diff --git a/.script/tests/KqlvalidationsTests/CustomTables/BoxEvents.json b/.script/tests/KqlvalidationsTests/CustomTables/BoxEvents.json
index 959ff515d89..d10e1e0a9e2 100644
--- a/.script/tests/KqlvalidationsTests/CustomTables/BoxEvents.json
+++ b/.script/tests/KqlvalidationsTests/CustomTables/BoxEvents.json
@@ -242,4 +242,4 @@
 "Type": "Boolean"
 }
 ]
-}
\ No newline at end of file
+}
diff --git a/.script/tests/KqlvalidationsTests/CustomTables/BoxEventsV2_CL.json b/.script/tests/KqlvalidationsTests/CustomTables/BoxEventsV2_CL.json
new file mode 100644
index 00000000000..18093a9ab4d
--- /dev/null
+++ b/.script/tests/KqlvalidationsTests/CustomTables/BoxEventsV2_CL.json
@@ -0,0 +1,157 @@ +{ + "Name": "BoxEventsV2_CL", + "Properties": [ + { + "name": "additional_details", + "type": "dynamic" + }, + { + "name": "created_at", + "type": "datetime" + }, + { + "name": "event_id", + "type": "string" + }, + { + "name": "EventEndTime", + "type": "string" + }, + { + "name": "event_type", + "type": "string" + }, + { + "name": "ip_address", + "type": "string" + }, + { + "name": "session_id", + "type": "dynamic" + }, + { + "name": "TimeGenerated", + "type": "datetime" + }, + { + "name": "event_category", + "type": "string" + }, + { + "name": "source_user_email", + "type": "string" + }, + { + "name": "source_file_id", + "type": "string" + }, + { + "name": "source_file_name", + "type": "string" + }, + { + "name": "source_parent_name", + "type": "string" + }, + { + "name": "source_item_type", + "type": "string" + }, + { + "name": "source_item_id", + "type": "string" + }, + { + "name": "source_item_name", + "type": "string" + }, + { + "name": "source_parent_type", + "type": "string" + }, + { + "name": "source_parent_id", + "type": "string" + }, + { + "name": "source_owned_by_type", + "type": "string" + }, + { + "name": "source_owned_by_id", + "type": "string" + }, + { + "name": "source_owned_by_name", + "type": "string" + }, + { + "name": "source_owned_by_login", + "type": "string" + }, + { + "name": "created_by_type", + "type": "string" + }, + { + "name": "created_by_id", + "type": "string" + }, + { + "name": "created_by_name", + "type": "string" + }, + { + "name": "created_by_login", + "type": "string" + }, + { + "name": "source_type", + "type": "string" + }, + { + "name": "source_id", + "type": "string" + }, + { + "name": "source_name", + "type": "string" + }, + { + "name": "source_login", + "type": "string" + }, + { + "name": "source_folder_id", + "type": "string" + }, + { + "name": "source_folder_name", + "type": "string" + }, + { + "name": "source_user_id", + "type": "string" + }, + { + "name": "source_user_name", + "type": "string" + }, + { 
+ "name": "accessible_by_type", + "type": "string" + }, + { + "name": "accessible_by_id", + "type": "string" + }, + { + "name": "accessible_by_name", + "type": "string" + }, + { + "name": "accessible_by_login", + "type": "string" + } + ] +} \ No newline at end of file diff --git a/.script/tests/KqlvalidationsTests/SkipValidationsTemplates.json b/.script/tests/KqlvalidationsTests/SkipValidationsTemplates.json index f5419294fa3..93764d3a230 100644 --- a/.script/tests/KqlvalidationsTests/SkipValidationsTemplates.json +++ b/.script/tests/KqlvalidationsTests/SkipValidationsTemplates.json @@ -3084,6 +3084,11 @@ "templateName": "MESCheckVIP.yaml", "validationFailReason": "Temporarily Added for Parser KQL Queries validation" }, + { + "id": "231a04da-9a8d-4cd6-8a20-2da7ded173ba", + "templateName": "BoxEvents.yaml", + "validationFailReason": "Failing for missing coloumn which is already added to the Custom table Schema (EventEndTime)" + }, { "id": "600db9e0-1c11-4295-a88a-071c79434926", "templateName": "AccountElevatedtoNewRole.yaml", @@ -3631,4 +3636,4 @@ } // Temporarily adding Solution Parsers id's for Solution Parsers KQL Validations - End -] \ No newline at end of file +] diff --git a/Solutions/Box/Data Connectors/BoxEvents_ccp/BoxEvents_DCR.json b/Solutions/Box/Data Connectors/BoxEvents_ccp/BoxEvents_DCR.json new file mode 100644 index 00000000000..bad32f0bcd0 --- /dev/null +++ b/Solutions/Box/Data Connectors/BoxEvents_ccp/BoxEvents_DCR.json 
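Review bot: The test schema BoxEventsV2_CL.json declares an `EventEndTime` column that neither the deployed table schema in BoxEvents_table.json nor the `transformKql` in BoxEvents_DCR.json produces, so the KQL validation runs against a column the workspace table will never have. The SkipValidationsTemplates.json entry for BoxEvents.yaml added in this same commit records the gap ("missing coloumn … EventEndTime") instead of closing it, which takes the parser out of validation for good; either add `EventEndTime` to BoxEvents_table.json and emit it in the transform, or drop it from the test schema and (presumably) the parser, and then remove the skip entry. The skip reason also has a typo, `coloumn` → `column`.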
@@ -0,0 +1,82 @@ +[ + { + "name": "BoxEventsDCR", + "apiVersion": "2021-09-01-preview", + "type": "Microsoft.Insights/dataCollectionRules", + "location": "{{location}}", + "properties": { + "dataCollectionEndpointId": "{{dataCollectionEndpointId}}", + "streamDeclarations": { + "Custom-Box_CL": { + "columns": [ + { + "name": "type", + "type": "string" + }, + { + "name": "event_id", + "type": "string" + }, + { + "name": "created_by", + "type": "dynamic" + }, + { + "name": "created_at", + "type": "datetime" + }, + { + "name": "recorded_at", + "type": "datetime" + }, + { + "name": "event_type", + "type": "string" + }, + { + "name": "session_id", + "type": "string" + }, + { + "name": "source", + "type": "dynamic" + }, + { + "name": "ip_address", + "type": "string" + }, + { + "name": "accessible_by", + "type": "dynamic" + }, + { + "name": "additional_details", + "type": "dynamic" + } + ] + } + }, + "dataSources": {}, + "destinations": { + "logAnalytics": [ + { + "workspaceResourceId": "[variables('workspaceResourceId')]", + "name": "4b0f6f0e10104aa5838b3c0b18702683" + } + ] + }, + "dataFlows": [ + { + "streams": [ + "Custom-Box_CL" + ], + "destinations": [ + "4b0f6f0e10104aa5838b3c0b18702683" + ], + "transformKql": "source\n| extend TimeGenerated = created_at, event_category = type\n| extend\n source_user_email=tostring(source.user_email),\n source_file_id=tostring(source.file_id),\n source_file_name=tostring(source.file_name),\n source_parent_name=tostring(source.parent.name),\n source_item_type=tostring(source.item_type),\n source_item_id=tostring(source.item_id),\n source_item_name=tostring(source.item_name),\n source_parent_type=tostring(source.parent.type),\n source_parent_id=tostring(source.parent.id),\n source_owned_by_type=tostring(source.owned_by.type),\n source_owned_by_id=tostring(source.owned_by.type),\n source_owned_by_name=tostring(source.owned_by.name),\n source_owned_by_login=tostring(source.owned_by.login),\n created_by_type=tostring(created_by.type),\n 
created_by_id=tostring(created_by.id),\n created_by_name=tostring(created_by.name),\n created_by_login=tostring(created_by.login),\n source_type=tostring(source.type),\n source_id=tostring(source.id),\n source_name=tostring(source.name),\n source_login=tostring(source.login),\n source_folder_id=tostring(source.folder_id),\n source_folder_name=tostring(source.folder_name),\n source_user_id=tostring(source.user_id),\n source_user_name=tostring(source.user_name),\n accessible_by_type=tostring(accessible_by.type),\n accessible_by_id=tostring(accessible_by.id),\n accessible_by_name=tostring(accessible_by.name),\n accessible_by_login=tostring(accessible_by.login)\n| project-away type, accessible_by, created_by, source \n\n", + "outputStream": "Custom-BoxEventsV2_CL" + } + ] + } + } +] \ No newline at end of file diff --git a/Solutions/Box/Data Connectors/BoxEvents_ccp/BoxEvents_DataConnectorDefinition.json b/Solutions/Box/Data Connectors/BoxEvents_ccp/BoxEvents_DataConnectorDefinition.json new file mode 100644 index 00000000000..d3c6be1fb74 --- /dev/null +++ b/Solutions/Box/Data Connectors/BoxEvents_ccp/BoxEvents_DataConnectorDefinition.json 
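Review bot: In `transformKql`, `source_owned_by_id=tostring(source.owned_by.type)` reads the wrong field: every other `*_id` projection in the same extend uses `.id`, so this looks like a copy-paste slip and the column will carry the owner's type instead of the owner's id, silently breaking any analytic rule or hunting query that joins or pivots on owner id; change it to `source_owned_by_id=tostring(source.owned_by.id),`. Separately, the `Custom-Box_CL` stream declares `session_id` as `string` while BoxEvents_table.json declares the same column as `dynamic`, and the transform passes it through unconverted; confirm the ingestion pipeline accepts that type change or align the two declarations.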
@@ -0,0 +1,107 @@ +{ + "name": "BoxEventsCCPDefinition", + "apiVersion": "2022-09-01-preview", + "type": "Microsoft.SecurityInsights/dataConnectorDefinitions", + "location": "{{location}}", + "kind": "Customizable", + "id": "BoxEventsCCPDefinition", + "properties": { + "connectorUiConfig": { + "id": "BoxEventsCCPDefinition", + "title": "Box Events (CCP) (Preview)", + "publisher": "Microsoft", + "descriptionMarkdown": "The Box data connector provides the capability to ingest [Box enterprise's events](https://developer.box.com/guides/events/#admin-events) into Microsoft Sentinel using the Box REST API. Refer to [Box documentation](https://developer.box.com/guides/events/enterprise-events/for-enterprise/) for more information.", + "graphQueriesTableName": "BoxEventsV2_CL", + "graphQueries": [ + { + "metricName": "Events received", + "legend": "Box events received", + "baseQuery": "{{graphQueriesTableName}}" + } + ], + "sampleQueries": [ + { + "description": "All Box events", + "query": "BoxEvents\n| sort by TimeGenerated desc" + } + ], + "dataTypes": [ + { + "name": "{{graphQueriesTableName}}", + "lastDataReceivedQuery": "{{graphQueriesTableName}}\n| summarize Time = max(TimeGenerated)\n| where isnotempty(Time)" + } + ], + "connectivityCriteria": [ + { + "type": "HasDataConnectors" + } + ], + "permissions": { + "resourceProvider": [ + { + "provider": "Microsoft.OperationalInsights/workspaces", + "permissionsDisplayText": "Read and Write permissions are required.", + "providerDisplayName": "Workspace", + "scope": "Workspace", + "requiredPermissions": { + "write": true, + "read": true, + "delete": true + } + } + ], + "customs": [ + { + "name": "Box API credentials", + "description": "Box API requires a Box App client ID and client secret to authenticate. 
[See the documentation to learn more about Client Credentials grant](https://developer.box.com/guides/authentication/client-credentials/client-credentials-setup/)" + }, + { + "name": "Box Enterprise ID", + "description": "Box Enterprise ID is required to make the connection. See documentation to [find Enterprise ID](https://developer.box.com/platform/appendix/locating-values/)" + } + ] + }, + "instructionSteps": [ + { + "description": ">**NOTE:** This connector uses Codeless Connecor Platform (CCP) to connect to the Box REST API to pull logs into Microsoft Sentinel." + }, + { + "description": ">**NOTE:** This connector depends on a parser based on Kusto Function to work as expected [**BoxEvents**](https://aka.ms/sentinel-BoxDataConnector-parser) which is deployed with the Microsoft Sentinel Solution." + }, + { + "description": "**STEP 1 - Create Box Custom Application**\n\nSee documentation to [setup client credentials authentication](https://developer.box.com/guides/authentication/client-credentials/client-credentials-setup/)\n" + }, + { + "description": "**STEP 2 - Grab Client ID and Client Secret values**\n\nYou might need to setup 2FA to fetch the secret.\n" + }, + { + "description": "**STEP 3 - Grab Box Enterprise ID from Box Admin Console**\n\nSee documentation to [find Enterprise ID](https://developer.box.com/platform/appendix/locating-values/)\n" + }, + { + "description": "Provide the required values below:\n", + "instructions": [ + { + "type": "Textbox", + "parameters": { + "label": "Box Enterprise ID", + "placeholder": "123456", + "type": "text", + "name": "boxEnterpriseId" + } + }, + { + "type": "OAuthForm", + "parameters": { + "clientIdLabel": "Client ID", + "clientSecretLabel": "Client Secret", + "connectButtonLabel": "Connect", + "disconnectButtonLabel": "Disconnect" + } + } + ], + "title": "Connect to Box to start collecting event logs to Microsoft Sentinel" + } + ] + } + } +} \ No newline at end of file 
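Review bot: `requiredPermissions` asks for `delete: true` on the workspace, yet nothing in this definition or in the poller deletes anything; unless the CCP framework itself requires it, drop it so the connector requests only read and write (least privilege). The first instruction step has a typo, `Codeless Connecor Platform` → `Codeless Connector Platform`. The only sample query targets the `BoxEvents` parser alias while `graphQueriesTableName` is `BoxEventsV2_CL`; that is consistent with the parser note, but a second sample against the raw table, e.g. `"query": "BoxEventsV2_CL\n| sort by TimeGenerated desc"`, would let users confirm ingestion before the parser is deployed.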
diff --git a/Solutions/Box/Data Connectors/BoxEvents_ccp/BoxEvents_DataConnectorPoller.json b/Solutions/Box/Data Connectors/BoxEvents_ccp/BoxEvents_DataConnectorPoller.json
new file mode 100644
index 00000000000..9c3a7606d3a
--- /dev/null
+++ b/Solutions/Box/Data Connectors/BoxEvents_ccp/BoxEvents_DataConnectorPoller.json
@@ -0,0 +1,57 @@
+{
+ "name": "BoxEventsCCPPolling",
+ "apiVersion": "2022-12-01-preview",
+ "type": "Microsoft.SecurityInsights/dataConnectors",
+ "location": "{{location}}",
+ "kind": "RestApiPoller",
+ "properties": {
+ "connectorDefinitionName": "BoxEventsCCPDefinition",
+ "dataType": "BoxEventsV2_CL",
+ "response": {
+ "eventsJsonPaths": [
+ "$.entries"
+ ],
+ "format": "json"
+ },
+ "paging": {
+ "pagingType": "PersistentToken",
+ "nextPageTokenJsonPath": "$.next_stream_position",
+ "nextPageParaName": "stream_position"
+ },
+ "auth": {
+ "type": "OAuth2",
+ "clientSecret": "{{clientSecret}}",
+ "clientId": "{{clientId}}",
+ "grantType": "client_credentials",
+ "TokenEndpoint": "https://api.box.com/oauth2/token",
+ "TokenEndpointHeaders": {
+ "Content-Type": "application/x-www-form-urlencoded"
+ },
+ "tokenEndpointQueryParameters": {
+ "box_subject_type": "enterprise",
+ "box_subject_id": "{{boxEnterpriseId}}"
+ }
+ },
+ "request": {
+ "apiEndpoint": "https://api.box.com/2.0/events",
+ "queryParameters": {
+ "stream_type": "admin_logs"
+ },
+ "rateLimitQPS": 10,
+ "queryWindowInMin": 5,
+ "httpMethod": "GET",
+ "retryCount": 3,
+ "timeoutInSeconds": 60,
+ "queryTimeFormat": "yyyy-MM-ddTHH:mm:ssZ",
+ "startTimeAttributeName": "created_after",
+ "headers": {
+ "Accept": "*/*"
+ }
+ },
+ "dcrConfig": {
+ "dataCollectionEndpoint": "{{dataCollectionEndpoint}}",
+ "dataCollectionRuleImmutableId": "{{dataCollectionRuleImmutableId}}",
+ "streamName": "Custom-Box_CL"
+ }
+ }
+}
\ No newline at end of file
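Review bot: The `auth` object mixes key casing: `TokenEndpoint` and `TokenEndpointHeaders` are PascalCase while `clientId`, `clientSecret`, `grantType` and `tokenEndpointQueryParameters` in the same object are camelCase. If the resource provider matches property names case-sensitively the two PascalCase keys would be dropped and the client-credentials request would have no token endpoint and no form content type; even if it is tolerant, normalise them to `"tokenEndpoint"` and `"tokenEndpointHeaders"` so the file follows one convention. The credentials and enterprise id are all injected through `{{…}}` placeholders, so no secret is committed here, which is the right pattern.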
diff --git a/Solutions/Box/Data Connectors/BoxEvents_ccp/BoxEvents_table.json b/Solutions/Box/Data Connectors/BoxEvents_ccp/BoxEvents_table.json new file mode 100644 index 00000000000..2567f9cdbcf --- /dev/null +++ b/Solutions/Box/Data Connectors/BoxEvents_ccp/BoxEvents_table.json 
@@ -0,0 +1,163 @@ +[ + { + "name": "BoxEventsV2_CL", + "apiVersion": "2022-10-01", + "type": "Microsoft.OperationalInsights/workspaces/tables", + "location": "{{location}}", + "properties": { + "schema": { + "name": "BoxEventsV2_CL", + "columns": [ + { + "name": "additional_details", + "type": "dynamic" + }, + { + "name": "created_at", + "type": "datetime" + }, + { + "name": "event_id", + "type": "string" + }, + { + "name": "event_type", + "type": "string" + }, + { + "name": "ip_address", + "type": "string" + }, + { + "name": "session_id", + "type": "dynamic" + }, + { + "name": "TimeGenerated", + "type": "datetime" + }, + { + "name": "event_category", + "type": "string" + }, + { + "name": "source_user_email", + "type": "string" + }, + { + "name": "source_file_id", + "type": "string" + }, + { + "name": "source_file_name", + "type": "string" + }, + { + "name": "source_parent_name", + "type": "string" + }, + { + "name": "source_item_type", + "type": "string" + }, + { + "name": "source_item_id", + "type": "string" + }, + { + "name": "source_item_name", + "type": "string" + }, + { + "name": "source_parent_type", + "type": "string" + }, + { + "name": "source_parent_id", + "type": "string" + }, + { + "name": "source_owned_by_type", + "type": "string" + }, + { + "name": "source_owned_by_id", + "type": "string" + }, + { + "name": "source_owned_by_name", + "type": "string" + }, + { + "name": "source_owned_by_login", + "type": "string" + }, + { + "name": "created_by_type", + "type": "string" + }, + { + "name": "created_by_id", + "type": "string" + }, + { + "name": "created_by_name", + "type": "string" + }, + { + "name": "created_by_login", + "type": "string" + }, + { + "name": "source_type", + "type": "string" + }, + { + "name": "source_id", + "type": "string" + }, + { + "name": "source_name", + "type": "string" + }, + { + "name": "source_login", + "type": "string" + }, + { + "name": "source_folder_id", + "type": "string" + }, + { + "name": "source_folder_name", + "type": 
"string" + }, + { + "name": "source_user_id", + "type": "string" + }, + { + "name": "source_user_name", + "type": "string" + }, + { + "name": "accessible_by_type", + "type": "string" + }, + { + "name": "accessible_by_id", + "type": "string" + }, + { + "name": "accessible_by_name", + "type": "string" + }, + { + "name": "accessible_by_login", + "type": "string" + } + ] + } + } + } +] \ No newline at end of file diff --git a/Solutions/Box/Data/Solution_Box.json b/Solutions/Box/Data/Solution_Box.json index f2e2f7c83ff..802a08f2fed 100644 --- a/Solutions/Box/Data/Solution_Box.json +++ b/Solutions/Box/Data/Solution_Box.json @@ -7,7 +7,7 @@ "Workbooks/Box.json" ], "Parsers": [ - "Parsers/BoxEvents" + "Parsers/BoxEvents.yaml" ], "Hunting Queries": [ "Hunting Queries/BoxAdminIpAddress.yaml", @@ -22,7 +22,8 @@ "Hunting Queries/BoxUsersWithOwnerPermissions.yaml" ], "Data Connectors": [ - "Data Connectors/Box_API_FunctionApp.json" + "Data Connectors/Box_API_FunctionApp.json", + "Data Connectors/BoxEvents_ccp/BoxEvents_DataConnectorDefinition.json" ], "Analytic Rules": [ "Analytic Rules/BoxAbnormalUserActivity.yaml", @@ -37,7 +38,7 @@ "Analytic Rules/BoxUserRoleChangedToOwner.yaml" ], "BasePath": "C:\\GitHub\\Azure-Sentinel\\Solutions\\Box", - "Version": "3.0.1", + "Version": "3.1.0", "Metadata": "SolutionMetadata.json", "TemplateSpec": true, "Is1PConnector": false diff --git a/Solutions/Box/Package/3.1.0.zip b/Solutions/Box/Package/3.1.0.zip new file mode 100644 index 00000000000..9c180113cef Binary files /dev/null and b/Solutions/Box/Package/3.1.0.zip differ diff --git a/Solutions/Box/Package/createUiDefinition.json b/Solutions/Box/Package/createUiDefinition.json index 4f2e9b5e5c1..bd8ac841aeb 100644 --- a/Solutions/Box/Package/createUiDefinition.json +++ b/Solutions/Box/Package/createUiDefinition.json 
@@ -6,7 +6,7 @@ "config": { "isWizard": false, "basics": { - "description": "\n\n**Note:** Please refer to the following before installing the solution: \r \n • Review the solution [Release Notes](https://github.com/Azure/Azure-Sentinel/tree/master/Solutions/Box/ReleaseNotes.md)\r \n • There may be [known issues](https://aka.ms/sentinelsolutionsknownissues) pertaining to this Solution, please refer to them before installing.\n\nThe [Box](https://developer.box.com/guides/events/enterprise-events/for-enterprise/) solution connector provides the capability to ingest [Box enterprise's events](https://developer.box.com/guides/events/#admin-events) into Microsoft Sentinel using the Box REST API. \r\n \r\n **Underlying Microsoft Technologies used:** \r\n \r\n This solution takes a dependency on the following technologies, and some of these dependencies either may be in [Preview](https://azure.microsoft.com/support/legal/preview-supplemental-terms/) state or might result in additional ingestion or operational costs:\r\n \r\n a. [Azure Monitor HTTP Data Collector API](https://docs.microsoft.com/azure/azure-monitor/logs/data-collector-api) \r\n \r\n b. 
[Azure Functions ](https://azure.microsoft.com/services/functions/#overview)\n\n**Data Connectors:** 1, **Parsers:** 1, **Workbooks:** 1, **Analytic Rules:** 10, **Hunting Queries:** 10\n\n[Learn more about Microsoft Sentinel](https://aka.ms/azuresentinel) | [Learn more about Solutions](https://aka.ms/azuresentinelsolutionsdoc)", + "description": "\n\n**Note:** Please refer to the following before installing the solution: \n\n• Review the solution [Release Notes](https://github.com/Azure/Azure-Sentinel/tree/master/Solutions/Box/ReleaseNotes.md)\n\n • There may be [known issues](https://aka.ms/sentinelsolutionsknownissues) pertaining to this Solution, please refer to them before installing.\n\nThe [Box](https://developer.box.com/guides/events/enterprise-events/for-enterprise/) solution connector provides the capability to ingest [Box enterprise's events](https://developer.box.com/guides/events/#admin-events) into Microsoft Sentinel using the Box REST API \r\n \r\n **Underlying Microsoft Technologies used:** \r\n \r\n This solution takes a dependency on the following technologies, and some of these dependencies either may be in [Preview](https://azure.microsoft.com/support/legal/preview-supplemental-terms/) state or might result in additional ingestion or operational costs:\r\n \r\n a. [Azure Monitor HTTP Data Collector API](https://docs.microsoft.com/azure/azure-monitor/logs/data-collector-api) \r\n \r\n b. [Azure Functions ](https://azure.microsoft.com/services/functions/#overview)\n\n**Data Connectors:** 2, **Parsers:** 1, **Workbooks:** 1, **Analytic Rules:** 10, **Hunting Queries:** 10\n\n[Learn more about Microsoft Sentinel](https://aka.ms/azuresentinel) | [Learn more about Solutions](https://aka.ms/azuresentinelsolutionsdoc)", "subscription": { "resourceProviders": [ "Microsoft.OperationsManagement/solutions", 
@@ -60,14 +60,14 @@
 "name": "dataconnectors1-text",
 "type": "Microsoft.Common.TextBlock",
 "options": {
- "text": "This solution installs the data connector for ingesting Box enterprise’s events into Microsoft Sentinel. After installing the solution, configure and enable this data connector by following guidance in Manage solution view."
+ "text": "This Solution installs the data connector for Box. You can get Box custom log data in your Microsoft Sentinel workspace. After installing the solution, configure and enable this data connector by following guidance in Manage solution view."
 }
 },
 {
- "name": "dataconnectors-parser-text",
+ "name": "dataconnectors2-text",
 "type": "Microsoft.Common.TextBlock",
 "options": {
- "text": "The solution also installs a parser that transforms ingested data. The transformed logs can be accessed using the BoxEvents Kusto Function alias."
+ "text": "This Solution installs the data connector for Box. You can get Box data in your Microsoft Sentinel workspace. After installing the solution, configure and enable this data connector by following guidance in Manage solution view."
 }
 },
 {
diff --git a/Solutions/Box/Package/mainTemplate.json b/Solutions/Box/Package/mainTemplate.json
index 632479d76a7..f275a635619 100644
--- a/Solutions/Box/Package/mainTemplate.json
+++ b/Solutions/Box/Package/mainTemplate.json
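Review bot: The two new text blocks `dataconnectors1-text` and `dataconnectors2-text` are near-duplicates that both open with "This Solution installs the data connector for Box" and never say which connector each describes, so the install wizard no longer distinguishes the Azure Functions connector from the new CCP connector. The replaced `dataconnectors-parser-text` block was also the only place the wizard mentioned the `BoxEvents` Kusto Function alias that the connector definition says the solution depends on. Suggest distinct wording per block, e.g. `"text": "This Solution installs the Box Events (CCP) data connector. …"`, and a short sentence restoring the note about the BoxEvents parser alias.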
@@ -35,13 +35,27 @@ "metadata": { "description": "Name for the workbook" } + }, + "resourceGroupName": { + "type": "string", + "defaultValue": "[resourceGroup().name]", + "metadata": { + "description": "resource group name where Microsoft Sentinel is setup" + } + }, + "subscription": { + "type": "string", + "defaultValue": "[last(split(subscription().id, '/'))]", + "metadata": { + "description": "subscription id where Microsoft Sentinel is setup" + } } }, "variables": { "email": "support@microsoft.com", "_email": "[variables('email')]", "_solutionName": "Box", - "_solutionVersion": "3.0.1", + "_solutionVersion": "3.1.0", "solutionId": "azuresentinel.azure-sentinel-solution-box", "_solutionId": "[variables('solutionId')]", "workbookVersion1": "1.0.0", 
@@ -51,75 +65,63 @@ "_workbookContentId1": "[variables('workbookContentId1')]", "workspaceResourceId": "[resourceId('microsoft.OperationalInsights/Workspaces', parameters('workspace'))]", "_workbookcontentProductId1": "[concat(take(variables('_solutionId'),50),'-','wb','-', uniqueString(concat(variables('_solutionId'),'-','Workbook','-',variables('_workbookContentId1'),'-', variables('workbookVersion1'))))]", - "parserName1": "Box Data Parser", - "_parserName1": "[concat(parameters('workspace'),'/',variables('parserName1'))]", - "parserId1": "[resourceId('Microsoft.OperationalInsights/workspaces/savedSearches', parameters('workspace'), variables('parserName1'))]", - "_parserId1": "[variables('parserId1')]", - "parserTemplateSpecName1": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-pr-',uniquestring(variables('_parserContentId1'))))]", - "parserVersion1": "1.0.0", - "parserContentId1": "BoxEvents-Parser", - "_parserContentId1": "[variables('parserContentId1')]", - "_parsercontentProductId1": "[concat(take(variables('_solutionId'),50),'-','pr','-', uniqueString(concat(variables('_solutionId'),'-','Parser','-',variables('_parserContentId1'),'-', variables('parserVersion1'))))]", - "huntingQueryVersion1": "1.0.0", - "huntingQuerycontentId1": "949aec39-304d-4fba-94b3-15337d05e3f1", - "_huntingQuerycontentId1": "[variables('huntingQuerycontentId1')]", - "huntingQueryId1": "[resourceId('Microsoft.OperationalInsights/savedSearches', variables('_huntingQuerycontentId1'))]", - "huntingQueryTemplateSpecName1": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-hq-',uniquestring(variables('_huntingQuerycontentId1'))))]", - "_huntingQuerycontentProductId1": "[concat(take(variables('_solutionId'),50),'-','hq','-', uniqueString(concat(variables('_solutionId'),'-','HuntingQuery','-',variables('_huntingQuerycontentId1'),'-', variables('huntingQueryVersion1'))))]", - 
"huntingQueryVersion2": "1.0.0", - "huntingQuerycontentId2": "4b4a1802-8fcc-4eeb-9ccd-b5bb16f4b64b", - "_huntingQuerycontentId2": "[variables('huntingQuerycontentId2')]", - "huntingQueryId2": "[resourceId('Microsoft.OperationalInsights/savedSearches', variables('_huntingQuerycontentId2'))]", - "huntingQueryTemplateSpecName2": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-hq-',uniquestring(variables('_huntingQuerycontentId2'))))]", - "_huntingQuerycontentProductId2": "[concat(take(variables('_solutionId'),50),'-','hq','-', uniqueString(concat(variables('_solutionId'),'-','HuntingQuery','-',variables('_huntingQuerycontentId2'),'-', variables('huntingQueryVersion2'))))]", - "huntingQueryVersion3": "1.0.0", - "huntingQuerycontentId3": "d8ef8d5c-97f3-4552-afca-75d44339fa8f", - "_huntingQuerycontentId3": "[variables('huntingQuerycontentId3')]", - "huntingQueryId3": "[resourceId('Microsoft.OperationalInsights/savedSearches', variables('_huntingQuerycontentId3'))]", - "huntingQueryTemplateSpecName3": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-hq-',uniquestring(variables('_huntingQuerycontentId3'))))]", - "_huntingQuerycontentProductId3": "[concat(take(variables('_solutionId'),50),'-','hq','-', uniqueString(concat(variables('_solutionId'),'-','HuntingQuery','-',variables('_huntingQuerycontentId3'),'-', variables('huntingQueryVersion3'))))]", - "huntingQueryVersion4": "1.0.0", - "huntingQuerycontentId4": "c0a4169e-c713-484b-95a9-d8f437b52d66", - "_huntingQuerycontentId4": "[variables('huntingQuerycontentId4')]", - "huntingQueryId4": "[resourceId('Microsoft.OperationalInsights/savedSearches', variables('_huntingQuerycontentId4'))]", - "huntingQueryTemplateSpecName4": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-hq-',uniquestring(variables('_huntingQuerycontentId4'))))]", - "_huntingQuerycontentProductId4": 
"[concat(take(variables('_solutionId'),50),'-','hq','-', uniqueString(concat(variables('_solutionId'),'-','HuntingQuery','-',variables('_huntingQuerycontentId4'),'-', variables('huntingQueryVersion4'))))]", - "huntingQueryVersion5": "1.0.0", - "huntingQuerycontentId5": "c8e19aa5-3424-4b90-8594-79ee4613f429", - "_huntingQuerycontentId5": "[variables('huntingQuerycontentId5')]", - "huntingQueryId5": "[resourceId('Microsoft.OperationalInsights/savedSearches', variables('_huntingQuerycontentId5'))]", - "huntingQueryTemplateSpecName5": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-hq-',uniquestring(variables('_huntingQuerycontentId5'))))]", - "_huntingQuerycontentProductId5": "[concat(take(variables('_solutionId'),50),'-','hq','-', uniqueString(concat(variables('_solutionId'),'-','HuntingQuery','-',variables('_huntingQuerycontentId5'),'-', variables('huntingQueryVersion5'))))]", - "huntingQueryVersion6": "1.0.0", - "huntingQuerycontentId6": "6b91dda7-d9c5-4197-9dea-0c41f7c55176", - "_huntingQuerycontentId6": "[variables('huntingQuerycontentId6')]", - "huntingQueryId6": "[resourceId('Microsoft.OperationalInsights/savedSearches', variables('_huntingQuerycontentId6'))]", - "huntingQueryTemplateSpecName6": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-hq-',uniquestring(variables('_huntingQuerycontentId6'))))]", - "_huntingQuerycontentProductId6": "[concat(take(variables('_solutionId'),50),'-','hq','-', uniqueString(concat(variables('_solutionId'),'-','HuntingQuery','-',variables('_huntingQuerycontentId6'),'-', variables('huntingQueryVersion6'))))]", - "huntingQueryVersion7": "1.0.0", - "huntingQuerycontentId7": "47e0a82d-fd66-4d6e-a64a-ac377f136426", - "_huntingQuerycontentId7": "[variables('huntingQuerycontentId7')]", - "huntingQueryId7": "[resourceId('Microsoft.OperationalInsights/savedSearches', variables('_huntingQuerycontentId7'))]", - "huntingQueryTemplateSpecName7": 
"[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-hq-',uniquestring(variables('_huntingQuerycontentId7'))))]", - "_huntingQuerycontentProductId7": "[concat(take(variables('_solutionId'),50),'-','hq','-', uniqueString(concat(variables('_solutionId'),'-','HuntingQuery','-',variables('_huntingQuerycontentId7'),'-', variables('huntingQueryVersion7'))))]", - "huntingQueryVersion8": "1.0.0", - "huntingQuerycontentId8": "5ff08015-2d1e-4c2b-862f-2759e6132d0e", - "_huntingQuerycontentId8": "[variables('huntingQuerycontentId8')]", - "huntingQueryId8": "[resourceId('Microsoft.OperationalInsights/savedSearches', variables('_huntingQuerycontentId8'))]", - "huntingQueryTemplateSpecName8": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-hq-',uniquestring(variables('_huntingQuerycontentId8'))))]", - "_huntingQuerycontentProductId8": "[concat(take(variables('_solutionId'),50),'-','hq','-', uniqueString(concat(variables('_solutionId'),'-','HuntingQuery','-',variables('_huntingQuerycontentId8'),'-', variables('huntingQueryVersion8'))))]", - "huntingQueryVersion9": "1.0.0", - "huntingQuerycontentId9": "484f9c1c-a8d6-4a78-b526-d38958ade100", - "_huntingQuerycontentId9": "[variables('huntingQuerycontentId9')]", - "huntingQueryId9": "[resourceId('Microsoft.OperationalInsights/savedSearches', variables('_huntingQuerycontentId9'))]", - "huntingQueryTemplateSpecName9": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-hq-',uniquestring(variables('_huntingQuerycontentId9'))))]", - "_huntingQuerycontentProductId9": "[concat(take(variables('_solutionId'),50),'-','hq','-', uniqueString(concat(variables('_solutionId'),'-','HuntingQuery','-',variables('_huntingQuerycontentId9'),'-', variables('huntingQueryVersion9'))))]", - "huntingQueryVersion10": "1.0.0", - "huntingQuerycontentId10": "09fee766-d5ba-4e8c-8e9e-363915aee1f4", - "_huntingQuerycontentId10": 
"[variables('huntingQuerycontentId10')]", - "huntingQueryId10": "[resourceId('Microsoft.OperationalInsights/savedSearches', variables('_huntingQuerycontentId10'))]", - "huntingQueryTemplateSpecName10": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-hq-',uniquestring(variables('_huntingQuerycontentId10'))))]", - "_huntingQuerycontentProductId10": "[concat(take(variables('_solutionId'),50),'-','hq','-', uniqueString(concat(variables('_solutionId'),'-','HuntingQuery','-',variables('_huntingQuerycontentId10'),'-', variables('huntingQueryVersion10'))))]", + "parserObject1": { + "_parserName1": "[concat(parameters('workspace'),'/','Box Data Parser')]", + "_parserId1": "[resourceId('Microsoft.OperationalInsights/workspaces/savedSearches', parameters('workspace'), 'Box Data Parser')]", + "parserTemplateSpecName1": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-pr-',uniquestring('BoxEvents-Parser')))]", + "parserVersion1": "2.0.0", + "parserContentId1": "BoxEvents-Parser" + }, + "huntingQueryObject1": { + "huntingQueryVersion1": "1.0.0", + "_huntingQuerycontentId1": "949aec39-304d-4fba-94b3-15337d05e3f1", + "huntingQueryTemplateSpecName1": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-hq-',uniquestring('949aec39-304d-4fba-94b3-15337d05e3f1')))]" + }, + "huntingQueryObject2": { + "huntingQueryVersion2": "1.0.0", + "_huntingQuerycontentId2": "4b4a1802-8fcc-4eeb-9ccd-b5bb16f4b64b", + "huntingQueryTemplateSpecName2": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-hq-',uniquestring('4b4a1802-8fcc-4eeb-9ccd-b5bb16f4b64b')))]" + }, + "huntingQueryObject3": { + "huntingQueryVersion3": "1.0.0", + "_huntingQuerycontentId3": "d8ef8d5c-97f3-4552-afca-75d44339fa8f", + "huntingQueryTemplateSpecName3": 
"[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-hq-',uniquestring('d8ef8d5c-97f3-4552-afca-75d44339fa8f')))]" + }, + "huntingQueryObject4": { + "huntingQueryVersion4": "1.0.0", + "_huntingQuerycontentId4": "c0a4169e-c713-484b-95a9-d8f437b52d66", + "huntingQueryTemplateSpecName4": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-hq-',uniquestring('c0a4169e-c713-484b-95a9-d8f437b52d66')))]" + }, + "huntingQueryObject5": { + "huntingQueryVersion5": "1.0.0", + "_huntingQuerycontentId5": "c8e19aa5-3424-4b90-8594-79ee4613f429", + "huntingQueryTemplateSpecName5": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-hq-',uniquestring('c8e19aa5-3424-4b90-8594-79ee4613f429')))]" + }, + "huntingQueryObject6": { + "huntingQueryVersion6": "1.0.0", + "_huntingQuerycontentId6": "6b91dda7-d9c5-4197-9dea-0c41f7c55176", + "huntingQueryTemplateSpecName6": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-hq-',uniquestring('6b91dda7-d9c5-4197-9dea-0c41f7c55176')))]" + }, + "huntingQueryObject7": { + "huntingQueryVersion7": "1.0.0", + "_huntingQuerycontentId7": "47e0a82d-fd66-4d6e-a64a-ac377f136426", + "huntingQueryTemplateSpecName7": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-hq-',uniquestring('47e0a82d-fd66-4d6e-a64a-ac377f136426')))]" + }, + "huntingQueryObject8": { + "huntingQueryVersion8": "1.0.0", + "_huntingQuerycontentId8": "5ff08015-2d1e-4c2b-862f-2759e6132d0e", + "huntingQueryTemplateSpecName8": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-hq-',uniquestring('5ff08015-2d1e-4c2b-862f-2759e6132d0e')))]" + }, + "huntingQueryObject9": { + "huntingQueryVersion9": "1.0.0", + "_huntingQuerycontentId9": "484f9c1c-a8d6-4a78-b526-d38958ade100", + "huntingQueryTemplateSpecName9": 
"[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-hq-',uniquestring('484f9c1c-a8d6-4a78-b526-d38958ade100')))]" + }, + "huntingQueryObject10": { + "huntingQueryVersion10": "1.0.0", + "_huntingQuerycontentId10": "09fee766-d5ba-4e8c-8e9e-363915aee1f4", + "huntingQueryTemplateSpecName10": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-hq-',uniquestring('09fee766-d5ba-4e8c-8e9e-363915aee1f4')))]" + }, "uiConfigId1": "BoxDataConnector", "_uiConfigId1": "[variables('uiConfigId1')]", "dataConnectorContentId1": "BoxDataConnector", 
@@ -129,66 +131,84 @@ "dataConnectorTemplateSpecName1": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-dc-',uniquestring(variables('_dataConnectorContentId1'))))]", "dataConnectorVersion1": "1.0.0", "_dataConnectorcontentProductId1": "[concat(take(variables('_solutionId'),50),'-','dc','-', uniqueString(concat(variables('_solutionId'),'-','DataConnector','-',variables('_dataConnectorContentId1'),'-', variables('dataConnectorVersion1'))))]", - "analyticRuleVersion1": "1.0.0", - "analyticRulecontentId1": "1139230c-cf10-45db-b616-fed0d1415c05", - "_analyticRulecontentId1": "[variables('analyticRulecontentId1')]", - "analyticRuleId1": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', variables('analyticRulecontentId1'))]", - "analyticRuleTemplateSpecName1": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring(variables('_analyticRulecontentId1'))))]", - "_analyticRulecontentProductId1": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-',variables('_analyticRulecontentId1'),'-', variables('analyticRuleVersion1'))))]", - "analyticRuleVersion2": "1.0.0", - "analyticRulecontentId2": "b91ec98d-5747-45c8-b2f6-a07bf47068f0", - "_analyticRulecontentId2": "[variables('analyticRulecontentId2')]", - "analyticRuleId2": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', variables('analyticRulecontentId2'))]", - "analyticRuleTemplateSpecName2": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring(variables('_analyticRulecontentId2'))))]", - "_analyticRulecontentProductId2": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-',variables('_analyticRulecontentId2'),'-', variables('analyticRuleVersion2'))))]", - "analyticRuleVersion3": "1.0.0", - 
"analyticRulecontentId3": "8889e69c-2161-412a-94a6-76c1b2d9daa7", - "_analyticRulecontentId3": "[variables('analyticRulecontentId3')]", - "analyticRuleId3": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', variables('analyticRulecontentId3'))]", - "analyticRuleTemplateSpecName3": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring(variables('_analyticRulecontentId3'))))]", - "_analyticRulecontentProductId3": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-',variables('_analyticRulecontentId3'),'-', variables('analyticRuleVersion3'))))]", - "analyticRuleVersion4": "1.0.0", - "analyticRulecontentId4": "edbf38d7-e170-4af2-ad50-1a05b374611b", - "_analyticRulecontentId4": "[variables('analyticRulecontentId4')]", - "analyticRuleId4": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', variables('analyticRulecontentId4'))]", - "analyticRuleTemplateSpecName4": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring(variables('_analyticRulecontentId4'))))]", - "_analyticRulecontentProductId4": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-',variables('_analyticRulecontentId4'),'-', variables('analyticRuleVersion4'))))]", - "analyticRuleVersion5": "1.0.0", - "analyticRulecontentId5": "3b803560-f8a6-4db4-89cb-617d89724ba1", - "_analyticRulecontentId5": "[variables('analyticRulecontentId5')]", - "analyticRuleId5": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', variables('analyticRulecontentId5'))]", - "analyticRuleTemplateSpecName5": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring(variables('_analyticRulecontentId5'))))]", - "_analyticRulecontentProductId5": 
"[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-',variables('_analyticRulecontentId5'),'-', variables('analyticRuleVersion5'))))]", - "analyticRuleVersion6": "1.0.0", - "analyticRulecontentId6": "1b212329-6f2c-46ca-9071-de3464f3d88d", - "_analyticRulecontentId6": "[variables('analyticRulecontentId6')]", - "analyticRuleId6": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', variables('analyticRulecontentId6'))]", - "analyticRuleTemplateSpecName6": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring(variables('_analyticRulecontentId6'))))]", - "_analyticRulecontentProductId6": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-',variables('_analyticRulecontentId6'),'-', variables('analyticRuleVersion6'))))]", - "analyticRuleVersion7": "1.0.0", - "analyticRulecontentId7": "fd36ac88-cd92-4137-aa23-37a3648621fa", - "_analyticRulecontentId7": "[variables('analyticRulecontentId7')]", - "analyticRuleId7": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', variables('analyticRulecontentId7'))]", - "analyticRuleTemplateSpecName7": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring(variables('_analyticRulecontentId7'))))]", - "_analyticRulecontentProductId7": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-',variables('_analyticRulecontentId7'),'-', variables('analyticRuleVersion7'))))]", - "analyticRuleVersion8": "1.0.0", - "analyticRulecontentId8": "266746ae-5eaf-4068-a980-5d630f435c46", - "_analyticRulecontentId8": "[variables('analyticRulecontentId8')]", - "analyticRuleId8": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', variables('analyticRulecontentId8'))]", - 
"analyticRuleTemplateSpecName8": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring(variables('_analyticRulecontentId8'))))]", - "_analyticRulecontentProductId8": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-',variables('_analyticRulecontentId8'),'-', variables('analyticRuleVersion8'))))]", - "analyticRuleVersion9": "1.0.0", - "analyticRulecontentId9": "b2197d7f-4731-483c-89de-d48606b872da", - "_analyticRulecontentId9": "[variables('analyticRulecontentId9')]", - "analyticRuleId9": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', variables('analyticRulecontentId9'))]", - "analyticRuleTemplateSpecName9": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring(variables('_analyticRulecontentId9'))))]", - "_analyticRulecontentProductId9": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-',variables('_analyticRulecontentId9'),'-', variables('analyticRuleVersion9'))))]", - "analyticRuleVersion10": "1.0.0", - "analyticRulecontentId10": "174c31c9-22ec-42e5-8226-814391c08200", - "_analyticRulecontentId10": "[variables('analyticRulecontentId10')]", - "analyticRuleId10": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', variables('analyticRulecontentId10'))]", - "analyticRuleTemplateSpecName10": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring(variables('_analyticRulecontentId10'))))]", - "_analyticRulecontentProductId10": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-',variables('_analyticRulecontentId10'),'-', variables('analyticRuleVersion10'))))]", + "dataConnectorCCPVersion": "1.0.0", + "_dataConnectorContentIdConnectorDefinition2": 
"BoxEventsCCPDefinition", + "dataConnectorTemplateNameConnectorDefinition2": "[concat(parameters('workspace'),'-dc-',uniquestring(variables('_dataConnectorContentIdConnectorDefinition2')))]", + "_dataConnectorContentIdConnections2": "BoxEventsCCPDefinitionConnections", + "dataConnectorTemplateNameConnections2": "[concat(parameters('workspace'),'-dc-',uniquestring(variables('_dataConnectorContentIdConnections2')))]", + "dataCollectionEndpointId2": "[concat('/subscriptions/',parameters('subscription'),'/resourceGroups/',parameters('resourceGroupName'),'/providers/Microsoft.Insights/dataCollectionEndpoints/',parameters('workspace'))]", + "blanks": "[replace('b', 'b', '')]", + "TemplateEmptyObject": "[json('{}')]", + "analyticRuleObject1": { + "analyticRuleVersion1": "1.0.0", + "_analyticRulecontentId1": "1139230c-cf10-45db-b616-fed0d1415c05", + "analyticRuleId1": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', '1139230c-cf10-45db-b616-fed0d1415c05')]", + "analyticRuleTemplateSpecName1": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring('1139230c-cf10-45db-b616-fed0d1415c05')))]", + "_analyticRulecontentProductId1": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','1139230c-cf10-45db-b616-fed0d1415c05','-', '1.0.0')))]" + }, + "analyticRuleObject2": { + "analyticRuleVersion2": "1.0.0", + "_analyticRulecontentId2": "b91ec98d-5747-45c8-b2f6-a07bf47068f0", + "analyticRuleId2": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', 'b91ec98d-5747-45c8-b2f6-a07bf47068f0')]", + "analyticRuleTemplateSpecName2": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring('b91ec98d-5747-45c8-b2f6-a07bf47068f0')))]", + "_analyticRulecontentProductId2": "[concat(take(variables('_solutionId'),50),'-','ar','-', 
uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','b91ec98d-5747-45c8-b2f6-a07bf47068f0','-', '1.0.0')))]" + }, + "analyticRuleObject3": { + "analyticRuleVersion3": "1.0.0", + "_analyticRulecontentId3": "8889e69c-2161-412a-94a6-76c1b2d9daa7", + "analyticRuleId3": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', '8889e69c-2161-412a-94a6-76c1b2d9daa7')]", + "analyticRuleTemplateSpecName3": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring('8889e69c-2161-412a-94a6-76c1b2d9daa7')))]", + "_analyticRulecontentProductId3": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','8889e69c-2161-412a-94a6-76c1b2d9daa7','-', '1.0.0')))]" + }, + "analyticRuleObject4": { + "analyticRuleVersion4": "1.0.0", + "_analyticRulecontentId4": "edbf38d7-e170-4af2-ad50-1a05b374611b", + "analyticRuleId4": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', 'edbf38d7-e170-4af2-ad50-1a05b374611b')]", + "analyticRuleTemplateSpecName4": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring('edbf38d7-e170-4af2-ad50-1a05b374611b')))]", + "_analyticRulecontentProductId4": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','edbf38d7-e170-4af2-ad50-1a05b374611b','-', '1.0.0')))]" + }, + "analyticRuleObject5": { + "analyticRuleVersion5": "1.0.0", + "_analyticRulecontentId5": "3b803560-f8a6-4db4-89cb-617d89724ba1", + "analyticRuleId5": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', '3b803560-f8a6-4db4-89cb-617d89724ba1')]", + "analyticRuleTemplateSpecName5": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring('3b803560-f8a6-4db4-89cb-617d89724ba1')))]", + "_analyticRulecontentProductId5": 
"[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','3b803560-f8a6-4db4-89cb-617d89724ba1','-', '1.0.0')))]" + }, + "analyticRuleObject6": { + "analyticRuleVersion6": "1.0.0", + "_analyticRulecontentId6": "1b212329-6f2c-46ca-9071-de3464f3d88d", + "analyticRuleId6": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', '1b212329-6f2c-46ca-9071-de3464f3d88d')]", + "analyticRuleTemplateSpecName6": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring('1b212329-6f2c-46ca-9071-de3464f3d88d')))]", + "_analyticRulecontentProductId6": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','1b212329-6f2c-46ca-9071-de3464f3d88d','-', '1.0.0')))]" + }, + "analyticRuleObject7": { + "analyticRuleVersion7": "1.0.0", + "_analyticRulecontentId7": "fd36ac88-cd92-4137-aa23-37a3648621fa", + "analyticRuleId7": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', 'fd36ac88-cd92-4137-aa23-37a3648621fa')]", + "analyticRuleTemplateSpecName7": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring('fd36ac88-cd92-4137-aa23-37a3648621fa')))]", + "_analyticRulecontentProductId7": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','fd36ac88-cd92-4137-aa23-37a3648621fa','-', '1.0.0')))]" + }, + "analyticRuleObject8": { + "analyticRuleVersion8": "1.0.0", + "_analyticRulecontentId8": "266746ae-5eaf-4068-a980-5d630f435c46", + "analyticRuleId8": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', '266746ae-5eaf-4068-a980-5d630f435c46')]", + "analyticRuleTemplateSpecName8": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring('266746ae-5eaf-4068-a980-5d630f435c46')))]", + 
"_analyticRulecontentProductId8": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','266746ae-5eaf-4068-a980-5d630f435c46','-', '1.0.0')))]" + }, + "analyticRuleObject9": { + "analyticRuleVersion9": "1.0.0", + "_analyticRulecontentId9": "b2197d7f-4731-483c-89de-d48606b872da", + "analyticRuleId9": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', 'b2197d7f-4731-483c-89de-d48606b872da')]", + "analyticRuleTemplateSpecName9": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring('b2197d7f-4731-483c-89de-d48606b872da')))]", + "_analyticRulecontentProductId9": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','b2197d7f-4731-483c-89de-d48606b872da','-', '1.0.0')))]" + }, + "analyticRuleObject10": { + "analyticRuleVersion10": "1.0.0", + "_analyticRulecontentId10": "174c31c9-22ec-42e5-8226-814391c08200", + "analyticRuleId10": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', '174c31c9-22ec-42e5-8226-814391c08200')]", + "analyticRuleTemplateSpecName10": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring('174c31c9-22ec-42e5-8226-814391c08200')))]", + "_analyticRulecontentProductId10": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','174c31c9-22ec-42e5-8226-814391c08200','-', '1.0.0')))]" + }, "_solutioncontentProductId": "[concat(take(variables('_solutionId'),50),'-','sl','-', uniqueString(concat(variables('_solutionId'),'-','Solution','-',variables('_solutionId'),'-', variables('_solutionVersion'))))]" }, "resources": [ 
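Review bot: In each new `analyticRuleObjectN` the rule version is now written twice — once as `"analyticRuleVersionN": "1.0.0"` and again as the literal `'1.0.0'` inside `_analyticRulecontentProductIdN` — so bumping one without the other produces a content product ID derived from a stale version, whereas the removed flat variables referenced `variables('analyticRuleVersionN')` and could not drift; the content GUID is likewise repeated three times per object. ARM cannot reference a sibling property from inside the variable object being defined, so if this layout is what the packaging tool emits, the consistency check belongs in the generator or in a CI test that asserts the version literal in the product-ID expression equals `analyticRuleVersionN` for every rule. Separately, `dataCollectionEndpointId2` assembles a resource ID by concatenating `parameters('subscription')` and `parameters('resourceGroupName')`; unless those parameters are constrained (their definitions are not in this hunk), the connector can be pointed at a data collection endpoint outside the deployment scope, while `resourceId('Microsoft.Insights/dataCollectionEndpoints', parameters('workspace'))` would bind it to the current subscription and resource group.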
@@ -201,7 +221,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "BoxWorkbook Workbook with template version 3.0.1", + "description": "Box Workbook with template version 3.1.0", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('workbookVersion1')]", 
@@ -219,7 +239,7 @@ }, "properties": { "displayName": "[parameters('workbook1-name')]", - "serializedData": "{\"version\":\"Notebook/1.0\",\"items\":[{\"type\":1,\"content\":{\"json\":\"**NOTE**: This workbook depends on a parser based on Kusto Function to work as expected [**BoxEvents**](https://aka.ms/sentinel-BoxDataConnector-parser) which is deployed with the Microsoft Sentinel Solution.\",\"style\":\"info\"},\"name\":\"text - 9\"},{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"parameters\":[{\"id\":\"88aa96e3-fc48-4b04-836e-fc2ec8ebf37f\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"TimeRange\",\"label\":\" Time Range\",\"type\":4,\"value\":{\"durationMs\":7776000000},\"typeSettings\":{\"selectableValues\":[{\"durationMs\":300000},{\"durationMs\":3600000},{\"durationMs\":43200000},{\"durationMs\":86400000},{\"durationMs\":259200000},{\"durationMs\":604800000},{\"durationMs\":2592000000},{\"durationMs\":7776000000}]},\"timeContext\":{\"durationMs\":86400000}}],\"style\":\"pills\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"name\":\"parameters - 2\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"BoxEvents\\r\\n| make-series TotalEvents = count() default = 0 on TimeGenerated from {TimeRange:start} to {TimeRange:end} step {TimeRange:grain};\",\"size\":0,\"title\":\"Events over time\",\"timeContext\":{\"durationMs\":7776000000},\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"timechart\"},\"customWidth\":\"65\",\"name\":\"query - 9\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"BoxEvents\\r\\n| where isnotempty(EventType)\\r\\n| summarize TotalEvents = count() by EventType\",\"size\":3,\"title\":\"Event 
Types\",\"timeContext\":{\"durationMs\":7776000000},\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"piechart\",\"tileSettings\":{\"titleContent\":{\"columnMatch\":\"EventSeverity\",\"formatter\":1,\"numberFormat\":{\"unit\":0,\"options\":{\"style\":\"decimal\"}}},\"leftContent\":{\"columnMatch\":\"TotalEvents\",\"formatter\":12,\"formatOptions\":{\"palette\":\"auto\"}},\"showBorder\":true,\"rowLimit\":7,\"size\":\"auto\"},\"graphSettings\":{\"type\":0,\"topContent\":{\"columnMatch\":\"EventSeverity\",\"formatter\":1},\"centerContent\":{\"columnMatch\":\"TotalEvents\",\"formatter\":1,\"numberFormat\":{\"unit\":17,\"options\":{\"maximumSignificantDigits\":3,\"maximumFractionDigits\":2}}}}},\"customWidth\":\"35\",\"name\":\"query - 3\"}]},\"customWidth\":\"80\",\"name\":\"group - 9\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"loadType\":\"always\",\"items\":[{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let user1 = BoxEvents\\r\\n| where isnotempty(SourceName)\\r\\n| summarize Users = dcount(SourceName) by SourceName\\r\\n| project Users, User = SourceName;\\r\\nlet user2 = BoxEvents\\r\\n| where isnotempty(SrcUserName)\\r\\n| summarize Users = count(SrcUserName) by SrcUserName\\r\\n| project Users, User = SrcUserName;\\r\\nlet user3 = BoxEvents\\r\\n| where isnotempty(AccessibleByName)\\r\\n| summarize Users = dcount(AccessibleByName) by AccessibleByName\\r\\n| project Users, User = AccessibleByName;\\r\\nlet users = union user1, user2, user3;\\r\\nusers\\r\\n| summarize Users = dcount(User)\",\"size\":3,\"title\":\"Unique 
Users\",\"timeContext\":{\"durationMs\":7776000000},\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"card\",\"textSettings\":{\"style\":\"bignumber\"}},\"name\":\"query - 5\"}]},\"name\":\"group - 4\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"BoxEvents\\r\\n| where isnotempty(SrcIpAddr)\\r\\n| summarize dcount(SrcIpAddr)\\r\\n\",\"size\":3,\"title\":\"Unique IPs\",\"timeContext\":{\"durationMs\":7776000000},\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"card\",\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"TotalEvents\",\"formatter\":8,\"formatOptions\":{\"palette\":\"blueGreen\"}},{\"columnMatch\":\"Trend\",\"formatter\":10,\"formatOptions\":{\"palette\":\"turquoise\"}}],\"rowLimit\":10,\"labelSettings\":[{\"columnId\":\"TotalEvents\",\"label\":\"Total Events\"},{\"columnId\":\"Trend\"}]},\"textSettings\":{\"style\":\"bignumber\"}},\"name\":\"query - 6\"}]},\"name\":\"group - 2\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let file1 = BoxEvents\\r\\n| where isnotempty(SourceFileName)\\r\\n| summarize d_files = dcount(SourceFileName);\\r\\nlet file2 = BoxEvents\\r\\n| where isnotempty(SourceItemName)\\r\\n| summarize d_files = dcount(SourceItemName);\\r\\nlet files = union file1, file2;\\r\\nfiles\\r\\n| summarize sum(d_files)\\r\\n\",\"size\":3,\"title\":\"Unique 
files\",\"timeContext\":{\"durationMs\":7776000000},\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"card\",\"tileSettings\":{\"titleContent\":{\"formatter\":12,\"formatOptions\":{\"palette\":\"blue\"}},\"leftContent\":{\"columnMatch\":\"sum_d_files\",\"formatter\":22,\"formatOptions\":{\"compositeBarSettings\":{\"labelText\":\"Unique files\",\"columnSettings\":[{\"columnName\":\"sum_d_files\",\"color\":\"blue\"}]}}},\"rightContent\":{\"columnMatch\":\"sum_d_files\",\"formatter\":12,\"formatOptions\":{\"palette\":\"blue\"}},\"showBorder\":false},\"textSettings\":{\"style\":\"bignumber\"}},\"name\":\"query - 0\"}]},\"name\":\"group - 2\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let files_1 = BoxEvents\\r\\n| where TimeGenerated > ago(90d)\\r\\n| where isnotempty(SourceFileName)\\r\\n| summarize TotalItems = dcount(SourceFileName) by SourceFileName\\r\\n| project TotalItems, FileName = SourceFileName;\\r\\nlet files_2 = BoxEvents\\r\\n| where TimeGenerated > ago(90d)\\r\\n| where isnotempty(SourceItemName)\\r\\n| summarize TotalItems = dcount(SourceItemName) by SourceItemName\\r\\n| project TotalItems, FileName = SourceItemName;\\r\\nlet known_files = (union files_1, files_2)\\r\\n| summarize makeset(FileName);\\r\\nBoxEvents\\r\\n| where TimeGenerated between (ago(24h) .. now())\\r\\n| where isnotempty(SourceFileName) \\r\\n| project FileName = SourceFileName\\r\\n| union (BoxEvents\\r\\n | where TimeGenerated between (ago(24h) .. 
now())\\r\\n | where isnotempty(SourceItemName)\\r\\n | project FileName = SourceItemName)\\r\\n| where FileName !in (known_files)\\r\\n| summarize dcount(FileName)\\r\\n\\r\\n\",\"size\":3,\"title\":\"New files (last 24h)\",\"noDataMessage\":\"No new files during last 24h\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"card\"},\"name\":\"query - 3\"}]},\"name\":\"group - 4\"}]},\"customWidth\":\"20\",\"name\":\"group - 10\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"BoxEvents\\r\\n| where TimeGenerated > ago(90d)\\r\\n| where EventType == 'ADMIN_LOGIN'\\r\\n| summarize Username = dcount(SourceName) by SourceName\\r\\n| project SourceName\\r\\n\",\"size\":3,\"title\":\"Admin users\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"card\",\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"TotalEvents\",\"formatter\":8,\"formatOptions\":{\"palette\":\"turquoise\"}},{\"columnMatch\":\"Trend\",\"formatter\":10,\"formatOptions\":{\"palette\":\"blue\"}}]},\"tileSettings\":{\"showBorder\":false,\"titleContent\":{\"columnMatch\":\"SrcDvcHostname\",\"formatter\":1},\"leftContent\":{\"columnMatch\":\"TotalEvents\",\"formatter\":12,\"formatOptions\":{\"palette\":\"auto\"},\"numberFormat\":{\"unit\":17,\"options\":{\"maximumSignificantDigits\":3,\"maximumFractionDigits\":2}}}},\"textSettings\":{\"style\":\"header\"}},\"customWidth\":\"25\",\"name\":\"query - 7\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let admins = BoxEvents\\r\\n| where TimeGenerated > ago(90d)\\r\\n| where EventType == 'ADMIN_LOGIN'\\r\\n| summarize makeset(SourceName);\\r\\nlet adm_type1 = BoxEvents\\r\\n| where SourceName in (admins)\\r\\n| summarize TotalActions = count() by SourceName;\\r\\nlet adm_type2 = BoxEvents\\r\\n| where SrcUserName in (admins)\\r\\n| 
summarize TotalActions = count() by SrcUserName\\r\\n| project TotalActions, SourceName = SrcUserName; \\r\\nlet adm_activity = (union adm_type1, adm_type2);\\r\\nadm_activity\\r\\n| summarize TotalActions = sum(TotalActions) by SourceName\\r\\n| join kind = inner (BoxEvents\\r\\n | where SourceName in (admins) or SrcUserName in (admins)\\r\\n | make-series Trend = count() default = 0 on TimeGenerated from {TimeRange:start} to {TimeRange:end} step {TimeRange:grain} by SourceName)\\r\\n on SourceName\\r\\n| project SourceName, TotalActions, Trend\\r\\n| order by TotalActions\\r\\n\",\"size\":3,\"title\":\"Admin users activity\",\"timeContext\":{\"durationMs\":7776000000},\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"table\",\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"TotalActions\",\"formatter\":8,\"formatOptions\":{\"palette\":\"coldHot\"}},{\"columnMatch\":\"Trend\",\"formatter\":21,\"formatOptions\":{\"palette\":\"blue\"}}]},\"tileSettings\":{\"titleContent\":{\"columnMatch\":\"SourceName\",\"formatter\":1},\"leftContent\":{\"columnMatch\":\"TotalActions\",\"formatter\":12,\"formatOptions\":{\"palette\":\"auto\"},\"numberFormat\":{\"unit\":17,\"options\":{\"maximumSignificantDigits\":3,\"maximumFractionDigits\":2}}},\"secondaryContent\":{\"columnMatch\":\"Trend\",\"formatter\":21,\"formatOptions\":{\"palette\":\"blue\"}},\"showBorder\":false}},\"customWidth\":\"40\",\"name\":\"query - 1\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let admins = BoxEvents\\r\\n| where TimeGenerated > ago(90d)\\r\\n| where EventType == 'ADMIN_LOGIN'\\r\\n| summarize makeset(SourceName);\\r\\nlet adm_type1 = BoxEvents\\r\\n| where SourceName in (admins)\\r\\n| summarize by EventType, SourceName\\r\\n| project Action = EventType, SourceName;\\r\\nlet adm_type2 = BoxEvents\\r\\n| where SrcUserName in (admins)\\r\\n| summarize max(TimeGenerated) by EventType, 
SrcUserName\\r\\n| project Action = EventType, SourceName = SrcUserName; \\r\\nlet adm_activity = (union adm_type1, adm_type2);\\r\\nadm_activity\\r\\n\",\"size\":1,\"title\":\"Latest admin activity\",\"timeContext\":{\"durationMs\":7776000000},\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"table\",\"gridSettings\":{\"filter\":true}},\"customWidth\":\"35\",\"name\":\"query - 2\"}]},\"name\":\"group - 8\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"BoxEvents\\n| where EventType == 'NEW_USER'\\n| project SourceName\\n\",\"size\":3,\"title\":\"New users\",\"timeContext\":{\"durationMs\":7776000000},\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"card\",\"tileSettings\":{\"titleContent\":{\"columnMatch\":\"EventCategory\",\"formatter\":1},\"leftContent\":{\"columnMatch\":\"TotalEvents\",\"formatter\":12,\"formatOptions\":{\"palette\":\"auto\"},\"numberFormat\":{\"unit\":17,\"options\":{\"maximumSignificantDigits\":3,\"maximumFractionDigits\":2}}},\"secondaryContent\":{\"columnMatch\":\"Trend\",\"formatter\":9,\"formatOptions\":{\"palette\":\"blue\"}},\"showBorder\":false,\"rowLimit\":10},\"graphSettings\":{\"type\":0,\"topContent\":{\"columnMatch\":\"TableName\",\"formatter\":1},\"centerContent\":{\"columnMatch\":\"count_\",\"formatter\":1,\"numberFormat\":{\"unit\":17,\"options\":{\"maximumSignificantDigits\":3,\"maximumFractionDigits\":2}}},\"nodeIdField\":\"TableName\",\"sourceIdField\":\"TableName\",\"targetIdField\":\"count_\",\"graphOrientation\":3,\"showOrientationToggles\":false,\"nodeSize\":\"\",\"staticNodeSize\":100,\"colorSettings\":\"\",\"hivesMargin\":5},\"chartSettings\":{\"xSettings\":{\"numberFormatSettings\":{\"unit\":0,\"options\":{\"style\":\"decima
l\",\"useGrouping\":true}}}},\"textSettings\":{\"style\":\"header\"}},\"customWidth\":\"15\",\"name\":\"query - 2\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"BoxEvents\\r\\n| where EventType == 'DELETE_USER'\\r\\n| project SourceName\",\"size\":3,\"title\":\"Deleted users\",\"timeContext\":{\"durationMs\":7776000000},\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"card\",\"textSettings\":{\"style\":\"header\"}},\"customWidth\":\"15\",\"name\":\"query - 1\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"BoxEvents\\r\\n| where EventType == 'LOGIN'\\r\\n| summarize LastLoginTime = max(TimeGenerated) by SourceName\\r\\n| where LastLoginTime > ago(90d)\",\"size\":0,\"title\":\"Inactive users\",\"timeContext\":{\"durationMs\":7776000000},\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"table\",\"gridSettings\":{\"filter\":true}},\"customWidth\":\"35\",\"name\":\"query - 2\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let user_act1 = BoxEvents\\r\\n| where isnotempty(SourceName)\\r\\n| summarize TotalActions = count() by SourceName;\\r\\nlet user_act2 = BoxEvents\\r\\n| where isnotempty(SrcUserName)\\r\\n| summarize TotalActions = count() by SrcUserName\\r\\n| project TotalActions, SourceName = SrcUserName; \\r\\nlet user_activity = (union user_act1, user_act2);\\r\\nuser_activity\\r\\n| join kind = inner (BoxEvents\\r\\n | where isnotempty(SourceName) or isnotempty(SrcUserName)\\r\\n | make-series Trend = count() default = 0 on TimeGenerated from {TimeRange:start} to {TimeRange:end} step {TimeRange:grain} by SourceName)\\r\\n on SourceName\\r\\n| project SourceName, TotalActions, Trend\\r\\n| order by TotalActions\",\"size\":0,\"title\":\"Users activity over 
time\",\"timeContext\":{\"durationMs\":7776000000},\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"table\",\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"TotalActions\",\"formatter\":8,\"formatOptions\":{\"palette\":\"orange\"}},{\"columnMatch\":\"Trend\",\"formatter\":21,\"formatOptions\":{\"palette\":\"orange\"}}],\"filter\":true},\"tileSettings\":{\"showBorder\":false,\"titleContent\":{\"columnMatch\":\"SourceName\",\"formatter\":1},\"leftContent\":{\"columnMatch\":\"TotalActions\",\"formatter\":12,\"formatOptions\":{\"palette\":\"auto\"},\"numberFormat\":{\"unit\":17,\"options\":{\"maximumSignificantDigits\":3,\"maximumFractionDigits\":2}}}}},\"customWidth\":\"35\",\"name\":\"query - 3\"}]},\"name\":\"group - 20\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"BoxEvents\\r\\n| summarize Downloads = countif(EventType == \\\"DOWNLOAD\\\"), Uploads = countif(EventType == \\\"UPLOAD\\\") by bin_at(TimeGenerated, 1h, now())\",\"size\":3,\"title\":\"Downloads/Uploads comparison\",\"timeContext\":{\"durationMs\":7776000000},\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"linechart\"},\"name\":\"query - 2\",\"styleSettings\":{\"margin\":\"0px\"}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"BoxEvents\\r\\n| where EventType == 'DOWNLOAD'\\r\\n| where isnotempty(SourceItemName)\\r\\n| project FileName = SourceItemName, SrcUserName, TimeGenerated\\r\\n| top 100 by TimeGenerated desc\",\"size\":0,\"title\":\"Latest downloaded 
items\",\"timeContext\":{\"durationMs\":7776000000},\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"table\",\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"FileName\",\"formatter\":0,\"formatOptions\":{\"customColumnWidthSetting\":\"35ch\"}},{\"columnMatch\":\"SrcUserName\",\"formatter\":0,\"formatOptions\":{\"customColumnWidthSetting\":\"25ch\"}},{\"columnMatch\":\"TimeGenerated\",\"formatter\":0,\"formatOptions\":{\"customColumnWidthSetting\":\"25ch\"}}],\"filter\":true},\"textSettings\":{\"style\":\"bignumber\"}},\"customWidth\":\"50\",\"name\":\"query - 0\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"BoxEvents\\r\\n| where EventType == 'UPLOAD'\\r\\n| where isnotempty(SourceItemName)\\r\\n| project FileName = SourceItemName, SrcUserName, TimeGenerated\\r\\n| top 100 by TimeGenerated desc\",\"size\":0,\"title\":\"Latest uploaded items\",\"timeContext\":{\"durationMs\":7776000000},\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"FileName\",\"formatter\":0,\"formatOptions\":{\"customColumnWidthSetting\":\"35ch\"}},{\"columnMatch\":\"SrcUserName\",\"formatter\":0,\"formatOptions\":{\"customColumnWidthSetting\":\"25ch\"}},{\"columnMatch\":\"TimeGenerated\",\"formatter\":0,\"formatOptions\":{\"customColumnWidthSetting\":\"25ch\"}}],\"filter\":true}},\"customWidth\":\"50\",\"name\":\"query - 1\"}]},\"name\":\"group - 6\"}],\"fromTemplateId\":\"sentinel-Box\",\"$schema\":\"https://github.com/Microsoft/Application-Insights-Workbooks/blob/master/schema/workbook.json\"}\r\n", + "serializedData": "{\"version\":\"Notebook/1.0\",\"items\":[{\"type\":1,\"content\":{\"json\":\"**NOTE**: This workbook depends on a parser based on Kusto Function to work as expected [**BoxEvents**](https://aka.ms/sentinel-BoxDataConnector-parser) which is 
deployed with the Microsoft Sentinel Solution.\",\"style\":\"info\"},\"name\":\"text - 9\"},{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"parameters\":[{\"id\":\"88aa96e3-fc48-4b04-836e-fc2ec8ebf37f\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"TimeRange\",\"label\":\" Time Range\",\"type\":4,\"value\":{\"durationMs\":7776000000},\"typeSettings\":{\"selectableValues\":[{\"durationMs\":300000},{\"durationMs\":3600000},{\"durationMs\":43200000},{\"durationMs\":86400000},{\"durationMs\":259200000},{\"durationMs\":604800000},{\"durationMs\":2592000000},{\"durationMs\":7776000000}]},\"timeContext\":{\"durationMs\":86400000}}],\"style\":\"pills\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"name\":\"parameters - 2\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"BoxEvents\\r\\n| make-series TotalEvents = count() default = 0 on TimeGenerated from {TimeRange:start} to {TimeRange:end} step {TimeRange:grain};\",\"size\":0,\"title\":\"Events over time\",\"timeContext\":{\"durationMs\":7776000000},\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"timechart\"},\"customWidth\":\"65\",\"name\":\"query - 9\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"BoxEvents\\r\\n| where isnotempty(EventType)\\r\\n| summarize TotalEvents = count() by EventType\",\"size\":3,\"title\":\"Event 
Types\",\"timeContext\":{\"durationMs\":7776000000},\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"piechart\",\"tileSettings\":{\"titleContent\":{\"columnMatch\":\"EventSeverity\",\"formatter\":1,\"numberFormat\":{\"unit\":0,\"options\":{\"style\":\"decimal\"}}},\"leftContent\":{\"columnMatch\":\"TotalEvents\",\"formatter\":12,\"formatOptions\":{\"palette\":\"auto\"}},\"showBorder\":true,\"rowLimit\":7,\"size\":\"auto\"},\"graphSettings\":{\"type\":0,\"topContent\":{\"columnMatch\":\"EventSeverity\",\"formatter\":1},\"centerContent\":{\"columnMatch\":\"TotalEvents\",\"formatter\":1,\"numberFormat\":{\"unit\":17,\"options\":{\"maximumSignificantDigits\":3,\"maximumFractionDigits\":2}}}}},\"customWidth\":\"35\",\"name\":\"query - 3\"}]},\"customWidth\":\"80\",\"name\":\"group - 9\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"loadType\":\"always\",\"items\":[{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let user1 = BoxEvents\\r\\n| where isnotempty(SourceName)\\r\\n| summarize Users = dcount(SourceName) by SourceName\\r\\n| project Users, User = SourceName;\\r\\nlet user2 = BoxEvents\\r\\n| where isnotempty(SrcUserName)\\r\\n| summarize Users = count(SrcUserName) by SrcUserName\\r\\n| project Users, User = SrcUserName;\\r\\nlet user3 = BoxEvents\\r\\n| where isnotempty(AccessibleByName)\\r\\n| summarize Users = dcount(AccessibleByName) by AccessibleByName\\r\\n| project Users, User = AccessibleByName;\\r\\nlet users = union user1, user2, user3;\\r\\nusers\\r\\n| summarize Users = dcount(User)\",\"size\":3,\"title\":\"Unique 
Users\",\"timeContext\":{\"durationMs\":7776000000},\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"card\",\"textSettings\":{\"style\":\"bignumber\"}},\"name\":\"query - 5\"}]},\"name\":\"group - 4\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"BoxEvents\\r\\n| where isnotempty(SrcIpAddr)\\r\\n| summarize dcount(SrcIpAddr)\\r\\n\",\"size\":3,\"title\":\"Unique IPs\",\"timeContext\":{\"durationMs\":7776000000},\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"card\",\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"TotalEvents\",\"formatter\":8,\"formatOptions\":{\"palette\":\"blueGreen\"}},{\"columnMatch\":\"Trend\",\"formatter\":10,\"formatOptions\":{\"palette\":\"turquoise\"}}],\"rowLimit\":10,\"labelSettings\":[{\"columnId\":\"TotalEvents\",\"label\":\"Total Events\"},{\"columnId\":\"Trend\"}]},\"textSettings\":{\"style\":\"bignumber\"}},\"name\":\"query - 6\"}]},\"name\":\"group - 2\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let file1 = BoxEvents\\r\\n| where isnotempty(SourceFileName)\\r\\n| summarize d_files = dcount(SourceFileName);\\r\\nlet file2 = BoxEvents\\r\\n| where isnotempty(SourceItemName)\\r\\n| summarize d_files = dcount(SourceItemName);\\r\\nlet files = union file1, file2;\\r\\nfiles\\r\\n| summarize sum(d_files)\\r\\n\",\"size\":3,\"title\":\"Unique 
files\",\"timeContext\":{\"durationMs\":7776000000},\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"card\",\"tileSettings\":{\"titleContent\":{\"formatter\":12,\"formatOptions\":{\"palette\":\"blue\"}},\"leftContent\":{\"columnMatch\":\"sum_d_files\",\"formatter\":22,\"formatOptions\":{\"compositeBarSettings\":{\"labelText\":\"Unique files\",\"columnSettings\":[{\"columnName\":\"sum_d_files\",\"color\":\"blue\"}]}}},\"rightContent\":{\"columnMatch\":\"sum_d_files\",\"formatter\":12,\"formatOptions\":{\"palette\":\"blue\"}},\"showBorder\":false},\"textSettings\":{\"style\":\"bignumber\"}},\"name\":\"query - 0\"}]},\"name\":\"group - 2\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let files_1 = BoxEvents\\r\\n| where TimeGenerated > ago(90d)\\r\\n| where isnotempty(SourceFileName)\\r\\n| summarize TotalItems = dcount(SourceFileName) by SourceFileName\\r\\n| project TotalItems, FileName = SourceFileName;\\r\\nlet files_2 = BoxEvents\\r\\n| where TimeGenerated > ago(90d)\\r\\n| where isnotempty(SourceItemName)\\r\\n| summarize TotalItems = dcount(SourceItemName) by SourceItemName\\r\\n| project TotalItems, FileName = SourceItemName;\\r\\nlet known_files = (union files_1, files_2)\\r\\n| summarize makeset(FileName);\\r\\nBoxEvents\\r\\n| where TimeGenerated between (ago(24h) .. now())\\r\\n| where isnotempty(SourceFileName) \\r\\n| project FileName = SourceFileName\\r\\n| union (BoxEvents\\r\\n | where TimeGenerated between (ago(24h) .. 
now())\\r\\n | where isnotempty(SourceItemName)\\r\\n | project FileName = SourceItemName)\\r\\n| where FileName !in (known_files)\\r\\n| summarize dcount(FileName)\\r\\n\\r\\n\",\"size\":3,\"title\":\"New files (last 24h)\",\"noDataMessage\":\"No new files during last 24h\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"card\"},\"name\":\"query - 3\"}]},\"name\":\"group - 4\"}]},\"customWidth\":\"20\",\"name\":\"group - 10\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"BoxEvents\\r\\n| where TimeGenerated > ago(90d)\\r\\n| where EventType == 'ADMIN_LOGIN'\\r\\n| summarize Username = dcount(SourceName) by SourceName\\r\\n| project SourceName\\r\\n\",\"size\":3,\"title\":\"Admin users\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"card\",\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"TotalEvents\",\"formatter\":8,\"formatOptions\":{\"palette\":\"turquoise\"}},{\"columnMatch\":\"Trend\",\"formatter\":10,\"formatOptions\":{\"palette\":\"blue\"}}]},\"tileSettings\":{\"showBorder\":false,\"titleContent\":{\"columnMatch\":\"SrcDvcHostname\",\"formatter\":1},\"leftContent\":{\"columnMatch\":\"TotalEvents\",\"formatter\":12,\"formatOptions\":{\"palette\":\"auto\"},\"numberFormat\":{\"unit\":17,\"options\":{\"maximumSignificantDigits\":3,\"maximumFractionDigits\":2}}}},\"textSettings\":{\"style\":\"header\"}},\"customWidth\":\"25\",\"name\":\"query - 7\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let admins = BoxEvents\\r\\n| where TimeGenerated > ago(90d)\\r\\n| where EventType == 'ADMIN_LOGIN'\\r\\n| summarize makeset(SourceName);\\r\\nlet adm_type1 = BoxEvents\\r\\n| where SourceName in (admins)\\r\\n| summarize TotalActions = count() by SourceName;\\r\\nlet adm_type2 = BoxEvents\\r\\n| where SrcUserName in (admins)\\r\\n| 
summarize TotalActions = count() by SrcUserName\\r\\n| project TotalActions, SourceName = SrcUserName; \\r\\nlet adm_activity = (union adm_type1, adm_type2);\\r\\nadm_activity\\r\\n| summarize TotalActions = sum(TotalActions) by SourceName\\r\\n| join kind = inner (BoxEvents\\r\\n | where SourceName in (admins) or SrcUserName in (admins)\\r\\n | make-series Trend = count() default = 0 on TimeGenerated from {TimeRange:start} to {TimeRange:end} step {TimeRange:grain} by SourceName)\\r\\n on SourceName\\r\\n| project SourceName, TotalActions, Trend\\r\\n| order by TotalActions\\r\\n\",\"size\":3,\"title\":\"Admin users activity\",\"timeContext\":{\"durationMs\":7776000000},\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"table\",\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"TotalActions\",\"formatter\":8,\"formatOptions\":{\"palette\":\"coldHot\"}},{\"columnMatch\":\"Trend\",\"formatter\":21,\"formatOptions\":{\"palette\":\"blue\"}}]},\"tileSettings\":{\"titleContent\":{\"columnMatch\":\"SourceName\",\"formatter\":1},\"leftContent\":{\"columnMatch\":\"TotalActions\",\"formatter\":12,\"formatOptions\":{\"palette\":\"auto\"},\"numberFormat\":{\"unit\":17,\"options\":{\"maximumSignificantDigits\":3,\"maximumFractionDigits\":2}}},\"secondaryContent\":{\"columnMatch\":\"Trend\",\"formatter\":21,\"formatOptions\":{\"palette\":\"blue\"}},\"showBorder\":false}},\"customWidth\":\"40\",\"name\":\"query - 1\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let admins = BoxEvents\\r\\n| where TimeGenerated > ago(90d)\\r\\n| where EventType == 'ADMIN_LOGIN'\\r\\n| summarize makeset(SourceName);\\r\\nlet adm_type1 = BoxEvents\\r\\n| where SourceName in (admins)\\r\\n| summarize by EventType, SourceName\\r\\n| project Action = EventType, SourceName;\\r\\nlet adm_type2 = BoxEvents\\r\\n| where SrcUserName in (admins)\\r\\n| summarize max(TimeGenerated) by EventType, 
SrcUserName\\r\\n| project Action = EventType, SourceName = SrcUserName; \\r\\nlet adm_activity = (union adm_type1, adm_type2);\\r\\nadm_activity\\r\\n\",\"size\":1,\"title\":\"Latest admin activity\",\"timeContext\":{\"durationMs\":7776000000},\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"table\",\"gridSettings\":{\"filter\":true}},\"customWidth\":\"35\",\"name\":\"query - 2\"}]},\"name\":\"group - 8\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"BoxEvents\\n| where EventType == 'NEW_USER'\\n| project SourceName\\n\",\"size\":3,\"title\":\"New users\",\"timeContext\":{\"durationMs\":7776000000},\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"card\",\"tileSettings\":{\"titleContent\":{\"columnMatch\":\"EventCategory\",\"formatter\":1},\"leftContent\":{\"columnMatch\":\"TotalEvents\",\"formatter\":12,\"formatOptions\":{\"palette\":\"auto\"},\"numberFormat\":{\"unit\":17,\"options\":{\"maximumSignificantDigits\":3,\"maximumFractionDigits\":2}}},\"secondaryContent\":{\"columnMatch\":\"Trend\",\"formatter\":9,\"formatOptions\":{\"palette\":\"blue\"}},\"showBorder\":false,\"rowLimit\":10},\"graphSettings\":{\"type\":0,\"topContent\":{\"columnMatch\":\"TableName\",\"formatter\":1},\"centerContent\":{\"columnMatch\":\"count_\",\"formatter\":1,\"numberFormat\":{\"unit\":17,\"options\":{\"maximumSignificantDigits\":3,\"maximumFractionDigits\":2}}},\"nodeIdField\":\"TableName\",\"sourceIdField\":\"TableName\",\"targetIdField\":\"count_\",\"graphOrientation\":3,\"showOrientationToggles\":false,\"staticNodeSize\":100,\"hivesMargin\":5},\"chartSettings\":{\"xSettings\":{\"numberFormatSettings\":{\"unit\":0,\"options\":{\"style\":\"decimal\",\"useGrouping\":true}}}},\"textSettin
gs\":{\"style\":\"header\"}},\"customWidth\":\"15\",\"name\":\"query - 2\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"BoxEvents\\r\\n| where EventType == 'DELETE_USER'\\r\\n| project SourceName\",\"size\":3,\"title\":\"Deleted users\",\"timeContext\":{\"durationMs\":7776000000},\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"card\",\"textSettings\":{\"style\":\"header\"}},\"customWidth\":\"15\",\"name\":\"query - 1\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"BoxEvents\\r\\n| where EventType == 'LOGIN'\\r\\n| summarize LastLoginTime = max(TimeGenerated) by SourceName\\r\\n| where LastLoginTime > ago(90d)\",\"size\":0,\"title\":\"Inactive users\",\"timeContext\":{\"durationMs\":7776000000},\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"table\",\"gridSettings\":{\"filter\":true}},\"customWidth\":\"35\",\"name\":\"query - 2\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let user_act1 = BoxEvents\\r\\n| where isnotempty(SourceName)\\r\\n| summarize TotalActions = count() by SourceName;\\r\\nlet user_act2 = BoxEvents\\r\\n| where isnotempty(SrcUserName)\\r\\n| summarize TotalActions = count() by SrcUserName\\r\\n| project TotalActions, SourceName = SrcUserName; \\r\\nlet user_activity = (union user_act1, user_act2);\\r\\nuser_activity\\r\\n| join kind = inner (BoxEvents\\r\\n | where isnotempty(SourceName) or isnotempty(SrcUserName)\\r\\n | make-series Trend = count() default = 0 on TimeGenerated from {TimeRange:start} to {TimeRange:end} step {TimeRange:grain} by SourceName)\\r\\n on SourceName\\r\\n| project SourceName, TotalActions, Trend\\r\\n| order by TotalActions\",\"size\":0,\"title\":\"Users activity over 
time\",\"timeContext\":{\"durationMs\":7776000000},\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"table\",\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"TotalActions\",\"formatter\":8,\"formatOptions\":{\"palette\":\"orange\"}},{\"columnMatch\":\"Trend\",\"formatter\":21,\"formatOptions\":{\"palette\":\"orange\"}}],\"filter\":true},\"tileSettings\":{\"showBorder\":false,\"titleContent\":{\"columnMatch\":\"SourceName\",\"formatter\":1},\"leftContent\":{\"columnMatch\":\"TotalActions\",\"formatter\":12,\"formatOptions\":{\"palette\":\"auto\"},\"numberFormat\":{\"unit\":17,\"options\":{\"maximumSignificantDigits\":3,\"maximumFractionDigits\":2}}}}},\"customWidth\":\"35\",\"name\":\"query - 3\"}]},\"name\":\"group - 20\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"BoxEvents\\r\\n| summarize Downloads = countif(EventType == \\\"DOWNLOAD\\\"), Uploads = countif(EventType == \\\"UPLOAD\\\") by bin_at(TimeGenerated, 1h, now())\",\"size\":3,\"title\":\"Downloads/Uploads comparison\",\"timeContext\":{\"durationMs\":7776000000},\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"linechart\"},\"name\":\"query - 2\",\"styleSettings\":{\"margin\":\"0px\"}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"BoxEvents\\r\\n| where EventType == 'DOWNLOAD'\\r\\n| where isnotempty(SourceItemName)\\r\\n| project FileName = SourceItemName, SrcUserName, TimeGenerated\\r\\n| top 100 by TimeGenerated desc\",\"size\":0,\"title\":\"Latest downloaded 
items\",\"timeContext\":{\"durationMs\":7776000000},\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"table\",\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"FileName\",\"formatter\":0,\"formatOptions\":{\"customColumnWidthSetting\":\"35ch\"}},{\"columnMatch\":\"SrcUserName\",\"formatter\":0,\"formatOptions\":{\"customColumnWidthSetting\":\"25ch\"}},{\"columnMatch\":\"TimeGenerated\",\"formatter\":0,\"formatOptions\":{\"customColumnWidthSetting\":\"25ch\"}}],\"filter\":true},\"textSettings\":{\"style\":\"bignumber\"}},\"customWidth\":\"50\",\"name\":\"query - 0\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"BoxEvents\\r\\n| where EventType == 'UPLOAD'\\r\\n| where isnotempty(SourceItemName)\\r\\n| project FileName = SourceItemName, SrcUserName, TimeGenerated\\r\\n| top 100 by TimeGenerated desc\",\"size\":0,\"title\":\"Latest uploaded items\",\"timeContext\":{\"durationMs\":7776000000},\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"FileName\",\"formatter\":0,\"formatOptions\":{\"customColumnWidthSetting\":\"35ch\"}},{\"columnMatch\":\"SrcUserName\",\"formatter\":0,\"formatOptions\":{\"customColumnWidthSetting\":\"25ch\"}},{\"columnMatch\":\"TimeGenerated\",\"formatter\":0,\"formatOptions\":{\"customColumnWidthSetting\":\"25ch\"}}],\"filter\":true}},\"customWidth\":\"50\",\"name\":\"query - 1\"}]},\"name\":\"group - 6\"}],\"fromTemplateId\":\"sentinel-Box\",\"$schema\":\"https://github.com/Microsoft/Application-Insights-Workbooks/blob/master/schema/workbook.json\"}\r\n", "version": "1.0", "sourceId": "[variables('workspaceResourceId')]", "category": "sentinel" 
@@ -283,36 +303,36 @@ { "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates", "apiVersion": "2023-04-01-preview", - "name": "[variables('parserTemplateSpecName1')]", + "name": "[variables('parserObject1').parserTemplateSpecName1]", "location": "[parameters('workspace-location')]", "dependsOn": [ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "BoxEvents Data Parser with template version 3.0.1", + "description": "BoxEvents Data Parser with template version 3.1.0", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "[variables('parserVersion1')]", + "contentVersion": "[variables('parserObject1').parserVersion1]", "parameters": {}, "variables": {}, "resources": [ { - "name": "[variables('_parserName1')]", + "name": "[variables('parserObject1')._parserName1]", "apiVersion": "2022-10-01", "type": "Microsoft.OperationalInsights/workspaces/savedSearches", "location": "[parameters('workspace-location')]", "properties": { "eTag": "*", "displayName": "Box Data Parser", - "category": "Samples", + "category": "Microsoft Sentinel Parser", "functionAlias": "BoxEvents", - "query": "\nBoxEvents_CL\r\n| extend\r\n additional_details_annotation_id_d=column_ifexists('additional_details_annotation_id_d', ''),\r\n additional_details_group_id_s=column_ifexists('additional_details_group_id_s', ''),\r\n additional_details_group_name_s=column_ifexists('additional_details_group_name_s', ''),\r\n source_user_email_s=column_ifexists('source_user_email_s', ''),\r\n additional_details_comment_id_d=column_ifexists('additional_details_comment_id_d', ''),\r\n additional_details_message_s=column_ifexists('additional_details_message_s', ''),\r\n additional_details_task_id_d=column_ifexists('additional_details_task_id_d', ''),\r\n 
additional_details_task_message_s=column_ifexists('additional_details_task_message_s', ''),\r\n additional_details_task_created_by_id_d=column_ifexists('additional_details_task_created_by_id_d', ''),\r\n additional_details_task_created_by_login_s=column_ifexists('additional_details_task_created_by_login_s', ''),\r\n additional_details_task_assignment_assigned_to_id_d=column_ifexists('additional_details_task_assignment_assigned_to_id_d', ''),\r\n additional_details_task_assignment_assigned_to_login_s=column_ifexists('additional_details_task_assignment_assigned_to_login_s', ''),\r\n additional_details_task_assignment_status_s=column_ifexists('additional_details_task_assignment_status_s', ''),\r\n additional_details_task_assignment_message_s=column_ifexists('additional_details_task_assignment_message_s', ''),\r\n source_file_id_s=column_ifexists('source_file_id_s', ''),\r\n source_file_name_s=column_ifexists('source_file_name_s', ''),\r\n source_parent_name_g=column_ifexists('source_parent_name_g', ''),\r\n source_item_type_s=column_ifexists('source_item_type_s', ''),\r\n source_item_id_s=column_ifexists('source_item_id_s', ''),\r\n source_item_name_s=column_ifexists('source_item_name_s', ''),\r\n source_parent_type_s=column_ifexists('source_parent_type_s', ''),\r\n source_parent_name_s=column_ifexists('source_parent_name_s', ''),\r\n source_parent_id_s=column_ifexists('source_parent_id_s', ''),\r\n source_owned_by_type_s=column_ifexists('source_owned_by_type_s', ''),\r\n source_owned_by_id_s=column_ifexists('source_owned_by_id_s', ''),\r\n source_owned_by_name_s=column_ifexists('source_owned_by_name_s', ''),\r\n source_owned_by_login_s=column_ifexists('source_owned_by_login_s', ''),\r\n created_by_type_s=column_ifexists('created_by_type_s', ''),\r\n created_by_id_s=column_ifexists('created_by_id_s', ''),\r\n created_by_name_s=column_ifexists('created_by_name_s', ''),\r\n created_by_login_s=column_ifexists('created_by_login_s', ''),\r\n 
created_at_t=column_ifexists('created_at_t', ''),\r\n event_id_g=column_ifexists('event_id_g', ''),\r\n event_type_s=column_ifexists('event_type_s', ''),\r\n ip_address_s=column_ifexists('ip_address_s', ''),\r\n type_s=column_ifexists('type_s', ''),\r\n additional_details_size_d=column_ifexists('additional_details_size_d', ''),\r\n additional_details_ekm_id_g=column_ifexists('additional_details_ekm_id_g', ''),\r\n additional_details_version_id_s=column_ifexists('additional_details_version_id_s', ''),\r\n additional_details_service_id_s=column_ifexists('additional_details_service_id_s', ''),\r\n additional_details_service_name_s=column_ifexists('additional_details_service_name_s', ''),\r\n source_type_s=column_ifexists('source_type_s', ''),\r\n source_id_s=column_ifexists('source_id_s', ''),\r\n source_name_s=column_ifexists('source_name_s', ''),\r\n source_login_s=column_ifexists('source_login_s', ''),\r\n additional_details_access_token_identifier_s=column_ifexists('additional_details_access_token_identifier_s', ''),\r\n additional_details_shared_link_id_s=column_ifexists('additional_details_shared_link_id_s', ''),\r\n source_folder_id_s=column_ifexists('source_folder_id_s', ''),\r\n source_folder_name_s=column_ifexists('source_folder_name_s', ''),\r\n source_user_id_s=column_ifexists('source_user_id_s', ''),\r\n source_user_name_s=column_ifexists('source_user_name_s', ''),\r\n accessible_by_type_s=column_ifexists('accessible_by_type_s', ''),\r\n accessible_by_id_s=column_ifexists('accessible_by_id_s', ''),\r\n accessible_by_name_s=column_ifexists('accessible_by_name_s', ''),\r\n accessible_by_login_s=column_ifexists('accessible_by_login_s', ''),\r\n additional_details_type_s=column_ifexists('additional_details_type_s', ''),\r\n additional_details_collab_id_s=column_ifexists('additional_details_collab_id_s', ''),\r\n additional_details_role_s=column_ifexists('additional_details_role_s', ''),\r\n 
additional_details_is_performed_by_admin_b=column_ifexists('additional_details_is_performed_by_admin_b', ''),\r\n session_id_s=column_ifexists('session_id_s', '')\r\n| project-rename\r\n AdditionalDetailsAnnotationId=additional_details_annotation_id_d,\r\n AdditionalDetailsGroupId=additional_details_group_id_s,\r\n AdditionalDetailsGroupName=additional_details_group_name_s,\r\n SourceUserEmail=source_user_email_s,\r\n AdditionalDetailsCommentId=additional_details_comment_id_d,\r\n AdditionalDetailsMessage=additional_details_message_s,\r\n AdditionalDetailsTaskId=additional_details_task_id_d,\r\n AdditionalDetailsTaskMessage=additional_details_task_message_s,\r\n AdditionalDetailsTaskCreatedById=additional_details_task_created_by_id_d,\r\n AdditionalDetailsTaskCreatedByLogin=additional_details_task_created_by_login_s,\r\n AdditionalDetailsTaskAssignmentAssignedToId=additional_details_task_assignment_assigned_to_id_d,\r\n AdditionalDetailsTaskAssignmentAssignedToLogin=additional_details_task_assignment_assigned_to_login_s,\r\n AdditionalDetailsTaskAssignmentStatus=additional_details_task_assignment_status_s,\r\n AdditionalDetailsTaskAssignmentMessage=additional_details_task_assignment_message_s,\r\n SourceFileId=source_file_id_s,\r\n SourceFileName=source_file_name_s,\r\n SourceParentName=source_parent_name_g,\r\n SourceItemType=source_item_type_s,\r\n SourceItemId=source_item_id_s,\r\n SourceItemName=source_item_name_s,\r\n SourceParentType=source_parent_type_s,\r\n FileDirectory=source_parent_name_s,\r\n SourceParentId=source_parent_id_s,\r\n SourceOwnedByType=source_owned_by_type_s,\r\n SourceOwnedById=source_owned_by_id_s,\r\n SourceOwnedByName=source_owned_by_name_s,\r\n SourceOwnedByLogin=source_owned_by_login_s,\r\n CreatedByType=created_by_type_s,\r\n SrcUserSid=created_by_id_s,\r\n SrcUserName=created_by_name_s,\r\n SrcUserUpn=created_by_login_s,\r\n EventEndTime=created_at_t,\r\n EventId=event_id_g,\r\n EventType=event_type_s,\r\n 
SrcIpAddr=ip_address_s,\r\n BoxType=type_s,\r\n FileSize=additional_details_size_d,\r\n AdditionalDetailsEkmId=additional_details_ekm_id_g,\r\n AdditionalDetailsVersionId=additional_details_version_id_s,\r\n AdditionalDetailsServiceId=additional_details_service_id_s,\r\n AdditionalDetailsServiceName=additional_details_service_name_s,\r\n SourceType=source_type_s,\r\n SourceId=source_id_s,\r\n SourceName=source_name_s,\r\n SourceLogin=source_login_s,\r\n AdditionalDetailsAccessTokenIdentifier=additional_details_access_token_identifier_s,\r\n AdditionalDetailsSharedLinkId=additional_details_shared_link_id_s,\r\n SourceFolderId=source_folder_id_s,\r\n SourceFolderName=source_folder_name_s,\r\n SourceUserId=source_user_id_s,\r\n SourceUserName=source_user_name_s,\r\n AccessibleByType=accessible_by_type_s,\r\n AccessibleById=accessible_by_id_s,\r\n AccessibleByName=accessible_by_name_s,\r\n AccessibleByLogin=accessible_by_login_s,\r\n AdditionalDetailsType=additional_details_type_s,\r\n AdditionalDetailsCollabId=additional_details_collab_id_s,\r\n AdditionalDetailsRole=additional_details_role_s,\r\n AdditionalDetailsIsPerformedByAdmin=additional_details_is_performed_by_admin_b,\r\n UserSessionId=session_id_s", + "query": "let BoxEventsv1_empty = datatable(\n additional_details_annotation_id_d:double,\n additional_details_group_id_s:string,\n additional_details_group_name_s:string,\n source_user_email_s:string,\n additional_details_comment_id_d:double,\n additional_details_message_s:string,\n additional_details_task_id_d:double,\n additional_details_task_message_s:string,\n additional_details_task_created_by_id_d:double,\n additional_details_task_created_by_login_s:string,\n additional_details_task_assignment_assigned_to_id_d:double,\n additional_details_task_assignment_assigned_to_login_s:string,\n additional_details_task_assignment_status_s:string,\n additional_details_task_assignment_message_s:string,\n source_file_id_s:string,\n source_file_name_s:string,\n 
source_parent_name_g:guid,\n source_item_type_s:string,\n source_item_id_s:string,\n source_item_name_s:string,\n source_parent_type_s:string,\n source_parent_name_s:string,\n source_parent_id_s:string,\n source_owned_by_type_s:string,\n source_owned_by_id_s:string,\n source_owned_by_name_s:string,\n source_owned_by_login_s:string,\n created_by_type_s:string,\n created_by_id_s:string,\n created_by_name_s:string,\n created_by_login_s:string,\n created_at_t:datetime,\n event_id_g:guid,\n event_type_s:string,\n ip_address_s:string,\n type_s:string,\n additional_details_size_d:double,\n additional_details_ekm_id_g:guid,\n additional_details_version_id_s:string,\n additional_details_service_id_s:string,\n additional_details_service_name_s:string,\n source_type_s:string,\n source_id_s:string,\n source_name_s:string,\n source_login_s:string,\n additional_details_access_token_identifier_s:string,\n additional_details_shared_link_id_s:string,\n source_folder_id_s:string,\n source_folder_name_s:string,\n source_user_id_s:string,\n source_user_name_s:string,\n accessible_by_type_s:string,\n accessible_by_id_s:string,\n accessible_by_name_s:string,\n accessible_by_login_s:string,\n additional_details_type_s:string,\n additional_details_collab_id_s:string,\n additional_details_role_s:string,\n additional_details_is_performed_by_admin_b:bool,\n session_id_s:string\n)[]; let BoxEventsv1 = union isfuzzy=true BoxEvents_CL, BoxEventsv1_empty\n | extend\n additional_details_annotation_id_s=column_ifexists('additional_details_annotation_id_s', ''),\n additional_details_group_id_s=column_ifexists('additional_details_group_id_s', ''),\n additional_details_group_name_s=column_ifexists('additional_details_group_name_s', ''),\n source_user_email_s=column_ifexists('source_user_email_s', ''),\n additional_details_comment_id_d=column_ifexists('additional_details_comment_id_d', ''),\n additional_details_message_s=column_ifexists('additional_details_message_s', ''),\n 
additional_details_task_id_d=column_ifexists('additional_details_task_id_d', ''),\n additional_details_task_message_s=column_ifexists('additional_details_task_message_s', ''),\n additional_details_task_created_by_id_d=column_ifexists('additional_details_task_created_by_id_d', ''),\n additional_details_task_created_by_login_s=column_ifexists('additional_details_task_created_by_login_s', ''),\n additional_details_task_assignment_assigned_to_id_d=column_ifexists('additional_details_task_assignment_assigned_to_id_d', ''),\n additional_details_task_assignment_assigned_to_login_s=column_ifexists('additional_details_task_assignment_assigned_to_login_s', ''),\n additional_details_task_assignment_status_s=column_ifexists('additional_details_task_assignment_status_s', ''),\n additional_details_task_assignment_message_s=column_ifexists('additional_details_task_assignment_message_s', ''),\n source_file_id_s=column_ifexists('source_file_id_s', ''),\n source_file_name_s=column_ifexists('source_file_name_s', ''),\n source_parent_name_g=column_ifexists('source_parent_name_g', ''),\n source_item_type_s=column_ifexists('source_item_type_s', ''),\n source_item_id_s=column_ifexists('source_item_id_s', ''),\n source_item_name_s=column_ifexists('source_item_name_s', ''),\n source_parent_type_s=column_ifexists('source_parent_type_s', ''),\n source_parent_name_s=column_ifexists('source_parent_name_s', ''),\n source_parent_id_s=column_ifexists('source_parent_id_s', ''),\n source_owned_by_type_s=column_ifexists('source_owned_by_type_s', ''),\n source_owned_by_id_s=column_ifexists('source_owned_by_id_s', ''),\n source_owned_by_name_s=column_ifexists('source_owned_by_name_s', ''),\n source_owned_by_login_s=column_ifexists('source_owned_by_login_s', ''),\n created_by_type_s=column_ifexists('created_by_type_s', ''),\n created_by_id_s=column_ifexists('created_by_id_s', ''),\n created_by_name_s=column_ifexists('created_by_name_s', ''),\n created_by_login_s=column_ifexists('created_by_login_s', 
''),\n created_at_t=column_ifexists('created_at_t', ''),\n event_id_g=column_ifexists('event_id_g', ''),\n event_type_s=column_ifexists('event_type_s', ''),\n ip_address_s=column_ifexists('ip_address_s', ''),\n type_s=column_ifexists('type_s', ''),\n additional_details_size_d=column_ifexists('additional_details_size_d', ''),\n additional_details_ekm_id_g=column_ifexists('additional_details_ekm_id_g', ''),\n additional_details_version_id_s=column_ifexists('additional_details_version_id_s', ''),\n additional_details_service_id_s=column_ifexists('additional_details_service_id_s', ''),\n additional_details_service_name_s=column_ifexists('additional_details_service_name_s', ''),\n source_type_s=column_ifexists('source_type_s', ''),\n source_id_s=column_ifexists('source_id_s', ''),\n source_name_s=column_ifexists('source_name_s', ''),\n source_login_s=column_ifexists('source_login_s', ''),\n additional_details_access_token_identifier_s=column_ifexists('additional_details_access_token_identifier_s', ''),\n additional_details_shared_link_id_s=column_ifexists('additional_details_shared_link_id_s', ''),\n source_folder_id_s=column_ifexists('source_folder_id_s', ''),\n source_folder_name_s=column_ifexists('source_folder_name_s', ''),\n source_user_id_s=column_ifexists('source_user_id_s', ''),\n source_user_name_s=column_ifexists('source_user_name_s', ''),\n accessible_by_type_s=column_ifexists('accessible_by_type_s', ''),\n accessible_by_id_s=column_ifexists('accessible_by_id_s', ''),\n accessible_by_name_s=column_ifexists('accessible_by_name_s', ''),\n accessible_by_login_s=column_ifexists('accessible_by_login_s', ''),\n additional_details_type_s=column_ifexists('additional_details_type_s', ''),\n additional_details_collab_id_s=column_ifexists('additional_details_collab_id_s', ''),\n additional_details_role_s=column_ifexists('additional_details_role_s', ''),\n additional_details_is_performed_by_admin_b=column_ifexists('additional_details_is_performed_by_admin_b', ''),\n 
session_id_s=column_ifexists('session_id_s', '')\n | project-rename\n AdditionalDetailsAnnotationId=additional_details_annotation_id_s,\n AdditionalDetailsGroupId=additional_details_group_id_s,\n AdditionalDetailsGroupName=additional_details_group_name_s,\n SourceUserEmail=source_user_email_s,\n AdditionalDetailsCommentId=additional_details_comment_id_d,\n AdditionalDetailsMessage=additional_details_message_s,\n AdditionalDetailsTaskId=additional_details_task_id_d,\n AdditionalDetailsTaskMessage=additional_details_task_message_s,\n AdditionalDetailsTaskCreatedById=additional_details_task_created_by_id_d,\n AdditionalDetailsTaskCreatedByLogin=additional_details_task_created_by_login_s,\n AdditionalDetailsTaskAssignmentAssignedToId=additional_details_task_assignment_assigned_to_id_d,\n AdditionalDetailsTaskAssignmentAssignedToLogin=additional_details_task_assignment_assigned_to_login_s,\n AdditionalDetailsTaskAssignmentStatus=additional_details_task_assignment_status_s,\n AdditionalDetailsTaskAssignmentMessage=additional_details_task_assignment_message_s,\n SourceFileId=source_file_id_s,\n SourceFileName=source_file_name_s,\n SourceParentName=source_parent_name_g,\n SourceItemType=source_item_type_s,\n SourceItemId=source_item_id_s,\n SourceItemName=source_item_name_s,\n SourceParentType=source_parent_type_s,\n FileDirectory=source_parent_name_s,\n SourceParentId=source_parent_id_s,\n SourceOwnedByType=source_owned_by_type_s,\n SourceOwnedById=source_owned_by_id_s,\n SourceOwnedByName=source_owned_by_name_s,\n SourceOwnedByLogin=source_owned_by_login_s,\n CreatedByType=created_by_type_s,\n SrcUserSid=created_by_id_s,\n SrcUserName=created_by_name_s,\n SrcUserUpn=created_by_login_s,\n EventEndTime=created_at_t,\n EventId=event_id_g,\n EventType=event_type_s,\n SrcIpAddr=ip_address_s,\n BoxType=type_s,\n FileSize=additional_details_size_d,\n AdditionalDetailsEkmId=additional_details_ekm_id_g,\n AdditionalDetailsVersionId=additional_details_version_id_s,\n 
AdditionalDetailsServiceId=additional_details_service_id_s,\n AdditionalDetailsServiceName=additional_details_service_name_s,\n SourceType=source_type_s,\n SourceId=source_id_s,\n SourceName=source_name_s,\n SourceLogin=source_login_s,\n AdditionalDetailsAccessTokenIdentifier=additional_details_access_token_identifier_s,\n AdditionalDetailsSharedLinkId=additional_details_shared_link_id_s,\n SourceFolderId=source_folder_id_s,\n SourceFolderName=source_folder_name_s,\n SourceUserId=source_user_id_s,\n SourceUserName=source_user_name_s,\n AccessibleByType=accessible_by_type_s,\n AccessibleById=accessible_by_id_s,\n AccessibleByName=accessible_by_name_s,\n AccessibleByLogin=accessible_by_login_s,\n AdditionalDetailsType=additional_details_type_s,\n AdditionalDetailsCollabId=additional_details_collab_id_s,\n AdditionalDetailsRole=additional_details_role_s,\n AdditionalDetailsIsPerformedByAdmin=additional_details_is_performed_by_admin_b,\n UserSessionId=session_id_s;\n let BoxEventsv2 = union isfuzzy=true BoxEventsv1_empty, BoxEventsV2_CL |\n extend additional_details_annotation_id_s=tostring(additional_details.annotation_id),\n additional_details_group_id_s=tostring(additional_details.group_id),\n additional_details_group_name_s=tostring(additional_details.group_name),\n source_user_email_s=source_user_email,\n additional_details_comment_id_d=todouble(additional_details.comment_id),\n additional_details_message_s=tostring(additional_details.message),\n additional_details_task_id_d=todouble(additional_details.task.id),\n additional_details_task_message_s=tostring(additional_details.task.message),\n additional_details_task_created_by_id_d=todouble(additional_details.task.created_by.id),\n additional_details_task_created_by_login_s=tostring(additional_details.task.created_by.login),\n additional_details_task_assignment_assigned_to_id_d=todouble(additional_details.task_assignment.assigned_to.id),\n 
additional_details_task_assignment_assigned_to_login_s=tostring(additional_details.task_assignment.assigned_to.login),\n additional_details_task_assignment_status_s=tostring(additional_details.task_assignment.status),\n additional_details_task_assignment_message_s=tostring(additional_details.task_assignment.message),\n source_file_id_s=source_file_id,\n source_file_name_s=source_file_name,\n source_parent_name_g=source_parent_name,\n source_item_type_s=source_item_type,\n source_item_id_s=source_item_id,\n source_item_name_s=source_item_name,\n source_parent_type_s=source_parent_type,\n source_parent_name_s=source_parent_name,\n source_parent_id_s=source_parent_id,\n source_owned_by_type_s=source_owned_by_type,\n source_owned_by_id_s=source_owned_by_id,\n source_owned_by_name_s=source_owned_by_name,\n source_owned_by_login_s=source_owned_by_login,\n created_by_type_s=created_by_type,\n created_by_id_s=created_by_id,\n created_by_name_s=created_by_name,\n created_by_login_s=created_by_login,\n created_at_t=created_at,\n event_id_g=event_id,\n event_type_s=event_type,\n ip_address_s=ip_address,\n type_s=event_type,\n additional_details_size_d=todouble(additional_details.size),\n additional_details_ekm_id_g=toguid(additional_details.ekm_id),\n additional_details_version_id_s=tostring(additional_details.version_id),\n additional_details_service_id_s=tostring(additional_details.service_id),\n additional_details_service_name_s=tostring(additional_details.service_name),\n source_type_s=source_type,\n source_id_s=source_id,\n source_name_s=source_name,\n source_login_s=source_login,\n additional_details_access_token_identifier_s=tostring(additional_details.access_token_identifier),\n additional_details_shared_link_id_s=tostring(additional_details.shared_link_id),\n source_folder_id_s=source_folder_id,\n source_folder_name_s=source_folder_name,\n source_user_id_s=source_user_id,\n source_user_name_s=source_user_name,\n accessible_by_type_s=accessible_by_type,\n 
accessible_by_id_s=accessible_by_id,\n accessible_by_name_s=accessible_by_name,\n accessible_by_login_s=accessible_by_login,\n additional_details_type_s=tostring(additional_details.type),\n additional_details_collab_id_s=tostring(additional_details.collab_id),\n additional_details_role_s=tostring(additional_details.role),\n additional_details_is_performed_by_admin_b=toboolean(additional_details.is_performed_by_admin),\n session_id_s=session_id\n | project-rename\n AdditionalDetailsAnnotationId=additional_details_annotation_id_s,\n AdditionalDetailsGroupId=additional_details_group_id_s,\n AdditionalDetailsGroupName=additional_details_group_name_s,\n SourceUserEmail=source_user_email_s,\n AdditionalDetailsCommentId=additional_details_comment_id_d,\n AdditionalDetailsMessage=additional_details_message_s,\n AdditionalDetailsTaskId=additional_details_task_id_d,\n AdditionalDetailsTaskMessage=additional_details_task_message_s,\n AdditionalDetailsTaskCreatedById=additional_details_task_created_by_id_d,\n AdditionalDetailsTaskCreatedByLogin=additional_details_task_created_by_login_s,\n AdditionalDetailsTaskAssignmentAssignedToId=additional_details_task_assignment_assigned_to_id_d,\n AdditionalDetailsTaskAssignmentAssignedToLogin=additional_details_task_assignment_assigned_to_login_s,\n AdditionalDetailsTaskAssignmentStatus=additional_details_task_assignment_status_s,\n AdditionalDetailsTaskAssignmentMessage=additional_details_task_assignment_message_s,\n SourceFileId=source_file_id_s,\n SourceFileName=source_file_name_s,\n SourceParentName=source_parent_name_g,\n SourceItemType=source_item_type_s,\n SourceItemId=source_item_id_s,\n SourceItemName=source_item_name_s,\n SourceParentType=source_parent_type_s,\n FileDirectory=source_parent_name_s,\n SourceParentId=source_parent_id_s,\n SourceOwnedByType=source_owned_by_type_s,\n SourceOwnedById=source_owned_by_id_s,\n SourceOwnedByName=source_owned_by_name_s,\n SourceOwnedByLogin=source_owned_by_login_s,\n 
CreatedByType=created_by_type_s,\n SrcUserSid=created_by_id_s,\n SrcUserName=created_by_name_s,\n SrcUserUpn=created_by_login_s,\n EventEndTime=TimeGenerated,\n EventId=event_id_g,\n EventType=event_type_s,\n SrcIpAddr=ip_address_s,\n BoxType=type_s,\n FileSize=additional_details_size_d,\n AdditionalDetailsEkmId=additional_details_ekm_id_g,\n AdditionalDetailsVersionId=additional_details_version_id_s,\n AdditionalDetailsServiceId=additional_details_service_id_s,\n AdditionalDetailsServiceName=additional_details_service_name_s,\n SourceType=source_type_s,\n SourceId=source_id_s,\n SourceName=source_name_s,\n SourceLogin=source_login_s,\n AdditionalDetailsAccessTokenIdentifier=additional_details_access_token_identifier_s,\n AdditionalDetailsSharedLinkId=additional_details_shared_link_id_s,\n SourceFolderId=source_folder_id_s,\n SourceFolderName=source_folder_name_s,\n SourceUserId=source_user_id_s,\n SourceUserName=source_user_name_s,\n AccessibleByType=accessible_by_type_s,\n AccessibleById=accessible_by_id_s,\n AccessibleByName=accessible_by_name_s,\n AccessibleByLogin=accessible_by_login_s,\n AdditionalDetailsType=additional_details_type_s,\n AdditionalDetailsCollabId=additional_details_collab_id_s,\n AdditionalDetailsRole=additional_details_role_s,\n AdditionalDetailsIsPerformedByAdmin=additional_details_is_performed_by_admin_b,\n UserSessionId=session_id_s\n | project-away created_at, event_category, additional_details*, event_id, event_type, ip_address, source*, created_by*, accessible_by*, created_at_t;\n union isfuzzy=true BoxEventsv2, BoxEventsv1\n | project-reorder EventEndTime, Source*\n",
 "functionParameters": "",
- "version": 1,
+ "version": 2,
 "tags": [
 {
 "name": "description",
- "value": "Box Data Parser"
+ "value": ""
 }
 ]
 }
@@ -320,15 +340,15 @@
 {
 "type": "Microsoft.OperationalInsights/workspaces/providers/metadata",
 "apiVersion": "2022-01-01-preview",
- "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('Parser-', last(split(variables('_parserId1'),'/'))))]",
+ "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('Parser-', last(split(variables('parserObject1')._parserId1,'/'))))]",
 "dependsOn": [
- "[variables('_parserName1')]"
+ "[variables('parserObject1')._parserId1]"
 ],
 "properties": {
- "parentId": "[resourceId('Microsoft.OperationalInsights/workspaces/savedSearches', parameters('workspace'), variables('parserName1'))]",
- "contentId": "[variables('_parserContentId1')]",
+ "parentId": "[resourceId('Microsoft.OperationalInsights/workspaces/savedSearches', parameters('workspace'), 'Box Data Parser')]",
+ "contentId": "[variables('parserObject1').parserContentId1]",
 "kind": "Parser",
- "version": "[variables('parserVersion1')]",
+ "version": "[variables('parserObject1').parserVersion1]",
 "source": {
 "name": "Box",
 "kind": "Solution",
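Review bot: The new `parentId` hard-codes the savedSearch name as the literal `'Box Data Parser'`, while the savedSearches resource this metadata describes takes its name from `variables('parserObject1')._parserName1` (visible in the following hunk), so a rename in one place leaves a metadata record whose parent no longer resolves. The `dependsOn` line on the new side already uses `variables('parserObject1')._parserId1` as that resource's id, so if `_parserId1` is the savedSearch resource id the link can be made explicit with a single line: `"parentId": "[variables('parserObject1')._parserId1]"`. `parserObject1` is defined outside this hunk, so confirm its `_parserId1` shape before relying on it, and if this template is emitted by a packaging tool the change belongs in the generator rather than in the output. The enclosing `resources` array begins and ends outside the hunk.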
@@ -353,31 +373,31 @@
 "packageName": "[variables('_solutionName')]",
 "packageId": "[variables('_solutionId')]",
 "contentSchemaVersion": "3.0.0",
- "contentId": "[variables('_parserContentId1')]",
+ "contentId": "[variables('parserObject1').parserContentId1]",
 "contentKind": "Parser",
 "displayName": "Box Data Parser",
- "contentProductId": "[variables('_parsercontentProductId1')]",
- "id": "[variables('_parsercontentProductId1')]",
- "version": "[variables('parserVersion1')]"
+ "contentProductId": "[concat(take(variables('_solutionId'),50),'-','pr','-', uniqueString(concat(variables('_solutionId'),'-','Parser','-',variables('parserObject1').parserContentId1,'-', '2.0.0')))]",
+ "id": "[concat(take(variables('_solutionId'),50),'-','pr','-', uniqueString(concat(variables('_solutionId'),'-','Parser','-',variables('parserObject1').parserContentId1,'-', '2.0.0')))]",
+ "version": "[variables('parserObject1').parserVersion1]"
 }
 },
 {
 "type": "Microsoft.OperationalInsights/workspaces/savedSearches",
 "apiVersion": "2022-10-01",
- "name": "[variables('_parserName1')]",
+ "name": "[variables('parserObject1')._parserName1]",
 "location": "[parameters('workspace-location')]",
 "properties": {
 "eTag": "*",
 "displayName": "Box Data Parser",
- "category": "Samples",
+ "category": "Microsoft Sentinel Parser",
 "functionAlias": "BoxEvents",
- "query": "\nBoxEvents_CL\r\n| extend\r\n additional_details_annotation_id_d=column_ifexists('additional_details_annotation_id_d', ''),\r\n additional_details_group_id_s=column_ifexists('additional_details_group_id_s', ''),\r\n additional_details_group_name_s=column_ifexists('additional_details_group_name_s', ''),\r\n source_user_email_s=column_ifexists('source_user_email_s', ''),\r\n additional_details_comment_id_d=column_ifexists('additional_details_comment_id_d', ''),\r\n additional_details_message_s=column_ifexists('additional_details_message_s', ''),\r\n additional_details_task_id_d=column_ifexists('additional_details_task_id_d', ''),\r\n 
additional_details_task_message_s=column_ifexists('additional_details_task_message_s', ''),\r\n additional_details_task_created_by_id_d=column_ifexists('additional_details_task_created_by_id_d', ''),\r\n additional_details_task_created_by_login_s=column_ifexists('additional_details_task_created_by_login_s', ''),\r\n additional_details_task_assignment_assigned_to_id_d=column_ifexists('additional_details_task_assignment_assigned_to_id_d', ''),\r\n additional_details_task_assignment_assigned_to_login_s=column_ifexists('additional_details_task_assignment_assigned_to_login_s', ''),\r\n additional_details_task_assignment_status_s=column_ifexists('additional_details_task_assignment_status_s', ''),\r\n additional_details_task_assignment_message_s=column_ifexists('additional_details_task_assignment_message_s', ''),\r\n source_file_id_s=column_ifexists('source_file_id_s', ''),\r\n source_file_name_s=column_ifexists('source_file_name_s', ''),\r\n source_parent_name_g=column_ifexists('source_parent_name_g', ''),\r\n source_item_type_s=column_ifexists('source_item_type_s', ''),\r\n source_item_id_s=column_ifexists('source_item_id_s', ''),\r\n source_item_name_s=column_ifexists('source_item_name_s', ''),\r\n source_parent_type_s=column_ifexists('source_parent_type_s', ''),\r\n source_parent_name_s=column_ifexists('source_parent_name_s', ''),\r\n source_parent_id_s=column_ifexists('source_parent_id_s', ''),\r\n source_owned_by_type_s=column_ifexists('source_owned_by_type_s', ''),\r\n source_owned_by_id_s=column_ifexists('source_owned_by_id_s', ''),\r\n source_owned_by_name_s=column_ifexists('source_owned_by_name_s', ''),\r\n source_owned_by_login_s=column_ifexists('source_owned_by_login_s', ''),\r\n created_by_type_s=column_ifexists('created_by_type_s', ''),\r\n created_by_id_s=column_ifexists('created_by_id_s', ''),\r\n created_by_name_s=column_ifexists('created_by_name_s', ''),\r\n created_by_login_s=column_ifexists('created_by_login_s', ''),\r\n 
created_at_t=column_ifexists('created_at_t', ''),\r\n event_id_g=column_ifexists('event_id_g', ''),\r\n event_type_s=column_ifexists('event_type_s', ''),\r\n ip_address_s=column_ifexists('ip_address_s', ''),\r\n type_s=column_ifexists('type_s', ''),\r\n additional_details_size_d=column_ifexists('additional_details_size_d', ''),\r\n additional_details_ekm_id_g=column_ifexists('additional_details_ekm_id_g', ''),\r\n additional_details_version_id_s=column_ifexists('additional_details_version_id_s', ''),\r\n additional_details_service_id_s=column_ifexists('additional_details_service_id_s', ''),\r\n additional_details_service_name_s=column_ifexists('additional_details_service_name_s', ''),\r\n source_type_s=column_ifexists('source_type_s', ''),\r\n source_id_s=column_ifexists('source_id_s', ''),\r\n source_name_s=column_ifexists('source_name_s', ''),\r\n source_login_s=column_ifexists('source_login_s', ''),\r\n additional_details_access_token_identifier_s=column_ifexists('additional_details_access_token_identifier_s', ''),\r\n additional_details_shared_link_id_s=column_ifexists('additional_details_shared_link_id_s', ''),\r\n source_folder_id_s=column_ifexists('source_folder_id_s', ''),\r\n source_folder_name_s=column_ifexists('source_folder_name_s', ''),\r\n source_user_id_s=column_ifexists('source_user_id_s', ''),\r\n source_user_name_s=column_ifexists('source_user_name_s', ''),\r\n accessible_by_type_s=column_ifexists('accessible_by_type_s', ''),\r\n accessible_by_id_s=column_ifexists('accessible_by_id_s', ''),\r\n accessible_by_name_s=column_ifexists('accessible_by_name_s', ''),\r\n accessible_by_login_s=column_ifexists('accessible_by_login_s', ''),\r\n additional_details_type_s=column_ifexists('additional_details_type_s', ''),\r\n additional_details_collab_id_s=column_ifexists('additional_details_collab_id_s', ''),\r\n additional_details_role_s=column_ifexists('additional_details_role_s', ''),\r\n 
additional_details_is_performed_by_admin_b=column_ifexists('additional_details_is_performed_by_admin_b', ''),\r\n session_id_s=column_ifexists('session_id_s', '')\r\n| project-rename\r\n AdditionalDetailsAnnotationId=additional_details_annotation_id_d,\r\n AdditionalDetailsGroupId=additional_details_group_id_s,\r\n AdditionalDetailsGroupName=additional_details_group_name_s,\r\n SourceUserEmail=source_user_email_s,\r\n AdditionalDetailsCommentId=additional_details_comment_id_d,\r\n AdditionalDetailsMessage=additional_details_message_s,\r\n AdditionalDetailsTaskId=additional_details_task_id_d,\r\n AdditionalDetailsTaskMessage=additional_details_task_message_s,\r\n AdditionalDetailsTaskCreatedById=additional_details_task_created_by_id_d,\r\n AdditionalDetailsTaskCreatedByLogin=additional_details_task_created_by_login_s,\r\n AdditionalDetailsTaskAssignmentAssignedToId=additional_details_task_assignment_assigned_to_id_d,\r\n AdditionalDetailsTaskAssignmentAssignedToLogin=additional_details_task_assignment_assigned_to_login_s,\r\n AdditionalDetailsTaskAssignmentStatus=additional_details_task_assignment_status_s,\r\n AdditionalDetailsTaskAssignmentMessage=additional_details_task_assignment_message_s,\r\n SourceFileId=source_file_id_s,\r\n SourceFileName=source_file_name_s,\r\n SourceParentName=source_parent_name_g,\r\n SourceItemType=source_item_type_s,\r\n SourceItemId=source_item_id_s,\r\n SourceItemName=source_item_name_s,\r\n SourceParentType=source_parent_type_s,\r\n FileDirectory=source_parent_name_s,\r\n SourceParentId=source_parent_id_s,\r\n SourceOwnedByType=source_owned_by_type_s,\r\n SourceOwnedById=source_owned_by_id_s,\r\n SourceOwnedByName=source_owned_by_name_s,\r\n SourceOwnedByLogin=source_owned_by_login_s,\r\n CreatedByType=created_by_type_s,\r\n SrcUserSid=created_by_id_s,\r\n SrcUserName=created_by_name_s,\r\n SrcUserUpn=created_by_login_s,\r\n EventEndTime=created_at_t,\r\n EventId=event_id_g,\r\n EventType=event_type_s,\r\n 
SrcIpAddr=ip_address_s,\r\n BoxType=type_s,\r\n FileSize=additional_details_size_d,\r\n AdditionalDetailsEkmId=additional_details_ekm_id_g,\r\n AdditionalDetailsVersionId=additional_details_version_id_s,\r\n AdditionalDetailsServiceId=additional_details_service_id_s,\r\n AdditionalDetailsServiceName=additional_details_service_name_s,\r\n SourceType=source_type_s,\r\n SourceId=source_id_s,\r\n SourceName=source_name_s,\r\n SourceLogin=source_login_s,\r\n AdditionalDetailsAccessTokenIdentifier=additional_details_access_token_identifier_s,\r\n AdditionalDetailsSharedLinkId=additional_details_shared_link_id_s,\r\n SourceFolderId=source_folder_id_s,\r\n SourceFolderName=source_folder_name_s,\r\n SourceUserId=source_user_id_s,\r\n SourceUserName=source_user_name_s,\r\n AccessibleByType=accessible_by_type_s,\r\n AccessibleById=accessible_by_id_s,\r\n AccessibleByName=accessible_by_name_s,\r\n AccessibleByLogin=accessible_by_login_s,\r\n AdditionalDetailsType=additional_details_type_s,\r\n AdditionalDetailsCollabId=additional_details_collab_id_s,\r\n AdditionalDetailsRole=additional_details_role_s,\r\n AdditionalDetailsIsPerformedByAdmin=additional_details_is_performed_by_admin_b,\r\n UserSessionId=session_id_s",
+ "query": "let BoxEventsv1_empty = datatable(\n additional_details_annotation_id_d:double,\n additional_details_group_id_s:string,\n additional_details_group_name_s:string,\n source_user_email_s:string,\n additional_details_comment_id_d:double,\n additional_details_message_s:string,\n additional_details_task_id_d:double,\n additional_details_task_message_s:string,\n additional_details_task_created_by_id_d:double,\n additional_details_task_created_by_login_s:string,\n additional_details_task_assignment_assigned_to_id_d:double,\n additional_details_task_assignment_assigned_to_login_s:string,\n additional_details_task_assignment_status_s:string,\n additional_details_task_assignment_message_s:string,\n source_file_id_s:string,\n source_file_name_s:string,\n 
source_parent_name_g:guid,\n source_item_type_s:string,\n source_item_id_s:string,\n source_item_name_s:string,\n source_parent_type_s:string,\n source_parent_name_s:string,\n source_parent_id_s:string,\n source_owned_by_type_s:string,\n source_owned_by_id_s:string,\n source_owned_by_name_s:string,\n source_owned_by_login_s:string,\n created_by_type_s:string,\n created_by_id_s:string,\n created_by_name_s:string,\n created_by_login_s:string,\n created_at_t:datetime,\n event_id_g:guid,\n event_type_s:string,\n ip_address_s:string,\n type_s:string,\n additional_details_size_d:double,\n additional_details_ekm_id_g:guid,\n additional_details_version_id_s:string,\n additional_details_service_id_s:string,\n additional_details_service_name_s:string,\n source_type_s:string,\n source_id_s:string,\n source_name_s:string,\n source_login_s:string,\n additional_details_access_token_identifier_s:string,\n additional_details_shared_link_id_s:string,\n source_folder_id_s:string,\n source_folder_name_s:string,\n source_user_id_s:string,\n source_user_name_s:string,\n accessible_by_type_s:string,\n accessible_by_id_s:string,\n accessible_by_name_s:string,\n accessible_by_login_s:string,\n additional_details_type_s:string,\n additional_details_collab_id_s:string,\n additional_details_role_s:string,\n additional_details_is_performed_by_admin_b:bool,\n session_id_s:string\n)[]; let BoxEventsv1 = union isfuzzy=true BoxEvents_CL, BoxEventsv1_empty\n | extend\n additional_details_annotation_id_s=column_ifexists('additional_details_annotation_id_s', ''),\n additional_details_group_id_s=column_ifexists('additional_details_group_id_s', ''),\n additional_details_group_name_s=column_ifexists('additional_details_group_name_s', ''),\n source_user_email_s=column_ifexists('source_user_email_s', ''),\n additional_details_comment_id_d=column_ifexists('additional_details_comment_id_d', ''),\n additional_details_message_s=column_ifexists('additional_details_message_s', ''),\n 
additional_details_task_id_d=column_ifexists('additional_details_task_id_d', ''),\n additional_details_task_message_s=column_ifexists('additional_details_task_message_s', ''),\n additional_details_task_created_by_id_d=column_ifexists('additional_details_task_created_by_id_d', ''),\n additional_details_task_created_by_login_s=column_ifexists('additional_details_task_created_by_login_s', ''),\n additional_details_task_assignment_assigned_to_id_d=column_ifexists('additional_details_task_assignment_assigned_to_id_d', ''),\n additional_details_task_assignment_assigned_to_login_s=column_ifexists('additional_details_task_assignment_assigned_to_login_s', ''),\n additional_details_task_assignment_status_s=column_ifexists('additional_details_task_assignment_status_s', ''),\n additional_details_task_assignment_message_s=column_ifexists('additional_details_task_assignment_message_s', ''),\n source_file_id_s=column_ifexists('source_file_id_s', ''),\n source_file_name_s=column_ifexists('source_file_name_s', ''),\n source_parent_name_g=column_ifexists('source_parent_name_g', ''),\n source_item_type_s=column_ifexists('source_item_type_s', ''),\n source_item_id_s=column_ifexists('source_item_id_s', ''),\n source_item_name_s=column_ifexists('source_item_name_s', ''),\n source_parent_type_s=column_ifexists('source_parent_type_s', ''),\n source_parent_name_s=column_ifexists('source_parent_name_s', ''),\n source_parent_id_s=column_ifexists('source_parent_id_s', ''),\n source_owned_by_type_s=column_ifexists('source_owned_by_type_s', ''),\n source_owned_by_id_s=column_ifexists('source_owned_by_id_s', ''),\n source_owned_by_name_s=column_ifexists('source_owned_by_name_s', ''),\n source_owned_by_login_s=column_ifexists('source_owned_by_login_s', ''),\n created_by_type_s=column_ifexists('created_by_type_s', ''),\n created_by_id_s=column_ifexists('created_by_id_s', ''),\n created_by_name_s=column_ifexists('created_by_name_s', ''),\n created_by_login_s=column_ifexists('created_by_login_s', 
''),\n created_at_t=column_ifexists('created_at_t', ''),\n event_id_g=column_ifexists('event_id_g', ''),\n event_type_s=column_ifexists('event_type_s', ''),\n ip_address_s=column_ifexists('ip_address_s', ''),\n type_s=column_ifexists('type_s', ''),\n additional_details_size_d=column_ifexists('additional_details_size_d', ''),\n additional_details_ekm_id_g=column_ifexists('additional_details_ekm_id_g', ''),\n additional_details_version_id_s=column_ifexists('additional_details_version_id_s', ''),\n additional_details_service_id_s=column_ifexists('additional_details_service_id_s', ''),\n additional_details_service_name_s=column_ifexists('additional_details_service_name_s', ''),\n source_type_s=column_ifexists('source_type_s', ''),\n source_id_s=column_ifexists('source_id_s', ''),\n source_name_s=column_ifexists('source_name_s', ''),\n source_login_s=column_ifexists('source_login_s', ''),\n additional_details_access_token_identifier_s=column_ifexists('additional_details_access_token_identifier_s', ''),\n additional_details_shared_link_id_s=column_ifexists('additional_details_shared_link_id_s', ''),\n source_folder_id_s=column_ifexists('source_folder_id_s', ''),\n source_folder_name_s=column_ifexists('source_folder_name_s', ''),\n source_user_id_s=column_ifexists('source_user_id_s', ''),\n source_user_name_s=column_ifexists('source_user_name_s', ''),\n accessible_by_type_s=column_ifexists('accessible_by_type_s', ''),\n accessible_by_id_s=column_ifexists('accessible_by_id_s', ''),\n accessible_by_name_s=column_ifexists('accessible_by_name_s', ''),\n accessible_by_login_s=column_ifexists('accessible_by_login_s', ''),\n additional_details_type_s=column_ifexists('additional_details_type_s', ''),\n additional_details_collab_id_s=column_ifexists('additional_details_collab_id_s', ''),\n additional_details_role_s=column_ifexists('additional_details_role_s', ''),\n additional_details_is_performed_by_admin_b=column_ifexists('additional_details_is_performed_by_admin_b', ''),\n 
session_id_s=column_ifexists('session_id_s', '')\n | project-rename\n AdditionalDetailsAnnotationId=additional_details_annotation_id_s,\n AdditionalDetailsGroupId=additional_details_group_id_s,\n AdditionalDetailsGroupName=additional_details_group_name_s,\n SourceUserEmail=source_user_email_s,\n AdditionalDetailsCommentId=additional_details_comment_id_d,\n AdditionalDetailsMessage=additional_details_message_s,\n AdditionalDetailsTaskId=additional_details_task_id_d,\n AdditionalDetailsTaskMessage=additional_details_task_message_s,\n AdditionalDetailsTaskCreatedById=additional_details_task_created_by_id_d,\n AdditionalDetailsTaskCreatedByLogin=additional_details_task_created_by_login_s,\n AdditionalDetailsTaskAssignmentAssignedToId=additional_details_task_assignment_assigned_to_id_d,\n AdditionalDetailsTaskAssignmentAssignedToLogin=additional_details_task_assignment_assigned_to_login_s,\n AdditionalDetailsTaskAssignmentStatus=additional_details_task_assignment_status_s,\n AdditionalDetailsTaskAssignmentMessage=additional_details_task_assignment_message_s,\n SourceFileId=source_file_id_s,\n SourceFileName=source_file_name_s,\n SourceParentName=source_parent_name_g,\n SourceItemType=source_item_type_s,\n SourceItemId=source_item_id_s,\n SourceItemName=source_item_name_s,\n SourceParentType=source_parent_type_s,\n FileDirectory=source_parent_name_s,\n SourceParentId=source_parent_id_s,\n SourceOwnedByType=source_owned_by_type_s,\n SourceOwnedById=source_owned_by_id_s,\n SourceOwnedByName=source_owned_by_name_s,\n SourceOwnedByLogin=source_owned_by_login_s,\n CreatedByType=created_by_type_s,\n SrcUserSid=created_by_id_s,\n SrcUserName=created_by_name_s,\n SrcUserUpn=created_by_login_s,\n EventEndTime=created_at_t,\n EventId=event_id_g,\n EventType=event_type_s,\n SrcIpAddr=ip_address_s,\n BoxType=type_s,\n FileSize=additional_details_size_d,\n AdditionalDetailsEkmId=additional_details_ekm_id_g,\n AdditionalDetailsVersionId=additional_details_version_id_s,\n 
AdditionalDetailsServiceId=additional_details_service_id_s,\n AdditionalDetailsServiceName=additional_details_service_name_s,\n SourceType=source_type_s,\n SourceId=source_id_s,\n SourceName=source_name_s,\n SourceLogin=source_login_s,\n AdditionalDetailsAccessTokenIdentifier=additional_details_access_token_identifier_s,\n AdditionalDetailsSharedLinkId=additional_details_shared_link_id_s,\n SourceFolderId=source_folder_id_s,\n SourceFolderName=source_folder_name_s,\n SourceUserId=source_user_id_s,\n SourceUserName=source_user_name_s,\n AccessibleByType=accessible_by_type_s,\n AccessibleById=accessible_by_id_s,\n AccessibleByName=accessible_by_name_s,\n AccessibleByLogin=accessible_by_login_s,\n AdditionalDetailsType=additional_details_type_s,\n AdditionalDetailsCollabId=additional_details_collab_id_s,\n AdditionalDetailsRole=additional_details_role_s,\n AdditionalDetailsIsPerformedByAdmin=additional_details_is_performed_by_admin_b,\n UserSessionId=session_id_s;\n let BoxEventsv2 = union isfuzzy=true BoxEventsv1_empty, BoxEventsV2_CL |\n extend additional_details_annotation_id_s=tostring(additional_details.annotation_id),\n additional_details_group_id_s=tostring(additional_details.group_id),\n additional_details_group_name_s=tostring(additional_details.group_name),\n source_user_email_s=source_user_email,\n additional_details_comment_id_d=todouble(additional_details.comment_id),\n additional_details_message_s=tostring(additional_details.message),\n additional_details_task_id_d=todouble(additional_details.task.id),\n additional_details_task_message_s=tostring(additional_details.task.message),\n additional_details_task_created_by_id_d=todouble(additional_details.task.created_by.id),\n additional_details_task_created_by_login_s=tostring(additional_details.task.created_by.login),\n additional_details_task_assignment_assigned_to_id_d=todouble(additional_details.task_assignment.assigned_to.id),\n 
additional_details_task_assignment_assigned_to_login_s=tostring(additional_details.task_assignment.assigned_to.login),\n additional_details_task_assignment_status_s=tostring(additional_details.task_assignment.status),\n additional_details_task_assignment_message_s=tostring(additional_details.task_assignment.message),\n source_file_id_s=source_file_id,\n source_file_name_s=source_file_name,\n source_parent_name_g=source_parent_name,\n source_item_type_s=source_item_type,\n source_item_id_s=source_item_id,\n source_item_name_s=source_item_name,\n source_parent_type_s=source_parent_type,\n source_parent_name_s=source_parent_name,\n source_parent_id_s=source_parent_id,\n source_owned_by_type_s=source_owned_by_type,\n source_owned_by_id_s=source_owned_by_id,\n source_owned_by_name_s=source_owned_by_name,\n source_owned_by_login_s=source_owned_by_login,\n created_by_type_s=created_by_type,\n created_by_id_s=created_by_id,\n created_by_name_s=created_by_name,\n created_by_login_s=created_by_login,\n created_at_t=created_at,\n event_id_g=event_id,\n event_type_s=event_type,\n ip_address_s=ip_address,\n type_s=event_type,\n additional_details_size_d=todouble(additional_details.size),\n additional_details_ekm_id_g=toguid(additional_details.ekm_id),\n additional_details_version_id_s=tostring(additional_details.version_id),\n additional_details_service_id_s=tostring(additional_details.service_id),\n additional_details_service_name_s=tostring(additional_details.service_name),\n source_type_s=source_type,\n source_id_s=source_id,\n source_name_s=source_name,\n source_login_s=source_login,\n additional_details_access_token_identifier_s=tostring(additional_details.access_token_identifier),\n additional_details_shared_link_id_s=tostring(additional_details.shared_link_id),\n source_folder_id_s=source_folder_id,\n source_folder_name_s=source_folder_name,\n source_user_id_s=source_user_id,\n source_user_name_s=source_user_name,\n accessible_by_type_s=accessible_by_type,\n 
accessible_by_id_s=accessible_by_id,\n accessible_by_name_s=accessible_by_name,\n accessible_by_login_s=accessible_by_login,\n additional_details_type_s=tostring(additional_details.type),\n additional_details_collab_id_s=tostring(additional_details.collab_id),\n additional_details_role_s=tostring(additional_details.role),\n additional_details_is_performed_by_admin_b=toboolean(additional_details.is_performed_by_admin),\n session_id_s=session_id\n | project-rename\n AdditionalDetailsAnnotationId=additional_details_annotation_id_s,\n AdditionalDetailsGroupId=additional_details_group_id_s,\n AdditionalDetailsGroupName=additional_details_group_name_s,\n SourceUserEmail=source_user_email_s,\n AdditionalDetailsCommentId=additional_details_comment_id_d,\n AdditionalDetailsMessage=additional_details_message_s,\n AdditionalDetailsTaskId=additional_details_task_id_d,\n AdditionalDetailsTaskMessage=additional_details_task_message_s,\n AdditionalDetailsTaskCreatedById=additional_details_task_created_by_id_d,\n AdditionalDetailsTaskCreatedByLogin=additional_details_task_created_by_login_s,\n AdditionalDetailsTaskAssignmentAssignedToId=additional_details_task_assignment_assigned_to_id_d,\n AdditionalDetailsTaskAssignmentAssignedToLogin=additional_details_task_assignment_assigned_to_login_s,\n AdditionalDetailsTaskAssignmentStatus=additional_details_task_assignment_status_s,\n AdditionalDetailsTaskAssignmentMessage=additional_details_task_assignment_message_s,\n SourceFileId=source_file_id_s,\n SourceFileName=source_file_name_s,\n SourceParentName=source_parent_name_g,\n SourceItemType=source_item_type_s,\n SourceItemId=source_item_id_s,\n SourceItemName=source_item_name_s,\n SourceParentType=source_parent_type_s,\n FileDirectory=source_parent_name_s,\n SourceParentId=source_parent_id_s,\n SourceOwnedByType=source_owned_by_type_s,\n SourceOwnedById=source_owned_by_id_s,\n SourceOwnedByName=source_owned_by_name_s,\n SourceOwnedByLogin=source_owned_by_login_s,\n 
CreatedByType=created_by_type_s,\n SrcUserSid=created_by_id_s,\n SrcUserName=created_by_name_s,\n SrcUserUpn=created_by_login_s,\n EventEndTime=TimeGenerated,\n EventId=event_id_g,\n EventType=event_type_s,\n SrcIpAddr=ip_address_s,\n BoxType=type_s,\n FileSize=additional_details_size_d,\n AdditionalDetailsEkmId=additional_details_ekm_id_g,\n AdditionalDetailsVersionId=additional_details_version_id_s,\n AdditionalDetailsServiceId=additional_details_service_id_s,\n AdditionalDetailsServiceName=additional_details_service_name_s,\n SourceType=source_type_s,\n SourceId=source_id_s,\n SourceName=source_name_s,\n SourceLogin=source_login_s,\n AdditionalDetailsAccessTokenIdentifier=additional_details_access_token_identifier_s,\n AdditionalDetailsSharedLinkId=additional_details_shared_link_id_s,\n SourceFolderId=source_folder_id_s,\n SourceFolderName=source_folder_name_s,\n SourceUserId=source_user_id_s,\n SourceUserName=source_user_name_s,\n AccessibleByType=accessible_by_type_s,\n AccessibleById=accessible_by_id_s,\n AccessibleByName=accessible_by_name_s,\n AccessibleByLogin=accessible_by_login_s,\n AdditionalDetailsType=additional_details_type_s,\n AdditionalDetailsCollabId=additional_details_collab_id_s,\n AdditionalDetailsRole=additional_details_role_s,\n AdditionalDetailsIsPerformedByAdmin=additional_details_is_performed_by_admin_b,\n UserSessionId=session_id_s\n | project-away created_at, event_category, additional_details*, event_id, event_type, ip_address, source*, created_by*, accessible_by*, created_at_t;\n union isfuzzy=true BoxEventsv2, BoxEventsv1\n | project-reorder EventEndTime, Source*\n",
  "functionParameters": "",
- "version": 1,
+ "version": 2,
  "tags": [
  {
  "name": "description",
- "value": "Box Data Parser"
+ "value": ""
  }
  ]
  }
@@ -386,15 +406,15 @@
  "type": "Microsoft.OperationalInsights/workspaces/providers/metadata",
  "apiVersion": "2022-01-01-preview",
  "location": "[parameters('workspace-location')]",
- "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('Parser-', last(split(variables('_parserId1'),'/'))))]",
+ "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('Parser-', last(split(variables('parserObject1')._parserId1,'/'))))]",
  "dependsOn": [
- "[variables('_parserId1')]"
+ "[variables('parserObject1')._parserId1]"
  ],
  "properties": {
- "parentId": "[resourceId('Microsoft.OperationalInsights/workspaces/savedSearches', parameters('workspace'), variables('parserName1'))]",
- "contentId": "[variables('_parserContentId1')]",
+ "parentId": "[resourceId('Microsoft.OperationalInsights/workspaces/savedSearches', parameters('workspace'), 'Box Data Parser')]",
+ "contentId": "[variables('parserObject1').parserContentId1]",
  "kind": "Parser",
- "version": "[variables('parserVersion1')]",
+ "version": "[variables('parserObject1').parserVersion1]",
  "source": {
  "kind": "Solution",
  "name": "Box",
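Review bot: The new `parentId` hard-codes the saved-search name as the literal `'Box Data Parser'`, while the sibling `name` and `dependsOn` entries of the same resource derive the parser's identity from `variables('parserObject1')._parserId1`, so a rename applied in one place will silently leave the metadata pointing at a parent that no longer exists. Prefer a single source of truth: either a name property on `parserObject1`, if the object carries one, or the `variables('parserName1')` the removed line used, e.g. `"parentId": "[resourceId('Microsoft.OperationalInsights/workspaces/savedSearches', parameters('workspace'), variables('parserName1'))]"`. The keys read from `parserObject1` also mix an underscore prefix (`_parserId1`) with none (`parserContentId1`, `parserVersion1`); the variables block is outside this hunk, so confirm the object actually exposes these exact keys, since a misspelled property reference in an ARM expression fails only at deployment time.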
@@ -415,16 +435,16 @@
  {
  "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates",
  "apiVersion": "2023-04-01-preview",
- "name": "[variables('huntingQueryTemplateSpecName1')]",
+ "name": "[variables('huntingQueryObject1').huntingQueryTemplateSpecName1]",
  "location": "[parameters('workspace-location')]",
  "dependsOn": [
  "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
  ],
  "properties": {
- "description": "BoxAdminIpAddress_HuntingQueries Hunting Query with template version 3.0.1",
+ "description": "BoxAdminIpAddress_HuntingQueries Hunting Query with template version 3.1.0",
  "mainTemplate": {
  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
- "contentVersion": "[variables('huntingQueryVersion1')]",
+ "contentVersion": "[variables('huntingQueryObject1').huntingQueryVersion1]",
  "parameters": {},
  "variables": {},
  "resources": [
@@ -458,13 +478,13 @@
  {
  "type": "Microsoft.OperationalInsights/workspaces/providers/metadata",
  "apiVersion": "2022-01-01-preview",
- "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('HuntingQuery-', last(split(variables('huntingQueryId1'),'/'))))]",
+ "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('HuntingQuery-', last(split(resourceId('Microsoft.OperationalInsights/savedSearches', variables('huntingQueryObject1')._huntingQuerycontentId1),'/'))))]",
  "properties": {
  "description": "Box Hunting Query 1",
- "parentId": "[variables('huntingQueryId1')]",
- "contentId": "[variables('_huntingQuerycontentId1')]",
+ "parentId": "[resourceId('Microsoft.OperationalInsights/savedSearches', variables('huntingQueryObject1')._huntingQuerycontentId1)]",
+ "contentId": "[variables('huntingQueryObject1')._huntingQuerycontentId1]",
  "kind": "HuntingQuery",
- "version": "[variables('huntingQueryVersion1')]",
+ "version": "[variables('huntingQueryObject1').huntingQueryVersion1]",
  "source": {
  "kind": "Solution",
  "name": "Box",
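Review bot: The new `parentId` is built with `resourceId('Microsoft.OperationalInsights/savedSearches', …)`, a type path with no `workspaces/` parent segment, whereas the parser metadata earlier in this file scopes the same kind of reference as `Microsoft.OperationalInsights/workspaces/savedSearches` under `parameters('workspace')`; if anything ever resolves this id it will not match a deployed saved search, so confirm it is meant only as an opaque identifier for the metadata record. The `name` expression then takes `last(split(resourceId(…, X),'/'))`, which is just X again, so the round trip can be written directly as `concat('HuntingQuery-', variables('huntingQueryObject1')._huntingQuerycontentId1)`. The same pattern recurs for hunting queries 2–9 in the hunks at -543, -628, -713, -798, -883, -968, -1053 and -1138.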
@@ -489,27 +509,27 @@
  "packageName": "[variables('_solutionName')]",
  "packageId": "[variables('_solutionId')]",
  "contentSchemaVersion": "3.0.0",
- "contentId": "[variables('_huntingQuerycontentId1')]",
+ "contentId": "[variables('huntingQueryObject1')._huntingQuerycontentId1]",
  "contentKind": "HuntingQuery",
  "displayName": "Box - IP list for admin users",
- "contentProductId": "[variables('_huntingQuerycontentProductId1')]",
- "id": "[variables('_huntingQuerycontentProductId1')]",
- "version": "[variables('huntingQueryVersion1')]"
+ "contentProductId": "[concat(take(variables('_solutionId'),50),'-','hq','-', uniqueString(concat(variables('_solutionId'),'-','HuntingQuery','-',variables('huntingQueryObject1')._huntingQuerycontentId1,'-', '1.0.0')))]",
+ "id": "[concat(take(variables('_solutionId'),50),'-','hq','-', uniqueString(concat(variables('_solutionId'),'-','HuntingQuery','-',variables('huntingQueryObject1')._huntingQuerycontentId1,'-', '1.0.0')))]",
+ "version": "1.0.0"
  }
  },
  {
  "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates",
  "apiVersion": "2023-04-01-preview",
- "name": "[variables('huntingQueryTemplateSpecName2')]",
+ "name": "[variables('huntingQueryObject2').huntingQueryTemplateSpecName2]",
  "location": "[parameters('workspace-location')]",
  "dependsOn": [
  "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
  ],
  "properties": {
- "description": "BoxDeletedUsers_HuntingQueries Hunting Query with template version 3.0.1",
+ "description": "BoxDeletedUsers_HuntingQueries Hunting Query with template version 3.1.0",
  "mainTemplate": {
  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
- "contentVersion": "[variables('huntingQueryVersion2')]",
+ "contentVersion": "[variables('huntingQueryObject2').huntingQueryVersion2]",
  "parameters": {},
  "variables": {},
  "resources": [
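Review bot: The package metadata's `version` is now the literal `"1.0.0"`, and the same literal is baked into the `uniqueString(...)` that produces `contentProductId` and `id`, while the template spec's `contentVersion` for this same query (hunk at -415) still reads `variables('huntingQueryObject1').huntingQueryVersion1`; on the next bump the two can disagree, and whether the product id is supposed to change with the version is left implicit. If the pin is not deliberate, source it from the object too, `"version": "[variables('huntingQueryObject1').huntingQueryVersion1]"`, and use that same property inside the `uniqueString` concat. `contentProductId` and `id` also duplicate one long expression verbatim; computing it once in the variables block keeps them identical by construction. The same applies to the hunks at -574, -659, -744, -829, -914, -999 and -1084.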
@@ -543,13 +563,13 @@
  {
  "type": "Microsoft.OperationalInsights/workspaces/providers/metadata",
  "apiVersion": "2022-01-01-preview",
- "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('HuntingQuery-', last(split(variables('huntingQueryId2'),'/'))))]",
+ "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('HuntingQuery-', last(split(resourceId('Microsoft.OperationalInsights/savedSearches', variables('huntingQueryObject2')._huntingQuerycontentId2),'/'))))]",
  "properties": {
  "description": "Box Hunting Query 2",
- "parentId": "[variables('huntingQueryId2')]",
- "contentId": "[variables('_huntingQuerycontentId2')]",
+ "parentId": "[resourceId('Microsoft.OperationalInsights/savedSearches', variables('huntingQueryObject2')._huntingQuerycontentId2)]",
+ "contentId": "[variables('huntingQueryObject2')._huntingQuerycontentId2]",
  "kind": "HuntingQuery",
- "version": "[variables('huntingQueryVersion2')]",
+ "version": "[variables('huntingQueryObject2').huntingQueryVersion2]",
  "source": {
  "kind": "Solution",
  "name": "Box",
@@ -574,27 +594,27 @@
  "packageName": "[variables('_solutionName')]",
  "packageId": "[variables('_solutionId')]",
  "contentSchemaVersion": "3.0.0",
- "contentId": "[variables('_huntingQuerycontentId2')]",
+ "contentId": "[variables('huntingQueryObject2')._huntingQuerycontentId2]",
  "contentKind": "HuntingQuery",
  "displayName": "Box - Deleted users",
- "contentProductId": "[variables('_huntingQuerycontentProductId2')]",
- "id": "[variables('_huntingQuerycontentProductId2')]",
- "version": "[variables('huntingQueryVersion2')]"
+ "contentProductId": "[concat(take(variables('_solutionId'),50),'-','hq','-', uniqueString(concat(variables('_solutionId'),'-','HuntingQuery','-',variables('huntingQueryObject2')._huntingQuerycontentId2,'-', '1.0.0')))]",
+ "id": "[concat(take(variables('_solutionId'),50),'-','hq','-', uniqueString(concat(variables('_solutionId'),'-','HuntingQuery','-',variables('huntingQueryObject2')._huntingQuerycontentId2,'-', '1.0.0')))]",
+ "version": "1.0.0"
  }
  },
  {
  "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates",
  "apiVersion": "2023-04-01-preview",
- "name": "[variables('huntingQueryTemplateSpecName3')]",
+ "name": "[variables('huntingQueryObject3').huntingQueryTemplateSpecName3]",
  "location": "[parameters('workspace-location')]",
  "dependsOn": [
  "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
  ],
  "properties": {
- "description": "BoxInactiveAdmins_HuntingQueries Hunting Query with template version 3.0.1",
+ "description": "BoxInactiveAdmins_HuntingQueries Hunting Query with template version 3.1.0",
  "mainTemplate": {
  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
- "contentVersion": "[variables('huntingQueryVersion3')]",
+ "contentVersion": "[variables('huntingQueryObject3').huntingQueryVersion3]",
  "parameters": {},
  "variables": {},
  "resources": [
@@ -628,13 +648,13 @@
  {
  "type": "Microsoft.OperationalInsights/workspaces/providers/metadata",
  "apiVersion": "2022-01-01-preview",
- "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('HuntingQuery-', last(split(variables('huntingQueryId3'),'/'))))]",
+ "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('HuntingQuery-', last(split(resourceId('Microsoft.OperationalInsights/savedSearches', variables('huntingQueryObject3')._huntingQuerycontentId3),'/'))))]",
  "properties": {
  "description": "Box Hunting Query 3",
- "parentId": "[variables('huntingQueryId3')]",
- "contentId": "[variables('_huntingQuerycontentId3')]",
+ "parentId": "[resourceId('Microsoft.OperationalInsights/savedSearches', variables('huntingQueryObject3')._huntingQuerycontentId3)]",
+ "contentId": "[variables('huntingQueryObject3')._huntingQuerycontentId3]",
  "kind": "HuntingQuery",
- "version": "[variables('huntingQueryVersion3')]",
+ "version": "[variables('huntingQueryObject3').huntingQueryVersion3]",
  "source": {
  "kind": "Solution",
  "name": "Box",
@@ -659,27 +679,27 @@
  "packageName": "[variables('_solutionName')]",
  "packageId": "[variables('_solutionId')]",
  "contentSchemaVersion": "3.0.0",
- "contentId": "[variables('_huntingQuerycontentId3')]",
+ "contentId": "[variables('huntingQueryObject3')._huntingQuerycontentId3]",
  "contentKind": "HuntingQuery",
  "displayName": "Box - Inactive admin users",
- "contentProductId": "[variables('_huntingQuerycontentProductId3')]",
- "id": "[variables('_huntingQuerycontentProductId3')]",
- "version": "[variables('huntingQueryVersion3')]"
+ "contentProductId": "[concat(take(variables('_solutionId'),50),'-','hq','-', uniqueString(concat(variables('_solutionId'),'-','HuntingQuery','-',variables('huntingQueryObject3')._huntingQuerycontentId3,'-', '1.0.0')))]",
+ "id": "[concat(take(variables('_solutionId'),50),'-','hq','-', uniqueString(concat(variables('_solutionId'),'-','HuntingQuery','-',variables('huntingQueryObject3')._huntingQuerycontentId3,'-', '1.0.0')))]",
+ "version": "1.0.0"
  }
  },
  {
  "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates",
  "apiVersion": "2023-04-01-preview",
- "name": "[variables('huntingQueryTemplateSpecName4')]",
+ "name": "[variables('huntingQueryObject4').huntingQueryTemplateSpecName4]",
  "location": "[parameters('workspace-location')]",
  "dependsOn": [
  "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
  ],
  "properties": {
- "description": "BoxInactiveUsers_HuntingQueries Hunting Query with template version 3.0.1",
+ "description": "BoxInactiveUsers_HuntingQueries Hunting Query with template version 3.1.0",
  "mainTemplate": {
  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
- "contentVersion": "[variables('huntingQueryVersion4')]",
+ "contentVersion": "[variables('huntingQueryObject4').huntingQueryVersion4]",
  "parameters": {},
  "variables": {},
  "resources": [
@@ -713,13 +733,13 @@
  {
  "type": "Microsoft.OperationalInsights/workspaces/providers/metadata",
  "apiVersion": "2022-01-01-preview",
- "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('HuntingQuery-', last(split(variables('huntingQueryId4'),'/'))))]",
+ "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('HuntingQuery-', last(split(resourceId('Microsoft.OperationalInsights/savedSearches', variables('huntingQueryObject4')._huntingQuerycontentId4),'/'))))]",
  "properties": {
  "description": "Box Hunting Query 4",
- "parentId": "[variables('huntingQueryId4')]",
- "contentId": "[variables('_huntingQuerycontentId4')]",
+ "parentId": "[resourceId('Microsoft.OperationalInsights/savedSearches', variables('huntingQueryObject4')._huntingQuerycontentId4)]",
+ "contentId": "[variables('huntingQueryObject4')._huntingQuerycontentId4]",
  "kind": "HuntingQuery",
- "version": "[variables('huntingQueryVersion4')]",
+ "version": "[variables('huntingQueryObject4').huntingQueryVersion4]",
  "source": {
  "kind": "Solution",
  "name": "Box",
@@ -744,27 +764,27 @@
  "packageName": "[variables('_solutionName')]",
  "packageId": "[variables('_solutionId')]",
  "contentSchemaVersion": "3.0.0",
- "contentId": "[variables('_huntingQuerycontentId4')]",
+ "contentId": "[variables('huntingQueryObject4')._huntingQuerycontentId4]",
  "contentKind": "HuntingQuery",
  "displayName": "Box - Inactive users",
- "contentProductId": "[variables('_huntingQuerycontentProductId4')]",
- "id": "[variables('_huntingQuerycontentProductId4')]",
- "version": "[variables('huntingQueryVersion4')]"
+ "contentProductId": "[concat(take(variables('_solutionId'),50),'-','hq','-', uniqueString(concat(variables('_solutionId'),'-','HuntingQuery','-',variables('huntingQueryObject4')._huntingQuerycontentId4,'-', '1.0.0')))]",
+ "id": "[concat(take(variables('_solutionId'),50),'-','hq','-', uniqueString(concat(variables('_solutionId'),'-','HuntingQuery','-',variables('huntingQueryObject4')._huntingQuerycontentId4,'-', '1.0.0')))]",
+ "version": "1.0.0"
  }
  },
  {
  "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates",
  "apiVersion": "2023-04-01-preview",
- "name": "[variables('huntingQueryTemplateSpecName5')]",
+ "name": "[variables('huntingQueryObject5').huntingQueryTemplateSpecName5]",
  "location": "[parameters('workspace-location')]",
  "dependsOn": [
  "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
  ],
  "properties": {
- "description": "BoxNewUsers_HuntingQueries Hunting Query with template version 3.0.1",
+ "description": "BoxNewUsers_HuntingQueries Hunting Query with template version 3.1.0",
  "mainTemplate": {
  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
- "contentVersion": "[variables('huntingQueryVersion5')]",
+ "contentVersion": "[variables('huntingQueryObject5').huntingQueryVersion5]",
  "parameters": {},
  "variables": {},
  "resources": [
@@ -798,13 +818,13 @@
  {
  "type": "Microsoft.OperationalInsights/workspaces/providers/metadata",
  "apiVersion": "2022-01-01-preview",
- "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('HuntingQuery-', last(split(variables('huntingQueryId5'),'/'))))]",
+ "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('HuntingQuery-', last(split(resourceId('Microsoft.OperationalInsights/savedSearches', variables('huntingQueryObject5')._huntingQuerycontentId5),'/'))))]",
  "properties": {
  "description": "Box Hunting Query 5",
- "parentId": "[variables('huntingQueryId5')]",
- "contentId": "[variables('_huntingQuerycontentId5')]",
+ "parentId": "[resourceId('Microsoft.OperationalInsights/savedSearches', variables('huntingQueryObject5')._huntingQuerycontentId5)]",
+ "contentId": "[variables('huntingQueryObject5')._huntingQuerycontentId5]",
  "kind": "HuntingQuery",
- "version": "[variables('huntingQueryVersion5')]",
+ "version": "[variables('huntingQueryObject5').huntingQueryVersion5]",
  "source": {
  "kind": "Solution",
  "name": "Box",
@@ -829,27 +849,27 @@
  "packageName": "[variables('_solutionName')]",
  "packageId": "[variables('_solutionId')]",
  "contentSchemaVersion": "3.0.0",
- "contentId": "[variables('_huntingQuerycontentId5')]",
+ "contentId": "[variables('huntingQueryObject5')._huntingQuerycontentId5]",
  "contentKind": "HuntingQuery",
  "displayName": "Box - New users",
- "contentProductId": "[variables('_huntingQuerycontentProductId5')]",
- "id": "[variables('_huntingQuerycontentProductId5')]",
- "version": "[variables('huntingQueryVersion5')]"
+ "contentProductId": "[concat(take(variables('_solutionId'),50),'-','hq','-', uniqueString(concat(variables('_solutionId'),'-','HuntingQuery','-',variables('huntingQueryObject5')._huntingQuerycontentId5,'-', '1.0.0')))]",
+ "id": "[concat(take(variables('_solutionId'),50),'-','hq','-', uniqueString(concat(variables('_solutionId'),'-','HuntingQuery','-',variables('huntingQueryObject5')._huntingQuerycontentId5,'-', '1.0.0')))]",
+ "version": "1.0.0"
  }
  },
  {
  "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates",
  "apiVersion": "2023-04-01-preview",
- "name": "[variables('huntingQueryTemplateSpecName6')]",
+ "name": "[variables('huntingQueryObject6').huntingQueryTemplateSpecName6]",
  "location": "[parameters('workspace-location')]",
  "dependsOn": [
  "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
  ],
  "properties": {
- "description": "BoxSuspiciousFiles_HuntingQueries Hunting Query with template version 3.0.1",
+ "description": "BoxSuspiciousFiles_HuntingQueries Hunting Query with template version 3.1.0",
  "mainTemplate": {
  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
- "contentVersion": "[variables('huntingQueryVersion6')]",
+ "contentVersion": "[variables('huntingQueryObject6').huntingQueryVersion6]",
  "parameters": {},
  "variables": {},
  "resources": [
@@ -883,13 +903,13 @@
  {
  "type": "Microsoft.OperationalInsights/workspaces/providers/metadata",
  "apiVersion": "2022-01-01-preview",
- "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('HuntingQuery-', last(split(variables('huntingQueryId6'),'/'))))]",
+ "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('HuntingQuery-', last(split(resourceId('Microsoft.OperationalInsights/savedSearches', variables('huntingQueryObject6')._huntingQuerycontentId6),'/'))))]",
  "properties": {
  "description": "Box Hunting Query 6",
- "parentId": "[variables('huntingQueryId6')]",
- "contentId": "[variables('_huntingQuerycontentId6')]",
+ "parentId": "[resourceId('Microsoft.OperationalInsights/savedSearches', variables('huntingQueryObject6')._huntingQuerycontentId6)]",
+ "contentId": "[variables('huntingQueryObject6')._huntingQuerycontentId6]",
  "kind": "HuntingQuery",
- "version": "[variables('huntingQueryVersion6')]",
+ "version": "[variables('huntingQueryObject6').huntingQueryVersion6]",
  "source": {
  "kind": "Solution",
  "name": "Box",
@@ -914,27 +934,27 @@
  "packageName": "[variables('_solutionName')]",
  "packageId": "[variables('_solutionId')]",
  "contentSchemaVersion": "3.0.0",
- "contentId": "[variables('_huntingQuerycontentId6')]",
+ "contentId": "[variables('huntingQueryObject6')._huntingQuerycontentId6]",
  "contentKind": "HuntingQuery",
  "displayName": "Box - Suspicious or sensitive files",
- "contentProductId": "[variables('_huntingQuerycontentProductId6')]",
- "id": "[variables('_huntingQuerycontentProductId6')]",
- "version": "[variables('huntingQueryVersion6')]"
+ "contentProductId": "[concat(take(variables('_solutionId'),50),'-','hq','-', uniqueString(concat(variables('_solutionId'),'-','HuntingQuery','-',variables('huntingQueryObject6')._huntingQuerycontentId6,'-', '1.0.0')))]",
+ "id": "[concat(take(variables('_solutionId'),50),'-','hq','-', uniqueString(concat(variables('_solutionId'),'-','HuntingQuery','-',variables('huntingQueryObject6')._huntingQuerycontentId6,'-', '1.0.0')))]",
+ "version": "1.0.0"
  }
  },
  {
  "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates",
  "apiVersion": "2023-04-01-preview",
- "name": "[variables('huntingQueryTemplateSpecName7')]",
+ "name": "[variables('huntingQueryObject7').huntingQueryTemplateSpecName7]",
  "location": "[parameters('workspace-location')]",
  "dependsOn": [
  "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
  ],
  "properties": {
- "description": "BoxUserDownloadsByVolume_HuntingQueries Hunting Query with template version 3.0.1",
+ "description": "BoxUserDownloadsByVolume_HuntingQueries Hunting Query with template version 3.1.0",
  "mainTemplate": {
  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
- "contentVersion": "[variables('huntingQueryVersion7')]",
+ "contentVersion": "[variables('huntingQueryObject7').huntingQueryVersion7]",
  "parameters": {},
  "variables": {},
  "resources": [
@@ -968,13 +988,13 @@
  {
  "type": "Microsoft.OperationalInsights/workspaces/providers/metadata",
  "apiVersion": "2022-01-01-preview",
- "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('HuntingQuery-', last(split(variables('huntingQueryId7'),'/'))))]",
+ "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('HuntingQuery-', last(split(resourceId('Microsoft.OperationalInsights/savedSearches', variables('huntingQueryObject7')._huntingQuerycontentId7),'/'))))]",
  "properties": {
  "description": "Box Hunting Query 7",
- "parentId": "[variables('huntingQueryId7')]",
- "contentId": "[variables('_huntingQuerycontentId7')]",
+ "parentId": "[resourceId('Microsoft.OperationalInsights/savedSearches', variables('huntingQueryObject7')._huntingQuerycontentId7)]",
+ "contentId": "[variables('huntingQueryObject7')._huntingQuerycontentId7]",
  "kind": "HuntingQuery",
- "version": "[variables('huntingQueryVersion7')]",
+ "version": "[variables('huntingQueryObject7').huntingQueryVersion7]",
  "source": {
  "kind": "Solution",
  "name": "Box",
@@ -999,27 +1019,27 @@
  "packageName": "[variables('_solutionName')]",
  "packageId": "[variables('_solutionId')]",
  "contentSchemaVersion": "3.0.0",
- "contentId": "[variables('_huntingQuerycontentId7')]",
+ "contentId": "[variables('huntingQueryObject7')._huntingQuerycontentId7]",
  "contentKind": "HuntingQuery",
  "displayName": "Box - Downloaded data volume per user",
- "contentProductId": "[variables('_huntingQuerycontentProductId7')]",
- "id": "[variables('_huntingQuerycontentProductId7')]",
- "version": "[variables('huntingQueryVersion7')]"
+ "contentProductId": "[concat(take(variables('_solutionId'),50),'-','hq','-', uniqueString(concat(variables('_solutionId'),'-','HuntingQuery','-',variables('huntingQueryObject7')._huntingQuerycontentId7,'-', '1.0.0')))]",
+ "id": "[concat(take(variables('_solutionId'),50),'-','hq','-', uniqueString(concat(variables('_solutionId'),'-','HuntingQuery','-',variables('huntingQueryObject7')._huntingQuerycontentId7,'-', '1.0.0')))]",
+ "version": "1.0.0"
  }
  },
  {
  "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates",
  "apiVersion": "2023-04-01-preview",
- "name": "[variables('huntingQueryTemplateSpecName8')]",
+ "name": "[variables('huntingQueryObject8').huntingQueryTemplateSpecName8]",
  "location": "[parameters('workspace-location')]",
  "dependsOn": [
  "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
  ],
  "properties": {
- "description": "BoxUserGroupChanges_HuntingQueries Hunting Query with template version 3.0.1",
+ "description": "BoxUserGroupChanges_HuntingQueries Hunting Query with template version 3.1.0",
  "mainTemplate": {
  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
- "contentVersion": "[variables('huntingQueryVersion8')]",
+ "contentVersion": "[variables('huntingQueryObject8').huntingQueryVersion8]",
  "parameters": {},
  "variables": {},
  "resources": [
@@ -1053,13 +1073,13 @@
  {
  "type": "Microsoft.OperationalInsights/workspaces/providers/metadata",
  "apiVersion": "2022-01-01-preview",
- "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('HuntingQuery-', last(split(variables('huntingQueryId8'),'/'))))]",
+ "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('HuntingQuery-', last(split(resourceId('Microsoft.OperationalInsights/savedSearches', variables('huntingQueryObject8')._huntingQuerycontentId8),'/'))))]",
  "properties": {
  "description": "Box Hunting Query 8",
- "parentId": "[variables('huntingQueryId8')]",
- "contentId": "[variables('_huntingQuerycontentId8')]",
+ "parentId": "[resourceId('Microsoft.OperationalInsights/savedSearches', variables('huntingQueryObject8')._huntingQuerycontentId8)]",
+ "contentId": "[variables('huntingQueryObject8')._huntingQuerycontentId8]",
  "kind": "HuntingQuery",
- "version": "[variables('huntingQueryVersion8')]",
+ "version": "[variables('huntingQueryObject8').huntingQueryVersion8]",
  "source": {
  "kind": "Solution",
  "name": "Box",
@@ -1084,27 +1104,27 @@
 "packageName": "[variables('_solutionName')]",
 "packageId": "[variables('_solutionId')]",
 "contentSchemaVersion": "3.0.0",
- "contentId": "[variables('_huntingQuerycontentId8')]",
+ "contentId": "[variables('huntingQueryObject8')._huntingQuerycontentId8]",
 "contentKind": "HuntingQuery",
 "displayName": "Box - New users",
- "contentProductId": "[variables('_huntingQuerycontentProductId8')]",
- "id": "[variables('_huntingQuerycontentProductId8')]",
- "version": "[variables('huntingQueryVersion8')]"
+ "contentProductId": "[concat(take(variables('_solutionId'),50),'-','hq','-', uniqueString(concat(variables('_solutionId'),'-','HuntingQuery','-',variables('huntingQueryObject8')._huntingQuerycontentId8,'-', '1.0.0')))]",
+ "id": "[concat(take(variables('_solutionId'),50),'-','hq','-', uniqueString(concat(variables('_solutionId'),'-','HuntingQuery','-',variables('huntingQueryObject8')._huntingQuerycontentId8,'-', '1.0.0')))]",
+ "version": "1.0.0"
 }
 },
 {
 "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates",
 "apiVersion": "2023-04-01-preview",
- "name": "[variables('huntingQueryTemplateSpecName9')]",
+ "name": "[variables('huntingQueryObject9').huntingQueryTemplateSpecName9]",
 "location": "[parameters('workspace-location')]",
 "dependsOn": [
 "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
 ],
 "properties": {
- "description": "BoxUserUploadsByVolume_HuntingQueries Hunting Query with template version 3.0.1",
+ "description": "BoxUserUploadsByVolume_HuntingQueries Hunting Query with template version 3.1.0",
 "mainTemplate": {
 "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
- "contentVersion": "[variables('huntingQueryVersion9')]",
+ "contentVersion": "[variables('huntingQueryObject9').huntingQueryVersion9]",
 "parameters": {},
 "variables": {},
 "resources": [
@@ -1138,13 +1158,13 @@
 {
 "type": "Microsoft.OperationalInsights/workspaces/providers/metadata",
 "apiVersion": "2022-01-01-preview",
- "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('HuntingQuery-', last(split(variables('huntingQueryId9'),'/'))))]",
+ "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('HuntingQuery-', last(split(resourceId('Microsoft.OperationalInsights/savedSearches', variables('huntingQueryObject9')._huntingQuerycontentId9),'/'))))]",
 "properties": {
 "description": "Box Hunting Query 9",
- "parentId": "[variables('huntingQueryId9')]",
- "contentId": "[variables('_huntingQuerycontentId9')]",
+ "parentId": "[resourceId('Microsoft.OperationalInsights/savedSearches', variables('huntingQueryObject9')._huntingQuerycontentId9)]",
+ "contentId": "[variables('huntingQueryObject9')._huntingQuerycontentId9]",
 "kind": "HuntingQuery",
- "version": "[variables('huntingQueryVersion9')]",
+ "version": "[variables('huntingQueryObject9').huntingQueryVersion9]",
 "source": {
 "kind": "Solution",
 "name": "Box",
@@ -1169,27 +1189,27 @@
 "packageName": "[variables('_solutionName')]",
 "packageId": "[variables('_solutionId')]",
 "contentSchemaVersion": "3.0.0",
- "contentId": "[variables('_huntingQuerycontentId9')]",
+ "contentId": "[variables('huntingQueryObject9')._huntingQuerycontentId9]",
 "contentKind": "HuntingQuery",
 "displayName": "Box - Uploaded data volume per user",
- "contentProductId": "[variables('_huntingQuerycontentProductId9')]",
- "id": "[variables('_huntingQuerycontentProductId9')]",
- "version": "[variables('huntingQueryVersion9')]"
+ "contentProductId": "[concat(take(variables('_solutionId'),50),'-','hq','-', uniqueString(concat(variables('_solutionId'),'-','HuntingQuery','-',variables('huntingQueryObject9')._huntingQuerycontentId9,'-', '1.0.0')))]",
+ "id": "[concat(take(variables('_solutionId'),50),'-','hq','-', uniqueString(concat(variables('_solutionId'),'-','HuntingQuery','-',variables('huntingQueryObject9')._huntingQuerycontentId9,'-', '1.0.0')))]",
+ "version": "1.0.0"
 }
 },
 {
 "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates",
 "apiVersion": "2023-04-01-preview",
- "name": "[variables('huntingQueryTemplateSpecName10')]",
+ "name": "[variables('huntingQueryObject10').huntingQueryTemplateSpecName10]",
 "location": "[parameters('workspace-location')]",
 "dependsOn": [
 "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
 ],
 "properties": {
- "description": "BoxUsersWithOwnerPermissions_HuntingQueries Hunting Query with template version 3.0.1",
+ "description": "BoxUsersWithOwnerPermissions_HuntingQueries Hunting Query with template version 3.1.0",
 "mainTemplate": {
 "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
- "contentVersion": "[variables('huntingQueryVersion10')]",
+ "contentVersion": "[variables('huntingQueryObject10').huntingQueryVersion10]",
 "parameters": 
{},
 "variables": {},
 "resources": [
@@ -1223,13 +1243,13 @@
 {
 "type": "Microsoft.OperationalInsights/workspaces/providers/metadata",
 "apiVersion": "2022-01-01-preview",
- "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('HuntingQuery-', last(split(variables('huntingQueryId10'),'/'))))]",
+ "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('HuntingQuery-', last(split(resourceId('Microsoft.OperationalInsights/savedSearches', variables('huntingQueryObject10')._huntingQuerycontentId10),'/'))))]",
 "properties": {
 "description": "Box Hunting Query 10",
- "parentId": "[variables('huntingQueryId10')]",
- "contentId": "[variables('_huntingQuerycontentId10')]",
+ "parentId": "[resourceId('Microsoft.OperationalInsights/savedSearches', variables('huntingQueryObject10')._huntingQuerycontentId10)]",
+ "contentId": "[variables('huntingQueryObject10')._huntingQuerycontentId10]",
 "kind": "HuntingQuery",
- "version": "[variables('huntingQueryVersion10')]",
+ "version": "[variables('huntingQueryObject10').huntingQueryVersion10]",
 "source": {
 "kind": "Solution",
 "name": "Box",
@@ -1254,12 +1274,12 @@
 "packageName": "[variables('_solutionName')]",
 "packageId": "[variables('_solutionId')]",
 "contentSchemaVersion": "3.0.0",
- "contentId": "[variables('_huntingQuerycontentId10')]",
+ "contentId": "[variables('huntingQueryObject10')._huntingQuerycontentId10]",
 "contentKind": "HuntingQuery",
 "displayName": "Box - Users with owner permissions",
- "contentProductId": "[variables('_huntingQuerycontentProductId10')]",
- "id": "[variables('_huntingQuerycontentProductId10')]",
- "version": "[variables('huntingQueryVersion10')]"
+ "contentProductId": "[concat(take(variables('_solutionId'),50),'-','hq','-', uniqueString(concat(variables('_solutionId'),'-','HuntingQuery','-',variables('huntingQueryObject10')._huntingQuerycontentId10,'-', '1.0.0')))]",
+ "id": "[concat(take(variables('_solutionId'),50),'-','hq','-', uniqueString(concat(variables('_solutionId'),'-','HuntingQuery','-',variables('huntingQueryObject10')._huntingQuerycontentId10,'-', '1.0.0')))]",
+ "version": "1.0.0"
 }
 },
 {
@@ -1271,7 +1291,7 @@
 "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
 ],
 "properties": {
- "description": "Box data connector with template version 3.0.1",
+ "description": "Box data connector with template version 3.1.0",
 "mainTemplate": {
 "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
 "contentVersion": "[variables('dataConnectorVersion1')]",
@@ -1660,23 +1680,728 @@
 {
 "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates",
 "apiVersion": "2023-04-01-preview",
- "name": "[variables('analyticRuleTemplateSpecName1')]",
+ "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/', variables('dataConnectorTemplateNameConnectorDefinition2'), variables('dataConnectorCCPVersion'))]",
+ "location": "[parameters('workspace-location')]",
+ "dependsOn": [
+ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
+ ],
+ "properties": {
+ "contentId": "[variables('_dataConnectorContentIdConnectorDefinition2')]",
+ "displayName": "Box Events (CCP) (Preview)",
+ "contentKind": "DataConnector",
+ "mainTemplate": {
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+ "contentVersion": "[variables('dataConnectorCCPVersion')]",
+ "parameters": {},
+ "variables": {},
+ "resources": [
+ {
+ "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',variables('_dataConnectorContentIdConnectorDefinition2'))]",
+ "apiVersion": "2022-09-01-preview",
+ "type": "Microsoft.OperationalInsights/workspaces/providers/dataConnectorDefinitions",
+ "location": "[parameters('workspace-location')]",
+ "kind": "Customizable",
+ "properties": {
+ "connectorUiConfig": {
+ "id": "BoxEventsCCPDefinition",
+ "title": "Box Events (CCP) (Preview)",
+ "publisher": "Microsoft",
+ "descriptionMarkdown": "The Box data connector provides the capability to ingest [Box enterprise's events](https://developer.box.com/guides/events/#admin-events) into Microsoft Sentinel using the Box REST API. 
Refer to [Box documentation](https://developer.box.com/guides/events/enterprise-events/for-enterprise/) for more information.",
+ "graphQueriesTableName": "BoxEventsV2_CL",
+ "graphQueries": [
+ {
+ "metricName": "Events received",
+ "legend": "Box events received",
+ "baseQuery": "{{graphQueriesTableName}}"
+ }
+ ],
+ "sampleQueries": [
+ {
+ "description": "All Box events",
+ "query": "BoxEvents\n| sort by TimeGenerated desc"
+ }
+ ],
+ "dataTypes": [
+ {
+ "name": "{{graphQueriesTableName}}",
+ "lastDataReceivedQuery": "{{graphQueriesTableName}}\n| summarize Time = max(TimeGenerated)\n| where isnotempty(Time)"
+ }
+ ],
+ "connectivityCriteria": [
+ {
+ "type": "HasDataConnectors"
+ }
+ ],
+ "permissions": {
+ "resourceProvider": [
+ {
+ "provider": "Microsoft.OperationalInsights/workspaces",
+ "permissionsDisplayText": "Read and Write permissions are required.",
+ "providerDisplayName": "Workspace",
+ "scope": "Workspace",
+ "requiredPermissions": {
+ "write": true,
+ "read": true,
+ "delete": true
+ }
+ }
+ ],
+ "customs": [
+ {
+ "name": "Box API credentials",
+ "description": "Box API requires a Box App client ID and client secret to authenticate. [See the documentation to learn more about Client Credentials grant](https://developer.box.com/guides/authentication/client-credentials/client-credentials-setup/)"
+ },
+ {
+ "name": "Box Enterprise ID",
+ "description": "Box Enterprise ID is required to make the connection. See documentation to [find Enterprise ID](https://developer.box.com/platform/appendix/locating-values/)"
+ }
+ ]
+ },
+ "instructionSteps": [
+ {
+ "description": ">**NOTE:** This connector uses Codeless Connecor Platform (CCP) to connect to the Box REST API to pull logs into Microsoft Sentinel."
+ },
+ {
+ "description": ">**NOTE:** This connector depends on a parser based on Kusto Function to work as expected [**BoxEvents**](https://aka.ms/sentinel-BoxDataConnector-parser) which is deployed with the Microsoft Sentinel Solution."
+ },
+ {
+ "description": "**STEP 1 - Create Box Custom Application**\n\nSee documentation to [setup client credentials authentication](https://developer.box.com/guides/authentication/client-credentials/client-credentials-setup/)\n"
+ },
+ {
+ "description": "**STEP 2 - Grab Client ID and Client Secret values**\n\nYou might need to setup 2FA to fetch the secret.\n"
+ },
+ {
+ "description": "**STEP 3 - Grab Box Enterprise ID from Box Admin Console**\n\nSee documentation to [find Enterprise ID](https://developer.box.com/platform/appendix/locating-values/)\n"
+ },
+ {
+ "description": "Provide the required values below:\n",
+ "instructions": [
+ {
+ "type": "Textbox",
+ "parameters": {
+ "label": "Box Enterprise ID",
+ "placeholder": "123456",
+ "type": "text",
+ "name": "boxEnterpriseId"
+ }
+ },
+ {
+ "type": "OAuthForm",
+ "parameters": {
+ "clientIdLabel": "Client ID",
+ "clientSecretLabel": "Client Secret",
+ "connectButtonLabel": "Connect",
+ "disconnectButtonLabel": "Disconnect"
+ }
+ }
+ ],
+ "title": "Connect to Box to start collecting event logs to Microsoft Sentinel"
+ }
+ ]
+ }
+ }
+ },
+ {
+ "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('DataConnector-', variables('_dataConnectorContentIdConnectorDefinition2')))]",
+ "apiVersion": "2022-01-01-preview",
+ "type": "Microsoft.OperationalInsights/workspaces/providers/metadata",
+ "properties": {
+ "parentId": "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/dataConnectorDefinitions', variables('_dataConnectorContentIdConnectorDefinition2'))]",
+ "contentId": "[variables('_dataConnectorContentIdConnectorDefinition2')]",
+ "kind": "DataConnector",
+ "version": "[variables('dataConnectorCCPVersion')]",
+ "source": {
+ "sourceId": "[variables('_solutionId')]",
+ "name": "[variables('_solutionName')]",
+ "kind": "Solution"
+ },
+ "author": {
+ "name": "Microsoft",
+ "email": "[variables('_email')]"
+ 
},
+ "support": {
+ "name": "Microsoft Corporation",
+ "email": "support@microsoft.com",
+ "tier": "Microsoft",
+ "link": "https://support.microsoft.com"
+ },
+ "dependencies": {
+ "criteria": [
+ {
+ "version": "[variables('dataConnectorCCPVersion')]",
+ "contentId": "[variables('_dataConnectorContentIdConnections2')]",
+ "kind": "ResourcesDataConnector"
+ }
+ ]
+ }
+ }
+ },
+ {
+ "name": "BoxEventsDCR",
+ "apiVersion": "2022-06-01",
+ "type": "Microsoft.Insights/dataCollectionRules",
+ "location": "[parameters('workspace-location')]",
+ "kind": "[variables('blanks')]",
+ "properties": {
+ "dataCollectionEndpointId": "[variables('dataCollectionEndpointId2')]",
+ "streamDeclarations": {
+ "Custom-Box_CL": {
+ "columns": [
+ {
+ "name": "type",
+ "type": "string"
+ },
+ {
+ "name": "event_id",
+ "type": "string"
+ },
+ {
+ "name": "created_by",
+ "type": "dynamic"
+ },
+ {
+ "name": "created_at",
+ "type": "datetime"
+ },
+ {
+ "name": "recorded_at",
+ "type": "datetime"
+ },
+ {
+ "name": "event_type",
+ "type": "string"
+ },
+ {
+ "name": "session_id",
+ "type": "string"
+ },
+ {
+ "name": "source",
+ "type": "dynamic"
+ },
+ {
+ "name": "ip_address",
+ "type": "string"
+ },
+ {
+ "name": "accessible_by",
+ "type": "dynamic"
+ },
+ {
+ "name": "additional_details",
+ "type": "dynamic"
+ }
+ ]
+ }
+ },
+ "dataSources": "[variables('TemplateEmptyObject')]",
+ "destinations": {
+ "logAnalytics": [
+ {
+ "workspaceResourceId": "[variables('workspaceResourceId')]",
+ "name": "4b0f6f0e10104aa5838b3c0b18702683"
+ }
+ ]
+ },
+ "dataFlows": [
+ {
+ "streams": [
+ "Custom-Box_CL"
+ ],
+ "destinations": [
+ "4b0f6f0e10104aa5838b3c0b18702683"
+ ],
+ "transformKql": "source\n| extend TimeGenerated = created_at, event_category = type\n| extend\n source_user_email=tostring(source.user_email),\n source_file_id=tostring(source.file_id),\n source_file_name=tostring(source.file_name),\n source_parent_name=tostring(source.parent.name),\n source_item_type=tostring(source.item_type),\n 
source_item_id=tostring(source.item_id),\n source_item_name=tostring(source.item_name),\n source_parent_type=tostring(source.parent.type),\n source_parent_id=tostring(source.parent.id),\n source_owned_by_type=tostring(source.owned_by.type),\n source_owned_by_id=tostring(source.owned_by.type),\n source_owned_by_name=tostring(source.owned_by.name),\n source_owned_by_login=tostring(source.owned_by.login),\n created_by_type=tostring(created_by.type),\n created_by_id=tostring(created_by.id),\n created_by_name=tostring(created_by.name),\n created_by_login=tostring(created_by.login),\n source_type=tostring(source.type),\n source_id=tostring(source.id),\n source_name=tostring(source.name),\n source_login=tostring(source.login),\n source_folder_id=tostring(source.folder_id),\n source_folder_name=tostring(source.folder_name),\n source_user_id=tostring(source.user_id),\n source_user_name=tostring(source.user_name),\n accessible_by_type=tostring(accessible_by.type),\n accessible_by_id=tostring(accessible_by.id),\n accessible_by_name=tostring(accessible_by.name),\n accessible_by_login=tostring(accessible_by.login)\n| project-away type, accessible_by, created_by, source \n\n",
+ "outputStream": "Custom-BoxEventsV2_CL"
+ }
+ ]
+ }
+ },
+ {
+ "name": "BoxEventsV2_CL",
+ "apiVersion": "2022-10-01",
+ "type": "Microsoft.OperationalInsights/workspaces/tables",
+ "location": "[parameters('workspace-location')]",
+ "kind": null,
+ "properties": {
+ "schema": {
+ "name": "BoxEventsV2_CL",
+ "columns": [
+ {
+ "name": "additional_details",
+ "type": "dynamic"
+ },
+ {
+ "name": "created_at",
+ "type": "datetime"
+ },
+ {
+ "name": "event_id",
+ "type": "string"
+ },
+ {
+ "name": "event_type",
+ "type": "string"
+ },
+ {
+ "name": "ip_address",
+ "type": "string"
+ },
+ {
+ "name": "session_id",
+ "type": "dynamic"
+ },
+ {
+ "name": "TimeGenerated",
+ "type": "datetime"
+ },
+ {
+ "name": "event_category",
+ "type": "string"
+ },
+ {
+ "name": "source_user_email",
+ "type": "string"
+ 
},
+ {
+ "name": "source_file_id",
+ "type": "string"
+ },
+ {
+ "name": "source_file_name",
+ "type": "string"
+ },
+ {
+ "name": "source_parent_name",
+ "type": "string"
+ },
+ {
+ "name": "source_item_type",
+ "type": "string"
+ },
+ {
+ "name": "source_item_id",
+ "type": "string"
+ },
+ {
+ "name": "source_item_name",
+ "type": "string"
+ },
+ {
+ "name": "source_parent_type",
+ "type": "string"
+ },
+ {
+ "name": "source_parent_id",
+ "type": "string"
+ },
+ {
+ "name": "source_owned_by_type",
+ "type": "string"
+ },
+ {
+ "name": "source_owned_by_id",
+ "type": "string"
+ },
+ {
+ "name": "source_owned_by_name",
+ "type": "string"
+ },
+ {
+ "name": "source_owned_by_login",
+ "type": "string"
+ },
+ {
+ "name": "created_by_type",
+ "type": "string"
+ },
+ {
+ "name": "created_by_id",
+ "type": "string"
+ },
+ {
+ "name": "created_by_name",
+ "type": "string"
+ },
+ {
+ "name": "created_by_login",
+ "type": "string"
+ },
+ {
+ "name": "source_type",
+ "type": "string"
+ },
+ {
+ "name": "source_id",
+ "type": "string"
+ },
+ {
+ "name": "source_name",
+ "type": "string"
+ },
+ {
+ "name": "source_login",
+ "type": "string"
+ },
+ {
+ "name": "source_folder_id",
+ "type": "string"
+ },
+ {
+ "name": "source_folder_name",
+ "type": "string"
+ },
+ {
+ "name": "source_user_id",
+ "type": "string"
+ },
+ {
+ "name": "source_user_name",
+ "type": "string"
+ },
+ {
+ "name": "accessible_by_type",
+ "type": "string"
+ },
+ {
+ "name": "accessible_by_id",
+ "type": "string"
+ },
+ {
+ "name": "accessible_by_name",
+ "type": "string"
+ },
+ {
+ "name": "accessible_by_login",
+ "type": "string"
+ }
+ ]
+ }
+ }
+ }
+ ]
+ },
+ "packageKind": "Solution",
+ "packageVersion": "[variables('_solutionVersion')]",
+ "packageName": "[variables('_solutionName')]",
+ "contentProductId": "[concat(take(variables('_solutionId'), 50),'-','dc','-', uniqueString(concat(variables('_solutionId'),'-','DataConnector','-',variables('_dataConnectorContentIdConnectorDefinition2'),'-', 
variables('dataConnectorCCPVersion'))))]",
+ "packageId": "[variables('_solutionId')]",
+ "contentSchemaVersion": "3.0.0",
+ "version": "[variables('dataConnectorCCPVersion')]"
+ }
+ },
+ {
+ "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',variables('_dataConnectorContentIdConnectorDefinition2'))]",
+ "apiVersion": "2022-09-01-preview",
+ "type": "Microsoft.OperationalInsights/workspaces/providers/dataConnectorDefinitions",
+ "location": "[parameters('workspace-location')]",
+ "kind": "Customizable",
+ "properties": {
+ "connectorUiConfig": {
+ "id": "BoxEventsCCPDefinition",
+ "title": "Box Events (CCP) (Preview)",
+ "publisher": "Microsoft",
+ "descriptionMarkdown": "The Box data connector provides the capability to ingest [Box enterprise's events](https://developer.box.com/guides/events/#admin-events) into Microsoft Sentinel using the Box REST API. Refer to [Box documentation](https://developer.box.com/guides/events/enterprise-events/for-enterprise/) for more information.",
+ "graphQueriesTableName": "BoxEventsV2_CL",
+ "graphQueries": [
+ {
+ "metricName": "Events received",
+ "legend": "Box events received",
+ "baseQuery": "{{graphQueriesTableName}}"
+ }
+ ],
+ "sampleQueries": [
+ {
+ "description": "All Box events",
+ "query": "BoxEvents\n| sort by TimeGenerated desc"
+ }
+ ],
+ "dataTypes": [
+ {
+ "name": "{{graphQueriesTableName}}",
+ "lastDataReceivedQuery": "{{graphQueriesTableName}}\n| summarize Time = max(TimeGenerated)\n| where isnotempty(Time)"
+ }
+ ],
+ "connectivityCriteria": [
+ {
+ "type": "HasDataConnectors"
+ }
+ ],
+ "permissions": {
+ "resourceProvider": [
+ {
+ "provider": "Microsoft.OperationalInsights/workspaces",
+ "permissionsDisplayText": "Read and Write permissions are required.",
+ "providerDisplayName": "Workspace",
+ "scope": "Workspace",
+ "requiredPermissions": {
+ "write": true,
+ "read": true,
+ "delete": true
+ }
+ }
+ ],
+ "customs": [
+ {
+ "name": "Box API credentials",
+ "description": "Box API 
requires a Box App client ID and client secret to authenticate. [See the documentation to learn more about Client Credentials grant](https://developer.box.com/guides/authentication/client-credentials/client-credentials-setup/)"
+ },
+ {
+ "name": "Box Enterprise ID",
+ "description": "Box Enterprise ID is required to make the connection. See documentation to [find Enterprise ID](https://developer.box.com/platform/appendix/locating-values/)"
+ }
+ ]
+ },
+ "instructionSteps": [
+ {
+ "description": ">**NOTE:** This connector uses Codeless Connecor Platform (CCP) to connect to the Box REST API to pull logs into Microsoft Sentinel."
+ },
+ {
+ "description": ">**NOTE:** This connector depends on a parser based on Kusto Function to work as expected [**BoxEvents**](https://aka.ms/sentinel-BoxDataConnector-parser) which is deployed with the Microsoft Sentinel Solution."
+ },
+ {
+ "description": "**STEP 1 - Create Box Custom Application**\n\nSee documentation to [setup client credentials authentication](https://developer.box.com/guides/authentication/client-credentials/client-credentials-setup/)\n"
+ },
+ {
+ "description": "**STEP 2 - Grab Client ID and Client Secret values**\n\nYou might need to setup 2FA to fetch the secret.\n"
+ },
+ {
+ "description": "**STEP 3 - Grab Box Enterprise ID from Box Admin Console**\n\nSee documentation to [find Enterprise ID](https://developer.box.com/platform/appendix/locating-values/)\n"
+ },
+ {
+ "description": "Provide the required values below:\n",
+ "instructions": [
+ {
+ "type": "Textbox",
+ "parameters": {
+ "label": "Box Enterprise ID",
+ "placeholder": "123456",
+ "type": "text",
+ "name": "boxEnterpriseId"
+ }
+ },
+ {
+ "type": "OAuthForm",
+ "parameters": {
+ "clientIdLabel": "Client ID",
+ "clientSecretLabel": "Client Secret",
+ "connectButtonLabel": "Connect",
+ "disconnectButtonLabel": "Disconnect"
+ }
+ }
+ ],
+ "title": "Connect to Box to start collecting event logs to Microsoft Sentinel"
+ }
+ ]
+ }
+ }
+ },
+ {
+ 
"name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('DataConnector-', variables('_dataConnectorContentIdConnectorDefinition2')))]",
+ "apiVersion": "2022-01-01-preview",
+ "type": "Microsoft.OperationalInsights/workspaces/providers/metadata",
+ "properties": {
+ "parentId": "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/dataConnectorDefinitions', variables('_dataConnectorContentIdConnectorDefinition2'))]",
+ "contentId": "[variables('_dataConnectorContentIdConnectorDefinition2')]",
+ "kind": "DataConnector",
+ "version": "[variables('dataConnectorCCPVersion')]",
+ "source": {
+ "sourceId": "[variables('_solutionId')]",
+ "name": "[variables('_solutionName')]",
+ "kind": "Solution"
+ },
+ "author": {
+ "name": "Microsoft",
+ "email": "[variables('_email')]"
+ },
+ "support": {
+ "name": "Microsoft Corporation",
+ "email": "support@microsoft.com",
+ "tier": "Microsoft",
+ "link": "https://support.microsoft.com"
+ },
+ "dependencies": {
+ "criteria": [
+ {
+ "version": "[variables('dataConnectorCCPVersion')]",
+ "contentId": "[variables('_dataConnectorContentIdConnections2')]",
+ "kind": "ResourcesDataConnector"
+ }
+ ]
+ }
+ }
+ },
+ {
+ "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates",
+ "apiVersion": "2023-04-01-preview",
+ "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/', variables('dataConnectorTemplateNameConnections2'), variables('dataConnectorCCPVersion'))]",
+ "location": "[parameters('workspace-location')]",
+ "dependsOn": [
+ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
+ ],
+ "properties": {
+ "contentId": "[variables('_dataConnectorContentIdConnections2')]",
+ "displayName": "Box Events (CCP) (Preview)",
+ "contentKind": "ResourcesDataConnector",
+ "mainTemplate": {
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+ "contentVersion": "[variables('dataConnectorCCPVersion')]",
+ "parameters": {
+ "ClientId": {
+ "defaultValue": "-NA-",
+ "type": "securestring",
+ "minLength": 1
+ },
+ "ClientSecret": {
+ "defaultValue": "-NA-",
+ "type": "securestring",
+ "minLength": 1
+ },
+ "connectorDefinitionName": {
+ "defaultValue": "Box Events (CCP) (Preview)",
+ "type": "string",
+ "minLength": 1
+ },
+ "workspace": {
+ "defaultValue": "[parameters('workspace')]",
+ "type": "string"
+ },
+ "dcrConfig": {
+ "defaultValue": {
+ "dataCollectionEndpoint": "data collection Endpoint",
+ "dataCollectionRuleImmutableId": "data collection rule immutableId"
+ },
+ "type": "object"
+ },
+ "boxEnterpriseId": {
+ "defaultValue": "boxEnterpriseId",
+ "type": "string",
+ "minLength": 1
+ },
+ "AuthorizationCode": {
+ "defaultValue": "-NA-",
+ "type": "securestring",
+ "minLength": 1
+ }
+ },
+ "variables": {
+ "_dataConnectorContentIdConnections2": "[variables('_dataConnectorContentIdConnections2')]"
+ },
+ "resources": [
+ {
+ "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('DataConnector-', variables('_dataConnectorContentIdConnections2')))]",
+ "apiVersion": "2022-01-01-preview",
+ "type": "Microsoft.OperationalInsights/workspaces/providers/metadata",
+ "properties": {
+ "parentId": "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/dataConnectors', variables('_dataConnectorContentIdConnections2'))]",
+ "contentId": "[variables('_dataConnectorContentIdConnections2')]",
+ "kind": "ResourcesDataConnector",
+ "version": "[variables('dataConnectorCCPVersion')]",
+ "source": {
+ "sourceId": "[variables('_solutionId')]",
+ "name": "[variables('_solutionName')]",
+ "kind": "Solution"
+ },
+ "author": {
+ "name": "Microsoft",
+ "email": "[variables('_email')]"
+ },
+ "support": {
+ "name": "Microsoft 
Corporation",
+ "email": "support@microsoft.com",
+ "tier": "Microsoft",
+ "link": "https://support.microsoft.com"
+ }
+ }
+ },
+ {
+ "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/', 'BoxEventsCCPPolling')]",
+ "apiVersion": "2023-02-01-preview",
+ "type": "Microsoft.OperationalInsights/workspaces/providers/dataConnectors",
+ "location": "[parameters('workspace-location')]",
+ "kind": "RestApiPoller",
+ "properties": {
+ "connectorDefinitionName": "BoxEventsCCPDefinition",
+ "dataType": "BoxEventsV2_CL",
+ "response": {
+ "eventsJsonPaths": [
+ "$.entries"
+ ],
+ "format": "json"
+ },
+ "paging": {
+ "pagingType": "PersistentToken",
+ "nextPageTokenJsonPath": "$.next_stream_position",
+ "nextPageParaName": "stream_position"
+ },
+ "auth": {
+ "type": "OAuth2",
+ "clientSecret": "[[parameters('ClientSecret')]",
+ "clientId": "[[parameters('ClientId')]",
+ "grantType": "client_credentials",
+ "TokenEndpoint": "https://api.box.com/oauth2/token",
+ "TokenEndpointHeaders": {
+ "Content-Type": "application/x-www-form-urlencoded"
+ },
+ "tokenEndpointQueryParameters": {
+ "box_subject_type": "enterprise",
+ "box_subject_id": "[[parameters('boxEnterpriseId']]"
+ }
+ },
+ "request": {
+ "apiEndpoint": "https://api.box.com/2.0/events",
+ "queryParameters": {
+ "stream_type": "admin_logs"
+ },
+ "rateLimitQPS": 10,
+ "queryWindowInMin": 5,
+ "httpMethod": "GET",
+ "retryCount": 3,
+ "timeoutInSeconds": 60,
+ "queryTimeFormat": "yyyy-MM-ddTHH:mm:ssZ",
+ "startTimeAttributeName": "created_after",
+ "headers": {
+ "Accept": "*/*"
+ }
+ },
+ "dcrConfig": {
+ "dataCollectionEndpoint": "[[parameters('dcrConfig').dataCollectionEndpoint]",
+ "dataCollectionRuleImmutableId": "[[parameters('dcrConfig').dataCollectionRuleImmutableId]",
+ "streamName": "Custom-Box_CL"
+ }
+ }
+ }
+ ]
+ },
+ "packageKind": "Solution",
+ "packageVersion": "[variables('_solutionVersion')]",
+ "packageName": "[variables('_solutionName')]",
+ "contentProductId": 
"[concat(take(variables('_solutionId'), 50),'-','rdc','-', uniqueString(concat(variables('_solutionId'),'-','ResourcesDataConnector','-',variables('_dataConnectorContentIdConnections2'),'-', variables('dataConnectorCCPVersion'))))]",
+ "packageId": "[variables('_solutionId')]",
+ "contentSchemaVersion": "3.0.0",
+ "version": "[variables('dataConnectorCCPVersion')]"
+ }
+ },
+ {
+ "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates",
+ "apiVersion": "2023-04-01-preview",
+ "name": "[variables('analyticRuleObject1').analyticRuleTemplateSpecName1]",
 "location": "[parameters('workspace-location')]",
 "dependsOn": [
 "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
 ],
 "properties": {
- "description": "BoxAbnormalUserActivity_AnalyticalRules Analytics Rule with template version 3.0.1",
+ "description": "BoxAbnormalUserActivity_AnalyticalRules Analytics Rule with template version 3.1.0",
 "mainTemplate": {
 "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
- "contentVersion": "[variables('analyticRuleVersion1')]",
+ "contentVersion": "[variables('analyticRuleObject1').analyticRuleVersion1]",
 "parameters": {},
 "variables": {},
 "resources": [
 {
 "type": "Microsoft.SecurityInsights/AlertRuleTemplates",
- "name": "[variables('analyticRulecontentId1')]",
- "apiVersion": "2022-04-01-preview",
+ "name": "[variables('analyticRuleObject1')._analyticRulecontentId1]",
+ "apiVersion": "2023-02-01-preview",
 "kind": "Scheduled",
 "location": "[parameters('workspace-location')]",
 "properties": {
@@ -1708,13 +2433,13 @@
 ],
 "entityMappings": [
 {
- "entityType": "Account",
 "fieldMappings": [
 {
 "columnName": "AccountCustomEntity",
 "identifier": "FullName"
 }
- ]
+ ],
+ "entityType": "Account"
 }
 ]
 }
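Review bot: The token-endpoint parameter `"box_subject_id": "[[parameters('boxEnterpriseId']]"` in the `BoxEventsCCPPolling` resource is not a well-formed expression — `parameters(` is never closed and the brackets are unbalanced, unlike `"[[parameters('ClientId')]"` a few lines above — so the enterprise id is presumably never substituted and the client-credentials exchange either fails or is issued for the wrong subject; it should read `"box_subject_id": "[[parameters('boxEnterpriseId')]"`. The DCR transform maps `source_owned_by_id=tostring(source.owned_by.type)`, duplicating `source_owned_by_type`; it should be `source_owned_by_id=tostring(source.owned_by.id)`, otherwise any hunt or rule keyed on the owner id in `BoxEventsV2_CL` compares against the type string. The `Custom-Box_CL` stream declares `session_id` as `string` while the `BoxEventsV2_CL` table declares it `dynamic`, and the stream's `recorded_at` column has no counterpart in the table and is not projected away, so it is presumably discarded at ingestion — align the types and either add a `recorded_at` datetime column or drop it explicitly in the transform. The user-facing instruction text reads 'Codeless Connecor Platform' in both copies of the connector definition, and the `AuthorizationCode` securestring parameter is declared but, as far as this hunk shows, never referenced by the `client_credentials` poller. The `resources` array this hunk extends begins before the hunk.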
@@ -1722,13 +2447,13 @@
 {
 "type": "Microsoft.OperationalInsights/workspaces/providers/metadata",
 "apiVersion": "2022-01-01-preview",
- "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleId1'),'/'))))]",
+ "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleObject1').analyticRuleId1,'/'))))]",
 "properties": {
 "description": "Box Analytics Rule 1",
- "parentId": "[variables('analyticRuleId1')]",
- "contentId": "[variables('_analyticRulecontentId1')]",
+ "parentId": "[variables('analyticRuleObject1').analyticRuleId1]",
+ "contentId": "[variables('analyticRuleObject1')._analyticRulecontentId1]",
 "kind": "AnalyticsRule",
- "version": "[variables('analyticRuleVersion1')]",
+ "version": "[variables('analyticRuleObject1').analyticRuleVersion1]",
 "source": {
 "kind": "Solution",
 "name": "Box",
@@ -1753,34 +2478,34 @@ "packageName": "[variables('_solutionName')]", "packageId": "[variables('_solutionId')]", "contentSchemaVersion": "3.0.0", - "contentId": "[variables('_analyticRulecontentId1')]", + "contentId": "[variables('analyticRuleObject1')._analyticRulecontentId1]", "contentKind": "AnalyticsRule", "displayName": "Box - Abmormal user activity", - "contentProductId": "[variables('_analyticRulecontentProductId1')]", - "id": "[variables('_analyticRulecontentProductId1')]", - "version": "[variables('analyticRuleVersion1')]" + "contentProductId": "[variables('analyticRuleObject1')._analyticRulecontentProductId1]", + "id": "[variables('analyticRuleObject1')._analyticRulecontentProductId1]", + "version": "[variables('analyticRuleObject1').analyticRuleVersion1]" } }, { "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates", "apiVersion": "2023-04-01-preview", - "name": "[variables('analyticRuleTemplateSpecName2')]", + "name": "[variables('analyticRuleObject2').analyticRuleTemplateSpecName2]", "location": "[parameters('workspace-location')]", "dependsOn": [ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "BoxBinaryFile_AnalyticalRules Analytics Rule with template version 3.0.1", + "description": "BoxBinaryFile_AnalyticalRules Analytics Rule with template version 3.1.0", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "[variables('analyticRuleVersion2')]", + "contentVersion": "[variables('analyticRuleObject2').analyticRuleVersion2]", "parameters": {}, "variables": {}, "resources": [ { "type": "Microsoft.SecurityInsights/AlertRuleTemplates", - "name": "[variables('analyticRulecontentId2')]", - "apiVersion": "2022-04-01-preview", + "name": 
"[variables('analyticRuleObject2')._analyticRulecontentId2]", + "apiVersion": "2023-02-01-preview", "kind": "Scheduled", "location": "[parameters('workspace-location')]", "properties": { @@ -1812,13 +2537,13 @@ ], "entityMappings": [ { - "entityType": "IP", "fieldMappings": [ { "columnName": "IPCustomEntity", "identifier": "Address" } - ] + ], + "entityType": "IP" } ] } @@ -1826,13 +2551,13 @@ { "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", "apiVersion": "2022-01-01-preview", - "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleId2'),'/'))))]", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleObject2').analyticRuleId2,'/'))))]", "properties": { "description": "Box Analytics Rule 2", - "parentId": "[variables('analyticRuleId2')]", - "contentId": "[variables('_analyticRulecontentId2')]", + "parentId": "[variables('analyticRuleObject2').analyticRuleId2]", + "contentId": "[variables('analyticRuleObject2')._analyticRulecontentId2]", "kind": "AnalyticsRule", - "version": "[variables('analyticRuleVersion2')]", + "version": "[variables('analyticRuleObject2').analyticRuleVersion2]", "source": { "kind": "Solution", "name": "Box", 
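Review bot: The context line `"displayName": "Box - Abmormal user activity",` in the 2478 hunk carries a typo ("Abmormal") that survives the 3.1.0 repackaging, while the same resource's description names the rule `BoxAbnormalUserActivity_AnalyticalRules`. This template looks like packaging-tool output, so correcting it here alone would presumably be overwritten; the spelling should be fixed in the analytic rule's source definition and the package regenerated so the line reads `"displayName": "Box - Abnormal user activity",`. The displayName is the user-visible label for the rule template, so it is worth catching in this version bump.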
@@ -1857,34 +2582,34 @@ "packageName": "[variables('_solutionName')]", "packageId": "[variables('_solutionId')]", "contentSchemaVersion": "3.0.0", - "contentId": "[variables('_analyticRulecontentId2')]", + "contentId": "[variables('analyticRuleObject2')._analyticRulecontentId2]", "contentKind": "AnalyticsRule", "displayName": "Box - Executable file in folder", - "contentProductId": "[variables('_analyticRulecontentProductId2')]", - "id": "[variables('_analyticRulecontentProductId2')]", - "version": "[variables('analyticRuleVersion2')]" + "contentProductId": "[variables('analyticRuleObject2')._analyticRulecontentProductId2]", + "id": "[variables('analyticRuleObject2')._analyticRulecontentProductId2]", + "version": "[variables('analyticRuleObject2').analyticRuleVersion2]" } }, { "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates", "apiVersion": "2023-04-01-preview", - "name": "[variables('analyticRuleTemplateSpecName3')]", + "name": "[variables('analyticRuleObject3').analyticRuleTemplateSpecName3]", "location": "[parameters('workspace-location')]", "dependsOn": [ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "BoxDownloadForbiddenFiles_AnalyticalRules Analytics Rule with template version 3.0.1", + "description": "BoxDownloadForbiddenFiles_AnalyticalRules Analytics Rule with template version 3.1.0", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "[variables('analyticRuleVersion3')]", + "contentVersion": "[variables('analyticRuleObject3').analyticRuleVersion3]", "parameters": {}, "variables": {}, "resources": [ { "type": "Microsoft.SecurityInsights/AlertRuleTemplates", - "name": "[variables('analyticRulecontentId3')]", - "apiVersion": "2022-04-01-preview", + "name": 
"[variables('analyticRuleObject3')._analyticRulecontentId3]", + "apiVersion": "2023-02-01-preview", "kind": "Scheduled", "location": "[parameters('workspace-location')]", "properties": { @@ -1916,22 +2641,22 @@ ], "entityMappings": [ { - "entityType": "Account", "fieldMappings": [ { "columnName": "AccountCustomEntity", "identifier": "FullName" } - ] + ], + "entityType": "Account" }, { - "entityType": "IP", "fieldMappings": [ { "columnName": "IPCustomEntity", "identifier": "Address" } - ] + ], + "entityType": "IP" } ] } @@ -1939,13 +2664,13 @@ { "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", "apiVersion": "2022-01-01-preview", - "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleId3'),'/'))))]", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleObject3').analyticRuleId3,'/'))))]", "properties": { "description": "Box Analytics Rule 3", - "parentId": "[variables('analyticRuleId3')]", - "contentId": "[variables('_analyticRulecontentId3')]", + "parentId": "[variables('analyticRuleObject3').analyticRuleId3]", + "contentId": "[variables('analyticRuleObject3')._analyticRulecontentId3]", "kind": "AnalyticsRule", - "version": "[variables('analyticRuleVersion3')]", + "version": "[variables('analyticRuleObject3').analyticRuleVersion3]", "source": { "kind": "Solution", "name": "Box", 
@@ -1970,34 +2695,34 @@ "packageName": "[variables('_solutionName')]", "packageId": "[variables('_solutionId')]", "contentSchemaVersion": "3.0.0", - "contentId": "[variables('_analyticRulecontentId3')]", + "contentId": "[variables('analyticRuleObject3')._analyticRulecontentId3]", "contentKind": "AnalyticsRule", "displayName": "Box - Forbidden file type downloaded", - "contentProductId": "[variables('_analyticRulecontentProductId3')]", - "id": "[variables('_analyticRulecontentProductId3')]", - "version": "[variables('analyticRuleVersion3')]" + "contentProductId": "[variables('analyticRuleObject3')._analyticRulecontentProductId3]", + "id": "[variables('analyticRuleObject3')._analyticRulecontentProductId3]", + "version": "[variables('analyticRuleObject3').analyticRuleVersion3]" } }, { "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates", "apiVersion": "2023-04-01-preview", - "name": "[variables('analyticRuleTemplateSpecName4')]", + "name": "[variables('analyticRuleObject4').analyticRuleTemplateSpecName4]", "location": "[parameters('workspace-location')]", "dependsOn": [ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "BoxInactiveUserLogin_AnalyticalRules Analytics Rule with template version 3.0.1", + "description": "BoxInactiveUserLogin_AnalyticalRules Analytics Rule with template version 3.1.0", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "[variables('analyticRuleVersion4')]", + "contentVersion": "[variables('analyticRuleObject4').analyticRuleVersion4]", "parameters": {}, "variables": {}, "resources": [ { "type": "Microsoft.SecurityInsights/AlertRuleTemplates", - "name": "[variables('analyticRulecontentId4')]", - "apiVersion": "2022-04-01-preview", + "name": 
"[variables('analyticRuleObject4')._analyticRulecontentId4]", + "apiVersion": "2023-02-01-preview", "kind": "Scheduled", "location": "[parameters('workspace-location')]", "properties": { @@ -2029,13 +2754,13 @@ ], "entityMappings": [ { - "entityType": "Account", "fieldMappings": [ { "columnName": "AccountCustomEntity", "identifier": "FullName" } - ] + ], + "entityType": "Account" } ] } @@ -2043,13 +2768,13 @@ { "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", "apiVersion": "2022-01-01-preview", - "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleId4'),'/'))))]", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleObject4').analyticRuleId4,'/'))))]", "properties": { "description": "Box Analytics Rule 4", - "parentId": "[variables('analyticRuleId4')]", - "contentId": "[variables('_analyticRulecontentId4')]", + "parentId": "[variables('analyticRuleObject4').analyticRuleId4]", + "contentId": "[variables('analyticRuleObject4')._analyticRulecontentId4]", "kind": "AnalyticsRule", - "version": "[variables('analyticRuleVersion4')]", + "version": "[variables('analyticRuleObject4').analyticRuleVersion4]", "source": { "kind": "Solution", "name": "Box", 
@@ -2074,34 +2799,34 @@ "packageName": "[variables('_solutionName')]", "packageId": "[variables('_solutionId')]", "contentSchemaVersion": "3.0.0", - "contentId": "[variables('_analyticRulecontentId4')]", + "contentId": "[variables('analyticRuleObject4')._analyticRulecontentId4]", "contentKind": "AnalyticsRule", "displayName": "Box - Inactive user login", - "contentProductId": "[variables('_analyticRulecontentProductId4')]", - "id": "[variables('_analyticRulecontentProductId4')]", - "version": "[variables('analyticRuleVersion4')]" + "contentProductId": "[variables('analyticRuleObject4')._analyticRulecontentProductId4]", + "id": "[variables('analyticRuleObject4')._analyticRulecontentProductId4]", + "version": "[variables('analyticRuleObject4').analyticRuleVersion4]" } }, { "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates", "apiVersion": "2023-04-01-preview", - "name": "[variables('analyticRuleTemplateSpecName5')]", + "name": "[variables('analyticRuleObject5').analyticRuleTemplateSpecName5]", "location": "[parameters('workspace-location')]", "dependsOn": [ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "BoxItemSharedToExternalUser_AnalyticalRules Analytics Rule with template version 3.0.1", + "description": "BoxItemSharedToExternalUser_AnalyticalRules Analytics Rule with template version 3.1.0", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "[variables('analyticRuleVersion5')]", + "contentVersion": "[variables('analyticRuleObject5').analyticRuleVersion5]", "parameters": {}, "variables": {}, "resources": [ { "type": "Microsoft.SecurityInsights/AlertRuleTemplates", - "name": "[variables('analyticRulecontentId5')]", - "apiVersion": "2022-04-01-preview", + "name": 
"[variables('analyticRuleObject5')._analyticRulecontentId5]", + "apiVersion": "2023-02-01-preview", "kind": "Scheduled", "location": "[parameters('workspace-location')]", "properties": { @@ -2133,13 +2858,13 @@ ], "entityMappings": [ { - "entityType": "Account", "fieldMappings": [ { "columnName": "AccountCustomEntity", "identifier": "FullName" } - ] + ], + "entityType": "Account" } ] } @@ -2147,13 +2872,13 @@ { "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", "apiVersion": "2022-01-01-preview", - "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleId5'),'/'))))]", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleObject5').analyticRuleId5,'/'))))]", "properties": { "description": "Box Analytics Rule 5", - "parentId": "[variables('analyticRuleId5')]", - "contentId": "[variables('_analyticRulecontentId5')]", + "parentId": "[variables('analyticRuleObject5').analyticRuleId5]", + "contentId": "[variables('analyticRuleObject5')._analyticRulecontentId5]", "kind": "AnalyticsRule", - "version": "[variables('analyticRuleVersion5')]", + "version": "[variables('analyticRuleObject5').analyticRuleVersion5]", "source": { "kind": "Solution", "name": "Box", 
@@ -2178,34 +2903,34 @@ "packageName": "[variables('_solutionName')]", "packageId": "[variables('_solutionId')]", "contentSchemaVersion": "3.0.0", - "contentId": "[variables('_analyticRulecontentId5')]", + "contentId": "[variables('analyticRuleObject5')._analyticRulecontentId5]", "contentKind": "AnalyticsRule", "displayName": "Box - Item shared to external entity", - "contentProductId": "[variables('_analyticRulecontentProductId5')]", - "id": "[variables('_analyticRulecontentProductId5')]", - "version": "[variables('analyticRuleVersion5')]" + "contentProductId": "[variables('analyticRuleObject5')._analyticRulecontentProductId5]", + "id": "[variables('analyticRuleObject5')._analyticRulecontentProductId5]", + "version": "[variables('analyticRuleObject5').analyticRuleVersion5]" } }, { "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates", "apiVersion": "2023-04-01-preview", - "name": "[variables('analyticRuleTemplateSpecName6')]", + "name": "[variables('analyticRuleObject6').analyticRuleTemplateSpecName6]", "location": "[parameters('workspace-location')]", "dependsOn": [ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "BoxMultipleItemsDeletedByUser_AnalyticalRules Analytics Rule with template version 3.0.1", + "description": "BoxMultipleItemsDeletedByUser_AnalyticalRules Analytics Rule with template version 3.1.0", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "[variables('analyticRuleVersion6')]", + "contentVersion": "[variables('analyticRuleObject6').analyticRuleVersion6]", "parameters": {}, "variables": {}, "resources": [ { "type": "Microsoft.SecurityInsights/AlertRuleTemplates", - "name": "[variables('analyticRulecontentId6')]", - "apiVersion": "2022-04-01-preview", + "name": 
"[variables('analyticRuleObject6')._analyticRulecontentId6]", + "apiVersion": "2023-02-01-preview", "kind": "Scheduled", "location": "[parameters('workspace-location')]", "properties": { @@ -2237,13 +2962,13 @@ ], "entityMappings": [ { - "entityType": "Account", "fieldMappings": [ { "columnName": "AccountCustomEntity", "identifier": "FullName" } - ] + ], + "entityType": "Account" } ] } @@ -2251,13 +2976,13 @@ { "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", "apiVersion": "2022-01-01-preview", - "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleId6'),'/'))))]", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleObject6').analyticRuleId6,'/'))))]", "properties": { "description": "Box Analytics Rule 6", - "parentId": "[variables('analyticRuleId6')]", - "contentId": "[variables('_analyticRulecontentId6')]", + "parentId": "[variables('analyticRuleObject6').analyticRuleId6]", + "contentId": "[variables('analyticRuleObject6')._analyticRulecontentId6]", "kind": "AnalyticsRule", - "version": "[variables('analyticRuleVersion6')]", + "version": "[variables('analyticRuleObject6').analyticRuleVersion6]", "source": { "kind": "Solution", "name": "Box", 
@@ -2282,34 +3007,34 @@ "packageName": "[variables('_solutionName')]", "packageId": "[variables('_solutionId')]", "contentSchemaVersion": "3.0.0", - "contentId": "[variables('_analyticRulecontentId6')]", + "contentId": "[variables('analyticRuleObject6')._analyticRulecontentId6]", "contentKind": "AnalyticsRule", "displayName": "Box - Many items deleted by user", - "contentProductId": "[variables('_analyticRulecontentProductId6')]", - "id": "[variables('_analyticRulecontentProductId6')]", - "version": "[variables('analyticRuleVersion6')]" + "contentProductId": "[variables('analyticRuleObject6')._analyticRulecontentProductId6]", + "id": "[variables('analyticRuleObject6')._analyticRulecontentProductId6]", + "version": "[variables('analyticRuleObject6').analyticRuleVersion6]" } }, { "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates", "apiVersion": "2023-04-01-preview", - "name": "[variables('analyticRuleTemplateSpecName7')]", + "name": "[variables('analyticRuleObject7').analyticRuleTemplateSpecName7]", "location": "[parameters('workspace-location')]", "dependsOn": [ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "BoxNewExternalUser_AnalyticalRules Analytics Rule with template version 3.0.1", + "description": "BoxNewExternalUser_AnalyticalRules Analytics Rule with template version 3.1.0", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "[variables('analyticRuleVersion7')]", + "contentVersion": "[variables('analyticRuleObject7').analyticRuleVersion7]", "parameters": {}, "variables": {}, "resources": [ { "type": "Microsoft.SecurityInsights/AlertRuleTemplates", - "name": "[variables('analyticRulecontentId7')]", - "apiVersion": "2022-04-01-preview", + "name": 
"[variables('analyticRuleObject7')._analyticRulecontentId7]", + "apiVersion": "2023-02-01-preview", "kind": "Scheduled", "location": "[parameters('workspace-location')]", "properties": { @@ -2342,22 +3067,22 @@ ], "entityMappings": [ { - "entityType": "Account", "fieldMappings": [ { "columnName": "AccountCustomEntity", "identifier": "FullName" } - ] + ], + "entityType": "Account" }, { - "entityType": "IP", "fieldMappings": [ { "columnName": "IPCustomEntity", "identifier": "Address" } - ] + ], + "entityType": "IP" } ] } @@ -2365,13 +3090,13 @@ { "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", "apiVersion": "2022-01-01-preview", - "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleId7'),'/'))))]", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleObject7').analyticRuleId7,'/'))))]", "properties": { "description": "Box Analytics Rule 7", - "parentId": "[variables('analyticRuleId7')]", - "contentId": "[variables('_analyticRulecontentId7')]", + "parentId": "[variables('analyticRuleObject7').analyticRuleId7]", + "contentId": "[variables('analyticRuleObject7')._analyticRulecontentId7]", "kind": "AnalyticsRule", - "version": "[variables('analyticRuleVersion7')]", + "version": "[variables('analyticRuleObject7').analyticRuleVersion7]", "source": { "kind": "Solution", "name": "Box", 
@@ -2396,34 +3121,34 @@ "packageName": "[variables('_solutionName')]", "packageId": "[variables('_solutionId')]", "contentSchemaVersion": "3.0.0", - "contentId": "[variables('_analyticRulecontentId7')]", + "contentId": "[variables('analyticRuleObject7')._analyticRulecontentId7]", "contentKind": "AnalyticsRule", "displayName": "Box - New external user", - "contentProductId": "[variables('_analyticRulecontentProductId7')]", - "id": "[variables('_analyticRulecontentProductId7')]", - "version": "[variables('analyticRuleVersion7')]" + "contentProductId": "[variables('analyticRuleObject7')._analyticRulecontentProductId7]", + "id": "[variables('analyticRuleObject7')._analyticRulecontentProductId7]", + "version": "[variables('analyticRuleObject7').analyticRuleVersion7]" } }, { "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates", "apiVersion": "2023-04-01-preview", - "name": "[variables('analyticRuleTemplateSpecName8')]", + "name": "[variables('analyticRuleObject8').analyticRuleTemplateSpecName8]", "location": "[parameters('workspace-location')]", "dependsOn": [ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "BoxSensitiveFile_AnalyticalRules Analytics Rule with template version 3.0.1", + "description": "BoxSensitiveFile_AnalyticalRules Analytics Rule with template version 3.1.0", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "[variables('analyticRuleVersion8')]", + "contentVersion": "[variables('analyticRuleObject8').analyticRuleVersion8]", "parameters": {}, "variables": {}, "resources": [ { "type": "Microsoft.SecurityInsights/AlertRuleTemplates", - "name": "[variables('analyticRulecontentId8')]", - "apiVersion": "2022-04-01-preview", + "name": 
"[variables('analyticRuleObject8')._analyticRulecontentId8]", + "apiVersion": "2023-02-01-preview", "kind": "Scheduled", "location": "[parameters('workspace-location')]", "properties": { @@ -2455,22 +3180,22 @@ ], "entityMappings": [ { - "entityType": "Account", "fieldMappings": [ { "columnName": "AccountCustomEntity", "identifier": "FullName" } - ] + ], + "entityType": "Account" }, { - "entityType": "IP", "fieldMappings": [ { "columnName": "IPCustomEntity", "identifier": "Address" } - ] + ], + "entityType": "IP" } ] } @@ -2478,13 +3203,13 @@ { "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", "apiVersion": "2022-01-01-preview", - "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleId8'),'/'))))]", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleObject8').analyticRuleId8,'/'))))]", "properties": { "description": "Box Analytics Rule 8", - "parentId": "[variables('analyticRuleId8')]", - "contentId": "[variables('_analyticRulecontentId8')]", + "parentId": "[variables('analyticRuleObject8').analyticRuleId8]", + "contentId": "[variables('analyticRuleObject8')._analyticRulecontentId8]", "kind": "AnalyticsRule", - "version": "[variables('analyticRuleVersion8')]", + "version": "[variables('analyticRuleObject8').analyticRuleVersion8]", "source": { "kind": "Solution", "name": "Box", 
@@ -2509,34 +3234,34 @@ "packageName": "[variables('_solutionName')]", "packageId": "[variables('_solutionId')]", "contentSchemaVersion": "3.0.0", - "contentId": "[variables('_analyticRulecontentId8')]", + "contentId": "[variables('analyticRuleObject8')._analyticRulecontentId8]", "contentKind": "AnalyticsRule", "displayName": "Box - File containing sensitive data", - "contentProductId": "[variables('_analyticRulecontentProductId8')]", - "id": "[variables('_analyticRulecontentProductId8')]", - "version": "[variables('analyticRuleVersion8')]" + "contentProductId": "[variables('analyticRuleObject8')._analyticRulecontentProductId8]", + "id": "[variables('analyticRuleObject8')._analyticRulecontentProductId8]", + "version": "[variables('analyticRuleObject8').analyticRuleVersion8]" } }, { "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates", "apiVersion": "2023-04-01-preview", - "name": "[variables('analyticRuleTemplateSpecName9')]", + "name": "[variables('analyticRuleObject9').analyticRuleTemplateSpecName9]", "location": "[parameters('workspace-location')]", "dependsOn": [ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "BoxUserLoginAsAdmin_AnalyticalRules Analytics Rule with template version 3.0.1", + "description": "BoxUserLoginAsAdmin_AnalyticalRules Analytics Rule with template version 3.1.0", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "[variables('analyticRuleVersion9')]", + "contentVersion": "[variables('analyticRuleObject9').analyticRuleVersion9]", "parameters": {}, "variables": {}, "resources": [ { "type": "Microsoft.SecurityInsights/AlertRuleTemplates", - "name": "[variables('analyticRulecontentId9')]", - "apiVersion": "2022-04-01-preview", + "name": 
"[variables('analyticRuleObject9')._analyticRulecontentId9]", + "apiVersion": "2023-02-01-preview", "kind": "Scheduled", "location": "[parameters('workspace-location')]", "properties": { @@ -2568,22 +3293,22 @@ ], "entityMappings": [ { - "entityType": "Account", "fieldMappings": [ { "columnName": "AccountCustomEntity", "identifier": "FullName" } - ] + ], + "entityType": "Account" }, { - "entityType": "IP", "fieldMappings": [ { "columnName": "IPCustomEntity", "identifier": "Address" } - ] + ], + "entityType": "IP" } ] } @@ -2591,13 +3316,13 @@ { "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", "apiVersion": "2022-01-01-preview", - "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleId9'),'/'))))]", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleObject9').analyticRuleId9,'/'))))]", "properties": { "description": "Box Analytics Rule 9", - "parentId": "[variables('analyticRuleId9')]", - "contentId": "[variables('_analyticRulecontentId9')]", + "parentId": "[variables('analyticRuleObject9').analyticRuleId9]", + "contentId": "[variables('analyticRuleObject9')._analyticRulecontentId9]", "kind": "AnalyticsRule", - "version": "[variables('analyticRuleVersion9')]", + "version": "[variables('analyticRuleObject9').analyticRuleVersion9]", "source": { "kind": "Solution", "name": "Box", 
@@ -2622,34 +3347,34 @@ "packageName": "[variables('_solutionName')]", "packageId": "[variables('_solutionId')]", "contentSchemaVersion": "3.0.0", - "contentId": "[variables('_analyticRulecontentId9')]", + "contentId": "[variables('analyticRuleObject9')._analyticRulecontentId9]", "contentKind": "AnalyticsRule", "displayName": "Box - User logged in as admin", - "contentProductId": "[variables('_analyticRulecontentProductId9')]", - "id": "[variables('_analyticRulecontentProductId9')]", - "version": "[variables('analyticRuleVersion9')]" + "contentProductId": "[variables('analyticRuleObject9')._analyticRulecontentProductId9]", + "id": "[variables('analyticRuleObject9')._analyticRulecontentProductId9]", + "version": "[variables('analyticRuleObject9').analyticRuleVersion9]" } }, { "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates", "apiVersion": "2023-04-01-preview", - "name": "[variables('analyticRuleTemplateSpecName10')]", + "name": "[variables('analyticRuleObject10').analyticRuleTemplateSpecName10]", "location": "[parameters('workspace-location')]", "dependsOn": [ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "BoxUserRoleChangedToOwner_AnalyticalRules Analytics Rule with template version 3.0.1", + "description": "BoxUserRoleChangedToOwner_AnalyticalRules Analytics Rule with template version 3.1.0", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "[variables('analyticRuleVersion10')]", + "contentVersion": "[variables('analyticRuleObject10').analyticRuleVersion10]", "parameters": {}, "variables": {}, "resources": [ { "type": "Microsoft.SecurityInsights/AlertRuleTemplates", - "name": "[variables('analyticRulecontentId10')]", - "apiVersion": "2022-04-01-preview", + "name": 
"[variables('analyticRuleObject10')._analyticRulecontentId10]", + "apiVersion": "2023-02-01-preview", "kind": "Scheduled", "location": "[parameters('workspace-location')]", "properties": { @@ -2681,13 +3406,13 @@ ], "entityMappings": [ { - "entityType": "Account", "fieldMappings": [ { "columnName": "AccountCustomEntity", "identifier": "FullName" } - ] + ], + "entityType": "Account" } ] } @@ -2695,13 +3420,13 @@ { "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", "apiVersion": "2022-01-01-preview", - "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleId10'),'/'))))]", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleObject10').analyticRuleId10,'/'))))]", "properties": { "description": "Box Analytics Rule 10", - "parentId": "[variables('analyticRuleId10')]", - "contentId": "[variables('_analyticRulecontentId10')]", + "parentId": "[variables('analyticRuleObject10').analyticRuleId10]", + "contentId": "[variables('analyticRuleObject10')._analyticRulecontentId10]", "kind": "AnalyticsRule", - "version": "[variables('analyticRuleVersion10')]", + "version": "[variables('analyticRuleObject10').analyticRuleVersion10]", "source": { "kind": "Solution", "name": "Box", 
@@ -2726,12 +3451,12 @@ "packageName": "[variables('_solutionName')]", "packageId": "[variables('_solutionId')]", "contentSchemaVersion": "3.0.0", - "contentId": "[variables('_analyticRulecontentId10')]", + "contentId": "[variables('analyticRuleObject10')._analyticRulecontentId10]", "contentKind": "AnalyticsRule", "displayName": "Box - User role changed to owner", - "contentProductId": "[variables('_analyticRulecontentProductId10')]", - "id": "[variables('_analyticRulecontentProductId10')]", - "version": "[variables('analyticRuleVersion10')]" + "contentProductId": "[variables('analyticRuleObject10')._analyticRulecontentProductId10]", + "id": "[variables('analyticRuleObject10')._analyticRulecontentProductId10]", + "version": "[variables('analyticRuleObject10').analyticRuleVersion10]" } }, { @@ -2739,12 +3464,12 @@ "apiVersion": "2023-04-01-preview", "location": "[parameters('workspace-location')]", "properties": { - "version": "3.0.1", + "version": "3.1.0", "kind": "Solution", "contentSchemaVersion": "3.0.0", "displayName": "Box", "publisherDisplayName": "Microsoft Sentinel, Microsoft Corporation", - "descriptionHtml": "
Note: There may be known issues pertaining to this Solution, please refer to them before installing.
\nThe Box solution connector provides the capability to ingest Box enterprise's events into Microsoft Sentinel using the Box REST API
\nUnderlying Microsoft Technologies used:
\nThis solution takes a dependency on the following technologies, and some of these dependencies either may be in Preview state or might result in additional ingestion or operational costs:
\n\nData Connectors: 1, Parsers: 1, Workbooks: 1, Analytic Rules: 10, Hunting Queries: 10
\nLearn more about Microsoft Sentinel | Learn more about Solutions
\n", + "descriptionHtml": "Note: Please refer to the following before installing the solution:
\n• Review the solution Release Notes
\n• There may be known issues pertaining to this Solution, please refer to them before installing.
\nThe Box solution connector provides the capability to ingest Box enterprise's events into Microsoft Sentinel using the Box REST API
\nUnderlying Microsoft Technologies used:
\nThis solution takes a dependency on the following technologies, and some of these dependencies either may be in Preview state or might result in additional ingestion or operational costs:
\n\nData Connectors: 2, Parsers: 1, Workbooks: 1, Analytic Rules: 10, Hunting Queries: 10
\nLearn more about Microsoft Sentinel | Learn more about Solutions
\n", "contentKind": "Solution", "contentProductId": "[variables('_solutioncontentProductId')]", "id": "[variables('_solutioncontentProductId')]", 
@@ -2776,113 +3501,118 @@
 },
 {
 "kind": "Parser",
- "contentId": "[variables('_parserContentId1')]",
- "version": "[variables('parserVersion1')]"
+ "contentId": "[variables('parserObject1').parserContentId1]",
+ "version": "[variables('parserObject1').parserVersion1]"
 },
 {
 "kind": "HuntingQuery",
- "contentId": "[variables('_huntingQuerycontentId1')]",
- "version": "[variables('huntingQueryVersion1')]"
+ "contentId": "[variables('huntingQueryObject1')._huntingQuerycontentId1]",
+ "version": "[variables('huntingQueryObject1').huntingQueryVersion1]"
 },
 {
 "kind": "HuntingQuery",
- "contentId": "[variables('_huntingQuerycontentId2')]",
- "version": "[variables('huntingQueryVersion2')]"
+ "contentId": "[variables('huntingQueryObject2')._huntingQuerycontentId2]",
+ "version": "[variables('huntingQueryObject2').huntingQueryVersion2]"
 },
 {
 "kind": "HuntingQuery",
- "contentId": "[variables('_huntingQuerycontentId3')]",
- "version": "[variables('huntingQueryVersion3')]"
+ "contentId": "[variables('huntingQueryObject3')._huntingQuerycontentId3]",
+ "version": "[variables('huntingQueryObject3').huntingQueryVersion3]"
 },
 {
 "kind": "HuntingQuery",
- "contentId": "[variables('_huntingQuerycontentId4')]",
- "version": "[variables('huntingQueryVersion4')]"
+ "contentId": "[variables('huntingQueryObject4')._huntingQuerycontentId4]",
+ "version": "[variables('huntingQueryObject4').huntingQueryVersion4]"
 },
 {
 "kind": "HuntingQuery",
- "contentId": "[variables('_huntingQuerycontentId5')]",
- "version": "[variables('huntingQueryVersion5')]"
+ "contentId": "[variables('huntingQueryObject5')._huntingQuerycontentId5]",
+ "version": "[variables('huntingQueryObject5').huntingQueryVersion5]"
 },
 {
 "kind": "HuntingQuery",
- "contentId": "[variables('_huntingQuerycontentId6')]",
- "version": "[variables('huntingQueryVersion6')]"
+ "contentId": "[variables('huntingQueryObject6')._huntingQuerycontentId6]",
+ "version": "[variables('huntingQueryObject6').huntingQueryVersion6]"
 },
 {
 "kind": 
"HuntingQuery", - "contentId": "[variables('_huntingQuerycontentId7')]", - "version": "[variables('huntingQueryVersion7')]" + "contentId": "[variables('huntingQueryObject7')._huntingQuerycontentId7]", + "version": "[variables('huntingQueryObject7').huntingQueryVersion7]" }, { "kind": "HuntingQuery", - "contentId": "[variables('_huntingQuerycontentId8')]", - "version": "[variables('huntingQueryVersion8')]" + "contentId": "[variables('huntingQueryObject8')._huntingQuerycontentId8]", + "version": "[variables('huntingQueryObject8').huntingQueryVersion8]" }, { "kind": "HuntingQuery", - "contentId": "[variables('_huntingQuerycontentId9')]", - "version": "[variables('huntingQueryVersion9')]" + "contentId": "[variables('huntingQueryObject9')._huntingQuerycontentId9]", + "version": "[variables('huntingQueryObject9').huntingQueryVersion9]" }, { "kind": "HuntingQuery", - "contentId": "[variables('_huntingQuerycontentId10')]", - "version": "[variables('huntingQueryVersion10')]" + "contentId": "[variables('huntingQueryObject10')._huntingQuerycontentId10]", + "version": "[variables('huntingQueryObject10').huntingQueryVersion10]" }, { "kind": "DataConnector", "contentId": "[variables('_dataConnectorContentId1')]", "version": "[variables('dataConnectorVersion1')]" }, + { + "kind": "DataConnector", + "contentId": "[variables('_dataConnectorContentIdConnections2')]", + "version": "[variables('dataConnectorCCPVersion')]" + }, { "kind": "AnalyticsRule", - "contentId": "[variables('analyticRulecontentId1')]", - "version": "[variables('analyticRuleVersion1')]" + "contentId": "[variables('analyticRuleObject1')._analyticRulecontentId1]", + "version": "[variables('analyticRuleObject1').analyticRuleVersion1]" }, { "kind": "AnalyticsRule", - "contentId": "[variables('analyticRulecontentId2')]", - "version": "[variables('analyticRuleVersion2')]" + "contentId": "[variables('analyticRuleObject2')._analyticRulecontentId2]", + "version": "[variables('analyticRuleObject2').analyticRuleVersion2]" 
},
 {
 "kind": "AnalyticsRule",
- "contentId": "[variables('analyticRulecontentId3')]",
- "version": "[variables('analyticRuleVersion3')]"
+ "contentId": "[variables('analyticRuleObject3')._analyticRulecontentId3]",
+ "version": "[variables('analyticRuleObject3').analyticRuleVersion3]"
 },
 {
 "kind": "AnalyticsRule",
- "contentId": "[variables('analyticRulecontentId4')]",
- "version": "[variables('analyticRuleVersion4')]"
+ "contentId": "[variables('analyticRuleObject4')._analyticRulecontentId4]",
+ "version": "[variables('analyticRuleObject4').analyticRuleVersion4]"
 },
 {
 "kind": "AnalyticsRule",
- "contentId": "[variables('analyticRulecontentId5')]",
- "version": "[variables('analyticRuleVersion5')]"
+ "contentId": "[variables('analyticRuleObject5')._analyticRulecontentId5]",
+ "version": "[variables('analyticRuleObject5').analyticRuleVersion5]"
 },
 {
 "kind": "AnalyticsRule",
- "contentId": "[variables('analyticRulecontentId6')]",
- "version": "[variables('analyticRuleVersion6')]"
+ "contentId": "[variables('analyticRuleObject6')._analyticRulecontentId6]",
+ "version": "[variables('analyticRuleObject6').analyticRuleVersion6]"
 },
 {
 "kind": "AnalyticsRule",
- "contentId": "[variables('analyticRulecontentId7')]",
- "version": "[variables('analyticRuleVersion7')]"
+ "contentId": "[variables('analyticRuleObject7')._analyticRulecontentId7]",
+ "version": "[variables('analyticRuleObject7').analyticRuleVersion7]"
 },
 {
 "kind": "AnalyticsRule",
- "contentId": "[variables('analyticRulecontentId8')]",
- "version": "[variables('analyticRuleVersion8')]"
+ "contentId": "[variables('analyticRuleObject8')._analyticRulecontentId8]",
+ "version": "[variables('analyticRuleObject8').analyticRuleVersion8]"
 },
 {
 "kind": "AnalyticsRule",
- "contentId": "[variables('analyticRulecontentId9')]",
- "version": "[variables('analyticRuleVersion9')]"
+ "contentId": "[variables('analyticRuleObject9')._analyticRulecontentId9]",
+ "version": "[variables('analyticRuleObject9').analyticRuleVersion9]"
 },
 {
"kind": "AnalyticsRule", - "contentId": "[variables('analyticRulecontentId10')]", - "version": "[variables('analyticRuleVersion10')]" + "contentId": "[variables('analyticRuleObject10')._analyticRulecontentId10]", + "version": "[variables('analyticRuleObject10').analyticRuleVersion10]" } ] }, diff --git a/Solutions/Box/Package/testParameters.json b/Solutions/Box/Package/testParameters.json new file mode 100644 index 00000000000..9bbe6f89d7c --- /dev/null +++ b/Solutions/Box/Package/testParameters.json @@ -0,0 +1,46 @@ +{ + "location": { + "type": "string", + "minLength": 1, + "defaultValue": "[resourceGroup().location]", + "metadata": { + "description": "Not used, but needed to pass arm-ttk test `Location-Should-Not-Be-Hardcoded`. We instead use the `workspace-location` which is derived from the LA workspace" + } + }, + "workspace-location": { + "type": "string", + "defaultValue": "", + "metadata": { + "description": "[concat('Region to deploy solution resources -- separate from location selection',parameters('location'))]" + } + }, + "workspace": { + "defaultValue": "", + "type": "string", + "metadata": { + "description": "Workspace name for Log Analytics where Microsoft Sentinel is setup" + } + }, + "workbook1-name": { + "type": "string", + "defaultValue": "Box", + "minLength": 1, + "metadata": { + "description": "Name for the workbook" + } + }, + "resourceGroupName": { + "type": "string", + "defaultValue": "[resourceGroup().name]", + "metadata": { + "description": "resource group name where Microsoft Sentinel is setup" + } + }, + "subscription": { + "type": "string", + "defaultValue": "[last(split(subscription().id, '/'))]", + "metadata": { + "description": "subscription id where Microsoft Sentinel is setup" + } + } +} diff --git a/Solutions/Box/Parsers/BoxEvents.yaml b/Solutions/Box/Parsers/BoxEvents.yaml index edf84d6dbf1..b23dc793433 100644 --- a/Solutions/Box/Parsers/BoxEvents.yaml +++ b/Solutions/Box/Parsers/BoxEvents.yaml 
@@ -1,132 +1,320 @@
-id: 231a04da-9a8d-4cd6-8a20-2da7ded173ba
-Function:
- Title: Parser for BoxEvents
- Version: '1.0.0'
- LastUpdated: '2023-08-23'
-Category: Microsoft Sentinel Parser
-FunctionName: BoxEvents
-FunctionAlias: BoxEvents
-FunctionQuery: |
- BoxEvents_CL
- | extend
- additional_details_annotation_id_d=column_ifexists('additional_details_annotation_id_d', ''),
- additional_details_group_id_s=column_ifexists('additional_details_group_id_s', ''),
- additional_details_group_name_s=column_ifexists('additional_details_group_name_s', ''),
- source_user_email_s=column_ifexists('source_user_email_s', ''),
- additional_details_comment_id_d=column_ifexists('additional_details_comment_id_d', ''),
- additional_details_message_s=column_ifexists('additional_details_message_s', ''),
- additional_details_task_id_d=column_ifexists('additional_details_task_id_d', ''),
- additional_details_task_message_s=column_ifexists('additional_details_task_message_s', ''),
- additional_details_task_created_by_id_d=column_ifexists('additional_details_task_created_by_id_d', ''),
- additional_details_task_created_by_login_s=column_ifexists('additional_details_task_created_by_login_s', ''),
- additional_details_task_assignment_assigned_to_id_d=column_ifexists('additional_details_task_assignment_assigned_to_id_d', ''),
- additional_details_task_assignment_assigned_to_login_s=column_ifexists('additional_details_task_assignment_assigned_to_login_s', ''),
- additional_details_task_assignment_status_s=column_ifexists('additional_details_task_assignment_status_s', ''),
- additional_details_task_assignment_message_s=column_ifexists('additional_details_task_assignment_message_s', ''),
- source_file_id_s=column_ifexists('source_file_id_s', ''),
- source_file_name_s=column_ifexists('source_file_name_s', ''),
- source_parent_name_g=column_ifexists('source_parent_name_g', ''),
- source_item_type_s=column_ifexists('source_item_type_s', ''),
- source_item_id_s=column_ifexists('source_item_id_s', 
''),
- source_item_name_s=column_ifexists('source_item_name_s', ''),
- source_parent_type_s=column_ifexists('source_parent_type_s', ''),
- source_parent_name_s=column_ifexists('source_parent_name_s', ''),
- source_parent_id_s=column_ifexists('source_parent_id_s', ''),
- source_owned_by_type_s=column_ifexists('source_owned_by_type_s', ''),
- source_owned_by_id_s=column_ifexists('source_owned_by_id_s', ''),
- source_owned_by_name_s=column_ifexists('source_owned_by_name_s', ''),
- source_owned_by_login_s=column_ifexists('source_owned_by_login_s', ''),
- created_by_type_s=column_ifexists('created_by_type_s', ''),
- created_by_id_s=column_ifexists('created_by_id_s', ''),
- created_by_name_s=column_ifexists('created_by_name_s', ''),
- created_by_login_s=column_ifexists('created_by_login_s', ''),
- created_at_t=column_ifexists('created_at_t', ''),
- event_id_g=column_ifexists('event_id_g', ''),
- event_type_s=column_ifexists('event_type_s', ''),
- ip_address_s=column_ifexists('ip_address_s', ''),
- type_s=column_ifexists('type_s', ''),
- additional_details_size_d=column_ifexists('additional_details_size_d', ''),
- additional_details_ekm_id_g=column_ifexists('additional_details_ekm_id_g', ''),
- additional_details_version_id_s=column_ifexists('additional_details_version_id_s', ''),
- additional_details_service_id_s=column_ifexists('additional_details_service_id_s', ''),
- additional_details_service_name_s=column_ifexists('additional_details_service_name_s', ''),
- source_type_s=column_ifexists('source_type_s', ''),
- source_id_s=column_ifexists('source_id_s', ''),
- source_name_s=column_ifexists('source_name_s', ''),
- source_login_s=column_ifexists('source_login_s', ''),
- additional_details_access_token_identifier_s=column_ifexists('additional_details_access_token_identifier_s', ''),
- additional_details_shared_link_id_s=column_ifexists('additional_details_shared_link_id_s', ''),
- source_folder_id_s=column_ifexists('source_folder_id_s', ''),
- 
source_folder_name_s=column_ifexists('source_folder_name_s', ''),
- source_user_id_s=column_ifexists('source_user_id_s', ''),
- source_user_name_s=column_ifexists('source_user_name_s', ''),
- accessible_by_type_s=column_ifexists('accessible_by_type_s', ''),
- accessible_by_id_s=column_ifexists('accessible_by_id_s', ''),
- accessible_by_name_s=column_ifexists('accessible_by_name_s', ''),
- accessible_by_login_s=column_ifexists('accessible_by_login_s', ''),
- additional_details_type_s=column_ifexists('additional_details_type_s', ''),
- additional_details_collab_id_s=column_ifexists('additional_details_collab_id_s', ''),
- additional_details_role_s=column_ifexists('additional_details_role_s', ''),
- additional_details_is_performed_by_admin_b=column_ifexists('additional_details_is_performed_by_admin_b', ''),
- session_id_s=column_ifexists('session_id_s', '')
- | project-rename
- AdditionalDetailsAnnotationId=additional_details_annotation_id_d,
- AdditionalDetailsGroupId=additional_details_group_id_s,
- AdditionalDetailsGroupName=additional_details_group_name_s,
- SourceUserEmail=source_user_email_s,
- AdditionalDetailsCommentId=additional_details_comment_id_d,
- AdditionalDetailsMessage=additional_details_message_s,
- AdditionalDetailsTaskId=additional_details_task_id_d,
- AdditionalDetailsTaskMessage=additional_details_task_message_s,
- AdditionalDetailsTaskCreatedById=additional_details_task_created_by_id_d,
- AdditionalDetailsTaskCreatedByLogin=additional_details_task_created_by_login_s,
- AdditionalDetailsTaskAssignmentAssignedToId=additional_details_task_assignment_assigned_to_id_d,
- AdditionalDetailsTaskAssignmentAssignedToLogin=additional_details_task_assignment_assigned_to_login_s,
- AdditionalDetailsTaskAssignmentStatus=additional_details_task_assignment_status_s,
- AdditionalDetailsTaskAssignmentMessage=additional_details_task_assignment_message_s,
- SourceFileId=source_file_id_s,
- SourceFileName=source_file_name_s,
- SourceParentName=source_parent_name_g, 
- SourceItemType=source_item_type_s,
- SourceItemId=source_item_id_s,
- SourceItemName=source_item_name_s,
- SourceParentType=source_parent_type_s,
- FileDirectory=source_parent_name_s,
- SourceParentId=source_parent_id_s,
- SourceOwnedByType=source_owned_by_type_s,
- SourceOwnedById=source_owned_by_id_s,
- SourceOwnedByName=source_owned_by_name_s,
- SourceOwnedByLogin=source_owned_by_login_s,
- CreatedByType=created_by_type_s,
- SrcUserSid=created_by_id_s,
- SrcUserName=created_by_name_s,
- SrcUserUpn=created_by_login_s,
- EventEndTime=created_at_t,
- EventId=event_id_g,
- EventType=event_type_s,
- SrcIpAddr=ip_address_s,
- BoxType=type_s,
- FileSize=additional_details_size_d,
- AdditionalDetailsEkmId=additional_details_ekm_id_g,
- AdditionalDetailsVersionId=additional_details_version_id_s,
- AdditionalDetailsServiceId=additional_details_service_id_s,
- AdditionalDetailsServiceName=additional_details_service_name_s,
- SourceType=source_type_s,
- SourceId=source_id_s,
- SourceName=source_name_s,
- SourceLogin=source_login_s,
- AdditionalDetailsAccessTokenIdentifier=additional_details_access_token_identifier_s,
- AdditionalDetailsSharedLinkId=additional_details_shared_link_id_s,
- SourceFolderId=source_folder_id_s,
- SourceFolderName=source_folder_name_s,
- SourceUserId=source_user_id_s,
- SourceUserName=source_user_name_s,
- AccessibleByType=accessible_by_type_s,
- AccessibleById=accessible_by_id_s,
- AccessibleByName=accessible_by_name_s,
- AccessibleByLogin=accessible_by_login_s,
- AdditionalDetailsType=additional_details_type_s,
- AdditionalDetailsCollabId=additional_details_collab_id_s,
- AdditionalDetailsRole=additional_details_role_s,
- AdditionalDetailsIsPerformedByAdmin=additional_details_is_performed_by_admin_b,
- UserSessionId=session_id_s
\ No newline at end of file
+---
+ id: 231a04da-9a8d-4cd6-8a20-2da7ded173ba
+ Function:
+ Title: Parser for BoxEvents
+ Version: 2.0.0
+ LastUpdated: 2024-09-24
+ Category: Microsoft Sentinel Parser
+ FunctionName: 
BoxEvents
+ FunctionAlias: BoxEvents
+ FunctionQuery: >
+ let BoxEventsv1_empty = datatable(
+ additional_details_annotation_id_d:double,
+ additional_details_group_id_s:string,
+ additional_details_group_name_s:string,
+ source_user_email_s:string,
+ additional_details_comment_id_d:double,
+ additional_details_message_s:string,
+ additional_details_task_id_d:double,
+ additional_details_task_message_s:string,
+ additional_details_task_created_by_id_d:double,
+ additional_details_task_created_by_login_s:string,
+ additional_details_task_assignment_assigned_to_id_d:double,
+ additional_details_task_assignment_assigned_to_login_s:string,
+ additional_details_task_assignment_status_s:string,
+ additional_details_task_assignment_message_s:string,
+ source_file_id_s:string,
+ source_file_name_s:string,
+ source_parent_name_g:guid,
+ source_item_type_s:string,
+ source_item_id_s:string,
+ source_item_name_s:string,
+ source_parent_type_s:string,
+ source_parent_name_s:string,
+ source_parent_id_s:string,
+ source_owned_by_type_s:string,
+ source_owned_by_id_s:string,
+ source_owned_by_name_s:string,
+ source_owned_by_login_s:string,
+ created_by_type_s:string,
+ created_by_id_s:string,
+ created_by_name_s:string,
+ created_by_login_s:string,
+ created_at_t:datetime,
+ event_id_g:guid,
+ event_type_s:string,
+ ip_address_s:string,
+ type_s:string,
+ additional_details_size_d:double,
+ additional_details_ekm_id_g:guid,
+ additional_details_version_id_s:string,
+ additional_details_service_id_s:string,
+ additional_details_service_name_s:string,
+ source_type_s:string,
+ source_id_s:string,
+ source_name_s:string,
+ source_login_s:string,
+ additional_details_access_token_identifier_s:string,
+ additional_details_shared_link_id_s:string,
+ source_folder_id_s:string,
+ source_folder_name_s:string,
+ source_user_id_s:string,
+ source_user_name_s:string,
+ accessible_by_type_s:string,
+ accessible_by_id_s:string,
+ accessible_by_name_s:string,
+ accessible_by_login_s:string,
+ 
additional_details_type_s:string,
+ additional_details_collab_id_s:string,
+ additional_details_role_s:string,
+ additional_details_is_performed_by_admin_b:bool,
+ session_id_s:string
+ )[];
+ let BoxEventsv1 = union isfuzzy=true BoxEvents_CL, BoxEventsv1_empty
+ | extend
+ additional_details_annotation_id_s=column_ifexists('additional_details_annotation_id_s', ''),
+ additional_details_group_id_s=column_ifexists('additional_details_group_id_s', ''),
+ additional_details_group_name_s=column_ifexists('additional_details_group_name_s', ''),
+ source_user_email_s=column_ifexists('source_user_email_s', ''),
+ additional_details_comment_id_d=column_ifexists('additional_details_comment_id_d', ''),
+ additional_details_message_s=column_ifexists('additional_details_message_s', ''),
+ additional_details_task_id_d=column_ifexists('additional_details_task_id_d', ''),
+ additional_details_task_message_s=column_ifexists('additional_details_task_message_s', ''),
+ additional_details_task_created_by_id_d=column_ifexists('additional_details_task_created_by_id_d', ''),
+ additional_details_task_created_by_login_s=column_ifexists('additional_details_task_created_by_login_s', ''),
+ additional_details_task_assignment_assigned_to_id_d=column_ifexists('additional_details_task_assignment_assigned_to_id_d', ''),
+ additional_details_task_assignment_assigned_to_login_s=column_ifexists('additional_details_task_assignment_assigned_to_login_s', ''),
+ additional_details_task_assignment_status_s=column_ifexists('additional_details_task_assignment_status_s', ''),
+ additional_details_task_assignment_message_s=column_ifexists('additional_details_task_assignment_message_s', ''),
+ source_file_id_s=column_ifexists('source_file_id_s', ''),
+ source_file_name_s=column_ifexists('source_file_name_s', ''),
+ source_parent_name_g=column_ifexists('source_parent_name_g', ''),
+ source_item_type_s=column_ifexists('source_item_type_s', ''),
+ source_item_id_s=column_ifexists('source_item_id_s', ''),
+ 
source_item_name_s=column_ifexists('source_item_name_s', ''),
+ source_parent_type_s=column_ifexists('source_parent_type_s', ''),
+ source_parent_name_s=column_ifexists('source_parent_name_s', ''),
+ source_parent_id_s=column_ifexists('source_parent_id_s', ''),
+ source_owned_by_type_s=column_ifexists('source_owned_by_type_s', ''),
+ source_owned_by_id_s=column_ifexists('source_owned_by_id_s', ''),
+ source_owned_by_name_s=column_ifexists('source_owned_by_name_s', ''),
+ source_owned_by_login_s=column_ifexists('source_owned_by_login_s', ''),
+ created_by_type_s=column_ifexists('created_by_type_s', ''),
+ created_by_id_s=column_ifexists('created_by_id_s', ''),
+ created_by_name_s=column_ifexists('created_by_name_s', ''),
+ created_by_login_s=column_ifexists('created_by_login_s', ''),
+ created_at_t=column_ifexists('created_at_t', ''),
+ event_id_g=column_ifexists('event_id_g', ''),
+ event_type_s=column_ifexists('event_type_s', ''),
+ ip_address_s=column_ifexists('ip_address_s', ''),
+ type_s=column_ifexists('type_s', ''),
+ additional_details_size_d=column_ifexists('additional_details_size_d', ''),
+ additional_details_ekm_id_g=column_ifexists('additional_details_ekm_id_g', ''),
+ additional_details_version_id_s=column_ifexists('additional_details_version_id_s', ''),
+ additional_details_service_id_s=column_ifexists('additional_details_service_id_s', ''),
+ additional_details_service_name_s=column_ifexists('additional_details_service_name_s', ''),
+ source_type_s=column_ifexists('source_type_s', ''),
+ source_id_s=column_ifexists('source_id_s', ''),
+ source_name_s=column_ifexists('source_name_s', ''),
+ source_login_s=column_ifexists('source_login_s', ''),
+ additional_details_access_token_identifier_s=column_ifexists('additional_details_access_token_identifier_s', ''),
+ additional_details_shared_link_id_s=column_ifexists('additional_details_shared_link_id_s', ''),
+ source_folder_id_s=column_ifexists('source_folder_id_s', ''),
+ 
source_folder_name_s=column_ifexists('source_folder_name_s', ''),
+ source_user_id_s=column_ifexists('source_user_id_s', ''),
+ source_user_name_s=column_ifexists('source_user_name_s', ''),
+ accessible_by_type_s=column_ifexists('accessible_by_type_s', ''),
+ accessible_by_id_s=column_ifexists('accessible_by_id_s', ''),
+ accessible_by_name_s=column_ifexists('accessible_by_name_s', ''),
+ accessible_by_login_s=column_ifexists('accessible_by_login_s', ''),
+ additional_details_type_s=column_ifexists('additional_details_type_s', ''),
+ additional_details_collab_id_s=column_ifexists('additional_details_collab_id_s', ''),
+ additional_details_role_s=column_ifexists('additional_details_role_s', ''),
+ additional_details_is_performed_by_admin_b=column_ifexists('additional_details_is_performed_by_admin_b', ''),
+ session_id_s=column_ifexists('session_id_s', '')
+ | project-rename
+ AdditionalDetailsAnnotationId=additional_details_annotation_id_s,
+ AdditionalDetailsGroupId=additional_details_group_id_s,
+ AdditionalDetailsGroupName=additional_details_group_name_s,
+ SourceUserEmail=source_user_email_s,
+ AdditionalDetailsCommentId=additional_details_comment_id_d,
+ AdditionalDetailsMessage=additional_details_message_s,
+ AdditionalDetailsTaskId=additional_details_task_id_d,
+ AdditionalDetailsTaskMessage=additional_details_task_message_s,
+ AdditionalDetailsTaskCreatedById=additional_details_task_created_by_id_d,
+ AdditionalDetailsTaskCreatedByLogin=additional_details_task_created_by_login_s,
+ AdditionalDetailsTaskAssignmentAssignedToId=additional_details_task_assignment_assigned_to_id_d,
+ AdditionalDetailsTaskAssignmentAssignedToLogin=additional_details_task_assignment_assigned_to_login_s,
+ AdditionalDetailsTaskAssignmentStatus=additional_details_task_assignment_status_s,
+ AdditionalDetailsTaskAssignmentMessage=additional_details_task_assignment_message_s,
+ SourceFileId=source_file_id_s,
+ SourceFileName=source_file_name_s,
+ SourceParentName=source_parent_name_g, 
+ SourceItemType=source_item_type_s,
+ SourceItemId=source_item_id_s,
+ SourceItemName=source_item_name_s,
+ SourceParentType=source_parent_type_s,
+ FileDirectory=source_parent_name_s,
+ SourceParentId=source_parent_id_s,
+ SourceOwnedByType=source_owned_by_type_s,
+ SourceOwnedById=source_owned_by_id_s,
+ SourceOwnedByName=source_owned_by_name_s,
+ SourceOwnedByLogin=source_owned_by_login_s,
+ CreatedByType=created_by_type_s,
+ SrcUserSid=created_by_id_s,
+ SrcUserName=created_by_name_s,
+ SrcUserUpn=created_by_login_s,
+ EventEndTime=created_at_t,
+ EventId=event_id_g,
+ EventType=event_type_s,
+ SrcIpAddr=ip_address_s,
+ BoxType=type_s,
+ FileSize=additional_details_size_d,
+ AdditionalDetailsEkmId=additional_details_ekm_id_g,
+ AdditionalDetailsVersionId=additional_details_version_id_s,
+ AdditionalDetailsServiceId=additional_details_service_id_s,
+ AdditionalDetailsServiceName=additional_details_service_name_s,
+ SourceType=source_type_s,
+ SourceId=source_id_s,
+ SourceName=source_name_s,
+ SourceLogin=source_login_s,
+ AdditionalDetailsAccessTokenIdentifier=additional_details_access_token_identifier_s,
+ AdditionalDetailsSharedLinkId=additional_details_shared_link_id_s,
+ SourceFolderId=source_folder_id_s,
+ SourceFolderName=source_folder_name_s,
+ SourceUserId=source_user_id_s,
+ SourceUserName=source_user_name_s,
+ AccessibleByType=accessible_by_type_s,
+ AccessibleById=accessible_by_id_s,
+ AccessibleByName=accessible_by_name_s,
+ AccessibleByLogin=accessible_by_login_s,
+ AdditionalDetailsType=additional_details_type_s,
+ AdditionalDetailsCollabId=additional_details_collab_id_s,
+ AdditionalDetailsRole=additional_details_role_s,
+ AdditionalDetailsIsPerformedByAdmin=additional_details_is_performed_by_admin_b,
+ UserSessionId=session_id_s;
+ let BoxEventsv2 = union isfuzzy=true BoxEventsv1_empty, BoxEventsV2_CL |
+ extend additional_details_annotation_id_s=tostring(additional_details.annotation_id),
+ 
additional_details_group_id_s=tostring(additional_details.group_id),
+ additional_details_group_name_s=tostring(additional_details.group_name),
+ source_user_email_s=source_user_email,
+ additional_details_comment_id_d=todouble(additional_details.comment_id),
+ additional_details_message_s=tostring(additional_details.message),
+ additional_details_task_id_d=todouble(additional_details.task.id),
+ additional_details_task_message_s=tostring(additional_details.task.message),
+ additional_details_task_created_by_id_d=todouble(additional_details.task.created_by.id),
+ additional_details_task_created_by_login_s=tostring(additional_details.task.created_by.login),
+ additional_details_task_assignment_assigned_to_id_d=todouble(additional_details.task_assignment.assigned_to.id),
+ additional_details_task_assignment_assigned_to_login_s=tostring(additional_details.task_assignment.assigned_to.login),
+ additional_details_task_assignment_status_s=tostring(additional_details.task_assignment.status),
+ additional_details_task_assignment_message_s=tostring(additional_details.task_assignment.message),
+ source_file_id_s=source_file_id,
+ source_file_name_s=source_file_name,
+ source_parent_name_g=source_parent_name,
+ source_item_type_s=source_item_type,
+ source_item_id_s=source_item_id,
+ source_item_name_s=source_item_name,
+ source_parent_type_s=source_parent_type,
+ source_parent_name_s=source_parent_name,
+ source_parent_id_s=source_parent_id,
+ source_owned_by_type_s=source_owned_by_type,
+ source_owned_by_id_s=source_owned_by_id,
+ source_owned_by_name_s=source_owned_by_name,
+ source_owned_by_login_s=source_owned_by_login,
+ created_by_type_s=created_by_type,
+ created_by_id_s=created_by_id,
+ created_by_name_s=created_by_name,
+ created_by_login_s=created_by_login,
+ created_at_t=created_at,
+ event_id_g=event_id,
+ event_type_s=event_type,
+ ip_address_s=ip_address,
+ type_s=event_type,
+ additional_details_size_d=todouble(additional_details.size),
+ 
additional_details_ekm_id_g=toguid(additional_details.ekm_id),
+ additional_details_version_id_s=tostring(additional_details.version_id),
+ additional_details_service_id_s=tostring(additional_details.service_id),
+ additional_details_service_name_s=tostring(additional_details.service_name),
+ source_type_s=source_type,
+ source_id_s=source_id,
+ source_name_s=source_name,
+ source_login_s=source_login,
+ additional_details_access_token_identifier_s=tostring(additional_details.access_token_identifier),
+ additional_details_shared_link_id_s=tostring(additional_details.shared_link_id),
+ source_folder_id_s=source_folder_id,
+ source_folder_name_s=source_folder_name,
+ source_user_id_s=source_user_id,
+ source_user_name_s=source_user_name,
+ accessible_by_type_s=accessible_by_type,
+ accessible_by_id_s=accessible_by_id,
+ accessible_by_name_s=accessible_by_name,
+ accessible_by_login_s=accessible_by_login,
+ additional_details_type_s=tostring(additional_details.type),
+ additional_details_collab_id_s=tostring(additional_details.collab_id),
+ additional_details_role_s=tostring(additional_details.role),
+ additional_details_is_performed_by_admin_b=toboolean(additional_details.is_performed_by_admin),
+ session_id_s=session_id
+ | project-rename
+ AdditionalDetailsAnnotationId=additional_details_annotation_id_s,
+ AdditionalDetailsGroupId=additional_details_group_id_s,
+ AdditionalDetailsGroupName=additional_details_group_name_s,
+ SourceUserEmail=source_user_email_s,
+ AdditionalDetailsCommentId=additional_details_comment_id_d,
+ AdditionalDetailsMessage=additional_details_message_s,
+ AdditionalDetailsTaskId=additional_details_task_id_d,
+ AdditionalDetailsTaskMessage=additional_details_task_message_s,
+ AdditionalDetailsTaskCreatedById=additional_details_task_created_by_id_d,
+ AdditionalDetailsTaskCreatedByLogin=additional_details_task_created_by_login_s,
+ AdditionalDetailsTaskAssignmentAssignedToId=additional_details_task_assignment_assigned_to_id_d,
+ 
AdditionalDetailsTaskAssignmentAssignedToLogin=additional_details_task_assignment_assigned_to_login_s,
+ AdditionalDetailsTaskAssignmentStatus=additional_details_task_assignment_status_s,
+ AdditionalDetailsTaskAssignmentMessage=additional_details_task_assignment_message_s,
+ SourceFileId=source_file_id_s,
+ SourceFileName=source_file_name_s,
+ SourceParentName=source_parent_name_g,
+ SourceItemType=source_item_type_s,
+ SourceItemId=source_item_id_s,
+ SourceItemName=source_item_name_s,
+ SourceParentType=source_parent_type_s,
+ FileDirectory=source_parent_name_s,
+ SourceParentId=source_parent_id_s,
+ SourceOwnedByType=source_owned_by_type_s,
+ SourceOwnedById=source_owned_by_id_s,
+ SourceOwnedByName=source_owned_by_name_s,
+ SourceOwnedByLogin=source_owned_by_login_s,
+ CreatedByType=created_by_type_s,
+ SrcUserSid=created_by_id_s,
+ SrcUserName=created_by_name_s,
+ SrcUserUpn=created_by_login_s,
+ EventEndTime=TimeGenerated,
+ EventId=event_id_g,
+ EventType=event_type_s,
+ SrcIpAddr=ip_address_s,
+ BoxType=type_s,
+ FileSize=additional_details_size_d,
+ AdditionalDetailsEkmId=additional_details_ekm_id_g,
+ AdditionalDetailsVersionId=additional_details_version_id_s,
+ AdditionalDetailsServiceId=additional_details_service_id_s,
+ AdditionalDetailsServiceName=additional_details_service_name_s,
+ SourceType=source_type_s,
+ SourceId=source_id_s,
+ SourceName=source_name_s,
+ SourceLogin=source_login_s,
+ AdditionalDetailsAccessTokenIdentifier=additional_details_access_token_identifier_s,
+ AdditionalDetailsSharedLinkId=additional_details_shared_link_id_s,
+ SourceFolderId=source_folder_id_s,
+ SourceFolderName=source_folder_name_s,
+ SourceUserId=source_user_id_s,
+ SourceUserName=source_user_name_s,
+ AccessibleByType=accessible_by_type_s,
+ AccessibleById=accessible_by_id_s,
+ AccessibleByName=accessible_by_name_s,
+ AccessibleByLogin=accessible_by_login_s,
+ AdditionalDetailsType=additional_details_type_s,
+ 
AdditionalDetailsCollabId=additional_details_collab_id_s,
+ AdditionalDetailsRole=additional_details_role_s,
+ AdditionalDetailsIsPerformedByAdmin=additional_details_is_performed_by_admin_b,
+ UserSessionId=session_id_s
+ | project-away created_at, event_category, additional_details*, event_id, event_type, ip_address, source*, created_by*, accessible_by*, created_at_t;
+ union isfuzzy=true BoxEventsv2, BoxEventsv1
+ | project-reorder EventEndTime, Source*
\ No newline at end of file
diff --git a/Solutions/Box/ReleaseNotes.md b/Solutions/Box/ReleaseNotes.md
index a40cf024919..8c560b94fe9 100644
--- a/Solutions/Box/ReleaseNotes.md
+++ b/Solutions/Box/ReleaseNotes.md
@@ -1,5 +1,5 @@
 | **Version** | **Date Modified (DD-MM-YYYY)** | **Change History** |
 |-------------|--------------------------------|--------------------------------------------------------------------|
-| 3.0.1 | 18-08-2023 | Added text 'using Azure Functions' in **Data Connector** page | |
-| 3.0.0 | 19-07-2023 | Manual deployment instructions updated for **Data Connector** |
-
+| 3.1.0 | 06-12-2024 | Added new CCP **Data Connector** and modified **Parser** |
+| 3.0.1 | 18-08-2023 | Added text 'using Azure Functions' in **Data Connector** page |
+| 3.0.0 | 19-07-2023 | Manual deployment instructions updated for **Data Connector** |
\ No newline at end of file
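Review bot: In the BoxEventsv1 branch the annotation id is read from a column the legacy table never had: the `BoxEventsv1_empty` schema and the removed parser both use `additional_details_annotation_id_d`, but the new `extend` reads `column_ifexists('additional_details_annotation_id_s', '')` and `project-rename` then maps `AdditionalDetailsAnnotationId=additional_details_annotation_id_s`, so for BoxEvents_CL rows AdditionalDetailsAnnotationId is always empty while the real `_d` column passes through unrenamed; presumably the `_s` alias exists to keep the column a string on both sides of the final union, which `additional_details_annotation_id_s=tostring(additional_details_annotation_id_d),` in the v1 `extend` (plus dropping the `_d` column afterwards) achieves without losing the value. The BoxEventsv2 branch dereferences BoxEventsV2_CL columns directly (`additional_details.annotation_id`, `source_user_email`, `TimeGenerated`, …) rather than through `column_ifexists` as the v1 branch does, so in a workspace where only the legacy connector is deployed and BoxEventsV2_CL does not exist yet, `isfuzzy` keeps the union alive but, as far as I can tell, the `extend` fails to resolve those columns and every analytic rule and hunting query built on this parser errors out until the table appears; guarding those references the same way the v1 branch does would keep the parser usable in both states. Two smaller semantic shifts deserve an inline comment in the query: `type_s=event_type` makes BoxType identical to EventType for v2 rows whereas v1 reads a distinct `type_s` column, and `EventEndTime=TimeGenerated` renames TimeGenerated away on the v2 side even though the BoxEventsV2_CL test schema added in this commit already declares an EventEndTime column, which `project-rename` may reject as a duplicate name.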