5ac
--- /dev/null
+++ b/src/SecurityInsights/SecurityInsights/Cmdlets/IncidentComments/NewIncidentComments.cs
@@ -0,0 +1,66 @@
+// ----------------------------------------------------------------------------------
+//
+// Copyright Microsoft Corporation
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+// http://www.apache.org/licenses/LICENSE-2.0
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+// ------------------------------------
+
+using System.Management.Automation;
+using Microsoft.Azure.Commands.SecurityInsights;
+using Microsoft.Azure.Commands.SecurityInsights.Common;
+using Microsoft.Azure.Commands.SecurityInsights.Models.IncidentComments;
+using Microsoft.Azure.Commands.ResourceManager.Common.ArgumentCompleters;
+using System.Collections.Generic;
+using Microsoft.Azure.Management.SecurityInsights.Models;
+using System;
+using Microsoft.Azure.Management.SecurityInsights;
+
+namespace Microsoft.Azure.Commands.SecurityInsights.Cmdlets.IncidentsComments
+{
+ [Cmdlet(VerbsCommon.New, ResourceManager.Common.AzureRMConstants.AzureRMPrefix + "SentinelIncidentComment", DefaultParameterSetName = ParameterSetNames.IncidentCommentId, SupportsShouldProcess = true), OutputType(typeof(PSSentinelIncidentComment))]
+ public class NewBookmarks : SecurityInsightsCmdletBase
+ {
+ [Parameter(ParameterSetName = ParameterSetNames.IncidentCommentId, Mandatory = true, HelpMessage = ParameterHelpMessages.ResourceGroupName)]
+ [ResourceGroupCompleter]
+ [ValidateNotNullOrEmpty]
+ public string ResourceGroupName { get; set; }
+
+ [Parameter(ParameterSetName = ParameterSetNames.IncidentCommentId, Mandatory = true, HelpMessage = ParameterHelpMessages.WorkspaceName)]
+ [ValidateNotNullOrEmpty]
+ public string WorkspaceName { get; set; }
+
+ [Parameter(ParameterSetName = ParameterSetNames.IncidentCommentId, Mandatory = true, HelpMessage = ParameterHelpMessages.IncidentId)]
+ [ValidateNotNullOrEmpty]
+ public string IncidentId { get; set; }
+
+ [Parameter(ParameterSetName = ParameterSetNames.IncidentCommentId, Mandatory = false, HelpMessage = ParameterHelpMessages.IncidentCommentId)]
+ public string IncidentCommentId { get; set; }
+
+ [Parameter(ParameterSetName = ParameterSetNames.IncidentCommentId, Mandatory = true, HelpMessage = ParameterHelpMessages.Message)]
+ public string Message { get; set; }
+
+ public override void ExecuteCmdlet()
+ {
+ if (IncidentCommentId == null)
+ {
+ IncidentCommentId = Guid.NewGuid().ToString();
+ }
+
+ var name = IncidentCommentId;
+
+ if (ShouldProcess(name, VerbsCommon.New))
+ {
+ var outputIncidentCommnet = SecurityInsightsClient.IncidentComments.CreateComment(ResourceGroupName, WorkspaceName, IncidentId, name, Message);
+
+ WriteObject(outputIncidentCommnet.ConvertToPSType(), enumerateCollection: false);
+ }
+ }
+ }
+}
diff --git a/src/SecurityInsights/SecurityInsights/Cmdlets/Incidents/GetIncidents.cs b/src/SecurityInsights/SecurityInsights/Cmdlets/Incidents/GetIncidents.cs
new file mode 100644
index 000000000000..9ef147b9954d
--- /dev/null
+++ b/src/SecurityInsights/SecurityInsights/Cmdlets/Incidents/GetIncidents.cs
@@ -0,0 +1,84 @@
+// ----------------------------------------------------------------------------------
+//
+// Copyright Microsoft Corporation
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+// http://www.apache.org/licenses/LICENSE-2.0
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+// ------------------------------------
+
+using System;
+using System.Management.Automation;
+using Microsoft.Azure.Commands.SecurityInsights;
+using Microsoft.Azure.Commands.SecurityInsights.Common;
+using Microsoft.Azure.Commands.SecurityInsights.Models.Incidents;
+using Microsoft.Azure.Commands.ResourceManager.Common.ArgumentCompleters;
+using System.Linq;
+using Microsoft.Azure.Management.SecurityInsights;
+
+namespace Microsoft.Azure.Commands.SecurityInsights.Cmdlets.Incidents
+{
+ [Cmdlet(VerbsCommon.Get, ResourceManager.Common.AzureRMConstants.AzureRMPrefix + "SentinelIncident", DefaultParameterSetName = ParameterSetNames.WorkspaceScope), OutputType(typeof(PSSentinelIncident))]
+ public class GetIncidents : SecurityInsightsCmdletBase
+ {
+ private const int MaxIncidentsToFetch = 1500;
+
+ [Parameter(ParameterSetName = ParameterSetNames.WorkspaceScope, Mandatory = true, HelpMessage = ParameterHelpMessages.ResourceGroupName)]
+ [Parameter(ParameterSetName = ParameterSetNames.IncidentId, Mandatory = true, HelpMessage = ParameterHelpMessages.ResourceGroupName)]
+ [ResourceGroupCompleter]
+ [ValidateNotNullOrEmpty]
+ public string ResourceGroupName { get; set; }
+
+ [Parameter(ParameterSetName = ParameterSetNames.WorkspaceScope, Mandatory = true, HelpMessage = ParameterHelpMessages.WorkspaceName)]
+ [Parameter(ParameterSetName = ParameterSetNames.IncidentId, Mandatory = true, HelpMessage = ParameterHelpMessages.WorkspaceName)]
+ [ValidateNotNullOrEmpty]
+ public string WorkspaceName { get; set; }
+
+ [Parameter(ParameterSetName = ParameterSetNames.IncidentId, Mandatory = false, ValueFromPipelineByPropertyName = true, HelpMessage = ParameterHelpMessages.IncidentId)]
+ [ValidateNotNullOrEmpty]
+ public string IncidentId { get; set; }
+
+ [Parameter(ParameterSetName = ParameterSetNames.ResourceId, Mandatory = true, ValueFromPipelineByPropertyName = true, HelpMessage = ParameterHelpMessages.ResourceId)]
+ [ValidateNotNullOrEmpty]
+ public string ResourceId { get; set; }
+
+ public override void ExecuteCmdlet()
+ {
+ int numberOfFetchedIncidents = 0;
+ string nextLink = null;
+ switch (ParameterSetName)
+ {
+ case ParameterSetNames.WorkspaceScope:
+ var incidents = SecurityInsightsClient.Incidents.List(ResourceGroupName, WorkspaceName);
+ var incidentscount = incidents.Count();
+ WriteObject(incidents.ConvertToPSType(), enumerateCollection: true);
+ numberOfFetchedIncidents += incidentscount;
+ nextLink = incidents?.NextPageLink;
+ while (!string.IsNullOrWhiteSpace(nextLink) && numberOfFetchedIncidents < MaxIncidentsToFetch)
+ {
+ incidents = SecurityInsightsClient.Incidents.ListNext(incidents.NextPageLink);
+ incidentscount = incidents.Count();
+ WriteObject(incidents.ConvertToPSType(), enumerateCollection: true);
+ numberOfFetchedIncidents += incidentscount;
+ nextLink = incidents?.NextPageLink;
+ }
+ break;
+ case ParameterSetNames.IncidentId:
+ var incident = SecurityInsightsClient.Incidents.Get(ResourceGroupName, WorkspaceName, IncidentId);
+ WriteObject(incident.ConvertToPSType(), enumerateCollection: false);
+ break;
+ case ParameterSetNames.ResourceId:
+ incident = SecurityInsightsClient.Incidents.Get(ResourceGroupName, WorkspaceName, AzureIdUtilities.GetResourceName(ResourceId));
+ WriteObject(incident.ConvertToPSType(), enumerateCollection: false);
+ break;
+ default:
+ throw new PSInvalidOperationException();
+ }
+ }
+ }
+}
diff --git a/src/SecurityInsights/SecurityInsights/Cmdlets/Incidents/NewIncidents.cs b/src/SecurityInsights/SecurityInsights/Cmdlets/Incidents/NewIncidents.cs
new file mode 100644
index 000000000000..489c338ab851
--- /dev/null
+++ b/src/SecurityInsights/SecurityInsights/Cmdlets/Incidents/NewIncidents.cs
@@ -0,0 +1,103 @@
+// ----------------------------------------------------------------------------------
+//
+// Copyright Microsoft Corporation
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+// http://www.apache.org/licenses/LICENSE-2.0
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+// ------------------------------------
+
+using System.Management.Automation;
+using System;
+using Microsoft.Azure.Commands.SecurityInsights;
+using Microsoft.Azure.Commands.SecurityInsights.Common;
+using Microsoft.Azure.Commands.SecurityInsights.Models.Incidents;
+using Microsoft.Azure.Commands.ResourceManager.Common.ArgumentCompleters;
+using System.Collections.Generic;
+using Microsoft.Azure.Management.SecurityInsights.Models;
+using Microsoft.Azure.Management.SecurityInsights;
+
+namespace Microsoft.Azure.Commands.SecurityInsights.Cmdlets.Incidents
+{
+ [Cmdlet(VerbsCommon.New, ResourceManager.Common.AzureRMConstants.AzureRMPrefix + "SentinelIncident", DefaultParameterSetName = ParameterSetNames.IncidentId, SupportsShouldProcess = true), OutputType(typeof(PSSentinelIncident))]
+ public class NewIncidents : SecurityInsightsCmdletBase
+ {
+ [Parameter(ParameterSetName = ParameterSetNames.IncidentId, Mandatory = true, HelpMessage = ParameterHelpMessages.ResourceGroupName)]
+ [ResourceGroupCompleter]
+ [ValidateNotNullOrEmpty]
+ public string ResourceGroupName { get; set; }
+
+ [Parameter(ParameterSetName = ParameterSetNames.IncidentId, Mandatory = true, HelpMessage = ParameterHelpMessages.WorkspaceName)]
+ [ValidateNotNullOrEmpty]
+ public string WorkspaceName { get; set; }
+
+ [Parameter(ParameterSetName = ParameterSetNames.IncidentId, Mandatory = false, HelpMessage = ParameterHelpMessages.IncidentId)]
+ [ValidateNotNullOrEmpty]
+ public string IncidentId { get; set; }
+
+ [Parameter(ParameterSetName = ParameterSetNames.IncidentId, Mandatory = false, HelpMessage = ParameterHelpMessages.Classificaton)]
+ [ValidateSet("BenignPositive", "FalsePositive", "TruePositive", "Undetermined")]
+ public string Classificaton { get; set; }
+
+ [Parameter(ParameterSetName = ParameterSetNames.IncidentId, Mandatory = false, HelpMessage = ParameterHelpMessages.ClassificationComment)]
+ public string ClassificationComment { get; set; }
+
+ [Parameter(ParameterSetName = ParameterSetNames.IncidentId, Mandatory = false, HelpMessage = ParameterHelpMessages.ClassificationReason)]
+ [ValidateSet("InaccurateData", "IncorrectAlertLogic", "SuspiciousActivity", "SuspiciousButExpected")]
+ public string ClassificationReason { get; set; }
+
+ [Parameter(ParameterSetName = ParameterSetNames.IncidentId, Mandatory = false, HelpMessage = ParameterHelpMessages.Description)]
+ public string Description { get; set; }
+
+ [Parameter(ParameterSetName = ParameterSetNames.IncidentId, Mandatory = false, ValueFromPipeline = true, HelpMessage = ParameterHelpMessages.Labels)]
+ public IList Label { get; set; }
+
+ [Parameter(ParameterSetName = ParameterSetNames.IncidentId, Mandatory = false, ValueFromPipeline = true, HelpMessage = ParameterHelpMessages.Owner)]
+ public PSSentinelIncidentOwner Owner { get; set; }
+
+ [Parameter(ParameterSetName = ParameterSetNames.IncidentId, Mandatory = true, HelpMessage = ParameterHelpMessages.Severity)]
+ [ValidateSet("High", "Informational", "Low", "Medium")]
+ public string Severity { get; set; }
+
+ [Parameter(ParameterSetName = ParameterSetNames.IncidentId, Mandatory = true, HelpMessage = ParameterHelpMessages.Status)]
+ [ValidateSet("Active", "Closed", "New")]
+ public string Status { get; set; }
+
+ [Parameter(ParameterSetName = ParameterSetNames.IncidentId, Mandatory = true, HelpMessage = ParameterHelpMessages.Title)]
+ public string Title { get; set; }
+
+ public override void ExecuteCmdlet()
+ {
+ if (IncidentId == null)
+ {
+ IncidentId = Guid.NewGuid().ToString();
+ }
+ var name = IncidentId;
+
+ Incident incident = new Incident
+ {
+ Title = Title,
+ Status = Status,
+ Severity = Severity,
+ Classification = Classificaton,
+ ClassificationComment = ClassificationComment,
+ ClassificationReason = ClassificationReason,
+ Description = Description,
+ Labels = Label?.CreatePSType(),
+ Owner = Owner?.CreatePSType()
+ };
+
+ if (ShouldProcess(name, VerbsCommon.New))
+ {
+ var outputIncident = SecurityInsightsClient.Incidents.CreateOrUpdate(ResourceGroupName, WorkspaceName, name, incident);
+
+ WriteObject(outputIncident.ConvertToPSType(), enumerateCollection: false);
+ }
+ }
+ }
+}
diff --git a/src/SecurityInsights/SecurityInsights/Cmdlets/Incidents/NewIncidentsOwner.cs b/src/SecurityInsights/SecurityInsights/Cmdlets/Incidents/NewIncidentsOwner.cs
new file mode 100644
index 000000000000..037c656a2df8
--- /dev/null
+++ b/src/SecurityInsights/SecurityInsights/Cmdlets/Incidents/NewIncidentsOwner.cs
@@ -0,0 +1,56 @@
+// ----------------------------------------------------------------------------------
+//
+// Copyright Microsoft Corporation
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+// http://www.apache.org/licenses/LICENSE-2.0
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+// ------------------------------------
+
+using System;
+using System.Management.Automation;
+using Microsoft.Azure.Commands.SecurityInsights;
+using Microsoft.Azure.Commands.SecurityInsights.Common;
+using Microsoft.Azure.Commands.SecurityInsights.Models.Incidents;
+using Microsoft.Azure.Commands.ResourceManager.Common.ArgumentCompleters;
+using Microsoft.Azure.Management.SecurityInsights.Models;
+
+namespace Microsoft.Azure.Commands.SecurityInsights.Cmdlets.Incidents
+{
+ [Cmdlet(VerbsCommon.New, ResourceManager.Common.AzureRMConstants.AzureRMPrefix + "SentinelIncidentOwner", DefaultParameterSetName = ParameterSetNames.GeneralScope, SupportsShouldProcess = true), OutputType(typeof(PSSentinelIncident))]
+ public class NewIncidentsOwner : SecurityInsightsCmdletBase
+ {
+ [Parameter(ParameterSetName = ParameterSetNames.GeneralScope, Mandatory = true, HelpMessage = ParameterHelpMessages.AssignedTo)]
+ public string AssignedTo { get; set; }
+
+ [Parameter(ParameterSetName = ParameterSetNames.GeneralScope, Mandatory = true, HelpMessage = ParameterHelpMessages.Email)]
+ public string Email { get; set; }
+
+ [Parameter(ParameterSetName = ParameterSetNames.GeneralScope, Mandatory = true, HelpMessage = ParameterHelpMessages.ObjectId)]
+ public string ObjectId { get; set; }
+
+ [Parameter(ParameterSetName = ParameterSetNames.GeneralScope, Mandatory = true, HelpMessage = ParameterHelpMessages.UserPrincipalName)]
+ public string UserPrincipalName { get; set; }
+
+ public override void ExecuteCmdlet()
+ {
+ PSSentinelIncidentOwner owner = new PSSentinelIncidentOwner
+ {
+ AssignedTo = AssignedTo,
+ Email = Email,
+ ObjectId = Guid.Parse(ObjectId),
+ UserPrincipalName = UserPrincipalName
+ };
+
+ if (ShouldProcess(ObjectId, VerbsCommon.New))
+ {
+ WriteObject(owner, enumerateCollection: false);
+ }
+ }
+ }
+}
diff --git a/src/SecurityInsights/SecurityInsights/Cmdlets/Incidents/RemoveIncidents.cs b/src/SecurityInsights/SecurityInsights/Cmdlets/Incidents/RemoveIncidents.cs
new file mode 100644
index 000000000000..f65ba9575086
--- /dev/null
+++ b/src/SecurityInsights/SecurityInsights/Cmdlets/Incidents/RemoveIncidents.cs
@@ -0,0 +1,80 @@
+// ----------------------------------------------------------------------------------
+//
+// Copyright Microsoft Corporation
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+// http://www.apache.org/licenses/LICENSE-2.0
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+// ------------------------------------
+
+using System.Management.Automation;
+using Microsoft.Azure.Commands.SecurityInsights;
+using Microsoft.Azure.Commands.SecurityInsights.Common;
+using Microsoft.Azure.Commands.SecurityInsights.Models.Incidents;
+using Microsoft.Azure.Commands.ResourceManager.Common.ArgumentCompleters;
+using Microsoft.Azure.Management.SecurityInsights;
+
+namespace Microsoft.Azure.Commands.SecurityInsights.Cmdlets.Incidents
+{
+ [Cmdlet(VerbsCommon.Remove, ResourceManager.Common.AzureRMConstants.AzureRMPrefix + "SentinelIncident", DefaultParameterSetName = ParameterSetNames.IncidentId, SupportsShouldProcess = true), OutputType(typeof(bool))]
+ public class RemoveIncidents : SecurityInsightsCmdletBase
+ {
+ [Parameter(ParameterSetName = ParameterSetNames.IncidentId, Mandatory = true, ValueFromPipelineByPropertyName = true, HelpMessage = ParameterHelpMessages.ResourceGroupName)]
+ [ValidateNotNullOrEmpty]
+ public string ResourceGroupName { get; set; }
+
+ [Parameter(ParameterSetName = ParameterSetNames.IncidentId, Mandatory = true, ValueFromPipelineByPropertyName = true, HelpMessage = ParameterHelpMessages.WorkspaceName)]
+ [ValidateNotNullOrEmpty]
+ public string WorkspaceName { get; set; }
+
+ [Parameter(ParameterSetName = ParameterSetNames.IncidentId, Mandatory = true, ValueFromPipelineByPropertyName = true, HelpMessage = ParameterHelpMessages.IncidentId)]
+ [ValidateNotNullOrEmpty]
+ public string IncidentId { get; set; }
+
+ [Parameter(ParameterSetName = ParameterSetNames.InputObject, Mandatory = true, ValueFromPipeline = true, HelpMessage = ParameterHelpMessages.InputObject)]
+ [ValidateNotNullOrEmpty]
+ public PSSentinelIncident InputObject { get; set; }
+
+ [Parameter(Mandatory = false, HelpMessage = ParameterHelpMessages.PassThru)]
+ public SwitchParameter PassThru { get; set; }
+
+ public override void ExecuteCmdlet()
+ {
+ var name = IncidentId;
+
+ switch (ParameterSetName)
+ {
+ case ParameterSetNames.IncidentId:
+ break;
+ case ParameterSetNames.InputObject:
+ name = InputObject.Name;
+ break;
+ default:
+ throw new PSInvalidOperationException();
+ }
+
+ if (ShouldProcess(name, VerbsCommon.Remove))
+ {
+ var result = SecurityInsightsClient.Incidents.DeleteWithHttpMessagesAsync(ResourceGroupName, WorkspaceName, name).Result;
+ if (result.Response.StatusCode == (System.Net.HttpStatusCode)200)
+ {
+ System.Console.WriteLine("success");
+ }
+ else if (result.Response.StatusCode == (System.Net.HttpStatusCode)204)
+ {
+ System.Console.WriteLine("success");
+ }
+ }
+
+ if (PassThru.IsPresent)
+ {
+ WriteObject(true);
+ }
+ }
+ }
+}
diff --git a/src/SecurityInsights/SecurityInsights/Cmdlets/Incidents/UpdateIncidents.cs b/src/SecurityInsights/SecurityInsights/Cmdlets/Incidents/UpdateIncidents.cs
new file mode 100644
index 000000000000..89c96a4e8b99
--- /dev/null
+++ b/src/SecurityInsights/SecurityInsights/Cmdlets/Incidents/UpdateIncidents.cs
@@ -0,0 +1,133 @@
+// ----------------------------------------------------------------------------------
+//
+// Copyright Microsoft Corporation
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+// http://www.apache.org/licenses/LICENSE-2.0
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+// ------------------------------------
+
+using System.Management.Automation;
+using Microsoft.Azure.Commands.SecurityInsights;
+using Microsoft.Azure.Commands.SecurityInsights.Common;
+using Microsoft.Azure.Commands.SecurityInsights.Models.Incidents;
+using Microsoft.Azure.Commands.ResourceManager.Common.ArgumentCompleters;
+using System.Collections.Generic;
+using Microsoft.Azure.Management.SecurityInsights.Models;
+using System;
+using Microsoft.Azure.Management.SecurityInsights;
+using Microsoft.WindowsAzure.Commands.Utilities.Common;
+using Microsoft.Azure.Management.Internal.Resources.Utilities.Models;
+
+namespace Microsoft.Azure.Commands.SecurityInsights.Cmdlets.Incidents
+{
+ [Cmdlet(VerbsData.Update, ResourceManager.Common.AzureRMConstants.AzureRMPrefix + "SentinelIncident", DefaultParameterSetName = ParameterSetNames.IncidentId, SupportsShouldProcess = true), OutputType(typeof(PSSentinelIncident))]
+ public class UpdateIncidents : SecurityInsightsCmdletBase
+ {
+ [Parameter(ParameterSetName = ParameterSetNames.IncidentId, Mandatory = true, HelpMessage = ParameterHelpMessages.ResourceGroupName)]
+ [ResourceGroupCompleter]
+ [ValidateNotNullOrEmpty]
+ public string ResourceGroupName { get; set; }
+
+ [Parameter(ParameterSetName = ParameterSetNames.IncidentId, Mandatory = true, HelpMessage = ParameterHelpMessages.WorkspaceName)]
+ [ValidateNotNullOrEmpty]
+ public string WorkspaceName { get; set; }
+
+ [Parameter(ParameterSetName = ParameterSetNames.IncidentId, Mandatory = true, HelpMessage = ParameterHelpMessages.IncidentId)]
+ public string IncidentID { get; set; }
+
+ [Parameter(ParameterSetName = ParameterSetNames.InputObject, Mandatory = true, ValueFromPipeline = true, HelpMessage = ParameterHelpMessages.InputObject)]
+ [ValidateNotNull]
+ public PSSentinelIncident InputObject { get; set; }
+
+ [Parameter(ParameterSetName = ParameterSetNames.ResourceId, Mandatory = true, ValueFromPipeline = true, HelpMessage = ParameterHelpMessages.ResourceId)]
+ [ValidateNotNullOrEmpty]
+ public string ResourceId { get; set; }
+
+ [Parameter(Mandatory = false, HelpMessage = ParameterHelpMessages.Classificaton)]
+ [ValidateSet("BenignPositive", "FalsePositive", "TruePositive", "Undetermined")]
+ public string Classification { get; set; }
+
+ [Parameter(Mandatory = false, HelpMessage = ParameterHelpMessages.ClassificationComment)]
+ public string ClassificationComment { get; set; }
+
+ [Parameter(Mandatory = false, HelpMessage = ParameterHelpMessages.ClassificationReason)]
+ [ValidateSet("InaccurateData", "IncorrectAlertLogic", "SuspiciousActivity", "SuspiciousButExpected")]
+ public string ClassificationReason { get; set; }
+
+ [Parameter(Mandatory = false, HelpMessage = ParameterHelpMessages.Description)]
+ public string Description { get; set; }
+
+ [Parameter(Mandatory = false, ValueFromPipeline = true, HelpMessage = ParameterHelpMessages.Labels)]
+ public IList Label { get; set; }
+
+ [Parameter(Mandatory = false, ValueFromPipeline = true, HelpMessage = ParameterHelpMessages.Owner)]
+ public PSSentinelIncidentOwner Owner { get; set; }
+
+ [Parameter(Mandatory = false, HelpMessage = ParameterHelpMessages.Severity)]
+ [ValidateSet("High", "Informational", "Low", "Medium")]
+ public string Severity { get; set; }
+
+ [Parameter(Mandatory = false, HelpMessage = ParameterHelpMessages.Status)]
+ [ValidateSet("Active", "Closed", "New")]
+ public string Status { get; set; }
+
+ [Parameter(Mandatory = false, HelpMessage = ParameterHelpMessages.Title)]
+ public string Title { get; set; }
+
+ public override void ExecuteCmdlet()
+ {
+ if (this.IsParameterBound(c => c.InputObject))
+ {
+ this.ResourceGroupName = AzureIdUtilities.GetResourceGroup(InputObject.Id);
+ this.WorkspaceName = AzureIdUtilities.GetWorkspaceName(InputObject.Id);
+ this.IncidentID = this.InputObject.Name;
+ }
+
+ if (this.IsParameterBound(c => c.ResourceId))
+ {
+ var resourceIdentifier = new ResourceIdentifier(this.ResourceId);
+ this.ResourceGroupName = resourceIdentifier.ResourceGroupName;
+ this.WorkspaceName = AzureIdUtilities.GetWorkspaceName(this.ResourceId);
+ this.IncidentID = resourceIdentifier.ResourceName;
+ }
+
+ PSSentinelIncident incident = null;
+ try
+ {
+ incident = this.SecurityInsightsClient.Incidents.Get(this.ResourceGroupName, this.WorkspaceName, this.IncidentID).ConvertToPSType();
