diff --git a/Solutions/Microsoft Exchange Security - Exchange Online/Package/3.0.2.zip b/Solutions/Microsoft Exchange Security - Exchange Online/Package/3.0.2.zip index 7986916dab3..97b05303893 100644 Binary files a/Solutions/Microsoft Exchange Security - Exchange Online/Package/3.0.2.zip and b/Solutions/Microsoft Exchange Security - Exchange Online/Package/3.0.2.zip differ diff --git a/Solutions/Microsoft Exchange Security - Exchange Online/Package/mainTemplate.json b/Solutions/Microsoft Exchange Security - Exchange Online/Package/mainTemplate.json index 8f5ade3fb91..7ea6e3ae189 100644 --- a/Solutions/Microsoft Exchange Security - Exchange Online/Package/mainTemplate.json +++ b/Solutions/Microsoft Exchange Security - Exchange Online/Package/mainTemplate.json @@ -733,7 +733,7 @@ "category": "Microsoft Sentinel Parser", "functionAlias": "ExchangeConfiguration", "query": "// Parameters simulation\n// If you need to test the parser execution without saving it as a function, uncomment the bellow variable to simulate parameters values.\n//\n// let SpecificSectionList = '';\n// let SpecificConfigurationDate = 'lastdate';\n// let SpecificConfigurationEnv = 'All';\n// let Target = 'On-Premises';\n//\n// Parameters definition\nlet _SpecificSectionList = split(SpecificSectionList,',');\nlet _configurationDate = iff(isnull(SpecificConfigurationDate) or isempty(SpecificConfigurationDate),\"lastdate\",tostring(SpecificConfigurationDate));\nlet _configurationEnv = split(iff(isnull(SpecificConfigurationEnv) or isempty(SpecificConfigurationEnv) or tolower(SpecificConfigurationEnv) == \"all\",\"All\",tostring(SpecificConfigurationEnv)),',');\nlet _target = iff(isnull(Target) or isempty(Target),\"On-Premises\",Target);\n// Building Base Request\nlet _targetDate = iff(_configurationDate == \"lastdate\", ago(7d), iif(_configurationDate == \"alllife\",ago(1080d),todatetime(_configurationDate)));\nlet baseRequest = materialize (union isfuzzy=true withsource=TableName ESIAPIExchange*,ESIExchange* \n | where TimeGenerated > _targetDate\n | extend Source = iff (TableName contains \"Online\", \"Online\", \"On-Premises\")\n | where _target == 'All' or Source == _target\n | extend ScopedEnvironment = iff(_configurationEnv contains \"All\", \"All\",ESIEnvironment_s) \n | where ScopedEnvironment in (_configurationEnv)\n | extend EntryDate = todatetime(EntryDate_s)\n | project-away EntryDate_s);\n// Find Config Id (can be multiple id in all)\nlet findConfigDate = baseRequest\n | extend Env =strcat(Source, \"_\",ESIEnvironment_s)\n | summarize count() by GenerationInstanceID_g,Env,EntryDate\n | extend distance = iff(_configurationDate == \"lastdate\" or _configurationDate == \"alllife\", now() - EntryDate, (EntryDate - todatetime(_configurationDate)))\n | top-nested of Env by Ignore0=max(1), \n top-nested 1 of distance by Ignore1 = min(distance) asc nulls last, \n top-nested of GenerationInstanceID_g by Ignore2=max(2) \n | project GenerationInstanceID_g;\n// Parse Result\nlet ParseExchangeConfig = () { baseRequest \n | join kind=leftsemi (findConfigDate) on $left.GenerationInstanceID_g == $right.GenerationInstanceID_g\n | where isempty(_SpecificSectionList[0]) or Section_s in (_SpecificSectionList)\n | extend TimeGenerated = EntryDate\n | extend Identity = IdentityString_s\n | extend CmdletResultValue = parse_json(rawData_s)\n | project-rename ConfigurationInstanceID = GenerationInstanceID_g, ESIEnvironment = ESIEnvironment_s, Section = Section_s, PSCmdlet = PSCmdL_s, CmdletResultType = ExecutionResult_s, WhenChanged = WhenChanged_t, WhenCreated = WhenCreated_t, Name = Name_s\n | project-away TenantId,SourceSystem,Type,EntryDate\n};\nParseExchangeConfig\n", - "functionParameters": "SpecificSectionList:string,SpecificConfigurationDate:string,SpecificConfigurationEnv:string,Target:string", + "functionParameters": "SpecificSectionList:string = \"\", SpecificConfigurationDate:string = \"lastdate\", Target:string = \"On-Premises\", SpecificConfigurationEnv:string = \"All\"", "version": 2, "tags": [ {