Repackage - AzureSecurityBenchmark , KQL Training , SOC Handbook - Rebranding Changes #9498

Merged
@@ -16,7 +16,7 @@
],
"Metadata": "SolutionMetadata.json",
"BasePath": "C:\\GitHub\\azure\\Solutions\\AzureSecurityBenchmark",
"Version": "2.0.3",
"Version": "3.0.0",
"TemplateSpec": true,
"Is1Pconnector": true
}
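Review bot: The `"Version": "2.0.3"` to `"3.0.0"` bump is a major-version increment for what the PR title and release notes describe as rebranding-only string changes, and the ReleaseNotes.md added for this solution in the same PR starts its history at 3.0.0, so nothing records what 2.0.x contained; either use a patch/minor bump or add a row for the previous release so the table is not missing its own history.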

@@ -6,7 +6,7 @@
"config": {
"isWizard": false,
"basics": {
"description": "<img src=\"https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Workbooks/Images/Logos/Azure_Sentinel.svg\"width=\"75px\"height=\"75px\">\n\n**Note:** _There may be [known issues](https://aka.ms/sentinelsolutionsknownissues) pertaining to this Solution, please refer to them before installing._\n\nThe Azure Security Benchmark v3 Solution is designed to enable Cloud Architects, Security Engineers, and Governance Risk Compliance Professionals to gain situational awareness for cloud security posture and hardening. Benchmark recommendations provide a starting point for selecting specific security configuration settings and facilitate risk reduction. The Azure Security Benchmark includes a collection of high-impact security recommendations for improving posture. This workbook provides visibility and situational awareness for security capabilities delivered with Microsoft technologies in predominantly cloud-based environments. Customer experience will vary by user and some panels may require additional configurations for operation.\n\n**Workbooks:** 1, **Analytic Rules:** 1, **Playbooks:** 3\n\n[Learn more about Microsoft Sentinel](https://aka.ms/azuresentinel) | [Learn more about Solutions](https://aka.ms/azuresentinelsolutionsdoc)",
"description": "<img src=\"https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Workbooks/Images/Logos/Azure_Sentinel.svg\"width=\"75px\"height=\"75px\">\n\n**Note:** Please refer to the following before installing the solution: \r \n • Review the solution [Release Notes](https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/AzureSecurityBenchmark/ReleaseNotes.md)\r \n • There may be [known issues](https://aka.ms/sentinelsolutionsknownissues) pertaining to this Solution, please refer to them before installing.\n\nThe Azure Security Benchmark v3 Solution is designed to enable Cloud Architects, Security Engineers, and Governance Risk Compliance Professionals to gain situational awareness for cloud security posture and hardening. Benchmark recommendations provide a starting point for selecting specific security configuration settings and facilitate risk reduction. The Azure Security Benchmark includes a collection of high-impact security recommendations for improving posture. This workbook provides visibility and situational awareness for security capabilities delivered with Microsoft technologies in predominantly cloud-based environments. Customer experience will vary by user and some panels may require additional configurations for operation.\n\n**Workbooks:** 1, **Analytic Rules:** 1, **Playbooks:** 3\n\n[Learn more about Microsoft Sentinel](https://aka.ms/azuresentinel) | [Learn more about Solutions](https://aka.ms/azuresentinelsolutionsdoc)",
"subscription": {
"resourceProviders": [
"Microsoft.OperationsManagement/solutions",
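Review bot: The new known-issues bullet ends with "please refer to them before installing", which repeats the instruction already given by the lead-in "Please refer to the following before installing the solution:"; dropping the trailing clause (the SOC Handbook's existing text in this PR uses the shorter "pertaining to this Solution.") reads cleaner, though the longer form is at least consistent across the two solutions. While this string is being rewritten, two pre-existing defects are cheap to fix: the `<img>` tag has no whitespace between attributes (`svg\"width=\"75px\"height=\"75px\"`), which is malformed HTML that browsers only tolerate, and the `\r \n` sequence carries a stray space between the carriage return and the newline.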
272 changes: 126 additions & 146 deletions Solutions/AzureSecurityBenchmark/Package/mainTemplate.json

3 changes: 3 additions & 0 deletions Solutions/AzureSecurityBenchmark/ReleaseNotes.md
@@ -0,0 +1,3 @@
| **Version** | **Date Modified (DD-MM-YYYY)** | **Change History** |
|-------------|--------------------------------|----------------------------------------------------------------------------|
| 3.0.0 | 28-11-2023 | Changes for rebranding from Azure Active Directory to Microsoft Entra ID & MS 365 Defender to MS Defender XDR |
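Review bot: The 3.0.0 row uses the abbreviations "MS 365 Defender" and "MS Defender XDR" while the same row spells out "Microsoft Entra ID"; since these notes document a product rebranding, prefer the full names "Microsoft 365 Defender" and "Microsoft Defender XDR" so the table matches the names users will search for. The separator row is also far narrower than the Change History cell, which renders fine but is inconsistent with the widened separators this PR applies to the SOC Handbook table.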

2 changes: 1 addition & 1 deletion Solutions/KQL Training/Data/Solution_KQL Training.json
@@ -9,7 +9,7 @@
],
"Metadata": "SolutionMetadata.json",
"BasePath": "C:\\GitHub\\azure-sentinel\\Solutions\\KQL Training",
"Version": "3.0.0",
"Version": "3.0.1",
"TemplateSpec": true,
"Is1PConnector": false
}
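Review bot: The unchanged context line `"Is1PConnector": false` spells the key differently from `"Is1Pconnector": true` in the AzureSecurityBenchmark solution file touched by this same PR; if the packaging tool matches keys case-sensitively one of the two spellings is silently ignored, so align the casing while both files are being edited. The 3.0.0 to 3.0.1 bump itself is consistent with the added `Solutions/KQL Training/Package/3.0.1.zip`.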
Binary file added Solutions/KQL Training/Package/3.0.1.zip
14 changes: 7 additions & 7 deletions Solutions/KQL Training/Package/mainTemplate.json

6 changes: 3 additions & 3 deletions Solutions/KQL Training/ReleaseNotes.md
@@ -1,3 +1,3 @@
| **Version** | **Date Modified (DD-MM-YYYY)** | **Change History** |
|-------------|--------------------------------|---------------------------------------------|
| 3.0.0 | 07-09-2023 | Updated **Workbook** (IntroToKQL) to fix ongoing issue that breaks the tool |
| **Version** | **Date Modified (DD-MM-YYYY)** | **Change History** |
|-------------|--------------------------------|------------------------------------------------------------------------------|
| 3.0.1 | 28-11-2023 | Changes for rebranding from Azure Active Directory to Microsoft Entra ID & MS 365 Defender to MS Defender XDR |
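Review bot: The existing 3.0.0 row ("Updated **Workbook** (IntroToKQL) to fix ongoing issue that breaks the tool", dated 07-09-2023) is replaced by the 3.0.1 row rather than kept beneath it, so the release history is lost; the SOC Handbook ReleaseNotes.md in this same PR prepends its new 3.0.3 row and retains the earlier ones, and this file should follow that pattern.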
32 changes: 16 additions & 16 deletions Solutions/KQL Training/Workbooks/AdvancedKQL.json

Binary file added Solutions/SOC Handbook/Package/3.0.3.zip
4 changes: 2 additions & 2 deletions Solutions/SOC Handbook/Package/createUiDefinition.json
@@ -6,7 +6,7 @@
"config": {
"isWizard": false,
"basics": {
"description": "<img src=\"https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Logos/Azure_Sentinel.svg\"width=\"75px\"height=\"75px\">\n\n**Note:** Please refer to the following before installing the solution: \r \n • Review the solution [Release Notes](https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/SOC%20Handbook/ReleaseNotes.md)\r \n • There may be [known issues](https://aka.ms/sentinelsolutionsknownissues) pertaining to this Solution.\n\nThe SOC Handbook solution for Microsoft Sentinel provides a collection of resources that enable and empower SOC Analysts to get better visibility and understanding of point-in-time security posture of organizational resources.\n\n All content packaged in this solution is built and supported by the Microsoft Sentinel community. For any support, please create an [issue](https://github.com/Azure/Azure-Sentinel/issues) on the Microsoft Sentinel GitHub repository.\n\n**Workbooks:** 13\n\n[Learn more about Microsoft Sentinel](https://aka.ms/azuresentinel) | [Learn more about Solutions](https://aka.ms/azuresentinelsolutionsdoc)",
"description": "<img src=\"https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Logos/Azure_Sentinel.svg\"width=\"75px\"height=\"75px\">\n\n**Note:** Please refer to the following before installing the solution: \r \n • Review the solution [Release Notes](https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/SOC%20Handbook/ReleaseNotes.md)\r \n • There may be [known issues](https://aka.ms/sentinelsolutionsknownissues) pertaining to this Solution, please refer to them before installing.\n\nThe SOC Handbook solution for Microsoft Sentinel provides a collection of resources that enable and empower SOC Analysts to get better visibility and understanding of point-in-time security posture of organizational resources.\n\n All content packaged in this solution is built and supported by the Microsoft Sentinel community. For any support, please create an [issue](https://github.com/Azure/Azure-Sentinel/issues) on the Microsoft Sentinel GitHub repository.\n\n**Workbooks:** 13\n\n[Learn more about Microsoft Sentinel](https://aka.ms/azuresentinel) | [Learn more about Solutions](https://aka.ms/azuresentinelsolutionsdoc)",
"subscription": {
"resourceProviders": [
"Microsoft.OperationsManagement/solutions",
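Review bot: The only change in this hunk appends ", please refer to them before installing" to the known-issues bullet, which already sits under "Please refer to the following before installing the solution:"; the added clause is redundant, although it does make the wording identical to the AzureSecurityBenchmark description in this PR. If consistency across solutions is the goal, keep it; otherwise revert this line so the description is unchanged.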
@@ -268,4 +268,4 @@
"workspace": "[basics('workspace')]"
}
}
}
}
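Review bot: The hunk at line 268 removes and re-adds an identical closing `}`, so the change is whitespace only (most likely a trailing end-of-file newline added or removed); confirm this is intentional, since the PR describes rebranding string changes and a newline flip on the last line is usually an editor artifact that adds noise to the file history.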
36 changes: 18 additions & 18 deletions Solutions/SOC Handbook/Package/mainTemplate.json

11 changes: 6 additions & 5 deletions Solutions/SOC Handbook/ReleaseNotes.md
@@ -1,5 +1,6 @@
| **Version** | **Date Modified (DD-MM-YYYY)** | **Change History** |
|-------------|--------------------------------|---------------------------------------------|
| 3.0.2 | 21-11-2023 |Updated SecurityOperationsEfficiency **Workbook** to run the query on "set in query" |
| 3.0.1 | 14-07-2023 | Updated **Workbook** to correctly get the drop down for Subscription and Workspace |
| 3.0.0 | 07-07-2023 | Initial Solution Release|
| **Version** | **Date Modified (DD-MM-YYYY)** | **Change History** |
|-------------|--------------------------------|-------------------------------------------------------------------------------------|
| 3.0.3 | 28-11-2023 | Changes for rebranding from Azure Active Directory to Microsoft Entra ID |
| 3.0.2 | 21-11-2023 | Updated SecurityOperationsEfficiency **Workbook** to run the query on "set in query"|
| 3.0.1 | 14-07-2023 | Updated **Workbook** to correctly get the drop down for Subscription and Workspace |
| 3.0.0 | 07-07-2023 | Initial Solution Release |
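Review bot: The three existing rows are rewritten only to re-pad cell spacing and widen the separator (for example the 3.0.2 row gains a space after `|`), which makes the hunk look like five rewritten rows when only the 3.0.3 row is new; acceptable for a table this small, but worth stating in the PR so reviewers know nothing else changed. The 3.0.3 row, unlike the AzureSecurityBenchmark and KQL Training notes in this PR, records only the Azure Active Directory to Microsoft Entra ID rename; that matches the SOC Handbook workbook diffs shown here, which replace only Azure Active Directory strings.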
2 changes: 1 addition & 1 deletion Solutions/SOC Handbook/Workbooks/AzureSentinelCost.json
@@ -420,7 +420,7 @@
{
"type": 1,
"content": {
"json": "## Microsoft Sentinel benefit for Microsoft 365 E5, A5, F5 and G5 customers\r\n\r\nWith security information and event management (SIEM) and extended detection and response (XDR) from Microsoft, you’re armed with the context and automation you need to stop sophisticated, cross-domain attacks across your entire organization. \r\n\r\nMicrosoft 365 E5, A5, F5, G5 and Microsoft 365 E5, A5, F5, G5 Security customers can get data grant up to 5MB per user/day of Microsoft 365 data ingestion into Microsoft Sentinel. <br>\r\nThe data sources included in this offer include:\r\n\r\n- Azure Active Directory (Azure AD) sign-in and audit logs\r\n- Microsoft Cloud App Security shadow IT discovery logs\r\n- Microsoft Information Protection logs\r\n- Microsoft 365 advanced hunting data\r\n\r\nThe data grant will be calculated at the end of the month and applied to your bill, covering the cost of up to 5 MB of data ingestion per user/day.\r\n\r\nVisit https://azure.microsoft.com/offers/sentinel-microsoft-365-offer/ for more information\r\n\r\n<br>\r\n\r\n### Below are the ingestion for the eligible data sources:\r\n\r\n_**Note:** Kindly specify **Total seats (E5/A5/F5/G5)** and **Ingestion Price** parameters for calculation._"
"json": "## Microsoft Sentinel benefit for Microsoft 365 E5, A5, F5 and G5 customers\r\n\r\nWith security information and event management (SIEM) and extended detection and response (XDR) from Microsoft, you’re armed with the context and automation you need to stop sophisticated, cross-domain attacks across your entire organization. \r\n\r\nMicrosoft 365 E5, A5, F5, G5 and Microsoft 365 E5, A5, F5, G5 Security customers can get data grant up to 5MB per user/day of Microsoft 365 data ingestion into Microsoft Sentinel. <br>\r\nThe data sources included in this offer include:\r\n\r\n- Microsoft Entra ID sign-in and audit logs\r\n- Microsoft Cloud App Security shadow IT discovery logs\r\n- Microsoft Information Protection logs\r\n- Microsoft 365 advanced hunting data\r\n\r\nThe data grant will be calculated at the end of the month and applied to your bill, covering the cost of up to 5 MB of data ingestion per user/day.\r\n\r\nVisit https://azure.microsoft.com/offers/sentinel-microsoft-365-offer/ for more information\r\n\r\n<br>\r\n\r\n### Below are the ingestion for the eligible data sources:\r\n\r\n_**Note:** Kindly specify **Total seats (E5/A5/F5/G5)** and **Ingestion Price** parameters for calculation._"
},
"name": "text - 12"
},
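Review bot: The replacement correctly drops the "(Azure AD)" parenthetical along with the old name, so the bullet now reads "Microsoft Entra ID sign-in and audit logs". The same paragraph, however, still names "Microsoft Cloud App Security", which has since been renamed Microsoft Defender for Cloud Apps, so this rebranding pass leaves one stale product name in a string it already edits. Minor: the text uses both "5MB" and "5 MB"; pick one spelling.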

@@ -330,7 +330,7 @@
{
"type": 1,
"content": {
"json": "## Investigation Insights Help\r\n\r\n### Overview\r\n\r\nThe Investigation Insights Workbook is designed to assist in investigations of Azure Sentinel Incidents or individual IP/Account/Host/URL entities. The workbook leverages multiple data sources to provide detailed views of frequently used information during the analysis of an incident.\r\n\r\nDetailed help on this workbook is maintained at the [Azure Sentinel Github Wiki](https://github.com/Azure/Azure-Sentinel/wiki/Investigation-Insights---Overview).\r\n\r\nThe workbook is broken up into 2 main sections, Incident Insights and Entity Insights.\r\n\r\n#### Incident Insights\r\n\r\nThe Incident Insights gives the analyst a view of ongoing Sentinel Incidents and allows for quick access to their associated metadata including alerts and entity information.\r\n\r\n#### Entity Insights\r\n\r\nThe Entity Insights allows the analyst to take entity data either from an incident or through manual entry and explore related information about that entity. This workbook presently provides view of the following entity types:\r\n- IP Address\r\n- Account\r\n- Host\r\n- URL\r\n- FileHash\r\n\r\n### Workbook Setup\r\n\r\nThis workbook can be configured using the parameters at the top of the workbook. 
Some of these parameters are only available in Edit mode.\r\n\r\n\r\n| Parameter | Description |\r\n|---|---|\r\n|Subscription |Select the Azure subscription where your Azure Sentinel instance resides |\r\n|Workspace|Select the Azure Log Analytics workspace where your Azure Sentinel data resides|\r\n|TimeRange|Select the time window you want to Investigate|\r\n|Investigate by|Investigate by Incident allows you to view Sentinel incident data and investigate by entity, Investigate by Entity allows you to proceed directly to entering the entity data manually for your investigation |\r\n| Show Incident Trend |Use this toggle, to see additonal data about the Trends over the past (TimeRange), compared to the last 24hours.|\r\n|Help|Turn on/off this help data, Turn on/off the change log|\r\n|DefaultUPNSuffix|This parameter is used when the entity data does not include a UPN suffix, the value of this parameter will be the assumed suffix|\r\n|AlertID|This parameter should be left blank and is hidden when using the workbook|\r\n|EntityData|This parameter should be left blank and is hidden when using the workbook|\r\n|EntityType|This parameter should be left blank and is hidden when using the workbook|\r\n\r\n#### Data Sources\r\n\r\nThis workbook leverages a number of different data sources. Most of these data sources are not required for this workbook to function but elements of the workbook may not function if data sources are missing. 
Our detailed help located on [GitHub](https://github.com/Azure/Azure-Sentinel/wiki/Investigation-Insights---Overview) includes additional information about which data sources are required for specific capabilities of this workbook.\r\n\r\n|Data Source|Type|Data Connector|\r\n|---|---|\r\n| Azure Resource Graph |api| Not Applicable|\r\n| AuditLogs | table| Azure Active Directory |\r\n| AWSCloudTrail | table| Amazon Web Services |\r\n| AzureActivity |table| Azure Activity | \r\n| BehaviorAnalytics | table | Entity Behavior Analytics |\r\n| CommonSecurityLog |table| Multiple Connectors |\r\n| DeviceLogonEvents |table| Defender ATP |\r\n| DnsEvents |table| DNS |\r\n| IdentityInfo | table | Entity Behavior Analytics |\r\n| OfficeActivity |table| Office 365 |\r\n| ProtectionStatus |table| Azure Security Center with Microsoft Monitoring Agent |\r\n| SecurityAlert |table| Multiple Connectors |\r\n| SecurityBaseline | table | Azure Security Center with Microsoft Monitoring Agent |\r\n| SecurityBaselineSummary | table | Azure Security Center with Microsoft Monitoring Agent |\r\n| SecurityEvent |table| Security Events |\r\n| SecurtityIncident | table| Not Applicable |\r\n| SigninLogs |table|Azure Active Directory |\r\n| ThreatIntelligenceIndicator |table| Threat Intelligence (Platforms and/or TAXII)|\r\n| UpdateSummary |table| Azure Security Center with Microsoft Monitoring Agent |\r\n| Update | table | Azure Security Center with Microsoft Monitoring Agent |\r\n| VMConnection | table | Azure Monitor VM Insights |\r\n| W3CIISLog | table | Microsoft Monitoring Agent |\r\n| WindowsFirewall | table | Windows Firewall |\r\n\r\n",
"json": "## Investigation Insights Help\r\n\r\n### Overview\r\n\r\nThe Investigation Insights Workbook is designed to assist in investigations of Azure Sentinel Incidents or individual IP/Account/Host/URL entities. The workbook leverages multiple data sources to provide detailed views of frequently used information during the analysis of an incident.\r\n\r\nDetailed help on this workbook is maintained at the [Azure Sentinel Github Wiki](https://github.com/Azure/Azure-Sentinel/wiki/Investigation-Insights---Overview).\r\n\r\nThe workbook is broken up into 2 main sections, Incident Insights and Entity Insights.\r\n\r\n#### Incident Insights\r\n\r\nThe Incident Insights gives the analyst a view of ongoing Sentinel Incidents and allows for quick access to their associated metadata including alerts and entity information.\r\n\r\n#### Entity Insights\r\n\r\nThe Entity Insights allows the analyst to take entity data either from an incident or through manual entry and explore related information about that entity. This workbook presently provides view of the following entity types:\r\n- IP Address\r\n- Account\r\n- Host\r\n- URL\r\n- FileHash\r\n\r\n### Workbook Setup\r\n\r\nThis workbook can be configured using the parameters at the top of the workbook. 
Some of these parameters are only available in Edit mode.\r\n\r\n\r\n| Parameter | Description |\r\n|---|---|\r\n|Subscription |Select the Azure subscription where your Azure Sentinel instance resides |\r\n|Workspace|Select the Azure Log Analytics workspace where your Azure Sentinel data resides|\r\n|TimeRange|Select the time window you want to Investigate|\r\n|Investigate by|Investigate by Incident allows you to view Sentinel incident data and investigate by entity, Investigate by Entity allows you to proceed directly to entering the entity data manually for your investigation |\r\n| Show Incident Trend |Use this toggle, to see additonal data about the Trends over the past (TimeRange), compared to the last 24hours.|\r\n|Help|Turn on/off this help data, Turn on/off the change log|\r\n|DefaultUPNSuffix|This parameter is used when the entity data does not include a UPN suffix, the value of this parameter will be the assumed suffix|\r\n|AlertID|This parameter should be left blank and is hidden when using the workbook|\r\n|EntityData|This parameter should be left blank and is hidden when using the workbook|\r\n|EntityType|This parameter should be left blank and is hidden when using the workbook|\r\n\r\n#### Data Sources\r\n\r\nThis workbook leverages a number of different data sources. Most of these data sources are not required for this workbook to function but elements of the workbook may not function if data sources are missing. 
Our detailed help located on [GitHub](https://github.com/Azure/Azure-Sentinel/wiki/Investigation-Insights---Overview) includes additional information about which data sources are required for specific capabilities of this workbook.\r\n\r\n|Data Source|Type|Data Connector|\r\n|---|---|\r\n| Azure Resource Graph |api| Not Applicable|\r\n| AuditLogs | table| Microsoft Entra ID |\r\n| AWSCloudTrail | table| Amazon Web Services |\r\n| AzureActivity |table| Azure Activity | \r\n| BehaviorAnalytics | table | Entity Behavior Analytics |\r\n| CommonSecurityLog |table| Multiple Connectors |\r\n| DeviceLogonEvents |table| Defender ATP |\r\n| DnsEvents |table| DNS |\r\n| IdentityInfo | table | Entity Behavior Analytics |\r\n| OfficeActivity |table| Office 365 |\r\n| ProtectionStatus |table| Azure Security Center with Microsoft Monitoring Agent |\r\n| SecurityAlert |table| Multiple Connectors |\r\n| SecurityBaseline | table | Azure Security Center with Microsoft Monitoring Agent |\r\n| SecurityBaselineSummary | table | Azure Security Center with Microsoft Monitoring Agent |\r\n| SecurityEvent |table| Security Events |\r\n| SecurtityIncident | table| Not Applicable |\r\n| SigninLogs |table|Microsoft Entra ID |\r\n| ThreatIntelligenceIndicator |table| Threat Intelligence (Platforms and/or TAXII)|\r\n| UpdateSummary |table| Azure Security Center with Microsoft Monitoring Agent |\r\n| Update | table | Azure Security Center with Microsoft Monitoring Agent |\r\n| VMConnection | table | Azure Monitor VM Insights |\r\n| W3CIISLog | table | Microsoft Monitoring Agent |\r\n| WindowsFirewall | table | Windows Firewall |\r\n\r\n",
"style": "info"
},
"name": "text - 19"
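Review bot: The data-source table header `|Data Source|Type|Data Connector|` is followed by a two-column separator `|---|---|`, so the third column will not render as a Markdown table; since this string is being edited, add the missing `---`. The same block still says "Azure Sentinel" throughout (the Overview, the Subscription and Workspace parameter descriptions, and "Azure Sentinel Github Wiki") and lists "Defender ATP" as a connector, both of which have been renamed (Microsoft Sentinel, Microsoft Defender for Endpoint), and it carries the typos `SecurtityIncident` (the table is `SecurityIncident`), "additonal" and "24hours"; the rebranding change here only swaps the two "Azure Active Directory" cells, so all of these survive.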