+ }
+ catch
+ {
+ incident = null;
+ }
+
+ if (incident == null)
+ {
+ throw new Exception(string.Format("An Incident with IncidentID '{0}' in resource group '{1}' under parent workspace '{2}' does not exist. Please use New-AzSentinelBookmark to create a Bookmark with these properties.", this.IncidentID, this.ResourceGroupName, this.WorkspaceName));
+ }
+
+ incident.Etag = incident.Etag;
+ incident.Classification = this.IsParameterBound(c => c.Classification) ? this.Classification : incident.Classification;
+ incident.ClassificationComment = this.IsParameterBound(c => c.ClassificationComment) ? this.ClassificationComment : incident.ClassificationComment;
+ incident.ClassificationReason = this.IsParameterBound(c => c.ClassificationReason) ? this.ClassificationReason : incident.ClassificationReason;
+ incident.Description = this.IsParameterBound(c => c.Description) ? this.Description : incident.Description;
+ incident.Labels = this.IsParameterBound(c => c.Label) ? this.Label : incident.Labels;
+ incident.Owner = this.IsParameterBound(c => c.Owner) ? this.Owner : incident.Owner;
+ incident.Severity = this.IsParameterBound(c => c.Severity) ? this.Severity : incident.Severity;
+ incident.Status = this.IsParameterBound(c => c.Status) ? this.Status : incident.Status;
+ incident.Title = this.IsParameterBound(c => c.Title) ? this.Title : incident.Title;
+
+ if (this.ShouldProcess(this.IncidentID, string.Format("Updating IncidentID '{0}' in resource group '{1}' under workspace '{2}'.", this.IncidentID, this.ResourceGroupName, this.WorkspaceName)))
+ {
+ var result = this.SecurityInsightsClient.Incidents.CreateOrUpdate(this.ResourceGroupName, this.WorkspaceName, this.IncidentID, incident.CreatePSType()).ConvertToPSType();
+ WriteObject(result);
+ }
+ }
+ }
+}
diff --git a/src/SecurityInsights/SecurityInsights/Common/AzureIdUtilities.cs b/src/SecurityInsights/SecurityInsights/Common/AzureIdUtilities.cs
new file mode 100644
index 000000000000..77e147655401
--- /dev/null
+++ b/src/SecurityInsights/SecurityInsights/Common/AzureIdUtilities.cs
@@ -0,0 +1,145 @@
+// ----------------------------------------------------------------------------------
+//
+// Copyright Microsoft Corporation
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+// http://www.apache.org/licenses/LICENSE-2.0
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+// ------------------------------------
+
+using System;
+using System.Linq;
+using System.Text.RegularExpressions;
+
+namespace Microsoft.Azure.Commands.SecurityInsights.Common
+{
+ public static class AzureIdUtilities
+ {
+ private static Regex locationRegex = new Regex("/locations/(?.*?)/", RegexOptions.Compiled | RegexOptions.IgnoreCase);
+
+ private static Regex rgRegex = new Regex("/resourceGroups/(?.*?)/", RegexOptions.Compiled | RegexOptions.IgnoreCase);
+
+ private static Regex subscriptionRegex = new Regex("/subscriptions/(?.*?)/", RegexOptions.Compiled | RegexOptions.IgnoreCase);
+
+ private static Regex workspaceRegex = new Regex("/workspaces/(?.*?)/", RegexOptions.Compiled | RegexOptions.IgnoreCase);
+
+ private static Regex alertruleRegex = new Regex("/alertRules/(?.*?)/", RegexOptions.Compiled | RegexOptions.IgnoreCase);
+
+ private static Regex actionRegex = new Regex("/actions/(?.*?)/", RegexOptions.Compiled | RegexOptions.IgnoreCase);
+
+ private static Regex incidentRegex = new Regex("/incidents/(?.*?)/", RegexOptions.Compiled | RegexOptions.IgnoreCase);
+
+ private static Regex incidentCommentRegex = new Regex("/comments/(?.*?)/", RegexOptions.Compiled | RegexOptions.IgnoreCase);
+
+ public static string GetResourceName(string id)
+ {
+ return id.Split('/').Last();
+ }
+
+ public static string GetWorkspaceName(string id)
+ {
+ var match = workspaceRegex.Match(id);
+
+ if (match.Success != true)
+ {
+ throw new ArgumentException("Invalid format of the resource identifier.", "id");
+ }
+
+ return match.Groups["workspace"].Value;
+
+ }
+
+ public static string GetAlertRuleName(string id)
+ {
+ var match = alertruleRegex.Match(id);
+
+ if (match.Success != true)
+ {
+ throw new ArgumentException("Invalid format of the resource identifier.", "id");
+ }
+
+ return match.Groups["alertrule"].Value;
+
+ }
+
+ public static string GetActionName(string id)
+ {
+ var match = actionRegex.Match(id);
+
+ if (match.Success != true)
+ {
+ throw new ArgumentException("Invalid format of the resource identifier.", "id");
+ }
+
+ return match.Groups["action"].Value;
+
+ }
+
+ public static string GetIncidentName(string id)
+ {
+ var match = incidentRegex.Match(id);
+
+ if (match.Success != true)
+ {
+ throw new ArgumentException("Invalid format of the resource identifier.", "id");
+ }
+
+ return match.Groups["incident"].Value;
+
+ }
+
+ public static string GetIncidentCommentName(string id)
+ {
+ var match = incidentCommentRegex.Match(id);
+
+ if (match.Success != true)
+ {
+ throw new ArgumentException("Invalid format of the resource identifier.", "id");
+ }
+
+ return match.Groups["comment"].Value;
+
+ }
+
+ public static string GetResourceLocation(string id)
+ {
+ var match = locationRegex.Match(id);
+
+ if (match.Success != true)
+ {
+ throw new ArgumentException("Invalid format of the resource identifier.", "id");
+ }
+
+ return match.Groups["Location"].Value;
+ }
+
+ public static string GetResourceGroup(string id)
+ {
+ var match = rgRegex.Match(id);
+
+ if (match.Success != true)
+ {
+ return null;
+ }
+
+ return match.Groups["RG"].Value;
+ }
+
+ public static string GetResourceSubscription(string id)
+ {
+ var match = subscriptionRegex.Match(id);
+
+ if (match.Success != true)
+ {
+ throw new ArgumentException("Invalid format of the resource identifier.", "id");
+ }
+
+ return match.Groups["subscriptionId"].Value;
+ }
+ }
+}
diff --git a/src/SecurityInsights/SecurityInsights/Common/ParameterHelpMessages.cs b/src/SecurityInsights/SecurityInsights/Common/ParameterHelpMessages.cs
new file mode 100644
index 000000000000..14c01ed23179
--- /dev/null
+++ b/src/SecurityInsights/SecurityInsights/Common/ParameterHelpMessages.cs
@@ -0,0 +1,124 @@
+// ----------------------------------------------------------------------------------
+//
+// Copyright Microsoft Corporation
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+// http://www.apache.org/licenses/LICENSE-2.0
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+// ----------------------------------------------------------------------------------
+
+using Microsoft.Azure.Management.WebSites.Version2016_09_01.Models;
+
+namespace Microsoft.Azure.Commands.SecurityInsights.Common
+{
+ public static class ParameterHelpMessages
+ {
+ #region General
+
+ public const string ResourceGroupName = "Resource group name.";
+ public const string WorkspaceName = "Workspace Name.";
+ public const string ResourceId = "Resource Id.";
+ public const string InputObject = "InputObject.";
+ public const string Description = "Description.";
+ public const string PassThru = "PassThru";
+ public const string AsJob = "Run cmdlet in the background";
+ public const string Etag = "Etag";
+ public const string ParentObject = "Parent Object.";
+ #endregion
+
+ #region Actions
+ public const string ActionId = "Action Id.";
+ public const string LogicAppResourceId = "Action Logic App Resource Id.";
+ public const string TriggerUri = "Action Logic App Trigger Uri.";
+
+ #endregion
+ #region AlertRules
+ public const string AlertRuleId = "Alert Rule Id.";
+ public const string Kind = "Alert Rule Kind.";
+ public const string AlertRuleTemplateName = "Alert Rule Template.";
+ public const string Enabled = "Alert Rule Enabled.";
+ public const string Disabled = "Alert Rule Disabled.";
+ public const string DisplayName = "Alert Rule Display Name.";
+ public const string ProductFilter = "Alert Rule Product Filter.";
+ public const string DisplayNamesExcludeFilter = "Alert Rule Display Names Exclude Filter.";
+ public const string DisplayNamesFilter = "Alert Rule Display Names Filter.";
+ public const string SeveritiesFilter = "Alert Rule Severities Filter.";
+ public const string SuppressionDuration = "Alert Rule Suppression Duration.";
+ public const string SuppressionEnabled = "Alert Rule Suppression Enabled.";
+ public const string SuppressionDisabled = "Alert Rule Suppression Disabled.";
+ public const string Query = "Alert Rule Query.";
+ public const string QueryFrequency = "Alert Rule Query Frequency.";
+ public const string QueryPeriod = "Alert Rule Query Period.";
+ public const string Tactics = "Alert Rule Tactics.";
+ public const string TriggerOperator = "Alert Rule Trigger Operator.";
+ public const string TriggerThreshold = "Alert Rule Trigger Threshold.";
+ #endregion
+
+ #region
+ public const string AlertRuleTemplateId = "Template Alert Rule Id.";
+ #endregion
+
+ #region Bookmarks
+ public const string BookmarkId = "Bookmark Id,";
+ public const string RelationName = "Bookmark Relation Name.";
+ public const string CreatedBy = "Bookmark Created By.";
+ public const string BookmarkDisplayName = "Bookmark Rule Display Name.";
+ public const string IncidentInfo = "Bookmark Incident Info.";
+ public const string Notes = "Bookmark Notes.";
+ public const string BookmarkQuery = "Bookmark Query.";
+ public const string QueryResult = "Bookmark Query Result.";
+ public const string UpdatedBy = "Bookmark Updated By.";
+ #endregion
+
+ #region DataConnectors
+ public const string DataConnectorId = "Data Connector Id.";
+ public const string DataConnectorKind = "Data Connector Kind.";
+ public const string AzureActiveDirectory = "Data Connector Azure Active Directory";
+ public const string AzureAdvancedThreatProtection = "Data Connector Azure Advanced Threat Protection";
+ public const string AzureSecurityCenter = "Data Connector Azure Security Center";
+ public const string AmazonWebServicesCloudTrail = "Data Connector Amazon Web Services Cloud Trail";
+ public const string MicrosoftCloudAppSecurity = "Data Connector Microsoft Cloud App Security";
+ public const string MicrosoftDefenderAdvancedThreatProtection = "Data Connector Microsoft Defender Advanced Threat Protection";
+ public const string Office365 = "Data Connector Office 365";
+ public const string ThreatIntelligence = "Data Connector Threat Intelligence";
+ public const string Alerts = "Data Connector Alerts";
+ public const string AwsRoleArn = "Data Connector AWS Role Arn";
+ public const string Logs = "Data Connector Logs";
+ public const string DiscoveryLogs = "Data Connector Discovery Logs";
+ public const string Exchange = "Data Connector Exchange";
+ public const string SharePoint = "Data Connector SharePoint";
+ public const string Indicators = "Data Connector Indicators";
+ public const string SubscriptionId = "Data connector Subscription Id";
+ #endregion
+
+ #region IncidentComments
+ public const string IncidentCommentId = "Incident Comment Id.";
+ public const string Message = "Incident Message.";
+ #endregion
+
+ #region Incidents
+ public const string IncidentId = "Incident Id.";
+ public const string Classificaton = "Incident Classificaiton.";
+ public const string ClassificationComment = "Incident Classificaiton Comment.";
+ public const string ClassificationReason = "Incident Classificaiton Reason.";
+ public const string Labels = "Incident Labels.";
+ public const string Owner = "Incident Owner.";
+ public const string Severity = "Incident Severity.";
+ public const string Status = "Incident Status.";
+ public const string Title = "Incident Title.";
+ public const string LabelName = "Incident Label Name.";
+ public const string LabelType = "Incident Label Type.";
+ public const string AssignedTo = "Incident Owner - Assigned To";
+ public const string Email = "Incident Owner - Email";
+ public const string ObjectId = "Incident Owner - ObjectId";
+ public const string UserPrincipalName = "Incident Owner - User Principal Name";
+ #endregion
+
+
+ }
+}
\ No newline at end of file
diff --git a/src/SecurityInsights/SecurityInsights/Common/ParameterSetNames.cs b/src/SecurityInsights/SecurityInsights/Common/ParameterSetNames.cs
new file mode 100644
index 000000000000..5cd3d8d836b7
--- /dev/null
+++ b/src/SecurityInsights/SecurityInsights/Common/ParameterSetNames.cs
@@ -0,0 +1,70 @@
+// ----------------------------------------------------------------------------------
+//
+// Copyright Microsoft Corporation
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+// http://www.apache.org/licenses/LICENSE-2.0
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+// ----------------------------------------------------------------------------------
+
+namespace Microsoft.Azure.Commands.SecurityInsights.Common
+{
+ public static class ParameterSetNames
+ {
+ # region General
+ public const string InputObject = "InputObject";
+ public const string WorkspaceScope = "WorkspaceScope";
+ public const string ResourceId = "ResourceId";
+ public const string GeneralScope = "GeneralScope";
+ public const string ParentObject = "ParentObject";
+ #endregion
+
+ #region Actions
+ public const string ActionId = "ActionId";
+ #endregion
+
+ #region AlertRules
+ public const string AlertRuleId = "AlertRuleId";
+ public const string FusionAlertRule = "FusionAlertRule";
+ public const string MicrosoftSecurityIncidentCreationRule = "MicrosoftSecurityIncidentCreationRule";
+ public const string ScheduledAlertRule = "ScheduledAlertRule";
+
+ #endregion
+
+ #region AlertRuleTemplates
+ public const string AlertRuleTemplateId = "AlertRuleTemplateId";
+ #endregion
+
+ #region Bookmarks
+ public const string BookmarkId = "BookmarkId.";
+ #endregion
+
+ #region DataConnectors
+ public const string DataConnectorId = "DataConnectorId";
+ public const string AzureActiveDirectory = "AzureActiveDirectory";
+ public const string AzureAdvancedThreatProtection = "AzureAdvancedThreatProtection";
+ public const string AzureSecurityCenter = "AzureSecurityCenter";
+ public const string AmazonWebServicesCloudTrail = "AmazonWebServicesCloudTrail";
+ public const string MicrosoftCloudAppSecurity = "MicrosoftCloudAppSecurity";
+ public const string MicrosoftDefenderAdvancedThreatProtection = "MicrosoftDefenderAdvancedThreatProtection";
+ public const string Office365 = "Office365";
+ public const string ThreatIntelligence = "ThreatIntelligence";
+ #endregion
+
+ #region IncidentComments
+ public const string IncidentCommentId = "IncidentCommentId";
+ #endregion
+
+ #region Incidents
+ public const string IncidentId = "IncidentId";
+ #endregion
+
+
+
+ }
+}
diff --git a/src/SecurityInsights/SecurityInsights/Models/Actions/PSSentinelActionConvertors.cs b/src/SecurityInsights/SecurityInsights/Models/Actions/PSSentinelActionConvertors.cs
new file mode 100644
index 000000000000..4bcf4afc6be0
--- /dev/null
+++ b/src/SecurityInsights/SecurityInsights/Models/Actions/PSSentinelActionConvertors.cs
@@ -0,0 +1,58 @@
+// ----------------------------------------------------------------------------------
+//
+// Copyright Microsoft Corporation
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+// http://www.apache.org/licenses/LICENSE-2.0
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+// ----------------------------------------------------------------------------------
+
+using System.Linq;
+using System.Collections.Generic;
+using Microsoft.Azure.Management.SecurityInsights.Models;
+using System.Security.Cryptography;
+using Microsoft.Azure.Commands.SecurityInsights.Models.Actions;
+
+namespace Microsoft.Azure.Commands.SecurityInsights.Models.Actions
+{
+ public static class PSSentinelActionConvertors
+ {
+
+ public static PSSentinelActionResponse ConvertToPSType(this ActionResponse value)
+ {
+ return new PSSentinelActionResponse()
+ {
+ Id = value.Id,
+ Name = value.Name,
+ Type = value.Type,
+ LogicAppResourceId = value.LogicAppResourceId,
+ WorkflowId = value.WorkflowId
+ };
+ }
+
+ public static List ConvertToPSType(this IEnumerable value)
+ {
+ return value.Select(dss => dss.ConvertToPSType()).ToList();
+ }
+
+ public static ActionRequest CreatePSType(this PSSentinelActionRequest value)
+ {
+ return new ActionRequest()
+ {
+ LogicAppResourceId = value.LogicAppResourceId,
+ TriggerUri = value.TriggerUri
+ };
+ }
+
+ public static List CreatePSType(this IEnumerable value)
+ {
+ return value.Select(rec => rec.CreatePSType()).ToList();
+ }
+
+ }
+}
diff --git a/src/SecurityInsights/SecurityInsights/Models/Actions/PSSentinelActionRequests.cs b/src/SecurityInsights/SecurityInsights/Models/Actions/PSSentinelActionRequests.cs
new file mode 100644
index 000000000000..f3d3f2bfd015
--- /dev/null
+++ b/src/SecurityInsights/SecurityInsights/Models/Actions/PSSentinelActionRequests.cs
@@ -0,0 +1,28 @@
+// ----------------------------------------------------------------------------------
+//
+// Copyright Microsoft Corporation
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+// http://www.apache.org/licenses/LICENSE-2.0
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+// ----------------------------------------------------------------------------------
+
+using System;
+using System.Collections.Generic;
+
+namespace Microsoft.Azure.Commands.SecurityInsights.Models.Actions
+{
+ public class PSSentinelActionRequest
+ {
+
+ public string LogicAppResourceId { get; set; }
+
+ public string TriggerUri { get; set; }
+
+ }
+}
diff --git a/src/SecurityInsights/SecurityInsights/Models/Actions/PSSentinelActionResponses.cs b/src/SecurityInsights/SecurityInsights/Models/Actions/PSSentinelActionResponses.cs
new file mode 100644
index 000000000000..5f4e9dbab728
--- /dev/null
+++ b/src/SecurityInsights/SecurityInsights/Models/Actions/PSSentinelActionResponses.cs
@@ -0,0 +1,34 @@
+// ----------------------------------------------------------------------------------
+//
+// Copyright Microsoft Corporation
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+// http://www.apache.org/licenses/LICENSE-2.0
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+// ----------------------------------------------------------------------------------
+
+using Microsoft.Azure.Management.SecurityInsights.Models;
+using System;
+using System.Collections.Generic;
+
+namespace Microsoft.Azure.Commands.SecurityInsights.Models.Actions
+{
+ public class PSSentinelActionResponse
+ {
+ public string Id { get; set; }
+
+ public string Name { get; set; }
+
+ public string Type { get; set; }
+
+ public string LogicAppResourceId { get; set; }
+
+ public string WorkflowId { get; set; }
+
+ }
+}
diff --git a/src/SecurityInsights/SecurityInsights/Models/AlertRuleTemplates/PSSentinelAlertRuleTemplateDataSource.cs b/src/SecurityInsights/SecurityInsights/Models/AlertRuleTemplates/PSSentinelAlertRuleTemplateDataSource.cs
new file mode 100644
index 000000000000..cadbd770b467
--- /dev/null
+++ b/src/SecurityInsights/SecurityInsights/Models/AlertRuleTemplates/PSSentinelAlertRuleTemplateDataSource.cs
@@ -0,0 +1,27 @@
+// ----------------------------------------------------------------------------------
+//
+// Copyright Microsoft Corporation
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+// http://www.apache.org/licenses/LICENSE-2.0
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+// ----------------------------------------------------------------------------------
+
+using System;
+using System.Collections.Generic;
+
+namespace Microsoft.Azure.Commands.SecurityInsights.Models.AlertRuleTemplates
+{
+ public class PSSentinelAlertRuleTemplateDataSource
+ {
+ public string ConnectorId { get; set; }
+
+ public IList DataTypes { get; set; }
+
+ }
+}
diff --git a/src/SecurityInsights/SecurityInsights/Models/AlertRuleTemplates/PSSentinelAlertRuleTemplates.cs b/src/SecurityInsights/SecurityInsights/Models/AlertRuleTemplates/PSSentinelAlertRuleTemplates.cs
new file mode 100644
index 000000000000..dc986fb30996
--- /dev/null
+++ b/src/SecurityInsights/SecurityInsights/Models/AlertRuleTemplates/PSSentinelAlertRuleTemplates.cs
@@ -0,0 +1,32 @@
+// ----------------------------------------------------------------------------------
+//
+// Copyright Microsoft Corporation
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+// http://www.apache.org/licenses/LICENSE-2.0
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+// ----------------------------------------------------------------------------------
+
+using Microsoft.Azure.Commands.SecurityInsights.Models.Actions;
+using System;
+using System.Collections.Generic;
+
+namespace Microsoft.Azure.Commands.SecurityInsights.Models.AlertRuleTemplates
+{
+ public class PSSentinelAlertRuleTemplate
+ {
+ public string Id { get; set; }
+
+ public string Name { get; set; }
+
+ public string Type { get; set; }
+
+ public string Kind { get; set; }
+
+ }
+}
diff --git a/src/SecurityInsights/SecurityInsights/Models/AlertRuleTemplates/PSSentinelAlertRuleTemplatesConvertors.cs b/src/SecurityInsights/SecurityInsights/Models/AlertRuleTemplates/PSSentinelAlertRuleTemplatesConvertors.cs
new file mode 100644
index 000000000000..b8ea98739bd9
--- /dev/null
+++ b/src/SecurityInsights/SecurityInsights/Models/AlertRuleTemplates/PSSentinelAlertRuleTemplatesConvertors.cs
@@ -0,0 +1,135 @@
+// ----------------------------------------------------------------------------------
+//
+// Copyright Microsoft Corporation
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+// http://www.apache.org/licenses/LICENSE-2.0
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+// ----------------------------------------------------------------------------------
+
+using System.Linq;
+using System.Collections.Generic;
+using Microsoft.Azure.Management.SecurityInsights.Models;
+using System.Security.Cryptography;
+
+namespace Microsoft.Azure.Commands.SecurityInsights.Models.AlertRuleTemplates
+{
+ public static class PSSentinelAlertRuleTemplateConvertors
+ {
+
+ public static PSSentinelAlertRuleTemplate ConvertToPSType(this AlertRuleTemplate value)
+ {
+ var convertedFusionValue = value as FusionAlertRuleTemplate;
+
+ if (convertedFusionValue != null)
+ {
+ return convertedFusionValue.ConvertToPSType();
+ }
+
+ var convertedMicrosoftSecurityIncidentCreationValue = value as MicrosoftSecurityIncidentCreationAlertRuleTemplate;
+
+ if (convertedMicrosoftSecurityIncidentCreationValue != null)
+ {
+ return convertedMicrosoftSecurityIncidentCreationValue.ConvertToPSType();
+ }
+
+ var convertedScheduledValue = value as ScheduledAlertRuleTemplate;
+
+ if (convertedScheduledValue != null)
+ {
+ return convertedScheduledValue.ConvertToPSType();
+ }
+
+ return new PSSentinelAlertRuleTemplate()
+ {
+ Kind = "Error",
+ Name = value.Name
+ };
+ }
+
+ public static List ConvertToPSType(this IEnumerable value)
+ {
+ return value.Select(dss => dss.ConvertToPSType()).ToList();
+ }
+
+ public static PSSentinelFusionAlertRuleTemplate ConvertToPSType(this FusionAlertRuleTemplate value)
+ {
+ return new PSSentinelFusionAlertRuleTemplate()
+ {
+ Id = value.Id,
+ Name = value.Name,
+ Type = value.Type,
+ Kind = "Fusion",
+ AlertRulesCreatedByTemplateCount = value.AlertRulesCreatedByTemplateCount,
+ Description = value.Description,
+ DisplayName = value.DisplayName,
+ Status = value.Status,
+ CreatedDateUtc = value.CreatedDateUTC,
+ Severity = value.Severity,
+ Tactics = value.Tactics,
+ };
+ }
+
+ public static PSSentinelMicrosoftSecurityIncidentCreationRuleTemplate ConvertToPSType(this MicrosoftSecurityIncidentCreationAlertRuleTemplate value)
+ {
+ return new PSSentinelMicrosoftSecurityIncidentCreationRuleTemplate()
+ {
+ Id = value.Id,
+ Name = value.Name,
+ Type = value.Type,
+ Kind = "MicrosoftSecurityIncidentCreation",
+ AlertRulesCreatedByTemplateCount = value.AlertRulesCreatedByTemplateCount,
+ Description = value.Description,
+ DisplayName = value.DisplayName,
+ Status = value.Status,
+ CreatedDateUtc = value.CreatedDateUTC,
+ ProductFilter = value.ProductFilter,
+ RequiredDataConnectors = value.RequiredDataConnectors.ConvertToPSType()
+ };
+ }
+
+ public static PSSentinelScheduledAlertRuleTemplate ConvertToPSType(this ScheduledAlertRuleTemplate value)
+ {
+ return new PSSentinelScheduledAlertRuleTemplate()
+ {
+ Id = value.Id,
+ Name = value.Name,
+ Type = value.Type,
+ Kind = "Scheduled",
+ AlertRulesCreatedByTemplateCount = value.AlertRulesCreatedByTemplateCount,
+ Description = value.Description,
+ DisplayName = value.DisplayName,
+ Status = value.Status,
+ CreatedDateUtc = value.CreatedDateUTC,
+ Query = value.Query,
+ QueryFrequency = value.QueryFrequency,
+ QueryPeriod = value.QueryPeriod,
+ Severity = value.Severity,
+ Tactics = value.Tactics,
+ TriggerOperator = value.TriggerOperator,
+ TriggerThreshold = value.TriggerThreshold,
+ RequiredDataConnectors = value.RequiredDataConnectors.ConvertToPSType()
+
+ };
+ }
+
+ public static PSSentinelAlertRuleTemplateDataSource ConvertToPSType(this AlertRuleTemplateDataSource value)
+ {
+ return new PSSentinelAlertRuleTemplateDataSource()
+ {
+ ConnectorId = value.ConnectorId,
+ DataTypes = value.DataTypes
+ };
+ }
+
+ public static List ConvertToPSType(this IEnumerable value)
+ {
+ return value.Select(dss => dss.ConvertToPSType()).ToList();
+ }
+ }
+}
diff --git a/src/SecurityInsights/SecurityInsights/Models/AlertRuleTemplates/PSSentinelFusionAlertRuleTemplates.cs b/src/SecurityInsights/SecurityInsights/Models/AlertRuleTemplates/PSSentinelFusionAlertRuleTemplates.cs
new file mode 100644
index 000000000000..9b5c2c6f6af0
--- /dev/null
+++ b/src/SecurityInsights/SecurityInsights/Models/AlertRuleTemplates/PSSentinelFusionAlertRuleTemplates.cs
@@ -0,0 +1,38 @@
+// ----------------------------------------------------------------------------------
+//
+// Copyright Microsoft Corporation
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+// http://www.apache.org/licenses/LICENSE-2.0
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+// ----------------------------------------------------------------------------------
+
+using System;
+using System.Collections.Generic;
+
+namespace Microsoft.Azure.Commands.SecurityInsights.Models.AlertRuleTemplates
+{
+ public class PSSentinelFusionAlertRuleTemplate : PSSentinelAlertRuleTemplate
+ {
+
+ public int? AlertRulesCreatedByTemplateCount { get; set; }
+
+ public string DisplayName { get; set; }
+
+ public string Description { get; set; }
+
+ public string Severity { get; set; }
+
+ public string Status { get; set; }
+
+ public DateTime? CreatedDateUtc { get; set; }
+
+ public IList Tactics { get; set; }
+
+ }
+}
diff --git a/src/SecurityInsights/SecurityInsights/Models/AlertRuleTemplates/PSSentinelMicrosoftSecurityIncidentCreationRuleTemplates.cs b/src/SecurityInsights/SecurityInsights/Models/AlertRuleTemplates/PSSentinelMicrosoftSecurityIncidentCreationRuleTemplates.cs
new file mode 100644
index 000000000000..aea8f89ef389
--- /dev/null
+++ b/src/SecurityInsights/SecurityInsights/Models/AlertRuleTemplates/PSSentinelMicrosoftSecurityIncidentCreationRuleTemplates.cs
@@ -0,0 +1,38 @@
+// ----------------------------------------------------------------------------------
+//
+// Copyright Microsoft Corporation
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+// http://www.apache.org/licenses/LICENSE-2.0
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+// ----------------------------------------------------------------------------------
+
+using System;
+using System.Collections.Generic;
+
+namespace Microsoft.Azure.Commands.SecurityInsights.Models.AlertRuleTemplates
+{
+ public class PSSentinelMicrosoftSecurityIncidentCreationRuleTemplate : PSSentinelAlertRuleTemplate
+ {
+
+ public int? AlertRulesCreatedByTemplateCount { get; set; }
+
+ public string DisplayName { get; set; }
+
+ public string Description { get; set; }
+
+ public string Status { get; set; }
+
+ public DateTime? CreatedDateUtc { get; set; }
+
+ public string ProductFilter { get; set; }
+
+ public IList RequiredDataConnectors { get; set; }
+
+ }
+}
diff --git a/src/SecurityInsights/SecurityInsights/Models/AlertRuleTemplates/PSSentinelScheduledAlertRuleTemplates.cs b/src/SecurityInsights/SecurityInsights/Models/AlertRuleTemplates/PSSentinelScheduledAlertRuleTemplates.cs
new file mode 100644
index 000000000000..5efebfe197ad
--- /dev/null
+++ b/src/SecurityInsights/SecurityInsights/Models/AlertRuleTemplates/PSSentinelScheduledAlertRuleTemplates.cs
@@ -0,0 +1,50 @@
+// ----------------------------------------------------------------------------------
+//
+// Copyright Microsoft Corporation
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+// http://www.apache.org/licenses/LICENSE-2.0
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+// ----------------------------------------------------------------------------------
+
+using Microsoft.Azure.Management.SecurityInsights.Models;
+using System;
+using System.Collections.Generic;
+
+namespace Microsoft.Azure.Commands.SecurityInsights.Models.AlertRuleTemplates
+{
+ public class PSSentinelScheduledAlertRuleTemplate : PSSentinelAlertRuleTemplate
+ {
+ public int? AlertRulesCreatedByTemplateCount { get; set; }
+
+ public string DisplayName { get; set; }
+
+ public string Description { get; set; }
+
+ public string Status { get; set; }
+
+ public DateTime? CreatedDateUtc { get; set; }
+
+ public string Query { get; set; }
+
+ public TimeSpan? QueryFrequency { get; set; }
+
+ public TimeSpan? QueryPeriod { get; set; }
+
+ public IList RequiredDataConnectors { get; set; }
+
+ public string Severity { get; set; }
+
+ public TriggerOperator? TriggerOperator { get; set; }
+
+ public int? TriggerThreshold { get; set; }
+
+ public IList Tactics { get; set; }
+
+ }
+}
diff --git a/src/SecurityInsights/SecurityInsights/Models/AlertRules/PSSentinelAlertRules.cs b/src/SecurityInsights/SecurityInsights/Models/AlertRules/PSSentinelAlertRules.cs
new file mode 100644
index 000000000000..8d692cdcd62a
--- /dev/null
+++ b/src/SecurityInsights/SecurityInsights/Models/AlertRules/PSSentinelAlertRules.cs
@@ -0,0 +1,35 @@
+// ----------------------------------------------------------------------------------
+//
+// Copyright Microsoft Corporation
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+// http://www.apache.org/licenses/LICENSE-2.0
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+// ----------------------------------------------------------------------------------
+
+using System;
+using System.Collections.Generic;
+using Microsoft.Azure.Management.SecurityInsights.Models;
+
+namespace Microsoft.Azure.Commands.SecurityInsights.Models.AlertRules
+{
+ public class PSSentinelAlertRule
+ {
+
+ public string Id { get; set; }
+
+ public string Name { get; set; }
+
+ public string Type { get; set; }
+
+ public string Etag { get; set; }
+
+ public string Kind { get; set; }
+
+ }
+}
diff --git a/src/SecurityInsights/SecurityInsights/Models/AlertRules/PSSentinelAlertRulesConvertors.cs b/src/SecurityInsights/SecurityInsights/Models/AlertRules/PSSentinelAlertRulesConvertors.cs
new file mode 100644
index 000000000000..4fa4ba315308
--- /dev/null
+++ b/src/SecurityInsights/SecurityInsights/Models/AlertRules/PSSentinelAlertRulesConvertors.cs
@@ -0,0 +1,218 @@
+// ----------------------------------------------------------------------------------
+//
+// Copyright Microsoft Corporation
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+// http://www.apache.org/licenses/LICENSE-2.0
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+// ----------------------------------------------------------------------------------
+
+using System.Linq;
+using System.Collections.Generic;
+using Microsoft.Azure.Management.SecurityInsights.Models;
+using System.Security.Cryptography;
+
+namespace Microsoft.Azure.Commands.SecurityInsights.Models.AlertRules
+{
+ public static class PSSentinelAlertRuleConvertors
+ {
+
+ public static PSSentinelAlertRule ConvertToPSType(this AlertRule value)
+ {
+ var convertedFusionValue = value as FusionAlertRule;
+
+ if (convertedFusionValue != null)
+ {
+ return convertedFusionValue.ConvertToPSType();
+ }
+
+ var convertedMicrosoftSecurityIncidentCreationValue = value as MicrosoftSecurityIncidentCreationAlertRule;
+
+ if (convertedMicrosoftSecurityIncidentCreationValue != null)
+ {
+ return convertedMicrosoftSecurityIncidentCreationValue.ConvertToPSType();
+ }
+
+ var convertedScheduledValue = value as ScheduledAlertRule;
+
+ if (convertedScheduledValue != null)
+ {
+ return convertedScheduledValue.ConvertToPSType();
+ }
+
+ return new PSSentinelAlertRule()
+ {
+ Kind = "Error",
+ Name = value.Name
+ };
+ }
+
+ public static List ConvertToPSType(this IEnumerable value)
+ {
+ return value.Select(dss => dss.ConvertToPSType()).ToList();
+ }
+
+ public static PSSentinelFusionAlertRule ConvertToPSType(this FusionAlertRule value)
+ {
+ return new PSSentinelFusionAlertRule()
+ {
+ Id = value.Id,
+ Name = value.Name,
+ Type = value.Type,
+ Etag = value.Etag,
+ Kind = "Fusion",
+ AlertRuleTemplateName = value.AlertRuleTemplateName,
+ Description = value.Description,
+ DisplayName = value.DisplayName,
+ Enabled = value.Enabled,
+ LastModifiedUtc = value.LastModifiedUtc,
+ Severity = value.Severity,
+ Tactics = value.Tactics
+ };
+ }
+
+ public static PSSentinelMicrosoftSecurityIncidentCreationRule ConvertToPSType(this MicrosoftSecurityIncidentCreationAlertRule value)
+ {
+ return new PSSentinelMicrosoftSecurityIncidentCreationRule()
+ {
+ Id = value.Id,
+ Name = value.Name,
+ Etag = value.Etag,
+ Type = value.Type,
+ Kind = "MicrosoftSecurityIncidentCreation",
+ AlertRuleTemplateName = value.AlertRuleTemplateName,
+ Description = value.Description,
+ DisplayName = value.DisplayName,
+ Enabled = value.Enabled,
+ LastModifiedUtc = value.LastModifiedUtc,
+ DisplayNamesExcludeFilter = value.DisplayNamesExcludeFilter,
+ DisplayNamesFilter = value.DisplayNamesFilter,
+ ProductFilter = value.ProductFilter,
+ SeveritiesFilter = value.SeveritiesFilter
+ };
+ }
+
+ public static PSSentinelScheduledAlertRule ConvertToPSType(this ScheduledAlertRule value)
+ {
+ return new PSSentinelScheduledAlertRule()
+ {
+ Id = value.Id,
+ Name = value.Name,
+ Etag = value.Etag,
+ Type = value.Type,
+ Kind = "Scheduled",
+ AlertRuleTemplateName = value.AlertRuleTemplateName,
+ Description = value.Description,
+ DisplayName = value.DisplayName,
+ Enabled = value.Enabled,
+ LastModifiedUtc = value.LastModifiedUtc,
+ Query = value.Query,
+ QueryFrequency = value.QueryFrequency,
+ QueryPeriod = value.QueryPeriod,
+ Severity = value.Severity,
+ SuppressionDuration = value.SuppressionDuration,
+ SuppressionEnabled = value.SuppressionEnabled,
+ Tactics = value.Tactics,
+ TriggerOperator = value.TriggerOperator,
+ TriggerThreshold = value.TriggerThreshold
+
+ };
+ }
+
+ public static AlertRule CreatePSStype(this PSSentinelAlertRule value)
+ {
+ var convertedFusionValue = value as PSSentinelFusionAlertRule;
+
+ if (convertedFusionValue != null)
+ {
+ return convertedFusionValue.CreatePSType();
+ }
+
+ var convertedMicrosoftSecurityIncidentCreationValue = value as PSSentinelMicrosoftSecurityIncidentCreationRule;
+
+ if (convertedMicrosoftSecurityIncidentCreationValue != null)
+ {
+ return convertedMicrosoftSecurityIncidentCreationValue.CreatePSType();
+ }
+
+ var convertedScheduledValue = value as PSSentinelScheduledAlertRule;
+
+ if (convertedScheduledValue != null)
+ {
+ return convertedScheduledValue.CreatePSType();
+ }
+
+ return new AlertRule()
+ { };
+ }
+
+ public static FusionAlertRule CreatePSType(this PSSentinelFusionAlertRule value)
+ {
+ return new FusionAlertRule()
+ {
+ Etag = value.Etag,
+ AlertRuleTemplateName = value.AlertRuleTemplateName,
+ Enabled = value.Enabled
+ };
+ }
+
+ public static List CreatePSType(this IEnumerable value)
+ {
+ return value.Select(rec => rec.CreatePSType()).ToList();
+ }
+
+ public static MicrosoftSecurityIncidentCreationAlertRule CreatePSType(this PSSentinelMicrosoftSecurityIncidentCreationRule value)
+ {
+ return new MicrosoftSecurityIncidentCreationAlertRule()
+ {
+ DisplayName = value.DisplayName,
+ Etag = value.Etag,
+ Enabled = value.Enabled,
+ ProductFilter = value.ProductFilter,
+ AlertRuleTemplateName = value.AlertRuleTemplateName,
+ Description = value.Description,
+ DisplayNamesExcludeFilter = value.DisplayNamesExcludeFilter,
+ DisplayNamesFilter = value.DisplayNamesFilter,
+ SeveritiesFilter = value.SeveritiesFilter
+
+ };
+ }
+
+ public static List CreatePSType(this IEnumerable value)
+ {
+ return value.Select(rec => rec.CreatePSType()).ToList();
+ }
+
+ public static ScheduledAlertRule CreatePSType(this PSSentinelScheduledAlertRule value)
+ {
+ return new ScheduledAlertRule()
+ {
+ Etag = value.Etag,
+ DisplayName = value.DisplayName,
+ Enabled = value.Enabled,
+ SuppressionDuration = value.SuppressionDuration,
+ SuppressionEnabled = value.SuppressionEnabled,
+ AlertRuleTemplateName = value.AlertRuleTemplateName,
+ Description = value.Description,
+ Query = value.Query,
+ QueryFrequency = value.QueryFrequency,
+ QueryPeriod = value.QueryPeriod,
+ Severity = value.Severity,
+ Tactics = value.Tactics,
+ TriggerOperator = value.TriggerOperator,
+ TriggerThreshold = value.TriggerThreshold
+
+ };
+ }
+
+ public static List CreatePSType(this IEnumerable value)
+ {
+ return value.Select(rec => rec.CreatePSType()).ToList();
+ }
+ }
+}
diff --git a/src/SecurityInsights/SecurityInsights/Models/AlertRules/PSSentinelFusionAlertRules.cs b/src/SecurityInsights/SecurityInsights/Models/AlertRules/PSSentinelFusionAlertRules.cs
new file mode 100644
index 000000000000..0a966c4f9709
--- /dev/null
+++ b/src/SecurityInsights/SecurityInsights/Models/AlertRules/PSSentinelFusionAlertRules.cs
@@ -0,0 +1,38 @@
+// ----------------------------------------------------------------------------------
+//
+// Copyright Microsoft Corporation
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+// http://www.apache.org/licenses/LICENSE-2.0
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+// ----------------------------------------------------------------------------------
+
+using System;
+using System.Collections.Generic;
+
+namespace Microsoft.Azure.Commands.SecurityInsights.Models.AlertRules
+{
+ public class PSSentinelFusionAlertRule : PSSentinelAlertRule
+ {
+
+ public string AlertRuleTemplateName { get; set; }
+
+ public string DisplayName { get; set; }
+
+ public string Description { get; set; }
+
+ public string Severity { get; set; }
+
+ public bool Enabled { get; set; }
+
+ public DateTime? LastModifiedUtc { get; set; }
+
+ public IList Tactics { get; set; }
+
+ }
+}
diff --git a/src/SecurityInsights/SecurityInsights/Models/AlertRules/PSSentinelMicrosoftSecurityIncidentCreationRules.cs b/src/SecurityInsights/SecurityInsights/Models/AlertRules/PSSentinelMicrosoftSecurityIncidentCreationRules.cs
new file mode 100644
index 000000000000..181cbd983789
--- /dev/null
+++ b/src/SecurityInsights/SecurityInsights/Models/AlertRules/PSSentinelMicrosoftSecurityIncidentCreationRules.cs
@@ -0,0 +1,42 @@
+// ----------------------------------------------------------------------------------
+//
+// Copyright Microsoft Corporation
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+// http://www.apache.org/licenses/LICENSE-2.0
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+// ----------------------------------------------------------------------------------
+
+using System;
+using System.Collections.Generic;
+
+namespace Microsoft.Azure.Commands.SecurityInsights.Models.AlertRules
+{
+ public class PSSentinelMicrosoftSecurityIncidentCreationRule : PSSentinelAlertRule
+ {
+
+ public string AlertRuleTemplateName { get; set; }
+
+ public string DisplayName { get; set; }
+
+ public string Description { get; set; }
+
+ public bool Enabled { get; set; }
+
+ public DateTime? LastModifiedUtc { get; set; }
+
+ public string ProductFilter { get; set; }
+
+ public IList DisplayNamesFilter { get; set; }
+
+ public IList DisplayNamesExcludeFilter { get; set; }
+
+ public IList SeveritiesFilter { get; set; }
+
+ }
+}
diff --git a/src/SecurityInsights/SecurityInsights/Models/AlertRules/PSSentinelScheduledAlertRules.cs b/src/SecurityInsights/SecurityInsights/Models/AlertRules/PSSentinelScheduledAlertRules.cs
new file mode 100644
index 000000000000..765d7678c4c3
--- /dev/null
+++ b/src/SecurityInsights/SecurityInsights/Models/AlertRules/PSSentinelScheduledAlertRules.cs
@@ -0,0 +1,52 @@
+// ----------------------------------------------------------------------------------
+//
+// Copyright Microsoft Corporation
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+// http://www.apache.org/licenses/LICENSE-2.0
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+// ----------------------------------------------------------------------------------
+
+using Microsoft.Azure.Management.SecurityInsights.Models;
+using System;
+using System.Collections.Generic;
+
+namespace Microsoft.Azure.Commands.SecurityInsights.Models.AlertRules
+{
+ public class PSSentinelScheduledAlertRule : PSSentinelAlertRule
+ {
+ public string AlertRuleTemplateName { get; set; }
+
+ public string DisplayName { get; set; }
+
+ public string Description { get; set; }
+
+ public bool Enabled { get; set; }
+
+ public DateTime? LastModifiedUtc { get; set; }
+
+ public string Query { get; set; }
+
+ public TimeSpan? QueryFrequency { get; set; }
+
+ public TimeSpan? QueryPeriod { get; set; }
+
+ public string Severity { get; set; }
+
+ public TimeSpan SuppressionDuration { get; set; }
+
+ public bool SuppressionEnabled { get; set; }
+
+ public TriggerOperator? TriggerOperator { get; set; }
+
+ public int? TriggerThreshold { get; set; }
+
+ public IList Tactics { get; set; }
+
+ }
+}
diff --git a/src/SecurityInsights/SecurityInsights/Models/Bookmarks/PSSentinelBookmarkIncidentInfo.cs b/src/SecurityInsights/SecurityInsights/Models/Bookmarks/PSSentinelBookmarkIncidentInfo.cs
new file mode 100644
index 000000000000..4e902c0cd8a8
--- /dev/null
+++ b/src/SecurityInsights/SecurityInsights/Models/Bookmarks/PSSentinelBookmarkIncidentInfo.cs
@@ -0,0 +1,31 @@
+// ----------------------------------------------------------------------------------
+//
+// Copyright Microsoft Corporation
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+// http://www.apache.org/licenses/LICENSE-2.0
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+// ----------------------------------------------------------------------------------
+
+using System;
+using System.Collections.Generic;
+
+namespace Microsoft.Azure.Commands.SecurityInsights.Models.Bookmarks
+{
+ public class PSSentinelBookmarkIncidentInfo
+ {
+
+ public string IncidentId { get; set; }
+
+ public string RelationName { get; set; }
+
+ public string Severity { get; set; }
+
+ public string Title { get; set; }
+ }
+}
diff --git a/src/SecurityInsights/SecurityInsights/Models/Bookmarks/PSSentinelBookmarkUserInfo.cs b/src/SecurityInsights/SecurityInsights/Models/Bookmarks/PSSentinelBookmarkUserInfo.cs
new file mode 100644
index 000000000000..91a30ca3018c
--- /dev/null
+++ b/src/SecurityInsights/SecurityInsights/Models/Bookmarks/PSSentinelBookmarkUserInfo.cs
@@ -0,0 +1,29 @@
+// ----------------------------------------------------------------------------------
+//
+// Copyright Microsoft Corporation
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+// http://www.apache.org/licenses/LICENSE-2.0
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+// ----------------------------------------------------------------------------------
+
+using System;
+using System.Collections.Generic;
+
+namespace Microsoft.Azure.Commands.SecurityInsights.Models.Bookmarks
+{
+ public class PSSentinelBookmarkUserInfo
+ {
+
+ public string Email { get; set; }
+
+ public Guid? ObjectId { get; set; }
+
+ public string Name { get; set; }
+ }
+}
diff --git a/src/SecurityInsights/SecurityInsights/Models/Bookmarks/PSSentinelBookmarks.cs b/src/SecurityInsights/SecurityInsights/Models/Bookmarks/PSSentinelBookmarks.cs
new file mode 100644
index 000000000000..9bc3a6cf0f00
--- /dev/null
+++ b/src/SecurityInsights/SecurityInsights/Models/Bookmarks/PSSentinelBookmarks.cs
@@ -0,0 +1,53 @@
+// ----------------------------------------------------------------------------------
+//
+// Copyright Microsoft Corporation
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+// http://www.apache.org/licenses/LICENSE-2.0
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+// ----------------------------------------------------------------------------------
+
+using System;
+using System.Collections.Generic;
+using Microsoft.Azure.Management.SecurityInsights.Models;
+
+namespace Microsoft.Azure.Commands.SecurityInsights.Models.Bookmarks
+{
+ public class PSSentinelBookmark
+ {
+
+ public string Id { get; set; }
+
+ public string Name { get; set; }
+
+ public string Type { get; set; }
+
+ public string Etag { get; set; }
+
+ public DateTime? Created { get; set; }
+
+ public PSSentinelBookmarkUserInfo CreatedBy { get; set; }
+
+ public string DisplayName { get; set; }
+
+ public PSSentinelBookmarkIncidentInfo IncidentInfo { get; set; }
+
+ public IList Labels { get; set; }
+
+ public string Notes { get; set; }
+
+ public string Query { get; set; }
+
+ public string QueryResult { get; set; }
+
+ public DateTime? Updated { get; set; }
+
+ public PSSentinelBookmarkUserInfo UpdatedBy { get; set; }
+
+ }
+}
diff --git a/src/SecurityInsights/SecurityInsights/Models/Bookmarks/PSSentinelBookmarksConvertors.cs b/src/SecurityInsights/SecurityInsights/Models/Bookmarks/PSSentinelBookmarksConvertors.cs
new file mode 100644
index 000000000000..006f70b30cba
--- /dev/null
+++ b/src/SecurityInsights/SecurityInsights/Models/Bookmarks/PSSentinelBookmarksConvertors.cs
@@ -0,0 +1,125 @@
+// ----------------------------------------------------------------------------------
+//
+// Copyright Microsoft Corporation
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+// http://www.apache.org/licenses/LICENSE-2.0
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+// ----------------------------------------------------------------------------------
+
+using System.Linq;
+using System.Collections.Generic;
+using Microsoft.Azure.Management.SecurityInsights.Models;
+using System.Security.Cryptography;
+
+namespace Microsoft.Azure.Commands.SecurityInsights.Models.Bookmarks
+{
+ public static class PSSentinelBookmarkConvertors
+ {
+
+ public static PSSentinelBookmark ConvertToPSType(this Bookmark value)
+ {
+ return new PSSentinelBookmark()
+ {
+ Id = value.Id,
+ Name = value.Name,
+ Type = value.Type,
+ Etag = value.Etag,
+ Created = value.Created,
+ CreatedBy = value.CreatedBy.ConvertToPSType(),
+ DisplayName = value.DisplayName,
+ IncidentInfo = value.IncidentInfo.ConvertToPSType(),
+ Labels = value.Labels,
+ Notes = value.Notes,
+ Query = value.Query,
+ QueryResult = value.QueryResult,
+ Updated = value.Updated,
+ UpdatedBy = value.UpdatedBy.ConvertToPSType()
+ };
+ }
+
+ public static List ConvertToPSType(this IEnumerable value)
+ {
+ return value.Select(dss => dss.ConvertToPSType()).ToList();
+ }
+
+ public static PSSentinelBookmarkUserInfo ConvertToPSType(this UserInfo value)
+ {
+ return new PSSentinelBookmarkUserInfo()
+ {
+ Email = value.Email,
+ ObjectId = value.ObjectId,
+ Name = value.Name
+ };
+ }
+
+ public static List ConvertToPSType(this IEnumerable value)
+ {
+ return value.Select(dss => dss.ConvertToPSType()).ToList();
+ }
+
+ public static PSSentinelBookmarkIncidentInfo ConvertToPSType(this IncidentInfo value)
+ {
+ return new PSSentinelBookmarkIncidentInfo()
+ {
+ IncidentId = value.IncidentId,
+ RelationName = value.RelationName,
+ Severity = value.Severity,
+ Title = value.Title
+ };
+ }
+
+ public static IncidentInfo CreatePSType(this PSSentinelBookmarkIncidentInfo value)
+ {
+ return new IncidentInfo()
+ {
+ IncidentId = value.IncidentId,
+ RelationName = value.RelationName,
+ Severity = value.Severity,
+ Title = value.Title
+ };
+ }
+
+ public static List CreatePSType(this IEnumerable value)
+ {
+ return value.Select(rec => rec.CreatePSType()).ToList();
+ }
+
+ public static Bookmark CreatePSType(this PSSentinelBookmark value)
+ {
+ return new Bookmark()
+ {
+ Etag = value.Etag,
+ DisplayName = value.DisplayName,
+ //IncidentInfo = value.IncidentInfo.CreatePSType(),
+ Labels = value.Labels,
+ Notes = value.Notes,
+ Query = value.Query,
+ QueryResult = value.QueryResult
+ };
+ }
+
+ public static List CreatePSType(this IEnumerable value)
+ {
+ return value.Select(rec => rec.CreatePSType()).ToList();
+ }
+
+ public static UserInfo CreatePSType(this PSSentinelBookmarkUserInfo value)
+ {
+ return new UserInfo()
+ {
+ ObjectId = value.ObjectId
+ };
+ }
+
+ public static List CreatePSType(this IEnumerable value)
+ {
+ return value.Select(rec => rec.CreatePSType()).ToList();
+ }
+ }
+}
diff --git a/src/SecurityInsights/SecurityInsights/Models/DataConnectors/PSSentinelDataConnectorConvertors.cs b/src/SecurityInsights/SecurityInsights/Models/DataConnectors/PSSentinelDataConnectorConvertors.cs
new file mode 100644
index 000000000000..ef3e9635f850
--- /dev/null
+++ b/src/SecurityInsights/SecurityInsights/Models/DataConnectors/PSSentinelDataConnectorConvertors.cs
@@ -0,0 +1,519 @@
+// ----------------------------------------------------------------------------------
+//
+// Copyright Microsoft Corporation
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+// http://www.apache.org/licenses/LICENSE-2.0
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+// ----------------------------------------------------------------------------------
+
+using System.Linq;
+using System.Collections.Generic;
+using Microsoft.Azure.Management.SecurityInsights.Models;
+using System.Security.Cryptography;
+
+namespace Microsoft.Azure.Commands.SecurityInsights.Models.DataConnectors
+{
+ public static class PSSentinelDataConnectorConvertors
+ {
+
+ public static PSSentinelDataConnector ConvertToPSType(this DataConnector value)
+ {
+ var convertedAADValue = value as AADDataConnector;
+
+ if (convertedAADValue != null)
+ {
+ return convertedAADValue.ConvertToPSType();
+ }
+
+ var convertedAATPValue = value as AATPDataConnector;
+
+ if (convertedAATPValue != null)
+ {
+ return convertedAATPValue.ConvertToPSType();
+ }
+
+ var convertedASCValue = value as ASCDataConnector;
+
+ if (convertedASCValue != null)
+ {
+ return convertedASCValue.ConvertToPSType();
+ }
+
+ var convertedAWSValue = value as AwsCloudTrailDataConnector;
+
+ if (convertedAWSValue != null)
+ {
+ return convertedAWSValue.ConvertToPSType();
+ }
+
+ var convertedMCASValue = value as MCASDataConnector;
+
+ if (convertedMCASValue != null)
+ {
+ return convertedMCASValue.ConvertToPSType();
+ }
+
+ var convertedMDATPValue = value as MDATPDataConnector;
+
+ if (convertedMDATPValue != null)
+ {
+ return convertedMDATPValue.ConvertToPSType();
+ }
+
+ var convertedOfficeValue = value as OfficeDataConnector;
+
+ if (convertedOfficeValue != null)
+ {
+ return convertedOfficeValue.ConvertToPSType();
+ }
+
+ var convertedTIValue = value as TIDataConnector;
+
+ if (convertedTIValue != null)
+ {
+ return convertedTIValue.ConvertToPSType();
+ }
+
+ return new PSSentinelDataConnector()
+ {
+ Kind = "Error",
+ Name = value.Name
+ };
+ }
+
+ public static List ConvertToPSType(this IEnumerable value)
+ {
+ return value.Select(dss => dss.ConvertToPSType()).ToList();
+ }
+
+ public static PSSentinelDataConnectorAAD ConvertToPSType(this AADDataConnector value)
+ {
+ return new PSSentinelDataConnectorAAD()
+ {
+ Id = value.Id,
+ Name = value.Name,
+ Type = value.Type,
+ Etag = value.Etag,
+ Kind = "AzureActiveDirectory",
+ DataTypes = value.DataTypes.ConvertToPSType(),
+ TenantId = value.TenantId
+ };
+ }
+
+ public static PSSentinelDataConnectorAATP ConvertToPSType(this AATPDataConnector value)
+ {
+ return new PSSentinelDataConnectorAATP()
+ {
+ Id = value.Id,
+ Name = value.Name,
+ Type = value.Type,
+ Etag = value.Etag,
+ Kind = "AzureAdvancedThreatProtection",
+ DataTypes = value.DataTypes.ConvertToPSType(),
+ TenantId = value.TenantId
+ };
+ }
+
+ public static PSSentinelDataConnectorASC ConvertToPSType(this ASCDataConnector value)
+ {
+ return new PSSentinelDataConnectorASC()
+ {
+ Id = value.Id,
+ Name = value.Name,
+ Type = value.Type,
+ Etag = value.Etag,
+ Kind = "AzureSecurityCenter",
+ DataTypes = value.DataTypes.ConvertToPSType(),
+ SubscriptionId = value.SubscriptionId
+ };
+ }
+
+ public static PSSentinelDataConnectorAWS ConvertToPSType(this AwsCloudTrailDataConnector value)
+ {
+ return new PSSentinelDataConnectorAWS()
+ {
+ Id = value.Id,
+ Name = value.Name,
+ Type = value.Type,
+ Etag = value.Etag,
+ Kind = "AmazonWebServicesCloudTrail",
+ DataTypes = value.DataTypes.ConvertToPSType(),
+ AwsRoleArn = value.AwsRoleArn
+ };
+ }
+
+ public static PSSentinelDataConnectorMCAS ConvertToPSType(this MCASDataConnector value)
+ {
+ return new PSSentinelDataConnectorMCAS()
+ {
+ Id = value.Id,
+ Name = value.Name,
+ Type = value.Type,
+ Etag = value.Etag,
+ Kind = "MicrosoftCloudAppSecurity",
+ DataTypes = value.DataTypes.ConvertToPSType(),
+ TenantId = value.TenantId
+ };
+ }
+
+ public static PSSentinelDataConnectorMDATP ConvertToPSType(this MDATPDataConnector value)
+ {
+ return new PSSentinelDataConnectorMDATP()
+ {
+ Id = value.Id,
+ Name = value.Name,
+ Type = value.Type,
+ Etag = value.Etag,
+ Kind = "MicrosoftDefenderAdvancedThreatProtection",
+ DataTypes = value.DataTypes.ConvertToPSType(),
+ TenantId = value.TenantId
+ };
+ }
+
+ public static PSSentinelDataConnectorOffice ConvertToPSType(this OfficeDataConnector value)
+ {
+ return new PSSentinelDataConnectorOffice()
+ {
+ Id = value.Id,
+ Name = value.Name,
+ Type = value.Type,
+ Etag = value.Etag,
+ Kind = "Office365",
+ DataTypes = value.DataTypes.ConvertToPSType(),
+ TenantId = value.TenantId
+ };
+ }
+
+ public static PSSentinelDataConnectorTI ConvertToPSType(this TIDataConnector value)
+ {
+ return new PSSentinelDataConnectorTI()
+ {
+ Id = value.Id,
+ Name = value.Name,
+ Type = value.Type,
+ Etag = value.Etag,
+ Kind = "ThreatIntelligence",
+ DataTypes = value.DataTypes.ConvertToPSType(),
+ TenantId = value.TenantId
+ };
+ }
+
+ public static PSSentinelDataConnectorDataTypeAlert ConvertToPSType(this AlertsDataTypeOfDataConnector value)
+ {
+ return new PSSentinelDataConnectorDataTypeAlert()
+ {
+ Alerts = value.Alerts.ConvertToPSType()
+ };
+ }
+
+ public static PSSentinelDataConnectorDataTypeCloudTrail ConvertToPSType(this AwsCloudTrailDataConnectorDataTypes value)
+ {
+ return new PSSentinelDataConnectorDataTypeCloudTrail()
+ {
+ Logs = value.Logs.ConvertToPSType()
+ };
+ }
+
+ public static PSSentinelDataConnectorDataTypeMCAS ConvertToPSType(this MCASDataConnectorDataTypes value)
+ {
+ return new PSSentinelDataConnectorDataTypeMCAS()
+ {
+ Alerts = value.Alerts.ConvertToPSType(),
+ DiscoveryLogs = value.DiscoveryLogs.ConvertToPSType()
+
+ };
+ }
+
+ public static PSSentinelDataConnectorDataTypeOffice ConvertToPSType(this OfficeDataConnectorDataTypes value)
+ {
+ return new PSSentinelDataConnectorDataTypeOffice()
+ {
+ Exchange = value.Exchange.ConvertToPSType(),
+ SharePoint = value.SharePoint.ConvertToPSType()
+
+ };
+ }
+
+ public static PSSentinelDataConnectorDataTypeTI ConvertToPSType(this TIDataConnectorDataTypes value)
+ {
+ return new PSSentinelDataConnectorDataTypeTI()
+ {
+ Indicators = value.Indicators.ConvertToPSType()
+ };
+ }
+
+ public static PSSentinelDataConnectorDataTypeCommon ConvertToPSType(this DataConnectorDataTypeCommon value)
+ {
+ return new PSSentinelDataConnectorDataTypeCommon()
+ {
+ State = value.State
+ };
+ }
+
+ public static PSSentinelDataConnectorDataTypeCloudTrailLog ConvertToPSType(this AwsCloudTrailDataConnectorDataTypesLogs value)
+ {
+ return new PSSentinelDataConnectorDataTypeCloudTrailLog()
+ {
+ State = value.State
+ };
+ }
+ public static PSSentinelDataConnectorDataTypeOfficeExchange ConvertToPSType(this OfficeDataConnectorDataTypesExchange value)
+ {
+ return new PSSentinelDataConnectorDataTypeOfficeExchange()
+ {
+ State = value.State
+ };
+ }
+ public static PSSentinelDataConnectorDataTypeOfficeSharePoint ConvertToPSType(this OfficeDataConnectorDataTypesSharePoint value)
+ {
+ return new PSSentinelDataConnectorDataTypeOfficeSharePoint()
+ {
+ State = value.State
+ };
+ }
+
+ public static PSSentinelDataConnectorDataTypeTIIndicator ConvertToPSType(this TIDataConnectorDataTypesIndicators value)
+ {
+ return new PSSentinelDataConnectorDataTypeTIIndicator()
+ {
+ State = value.State
+ };
+ }
+
+
+ public static DataConnector CreatePSType(this PSSentinelDataConnector value)
+ {
+ var convertedAADValue = value as PSSentinelDataConnectorAAD;
+
+ if (convertedAADValue != null)
+ {
+ return convertedAADValue.CreatePSType();
+ }
+
+ var convertedAATPValue = value as PSSentinelDataConnectorAATP;
+
+ if (convertedAATPValue != null)
+ {
+ return convertedAATPValue.CreatePSType();
+ }
+
+ var convertedASCValue = value as PSSentinelDataConnectorASC;
+
+ if (convertedASCValue != null)
+ {
+ return convertedASCValue.CreatePSType();
+ }
+
+ var convertedAWSValue = value as PSSentinelDataConnectorAWS;
+
+ if (convertedAWSValue != null)
+ {
+ return convertedAWSValue.CreatePSType();
+ }
+
+ var convertedMCASValue = value as PSSentinelDataConnectorMCAS;
+
+ if (convertedMCASValue != null)
+ {
+ return convertedMCASValue.CreatePSType();
+ }
+
+ var convertedMDATPValue = value as PSSentinelDataConnectorMDATP;
+
+ if (convertedMDATPValue != null)
+ {
+ return convertedMDATPValue.CreatePSType();
+ }
+
+ var convertedOfficeValue = value as PSSentinelDataConnectorOffice;
+
+ if (convertedOfficeValue != null)
+ {
+ return convertedOfficeValue.CreatePSType();
+ }
+
+ var convertedTIValue = value as PSSentinelDataConnectorTI;
+
+ if (convertedTIValue != null)
+ {
+ return convertedTIValue.CreatePSType();
+ }
+
+ return new DataConnector()
+ {
+ };
+ }
+
+ public static List CreatePSType(this IEnumerable value)
+ {
+ return value.Select(dss => dss.CreatePSType()).ToList();
+ }
+
+ public static AADDataConnector CreatePSType(this PSSentinelDataConnectorAAD value)
+ {
+ return new AADDataConnector()
+ {
+ Etag= value.Etag,
+ DataTypes = value.DataTypes.CreatePSType(),
+ TenantId = value.TenantId
+ };
+ }
+
+ public static AATPDataConnector CreatePSType(this PSSentinelDataConnectorAATP value)
+ {
+ return new AATPDataConnector()
+ {
+ Etag = value.Etag,
+ DataTypes = value.DataTypes.CreatePSType(),
+ TenantId = value.TenantId
+ };
+ }
+
+ public static ASCDataConnector CreatePSType(this PSSentinelDataConnectorASC value)
+ {
+ return new ASCDataConnector()
+ {
+ Etag = value.Etag,
+ DataTypes = value.DataTypes.CreatePSType(),
+ SubscriptionId = value.SubscriptionId
+ };
+ }
+
+ public static AwsCloudTrailDataConnector CreatePSType(this PSSentinelDataConnectorAWS value)
+ {
+ return new AwsCloudTrailDataConnector()
+ {
+ Etag = value.Etag,
+ DataTypes = value.DataTypes.CreatePSType(),
+ AwsRoleArn = value.AwsRoleArn
+ };
+ }
+
+ public static MCASDataConnector CreatePSType(this PSSentinelDataConnectorMCAS value)
+ {
+ return new MCASDataConnector()
+ {
+ Etag = value.Etag,
+ DataTypes = value.DataTypes.CreatePSType(),
+ TenantId = value.TenantId
+ };
+ }
+
+ public static MDATPDataConnector CreatePSType(this PSSentinelDataConnectorMDATP value)
+ {
+ return new MDATPDataConnector()
+ {
+ Etag = value.Etag,
+ DataTypes = value.DataTypes.CreatePSType(),
+ TenantId = value.TenantId
+ };
+ }
+
+ public static OfficeDataConnector CreatePSType(this PSSentinelDataConnectorOffice value)
+ {
+ return new OfficeDataConnector()
+ {
+ Etag = value.Etag,
+ DataTypes = value.DataTypes.CreatePSType(),
+ TenantId = value.TenantId
+ };
+ }
+
+ public static TIDataConnector CreatePSType(this PSSentinelDataConnectorTI value)
+ {
+ return new TIDataConnector()
+ {
+ Etag = value.Etag,
+ DataTypes = value.DataTypes.CreatePSType(),
+ TenantId = value.TenantId
+ };
+ }
+
+ public static AlertsDataTypeOfDataConnector CreatePSType(this PSSentinelDataConnectorDataTypeAlert value)
+ {
+ return new AlertsDataTypeOfDataConnector()
+ {
+ Alerts = value.Alerts.CreatePSType()
+ };
+ }
+
+ public static AwsCloudTrailDataConnectorDataTypes CreatePSType(this PSSentinelDataConnectorDataTypeCloudTrail value)
+ {
+ return new AwsCloudTrailDataConnectorDataTypes()
+ {
+ Logs = value.Logs.CreatePSType()
+ };
+ }
+
+ public static MCASDataConnectorDataTypes CreatePSType(this PSSentinelDataConnectorDataTypeMCAS value)
+ {
+ return new MCASDataConnectorDataTypes()
+ {
+ Alerts = value.Alerts.CreatePSType(),
+ DiscoveryLogs = value.DiscoveryLogs.CreatePSType()
+
+ };
+ }
+
+ public static OfficeDataConnectorDataTypes CreatePSType(this PSSentinelDataConnectorDataTypeOffice value)
+ {
+ return new OfficeDataConnectorDataTypes()
+ {
+ Exchange = value.Exchange.CreatePSType(),
+ SharePoint = value.SharePoint.CreatePSType()
+
+ };
+ }
+
+ public static TIDataConnectorDataTypes CreatePSType(this PSSentinelDataConnectorDataTypeTI value)
+ {
+ return new TIDataConnectorDataTypes()
+ {
+ Indicators = value.Indicators.CreatePSType()
+ };
+ }
+
+ public static DataConnectorDataTypeCommon CreatePSType(this PSSentinelDataConnectorDataTypeCommon value)
+ {
+ return new DataConnectorDataTypeCommon()
+ {
+ State = value.State
+ };
+ }
+
+ public static AwsCloudTrailDataConnectorDataTypesLogs CreatePSType(this PSSentinelDataConnectorDataTypeCloudTrailLog value)
+ {
+ return new AwsCloudTrailDataConnectorDataTypesLogs()
+ {
+ State = value.State
+ };
+ }
+ public static OfficeDataConnectorDataTypesExchange CreatePSType(this PSSentinelDataConnectorDataTypeOfficeExchange value)
+ {
+ return new OfficeDataConnectorDataTypesExchange()
+ {
+ State = value.State
+ };
+ }
+ public static OfficeDataConnectorDataTypesSharePoint CreatePSType(this PSSentinelDataConnectorDataTypeOfficeSharePoint value)
+ {
+ return new OfficeDataConnectorDataTypesSharePoint()
+ {
+ State = value.State
+ };
+ }
+ public static TIDataConnectorDataTypesIndicators CreatePSType(this PSSentinelDataConnectorDataTypeTIIndicator value)
+ {
+ return new TIDataConnectorDataTypesIndicators()
+ {
+ State = value.State
+ };
+ }
+ }
+}
diff --git a/src/SecurityInsights/SecurityInsights/Models/DataConnectors/PSSentinelDataConnectors.cs b/src/SecurityInsights/SecurityInsights/Models/DataConnectors/PSSentinelDataConnectors.cs
new file mode 100644
index 000000000000..42ff261b2e80
--- /dev/null
+++ b/src/SecurityInsights/SecurityInsights/Models/DataConnectors/PSSentinelDataConnectors.cs
@@ -0,0 +1,35 @@
+// ----------------------------------------------------------------------------------
+//
+// Copyright Microsoft Corporation
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+// http://www.apache.org/licenses/LICENSE-2.0
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+// ----------------------------------------------------------------------------------
+
+using System;
+using System.Collections.Generic;
+using Microsoft.Azure.Management.SecurityInsights.Models;
+
+namespace Microsoft.Azure.Commands.SecurityInsights.Models.DataConnectors
+{
+ public class PSSentinelDataConnector
+ {
+
+ public string Id { get; set; }
+
+ public string Name { get; set; }
+
+ public string Type { get; set; }
+
+ public string Etag { get; set; }
+
+ public string Kind { get; set; }
+
+ }
+}
diff --git a/src/SecurityInsights/SecurityInsights/Models/DataConnectors/PSSentinelDataConnectorsAAD.cs b/src/SecurityInsights/SecurityInsights/Models/DataConnectors/PSSentinelDataConnectorsAAD.cs
new file mode 100644
index 000000000000..d5c351cce522
--- /dev/null
+++ b/src/SecurityInsights/SecurityInsights/Models/DataConnectors/PSSentinelDataConnectorsAAD.cs
@@ -0,0 +1,29 @@
+// ----------------------------------------------------------------------------------
+//
+// Copyright Microsoft Corporation
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+// http://www.apache.org/licenses/LICENSE-2.0
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+// ----------------------------------------------------------------------------------
+
+using System;
+using System.Collections.Generic;
+using Microsoft.Azure.Management.SecurityInsights.Models;
+
+namespace Microsoft.Azure.Commands.SecurityInsights.Models.DataConnectors
+{
+ public class PSSentinelDataConnectorAAD : PSSentinelDataConnector
+ {
+
+ public PSSentinelDataConnectorDataTypeAlert DataTypes { get; set; }
+
+ public string TenantId { get; set; }
+
+ }
+}
diff --git a/src/SecurityInsights/SecurityInsights/Models/DataConnectors/PSSentinelDataConnectorsAATP.cs b/src/SecurityInsights/SecurityInsights/Models/DataConnectors/PSSentinelDataConnectorsAATP.cs
new file mode 100644
index 000000000000..40b031c2b190
--- /dev/null
+++ b/src/SecurityInsights/SecurityInsights/Models/DataConnectors/PSSentinelDataConnectorsAATP.cs
@@ -0,0 +1,29 @@
+// ----------------------------------------------------------------------------------
+//
+// Copyright Microsoft Corporation
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+// http://www.apache.org/licenses/LICENSE-2.0
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+// ----------------------------------------------------------------------------------
+
+using System;
+using System.Collections.Generic;
+using Microsoft.Azure.Management.SecurityInsights.Models;
+
+namespace Microsoft.Azure.Commands.SecurityInsights.Models.DataConnectors
+{
+ public class PSSentinelDataConnectorAATP : PSSentinelDataConnector
+ {
+
+ public PSSentinelDataConnectorDataTypeAlert DataTypes { get; set; }
+
+ public string TenantId { get; set; }
+
+ }
+}
diff --git a/src/SecurityInsights/SecurityInsights/Models/DataConnectors/PSSentinelDataConnectorsASC.cs b/src/SecurityInsights/SecurityInsights/Models/DataConnectors/PSSentinelDataConnectorsASC.cs
new file mode 100644
index 000000000000..34987be8dea4
--- /dev/null
+++ b/src/SecurityInsights/SecurityInsights/Models/DataConnectors/PSSentinelDataConnectorsASC.cs
@@ -0,0 +1,29 @@
+// ----------------------------------------------------------------------------------
+//
+// Copyright Microsoft Corporation
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+// http://www.apache.org/licenses/LICENSE-2.0
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+// ----------------------------------------------------------------------------------
+
+using System;
+using System.Collections.Generic;
+using Microsoft.Azure.Management.SecurityInsights.Models;
+
+namespace Microsoft.Azure.Commands.SecurityInsights.Models.DataConnectors
+{
+ public class PSSentinelDataConnectorASC : PSSentinelDataConnector
+ {
+
+ public PSSentinelDataConnectorDataTypeAlert DataTypes { get; set; }
+
+ public string SubscriptionId { get; set; }
+
+ }
+}
diff --git a/src/SecurityInsights/SecurityInsights/Models/DataConnectors/PSSentinelDataConnectorsAWS.cs b/src/SecurityInsights/SecurityInsights/Models/DataConnectors/PSSentinelDataConnectorsAWS.cs
new file mode 100644
index 000000000000..61b498215ced
--- /dev/null
+++ b/src/SecurityInsights/SecurityInsights/Models/DataConnectors/PSSentinelDataConnectorsAWS.cs
@@ -0,0 +1,29 @@
+// ----------------------------------------------------------------------------------
+//
+// Copyright Microsoft Corporation
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+// http://www.apache.org/licenses/LICENSE-2.0
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+// ----------------------------------------------------------------------------------
+
+using System;
+using System.Collections.Generic;
+using Microsoft.Azure.Management.SecurityInsights.Models;
+
+namespace Microsoft.Azure.Commands.SecurityInsights.Models.DataConnectors
+{
+ public class PSSentinelDataConnectorAWS : PSSentinelDataConnector
+ {
+
+ public PSSentinelDataConnectorDataTypeCloudTrail DataTypes { get; set; }
+
+ public string AwsRoleArn { get; set; }
+
+ }
+}
diff --git a/src/SecurityInsights/SecurityInsights/Models/DataConnectors/PSSentinelDataConnectorsDataTypeAlerts.cs b/src/SecurityInsights/SecurityInsights/Models/DataConnectors/PSSentinelDataConnectorsDataTypeAlerts.cs
new file mode 100644
index 000000000000..9e26386fa8dc
--- /dev/null
+++ b/src/SecurityInsights/SecurityInsights/Models/DataConnectors/PSSentinelDataConnectorsDataTypeAlerts.cs
@@ -0,0 +1,26 @@
+// ----------------------------------------------------------------------------------
+//
+// Copyright Microsoft Corporation
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+// http://www.apache.org/licenses/LICENSE-2.0
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+// ----------------------------------------------------------------------------------
+
+using System;
+using System.Collections.Generic;
+using Microsoft.Azure.Management.SecurityInsights.Models;
+
+namespace Microsoft.Azure.Commands.SecurityInsights.Models.DataConnectors
+{
+ public class PSSentinelDataConnectorDataTypeAlert
+ {
+ public PSSentinelDataConnectorDataTypeCommon Alerts { get; set; }
+
+ }
+}
diff --git a/src/SecurityInsights/SecurityInsights/Models/DataConnectors/PSSentinelDataConnectorsDataTypeCloudTrail.cs b/src/SecurityInsights/SecurityInsights/Models/DataConnectors/PSSentinelDataConnectorsDataTypeCloudTrail.cs
new file mode 100644
index 000000000000..0cb5595c3b27
--- /dev/null
+++ b/src/SecurityInsights/SecurityInsights/Models/DataConnectors/PSSentinelDataConnectorsDataTypeCloudTrail.cs
@@ -0,0 +1,26 @@
+// ----------------------------------------------------------------------------------
+//
+// Copyright Microsoft Corporation
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+// http://www.apache.org/licenses/LICENSE-2.0
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+// ----------------------------------------------------------------------------------
+
+using System;
+using System.Collections.Generic;
+using Microsoft.Azure.Management.SecurityInsights.Models;
+
+namespace Microsoft.Azure.Commands.SecurityInsights.Models.DataConnectors
+{
+ public class PSSentinelDataConnectorDataTypeCloudTrail
+ {
+ public PSSentinelDataConnectorDataTypeCloudTrailLog Logs { get; set; }
+
+ }
+}
diff --git a/src/SecurityInsights/SecurityInsights/Models/DataConnectors/PSSentinelDataConnectorsDataTypeCloudTrailLogs.cs b/src/SecurityInsights/SecurityInsights/Models/DataConnectors/PSSentinelDataConnectorsDataTypeCloudTrailLogs.cs
new file mode 100644
index 000000000000..cb27f5745ec9
--- /dev/null
+++ b/src/SecurityInsights/SecurityInsights/Models/DataConnectors/PSSentinelDataConnectorsDataTypeCloudTrailLogs.cs
@@ -0,0 +1,26 @@
+// ----------------------------------------------------------------------------------
+//
+// Copyright Microsoft Corporation
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+// http://www.apache.org/licenses/LICENSE-2.0
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+// ----------------------------------------------------------------------------------
+
+using System;
+using System.Collections.Generic;
+using Microsoft.Azure.Management.SecurityInsights.Models;
+
+namespace Microsoft.Azure.Commands.SecurityInsights.Models.DataConnectors
+{
+ public class PSSentinelDataConnectorDataTypeCloudTrailLog
+ {
+ public string State { get; set; }
+
+ }
+}
diff --git a/src/SecurityInsights/SecurityInsights/Models/DataConnectors/PSSentinelDataConnectorsDataTypeCommon.cs b/src/SecurityInsights/SecurityInsights/Models/DataConnectors/PSSentinelDataConnectorsDataTypeCommon.cs
new file mode 100644
index 000000000000..552822bd882c
--- /dev/null
+++ b/src/SecurityInsights/SecurityInsights/Models/DataConnectors/PSSentinelDataConnectorsDataTypeCommon.cs
@@ -0,0 +1,27 @@
+// ----------------------------------------------------------------------------------
+//
+// Copyright Microsoft Corporation
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+// http://www.apache.org/licenses/LICENSE-2.0
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+// ----------------------------------------------------------------------------------
+
+using System;
+using System.Collections.Generic;
+using Microsoft.Azure.Management.SecurityInsights.Models;
+
+namespace Microsoft.Azure.Commands.SecurityInsights.Models.DataConnectors
+{
+ public class PSSentinelDataConnectorDataTypeCommon
+ {
+
+ public string State { get; set; }
+
+ }
+}
diff --git a/src/SecurityInsights/SecurityInsights/Models/DataConnectors/PSSentinelDataConnectorsDataTypeMCAS.cs b/src/SecurityInsights/SecurityInsights/Models/DataConnectors/PSSentinelDataConnectorsDataTypeMCAS.cs
new file mode 100644
index 000000000000..5ea9a747d6b6
--- /dev/null
+++ b/src/SecurityInsights/SecurityInsights/Models/DataConnectors/PSSentinelDataConnectorsDataTypeMCAS.cs
@@ -0,0 +1,29 @@
+// ----------------------------------------------------------------------------------
+//
+// Copyright Microsoft Corporation
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+// http://www.apache.org/licenses/LICENSE-2.0
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+// ----------------------------------------------------------------------------------
+
+using System;
+using System.Collections.Generic;
+using Microsoft.Azure.Management.SecurityInsights.Models;
+
+namespace Microsoft.Azure.Commands.SecurityInsights.Models.DataConnectors
+{
+ public class PSSentinelDataConnectorDataTypeMCAS
+ {
+ public PSSentinelDataConnectorDataTypeCommon Alerts { get; set; }
+
+ public PSSentinelDataConnectorDataTypeCommon DiscoveryLogs { get; set; }
+
+
+ }
+}
diff --git a/src/SecurityInsights/SecurityInsights/Models/DataConnectors/PSSentinelDataConnectorsDataTypeOffice.cs b/src/SecurityInsights/SecurityInsights/Models/DataConnectors/PSSentinelDataConnectorsDataTypeOffice.cs
new file mode 100644
index 000000000000..94d0e04e6289
--- /dev/null
+++ b/src/SecurityInsights/SecurityInsights/Models/DataConnectors/PSSentinelDataConnectorsDataTypeOffice.cs
@@ -0,0 +1,28 @@
+// ----------------------------------------------------------------------------------
+//
+// Copyright Microsoft Corporation
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+// http://www.apache.org/licenses/LICENSE-2.0
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+// ----------------------------------------------------------------------------------
+
+using System;
+using System.Collections.Generic;
+using Microsoft.Azure.Management.SecurityInsights.Models;
+
+namespace Microsoft.Azure.Commands.SecurityInsights.Models.DataConnectors
+{
+ public class PSSentinelDataConnectorDataTypeOffice
+ {
+ public PSSentinelDataConnectorDataTypeOfficeExchange Exchange { get; set; }
+
+ public PSSentinelDataConnectorDataTypeOfficeSharePoint SharePoint { get; set; }
+
+ }
+}
diff --git a/src/SecurityInsights/SecurityInsights/Models/DataConnectors/PSSentinelDataConnectorsDataTypeOfficeExchange.cs b/src/SecurityInsights/SecurityInsights/Models/DataConnectors/PSSentinelDataConnectorsDataTypeOfficeExchange.cs
new file mode 100644
index 000000000000..bb5b5d472875
--- /dev/null
+++ b/src/SecurityInsights/SecurityInsights/Models/DataConnectors/PSSentinelDataConnectorsDataTypeOfficeExchange.cs
@@ -0,0 +1,26 @@
+// ----------------------------------------------------------------------------------
+//
+// Copyright Microsoft Corporation
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+// http://www.apache.org/licenses/LICENSE-2.0
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+// ----------------------------------------------------------------------------------
+
+using System;
+using System.Collections.Generic;
+using Microsoft.Azure.Management.SecurityInsights.Models;
+
+namespace Microsoft.Azure.Commands.SecurityInsights.Models.DataConnectors
+{
+ public class PSSentinelDataConnectorDataTypeOfficeExchange
+ {
+ public string State { get; set; }
+
+ }
+}
diff --git a/src/SecurityInsights/SecurityInsights/Models/DataConnectors/PSSentinelDataConnectorsDataTypeOfficeSharePoint.cs b/src/SecurityInsights/SecurityInsights/Models/DataConnectors/PSSentinelDataConnectorsDataTypeOfficeSharePoint.cs
new file mode 100644
index 000000000000..d0c11f9ba530
--- /dev/null
+++ b/src/SecurityInsights/SecurityInsights/Models/DataConnectors/PSSentinelDataConnectorsDataTypeOfficeSharePoint.cs
@@ -0,0 +1,26 @@
+// ----------------------------------------------------------------------------------
+//
+// Copyright Microsoft Corporation
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+// http://www.apache.org/licenses/LICENSE-2.0
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+// ----------------------------------------------------------------------------------
+
+using System;
+using System.Collections.Generic;
+using Microsoft.Azure.Management.SecurityInsights.Models;
+
+namespace Microsoft.Azure.Commands.SecurityInsights.Models.DataConnectors
+{
+ public class PSSentinelDataConnectorDataTypeOfficeSharePoint
+ {
+ public string State { get; set; }
+
+ }
+}
diff --git a/src/SecurityInsights/SecurityInsights/Models/DataConnectors/PSSentinelDataConnectorsDataTypeTI.cs b/src/SecurityInsights/SecurityInsights/Models/DataConnectors/PSSentinelDataConnectorsDataTypeTI.cs
new file mode 100644
index 000000000000..dd72154f730c
--- /dev/null
+++ b/src/SecurityInsights/SecurityInsights/Models/DataConnectors/PSSentinelDataConnectorsDataTypeTI.cs
@@ -0,0 +1,26 @@
+// ----------------------------------------------------------------------------------
+//
+// Copyright Microsoft Corporation
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+// http://www.apache.org/licenses/LICENSE-2.0
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+// ----------------------------------------------------------------------------------
+
+using System;
+using System.Collections.Generic;
+using Microsoft.Azure.Management.SecurityInsights.Models;
+
+namespace Microsoft.Azure.Commands.SecurityInsights.Models.DataConnectors
+{
+ public class PSSentinelDataConnectorDataTypeTI
+ {
+ public PSSentinelDataConnectorDataTypeTIIndicator Indicators { get; set; }
+
+ }
+}
diff --git a/src/SecurityInsights/SecurityInsights/Models/DataConnectors/PSSentinelDataConnectorsDataTypeTIIndicators.cs b/src/SecurityInsights/SecurityInsights/Models/DataConnectors/PSSentinelDataConnectorsDataTypeTIIndicators.cs
new file mode 100644
index 000000000000..59b78298e190
--- /dev/null
+++ b/src/SecurityInsights/SecurityInsights/Models/DataConnectors/PSSentinelDataConnectorsDataTypeTIIndicators.cs
@@ -0,0 +1,26 @@
+// ----------------------------------------------------------------------------------
+//
+// Copyright Microsoft Corporation
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+// http://www.apache.org/licenses/LICENSE-2.0
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+// ----------------------------------------------------------------------------------
+
+using System;
+using System.Collections.Generic;
+using Microsoft.Azure.Management.SecurityInsights.Models;
+
+namespace Microsoft.Azure.Commands.SecurityInsights.Models.DataConnectors
+{
+ public class PSSentinelDataConnectorDataTypeTIIndicator
+ {
+ public string State { get; set; }
+
+ }
+}
diff --git a/src/SecurityInsights/SecurityInsights/Models/DataConnectors/PSSentinelDataConnectorsMCAS.cs b/src/SecurityInsights/SecurityInsights/Models/DataConnectors/PSSentinelDataConnectorsMCAS.cs
new file mode 100644
index 000000000000..c587b5673d40
--- /dev/null
+++ b/src/SecurityInsights/SecurityInsights/Models/DataConnectors/PSSentinelDataConnectorsMCAS.cs
@@ -0,0 +1,29 @@
+// ----------------------------------------------------------------------------------
+//
+// Copyright Microsoft Corporation
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+// http://www.apache.org/licenses/LICENSE-2.0
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+// ----------------------------------------------------------------------------------
+
+using System;
+using System.Collections.Generic;
+using Microsoft.Azure.Management.SecurityInsights.Models;
+
+namespace Microsoft.Azure.Commands.SecurityInsights.Models.DataConnectors
+{
+ public class PSSentinelDataConnectorMCAS : PSSentinelDataConnector
+ {
+
+ public PSSentinelDataConnectorDataTypeMCAS DataTypes { get; set; }
+
+ public string TenantId { get; set; }
+
+ }
+}
diff --git a/src/SecurityInsights/SecurityInsights/Models/DataConnectors/PSSentinelDataConnectorsMDATP.cs b/src/SecurityInsights/SecurityInsights/Models/DataConnectors/PSSentinelDataConnectorsMDATP.cs
new file mode 100644
index 000000000000..fa8b04b9f851
--- /dev/null
+++ b/src/SecurityInsights/SecurityInsights/Models/DataConnectors/PSSentinelDataConnectorsMDATP.cs
@@ -0,0 +1,29 @@
+// ----------------------------------------------------------------------------------
+//
+// Copyright Microsoft Corporation
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+// http://www.apache.org/licenses/LICENSE-2.0
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+// ----------------------------------------------------------------------------------
+
+using System;
+using System.Collections.Generic;
+using Microsoft.Azure.Management.SecurityInsights.Models;
+
+namespace Microsoft.Azure.Commands.SecurityInsights.Models.DataConnectors
+{
+ public class PSSentinelDataConnectorMDATP : PSSentinelDataConnector
+ {
+
+ public PSSentinelDataConnectorDataTypeAlert DataTypes { get; set; }
+
+ public string TenantId { get; set; }
+
+ }
+}
diff --git a/src/SecurityInsights/SecurityInsights/Models/DataConnectors/PSSentinelDataConnectorsOffice.cs b/src/SecurityInsights/SecurityInsights/Models/DataConnectors/PSSentinelDataConnectorsOffice.cs
new file mode 100644
index 000000000000..56e45bd28a59
--- /dev/null
+++ b/src/SecurityInsights/SecurityInsights/Models/DataConnectors/PSSentinelDataConnectorsOffice.cs
@@ -0,0 +1,29 @@
+// ----------------------------------------------------------------------------------
+//
+// Copyright Microsoft Corporation
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+// http://www.apache.org/licenses/LICENSE-2.0
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+// ----------------------------------------------------------------------------------
+
+using System;
+using System.Collections.Generic;
+using Microsoft.Azure.Management.SecurityInsights.Models;
+
+namespace Microsoft.Azure.Commands.SecurityInsights.Models.DataConnectors
+{
+ public class PSSentinelDataConnectorOffice : PSSentinelDataConnector
+ {
+
+ public PSSentinelDataConnectorDataTypeOffice DataTypes { get; set; }
+
+ public string TenantId { get; set; }
+
+ }
+}
diff --git a/src/SecurityInsights/SecurityInsights/Models/DataConnectors/PSSentinelDataConnectorsTI.cs b/src/SecurityInsights/SecurityInsights/Models/DataConnectors/PSSentinelDataConnectorsTI.cs
new file mode 100644
index 000000000000..6265941bafaa
--- /dev/null
+++ b/src/SecurityInsights/SecurityInsights/Models/DataConnectors/PSSentinelDataConnectorsTI.cs
@@ -0,0 +1,29 @@
+// ----------------------------------------------------------------------------------
+//
+// Copyright Microsoft Corporation
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+// http://www.apache.org/licenses/LICENSE-2.0
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+// ----------------------------------------------------------------------------------
+
+using System;
+using System.Collections.Generic;
+using Microsoft.Azure.Management.SecurityInsights.Models;
+
+namespace Microsoft.Azure.Commands.SecurityInsights.Models.DataConnectors
+{
+ public class PSSentinelDataConnectorTI : PSSentinelDataConnector
+ {
+
+ public PSSentinelDataConnectorDataTypeTI DataTypes { get; set; }
+
+ public string TenantId { get; set; }
+
+ }
+}
diff --git a/src/SecurityInsights/SecurityInsights/Models/IncidentComments/PSSentinelIncidentComment.cs b/src/SecurityInsights/SecurityInsights/Models/IncidentComments/PSSentinelIncidentComment.cs
new file mode 100644
index 000000000000..0d1658bf7f6a
--- /dev/null
+++ b/src/SecurityInsights/SecurityInsights/Models/IncidentComments/PSSentinelIncidentComment.cs
@@ -0,0 +1,37 @@
+// ----------------------------------------------------------------------------------
+//
+// Copyright Microsoft Corporation
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+// http://www.apache.org/licenses/LICENSE-2.0
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+// ----------------------------------------------------------------------------------
+
+using System;
+using System.Collections.Generic;
+using Microsoft.Azure.Management.SecurityInsights.Models;
+
+namespace Microsoft.Azure.Commands.SecurityInsights.Models.IncidentComments
+{
+ public class PSSentinelIncidentComment
+ {
+
+ public string Id { get; set; }
+
+ public string Name { get; set; }
+
+ public string Type { get; set; }
+
+ public PSSentinelIncidentCommentAuthor Author { get; set; }
+
+ public DateTime? CreatedTimeUtc { get; set; }
+
+ public string Message { get; set; }
+
+ }
+}
diff --git a/src/SecurityInsights/SecurityInsights/Models/IncidentComments/PSSentinelIncidentCommentAuthor.cs b/src/SecurityInsights/SecurityInsights/Models/IncidentComments/PSSentinelIncidentCommentAuthor.cs
new file mode 100644
index 000000000000..ac9db0b41819
--- /dev/null
+++ b/src/SecurityInsights/SecurityInsights/Models/IncidentComments/PSSentinelIncidentCommentAuthor.cs
@@ -0,0 +1,32 @@
+// ----------------------------------------------------------------------------------
+//
+// Copyright Microsoft Corporation
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+// http://www.apache.org/licenses/LICENSE-2.0
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+// ----------------------------------------------------------------------------------
+
+using System;
+using System.Collections.Generic;
+using Microsoft.Azure.Management.SecurityInsights.Models;
+
+namespace Microsoft.Azure.Commands.SecurityInsights.Models.IncidentComments
+{
+ public class PSSentinelIncidentCommentAuthor
+ {
+ public Guid? ObjectId { get; set; }
+
+ public string Email { get; set; }
+
+ public string UserPrincipalName { get; set; }
+
+ public string Name { get; set; }
+
+ }
+}
diff --git a/src/SecurityInsights/SecurityInsights/Models/IncidentComments/PSSentinelIncidentCommentConvertors.cs b/src/SecurityInsights/SecurityInsights/Models/IncidentComments/PSSentinelIncidentCommentConvertors.cs
new file mode 100644
index 000000000000..e89b5bb3f820
--- /dev/null
+++ b/src/SecurityInsights/SecurityInsights/Models/IncidentComments/PSSentinelIncidentCommentConvertors.cs
@@ -0,0 +1,55 @@
+// ----------------------------------------------------------------------------------
+//
+// Copyright Microsoft Corporation
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+// http://www.apache.org/licenses/LICENSE-2.0
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+// ----------------------------------------------------------------------------------
+
+using System.Linq;
+using System.Collections.Generic;
+using Microsoft.Azure.Management.SecurityInsights.Models;
+using System.Security.Cryptography;
+
+namespace Microsoft.Azure.Commands.SecurityInsights.Models.IncidentComments
+{
+ public static class PSSentinelIncidentCommentConvertors
+ {
+
+ public static PSSentinelIncidentComment ConvertToPSType(this IncidentComment value)
+ {
+ return new PSSentinelIncidentComment()
+ {
+ Id = value.Id,
+ Name = value.Name,
+ Type = value.Type,
+ Author = value.Author.ConvertToPSType(),
+ CreatedTimeUtc = value.CreatedTimeUtc,
+ Message = value.Message
+ };
+ }
+
+ public static List ConvertToPSType(this IEnumerable value)
+ {
+ return value.Select(dss => dss.ConvertToPSType()).ToList();
+ }
+
+ public static PSSentinelIncidentCommentAuthor ConvertToPSType(this ClientInfo value)
+ {
+ return new PSSentinelIncidentCommentAuthor()
+ {
+ Email = value.Email,
+ Name = value.Name,
+ ObjectId = value.ObjectId,
+ UserPrincipalName = value.UserPrincipalName
+ };
+ }
+
+ }
+}
diff --git a/src/SecurityInsights/SecurityInsights/Models/Incidents/PSSentinelIncident.cs b/src/SecurityInsights/SecurityInsights/Models/Incidents/PSSentinelIncident.cs
new file mode 100644
index 000000000000..b396d9e4d3c0
--- /dev/null
+++ b/src/SecurityInsights/SecurityInsights/Models/Incidents/PSSentinelIncident.cs
@@ -0,0 +1,62 @@
+// ----------------------------------------------------------------------------------
+//
+// Copyright Microsoft Corporation
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+// http://www.apache.org/licenses/LICENSE-2.0
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+// ----------------------------------------------------------------------------------
+
+using System;
+using System.Collections.Generic;
+
+namespace Microsoft.Azure.Commands.SecurityInsights.Models.Incidents
+{
+ public class PSSentinelIncident
+ {
+ public string Id { get; set; }
+
+ public string Name { get; set; }
+
+ public string Type { get; set; }
+
+ public string Etag { get; set; }
+
+ public PSSentinelIncidentAdditionalData AdditonalData { get; set; }
+
+ public string Classification { get; set; }
+
+ public string ClassificationComment { get; set; }
+
+ public string ClassificationReason { get; set; }
+
+ public DateTime? CreatedTimeUTC { get; set; }
+
+ public string Description { get; set; }
+
+ public DateTime? FirstActivityTimeUtc { get; set; }
+
+ public int? IncidentNumber { get; set; }
+
+ public string IncidentUrl { get; set; }
+
+ public IList Labels { get; set; }
+
+ public DateTime? LastActivityTimeUtc { get; set; }
+
+ public DateTime? LastModifiedTimeUtc { get; set; }
+
+ public PSSentinelIncidentOwner Owner { get; set; }
+
+ public string Severity { get; set; }
+
+ public string Status { get; set; }
+
+ public string Title { get; set; }
+ }
+}
diff --git a/src/SecurityInsights/SecurityInsights/Models/Incidents/PSSentinelIncidentAddtionalData.cs b/src/SecurityInsights/SecurityInsights/Models/Incidents/PSSentinelIncidentAddtionalData.cs
new file mode 100644
index 000000000000..fbd9dd31381c
--- /dev/null
+++ b/src/SecurityInsights/SecurityInsights/Models/Incidents/PSSentinelIncidentAddtionalData.cs
@@ -0,0 +1,31 @@
+// ----------------------------------------------------------------------------------
+//
+// Copyright Microsoft Corporation
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+// http://www.apache.org/licenses/LICENSE-2.0
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+// ----------------------------------------------------------------------------------
+
+using System.Collections.Generic;
+
+namespace Microsoft.Azure.Commands.SecurityInsights.Models.Incidents
+{
+ public class PSSentinelIncidentAdditionalData
+ {
+ public IList AlertProductNames { get; set; }
+
+ public int? AlertsCount { get; set; }
+
+ public int? BookmarksCount { get; set; }
+
+ public int? CommentsCount { get; set; }
+
+ public IList Tactics { get; set; }
+ }
+}
diff --git a/src/SecurityInsights/SecurityInsights/Models/Incidents/PSSentinelIncidentConvertors.cs b/src/SecurityInsights/SecurityInsights/Models/Incidents/PSSentinelIncidentConvertors.cs
new file mode 100644
index 000000000000..c46dba726d23
--- /dev/null
+++ b/src/SecurityInsights/SecurityInsights/Models/Incidents/PSSentinelIncidentConvertors.cs
@@ -0,0 +1,159 @@
+// ----------------------------------------------------------------------------------
+//
+// Copyright Microsoft Corporation
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+// http://www.apache.org/licenses/LICENSE-2.0
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+// ----------------------------------------------------------------------------------
+
+using System.Linq;
+using System.Collections.Generic;
+using Microsoft.Azure.Management.SecurityInsights.Models;
+using System.Security.Cryptography;
+
+namespace Microsoft.Azure.Commands.SecurityInsights.Models.Incidents
+{
+ public static class PSSentinelIncidentConvertors
+ {
+
+ public static PSSentinelIncident ConvertToPSType(this Incident value)
+ {
+ return new PSSentinelIncident()
+ {
+ Id = value.Id,
+ Name = value.Name,
+ Type = value.Type,
+ Etag = value.Etag,
+ AdditonalData = value.AdditionalData.ConvertToPSType(),
+ Classification = value.Classification,
+ ClassificationComment = value.ClassificationComment,
+ ClassificationReason = value.ClassificationReason,
+ CreatedTimeUTC = value.CreatedTimeUtc,
+ Description = value.Description,
+ FirstActivityTimeUtc = value.FirstActivityTimeUtc,
+ IncidentNumber = value.IncidentNumber,
+ IncidentUrl = value.IncidentUrl,
+ Labels = value.Labels.ConvertToPSType(),
+ LastActivityTimeUtc = value.LastActivityTimeUtc,
+ LastModifiedTimeUtc = value.LastModifiedTimeUtc,
+ Owner = value.Owner.ConvertToPSType(),
+ Severity = value.Severity,
+ Status = value.Status,
+ Title = value.Title
+ };
+ }
+
+ public static List ConvertToPSType(this IEnumerable value)
+ {
+ return value.Select(dss => dss.ConvertToPSType()).ToList();
+ }
+
+ public static PSSentinelIncidentAdditionalData ConvertToPSType(this IncidentAdditionalData value)
+ {
+ return new PSSentinelIncidentAdditionalData()
+ {
+ AlertProductNames = value.AlertProductNames,
+ AlertsCount = value.AlertsCount,
+ BookmarksCount = value.BookmarksCount,
+ CommentsCount = value.CommentsCount,
+ Tactics = value.Tactics
+ };
+ }
+
+ public static List ConvertToPSType(this IEnumerable value)
+ {
+ return value.Select(dss => dss.ConvertToPSType()).ToList();
+ }
+
+ public static PSSentinelIncidentLabel ConvertToPSType(this IncidentLabel value)
+ {
+ return new PSSentinelIncidentLabel()
+ {
+ LabelName = value.LabelName,
+ LabelType = value.LabelType
+ };
+ }
+
+ public static List ConvertToPSType(this IEnumerable value)
+ {
+ return value.Select(dss => dss.ConvertToPSType()).ToList();
+ }
+
+ public static PSSentinelIncidentOwner ConvertToPSType(this IncidentOwnerInfo value)
+ {
+ return new PSSentinelIncidentOwner()
+ {
+ AssignedTo = value.AssignedTo,
+ Email = value.Email,
+ ObjectId = value.ObjectId,
+ UserPrincipalName = value.UserPrincipalName
+ };
+ }
+
+ public static List ConvertToPSType(this IEnumerable value)
+ {
+ return value.Select(dss => dss.ConvertToPSType()).ToList();
+ }
+
+
+ public static IncidentLabel CreatePSType(this PSSentinelIncidentLabel value)
+ {
+ return new IncidentLabel()
+ {
+ LabelName = value.LabelName
+ };
+ }
+
+ public static List CreatePSType(this IEnumerable value)
+ {
+ return value.Select(rec => rec.CreatePSType()).ToList();
+ }
+
+ public static IncidentOwnerInfo CreatePSType(this PSSentinelIncidentOwner value)
+ {
+ return new IncidentOwnerInfo()
+ {
+ AssignedTo = value.AssignedTo,
+ Email = value.Email,
+ ObjectId = value.ObjectId,
+ UserPrincipalName = value.UserPrincipalName
+ };
+ }
+
+ public static List CreatePSType(this IEnumerable value)
+ {
+ return value.Select(rec => rec.CreatePSType()).ToList();
+ }
+
+ public static Incident CreatePSType(this PSSentinelIncident value)
+ {
+ return new Incident()
+ {
+ Etag = value.Etag,
+ Classification = value.Classification,
+ ClassificationComment = value.ClassificationComment,
+ ClassificationReason = value.ClassificationReason,
+ Description = value.Description,
+ FirstActivityTimeUtc = value.FirstActivityTimeUtc,
+ Labels = value.Labels.CreatePSType(),
+ LastActivityTimeUtc = value.LastActivityTimeUtc,
+ Owner = value.Owner.CreatePSType(),
+ Severity = value.Severity,
+ Status = value.Status,
+ Title = value.Title
+ };
+ }
+
+ public static List ConvertToPSType(this IEnumerable value)
+ {
+ return value.Select(rec => rec.CreatePSType()).ToList();
+ }
+
+ }
+}
diff --git a/src/SecurityInsights/SecurityInsights/Models/Incidents/PSSentinelIncidentLabel.cs b/src/SecurityInsights/SecurityInsights/Models/Incidents/PSSentinelIncidentLabel.cs
new file mode 100644
index 000000000000..a2b84299dc16
--- /dev/null
+++ b/src/SecurityInsights/SecurityInsights/Models/Incidents/PSSentinelIncidentLabel.cs
@@ -0,0 +1,25 @@
+// ----------------------------------------------------------------------------------
+//
+// Copyright Microsoft Corporation
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+// http://www.apache.org/licenses/LICENSE-2.0
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+// ----------------------------------------------------------------------------------
+
+using System.Collections.Generic;
+
+namespace Microsoft.Azure.Commands.SecurityInsights.Models.Incidents
+{
+ public class PSSentinelIncidentLabel
+ {
+ public string LabelName { get; set; }
+
+ public string LabelType { get; set; }
+ }
+}
diff --git a/src/SecurityInsights/SecurityInsights/Models/Incidents/PSSentinelIncidentOwner.cs b/src/SecurityInsights/SecurityInsights/Models/Incidents/PSSentinelIncidentOwner.cs
new file mode 100644
index 000000000000..131c0af41f98
--- /dev/null
+++ b/src/SecurityInsights/SecurityInsights/Models/Incidents/PSSentinelIncidentOwner.cs
@@ -0,0 +1,30 @@
+// ----------------------------------------------------------------------------------
+//
+// Copyright Microsoft Corporation
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+// http://www.apache.org/licenses/LICENSE-2.0
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+// ----------------------------------------------------------------------------------
+
+using System;
+using System.Collections.Generic;
+
+namespace Microsoft.Azure.Commands.SecurityInsights.Models.Incidents
+{
+ public class PSSentinelIncidentOwner
+ {
+ public string AssignedTo { get; set; }
+
+ public string Email { get; set; }
+
+ public Guid? ObjectId { get; set; }
+
+ public string UserPrincipalName { get; set; }
+ }
+}
diff --git a/src/SecurityInsights/SecurityInsights/Properties/AssemblyInfo.cs b/src/SecurityInsights/SecurityInsights/Properties/AssemblyInfo.cs
new file mode 100644
index 000000000000..cfdbc347519d
--- /dev/null
+++ b/src/SecurityInsights/SecurityInsights/Properties/AssemblyInfo.cs
@@ -0,0 +1,49 @@
+// ----------------------------------------------------------------------------------
+//
+// Copyright Microsoft Corporation
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+// http://www.apache.org/licenses/LICENSE-2.0
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+// ----------------------------------------------------------------------------------
+
+using System.Reflection;
+using System.Runtime.CompilerServices;
+using System.Runtime.InteropServices;
+
+// General Information about an assembly is controlled through the following
+// set of attributes. Change these attribute values to modify the information
+// associated with an assembly.
+[assembly: AssemblyTitle("Commands.SecurityInsights")]
+[assembly: AssemblyDescription("")]
+[assembly: AssemblyConfiguration("")]
+[assembly: AssemblyCompany("")]
+[assembly: AssemblyProduct("Commands.SecurityInsights")]
+[assembly: AssemblyCopyright("Copyright © 2018")]
+[assembly: AssemblyTrademark("")]
+[assembly: AssemblyCulture("")]
+
+// Setting ComVisible to false makes the types in this assembly not visible
+// to COM components. If you need to access a type in this assembly from
+// COM, set the ComVisible attribute to true on that type.
+[assembly: ComVisible(false)]
+
+// The following GUID is for the ID of the typelib if this project is exposed to COM
+[assembly: Guid("C03DF84D-3C56-45E6-8CB3-73A0D242F3BD")]
+
+// Version information for an assembly consists of the following four values:
+//
+// Major Version
+// Minor Version
+// Build Number
+// Revision
+//
+// You can specify all the values or you can default the Build and Revision Numbers
+// by using the '*' as shown below:
+[assembly: AssemblyVersion("0.1.0")]
+[assembly: AssemblyFileVersion("0.1.0")]
diff --git a/src/SecurityInsights/SecurityInsights/SecurityInsights.csproj b/src/SecurityInsights/SecurityInsights/SecurityInsights.csproj
new file mode 100644
index 000000000000..d80faa055de9
--- /dev/null
+++ b/src/SecurityInsights/SecurityInsights/SecurityInsights.csproj
@@ -0,0 +1,13 @@
+
+
+
+ SecurityInsights
+
+
+
+
+
+
+
+
+
diff --git a/src/SecurityInsights/SecurityInsights/SecurityInsightsCmdletBase.cs b/src/SecurityInsights/SecurityInsights/SecurityInsightsCmdletBase.cs
new file mode 100644
index 000000000000..06f298b925d7
--- /dev/null
+++ b/src/SecurityInsights/SecurityInsights/SecurityInsightsCmdletBase.cs
@@ -0,0 +1,45 @@
+// ----------------------------------------------------------------------------------
+//
+// Copyright Microsoft Corporation
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+// http://www.apache.org/licenses/LICENSE-2.0
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+// ----------------------------------------------------------------------------------
+
+using Microsoft.Azure.Commands.Common.Authentication;
+using Microsoft.Azure.Commands.Common.Authentication.Abstractions;
+using Microsoft.Azure.Commands.ResourceManager.Common;
+using Microsoft.Azure.Management.SecurityInsights;
+
+namespace Microsoft.Azure.Commands.SecurityInsights
+{
+ public abstract class SecurityInsightsCmdletBase : AzureRMCmdlet
+ {
+ ///
+ /// Security Insights client
+ ///
+ private ISecurityInsightsClient _securityInsightsClient;
+
+ ///
+ /// Gets or sets the policy insights client
+ ///
+ public ISecurityInsightsClient SecurityInsightsClient
+ {
+ get
+ {
+ return _securityInsightsClient ??
+ (_securityInsightsClient = AzureSession.Instance.ClientFactory.CreateArmClient(DefaultContext, AzureEnvironment.Endpoint.ResourceManager));
+ }
+ set
+ {
+ _securityInsightsClient = value;
+ }
+ }
+ }
+}
diff --git a/src/SecurityInsights/SecurityInsights/help/Az.SecurityInsights.md b/src/SecurityInsights/SecurityInsights/help/Az.SecurityInsights.md
new file mode 100644
index 000000000000..6f2b87d1b46b
--- /dev/null
+++ b/src/SecurityInsights/SecurityInsights/help/Az.SecurityInsights.md
@@ -0,0 +1,84 @@
+---
+Module Name: Az.SecurityInsights
+Module Guid: 453d4fb9-65ec-4cf1-8358-6a0fbd995d19
+Download Help Link: https://docs.microsoft.com/en-us/powershell/module/az.securityinsights
+Help Version: 0.1.0
+Locale: en-US
+---
+
+# Az.SecurityInsights Module
+## Description
+Microsoft Azure Sentinel is a scalable, cloud-native, security information event management (SIEM) and security orchestration automated response (SOAR) solution. Azure Sentinel delivers intelligent security analytics and threat intelligence across the enterprise, providing a single solution for alert detection, threat visibility, proactive hunting, and threat response.
+
+## Az.SecurityInsights Cmdlets
+### [Get-AzSentinelAlertRule](Get-AzSentinelAlertRule.md)
+Gets an Analytic (Alert Rule).
+
+### [Get-AzSentinelAlertRuleAction](Get-AzSentinelAlertRuleAction.md)
+Get an Automated Response (Alert Rule Action).
+
+### [Get-AzSentinelAlertRuleTemplate](Get-AzSentinelAlertRuleTemplate.md)
+Get Analytic Rule Template.
+
+### [Get-AzSentinelBookmark](Get-AzSentinelBookmark.md)
+Get a Bookmark.
+
+### [Get-AzSentinelDataConnector](Get-AzSentinelDataConnector.md)
+Get a Data Connector.
+
+### [Get-AzSentinelIncident](Get-AzSentinelIncident.md)
+Get an Incident.
+
+### [Get-AzSentinelIncidentComment](Get-AzSentinelIncidentComment.md)
+Get an Incident Comment.
+
+### [New-AzSentinelAlertRule](New-AzSentinelAlertRule.md)
+Create an Analytic (Alert Rule).
+
+### [New-AzSentinelAlertRuleAction](New-AzSentinelAlertRuleAction.md)
+Add an Automated Response to an Analatic.
+
+### [New-AzSentinelBookmark](New-AzSentinelBookmark.md)
+Create a Bookmark.
+
+### [New-AzSentinelDataConnector](New-AzSentinelDataConnector.md)
+Create a Data Connector.
+
+### [New-AzSentinelIncident](New-AzSentinelIncident.md)
+Create an Incident.
+
+### [New-AzSentinelIncidentComment](New-AzSentinelIncidentComment.md)
+Add an Incident Comment to an Incident.
+
+### [New-AzSentinelIncidentOwner](New-AzSentinelIncidentOwner.md)
+Create Incident Owner object to update an incident owner.
+
+### [Remove-AzSentinelAlertRule](Remove-AzSentinelAlertRule.md)
+Delete an Analytic.
+
+### [Remove-AzSentinelAlertRuleAction](Remove-AzSentinelAlertRuleAction.md)
+Remove an Automated Response from an Analytic.
+
+### [Remove-AzSentinelBookmark](Remove-AzSentinelBookmark.md)
+Delete a Bookmark.
+
+### [Remove-AzSentinelDataConnector](Remove-AzSentinelDataConnector.md)
+Remove a Data Connector.
+
+### [Remove-AzSentinelIncident](Remove-AzSentinelIncident.md)
+Delete an Incident.
+
+### [Update-AzSentinelAlertRule](Update-AzSentinelAlertRule.md)
+Updata an Analtyic.
+
+### [Update-AzSentinelAlertRuleAction](Update-AzSentinelAlertRuleAction.md)
+Update an Automated Response (Alert Rule Action).
+
+### [Update-AzSentinelBookmark](Update-AzSentinelBookmark.md)
+Updata a Bookmark.
+
+### [Update-AzSentinelDataConnector](Update-AzSentinelDataConnector.md)
+Updata a Data Connector.
+
+### [Update-AzSentinelIncident](Update-AzSentinelIncident.md)
+Updata an Incident.
diff --git a/src/SecurityInsights/SecurityInsights/help/Get-AzSentinelAlertRule.md b/src/SecurityInsights/SecurityInsights/help/Get-AzSentinelAlertRule.md
new file mode 100644
index 000000000000..d7bf4730e4cf
--- /dev/null
+++ b/src/SecurityInsights/SecurityInsights/help/Get-AzSentinelAlertRule.md
@@ -0,0 +1,142 @@
+---
+external help file: Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.dll-Help.xml
+Module Name: Az.SecurityInsights
+online version: https://docs.microsoft.com/en-us/powershell/module/az.securityinsights/get-azsentinelalertrule
+schema: 2.0.0
+---
+
+# Get-AzSentinelAlertRule
+
+## SYNOPSIS
+Gets an Analytic (Alert Rule).
+
+## SYNTAX
+
+### WorkspaceScope (Default)
+```
+Get-AzSentinelAlertRule -ResourceGroupName -WorkspaceName
+ [-DefaultProfile ] []
+```
+
+### AlertRuleId
+```
+Get-AzSentinelAlertRule -ResourceGroupName -WorkspaceName -AlertRuleId
+ [-DefaultProfile ] []
+```
+
+### ResourceId
+```
+Get-AzSentinelAlertRule -ResourceId [-DefaultProfile ] []
+```
+
+## DESCRIPTION
+The **Get-AzSentinelAlertRule** cmdlet gets an Analytic (Alert Rule) from the specified workspace.
+If you specify the *AlertRuleId* parameter, a single **AlertRule** object is returned.
+If you do not specify the *AlertRuleId* parameter, an array containing all of the Alert Rules in the specified workspace are returned.
+You can use the **AlertRule** object to update the AlertRule, for example you can disable the **AlertRule**.
+
+## EXAMPLES
+
+### Example 1
+```powershell
+PS C:\> $AlertRules = Get-AzSentinelAlertRule -ResourceGroupName "MyResourceGroup" -WorkspaceName "MyWorkspaceName"
+```
+
+This example gets all of the **AlertRules** in the specified workspace, and then stores it in the $AlertRules variable.
+
+### Example 2
+```powershell
+PS C:\> $AlertRule = Get-AzSentinelAlertRule -ResourceGroupName "MyResourceGroup" -WorkspaceName "MyWorkspaceName" -AlertRuleId "MyAlertRuleId"
+```
+
+This example gets an **AlertRule** in the specified workspace, and then stores it in the $AlertRule variable.
+
+## PARAMETERS
+
+### -AlertRuleId
+Alert Rule Id.
+
+```yaml
+Type: System.String
+Parameter Sets: AlertRuleId
+Aliases:
+
+Required: True
+Position: Named
+Default value: None
+Accept pipeline input: True (ByPropertyName)
+Accept wildcard characters: False
+```
+
+### -DefaultProfile
+The credentials, account, tenant, and subscription used for communication with Azure.
+
+```yaml
+Type: Microsoft.Azure.Commands.Common.Authentication.Abstractions.Core.IAzureContextContainer
+Parameter Sets: (All)
+Aliases: AzContext, AzureRmContext, AzureCredential
+
+Required: False
+Position: Named
+Default value: None
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -ResourceGroupName
+Resource group name.
+
+```yaml
+Type: System.String
+Parameter Sets: WorkspaceScope, AlertRuleId
+Aliases:
+
+Required: True
+Position: Named
+Default value: None
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -ResourceId
+Resource Id.
+
+```yaml
+Type: System.String
+Parameter Sets: ResourceId
+Aliases:
+
+Required: True
+Position: Named
+Default value: None
+Accept pipeline input: True (ByPropertyName)
+Accept wildcard characters: False
+```
+
+### -WorkspaceName
+Workspace Name.
+
+```yaml
+Type: System.String
+Parameter Sets: WorkspaceScope, AlertRuleId
+Aliases:
+
+Required: True
+Position: Named
+Default value: None
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### CommonParameters
+This cmdlet supports the common parameters: -Debug, -ErrorAction, -ErrorVariable, -InformationAction, -InformationVariable, -OutVariable, -OutBuffer, -PipelineVariable, -Verbose, -WarningAction, and -WarningVariable. For more information, see [about_CommonParameters](http://go.microsoft.com/fwlink/?LinkID=113216).
+
+## INPUTS
+
+### System.String
+## OUTPUTS
+
+### Microsoft.Azure.Commands.SecurityInsights.Models.AlertRules.PSSentinelAlertRule
+## NOTES
+
+## RELATED LINKS
diff --git a/src/SecurityInsights/SecurityInsights/help/Get-AzSentinelAlertRuleAction.md b/src/SecurityInsights/SecurityInsights/help/Get-AzSentinelAlertRuleAction.md
new file mode 100644
index 000000000000..0075d81bcd50
--- /dev/null
+++ b/src/SecurityInsights/SecurityInsights/help/Get-AzSentinelAlertRuleAction.md
@@ -0,0 +1,137 @@
+---
+external help file: Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.dll-Help.xml
+Module Name: Az.SecurityInsights
+online version: https://docs.microsoft.com/en-us/powershell/module/az.securityinsights/get-azsentinelalertruleaction
+schema: 2.0.0
+---
+
+# Get-AzSentinelAlertRuleAction
+
+## SYNOPSIS
+Get an Automated Response (Alert Rule Action).
+
+## SYNTAX
+
+### AlertRuleId (Default)
+```
+Get-AzSentinelAlertRuleAction -ResourceGroupName -WorkspaceName -AlertRuleId
+ [-DefaultProfile ] []
+```
+
+### ActionId
+```
+Get-AzSentinelAlertRuleAction -ResourceGroupName -WorkspaceName -AlertRuleId
+ -ActionId [-DefaultProfile ] []
+```
+
+## DESCRIPTION
+The **Get-AzSentinelAlertRuleAction** cmdlet gets an Automated Response (Alert Rule Action) from the specified workspace.
+If you specify the *ActionId* and *AlertRuleId* parameters, a single **AlertRuleAction** object is returned.
+If you do not specify the *ActionId* parameter, an array containing all of the Actions for the specificed Alert Rule in the specified workspace are returned.
+You can use the **Action** object to update the Action, for example you can change the the **Action** for an Alert Rule.
+
+## EXAMPLES
+
+### Example 1
+```powershell
+PS C:\> $AlertRuleActions = Get-AzSentinelAlertRuleAction -ResourceGroupName "MyResourceGroup" -WorkspaceName "MyWorkspaceName" -AlertRuleId "MyAlertRuleId"
+```
+
+This example gets all of the **Actions** for the specified Alert Rule in the specified workspace, and then stores it in the $AlertRuleActions variable.
+
+### Example 2
+```powershell
+PS C:\> $AlertRuleAction = Get-AzSentinelAlertRuleAction -ResourceGroupName "MyResourceGroup" -WorkspaceName "MyWorkspaceName" -AlertRuleId "MyAlertRuleId" -ActionId "MyActionId"
+```
+
+This example gets an **AlertRuleAction** for the specified Alert Rule in the specified workspace, and then stores it in the $AlertRuleAction variable.
+
+## PARAMETERS
+
+### -ActionId
+Action Id.
+
+```yaml
+Type: System.String
+Parameter Sets: ActionId
+Aliases:
+
+Required: True
+Position: Named
+Default value: None
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -AlertRuleId
+Alert Rule Id.
+
+```yaml
+Type: System.String
+Parameter Sets: (All)
+Aliases:
+
+Required: True
+Position: Named
+Default value: None
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -DefaultProfile
+The credentials, account, tenant, and subscription used for communication with Azure.
+
+```yaml
+Type: Microsoft.Azure.Commands.Common.Authentication.Abstractions.Core.IAzureContextContainer
+Parameter Sets: (All)
+Aliases: AzContext, AzureRmContext, AzureCredential
+
+Required: False
+Position: Named
+Default value: None
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -ResourceGroupName
+Resource group name.
+
+```yaml
+Type: System.String
+Parameter Sets: (All)
+Aliases:
+
+Required: True
+Position: Named
+Default value: None
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -WorkspaceName
+Workspace Name.
+
+```yaml
+Type: System.String
+Parameter Sets: (All)
+Aliases:
+
+Required: True
+Position: Named
+Default value: None
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### CommonParameters
+This cmdlet supports the common parameters: -Debug, -ErrorAction, -ErrorVariable, -InformationAction, -InformationVariable, -OutVariable, -OutBuffer, -PipelineVariable, -Verbose, -WarningAction, and -WarningVariable. For more information, see [about_CommonParameters](http://go.microsoft.com/fwlink/?LinkID=113216).
+
+## INPUTS
+
+### None
+## OUTPUTS
+
+### Microsoft.Azure.Commands.SecurityInsights.Models.Actions.PSSentinelActionResponse
+## NOTES
+
+## RELATED LINKS
diff --git a/src/SecurityInsights/SecurityInsights/help/Get-AzSentinelAlertRuleTemplate.md b/src/SecurityInsights/SecurityInsights/help/Get-AzSentinelAlertRuleTemplate.md
new file mode 100644
index 000000000000..a4109cf01824
--- /dev/null
+++ b/src/SecurityInsights/SecurityInsights/help/Get-AzSentinelAlertRuleTemplate.md
@@ -0,0 +1,143 @@
+---
+external help file: Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.dll-Help.xml
+Module Name: Az.SecurityInsights
+online version: https://docs.microsoft.com/en-us/powershell/module/az.securityinsights/get-azsentinelalertruletemplate
+schema: 2.0.0
+---
+
+# Get-AzSentinelAlertRuleTemplate
+
+## SYNOPSIS
+Get Analytic Rule Template.
+
+## SYNTAX
+
+### WorkspaceScope (Default)
+```
+Get-AzSentinelAlertRuleTemplate -ResourceGroupName -WorkspaceName
+ [-DefaultProfile ] []
+```
+
+### AlertRuleTemplateId
+```
+Get-AzSentinelAlertRuleTemplate -ResourceGroupName -WorkspaceName
+ -AlertRuleTemplateId [-DefaultProfile ] []
+```
+
+### ResourceId
+```
+Get-AzSentinelAlertRuleTemplate -ResourceId [-DefaultProfile ]
+ []
+```
+
+## DESCRIPTION
+The **Get-AzSentinelAlertRuleTemplate** cmdlet gets an Alert Rule Template from the specified workspace.
+If you specify the *AlertRuleTemplateId* parameter, a single **AlertRuleTemplate** object is returned.
+If you do not specify the *AlertRuleTemplateId* parameter, an array containing all of the Alert Rule Templates in the specified workspace are returned.
+You can use the **AlertRuleTemplate** object to create a new Alert Rule.
+
+## EXAMPLES
+
+### Example 1
+```powershell
+PS C:\> $AlertRuleTemplates = Get-AzSentinelAlertRuleTemplate -ResourceGroupName "MyResourceGroup" -WorkspaceName "MyWorkspaceName"
+```
+
+This example gets all of the **AlertRuleTemplates** in the specified workspace, and then stores it in the $AlertRuleTemplates variable.
+
+### Example 2
+```powershell
+PS C:\> $AlertRuleTemplate = Get-AzSentinelAlertRuleTemplate -ResourceGroupName "MyResourceGroup" -WorkspaceName "MyWorkspaceName" -AlertRuleTemplateId "MyAlertRuleTemplateId"
+```
+
+This example gets an **AlertRuleTemplate** in the specified workspace, and then stores it in the $AlertRuleTemplate variable.
+
+## PARAMETERS
+
+### -AlertRuleTemplateId
+Template Alert Rule Id.
+
+```yaml
+Type: System.String
+Parameter Sets: AlertRuleTemplateId
+Aliases:
+
+Required: True
+Position: Named
+Default value: None
+Accept pipeline input: True (ByPropertyName)
+Accept wildcard characters: False
+```
+
+### -DefaultProfile
+The credentials, account, tenant, and subscription used for communication with Azure.
+
+```yaml
+Type: Microsoft.Azure.Commands.Common.Authentication.Abstractions.Core.IAzureContextContainer
+Parameter Sets: (All)
+Aliases: AzContext, AzureRmContext, AzureCredential
+
+Required: False
+Position: Named
+Default value: None
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -ResourceGroupName
+Resource group name.
+
+```yaml
+Type: System.String
+Parameter Sets: WorkspaceScope, AlertRuleTemplateId
+Aliases:
+
+Required: True
+Position: Named
+Default value: None
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -ResourceId
+Resource Id.
+
+```yaml
+Type: System.String
+Parameter Sets: ResourceId
+Aliases:
+
+Required: True
+Position: Named
+Default value: None
+Accept pipeline input: True (ByPropertyName)
+Accept wildcard characters: False
+```
+
+### -WorkspaceName
+Workspace Name.
+
+```yaml
+Type: System.String
+Parameter Sets: WorkspaceScope, AlertRuleTemplateId
+Aliases:
+
+Required: True
+Position: Named
+Default value: None
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### CommonParameters
+This cmdlet supports the common parameters: -Debug, -ErrorAction, -ErrorVariable, -InformationAction, -InformationVariable, -OutVariable, -OutBuffer, -PipelineVariable, -Verbose, -WarningAction, and -WarningVariable. For more information, see [about_CommonParameters](http://go.microsoft.com/fwlink/?LinkID=113216).
+
+## INPUTS
+
+### System.String
+## OUTPUTS
+
+### Microsoft.Azure.Commands.SecurityInsights.Models.AlertRuleTemplates.PSSentinelAlertRuleTemplate
+## NOTES
+
+## RELATED LINKS
diff --git a/src/SecurityInsights/SecurityInsights/help/Get-AzSentinelBookmark.md b/src/SecurityInsights/SecurityInsights/help/Get-AzSentinelBookmark.md
new file mode 100644
index 000000000000..95866aacd920
--- /dev/null
+++ b/src/SecurityInsights/SecurityInsights/help/Get-AzSentinelBookmark.md
@@ -0,0 +1,142 @@
+---
+external help file: Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.dll-Help.xml
+Module Name: Az.SecurityInsights
+online version: https://docs.microsoft.com/en-us/powershell/module/az.securityinsights/get-azsentinelbookmark
+schema: 2.0.0
+---
+
+# Get-AzSentinelBookmark
+
+## SYNOPSIS
+Get a Bookmark.
+
+## SYNTAX
+
+### WorkspaceScope (Default)
+```
+Get-AzSentinelBookmark -ResourceGroupName -WorkspaceName
+ [-DefaultProfile ] []
+```
+
+### BookmarkId.
+```
+Get-AzSentinelBookmark -ResourceGroupName -WorkspaceName -BookmarkId
+ [-DefaultProfile ] []
+```
+
+### ResourceId
+```
+Get-AzSentinelBookmark -ResourceId [-DefaultProfile ] []
+```
+
+## DESCRIPTION
+The **Get-AzSentinelBookmark** cmdlet gets a Bookmark from the specified workspace.
+If you specify the *BookmarkId* parameter, a single **Bookmark** object is returned.
+If you do not specify the *BookmarkId* parameter, an array containing all of the Bookmarks in the specified workspace are returned.
+You can use the **Bookmark** object to update the Bookmark, for example you can add Notes the **Bookmark**.
+
+## EXAMPLES
+
+### Example 1
+```powershell
+PS C:\> $Bookmarks = Get-AzSentinelBookmark -ResourceGroupName "MyResourceGroup" -WorkspaceName "MyWorkspaceName"
+```
+
+This example gets all of the **Bookmarks** in the specified workspace, and then stores it in the $Bookmarks variable.
+
+### Example 2
+```powershell
+PS C:\> $Bookmark = Get-AzSentinelBookmark -ResourceGroupName "MyResourceGroup" -WorkspaceName "MyWorkspaceName" -BookmarkId "MyBookmarkId"
+```
+
+This example gets an **Bookmark** in the specified workspace, and then stores it in the $Bookmark variable.
+
+## PARAMETERS
+
+### -BookmarkId
+Bookmark Id,
+
+```yaml
+Type: System.String
+Parameter Sets: BookmarkId.
+Aliases:
+
+Required: True
+Position: Named
+Default value: None
+Accept pipeline input: True (ByPropertyName)
+Accept wildcard characters: False
+```
+
+### -DefaultProfile
+The credentials, account, tenant, and subscription used for communication with Azure.
+
+```yaml
+Type: Microsoft.Azure.Commands.Common.Authentication.Abstractions.Core.IAzureContextContainer
+Parameter Sets: (All)
+Aliases: AzContext, AzureRmContext, AzureCredential
+
+Required: False
+Position: Named
+Default value: None
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -ResourceGroupName
+Resource group name.
+
+```yaml
+Type: System.String
+Parameter Sets: WorkspaceScope, BookmarkId.
+Aliases:
+
+Required: True
+Position: Named
+Default value: None
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -ResourceId
+Resource Id.
+
+```yaml
+Type: System.String
+Parameter Sets: ResourceId
+Aliases:
+
+Required: True
+Position: Named
+Default value: None
+Accept pipeline input: True (ByPropertyName)
+Accept wildcard characters: False
+```
+
+### -WorkspaceName
+Workspace Name.
+
+```yaml
+Type: System.String
+Parameter Sets: WorkspaceScope, BookmarkId.
+Aliases:
+
+Required: True
+Position: Named
+Default value: None
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### CommonParameters
+This cmdlet supports the common parameters: -Debug, -ErrorAction, -ErrorVariable, -InformationAction, -InformationVariable, -OutVariable, -OutBuffer, -PipelineVariable, -Verbose, -WarningAction, and -WarningVariable. For more information, see [about_CommonParameters](http://go.microsoft.com/fwlink/?LinkID=113216).
+
+## INPUTS
+
+### System.String
+## OUTPUTS
+
+### Microsoft.Azure.Commands.SecurityInsights.Models.Bookmarks.PSSentinelBookmark
+## NOTES
+
+## RELATED LINKS
diff --git a/src/SecurityInsights/SecurityInsights/help/Get-AzSentinelDataConnector.md b/src/SecurityInsights/SecurityInsights/help/Get-AzSentinelDataConnector.md
new file mode 100644
index 000000000000..1aa83f73a84a
--- /dev/null
+++ b/src/SecurityInsights/SecurityInsights/help/Get-AzSentinelDataConnector.md
@@ -0,0 +1,143 @@
+---
+external help file: Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.dll-Help.xml
+Module Name: Az.SecurityInsights
+online version: https://docs.microsoft.com/en-us/powershell/module/az.securityinsights/get-azsentineldataconnector
+schema: 2.0.0
+---
+
+# Get-AzSentinelDataConnector
+
+## SYNOPSIS
+Get a Data Connector.
+
+## SYNTAX
+
+### WorkspaceScope (Default)
+```
+Get-AzSentinelDataConnector -ResourceGroupName -WorkspaceName
+ [-DefaultProfile ] []
+```
+
+### DataConnectorId
+```
+Get-AzSentinelDataConnector -ResourceGroupName -WorkspaceName -DataConnectorId
+ [-DefaultProfile ] []
+```
+
+### ResourceId
+```
+Get-AzSentinelDataConnector -ResourceId [-DefaultProfile ]
+ []
+```
+
+## DESCRIPTION
+The **Get-AzSentinelDataConnector** cmdlet gets a Data Connector from the specified workspace.
+If you specify the *DataConnectorId* parameter, a single **DataConnector** object is returned.
+If you do not specify the *DataConnectorId* parameter, an array containing all of the Data Connectors in the specified workspace are returned.
+You can use the **DataConnector** object to update the Data Connector, for example you can disable the **DataConnector**.
+
+## EXAMPLES
+
+### Example 1
+```powershell
+PS C:\> $DataConnectors = Get-AzSentinelDataConnector -ResourceGroupName "MyResourceGroup" -WorkspaceName "MyWorkspaceName"
+```
+
+This example gets all of the **DataConnectors** in the specified workspace, and then stores it in the $DataConnectors variable.
+
+### Example 2
+```powershell
+PS C:\> $DataConnector = Get-AzSentinelDataConnector -ResourceGroupName "MyResourceGroup" -WorkspaceName "MyWorkspaceName" -DataConnectorId "MyDataConnectorId"
+```
+
+This example gets an **DataConnector** in the specified workspace, and then stores it in the $DataConnector variable.
+
+## PARAMETERS
+
+### -DataConnectorId
+Data Connector Id.
+
+```yaml
+Type: System.String
+Parameter Sets: DataConnectorId
+Aliases:
+
+Required: True
+Position: Named
+Default value: None
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -DefaultProfile
+The credentials, account, tenant, and subscription used for communication with Azure.
+
+```yaml
+Type: Microsoft.Azure.Commands.Common.Authentication.Abstractions.Core.IAzureContextContainer
+Parameter Sets: (All)
+Aliases: AzContext, AzureRmContext, AzureCredential
+
+Required: False
+Position: Named
+Default value: None
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -ResourceGroupName
+Resource group name.
+
+```yaml
+Type: System.String
+Parameter Sets: WorkspaceScope, DataConnectorId
+Aliases:
+
+Required: True
+Position: Named
+Default value: None
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -ResourceId
+Resource Id.
+
+```yaml
+Type: System.String
+Parameter Sets: ResourceId
+Aliases:
+
+Required: True
+Position: Named
+Default value: None
+Accept pipeline input: True (ByPropertyName)
+Accept wildcard characters: False
+```
+
+### -WorkspaceName
+Workspace Name.
+
+```yaml
+Type: System.String
+Parameter Sets: WorkspaceScope, DataConnectorId
+Aliases:
+
+Required: True
+Position: Named
+Default value: None
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### CommonParameters
+This cmdlet supports the common parameters: -Debug, -ErrorAction, -ErrorVariable, -InformationAction, -InformationVariable, -OutVariable, -OutBuffer, -PipelineVariable, -Verbose, -WarningAction, and -WarningVariable. For more information, see [about_CommonParameters](http://go.microsoft.com/fwlink/?LinkID=113216).
+
+## INPUTS
+
+### System.String
+## OUTPUTS
+
+### Microsoft.Azure.Commands.SecurityInsights.Models.DataConnectors.PSSentinelDataConnector
+## NOTES
+
+## RELATED LINKS
diff --git a/src/SecurityInsights/SecurityInsights/help/Get-AzSentinelIncident.md b/src/SecurityInsights/SecurityInsights/help/Get-AzSentinelIncident.md
new file mode 100644
index 000000000000..d82bb547102d
--- /dev/null
+++ b/src/SecurityInsights/SecurityInsights/help/Get-AzSentinelIncident.md
@@ -0,0 +1,142 @@
+---
+external help file: Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.dll-Help.xml
+Module Name: Az.SecurityInsights
+online version: https://docs.microsoft.com/en-us/powershell/module/az.securityinsights/get-azsentinelincident
+schema: 2.0.0
+---
+
+# Get-AzSentinelIncident
+
+## SYNOPSIS
+Get an Incident.
+
+## SYNTAX
+
+### WorkspaceScope (Default)
+```
+Get-AzSentinelIncident -ResourceGroupName -WorkspaceName
+ [-DefaultProfile ] []
+```
+
+### IncidentId
+```
+Get-AzSentinelIncident -ResourceGroupName -WorkspaceName [-IncidentId ]
+ [-DefaultProfile ] []
+```
+
+### ResourceId
+```
+Get-AzSentinelIncident -ResourceId [-DefaultProfile ] []
+```
+
+## DESCRIPTION
+The **Get-AzSentinelIncident** cmdlet gets an Incident from the specified workspace.
+If you specify the *IncidentId* parameter, a single **Incident** object is returned.
+If you do not specify the *IncidentId* parameter, an array containing all of the Incidents in the specified workspace are returned.
+You can use the **Incident** object to update the Incident, for example you can add Notes the **Incident**.
+
+## EXAMPLES
+
+### Example 1
+```powershell
+PS C:\> $Incidents = Get-AzSentinelIncident -ResourceGroupName "MyResourceGroup" -WorkspaceName "MyWorkspaceName"
+```
+
+This example gets all of the **Incidents** in the specified workspace, and then stores it in the $Incidents variable.
+
+### Example 2
+```powershell
+PS C:\> $Incident = Get-AzSentinelIncident -ResourceGroupName "MyResourceGroup" -WorkspaceName "MyWorkspaceName" -IncidentId "MyIncidentId"
+```
+
+This example gets an **Incident** in the specified workspace, and then stores it in the $Incident variable.
+
+## PARAMETERS
+
+### -DefaultProfile
+The credentials, account, tenant, and subscription used for communication with Azure.
+
+```yaml
+Type: Microsoft.Azure.Commands.Common.Authentication.Abstractions.Core.IAzureContextContainer
+Parameter Sets: (All)
+Aliases: AzContext, AzureRmContext, AzureCredential
+
+Required: False
+Position: Named
+Default value: None
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -IncidentId
+Incident Id.
+
+```yaml
+Type: System.String
+Parameter Sets: IncidentId
+Aliases:
+
+Required: False
+Position: Named
+Default value: None
+Accept pipeline input: True (ByPropertyName)
+Accept wildcard characters: False
+```
+
+### -ResourceGroupName
+Resource group name.
+
+```yaml
+Type: System.String
+Parameter Sets: WorkspaceScope, IncidentId
+Aliases:
+
+Required: True
+Position: Named
+Default value: None
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -ResourceId
+Resource Id.
+
+```yaml
+Type: System.String
+Parameter Sets: ResourceId
+Aliases:
+
+Required: True
+Position: Named
+Default value: None
+Accept pipeline input: True (ByPropertyName)
+Accept wildcard characters: False
+```
+
+### -WorkspaceName
+Workspace Name.
+
+```yaml
+Type: System.String
+Parameter Sets: WorkspaceScope, IncidentId
+Aliases:
+
+Required: True
+Position: Named
+Default value: None
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### CommonParameters
+This cmdlet supports the common parameters: -Debug, -ErrorAction, -ErrorVariable, -InformationAction, -InformationVariable, -OutVariable, -OutBuffer, -PipelineVariable, -Verbose, -WarningAction, and -WarningVariable. For more information, see [about_CommonParameters](http://go.microsoft.com/fwlink/?LinkID=113216).
+
+## INPUTS
+
+### System.String
+## OUTPUTS
+
+### Microsoft.Azure.Commands.SecurityInsights.Models.Incidents.PSSentinelIncident
+## NOTES
+
+## RELATED LINKS
diff --git a/src/SecurityInsights/SecurityInsights/help/Get-AzSentinelIncidentComment.md b/src/SecurityInsights/SecurityInsights/help/Get-AzSentinelIncidentComment.md
new file mode 100644
index 000000000000..04d8a77b6db5
--- /dev/null
+++ b/src/SecurityInsights/SecurityInsights/help/Get-AzSentinelIncidentComment.md
@@ -0,0 +1,157 @@
+---
+external help file: Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.dll-Help.xml
+Module Name: Az.SecurityInsights
+online version: https://docs.microsoft.com/en-us/powershell/module/az.securityinsights/get-azsentinelincidentcomment
+schema: 2.0.0
+---
+
+# Get-AzSentinelIncidentComment
+
+## SYNOPSIS
+Get an Incident Comment.
+
+## SYNTAX
+
+### IncidentId (Default)
+```
+Get-AzSentinelIncidentComment -ResourceGroupName -WorkspaceName -IncidentId
+ [-DefaultProfile ] []
+```
+
+### IncidentCommentId
+```
+Get-AzSentinelIncidentComment -ResourceGroupName -WorkspaceName -IncidentId
+ -IncidentCommentId [-DefaultProfile ] []
+```
+
+### ResourceId
+```
+Get-AzSentinelIncidentComment -ResourceId [-DefaultProfile ]
+ []
+```
+
+## DESCRIPTION
+The **Get-AzSentinelIncidentComment** cmdlet gets a Incident Comment from the specified workspace.
+If you specify the *IncidentCommentId* and *IncidentId* parameters, a single **IncidentComment** object is returned.
+If you do not specify the *IncidentCommentId* parameter, an array containing all of the Incident Comments for the specified Incident in the specified workspace are returned.
+
+## EXAMPLES
+
+### Example 1
+```powershell
+PS C:\> $IncidentComments = Get-AzSentinelIncidentComment -ResourceGroupName "MyResourceGroup" -WorkspaceName "MyWorkspaceName" -IncidentId "MyIncidentId"
+```
+
+This example gets all of the **IncidentComments** for the specified Incident in the specified workspace, and then stores it in the $IncidentComments variable.
+
+### Example 2
+```powershell
+PS C:\> $IncidentComment = Get-AzSentinelIncidentComment -ResourceGroupName "MyResourceGroup" -WorkspaceName "MyWorkspaceName" -IncidentId "MyIncidentId" -IncidentCommentId "MyIncidentCommentId"
+```
+
+This example gets an **IncidentComment** for the specified Incident in the specified workspace, and then stores it in the $IncidentComment variable.
+
+## PARAMETERS
+
+### -DefaultProfile
+The credentials, account, tenant, and subscription used for communication with Azure.
+
+```yaml
+Type: Microsoft.Azure.Commands.Common.Authentication.Abstractions.Core.IAzureContextContainer
+Parameter Sets: (All)
+Aliases: AzContext, AzureRmContext, AzureCredential
+
+Required: False
+Position: Named
+Default value: None
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -IncidentCommentId
+Incident Comment Id.
+
+```yaml
+Type: System.String
+Parameter Sets: IncidentCommentId
+Aliases:
+
+Required: True
+Position: Named
+Default value: None
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -IncidentId
+Incident Id.
+
+```yaml
+Type: System.String
+Parameter Sets: IncidentId, IncidentCommentId
+Aliases:
+
+Required: True
+Position: Named
+Default value: None
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -ResourceGroupName
+Resource group name.
+
+```yaml
+Type: System.String
+Parameter Sets: IncidentId, IncidentCommentId
+Aliases:
+
+Required: True
+Position: Named
+Default value: None
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -ResourceId
+Resource Id.
+
+```yaml
+Type: System.String
+Parameter Sets: ResourceId
+Aliases:
+
+Required: True
+Position: Named
+Default value: None
+Accept pipeline input: True (ByPropertyName)
+Accept wildcard characters: False
+```
+
+### -WorkspaceName
+Workspace Name.
+
+```yaml
+Type: System.String
+Parameter Sets: IncidentId, IncidentCommentId
+Aliases:
+
+Required: True
+Position: Named
+Default value: None
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### CommonParameters
+This cmdlet supports the common parameters: -Debug, -ErrorAction, -ErrorVariable, -InformationAction, -InformationVariable, -OutVariable, -OutBuffer, -PipelineVariable, -Verbose, -WarningAction, and -WarningVariable. For more information, see [about_CommonParameters](http://go.microsoft.com/fwlink/?LinkID=113216).
+
+## INPUTS
+
+### System.String
+## OUTPUTS
+
+### Microsoft.Azure.Commands.SecurityInsights.Models.IncidentComments.PSSentinelIncidentComment
+## NOTES
+
+## RELATED LINKS
diff --git a/src/SecurityInsights/SecurityInsights/help/New-AzSentinelAlertRule.md b/src/SecurityInsights/SecurityInsights/help/New-AzSentinelAlertRule.md
new file mode 100644
index 000000000000..07e4fcde5d97
--- /dev/null
+++ b/src/SecurityInsights/SecurityInsights/help/New-AzSentinelAlertRule.md
@@ -0,0 +1,491 @@
+---
+external help file: Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.dll-Help.xml
+Module Name: Az.SecurityInsights
+online version: https://docs.microsoft.com/en-us/powershell/module/az.securityinsights/new-azsentinelalertrule
+schema: 2.0.0
+---
+
+# New-AzSentinelAlertRule
+
+## SYNOPSIS
+Create an Analytic (Alert Rule).
+
+## SYNTAX
+
+### ScheduledAlertRule (Default)
+```
+New-AzSentinelAlertRule -ResourceGroupName -WorkspaceName [-Scheduled]
+ [-AlertRuleId ] [-AlertRuleTemplateName ] [-Enabled] -DisplayName
+ [-Description ] [-SuppressionDuration ] [-SuppressionEnabled] -Query
+ -QueryFrequency -QueryPeriod -Severity
+ [-Tactics ] [-TriggerOperator ]
+ -TriggerThreshold [-DefaultProfile ] [-WhatIf] [-Confirm] []
+```
+
+### FusionAlertRule
+```
+New-AzSentinelAlertRule -ResourceGroupName -WorkspaceName [-Fusion] [-AlertRuleId ]
+ -AlertRuleTemplateName [-Enabled] [-DefaultProfile ] [-WhatIf] [-Confirm]
+ []
+```
+
+### MicrosoftSecurityIncidentCreationRule
+```
+New-AzSentinelAlertRule -ResourceGroupName -WorkspaceName
+ [-MicrosoftSecurityIncidentCreation] [-AlertRuleId ] [-AlertRuleTemplateName ] [-Enabled]
+ -DisplayName -ProductFilter [-Description ]
+ [-DisplayNamesExcludeFilter ]
+ [-DisplayNamesFilter ]
+ [-SeveritiesFilter ]
+ [-DefaultProfile ] [-WhatIf] [-Confirm] []
+```
+
+## DESCRIPTION
+The **New-AzSentinelAlertRule** cmdlet creates an Analytic (Alert Rule) in the specified workspace.
+You must specify one of the three parameters, *Fusion*, *Scheduled* or *MicrosoftSecurityIncidentCreation*, to specify the kind of Alert rule to create. Each Kind has different required paramaters.
+You can use the *Confirm* parameter and $ConfirmPreference Windows PowerShell variable to control whether the cmdlet prompts you for confirmation.
+
+## EXAMPLES
+
+### Example 1
+```powershell
+PS C:\>$AlertRuleTemplateName = "f71aba3d-28fb-450b-b192-4e76a83015c8"
+PS C:\>$AlertRule = New-AzSentinelAlertRule -ResourceGroupName "MyResourceGroup" -WorkspaceName "MyWorkspaceName" -Fusion -Enabled -AlertRuleTemplateName $AlertRuleTemplateName
+```
+
+This example creates a **AlertRule** of the *Fusion* kind based on the Template for *Advanced Multistage Attack Detection*, and then stores it in the $AlertRule variable.
+
+### Example 2
+```powershell
+PS C:\> $AlertRuleTemplateName = "a2e0eb51-1f11-461a-999b-cd0ebe5c7a72"
+PS C:\> $AlertRule = New-AzSentinelAlertRule -ResourceGroupName "MyResourceGroup" -WorkspaceName "MyWorkspaceName" -MicrosoftSecurityIncidentCreation -Enabled -AlertRuleTemplateName $AlertRuleTemplateName -DisplayName "Create incidents based on Azure Security Center for IoT" -ProductFilter "Azure Security Center for IoT"
+```
+
+This example creates a **AlertRule** of the *MicrosoftSecurityIncidentCreation* kind based on the template for *Create incidents based on Azure Security Center for IoT alerts*, and then stores it in the $AlertRule varaible.
+
+### Example 2
+```powershell
+PS C:\> $AlertRule = New-AzSentinelAlertRule -ResourceGroupName "MyResourceGroup" -WorkspaceName "MyWorkspaceName" -Scheduled -Enabled -DisplayName "Powershell Exection Alert (Several Times per Hour)" -Severity Low -Query "SecurityEvent | where EventId == 4688" -QueryFrequency (New-TimeSpan -Hours 1) -QueryPeriod (New-TimeSpan -Hours 1) -TriggerThreshold 10
+```
+
+This example creates a **DataConnector** of the *Scheduled* kind, and then stores it in the $AlertRule varaible.
+
+## PARAMETERS
+
+### -AlertRuleId
+Alert Rule Id.
+
+```yaml
+Type: System.String
+Parameter Sets: (All)
+Aliases:
+
+Required: False
+Position: Named
+Default value: None
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -AlertRuleTemplateName
+Alert Rule Template.
+
+```yaml
+Type: System.String
+Parameter Sets: ScheduledAlertRule, MicrosoftSecurityIncidentCreationRule
+Aliases:
+
+Required: False
+Position: Named
+Default value: None
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+```yaml
+Type: System.String
+Parameter Sets: FusionAlertRule
+Aliases:
+
+Required: True
+Position: Named
+Default value: None
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -DefaultProfile
+The credentials, account, tenant, and subscription used for communication with Azure.
+
+```yaml
+Type: Microsoft.Azure.Commands.Common.Authentication.Abstractions.Core.IAzureContextContainer
+Parameter Sets: (All)
+Aliases: AzContext, AzureRmContext, AzureCredential
+
+Required: False
+Position: Named
+Default value: None
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -Description
+Description.
+
+```yaml
+Type: System.String
+Parameter Sets: ScheduledAlertRule, MicrosoftSecurityIncidentCreationRule
+Aliases:
+
+Required: False
+Position: Named
+Default value: None
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -DisplayName
+Alert Rule Display Name.
+
+```yaml
+Type: System.String
+Parameter Sets: ScheduledAlertRule, MicrosoftSecurityIncidentCreationRule
+Aliases:
+
+Required: True
+Position: Named
+Default value: None
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -DisplayNamesExcludeFilter
+Alert Rule Display Names Exclude Filter.
+
+```yaml
+Type: System.Collections.Generic.IList`1[System.String]
+Parameter Sets: MicrosoftSecurityIncidentCreationRule
+Aliases:
+
+Required: False
+Position: Named
+Default value: None
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -DisplayNamesFilter
+Alert Rule Display Names Filter.
+
+```yaml
+Type: System.Collections.Generic.IList`1[System.String]
+Parameter Sets: MicrosoftSecurityIncidentCreationRule
+Aliases:
+
+Required: False
+Position: Named
+Default value: None
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -Enabled
+Alert Rule Enabled.
+
+```yaml
+Type: System.Management.Automation.SwitchParameter
+Parameter Sets: (All)
+Aliases:
+
+Required: False
+Position: Named
+Default value: None
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -Fusion
+Alert Rule Kind.
+
+```yaml
+Type: System.Management.Automation.SwitchParameter
+Parameter Sets: FusionAlertRule
+Aliases:
+
+Required: True
+Position: Named
+Default value: None
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -MicrosoftSecurityIncidentCreation
+Alert Rule Kind.
+
+```yaml
+Type: System.Management.Automation.SwitchParameter
+Parameter Sets: MicrosoftSecurityIncidentCreationRule
+Aliases:
+
+Required: True
+Position: Named
+Default value: None
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -ProductFilter
+Alert Rule Product Filter.
+
+```yaml
+Type: System.String
+Parameter Sets: MicrosoftSecurityIncidentCreationRule
+Aliases:
+Accepted values: Azure Active Directory Identity Protection, Azure Advanced Threat Protection, Azure Security Center, Azure Security Center for IoT, Microsoft Cloud App Security, Microsoft Defender Advanced Threat Protection, Office 365 Advanced Threat Protection
+
+Required: True
+Position: Named
+Default value: None
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -Query
+Alert Rule Query.
+
+```yaml
+Type: System.String
+Parameter Sets: ScheduledAlertRule
+Aliases:
+
+Required: True
+Position: Named
+Default value: None
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -QueryFrequency
+Alert Rule Query Frequency.
+
+```yaml
+Type: System.Nullable`1[System.TimeSpan]
+Parameter Sets: ScheduledAlertRule
+Aliases:
+
+Required: True
+Position: Named
+Default value: None
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -QueryPeriod
+Alert Rule Query Period.
+
+```yaml
+Type: System.Nullable`1[System.TimeSpan]
+Parameter Sets: ScheduledAlertRule
+Aliases:
+
+Required: True
+Position: Named
+Default value: None
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -ResourceGroupName
+Resource group name.
+
+```yaml
+Type: System.String
+Parameter Sets: (All)
+Aliases:
+
+Required: True
+Position: Named
+Default value: None
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -Scheduled
+Alert Rule Kind.
+
+```yaml
+Type: System.Management.Automation.SwitchParameter
+Parameter Sets: ScheduledAlertRule
+Aliases:
+
+Required: True
+Position: Named
+Default value: None
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -SeveritiesFilter
+Alert Rule Severities Filter.
+
+```yaml
+Type: System.Collections.Generic.IList`1[System.String]
+Parameter Sets: MicrosoftSecurityIncidentCreationRule
+Aliases:
+
+Required: False
+Position: Named
+Default value: None
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -Severity
+Incident Severity.
+
+```yaml
+Type: System.String
+Parameter Sets: ScheduledAlertRule
+Aliases:
+Accepted values: High, Informational, Low, Medium
+
+Required: True
+Position: Named
+Default value: None
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -SuppressionDuration
+Alert Rule Suppression Duration.
+
+```yaml
+Type: System.TimeSpan
+Parameter Sets: ScheduledAlertRule
+Aliases:
+
+Required: False
+Position: Named
+Default value: None
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -SuppressionEnabled
+Alert Rule Suppression Enabled.
+
+```yaml
+Type: System.Management.Automation.SwitchParameter
+Parameter Sets: ScheduledAlertRule
+Aliases:
+
+Required: False
+Position: Named
+Default value: None
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -Tactics
+Alert Rule Tactics.
+
+```yaml
+Type: System.Collections.Generic.IList`1[System.String]
+Parameter Sets: ScheduledAlertRule
+Aliases:
+
+Required: False
+Position: Named
+Default value: None
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -TriggerOperator
+Alert Rule Trigger Operator.
+
+```yaml
+Type: Microsoft.Azure.Management.SecurityInsights.Models.TriggerOperator
+Parameter Sets: ScheduledAlertRule
+Aliases:
+Accepted values: Equal, GreaterThan, LessThan, NotEqual
+
+Required: False
+Position: Named
+Default value: None
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -TriggerThreshold
+Alert Rule Trigger Threshold.
+
+```yaml
+Type: System.Nullable`1[System.Int32]
+Parameter Sets: ScheduledAlertRule
+Aliases:
+
+Required: True
+Position: Named
+Default value: None
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -WorkspaceName
+Workspace Name.
+
+```yaml
+Type: System.String
+Parameter Sets: (All)
+Aliases:
+
+Required: True
+Position: Named
+Default value: None
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -Confirm
+Prompts you for confirmation before running the cmdlet.
+
+```yaml
+Type: System.Management.Automation.SwitchParameter
+Parameter Sets: (All)
+Aliases: cf
+
+Required: False
+Position: Named
+Default value: None
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -WhatIf
+Shows what would happen if the cmdlet runs. The cmdlet is not run.
+
+```yaml
+Type: System.Management.Automation.SwitchParameter
+Parameter Sets: (All)
+Aliases: wi
+
+Required: False
+Position: Named
+Default value: None
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### CommonParameters
+This cmdlet supports the common parameters: -Debug, -ErrorAction, -ErrorVariable, -InformationAction, -InformationVariable, -OutVariable, -OutBuffer, -PipelineVariable, -Verbose, -WarningAction, and -WarningVariable. For more information, see [about_CommonParameters](http://go.microsoft.com/fwlink/?LinkID=113216).
+
+## INPUTS
+
+### None
+## OUTPUTS
+
+### Microsoft.Azure.Commands.SecurityInsights.Models.AlertRules.PSSentinelAlertRule
+## NOTES
+
+## RELATED LINKS
diff --git a/src/SecurityInsights/SecurityInsights/help/New-AzSentinelAlertRuleAction.md b/src/SecurityInsights/SecurityInsights/help/New-AzSentinelAlertRuleAction.md
new file mode 100644
index 000000000000..8e26b6435a20
--- /dev/null
+++ b/src/SecurityInsights/SecurityInsights/help/New-AzSentinelAlertRuleAction.md
@@ -0,0 +1,185 @@
+---
+external help file: Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.dll-Help.xml
+Module Name: Az.SecurityInsights
+online version: https://docs.microsoft.com/en-us/powershell/module/az.securityinsights/new-azsentinelalertruleaction
+schema: 2.0.0
+---
+
+# New-AzSentinelAlertRuleAction
+
+## SYNOPSIS
+Add an Automated Response to an Analatic.
+
+## SYNTAX
+
+```
+New-AzSentinelAlertRuleAction -ResourceGroupName -WorkspaceName -AlertRuleId
+ [-ActionId ] -LogicAppResourceId -TriggerUri
+ [-DefaultProfile ] [-WhatIf] [-Confirm] []
+```
+
+## DESCRIPTION
+The **New-AzSentinelAlertRuleAction** cmdlet creates an Automated Response for an Alert Rule in the specified workspace.
+You must provide the Logic App Resorce Id and Trigger Uri which can be found using the Logic App module.
+You can use the *Confirm* parameter and $ConfirmPreference Windows PowerShell variable to control whether the cmdlet prompts you for confirmation.
+
+## EXAMPLES
+
+### Example 1
+```powershell
+PS C:\>$LogicAppResourceId = Get-AzLogicApp -ResourceGroupName "MyResourceGroup" -Name "Reset-AADPassword"
+PS C:\>$LogicAppTriggerUri = Get-AzLogicAppTriggerCallbackUrl -ResourceGroupName "MyResourceGroup" -Name "Reset-AADPassword" -TriggerName "When_a_response_to_an_Azure_Sentinel_alert_is_triggered"
+PS C:\>$AlertRuleAction = New-AzSentinelAlertRuleAction -ResourceGroupName "MyResourceGroup" -WorkspaceName "MyWorkspaceName" -AlertRuleId "MyAlertRuleId" -LogicAppResourceId ($LogicAppResourceId.Id) -TriggerUri ($LogicAppTriggerUri.Value)
+```
+
+This example creates an **AlertRuleAction** for the specified Alert Rule using properties of the Logic App, and then stores it in the $AlertRuleAction variable.
+
+## PARAMETERS
+
+### -ActionId
+Action Id.
+
+```yaml
+Type: System.String
+Parameter Sets: (All)
+Aliases:
+
+Required: False
+Position: Named
+Default value: None
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -AlertRuleId
+Alert Rule Id.
+
+```yaml
+Type: System.String
+Parameter Sets: (All)
+Aliases:
+
+Required: True
+Position: Named
+Default value: None
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -DefaultProfile
+The credentials, account, tenant, and subscription used for communication with Azure.
+
+```yaml
+Type: Microsoft.Azure.Commands.Common.Authentication.Abstractions.Core.IAzureContextContainer
+Parameter Sets: (All)
+Aliases: AzContext, AzureRmContext, AzureCredential
+
+Required: False
+Position: Named
+Default value: None
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -LogicAppResourceId
+Action Logic App Resource Id.
+
+```yaml
+Type: System.String
+Parameter Sets: (All)
+Aliases:
+
+Required: True
+Position: Named
+Default value: None
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -ResourceGroupName
+Resource group name.
+
+```yaml
+Type: System.String
+Parameter Sets: (All)
+Aliases:
+
+Required: True
+Position: Named
+Default value: None
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -TriggerUri
+Action Logic App Trigger Uri.
+
+```yaml
+Type: System.String
+Parameter Sets: (All)
+Aliases:
+
+Required: True
+Position: Named
+Default value: None
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -WorkspaceName
+Workspace Name.
+
+```yaml
+Type: System.String
+Parameter Sets: (All)
+Aliases:
+
+Required: True
+Position: Named
+Default value: None
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -Confirm
+Prompts you for confirmation before running the cmdlet.
+
+```yaml
+Type: System.Management.Automation.SwitchParameter
+Parameter Sets: (All)
+Aliases: cf
+
+Required: False
+Position: Named
+Default value: None
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -WhatIf
+Shows what would happen if the cmdlet runs. The cmdlet is not run.
+
+```yaml
+Type: System.Management.Automation.SwitchParameter
+Parameter Sets: (All)
+Aliases: wi
+
+Required: False
+Position: Named
+Default value: None
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### CommonParameters
+This cmdlet supports the common parameters: -Debug, -ErrorAction, -ErrorVariable, -InformationAction, -InformationVariable, -OutVariable, -OutBuffer, -PipelineVariable, -Verbose, -WarningAction, and -WarningVariable. For more information, see [about_CommonParameters](http://go.microsoft.com/fwlink/?LinkID=113216).
+
+## INPUTS
+
+### None
+## OUTPUTS
+
+### Microsoft.Azure.Commands.SecurityInsights.Models.Actions.PSSentinelActionResponse
+## NOTES
+
+## RELATED LINKS
diff --git a/src/SecurityInsights/SecurityInsights/help/New-AzSentinelBookmark.md b/src/SecurityInsights/SecurityInsights/help/New-AzSentinelBookmark.md
new file mode 100644
index 000000000000..233565abaeab
--- /dev/null
+++ b/src/SecurityInsights/SecurityInsights/help/New-AzSentinelBookmark.md
@@ -0,0 +1,228 @@
+---
+external help file: Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.dll-Help.xml
+Module Name: Az.SecurityInsights
+online version: https://docs.microsoft.com/en-us/powershell/module/az.securityinsights/new-azsentinelbookmark
+schema: 2.0.0
+---
+
+# New-AzSentinelBookmark
+
+## SYNOPSIS
+Create a Bookmark.
+
+## SYNTAX
+
+```
+New-AzSentinelBookmark -ResourceGroupName -WorkspaceName [-BookmarkId ]
+ -DisplayName [-IncidentInfo ]
+ [-Label ] [-Notes ] -Query
+ [-QueryResult ] [-DefaultProfile ] [-WhatIf] [-Confirm] []
+```
+
+## DESCRIPTION
+The **New-AzSentinelBookmark** cmdlet creates a Bookmark from the specified workspace.
+You can use the *Confirm* parameter and $ConfirmPreference Windows PowerShell variable to control whether the cmdlet prompts you for confirmation.
+
+## EXAMPLES
+
+### Example 1
+```powershell
+PS C:\> $Bookmark = New-AzSentinelBookmark -ResourceGroupName "MyResourceGroup" -WorkspaceName "MyWorkspaceName" -DisplayName "MyBookmark" -Query "SecurityAlert | take 1"
+```
+
+This example creates a **Bookmark** in the specified workspace, and then stores it in the $Bookmark variable.
+
+## PARAMETERS
+
+### -BookmarkId
+Bookmark Id,
+
+```yaml
+Type: System.String
+Parameter Sets: (All)
+Aliases:
+
+Required: False
+Position: Named
+Default value: None
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -DefaultProfile
+The credentials, account, tenant, and subscription used for communication with Azure.
+
+```yaml
+Type: Microsoft.Azure.Commands.Common.Authentication.Abstractions.Core.IAzureContextContainer
+Parameter Sets: (All)
+Aliases: AzContext, AzureRmContext, AzureCredential
+
+Required: False
+Position: Named
+Default value: None
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -DisplayName
+Bookmark Rule Display Name.
+
+```yaml
+Type: System.String
+Parameter Sets: (All)
+Aliases:
+
+Required: True
+Position: Named
+Default value: None
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -IncidentInfo
+Bookmark Incident Info.
+
+```yaml
+Type: Microsoft.Azure.Commands.SecurityInsights.Models.Bookmarks.PSSentinelBookmarkIncidentInfo
+Parameter Sets: (All)
+Aliases:
+
+Required: False
+Position: Named
+Default value: None
+Accept pipeline input: True (ByValue)
+Accept wildcard characters: False
+```
+
+### -Label
+Incident Labels.
+
+```yaml
+Type: System.Collections.Generic.IList`1[System.String]
+Parameter Sets: (All)
+Aliases:
+
+Required: False
+Position: Named
+Default value: None
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -Notes
+Bookmark Notes.
+
+```yaml
+Type: System.String
+Parameter Sets: (All)
+Aliases:
+
+Required: False
+Position: Named
+Default value: None
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -Query
+Bookmark Query.
+
+```yaml
+Type: System.String
+Parameter Sets: (All)
+Aliases:
+
+Required: True
+Position: Named
+Default value: None
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -QueryResult
+Bookmark Query Result.
+
+```yaml
+Type: System.String
+Parameter Sets: (All)
+Aliases:
+
+Required: False
+Position: Named
+Default value: None
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -ResourceGroupName
+Resource group name.
+
+```yaml
+Type: System.String
+Parameter Sets: (All)
+Aliases:
+
+Required: True
+Position: Named
+Default value: None
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -WorkspaceName
+Workspace Name.
+
+```yaml
+Type: System.String
+Parameter Sets: (All)
+Aliases:
+
+Required: True
+Position: Named
+Default value: None
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -Confirm
+Prompts you for confirmation before running the cmdlet.
+
+```yaml
+Type: System.Management.Automation.SwitchParameter
+Parameter Sets: (All)
+Aliases: cf
+
+Required: False
+Position: Named
+Default value: None
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -WhatIf
+Shows what would happen if the cmdlet runs. The cmdlet is not run.
+
+```yaml
+Type: System.Management.Automation.SwitchParameter
+Parameter Sets: (All)
+Aliases: wi
+
+Required: False
+Position: Named
+Default value: None
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### CommonParameters
+This cmdlet supports the common parameters: -Debug, -ErrorAction, -ErrorVariable, -InformationAction, -InformationVariable, -OutVariable, -OutBuffer, -PipelineVariable, -Verbose, -WarningAction, and -WarningVariable. For more information, see [about_CommonParameters](http://go.microsoft.com/fwlink/?LinkID=113216).
+
+## INPUTS
+
+### Microsoft.Azure.Commands.SecurityInsights.Models.Bookmarks.PSSentinelBookmarkIncidentInfo
+## OUTPUTS
+
+### Microsoft.Azure.Commands.SecurityInsights.Models.Bookmarks.PSSentinelBookmark
+## NOTES
+
+## RELATED LINKS
diff --git a/src/SecurityInsights/SecurityInsights/help/New-AzSentinelDataConnector.md b/src/SecurityInsights/SecurityInsights/help/New-AzSentinelDataConnector.md
new file mode 100644
index 000000000000..890a2bbe2786
--- /dev/null
+++ b/src/SecurityInsights/SecurityInsights/help/New-AzSentinelDataConnector.md
@@ -0,0 +1,442 @@
+---
+external help file: Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.dll-Help.xml
+Module Name: Az.SecurityInsights
+online version: https://docs.microsoft.com/en-us/powershell/module/az.securityinsights/new-azsentineldataconnector
+schema: 2.0.0
+---
+
+# New-AzSentinelDataConnector
+
+## SYNOPSIS
+Create a Data Connector.
+
+## SYNTAX
+
+### AzureActiveDirectory (Default)
+```
+New-AzSentinelDataConnector -ResourceGroupName -WorkspaceName [-DataConnectorId ]
+ [-AzureActiveDirectory] -Alerts [-DefaultProfile ] [-WhatIf] [-Confirm]
+ []
+```
+
+### AzureAdvancedThreatProtection
+```
+New-AzSentinelDataConnector -ResourceGroupName -WorkspaceName [-DataConnectorId ]
+ [-AzureAdvancedThreatProtection] -Alerts [-DefaultProfile ] [-WhatIf]
+ [-Confirm] []
+```
+
+### AzureSecurityCenter
+```
+New-AzSentinelDataConnector -ResourceGroupName -WorkspaceName [-DataConnectorId ]
+ [-AzureSecurityCenter] -Alerts -SubscriptionId [-DefaultProfile ]
+ [-WhatIf] [-Confirm] []
+```
+
+### AmazonWebServicesCloudTrail
+```
+New-AzSentinelDataConnector -ResourceGroupName -WorkspaceName [-DataConnectorId ]
+ [-AmazonWebServicesCloudTrail] -AwsRoleArn -Logs [-DefaultProfile ]
+ [-WhatIf] [-Confirm] []
+```
+
+### MicrosoftCloudAppSecurity
+```
+New-AzSentinelDataConnector -ResourceGroupName -WorkspaceName [-DataConnectorId